diff --git a/arkProject/HeavenShadow/HeavenShadow.sln b/arkProject/HeavenShadow/HeavenShadow.sln
new file mode 100644
index 0000000..b6bc7cb
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow.sln
@@ -0,0 +1,44 @@
+ï»¿
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HeavenShadow", "HeavenShadow\HeavenShadow.vcxproj", "{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injectdll64", "injectdll64\injectdll64.vcxproj", "{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injectdll32", "injectdll32\injectdll32.vcxproj", "{53E8A28F-7458-42B6-9AFA-200CBCC48221}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Debug|Win32.ActiveCfg = Debug|Win32
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Debug|Win32.Build.0 = Debug|Win32
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Debug|x64.ActiveCfg = Debug|x64
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Debug|x64.Build.0 = Debug|x64
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Release|Win32.ActiveCfg = Release|Win32
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Release|Win32.Build.0 = Release|Win32
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Release|x64.ActiveCfg = Release|x64
+		{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}.Release|x64.Build.0 = Release|x64
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Debug|Win32.ActiveCfg = Debug|x64
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Debug|Win32.Build.0 = Debug|x64
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Debug|x64.ActiveCfg = Debug|x64
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Debug|x64.Build.0 = Debug|x64
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Release|Win32.ActiveCfg = Release|Win32
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Release|Win32.Build.0 = Release|Win32
+		{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}.Release|x64.ActiveCfg = Release|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Debug|Win32.ActiveCfg = Debug|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Debug|Win32.Build.0 = Debug|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Debug|x64.ActiveCfg = Debug|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Debug|x64.Build.0 = Debug|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Release|Win32.ActiveCfg = Release|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Release|Win32.Build.0 = Release|Win32
+		{53E8A28F-7458-42B6-9AFA-200CBCC48221}.Release|x64.ActiveCfg = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/arkProject/HeavenShadow/HeavenShadow.suo b/arkProject/HeavenShadow/HeavenShadow.suo
new file mode 100644
index 0000000..f70af49
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow.suo differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/AlertWnd.cpp b/arkProject/HeavenShadow/HeavenShadow/AlertWnd.cpp
new file mode 100644
index 0000000..7be2bed
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/AlertWnd.cpp
@@ -0,0 +1,298 @@
+// AlertWnd.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "AlertWnd.h"
+#include "afxdialogex.h"
+
+
+#include <Mmsystem.h>
+
+
+// CAlertWnd ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CAlertWnd, CDialog)
+
+CAlertWnd::CAlertWnd(CWnd* pParent /*=NULL*/)
+	: CDialog(CAlertWnd::IDD, pParent)
+{
+	m_ulCount = 20;
+	m_TimerTip = _T("");
+}
+
+CAlertWnd::~CAlertWnd()
+{
+}
+
+void CAlertWnd::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Text(pDX, IDC_STATIC_TIMERTIP, m_TimerTip);
+	DDX_Control(pDX, IDC_STATIC_BTN_ALLOW, m_btnAllow);
+	DDX_Control(pDX, IDC_STATIC_BTN_PREVENT, m_btnPrevent);
+	DDX_Control(pDX, IDC_STATIC_TIMERTIP, m_TextTimer);
+	DDX_Control(pDX, IDC_STATIC_ALERT_CONTEXT, m_TextContext);
+	DDX_Control(pDX, IDC_STATIC_ALERT_TITLE, m_TextTitle);
+}
+
+
+BEGIN_MESSAGE_MAP(CAlertWnd, CDialog)
+	ON_WM_CLOSE()
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+	ON_WM_CTLCOLOR()
+//	ON_STN_CLICKED(IDC_STATIC_ALERTBTNEXIT, &CAlertWnd::OnStnClickedStaticAlertbtnexit)
+	ON_WM_TIMER()
+	ON_STN_CLICKED(IDC_STATIC_BTN_PREVENT, &CAlertWnd::OnStnClickedStaticBtnPrevent)
+	ON_STN_CLICKED(IDC_STATIC_BTN_ALLOW, &CAlertWnd::OnStnClickedStaticBtnAllow)
+	ON_WM_SYSCOMMAND()
+	ON_WM_SIZE()
+END_MESSAGE_MAP()
+
+
+// CAlertWnd ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+
+
+
+BOOL CAlertWnd::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	ModifyStyleEx(WS_EX_APPWINDOW,WS_EX_TOOLWINDOW);//ÉèÖÃÀ©Õ¹¹¤¾ß´°Ä£Ê½¡£×èÖ¹ÈÎÎñÀ¸ÏÔÊ¾Í¼±ê
+
+	m_ulCount = 20;
+
+	m_TimerTip.Format(L"½«Ö´ÐÐ×èÖ¹²Ù×÷£º %2d Ãë     ",m_ulCount);
+
+	UpdateData(FALSE);
+
+	//»ñµÃ×ÀÃæ´óÐ¡
+	CRect rectWorkArea;
+	SystemParametersInfoW(SPI_GETWORKAREA,0,&rectWorkArea,SPIF_SENDCHANGE);
+
+	//»ñµÃ¶Ô»°¿ò´óÐ¡
+	CRect rectDlg;
+	GetWindowRect(&rectDlg);
+	int nW = rectDlg.Width();
+	int nH = rectDlg.Height();
+
+	//½«´°¿ÚÉèÖÃµ½ÓÒÏÂ½Å
+	::SetWindowPos(this->m_hWnd,HWND_BOTTOM,
+		rectWorkArea.right-nW-6,rectWorkArea.bottom-nH,
+		nW,nH,
+		SWP_NOZORDER);
+
+	//¶¯»­ÏÔÊ¾
+	//AnimateWindow(150,AW_CENTER|AW_ACTIVATE|AW_VER_NEGATIVE);
+	//AnimateWindow(200,AW_SLIDE|AW_ACTIVATE|AW_VER_NEGATIVE);//
+	//AnimateWindow(150,AW_BLEND|AW_ACTIVATE|AW_VER_NEGATIVE);
+
+	
+
+
+	CloseHandle(CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsPlayAlertSound,NULL, 0,NULL));
+
+
+	SetTimer(3333,1000,NULL);
+
+
+
+
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+BOOL CAlertWnd::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+
+	if(pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+void CAlertWnd::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(0,116,179));
+}
+
+
+void CAlertWnd::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow == TRUE)
+	{
+	}
+}
+
+void CAlertWnd::OnClose()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+
+	//¶¯»­ÏÔÊ¾
+	//AnimateWindow(150,AW_CENTER|AW_HIDE|AW_VER_POSITIVE);
+	//AnimateWindow(200,AW_SLIDE|AW_HIDE|AW_VER_POSITIVE);//AW_SLIDE|
+	//AnimateWindow(150,AW_BLEND|AW_HIDE|AW_VER_POSITIVE);
+
+	CDialog::OnClose();
+}
+
+
+HBRUSH CAlertWnd::OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor)
+{
+	HBRUSH hbr = CDialog::OnCtlColor(pDC, pWnd, nCtlColor);
+
+	// TODO:  ÔÚ´Ë¸ü¸Ä DC µÄÈÎºÎÌØÐÔ
+
+	if ( nCtlColor == CTLCOLOR_BTN)
+	{
+		pDC->SetBkMode(TRANSPARENT);
+		return (HBRUSH)::GetStockObject(NULL_BRUSH);
+
+	}
+
+// 	if ( nCtlColor == CTLCOLOR_STATIC|| nCtlColor == CTLCOLOR_BTN|| nCtlColor == CTLCOLOR_MAX )
+// 	{
+// 		//pDC->SetBkColor(RGB(232,80,80));
+// 
+// 		pDC->SetBkMode(TRANSPARENT);
+// 
+// 		pDC->SetTextColor(RGB(255,255,255));
+// 
+// 		// TODO:  Èç¹ûÄ¬ÈÏµÄ²»ÊÇËùÐè»­±Ê£¬Ôò·µ»ØÁíÒ»¸ö»­±Ê
+// 		return (HBRUSH)::GetStockObject(NULL_BRUSH);
+// 	}
+
+	return hbr;
+}
+
+
+void CAlertWnd::OnOK()
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+
+	CDialog::OnOK();
+}
+
+
+void CAlertWnd::OnCancel()
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+
+	CDialog::OnCancel();
+}
+
+
+//void CAlertWnd::OnStnClickedStaticAlertbtnexit()
+//{
+//	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+//	SendMessage(WM_CLOSE);
+//}
+
+
+void CAlertWnd::OnTimer(UINT_PTR nIDEvent)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+
+	switch(nIDEvent)
+	{
+	case 3333:
+		{
+			if (m_ulCount == 0)
+			{
+				KillTimer(3333);
+				SendMessage(WM_CLOSE);
+			}
+			m_ulCount--;
+
+			
+			m_TimerTip.Format(L"½«Ö´ÐÐ×èÖ¹²Ù×÷£º %2d Ãë",m_ulCount);
+
+			UpdateData(FALSE);
+
+			SendMessage(WM_PAINT);
+		}
+	}
+
+	CDialog::OnTimer(nIDEvent);
+}
+
+
+void HsPlayAlertSound(void)
+{
+	::PlaySoundW(MAKEINTRESOURCE(IDR_WAVE_SYSTEM_ALERT), ::GetModuleHandle(NULL), SND_RESOURCE | SND_SYNC);
+
+}
+
+
+void CAlertWnd::OnStnClickedStaticBtnPrevent()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_BTN_PREVENT_C),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_BTN_PREVENT_C));
+
+	m_btnPrevent.SetBitmap(hBmp);
+
+	Sleep(100);
+
+	SendMessage(WM_CLOSE);
+}
+
+
+void CAlertWnd::OnStnClickedStaticBtnAllow()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_BTN_ALLOW_C),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_BTN_ALLOW_C));
+
+	m_btnAllow.SetBitmap(hBmp);
+
+	Sleep(100);
+
+	SendMessage(WM_CLOSE);
+}
+
+
+void CAlertWnd::OnSysCommand(UINT nID, LPARAM lParam)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+
+	CDialog::OnSysCommand(nID, lParam);
+}
+
+
+void CAlertWnd::OnSize(UINT nType, int cx, int cy)
+{
+	CDialog::OnSize(nType, cx, cy);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (SIZE_MINIMIZED==nType)
+	{
+		ShowWindow(TRUE);
+	}
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/AlertWnd.h b/arkProject/HeavenShadow/HeavenShadow/AlertWnd.h
new file mode 100644
index 0000000..fb212b6
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/AlertWnd.h
@@ -0,0 +1,51 @@
+#pragma once
+
+#include "MyPicButton.h"
+
+#include "MyText.h"
+#include "afxwin.h"
+
+// CAlertWnd ¶Ô»°¿ò
+
+class CAlertWnd : public CDialog
+{
+	DECLARE_DYNAMIC(CAlertWnd)
+
+public:
+	CAlertWnd(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CAlertWnd();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_ALERT };
+
+	ULONG m_ulCount;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnClose();
+	virtual BOOL OnInitDialog();
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	afx_msg void OnPaint();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	afx_msg HBRUSH OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor);
+	virtual void OnOK();
+	virtual void OnCancel();
+//	afx_msg void OnStnClickedStaticAlertbtnexit();
+	afx_msg void OnTimer(UINT_PTR nIDEvent);
+	CString m_TimerTip;
+	afx_msg void OnStnClickedStaticBtnPrevent();
+	afx_msg void OnStnClickedStaticBtnAllow();
+	afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
+	afx_msg void OnSize(UINT nType, int cx, int cy);
+	CMyPicButton m_btnAllow;
+	CMyPicButton m_btnPrevent;
+	CMyText m_TextTimer;
+	CMyText m_TextContext;
+	CMyText m_TextTitle;
+};
+
+
+void HsPlayAlertSound(void);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ButtonNotify.cpp b/arkProject/HeavenShadow/HeavenShadow/ButtonNotify.cpp
new file mode 100644
index 0000000..f9989a5
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ButtonNotify.cpp
@@ -0,0 +1,317 @@
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "HeavenShadowDlg.h"
+#include "afxdialogex.h"
+
+
+extern BOOL bIsChecking;
+extern BOOL bDriverIsOK;
+
+//////////////////////////////////////////////////////////////////////////
+
+void CHeavenShadowDlg::OnClickedStaticProcess()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_PROCESS);
+	}
+}
+void CHeavenShadowDlg::OnClickedStaticModule()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_MODULE);
+	}
+}
+
+
+
+
+void CHeavenShadowDlg::OnClickedStaticService()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_SERVICE);
+	}
+}
+
+
+
+
+
+void CHeavenShadowDlg::OnEnableStaticProcess()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns_proc = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_PROCESS),RT_GROUP_ICON);
+
+	HBITMAP   hBmp_proc = ::LoadBitmap(hIns_proc, MAKEINTRESOURCE(IDB_BITMAP_PROCESS));
+
+	m_btnProc.SetBitmap(hBmp_proc);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticProcess()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	//¼ÓÔØÎ»Í¼
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_PROCESS_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_PROCESS_NOW));
+
+	m_btnProc.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnEnableStaticModule()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_MODULE),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_MODULE));
+
+	m_btnModu.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticModule()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_MODULE_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_MODULE_NOW));
+
+	m_btnModu.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnEnableStaticService()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_SERVICE),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_SERVICE));
+
+	m_btnServ.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticService()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_SERVICE_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_SERVICE_NOW));
+
+	m_btnServ.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnClickedStaticLogo()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_ABOUT);
+	}
+
+}
+
+void CHeavenShadowDlg::OnEnableStaticLogo()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_LOGOBAR),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_LOGOBAR));
+
+	m_btnAbou.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticLogo()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_LOGOBAR_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_LOGOBAR_NOW));
+
+	m_btnAbou.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnClickedStaticFile()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_FILE);
+	}
+}
+
+
+
+
+
+void CHeavenShadowDlg::OnEnableStaticFile()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_FILE),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_FILE));
+
+	m_btnFile.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticFile()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_FILE_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_FILE_NOW));
+
+	m_btnFile.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnClickedStaticSystem()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_SYSTEM);
+	}
+}
+
+
+void CHeavenShadowDlg::OnEnableStaticSystem()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_SYSTEM),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_SYSTEM));
+
+	m_btnSys.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticSystem()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_SYSTEM_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_SYSTEM_NOW));
+
+	m_btnSys.SetBitmap(hBmp);
+}
+
+
+
+void CHeavenShadowDlg::OnClickedStaticSetting()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_SETTING);
+	}
+}
+
+
+void CHeavenShadowDlg::OnEnableStaticSetting()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_SETTING),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_SETTING));
+
+	m_btnSet.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticSetting()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_SETTING_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_SETTING_NOW));
+
+	m_btnSet.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnClickedStaticTools()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_TOOLS);
+	}
+}
+
+
+void CHeavenShadowDlg::OnEnableStaticTools()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_TOOLS),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_TOOLS));
+
+	m_btnTool.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticTools()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_TOOLS_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_TOOLS_NOW));
+
+	m_btnTool.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnClickedStaticKernel()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	if (!bIsChecking && bDriverIsOK)
+	{
+		HsEnableNowButton();
+		HsSelectWindow(HS_DIALOG_KERNEL);
+	}
+}
+
+
+void CHeavenShadowDlg::OnEnableStaticKernel()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_KERNEL),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_KERNEL));
+
+	m_btnKrnl.SetBitmap(hBmp);
+}
+
+
+void CHeavenShadowDlg::OnDisableStaticKernel()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_KERNEL_NOW),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_KERNEL_NOW));
+
+	m_btnKrnl.SetBitmap(hBmp);
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/CallbackFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/CallbackFunc.cpp
new file mode 100644
index 0000000..8ea2c63
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/CallbackFunc.cpp
@@ -0,0 +1,343 @@
+#include "stdafx.h"
+#include "CallbackFunc.h"
+#include "ModuleFunc.h"
+#include "SSDTFunc.h"
+#include "ProcessFunc.h"
+#include "Common.h"
+#include <vector>
+
+using namespace std;
+
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+
+ULONG_PTR m_ulAllNotify = 0;
+extern vector<DRIVER_INFO> m_DriverList;
+vector<CALLBACK_INFO> m_CallbackVector;
+
+COLUMNSTRUCT g_Column_CallBack[] = 
+{
+	{	L"»Øµ÷µØÖ·",				125	},
+	{	L"»Øµ÷ÀàÐÍ",				125	},
+	{	L"Ä£¿éÎÄ¼þ",				225	},
+	{	L"³öÆ·³§ÉÌ",				125	},
+	{	L"ÃèÊö",					125	},
+};
+
+UINT g_Column_CallBack_Count = 5;
+
+
+extern int dpix;
+extern int dpiy;
+
+
+ULONG_PTR m_ulNotifyLoadImage = 0;
+ULONG_PTR m_ulNotifyCmpCallback = 0;
+ULONG_PTR m_ulNotifyCreateProcess = 0;
+ULONG_PTR m_ulNotifyCreateThread = 0;
+ULONG_PTR m_ulNotifyShutdown = 0;
+ULONG_PTR m_ulNotifyCheckReason = 0;
+ULONG_PTR m_ulNotifyCheck = 0;
+
+
+
+VOID HsInitCallBackList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_CallBack_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_CallBack[i].szTitle,LVCFMT_LEFT,(int)(g_Column_CallBack[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsLoadCallBackList(CListCtrl *m_ListCtrl)
+{
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	// 	while(bIsChecking == TRUE)
+	// 	{
+	// 		Sleep(10);
+	// 	}
+
+	bIsChecking = TRUE;
+
+	HsSendStatusDetail(L"ÏµÍ³»Øµ÷ÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"ÏµÍ³»Øµ÷");
+
+	HsQueryCallBackList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+}
+
+
+
+VOID HsQueryCallBackList(CListCtrl *m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+	m_CallbackVector.clear();
+
+	EnumDriver();
+
+	if (HsQueryCallBackList() == FALSE)
+	{
+		HsSendStatusDetail(L"ÏµÍ³»Øµ÷¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+	HsInsertCallbackItem(m_ListCtrl);
+}
+
+BOOL HsQueryCallBackList()
+{
+	ULONG_PTR ulCnt = 100;
+	PGET_CALLBACK CallbackInfor = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = sizeof(GET_CALLBACK) + ulCnt * sizeof(CALLBACK_INFO);
+
+		if (CallbackInfor)
+		{
+			free(CallbackInfor);
+			CallbackInfor = NULL;
+		}
+
+		CallbackInfor = (PGET_CALLBACK)malloc(ulSize);
+
+		if (CallbackInfor)
+		{
+			memset(CallbackInfor, 0, ulSize);
+			CallbackInfor->ulCnt = ulCnt;
+
+			BOOL NotifyType = NotifyLoadImage;
+
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_CALLBACKLIST),
+				&NotifyType,
+				sizeof(BOOL),
+				CallbackInfor,
+				(DWORD)ulSize,
+				&ulReturnSize,
+				NULL);
+		}
+
+		ulCnt =CallbackInfor->ulCnt + 10;
+
+	} while (!bRet && CallbackInfor->ulRetCnt > CallbackInfor->ulCnt);
+
+	if (bRet &&
+		CallbackInfor->ulCnt >= CallbackInfor->ulRetCnt)
+	{
+		for (ULONG i = 0; i < CallbackInfor->ulRetCnt; i++)
+		{
+			m_CallbackVector.push_back(CallbackInfor->Callbacks[i]);
+		}
+	}
+
+	if (CallbackInfor)
+	{
+		free(CallbackInfor);
+		CallbackInfor = NULL;
+	}
+
+	return bRet;
+}
+
+
+
+
+VOID HsInsertCallbackItem(CListCtrl* m_ListCtrl)
+{
+	m_ulNotifyLoadImage = 0;
+	m_ulNotifyCmpCallback = 0;
+	m_ulNotifyCreateProcess = 0;
+	m_ulNotifyCreateThread = 0;
+	m_ulNotifyShutdown = 0;
+	m_ulNotifyCheckReason = 0;
+	m_ulNotifyCheck = 0;
+
+	m_ulAllNotify = 0;
+
+	for (vector<CALLBACK_INFO>::iterator itor = m_CallbackVector.begin(); itor != m_CallbackVector.end(); itor++)
+	{
+		CString strCallbackAddress, strType, strPath, strComp, strNote;
+
+		strCallbackAddress.Format(L"0x%p", itor->CallbackAddress);
+		int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strCallbackAddress);
+
+
+		strNote.Format(L"0x%p", itor->Note);
+
+
+		switch (itor->Type)
+		{
+		case NotifyLoadImage:
+			{
+				strType = L"LoadImage";
+
+				m_ulNotifyLoadImage++;
+				break;
+			}
+		case NotifyCmCallBack:
+			{
+				strType = L"CmpCallBack";
+
+				m_ulNotifyCmpCallback++;
+				break;
+			}
+		case NotifyCreateProcess:
+			{
+				strType = L"CreateProcess";
+
+				m_ulNotifyCreateProcess++;
+				break;
+			}
+		case NotifyCreateThread:
+			{
+				strType = L"CreateThread";
+
+				m_ulNotifyCreateThread++;
+				break;
+			}
+		case NotifyShutdown:
+			{
+				strType = L"Shutdown";
+
+				m_ulNotifyShutdown++;
+				break;
+			}
+		case NotifyKeBugCheckReason:
+			{
+				strType = L"BugCheckReason";
+
+				m_ulNotifyCheckReason++;
+				break;
+			}
+		case NotifyKeBugCheck:
+			{
+				strType = L"BugCheck";
+
+				m_ulNotifyCheck++;
+				break;
+			}
+		default:
+			{
+				break;
+			}
+		}
+		m_ulAllNotify++;
+
+
+
+		strPath = GetDriverPath(itor->CallbackAddress);
+		strComp = HsGetFileCompanyName(strPath);
+
+		m_ListCtrl->SetItemText(n, 1, strType);
+		m_ListCtrl->SetItemText(n, 2, strPath);
+		m_ListCtrl->SetItemText(n, 3, strComp);
+		m_ListCtrl->SetItemText(n, 4, strNote);
+
+
+		CString StatusBarContext;
+		StatusBarContext.Format(
+			L"ÏµÍ³»Øµ÷ÕýÔÚ¼ÓÔØ¡£ Çý¶¯¼ÓÔØ£º%d£¬×¢²á±í£º%d£¬½ø³Ì´´½¨£º%d£¬Ïß³Ì´´½¨£º%d£¬¹Ø»ú£º%d£¬ÆäËû£º%d",
+			m_ulNotifyLoadImage,
+			m_ulNotifyCmpCallback,
+			m_ulNotifyCreateProcess,
+			m_ulNotifyCreateThread,
+			m_ulNotifyShutdown,
+			m_ulNotifyCheckReason+m_ulNotifyCheck);
+
+		HsSendStatusDetail(StatusBarContext);
+
+	}
+
+	CString StatusBarContext;
+	StatusBarContext.Format(
+		L"ÏµÍ³»Øµ÷¼ÓÔØÍê³É¡£ Çý¶¯¼ÓÔØ£º%d£¬×¢²á±í£º%d£¬½ø³Ì´´½¨£º%d£¬Ïß³Ì´´½¨£º%d£¬¹Ø»ú£º%d£¬ÆäËû£º%d",
+		m_ulNotifyLoadImage,
+		m_ulNotifyCmpCallback,
+		m_ulNotifyCreateProcess,
+		m_ulNotifyCreateThread,
+		m_ulNotifyShutdown,
+		m_ulNotifyCheckReason+m_ulNotifyCheck);
+
+	HsSendStatusDetail(StatusBarContext);
+
+}
+
+
+VOID HsRemoveCallBackItem(CListCtrl* m_ListCtrl)
+{
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+
+	CString Temp = m_ListCtrl->GetItemText(Index,0);
+
+	REMOVE_CALLBACK  RemoveCallBack;
+
+	for ( vector <CALLBACK_INFO>::iterator Iter = m_CallbackVector.begin( ); Iter != m_CallbackVector.end( ); Iter++ )
+	{
+		CString strCallback;
+		strCallback.Format(L"0x%p", Iter->CallbackAddress);
+		if (!strCallback.CompareNoCase(Temp))
+		{
+
+			RemoveCallBack.CallbackAddress = Iter->CallbackAddress;
+			RemoveCallBack.Note = Iter->Note;
+			RemoveCallBack.NotifyType = Iter->Type;
+
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_REMOVECALLBACK),
+				&RemoveCallBack,
+				sizeof(REMOVE_CALLBACK),
+				NULL,
+				0,
+				&ulReturnSize,
+				NULL);
+
+
+			break;
+		}	
+	}
+
+	if (bRet)
+	{
+		m_ulNotifyLoadImage--;
+		m_ulAllNotify--;
+		m_ListCtrl->DeleteItem(Index);
+
+		CString StatusBarContext;
+		StatusBarContext.Format(
+			L"ÏµÍ³»Øµ÷¼ÓÔØÍê³É¡£ Çý¶¯¼ÓÔØ£º%d£¬×¢²á±í£º%d£¬½ø³Ì´´½¨£º%d£¬Ïß³Ì´´½¨£º%d£¬¹Ø»ú£º%d£¬ÆäËû£º%d",
+			m_ulNotifyLoadImage,
+			m_ulNotifyCmpCallback,
+			m_ulNotifyCreateProcess,
+			m_ulNotifyCreateThread,
+			m_ulNotifyShutdown,
+			m_ulNotifyCheckReason+m_ulNotifyCheck);
+
+		HsSendStatusDetail(StatusBarContext);
+	}
+	
+
+	bIsChecking = FALSE;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/CallbackFunc.h b/arkProject/HeavenShadow/HeavenShadow/CallbackFunc.h
new file mode 100644
index 0000000..cfc0566
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/CallbackFunc.h
@@ -0,0 +1,51 @@
+#pragma once
+#include "stdafx.h"
+
+typedef enum _CALLBACK_TYPE_
+{
+	NotifyCreateProcess,
+	NotifyCreateThread,
+	NotifyLoadImage,
+	NotifyShutdown,
+	NotifyCmCallBack,
+	NotifyKeBugCheckReason,
+	NotifyKeBugCheck
+}CALLBACK_TYPE;
+
+typedef struct _CALLBACK_INFO_
+{
+	CALLBACK_TYPE Type;
+	ULONG_PTR     CallbackAddress;
+	ULONG_PTR     Note;
+}CALLBACK_INFO, *PCALLBACK_INFO;
+
+typedef struct _GET_CALLBACK_
+{
+	ULONG_PTR ulCnt;
+	ULONG_PTR ulRetCnt;
+	CALLBACK_INFO Callbacks[1];
+}GET_CALLBACK, *PGET_CALLBACK;
+
+typedef struct _REMOVE_CALLBACK
+{
+	CALLBACK_TYPE NotifyType;
+	ULONG_PTR     CallbackAddress;
+	ULONG_PTR     Note;
+}REMOVE_CALLBACK,*PREMOVE_CALLBACK;
+
+
+
+VOID HsInitCallBackList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadCallBackList(CListCtrl *m_ListCtrl);
+
+VOID HsQueryCallBackList(CListCtrl *m_ListCtrl);
+
+BOOL HsQueryCallBackList();
+
+VOID HsInsertCallbackItem(CListCtrl* m_ListCtrl);
+
+VOID HsRemoveCallBackItem(CListCtrl* m_ListCtrl);
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/Common.cpp b/arkProject/HeavenShadow/HeavenShadow/Common.cpp
new file mode 100644
index 0000000..e55419b
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/Common.cpp
@@ -0,0 +1,533 @@
+
+#include "stdafx.h"
+#include "Common.h"
+
+
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+#ifndef STATUS_SUCCESS
+#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
+#endif
+#ifndef STATUS_UNSUCCESSFUL
+#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
+#endif
+
+
+
+HANDLE g_hDevice = NULL;
+
+
+extern WIN_VERSION WinVersion;
+extern CWnd* g_wParent;
+
+
+
+//ÔÚÐéÄâ»úÖÐ²âÊÔ: WinXP, Vista, Win7, Win8(RP) °üº¬32/64Î»
+typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
+BOOL HsIs64BitWindows()
+{
+#if defined(_WIN64)
+	return TRUE;  // 64Î»³ÌÐòÖ»ÔÚWin64ÏµÍ³ÖÐÔËÐÐ
+#elif defined(_WIN32)
+	// 32Î»³ÌÐòÔÚ32/64Î»ÏµÍ³ÖÐÔËÐÐ¡£
+	// ËùÒÔ±ØÐëÅÐ¶Ï
+	BOOL f64 = FALSE;
+	LPFN_ISWOW64PROCESS fnIsWow64Process;
+
+	fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(_T("kernel32")),"IsWow64Process");
+	if(NULL != fnIsWow64Process)
+	{
+		return fnIsWow64Process(GetCurrentProcess(),&f64) && f64;
+	}
+	return FALSE;
+#else
+	return FALSE; // Win64²»Ö§³Ö16Î»ÏµÍ³
+#endif
+}
+
+
+VOID HsSendStatusDetail(LPCWSTR szBuffer)
+{
+	::SendMessageW(g_wParent->m_hWnd,HS_MESSAGE_STATUSDETAIL,NULL,(LPARAM)szBuffer);
+}
+
+VOID HsSendStatusTip(LPCWSTR szBuffer)
+{
+	::SendMessageW(g_wParent->m_hWnd,HS_MESSAGE_STATUSTIP,NULL,(LPARAM)szBuffer);
+}
+
+
+CString TrimPath(WCHAR * wzPath)
+{
+	CString strPath;
+
+	if (wzPath[1] == ':' && wzPath[2] == '\\')
+	{
+		strPath = wzPath;
+	}
+	else if (wcslen(wzPath) > wcslen(L"\\SystemRoot\\") && 
+		!_wcsnicmp(wzPath, L"\\SystemRoot\\", wcslen(L"\\SystemRoot\\")))
+	{
+		WCHAR szSystemDir[MAX_PATH] = {0};
+		GetWindowsDirectory(szSystemDir, MAX_PATH);
+		strPath.Format(L"%s\\%s", szSystemDir, wzPath + wcslen(L"\\SystemRoot\\"));
+	}
+	else if (wcslen(wzPath) > wcslen(L"system32\\") && 
+		!_wcsnicmp(wzPath, L"system32\\", wcslen(L"system32\\")))
+	{
+		WCHAR szSystemDir[MAX_PATH] = {0};
+		GetWindowsDirectory(szSystemDir, MAX_PATH);
+		strPath.Format(L"%s\\%s", szSystemDir, wzPath/* + wcslen(L"system32\\")*/);
+	}
+	else if (wcslen(wzPath) > wcslen(L"\\??\\") &&
+		!_wcsnicmp(wzPath, L"\\??\\", wcslen(L"\\??\\")))
+	{
+		strPath = wzPath + wcslen(L"\\??\\");
+	}
+	else if (wcslen(wzPath) > wcslen(L"%ProgramFiles%") &&
+		!_wcsnicmp(wzPath, L"%ProgramFiles%", wcslen(L"%ProgramFiles%")))
+	{
+		WCHAR szSystemDir[MAX_PATH] = {0};
+		if (GetWindowsDirectory(szSystemDir, MAX_PATH) != 0)
+		{
+			CString szTemp = szSystemDir;
+			szTemp = szTemp.Left(szTemp.Find('\\'));
+			szTemp += L"\\Program Files";
+			szTemp += wzPath + wcslen(L"%ProgramFiles%"); 
+			strPath = szTemp;
+		}
+	}
+	else
+	{
+		strPath = wzPath;
+	}
+
+	strPath = GetLongPath(strPath);
+
+	return strPath;
+}
+
+CString GetLongPath(CString szPath)
+{
+	CString strPath;
+
+	if (szPath.Find(L'~') != -1)
+	{
+		WCHAR szLongPath[MAX_PATH] = {0};
+		DWORD nRet = GetLongPathName(szPath, szLongPath, MAX_PATH);
+		if (nRet >= MAX_PATH || nRet == 0)
+		{
+			strPath = szPath;
+		}
+		else
+		{
+			strPath = szLongPath;
+		}
+	}
+	else
+	{
+		strPath = szPath;
+	}
+
+	return strPath;
+}
+
+
+
+
+
+CHAR* HsLoadDllContext(char* szFileName)
+{
+	DWORD dwReadWrite, LenOfFile=FileLen(szFileName);
+	HANDLE hFile = CreateFileA(szFileName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
+	if (hFile != INVALID_HANDLE_VALUE)
+	{
+		PCHAR Buffer=(PCHAR)malloc(LenOfFile);
+		SetFilePointer(hFile, 0, 0, FILE_BEGIN);
+		ReadFile(hFile, Buffer, LenOfFile, &dwReadWrite, 0);
+		CloseHandle(hFile);
+		return Buffer;
+	}
+	return NULL;
+}
+
+
+DWORD FileLen(char* szFileName)
+{
+	WIN32_FIND_DATAA FileInfo= {0};
+	DWORD FileSize = 0;
+	HANDLE hFind;
+	hFind = FindFirstFileA(szFileName ,&FileInfo);
+	if(hFind != INVALID_HANDLE_VALUE)
+	{
+		FileSize = FileInfo.nFileSizeLow;
+		FindClose(hFind);
+	}
+	return FileSize;
+}
+
+
+
+
+ULONG_PTR HsGetKernelBase(char* szNtosName)
+{
+	typedef long (__stdcall *pfnZwQuerySystemInformation)
+		(
+		IN ULONG SystemInformationClass,
+		IN PVOID SystemInformation,
+		IN ULONG SystemInformationLength,
+		IN PULONG ReturnLength OPTIONAL
+		);
+	typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64
+	{
+		ULONG Unknow1;
+		ULONG Unknow2;
+		ULONG Unknow3;
+		ULONG Unknow4;
+		PVOID Base;
+		ULONG Size;
+		ULONG Flags;
+		USHORT Index;
+		USHORT NameLength;
+		USHORT LoadCount;
+		USHORT ModuleNameOffset;
+		char ImageName[256];
+	} SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
+
+
+
+	typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32
+	{
+		ULONG  Reserved[2];  
+		ULONG  Base;        
+		ULONG  Size;         
+		ULONG  Flags;        
+		USHORT Index;       
+		USHORT Unknown;     
+		USHORT LoadCount;   
+		USHORT ModuleNameOffset;
+		CHAR   ImageName[256];   
+	} SYSTEM_MODULE_INFORMATION_ENTRY32, *PSYSTEM_MODULE_INFORMATION_ENTRY32;
+
+#ifdef _WIN64
+#define SYSTEM_MODULE_INFORMATION_ENTRY SYSTEM_MODULE_INFORMATION_ENTRY64
+#else
+#define SYSTEM_MODULE_INFORMATION_ENTRY SYSTEM_MODULE_INFORMATION_ENTRY32
+#endif
+
+
+	typedef struct _SYSTEM_MODULE_INFORMATION
+	{
+		ULONG Count;
+		SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+	} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+#define SystemModuleInformation 11
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
+	pfnZwQuerySystemInformation ZwQuerySystemInformationAddress = NULL;
+	PSYSTEM_MODULE_INFORMATION  SystemModuleInformationPoint;
+	ULONG NeedSize, BufferSize = 0x5000;
+	PVOID Buffer = NULL;
+	NTSTATUS bOk;
+	ZwQuerySystemInformationAddress = (pfnZwQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
+	do
+	{
+		Buffer = malloc(BufferSize);
+		if(Buffer == NULL ) 
+		{
+			return 0;
+		}
+		bOk = ZwQuerySystemInformationAddress( SystemModuleInformation, Buffer, BufferSize, &NeedSize );
+		if( bOk == STATUS_INFO_LENGTH_MISMATCH )
+		{
+			free(Buffer);
+			BufferSize *= 2;
+		}
+		else if(!NT_SUCCESS(bOk))
+		{
+			free(Buffer);
+			return 0;
+		}
+	}
+	while(bOk==STATUS_INFO_LENGTH_MISMATCH );
+	SystemModuleInformationPoint = (PSYSTEM_MODULE_INFORMATION)Buffer;
+	ULONG_PTR Address = (ULONG_PTR)(SystemModuleInformationPoint->Module[0].Base);
+
+	if(szNtosName!=NULL)
+	{
+		//*////////////////////////////////////////////////////////////////////////
+		memcpy(
+			szNtosName,
+			SystemModuleInformationPoint->Module[0].ImageName+SystemModuleInformationPoint->Module[0].ModuleNameOffset,
+			strlen(SystemModuleInformationPoint->Module[0].ImageName+SystemModuleInformationPoint->Module[0].ModuleNameOffset)
+			);
+	}
+
+	free(Buffer);
+
+	return Address;
+}
+
+
+
+char *Strcat(char *Str1, char *Str2) 
+{
+	DWORD dwLen = (DWORD)(strlen(Str1)+strlen(Str2)+1);
+	char* Str3 =(char*)malloc(dwLen);
+	memcpy(Str3,Str1,strlen(Str1));
+	memcpy(Str3+strlen(Str1),Str2,strlen(Str2)+1);
+	return Str3;
+}
+
+
+
+int HsReloc(ULONG_PTR NewBase, ULONG_PTR OrigBase)
+{
+	PIMAGE_DOS_HEADER		DosHeader;
+	PIMAGE_NT_HEADERS		NtHeader;
+	PIMAGE_BASE_RELOCATION	RelocTable;
+	ULONG i,dwOldProtect;
+	DosHeader = (PIMAGE_DOS_HEADER)NewBase;
+	if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+	{
+		return 0;
+	}
+	NtHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)NewBase + DosHeader->e_lfanew );
+	if (NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)//ÊÇ·ñ´æÔÚÖØ¶¨Î»±í
+	{
+		RelocTable=(PIMAGE_BASE_RELOCATION)((ULONG_PTR)NewBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
+		do
+		{
+			ULONG	NumOfReloc=(RelocTable->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2;
+			SHORT	MiniOffset=0;
+			PUSHORT RelocData =(PUSHORT)((ULONG_PTR)RelocTable+sizeof(IMAGE_BASE_RELOCATION));
+			for (i=0; i<NumOfReloc; i++) 
+			{
+				PULONG_PTR RelocAddress;//ÐèÒªÖØ¶¨Î»µÄµØÖ·
+
+				if (((*RelocData)>>12)==IMAGE_REL_BASED_DIR64||((*RelocData)>>12)==IMAGE_REL_BASED_HIGHLOW)//ÅÐ¶ÏÖØ¶¨Î»ÀàÐÍÊÇ·ñÎªIMAGE_REL_BASED_HIGHLOW[32]»òIMAGE_REL_BASED_DIR64[64]
+				{
+
+					MiniOffset=(*RelocData)&0xFFF;//Ð¡Æ«ÒÆ
+
+					RelocAddress=(PULONG_PTR)(NewBase+RelocTable->VirtualAddress+MiniOffset);
+
+					VirtualProtect((PVOID)RelocAddress,sizeof(ULONG_PTR),PAGE_EXECUTE_READWRITE, &dwOldProtect);
+
+					*RelocAddress=*RelocAddress+OrigBase-NtHeader->OptionalHeader.ImageBase;
+
+					VirtualProtect((PVOID)RelocAddress, sizeof(ULONG_PTR),dwOldProtect,&dwOldProtect);
+				}
+				//ÏÂÒ»¸öÖØ¶¨Î»Êý¾Ý
+				RelocData++;
+			}
+			//ÏÂÒ»¸öÖØ¶¨Î»¿é
+			RelocTable=(PIMAGE_BASE_RELOCATION)((ULONG_PTR)RelocTable+RelocTable->SizeOfBlock);
+		}
+		while (RelocTable->VirtualAddress);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+
+
+CHAR *HsGetTempNtdll()
+{
+	char *szPath;
+	szPath=(char*)malloc(260);
+	memset(szPath,0,260);
+	GetTempPathA(260,szPath);   //Ã»ÓÐÊÍ·ÅÄÚ´æ  
+	return Strcat(szPath,"ntdll.dll");    
+}
+
+
+CHAR* HsGetSystemDir()
+{
+	char* szPath;
+	szPath =(char *)malloc(20);
+	memset(szPath,0,20);
+	GetWindowsDirectoryA(szPath,20);
+	return Strcat(szPath,"\\system32\\");
+}
+
+
+
+
+
+DWORD HsGetSSDTFunctionIndex(char *FunctionName)
+{
+
+	ULONG_PTR IndexOffset = 0;
+
+	switch(WinVersion)
+	{
+	case Windows7:
+		{		
+			IndexOffset = 4;
+
+			break;
+		}
+
+	case WindowsXP:
+		{
+
+			IndexOffset = 1;
+
+			break;
+		}
+	}
+
+
+
+	return *(DWORD*)((PUCHAR)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),FunctionName)+IndexOffset);
+}
+
+
+DWORD HsGetSpecialIndex(char *FunctionName)
+{
+	switch(WinVersion)
+	{
+	case Windows7:
+		{
+			if(!_stricmp(FunctionName,"ZwQuerySystemTime"))
+			{
+				return 0x57;
+			}
+			return 0;
+		}
+
+	default:
+		return 0;
+	}
+}
+
+
+
+CHAR* HsGetTempWin32k()
+{
+	char* szPath = NULL;
+	szPath=(char*)malloc(260);
+	memset(szPath,0,260);
+	GetTempPathA(260,szPath);
+	return Strcat(szPath,"win32k.sys");
+}
+
+
+
+ULONG_PTR HsGetWin32kBase()
+{
+	typedef long (__stdcall *pfnZwQuerySystemInformation)
+		(
+		IN ULONG SystemInformationClass,
+		IN PVOID SystemInformation,
+		IN ULONG SystemInformationLength,
+		IN PULONG ReturnLength OPTIONAL
+		);
+	typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64
+	{
+		ULONG Unknow1;
+		ULONG Unknow2;
+		ULONG Unknow3;
+		ULONG Unknow4;
+		PVOID Base;
+		ULONG Size;
+		ULONG Flags;
+		USHORT Index;
+		USHORT NameLength;
+		USHORT LoadCount;
+		USHORT ModuleNameOffset;
+		char ImageName[256];
+	} SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
+
+
+
+	typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32
+	{
+		ULONG  Reserved[2];  
+		ULONG  Base;        
+		ULONG  Size;         
+		ULONG  Flags;        
+		USHORT Index;       
+		USHORT Unknown;     
+		USHORT LoadCount;   
+		USHORT ModuleNameOffset;
+		CHAR   ImageName[256];   
+	} SYSTEM_MODULE_INFORMATION_ENTRY32, *PSYSTEM_MODULE_INFORMATION_ENTRY32;
+
+
+
+#ifdef _WIN64
+#define SYSTEM_MODULE_INFORMATION_ENTRY SYSTEM_MODULE_INFORMATION_ENTRY64
+#else
+#define SYSTEM_MODULE_INFORMATION_ENTRY SYSTEM_MODULE_INFORMATION_ENTRY32
+#endif
+
+
+	typedef struct _SYSTEM_MODULE_INFORMATION
+	{
+		ULONG Count;
+		SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+	} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+#define SystemModuleInformation 11
+#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
+	pfnZwQuerySystemInformation ZwQuerySystemInformationAddress = NULL;
+	PSYSTEM_MODULE_INFORMATION  SystemModuleInformationPoint;
+	ULONG NeedSize, BufferSize = 0x5000;
+	PVOID Buffer = NULL;
+	NTSTATUS bOk;
+	ZwQuerySystemInformationAddress = (pfnZwQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
+	do
+	{
+		Buffer = malloc(BufferSize);
+		if(Buffer == NULL ) 
+		{
+			return 0;
+		}
+		bOk = ZwQuerySystemInformationAddress( SystemModuleInformation, Buffer, BufferSize, &NeedSize );
+		if( bOk == STATUS_INFO_LENGTH_MISMATCH )
+		{
+			free(Buffer);
+			BufferSize *= 2;
+		}
+		else if(!NT_SUCCESS(bOk))
+		{
+			free(Buffer);
+			return 0;
+		}
+	}
+	while(bOk==STATUS_INFO_LENGTH_MISMATCH );
+	SystemModuleInformationPoint = (PSYSTEM_MODULE_INFORMATION)Buffer;
+	ULONG_PTR ModuleCount = SystemModuleInformationPoint->Count;
+
+	ULONG_PTR Address = NULL;
+	//±éÀúËùÓÐµÄÄ£¿é
+	int i = 0;
+	for(i=0; i<ModuleCount;i++ )
+	{
+		if(_stricmp(SystemModuleInformationPoint->Module[i].ImageName+SystemModuleInformationPoint->Module[i].ModuleNameOffset,"win32k.sys")==0 )
+		{
+			Address=(ULONG_PTR)SystemModuleInformationPoint->Module[i].Base;
+			break;
+		}
+	}
+	free(Buffer);
+
+	return Address;
+}
+
+
+
+ULONG_PTR HsGetWin32kImageBase(char *szFileName)
+{
+	PIMAGE_NT_HEADERS NtHeader;
+	PIMAGE_DOS_HEADER DosHeader;
+	ULONG_PTR ImageBaseAddr = 0;
+	char* szNtosFileData=NULL;
+	szNtosFileData = HsLoadDllContext(szFileName);
+	DosHeader = (PIMAGE_DOS_HEADER)szNtosFileData;
+	NtHeader  = (PIMAGE_NT_HEADERS)(szNtosFileData+DosHeader->e_lfanew);
+	ImageBaseAddr=NtHeader->OptionalHeader.ImageBase;
+	return ImageBaseAddr;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/Common.h b/arkProject/HeavenShadow/HeavenShadow/Common.h
new file mode 100644
index 0000000..582540e
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/Common.h
@@ -0,0 +1,158 @@
+#pragma once
+
+#include "stdafx.h"
+
+#include <WinIoCtl.h>
+
+typedef struct _COLUMNSTRUCT
+{
+	WCHAR*	szTitle;
+	UINT    nWidth;
+}COLUMNSTRUCT;
+
+
+enum HS_ENUM_DLG_MSG	//×Ó¶Ô»°¿ò¡¢Ö÷¶Ô»°¿òÖ®¼äÍ¨ÐÅÃ¶¾Ù
+{
+	HS_MESSAGE_STATUSDETAIL = 5425,	//ÐÞ¸Ä×´Ì¬À¸ÏêÏ¸ÐÅÏ¢
+	HS_MESSAGE_STATUSTIP
+};
+
+enum HS_ENUM_IOCTL
+{
+	HS_IOCTL_PROC = 0x100,					//½ø³ÌÏà¹Ø
+	HS_IOCTL_PROC_SENDSELFPID,				//·¢ËÍ×Ô¼ºµÄPIDµ½Çý¶¯²ã
+	HS_IOCTL_PROC_PROCESSCOUNT,				//½ø³Ì¼ÆÊý
+	HS_IOCTL_PROC_PROCESSLIST,				//ÁÐ¾Ù½ø³ÌÁÐ±í
+	HS_IOCTL_PROC_PROTECTPROCESS,			//±£»¤½ø³Ì
+	HS_IOCTL_PROC_KILLPROCESSBYFORCE,		//Ç¿ÖÆ¹Ø±Õ½ø³Ì
+	HS_IOCTL_PROC_PROCESSTHREAD,			//Ïß³Ì
+	HS_IOCTL_PROC_PROCESSTHREADMODULE,		//Ïß³ÌÄ£¿é
+	HS_IOCTL_PROC_PROCESSPRIVILEGE,			//ÁÐ¾Ù½ø³ÌÈ¨ÏÞ
+	HS_IOCTL_PROC_PRIVILEGE_ADJUST,			//¸Ä±ä½ø³ÌÈ¨ÏÞ
+	HS_IOCTL_PROC_PROCESSHANDLE,			//¾ä±ú
+	HS_IOCTL_PROC_PROCESSWINDOW,			//´°¿Ú
+	HS_IOCTL_PROC_PROCESSMODULE,			//½ø³ÌÄ£¿é
+	HS_IOCTL_PROC_PROCESSMEMORY,			//½ø³ÌÄÚ´æ
+
+	HS_IOCTL_MODU = 0x180,					//Ä£¿éÏà¹Ø
+	HS_IOCTL_MODU_MODULELIST,				//ÁÐ¾ÙÏµÍ³Ä£¿éÁÐ±í
+	HS_IOCTL_MODU_REMOVEMODULE,				//Ð¶ÔØÏµÍ³Ä£¿é
+
+	HS_IOCTL_KRNL = 0x200,					//ÄÚºË¹³×ÓÏà¹Ø
+	HS_IOCTL_KRNL_SSDTLIST,					//ÁÐ¾ÙSSDTÁÐ±í
+	HS_IOCTL_KRNL_KISRVTAB,					//»ñÈ¡·þÎñ±í
+	HS_IOCTL_KRNL_RESUMESSDT,				//»Ö¸´SSDTº¯Êý
+	HS_IOCTL_KRNL_SSSDTLIST,				//ÁÐ¾ÙSSSDTÁÐ±í
+	HS_IOCTL_KRNL_WIN32KSERVICE,			//»ñÈ¡Win32k·þÎñ±í
+	HS_IOCTL_KRNL_KRNLFILE,					//»ñÈ¡ÄÚºËÎÄ¼þ		//¾ßÌåÄÄ¸öÎÄ¼þÔÚInputBufferµÄ²¼¶ûÐÍÖÐÈ·¶¨
+	HS_IOCTL_KRNL_KRNLIAT,					//»ñÈ¡ÄÚºËµ¼Èë±í
+	HS_IOCTL_KRNL_KRNLEAT,					//»ñÈ¡ÄÚºËµ¼³ö±í
+
+	HS_IOCTL_SYSK = 0x280,					//ÄÚºËÏà¹Ø
+	HS_IOCTL_SYSK_SYSTHREAD,				//ÄÚºËÏß³Ì
+	HS_IOCTL_SYSK_IOTIMER,					//IOTIMER
+	HS_IOCTL_SYSK_OPERIOTIMER,				//IOTIMERÇÐ»»
+	HS_IOCTL_SYSK_REMOVEIOTIMER,			//IOTIMERÒÆ³ý
+	HS_IOCTL_SYSK_CALLBACKLIST,				//ÏµÍ³»Øµ÷£ºÇý¶¯¼ÓÔØ
+	HS_IOCTL_SYSK_REMOVECALLBACK,			//É¾³ýÏµÍ³»Øµ÷
+	HS_IOCTL_SYSK_DPCTIMER,					//DPCTimer
+	HS_IOCTL_SYSK_REMOVEDPCTIMER,			//DPCTimerÉ¾³ý
+	HS_IOCTL_SYSK_FILTERDRIVER,				//¹ýÂËÇý¶¯
+	HS_IOCTL_SYSK_FILTERUNLOAD,				//Ð¶ÔØ¹ýÂËÇý¶¯
+};
+
+enum HS_DLG_NUM
+{
+	HS_DIALOG_ABOUT = 1,		//¹ØÓÚ¶Ô»°¿ò
+	HS_DIALOG_PROCESS,			//½ø³Ì¶Ô»°¿ò
+	HS_DIALOG_MODULE,			//Ä£¿é¶Ô»°¿ò
+	HS_DIALOG_SYSTEM,			//ÄÚºË¶Ô»°¿ò
+	HS_DIALOG_KERNEL,			//ÄÚºË¹³×Ó¶Ô»°¿ò
+	HS_DIALOG_SERVICE,			//·þÎñ¶Ô»°¿ò
+	HS_DIALOG_FILE,				//ÎÄ¼þ¶Ô»°¿ò
+	HS_DIALOG_SETTING,			//ÉèÖÃ¶Ô»°¿ò
+	HS_DIALOG_TOOLS				//¹¤¾ßÏä¶Ô»°¿ò
+};
+
+typedef enum _WIN_VERSION
+{
+	WindowsNT,
+	Windows2000,
+	WindowsXP,
+	Windows2003,
+	WindowsVista,
+	Windows7,
+	Windows8,
+	Windows8_1,
+	Windows10,
+	WinUnknown
+}WIN_VERSION;
+
+//²»Ö§³Ö·ûºÅÁ´½ÓÓÃ»§Ïà¹ØÐÔ
+#define HS_DEVICE_NAME                  L"\\Device\\HeavenShadowDevice"             // Driver Name
+#define HS_LINK_NAME					L"\\\\.\\HeavenShadowLink"                  // Win32 Link Name
+
+#define HS_EVENT_PROCESS_NAME			L"\\BaseNamedObjects\\HeavenShadowProcessEvent"
+
+#define HS_DRIVER_NAME                  L"HeavenShadowDrv"
+#define HS_DRIVER_PATH                  L"HeavenShadowDrv.sys"
+
+
+
+
+#define HS_IOCTL(i)			 \
+	CTL_CODE                 \
+	(                        \
+	FILE_DEVICE_UNKNOWN,     \
+	i,						 \
+	METHOD_NEITHER,          \
+	FILE_ANY_ACCESS          \
+	)
+
+// HS_IOCTL(HS_IOCTL_PROC_PROCESSLIST)
+
+
+//////////////////////////////////////////////////////////////////////////
+//¹«ÓÐ±äÁ¿
+
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+//¹«ÓÐº¯Êý
+HANDLE OpenDevice(LPCTSTR lpDevicePath);
+
+BOOL HsIs64BitWindows();
+
+VOID HsSendStatusDetail(LPCWSTR szBuffer);
+
+VOID HsSendStatusTip(LPCWSTR szBuffer);
+
+CString TrimPath(WCHAR * wzPath);
+
+CString GetLongPath(CString szPath);
+
+CHAR* HsLoadDllContext(char* szFileName);
+
+DWORD FileLen(char* szFileName);
+
+ULONG_PTR HsGetKernelBase(char* szNtosName);
+
+char *Strcat(char *Str1, char *Str2);
+
+int HsReloc(ULONG_PTR NewBase, ULONG_PTR OrigBase);
+
+CHAR *HsGetTempNtdll();
+
+CHAR* HsGetSystemDir();
+
+DWORD HsGetSpecialIndex(char *FunctionName);
+
+DWORD HsGetSSDTFunctionIndex(char *FunctionName);
+
+CHAR* HsGetTempWin32k();
+
+ULONG_PTR HsGetWin32kBase();
+
+ULONG_PTR HsGetWin32kImageBase(char *szFileName);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/DetailFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/DetailFunc.cpp
new file mode 100644
index 0000000..4648ce5
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/DetailFunc.cpp
@@ -0,0 +1,1045 @@
+#include "stdafx.h"
+#include "DetailFunc.h"
+#include "Common.h"
+
+#include "resource.h"
+
+
+extern WIN_VERSION GetWindowsVersion();
+extern WIN_VERSION WinVersion;
+
+
+
+COLUMNSTRUCT g_Column_ProcessDetail[] = 
+{
+	{	L"ÌõÄ¿Àà±ð",				150	},
+	{	L"ÌõÄ¿ÃèÊö",				440	}
+};
+
+WCHAR g_Item_ProcessDetail[][260] = 
+{
+	L"Ó³ÏñÃû³Æ",
+	L"½ø³ÌID",
+	L"¸¸½ø³ÌID",
+	L"Ó³ÏñÎÄ¼þÂ·¾¶",
+	L"EPROCESS",
+	L"Ó¦ÓÃ²ã·ÃÎÊ",
+	L"ÔËÐÐÊ±¼ä",
+	L"´´½¨Ê±¼ä",
+	L"ÐÞ¸ÄÊ±¼ä",
+	L"·ÃÎÊÊ±¼ä",
+	L"ÎÄ¼þ´óÐ¡",
+	L"ÎÄ¼þ°æ±¾",
+	L"½ø³Ì»·¾³±äÁ¿",
+	L"½ø³ÌÃüÁîÐÐ",
+	L"½ø³Ìµ±Ç°Ä¿Â¼",
+	L"ÎÄ¼þ³§ÉÌ",
+	L"ÎÄ¼þÃèÊö"
+};
+
+enum HS_PROCESS_DETAIL_ITEM
+{
+	HS_PROCESS_DETAIL_ITEM_FILENAME = 0,
+	HS_PROCESS_DETAIL_ITEM_PID,
+	HS_PROCESS_DETAIL_ITEM_PPID,
+	HS_PROCESS_DETAIL_ITEM_PATH,
+	HS_PROCESS_DETAIL_ITEM_EPROCESS,
+	HS_PROCESS_DETAIL_ITEM_USERACCESS,
+	HS_PROCESS_DETAIL_ITEM_RUNTIME,
+	HS_PROCESS_DETAIL_ITEM_CREATETIME,
+	HS_PROCESS_DETAIL_ITEM_MOTIFITIME,
+	HS_PROCESS_DETAIL_ITEM_ACCESSTIME,
+	HS_PROCESS_DETAIL_ITEM_FILESIZE,
+	HS_PROCESS_DETAIL_ITEM_FILEVERSION,
+	HS_PROCESS_DETAIL_ITEM_PEB,
+	HS_PROCESS_DETAIL_ITEM_CMD,
+	HS_PROCESS_DETAIL_ITEM_CURDIR,
+	HS_PROCESS_DETAIL_ITEM_COMPANY,
+	HS_PROCESS_DETAIL_ITEM_DESCRIPTOR
+};
+
+
+UINT g_Column_ProcessDetail_Count  = 2;	  //½ø³ÌÁÐ±íÁÐÊý
+
+UINT g_Item_ProcessDetail_Count = 17;
+
+
+
+typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
+pfnRtlAdjustPrivilege64 RtlAdjustPrivilege;
+
+typedef 
+	NTSTATUS 
+	(WINAPI *pfnNtQueryInformationProcess)(HANDLE,
+	UINT,
+	PVOID,
+	ULONG,
+	PULONG
+	);
+
+pfnNtQueryInformationProcess NtQueryInformationProcessAddress = NULL;
+
+extern int dpix;
+extern int dpiy;		
+
+
+VOID HsInitProcessDetailList(CMyList *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_ProcessDetail_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_ProcessDetail[i].szTitle,LVCFMT_LEFT,(int)(g_Column_ProcessDetail[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsLoadProcessDetailList(PHSPROCESSINFO ProcessInfo, CMyList *m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	UINT i;
+	for (i = 0;i<g_Item_ProcessDetail_Count;i++)
+	{
+		m_ListCtrl->InsertItem(i,g_Item_ProcessDetail[i]);
+	}
+
+	WCHAR Temp[20] = {0};
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_FILENAME,1,ProcessInfo->Name);
+
+	swprintf_s(Temp,L"%d",ProcessInfo->Pid);
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_PID,1,Temp);
+	ZeroMemory(Temp,sizeof(WCHAR)*20);
+
+	swprintf_s(Temp,L"%d",ProcessInfo->PPid);
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_PPID,1,Temp);
+	ZeroMemory(Temp,sizeof(WCHAR)*20);
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_PATH,1,ProcessInfo->Path);
+
+	swprintf_s(Temp,L"0x%p",ProcessInfo->Eprocess);
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_EPROCESS,1,Temp);
+	ZeroMemory(Temp,sizeof(WCHAR)*20);
+
+	if (ProcessInfo->UserAccess == FALSE)
+	{
+		m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_USERACCESS,1,L"¾Ü¾ø");
+	}
+	else
+	{
+		m_ListCtrl->SetItemText(5,1,L"ÔÊÐí");
+	}
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_RUNTIME,1,L"1970/01/01 00:00:00");
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_COMPANY,1,ProcessInfo->CompanyName);
+
+	CString Detail = ProcessInfo->Path;
+	Detail = HsGetFileDescription(Detail);
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_DESCRIPTOR,1,Detail.GetBuffer());
+
+	CFileStatus Status;
+	if(CFile::GetStatus(ProcessInfo->Path, Status))
+	{
+		CTime CreateTime = Status.m_ctime;
+		CTime ModifyTime = Status.m_mtime;
+		CTime AccessTime = Status.m_atime;
+
+		CString strCreateTime;
+		strCreateTime.Format(
+			L"%04d/%02d/%02d %02d:%02d:%02d", 
+			CreateTime.GetYear(),
+			CreateTime.GetMonth(),
+			CreateTime.GetDay(),
+			CreateTime.GetHour(),
+			CreateTime.GetMinute(),
+			CreateTime.GetSecond());
+
+		CString strModifyTime;
+		strModifyTime.Format(
+			L"%04d/%02d/%02d %02d:%02d:%02d", 
+			ModifyTime.GetYear(),
+			ModifyTime.GetMonth(),
+			ModifyTime.GetDay(),
+			ModifyTime.GetHour(),
+			ModifyTime.GetMinute(),
+			ModifyTime.GetSecond());
+
+		CString strAccessTime;
+		strAccessTime.Format(
+			L"%04d/%02d/%02d %02d:%02d:%02d", 
+			AccessTime.GetYear(),
+			AccessTime.GetMonth(),
+			AccessTime.GetDay(),
+			AccessTime.GetHour(),
+			AccessTime.GetMinute(),
+			AccessTime.GetSecond());
+
+		m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_CREATETIME, 1,strCreateTime.GetBuffer());
+		m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_MOTIFITIME,1,strModifyTime.GetBuffer());
+		m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_ACCESSTIME,1,strAccessTime.GetBuffer());
+	}
+	else
+	{
+
+	}
+
+	
+	HANDLE hFile = CreateFile(
+		ProcessInfo->Path, 
+		GENERIC_READ, 
+		FILE_SHARE_READ | FILE_SHARE_DELETE | FILE_SHARE_WRITE, 
+		NULL,
+		OPEN_EXISTING,
+		FILE_ATTRIBUTE_NORMAL,
+		NULL);
+
+	if (hFile != INVALID_HANDLE_VALUE)
+	{
+		CString strFileSize;
+		LARGE_INTEGER FileSize;
+		if (GetFileSizeEx( hFile, &FileSize))
+		{
+			strFileSize.Format(L"%d KB", FileSize.QuadPart / 1024);
+		}
+		CloseHandle(hFile);
+
+		m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_FILESIZE, 1,strFileSize.GetBuffer());
+	}
+	else
+	{
+	}
+
+
+
+	//////////////////////////////////////////////////////////////////////////
+	//°æ±¾
+
+	TCHAR szVersionBuffer[8192] = _T("");
+	DWORD dwVerSize = 0;   
+	DWORD dwHandle = 0;   
+	QWORD dwVersion = 0;
+
+	dwVerSize = GetFileVersionInfoSize(ProcessInfo->Path, &dwHandle);   
+
+	if (dwVerSize)
+	{
+		if (GetFileVersionInfo(ProcessInfo->Path, dwHandle, dwVerSize, szVersionBuffer))   
+		{   
+			VS_FIXEDFILEINFO* Infor;   
+			unsigned int nInfoLen;   
+			if (VerQueryValue(szVersionBuffer, _T("\\"), (void**)&Infor, &nInfoLen))
+			{	
+				dwVersion = Infor->dwFileVersionMS;
+				dwVersion = dwVersion << 32;
+				dwVersion |= Infor->dwFileVersionLS;
+			}   
+		}  
+	} 	
+
+	if (dwVersion)
+	{
+		CString strFileVersion;
+		DWORD dwV1,dwV2,dwV3,dwV4;
+		QWORD dwStackVersion = dwVersion;
+
+		dwV1 = (DWORD)(dwStackVersion & 0xffff);
+		dwStackVersion >>= 16;
+		dwV2 = (DWORD)(dwStackVersion & 0xffff);
+		dwStackVersion >>= 16;
+		dwV3 = (DWORD)(dwStackVersion & 0xffff);
+		dwStackVersion >>= 16;
+		dwV4 = (DWORD)(dwStackVersion & 0xffff);
+
+		strFileVersion.Format(L"%d.%d.%d.%d", dwV4, dwV3, dwV2, dwV1);
+
+		m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_FILEVERSION,1,strFileVersion.GetBuffer());
+
+	}
+	else
+	{
+	}
+
+
+	//////////////////////////////////////////////////////////////////////////
+	//PEB
+
+	CString strPEB;
+
+	strPEB = HsGetProcessPebAddress((DWORD)ProcessInfo->Pid);
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_PEB,1,strPEB.GetBuffer());
+
+
+	//////////////////////////////////////////////////////////////////////////
+	//ÃüÁîÐÐ
+
+	CString strCmdLine;
+
+	strCmdLine = HsGetProcessCmdLine((DWORD)ProcessInfo->Pid);
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_CMD,1,strCmdLine.GetBuffer());
+
+
+	//////////////////////////////////////////////////////////////////////////
+	//µ±Ç°Ä¿Â¼
+
+	CString strCurDir;
+
+	strCurDir = HsGetProcessCurrentDirectory((DWORD)ProcessInfo->Pid);
+
+	m_ListCtrl->SetItemText(HS_PROCESS_DETAIL_ITEM_CURDIR,1,strCurDir.GetBuffer());
+}
+
+
+
+CString HsGetProcessPebAddress(DWORD dwPid)
+{
+	CString szRet = L"";
+	LONG                      Status;
+	HANDLE                    hProcess = NULL;
+	BOOL                      bRet = FALSE;
+	LPTHREAD_START_ROUTINE    FuncAddress = NULL;
+	DWORD                     dwRetVal = 0;
+
+
+	WinVersion = GetWindowsVersion();
+
+	switch(WinVersion)
+	{
+	case Windows7:   //×¢ÒâÎÒÃÇÕâÀïÕë¶ÔµÄÊÇ64Î»µÄWin7
+		{
+			PROCESS_BASIC_INFORMATION64 pbi;
+
+#ifdef _UNICODE
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif	
+			if (FuncAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			NtQueryInformationProcessAddress=(pfnNtQueryInformationProcess)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"NtQueryInformationProcess");
+
+			if (NtQueryInformationProcessAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+			if (RtlAdjustPrivilege==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			RtlAdjustPrivilege(20,1,0,&dwRetVal);
+
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
+
+			if (!hProcess)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			Status = NtQueryInformationProcessAddress(hProcess,
+				ProcessBasicInformation,
+				(PVOID)&pbi,
+				sizeof(PROCESS_BASIC_INFORMATION64),
+				NULL
+				);
+
+			if (Status)
+			{
+
+				bRet = FALSE;
+
+				break;
+			}
+
+			else
+			{
+				szRet.Format(L"0x%p",pbi.PebBaseAddress);
+
+				bRet = TRUE;
+			}
+
+
+			break;
+		}
+
+	case WindowsXP:  //ÕâÀïÊÇÕë¶ÔµÄ32Î»µÄXP
+		{
+
+
+			PROCESS_BASIC_INFORMATION32 pbi;
+
+
+#ifdef _UNICODE
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif	
+			if (FuncAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			NtQueryInformationProcessAddress=(pfnNtQueryInformationProcess)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"NtQueryInformationProcess");
+
+			if (NtQueryInformationProcessAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			HsDebugPrivilege(SE_DEBUG_NAME, TRUE);
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
+			HsDebugPrivilege(SE_DEBUG_NAME, FALSE);
+			if (!hProcess)
+			{
+				bRet = FALSE;
+
+				break;;
+			}
+
+
+			Status = NtQueryInformationProcessAddress(hProcess,
+				ProcessBasicInformation,
+				(PVOID)&pbi,
+				sizeof(PROCESS_BASIC_INFORMATION32),
+				NULL
+				);
+
+			if (Status)
+			{
+
+				bRet = FALSE;
+
+				break;
+			}
+
+			else
+			{
+				szRet.Format(L"0x%x",pbi.PebBaseAddress);
+
+				bRet = TRUE;
+			}
+
+
+			break;
+		}
+	}
+
+
+	if (hProcess)
+	{
+		CloseHandle(hProcess);
+	}
+	if (bRet==FALSE)
+	{
+		szRet.Empty();
+	}
+
+	return szRet;
+}
+
+
+
+
+
+CString HsGetFileDescription(CString strPath)
+{
+	CString strDescription; 
+
+	if (!strPath.IsEmpty() && PathFileExists(strPath))
+	{
+		LPWSTR lpstrFilename = (LPWSTR)(LPCWSTR)strPath;
+		DWORD  dwSize = GetFileVersionInfoSize(lpstrFilename, NULL); 
+
+		if (dwSize)
+		{
+			LPVOID Buffer = malloc(sizeof(char)*dwSize); 
+			if (Buffer)
+			{
+				if (GetFileVersionInfo(lpstrFilename, 0, dwSize, Buffer))
+				{
+					char* VerValue = NULL; 
+					UINT  nSize = 0; 
+					if (VerQueryValue(Buffer, L"\\VarFileInfo\\Translation", (LPVOID*)&VerValue, &nSize))
+					{
+						CString strSubBlock, strTranslation;
+						strDescription.Format(L"000%x", *((unsigned short int *)VerValue)); 
+						strTranslation = strDescription.Right(4); 
+						strDescription.Format(L"000%x", *((unsigned short int *)&VerValue[2])); 
+						strTranslation += strDescription.Right(4); 
+
+						strSubBlock.Format(L"\\StringFileInfo\\%s\\FileDescription", strTranslation); 
+						if (VerQueryValue(Buffer, strSubBlock.GetBufferSetLength(256), (LPVOID*)&VerValue, &nSize))
+						{
+							strSubBlock.ReleaseBuffer(); 
+							strDescription.Format(L"%s", VerValue); 
+						}
+					}
+				}
+
+				free(Buffer);
+			}
+		}
+	}
+
+	return strDescription;
+}
+
+
+
+
+
+CString HsGetProcessCmdLine(DWORD dwPid)
+{
+	CString m_CmdLine;
+	LPTHREAD_START_ROUTINE FuncAddress = NULL;
+	DWORD                  dwRetVal  = 0;
+	HANDLE                 hProcess  = NULL;
+	LONG                   Status;
+
+
+	PVOID		CmdBuffer = NULL;
+	SIZE_T      dwReturn = 0;
+
+	DWORD                     dwSize = 0;
+	LPVOID                    lpAddress = NULL;
+	BOOL                      bRet = FALSE;
+
+	switch(WinVersion)
+	{
+	case Windows7:   //×¢ÒâÎÒÃÇÕâÀïÕë¶ÔµÄÊÇ64Î»µÄWin7
+		{
+
+			_PEB64        Peb;
+			PROCESS_BASIC_INFORMATION64 pbi;
+			PROCESS_PARAMETERS64        ProcParam;
+#ifdef _UNICODE
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif	
+			if (FuncAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			NtQueryInformationProcessAddress=(pfnNtQueryInformationProcess)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"NtQueryInformationProcess");
+
+			if (NtQueryInformationProcessAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+			if (RtlAdjustPrivilege==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			RtlAdjustPrivilege(20,1,0,&dwRetVal);
+
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
+
+			if (!hProcess)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			Status = NtQueryInformationProcessAddress(hProcess,
+				ProcessBasicInformation,
+				(PVOID)&pbi,
+				sizeof(PROCESS_BASIC_INFORMATION64),
+				NULL
+				);
+
+			if (Status)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			if (!ReadProcessMemory( hProcess,
+				(PVOID)pbi.PebBaseAddress,
+				&Peb,
+				sizeof(_PEB64),
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+
+			if (!ReadProcessMemory( hProcess,
+				Peb.ProcessParameters,
+				&ProcParam,
+				sizeof(PROCESS_PARAMETERS64),
+				&dwReturn
+				)
+				)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			lpAddress = ProcParam.CommandLine.Buffer;
+			dwSize = ProcParam.CommandLine.Length;
+
+			CmdBuffer = malloc(dwSize + sizeof(WCHAR));
+			if (!CmdBuffer)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			memset(CmdBuffer, 0, dwSize + sizeof(WCHAR));
+			if (!ReadProcessMemory( hProcess,
+				lpAddress,
+				CmdBuffer,
+				dwSize,
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			bRet = TRUE;
+			m_CmdLine = (WCHAR*)CmdBuffer;
+
+
+			break;
+		}
+
+	case WindowsXP:  //ÕâÀïÊÇÕë¶ÔµÄ32Î»µÄXP
+		{
+
+			_PEB32        Peb;
+			PROCESS_BASIC_INFORMATION32 pbi;
+			PROCESS_PARAMETERS32        ProcParam;
+
+#ifdef _UNICODE
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif	
+			if (FuncAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			NtQueryInformationProcessAddress=(pfnNtQueryInformationProcess)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"NtQueryInformationProcess");
+
+			if (NtQueryInformationProcessAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			HsDebugPrivilege(SE_DEBUG_NAME,TRUE);
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
+			HsDebugPrivilege(SE_DEBUG_NAME,FALSE);
+			if (!hProcess)
+			{
+				bRet = FALSE;
+
+				break;;
+			}
+
+
+			Status = NtQueryInformationProcessAddress(hProcess,
+				ProcessBasicInformation,
+				(PVOID)&pbi,
+				sizeof(PROCESS_BASIC_INFORMATION32),
+				NULL
+				);
+
+			if (Status)
+			{
+				bRet = FALSE;
+
+				break;;
+			}
+
+			if (!ReadProcessMemory( hProcess,
+				(PVOID)pbi.PebBaseAddress,
+				&Peb,
+				sizeof(_PEB32),
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;;
+			}
+
+
+
+			if (!ReadProcessMemory( hProcess,
+				Peb.ProcessParameters,
+				&ProcParam,
+				sizeof(PROCESS_PARAMETERS32),
+				&dwReturn
+				)
+				)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			lpAddress = ProcParam.CommandLine.Buffer;
+			dwSize = ProcParam.CommandLine.Length;
+
+			CmdBuffer = malloc(dwSize + sizeof(WCHAR));
+			if (!CmdBuffer)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			memset(CmdBuffer, 0, dwSize + sizeof(WCHAR));
+			if (!ReadProcessMemory( hProcess,
+				lpAddress,
+				CmdBuffer,
+				dwSize,
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			bRet = TRUE;
+			m_CmdLine = (WCHAR*)CmdBuffer;
+
+			break;
+		}
+	}
+
+
+
+
+	if (hProcess!=NULL)
+	{
+		CloseHandle(hProcess);
+	}
+
+	if (CmdBuffer)
+	{
+		free(CmdBuffer);
+		CmdBuffer = NULL;
+	}
+
+	if (bRet==FALSE)
+	{
+		m_CmdLine.Empty();
+	}
+
+
+	return m_CmdLine;
+} 
+
+
+
+CString HsGetProcessCurrentDirectory(DWORD dwPid)
+{
+	CString                   m_Dir;
+	BOOL                      bRet = FALSE;
+	LPTHREAD_START_ROUTINE    FuncAddress = NULL;
+	DWORD                     dwRetVal = 0;
+	SIZE_T                    dwReturn = 0;
+	HANDLE                    hProcess = NULL;
+	NTSTATUS                  Status;
+	PVOID                     lpAddress = NULL;
+	ULONG                     ulSize = 0;
+	WCHAR*                    CmdBuffer = NULL;
+	switch(WinVersion)
+	{
+	case Windows7:   //×¢ÒâÎÒÃÇÕâÀïÕë¶ÔµÄÊÇ64Î»µÄWin7
+		{
+
+			_PEB64        Peb;
+			PROCESS_BASIC_INFORMATION64 pbi;
+			PROCESS_PARAMETERS64        ProcParam;
+
+#ifdef _UNICODE
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif	
+			if (FuncAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			NtQueryInformationProcessAddress=(pfnNtQueryInformationProcess)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"NtQueryInformationProcess");
+
+			if (NtQueryInformationProcessAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+			if (RtlAdjustPrivilege==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			RtlAdjustPrivilege(20,1,0,&dwRetVal);
+
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
+
+			if (!hProcess)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			Status = NtQueryInformationProcessAddress(hProcess,
+				ProcessBasicInformation,
+				(PVOID)&pbi,
+				sizeof(PROCESS_BASIC_INFORMATION64),
+				NULL
+				);
+
+			if (Status)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			if (!ReadProcessMemory( hProcess,
+				(PVOID)pbi.PebBaseAddress,
+				&Peb,
+				sizeof(_PEB64),
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+
+			if (!ReadProcessMemory( hProcess,
+				Peb.ProcessParameters,
+				&ProcParam,
+				sizeof(PROCESS_PARAMETERS64),
+				&dwReturn
+				)
+				)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			lpAddress = ProcParam.CurrentDirectory.Buffer;
+			ulSize = ProcParam.CurrentDirectory.Length;
+
+			CmdBuffer = (WCHAR*)malloc(ulSize + sizeof(WCHAR));
+			if (!CmdBuffer)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			memset(CmdBuffer, 0, ulSize + sizeof(WCHAR));
+			if (!ReadProcessMemory(hProcess,
+				lpAddress,
+				CmdBuffer,
+				ulSize,
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			m_Dir = (WCHAR*)CmdBuffer;
+			bRet = TRUE;
+
+			break;
+		}
+
+	case WindowsXP:  //ÕâÀïÊÇÕë¶ÔµÄ32Î»µÄXP
+		{
+			_PEB32                      Peb = {0};
+			PROCESS_PARAMETERS32        ProcParam = {0};
+			PROCESS_BASIC_INFORMATION32 pbi;
+
+
+#ifdef _UNICODE
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+			FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif	
+			if (FuncAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			NtQueryInformationProcessAddress=(pfnNtQueryInformationProcess)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"NtQueryInformationProcess");
+
+			if (NtQueryInformationProcessAddress==NULL)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+			HsDebugPrivilege(SE_DEBUG_NAME,TRUE);
+			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
+			HsDebugPrivilege(SE_DEBUG_NAME,FALSE);
+			if (!hProcess)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			Status = NtQueryInformationProcessAddress(hProcess,
+				ProcessBasicInformation,
+				(PVOID)&pbi,
+				sizeof(PROCESS_BASIC_INFORMATION32),
+				NULL
+				);
+
+			if (Status)
+			{
+				bRet = FALSE;
+
+				break;;
+			}
+
+			if (!ReadProcessMemory( hProcess,
+				(PVOID)pbi.PebBaseAddress,
+				&Peb,
+				sizeof(_PEB32),
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;;
+			}
+
+
+
+			if (!ReadProcessMemory( hProcess,
+				Peb.ProcessParameters,
+				&ProcParam,
+				sizeof(PROCESS_PARAMETERS32),
+				&dwReturn
+				)
+				)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			lpAddress = ProcParam.CurrentDirectory.Buffer;
+			ulSize = ProcParam.CurrentDirectory.Length;
+
+			CmdBuffer = (WCHAR*)malloc(ulSize + sizeof(WCHAR));
+			if (!CmdBuffer)
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+			memset(CmdBuffer, 0, ulSize + sizeof(WCHAR));
+			if (!ReadProcessMemory(hProcess,
+				lpAddress,
+				CmdBuffer,
+				ulSize,
+				&dwReturn))
+			{
+				bRet = FALSE;
+
+				break;
+			}
+
+
+			m_Dir = (WCHAR*)CmdBuffer;
+			bRet = TRUE;
+
+			break;
+		}
+	}
+
+
+	if (hProcess)
+	{
+		CloseHandle(hProcess);
+	}
+
+	if (CmdBuffer)
+	{
+		free(CmdBuffer);
+		CmdBuffer = NULL;
+	}
+
+	if (bRet==FALSE)
+	{
+		m_Dir.Empty();
+	}
+
+	return m_Dir;
+}
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/DetailFunc.h b/arkProject/HeavenShadow/HeavenShadow/DetailFunc.h
new file mode 100644
index 0000000..8a7e78b
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/DetailFunc.h
@@ -0,0 +1,148 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+
+#include "ProcessFunc.h"
+
+
+#define ProcessBasicInformation 0
+
+
+
+
+typedef LONG NTSTATUS;
+
+typedef struct
+{
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR  Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef struct  PROCESS_PARAMETERS32
+{
+	ULONG          AllocationSize;
+	ULONG          ActualSize;
+	ULONG          Flags;
+	ULONG          Unknown1;
+	UNICODE_STRING Unknown2;
+	HANDLE         InputHandle;
+	HANDLE         OutputHandle;
+	HANDLE         ErrorHandle;
+	UNICODE_STRING CurrentDirectory;
+	HANDLE         CurrentDirectoryHandle;
+	UNICODE_STRING SearchPaths;
+	UNICODE_STRING ApplicationName;
+	UNICODE_STRING CommandLine;
+	PVOID          EnvironmentBlock;
+	ULONG          Unknown[9];
+	UNICODE_STRING Unknown3;
+	UNICODE_STRING Unknown4;
+	UNICODE_STRING Unknown5;
+	UNICODE_STRING Unknown6;
+} PROCESS_PARAMETERS32, *PPROCESS_PARAMETERS32;
+
+typedef struct PROCESS_PARAMETERS64
+{
+	ULONG          AllocationSize;
+	ULONG          ActualSize;
+	ULONG          Flags;
+	ULONG          Unknown1;
+	PVOID64        ConsoleHandle;
+	ULONG          ConsoleFlags;
+	PVOID64        InputHandle;
+	PVOID64		   OutputHandle;
+	PVOID64        ErrorHandle;
+	UNICODE_STRING CurrentDirectory;
+	HANDLE         CurrentDirectoryHandle;
+	UNICODE_STRING SearchPaths;
+	UNICODE_STRING ApplicationName;
+	UNICODE_STRING CommandLine;
+	PVOID64        EnvironmentBlock;
+	ULONG          Unknown[9];
+	UNICODE_STRING Unknown3;
+	UNICODE_STRING Unknown4;
+	UNICODE_STRING Unknown5;
+	UNICODE_STRING Unknown6;
+}PROCESS_PARAMETERS64,*PPROCESS_PARAMETERS64;
+
+
+
+
+
+
+typedef struct _PEB32 {
+	BOOLEAN InheritedAddressSpace; 
+	BOOLEAN ReadImageFileExecOptions;   
+	BOOLEAN BeingDebugged;             
+	union {
+		BOOLEAN BitField;            
+		struct {
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN SpareBits : 7;
+		};
+	};
+	LONG Mutant;
+	PVOID ImageBaseAddress;
+	PVOID Ldr;
+	PVOID ProcessParameters;
+}_PEB32, *_PPEB32;
+
+
+
+typedef struct _PEB64 {
+	BOOLEAN InheritedAddressSpace; 
+	BOOLEAN ReadImageFileExecOptions;   
+	BOOLEAN BeingDebugged;             
+	union {
+		BOOLEAN BitField;            
+		struct {
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN SpareBits : 7;
+		};
+	};
+	LONG_PTR Mutant;
+	PVOID ImageBaseAddress;
+	PVOID Ldr;
+	PVOID ProcessParameters;
+}_PEB64, *_PPEB64;
+
+
+typedef struct _PROCESS_BASIC_INFORMATION32 {
+	NTSTATUS ExitStatus;
+	ULONG32 PebBaseAddress;
+	ULONG32 AffinityMask;
+	ULONG BasePriority;
+	ULONG32 UniqueProcessId;
+	ULONG32 InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION32;
+
+
+
+
+
+typedef struct _PROCESS_BASIC_INFORMATION64 {
+	NTSTATUS ExitStatus;
+	ULONG32 Pad1;
+	ULONG64 PebBaseAddress;
+	ULONG64 AffinityMask;
+	ULONG   BasePriority;
+	ULONG32 Pad2;
+	ULONG64 UniqueProcessId;
+	ULONG64 InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION64;
+
+
+VOID HsInitProcessDetailList(CMyList *m_ListCtrl);
+
+VOID HsLoadProcessDetailList(PHSPROCESSINFO ProcessInfo, CMyList *m_ListCtrl);
+
+CString HsGetProcessPebAddress(DWORD dwPid);
+
+CString HsGetFileDescription(CString strPath);
+
+CString HsGetProcessCmdLine(DWORD dwPid);
+
+CString HsGetProcessCurrentDirectory(DWORD dwPid);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/DpcTimerFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/DpcTimerFunc.cpp
new file mode 100644
index 0000000..c709929
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/DpcTimerFunc.cpp
@@ -0,0 +1,243 @@
+#include "stdafx.h"
+#include "DpcTimerFunc.h"
+#include "SSDTFunc.h"
+#include "ModuleFunc.h"
+#include "ProcessFunc.h"
+#include "Common.h"
+#include <vector>
+
+using namespace std;
+
+
+vector<DPC_TIMER> m_DPCTimerVector;
+ULONG             m_ulDPCCount;
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+extern vector<DRIVER_INFO> m_DriverList;
+
+
+
+COLUMNSTRUCT g_Column_DPCTimer[] = 
+{
+	{	L"¶¨Ê±Æ÷¶ÔÏó",			125	},
+	{	L"Éè±¸¶ÔÏó",				125	},
+	{	L"´¥·¢ÖÜÆÚ",				70	},
+	{	L"º¯ÊýÈë¿Ú",				125	},
+	{	L"Ä£¿éÎÄ¼þ",				155	},
+	{	L"³öÆ·³§ÉÌ",				125	}
+};
+
+
+UINT g_Column_DPCTimer_Count = 6;
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitDPCTimerList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_DPCTimer_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_DPCTimer[i].szTitle,LVCFMT_LEFT,(int)(g_Column_DPCTimer[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsLoadDPCTimerList(CListCtrl *m_ListCtrl)
+{
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	// 	while(bIsChecking == TRUE)
+	// 	{
+	// 		Sleep(10);
+	// 	}
+
+	bIsChecking = TRUE;
+
+	HsSendStatusDetail(L"DPCTimerÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"DPCTimer");
+
+	HsQueryDPCTimerList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+}
+
+
+
+VOID HsQueryDPCTimerList(CListCtrl *m_ListCtrl)
+{
+	BOOL bRet = FALSE;
+
+	m_ListCtrl->DeleteAllItems();
+	m_DPCTimerVector.clear();
+
+	bRet = EnumDriver();
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"Çý¶¯Ä£¿é³õÊ¼»¯Ê§°Ü¡£");
+		return;
+	}
+
+	bRet = HsGetDPCTimerList();
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"DPCTimer³õÊ¼»¯Ê§°Ü¡£");
+		return;
+	}
+
+	HsInsertDPCTimerItem(m_ListCtrl);
+}
+
+
+BOOL HsGetDPCTimerList()
+{
+	ULONG_PTR ulCnt = 100;
+	PDPC_TIMER_INFOR TimerInfor = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+
+	do 
+	{
+		ULONG_PTR ulSize = sizeof(DPC_TIMER_INFOR) + ulCnt * sizeof(DPC_TIMER);
+
+		if (TimerInfor)
+		{
+			free(TimerInfor);
+			TimerInfor = NULL;
+		}
+
+		TimerInfor = (PDPC_TIMER_INFOR)malloc(ulSize);
+
+		if (TimerInfor)
+		{
+			memset(TimerInfor, 0, ulSize);
+			TimerInfor->ulCnt = (ULONG)ulCnt;		
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_DPCTIMER),
+				NULL,
+				0,
+				TimerInfor,
+				(DWORD)ulSize,
+				&ulReturnSize,
+				NULL);
+		}
+
+		ulCnt =TimerInfor->ulCnt + 10;
+
+	} while (!bRet && TimerInfor->ulRetCnt > TimerInfor->ulCnt);
+
+	if (bRet &&
+		TimerInfor->ulCnt >= TimerInfor->ulRetCnt)
+	{
+		for (ULONG i = 0; i < TimerInfor->ulRetCnt; i++)
+		{
+			m_DPCTimerVector.push_back(TimerInfor->DpcTimer[i]);
+		}
+	}
+
+	if (TimerInfor)
+	{
+		free(TimerInfor);
+		TimerInfor = NULL;
+	}
+
+	return bRet;
+}
+
+
+
+VOID HsInsertDPCTimerItem(CListCtrl* m_ListCtrl)
+{
+	m_ulDPCCount = 0;
+	for (vector<DPC_TIMER>::iterator itor = m_DPCTimerVector.begin(); itor != m_DPCTimerVector.end(); itor++)
+	{
+		CString strTimerObject, strPeriod, strDispatch, strPath, strDpc;
+
+		strTimerObject.Format(L"0x%p", itor->TimerObject);
+		strPeriod.Format(L"%d", itor->Period / 1000);
+		strDispatch.Format(L"0x%p", itor->TimeDispatch);
+		strPath = GetDriverPath(itor->TimeDispatch);
+		strDpc.Format(L"0x%p", itor->Dpc);
+
+		int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strTimerObject);
+		m_ListCtrl->SetItemText(n, 1, strDpc);
+		m_ListCtrl->SetItemText(n, 2, strPeriod);
+		m_ListCtrl->SetItemText(n, 3, strDispatch);
+		m_ListCtrl->SetItemText(n, 4, strPath);
+		m_ListCtrl->SetItemText(n, 5, HsGetFileCompanyName(strPath));
+
+
+		m_ulDPCCount++;
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"DPCTimerÕýÔÚ¼ÓÔØ¡£ ¶¨Ê±Æ÷Êý£º%d",m_ulDPCCount);
+		HsSendStatusDetail(StatusBarContext);
+
+	}
+
+	CString StatusBarContext;
+	StatusBarContext.Format(L"DPCTimer¼ÓÔØÍê³É¡£ ¶¨Ê±Æ÷Êý£º%d",m_ulDPCCount);
+	HsSendStatusDetail(StatusBarContext);
+
+}
+
+
+
+
+VOID HsRemoveDPCTimerItem(CListCtrl* m_ListCtrl)
+{
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+	CString Temp = m_ListCtrl->GetItemText(Index,0);
+
+	REMOVE_DPCTIMER  RemoveDPCTimer;
+
+	for ( vector <DPC_TIMER>::iterator Iter = m_DPCTimerVector.begin( ); Iter != m_DPCTimerVector.end( ); Iter++ )
+	{
+		CString strTimerObject;
+		strTimerObject.Format(L"0x%08p", Iter->TimerObject);
+		if (!strTimerObject.CompareNoCase(Temp))
+		{
+
+			RemoveDPCTimer.TimerObject = Iter->TimerObject;
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_REMOVEDPCTIMER),
+				&RemoveDPCTimer,
+				sizeof(REMOVE_DPCTIMER),
+				NULL,
+				0,
+				&ulReturnSize,
+				NULL);
+
+
+			break;
+		}	
+	}
+
+	m_ulDPCCount--;
+	m_ListCtrl->DeleteItem(Index);
+
+	CString StatusBarContext;
+	StatusBarContext.Format(L"DPCTimer¼ÓÔØÍê³É¡£ ¶¨Ê±Æ÷Êý£º%d",m_ulDPCCount);
+	HsSendStatusDetail(StatusBarContext);
+
+
+	bIsChecking = FALSE;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/DpcTimerFunc.h b/arkProject/HeavenShadow/HeavenShadow/DpcTimerFunc.h
new file mode 100644
index 0000000..e0082f0
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/DpcTimerFunc.h
@@ -0,0 +1,39 @@
+#pragma once
+#include "stdafx.h"
+
+
+
+typedef struct _REMOVE_DPCTIMER
+{
+	ULONG_PTR     TimerObject;
+}REMOVE_DPCTIMER,*PREMOVE_DPCTIMER;
+
+typedef struct _DPC_TIMER_
+{
+	ULONG_PTR TimerObject;
+	ULONG_PTR Period;			// ÖÜÆÚ
+	ULONG_PTR TimeDispatch;
+	ULONG_PTR Dpc;
+}DPC_TIMER, *PDPC_TIMER;
+
+typedef struct _DPC_TIMER_INFOR_
+{
+	ULONG ulCnt;
+	ULONG ulRetCnt;
+	DPC_TIMER DpcTimer[1];
+}DPC_TIMER_INFOR, *PDPC_TIMER_INFOR;
+
+
+VOID HsInitDPCTimerList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadDPCTimerList(CListCtrl *m_ListCtrl);
+
+VOID HsQueryDPCTimerList(CListCtrl *m_ListCtrl);
+
+BOOL HsGetDPCTimerList();
+
+VOID HsInsertDPCTimerItem(CListCtrl* m_ListCtrl);
+
+VOID HsRemoveDPCTimerItem(CListCtrl* m_ListCtrl);
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/FileDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/FileDlg.cpp
new file mode 100644
index 0000000..8610a6c
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/FileDlg.cpp
@@ -0,0 +1,463 @@
+// FileDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "FileDlg.h"
+#include "afxdialogex.h"
+#include "HeavenShadowDlg.h"
+#include "Common.h"
+
+#include "FileFunc.h"
+
+
+HICON m_hIcon;
+CImageList m_pImageList_Large;
+CImageList m_pImageList_Small;
+
+WCHAR  DriveString[MAX_PATH] = {0};
+
+// CFileDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CFileDlg, CDialog)
+
+CFileDlg::CFileDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CFileDlg::IDD, pParent)
+{
+	HRESULT hresut=CoInitialize(NULL);
+
+	SHFILEINFO	sfi;
+	SHGetFileInfo
+		(
+		L"\\\\",                   //Ëæ±ã´«µÝÁ½¸ö×Ö½Ú
+		FILE_ATTRIBUTE_NORMAL, 
+		&sfi,
+		sizeof(SHFILEINFO), 
+		SHGFI_ICON | SHGFI_USEFILEATTRIBUTES | SHGFI_PIDL
+		);
+	m_hIcon = sfi.hIcon;
+
+	WCHAR Temp[100] = {0};
+
+	HIMAGELIST hImageList;
+	// ¼ÓÔØÏµÍ³Í¼±êÁÐ±í
+	hImageList = (HIMAGELIST)SHGetFileInfoW
+		(
+		Temp,
+		FILE_ATTRIBUTE_NORMAL,
+		&sfi,
+		sizeof(SHFILEINFO),
+		SHGFI_LARGEICON | SHGFI_SYSICONINDEX | SHGFI_PIDL
+		);
+	m_pImageList_Large.Attach(hImageList);
+
+	// ¼ÓÔØÏµÍ³Í¼±êÁÐ±í
+	hImageList = (HIMAGELIST)SHGetFileInfoW
+		(
+		Temp,
+		FILE_ATTRIBUTE_NORMAL,
+		&sfi,
+		sizeof(SHFILEINFO),
+		SHGFI_SMALLICON | SHGFI_SYSICONINDEX | SHGFI_PIDL
+		);
+	m_pImageList_Small.Attach(hImageList);
+
+	m_wParent = pParent;
+}
+
+CFileDlg::~CFileDlg()
+{
+}
+
+void CFileDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST_FILELIST, m_fileList);
+	DDX_Control(pDX, IDC_COMBOBOX_FILEPATH, m_filePath);
+	DDX_Control(pDX, IDC_TREE_FILEDIRECTORY, m_dirTree);
+}
+
+
+BEGIN_MESSAGE_MAP(CFileDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+	ON_NOTIFY(NM_RCLICK, IDC_TREE_FILEDIRECTORY, &CFileDlg::OnRclickTreeFiledirectory)
+END_MESSAGE_MAP()
+
+
+// CFileDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+void CFileDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+ 
+ 	CRect   rect;
+ 	GetClientRect(rect);
+// 	dc.FillSolidRect(rect,RGB(255,255,255));
+
+	CClientDC aDC(this); //CClientDCµÄ¹¹Ôìº¯ÊýÐèÒªÒ»¸ö²ÎÊý£¬Õâ¸ö²ÎÊýÊÇÖ¸Ïò»æÍ¼´°¿ÚµÄÖ¸Õë£¬ÎÒÃÇÓÃthisÖ¸Õë¾Í¿ÉÒÔÁË
+
+	CPoint startPoint;
+	CPoint endPoint;
+
+	startPoint.x = -1;
+	startPoint.y = 38;
+	endPoint.x = rect.Width()+1;
+	endPoint.y = 38;
+
+	COLORREF m_Color(RGB(160,160,255));
+
+	CPen pen(PS_SOLID,1,m_Color); ////½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+	aDC.SelectObject(&pen);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+
+	startPoint.x = -1;
+	startPoint.y = 40;
+	endPoint.x = rect.Width()+1;
+	endPoint.y = 40;
+
+	COLORREF m_Color3(RGB(255,255,255));
+
+	CPen pen3(PS_SOLID,2,m_Color3); ////½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+	aDC.SelectObject(&pen3);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+
+
+
+	startPoint.x = 218;
+	startPoint.y = 38;
+	endPoint.x = 218;
+	endPoint.y = rect.Height()+2;
+
+
+	COLORREF m_Color2(RGB(190,190,190));
+
+	CPen pen2(PS_SOLID,1,m_Color2);
+	aDC.SelectObject(&pen2);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+}
+
+
+BOOL CFileDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	//////////////////////////////////////////////////////////////////////////
+	//Ö÷¹¤¾ßÀ¸
+	if (!m_wndToolBar.Create(this, WS_CHILD |
+		WS_VISIBLE | CBRS_ALIGN_ANY | CBRS_TOOLTIPS | CBRS_FLYBY, IDR_TOOLBAR_FILETOOLBAR) 
+		||!m_wndToolBar.LoadToolBar(IDR_TOOLBAR_FILETOOLBAR))
+	{
+
+		return -1;
+	}
+	m_wndToolBar.ModifyStyle(0, TBSTYLE_FLAT);    //Fix for WinXP
+	m_wndToolBar.LoadTrueColorToolBar
+		(
+		24,    //¼ÓÔØÕæ²Ê¹¤¾ßÌõ 
+		IDB_BITMAP_FILETOOLBAR,
+		IDB_BITMAP_FILETOOLBAR,
+		IDB_BITMAP_FILETOOLBAR
+		);
+	// Ìí¼ÓÏÂÀ­°´Å¥
+	m_wndToolBar.AddDropDownButton(this, ID_BUTTON_FILE_VIEW, IDR_MENU_FILE_VIEW);
+
+	m_wndToolBar.MoveWindow(0, 0, 300, 36);	//640
+	//////////////////////////////////////////////////////////////////////////
+	//////////////////////////////////////////////////////////////////////////
+	//Ö÷¹¤¾ßÀ¸
+	if (!m_wndToolBar_goto.Create(this, WS_CHILD |
+		WS_VISIBLE | CBRS_ALIGN_ANY | CBRS_TOOLTIPS | CBRS_FLYBY, IDR_TOOLBAR_FILETOOLBARGOTO) 
+		||!m_wndToolBar_goto.LoadToolBar(IDR_TOOLBAR_FILETOOLBARGOTO))
+	{
+
+		return -1;
+	}
+	m_wndToolBar_goto.ModifyStyle(0, TBSTYLE_FLAT);    //Fix for WinXP
+	m_wndToolBar_goto.LoadTrueColorToolBar
+		(
+		24,    //¼ÓÔØÕæ²Ê¹¤¾ßÌõ 
+		IDB_BITMAP_FILETOOLBARGOTO,
+		IDB_BITMAP_FILETOOLBARGOTO,
+		IDB_BITMAP_FILETOOLBARGOTO
+		);
+
+	m_wndToolBar_goto.MoveWindow(829, 0, 300, 36);	//640
+	//////////////////////////////////////////////////////////////////////////
+
+
+
+
+	m_filePath.SendMessage(CB_SETITEMHEIGHT,-1,18); ///ÉèÖÃCombobox¸ß¶È
+
+
+
+	
+
+ 	// ÎªÁÐ±íÊÓÍ¼ÉèÖÃImageList
+ 	m_fileList.SetImageList(&m_pImageList_Large, LVSIL_NORMAL);
+ 	m_fileList.SetImageList(&m_pImageList_Small, LVSIL_SMALL);
+
+
+
+	m_dirTree.SetImageList(&m_pImageList_Small, LVSIL_NORMAL);
+
+
+	CoInitialize(NULL);
+
+
+	
+
+
+	
+	CloseHandle(CreateThread(NULL, 0, 
+		(LPTHREAD_START_ROUTINE)HsLoadFileTreeList,this, 0, NULL));
+
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CFileDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_FILE;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnFile.EnableWindow(FALSE);
+
+		HsSendStatusDetail(L"¹ÜÀíÄãµÄ´ÅÅÌÎÄ¼þ¡£");
+		HsSendStatusTip(L"ÎÄ¼þ");
+
+	}
+}
+
+
+BOOL CFileDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+// ³õÊ¼»¯ÎÄ¼þÊ÷ºÍÁÐ±í
+void HsLoadFileTreeList(CFileDlg *cFleDlg)
+{
+
+	WCHAR* pDrive = NULL;
+
+	HTREEITEM hRoot;     // Ê÷µÄ¸ù½ÚµãµÄ¾ä±ú   
+	HTREEITEM hDriverItem; // ¿É±íÊ¾ÈÎÒ»´ÅÅÌ½ÚµãµÄ¾ä±ú   
+	HTREEITEM hFolderItem;  // ¿É±íÊ¾ÈÎÒ»Ä¿Â¼½ÚµãµÄ¾ä±ú
+
+	HIMAGELIST hImageListLarge = NULL;
+	HIMAGELIST hImageListSmall = NULL;
+	Shell_GetImageLists(&hImageListLarge, &hImageListSmall);
+	ListView_SetImageList(cFleDlg->m_fileList.m_hWnd, hImageListLarge, LVSIL_NORMAL);
+	ListView_SetImageList(cFleDlg->m_fileList.m_hWnd, hImageListSmall, LVSIL_SMALL);
+
+
+	HsInitDriveList(&cFleDlg->m_fileList);
+
+
+	cFleDlg->m_fileList.DeleteAllItems();
+	cFleDlg->m_dirTree.DeleteAllItems();
+
+
+	LPITEMIDLIST ppidl = {0};
+	SHGetSpecialFolderLocation(NULL,CSIDL_DRIVES,&ppidl);
+	//SHGetPathFromIDList(ppidl,TempPath);
+
+	SHFILEINFO	sfi;
+
+	SHGetFileInfoW
+		(
+		(LPCWSTR)ppidl,
+		0, 
+		&sfi,
+		sizeof(SHFILEINFO), 
+		SHGFI_SYSICONINDEX | SHGFI_PIDL 
+		);
+
+	hRoot = cFleDlg->m_dirTree.InsertItem(_T("¼ÆËã»ú"),sfi.iIcon,sfi.iIcon,0,0);
+
+	GetLogicalDriveStrings(sizeof(DriveString), DriveString);
+
+
+	pDrive = DriveString;
+
+	CString DriveName;
+
+	WCHAR	FileSystem[MAX_PATH];
+	unsigned __int64	HDAmount = 0;
+	unsigned __int64	HDFreeSpace = 0;
+	unsigned long		AmntMB = 0; // ×Ü´óÐ¡
+	unsigned long		FreeMB = 0; // Ê£Óà¿Õ¼ä
+
+
+	cFleDlg->m_dirTree.Expand(hRoot,TVE_EXPAND);
+
+	for (int i = 0; *pDrive != '\0'; i++, pDrive += lstrlen(pDrive) + 1)
+	{
+		
+
+		// µÃµ½´ÅÅÌÏà¹ØÐÅÏ¢
+		memset(FileSystem, 0, sizeof(FileSystem));
+		// µÃµ½ÎÄ¼þÏµÍ³ÐÅÏ¢¼°´óÐ¡
+		GetVolumeInformation(pDrive, NULL, 0, NULL, NULL, NULL, FileSystem, MAX_PATH);
+
+		int	nFileSystemLen = lstrlen(FileSystem) + 1;
+		if (GetDiskFreeSpaceEx(pDrive, (PULARGE_INTEGER)&HDFreeSpace, (PULARGE_INTEGER)&HDAmount, NULL))
+		{	
+			AmntMB = (ULONG)(HDAmount / 1024 / 1024);
+			FreeMB = (ULONG)(HDFreeSpace / 1024 / 1024);
+		}
+		else
+		{
+			AmntMB = 0;
+			FreeMB = 0;
+		}
+
+		//»ñµÃ´ÅÅÌÀà±ð
+		SHFILEINFO	sfi;
+		SHGetFileInfo(pDrive, FILE_ATTRIBUTE_NORMAL, &sfi,sizeof(SHFILEINFO), SHGFI_TYPENAME | SHGFI_USEFILEATTRIBUTES);
+
+		DriveName = sfi.szTypeName;
+
+		DriveName += L" (";
+		DriveName += pDrive;
+
+		DriveName.Delete(DriveName.GetLength()-1);
+
+		DriveName += L")";
+
+		
+
+		int icon = GetIconIndex(pDrive,GetFileAttributes(pDrive));
+
+		int	nItem = cFleDlg->m_fileList.InsertItem(i, DriveName, icon);		//²åÈëÁÐ±í¿ò
+		cFleDlg->m_fileList.SetItemData(nItem, (DWORD_PTR)pDrive);
+
+		hDriverItem = cFleDlg->m_dirTree.InsertItem(DriveName,icon,icon,hRoot,0);	//²åÈëÊ÷ÐÎÁÐ±í
+		cFleDlg->m_dirTree.SetItemData(hDriverItem, (DWORD_PTR)pDrive);
+
+		cFleDlg->m_dirTree.Expand(hRoot,TVE_EXPAND);
+
+		cFleDlg->m_fileList.SetItemText(nItem, 1, sfi.szTypeName);	//²åÈë´ÅÅÌÀà±ð
+
+		CString	str;
+		str.Format(L"%10.1f GB", (float)AmntMB / 1024);
+		cFleDlg->m_fileList.SetItemText(nItem, 2, str);
+		str.Format(L"%10.1f GB", (float)FreeMB / 1024);
+		cFleDlg->m_fileList.SetItemText(nItem, 3, str);
+	}
+	// ÖØÖÃ±¾µØµ±Ç°Â·¾¶
+
+	cFleDlg->m_filePath.ResetContent();
+
+
+
+
+	cFleDlg->m_filePath.SetWindowTextW(L"¼ÆËã»ú");
+
+}
+
+
+
+
+
+int GetIconIndex(LPCWSTR lpFileName, DWORD dwFileAttributes)
+{
+	SHFILEINFO	sfi;
+	if (dwFileAttributes == INVALID_FILE_ATTRIBUTES)
+		dwFileAttributes = FILE_ATTRIBUTE_NORMAL;
+	else
+		dwFileAttributes |= FILE_ATTRIBUTE_NORMAL;
+
+	SHGetFileInfo
+		(
+		lpFileName,
+		dwFileAttributes, 
+		&sfi,
+		sizeof(SHFILEINFO), 
+		SHGFI_SYSICONINDEX | SHGFI_USEFILEATTRIBUTES
+		);
+
+	return sfi.iIcon;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+void CFileDlg::OnRclickTreeFiledirectory(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	// Ñ¡ÖÐµ±Ç°ÓÒ¼üµã»÷µÄ½Úµã
+	POINT pos ;
+	if(!GetCursorPos(&pos))
+		return ;
+	m_dirTree.ScreenToClient(&pos);
+
+	UINT uFlags;
+	HTREEITEM hItem = m_dirTree.HitTest(pos, &uFlags);
+	if ((hItem != NULL) && (TVHT_ONITEM & uFlags))
+	{
+		m_dirTree.Select(hItem, TVGN_CARET);
+	}
+
+
+
+// 	// ÏÔÊ¾²Ëµ¥
+// 	CRect rect ;
+// 	this->GetClientRect(&rect) ;
+// 	ClientToScreen(&rect) ;
+// 	m_dirTree.ClientToScreen(&pos);
+// 
+// 	int iCode= rect.PtInRect(pos) ;
+// 
+// 	CMenu m_Menu,*p_Menu=NULL ;
+// 	if(iCode)
+// 	{
+// 		m_Menu.LoadMenu( IDR_MENU_REG) ; 
+// 		p_Menu = (CMenu*) m_Menu.GetSubMenu(0);
+// 		if( p_Menu != NULL)
+// 			p_Menu->TrackPopupMenu( TPM_RIGHTBUTTON|TPM_LEFTALIGN, pos.x, pos.y, this);
+// 		p_Menu = NULL;
+// 		//mouse_event(MOUSEEVENTF_RIGHTUP, pos.x, pos.y, 0, NULL);
+// 	}
+
+
+
+
+	*pResult = 0;
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/FileDlg.h b/arkProject/HeavenShadow/HeavenShadow/FileDlg.h
new file mode 100644
index 0000000..02ba164
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/FileDlg.h
@@ -0,0 +1,47 @@
+#pragma once
+#include "afxcmn.h"
+#include "afxshelltreectrl.h"
+
+#include "MyList.h"
+#include "TrueColorToolBar.h"
+
+// CFileDlg ¶Ô»°¿ò
+
+class CFileDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CFileDlg)
+
+public:
+	CFileDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CFileDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_FILE };
+
+	CTrueColorToolBar m_wndToolBar; //¹¤¾ßÀ¸
+	CTrueColorToolBar m_wndToolBar_goto; //¹¤¾ßÀ¸
+
+	CWnd* m_wParent;
+
+	
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnPaint();
+	virtual BOOL OnInitDialog();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	CListCtrl m_fileList;
+	CComboBoxEx m_filePath;
+	CTreeCtrl m_dirTree;
+	// ³õÊ¼»¯ÎÄ¼þÊ÷ºÍÁÐ±í
+
+	afx_msg void OnRclickTreeFiledirectory(NMHDR *pNMHDR, LRESULT *pResult);
+};
+
+
+
+void HsLoadFileTreeList(CFileDlg *cFleDlg);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/FileFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/FileFunc.cpp
new file mode 100644
index 0000000..330b368
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/FileFunc.cpp
@@ -0,0 +1,56 @@
+#include "stdafx.h"
+#include "FileFunc.h"
+#include "Common.h"
+
+
+
+COLUMNSTRUCT g_Column_Drive[] = 
+{
+	{	L"Ãû³Æ",			150	},
+	{	L"ÀàÐÍ",			150	},
+	{	L"×Ü´óÐ¡",			150	},
+	{	L"¿ÉÓÃ¿Õ¼ä",		150	}
+};
+
+UINT g_Column_Drive_Count  = 4;	  //½ø³ÌÁÐ±íÁÐÊý
+
+
+COLUMNSTRUCT g_Column_File[] = 
+{
+	{	L"ÎÄ¼þÃû³Æ",		130	},
+	{	L"´óÐ¡",			100	},
+	{	L"ÎÄ¼þÀàÐÍ",		125	},
+	{	L"´´½¨Ê±¼ä",		125	},
+	{	L"ÐÞ¸ÄÊ±¼ä",		125	}
+};
+
+UINT g_Column_File_Count  = 5;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+void HsInitDriveList(CListCtrl *m_ListCtrl)
+{
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	while(m_ListCtrl->DeleteColumn(0));
+
+	UINT i;
+	for (i = 0;i<g_Column_Drive_Count;i++)
+	{
+		if (i == 0 || i == 1)
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Drive[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Drive[i].nWidth*(dpix/96.0)));
+		}
+		else
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Drive[i].szTitle,LVCFMT_RIGHT,(int)(g_Column_Drive[i].nWidth*(dpix/96.0)));
+		}
+		
+	}
+}
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/FileFunc.h b/arkProject/HeavenShadow/HeavenShadow/FileFunc.h
new file mode 100644
index 0000000..0c3bb58
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/FileFunc.h
@@ -0,0 +1,11 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+
+
+
+void HsInitDriveList(CListCtrl *m_ListCtrl);
+
+int GetIconIndex(LPCWSTR lpFileName, DWORD dwFileAttributes);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/FilterDriverFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/FilterDriverFunc.cpp
new file mode 100644
index 0000000..ab00ba7
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/FilterDriverFunc.cpp
@@ -0,0 +1,339 @@
+#include "stdafx.h"
+#include "FilterDriverFunc.h"
+#include "ProcessFunc.h"
+#include "Common.h"
+#include <vector>
+
+#include "ProcessFunc.h"
+
+using namespace std;
+
+
+vector<FILTER_INFO> m_FilterInfor;
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+
+COLUMNSTRUCT g_Column_FilterDriver[] = 
+{
+	{	L"ÀàÐÍ",					80	},
+	{	L"¹ýÂËÉè±¸¶ÔÏó",			125	},
+	{	L"¹ýÂËÇý¶¯Ãû³Æ",			125	},
+	{	L"ËÞÖ÷Çý¶¯Ãû³Æ",			125	},
+	{	L"ËùÊôÇý¶¯Â·¾¶",			220	},
+	{	L"³öÆ·³§ÉÌ",				125	}
+};
+
+WCHAR szFilterType[][260] = {
+	L"Unkonw",
+	L"File",
+	L"Disk",
+	L"Volume",
+	L"Keyboard",
+	L"Mouse",
+	L"I8042prt",
+	L"Tcpip",
+	L"NDIS",
+	L"PnpManager"
+	L"Tdx",
+	L"RAW"
+};
+
+
+UINT g_Column_FilterDriver_Count = 6;
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitFilterDriverList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_FilterDriver_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_FilterDriver[i].szTitle,LVCFMT_LEFT,(int)(g_Column_FilterDriver[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsLoadFilterDriverList(CListCtrl *m_ListCtrl)
+{
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	// 	while(bIsChecking == TRUE)
+	// 	{
+	// 		Sleep(10);
+	// 	}
+
+	bIsChecking = TRUE;
+
+	HsSendStatusDetail(L"¹ýÂËÇý¶¯ÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"¹ýÂËÇý¶¯");
+
+	HsQueryFilterDriverList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+}
+
+
+
+VOID HsQueryFilterDriverList(CListCtrl *m_ListCtrl)
+{
+	ULONG_PTR ulCnt = 100;
+	PFILTER_DRIVER FilterDriver = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	m_ListCtrl->DeleteAllItems();
+	m_FilterInfor.clear();
+
+	do 
+	{
+		ULONG_PTR ulSize = sizeof(FILTER_DRIVER) + ulCnt * sizeof(FILTER_INFO);
+
+		if (FilterDriver)
+		{
+			free(FilterDriver);
+			FilterDriver = NULL;
+		}
+
+		FilterDriver = (PFILTER_DRIVER)malloc(ulSize);
+
+		if (FilterDriver)
+		{
+			memset(FilterDriver, 0, ulSize);
+			FilterDriver->ulCnt = ulCnt;		
+
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_FILTERDRIVER),
+				NULL,
+				0,
+				FilterDriver,
+				(DWORD)ulSize,
+				&ulReturnSize,
+				NULL);
+		}
+
+		ulCnt =FilterDriver->ulCnt + 10;
+
+	} while (!bRet && FilterDriver->ulRetCnt > FilterDriver->ulCnt);
+
+	if (bRet &&
+		FilterDriver->ulCnt >= FilterDriver->ulRetCnt)
+	{
+		for (ULONG i = 0; i < FilterDriver->ulRetCnt; i++)
+		{
+			m_FilterInfor.push_back(FilterDriver->Filter[i]);
+		}
+	}
+
+	if (FilterDriver)
+	{
+		free(FilterDriver);
+		FilterDriver = NULL;
+	}
+
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"¹ýÂËÇý¶¯¼ÓÔØÊ§°Ü¡£");
+
+		return;
+	}
+
+	HsInsertFilterDriverItem(m_ListCtrl);
+}
+
+
+
+void HsInsertFilterDriverItem(CListCtrl* m_ListCtrl)
+{
+	ULONG_PTR ulFilterDriver = 0;
+
+	for (vector<FILTER_INFO>::iterator itor = m_FilterInfor.begin(); itor != m_FilterInfor.end(); itor++)
+	{
+		CString strFileterDeviceObject, strType;
+
+
+		switch(itor->Type)
+		{
+		case Disk:
+			{
+				CString strTemp("Disk");
+				strType = strTemp;
+				break;
+			}
+		case Volume:
+			{
+				CString strTemp("Volume");
+				strType = strTemp;
+				break;
+			}
+		case File:
+			{
+				CString strTemp("File");
+				strType = strTemp;
+				break;
+			}
+		case Keyboard:
+			{
+				CString strTemp("Keyboard");
+				strType = strTemp;
+				break;
+			}
+		case Mouse:
+			{
+				CString strTemp("Mouse");
+				strType = strTemp;
+				break;
+			}
+		case I8042prt:
+			{
+				CString strTemp("I8042prt");
+				strType = strTemp;
+				break;
+			}
+		case Tcpip:
+			{
+				CString strTemp("TCP/IP");
+				strType = strTemp;
+				break;
+			}
+		case NDIS:
+			{
+				CString strTemp("NDIS");
+				strType = strTemp;
+				break;
+			}
+		case PnpManager:
+			{
+				CString strTemp("PnpManager");
+				strType = strTemp;
+				break;
+			}
+		case Tdx:
+			{
+				CString strTemp("Tdx");
+				strType = strTemp;
+				break;
+			}
+		case RAW:
+			{
+				CString strTemp("RAW");
+				strType = strTemp;
+				break;
+			}
+		default:
+			{
+				CString strTemp("Unknow");
+				strType = strTemp;
+				break;
+			}
+		}
+
+
+		int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strType);
+		strFileterDeviceObject.Format(L"0x%08p", itor->FileterDeviceObject);
+		m_ListCtrl->SetItemText(n, 1, strFileterDeviceObject);
+		CString strFilterDriverName(itor->wzFilterDriverName);
+		m_ListCtrl->SetItemText(n, 2, strFilterDriverName);
+
+		CString strAttachedDriverName(itor->wzAttachedDriverName);
+		m_ListCtrl->SetItemText(n, 3, strAttachedDriverName);
+
+		CString strPath(itor->wzPath);
+		if (wcsstr(strPath,L"SystemRoot")!=NULL)
+		{
+			WCHAR wzTempDir[260] = {0};
+			GetEnvironmentVariableW(L"windir",wzTempDir,MAX_PATH);
+			WCHAR* Temp = strPath.LockBuffer()+wcslen(L"\\SystemRoot");
+			if (wzTempDir[lstrlen(wzTempDir)-1]=='\\')
+			{
+				Temp = Temp + 1;
+			}
+			wcscat_s(wzTempDir,Temp);
+			strPath.UnlockBuffer();
+			strPath = wzTempDir;
+		}
+		else if (wcsstr(strPath,L"\\??\\")!=NULL)
+		{
+			WCHAR* Temp = strPath.LockBuffer()+wcslen(L"\\??\\");
+			strPath = Temp;
+		}
+		m_ListCtrl->SetItemText(n, 4, strPath);
+
+		CString strFileCorp = HsGetFileCompanyName(strPath);
+
+		m_ListCtrl->SetItemText(n, 5, strFileCorp);
+
+		ulFilterDriver++;
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"¹ýÂËÇý¶¯ÕýÔÚ¼ÓÔØ¡£ Çý¶¯Êý£º%d",ulFilterDriver);
+		HsSendStatusDetail(StatusBarContext);
+	}
+
+	CString StatusBarContext;
+	StatusBarContext.Format(L"¹ýÂËÇý¶¯¼ÓÔØÍê³É¡£ Çý¶¯Êý£º%d",ulFilterDriver);
+	HsSendStatusDetail(StatusBarContext);
+
+}
+
+
+VOID HsRemoveFilterDriverItem(CListCtrl* m_ListCtrl)
+{
+	UNLOAD_FILTER UnloadFilter;
+
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+	CString Temp = m_ListCtrl->GetItemText(Index,1);
+
+	swscanf_s(Temp.GetBuffer()+2,L"%p",&UnloadFilter.DeviceObject);
+
+	Temp = m_ListCtrl->GetItemText(Index,0);
+
+	int nFilterType = 0;
+
+	for (nFilterType = 0; nFilterType < 10; nFilterType++)
+	{
+		if (_wcsicmp(szFilterType[nFilterType],Temp)==0)
+		{
+			break;
+		}
+	}
+
+	UnloadFilter.Type = (FILTER_TYPE)nFilterType;
+	
+
+	BOOL dwRet = FALSE;
+
+	DWORD dwReturnSize = 0;
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_FILTERUNLOAD),
+		&UnloadFilter,
+		sizeof(UNLOAD_FILTER),
+		NULL,
+		0,
+		&dwReturnSize,
+		NULL);
+
+	if (dwRet)
+	{
+		HsQueryFilterDriverList(m_ListCtrl);
+	}
+
+	bIsChecking = FALSE;
+}
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/FilterDriverFunc.h b/arkProject/HeavenShadow/HeavenShadow/FilterDriverFunc.h
new file mode 100644
index 0000000..8be2046
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/FilterDriverFunc.h
@@ -0,0 +1,58 @@
+#pragma once
+#include "stdafx.h"
+
+
+typedef enum _FILTER_TYPE_
+{
+	Unkonw,
+	File,
+	Disk,
+	Volume,
+	Keyboard,
+	Mouse,
+	I8042prt,
+	Tcpip,
+	NDIS,
+	PnpManager,
+	Tdx,
+	RAW
+}FILTER_TYPE;
+
+typedef struct _FILTER_INFO_
+{
+	FILTER_TYPE Type;
+	ULONG_PTR FileterDeviceObject;
+	WCHAR wzFilterDriverName[100];
+	WCHAR wzAttachedDriverName[100];
+	WCHAR wzPath[MAX_PATH];
+}FILTER_INFO, *PFILTER_INFO;
+
+typedef struct _FILTER_DRIVER_
+{
+	ULONG_PTR ulCnt;
+	ULONG_PTR ulRetCnt;
+	FILTER_INFO Filter[1];
+}FILTER_DRIVER, *PFILTER_DRIVER;
+
+typedef struct _UNLOAD_FILTER_
+{
+	FILTER_TYPE Type;
+	ULONG_PTR   DeviceObject;
+}UNLOAD_FILTER, *PUNLOAD_FILTER;
+
+
+VOID HsInitFilterDriverList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadFilterDriverList(CListCtrl *m_ListCtrl);
+
+VOID HsQueryFilterDriverList(CListCtrl *m_ListCtrl);
+
+void HsInsertFilterDriverItem(CListCtrl* m_ListCtrl);
+
+VOID HsRemoveFilterDriverItem(CListCtrl* m_ListCtrl);
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/HandleFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/HandleFunc.cpp
new file mode 100644
index 0000000..74919e2
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HandleFunc.cpp
@@ -0,0 +1,192 @@
+#include "stdafx.h"
+#include "HandleFunc.h"
+#include "Common.h"
+
+#include "resource.h"
+
+
+extern ULONG_PTR g_ulProcessId;
+extern HANDLE g_hDevice;
+
+vector<HANDLE_INFO> m_HandleVector;
+
+COLUMNSTRUCT g_Column_ProcessHandle[] = 
+{
+	{	L"¾ä±ú",					60	},
+	{	L"¾ä±úÃû³Æ",				205	},
+	{	L"¾ä±ú¶ÔÏó",				130	},
+	{	L"¾ä±úÀàÐÍ",				125	},
+	{	L"ÒýÓÃ¼ÆÊý",				70	}
+};
+
+
+enum HS_HANDLE_COLUMN
+{
+	HS_HANDLE_COLUMN_HANDLEVALUE,
+	HS_HANDLE_COLUMN_OBJECTNAME,
+	HS_HANDLE_COLUMN_OBJECT,
+	HS_HANDLE_COLUMN_TYPENAME,
+	HS_HANDLE_COLUMN_HANDLECOUNT
+};
+
+UINT g_Column_ProcessHandle_Count  = 5;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitProcessHandleList(CMyList *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_ProcessHandle_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_ProcessHandle[i].szTitle,LVCFMT_LEFT,(int)(g_Column_ProcessHandle[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+
+VOID HsQueryProcessHandle(CMyList *m_ListCtrl)
+{
+	ULONG_PTR  ProcessID = g_ulProcessId;
+
+	if (ProcessID <= 4)
+	{
+		return;
+	}
+
+	m_ListCtrl->DeleteAllItems();
+	m_HandleVector.clear();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR ulCount = 0x1000;
+	PALL_HANDLES Handles= NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (Handles)
+		{
+			free(Handles);
+			Handles = NULL;
+		}
+
+		ulSize = sizeof(ALL_HANDLES) + ulCount * sizeof(HANDLE_INFO);
+
+		Handles = (PALL_HANDLES)malloc(ulSize);
+		if (!Handles)
+		{
+			break;
+		}
+
+		memset(Handles,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSHANDLE),
+			&ProcessID,
+			sizeof(ULONG),
+			Handles,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = Handles->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && Handles)
+	{
+		for (ULONG i = 0; i < Handles->ulCount; i++)
+		{
+			m_HandleVector.push_back(Handles->Handles[i]);
+		}
+
+		bOk = TRUE;
+	}
+
+	if (Handles)
+	{
+		free(Handles);
+		Handles = NULL;
+	}
+
+	if (m_HandleVector.empty())
+	{
+		return;
+	}
+
+	for (vector <HANDLE_INFO>::iterator Iter = m_HandleVector.begin( ); 
+		Iter != m_HandleVector.end( ); 
+		Iter++ )
+	{
+		CString strHandle, strObject, strReferenceCount;
+
+		strHandle.Format(L"0x%04X", ((HANDLE_INFO)*Iter).Handle);
+		strObject.Format(L"0x%08p", ((HANDLE_INFO)*Iter).Object);
+		strReferenceCount.Format(L"%d", ((HANDLE_INFO)*Iter).ReferenceCount);
+
+		int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strHandle);
+		m_ListCtrl->SetItemText(n, 1, ((HANDLE_INFO)*Iter).HandleName);
+		m_ListCtrl->SetItemText(n, 2, strObject);
+		m_ListCtrl->SetItemText(n, 3, ((HANDLE_INFO)*Iter).ObjectName);
+		m_ListCtrl->SetItemText(n, 4, strReferenceCount);
+	}
+
+// 	ULONG dwReturnSize = 0;
+// 	ULONG dwRet = 0;
+// 
+// 	ULONG nSize = 0x100000;
+// 
+// 	PHSHANDLE pHandleInfo = NULL;
+// 
+// 	if (ProcessID == 0)
+// 	{
+// 		return;
+// 	}
+// 
+// 
+// 	pHandleInfo = (PHSHANDLE)VirtualAlloc(0, nSize,MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+// 
+// 	ZeroMemory(pHandleInfo,nSize);
+// 
+// 
+// 	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSHANDLE),
+// 		&ProcessID,
+// 		sizeof(ULONG_PTR),
+// 		pHandleInfo,
+// 		nSize,
+// 		&dwReturnSize,
+// 		NULL);
+// 
+// 	if (dwRet == 0)
+// 	{
+// 		return;
+// 	}
+// 
+// 	for (int i = 0; i < (int)pHandleInfo->NumberOfHandles; i++)
+// 	{
+// 		CString Temp;
+// 		Temp.Format(L"0x%08X",pHandleInfo->Handles[i].HandleValue);
+// 		m_ListCtrl->InsertItem(i,Temp);
+// 		Temp.Empty();
+// 
+// 		Temp.Format(L"0x%p",pHandleInfo->Handles[i].Object);
+// 		m_ListCtrl->SetItemText(i,HS_HANDLE_COLUMN_OBJECT,Temp);
+// 		Temp.Empty();
+// 
+// 		Temp.Format(L"%d",pHandleInfo->Handles[i].ObjectTypeIndex);
+// 		m_ListCtrl->SetItemText(i,HS_HANDLE_COLUMN_TYPEINDEX,Temp);
+// 		Temp.Empty();
+// 	}
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/HandleFunc.h b/arkProject/HeavenShadow/HeavenShadow/HandleFunc.h
new file mode 100644
index 0000000..f194f90
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HandleFunc.h
@@ -0,0 +1,36 @@
+#pragma once
+#include "stdafx.h"
+#include <vector>
+#include <afxtempl.h>
+#include "MyList.h"
+using namespace std;
+
+#include "ProcessFunc.h"
+
+
+
+#define MAX_OBJECT_NAME  50
+#define MAX_PATH2        500
+
+
+typedef struct _HANDLE_INFO_
+{
+	ULONG_PTR Handle;
+	ULONG_PTR Object;
+	ULONG_PTR ReferenceCount;
+	WCHAR ObjectName[MAX_OBJECT_NAME];
+	WCHAR HandleName[MAX_PATH2];
+}HANDLE_INFO, *PHANDLE_INFO;
+
+typedef struct _PROCESS_HANDLES_
+{
+	ULONG_PTR ulCount;
+	HANDLE_INFO Handles[1];
+}ALL_HANDLES, *PALL_HANDLES;
+
+
+
+
+VOID HsInitProcessHandleList(CMyList *m_ListCtrl);
+
+VOID HsQueryProcessHandle(CMyList *m_ListCtrl);
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.aps b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.aps
new file mode 100644
index 0000000..590eaf5
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.aps differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.cpp b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.cpp
new file mode 100644
index 0000000..651c635
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.cpp
@@ -0,0 +1,250 @@
+
+// HeavenShadow.cpp : ¶¨ÒåÓ¦ÓÃ³ÌÐòµÄÀàÐÐÎª¡£
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "HeavenShadowDlg.h"
+
+
+//////////////////////////////////////////////////////////////////////////
+#include "LoadSys.h"
+
+#include "WzdSplash.h"
+
+#define HS_ONLY_ONE_PROCESS L"HS_ONLY_ONE_PROCESS"
+
+extern HANDLE g_hDevice;
+BOOL bDriverIsOK = FALSE;
+//////////////////////////////////////////////////////////////////////////
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#endif
+
+
+// CHeavenShadowApp
+
+BEGIN_MESSAGE_MAP(CHeavenShadowApp, CWinApp)
+	ON_COMMAND(ID_HELP, &CWinApp::OnHelp)
+END_MESSAGE_MAP()
+
+
+// CHeavenShadowApp ¹¹Ôì
+
+CHeavenShadowApp::CHeavenShadowApp()
+{
+	// Ö§³ÖÖØÐÂÆô¶¯¹ÜÀíÆ÷
+	m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
+
+	// TODO: ÔÚ´Ë´¦Ìí¼Ó¹¹Ôì´úÂë£¬
+	// ½«ËùÓÐÖØÒªµÄ³õÊ¼»¯·ÅÖÃÔÚ InitInstance ÖÐ
+}
+
+
+// Î¨Ò»µÄÒ»¸ö CHeavenShadowApp ¶ÔÏó
+
+CHeavenShadowApp theApp;
+
+
+// CHeavenShadowApp ³õÊ¼»¯
+
+BOOL CHeavenShadowApp::InitInstance()
+{
+	//////////////////////////////////////////////////////////////////////////
+
+
+	HANDLE hMutex = ::CreateMutexW(NULL,TRUE,HS_ONLY_ONE_PROCESS);
+	if (GetLastError() == ERROR_ALREADY_EXISTS)
+	{
+		::MessageBox(
+			NULL,
+			L"ÄúÒÑ¾­ÔËÐÐÁËÌìÓ°ÎÀÊ¿£¡",
+			L"ÌìÓ°ÎÀÊ¿",
+			0
+			);	//µ¯³ö¶Ô»°¿òÈ·ÈÏ²»ÄÜÔËÐÐµÚ¶þ¸öÊµÀý¡£
+
+		CloseHandle(hMutex);
+		ExitProcess(0);
+	}
+
+	if (HsIs64BitWindows() == TRUE && sizeof(ULONG_PTR) == sizeof(ULONG32))
+	{
+		::MessageBox(
+			NULL,
+			L"ÄúÔÚÊ¹ÓÃ 64 Î»µÄ Windows ²Ù×÷ÏµÍ³¡£ÔËÐÐÌìÓ°ÎÀÊ¿ 32 Î»°æ\r\n¿ÉÄÜ»áÔì³É²»¿ÉÔ¤ÁÏµÄºó¹û¡£¾´ÇëÑ¡ÔñÌìÓ°ÎÀÊ¿ 64 Î»°æ¡£",
+			L"ÌìÓ°ÎÀÊ¿",
+			0
+			);
+		ExitProcess(0);
+	}
+
+	//////////////////ÏÔÊ¾Splash£¬2010-10-15///////////////////////////////////
+	CWzdSplash wndSplash;                 //´´½¨Æô¶¯´°¿ÚÀàµÄÊµÀý
+	wndSplash.Create(IDB_BITMAP_WZDSPLASH);
+	wndSplash.CenterWindow();
+	wndSplash.UpdateWindow();          //send WM_PAINT
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+	//////////////////////////////////////////////////////////////////////////
+
+	// Èç¹ûÒ»¸öÔËÐÐÔÚ Windows XP ÉÏµÄÓ¦ÓÃ³ÌÐòÇåµ¥Ö¸¶¨Òª
+	// Ê¹ÓÃ ComCtl32.dll °æ±¾ 6 »ò¸ü¸ß°æ±¾À´ÆôÓÃ¿ÉÊÓ»¯·½Ê½£¬
+	//ÔòÐèÒª InitCommonControlsEx()¡£·ñÔò£¬½«ÎÞ·¨´´½¨´°¿Ú¡£
+	INITCOMMONCONTROLSEX InitCtrls;
+	InitCtrls.dwSize = sizeof(InitCtrls);
+	// ½«ËüÉèÖÃÎª°üÀ¨ËùÓÐÒªÔÚÓ¦ÓÃ³ÌÐòÖÐÊ¹ÓÃµÄ
+	// ¹«¹²¿Ø¼þÀà¡£
+	InitCtrls.dwICC = ICC_WIN95_CLASSES;
+	InitCommonControlsEx(&InitCtrls);
+
+	CWinApp::InitInstance();
+
+
+	AfxEnableControlContainer();
+
+	// ´´½¨ shell ¹ÜÀíÆ÷£¬ÒÔ·À¶Ô»°¿ò°üº¬
+	// ÈÎºÎ shell Ê÷ÊÓÍ¼¿Ø¼þ»ò shell ÁÐ±íÊÓÍ¼¿Ø¼þ¡£
+	CShellManager *pShellManager = new CShellManager;
+
+	// ±ê×¼³õÊ¼»¯
+	// Èç¹ûÎ´Ê¹ÓÃÕâÐ©¹¦ÄÜ²¢Ï£Íû¼õÐ¡
+	// ×îÖÕ¿ÉÖ´ÐÐÎÄ¼þµÄ´óÐ¡£¬ÔòÓ¦ÒÆ³ýÏÂÁÐ
+	// ²»ÐèÒªµÄÌØ¶¨³õÊ¼»¯Àý³Ì
+	// ¸ü¸ÄÓÃÓÚ´æ´¢ÉèÖÃµÄ×¢²á±íÏî
+	// TODO: Ó¦ÊÊµ±ÐÞ¸Ä¸Ã×Ö·û´®£¬
+	// ÀýÈçÐÞ¸ÄÎª¹«Ë¾»ò×éÖ¯Ãû
+	SetRegistryKey(_T("ÌìÓ°ÎÀÊ¿"));
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+	// 	WCHAR *Temp = AfxGetApp()->m_lpCmdLine;
+	// 
+	// 	BOOL bIsHideWnd = FALSE;
+	// 
+	// 	if (wcslen(Temp))
+	// 	{
+	// 		WCHAR* p = Temp;
+	// 
+	// 		for (int i = 0; i< wcslen(Temp); i++)
+	// 		{
+	// 			if (_wcsnicmp(p,L"-HideWnd",wcslen(L"-HideWnd"))==0)
+	// 			{
+	// 				bIsHideWnd = TRUE;
+	// 			}
+	// 			p++;
+	// 		}
+	// 	}
+
+	// 	CHeavenShadowDlg* dlg = new CHeavenShadowDlg();
+	// 
+	// 	m_pMainWnd = dlg;
+	// 
+	// 	INT_PTR nResponse = dlg->Create(IDD_HEAVENSHADOW_DIALOG);
+	// 
+	// 	dlg->ShowWindow(SW_HIDE);
+	// 
+	// 	return FALSE;
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+	//¼ÓÔØÇý¶¯
+	//ExtractFile();
+	//////////////////////////////////////////////////////////////////////////
+	WCHAR wzSysPath[260] = {0};
+	WCHAR *p;
+	CString SysPath;
+	HMODULE module = GetModuleHandle(0);
+	GetModuleFileName(module,wzSysPath,sizeof(wzSysPath));
+	p = wcsrchr(wzSysPath,L'\\');
+	*p = 0;
+	SysPath = wzSysPath;
+	if (HsIs64BitWindows()) 
+		SysPath += L"\\sys\\x64\\HeavenShadowDrv.sys";
+	else 
+		SysPath += L"\\sys\\x86\\HeavenShadowDrv.sys";
+
+	HsLoadNTDriver(HS_DRIVER_NAME,SysPath.GetBuffer());
+	//////////////////////////////////////////////////////////////////////////
+
+
+	g_hDevice = CreateFileW(HS_LINK_NAME,
+		GENERIC_READ | GENERIC_WRITE,
+		0,
+		NULL,
+		OPEN_EXISTING,
+		FILE_ATTRIBUTE_NORMAL,
+		NULL );
+
+
+	if (g_hDevice != INVALID_HANDLE_VALUE)
+	{
+		ULONG_PTR ulCurrentPid = GetCurrentProcessId();
+		ULONG_PTR ulRetCode = 0;
+		DWORD dwReturnSize = 0;
+
+		BOOL dwRet = DeviceIoControl(g_hDevice,
+			HS_IOCTL(HS_IOCTL_PROC_SENDSELFPID),
+			&ulCurrentPid,
+			sizeof(ULONG_PTR),
+			&ulRetCode,
+			sizeof(ULONG_PTR),
+			&dwReturnSize,
+			NULL);
+
+		if (dwRet && ulRetCode)
+		{
+			bDriverIsOK = TRUE;
+		}
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+
+	
+	
+
+
+
+	CHeavenShadowDlg dlg;
+	m_pMainWnd = &dlg;
+	wndSplash.DestroyWindow();
+	INT_PTR nResponse = dlg.DoModal();
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+	CloseHandle(hMutex);
+
+	CloseHandle(g_hDevice);
+
+	HsUnloadNTDriver(HS_DRIVER_NAME);	//Ð¶ÔØÇý¶¯
+	
+	//////////////////////////////////////////////////////////////////////////
+
+
+	if (nResponse == IDOK)
+	{
+		// TODO: ÔÚ´Ë·ÅÖÃ´¦ÀíºÎÊ±ÓÃ
+		//  ¡°È·¶¨¡±À´¹Ø±Õ¶Ô»°¿òµÄ´úÂë
+	}
+	else if (nResponse == IDCANCEL)
+	{
+		// TODO: ÔÚ´Ë·ÅÖÃ´¦ÀíºÎÊ±ÓÃ
+		//  ¡°È¡Ïû¡±À´¹Ø±Õ¶Ô»°¿òµÄ´úÂë
+	}
+
+	// É¾³ýÉÏÃæ´´½¨µÄ shell ¹ÜÀíÆ÷¡£
+	if (pShellManager != NULL)
+	{
+		delete pShellManager;
+	}
+ 
+// 	// ÓÉÓÚ¶Ô»°¿òÒÑ¹Ø±Õ£¬ËùÒÔ½«·µ»Ø FALSE ÒÔ±ãÍË³öÓ¦ÓÃ³ÌÐò£¬
+// 	//  ¶ø²»ÊÇÆô¶¯Ó¦ÓÃ³ÌÐòµÄÏûÏ¢±Ã¡£
+ 	return FALSE;
+}
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.h b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.h
new file mode 100644
index 0000000..99e31b0
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.h
@@ -0,0 +1,34 @@
+
+// HeavenShadow.h : PROJECT_NAME Ó¦ÓÃ³ÌÐòµÄÖ÷Í·ÎÄ¼þ
+//
+
+#pragma once
+
+#ifndef __AFXWIN_H__
+	#error "ÔÚ°üº¬´ËÎÄ¼þÖ®Ç°°üº¬¡°stdafx.h¡±ÒÔÉú³É PCH ÎÄ¼þ"
+#endif
+
+#include "resource.h"		// Ö÷·ûºÅ
+
+
+// CHeavenShadowApp:
+// ÓÐ¹Ø´ËÀàµÄÊµÏÖ£¬Çë²ÎÔÄ HeavenShadow.cpp
+//
+
+class CHeavenShadowApp : public CWinApp
+{
+public:
+	CHeavenShadowApp();
+
+// ÖØÐ´
+public:
+	virtual BOOL InitInstance();
+
+// ÊµÏÖ
+
+	DECLARE_MESSAGE_MAP()
+};
+
+extern CHeavenShadowApp theApp;
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.idc b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.idc
new file mode 100644
index 0000000..f32073c
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.idc
@@ -0,0 +1 @@
+<Configurations active="é»˜è®¤"><Configuration name="é»˜è®¤"><GuestCommandRemote val="project command through a shared folder"></GuestCommandRemote><ShareFoldersRemote val="å…±äº«æ–‡ä»¶å¤¹=E:\"></ShareFoldersRemote><RemoteDebugMonitor val="D:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe"></RemoteDebugMonitor><MonitorName val="VMDebug"></MonitorName><RemoteVM val="U:\è™šæ‹Ÿæœº\å¼€å‘\Windows 7 X64\Windows 7 x64.vmx"></RemoteVM><StartMode val="No"></StartMode><TerminationModeRemote val="No operation"></TerminationModeRemote><CopyFilesRemote val=""></CopyFilesRemote><PreRemoteCommandLine val=""></PreRemoteCommandLine><PostRemoteCommandLine val=""></PostRemoteCommandLine><RecordingToReplay val=""></RecordingToReplay><ReplayVM val=""></ReplayVM><BaseSnapshotForRecording val=""></BaseSnapshotForRecording><CopyFilesRecord val=""></CopyFilesRecord><PreRecordCommandLine val=""></PreRecordCommandLine><PostRecordCommandLine val=""></PostRecordCommandLine><TerminationModeRecord val="No operation"></TerminationModeRecord><InstanceToDebug val=""></InstanceToDebug><GuestCommandReplay val="project command through a shared folder"></GuestCommandReplay><ShareFoldersRecord val=""></ShareFoldersRecord><RemoteReplayFlag val=""></RemoteReplayFlag><RemoteMachine val=""></RemoteMachine><RemoteReplayVM val=""></RemoteReplayVM><RemoteRecordingToReplay val=""></RemoteRecordingToReplay><RemoteReplayPasscode val=""></RemoteReplayPasscode><HostSearchPath val=""></HostSearchPath></Configuration></Configurations>
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.rc b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.rc
new file mode 100644
index 0000000..a353298
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.rc differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj
new file mode 100644
index 0000000..ba994b3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj
@@ -0,0 +1,337 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A8649B59-9CD1-4E45-A2EE-C390FFFCB8A0}</ProjectGuid>
+    <RootNamespace>HeavenShadow</RootNamespace>
+    <Keyword>MFCProj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Lib\odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+    </Link>
+    <Midl>
+      <MkTypLibCompatible>false</MkTypLibCompatible>
+      <ValidateAllParameters>true</ValidateAllParameters>
+      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </Midl>
+    <ResourceCompile>
+      <Culture>0x0804</Culture>
+      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>user32.lib</AdditionalDependencies>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
+    </Link>
+    <Midl>
+      <MkTypLibCompatible>false</MkTypLibCompatible>
+      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </Midl>
+    <ResourceCompile>
+      <Culture>0x0804</Culture>
+      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+    <Midl>
+      <MkTypLibCompatible>false</MkTypLibCompatible>
+      <ValidateAllParameters>true</ValidateAllParameters>
+      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </Midl>
+    <ResourceCompile>
+      <Culture>0x0804</Culture>
+      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
+      <UACUIAccess>true</UACUIAccess>
+    </Link>
+    <Midl>
+      <MkTypLibCompatible>false</MkTypLibCompatible>
+      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </Midl>
+    <ResourceCompile>
+      <Culture>0x0804</Culture>
+      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+    <None Include="res\alert_btnexit.bmp" />
+    <None Include="res\alert_btn_allow.bmp" />
+    <None Include="res\alert_btn_allow_clicked.bmp" />
+    <None Include="res\alert_btn_prevent.bmp" />
+    <None Include="res\alert_btn_prevent_clicked.bmp" />
+    <None Include="res\bitmap1.bmp" />
+    <None Include="res\bmp00001.bmp" />
+    <None Include="res\check_alt_v.bmp" />
+    <None Include="res\check_alt_x.bmp" />
+    <None Include="res\drivers\HeavenShadowSys32.sys" />
+    <None Include="res\drivers\HeavenShadowSys64.sys" />
+    <None Include="res\file_toolbar.bmp" />
+    <None Include="res\file_toolbar_goto.bmp" />
+    <None Include="res\HeavenShadow.ico" />
+    <None Include="res\HeavenShadow.rc2" />
+    <None Include="res\HeavenShadowLittle.ico" />
+    <None Include="res\HomeCheckBtn.bmp" />
+    <None Include="res\HomeCheckBtn_click.bmp" />
+    <None Include="res\HomeCheckBtn_hover.bmp" />
+    <None Include="res\LOGO.bmp" />
+    <None Include="res\mainmenu_button.bmp" />
+    <None Include="res\SYSTEM_ALERT.WAV" />
+    <None Include="res\toolbar1.bmp" />
+    <None Include="res\toolbar_file.bmp" />
+    <None Include="res\toolbar_file_now.bmp" />
+    <None Include="res\toolbar_kernel.bmp" />
+    <None Include="res\toolbar_kernel_now.bmp" />
+    <None Include="res\toolbar_logo.bmp" />
+    <None Include="res\toolbar_logo_now.bmp" />
+    <None Include="res\toolbar_module.bmp" />
+    <None Include="res\toolbar_module_now.bmp" />
+    <None Include="res\toolbar_process.bmp" />
+    <None Include="res\toolbar_process_now.bmp" />
+    <None Include="res\toolbar_service.bmp" />
+    <None Include="res\toolbar_service_now.bmp" />
+    <None Include="res\toolbar_setting.bmp" />
+    <None Include="res\toolbar_setting_now.bmp" />
+    <None Include="res\toolbar_system.bmp" />
+    <None Include="res\toolbar_system_now.bmp" />
+    <None Include="res\toolbar_tools.bmp" />
+    <None Include="res\toolbar_tools_now.bmp" />
+    <None Include="res\WzdSplash.bmp" />
+    <None Include="res\WzdSplash.png" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="AlertWnd.h" />
+    <ClInclude Include="CallbackFunc.h" />
+    <ClInclude Include="Common.h" />
+    <ClInclude Include="DpcTimerFunc.h" />
+    <ClInclude Include="FilterDriverFunc.h" />
+    <ClInclude Include="InjectFunc.h" />
+    <ClInclude Include="IoTimerFunc.h" />
+    <ClInclude Include="KernelFunc.h" />
+    <ClInclude Include="ModuleFunc.h" />
+    <ClInclude Include="MyCheckBtn.h" />
+    <ClInclude Include="MyText2.h" />
+    <ClInclude Include="PModuleFunc.h" />
+    <ClInclude Include="SSDTFunc.h" />
+    <ClInclude Include="DetailFunc.h" />
+    <ClInclude Include="FileDlg.h" />
+    <ClInclude Include="FileFunc.h" />
+    <ClInclude Include="HandleFunc.h" />
+    <ClInclude Include="HeavenShadow.h" />
+    <ClInclude Include="HeavenShadowDlg.h" />
+    <ClInclude Include="HsAboutDlg.h" />
+    <ClInclude Include="KernelDlg.h" />
+    <ClInclude Include="LoadSys.h" />
+    <ClInclude Include="MemoryFunc.h" />
+    <ClInclude Include="ModuleDlg.h" />
+    <ClInclude Include="MyEdit.h" />
+    <ClInclude Include="MyList.h" />
+    <ClInclude Include="MyPicButton.h" />
+    <ClInclude Include="MyText.h" />
+    <ClInclude Include="PrivilegeFunc.h" />
+    <ClInclude Include="ProcessDlg.h" />
+    <ClInclude Include="ProcessFunc.h" />
+    <ClInclude Include="ProcessViewDlg.h" />
+    <ClInclude Include="Resource.h" />
+    <ClInclude Include="ServiceDlg.h" />
+    <ClInclude Include="SettingDlg.h" />
+    <ClInclude Include="SSSDTFunc.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="SystemDlg.h" />
+    <ClInclude Include="SysThread.h" />
+    <ClInclude Include="targetver.h" />
+    <ClInclude Include="ThreadFunc.h" />
+    <ClInclude Include="ToolsDlg.h" />
+    <ClInclude Include="TrueColorToolBar.h" />
+    <ClInclude Include="WindowFunc.h" />
+    <ClInclude Include="WzdSplash.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="AlertWnd.cpp" />
+    <ClCompile Include="ButtonNotify.cpp" />
+    <ClCompile Include="CallbackFunc.cpp" />
+    <ClCompile Include="Common.cpp" />
+    <ClCompile Include="DpcTimerFunc.cpp" />
+    <ClCompile Include="FilterDriverFunc.cpp" />
+    <ClCompile Include="InjectFunc.cpp" />
+    <ClCompile Include="IoTimerFunc.cpp" />
+    <ClCompile Include="KernelFunc.cpp" />
+    <ClCompile Include="ModuleFunc.cpp" />
+    <ClCompile Include="MyCheckBtn.cpp" />
+    <ClCompile Include="MyText2.cpp" />
+    <ClCompile Include="PModuleFunc.cpp" />
+    <ClCompile Include="SSDTFunc.cpp" />
+    <ClCompile Include="DetailFunc.cpp" />
+    <ClCompile Include="FileDlg.cpp" />
+    <ClCompile Include="FileFunc.cpp" />
+    <ClCompile Include="HandleFunc.cpp" />
+    <ClCompile Include="HeavenShadow.cpp" />
+    <ClCompile Include="HeavenShadowDlg.cpp" />
+    <ClCompile Include="HsAboutDlg.cpp" />
+    <ClCompile Include="KernelDlg.cpp" />
+    <ClCompile Include="LoadSys.cpp" />
+    <ClCompile Include="MemoryFunc.cpp" />
+    <ClCompile Include="ModuleDlg.cpp" />
+    <ClCompile Include="MyEdit.cpp" />
+    <ClCompile Include="MyList.cpp" />
+    <ClCompile Include="MyPicButton.cpp" />
+    <ClCompile Include="MyText.cpp" />
+    <ClCompile Include="PrivilegeFunc.cpp" />
+    <ClCompile Include="ProcessDlg.cpp" />
+    <ClCompile Include="ProcessFunc.cpp" />
+    <ClCompile Include="ProcessViewDlg.cpp" />
+    <ClCompile Include="ServiceDlg.cpp" />
+    <ClCompile Include="SettingDlg.cpp" />
+    <ClCompile Include="SSSDTFunc.cpp" />
+    <ClCompile Include="SSSDTName.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="SystemDlg.cpp" />
+    <ClCompile Include="SysThread.cpp" />
+    <ClCompile Include="ThreadFunc.cpp" />
+    <ClCompile Include="ToolsDlg.cpp" />
+    <ClCompile Include="TrueColorToolBar.cpp" />
+    <ClCompile Include="WindowFunc.cpp" />
+    <ClCompile Include="WzdSplash.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="HeavenShadow.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+  <ProjectExtensions>
+    <VisualStudio>
+      <UserProperties RESOURCE_FILE="HeavenShadow.rc" />
+    </VisualStudio>
+  </ProjectExtensions>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj.filters b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj.filters
new file mode 100644
index 0000000..0355919
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj.filters
@@ -0,0 +1,494 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="èµ„æºæ–‡ä»¶">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="ä¸»å¯¹è¯æ¡†">
+      <UniqueIdentifier>{e8967836-3339-4be5-85e8-5e93c5666e2c}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šè¿›ç¨‹">
+      <UniqueIdentifier>{7c6e02d8-cff1-488b-bbc6-381abd7ac141}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šæœåŠ¡">
+      <UniqueIdentifier>{ac2bdd48-ac02-4c4e-815c-31f32d87b798}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šæ¨¡å—">
+      <UniqueIdentifier>{66bcb5e6-0155-4fe4-9639-c4f7f951951a}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="é€šç”¨æ–‡ä»¶">
+      <UniqueIdentifier>{7232feb3-998d-49d1-be1b-a5c82b99cee5}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="ä¸»å¯¹è¯æ¡†\MyListCtrl">
+      <UniqueIdentifier>{bfef2f38-76fc-456e-a17c-0806c7fe8035}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šè­¦å‘Š">
+      <UniqueIdentifier>{62837207-1a9f-40d8-b27c-43bec063184c}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹">
+      <UniqueIdentifier>{409a277b-e935-4a16-8bcb-2f39c93c89b7}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šæ–‡ä»¶">
+      <UniqueIdentifier>{cd12a9fa-1165-48fa-bc9d-fda5a44e8666}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="ä¸»å¯¹è¯æ¡†\TrueColorToolBar">
+      <UniqueIdentifier>{0081ba72-8dbb-4756-a9cc-c43662828415}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹\MyEdit">
+      <UniqueIdentifier>{978d8f23-085b-40d2-95de-d6d4b920c852}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šè®¾ç½®">
+      <UniqueIdentifier>{187136f8-b929-42ba-a89f-85f468755d7d}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå·¥å…·ç®±">
+      <UniqueIdentifier>{4c8702ed-28cc-44f6-9ba1-4b9a1a537cf0}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="ä¸»å¯¹è¯æ¡†\MyPicButton">
+      <UniqueIdentifier>{faa3185b-3234-47e4-9a3e-f7eb02439c1f}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ">
+      <UniqueIdentifier>{4d019f13-de81-43ff-9ad4-7f6e593befaa}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="ä¸»å¯¹è¯æ¡†\MyText">
+      <UniqueIdentifier>{865ad5bf-b6ad-4c9b-9f86-fdb75d6a8073}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­">
+      <UniqueIdentifier>{c89dcef6-342d-4d73-bf67-65e6175be83b}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\ShadowSSDT">
+      <UniqueIdentifier>{b178911c-d483-491c-a173-7de48768a193}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\å†…æ ¸å‡½æ•°">
+      <UniqueIdentifier>{f94994a2-fa95-42bb-815a-fed46e72980d}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\SSDT">
+      <UniqueIdentifier>{57c54be0-e34c-41bc-b694-9d1da9995439}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸">
+      <UniqueIdentifier>{92468187-99be-4395-9a84-8b3b4e0d342c}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸\å†…æ ¸çº¿ç¨‹">
+      <UniqueIdentifier>{8e1feaf3-f326-47c0-8c9f-595c65d56d60}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸\IOTimer">
+      <UniqueIdentifier>{a6695778-8cd1-4060-bf9e-0eb611019311}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸\ç³»ç»Ÿå›žè°ƒ">
+      <UniqueIdentifier>{824241e3-5aca-4e13-8c31-fee1b1aca203}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸\DPCTimer">
+      <UniqueIdentifier>{36b65559-1511-4b10-857d-f9bc104688de}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="å¯¹è¯æ¡†ï¼šå†…æ ¸\è¿‡æ»¤é©±åŠ¨">
+      <UniqueIdentifier>{df342808-8375-4b69-9c1e-e76b704a12f3}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+    <None Include="res\HeavenShadow.rc2">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\HeavenShadow.ico">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar1.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\LOGO.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_process.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_module.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_service.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_process_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_module_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_service_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_logo.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_logo_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\alert_btnexit.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\SYSTEM_ALERT.WAV">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\alert_btn_allow.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\alert_btn_prevent.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_file.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_file_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\file_toolbar.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\file_toolbar_goto.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\alert_btn_allow_clicked.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\alert_btn_prevent_clicked.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\bmp00001.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\drivers\HeavenShadowSys32.sys">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\drivers\HeavenShadowSys64.sys">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_system.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_system_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_setting.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_setting_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_tools.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_tools_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\mainmenu_button.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\HeavenShadowLittle.ico">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_kernel.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\toolbar_kernel_now.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\check_alt_v.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\check_alt_x.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\HomeCheckBtn.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\bitmap1.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\HomeCheckBtn_hover.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\HomeCheckBtn_click.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\WzdSplash.png">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="res\WzdSplash.bmp">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="HeavenShadowDlg.h">
+      <Filter>ä¸»å¯¹è¯æ¡†</Filter>
+    </ClInclude>
+    <ClInclude Include="HeavenShadow.h">
+      <Filter>ä¸»å¯¹è¯æ¡†</Filter>
+    </ClInclude>
+    <ClInclude Include="ProcessDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="ServiceDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæœåŠ¡</Filter>
+    </ClInclude>
+    <ClInclude Include="ModuleDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¨¡å—</Filter>
+    </ClInclude>
+    <ClInclude Include="ProcessFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Common.h">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="stdafx.h">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="MyList.h">
+      <Filter>ä¸»å¯¹è¯æ¡†\MyListCtrl</Filter>
+    </ClInclude>
+    <ClInclude Include="Resource.h">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="HsAboutDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ</Filter>
+    </ClInclude>
+    <ClInclude Include="AlertWnd.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè­¦å‘Š</Filter>
+    </ClInclude>
+    <ClInclude Include="ThreadFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="LoadSys.h">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="FileDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="FileFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="TrueColorToolBar.h">
+      <Filter>ä¸»å¯¹è¯æ¡†\TrueColorToolBar</Filter>
+    </ClInclude>
+    <ClInclude Include="PrivilegeFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="DetailFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="HandleFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="MyEdit.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹\MyEdit</Filter>
+    </ClInclude>
+    <ClInclude Include="SystemDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="ToolsDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå·¥å…·ç®±</Filter>
+    </ClInclude>
+    <ClInclude Include="SettingDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè®¾ç½®</Filter>
+    </ClInclude>
+    <ClInclude Include="MyPicButton.h">
+      <Filter>ä¸»å¯¹è¯æ¡†\MyPicButton</Filter>
+    </ClInclude>
+    <ClInclude Include="MemoryFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="MyText.h">
+      <Filter>ä¸»å¯¹è¯æ¡†\MyText</Filter>
+    </ClInclude>
+    <ClInclude Include="KernelDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­</Filter>
+    </ClInclude>
+    <ClInclude Include="SSDTFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\SSDT</Filter>
+    </ClInclude>
+    <ClInclude Include="InjectFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="MyText2.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ</Filter>
+    </ClInclude>
+    <ClInclude Include="MyCheckBtn.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ</Filter>
+    </ClInclude>
+    <ClInclude Include="WindowFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="PModuleFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClInclude>
+    <ClInclude Include="ModuleFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¨¡å—</Filter>
+    </ClInclude>
+    <ClInclude Include="ProcessViewDlg.h">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="WzdSplash.h" />
+    <ClInclude Include="SSSDTFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\ShadowSSDT</Filter>
+    </ClInclude>
+    <ClInclude Include="KernelFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\å†…æ ¸å‡½æ•°</Filter>
+    </ClInclude>
+    <ClInclude Include="SysThread.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\å†…æ ¸çº¿ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="IoTimerFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\IOTimer</Filter>
+    </ClInclude>
+    <ClInclude Include="CallbackFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\ç³»ç»Ÿå›žè°ƒ</Filter>
+    </ClInclude>
+    <ClInclude Include="DpcTimerFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\DPCTimer</Filter>
+    </ClInclude>
+    <ClInclude Include="FilterDriverFunc.h">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\è¿‡æ»¤é©±åŠ¨</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="HeavenShadow.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†</Filter>
+    </ClCompile>
+    <ClCompile Include="HeavenShadowDlg.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†</Filter>
+    </ClCompile>
+    <ClCompile Include="ProcessDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="ServiceDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæœåŠ¡</Filter>
+    </ClCompile>
+    <ClCompile Include="ModuleDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¨¡å—</Filter>
+    </ClCompile>
+    <ClCompile Include="ProcessFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Common.cpp">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="MyList.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†\MyListCtrl</Filter>
+    </ClCompile>
+    <ClCompile Include="HsAboutDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ</Filter>
+    </ClCompile>
+    <ClCompile Include="AlertWnd.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè­¦å‘Š</Filter>
+    </ClCompile>
+    <ClCompile Include="ThreadFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="LoadSys.cpp">
+      <Filter>é€šç”¨æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="FileDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="FileFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="TrueColorToolBar.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†\TrueColorToolBar</Filter>
+    </ClCompile>
+    <ClCompile Include="PrivilegeFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="DetailFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="HandleFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="MyEdit.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹\MyEdit</Filter>
+    </ClCompile>
+    <ClCompile Include="SystemDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="ToolsDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå·¥å…·ç®±</Filter>
+    </ClCompile>
+    <ClCompile Include="SettingDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè®¾ç½®</Filter>
+    </ClCompile>
+    <ClCompile Include="MyPicButton.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†\MyPicButton</Filter>
+    </ClCompile>
+    <ClCompile Include="MemoryFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="MyText.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†\MyText</Filter>
+    </ClCompile>
+    <ClCompile Include="KernelDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­</Filter>
+    </ClCompile>
+    <ClCompile Include="SSDTFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\SSDT</Filter>
+    </ClCompile>
+    <ClCompile Include="ButtonNotify.cpp">
+      <Filter>ä¸»å¯¹è¯æ¡†</Filter>
+    </ClCompile>
+    <ClCompile Include="InjectFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="MyText2.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ</Filter>
+    </ClCompile>
+    <ClCompile Include="MyCheckBtn.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¬¢è¿Žé¡µ</Filter>
+    </ClCompile>
+    <ClCompile Include="WindowFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="PModuleFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹\å¯¹è¯æ¡†ï¼šè¿›ç¨‹æŸ¥çœ‹</Filter>
+    </ClCompile>
+    <ClCompile Include="ModuleFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šæ¨¡å—</Filter>
+    </ClCompile>
+    <ClCompile Include="ProcessViewDlg.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šè¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="WzdSplash.cpp" />
+    <ClCompile Include="SSSDTFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\ShadowSSDT</Filter>
+    </ClCompile>
+    <ClCompile Include="SSSDTName.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\ShadowSSDT</Filter>
+    </ClCompile>
+    <ClCompile Include="KernelFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸é’©å­\å†…æ ¸å‡½æ•°</Filter>
+    </ClCompile>
+    <ClCompile Include="SysThread.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\å†…æ ¸çº¿ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="IoTimerFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\IOTimer</Filter>
+    </ClCompile>
+    <ClCompile Include="CallbackFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\ç³»ç»Ÿå›žè°ƒ</Filter>
+    </ClCompile>
+    <ClCompile Include="DpcTimerFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\DPCTimer</Filter>
+    </ClCompile>
+    <ClCompile Include="FilterDriverFunc.cpp">
+      <Filter>å¯¹è¯æ¡†ï¼šå†…æ ¸\è¿‡æ»¤é©±åŠ¨</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="HeavenShadow.rc">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </ResourceCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj.user b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj.user
new file mode 100644
index 0000000..21efa19
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadow.vcxproj.user
@@ -0,0 +1,6 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadowDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/HeavenShadowDlg.cpp
new file mode 100644
index 0000000..baad534
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadowDlg.cpp
@@ -0,0 +1,869 @@
+
+// HeavenShadowDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "HeavenShadowDlg.h"
+#include "afxdialogex.h"
+
+#include "WzdSplash.h"
+
+extern HANDLE g_hDevice;
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#endif
+
+CWnd* g_wParent  = NULL;
+BOOL bIsChecking = FALSE; //µ±Ç°µÄ¼ì²é×´Ì¬
+
+
+extern CWnd* g_process;
+
+int dpix = 0;
+int dpiy = 0;
+
+enum
+{
+	UM_ICONNOTIFY= WM_USER+0x100
+};
+
+
+// ÓÃÓÚÓ¦ÓÃ³ÌÐò¡°¹ØÓÚ¡±²Ëµ¥ÏîµÄ CAboutDlg ¶Ô»°¿ò
+
+class CAboutDlg : public CDialogEx
+{
+public:
+	CAboutDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_ABOUTBOX };
+
+	protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+// ÊµÏÖ
+protected:
+	DECLARE_MESSAGE_MAP()
+};
+
+CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
+{
+}
+
+void CAboutDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialogEx::DoDataExchange(pDX);
+}
+
+BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
+END_MESSAGE_MAP()
+
+
+// CHeavenShadowDlg ¶Ô»°¿ò
+
+
+
+
+CHeavenShadowDlg::CHeavenShadowDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CHeavenShadowDlg::IDD, pParent)
+{
+	m_hIcon = AfxGetApp()->LoadIconW(IDR_MAINFRAME);
+
+	m_processDlg = NULL;
+	m_moduleDlg = NULL;
+	m_serviceDlg = NULL;
+	m_fileDlg = NULL;
+	m_aboutDlg = NULL;
+	m_systemDlg = NULL;
+	m_settingDlg = NULL;
+	m_toolsDlg = NULL;
+	m_kernelDlg = NULL;
+
+
+	m_bHideWnd = TRUE;
+
+}
+
+CHeavenShadowDlg::~CHeavenShadowDlg()
+{
+}
+
+void CHeavenShadowDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_TAB_MAIN, m_mainTab);
+	DDX_Control(pDX, IDC_STATIC_PROCESS, m_btnProc);
+	DDX_Control(pDX, IDC_STATIC_MODULE, m_btnModu);
+	DDX_Control(pDX, IDC_STATIC_SERVICE, m_btnServ);
+	DDX_Control(pDX, IDC_STATIC_LOGO, m_btnAbou);
+	DDX_Control(pDX, IDC_STATIC_FILE, m_btnFile);
+	DDX_Control(pDX, IDC_STATIC_SYSTEM, m_btnSys);
+	DDX_Control(pDX, IDC_STATIC_SETTING, m_btnSet);
+	DDX_Control(pDX, IDC_STATIC_TOOLS, m_btnTool);
+	DDX_Control(pDX, IDC_STATIC_MANMENUBTN, m_btnMenu);
+	DDX_Control(pDX, IDC_STATIC_KERNEL, m_btnKrnl);
+}
+
+BEGIN_MESSAGE_MAP(CHeavenShadowDlg, CDialog)
+	ON_WM_SYSCOMMAND()
+	ON_WM_PAINT()
+	ON_WM_QUERYDRAGICON()
+
+	ON_MESSAGE(HS_MESSAGE_STATUSDETAIL,HsSetStatusDetail)
+	ON_MESSAGE(HS_MESSAGE_STATUSTIP,HsSetStatusTip)
+
+	ON_STN_CLICKED(IDC_STATIC_MODULE, &CHeavenShadowDlg::OnClickedStaticModule)
+	ON_STN_CLICKED(IDC_STATIC_PROCESS, &CHeavenShadowDlg::OnClickedStaticProcess)
+	ON_STN_CLICKED(IDC_STATIC_SERVICE, &CHeavenShadowDlg::OnClickedStaticService)
+	ON_STN_DISABLE(IDC_STATIC_PROCESS, &CHeavenShadowDlg::OnDisableStaticProcess)
+	ON_STN_ENABLE(IDC_STATIC_PROCESS, &CHeavenShadowDlg::OnEnableStaticProcess)
+	ON_STN_ENABLE(IDC_STATIC_MODULE, &CHeavenShadowDlg::OnEnableStaticModule)
+	ON_STN_DISABLE(IDC_STATIC_MODULE, &CHeavenShadowDlg::OnDisableStaticModule)
+	ON_STN_ENABLE(IDC_STATIC_SERVICE, &CHeavenShadowDlg::OnEnableStaticService)
+	ON_STN_DISABLE(IDC_STATIC_SERVICE, &CHeavenShadowDlg::OnDisableStaticService)
+	ON_STN_CLICKED(IDC_STATIC_LOGO, &CHeavenShadowDlg::OnClickedStaticLogo)
+	ON_STN_ENABLE(IDC_STATIC_LOGO, &CHeavenShadowDlg::OnEnableStaticLogo)
+	ON_STN_DISABLE(IDC_STATIC_LOGO, &CHeavenShadowDlg::OnDisableStaticLogo)
+	ON_STN_CLICKED(IDC_STATIC_FILE, &CHeavenShadowDlg::OnClickedStaticFile)
+	ON_STN_ENABLE(IDC_STATIC_FILE, &CHeavenShadowDlg::OnEnableStaticFile)
+	ON_STN_DISABLE(IDC_STATIC_FILE, &CHeavenShadowDlg::OnDisableStaticFile)
+	ON_WM_HELPINFO()
+	ON_STN_CLICKED(IDC_STATIC_SYSTEM, &CHeavenShadowDlg::OnClickedStaticSystem)
+	ON_STN_ENABLE(IDC_STATIC_SYSTEM, &CHeavenShadowDlg::OnEnableStaticSystem)
+	ON_STN_DISABLE(IDC_STATIC_SYSTEM, &CHeavenShadowDlg::OnDisableStaticSystem)
+	ON_STN_CLICKED(IDC_STATIC_SETTING, &CHeavenShadowDlg::OnClickedStaticSetting)
+	ON_STN_ENABLE(IDC_STATIC_SETTING, &CHeavenShadowDlg::OnEnableStaticSetting)
+	ON_STN_DISABLE(IDC_STATIC_SETTING, &CHeavenShadowDlg::OnDisableStaticSetting)
+	ON_STN_CLICKED(IDC_STATIC_TOOLS, &CHeavenShadowDlg::OnClickedStaticTools)
+	ON_STN_ENABLE(IDC_STATIC_TOOLS, &CHeavenShadowDlg::OnEnableStaticTools)
+	ON_STN_DISABLE(IDC_STATIC_TOOLS, &CHeavenShadowDlg::OnDisableStaticTools)
+
+	ON_STN_CLICKED(IDC_STATIC_MANMENUBTN, &CHeavenShadowDlg::OnClickedStaticManmenubtn)
+	ON_MESSAGE(UM_ICONNOTIFY, (LRESULT (__thiscall CWnd::* )(WPARAM,LPARAM))OnIconNotify)
+	ON_WM_CLOSE()
+	ON_COMMAND(ID_MENU_EXIT, &CHeavenShadowDlg::OnMenuExit)
+	ON_COMMAND(ID_MENU_SHOWMAIN, &CHeavenShadowDlg::OnMenuShowmain)
+	ON_COMMAND(ID_MENU_HIDEMAIN, &CHeavenShadowDlg::OnMenuHidemain)
+	ON_WM_SHOWWINDOW()
+	ON_STN_CLICKED(IDC_STATIC_KERNEL, &CHeavenShadowDlg::OnClickedStaticKernel)
+	ON_STN_ENABLE(IDC_STATIC_KERNEL, &CHeavenShadowDlg::OnEnableStaticKernel)
+	ON_STN_DISABLE(IDC_STATIC_KERNEL, &CHeavenShadowDlg::OnDisableStaticKernel)
+	ON_WM_CREATE()
+END_MESSAGE_MAP()
+
+
+// CHeavenShadowDlg ÏûÏ¢´¦Àí³ÌÐò
+
+BOOL CHeavenShadowDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+
+	// ½«¡°¹ØÓÚ...¡±²Ëµ¥ÏîÌí¼Óµ½ÏµÍ³²Ëµ¥ÖÐ¡£
+
+	// IDM_ABOUTBOX ±ØÐëÔÚÏµÍ³ÃüÁî·¶Î§ÄÚ¡£
+	ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
+	ASSERT(IDM_ABOUTBOX < 0xF000);
+
+	CMenu* pSysMenu = GetSystemMenu(FALSE);
+	if (pSysMenu != NULL)
+	{
+		BOOL bNameValid;
+		CString strAboutMenu;
+		bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
+		ASSERT(bNameValid);
+// 		if (!strAboutMenu.IsEmpty())
+// 		{
+// 			pSysMenu->AppendMenu(MF_SEPARATOR);
+// 			pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
+// 		}
+	}
+
+	// ÉèÖÃ´Ë¶Ô»°¿òµÄÍ¼±ê¡£µ±Ó¦ÓÃ³ÌÐòÖ÷´°¿Ú²»ÊÇ¶Ô»°¿òÊ±£¬¿ò¼Ü½«×Ô¶¯
+	//  Ö´ÐÐ´Ë²Ù×÷
+	SetIcon(m_hIcon, TRUE);			// ÉèÖÃ´óÍ¼±ê
+	SetIcon(m_hIcon, FALSE);		// ÉèÖÃÐ¡Í¼±ê
+
+	// TODO: ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯´úÂë
+
+
+	if (g_hDevice == INVALID_HANDLE_VALUE)
+	{
+
+	}
+
+	HsInitTray(&m_NotifyIcon);
+
+
+	CString TempToolTip = L"²Ëµ¥";
+	m_btnMenu.SetToolTipText(TempToolTip);
+
+	//////////////////////////////////////////////////////////////////////////
+
+	g_wParent = this;
+
+	CRect rect;
+
+	GetWindowRect(&rect);
+
+	CPaintDC dc(this);
+	dpix = GetDeviceCaps(dc.m_hDC,LOGPIXELSX);
+	dpiy = GetDeviceCaps(dc.m_hDC,LOGPIXELSY);
+	rect.bottom += (LONG)(1+21*(dpiy/96.0));
+
+	MoveWindow(&rect);
+
+	//////////////////////////////////////////////////////////////////////////
+	//Ìí¼Ó×´Ì¬À¸
+	m_StatusBar = new CStatusBarCtrl;
+
+	m_StatusBar->Create(WS_CHILD|WS_VISIBLE|SBT_OWNERDRAW,CRect(0,0,0,0),this,0);
+
+	int strPartDim[3] = {745,850,0};
+
+	//strPartDim[0] = (int)((double)strPartDim[0]*dpix/96.0);
+
+	GetClientRect(&rect);
+
+	strPartDim[1] = rect.right - (int)(1+21*(dpix/96.0));
+	strPartDim[0] = strPartDim[1] - (int)(120*(dpix/96.0));
+
+	m_StatusBar->SetParts(3,strPartDim);
+
+	m_StatusBar->SetText(L"×¼±¸¾ÍÐ÷¡£",0,0);
+	m_StatusBar->SetText(L"",1,0);
+
+
+	//////////////////////////////////////////////////////////////////////////
+	//¼ÓÔØ¹¤¾ßÀ¸
+
+	int leftpos = 5;
+
+	m_btnAbou.MoveWindow(leftpos+(70*0), 0, 70, 94);
+	m_btnProc.MoveWindow(leftpos+(70*1), 0, 70, 94);
+	m_btnModu.MoveWindow(leftpos+(70*2), 0, 70, 94);
+	m_btnSys.MoveWindow(leftpos+(70*3), 0, 70, 94);
+	m_btnKrnl.MoveWindow(leftpos+(70*4), 0, 70, 94);
+	m_btnServ.MoveWindow(leftpos+(70*5), 0, 70, 94);
+	m_btnFile.MoveWindow(leftpos+(70*6), 0, 70, 94);	//m_btnSys
+	m_btnTool.MoveWindow(leftpos+(70*7), 0, 70, 94);
+	m_btnSet.MoveWindow(leftpos+(70*8), 0, 70, 94);
+
+	CRect menubtnrect;
+	m_btnMenu.GetWindowRect(&menubtnrect);
+	int menubtnwidth = menubtnrect.Width();
+	menubtnrect.left = rect.right - 80;
+	menubtnrect.top = rect.top - 20;
+	menubtnrect.bottom = menubtnrect.top + menubtnwidth;
+	menubtnrect.right = menubtnrect.left + menubtnwidth;
+
+	//////////////////////////////////////////////////////////////////////////
+	//³õÊ¼»¯×Ó¶Ô»°¿ò¹¦ÄÜÀà
+	
+	GetClientRect(&rect);
+	rect.top = 94+2;
+	rect.bottom -= (LONG)(1+21*(dpiy/96.0));
+	m_mainTab.MoveWindow(rect);
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+	return TRUE;  // ³ý·Ç½«½¹µãÉèÖÃµ½¿Ø¼þ£¬·ñÔò·µ»Ø TRUE
+}
+
+void CHeavenShadowDlg::OnSysCommand(UINT nID, LPARAM lParam)
+{
+	if ((nID & 0xFFF0) == IDM_ABOUTBOX)
+	{
+// 		CAboutDlg dlgAbout;
+// 		dlgAbout.DoModal();
+//		//¹ØÓÚ¶Ô»°¿ò
+
+		if (m_bNowWindow != HS_DIALOG_ABOUT)
+		{
+			OnClickedStaticLogo();
+		}
+	}
+	else
+	{
+		CDialog::OnSysCommand(nID, lParam);
+	}
+}
+
+// Èç¹ûÏò¶Ô»°¿òÌí¼Ó×îÐ¡»¯°´Å¥£¬ÔòÐèÒªÏÂÃæµÄ´úÂë
+//  À´»æÖÆ¸ÃÍ¼±ê¡£¶ÔÓÚÊ¹ÓÃÎÄµµ/ÊÓÍ¼Ä£ÐÍµÄ MFC Ó¦ÓÃ³ÌÐò£¬
+//  Õâ½«ÓÉ¿ò¼Ü×Ô¶¯Íê³É¡£
+
+void CHeavenShadowDlg::OnPaint()
+{
+	if (IsIconic())
+	{
+		CPaintDC dc(this); // ÓÃÓÚ»æÖÆµÄÉè±¸ÉÏÏÂÎÄ
+
+		SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
+
+		// Ê¹Í¼±êÔÚ¹¤×÷Çø¾ØÐÎÖÐ¾ÓÖÐ
+		int cxIcon = GetSystemMetrics(SM_CXICON);
+		int cyIcon = GetSystemMetrics(SM_CYICON);
+		CRect rect;
+		GetClientRect(&rect);
+		int x = (rect.Width() - cxIcon + 1) / 2;
+		int y = (rect.Height() - cyIcon + 1) / 2;
+
+		// »æÖÆÍ¼±ê
+		dc.DrawIcon(x, y, m_hIcon);
+	}
+	else
+	{
+		CPaintDC dc(this);
+		CRect rect;
+		GetClientRect(rect);
+		dc.FillSolidRect(rect,RGB(255,255,255));
+
+		int ddd = GetDeviceCaps(dc.m_hDC,LOGPIXELSX);
+
+		GetWindowRect(rect);
+
+		CPoint startPoint;
+		startPoint.x = -1;
+		startPoint.y = 95;
+		CPoint endPoint;
+		endPoint.x = rect.Width();
+		endPoint.y = 95;
+
+
+		COLORREF m_Color(RGB(55,173,255));
+
+		CClientDC aDC(this); //CClientDCµÄ¹¹Ôìº¯ÊýÐèÒªÒ»¸ö²ÎÊý£¬Õâ¸ö²ÎÊýÊÇÖ¸Ïò»æÍ¼´°¿ÚµÄÖ¸Õë£¬ÎÒÃÇÓÃthisÖ¸Õë¾Í¿ÉÒÔÁË
+		CPen pen(PS_SOLID,2,m_Color); ////½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+		aDC.SelectObject(&pen);
+		aDC.MoveTo(startPoint);
+		aDC.LineTo(endPoint);
+
+		CDialog::OnPaint();
+	}
+}
+
+//µ±ÓÃ»§ÍÏ¶¯×îÐ¡»¯´°¿ÚÊ±ÏµÍ³µ÷ÓÃ´Ëº¯ÊýÈ¡µÃ¹â±ê
+//ÏÔÊ¾¡£
+HCURSOR CHeavenShadowDlg::OnQueryDragIcon()
+{
+	return static_cast<HCURSOR>(m_hIcon);
+}
+
+
+
+void CHeavenShadowDlg::HsEnableNowButton()
+{
+	switch(m_bNowWindow)
+	{
+	case HS_DIALOG_PROCESS:
+		{
+			m_btnProc.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_MODULE:
+		{
+			m_btnModu.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_KERNEL:
+		{
+			m_btnKrnl.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_SERVICE:
+		{
+			m_btnServ.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_FILE:
+		{
+			m_btnFile.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_SYSTEM:
+		{
+			m_btnSys.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_TOOLS:
+		{
+			m_btnTool.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_SETTING:
+		{
+			m_btnSet.EnableWindow(TRUE);
+			break;
+		}
+	case HS_DIALOG_ABOUT:
+		{
+			m_btnAbou.EnableWindow(TRUE);
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+}
+
+
+//////////////////////////////////////////////////////////////////////////
+
+void CHeavenShadowDlg::HsSelectWindow(UINT CurSel)
+{
+	switch(CurSel)
+	{
+	case HS_DIALOG_PROCESS:
+		{
+
+			if (m_processDlg == NULL)
+			{
+				m_processDlg  = new CProcessDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_processDlg->Create(IDD_DIALOG_PROCESS,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_processDlg->MoveWindow(&rs);
+			}
+			if (m_processDlg) m_processDlg->ShowWindow(true);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_SERVICE:
+		{
+			if (m_serviceDlg == NULL)
+			{
+				m_serviceDlg  = new CServiceDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_serviceDlg->Create(IDD_DIALOG_SERVICE,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_serviceDlg->MoveWindow(&rs);
+			}
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(true);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_MODULE:
+		{
+			if (m_moduleDlg == NULL)
+			{
+				m_moduleDlg  = new CModuleDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_moduleDlg->Create(IDD_DIALOG_MODULE,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_moduleDlg->MoveWindow(&rs);
+			}
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(true);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+
+	case HS_DIALOG_FILE:
+		{
+			if (m_fileDlg == NULL)
+			{
+				m_fileDlg  = new CFileDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_fileDlg->Create(IDD_DIALOG_FILE,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_fileDlg->MoveWindow(&rs);
+			}
+			if (m_fileDlg) m_fileDlg->ShowWindow(true);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_SYSTEM:
+		{
+
+			if (m_systemDlg == NULL)
+			{
+				m_systemDlg  = new CSystemDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_systemDlg->Create(IDD_DIALOG_SYSTEM,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_systemDlg->MoveWindow(&rs);
+			}
+			if (m_systemDlg) m_systemDlg->ShowWindow(true);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_KERNEL:
+		{
+
+			if (m_kernelDlg == NULL)
+			{
+				m_kernelDlg  = new CKernelDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_kernelDlg->Create(IDD_DIALOG_KERNEL,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_kernelDlg->MoveWindow(&rs);
+			}
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(true);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_TOOLS:
+		{
+
+			if (m_toolsDlg == NULL)
+			{
+				m_toolsDlg  = new CToolsDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_toolsDlg->Create(IDD_DIALOG_TOOLS,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_toolsDlg->MoveWindow(&rs);
+			}
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(true);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_SETTING:
+		{
+
+			if (m_settingDlg == NULL)
+			{
+				m_settingDlg  = new CSettingDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_settingDlg->Create(IDD_DIALOG_SETTING,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_settingDlg->MoveWindow(&rs);
+			}
+			if (m_settingDlg) m_settingDlg->ShowWindow(true);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	case HS_DIALOG_ABOUT:
+		{
+			if (m_aboutDlg == NULL)
+			{
+				m_aboutDlg  = new CHsAboutDlg(this);
+				//////////////////////////////////////////////////////////////////////////
+				//°ó¶¨¶Ô»°¿ò
+				m_aboutDlg->Create(IDD_DIALOG_ABOUT,GetDlgItem(IDC_TAB_MAIN));
+				//////////////////////////////////////////////////////////////////////////
+				//ÒÆ¶¯´°¿ÚÎ»ÖÃ
+				CRect rs;
+				m_mainTab.GetClientRect(&rs);
+				//ÉèÖÃ×Ó¶Ô»°¿ò³ß´ç²¢ÒÆ¶¯µ½Ö¸¶¨Î»ÖÃ
+				m_aboutDlg->MoveWindow(&rs);
+			}
+			if (m_aboutDlg) m_aboutDlg->ShowWindow(true);
+			if (m_processDlg) m_processDlg->ShowWindow(false);
+			if (m_serviceDlg) m_serviceDlg->ShowWindow(false);
+			if (m_moduleDlg) m_moduleDlg->ShowWindow(false);
+			if (m_fileDlg) m_fileDlg->ShowWindow(false);
+			if (m_systemDlg) m_systemDlg->ShowWindow(false);
+			if (m_settingDlg) m_settingDlg->ShowWindow(false);
+			if (m_toolsDlg) m_toolsDlg->ShowWindow(false);
+			if (m_kernelDlg) m_kernelDlg->ShowWindow(false);
+			break;
+		}
+	}
+}
+
+//×´Ì¬À¸ÏûÏ¢ÏìÓ¦¡£
+
+LRESULT CHeavenShadowDlg::HsSetStatusDetail(WPARAM wParam, LPARAM lParam)
+{
+
+	CString recvstr = (LPCTSTR)lParam;
+
+	m_StatusBar->SetText(recvstr.GetBuffer(),0,0);
+
+	return TRUE;
+}
+
+LRESULT CHeavenShadowDlg::HsSetStatusTip(WPARAM wParam, LPARAM lParam)
+{
+	CString recvstr = (LPCTSTR)lParam;
+
+	m_StatusBar->SetText(recvstr.GetBuffer(),1,0);
+
+	return TRUE;
+}
+
+
+
+
+BOOL CHeavenShadowDlg::HsInitChildDialog(void)
+{
+	HsSelectWindow(HS_DIALOG_ABOUT);
+
+	return TRUE;
+}
+
+
+
+BOOL CHeavenShadowDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN &&
+		(pMsg->wParam==VK_RETURN ||
+		pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+
+
+BOOL CHeavenShadowDlg::OnHelpInfo(HELPINFO* pHelpInfo)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+
+	return TRUE;
+
+	//return CDialog::OnHelpInfo(pHelpInfo);
+}
+
+
+
+
+
+void CHeavenShadowDlg::HsInitTray(PNOTIFYICONDATA nid)
+{
+	nid->cbSize = sizeof(NOTIFYICONDATA);				//´óÐ¡¸³Öµ
+	nid->hWnd = m_hWnd;									//¸¸´°¿Ú
+	nid->uID = IDR_MAINFRAME;							//icon  ID
+	nid->uFlags = NIF_MESSAGE | NIF_ICON | NIF_TIP;		//ÍÐÅÌËùÓµÓÐµÄ×´Ì¬
+	nid->uCallbackMessage = UM_ICONNOTIFY;				//»Øµ÷ÏûÏ¢
+
+	HICON hIcon = AfxGetApp()->LoadIconW(IDI_ICON_LITTLE);
+	nid->hIcon = hIcon;									//icon ±äÁ¿
+
+	CString str=L"ÌìÓ°ÎÀÊ¿";							//ÆøÅÝÌáÊ¾
+	lstrcpyn(nid->szTip, str, sizeof(nid->szTip) / sizeof(nid->szTip[0]));
+	Shell_NotifyIcon(NIM_ADD, nid);						//ÏÔÊ¾ÍÐÅÌ
+
+}
+
+void CHeavenShadowDlg::OnClose()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+
+	//if (m_bHideWnd == TRUE)
+	{
+		//ShowWindow(SW_HIDE);
+	}
+	//else
+	{
+		Shell_NotifyIcon(NIM_DELETE, &m_NotifyIcon);
+		CDialog::OnClose();
+	}
+
+
+	//ShowWindow(SW_HIDE);
+}
+
+
+void CHeavenShadowDlg::OnIconNotify(WPARAM wParam, LPARAM lParam)
+{
+	switch ((UINT)lParam)
+	{
+	case WM_LBUTTONDOWN:
+//	case WM_LBUTTONDBLCLK:
+// 		if (!IsWindowVisible())
+// 			ShowWindow(SW_SHOWNORMAL);
+// 		else
+// 			ShowWindow(SW_HIDE);
+// 		break;
+	case WM_RBUTTONDOWN: 
+		CMenu menu;
+		menu.LoadMenu(IDR_MENU_ICONNOTIFY);
+
+		if (!IsWindowVisible()) 
+			menu.DeleteMenu(ID_MENU_HIDEMAIN,MF_BYCOMMAND);
+		else
+			menu.DeleteMenu(ID_MENU_SHOWMAIN,MF_BYCOMMAND);
+
+		CPoint point;
+		GetCursorPos(&point);
+		SetForegroundWindow();   //ÉèÖÃµ±Ç°´°¿Ú
+		menu.GetSubMenu(0)->TrackPopupMenu(
+			TPM_LEFTBUTTON|TPM_RIGHTBUTTON, 
+			point.x, point.y, this, NULL); 
+		PostMessage(WM_USER, 0, 0);
+		break;
+	}
+}
+
+
+
+void CHeavenShadowDlg::OnClickedStaticManmenubtn()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	CMenu	popup;
+
+	popup.LoadMenu(IDR_MENU_MAIN);		//¼ÓÔØ²Ëµ¥×ÊÔ´
+	CMenu*	pM = popup.GetSubMenu(0);	//»ñµÃ²Ëµ¥µÄ×ÓÏî
+	CPoint	p;
+
+	CRect rect;
+	m_btnMenu.GetWindowRect(&rect);
+
+	p.SetPoint(rect.left,rect.top+20);
+
+	int	count = pM->GetMenuItemCount();
+	
+	pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+	
+
+}
+
+
+
+
+
+void CHeavenShadowDlg::OnMenuExit()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	m_bHideWnd = FALSE;
+	SendMessage(WM_CLOSE);
+}
+
+
+void CHeavenShadowDlg::OnMenuShowmain()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	ShowWindow(SW_SHOWNORMAL);
+}
+
+
+void CHeavenShadowDlg::OnMenuHidemain()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	ShowWindow(SW_HIDE);
+}
+
+
+void CHeavenShadowDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow)
+	{
+		if (!bIsChecking && m_bNowWindow != 1)
+		{
+			HsEnableNowButton();
+			HsInitChildDialog();
+		}
+	}
+}
+
+
+
+
+
+int CHeavenShadowDlg::OnCreate(LPCREATESTRUCT lpCreateStruct)
+{
+	if (CDialog::OnCreate(lpCreateStruct) == -1)
+		return -1;
+
+	// TODO:  ÔÚ´ËÌí¼ÓÄú×¨ÓÃµÄ´´½¨´úÂë
+
+	return 0;
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/HeavenShadowDlg.h b/arkProject/HeavenShadow/HeavenShadow/HeavenShadowDlg.h
new file mode 100644
index 0000000..1dd51db
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HeavenShadowDlg.h
@@ -0,0 +1,143 @@
+
+// HeavenShadowDlg.h : Í·ÎÄ¼þ
+//
+
+#pragma once
+
+#include "afxwin.h"
+#include "afxcmn.h"
+
+#include "ProcessDlg.h"
+#include "ServiceDlg.h"
+#include "ModuleDlg.h"
+#include "HsAboutDlg.h"
+#include "FileDlg.h"
+#include "SystemDlg.h"
+#include "SettingDlg.h"
+#include "ToolsDlg.h"
+#include "KernelDlg.h"
+
+#include "MyPicButton.h"
+
+
+
+
+// CHeavenShadowDlg ¶Ô»°¿ò
+class CHeavenShadowDlg : public CDialog
+{
+// ¹¹Ôì
+public:
+	CHeavenShadowDlg(CWnd* pParent = NULL);	// ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CHeavenShadowDlg();
+
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_HEAVENSHADOW_DIALOG };
+
+	//////////////////////////////////////////////////////////////////////////
+	/// º¯Êý
+	//////////////////////////////////////////////////////////////////////////
+	
+
+	//////////////////////////////////////////////////////////////////////////
+	void HsSelectWindow(UINT CurSel);
+	LRESULT HsSetStatusDetail(WPARAM wParam, LPARAM lParam);
+	LRESULT HsSetStatusTip(WPARAM wParam, LPARAM lParam);
+	BOOL HsLoadToolBar(void);
+	BOOL HsInitChildDialog(void);
+	void HsEnableNowButton(void);
+
+	// ¹¤¾ßÌõ
+	CStatusBarCtrl*   m_StatusBar;
+
+	CWnd* m_pHndWnd;
+
+
+	BOOL m_bHideWnd; //ÅÐ¶ÏÊÇ·ñÏÔÊ¾½çÃæ
+
+	//ÈÎÎñÀ¸Í¼±ê
+	NOTIFYICONDATA m_NotifyIcon; //ÏµÍ³ÍÐÅÌ½á¹¹
+	void HsInitTray(PNOTIFYICONDATA nid);
+	void OnIconNotify(WPARAM wParam, LPARAM lParam);
+
+	//////////////////////////////////////////////////////////////////////////
+	BOOL m_bNowWindow;
+	//////////////////////////////////////////////////////////////////////////
+	//×Ó¶Ô»°¿òÀà³ÉÔ±¶ÔÏó
+
+	CProcessDlg* m_processDlg;
+	CServiceDlg* m_serviceDlg;
+	CModuleDlg*  m_moduleDlg;
+	CHsAboutDlg* m_aboutDlg;
+	CFileDlg*    m_fileDlg;
+	CSystemDlg*  m_systemDlg;
+	CSettingDlg* m_settingDlg;
+	CToolsDlg*   m_toolsDlg;
+	CKernelDlg*  m_kernelDlg;
+
+	protected:
+	virtual void DoDataExchange(CDataExchange* pDX);	// DDX/DDV Ö§³Ö
+
+
+// ÊµÏÖ
+protected:
+	HICON m_hIcon;
+
+	// Éú³ÉµÄÏûÏ¢Ó³Éäº¯Êý
+	virtual BOOL OnInitDialog();
+	afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
+	afx_msg void OnPaint();
+	afx_msg HCURSOR OnQueryDragIcon();
+	DECLARE_MESSAGE_MAP()
+public:
+	CTabCtrl m_mainTab;
+
+	afx_msg void OnClickedStaticModule();
+	CMyPicButton m_btnProc;
+	CMyPicButton m_btnModu;
+	CMyPicButton m_btnServ;
+	CMyPicButton m_btnAbou;
+	CMyPicButton m_btnFile;
+	CMyPicButton m_btnSys;
+	CMyPicButton m_btnSet;
+	CMyPicButton m_btnTool;
+	CMyPicButton m_btnMenu;
+	CMyPicButton m_btnKrnl;
+
+	afx_msg void OnClickedStaticProcess();
+	afx_msg void OnClickedStaticService();
+	afx_msg void OnEnableStaticProcess();
+	afx_msg void OnDisableStaticProcess();
+	afx_msg void OnEnableStaticModule();
+	afx_msg void OnDisableStaticModule();
+	afx_msg void OnEnableStaticService();
+	afx_msg void OnDisableStaticService();
+	afx_msg void OnClickedStaticLogo();
+	afx_msg void OnEnableStaticLogo();
+	afx_msg void OnDisableStaticLogo();
+	
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	afx_msg void OnClickedStaticFile();
+	afx_msg void OnEnableStaticFile();
+	afx_msg void OnDisableStaticFile();
+	afx_msg BOOL OnHelpInfo(HELPINFO* pHelpInfo);
+	afx_msg void OnClickedStaticSystem();
+	afx_msg void OnEnableStaticSystem();
+	afx_msg void OnDisableStaticSystem();
+	afx_msg void OnClickedStaticSetting();
+	afx_msg void OnEnableStaticSetting();
+	afx_msg void OnDisableStaticSetting();
+	afx_msg void OnClickedStaticTools();
+	afx_msg void OnEnableStaticTools();
+	afx_msg void OnDisableStaticTools();
+	afx_msg void OnClickedStaticManmenubtn();
+	afx_msg void OnClose();
+	afx_msg void OnMenuExit();
+	afx_msg void OnMenuShowmain();
+	afx_msg void OnMenuHidemain();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	afx_msg void OnClickedStaticKernel();
+	afx_msg void OnEnableStaticKernel();
+	afx_msg void OnDisableStaticKernel();
+	afx_msg int OnCreate(LPCREATESTRUCT lpCreateStruct);
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/HsAboutDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/HsAboutDlg.cpp
new file mode 100644
index 0000000..df938a5
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HsAboutDlg.cpp
@@ -0,0 +1,217 @@
+// HsAboutDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "HsAboutDlg.h"
+#include "afxdialogex.h"
+
+#include "HeavenShadowDlg.h"
+
+
+extern BOOL bDriverIsOK;
+extern WIN_VERSION GetWindowsVersion();
+extern WIN_VERSION WinVersion;
+
+extern int dpix;
+extern int dpiy;
+
+
+
+// CHsAboutDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CHsAboutDlg, CDialog)
+
+CHsAboutDlg::CHsAboutDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CHsAboutDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CHsAboutDlg::~CHsAboutDlg()
+{
+}
+
+void CHsAboutDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_TEXT_CHECK_ALT, m_TextCheckAlt);
+	DDX_Control(pDX, IDC_STATIC_CHECK_ALT, m_PicCheckAlt);
+	DDX_Control(pDX, IDC_STATIC_SYS_BIT, m_PicSysBit);
+	DDX_Control(pDX, IDC_TEXT_SYS_BIT, m_TextSysBit);
+	DDX_Control(pDX, IDC_TEXT_SOFT_BIT, m_TextSoftBit);
+	DDX_Control(pDX, IDC_STATIC_HOMECHECK, m_CheckBtn);
+}
+
+
+BEGIN_MESSAGE_MAP(CHsAboutDlg, CDialog)
+	ON_WM_SHOWWINDOW()
+	ON_WM_PAINT()
+	ON_WM_CTLCOLOR()
+	ON_STN_CLICKED(IDC_STATIC_HOMECHECK, &CHsAboutDlg::OnClickedStaticHomecheck)
+END_MESSAGE_MAP()
+
+
+// CHsAboutDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+BOOL CHsAboutDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CHsAboutDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_ABOUT;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnAbou.EnableWindow(FALSE);
+
+		HsSendStatusDetail(L"ÌìÓ°ÎÀÊ¿°²È«·À»¤¹¤¾ß¡£");
+
+		HsSendStatusTip(L"ÌìÓ°ÎÀÊ¿");
+
+
+		if (sizeof(ULONG_PTR) == sizeof(ULONG32))
+		{
+			m_TextSoftBit.SetWindowTextW(L"ÌìÓ°ÎÀÊ¿ 32Î»°æ¡£");
+		}
+		else
+		{
+			m_TextSoftBit.SetWindowTextW(L"ÌìÓ°ÎÀÊ¿ 64Î»°æ¡£");
+		}
+
+		CString SysBit;
+
+		WinVersion = GetWindowsVersion();
+
+		switch(WinVersion)
+		{
+		case Windows7:
+			{
+				SysBit += L"Windows7";
+				break;
+			}
+		case WindowsXP:
+			{
+				SysBit += L"WindowsXP";
+				break;
+			}
+		default:
+			{
+				SysBit += L"Other";
+			}
+		}
+
+		if (HsIs64BitWindows())
+		{
+			SysBit += L" 64Î»²Ù×÷ÏµÍ³¡£";
+		}
+		else
+		{
+			SysBit += L" 32Î»²Ù×÷ÏµÍ³¡£";
+		}
+
+		m_TextSysBit.SetWindowTextW(SysBit.GetBuffer());
+
+		if (bDriverIsOK)
+		{
+			HINSTANCE hIns_proc = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_CHECK_ALT_V),RT_GROUP_ICON);
+			HBITMAP   hBmp_proc = ::LoadBitmap(hIns_proc, MAKEINTRESOURCE(IDB_BITMAP_CHECK_ALT_V));
+			m_PicCheckAlt.SetBitmap(hBmp_proc);
+
+			m_TextCheckAlt.SetWindowTextW(L"³ÌÐòÓëÄÚºË²ãÍ¨Ñ¶Õý³£¡£");
+		}
+		else
+		{
+			HINSTANCE hIns_proc = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_CHECK_ALT_X),RT_GROUP_ICON);
+			HBITMAP   hBmp_proc = ::LoadBitmap(hIns_proc, MAKEINTRESOURCE(IDB_BITMAP_CHECK_ALT_X));
+			m_PicCheckAlt.SetBitmap(hBmp_proc);
+
+			m_TextCheckAlt.SetWindowTextW(L"³ÌÐòÓëÄÚºË²ãÍ¨Ñ¶Òì³£¡£");
+		}
+
+	}
+}
+
+
+void CHsAboutDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+
+	ClientToScreen(&rect);
+
+	CRect picrect;
+	m_PicSysBit.GetWindowRect(&picrect);
+	picrect.left = picrect.left - rect.left;
+
+	CPoint startPoint;
+	startPoint.x = (LONG)(picrect.left-(20)*(dpix/96.0));
+	startPoint.y = 13;
+	CPoint endPoint;
+	endPoint.x = (LONG)(picrect.left-(20)*(dpix/96.0));
+	endPoint.y = rect.Height()-13;
+
+
+	COLORREF m_Color(RGB(225,225,255));
+
+	CClientDC aDC(this); //CClientDCµÄ¹¹Ôìº¯ÊýÐèÒªÒ»¸ö²ÎÊý£¬Õâ¸ö²ÎÊýÊÇÖ¸Ïò»æÍ¼´°¿ÚµÄÖ¸Õë£¬ÎÒÃÇÓÃthisÖ¸Õë¾Í¿ÉÒÔÁË
+	CPen pen(PS_SOLID,1,m_Color); ////½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+	aDC.SelectObject(&pen);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+}
+
+
+BOOL CHsAboutDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+HBRUSH CHsAboutDlg::OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor)
+{
+	HBRUSH hbr = CDialog::OnCtlColor(pDC, pWnd, nCtlColor);
+
+	// TODO:  ÔÚ´Ë¸ü¸Ä DC µÄÈÎºÎÌØÐÔ
+
+
+	// TODO:  Èç¹ûÄ¬ÈÏµÄ²»ÊÇËùÐè»­±Ê£¬Ôò·µ»ØÁíÒ»¸ö»­±Ê
+	return hbr;
+}
+
+
+void CHsAboutDlg::OnClickedStaticHomecheck()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	HINSTANCE hIns_proc = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_HOMECHECK_BTN_CLICK),RT_GROUP_ICON);
+	HBITMAP   hBmp_proc = ::LoadBitmap(hIns_proc, MAKEINTRESOURCE(IDB_BITMAP_HOMECHECK_BTN_CLICK));
+	m_CheckBtn.SetBitmap(hBmp_proc);
+
+	Sleep(100);
+	((CHeavenShadowDlg*)m_wParent)->OnClickedStaticProcess();
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/HsAboutDlg.h b/arkProject/HeavenShadow/HeavenShadow/HsAboutDlg.h
new file mode 100644
index 0000000..766939c
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/HsAboutDlg.h
@@ -0,0 +1,38 @@
+#pragma once
+#include "afxwin.h"
+#include "MyCheckBtn.h"
+#include "MyText2.h"
+
+// CHsAboutDlg ¶Ô»°¿ò
+
+class CHsAboutDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CHsAboutDlg)
+
+public:
+	CHsAboutDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CHsAboutDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_ABOUT };
+
+	CWnd* m_wParent;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	virtual BOOL OnInitDialog();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	afx_msg void OnPaint();
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	afx_msg HBRUSH OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor);
+	CMyText2 m_TextCheckAlt;
+	CMyText2 m_TextSysBit;
+	CMyText2 m_TextSoftBit;
+	CStatic  m_PicCheckAlt;
+	CStatic m_PicSysBit;
+	CMyCheckBtn m_CheckBtn;
+	afx_msg void OnClickedStaticHomecheck();
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/InjectFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/InjectFunc.cpp
new file mode 100644
index 0000000..6226283
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/InjectFunc.cpp
@@ -0,0 +1,589 @@
+#include "stdafx.h"
+#include "InjectFunc.h"
+#include "Common.h"
+#include "ProcessFunc.h"
+
+WIN_VERSION  GetWindowsVersion();
+WIN_VERSION  WinVersion = WinUnknown;
+
+typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
+typedef long (__fastcall *pfnRtlAdjustPrivilege32)(ULONG,ULONG,ULONG,PVOID);
+pfnRtlAdjustPrivilege64 RtlAdjustPrivilege64;
+pfnRtlAdjustPrivilege32 RtlAdjustPrivilege32;
+
+DWORD WINAPI HsRemoteThreadInjectDll(CListCtrl *m_ListCtrl)
+{
+	CString ProcessPath;
+	ULONG_PTR ProcessId = 0;
+	CString CmdLine;
+
+	POSITION pos = m_ListCtrl->GetFirstSelectedItemPosition();
+
+	while(pos)
+	{
+		int nItem = m_ListCtrl->GetNextSelectedItem(pos);
+
+		ProcessPath = m_ListCtrl->GetItemText(nItem,HS_PROCESS_COLUMN_PATH);
+		ProcessId = _ttoi(m_ListCtrl->GetItemText(nItem,HS_PROCESS_COLUMN_PID));
+
+		CmdLine += L"-d ";
+		CmdLine += m_ListCtrl->GetItemText(nItem,HS_PROCESS_COLUMN_PID);
+		CmdLine += L" -p ";
+		CmdLine += ProcessPath;
+	}
+	
+	
+
+
+	if (ProcessId<=4)
+	{
+		return FALSE;
+	}
+
+	if (HsIs32BitFile(ProcessPath.GetBuffer())==TRUE)
+	{
+		WinVersion = GetWindowsVersion();
+
+		if (WinVersion >= WindowsVista)
+		{
+			WCHAR wzInjectPath[260] = {0};
+			WCHAR* p = NULL;
+			CString InjectPath;
+			HMODULE module = GetModuleHandle(0);
+			GetModuleFileName(module,wzInjectPath,sizeof(wzInjectPath));
+			p = wcsrchr(wzInjectPath,L'\\');
+			*p = 0;
+			InjectPath = wzInjectPath;
+			InjectPath += L"\\injectdll32.exe";
+
+			SHELLEXECUTEINFO sei = {sizeof(SHELLEXECUTEINFO)};
+			sei.lpVerb = L"runas";
+			sei.lpFile = InjectPath.GetBuffer();
+			sei.hwnd = GetDesktopWindow();
+			sei.nShow = SW_NORMAL;
+			sei.lpParameters = CmdLine.GetBuffer();
+
+			if (!ShellExecuteEx(&sei))
+			{
+				MessageBox(NULL,L"×¢ÈëÊ§°Ü",L"×¢ÈëÊ§°Ü",0);
+			}
+		}
+		else
+		{
+			ShellExecuteW(NULL,
+				L"open",
+				L"injectdll32.exe",
+				CmdLine.GetBuffer(),
+				L"",
+				SW_SHOWMAXIMIZED);
+		}
+
+	}
+	else
+	{
+		if (WinVersion >= WindowsVista)
+		{
+			WCHAR wzInjectPath[260] = {0};
+			WCHAR* p = NULL;
+			CString InjectPath;
+			HMODULE module = GetModuleHandle(0);
+			GetModuleFileName(module,wzInjectPath,sizeof(wzInjectPath));
+			p = wcsrchr(wzInjectPath,L'\\');
+			*p = 0;
+			InjectPath = wzInjectPath;
+			InjectPath += L"\\injectdll64.exe";
+
+			SHELLEXECUTEINFO sei = {sizeof(SHELLEXECUTEINFO)};
+			sei.lpVerb = L"runas";
+			sei.lpFile = InjectPath.GetBuffer();
+			sei.hwnd = GetDesktopWindow();
+			sei.nShow = SW_NORMAL;
+			sei.lpParameters = CmdLine.GetBuffer();
+
+			if (!ShellExecuteEx(&sei))
+			{
+				MessageBox(NULL,L"×¢ÈëÊ§°Ü",L"×¢ÈëÊ§°Ü",0);
+			}
+
+		}
+		else
+		{
+			ShellExecuteW(NULL,
+				L"open",
+				L"injectdll64.exe",
+				CmdLine.GetBuffer(),
+				L"",
+				SW_SHOWMAXIMIZED);
+		}
+	}
+
+
+	
+	return TRUE;
+
+	WCHAR wzFileFilter[] = L"Ó¦ÓÃ³ÌÐòÀ©Õ¹ (*.dll)\0*.dll\0ËùÓÐÎÄ¼þ (*.*)\0*.*\0";
+	WCHAR wzFileChoose[] = L"´ò¿ªÎÄ¼þ";
+
+
+	CFileDialog FileDlg(TRUE);
+	FileDlg.m_ofn.lpstrTitle  = wzFileChoose;
+	FileDlg.m_ofn.lpstrFilter = wzFileFilter;
+
+	if (IDOK != FileDlg.DoModal())
+	{
+		return FALSE;
+	}
+
+	
+
+	CString strDllPath = FileDlg.GetPathName();
+
+	BOOL bResult = FALSE;
+
+	if (PathFileExists(strDllPath) && ProcessId > 4)   //×¢ÒâÕâÀïµÄÅÐ¶ÏÈç¹ûÊÇÒªÑ¡Ôñ64Î»µÄDll¾ÍÒª±àÒë³É64Î»
+	{
+		if (HsIs32BitFile(ProcessPath.GetBuffer())==TRUE &&
+			HsIs32BitFile(strDllPath.GetBuffer())==TRUE)
+		{
+			bResult = HsInjectDll(TRUE,&strDllPath,ProcessId);
+		}
+		else if (HsIs32BitFile(ProcessPath.GetBuffer())==FALSE &&
+			HsIs32BitFile(strDllPath.GetBuffer())==FALSE)
+		{
+			bResult = HsInjectDll(FALSE,&strDllPath,ProcessId);
+		}
+	}
+
+	if (bResult == FALSE)
+	{
+		::MessageBox(NULL,L"Ô¶³ÌÏß³Ì×¢ÈëÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",0);
+
+	}
+	else
+	{
+		::MessageBox(NULL,L"Ô¶³ÌÏß³Ì×¢Èë³É¹¦¡£",L"ÌìÓ°ÎÀÊ¿",0);
+	}
+
+	return bResult;
+}
+
+
+//¸Ä³ÌÐò±àÒë³É64Î»¿ÉÒÔ×¢Èë64Î» ±àÒë³É32Î»¿ÉÒÔ×¢Èë32Î»
+
+BOOL HsInjectDll(BOOL Is32Bit, CString* strDllPath, ULONG_PTR ProcessID)
+{
+	BOOL bResult = FALSE;
+
+	if (ProcessID <= 0)
+	{
+		return FALSE;
+	}
+
+
+	if (PathFileExists(*strDllPath))
+	{
+		WinVersion = GetWindowsVersion();
+
+		switch(WinVersion)
+		{
+		case Windows7:   //×¢ÒâÎÒÃÇÕâÀïÕë¶ÔµÄÊÇ64Î»µÄWin7
+			{
+
+				WCHAR wzPath[MAX_PATH] = {0};
+				wcscpy_s(wzPath, strDllPath->GetBuffer());
+				strDllPath->ReleaseBuffer();
+
+				bResult = HsInjectDllByRemoteThreadWin7(wzPath,ProcessID,Is32Bit);
+
+				break;
+			}
+
+		case WindowsXP:  //ÕâÀïÊÇÕë¶ÔµÄ32Î»µÄXP
+			{
+				WCHAR wzPath[MAX_PATH] = {0};
+				wcscpy_s(wzPath, strDllPath->GetBuffer());
+
+				strDllPath->ReleaseBuffer();
+
+				bResult = HsInjectDllByRemoteThreadWinXP(wzPath,ProcessID);
+
+				break;
+			}
+		}
+	}
+	return bResult;
+}
+
+
+BOOL HsInjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId, BOOL Is32Bit)
+{
+	if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
+	{
+		return FALSE;
+	}
+	HANDLE                 hProcess = NULL;
+	HANDLE                 hThread  = NULL;
+	DWORD                  dwRetVal    = 0;
+	LPTHREAD_START_ROUTINE FuncAddress = NULL;
+	DWORD  dwSize = 0;
+	TCHAR* VirtualAddress = NULL;
+
+#ifdef _UNICODE
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+	if (FuncAddress==NULL)
+	{
+		return FALSE;
+	}
+
+	if (Is32Bit == FALSE)
+	{
+		RtlAdjustPrivilege64=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+		if (RtlAdjustPrivilege64==NULL)
+		{
+			return FALSE;
+		}
+		RtlAdjustPrivilege64(20,1,0,&dwRetVal);  //19
+	}
+	else
+	{
+		RtlAdjustPrivilege32=(pfnRtlAdjustPrivilege32)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+		if (RtlAdjustPrivilege32==NULL)
+		{
+			return FALSE;
+		}
+		RtlAdjustPrivilege32(20,1,0,&dwRetVal);  //19
+	}
+
+
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, (DWORD)ProcessId);
+
+	if (NULL == hProcess)
+	{
+		printf("Open Process Fail\r\n");
+		return FALSE;
+	}
+
+	// ÔÚÄ¿±ê½ø³ÌÖÐ·ÖÅäÄÚ´æ¿Õ¼ä
+	dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
+	VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);  
+	if (NULL == VirtualAddress)
+	{
+
+		printf("Virtual Process Memory Fail\r\n");
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+	// ÔÚÄ¿±ê½ø³ÌµÄÄÚ´æ¿Õ¼äÖÐÐ´ÈëËùÐè²ÎÊý(Ä£¿éÃû)
+	if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
+	{
+		printf("Write Data Fail\r\n");
+		VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+	hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
+	if (NULL == hThread)
+	{
+		printf("CreateRemoteThread Fail\r\n");
+
+		VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+
+	// µÈ´ýÔ¶³ÌÏß³Ì½áÊø
+	WaitForSingleObject(hThread, INFINITE);
+	// ÇåÀí
+	VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+	CloseHandle(hThread);
+	CloseHandle(hProcess);
+
+	return TRUE;
+
+}
+
+
+
+
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
+{
+	//Ìá¸ß±¾½ø³ÌµÄÈ¨ÏÞ
+
+	if (!HsInjectUpPrivilige())  //ÌáÈ¨
+	{
+		printf("Up Privilige Is Error\n");
+		return FALSE;
+	}
+
+	CStringA *Dll = new CStringA(wzDllFile);
+
+
+	//ÎÒÃÇ¾ÍÒª´ò¿ªÏëÒª´ò¿ªµÄ½ø³Ì
+	HANDLE hProcess = NULL;
+	HANDLE hThread  = NULL;
+
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,(DWORD)ProcessId);  //explorer.exe  hProcess
+	if (hProcess==NULL)
+	{
+		printf("Open Process Is Error\n");
+
+		return FALSE;
+	}
+
+	char* szDllName = NULL;
+
+	szDllName = (char*)VirtualAllocEx(hProcess,
+		NULL,Dll->GetLength()+1,MEM_COMMIT,PAGE_READWRITE);   
+
+	if (szDllName==NULL)
+	{
+
+		CloseHandle(hProcess);
+		printf("Apply Memory Is Error\n");
+
+		return FALSE;
+	}
+
+	//È»ºó½«ÍêÕûµÄÂ·¾¶Ö±½ÓÐ´ÈëÄÚ´æ
+
+	if (!WriteProcessMemory(hProcess,szDllName,Dll->GetBuffer(),Dll->GetLength()+1,NULL))
+	{
+
+		CloseHandle(hProcess);
+
+		printf("Write Memory Is Error\n");
+
+		return FALSE;
+	}
+
+	LPTHREAD_START_ROUTINE StartRoutine = NULL;
+
+	StartRoutine = 
+		(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),
+		"LoadLibraryA");
+
+	if(StartRoutine == NULL)
+	{
+		printf("Get ProcAddress Error\n");
+		return FALSE;
+	}
+
+	hThread = CreateRemoteThread(hProcess,NULL,0,StartRoutine,szDllName,0,NULL);
+
+	if (hThread==NULL)
+	{
+		CloseHandle(hProcess);
+
+		printf("Create Remote Thread Is Error\n");
+
+		return FALSE;
+	}
+
+	WaitForSingleObject(hThread, INFINITE);
+	CloseHandle(hThread);
+	VirtualFreeEx(hProcess,szDllName,0,MEM_RELEASE);
+	CloseHandle(hProcess);
+
+	return TRUE;
+}
+
+
+BOOL HsInjectUpPrivilige()	//XP
+{
+
+	HANDLE hToken = NULL;
+
+	_TOKEN_PRIVILEGES tp = {0};
+
+	LUID luid={0};
+
+
+	if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
+	{
+		printf("OpenProcess Is Error\n");
+
+		return FALSE;
+	}
+
+	if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
+	{
+
+		printf("Lookup Is Error\n");
+
+		return FALSE;
+	}
+
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+
+	if (!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
+	{
+		printf("Adjust Is Error\n");
+
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+/*
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
+{
+// ²ÎÊýÎÞÐ§
+if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
+{
+
+return FALSE;
+}
+
+HANDLE hProcess = NULL;
+HANDLE hThread  = NULL;
+DWORD dwSize = 0;
+TCHAR* VirtualAddress = NULL;
+LPTHREAD_START_ROUTINE FuncAddress = NULL;
+
+// »ñÈ¡Ä¿±ê½ø³Ì¾ä±ú
+hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)ProcessId);
+if (NULL == hProcess)
+{
+printf("Open Process Fail\r\n");
+return FALSE;
+}
+
+// ÔÚÄ¿±ê½ø³ÌÖÐ·ÖÅäÄÚ´æ¿Õ¼ä
+dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
+VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
+if (NULL == VirtualAddress)
+{
+
+printf("Virtual Process Memory Fail\r\n");
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// ÔÚÄ¿±ê½ø³ÌµÄÄÚ´æ¿Õ¼äÖÐÐ´ÈëËùÐè²ÎÊý(Ä£¿éÃû)
+if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
+{
+printf("Write Data Fail\r\n");
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// ´Ó Kernel32.dll ÖÐ»ñÈ¡ LoadLibrary º¯ÊýµØÖ·
+#ifdef _UNICODE
+FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+if (NULL == FuncAddress)
+{
+printf("Get LoadLibrary Fail\r\n");
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return false;
+}
+
+// ´´½¨Ô¶³ÌÏß³Ìµ÷ÓÃ LoadLibrary
+hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
+if (NULL == hThread)
+{
+printf("CreateRemoteThread Fail\r\n");
+
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// µÈ´ýÔ¶³ÌÏß³Ì½áÊø
+WaitForSingleObject(hThread, INFINITE);
+// ÇåÀí
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hThread);
+CloseHandle(hProcess);
+
+return TRUE;
+}
+
+
+*/
+
+
+
+
+WIN_VERSION  GetWindowsVersion()
+{
+	OSVERSIONINFOEX	OsVerInfoEx;
+	OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // ×¢Òâ×ª»»ÀàÐÍ
+
+	switch (OsVerInfoEx.dwPlatformId)
+	{
+	case VER_PLATFORM_WIN32_NT:
+		{
+			if (OsVerInfoEx.dwMajorVersion <= 4 )
+			{
+				return WindowsNT;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 0)
+			{
+				return Windows2000;
+			}
+
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1)
+			{
+				return WindowsXP;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 2)
+			{
+				return Windows2003;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 0)
+			{
+				return WindowsVista;
+			}
+
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 1)
+			{
+				return Windows7;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 2 )
+			{
+				return Windows8;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 3 )
+			{
+				return Windows8_1;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 10 && OsVerInfoEx.dwMinorVersion == 0 )
+			{
+				return Windows10;
+			}
+
+			break;
+		}
+
+	default:
+		{
+			return WinUnknown;
+		}
+	}
+
+	return WinUnknown;
+}
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/InjectFunc.h b/arkProject/HeavenShadow/HeavenShadow/InjectFunc.h
new file mode 100644
index 0000000..81edca6
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/InjectFunc.h
@@ -0,0 +1,21 @@
+#pragma once
+#include "stdafx.h"
+
+
+
+
+
+BOOL HsInjectDll(BOOL Is32Bit, CString* strDllPath, ULONG_PTR ProcessID);
+
+
+BOOL HsInjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId, BOOL Is32Bit);
+
+
+
+
+
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
+
+BOOL HsInjectUpPrivilige();
+
+DWORD WINAPI HsRemoteThreadInjectDll(CListCtrl *m_ListCtrl);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/IoTimerFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/IoTimerFunc.cpp
new file mode 100644
index 0000000..986cd06
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/IoTimerFunc.cpp
@@ -0,0 +1,318 @@
+#include "stdafx.h"
+#include "IoTimerFunc.h"
+#include "Common.h"
+#include "ModuleFunc.h"
+#include "ThreadFunc.h"
+#include "SSDTFunc.h"
+#include <vector>
+
+#include "ProcessFunc.h"
+
+using namespace std;
+
+typedef struct _PCOMMUNICATE_IO_TIMER_  
+{
+	PLIST_ENTRY     TimerEntry;
+	ULONG_PTR       DeviceObject;
+	BOOLEAN         bStart;
+}COMMUNICATE_IO_TIMER,*PCOMMUNICATE_IO_TIMER;
+typedef struct _IO_TIMERS_
+{
+	ULONG_PTR TimerObject;
+	ULONG_PTR DeviceObject;
+	ULONG_PTR TimeDispatch;
+	ULONG_PTR TimerEntry;
+	ULONG     Status;
+}IO_TIMERS, *PIO_TIMERS;
+
+typedef struct _IO_TIMER_INFOR_
+{
+	ULONG ulCnt;
+	ULONG ulRetCnt;
+	IO_TIMERS IoTimer[1];
+}IO_TIMER_INFOR, *PIO_TIMER_INFOR;
+
+vector<IO_TIMERS> m_IOTimerVector;
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+
+COLUMNSTRUCT g_Column_IOTimer[] = 
+{
+	{	L"¶¨Ê±Æ÷¶ÔÏó",			125	},
+	{	L"Éè±¸¶ÔÏó",				125	},
+	{	L"×´Ì¬",					45	},
+	{	L"º¯ÊýÈë¿Ú",				125	},
+	{	L"Ä£¿éÂ·¾¶",				180	},
+	{	L"³öÆ·³§ÉÌ",				125	}
+};
+
+ULONG_PTR m_ulIOTimerCount = 0;
+
+UINT g_Column_IOTimer_Count = 6;
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitIOTimerList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_IOTimer_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_IOTimer[i].szTitle,LVCFMT_LEFT,(int)(g_Column_IOTimer[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsLoadIOTimerList(CListCtrl *m_ListCtrl)
+{
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	// 	while(bIsChecking == TRUE)
+	// 	{
+	// 		Sleep(10);
+	// 	}
+
+	bIsChecking = TRUE;
+
+	HsSendStatusDetail(L"IOTimerÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"IOTimer");
+
+	HsQueryIOTimerList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+}
+
+
+
+VOID HsQueryIOTimerList(CListCtrl *m_ListCtrl)
+{
+	BOOL bRet = FALSE;
+
+	bRet = EnumDriver();
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"Çý¶¯Ä£¿é³õÊ¼»¯Ê§°Ü...");
+		return;
+	}
+
+	ULONG_PTR ulCnt = 100;
+	PIO_TIMER_INFOR IOTimerInfor = NULL;
+	DWORD ulReturnSize = 0;
+
+	m_ListCtrl->DeleteAllItems();
+	m_IOTimerVector.clear();
+
+	do 
+	{
+		ULONG_PTR ulSize = sizeof(IO_TIMER_INFOR) + ulCnt * sizeof(IO_TIMERS);
+
+		if (IOTimerInfor)
+		{
+			free(IOTimerInfor);
+			IOTimerInfor = NULL;
+		}
+
+		IOTimerInfor = (PIO_TIMER_INFOR)malloc(ulSize);
+
+		if (IOTimerInfor)
+		{
+			memset(IOTimerInfor, 0, ulSize);
+			IOTimerInfor->ulCnt = (ULONG)ulCnt;		
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_IOTIMER),
+				NULL,
+				0,
+				IOTimerInfor,
+				(DWORD)ulSize,
+				&ulReturnSize,
+				NULL);
+		}
+
+		ulCnt =IOTimerInfor->ulCnt + 10;
+
+
+	} while (!bRet && IOTimerInfor->ulRetCnt > IOTimerInfor->ulCnt);
+
+	if (!bRet)
+	{
+		HsSendStatusDetail(L"IOTimer¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+	if (bRet &&
+		IOTimerInfor->ulCnt >= IOTimerInfor->ulRetCnt)
+	{
+		for (ULONG i = 0; i < IOTimerInfor->ulRetCnt; i++)
+		{
+			m_IOTimerVector.push_back(IOTimerInfor->IoTimer[i]);
+		}
+	}
+
+	if (IOTimerInfor)
+	{
+		free(IOTimerInfor);
+		IOTimerInfor = NULL;
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+
+	m_ulIOTimerCount = 0;
+
+	for (vector<IO_TIMERS>::iterator itor = m_IOTimerVector.begin(); itor != m_IOTimerVector.end(); itor++)
+	{
+		CString strTimer, strDeviceObject, strPath, strStatus, strDispatch;
+
+		strTimer.Format(L"0x%p", itor->TimerObject);
+		strDeviceObject.Format(L"0x%p", itor->DeviceObject);
+		strDispatch.Format(L"0x%p", itor->TimeDispatch);
+		strPath = GetDriverPath(itor->TimeDispatch);
+
+		if (itor->Status)
+		{
+			strStatus = L"ÔËÐÐ";
+		}
+		else
+		{
+			strStatus = L"Í£Ö¹";
+		}
+
+
+		int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strTimer);
+		m_ListCtrl->SetItemText(n, 1, strDeviceObject);
+		m_ListCtrl->SetItemText(n, 2, strStatus);
+		m_ListCtrl->SetItemText(n, 3, strDispatch);
+		m_ListCtrl->SetItemText(n, 4, strPath);
+		m_ListCtrl->SetItemText(n, 5, HsGetFileCompanyName(strPath));
+
+		m_ListCtrl->SetItemData(n, itor->TimerEntry);
+
+		m_ulIOTimerCount++;
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"IOTimerÕýÔÚ¼ÓÔØ¡£ ¶¨Ê±Æ÷Êý£º%d",m_ulIOTimerCount);
+		HsSendStatusDetail(StatusBarContext);
+	}
+
+	CString StatusBarContext;
+	StatusBarContext.Format(L"IOTimer¼ÓÔØÍê³É¡£ ¶¨Ê±Æ÷Êý£º%d",m_ulIOTimerCount);
+	HsSendStatusDetail(StatusBarContext);
+
+}
+
+
+
+VOID HsOperIOTimer(CListCtrl* m_ListCtrl)
+{
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+	CString Temp = m_ListCtrl->GetItemText(Index,1);
+
+	COMMUNICATE_IO_TIMER  IOTimer;
+
+	for ( vector <IO_TIMERS>::iterator Iter = m_IOTimerVector.begin( ); Iter != m_IOTimerVector.end( ); Iter++ )
+	{
+		CString strObject;
+		strObject.Format(L"0x%p", Iter->DeviceObject);
+		if (!strObject.CompareNoCase(Temp))
+		{
+
+			IOTimer.DeviceObject = Iter->DeviceObject;
+
+			if (Iter->Status)
+			{
+
+				IOTimer.bStart = 0;
+			}
+			else
+			{
+
+				IOTimer.bStart = 1;
+			}
+
+
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_OPERIOTIMER),
+				&IOTimer,
+				sizeof(COMMUNICATE_IO_TIMER),
+				NULL,
+				0,
+				&ulReturnSize,
+				NULL);
+
+			break;
+		}	
+	}
+
+	if (bRet == TRUE)
+	{
+		HsQueryIOTimerList(m_ListCtrl);
+	}
+
+	bIsChecking = FALSE;
+}
+
+
+
+
+VOID HsRemoveIOTimerItem(CListCtrl* m_ListCtrl)
+{
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+	CString Temp = m_ListCtrl->GetItemText(Index,3);
+
+	COMMUNICATE_IO_TIMER  IOTimer;
+
+	for ( vector <IO_TIMERS>::iterator Iter = m_IOTimerVector.begin( ); Iter != m_IOTimerVector.end( ); Iter++ )
+	{
+
+		if (m_ListCtrl->GetItemData(Index)==Iter->TimerEntry)
+		{
+
+			IOTimer.TimerEntry = (PLIST_ENTRY)Iter->TimerEntry;
+
+
+			bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_REMOVEIOTIMER),
+				&IOTimer,
+				sizeof(COMMUNICATE_IO_TIMER),
+				NULL,
+				0,
+				&ulReturnSize,
+				NULL);
+
+
+			break;
+		}	
+	}
+	
+
+	if (bRet)
+	{
+		HsQueryIOTimerList(m_ListCtrl);
+	}
+
+
+	bIsChecking = FALSE;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/IoTimerFunc.h b/arkProject/HeavenShadow/HeavenShadow/IoTimerFunc.h
new file mode 100644
index 0000000..63a3552
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/IoTimerFunc.h
@@ -0,0 +1,28 @@
+#pragma once
+#include "stdafx.h"
+
+
+
+
+VOID HsInitIOTimerList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadIOTimerList(CListCtrl *m_ListCtrl);
+
+VOID HsQueryIOTimerList(CListCtrl *m_ListCtrl);
+
+VOID HsOperIOTimer(CListCtrl* m_ListCtrl);
+
+VOID HsRemoveIOTimerItem(CListCtrl* m_ListCtrl);
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/KernelDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/KernelDlg.cpp
new file mode 100644
index 0000000..237c477
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/KernelDlg.cpp
@@ -0,0 +1,568 @@
+// KernelDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "KernelDlg.h"
+#include "afxdialogex.h"
+
+#include "SSDTFunc.h"
+#include "SSSDTFunc.h"
+#include "SysThread.h"
+
+#include "KernelFunc.h"
+
+#include "HeavenShadowDlg.h"
+
+// CKernelDlg ¶Ô»°¿ò
+
+
+enum HS_KERNEL_LIST
+{
+	HS_KERNEL_SSDT,
+	HS_KERNEL_SSSDT,
+	HS_KERNEL_KRNLFUNC,
+	HS_KERNEL_KRNLIAT,
+	HS_KERNEL_KRNLEAT,
+};
+
+extern int dpix;
+extern int dpiy;
+
+extern BOOL bIsChecking;
+
+BOOL bNowKernelSel = 255;
+
+
+IMPLEMENT_DYNAMIC(CKernelDlg, CDialog)
+
+CKernelDlg::CKernelDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CKernelDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CKernelDlg::~CKernelDlg()
+{
+}
+
+void CKernelDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST_KERNEL, m_ListKernel);
+	DDX_Control(pDX, IDC_LIST_KERNEL_CTRL, m_ListKernelCtrl);
+	DDX_Control(pDX, IDC_LIST_KRNLNAME, m_KernelNameList);
+}
+
+
+BEGIN_MESSAGE_MAP(CKernelDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+	ON_LBN_SELCHANGE(IDC_LIST_KERNEL, &CKernelDlg::OnSelchangeListKernel)
+	ON_NOTIFY(NM_CUSTOMDRAW, IDC_LIST_KERNEL_CTRL, &CKernelDlg::OnNMCustomdrawListKernelCtrl)
+	ON_COMMAND(ID_MENU_SSDT_REFRESH, &CKernelDlg::OnMenuSsdtRefresh)
+	ON_NOTIFY(NM_RCLICK, IDC_LIST_KERNEL_CTRL, &CKernelDlg::OnNMRClickListKernelCtrl)
+	ON_COMMAND(ID_MENU_SSDT_RESUME, &CKernelDlg::OnMenuSsdtResume)
+	ON_LBN_SELCHANGE(IDC_LIST_KRNLNAME, &CKernelDlg::OnLbnSelchangeListKrnlname)
+END_MESSAGE_MAP()
+
+
+// CKernelDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+BOOL CKernelDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+BOOL CKernelDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	InitKernelList();
+
+	UINT uIconSize = 20;
+
+	uIconSize *= (UINT)(dpix/96.0);
+
+	m_TreeKernelImageList.Create(1, uIconSize, ILC_COLOR32 | ILC_MASK, 2, 2);
+
+	ListView_SetImageList(m_ListKernelCtrl.m_hWnd, m_TreeKernelImageList.GetSafeHandle(), LVSIL_SMALL);
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CKernelDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+ 
+ 	CRect   rect;
+ 	GetClientRect(rect);
+ 	dc.FillSolidRect(rect,RGB(255,255,255));
+
+	CRect KernelListRect;
+	CRect KernelNameRect;
+	CRect KernelCtrlRect;
+
+	//m_ListKernel.GetClientRect(KernelListRect);
+	m_ListKernel.GetWindowRect(&KernelListRect);
+	ClientToScreen(&rect);
+	KernelListRect.left -= rect.left;
+	KernelListRect.right -= rect.left;
+	KernelListRect.top -= rect.top;
+	KernelListRect.bottom -= rect.top;
+	KernelListRect.bottom = rect.Height() - 2;
+	//m_ListKernel.MoveWindow(&KernelListRect);
+
+	CPoint startPoint;
+	startPoint.x = (LONG)(KernelListRect.right)+2;
+	startPoint.y = -1;
+	CPoint endPoint;
+	endPoint.x = (LONG)(KernelListRect.right)+2;
+	endPoint.y = rect.Height()+2;
+
+	KernelCtrlRect.left = startPoint.x+1;
+	KernelCtrlRect.right = rect.Width();
+	KernelCtrlRect.top = 0;
+	KernelCtrlRect.bottom = rect.Height();
+	m_ListKernelCtrl.MoveWindow(KernelCtrlRect);
+
+// 	CPoint startPoint;
+// 	startPoint.x = (UINT)(98*(dpix/96.0))+2;
+// 	startPoint.y = -1;
+// 	CPoint endPoint;
+// 	endPoint.x = (UINT)(98*(dpix/96.0))+2;
+// 	endPoint.y = rect.Height()+2;
+
+
+	COLORREF m_Color(RGB(190,190,190));
+
+	CClientDC aDC(this);			//CClientDCµÄ¹¹Ôìº¯ÊýÐèÒªÒ»¸ö²ÎÊý£¬Õâ¸ö²ÎÊýÊÇÖ¸Ïò»æÍ¼´°¿ÚµÄÖ¸Õë£¬ÎÒÃÇÓÃthisÖ¸Õë¾Í¿ÉÒÔÁË
+	CPen pen(PS_SOLID,1,m_Color);	//½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+	aDC.SelectObject(&pen);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+
+	
+
+	if (m_KernelNameList.IsWindowVisible())
+	{
+		KernelListRect.bottom = rect.Height()/2;
+
+		startPoint.x = -1;
+		startPoint.y = (LONG)(KernelListRect.bottom) + 2;
+		endPoint.x = (LONG)(KernelListRect.right) + 2;
+		endPoint.y = (LONG)(KernelListRect.bottom) + 2;
+
+		m_KernelNameList.MoveWindow(
+			KernelListRect.left,
+			KernelListRect.bottom+5,
+			KernelListRect.Width(),
+			rect.Height()-KernelListRect.bottom-7
+			);
+
+		CPen pen2(PS_SOLID,1,m_Color);	//½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+		aDC.SelectObject(&pen2);
+		aDC.MoveTo(startPoint);
+		aDC.LineTo(endPoint);
+	}
+
+	m_ListKernel.MoveWindow(&KernelListRect);
+
+}
+
+
+void CKernelDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_KERNEL;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnKrnl.EnableWindow(FALSE);
+
+		HsSendStatusDetail(L"²Ù×÷ÏµÍ³ÄÚºËÐÅÏ¢¡£");
+		HsSendStatusTip(L"ÄÚºË");
+
+		m_ListKernel.SetCurSel(HS_KERNEL_SSDT);
+		
+		bNowKernelSel = 255;
+
+		OnSelchangeListKernel();
+
+		m_ListKernelCtrl.SetFocus();
+
+	}
+}
+
+
+void CKernelDlg::InitKernelList(void)
+{
+	m_ListKernel.AddString(L"SSDT");
+	m_ListKernel.InsertString(HS_KERNEL_SSSDT,L"ShadowSSDT");
+	m_ListKernel.InsertString(HS_KERNEL_KRNLFUNC,L"ÄÚºËº¯Êý");
+ 	m_ListKernel.InsertString(HS_KERNEL_KRNLIAT,L"ÄÚºËµ¼Èë±í");
+ 	m_ListKernel.InsertString(HS_KERNEL_KRNLEAT,L"ÄÚºËµ¼³ö±í");
+
+	m_ListKernel.SetItemHeight(-1,(UINT)(16*(dpiy/96.0)));
+	m_KernelNameList.SetItemHeight(-1,(UINT)(16*(dpiy/96.0)));
+}
+
+
+void CKernelDlg::OnSelchangeListKernel()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	int nCurSel = m_ListKernel.GetCurSel();
+
+	switch(nCurSel)
+	{
+	case HS_KERNEL_SSDT:
+		{
+			if (bIsChecking == TRUE || bNowKernelSel == HS_KERNEL_SSDT)	//
+			{
+				m_ListKernel.SetCurSel(bNowKernelSel);
+				m_ListKernelCtrl.SetFocus();
+				return;
+			}
+
+			bNowKernelSel = nCurSel;
+			bIsChecking = TRUE;
+
+			m_KernelNameList.ShowWindow(FALSE);
+
+			HsInitSSDTList(&m_ListKernelCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadSSDTList,&m_ListKernelCtrl, 0,NULL)
+				);
+			//HsLoadSSDTList(&m_ListKernelCtrl);
+			break;
+		}
+	case HS_KERNEL_SSSDT:
+		{
+			if (bIsChecking == TRUE || bNowKernelSel == HS_KERNEL_SSSDT)	//
+			{
+				m_ListKernel.SetCurSel(bNowKernelSel);
+				m_ListKernelCtrl.SetFocus();
+				return;
+			}
+
+			bNowKernelSel = nCurSel;
+			bIsChecking = TRUE;
+
+			m_KernelNameList.ShowWindow(FALSE);
+
+			HsInitSSSDTList(&m_ListKernelCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadSSSDTList,&m_ListKernelCtrl, 0,NULL)
+				);
+			//HsLoadSSSDTList(&m_ListKernelCtrl);
+			break;
+		}
+
+	case HS_KERNEL_KRNLFUNC:
+		{
+			if (bIsChecking == TRUE || bNowKernelSel == HS_KERNEL_KRNLFUNC)	//
+			{
+				m_ListKernel.SetCurSel(bNowKernelSel);
+				m_ListKernelCtrl.SetFocus();
+				Sleep(50);
+				return;
+			}
+
+			bNowKernelSel = nCurSel;
+
+			m_KernelNameList.ShowWindow(TRUE);
+
+			HsSendStatusDetail(L"ÄÚºËº¯ÊýÕýÔÚ¼ÓÔØ...");
+
+			HsInitKernelFuncList(&m_KernelNameList, &m_ListKernelCtrl);
+
+			m_KernelNameList.SetCurSel(0);
+
+			OnLbnSelchangeListKrnlname();
+
+			break;
+		}
+
+	case HS_KERNEL_KRNLIAT:
+		{
+			if (bIsChecking == TRUE || bNowKernelSel == HS_KERNEL_KRNLIAT)	//
+			{
+				m_ListKernel.SetCurSel(bNowKernelSel);
+				m_ListKernelCtrl.SetFocus();
+				Sleep(50);
+				return;
+			}
+
+			bNowKernelSel = nCurSel;
+
+			m_KernelNameList.ShowWindow(TRUE);
+
+			HsSendStatusDetail(L"ÄÚºËµ¼Èë±íÕýÔÚ¼ÓÔØ...");
+
+			HsInitKernelFileList(&m_KernelNameList, &m_ListKernelCtrl);
+
+// 			m_KernelNameList.SetCurSel(0);
+// 
+// 			OnLbnSelchangeListKrnlname();
+
+			break;
+		}
+	case HS_KERNEL_KRNLEAT:
+		{
+			if (bIsChecking == TRUE || bNowKernelSel == HS_KERNEL_KRNLEAT)	//
+			{
+				m_ListKernel.SetCurSel(bNowKernelSel);
+				m_ListKernelCtrl.SetFocus();
+				Sleep(50);
+				return;
+			}
+
+			bNowKernelSel = nCurSel;
+
+			m_KernelNameList.ShowWindow(TRUE);
+
+			HsSendStatusDetail(L"ÄÚºËµ¼Èë±íÕýÔÚ¼ÓÔØ...");
+
+			HsInitKernelFileList(&m_KernelNameList, &m_ListKernelCtrl);
+
+// 			m_KernelNameList.SetCurSel(0);
+// 
+// 			OnLbnSelchangeListKrnlname();
+
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+
+	m_ListKernelCtrl.SetFocus();
+}
+
+
+void CKernelDlg::OnNMCustomdrawListKernelCtrl(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	NMLVCUSTOMDRAW* pLVCD = reinterpret_cast<NMLVCUSTOMDRAW*>( pNMHDR );
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	*pResult = CDRF_DODEFAULT;
+
+	if ( CDDS_PREPAINT == pLVCD->nmcd.dwDrawStage )
+	{
+		*pResult = CDRF_NOTIFYITEMDRAW;
+	}
+	else if ( CDDS_ITEMPREPAINT == pLVCD->nmcd.dwDrawStage )
+	{
+		*pResult = CDRF_NOTIFYSUBITEMDRAW;
+	}
+	else if ( (CDDS_ITEMPREPAINT | CDDS_SUBITEM) == pLVCD->nmcd.dwDrawStage )
+	{
+		COLORREF clrNewTextColor, clrNewBkColor;
+		int bHooked = 0;
+		int nItem = static_cast<int>( pLVCD->nmcd.dwItemSpec );
+
+		clrNewTextColor = RGB( 0, 0, 0 );
+		clrNewBkColor = RGB( 255, 255, 255 );
+
+		bHooked = (int)m_ListKernelCtrl.GetItemData(nItem); 		
+		if (bHooked == 1)
+		{
+			clrNewTextColor = RGB( 255, 0, 0 );
+		}
+
+		pLVCD->clrText = clrNewTextColor;
+		pLVCD->clrTextBk = clrNewBkColor;
+
+		*pResult = CDRF_DODEFAULT;
+	}
+
+}
+
+
+
+
+void CKernelDlg::OnNMRClickListKernelCtrl(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	CMenu	popup;
+	CPoint	p;
+
+	switch(bNowKernelSel)
+	{
+	case HS_KERNEL_SSDT:
+		{
+			popup.LoadMenu(IDR_MENU_KERNEL_SSDT);			//¼ÓÔØ²Ëµ¥×ÊÔ´
+			CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+			GetCursorPos(&p);
+			int	count = pM->GetMenuItemCount();
+			if (m_ListKernelCtrl.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+			{ 
+				for (int i = 0;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			POSITION pos = m_ListKernelCtrl.GetFirstSelectedItemPosition();
+
+			while (pos)
+			{
+				int nItem = m_ListKernelCtrl.GetNextSelectedItem(pos);
+
+				if (_wcsnicmp(L"Õý³£",m_ListKernelCtrl.GetItemText(nItem,5),wcslen(L"Õý³£"))==0)
+				{
+					pM->EnableMenuItem(ID_MENU_SSDT_RESUME, MF_BYCOMMAND | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+			break;
+		}
+	case HS_KERNEL_SSSDT:
+		{
+			popup.LoadMenu(IDR_MENU_KERNEL_SSDT);			//¼ÓÔØ²Ëµ¥×ÊÔ´
+			CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+			GetCursorPos(&p);
+			int	count = pM->GetMenuItemCount();
+			if (m_ListKernelCtrl.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+			{ 
+				for (int i = 0;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+
+			}
+
+			POSITION pos = m_ListKernelCtrl.GetFirstSelectedItemPosition();
+
+			while (pos)
+			{
+				int nItem = m_ListKernelCtrl.GetNextSelectedItem(pos);
+
+				if (_wcsnicmp(L"Õý³£",m_ListKernelCtrl.GetItemText(nItem,5),wcslen(L"Õý³£"))==0)
+				{
+					pM->EnableMenuItem(ID_MENU_SSDT_RESUME, MF_BYCOMMAND | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+
+
+	*pResult = 0;
+}
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+void CKernelDlg::OnMenuSsdtRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	switch(bNowKernelSel)
+	{
+	case HS_KERNEL_SSDT:
+		{
+			bNowKernelSel = 255;
+
+			m_ListKernel.SetCurSel(HS_KERNEL_SSDT);
+
+			OnSelchangeListKernel();
+			break;
+		}
+	case HS_KERNEL_SSSDT:
+		{
+			bNowKernelSel = 255;
+
+			m_ListKernel.SetCurSel(HS_KERNEL_SSSDT);
+
+			OnSelchangeListKernel();
+			break;
+		}
+	}
+
+
+}
+
+void CKernelDlg::OnMenuSsdtResume()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	switch(bNowKernelSel)
+	{
+	case HS_KERNEL_SSDT:
+		{
+			HsResumeSSDTHook(&m_ListKernelCtrl);
+			break;
+		}
+	case HS_KERNEL_SSSDT:
+		{
+			break;
+		}
+	}
+}
+
+
+void CKernelDlg::OnLbnSelchangeListKrnlname()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	switch(bNowKernelSel)
+	{
+	case HS_KERNEL_KRNLFUNC:
+		{
+			SelchangeListKrnlFunc(&m_KernelNameList, &m_ListKernelCtrl);
+			break;
+		}
+	case HS_KERNEL_KRNLIAT:
+		{
+			SelchangeListKrnlIAT(&m_KernelNameList, &m_ListKernelCtrl);
+			break;
+		}
+	case HS_KERNEL_KRNLEAT:
+		{
+			SelchangeListKrnlEAT(&m_KernelNameList, &m_ListKernelCtrl);
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+
+	m_ListKernelCtrl.SetFocus();
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/KernelDlg.h b/arkProject/HeavenShadow/HeavenShadow/KernelDlg.h
new file mode 100644
index 0000000..c574f3d
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/KernelDlg.h
@@ -0,0 +1,41 @@
+#pragma once
+#include "afxwin.h"
+#include "afxcmn.h"
+
+// CKernelDlg ¶Ô»°¿ò
+
+class CKernelDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CKernelDlg)
+
+public:
+	CKernelDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CKernelDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_KERNEL };
+
+	CWnd* m_wParent;
+
+	CImageList m_TreeKernelImageList;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	virtual BOOL OnInitDialog();
+	afx_msg void OnPaint();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	void InitKernelList(void);
+	CListBox m_ListKernel;
+	CListCtrl m_ListKernelCtrl;
+	afx_msg void OnSelchangeListKernel();
+	afx_msg void OnNMCustomdrawListKernelCtrl(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuSsdtRefresh();
+	afx_msg void OnNMRClickListKernelCtrl(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuSsdtResume();
+	CListBox m_KernelNameList;
+	afx_msg void OnLbnSelchangeListKrnlname();
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/KernelFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/KernelFunc.cpp
new file mode 100644
index 0000000..30551d9
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/KernelFunc.cpp
@@ -0,0 +1,1225 @@
+#include "stdafx.h"
+#include "KernelFunc.h"
+#include "Common.h"
+#include "SSDTFunc.h"
+#include "ProcessFunc.h"
+#include "ModuleFunc.h"
+#include <vector>
+
+using namespace std;
+
+BOOL bNowSelKernelFile = 255;
+
+extern BOOL bIsChecking;
+
+extern HANDLE g_hDevice;
+extern vector<DRIVER_INFO> m_DriverList;
+
+
+COLUMNSTRUCT g_Column_KernelFunc[] = 
+{
+	{	L"ÐòºÅ",					50	},
+	{	L"º¯ÊýÃû³Æ",				205	},
+	{	L"º¯Êýµ±Ç°µØÖ·",			135	},
+	{	L"º¯ÊýÔ­µØÖ·",			135	},
+	{	L"Ä£¿éÎÄ¼þ",				115	},
+	{	L"×´Ì¬",					85	}
+};
+
+UINT g_Column_KernelFunc_Count  = 6;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+void HsInitKernelFuncList(CListBox* m_ListBox, CListCtrl* m_ListCtrl)
+{
+	if (m_ListBox->GetCount())
+	{
+		while(m_ListBox->DeleteString(0));
+	}
+	
+
+	m_ListBox->AddString(L"ntoskrnl.exe [IAT]");
+	m_ListBox->InsertString(HS_KERNEL_KERNELFILE_NTOSKRNL_EAT,L"ntoskrnl.exe [EAT]");
+	m_ListBox->InsertString(HS_KERNEL_KERNELFILE_WIN32K_IAT,L"win32k.sys [IAT]");
+	m_ListBox->InsertString(HS_KERNEL_KERNELFILE_WIN32K_EAT,L"win32k.sys [EAT]");
+	m_ListBox->InsertString(HS_KERNEL_KERNELFILE_HALDLL_IAT,L"hal.dll [IAT]");
+	m_ListBox->InsertString(HS_KERNEL_KERNELFILE_HALDLL_EAT,L"hal.dll [EAT]");
+
+	m_ListCtrl->DeleteAllItems();
+	while(m_ListCtrl->DeleteColumn(0));
+
+	//////////////////////////////////////////////////////////////////////////
+
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_KernelFunc_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_KernelFunc[i].szTitle,LVCFMT_LEFT,(int)(g_Column_KernelFunc[i].nWidth*(dpix/96.0)));
+	}
+
+	bNowSelKernelFile = 255;
+}
+
+
+void HsInitKernelFileList(CListBox* m_ListBox, CListCtrl* m_ListCtrl)
+{
+	if (m_ListBox->GetCount())
+	{
+		while(m_ListBox->DeleteString(0));
+	}
+
+	m_ListCtrl->DeleteAllItems();
+	while(m_ListCtrl->DeleteColumn(0));
+
+	//////////////////////////////////////////////////////////////////////////
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_KernelFunc_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_KernelFunc[i].szTitle,LVCFMT_LEFT,(int)(g_Column_KernelFunc[i].nWidth*(dpix/96.0)));
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+
+	m_DriverList.clear();
+
+	BOOL bRet = FALSE;
+
+	bRet = EnumDriver();
+
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"ÄÚºËµ¼Èë±í¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+
+	i = 0;
+
+	CString ModuleName;
+
+	for (vector<DRIVER_INFO>::iterator itor = m_DriverList.begin(); 
+		itor != m_DriverList.end(); 
+		itor++)
+	{
+		ModuleName = wcsrchr(itor->wzDriverPath,L'\\');
+
+		ModuleName = ModuleName.GetBuffer()+1;
+
+		if (i==0)
+		{
+			m_ListBox->AddString(ModuleName);
+		}
+		else if (wcslen(itor->wzDriverPath)>0)
+		{
+			m_ListBox->InsertString(i,ModuleName);
+		}
+		i++;
+		
+	}
+
+	bNowSelKernelFile = 255;
+}
+
+
+void SelchangeListKrnlIAT(CListBox* m_ListBox,  CListCtrl* m_ListCtrl)
+{
+	HsSendStatusTip(L"ÄÚºËº¯Êý");
+
+	int nCurSel = m_ListBox->GetCurSel();
+
+	if (bIsChecking == TRUE || bNowSelKernelFile == nCurSel)	//
+	{
+		m_ListBox->SetCurSel(bNowSelKernelFile);
+		m_ListCtrl->SetFocus();
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	bNowSelKernelFile = nCurSel;
+
+	CString ModuleFile;
+
+	m_ListBox->GetText(m_ListBox->GetCurSel(), ModuleFile);
+
+	CString DetailContext;
+	DetailContext.Format(L"%sµÄIATÕýÔÚ¼ÓÔØ...",ModuleFile.GetBuffer());
+
+	HsSendStatusDetail(DetailContext);
+
+	//////////////////////////////////////////////////////////////////////////
+
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_IAT IAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (IAT)
+		{
+			free(IAT);
+			IAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_IAT) + ulCount * sizeof(IAT_INFO);
+
+		IAT = (PMODULE_IAT)malloc(ulSize);
+		if (!IAT)
+		{
+			break;
+		}
+
+		memset(IAT,0,ulSize);
+
+		CStringA ModuleFileA(ModuleFile);
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLIAT),
+			ModuleFileA.GetBuffer(),
+			ModuleFileA.GetLength(),
+			IAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = IAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && IAT)
+	{
+		for (ULONG i = 0; i < IAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(IAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",IAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",IAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(IAT->Data[i].szModuleName);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (IAT->Data[i].CurFuncAddress == IAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"%sµÄIATÕýÔÚ¼ÓÔØ¡£ IATº¯Êý£º%d",ModuleFile,i);
+			HsSendStatusDetail(StatusBarContext);
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"%sµÄIAT¼ÓÔØÍê³É¡£ IATº¯Êý£º%d",ModuleFile,IAT->ulCount);
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		CString StatusBarContext;
+		StatusBarContext.Format(L"%sµÄIAT¼ÓÔØÊ§°Ü¡£",ModuleFile);
+		HsSendStatusDetail(ModuleFile);
+	}
+
+	if (IAT)
+	{
+		free(IAT);
+		IAT = NULL;
+	}
+
+	bIsChecking = FALSE;
+
+}
+
+
+void SelchangeListKrnlEAT(CListBox* m_ListBox,  CListCtrl* m_ListCtrl)
+{
+	HsSendStatusTip(L"ÄÚºËº¯Êý");
+
+	int nCurSel = m_ListBox->GetCurSel();
+
+	if (bIsChecking == TRUE || bNowSelKernelFile == nCurSel)	//
+	{
+		m_ListBox->SetCurSel(bNowSelKernelFile);
+		m_ListCtrl->SetFocus();
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	bNowSelKernelFile = nCurSel;
+
+	CString ModuleFile;
+
+	m_ListBox->GetText(m_ListBox->GetCurSel(), ModuleFile);
+
+	CString DetailContext;
+	DetailContext.Format(L"%sµÄEATÕýÔÚ¼ÓÔØ...",ModuleFile.GetBuffer());
+
+	HsSendStatusDetail(DetailContext);
+
+	//////////////////////////////////////////////////////////////////////////
+
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_EAT EAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (EAT)
+		{
+			free(EAT);
+			EAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_EAT) + ulCount * sizeof(EAT_INFO);
+
+		EAT = (PMODULE_EAT)malloc(ulSize);
+		if (!EAT)
+		{
+			break;
+		}
+
+		memset(EAT,0,ulSize);
+
+		CStringA ModuleFileA(ModuleFile);
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLEAT),
+			ModuleFileA.GetBuffer(),
+			ModuleFileA.GetLength(),
+			EAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = EAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && EAT)
+	{
+		for (ULONG i = 0; i < EAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(EAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",EAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",EAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(ModuleFile);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (EAT->Data[i].CurFuncAddress == EAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"%sµÄEATÕýÔÚ¼ÓÔØ¡£ EATº¯Êý£º%d",ModuleFile,i);
+			HsSendStatusDetail(StatusBarContext);
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"%sµÄEAT¼ÓÔØÍê³É¡£ EATº¯Êý£º%d",ModuleFile,EAT->ulCount);
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		CString StatusBarContext;
+		StatusBarContext.Format(L"%sµÄEAT¼ÓÔØÊ§°Ü¡£",ModuleFile);
+		HsSendStatusDetail(ModuleFile);
+	}
+
+	if (EAT)
+	{
+		free(EAT);
+		EAT = NULL;
+	}
+
+	bIsChecking = FALSE;
+
+}
+
+
+void SelchangeListKrnlFunc(CListBox* m_ListBox, CListCtrl* m_ListCtrl)
+{
+	HsSendStatusTip(L"ÄÚºËº¯Êý");
+
+	int nCurSel = m_ListBox->GetCurSel();
+
+	switch (nCurSel)
+	{
+	case HS_KERNEL_KERNELFILE_NTOSKRNL_IAT:
+		{
+			if (bIsChecking == TRUE || bNowSelKernelFile == HS_KERNEL_KERNELFILE_NTOSKRNL_IAT)	//
+			{
+				m_ListBox->SetCurSel(bNowSelKernelFile);
+				m_ListCtrl->SetFocus();
+				return;
+			}
+
+			bIsChecking = TRUE;
+
+			bNowSelKernelFile = nCurSel;
+
+			//////////////////////////////////////////////////////////////////////////
+
+			HsSendStatusDetail(L"ntoskrnl.exeµÄIATÕýÔÚ¼ÓÔØ...");
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsEnumKernelFuncNameNtoskrnlIAT,m_ListCtrl, 0,NULL)
+				);
+
+			//HsEnumKernelFuncNameNtoskrnlIAT(m_ListCtrl);
+
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_NTOSKRNL_EAT:
+		{
+			if (bIsChecking == TRUE || bNowSelKernelFile == HS_KERNEL_KERNELFILE_NTOSKRNL_EAT)	//
+			{
+				m_ListBox->SetCurSel(bNowSelKernelFile);
+				m_ListCtrl->SetFocus();
+				return;
+			}
+
+			bIsChecking = TRUE;
+
+			bNowSelKernelFile = nCurSel;
+
+			//////////////////////////////////////////////////////////////////////////
+
+			HsSendStatusDetail(L"ntoskrnl.exeµÄEATÕýÔÚ¼ÓÔØ...");
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsEnumKernelFuncNameNtoskrnlEAT,m_ListCtrl, 0,NULL)
+				);
+
+			//HsEnumKernelFuncNameNtoskrnlEAT(m_ListCtrl);
+
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_WIN32K_IAT:
+		{
+			if (bIsChecking == TRUE || bNowSelKernelFile == HS_KERNEL_KERNELFILE_WIN32K_IAT)	//
+			{
+				m_ListBox->SetCurSel(bNowSelKernelFile);
+				m_ListCtrl->SetFocus();
+				return;
+			}
+
+			bIsChecking = TRUE;
+
+			bNowSelKernelFile = nCurSel;
+
+			//////////////////////////////////////////////////////////////////////////
+
+			HsSendStatusDetail(L"ntoskrnl.exeµÄIATÕýÔÚ¼ÓÔØ...");
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsEnumKernelFuncNameWin32kIAT,m_ListCtrl, 0,NULL)
+				);
+
+			//HsEnumKernelFuncNameWin32kIAT(m_ListCtrl);
+
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_WIN32K_EAT:
+		{
+			if (bIsChecking == TRUE || bNowSelKernelFile == HS_KERNEL_KERNELFILE_WIN32K_EAT)	//
+			{
+				m_ListBox->SetCurSel(bNowSelKernelFile);
+				m_ListCtrl->SetFocus();
+				return;
+			}
+
+			bIsChecking = TRUE;
+
+			bNowSelKernelFile = nCurSel;
+
+			//////////////////////////////////////////////////////////////////////////
+
+			HsSendStatusDetail(L"ntoskrnl.exeµÄEATÕýÔÚ¼ÓÔØ...");
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsEnumKernelFuncNameWin32kEAT,m_ListCtrl, 0,NULL)
+				);
+
+			//HsEnumKernelFuncNameWin32kEAT(m_ListCtrl);
+
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_HALDLL_IAT:
+		{
+			if (bIsChecking == TRUE || bNowSelKernelFile == HS_KERNEL_KERNELFILE_HALDLL_IAT)	//
+			{
+				m_ListBox->SetCurSel(bNowSelKernelFile);
+				m_ListCtrl->SetFocus();
+				return;
+			}
+
+			bIsChecking = TRUE;
+
+			bNowSelKernelFile = nCurSel;
+
+			//////////////////////////////////////////////////////////////////////////
+
+			HsSendStatusDetail(L"hal.dllµÄIATÕýÔÚ¼ÓÔØ...");
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsEnumKernelFuncNameHaldllIAT,m_ListCtrl, 0,NULL)
+				);
+
+			//HsEnumKernelFuncNameHaldllIAT(m_ListCtrl);
+
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_HALDLL_EAT:
+		{
+			if (bIsChecking == TRUE || bNowSelKernelFile == HS_KERNEL_KERNELFILE_HALDLL_EAT)	//
+			{
+				m_ListBox->SetCurSel(bNowSelKernelFile);
+				m_ListCtrl->SetFocus();
+				return;
+			}
+
+			bIsChecking = TRUE;
+
+			bNowSelKernelFile = nCurSel;
+
+			//////////////////////////////////////////////////////////////////////////
+
+			HsSendStatusDetail(L"hal.dllµÄEATÕýÔÚ¼ÓÔØ...");
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsEnumKernelFuncNameHaldllEAT,m_ListCtrl, 0,NULL)
+				);
+
+			//HsEnumKernelFuncNameHaldllEAT(m_ListCtrl);
+
+			break;
+		}
+	}
+
+}
+
+
+
+void HsEnumKernelFuncNameNtoskrnlIAT(CListCtrl* m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_IAT IAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (IAT)
+		{
+			free(IAT);
+			IAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_IAT) + ulCount * sizeof(IAT_INFO);
+
+		IAT = (PMODULE_IAT)malloc(ulSize);
+		if (!IAT)
+		{
+			break;
+		}
+
+		memset(IAT,0,ulSize);
+
+		int KernelFile = HS_KERNEL_KERNELFILE_NTOSKRNL_IAT;
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLFILE),
+			&KernelFile,
+			sizeof(int),
+			IAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = IAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && IAT)
+	{
+		for (ULONG i = 0; i < IAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(IAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",IAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",IAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(IAT->Data[i].szModuleName);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (IAT->Data[i].CurFuncAddress == IAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"ntoskrnl.exeµÄIATÕýÔÚ¼ÓÔØ¡£ IATº¯Êý£º%d",i);
+
+			HsSendStatusDetail(StatusBarContext);
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"ntoskrnl.exeµÄIAT¼ÓÔØÍê³É¡£ IATº¯Êý£º%d",IAT->ulCount);
+
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		HsSendStatusDetail(L"ntoskrnl.exeµÄIAT¼ÓÔØÊ§°Ü¡£");
+	}
+	//m_strIATCount.Format(L"%d",IAT->ulCount);
+	if (IAT)
+	{
+		free(IAT);
+		IAT = NULL;
+	}
+
+	
+	bIsChecking = FALSE;
+}
+
+
+void HsEnumKernelFuncNameNtoskrnlEAT(CListCtrl* m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_EAT EAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	CString ModuleFile(L"ntoskrnl.exe");
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (EAT)
+		{
+			free(EAT);
+			EAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_EAT) + ulCount * sizeof(EAT_INFO);
+
+		EAT = (PMODULE_EAT)malloc(ulSize);
+		if (!EAT)
+		{
+			break;
+		}
+
+		memset(EAT,0,ulSize);
+
+		int KernelFile = HS_KERNEL_KERNELFILE_NTOSKRNL_EAT;
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLFILE),
+			&KernelFile,
+			sizeof(int),
+			EAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = EAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && EAT)
+	{
+		for (ULONG i = 0; i < EAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(EAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",EAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",EAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(ModuleFile);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (EAT->Data[i].CurFuncAddress == EAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"ntoskrnl.exeµÄEATÕýÔÚ¼ÓÔØ¡£ EATº¯Êý£º%d",i);
+
+			HsSendStatusDetail(StatusBarContext);
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"ntoskrnl.exeµÄEAT¼ÓÔØÍê³É¡£ EATº¯Êý£º%d",EAT->ulCount);
+
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		HsSendStatusDetail(L"ntoskrnl.exeµÄEAT¼ÓÔØÊ§°Ü¡£");
+	}
+	//m_strEATCount.Format(L"%d",EAT->ulCount);
+	if (EAT)
+	{
+		free(EAT);
+		EAT = NULL;
+	}
+
+	
+	bIsChecking = FALSE;
+}
+
+
+void HsEnumKernelFuncNameWin32kIAT(CListCtrl* m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_IAT IAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (IAT)
+		{
+			free(IAT);
+			IAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_IAT) + ulCount * sizeof(IAT_INFO);
+
+		IAT = (PMODULE_IAT)malloc(ulSize);
+		if (!IAT)
+		{
+			break;
+		}
+
+		memset(IAT,0,ulSize);
+
+		int KernelFile = HS_KERNEL_KERNELFILE_WIN32K_IAT;
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLFILE),
+			&KernelFile,
+			sizeof(int),
+			IAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = IAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && IAT)
+	{
+		for (ULONG i = 0; i < IAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(IAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",IAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",IAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(IAT->Data[i].szModuleName);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (IAT->Data[i].CurFuncAddress == IAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"win32k.sysµÄIATÕýÔÚ¼ÓÔØ¡£ IATº¯Êý£º%d",i);
+
+			HsSendStatusDetail(StatusBarContext);
+
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"win32k.sysµÄIAT¼ÓÔØÍê³É¡£ IATº¯Êý£º%d",IAT->ulCount);
+
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		HsSendStatusDetail(L"win32k.sysµÄIAT¼ÓÔØÊ§°Ü¡£");
+	}
+	//m_strIATCount.Format(L"%d",IAT->ulCount);
+	if (IAT)
+	{
+		free(IAT);
+		IAT = NULL;
+	}
+
+	
+	bIsChecking = FALSE;
+}
+
+
+void HsEnumKernelFuncNameWin32kEAT(CListCtrl* m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_EAT EAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	CString ModuleFile(L"win32k.sys");
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (EAT)
+		{
+			free(EAT);
+			EAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_EAT) + ulCount * sizeof(EAT_INFO);
+
+		EAT = (PMODULE_EAT)malloc(ulSize);
+		if (!EAT)
+		{
+			break;
+		}
+
+		memset(EAT,0,ulSize);
+
+		int KernelFile = HS_KERNEL_KERNELFILE_WIN32K_EAT;
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLFILE),
+			&KernelFile,
+			sizeof(int),
+			EAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = EAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && EAT)
+	{
+		for (ULONG i = 0; i < EAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(EAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",EAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",EAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(ModuleFile);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (EAT->Data[i].CurFuncAddress == EAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"win32k.sysµÄEATÕýÔÚ¼ÓÔØ¡£ EATº¯Êý£º%d",i);
+
+			HsSendStatusDetail(StatusBarContext);
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"win32k.sysµÄEAT¼ÓÔØÍê³É¡£ EATº¯Êý£º%d",EAT->ulCount);
+
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		HsSendStatusDetail(L"win32k.sysµÄEAT¼ÓÔØÊ§°Ü¡£");
+	}
+
+	if (EAT)
+	{
+		free(EAT);
+		EAT = NULL;
+	}
+
+	bIsChecking = FALSE;
+}
+
+void HsEnumKernelFuncNameHaldllIAT(CListCtrl* m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_IAT IAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (IAT)
+		{
+			free(IAT);
+			IAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_IAT) + ulCount * sizeof(IAT_INFO);
+
+		IAT = (PMODULE_IAT)malloc(ulSize);
+		if (!IAT)
+		{
+			break;
+		}
+
+		memset(IAT,0,ulSize);
+
+		int KernelFile = HS_KERNEL_KERNELFILE_HALDLL_IAT;
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLFILE),
+			&KernelFile,
+			sizeof(int),
+			IAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = IAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && IAT)
+	{
+		for (ULONG i = 0; i < IAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(IAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",IAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",IAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(IAT->Data[i].szModuleName);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (IAT->Data[i].CurFuncAddress == IAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"hal.dllµÄIATÕýÔÚ¼ÓÔØ¡£ IATº¯Êý£º%d",i);
+
+			HsSendStatusDetail(StatusBarContext);
+
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"hal.dllµÄIAT¼ÓÔØÍê³É¡£ IATº¯Êý£º%d",IAT->ulCount);
+
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		HsSendStatusDetail(L"hal.dllµÄIAT¼ÓÔØÊ§°Ü¡£");
+	}
+	//m_strIATCount.Format(L"%d",IAT->ulCount);
+	if (IAT)
+	{
+		free(IAT);
+		IAT = NULL;
+	}
+
+
+	bIsChecking = FALSE;
+}
+
+void HsEnumKernelFuncNameHaldllEAT(CListCtrl* m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bOk = FALSE;
+
+	ULONG_PTR   ulCount = 0x1000;
+	PMODULE_EAT EAT = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	CString ModuleFile(L"hal.dll");
+
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (EAT)
+		{
+			free(EAT);
+			EAT = NULL;
+		}
+
+		ulSize = sizeof(MODULE_EAT) + ulCount * sizeof(EAT_INFO);
+
+		EAT = (PMODULE_EAT)malloc(ulSize);
+		if (!EAT)
+		{
+			break;
+		}
+
+		memset(EAT,0,ulSize);
+
+		int KernelFile = HS_KERNEL_KERNELFILE_HALDLL_EAT;
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_KRNLFILE),
+			&KernelFile,
+			sizeof(int),
+			EAT,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = EAT->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && EAT)
+	{
+		for (ULONG i = 0; i < EAT->ulCount; i++)
+		{
+			CString strIndex;
+			strIndex.Format(L"%d",i+1);
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(), strIndex);
+
+			CString strFuncName(EAT->Data[i].szFunctionName);
+			m_ListCtrl->SetItemText(n, 1, strFuncName);
+
+			CString strCurFuncAddress;
+			strCurFuncAddress.Format(L"0x%p",EAT->Data[i].CurFuncAddress);
+			m_ListCtrl->SetItemText(n, 2, strCurFuncAddress);
+
+			CString strOriFuncAddress;
+			strOriFuncAddress.Format(L"0x%p",EAT->Data[i].OriFuncAddress);
+			m_ListCtrl->SetItemText(n, 3, strOriFuncAddress);
+
+			CString strModuleName(ModuleFile);
+			m_ListCtrl->SetItemText(n, 4, strModuleName);
+
+			CString strFuncStatus;
+			if (EAT->Data[i].CurFuncAddress == EAT->Data[i].OriFuncAddress)
+			{
+				strFuncStatus = L"Õý³£";
+			}
+			else
+			{
+				strFuncStatus = L"Hooked";
+				m_ListCtrl->SetItemData(n,1);
+			}
+			m_ListCtrl->SetItemText(n, 5, strFuncStatus);
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"hal.dllµÄEATÕýÔÚ¼ÓÔØ¡£ EATº¯Êý£º%d",i);
+
+			HsSendStatusDetail(StatusBarContext);
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"hal.dllµÄEAT¼ÓÔØÍê³É¡£ EATº¯Êý£º%d",EAT->ulCount);
+
+		HsSendStatusDetail(StatusBarContext);
+
+		bOk = TRUE;
+	}
+	else
+	{
+		HsSendStatusDetail(L"hal.dllµÄEAT¼ÓÔØÊ§°Ü¡£");
+	}
+
+	if (EAT)
+	{
+		free(EAT);
+		EAT = NULL;
+	}
+
+	bIsChecking = FALSE;
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/KernelFunc.h b/arkProject/HeavenShadow/HeavenShadow/KernelFunc.h
new file mode 100644
index 0000000..5da49f3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/KernelFunc.h
@@ -0,0 +1,79 @@
+#pragma once
+#include "stdafx.h"
+
+
+//////////////////////////////////////////////////////////////////////////
+
+enum HS_KERNEL_KERNELFILE
+{
+	HS_KERNEL_KERNELFILE_NTOSKRNL_IAT,
+	HS_KERNEL_KERNELFILE_NTOSKRNL_EAT,
+	HS_KERNEL_KERNELFILE_WIN32K_IAT,
+	HS_KERNEL_KERNELFILE_WIN32K_EAT,
+	HS_KERNEL_KERNELFILE_HALDLL_IAT,
+	HS_KERNEL_KERNELFILE_HALDLL_EAT,
+};
+
+//////////////////////////////////////////////////////////////////////////
+
+#define MAX_NAME 60
+
+typedef struct _IAT_INFO_
+{
+	ULONG_PTR CurFuncAddress;
+	ULONG_PTR OriFuncAddress;
+	CHAR  szFunctionName[MAX_NAME];
+	CHAR  szModuleName[MAX_NAME];
+}IAT_INFO, *PIAT_INFO;
+
+typedef struct _MODULE_IAT_
+{
+	ULONG_PTR ulCount;
+	IAT_INFO  Data[1];
+}MODULE_IAT, *PMODULE_IAT;
+
+typedef struct _EAT_INFO_
+{
+	ULONG_PTR CurFuncAddress;
+	ULONG_PTR OriFuncAddress;
+	CHAR  szFunctionName[MAX_NAME];
+}EAT_INFO, *PEAT_INFO;
+
+typedef struct _MODULE_EAT_
+{
+	ULONG_PTR ulCount;
+	EAT_INFO  Data[1];
+}MODULE_EAT, *PMODULE_EAT;
+
+
+
+void HsInitKernelFuncList(CListBox* m_ListBox, CListCtrl* m_ListCtrl);
+
+void HsInitKernelFileList(CListBox* m_ListBox, CListCtrl* m_ListCtrl);
+
+void SelchangeListKrnlFunc(CListBox* m_ListBox,  CListCtrl* m_ListCtrl);
+
+void SelchangeListKrnlIAT(CListBox* m_ListBox,  CListCtrl* m_ListCtrl);
+void SelchangeListKrnlEAT(CListBox* m_ListBox,  CListCtrl* m_ListCtrl);
+
+void HsEnumKernelFuncNameNtoskrnlIAT(CListCtrl* m_ListCtrl);
+
+void HsEnumKernelFuncNameWin32kIAT(CListCtrl* m_ListCtrl);
+
+void HsEnumKernelFuncNameHaldllIAT(CListCtrl* m_ListCtrl);
+
+//////////////////////////////////////////////////////////////////////////
+
+void HsEnumKernelFuncNameNtoskrnlEAT(CListCtrl* m_ListCtrl);
+
+void HsEnumKernelFuncNameWin32kEAT(CListCtrl* m_ListCtrl);
+
+void HsEnumKernelFuncNameHaldllEAT(CListCtrl* m_ListCtrl);
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/LoadSys.cpp b/arkProject/HeavenShadow/HeavenShadow/LoadSys.cpp
new file mode 100644
index 0000000..365aa27
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/LoadSys.cpp
@@ -0,0 +1,298 @@
+#include "stdafx.h"
+#include "LoadSys.h"
+#include <windows.h>
+#include <winsvc.h>
+
+#include "resource.h"
+
+#include "Common.h"
+
+BOOL ExtractFile(void)
+{
+	HMODULE hLibrary;
+	HRSRC hResource;
+
+	HGLOBAL hResourceLoaded;
+
+	LPBYTE lpBuffer;
+
+	WCHAR wzTempDir[MAX_PATH] = {0};
+
+	CString SysFilePath;
+
+	GetEnvironmentVariableW(L"TEMP",wzTempDir,MAX_PATH);
+
+	SysFilePath = wzTempDir;
+
+	SysFilePath += L"\\HeavenShadowDrv.sys";
+
+
+	if (HsIs64BitWindows())
+	{
+		hResource = ::FindResourceW(AfxGetResourceHandle(), MAKEINTRESOURCE(IDR_SYSDRIVER64),L"SYSDRIVER");
+	}
+	else
+	{
+		hResource = ::FindResourceW(AfxGetResourceHandle(), MAKEINTRESOURCE(IDR_SYSDRIVER32),L"SYSDRIVER");
+	}
+
+
+
+	if (NULL != hResource)
+	{
+		hResourceLoaded = LoadResource(NULL,hResource);
+
+		if (NULL != hResourceLoaded)
+		{
+			lpBuffer = (LPBYTE)LockResource(hResourceLoaded);
+
+			if (NULL != lpBuffer)
+			{
+				DWORD dwFileSize, dwBytesWritten;
+
+				HANDLE hFile;
+
+				dwFileSize = SizeofResource(NULL,hResource);
+
+				hFile = CreateFile(SysFilePath.GetBuffer(),GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
+
+				if (INVALID_HANDLE_VALUE != hFile)
+				{
+					WriteFile(hFile,lpBuffer,dwFileSize,&dwBytesWritten,NULL);
+
+					CloseHandle(hFile);
+
+					HsLoadNTDriver(HS_DRIVER_NAME,SysFilePath.GetBuffer());
+
+					DeleteFile(SysFilePath.GetBuffer());
+
+					return TRUE;
+				}
+			}
+		}
+	}
+	return FALSE;
+}
+
+
+//×°ÔØNTÇý¶¯³ÌÐò
+BOOL HsLoadNTDriver(WCHAR* lpszDriverName,WCHAR* lpszDriverPath)
+{
+
+	WCHAR szDriverImagePath[256];
+
+	//µÃµ½ÍêÕûµÄÇý¶¯Â·¾¶
+	GetFullPathNameW(lpszDriverPath, 256, szDriverImagePath, NULL);
+
+	BOOL bRet = FALSE;
+	SC_HANDLE hServiceMgr=NULL;//SCM¹ÜÀíÆ÷µÄ¾ä±ú
+	SC_HANDLE hServiceDDK=NULL;//NTÇý¶¯³ÌÐòµÄ·þÎñ¾ä±ú
+
+	//´ò¿ª·þÎñ¿ØÖÆ¹ÜÀíÆ÷
+	hServiceMgr = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );
+
+	if( hServiceMgr == NULL )
+	{
+		//OpenSCManagerÊ§°Ü
+		printf( "OpenSCManager() Faild %d ! \n", GetLastError() );
+		bRet = FALSE;
+		goto BeforeLeave;
+	}
+	else
+	{
+		////OpenSCManager³É¹¦
+		printf( "OpenSCManager() ok ! \n" );
+	}
+
+	//´´½¨Çý¶¯Ëù¶ÔÓ¦µÄ·þÎñ
+	hServiceDDK = CreateServiceW( hServiceMgr,
+		lpszDriverName,        // Çý¶¯³ÌÐòµÄÔÚ×¢²á±íÖÐµÄÃû×Ö
+		lpszDriverName,        // ×¢²á±íÇý¶¯³ÌÐòµÄ DisplayName Öµ
+		SERVICE_ALL_ACCESS,    // ¼ÓÔØÇý¶¯³ÌÐòµÄ·ÃÎÊÈ¨ÏÞ
+		SERVICE_KERNEL_DRIVER, // ±íÊ¾¼ÓÔØµÄ·þÎñÊÇÇý¶¯³ÌÐò
+		SERVICE_DEMAND_START,  // ×¢²á±íÇý¶¯³ÌÐòµÄ Start Öµ
+		SERVICE_ERROR_IGNORE,  // ×¢²á±íÇý¶¯³ÌÐòµÄ ErrorControl Öµ
+		szDriverImagePath,     // ×¢²á±íÇý¶¯³ÌÐòµÄ ImagePath Öµ
+		NULL,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+
+	DWORD dwRtn;
+
+	//ÅÐ¶Ï·þÎñÊÇ·ñÊ§°Ü
+	if( hServiceDDK == NULL )
+	{
+		dwRtn = GetLastError();
+		if( dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_EXISTS )
+		{
+			//ÓÉÓÚÆäËûÔ­Òò´´½¨·þÎñÊ§°Ü
+			printf( "CrateService() Faild %d ! \n", dwRtn );
+			bRet = FALSE;
+			goto BeforeLeave;
+		}
+		else
+		{
+			//·þÎñ´´½¨Ê§°Ü£¬ÊÇÓÉÓÚ·þÎñÒÑ¾­´´Á¢¹ý
+			printf( "CrateService() Faild Service is ERROR_IO_PENDING or ERROR_SERVICE_EXISTS! \n" );
+		}
+
+		// Çý¶¯³ÌÐòÒÑ¾­¼ÓÔØ£¬Ö»ÐèÒª´ò¿ª
+		hServiceDDK = OpenService( hServiceMgr, lpszDriverName, SERVICE_ALL_ACCESS );
+
+		if( hServiceDDK == NULL )
+		{
+			//Èç¹û´ò¿ª·þÎñÒ²Ê§°Ü£¬ÔòÒâÎ¶´íÎó
+			dwRtn = GetLastError();
+			printf( "OpenService() Faild %d ! \n", dwRtn );
+			bRet = FALSE;
+			goto BeforeLeave;
+
+		}
+		else 
+		{
+			printf( "OpenService() ok ! \n" );
+		}
+	}
+	else
+	{
+		printf( "CrateService() ok ! \n" );
+	}
+
+	//¿ªÆô´ËÏî·þÎñ
+	bRet= StartService( hServiceDDK, NULL, NULL );
+
+	if( !bRet )
+	{
+		DWORD dwRtn = GetLastError();
+
+		if( dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_ALREADY_RUNNING )
+		{
+			printf( "StartService() Faild %d ! \n", dwRtn );
+			bRet = FALSE;
+			goto BeforeLeave;
+		}
+		else
+		{
+			if( dwRtn == ERROR_IO_PENDING )
+			{
+				//Éè±¸±»¹Ò×¡
+				printf( "StartService() Faild ERROR_IO_PENDING ! \n");
+				bRet = FALSE;
+				goto BeforeLeave;
+			}
+			else
+			{
+				//·þÎñÒÑ¾­¿ªÆô
+				printf( "StartService() Faild ERROR_SERVICE_ALREADY_RUNNING ! \n");
+				bRet = TRUE;
+				goto BeforeLeave;
+			}
+		}
+	}
+
+	bRet = TRUE;
+
+	//Àë¿ªÇ°¹Ø±Õ¾ä±ú
+BeforeLeave:
+
+	if(hServiceDDK)
+	{
+		CloseServiceHandle(hServiceDDK);
+	}
+	if(hServiceMgr)
+	{
+		CloseServiceHandle(hServiceMgr);
+	}
+
+	return bRet;
+
+}
+
+
+
+//Ð¶ÔØÇý¶¯³ÌÐò
+BOOL HsUnloadNTDriver( WCHAR* szSvrName )
+{
+
+	BOOL bRet = FALSE;
+	SC_HANDLE hServiceMgr=NULL;//SCM¹ÜÀíÆ÷µÄ¾ä±ú
+	SC_HANDLE hServiceDDK=NULL;//NTÇý¶¯³ÌÐòµÄ·þÎñ¾ä±ú
+
+	SERVICE_STATUS SvrSta;
+
+	//´ò¿ªSCM¹ÜÀíÆ÷
+	hServiceMgr = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );
+
+	if( hServiceMgr == NULL )
+	{
+
+		//´ø¿ªSCM¹ÜÀíÆ÷Ê§°Ü
+		printf( "OpenSCManager() Faild %d ! \n", GetLastError() );
+		bRet = FALSE;
+		goto BeforeLeave;
+
+	}
+	else
+	{
+
+		//´ø¿ªSCM¹ÜÀíÆ÷Ê§°Ü³É¹¦
+		printf( "OpenSCManager() ok ! \n" );
+	}
+
+	//´ò¿ªÇý¶¯Ëù¶ÔÓ¦µÄ·þÎñ
+	hServiceDDK = OpenService( hServiceMgr, szSvrName, SERVICE_ALL_ACCESS );
+
+	if( hServiceDDK == NULL )
+	{
+		//´ò¿ªÇý¶¯Ëù¶ÔÓ¦µÄ·þÎñÊ§°Ü
+		printf( "OpenService() Faild %d ! \n", GetLastError() );
+		bRet = FALSE;
+		goto BeforeLeave;
+	}
+	else
+	{
+		printf( "OpenService() ok ! \n" );
+	}
+
+	//Í£Ö¹Çý¶¯³ÌÐò£¬Èç¹ûÍ£Ö¹Ê§°Ü£¬Ö»ÓÐÖØÐÂÆô¶¯²ÅÄÜ£¬ÔÙ¶¯Ì¬¼ÓÔØ¡£
+	if( !ControlService( hServiceDDK, SERVICE_CONTROL_STOP , &SvrSta ) )
+	{
+		printf( "ControlService() Faild %d !\n", GetLastError() );
+	}
+	else
+	{
+		//´ò¿ªÇý¶¯Ëù¶ÔÓ¦µÄÊ§°Ü
+		printf( "ControlService() ok !\n" );
+	}
+
+	//¶¯Ì¬Ð¶ÔØÇý¶¯³ÌÐò¡£
+	if( !DeleteService( hServiceDDK ) )
+	{
+		//Ð¶ÔØÊ§°Ü
+		printf( "DeleteSrevice() Faild %d !\n", GetLastError() );
+	}
+	else
+	{
+		//Ð¶ÔØ³É¹¦
+		printf( "DelServer:eleteSrevice() ok !\n" );
+	}
+
+	bRet = TRUE;
+
+BeforeLeave:
+
+	//Àë¿ªÇ°¹Ø±Õ´ò¿ªµÄ¾ä±ú
+	if(hServiceDDK)
+	{
+		CloseServiceHandle(hServiceDDK);
+	}
+	if(hServiceMgr)
+	{
+		CloseServiceHandle(hServiceMgr);
+	}
+
+	return bRet;    
+
+} 
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/LoadSys.h b/arkProject/HeavenShadow/HeavenShadow/LoadSys.h
new file mode 100644
index 0000000..4f63644
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/LoadSys.h
@@ -0,0 +1,9 @@
+#pragma once
+#include "stdafx.h"
+#include "afxcmn.h"
+
+BOOL ExtractFile(void);
+
+BOOL HsLoadNTDriver(WCHAR* lpszDriverName,WCHAR* lpszDriverPath);
+
+BOOL HsUnloadNTDriver(WCHAR* szSvrName);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/MemoryFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/MemoryFunc.cpp
new file mode 100644
index 0000000..a7674e3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MemoryFunc.cpp
@@ -0,0 +1,437 @@
+#include "stdafx.h"
+#include "MemoryFunc.h"
+#include "Common.h"
+#include <vector>
+#include "resource.h"
+
+using namespace std;
+
+typedef struct _MODULE_INFO_
+{
+	ULONG_PTR Base;
+	ULONG_PTR Size;
+	WCHAR Path[MAX_PATH]; 
+}MODULE_INFO, *PMODULE_INFO;
+
+typedef struct _ALL_MODULES_
+{
+	ULONG_PTR   ulCount;
+	MODULE_INFO Modules[1];
+}ALL_MODULES, *PALL_MODULES;
+
+
+vector<PROTECT> m_vectorProtectType;
+vector<MODULE_INFO> m_vectorModules;
+
+extern ULONG_PTR g_ulProcessId;
+extern HANDLE g_hDevice;
+CMyList* g_ListCtrl; 
+
+COLUMNSTRUCT g_Column_Memory[] = 
+{
+	{	L"ÄÚ´æµØÖ·",			125	},
+	{	L"ÄÚ´æ´óÐ¡",			80	},
+	{	L"ÊôÐÔ",				100	},
+	{	L"×´Ì¬",				80	},
+	{	L"ÀàÐÍ",				80	},
+	{	L"Ä£¿éÃû",			125	}
+};
+
+UINT g_Column_Memory_Count  = 6;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+
+void HsInitMemoryList(CMyList *m_ListCtrl)
+{
+	g_ListCtrl = m_ListCtrl;
+
+	InitMemoryProtect();
+
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_Memory_Count;i++)
+	{
+		if (i == 1)
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Memory[i].szTitle,LVCFMT_RIGHT,(int)(g_Column_Memory[i].nWidth*(dpix/96.0)));
+		}
+		else
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Memory[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Memory[i].nWidth*(dpix/96.0)));
+		}
+		
+	}
+}
+
+
+
+BOOL HsQueryProcessMemory(CMyList *m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	if (g_ulProcessId==0)
+	{
+		return FALSE;
+	}
+
+	SendIoControlCodeModule(g_ulProcessId);
+	SendIoControlCodeMemory(g_ulProcessId);
+
+	return TRUE;
+}
+
+
+BOOL SendIoControlCodeModule(ULONG_PTR ProcessID)
+{
+	ULONG ulReturnSize = 0;
+	BOOL  bRet = 0;
+	ULONG ulCount = 0x10;
+	PALL_MODULES AllModules = NULL;
+
+	do 
+	{
+
+		ULONG ulSize = 0;
+
+		if (AllModules)
+		{
+			free(AllModules);
+			AllModules = NULL;
+		}
+
+		ulSize = sizeof(ALL_MODULES) + ulCount * sizeof(MODULE_INFO);
+
+		AllModules = (PALL_MODULES)malloc(ulSize);
+		if (!AllModules)
+		{
+			break;
+		}
+
+		memset(AllModules,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSMODULE),
+			&ProcessID,
+			sizeof(ULONG_PTR),
+			AllModules,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = (ULONG)AllModules->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+
+	if (bRet==0)
+	{
+
+
+		return bRet;
+	}
+
+	if (bRet && AllModules->ulCount > 0)
+	{
+
+		for (ULONG i=0;i<AllModules->ulCount;i++)
+		{
+			MODULE_INFO Temp;
+
+			Temp.Base = AllModules->Modules[i].Base;
+			Temp.Size = AllModules->Modules[i].Size;
+			CString szPath = TrimPath(AllModules->Modules[i].Path);
+
+			wcsncpy_s(Temp.Path, MAX_PATH, szPath.GetBuffer(), szPath.GetLength());
+			szPath.ReleaseBuffer();
+
+			m_vectorModules.push_back(Temp);
+
+		}
+	}
+
+
+	if (AllModules!=NULL)
+	{
+		free(AllModules);
+		AllModules = NULL;
+	}
+	return bRet;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+BOOL SendIoControlCodeMemory(ULONG_PTR ProcessID)
+{
+	ULONG ulReturnSize = 0;
+	BOOL  bRet = 0;
+	ULONG ulCount = 0x10;
+	PALL_MEMORYS Memorys = NULL;
+
+	do 
+	{
+
+		ULONG ulSize = 0;
+
+		if (Memorys)
+		{
+			free(Memorys);
+			Memorys = NULL;
+		}
+
+		ulSize = sizeof(ALL_MEMORYS) + ulCount * sizeof(MEMORY_INFO);
+
+		Memorys = (PALL_MEMORYS)malloc(ulSize);
+		if (!Memorys)
+		{
+			break;
+		}
+
+		memset(Memorys,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSMEMORY),
+			&ProcessID,
+			sizeof(ULONG_PTR),
+			Memorys,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = (ULONG)Memorys->ulCount + 1000;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+
+	if (bRet==0)
+	{
+
+
+		return bRet;
+	}
+
+	if (bRet && Memorys->ulCount > 0)
+	{
+
+		for (ULONG i=0;i<Memorys->ulCount;i++)
+		{
+			CString strBase, strSize, strProtect, strType, strImageName, strState;
+
+			strBase.Format(L"0x%08p", Memorys->Memorys[i].ulBase);
+			strSize.Format(L"0x%X",  Memorys->Memorys[i].ulSize);
+			strProtect = GetMemoryProtect(Memorys->Memorys[i].ulProtect);
+			strType = GetMemoryType(Memorys->Memorys[i].ulType);
+			strState = GetMemoryState(Memorys->Memorys[i].ulState);
+
+			if (Memorys->Memorys[i].ulType == MEM_IMAGE)
+			{
+				strImageName = GetModuleImageName( Memorys->Memorys[i].ulBase);  //ÔÚÎÒÃÇµÄÁíÒ»¸öÊý¾Ý½á¹¹ÖÐ²éÕÒÄ£¿éµÄÃû³Æ
+			}
+
+			int n = g_ListCtrl->GetItemCount();
+			int j = g_ListCtrl->InsertItem(n, strBase);
+			g_ListCtrl->SetItemText(j, MemorySize, strSize);
+			g_ListCtrl->SetItemText(j, MemoryProtect, strProtect);
+			g_ListCtrl->SetItemText(j, MemoryState, strState);
+			g_ListCtrl->SetItemText(j, MemoryType, strType);
+			g_ListCtrl->SetItemText(j, MmeoryModuleName, strImageName);
+
+			g_ListCtrl->SetItemData(j,j);
+
+		}
+	}
+
+
+	if (Memorys!=NULL)
+	{
+		free(Memorys);
+		Memorys = NULL;
+	}
+
+
+	m_vectorProtectType.clear();
+	m_vectorModules.clear();
+	return bRet;
+}
+
+
+CString GetModuleImageName(ULONG_PTR ulBase)
+{
+	CString strImageName = L"";
+
+	for ( vector <MODULE_INFO>::iterator Iter = m_vectorModules.begin( ); Iter != m_vectorModules.end( ); Iter++)
+	{	
+		MODULE_INFO entry = *Iter;
+
+		if (ulBase >= entry.Base && ulBase <= (entry.Base + entry.Size))
+		{
+			CString strPath = entry.Path;
+			strImageName = strPath.Right(strPath.GetLength() - strPath.ReverseFind('\\') - 1);
+			break;
+		}
+	}
+
+	return strImageName;
+}
+
+
+
+CString GetMemoryState(ULONG State)
+{
+	CString szState = L"";
+
+	if (State == MEM_COMMIT)
+	{
+		szState = L"Commit";
+	}
+	else if (State == MEM_FREE)
+	{
+		szState = L"Free";
+	}
+	else if (State == MEM_RESERVE)
+	{
+		szState = L"Reserve";
+	}
+	else if (State == MEM_DECOMMIT)
+	{
+		szState = L"Decommit";
+	}
+	else if (State == MEM_RELEASE)
+	{
+		szState = L"Release";
+	}
+
+	return szState;
+}
+
+
+CString GetMemoryType(ULONG Type)
+{
+	CString szType = L"";
+
+	if (Type == MEM_PRIVATE)
+	{
+		szType = L"Private";
+	}
+	else if (Type == MEM_MAPPED)
+	{
+		szType = L"Map";
+	}
+	else if (Type == MEM_IMAGE)
+	{
+		szType = L"Image";
+	}
+
+	return szType;
+}
+
+
+
+
+VOID InitMemoryProtect()
+{
+	PROTECT protect;
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_NOACCESS;
+	wcsncpy_s(protect.szTypeName, L"No Access", wcslen(L"No Access"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_READONLY;
+	wcsncpy_s(protect.szTypeName, L"Read", wcslen(L"Read"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_READWRITE;
+	wcsncpy_s(protect.szTypeName, L"ReadWrite", wcslen(L"ReadWrite"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_WRITECOPY;
+	wcsncpy_s(protect.szTypeName, L"WriteCopy", wcslen(L"WriteCopy"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_EXECUTE;
+	wcsncpy_s(protect.szTypeName, L"Execute", wcslen(L"Execute"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_EXECUTE_READ;
+	wcsncpy_s(protect.szTypeName, L"ReadExecute", wcslen(L"ReadExecute"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_EXECUTE_READWRITE;
+	wcsncpy_s(protect.szTypeName, L"ReadWriteExecute", wcslen(L"ReadWriteExecute"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_EXECUTE_WRITECOPY;
+	wcsncpy_s(protect.szTypeName, L"WriteCopyExecute", wcslen(L"WriteCopyExecute"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_GUARD;
+	wcsncpy_s(protect.szTypeName, L"Guard", wcslen(L"Guard"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_NOCACHE;
+	wcsncpy_s(protect.szTypeName, L"No Cache", wcslen(L"No Cache"));
+	m_vectorProtectType.push_back(protect);
+
+	memset(&protect, 0, sizeof(PROTECT));
+	protect.uType = PAGE_WRITECOMBINE;
+	wcsncpy_s(protect.szTypeName, L"WriteCombine", wcslen(L"WriteCombine"));
+	m_vectorProtectType.push_back(protect);
+}
+
+
+
+CString GetMemoryProtect(ULONG Protect)
+{
+	BOOL bFirst = TRUE;
+	CString strProtect = L"";
+
+	for ( vector <PROTECT>::iterator Iter = m_vectorProtectType.begin( ); 
+		Iter != m_vectorProtectType.end( ); 
+		Iter++ )
+	{
+		PROTECT item = *Iter;
+		if (item.uType & Protect)
+		{
+			if (bFirst == TRUE)
+			{
+				strProtect = item.szTypeName;
+				bFirst = FALSE;
+			}
+			else
+			{
+				strProtect += L" & ";
+				strProtect += item.szTypeName;
+			}
+		}
+	}
+
+	return strProtect;
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/MemoryFunc.h b/arkProject/HeavenShadow/HeavenShadow/MemoryFunc.h
new file mode 100644
index 0000000..e68c5f6
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MemoryFunc.h
@@ -0,0 +1,65 @@
+#pragma once
+
+#include "stdafx.h"
+
+#include "MyList.h"
+
+
+typedef struct _PROTECT_
+{
+	ULONG uType;
+	WCHAR szTypeName[50];
+}PROTECT, *PPROTECT;
+
+
+
+
+
+typedef struct _MEMORY_INFO_
+{
+	ULONG_PTR ulBase;
+	ULONG_PTR ulSize;
+	ULONG ulProtect;
+	ULONG ulState;
+	ULONG ulType;
+}MEMORY_INFO, *PMEMORY_INFO;
+
+typedef struct _ALL_MEMORYS_
+{
+	ULONG_PTR ulCount;
+	MEMORY_INFO Memorys[1];
+}ALL_MEMORYS, *PALL_MEMORYS;
+
+typedef enum _MEMORY_HEADER_INDEX
+{
+	MemoryBase,
+	MemorySize,
+	MemoryProtect,
+	MemoryState,
+	MemoryType,
+	MmeoryModuleName,
+}MEMORY_HEADER_INDEX;
+
+
+void HsInitMemoryList(CMyList *m_ListCtrl);
+
+BOOL HsQueryProcessMemory(CMyList *m_ListCtrl);
+
+BOOL SendIoControlCodeModule(ULONG_PTR ProcessID);
+
+BOOL SendIoControlCodeMemory(ULONG_PTR ProcessID);
+
+CString TrimPath(WCHAR * wzPath);
+
+CString GetMemoryProtect(ULONG Protect);
+
+VOID InitMemoryProtect();
+
+CString GetMemoryType(ULONG Type);
+
+CString GetMemoryState(ULONG State);
+
+CString GetModuleImageName(ULONG_PTR ulBase);
+
+BOOL SendIoControlCodeMemory(ULONG_PTR ProcessID);
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/ModuleDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/ModuleDlg.cpp
new file mode 100644
index 0000000..5a7283f
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ModuleDlg.cpp
@@ -0,0 +1,393 @@
+// ModuleDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "ModuleDlg.h"
+#include "afxdialogex.h"
+
+#include "HeavenShadowDlg.h"
+#include "Common.h"
+
+#include "ModuleFunc.h"
+
+// CModuleDlg ¶Ô»°¿ò
+
+extern int ResizeX;
+extern int ResizeY;
+
+extern int dpix;
+extern int dpiy;
+
+//////////////////////////////////////////////////////////////////////////
+//ÅÅÐò
+
+UINT module_sort_column;		//¼ÇÂ¼µã»÷µÄÁÐ
+BOOL module_method = TRUE;		//¼ÇÂ¼±È½Ï·½·¨
+
+//////////////////////////////////////////////////////////////////////////
+
+extern CImageList m_TreeModuleImageList;
+
+extern BOOL bIsChecking;
+
+IMPLEMENT_DYNAMIC(CModuleDlg, CDialog)
+
+CModuleDlg::CModuleDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CModuleDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CModuleDlg::~CModuleDlg()
+{
+}
+
+void CModuleDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST_MODULELIST, m_ModuleList);
+}
+
+
+BEGIN_MESSAGE_MAP(CModuleDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+	ON_WM_SIZE()
+	ON_NOTIFY(NM_CUSTOMDRAW, IDC_LIST_MODULELIST, &CModuleDlg::OnNMCustomdrawListModulelist)
+	ON_NOTIFY(LVN_COLUMNCLICK, IDC_LIST_MODULELIST, &CModuleDlg::OnLvnColumnclickListModulelist)
+	ON_COMMAND(ID_MENU_MODULE_REMOVEMODULE, &CModuleDlg::OnMenuModuleRemovemodule)
+	ON_NOTIFY(NM_RCLICK, IDC_LIST_MODULELIST, &CModuleDlg::OnRclickListModulelist)
+	ON_COMMAND(ID_MENU_MODULE_REFRESH, &CModuleDlg::OnMenuModuleRefresh)
+END_MESSAGE_MAP()
+
+
+// CModuleDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+void CModuleDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+}
+
+
+void CModuleDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow == TRUE)
+	{
+		m_ModuleList.MoveWindow(0,0,ResizeX,ResizeY);
+
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_MODULE;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnModu.EnableWindow(FALSE);
+
+		HsLoadModuleList();
+
+		HsSendStatusTip(L"Çý¶¯Ä£¿é");
+
+		m_ModuleList.SetFocus();
+	}
+}
+
+
+BOOL CModuleDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+BOOL CModuleDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	HsInitModuleList((CMyList*)&m_ModuleList);
+
+	UINT uIconSize = 20;
+
+	uIconSize *= (UINT)(dpix/96.0);
+
+	m_TreeModuleImageList.Create(uIconSize, uIconSize, ILC_COLOR32 | ILC_MASK, 2, 2);
+
+	ListView_SetImageList(m_ModuleList.m_hWnd, m_TreeModuleImageList.GetSafeHandle(), LVSIL_SMALL);
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CModuleDlg::OnSize(UINT nType, int cx, int cy)
+{
+	CDialog::OnSize(nType, cx, cy);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	ResizeX = cx;
+	ResizeY = cy;
+}
+
+
+void CModuleDlg::HsLoadModuleList(void)
+{
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	m_ModuleList.DeleteAllItems();
+
+	m_ModuleList.SetSelectedColumn(-1);
+
+	HsSendStatusDetail(L"½ø³ÌÁÐ±íÕýÔÚ¼ÓÔØ¡£");
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsQueryModuleFunction,&m_ModuleList, 0,NULL)
+		);
+}
+
+
+
+
+void CModuleDlg::OnNMCustomdrawListModulelist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	NMLVCUSTOMDRAW* pLVCD = reinterpret_cast<NMLVCUSTOMDRAW*>( pNMHDR );
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	*pResult = CDRF_DODEFAULT;
+
+	if ( CDDS_PREPAINT == pLVCD->nmcd.dwDrawStage )
+	{
+		*pResult = CDRF_NOTIFYITEMDRAW;
+	}
+	else if ( CDDS_ITEMPREPAINT == pLVCD->nmcd.dwDrawStage )
+	{
+		*pResult = CDRF_NOTIFYSUBITEMDRAW;
+	}
+	else if ( (CDDS_ITEMPREPAINT | CDDS_SUBITEM) == pLVCD->nmcd.dwDrawStage )
+	{
+		COLORREF clrNewTextColor, clrNewBkColor;
+		int bHooked = 0;
+		int nItem = static_cast<int>( pLVCD->nmcd.dwItemSpec );
+
+		clrNewTextColor = RGB( 0, 0, 0 );
+		clrNewBkColor = RGB( 255, 255, 255 );
+
+		bHooked = (int)m_ModuleList.GetItemData(nItem); 		
+		if (bHooked == 1)
+		{
+			clrNewTextColor = RGB( 0, 0, 255 );
+		}
+
+		pLVCD->clrText = clrNewTextColor;
+		pLVCD->clrTextBk = clrNewBkColor;
+
+		*pResult = CDRF_DODEFAULT;
+	}
+}
+
+
+void CModuleDlg::OnLvnColumnclickListModulelist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMLISTVIEW pNMLV = reinterpret_cast<LPNMLISTVIEW>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	int nItemCount;
+
+	nItemCount = m_ModuleList.GetItemCount();
+
+	module_sort_column=pNMLV->iSubItem;//µã»÷µÄÁÐ
+
+	m_ModuleList.SetSelectedColumn(module_sort_column);
+
+	for(int i=0;i<nItemCount;i++) m_ModuleList.SetItemData(i,i);//Ã¿ÐÐµÄ±È½Ï¹Ø¼ü×Ö£¬´Ë´¦ÎªÁÐÐòºÅ£¨µã»÷µÄÁÐºÅ£©£¬¿ÉÒÔÉèÖÃÎªÆäËû ±È½Ïº¯ÊýµÄµÚÒ»¶þ¸ö²ÎÊý
+
+	m_ModuleList.SortItems(HsModuleListCompareProc,(DWORD_PTR)&m_ModuleList);//ÅÅÐò µÚ¶þ¸ö²ÎÊýÊÇ±È½Ïº¯ÊýµÄµÚÈý¸ö²ÎÊý
+
+	if (module_method)
+	{
+		module_method = FALSE;
+	}
+	else
+	{
+		module_method = TRUE;
+	}
+
+	for (int i = 0; i < nItemCount; i++)
+	{
+		if (_wcsnicmp(
+			m_ModuleList.GetItemText(i,8),
+			L"Microsoft Corporation",
+			wcslen(L"Microsoft Corporation"))==0
+			)
+		{
+			m_ModuleList.SetItemData(i,1);
+		}
+	}
+
+	*pResult = 0;
+}
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+//ÅÅÐò±È½Ïº¯Êý
+static int CALLBACK HsModuleListCompareProc(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort)
+{
+
+	//´Ó²ÎÊýÖÐÌáÈ¡ËùÐè±È½ÏlcµÄÁ½ÐÐÊý¾Ý
+
+	int row1=(int) lParam1;
+	int row2=(int) lParam2;
+
+	CListCtrl*lc=(CListCtrl*)lParamSort;
+
+	CString lp1=lc->GetItemText(row1,module_sort_column);
+	CString lp2=lc->GetItemText(row2,module_sort_column);
+
+
+	//±È½Ï£¬¶Ô²»Í¬µÄÁÐ£¬²»Í¬±È½Ï£¬×¢Òâ¼ÇÂ¼Ç°Ò»´ÎÅÅÐò·½Ïò£¬ÏÂÒ»´ÎÒªÏà·´ÅÅÐò
+
+	if (module_sort_column == 7)
+	{
+		// intÐÍ±È½Ï
+		if (module_method)
+			return _ttoi(lp1)-_ttoi(lp2);
+		else
+			return _ttoi(lp2)-_ttoi(lp1);
+	}
+	else if (module_sort_column == 1 ||module_sort_column == 2 ||module_sort_column == 3 ||module_sort_column == 6)
+	{
+		ULONG_PTR nlp1 = 0, nlp2 = 0;
+
+		if (lp1.GetLength()>1)
+		{
+			lp1 = lp1.GetBuffer()+2;
+			swscanf_s(lp1.GetBuffer(),L"%P",&nlp1);
+		}
+		else
+		{
+			nlp1 = 0;
+		}
+
+		if (lp2.GetLength()>1)
+		{
+			lp2 = lp2.GetBuffer()+2;
+			swscanf_s(lp2.GetBuffer(),L"%P",&nlp2);
+		}
+		else
+		{
+			nlp2 = 0;
+		}
+
+		if (module_method)
+		{
+			return (int)(nlp1 - nlp2);
+		}
+		else
+		{
+			return (int)(nlp2 - nlp1);
+		}
+	}
+	else
+	{
+		// ÎÄ×ÖÐÍ±È½Ï
+		if(module_method)
+			return lp1.CompareNoCase(lp2);
+		else
+			return lp2.CompareNoCase(lp1);
+	}
+
+	return 0;
+}
+
+
+void CModuleDlg::OnMenuModuleRemovemodule()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	BOOL bRet = MessageBox(L"Ð¶ÔØÄ£¿é²Ù×÷¼«¿ÉÄÜ»áÔì³ÉÏµÍ³Òì³£»ò±ÀÀ££¬\r\nÇëÔÚÈ·ÈÏºó¼ÌÐø¡£",L"ÌìÓ°ÎÀÊ¿",MB_ICONWARNING | MB_OKCANCEL);
+
+	if (bRet == IDCANCEL)
+	{
+		return;
+	}
+
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+ 	CloseHandle(
+ 		CreateThread(NULL,0, 
+ 		(LPTHREAD_START_ROUTINE)HsRemoveDriverModule,&m_ModuleList, 0,NULL)
+ 		);
+	//HsRemoveDriverModule(&m_ListSystemCtrl);
+}
+
+
+void CModuleDlg::OnRclickListModulelist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	CMenu	popup;
+	CPoint	p;
+
+	popup.LoadMenu(IDR_MENU_MODULE);				//¼ÓÔØ²Ëµ¥×ÊÔ´
+	CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+	GetCursorPos(&p);
+	int	count = pM->GetMenuItemCount();
+	if (m_ModuleList.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+	{ 
+		for (int i = 0;i<count;i++)
+		{
+			pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+		}
+	}
+
+	int Index = m_ModuleList.GetSelectionMark();
+
+	if (Index>=0)
+	{
+		if (_wcsicmp(L"-",m_ModuleList.GetItemText(Index,3))==0)
+		{
+			pM->EnableMenuItem(ID_MENU_MODULE_REMOVEMODULE, MF_BYCOMMAND | MF_DISABLED | MF_GRAYED);
+		}
+	}
+
+	pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+
+	*pResult = 0;
+}
+
+
+void CModuleDlg::OnMenuModuleRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	HsLoadModuleList();
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/ModuleDlg.h b/arkProject/HeavenShadow/HeavenShadow/ModuleDlg.h
new file mode 100644
index 0000000..4643a6a
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ModuleDlg.h
@@ -0,0 +1,40 @@
+#pragma once
+#include "afxcmn.h"
+
+
+// CModuleDlg ¶Ô»°¿ò
+
+class CModuleDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CModuleDlg)
+
+public:
+	CModuleDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CModuleDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_MODULE };
+
+	CWnd* m_wParent;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnPaint();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	virtual BOOL OnInitDialog();
+	CListCtrl m_ModuleList;
+	afx_msg void OnSize(UINT nType, int cx, int cy);
+	void HsLoadModuleList(void);
+	afx_msg void OnNMCustomdrawListModulelist(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnLvnColumnclickListModulelist(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuModuleRemovemodule();
+	afx_msg void OnRclickListModulelist(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuModuleRefresh();
+};
+
+
+static int CALLBACK HsModuleListCompareProc(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ModuleFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/ModuleFunc.cpp
new file mode 100644
index 0000000..0c2551b
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ModuleFunc.cpp
@@ -0,0 +1,403 @@
+#include "stdafx.h"
+#include "ModuleFunc.h"
+#include "Common.h"
+
+#include "ProcessFunc.h"
+#include <WinVer.h>
+
+extern BOOL bIsChecking;
+extern HANDLE g_hDevice;
+
+ULONG_PTR m_DriverObject;
+
+CListCtrl* g_ListCtrl_Module;
+
+vector<DRIVER_INFO> m_DriverList;
+CImageList m_TreeModuleImageList;
+
+COLUMNSTRUCT g_Column_Module[] = 
+{
+	{	L"Çý¶¯Ãû",		130	},
+	{	L"»ùµØÖ·",		125	},
+	{	L"´óÐ¡",			70	},
+	{	L"Çý¶¯¶ÔÏó",		125	},
+	{	L"Çý¶¯Â·¾¶",		200	},
+	{	L"·þÎñÃû³Æ",		80	},
+	{	L"Æô¶¯Èë¿Ú",		125	},
+	{	L"¼ÓÔØË³Ðò",		65	},
+	{	L"ÎÄ¼þ³§ÉÌ",		120	}
+};
+
+UINT g_Column_Module_Count  = 9;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+
+void HsInitModuleList(CListCtrl *m_ListCtrl)
+{
+	g_ListCtrl_Module = m_ListCtrl;
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_Module_Count;i++)
+	{
+		if (i == 2)
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Module[i].szTitle,LVCFMT_RIGHT,(int)(g_Column_Module[i].nWidth*(dpix/96.0)));
+		}
+		else
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Module[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Module[i].nWidth*(dpix/96.0)));
+		}
+	}
+}
+
+
+DWORD WINAPI HsQueryModuleFunction(CListCtrl *m_ListCtrl)
+{
+	bIsChecking = TRUE;
+
+	HsQueryModuleList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+	return 0;
+}
+
+void HsQueryModuleList(CListCtrl *m_ListCtrl)
+{
+	DWORD dwReturnSize = 0;
+	DWORD dwRet = 0;
+	int ModuleCount = 0;
+
+	while (m_TreeModuleImageList.Remove(0));
+	m_ListCtrl->DeleteAllItems();
+
+	ULONG ulReturnSize = 0;
+	BOOL bRet = FALSE;
+
+
+	m_DriverList.clear();
+
+	ULONG ulCount = 1000;
+	PALL_DRIVERS Drivers = NULL;
+
+	do 
+	{
+		ULONG ulSize = 0;
+
+		if (Drivers)
+		{
+			free(Drivers);
+			Drivers = NULL;
+		}
+
+		ulSize = sizeof(ALL_DRIVERS) + ulCount * sizeof(DRIVER_INFO);
+
+		Drivers = (PALL_DRIVERS)malloc(ulSize);
+		if (!Drivers)
+		{
+			break;
+		}
+
+		memset(Drivers,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_MODU_MODULELIST),
+			NULL,
+			0,
+			Drivers,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = (ULONG)Drivers->ulCount + 100;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && Drivers->ulCount > 0)
+	{
+		for (ULONG i = 0;i<Drivers->ulCount; i++)
+		{
+			FixDriverPath(&Drivers->Drivers[i]);
+			m_DriverList.push_back(Drivers->Drivers[i]);
+		}
+	}
+
+	if (Drivers)
+	{
+		free(Drivers);
+		Drivers = NULL;
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+
+	if (m_DriverList.empty())
+	{
+		return;
+	}
+
+
+	for (vector <DRIVER_INFO>::iterator Iter = m_DriverList.begin( ); 
+		Iter != m_DriverList.end( ); 
+		Iter++ )
+	{
+		DRIVER_INFO DriverInfor = *Iter;
+
+		WCHAR wzDriverName[MAX_PATH] = {0};
+		WCHAR szWindowsText[MAX_PATH] = {0};
+
+
+		CString  strDriverName;
+		CString  strBase;
+		CString  strSize;
+		CString  strObject;
+		CString  strLoadCount;
+		CString  strComp;
+		CString  strDriverStart;
+
+
+		//»ñµÃÏµÍ³ÖÐÈ«²¿·þÎñÐÅÏ¢
+		//GetServiceKeys();
+
+
+		wcsncpy_s(wzDriverName, DriverInfor.wzDriverPath,wcslen(DriverInfor.wzDriverPath));
+
+
+		//
+		// »ñµÃÇý¶¯Ãû
+		//
+		WCHAR* Temp = wcsrchr(wzDriverName, '\\');
+
+		
+
+
+		strBase.Format(L"0x%p",DriverInfor.Base);
+		strSize.Format(L"0x%X",DriverInfor.Size);
+		if (DriverInfor.DriverObject)
+		{
+			strObject.Format(L"0x%p",DriverInfor.DriverObject);
+		}
+		else
+		{
+			strObject = L"-";
+		}
+		strLoadCount.Format(L"%d",DriverInfor.LodeOrder);
+		if (DriverInfor.DriverObject)
+		{
+			strDriverStart.Format(L"0x%p",DriverInfor.DirverStartAddress);
+		}
+		else
+		{
+			strDriverStart = L"-";
+		}
+		
+		int n = g_ListCtrl_Module->GetItemCount();
+
+		int j = 0;
+
+		LPCTSTR lpModuleName;
+
+		if (Temp!=NULL)
+		{
+			lpModuleName = Temp+1;
+		}
+		else if (wcslen(DriverInfor.wzDriverPath)>0)
+		{
+			lpModuleName = DriverInfor.wzDriverPath;
+			
+		} else
+		{
+			continue;
+		}
+
+
+		AddModuleFileIcon(DriverInfor.wzDriverPath);
+		int nImageCount = m_TreeModuleImageList.GetImageCount()-1;
+		j = g_ListCtrl_Module->InsertItem(n,lpModuleName, nImageCount);
+
+		
+		
+		ModuleCount++;
+		CString CSStatusDetail;
+		CSStatusDetail.Format( L"Çý¶¯Ä£¿éÕýÔÚ¼ÓÔØ¡£ Çý¶¯Êý£º%d",ModuleCount);
+		HsSendStatusDetail(CSStatusDetail.GetBuffer());
+		
+
+
+		//»ñµÃÎÄ¼þ³§ÉÌ
+		if (PathFileExists(DriverInfor.wzDriverPath))
+		{
+			strComp = HsGetFileCompanyName(DriverInfor.wzDriverPath);
+		}
+
+		else
+		{
+			strComp = L"ÎÄ¼þ²»´æÔÚ";
+		}
+
+
+		g_ListCtrl_Module->SetItemText(j, 1, strBase);
+		g_ListCtrl_Module->SetItemText(j, 2, strSize);
+		g_ListCtrl_Module->SetItemText(j, 3, strObject);
+		g_ListCtrl_Module->SetItemText(j, 4, DriverInfor.wzDriverPath);
+		g_ListCtrl_Module->SetItemText(j, 5, DriverInfor.wzKeyName);
+		g_ListCtrl_Module->SetItemText(j, 6, strDriverStart);
+		g_ListCtrl_Module->SetItemText(j, 7, strLoadCount);
+		g_ListCtrl_Module->SetItemText(j, 8, strComp);
+		//g_ListCtrl_Module->SetItemData(j,j);
+		if (_wcsnicmp(strComp,L"Microsoft Corporation", wcslen(L"Microsoft Corporation"))==0)
+		{
+			g_ListCtrl_Module->SetItemData(j,1);
+		}
+	}
+
+	CString CSStatusDetail;
+	CSStatusDetail.Format( L"Çý¶¯Ä£¿é¼ÓÔØÍê³É¡£ Çý¶¯Êý£º%d",ModuleCount);
+	HsSendStatusDetail(CSStatusDetail.GetBuffer());
+}
+
+
+
+
+void FixDriverPath(PDRIVER_INFO DriverInfor)
+{
+	if (!DriverInfor || wcslen(DriverInfor->wzDriverPath) == 0)
+	{
+		return;
+	}
+
+	WCHAR wzWindowsDirectory[MAX_PATH] = {0};
+	WCHAR wzDriverDirectory[MAX_PATH] = {0};	
+	WCHAR wzDriver[] = L"\\System32\\Drivers\\";
+
+	GetWindowsDirectory(wzWindowsDirectory, MAX_PATH - 1);
+	wcscpy_s(wzDriverDirectory, wzWindowsDirectory);
+	wcscat_s(wzDriverDirectory, wzDriver);
+
+	WCHAR* wzOriginPath = DriverInfor->wzDriverPath;
+	WCHAR  wzPath[MAX_PATH] = {0};
+	WCHAR* wzTemp = wcschr(wzOriginPath, L'\\');
+
+	// Ã»ÓÐÄ¿Â¼ÐÅÏ¢£¬Ö»ÓÐÒ»¸öÇý¶¯Ãû×ÖµÄ£¬Ö±½ÓÆ´½ÓDriverÄ¿Â¼¡£
+	if (!wzTemp)
+	{
+		wcscpy_s(wzPath, wzDriverDirectory);
+		wcscat_s(wzPath, wzOriginPath);
+		wcscpy_s(DriverInfor->wzDriverPath, wzPath);
+
+		wzOriginPath[wcslen(wzPath)] = L'\0';
+	}
+	else
+	{
+		WCHAR wzUnknow[] = L"\\??\\";
+		WCHAR wzSystemRoot[] = L"\\SystemRoot";
+		WCHAR wzWindows[] = L"\\Windows";
+		WCHAR wzWinnt[] = L"\\Winnt";
+		size_t nOrigin = wcslen(wzOriginPath);
+
+		if ( nOrigin >= wcslen(wzUnknow) && !_wcsnicmp(wzOriginPath, wzUnknow, wcslen(wzUnknow)) )
+		{
+			wcscpy_s(wzPath, wzOriginPath + wcslen(wzUnknow));
+			wcscpy_s(DriverInfor->wzDriverPath, wzPath);
+			wzOriginPath[wcslen(wzPath)] = L'\0';
+		}
+		else if (nOrigin >= wcslen(wzSystemRoot) && !_wcsnicmp(wzOriginPath, wzSystemRoot, wcslen(wzSystemRoot)))
+		{
+			wcscpy_s(wzPath, wzWindowsDirectory);
+			wcscat_s(wzPath, wzOriginPath + wcslen(wzSystemRoot));
+			wcscpy_s(DriverInfor->wzDriverPath, wzPath);
+			wzOriginPath[wcslen(wzPath)] = L'\0';
+		}
+		else if (nOrigin >= wcslen(wzWindows) && !_wcsnicmp(wzOriginPath, wzWindows, wcslen(wzWindows)))
+		{
+			wcscpy_s(wzPath, wzWindowsDirectory);
+			wcscat_s(wzPath, wzOriginPath + wcslen(wzWindows));
+			wcscpy_s(DriverInfor->wzDriverPath, wzPath);
+			wzOriginPath[wcslen(wzPath)] = L'\0';
+		}
+		else if (nOrigin >= wcslen(wzWinnt) && !_wcsnicmp(wzOriginPath, wzWinnt, wcslen(wzWinnt)))
+		{
+			wcscpy_s(wzPath, wzWindowsDirectory);
+			wcscat_s(wzPath, wzOriginPath + wcslen(wzWinnt));
+			wcscpy_s(DriverInfor->wzDriverPath, wzPath);
+			wzOriginPath[wcslen(wzPath)] = L'\0';
+		}
+	}
+
+	// Èç¹ûÊÇ¶ÌÎÄ¼þÃû
+	if (wcschr(wzOriginPath, '~'))
+	{
+		WCHAR wzLongPath[MAX_PATH] = {0};
+		DWORD nRet = GetLongPathName(wzOriginPath, wzLongPath, MAX_PATH);
+		if ( !(nRet >= MAX_PATH || nRet == 0) )
+		{
+			wcscpy_s(DriverInfor->wzDriverPath, wzLongPath);
+			wzOriginPath[wcslen(wzLongPath)] = L'\0';
+		}
+	}
+}
+
+
+
+void AddModuleFileIcon(WCHAR* ModulePath)
+{
+	SHFILEINFO shInfo;
+	memset(&shInfo, 0, sizeof(shInfo));
+	CString CSmPath = ModulePath;
+	SHGetFileInfo(CSmPath, FILE_ATTRIBUTE_NORMAL, 
+		&shInfo, sizeof(SHFILEINFO), SHGFI_ICON | SHGFI_USEFILEATTRIBUTES);
+
+	HICON  hIcon = shInfo.hIcon;
+
+	m_TreeModuleImageList.Add(hIcon);
+}
+
+
+
+void HsRemoveDriverModule(CListCtrl* m_ListCtrl)
+{
+	m_DriverObject = 0;
+
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+	CString Temp = m_ListCtrl->GetItemText(Index,3);
+
+	swscanf_s(Temp.GetBuffer()+2,L"%p",&m_DriverObject);
+
+	if (m_DriverObject==0)
+	{
+		return;
+	}
+
+	if (SendIoControlUnloadDriver())
+	{
+		HsQueryModuleList(m_ListCtrl);
+	}
+
+	bIsChecking = FALSE;
+}
+
+
+BOOL SendIoControlUnloadDriver()
+{
+	ULONG ulReturnSize = 0;
+	BOOL bRet = FALSE;
+
+	bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_MODU_REMOVEMODULE),
+		&m_DriverObject,
+		sizeof(ULONG_PTR),
+		NULL,
+		0,
+		&ulReturnSize,
+		NULL);
+
+	return bRet;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ModuleFunc.h b/arkProject/HeavenShadow/HeavenShadow/ModuleFunc.h
new file mode 100644
index 0000000..4478650
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ModuleFunc.h
@@ -0,0 +1,50 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+#include <afxtempl.h>
+#include <vector>
+#include <Strsafe.h>
+
+#pragma comment(lib,"Version.lib")
+using namespace std;
+
+typedef struct _DRIVER_INFO_
+{
+	ULONG_PTR LodeOrder;
+	ULONG_PTR Base;
+	ULONG_PTR Size;
+	ULONG_PTR DriverObject;
+	ULONG_PTR DirverStartAddress;
+	WCHAR wzDriverPath[MAX_PATH];
+	WCHAR wzKeyName[MAX_PATH];
+}DRIVER_INFO, *PDRIVER_INFO;
+
+typedef struct _ALL_DRIVERS_
+{
+	ULONG_PTR ulCount;
+	DRIVER_INFO Drivers[1];
+}ALL_DRIVERS, *PALL_DRIVERS;
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+void HsInitModuleList(CListCtrl *m_ListCtrl);
+
+DWORD WINAPI HsQueryModuleFunction(CListCtrl *m_ListCtrl);
+
+void HsQueryModuleList(CListCtrl *m_ListCtrl);
+
+void FixDriverPath(PDRIVER_INFO DriverInfor);
+
+void AddModuleFileIcon(WCHAR* ModulePath);
+
+void HsRemoveDriverModule(CListCtrl* m_ListCtrl);
+
+BOOL SendIoControlUnloadDriver();
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyCheckBtn.cpp b/arkProject/HeavenShadow/HeavenShadow/MyCheckBtn.cpp
new file mode 100644
index 0000000..da166c9
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyCheckBtn.cpp
@@ -0,0 +1,83 @@
+// MyCheckBtn.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "MyCheckBtn.h"
+
+
+// CMyCheckBtn
+
+IMPLEMENT_DYNAMIC(CMyCheckBtn, CStatic)
+
+CMyCheckBtn::CMyCheckBtn()
+{
+
+}
+
+CMyCheckBtn::~CMyCheckBtn()
+{
+}
+
+
+BEGIN_MESSAGE_MAP(CMyCheckBtn, CStatic)
+	ON_WM_MOUSEMOVE()
+	ON_WM_MOUSELEAVE()
+	ON_WM_MOUSEHOVER()
+	ON_WM_SETCURSOR()
+END_MESSAGE_MAP()
+
+
+
+// CMyCheckBtn ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+
+void CMyCheckBtn::OnMouseMove(UINT nFlags, CPoint point)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+	TRACKMOUSEEVENT csTME;
+	csTME.cbSize = sizeof (csTME);
+	csTME.dwFlags = TME_LEAVE|TME_HOVER;
+	csTME.hwndTrack = m_hWnd;		// Ö¸¶¨Òª ×·×Ù µÄ´°¿Ú 
+	csTME.dwHoverTime = 50;			// Êó±êÔÚ°´Å¥ÉÏÍ£Áô³¬¹ý 50ms £¬²ÅÈÏÎª×´Ì¬Îª HOVER
+	::_TrackMouseEvent (&csTME);	// ¿ªÆô Windows µÄ WM_MOUSELEAVE £¬ WM_MOUSEHOVER ÊÂ¼þÖ§³Ö
+	CStatic::OnMouseMove(nFlags, point);
+}
+
+
+void CMyCheckBtn::OnMouseLeave()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_HOMECHECK_BTN),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_HOMECHECK_BTN));
+
+	SetBitmap(hBmp);
+
+	CStatic::OnMouseLeave();
+}
+
+
+void CMyCheckBtn::OnMouseHover(UINT nFlags, CPoint point)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+	HINSTANCE hIns = AfxFindResourceHandle(MAKEINTRESOURCE(IDB_BITMAP_HOMECHECK_BTN_HOVER),RT_GROUP_ICON);
+
+	HBITMAP   hBmp = ::LoadBitmap(hIns, MAKEINTRESOURCE(IDB_BITMAP_HOMECHECK_BTN_HOVER));
+
+	SetBitmap(hBmp);
+
+	CStatic::OnMouseHover(nFlags, point);
+}
+
+
+BOOL CMyCheckBtn::OnSetCursor(CWnd* pWnd, UINT nHitTest, UINT message)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+	// Ê¹ÓÃ×Ô¼ºµÄÊó±ê»æÖÆº¯Êý¡£
+	::SetCursor(::LoadCursorW(NULL,IDC_HAND));
+
+	return TRUE;
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyCheckBtn.h b/arkProject/HeavenShadow/HeavenShadow/MyCheckBtn.h
new file mode 100644
index 0000000..faa3bea
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyCheckBtn.h
@@ -0,0 +1,23 @@
+#pragma once
+
+
+// CMyCheckBtn
+
+class CMyCheckBtn : public CStatic
+{
+	DECLARE_DYNAMIC(CMyCheckBtn)
+
+public:
+	CMyCheckBtn();
+	virtual ~CMyCheckBtn();
+
+protected:
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnMouseMove(UINT nFlags, CPoint point);
+	afx_msg void OnMouseLeave();
+	afx_msg void OnMouseHover(UINT nFlags, CPoint point);
+	afx_msg BOOL OnSetCursor(CWnd* pWnd, UINT nHitTest, UINT message);
+};
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyEdit.cpp b/arkProject/HeavenShadow/HeavenShadow/MyEdit.cpp
new file mode 100644
index 0000000..337d9e6
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyEdit.cpp
@@ -0,0 +1,37 @@
+// MyEdit.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "MyEdit.h"
+
+
+// CMyEdit
+
+IMPLEMENT_DYNAMIC(CMyEdit, CEdit)
+
+CMyEdit::CMyEdit()
+{
+
+}
+
+CMyEdit::~CMyEdit()
+{
+}
+
+
+BEGIN_MESSAGE_MAP(CMyEdit, CEdit)
+	ON_WM_CONTEXTMENU()
+END_MESSAGE_MAP()
+
+
+
+// CMyEdit ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+
+void CMyEdit::OnContextMenu(CWnd* /*pWnd*/, CPoint /*point*/)
+{
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyEdit.h b/arkProject/HeavenShadow/HeavenShadow/MyEdit.h
new file mode 100644
index 0000000..abd41c2
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyEdit.h
@@ -0,0 +1,20 @@
+#pragma once
+
+
+// CMyEdit
+
+class CMyEdit : public CEdit
+{
+	DECLARE_DYNAMIC(CMyEdit)
+
+public:
+	CMyEdit();
+	virtual ~CMyEdit();
+
+protected:
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnContextMenu(CWnd* /*pWnd*/, CPoint /*point*/);
+};
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyList.cpp b/arkProject/HeavenShadow/HeavenShadow/MyList.cpp
new file mode 100644
index 0000000..60b12f7
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyList.cpp
@@ -0,0 +1,43 @@
+// MyList.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "MyList.h"
+
+
+// CMyList
+
+IMPLEMENT_DYNAMIC(CMyList, CListCtrl)
+
+CMyList::CMyList()
+{
+
+}
+
+CMyList::~CMyList()
+{
+}
+
+CMap<DWORD , DWORD& , COLORREF , COLORREF&> MapItemColor;
+int CMyList::InsertItem(int nItem,LPCTSTR lpText,COLORREF fontcolor)
+{
+	const int IDX = CListCtrl::InsertItem(nItem, lpText);
+	//¸Ä±äÑÕÉ«
+	DWORD iItem=(DWORD)nItem;
+	MapItemColor.SetAt(iItem, fontcolor);
+	CListCtrl::RedrawItems(iItem,iItem);
+	CListCtrl::Update(iItem);
+	return IDX;
+}
+
+
+
+BEGIN_MESSAGE_MAP(CMyList, CListCtrl)
+END_MESSAGE_MAP()
+
+
+
+// CMyList ÏûÏ¢´¦Àí³ÌÐò
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyList.h b/arkProject/HeavenShadow/HeavenShadow/MyList.h
new file mode 100644
index 0000000..02a095d
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyList.h
@@ -0,0 +1,21 @@
+#pragma once
+
+
+// CMyList
+
+class CMyList : public CListCtrl
+{
+	DECLARE_DYNAMIC(CMyList)
+
+public:
+	CMyList();
+	virtual ~CMyList();
+
+	//²åÈëÊý¾Ý£¬¿ÉÉèÖÃ×ÖÌåÑÕÉ«
+	int InsertItem(int nItem,LPCTSTR lpText,COLORREF fontcolor=RGB(0,0,0));
+
+protected:
+	DECLARE_MESSAGE_MAP()
+};
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyPicButton.cpp b/arkProject/HeavenShadow/HeavenShadow/MyPicButton.cpp
new file mode 100644
index 0000000..3808916
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyPicButton.cpp
@@ -0,0 +1,94 @@
+// MyPicButton.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "MyPicButton.h"
+
+#include "Common.h"
+
+
+extern CWnd* g_wParent;
+
+// CMyPicButton
+
+IMPLEMENT_DYNAMIC(CMyPicButton, CStatic)
+
+CMyPicButton::CMyPicButton()
+{
+}
+
+CMyPicButton::~CMyPicButton()
+{
+}
+
+
+BEGIN_MESSAGE_MAP(CMyPicButton, CStatic)
+	ON_WM_SETCURSOR()
+END_MESSAGE_MAP()
+
+
+
+// CMyPicButton ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+BOOL CMyPicButton::PreTranslateMessage(MSG* pMsg)
+{
+	m_toolTip.RelayEvent(pMsg);
+
+	return CStatic::PreTranslateMessage(pMsg);
+}
+
+
+void CMyPicButton::PreSubclassWindow()
+{
+	CRect rect;
+	GetClientRect(rect);
+	m_toolTip.Create(this);
+	m_toolTip.AddTool(this, m_szToolTipText, rect, GetDlgCtrlID());
+	m_toolTip.Activate(TRUE);
+	EnableToolTips(TRUE);
+
+	CStatic::PreSubclassWindow();
+}
+
+void CMyPicButton::SetToolTipText(const CString &szTip)
+{
+	m_szToolTipText = szTip;
+	UpdateToolTipText();
+	return;
+}
+
+void CMyPicButton::UpdateToolTipText()
+{
+	if (::IsWindow(GetSafeHwnd()))
+	{
+		m_toolTip.UpdateTipText(m_szToolTipText, this, GetDlgCtrlID());
+	}
+	return;
+}
+
+
+INT_PTR CMyPicButton::OnToolHitTest(CPoint point, TOOLINFO* pTI) const
+{
+	pTI->hwnd = m_hWnd;
+	pTI->uId = (UINT)m_hWnd;
+	pTI->uFlags |= TTF_IDISHWND;
+	pTI->lpszText = LPSTR_TEXTCALLBACK;
+	return GetDlgCtrlID();
+
+	//return CStatic::OnToolHitTest(point, pTI);
+}
+
+
+
+BOOL CMyPicButton::OnSetCursor(CWnd* pWnd, UINT nHitTest, UINT message)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+
+	// Ê¹ÓÃ×Ô¼ºµÄÊó±ê»æÖÆº¯Êý¡£
+	::SetCursor(::LoadCursorW(NULL,IDC_HAND));
+
+	return TRUE;
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyPicButton.h b/arkProject/HeavenShadow/HeavenShadow/MyPicButton.h
new file mode 100644
index 0000000..eec2660
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyPicButton.h
@@ -0,0 +1,33 @@
+#pragma once
+
+
+// CMyPicButton
+
+class CMyPicButton : public CStatic
+{
+	DECLARE_DYNAMIC(CMyPicButton)
+
+public:
+	CMyPicButton();
+	virtual ~CMyPicButton();
+
+	BOOL m_bIsHand;
+
+protected:
+	DECLARE_MESSAGE_MAP()
+public:
+	//afx_msg void OnMouseMove(UINT nFlags, CPoint point);
+
+public:
+	CString m_szToolTipText;
+	CToolTipCtrl m_toolTip;
+	void SetToolTipText(const CString &szTip);
+	void UpdateToolTipText();
+
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	virtual void PreSubclassWindow();
+	virtual INT_PTR OnToolHitTest(CPoint point, TOOLINFO* pTI) const;
+	afx_msg BOOL OnSetCursor(CWnd* pWnd, UINT nHitTest, UINT message);
+};
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyText.cpp b/arkProject/HeavenShadow/HeavenShadow/MyText.cpp
new file mode 100644
index 0000000..60eaf65
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyText.cpp
@@ -0,0 +1,63 @@
+// MyText.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "MyText.h"
+
+
+// CMyText
+
+IMPLEMENT_DYNAMIC(CMyText, CStatic)
+
+CMyText::CMyText()
+{
+
+}
+
+CMyText::~CMyText()
+{
+}
+
+
+BEGIN_MESSAGE_MAP(CMyText, CStatic)
+	ON_WM_CTLCOLOR_REFLECT()
+END_MESSAGE_MAP()
+
+
+
+// CMyText ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+HBRUSH CMyText::CtlColor(CDC* pDC, UINT nCtlColor)
+{
+	pDC->SetBkMode(TRANSPARENT);
+	pDC->SetTextColor(RGB(255,255,255));
+
+	return (HBRUSH)::GetStockObject(NULL_BRUSH);
+}
+
+
+LRESULT CMyText::DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+
+	if (message == WM_SETTEXT)
+	{
+		CRect rect;
+
+		GetWindowRect(&rect);
+
+		CWnd* pParent = GetParent();
+
+		if (pParent)
+		{
+			pParent->ScreenToClient(&rect);
+			pParent->InvalidateRect(&rect);
+		}
+	}
+
+	return CStatic::DefWindowProc(message, wParam, lParam);
+}
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyText.h b/arkProject/HeavenShadow/HeavenShadow/MyText.h
new file mode 100644
index 0000000..d3a8873
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyText.h
@@ -0,0 +1,21 @@
+#pragma once
+
+
+// CMyText
+
+class CMyText : public CStatic
+{
+	DECLARE_DYNAMIC(CMyText)
+
+public:
+	CMyText();
+	virtual ~CMyText();
+
+protected:
+	DECLARE_MESSAGE_MAP()
+	afx_msg HBRUSH CtlColor(CDC* pDC, UINT nCtlColor);
+public:
+	virtual LRESULT DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam);
+};
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyText2.cpp b/arkProject/HeavenShadow/HeavenShadow/MyText2.cpp
new file mode 100644
index 0000000..3a9a2d3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyText2.cpp
@@ -0,0 +1,63 @@
+// MyText2.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "MyText2.h"
+
+
+// CMyText2
+
+IMPLEMENT_DYNAMIC(CMyText2, CStatic)
+
+CMyText2::CMyText2()
+{
+
+}
+
+CMyText2::~CMyText2()
+{
+}
+
+
+BEGIN_MESSAGE_MAP(CMyText2, CStatic)
+	ON_WM_CTLCOLOR_REFLECT()
+END_MESSAGE_MAP()
+
+
+
+// CMyText2 ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+HBRUSH CMyText2::CtlColor(CDC* pDC, UINT nCtlColor)
+{
+	pDC->SetBkMode(TRANSPARENT);
+	pDC->SetTextColor(RGB(75,75,75));
+
+	return (HBRUSH)::GetStockObject(NULL_BRUSH);
+}
+
+
+LRESULT CMyText2::DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+
+	if (message == WM_SETTEXT)
+	{
+		CRect rect;
+
+		GetWindowRect(&rect);
+
+		CWnd* pParent = GetParent();
+
+		if (pParent)
+		{
+			pParent->ScreenToClient(&rect);
+			pParent->InvalidateRect(&rect);
+		}
+	}
+
+	return CStatic::DefWindowProc(message, wParam, lParam);
+}
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/MyText2.h b/arkProject/HeavenShadow/HeavenShadow/MyText2.h
new file mode 100644
index 0000000..8072eb3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/MyText2.h
@@ -0,0 +1,20 @@
+#pragma once
+
+
+// CMyText2
+
+class CMyText2 : public CStatic
+{
+	DECLARE_DYNAMIC(CMyText2)
+
+public:
+	CMyText2();
+	virtual ~CMyText2();
+protected:
+	DECLARE_MESSAGE_MAP()
+	afx_msg HBRUSH CtlColor(CDC* pDC, UINT nCtlColor);
+public:
+	virtual LRESULT DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam);
+};
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/PModuleFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/PModuleFunc.cpp
new file mode 100644
index 0000000..de4d088
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/PModuleFunc.cpp
@@ -0,0 +1,211 @@
+#include "stdafx.h"
+#include "PModuleFunc.h"
+#include "Common.h"
+
+#include <Psapi.h>
+#include "resource.h"
+
+
+#pragma comment(lib,"psapi.lib")
+
+extern WIN_VERSION GetWindowsVersion();
+extern WIN_VERSION WinVersion;
+
+extern ULONG_PTR g_ulProcessId;
+
+
+
+COLUMNSTRUCT g_Column_ProcessModule[] = 
+{
+	{	L"µØÖ·",					125	},
+	{	L"´óÐ¡",					70	},
+	{	L"Èë¿ÚµØÖ·",				125	},
+	{	L"Ä£¿éÃû³Æ",				270	}
+};
+
+UINT g_Column_ProcessModule_Count  = 4;	  //½ø³ÌÁÐ±íÁÐÊý
+
+
+
+extern int dpix;
+extern int dpiy;
+
+
+
+
+VOID HsInitPModuleDetailList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_ProcessModule_Count;i++)
+	{
+		if (i==1)
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_ProcessModule[i].szTitle,LVCFMT_RIGHT,(int)(g_Column_ProcessModule[i].nWidth*(dpix/96.0)));
+		}
+		else
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_ProcessModule[i].szTitle,LVCFMT_LEFT,(int)(g_Column_ProcessModule[i].nWidth*(dpix/96.0)));
+		}
+	}
+
+
+	if (HsIs64BitWindows())
+	{
+		EnableDebugPri64();
+	}
+	else
+	{
+		EnableDebugPri32();
+	}
+}
+
+VOID HsLoadPModuleDetailList(CListCtrl *m_ListCtrl)
+{
+	PROCESSMODULE_INFO mi[1024] = {0};
+
+	m_ListCtrl->DeleteAllItems();
+
+
+	ULONG_PTR ulCount = EnumProcessModule(mi);
+
+	CString  strBase;
+	CString  strSize;
+	CString  strEntryPoint;
+
+
+	if (ulCount>0)
+	{
+		UINT i = 0;
+		for (i=0;i<ulCount;i++)
+		{
+
+
+			strBase.Format(L"0x%p",mi[i].ulBase);
+			strSize.Format(L"0x%X",mi[i].ulSize);
+			strEntryPoint.Format(L"0x%p",mi[i].ulEntryPoint);
+			CString  strPathName(mi[i].szPath);
+
+
+			int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strBase);
+			m_ListCtrl->SetItemText(n,1,strSize);
+			m_ListCtrl->SetItemText(n,2,strEntryPoint);
+			m_ListCtrl->SetItemText(n,3,strPathName);
+
+		}
+	}
+
+}
+
+BOOL EnableDebugPri64()
+{
+	typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
+	pfnRtlAdjustPrivilege64 RtlAdjustPrivilege;
+
+	DWORD                  dwRetVal    = 0;
+	LPTHREAD_START_ROUTINE FuncAddress = NULL;
+#ifdef _UNICODE
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+	if (FuncAddress==NULL)
+	{
+		return FALSE;
+	}
+
+
+	RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+	if (RtlAdjustPrivilege==NULL)
+	{
+		return FALSE;
+	}
+	RtlAdjustPrivilege(20,1,0,&dwRetVal);
+
+	return TRUE;
+}
+
+
+
+BOOL EnableDebugPri32()
+{
+
+	HANDLE hToken;
+	TOKEN_PRIVILEGES pTP;
+	LUID uID;
+
+	if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
+	{
+		printf("OpenProcessToken is Error\n");
+
+		return FALSE;
+	}
+
+	if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
+	{
+		printf("LookupPrivilegeValue is Error\n");
+
+		return FALSE;
+	}
+
+
+	pTP.PrivilegeCount = 1;
+	pTP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+	pTP.Privileges[0].Luid = uID;
+
+
+	//ÔÚÕâÀïÎÒÃÇ½øÐÐµ÷ÕûÈ¨ÏÞ
+	if (!AdjustTokenPrivileges(hToken,false,&pTP,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
+	{
+		printf("AdjuestTokenPrivileges is Error\n");
+		return  FALSE;
+	}
+
+
+	return TRUE;
+
+}
+
+
+
+
+
+ULONG_PTR EnumProcessModule(_PROCESSMODULE_INFO* mi)
+{
+
+	MODULEINFO ModInfor;
+	char szModName[MAX_PATH];
+	HMODULE hMods[1024];
+	DWORD cbNeeded,i;
+	HANDLE hProcess;
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,0,(DWORD)g_ulProcessId);
+	if (hProcess==0)
+	{
+		return 0;
+	}
+	if(EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
+	{
+		for (i=0; i<=cbNeeded/sizeof(HMODULE); i++ )
+		{
+			GetModuleInformation(hProcess, hMods[i], &ModInfor, sizeof(MODULEINFO));
+			GetModuleFileNameExA(hProcess, hMods[i], szModName, 260);
+			mi[i].ulBase=(ULONG_PTR)(ModInfor.lpBaseOfDll);
+			mi[i].ulSize=(ULONG_PTR)(ModInfor.SizeOfImage);
+			mi[i].ulEntryPoint=(ULONG_PTR)(ModInfor.EntryPoint);
+			strcpy_s(mi[i].szPath,szModName);
+		}
+		CloseHandle(hProcess);
+		return cbNeeded/sizeof(HMODULE);
+	}
+	else
+	{
+		CloseHandle(hProcess);
+		return 0;
+	}
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/PModuleFunc.h b/arkProject/HeavenShadow/HeavenShadow/PModuleFunc.h
new file mode 100644
index 0000000..6b873c8
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/PModuleFunc.h
@@ -0,0 +1,29 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+#include "ProcessFunc.h"
+
+typedef struct _PROCESSMODULE_INFO
+{
+	ULONG_PTR	ulBase;
+	ULONG_PTR	ulSize;
+	ULONG_PTR	ulEntryPoint;
+	CHAR	    szPath[264];
+} PROCESSMODULE_INFO,*PPROCESSMODULE_INFO;
+
+
+VOID HsInitPModuleDetailList(CListCtrl *m_ListCtrl);
+
+
+BOOL EnableDebugPri64();
+
+
+BOOL EnableDebugPri32();
+
+
+ULONG_PTR EnumProcessModule(_PROCESSMODULE_INFO* mi);
+
+
+VOID HsLoadPModuleDetailList(CListCtrl *m_ListCtrl);
diff --git a/arkProject/HeavenShadow/HeavenShadow/PrivilegeFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/PrivilegeFunc.cpp
new file mode 100644
index 0000000..7f022f3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/PrivilegeFunc.cpp
@@ -0,0 +1,248 @@
+#include "stdafx.h"
+#include "PrivilegeFunc.h"
+#include "Common.h"
+
+#include "resource.h"
+
+extern HANDLE g_hDevice;
+
+extern ULONG_PTR g_ulProcessId;
+
+typedef struct _PRIVILEGE_DATA_
+{
+	ULONG_PTR  ProcessID;
+	TOKEN_PRIVILEGES TokenPrivileges;
+}PRIVILEGEDATA, *PPRIVILEGEDATA;
+
+
+
+COLUMNSTRUCT g_Column_Privilege[] = 
+{
+	{	L"È¨ÏÞÃû³Æ",			170	},
+	{	L"È¨ÏÞÃèÊö",			200	},
+	{	L"È¨ÏÞ×´Ì¬",			150	}
+};
+
+UINT g_Column_Privilege_Count  = 3;	  //½ø³ÌÁÐ±íÁÐÊý
+
+
+
+extern int dpix;
+extern int dpiy;
+
+
+
+void HsInitPrivilegeList(CMyList *m_ListCtrl)
+{
+
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_Privilege_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_Privilege[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Privilege[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+
+VOID
+HsQueryProcessPrivilege(CMyList *m_ListCtrl)
+{
+
+	ULONG_PTR  ProcessID = g_ulProcessId;
+
+	ULONG dwReturnSize = 0;
+	ULONG dwRet = 0;
+
+	PVOID Temp = NULL;
+	ULONG nSize = 1000;
+
+	if (ProcessID == 0)
+	{
+		return;
+	}
+
+	m_ListCtrl->DeleteAllItems();
+
+	Temp = (PTOKEN_PRIVILEGES)malloc(sizeof(char)*nSize);
+	if (!Temp)
+	{
+		return;
+	}
+
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSPRIVILEGE),
+		&ProcessID,
+		sizeof(ULONG_PTR),
+		Temp,
+		nSize,
+		&dwReturnSize,
+		NULL);
+
+	if (dwRet && ((PTOKEN_PRIVILEGES)Temp)->PrivilegeCount > 0)
+	{
+		for (ULONG i = 0; i <((PTOKEN_PRIVILEGES)Temp)->PrivilegeCount;i++)
+		{
+			WCHAR PrivilegeName[MAX_PATH] = {0};
+			WCHAR DisplayName[MAX_PATH] = {0};
+			DWORD LanguageId = 0;
+			DWORD dwRet1 = MAX_PATH;
+			DWORD dwRet2 = MAX_PATH;
+
+			LookupPrivilegeName(NULL, &((PTOKEN_PRIVILEGES)Temp)->Privileges[i].Luid, PrivilegeName, &dwRet1);
+			LookupPrivilegeDisplayName(NULL,PrivilegeName,DisplayName,&dwRet2,&LanguageId);
+
+
+			printf("%S\r\n",PrivilegeName);
+			wprintf(L"%s",DisplayName);
+
+			if (wcslen(PrivilegeName) == 0)
+			{
+				break;
+			}
+
+			m_ListCtrl->InsertItem(i, PrivilegeName);
+
+			m_ListCtrl->SetItemText(i,1,DisplayName);
+
+			if (((PTOKEN_PRIVILEGES)Temp)->Privileges[i].Attributes & 1)
+			{
+				//printf("\t\tDefault Enabled");
+				m_ListCtrl->SetItemText(i,2,L"Default Enabled");
+			}
+			else if ( ((PTOKEN_PRIVILEGES)Temp)->Privileges[i].Attributes & 2 )
+			{
+				//printf("\t\tEnabled");
+				m_ListCtrl->SetItemText(i,2,L"Enabled");
+			}
+			else
+			{
+				//printf("\t\tDisabled");
+				m_ListCtrl->SetItemText(i,2,L"Disabled");
+			}
+		}
+	}
+
+
+	//·¢ËÍIO ¿ØÖÆÂë
+
+	if (dwRet==0)
+	{
+		//cout<<"Send IoCode Error"<<endl;
+	}
+	if (Temp!=NULL)
+	{
+		free(Temp);
+	}
+
+	return;
+}
+
+
+
+//È¨ÏÞ½çÃæµ¯³ö²Ëµ¥
+VOID HsProcessPrivilegePopupMenu(CMyList *m_ListCtrl, CWnd* parent)
+{
+	CMenu	popup;
+	popup.LoadMenu(IDR_MENU_PROCESS_PRIVILEGE);		//¼ÓÔØ²Ëµ¥×ÊÔ´
+	CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+	CPoint	p;
+	GetCursorPos(&p);
+	int	count = pM->GetMenuItemCount();
+	if (m_ListCtrl->GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+	{ 
+		for (int i = 0;i<count;i++)
+		{
+			pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+		}
+	}
+	else
+	{
+		POSITION pos = m_ListCtrl->GetFirstSelectedItemPosition();
+
+		while(pos)
+		{
+			int iItem = m_ListCtrl->GetNextSelectedItem(pos);
+
+			if (_wcsnicmp(m_ListCtrl->GetItemText(iItem,2),L"Default Enabled",15) == 0)
+			{
+				for (int i = 1;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+			else if (_wcsnicmp(m_ListCtrl->GetItemText(iItem,2),L"Enabled",7) == 0)
+			{
+				pM->CheckMenuRadioItem(2,3,2, MF_BYPOSITION | MF_CHECKED);
+			}
+			else
+			{
+				pM->CheckMenuRadioItem(2,3,3, MF_BYPOSITION | MF_CHECKED);
+			}
+		}
+	}
+	pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, parent);
+}
+
+
+
+BOOL HsAdjustPrivilege(ULONG_PTR ProcessID, WCHAR* PrivilegeName, BOOL bIsEnable)
+{
+
+	PRIVILEGEDATA PrivilegeData = {0};
+	TOKEN_PRIVILEGES TokenPrivileges;
+	TokenPrivileges.PrivilegeCount = 1;
+
+
+	if (LookupPrivilegeValueW(NULL, PrivilegeName, &TokenPrivileges.Privileges[0].Luid))
+	{
+		if (bIsEnable)
+		{
+			TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+		}
+		else
+		{
+
+			TokenPrivileges.Privileges[0].Attributes = 0;
+		}
+
+
+		//ÏòÇý¶¯·¢ËÍÏûÏ¢
+
+		PrivilegeData.ProcessID = ProcessID;
+		PrivilegeData.TokenPrivileges = TokenPrivileges;
+
+
+		if (g_hDevice==NULL)
+		{
+			return FALSE;
+		}
+
+		ULONG dwReturnSize = 0;
+		ULONG dwRet = 0;
+
+		BOOL bFeedback = FALSE;
+
+
+		dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PRIVILEGE_ADJUST),
+			&PrivilegeData,
+			sizeof(PRIVILEGEDATA),
+			&bFeedback,
+			sizeof(BOOL),
+			&dwReturnSize,
+			NULL);
+
+		//·¢ËÍIO ¿ØÖÆÂë
+
+
+		return bFeedback;
+	}
+
+	return FALSE;
+}
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/PrivilegeFunc.h b/arkProject/HeavenShadow/HeavenShadow/PrivilegeFunc.h
new file mode 100644
index 0000000..b706d3c
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/PrivilegeFunc.h
@@ -0,0 +1,20 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+
+
+
+
+
+VOID HsInitPrivilegeList(CMyList *m_ListCtrl);
+
+
+//²éÑ¯½ø³ÌÈ¨ÏÞ
+VOID HsQueryProcessPrivilege(CMyList *m_ListCtrl);
+
+VOID HsProcessPrivilegePopupMenu(CMyList *m_ListCtrl, CWnd* parent);
+
+//ÉèÖÃÆôÓÃÈ¨ÏÞ
+BOOL HsAdjustPrivilege(ULONG_PTR ProcessID, WCHAR* PrivilegeName, BOOL bIsEnable);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ProcessDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/ProcessDlg.cpp
new file mode 100644
index 0000000..e3c8df9
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ProcessDlg.cpp
@@ -0,0 +1,1061 @@
+// ProcessDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "ProcessDlg.h"
+#include "afxdialogex.h"
+#include "ProcessFunc.h"
+
+#include "HeavenShadowDlg.h"
+#include "Common.h"
+
+#include "ProcessViewDlg.h"
+#include "InjectFunc.h"
+
+#include <afxdb.h>             //×¢ÒâÕâÀïµÄÎÄ¼þÉùÃ÷
+#include <odbcinst.h>
+
+
+CWnd* g_process = NULL;
+
+
+extern HANDLE g_hDevice;
+extern BOOL bIsChecking;
+
+extern enum HS_ENUM_PROCVIEW_TYPE;
+
+
+int ResizeX = 0;
+int ResizeY = 0;
+
+extern int dpix;
+extern int dpiy;
+
+//////////////////////////////////////////////////////////////////////////
+//ÅÅÐò
+
+UINT sort_column;		//¼ÇÂ¼µã»÷µÄÁÐ
+BOOL method = TRUE;		//¼ÇÂ¼±È½Ï·½·¨
+
+//////////////////////////////////////////////////////////////////////////
+
+
+// CProcessDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CProcessDlg, CDialog)
+
+CProcessDlg::CProcessDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CProcessDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CProcessDlg::~CProcessDlg()
+{
+}
+
+void CProcessDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST_PROCESSLIST, m_ProcessList);
+}
+
+
+BEGIN_MESSAGE_MAP(CProcessDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+	ON_MESSAGE(HS_PROCESSDIG_SEND_INSERT,HsProcessDlgSendInsert)
+	ON_NOTIFY(LVN_COLUMNCLICK, IDC_LIST_PROCESSLIST, &CProcessDlg::OnColumnclickListProcesslist)
+	ON_NOTIFY(NM_RCLICK, IDC_LIST_PROCESSLIST, &CProcessDlg::OnRclickListProcesslist)
+	ON_COMMAND(ID_MENU_PROCESS_REFRESH, &CProcessDlg::OnMenuProcessRefresh)
+	ON_COMMAND(ID_MENU_PROCESS_KILLPROCESS, &CProcessDlg::OnMenuProcessKillprocess)
+	ON_COMMAND(ID_MENU_PROCESS_PROCESSTHREAD, &CProcessDlg::OnMenuProcessProcessthread)
+	ON_COMMAND(ID_MENU_PROCESS_COPYINFO, &CProcessDlg::OnMenuProcessCopyinfo)
+	ON_COMMAND(ID_MENU_PROCESS_ATTRIBUTE, &CProcessDlg::OnMenuProcessAttribute)
+	ON_COMMAND(ID_MENU_PROCESS_LOCATIONFILE, &CProcessDlg::OnMenuProcessLocationfile)
+	ON_COMMAND(ID_MENU_PROCESS_EXPORTTXT, &CProcessDlg::OnMenuProcessExporttxt)
+	ON_COMMAND(ID_MENU_PROCESS_EXPORTEXCEL, &CProcessDlg::OnMenuProcessExportexcel)
+	ON_COMMAND(ID_MENU_PROCESS_PROCESSPRIVILEGE, &CProcessDlg::OnMenuProcessProcessprivilege)
+	ON_COMMAND(ID_MENU_PROCESS_INJECTDLL, &CProcessDlg::OnMenuProcessInjectdll)
+	ON_COMMAND(ID_MENU_PROCESS_KILLMUST, &CProcessDlg::OnMenuProcessKillmust)
+	ON_COMMAND(ID_MENU_PROCESS_DETAIL, &CProcessDlg::OnMenuProcessDetail)
+	ON_COMMAND(ID_MENU_PROCESS_PROCESSHANDLE, &CProcessDlg::OnMenuProcessProcesshandle)
+	ON_COMMAND(ID_MENU_PROCESS_MEMORY, &CProcessDlg::OnMenuProcessMemory)
+	ON_COMMAND(ID_MENU_PROCESS_NEWRUN, &CProcessDlg::OnMenuProcessNewrun)
+	ON_NOTIFY(NM_DBLCLK, IDC_LIST_PROCESSLIST, &CProcessDlg::OnDblclkListProcesslist)
+	ON_COMMAND(ID_MENU_PROCESS_PROCESSWINDOW, &CProcessDlg::OnMenuProcessProcesswindow)
+	ON_COMMAND(ID_MENU_PROCESS_SUSPEND, &CProcessDlg::OnMenuProcessSuspend)
+	ON_COMMAND(ID_MENU_PROCESS_RECOVERY, &CProcessDlg::OnMenuProcessRecovery)
+	ON_COMMAND(ID_MENU_PROCESS_PROCESSMODULE, &CProcessDlg::OnMenuProcessProcessmodule)
+	ON_WM_SIZE()
+	ON_NOTIFY(NM_CUSTOMDRAW, IDC_LIST_PROCESSLIST, &CProcessDlg::OnNMCustomdrawListProcesslist)
+END_MESSAGE_MAP()
+
+
+// CProcessDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+void CProcessDlg::OnBnClickedButtonTest()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+	MessageBox(L"½ø³Ì¶Ô»°¿ò",L"½ø³Ì¶Ô»°¿ò");
+}
+
+
+void CProcessDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+}
+
+
+BOOL CProcessDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	g_process = this;
+
+	UINT uIconSize = 20;
+
+	uIconSize *= (UINT)(dpix/96.0);
+
+	m_TreeImageList.Create(uIconSize, uIconSize, ILC_COLOR32 | ILC_MASK, 2, 2);
+	
+	ListView_SetImageList(m_ProcessList.m_hWnd, m_TreeImageList.GetSafeHandle(), LVSIL_SMALL); 
+	
+	//m_ProcessList.SetImageList(&m_TreeImageList, LVSIL_SMALL);
+
+	HsInitList();
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+
+void CProcessDlg::HsInitList(void)
+{
+	HsInitProcessList((CMyList*)&m_ProcessList);
+	
+	//m_ProcessList.SetSelectedColumn(1);
+}
+
+void CProcessDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	//////////////////////////////////////////////////////////////////////////
+	
+	if (bShow == TRUE)
+	{
+		m_ProcessList.MoveWindow(0,0,ResizeX,ResizeY);
+
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_PROCESS;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnProc.EnableWindow(FALSE);
+
+		HsLoadProcessList();
+
+		HsSendStatusTip(L"½ø³Ì");
+
+		m_ProcessList.SetFocus();
+	}
+}
+
+
+
+void CProcessDlg::OnColumnclickListProcesslist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMLISTVIEW pNMLV = reinterpret_cast<LPNMLISTVIEW>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	int nItemCount;
+	
+	nItemCount = m_ProcessList.GetItemCount();
+
+	sort_column=pNMLV->iSubItem;//µã»÷µÄÁÐ
+
+	m_ProcessList.SetSelectedColumn(sort_column);
+
+	for(int i=0;i<nItemCount;i++) m_ProcessList.SetItemData(i,i);//Ã¿ÐÐµÄ±È½Ï¹Ø¼ü×Ö£¬´Ë´¦ÎªÁÐÐòºÅ£¨µã»÷µÄÁÐºÅ£©£¬¿ÉÒÔÉèÖÃÎªÆäËû ±È½Ïº¯ÊýµÄµÚÒ»¶þ¸ö²ÎÊý
+
+	m_ProcessList.SortItems(HsProcessListCompareProc,(DWORD_PTR)&m_ProcessList);//ÅÅÐò µÚ¶þ¸ö²ÎÊýÊÇ±È½Ïº¯ÊýµÄµÚÈý¸ö²ÎÊý
+
+	if (method)
+	{
+		method = FALSE;
+	}
+	else
+	{
+		method = TRUE;
+	}
+
+	for (int i = 0; i < nItemCount; i++)
+	{
+		if (_wcsnicmp(
+			m_ProcessList.GetItemText(i,HS_PROCESS_COLUMN_COMPANY),
+			L"Microsoft Corporation",
+			wcslen(L"Microsoft Corporation"))==0
+			)
+		{
+			m_ProcessList.SetItemData(i,1);
+		}
+	}
+
+	*pResult = 0;
+}
+
+
+void CProcessDlg::HsLoadProcessList(void) //¼ÓÔØÁÐ±í
+{
+
+	if (bIsChecking == FALSE)
+	{
+		bIsChecking = TRUE;
+
+		while(m_TreeImageList.Remove(0));
+
+		m_ProcessList.DeleteAllItems();
+
+		m_ProcessList.SetSelectedColumn(-1);
+
+		HsSendStatusDetail(L"½ø³ÌÁÐ±íÕýÔÚ¼ÓÔØ¡£");
+		
+		CloseHandle(
+ 			CreateThread(NULL,0, 
+ 			(LPTHREAD_START_ROUTINE)HsQueryProcessFunction,&m_ProcessList, 0,NULL)
+			);
+	}
+}
+
+
+
+
+
+
+
+void CProcessDlg::OnRclickListProcesslist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	CMenu	popup;
+	popup.LoadMenu(IDR_MENU_PROCESS);				//¼ÓÔØ²Ëµ¥×ÊÔ´
+	CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+	CPoint	p;
+	GetCursorPos(&p);
+	int	count = pM->GetMenuItemCount();
+	if (m_ProcessList.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+	{ 
+		for (int i = 0;i<count;i++)
+		{
+			pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+		}
+
+		pM->EnableMenuItem(ID_MENU_PROCESS_REFRESH, MF_BYCOMMAND | MF_ENABLED);
+	}
+
+	pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+
+	*pResult = 0;
+}
+
+
+void CProcessDlg::OnMenuProcessRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	HsLoadProcessList();
+}
+
+
+
+
+
+void CProcessDlg::OnMenuProcessKillprocess()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	if (bIsChecking)
+	{
+		return;
+	}
+
+	if (MessageBox(L"È·¶¨Òª½áÊø¸Ã½ø³ÌÂð£¿",L"ÌìÓ°ÎÀÊ¿",MB_YESNO) == IDYES)
+	{
+		bIsChecking = TRUE;
+
+		POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
+
+		while (pos)
+		{
+			int nItem = m_ProcessList.GetNextSelectedItem(pos);
+
+			DWORD_PTR ulPid = _ttoi(m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_PID).GetBuffer());
+
+			if (ulPid == 0 || ulPid == 4)
+			{
+				MessageBox(L"½ø³Ì¹Ø±ÕÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",0);
+				return;
+			}
+
+			HsDebugPrivilege(SE_DEBUG_NAME, TRUE);
+
+			HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | PROCESS_VM_OPERATION, TRUE, (DWORD)ulPid);
+
+			BOOL bIsSuccess = TerminateProcess(hProcess,0);
+
+			HsDebugPrivilege(SE_DEBUG_NAME, FALSE);
+
+			if (bIsSuccess == FALSE)
+			{
+				MessageBox(L"¹Ø±Õ½ø³ÌÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",0);
+			}
+			else
+			{
+				m_ProcessList.DeleteItem(nItem);
+			}
+
+			CloseHandle(hProcess);
+		}
+		
+		bIsChecking = FALSE;
+	}
+
+}
+
+
+
+// void CProcessDlg::HsQuaryProcessThread(ULONG_PTR ulPid)
+// {
+// 	DWORD dwReturnSize = 0;
+// 	DWORD dwRet = 0;
+// 	//·¢ËÍIO ¿ØÖÆÂë
+// 
+// 
+// 
+// 	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSTHREAD),
+// 		(PVOID)&ulPid,
+// 		sizeof(ULONG_PTR),
+// 		NULL,
+// 		0,
+// 		&dwReturnSize,
+// 		NULL);
+// 
+// 	if (dwRet==0)
+// 	{
+// 		WCHAR *temp = L"ÓëÄÚºË²ãÍ¨ÐÅÒì³£¡£";
+// 		::SendMessageW(m_wParent->m_hWnd,HS_MESSAGE_STATUSDETAIL,NULL,(LPARAM)temp);
+// 
+// 		return;
+// 	}
+// }
+
+
+
+BOOL CProcessDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	if (pMsg->message==WM_KEYDOWN && pMsg->wParam==VK_F5)
+	{
+		OnMenuProcessRefresh();
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+void CProcessDlg::OnMenuProcessCopyinfo()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
+
+	while(pos)
+	{
+		int iItem = m_ProcessList.GetNextSelectedItem(pos);
+
+		CStringA(csProcInfo);
+		csProcInfo = "Ó³ÏñÃû³Æ: ";
+		csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_NAME);
+		csProcInfo += "  ½ø³ÌID: ";
+		csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_PID);
+		csProcInfo += "  ¸¸½ø³ÌID: ";
+		csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_PPID);
+		csProcInfo += "  Ó³ÏñÂ·¾¶: ";
+		csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_PATH);
+		csProcInfo += "  EPROCESS: ";
+		csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_EPROCESS);
+		csProcInfo += "  Ó¦ÓÃ²ã·ÃÎÊ: ";
+		csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_USERACCESS);
+		csProcInfo += "  ÎÄ¼þ³§ÉÌ: ";
+		if (m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_COMPANY).GetLength()>0)
+		{
+			csProcInfo += m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_COMPANY);
+		}
+
+		if(::OpenClipboard(NULL))
+		{
+			HGLOBAL hmem=GlobalAlloc(GHND,csProcInfo.GetLength()+1);
+			char *pmem=(char*)GlobalLock(hmem);
+
+			EmptyClipboard();
+			memcpy(pmem,csProcInfo.GetBuffer(),csProcInfo.GetLength()+1);
+			SetClipboardData(CF_TEXT,hmem);
+			CloseClipboard();
+			GlobalFree(hmem); 
+		}
+	}
+}
+
+
+
+void CProcessDlg::OnMenuProcessAttribute()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
+
+	while(pos)
+	{
+		int iItem = m_ProcessList.GetNextSelectedItem(pos);
+
+		CString csFilePath = m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_PATH);
+
+		HsCheckAttribute(csFilePath);
+	}
+}
+
+
+void CProcessDlg::OnMenuProcessLocationfile()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
+
+	while(pos)
+	{
+		int iItem = m_ProcessList.GetNextSelectedItem(pos);
+
+		CString csFilePath = m_ProcessList.GetItemText(iItem,HS_PROCESS_COLUMN_PATH);
+
+		HsLocationExplorer(csFilePath);
+	}
+}
+
+
+void CProcessDlg::OnMenuProcessExporttxt()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	
+	if (m_ProcessList.GetItemCount () > 0) 
+	{ 
+		CString strFile; 
+
+		if (!HsGetDefaultTextFileName(strFile))
+			return;
+
+		CFile File;
+
+		TRY
+		{
+			if (File.Open(strFile, CFile::modeCreate | CFile::modeWrite | CFile::modeNoTruncate, NULL))
+			{
+				int i = 0;
+				LVCOLUMN columnData;
+				CString  columnName;
+				int      columnNum = 0;
+				CString  strCloumn;
+				CHAR  szColumn[0x1000] = {0};
+				WCHAR wzColumn[0x1000] = {0};
+
+				columnData.mask = LVCF_TEXT;
+				columnData.cchTextMax = 100;
+				columnData.pszText = columnName.GetBuffer(100);
+
+				for(i = 0;m_ProcessList.GetColumn(i,&columnData); i++)
+				{
+					strCloumn = strCloumn + columnData.pszText + L"  |  ";
+				}
+
+				strCloumn += "\r\n";
+				ULONG  nLenTemp = strCloumn.GetLength();
+				wcsncpy_s(wzColumn,0x1000,strCloumn.GetBuffer(),nLenTemp);
+				strCloumn.ReleaseBuffer();
+				WideCharToMultiByte(CP_ACP,0,wzColumn,-1,szColumn,0x1000,NULL,NULL);
+				File.Write(szColumn,(UINT)strlen(szColumn));  
+
+				columnName.ReleaseBuffer();
+				columnNum = i;
+
+				//ÉÏÃæÊÇÈ¡³öShowList µÄ±êÌâ
+
+
+				for (int nItemIndex = 0; nItemIndex <m_ProcessList.GetItemCount(); nItemIndex++)
+				{
+					CHAR  szColumn[0x1000]  = {0};
+					WCHAR wzColumn[0x1000] = {0};
+					CString strItem;
+
+					for( i = 0; i < columnNum; i++)
+					{
+						strItem = strItem + m_ProcessList.GetItemText(nItemIndex,i) + L"  |  ";
+					}
+
+					strItem += "\r\n";
+					nLenTemp = strItem.GetLength();
+					wcsncpy_s(wzColumn,0x1000,strItem.GetBuffer(),nLenTemp);
+					strItem.ReleaseBuffer();
+					WideCharToMultiByte(CP_ACP,0,wzColumn,-1,szColumn,0x1000,NULL,NULL);
+					File.Write(szColumn, (UINT)strlen(szColumn));  
+				}
+
+				File.Close();
+			}
+		}
+		CATCH_ALL(e)
+		{
+			File.Abort();  
+		}
+		END_CATCH_ALL
+
+
+		if ( PathFileExists(strFile))
+		{
+			ShellExecuteW(NULL, L"open", strFile, NULL, NULL, SW_SHOW);
+		}
+		else
+		{
+			::MessageBox(NULL, L"µ¼³öµ½ÎÄ±¾ÎÄ¼þÊ§°Ü¡£", L"ÌìÓ°ÎÀÊ¿", MB_OK | MB_ICONERROR);
+		}
+	}
+}
+
+
+void CProcessDlg::OnMenuProcessExportexcel()
+{
+// 	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+// 
+// 	BOOL bOk = FALSE;
+// 
+// 	CString strEnd = L"Ã¶¾ÙÍê±Ï";
+// 
+// 	if (m_ProcessList.GetItemCount () > 0) 
+// 	{ 
+// 		CDatabase DataBase;
+// 		CString   strDriver;
+// 		CString   strExcelFile; 
+// 		CString   strSql;
+// 		CString   TableName = L"HeavenShadow";
+// 		strDriver = HsGetExcelDriver();
+// 		if (strDriver.IsEmpty())
+// 		{
+// 			::MessageBox(NULL, L"Ã»ÓÐ°²×°Excel!\nÇëÏÈ°²×°ExcelÈí¼þ²ÅÄÜÊ¹ÓÃµ¼³ö¹¦ÄÜ!", L"µ¼³ö", MB_OK | MB_ICONERROR);
+// 			return;
+// 		}
+//
+// 		if (!HsGetDefaultExcelFileName(strExcelFile))
+// 		{
+// 			return;
+// 		}
+// 
+// 		strSql.Format(L"DRIVER={%s};DSN='';FIRSTROWHASNAMES=1;READONLY=FALSE;CREATE_DB=\"%s\";DBQ=%s", strDriver, strExcelFile, strExcelFile);
+// 
+// 		if(DataBase.OpenEx(strSql, CDatabase::noOdbcDialog))
+// 		{
+// 			int i;
+// 			LVCOLUMN columnData;
+// 			CString columnName;
+// 			int columnNum = 0;
+// 			CString strH;
+// 			CString strV;
+// 
+// 			strSql = L"";
+// 			strH = L"";
+// 			columnData.mask = LVCF_TEXT;
+// 			columnData.cchTextMax = 100;
+// 			columnData.pszText = columnName.GetBuffer(100);
+// 
+// 			for(i = 0; m_ProcessList.GetColumn(i, &columnData); i++)
+// 			{
+// 				if (i != 0)
+// 				{
+// 					strSql = strSql + L", " ;
+// 					strH = strH + L", " ;
+// 				}
+// 
+// 				strSql = strSql + L" " + L"[" + columnData.pszText + L"]" + L" TEXT";
+// 				strH = strH + L" " + L"[" + columnData.pszText + L"]" + L" ";
+// 			}
+// 
+// 			columnName.ReleaseBuffer();
+// 			columnNum = i;
+// 
+// 			strSql = L"CREATE TABLE " +TableName + L" ( " + strSql +   L" ) ";
+// 			DataBase.ExecuteSQL(strSql);
+// 
+// 			for (int nItemIndex = 0; nItemIndex < m_ProcessList.GetItemCount(); nItemIndex++)
+// 			{
+// 				strV = L"";
+// 				for( i = 0; i < columnNum; i++)
+// 				{
+// 					if (i != 0)
+// 					{
+// 						strV = strV + L", " ;
+// 					}
+// 
+// 					strV = strV + L" '" + m_ProcessList.GetItemText(nItemIndex, i) + L"' ";
+// 				}
+// 
+// 				strSql = L"INSERT INTO "+ TableName + L" ("+ strH + L")" + L" VALUES("+ strV + L")";
+// 				DataBase.ExecuteSQL(strSql);
+// 			}
+// 
+// 			strV = L"";
+// 			for( i = 0; i < columnNum; i++)
+// 			{
+// 				if (i != 0)
+// 				{
+// 					strV = strV + L", " ;
+// 				}
+// 
+// 				strV = strV + L" '" + L" " + L"' ";
+// 			}
+// 
+// 			strSql = L"INSERT INTO "+ TableName + L" ("+ strH + L")" + L" VALUES("+ strV + L")";
+// 			DataBase.ExecuteSQL(strSql);
+// 
+// 			strV = L" ";
+// 			strV = strV + L" '" + strEnd + L"' ";
+// 
+// 			for( i = 1; i < columnNum; i++)
+// 			{
+// 				strV = strV + L", " ;
+// 				strV = strV + L" '" + L" " + L"' ";
+// 			}
+// 
+// 			strSql = L"INSERT INTO "+ TableName + L" ("+ strH + L")" + L" VALUES("+ strV + L")";
+// 			DataBase.ExecuteSQL(strSql);
+// 
+// 			bOk = TRUE;
+// 		}      
+// 
+// 		DataBase.Close();
+// 
+// 		if ( bOk && PathFileExists(strExcelFile) )
+// 		{
+// 			ShellExecuteW(NULL,L"open",strExcelFile,NULL,NULL,SW_SHOW);
+// 		}
+// 		else
+// 		{
+// 			::MessageBox(NULL,L"µ¼³öµ½ExcelÎÄ¼þÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",MB_OK | MB_ICONERROR);
+// 		}
+// 	}
+}
+
+
+
+
+
+
+//ÅÅÐò±È½Ïº¯Êý
+static int CALLBACK HsProcessListCompareProc(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort)
+{
+
+	//´Ó²ÎÊýÖÐÌáÈ¡ËùÐè±È½ÏlcµÄÁ½ÐÐÊý¾Ý
+
+	int row1=(int) lParam1;
+	int row2=(int) lParam2;
+
+	CListCtrl*lc=(CListCtrl*)lParamSort;
+
+	CString lp1=lc->GetItemText(row1,sort_column);
+	CString lp2=lc->GetItemText(row2,sort_column);
+
+
+	//±È½Ï£¬¶Ô²»Í¬µÄÁÐ£¬²»Í¬±È½Ï£¬×¢Òâ¼ÇÂ¼Ç°Ò»´ÎÅÅÐò·½Ïò£¬ÏÂÒ»´ÎÒªÏà·´ÅÅÐò
+
+	if (sort_column == HS_PROCESS_COLUMN_PID ||
+		sort_column == HS_PROCESS_COLUMN_PPID)
+	{
+		// intÐÍ±È½Ï
+		if (method)
+			return _ttoi(lp1)-_ttoi(lp2);
+		else
+			return _ttoi(lp2)-_ttoi(lp1);
+	}
+	else if (sort_column == HS_PROCESS_COLUMN_EPROCESS)
+	{
+		if (method)
+		{
+			ULONG_PTR nlp1 = 0, nlp2 = 0;
+
+			lp1 = lp1.GetBuffer()+2;
+			lp2 = lp2.GetBuffer()+2;
+
+			swscanf_s(lp1.GetBuffer(),L"%P",&nlp1);
+			swscanf_s(lp2.GetBuffer(),L"%P",&nlp2);
+			return (int)(nlp1 - nlp2);
+		}
+		else
+		{
+			int nlp1 = 0, nlp2 = 0;
+			lp1 = lp1.GetBuffer()+2;
+			lp2 = lp2.GetBuffer()+2;
+			swscanf_s(lp1.GetBuffer(),L"%X",&nlp1);
+			swscanf_s(lp2.GetBuffer(),L"%X",&nlp2);
+			return nlp2 - nlp1;
+		}
+	}
+	else
+	{
+		// ÎÄ×ÖÐÍ±È½Ï
+		if(method)
+			return lp1.CompareNoCase(lp2);
+		else
+			return lp2.CompareNoCase(lp1);
+	}
+
+	return 0;
+}
+
+
+void CProcessDlg::OnMenuProcessInjectdll()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsRemoteThreadInjectDll,&m_ProcessList, 0,NULL)
+		);
+
+}
+
+
+void CProcessDlg::OnMenuProcessKillmust()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	if (bIsChecking)
+	{
+		return;
+	}
+
+	if (MessageBox(L"Ç¿ÖÆ¹Ø±Õ½ø³ÌµÄ²Ù×÷ÓÐ·çÏÕ£¬Çë½÷É÷²Ù×÷¡£\r\nÈ·¶¨Òª½áÊø¸Ã½ø³ÌÂð£¿",L"ÌìÓ°ÎÀÊ¿",MB_YESNO) == IDNO)
+	{
+		return;
+	}
+
+// 	CreateThread(NULL,0, 
+// 		(LPTHREAD_START_ROUTINE)HsKillProcessByForce,(CMyList*)&m_ProcessList, 0,NULL);
+
+	bIsChecking = TRUE;
+
+	HsKillProcessByForce((CMyList*)&m_ProcessList);
+
+	bIsChecking = FALSE;
+
+}
+
+
+
+
+
+
+void CProcessDlg::OnMenuProcessProcessthread()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	//HsQuaryProcessThread(ulPid);
+
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_THREAD);
+
+}
+
+void CProcessDlg::OnMenuProcessProcessprivilege()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_PRIVILEGE);
+}
+
+
+void CProcessDlg::OnMenuProcessDetail()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_DETAIL);
+}
+
+
+void CProcessDlg::HsOpenProcessViewDlg(int nViewType)
+{
+	POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
+
+	while(pos)
+	{
+		int nItem = m_ProcessList.GetNextSelectedItem(pos);
+
+		ULONG_PTR ulPid = _ttoi(m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_PID).GetBuffer());
+		ULONG_PTR ulPPid = _ttoi(m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_PPID).GetBuffer());
+
+		CString ProcessEProcess = m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_EPROCESS);
+
+		ProcessEProcess = ProcessEProcess.GetBuffer()+2;
+
+		ULONG_PTR ulEProcess = 0;
+
+		swscanf_s(ProcessEProcess.GetBuffer(),L"%P",&ulEProcess);
+
+
+		HSPROCESSINFO hsProcInfo = {0};
+
+		hsProcInfo.Pid = ulPid;
+		hsProcInfo.PPid = ulPPid;
+		hsProcInfo.Eprocess = ulEProcess;
+
+		if (_wcsnicmp(m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_COMPANY).GetBuffer(),L"¾Ü¾ø",wcslen(L"¾Ü¾ø")) == 0)
+		{
+			hsProcInfo.UserAccess = FALSE;
+		}
+		else
+		{
+			hsProcInfo.UserAccess = TRUE;
+		}
+
+		StringCchCopyW(hsProcInfo.CompanyName,
+			m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_COMPANY).GetLength()+1,
+			m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_COMPANY).GetBuffer());
+		StringCchCopyW(hsProcInfo.Name,
+			m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_NAME).GetLength()+1,
+			m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_NAME).GetBuffer());
+		StringCchCopyW(hsProcInfo.Path,
+			m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_PATH).GetLength()+1,
+			m_ProcessList.GetItemText(nItem,HS_PROCESS_COLUMN_PATH).GetBuffer());
+
+		CProcessViewDlg* dlg = new CProcessViewDlg(nViewType,&hsProcInfo,this);
+		dlg->DoModal();
+	}
+}
+
+
+
+LRESULT CProcessDlg::HsProcessDlgSendInsert(WPARAM wParam, LPARAM lParam)
+{
+	PHSPROCESSINFO* hsProcItem = (PHSPROCESSINFO*)lParam;
+
+	CString Name = NULL;
+	CString Pid = NULL;
+	CString PPid = NULL;
+	CString Path = NULL;
+	CString EProcess = NULL;
+	CString UserAccess = NULL;
+	CString CompanyName = NULL;
+
+	ULONG ulItem = m_ProcessList.GetItemCount();
+
+	WCHAR tempdir[100];
+	GetEnvironmentVariableW(L"windir",tempdir,100);
+
+
+	Name = (*hsProcItem)->Name;
+	Pid.Format(L"%d",(*hsProcItem)->Pid);
+
+	if ((*hsProcItem)->PPid == 0xffffffff)
+	{
+		PPid = L"-";
+	}
+	else
+	{
+		PPid.Format(L"%d",(*hsProcItem)->PPid);
+	}
+
+	Path = (*hsProcItem)->Path;
+
+	EProcess.Format(L"0x%p",(*hsProcItem)->Eprocess);
+
+	if ((*hsProcItem)->UserAccess == TRUE)
+	{
+		UserAccess = L"ÔÊÐí";
+	}
+	else
+	{
+		UserAccess = L"¾Ü¾ø";
+	}
+
+	CompanyName = (*hsProcItem)->CompanyName;
+
+	AddProcessFileIcon(Path.GetBuffer());
+
+	m_ProcessList.InsertItem(ulItem,Name,ulItem);
+	m_ProcessList.SetItemText(ulItem,HS_PROCESS_COLUMN_PID,Pid);
+	m_ProcessList.SetItemText(ulItem,HS_PROCESS_COLUMN_PPID,PPid);
+	m_ProcessList.SetItemText(ulItem,HS_PROCESS_COLUMN_PATH,Path);
+	m_ProcessList.SetItemText(ulItem,HS_PROCESS_COLUMN_EPROCESS,EProcess);
+	m_ProcessList.SetItemText(ulItem,HS_PROCESS_COLUMN_USERACCESS,UserAccess);
+	m_ProcessList.SetItemText(ulItem,HS_PROCESS_COLUMN_COMPANY,CompanyName);
+
+	if (_wcsnicmp(CompanyName,L"Microsoft Corporation", wcslen(L"Microsoft Corporation"))==0)
+	{
+		m_ProcessList.SetItemData(ulItem,1);
+	}
+
+
+	CToolTipCtrl ToolTipCtrl;
+
+	ToolTipCtrl.Create(this);
+	m_ProcessList.SetToolTips(&ToolTipCtrl);
+
+
+	return TRUE;
+}
+
+
+
+void CProcessDlg::OnMenuProcessProcesshandle()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_HANDLE);
+}
+
+void CProcessDlg::OnMenuProcessProcesswindow()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_WINDOW);
+}
+
+
+void CProcessDlg::OnMenuProcessProcessmodule()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_MODULE);
+}
+
+void CProcessDlg::OnMenuProcessMemory()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	HsOpenProcessViewDlg(HS_PROCVIEW_TYPE_MEMORY);
+}
+
+
+void CProcessDlg::OnMenuProcessNewrun()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	WCHAR wzFileFilter[] = L"Ó¦ÓÃ³ÌÐò (*.exe)\0*.exe\0";
+	WCHAR wzFileChoose[] = L"´ò¿ªÎÄ¼þ";
+
+
+	CFileDialog FileDlg(TRUE);
+	FileDlg.m_ofn.lpstrTitle  = wzFileChoose;
+	FileDlg.m_ofn.lpstrFilter = wzFileFilter;
+
+	if (IDOK != FileDlg.DoModal())
+	{
+		return;
+	}
+
+	CString ExePath = FileDlg.GetPathName();
+
+	ShellExecuteW(NULL, L"open", ExePath, L"", L"", SW_SHOW);
+}
+
+
+
+void CProcessDlg::AddProcessFileIcon(WCHAR* ProcessPath)
+{
+	SHFILEINFO shInfo;
+	memset(&shInfo, 0, sizeof(shInfo));
+	SHGetFileInfo(ProcessPath, FILE_ATTRIBUTE_NORMAL, 
+		&shInfo, sizeof(SHFILEINFO), SHGFI_ICON | SHGFI_USEFILEATTRIBUTES);
+
+	HICON  hIcon = shInfo.hIcon;
+
+	m_TreeImageList.Add(hIcon);
+}
+
+void CProcessDlg::OnDblclkListProcesslist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	OnMenuProcessDetail();
+
+	*pResult = 0;
+}
+
+
+
+
+
+void CProcessDlg::OnMenuProcessSuspend()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+}
+
+
+void CProcessDlg::OnMenuProcessRecovery()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+}
+
+
+
+
+void CProcessDlg::OnSize(UINT nType, int cx, int cy)
+{
+	CDialog::OnSize(nType, cx, cy);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	ResizeX = cx;
+	ResizeY = cy;
+}
+
+
+void CProcessDlg::OnNMCustomdrawListProcesslist(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	NMLVCUSTOMDRAW* pLVCD = reinterpret_cast<NMLVCUSTOMDRAW*>( pNMHDR );
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	*pResult = CDRF_DODEFAULT;
+
+	if ( CDDS_PREPAINT == pLVCD->nmcd.dwDrawStage )
+	{
+		*pResult = CDRF_NOTIFYITEMDRAW;
+	}
+	else if ( CDDS_ITEMPREPAINT == pLVCD->nmcd.dwDrawStage )
+	{
+		*pResult = CDRF_NOTIFYSUBITEMDRAW;
+	}
+	else if ( (CDDS_ITEMPREPAINT | CDDS_SUBITEM) == pLVCD->nmcd.dwDrawStage )
+	{
+		COLORREF clrNewTextColor, clrNewBkColor;
+		int bHooked = 0;
+		int nItem = static_cast<int>( pLVCD->nmcd.dwItemSpec );
+
+		clrNewTextColor = RGB( 0, 0, 0 );
+		clrNewBkColor = RGB( 255, 255, 255 );
+
+		bHooked = (int)m_ProcessList.GetItemData(nItem); 		
+		if (bHooked == 1)
+		{
+			clrNewTextColor = RGB( 0, 0, 255 );
+		}
+
+		pLVCD->clrText = clrNewTextColor;
+		pLVCD->clrTextBk = clrNewBkColor;
+
+		*pResult = CDRF_DODEFAULT;
+	}
+
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/ProcessDlg.h b/arkProject/HeavenShadow/HeavenShadow/ProcessDlg.h
new file mode 100644
index 0000000..a538caa
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ProcessDlg.h
@@ -0,0 +1,73 @@
+#pragma once
+
+#include "Common.h"
+#include "afxcmn.h"
+
+#include "MyList.h"
+
+
+// CProcessDlg ¶Ô»°¿ò
+
+class CProcessDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CProcessDlg)
+
+public:
+	CProcessDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CProcessDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_PROCESS };
+
+
+	//////////////////////////////////////////////////////////////////////////
+	void HsLoadProcessList(void);
+	void HsQuaryProcessThread(ULONG_PTR ProcessId);
+	void AddProcessFileIcon(WCHAR* ProcessPath);
+	LRESULT HsProcessDlgSendInsert(WPARAM wParam, LPARAM lParam);
+
+	CWnd* m_wParent;
+	CImageList m_TreeImageList;
+
+	CListCtrl m_ProcessList;
+
+	void CProcessDlg::HsInitList(void);
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnBnClickedButtonTest();
+	afx_msg void OnPaint();
+	virtual BOOL OnInitDialog();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	afx_msg void OnColumnclickListProcesslist(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnRclickListProcesslist(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuProcessRefresh();
+	afx_msg void OnMenuProcessKillprocess();
+	afx_msg void OnMenuProcessProcessthread();
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	afx_msg void OnMenuProcessCopyinfo();
+	afx_msg void OnMenuProcessAttribute();
+	afx_msg void OnMenuProcessLocationfile();
+	afx_msg void OnMenuProcessExporttxt();
+	afx_msg void OnMenuProcessExportexcel();
+	afx_msg void OnMenuProcessProcessprivilege();
+	afx_msg void OnMenuProcessInjectdll();
+	afx_msg void OnMenuProcessKillmust();
+	void HsOpenProcessViewDlg(int nViewType);
+	afx_msg void OnMenuProcessDetail();
+
+	afx_msg void OnMenuProcessProcesshandle();
+	afx_msg void OnMenuProcessMemory();
+	afx_msg void OnMenuProcessNewrun();
+	afx_msg void OnDblclkListProcesslist(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuProcessProcesswindow();
+	afx_msg void OnMenuProcessSuspend();
+	afx_msg void OnMenuProcessRecovery();
+	afx_msg void OnMenuProcessProcessmodule();
+	afx_msg void OnSize(UINT nType, int cx, int cy);
+	afx_msg void OnNMCustomdrawListProcesslist(NMHDR *pNMHDR, LRESULT *pResult);
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/ProcessFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/ProcessFunc.cpp
new file mode 100644
index 0000000..d5c06e9
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ProcessFunc.cpp
@@ -0,0 +1,696 @@
+#include "stdafx.h"
+#include "ProcessFunc.h"
+#include "Common.h"
+
+
+
+#include <afxdb.h>
+#include <odbcinst.h>
+
+#include <WinVer.h>
+
+#pragma comment(lib, "version.lib")
+
+extern BOOL bIsChecking;
+extern HANDLE g_hDevice;
+extern CWnd* g_process;
+extern CWnd* g_wParent;
+
+
+
+extern UINT sort_column;
+extern BOOL method;
+
+extern enum HS_PROCESSDIG_SEND_TYPE;
+
+int nProcCount = 0;
+
+
+COLUMNSTRUCT g_Column_Process[] = 
+{
+	{	L"Ó³ÏñÃû³Æ",			160	},
+	{	L"½ø³ÌID",			65	},
+	{	L"¸¸½ø³ÌID",			65	},
+	{	L"Ó³ÏñÂ·¾¶",			230	},
+	{	L"EPROCESS",		125	},
+	{	L"Ó¦ÓÃ²ã·ÃÎÊ",		75	},
+	{	L"ÎÄ¼þ³§ÉÌ",			122	}
+};
+
+UINT g_Column_Process_Count  = 7;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+//×Ô¶¨º¯Êý
+//////////////////////////////////////////////////////////////////////////
+
+
+void HsInitProcessList(CMyList *m_ListCtrl)
+{
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_Process_Count;i++)
+	{
+		if (i == HS_PROCESS_COLUMN_USERACCESS)
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Process[i].szTitle,LVCFMT_CENTER,(int)(g_Column_Process[i].nWidth*(dpix/96.0)));
+		}
+		else
+		{
+			m_ListCtrl->InsertColumn(i, g_Column_Process[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Process[i].nWidth*(dpix/96.0)));
+		}
+	}
+
+}
+
+
+
+ULONG_PTR
+HsQuerySystemProcessCount(CMyList *m_ListCtrl)
+{
+
+	ULONG_PTR dwReturnSize = 0;
+	ULONG_PTR dwRet = 0;
+
+	ULONG_PTR ulProcessCount = 0;
+
+	dwRet = DeviceIoControl(g_hDevice,
+		HS_IOCTL(HS_IOCTL_PROC_PROCESSCOUNT),
+		NULL,
+		0,
+		&ulProcessCount,
+		sizeof(ULONG_PTR),
+		(LPDWORD)&dwReturnSize,
+		NULL);
+
+	//·¢ËÍIO ¿ØÖÆÂë
+
+	if (dwRet==0)
+	{
+		//cout<<"Send IoCode Error"<<endl;
+	}
+
+	return ulProcessCount;
+}
+
+
+
+
+
+DWORD WINAPI HsQueryProcessFunction(CMyList *m_ListCtrl)
+{
+	bIsChecking = TRUE;
+
+	HsQueryProcessList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+	return 0;
+}
+
+
+void HsQueryProcessList(CMyList *m_ListCtrl)
+{
+	DWORD dwReturnSize = 0;
+	DWORD dwRet = 0;
+
+	//·¢ËÍIO ¿ØÖÆÂë
+	//PVOID hProcessList = NULL;
+
+	int ulItem = 0;	//½ø³Ì¼ÆÊý
+
+	ULONG_PTR ulPid = 0;
+
+	ulItem = 0;
+
+
+	//ULONG_PTR ulProcessCount = HsQuerySystemProcessCount(m_ListCtrl);
+
+	while(1)
+	{
+		TRY 
+		{
+			HSPROCESSINFO hsProcItem = {0};
+
+
+			dwRet = DeviceIoControl(g_hDevice,
+				HS_IOCTL(HS_IOCTL_PROC_PROCESSLIST),
+				&ulPid,
+				sizeof(ULONG_PTR),
+				&hsProcItem,
+				sizeof(HSPROCESSINFO),
+				&dwReturnSize,
+				NULL);
+
+			if (dwReturnSize==0)
+			{
+				break;
+			}
+			else
+			{
+				//·¢ËÍ×´Ì¬À¸ÏûÏ¢ÏìÓ¦
+				CString csStatusMsg;
+				csStatusMsg.Format(L"½ø³ÌÁÐ±íÕýÔÚ¼ÓÔØ¡£ ½ø³ÌÊý£º%d",ulItem);
+
+				HsSendStatusDetail(csStatusMsg.GetBuffer());
+			}
+
+			if (hsProcItem.Eprocess == 0||hsProcItem.Eprocess == NULL) 
+			{
+				break;
+			}
+
+			if ((_wcsnicmp(hsProcItem.Path,L"UnKnow",wcslen(L"UnKnow"))==0&&hsProcItem.Pid>4))
+			{
+				goto CONTINUE;
+			}
+
+			if (hsProcItem.Pid == 0)
+			{
+				StringCchCopyW(hsProcItem.Name,wcslen(L"System Idle Process")+1,L"System Idle Process");
+				StringCchCopyW(hsProcItem.Path,wcslen(L"System Idle Process")+1,L"System Idle Process");
+				hsProcItem.UserAccess = FALSE;
+				hsProcItem.PPid = 0xffffffff;
+				StringCchCopyW(hsProcItem.CompanyName,wcslen(L" ")+1,L" ");
+
+			}
+			else if (hsProcItem.Pid == 4)	//System½ø³Ì
+			{
+				StringCchCopyW(hsProcItem.Name,wcslen(L"System")+1,L"System");
+
+				WCHAR wzTempDir[260] = {0};
+				CString Temp;
+				GetEnvironmentVariableW(L"windir",wzTempDir,MAX_PATH);
+
+				Temp = wzTempDir;
+				Temp += L"\\System32\\ntoskrnl.exe";
+
+
+				StringCchCopyW(hsProcItem.Path,Temp.GetLength()+1,Temp.GetBuffer());
+				hsProcItem.UserAccess = FALSE;
+				hsProcItem.PPid = 0xffffffff;
+				StringCchCopyW(hsProcItem.CompanyName,
+					HsGetFileCompanyName(hsProcItem.Path).GetLength()+1,
+					HsGetFileCompanyName(hsProcItem.Path).GetBuffer());
+			}
+			else
+			{
+				WCHAR* szImageFileName = NULL;
+				szImageFileName = wcsrchr(hsProcItem.Path,'\\');
+				szImageFileName++;
+
+				StringCchCopyW(hsProcItem.Name,wcslen(szImageFileName)+1,szImageFileName);
+
+				hsProcItem.PPid = hsProcItem.PPid;
+
+				if (HsR3CanOpenProcess((DWORD)hsProcItem.Pid)==TRUE)
+				{
+					hsProcItem.UserAccess = TRUE;
+				}
+				else
+				{
+					hsProcItem.UserAccess = FALSE;
+				}
+				
+				CString Path, CompanyName;
+				Path = hsProcItem.Path;
+				CompanyName = HsGetFileCompanyName(Path);
+				if (CompanyName.GetLength() == 0)
+				{
+					CompanyName = L" ";
+				}
+
+				StringCchCopyW(hsProcItem.CompanyName,CompanyName.GetLength()+1,CompanyName.GetBuffer());
+
+				if (HsIs64BitWindows())
+				{
+					if (HsIs32BitFile(hsProcItem.Path) == TRUE)
+					{
+						CString Name;
+						Name = hsProcItem.Name;
+						Name += L" *32";
+						StringCchCopyW(hsProcItem.Name,Name.GetLength()+1,Name.GetBuffer());
+					}
+				}
+			}
+
+			hsProcItem.Pid = hsProcItem.Pid;
+
+			hsProcItem.Eprocess = hsProcItem.Eprocess;
+
+			//////////////////////////////////////////////////////////////////////////
+			// ¿ªÊ¼²åÈëÁÐ±í
+
+			PHSPROCESSINFO pHsProcessInfo = &hsProcItem;
+
+			::SendMessageW(g_process->m_hWnd,HS_PROCESSDIG_SEND_INSERT,sizeof(HSPROCESSINFO),(LPARAM)&pHsProcessInfo);
+
+			//²åÈëÁÐ±í½áÊø
+			//////////////////////////////////////////////////////////////////////////
+
+CONTINUE:
+
+
+			ulPid = hsProcItem.Pid + 4;
+
+			ulItem = ulItem + 1;
+
+		}
+		CATCH (CMemoryException, e)
+		{
+			
+		}
+		END_CATCH
+		
+	}
+	
+
+	bIsChecking = FALSE;
+
+	CString csStatusMsg;
+	csStatusMsg.Format(L"½ø³ÌÁÐ±í¼ÓÔØÍê³É¡£ ½ø³ÌÊý£º%d",ulItem);
+
+	HsSendStatusDetail(csStatusMsg.GetBuffer());
+
+	nProcCount = (int)ulItem;
+}
+
+
+
+
+
+CString HsGetFileCompanyName(CString strPath)
+{
+	CString strCompanyName = 0;;
+
+	if (strPath.IsEmpty())
+	{
+		return NULL;
+	}
+
+	if (!strPath.CompareNoCase(L"Idle") || !strPath.CompareNoCase(L"System"))
+	{
+		return NULL;
+	}
+
+	struct LANGANDCODEPAGE {
+		WORD wLanguage;
+		WORD wCodePage;
+	} *lpTranslate;
+
+	LPWSTR lpstrFilename = (LPWSTR)(LPCWSTR)strPath;
+	DWORD dwHandle = 0;
+	DWORD dwVerInfoSize = GetFileVersionInfoSize(lpstrFilename, &dwHandle);
+
+	if (dwVerInfoSize)
+	{
+		LPVOID Buffer = malloc(sizeof(char)*dwVerInfoSize);
+
+		if (Buffer)
+		{
+			if (GetFileVersionInfo(lpstrFilename, dwHandle, dwVerInfoSize, Buffer))
+			{
+				UINT cbTranslate = 0;
+
+				if ( VerQueryValue(Buffer, L"\\VarFileInfo\\Translation", (LPVOID*) &lpTranslate, &cbTranslate))
+				{                
+					LPCWSTR lpwszBlock = 0;          
+					UINT    cbSizeBuf  = 0;
+					WCHAR   wzSubBlock[MAX_PATH] = {0};
+
+					if ((cbTranslate/sizeof(struct LANGANDCODEPAGE)) > 0)   
+					{
+						StringCchPrintf(wzSubBlock, sizeof(wzSubBlock)/sizeof(WCHAR), 
+							L"\\StringFileInfo\\%04x%04x\\CompanyName", lpTranslate[0].wLanguage, lpTranslate[0].wCodePage); 
+					}
+
+					if ( VerQueryValue(Buffer, wzSubBlock, (LPVOID*)&lpwszBlock, &cbSizeBuf))
+					{
+						WCHAR wzCompanyName[MAX_PATH] = {0};
+
+						StringCchCopy(wzCompanyName, MAX_PATH/sizeof(WCHAR), (LPCWSTR)lpwszBlock);   //½«ÏµÍ³ÖÐÄÚ´æµÄÊý¾Ý¿½±´µ½ÎÒÃÇ×Ô¼ºÄÚ´æµ±ÖÐ
+						strCompanyName = wzCompanyName;
+					}
+				}
+			}
+
+			free(Buffer);
+		}
+	}
+
+	return strCompanyName;
+}
+
+
+
+BOOL __stdcall HsIs32BitFile(const WCHAR * pwszFullPath)
+{
+	FILE * peFile = NULL;
+	_wfopen_s(&peFile, pwszFullPath, L"rb");
+	if (peFile == NULL)
+	{
+		fclose(peFile);
+		return -1;
+	}
+
+	IMAGE_DOS_HEADER imageDosHeader;
+	fread(&imageDosHeader, sizeof(IMAGE_DOS_HEADER), 1, peFile);
+	if (imageDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
+	{
+		fclose(peFile);
+		return FALSE;
+	}
+
+	IMAGE_NT_HEADERS imageNtHeaders;
+	fseek(peFile, imageDosHeader.e_lfanew, SEEK_SET);
+	fread(&imageNtHeaders, sizeof(IMAGE_NT_HEADERS), 1, peFile);
+	fclose(peFile);
+	if (imageNtHeaders.Signature != IMAGE_NT_SIGNATURE)
+	{
+		return FALSE;
+	}
+
+	if (imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
+	{
+		return TRUE;
+	}
+// 	if (imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
+// 		imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
+// 	{
+// 		return FALSE;	//64BIT
+// 	}
+
+	return FALSE;
+}
+
+
+
+BOOL HsR3CanOpenProcess(DWORD dwPid)
+{
+	BOOL bOpen = TRUE;
+
+	HsDebugPrivilege(SE_DEBUG_NAME, TRUE);
+
+	HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | PROCESS_VM_OPERATION, TRUE, dwPid);
+
+	HsDebugPrivilege(SE_DEBUG_NAME, FALSE);
+	if (hProcess)
+	{
+		CloseHandle(hProcess);
+	}
+	else
+	{
+		bOpen = FALSE;
+	}
+
+	return bOpen;
+}
+
+
+
+VOID HsCheckAttribute(CString strPath)
+{
+
+	if (!strPath.IsEmpty())
+	{
+		SHELLEXECUTEINFO ExecInfor ;
+		memset(&ExecInfor, 0, sizeof(ExecInfor)) ;
+		ExecInfor.fMask = SEE_MASK_INVOKEIDLIST ;
+		ExecInfor.cbSize = sizeof(ExecInfor) ;
+		ExecInfor.hwnd = NULL ;
+		ExecInfor.lpVerb = _T( "properties" );
+		ExecInfor.lpFile = strPath ;
+		ExecInfor.lpParameters = NULL ;
+		ExecInfor.lpDirectory = NULL ;
+		ExecInfor.nShow = SW_SHOWNORMAL ;
+		ExecInfor.hProcess = NULL ;
+		ExecInfor.lpIDList = 0 ;
+		ExecInfor.hInstApp = 0 ;
+		ShellExecuteEx(&ExecInfor) ;
+	}
+	else
+	{
+		MessageBox(NULL,L"ÎÄ¼þÂ·¾¶´íÎó", NULL, MB_OK | MB_ICONWARNING);
+	}
+}
+
+
+
+VOID HsLocationExplorer(CString strPath)
+{
+	if (!strPath.IsEmpty() && PathFileExists(strPath))
+	{
+		CString strCmd;
+		strCmd.Format(L"/select,%s", strPath);
+		ShellExecuteW(NULL, L"open", L"explorer.exe", strCmd, NULL, SW_SHOW);
+	}
+	else
+	{
+		MessageBox(NULL,L"ÎÄ¼þÂ·¾¶´íÎó", NULL, MB_OK | MB_ICONWARNING);
+	}
+}
+
+
+
+
+BOOL HsGetDefaultTextFileName(CString& strFile)
+{
+	CString strTime;
+	CTime Time = CTime::GetCurrentTime();
+	int FileNameDay, FileNameMonth, FileNameYear, FileHour, FileMin, FileSec;
+
+	FileNameDay = Time.GetDay();
+	FileNameMonth = Time.GetMonth();
+	FileNameYear = Time.GetYear();
+	FileHour = Time.GetHour();
+	FileMin = Time.GetMinute();
+	FileSec = Time.GetSecond();
+	strTime.Format(L"%04d%02d%02d%02d%02d%02d", FileNameYear, FileNameMonth, FileNameDay, FileHour, FileMin, FileSec);
+
+	strFile = strTime + L".txt";
+
+	CFileDialog FileDlg(
+		FALSE, 
+		0, 
+		strFile, 
+		0, 
+		L"ÎÄ±¾ÎÄ¼þ (*.txt)|*.txt|ËùÓÐÎÄ¼þ (*.*)|*.*||",
+		0
+		);
+
+	if (IDOK == FileDlg.DoModal())
+	{
+		strFile = FileDlg.GetFileName();   //¿ÉÒÔ»ñµÃÎÄ¼þÂ·¾¶ ²¢ÇÒÐÞ¸Ä
+
+		CString strTemp = strFile.Right((int)wcslen(L".txt"));
+
+		if (strTemp.CompareNoCase(L".txt") != 0)
+		{
+			strFile += L".txt";
+		}
+
+		if (!PathFileExists(strFile))
+		{
+			return TRUE;
+		}
+		else if	(PathFileExists(strFile) && MessageBox(NULL, L"ÎÄ¼þÒÑ¾­´æÔÚ£¬ÊÇ·ñ¸²¸Ç£¿", L"ÌìÓ°ÎÀÊ¿", MB_YESNO | MB_ICONQUESTION) == IDYES)
+		{
+			if(!DeleteFile(strFile))
+			{
+				MessageBox(NULL, L"¸²¸ÇÎÄ¼þÊ§°Ü¡£", L"ÌìÓ°ÎÀÊ¿", MB_OK | MB_ICONERROR);
+				return FALSE;
+			}
+
+			return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
+
+
+// CString HsGetExcelDriver()
+// {
+// 	WCHAR wzBuffer[0x1000] = {0};
+// 	WORD  cbBufferMax = 0x1000;
+// 	WORD  cbBufferOut;
+// 	WCHAR *pwzBuffer = wzBuffer;
+// 	CString strDriver;
+// 
+// 	if (!SQLGetInstalledDrivers(wzBuffer, cbBufferMax, &cbBufferOut))
+// 	{
+// 		return NULL;
+// 	}
+// 
+// 	do
+// 	{
+// 		if (wcsstr(pwzBuffer, L"Excel") != 0)
+// 		{
+// 			strDriver = CString(pwzBuffer);
+// 			break;
+// 		}
+// 
+// 		pwzBuffer = wcschr(pwzBuffer, L'\0') + 1;
+// 	}
+// 	while (pwzBuffer[1] != L'\0');
+// 
+// 	return strDriver;
+// }
+
+
+
+
+// BOOL HsGetDefaultExcelFileName(CString& strExcelFile)
+// {
+// 	CString strTime;
+// 	CTime Time = CTime::GetCurrentTime();
+// 	int FileNameDay, FileNameMonth, FileNameYear, FileHour, FileMin, FileSec;
+// 
+// 	FileNameDay = Time.GetDay();
+// 	FileNameMonth = Time.GetMonth();
+// 	FileNameYear = Time.GetYear();
+// 	FileHour = Time.GetHour();
+// 	FileMin = Time.GetMinute();
+// 	FileSec = Time.GetSecond();
+// 	strTime.Format(L"%04d%02d%02d%02d%02d%02d", FileNameDay, FileNameMonth, FileNameYear, FileHour, FileMin, FileSec);
+// 
+// 	strExcelFile = strTime + L".xls";
+// 
+// 	CFileDialog FileDlg(
+// 		FALSE, 
+// 		0, 
+// 		strExcelFile, 
+// 		0, 
+// 		L"Excel Files (*.xls)|*.xls|All Files (*.*)|*.*||",
+// 		0
+// 		);
+// 
+// 	if (IDOK == FileDlg.DoModal())
+// 	{
+// 		strExcelFile = FileDlg.GetFileName();
+// 
+// 		CString szTemp = strExcelFile.Right((int)wcslen(L".xls"));
+// 
+// 		if (szTemp.CompareNoCase(L".xls") != 0)
+// 		{
+// 			strExcelFile += L".xls";
+// 		}
+// 
+// 		if ( !PathFileExists(strExcelFile) )
+// 		{
+// 			return TRUE;
+// 		}
+// 		else if	(PathFileExists(strExcelFile) && MessageBox(NULL, L"ÎÄ¼þÒÑ¾­´æÔÚ£¬ÊÇ·ñ¸²¸Ç£¿", L"µ¼³ö", MB_YESNO | MB_ICONQUESTION) == IDYES)
+// 		{
+// 			if(!DeleteFile(strExcelFile))
+// 			{
+// 				MessageBox(NULL, L"¸²¸ÇÎÄ¼þÊ§°Ü£¡", L"µ¼³ö", MB_OK | MB_ICONERROR);
+// 				return FALSE;
+// 			}
+// 
+// 			return TRUE;
+// 		}
+// 	}
+// 
+// 	return FALSE;
+// }
+
+
+
+
+
+
+BOOL HsDebugPrivilege(const WCHAR *pName, BOOL bEnable)
+{
+	BOOL              bResult = TRUE;
+	HANDLE            hToken;
+	TOKEN_PRIVILEGES  TokenPrivileges;
+
+	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
+	{
+		bResult = FALSE;
+		return bResult;
+	}
+	TokenPrivileges.PrivilegeCount = 1;
+	TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
+
+	LookupPrivilegeValue(NULL, pName, &TokenPrivileges.Privileges[0].Luid);
+	AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
+	if (GetLastError() != ERROR_SUCCESS)
+	{
+		bResult = FALSE;
+	}
+
+	CloseHandle(hToken);
+	return bResult;	
+}
+
+
+
+
+
+
+
+BOOL HsKillProcessByForce(CMyList* m_ListCtrl)
+{
+	POSITION pos = m_ListCtrl->GetFirstSelectedItemPosition();
+
+	ULONG_PTR ulProcessId = 0;
+
+	int nItem = 0;
+
+	while(pos)
+	{
+		nItem = m_ListCtrl->GetNextSelectedItem(pos);
+
+		ulProcessId = _ttoi(m_ListCtrl->GetItemText(nItem,HS_PROCESS_COLUMN_PID).GetBuffer());
+
+		if (ulProcessId <= 4)
+		{
+			return FALSE;
+		}
+
+	} 
+
+	if (g_hDevice==NULL)
+	{
+		return FALSE;
+	}
+
+	ULONG dwReturnSize = 0;
+	ULONG dwRet = 0;
+
+	BOOL bFeedback = FALSE;
+
+	    
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_KILLPROCESSBYFORCE),
+		&ulProcessId,
+		sizeof(ULONG_PTR),
+		&bFeedback,
+		sizeof(BOOL),
+		&dwReturnSize,
+		NULL);
+
+	//·¢ËÍIO ¿ØÖÆÂë
+
+	if (bFeedback = TRUE)
+	{
+		m_ListCtrl->DeleteItem(nItem);
+	}
+	else
+	{
+		MessageBox(NULL,L"¹Ø±Õ½ø³ÌÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",0);
+	}
+
+	bIsChecking = FALSE;
+
+	return bFeedback;
+
+}
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/ProcessFunc.h b/arkProject/HeavenShadow/HeavenShadow/ProcessFunc.h
new file mode 100644
index 0000000..e795e44
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ProcessFunc.h
@@ -0,0 +1,89 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+
+enum HS_ENUM_PROC_COLUMN	//½ø³ÌÁÐ±íÁÐÃ¶¾Ù
+{
+	HS_PROCESS_COLUMN_NAME = 0,
+	HS_PROCESS_COLUMN_PID,
+	HS_PROCESS_COLUMN_PPID,
+	HS_PROCESS_COLUMN_PATH,
+	HS_PROCESS_COLUMN_EPROCESS,
+	HS_PROCESS_COLUMN_USERACCESS,
+	HS_PROCESS_COLUMN_COMPANY
+};
+
+
+
+enum HS_PROCESSDIG_SEND_TYPE
+{
+	HS_PROCESSDIG_SEND_INSERT = 555,	//²åÈëÌõÄ¿
+	HS_PROCESSDIG_SEND_DELETE			//É¾³ýÌõÄ¿
+};
+
+
+//½á¹¹Ìå//////////////////////////////////////////////////////////////////
+
+typedef struct HS_PROCESSINFO
+{
+
+	WCHAR     Name[100];
+	WCHAR     Path[260];
+	WCHAR     CompanyName[100];
+	BOOL      UserAccess;
+	ULONG_PTR Pid;
+	ULONG_PTR PPid;
+	ULONG_PTR Eprocess;
+	LONGLONG  CreateTime;
+
+}HSPROCESSINFO, *PHSPROCESSINFO;
+
+
+
+//º¯Êý////////////////////////////////////////////////////////////////////
+
+void HsInitProcessList(CMyList *m_ListCtrl);
+
+DWORD WINAPI HsQueryProcessFunction(CMyList *m_ListCtrl);
+
+
+
+void HsQueryProcessList(CMyList *m_ListCtrl);
+
+BOOL HsR3CanOpenProcess(DWORD dwPid);
+
+CString HsGetFileCompanyName(CString strPath);
+
+//²é¿´ÎÄ¼þÊôÐÔ
+VOID HsCheckAttribute(CString strPath);
+
+//¶¨Î»ÎÄ¼þÎ»ÖÃ
+VOID HsLocationExplorer(CString strPath);
+
+
+
+
+
+BOOL HsGetDefaultTextFileName(CString& strFile);
+
+CString HsGetExcelDriver();
+BOOL HsGetDefaultExcelFileName(CString& strExcelFile);
+
+BOOL __stdcall HsIs32BitFile(const WCHAR * pwszFullPath);
+
+
+//»ñÈ¡È¨ÏÞ
+BOOL HsDebugPrivilege(const WCHAR *pName, BOOL bEnable);
+
+
+//ÅÅÐò±È½Ïº¯Êý
+static int CALLBACK HsProcessListCompareProc(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort);
+
+
+BOOL HsKillProcessByForce(CMyList* m_ListCtrl);
+
+
+ULONG_PTR
+HsQuerySystemProcessCount(CMyList *m_ListCtrl);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ProcessViewDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/ProcessViewDlg.cpp
new file mode 100644
index 0000000..d539698
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ProcessViewDlg.cpp
@@ -0,0 +1,493 @@
+// ProcessViewDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "ProcessViewDlg.h"
+#include "afxdialogex.h"
+
+#include "ThreadFunc.h"
+#include "PrivilegeFunc.h"
+#include "DetailFunc.h"
+#include "HandleFunc.h"
+#include "WindowFunc.h"
+#include "MemoryFunc.h"
+#include "PModuleFunc.h"
+
+#include "Common.h"
+
+
+
+
+ULONG_PTR g_ulProcessId = 0;
+
+extern int dpix;
+extern int dpiy;
+
+
+UINT nowType = 999;
+
+
+// CProcessViewDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CProcessViewDlg, CDialog)
+
+CProcessViewDlg::CProcessViewDlg(ULONG_PTR ulViewType, PHSPROCESSINFO piProcInfo, CWnd* pParent /*=NULL*/)
+	: CDialog(CProcessViewDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+	m_piProcInfo = piProcInfo;
+	m_ulViewType = ulViewType;
+
+	g_ulProcessId = m_piProcInfo->Pid;
+}
+
+CProcessViewDlg::~CProcessViewDlg()
+{
+}
+
+void CProcessViewDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST_PROCESS_VIEW, m_viewList);
+	DDX_Control(pDX, IDC_LIST_PROCESSVIEWTYPE, m_typeList);
+	DDX_Control(pDX, IDC_STATIC_VIEWICON, m_ViewIcon);
+}
+
+
+BEGIN_MESSAGE_MAP(CProcessViewDlg, CDialog)
+	ON_NOTIFY(NM_RCLICK, IDC_LIST_PROCESS_VIEW, &CProcessViewDlg::OnRclickListProcessView)
+	ON_COMMAND(ID_MENU_PROCESSPRIVILEGE_REFRESH, &CProcessViewDlg::OnMenuProcessprivilegeRefresh)
+	ON_COMMAND(ID_MENU_PROCESSPRIVILEGE_ENABLE, &CProcessViewDlg::OnMenuProcessprivilegeEnable)
+	ON_COMMAND(ID_MENU_PROCESSPRIVILEGE_DISABLE, &CProcessViewDlg::OnMenuProcessprivilegeDisable)
+	ON_WM_PAINT()
+	ON_LBN_SELCHANGE(IDC_LIST_PROCESSVIEWTYPE, &CProcessViewDlg::OnSelchangeListProcessviewtype)
+	ON_WM_CTLCOLOR()
+	ON_COMMAND(ID_MENU_PROCESSTHREAD_REFRESH, &CProcessViewDlg::OnMenuProcessthreadRefresh)
+	ON_COMMAND(ID_MENU_PROCESSTHREAD_CLOSETHREAD, &CProcessViewDlg::OnMenuProcessthreadClosethread)
+END_MESSAGE_MAP()
+
+
+// CProcessViewDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+BOOL CProcessViewDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	nowType = 999;
+
+	SHFILEINFO shInfo;
+	memset(&shInfo, 0, sizeof(shInfo));
+	SHGetFileInfo(m_piProcInfo->Path, FILE_ATTRIBUTE_NORMAL, 
+		&shInfo, sizeof(SHFILEINFO), SHGFI_ICON | SHGFI_USEFILEATTRIBUTES);
+
+	m_hIcon = shInfo.hIcon;
+
+	SetIcon(m_hIcon,TRUE);
+	SetIcon(m_hIcon,FALSE);
+
+
+	m_ViewIcon.SetIcon(m_hIcon);
+
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_DETAIL,L"½ø³ÌÓ³Ïñ");
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_THREAD,L"½ø³ÌÏß³Ì");
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_PRIVILEGE,L"½ø³ÌÈ¨ÏÞ");
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_HANDLE,L"½ø³Ì¾ä±ú");
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_WINDOW,L"½ø³Ì´°¿Ú");
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_MODULE,L"½ø³ÌÄ£¿é");
+	m_typeList.InsertString(HS_PROCVIEW_TYPE_MEMORY,L"½ø³ÌÄÚ´æ");
+
+	m_typeList.SetItemHeight(-1,(UINT)(16*(dpiy/96.0)));
+
+	m_typeList.SetCurSel((int)m_ulViewType);
+
+	OnSelchangeListProcessviewtype();
+
+	UINT uIconSize = 20;
+
+	uIconSize *= (UINT)(dpix/96.0);
+
+	m_TreeKernelImageList.Create(1, uIconSize, ILC_COLOR32 | ILC_MASK, 2, 2);
+
+	ListView_SetImageList(m_viewList.m_hWnd, m_TreeKernelImageList.GetSafeHandle(), LVSIL_SMALL);
+
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CProcessViewDlg::OnRclickListProcessView(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	switch (m_ulViewType)
+	{
+	case HS_PROCVIEW_TYPE_PRIVILEGE:
+		{
+			HsProcessPrivilegePopupMenu(&m_viewList,this);
+			break;
+		}
+	case HS_PROCVIEW_TYPE_THREAD:
+		{
+			HsProcessThreadPopupMenu(&m_viewList,this);
+			break;
+		}
+	case HS_PROCVIEW_TYPE_WINDOW:
+		{
+			HsProcessWindowPopupMenu(&m_viewList,this);
+			break;
+		}
+	}
+
+	*pResult = 0;
+}
+
+
+void CProcessViewDlg::OnMenuProcessprivilegeRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+ 	CloseHandle(CreateThread(NULL, 0, 
+ 		(LPTHREAD_START_ROUTINE)HsQueryProcessPrivilege,&m_viewList, 0, NULL));
+
+	//HsQueryProcessPrivilege(&m_viewList);
+}
+
+
+void CProcessViewDlg::OnMenuProcessprivilegeEnable()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	POSITION pos = m_viewList.GetFirstSelectedItemPosition();
+
+	while (pos)
+	{
+		int nItem = m_viewList.GetNextSelectedItem(pos);
+
+		WCHAR PrivilegeName[60] = {0};
+		
+		StringCchCopyW(PrivilegeName,m_viewList.GetItemText(nItem,0).GetLength()+1,m_viewList.GetItemText(nItem,0).GetBuffer());
+
+		BOOL bFeedBack = HsAdjustPrivilege(m_piProcInfo->Pid,PrivilegeName,TRUE);
+
+		if (bFeedBack == TRUE)
+		{
+			m_viewList.SetItemText(nItem,2,L"Enabled");
+		}
+	}
+}
+
+
+void CProcessViewDlg::OnMenuProcessprivilegeDisable()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	POSITION pos = m_viewList.GetFirstSelectedItemPosition();
+
+	
+
+	while (pos)
+	{
+		int nItem = m_viewList.GetNextSelectedItem(pos);
+
+		WCHAR PrivilegeName[60];
+
+		StringCchCopyW(PrivilegeName,m_viewList.GetItemText(nItem,0).GetLength()+1,m_viewList.GetItemText(nItem,0).GetBuffer());
+
+		BOOL bFeedBack = HsAdjustPrivilege(m_piProcInfo->Pid,PrivilegeName,FALSE);
+
+		if (bFeedBack == TRUE)
+		{
+			m_viewList.SetItemText(nItem,2,L"Disabled");
+		}
+	}
+}
+
+
+void CProcessViewDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+ 
+ 	CRect   rect;
+ 	GetClientRect(&rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+
+	CRect leftlistrect;
+	CRect rightlistrect;
+
+	m_typeList.GetClientRect(leftlistrect);
+
+	CPoint startPoint;
+	startPoint.x = (LONG)(leftlistrect.right)+4;
+	startPoint.y = -1;
+	CPoint endPoint;
+	endPoint.x = (LONG)(leftlistrect.right)+4;
+	endPoint.y = rect.Height()+2;
+
+	rightlistrect.left = startPoint.x+1;
+	rightlistrect.right = rect.Width();
+	rightlistrect.top = 0;
+	rightlistrect.bottom = rect.Height();
+	m_viewList.MoveWindow(rightlistrect);
+
+
+
+	COLORREF m_Color(RGB(190,190,190));
+
+	CClientDC aDC(this); //CClientDCµÄ¹¹Ôìº¯ÊýÐèÒªÒ»¸ö²ÎÊý£¬Õâ¸ö²ÎÊýÊÇÖ¸Ïò»æÍ¼´°¿ÚµÄÖ¸Õë£¬ÎÒÃÇÓÃthisÖ¸Õë¾Í¿ÉÒÔÁË
+	CPen pen(PS_SOLID,1,m_Color); ////½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+	aDC.SelectObject(&pen);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+
+	if (IsIconic())
+	{
+		// Ê¹Í¼±êÔÚ¹¤×÷Çø¾ØÐÎÖÐ¾ÓÖÐ
+		int cxIcon = GetSystemMetrics(SM_CXICON);
+		int cyIcon = GetSystemMetrics(SM_CYICON);
+		CRect rect;
+		GetClientRect(&rect);
+		int x = (rect.Width() - cxIcon + 1) / 2;
+		int y = (rect.Height() - cyIcon + 1) / 2;
+		dc.DrawIcon(32,32,m_hIcon);
+	}
+}
+
+
+void CProcessViewDlg::OnSelchangeListProcessviewtype()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	int nItem = m_typeList.GetCurSel();
+
+	m_ulViewType = nItem;
+
+	switch(m_ulViewType)
+	{
+	case HS_PROCVIEW_TYPE_DETAIL:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_DETAIL)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_DETAIL;
+
+			CString Temp;
+			Temp.Format(L"½ø³ÌÓ³Ïñ - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitProcessDetailList(&m_viewList);
+
+			HsLoadProcessDetailList(m_piProcInfo,&m_viewList);
+
+			break;
+		}
+	case HS_PROCVIEW_TYPE_THREAD:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_THREAD)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_THREAD;
+
+			CString Temp;
+
+			Temp.Format(L"½ø³ÌÏß³Ì - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitThreadList(&m_viewList);
+
+			//CloseHandle(CreateThread(NULL, 0,
+			//	(LPTHREAD_START_ROUTINE)HsQueryProcessThread,&m_viewList, 0, NULL));
+
+			HsQueryProcessThread(&m_viewList);
+
+			break;
+		}
+	case HS_PROCVIEW_TYPE_PRIVILEGE:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_PRIVILEGE)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_PRIVILEGE;
+
+			CString Temp;
+			Temp.Format(L"½ø³ÌÈ¨ÏÞ - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitPrivilegeList(&m_viewList);
+
+			//CloseHandle(CreateThread(NULL, 0,
+			//	(LPTHREAD_START_ROUTINE)HsQueryProcessPrivilege,&m_viewList, 0, NULL));
+
+			HsQueryProcessPrivilege(&m_viewList);
+
+			break;
+		}
+	case HS_PROCVIEW_TYPE_HANDLE:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_HANDLE)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_HANDLE;
+
+			CString Temp;
+			Temp.Format(L"½ø³Ì¾ä±ú - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitProcessHandleList(&m_viewList);
+
+			//CloseHandle(CreateThread(NULL, 0,
+			//	(LPTHREAD_START_ROUTINE)HsQueryProcessHandle,&m_viewList, 0, NULL));
+
+			HsQueryProcessHandle(&m_viewList);
+
+			break;
+		}
+	case HS_PROCVIEW_TYPE_WINDOW:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_WINDOW)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_WINDOW;
+
+
+			CString Temp;
+			Temp.Format(L"½ø³Ì´°¿Ú - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitWindowList(&m_viewList);
+
+			//CloseHandle(CreateThread(NULL, 0,
+			//	(LPTHREAD_START_ROUTINE)HsQueryProcessWindow,&m_viewList, 0, NULL));
+
+			HsQueryProcessWindow(&m_viewList);
+
+			break;
+		}
+	case HS_PROCVIEW_TYPE_MODULE:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_MODULE)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_MODULE;
+
+			CString Temp;
+			Temp.Format(L"½ø³ÌÄ£¿é - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitPModuleDetailList(&m_viewList);
+
+			HsLoadPModuleDetailList(&m_viewList);
+
+			break;
+		}
+	case HS_PROCVIEW_TYPE_MEMORY:
+		{
+			if (nowType == HS_PROCVIEW_TYPE_MEMORY)
+			{
+				return;
+			}
+			nowType = HS_PROCVIEW_TYPE_MEMORY;
+
+			CString Temp;
+			Temp.Format(L"½ø³ÌÄÚ´æ - %s", m_piProcInfo->Name);
+
+			SetWindowText(Temp.GetBuffer());
+
+			HsInitMemoryList(&m_viewList);
+
+			HsQueryProcessMemory(&m_viewList);
+
+			break;
+		}
+	}
+
+	m_viewList.SetFocus();
+}
+
+
+BOOL CProcessViewDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+HBRUSH CProcessViewDlg::OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor)
+{
+	HBRUSH hbr = CDialog::OnCtlColor(pDC, pWnd, nCtlColor);
+
+	// TODO:  ÔÚ´Ë¸ü¸Ä DC µÄÈÎºÎÌØÐÔ
+
+// 	if ( nCtlColor == CTLCOLOR_STATIC)
+// 	{
+// 		pDC->SetBkMode(TRANSPARENT);
+// 		pDC->SetBkColor(RGB(255,255,255));
+// 
+// 		return (HBRUSH)::GetStockObject(NULL_BRUSH);
+// 
+// 	}
+
+
+// 	if (nCtlColor == CTLCOLOR_LISTBOX)
+// 	{
+// 		pDC->SetBkMode(TRANSPARENT);
+// 		return (HBRUSH)::GetStockObject(NULL_BRUSH);
+// 	}
+
+	// TODO:  Èç¹ûÄ¬ÈÏµÄ²»ÊÇËùÐè»­±Ê£¬Ôò·µ»ØÁíÒ»¸ö»­±Ê
+	return hbr;
+}
+
+
+void CProcessViewDlg::OnMenuProcessthreadRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	CloseHandle(CreateThread(NULL, 0, 
+		(LPTHREAD_START_ROUTINE)HsQueryProcessThread,&m_viewList, 0, NULL));
+}
+
+
+void CProcessViewDlg::OnMenuProcessthreadClosethread()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	POSITION pos = m_viewList.GetFirstSelectedItemPosition();
+
+	while (pos)
+	{
+		UINT nItem = m_viewList.GetNextSelectedItem(pos);
+
+		ULONG ulThreadId = _ttoi(m_viewList.GetItemText(nItem,0));
+
+		HANDLE hThread = OpenThread(THREAD_TERMINATE,FALSE,ulThreadId);
+
+		BOOL bRet = TerminateThread(hThread,0);
+
+		if (bRet)
+		{
+			m_viewList.DeleteItem(nItem);
+		}
+	}
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/ProcessViewDlg.h b/arkProject/HeavenShadow/HeavenShadow/ProcessViewDlg.h
new file mode 100644
index 0000000..7cd852c
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ProcessViewDlg.h
@@ -0,0 +1,67 @@
+#pragma once
+
+#include "ProcessFunc.h"
+#include "MyList.h"
+#include "afxwin.h"
+
+
+
+enum HS_ENUM_PROCVIEW_TYPE
+{
+	HS_PROCVIEW_TYPE_DETAIL,
+	HS_PROCVIEW_TYPE_THREAD,
+	HS_PROCVIEW_TYPE_PRIVILEGE,
+	HS_PROCVIEW_TYPE_HANDLE,
+	HS_PROCVIEW_TYPE_WINDOW,
+	HS_PROCVIEW_TYPE_MODULE,
+	HS_PROCVIEW_TYPE_MEMORY
+};
+
+
+
+// CProcessViewDlg ¶Ô»°¿ò
+
+class CProcessViewDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CProcessViewDlg)
+
+public:
+	CProcessViewDlg(ULONG_PTR ulViewType, PHSPROCESSINFO piProcInfo, CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CProcessViewDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_PROCESS_VIEW };
+
+	// ËùÊô½ø³ÌÐÅÏ¢
+	PHSPROCESSINFO m_piProcInfo;
+
+	// ¸¸´°¿ÚÖ¸Õë
+	CWnd* m_wParent;
+
+	HICON m_hIcon;
+
+	// ´°¿ÚÏÔÊ¾ÀàÐÍ
+	ULONG_PTR m_ulViewType;
+
+	CImageList m_TreeKernelImageList;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	CMyList m_viewList;
+	virtual BOOL OnInitDialog();
+	afx_msg void OnRclickListProcessView(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuProcessprivilegeRefresh();
+	afx_msg void OnMenuProcessprivilegeEnable();
+	afx_msg void OnMenuProcessprivilegeDisable();
+	afx_msg void OnPaint();
+	CListBox m_typeList;
+	afx_msg void OnSelchangeListProcessviewtype();
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	CStatic m_ViewIcon;
+	afx_msg HBRUSH OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor);
+	afx_msg void OnMenuProcessthreadRefresh();
+	afx_msg void OnMenuProcessthreadClosethread();
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/ReadMe.txt b/arkProject/HeavenShadow/HeavenShadow/ReadMe.txt
new file mode 100644
index 0000000..735c011
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ReadMe.txt
@@ -0,0 +1,74 @@
+================================================================================
+MICROSOFT »ù´¡Àà¿â: HeavenShadow ÏîÄ¿¸ÅÊö
+===============================================================================
+
+Ó¦ÓÃ³ÌÐòÏòµ¼ÒÑÎªÄú´´½¨ÁËÕâ¸ö HeavenShadow Ó¦ÓÃ³ÌÐò¡£´ËÓ¦ÓÃ³ÌÐò²»½öÑÝÊ¾ Microsoft »ù´¡ÀàµÄ»ù±¾Ê¹ÓÃ·½·¨£¬»¹¿É×÷ÎªÄú±àÐ´Ó¦ÓÃ³ÌÐòµÄÆðµã¡£
+
+±¾ÎÄ¼þ¸ÅÒª½éÉÜ×é³É HeavenShadow Ó¦ÓÃ³ÌÐòµÄÃ¿¸öÎÄ¼þµÄÄÚÈÝ¡£
+
+HeavenShadow.vcxproj
+ÕâÊÇÊ¹ÓÃÓ¦ÓÃ³ÌÐòÏòµ¼Éú³ÉµÄ VC++ ÏîÄ¿µÄÖ÷ÏîÄ¿ÎÄ¼þ¡£ 
+Ëü°üº¬Éú³É¸ÃÎÄ¼þµÄ Visual C++ µÄ°æ±¾ÐÅÏ¢£¬ÒÔ¼°ÓÐ¹ØÊ¹ÓÃÓ¦ÓÃ³ÌÐòÏòµ¼Ñ¡ÔñµÄÆ½Ì¨¡¢ÅäÖÃºÍÏîÄ¿¹¦ÄÜµÄÐÅÏ¢¡£
+
+HeavenShadow.vcxproj.filters
+    ÕâÊÇÊ¹ÓÃ¡°Ó¦ÓÃ³ÌÐòÏòµ¼¡±Éú³ÉµÄ VC++ ÏîÄ¿É¸Ñ¡Æ÷ÎÄ¼þ¡£
+    Ëü°üº¬ÓÐ¹ØÏîÄ¿ÎÄ¼þÓëÉ¸Ñ¡Æ÷Ö®¼äµÄ¹ØÁªÐÅÏ¢¡£ÔÚ IDE ÖÐ£¬Í¨¹ýÕâÖÖ¹ØÁª£¬ÔÚÌØ¶¨½ÚµãÏÂÒÔ·Ö×éÐÎÊ½ÏÔÊ¾¾ßÓÐÏàËÆÀ©Õ¹ÃûµÄÎÄ¼þ¡£ÀýÈç£¬¡°.cpp¡±ÎÄ¼þÓë¡°Ô´ÎÄ¼þ¡±É¸Ñ¡Æ÷¹ØÁª¡£
+
+HeavenShadow.h
+ÕâÊÇÓ¦ÓÃ³ÌÐòµÄÖ÷ÒªÍ·ÎÄ¼þ¡£Ëü°üÀ¨ÆäËûÏîÄ¿ÌØ¶¨µÄÍ·ÎÄ¼þ(°üÀ¨ Resource.h)£¬²¢ÉùÃ÷ CHeavenShadowApp Ó¦ÓÃ³ÌÐòÀà¡£
+
+HeavenShadow.cpp
+ÕâÊÇ°üº¬Ó¦ÓÃ³ÌÐòÀà CHeavenShadowApp µÄÖ÷ÒªÓ¦ÓÃ³ÌÐòÔ´ÎÄ¼þ¡£
+
+HeavenShadow.rc
+ÕâÊÇ³ÌÐòÊ¹ÓÃµÄËùÓÐ Microsoft Windows ×ÊÔ´µÄÁÐ±í¡£Ëü°üÀ¨ RES ×ÓÄ¿Â¼ÖÐ´æ´¢µÄÍ¼±ê¡¢Î»Í¼ºÍ¹â±ê¡£´ËÎÄ¼þ¿ÉÒÔÖ±½ÓÔÚ Microsoft Visual C++ ÖÐ½øÐÐ±à¼­¡£ÏîÄ¿×ÊÔ´Î»ÓÚ 2052 ÖÐ¡£
+
+res\HeavenShadow.ico
+ÕâÊÇÓÃ×÷Ó¦ÓÃ³ÌÐòÍ¼±êµÄÍ¼±êÎÄ¼þ¡£´ËÍ¼±ê°üÀ¨ÔÚÖ÷Òª×ÊÔ´ÎÄ¼þ HeavenShadow.rc ÖÐ¡£
+
+res\HeavenShadow.rc2
+´ËÎÄ¼þ°üº¬²»ÔÚ Microsoft Visual C++ ÖÐ½øÐÐ±à¼­µÄ×ÊÔ´¡£ÄúÓ¦¸Ã½«²»¿ÉÓÉ×ÊÔ´±à¼­Æ÷±à¼­µÄËùÓÐ×ÊÔ´·ÅÔÚ´ËÎÄ¼þÖÐ¡£
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+Ó¦ÓÃ³ÌÐòÏòµ¼´´½¨Ò»¸ö¶Ô»°¿òÀà:
+
+HeavenShadowDlg.h£¬HeavenShadowDlg.cpp - ¶Ô»°¿ò
+ÕâÐ©ÎÄ¼þ°üº¬ CHeavenShadowDlg Àà¡£¸ÃÀà¶¨ÒåÓ¦ÓÃ³ÌÐòÖ÷¶Ô»°¿òµÄÐÐÎª¡£¸Ã¶Ô»°¿òµÄÄ£°åÎ»ÓÚ HeavenShadow.rc ÖÐ£¬¸ÃÎÄ¼þ¿ÉÒÔÔÚ Microsoft Visual C++ ÖÐ½øÐÐ±à¼­¡£
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+ÆäËû¹¦ÄÜ:
+
+ActiveX ¿Ø¼þ
+Ó¦ÓÃ³ÌÐò°üÀ¨¶ÔÊ¹ÓÃ ActiveX ¿Ø¼þµÄÖ§³Ö¡£
+
+/////////////////////////////////////////////////////////////////////////////
+
+ÆäËû±ê×¼ÎÄ¼þ:
+
+StdAfx.h£¬StdAfx.cpp
+ÕâÐ©ÎÄ¼þÓÃÓÚÉú³ÉÃûÎª HeavenShadow.pch µÄÔ¤±àÒëÍ· (PCH) ÎÄ¼þºÍÃûÎª StdAfx.obj µÄÔ¤±àÒëÀàÐÍÎÄ¼þ¡£
+
+Resource.h
+ÕâÊÇ±ê×¼Í·ÎÄ¼þ£¬Ëü¶¨ÒåÐÂµÄ×ÊÔ´ ID¡£
+Microsoft Visual C++ ¶ÁÈ¡²¢¸üÐÂ´ËÎÄ¼þ¡£
+
+HeavenShadow.manifest
+	Ó¦ÓÃ³ÌÐòÇåµ¥ÎÄ¼þ¹© Windows XP ÓÃÀ´ÃèÊöÓ¦ÓÃ³ÌÐò
+	¶ÔÌØ¶¨°æ±¾²¢ÐÐ³ÌÐò¼¯µÄÒÀÀµÐÔ¡£¼ÓÔØ³ÌÐòÊ¹ÓÃ´Ë
+	ÐÅÏ¢´Ó³ÌÐò¼¯»º´æ¼ÓÔØÊÊµ±µÄ³ÌÐò¼¯»ò
+	´ÓÓ¦ÓÃ³ÌÐò¼ÓÔØË½ÓÐÐÅÏ¢¡£Ó¦ÓÃ³ÌÐòÇåµ¥¿ÉÄÜÎªÁËÖØÐÂ·Ö·¢¶ø×÷Îª
+	ÓëÓ¦ÓÃ³ÌÐò¿ÉÖ´ÐÐÎÄ¼þ°²×°ÔÚÏàÍ¬ÎÄ¼þ¼ÐÖÐµÄÍâ²¿ .manifest ÎÄ¼þ°üÀ¨£¬
+	Ò²¿ÉÄÜÒÔ×ÊÔ´µÄÐÎÊ½°üÀ¨ÔÚ¸Ã¿ÉÖ´ÐÐÎÄ¼þÖÐ¡£ 
+/////////////////////////////////////////////////////////////////////////////
+
+ÆäËû×¢ÊÍ:
+
+Ó¦ÓÃ³ÌÐòÏòµ¼Ê¹ÓÃ¡°TODO:¡±Ö¸Ê¾Ó¦Ìí¼Ó»ò×Ô¶¨ÒåµÄÔ´´úÂë²¿·Ö¡£
+
+Èç¹ûÓ¦ÓÃ³ÌÐòÔÚ¹²ÏíµÄ DLL ÖÐÊ¹ÓÃ MFC£¬ÔòÐèÒªÖØÐÂ·¢²¼ÕâÐ© MFC DLL£»Èç¹ûÓ¦ÓÃ³ÌÐòËùÓÃµÄÓïÑÔÓë²Ù×÷ÏµÍ³µÄµ±Ç°ÇøÓòÉèÖÃ²»Í¬£¬Ôò»¹ÐèÒªÖØÐÂ·¢²¼¶ÔÓ¦µÄ±¾µØ»¯×ÊÔ´ MFC100XXX.DLL¡£ÓÐ¹ØÕâÁ½¸öÖ÷ÌâµÄ¸ü¶àÐÅÏ¢£¬Çë²Î¼û MSDN ÎÄµµÖÐÓÐ¹Ø Redistributing Visual C++ applications (ÖØÐÂ·¢²¼ Visual C++ Ó¦ÓÃ³ÌÐò)µÄÕÂ½Ú¡£
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/arkProject/HeavenShadow/HeavenShadow/SSDTFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/SSDTFunc.cpp
new file mode 100644
index 0000000..259daf3
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SSDTFunc.cpp
@@ -0,0 +1,563 @@
+#include "stdafx.h"
+#include "SSDTFunc.h"
+#include "ModuleFunc.h"
+#include "Common.h"
+#include <vector>
+#include <Strsafe.h>
+
+using namespace std;
+
+extern vector<DRIVER_INFO> m_DriverList;
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+
+COLUMNSTRUCT g_Column_SSDT[] = 
+{
+	{	L"ÐòºÅ",					50	},
+	{	L"º¯ÊýÃû³Æ",				145	},
+	{	L"º¯Êýµ±Ç°µØÖ·",			125	},
+	{	L"º¯ÊýÔ­µØÖ·",			125	},
+	{	L"Ä£¿éÎÄ¼þ",				195	},
+	{	L"×´Ì¬",					85	}
+};
+
+UINT g_Column_SSDT_Count  = 6;	  //½ø³ÌÁÐ±íÁÐÊý
+
+ULONG_PTR m_KiServiceTable = 0;
+ULONG_PTR m_SSDTFuncCount = 0;
+ULONG_PTR m_HookFuncCount = 0;
+CHAR  m_szNtosName[512];
+CHAR  m_szTempNtosName[512];
+ULONG_PTR m_NtosImageBase;
+ULONG_PTR m_NtosBase;
+ULONG_PTR m_TempNtosBase;
+BOOL  m_bSSDTOk = FALSE;
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitSSDTList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_SSDT_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_SSDT[i].szTitle,LVCFMT_LEFT,(int)(g_Column_SSDT[i].nWidth*(dpix/96.0)));
+	}
+
+}
+
+VOID HsLoadSSDTList(CListCtrl *m_ListCtrl)
+{
+// 	if (bIsChecking == TRUE)
+// 	{
+// 		return;
+// 	}
+
+// 	while(bIsChecking == TRUE)
+// 	{
+// 		Sleep(10);
+// 	}
+
+
+	HsSendStatusDetail(L"SSDTÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"SSDT");
+
+	HsQuerySSDTList(m_ListCtrl);
+
+	
+	bIsChecking = FALSE;
+}
+
+
+VOID HsQuerySSDTList(CListCtrl *m_ListCtrl)
+{
+
+
+	SSDT_INFO si[0x1000] = {0};
+
+	m_KiServiceTable = 0;
+	m_HookFuncCount = 0;
+	m_SSDTFuncCount = 0;
+
+	m_DriverList.clear();
+
+	BOOL bRet = FALSE;
+
+	InitDataOfSSDT();
+
+	bRet = EnumSSDT(si);
+
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"SSDT¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+	bRet = EnumDriver();
+
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"SSDT¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+	CString strIndex;
+
+	int i = 0;
+	int j = 0;
+	for (i=0;i<m_SSDTFuncCount;i++)
+	{
+
+		strIndex.Format(L"%d",si[i].Id);
+		int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strIndex);
+
+		CString strFuncName(si[i].szFuncName);
+		m_ListCtrl->SetItemText(n,1,strFuncName);
+
+		CString strCurAddr;
+		strCurAddr.Format(L"0x%p",si[i].CurAddr);
+		m_ListCtrl->SetItemText(n,2,strCurAddr);
+
+		CString strOrigAddr;
+		strOrigAddr.Format(L"0x%p",si[i].OriAddr);
+		m_ListCtrl->SetItemText(n,3,strOrigAddr);
+
+
+		CString strType;
+		if (si[i].OriAddr!=si[i].CurAddr)
+		{
+			m_ListCtrl->SetItemData(n,1);
+
+			strType = L"SSDTHook";
+		}
+		else
+		{
+			strType = L"Õý³£";
+		}
+
+
+		m_ListCtrl->SetItemText(n,5,strType);
+
+		CString strPath;
+
+		strPath = GetDriverPath(si[i].CurAddr);
+		m_ListCtrl->SetItemText(n,4,strPath);
+
+		if (_wcsnicmp(L"Õý³£",strType,wcslen(L"Õý³£"))!=0)
+		{
+			j+=1;
+		}
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"SSDTÕýÔÚ¼ÓÔØ¡£ SSDTº¯Êý£º%d£¬¹Ò¹³º¯Êý£º%d",i+1,j);
+
+		HsSendStatusDetail(StatusBarContext);
+	}
+
+	CString StatusBarContext;
+	StatusBarContext.Format(L"SSDT¼ÓÔØÍê³É¡£ SSDTº¯Êý£º%d£¬¹Ò¹³º¯Êý£º%d",m_SSDTFuncCount,m_HookFuncCount);
+
+	HsSendStatusDetail(StatusBarContext);
+}
+
+CString GetDriverPath(ULONG_PTR Address)
+{
+	CString strPath;
+
+	for (vector<DRIVER_INFO>::iterator itor = m_DriverList.begin(); 
+		itor != m_DriverList.end(); 
+		itor++)
+	{
+		ULONG_PTR ulBase = itor->Base;
+		ULONG_PTR ulEnd = itor->Base + itor->Size;
+
+		if (Address >= ulBase && Address <= ulEnd)
+		{
+			strPath = itor->wzDriverPath;
+			break;
+		}
+	}
+
+	return strPath;
+}
+
+
+BOOL EnumSSDT(SSDT_INFO* si)
+{
+	DWORD i=0,SSDTFuncCount = 0;
+
+
+	CHAR* szTempNtdll = NULL;
+	DWORD dwLen = 0;
+	DWORD dwStart = 0;
+	DWORD dwEnd = 0;
+	ULONG_PTR SSDTOriAddr = 0;
+	ULONG_PTR SSDTCurAddr = 0;
+	szTempNtdll=HsGetTempNtdll();
+
+	if(!CopyFileA(Strcat(HsGetSystemDir(),"ntdll.dll"),szTempNtdll,0))
+	{
+		return FALSE;
+	}
+
+	dwLen = FileLen(szTempNtdll);
+
+	char szFuncStart[]="ZwAcceptConnectPort", szFuncEnd[]="ZwYieldExecution"; //Ã¿¸öº¯ÊýÃûÖ®¼ä¸ô×Å\0
+
+	char* szNtdll = HsLoadDllContext(szTempNtdll);
+	char* szTemp  = szNtdll;
+	for(i=0; i<dwLen; i++)
+	{
+		if(memcmp(szTemp+i,szFuncStart,strlen(szFuncStart))==0)
+		{
+			dwStart = i;
+		}
+		if(memcmp(szTemp+i,szFuncEnd,strlen(szFuncEnd))==0)
+		{
+			dwEnd = i;
+			break;
+		}
+	}
+	szTemp =szTemp+dwStart;
+	//ÕâÀï²»ÄÜÏÔÊ¾µ½×îºóÒ»¸öº¯Êý
+	while(strcmp(szTemp,szFuncEnd)!=0)
+	{
+		DWORD dwFuncIndex = HsGetSSDTFunctionIndex(szTemp);
+		if(dwFuncIndex<0x1000)
+		{
+			SSDTOriAddr = HsGetFunctionOriginalAddress(dwFuncIndex);
+
+			SendIoCodeSSDT(dwFuncIndex,&SSDTCurAddr);
+
+
+			if (SSDTCurAddr!=SSDTOriAddr)
+			{
+				m_HookFuncCount++;
+			}
+
+			szTemp[0]='N';
+			szTemp[1]='t';		//Ñ°ÕÒµÄÊÇZw***£¬µ«ÊÇÓ¦¸ÃÏÔÊ¾Nt***
+		}
+		else
+		{
+
+			dwFuncIndex = HsGetSpecialIndex(szTemp);
+			SSDTOriAddr=HsGetFunctionOriginalAddress(dwFuncIndex);
+			SendIoCodeSSDT(dwFuncIndex,&SSDTCurAddr);
+
+			if (SSDTCurAddr!=SSDTOriAddr)
+			{
+				m_HookFuncCount++;
+			}
+			szTemp[0]='N';
+			szTemp[1]='t';
+		}
+		si[SSDTFuncCount].Id = dwFuncIndex;
+		si[SSDTFuncCount].CurAddr = SSDTCurAddr;
+		si[SSDTFuncCount].OriAddr = SSDTOriAddr;
+		strcpy_s(si[SSDTFuncCount].szFuncName,szTemp);
+		szTemp=szTemp+strlen(szTemp)+1;
+		SSDTFuncCount++;
+		dwFuncIndex=0;
+	}
+	//ÏÔÊ¾Íê×îºóÒ»¸öº¯Êý
+	DWORD dwFuncIndex = HsGetSSDTFunctionIndex(szTemp);
+	SSDTOriAddr = HsGetFunctionOriginalAddress(dwFuncIndex);
+	SendIoCodeSSDT(dwFuncIndex,&SSDTCurAddr);
+
+	if (SSDTCurAddr!=SSDTOriAddr)
+	{
+		m_HookFuncCount++;
+	}
+	szTemp[0]='N';
+	szTemp[1]='t';
+	si[SSDTFuncCount].Id = dwFuncIndex;
+	si[SSDTFuncCount].CurAddr = SSDTCurAddr;
+	si[SSDTFuncCount].OriAddr = SSDTOriAddr;
+	strcpy_s(si[SSDTFuncCount].szFuncName,szTemp);
+	SSDTFuncCount++;
+
+	m_SSDTFuncCount = SSDTFuncCount;
+	DeleteFileA(szTempNtdll);
+	DeleteFileA(m_szTempNtosName);
+	free(szNtdll);
+
+	return TRUE;
+}
+
+
+BOOL SendIoCodeSSDT(DWORD dwFuncIndex,PULONG_PTR SSDTCurAddr)
+{
+	DWORD dwReturnSize = 0;
+	DWORD dwRet = 0;
+
+	//·¢ËÍIO ¿ØÖÆÂë
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_SSDTLIST),
+		&dwFuncIndex,
+		sizeof(DWORD),
+		SSDTCurAddr,
+		sizeof(ULONG_PTR),
+		&dwReturnSize,
+		NULL);
+
+
+	if (dwRet==0)
+	{
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+
+
+ULONG_PTR HsGetFunctionOriginalAddress(ULONG_PTR dwIndex)	//Í¨¹ýINDEX»ñµÃº¯ÊýÔ­Ê¼µØÖ·
+{
+	ULONG_PTR RVA = m_KiServiceTable - m_NtosBase;
+	ULONG_PTR Temp=*(PULONG_PTR)(m_TempNtosBase+RVA+sizeof(ULONG_PTR)*(ULONG_PTR)dwIndex);
+	return Temp;
+}
+
+
+BOOL InitDataOfSSDT()
+{
+	BOOL b1=FALSE,b2=FALSE;
+	BOOL bOk = FALSE;
+	b1 = GetNtosNameAndBase();
+	b2 = GetNtosImageBase();
+
+	m_TempNtosBase = (ULONG_PTR)LoadLibraryExA(m_szTempNtosName,0, DONT_RESOLVE_DLL_REFERENCES);
+
+	if (m_bSSDTOk==FALSE)
+	{
+		HsReloc((ULONG_PTR)m_TempNtosBase,m_NtosBase);
+		m_bSSDTOk = TRUE;
+	}
+
+	if (GetKiServiceTable()==FALSE)
+	{
+		return FALSE;
+	}
+
+	if(b1 && b2)
+	{
+		bOk = TRUE;
+	}	
+	else
+	{
+		bOk = FALSE;
+	}
+
+	return bOk;
+}
+
+
+
+BOOL GetNtosImageBase()
+{
+	PIMAGE_NT_HEADERS NtHeader;
+	PIMAGE_DOS_HEADER DosHeader;
+	char* szNtosFileData=NULL;
+	szNtosFileData = HsLoadDllContext(m_szTempNtosName);
+	if(szNtosFileData==NULL)
+	{
+		return FALSE;
+	}
+	DosHeader = (PIMAGE_DOS_HEADER)szNtosFileData;
+	NtHeader  = (PIMAGE_NT_HEADERS)(szNtosFileData+DosHeader->e_lfanew);
+	m_NtosImageBase = NtHeader->OptionalHeader.ImageBase;
+	return TRUE;
+}
+
+BOOL GetNtosNameAndBase()    //»ñµÃNtosµÄÂ·¾¶ºÍ¼ÓÔØµØÖ·
+{
+	char szFileName[260]= {0},*szFullName;
+	m_NtosBase = HsGetKernelBase(szFileName);
+	szFullName = Strcat(HsGetSystemDir(),szFileName);
+	strcpy_s(m_szNtosName,szFullName);
+	return GetTempNtosName();
+}
+
+
+
+BOOL GetTempNtosName()   //¸ù¾ÝNtosµÄÂ·¾¶ ½øÐÐ¿½±´¹¹½¨ntosxxxx.exe
+{
+	char *szPath;
+	szPath=(char *)malloc(260);
+	memset(szPath,0,260);
+	GetTempPathA(260,szPath);
+	szPath = Strcat(szPath,"ntosxxxx.exe");
+	strcpy_s(m_szTempNtosName,szPath);
+
+	if(CopyFileA(m_szNtosName,m_szTempNtosName,0))
+	{
+		free(szPath);
+		return TRUE;
+	}
+	else
+	{
+		free(szPath);
+		return FALSE;
+	}
+}
+
+
+
+
+BOOL GetKiServiceTable()
+{
+	DWORD dwReturnSize = 0;
+	DWORD dwRet = 0;
+
+	if (g_hDevice==NULL)
+	{
+		return FALSE;
+	}
+
+	dwRet = DeviceIoControl(
+		g_hDevice,
+		HS_IOCTL(HS_IOCTL_KRNL_KISRVTAB),
+		NULL,
+		0,
+		&m_KiServiceTable,
+		sizeof(ULONG_PTR),
+		&dwReturnSize,
+		NULL);
+
+
+	if (dwRet==0)
+	{
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+
+
+
+BOOL EnumDriver()
+{
+	ULONG ulReturnSize = 0;
+	BOOL bRet = FALSE;
+
+	m_DriverList.clear();
+
+	ULONG ulCount = 1000;
+	PALL_DRIVERS Drivers = NULL;
+
+	if (g_hDevice==NULL)
+	{
+		MessageBox(NULL,L"Éè±¸»ñÈ¡Ê§°Ü",L"Error",0);
+		return FALSE;
+	}
+
+	do 
+	{
+		ULONG ulSize = 0;
+
+		if (Drivers)
+		{
+			free(Drivers);
+			Drivers = NULL;
+		}
+
+		ulSize = sizeof(ALL_DRIVERS) + ulCount * sizeof(DRIVER_INFO);
+
+		Drivers = (PALL_DRIVERS)malloc(ulSize);
+		if (!Drivers)
+		{
+			break;
+		}
+
+		memset(Drivers,0,ulSize);
+
+
+		bRet = DeviceIoControl(
+			g_hDevice,
+			HS_IOCTL(HS_IOCTL_MODU_MODULELIST),
+			NULL,
+			0,
+			Drivers,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = (ULONG)Drivers->ulCount + 100;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && Drivers->ulCount > 0)
+	{
+		for (ULONG i = 0;i<Drivers->ulCount; i++)
+		{
+			FixDriverPath(&Drivers->Drivers[i]);
+			m_DriverList.push_back(Drivers->Drivers[i]);
+		}
+	}
+
+	if (Drivers)
+	{
+		free(Drivers);
+		Drivers = NULL;
+	}
+
+	return bRet;
+}
+
+
+void HsResumeSSDTHook(CListCtrl* m_ListCtrl)
+{
+
+	int Index = m_ListCtrl->GetSelectionMark();
+
+	if (Index<0)
+	{
+		return;
+	}
+
+	CString Temp = m_ListCtrl->GetItemText(Index,0);
+
+	RESUME_DATA  Data = {0};  
+
+	swscanf_s(Temp.GetBuffer(),L"%d",&Data.ulIndex);
+
+	Temp  = m_ListCtrl->GetItemText(Index,3);
+	swscanf_s(Temp.GetBuffer()+2,L"%p",&Data.ulFuncAddress);
+
+	BOOL dwRet = FALSE;
+
+	if (g_hDevice==NULL)
+	{
+		return;
+	}
+
+	DWORD dwReturnSize = 0;
+
+
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_RESUMESSDT),
+		&Data,
+		sizeof(Data),
+		NULL,
+		0,
+		&dwReturnSize,
+		NULL);
+
+	if (dwRet==0)
+	{
+		return;
+	}
+
+	m_ListCtrl->SetItemText(Index,5,L"Õý³£");
+	m_ListCtrl->SetItemData(Index,0);
+
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/SSDTFunc.h b/arkProject/HeavenShadow/HeavenShadow/SSDTFunc.h
new file mode 100644
index 0000000..124aa35
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SSDTFunc.h
@@ -0,0 +1,45 @@
+#pragma once
+#include "stdafx.h"
+
+typedef struct _SSDT_INFO
+{
+	ULONG_PTR	Id;
+	ULONG_PTR	CurAddr;
+	ULONG_PTR	OriAddr;
+	CHAR	    szFuncName[80];
+}SSDT_INFO, *PSSDT_INFO;
+
+typedef struct _RESUME_DATA_ 
+{
+	ULONG ulIndex;
+	ULONG_PTR ulFuncAddress;
+}RESUME_DATA,*PRESUME_DATA;
+
+VOID HsInitSSDTList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadSSDTList(CListCtrl *m_ListCtrl);
+
+VOID HsQuerySSDTList(CListCtrl *m_ListCtrl);
+
+BOOL GetNtosImageBase();
+
+BOOL GetNtosNameAndBase();
+
+BOOL GetTempNtosName();
+
+BOOL GetKiServiceTable();
+
+
+BOOL InitDataOfSSDT();
+
+BOOL EnumSSDT(SSDT_INFO* si);
+
+ULONG_PTR HsGetFunctionOriginalAddress(ULONG_PTR dwIndex);
+
+BOOL SendIoCodeSSDT(DWORD dwFuncIndex,PULONG_PTR SSDTCurAddr);
+
+BOOL EnumDriver();
+
+CString GetDriverPath(ULONG_PTR Address);
+
+void HsResumeSSDTHook(CListCtrl* m_ListCtrl);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/SSSDTFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/SSSDTFunc.cpp
new file mode 100644
index 0000000..1e6d4d6
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SSSDTFunc.cpp
@@ -0,0 +1,390 @@
+#include "stdafx.h"
+#include "SSDTFunc.h"
+#include "SSSDTFunc.h"
+#include "ModuleFunc.h"
+#include "Common.h"
+#include <vector>
+#include <Strsafe.h>
+
+using namespace std;
+
+extern vector<DRIVER_INFO> m_DriverList;
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+extern CHAR XPProcName[667][100];
+extern CHAR WIN7ProcName[827][100];
+
+char* m_szTempWin32k;
+ULONG_PTR m_Win32kServiceTable = 0;
+ULONG_PTR m_Win32kBase = 0;
+ULONG_PTR m_Win32kImageBase = 0;
+ULONG_PTR m_TempWin32kBase = 0;
+BOOL      m_bSSSDTOk = FALSE;
+
+COLUMNSTRUCT g_Column_SSSDT[] = 
+{
+	{	L"ÐòºÅ",					50	},
+	{	L"º¯ÊýÃû³Æ",				145	},
+	{	L"º¯Êýµ±Ç°µØÖ·",			125	},
+	{	L"º¯ÊýÔ­µØÖ·",			125	},
+	{	L"Ä£¿éÎÄ¼þ",				195	},
+	{	L"×´Ì¬",					85	}
+};
+
+
+UINT g_Column_SSSDT_Count  = 6;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitSSSDTList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_SSSDT_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_SSSDT[i].szTitle,LVCFMT_LEFT,(int)(g_Column_SSSDT[i].nWidth*(dpix/96.0)));
+	}
+
+}
+
+VOID HsLoadSSSDTList(CListCtrl *m_ListCtrl)
+{
+// 	if (bIsChecking == TRUE)
+// 	{
+// 		return;
+// 	}
+
+// 	while(bIsChecking == TRUE)
+// 	{
+// 		Sleep(10);
+// 	}
+
+
+	HsSendStatusDetail(L"ShadowSSDTÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"ShadowSSDT");
+
+	HsQuerySSSDTList(m_ListCtrl);
+
+	
+	bIsChecking = FALSE;
+}
+
+
+VOID HsQuerySSSDTList(CListCtrl *m_ListCtrl)
+{
+	SSSDT_INFO si[0x1000];
+
+	if(EnumDriver()==FALSE)
+	{
+		return;
+	}
+
+	EnumSSSDT(si,m_ListCtrl);
+}
+
+
+
+
+BOOL EnumSSSDT(SSSDT_INFO* si, CListCtrl* m_ListCtrl)
+{
+
+	m_ListCtrl->DeleteAllItems();
+	ULONG_PTR SSSDTFuncCount = 0;
+	ULONG_PTR HookFuncCount = 0;
+
+
+	ULONG_PTR SSSDTOriAddr = 0;
+	ULONG_PTR SSSDTCurAddr = 0;
+
+	switch(WinVersion)
+	{
+	case Windows7:
+		{
+
+			int i = 0;
+			int j = 0;
+			for (i=0;i<sizeof(WIN7ProcName)/100;i++)
+			{
+
+
+				SendIoCodeSSSDT(i,&SSSDTCurAddr);
+				SSSDTOriAddr = GetOriSSSDTAddress(i);
+
+
+				si[SSSDTFuncCount].Id = i;
+				si[SSSDTFuncCount].CurAddr = SSSDTCurAddr;
+				si[SSSDTFuncCount].OriAddr = SSSDTOriAddr;
+				strcpy_s(si[SSSDTFuncCount].szFuncName,WIN7ProcName[i]);
+
+
+				if (SSSDTCurAddr!=SSSDTOriAddr)
+				{
+					HookFuncCount++;
+				}
+
+				SSSDTFuncCount++;
+			}
+
+			CString strIndex;
+			for (i=0;i<SSSDTFuncCount;i++)
+			{
+
+				strIndex.Format(L"%d",si[i].Id);
+				int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strIndex);
+
+				CString strFuncName(si[i].szFuncName);
+				m_ListCtrl->SetItemText(n,1,strFuncName);
+
+				CString strCurAddr;
+				strCurAddr.Format(L"0x%p",si[i].CurAddr);
+				m_ListCtrl->SetItemText(n,2,strCurAddr);
+
+				CString strOrigAddr;
+				strOrigAddr.Format(L"0x%p",si[i].OriAddr);
+				m_ListCtrl->SetItemText(n,3,strOrigAddr);
+
+
+				CString strPath;
+
+				strPath = GetDriverPath(si[i].CurAddr);
+				m_ListCtrl->SetItemText(n,4,strPath);
+
+				CString strType;
+				if (si[i].OriAddr!=si[i].CurAddr)
+				{
+					m_ListCtrl->SetItemData(n,1);
+
+					strType = L"SSSDTHook";
+				}
+				else
+				{
+					strType = L"Õý³£";
+				}
+
+
+				m_ListCtrl->SetItemText(n,5,strType);
+
+				if (_wcsnicmp(L"Õý³£",strType,wcslen(L"Õý³£"))!=0)
+				{
+					j+=1;
+				}
+
+				CString StatusBarContext;
+				StatusBarContext.Format(L"ShadowSSDTÕýÔÚ¼ÓÔØ¡£ ShadowSSDTº¯Êý£º%d£¬¹Ò¹³º¯Êý£º%d",i+1,j);
+
+				HsSendStatusDetail(StatusBarContext);
+
+
+
+			}
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"ShadowSSDT¼ÓÔØÍê³É¡£ ShadowSSDTº¯Êý£º%d£¬¹Ò¹³º¯Êý£º%d",SSSDTFuncCount,HookFuncCount);
+
+			HsSendStatusDetail(StatusBarContext);
+
+			break;
+		}
+
+	case WindowsXP:
+		{
+
+			int i = 0;
+			int j = 0;
+			for (i=0;i<sizeof(XPProcName)/100;i++)
+			{
+
+
+				SendIoCodeSSSDT(i,&SSSDTCurAddr);
+				SSSDTOriAddr = GetOriSSSDTAddress(i);
+
+
+				si[SSSDTFuncCount].Id = i;
+				si[SSSDTFuncCount].CurAddr = SSSDTCurAddr;
+				si[SSSDTFuncCount].OriAddr = SSSDTOriAddr;
+				strcpy_s(si[SSSDTFuncCount].szFuncName,XPProcName[i]);
+
+
+				if (SSSDTCurAddr!=SSSDTOriAddr)
+				{
+					HookFuncCount++;
+				}
+
+				SSSDTFuncCount++;
+
+			}
+
+			CString strIndex;
+			for (i=0;i<SSSDTFuncCount;i++)
+			{
+
+				strIndex.Format(L"%d",si[i].Id);
+				int n = m_ListCtrl->InsertItem(m_ListCtrl->GetItemCount(),strIndex);
+
+				CString strFuncName(si[i].szFuncName);
+				m_ListCtrl->SetItemText(n,1,strFuncName);
+
+				CString strCurAddr;
+				strCurAddr.Format(L"0x%p",si[i].CurAddr);
+				m_ListCtrl->SetItemText(n,2,strCurAddr);
+
+				CString strOrigAddr;
+				strOrigAddr.Format(L"0x%p",si[i].OriAddr);
+				m_ListCtrl->SetItemText(n,3,strOrigAddr);
+
+
+				CString strPath;
+
+
+
+				strPath = GetDriverPath(si[i].CurAddr);
+				m_ListCtrl->SetItemText(n,4,strPath);
+
+
+				CString strType;
+				if (si[i].OriAddr!=si[i].CurAddr)
+				{
+					m_ListCtrl->SetItemData(n,1);
+
+					strType = L"SSSDTHook";
+				}
+				else
+				{
+					strType = L"Õý³£";
+				}
+
+				m_ListCtrl->SetItemText(n,5,strType);
+
+
+				if (_wcsnicmp(L"Õý³£",strType,wcslen(L"Õý³£"))!=0)
+				{
+					j+=1;
+				}
+
+				CString StatusBarContext;
+				StatusBarContext.Format(L"ShadowSSDTÕýÔÚ¼ÓÔØ¡£ ShadowSSDTº¯Êý£º%d£¬¹Ò¹³º¯Êý£º%d",i+1,j);
+
+				HsSendStatusDetail(StatusBarContext);
+
+			}
+
+			CString StatusBarContext;
+			StatusBarContext.Format(L"ShadowSSDT¼ÓÔØÍê³É¡£ ShadowSSDTº¯Êý£º%d£¬¹Ò¹³º¯Êý£º%d",SSSDTFuncCount,HookFuncCount);
+
+			HsSendStatusDetail(StatusBarContext);
+
+			break;
+		}
+	}
+
+	return TRUE;
+}
+
+
+
+VOID SendIoCodeSSSDT(DWORD dwFuncIndex,PULONG_PTR SSSDTCurAddr)
+{
+	DWORD dwReturnSize = 0;
+	DWORD dwRet = 0;
+
+	//·¢ËÍIO ¿ØÖÆÂë
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_SSSDTLIST),
+		&dwFuncIndex,
+		sizeof(DWORD),
+		SSSDTCurAddr,
+		sizeof(ULONG_PTR),
+		&dwReturnSize,
+		NULL);
+
+
+	if (dwRet==0)
+	{
+		return;
+	}
+
+	return;
+}
+
+
+ULONG_PTR GetOriSSSDTAddress(ULONG_PTR Index)
+{
+
+	m_szTempWin32k = HsGetTempWin32k();
+
+	if(m_Win32kServiceTable==0 )
+	{
+		SendIoCodeWin32kServiceTable();
+	}
+
+	if(m_Win32kBase==0 )
+	{
+		m_Win32kBase = HsGetWin32kBase();
+	}
+	if(m_Win32kImageBase==0)
+	{
+		if(!CopyFileA(Strcat(HsGetSystemDir(),"win32k.sys"),m_szTempWin32k,0))
+		{
+			return 0;
+		}
+		m_Win32kImageBase = HsGetWin32kImageBase(m_szTempWin32k);
+	}
+	if( m_TempWin32kBase==0 )
+	{
+		m_TempWin32kBase = (ULONG_PTR)LoadLibraryExA(m_szTempWin32k,0, DONT_RESOLVE_DLL_REFERENCES);
+	}
+
+
+	if (m_bSSSDTOk==FALSE)
+	{
+		if(!HsReloc(m_TempWin32kBase,m_Win32kBase))
+		{
+			return 0;
+		}
+
+		m_bSSSDTOk = TRUE;
+	}
+
+	ULONG_PTR RVA = m_Win32kServiceTable - m_Win32kBase;
+	ULONG_PTR Address = *(ULONG_PTR*)(m_TempWin32kBase+RVA+sizeof(ULONG_PTR)*Index);
+
+
+
+	return Address;
+}
+
+
+
+VOID SendIoCodeWin32kServiceTable()
+{
+	DWORD dwReturnSize = 0;
+	DWORD dwRet = 0;
+
+	//·¢ËÍIO ¿ØÖÆÂë
+	dwRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_KRNL_WIN32KSERVICE),   //
+		NULL,
+		0,
+		&m_Win32kServiceTable,
+		sizeof(ULONG_PTR),
+		&dwReturnSize,
+		NULL);
+
+
+	if (dwRet==0)
+	{
+		return;
+	}
+
+	return;
+}
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/SSSDTFunc.h b/arkProject/HeavenShadow/HeavenShadow/SSSDTFunc.h
new file mode 100644
index 0000000..c646562
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SSSDTFunc.h
@@ -0,0 +1,29 @@
+#pragma once
+#include "stdafx.h"
+
+typedef struct _SSSDT_INFO
+{
+	ULONG_PTR	Id;
+	ULONG_PTR	CurAddr;
+	ULONG_PTR	OriAddr;
+	CHAR	    szFuncName[100];
+}SSSDT_INFO, *PSSSDT_INFO;
+
+
+VOID HsInitSSSDTList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadSSSDTList(CListCtrl *m_ListCtrl);
+
+VOID HsQuerySSSDTList(CListCtrl *m_ListCtrl);
+
+BOOL EnumSSSDT(SSSDT_INFO* si, CListCtrl* m_ListCtrl);
+
+VOID SendIoCodeSSSDT(DWORD dwFuncIndex,PULONG_PTR SSSDTCurAddr);
+
+ULONG_PTR GetOriSSSDTAddress(ULONG_PTR Index);
+
+VOID SendIoCodeWin32kServiceTable();
+
+
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/SSSDTName.cpp b/arkProject/HeavenShadow/HeavenShadow/SSSDTName.cpp
new file mode 100644
index 0000000..01eadc4
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SSSDTName.cpp
@@ -0,0 +1,1509 @@
+#include "stdafx.h"
+
+
+
+CHAR XPProcName[667][100]=
+{
+	"NtGdiAbortDoc"
+	,"NtGdiAbortPath"
+	,"NtGdiAddFontResourceW"
+	,"NtGdiAddRemoteFontToDC"
+	,"NtGdiAddFontMemResourceEx"
+	,"NtGdiRemoveMergeFont"
+	,"NtGdiAddRemoteMMInstanceToDC"
+	,"NtGdiAlphaBlend"
+	,"NtGdiAngleArc"
+	,"NtGdiAnyLinkedFonts"
+	,"NtGdiFontIsLinked"
+	,"NtGdiArcInternal"
+	,"NtGdiBeginPath"
+	,"NtGdiBitBlt"
+	,"NtGdiCancelDC"
+	,"NtGdiCheckBitmapBits"
+	,"NtGdiCloseFigure"
+	,"NtGdiClearBitmapAttributes"
+	,"NtGdiClearBrushAttributes"
+	,"NtGdiColorCorrectPalette"
+	,"NtGdiCombineRgn"
+	,"NtGdiCombineTransform"
+	,"NtGdiComputeXformCoefficients"
+	,"NtGdiConsoleTextOut"
+	,"NtGdiConvertMetafileRect"
+	,"NtGdiCreateBitmap"
+	,"NtGdiCreateClientObj"
+	,"NtGdiCreateColorSpace"
+	,"NtGdiCreateColorTransform"
+	,"NtGdiCreateCompatibleBitmap"
+	,"NtGdiCreateCompatibleDC"
+	,"NtGdiCreateDIBBrush"
+	,"NtGdiCreateDIBitmapInternal"
+	,"NtGdiCreateDIBSection"
+	,"NtGdiCreateEllipticRgn"
+	,"NtGdiCreateHalftonePalette"
+	,"NtGdiCreateHatchBrushInternal"
+	,"NtGdiCreateMetafileDC"
+	,"NtGdiCreatePaletteInternal"
+	,"NtGdiCreatePatternBrushInternal"
+	,"NtGdiCreatePen"
+	,"NtGdiCreateRectRgn"
+	,"NtGdiCreateRoundRectRgn"
+	,"NtGdiCreateServerMetaFile"
+	,"NtGdiCreateSolidBrush"
+	,"NtGdiD3dContextCreate"
+	,"NtGdiD3dContextDestroy"
+	,"NtGdiD3dContextDestroyAll"
+	,"NtGdiD3dValidateTextureStageState"
+	,"NtGdiD3dDrawPrimitives2"
+	,"NtGdiDdGetDriverState"
+	,"NtGdiDdAddAttachedSurface"
+	,"NtGdiDdAlphaBlt"
+	,"NtGdiDdAttachSurface"
+	,"NtGdiDdBeginMoCompFrame"
+	,"NtGdiDdBlt"
+	,"NtGdiDdCanCreateSurface"
+	,"NtGdiDdCanCreateD3DBuffer"
+	,"NtGdiDdColorControl"
+	,"NtGdiDdCreateDirectDrawObject"
+	,"NtGdiDdCreateSurface"
+	,"NtGdiDdCreateD3DBuffer"
+	,"NtGdiDdCreateMoComp"
+	,"NtGdiDdCreateSurfaceObject"
+	,"NtGdiDdDeleteDirectDrawObject"
+	,"NtGdiDdDeleteSurfaceObject"
+	,"NtGdiDdDestroyMoComp"
+	,"NtGdiDdDestroySurface"
+	,"NtGdiDdDestroyD3DBuffer"
+	,"NtGdiDdEndMoCompFrame"
+	,"NtGdiDdFlip"
+	,"NtGdiDdFlipToGDISurface"
+	,"NtGdiDdGetAvailDriverMemory"
+	,"NtGdiDdGetBltStatus"
+	,"NtGdiDdGetDC"
+	,"NtGdiDdGetDriverInfo"
+	,"NtGdiDdGetDxHandle"
+	,"NtGdiDdGetFlipStatus"
+	,"NtGdiDdGetInternalMoCompInfo"
+	,"NtGdiDdGetMoCompBuffInfo"
+	,"NtGdiDdGetMoCompGuids"
+	,"NtGdiDdGetMoCompFormats"
+	,"NtGdiDdGetScanLine"
+	,"NtGdiDdLock"
+	,"NtGdiDdLockD3D"
+	,"NtGdiDdQueryDirectDrawObject"
+	,"NtGdiDdQueryMoCompStatus"
+	,"NtGdiDdReenableDirectDrawObject"
+	,"NtGdiDdReleaseDC"
+	,"NtGdiDdRenderMoComp"
+	,"NtGdiDdResetVisrgn"
+	,"NtGdiDdSetColorKey"
+	,"NtGdiDdSetExclusiveMode"
+	,"NtGdiDdSetGammaRamp"
+	,"NtGdiDdCreateSurfaceEx"
+	,"NtGdiDdSetOverlayPosition"
+	,"NtGdiDdUnattachSurface"
+	,"NtGdiDdUnlock"
+	,"NtGdiDdUnlockD3D"
+	,"NtGdiDdUpdateOverlay"
+	,"NtGdiDdWaitForVerticalBlank"
+	,"NtGdiDvpCanCreateVideoPort"
+	,"NtGdiDvpColorControl"
+	,"NtGdiDvpCreateVideoPort"
+	,"NtGdiDvpDestroyVideoPort"
+	,"NtGdiDvpFlipVideoPort"
+	,"NtGdiDvpGetVideoPortBandwidth"
+	,"NtGdiDvpGetVideoPortField"
+	,"NtGdiDvpGetVideoPortFlipStatus"
+	,"NtGdiDvpGetVideoPortInputFormats"
+	,"NtGdiDvpGetVideoPortLine"
+	,"NtGdiDvpGetVideoPortOutputFormats"
+	,"NtGdiDvpGetVideoPortConnectInfo"
+	,"NtGdiDvpGetVideoSignalStatus"
+	,"NtGdiDvpUpdateVideoPort"
+	,"NtGdiDvpWaitForVideoPortSync"
+	,"NtGdiDvpAcquireNotification"
+	,"NtGdiDvpReleaseNotification"
+	,"NtGdiDxgGenericThunk"
+	,"NtGdiDeleteClientObj"
+	,"NtGdiDeleteColorSpace"
+	,"NtGdiDeleteColorTransform"
+	,"NtGdiDeleteObjectApp"
+	,"NtGdiDescribePixelFormat"
+	,"NtGdiGetPerBandInfo"
+	,"NtGdiDoBanding"
+	,"NtGdiDoPalette"
+	,"NtGdiDrawEscape"
+	,"NtGdiEllipse"
+	,"NtGdiEnableEudc"
+	,"NtGdiEndDoc"
+	,"NtGdiEndPage"
+	,"NtGdiEndPath"
+	,"NtGdiEnumFontChunk"
+	,"NtGdiEnumFontClose"
+	,"NtGdiEnumFontOpen"
+	,"NtGdiEnumObjects"
+	,"NtGdiEqualRgn"
+	,"NtGdiEudcLoadUnloadLink"
+	,"NtGdiExcludeClipRect"
+	,"NtGdiExtCreatePen"
+	,"NtGdiExtCreateRegion"
+	,"NtGdiExtEscape"
+	,"NtGdiExtFloodFill"
+	,"NtGdiExtGetObjectW"
+	,"NtGdiExtSelectClipRgn"
+	,"NtGdiExtTextOutW"
+	,"NtGdiFillPath"
+	,"NtGdiFillRgn"
+	,"NtGdiFlattenPath"
+	,"NtGdiFlushUserBatch"
+	,"NtGdiFlush"
+	,"NtGdiForceUFIMapping"
+	,"NtGdiFrameRgn"
+	,"NtGdiFullscreenControl"
+	,"NtGdiGetAndSetDCDword"
+	,"NtGdiGetAppClipBox"
+	,"NtGdiGetBitmapBits"
+	,"NtGdiGetBitmapDimension"
+	,"NtGdiGetBoundsRect"
+	,"NtGdiGetCharABCWidthsW"
+	,"NtGdiGetCharacterPlacementW"
+	,"NtGdiGetCharSet"
+	,"NtGdiGetCharWidthW"
+	,"NtGdiGetCharWidthInfo"
+	,"NtGdiGetColorAdjustment"
+	,"NtGdiGetColorSpaceforBitmap"
+	,"NtGdiGetDCDword"
+	,"NtGdiGetDCforBitmap"
+	,"NtGdiGetDCObject"
+	,"NtGdiGetDCPoint"
+	,"NtGdiGetDeviceCaps"
+	,"NtGdiGetDeviceGammaRamp"
+	,"NtGdiGetDeviceCapsAll"
+	,"NtGdiGetDIBitsInternal"
+	,"NtGdiGetETM"
+	,"NtGdiGetEudcTimeStampEx"
+	,"NtGdiGetFontData"
+	,"NtGdiGetFontResourceInfoInternalW"
+	,"NtGdiGetGlyphIndicesW"
+	,"NtGdiGetGlyphIndicesWInternal"
+	,"NtGdiGetGlyphOutline"
+	,"NtGdiGetKerningPairs"
+	,"NtGdiGetLinkedUFIs"
+	,"NtGdiGetMiterLimit"
+	,"NtGdiGetMonitorID"
+	,"NtGdiGetNearestColor"
+	,"NtGdiGetNearestPaletteIndex"
+	,"NtGdiGetObjectBitmapHandle"
+	,"NtGdiGetOutlineTextMetricsInternalW"
+	,"NtGdiGetPath"
+	,"NtGdiGetPixel"
+	,"NtGdiGetRandomRgn"
+	,"NtGdiGetRasterizerCaps"
+	,"NtGdiGetRealizationInfo"
+	,"NtGdiGetRegionData"
+	,"NtGdiGetRgnBox"
+	,"NtGdiGetServerMetaFileBits"
+	,"NtGdiGetSpoolMessage"
+	,"NtGdiGetStats"
+	,"NtGdiGetStockObject"
+	,"NtGdiGetStringBitmapW"
+	,"NtGdiGetSystemPaletteUse"
+	,"NtGdiGetTextCharsetInfo"
+	,"NtGdiGetTextExtent"
+	,"NtGdiGetTextExtentExW"
+	,"NtGdiGetTextFaceW"
+	,"NtGdiGetTextMetricsW"
+	,"NtGdiGetTransform"
+	,"NtGdiGetUFI"
+	,"NtGdiGetEmbUFI"
+	,"NtGdiGetUFIPathname"
+	,"NtGdiGetEmbedFonts"
+	,"NtGdiChangeGhostFont"
+	,"NtGdiAddEmbFontToDC"
+	,"NtGdiGetFontUnicodeRanges"
+	,"NtGdiGetWidthTable"
+	,"NtGdiGradientFill"
+	,"NtGdiHfontCreate"
+	,"NtGdiIcmBrushInfo"
+	,"NtGdiInit"
+	,"NtGdiInitSpool"
+	,"NtGdiIntersectClipRect"
+	,"NtGdiInvertRgn"
+	,"NtGdiLineTo"
+	,"NtGdiMakeFontDir"
+	,"NtGdiMakeInfoDC"
+	,"NtGdiMaskBlt"
+	,"NtGdiModifyWorldTransform"
+	,"NtGdiMonoBitmap"
+	,"NtGdiMoveTo"
+	,"NtGdiOffsetClipRgn"
+	,"NtGdiOffsetRgn"
+	,"NtGdiOpenDCW"
+	,"NtGdiPatBlt"
+	,"NtGdiPolyPatBlt"
+	,"NtGdiPathToRegion"
+	,"NtGdiPlgBlt"
+	,"NtGdiPolyDraw"
+	,"NtGdiPolyPolyDraw"
+	,"NtGdiPolyTextOutW"
+	,"NtGdiPtInRegion"
+	,"NtGdiPtVisible"
+	,"NtGdiQueryFonts"
+	,"NtGdiQueryFontAssocInfo"
+	,"NtGdiRectangle"
+	,"NtGdiRectInRegion"
+	,"NtGdiRectVisible"
+	,"NtGdiRemoveFontResourceW"
+	,"NtGdiRemoveFontMemResourceEx"
+	,"NtGdiResetDC"
+	,"NtGdiResizePalette"
+	,"NtGdiRestoreDC"
+	,"NtGdiRoundRect"
+	,"NtGdiSaveDC"
+	,"NtGdiScaleViewportExtEx"
+	,"NtGdiScaleWindowExtEx"
+	,"NtGdiSelectBitmap"
+	,"NtGdiSelectBrush"
+	,"NtGdiSelectClipPath"
+	,"NtGdiSelectFont"
+	,"NtGdiSelectPen"
+	,"NtGdiSetBitmapAttributes"
+	,"NtGdiSetBitmapBits"
+	,"NtGdiSetBitmapDimension"
+	,"NtGdiSetBoundsRect"
+	,"NtGdiSetBrushAttributes"
+	,"NtGdiSetBrushOrg"
+	,"NtGdiSetColorAdjustment"
+	,"NtGdiSetColorSpace"
+	,"NtGdiSetDeviceGammaRamp"
+	,"NtGdiSetDIBitsToDeviceInternal"
+	,"NtGdiSetFontEnumeration"
+	,"NtGdiSetFontXform"
+	,"NtGdiSetIcmMode"
+	,"NtGdiSetLinkedUFIs"
+	,"NtGdiSetMagicColors"
+	,"NtGdiSetMetaRgn"
+	,"NtGdiSetMiterLimit"
+	,"NtGdiGetDeviceWidth"
+	,"NtGdiMirrorWindowOrg"
+	,"NtGdiSetLayout"
+	,"NtGdiSetPixel"
+	,"NtGdiSetPixelFormat"
+	,"NtGdiSetRectRgn"
+	,"NtGdiSetSystemPaletteUse"
+	,"NtGdiSetTextJustification"
+	,"NtGdiSetupPublicCFONT"
+	,"NtGdiSetVirtualResolution"
+	,"NtGdiSetSizeDevice"
+	,"NtGdiStartDoc"
+	,"NtGdiStartPage"
+	,"NtGdiStretchBlt"
+	,"NtGdiStretchDIBitsInternal"
+	,"NtGdiStrokeAndFillPath"
+	,"NtGdiStrokePath"
+	,"NtGdiSwapBuffers"
+	,"NtGdiTransformPoints"
+	,"NtGdiTransparentBlt"
+	,"NtGdiUnloadPrinterDriver"
+	,"NtGdiUnmapMemFont"
+	,"NtGdiUnrealizeObject"
+	,"NtGdiUpdateColors"
+	,"NtGdiWidenPath"
+	,"NtUserActivateKeyboardLayout"
+	,"NtUserAlterWindowStyle"
+	,"NtUserAssociateInputContext"
+	,"NtUserAttachThreadInput"
+	,"NtUserBeginPaint"
+	,"NtUserBitBltSysBmp"
+	,"NtUserBlockInput"
+	,"NtUserBuildHimcList"
+	,"NtUserBuildHwndList"
+	,"NtUserBuildNameList"
+	,"NtUserBuildPropList"
+	,"NtUserCallHwnd"
+	,"NtUserCallHwndLock"
+	,"NtUserCallHwndOpt"
+	,"NtUserCallHwndParam"
+	,"NtUserCallHwndParamLock"
+	,"NtUserCallMsgFilter"
+	,"NtUserCallNextHookEx"
+	,"NtUserCallNoParam"
+	,"NtUserCallOneParam"
+	,"NtUserCallTwoParam"
+	,"NtUserChangeClipboardChain"
+	,"NtUserChangeDisplaySettings"
+	,"NtUserCheckImeHotKey"
+	,"NtUserCheckMenuItem"
+	,"NtUserChildWindowFromPointEx"
+	,"NtUserClipCursor"
+	,"NtUserCloseClipboard"
+	,"NtUserCloseDesktop"
+	,"NtUserCloseWindowStation"
+	,"NtUserConsoleControl"
+	,"NtUserConvertMemHandle"
+	,"NtUserCopyAcceleratorTable"
+	,"NtUserCountClipboardFormats"
+	,"NtUserCreateAcceleratorTable"
+	,"NtUserCreateCaret"
+	,"NtUserCreateDesktop"
+	,"NtUserCreateInputContext"
+	,"NtUserCreateLocalMemHandle"
+	,"NtUserCreateWindowEx"
+	,"NtUserCreateWindowStation"
+	,"NtUserDdeGetQualityOfService"
+	,"NtUserDdeInitialize"
+	,"NtUserDdeSetQualityOfService"
+	,"NtUserDeferWindowPos"
+	,"NtUserDefSetText"
+	,"NtUserDeleteMenu"
+	,"NtUserDestroyAcceleratorTable"
+	,"NtUserDestroyCursor"
+	,"NtUserDestroyInputContext"
+	,"NtUserDestroyMenu"
+	,"NtUserDestroyWindow"
+	,"NtUserDisableThreadIme"
+	,"NtUserDispatchMessage"
+	,"NtUserDragDetect"
+	,"NtUserDragObject"
+	,"NtUserDrawAnimatedRects"
+	,"NtUserDrawCaption"
+	,"NtUserDrawCaptionTemp"
+	,"NtUserDrawIconEx"
+	,"NtUserDrawMenuBarTemp"
+	,"NtUserEmptyClipboard"
+	,"NtUserEnableMenuItem"
+	,"NtUserEnableScrollBar"
+	,"NtUserEndDeferWindowPosEx"
+	,"NtUserEndMenu"
+	,"NtUserEndPaint"
+	,"NtUserEnumDisplayDevices"
+	,"NtUserEnumDisplayMonitors"
+	,"NtUserEnumDisplaySettings"
+	,"NtUserEvent"
+	,"NtUserExcludeUpdateRgn"
+	,"NtUserFillWindow"
+	,"NtUserFindExistingCursorIcon"
+	,"NtUserFindWindowEx"
+	,"NtUserFlashWindowEx"
+	,"NtUserGetAltTabInfo"
+	,"NtUserGetAncestor"
+	,"NtUserGetAppImeLevel"
+	,"NtUserGetAsyncKeyState"
+	,"NtUserGetAtomName"
+	,"NtUserGetCaretBlinkTime"
+	,"NtUserGetCaretPos"
+	,"NtUserGetClassInfo"
+	,"NtUserGetClassName"
+	,"NtUserGetClipboardData"
+	,"NtUserGetClipboardFormatName"
+	,"NtUserGetClipboardOwner"
+	,"NtUserGetClipboardSequenceNumber"
+	,"NtUserGetClipboardViewer"
+	,"NtUserGetClipCursor"
+	,"NtUserGetComboBoxInfo"
+	,"NtUserGetControlBrush"
+	,"NtUserGetControlColor"
+	,"NtUserGetCPD"
+	,"NtUserGetCursorFrameInfo"
+	,"NtUserGetCursorInfo"
+	,"NtUserGetDC"
+	,"NtUserGetDCEx"
+	,"NtUserGetDoubleClickTime"
+	,"NtUserGetForegroundWindow"
+	,"NtUserGetGuiResources"
+	,"NtUserGetGUIThreadInfo"
+	,"NtUserGetIconInfo"
+	,"NtUserGetIconSize"
+	,"NtUserGetImeHotKey"
+	,"NtUserGetImeInfoEx"
+	,"NtUserGetInternalWindowPos"
+	,"NtUserGetKeyboardLayoutList"
+	,"NtUserGetKeyboardLayoutName"
+	,"NtUserGetKeyboardState"
+	,"NtUserGetKeyNameText"
+	,"NtUserGetKeyState"
+	,"NtUserGetListBoxInfo"
+	,"NtUserGetMenuBarInfo"
+	,"NtUserGetMenuIndex"
+	,"NtUserGetMenuItemRect"
+	,"NtUserGetMessage"
+	,"NtUserGetMouseMovePointsEx"
+	,"NtUserGetObjectInformation"
+	,"NtUserGetOpenClipboardWindow"
+	,"NtUserGetPriorityClipboardFormat"
+	,"NtUserGetProcessWindowStation"
+	,"NtUserGetRawInputBuffer"
+	,"NtUserGetRawInputData"
+	,"NtUserGetRawInputDeviceInfo"
+	,"NtUserGetRawInputDeviceList"
+	,"NtUserGetRegisteredRawInputDevices"
+	,"NtUserGetScrollBarInfo"
+	,"NtUserGetSystemMenu"
+	,"NtUserGetThreadDesktop"
+	,"NtUserGetThreadState"
+	,"NtUserGetTitleBarInfo"
+	,"NtUserGetUpdateRect"
+	,"NtUserGetUpdateRgn"
+	,"NtUserGetWindowDC"
+	,"NtUserGetWindowPlacement"
+	,"NtUserGetWOWClass"
+	,"NtUserHardErrorControl"
+	,"NtUserHideCaret"
+	,"NtUserHiliteMenuItem"
+	,"NtUserImpersonateDdeClientWindow"
+	,"NtUserInitialize"
+	,"NtUserInitializeClientPfnArrays"
+	,"NtUserInitTask"
+	,"NtUserInternalGetWindowText"
+	,"NtUserInvalidateRect"
+	,"NtUserInvalidateRgn"
+	,"NtUserIsClipboardFormatAvailable"
+	,"NtUserKillTimer"
+	,"NtUserLoadKeyboardLayoutEx"
+	,"NtUserLockWindowStation"
+	,"NtUserLockWindowUpdate"
+	,"NtUserLockWorkStation"
+	,"NtUserMapVirtualKeyEx"
+	,"NtUserMenuItemFromPoint"
+	,"NtUserMessageCall"
+	,"NtUserMinMaximize"
+	,"NtUserMNDragLeave"
+	,"NtUserMNDragOver"
+	,"NtUserModifyUserStartupInfoFlags"
+	,"NtUserMoveWindow"
+	,"NtUserNotifyIMEStatus"
+	,"NtUserNotifyProcessCreate"
+	,"NtUserNotifyWinEvent"
+	,"NtUserOpenClipboard"
+	,"NtUserOpenDesktop"
+	,"NtUserOpenInputDesktop"
+	,"NtUserOpenWindowStation"
+	,"NtUserPaintDesktop"
+	,"NtUserPeekMessage"
+	,"NtUserPostMessage"
+	,"NtUserPostThreadMessage"
+	,"NtUserPrintWindow"
+	,"NtUserProcessConnect"
+	,"NtUserQueryInformationThread"
+	,"NtUserQueryInputContext"
+	,"NtUserQuerySendMessage"
+	,"NtUserQueryUserCounters"
+	,"NtUserQueryWindow"
+	,"NtUserRealChildWindowFromPoint"
+	,"NtUserRealInternalGetMessage"
+	,"NtUserRealWaitMessageEx"
+	,"NtUserRedrawWindow"
+	,"NtUserRegisterClassExWOW"
+	,"NtUserRegisterUserApiHook"
+	,"NtUserRegisterHotKey"
+	,"NtUserRegisterRawInputDevices"
+	,"NtUserRegisterTasklist"
+	,"NtUserRegisterWindowMessage"
+	,"NtUserRemoveMenu"
+	,"NtUserRemoveProp"
+	,"NtUserResolveDesktop"
+	,"NtUserResolveDesktopForWOW"
+	,"NtUserSBGetParms"
+	,"NtUserScrollDC"
+	,"NtUserScrollWindowEx"
+	,"NtUserSelectPalette"
+	,"NtUserSendInput"
+	,"NtUserSetActiveWindow"
+	,"NtUserSetAppImeLevel"
+	,"NtUserSetCapture"
+	,"NtUserSetClassLong"
+	,"NtUserSetClassWord"
+	,"NtUserSetClipboardData"
+	,"NtUserSetClipboardViewer"
+	,"NtUserSetConsoleReserveKeys"
+	,"NtUserSetCursor"
+	,"NtUserSetCursorContents"
+	,"NtUserSetCursorIconData"
+	,"NtUserSetDbgTag"
+	,"NtUserSetFocus"
+	,"NtUserSetImeHotKey"
+	,"NtUserSetImeInfoEx"
+	,"NtUserSetImeOwnerWindow"
+	,"NtUserSetInformationProcess"
+	,"NtUserSetInformationThread"
+	,"NtUserSetInternalWindowPos"
+	,"NtUserSetKeyboardState"
+	,"NtUserSetLogonNotifyWindow"
+	,"NtUserSetMenu"
+	,"NtUserSetMenuContextHelpId"
+	,"NtUserSetMenuDefaultItem"
+	,"NtUserSetMenuFlagRtoL"
+	,"NtUserSetObjectInformation"
+	,"NtUserSetParent"
+	,"NtUserSetProcessWindowStation"
+	,"NtUserSetProp"
+	,"NtUserSetRipFlags"
+	,"NtUserSetScrollInfo"
+	,"NtUserSetShellWindowEx"
+	,"NtUserSetSysColors"
+	,"NtUserSetSystemCursor"
+	,"NtUserSetSystemMenu"
+	,"NtUserSetSystemTimer"
+	,"NtUserSetThreadDesktop"
+	,"NtUserSetThreadLayoutHandles"
+	,"NtUserSetThreadState"
+	,"NtUserSetTimer"
+	,"NtUserSetWindowFNID"
+	,"NtUserSetWindowLong"
+	,"NtUserSetWindowPlacement"
+	,"NtUserSetWindowPos"
+	,"NtUserSetWindowRgn"
+	,"NtUserSetWindowsHookAW"
+	,"NtUserSetWindowsHookEx"
+	,"NtUserSetWindowStationUser"
+	,"NtUserSetWindowWord"
+	,"NtUserSetWinEventHook"
+	,"NtUserShowCaret"
+	,"NtUserShowScrollBar"
+	,"NtUserShowWindow"
+	,"NtUserShowWindowAsync"
+	,"NtUserSoundSentry"
+	,"NtUserSwitchDesktop"
+	,"NtUserSystemParametersInfo"
+	,"NtUserTestForInteractiveUser"
+	,"NtUserThunkedMenuInfo"
+	,"NtUserThunkedMenuItemInfo"
+	,"NtUserToUnicodeEx"
+	,"NtUserTrackMouseEvent"
+	,"NtUserTrackPopupMenuEx"
+	,"NtUserCalcMenuBar"
+	,"NtUserPaintMenuBar"
+	,"NtUserTranslateAccelerator"
+	,"NtUserTranslateMessage"
+	,"NtUserUnhookWindowsHookEx"
+	,"NtUserUnhookWinEvent"
+	,"NtUserUnloadKeyboardLayout"
+	,"NtUserUnlockWindowStation"
+	,"NtUserUnregisterClass"
+	,"NtUserUnregisterUserApiHook"
+	,"NtUserUnregisterHotKey"
+	,"NtUserUpdateInputContext"
+	,"NtUserUpdateInstance"
+	,"NtUserUpdateLayeredWindow"
+	,"NtUserGetLayeredWindowAttributes"
+	,"NtUserSetLayeredWindowAttributes"
+	,"NtUserUpdatePerUserSystemParameters"
+	,"NtUserUserHandleGrantAccess"
+	,"NtUserValidateHandleSecure"
+	,"NtUserValidateRect"
+	,"NtUserValidateTimerCallback"
+	,"NtUserVkKeyScanEx"
+	,"NtUserWaitForInputIdle"
+	,"NtUserWaitForMsgAndEvent"
+	,"NtUserWaitMessage"
+	,"NtUserWin32PoolAllocationStats"
+	,"NtUserWindowFromPoint"
+	,"NtUserYieldTask"
+	,"NtUserRemoteConnect"
+	,"NtUserRemoteRedrawRectangle"
+	,"NtUserRemoteRedrawScreen"
+	,"NtUserRemoteStopScreenUpdates"
+	,"NtUserCtxDisplayIOCtl"
+	,"NtGdiEngAssociateSurface"
+	,"NtGdiEngCreateBitmap"
+	,"NtGdiEngCreateDeviceSurface"
+	,"NtGdiEngCreateDeviceBitmap"
+	,"NtGdiEngCreatePalette"
+	,"NtGdiEngComputeGlyphSet"
+	,"NtGdiEngCopyBits"
+	,"NtGdiEngDeletePalette"
+	,"NtGdiEngDeleteSurface"
+	,"NtGdiEngEraseSurface"
+	,"NtGdiEngUnlockSurface"
+	,"NtGdiEngLockSurface"
+	,"NtGdiEngBitBlt"
+	,"NtGdiEngStretchBlt"
+	,"NtGdiEngPlgBlt"
+	,"NtGdiEngMarkBandingSurface"
+	,"NtGdiEngStrokePath"
+	,"NtGdiEngFillPath"
+	,"NtGdiEngStrokeAndFillPath"
+	,"NtGdiEngPaint"
+	,"NtGdiEngLineTo"
+	,"NtGdiEngAlphaBlend"
+	,"NtGdiEngGradientFill"
+	,"NtGdiEngTransparentBlt"
+	,"NtGdiEngTextOut"
+	,"NtGdiEngStretchBltROP"
+	,"NtGdiXLATEOBJ_cGetPalette"
+	,"NtGdiXLATEOBJ_iXlate"
+	,"NtGdiXLATEOBJ_hGetColorTransform"
+	,"NtGdiCLIPOBJ_bEnum"
+	,"NtGdiCLIPOBJ_cEnumStart"
+	,"NtGdiCLIPOBJ_ppoGetPath"
+	,"NtGdiEngDeletePath"
+	,"NtGdiEngCreateClip"
+	,"NtGdiEngDeleteClip"
+	,"NtGdiBRUSHOBJ_ulGetBrushColor"
+	,"NtGdiBRUSHOBJ_pvAllocRbrush"
+	,"NtGdiBRUSHOBJ_pvGetRbrush"
+	,"NtGdiBRUSHOBJ_hGetColorTransform"
+	,"NtGdiXFORMOBJ_bApplyXform"
+	,"NtGdiXFORMOBJ_iGetXform"
+	,"NtGdiFONTOBJ_vGetInfo"
+	,"NtGdiFONTOBJ_pxoGetXform"
+	,"NtGdiFONTOBJ_cGetGlyphs"
+	,"NtGdiFONTOBJ_pifi"
+	,"NtGdiFONTOBJ_pfdg"
+	,"NtGdiFONTOBJ_pQueryGlyphAttrs"
+	,"NtGdiFONTOBJ_pvTrueTypeFontFile"
+	,"NtGdiFONTOBJ_cGetAllGlyphHandles"
+	,"NtGdiSTROBJ_bEnum"
+	,"NtGdiSTROBJ_bEnumPositionsOnly"
+	,"NtGdiSTROBJ_bGetAdvanceWidths"
+	,"NtGdiSTROBJ_vEnumStart"
+	,"NtGdiSTROBJ_dwGetCodePage"
+	,"NtGdiPATHOBJ_vGetBounds"
+	,"NtGdiPATHOBJ_bEnum"
+	,"NtGdiPATHOBJ_vEnumStart"
+	,"NtGdiPATHOBJ_vEnumStartClipLines"
+	,"NtGdiPATHOBJ_bEnumClipLines"
+	,"NtGdiGetDhpdev"
+	,"NtGdiEngCheckAbort"
+	,"NtGdiHT_Get8BPPFormatPalette"
+	,"NtGdiHT_Get8BPPMaskPalette"
+	,"NtGdiUpdateTransform"
+	,"NtGdiSetPUMPDOBJ"
+	,"NtGdiBRUSHOBJ_DeleteRbrush"
+	,"NtGdiUnmapMemFont"
+	,"NtGdiDrawStream"
+};
+
+
+
+
+
+CHAR WIN7ProcName[827][100]=
+{
+	"NtUserGetThreadState"          //0
+	,"NtUserPeekMessage"            //1
+	,"NtUserCallOneParam"           //2
+	,"NtUserGetKeyState"            //3
+	,"NtUserInvalidateRect"         //4
+	,"NtUserCallNoParam"            //5
+	,"NtUserGetMessage"             //6
+	,"NtUserMessageCall"            //7
+	,"NtGdiBitBlt"                  //8
+	,"NtGdiGetCharSet"              //9
+	,"NtUserGetDC"                  //10 
+	,"NtGdiSelectBitmap"			//11
+	,"NtUserWaitMessage"			//12
+	,"NtUserTranslateMessage"		//13
+	,"NtUserGetProp"			    //14
+	,"NtUserPostMessage"            //15
+	,"NtUserQueryWindow"            //16
+	,"NtUserTranslateAccelerator"   //17
+	,"NtGdiFlush"                   //18
+	,"NtUserRedrawWindow"           //19
+	,"NtUserWindowFromPoint"        //20
+	,"NtUserCallMsgFilter"          //21
+	,"NtUserValidateTimerCallback"  //22
+	,"NtUserBeginPaint"             //23
+	,"NtUserSetTimer"               //24
+	,"NtUserEndPaint"               //25
+	,"NtUserSetCursor"              //26
+	,"NtUserKillTimer"              //27
+	,"NtUserBuildHwndList"          //28
+	,"NtUserSelectPalette"          //29
+	,"NtUserCallNextHookEx"         //30 
+	,"NtUserHideCaret"              //31 
+	,"NtGdiIntersectClipRect"       //32
+	,"NtUserCallHwndLock"           //33 
+	,"NtUserGetProcessWindowStation"//34
+	,"NtGdiDeleteObjectApp"         //35
+	,"NtUserSetWindowPos"           //36
+	,"NtUserShowCaret"              //37
+	,"NtUserEndDeferWindowPosEx"    //38
+	,"NtUserCallHwndParamLock"      //39
+	,"NtUserVkKeyScanEx"            //40
+	,"NtGdiSetDIBitsToDeviceInternal"//41
+	,"NtUserCallTwoParam"           //42   
+	,"NtGdiGetRandomRgn"            //43
+	,"NtUserCopyAcceleratorTable"   //44
+	,"NtUserNotifyWinEvent"         //45 
+	,"NtGdiExtSelectClipRgn"        //46 
+	,"NtUserIsClipboardFormatAvailable"//47
+	,"NtUserSetScrollInfo"          //48
+	,"NtGdiStretchBlt"              //49
+	,"NtUserCreateCaret"            //50
+	,"NtGdiRectVisible"             //51
+	,"NtGdiCombineRgn"              //52
+	,"NtGdiGetDCObject"             //53
+	,"NtUserDispatchMessage"        //54
+	,"NtUserRegisterWindowMessage"  //55
+	,"NtGdiExtTextOutW"             //56
+	,"NtGdiSelectFont"              //57
+	,"NtGdiRestoreDC"               //58
+	,"NtGdiSaveDC"                  //59
+	,"NtUserGetForegroundWindow"    //60  
+	,"NtUserShowScrollBar"          //61
+	,"NtUserFindExistingCursorIcon" //62
+	,"NtGdiGetDCDword"				//63
+	,"NtGdiGetRegionData"			//64	
+	,"NtGdiLineTo"					//65	
+	,"NtUserSystemParametersInfo"	//66
+	,"NtGdiGetAppClipBox"			//67
+	,"NtUserGetAsyncKeyState"		//68	
+	,"NtUserGetCPD"					//69
+	,"NtUserRemoveProp"				//70
+	,"NtGdiDoPalette"				//71
+	,"NtGdiPolyPolyDraw"            //72
+	,"NtUserSetCapture"				//73
+	,"NtUserEnumDisplayMonitors"    //74
+	,"NtGdiCreateCompatibleBitmap"  //75
+	,"NtUserSetProp"				//76
+	,"NtGdiGetTextCharsetInfo"		//77
+	,"NtUserSBGetParms"				//78
+	,"NtUserGetIconInfo"			//79	
+	,"NtUserExcludeUpdateRgn"		//80
+	,"NtUserSetFocus"				//81
+	,"NtGdiExtGetObjectW"			//82
+	,"NtUserDeferWindowPos"         //83
+	,"NtUserGetUpdateRect"			//84
+	,"NtGdiCreateCompatibleDC"		//85
+	,"NtUserGetClipboardSequenceNumber"//86
+	,"NtGdiCreatePen"				//87
+	,"NtUserShowWindow"				//88
+	,"NtUserGetKeyboardLayoutList"	//89	
+	,"NtGdiPatBlt"                  //90
+	,"NtUserMapVirtualKeyEx"		//91
+	,"NtUserSetWindowLong"			//92
+	,"NtGdiHfontCreate"				//93
+	,"NtUserMoveWindow"				//94
+	,"NtUserPostThreadMessage"      //95
+	,"NtUserDrawIconEx"				//96
+	,"NtUserGetSystemMenu"			//97
+	,"NtGdiDrawStream"				//98
+	,"NtUserInternalGetWindowText"	//99
+	,"NtUserGetWindowDC"			//100
+	,"NtGdiD3dDrawPrimitives2"	    //101
+	,"NtGdiInvertRgn"				//102
+	,"NtGdiGetRgnBox"				//103
+	,"NtGdiGetAndSetDCDword"		//104
+	,"NtGdiMaskBlt"					//105
+	,"NtGdiGetWidthTable"			//106
+	,"NtUserScrollDC"				//107
+	,"NtUserGetObjectInformation"	//108
+	,"NtGdiCreateBitmap"			//109
+	,"NtUserFindWindowEx"			//110
+	,"NtGdiPolyPatBlt"				//111
+	,"NtUserUnhookWindowsHookEx"	//112	
+	,"NtGdiGetNearestColor"			//113
+	,"NtGdiTransformPoints"			//114
+	,"NtGdiGetDCPoint"				//115
+	,"NtGdiCreateDIBBrush"			//116
+	,"NtGdiGetTextMetricsW"         //117 
+	,"NtUserCreateWindowEx"			//118
+	,"NtUserSetParent"				//119
+	,"NtUserGetKeyboardState"		//120	
+	,"NtUserToUnicodeEx"			//121
+	,"NtUserGetControlBrush"		//122
+	,"NtUserGetClassName"			//123
+	,"NtGdiAlphaBlend"				//124
+	,"NtGdiDdBlt"			        //125
+	,"NtGdiOffsetRgn"				//126
+	,"NtUserDefSetText"				//127
+	,"NtGdiGetTextFaceW"			//128
+	,"NtGdiStretchDIBitsInternal"	//129	
+	,"NtUserSendInput"				//130
+	,"NtUserGetThreadDesktop"		//131
+	,"NtGdiCreateRectRgn"			//132
+	,"NtGdiGetDIBitsInternal"		//133
+	,"NtUserGetUpdateRgn"			//134
+	,"NtGdiDeleteClientObj"			//135
+	,"NtUserGetIconSize"			//136
+	,"NtUserFillWindow"				//137
+	,"NtGdiExtCreateRegion"			//138
+	,"NtGdiComputeXformCoefficients"//139
+	,"NtUserSetWindowsHookEx"		//140
+	,"NtUserNotifyProcessCreate"	//141	
+	,"NtGdiUnrealizeObject"			//142
+	,"NtUserGetTitleBarInfo"		//143
+	,"NtGdiRectangle"				//144
+	,"NtUserSetThreadDesktop"		//145	
+	,"NtUserGetDCEx"				//146
+	,"NtUserGetScrollBarInfo"       //147
+	,"NtGdiGetTextExtent"			//148
+	,"NtUserSetWindowFNID"			//149
+	,"NtGdiSetLayout"				//150
+	,"NtUserCalcMenuBar"			//151
+	,"NtUserThunkedMenuItemInfo"	//152	
+	,"NtGdiExcludeClipRect"			//153
+	,"NtGdiCreateDIBSection"		//154
+	,"NtGdiGetDCforBitmap"			//155
+	,"NtUserDestroyCursor"			//156
+	,"NtUserDestroyWindow"			//157
+	,"NtUserCallHwndParam"          //158
+	,"NtGdiCreateDIBitmapInternal"  //159 
+	,"NtUserOpenWindowStation"      //160
+	,"NtGdiDdDeleteSurfaceObject"   //161
+	,"NtGdiDdCanCreateSurface"      //162  
+	,"NtGdiDdCreateSurface"         //163
+	,"NtUserSetCursorIconData"      //164
+	,"NtGdiDdDestroySurface"        //165
+	,"NtUserCloseDesktop"			//166
+	,"NtUserOpenDesktop"            //167 
+	,"NtUserSetProcessWindowStation"//168             
+	,"NtUserGetAtomName"            //169
+	,"NtGdiDdResetVisrgn"           //170
+	,"NtGdiExtCreatePen"            //171   
+	,"NtGdiCreatePaletteInternal"   //172 
+	,"NtGdiSetBrushOrg"             //173
+	,"NtUserBuildNameList"          //174
+	,"NtGdiSetPixel"                //175
+	,"NtUserRegisterClassExWOW"     //176              
+	,"NtGdiCreatePatternBrushInternal"//177
+	,"NtUserGetAncestor"            //178
+	,"NtGdiGetOutlineTextMetricsInternalW"//179
+	,"NtGdiSetBitmapBits"           //180
+	,"NtUserCloseWindowStation"     //181 
+	,"NtUserGetDoubleClickTime"     //182
+	,"NtUserEnableScrollBar"        //183
+	,"NtGdiCreateSolidBrush"        //184 
+	,"NtUserGetClassInfoEx"         //185
+	,"NtGdiCreateClientObj"		    //186	
+	,"NtUserUnregisterClass"        //187
+	,"NtUserDeleteMenu"			    //188	
+	,"NtGdiRectInRegion"			//189
+	,"NtUserScrollWindowEx"			//190
+	,"NtGdiGetPixel"                //191
+	,"NtUserSetClassLong"           //192 
+	,"NtUserGetMenuBarInfo"         //193
+	,"NtGdiDdCreateSurfaceEx"       //195
+	,"NtGdiDdCreateSurfaceObject"   //195
+	,"NtGdiGetNearestPaletteIndex"  //196
+	,"NtGdiDdLockD3D"               //197
+	,"NtGdiDdUnlockD3D"             //198
+	,"NtGdiGetCharWidthW"           //199
+	,"NtUserInvalidateRgn"          //200
+	,"NtUserGetClipboardOwner"      //201 
+	,"NtUserSetWindowRgn"           //202 
+	,"NtUserBitBltSysBmp"           //203
+	,"NtGdiGetCharWidthInfo"        //204  
+	,"NtUserValidateRect"           //205 
+	,"NtUserCloseClipboard"         //206
+	,"NtUserOpenClipboard"          //207
+	,"NtGdiGetStockObject"          //208 
+	,"NtUserSetClipboardData"       //209
+	,"NtUserEnableMenuItem"         //210
+	,"NtUserAlterWindowStyle"       //211
+	,"NtGdiFillRgn"                 //212
+	,"NtUserGetWindowPlacement"     //213 
+	,"NtGdiModifyWorldTransform"    //214
+	,"NtGdiGetFontData"             //215
+	,"NtUserGetOpenClipboardWindow" //216
+	,"NtUserSetThreadState"         //217
+	,"NtGdiOpenDCW"                 //218
+	,"NtUserTrackMouseEvent"        //219  
+	,"NtGdiGetTransform"            //220
+	,"NtUserDestroyMenu"            //221
+	,"NtGdiGetBitmapBits"           //222
+	,"NtUserConsoleControl"         //223  
+	,"NtUserSetActiveWindow"        //224
+	,"NtUserSetInformationThread"   //225
+	,"NtUserSetWindowPlacement"     //226 
+	,"NtUserGetControlColor"        //227
+	,"NtGdiSetMetaRgn"              //228
+	,"NtGdiSetMiterLimit"           //229
+	,"NtGdiSetVirtualResolution"    //230
+	,"NtGdiGetRasterizerCaps"       //231
+	,"NtUserSetWindowWord"          //232
+	,"NtUserGetClipboardFormatName" //233
+	,"NtUserRealInternalGetMessage" //234 
+	,"NtUserCreateLocalMemHandle"   //235
+	,"NtUserAttachThreadInput"      //236
+	,"NtGdiCreateHalftonePalette"   //237
+	,"NtUserPaintMenuBar"           //238
+	,"NtUserSetKeyboardState"       //239
+	,"NtGdiCombineTransform"        //240 
+	,"NtUserCreateAcceleratorTable" //241
+	,"NtUserGetCursorFrameInfo"     //242
+	,"NtUserGetAltTabInfo"          //243
+	,"NtUserGetCaretBlinkTime"      //244
+	,"NtGdiQueryFontAssocInfo"      //245
+	,"NtUserProcessConnect"         //246
+	,"NtUserEnumDisplayDevices"     //247 
+	,"NtUserEmptyClipboard"         //248
+	,"NtUserGetClipboardData"       //249
+	,"NtUserRemoveMenu"             //250
+	,"NtGdiSetBoundsRect"           //251
+	,"NtGdiGetBitmapDimension"      //252
+	,"NtUserConvertMemHandle"       //253
+	,"NtUserDestroyAcceleratorTable"//254 
+	,"NtUserGetGUIThreadInfo"       //255
+	,"NtGdiCloseFigure"             //256
+	,"NtUserSetWindowsHookAW"       //257 
+	,"NtUserSetMenuDefaultItem"     //258 
+	,"NtUserCheckMenuItem"          //259
+	,"NtUserSetWinEventHook"        //260
+	,"NtUserUnhookWinEvent"         //261
+	,"NtUserLockWindowUpdate"       //262 
+	,"NtUserSetSystemMenu"          //263
+	,"NtUserThunkedMenuInfo"        //264
+	,"NtGdiBeginPath"               //265
+	,"NtGdiEndPath"                 //266
+	,"NtGdiFillPath"                //267
+	,"NtUserCallHwnd"               //268
+	,"NtUserDdeInitialize"          //269
+	,"NtUserModifyUserStartupInfoFlags"//270 
+	,"NtUserCountClipboardFormats"  //271 
+	,"NtGdiAddFontMemResourceEx"    //272
+	,"NtGdiEqualRgn"                //273
+	,"NtGdiGetSystemPaletteUse"     //274
+	,"NtGdiRemoveFontMemResourceEx" //275 
+	,"NtUserEnumDisplaySettings"    //276
+	,"NtUserPaintDesktop"           //277 
+	,"NtGdiExtEscape"               //278
+	,"NtGdiSetBitmapDimension"      //279 
+	,"NtGdiSetFontEnumeration"      //280
+	,"NtUserChangeClipboardChain"   //281
+	,"NtUserSetClipboardViewer"     //282
+	,"NtUserShowWindowAsync"        //283
+	,"NtGdiCreateColorSpace"        //284
+	,"NtGdiDeleteColorSpace"        //285
+	,"NtUserActivateKeyboardLayout" //286 
+	,"NtGdiAbortDoc"                //287 
+	,"NtGdiAbortPath"               //288
+	,"NtGdiAddEmbFontToDC"          //289
+	,"NtGdiAddFontResourceW"        //290 
+	,"NtGdiAddRemoteFontToDC"       //291
+	,"NtGdiAddRemoteMMInstanceToDC" //292
+	,"NtGdiAngleArc"                //293
+	,"NtGdiAnyLinkedFonts"          //294 
+	,"NtGdiArcInternal"             //295
+	,"NtGdiBRUSHOBJ_DeleteRbrush"   //296
+	,"NtGdiBRUSHOBJ_hGetColorTransform"//297 
+	,"NtGdiBRUSHOBJ_pvAllocRbrush"  //298 
+	,"NtGdiBRUSHOBJ_pvGetRbrush"    //299
+	,"NtGdiBRUSHOBJ_ulGetBrushColor"//300
+	,"NtGdiBeginGdiRendering"       //301
+	,"NtGdiCLIPOBJ_bEnum"           //302    
+	,"NtGdiCLIPOBJ_cEnumStart"      //303
+	,"NtGdiCLIPOBJ_ppoGetPath"      //304 
+	,"NtGdiCancelDC"                //305
+	,"NtGdiChangeGhostFont"         //306
+	,"NtGdiCheckBitmapBits"         //307
+	,"NtGdiClearBitmapAttributes"   //308
+	,"NtGdiClearBrushAttributes"    //309
+	,"NtGdiColorCorrectPalette"     //310
+	,"NtGdiConfigureOPMProtectedOutput"//311
+	,"NtGdiConvertMetafileRect"     //312 
+	,"NtGdiCreateBitmapFromDxSurface"//313
+	,"NtGdiCreateColorTransform"     //314
+	,"NtGdiCreateEllipticRgn"        //315 
+	,"NtGdiCreateHatchBrushInternal" //316
+	,"NtGdiCreateMetafileDC"         //317
+	,"NtGdiCreateOPMProtectedOutputs"//318 
+	,"NtGdiCreateRoundRectRgn"       //319
+	,"NtGdiCreateServerMetaFile"     //320
+	,"NtGdiD3dContextCreate"         //321
+	,"NtGdiD3dContextDestroy"        //322
+	,"NtGdiD3dContextDestroyAll"     //323 
+	,"NtGdiD3dValidateTextureStageState"//324 
+	,"NtGdiDDCCIGetCapabilitiesString"//325
+	,"NtGdiDDCCIGetCapabilitiesStringLength"//326
+	,"NtGdiDDCCIGetTimingReport"     //327
+	,"NtGdiDDCCIGetVCPFeature"       //328
+	,"NtGdiDDCCISaveCurrentSettings" //329
+	,"NtGdiDDCCISetVCPFeature"       //330
+	,"NtGdiDdAddAttachedSurface"     //331
+	,"NtGdiDdAlphaBlt"               //332
+	,"NtGdiDdAttachSurface"          //333
+	,"NtGdiDdBeginMoCompFrame"       //334
+	,"NtGdiDdCanCreateD3DBuffer"     //335
+	,"NtGdiDdColorControl"           //336
+	,"NtGdiDdCreateD3DBuffer"        //337
+	,"NtGdiDdCreateDirectDrawObject" //338
+	,"NtGdiDdCreateFullscreenSprite" //339 
+	,"NtGdiDdCreateMoComp"           //340
+	,"NtGdiDdDDIAcquireKeyedMutex"   //341
+	,"NtGdiDdDDICheckExclusiveOwnership"//342
+	,"NtGdiDdDDICheckMonitorPowerState"//343 
+	,"NtGdiDdDDICheckOcclusion"      //344
+	,"NtGdiDdDDICheckSharedResourceAccess"//345
+	,"NtGdiDdDDICheckVidPnExclusiveOwnership"//346
+	,"NtGdiDdDDICloseAdapter"        //347
+	,"NtGdiDdDDIConfigureSharedResource"//348
+	,"NtGdiDdDDICreateAllocation"    //349
+	,"NtGdiDdDDICreateContext"       //350
+	,"NtGdiDdDDICreateDCFromMemory"  //351
+	,"NtGdiDdDDICreateDevice"        //352
+	,"NtGdiDdDDICreateKeyedMutex"    //353
+	,"NtGdiDdDDICreateOverlay"       //354
+	,"NtGdiDdDDICreateSynchronizationObject"//355
+	,"NtGdiDdDDIDestroyAllocation"   //356
+	,"NtGdiDdDDIDestroyContext"      //357
+	,"NtGdiDdDDIDestroyDCFromMemory" //358
+	,"NtGdiDdDDIDestroyDevice"       //359
+	,"NtGdiDdDDIDestroyKeyedMutex"   //360
+	,"NtGdiDdDDIDestroyOverlay"      //361 
+	,"NtGdiDdDDIDestroySynchronizationObject"//362
+	,"NtGdiDdDDIEscape"				 //363
+	,"NtGdiDdDDIFlipOverlay"         //364
+	,"NtGdiDdDDIGetContextSchedulingPriority"//365
+	,"NtGdiDdDDIGetDeviceState"      //366
+	,"NtGdiDdDDIGetDisplayModeList"  //357
+	,"NtGdiDdDDIGetMultisampleMethodList"//368
+	,"NtGdiDdDDIGetOverlayState"     //369
+	,"NtGdiDdDDIGetPresentHistory"   //370
+	,"NtGdiDdDDIGetPresentQueueEvent"//371
+	,"NtGdiDdDDIGetProcessSchedulingPriorityClass"//372
+	,"NtGdiDdDDIGetRuntimeData"      //373
+	,"NtGdiDdDDIGetScanLine"         //374
+	,"NtGdiDdDDIGetSharedPrimaryHandle"//375
+	,"NtGdiDdDDIInvalidateActiveVidPn"//376 
+	,"NtGdiDdDDILock"                //377
+	,"NtGdiDdDDIOpenAdapterFromDeviceName"//378
+	,"NtGdiDdDDIOpenAdapterFromHdc"  //379
+	,"NtGdiDdDDIOpenKeyedMutex"      //380
+	,"NtGdiDdDDIOpenResource"        //381
+	,"NtGdiDdDDIOpenSynchronizationObject"//382
+	,"NtGdiDdDDIPollDisplayChildren" //383
+	,"NtGdiDdDDIPresent"             //384
+	,"NtGdiDdDDIQueryAdapterInfo"    //385 
+	,"NtGdiDdDDIQueryAllocationResidency"//386
+	,"NtGdiDdDDIQueryResourceInfo"    //387
+	,"NtGdiDdDDIQueryStatistics"      //388
+	,"NtGdiDdDDIReleaseKeyedMutex"	  //389
+	,"NtGdiDdDDIReleaseProcessVidPnSourceOwners"//390
+	,"NtGdiDdDDIRender"		          //391
+	,"NtGdiDdDDISetAllocationPriority"//392
+	,"NtGdiDdDDISetContextSchedulingPriority"//393
+	,"NtGdiDdDDISetDisplayMode"		  //394
+	,"NtGdiDdDDISetDisplayPrivateDriverFormat"//395
+	,"NtGdiDdDDISetGammaRamp"		  //396
+	,"NtGdiDdDDISetProcessSchedulingPriorityClass"//397
+	,"NtGdiDdDDISetQueuedLimit"		  //398
+	,"NtGdiDdDDISetVidPnSourceOwner"  //399
+	,"NtGdiDdDDISharedPrimaryLockNotification"//400
+	,"NtGdiDdDDISharedPrimaryUnLockNotification"//401
+	,"NtGdiDdDDISignalSynchronizationObject"//402
+	,"NtGdiDdDDIUnlock"		         //403
+	,"NtGdiDdDDIUpdateOverlay"		 //404
+	,"NtGdiDdDDIWaitForIdle"		 //405
+	,"NtGdiDdDDIWaitForSynchronizationObject"//406
+	,"NtGdiDdDDIWaitForVerticalBlankEvent"//407
+	,"NtGdiDdDeleteDirectDrawObject" //408
+	,"NtGdiDdDestroyD3DBuffer"		 //409
+	,"NtGdiDdDestroyFullscreenSprite"//410
+	,"NtGdiDdDestroyMoComp"		     //411
+	,"NtGdiDdEndMoCompFrame"		 //412
+	,"NtGdiDdFlip"		             //413
+	,"NtGdiDdFlipToGDISurface"		 //414
+	,"NtGdiDdGetAvailDriverMemory"	 //415
+	,"NtGdiDdGetBltStatus"		     //416
+	,"NtGdiDdGetDC"		             //417
+	,"NtGdiDdGetDriverInfo"		     //418
+	,"NtGdiDdGetDriverState"		 //419
+	,"NtGdiDdGetDxHandle"		     //420
+	,"NtGdiDdGetFlipStatus"		     //421
+	,"NtGdiDdGetInternalMoCompInfo"	 //422
+	,"NtGdiDdGetMoCompBuffInfo"		 //423
+	,"NtGdiDdGetMoCompFormats"		 //424
+	,"NtGdiDdGetMoCompGuids"		 //425
+	,"NtGdiDdGetScanLine"		     //426
+	,"NtGdiDdLock"		             //427
+	,"NtGdiDdNotifyFullscreenSpriteUpdate"//428
+	,"NtGdiDdQueryDirectDrawObject"	 //429
+	,"NtGdiDdQueryMoCompStatus"		 //430
+	,"NtGdiDdQueryVisRgnUniqueness"	 //431
+	,"NtGdiDdReenableDirectDrawObject"//432
+	,"NtGdiDdReleaseDC"		         //433
+	,"NtGdiDdRenderMoComp"			 //434
+	,"NtGdiDdSetColorKey"			 //435
+	,"NtGdiDdSetExclusiveMode"		 //436
+	,"NtGdiDdSetGammaRamp"			 //437
+	,"NtGdiDdSetOverlayPosition"	 //438
+	,"NtGdiDdUnattachSurface"		 //439
+	,"NtGdiDdUnlock"			     //440
+	,"NtGdiDdUpdateOverlay"			 //441
+	,"NtGdiDdWaitForVerticalBlank"	 //442
+	,"NtGdiDeleteColorTransform"	 //443
+	,"NtGdiDescribePixelFormat"		 //444
+	,"NtGdiDestroyOPMProtectedOutput"//445
+	,"NtGdiDestroyPhysicalMonitor"	 //446
+	,"NtGdiDoBanding"				 //447
+	,"NtGdiDrawEscape"				 //448
+	,"NtGdiDvpAcquireNotification"	 //449
+	,"NtGdiDvpCanCreateVideoPort"	 //450
+	,"NtGdiDvpColorControl"			 //451
+	,"NtGdiDvpCreateVideoPort"		 //452
+	,"NtGdiDvpDestroyVideoPort"		 //453
+	,"NtGdiDvpFlipVideoPort"		 //454
+	,"NtGdiDvpGetVideoPortBandwidth" //455
+	,"NtGdiDvpGetVideoPortConnectInfo"//456
+	,"NtGdiDvpGetVideoPortField"	 //457
+	,"NtGdiDvpGetVideoPortFlipStatus"//458
+	,"NtGdiDvpGetVideoPortInputFormats"//459
+	,"NtGdiDvpGetVideoPortLine"		 //460
+	,"NtGdiDvpGetVideoPortOutputFormats"//461
+	,"NtGdiDvpGetVideoSignalStatus"	 //462
+	,"NtGdiDvpReleaseNotification"	 //463
+	,"NtGdiDvpUpdateVideoPort"		 //464
+	,"NtGdiDvpWaitForVideoPortSync"	 //465
+	,"NtGdiDxgGenericThunk"		     //466
+	,"NtGdiEllipse"					 //467
+	,"NtGdiEnableEudc"				 //468
+	,"NtGdiEndDoc"				     //469
+	,"NtGdiEndGdiRendering"			 //470
+	,"NtGdiEndPage"					 //471
+	,"NtGdiEngAlphaBlend"			 //472
+	,"NtGdiEngAssociateSurface"		 //473
+	,"NtGdiEngBitBlt"				 //474
+	,"NtGdiEngCheckAbort"		     //475
+	,"NtGdiEngComputeGlyphSet"		 //476
+	,"NtGdiEngCopyBits"				 //477
+	,"NtGdiEngCreateBitmap"			 //478
+	,"NtGdiEngCreateClip"			 //479
+	,"NtGdiEngCreateDeviceBitmap"	 //480
+	,"NtGdiEngCreateDeviceSurface"	 //481
+	,"NtGdiEngCreatePalette"		 //482
+	,"NtGdiEngDeleteClip"			 //483
+	,"NtGdiEngDeletePalette"		 //484
+	,"NtGdiEngDeletePath"			 //485
+	,"NtGdiEngDeleteSurface"		 //486
+	,"NtGdiEngEraseSurface"			 //487
+	,"NtGdiEngFillPath"				 //488
+	,"NtGdiEngGradientFill"			 //489
+	,"NtGdiEngLineTo"				 //490
+	,"NtGdiEngLockSurface"			 //491
+	,"NtGdiEngMarkBandingSurface"	 //492
+	,"NtGdiEngPaint"				 //493
+	,"NtGdiEngPlgBlt"				 //494
+	,"NtGdiEngStretchBlt"			 //495
+	,"NtGdiEngStretchBltROP"		 //496
+	,"NtGdiEngStrokeAndFillPath"	 //497
+	,"NtGdiEngStrokePath"			 //498
+	,"NtGdiEngTextOut"				 //499
+	,"NtGdiEngTransparentBlt"		 //500
+	,"NtGdiEngUnlockSurface"		 //501
+	,"NtGdiEnumFonts"				 //502
+	,"NtGdiEnumObjects"				 //503
+	,"NtGdiEudcLoadUnloadLink"		 //504
+	,"NtGdiExtFloodFill"			 //505
+	,"NtGdiFONTOBJ_cGetAllGlyphHandles"	//506
+	,"NtGdiFONTOBJ_cGetGlyphs"		 //507
+	,"NtGdiFONTOBJ_pQueryGlyphAttrs" //508
+	,"NtGdiFONTOBJ_pfdg"			 //509
+	,"NtGdiFONTOBJ_pifi"			 //510
+	,"NtGdiFONTOBJ_pvTrueTypeFontFile"//511
+	,"NtGdiFONTOBJ_pxoGetXform"		 //512
+	,"NtGdiFONTOBJ_vGetInfo"		 //513
+	,"NtGdiFlattenPath"				 //514
+	,"NtGdiFontIsLinked"			 //515
+	,"NtGdiForceUFIMapping"		     //516
+	,"NtGdiFrameRgn"		         //517
+	,"NtGdiFullscreenControl"		 //518
+	,"NtGdiGetBoundsRect"		     //519
+	,"NtGdiGetCOPPCompatibleOPMInformation"//520
+	,"NtGdiGetCertificate"			 //521
+	,"NtGdiGetCertificateSize"		 //522
+	,"NtGdiGetCharABCWidthsW"		 //523
+	,"NtGdiGetCharacterPlacementW"	 //524
+	,"NtGdiGetColorAdjustment"		 //525
+	,"NtGdiGetColorSpaceforBitmap"	 //526
+	,"NtGdiGetDeviceCaps"			 //527
+	,"NtGdiGetDeviceCapsAll"		 //528
+	,"NtGdiGetDeviceGammaRamp"		 //529
+	,"NtGdiGetDeviceWidth"			 //530
+	,"NtGdiGetDhpdev"				 //531
+	,"NtGdiGetETM"					 //532
+	,"NtGdiGetEmbUFI"				 //533
+	,"NtGdiGetEmbedFonts"			 //534
+	,"NtGdiGetEudcTimeStampEx"		 //535
+	,"NtGdiGetFontFileData"			 //536
+	,"NtGdiGetFontFileInfo"			 //537
+	,"NtGdiGetFontResourceInfoInternalW"//538
+	,"NtGdiGetFontUnicodeRanges"	 //539
+	,"NtGdiGetGlyphIndicesW"		 //540
+	,"NtGdiGetGlyphIndicesWInternal" //541
+	,"NtGdiGetGlyphOutline"			 //542
+	,"NtGdiGetKerningPairs"			 //543
+	,"NtGdiGetLinkedUFIs"			 //544
+	,"NtGdiGetMiterLimit"			 //545
+	,"NtGdiGetMonitorID"			 //546
+	,"NtGdiGetNumberOfPhysicalMonitors"	//547
+	,"NtGdiGetOPMInformation"		 //548
+	,"NtGdiGetOPMRandomNumber"		 //549
+	,"NtGdiGetObjectBitmapHandle"	 //550
+	,"NtGdiGetPath"					 //551
+	,"NtGdiGetPerBandInfo"			 //552
+	,"NtGdiGetPhysicalMonitorDescription"//553
+	,"NtGdiGetPhysicalMonitors"		 //554
+	,"NtGdiGetRealizationInfo"		 //555
+	,"NtGdiGetServerMetaFileBits"	 //556
+	,"DxgStubAlphaBlt"				 //557
+	,"NtGdiGetStats"				 //558
+	,"NtGdiGetStringBitmapW"		 //559
+	,"NtGdiGetSuggestedOPMProtectedOutputArraySize"//560
+	,"NtGdiGetTextExtentExW"		 //561
+	,"NtGdiGetUFI"					 //562
+	,"NtGdiGetUFIPathname"			 //563
+	,"NtGdiGradientFill"			 //564
+	,"NtGdiHLSurfGetInformation"	 //565
+	,"NtGdiHLSurfSetInformation"	 //566
+	,"NtGdiHT_Get8BPPFormatPalette"	 //567
+	,"NtGdiHT_Get8BPPMaskPalette"	 //568
+	,"NtGdiIcmBrushInfo"			 //569
+	,"EngRestoreFloatingPointState"	 //570
+	,"NtGdiInitSpool"				 //571
+	,"NtGdiMakeFontDir"				 //572
+	,"NtGdiMakeInfoDC"				 //573
+	,"NtGdiMakeObjectUnXferable"	 //574
+	,"NtGdiMakeObjectXferable"		 //575
+	,"NtGdiMirrorWindowOrg"			 //576
+	,"NtGdiMonoBitmap"				 //577
+	,"NtGdiMoveTo"					 //578
+	,"NtGdiOffsetClipRgn"			 //579
+	,"NtGdiPATHOBJ_bEnum"			 //580
+	,"NtGdiPATHOBJ_bEnumClipLines"	 //581
+	,"NtGdiPATHOBJ_vEnumStart"		 //582
+	,"NtGdiPATHOBJ_vEnumStartClipLines"//583
+	,"NtGdiPATHOBJ_vGetBounds"		 //584
+	,"NtGdiPathToRegion"			 //585
+	,"NtGdiPlgBlt"					 //586
+	,"NtGdiPolyDraw"				 //587
+	,"NtGdiPolyTextOutW"			 //588
+	,"NtGdiPtInRegion"				 //589
+	,"NtGdiPtVisible"				 //590
+	,"NtGdiQueryFonts"				 //591
+	,"NtGdiRemoveFontResourceW"		 //592
+	,"NtGdiRemoveMergeFont"			 //593
+	,"NtGdiResetDC"					 //594
+	,"NtGdiResizePalette"			 //595
+	,"NtGdiRoundRect"				 //596
+	,"NtGdiSTROBJ_bEnum"			 //597
+	,"NtGdiSTROBJ_bEnumPositionsOnly"//598
+	,"NtGdiSTROBJ_bGetAdvanceWidths" //599
+	,"NtGdiSTROBJ_dwGetCodePage"	 //600
+	,"NtGdiSTROBJ_vEnumStart"		 //601
+	,"NtGdiScaleViewportExtEx"		 //602
+	,"NtGdiScaleWindowExtEx"		 //603
+	,"NtGdiSelectBrush"				 //604
+	,"NtGdiSelectClipPath"			 //605
+	,"NtGdiSelectPen"				 //606
+	,"NtGdiSetBitmapAttributes"		 //607
+	,"NtGdiSetBrushAttributes"		 //608
+	,"NtGdiSetColorAdjustment"		 //609
+	,"NtGdiSetColorSpace"			 //610
+	,"NtGdiSetDeviceGammaRamp"		 //611
+	,"NtGdiSetFontXform"			 //612
+	,"NtGdiSetIcmMode"				 //613
+	,"NtGdiSetLinkedUFIs"			 //614
+	,"NtGdiSetMagicColors"			 //615
+	,"NtGdiSetOPMSigningKeyAndSequenceNumbers"//616
+	,"NtGdiSetPUMPDOBJ"				 //617
+	,"NtGdiSetPixelFormat"			 //618
+	,"NtGdiSetRectRgn"				 //619
+	,"NtGdiSetSizeDevice"			 //620
+	,"NtGdiSetSystemPaletteUse"		 //621
+	,"NtGdiSetTextJustification"	 //622
+	,"NtGdiSfmGetNotificationTokens" //623
+	,"NtGdiStartDoc"				 //624
+	,"NtGdiStartPage"				 //625
+	,"NtGdiStrokeAndFillPath"		 //626
+	,"NtGdiStrokePath"				 //627
+	,"NtGdiSwapBuffers"				 //628
+	,"NtGdiTransparentBlt"			 //629
+	,"NtGdiUMPDEngFreeUserMem"		 //630
+	,"DxgStubAlphaBlt"				 //631
+	,"EngRestoreFloatingPointState"	 //632
+	,"NtGdiUpdateColors"			 //633
+	,"NtGdiUpdateTransform"			 //634
+	,"NtGdiWidenPath"				 //635
+	,"NtGdiXFORMOBJ_bApplyXform"	 //636
+	,"NtGdiXFORMOBJ_iGetXform"		 //637
+	,"NtGdiXLATEOBJ_cGetPalette"	 //638
+	,"NtGdiXLATEOBJ_hGetColorTransform"//639
+	,"NtGdiXLATEOBJ_iXlate"			 //640
+	,"NtUserAddClipboardFormatListener"//641
+	,"NtUserAssociateInputContext"	 //642
+	,"NtUserBlockInput"				 //643
+	,"NtUserBuildHimcList"			 //644
+	,"NtUserBuildPropList"			 //645
+	,"NtUserCalculatePopupWindowPosition"//646
+	,"NtUserCallHwndOpt"			 //647
+	,"NtUserChangeDisplaySettings"	 //648
+	,"NtUserChangeWindowMessageFilterEx"//649
+	,"NtUserCheckAccessForIntegrityLevel"//650
+	,"NtUserCheckDesktopByThreadId"	 //651
+	,"NtUserCheckWindowThreadDesktop"//652
+	,"NtUserChildWindowFromPointEx"	 //653
+	,"NtUserClipCursor"				 //654
+	,"NtUserCreateDesktopEx"	     //655
+	,"NtUserCreateInputContext"		 //656
+	,"NtUserCreateWindowStation"	 //657
+	,"NtUserCtxDisplayIOCtl"		 //658
+	,"NtUserDestroyInputContext"	 //659
+	,"NtUserDisableThreadIme"		 //660
+	,"NtUserDisplayConfigGetDeviceInfo"//661
+	,"NtUserDisplayConfigSetDeviceInfo"//662
+	,"NtUserDoSoundConnect"			 //663
+	,"NtUserDoSoundDisconnect"		 //664
+	,"NtUserDragDetect"				 //665
+	,"NtUserDragObject"				 //666
+	,"NtUserDrawAnimatedRects"		 //667
+	,"NtUserDrawCaption"			 //668
+	,"NtUserDrawCaptionTemp"		 //669
+	,"NtUserDrawMenuBarTemp"		 //670
+	,"NtUserDwmStartRedirection"	 //671
+	,"NtUserDwmStopRedirection"		 //672
+	,"NtUserEndMenu"				 //673
+	,"NtUserEndTouchOperation"		 //674
+	,"NtUserEvent"					 //675
+	,"NtUserFlashWindowEx"		     //676
+	,"NtUserFrostCrashedWindow"		 //677
+	,"NtUserGetAppImeLevel"			 //678
+	,"NtUserGetCaretPos"			 //679
+	,"NtUserGetClipCursor"			 //680
+	,"NtUserGetClipboardViewer"		 //681
+	,"NtUserGetComboBoxInfo"		 //682
+	,"NtUserGetCursorInfo"			 //683
+	,"NtUserGetDisplayConfigBufferSizes"//684
+	,"NtUserGetGestureConfig"		 //685
+	,"NtUserGetGestureExtArgs"		 //686
+	,"NtUserGetGestureInfo"			 //687
+	,"NtUserGetGuiResources"		 //688
+	,"NtUserGetImeHotKey"			 //689
+	,"NtUserGetImeInfoEx"			 //690
+	,"NtUserGetInputLocaleInfo"		 //691
+	,"NtUserGetInternalWindowPos"	 //692
+	,"NtUserGetKeyNameText"			 //693
+	,"NtUserGetKeyboardLayoutName"	 //694
+	,"NtUserGetLayeredWindowAttributes"//695
+	,"NtUserGetListBoxInfo"			 //696
+	,"NtUserGetMenuIndex"			 //697
+	,"NtUserGetMenuItemRect"		 //698
+	,"NtUserGetMouseMovePointsEx"	 //699
+	,"NtUserGetPriorityClipboardFormat"//700
+	,"NtUserGetRawInputBuffer"		 //701
+	,"NtUserGetRawInputData"		 //702
+	,"NtUserGetRawInputDeviceInfo"	 //703
+	,"NtUserGetRawInputDeviceList"	 //704
+	,"NtUserGetRegisteredRawInputDevices"//705
+	,"NtUserGetTopLevelWindow"		 //706
+	,"NtUserGetTouchInputInfo"		 //707
+	,"NtUserGetUpdatedClipboardFormats"//708
+	,"NtUserGetWOWClass"			 //709
+	,"NtUserGetWindowCompositionAttribute"//710
+	,"NtUserGetWindowCompositionInfo"//711
+	,"NtUserGetWindowDisplayAffinity"//712
+	,"NtUserGetWindowMinimizeRect"	 //713
+	,"NtUserGetWindowRgnEx"			 //714
+	,"NtUserGhostWindowFromHungWindow"//715
+	,"NtUserHardErrorControl"		 //716
+	,"NtUserHiliteMenuItem"			 //717
+	,"NtUserHungWindowFromGhostWindow"//718
+	,"NtUserHwndQueryRedirectionInfo"//719
+	,"NtUserHwndSetRedirectionInfo"	 //720
+	,"NtUserImpersonateDdeClientWindow"//721
+	,"NtUserInitTask"				 //722
+	,"NtUserInitialize"			     //723
+	,"NtUserInitializeClientPfnArrays"//724
+	,"NtUserInjectGesture"			 //725
+	,"NtUserInternalGetWindowIcon"	 //726
+	,"NtUserIsTopLevelWindow"		 //727
+	,"NtUserIsTouchWindow"			 //728
+	,"NtUserLoadKeyboardLayoutEx"	 //729
+	,"NtUserLockWindowStation"		 //730
+	,"NtUserLockWorkStation"		 //731
+	,"NtUserLogicalToPhysicalPoint"	 //732
+	,"NtUserMNDragLeave"			 //733
+	,"NtUserMNDragOver"				 //734
+	,"NtUserMagControl"				 //735
+	,"NtUserMagGetContextInformation"//736
+	,"NtUserMagSetContextInformation"//737
+	,"NtUserManageGestureHandlerWindow"//738
+	,"NtUserMenuItemFromPoint"		 //739
+	,"NtUserMinMaximize"			 //740
+	,"NtUserModifyWindowTouchCapability"//741
+	,"NtUserNotifyIMEStatus"		 //742
+	,"NtUserOpenInputDesktop"		 //743
+	,"NtUserOpenThreadDesktop"		 //744
+	,"NtUserPaintMonitor"			 //745
+	,"NtUserPhysicalToLogicalPoint"	 //746
+	,"NtUserPrintWindow"			 //747
+	,"NtUserQueryDisplayConfig"		 //748
+	,"NtUserQueryInformationThread"	 //749
+	,"NtUserQueryInputContext"		 //750
+	,"NtUserQuerySendMessage"		 //751
+	,"NtUserRealChildWindowFromPoint"//752
+	,"NtUserRealWaitMessageEx"		 //753
+	,"NtUserRegisterErrorReportingDialog"//754
+	,"NtUserRegisterHotKey"			 //755
+	,"NtUserRegisterRawInputDevices" //756
+	,"NtUserRegisterServicesProcess" //757
+	,"NtUserRegisterSessionPort"	 //758
+	,"NtUserRegisterTasklist"		 //759
+	,"NtUserRegisterUserApiHook"	 //760
+	,"NtUserRemoteConnect"			 //761
+	,"NtUserRemoteRedrawRectangle"	 //762
+	,"NtUserRemoteRedrawScreen"		 //763
+	,"NtUserRemoteStopScreenUpdates" //764
+	,"NtUserRemoveClipboardFormatListener"//765
+	,"NtUserResolveDesktopForWOW"	 //766
+	,"NtUserSendTouchInput"			 //767
+	,"NtUserSetAppImeLevel"			 //768
+	,"NtUserSetChildWindowNoActivate"//769
+	,"NtUserSetClassWord"			 //770
+	,"NtUserSetCursorContents"		 //771
+	,"NtUserSetDisplayConfig"		 //772
+	,"NtUserSetGestureConfig"		 //773
+	,"NtUserSetImeHotKey"			 //774
+	,"NtUserSetImeInfoEx"			 //775
+	,"NtUserSetImeOwnerWindow"		 //776
+	,"NtUserSetInternalWindowPos"	 //777
+	,"NtUserSetLayeredWindowAttributes"	//778
+	,"NtUserSetMenu"				 //779
+	,"NtUserSetMenuContextHelpId"	 //780
+	,"NtUserSetMenuFlagRtoL"		 //781
+	,"NtUserSetMirrorRendering"		 //782
+	,"NtUserSetObjectInformation"	 //783
+	,"NtUserSetProcessDPIAware"		 //784
+	,"NtUserSetShellWindowEx"		 //785
+	,"NtUserSetSysColors"			 //786
+	,"NtUserSetSystemCursor"		 //787
+	,"NtUserSetSystemTimer"			 //788
+	,"NtUserSetThreadLayoutHandles"	 //789
+	,"NtUserSetWindowCompositionAttribute"//790
+	,"NtUserSetWindowDisplayAffinity"//791
+	,"NtUserSetWindowRgnEx"			 //792
+	,"NtUserSetWindowStationUser"	 //793
+	,"NtUserSfmDestroyLogicalSurfaceBinding"//794
+	,"NtUserSfmDxBindSwapChain"		 //795
+	,"NtUserSfmDxGetSwapChainStats"	 //796
+	,"NtUserSfmDxOpenSwapChain"		 //797
+	,"NtUserSfmDxQuerySwapChainBindingStatus"//798
+	,"NtUserSfmDxReleaseSwapChain"	 //799
+	,"NtUserSfmDxReportPendingBindingsToDwm"//800
+	,"NtUserSfmDxSetSwapChainBindingStatus"//801
+	,"NtUserSfmDxSetSwapChainStats"	 //802
+	,"NtUserSfmGetLogicalSurfaceBinding"//803
+	,"NtUserShowSystemCursor"		 //804
+	,"NtUserSoundSentry"			 //805
+	,"NtUserSwitchDesktop"			 //806
+	,"NtUserTestForInteractiveUser"	 //807
+	,"NtUserTrackPopupMenuEx"		 //808
+	,"NtUserUnloadKeyboardLayout"	 //809
+	,"NtUserUnlockWindowStation"	 //810
+	,"NtUserUnregisterHotKey"		 //811
+	,"NtUserUnregisterSessionPort"	 //812
+	,"NtUserUnregisterUserApiHook"	 //813
+	,"NtUserUpdateInputContext"		 //814
+	,"NtUserUpdateInstance"			 //815
+	,"NtUserUpdateLayeredWindow"	 //816
+	,"NtUserUpdatePerUserSystemParameters"//817
+	,"NtUserUpdateWindowTransform"	 //818
+	,"NtUserUserHandleGrantAccess"	 //819
+	,"NtUserValidateHandleSecure"	 //820
+	,"NtUserWaitForInputIdle"		 //821
+	,"NtUserWaitForMsgAndEvent"		 //822
+	,"NtUserWindowFromPhysicalPoint" //823
+	,"NtUserYieldTask"				 //824
+	,"NtUserSetClassLongPtr"		 //825
+	,"NtUserSetWindowLongPtr"		 //826
+};
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ServiceDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/ServiceDlg.cpp
new file mode 100644
index 0000000..8d3807d
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ServiceDlg.cpp
@@ -0,0 +1,110 @@
+// ServiceDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "ServiceDlg.h"
+#include "afxdialogex.h"
+#include "HeavenShadowDlg.h"
+#include "Common.h"
+
+#include "AlertWnd.h"
+
+
+// CServiceDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CServiceDlg, CDialog)
+
+CServiceDlg::CServiceDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CServiceDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CServiceDlg::~CServiceDlg()
+{
+}
+
+void CServiceDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_BUTTON_TEST2, m_demoBtn);
+}
+
+
+BEGIN_MESSAGE_MAP(CServiceDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+	ON_BN_CLICKED(IDC_BUTTON_TEST2, &CServiceDlg::OnBnClickedButtonTest2)
+END_MESSAGE_MAP()
+
+
+// CServiceDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+
+void CServiceDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+}
+
+
+BOOL CServiceDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CServiceDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_SERVICE;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnServ.EnableWindow(FALSE);
+
+		HsSendStatusDetail(L"ÏµÍ³·þÎñÕýÔÚ¼ÓÔØ¡£");
+		HsSendStatusTip(L"·þÎñ");
+
+	}
+
+	
+}
+
+
+BOOL CServiceDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+void CServiceDlg::OnBnClickedButtonTest2()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	CAlertWnd *dlg = new CAlertWnd(this);
+
+	dlg->Create(IDD_DIALOG_ALERT,GetDesktopWindow());
+
+	dlg->ShowWindow(SW_SHOW);
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/ServiceDlg.h b/arkProject/HeavenShadow/HeavenShadow/ServiceDlg.h
new file mode 100644
index 0000000..ccb47b2
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ServiceDlg.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "afxwin.h"
+
+
+// CServiceDlg ¶Ô»°¿ò
+
+class CServiceDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CServiceDlg)
+
+public:
+	CServiceDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CServiceDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_SERVICE };
+
+
+	CWnd* m_wParent;
+
+
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnPaint();
+	CButton m_demoBtn;
+	virtual BOOL OnInitDialog();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	afx_msg void OnBnClickedButtonTest2();
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/SettingDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/SettingDlg.cpp
new file mode 100644
index 0000000..5abb36f
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SettingDlg.cpp
@@ -0,0 +1,92 @@
+// SettingDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "SettingDlg.h"
+#include "afxdialogex.h"
+
+#include "HeavenShadowDlg.h"
+
+
+// CSettingDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CSettingDlg, CDialog)
+
+CSettingDlg::CSettingDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CSettingDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CSettingDlg::~CSettingDlg()
+{
+}
+
+void CSettingDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+}
+
+
+BEGIN_MESSAGE_MAP(CSettingDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+END_MESSAGE_MAP()
+
+
+// CSettingDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+void CSettingDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+}
+
+
+BOOL CSettingDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+BOOL CSettingDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CSettingDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_SETTING;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnSet.EnableWindow(FALSE);
+
+
+
+		HsSendStatusDetail(L"¶ÔÌìÓ°ÎÀÊ¿½øÐÐÏêÏ¸ÉèÖÃ¡£");
+		HsSendStatusTip(L"ÉèÖÃ");
+	}
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/SettingDlg.h b/arkProject/HeavenShadow/HeavenShadow/SettingDlg.h
new file mode 100644
index 0000000..6a1ddf7
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SettingDlg.h
@@ -0,0 +1,28 @@
+#pragma once
+
+
+// CSettingDlg ¶Ô»°¿ò
+
+class CSettingDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CSettingDlg)
+
+public:
+	CSettingDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CSettingDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_SETTING };
+
+	CWnd* m_wParent;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	afx_msg void OnPaint();
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	virtual BOOL OnInitDialog();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/SysThread.cpp b/arkProject/HeavenShadow/HeavenShadow/SysThread.cpp
new file mode 100644
index 0000000..523461b
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SysThread.cpp
@@ -0,0 +1,295 @@
+#include "stdafx.h"
+#include "SysThread.h"
+#include "Common.h"
+#include "ModuleFunc.h"
+#include "ThreadFunc.h"
+#include "SSDTFunc.h"
+#include <vector>
+
+#include "ProcessFunc.h"
+
+using namespace std;
+
+
+extern HANDLE g_hDevice;
+extern WIN_VERSION WinVersion;
+extern BOOL bIsChecking;
+
+COLUMNSTRUCT g_Column_SysThread[] = 
+{
+	{	L"Ïß³ÌID",				50	},
+	{	L"Ïß³Ì¶ÔÏó",				125	},
+	{	L"Peb",					35	},
+	{	L"ÓÅÏÈ¼¶",				55	},
+	{	L"Ïß³ÌÈë¿Ú",				125	},
+	{	L"ÇÐ»»´ÎÊý",				65	},
+	{	L"Ïß³Ì×´Ì¬",				100	},
+	{	L"Ä£¿éÎÄ¼þ",				190	},
+	{	L"³öÆ·³§ÉÌ",				125	}
+};
+
+extern vector<THREAD_INFO> m_vectorThread;
+extern vector<DRIVER_INFO> m_DriverList;
+ULONG_PTR m_ulSYSThreadCount = 0;
+
+UINT g_Column_SysThread_Count = 9;
+
+
+extern int dpix;
+extern int dpiy;
+
+
+VOID HsInitSysThreadList(CListCtrl *m_ListCtrl)
+{
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_SysThread_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_SysThread[i].szTitle,LVCFMT_LEFT,(int)(g_Column_SysThread[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsLoadSysThreadList(CListCtrl *m_ListCtrl)
+{
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	// 	while(bIsChecking == TRUE)
+	// 	{
+	// 		Sleep(10);
+	// 	}
+
+	bIsChecking = TRUE;
+
+	HsSendStatusDetail(L"ÄÚºËÏß³ÌÕýÔÚ¼ÓÔØ...");
+	HsSendStatusTip(L"ÄÚºËÏß³Ì");
+
+	HsQuerySysThreadList(m_ListCtrl);
+
+	bIsChecking = FALSE;
+}
+
+
+
+VOID HsQuerySysThreadList(CListCtrl *m_ListCtrl)
+{
+	m_ulSYSThreadCount = 0;
+
+	m_vectorThread.clear();
+	m_DriverList.clear();
+
+	BOOL bRet = FALSE;
+
+	bRet = EnumDriver();
+
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"Çý¶¯Ä£¿é¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+	bRet = HsGetSYSThread(m_ListCtrl);
+
+	if (bRet == FALSE)
+	{
+		HsSendStatusDetail(L"ÄÚºËÏß³Ì¼ÓÔØÊ§°Ü¡£");
+		return;
+	}
+
+	for (vector <THREAD_INFO>::iterator Iter = m_vectorThread.begin( ); 
+		Iter != m_vectorThread.end( ); 
+		Iter++ )
+	{
+		THREAD_INFO ThreadInfor = *Iter;
+
+		if (ThreadInfor.State == Terminated)
+		{
+			return;
+		}
+
+		CString strTid, strEThread, strTeb, strPriority, strWin32StartAddress, strContextSwitches, strState, strModule;
+
+		strTid.Format(L"%d", ThreadInfor.Tid);
+		strEThread.Format(L"0x%08p", ThreadInfor.Thread);
+		if (ThreadInfor.Teb == 0)
+		{
+			strTeb = L"-";
+		}
+		else
+		{
+			strTeb.Format(L"0x%08p", ThreadInfor.Teb);
+		}
+
+		strPriority.Format(L"%d", ThreadInfor.Priority);
+		strWin32StartAddress.Format(L"0x%08p", ThreadInfor.Win32StartAddress);
+		strContextSwitches.Format(L"%d", ThreadInfor.ContextSwitches);
+
+		strModule = GetDriverPath(ThreadInfor.Win32StartAddress);
+
+		switch (ThreadInfor.State)
+		{
+		case Initialized:
+			{
+				strState = L"Initialized";
+				break;
+			}
+		case Ready:
+			{
+				strState = L"Ready";
+				break;
+			}
+		case Running:
+			{
+				strState = L"Running";
+				break;
+
+			}
+		case Standby:
+			{
+				strState = L"Standby";
+				break;
+
+			}
+		case Terminated:
+			{
+				strState = L"Terminated";
+				break;
+
+			}
+		case Waiting:
+			{
+				strState = L"Waiting";
+				break;
+
+			}
+		case Transition:
+			{
+				strState = L"Transition";
+				break;
+			}
+
+		case DeferredReady:
+			{
+				strState = L"Deferred Ready";
+				break;
+
+			}
+		case GateWait:
+			{
+				strState = L"Gate Wait";
+				break;
+
+			}
+		default:
+			{
+				strState = L"UnKnown";
+				break;
+			}
+		}
+
+		int n = m_ListCtrl->GetItemCount();
+		int j = m_ListCtrl->InsertItem(n,strTid);
+		m_ListCtrl->SetItemText(j, ThreadObject, strEThread);
+		m_ListCtrl->SetItemText(j, ThreadTeb, strTeb);
+		m_ListCtrl->SetItemText(j, ThreadPriority, strPriority);
+		m_ListCtrl->SetItemText(j, ThreadStartAddress, strWin32StartAddress);
+		m_ListCtrl->SetItemText(j, ThreadSwitchTimes, strContextSwitches);
+		m_ListCtrl->SetItemText(j, ThreadStatus, strState);
+		m_ListCtrl->SetItemText(j, ThreadStartModule, strModule);
+
+
+		CString strComp;
+		strComp = HsGetFileCompanyName(strModule);
+
+		m_ListCtrl->SetItemText(j,ThreadComp, strComp);
+		m_ListCtrl->SetItemData(j,j);
+
+		m_ulSYSThreadCount++;
+
+		CString StatusBarContext;
+		StatusBarContext.Format(L"ÄÚºËÏß³ÌÕýÔÚ¼ÓÔØ¡£ Ïß³ÌÊý£º%d",m_ulSYSThreadCount);
+
+		HsSendStatusDetail(StatusBarContext);
+	}
+
+	CString StatusBarContext;
+	StatusBarContext.Format(L"ÄÚºËÏß³Ì¼ÓÔØÍê³É¡£ Ïß³ÌÊý£º%d",m_ulSYSThreadCount);
+
+	HsSendStatusDetail(StatusBarContext);
+
+}
+
+
+BOOL HsGetSYSThread(CListCtrl *m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	m_vectorThread.clear();
+
+
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+
+	ULONG_PTR ulCnt = 1000;
+	PALL_THREADS AllThreads = NULL;
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+
+		if (AllThreads)
+		{
+			free(AllThreads);
+			AllThreads = NULL;
+		}
+
+		ulSize = sizeof(ALL_THREADS) + ulCnt * sizeof(THREAD_INFO);
+
+		AllThreads = (PALL_THREADS)malloc(ulSize);
+		if (!AllThreads)
+		{
+			break;
+		}
+
+		memset(AllThreads, 0, ulSize);
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_SYSK_SYSTHREAD),
+			NULL,
+			0,
+			AllThreads,
+			(DWORD)ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCnt = AllThreads->nCnt + 100;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && AllThreads->nCnt > 0)
+	{
+		for (ULONG i = 0; i < AllThreads->nCnt; i++)
+		{
+			m_vectorThread.push_back(AllThreads->Threads[i]);
+		}
+	}
+
+	if (AllThreads)
+	{
+		free(AllThreads);
+		AllThreads = NULL;
+	}
+
+	if (!m_vectorThread.empty())
+	{
+		return TRUE;
+	}
+
+	return FALSE;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/SysThread.h b/arkProject/HeavenShadow/HeavenShadow/SysThread.h
new file mode 100644
index 0000000..32365ea
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SysThread.h
@@ -0,0 +1,13 @@
+#pragma once
+#include "stdafx.h"
+
+
+
+
+VOID HsInitSysThreadList(CListCtrl *m_ListCtrl);
+
+VOID HsLoadSysThreadList(CListCtrl *m_ListCtrl);
+
+VOID HsQuerySysThreadList(CListCtrl *m_ListCtrl);
+
+BOOL HsGetSYSThread(CListCtrl *m_ListCtrl);
diff --git a/arkProject/HeavenShadow/HeavenShadow/SystemDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/SystemDlg.cpp
new file mode 100644
index 0000000..2fede36
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SystemDlg.cpp
@@ -0,0 +1,579 @@
+// SystemDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "SystemDlg.h"
+#include "afxdialogex.h"
+
+#include "SysThread.h"
+#include "IoTimerFunc.h"
+#include "CallbackFunc.h"
+#include "DpcTimerFunc.h"
+#include "FilterDriverFunc.h"
+
+#include "HeavenShadowDlg.h"
+
+enum HS_SYSK_LIST
+{
+	HS_SYSK_CALLBACK,
+	HS_SYSK_IOTIMER,
+	HS_SYSK_DPCTIMER,
+	HS_SYSK_FILTERDRIVER,
+	HS_SYSK_SYSTHREAD,
+};
+
+extern int dpix;
+extern int dpiy;
+
+extern BOOL bIsChecking;
+
+BOOL bNowSystemSel = 255;
+
+
+// CSystemDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CSystemDlg, CDialog)
+
+CSystemDlg::CSystemDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CSystemDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CSystemDlg::~CSystemDlg()
+{
+}
+
+void CSystemDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST_SYSTEM, m_ListSystem);
+	DDX_Control(pDX, IDC_LIST_SYSTEM_CTRL, m_ListSystemCtrl);
+}
+
+
+BEGIN_MESSAGE_MAP(CSystemDlg, CDialog)
+	ON_WM_SHOWWINDOW()
+	ON_WM_PAINT()
+	ON_LBN_SELCHANGE(IDC_LIST_SYSTEM, &CSystemDlg::OnSelchangeListSystem)
+	ON_NOTIFY(NM_RCLICK, IDC_LIST_SYSTEM_CTRL, &CSystemDlg::OnRclickListSystemCtrl)
+	ON_COMMAND(ID_MENU_SYSK_IOTIMER_REFRESH, &CSystemDlg::OnMenuSyskIoTimerRefresh)
+	ON_COMMAND(ID_MENU_SYSK_IOTIMER_OPER, &CSystemDlg::OnMenuSyskOperiotimer)
+	ON_COMMAND(ID_MENU_SYSK_CALLBACK_REFRESH, &CSystemDlg::OnMenuSyskCallbackRefresh)
+	ON_COMMAND(ID_MENU_SYSK_CALLBACK_REMOVE, &CSystemDlg::OnMenuSyskCallbackRemove)
+	ON_COMMAND(ID_MENU_SYSK_IOTIMER_REMOVE, &CSystemDlg::OnMenuSyskRemoveiotimer)
+	ON_COMMAND(ID_MENU_SYSK_DPCTIMER_REFRESH, &CSystemDlg::OnMenuSyskDpctimerRefresh)
+	ON_COMMAND(ID_MENU_SYSK_DPCTIMER_REMOVE, &CSystemDlg::OnMenuSyskDpctimerRemove)
+	ON_COMMAND(ID_MENU_SYSK_FILTER_REFRESH, &CSystemDlg::OnMenuSyskFilterRefresh)
+	ON_COMMAND(ID_MENU_SYSK_FILTER_REMOVEFILTER, &CSystemDlg::OnMenuSyskFilterRemovefilter)
+END_MESSAGE_MAP()
+
+
+// CSystemDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+BOOL CSystemDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+BOOL CSystemDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	InitSystemList();
+
+	UINT uIconSize = 20;
+
+	uIconSize *= (UINT)(dpix/96.0);
+
+	m_TreeSystemImageList.Create(1, uIconSize, ILC_COLOR32 | ILC_MASK, 2, 2);
+
+	ListView_SetImageList(m_ListSystemCtrl.m_hWnd, m_TreeSystemImageList.GetSafeHandle(), LVSIL_SMALL);
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+void CSystemDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_SYSTEM;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnSys.EnableWindow(FALSE);
+
+		HsSendStatusDetail(L"ÏÔÊ¾²Ù×÷ÏµÍ³ÄÚºËÏà¹ØÐÅÏ¢¡£");
+		HsSendStatusTip(L"ÄÚºË");
+
+		m_ListSystem.SetCurSel(0);
+
+		bNowSystemSel = 255;
+
+		OnSelchangeListSystem();
+
+		m_ListSystemCtrl.SetFocus();
+	}
+}
+
+
+void CSystemDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+
+	CRect SystemListRect;
+	CRect SystemCtrlRect;
+
+	//m_ListKernel.GetClientRect(KernelListRect);
+	m_ListSystem.GetWindowRect(&SystemListRect);
+	ClientToScreen(&rect);
+	SystemListRect.left -= rect.left;
+	SystemListRect.right -= rect.left;
+	SystemListRect.top -= rect.top;
+	SystemListRect.bottom -= rect.top;
+	SystemListRect.bottom = rect.Height() - 2;
+	//m_ListKernel.MoveWindow(&KernelListRect);
+
+	CPoint startPoint;
+	startPoint.x = (LONG)(SystemListRect.right)+2;
+	startPoint.y = -1;
+	CPoint endPoint;
+	endPoint.x = (LONG)(SystemListRect.right)+2;
+	endPoint.y = rect.Height()+2;
+
+	SystemCtrlRect.left = startPoint.x+1;
+	SystemCtrlRect.right = rect.Width();
+	SystemCtrlRect.top = 0;
+	SystemCtrlRect.bottom = rect.Height();
+	m_ListSystemCtrl.MoveWindow(SystemCtrlRect);
+
+	// 	CPoint startPoint;
+	// 	startPoint.x = (UINT)(98*(dpix/96.0))+2;
+	// 	startPoint.y = -1;
+	// 	CPoint endPoint;
+	// 	endPoint.x = (UINT)(98*(dpix/96.0))+2;
+	// 	endPoint.y = rect.Height()+2;
+
+
+	COLORREF m_Color(RGB(190,190,190));
+
+	CClientDC aDC(this);			//CClientDCµÄ¹¹Ôìº¯ÊýÐèÒªÒ»¸ö²ÎÊý£¬Õâ¸ö²ÎÊýÊÇÖ¸Ïò»æÍ¼´°¿ÚµÄÖ¸Õë£¬ÎÒÃÇÓÃthisÖ¸Õë¾Í¿ÉÒÔÁË
+	CPen pen(PS_SOLID,1,m_Color);	//½¨Á¢Ò»¸ö»­±ÊÀà¶ÔÏó£¬¹¹ÔìÊ±ÉèÖÃ»­±ÊÊôÐÔ
+	aDC.SelectObject(&pen);
+	aDC.MoveTo(startPoint);
+	aDC.LineTo(endPoint);
+}
+
+
+
+
+void CSystemDlg::InitSystemList(void)
+{
+	m_ListSystem.AddString(L"ÏµÍ³»Øµ÷");
+	m_ListSystem.InsertString(HS_SYSK_IOTIMER,L"IOPTimer");
+	m_ListSystem.InsertString(HS_SYSK_DPCTIMER,L"DPCTimer");
+	m_ListSystem.InsertString(HS_SYSK_FILTERDRIVER,L"¹ýÂËÇý¶¯");
+	m_ListSystem.InsertString(HS_SYSK_SYSTHREAD,L"ÄÚºËÏß³Ì");
+	
+	m_ListSystem.SetItemHeight(-1,(UINT)(16*(dpiy/96.0)));
+}
+
+void CSystemDlg::OnSelchangeListSystem()
+{
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	int nCurSel = m_ListSystem.GetCurSel();
+
+	switch(nCurSel)
+	{
+	case HS_SYSK_CALLBACK:
+		{
+			if (bIsChecking == TRUE || bNowSystemSel == HS_SYSK_CALLBACK)	//
+			{
+				m_ListSystem.SetCurSel(bNowSystemSel);
+				m_ListSystemCtrl.SetFocus();
+				return;
+			}
+
+			bNowSystemSel = nCurSel;
+
+			HsInitCallBackList(&m_ListSystemCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadCallBackList,&m_ListSystemCtrl, 0,NULL)
+				);
+			//HsLoadCallBackList(&m_ListSystemCtrl);
+
+			break;
+		}
+	case HS_SYSK_IOTIMER:
+		{
+			if (bIsChecking == TRUE || bNowSystemSel == HS_SYSK_IOTIMER)	//
+			{
+				m_ListSystem.SetCurSel(bNowSystemSel);
+				m_ListSystemCtrl.SetFocus();
+				return;
+			}
+
+			bNowSystemSel = nCurSel;
+
+			HsInitIOTimerList(&m_ListSystemCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadIOTimerList,&m_ListSystemCtrl, 0,NULL)
+				);
+			//HsLoadIOTimerList(&m_ListSystemCtrl);
+
+			break;
+		}
+	case HS_SYSK_DPCTIMER:
+		{
+			if (bIsChecking == TRUE || bNowSystemSel == HS_SYSK_DPCTIMER)	//
+			{
+				m_ListSystem.SetCurSel(bNowSystemSel);
+				m_ListSystemCtrl.SetFocus();
+				return;
+			}
+
+			bNowSystemSel = nCurSel;
+
+			HsInitDPCTimerList(&m_ListSystemCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadDPCTimerList,&m_ListSystemCtrl, 0,NULL)
+				);
+			//HsLoadDPCTimerList(&m_ListSystemCtrl);
+
+			break;
+		}
+	case HS_SYSK_FILTERDRIVER:
+		{
+			if (bIsChecking == TRUE || bNowSystemSel == HS_SYSK_FILTERDRIVER)	//
+			{
+				m_ListSystem.SetCurSel(bNowSystemSel);
+				m_ListSystemCtrl.SetFocus();
+				return;
+			}
+
+			bNowSystemSel = nCurSel;
+
+			HsInitFilterDriverList(&m_ListSystemCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadFilterDriverList,&m_ListSystemCtrl, 0,NULL)
+				);
+			//HsLoadFilterDriverList(&m_ListSystemCtrl);
+
+			break;
+		}
+	case HS_SYSK_SYSTHREAD:
+		{
+			if (bIsChecking == TRUE || bNowSystemSel == HS_SYSK_SYSTHREAD)	//
+			{
+				m_ListSystem.SetCurSel(bNowSystemSel);
+				m_ListSystemCtrl.SetFocus();
+				return;
+			}
+
+			bNowSystemSel = nCurSel;
+
+			HsInitSysThreadList(&m_ListSystemCtrl);
+
+			CloseHandle(
+				CreateThread(NULL,0, 
+				(LPTHREAD_START_ROUTINE)HsLoadSysThreadList,&m_ListSystemCtrl, 0,NULL)
+				);
+			//HsLoadSysThreadList(&m_ListSystemCtrl);
+
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+
+	m_ListSystemCtrl.SetFocus();
+}
+
+
+void CSystemDlg::OnRclickListSystemCtrl(NMHDR *pNMHDR, LRESULT *pResult)
+{
+	LPNMITEMACTIVATE pNMItemActivate = reinterpret_cast<LPNMITEMACTIVATE>(pNMHDR);
+	// TODO: ÔÚ´ËÌí¼Ó¿Ø¼þÍ¨Öª´¦Àí³ÌÐò´úÂë
+
+	CMenu	popup;
+	CPoint	p;
+
+	switch(bNowSystemSel)
+	{
+	case HS_SYSK_IOTIMER:
+		{
+			popup.LoadMenu(IDR_MENU_SYSK_IOTIMER);			//¼ÓÔØ²Ëµ¥×ÊÔ´
+			CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+			GetCursorPos(&p);
+			int	count = pM->GetMenuItemCount();
+			if (m_ListSystemCtrl.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+			{ 
+				for (int i = 1;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			POSITION pos = m_ListSystemCtrl.GetFirstSelectedItemPosition();
+
+			while (pos)
+			{
+				int nItem = m_ListSystemCtrl.GetNextSelectedItem(pos);
+
+				if (_wcsnicmp(L"ÔËÐÐ",m_ListSystemCtrl.GetItemText(nItem,2),wcslen(L"ÔËÐÐ"))==0)
+				{
+					pM->ModifyMenuW(ID_MENU_SYSK_IOTIMER_OPER,MF_BYCOMMAND,ID_MENU_SYSK_IOTIMER_OPER,L"Í£Ö¹(&S)");
+				}
+				else if (_wcsnicmp(L"Í£Ö¹",m_ListSystemCtrl.GetItemText(nItem,2),wcslen(L"Í£Ö¹"))==0)
+				{
+					pM->ModifyMenuW(ID_MENU_SYSK_IOTIMER_OPER,MF_BYCOMMAND,ID_MENU_SYSK_IOTIMER_OPER,L"ÔËÐÐ(&S)");
+				}
+			}
+
+			pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+			break;
+		}
+	case HS_SYSK_CALLBACK:
+		{
+			popup.LoadMenu(IDR_MENU_SYSK_CALLBACK);			//¼ÓÔØ²Ëµ¥×ÊÔ´
+			CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+			GetCursorPos(&p);
+			int	count = pM->GetMenuItemCount();
+			if (m_ListSystemCtrl.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+			{ 
+				for (int i = 1;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+			break;
+		}
+	case HS_SYSK_DPCTIMER:
+		{
+			popup.LoadMenu(IDR_MENU_SYSK_DPCTIMER);			//¼ÓÔØ²Ëµ¥×ÊÔ´
+			CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+			GetCursorPos(&p);
+			int	count = pM->GetMenuItemCount();
+			if (m_ListSystemCtrl.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+			{ 
+				for (int i = 1;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+			break;
+		}
+	case HS_SYSK_FILTERDRIVER:
+		{
+			popup.LoadMenu(IDR_MENU_SYSK_FILTERDRIVER);		//¼ÓÔØ²Ëµ¥×ÊÔ´
+			CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+
+			GetCursorPos(&p);
+			int	count = pM->GetMenuItemCount();
+			if (m_ListSystemCtrl.GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+			{ 
+				for (int i = 1;i<count;i++)
+				{
+					pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+				}
+			}
+
+			pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, this);
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+
+
+	*pResult = 0;
+}
+
+
+void CSystemDlg::OnMenuSyskIoTimerRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	m_ListSystem.SetCurSel(HS_SYSK_IOTIMER);
+	bNowSystemSel = 255;
+	OnSelchangeListSystem();
+}
+
+
+void CSystemDlg::OnMenuSyskOperiotimer()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	if (bIsChecking)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsOperIOTimer,&m_ListSystemCtrl, 0,NULL)
+		);
+	//HsOperIOTimer(&m_ListSystemCtrl);
+}
+
+
+void CSystemDlg::OnMenuSyskCallbackRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	m_ListSystem.SetCurSel(HS_SYSK_CALLBACK);
+	bNowSystemSel = 255;
+	OnSelchangeListSystem();
+}
+
+
+void CSystemDlg::OnMenuSyskCallbackRemove()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	if (bIsChecking)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsRemoveCallBackItem,&m_ListSystemCtrl, 0,NULL)
+		);
+	//HsRemoveCallBackItem(&m_ListSystemCtrl);
+}
+
+
+void CSystemDlg::OnMenuSyskRemoveiotimer()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+
+	BOOL bRet = MessageBox(L"É¾³ýIOTimer²Ù×÷¿ÉÄÜ»áÔì³ÉÏµÍ³Òì³£»ò±ÀÀ££¬\r\nÇëÔÚÈ·ÈÏºó¼ÌÐø¡£",L"ÌìÓ°ÎÀÊ¿",MB_ICONWARNING | MB_OKCANCEL);
+
+	if (bRet == IDCANCEL)
+	{
+		return;
+	}
+
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsRemoveIOTimerItem,&m_ListSystemCtrl, 0,NULL)
+		);
+	//HsRemoveIOTimerItem(&m_ListSystemCtrl);
+}
+
+
+void CSystemDlg::OnMenuSyskDpctimerRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	m_ListSystem.SetCurSel(HS_SYSK_DPCTIMER);
+	bNowSystemSel = 255;
+	OnSelchangeListSystem();
+}
+
+
+void CSystemDlg::OnMenuSyskDpctimerRemove()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	BOOL bRet = MessageBox(L"É¾³ýDPCTimer²Ù×÷¿ÉÄÜ»áÔì³ÉÏµÍ³Òì³£»ò±ÀÀ££¬\r\nÇëÔÚÈ·ÈÏºó¼ÌÐø¡£",L"ÌìÓ°ÎÀÊ¿",MB_ICONWARNING | MB_OKCANCEL);
+
+	if (bRet == IDCANCEL)
+	{
+		return;
+	}
+
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsRemoveDPCTimerItem,&m_ListSystemCtrl, 0,NULL)
+		);
+	//HsRemoveDPCTimerItem(&m_ListSystemCtrl);
+}
+
+
+void CSystemDlg::OnMenuSyskFilterRefresh()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	m_ListSystem.SetCurSel(HS_SYSK_FILTERDRIVER);
+	bNowSystemSel = 255;
+	OnSelchangeListSystem();
+}
+
+
+void CSystemDlg::OnMenuSyskFilterRemovefilter()
+{
+	// TODO: ÔÚ´ËÌí¼ÓÃüÁî´¦Àí³ÌÐò´úÂë
+	BOOL bRet = MessageBox(L"Ð¶ÔØ¹ýÂËÇý¶¯²Ù×÷¿ÉÄÜ»áÔì³ÉÏµÍ³Òì³£»ò±ÀÀ££¬\r\nÇëÔÚÈ·ÈÏºó¼ÌÐø¡£",L"ÌìÓ°ÎÀÊ¿",MB_ICONWARNING | MB_OKCANCEL);
+
+	if (bRet == IDCANCEL)
+	{
+		return;
+	}
+
+	if (bIsChecking == TRUE)
+	{
+		return;
+	}
+
+	bIsChecking = TRUE;
+
+	CloseHandle(
+		CreateThread(NULL,0, 
+		(LPTHREAD_START_ROUTINE)HsRemoveFilterDriverItem,&m_ListSystemCtrl, 0,NULL)
+		);
+	//HsRemoveFilterDriverItem(&m_ListSystemCtrl);
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/SystemDlg.h b/arkProject/HeavenShadow/HeavenShadow/SystemDlg.h
new file mode 100644
index 0000000..c662664
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/SystemDlg.h
@@ -0,0 +1,47 @@
+#pragma once
+#include "afxwin.h"
+#include "afxcmn.h"
+
+
+// CSystemDlg ¶Ô»°¿ò
+
+class CSystemDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CSystemDlg)
+
+public:
+	CSystemDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CSystemDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_SYSTEM };
+
+	CWnd* m_wParent;
+
+	void InitSystemList(void);
+
+	CImageList m_TreeSystemImageList;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	virtual BOOL OnInitDialog();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+	afx_msg void OnPaint();
+	CXTPEditListBox m_ListSystem;
+	CListCtrl m_ListSystemCtrl;
+	afx_msg void OnSelchangeListSystem();
+	afx_msg void OnRclickListSystemCtrl(NMHDR *pNMHDR, LRESULT *pResult);
+	afx_msg void OnMenuSyskIoTimerRefresh();
+	afx_msg void OnMenuSyskOperiotimer();
+	afx_msg void OnMenuSyskCallbackRefresh();
+	afx_msg void OnMenuSyskCallbackRemove();
+	afx_msg void OnMenuSyskRemoveiotimer();
+	afx_msg void OnMenuSyskDpctimerRefresh();
+	afx_msg void OnMenuSyskDpctimerRemove();
+	afx_msg void OnMenuSyskFilterRefresh();
+	afx_msg void OnMenuSyskFilterRemovefilter();
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/ThreadFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/ThreadFunc.cpp
new file mode 100644
index 0000000..0748e60
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ThreadFunc.cpp
@@ -0,0 +1,365 @@
+#include "stdafx.h"
+#include "ThreadFunc.h"
+#include "Common.h"
+#include "resource.h"
+
+#include <stdio.h>
+#include <vector>
+
+using namespace std;
+
+
+vector<THREAD_INFO> m_vectorThread;
+vector<MODULE_INFO> m_vectorModule;
+extern ULONG_PTR g_ulProcessId;
+extern HANDLE g_hDevice;
+
+COLUMNSTRUCT g_Column_Thread[] = 
+{
+	{	L"Ïß³ÌID",			50	},
+	{	L"ETHREAD",			125	},
+	{	L"Teb",				125	},
+	{	L"ÓÅÏÈ¼¶",			54	},
+	{	L"Ïß³ÌÈë¿Ú",			125	},
+	{	L"Ä£¿é",				90	},
+	{	L"ÇÐ»»´ÎÊý",			68	},
+	{	L"×´Ì¬",				50	}
+};
+
+UINT g_Column_Thread_Count  = 8;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+
+void HsInitThreadList(CMyList *m_ListCtrl)
+{
+
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_Thread_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_Thread[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Thread[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+BOOL HsQueryProcessThread(CMyList *m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+	m_vectorThread.clear();
+
+	ULONG ulReturnSize = 0;
+	BOOL bRet = FALSE;
+
+	UINT m_Pid = (UINT)g_ulProcessId;
+
+	
+
+	if (m_Pid == 0)
+	{
+		return bRet;
+	}
+
+	m_vectorThread.clear();
+
+	ULONG ulCount = 1000;
+	PALL_THREADS Threads = NULL;
+
+	do 
+	{
+		ULONG ulSize = 0;
+
+		if (Threads)
+		{
+			free(Threads);
+			Threads = NULL;
+		}
+
+		ulSize = sizeof(ALL_THREADS) + ulCount * sizeof(THREAD_INFO);
+
+		Threads = (PALL_THREADS)malloc(ulSize);
+		if (!Threads)
+		{
+			break;
+		}
+
+		memset(Threads,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSTHREAD),
+			&m_Pid,
+			sizeof(ULONG),
+			Threads,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = (ULONG)(Threads->nCnt + 100);
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && Threads->nCnt > 0)
+	{
+		for (ULONG i = 0;i<Threads->nCnt; i++)
+		{
+			m_vectorThread.push_back(Threads->Threads[i]);
+		}
+	}
+
+	if (Threads)
+	{
+		free(Threads);
+		Threads = NULL;
+	}
+
+	if (m_vectorThread.empty())
+	{
+		return FALSE;
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+
+	ulCount = 0x10;
+	PALL_MODULES AllModules = NULL;
+
+	do 
+	{
+
+		ULONG ulSize = 0;
+
+		if (AllModules)
+		{
+			free(AllModules);
+			AllModules = NULL;
+		}
+
+		ulSize = sizeof(ALL_MODULES) + ulCount * sizeof(MODULE_INFO);
+
+		AllModules = (PALL_MODULES)malloc(ulSize);
+		if (!AllModules)
+		{
+			break;
+		}
+
+		memset(AllModules,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,HS_IOCTL(HS_IOCTL_PROC_PROCESSTHREADMODULE),
+			&m_Pid,
+			sizeof(ULONG_PTR),
+			AllModules,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+
+		ulCount = (ULONG)(AllModules->ulCount + 1000);
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+
+	if (bRet && AllModules->ulCount > 0)
+	{
+
+		for (ULONG i=0;i<AllModules->ulCount;i++)
+		{
+			MODULE_INFO Temp;
+
+			Temp.Base = AllModules->Modules[i].Base;
+			Temp.Size = AllModules->Modules[i].Size;
+			CString szPath = TrimPath(AllModules->Modules[i].Path);
+
+			wcsncpy_s(Temp.Path, MAX_PATH, szPath.GetBuffer(), szPath.GetLength());
+			szPath.ReleaseBuffer();
+
+			m_vectorModule.push_back(Temp);
+
+		}
+	}
+
+
+	if (AllModules!=NULL)
+	{
+		free(AllModules);
+		AllModules = NULL;
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+
+	for (vector <THREAD_INFO>::iterator Iter = m_vectorThread.begin( ); 
+		Iter != m_vectorThread.end( ); 
+		Iter++ )
+	{
+		THREAD_INFO ThreadInfor = (THREAD_INFO)*Iter;
+		if (ThreadInfor.State == Terminated)
+		{
+			return FALSE;
+		}
+
+		CString strTid, strEThread, strTeb, strPriority, strWin32StartAddress, strContextSwitches, strState, strModule;
+
+		strTid.Format(L"%d", ThreadInfor.Tid);
+		strEThread.Format(L"0x%08p", ThreadInfor.Thread);
+		if (ThreadInfor.Teb == 0)
+		{
+			strTeb = L"-";
+		}
+		else
+		{
+			strTeb.Format(L"0x%08p", ThreadInfor.Teb);
+		}
+
+		strPriority.Format(L"%d", ThreadInfor.Priority);
+		strWin32StartAddress.Format(L"0x%08p", ThreadInfor.Win32StartAddress);
+		strContextSwitches.Format(L"%d", ThreadInfor.ContextSwitches);
+
+		strModule = GetModulePathByThreadStartAddress(ThreadInfor.Win32StartAddress);
+
+		if (strModule.GetLength()<=1)
+		{
+			strModule = L"\\ ";
+		}
+
+		WCHAR* Temp = NULL;
+
+		Temp = wcsrchr(strModule.GetBuffer(),L'\\');
+
+		if (Temp != NULL)
+		{
+			Temp++;
+		}
+
+		strModule = Temp;
+
+		switch (ThreadInfor.State)
+		{
+		case Initialized:
+			{
+				strState = L"Ô¤ÖÃ";
+				break;
+			}
+		case Ready:
+			{
+				strState = L"¾ÍÐ÷";
+				break;
+			}
+		case Running:
+			{
+				strState = L"ÔËÐÐ";
+				break;
+
+			}
+		case Standby:
+			{
+				strState = L"±¸ÓÃ";
+				break;
+
+			}
+		case Terminated:
+			{
+				strState = L"ÖÕÖ¹";
+				break;
+
+			}
+		case Waiting:
+			{
+				strState = L"µÈ´ý";
+				break;
+
+			}
+		case Transition:
+			{
+				strState = L"¹ý¶È";
+				break;
+			}
+
+		case DeferredReady:
+			{
+				strState = L"ÑÓ³Ù¾ÍÐ÷";
+				break;
+
+			}
+		case GateWait:
+			{
+				strState = L"ÃÅµÈ´ý";
+				break;
+
+			}
+		default:
+			{
+				strState = L"Î´Öª";
+				break;
+			}
+		}
+
+		int n = m_ListCtrl->GetItemCount();
+		int j = m_ListCtrl->InsertItem(n,strTid);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_ETHREAD, strEThread);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_TEB, strTeb);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_PRIORITY, strPriority);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_ENTRANCE, strWin32StartAddress);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_COUNTER, strContextSwitches);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_STATUS, strState);
+		m_ListCtrl->SetItemText(j, HS_THREAD_COLUMN_MODULE, strModule);
+		m_ListCtrl->SetItemData(j,j);
+
+	}
+
+	return bRet;
+}
+
+
+
+CString GetModulePathByThreadStartAddress(ULONG_PTR ulBase)
+{
+	CString szRet = L"";
+
+
+	for ( vector <MODULE_INFO>::iterator Iter = m_vectorModule.begin( ); 
+		Iter != m_vectorModule.end( ); 
+		Iter++)
+	{	
+		MODULE_INFO entry = *Iter;
+		if (ulBase >= entry.Base && ulBase <= (entry.Base + entry.Size))
+		{
+			szRet = entry.Path;
+		}
+	}
+
+
+
+
+	//Èç¹û²»½øÈëÑ­»· ¾ÍËµÃ÷ÊÇÄÚºËÄ£¿é
+	return szRet;
+}
+
+
+
+
+
+
+//È¨ÏÞ½çÃæµ¯³ö²Ëµ¥
+VOID HsProcessThreadPopupMenu(CMyList *m_ListCtrl, CWnd* parent)
+{
+	CMenu	popup;
+	popup.LoadMenu(IDR_MENU_PROCESS_THREAD);		//¼ÓÔØ²Ëµ¥×ÊÔ´
+	CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+	CPoint	p;
+	GetCursorPos(&p);
+	int	count = pM->GetMenuItemCount();
+	if (m_ListCtrl->GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+	{ 
+		for (int i = 0;i<count;i++)
+		{
+			pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+		}
+	}
+
+	pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, parent);
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/ThreadFunc.h b/arkProject/HeavenShadow/HeavenShadow/ThreadFunc.h
new file mode 100644
index 0000000..af5faf6
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ThreadFunc.h
@@ -0,0 +1,92 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+enum HS_THREAD_COLUMN
+{
+	HS_THREAD_COLUMN_TID = 0,
+	HS_THREAD_COLUMN_ETHREAD,
+	HS_THREAD_COLUMN_TEB,
+	HS_THREAD_COLUMN_PRIORITY,
+	HS_THREAD_COLUMN_ENTRANCE,
+	HS_THREAD_COLUMN_MODULE,
+	HS_THREAD_COLUMN_COUNTER,
+	HS_THREAD_COLUMN_STATUS
+};
+
+typedef struct _THREAD_INFO_
+{
+	ULONG_PTR Thread;
+	ULONG_PTR Tid;
+	ULONG_PTR Teb;
+	UCHAR Priority;
+	ULONG_PTR Win32StartAddress;
+	ULONG ContextSwitches;
+	UCHAR State;
+}THREAD_INFO, *PTHREAD_INFO;
+
+typedef struct _ALL_THREADS_
+{
+	ULONG_PTR    nCnt;
+	THREAD_INFO Threads[1];
+}ALL_THREADS, *PALL_THREADS;
+
+
+
+typedef enum _KTHREAD_STATE
+{
+	Initialized,
+	Ready,
+	Running,
+	Standby,
+	Terminated,
+	Waiting,
+	Transition,
+	DeferredReady,
+	GateWait
+} KTHREAD_STATE, *PKTHREAD_STATE;
+
+
+
+
+typedef enum _THREAD_HEADER_INDEX_
+{
+	ThreadId,
+	ThreadObject,
+	ThreadTeb,
+	ThreadPriority,
+	ThreadStartAddress,
+	ThreadSwitchTimes,
+	ThreadStatus,
+	ThreadStartModule,
+	ThreadComp
+}THREAD_HEADER_INDEX;
+
+
+
+
+
+typedef struct _MODULE_INFO_
+{
+	ULONG_PTR Base;
+	ULONG_PTR Size;
+	WCHAR Path[MAX_PATH]; 
+}MODULE_INFO, *PMODULE_INFO;
+
+typedef struct _ALL_MODULES_
+{
+	ULONG_PTR   ulCount;
+	MODULE_INFO Modules[1];
+}ALL_MODULES, *PALL_MODULES;
+
+
+
+
+void HsInitThreadList(CMyList *m_ListCtrl);
+
+BOOL HsQueryProcessThread(CMyList *m_ListCtrl);
+
+CString GetModulePathByThreadStartAddress(ULONG_PTR ulBase);
+
+VOID HsProcessThreadPopupMenu(CMyList *m_ListCtrl, CWnd* parent);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/ToolsDlg.cpp b/arkProject/HeavenShadow/HeavenShadow/ToolsDlg.cpp
new file mode 100644
index 0000000..0a5f5ad
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ToolsDlg.cpp
@@ -0,0 +1,88 @@
+// ToolsDlg.cpp : ÊµÏÖÎÄ¼þ
+//
+
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "ToolsDlg.h"
+#include "afxdialogex.h"
+
+#include "HeavenShadowDlg.h"
+
+// CToolsDlg ¶Ô»°¿ò
+
+IMPLEMENT_DYNAMIC(CToolsDlg, CDialog)
+
+CToolsDlg::CToolsDlg(CWnd* pParent /*=NULL*/)
+	: CDialog(CToolsDlg::IDD, pParent)
+{
+	m_wParent = pParent;
+}
+
+CToolsDlg::~CToolsDlg()
+{
+}
+
+void CToolsDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialog::DoDataExchange(pDX);
+}
+
+
+BEGIN_MESSAGE_MAP(CToolsDlg, CDialog)
+	ON_WM_PAINT()
+	ON_WM_SHOWWINDOW()
+END_MESSAGE_MAP()
+
+
+// CToolsDlg ÏûÏ¢´¦Àí³ÌÐò
+
+
+BOOL CToolsDlg::OnInitDialog()
+{
+	CDialog::OnInitDialog();
+
+	// TODO:  ÔÚ´ËÌí¼Ó¶îÍâµÄ³õÊ¼»¯
+
+	return TRUE;  // return TRUE unless you set the focus to a control
+	// Òì³£: OCX ÊôÐÔÒ³Ó¦·µ»Ø FALSE
+}
+
+
+BOOL CToolsDlg::PreTranslateMessage(MSG* pMsg)
+{
+	// TODO: ÔÚ´ËÌí¼Ó×¨ÓÃ´úÂëºÍ/»òµ÷ÓÃ»ùÀà
+	if (pMsg->message==WM_KEYDOWN && (pMsg->wParam==VK_RETURN ||pMsg->wParam==VK_ESCAPE))
+	{
+		return TRUE;
+	}
+	return CDialog::PreTranslateMessage(pMsg);
+}
+
+
+void CToolsDlg::OnPaint()
+{
+	CPaintDC dc(this); // device context for painting
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CDialog::OnPaint()
+
+	CRect   rect;
+	GetClientRect(rect);
+	dc.FillSolidRect(rect,RGB(255,255,255));
+}
+
+
+void CToolsDlg::OnShowWindow(BOOL bShow, UINT nStatus)
+{
+	CDialog::OnShowWindow(bShow, nStatus);
+
+	if (bShow == TRUE)
+	{
+		((CHeavenShadowDlg*)m_wParent)->m_bNowWindow = HS_DIALOG_TOOLS;
+
+		((CHeavenShadowDlg*)m_wParent)->m_btnTool.EnableWindow(FALSE);
+
+		HsSendStatusDetail(L"ÏµÍ³¹¤¾ß¼¯ºÏ¡£");
+		HsSendStatusTip(L"¹¤¾ßÏä");
+	}
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/ToolsDlg.h b/arkProject/HeavenShadow/HeavenShadow/ToolsDlg.h
new file mode 100644
index 0000000..6530aca
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/ToolsDlg.h
@@ -0,0 +1,28 @@
+#pragma once
+
+
+// CToolsDlg ¶Ô»°¿ò
+
+class CToolsDlg : public CDialog
+{
+	DECLARE_DYNAMIC(CToolsDlg)
+
+public:
+	CToolsDlg(CWnd* pParent = NULL);   // ±ê×¼¹¹Ôìº¯Êý
+	virtual ~CToolsDlg();
+
+// ¶Ô»°¿òÊý¾Ý
+	enum { IDD = IDD_DIALOG_TOOLS };
+
+	CWnd* m_wParent;
+
+protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV Ö§³Ö
+
+	DECLARE_MESSAGE_MAP()
+public:
+	virtual BOOL OnInitDialog();
+	virtual BOOL PreTranslateMessage(MSG* pMsg);
+	afx_msg void OnPaint();
+	afx_msg void OnShowWindow(BOOL bShow, UINT nStatus);
+};
diff --git a/arkProject/HeavenShadow/HeavenShadow/TrueColorToolBar.cpp b/arkProject/HeavenShadow/HeavenShadow/TrueColorToolBar.cpp
new file mode 100644
index 0000000..cbfca41
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/TrueColorToolBar.cpp
@@ -0,0 +1,141 @@
+/***=========================================================================
+====                                                                     ====
+====                          D C U t i l i t y                          ====
+====                                                                     ====
+=============================================================================
+====                                                                     ====
+====    File name           :  TrueColorToolBar.cpp                      ====
+====    Project name        :  Tester                                    ====
+====    Project number      :  ---                                       ====
+====    Creation date       :  13/1/2003                                 ====
+====    Author(s)           :  Dany Cantin                               ====
+====                                                                     ====
+====                  Copyright ?DCUtility  2003                        ====
+====                                                                     ====
+=============================================================================
+===========================================================================*/
+
+#include "stdafx.h"
+#include "TrueColorToolBar.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__; 
+#endif 
+
+/////////////////////////////////////////////////////////////////////////////
+// CTrueColorToolBar
+
+CTrueColorToolBar::CTrueColorToolBar()
+{
+	m_bDropDown = FALSE;
+}
+
+CTrueColorToolBar::~CTrueColorToolBar()
+{
+}
+
+
+BEGIN_MESSAGE_MAP(CTrueColorToolBar, CToolBar)
+	//{{AFX_MSG_MAP(CTrueColorToolBar)
+	ON_NOTIFY_REFLECT(TBN_DROPDOWN, OnToolbarDropDown)
+	//}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CTrueColorToolBar message handlers
+BOOL CTrueColorToolBar::LoadTrueColorToolBar(int  nBtnWidth,
+											 UINT uToolBar,
+											 UINT uToolBarHot,
+											 UINT uToolBarDisabled)
+{
+	if (!SetTrueColorToolBar(TB_SETIMAGELIST, uToolBar, nBtnWidth))
+		return FALSE;
+	
+	if (uToolBarHot) {
+		if (!SetTrueColorToolBar(TB_SETHOTIMAGELIST, uToolBarHot, nBtnWidth))
+			return FALSE;
+	}
+
+	if (uToolBarDisabled) {
+		if (!SetTrueColorToolBar(TB_SETDISABLEDIMAGELIST, uToolBarDisabled, nBtnWidth))
+			return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+BOOL CTrueColorToolBar::SetTrueColorToolBar(UINT uToolBarType, 
+							     	        UINT uToolBar,
+										    int  nBtnWidth)
+{
+	CImageList	cImageList;
+	CBitmap		cBitmap;
+	BITMAP		bmBitmap;
+	
+	if (!cBitmap.Attach(LoadImage(AfxGetResourceHandle(), MAKEINTRESOURCE(uToolBar),
+								  IMAGE_BITMAP, 0, 0,
+								  LR_DEFAULTSIZE|LR_CREATEDIBSECTION)) ||
+	    !cBitmap.GetBitmap(&bmBitmap))
+		return FALSE;
+
+	CSize		cSize(bmBitmap.bmWidth, bmBitmap.bmHeight); 
+	int			nNbBtn	= cSize.cx/nBtnWidth;
+	RGBTRIPLE*	rgb		= (RGBTRIPLE*)(bmBitmap.bmBits);
+	COLORREF	rgbMask	= RGB(rgb[0].rgbtRed, rgb[0].rgbtGreen, rgb[0].rgbtBlue);
+	
+	if (!cImageList.Create(nBtnWidth, cSize.cy, ILC_COLOR24|ILC_MASK, nNbBtn, 0))
+		return FALSE;
+	
+	if (cImageList.Add(&cBitmap, rgbMask) == -1)
+		return FALSE;
+
+	SendMessage(uToolBarType, 0, (LPARAM)cImageList.m_hImageList);
+	cImageList.Detach(); 
+	cBitmap.Detach();
+	
+	return TRUE;
+}
+
+void CTrueColorToolBar::AddDropDownButton(CWnd* pParent, UINT uButtonID, UINT uMenuID)
+{
+	if (!m_bDropDown) {
+		GetToolBarCtrl().SendMessage(TB_SETEXTENDEDSTYLE, 0, (LPARAM)TBSTYLE_EX_DRAWDDARROWS);
+		m_bDropDown = TRUE;
+	}
+
+	SetButtonStyle(CommandToIndex(uButtonID), TBSTYLE_DROPDOWN);
+
+	stDropDownInfo DropDownInfo;
+	DropDownInfo.pParent	= pParent;
+	DropDownInfo.uButtonID	= uButtonID;
+	DropDownInfo.uMenuID	= uMenuID;
+	m_lstDropDownButton.Add(DropDownInfo);
+}
+
+void CTrueColorToolBar::OnToolbarDropDown(NMHDR * pnmtb, LRESULT *plr)
+{
+	NMTOOLBARA * pnmtbb=(NMTOOLBARA *)pnmtb;
+
+	for (int i = 0; i < m_lstDropDownButton.GetSize(); i++) {
+
+		stDropDownInfo DropDownInfo = m_lstDropDownButton.GetAt(i);
+
+		if (DropDownInfo.uButtonID == UINT(pnmtbb->iItem)) {
+
+			CMenu menu;
+			menu.LoadMenu(DropDownInfo.uMenuID);
+			CMenu* pPopup = menu.GetSubMenu(0);
+
+			CRect rc;
+			SendMessage(TB_GETRECT, (WPARAM)pnmtbb->iItem, (LPARAM)&rc);
+			ClientToScreen(&rc);
+
+			pPopup->TrackPopupMenu(TPM_LEFTALIGN|TPM_LEFTBUTTON|TPM_VERTICAL,
+				rc.left, rc.bottom, DropDownInfo.pParent, &rc);
+			break;
+		}
+	}
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/TrueColorToolBar.h b/arkProject/HeavenShadow/HeavenShadow/TrueColorToolBar.h
new file mode 100644
index 0000000..afea40c
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/TrueColorToolBar.h
@@ -0,0 +1,88 @@
+/***=========================================================================
+====                                                                     ====
+====                          D C U t i l i t y                          ====
+====                                                                     ====
+=============================================================================
+====                                                                     ====
+====    File name           :  TrueColorToolBar.h                        ====
+====    Project name        :  Tester                                    ====
+====    Project number      :  ---                                       ====
+====    Creation date       :  13/1/2003                                 ====
+====    Author(s)           :  Dany Cantin                               ====
+====                                                                     ====
+====                  Copyright ?DCUtility  2003                        ====
+====                                                                     ====
+=============================================================================
+===========================================================================*/
+
+
+#ifndef TRUECOLORTOOLBAR_H_
+#define TRUECOLORTOOLBAR_H_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+
+#include <afxtempl.h>
+
+/////////////////////////////////////////////////////////////////////////////
+// CTrueColorToolBar
+
+class CTrueColorToolBar : public CToolBar
+{
+// Construction
+public:
+	CTrueColorToolBar();
+
+// Attributes
+private:
+	BOOL m_bDropDown;
+
+	struct stDropDownInfo {
+	public:
+		UINT  uButtonID;
+		UINT  uMenuID;
+		CWnd* pParent;
+	};
+	
+	CArray <stDropDownInfo, stDropDownInfo&> m_lstDropDownButton;
+	
+// Operations
+public:
+	BOOL LoadTrueColorToolBar(int  nBtnWidth,
+							  UINT uToolBar,
+							  UINT uToolBarHot		= 0,
+							  UINT uToolBarDisabled = 0);
+
+	void AddDropDownButton(CWnd* pParent, UINT uButtonID, UINT uMenuID);
+
+private:
+	BOOL SetTrueColorToolBar(UINT uToolBarType,
+		                     UINT uToolBar,
+						     int  nBtnWidth);
+
+// Overrides
+	// ClassWizard generated virtual function overrides
+	//{{AFX_VIRTUAL(CTrueColorToolBar)
+	//}}AFX_VIRTUAL
+
+// Implementation
+public:
+	virtual ~CTrueColorToolBar();
+
+	// Generated message map functions
+protected:
+	//{{AFX_MSG(CTrueColorToolBar)
+	afx_msg void OnToolbarDropDown(NMHDR * pnmh, LRESULT* plRes);
+	//}}AFX_MSG
+
+	DECLARE_MESSAGE_MAP()
+};
+
+/////////////////////////////////////////////////////////////////////////////
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // TRUECOLORTOOLBAR_H_
diff --git a/arkProject/HeavenShadow/HeavenShadow/WindowFunc.cpp b/arkProject/HeavenShadow/HeavenShadow/WindowFunc.cpp
new file mode 100644
index 0000000..e2fbeeb
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/WindowFunc.cpp
@@ -0,0 +1,207 @@
+#include "stdafx.h"
+#include "WindowFunc.h"
+#include "Common.h"
+#include "resource.h"
+
+#include <vector>
+
+using namespace std;
+
+vector<WND_INFO> m_vectorWnds;
+
+extern ULONG_PTR g_ulProcessId;
+extern HANDLE g_hDevice;
+
+COLUMNSTRUCT g_Column_Window[] = 
+{
+	{	L"´°¿Ú¾ä±ú",			80	},
+	{	L"´°¿Ú±êÌâ",			140	},
+	{	L"´°¿ÚÀàÃû",			140	},
+	{	L"´°¿Ú¿É¼ûÐÔ",		90	},
+	{	L"Ïß³ÌID",			70	},
+	{	L"½ø³ÌID",			70	}
+};
+
+UINT g_Column_Window_Count  = 6;	  //½ø³ÌÁÐ±íÁÐÊý
+
+extern int dpix;
+extern int dpiy;
+
+
+void HsInitWindowList(CMyList *m_ListCtrl)
+{
+
+	while(m_ListCtrl->DeleteColumn(0));
+	m_ListCtrl->DeleteAllItems();
+
+	m_ListCtrl->SetExtendedStyle(LVS_EX_FULLROWSELECT|LVS_EX_GRIDLINES|LVS_EX_HEADERDRAGDROP);
+
+	UINT i;
+	for (i = 0;i<g_Column_Window_Count;i++)
+	{
+		m_ListCtrl->InsertColumn(i, g_Column_Window[i].szTitle,LVCFMT_LEFT,(int)(g_Column_Window[i].nWidth*(dpix/96.0)));
+	}
+}
+
+
+
+VOID HsQueryProcessWindow(CMyList *m_ListCtrl)
+{
+	m_ListCtrl->DeleteAllItems();
+
+	BOOL bRet = FALSE;
+	ULONG ulReturnSize = 0;
+	m_vectorWnds.clear();
+
+	PALL_WNDS WndInfo = NULL;
+	ULONG ulCount = 1000;
+
+	if (g_ulProcessId <= 4)
+	{
+		return;
+	}
+
+	do 
+	{
+		ULONG ulSize = sizeof(ALL_WNDS) + ulCount * sizeof(WND_INFO);
+
+		if (WndInfo)
+		{
+			free(WndInfo);
+			WndInfo = NULL;
+		}
+
+		WndInfo = (PALL_WNDS)malloc(ulSize);
+		if (!WndInfo)
+		{
+			break;
+		}
+
+		memset(WndInfo,0,ulSize);
+
+
+		bRet = DeviceIoControl(g_hDevice,
+			HS_IOCTL(HS_IOCTL_PROC_PROCESSWINDOW),
+			&g_ulProcessId,
+			sizeof(ULONG),
+			WndInfo,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+
+		ulCount = WndInfo->nCnt + 100;
+
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if (bRet && WndInfo->nCnt > 0)
+	{
+		for (ULONG i = 0;i<WndInfo->nCnt; i++)
+		{
+			m_vectorWnds.push_back(WndInfo->WndInfo[i]);
+		}
+	}
+
+	if (WndInfo)
+	{
+		free(WndInfo);
+		WndInfo = NULL;
+	}
+
+
+
+	if (m_vectorWnds.empty())
+	{
+		return;
+	}
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+	for (vector <WND_INFO>::iterator Iter = m_vectorWnds.begin( ); 
+		Iter != m_vectorWnds.end( ); 
+		Iter++ )
+	{
+		HsAddWndItem(*Iter,FALSE,m_ListCtrl);
+	}
+}
+
+
+void HsAddWndItem(WND_INFO WndInfor,BOOL bAll,CMyList *m_ListCtrl)
+{
+
+
+	WCHAR szClassName[MAX_PATH] = {0};
+	WCHAR szWindowsText[MAX_PATH] = {0};
+
+	CString  strhWnd;
+	CString  strTid;
+	CString  strPid;
+	CString  strVisable;
+
+	::GetClassName(WndInfor.hWnd,  szClassName, MAX_PATH);
+	::GetWindowText(WndInfor.hWnd, szWindowsText, MAX_PATH);
+
+
+	if (::IsWindowVisible(WndInfor.hWnd))
+	{
+		strVisable = L"¿É¼û";
+	}
+	else
+	{
+		strVisable = L"-";
+	}
+
+
+	if (bAll==TRUE)
+	{
+
+	}
+	else
+	{
+		if (WndInfor.uPid!=g_ulProcessId)
+		{
+			return;
+		}
+	}
+
+
+
+
+
+	strhWnd.Format(L"0x%08X",WndInfor.hWnd);
+	strTid.Format(L"%d",WndInfor.uTid);
+	strPid.Format(L"%d",WndInfor.uPid);
+	int n = m_ListCtrl->GetItemCount();
+	int j = m_ListCtrl->InsertItem(n,strhWnd);
+	m_ListCtrl->SetItemText(j, 1, szWindowsText);
+	m_ListCtrl->SetItemText(j, 2, szClassName);
+	m_ListCtrl->SetItemText(j, 3, strVisable);
+	m_ListCtrl->SetItemText(j, 4, strTid);
+	m_ListCtrl->SetItemText(j, 5, strPid);
+
+	m_ListCtrl->SetItemData(j,j);
+
+
+}
+
+
+
+//È¨ÏÞ½çÃæµ¯³ö²Ëµ¥
+VOID HsProcessWindowPopupMenu(CMyList *m_ListCtrl, CWnd* parent)
+{
+// 	CMenu	popup;
+// 	popup.LoadMenu(IDR_MENU_PROCESS_THREAD);		//¼ÓÔØ²Ëµ¥×ÊÔ´
+// 	CMenu*	pM = popup.GetSubMenu(0);				//»ñµÃ²Ëµ¥µÄ×ÓÏî
+// 	CPoint	p;
+// 	GetCursorPos(&p);
+// 	int	count = pM->GetMenuItemCount();
+// 	if (m_ListCtrl->GetSelectedCount() == 0)		//Èç¹ûÃ»ÓÐÑ¡ÖÐ
+// 	{ 
+// 		for (int i = 0;i<count;i++)
+// 		{
+// 			pM->EnableMenuItem(i, MF_BYPOSITION | MF_DISABLED | MF_GRAYED); //²Ëµ¥È«²¿±ä»Ò
+// 		}
+// 	}
+// 
+// 	pM->TrackPopupMenu(TPM_LEFTALIGN, p.x, p.y, parent);
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/WindowFunc.h b/arkProject/HeavenShadow/HeavenShadow/WindowFunc.h
new file mode 100644
index 0000000..cbad95d
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/WindowFunc.h
@@ -0,0 +1,30 @@
+#pragma once
+#include "stdafx.h"
+
+#include "MyList.h"
+
+
+typedef struct _WND_INFO_
+{
+	HWND  hWnd;
+	ULONG uPid;
+	ULONG uTid;
+}WND_INFO, *PWND_INFO;
+
+typedef struct _ALL_WNDS_
+{
+	ULONG nCnt;
+	WND_INFO WndInfo[1];
+}ALL_WNDS, *PALL_WNDS;
+
+
+
+void HsInitWindowList(CMyList *m_ListCtrl);
+
+VOID HsQueryProcessWindow(CMyList *m_ListCtrl);
+
+void HsAddWndItem(WND_INFO WndInfor,BOOL bAll,CMyList *m_ListCtrl);
+
+
+//È¨ÏÞ½çÃæµ¯³ö²Ëµ¥
+VOID HsProcessWindowPopupMenu(CMyList *m_ListCtrl, CWnd* parent);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/HeavenShadow/WzdSplash.cpp b/arkProject/HeavenShadow/HeavenShadow/WzdSplash.cpp
new file mode 100644
index 0000000..d5356b9
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/WzdSplash.cpp
@@ -0,0 +1,51 @@
+// WzdSplash.cpp : ÊµÏÖÎÄ¼þ
+//
+#include "stdafx.h"
+#include "HeavenShadow.h"
+#include "WzdSplash.h"
+// CWzdSplash
+IMPLEMENT_DYNAMIC(CWzdSplash, CWnd)
+	CWzdSplash::CWzdSplash()
+{
+}
+CWzdSplash::~CWzdSplash()
+{
+}
+BEGIN_MESSAGE_MAP(CWzdSplash, CWnd)
+	ON_WM_PAINT()
+	ON_WM_TIMER()
+END_MESSAGE_MAP()
+// CWzdSplash ÏûÏ¢´¦Àí³ÌÐò
+void CWzdSplash::Create(UINT nBitmapID)
+{
+	m_bitmap.LoadBitmap(nBitmapID);
+	BITMAP bitmap;
+	m_bitmap.GetBitmap(&bitmap);
+	//CreateEx(0,AfxRegisterWndClass(0),"",WS_POPUP|WS_VISIBLE|WS_BORDER,0,0,bitmap.bmWidth,bitmap.bmHeight,NULL,0);
+	CreateEx(0,
+		AfxRegisterWndClass(0, AfxGetApp()->LoadStandardCursor(IDC_ARROW)),
+		NULL, WS_POPUP | WS_VISIBLE, 0, 0, bitmap.bmWidth, bitmap.bmHeight, NULL , NULL);
+
+	::SetWindowPos(m_hWnd,HWND_TOPMOST,0,0,0,0,SWP_NOMOVE|SWP_NOSIZE);
+
+	//SetTimer(0,1200,NULL);
+}
+void CWzdSplash::OnPaint()
+{
+	// TODO: ÔÚ´Ë´¦Ìí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂë
+	// ²»Îª»æÍ¼ÏûÏ¢µ÷ÓÃ CWnd::OnPaint()
+	CPaintDC dc(this); // device context forpainting
+	BITMAP bitmap;
+	m_bitmap.GetBitmap(&bitmap);
+	CDC dcComp;
+	dcComp.CreateCompatibleDC(&dc);
+	dcComp.SelectObject(&m_bitmap);
+	// draw bitmap
+	dc.BitBlt(0,0,bitmap.bmWidth,bitmap.bmHeight,&dcComp,0,0,SRCCOPY);
+}
+void CWzdSplash::OnTimer(UINT_PTR nIDEvent)
+{
+	// TODO: ÔÚ´ËÌí¼ÓÏûÏ¢´¦Àí³ÌÐò´úÂëºÍ/»òµ÷ÓÃÄ¬ÈÏÖµ
+	//CWnd::OnTimer(nIDEvent);
+	DestroyWindow(); //Ïú»Ù³õÊ¼»­Ãæ´°¿Ú
+}
diff --git a/arkProject/HeavenShadow/HeavenShadow/WzdSplash.h b/arkProject/HeavenShadow/HeavenShadow/WzdSplash.h
new file mode 100644
index 0000000..29d48fb
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/WzdSplash.h
@@ -0,0 +1,18 @@
+#pragma once
+// CWzdSplash
+class CWzdSplash : public CWnd
+{
+	DECLARE_DYNAMIC(CWzdSplash)
+public:
+	CWzdSplash();
+	virtual ~CWzdSplash();
+protected:
+	DECLARE_MESSAGE_MAP()
+public:
+	CBitmap m_bitmap;
+//	void Create(void);
+	void Create(UINT nBitmapID);
+	afx_msg void OnPaint();
+	afx_msg void OnTimer(UINT_PTR nIDEvent);
+};
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow.ico b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow.ico
new file mode 100644
index 0000000..5ff3e40
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow.ico differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow.rc2 b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow.rc2
new file mode 100644
index 0000000..5229b5d
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow.rc2 differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadowLittle.ico b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadowLittle.ico
new file mode 100644
index 0000000..7dd7fa8
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadowLittle.ico differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow_old.ico b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow_old.ico
new file mode 100644
index 0000000..d56fbcd
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HeavenShadow_old.ico differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn.bmp b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn.bmp
new file mode 100644
index 0000000..b44f11c
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn.psd b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn.psd
new file mode 100644
index 0000000..4e906fd
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_click.bmp b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_click.bmp
new file mode 100644
index 0000000..7b5c6a9
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_click.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_click.psd b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_click.psd
new file mode 100644
index 0000000..052bdd9
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_click.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_hover.bmp b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_hover.bmp
new file mode 100644
index 0000000..7c9d80d
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_hover.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_hover.psd b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_hover.psd
new file mode 100644
index 0000000..eb44106
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/HomeCheckBtn_hover.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/ICON.bmp b/arkProject/HeavenShadow/HeavenShadow/res/ICON.bmp
new file mode 100644
index 0000000..2890444
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/ICON.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/LOGO.bmp b/arkProject/HeavenShadow/HeavenShadow/res/LOGO.bmp
new file mode 100644
index 0000000..89dd413
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/LOGO.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/LOGO.psd b/arkProject/HeavenShadow/HeavenShadow/res/LOGO.psd
new file mode 100644
index 0000000..cb98032
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/LOGO.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/WzdSplash.bmp b/arkProject/HeavenShadow/HeavenShadow/res/WzdSplash.bmp
new file mode 100644
index 0000000..30cf4c5
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/WzdSplash.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/WzdSplash.psd b/arkProject/HeavenShadow/HeavenShadow/res/WzdSplash.psd
new file mode 100644
index 0000000..feb304b
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/WzdSplash.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_allow.bmp b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_allow.bmp
new file mode 100644
index 0000000..276ab68
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_allow.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_allow_clicked.bmp b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_allow_clicked.bmp
new file mode 100644
index 0000000..5c4727f
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_allow_clicked.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_prevent.bmp b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_prevent.bmp
new file mode 100644
index 0000000..41de5e7
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_prevent.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_prevent_clicked.bmp b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_prevent_clicked.bmp
new file mode 100644
index 0000000..fca444c
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/alert_btn_prevent_clicked.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/alert_btnexit.bmp b/arkProject/HeavenShadow/HeavenShadow/res/alert_btnexit.bmp
new file mode 100644
index 0000000..0e61c61
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/alert_btnexit.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/bitmap1.bmp b/arkProject/HeavenShadow/HeavenShadow/res/bitmap1.bmp
new file mode 100644
index 0000000..6e8e840
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/bitmap1.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/bmp00001.bmp b/arkProject/HeavenShadow/HeavenShadow/res/bmp00001.bmp
new file mode 100644
index 0000000..4f3b54d
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/bmp00001.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/check_alt_v.bmp b/arkProject/HeavenShadow/HeavenShadow/res/check_alt_v.bmp
new file mode 100644
index 0000000..58f32b7
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/check_alt_v.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/check_alt_x.bmp b/arkProject/HeavenShadow/HeavenShadow/res/check_alt_x.bmp
new file mode 100644
index 0000000..6020a91
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/check_alt_x.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/drivers/HeavenShadowDrv32.sys b/arkProject/HeavenShadow/HeavenShadow/res/drivers/HeavenShadowDrv32.sys
new file mode 100644
index 0000000..7431006
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/drivers/HeavenShadowDrv32.sys differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/drivers/HeavenShadowDrv64.sys b/arkProject/HeavenShadow/HeavenShadow/res/drivers/HeavenShadowDrv64.sys
new file mode 100644
index 0000000..87b11ef
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/drivers/HeavenShadowDrv64.sys differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/file_toolbar.bmp b/arkProject/HeavenShadow/HeavenShadow/res/file_toolbar.bmp
new file mode 100644
index 0000000..b8d5665
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/file_toolbar.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/file_toolbar_goto.bmp b/arkProject/HeavenShadow/HeavenShadow/res/file_toolbar_goto.bmp
new file mode 100644
index 0000000..4f3b54d
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/file_toolbar_goto.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/mainmenu_button.bmp b/arkProject/HeavenShadow/HeavenShadow/res/mainmenu_button.bmp
new file mode 100644
index 0000000..431a91d
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/mainmenu_button.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/system_alert.WAV b/arkProject/HeavenShadow/HeavenShadow/res/system_alert.WAV
new file mode 100644
index 0000000..1d9288c
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/system_alert.WAV differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar.psd
new file mode 100644
index 0000000..50ca4fc
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar1.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar1.bmp
new file mode 100644
index 0000000..71bc623
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar1.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file.bmp
new file mode 100644
index 0000000..14345e8
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file.psd
new file mode 100644
index 0000000..34390dc
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file_now.bmp
new file mode 100644
index 0000000..71a0fa5
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file_now.psd
new file mode 100644
index 0000000..3ab8274
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_file_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel.bmp
new file mode 100644
index 0000000..ebcadb7
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel.psd
new file mode 100644
index 0000000..4987ce9
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel_now.bmp
new file mode 100644
index 0000000..deea146
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel_now.psd
new file mode 100644
index 0000000..b9284f4
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_kernel_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo.bmp
new file mode 100644
index 0000000..860d3b5
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo.psd
new file mode 100644
index 0000000..bb7e873
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo_now.bmp
new file mode 100644
index 0000000..e9248b0
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo_now.psd
new file mode 100644
index 0000000..07c4299
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_logo_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module.bmp
new file mode 100644
index 0000000..60a7168
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module.psd
new file mode 100644
index 0000000..1dba311
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module_now.bmp
new file mode 100644
index 0000000..061a19b
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module_now.psd
new file mode 100644
index 0000000..884e2d8
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_module_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process.bmp
new file mode 100644
index 0000000..55623dd
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process.psd
new file mode 100644
index 0000000..7d00ef6
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process_now.bmp
new file mode 100644
index 0000000..65d12dc
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process_now.psd
new file mode 100644
index 0000000..fa55306
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_process_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service.bmp
new file mode 100644
index 0000000..864d8a3
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service.psd
new file mode 100644
index 0000000..5324714
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service_now.bmp
new file mode 100644
index 0000000..b4ce486
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service_now.psd
new file mode 100644
index 0000000..0ff2591
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_service_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting.bmp
new file mode 100644
index 0000000..c132487
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting.psd
new file mode 100644
index 0000000..3b63f38
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting_now.bmp
new file mode 100644
index 0000000..9808de5
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting_now.psd
new file mode 100644
index 0000000..b57408d
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_setting_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system.bmp
new file mode 100644
index 0000000..ac6a7f6
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system.psd
new file mode 100644
index 0000000..1cfb373
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system_now.bmp
new file mode 100644
index 0000000..5d1fe99
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system_now.psd
new file mode 100644
index 0000000..d1f56a4
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_system_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools.bmp
new file mode 100644
index 0000000..bc88cdc
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools.psd
new file mode 100644
index 0000000..4dcff1c
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools_now.bmp
new file mode 100644
index 0000000..13b1c0f
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools_now.psd
new file mode 100644
index 0000000..1232630
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_tools_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua.bmp
new file mode 100644
index 0000000..5d779d7
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua.psd
new file mode 100644
index 0000000..988ae74
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua_now.bmp b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua_now.bmp
new file mode 100644
index 0000000..f48f739
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua_now.bmp differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua_now.psd b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua_now.psd
new file mode 100644
index 0000000..a0cd026
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/res/toolbar_youhua_now.psd differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/resource.h b/arkProject/HeavenShadow/HeavenShadow/resource.h
new file mode 100644
index 0000000..f2cdcec
Binary files /dev/null and b/arkProject/HeavenShadow/HeavenShadow/resource.h differ
diff --git a/arkProject/HeavenShadow/HeavenShadow/stdafx.cpp b/arkProject/HeavenShadow/HeavenShadow/stdafx.cpp
new file mode 100644
index 0000000..b6dba72
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/stdafx.cpp
@@ -0,0 +1,8 @@
+
+// stdafx.cpp : Ö»°üÀ¨±ê×¼°üº¬ÎÄ¼þµÄÔ´ÎÄ¼þ
+// HeavenShadow.pch ½«×÷ÎªÔ¤±àÒëÍ·
+// stdafx.obj ½«°üº¬Ô¤±àÒëÀàÐÍÐÅÏ¢
+
+#include "stdafx.h"
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/stdafx.h b/arkProject/HeavenShadow/HeavenShadow/stdafx.h
new file mode 100644
index 0000000..7dcd7ba
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/stdafx.h
@@ -0,0 +1,66 @@
+
+// stdafx.h : ±ê×¼ÏµÍ³°üº¬ÎÄ¼þµÄ°üº¬ÎÄ¼þ£¬
+// »òÊÇ¾­³£Ê¹ÓÃµ«²»³£¸ü¸ÄµÄ
+// ÌØ¶¨ÓÚÏîÄ¿µÄ°üº¬ÎÄ¼þ
+
+#pragma once
+
+#ifndef _SECURE_ATL
+#define _SECURE_ATL 1
+#endif
+
+#ifndef VC_EXTRALEAN
+#define VC_EXTRALEAN            // ´Ó Windows Í·ÖÐÅÅ³ý¼«ÉÙÊ¹ÓÃµÄ×ÊÁÏ
+#endif
+
+#include "targetver.h"
+
+#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS      // Ä³Ð© CString ¹¹Ôìº¯Êý½«ÊÇÏÔÊ½µÄ
+
+// ¹Ø±Õ MFC ¶ÔÄ³Ð©³£¼ûµ«¾­³£¿É·ÅÐÄºöÂÔµÄ¾¯¸æÏûÏ¢µÄÒþ²Ø
+#define _AFX_ALL_WARNINGS
+
+#include <afxwin.h>         // MFC ºËÐÄ×é¼þºÍ±ê×¼×é¼þ
+#include <afxext.h>         // MFC À©Õ¹
+
+
+#include <afxdisp.h>        // MFC ×Ô¶¯»¯Àà
+
+#include <strsafe.h>
+
+
+#ifndef _AFX_NO_OLE_SUPPORT
+#include <afxdtctl.h>           // MFC ¶Ô Internet Explorer 4 ¹«¹²¿Ø¼þµÄÖ§³Ö
+#endif
+#ifndef _AFX_NO_AFXCMN_SUPPORT
+#include <afxcmn.h>             // MFC ¶Ô Windows ¹«¹²¿Ø¼þµÄÖ§³Ö
+#endif // _AFX_NO_AFXCMN_SUPPORT
+
+#include <afxcontrolbars.h>     // ¹¦ÄÜÇøºÍ¿Ø¼þÌõµÄ MFC Ö§³Ö
+
+
+
+// Lets help compiler to skip some headers
+#define _XTP_EXCLUDE_CALENDAR
+#define _XTP_EXCLUDE_SYNTAXEDIT
+#define _XTP_EXCLUDE_REPORTCONTROL
+
+
+
+#include <XTToolkitPro.h>   // Codejock Software Components
+
+
+
+
+
+#ifdef _UNICODE
+#if defined _M_IX86
+#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
+#elif defined _M_X64
+#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
+#else
+#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")
+#endif
+#endif
+
+
diff --git a/arkProject/HeavenShadow/HeavenShadow/targetver.h b/arkProject/HeavenShadow/HeavenShadow/targetver.h
new file mode 100644
index 0000000..0afac5b
--- /dev/null
+++ b/arkProject/HeavenShadow/HeavenShadow/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// °üÀ¨ SDKDDKVer.h ½«¶¨Òå×î¸ß°æ±¾µÄ¿ÉÓÃ Windows Æ½Ì¨¡£
+
+// Èç¹ûÒªÎªÒÔÇ°µÄ Windows Æ½Ì¨Éú³ÉÓ¦ÓÃ³ÌÐò£¬Çë°üÀ¨ WinSDKVer.h£¬²¢½«
+// WIN32_WINNT ºêÉèÖÃÎªÒªÖ§³ÖµÄÆ½Ì¨£¬È»ºóÔÙ°üÀ¨ SDKDDKVer.h¡£
+
+#include <SDKDDKVer.h>
diff --git a/arkProject/HeavenShadow/injectdll32/InjectFunc32.cpp b/arkProject/HeavenShadow/injectdll32/InjectFunc32.cpp
new file mode 100644
index 0000000..6fa3587
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/InjectFunc32.cpp
@@ -0,0 +1,596 @@
+#include "stdafx.h"
+
+#include "InjectFunc32.h"
+
+WIN_VERSION  GetWindowsVersion();
+WIN_VERSION  WinVersion = WinUnknown;
+
+typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
+typedef long (__fastcall *pfnRtlAdjustPrivilege32)(ULONG,ULONG,ULONG,PVOID);
+pfnRtlAdjustPrivilege64 RtlAdjustPrivilege64;
+pfnRtlAdjustPrivilege32 RtlAdjustPrivilege32;
+
+static OPENFILENAME ofn ;
+
+DWORD HsRemoteThreadInjectDll32(WCHAR* ProcessInfo)
+{
+	ULONG_PTR ProcessId = 0;
+	WCHAR*    ProcessPath = NULL;
+	WCHAR wzFileFilter[] = L"Ó¦ÓÃ³ÌÐòÀ©Õ¹ (*.dll)\0*.dll\0ËùÓÐÎÄ¼þ (*.*)\0*.*\0";
+	WCHAR wzFileChoose[] = L"´ò¿ªÎÄ¼þ";
+
+	int i;
+	int j;
+
+	WCHAR szPid[10] = {0};
+
+	for (i = 0; _wcsnicmp(ProcessInfo+i,L"-d ",wcslen(L"-d "))!=0 && i<=10 ;i++);
+
+	if (i == 10)
+	{
+		return FALSE;
+	}
+
+	WCHAR* PidTemp = ProcessInfo + i + wcslen(L"-d ");
+
+	j = i;
+
+	for ( ; _wcsnicmp(ProcessInfo + j,L" -p ",wcslen(L" -p "))!=0 && j-i<=10 ;j++);
+
+	if (j-i==10)
+	{
+		return FALSE;
+	}
+
+	memcpy(szPid,PidTemp,j-i);
+
+	ProcessId   = _ttoi(szPid);
+
+	ProcessPath = ProcessInfo + j + wcslen(L" -p ");
+
+	static TCHAR szFileName[MAX_PATH], szTitleName[MAX_PATH] ;
+	HWND hwnd;
+	hwnd=GetForegroundWindow(); //»ñÈ¡Ç°Ì¨´°¿Ú¾ä±ú¡£±¾³ÌÐòÖÐµÄÇ°Ì¨´°¿Ú¾ÍÊÇ¿ØÖÆÌ¨´°¿Ú¡£ 
+	PopFileInitialize (hwnd);   //³õÊ¼»¯ofn
+	PopFileOpenDlg(hwnd, szFileName, szTitleName);//´ò¿ªÎÄ¼þ¶Ô»°¿ò
+
+	CString strDllPath = szFileName;
+
+	BOOL bResult = FALSE;
+
+	if (PathFileExists(strDllPath))
+	{
+		if (HsIs32BitFile(ProcessPath)==TRUE &&
+			HsIs32BitFile(strDllPath.GetBuffer())==TRUE)
+		{
+			bResult = HsInjectDll(TRUE,&strDllPath,ProcessId);
+		}
+	}
+
+	if (bResult == FALSE)
+	{
+		::MessageBox(NULL,L"Ô¶³ÌÏß³Ì×¢ÈëÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",MB_SYSTEMMODAL|MB_OK);
+
+	}
+	else
+	{
+		::MessageBox(NULL,L"Ô¶³ÌÏß³Ì×¢Èë³É¹¦¡£",L"ÌìÓ°ÎÀÊ¿",MB_SYSTEMMODAL|MB_OK);
+	}
+
+	return bResult;
+}
+
+
+
+
+
+BOOL __stdcall HsIs32BitFile(const WCHAR * pwszFullPath)
+{
+	FILE * peFile = NULL;
+	_wfopen_s(&peFile, pwszFullPath, L"rb");
+	if (peFile == NULL)
+	{
+		fclose(peFile);
+		return -1;
+	}
+
+	IMAGE_DOS_HEADER imageDosHeader;
+	fread(&imageDosHeader, sizeof(IMAGE_DOS_HEADER), 1, peFile);
+	if (imageDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
+	{
+		fclose(peFile);
+		return FALSE;
+	}
+
+	IMAGE_NT_HEADERS imageNtHeaders;
+	fseek(peFile, imageDosHeader.e_lfanew, SEEK_SET);
+	fread(&imageNtHeaders, sizeof(IMAGE_NT_HEADERS), 1, peFile);
+	fclose(peFile);
+	if (imageNtHeaders.Signature != IMAGE_NT_SIGNATURE)
+	{
+		return FALSE;
+	}
+
+	if (imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
+	{
+		return TRUE;
+	}
+	// 	if (imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
+	// 		imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
+	// 	{
+	// 		return FALSE;	//64BIT
+	// 	}
+
+	return FALSE;
+}
+
+
+
+
+
+//¸Ä³ÌÐò±àÒë³É64Î»¿ÉÒÔ×¢Èë64Î» ±àÒë³É32Î»¿ÉÒÔ×¢Èë32Î»
+
+BOOL HsInjectDll(BOOL Is32Bit, CString* strDllPath, ULONG_PTR ProcessID)
+{
+	BOOL bResult = FALSE;
+
+	if (ProcessID <= 0)
+	{
+		return FALSE;
+	}
+
+
+	if (PathFileExists(*strDllPath))
+	{
+		WinVersion = GetWindowsVersion();
+
+		switch(WinVersion)
+		{
+		case Windows7:   //×¢ÒâÎÒÃÇÕâÀïÕë¶ÔµÄÊÇ64Î»µÄWin7
+			{
+
+				WCHAR wzPath[MAX_PATH] = {0};
+				wcscpy_s(wzPath, strDllPath->GetBuffer());
+				strDllPath->ReleaseBuffer();
+
+				HsDebugPrivilege(SE_DEBUG_NAME, TRUE);
+				bResult = HsInjectDllByRemoteThreadWin7(wzPath,ProcessID,Is32Bit);
+				HsDebugPrivilege(SE_DEBUG_NAME, FALSE);
+
+				break;
+			}
+
+		case WindowsXP:  //ÕâÀïÊÇÕë¶ÔµÄ32Î»µÄXP
+			{
+				WCHAR wzPath[MAX_PATH] = {0};
+				wcscpy_s(wzPath, strDllPath->GetBuffer());
+
+				strDllPath->ReleaseBuffer();
+
+				bResult = HsInjectDllByRemoteThreadWinXP(wzPath,ProcessID);
+
+				break;
+			}
+		}
+	}
+	return bResult;
+}
+
+
+BOOL HsInjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId, BOOL Is32Bit)
+{
+	if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
+	{
+		return FALSE;
+	}
+	HANDLE                 hProcess = NULL;
+	HANDLE                 hThread  = NULL;
+	DWORD                  dwRetVal    = 0;
+	LPTHREAD_START_ROUTINE FuncAddress = NULL;
+	DWORD  dwSize = 0;
+	TCHAR* VirtualAddress = NULL;
+
+#ifdef _UNICODE
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+	if (FuncAddress==NULL)
+	{
+		return FALSE;
+	}
+
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, (DWORD)ProcessId);
+
+	if (NULL == hProcess)
+	{
+		printf("Open Process Fail\r\n");
+		return FALSE;
+	}
+
+	// ÔÚÄ¿±ê½ø³ÌÖÐ·ÖÅäÄÚ´æ¿Õ¼ä
+	dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
+	VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);  
+	if (NULL == VirtualAddress)
+	{
+
+		printf("Virtual Process Memory Fail\r\n");
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+	// ÔÚÄ¿±ê½ø³ÌµÄÄÚ´æ¿Õ¼äÖÐÐ´ÈëËùÐè²ÎÊý(Ä£¿éÃû)
+	if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
+	{
+		printf("Write Data Fail\r\n");
+		VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+	hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
+	if (NULL == hThread)
+	{
+		printf("CreateRemoteThread Fail\r\n");
+
+		VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+
+	// µÈ´ýÔ¶³ÌÏß³Ì½áÊø
+	WaitForSingleObject(hThread, INFINITE);
+	// ÇåÀí
+	VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+	CloseHandle(hThread);
+	CloseHandle(hProcess);
+
+	return TRUE;
+
+}
+
+
+
+
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
+{
+	//Ìá¸ß±¾½ø³ÌµÄÈ¨ÏÞ
+
+	if (!HsInjectUpPrivilige())  //ÌáÈ¨
+	{
+		printf("Up Privilige Is Error\n");
+		return FALSE;
+	}
+
+	CStringA *Dll = new CStringA(wzDllFile);
+
+
+	//ÎÒÃÇ¾ÍÒª´ò¿ªÏëÒª´ò¿ªµÄ½ø³Ì
+	HANDLE hProcess = NULL;
+	HANDLE hThread  = NULL;
+
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,(DWORD)ProcessId);  //explorer.exe  hProcess
+	if (hProcess==NULL)
+	{
+		printf("Open Process Is Error\n");
+
+		return FALSE;
+	}
+
+	char* szDllName = NULL;
+
+	szDllName = (char*)VirtualAllocEx(hProcess,
+		NULL,Dll->GetLength()+1,MEM_COMMIT,PAGE_READWRITE);   
+
+	if (szDllName==NULL)
+	{
+
+		CloseHandle(hProcess);
+		printf("Apply Memory Is Error\n");
+
+		return FALSE;
+	}
+
+	//È»ºó½«ÍêÕûµÄÂ·¾¶Ö±½ÓÐ´ÈëÄÚ´æ
+
+	if (!WriteProcessMemory(hProcess,szDllName,Dll->GetBuffer(),Dll->GetLength()+1,NULL))
+	{
+
+		CloseHandle(hProcess);
+
+		printf("Write Memory Is Error\n");
+
+		return FALSE;
+	}
+
+	LPTHREAD_START_ROUTINE StartRoutine = NULL;
+
+	StartRoutine = 
+		(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),
+		"LoadLibraryA");
+
+	if(StartRoutine == NULL)
+	{
+		printf("Get ProcAddress Error\n");
+		return FALSE;
+	}
+
+	hThread = CreateRemoteThread(hProcess,NULL,0,StartRoutine,szDllName,0,NULL);
+
+	if (hThread==NULL)
+	{
+		CloseHandle(hProcess);
+
+		printf("Create Remote Thread Is Error\n");
+
+		return FALSE;
+	}
+
+	WaitForSingleObject(hThread, INFINITE);
+	CloseHandle(hThread);
+	VirtualFreeEx(hProcess,szDllName,0,MEM_RELEASE);
+	CloseHandle(hProcess);
+
+	return TRUE;
+}
+
+
+BOOL HsInjectUpPrivilige()	//XP
+{
+
+	HANDLE hToken = NULL;
+
+	_TOKEN_PRIVILEGES tp = {0};
+
+	LUID luid={0};
+
+
+	if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
+	{
+		printf("OpenProcess Is Error\n");
+
+		return FALSE;
+	}
+
+	if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
+	{
+
+		printf("Lookup Is Error\n");
+
+		return FALSE;
+	}
+
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+
+	if (!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
+	{
+		printf("Adjust Is Error\n");
+
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+/*
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
+{
+// ²ÎÊýÎÞÐ§
+if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
+{
+
+return FALSE;
+}
+
+HANDLE hProcess = NULL;
+HANDLE hThread  = NULL;
+DWORD dwSize = 0;
+TCHAR* VirtualAddress = NULL;
+LPTHREAD_START_ROUTINE FuncAddress = NULL;
+
+// »ñÈ¡Ä¿±ê½ø³Ì¾ä±ú
+hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)ProcessId);
+if (NULL == hProcess)
+{
+printf("Open Process Fail\r\n");
+return FALSE;
+}
+
+// ÔÚÄ¿±ê½ø³ÌÖÐ·ÖÅäÄÚ´æ¿Õ¼ä
+dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
+VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
+if (NULL == VirtualAddress)
+{
+
+printf("Virtual Process Memory Fail\r\n");
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// ÔÚÄ¿±ê½ø³ÌµÄÄÚ´æ¿Õ¼äÖÐÐ´ÈëËùÐè²ÎÊý(Ä£¿éÃû)
+if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
+{
+printf("Write Data Fail\r\n");
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// ´Ó Kernel32.dll ÖÐ»ñÈ¡ LoadLibrary º¯ÊýµØÖ·
+#ifdef _UNICODE
+FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+if (NULL == FuncAddress)
+{
+printf("Get LoadLibrary Fail\r\n");
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return false;
+}
+
+// ´´½¨Ô¶³ÌÏß³Ìµ÷ÓÃ LoadLibrary
+hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
+if (NULL == hThread)
+{
+printf("CreateRemoteThread Fail\r\n");
+
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// µÈ´ýÔ¶³ÌÏß³Ì½áÊø
+WaitForSingleObject(hThread, INFINITE);
+// ÇåÀí
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hThread);
+CloseHandle(hProcess);
+
+return TRUE;
+}
+
+
+*/
+
+
+
+
+WIN_VERSION  GetWindowsVersion()
+{
+	OSVERSIONINFOEX	OsVerInfoEx;
+	OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // ×¢Òâ×ª»»ÀàÐÍ
+
+	switch (OsVerInfoEx.dwPlatformId)
+	{
+	case VER_PLATFORM_WIN32_NT:
+		{
+			if (OsVerInfoEx.dwMajorVersion <= 4 )
+			{
+				return WindowsNT;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 0)
+			{
+				return Windows2000;
+			}
+
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1)
+			{
+				return WindowsXP;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 2)
+			{
+				return Windows2003;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 0)
+			{
+				return WindowsVista;
+			}
+
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 1)
+			{
+				return Windows7;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 2 )
+			{
+				return Windows8;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 3 )
+			{
+				return Windows8_1;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 10 && OsVerInfoEx.dwMinorVersion == 0 )
+			{
+				return Windows10;
+			}
+
+			break;
+		}
+
+	default:
+		{
+			return WinUnknown;
+		}
+	}
+
+	return WinUnknown;
+}
+
+
+
+
+
+
+
+
+
+BOOL HsDebugPrivilege(const WCHAR *pName, BOOL bEnable)
+{
+	BOOL              bResult = TRUE;
+	HANDLE            hToken;
+	TOKEN_PRIVILEGES  TokenPrivileges;
+
+	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
+	{
+		bResult = FALSE;
+		return bResult;
+	}
+	TokenPrivileges.PrivilegeCount = 1;
+	TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
+
+	LookupPrivilegeValue(NULL, pName, &TokenPrivileges.Privileges[0].Luid);
+	AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
+	if (GetLastError() != ERROR_SUCCESS)
+	{
+		bResult = FALSE;
+	}
+
+	CloseHandle(hToken);
+	return bResult;	
+}
+
+
+void PopFileInitialize (HWND hwnd)
+{
+	static TCHAR szFilter[] = TEXT ("Ó¦ÓÃ³ÌÐòÀ©Õ¹ (*.dll)\0*.dll\0\0");
+
+	ofn.lStructSize       = sizeof (OPENFILENAME) ;
+	ofn.hwndOwner         = hwnd ;
+	ofn.hInstance         = NULL ;
+	ofn.lpstrFilter       = szFilter ;
+	ofn.lpstrCustomFilter = NULL ;
+	ofn.nMaxCustFilter    = 0 ;
+	ofn.nFilterIndex      = 0 ;
+	ofn.lpstrFile         = NULL ;          // Set in Open and Close functions
+	ofn.nMaxFile          = MAX_PATH ;
+	ofn.lpstrFileTitle    = NULL ;          // Set in Open and Close functions
+	ofn.nMaxFileTitle     = MAX_PATH ;
+	ofn.lpstrInitialDir   = NULL ;
+	ofn.lpstrTitle        = NULL ;
+	ofn.Flags             = 0 ;             // Set in Open and Close functions
+	ofn.nFileOffset       = 0 ;
+	ofn.nFileExtension    = 0 ;
+	ofn.lpstrDefExt       = TEXT ("dll") ;
+	ofn.lCustData         = 0L ;
+	ofn.lpfnHook          = NULL ;
+	ofn.lpTemplateName    = NULL ;
+}
+
+BOOL PopFileOpenDlg (HWND hwnd, PTSTR pstrFileName, PTSTR pstrTitleName)
+{
+	ofn.hwndOwner         = hwnd ;
+	ofn.lpstrFile         = pstrFileName ;
+	ofn.lpstrFileTitle    = pstrTitleName ;
+	ofn.Flags             = OFN_HIDEREADONLY | OFN_CREATEPROMPT ;
+
+	return GetOpenFileName (&ofn) ;
+}
diff --git a/arkProject/HeavenShadow/injectdll32/InjectFunc32.h b/arkProject/HeavenShadow/injectdll32/InjectFunc32.h
new file mode 100644
index 0000000..1122071
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/InjectFunc32.h
@@ -0,0 +1,30 @@
+#pragma once
+#include "stdafx.h"
+#include <atlstr.h>
+
+typedef enum _WIN_VERSION
+{
+	WindowsNT,
+	Windows2000,
+	WindowsXP,
+	Windows2003,
+	WindowsVista,
+	Windows7,
+	Windows8,
+	Windows8_1,
+	Windows10,
+	WinUnknown
+}WIN_VERSION;
+
+DWORD HsRemoteThreadInjectDll32(WCHAR* ProcessInfo);
+BOOL __stdcall HsIs32BitFile(const WCHAR * pwszFullPath);
+
+WIN_VERSION  GetWindowsVersion();
+BOOL HsInjectUpPrivilige();	//XP
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
+BOOL HsInjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId, BOOL Is32Bit);
+BOOL HsInjectDll(BOOL Is32Bit, CString* strDllPath, ULONG_PTR ProcessID);
+BOOL HsDebugPrivilege(const WCHAR *pName, BOOL bEnable);
+
+void PopFileInitialize (HWND hwnd);
+BOOL PopFileOpenDlg (HWND hwnd, PTSTR pstrFileName, PTSTR pstrTitleName);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll32/ReadMe.txt b/arkProject/HeavenShadow/injectdll32/ReadMe.txt
new file mode 100644
index 0000000..654b620
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/ReadMe.txt
@@ -0,0 +1,56 @@
+ï»¿========================================================================
+    WIN32 åº”ç”¨ç¨‹åºï¼šinjectdll32 é¡¹ç›®æ¦‚è¿°
+========================================================================
+
+åº”ç”¨ç¨‹åºå‘å¯¼å·²ä¸ºæ‚¨åˆ›å»ºäº†æ­¤ injectdll32 åº”ç”¨ç¨‹åºã€‚
+
+æœ¬æ–‡ä»¶æ¦‚è¦ä»‹ç»ç»„æˆ injectdll32 åº”ç”¨ç¨‹åºçš„æ¯ä¸ªæ–‡ä»¶çš„å†…å®¹ã€‚
+
+
+injectdll32.vcxproj
+    è¿™æ˜¯ä½¿ç”¨åº”ç”¨ç¨‹åºå‘å¯¼ç”Ÿæˆçš„ VC++ é¡¹ç›®çš„ä¸»é¡¹ç›®æ–‡ä»¶ï¼Œ
+    å…¶ä¸­åŒ…å«ç”Ÿæˆè¯¥æ–‡ä»¶çš„ Visual C++ 
+    çš„ç‰ˆæœ¬ä¿¡æ¯ï¼Œä»¥åŠæœ‰å…³ä½¿ç”¨åº”ç”¨ç¨‹åºå‘å¯¼é€‰æ‹©çš„å¹³å°ã€é…ç½®å’Œé¡¹ç›®åŠŸèƒ½çš„ä¿¡æ¯ã€‚
+
+injectdll32.vcxproj.filters
+    è¿™æ˜¯ä½¿ç”¨â€œåº”ç”¨ç¨‹åºå‘å¯¼â€ç”Ÿæˆçš„ VC++ é¡¹ç›®ç­›é€‰å™¨æ–‡ä»¶ã€‚ 
+    å®ƒåŒ…å«æœ‰å…³é¡¹ç›®æ–‡ä»¶ä¸Žç­›é€‰å™¨ä¹‹é—´çš„å…³è”ä¿¡æ¯ã€‚ åœ¨ IDE 
+    ä¸­ï¼Œé€šè¿‡è¿™ç§å…³è”ï¼Œåœ¨ç‰¹å®šèŠ‚ç‚¹ä¸‹ä»¥åˆ†ç»„å½¢å¼æ˜¾ç¤ºå…·æœ‰ç›¸ä¼¼æ‰©å±•åçš„æ–‡ä»¶ã€‚
+    ä¾‹å¦‚ï¼Œâ€œ.cppâ€æ–‡ä»¶ä¸Žâ€œæºæ–‡ä»¶â€ç­›é€‰å™¨å…³è”ã€‚
+
+injectdll32.cpp
+    è¿™æ˜¯ä¸»åº”ç”¨ç¨‹åºæºæ–‡ä»¶ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
+åº”ç”¨ç¨‹åºå‘å¯¼åˆ›å»ºäº†ä¸‹åˆ—èµ„æºï¼š
+
+injectdll32.rc
+    è¿™æ˜¯ç¨‹åºä½¿ç”¨çš„æ‰€æœ‰ Microsoft Windows èµ„æºçš„åˆ—è¡¨ã€‚  å®ƒåŒ…æ‹¬ RES 
+    å­ç›®å½•ä¸­å­˜å‚¨çš„å›¾æ ‡ã€ä½å›¾å’Œå…‰æ ‡ã€‚  æ­¤æ–‡ä»¶å¯ä»¥ç›´æŽ¥åœ¨ Microsoft Visual C++ 
+    ä¸­è¿›è¡Œç¼–è¾‘ã€‚
+
+Resource.h
+    è¿™æ˜¯æ ‡å‡†å¤´æ–‡ä»¶ï¼Œå¯ç”¨äºŽå®šä¹‰æ–°çš„èµ„æº IDã€‚
+    Microsoft Visual C++ å°†è¯»å–å¹¶æ›´æ–°æ­¤æ–‡ä»¶ã€‚
+
+injectdll32.ico
+    è¿™æ˜¯ç”¨ä½œåº”ç”¨ç¨‹åºå›¾æ ‡ (32x32) çš„å›¾æ ‡æ–‡ä»¶ã€‚
+    æ­¤å›¾æ ‡åŒ…æ‹¬åœ¨ä¸»èµ„æºæ–‡ä»¶ injectdll32.rc ä¸­ã€‚
+
+small.ico
+    è¿™æ˜¯ä¸€ä¸ªå›¾æ ‡æ–‡ä»¶ï¼Œå…¶ä¸­åŒ…å«åº”ç”¨ç¨‹åºçš„å›¾æ ‡çš„è¾ƒå°ç‰ˆæœ¬ (16x16)ã€‚ 
+    æ­¤å›¾æ ‡åŒ…æ‹¬åœ¨ä¸»èµ„æºæ–‡ä»¶ injectdll32.rc ä¸­ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
+å…¶ä»–æ ‡å‡†æ–‡ä»¶ï¼š
+
+StdAfx.hï¼ŒStdAfx.cpp
+    è¿™äº›æ–‡ä»¶ç”¨äºŽç”Ÿæˆåä¸º injectdll32.pch çš„é¢„ç¼–è¯‘å¤´ (PCH) æ–‡ä»¶å’Œ
+    åä¸º StdAfx.obj çš„é¢„ç¼–è¯‘ç±»åž‹æ–‡ä»¶ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
+å…¶ä»–æ³¨é‡Šï¼š
+
+åº”ç”¨ç¨‹åºå‘å¯¼ä½¿ç”¨â€œTODO:â€æ³¨é‡Šæ¥æŒ‡ç¤ºåº”æ·»åŠ æˆ–è‡ªå®šä¹‰çš„æºä»£ç éƒ¨åˆ†ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/arkProject/HeavenShadow/injectdll32/Resource.h b/arkProject/HeavenShadow/injectdll32/Resource.h
new file mode 100644
index 0000000..1c4f890
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/Resource.h
@@ -0,0 +1,31 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Visual C++ generated include file.
+// Used by injectdll32.rc
+//
+
+#define IDS_APP_TITLE			103
+
+#define IDR_MAINFRAME			128
+#define IDD_INJECTDLL32_DIALOG	102
+#define IDD_ABOUTBOX			103
+#define IDM_ABOUT				104
+#define IDM_EXIT				105
+#define IDI_INJECTDLL32			107
+#define IDI_SMALL				108
+#define IDC_INJECTDLL32			109
+#define IDC_MYICON				2
+#ifndef IDC_STATIC
+#define IDC_STATIC				-1
+#endif
+// ÐÂ¶ÔÏóµÄÏÂÒ»×éÄ¬ÈÏÖµ
+//
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+
+#define _APS_NO_MFC					130
+#define _APS_NEXT_RESOURCE_VALUE	129
+#define _APS_NEXT_COMMAND_VALUE		32771
+#define _APS_NEXT_CONTROL_VALUE		1000
+#define _APS_NEXT_SYMED_VALUE		110
+#endif
+#endif
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.cpp b/arkProject/HeavenShadow/injectdll32/injectdll32.cpp
new file mode 100644
index 0000000..00fd0d8
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/injectdll32.cpp
@@ -0,0 +1,188 @@
+// injectdll32.cpp : ¶¨ÒåÓ¦ÓÃ³ÌÐòµÄÈë¿Úµã¡£
+//
+
+#include "stdafx.h"
+#include "injectdll32.h"
+
+#include "InjectFunc32.h"
+
+#define MAX_LOADSTRING 100
+
+// È«¾Ö±äÁ¿:
+HINSTANCE hInst;								// µ±Ç°ÊµÀý
+TCHAR szTitle[MAX_LOADSTRING];					// ±êÌâÀ¸ÎÄ±¾
+TCHAR szWindowClass[MAX_LOADSTRING];			// Ö÷´°¿ÚÀàÃû
+
+// ´Ë´úÂëÄ£¿éÖÐ°üº¬µÄº¯ÊýµÄÇ°ÏòÉùÃ÷:
+ATOM				MyRegisterClass(HINSTANCE hInstance);
+BOOL				InitInstance(HINSTANCE, int);
+LRESULT CALLBACK	WndProc(HWND, UINT, WPARAM, LPARAM);
+INT_PTR CALLBACK	About(HWND, UINT, WPARAM, LPARAM);
+
+LPTSTR m_lpCmdLine = NULL;
+
+int APIENTRY _tWinMain(HINSTANCE hInstance,
+                     HINSTANCE hPrevInstance,
+                     LPTSTR    lpCmdLine,
+                     int       nCmdShow)
+{
+	UNREFERENCED_PARAMETER(hPrevInstance);
+	UNREFERENCED_PARAMETER(lpCmdLine);
+
+ 	// TODO: ÔÚ´Ë·ÅÖÃ´úÂë¡£
+
+	HACCEL hAccelTable;
+
+	// ³õÊ¼»¯È«¾Ö×Ö·û´®
+	LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
+	LoadString(hInstance, IDC_INJECTDLL32, szWindowClass, MAX_LOADSTRING);
+	MyRegisterClass(hInstance);
+
+	m_lpCmdLine = lpCmdLine;
+
+	// Ö´ÐÐÓ¦ÓÃ³ÌÐò³õÊ¼»¯:
+	if (!InitInstance (hInstance, nCmdShow))
+	{
+		return FALSE;
+	}
+
+	hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_INJECTDLL32));
+
+	// Ö÷ÏûÏ¢Ñ­»·:
+// 	while (GetMessage(&msg, NULL, 0, 0))
+// 	{
+// 		if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))
+// 		{
+// 			TranslateMessage(&msg);
+// 			DispatchMessage(&msg);
+// 		}
+// 	}
+
+	return FALSE;
+}
+
+
+
+//
+//  º¯Êý: MyRegisterClass()
+//
+//  Ä¿µÄ: ×¢²á´°¿ÚÀà¡£
+//
+//  ×¢ÊÍ:
+//
+//    ½öµ±Ï£Íû
+//    ´Ë´úÂëÓëÌí¼Óµ½ Windows 95 ÖÐµÄ¡°RegisterClassEx¡±
+//    º¯ÊýÖ®Ç°µÄ Win32 ÏµÍ³¼æÈÝÊ±£¬²ÅÐèÒª´Ëº¯Êý¼°ÆäÓÃ·¨¡£µ÷ÓÃ´Ëº¯ÊýÊ®·ÖÖØÒª£¬
+//    ÕâÑùÓ¦ÓÃ³ÌÐò¾Í¿ÉÒÔ»ñµÃ¹ØÁªµÄ
+//    ¡°¸ñÊ½ÕýÈ·µÄ¡±Ð¡Í¼±ê¡£
+//
+ATOM MyRegisterClass(HINSTANCE hInstance)
+{
+	WNDCLASSEX wcex;
+
+	wcex.cbSize = sizeof(WNDCLASSEX);
+
+	wcex.style			= CS_HREDRAW | CS_VREDRAW;
+	wcex.lpfnWndProc	= WndProc;
+	wcex.cbClsExtra		= 0;
+	wcex.cbWndExtra		= 0;
+	wcex.hInstance		= hInstance;
+	wcex.hIcon			= LoadIcon(hInstance, MAKEINTRESOURCE(IDI_INJECTDLL32));
+	wcex.hCursor		= LoadCursor(NULL, IDC_ARROW);
+	wcex.hbrBackground	= (HBRUSH)(COLOR_WINDOW+1);
+	wcex.lpszMenuName	= MAKEINTRESOURCE(IDC_INJECTDLL32);
+	wcex.lpszClassName	= szWindowClass;
+	wcex.hIconSm		= LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));
+
+	return RegisterClassEx(&wcex);
+}
+
+//
+//   º¯Êý: InitInstance(HINSTANCE, int)
+//
+//   Ä¿µÄ: ±£´æÊµÀý¾ä±ú²¢´´½¨Ö÷´°¿Ú
+//
+//   ×¢ÊÍ:
+//
+//        ÔÚ´Ëº¯ÊýÖÐ£¬ÎÒÃÇÔÚÈ«¾Ö±äÁ¿ÖÐ±£´æÊµÀý¾ä±ú²¢
+//        ´´½¨ºÍÏÔÊ¾Ö÷³ÌÐò´°¿Ú¡£
+//
+BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
+{
+	WCHAR* Temp = m_lpCmdLine;
+
+	if (wcslen(Temp) > 0)
+	{
+		HsRemoteThreadInjectDll32(Temp);
+	}
+
+	return TRUE;
+}
+
+//
+//  º¯Êý: WndProc(HWND, UINT, WPARAM, LPARAM)
+//
+//  Ä¿µÄ: ´¦ÀíÖ÷´°¿ÚµÄÏûÏ¢¡£
+//
+//  WM_COMMAND	- ´¦ÀíÓ¦ÓÃ³ÌÐò²Ëµ¥
+//  WM_PAINT	- »æÖÆÖ÷´°¿Ú
+//  WM_DESTROY	- ·¢ËÍÍË³öÏûÏ¢²¢·µ»Ø
+//
+//
+LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
+{
+	int wmId, wmEvent;
+	PAINTSTRUCT ps;
+	HDC hdc;
+
+	switch (message)
+	{
+	case WM_COMMAND:
+		wmId    = LOWORD(wParam);
+		wmEvent = HIWORD(wParam);
+		// ·ÖÎö²Ëµ¥Ñ¡Ôñ:
+		switch (wmId)
+		{
+		case IDM_ABOUT:
+			DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
+			break;
+		case IDM_EXIT:
+			DestroyWindow(hWnd);
+			break;
+		default:
+			return DefWindowProc(hWnd, message, wParam, lParam);
+		}
+		break;
+	case WM_PAINT:
+		hdc = BeginPaint(hWnd, &ps);
+		// TODO: ÔÚ´ËÌí¼ÓÈÎÒâ»æÍ¼´úÂë...
+		EndPaint(hWnd, &ps);
+		break;
+	case WM_DESTROY:
+		PostQuitMessage(0);
+		break;
+	default:
+		return DefWindowProc(hWnd, message, wParam, lParam);
+	}
+	return 0;
+}
+
+// ¡°¹ØÓÚ¡±¿òµÄÏûÏ¢´¦Àí³ÌÐò¡£
+INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
+{
+	UNREFERENCED_PARAMETER(lParam);
+	switch (message)
+	{
+	case WM_INITDIALOG:
+		return (INT_PTR)TRUE;
+
+	case WM_COMMAND:
+		if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL)
+		{
+			EndDialog(hDlg, LOWORD(wParam));
+			return (INT_PTR)TRUE;
+		}
+		break;
+	}
+	return (INT_PTR)FALSE;
+}
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.h b/arkProject/HeavenShadow/injectdll32/injectdll32.h
new file mode 100644
index 0000000..d00d47e
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/injectdll32.h
@@ -0,0 +1,3 @@
+#pragma once
+
+#include "resource.h"
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.ico b/arkProject/HeavenShadow/injectdll32/injectdll32.ico
new file mode 100644
index 0000000..d551aa3
Binary files /dev/null and b/arkProject/HeavenShadow/injectdll32/injectdll32.ico differ
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.rc b/arkProject/HeavenShadow/injectdll32/injectdll32.rc
new file mode 100644
index 0000000..0535906
Binary files /dev/null and b/arkProject/HeavenShadow/injectdll32/injectdll32.rc differ
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj b/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj
new file mode 100644
index 0000000..c2b2c30
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj
@@ -0,0 +1,101 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{53E8A28F-7458-42B6-9AFA-200CBCC48221}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>injectdll32</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>false</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="injectdll32.ico" />
+    <None Include="ReadMe.txt" />
+    <None Include="small.ico" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="injectdll32.h" />
+    <ClInclude Include="InjectFunc32.h" />
+    <ClInclude Include="Resource.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="injectdll32.cpp" />
+    <ClCompile Include="InjectFunc32.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="injectdll32.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj.filters b/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj.filters
new file mode 100644
index 0000000..e54f0f3
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj.filters
@@ -0,0 +1,62 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="æºæ–‡ä»¶">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="å¤´æ–‡ä»¶">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="èµ„æºæ–‡ä»¶">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="æ³¨å…¥å‡½æ•°">
+      <UniqueIdentifier>{c3207227-e44d-441a-b01b-b0de98727eaf}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+    <None Include="small.ico">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="injectdll32.ico">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="Resource.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="injectdll32.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="InjectFunc32.h">
+      <Filter>æ³¨å…¥å‡½æ•°</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>æºæ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="injectdll32.cpp">
+      <Filter>æºæ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="InjectFunc32.cpp">
+      <Filter>æ³¨å…¥å‡½æ•°</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="injectdll32.rc">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </ResourceCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj.user b/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/injectdll32.vcxproj.user
@@ -0,0 +1,3 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll32/small.ico b/arkProject/HeavenShadow/injectdll32/small.ico
new file mode 100644
index 0000000..d551aa3
Binary files /dev/null and b/arkProject/HeavenShadow/injectdll32/small.ico differ
diff --git a/arkProject/HeavenShadow/injectdll32/stdafx.cpp b/arkProject/HeavenShadow/injectdll32/stdafx.cpp
new file mode 100644
index 0000000..c283c7b
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : Ö»°üÀ¨±ê×¼°üº¬ÎÄ¼þµÄÔ´ÎÄ¼þ
+// injectdll32.pch ½«×÷ÎªÔ¤±àÒëÍ·
+// stdafx.obj ½«°üº¬Ô¤±àÒëÀàÐÍÐÅÏ¢
+
+#include "stdafx.h"
+
+// TODO: ÔÚ STDAFX.H ÖÐ
+// ÒýÓÃÈÎºÎËùÐèµÄ¸½¼ÓÍ·ÎÄ¼þ£¬¶ø²»ÊÇÔÚ´ËÎÄ¼þÖÐÒýÓÃ
diff --git a/arkProject/HeavenShadow/injectdll32/stdafx.h b/arkProject/HeavenShadow/injectdll32/stdafx.h
new file mode 100644
index 0000000..5c45873
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/stdafx.h
@@ -0,0 +1,23 @@
+// stdafx.h : ±ê×¼ÏµÍ³°üº¬ÎÄ¼þµÄ°üº¬ÎÄ¼þ£¬
+// »òÊÇ¾­³£Ê¹ÓÃµ«²»³£¸ü¸ÄµÄ
+// ÌØ¶¨ÓÚÏîÄ¿µÄ°üº¬ÎÄ¼þ
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN             //  ´Ó Windows Í·ÎÄ¼þÖÐÅÅ³ý¼«ÉÙÊ¹ÓÃµÄÐÅÏ¢
+// Windows Í·ÎÄ¼þ:
+#include <windows.h>
+
+// C ÔËÐÐÊ±Í·ÎÄ¼þ
+#include <stdlib.h>
+#include <malloc.h>
+#include <memory.h>
+#include <tchar.h>
+#include <Windows.h>
+#include <CommDlg.h>
+
+
+// TODO: ÔÚ´Ë´¦ÒýÓÃ³ÌÐòÐèÒªµÄÆäËûÍ·ÎÄ¼þ
diff --git a/arkProject/HeavenShadow/injectdll32/targetver.h b/arkProject/HeavenShadow/injectdll32/targetver.h
new file mode 100644
index 0000000..7a7d2c8
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll32/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// °üÀ¨ SDKDDKVer.h ½«¶¨Òå¿ÉÓÃµÄ×î¸ß°æ±¾µÄ Windows Æ½Ì¨¡£
+
+// Èç¹ûÒªÎªÒÔÇ°µÄ Windows Æ½Ì¨Éú³ÉÓ¦ÓÃ³ÌÐò£¬Çë°üÀ¨ WinSDKVer.h£¬²¢½«
+// WIN32_WINNT ºêÉèÖÃÎªÒªÖ§³ÖµÄÆ½Ì¨£¬È»ºóÔÙ°üÀ¨ SDKDDKVer.h¡£
+
+#include <SDKDDKVer.h>
diff --git a/arkProject/HeavenShadow/injectdll64/InjectFunc64.cpp b/arkProject/HeavenShadow/injectdll64/InjectFunc64.cpp
new file mode 100644
index 0000000..f854119
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/InjectFunc64.cpp
@@ -0,0 +1,573 @@
+#include "stdafx.h"
+
+#include "InjectFunc64.h"
+
+WIN_VERSION  GetWindowsVersion();
+WIN_VERSION  WinVersion = WinUnknown;
+
+typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
+typedef long (__fastcall *pfnRtlAdjustPrivilege32)(ULONG,ULONG,ULONG,PVOID);
+pfnRtlAdjustPrivilege64 RtlAdjustPrivilege64;
+pfnRtlAdjustPrivilege32 RtlAdjustPrivilege32;
+
+static OPENFILENAME ofn ;
+
+DWORD HsRemoteThreadInjectDll64(WCHAR* ProcessInfo)
+{
+	ULONG_PTR ProcessId = 0;
+	WCHAR*    ProcessPath = NULL;
+	WCHAR wzFileFilter[] = L"Ó¦ÓÃ³ÌÐòÀ©Õ¹ (*.dll)\0*.dll\0ËùÓÐÎÄ¼þ (*.*)\0*.*\0";
+	WCHAR wzFileChoose[] = L"´ò¿ªÎÄ¼þ";
+
+	int i;
+	int j;
+
+	WCHAR szPid[10] = {0};
+
+	for (i = 0; _wcsnicmp(ProcessInfo+i,L"-d ",wcslen(L"-d "))!=0 && i<=10 ;i++);
+
+	if (i == 10)
+	{
+		return FALSE;
+	}
+
+	WCHAR* PidTemp = ProcessInfo + i + wcslen(L"-d ");
+
+	j = i;
+
+	for ( ; _wcsnicmp(ProcessInfo + j,L" -p ",wcslen(L" -p "))!=0 && j-i<=10 ;j++);
+
+	if (j-i==10)
+	{
+		return FALSE;
+	}
+
+	memcpy(szPid,PidTemp,j-i);
+
+	ProcessId   = _ttoi(szPid);
+
+	ProcessPath = ProcessInfo + j + wcslen(L" -p ");
+
+	static TCHAR szFileName[MAX_PATH], szTitleName[MAX_PATH] ;
+	HWND hwnd;
+	hwnd=GetForegroundWindow(); //»ñÈ¡Ç°Ì¨´°¿Ú¾ä±ú¡£±¾³ÌÐòÖÐµÄÇ°Ì¨´°¿Ú¾ÍÊÇ¿ØÖÆÌ¨´°¿Ú¡£ 
+	PopFileInitialize (hwnd);   //³õÊ¼»¯ofn
+	PopFileOpenDlg(hwnd, szFileName, szTitleName);//´ò¿ªÎÄ¼þ¶Ô»°¿ò
+	
+	CString strDllPath = szFileName;
+
+	BOOL bResult = FALSE;
+
+	if (PathFileExists(strDllPath))
+	{
+		if (HsIs32BitFile(ProcessPath)==FALSE &&
+			HsIs32BitFile(strDllPath.GetBuffer())==FALSE)
+		{
+			bResult = HsInjectDll(FALSE,&strDllPath,ProcessId);
+		}
+	}
+
+	if (bResult == FALSE)
+	{
+		::MessageBox(NULL,L"Ô¶³ÌÏß³Ì×¢ÈëÊ§°Ü¡£",L"ÌìÓ°ÎÀÊ¿",MB_SYSTEMMODAL|MB_OK);
+
+	}
+	else
+	{
+		::MessageBox(NULL,L"Ô¶³ÌÏß³Ì×¢Èë³É¹¦¡£",L"ÌìÓ°ÎÀÊ¿",MB_SYSTEMMODAL|MB_OK);
+	}
+
+	return bResult;
+}
+
+
+
+
+
+BOOL __stdcall HsIs32BitFile(const WCHAR * pwszFullPath)
+{
+	FILE * peFile = NULL;
+	_wfopen_s(&peFile, pwszFullPath, L"rb");
+	if (peFile == NULL)
+	{
+		fclose(peFile);
+		return -1;
+	}
+
+	IMAGE_DOS_HEADER imageDosHeader;
+	fread(&imageDosHeader, sizeof(IMAGE_DOS_HEADER), 1, peFile);
+	if (imageDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
+	{
+		fclose(peFile);
+		return FALSE;
+	}
+
+	IMAGE_NT_HEADERS imageNtHeaders;
+	fseek(peFile, imageDosHeader.e_lfanew, SEEK_SET);
+	fread(&imageNtHeaders, sizeof(IMAGE_NT_HEADERS), 1, peFile);
+	fclose(peFile);
+	if (imageNtHeaders.Signature != IMAGE_NT_SIGNATURE)
+	{
+		return FALSE;
+	}
+
+	if (imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
+	{
+		return TRUE;
+	}
+	// 	if (imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
+	// 		imageNtHeaders.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
+	// 	{
+	// 		return FALSE;	//64BIT
+	// 	}
+
+	return FALSE;
+}
+
+
+
+
+
+//¸Ä³ÌÐò±àÒë³É64Î»¿ÉÒÔ×¢Èë64Î» ±àÒë³É32Î»¿ÉÒÔ×¢Èë32Î»
+
+BOOL HsInjectDll(BOOL Is32Bit, CString* strDllPath, ULONG_PTR ProcessID)
+{
+	BOOL bResult = FALSE;
+
+	if (ProcessID <= 0)
+	{
+		return FALSE;
+	}
+
+
+	if (PathFileExists(*strDllPath))
+	{
+		WinVersion = GetWindowsVersion();
+
+		switch(WinVersion)
+		{
+		case Windows7:   //×¢ÒâÎÒÃÇÕâÀïÕë¶ÔµÄÊÇ64Î»µÄWin7
+			{
+
+				WCHAR wzPath[MAX_PATH] = {0};
+				wcscpy_s(wzPath, strDllPath->GetBuffer());
+				strDllPath->ReleaseBuffer();
+
+				bResult = HsInjectDllByRemoteThreadWin7(wzPath,ProcessID,Is32Bit);
+
+				break;
+			}
+
+		case WindowsXP:  //ÕâÀïÊÇÕë¶ÔµÄ32Î»µÄXP
+			{
+				WCHAR wzPath[MAX_PATH] = {0};
+				wcscpy_s(wzPath, strDllPath->GetBuffer());
+
+				strDllPath->ReleaseBuffer();
+
+				bResult = HsInjectDllByRemoteThreadWinXP(wzPath,ProcessID);
+
+				break;
+			}
+		}
+	}
+	return bResult;
+}
+
+
+BOOL HsInjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId, BOOL Is32Bit)
+{
+	if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
+	{
+		return FALSE;
+	}
+	HANDLE                 hProcess = NULL;
+	HANDLE                 hThread  = NULL;
+	DWORD                  dwRetVal    = 0;
+	LPTHREAD_START_ROUTINE FuncAddress = NULL;
+	DWORD  dwSize = 0;
+	TCHAR* VirtualAddress = NULL;
+
+#ifdef _UNICODE
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+	FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+	if (FuncAddress==NULL)
+	{
+		return FALSE;
+	}
+
+
+	RtlAdjustPrivilege64=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
+
+	if (RtlAdjustPrivilege64==NULL)
+	{
+		return FALSE;
+	}
+	RtlAdjustPrivilege64(20,1,0,&dwRetVal);  //19
+
+
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, (DWORD)ProcessId);
+
+	if (NULL == hProcess)
+	{
+		printf("Open Process Fail\r\n");
+		return FALSE;
+	}
+
+	// ÔÚÄ¿±ê½ø³ÌÖÐ·ÖÅäÄÚ´æ¿Õ¼ä
+	dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
+	VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);  
+	if (NULL == VirtualAddress)
+	{
+
+		printf("Virtual Process Memory Fail\r\n");
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+	// ÔÚÄ¿±ê½ø³ÌµÄÄÚ´æ¿Õ¼äÖÐÐ´ÈëËùÐè²ÎÊý(Ä£¿éÃû)
+	if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
+	{
+		printf("Write Data Fail\r\n");
+		VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+	hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
+	if (NULL == hThread)
+	{
+		printf("CreateRemoteThread Fail\r\n");
+
+		VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+		CloseHandle(hProcess);
+		return FALSE;
+	}
+
+
+	// µÈ´ýÔ¶³ÌÏß³Ì½áÊø
+	WaitForSingleObject(hThread, INFINITE);
+	// ÇåÀí
+	VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+	CloseHandle(hThread);
+	CloseHandle(hProcess);
+
+	return TRUE;
+
+}
+
+
+
+
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
+{
+	//Ìá¸ß±¾½ø³ÌµÄÈ¨ÏÞ
+
+	if (!HsInjectUpPrivilige())  //ÌáÈ¨
+	{
+		printf("Up Privilige Is Error\n");
+		return FALSE;
+	}
+
+	CStringA *Dll = new CStringA(wzDllFile);
+
+
+	//ÎÒÃÇ¾ÍÒª´ò¿ªÏëÒª´ò¿ªµÄ½ø³Ì
+	HANDLE hProcess = NULL;
+	HANDLE hThread  = NULL;
+
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,(DWORD)ProcessId);  //explorer.exe  hProcess
+	if (hProcess==NULL)
+	{
+		printf("Open Process Is Error\n");
+
+		return FALSE;
+	}
+
+	char* szDllName = NULL;
+
+	szDllName = (char*)VirtualAllocEx(hProcess,
+		NULL,Dll->GetLength()+1,MEM_COMMIT,PAGE_READWRITE);   
+
+	if (szDllName==NULL)
+	{
+
+		CloseHandle(hProcess);
+		printf("Apply Memory Is Error\n");
+
+		return FALSE;
+	}
+
+	//È»ºó½«ÍêÕûµÄÂ·¾¶Ö±½ÓÐ´ÈëÄÚ´æ
+
+	if (!WriteProcessMemory(hProcess,szDllName,Dll->GetBuffer(),Dll->GetLength()+1,NULL))
+	{
+
+		CloseHandle(hProcess);
+
+		printf("Write Memory Is Error\n");
+
+		return FALSE;
+	}
+
+	LPTHREAD_START_ROUTINE StartRoutine = NULL;
+
+	StartRoutine = 
+		(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),
+		"LoadLibraryA");
+
+	if(StartRoutine == NULL)
+	{
+		printf("Get ProcAddress Error\n");
+		return FALSE;
+	}
+
+	hThread = CreateRemoteThread(hProcess,NULL,0,StartRoutine,szDllName,0,NULL);
+
+	if (hThread==NULL)
+	{
+		CloseHandle(hProcess);
+
+		printf("Create Remote Thread Is Error\n");
+
+		return FALSE;
+	}
+
+	WaitForSingleObject(hThread, INFINITE);
+	CloseHandle(hThread);
+	VirtualFreeEx(hProcess,szDllName,0,MEM_RELEASE);
+	CloseHandle(hProcess);
+
+	return TRUE;
+}
+
+
+BOOL HsInjectUpPrivilige()	//XP
+{
+
+	HANDLE hToken = NULL;
+
+	_TOKEN_PRIVILEGES tp = {0};
+
+	LUID luid={0};
+
+
+	if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
+	{
+		printf("OpenProcess Is Error\n");
+
+		return FALSE;
+	}
+
+	if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
+	{
+
+		printf("Lookup Is Error\n");
+
+		return FALSE;
+	}
+
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+
+	if (!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
+	{
+		printf("Adjust Is Error\n");
+
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+/*
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
+{
+// ²ÎÊýÎÞÐ§
+if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
+{
+
+return FALSE;
+}
+
+HANDLE hProcess = NULL;
+HANDLE hThread  = NULL;
+DWORD dwSize = 0;
+TCHAR* VirtualAddress = NULL;
+LPTHREAD_START_ROUTINE FuncAddress = NULL;
+
+// »ñÈ¡Ä¿±ê½ø³Ì¾ä±ú
+hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)ProcessId);
+if (NULL == hProcess)
+{
+printf("Open Process Fail\r\n");
+return FALSE;
+}
+
+// ÔÚÄ¿±ê½ø³ÌÖÐ·ÖÅäÄÚ´æ¿Õ¼ä
+dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
+VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
+if (NULL == VirtualAddress)
+{
+
+printf("Virtual Process Memory Fail\r\n");
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// ÔÚÄ¿±ê½ø³ÌµÄÄÚ´æ¿Õ¼äÖÐÐ´ÈëËùÐè²ÎÊý(Ä£¿éÃû)
+if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
+{
+printf("Write Data Fail\r\n");
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// ´Ó Kernel32.dll ÖÐ»ñÈ¡ LoadLibrary º¯ÊýµØÖ·
+#ifdef _UNICODE
+FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
+#else
+FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
+#endif
+
+if (NULL == FuncAddress)
+{
+printf("Get LoadLibrary Fail\r\n");
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return false;
+}
+
+// ´´½¨Ô¶³ÌÏß³Ìµ÷ÓÃ LoadLibrary
+hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
+if (NULL == hThread)
+{
+printf("CreateRemoteThread Fail\r\n");
+
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hProcess);
+return FALSE;
+}
+
+// µÈ´ýÔ¶³ÌÏß³Ì½áÊø
+WaitForSingleObject(hThread, INFINITE);
+// ÇåÀí
+VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
+CloseHandle(hThread);
+CloseHandle(hProcess);
+
+return TRUE;
+}
+
+
+*/
+
+
+
+
+WIN_VERSION  GetWindowsVersion()
+{
+	OSVERSIONINFOEX	OsVerInfoEx;
+	OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // ×¢Òâ×ª»»ÀàÐÍ
+
+	switch (OsVerInfoEx.dwPlatformId)
+	{
+	case VER_PLATFORM_WIN32_NT:
+		{
+			if (OsVerInfoEx.dwMajorVersion <= 4 )
+			{
+				return WindowsNT;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 0)
+			{
+				return Windows2000;
+			}
+
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1)
+			{
+				return WindowsXP;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 2)
+			{
+				return Windows2003;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 0)
+			{
+				return WindowsVista;
+			}
+
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 1)
+			{
+				return Windows7;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 2 )
+			{
+				return Windows8;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 3 )
+			{
+				return Windows8_1;
+			}
+			if (OsVerInfoEx.dwMajorVersion == 10 && OsVerInfoEx.dwMinorVersion == 0 )
+			{
+				return Windows10;
+			}
+
+			break;
+		}
+
+	default:
+		{
+			return WinUnknown;
+		}
+	}
+
+	return WinUnknown;
+}
+
+
+
+
+void PopFileInitialize (HWND hwnd)
+{
+	static TCHAR szFilter[] = TEXT ("Ó¦ÓÃ³ÌÐòÀ©Õ¹ (*.dll)\0*.dll\0\0");
+
+	ofn.lStructSize       = sizeof (OPENFILENAME) ;
+	ofn.hwndOwner         = hwnd ;
+	ofn.hInstance         = NULL ;
+	ofn.lpstrFilter       = szFilter ;
+	ofn.lpstrCustomFilter = NULL ;
+	ofn.nMaxCustFilter    = 0 ;
+	ofn.nFilterIndex      = 0 ;
+	ofn.lpstrFile         = NULL ;          // Set in Open and Close functions
+	ofn.nMaxFile          = MAX_PATH ;
+	ofn.lpstrFileTitle    = NULL ;          // Set in Open and Close functions
+	ofn.nMaxFileTitle     = MAX_PATH ;
+	ofn.lpstrInitialDir   = NULL ;
+	ofn.lpstrTitle        = NULL ;
+	ofn.Flags             = 0 ;             // Set in Open and Close functions
+	ofn.nFileOffset       = 0 ;
+	ofn.nFileExtension    = 0 ;
+	ofn.lpstrDefExt       = TEXT ("dll") ;
+	ofn.lCustData         = 0L ;
+	ofn.lpfnHook          = NULL ;
+	ofn.lpTemplateName    = NULL ;
+}
+
+BOOL PopFileOpenDlg (HWND hwnd, PTSTR pstrFileName, PTSTR pstrTitleName)
+{
+	ofn.hwndOwner         = hwnd ;
+	ofn.lpstrFile         = pstrFileName ;
+	ofn.lpstrFileTitle    = pstrTitleName ;
+	ofn.Flags             = OFN_HIDEREADONLY | OFN_CREATEPROMPT ;
+
+	return GetOpenFileName (&ofn) ;
+}
diff --git a/arkProject/HeavenShadow/injectdll64/InjectFunc64.h b/arkProject/HeavenShadow/injectdll64/InjectFunc64.h
new file mode 100644
index 0000000..f258680
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/InjectFunc64.h
@@ -0,0 +1,29 @@
+#pragma once
+#include "stdafx.h"
+#include <atlstr.h>
+
+typedef enum _WIN_VERSION
+{
+	WindowsNT,
+	Windows2000,
+	WindowsXP,
+	Windows2003,
+	WindowsVista,
+	Windows7,
+	Windows8,
+	Windows8_1,
+	Windows10,
+	WinUnknown
+}WIN_VERSION;
+
+DWORD HsRemoteThreadInjectDll64(WCHAR* ProcessInfo);
+BOOL __stdcall HsIs32BitFile(const WCHAR * pwszFullPath);
+
+WIN_VERSION  GetWindowsVersion();
+BOOL HsInjectUpPrivilige();	//XP
+BOOL HsInjectDllByRemoteThreadWinXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
+BOOL HsInjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId, BOOL Is32Bit);
+BOOL HsInjectDll(BOOL Is32Bit, CString* strDllPath, ULONG_PTR ProcessID);
+
+void PopFileInitialize (HWND hwnd);
+BOOL PopFileOpenDlg (HWND hwnd, PTSTR pstrFileName, PTSTR pstrTitleName);
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll64/ReadMe.txt b/arkProject/HeavenShadow/injectdll64/ReadMe.txt
new file mode 100644
index 0000000..a88edb6
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/ReadMe.txt
@@ -0,0 +1,56 @@
+ï»¿========================================================================
+    WIN32 åº”ç”¨ç¨‹åºï¼šinjectdll64 é¡¹ç›®æ¦‚è¿°
+========================================================================
+
+åº”ç”¨ç¨‹åºå‘å¯¼å·²ä¸ºæ‚¨åˆ›å»ºäº†æ­¤ injectdll64 åº”ç”¨ç¨‹åºã€‚
+
+æœ¬æ–‡ä»¶æ¦‚è¦ä»‹ç»ç»„æˆ injectdll64 åº”ç”¨ç¨‹åºçš„æ¯ä¸ªæ–‡ä»¶çš„å†…å®¹ã€‚
+
+
+injectdll64.vcxproj
+    è¿™æ˜¯ä½¿ç”¨åº”ç”¨ç¨‹åºå‘å¯¼ç”Ÿæˆçš„ VC++ é¡¹ç›®çš„ä¸»é¡¹ç›®æ–‡ä»¶ï¼Œ
+    å…¶ä¸­åŒ…å«ç”Ÿæˆè¯¥æ–‡ä»¶çš„ Visual C++ 
+    çš„ç‰ˆæœ¬ä¿¡æ¯ï¼Œä»¥åŠæœ‰å…³ä½¿ç”¨åº”ç”¨ç¨‹åºå‘å¯¼é€‰æ‹©çš„å¹³å°ã€é…ç½®å’Œé¡¹ç›®åŠŸèƒ½çš„ä¿¡æ¯ã€‚
+
+injectdll64.vcxproj.filters
+    è¿™æ˜¯ä½¿ç”¨â€œåº”ç”¨ç¨‹åºå‘å¯¼â€ç”Ÿæˆçš„ VC++ é¡¹ç›®ç­›é€‰å™¨æ–‡ä»¶ã€‚ 
+    å®ƒåŒ…å«æœ‰å…³é¡¹ç›®æ–‡ä»¶ä¸Žç­›é€‰å™¨ä¹‹é—´çš„å…³è”ä¿¡æ¯ã€‚ åœ¨ IDE 
+    ä¸­ï¼Œé€šè¿‡è¿™ç§å…³è”ï¼Œåœ¨ç‰¹å®šèŠ‚ç‚¹ä¸‹ä»¥åˆ†ç»„å½¢å¼æ˜¾ç¤ºå…·æœ‰ç›¸ä¼¼æ‰©å±•åçš„æ–‡ä»¶ã€‚
+    ä¾‹å¦‚ï¼Œâ€œ.cppâ€æ–‡ä»¶ä¸Žâ€œæºæ–‡ä»¶â€ç­›é€‰å™¨å…³è”ã€‚
+
+injectdll64.cpp
+    è¿™æ˜¯ä¸»åº”ç”¨ç¨‹åºæºæ–‡ä»¶ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
+åº”ç”¨ç¨‹åºå‘å¯¼åˆ›å»ºäº†ä¸‹åˆ—èµ„æºï¼š
+
+injectdll64.rc
+    è¿™æ˜¯ç¨‹åºä½¿ç”¨çš„æ‰€æœ‰ Microsoft Windows èµ„æºçš„åˆ—è¡¨ã€‚  å®ƒåŒ…æ‹¬ RES 
+    å­ç›®å½•ä¸­å­˜å‚¨çš„å›¾æ ‡ã€ä½å›¾å’Œå…‰æ ‡ã€‚  æ­¤æ–‡ä»¶å¯ä»¥ç›´æŽ¥åœ¨ Microsoft Visual C++ 
+    ä¸­è¿›è¡Œç¼–è¾‘ã€‚
+
+Resource.h
+    è¿™æ˜¯æ ‡å‡†å¤´æ–‡ä»¶ï¼Œå¯ç”¨äºŽå®šä¹‰æ–°çš„èµ„æº IDã€‚
+    Microsoft Visual C++ å°†è¯»å–å¹¶æ›´æ–°æ­¤æ–‡ä»¶ã€‚
+
+injectdll64.ico
+    è¿™æ˜¯ç”¨ä½œåº”ç”¨ç¨‹åºå›¾æ ‡ (32x32) çš„å›¾æ ‡æ–‡ä»¶ã€‚
+    æ­¤å›¾æ ‡åŒ…æ‹¬åœ¨ä¸»èµ„æºæ–‡ä»¶ injectdll64.rc ä¸­ã€‚
+
+small.ico
+    è¿™æ˜¯ä¸€ä¸ªå›¾æ ‡æ–‡ä»¶ï¼Œå…¶ä¸­åŒ…å«åº”ç”¨ç¨‹åºçš„å›¾æ ‡çš„è¾ƒå°ç‰ˆæœ¬ (16x16)ã€‚ 
+    æ­¤å›¾æ ‡åŒ…æ‹¬åœ¨ä¸»èµ„æºæ–‡ä»¶ injectdll64.rc ä¸­ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
+å…¶ä»–æ ‡å‡†æ–‡ä»¶ï¼š
+
+StdAfx.hï¼ŒStdAfx.cpp
+    è¿™äº›æ–‡ä»¶ç”¨äºŽç”Ÿæˆåä¸º injectdll64.pch çš„é¢„ç¼–è¯‘å¤´ (PCH) æ–‡ä»¶å’Œ
+    åä¸º StdAfx.obj çš„é¢„ç¼–è¯‘ç±»åž‹æ–‡ä»¶ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
+å…¶ä»–æ³¨é‡Šï¼š
+
+åº”ç”¨ç¨‹åºå‘å¯¼ä½¿ç”¨â€œTODO:â€æ³¨é‡Šæ¥æŒ‡ç¤ºåº”æ·»åŠ æˆ–è‡ªå®šä¹‰çš„æºä»£ç éƒ¨åˆ†ã€‚
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/arkProject/HeavenShadow/injectdll64/Resource.h b/arkProject/HeavenShadow/injectdll64/Resource.h
new file mode 100644
index 0000000..1eae80a
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/Resource.h
@@ -0,0 +1,31 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Visual C++ generated include file.
+// Used by injectdll64.rc
+//
+
+#define IDS_APP_TITLE			103
+
+#define IDR_MAINFRAME			128
+#define IDD_INJECTDLL64_DIALOG	102
+#define IDD_ABOUTBOX			103
+#define IDM_ABOUT				104
+#define IDM_EXIT				105
+#define IDI_INJECTDLL64			107
+#define IDI_SMALL				108
+#define IDC_INJECTDLL64			109
+#define IDC_MYICON				2
+#ifndef IDC_STATIC
+#define IDC_STATIC				-1
+#endif
+// ÐÂ¶ÔÏóµÄÏÂÒ»×éÄ¬ÈÏÖµ
+//
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+
+#define _APS_NO_MFC					130
+#define _APS_NEXT_RESOURCE_VALUE	129
+#define _APS_NEXT_COMMAND_VALUE		32771
+#define _APS_NEXT_CONTROL_VALUE		1000
+#define _APS_NEXT_SYMED_VALUE		110
+#endif
+#endif
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.cpp b/arkProject/HeavenShadow/injectdll64/injectdll64.cpp
new file mode 100644
index 0000000..94e02d7
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/injectdll64.cpp
@@ -0,0 +1,191 @@
+// injectdll64.cpp : ¶¨ÒåÓ¦ÓÃ³ÌÐòµÄÈë¿Úµã¡£
+//
+
+#include "stdafx.h"
+#include "injectdll64.h"
+
+#include "InjectFunc64.h"
+
+#define MAX_LOADSTRING 100
+
+// È«¾Ö±äÁ¿:
+HINSTANCE hInst;								// µ±Ç°ÊµÀý
+TCHAR szTitle[MAX_LOADSTRING];					// ±êÌâÀ¸ÎÄ±¾
+TCHAR szWindowClass[MAX_LOADSTRING];			// Ö÷´°¿ÚÀàÃû
+
+// ´Ë´úÂëÄ£¿éÖÐ°üº¬µÄº¯ÊýµÄÇ°ÏòÉùÃ÷:
+ATOM				MyRegisterClass(HINSTANCE hInstance);
+BOOL				InitInstance(HINSTANCE, int);
+LRESULT CALLBACK	WndProc(HWND, UINT, WPARAM, LPARAM);
+INT_PTR CALLBACK	About(HWND, UINT, WPARAM, LPARAM);
+
+LPTSTR m_lpCmdLine = NULL;
+
+int APIENTRY _tWinMain(HINSTANCE hInstance,
+                     HINSTANCE hPrevInstance,
+                     LPTSTR    lpCmdLine,
+                     int       nCmdShow)
+{
+	UNREFERENCED_PARAMETER(hPrevInstance);
+	UNREFERENCED_PARAMETER(lpCmdLine);
+
+ 	// TODO: ÔÚ´Ë·ÅÖÃ´úÂë¡£
+
+	HACCEL hAccelTable;
+
+	// ³õÊ¼»¯È«¾Ö×Ö·û´®
+	LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
+	LoadString(hInstance, IDC_INJECTDLL64, szWindowClass, MAX_LOADSTRING);
+	MyRegisterClass(hInstance);
+
+	m_lpCmdLine = lpCmdLine;
+
+	// Ö´ÐÐÓ¦ÓÃ³ÌÐò³õÊ¼»¯:
+	if (!InitInstance (hInstance, nCmdShow))
+	{
+		return FALSE;
+	}
+
+	hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_INJECTDLL64));
+
+	// Ö÷ÏûÏ¢Ñ­»·:
+// 	while (GetMessage(&msg, NULL, 0, 0))
+// 	{
+// 		if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))
+// 		{
+// 			TranslateMessage(&msg);
+// 			DispatchMessage(&msg);
+// 		}
+// 	}
+
+	return FALSE;
+}
+
+
+
+//
+//  º¯Êý: MyRegisterClass()
+//
+//  Ä¿µÄ: ×¢²á´°¿ÚÀà¡£
+//
+//  ×¢ÊÍ:
+//
+//    ½öµ±Ï£Íû
+//    ´Ë´úÂëÓëÌí¼Óµ½ Windows 95 ÖÐµÄ¡°RegisterClassEx¡±
+//    º¯ÊýÖ®Ç°µÄ Win32 ÏµÍ³¼æÈÝÊ±£¬²ÅÐèÒª´Ëº¯Êý¼°ÆäÓÃ·¨¡£µ÷ÓÃ´Ëº¯ÊýÊ®·ÖÖØÒª£¬
+//    ÕâÑùÓ¦ÓÃ³ÌÐò¾Í¿ÉÒÔ»ñµÃ¹ØÁªµÄ
+//    ¡°¸ñÊ½ÕýÈ·µÄ¡±Ð¡Í¼±ê¡£
+//
+ATOM MyRegisterClass(HINSTANCE hInstance)
+{
+	WNDCLASSEX wcex;
+
+	wcex.cbSize = sizeof(WNDCLASSEX);
+
+	wcex.style			= CS_HREDRAW | CS_VREDRAW;
+	wcex.lpfnWndProc	= WndProc;
+	wcex.cbClsExtra		= 0;
+	wcex.cbWndExtra		= 0;
+	wcex.hInstance		= hInstance;
+	wcex.hIcon			= LoadIcon(hInstance, MAKEINTRESOURCE(IDI_INJECTDLL64));
+	wcex.hCursor		= LoadCursor(NULL, IDC_ARROW);
+	wcex.hbrBackground	= (HBRUSH)(COLOR_WINDOW+1);
+	wcex.lpszMenuName	= MAKEINTRESOURCE(IDC_INJECTDLL64);
+	wcex.lpszClassName	= szWindowClass;
+	wcex.hIconSm		= LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));
+
+	return RegisterClassEx(&wcex);
+}
+
+//
+//   º¯Êý: InitInstance(HINSTANCE, int)
+//
+//   Ä¿µÄ: ±£´æÊµÀý¾ä±ú²¢´´½¨Ö÷´°¿Ú
+//
+//   ×¢ÊÍ:
+//
+//        ÔÚ´Ëº¯ÊýÖÐ£¬ÎÒÃÇÔÚÈ«¾Ö±äÁ¿ÖÐ±£´æÊµÀý¾ä±ú²¢
+//        ´´½¨ºÍÏÔÊ¾Ö÷³ÌÐò´°¿Ú¡£
+//
+BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
+{
+	WCHAR* Temp = m_lpCmdLine;
+
+	if (wcslen(Temp) > 0)
+	{
+		HsRemoteThreadInjectDll64(Temp);
+	}
+	
+	return TRUE;
+}
+
+//
+//  º¯Êý: WndProc(HWND, UINT, WPARAM, LPARAM)
+//
+//  Ä¿µÄ: ´¦ÀíÖ÷´°¿ÚµÄÏûÏ¢¡£
+//
+//  WM_COMMAND	- ´¦ÀíÓ¦ÓÃ³ÌÐò²Ëµ¥
+//  WM_PAINT	- »æÖÆÖ÷´°¿Ú
+//  WM_DESTROY	- ·¢ËÍÍË³öÏûÏ¢²¢·µ»Ø
+//
+//
+LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
+{
+	int wmId, wmEvent;
+	PAINTSTRUCT ps;
+	HDC hdc;
+
+	switch (message)
+	{
+	case WM_COMMAND:
+		wmId    = LOWORD(wParam);
+		wmEvent = HIWORD(wParam);
+		// ·ÖÎö²Ëµ¥Ñ¡Ôñ:
+		switch (wmId)
+		{
+		case IDM_ABOUT:
+			DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
+			break;
+		case IDM_EXIT:
+			DestroyWindow(hWnd);
+			break;
+		default:
+			return DefWindowProc(hWnd, message, wParam, lParam);
+		}
+		break;
+	case WM_PAINT:
+		hdc = BeginPaint(hWnd, &ps);
+		// TODO: ÔÚ´ËÌí¼ÓÈÎÒâ»æÍ¼´úÂë...
+		EndPaint(hWnd, &ps);
+		break;
+	case WM_DESTROY:
+		PostQuitMessage(0);
+		break;
+	default:
+		return DefWindowProc(hWnd, message, wParam, lParam);
+	}
+	return 0;
+}
+
+// ¡°¹ØÓÚ¡±¿òµÄÏûÏ¢´¦Àí³ÌÐò¡£
+INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
+{
+	UNREFERENCED_PARAMETER(lParam);
+	switch (message)
+	{
+	case WM_INITDIALOG:
+		return (INT_PTR)TRUE;
+
+	case WM_COMMAND:
+		if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL)
+		{
+			EndDialog(hDlg, LOWORD(wParam));
+			return (INT_PTR)TRUE;
+		}
+		break;
+	}
+	return (INT_PTR)FALSE;
+}
+
+
+
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.h b/arkProject/HeavenShadow/injectdll64/injectdll64.h
new file mode 100644
index 0000000..d00d47e
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/injectdll64.h
@@ -0,0 +1,3 @@
+#pragma once
+
+#include "resource.h"
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.ico b/arkProject/HeavenShadow/injectdll64/injectdll64.ico
new file mode 100644
index 0000000..d551aa3
Binary files /dev/null and b/arkProject/HeavenShadow/injectdll64/injectdll64.ico differ
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.rc b/arkProject/HeavenShadow/injectdll64/injectdll64.rc
new file mode 100644
index 0000000..e3aa668
Binary files /dev/null and b/arkProject/HeavenShadow/injectdll64/injectdll64.rc differ
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj b/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj
new file mode 100644
index 0000000..57711c7
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj
@@ -0,0 +1,162 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F7C83834-3D4A-4362-9E7B-5EE1F4D68C89}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>injectdll64</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>false</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="injectdll64.ico" />
+    <None Include="ReadMe.txt" />
+    <None Include="small.ico" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="injectdll64.h" />
+    <ClInclude Include="InjectFunc64.h" />
+    <ClInclude Include="Resource.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="injectdll64.cpp" />
+    <ClCompile Include="InjectFunc64.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="injectdll64.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj.filters b/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj.filters
new file mode 100644
index 0000000..8aba311
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj.filters
@@ -0,0 +1,62 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="æºæ–‡ä»¶">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="å¤´æ–‡ä»¶">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="èµ„æºæ–‡ä»¶">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="æ³¨å…¥å‡½æ•°">
+      <UniqueIdentifier>{c54db13b-b85e-48e1-b87f-c04eb9a9214a}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+    <None Include="small.ico">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+    <None Include="injectdll64.ico">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="Resource.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="injectdll64.h">
+      <Filter>å¤´æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="InjectFunc64.h">
+      <Filter>æ³¨å…¥å‡½æ•°</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>æºæ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="injectdll64.cpp">
+      <Filter>æºæ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="InjectFunc64.cpp">
+      <Filter>æ³¨å…¥å‡½æ•°</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="injectdll64.rc">
+      <Filter>èµ„æºæ–‡ä»¶</Filter>
+    </ResourceCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj.user b/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/injectdll64.vcxproj.user
@@ -0,0 +1,3 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadow/injectdll64/small.ico b/arkProject/HeavenShadow/injectdll64/small.ico
new file mode 100644
index 0000000..d551aa3
Binary files /dev/null and b/arkProject/HeavenShadow/injectdll64/small.ico differ
diff --git a/arkProject/HeavenShadow/injectdll64/stdafx.cpp b/arkProject/HeavenShadow/injectdll64/stdafx.cpp
new file mode 100644
index 0000000..b4ee544
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : Ö»°üÀ¨±ê×¼°üº¬ÎÄ¼þµÄÔ´ÎÄ¼þ
+// injectdll64.pch ½«×÷ÎªÔ¤±àÒëÍ·
+// stdafx.obj ½«°üº¬Ô¤±àÒëÀàÐÍÐÅÏ¢
+
+#include "stdafx.h"
+
+// TODO: ÔÚ STDAFX.H ÖÐ
+// ÒýÓÃÈÎºÎËùÐèµÄ¸½¼ÓÍ·ÎÄ¼þ£¬¶ø²»ÊÇÔÚ´ËÎÄ¼þÖÐÒýÓÃ
diff --git a/arkProject/HeavenShadow/injectdll64/stdafx.h b/arkProject/HeavenShadow/injectdll64/stdafx.h
new file mode 100644
index 0000000..cc8ca39
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/stdafx.h
@@ -0,0 +1,22 @@
+// stdafx.h : ±ê×¼ÏµÍ³°üº¬ÎÄ¼þµÄ°üº¬ÎÄ¼þ£¬
+// »òÊÇ¾­³£Ê¹ÓÃµ«²»³£¸ü¸ÄµÄ
+// ÌØ¶¨ÓÚÏîÄ¿µÄ°üº¬ÎÄ¼þ
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN             //  ´Ó Windows Í·ÎÄ¼þÖÐÅÅ³ý¼«ÉÙÊ¹ÓÃµÄÐÅÏ¢
+// Windows Í·ÎÄ¼þ:
+#include <windows.h>
+
+// C ÔËÐÐÊ±Í·ÎÄ¼þ
+#include <stdlib.h>
+#include <malloc.h>
+#include <memory.h>
+#include <tchar.h>
+#include <Windows.h>
+#include <CommDlg.h>
+
+// TODO: ÔÚ´Ë´¦ÒýÓÃ³ÌÐòÐèÒªµÄÆäËûÍ·ÎÄ¼þ
diff --git a/arkProject/HeavenShadow/injectdll64/targetver.h b/arkProject/HeavenShadow/injectdll64/targetver.h
new file mode 100644
index 0000000..7a7d2c8
--- /dev/null
+++ b/arkProject/HeavenShadow/injectdll64/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// °üÀ¨ SDKDDKVer.h ½«¶¨Òå¿ÉÓÃµÄ×î¸ß°æ±¾µÄ Windows Æ½Ì¨¡£
+
+// Èç¹ûÒªÎªÒÔÇ°µÄ Windows Æ½Ì¨Éú³ÉÓ¦ÓÃ³ÌÐò£¬Çë°üÀ¨ WinSDKVer.h£¬²¢½«
+// WIN32_WINNT ºêÉèÖÃÎªÒªÖ§³ÖµÄÆ½Ì¨£¬È»ºóÔÙ°üÀ¨ SDKDDKVer.h¡£
+
+#include <SDKDDKVer.h>
diff --git a/arkProject/HeavenShadowDrv/Build/HeavenShadowDrv/DbgX64/HeavenShadowDrv.sys b/arkProject/HeavenShadowDrv/Build/HeavenShadowDrv/DbgX64/HeavenShadowDrv.sys
new file mode 100644
index 0000000..9ecc7b1
Binary files /dev/null and b/arkProject/HeavenShadowDrv/Build/HeavenShadowDrv/DbgX64/HeavenShadowDrv.sys differ
diff --git a/arkProject/HeavenShadowDrv/Build/HeavenShadowDrv/DbgX86/HeavenShadowDrv.sys b/arkProject/HeavenShadowDrv/Build/HeavenShadowDrv/DbgX86/HeavenShadowDrv.sys
new file mode 100644
index 0000000..c0ccb2c
Binary files /dev/null and b/arkProject/HeavenShadowDrv/Build/HeavenShadowDrv/DbgX86/HeavenShadowDrv.sys differ
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv.sln b/arkProject/HeavenShadowDrv/HeavenShadowDrv.sln
new file mode 100644
index 0000000..3dd365a
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv.sln
@@ -0,0 +1,26 @@
+ï»¿
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HeavenShadowDrv", "HeavenShadowDrv\HeavenShadowDrv.vcxproj", "{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Debug|Win32.ActiveCfg = Debug|Win32
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Debug|Win32.Build.0 = Debug|Win32
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Debug|x64.ActiveCfg = Debug|x64
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Debug|x64.Build.0 = Debug|x64
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Release|Win32.ActiveCfg = Release|Win32
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Release|Win32.Build.0 = Release|Win32
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Release|x64.ActiveCfg = Release|x64
+		{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv.suo b/arkProject/HeavenShadowDrv/HeavenShadowDrv.suo
new file mode 100644
index 0000000..5b9f726
Binary files /dev/null and b/arkProject/HeavenShadowDrv/HeavenShadowDrv.suo differ
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj b/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj
new file mode 100644
index 0000000..0d4415f
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj
@@ -0,0 +1,278 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{9CE3B5BD-26EB-448B-B7C2-B70BBB649328}</ProjectGuid>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup>
+    <IncludePath>$(IncludePath)</IncludePath>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+    <GenerateManifest Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</GenerateManifest>
+    <GenerateManifest Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</GenerateManifest>
+    <GenerateManifest Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</GenerateManifest>
+    <GenerateManifest Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</GenerateManifest>
+    <TargetExt Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">.sys</TargetExt>
+    <TargetExt Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">.sys</TargetExt>
+    <TargetExt Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">.sys</TargetExt>
+    <TargetExt Condition="'$(Configuration)|$(Platform)'=='Release|x64'">.sys</TargetExt>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)Build\$(ProjectName)\DbgX86\</OutDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(SolutionDir)Build\$(ProjectName)\DbgX64\</OutDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)Build\$(ProjectName)\RlsX86\</OutDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(SolutionDir)Build\$(ProjectName)\RlsX64\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)Build\$(ProjectName)\DbgX86\</IntDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(SolutionDir)Build\$(ProjectName)\DbgX64\</IntDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)Build\$(ProjectName)\RlsX86\</IntDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(SolutionDir)Build\$(ProjectName)\RlsX64\</IntDir>
+    <TargetName Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(ProjectName)</TargetName>
+    <TargetName Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(ProjectName)</TargetName>
+    <TargetName Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(ProjectName)</TargetName>
+    <TargetName Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(ProjectName)</TargetName>
+    <CustomBuildAfterTargets Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    </CustomBuildAfterTargets>
+    <CustomBuildAfterTargets Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" />
+    <CustomBuildAfterTargets Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" />
+    <CustomBuildAfterTargets Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
+    <CustomBuildBeforeTargets Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    </CustomBuildBeforeTargets>
+    <CustomBuildBeforeTargets Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" />
+    <CustomBuildBeforeTargets Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" />
+    <CustomBuildBeforeTargets Condition="'$(Configuration)|$(Platform)'=='Release|x64'" />
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>$(SolutionDir)$(ProjectName);$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc;%(AdditionalIncludeDirectori</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_CONSOLE;_X86_;_DDK_;_DEBUG;DBG=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <AdditionalLibraryDirectories>$(WLHBASE)\lib\win7\i386;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;ntstrsafe.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>$(SolutionDir)$(ProjectName);$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc;%(AdditionalIncludeDirectori</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN64;_CONSOLE;_AMD64_;_DDK_;_DEBUG;DBG=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <AdditionalLibraryDirectories>$(WLHBASE)\lib\win7\amd64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;ntstrsafe.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+    <PreBuildEvent>
+      <Command>if exist "$(SolutionDir)$(SolutionName).suo" (
+attrib -h "$(SolutionDir)$(SolutionName).suo"
+del "$(SolutionDir)$(SolutionName).suo")
+</Command>
+    </PreBuildEvent>
+    <PostBuildEvent>
+      <Command>"$(ProjectDir)Signature.bat" "$(TargetPath)"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>$(SolutionDir)$(ProjectName);$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc;%(AdditionalIncludeDirectori</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_CONSOLE;_X86_;_DDK_;_NDEBUG;DBG=0;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>$(WLHBASE)\lib\win7\i386;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;ntstrsafe.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>$(SolutionDir)$(ProjectName);$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc;%(AdditionalIncludeDirectori</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN64;_CONSOLE;_AMD64_;_DDK_;_NDEBUG;DBG=0;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>$(WLHBASE)\lib\win7\amd64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;ntstrsafe.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+    </Link>
+    <PreBuildEvent>
+      <Command>if exist "$(SolutionDir)$(SolutionName).suo" (
+attrib -h "$(SolutionDir)$(SolutionName).suo"
+del "$(SolutionDir)$(SolutionName).suo")
+</Command>
+    </PreBuildEvent>
+    <PostBuildEvent>
+      <Command>"$(ProjectDir)Signature.bat" "$(TargetPath)"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="Source\CallBack.h" />
+    <ClInclude Include="Source\common.h" />
+    <ClInclude Include="Source\DpcTimer.h" />
+    <ClInclude Include="Source\FilterDriver.h" />
+    <ClInclude Include="Source\GetFuncAddress.h" />
+    <ClInclude Include="Source\GetSSSDTFuncAddress.h" />
+    <ClInclude Include="Source\Handle.h" />
+    <ClInclude Include="Source\HeavenShadowDrv.h" />
+    <ClInclude Include="Source\IoTimer.h" />
+    <ClInclude Include="Source\Kernel.h" />
+    <ClInclude Include="Source\KrnlFile.h" />
+    <ClInclude Include="Source\Memory.h" />
+    <ClInclude Include="Source\Module.h" />
+    <ClInclude Include="Source\Privilege.h" />
+    <ClInclude Include="Source\Process.h" />
+    <ClInclude Include="Source\System.h" />
+    <ClInclude Include="Source\SysThread.h" />
+    <ClInclude Include="Source\Thread.h" />
+    <ClInclude Include="Source\Window.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source\CallBack.c" />
+    <ClCompile Include="Source\common.c" />
+    <ClCompile Include="Source\DpcTimer.c" />
+    <ClCompile Include="Source\FilterDriver.c" />
+    <ClCompile Include="Source\GetFuncAddress.c" />
+    <ClCompile Include="Source\GetSSSDTFuncAddress.c" />
+    <ClCompile Include="Source\Handle.c" />
+    <ClCompile Include="Source\HeavenShadowDrv.c" />
+    <ClCompile Include="Source\IoTimer.c" />
+    <ClCompile Include="Source\Kernel.c" />
+    <ClCompile Include="Source\KrnlFile.c" />
+    <ClCompile Include="Source\Memory.c" />
+    <ClCompile Include="Source\Module.c" />
+    <ClCompile Include="Source\Privilege.c" />
+    <ClCompile Include="Source\Process.c" />
+    <ClCompile Include="Source\System.c" />
+    <ClCompile Include="Source\SysThread.c" />
+    <ClCompile Include="Source\Thread.c" />
+    <ClCompile Include="Source\Window.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj.filters b/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj.filters
new file mode 100644
index 0000000..0dda30e
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj.filters
@@ -0,0 +1,143 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="ä¸»è¦æ–‡ä»¶">
+      <UniqueIdentifier>{bad0c572-5768-45b3-8fad-cd53d570d7fa}</UniqueIdentifier>
+      <Extensions>hpp;h</Extensions>
+    </Filter>
+    <Filter Include="æºç æ–‡ä»¶">
+      <UniqueIdentifier>{b1de6577-e8f0-441c-a634-bbdff67996a8}</UniqueIdentifier>
+      <Extensions>cpp;c;def</Extensions>
+    </Filter>
+    <Filter Include="æºç æ–‡ä»¶\è¿›ç¨‹">
+      <UniqueIdentifier>{0b59cd14-c3b3-4f18-905c-9dd96064bb7e}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="æºç æ–‡ä»¶\æ¨¡å—">
+      <UniqueIdentifier>{a354b1b6-0408-4505-a6ca-f894ee1cc5b7}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="æºç æ–‡ä»¶\å†…æ ¸">
+      <UniqueIdentifier>{cf9b4149-a063-4ef4-a736-da90f4c361d8}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="æºç æ–‡ä»¶\é’©å­">
+      <UniqueIdentifier>{9d1b22be-ff73-4cd4-a9d7-62e52ddfc61c}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Source\HeavenShadowDrv.h">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Process.h">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Thread.h">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Window.h">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Privilege.h">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Handle.h">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Memory.h">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Module.h">
+      <Filter>æºç æ–‡ä»¶\æ¨¡å—</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\CallBack.h">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\DpcTimer.h">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\FilterDriver.h">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\IoTimer.h">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\SysThread.h">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\System.h">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\GetSSSDTFuncAddress.h">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\common.h">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\GetFuncAddress.h">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\Kernel.h">
+      <Filter>æºç æ–‡ä»¶\é’©å­</Filter>
+    </ClInclude>
+    <ClInclude Include="Source\KrnlFile.h">
+      <Filter>æºç æ–‡ä»¶\é’©å­</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Source\HeavenShadowDrv.c">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Process.c">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Thread.c">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Window.c">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Privilege.c">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Handle.c">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Memory.c">
+      <Filter>æºç æ–‡ä»¶\è¿›ç¨‹</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Module.c">
+      <Filter>æºç æ–‡ä»¶\æ¨¡å—</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\CallBack.c">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\DpcTimer.c">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\FilterDriver.c">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\IoTimer.c">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\SysThread.c">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\System.c">
+      <Filter>æºç æ–‡ä»¶\å†…æ ¸</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\common.c">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\GetFuncAddress.c">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\GetSSSDTFuncAddress.c">
+      <Filter>ä¸»è¦æ–‡ä»¶</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\Kernel.c">
+      <Filter>æºç æ–‡ä»¶\é’©å­</Filter>
+    </ClCompile>
+    <ClCompile Include="Source\KrnlFile.c">
+      <Filter>æºç æ–‡ä»¶\é’©å­</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj.user b/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj.user
new file mode 100644
index 0000000..ace9a86
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/HeavenShadowDrv.vcxproj.user
@@ -0,0 +1,3 @@
+ï»¿<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Signature.bat b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Signature.bat
new file mode 100644
index 0000000..4624ac8
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Signature.bat
@@ -0,0 +1,35 @@
+rem ¸ÃÅú´¦ÀíÎª64Î»Çý¶¯Ç©Ãû
+rem @echo off
+
+set iPath=%1
+set iDate=%date:~0,10%
+
+echo ³¢ÊÔ½øÐÐÇý¶¯Ç©Ãû...
+
+if exist "C:\Windows\CSignTool.exe" goto SIGN
+
+echo Î´ÕÒµ½Ç©Ãû¹¤¾ß£¬·ÅÆúÇ©Ãû£¡
+goto END
+
+:SIGN
+echo.
+
+echo ÐÞ¸ÄÏµÍ³ÈÕÆÚÎª 2011/11/11
+date 2011/11/11
+
+CSignTool.exe sign /r iDriverSign /f %iPath% /ac
+
+echo »Ö¸´ÏµÍ³ÈÕÆÚµ½ %iDate%
+date %iDate%
+
+:END
+
+	
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/CallBack.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/CallBack.c
new file mode 100644
index 0000000..6104964
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/CallBack.c
@@ -0,0 +1,1507 @@
+#include "CallBack.h"
+
+
+
+//////////////////////////////////////////////////////////////////////////
+extern     PDEVICE_OBJECT g_DeviceObject;
+extern     PDRIVER_OBJECT g_DriverObject;
+//////////////////////////////////////////////////////////////////////////
+
+extern  PVOID        Ntoskrnl_KLDR_DATA_TABLE_ENTRY;
+extern  ULONG_PTR    SYSTEM_ADDRESS_START;
+extern  WIN_VERSION  WinVersion;
+
+pfnPsSetLoadImageNotifyRoutine PsSetLoadImageNotifyRoutineAddress = NULL;
+pfnCmUnRegisterCallback CmUnRegisterCallbackAddress = NULL;
+ULONG_PTR      PspLoadImageNotifyRoutineAddress = NULL;
+ULONG_PTR      CallBackList = 0;  
+pfnKeRegisterBugCheckReasonCallback KeRegisterBugCheckReasonCallbackAddress = NULL;
+ULONG_PTR KeBugCheckReasonCallbackListHead = NULL;
+pfnKeRegisterBugCheckCallback KeRegisterBugCheckCallbackAddress = NULL;
+ULONG_PTR KeBugCheckCallbackListHead = NULL;
+pfnIoRegisterShutdownNotification   IoRegisterShutdownNotificationAddress = NULL;
+ULONG_PTR IopNotifyShutdownQueueHead = NULL;
+pfnPsSetCreateThreadNotifyRoutine   PsSetCreateThreadNotifyRoutineAddress = NULL;
+ULONG_PTR PspCreateThreadNotifyRoutineAddress = NULL;
+
+
+NTSTATUS HsEnumCallBackList(int InputBuffer, PVOID OutputBuffer)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+
+	Status = GetAllCallbackNotify(OutputBuffer);
+
+// 	switch(InputBuffer)
+// 	{
+// 	case NotifyLoadImage:
+// 		{
+// 			Status = HsGetCallbackLoadImage(OutputBuffer);
+// 		}
+// 	case NotifyCreateProcess:
+// 		{
+// 
+// 		}
+// 	case NotifyCreateThread:
+// 		{
+// 
+// 		}
+// 	case NotifyShutdown:
+// 		{
+// 
+// 		}
+// 	default:
+// 		{
+// 			Status = STATUS_UNSUCCESSFUL;
+// 		}
+// 	}
+
+	return Status;
+}
+
+
+
+
+
+NTSTATUS GetAllCallbackNotify(PVOID OutBuffer)
+{
+	NTSTATUS Status = STATUS_SUCCESS;
+	BOOLEAN  bRet = FALSE;
+	PGET_CALLBACK GetCallback = (PGET_CALLBACK)OutBuffer;
+
+	DbgPrint("GetAllCallbackNotify\r\n");
+
+
+	bRet = GetLoadImageCallbackNotify(GetCallback);
+	bRet = GetRegisterCallbackNotify(GetCallback);
+	bRet = GetBugCheckCallbackNotify(GetCallback);
+	bRet = GetBugCheckReasonCallbackNotify(GetCallback);
+	bRet = GetShutDownCallbackNotify(GetCallback);
+	bRet = GetCreateThreadCallbackNotify(GetCallback);
+
+
+	if (GetCallback->ulRetCnt > GetCallback->ulCnt)
+	{
+		DbgPrint("STATUS_BUFFER_TOO_SMALL\r\n");
+		Status = STATUS_BUFFER_TOO_SMALL;
+	}
+
+	return Status;
+}
+
+
+
+
+NTSTATUS RemoveCallbackNotify(PVOID InBuffer)
+{	
+	NTSTATUS Status = STATUS_SUCCESS;
+	PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
+
+	ULONG_PTR CallbackAddress  = Temp->CallbackAddress;
+	CALLBACK_TYPE CallBackType = Temp->NotifyType;
+
+	if (!CallbackAddress ||
+		!MmIsAddressValid((PVOID)CallbackAddress))
+	{
+		return STATUS_UNSUCCESSFUL;
+	}
+
+	DbgPrint("CallBackType: %d\r\n",CallBackType);
+	switch(CallBackType)
+	{
+	case NotifyLoadImage:
+		{
+			DbgPrint("Remove NotifyLoadImage\r\n");
+			Status = PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)CallbackAddress);
+			break;
+		}
+	case NotifyCmCallBack:
+		{
+			LARGE_INTEGER Cookie;
+			ULONG_PTR Note = Temp->Note;
+			Cookie.QuadPart = 0;
+
+			DbgPrint("Remove NotifyCmCallBack\r\n");
+
+			if (WinVersion == WINDOWS_XP)
+			{
+				Cookie = XpGetRegisterCallbackCookie(Note);
+			}
+
+			if (WinVersion==WINDOWS_7)
+			{
+				Cookie.QuadPart = Note;
+			}
+
+			if (Cookie.LowPart == 0 && Cookie.HighPart == 0)
+			{
+				return STATUS_UNSUCCESSFUL;
+			}
+
+			Status = CmUnRegisterCallback(Cookie);
+
+			break;
+		}
+	case NotifyKeBugCheckReason:
+		{
+			PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
+
+			ULONG_PTR Note = Temp->Note;
+
+
+			if (Note!=NULL&&MmIsAddressValid((PVOID)Note))
+			{
+				KeDeregisterBugCheckReasonCallback((PKBUGCHECK_REASON_CALLBACK_RECORD)Note);
+			}
+
+			break;
+		}
+	case NotifyShutdown:
+		{
+			LARGE_INTEGER Cookie;
+
+			PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
+
+			ULONG_PTR Note = Temp->Note;
+
+
+			if (Note!=NULL&&MmIsAddressValid((PVOID)Note))
+			{
+				IoUnregisterShutdownNotification((PDEVICE_OBJECT)Note);
+			}
+
+			break;
+		}
+	case NotifyCreateThread:
+		{
+			NTSTATUS Status = STATUS_SUCCESS;
+			PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
+
+			ULONG_PTR CallbackAddress = Temp->CallbackAddress;
+
+			if (!CallbackAddress ||
+				!MmIsAddressValid((PVOID)CallbackAddress)||!PsRemoveCreateThreadNotifyRoutine)
+			{
+				return STATUS_UNSUCCESSFUL;
+			}
+
+			Status = PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)CallbackAddress);
+
+			break;
+		}
+	default:
+		{
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return Status;
+}
+
+
+BOOLEAN GetLoadImageCallbackNotify(PGET_CALLBACK GetCallback)
+{
+
+	PsSetLoadImageNotifyRoutineAddress = 
+		(pfnPsSetLoadImageNotifyRoutine)HsGetFunctionAddressByName(L"PsSetLoadImageNotifyRoutine");
+	DbgPrint("%p\r\n",PsSetLoadImageNotifyRoutineAddress);
+	PspLoadImageNotifyRoutineAddress = 
+		FindPspLoadImageNotifyRoutine((ULONG_PTR)PsSetLoadImageNotifyRoutineAddress);
+	DbgPrint("%p\r\n",PspLoadImageNotifyRoutineAddress);
+
+
+	if (!PspLoadImageNotifyRoutineAddress)
+	{
+		DbgPrint("PspLoadImageNotifyRoutineAddress NULL\r\n");
+		return FALSE;
+	}
+
+	else
+	{
+		ULONG i = 0;
+
+		switch(WinVersion)
+		{
+		case WINDOWS_7:
+			{
+				SYSTEM_ADDRESS_START = 0x80000000000;
+
+				for ( i = 0; i < 64; i++ )
+				{
+					ULONG64 NotifyItem = 0, CallBackAddress = 0;
+
+					DbgPrint("i = %d\r\n",i);
+
+					if (!MmIsAddressValid( (PVOID)(PspLoadImageNotifyRoutineAddress + i * sizeof(ULONG64))) )
+					{
+						break;
+					}
+
+					NotifyItem = *(PULONG64)(PspLoadImageNotifyRoutineAddress + i * sizeof(ULONG64));
+
+					DbgPrint("NotifyItem: %p\r\n",NotifyItem);
+
+					if (!(NotifyItem > SYSTEM_ADDRESS_START && MmIsAddressValid((PVOID)(NotifyItem & 0xfffffffffffffff8))) )
+					{
+						break;
+					}
+
+					CallBackAddress = *((PULONG64)(NotifyItem & 0xfffffffffffffff8));
+
+					DbgPrint("CallBackAddress: %p\r\n",CallBackAddress);
+
+					if (CallBackAddress && MmIsAddressValid((PVOID)CallBackAddress))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyLoadImage;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = CallBackAddress;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = NotifyItem;
+
+							DbgPrint("GetCallback->ulCnt > GetCallback->ulRetCnt\r\n");
+						}
+
+						GetCallback->ulRetCnt++;
+					}
+
+				}
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+				SYSTEM_ADDRESS_START = 0x80000000;
+				for ( i = 0; i < 64; i++ )
+				{
+					ULONG32 NotifyItem = 0, CallBackAddress = 0;
+
+					if (!MmIsAddressValid( (PVOID)(PspLoadImageNotifyRoutineAddress + i * sizeof(ULONG32))) )
+					{
+						break;
+					}
+
+					NotifyItem = *(PULONG32)(PspLoadImageNotifyRoutineAddress + i * sizeof(ULONG32));
+					if (!(NotifyItem > SYSTEM_ADDRESS_START && MmIsAddressValid((PVOID)(NotifyItem & 0xFFFFFFF8 + sizeof(ULONG32)))) )
+					{
+						break;
+					}
+
+					CallBackAddress = *(PULONG32)(NotifyItem & 0xFFFFFFF8 + sizeof(ULONG));
+
+					if (CallBackAddress && MmIsAddressValid((PVOID)CallBackAddress))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyLoadImage;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = CallBackAddress;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = NotifyItem;
+						}
+
+						GetCallback->ulRetCnt++;
+					}
+				}
+				break;
+			}
+		}
+	}
+
+	return TRUE;
+}
+
+
+BOOLEAN GetRegisterCallbackNotify(PGET_CALLBACK GetCallback)
+{
+	CmUnRegisterCallbackAddress = 
+		(pfnCmUnRegisterCallback)HsGetFunctionAddressByName(L"CmUnRegisterCallback");
+	DbgPrint("%p\r\n",CmUnRegisterCallbackAddress);
+	CallBackList = 
+		CmpCallBackVector((ULONG_PTR)CmUnRegisterCallbackAddress);
+	DbgPrint("%p\r\n",CallBackList);
+
+	//DbgPrint("%02x\r\n",*(char*)((char*)CmUnRegisterCallbackAddress+0xe));
+
+	if (!CallBackList)
+	{
+		return FALSE;
+	}
+
+	else
+	{
+
+		ULONG i = 0;
+		switch(WinVersion)
+		{
+		case WINDOWS_7:   //ÕâÊÇ¸öList
+			{
+				PCM_NOTIFY_ENTRY	Notify = NULL;
+				PLIST_ENTRY			NotifyList = (LIST_ENTRY*)(*(ULONG_PTR*)CallBackList);
+				SYSTEM_ADDRESS_START = 0x80000000000;  
+
+				do
+				{		
+					Notify = (CM_NOTIFY_ENTRY *)NotifyList;
+					if (MmIsAddressValid(Notify))
+					{
+						if (MmIsAddressValid((PVOID)(Notify->Function)) && Notify->Function > SYSTEM_ADDRESS_START)
+						{
+							if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+							{
+								GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyCmCallBack;
+								GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = Notify->Function;
+								GetCallback->Callbacks[GetCallback->ulRetCnt].Note = Notify->Cookie.QuadPart;
+							}
+
+							GetCallback->ulRetCnt++;
+						}
+					}
+					NotifyList = NotifyList->Flink;
+				}while ( NotifyList != ((LIST_ENTRY*)(*(ULONG_PTR*)CallBackList)) );
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+
+				SYSTEM_ADDRESS_START = 0x80000000;
+				for ( i = 0; i < 64; i++ )
+				{
+					ULONG32 NotifyItem = 0, CallBackAddress = 0;
+					ULONG   Temp = 0;
+
+					if (!MmIsAddressValid( (PVOID)(CallBackList + i * sizeof(ULONG32))) )
+					{
+						break;
+					}
+
+
+					NotifyItem = *(PULONG32)(CallBackList + i * sizeof(ULONG32));
+					if (!(NotifyItem > SYSTEM_ADDRESS_START && MmIsAddressValid((PVOID)(NotifyItem & 0xFFFFFFF8 + sizeof(ULONG32)))) )
+					{
+						break;
+					}
+
+					CallBackAddress = *(PULONG32)(NotifyItem & 0xFFFFFFF8 + sizeof(ULONG));
+					if (CallBackAddress && MmIsAddressValid((PVOID)CallBackAddress))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyCmCallBack;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = CallBackAddress;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = NotifyItem;
+
+						}
+
+						GetCallback->ulRetCnt++;
+					}
+				}
+				break;
+			}
+		}
+
+	}
+
+}
+
+
+BOOLEAN GetBugCheckReasonCallbackNotify(PGET_CALLBACK GetCallback)
+{
+
+	KeRegisterBugCheckReasonCallbackAddress = 
+		(pfnKeRegisterBugCheckReasonCallback)HsGetFunctionAddressByName(L"KeRegisterBugCheckReasonCallback");
+	DbgPrint("%p\r\n",KeRegisterBugCheckReasonCallbackAddress);
+	KeBugCheckReasonCallbackListHead = 
+		FindKeBugCheckReasonCallbackListHeadNotifyRoutine((ULONG_PTR)KeRegisterBugCheckReasonCallbackAddress);
+	DbgPrint("%p\r\n",KeBugCheckReasonCallbackListHead);
+
+
+	if (!KeBugCheckReasonCallbackListHead)
+	{
+		return FALSE;
+	}
+
+	else
+	{
+
+		PLIST_ENTRY Entry = NULL;
+		ULONG_PTR   Dispatch = 0;
+
+		switch(WinVersion)
+		{
+		case WINDOWS_7:
+			{
+				Entry = ((PLIST_ENTRY)KeBugCheckReasonCallbackListHead)->Flink;
+				do
+				{
+					Dispatch = *(ULONG64*)((ULONG64)Entry+sizeof(LIST_ENTRY));
+					if(Dispatch&&MmIsAddressValid((PVOID)Dispatch))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyKeBugCheckReason;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = Dispatch;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = (PVOID)Entry;
+						}
+
+						GetCallback->ulRetCnt++;
+
+					}
+					Entry = Entry->Flink;
+
+				}
+				while(Entry != (PLIST_ENTRY)KeBugCheckReasonCallbackListHead);
+
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+				//ÔÚWrkÖÐËÑË÷ _KBUGCHECK_CALLBACK_RECORD ½á¹¹
+				Entry = ((PLIST_ENTRY)KeBugCheckReasonCallbackListHead)->Flink;
+				do
+				{
+					Dispatch = *(ULONG32*)((ULONG32)Entry+sizeof(LIST_ENTRY));
+					if(Dispatch&&MmIsAddressValid((PVOID)Dispatch))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyKeBugCheckReason;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = Dispatch;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = (PVOID)Entry;;
+						}
+
+						GetCallback->ulRetCnt++;
+
+					}
+					Entry = Entry->Flink;
+
+				}
+				while(Entry != (PLIST_ENTRY)KeBugCheckReasonCallbackListHead);
+				break;
+			}
+		}
+
+	}
+
+}
+
+
+BOOLEAN GetBugCheckCallbackNotify(PGET_CALLBACK GetCallback)
+{
+
+	KeRegisterBugCheckCallbackAddress = 
+		(pfnKeRegisterBugCheckCallback)HsGetFunctionAddressByName(L"KeRegisterBugCheckCallback");
+	DbgPrint("%p\r\n",KeRegisterBugCheckCallbackAddress);
+	KeBugCheckCallbackListHead = 
+		FindKeBugCheckReasonCallbackListHeadNotifyRoutine((ULONG_PTR)KeRegisterBugCheckCallbackAddress);
+	DbgPrint("%p\r\n",KeBugCheckCallbackListHead);
+
+
+	if (!KeBugCheckCallbackListHead)
+	{
+		return FALSE;
+	}
+
+	else
+	{
+
+		PLIST_ENTRY Entry = NULL;
+		ULONG_PTR   Dispatch = 0;
+
+		switch(WinVersion)
+		{
+		case WINDOWS_7:
+			{
+				Entry = ((PLIST_ENTRY)KeBugCheckCallbackListHead)->Flink;
+				do
+				{
+					Dispatch = *(ULONG64*)((ULONG64)Entry+sizeof(LIST_ENTRY));
+					if(Dispatch&&MmIsAddressValid((PVOID)Dispatch))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyKeBugCheck;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = Dispatch;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = (PVOID)Entry;
+						}
+
+						GetCallback->ulRetCnt++;
+
+					}
+					Entry = Entry->Flink;
+
+				}
+				while(Entry != (PLIST_ENTRY)KeBugCheckCallbackListHead);
+
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+				//ÔÚWrkÖÐËÑË÷ _KBUGCHECK_CALLBACK_RECORD ½á¹¹
+				Entry = ((PLIST_ENTRY)KeBugCheckCallbackListHead)->Flink;
+				do
+				{
+					Dispatch = *(ULONG32*)((ULONG32)Entry+sizeof(LIST_ENTRY));
+					if(Dispatch&&MmIsAddressValid((PVOID)Dispatch))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyKeBugCheck;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = Dispatch;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = (PVOID)Entry;;
+						}
+
+						GetCallback->ulRetCnt++;
+
+					}
+					Entry = Entry->Flink;
+
+				}
+				while(Entry != (PLIST_ENTRY)KeBugCheckCallbackListHead);
+				break;
+			}
+		}
+
+	}
+
+}
+
+
+BOOLEAN GetShutDownCallbackNotify(PGET_CALLBACK GetCallback)
+{
+
+	IoRegisterShutdownNotificationAddress = 
+		(pfnIoRegisterShutdownNotification)HsGetFunctionAddressByName(L"IoRegisterShutdownNotification");
+	DbgPrint("%p\r\n",IoRegisterShutdownNotificationAddress);
+	IopNotifyShutdownQueueHead = 
+		FindIopNotifyShutdownQueueHeadNotifyRoutine((ULONG_PTR)IoRegisterShutdownNotificationAddress);
+	DbgPrint("%p\r\n",IopNotifyShutdownQueueHead);
+
+
+	if (!IopNotifyShutdownQueueHead)
+	{
+		return FALSE;
+	}
+	else
+	{
+		ULONG i = 0;
+
+		switch(WinVersion)
+		{
+		case WINDOWS_7:
+			{
+
+				SYSTEM_ADDRESS_START = 0x80000000000;
+
+				if (IopNotifyShutdownQueueHead && MmIsAddressValid((PVOID)IopNotifyShutdownQueueHead))
+				{
+					PLIST_ENTRY Entry = ((PLIST_ENTRY)IopNotifyShutdownQueueHead)->Flink;
+					while (MmIsAddressValid(Entry) && Entry != (PLIST_ENTRY)IopNotifyShutdownQueueHead)
+					{
+						ULONG64 ValidAddress = (ULONG64)Entry + sizeof(LIST_ENTRY);
+
+						if (ValidAddress && 
+							MmIsAddressValid((PVOID)ValidAddress))
+						{
+							ULONG64 DeviceObject = *(PULONG64)ValidAddress;
+
+							if (DeviceObject && 
+								MmIsAddressValid((PVOID)DeviceObject))
+							{
+								if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+								{
+									GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyShutdown;
+									GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = GetShutdownDispatch((PDEVICE_OBJECT)DeviceObject);
+									GetCallback->Callbacks[GetCallback->ulRetCnt].Note = DeviceObject;
+								}
+
+								GetCallback->ulRetCnt++;
+							}
+						}
+
+						Entry = Entry->Flink;
+					}
+				}
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+
+				SYSTEM_ADDRESS_START = 0x80000000;
+				if (IopNotifyShutdownQueueHead && MmIsAddressValid((PVOID)IopNotifyShutdownQueueHead))
+				{
+					PLIST_ENTRY Entry = ((PLIST_ENTRY)IopNotifyShutdownQueueHead)->Flink;
+					while (MmIsAddressValid(Entry) && Entry != (PLIST_ENTRY)IopNotifyShutdownQueueHead)
+					{
+						ULONG ValidAddress = (ULONG)Entry + sizeof(LIST_ENTRY);
+
+						if (ValidAddress && 
+							MmIsAddressValid((PVOID)ValidAddress))
+						{
+							ULONG DeviceObject = *(PULONG)ValidAddress;
+
+							if (DeviceObject && 
+								MmIsAddressValid((PVOID)DeviceObject))
+							{
+								if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+								{
+									GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyShutdown;
+									GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = GetShutdownDispatch((PDEVICE_OBJECT)DeviceObject);
+									GetCallback->Callbacks[GetCallback->ulRetCnt].Note = DeviceObject;
+								}
+
+								GetCallback->ulRetCnt++;
+							}
+						}
+
+						Entry = Entry->Flink;
+					}
+				}
+				break;
+			}
+		}
+
+	}
+
+}
+
+
+BOOLEAN GetCreateThreadCallbackNotify(PGET_CALLBACK GetCallback)
+{
+	PsSetCreateThreadNotifyRoutineAddress = 
+		(pfnPsSetCreateThreadNotifyRoutine)HsGetFunctionAddressByName(L"PsSetCreateThreadNotifyRoutine");
+	DbgPrint("%p\r\n",PsSetCreateThreadNotifyRoutineAddress);
+	PspCreateThreadNotifyRoutineAddress = 
+		FindPspCreateThreadNotifyRoutine((ULONG_PTR)PsSetCreateThreadNotifyRoutineAddress);
+	DbgPrint("%p\r\n",PspCreateThreadNotifyRoutineAddress);
+
+
+	if (!PspCreateThreadNotifyRoutineAddress)
+	{
+		return FALSE;
+	}
+
+	else
+	{
+
+		ULONG i = 0;
+
+
+		switch(WinVersion)
+		{
+		case WINDOWS_7:
+			{
+
+				SYSTEM_ADDRESS_START = 0x80000000000;
+
+				for ( i = 0; i < 64; i++ )
+				{
+					ULONG64 NotifyItem = 0, CallBackAddress = 0;
+
+					if (!MmIsAddressValid( (PVOID)(PspCreateThreadNotifyRoutineAddress + i * sizeof(ULONG64))) )
+					{
+						break;
+					}
+
+					NotifyItem = *(PULONG64)(PspCreateThreadNotifyRoutineAddress + i * sizeof(ULONG64));
+
+					if (!(NotifyItem > SYSTEM_ADDRESS_START && MmIsAddressValid((PVOID)(NotifyItem & 0xfffffffffffffff8))) )
+					{
+						break;
+					}
+
+					CallBackAddress = *((PULONG64)(NotifyItem & 0xfffffffffffffff8));
+
+					if (CallBackAddress && MmIsAddressValid((PVOID)CallBackAddress))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyCreateThread;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = CallBackAddress;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = NotifyItem;
+						}
+
+						GetCallback->ulRetCnt++;
+					}
+
+
+
+				}
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+
+				SYSTEM_ADDRESS_START = 0x80000000;
+				for ( i = 0; i < 64; i++ )
+				{
+					ULONG32 NotifyItem = 0, CallBackAddress = 0;
+
+					if (!MmIsAddressValid( (PVOID)(PspCreateThreadNotifyRoutineAddress + i * sizeof(ULONG32))) )
+					{
+						break;
+					}
+
+					NotifyItem = *(PULONG32)(PspCreateThreadNotifyRoutineAddress + i * sizeof(ULONG32));
+					if (!(NotifyItem > SYSTEM_ADDRESS_START && MmIsAddressValid((PVOID)(NotifyItem & 0xFFFFFFF8 + sizeof(ULONG32)))) )
+					{
+						break;
+					}
+
+					CallBackAddress = *(PULONG32)(NotifyItem & 0xFFFFFFF8 + sizeof(ULONG));
+
+					if (CallBackAddress && MmIsAddressValid((PVOID)CallBackAddress))
+					{
+						if (GetCallback->ulCnt > GetCallback->ulRetCnt)
+						{
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Type = NotifyCreateThread;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].CallbackAddress = CallBackAddress;
+							GetCallback->Callbacks[GetCallback->ulRetCnt].Note = NotifyItem;
+						}
+
+						GetCallback->ulRetCnt++;
+					}
+				}
+				break;
+			}
+		}
+
+	}
+
+}
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+ULONG_PTR CmpCallBackVector(ULONG_PTR Address)
+{
+	ULONG_PTR i = 0;
+
+	/*
+	XP:
+	kd> u CmUnRegisterCallback l 20
+	nt!CmUnRegisterCallback:
+	8061ce6f 8bff            mov     edi,edi
+	8061ce71 55              push    ebp
+	8061ce72 8bec            mov     ebp,esp
+	8061ce74 51              push    ecx
+	8061ce75 8365fc00        and     dword ptr [ebp-4],0
+	8061ce79 53              push    ebx
+	8061ce7a 56              push    esi
+	8061ce7b 57              push    edi
+	8061ce7c bba0135680      mov     ebx,offset nt!CmpCallBackVector (805613a0)
+	8061ce81 53              push    ebx
+
+	kd> u 805613a0
+	nt!CmpCallBackVector:
+	805613a0 0000            add     byte ptr [eax],al
+	805613a2 0000            add     byte ptr [eax],al
+	805613a4 0000            add     byte ptr [eax],al
+	805613a6 0000            add     byte ptr [eax],al
+	805613a8 0000            add     byte ptr [eax],al
+	805613aa 0000            add     byte ptr [eax],al
+	805613ac 0000            add     byte ptr [eax],al
+	805613ae 0000            add     byte ptr [eax],al
+
+
+	Win7
+
+	kd> u CmUnRegisterCallback l 50
+	nt!CmUnRegisterCallback:
+	fffff800`0430f790 48894c2408      mov     qword ptr [rsp+8],rcx
+	fffff800`0430f795 53              push    rbx
+	fffff800`0430f796 56              push    rsi
+	fffff800`0430f797 57              push    rdi
+	fffff800`0430f798 4154            push    r12
+	fffff800`0430f79a 4155            push    r13
+	fffff800`0430f79c 4156            push    r14
+	fffff800`0430f79e 4157            push    r15
+	fffff800`0430f7a0 4883ec60        sub     rsp,60h
+	fffff800`0430f7a4 41bc0d0000c0    mov     r12d,0C000000Dh
+	fffff800`0430f7aa 4489a424b0000000 mov     dword ptr [rsp+0B0h],r12d
+	fffff800`0430f7b2 33db            xor     ebx,ebx
+	fffff800`0430f7b4 48895c2448      mov     qword ptr [rsp+48h],rbx
+	fffff800`0430f7b9 33c0            xor     eax,eax
+	fffff800`0430f7bb 4889442450      mov     qword ptr [rsp+50h],rax
+	fffff800`0430f7c0 4889442458      mov     qword ptr [rsp+58h],rax
+	fffff800`0430f7c5 448d6b01        lea     r13d,[rbx+1]
+	fffff800`0430f7c9 458afd          mov     r15b,r13b
+	fffff800`0430f7cc 4488ac24a8000000 mov     byte ptr [rsp+0A8h],r13b
+	fffff800`0430f7d4 440f20c7        mov     rdi,cr8
+	fffff800`0430f7d8 450f22c5        mov     cr8,r13
+	fffff800`0430f7dc f00fba351b6adcff00 lock btr dword ptr [nt!CallbackUnregisterLock (fffff800`040d6200)],0
+	fffff800`0430f7e5 720c            jb      nt!CmUnRegisterCallback+0x63 (fffff800`0430f7f3)
+	fffff800`0430f7e7 488d0d126adcff  lea     rcx,[nt!CallbackUnregisterLock (fffff800`040d6200)]
+	fffff800`0430f7ee e85db7b9ff      call    nt!KiAcquireFastMutex (fffff800`03eaaf50)
+	fffff800`0430f7f3 65488b042588010000 mov   rax,qword ptr gs:[188h]
+	fffff800`0430f7fc 488905056adcff  mov     qword ptr [nt!CallbackUnregisterLock+0x8 (fffff800`040d6208)],rax
+	fffff800`0430f803 400fb6c7        movzx   eax,dil
+	fffff800`0430f807 8905236adcff    mov     dword ptr [nt!CallbackUnregisterLock+0x30 (fffff800`040d6230)],eax
+	fffff800`0430f80d 48c78424b80000009cffffff mov qword ptr [rsp+0B8h],0FFFFFFFFFFFFFF9Ch
+	fffff800`0430f819 48895c2420      mov     qword ptr [rsp+20h],rbx
+	fffff800`0430f81e 65488b042588010000 mov   rax,qword ptr gs:[188h]
+	fffff800`0430f827 4183ceff        or      r14d,0FFFFFFFFh
+	fffff800`0430f82b 664401b0c4010000 add     word ptr [rax+1C4h],r14w
+	fffff800`0430f833 f0480fba2dab69dcff00 lock bts qword ptr [nt!CallbackListLock (fffff800`040d61e8)],0
+	fffff800`0430f83d 730c            jae     nt!CmUnRegisterCallback+0xbb (fffff800`0430f84b)
+	fffff800`0430f83f 488d0da269dcff  lea     rcx,[nt!CallbackListLock (fffff800`040d61e8)]
+	fffff800`0430f846 e875aabbff      call    nt!ExfAcquirePushLockExclusive (fffff800`03eca2c0)
+	fffff800`0430f84b 418af5          mov     sil,r13b
+	fffff800`0430f84e 4c8b9424a0000000 mov     r10,qword ptr [rsp+0A0h]
+	fffff800`0430f856 4533c0          xor     r8d,r8d
+	fffff800`0430f859 488d542420      lea     rdx,[rsp+20h]
+	fffff800`0430f85e 488d0d6b69dcff  lea     rcx,[nt!CallbackListHead (fffff800`040d61d0)]      //×¢ÒâÕâÀïµÄµØÖ·   ÔÚWin7 ÖÐÕâÀïÊÇ¸öÁ´±í
+
+	kd> u fffff800`040d61d0
+	nt!CallbackListHead:
+	fffff800`040d61d0 d0610d          shl     byte ptr [rcx+0Dh],1
+	fffff800`040d61d3 0400            add     al,0
+	fffff800`040d61d5 f8              clc
+	fffff800`040d61d6 ff              ???
+	fffff800`040d61d7 ffd0            call    rax
+	fffff800`040d61d9 61              ???
+	fffff800`040d61da 0d0400f8ff      or      eax,0FFF80004h
+	fffff800`040d61df ff00            inc     dword ptr [rax]
+
+
+
+
+	*/
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8d && *(PUCHAR)(i+2)==0x0d )
+				{
+					ULONG_PTR j = 0;
+					j = i-5;
+					if (*(PUCHAR)j==0x48 && *(PUCHAR)(j+1)==0x8d && *(PUCHAR)(j+2)==0x54)
+					{
+						LONG OffsetAddr = 0;
+						
+						memcpy(&OffsetAddr,(PVOID)(i+3),4);
+
+						return OffsetAddr+7+i;
+					}
+				}
+					
+			}
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0xbb && *(PUCHAR)(i-1)==0x57)	
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+1),4);
+					return OffsetAddr;
+				}
+			}
+			break;
+		}
+	}
+
+	
+
+	return 0;
+}
+
+
+LARGE_INTEGER XpGetRegisterCallbackCookie(ULONG Address)
+{
+
+	LARGE_INTEGER Cookie;
+	ULONG Temp = 0;
+	ULONG Item = 0;
+
+	Cookie.QuadPart = 0;
+
+	if (Address && MmIsAddressValid((PVOID)Address))
+	{
+		Item = Address & 0xFFFFFFF8;
+
+
+		if (MmIsAddressValid((PVOID)Item) &&
+			MmIsAddressValid((PVOID)(Item + 8)))
+		{
+			Temp = *(PULONG)(Item + 8);
+
+
+			if (MmIsAddressValid((PVOID)Temp))
+			{
+				Cookie.LowPart = *(PULONG)Temp;
+				Cookie.HighPart = *(PULONG)(Temp + sizeof(ULONG));
+			}
+		}
+	}
+
+	return Cookie;
+}
+
+
+ULONG_PTR FindPspLoadImageNotifyRoutine(ULONG_PTR Address)
+{
+	ULONG_PTR i = 0;
+
+	/*
+	XP:
+	kd> u PsSetLoadImageNotifyRoutine l 20
+	nt!PsSetLoadImageNotifyRoutine:
+	805d0f90 8bff            mov     edi,edi
+	805d0f92 55              push    ebp
+	805d0f93 8bec            mov     ebp,esp
+	805d0f95 53              push    ebx
+	805d0f96 57              push    edi
+	805d0f97 33ff            xor     edi,edi
+	805d0f99 57              push    edi
+	805d0f9a ff7508          push    dword ptr [ebp+8]
+	805d0f9d e8faca0300      call    nt!ExAllocateCallBack (8060da9c)
+	805d0fa2 8bd8            mov     ebx,eax
+	805d0fa4 3bdf            cmp     ebx,edi
+	805d0fa6 7507            jne     nt!PsSetLoadImageNotifyRoutine+0x1f (805d0faf)
+	805d0fa8 b89a0000c0      mov     eax,0C000009Ah
+	805d0fad eb2a            jmp     nt!PsSetLoadImageNotifyRoutine+0x49 (805d0fd9)
+	805d0faf 56              push    esi
+	805d0fb0 bee0495680      mov     esi,offset nt!PspLoadImageNotifyRoutine (805649e0)
+	805d0fb5 6a00            push    0
+	805d0fb7 53              push    ebx
+	805d0fb8 56              push    esi
+	805d0fb9 e80ecb0300      call    nt!ExCompareExchangeCallBack (8060dacc)
+	805d0fbe 84c0            test    al,al
+	805d0fc0 751d            jne     nt!PsSetLoadImageNotifyRoutine+0x4f (805d0fdf)
+	805d0fc2 83c704          add     edi,4
+	805d0fc5 83c604          add     esi,4
+	805d0fc8 83ff20          cmp     edi,20h
+	805d0fcb 72e8            jb      nt!PsSetLoadImageNotifyRoutine+0x25 (805d0fb5)
+	805d0fcd 53              push    ebx
+	805d0fce e83f1a0000      call    nt!RtlpFreeAtom (805d2a12)
+	805d0fd3 b89a0000c0      mov     eax,0C000009Ah
+	805d0fd8 5e              pop     esi
+	805d0fd9 5f              pop     edi
+	805d0fda 5b              pop     ebx
+	kd> u 805649e0
+	nt!PspLoadImageNotifyRoutine:
+	805649e0 0000            add     byte ptr [eax],al
+	805649e2 0000            add     byte ptr [eax],al
+	805649e4 0000            add     byte ptr [eax],al
+	805649e6 0000            add     byte ptr [eax],al
+	805649e8 0000            add     byte ptr [eax],al
+	805649ea 0000            add     byte ptr [eax],al
+	805649ec 0000            add     byte ptr [eax],al
+	805649ee 0000            add     byte ptr [eax],al
+
+	Win7
+
+	kd> u PsSetLoadImageNotifyRoutine l 20
+	nt!PsSetLoadImageNotifyRoutine:
+	fffff800`0429db60 48895c2408      mov     qword ptr [rsp+8],rbx
+	fffff800`0429db65 57              push    rdi
+	fffff800`0429db66 4883ec20        sub     rsp,20h
+	fffff800`0429db6a 33d2            xor     edx,edx
+	fffff800`0429db6c e8efaffeff      call    nt!ExAllocateCallBack (fffff800`04288b60)
+	fffff800`0429db71 488bf8          mov     rdi,rax
+	fffff800`0429db74 4885c0          test    rax,rax
+	fffff800`0429db77 7507            jne     nt!PsSetLoadImageNotifyRoutine+0x20 (fffff800`0429db80)
+	fffff800`0429db79 b89a0000c0      mov     eax,0C000009Ah
+	fffff800`0429db7e eb4a            jmp     nt!PsSetLoadImageNotifyRoutine+0x6a (fffff800`0429dbca)
+	fffff800`0429db80 33db            xor     ebx,ebx
+	fffff800`0429db82 488d0d7799d9ff  lea     rcx,[nt!PspLoadImageNotifyRoutine (fffff800`04037500)]
+
+
+	kd> u fffff800`04037500
+	nt!PspLoadImageNotifyRoutine:
+	fffff800`04037500 ff6014          jmp     qword ptr [rax+14h]
+	fffff800`04037503 00a0f8ffff00    add     byte ptr [rax+0FFFFF8h],ah
+	fffff800`04037509 0000            add     byte ptr [rax],al
+	fffff800`0403750b 0000            add     byte ptr [rax],al
+	fffff800`0403750d 0000            add     byte ptr [rax],al
+	fffff800`0403750f 0000            add     byte ptr [rax],al
+	fffff800`04037511 0000            add     byte ptr [rax],al
+	fffff800`04037513 0000            add     byte ptr [rax],al
+
+
+
+	*/
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8d && *(PUCHAR)(i+2)==0x0d)	//lea rcx,xxxx
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+3),4);
+					return OffsetAddr+7+i;
+				}
+			}
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+// 			UCHAR TempChar = *(UCHAR*)((UCHAR*)IoRegisterShutdownNotificationAddress+0xe);
+// 
+// 			DbgPrint("%x\r\n",TempChar);
+
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0x56 && *(PUCHAR)(i+1)==0xbe)	//lea rcx,xxxx
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+2),4);
+					return OffsetAddr;
+				}
+			}
+			break;
+		}
+	}
+
+	
+
+	return 0;
+}
+
+
+ULONG_PTR FindKeBugCheckReasonCallbackListHeadNotifyRoutine(ULONG_PTR Address)
+{
+	ULONG_PTR i = 0;
+
+	/*
+	XP:
+	kd> u KeRegisterBugCheckReasonCallback l 20
+	nt!KeRegisterBugCheckReasonCallback:
+	8050f0c1 8bff            mov     edi,edi
+	8050f0c3 55              push    ebp
+	8050f0c4 8bec            mov     ebp,esp
+	8050f0c6 51              push    ecx
+	8050f0c7 53              push    ebx
+	8050f0c8 57              push    edi
+	8050f0c9 b11f            mov     cl,1Fh
+	8050f0cb ff152c904d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d902c)]
+	8050f0d1 bf6c355680      mov     edi,offset nt!KeBugCheckCallbackLock (8056356c)
+	8050f0d6 8bcf            mov     ecx,edi
+	8050f0d8 8845ff          mov     byte ptr [ebp-1],al
+	8050f0db e86843fdff      call    nt!KiAcquireSpinLock (804e3448)
+	8050f0e0 8b4508          mov     eax,dword ptr [ebp+8]
+	8050f0e3 32db            xor     bl,bl
+	8050f0e5 385818          cmp     byte ptr [eax+18h],bl
+	8050f0e8 7538            jne     nt!KeRegisterBugCheckReasonCallback+0x61 (8050f122)
+	8050f0ea 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
+	8050f0ed 8b5510          mov     edx,dword ptr [ebp+10h]
+	8050f0f0 894808          mov     dword ptr [eax+8],ecx
+	8050f0f3 56              push    esi
+	8050f0f4 8b7514          mov     esi,dword ptr [ebp+14h]
+	8050f0f7 03ca            add     ecx,edx
+	8050f0f9 03ce            add     ecx,esi
+	8050f0fb 89700c          mov     dword ptr [eax+0Ch],esi
+	8050f0fe 895014          mov     dword ptr [eax+14h],edx
+	8050f101 894810          mov     dword ptr [eax+10h],ecx
+	8050f104 c6401801        mov     byte ptr [eax+18h],1
+	8050f108 8b0d70355680    mov     ecx,dword ptr [nt!KeBugCheckReasonCallbackListHead (80563570)]
+
+
+
+	kd> u 80563570
+	nt!KeBugCheckReasonCallbackListHead:
+	80563570 809afdba602bbb  sbb     byte ptr [edx+2B60BAFDh],0BBh
+	80563577 ba38ca6589      mov     edx,8965CA38h
+	8056357c c02071          shl     byte ptr [eax],71h
+	8056357f 800000          add     byte ptr [eax],0
+	80563582 0000            add     byte ptr [eax],al
+	80563584 0000            add     byte ptr [eax],al
+	80563586 0000            add     byte ptr [eax],al
+
+
+	Win7
+
+	kd> u KeRegisterBugCheckReasonCallback l 50
+	nt!KeRegisterBugCheckReasonCallback:
+	fffff800`03f3d390 48895c2418      mov     qword ptr [rsp+18h],rbx
+	fffff800`03f3d395 4c894c2420      mov     qword ptr [rsp+20h],r9
+	fffff800`03f3d39a 4889542410      mov     qword ptr [rsp+10h],rdx
+	fffff800`03f3d39f 55              push    rbp
+	fffff800`03f3d3a0 56              push    rsi
+	fffff800`03f3d3a1 57              push    rdi
+	fffff800`03f3d3a2 4154            push    r12
+	fffff800`03f3d3a4 4155            push    r13
+	fffff800`03f3d3a6 4156            push    r14
+	fffff800`03f3d3a8 4157            push    r15
+	fffff800`03f3d3aa 4883ec30        sub     rsp,30h
+	fffff800`03f3d3ae bf01000000      mov     edi,1
+	fffff800`03f3d3b3 4963e8          movsxd  rbp,r8d
+	fffff800`03f3d3b6 488bd9          mov     rbx,rcx
+	fffff800`03f3d3b9 448aef          mov     r13b,dil
+	fffff800`03f3d3bc 440f20c0        mov     rax,cr8
+	fffff800`03f3d3c0 4889442470      mov     qword ptr [rsp+70h],rax
+	fffff800`03f3d3c5 8d470e          lea     eax,[rdi+0Eh]
+	fffff800`03f3d3c8 440f22c0        mov     cr8,rax
+	fffff800`03f3d3cc 65488b342520000000 mov   rsi,qword ptr gs:[20h]
+	fffff800`03f3d3d5 4533c9          xor     r9d,r9d
+	fffff800`03f3d3d8 0fba25a4120e0010 bt      dword ptr [nt!PerfGlobalGroupMask+0x4 (fffff800`0401e684)],10h
+	fffff800`03f3d3e0 7318            jae     nt!KeRegisterBugCheckReasonCallback+0x6a (fffff800`03f3d3fa)
+	fffff800`03f3d3e2 448ae7          mov     r12b,dil
+	fffff800`03f3d3e5 0f31            rdtsc
+	fffff800`03f3d3e7 448bbe00470000  mov     r15d,dword ptr [rsi+4700h]
+	fffff800`03f3d3ee 48c1e220        shl     rdx,20h
+	fffff800`03f3d3f2 480bc2          or      rax,rdx
+	fffff800`03f3d3f5 4c8bf0          mov     r14,rax
+	fffff800`03f3d3f8 eb0d            jmp     nt!KeRegisterBugCheckReasonCallback+0x77 (fffff800`03f3d407)
+	fffff800`03f3d3fa 4c8b742470      mov     r14,qword ptr [rsp+70h]
+	fffff800`03f3d3ff 448b7c2470      mov     r15d,dword ptr [rsp+70h]
+	fffff800`03f3d404 4532e4          xor     r12b,r12b
+	fffff800`03f3d407 01be004b0000    add     dword ptr [rsi+4B00h],edi
+	fffff800`03f3d40d f0480fba2d3927150000 lock bts qword ptr [nt!KeBugCheckCallbackLock (fffff800`0408fb50)],0
+	fffff800`03f3d417 731d            jae     nt!KeRegisterBugCheckReasonCallback+0xa6 (fffff800`03f3d436)
+	fffff800`03f3d419 488d0d30271500  lea     rcx,[nt!KeBugCheckCallbackLock (fffff800`0408fb50)]
+	fffff800`03f3d420 e8ab1ef4ff      call    nt!KxWaitForSpinLockAndAcquire (fffff800`03e7f2d0)
+	fffff800`03f3d425 01be044b0000    add     dword ptr [rsi+4B04h],edi
+	fffff800`03f3d42b 0186084b0000    add     dword ptr [rsi+4B08h],eax
+	fffff800`03f3d431 448bc8          mov     r9d,eax
+	fffff800`03f3d434 eb03            jmp     nt!KeRegisterBugCheckReasonCallback+0xa9 (fffff800`03f3d439)
+	fffff800`03f3d436 0faee8          lfence
+	fffff800`03f3d439 4584e4          test    r12b,r12b
+	fffff800`03f3d43c 7428            je      nt!KeRegisterBugCheckReasonCallback+0xd6 (fffff800`03f3d466)
+	fffff800`03f3d43e 0f31            rdtsc
+	fffff800`03f3d440 48c1e220        shl     rdx,20h
+	fffff800`03f3d444 488d0d05271500  lea     rcx,[nt!KeBugCheckCallbackLock (fffff800`0408fb50)]
+	fffff800`03f3d44b c644242800      mov     byte ptr [rsp+28h],0
+	fffff800`03f3d450 480bc2          or      rax,rdx
+	fffff800`03f3d453 44897c2420      mov     dword ptr [rsp+20h],r15d
+	fffff800`03f3d458 448bc0          mov     r8d,eax
+	fffff800`03f3d45b 488bd0          mov     rdx,rax
+	fffff800`03f3d45e 452bc6          sub     r8d,r14d
+	fffff800`03f3d461 e86a66feff      call    nt!PerfLogSpinLockAcquire (fffff800`03f23ad0)
+	fffff800`03f3d466 807b2c00        cmp     byte ptr [rbx+2Ch],0
+	fffff800`03f3d46a 7570            jne     nt!KeRegisterBugCheckReasonCallback+0x14c (fffff800`03f3d4dc)
+	fffff800`03f3d46c 488b542478      mov     rdx,qword ptr [rsp+78h]
+	fffff800`03f3d471 488b8c2488000000 mov     rcx,qword ptr [rsp+88h]
+	fffff800`03f3d479 896b28          mov     dword ptr [rbx+28h],ebp
+	fffff800`03f3d47c 488d042a        lea     rax,[rdx+rbp]
+	fffff800`03f3d480 48895310        mov     qword ptr [rbx+10h],rdx
+	fffff800`03f3d484 48894b18        mov     qword ptr [rbx+18h],rcx
+	fffff800`03f3d488 4803c1          add     rax,rcx
+	fffff800`03f3d48b 40887b2c        mov     byte ptr [rbx+2Ch],dil
+	fffff800`03f3d48f 48894320        mov     qword ptr [rbx+20h],rax
+	fffff800`03f3d493 83fd04          cmp     ebp,4
+	fffff800`03f3d496 7422            je      nt!KeRegisterBugCheckReasonCallback+0x12a (fffff800`03f3d4ba)
+	fffff800`03f3d498 488b05d1261500  mov     rax,qword ptr [nt!KeBugCheckReasonCallbackListHead (fffff800`0408fb70)]
+	fffff800`03f3d49f 488d0dca261500  lea     rcx,[nt!KeBugCheckReasonCallbackListHead (fffff800`0408fb70)]
+
+	kd> u fffff800`0408fb70
+	nt!KeBugCheckReasonCallbackListHead:
+	fffff800`0408fb70 58              pop     rax
+	fffff800`0408fb71 52              push    rdx
+	fffff800`0408fb72 de18            ficomp  word ptr [rax]
+	fffff800`0408fb74 80faff          cmp     dl,0FFh
+	fffff800`0408fb77 ffe0            jmp     rax
+	fffff800`0408fb79 011d0180f8ff    add     dword ptr [nt!KeNodeBlock+0x180 (fffff800`04017b80)],ebx
+	fffff800`0408fb7f ffa0ce651980    jmp     qword ptr [rax-7FE69A32h]
+	fffff800`0408fb85 fa              cli
+
+	*/
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			for(i=Address;i<Address+0xFFF;i++)
+			{
+				if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8b && *(PUCHAR)(i+2)==0x05)	
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+3),4);
+					return OffsetAddr+7+i;
+				}
+			}
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0x8b && *(PUCHAR)(i+1)==0x0d)	
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+2),4);
+					return OffsetAddr;
+				}
+			}
+			break;
+		}
+	}
+
+	
+
+	return 0;
+}
+
+
+ULONG_PTR FindIopNotifyShutdownQueueHeadNotifyRoutine(ULONG_PTR Address)
+{
+	ULONG_PTR i = 0;
+
+	/*
+	XP:
+	kd> u IoRegisterShutdownNotification l 20
+	nt!IoRegisterShutdownNotification:
+	805b6b58 8bff            mov     edi,edi
+	805b6b5a 55              push    ebp
+	805b6b5b 8bec            mov     ebp,esp
+	805b6b5d 57              push    edi
+	805b6b5e 68496f5368      push    68536F49h
+	805b6b63 6a0c            push    0Ch
+	805b6b65 6a00            push    0
+	805b6b67 e899b4f9ff      call    nt!ExAllocatePoolWithTag (80552005)
+	805b6b6c 8bf8            mov     edi,eax
+	805b6b6e 85ff            test    edi,edi
+	805b6b70 0f84748d0300    je      nt!IoRegisterShutdownNotification+0x1a (805ef8ea)
+	805b6b76 56              push    esi
+	805b6b77 8b7508          mov     esi,dword ptr [ebp+8]
+	805b6b7a 8bce            mov     ecx,esi
+	805b6b7c 897708          mov     dword ptr [edi+8],esi
+	805b6b7f e8df44f2ff      call    nt!ObfReferenceObject (804db063)
+	805b6b84 8bd7            mov     edx,edi
+	805b6b86 b9601e5680      mov     ecx,offset nt!IopNotifyShutdownQueueHead (80561e60)
+	805b6b8b e83c5ff5ff      call    nt!IopInterlockedInsertHeadList (8050cacc)
+
+
+	kd> u IoRegisterShutdownNotification l 20
+	nt!IoRegisterShutdownNotification:
+	8056ab64 8bff            mov     edi,edi
+	8056ab66 55              push    ebp
+	8056ab67 8bec            mov     ebp,esp
+	8056ab69 57              push    edi
+	8056ab6a 68496f5368      push    68536F49h
+	8056ab6f 6a0c            push    0Ch
+	8056ab71 6a00            push    0
+	8056ab73 e808b3fdff      call    nt!ExAllocatePoolWithTag (80545e80)
+	8056ab78 8bf8            mov     edi,eax
+	8056ab7a 85ff            test    edi,edi
+	8056ab7c 7507            jne     nt!IoRegisterShutdownNotification+0x21 (8056ab85)
+	8056ab7e b89a0000c0      mov     eax,0C000009Ah
+	8056ab83 eb21            jmp     nt!IoRegisterShutdownNotification+0x42 (8056aba6)
+	8056ab85 56              push    esi
+	8056ab86 8b7508          mov     esi,dword ptr [ebp+8]
+	8056ab89 8bce            mov     ecx,esi
+	8056ab8b 897708          mov     dword ptr [edi+8],esi
+	8056ab8e e8bd8dfbff      call    nt!ObfReferenceObject (80523950)
+	8056ab93 8bd7            mov     edx,edi
+	8056ab95 b9e0285580      mov     ecx,offset nt!IopNotifyShutdownQueueHead (805528e0)
+	8056ab9a e8d59bf8ff      call    nt!IopInterlockedInsertHeadList (804f4774)
+
+
+	kd> dd 80561e60
+	80561e60  89616ba8 897d8150 80561e68 80561e68
+	80561e70  80561e70 80561e70 897d223c 897d223c
+	80561e80  8958052c 8973b7b4 897041fc 897d35d4
+	80561e90  895844d4 8981a5d4 00000000 00000000
+	80561ea0  80561ba0 80561ee0 89806340 00000000
+	80561eb0  00000000 00000000 00000000 00000000
+	80561ec0  00000000 00000000 00000000 00000000
+	80561ed0  00000000 00000000 00000000 00000000
+
+
+	Win7
+
+	kd> u IoRegisterShutdownNotification l 20
+	nt!IoRegisterShutdownNotification:
+	fffff800`0428bf20 48895c2408      mov     qword ptr [rsp+8],rbx
+	fffff800`0428bf25 57              push    rdi
+	fffff800`0428bf26 4883ec20        sub     rsp,20h
+	fffff800`0428bf2a 488bd9          mov     rbx,rcx
+	fffff800`0428bf2d ba18000000      mov     edx,18h
+	fffff800`0428bf32 41b8496f5368    mov     r8d,68536F49h
+	fffff800`0428bf38 33c9            xor     ecx,ecx
+	fffff800`0428bf3a e8a111d3ff      call    nt!ExAllocatePoolWithTag (fffff800`03fbd0e0)
+	fffff800`0428bf3f 488bf8          mov     rdi,rax
+	fffff800`0428bf42 4885c0          test    rax,rax
+	fffff800`0428bf45 7507            jne     nt!IoRegisterShutdownNotification+0x2e (fffff800`0428bf4e)
+	fffff800`0428bf47 b89a0000c0      mov     eax,0C000009Ah
+	fffff800`0428bf4c eb22            jmp     nt!IoRegisterShutdownNotification+0x50 (fffff800`0428bf70)
+	fffff800`0428bf4e 488bcb          mov     rcx,rbx
+	fffff800`0428bf51 48895810        mov     qword ptr [rax+10h],rbx
+	fffff800`0428bf55 e8962fc1ff      call    nt!ObfReferenceObject (fffff800`03e9eef0)
+	fffff800`0428bf5a 488d0d8f32e0ff  lea     rcx,[nt!IopNotifyShutdownQueueHead (fffff800`0408f1f0)]
+	fffff800`0428bf61 488bd7          mov     rdx,rdi
+
+	kd> dq fffff800`0408f1f0
+	fffff800`0408f1f0  fffffa80`197d9170 fffffa80`18e1b280
+	fffff800`0408f200  fffff800`0408f200 fffff800`0408f200
+	fffff800`0408f210  fffff800`0408f210 fffff800`0408f210
+	fffff800`0408f220  fffffa80`18d46e90 fffffa80`18d46e90
+	fffff800`0408f230  fffffa80`191f0680 fffffa80`191f0680
+	fffff800`0408f240  fffffa80`191067d0 fffffa80`18d460b0
+	fffff800`0408f250  fffffa80`191077d0 fffffa80`18d452a0
+	fffff800`0408f260  fffff800`0408ecc0 fffff800`0408f360
+
+	*/
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8d && *(PUCHAR)(i+2)==0x0d)
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+3),4);
+					return OffsetAddr+7+i;
+				}
+			}
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0xb9 && *(PUCHAR)(i-1)==0xd7)
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+1),4);
+					return OffsetAddr;
+				}
+			}
+			break;
+		}
+	}
+
+	return 0;
+}
+
+
+ULONG_PTR FindPspCreateThreadNotifyRoutine(ULONG_PTR Address)
+{
+	ULONG_PTR i = 0;
+
+	/*
+	XP:
+	kd> u PsSetCreateThreadNotifyRoutine l 20
+	nt!PsSetCreateThreadNotifyRoutine:
+	8063622d 8bff            mov     edi,edi
+	8063622f 55              push    ebp
+	80636230 8bec            mov     ebp,esp
+	80636232 53              push    ebx
+	80636233 57              push    edi
+	80636234 33ff            xor     edi,edi
+	80636236 57              push    edi
+	80636237 ff7508          push    dword ptr [ebp+8]
+	8063623a e829760100      call    nt!ExAllocateCallBack (8064d868)
+	8063623f 8bd8            mov     ebx,eax
+	80636241 3bdf            cmp     ebx,edi
+	80636243 7507            jne     nt!PsSetCreateThreadNotifyRoutine+0x1f (8063624c)
+	80636245 b89a0000c0      mov     eax,0C000009Ah
+	8063624a eb2a            jmp     nt!PsSetCreateThreadNotifyRoutine+0x49 (80636276)
+	8063624c 56              push    esi
+	8063624d bea0a75680      mov     esi,offset nt!PspCreateThreadNotifyRoutine (8056a7a0)
+
+	kd> u 8056a7a0
+	nt!PspCreateThreadNotifyRoutine:
+	8056a7a0 0000            add     byte ptr [eax],al
+	8056a7a2 0000            add     byte ptr [eax],al
+	8056a7a4 0000            add     byte ptr [eax],al
+	8056a7a6 0000            add     byte ptr [eax],al
+	8056a7a8 0000            add     byte ptr [eax],al
+	8056a7aa 0000            add     byte ptr [eax],al
+	8056a7ac 0000            add     byte ptr [eax],al
+	8056a7ae 0000            add     byte ptr [eax],al
+
+
+	Win7
+
+	kd>  u PsSetCreateThreadNotifyRoutine l 20
+	nt!PsSetCreateThreadNotifyRoutine:
+	fffff800`042ddbe0 48895c2408      mov     qword ptr [rsp+8],rbx
+	fffff800`042ddbe5 57              push    rdi
+	fffff800`042ddbe6 4883ec20        sub     rsp,20h
+	fffff800`042ddbea 33d2            xor     edx,edx
+	fffff800`042ddbec e86faffeff      call    nt!ExAllocateCallBack (fffff800`042c8b60)
+	fffff800`042ddbf1 488bf8          mov     rdi,rax
+	fffff800`042ddbf4 4885c0          test    rax,rax
+	fffff800`042ddbf7 7507            jne     nt!PsSetCreateThreadNotifyRoutine+0x20 (fffff800`042ddc00)
+	fffff800`042ddbf9 b89a0000c0      mov     eax,0C000009Ah
+	fffff800`042ddbfe eb4a            jmp     nt!PsSetCreateThreadNotifyRoutine+0x6a (fffff800`042ddc4a)
+	fffff800`042ddc00 33db            xor     ebx,ebx
+	fffff800`042ddc02 488d0d5799d9ff  lea     rcx,[nt!PspCreateThreadNotifyRoutine (fffff800`04077560)]
+	fffff800`042ddc09 4533c0          xor     r8d,r8d
+
+	kd> u fffff800`04077560
+	nt!PspCreateThreadNotifyRoutine:
+	fffff800`04077560 0000            add     byte ptr [rax],al
+	fffff800`04077562 0000            add     byte ptr [rax],al
+	fffff800`04077564 0000            add     byte ptr [rax],al
+	fffff800`04077566 0000            add     byte ptr [rax],al
+	fffff800`04077568 0000            add     byte ptr [rax],al
+	fffff800`0407756a 0000            add     byte ptr [rax],al
+	fffff800`0407756c 0000            add     byte ptr [rax],al
+	fffff800`0407756e 0000            add     byte ptr [rax],al
+
+
+
+
+	*/
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8d && *(PUCHAR)(i+2)==0x0d)	
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+3),4);
+					return OffsetAddr+7+i;
+				}
+			}
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			for(i=Address;i<Address+0xFF;i++)
+			{
+				if(*(PUCHAR)i==0xbe && *(PUCHAR)(i+1)==0xa0)	
+				{
+					LONG OffsetAddr = 0;
+					memcpy(&OffsetAddr,(PUCHAR)(i+1),4);
+					return OffsetAddr;
+				}
+			}
+			break;
+		}
+	}
+
+	
+
+	return 0;
+}
+
+
+ULONG_PTR GetShutdownDispatch(PDEVICE_OBJECT DeviceObject)
+{
+	PDRIVER_OBJECT DriverObject = NULL;
+	ULONG_PTR ShutdownDispatch = 0;
+
+
+	if (DeviceObject && MmIsAddressValid((PVOID)DeviceObject))
+	{
+		DriverObject = DeviceObject->DriverObject;
+		if (DriverObject && MmIsAddressValid((PVOID)DriverObject))
+		{
+			ShutdownDispatch = (ULONG_PTR)DriverObject->MajorFunction[IRP_MJ_SHUTDOWN];
+		}
+	}
+
+	return ShutdownDispatch;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/CallBack.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/CallBack.h
new file mode 100644
index 0000000..023e631
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/CallBack.h
@@ -0,0 +1,134 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+
+typedef enum _CALLBACK_TYPE_
+{
+	NotifyCreateProcess,
+	NotifyCreateThread,
+	NotifyLoadImage,
+	NotifyShutdown,
+	NotifyCmCallBack,
+	NotifyKeBugCheckReason,
+	NotifyKeBugCheck
+}CALLBACK_TYPE;
+
+typedef struct _REMOVE_CALLBACK
+{
+	CALLBACK_TYPE NotifyType;
+	ULONG_PTR     CallbackAddress;
+	ULONG_PTR     Note;
+}REMOVE_CALLBACK,*PREMOVE_CALLBACK;
+
+typedef struct _CM_NOTIFY_ENTRY
+{
+	LIST_ENTRY		ListEntryHead;
+	ULONG			UnKnown1;
+	ULONG			UnKnown2;
+	LARGE_INTEGER	Cookie;
+	ULONG64			Context; 
+	ULONG64			Function;
+}CM_NOTIFY_ENTRY, *PCM_NOTIFY_ENTRY;
+
+typedef struct _CALLBACK_INFO_
+{
+	CALLBACK_TYPE Type;
+	ULONG_PTR     CallbackAddress;
+	ULONG_PTR     Note;
+}CALLBACK_INFO, *PCALLBACK_INFO;
+
+typedef struct _GET_CALLBACK_
+{
+	ULONG_PTR ulCnt;
+	ULONG_PTR ulRetCnt;
+	CALLBACK_INFO Callbacks[1];
+}GET_CALLBACK, *PGET_CALLBACK;
+
+
+typedef
+	NTSTATUS (*pfnPsSetLoadImageNotifyRoutine)(PVOID NotifyRoutine);
+
+typedef
+	NTSTATUS (*pfnCmUnRegisterCallback)(LARGE_INTEGER  Cookie);
+
+typedef
+	NTKERNELAPI
+	BOOLEAN
+	(*pfnKeRegisterBugCheckReasonCallback)(
+	PKBUGCHECK_REASON_CALLBACK_RECORD CallbackRecord,
+	PKBUGCHECK_REASON_CALLBACK_ROUTINE CallbackRoutine,
+	KBUGCHECK_CALLBACK_REASON Reason,
+	PUCHAR Component);
+
+typedef
+	NTKERNELAPI
+	NTSTATUS
+	(*pfnKeRegisterBugCheckCallback)(
+	PKBUGCHECK_CALLBACK_RECORD CallbackRecord,
+	PKBUGCHECK_CALLBACK_ROUTINE CallbackRoutine,
+	PVOID Buffer,
+	ULONG Length,
+	PUCHAR Component
+	);
+
+typedef
+	NTKERNELAPI
+	NTSTATUS
+	(*pfnIoRegisterShutdownNotification)(
+	IN PDEVICE_OBJECT DeviceObject);
+
+typedef
+	NTKERNELAPI
+	NTSTATUS
+	(*pfnPsSetCreateThreadNotifyRoutine)(
+	PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+NTSTATUS HsEnumCallBackList(int InputBuffer, PVOID OutputBuffer);
+
+ULONG_PTR FindPspLoadImageNotifyRoutine(ULONG_PTR Address);
+
+ULONG_PTR FindKeBugCheckReasonCallbackListHeadNotifyRoutine(ULONG_PTR Address);
+
+ULONG_PTR FindIopNotifyShutdownQueueHeadNotifyRoutine(ULONG_PTR Address);
+
+ULONG_PTR FindPspCreateThreadNotifyRoutine(ULONG_PTR Address);
+
+BOOLEAN GetLoadImageCallbackNotify(PGET_CALLBACK GetCallback);
+
+BOOLEAN GetRegisterCallbackNotify(PGET_CALLBACK GetCallback);
+
+BOOLEAN GetBugCheckReasonCallbackNotify(PGET_CALLBACK GetCallback);
+
+BOOLEAN GetBugCheckCallbackNotify(PGET_CALLBACK GetCallback);
+
+BOOLEAN GetShutDownCallbackNotify(PGET_CALLBACK GetCallback);
+
+BOOLEAN GetCreateThreadCallbackNotify(PGET_CALLBACK GetCallback);
+
+ULONG_PTR CmpCallBackVector(ULONG_PTR Address);
+
+NTSTATUS GetAllCallbackNotify(PVOID OutBuffer);
+
+NTSTATUS RemoveCallbackNotify(PVOID InBuffer);
+
+LARGE_INTEGER XpGetRegisterCallbackCookie(ULONG Address);
+
+ULONG_PTR GetShutdownDispatch(PDEVICE_OBJECT DeviceObject);
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/DpcTimer.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/DpcTimer.c
new file mode 100644
index 0000000..dcc9a28
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/DpcTimer.c
@@ -0,0 +1,400 @@
+#include "DpcTimer.h"
+#include "Module.h"
+
+extern ULONG_PTR		SYSTEM_ADDRESS_START;
+extern PDRIVER_OBJECT	g_DriverObject;
+extern WIN_VERSION		WinVersion;
+
+
+
+NTSTATUS HsEnumDPCTimer(PVOID OutBuffer)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PDPC_TIMER_INFOR DpcTimerInfor = (PDPC_TIMER_INFOR)OutBuffer;
+
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			ULONG KiTimerTableListHead = 0;
+
+			KiTimerTableListHead = GetKiTimerTableListHeadXP();
+
+			GetDpcTimerInformationWinXP((PLIST_ENTRY)KiTimerTableListHead,DpcTimerInfor);
+			break;
+		}
+
+	case WINDOWS_7:
+		{
+			GetDpcTimerInformationWin7(DpcTimerInfor);
+			break;
+		}
+	}
+
+
+	if (DpcTimerInfor->ulCnt >= DpcTimerInfor->ulRetCnt)
+	{
+		Status = STATUS_SUCCESS;
+	}
+
+	return Status;
+}
+
+
+
+ULONG GetKiTimerTableListHeadXP()
+{
+	ULONG KiTimerTableListHead = 0;
+	ULONG KeUpdateSystemTime = 0;
+	UCHAR Temp = 0;
+
+	KeUpdateSystemTime = (ULONG)HsGetFunctionAddressByName(L"KeUpdateSystemTime");
+
+	DbgPrint("KeUpdateSystemTime: 0X%08x\n", KeUpdateSystemTime);
+
+	if (KeUpdateSystemTime)
+	{
+		ULONG Start = KeUpdateSystemTime;
+		ULONG End = KeUpdateSystemTime + PAGE_SIZE;
+
+		for (;Start<End; Start++)
+		{
+			/*
+
+			kd> u KeUpdateSystemTime l 50
+			nt!KeUpdateSystemTime:
+			804e35d8 b90000dfff      mov     ecx,0FFDF0000h
+			804e35dd 8b7908          mov     edi,dword ptr [ecx+8]
+			804e35e0 8b710c          mov     esi,dword ptr [ecx+0Ch]
+			804e35e3 03f8            add     edi,eax
+			804e35e5 83d600          adc     esi,0
+			804e35e8 897110          mov     dword ptr [ecx+10h],esi
+			804e35eb 897908          mov     dword ptr [ecx+8],edi
+			804e35ee 89710c          mov     dword ptr [ecx+0Ch],esi
+			804e35f1 290514b05580    sub     dword ptr [nt!KiTickOffset (8055b014)],eax
+			804e35f7 a100b05580      mov     eax,dword ptr [nt!KeTickCount (8055b000)]
+			804e35fc 8bd8            mov     ebx,eax
+			804e35fe 0f8f84000000    jg      nt!KeUpdateSystemTime+0xb0 (804e3688)
+			804e3604 bb0000dfff      mov     ebx,0FFDF0000h
+			804e3609 8b4b14          mov     ecx,dword ptr [ebx+14h]
+			804e360c 8b5318          mov     edx,dword ptr [ebx+18h]
+			804e360f 030d10b05580    add     ecx,dword ptr [nt!KeTimeAdjustment (8055b010)]
+			804e3615 83d200          adc     edx,0
+			804e3618 89531c          mov     dword ptr [ebx+1Ch],edx
+			804e361b 894b14          mov     dword ptr [ebx+14h],ecx
+			804e361e 895318          mov     dword ptr [ebx+18h],edx
+			804e3621 8bd8            mov     ebx,eax
+			804e3623 8bc8            mov     ecx,eax
+			804e3625 8b1504b05580    mov     edx,dword ptr [nt!KeTickCount+0x4 (8055b004)]
+			804e362b 83c101          add     ecx,1
+			804e362e 83d200          adc     edx,0
+			804e3631 891508b05580    mov     dword ptr [nt!KeTickCount+0x8 (8055b008)],edx
+			804e3637 890d00b05580    mov     dword ptr [nt!KeTickCount (8055b000)],ecx
+			804e363d 891504b05580    mov     dword ptr [nt!KeTickCount+0x4 (8055b004)],edx
+			804e3643 50              push    eax
+			804e3644 a10000dfff      mov     eax,dword ptr ds:[FFDF0000h]
+			804e3649 83c001          add     eax,1
+			804e364c 7306            jae     nt!KeUpdateSystemTime+0x7c (804e3654)
+			804e364e ff059c005680    inc     dword ptr [nt!ExpTickCountAdjustmentCount (8056009c)]
+			804e3654 a198005680      mov     eax,dword ptr [nt!ExpTickCountAdjustment (80560098)]
+			804e3659 0faf059c005680  imul    eax,dword ptr [nt!ExpTickCountAdjustmentCount (8056009c)]
+			804e3660 03c1            add     eax,ecx
+			804e3662 a30000dfff      mov     dword ptr ds:[FFDF0000h],eax
+			804e3667 58              pop     eax
+			804e3668 25ff000000      and     eax,0FFh
+			804e366d 8d0cc5a0355680  lea     ecx,nt!KiTimerTableListHead (805635a0)[eax*8]
+
+			*/
+
+			Temp = *(PCHAR)Start;
+			if (Temp == 0x8d)
+			{
+				KiTimerTableListHead = *(PULONG)(Start + 3);
+				if (KiTimerTableListHead && MmIsAddressValid((PVOID)KiTimerTableListHead))
+				{
+					break;
+				}
+			}
+		}
+	}
+
+	return KiTimerTableListHead;
+}
+
+
+
+NTSTATUS GetDpcTimerInformationWinXP(PLIST_ENTRY KiTimerTableListHead, PDPC_TIMER_INFOR DpcTimerInfor)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	ULONG TIMER_TABLE_SIZE = 0x100;     //²é¿´Wrk´úÂëÊÇ0x200 µ« Ð´³É0x200 »áÀ¶ÆÁ
+
+
+
+	if (KiTimerTableListHead &&
+		DpcTimerInfor &&
+		TIMER_TABLE_SIZE && 
+		MmIsAddressValid((PVOID)KiTimerTableListHead))
+	{
+		ULONG i = 0, n = 0;
+		KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
+
+		for (i = 0; i < TIMER_TABLE_SIZE; i++)
+		{
+			PLIST_ENTRY NextEntry = (&KiTimerTableListHead[i])->Flink;
+
+			while (MmIsAddressValid(NextEntry) && &KiTimerTableListHead[i] != NextEntry)
+			{
+				PKTIMER Timer = CONTAINING_RECORD(NextEntry, KTIMER, TimerListEntry);
+
+				if (Timer && 
+					MmIsAddressValid(Timer) &&
+					MmIsAddressValid(Timer->Dpc) &&
+					MmIsAddressValid(Timer->Dpc->DeferredRoutine))
+				{
+					if (DpcTimerInfor->ulCnt > DpcTimerInfor->ulRetCnt)
+					{
+						PKDPC Dpc = Timer->Dpc;
+						PVOID TimerDispatch = Dpc->DeferredRoutine;
+
+
+						DpcTimerInfor->DpcTimer[n].Dpc = (ULONG)Dpc;
+						DpcTimerInfor->DpcTimer[n].Period = Timer->Period;
+						DpcTimerInfor->DpcTimer[n].TimeDispatch = (ULONG)TimerDispatch;
+						DpcTimerInfor->DpcTimer[n].TimerObject = (ULONG)Timer;
+
+						n++;
+					}
+
+					DpcTimerInfor->ulRetCnt++;
+				}
+
+				NextEntry = NextEntry->Flink;
+			}
+		}
+
+		KeLowerIrql(OldIrql);
+	}
+
+	return Status;
+}
+
+
+
+NTSTATUS GetDpcTimerInformationWin7(PDPC_TIMER_INFOR DpcTimerInfor)
+{
+	ULONG CPUNumber = KeNumberProcessors;   //ÏµÍ³±äÁ¿
+	PUCHAR CurrentKPRCBAddress = NULL;             //CPU¿ØÖÆ¿é
+	PUCHAR CurrentTimerTableEntry = NULL;
+	PLIST_ENTRY CurrentEntry = NULL;
+	PLIST_ENTRY NextEntry = NULL;
+	PULONG64    KiWaitAlways = NULL;
+	PULONG64    KiWaitNever  = NULL;
+	int i = 0;
+	int j = 0;
+	int n = 0;
+	PKTIMER Timer;
+	for(j=0; j<CPUNumber; j++)
+	{
+		KeSetSystemAffinityThread(j+1);   //Ê¹µ±Ç°Ïß³ÌÔËÐÐÔÚµÚÒ»¸ö´¦ÀíÆ÷ÉÏ£¬ÒòÎªÖ»ÓÐµÚÒ»¸ö´¦ÀíÆ÷µÄÖµ²ÅÓÐÐ§
+		CurrentKPRCBAddress=(PUCHAR)__readmsr(0xC0000101) + 0x20;
+		KeRevertToUserAffinityThread();   ////»Ö¸´Ïß³ÌÔËÐÐµÄ´¦ÀíÆ÷
+	
+		CurrentTimerTableEntry=(PUCHAR)(*(ULONG64*)CurrentKPRCBAddress + 0x2200 + 0x200);
+		/*
+		kd> dt _Kprcb
+		nt!_KPRCB
+		+0x000 MxCsr            : Uint4B
+		+0x004 LegacyNumber     : UChar
+		+0x005 ReservedMustBeZero : UChar
+		+0x006 InterruptRequest : UChar
+		+0x21ec UnusedPad        : Uint4B
+		+0x21f0 PrcbPad50        : [2] Uint8B
+		+0x2200 TimerTable       : _KTIMER_TABLE
+
+
+		kd> dt _KTIMER_TABLE
+		nt!_KTIMER_TABLE
+		+0x000 TimerExpiry      : [64] Ptr64 _KTIMER
+		+0x200 TimerEntries     : [256] _KTIMER_TABLE_ENTRY
+
+
+		kd> dt _KTIMER_TABLE_ENTRY
+		nt!_KTIMER_TABLE_ENTRY
+		+0x000 Lock             : Uint8B
+		+0x008 Entry            : _LIST_ENTRY
+		+0x018 Time             : _ULARGE_INTEGER
+		*/
+
+	
+		FindKiWaitFunc(&KiWaitNever,&KiWaitAlways);
+		for(i=0; i<0x100; i++)
+		{
+			typedef struct _KTIMER_TABLE_ENTRY
+			{
+				ULONG64			Lock;
+				LIST_ENTRY		Entry;
+				ULARGE_INTEGER	Time;
+			} KTIMER_TABLE_ENTRY, *PKTIMER_TABLE_ENTRY;
+			CurrentEntry = (PLIST_ENTRY)(CurrentTimerTableEntry + sizeof(KTIMER_TABLE_ENTRY) * i + 8);  //ÕâÀïÊÇ¸öÊý×é  + 8 ¹ýLock
+			NextEntry = CurrentEntry->Blink;
+			if( MmIsAddressValid(CurrentEntry) && MmIsAddressValid(CurrentEntry) )
+			{
+				while( NextEntry != CurrentEntry )
+				{
+					PKDPC RealDpc;
+
+					//»ñµÃÊ×µØÖ·
+					Timer = CONTAINING_RECORD(NextEntry,KTIMER,TimerListEntry);
+					/*
+					kd> dt _KTIMER
+					nt!_KTIMER
+					+0x000 Header           : _DISPATCHER_HEADER
+					+0x018 DueTime          : _ULARGE_INTEGER
+					+0x020 TimerListEntry   : _LIST_ENTRY
+					+0x030 Dpc              : Ptr64 _KDPC
+					+0x038 Processor        : Uint4B
+					+0x03c Period           : Uint4B
+					*/
+					RealDpc=TransTimerDpcEx(Timer,*KiWaitNever,*KiWaitAlways);
+					if( MmIsAddressValid(Timer)&&MmIsAddressValid(RealDpc)&&MmIsAddressValid(RealDpc->DeferredRoutine))
+					{
+				
+						if (DpcTimerInfor->ulCnt > DpcTimerInfor->ulRetCnt)
+						{
+							DpcTimerInfor->DpcTimer[n].Dpc = (ULONG64)RealDpc;
+							DpcTimerInfor->DpcTimer[n].Period = Timer->Period;
+							DpcTimerInfor->DpcTimer[n].TimeDispatch = (ULONG64)RealDpc->DeferredRoutine;
+							DpcTimerInfor->DpcTimer[n].TimerObject = (ULONG64)Timer;
+
+							n++;
+						}
+					
+						DpcTimerInfor->ulRetCnt++;
+					
+					}
+					NextEntry = NextEntry->Blink;
+				}
+			}
+		}
+	}
+}
+
+
+
+VOID FindKiWaitFunc(PULONG64 *KiWaitNeverAddr, PULONG64 *KiWaitAlwaysAddr)
+{
+	/*
+	kd> u kesettimer l 50
+	nt!KeSetTimer:
+	fffff800`03ef10a8 4883ec38        sub     rsp,38h
+	fffff800`03ef10ac 4c89442420      mov     qword ptr [rsp+20h],r8
+	fffff800`03ef10b1 4533c9          xor     r9d,r9d
+	fffff800`03ef10b4 4533c0          xor     r8d,r8d
+	fffff800`03ef10b7 e814000000      call    nt!KiSetTimerEx (fffff800`03ef10d0)
+	fffff800`03ef10bc 4883c438        add     rsp,38h
+	fffff800`03ef10c0 c3              ret
+	fffff800`03ef10c1 90              nop
+	fffff800`03ef10c2 90              nop
+	fffff800`03ef10c3 90              nop
+	fffff800`03ef10c4 90              nop
+	fffff800`03ef10c5 90              nop
+	fffff800`03ef10c6 90              nop
+	fffff800`03ef10c7 90              nop
+	nt!KxWaitForLockChainValid:
+	fffff800`03ef10c8 90              nop
+	fffff800`03ef10c9 90              nop
+	fffff800`03ef10ca 90              nop
+	fffff800`03ef10cb 90              nop
+	fffff800`03ef10cc 90              nop
+	fffff800`03ef10cd 90              nop
+	fffff800`03ef10ce 90              nop
+	fffff800`03ef10cf 90              nop
+	nt!KiSetTimerEx:
+	fffff800`03ef10d0 48895c2408      mov     qword ptr [rsp+8],rbx
+	fffff800`03ef10d5 4889542410      mov     qword ptr [rsp+10h],rdx
+	fffff800`03ef10da 55              push    rbp
+	fffff800`03ef10db 56              push    rsi
+	fffff800`03ef10dc 57              push    rdi
+	fffff800`03ef10dd 4154            push    r12
+	fffff800`03ef10df 4155            push    r13
+	fffff800`03ef10e1 4156            push    r14
+	fffff800`03ef10e3 4157            push    r15
+	fffff800`03ef10e5 4883ec50        sub     rsp,50h
+	fffff800`03ef10e9 488b0518502200  mov     rax,qword ptr [nt!KiWaitNever (fffff800`04116108)]
+	fffff800`03ef10f0 488b1de9502200  mov     rbx,qword ptr [nt!KiWaitAlways (fffff800`041161e0)]
+    */
+	long Temp;
+	PUCHAR StartAddress,i;
+	UNICODE_STRING  uniFuncName;
+	WCHAR wzFunName[] = L"KeSetTimer";
+	RtlInitUnicodeString(&uniFuncName,wzFunName);
+	StartAddress = (PUCHAR)MmGetSystemRoutineAddress(&uniFuncName);
+	for(i=StartAddress; i<StartAddress+0xFF; i++)
+	{
+		if(*i==0x48 && *(i+1)==0x8B && *(i+2)==0x05)
+		{
+			memcpy(&Temp,i+3,4);
+			*KiWaitNeverAddr=(PULONG64)((ULONGLONG)Temp + (ULONGLONG)i + 7);
+			i=i+7;
+			memcpy(&Temp,i+3,4);
+			*KiWaitAlwaysAddr=(PULONG64)((ULONGLONG)Temp + (ULONGLONG)i + 7);
+			return;
+		}
+	}
+}
+
+
+
+
+KDPC* TransTimerDpcEx(
+	IN PKTIMER InTimer,
+	IN ULONGLONG InKiWaitNever,
+	IN ULONGLONG InKiWaitAlways)
+{
+	ULONGLONG			RDX = (ULONGLONG)InTimer->Dpc;
+	RDX ^= InKiWaitNever;
+	RDX = _rotl64(RDX, (UCHAR)(InKiWaitNever & 0xFF));
+	RDX ^= (ULONGLONG)InTimer;
+	RDX = _byteswap_uint64(RDX);
+	RDX ^= InKiWaitAlways;
+	return (KDPC*)RDX;
+}
+
+
+
+
+
+
+NTSTATUS RemoveDPCTimer(PVOID InBuffer)
+{
+	PREMOVE_DPCTIMER Temp = (PREMOVE_DPCTIMER)InBuffer;
+
+	ULONG_PTR TimerObject = Temp->TimerObject;
+
+
+	if (TimerObject&&MmIsAddressValid((PVOID)TimerObject))
+	{
+
+		if (KeCancelTimer((PKTIMER)TimerObject))
+		{
+			return STATUS_SUCCESS;
+		}
+	}
+
+	return STATUS_UNSUCCESSFUL;
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/DpcTimer.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/DpcTimer.h
new file mode 100644
index 0000000..0417d55
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/DpcTimer.h
@@ -0,0 +1,75 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+
+
+
+typedef struct _REMOVE_DPCTIMER
+{
+	ULONG_PTR     TimerObject;
+}REMOVE_DPCTIMER,*PREMOVE_DPCTIMER;
+
+
+
+
+typedef struct _DPC_TIMER_
+{
+	ULONG_PTR TimerObject;
+	ULONG_PTR Period;			// ÖÜÆÚ
+	ULONG_PTR TimeDispatch;
+	ULONG_PTR Dpc;
+}DPC_TIMER, *PDPC_TIMER;
+
+
+typedef struct _DPC_TIMER_INFOR_
+{
+	ULONG ulCnt;
+	ULONG ulRetCnt;
+	DPC_TIMER DpcTimer[1];
+}DPC_TIMER_INFOR, *PDPC_TIMER_INFOR;
+
+
+
+
+NTSTATUS HsEnumDPCTimer(PVOID OutBuffer);
+
+ULONG GetKiTimerTableListHeadXP();
+
+NTSTATUS GetDpcTimerInformationWinXP(PLIST_ENTRY KiTimerTableListHead, PDPC_TIMER_INFOR DpcTimerInfor);
+
+NTSTATUS GetDpcTimerInformationWin7(PDPC_TIMER_INFOR DpcTimerInfor);
+
+VOID FindKiWaitFunc(PULONG64 *KiWaitNeverAddr, PULONG64 *KiWaitAlwaysAddr);
+
+KDPC* TransTimerDpcEx(
+	IN PKTIMER InTimer,
+	IN ULONGLONG InKiWaitNever,
+	IN ULONGLONG InKiWaitAlways);
+
+NTSTATUS RemoveDPCTimer(PVOID InBuffer);
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/FilterDriver.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/FilterDriver.c
new file mode 100644
index 0000000..b3ce99c
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/FilterDriver.c
@@ -0,0 +1,267 @@
+#include "FilterDriver.h"
+#include "Module.h"
+
+extern ULONG_PTR		SYSTEM_ADDRESS_START;
+extern PDRIVER_OBJECT	g_DriverObject;
+extern WIN_VERSION		WinVersion;
+
+ULONG_PTR ulVolumeStartCount = 0;
+ULONG_PTR ulFileSystemStartCount = 0;
+
+NTSTATUS HsEnumFilterDriver(PFILTER_DRIVER FilterDriverInfor)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+
+	// Ð´ÉÏËùÓÐµÄÇý¶¯Ãû¡£
+
+	ulVolumeStartCount = 0;
+	ulFileSystemStartCount = 0;
+
+	Status = GetFilterDriverByDriverName(L"\\Driver\\Disk", FilterDriverInfor,Disk);
+	Status = GetFilterDriverByDriverName(L"\\Driver\\volmgr", FilterDriverInfor,Volume);
+	Status = GetFilterDriverByDriverName(L"\\FileSystem\\ntfs", FilterDriverInfor,File);
+	Status = GetFilterDriverByDriverName(L"\\FileSystem\\fastfat", FilterDriverInfor,File);
+	Status = GetFilterDriverByDriverName(L"\\FileSystem\\Raw", FilterDriverInfor,RAW);
+	Status = GetFilterDriverByDriverName(L"\\driver\\kbdclass", FilterDriverInfor,Keyboard);
+	Status = GetFilterDriverByDriverName(L"\\driver\\mouclass", FilterDriverInfor,Mouse);
+	Status = GetFilterDriverByDriverName(L"\\driver\\i8042prt", FilterDriverInfor,I8042prt);
+	Status = GetFilterDriverByDriverName(L"\\Driver\\tdx", FilterDriverInfor,Tdx);
+	Status = GetFilterDriverByDriverName(L"\\Driver\\NDIS", FilterDriverInfor,NDIS);
+	Status = GetFilterDriverByDriverName(L"\\Driver\\PnpManager", FilterDriverInfor,PnpManager);
+
+	return Status;
+}
+
+
+
+NTSTATUS HsUnloadFilterDriver(PUNLOAD_FILTER UnloadFilter)
+{
+	NTSTATUS Status;
+
+	DbgPrint("FilterType: %d\r\n",UnloadFilter->Type);
+	DbgPrint("DeviceObject: %d\r\n",UnloadFilter->DeviceObject);
+
+	switch(UnloadFilter->Type)
+	{
+	case Disk:
+		{
+			Status = ClearFilters(L"\\Driver\\Disk", UnloadFilter->DeviceObject);
+			break;
+		}
+	default:
+		{
+
+		}
+	}
+
+	return Status;
+}
+
+
+
+
+NTSTATUS ClearFilters(WCHAR* wzDriverName,ULONG_PTR DeviceObject)
+{
+	UNICODE_STRING uniDriverName;
+	PDRIVER_OBJECT DriverObject;
+	PDEVICE_OBJECT CurrentDevice;
+	NTSTATUS Status;
+
+
+	RtlInitUnicodeString(&uniDriverName, wzDriverName);
+	Status = ObReferenceObjectByName(&uniDriverName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		0,
+		*IoDriverObjectType,
+		KernelMode,
+		NULL,
+		(PVOID*)&DriverObject);
+
+	if (!NT_SUCCESS(Status)) return ;
+	if(!DriverObject) return ;
+	CurrentDevice = DriverObject->DeviceObject;
+	while(CurrentDevice != NULL )
+	{
+		if ((ULONG_PTR)CurrentDevice->AttachedDevice == DeviceObject)
+		{
+
+			CurrentDevice->AttachedDevice = ((PDEVICE_OBJECT)DeviceObject)->AttachedDevice;
+
+		}
+		CurrentDevice = CurrentDevice->NextDevice;
+	}
+	ObDereferenceObject(DriverObject);
+
+	return Status;
+}
+
+
+
+NTSTATUS GetFilterDriverByDriverName(WCHAR *wzDriverName, PFILTER_DRIVER FilterDriverInfor, FILTER_TYPE Type)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	UNICODE_STRING uniDriverName;
+	PDRIVER_OBJECT DriverObject = NULL;
+	POBJECT_TYPE DriverObjectType = *IoDriverObjectType;
+
+
+	if (!DriverObjectType)
+	{
+		return Status;
+	}
+
+	RtlInitUnicodeString(&uniDriverName, wzDriverName);
+
+	Status = ObReferenceObjectByName(
+		&uniDriverName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		0,
+		DriverObjectType,
+		KernelMode,
+		NULL,
+		(PVOID*)&DriverObject);
+
+	if (NT_SUCCESS(Status) && DriverObject)
+	{
+		PDEVICE_OBJECT DeviceObject = NULL;
+
+		for ( DeviceObject = DriverObject->DeviceObject;
+			  DeviceObject;
+			  DeviceObject = DeviceObject->NextDevice )
+		{
+
+
+			PDRIVER_OBJECT AttachedDriverObject = DeviceObject->DriverObject;
+			PDEVICE_OBJECT AttachDeviceObject = NULL;
+
+			for ( AttachDeviceObject = DeviceObject->AttachedDevice; 
+				  AttachDeviceObject; 
+				  AttachDeviceObject = AttachDeviceObject->AttachedDevice )
+			{
+				Status = AddFilterInfo( AttachDeviceObject, AttachedDriverObject, FilterDriverInfor, Type );
+				AttachedDriverObject = AttachDeviceObject->DriverObject;
+			}
+
+		}
+
+		ObfDereferenceObject(DriverObject);
+	}
+
+	return Status;
+}
+
+
+
+
+NTSTATUS AddFilterInfo(PDEVICE_OBJECT AttachDeviceObject, PDRIVER_OBJECT AttachedDriverObject, PFILTER_DRIVER FilterDriverInfor, FILTER_TYPE Type)
+{
+	if (AttachDeviceObject && AttachedDriverObject && FilterDriverInfor)
+	{
+		if (FilterDriverInfor->ulCnt > FilterDriverInfor->ulRetCnt)
+		{
+			ULONG_PTR ulRetCnt = FilterDriverInfor->ulRetCnt;
+			PDRIVER_OBJECT   AttachDriverObject = AttachDeviceObject->DriverObject;
+			PKLDR_DATA_TABLE_ENTRY Entry = NULL;
+
+			BOOLEAN bIsExist = FALSE;
+			ULONG_PTR i = 0;
+			char Temp[260] = {0};
+
+
+			if (Type == File || Type == RAW)
+			{
+				if (ulFileSystemStartCount == 0)
+				{
+					ulFileSystemStartCount = ulRetCnt;
+				}
+				for (i = ulFileSystemStartCount; i < ulRetCnt; i++)
+				{
+					if (_wcsnicmp(FilterDriverInfor->Filter[i].wzFilterDriverName,
+						AttachDriverObject->DriverName.Buffer,
+						wcslen(FilterDriverInfor->Filter[i].wzFilterDriverName))==0 && 
+						_wcsnicmp(FilterDriverInfor->Filter[i].wzAttachedDriverName,
+						AttachedDriverObject->DriverName.Buffer,
+						wcslen(FilterDriverInfor->Filter[i].wzAttachedDriverName))==0)
+					{
+						return STATUS_SUCCESS;
+					}
+				}
+			}
+			if (Type == Volume)
+			{
+				if (ulVolumeStartCount == 0)
+				{
+					ulVolumeStartCount = ulRetCnt;
+				}
+				for (i = 0; i < ulRetCnt; i++)
+				{
+					if (_wcsnicmp(FilterDriverInfor->Filter[i].wzFilterDriverName,
+						AttachDriverObject->DriverName.Buffer,
+						wcslen(FilterDriverInfor->Filter[i].wzFilterDriverName))==0 && 
+						_wcsnicmp(FilterDriverInfor->Filter[i].wzAttachedDriverName,
+						AttachedDriverObject->DriverName.Buffer,
+						wcslen(FilterDriverInfor->Filter[i].wzAttachedDriverName))==0)
+					{
+						return STATUS_SUCCESS;
+					}
+				}
+
+			}
+			
+
+			FilterDriverInfor->Filter[ulRetCnt].FileterDeviceObject = (ULONG_PTR)AttachDeviceObject;
+			FilterDriverInfor->Filter[ulRetCnt].Type = Type;
+
+			if (IsUnicodeStringValid(&(AttachDriverObject->DriverName)))
+			{
+				RtlZeroMemory(FilterDriverInfor->Filter[ulRetCnt].wzAttachedDriverName,100);
+				memcpy(
+					FilterDriverInfor->Filter[ulRetCnt].wzFilterDriverName, 
+					AttachDriverObject->DriverName.Buffer,
+					AttachDriverObject->DriverName.Length);
+			}
+
+			if (IsUnicodeStringValid(&(AttachedDriverObject->DriverName)))
+			{
+				RtlZeroMemory(FilterDriverInfor->Filter[ulRetCnt].wzAttachedDriverName,100);
+				memcpy(
+					FilterDriverInfor->Filter[ulRetCnt].wzAttachedDriverName,
+					AttachedDriverObject->DriverName.Buffer, 
+					AttachedDriverObject->DriverName.Length);
+			}
+
+			Entry = (PKLDR_DATA_TABLE_ENTRY)AttachDriverObject->DriverSection;
+
+			if ((ULONG_PTR)Entry > SYSTEM_ADDRESS_START)
+			{
+				if (IsUnicodeStringValid(&(Entry->FullDllName)))
+				{
+
+					memcpy(FilterDriverInfor->Filter[ulRetCnt].wzPath, Entry->FullDllName.Buffer,Entry->FullDllName.Length);
+				}
+				else if (IsUnicodeStringValid(&(Entry->BaseDllName)))
+				{
+
+					memcpy(FilterDriverInfor->Filter[ulRetCnt].wzPath, Entry->BaseDllName.Buffer, Entry->BaseDllName.Length);
+				}
+			}
+		}
+
+		else
+		{
+
+			return STATUS_BUFFER_TOO_SMALL;
+		}
+
+		FilterDriverInfor->ulRetCnt++;
+
+		return STATUS_SUCCESS;
+	}
+}
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/FilterDriver.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/FilterDriver.h
new file mode 100644
index 0000000..49f01dd
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/FilterDriver.h
@@ -0,0 +1,93 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+
+#define MAX_PATH 260
+
+typedef enum _FILTER_TYPE_
+{
+	Unkonw,
+	File,
+	Disk,
+	Volume,
+	Keyboard,
+	Mouse,
+	I8042prt,
+	Tcpip,
+	NDIS,
+	PnpManager,
+	Tdx,
+	RAW
+}FILTER_TYPE;
+
+typedef struct _FILTER_INFO_
+{
+	FILTER_TYPE Type;
+	ULONG_PTR FileterDeviceObject;
+	WCHAR wzFilterDriverName[100];
+	WCHAR wzAttachedDriverName[100];
+	WCHAR wzPath[MAX_PATH];
+}FILTER_INFO, *PFILTER_INFO;
+
+typedef struct _FILTER_DRIVER_
+{
+	ULONG_PTR ulCnt;
+	ULONG_PTR ulRetCnt;
+	FILTER_INFO Filter[1];
+}FILTER_DRIVER, *PFILTER_DRIVER;
+
+typedef struct _UNLOAD_FILTER_
+{
+	FILTER_TYPE Type;
+	ULONG_PTR   DeviceObject;
+}UNLOAD_FILTER, *PUNLOAD_FILTER;
+
+
+
+extern
+	POBJECT_TYPE* IoDriverObjectType;
+
+typedef 
+	NTSTATUS (*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
+
+NTSTATUS 
+	ObReferenceObjectByName( 
+	IN PUNICODE_STRING ObjectName, 
+	IN ULONG Attributes, 
+	IN PACCESS_STATE AccessState OPTIONAL, 
+	IN ACCESS_MASK DesiredAccess OPTIONAL, 
+	IN POBJECT_TYPE ObjectType, 
+	IN KPROCESSOR_MODE AccessMode, 
+	IN OUT PVOID ParseContext OPTIONAL, 
+	OUT PVOID *Object 
+	);
+
+
+
+
+NTSTATUS HsEnumFilterDriver(PFILTER_DRIVER FilterDriverInfor);
+
+NTSTATUS GetFilterDriverByDriverName(WCHAR *wzDriverName, PFILTER_DRIVER FilterDriverInfor, FILTER_TYPE Type);
+
+NTSTATUS AddFilterInfo(PDEVICE_OBJECT AttachDeviceObject, PDRIVER_OBJECT AttachedDriverObject, PFILTER_DRIVER FilterDriverInfor, FILTER_TYPE Type);
+
+NTSTATUS HsUnloadFilterDriver(PUNLOAD_FILTER UnloadFilter);
+
+NTSTATUS ClearFilters(WCHAR* wzDriverName,ULONG_PTR DeviceObject);
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetFuncAddress.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetFuncAddress.c
new file mode 100644
index 0000000..ea9a70f
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetFuncAddress.c
@@ -0,0 +1,275 @@
+#include "GetFuncAddress.h"
+#include "common.h"
+
+
+ULONG_PTR   IndexOffset = 0;
+
+extern WIN_VERSION WinVersion;
+
+
+ULONG_PTR  HsGetFuncAddress(char* szFuncAddress)
+{
+
+	ULONG_PTR SSDTDescriptor = 0;
+	ULONG_PTR ulIndex = 0;
+	ULONG_PTR SSDTFuncAddress = 0;
+
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+
+			SSDTDescriptor = GetKeServiceDescriptorTable64();
+			IndexOffset = 4;
+
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			SSDTDescriptor = (ULONG_PTR)HsGetFunctionAddressByName(L"KeServiceDescriptorTable");
+			IndexOffset = 1;
+
+			break;
+		}
+	}
+
+	ulIndex = GetSSDTApiFunIndex(szFuncAddress);
+
+
+	SSDTFuncAddress =  GetSSDTApiFunAddress(ulIndex,SSDTDescriptor);
+
+
+	return SSDTFuncAddress;
+}
+
+
+
+ULONG_PTR GetSSDTApiFunAddress(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
+{
+	ULONG_PTR  SSDTFuncAddress = 0;
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			SSDTFuncAddress = GetSSDTFunctionAddress64(ulIndex,SSDTDescriptor);
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			SSDTFuncAddress = GetSSDTFunctionAddress32(ulIndex,SSDTDescriptor);
+			break;
+		}
+	}
+}
+
+
+ULONG_PTR GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
+{
+	ULONG_PTR ServiceTableBase= 0 ;
+	PSYSTEM_SERVICE_TABLE32 SSDT = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor;
+
+	ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
+
+	return (ULONG_PTR)(((ULONG*)ServiceTableBase)[(ULONG)ulIndex]);
+}
+
+
+
+ULONG_PTR GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
+{
+	LONG dwTemp=0;
+	ULONG_PTR qwTemp=0;
+	ULONG_PTR ServiceTableBase= 0 ;
+	ULONG_PTR FuncAddress =0;
+	PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
+	ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
+	qwTemp = ServiceTableBase + 4 * ulIndex;
+	dwTemp = *(PLONG)qwTemp;
+	dwTemp = dwTemp>>4;
+	FuncAddress = ServiceTableBase + (ULONG_PTR)dwTemp;
+	return FuncAddress;
+}
+
+
+LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName)
+{
+	LONG Index = -1;
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PVOID    MapBase = NULL;
+	PIMAGE_NT_HEADERS  NtHeader;
+	PIMAGE_EXPORT_DIRECTORY ExportTable;
+	ULONG*  FunctionAddresses;
+	ULONG*  FunctionNames;
+	USHORT* FunIndexs;
+	ULONG   ulFunIndex;
+	ULONG   i;
+	CHAR*   FunName;
+	SIZE_T  ViewSize=0;
+	ULONG_PTR FunAddress;
+	WCHAR wzNtdll[] = L"\\SystemRoot\\System32\\ntdll.dll";
+
+	Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
+	if (!NT_SUCCESS(Status))
+	{
+
+		return STATUS_UNSUCCESSFUL;
+
+	}
+	else
+	{
+		__try{
+			NtHeader = RtlImageNtHeader(MapBase);
+			if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
+				ExportTable =(IMAGE_EXPORT_DIRECTORY *)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+				FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions);
+				FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames);
+				FunIndexs = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals);
+				for(i = 0; i < ExportTable->NumberOfNames; i++)
+				{
+					FunName = (LPSTR)((ULONG_PTR)MapBase + FunctionNames[i]);
+					if (_stricmp(FunName, lpszFunName) == 0) 
+					{
+						ulFunIndex = FunIndexs[i]; 
+						FunAddress = (ULONG_PTR)((ULONG_PTR)MapBase + FunctionAddresses[ulFunIndex]);
+						Index=*(ULONG*)(FunAddress+IndexOffset);
+						break;
+					}
+				}
+			}
+		}__except(EXCEPTION_EXECUTE_HANDLER)
+		{
+			;
+		}
+	}
+
+	if (Index == -1)
+	{
+		DbgPrint("%s Get Index Error\n", lpszFunName);
+	}
+
+	ZwUnmapViewOfSection(NtCurrentProcess(), MapBase);
+	return Index;
+}
+
+
+
+
+ULONG_PTR GetKeServiceDescriptorTable64()
+{
+	PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
+	PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
+	PUCHAR i = NULL;
+	UCHAR b1=0,b2=0,b3=0;
+	ULONG_PTR Temp = 0;
+	ULONG_PTR Address = 0;
+	for(i=StartSearchAddress;i<EndSearchAddress;i++)
+	{
+		if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
+		{
+			b1=*i;
+			b2=*(i+1);
+			b3=*(i+2);
+			if( b1==0x4c && b2==0x8d && b3==0x15 ) //4c8d15
+			{
+				memcpy(&Temp,i+3,4);
+				Address = (ULONG_PTR)Temp + (ULONG_PTR)i + 7;
+				return Address;
+			}
+		}
+	}
+	return 0;
+}
+
+
+
+
+NTSTATUS 
+	MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
+	OUT PVOID *BaseAddress,
+	OUT PSIZE_T ViewSize OPTIONAL)
+{
+	NTSTATUS Status = STATUS_INVALID_PARAMETER;
+	HANDLE   hFile = NULL;
+	HANDLE   hSection = NULL;
+	OBJECT_ATTRIBUTES oa;
+	SIZE_T MapViewSize = 0;
+	IO_STATUS_BLOCK Iosb;
+	UNICODE_STRING uniFileName;
+
+	if (!lpszFileName || !BaseAddress){
+		return Status;
+	}
+
+	RtlInitUnicodeString(&uniFileName, lpszFileName);
+	InitializeObjectAttributes(&oa,
+		&uniFileName,
+		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+		NULL,
+		NULL
+		);
+
+	Status = IoCreateFile(&hFile,
+		GENERIC_READ | SYNCHRONIZE,
+		&oa,
+		&Iosb,
+		NULL,
+		FILE_ATTRIBUTE_NORMAL,
+		FILE_SHARE_READ,
+		FILE_OPEN,
+		FILE_SYNCHRONOUS_IO_NONALERT,
+		NULL,
+		0,
+		CreateFileTypeNone,
+		NULL,
+		IO_NO_PARAMETER_CHECKING
+		);
+
+	if (!NT_SUCCESS(Status))
+	{
+		DbgPrint("ZwCreateFile Failed! Error=%08x\n",Status);
+		return Status;
+	}
+
+	oa.ObjectName = NULL;
+	Status = ZwCreateSection(&hSection,
+		SECTION_QUERY | SECTION_MAP_READ,
+		&oa,
+		NULL,
+		PAGE_WRITECOPY,
+		SEC_IMAGE,
+		hFile
+		);
+	ZwClose(hFile);
+	if (!NT_SUCCESS(Status))
+	{
+		DbgPrint("ZwCreateSection Failed! Error=%08x\n",Status);
+		return Status;
+
+	}
+
+	if (!ProcessHandle){
+		ProcessHandle = NtCurrentProcess();
+	}
+
+	Status = ZwMapViewOfSection(hSection, 
+		ProcessHandle, 
+		BaseAddress, 
+		0, 
+		0, 
+		0, 
+		ViewSize ? ViewSize : &MapViewSize, 
+		ViewUnmap, 
+		0, 
+		PAGE_WRITECOPY
+		);
+	ZwClose(hSection);
+	if (!NT_SUCCESS(Status))
+	{
+		DbgPrint("ZwMapViewOfSection Failed! Error=%08x\n",Status);
+		return Status;
+	}
+
+	return Status;
+}
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetFuncAddress.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetFuncAddress.h
new file mode 100644
index 0000000..9b29a68
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetFuncAddress.h
@@ -0,0 +1,47 @@
+#ifndef _GETFUNCADDRESS_H 
+#define _GETFUNCADDRESS_H
+
+
+
+#include <ntifs.h>
+#include <ntimage.h>
+
+
+#define SEC_IMAGE 0x01000000
+
+typedef struct _SYSTEM_SERVICE_TABLE64{
+	PVOID  		ServiceTableBase; 
+	PVOID  		ServiceCounterTableBase; 
+	ULONG64  	NumberOfServices; 
+	PVOID  		ParamTableBase; 
+} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
+
+typedef struct _SYSTEM_SERVICE_TABLE32 {
+	PVOID   ServiceTableBase;
+	PVOID   ServiceCounterTableBase;
+	ULONG32 NumberOfServices;
+	PVOID   ParamTableBase;
+} SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32;
+
+NTSYSAPI
+	PIMAGE_NT_HEADERS
+	NTAPI
+	RtlImageNtHeader(PVOID Base);
+
+ULONG_PTR  HsGetFuncAddress(char* szFuncAddress);
+
+LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName);
+
+NTSTATUS 
+MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
+	OUT PVOID *BaseAddress,
+	OUT PSIZE_T ViewSize OPTIONAL);
+
+ULONG_PTR GetSSDTApiFunAddress(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
+
+ULONG_PTR GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
+ULONG_PTR GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
+ULONG_PTR GetKeServiceDescriptorTable64();
+
+
+#endif
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetSSSDTFuncAddress.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetSSSDTFuncAddress.c
new file mode 100644
index 0000000..74f31b3
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetSSSDTFuncAddress.c
@@ -0,0 +1,191 @@
+#include "GetSSSDTFuncAddress.h"
+#include "common.h"
+
+
+ULONG32	NtUserBuildHwndListIndex32WinXP = 312;
+ULONG32	NtUserQueryWindowIndex32WinXP = 483;
+
+
+ULONG64	NtUserQueryWindowIndex64Win7 = 0x1010;
+ULONG64	NtUserBuildHwndListIndex64Win7 = 0x101C;
+
+pfnNtUserBuildHwndList AddressNtUserBuildHwndList = 0;
+pfnNtUserQueryWindow AddressNtUserQueryWindow = 0;
+
+extern 
+WIN_VERSION WinVersion;
+extern
+ULONG_PTR ulBuildNumber;
+
+ULONG_PTR  GetSSSDTApi()
+{
+	ULONG_PTR       SSSDTDescriptor = 0;
+	ULONG_PTR       SSSDTFuncAddress = 0;
+
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+
+			SSSDTDescriptor = GetKeServiceDescriptorTableShadow64Win7();
+
+			AddressNtUserBuildHwndList = (pfnNtUserBuildHwndList)GetSSSDTFunctionAddress64Win7(NtUserBuildHwndListIndex64Win7,SSSDTDescriptor);
+
+			AddressNtUserQueryWindow = (pfnNtUserQueryWindow)GetSSSDTFunctionAddress64Win7(NtUserQueryWindowIndex64Win7,SSSDTDescriptor);
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			SSSDTDescriptor = GetKeServiceDescriptorTableShadow32WinXP();
+
+			AddressNtUserBuildHwndList = (pfnNtUserBuildHwndList)GetSSSDTFunctionAddress32WinXP(NtUserBuildHwndListIndex32WinXP,SSSDTDescriptor);
+
+			AddressNtUserQueryWindow = (pfnNtUserQueryWindow)GetSSSDTFunctionAddress32WinXP(NtUserQueryWindowIndex32WinXP,SSSDTDescriptor);
+			break;
+		}
+	}
+
+
+	return SSSDTFuncAddress;
+
+}
+
+
+
+
+
+ULONG_PTR GetKeServiceDescriptorTableShadow32WinXP()
+{
+	WCHAR szKeAddSystemServiceTable[] = L"KeAddSystemServiceTable";
+	ULONG_PTR KeAddSystemServiceTableAddress = NULL;
+	ULONG_PTR Temp = 0;
+	ULONG_PTR Address = 0;
+	int i = 0;
+	PUCHAR StartSearchAddress;
+	KeAddSystemServiceTableAddress = (ULONG_PTR)HsGetFunctionAddressByName(szKeAddSystemServiceTable);
+
+	if (KeAddSystemServiceTableAddress==NULL)
+	{
+		return 0;
+	}
+
+
+	for (StartSearchAddress = (PUCHAR)KeAddSystemServiceTableAddress; 
+			StartSearchAddress < (PUCHAR)KeAddSystemServiceTableAddress + PAGE_SIZE; 
+			StartSearchAddress++)
+		{
+			if (ulBuildNumber < 8000)
+			{
+			
+				if (*(unsigned short*)StartSearchAddress == 0x888d)
+				{
+					Temp = *(ULONG_PTR*)(StartSearchAddress+2);
+			
+					Address = Temp + 16;
+				
+				
+					/*
+					kd> dd 80553f60
+					80553f60  80502b8c 00000000 0000011c 80503000    SSDT
+					80553f70  bf999b80 00000000 0000029b bf99a890    ShadowSSDT  ËùÒÔÒª¼Ó16
+					80553f80  00000000 00000000 00000000 00000000
+					80553f90  00000000 00000000 00000000 00000000
+					80553fa0  80502b8c 00000000 0000011c 80503000
+					80553fb0  00000000 00000000 00000000 00000000
+					80553fc0  00000000 00000000 00000000 00000000
+					80553fd0  00000000 00000000 00000000 00000000
+					*/
+					break;
+				}
+			}
+
+			//ÆäËû°æ±¾
+			else if (ulBuildNumber>=8000)
+			{
+				if (*(unsigned short*)StartSearchAddress==0xb983)
+				{
+					i++;
+					if (i==1)
+					{
+					}
+
+					if (i==2)
+					{
+						Temp = *(ULONG_PTR*)(StartSearchAddress+2);
+
+						Address = Temp + 16;
+						break;
+					}
+				}
+			}
+		}
+
+
+
+	return Address;
+
+}
+
+
+
+
+ULONG_PTR GetKeServiceDescriptorTableShadow64Win7()
+{
+	PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
+	PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
+	PUCHAR i = NULL;
+	UCHAR b1=0,b2=0,b3=0;
+	ULONG_PTR Temp = 0;
+	ULONG_PTR Address = 0;
+	for(i=StartSearchAddress;i<EndSearchAddress;i++)
+	{
+		if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
+		{
+			b1=*i;
+			b2=*(i+1);
+			b3=*(i+2);
+			if( b1==0x4c && b2==0x8d && b3==0x1d ) //4C8D1D
+			{
+				memcpy(&Temp,i+3,4);
+				Address = (ULONG_PTR)Temp + (ULONG_PTR)i + 7;
+				
+				
+
+				Address+=32;
+				
+				return Address;
+			}
+		}
+	}
+	return 0;
+}
+
+
+
+ULONG_PTR GetSSSDTFunctionAddress32WinXP(ULONG_PTR ulIndex,ULONG_PTR SSSDTDescriptor)
+{
+	ULONG_PTR ServiceTableBase= 0 ;
+	PSYSTEM_SERVICE_TABLE_SSSDT32 SSSDT = (PSYSTEM_SERVICE_TABLE_SSSDT32)SSSDTDescriptor;
+
+	ServiceTableBase=(ULONG_PTR)(SSSDT ->ServiceTableBase);
+
+	return (ULONG_PTR)(((ULONG*)ServiceTableBase)[(ULONG)ulIndex]);
+}
+
+
+
+ULONG_PTR GetSSSDTFunctionAddress64Win7(ULONG_PTR ulIndex,ULONG_PTR SSSDTDescriptor)
+{
+	LONG dwTemp=0;
+	ULONG_PTR qwTemp=0;
+	ULONG_PTR ServiceTableBase= 0 ;
+	ULONG_PTR FuncAddress =0;
+	PSYSTEM_SERVICE_TABLE_SSSDT64 SSSDT = (PSYSTEM_SERVICE_TABLE_SSSDT64)SSSDTDescriptor;
+	ServiceTableBase=(ULONG_PTR)(SSSDT ->ServiceTableBase);
+	qwTemp = ServiceTableBase + 4 * (ulIndex-0x1000);
+	dwTemp = *(PLONG)qwTemp;
+	dwTemp = dwTemp>>4;
+	FuncAddress = ServiceTableBase + (ULONG_PTR)dwTemp;
+	return FuncAddress;
+}
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetSSSDTFuncAddress.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetSSSDTFuncAddress.h
new file mode 100644
index 0000000..683487f
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/GetSSSDTFuncAddress.h
@@ -0,0 +1,50 @@
+#ifndef _GETSSSDTFUNCADDRESS_H 
+#define _GETSSSDTFUNCADDRESS_H
+
+#include <ntifs.h>
+#include <windef.h>
+
+#endif
+
+typedef struct _SYSTEM_SERVICE_TABLE_SSSDT64{
+	PVOID  		ServiceTableBase; 
+	PVOID  		ServiceCounterTableBase; 
+	ULONG64  	NumberOfServices; 
+	PVOID  		ParamTableBase; 
+} SYSTEM_SERVICE_TABLE_SSSDT64, *PSYSTEM_SERVICE_TABLE_SSSDT64;
+
+typedef struct _SYSTEM_SERVICE_TABLE_SSSDT32 {
+	PVOID   ServiceTableBase;
+	PVOID   ServiceCounterTableBase;
+	ULONG32 NumberOfServices;
+	PVOID   ParamTableBase;
+} SYSTEM_SERVICE_TABLE_SSSDT32, *PSYSTEM_SERVICE_TABLE_SSSDT32;
+
+
+
+
+ULONG_PTR GetKeServiceDescriptorTableShadow32WinXP();
+ULONG_PTR GetKeServiceDescriptorTableShadow64Win7();
+ULONG_PTR GetSSSDTFunctionAddress32WinXP(ULONG_PTR ulIndex,ULONG_PTR SSSDTDescriptor);
+ULONG_PTR GetSSSDTFunctionAddress64Win7(ULONG_PTR ulIndex,ULONG_PTR SSSDTDescriptor);
+ULONG_PTR GetSSSDTApi();
+
+
+
+typedef
+	ULONG_PTR
+	(*pfnNtUserQueryWindow)(
+	HWND hWnd, 
+	ULONG_PTR Index);
+
+
+typedef
+	NTSTATUS
+	(*pfnNtUserBuildHwndList)(
+	HDESK hDesktop,
+	HWND hwndParent,
+	BOOLEAN bChildren,
+	ULONG dwThreadId,
+	ULONG lParam,
+	HWND* pWnd,
+	ULONG* pBufSize);
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Handle.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Handle.c
new file mode 100644
index 0000000..af47a90
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Handle.c
@@ -0,0 +1,300 @@
+#include "Handle.h"
+#include "GetFuncAddress.h"
+#include <ntimage.h>
+
+pfnNtQueryObject  NtQueryObjectAddress = NULL;
+
+
+#define SystemHandleInformation 16
+#define SEC_IMAGE 0x01000000
+
+extern
+	WIN_VERSION  WinVersion;
+
+extern ULONG_PTR ulBuildNumber;
+
+extern ULONG_PTR ObjectHeaderSize;
+
+extern ULONG_PTR PreviousModeOffsetOf_KTHREAD;
+extern ULONG_PTR ObjectTypeOffsetOf_Object_Header;
+extern ULONG_PTR ObjectTableOffsetOf_EPROCESS;
+
+
+
+NTSTATUS HsEnumProcessHandle(PVOID InBuffer, ULONG_PTR InSize, PVOID OutBuffer, ULONG_PTR OutSize)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL, LookupStatus = STATUS_UNSUCCESSFUL;
+
+	PEPROCESS EProcess = NULL;
+	ULONG ulPid = 0;
+	ULONG_PTR ulCount = (OutSize - sizeof(ALL_HANDLES)) / sizeof(HANDLE_INFO);
+
+	HsInitHandleVariable();
+	NtQueryObjectAddress = (pfnNtQueryObject)HsGetFuncAddress("NtQueryObject");
+
+
+	if (!InBuffer ||
+		!OutBuffer)
+	{
+		return STATUS_INVALID_PARAMETER;
+	}
+
+	ulPid = (ULONG)InBuffer;
+
+	if (ulPid)
+	{
+		LookupStatus = PsLookupProcessByProcessId((HANDLE)ulPid, &EProcess);
+		if (!NT_SUCCESS(LookupStatus) || !EProcess)
+		{
+			return STATUS_UNSUCCESSFUL;
+		}
+	}
+
+
+	if (HsIsRealProcess(EProcess))
+	{
+		Status = HsGetHandles(ulPid, (ULONG_PTR)EProcess, (PALL_HANDLES)OutBuffer, ulCount);
+	}
+
+	if (NT_SUCCESS(LookupStatus))
+	{
+		ObfDereferenceObject(EProcess);
+	}
+
+	return Status;
+}
+
+
+
+
+NTSTATUS HsGetHandles(ULONG_PTR ulPid, ULONG_PTR EProcess, PALL_HANDLES OutHandles, ULONG_PTR ulCount)
+{
+	NTSTATUS  Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR ulRet= 0x10000;
+	PETHREAD EThread = NULL;
+	CHAR PreMode = 0;
+
+
+	EThread = PsGetCurrentThread();
+	PreMode = HsChangePreMode(EThread);
+
+	do 
+	{
+		PVOID Buffer = ExAllocatePool(PagedPool,ulRet);
+		if (Buffer)
+		{
+			memset(Buffer, 0, ulRet);
+			Status = NtQuerySystemInformation(SystemHandleInformation, Buffer, ulRet, &ulRet);
+			if (NT_SUCCESS(Status))
+			{
+				PSYSTEM_HANDLE_INFORMATION Handles = (PSYSTEM_HANDLE_INFORMATION)Buffer;
+				ULONG i = 0;
+				for (i = 0; i < Handles->NumberOfHandles; i++)
+				{
+					if (ulPid == Handles->Handles[i].UniqueProcessId)
+					{
+						if (ulCount > OutHandles->ulCount)
+						{
+							HsInsertHandleToList((PEPROCESS)EProcess, 
+								(HANDLE)Handles->Handles[i].HandleValue, 
+								(ULONG_PTR)Handles->Handles[i].Object, 
+								OutHandles);
+						}
+
+						OutHandles->ulCount++;
+					}
+				}
+			}
+
+			ExFreePool(Buffer);
+			ulRet *= 2;
+		}
+	} while (Status == STATUS_INFO_LENGTH_MISMATCH);
+
+	HsRecoverPreMode(EThread, PreMode);
+
+	if (NT_SUCCESS(Status))
+	{
+		if (ulCount >= OutHandles->ulCount)
+		{
+			Status = STATUS_SUCCESS;
+		}
+		else
+		{
+			Status = STATUS_BUFFER_TOO_SMALL;
+		}
+	}
+
+	return Status;
+}
+
+
+
+
+
+VOID HsInsertHandleToList(PEPROCESS EProcess, HANDLE Handle, ULONG_PTR Object, PALL_HANDLES Handles)
+{
+
+	BOOLEAN bAttach = FALSE;
+	KAPC_STATE as;
+	PHANDLE_INFO Buffer = NULL;
+
+	if (Object && 
+		MmIsAddressValid((PVOID)Object) && 
+		(Buffer = (PHANDLE_INFO)ExAllocatePool(NonPagedPool,sizeof(HANDLE_INFO))) != NULL)
+	{
+		memset(Buffer,0,sizeof(HANDLE_INFO));
+
+
+		KeStackAttachProcess(EProcess, &as);
+		bAttach = TRUE;
+
+
+		Buffer->Handle = (ULONG_PTR)Handle;
+		Buffer->Object = Object;
+		if (MmIsAddressValid((PVOID)(Object - 0x18)))
+		{
+			Buffer->ReferenceCount = *(ULONG_PTR*)((ULONG_PTR)Object - ObjectHeaderSize);
+		}
+		else
+		{
+			Buffer->ReferenceCount = 0;
+		}
+
+
+		HsGetHandleObjectName((HANDLE)Handle,Buffer->HandleName);
+		HsGetHandleTypeName((HANDLE)Handle, Object, Buffer->ObjectName);
+
+		if (bAttach)
+		{
+			KeUnstackDetachProcess(&as);
+			bAttach = FALSE;
+		}
+
+		memcpy(&Handles->Handles[Handles->ulCount],Buffer,sizeof(HANDLE_INFO));
+		ExFreePool(Buffer);
+		Buffer = NULL;
+	}
+}
+
+
+
+
+VOID HsGetHandleObjectName(HANDLE hHandle,WCHAR* wzObjectName)
+{
+	PVOID HandleName = NULL;
+
+	HandleName = ExAllocatePool(PagedPool,0x1000);
+	if (HandleName)
+	{
+		ULONG uRet= 0;
+		PETHREAD EThread = NULL;
+		CHAR PreMode = 0;
+
+		memset(HandleName, 0, 0x1000);
+
+		EThread = PsGetCurrentThread();
+		PreMode = HsChangePreMode(EThread);
+
+		__try
+		{
+			if (NT_SUCCESS(NtQueryObjectAddress((HANDLE)hHandle, ObjectNameInfo, HandleName, 0x1000, &uRet)))
+			{
+				POBJECT_NAME_INFORMATION ObjectNameInformation = (POBJECT_NAME_INFORMATION)HandleName;
+				if (ObjectNameInformation->Name.Buffer!=NULL)
+				{
+
+
+					if (HsIsUnicodeStringValid(&ObjectNameInformation->Name))
+					{
+						wcsncpy(wzObjectName,
+							ObjectNameInformation->Name.Buffer,ObjectNameInformation->Name.Length);
+					}
+
+
+				}
+			}
+		}
+		__except(1)
+		{
+			DbgPrint("GetHandleObjectName Catch __Except\r\n");
+		}
+
+		HsRecoverPreMode(EThread, PreMode);
+		ExFreePool(HandleName);
+	}
+}
+
+
+VOID HsGetHandleTypeName(HANDLE hHandle, ULONG_PTR Object,WCHAR* wzTypeName)
+{
+	PVOID HandleName = NULL;
+	BOOLEAN bOk = FALSE;
+
+	HandleName = ExAllocatePool(PagedPool,0x1000);
+	if (HandleName)
+	{
+		ULONG uRet= 0;
+		PETHREAD EThread = NULL;
+		CHAR PreMode = 0;
+
+		memset(HandleName, 0, 0x1000);
+
+		EThread = PsGetCurrentThread();
+		PreMode = HsChangePreMode(EThread);
+
+		__try
+		{
+			if (NT_SUCCESS(NtQueryObjectAddress((HANDLE)hHandle, ObjectTypeInfo, HandleName, 0x1000, &uRet)))
+			{
+				POBJECT_NAME_INFORMATION ObjectNameInformation = (POBJECT_NAME_INFORMATION)HandleName;
+				if (ObjectNameInformation->Name.Buffer!=NULL)
+				{
+
+
+					if (HsIsUnicodeStringValid(&ObjectNameInformation->Name))
+					{
+						wcsncpy(wzTypeName, ObjectNameInformation->Name.Buffer,ObjectNameInformation->Name.Length);
+					}		
+
+				}
+			}
+		}
+		__except(1)
+		{
+			DbgPrint("GetHandleObjectName Catch __Except\r\n");
+		}
+
+		HsRecoverPreMode(EThread, PreMode);
+		ExFreePool(HandleName);
+
+
+
+	}
+}
+
+
+
+
+VOID HsInitHandleVariable()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+			ObjectHeaderSize = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			break;
+		}
+
+	case WINDOWS_7:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ObjectHeaderSize = 0x30;
+			break;
+		}
+	}
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Handle.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Handle.h
new file mode 100644
index 0000000..260369c
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Handle.h
@@ -0,0 +1,148 @@
+#pragma once 
+
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+#include "Process.h"
+
+typedef enum _SYSTEM_INFORMATION_CLASS {    
+	SystemBasicInformation,    
+	SystemProcessorInformation,    
+	SystemPerformanceInformation,    
+	SystemTimeOfDayInformation,    
+	SystemNotImplemented1,    
+	SystemProcessesInformation,    
+	SystemCallCounts,    
+	SystemConfigurationInformation,    
+	SystemProcessorTimes,    
+	SystemGlobalFlag,    
+	SystemNotImplemented2,    
+	SystemModuleInformation,    
+	SystemLockInformation,    
+	SystemNotImplemented3,    
+	SystemNotImplemented4,    
+	SystemNotImplemented5,    
+	SystemHandleInformation, //Ã¶¾ÙÏµÍ³ÖÐµÄÈ«²¿¾ä±ú 
+	SystemObjectInformation,    
+	SystemPagefileInformation,    
+	SystemInstructionEmulationCounts,    
+	SystemInvalidInfoClass1,    
+	SystemCacheInformation,    
+	SystemPoolTagInformation,    
+	SystemProcessorStatistics,    
+	SystemDpcInformation,    
+	SystemNotImplemented6,    
+	SystemLoadImage,    
+	SystemUnloadImage,    
+	SystemTimeAdjustment,    
+	SystemNotImplemented7,    
+	SystemNotImplemented8,    
+	SystemNotImplemented9,    
+	SystemCrashDumpInformation,    
+	SystemExceptionInformation,    
+	SystemCrashDumpStateInformation,    
+	SystemKernelDebuggerInformation,    
+	SystemContextSwitchInformation,    
+	SystemRegistryQuotaInformation,    
+	SystemLoadAndCallImage,    
+	SystemPrioritySeparation,    
+	SystemNotImplemented10,    
+	SystemNotImplemented11,    
+	SystemInvalidInfoClass2,    
+	SystemInvalidInfoClass3,    
+	SystemTimeZoneInformation,    
+	SystemLookasideInformation,    
+	SystemSetTimeSlipEvent,    
+	SystemCreateSession,    
+	SystemDeleteSession,    
+	SystemInvalidInfoClass4,    
+	SystemRangeStartInformation,    
+	SystemVerifierInformation,    
+	SystemAddVerifier,    
+	SystemSessionProcessesInformation    
+} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
+
+
+typedef enum _OBJECT_INFO_CLASS {
+	ObjectBasicInfo,
+	ObjectNameInfo,
+	ObjectTypeInfo,
+	ObjectAllInfo,
+	ObjectDataInfo
+} OBJECT_INFO_CLASS, *POBJECT_INFO_CLASS;
+
+
+#define MAX_OBJECT_NAME  50
+#define MAX_PATH         500
+
+
+typedef struct _HANDLE_INFO_
+{
+	ULONG_PTR Handle;
+	ULONG_PTR Object;
+	ULONG_PTR ReferenceCount;
+	WCHAR ObjectName[MAX_OBJECT_NAME];
+	WCHAR HandleName[MAX_PATH];
+}HANDLE_INFO, *PHANDLE_INFO;
+
+typedef struct _PROCESS_HANDLES_
+{
+	ULONG_PTR ulCount;
+	HANDLE_INFO Handles[1];
+}ALL_HANDLES, *PALL_HANDLES;
+
+
+
+
+typedef
+	NTSTATUS (NTAPI *pfnNtQueryObject)(HANDLE Handle,OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	PVOID ObjectInformation,
+	ULONG ObjectInformationLength,
+	PULONG ReturnLength);
+
+
+
+
+NTSTATUS HsEnumProcessHandle(PVOID InBuffer, ULONG_PTR InSize, PVOID OutBuffer, ULONG_PTR OutSize);
+NTSTATUS HsGetHandles(ULONG_PTR ulPid, ULONG_PTR EProcess, PALL_HANDLES OutHandles, ULONG_PTR ulCount);
+VOID HsInsertHandleToList(PEPROCESS EProcess, HANDLE Handle, ULONG_PTR Object, PALL_HANDLES Handles);
+VOID HsGetHandleObjectName(HANDLE hHandle,WCHAR* wzObjectName);
+VOID HsGetHandleTypeName(HANDLE hHandle, ULONG_PTR Object,WCHAR* wzTypeName);
+VOID HsInitHandleVariable();
+
+NTSYSAPI
+PIMAGE_NT_HEADERS
+NTAPI
+RtlImageNtHeader(PVOID Base);
+
+
+extern 
+	NTSTATUS 
+	NtQuerySystemInformation(   
+	IN ULONG SystemInformationClass,   
+	IN PVOID SystemInformation,   
+	IN ULONG SystemInformationLength,   
+	OUT PULONG ReturnLength);
+
+typedef 
+ULONG_PTR 
+(*pfnObGetObjectType)(PVOID pObject);
+
+
+
+
+
+NTSTATUS 
+	MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
+	OUT PVOID *BaseAddress,
+	OUT PSIZE_T ViewSize OPTIONAL);
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/HeavenShadowDrv.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/HeavenShadowDrv.c
new file mode 100644
index 0000000..907ee53
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/HeavenShadowDrv.c
@@ -0,0 +1,198 @@
+/***************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : HeavenShadowDrv.C
+* 
+* Command: 
+*	
+*
+* Description:
+*		Demonstrates communications between USER and KERNEL.
+*
+****************************************************************************************
+* Copyright (C) 2014 HeavenShadow.
+****************************************************************************************/
+
+
+#ifndef _HeavenShadowDrv_H
+# include "HeavenShadowDrv.h"
+#endif
+
+#include "Process.h"
+#include "Module.h"
+#include "Kernel.h"
+#include "System.h"
+
+PDEVICE_OBJECT g_DeviceObject;
+PDRIVER_OBJECT g_DriverObject;
+
+WIN_VERSION  WinVersion = WINDOWS_UNKNOW;
+
+PEPROCESS    SystemEProcess = NULL;
+
+//////////////////////////////////////////////////////////////////////////
+
+NTSTATUS
+DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
+{
+	ULONG i = 0;
+	
+	NTSTATUS Status;
+	UNICODE_STRING DeviceName;
+	UNICODE_STRING LinkName;
+	PDEVICE_OBJECT DeviceObject;
+
+
+	WinVersion =  HsGetWindowsVersion();
+
+	//ÅÉÇ²Àú³Ì
+	for (i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
+	{
+		DriverObject->MajorFunction[i] = HsDispatchPass;
+	}
+
+	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HsDispatchControl;
+
+	DriverObject->DriverUnload = HsDriverUnload;
+
+	//´´½¨Ò»¸öUniCode Ãû×ÖµÄ¿ØÖÆÉè±¸¶ÔÏóÊ¹ÓÃ
+
+	RtlInitUnicodeString(&DeviceName,HS_DEVICE_NAME);
+
+	//´´½¨Ò»¸ö¿ØÖÆÉè±¸¶ÔÏó ÓëÓ¦ÓÃ²ã½øÐÐ½»»¥
+
+
+
+	Status = IoCreateDevice(DriverObject,(ULONG)NULL,&DeviceName,
+		FILE_DEVICE_UNKNOWN,0,FALSE,&DeviceObject);
+
+
+	if (!NT_SUCCESS(Status))
+	{
+		return STATUS_SUCCESS;
+	}
+
+
+
+	//´´½¨¹ØÁª
+
+	RtlInitUnicodeString(&LinkName,HS_LINK_NAME);
+
+
+	Status = IoCreateSymbolicLink(&LinkName,&DeviceName);
+
+	if (!NT_SUCCESS(Status))
+	{
+		IoDeleteDevice(DeviceObject);
+		return STATUS_UNSUCCESSFUL;
+	}
+
+	g_DeviceObject = DeviceObject;
+	g_DriverObject = DriverObject;
+
+	SystemEProcess = PsGetCurrentProcess();
+
+
+	return STATUS_SUCCESS;
+}
+
+VOID
+HsDriverUnload(IN PDRIVER_OBJECT DriverObject)
+{	
+	UNICODE_STRING  uniLinkName;
+
+	RtlInitUnicodeString(&uniLinkName,HS_LINK_NAME);
+
+	IoDeleteSymbolicLink(&uniLinkName);
+
+	if (DriverObject->DeviceObject!=NULL)
+	{
+		IoDeleteDevice(DriverObject->DeviceObject);
+	}
+
+	return;
+}
+
+NTSTATUS 
+HsDispatchControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
+{
+	PIO_STACK_LOCATION  IrpSp;
+	ULONG				ulIoControlCode  = 0;
+	NTSTATUS			Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR			ulRet = 0;
+	PVOID               pvInputBuffer  = NULL;
+	PVOID               pvOutputBuffer = NULL;
+	ULONG_PTR			ulOutputLen    = 0;
+
+
+	//////////////////////////////////////////////////////////////////////////
+	ULONG  ulIoControlFunc = 0;	   //HS_IOCTL_±àÂë
+	//////////////////////////////////////////////////////////////////////////
+
+
+	IrpSp = IoGetCurrentIrpStackLocation(Irp);
+
+	pvOutputBuffer = Irp->UserBuffer;	//UserBuffer
+	ulOutputLen    = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
+	ProbeForWrite(pvOutputBuffer,ulOutputLen,sizeof(CHAR));
+
+	ulRet = ulOutputLen;
+
+	DbgPrint("Hello HeavenShadow!\r\n");
+
+	ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
+
+	ulIoControlFunc = (ulIoControlCode>>2)&0x00000FFF&0xF80;
+	DbgPrint("Major Func Code: %x\r\n",ulIoControlFunc);
+
+	switch(ulIoControlFunc) //ÅÐ¶ÏµÄÊÇH_IOCTL_±àÂë£¨×Ô¶¨ÒåÃ¶¾Ù£©¶ø²»ÊÇ´«ÈëµÄCTL_CODE
+	{
+	case HS_IOCTL_PROC:		//½ø³Ì´ó¹¦ÄÜ
+		{
+			Status = HsDispatchControlForProcess(IrpSp, pvOutputBuffer, &ulRet);
+			break;
+		}
+	case HS_IOCTL_MODU:		//Ä£¿é´ó¹¦ÄÜ
+		{
+			Status = HsDispatchControlForModule(IrpSp, pvOutputBuffer, &ulRet);
+			break;
+		}
+	case HS_IOCTL_KRNL:		//ÄÚºË¹³×Ó´ó¹¦ÄÜ
+		{
+			Status = HsDispatchControlForKernel(IrpSp, pvOutputBuffer, &ulRet);
+			break;
+		}
+	case HS_IOCTL_SYSK:		//ÄÚºË´ó¹¦ÄÜ
+		{
+			Status = HsDispatchControlForSystem(IrpSp, pvOutputBuffer, &ulRet);
+			break;
+		}
+	default:				//´íÎóÇëÇó
+		{
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+
+	
+	Irp->IoStatus.Status = Status;
+	Irp->IoStatus.Information = ulRet;
+	IoCompleteRequest(Irp,IO_NO_INCREMENT);
+
+	return Status;
+}
+
+
+
+NTSTATUS
+HsDispatchPass(PDEVICE_OBJECT DeviceObject,PIRP Irp)
+{
+
+	Irp->IoStatus.Status = STATUS_SUCCESS;
+	Irp->IoStatus.Information = 0;
+
+	IoCompleteRequest(Irp,IO_NO_INCREMENT);
+
+	return STATUS_SUCCESS;
+
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/HeavenShadowDrv.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/HeavenShadowDrv.h
new file mode 100644
index 0000000..6d9558d
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/HeavenShadowDrv.h
@@ -0,0 +1,78 @@
+/***************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : HeavenShadowDrv.H
+*
+* ÌìÓ° Çý¶¯³ÌÐòÖ÷ÎÄ¼þ
+*
+* Description:
+*		ÌìÓ° Çý¶¯³ÌÐòÖ÷ÎÄ¼þ
+*
+****************************************************************************************
+* Copyright (C) 2015 HeavenShadow.
+****************************************************************************************/
+
+
+#ifndef _HeavenShadowDrv_H
+#define _HeavenShadowDrv_H
+
+
+#include <ntifs.h>
+#include <devioctl.h>
+#include "common.h"
+
+#endif	//_HeavenShadowDrv_H
+
+
+/***************************************************************************************
+* NAME:			DriverEntry
+*
+* DESCRIPTION:	×¢²áÅÉÇ²Àý³Ì
+*					
+* PARAMETERS:		DriverObject					IN		
+*						±»NT´´½¨ÓÃÓÚ´ËÇý¶¯µÄDRIVER_OBJECTµÄµØÖ·
+*					RegisterPath					IN		
+*						´ú±íÁËÇý¶¯Ïà¹ØµÄ·þÎñ×¢²á±íÏîµÄUNICODE_STRING 	
+*
+* RETURNS:		NTSTATUS
+****************************************************************************************/
+NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
+
+/***************************************************************************************
+* NAME:			HsDriverUnload
+*
+* DESCRIPTION:	¶¯Ì¬Ð¶ÔØÈë¿ÚµãµÄÀý³Ì
+*					
+* PARAMETERS:		DriverObject					IN		DRIVER_OBJECTµÄµØÖ·
+*
+* RETURNS:		None
+****************************************************************************************/
+VOID HsDriverUnload(IN PDRIVER_OBJECT DriverObject);
+
+/***************************************************************************************
+* NAME:			HsDispatchControl
+*
+* DESCRIPTION:	IRP_MJ_DEVICE_CONTROLµÄÅÉÇ²Èë¿Úµã
+*					
+* PARAMETERS:		DriverObject				IN		DRIVER_OBJECTµÄµØÖ·
+*					Irp							IN		IRPµÄµØÖ·
+*
+* RETURNS:		NTSTATUS
+*
+* NOTES:			IRP_MJ_DEVICE_CONTROL
+*					Parameters:
+*					Parameters.DeviceIoControl.OutputBufferLength	OutBufferµÄ³¤¶È
+*						×Ö½Ú¼Æ (À´×ÔGUIµÄ»º³åÇø³¤¶È)
+*					Parameters.DeviceIoControl.InputBufferLength	InBufferµÄ³¤¶È
+*						×Ö½Ú¼Æ (À´×ÔDRIVERµÄ»º³åÇø³¤¶È)
+*					Parameters.DeviceIoControl.ControlCode			I/O ¿ØÖÆÂë
+****************************************************************************************/
+NTSTATUS HsDispatchControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
+
+
+
+NTSTATUS
+HsDispatchPass(PDEVICE_OBJECT DeviceObject,PIRP Irp);
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/IoTimer.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/IoTimer.c
new file mode 100644
index 0000000..34c3a6a
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/IoTimer.c
@@ -0,0 +1,279 @@
+#include "IoTimer.h"
+#include "Module.h"
+
+extern ULONG_PTR		SYSTEM_ADDRESS_START;
+extern PDRIVER_OBJECT	g_DriverObject;
+extern WIN_VERSION		WinVersion;
+
+pfnIoStartTimer  IoStartTimerAddress = NULL;
+pfnIoStopTimer   IoStopTimerAddress = NULL;
+
+
+NTSTATUS HsEnumIOTimer(PVOID OutBuffer)
+{
+	NTSTATUS Status = STATUS_SUCCESS;
+	PLIST_ENTRY IopTimerQueueHead = 0;
+	PIO_TIMER_INFOR  IoTimerInfor = (PIO_TIMER_INFOR)OutBuffer;
+
+	KIRQL OldIrql;
+
+
+	IopTimerQueueHead = (PLIST_ENTRY)GetIopTimerQueueHead();
+	OldIrql = KeRaiseIrqlToDpcLevel();
+
+	if (IopTimerQueueHead && MmIsAddressValid((PVOID)IopTimerQueueHead))
+	{
+		PLIST_ENTRY CurrentEntry = IopTimerQueueHead->Flink;
+
+		while (MmIsAddressValid(CurrentEntry) && CurrentEntry != (PLIST_ENTRY)IopTimerQueueHead)
+		{
+			PIO_TIMER Timer = CONTAINING_RECORD(CurrentEntry,IO_TIMER,TimerList);
+
+			if (Timer && MmIsAddressValid(Timer))
+			{
+
+				if (IoTimerInfor->ulCnt > IoTimerInfor->ulRetCnt)
+				{
+					IoTimerInfor->IoTimer[IoTimerInfor->ulRetCnt].TimerObject = (ULONG_PTR)Timer;
+
+					DbgPrint("%p\r\n",Timer);
+					IoTimerInfor->IoTimer[IoTimerInfor->ulRetCnt].TimerEntry = (ULONG_PTR)CurrentEntry;
+					IoTimerInfor->IoTimer[IoTimerInfor->ulRetCnt].DeviceObject = (ULONG_PTR)Timer->DeviceObject;
+					IoTimerInfor->IoTimer[IoTimerInfor->ulRetCnt].TimeDispatch = (ULONG_PTR)Timer->TimerRoutine;
+					IoTimerInfor->IoTimer[IoTimerInfor->ulRetCnt].Status = (ULONG_PTR)Timer->TimerFlag;
+				}
+
+				IoTimerInfor->ulRetCnt++;
+			}
+
+			CurrentEntry = CurrentEntry->Flink;
+		}
+	}
+
+	KeLowerIrql(OldIrql);
+
+	return Status;
+}
+
+
+
+
+ULONG_PTR GetIopTimerQueueHead()
+{
+	ULONG_PTR i = 0;
+	ULONG_PTR IopTimerQueueHead = 0;
+	ULONG_PTR IoInitializeTimer = 0;
+	long Temp = 0;
+
+
+	IoInitializeTimer = (ULONG_PTR)HsGetFunctionAddressByName(L"IoInitializeTimer");
+
+	if (IoInitializeTimer)
+	{
+
+		switch(WinVersion)
+		{
+		case WINDOWS_7:
+			{
+				/*
+				kd> u IoInitializeTimer l 50
+				nt!IoInitializeTimer:
+				fffff800`0427f3b0 48895c2408      mov     qword ptr [rsp+8],rbx
+				fffff800`0427f3b5 48896c2410      mov     qword ptr [rsp+10h],rbp
+				fffff800`0427f3ba 4889742418      mov     qword ptr [rsp+18h],rsi
+				fffff800`0427f3bf 57              push    rdi
+				fffff800`0427f3c0 4883ec20        sub     rsp,20h
+				fffff800`0427f3c4 488b5928        mov     rbx,qword ptr [rcx+28h]
+				fffff800`0427f3c8 498bf0          mov     rsi,r8
+				fffff800`0427f3cb 488bea          mov     rbp,rdx
+				fffff800`0427f3ce 488bf9          mov     rdi,rcx
+				fffff800`0427f3d1 4885db          test    rbx,rbx
+				fffff800`0427f3d4 753f            jne     nt!IoInitializeTimer+0x65 (fffff800`0427f415)
+				fffff800`0427f3d6 8d5330          lea     edx,[rbx+30h]
+				fffff800`0427f3d9 33c9            xor     ecx,ecx
+				fffff800`0427f3db 41b8496f5469    mov     r8d,69546F49h
+				fffff800`0427f3e1 e8fa2cd3ff      call    nt!ExAllocatePoolWithTag (fffff800`03fb20e0)
+				fffff800`0427f3e6 488bd8          mov     rbx,rax
+				fffff800`0427f3e9 4885c0          test    rax,rax
+				fffff800`0427f3ec 7507            jne     nt!IoInitializeTimer+0x45 (fffff800`0427f3f5)
+				fffff800`0427f3ee b89a0000c0      mov     eax,0C000009Ah
+				fffff800`0427f3f3 eb41            jmp     nt!IoInitializeTimer+0x86 (fffff800`0427f436)
+				fffff800`0427f3f5 33d2            xor     edx,edx
+				fffff800`0427f3f7 488bc8          mov     rcx,rax
+				fffff800`0427f3fa 448d4230        lea     r8d,[rdx+30h]
+				fffff800`0427f3fe e88da4c0ff      call    nt!memset (fffff800`03e89890)
+				fffff800`0427f403 41bb09000000    mov     r11d,9
+				fffff800`0427f409 48897b28        mov     qword ptr [rbx+28h],rdi
+				fffff800`0427f40d 6644891b        mov     word ptr [rbx],r11w
+				fffff800`0427f411 48895f28        mov     qword ptr [rdi+28h],rbx
+				fffff800`0427f415 488d5308        lea     rdx,[rbx+8]
+				fffff800`0427f419 4c8d0520ade3ff  lea     r8,[nt!IopTimerLock (fffff800`040ba140)]
+				fffff800`0427f420 488d0dd94ce0ff  lea     rcx,[nt!IopTimerQueueHead (fffff800`04084100)]
+
+				*/
+
+				for(i=IoInitializeTimer; i<IoInitializeTimer+0xff; i++)
+				{
+					if(*(PUCHAR)i==0x48 && *(PUCHAR)(i+1)==0x8D && *(PUCHAR)(i+2)==0x0D)	
+					{
+						memcpy(&Temp,(PUCHAR)i+3,4);
+						IopTimerQueueHead = (ULONGLONG)Temp + (ULONGLONG)i + 7;
+
+						break;
+					}
+				}
+				break;
+			}
+
+		case WINDOWS_XP:
+			{
+				/*
+				kd> u IoInitializeTimer l 20
+				nt!IoInitializeTimer:
+				805d3044 8bff            mov     edi,edi
+				805d3046 55              push    ebp
+				805d3047 8bec            mov     ebp,esp
+				805d3049 56              push    esi
+				805d304a 8b7508          mov     esi,dword ptr [ebp+8]
+				805d304d 8b5618          mov     edx,dword ptr [esi+18h]
+				805d3050 85d2            test    edx,edx
+				805d3052 752d            jne     nt!IoInitializeTimer+0x40 (805d3081)
+				805d3054 68496f5469      push    69546F49h
+				805d3059 6a18            push    18h
+				805d305b 52              push    edx
+				805d305c e8a4eff7ff      call    nt!ExAllocatePoolWithTag (80552005)
+				805d3061 8bd0            mov     edx,eax
+				805d3063 85d2            test    edx,edx
+				805d3065 0f84f4c70100    je      nt!IoInitializeTimer+0x23 (805ef85f)
+				805d306b 57              push    edi
+				805d306c 6a06            push    6
+				805d306e 59              pop     ecx
+				805d306f 33c0            xor     eax,eax
+				805d3071 8bfa            mov     edi,edx
+				805d3073 f3ab            rep stos dword ptr es:[edi]
+				805d3075 66c7020900      mov     word ptr [edx],9
+				805d307a 897214          mov     dword ptr [edx+14h],esi
+				805d307d 895618          mov     dword ptr [esi+18h],edx
+				805d3080 5f              pop     edi
+				805d3081 8b450c          mov     eax,dword ptr [ebp+0Ch]
+				805d3084 89420c          mov     dword ptr [edx+0Ch],eax
+				805d3087 8b4510          mov     eax,dword ptr [ebp+10h]
+				805d308a 894210          mov     dword ptr [edx+10h],eax
+				805d308d 6880a65580      push    offset nt!IopTimerLock (8055a680)
+				805d3092 83c204          add     edx,4
+				805d3095 b9e01d5680      mov     ecx,offset nt!IopTimerQueueHead (80561de0)
+
+
+
+				*/
+
+				for(i=IoInitializeTimer;i<IoInitializeTimer+0xFF;i++)
+				{
+					if(*(PUCHAR)i==0xb9)	
+					{
+						IopTimerQueueHead = *(PULONG)(i + 1);
+						if (IopTimerQueueHead && MmIsAddressValid((PVOID)IopTimerQueueHead))
+						{
+							break;
+						}
+					}
+				}
+				break;
+			}
+		}
+
+
+	}
+	
+	return IopTimerQueueHead;
+}
+
+
+
+
+
+NTSTATUS HsOperIOTimer(PVOID InBuffer)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PCOMMUNICATE_IO_TIMER IoTimerInfor = (PCOMMUNICATE_IO_TIMER)InBuffer;
+	PDEVICE_OBJECT DeviceObject = (PDEVICE_OBJECT)IoTimerInfor->DeviceObject;
+
+	if (!DeviceObject ||
+		!MmIsAddressValid(DeviceObject))
+	{
+		return Status;
+	}
+
+	if (IoTimerInfor->bStart)
+	{
+		IoStartTimerAddress = (pfnIoStartTimer)HsGetFunctionAddressByName(L"IoStartTimer");
+		if (IoStartTimerAddress)
+		{
+			IoStartTimerAddress(DeviceObject);
+			Status = STATUS_SUCCESS;
+		}
+	}
+	else 
+	{
+		IoStopTimerAddress = (pfnIoStopTimer)HsGetFunctionAddressByName(L"IoStopTimer");
+		IoStopTimerAddress(DeviceObject);
+		Status = STATUS_SUCCESS;
+	}
+
+	return Status;
+}
+
+
+
+
+
+
+NTSTATUS RemoveIOTimer(PVOID InBuffer)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PLIST_ENTRY IopTimerQueueHead = 0;
+	KIRQL OldIrql;
+	PCOMMUNICATE_IO_TIMER IoTimerInfor = (PCOMMUNICATE_IO_TIMER)InBuffer;
+	PLIST_ENTRY  TimerEntry = (PLIST_ENTRY)IoTimerInfor->TimerEntry;
+
+
+
+	IopTimerQueueHead = (PLIST_ENTRY)GetIopTimerQueueHead();
+
+	if (!TimerEntry ||
+		!MmIsAddressValid(TimerEntry))
+	{
+		return Status;
+	}
+
+
+
+	OldIrql = KeRaiseIrqlToDpcLevel();
+
+	if (IopTimerQueueHead && MmIsAddressValid((PVOID)IopTimerQueueHead))
+	{
+		PLIST_ENTRY Temp = IopTimerQueueHead->Flink;
+
+		while (MmIsAddressValid(Temp) && Temp != IopTimerQueueHead)
+		{
+			if (Temp == TimerEntry)
+			{
+				PIO_TIMER Timer = CONTAINING_RECORD(Temp,IO_TIMER, TimerList);
+				if (Timer && MmIsAddressValid(Timer))
+				{
+					RemoveEntryList(Temp);
+					ExFreePoolWithTag(Timer,0);
+					Status = STATUS_SUCCESS;
+				}
+
+				break;
+			}
+
+			Temp = Temp->Flink;
+		}
+	}
+
+	KeLowerIrql(OldIrql);
+
+	return Status;
+}
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/IoTimer.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/IoTimer.h
new file mode 100644
index 0000000..a573de7
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/IoTimer.h
@@ -0,0 +1,102 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+typedef struct _IO_TIMER64
+{
+	short		Type;
+	short		TimerFlag;
+	long		Unknown;
+	LIST_ENTRY	TimerList;
+	PVOID		TimerRoutine;
+	PVOID		Context;
+	PVOID		DeviceObject;
+} IO_TIMER64,*PIO_TIMER64;
+
+
+typedef struct _IO_TIMER32
+{
+	short		Type;
+	short		TimerFlag;
+	LIST_ENTRY	TimerList;
+	PVOID		TimerRoutine;
+	PVOID		Context;
+	PVOID		DeviceObject;
+} IO_TIMER32,*PIO_TIMER32;
+
+#ifdef _WIN64
+#define PIO_TIMER PIO_TIMER64
+#define IO_TIMER  IO_TIMER64
+#else
+#define PIO_TIMER PIO_TIMER32
+#define IO_TIMER  IO_TIMER32
+#endif
+
+
+typedef struct _IO_TIMERS_
+{
+	ULONG_PTR TimerObject;
+	ULONG_PTR DeviceObject;
+	ULONG_PTR TimeDispatch;
+	ULONG_PTR TimerEntry;
+	ULONG     Status;
+}IO_TIMERS, *PIO_TIMERS;
+
+typedef struct _IO_TIMER_INFOR_
+{
+	ULONG ulCnt;
+	ULONG ulRetCnt;
+	IO_TIMERS IoTimer[1];
+}IO_TIMER_INFOR, *PIO_TIMER_INFOR;
+
+
+
+typedef struct _PCOMMUNICATE_IO_TIMER_  
+{
+	PLIST_ENTRY     TimerEntry;
+	PDEVICE_OBJECT  DeviceObject;
+	BOOLEAN         bStart;
+}COMMUNICATE_IO_TIMER,*PCOMMUNICATE_IO_TIMER;
+typedef
+	NTKERNELAPI
+	VOID
+	(*pfnIoStartTimer)(
+	IN PDEVICE_OBJECT DeviceObject);
+
+typedef
+	NTKERNELAPI
+	VOID
+	(*pfnIoStopTimer)(
+	IN PDEVICE_OBJECT DeviceObject);
+
+
+
+NTSTATUS HsEnumIOTimer(PVOID OutBuffer);
+
+ULONG_PTR GetIopTimerQueueHead();
+
+NTSTATUS HsOperIOTimer(PVOID InBuffer);
+
+NTSTATUS RemoveIOTimer(PVOID InBuffer);
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Kernel.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Kernel.c
new file mode 100644
index 0000000..c2740d1
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Kernel.c
@@ -0,0 +1,463 @@
+#include "Kernel.h"
+#include "KrnlFile.h"
+
+#include "GetFuncAddress.h"
+//////////////////////////////////////////////////////////////////////////
+extern     PDEVICE_OBJECT g_DeviceObject;
+extern     PDRIVER_OBJECT g_DriverObject;
+//////////////////////////////////////////////////////////////////////////
+
+//////////////////////////////////////////////////////////////////////////
+extern POBJECT_TYPE *IoDriverObjectType;
+extern POBJECT_TYPE *IoDeviceObjectType;
+//////////////////////////////////////////////////////////////////////////
+
+extern
+	WIN_VERSION WinVersion;
+extern
+	ULONG_PTR PreviousModeOffsetOf_KTHREAD;
+extern
+	ULONG_PTR ObjectTableOffsetOf_EPROCESS;
+extern
+	ULONG_PTR SYSTEM_ADDRESS_START;
+extern
+	ULONG_PTR ObjectHeaderSize;
+extern
+	ULONG_PTR ObjectTypeOffsetOf_Object_Header;
+
+
+extern ULONG_PTR
+	ulBuildNumber;
+//////////////////////////////////////////////////////////////////////////
+
+ULONG_PTR KiServiceTable = 0;
+KIRQL Irql;
+
+NTSTATUS HsDispatchControlForKernel(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet)
+{
+
+	WCHAR* szOutputBuffer = (WCHAR*)OutputBuffer;
+	ULONG				ulIoControlCode  = 0;
+	NTSTATUS			Status = STATUS_UNSUCCESSFUL;
+	PVOID               pvInputBuffer  = NULL;
+	ULONG               ulInputLen     = 0;
+	ULONG				ulOutputLen    = 0;
+
+
+	ULONG     ulFuncIndex = 0;
+	ULONG_PTR ulFuncAddr  = 0;
+	ULONG_PTR IndexOffset = 0;
+
+
+	pvInputBuffer   = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+	ulInputLen      = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
+	ProbeForRead(pvInputBuffer,ulInputLen,sizeof(CHAR));
+
+	ulOutputLen     = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
+
+	ProbeForWrite(OutputBuffer,ulOutputLen,sizeof(CHAR));
+
+	ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
+	ulIoControlCode = (ulIoControlCode>>2)&0x00000FFF;
+
+	DbgPrint("%x\r\n",ulIoControlCode);
+
+	HsInitKernelGlobalVariable();
+
+	switch(ulIoControlCode)
+	{
+	case HS_IOCTL_KRNL_KISRVTAB:
+		{
+			DbgPrint("HS_IOCTL_KRNL_KISRVTAB\r\n");
+
+			switch(WinVersion)
+			{
+			case WINDOWS_7:
+				{
+					KiServiceTable = *((ULONG_PTR*)GetKeServiceDescriptorTable64());
+					break;
+				}
+			case WINDOWS_XP:
+				{
+					KiServiceTable = *((ULONG_PTR*)HsGetFunctionAddressByName(L"KeServiceDescriptorTable"));
+					break;
+				}
+
+			}
+
+			memcpy(OutputBuffer, &KiServiceTable,sizeof(KiServiceTable));	
+			*ulRet = sizeof(ULONG_PTR);
+			Status = STATUS_SUCCESS;
+
+			break;
+		}
+	case HS_IOCTL_KRNL_SSDTLIST:
+		{
+			ULONG_PTR SSDTDescriptor = 0;
+
+			DbgPrint("HS_IOCTL_KRNL_SSDTLIST\r\n");
+
+			memcpy(&ulFuncIndex, pvInputBuffer,sizeof(ULONG));
+			switch(WinVersion)
+			{
+			case WINDOWS_7:
+				{
+					SSDTDescriptor = GetKeServiceDescriptorTable64();
+					IndexOffset = 4;
+
+					break;
+				}
+
+			case WINDOWS_XP:
+				{
+					SSDTDescriptor = (ULONG_PTR)HsGetFunctionAddressByName(L"KeServiceDescriptorTable");
+					IndexOffset = 1;
+
+					break;
+				}
+			}
+
+			ulFuncAddr =  GetSSDTApiFunAddress(ulFuncIndex,SSDTDescriptor);
+
+			DbgPrint("%p\r\n",ulFuncAddr);
+
+			memcpy(OutputBuffer, &ulFuncAddr,sizeof(ULONG_PTR));
+			*ulRet = sizeof(ULONG_PTR);
+			Status = STATUS_SUCCESS;
+
+			break;
+		}
+
+	case HS_IOCTL_KRNL_WIN32KSERVICE:
+		{
+			DbgPrint("HS_IOCTL_KRNL_WIN32KSERVICE\r\n");
+
+			switch(WinVersion)
+			{
+			case WINDOWS_7:
+				{
+					KiServiceTable = GetKeServiceDescriptorTableShadow64();
+
+					KiServiceTable = (ULONG_PTR)((PSYSTEM_SERVICE_TABLE64)KiServiceTable)->ServiceTableBase;
+					break;
+				}
+
+			case WINDOWS_XP:
+				{
+					KiServiceTable = GetKeServiceDescriptorTableShadow32();
+
+					KiServiceTable = (ULONG_PTR)((PSYSTEM_SERVICE_TABLE32)KiServiceTable)->ServiceTableBase;
+					break;
+				}
+			}
+			memcpy(OutputBuffer, &KiServiceTable,sizeof(KiServiceTable));	
+
+			*ulRet = sizeof(ULONG_PTR);
+			Status = STATUS_SUCCESS;
+			break;
+		}
+	case HS_IOCTL_KRNL_RESUMESSDT:
+		{
+			RESUME_DATA  Data = {0};
+
+			DbgPrint("HS_IOCTL_KRNL_RESUMESSDT\r\n");
+
+			memcpy(&Data, pvInputBuffer,sizeof(Data));
+
+			HsUnHookSSDT(Data.ulIndex,Data.ulFuncAddress);
+
+			*ulRet = sizeof(ULONG_PTR);
+			Status = STATUS_SUCCESS;
+			break;
+		}
+	case HS_IOCTL_KRNL_SSSDTLIST:
+		{
+			ULONG_PTR SSSDTFuncAddress = 0;
+
+			DbgPrint("HS_IOCTL_KRNL_WIN32KSERVICE\r\n");
+
+			memcpy(&ulFuncIndex,pvInputBuffer,4);
+			switch(WinVersion)
+			{
+			case WINDOWS_7:
+				{
+
+					KiServiceTable = GetKeServiceDescriptorTableShadow64();
+
+					KiServiceTable = (ULONG_PTR)((PSYSTEM_SERVICE_TABLE64)KiServiceTable)->ServiceTableBase;
+
+					SSSDTFuncAddress = GetSSSDTFunctionAddress64(ulFuncIndex,KiServiceTable);
+
+					break;
+				}
+
+			case WINDOWS_XP:
+				{
+					KiServiceTable = GetKeServiceDescriptorTableShadow32();
+
+					KiServiceTable = (ULONG_PTR)((PSYSTEM_SERVICE_TABLE32)KiServiceTable)->ServiceTableBase;
+
+					SSSDTFuncAddress = GetSSSDTFunctionAddress32(ulFuncIndex,KiServiceTable);
+					break;
+				}
+			}
+
+
+			memcpy(OutputBuffer, &SSSDTFuncAddress,sizeof(SSSDTFuncAddress));	
+
+			*ulRet = sizeof(ULONG_PTR);
+			Status = STATUS_SUCCESS;
+			break;
+		}
+
+	case HS_IOCTL_KRNL_KRNLFILE:
+		{
+			DbgPrint("HS_IOCTL_KRNL_KRNLFILE\r\n");
+
+			Status = HsEnumKernelFileFunc(*(int*)pvInputBuffer,OutputBuffer,ulOutputLen);
+			*ulRet = sizeof(ULONG_PTR);
+			break;
+		}
+	case HS_IOCTL_KRNL_KRNLIAT:
+		{
+			DbgPrint("HS_IOCTL_KRNL_KRNLIAT\r\n");
+			DbgPrint("EAT: %s\r\n",pvInputBuffer);
+
+			Status = HsQueryKernelFileFuncIAT(OutputBuffer,ulOutputLen,(char*)pvInputBuffer);
+			
+			*ulRet = sizeof(ULONG_PTR);
+			break;
+		}
+	case HS_IOCTL_KRNL_KRNLEAT:
+		{
+			DbgPrint("HS_IOCTL_KRNL_KRNLEAT\r\n");
+			DbgPrint("EAT: %s\r\n",pvInputBuffer);
+
+			Status = HsQueryKernelFileFuncEAT(OutputBuffer,ulOutputLen,(char*)pvInputBuffer);
+
+			*ulRet = sizeof(ULONG_PTR);
+			break;
+		}
+	default:
+		{
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return Status;
+}
+
+
+
+VOID HsInitKernelGlobalVariable()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+			ObjectHeaderSize = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			SYSTEM_ADDRESS_START = 0x80000000;
+			break;
+		}
+
+	case WINDOWS_7:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ObjectHeaderSize = 0x30;
+			SYSTEM_ADDRESS_START = 0x80000000000;
+			break;
+		}
+	}
+}
+
+
+
+ULONG_PTR GetKeServiceDescriptorTableShadow64()
+{
+	PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
+	PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
+	PUCHAR i = NULL;
+	UCHAR b1=0,b2=0,b3=0;
+	ULONG_PTR Temp = 0;
+	ULONG_PTR Address = 0;
+	for(i=StartSearchAddress;i<EndSearchAddress;i++)
+	{
+		if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
+		{
+			b1=*i;
+			b2=*(i+1);
+			b3=*(i+2);
+			if( b1==0x4c && b2==0x8d && b3==0x1d ) //4C8D1D
+			{
+				memcpy(&Temp,i+3,4);
+				Address = (ULONG_PTR)Temp + (ULONG_PTR)i + 7;
+
+
+
+				Address+=32;
+
+				return Address;
+			}
+		}
+	}
+	return 0;
+}
+
+ULONG_PTR GetSSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR ServiceTableBase)
+{
+
+	return (ULONG_PTR)(((ULONG*)ServiceTableBase)[(ULONG)ulIndex]);
+}
+
+
+ULONG_PTR GetSSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR ServiceTableBase)
+{
+	LONG dwTemp=0;
+	ULONG_PTR qwTemp=0;
+	ULONG_PTR FuncAddress =0;
+	qwTemp = ServiceTableBase + 4 * (ulIndex);
+	dwTemp = *(PLONG)qwTemp;
+	dwTemp = dwTemp>>4;
+	FuncAddress = ServiceTableBase + (ULONG_PTR)dwTemp;
+	return FuncAddress;
+}
+
+
+
+ULONG_PTR GetKeServiceDescriptorTableShadow32()
+{
+	WCHAR szKeAddSystemServiceTable[] = L"KeAddSystemServiceTable";
+	ULONG_PTR KeAddSystemServiceTableAddress = NULL;
+	ULONG_PTR Temp = 0;
+	ULONG_PTR Address = 0;
+	int i = 0;
+	PUCHAR StartSearchAddress;
+	KeAddSystemServiceTableAddress = (ULONG_PTR)HsGetFunctionAddressByName(szKeAddSystemServiceTable);
+
+	if (KeAddSystemServiceTableAddress==NULL)
+	{
+		return 0;
+	}
+
+
+	for (StartSearchAddress = (PUCHAR)KeAddSystemServiceTableAddress; 
+			StartSearchAddress < (PUCHAR)KeAddSystemServiceTableAddress + PAGE_SIZE; 
+			StartSearchAddress++)
+		{
+			if (ulBuildNumber < 8000)
+			{
+			
+				if (*(unsigned short*)StartSearchAddress == 0x888d)
+				{
+					Temp = *(ULONG_PTR*)(StartSearchAddress+2);
+			
+					Address = Temp + 16;
+				
+				
+					/*
+					kd> dd 80553f60
+					80553f60  80502b8c 00000000 0000011c 80503000    SSDT
+					80553f70  bf999b80 00000000 0000029b bf99a890    ShadowSSDT  ËùÒÔÒª¼Ó16
+					80553f80  00000000 00000000 00000000 00000000
+					80553f90  00000000 00000000 00000000 00000000
+					80553fa0  80502b8c 00000000 0000011c 80503000
+					80553fb0  00000000 00000000 00000000 00000000
+					80553fc0  00000000 00000000 00000000 00000000
+					80553fd0  00000000 00000000 00000000 00000000
+					*/
+					break;
+				}
+			}
+
+			//ÆäËû°æ±¾
+			else if (ulBuildNumber>=8000)
+			{
+				if (*(unsigned short*)StartSearchAddress==0xb983)
+				{
+					i++;
+					if (i==1)
+					{
+					}
+
+					if (i==2)
+					{
+						Temp = *(ULONG_PTR*)(StartSearchAddress+2);
+
+						Address = Temp + 16;
+						break;
+					}
+				}
+			}
+		}
+
+
+
+	return Address;
+
+}
+
+
+ULONG GetOffsetAddress(ULONG_PTR FuncAddr)
+{
+	ULONG dwTemp=0;
+	dwTemp= (ULONG)(FuncAddr-(ULONG_PTR)KiServiceTable);
+	return dwTemp<<4;
+}
+
+
+VOID HsUnHookSSDT(ULONG Index, ULONG_PTR FuncAddr)
+{
+	ULONG dwTemp;
+	PULONG ServiceTableBase=NULL;
+
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			dwTemp=GetOffsetAddress(FuncAddr);
+			ServiceTableBase=(PULONG)KiServiceTable;
+			WPOFF();
+			ServiceTableBase[Index]=dwTemp;
+			WPON();
+
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			ServiceTableBase=(PULONG)KiServiceTable;
+			WPOFF();
+			ServiceTableBase[Index]=FuncAddr;
+			WPON();
+
+			break;
+		}
+	}
+
+}
+
+
+VOID WPOFF()
+{
+	ULONG_PTR cr0 = 0;
+	Irql = KeRaiseIrqlToDpcLevel();
+	cr0 =__readcr0();
+	cr0 &= 0xfffffffffffeffff;
+	__writecr0(cr0);
+	//_disable();                      //Õâ¾ä»° ÆÁ±ÎÒ²Ã»ÓÐÉ¶
+
+}
+
+VOID WPON()
+{
+
+	ULONG_PTR cr0=__readcr0();
+	cr0 |= 0x10000;
+	//_enable();                      //Õâ¾ä»° ÆÁ±ÎÒ²Ã»ÓÐÉ¶
+	__writecr0(cr0);
+	KeLowerIrql(Irql);
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Kernel.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Kernel.h
new file mode 100644
index 0000000..67c9002
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Kernel.h
@@ -0,0 +1,56 @@
+/**************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : Kernel.h
+*
+* Command: 
+*	ÄÚºË¹³×Ó´ó¹¦ÄÜµÄÖ÷ÎÄ¼þ
+*
+* Description:
+*	ÓëÄÚºË¹³×ÓÏà¹ØµÄËùÓÐ¹¦ÄÜ¼¯ºÏÎÄ¼þ
+*
+****************************************************************************************
+* Copyright (C) 2015 HeavenShadow.
+****************************************************************************************/
+
+
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+typedef struct _RESUME_DATA_ 
+{
+	ULONG ulIndex;
+	ULONG_PTR ulFuncAddress;
+}RESUME_DATA,*PRESUME_DATA;
+
+#define MAX_PATH 260
+
+
+NTSTATUS HsDispatchControlForKernel(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet);
+
+VOID HsInitKernelGlobalVariable();
+
+ULONG_PTR GetKeServiceDescriptorTableShadow64();
+
+ULONG_PTR GetSSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR ServiceTableBase);
+
+ULONG_PTR GetKeServiceDescriptorTableShadow32();
+
+ULONG_PTR GetSSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR ServiceTableBase);
+
+VOID HsUnHookSSDT(ULONG Index, ULONG_PTR FuncAddr);
+
+ULONG GetOffsetAddress(ULONG_PTR FuncAddr);
+
+VOID WPOFF();
+
+VOID WPON();
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/KrnlFile.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/KrnlFile.c
new file mode 100644
index 0000000..d90f026
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/KrnlFile.c
@@ -0,0 +1,953 @@
+#include "KrnlFile.h"
+
+#include <stdlib.h>
+
+
+FILE_INFOR	 FileInfor;
+char szModuleFileFullName[256] = {0};
+ULONG_PTR  ulKernelBase = 0;
+ULONG_PTR  ulKernelSize = 0;
+
+PSYSTEM_MODULE_INFORMATION ModuleInforBuffer = NULL;
+ULONG_PTR ModuleInforNeedSize = 0;
+PFILE_INFOR PFileInfor = NULL;
+
+NTSTATUS HsEnumKernelFileFunc(int KernelFile, PVOID OutputBuffer, ULONG_PTR ulOutputLen)
+{
+	NTSTATUS Status = STATUS_SUCCESS;
+
+	switch(KernelFile)
+	{
+	case HS_KERNEL_KERNELFILE_NTOSKRNL_IAT:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_NTOSKRNL_IAT:%d\r\n",ulOutputLen);
+			Status = HsQueryKernelFileFuncIAT(OutputBuffer,ulOutputLen,"ntoskrnl.exe");
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_NTOSKRNL_EAT:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_NTOSKRNL_EAT\r\n");
+			Status = HsQueryKernelFileFuncEAT(OutputBuffer,ulOutputLen,"ntoskrnl.exe");
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_WIN32K_IAT:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_WIN32K_IAT\r\n");
+			Status = HsQueryKernelFileFuncIAT(OutputBuffer,ulOutputLen,"win32k.sys");
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_WIN32K_EAT:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_WIN32K_EAT\r\n");
+			Status = HsQueryKernelFileFuncEAT(OutputBuffer,ulOutputLen,"win32k.sys");
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_HALDLL_IAT:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_HALDLL_IAT\r\n");
+			Status = HsQueryKernelFileFuncIAT(OutputBuffer,ulOutputLen,"hal.dll");
+			break;
+		}
+	case HS_KERNEL_KERNELFILE_HALDLL_EAT:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_HALDLL_EAT\r\n");
+			Status = HsQueryKernelFileFuncEAT(OutputBuffer,ulOutputLen,"hal.dll");
+			break;
+		}
+	default:
+		{
+			DbgPrint("HS_KERNEL_KERNELFILE_UNKNOWN\r\n");
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return Status;
+}
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+NTSTATUS HsQueryKernelFileFuncIAT(PVOID OutputBuffer, ULONG_PTR ulOutputLen, char* szModuleFile)
+{
+
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	SYSTEM_MODULE_INFORMATION_ENTRY  Temp;
+	BOOLEAN bRet = FALSE;
+
+	DbgPrint("GetModuleInforNtoskrnl now:::\r\n");
+
+	if (GetModuleInforKernelFile(&ulKernelBase,&ulKernelSize,szModuleFileFullName,szModuleFile))
+	{
+		DbgPrint("GetModuleInforNtoskrnl success\r\n");
+	}
+	FileInfor.BaseAddress = (PVOID)ulKernelBase;
+	FileInfor.Size = ulKernelSize;
+
+// 	if (GetModuleInfor(szModuleFile,szModuleFileFullName,&Temp))
+// 	{
+// 		DbgPrint("GetModuleInforNtoskrnl success\r\n");
+// 	}
+// 	FileInfor.BaseAddress = (PVOID)Temp.Base;
+// 	FileInfor.Size = Temp.Size;
+
+	strcpy(FileInfor.szFileFullName,szModuleFileFullName);
+	ReadFileData(&FileInfor);
+
+	Status = HsEnumIATTable((PMODULE_IAT)OutputBuffer,ulOutputLen);
+
+	if (FileInfor.szFileData!=NULL)
+	{
+		ExFreePool(FileInfor.szFileData);
+	}
+
+	Status = STATUS_SUCCESS;
+
+	return Status;
+}
+
+NTSTATUS HsEnumIATTable(PMODULE_IAT OutBuffer, ULONG_PTR OutSize)
+{
+
+	NTSTATUS						 Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR                        NeedSize = 0;
+	PSYSTEM_MODULE_INFORMATION       Buffer = NULL;
+	ULONG_PTR                        KernelModuleCount = 0;
+	PIMAGE_IMPORT_DESCRIPTOR	     ImportTable = NULL;
+	ULONG_PTR                        ImportSize  = 0;
+	ULONG_PTR                        ImportDiff  = 0;
+
+	PIMAGE_THUNK_DATA				 ImportFirstThunk  = NULL;
+	ULONG_PTR						 IATSize     = 0;
+	ULONG_PTR						 IATDiff     = 0;
+
+	PSYSTEM_MODULE_INFORMATION       ModuleInfor = NULL;
+	char                             szIATOriImageFile[60] = {0};
+	PFILE_INFOR                      ModuleFile = NULL;
+	ULONG_PTR                        OriginalFuncAddress      = 0;
+
+	PIMAGE_IMPORT_DESCRIPTOR		 ImportDescArray[64];
+	ULONG_PTR						 ImportDescIndex = 0;
+	char*                            ImportModuleName         = NULL;
+	ULONG_PTR                        Max = 0;
+	PIMAGE_THUNK_DATA                ImportOriFirstThunk      = NULL;
+	PIMAGE_IMPORT_BY_NAME            OrdinalName              = NULL;
+	ULONG                            x = 0;
+	ULONG_PTR                        ulCount = (OutSize - sizeof(MODULE_IAT)) / sizeof(IAT_INFO);
+
+	if(FileInfor.BaseAddress!=0)
+	{
+		ImportTable = (PIMAGE_IMPORT_DESCRIPTOR)GetDirectoryAddr((PUCHAR)FileInfor.szFileData, 
+			IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportSize, &ImportDiff, TRUE);	//ÎÄ¼þÄÚÈÝ
+
+		ImportFirstThunk = (PIMAGE_THUNK_DATA)GetDirectoryAddr((PUCHAR)FileInfor.BaseAddress, 
+			IMAGE_DIRECTORY_ENTRY_IAT, &IATSize, &IATDiff, FALSE);			//ÄÚ´æÄÚÈÝ
+
+		if (IATSize/sizeof(ULONG)> ulCount)
+		{
+			OutBuffer->ulCount = IATSize/sizeof(ULONG);
+
+			Status = STATUS_BUFFER_TOO_SMALL;
+
+			goto Exit;
+		}
+
+		if(!ImportFirstThunk || !ImportTable)
+		{
+			goto Exit;
+		}
+
+		while (ImportTable->Name)  //µ¼ÈëÄ£¿é²»Îª¿Õ  ´Ó×Ô¼ºµÄÄÚ´æÖÐ»ñµÃËùÓÐµÄÄ£¿é
+		{
+			ImportDescArray[ImportDescIndex] = ImportTable;
+
+			ImportDescIndex++;
+			ImportTable++;
+		}
+
+		if (ImportDescIndex==0)
+		{
+			goto Exit;  //¸ÃÄ£¿éÃ»ÓÐÈÎºÎµÄµ¼ÈëÄ£¿é
+		}
+
+		Max = ImportDescIndex;
+		ImportDescIndex = 0;
+		ImportTable = ImportDescArray[ImportDescIndex];
+		ImportDescIndex++;
+
+		ImportModuleName = MakePtr(char*,FileInfor.szFileData,ImportTable->Name - ImportDiff);  //ÎÄ¼þÄÚÈÝ
+
+		if (!ImportModuleName)
+		{
+			goto Exit;
+		}
+
+		ImportOriFirstThunk = MakePtr(PIMAGE_THUNK_DATA,FileInfor.szFileData,
+			ImportTable->OriginalFirstThunk - ImportDiff);//ÎÄ¼þÄÚÈÝ
+
+		//Í¨¹ýµ¼ÈëµÄÄ£¿éÃûÕÒµ½µ¼ÈëÄ£¿é
+
+		while (ImportOriFirstThunk && ImportModuleName && //µ¼ÈëÄ£¿éµÄº¯ÊýÃû³Æ  µ¼ÈëµÄÄ£¿éÃû³Æ 
+			IATSize && ImportFirstThunk->u1.Function) 
+		{
+
+			if (_stricmp(szIATOriImageFile,ImportModuleName)!=0)
+			{
+				if (ModuleFile!=NULL && ModuleFile->szFileData != NULL && MmIsAddressValid(ModuleFile->szFileData))
+				{
+					DbgPrint("ExFreePool(ModuleFile->szFileData)\r\n");
+					ExFreePool(ModuleFile->szFileData);
+				}
+				ModuleFile = CreateFileData(NULL,ImportModuleName);
+				if (ModuleFile == NULL)
+				{
+					DbgPrint("CreateFileData Failed\r\n");
+					goto Exit;
+				}
+
+				memset(szIATOriImageFile,0,60);
+				strcpy(szIATOriImageFile,ImportModuleName);
+			}
+
+			strcpy(OutBuffer->Data[x].szModuleName,ImportModuleName);
+
+			OrdinalName   = MakePtr(PIMAGE_IMPORT_BY_NAME, 
+				FileInfor.szFileData, 
+				(ULONG_PTR)ImportOriFirstThunk->u1.AddressOfData - ImportDiff);  //Í¨¹ýOriginal(ÎÄ¼þ)»ñµÃº¯ÊýÃû³Æ
+
+			//DbgPrint("º¯ÊýÃû³Æ:%s   º¯ÊýµØÖ·:0x%p\r\n",OrdinalName->Name,ImportFirstThunk->u1.Function);  //´ÓFirst(ÄÚ´æ)ÖÐ»ñµÃº¯ÊýµØÖ·
+
+			if(GetAddrOfExportFuncAddr((PUCHAR)ModuleFile->szFileData,(CHAR*)OrdinalName->Name, &OriginalFuncAddress, 
+				TRUE))//´Óµ¼ÈëµÄÄ£¿éÖÐ»ñµÃº¯ÊýµØÖ·
+			{
+				OriginalFuncAddress += (ULONG_PTR)ModuleFile->BaseAddress;
+				DbgPrint("ExportFuncAddr: %p\r\n",OriginalFuncAddress);
+			}
+
+
+			strcpy(OutBuffer->Data[x].szFunctionName,(char*)OrdinalName->Name);
+			OutBuffer->Data[x].CurFuncAddress = ImportFirstThunk->u1.Function;
+			OutBuffer->Data[x].OriFuncAddress = OriginalFuncAddress;
+
+			x++;
+
+			ImportFirstThunk++;
+			IATSize   -= sizeof(ULONG);
+			ImportOriFirstThunk++;
+
+			if (IATSize==0)
+			{
+				break;
+			}
+
+			if(ImportFirstThunk->u1.Function == 0)  //Ò»¸öµ¼ÈëÄ£¿éÒÑ¾­±éÀúÍê³É
+			{
+				ImportFirstThunk++; 
+				IATSize -= sizeof(ULONG);
+
+				ImportTable = ImportDescArray[ImportDescIndex];  // ´ÓÊý×éÖÐ»ñµÃÏÂÒ»¸öµ¼³öÄ£¿é
+
+				if (ImportDescIndex==Max)
+				{
+					break;
+				}
+
+				ImportDescIndex++;
+
+				ImportModuleName = MakePtr(char*,FileInfor.szFileData,ImportTable->Name - ImportDiff);
+				ImportOriFirstThunk = MakePtr(PIMAGE_THUNK_DATA,FileInfor.szFileData,
+					ImportTable->OriginalFirstThunk - ImportDiff);//ÎÄ¼þÄÚÈÝ
+
+				if( ImportOriFirstThunk == NULL || 
+					ImportModuleName	 == NULL || 
+					(PULONG)ImportFirstThunk->u1.Function == NULL || 
+					IATSize == 0)
+				{
+					break;
+				}
+			}
+		}
+	}
+
+	OutBuffer->ulCount = x;
+
+	Status = STATUS_SUCCESS;
+
+Exit:
+
+	if (ModuleFile!=NULL && ModuleFile->szFileData != NULL && MmIsAddressValid(ModuleFile->szFileData))
+	{
+		DbgPrint("ExFreePool(ModuleFile->szFileData)\r\n");
+		ExFreePool(ModuleFile->szFileData);
+	}
+
+	return Status;
+}
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+NTSTATUS HsQueryKernelFileFuncEAT(PVOID OutputBuffer, ULONG_PTR ulOutputLen, char* szModuleFile)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+
+	DbgPrint("GetModuleInforNtoskrnl now:::\r\n");
+
+	if (GetModuleInforKernelFile(&ulKernelBase,&ulKernelSize,szModuleFileFullName,szModuleFile))
+	{
+		DbgPrint("GetModuleInforNtoskrnl success\r\n");
+	}
+
+	Status = HsEnumEATTable((PVOID)ulKernelBase,(PMODULE_EAT)OutputBuffer,ulOutputLen,szModuleFile);
+
+	return Status;
+}
+
+
+NTSTATUS HsEnumEATTable(PVOID  KernelBase,PMODULE_EAT OutBuffer, ULONG_PTR OutSize, char* szModuleFileName)
+{
+	PIMAGE_DOS_HEADER  DosHeader;
+	PIMAGE_NT_HEADERS  NtHeader;
+	IMAGE_OPTIONAL_HEADER  OptionHead;
+	PIMAGE_EXPORT_DIRECTORY ExportTable;
+	ULONG*             ArrayOfFunctionAddress;
+	ULONG*             ArrayOfFunctionName;
+	short*             ArrayOfFunctionOrdinals;
+	ULONG_PTR          Base; 
+	ULONG_PTR          x;
+	char*              FunctionName;
+	ULONG_PTR          FunctionOrdinals;
+	ULONG_PTR          FunctionAddress;
+	ULONG_PTR          ulCount = (OutSize - sizeof(MODULE_EAT)) / sizeof(EAT_INFO);
+
+	PFILE_INFOR        ModuleFile = NULL;
+	ULONG_PTR          OriginalFuncAddress      = 0;
+
+	DosHeader = (PIMAGE_DOS_HEADER)KernelBase;
+
+	if (DosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
+	{
+		return STATUS_UNSUCCESSFUL;
+	}
+
+	NtHeader =  (PIMAGE_NT_HEADERS)((ULONG_PTR)DosHeader + DosHeader->e_lfanew);
+
+	if (NtHeader->Signature!=IMAGE_NT_SIGNATURE)
+	{
+
+		return STATUS_UNSUCCESSFUL;
+	}
+
+	//////////////////////////////////////////////////////////////////////////
+	ModuleFile = CreateFileData(NULL,szModuleFileName);
+
+	if (ModuleFile == NULL)
+	{
+		DbgPrint("CreateFileData Failed\r\n");
+		return STATUS_UNSUCCESSFUL;
+	}
+	//////////////////////////////////////////////////////////////////////////
+
+	OptionHead = NtHeader->OptionalHeader;
+
+	ExportTable = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DosHeader + 
+		OptionHead.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);  //»ñµÃµ¼³ö±íµÄRVA
+
+
+	ArrayOfFunctionAddress = (ULONG*)((ULONG_PTR)DosHeader + ExportTable->AddressOfFunctions);
+	ArrayOfFunctionName = (ULONG*)((ULONG_PTR)DosHeader+ExportTable->AddressOfNames);
+	ArrayOfFunctionOrdinals = (short*)((ULONG_PTR)DosHeader+ExportTable->AddressOfNameOrdinals);
+
+	Base = ExportTable->Base;
+
+
+	if (ExportTable->NumberOfFunctions > ulCount)
+	{
+		OutBuffer->ulCount = ExportTable->NumberOfFunctions ;
+
+		return STATUS_BUFFER_TOO_SMALL;
+	}
+
+	for (x=0;x<ExportTable->NumberOfFunctions;x++)
+	{
+		FunctionName = (char*)((ULONG_PTR)DosHeader+ArrayOfFunctionName[x]);
+		FunctionOrdinals = ArrayOfFunctionOrdinals[x] + Base -1;
+		FunctionAddress  = (ULONG_PTR)((ULONG_PTR)DosHeader +  
+			ArrayOfFunctionAddress[FunctionOrdinals]);
+
+		if(GetAddrOfExportFuncAddr((PUCHAR)ModuleFile->szFileData,(CHAR*)FunctionName, &OriginalFuncAddress, 
+			TRUE))//´Óµ¼ÈëµÄÄ£¿éÖÐ»ñµÃº¯ÊýµØÖ·
+		{
+			OriginalFuncAddress += (ULONG_PTR)ModuleFile->BaseAddress;
+			DbgPrint("OriFuncAddr: %p\r\n",OriginalFuncAddress);
+		}
+
+		//DbgPrint("%s    %p\r\n",FunctionName,FunctionAddress);
+		OutBuffer->Data[x].CurFuncAddress = FunctionAddress;
+		OutBuffer->Data[x].OriFuncAddress = OriginalFuncAddress;
+
+		memcpy(OutBuffer->Data[x].szFunctionName,FunctionName,strlen(FunctionName));
+	}
+	OutBuffer->ulCount = ExportTable->NumberOfFunctions;
+
+	//////////////////////////////////////////////////////////////////////////
+	if (ModuleFile!=NULL && ModuleFile->szFileData != NULL && MmIsAddressValid(ModuleFile->szFileData))
+	{
+		DbgPrint("ExFreePool(ModuleFile->szFileData)\r\n");
+		ExFreePool(ModuleFile->szFileData);
+	}
+	//////////////////////////////////////////////////////////////////////////
+
+	return STATUS_SUCCESS;
+}
+
+
+
+//////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////////////////////////////////////////
+
+
+
+BOOLEAN  ReadFileData(PFILE_INFOR FileInfor)
+{
+
+	WCHAR     wzFileName[256];
+	HANDLE    hFile  = NULL;
+	IO_STATUS_BLOCK   iosb;
+	OBJECT_ATTRIBUTES oa;
+	UNICODE_STRING    uniFileName;
+	NTSTATUS          Status;
+	FILE_STANDARD_INFORMATION   FileStandardInfor;
+	LARGE_INTEGER               Offset = {0,0};
+
+	mbstowcs(wzFileName,FileInfor->szFileFullName,256);
+
+
+	//DbgPrint("%S\r\n",uniFileName);
+
+	RtlInitUnicodeString(&uniFileName,wzFileName);
+
+	//³õÊ¼»¯ÎÒÃÇµÄ¶ÔÏóÊôÐÔ
+
+	InitializeObjectAttributes(&oa,&uniFileName,OBJ_CASE_INSENSITIVE,NULL,NULL);
+
+
+	Status = ZwCreateFile(&hFile,GENERIC_READ,&oa,&iosb,NULL,
+		FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_OPEN,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);
+
+	if(Status!=STATUS_SUCCESS)
+	{
+
+		return FALSE;
+	}
+	else
+	{
+		//	DbgPrint("Get File Success\n");
+	}
+
+
+	//»ñµÃÎÄ¼þÐÅÏ¢
+
+	Status = ZwQueryInformationFile(hFile,&iosb,&FileStandardInfor,sizeof(FILE_STANDARD_INFORMATION),
+		FileStandardInformation);
+
+
+	if (!NT_SUCCESS(Status))
+	{
+		ZwClose(hFile);
+
+		return FALSE;
+	}
+
+	//¶¯Ì¬ÉêÇëÄÚ´æ
+
+	if (FileStandardInfor.AllocationSize.u.LowPart == 0)
+	{
+		ZwClose(hFile);
+
+		return FALSE;
+	}
+
+	FileInfor->szFileData = (char*)ExAllocatePool(PagedPool,FileStandardInfor.AllocationSize.u.LowPart);
+
+	if (FileInfor->szFileData==NULL)
+	{
+		ZwClose(hFile);
+
+		return FALSE;
+	}
+
+
+	//¶ÁÈ¡ÎÄ¼þ³¤¶È
+
+	Status = ZwReadFile(hFile,
+		NULL,
+		NULL,
+		NULL,
+		&iosb,
+		FileInfor->szFileData ,
+		FileStandardInfor.AllocationSize.u.LowPart,
+		&Offset,
+		NULL);
+
+	if (!NT_SUCCESS(Status))
+	{
+		//DbgPrint("SysÎÄ¼þ¶ÁÈ¡Ê§°Ü\r\n");
+		ExFreePool(FileInfor->szFileData);
+		ZwClose(hFile);
+		return FALSE;
+	}
+	ZwClose(hFile);
+
+	return TRUE;
+
+}
+
+PVOID
+	GetDirectoryAddr(PUCHAR AddressBase,USHORT DirectoryIndex,
+	ULONG_PTR* ulSize,ULONG_PTR* ulDiff,BOOLEAN IsFile)
+{
+	PIMAGE_DOS_HEADER  DosHeader = NULL;
+	PIMAGE_NT_HEADERS  NtHeader  = NULL;
+	PIMAGE_SECTION_HEADER  SectionHeader = NULL;
+	PVOID			   DirAddr   = NULL;
+
+
+	DosHeader = (PIMAGE_DOS_HEADER)AddressBase;
+
+	if (!MmIsAddressValid(DosHeader))
+	{
+		return NULL;
+	}
+
+	if (DosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
+	{
+		return NULL;
+	}
+
+
+	NtHeader = MakePtr(PIMAGE_NT_HEADERS,DosHeader,DosHeader->e_lfanew);
+
+
+	if (!MmIsAddressValid(NtHeader))
+	{
+		return NULL;
+	}
+
+	if (NtHeader->Signature!=IMAGE_NT_SIGNATURE)
+	{
+		return NULL;
+	}
+
+
+
+	if (IsFile)  //ÕâÀïÅÐ¶ÏÊÇ·ñÊÇÎÄ¼þÓ³Éä »¹ÊÇ½«ÎÄ¼þ¶ÁÈëµ½ÄÚ´æµÄÐÎÊ½
+	{
+
+
+		//ÅÐ¶Ïµ¼Èë±íÊôÓÚÄÇ¸ö½Ú±íÖÐ
+		SectionHeader = GetSectionHeaderFromRva(NtHeader->OptionalHeader.DataDirectory[DirectoryIndex].VirtualAddress,
+			NtHeader);   
+
+
+		if (SectionHeader==NULL)
+		{
+			return NULL;
+		}
+
+		//  PointerToRawData == 0x200       VirtualAddress == 0x1000    
+		//                                              RVA = 0x1030
+
+		//	ÄÇÃ´µ¼³ö±íÔÚÎÄ¼þÖÐµÄÆ«ÒÆ¾ÍÊÇ0x230  ·µ»Ø	
+
+		//½ÚÔÚÄÚ´æÖÐµÄRVA - ÔÚÎÄ¼þÖÐ½ÚµÄÆ«ÒÆ = ¸Ã½Ú±»Ìá¸ßÁË¶àÉÙ        
+		*ulDiff = (int)(SectionHeader->VirtualAddress - SectionHeader->PointerToRawData);   
+		//0x1000 - 0x200 = 0xE00	
+
+	}
+
+	else
+	{
+		*ulDiff = 0;
+	}
+
+
+	DirAddr = MakePtr(PVOID,DosHeader,NtHeader->OptionalHeader.DataDirectory[DirectoryIndex].VirtualAddress - *ulDiff); 
+
+
+	if (DirAddr == (VOID*)NtHeader)
+	{
+		return NULL;
+	}
+
+
+	if (ulSize)
+	{
+		*ulSize = MakePtr(ULONG_PTR,DosHeader,NtHeader->OptionalHeader.DataDirectory[DirectoryIndex].Size); 
+
+
+		if (ulSize)
+		{
+			*ulSize -= (ULONG_PTR)DosHeader; 
+		}
+
+	}
+
+
+	return DirAddr;
+}
+
+PIMAGE_SECTION_HEADER
+	GetSectionHeaderFromRva(ULONG RVA,PIMAGE_NT_HEADERS NtHeader)  //ÅÐ¶ÏRVAÊÇÔÚÄÇ¸ö½Ú±íµ±ÖÐ
+{
+	ULONG   i = 0;
+	PIMAGE_SECTION_HEADER  SectionHeader = IMAGE_FIRST_SECTION(NtHeader);
+
+	for (i=0;i<NtHeader->FileHeader.NumberOfSections;i++,SectionHeader++)
+	{
+
+		if ((RVA>=SectionHeader->VirtualAddress)&&
+			(RVA<(SectionHeader->VirtualAddress + SectionHeader->Misc.VirtualSize)))
+		{
+			return SectionHeader;
+		}
+	}
+
+	return NULL;	
+}
+
+//////////////////////////////////////////////////////////////////////////
+
+BOOLEAN
+	GetModuleInfor(char* szModuleName,char* szFullName, SYSTEM_MODULE_INFORMATION_ENTRY* Temp)
+{
+	ULONG_PTR  NeedSize;
+	ULONG_PTR  KernelModuleCount = 0;
+	SYSTEM_MODULE_INFORMATION_ENTRY* ModuleInfor;
+	ULONG_PTR  i = 0;
+	BOOLEAN    bOk = FALSE;
+	//PSYSTEM_MODULE_INFORMATION Buffer = NULL;
+
+	PETHREAD EThread = NULL;
+	CHAR     PreMode = 0;
+
+	EThread = PsGetCurrentThread();
+	PreMode = HsChangePreMode(EThread);
+
+	NtQuerySystemInformation(SystemModuleInformation,NULL, 
+		0,&NeedSize);
+
+	if (ModuleInforNeedSize != NeedSize && ModuleInforNeedSize > 0)	//Èç¹û´óÐ¡ÓÐ±ä£¬ÔòÇå¿Õ»º³åÇø
+	{
+		ExFreePool(ModuleInforBuffer);
+		DbgPrint("ExFreePool\r\n");
+		ModuleInforBuffer = NULL;
+		ModuleInforNeedSize = NeedSize;	//¸üÐÂ´óÐ¡È«¾Ö±äÁ¿
+	}
+	if (ModuleInforBuffer == NULL)
+	{
+		DbgPrint("NeedSize: %d\r\n");
+		ModuleInforBuffer = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool(NonPagedPool,NeedSize);
+	}
+	if (ModuleInforBuffer == NULL)
+	{
+		DbgPrint("ModuleInforBuffer ExAllocatePool Failed");
+	}
+
+	if(NtQuerySystemInformation(SystemModuleInformation,ModuleInforBuffer,NeedSize,&NeedSize)
+		==STATUS_SUCCESS)
+	{
+		char szKernelModuleName[60] = {0};
+
+		KernelModuleCount = ModuleInforBuffer->ulCount;
+		ModuleInfor = ModuleInforBuffer->smi;
+
+		strcpy(szKernelModuleName, ModuleInfor->ImageName + ModuleInfor->ModuleNameOffset);
+
+		for (i=0;i<KernelModuleCount;i++)
+		{
+			//DbgPrint("%s : %s\r\n",szModuleName,ModuleInfor->ImageName + ModuleInfor->ModuleNameOffset);
+
+			if(_stricmp(szModuleName, ModuleInfor->ImageName + ModuleInfor->ModuleNameOffset) == 0 || 
+				(_stricmp(szModuleName, "ntoskrnl.exe") == 0 && 
+				 _stricmp(szKernelModuleName, ModuleInfor->ImageName + ModuleInfor->ModuleNameOffset) == 0 ))
+			{
+				//DbgPrint("%s\r\n",ModuleInfor->ImageName);  //ÕâÀïÊÇÃ»ÓÐÅÌ·ûµÄÎÒÔÚÕâÀïÍµÀÁÐ´ËÀÁË
+
+				//////////////////////////////////////////////////////////////////////////
+				if (strstr(ModuleInfor->ImageName,"SystemRoot")==NULL)
+				{
+					Temp->Base = ModuleInfor->Base;
+					Temp->Size = ModuleInfor->Size;
+					strcpy(szFullName,ModuleInfor->ImageName);
+				}
+				else
+				{
+					CHAR ImageFull[260] = {0};
+
+					Temp->Base = ModuleInfor->Base;
+					Temp->Size = ModuleInfor->Size;
+
+					strcpy(szFullName,"\\??\\C:");
+					strcat(szFullName,ModuleInfor->ImageName);
+				}
+
+				//////////////////////////////////////////////////////////////////////////
+				Temp->Base = ModuleInfor->Base;
+				Temp->Size = ModuleInfor->Size;
+
+				if (strnicmp(ModuleInfor->ImageName,"\\Windows\\",strlen("\\Windows\\"))==0)
+				{
+					char* Temp = NULL;
+					strcpy(szFullName,"\\??\\C:\\");
+
+					Temp = ModuleInfor->ImageName;
+
+					strcat(szFullName,Temp);
+				}
+				else
+				{
+					strcpy(szFullName,ModuleInfor->ImageName);
+				}
+
+				DbgPrint("%s\r\n",szFullName);
+				DbgPrint("%s\r\n",ModuleInfor->ImageName);
+
+				bOk = TRUE;
+				break;
+			}
+			ModuleInfor++;
+		}
+	}
+	else
+	{
+		DbgPrint("NtQuerySystemInformation Failed\r\n");
+	}
+
+	HsRecoverPreMode(EThread, PreMode);
+
+	return bOk;
+}
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+
+PFILE_INFOR
+	CreateFileData(SYSTEM_MODULE_INFORMATION_ENTRY* ModuleInfor,char* ModuleName)
+{
+	BOOLEAN        bOk     = FALSE;
+	char           szFullName[256] = {0};
+
+	SYSTEM_MODULE_INFORMATION_ENTRY  Temp;
+
+	if (!ModuleInfor)  //Í¨¹ýÎÄ¼þÃû³Æ»ñµÃÎÄ¼þÈ«Â·¾¶
+	{
+
+		bOk = GetModuleInfor(ModuleName,szFullName,&Temp);
+
+		if (bOk==FALSE)
+		{
+			DbgPrint("GetModuleInfor Failed\r\n");
+			return NULL;
+		}
+	}
+
+	if (PFileInfor == NULL)
+	{
+		PFileInfor = (PFILE_INFOR)ExAllocatePool(PagedPool,sizeof(FILE_INFOR));
+	}
+ 	if (PFileInfor == NULL)
+ 	{
+ 		DbgPrint("ExAllocatePool Failed\r\n");
+ 		return NULL;
+ 	}
+
+
+	RtlZeroMemory(PFileInfor,sizeof(FILE_INFOR));
+
+	if (ModuleInfor)
+	{
+		PFileInfor->BaseAddress = ModuleInfor->Base;
+		PFileInfor->Size        = ModuleInfor->Size;
+		strcpy(PFileInfor->szFileFullName,ModuleInfor->ImageName);
+
+
+		//DbgPrint("%x    %d    %s\r\n",RvrFile->BaseAddress,RvrFile->Size,RvrFile->FileName);
+	}
+
+	else
+	{
+		PFileInfor->BaseAddress = (PVOID)Temp.Base;
+		PFileInfor->Size        = Temp.Size;
+		memcpy(PFileInfor->szFileFullName,szFullName,strlen(szFullName)+1);
+
+	}
+	//¶ÁÈ¡ÎÄ¼þ
+
+	bOk = ReadFileData(PFileInfor);
+
+	if (bOk==FALSE)
+	{
+		//ExFreePool(FileInfor);
+		DbgPrint("ReadFileData Failed\r\n");
+		return NULL;
+	}
+
+	return PFileInfor;
+
+}
+
+
+
+
+BOOLEAN GetAddrOfExportFuncAddr(
+	UCHAR*  Base,				  
+	CHAR*	FunctionName,	      
+	ULONG_PTR*  AddrOfExportFuncAddr, BOOLEAN IsFile)
+{
+	PIMAGE_EXPORT_DIRECTORY 		ExportTable = NULL;
+	ULONG*	    FuncName = NULL;
+	ULONG*      FuncAddr = NULL;
+	ULONG_PTR   j = 0;
+	ULONG_PTR	ExportDiff;
+	PSHORT		Ordinal;
+
+	ExportTable = 
+		(PIMAGE_EXPORT_DIRECTORY)GetDirectoryAddr(Base, 
+		IMAGE_DIRECTORY_ENTRY_EXPORT, 
+		NULL, &ExportDiff, IsFile);
+
+	if(!ExportTable) 
+	{
+		return FALSE;
+	}
+
+
+	FuncName = MakePtr(PULONG, Base, ExportTable->AddressOfNames - ExportDiff);
+	FuncAddr = MakePtr(PULONG, Base, ExportTable->AddressOfFunctions - ExportDiff);
+	Ordinal  = MakePtr(PSHORT, Base, ExportTable->AddressOfNameOrdinals - ExportDiff);
+
+
+	for(j = 0; j < ExportTable->NumberOfNames; j++, FuncName++){
+
+		if (_stricmp(FunctionName, (CHAR*)Base + *FuncName - ExportDiff) == 0)
+		{
+
+			*AddrOfExportFuncAddr = *(FuncAddr + Ordinal[j]);
+			return TRUE;
+		}
+	}
+
+
+	return FALSE;   
+}
+
+
+//////////////////////////////////////////////////////////////////////////
+
+BOOLEAN	GetModuleInforKernelFile(PULONG_PTR ulKernelBase,PULONG_PTR ulKernelSize,char* szModuleFileFullName, char* szModuleFile)
+{
+	NTSTATUS  Status;
+	ULONG_PTR NeedSize = 0;
+	PSYSTEM_MODULE_INFORMATION  ModuleList = NULL;
+
+	int ModuleId = 0;
+
+	PETHREAD EThread = NULL;
+	CHAR     PreMode = 0;
+
+	EThread = PsGetCurrentThread();
+	PreMode = HsChangePreMode(EThread);
+
+	Status = NtQuerySystemInformation(SystemModuleInformation,NULL,
+		0,&NeedSize);  //²»ÄÜ±»Hook
+
+
+	if (Status!=STATUS_INFO_LENGTH_MISMATCH)
+	{
+		DbgPrint("STATUS_INFO_LENGTH_MISMATCH FAILED\r\n");
+		return FALSE;
+	}
+
+	ModuleList = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool(PagedPool,NeedSize);
+
+	if (ModuleList==NULL)
+	{
+		DbgPrint("ModuleList==NULL\r\n");
+		return FALSE;
+	}
+
+	Status = NtQuerySystemInformation(SystemModuleInformation,ModuleList,NeedSize,&NeedSize);
+
+	if (!NT_SUCCESS(Status))
+	{
+		DbgPrint("NtQuerySystemInformation Failed\r\n");
+		ExFreePool(ModuleList);
+		return FALSE;
+	}
+
+
+	for (ModuleId = 0; ModuleId < ModuleList->ulCount; ModuleId++)
+	{
+		if (_stricmp(szModuleFile, "ntoskrnl.exe") == 0)
+		{
+			ModuleId = 0;
+			DbgPrint("Win32k ModuleId: %d\r\n",ModuleId);
+			break;
+		}
+		else if (_stricmp(
+			ModuleList->smi[ModuleId].ImageName+ModuleList->smi[ModuleId].ModuleNameOffset,
+			szModuleFile) == 0)
+		{
+
+			DbgPrint("Win32k ModuleId: %d\r\n",ModuleId);
+			break;
+		}
+	}
+
+	DbgPrint("%s\r\n",ModuleList->smi[ModuleId].ImageName);
+
+	*ulKernelBase = ModuleList->smi[ModuleId].Base;
+	*ulKernelSize = ModuleList->smi[ModuleId].Size;
+
+	if (memcmp(ModuleList->smi[ModuleId].ImageName,"\\??\\",strlen("\\??\\"))==0)
+	{
+		strcpy(szModuleFileFullName,ModuleList->smi[ModuleId].ImageName);
+	}
+	else if (strnicmp(ModuleList->smi[ModuleId].ImageName,"\\SystemRoot\\",strlen("\\SystemRoot\\"))==0)
+	{
+		char* Temp = NULL;
+		strcpy(szModuleFileFullName,"\\??\\C:\\Windows\\"); /*System32\\*/
+		
+		Temp = ModuleList->smi[ModuleId].ImageName + strlen("\\SystemRoot\\");
+
+		strcat(szModuleFileFullName,Temp);
+	}
+	else if (strnicmp(ModuleList->smi[ModuleId].ImageName,"\\Windows\\",strlen("\\Windows\\"))==0)
+	{
+		char* Temp = NULL;
+		strcpy(szModuleFileFullName,"\\??\\C:\\");
+
+		Temp = ModuleList->smi[ModuleId].ImageName;
+
+		strcat(szModuleFileFullName,Temp);
+	}
+	
+
+	DbgPrint("szModuleFileFullName: %s\r\n",szModuleFileFullName);
+
+	ExFreePool(ModuleList);
+
+	HsRecoverPreMode(EThread, PreMode);
+
+	return TRUE;
+
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/KrnlFile.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/KrnlFile.h
new file mode 100644
index 0000000..6fd5df9
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/KrnlFile.h
@@ -0,0 +1,175 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include <ntimage.h>
+#include "common.h"
+
+#define MAX_PATH 60
+
+//////////////////////////////////////////////////////////////////////////
+
+enum HS_KERNEL_KERNELFILE
+{
+	HS_KERNEL_KERNELFILE_NTOSKRNL_IAT,
+	HS_KERNEL_KERNELFILE_NTOSKRNL_EAT,
+	HS_KERNEL_KERNELFILE_WIN32K_IAT,
+	HS_KERNEL_KERNELFILE_WIN32K_EAT,
+	HS_KERNEL_KERNELFILE_HALDLL_IAT,
+	HS_KERNEL_KERNELFILE_HALDLL_EAT,
+};
+
+//////////////////////////////////////////////////////////////////////////
+
+
+typedef struct _IAT_INFO_
+{
+	ULONG_PTR CurFuncAddress;
+	ULONG_PTR OriFuncAddress;
+	CHAR  szFunctionName[MAX_PATH];
+	CHAR  szModuleName[MAX_PATH];
+}IAT_INFO, *PIAT_INFO;
+
+typedef struct _MODULE_IAT_
+{
+	ULONG_PTR ulCount;
+	IAT_INFO  Data[1];
+}MODULE_IAT, *PMODULE_IAT;
+
+typedef struct _EAT_INFO_
+{
+	ULONG_PTR CurFuncAddress;
+	ULONG_PTR OriFuncAddress;
+	CHAR  szFunctionName[MAX_PATH];
+}EAT_INFO, *PEAT_INFO;
+
+typedef struct _MODULE_EAT_
+{
+	ULONG_PTR ulCount;
+	EAT_INFO  Data[1];
+}MODULE_EAT, *PMODULE_EAT;
+
+
+
+
+
+#define MakePtr(a,b,c) ((a)((char*)b+c))
+
+#define SystemModuleInformation 11
+
+typedef struct  _FILE_INFOR_
+{
+	char  szFileFullName[512];
+	char*  szFileData;
+	PVOID BaseAddress;
+	ULONG_PTR Size;
+}FILE_INFOR,*PFILE_INFOR;
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY64
+{
+	ULONG Reserved[4];  
+	PVOID Base;
+	ULONG Size;
+	ULONG Flags;
+	USHORT Index;
+	USHORT NameLength;
+	USHORT LoadCount;
+	USHORT ModuleNameOffset;
+	char ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY64, *PSYSTEM_MODULE_INFORMATION_ENTRY64;
+
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY32
+{
+	ULONG  Reserved[2];  
+	ULONG  Base;        
+	ULONG  Size;         
+	ULONG  Flags;        
+	USHORT Index;       
+	USHORT Unknown;     
+	USHORT LoadCount;   
+	USHORT ModuleNameOffset;
+	CHAR   ImageName[256];   
+} SYSTEM_MODULE_INFORMATION_ENTRY32, *PSYSTEM_MODULE_INFORMATION_ENTRY32;
+
+
+
+#ifdef _WIN64
+#define SYSTEM_MODULE_INFORMATION_ENTRY SYSTEM_MODULE_INFORMATION_ENTRY64
+#else
+#define SYSTEM_MODULE_INFORMATION_ENTRY SYSTEM_MODULE_INFORMATION_ENTRY32
+#endif
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION{          //Ä£¿éÁ´½á¹¹
+	ULONG ulCount;
+	SYSTEM_MODULE_INFORMATION_ENTRY smi[1];
+}SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+
+NTSYSAPI
+	NTSTATUS
+	NtQuerySystemInformation(IN ULONG SystemInformationClass,IN PVOID SystemInformation,
+	IN ULONG SystemInformationLength,
+	OUT PULONG ReturnLength);
+
+
+
+
+BOOLEAN  ReadFileData(PFILE_INFOR FileInfor);
+
+PVOID
+	GetDirectoryAddr(PUCHAR AddressBase,USHORT DirectoryIndex,
+	ULONG_PTR* ulSize,ULONG_PTR* ulDiff,BOOLEAN IsFile);
+
+PIMAGE_SECTION_HEADER
+	GetSectionHeaderFromRva(ULONG RVA,PIMAGE_NT_HEADERS NtHeader);  //ÅÐ¶ÏRVAÊÇÔÚÄÇ¸ö½Ú±íµ±ÖÐ
+
+
+NTSTATUS HsEnumKernelFileFunc(int KernelFile, PVOID OutputBuffer, ULONG_PTR ulOutputLen);
+
+NTSTATUS HsQueryKernelFileFuncIAT(PVOID OutputBuffer, ULONG_PTR ulOutputLen, char* szModuleFile);
+
+NTSTATUS HsQueryKernelFileFuncEAT(PVOID OutputBuffer, ULONG_PTR ulOutputLen, char* szModuleFile);
+
+NTSTATUS HsEnumEATTable(PVOID  KernelBase,PMODULE_EAT OutBuffer, ULONG_PTR OutSize, char* szModuleFileName);
+
+NTSTATUS HsEnumIATTable(PMODULE_IAT OutBuffer, ULONG_PTR OutSize);
+
+BOOLEAN	GetModuleInforKernelFile(PULONG_PTR ulKernelBase,PULONG_PTR ulKernelSize,char* szWin32kFullName, char* szModuleFile);
+
+BOOLEAN GetModuleInfor(char* szModuleName,char* szFullName, SYSTEM_MODULE_INFORMATION_ENTRY* Temp);
+
+//////////////////////////////////////////////////////////////////////////
+
+
+VOID HsInitKrnlFileGlobalVariable();
+
+PFILE_INFOR CreateFileData(SYSTEM_MODULE_INFORMATION_ENTRY* ModuleInfor,char* ModuleName);
+
+BOOLEAN GetAddrOfExportFuncAddr(
+	UCHAR*  Base,				  
+	CHAR*	FunctionName,	      
+	ULONG_PTR*  AddrOfExportFuncAddr, BOOLEAN IsFile);
+
+
+
+NTSYSAPI
+	NTSTATUS
+	NTAPI
+	ZwQuerySystemInformation(
+	IN ULONG_PTR SystemInformationClass,
+	IN OUT PVOID SystemInformation,
+	IN ULONG SystemInformationLength,
+	OUT PULONG ReturnLength OPTIONAL
+	);
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Memory.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Memory.c
new file mode 100644
index 0000000..4d8134e
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Memory.c
@@ -0,0 +1,248 @@
+#include "Memory.h"
+#include "GetFuncAddress.h"
+#include <ntimage.h>
+
+//////////////////////////////////////////////////////////////////////////
+
+
+//////////////////////////////////////////////////////////////////////////
+
+extern BOOLEAN IsModuleInList(ULONG_PTR Base, ULONG_PTR Size, PALL_MODULES AllModules, ULONG_PTR ulCount);
+extern VOID WalkerModuleList64(PLIST_ENTRY64 ListEntry, ULONG nType, PALL_MODULES AllModules, ULONG ulCount);
+extern VOID WalkerModuleList32(PLIST_ENTRY32 ListEntry, ULONG nType, PALL_MODULES AllModules, ULONG ulCount);
+extern NTSTATUS EnumDllModuleByPeb( PEPROCESS EProcess, PALL_MODULES AllModules, ULONG_PTR ulCount);
+
+
+extern WIN_VERSION  WinVersion;
+
+extern ULONG_PTR    ObjectTableOffsetOf_EPROCESS;
+extern ULONG_PTR    ObjectHeaderSize;
+extern ULONG_PTR    ObjectTypeOffsetOf_Object_Header;
+extern ULONG_PTR    PreviousModeOffsetOf_KTHREAD;
+extern ULONG_PTR    IndexOffset;
+ULONG_PTR    SSDTDescriptor;
+ULONG_PTR    ulIndex;
+ULONG_PTR    SSDTFuncAddress;
+
+pfnNtQueryVirtualMemory  NtQueryVirtualMemoryAddress = NULL;
+
+extern ULONG_PTR    SSDTDescriptor;
+
+
+NTSTATUS
+	HsEnumProcessesModule(ULONG ulProcessID,PVOID OutBuffer,ULONG_PTR ulOutSize)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PEPROCESS EProcess = NULL;
+
+	ULONG ulCount = (ulOutSize - sizeof(ALL_MODULES)) / sizeof(MODULE_INFO);
+
+	HsInitMemoryVariable();
+
+	if (ulProcessID)
+	{
+		Status = PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess);
+
+		if (!NT_SUCCESS(Status))
+		{
+			return Status;
+		}
+	}
+
+	DbgPrint("Enter EnumProcessModule\r\n");
+
+	if (HsIsRealProcess(EProcess))
+	{
+		PALL_MODULES AllModules = (PALL_MODULES)ExAllocatePool(PagedPool,ulOutSize);
+		if (AllModules)
+		{
+			memset(AllModules, 0, ulOutSize);
+
+			Status = EnumDllModuleByPeb(EProcess, AllModules, ulCount);
+
+			if (ulCount >= AllModules->ulCount)
+			{
+				RtlCopyMemory(OutBuffer, AllModules, ulOutSize);
+				Status = STATUS_SUCCESS;
+			}
+			else
+			{
+				Status = STATUS_BUFFER_TOO_SMALL;
+			}
+
+			ExFreePool(AllModules, 0);
+			AllModules = NULL;
+		}
+	}
+
+	if (NT_SUCCESS(Status))
+	{
+		ObfDereferenceObject(EProcess);
+	}
+
+	return Status;
+}
+
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+NTSTATUS
+HsEnumProcessesMemory(ULONG ulProcessID,PVOID OutBuffer,ULONG_PTR ulOutSize)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PEPROCESS EProcess = NULL;
+
+	HsInitMemoryVariable();
+
+	if (!PsLookupProcessByProcessId || !ObfDereferenceObject)
+	{
+		return STATUS_UNSUCCESSFUL;
+	}
+
+	if (ulProcessID)
+	{
+		Status = PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess);
+		if (!NT_SUCCESS(Status))
+		{
+			return Status;
+		}
+	}
+
+	if (HsIsRealProcess(EProcess))
+	{
+		ULONG_PTR  ulCount = (ulOutSize - sizeof(ALL_MEMORYS)) / sizeof(MEMORY_INFO);
+		DbgPrint("EnumProcessMemory\r\n");
+		Status = GetMemorys(EProcess, (PALL_MEMORYS)OutBuffer,ulCount);
+		if (NT_SUCCESS(Status))
+		{
+			if (ulCount >= ((PALL_MEMORYS)OutBuffer)->ulCount)
+			{
+				DbgPrint("GetSuccess\r\n");
+				Status = STATUS_SUCCESS;
+			}
+			else
+			{
+				Status = STATUS_BUFFER_TOO_SMALL;
+			}
+		}
+	}
+
+	if (NT_SUCCESS(Status))
+	{
+		ObfDereferenceObject(EProcess);
+	}
+
+	return Status;
+}
+
+
+NTSTATUS GetMemorys(PEPROCESS EProcess, PALL_MEMORYS Memorys, ULONG_PTR ulCount)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	HANDLE hProcess = NULL;
+
+
+
+	Status = ObOpenObjectByPointer(EProcess, 
+		OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 
+		NULL, 
+		GENERIC_ALL, 
+		*PsProcessType, 
+		KernelMode, 
+		&hProcess
+		);
+
+	if (NT_SUCCESS(Status))
+	{
+		ULONG_PTR ulBase = 0;
+		PETHREAD EThread = PsGetCurrentThread();
+		CHAR PreMode = HsChangePreMode(EThread);
+
+		while (ulBase < (ULONG_PTR)MM_HIGHEST_USER_ADDRESS)
+		{
+			MEMORY_BASIC_INFORMATION mbi;
+			ULONG_PTR ulRet = 0;
+			Status = NtQueryVirtualMemoryAddress(hProcess, 
+				(PVOID)ulBase, 
+				MemoryBasicInformation, 
+				&mbi, 
+				sizeof(MEMORY_BASIC_INFORMATION), 
+				&ulRet);
+
+			if (NT_SUCCESS(Status))
+			{
+				ULONG_PTR ulCurCnt = Memorys->ulCount;
+				if (ulCount > ulCurCnt)
+				{
+					Memorys->Memorys[ulCurCnt].ulBase = ulBase;
+					Memorys->Memorys[ulCurCnt].ulSize = mbi.RegionSize;
+					Memorys->Memorys[ulCurCnt].ulProtect = mbi.Protect;
+					Memorys->Memorys[ulCurCnt].ulState = mbi.State;
+					Memorys->Memorys[ulCurCnt].ulType = mbi.Type;
+				}
+
+				Memorys->ulCount++;
+				ulBase += mbi.RegionSize;
+			}
+			else
+			{
+				ulBase += PAGE_SIZE;
+			}
+		}
+
+		NtClose(hProcess);
+		HsRecoverPreMode(EThread,PreMode);
+	}
+
+	return Status;
+}
+
+
+
+
+
+
+
+
+VOID HsInitMemoryVariable()
+{
+
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			IndexOffset = 4;
+			SSDTDescriptor = GetKeServiceDescriptorTable64();
+			ulIndex = GetSSDTApiFunIndex("NtQueryVirtualMemory");
+			SSDTFuncAddress =  GetSSDTApiFunAddress(ulIndex,SSDTDescriptor);
+
+			NtQueryVirtualMemoryAddress  = (pfnNtQueryVirtualMemory)SSDTFuncAddress;
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+
+			ObjectHeaderSize = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+
+
+			IndexOffset = 1;
+			SSDTDescriptor = (ULONG_PTR)HsGetFunctionAddressByName(L"KeServiceDescriptorTable");
+			//»ñµÃNtQueryObjectº¯ÊýµÄµØÖ·
+			ulIndex = GetSSDTApiFunIndex("NtQueryVirtualMemory");
+
+
+			SSDTFuncAddress =  GetSSDTApiFunAddress(ulIndex,SSDTDescriptor);
+
+			NtQueryVirtualMemoryAddress  = (pfnNtQueryVirtualMemory)SSDTFuncAddress;
+			break;
+		}
+	}
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Memory.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Memory.h
new file mode 100644
index 0000000..07bf7fe
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Memory.h
@@ -0,0 +1,91 @@
+#pragma once 
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+#include "Process.h"
+
+typedef struct _MEMORY_INFO_
+{
+	ULONG_PTR ulBase;
+	ULONG_PTR ulSize;
+	ULONG ulProtect;
+	ULONG ulState;
+	ULONG ulType;
+}MEMORY_INFO, *PMEMORY_INFO;
+
+typedef struct _ALL_MEMORYS_
+{
+	ULONG_PTR ulCount;
+	MEMORY_INFO Memorys[1];
+}ALL_MEMORYS, *PALL_MEMORYS;
+
+
+
+typedef enum _MEMORY_INFORMATION_CLASS
+{
+	MemoryBasicInformation,
+	MemoryWorkingSetList,
+	MemorySectionName
+}MEMORY_INFORMATION_CLASS;
+
+typedef struct _MEMORY_BASIC_INFORMATION {
+	PVOID BaseAddress;
+	PVOID AllocationBase;
+	ULONG AllocationProtect;
+	SIZE_T RegionSize;
+	ULONG State;
+	ULONG Protect;
+	ULONG Type;
+} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
+
+
+
+
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+NTSYSAPI
+	PIMAGE_NT_HEADERS
+	NTAPI
+	RtlImageNtHeader(PVOID Base);
+
+extern
+	PPEB
+	PsGetProcessPeb(PEPROCESS Process);
+
+typedef 
+	ULONG_PTR 
+	(*pfnObGetObjectType)(PVOID pObject);
+
+typedef
+	NTSTATUS
+	(*pfnNtQueryVirtualMemory)(HANDLE ProcessHandle,PVOID BaseAddress,MEMORY_INFORMATION_CLASS MemoryInformationClass,
+	PVOID MemoryInformation,
+	SIZE_T MemoryInformationLength,
+	PSIZE_T ReturnLength);
+
+
+VOID HsInitMemoryVariable();
+
+NTSTATUS
+	HsEnumProcessesMemory(ULONG ulProcessID,PVOID OutBuffer,ULONG_PTR ulOutSize);
+
+NTSTATUS
+	HsEnumProcessesModule(ULONG ulProcessID,PVOID OutBuffer,ULONG_PTR ulOutSize);
+
+NTSTATUS GetMemorys(PEPROCESS EProcess, PALL_MEMORYS Memorys, ULONG_PTR ulCount);
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Module.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Module.c
new file mode 100644
index 0000000..fb3930b
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Module.c
@@ -0,0 +1,751 @@
+#include "Module.h"
+
+#include "GetFuncAddress.h"
+//////////////////////////////////////////////////////////////////////////
+extern     PDEVICE_OBJECT g_DeviceObject;
+extern     PDRIVER_OBJECT g_DriverObject;
+//////////////////////////////////////////////////////////////////////////
+
+extern
+	ULONG_PTR    PreviousModeOffsetOf_KTHREAD;
+extern
+	ULONG_PTR    ObjectTableOffsetOf_EPROCESS;
+extern
+	ULONG_PTR ulBuildNumber;
+extern
+	WIN_VERSION  WinVersion;
+extern
+	ULONG_PTR SYSTEM_ADDRESS_START;
+extern
+	ULONG_PTR ObjectHeaderSize;
+extern
+	ULONG_PTR ObjectTypeOffsetOf_Object_Header;
+
+
+
+PVOID
+	Ntoskrnl_KLDR_DATA_TABLE_ENTRY = NULL;
+
+pfnNtOpenDirectoryObject  NtOpenDirectoryObjectAddress = NULL;
+POBJECT_TYPE DirectoryObjectType = NULL;
+
+//////////////////////////////////////////////////////////////////////////
+extern POBJECT_TYPE *IoDriverObjectType;
+extern POBJECT_TYPE *IoDeviceObjectType;
+//////////////////////////////////////////////////////////////////////////
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+NTSTATUS HsDispatchControlForModule(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet)
+{
+
+	WCHAR* szOutputBuffer = (WCHAR*)OutputBuffer;
+	ULONG				ulIoControlCode  = 0;
+	NTSTATUS			Status = STATUS_UNSUCCESSFUL;
+	PVOID               pvInputBuffer  = NULL;
+	ULONG               ulInputLen     = 0;
+	ULONG				ulOutputLen    = 0;
+
+
+	pvInputBuffer   = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+	ulInputLen      = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
+	ProbeForRead(pvInputBuffer,ulInputLen,sizeof(CHAR));
+
+	ulOutputLen     = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
+
+	ProbeForWrite(OutputBuffer,ulOutputLen,sizeof(CHAR));
+
+	ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
+	ulIoControlCode = (ulIoControlCode>>2)&0x00000FFF;
+
+	DbgPrint("%x\r\n",ulIoControlCode);
+
+	HsInitModuleGlobalVariable();
+
+	switch(ulIoControlCode)
+	{
+	case HS_IOCTL_MODU_MODULELIST:			//µ±Ç°½ø³ÌPID
+		{
+			DbgPrint("HS_IOCTL_MODU_MODULELIST\r\n");
+
+			NtOpenDirectoryObjectAddress = (pfnNtOpenDirectoryObject)HsGetFuncAddress("NtOpenDirectoryObject");
+			GetKernelLdrDataTableEntry(g_DriverObject);
+			Status = HsEnumSystemModuleList(OutputBuffer,ulOutputLen);
+			break;
+		}
+	case HS_IOCTL_MODU_REMOVEMODULE:
+		{
+			DbgPrint("HS_IOCTL_MODU_REMOVEMODULE\r\n");
+
+			if (pvInputBuffer!=NULL&&ulInputLen==sizeof(ULONG_PTR))
+			{
+				Status = HsUnloadDriverModule(*(PULONG_PTR)pvInputBuffer,ulInputLen);
+			}
+			break;
+		}
+	default:
+		{
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return Status;
+}
+
+
+
+NTSTATUS HsEnumSystemModuleList(PVOID OutBuffer, ULONG OutSize)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PALL_DRIVERS DriversInfor = (PALL_DRIVERS)OutBuffer;
+	ULONG ulCount = (OutSize - sizeof(ALL_DRIVERS)) / sizeof(DRIVER_INFO);
+
+	// ¼ì²é²ÎÊý
+	if (!OutBuffer)
+	{
+		return STATUS_INVALID_PARAMETER;
+	}
+
+	EnumDriverByLdrDataTableEntry(DriversInfor,ulCount);
+	EnumDriversByWalkerDirectoryObject(DriversInfor, ulCount);
+	if (ulCount >= DriversInfor->ulCount)
+	{
+		Status = STATUS_SUCCESS;
+	}
+	else
+	{
+		Status = STATUS_BUFFER_TOO_SMALL;
+	}
+
+	return Status;
+}
+
+
+
+
+
+BOOLEAN GetKernelLdrDataTableEntry(PDRIVER_OBJECT DriverObject)
+{
+	BOOLEAN bRet = FALSE;
+	if (DriverObject)
+	{
+		PKLDR_DATA_TABLE_ENTRY Entry = NULL, FirstEntry = NULL;
+		WCHAR wzNtoskrnl[] = L"ntoskrnl.exe";
+		int nLen = wcslen(wzNtoskrnl) * sizeof(WCHAR);
+
+		FirstEntry = Entry = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
+
+		while((PKLDR_DATA_TABLE_ENTRY)Entry->InLoadOrderLinks.Flink != FirstEntry)
+		{
+
+			if (Entry->BaseDllName.Buffer								&& 
+				nLen == Entry->BaseDllName.Length						&&
+				MmIsAddressValid((PVOID)Entry->BaseDllName.Buffer)		&&
+				!_wcsnicmp(wzNtoskrnl,(WCHAR*)Entry->BaseDllName.Buffer, nLen / sizeof(WCHAR)))
+			{
+				Ntoskrnl_KLDR_DATA_TABLE_ENTRY = (PVOID)Entry;
+				bRet = TRUE;
+				break;
+			}
+
+			Entry = (PKLDR_DATA_TABLE_ENTRY)Entry->InLoadOrderLinks.Flink;
+		}
+
+		// Èç¹ûÊµÔÚÃ»ÕÒµ½ntoskrnl,ÄÇÃ´Ê¹ÓÃ×Ô¼ºµÄ
+		if (!bRet)
+		{
+			Ntoskrnl_KLDR_DATA_TABLE_ENTRY = (PVOID)FirstEntry;
+			bRet = TRUE;
+		}
+	}
+
+	return bRet;
+}
+
+
+
+VOID EnumDriverByLdrDataTableEntry(PALL_DRIVERS DriversInfor, ULONG_PTR ulCount)
+{
+	PKLDR_DATA_TABLE_ENTRY Entry = NULL, FirstEntry = NULL;
+	ULONG nMax = PAGE_SIZE;
+	ULONG i = 0;
+	KIRQL OldIrql;
+
+	FirstEntry = Entry = (PKLDR_DATA_TABLE_ENTRY)Ntoskrnl_KLDR_DATA_TABLE_ENTRY;
+
+	if (!FirstEntry || !DriversInfor)
+	{
+		return;
+	}
+
+	OldIrql = KeRaiseIrqlToDpcLevel();
+
+	__try
+	{
+		do
+		{
+			if ((ULONG_PTR)Entry->DllBase > SYSTEM_ADDRESS_START && Entry->SizeOfImage > 0)
+			{
+				ULONG_PTR Temp = DriversInfor->ulCount;
+				if (ulCount > Temp)
+				{
+
+					DriversInfor->Drivers[Temp].LodeOrder = ++i;
+					DriversInfor->Drivers[Temp].Base = (ULONG_PTR)Entry->DllBase;
+					DriversInfor->Drivers[Temp].Size = Entry->SizeOfImage;
+
+
+
+					if (IsUnicodeStringValid(&(Entry->FullDllName)))
+					{
+						memcpy(DriversInfor->Drivers[Temp].wzDriverPath, (WCHAR*)Entry->FullDllName.Buffer, Entry->FullDllName.Length);
+
+
+					}
+					else if (IsUnicodeStringValid(&(Entry->BaseDllName)))
+					{
+
+						memcpy(DriversInfor->Drivers[Temp].wzDriverPath, (WCHAR*)Entry->BaseDllName.Buffer, Entry->BaseDllName.Length);
+
+					}
+
+				}
+
+				DriversInfor->ulCount++;
+			}
+
+			Entry = (PKLDR_DATA_TABLE_ENTRY)Entry->InLoadOrderLinks.Flink;
+
+		}while(Entry && Entry != FirstEntry && nMax--);	
+	}
+	__except(1)
+	{}
+
+	KeLowerIrql(OldIrql);
+}
+
+
+
+
+
+VOID EnumDriversByWalkerDirectoryObject(PALL_DRIVERS DriversInfor, ULONG_PTR ulCount)
+{	
+	NTSTATUS Status;
+	OBJECT_ATTRIBUTES oa; 
+	UNICODE_STRING uniDirectory; 
+	HANDLE hDirectory;
+	PVOID  DirectoryObject = NULL;
+	WCHAR  wzDirectory[] = {L'\\', L'\0'};
+	PETHREAD EThread = NULL;
+	CHAR PreMode = 0;
+
+
+	RtlInitUnicodeString(&uniDirectory, wzDirectory);
+	InitializeObjectAttributes(&oa, &uniDirectory, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
+
+	EThread =  PsGetCurrentThread();
+	PreMode = HsChangePreMode(EThread);
+
+	Status = NtOpenDirectoryObjectAddress(&hDirectory, 0, &oa);
+	if (NT_SUCCESS(Status) )
+	{
+		Status = ObReferenceObjectByHandle(hDirectory, 0x10000000, 0, 0, &DirectoryObject, 0);
+		if ( NT_SUCCESS(Status) )
+		{
+
+			DirectoryObjectType = KeGetObjectType(DirectoryObject);
+
+			WalkerDirectoryObject(DriversInfor, DirectoryObject, ulCount);
+			ObfDereferenceObject(DirectoryObject);
+		}
+
+		Status = NtClose(hDirectory);
+	}
+
+	HsRecoverPreMode(EThread, PreMode);
+}
+
+
+
+VOID WalkerDirectoryObject(PALL_DRIVERS DriversInfor, PVOID DirectoryObject, ULONG_PTR ulCount)
+{
+
+
+	if (DirectoryObject			    &&
+		DriversInfor				&&
+		MmIsAddressValid(DirectoryObject)
+		)
+	{
+		ULONG i = 0;
+		POBJECT_DIRECTORY ObjectDir = (POBJECT_DIRECTORY)DirectoryObject;
+		KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
+
+		__try
+		{
+			for (i = 0; i < NUMBER_HASH_BUCKETS; i++)
+			{
+				POBJECT_DIRECTORY_ENTRY ObjectDirEntry = ObjectDir->HashBuckets[i];
+				for (; (ULONG_PTR)ObjectDirEntry > SYSTEM_ADDRESS_START && MmIsAddressValid(ObjectDirEntry); ObjectDirEntry = ObjectDirEntry->ChainLink)
+				{
+					if (MmIsAddressValid(ObjectDirEntry->Object))
+					{
+						POBJECT_TYPE ObjectType = KeGetObjectType(ObjectDirEntry->Object);
+
+						//
+						// Èç¹ûÊÇÄ¿Â¼£¬ÄÇÃ´¼ÌÐøµÝ¹é±éÀú
+						//
+						if (ObjectType == DirectoryObjectType)
+						{
+							WalkerDirectoryObject(DriversInfor, ObjectDirEntry->Object, ulCount);
+						}
+
+						//
+						// Èç¹ûÊÇÇý¶¯¶ÔÏó
+						//
+						else if (ObjectType == *IoDriverObjectType)
+						{
+							PDEVICE_OBJECT DeviceObject = NULL;
+
+							if (!IsDriverInList(DriversInfor,(PDRIVER_OBJECT)ObjectDirEntry->Object,ulCount))
+							{
+								InsertDriver(DriversInfor, (PDRIVER_OBJECT)ObjectDirEntry->Object,ulCount);
+							}
+
+							//
+							// ±éÀúÉè±¸Õ»
+							//
+							for (DeviceObject = ((PDRIVER_OBJECT)ObjectDirEntry->Object)->DeviceObject; 
+								DeviceObject && MmIsAddressValid(DeviceObject);
+								DeviceObject = DeviceObject->AttachedDevice)
+							{
+								if (!IsDriverInList(DriversInfor, DeviceObject->DriverObject,ulCount))
+								{
+									InsertDriver(DriversInfor, DeviceObject->DriverObject,ulCount);
+								}
+							}
+						}
+
+						//
+						// Èç¹ûÊÇÉè±¸¶ÔÏó
+						//
+						else if (ObjectType == *IoDeviceObjectType)
+						{
+							PDEVICE_OBJECT DeviceObject = NULL;
+
+							if (!IsDriverInList(DriversInfor,((PDEVICE_OBJECT)ObjectDirEntry->Object)->DriverObject,ulCount))
+							{
+								InsertDriver(DriversInfor, ((PDEVICE_OBJECT)ObjectDirEntry->Object)->DriverObject,ulCount);
+							}
+
+							//
+							// ±éÀúÉè±¸Õ»
+							//
+							for (DeviceObject = ((PDEVICE_OBJECT)ObjectDirEntry->Object)->AttachedDevice; 
+								DeviceObject && MmIsAddressValid(DeviceObject);
+								DeviceObject = DeviceObject->AttachedDevice)
+							{
+								if (!IsDriverInList(DriversInfor, DeviceObject->DriverObject,ulCount))
+								{
+									InsertDriver(DriversInfor, DeviceObject->DriverObject, ulCount);
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+		__except(1)
+		{
+		}
+
+		KeLowerIrql(OldIrql);
+	}
+}
+
+
+
+
+
+POBJECT_TYPE KeGetObjectType(PVOID Object)
+{
+	ULONG_PTR ObjectType = NULL;
+	pfnObGetObjectType        ObGetObjectType = NULL;    
+
+	if (!Object || !MmIsAddressValid(Object))
+	{
+		return NULL;
+	}
+
+	if (ulBuildNumber < 6000)
+	{
+		ULONG ObjectTypeAddress = 0;
+
+		ObjectTypeAddress = (ULONG_PTR)Object - ObjectHeaderSize + ObjectTypeOffsetOf_Object_Header;
+
+		if (MmIsAddressValid((PVOID)ObjectTypeAddress))
+		{ 
+			ObjectType = *(ULONG_PTR*)ObjectTypeAddress;
+		}
+	}
+	else
+	{
+		ObGetObjectType = (pfnObGetObjectType)HsGetFunctionAddressByName(L"ObGetObjectType");
+
+
+		if (ObGetObjectType)
+		{
+			ObjectType = ObGetObjectType(Object);
+		}
+	}
+
+	return (POBJECT_TYPE)ObjectType;
+}
+
+
+
+BOOLEAN IsDriverInList(PALL_DRIVERS DriversInfor, PDRIVER_OBJECT DriverObject, ULONG_PTR ulCount)
+{
+	BOOLEAN bIn = TRUE, bFind = FALSE;
+
+	if (!DriversInfor			|| 
+		!DriverObject			|| 
+		!MmIsAddressValid(DriverObject))
+	{
+		return TRUE;
+	}
+
+	__try
+	{
+		if (MmIsAddressValid(DriverObject))
+		{
+			PKLDR_DATA_TABLE_ENTRY Entry = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
+
+			if (Entry &&
+				MmIsAddressValid(Entry) && 
+				MmIsAddressValid((PVOID)Entry->DllBase) &&
+				(ULONG_PTR)Entry->DllBase > SYSTEM_ADDRESS_START)
+			{
+				ULONG i = 0;
+				ULONG Temp = ulCount > DriversInfor->ulCount ? DriversInfor->ulCount : ulCount;
+
+				for (i = 0; i < Temp; i++)
+				{
+					if (DriversInfor->Drivers[i].Base == (ULONG_PTR)Entry->DllBase)
+					{
+						if (DriversInfor->Drivers[i].DriverObject == 0)
+						{
+							//»ñµÃÇý¶¯¶ÔÏó
+							DriversInfor->Drivers[i].DriverObject = (ULONG_PTR)DriverObject;
+
+							//»ñµÃÇý¶¯Èë¿Ú
+							DriversInfor->Drivers[i].DirverStartAddress = (ULONG_PTR)Entry->EntryPoint;
+
+
+							//»ñµÃ·þÎñÃû
+							wcsncpy(DriversInfor->Drivers[i].wzKeyName,DriverObject->DriverExtension->ServiceKeyName.Buffer,DriverObject->DriverExtension->ServiceKeyName.Length);
+						}
+
+						bFind = TRUE;
+						break;
+					}
+				}
+
+				if (!bFind)
+				{
+					bIn = FALSE; 
+				}
+			}
+		}
+	}
+	__except(1)
+	{
+		bIn = TRUE;
+	}
+
+	return bIn;
+}
+
+
+
+VOID InsertDriver(PALL_DRIVERS DriversInfor, PDRIVER_OBJECT DriverObject, ULONG_PTR ulCount)
+{
+	if (!DriversInfor || !DriverObject || !MmIsAddressValid(DriverObject))
+	{
+		return;
+	}
+	else
+	{
+		PKLDR_DATA_TABLE_ENTRY Entry = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
+
+		if (Entry &&
+			MmIsAddressValid(Entry) && 
+			MmIsAddressValid((PVOID)Entry->DllBase) &&
+			(ULONG_PTR)Entry->DllBase > SYSTEM_ADDRESS_START)
+		{
+			ULONG Temp = DriversInfor->ulCount;
+			if (ulCount > Temp)
+			{
+				DriversInfor->Drivers[Temp].Base = (ULONG_PTR)Entry->DllBase;
+				DriversInfor->Drivers[Temp].Size = Entry->SizeOfImage;
+				DriversInfor->Drivers[Temp].DriverObject = (ULONG_PTR)DriverObject;
+
+				if (IsUnicodeStringValid(&(Entry->FullDllName)))
+				{
+					wcsncpy(DriversInfor->Drivers[Temp].wzDriverPath, (WCHAR*)(Entry->FullDllName.Buffer), Entry->FullDllName.Length);
+				}
+				else if (IsUnicodeStringValid(&(Entry->BaseDllName)))
+				{
+					wcsncpy(DriversInfor->Drivers[Temp].wzDriverPath, (WCHAR*)(Entry->BaseDllName.Buffer), Entry->BaseDllName.Length);
+				}
+			}
+			DriversInfor->ulCount++;
+		}
+	}
+}
+
+
+
+
+BOOLEAN IsUnicodeStringValid(PUNICODE_STRING uniString)
+{
+	BOOLEAN bRet = FALSE;
+
+	__try
+	{
+		if (uniString->Length > 0	&&
+			uniString->Buffer		&&
+			MmIsAddressValid(uniString->Buffer) &&
+			MmIsAddressValid(&uniString->Buffer[uniString->Length / sizeof(WCHAR) - 1]))
+		{
+			bRet = TRUE;
+		}
+
+	}
+	__except(1)
+	{	
+		bRet = FALSE;
+	}
+
+	return bRet;
+}
+
+
+
+
+VOID HsInitModuleGlobalVariable()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+			ObjectHeaderSize = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			SYSTEM_ADDRESS_START	 = 0x80000000; 
+			break;
+		}
+
+	case WINDOWS_7:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ObjectHeaderSize = 0x30;
+			SYSTEM_ADDRESS_START =  0x80000000000;
+			break;
+		}
+	}
+}
+
+
+
+
+
+NTSTATUS HsUnloadDriverModule(ULONG_PTR InBuffer, ULONG_PTR InSize)
+{
+
+	PDRIVER_OBJECT DriverObject = (PDRIVER_OBJECT)InBuffer;
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+
+	DbgPrint("g_DriverObject: %p\r\n",g_DriverObject);
+	DbgPrint("  DriverObject: %p\r\n",  DriverObject);
+
+	if ((ULONG_PTR)DriverObject > SYSTEM_ADDRESS_START &&
+		MmIsAddressValid(DriverObject) &&
+		g_DriverObject != DriverObject && 
+		IsRealDriverObject(DriverObject) )
+	{
+		Status = PspUnloadDriver(DriverObject);
+	}
+
+	return Status;
+}
+
+
+
+
+//ÅÐ¶ÏÒ»¸öÇý¶¯ÊÇ·ñÎªÕæµÄÇý¶¯¶ÔÏó
+BOOLEAN IsRealDriverObject(PDRIVER_OBJECT DriverObject)
+{
+	BOOLEAN bRet = FALSE;
+	if (!*IoDriverObjectType||
+		!*IoDeviceObjectType)
+	{
+		return bRet;
+	}
+
+	__try
+	{
+		if (DriverObject->Type == 4 && 
+			DriverObject->Size == sizeof(DRIVER_OBJECT) &&
+			KeGetObjectType(DriverObject) == *IoDriverObjectType &&
+			MmIsAddressValid(DriverObject->DriverSection) &&
+			(ULONG_PTR)DriverObject->DriverSection > SYSTEM_ADDRESS_START &&
+			!(DriverObject->DriverSize & 0x1F) &&
+			DriverObject->DriverSize < SYSTEM_ADDRESS_START &&
+			!((ULONG_PTR)(DriverObject->DriverStart) & 0xFFF) &&
+			(ULONG_PTR)DriverObject->DriverStart > SYSTEM_ADDRESS_START
+			)
+		{
+			PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
+			if (DeviceObject)
+			{
+				if (MmIsAddressValid(DeviceObject) &&
+					KeGetObjectType(DeviceObject) == *IoDeviceObjectType &&
+					DeviceObject->Type == 3 && 
+					DeviceObject->Size >= sizeof(DEVICE_OBJECT))
+				{
+					bRet = TRUE;
+				}
+			}
+			else
+			{
+				bRet = TRUE;
+			}
+		}
+	}
+	__except(1)
+	{
+		bRet = FALSE;
+	}
+
+	return bRet;
+}
+
+
+
+
+
+NTSTATUS PspUnloadDriver(PDRIVER_OBJECT DriverObject)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+
+
+	if (MmIsAddressValid(DriverObject))
+	{
+		BOOLEAN bDriverUnload = FALSE;
+		HANDLE  hSystemThread = NULL;
+
+		if (DriverObject->DriverUnload &&
+			(ULONG_PTR)DriverObject->DriverUnload > SYSTEM_ADDRESS_START &&
+			MmIsAddressValid(DriverObject->DriverUnload))
+		{
+			bDriverUnload = TRUE;
+		}
+
+		if (bDriverUnload)
+		{
+			Status = PsCreateSystemThread(&hSystemThread, 0, NULL, NULL, NULL,HaveDriverUnloadThread, DriverObject);  //Èç¹û´æÔÚÐ¶ÔØº¯Êý
+
+
+			//Ð¶ÔØÆäËûµÄÇý¶¯Ã»ÓÐÎÊÌâ
+			//Ð¶ÔØ32Î»XutreµÄÇý¶¯±ÀÀ£ ²»ÊÇÎÒÃÇµÄÔ­Òò XutreµÄUnloadDriverÃ»ÓÐ´¦ÀíºÃ
+		}
+		else
+		{
+			Status = PsCreateSystemThread(&hSystemThread, 0, NULL, NULL, NULL,NotHaveDriverUnloadThread,DriverObject);
+		}
+
+		if (NT_SUCCESS(Status))
+		{
+			PETHREAD EThread = NULL, CurrentThread = NULL;
+			CHAR PreMode = 0;
+
+			Status = ObReferenceObjectByHandle(hSystemThread, 0, NULL, KernelMode, &EThread, NULL);
+			if (NT_SUCCESS(Status))
+			{
+				LARGE_INTEGER TimeOut;
+				TimeOut.QuadPart = -10 * 1000 * 1000 * 3;
+				Status = KeWaitForSingleObject(EThread, Executive, KernelMode, TRUE, &TimeOut); // µÈ´ý3Ãë
+				ObfDereferenceObject(EThread);
+			}
+
+			CurrentThread = PsGetCurrentThread();
+			PreMode = HsChangePreMode(CurrentThread);
+			NtClose(hSystemThread);
+			HsRecoverPreMode(CurrentThread, PreMode);
+		}
+	}
+
+	return Status;
+}
+
+
+
+VOID HaveDriverUnloadThread(PVOID lParam)
+{
+
+	PDRIVER_OBJECT DriverObject = (PDRIVER_OBJECT)lParam;
+
+	if (DriverObject)
+	{
+		PDRIVER_UNLOAD DriverUnloadAddress = DriverObject->DriverUnload;
+
+		if (DriverUnloadAddress)
+		{
+			DriverUnloadAddress(DriverObject);
+
+
+
+			DriverObject->FastIoDispatch = NULL;
+			memset(DriverObject->MajorFunction, 0, sizeof(DriverObject->MajorFunction));
+			DriverObject->DriverUnload = NULL;
+
+			ObMakeTemporaryObject(DriverObject);
+			ObfDereferenceObject(DriverObject);
+		}
+	}
+
+	PsTerminateSystemThread(STATUS_SUCCESS);
+}
+
+
+VOID NotHaveDriverUnloadThread(IN PVOID lParam)
+{
+
+	PDRIVER_OBJECT DriverObject = (PDRIVER_OBJECT)lParam;
+	PDEVICE_OBJECT DeviceObject = NULL;
+
+	if (DriverObject)
+	{
+
+		DriverObject->FastIoDispatch = NULL;
+		memset(DriverObject->MajorFunction, 0, sizeof(DriverObject->MajorFunction));
+		DriverObject->DriverUnload = NULL;
+
+		DeviceObject = DriverObject->DeviceObject;
+
+		while ( DeviceObject && MmIsAddressValid(DeviceObject) )
+		{
+			IoDeleteDevice(DeviceObject);
+			DeviceObject = DeviceObject->NextDevice;
+		}
+
+		ObMakeTemporaryObject(DriverObject);
+		ObfDereferenceObject(DriverObject);
+	}
+
+	PsTerminateSystemThread(STATUS_SUCCESS);
+}
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Module.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Module.h
new file mode 100644
index 0000000..f51d57b
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Module.h
@@ -0,0 +1,176 @@
+/**************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : Module.h
+*
+* Command: 
+*	Ä£¿é´ó¹¦ÄÜµÄÖ÷ÎÄ¼þ
+*
+* Description:
+*	ÓëÄ£¿éÏà¹ØµÄËùÓÐ¹¦ÄÜ¼¯ºÏÎÄ¼þ
+*
+****************************************************************************************
+* Copyright (C) 2015 HeavenShadow.
+****************************************************************************************/
+
+
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+
+#define MAX_PATH 260
+
+
+typedef struct _DRIVER_INFO_
+{
+	ULONG_PTR LodeOrder;
+	ULONG_PTR Base;
+	ULONG_PTR Size;
+	ULONG_PTR DriverObject;
+	ULONG_PTR DirverStartAddress;
+	WCHAR wzDriverPath[MAX_PATH];
+	WCHAR wzKeyName[MAX_PATH];
+}DRIVER_INFO, *PDRIVER_INFO;
+
+typedef struct _ALL_DRIVERS_
+{
+	ULONG_PTR ulCount;
+	DRIVER_INFO Drivers[1];
+}ALL_DRIVERS, *PALL_DRIVERS;
+
+
+
+typedef struct _KLDR_DATA_TABLE_ENTRY64 {
+	LIST_ENTRY64 InLoadOrderLinks;
+	ULONG64 __Undefined1;
+	ULONG64 __Undefined2;
+	ULONG64 __Undefined3;
+	ULONG64 NonPagedDebugInfo;
+	ULONG64 DllBase;
+	ULONG64 EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING64 FullDllName;
+	UNICODE_STRING64 BaseDllName;
+	ULONG   Flags;
+	USHORT  LoadCount;
+	USHORT  __Undefined5;
+	ULONG64 __Undefined6;
+	ULONG   CheckSum;
+	ULONG   __padding1;
+	ULONG   TimeDateStamp;
+	ULONG   __padding2;
+} KLDR_DATA_TABLE_ENTRY64, *PKLDR_DATA_TABLE_ENTRY64;
+
+
+
+
+typedef struct _KLDR_DATA_TABLE_ENTRY32 {
+	LIST_ENTRY32 InLoadOrderLinks;
+	ULONG __Undefined1;
+	ULONG __Undefined2;
+	ULONG __Undefined3;
+	ULONG NonPagedDebugInfo;
+	ULONG DllBase;
+	ULONG EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING32 FullDllName;
+	UNICODE_STRING32 BaseDllName;
+	ULONG Flags;
+	USHORT LoadCount;
+	USHORT __Undefined5;
+	ULONG  __Undefined6;
+	ULONG  CheckSum;
+	ULONG  TimeDateStamp;
+} KLDR_DATA_TABLE_ENTRY32, *PKLDR_DATA_TABLE_ENTRY32;
+
+
+#ifdef _WIN64
+#define PKLDR_DATA_TABLE_ENTRY  PKLDR_DATA_TABLE_ENTRY64
+#else
+#define PKLDR_DATA_TABLE_ENTRY  PKLDR_DATA_TABLE_ENTRY32
+#endif
+
+
+#define NUMBER_HASH_BUCKETS 37
+typedef struct _OBJECT_DIRECTORY_ENTRY
+{
+	struct _OBJECT_DIRECTORY_ENTRY *ChainLink;
+	PVOID Object;
+	ULONG HashValue;
+} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
+
+typedef struct _OBJECT_DIRECTORY
+{
+	struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[NUMBER_HASH_BUCKETS];
+} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
+
+
+
+typedef
+	NTSTATUS
+	(*pfnNtOpenDirectoryObject)(PHANDLE  DirectoryHandle,ACCESS_MASK  DesiredAccess,POBJECT_ATTRIBUTES  ObjectAttributes);
+
+typedef 
+	ULONG_PTR 
+	(*pfnObGetObjectType)(PVOID Object);
+
+//////////////////////////////////////////////////////////////////////////
+
+NTSTATUS HsDispatchControlForModule(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet);
+
+
+
+
+// Ã¶¾ÙÏµÍ³Çý¶¯Ä£¿éÁÐ±í
+NTSTATUS HsEnumSystemModuleList(PVOID OutBuffer, ULONG OutSize);
+
+
+
+
+VOID EnumDriverByLdrDataTableEntry(PALL_DRIVERS DriversInfor, ULONG_PTR ulCount);
+
+BOOLEAN GetKernelLdrDataTableEntry(PDRIVER_OBJECT DriverObject);
+
+VOID EnumDriversByWalkerDirectoryObject(PALL_DRIVERS DriversInfor, ULONG_PTR ulCount);
+
+VOID WalkerDirectoryObject(PALL_DRIVERS DriversInfor, PVOID DirectoryObject, ULONG_PTR ulCount);
+
+POBJECT_TYPE KeGetObjectType(PVOID Object);
+
+BOOLEAN IsDriverInList(PALL_DRIVERS DriversInfor, PDRIVER_OBJECT DriverObject, ULONG_PTR ulCount);
+
+VOID InsertDriver(PALL_DRIVERS DriversInfor, PDRIVER_OBJECT DriverObject, ULONG_PTR ulCount);
+
+BOOLEAN IsUnicodeStringValid(PUNICODE_STRING uniString);
+
+
+
+NTSTATUS HsUnloadDriverModule(ULONG_PTR InBuffer, ULONG_PTR InSize);
+
+VOID HsInitModuleGlobalVariable();
+
+
+//ÅÐ¶ÏÒ»¸öÇý¶¯ÊÇ·ñÎªÕæµÄÇý¶¯¶ÔÏó
+BOOLEAN IsRealDriverObject(PDRIVER_OBJECT DriverObject);
+
+NTSTATUS PspUnloadDriver(PDRIVER_OBJECT DriverObject);
+
+VOID HaveDriverUnloadThread(PVOID lParam);
+
+VOID NotHaveDriverUnloadThread(IN PVOID lParam);
+
+
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Privilege.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Privilege.c
new file mode 100644
index 0000000..83e255d
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Privilege.c
@@ -0,0 +1,200 @@
+#include "Privilege.h"
+
+
+extern WIN_VERSION  WinVersion;
+
+
+extern ULONG_PTR    ObjectHeaderSize;
+extern ULONG_PTR    ObjectTypeOffsetOf_Object_Header;
+extern ULONG_PTR    ObjectTableOffsetOf_EPROCESS;
+extern ULONG_PTR    PreviousModeOffsetOf_KTHREAD;
+
+
+NTSTATUS HsEnumProcessPrivilege(WCHAR* szOutBuffer,ULONG_PTR ProcessID,ULONG_PTR ulOutSize)
+{
+	NTSTATUS  Status = STATUS_UNSUCCESSFUL;
+	PEPROCESS EProcess = NULL;
+	HANDLE    hProcess = NULL;
+	HANDLE    hToken   = NULL;
+
+	ULONG_PTR ulRet = 0;
+
+	Status = PsLookupProcessByProcessId((HANDLE)ProcessID,&EProcess);
+
+
+	if (!NT_SUCCESS(Status))
+	{
+		return Status;
+	}
+
+	if (!HsIsRealProcess(EProcess))
+	{
+		ObfDereferenceObject(EProcess);
+		return Status;
+	}
+
+
+	Status = ObOpenObjectByPointer(EProcess, 
+		OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 
+		NULL, 
+		GENERIC_ALL, 
+		*PsProcessType, 
+		KernelMode, 
+		&hProcess
+		);
+
+	if (NT_SUCCESS(Status))
+	{
+		PETHREAD EThread = NULL;
+		CHAR     PreMode = 0;
+
+		EThread = PsGetCurrentThread();
+		PreMode = HsChangePreMode(EThread);
+
+		Status = NtOpenProcessToken(hProcess, SACL_SECURITY_INFORMATION, &hToken);
+
+		if (NT_SUCCESS(Status))
+		{
+			Status = NtQueryInformationToken(hToken, TokenPrivileges, szOutBuffer,ulOutSize, &ulRet);
+
+			if (NT_SUCCESS(Status))
+			{
+				DbgPrint("NtQueryInformationToken Success\r\n");
+
+			}
+			else if (Status == STATUS_BUFFER_TOO_SMALL)
+			{
+				DbgPrint("Memory Too Small\r\n");
+			}
+		}
+
+		if (hToken)
+		{
+			NtClose(hToken);
+		}
+
+		if (hProcess)
+		{
+			NtClose(hProcess);
+		}
+
+		HsRecoverPreMode(EThread, PreMode);
+		ObfDereferenceObject(EProcess);
+
+		Status = STATUS_SUCCESS;
+	}
+	return Status;
+}
+
+
+
+
+
+
+
+ULONG_PTR HsKeGetObjectType(PVOID Object)
+{
+	ULONG_PTR ObjectType = NULL;
+	pfnObGetObjectType ObGetObjectType = NULL;
+
+
+	if (!MmIsAddressValid ||!Object||!MmIsAddressValid(Object))
+	{
+		return NULL;
+	}
+
+	if (WinVersion < WINDOWS_7)
+	{
+		ULONG SizeOfObjectHeader = 0, ObjectTypeOffset = 0, ObjectTypeAddress = 0;
+
+		ObjectTypeAddress = (ULONG_PTR)Object - ObjectHeaderSize + ObjectTypeOffsetOf_Object_Header;
+
+		if (MmIsAddressValid((PVOID)ObjectTypeAddress))
+		{ 
+			ObjectType = *(ULONG_PTR*)ObjectTypeAddress;
+		}
+	}
+	else
+	{
+		//¸ß°æ±¾Ê¹ÓÃº¯Êý
+
+		ObGetObjectType = (pfnObGetObjectType)HsGetFunctionAddressByName(L"ObGetObjectType");
+
+
+		if (ObGetObjectType)
+		{
+			ObjectType = ObGetObjectType(Object);
+		}
+	}
+
+	return ObjectType;
+}
+
+
+
+NTSTATUS HsAdjustProcessTokenPrivileges(PPRIVILEGEDATA PrivilegeData, int* bFeedBack)
+{
+	NTSTATUS  Status;
+	PEPROCESS EProcess = NULL;
+	HANDLE    hProcess = NULL;
+	HANDLE    hToken   = NULL;
+
+	if (PrivilegeData->ProcessID)
+	{
+		DbgPrint("PID: %d\r\n",PrivilegeData->ProcessID);
+		DbgPrint("ATT: %d\r\n",PrivilegeData->TokenPrivileges.Privileges->Attributes);
+
+		Status = PsLookupProcessByProcessId((HANDLE)PrivilegeData->ProcessID,&EProcess);
+
+
+		if (!NT_SUCCESS(Status))
+		{
+			return Status;
+		}
+	}
+
+	if (HsIsRealProcess(EProcess))
+	{
+		Status = ObOpenObjectByPointer(EProcess, OBJ_KERNEL_HANDLE, NULL, GENERIC_ALL, *PsProcessType, KernelMode, &hProcess);
+
+		if (NT_SUCCESS(Status))
+		{
+			PETHREAD EThread = PsGetCurrentThread();
+			CHAR PreMode = HsChangePreMode(EThread);
+
+			Status = NtOpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);   //
+
+			if (NT_SUCCESS(Status))
+			{
+				Status = NtAdjustPrivilegesToken(hToken, FALSE, 
+					&PrivilegeData->TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);  
+
+				if (NT_SUCCESS(Status))
+				{
+					DbgPrint("NtAdjustPrivilegesToken Success\r\n");
+				}
+			}
+
+			if (hToken)
+			{
+				NtClose(hToken);
+			}
+
+			if (hProcess)
+			{
+				NtClose(hProcess);
+			}
+
+			HsRecoverPreMode(EThread, PreMode);
+		}
+	}
+
+	if (NT_SUCCESS(Status))
+	{
+
+		*bFeedBack = 1;
+		ObfDereferenceObject(EProcess);
+	}
+
+	return Status;
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Privilege.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Privilege.h
new file mode 100644
index 0000000..23ea2d3
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Privilege.h
@@ -0,0 +1,35 @@
+#pragma once 
+
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+#include "Process.h"
+
+
+typedef struct _PRIVILEGE_DATA_ 
+{
+	ULONG_PTR  ProcessID;
+	TOKEN_PRIVILEGES TokenPrivileges;   //ºê
+}PRIVILEGEDATA,*PPRIVILEGEDATA;
+
+
+typedef 
+ULONG_PTR (*pfnObGetObjectType)(PVOID pObject);
+
+
+NTSTATUS HsEnumProcessPrivilege(WCHAR* szOutBuffer,ULONG_PTR ProcessID,ULONG_PTR ulOutSize);
+
+
+ULONG_PTR HsKeGetObjectType(PVOID Object);
+
+
+//ÐÞ¸ÄÈ¨ÏÞµÄÖµ
+NTSTATUS HsAdjustProcessTokenPrivileges(PPRIVILEGEDATA PrivilegeData, int* bFeedBack);
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Process.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Process.c
new file mode 100644
index 0000000..54000a4
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Process.c
@@ -0,0 +1,734 @@
+#include "Process.h"
+
+
+#include "Thread.h"
+#include "Handle.h"
+#include "Window.h"
+#include "Privilege.h"
+#include "Memory.h"
+
+
+ULONG_PTR ulCurrentProcessId = 1000000;				//ÖØÒª
+//////////////////////////////////////////////////////////////////////////
+#define MAX_PROCESS_COUNT 100000
+//////////////////////////////////////////////////////////////////////////
+ULONG_PTR    ObjectTableOffsetOf_EPROCESS  = 0;		//¾ä±ú±íÆ«ÒÆ¡£
+ULONG_PTR    PreviousModeOffsetOf_KTHREAD  = 0;		//È¨ÏÞÏà¹ØµÄÆ«ÒÆ¡£
+ULONG_PTR    ImageFileNameOffset           = 0;		//ÎÄ¼þÃûÆ«ÒÆ¡£
+ULONG_PTR    SectionObjectOffsetOfEProcess = 0;		//SectionObject
+ULONG_PTR    ParentProcessIdOffset         = 0;		//¸¸½ø³ÌIDÆ«ÒÆInheritedFromUniqueProcessId
+
+
+ULONG_PTR    ObjectHeaderSize = 0;
+ULONG_PTR    ObjectTypeOffsetOf_Object_Header = 0;
+
+
+//////////////////////////////////////////////////////////////////////////
+
+//PEPROCESS  PsInitialSystemProcessAddress = NULL;
+
+
+//////////////////////////////////////////////////////////////////////////
+extern     PDEVICE_OBJECT g_DeviceObject;
+//////////////////////////////////////////////////////////////////////////
+
+
+extern WIN_VERSION  WinVersion;
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+NTSTATUS HsDispatchControlForProcess(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet)
+{
+
+	WCHAR* szOutputBuffer = (WCHAR*)OutputBuffer;
+	ULONG				ulIoControlCode  = 0;
+	NTSTATUS			Status = STATUS_UNSUCCESSFUL;
+	PVOID               pvInputBuffer  = NULL;
+	ULONG               ulInputLen     = 0;
+	ULONG				ulOutputLen    = 0;
+
+	pvInputBuffer   = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+	ulInputLen      = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
+	ProbeForRead(pvInputBuffer,ulInputLen,sizeof(CHAR));
+
+	ulOutputLen     = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
+
+	ProbeForWrite(OutputBuffer,ulOutputLen,sizeof(CHAR));
+
+	ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
+	ulIoControlCode = (ulIoControlCode>>2)&0x00000FFF;
+
+	DbgPrint("%x\r\n",ulIoControlCode);
+
+	HsInitProcessGlobalVariable();
+	
+
+	switch(ulIoControlCode)
+	{
+	case HS_IOCTL_PROC_SENDSELFPID:			//µ±Ç°½ø³ÌPID
+		{
+			DbgPrint("HS_IOCTL_PROC_SENDSELFPID\r\n");
+			ulCurrentProcessId = *(ULONG_PTR*)pvInputBuffer;
+			DbgPrint("CURRENTPID: %d\r\n",ulCurrentProcessId);
+			*(ULONG_PTR*)OutputBuffer = 444;
+			Status = STATUS_SUCCESS;
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSCOUNT:		//½ø³Ì¼ÆÊý
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSCOUNT\r\n");
+			Status = HsGetSystemProcessCount((ULONG_PTR*)OutputBuffer);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSLIST:			//½ø³Ì
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSLIST\r\n");
+			Status = HsEnumSystemProcessList(*(ULONG_PTR*)pvInputBuffer,(PHSPROCESSINFO)OutputBuffer, ulRet);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSTHREAD:		//Ïß³Ì
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSTHREAD\r\n");
+			//Status = HsEnumProcessThread(pvInputBuffer);
+			Status = EnumProcessThread(pvInputBuffer,ulInputLen,OutputBuffer,ulOutputLen);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSTHREADMODULE://Ïß³Ì
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSTHREADMODULE\r\n");
+			//Status = HsEnumProcessThread(pvInputBuffer);
+			Status = EnumProcessThreadModule(*((ULONG_PTR*)pvInputBuffer),OutputBuffer,ulOutputLen);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSPRIVILEGE:	//È¨ÏÞ
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSPRIVILEGE\r\n");
+			Status = HsEnumProcessPrivilege((WCHAR*)OutputBuffer,*(ULONG_PTR*)pvInputBuffer,*ulRet);
+			break;
+		}
+	case HS_IOCTL_PROC_PRIVILEGE_ADJUST:	//È¨ÏÞÐÞ¸Ä
+		{
+			DbgPrint("HS_IOCTL_PROC_PRIVILEGE_ADJUST\r\n");
+			Status = HsAdjustProcessTokenPrivileges((PPRIVILEGEDATA)pvInputBuffer,(int*)OutputBuffer);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSHANDLE:		//½ø³Ì¾ä±ú
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSHANDLE\r\n");
+			Status = HsEnumProcessHandle((PVOID)*(PULONG)pvInputBuffer,ulInputLen,OutputBuffer,ulOutputLen);
+			break;
+		}
+
+	case HS_IOCTL_PROC_KILLPROCESSBYFORCE:	//±©Á¦É±ËÀ½ø³Ì
+		{
+			DbgPrint("HS_IOCTL_PROC_KILLPROCESSBYFORCE\r\n");
+			Status = HsKillProcessByZeroMemory(*((ULONG_PTR*)pvInputBuffer),(int*)OutputBuffer);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSWINDOW:		//´°¿Ú
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSWINDOW\r\n");
+			Status = HsEnumProcessWindow(pvInputBuffer,ulInputLen,OutputBuffer,ulOutputLen);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSMODULE:		//½ø³ÌÄ£¿é
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSMODULE\r\n");
+			Status = HsEnumProcessesModule(*((ULONG_PTR*)pvInputBuffer),OutputBuffer,ulOutputLen);
+			break;
+		}
+	case HS_IOCTL_PROC_PROCESSMEMORY:		//½ø³ÌÄÚ´æ
+		{
+			DbgPrint("HS_IOCTL_PROC_PROCESSMEMORY\r\n");
+			Status = HsEnumProcessesMemory(*((ULONG_PTR*)pvInputBuffer),OutputBuffer,ulOutputLen);
+			break;
+		}
+	default:
+		{
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return Status;
+}
+
+
+VOID HsInitProcessGlobalVariable()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			ImageFileNameOffset          = 0x2e0;
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ParentProcessIdOffset        = 0x290;
+			break;
+		}
+	case WINDOWS_XP:
+		{
+			ImageFileNameOffset          = 0x174;
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			ParentProcessIdOffset        = 0x14c;
+			ObjectHeaderSize             = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			break;
+		}
+	}
+}
+
+
+//////////////////////////////////////////////////////////////////////////
+// ½ø³Ì
+//////////////////////////////////////////////////////////////////////////
+
+
+
+NTSTATUS HsGetSystemProcessCount(ULONG_PTR* ulRetCount)
+{
+	NTSTATUS            Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR           iPid = 0;
+	PEPROCESS           EProcess = NULL;
+
+
+	//////////////////////////////////////////////////////////////////////////
+
+
+
+	// 	EThread = PsGetCurrentThread();
+	// 	PreMode = HsChangePreMode(EThread);
+
+
+	for (iPid = 0; iPid < MAX_PROCESS_COUNT; iPid += 4)
+	{
+
+		//Í¨¹ýID µÃµ½ Handle
+
+		if (!iPid)
+		{
+			(*ulRetCount) += 1;
+			continue;
+		}
+		else if (ulCurrentProcessId == iPid)
+		{
+			(*ulRetCount) += 1;
+			continue;
+		}
+
+		Status = PsLookupProcessByProcessId((HANDLE)iPid,&EProcess);   //System   Session  Native API   
+
+		if (NT_SUCCESS(Status)&& !HsIsProcessDie(EProcess))
+		{
+			(*ulRetCount) += 1;
+			ObDereferenceObject(EProcess);
+		}
+		//memset(&oa,0,sizeof(OBJECT_ATTRIBUTES));
+	}
+
+	return Status;
+}
+
+
+
+//ÄÚ´æÇåÁã·¨½áÊø½ø³Ì
+NTSTATUS HsKillProcessByZeroMemory(ULONG_PTR ProcessID, int* bFeedBack)
+{
+
+	OBJECT_ATTRIBUTES oa = {0};
+	CLIENT_ID         Cid = {0};
+	NTSTATUS  Status;
+	HANDLE hProcess = NULL;
+
+	Cid.UniqueProcess = (HANDLE)ProcessID;
+	Cid.UniqueThread = 0;
+
+
+	Status = ZwOpenProcess(&hProcess,GENERIC_ALL,&oa,&Cid);
+
+
+
+
+	if (!NT_SUCCESS(Status))
+	{
+
+		return FALSE;
+	}
+
+	ZwTerminateProcess(hProcess,0);   //Sys
+
+	ZwClose(hProcess);
+
+	*bFeedBack = TRUE;
+
+ 	return Status;
+}
+
+
+
+NTSTATUS HsEnumSystemProcessList(ULONG_PTR ulBasePid, PHSPROCESSINFO plProcessList, ULONG_PTR* ulRet)
+{
+	NTSTATUS            Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR           iPid = 0;
+	OBJECT_ATTRIBUTES   oa = {0};
+	CLIENT_ID           Cid = {0};
+	HANDLE              hProcess = NULL;
+	PEPROCESS           EProcess = NULL;
+
+	WCHAR				szImageFilePath[260] = {0};
+
+	ULONG_PTR	        ulParentPid = 0;
+
+	//////////////////////////////////////////////////////////////////////////
+
+// 	EThread = PsGetCurrentThread();
+// 	PreMode = HsChangePreMode(EThread);
+
+	for (iPid = ulBasePid; iPid < MAX_PROCESS_COUNT; iPid += 4)
+	{
+		Cid.UniqueProcess = (HANDLE)iPid;
+		Cid.UniqueThread = 0;
+
+		//Í¨¹ýID µÃµ½ Handle
+
+		if (!iPid)
+		{
+			plProcessList->Pid = iPid;
+			plProcessList->PPid = 0;
+			plProcessList->Eprocess = (ULONG_PTR)HsGetIdleEProcess();
+
+			break;
+		}
+
+		if (ulCurrentProcessId == iPid)
+		{
+			EProcess = PsGetCurrentProcess();
+			goto NEXT;
+		}
+
+		Status = ZwOpenProcess(&hProcess,GENERIC_ALL,&oa,&Cid);   //System   Session  Native API   
+
+		if (NT_SUCCESS(Status))
+		{
+			DbgPrint("PID : %d\r\n",iPid);
+
+			//×ª»» Handle  ³É EProcess
+
+			ObReferenceObjectByHandle(hProcess,GENERIC_ALL,NULL,KernelMode,(PVOID*)&EProcess,NULL);
+
+NEXT:
+			if(HsIsRealProcess(EProcess))	//ÅÐ¶ÏÊÇ·ñ½©Ê¬½ø³Ì
+			{
+
+				ulParentPid = HsGetParentProcessIdByEProcess(EProcess);
+
+				plProcessList->Pid = iPid;
+
+				plProcessList->PPid = ulParentPid;
+				
+				DbgPrint("NAME: %s\r\n",(char*)((ULONG_PTR)EProcess + ImageFileNameOffset));
+				
+				HsGetProcessPathBySectionObject(iPid,szImageFilePath);
+				
+				memcpy(plProcessList->Path,szImageFilePath,sizeof(szImageFilePath));
+
+				memset(szImageFilePath,0,sizeof(szImageFilePath));
+
+				DbgPrint("EPRO: 0x%x\r\n",(ULONG_PTR)EProcess);
+
+				plProcessList->Eprocess = (ULONG_PTR)EProcess;
+
+				ObDereferenceObject(EProcess);
+
+				ZwClose(hProcess);
+
+				break;
+			}
+
+			ObDereferenceObject(EProcess);
+
+			ZwClose(hProcess);
+		}
+		memset(&oa,0,sizeof(OBJECT_ATTRIBUTES));
+	}
+
+	Status = STATUS_SUCCESS;
+
+	if (iPid >= MAX_PROCESS_COUNT)
+	{
+		plProcessList->Eprocess = 0;
+		plProcessList->PPid = 0;
+		*ulRet = 0;
+		Status = STATUS_UNSUCCESSFUL;
+	}
+
+	//HsRecoverPreMode(EThread, PreMode);
+
+	return Status;
+}
+
+
+
+BOOLEAN HsIsRealProcess(PEPROCESS EProcess) 
+{ 
+	ULONG_PTR ObjectType; 
+	ULONG_PTR    ObjectTypeAddress; 
+	BOOLEAN bRet = FALSE;
+
+	ULONG_PTR ProcessType = ((ULONG_PTR)*PsProcessType);
+
+	if (ProcessType && MmIsAddressValid && EProcess && MmIsAddressValid((PVOID)(EProcess)))
+	{ 
+		ObjectType = HsKeGetObjectType((PVOID)EProcess);
+		if (ObjectType && 
+			ProcessType == ObjectType &&
+			!HsIsProcessDie(EProcess))
+		{
+			bRet = TRUE; 
+		}
+	} 
+
+	return bRet; 
+} 
+
+
+BOOLEAN HsIsProcessDie(PEPROCESS EProcess)
+{
+	BOOLEAN bDie = FALSE;
+
+	if (MmIsAddressValid &&
+		EProcess && 
+		MmIsAddressValid(EProcess) &&
+		MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS)))
+	{
+		PVOID ObjectTable = *(PVOID*)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS );
+
+		if (!ObjectTable||!MmIsAddressValid(ObjectTable) )
+		{
+			DbgPrint("Process is Die\r\n");
+			bDie = TRUE;
+		}
+	}
+	else
+	{
+		DbgPrint("Process is Die2\r\n");
+		bDie = TRUE;
+	}
+	return bDie;
+}
+
+
+
+
+CHAR HsChangePreMode(PETHREAD EThread)
+{
+
+	CHAR PreMode = *(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD);
+	*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = KernelMode;
+	return PreMode;
+}
+
+
+VOID HsRecoverPreMode(PETHREAD EThread, CHAR PreMode)
+{
+	*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = PreMode;
+}
+
+
+
+
+
+
+BOOLEAN HsGetProcessPathBySectionObject(ULONG_PTR ulProcessID,WCHAR* wzProcessPath)
+{
+	PEPROCESS         EProcess = NULL;
+	PSECTION_OBJECT   SectionObject   = NULL;
+	PSECTION_OBJECT64 SectionObject64 = NULL;
+	PSEGMENT        Segment   = NULL;
+	PSEGMENT64      Segment64 = NULL;
+	PCONTROL_AREA   ControlArea = NULL;
+	PCONTROL_AREA64 ControlArea64 = NULL;
+	PFILE_OBJECT    FileObject  = NULL;
+	BOOLEAN         bGetPath = FALSE;
+
+	if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess)))
+	{
+
+		switch(WinVersion)
+		{
+		case WINDOWS_XP:
+			{
+				SectionObjectOffsetOfEProcess  = 0x138;
+
+				if (SectionObjectOffsetOfEProcess!=0&&MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + SectionObjectOffsetOfEProcess)))
+				{
+					SectionObject = *(PSECTION_OBJECT*)((ULONG_PTR)EProcess + SectionObjectOffsetOfEProcess);
+
+					if (SectionObject && MmIsAddressValid(SectionObject))
+					{
+
+						Segment = (PSEGMENT)SectionObject->Segment;
+						if (Segment && MmIsAddressValid(Segment))
+						{
+							ControlArea = Segment->ControlArea;
+							if (ControlArea && MmIsAddressValid(ControlArea))
+							{
+								FileObject = ControlArea->FilePointer;
+
+								if (FileObject&&MmIsAddressValid(FileObject))
+								{
+									bGetPath = HsGetPathByFileObject(FileObject, wzProcessPath);
+									if (!bGetPath)
+									{
+										DbgPrint("SectionObject: 0x%08X, FileObject: 0x%08X\n", SectionObject, FileObject);
+									}
+								}
+							}
+						}
+					}
+				}
+				break;
+			}
+
+		case WINDOWS_7:
+			{
+				SectionObjectOffsetOfEProcess = 0x268;
+
+
+				if (SectionObjectOffsetOfEProcess!=0&&MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + SectionObjectOffsetOfEProcess)))
+				{
+					SectionObject64 = *(PSECTION_OBJECT64*)((ULONG_PTR)EProcess + SectionObjectOffsetOfEProcess);
+
+
+
+					if (SectionObject64 && MmIsAddressValid(SectionObject64))
+					{
+
+						Segment64 = (PSEGMENT64)(SectionObject64->Segment);
+						if (Segment64 && MmIsAddressValid(Segment64))
+						{
+							ControlArea64 = (PCONTROL_AREA64)Segment64->ControlArea;
+							if (ControlArea64 && MmIsAddressValid(ControlArea64))
+							{
+								FileObject = (PFILE_OBJECT)ControlArea64->FilePointer;
+
+								if (FileObject&&MmIsAddressValid(FileObject))
+								{
+									FileObject = (PFILE_OBJECT)((ULONG_PTR)FileObject & 0xFFFFFFFFFFFFFFF0);
+									bGetPath = HsGetPathByFileObject(FileObject, wzProcessPath);
+									if (!bGetPath)
+									{
+										DbgPrint("SectionObject: 0x%08X, FileObject: 0x%08X\n", SectionObject, FileObject);
+									}
+								}
+							}
+						}
+					}
+				}
+				break;
+			}
+		}
+	}
+
+	if (bGetPath==FALSE)
+	{
+		wcscpy(wzProcessPath,L"Unknow");
+	}
+
+	return bGetPath;
+}
+
+
+BOOLEAN HsGetPathByFileObject(PFILE_OBJECT FileObject, WCHAR* wzPath)
+{
+	BOOLEAN bGetPath = FALSE;
+	CHAR szIoQueryFileDosDeviceName[] = "IoQueryFileDosDeviceName";
+	CHAR szIoVolumeDeviceToDosName[] = "IoVolumeDeviceToDosName";
+	CHAR szRtlVolumeDeviceToDosName[] = "RtlVolumeDeviceToDosName";
+
+	POBJECT_NAME_INFORMATION ObjectNameInformation = NULL;
+	__try
+	{
+		if (FileObject && MmIsAddressValid(FileObject) && wzPath)
+		{
+
+			if (NT_SUCCESS(IoQueryFileDosDeviceName(FileObject,&ObjectNameInformation)))   //×¢Òâ¸Ãº¯Êýµ÷ÓÃºóÒªÊÍ·ÅÄÚ´æ
+			{
+				wcsncpy(wzPath,ObjectNameInformation->Name.Buffer,ObjectNameInformation->Name.Length);
+
+				bGetPath = TRUE;
+
+				ExFreePool(ObjectNameInformation);
+			}
+
+			if (!bGetPath)
+			{
+
+				if (IoVolumeDeviceToDosName||RtlVolumeDeviceToDosName)
+				{
+					NTSTATUS  Status = STATUS_UNSUCCESSFUL;
+					ULONG_PTR ulRet= 0;
+					PVOID     Buffer = ExAllocatePool(PagedPool,0x1000);
+
+					if (Buffer)
+					{
+						// ObQueryNameString : \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\VMwareTray.exe
+						memset(Buffer, 0, 0x1000);
+						Status = ObQueryNameString(FileObject, (POBJECT_NAME_INFORMATION)Buffer, 0x1000, &ulRet);
+						if (NT_SUCCESS(Status))
+						{
+							POBJECT_NAME_INFORMATION Temp = (POBJECT_NAME_INFORMATION)Buffer;
+
+							WCHAR szHarddiskVolume[100] = L"\\Device\\HarddiskVolume";
+
+							if (Temp->Name.Buffer!=NULL)
+							{
+								if (Temp->Name.Length / sizeof(WCHAR) > wcslen(szHarddiskVolume) &&
+									!_wcsnicmp(Temp->Name.Buffer, szHarddiskVolume, wcslen(szHarddiskVolume)))
+								{
+									// Èç¹ûÊÇÒÔ "\\Device\\HarddiskVolume" ÕâÑùµÄÐÎÊ½´æÔÚµÄ£¬ÄÇÃ´ÔÙ²éÑ¯Æä¾íÃû¡£
+									UNICODE_STRING uniDosName;
+
+									if (NT_SUCCESS(IoVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName)))
+									{
+										if (uniDosName.Buffer!=NULL)
+										{
+
+											wcsncpy(wzPath, uniDosName.Buffer, uniDosName.Length);
+											wcsncat(wzPath, Temp->Name.Buffer + wcslen(szHarddiskVolume) + 1, Temp->Name.Length - (wcslen(szHarddiskVolume) + 1));
+											bGetPath = TRUE;
+										}	
+
+										ExFreePool(uniDosName.Buffer);
+									}
+
+									else if (NT_SUCCESS(RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName)))
+									{
+										if (uniDosName.Buffer!=NULL)
+										{
+
+											wcsncpy(wzPath, uniDosName.Buffer, uniDosName.Length);
+											wcsncat(wzPath, Temp->Name.Buffer + wcslen(szHarddiskVolume) + 1, Temp->Name.Length - (wcslen(szHarddiskVolume) + 1));
+											bGetPath = TRUE;
+										}	
+
+										ExFreePool(uniDosName.Buffer);
+									}
+
+								}
+								else
+								{
+									// Èç¹û²»ÊÇÒÔ "\\Device\\HarddiskVolume" ÕâÑùµÄÐÎÊ½¿ªÍ·µÄ£¬ÄÇÃ´Ö±½Ó¸´ÖÆÃû³Æ¡£
+
+									wcsncpy(wzPath, Temp->Name.Buffer, Temp->Name.Length);
+									bGetPath = TRUE;
+								}
+							}
+						}
+
+						ExFreePool(Buffer);
+					}
+				}
+			}
+		}
+	}
+	__except(1)
+	{
+		DbgPrint("HsGetPathByFileObject Catch __Except\r\n");
+		bGetPath = FALSE;
+	}
+
+	return bGetPath;
+}
+
+
+ULONG_PTR HsGetParentProcessIdByEProcess(PEPROCESS EProcess)
+{
+	if (MmIsAddressValid &&
+		EProcess && 
+		MmIsAddressValid(EProcess) &&
+		MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS)))
+	{
+		ULONG_PTR ulParentPid = 0;
+
+		ulParentPid = *(ULONG_PTR*)((ULONG_PTR)EProcess + ParentProcessIdOffset);
+		
+		return ulParentPid;
+	}
+
+	return 0;
+}
+
+
+
+PEPROCESS HsGetIdleEProcess()
+{
+	ULONG_PTR uIdleAddr = 0;
+	ULONG_PTR PsInitialSystemProcessAddress = (ULONG_PTR)&PsInitialSystemProcess;
+
+
+	DbgPrint("%x\r\n",PsInitialSystemProcessAddress);
+	switch (WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			if (PsInitialSystemProcessAddress && MmIsAddressValid((PVOID)((ULONG_PTR)PsInitialSystemProcessAddress + 0xA0)))
+			{
+				uIdleAddr = *(PULONG_PTR)((ULONG_PTR)PsInitialSystemProcessAddress + 0xA0);	//0xA0Ô­À´µÄ
+
+				if (uIdleAddr <=0xffff)
+				{
+					uIdleAddr = *(PULONG_PTR)((ULONG_PTR)PsInitialSystemProcessAddress + 0xB0);	//0xB0¸üÐÂºóµÄ
+				}
+			}
+			break;
+		}
+	case WINDOWS_XP:
+		{
+			if (PsInitialSystemProcessAddress && MmIsAddressValid((PVOID)((ULONG_PTR)PsInitialSystemProcessAddress - 0x78B4)))
+			{
+				uIdleAddr = (ULONG_PTR)((ULONG_PTR)PsInitialSystemProcessAddress - 0x78B4);
+			}
+			break;
+		}
+	}
+
+	DbgPrint("IdleEProcess:%p\r\n",uIdleAddr);
+
+	return (PEPROCESS)uIdleAddr;
+
+}
+
+
+
+
+BOOLEAN
+HsGetProcessCreateTime(ULONG_PTR ProcessID,LONGLONG* OutputBuffer)
+{
+
+	NTSTATUS  Status;
+	PEPROCESS EProcess = NULL;
+	PETHREAD EThread = NULL;
+	CHAR     PreMode = 0;
+
+	Status = PsLookupProcessByProcessId((HANDLE)ProcessID,&EProcess);
+
+
+	if (!NT_SUCCESS(Status))
+	{
+		return FALSE;
+	}
+
+	EThread = PsGetCurrentThread();
+	PreMode = HsChangePreMode(EThread);
+
+	*OutputBuffer = PsGetProcessCreateTimeQuadPart(EProcess);
+
+	HsRecoverPreMode(EThread, PreMode);
+	ObfDereferenceObject(EProcess);
+
+	return TRUE;
+}
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Process.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Process.h
new file mode 100644
index 0000000..28c05c0
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Process.h
@@ -0,0 +1,322 @@
+/**************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : Process.h
+*
+* Command: 
+*	½ø³Ì´ó¹¦ÄÜµÄÖ÷ÎÄ¼þ
+*
+* Description:
+*	Óë½ø³ÌÏà¹ØµÄËùÓÐ¹¦ÄÜ¼¯ºÏÎÄ¼þ
+*
+****************************************************************************************
+* Copyright (C) 2015 HeavenShadow.
+****************************************************************************************/
+
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+
+
+typedef struct HS_PROCESSINFO
+{
+	WCHAR       Name[100];
+	WCHAR       Path[260];
+	WCHAR       CompanyName[100];
+	INT         UserAccess;
+	ULONG_PTR   Pid;
+	ULONG_PTR   PPid;
+	ULONG_PTR   Eprocess;
+	LONGLONG    CreateTime;
+}HSPROCESSINFO, *PHSPROCESSINFO;
+
+
+
+typedef struct _CONTROL_AREA64
+{
+	PVOID64 Segment;
+	PVOID64 p1;
+	PVOID64 p2;
+	ULONG64 NumberOfSectionReferences;
+	ULONG64 NumberOfPfnReferences;
+	ULONG64 NumberOfMappedViews;
+	ULONG64 NumberOfUserReferences;
+	union
+	{
+		ULONG LongFlags;
+		ULONG Flags;
+	} u;
+	PVOID64 FilePointer;
+} CONTROL_AREA64, *PCONTROL_AREA64;
+
+
+
+typedef struct _CONTROL_AREA
+{
+	PVOID Segment;
+	LIST_ENTRY DereferenceList;
+	ULONG NumberOfSectionReferences;
+	ULONG NumberOfPfnReferences;
+	ULONG NumberOfMappedViews;
+	ULONG NumberOfSystemCacheViews;
+	ULONG NumberOfUserReferences;
+	union
+	{
+		ULONG LongFlags;
+		ULONG Flags;
+	} u;
+	PFILE_OBJECT FilePointer;
+} CONTROL_AREA, *PCONTROL_AREA;
+
+
+
+
+typedef struct _SEGMENT64
+{
+	PVOID64 ControlArea;
+	ULONG TotalNumberOfPtes;
+	ULONG NonExtendedPtes;
+	ULONG Spare0;
+}SEGMENT64,*PSEGMENT64;
+
+
+typedef struct _SEGMENT
+{
+	struct _CONTROL_AREA *ControlArea;
+	ULONG TotalNumberOfPtes;
+	ULONG NonExtendedPtes;
+	ULONG Spare0;
+} SEGMENT, *PSEGMENT;
+
+
+
+
+typedef struct _SECTION_OBJECT
+{
+	PVOID StartingVa;
+	PVOID EndingVa;
+	PVOID Parent;
+	PVOID LeftChild;
+	PVOID RightChild;
+	PSEGMENT Segment;
+} SECTION_OBJECT, *PSECTION_OBJECT;
+
+
+typedef struct _SECTION_OBJECT64
+{
+	PVOID64 StartingVa;
+	PVOID64 EndingVa;
+	PVOID64 Parent;
+	PVOID64 LeftChild;
+	PVOID64 RightChild;
+	PVOID64 Segment;
+} SECTION_OBJECT64, *PSECTION_OBJECT64;
+
+
+//////////////////////////////////////////////////////////////////////////
+//¾ä±ú½á¹¹
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO{
+	USHORT UniqueProcessId;
+	USHORT CreatorBackTraceIndex;
+	UCHAR ObjectTypeIndex;
+	UCHAR HandleAttributes;
+	USHORT HandleValue;
+	PVOID Object;
+	ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION{
+	ULONG NumberOfHandles;
+	SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+
+typedef struct _HS_HANDLE_INFO{
+	UCHAR  ObjectTypeIndex;
+	USHORT HandleValue;
+	WCHAR  HandleObjectName[100];
+	WCHAR  HandleTypeName[100];
+	PVOID  Object;
+	ULONG_PTR HandleCount;
+}HSHANDLEINFO, *PHSHANDLEINFO;
+
+typedef struct _HS_HANDLE {
+	ULONG NumberOfHandles;
+	HSHANDLEINFO Handles[1];
+}HSHANDLE, *PHSHANDLE;
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+typedef struct _MODULE_INFO_
+{
+	ULONG_PTR Base;
+	ULONG_PTR Size;
+	WCHAR Path[260]; 
+}MODULE_INFO, *PMODULE_INFO;
+
+typedef struct _ALL_MODULES_
+{
+	ULONG_PTR   ulCount;
+	MODULE_INFO Modules[1];
+}ALL_MODULES, *PALL_MODULES;
+
+typedef struct _PEB_LDR_DATA32 
+{
+	ULONG Length;
+	BOOLEAN Initialized;
+	HANDLE SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID EntryInProgress;
+} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
+
+typedef struct _PEB_LDR_DATA64 
+{
+	ULONG Length;
+	BOOLEAN Initialized;
+	HANDLE SsHandle;
+	LIST_ENTRY64 InLoadOrderModuleList;
+	LIST_ENTRY64 InMemoryOrderModuleList;
+	LIST_ENTRY64 InInitializationOrderModuleList;
+	PVOID EntryInProgress;
+	BOOLEAN  ShutdownInProgress;
+	PVOID    ShutdownThreadId;
+} PEB_LDR_DATA64, *PPEB_LDR_DATA64;
+
+
+typedef struct _LDR_DATA_TABLE_ENTRY64
+{
+	LIST_ENTRY64	InLoadOrderLinks;
+	LIST_ENTRY64	InMemoryOrderLinks;
+	LIST_ENTRY64	InInitializationOrderLinks;
+	PVOID			DllBase;
+	PVOID			EntryPoint;
+	ULONG			SizeOfImage;
+	UNICODE_STRING	FullDllName;
+	UNICODE_STRING 	BaseDllName;
+	ULONG			Flags;
+	USHORT			LoadCount;
+	USHORT			TlsIndex;
+	PVOID			SectionPointer;
+	ULONG			CheckSum;
+	PVOID			LoadedImports;
+	PVOID			EntryPointActivationContext;
+	PVOID			PatchInformation;
+	LIST_ENTRY64	ForwarderLinks;
+	LIST_ENTRY64	ServiceTagLinks;
+	LIST_ENTRY64	StaticLinks;
+	PVOID			ContextInformation;
+	ULONG64			OriginalBase;
+	LARGE_INTEGER	LoadTime;
+} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;
+
+
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	USHORT LoadCount;
+	USHORT TlsIndex;
+	union {
+		LIST_ENTRY HashLinks;
+		struct {
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+	union {
+		struct {
+			ULONG TimeDateStamp;
+		};
+		struct {
+			PVOID LoadedImports;
+		};
+	};
+} LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;
+
+//////////////////////////////////////////////////////////////////////////
+
+
+
+NTKERNELAPI VOID NTAPI KeAttachProcess(PEPROCESS Process);
+NTKERNELAPI VOID NTAPI KeDetachProcess();
+
+
+
+
+/***************************************************************************************
+* NAME:			HsDispatchControlForProcess
+*
+* DESCRIPTION:	×Ô¶¨ÒåµÄ½ø³Ì´ó¹¦ÄÜDispatchControlÅÐ¶Ïº¯Êý£¬ÓÉÖ÷DispatchControlµ÷ÓÃ
+*					
+* PARAMETERS:		IrpSp				IN		IrpSpÕ»µÄµØÖ·
+*					OutputBuffer		IN		Ó¦ÓÃ²ãUserBufferµÄµØÖ·
+*                   ulRet               Out     ·µ»Ø³¤¶ÈµÄÖµµÄµØÖ·
+*
+* RETURNS:		NTSTATUS
+*
+* NOTES:		ÔÚÕâ¸öº¯ÊýÖÐ£¬Ö»´«ÈëÉÏÊöÁ½¸ö²ÎÊý£¬ÆäËû²ÎÊý²»´«Èë¡£
+				·µ»Ø½á¹ûµ½Ö÷DIspatchControlº¯ÊýÖÐ¡£
+****************************************************************************************/
+NTSTATUS HsDispatchControlForProcess(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet);
+
+
+/***************************************************************************************
+* NAME:			HsEnumSystemProcessList
+*
+* DESCRIPTION:	²éÑ¯ÏµÍ³½ø³ÌÁÐ±íµÄÀý³Ì¡£Í¨¹ý¸Ãº¯Êý½«½ø³ÇÐÅÏ¢ListÐ´ÈëÓ¦ÓÃ²ãUserBufferÖÐ¡£
+*					
+* PARAMETERS:		OutputBuffer		IN		Ó¦ÓÃ²ãUserBufferµÄµØÖ·
+*
+* RETURNS:		NTSTATUS
+****************************************************************************************/
+NTSTATUS HsEnumSystemProcessList(ULONG_PTR ulBasePid, PHSPROCESSINFO plProcessList, ULONG_PTR* ulRet);
+
+
+
+
+
+VOID HsInitProcessGlobalVariable();
+
+
+BOOLEAN HsGetProcessPathBySectionObject(ULONG_PTR ulProcessID,WCHAR* wzProcessPath);
+BOOLEAN HsGetPathByFileObject(PFILE_OBJECT FileObject, WCHAR* wzPath);
+
+
+BOOLEAN HsIsRealProcess(PEPROCESS EProcess);
+BOOLEAN HsIsProcessDie(PEPROCESS EProcess);
+
+ULONG_PTR HsGetParentProcessIdByEProcess(PEPROCESS EProcess);
+
+PEPROCESS HsGetIdleEProcess();
+
+NTSTATUS HsGetSystemProcessCount(ULONG_PTR* ulRetCount);
+
+
+
+//ÄÚ´æÇåÁã·¨½áÊø½ø³Ì
+NTSTATUS HsKillProcessByZeroMemory(ULONG_PTR ProcessID, int* bFeedBack);
+
+
+//»ñÈ¡½ø³Ì´´½¨Ê±¼ä
+BOOLEAN
+HsGetProcessCreateTime(ULONG_PTR ProcessID,LONGLONG* OutputBuffer);
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/SysThread.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/SysThread.c
new file mode 100644
index 0000000..306dfe2
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/SysThread.c
@@ -0,0 +1,319 @@
+#include "SysThread.h"
+#include "System.h"
+
+
+extern PDRIVER_OBJECT	g_DriverObject;
+extern WIN_VERSION		WinVersion;
+extern ULONG_PTR		SYSTEM_ADDRESS_START;
+extern ULONG_PTR		ObjectHeaderSize;
+extern ULONG_PTR		ObjectTypeOffsetOf_Object_Header;
+extern ULONG_PTR		ObjectTableOffsetOf_EPROCESS;
+extern ULONG_PTR		TebOffset;
+extern ULONG_PTR		PriorityOffset;
+extern ULONG_PTR		ContextSwitchesOffset;
+extern ULONG_PTR		StateOffset;
+extern ULONG_PTR		Win32StartAddressOffset;
+extern ULONG_PTR		StartAddressOffset;
+extern ULONG_PTR		SameThreadApcFlags;
+extern PVOID			Ntoskrnl_KLDR_DATA_TABLE_ENTRY;
+
+extern PEPROCESS		SystemEProcess;
+
+ULONG_PTR		ulOffset = 0;
+ULONG_PTR		ulImageNameOffset = 0;
+ULONG_PTR		ulPspCidTable = 0;
+
+
+
+
+
+
+NTSTATUS HsEnumSysThread(PVOID OutBuffer, ULONG_PTR OutSize)
+{
+	NTSTATUS Status;
+	PETHREAD EThread;
+	CHAR PreMode;
+
+	ULONG_PTR ulCnt = (OutSize - sizeof(ALL_THREADS)) / sizeof(THREAD_INFO);
+
+	//////////////////////////////////////////////////////////////////////////
+	
+	EThread = PsGetCurrentThread();
+	PreMode = HsChangePreMode(EThread);
+	
+	HsSetGolbalMemberSysThread();
+	ulPspCidTable = HsGetPspCidTableValue();
+	if ( ulPspCidTable == 0 )  
+	{  
+		return STATUS_UNSUCCESSFUL;
+	}  
+
+	HsRecoverPreMode(EThread, PreMode);
+
+	//////////////////////////////////////////////////////////////////////////
+
+	ScanHandleTableToFindThread(SystemEProcess, (PALL_THREADS)OutBuffer, ulCnt);
+	if (ulCnt >= ((PALL_THREADS)OutBuffer)->nCnt)
+	{
+		Status = STATUS_SUCCESS;
+	}
+	else
+	{
+		Status = STATUS_BUFFER_TOO_SMALL;
+	}
+
+	return Status;
+}
+
+
+
+ULONG_PTR HsGetPspCidTableValue()  
+{  
+	PVOID PsLookupProcessByProcessIdAddress = NULL;  
+	ULONG_PTR ulPspCidTableValue = 0;  
+	UNICODE_STRING uniFuncName; 
+	ULONG  uIndex = 0;
+	int    Offset = 0;
+
+	// »ñÈ¡PsLookupProcessByProcessIdµÄº¯ÊýµØÖ·   
+	RtlInitUnicodeString(&uniFuncName, L"PsLookupProcessByProcessId");    //´ÓNtosµ¼³ö±íÖÐ»ñµÃº¯ÊýPsLookupProcessByProcessIdµØÖ·
+	PsLookupProcessByProcessIdAddress = MmGetSystemRoutineAddress(&uniFuncName);  
+	if (PsLookupProcessByProcessIdAddress== NULL )  
+	{  
+		return ulPspCidTableValue;  
+	}  
+	DbgPrint("PsLookupProcessByProcessId->%08X",PsLookupProcessByProcessIdAddress);  
+
+	switch(WinVersion)
+	{
+	case WINDOWS_7:
+		{
+			/*
+			kd> u PsLookupProcessByProcessId l 20
+			nt!PsLookupProcessByProcessId:
+			fffff800`041a61fc 48895c2408      mov     qword ptr [rsp+8],rbx
+			fffff800`041a6201 48896c2410      mov     qword ptr [rsp+10h],rbp
+			fffff800`041a6206 4889742418      mov     qword ptr [rsp+18h],rsi
+			fffff800`041a620b 57              push    rdi
+			fffff800`041a620c 4154            push    r12
+			fffff800`041a620e 4155            push    r13
+			fffff800`041a6210 4883ec20        sub     rsp,20h
+			fffff800`041a6214 65488b3c2588010000 mov   rdi,qword ptr gs:[188h]
+			fffff800`041a621d 4533e4          xor     r12d,r12d
+			fffff800`041a6220 488bea          mov     rbp,rdx
+			fffff800`041a6223 66ff8fc4010000  dec     word ptr [rdi+1C4h]
+			fffff800`041a622a 498bdc          mov     rbx,r12
+			fffff800`041a622d 488bd1          mov     rdx,rcx
+			fffff800`041a6230 488b0d9149edff  mov     rcx,qword ptr [nt!PspCidTable (fffff800`0407abc8)]
+			fffff800`041a6237 e834480200      call    nt!ExMapHandleToPointer (fffff800`041caa70)
+			*/
+			for (uIndex=0;uIndex<0x1000;uIndex++ )  
+			{  
+				if (*((PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex)) == 0x48 &&  
+					*((PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex + 1) ) == 0x8B &&  
+					*((PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex + 7) ) == 0xE8 )  
+				{  
+			
+					memcpy(&Offset,(PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex + 3),4);
+					ulPspCidTableValue = (ULONG_PTR)PsLookupProcessByProcessIdAddress+uIndex+Offset+7; 
+
+					DbgPrint("Found OK!!\r\n");
+					break;  
+				}  
+			}  
+			break;
+		}
+
+	case WINDOWS_XP:
+		{
+			/*
+			kd> u PsLookupProcessByProcessId l 20
+			nt!PsLookupProcessByProcessId:
+			80582687 8bff            mov     edi,edi
+			80582689 55              push    ebp
+			8058268a 8bec            mov     ebp,esp
+			8058268c 53              push    ebx
+			8058268d 56              push    esi
+			8058268e 64a124010000    mov     eax,dword ptr fs:[00000124h]
+			80582694 ff7508          push    dword ptr [ebp+8]
+			80582697 8bf0            mov     esi,eax
+			80582699 ff8ed4000000    dec     dword ptr [esi+0D4h]
+			8058269f ff3560a75680    push    dword ptr [nt!PspCidTable (8056a760)]
+
+			*/
+	    	for (uIndex = 0; uIndex < 0x1000; uIndex++ )  
+			{  
+				if ( *( (PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex) ) == 0xFF &&  
+					*( (PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex + 1) ) == 0x35 &&  
+					*( (PUCHAR)((ULONG_PTR)PsLookupProcessByProcessIdAddress+ uIndex + 6) ) == 0xE8 )  
+				{  
+					DbgPrint("Found OK!!\r\n");  
+					ulPspCidTableValue = *((PULONG)((ULONG)PsLookupProcessByProcessIdAddress+ uIndex + 2) );  
+					break;  
+				}  
+			}  
+			break;
+		}
+	}
+
+	return ulPspCidTableValue;  
+}  
+
+
+
+
+VOID ScanHandleTableToFindThread(PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt)
+{
+	PHANDLE_TABLE   HandleTable = NULL;    // Ö¸Ïò¾ä±ú±íµÄÖ¸Õë   
+	ULONG_PTR uTableCode = 0;  
+	ULONG uFlag = 0;
+
+
+	HandleTable = (PHANDLE_TABLE)(*(ULONG_PTR*)ulPspCidTable);  
+
+	if (HandleTable && MmIsAddressValid((PVOID)HandleTable))
+	{
+		uTableCode = (ULONG_PTR)(HandleTable->TableCode) & 0xFFFFFFFFFFFFFFFC;  ;
+		if (uTableCode && MmIsAddressValid((PVOID)uTableCode))
+		{
+			uFlag = (ULONG)(HandleTable->TableCode) & 0x03;    //00  01  10  
+
+			switch (uFlag)
+			{
+			case 0:
+				{
+					EnumTable1(uTableCode, EProcess, AllThreads, ulCnt);
+					break;
+				}
+			case 1:
+				{
+					EnumTable2(uTableCode, EProcess, AllThreads, ulCnt);
+					break;
+				}
+
+
+			case 2:
+				{
+					EnumTable3(uTableCode, EProcess, AllThreads, ulCnt);
+					break; 
+				}
+
+
+			default:
+				KdPrint(("TableCode error\n"));
+			} 			
+		}
+	}
+}
+
+
+
+NTSTATUS EnumTable1(ULONG_PTR uTableCode, PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt)
+{
+
+
+	PVOID  Object = NULL;
+	PHANDLE_TABLE_ENTRY HandleTableEntry = NULL;  
+	ULONG uIndex = 0;
+
+
+	HandleTableEntry = (PHANDLE_TABLE_ENTRY)((ULONG_PTR)(*(ULONG_PTR*)uTableCode) + ulOffset);  
+
+	for (uIndex = 0;uIndex<0x200; uIndex++ )  
+	{  
+		if (MmIsAddressValid((PVOID)&(HandleTableEntry->NextFreeTableEntry)))
+		{
+			if (HandleTableEntry->NextFreeTableEntry==0)
+			{
+				if (HandleTableEntry->Object != NULL )  
+				{  
+
+					if (MmIsAddressValid(HandleTableEntry->Object))
+					{
+
+						Object = (PVOID)(((ULONG_PTR)HandleTableEntry->Object)  & 0xFFFFFFFFFFFFFFF8);  
+						InsertThread((PETHREAD)Object,EProcess,AllThreads, ulCnt);
+
+					}
+
+				}
+			}
+
+		}
+
+		HandleTableEntry++;  
+
+	}  
+}
+
+
+
+NTSTATUS EnumTable2(ULONG_PTR uTableCode, PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt)
+{
+	do   
+	{  
+		EnumTable1(uTableCode,EProcess,AllThreads,ulCnt);  
+		uTableCode += sizeof(ULONG_PTR);  
+	} while (*(PULONG_PTR)uTableCode != 0&&MmIsAddressValid((PVOID)*(PULONG_PTR)uTableCode));  
+
+	return STATUS_SUCCESS;
+}
+
+
+
+NTSTATUS EnumTable3(ULONG_PTR uTableCode, PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt)
+{
+	do   
+	{  
+		EnumTable2(uTableCode,EProcess,AllThreads,ulCnt);  
+		uTableCode += sizeof(ULONG_PTR);  
+	} while (*(PULONG_PTR)uTableCode != 0);  
+
+	return STATUS_SUCCESS;  
+}
+
+
+//////////////////////////////////////////////////////////////////////////
+
+VOID HsSetGolbalMemberSysThread()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			ulOffset = 0x8;
+			ulImageNameOffset = 0x174;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			ObjectHeaderSize = 0x18;
+			SYSTEM_ADDRESS_START = 0x80000000;
+
+			TebOffset = 0x020;
+			PriorityOffset = 0x033;
+			ContextSwitchesOffset = 0x04c;
+			StateOffset = 0x02d;
+
+			Win32StartAddressOffset = 0x228;
+			StartAddressOffset = 0x224;
+			SameThreadApcFlags = 0x250;
+			break;
+		}
+	case WINDOWS_7:
+		{
+			ulOffset = 0x10;
+			ulImageNameOffset = 0x2e0;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ObjectHeaderSize = 0x30;
+			SYSTEM_ADDRESS_START = 0x80000000000;
+			TebOffset = 0x0b8;
+			PriorityOffset = 0x07b;
+			ContextSwitchesOffset = 0x134;
+			StateOffset = 0x164;
+
+			Win32StartAddressOffset = 0x410;
+			StartAddressOffset = 0x388;
+			SameThreadApcFlags = 0x450;
+			break;
+		}
+	}
+}
\ No newline at end of file
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/SysThread.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/SysThread.h
new file mode 100644
index 0000000..4308293
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/SysThread.h
@@ -0,0 +1,127 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+#include "Thread.h"
+
+
+typedef struct _HANDLE_TABLE64
+{
+	PVOID64 TableCode;
+	PVOID64 QuotaProcess;
+	PVOID64 UniqueProcessID;
+	PVOID64 HandleLock;
+	LIST_ENTRY HandleTableList;
+	PVOID64    HandleContentionEvent;
+	PVOID64    DebugInfo;
+	ULONG      ExtraInfoPages;
+	ULONG      Flags;
+	ULONG      FirstFreeHandle;
+	PVOID64    LastFreeHandleEntry;
+	ULONG      HandleCount;
+	ULONG      NextHandleNeedingPool;
+	ULONG      HandleCountHighWatermark;
+}HANDLE_TABLE64,*PHANDLE_TABLE64;
+
+
+
+typedef struct _HANDLE_TABLE32
+{
+	PVOID TableCode;
+	PVOID QuotaProcess;
+	PVOID UniqueProcessID;
+	ULONG HandleLock[4];
+	LIST_ENTRY HandleTableList;
+	PVOID    HandleContentionEvent;
+	PVOID    DebugInfo;
+	ULONG    ExtraInfoPages;
+	ULONG    FirstFree;
+	ULONG    LastFree;
+	ULONG    NextHandleNeedingPool;
+	ULONG    HandleCount;
+	ULONG    Flags;
+}HANDLE_TABLE32,*PHANDLE_TABLE32;
+
+#ifdef _WIN64
+#define PHANDLE_TABLE PHANDLE_TABLE64
+#else
+#define PHANDLE_TABLE PHANDLE_TABLE32
+#endif
+
+typedef struct _HANDLE_TABLE_ENTRY64 
+{
+	union {
+		PVOID64 Object;
+		ULONG ObAttributes;
+		PVOID64 InfoTable;
+		ULONG_PTR Value;
+	};
+	union {
+		union {
+			ULONG GrantedAccess;
+			struct {
+				USHORT GrantedAccessIndex;
+				USHORT CreatorBackTraceIndex;
+			};
+		};
+		ULONG NextFreeTableEntry;
+	};
+
+} HANDLE_TABLE_ENTRY64, *PHANDLE_TABLE_ENTRY64;
+
+
+typedef struct _HANDLE_TABLE_ENTRY32 
+{
+	union {
+		PVOID Object;
+		ULONG ObAttributes;
+		PVOID InfoTable;
+		ULONG_PTR Value;
+	};
+	union {
+		union {
+			ULONG GrantedAccess;
+			struct {
+				USHORT GrantedAccessIndex;
+				USHORT CreatorBackTraceIndex;
+			};
+		};
+		ULONG NextFreeTableEntry;
+	};
+
+} HANDLE_TABLE_ENTRY32, *PHANDLE_TABLE_ENTRY32;
+
+
+#ifdef _WIN64
+#define PHANDLE_TABLE_ENTRY PHANDLE_TABLE_ENTRY64
+#else
+#define PHANDLE_TABLE_ENTRY PHANDLE_TABLE_ENTRY32
+#endif
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+
+NTSTATUS HsEnumSysThread(PVOID OutBuffer, ULONG_PTR OutSize);
+
+VOID HsSetGolbalMemberSysThread();
+
+ULONG_PTR HsGetPspCidTableValue();
+
+VOID ScanHandleTableToFindThread(PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt);
+
+NTSTATUS EnumTable1(ULONG_PTR uTableCode, PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt);
+
+NTSTATUS EnumTable2(ULONG_PTR uTableCode, PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt);
+
+NTSTATUS EnumTable3(ULONG_PTR uTableCode, PEPROCESS EProcess, PALL_THREADS AllThreads, ULONG_PTR ulCnt);
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/System.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/System.c
new file mode 100644
index 0000000..bb00822
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/System.c
@@ -0,0 +1,228 @@
+#include "System.h"
+#include "SysThread.h"
+#include "IoTimer.h"
+#include "CallBack.h"
+#include "DpcTimer.h"
+#include "FilterDriver.h"
+
+
+#include "GetFuncAddress.h"
+//////////////////////////////////////////////////////////////////////////
+extern     PDEVICE_OBJECT g_DeviceObject;
+extern     PDRIVER_OBJECT g_DriverObject;
+//////////////////////////////////////////////////////////////////////////
+
+//////////////////////////////////////////////////////////////////////////
+extern POBJECT_TYPE *IoDriverObjectType;
+extern POBJECT_TYPE *IoDeviceObjectType;
+//////////////////////////////////////////////////////////////////////////
+
+extern
+	WIN_VERSION WinVersion;
+extern
+	ULONG_PTR PreviousModeOffsetOf_KTHREAD;
+extern
+	ULONG_PTR ObjectTableOffsetOf_EPROCESS;
+extern
+	ULONG_PTR SYSTEM_ADDRESS_START;
+extern
+	ULONG_PTR ObjectHeaderSize;
+extern
+	ULONG_PTR ObjectTypeOffsetOf_Object_Header;
+
+
+extern ULONG_PTR
+	ulBuildNumber;
+//////////////////////////////////////////////////////////////////////////
+
+
+
+
+NTSTATUS HsDispatchControlForSystem(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet)
+{
+
+	WCHAR* szOutputBuffer = (WCHAR*)OutputBuffer;
+	ULONG				ulIoControlCode  = 0;
+	NTSTATUS			Status = STATUS_UNSUCCESSFUL;
+	PVOID               pvInputBuffer  = NULL;
+	ULONG               ulInputLen     = 0;
+	ULONG				ulOutputLen    = 0;
+
+	pvInputBuffer   = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
+	ulInputLen      = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
+	ProbeForRead(pvInputBuffer,ulInputLen,sizeof(CHAR));
+
+	ulOutputLen     = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
+
+	ProbeForWrite(OutputBuffer,ulOutputLen,sizeof(CHAR));
+
+	ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
+	ulIoControlCode = (ulIoControlCode>>2)&0x00000FFF;
+
+	DbgPrint("%x\r\n",ulIoControlCode);
+
+	HsInitSystemGlobalVariable();
+
+	switch(ulIoControlCode)
+	{
+	case HS_IOCTL_SYSK_SYSTHREAD:
+		{
+			DbgPrint("HS_IOCTL_SYSK_SYSTHREAD\r\n");
+
+			Status = HsEnumSysThread(OutputBuffer, ulOutputLen);
+			
+			*ulRet = sizeof(ULONG_PTR);
+			break;
+		}
+	case HS_IOCTL_SYSK_IOTIMER:		//Ã¶¾ÙIOTIMER
+		{
+			DbgPrint("HS_IOCTL_SYSK_IOTIMER\r\n");
+
+			Status = HsEnumIOTimer(OutputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_OPERIOTIMER:		//ÇÐ»»IOTIMERÔËÐÐ×´Ì¬
+		{
+			DbgPrint("HS_IOCTL_SYSK_OPERIOTIMER\r\n");
+
+			Status = HsOperIOTimer(pvInputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_REMOVEIOTIMER:
+		{
+			DbgPrint("HS_IOCTL_SYSK_REMOVEIOTIMER\r\n");
+
+			Status =  RemoveIOTimer(pvInputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_DPCTIMER:		//Ã¶¾ÙIOTIMER
+		{
+			DbgPrint("HS_IOCTL_SYSK_DPCTIMER\r\n");
+
+			Status = HsEnumDPCTimer(OutputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_REMOVEDPCTIMER:
+		{
+			DbgPrint("HS_IOCTL_SYSK_REMOVEDPCTIMER\r\n");
+
+			Status =  RemoveDPCTimer(pvInputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_CALLBACKLIST:
+		{
+			DbgPrint("HS_IOCTL_SYSK_CALLBACKLIST\r\n");
+
+			Status = HsEnumCallBackList(*(int*)pvInputBuffer,OutputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_REMOVECALLBACK:
+		{
+			DbgPrint("HS_IOCTL_SYSK_REMOVECALLBACK\r\n");
+
+			Status = RemoveCallbackNotify(pvInputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_FILTERDRIVER:
+		{
+			DbgPrint("HS_IOCTL_SYSK_FILTERDRIVER\r\n");
+
+			Status = HsEnumFilterDriver((PFILTER_DRIVER)OutputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	case HS_IOCTL_SYSK_FILTERUNLOAD:
+		{
+			DbgPrint("HS_IOCTL_SYSK_FILTERUNLOAD\r\n");
+
+			Status = HsUnloadFilterDriver((PUNLOAD_FILTER)pvInputBuffer);
+
+			if (Status)
+			{
+				*ulRet = sizeof(ULONG_PTR);
+			}
+			break;
+		}
+	default:
+		{
+			Status = STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return Status;
+
+
+}
+
+
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+
+VOID HsInitSystemGlobalVariable()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+			ObjectHeaderSize = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+			SYSTEM_ADDRESS_START = 0x80000000;
+			break;
+		}
+
+	case WINDOWS_7:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ObjectHeaderSize = 0x30;
+			SYSTEM_ADDRESS_START = 0x80000000000;
+			break;
+		}
+	}
+}
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/System.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/System.h
new file mode 100644
index 0000000..948dbdd
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/System.h
@@ -0,0 +1,40 @@
+/**************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : System.h
+*
+* Command: 
+*	ÄÚºË´ó¹¦ÄÜµÄÖ÷ÎÄ¼þ
+*
+* Description:
+*	ÓëÄÚºËÏà¹ØµÄËùÓÐ¹¦ÄÜ¼¯ºÏÎÄ¼þ
+*
+****************************************************************************************
+* Copyright (C) 2015 HeavenShadow.
+****************************************************************************************/
+
+
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include "common.h"
+
+
+#define MAX_PATH 260
+
+
+NTSTATUS HsDispatchControlForSystem(PIO_STACK_LOCATION  IrpSp, PVOID OutputBuffer, ULONG_PTR* ulRet);
+
+VOID HsInitSystemGlobalVariable();
+
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Thread.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Thread.c
new file mode 100644
index 0000000..e3da9a8
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Thread.c
@@ -0,0 +1,727 @@
+#include "Thread.h"
+
+
+
+extern WIN_VERSION  WinVersion;
+
+extern ULONG_PTR    ObjectHeaderSize;
+extern ULONG_PTR    ObjectTypeOffsetOf_Object_Header;
+extern ULONG_PTR    ObjectTableOffsetOf_EPROCESS;
+extern ULONG_PTR    PreviousModeOffsetOf_KTHREAD;
+
+extern ULONG_PTR    ulBuildNumber;
+
+//////////////////////////////////////////////////////////////////////////
+// Ïß³Ì
+//////////////////////////////////////////////////////////////////////////
+
+//ÕâÊÇÁ½¸ö¹ØÓÚÏß³ÌµÄÁ´±í
+ULONG_PTR ThreadListHeadOffset = 0;
+ULONG_PTR ThreadListEntryOffset = 0;
+ULONG_PTR ThreadListHeadOffsetOther = 0;
+ULONG_PTR ThreadListEntryOffsetOther =0;
+ULONG_PTR ThreadsProcessOffset  = 0;
+ULONG_PTR CidOffset = 0;
+ULONG_PTR WinOffset = 0;
+ULONG_PTR TebOffset = 0;
+ULONG_PTR PriorityOffset = 0;
+ULONG_PTR ContextSwitchesOffset = 0;
+ULONG_PTR StateOffset = 0;
+ULONG_PTR SystemRangeStart = 0;
+ULONG_PTR Win32StartAddressOffset = 0;
+ULONG_PTR StartAddressOffset = 0;
+ULONG_PTR SameThreadApcFlags = 0;
+
+
+
+NTSTATUS HsEnumProcessThread(PVOID ProcessId)
+{
+	NTSTATUS status = STATUS_UNSUCCESSFUL;
+	PEPROCESS EProcess = NULL;
+
+	PETHREAD            EThread = NULL;
+	CHAR                PreMode = 0;
+
+	DbgPrint("PID: %d\r\n",*((ULONG32*)ProcessId));
+
+
+
+	status = PsLookupProcessByProcessId((HANDLE)*((ULONG*)ProcessId),&EProcess);
+
+	if (status==STATUS_SUCCESS)
+	{
+		ObDereferenceObject(EProcess);
+	}
+
+	DbgPrint("%d\r\n",status);
+	DbgPrint("%x\r\n",EProcess);
+
+
+	HsEnumThreadByForce(EProcess);
+
+
+	return STATUS_SUCCESS;
+}
+
+
+
+VOID
+	HsEnumThreadByForce(PEPROCESS EProcess)
+{
+	NTSTATUS   Status;
+	ULONG_PTR  i = 0;
+	PEPROCESS  EProcessTemp;
+	PETHREAD   EThread = NULL;
+
+	for (i=0;i<100000;i+=4)
+	{
+		Status = PsLookupThreadByThreadId((HANDLE)i,&EThread);
+
+		if (Status==STATUS_SUCCESS)
+		{
+			ObDereferenceObject(EThread);
+
+			//Í¨¹ýÏß³ÌÌå »ñµÃ½ø³ÌÌå
+			EProcessTemp = IoThreadToProcess(EThread);
+			if (EProcessTemp==EProcess)
+			{
+				DbgPrint("[THREAD]ETHREAD=%p TID=%ld\n",
+					EThread, 
+					(ULONG)PsGetThreadId(EThread));
+			}
+		}
+	}
+}
+
+
+
+
+
+
+VOID InitGlobalVariable()
+{
+	switch(WinVersion)
+	{
+	case WINDOWS_XP:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x140;
+			ObjectHeaderSize = 0x18;
+			ObjectTypeOffsetOf_Object_Header = 0x8;
+			ObjectTableOffsetOf_EPROCESS = 0x0c4;
+
+
+			Win32StartAddressOffset = 0x228;
+			StartAddressOffset = 0x224;
+			ThreadListHeadOffset = 0x050;
+			ThreadListEntryOffset = 0x1b0;
+			ThreadListHeadOffsetOther = 0x190;
+			ThreadListEntryOffsetOther = 0x22c;
+			ThreadsProcessOffset = 0x220;
+			CidOffset  = 0x1ec;
+			WinOffset = 4;
+			TebOffset = 0x020;
+			PriorityOffset = 0x033;
+			ContextSwitchesOffset = 0x04c;
+			StateOffset = 0x02d;
+			SystemRangeStart = 0x80000000;
+			SameThreadApcFlags = 0x250;
+			break;
+		}
+
+	case WINDOWS_7:
+		{
+			PreviousModeOffsetOf_KTHREAD = 0x1f6;
+			ObjectTableOffsetOf_EPROCESS = 0x200;
+			ObjectHeaderSize = 0x30;
+			SystemRangeStart = 0x80000000000;
+			Win32StartAddressOffset = 0x410;	//0x410 0x418
+			StartAddressOffset = 0x388;			//0x388 0x390
+			ThreadListHeadOffset = 0x030;
+			ThreadListEntryOffset = 0x2f8; 
+			ThreadListHeadOffsetOther = 0x300;
+			ThreadListEntryOffsetOther = 0x420;
+			ThreadsProcessOffset = 0x210;
+			CidOffset = 0x3b0;
+			WinOffset = 8;
+			TebOffset = 0x0b8;
+			PriorityOffset = 0x07b;
+			ContextSwitchesOffset = 0x134;
+			StateOffset = 0x164;
+			SameThreadApcFlags = 0x450;
+			break;
+		}
+	}
+}
+
+
+
+
+NTSTATUS EnumProcessThread(PVOID InBuffer, ULONG InSize, PVOID OutBuffer, ULONG_PTR OutSize)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL, PsStatus = STATUS_UNSUCCESSFUL;
+
+	PEPROCESS EProcess = NULL;
+	ULONG_PTR ulPid = 0, ulCount = 0;
+
+	ULONG_PTR  i = 0;
+	PETHREAD   EThread = NULL;
+	PEPROCESS  EProcessTemp;
+
+
+	InitGlobalVariable();
+
+	if (!InBuffer								||
+		!OutBuffer								||
+		InSize != sizeof(ULONG)					||
+		OutSize < sizeof(ALL_THREADS))
+	{
+		return STATUS_INVALID_PARAMETER;
+	}
+
+	ulCount = (OutSize - sizeof(ALL_THREADS)) / sizeof(THREAD_INFO);
+
+	ulPid = *(ULONG*)InBuffer;
+
+
+	if (ulPid != 0)
+	{
+		PsStatus = PsLookupProcessByProcessId((HANDLE)ulPid, &EProcess);
+		if (!NT_SUCCESS(PsStatus))
+		{
+			return STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	if (HsIsRealProcess(EProcess))
+	{
+		EnumThreads(EProcess, (PALL_THREADS)OutBuffer,ulCount);
+		if (ulCount >= ((PALL_THREADS)OutBuffer)->nCnt)
+		{
+			Status = STATUS_SUCCESS;
+		}
+		else
+		{
+			Status = STATUS_BUFFER_TOO_SMALL;
+		}
+	}
+
+	if (NT_SUCCESS(PsStatus))
+	{
+		ObfDereferenceObject(EProcess);
+	}
+
+	return Status;
+}
+
+
+VOID EnumThreads(PEPROCESS EProcess, PALL_THREADS ProcessThreads, ULONG_PTR ulCount)
+{
+	if (!EProcess || !ProcessThreads)
+	{
+		return;
+	}
+
+	EnumProcessThreadByList(EProcess,ProcessThreads,ulCount);
+}
+
+
+
+VOID EnumProcessThreadByList(PEPROCESS EProcess, PALL_THREADS ProcessThreads, ULONG_PTR ulCount)
+{
+// 	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+// 	ULONG_PTR  i = 0;
+// 	PEPROCESS  EProcessTemp;
+// 	PETHREAD   EThread = NULL;
+// 	if (EProcess && MmIsAddressValid(EProcess))
+// 	{
+// 		for (i=0;i<100000;i+=4)
+// 		{
+// 			Status = PsLookupThreadByThreadId((HANDLE)i,&EThread);
+// 
+// 			if (Status==STATUS_SUCCESS)
+// 			{
+// 				ObDereferenceObject(EThread);
+// 
+// 				//Í¨¹ýÏß³ÌÌå »ñµÃ½ø³ÌÌå
+// 				EProcessTemp = IoThreadToProcess(EThread);
+// 				if (EProcessTemp==EProcess)
+// 				{
+// 
+// 					DbgPrint("[THREAD]ETHREAD=%p TID=%ld\n",
+// 						EThread, 
+// 						(ULONG)PsGetThreadId(EThread));
+// 
+// 					InsertThread(EThread, EProcess, ProcessThreads, ulCount);
+// 
+// 				}
+// 			}
+// 		}
+// 	}
+	
+
+	if (EProcess && MmIsAddressValid(EProcess))
+	{
+		PLIST_ENTRY  ListEntry = (PLIST_ENTRY)((ULONG_PTR)EProcess + ThreadListHeadOffset);
+		if (ListEntry && MmIsAddressValid(ListEntry) && MmIsAddressValid(ListEntry->Flink))
+		{
+			KIRQL     OldIrql = KeRaiseIrqlToDpcLevel();
+			ULONG_PTR nMaxCnt = PAGE_SIZE * 2;
+			PLIST_ENTRY Temp = ListEntry->Flink;
+			while (MmIsAddressValid(Temp) && Temp != ListEntry && nMaxCnt--)
+			{
+				PETHREAD EThread = (PETHREAD)((ULONG_PTR)Temp - ThreadListEntryOffset);
+				InsertThread(EThread, EProcess, ProcessThreads, ulCount);
+				Temp = Temp->Flink;
+			}
+
+			KeLowerIrql(OldIrql);
+		}
+
+		ListEntry = (PLIST_ENTRY)((ULONG)EProcess + ThreadListHeadOffsetOther);
+		if (ListEntry && MmIsAddressValid(ListEntry) && MmIsAddressValid(ListEntry->Flink))
+		{
+			KIRQL     OldIrql = KeRaiseIrqlToDpcLevel();
+			ULONG_PTR nMaxCnt = PAGE_SIZE * 2;
+			PLIST_ENTRY Temp = ListEntry->Flink;
+			while (MmIsAddressValid(Temp) && Temp != ListEntry && nMaxCnt--)
+			{
+				PETHREAD EThread = (PETHREAD)((ULONG_PTR)Temp - ThreadListEntryOffsetOther);
+				InsertThread(EThread,EProcess, ProcessThreads,ulCount);
+				Temp = Temp->Flink;
+			}
+
+			KeLowerIrql(OldIrql);
+		}
+	}
+}
+
+
+
+
+VOID InsertThread(PETHREAD EThread, PEPROCESS EProcess, PALL_THREADS ProcessThreads, ULONG ulCount)
+{
+
+	if (EThread && EProcess && MmIsAddressValid((PVOID)EThread))
+	{ 
+
+		PEPROCESS Temp = NULL;
+
+		if (IoThreadToProcess)
+		{
+			Temp = IoThreadToProcess(EThread);
+		}
+		else
+		{
+			Temp = (PEPROCESS)(*(PULONG_PTR)(ULONG_PTR)EThread + ThreadsProcessOffset);
+		}
+
+		if (EProcess == Temp &&
+			!IsThreadInList(EThread, ProcessThreads,ulCount) && 
+			NT_SUCCESS(ObReferenceObjectByPointer(EThread, 0, NULL, KernelMode)))
+		{
+			ULONG_PTR nCurCnt = ProcessThreads->nCnt;
+			if (ulCount > nCurCnt)
+			{
+				if (PsGetThreadId)
+				{
+					ProcessThreads->Threads[nCurCnt].Tid = (ULONG_PTR)PsGetThreadId(EThread);
+				}
+				else
+				{
+					ProcessThreads->Threads[nCurCnt].Tid = *(PULONG_PTR)((ULONG_PTR)EThread + CidOffset + WinOffset);
+				}
+
+				ProcessThreads->Threads[nCurCnt].Thread = (ULONG_PTR)EThread;
+				ProcessThreads->Threads[nCurCnt].Win32StartAddress = GetThreadStartAddress(EThread);
+				ProcessThreads->Threads[nCurCnt].Teb = *(PULONG_PTR)((ULONG_PTR)EThread + TebOffset);
+				ProcessThreads->Threads[nCurCnt].Priority = *(PUCHAR)((ULONG_PTR)EThread + PriorityOffset);
+				ProcessThreads->Threads[nCurCnt].ContextSwitches = *(PULONG)((ULONG_PTR)EThread + ContextSwitchesOffset);
+				ProcessThreads->Threads[nCurCnt].State = *(PUCHAR)((ULONG_PTR)EThread + StateOffset);
+			}
+
+			ProcessThreads->nCnt++;
+			ObfDereferenceObject(EThread);
+		}
+	} 
+}
+
+
+
+BOOLEAN IsThreadInList(PETHREAD EThread, PALL_THREADS ProcessThreads, ULONG ulCount)
+{
+	BOOLEAN bRet = FALSE;
+	ULONG_PTR Temp = ulCount > ProcessThreads->nCnt ? ProcessThreads->nCnt : ulCount;
+	ULONG_PTR i = 0;
+
+	if (!EThread || !ProcessThreads)
+	{
+		return TRUE;
+	}
+
+	for (i = 0; i < Temp; i++)
+	{
+		if (ProcessThreads->Threads[i].Thread == (ULONG_PTR)EThread)
+		{
+			bRet = TRUE;
+			break;
+		}
+	}
+
+	return bRet; 
+}
+
+
+
+
+ULONG_PTR GetThreadStartAddress(PETHREAD EThread)
+{
+
+
+	ULONG_PTR ulStartAddress = 0;
+
+	if (!EThread ||
+		!MmIsAddressValid(EThread))
+	{
+		return ulStartAddress;
+	}
+
+	__try
+	{
+		ulStartAddress = *(PULONG_PTR)((ULONG_PTR)EThread + StartAddressOffset);
+
+		if ( ulBuildNumber < 6000 )
+		{
+			if (ulStartAddress < (ULONG_PTR)SystemRangeStart)
+			{
+				ULONG_PTR Win32StartAddress = *(PULONG_PTR)((ULONG_PTR)EThread + Win32StartAddressOffset);
+				if ( Win32StartAddress )
+				{
+
+					ulStartAddress = Win32StartAddress;
+
+				}
+			}
+		}
+		else
+		{
+			if (*(ULONG_PTR*)((ULONG_PTR)EThread + SameThreadApcFlags) & 2 )
+			{
+				ulStartAddress = *(ULONG_PTR*)((ULONG_PTR)EThread + Win32StartAddressOffset);
+			}
+			else
+			{
+				if (*(ULONG_PTR*)((ULONG_PTR)EThread + StartAddressOffset))
+				{
+					ulStartAddress = *(ULONG_PTR*)((ULONG_PTR)EThread + StartAddressOffset);
+				}
+			}
+
+			if (ulStartAddress <= 0xf)
+			{
+				Win32StartAddressOffset = 0x418;	//0x410 0x418
+				StartAddressOffset = 0x390;			//0x388 0x390
+			}
+
+			if (*(ULONG_PTR*)((ULONG_PTR)EThread + SameThreadApcFlags) & 2 )
+			{
+				ulStartAddress = *(ULONG_PTR*)((ULONG_PTR)EThread + Win32StartAddressOffset);
+			}
+			else
+			{
+				if (*(ULONG_PTR*)((ULONG_PTR)EThread + StartAddressOffset))
+				{
+					ulStartAddress = *(ULONG_PTR*)((ULONG_PTR)EThread + StartAddressOffset);
+				}
+			}
+		}
+	}
+	__except(1)
+	{}
+
+	return ulStartAddress;
+}
+
+
+
+NTSTATUS
+EnumProcessThreadModule(ULONG ulProcessID,PVOID OutBuffer,ULONG_PTR ulOutSize)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	PEPROCESS EProcess = NULL;
+
+	ULONG ulCount = (ulOutSize - sizeof(ALL_MODULES)) / sizeof(MODULE_INFO);
+
+	if (ulProcessID)
+	{
+		Status = PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess);
+
+		if (!NT_SUCCESS(Status))
+		{
+			return Status;
+		}
+	}
+
+	DbgPrint("Enter EnumProcessModule\r\n");
+
+	if (HsIsRealProcess(EProcess))
+	{
+		PALL_MODULES AllModules = (PALL_MODULES)ExAllocatePool(PagedPool,ulOutSize);
+		if (AllModules)
+		{
+			memset(AllModules, 0, ulOutSize);
+
+			Status = EnumDllModuleByPeb(EProcess, AllModules, ulCount);
+
+			if (ulCount >= AllModules->ulCount)
+			{
+				RtlCopyMemory(OutBuffer, AllModules, ulOutSize);
+				Status = STATUS_SUCCESS;
+			}
+			else
+			{
+				Status = STATUS_BUFFER_TOO_SMALL;
+			}
+
+			ExFreePool(AllModules, 0);
+			AllModules = NULL;
+		}
+	}
+
+	if (NT_SUCCESS(Status))
+	{
+		ObfDereferenceObject(EProcess);
+	}
+
+	return Status;
+}
+
+
+NTSTATUS EnumDllModuleByPeb( PEPROCESS EProcess, PALL_MODULES AllModules, ULONG_PTR ulCount)
+{
+
+	BOOLEAN bAttach = FALSE;
+	KAPC_STATE ApcState;
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR LdrInPebOffset = 0;
+
+
+
+	KeStackAttachProcess(EProcess, &ApcState);
+	bAttach = TRUE;
+
+
+	__try
+	{
+		ULONG_PTR Peb = 0;
+		Peb = (ULONG_PTR)PsGetProcessPeb(EProcess);
+
+		if ((ULONG)Peb > 0)
+		{
+
+
+
+			switch(WinVersion)
+			{
+			case WINDOWS_7:
+				{
+					PPEB_LDR_DATA64 LdrEntry = NULL;
+					LdrInPebOffset = 0x18;
+
+
+					LdrEntry = (PPEB_LDR_DATA64)(*(PULONG_PTR)((Peb + (ULONG_PTR)LdrInPebOffset)));
+					ProbeForRead((PVOID)LdrEntry,8,8);
+
+					if ((ULONG_PTR)LdrEntry>0)
+					{
+						WalkerModuleList64((PLIST_ENTRY64)&(LdrEntry->InLoadOrderModuleList), 1, AllModules, ulCount);
+						WalkerModuleList64((PLIST_ENTRY64)&(LdrEntry->InMemoryOrderModuleList), 2, AllModules, ulCount);
+						WalkerModuleList64((PLIST_ENTRY64)&(LdrEntry->InInitializationOrderModuleList), 3, AllModules, ulCount);
+
+						Status = STATUS_SUCCESS;
+					}
+
+					break;
+				}
+
+			case WINDOWS_XP:
+				{
+
+
+					PPEB_LDR_DATA32 LdrEntry = NULL;
+					LdrInPebOffset = 0x00c;
+
+
+					LdrEntry = (PPEB_LDR_DATA32)(*(PULONG_PTR)((Peb + (ULONG_PTR)LdrInPebOffset)));
+					ProbeForRead((PVOID)LdrEntry,4,4);
+
+					if ((ULONG_PTR)LdrEntry>0)
+					{
+						WalkerModuleList32((PLIST_ENTRY32)&(LdrEntry->InLoadOrderModuleList), 1, AllModules, ulCount);
+						WalkerModuleList32((PLIST_ENTRY32)&(LdrEntry->InMemoryOrderModuleList), 2, AllModules, ulCount);
+						WalkerModuleList32((PLIST_ENTRY32)&(LdrEntry->InInitializationOrderModuleList), 3, AllModules, ulCount);
+
+						Status = STATUS_SUCCESS;
+					}
+
+					break;
+				}
+			}
+
+
+
+		}
+	}
+	__except(1)
+	{
+		DbgPrint("EnumDllModuleByPeb Catch __Except\r\n");
+		Status = STATUS_UNSUCCESSFUL;
+	}
+
+	if (bAttach)
+	{
+		KeUnstackDetachProcess(&ApcState);
+		bAttach = FALSE;
+	}
+
+	return Status;
+}
+
+
+
+VOID WalkerModuleList32(PLIST_ENTRY32 ListEntry, ULONG nType, PALL_MODULES AllModules, ULONG ulCount)
+{
+	PLIST_ENTRY32 Entry = NULL;
+	PLDR_DATA_TABLE_ENTRY LdrEntry = NULL;
+	Entry = (PLIST_ENTRY32)ListEntry->Flink;
+
+	while ((ULONG_PTR)Entry > 0 && Entry != ListEntry)
+	{
+
+
+		switch (nType)
+		{
+		case 1:
+			LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
+			break;
+
+		case 2:
+			LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
+			break;
+
+		case 3:
+			LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
+			break;
+		}
+
+		if ((ULONG)LdrEntry > 0)
+		{
+			__try
+			{
+				ProbeForRead(LdrEntry, sizeof(LDR_DATA_TABLE_ENTRY), 1);
+
+				if (!IsModuleInList((ULONG_PTR)LdrEntry->DllBase, (ULONG_PTR)(LdrEntry->SizeOfImage), AllModules, ulCount))
+				{
+					if (ulCount > AllModules->ulCount)
+					{
+
+
+						AllModules->Modules[AllModules->ulCount].Base = (ULONG_PTR)LdrEntry->DllBase;
+						AllModules->Modules[AllModules->ulCount].Size = LdrEntry->SizeOfImage;
+
+						wcsncpy(AllModules->Modules[AllModules->ulCount].Path, LdrEntry->FullDllName.Buffer,LdrEntry->FullDllName.Length);
+					}
+
+					AllModules->ulCount++;
+				}
+			}
+			__except(1)
+			{
+				DbgPrint("WalkerModuleList __Except(1)\r\n");
+			}
+		}
+
+		Entry = (PLIST_ENTRY32)Entry->Flink;
+	}
+}
+
+
+
+VOID WalkerModuleList64(PLIST_ENTRY64 ListEntry, ULONG nType, PALL_MODULES AllModules, ULONG ulCount)
+{
+	PLIST_ENTRY64 Entry = NULL;
+	PLDR_DATA_TABLE_ENTRY64 LdrEntry = NULL;
+	Entry = (PLIST_ENTRY64)ListEntry->Flink;
+
+	while ((ULONG_PTR)Entry > 0 && Entry != ListEntry)
+	{
+
+
+		switch (nType)
+		{
+		case 1:
+			LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY64, InLoadOrderLinks);
+			break;
+
+		case 2:
+			LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY64, InMemoryOrderLinks);
+			break;
+
+		case 3:
+			LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY64, InInitializationOrderLinks);
+			break;
+		}
+
+		if ((ULONG)LdrEntry > 0)
+		{
+			__try
+			{
+				ProbeForRead(LdrEntry, sizeof(LDR_DATA_TABLE_ENTRY64), 8);
+
+				if (!IsModuleInList((ULONG_PTR)LdrEntry->DllBase, (ULONG_PTR)(LdrEntry->SizeOfImage), AllModules, ulCount))
+				{
+					if (ulCount > AllModules->ulCount)
+					{
+
+
+						AllModules->Modules[AllModules->ulCount].Base = (ULONG_PTR)LdrEntry->DllBase;
+						AllModules->Modules[AllModules->ulCount].Size = LdrEntry->SizeOfImage;
+
+						wcsncpy(AllModules->Modules[AllModules->ulCount].Path, LdrEntry->FullDllName.Buffer,LdrEntry->FullDllName.Length);
+					}
+
+					AllModules->ulCount++;
+				}
+			}
+			__except(1)
+			{
+				DbgPrint("WalkerModuleList __Except(1)\r\n");
+			}
+		}
+
+		Entry = (PLIST_ENTRY64)Entry->Flink;
+	}
+}
+
+
+
+
+BOOLEAN IsModuleInList(ULONG_PTR Base, ULONG_PTR Size, PALL_MODULES AllModules, ULONG_PTR ulCount)
+{
+	BOOLEAN bIn = FALSE;
+	ULONG i = 0;
+	ULONG ulTempCount = AllModules->ulCount > ulCount ? ulCount : AllModules->ulCount;
+
+	for (i = 0; i < ulTempCount; i++)
+	{
+		if (Base == AllModules->Modules[i].Base && Size == AllModules->Modules[i].Size)
+		{
+			bIn = TRUE;
+			break;
+		}
+	}
+
+	return bIn;
+}
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Thread.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Thread.h
new file mode 100644
index 0000000..d3ec82e
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Thread.h
@@ -0,0 +1,64 @@
+#pragma once 
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include <ntimage.h>
+
+#include "common.h"
+
+#include "Process.h"
+
+
+
+typedef struct _THREAD_INFO_
+{
+	ULONG_PTR Thread;
+	ULONG_PTR Tid;
+	ULONG_PTR Teb;
+	UCHAR Priority;
+	ULONG_PTR Win32StartAddress;
+	ULONG ContextSwitches;
+	UCHAR State;
+}THREAD_INFO, *PTHREAD_INFO;
+
+typedef struct _ALL_THREADS_
+{
+	ULONG_PTR    nCnt;
+	THREAD_INFO Threads[1];
+}ALL_THREADS, *PALL_THREADS;
+
+
+
+
+NTSTATUS HsEnumProcessThread(PVOID ProcessId);
+VOID HsEnumThreadByForce(PEPROCESS EProcess);
+
+
+
+
+extern
+	PPEB
+	PsGetProcessPeb(PEPROCESS Process);
+
+
+NTSTATUS EnumProcessThread(PVOID InBuffer, ULONG InSize, PVOID OutBuffer, ULONG_PTR OutSize);
+VOID EnumThreads(PEPROCESS EProcess, PALL_THREADS ProcessThreads, ULONG_PTR ulCount);
+VOID EnumProcessThreadByList(PEPROCESS EProcess, PALL_THREADS ProcessThreads, ULONG_PTR ulCount);
+VOID InsertThread(PETHREAD EThread, PEPROCESS EProcess, PALL_THREADS ProcessThreads, ULONG ulCount);
+BOOLEAN IsThreadInList(PETHREAD EThread, PALL_THREADS ProcessThreads, ULONG ulCount);
+ULONG_PTR GetThreadStartAddress(PETHREAD EThread);
+NTSTATUS EnumProcessThreadModule(ULONG ulProcessID,PVOID OutBuffer,ULONG_PTR ulOutSize);
+NTSTATUS EnumDllModuleByPeb( PEPROCESS EProcess, PALL_MODULES AllModules, ULONG_PTR ulCount);
+VOID WalkerModuleList64(PLIST_ENTRY64 ListEntry, ULONG nType, PALL_MODULES AllModules, ULONG ulCount);
+VOID WalkerModuleList32(PLIST_ENTRY32 ListEntry, ULONG nType, PALL_MODULES AllModules, ULONG ulCount);
+BOOLEAN IsModuleInList(ULONG_PTR Base, ULONG_PTR Size, PALL_MODULES AllModules, ULONG_PTR ulCount);
+
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Window.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Window.c
new file mode 100644
index 0000000..556028e
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Window.c
@@ -0,0 +1,91 @@
+#include "Window.h"
+
+
+
+extern
+	WIN_VERSION  WinVersion;
+extern       
+	ULONG_PTR ulBuildNumber;
+
+extern
+	pfnNtUserBuildHwndList AddressNtUserBuildHwndList;
+extern
+	pfnNtUserQueryWindow AddressNtUserQueryWindow;
+
+
+
+
+NTSTATUS HsEnumProcessWindow(PVOID InBuffer, ULONG_PTR InSize, PVOID OutBuffer, ULONG_PTR OutLen)
+{
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+
+	GetSSSDTApi();
+
+	if (!InBuffer || 
+		!OutBuffer)
+	{
+		return STATUS_INVALID_PARAMETER;
+	}
+
+
+	if (AddressNtUserBuildHwndList==NULL)
+	{
+		return Status;
+	}
+
+	else
+	{
+
+		Status = AddressNtUserBuildHwndList(
+			NULL,
+			NULL,
+			FALSE,
+			0,
+			(OutLen - sizeof(ALL_WNDS)) / sizeof(WND_INFO),
+			(HWND*)((ULONG)OutBuffer + sizeof(ULONG)),
+			(ULONG*)OutBuffer);
+	}
+
+	if (NT_SUCCESS(Status))
+	{
+		DWORD ulCount = *((DWORD*)OutBuffer);
+		ULONG i = 0;
+		HWND* hWndBuffer = (HWND*)ExAllocatePool(NonPagedPool,sizeof(HWND) * ulCount);
+
+
+
+		if (hWndBuffer)
+		{
+			PALL_WNDS Wnds = (PALL_WNDS)OutBuffer;
+			memcpy(hWndBuffer, (PVOID)((ULONG)OutBuffer + sizeof(ULONG)), sizeof(HWND) * ulCount);
+
+			for (i = 0; i < ulCount; i++)
+			{
+				ULONG Tid = 0, Pid = 0;
+				HWND hWnd = hWndBuffer[i];
+
+				Pid = AddressNtUserQueryWindow(hWnd, 0);
+
+				if (WinVersion == WINDOWS_7)
+				{
+					Tid = AddressNtUserQueryWindow(hWnd, 2);
+				}
+				else
+				{
+					Tid = AddressNtUserQueryWindow(hWnd, 1);
+				}
+
+				Wnds->WndInfo[i].hWnd = hWnd;
+				Wnds->WndInfo[i].uPid = Pid;
+				Wnds->WndInfo[i].uTid = Tid;
+			}
+
+			Wnds->nCnt = ulCount;
+
+			ExFreePool(hWndBuffer,0);
+		}
+	}
+
+	return Status;
+}
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Window.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Window.h
new file mode 100644
index 0000000..6852b34
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/Window.h
@@ -0,0 +1,39 @@
+#pragma once 
+
+
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+#include <ntifs.h>
+#include <WINDEF.H>
+#include "GetSSSDTFuncAddress.h"
+#include "common.h"
+#include "Process.h"
+
+
+
+typedef struct _WND_INFO_
+{
+	HWND  hWnd;
+	ULONG uPid;
+	ULONG uTid;
+}WND_INFO, *PWND_INFO;
+
+typedef struct _ALL_WNDS_
+{
+	ULONG nCnt;
+	WND_INFO WndInfo[1];
+}ALL_WNDS, *PALL_WNDS;
+
+
+
+NTSTATUS 
+	HsEnumProcessWindow(
+	PVOID InBuffer, 
+	ULONG_PTR InSize, 
+	PVOID OutBuffer, 
+	ULONG_PTR OutLen);
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/common.c b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/common.c
new file mode 100644
index 0000000..c7c7598
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/common.c
@@ -0,0 +1,184 @@
+#include "common.h"
+
+
+//////////////////////////////////////////////////////////////////////////
+ULONG_PTR  ulBuildNumber = 0;	//GetWindowsVersion
+
+ULONG_PTR    SYSTEM_ADDRESS_START = 0;
+
+//////////////////////////////////////////////////////////////////////////
+
+
+VOID HsWcharToChar(WCHAR *wzFuncName,CHAR *szFuncName)
+{
+	UNICODE_STRING UnicodeFuncName;
+	ANSI_STRING AnsiFuncName;
+
+	RtlInitUnicodeString(&UnicodeFuncName,wzFuncName);
+	if (RtlUnicodeStringToAnsiString(&AnsiFuncName,&UnicodeFuncName,TRUE) == STATUS_SUCCESS){
+		memcpy(szFuncName,AnsiFuncName.Buffer,AnsiFuncName.Length);
+		RtlFreeAnsiString(&AnsiFuncName);
+	}
+}
+
+
+//Í¨¹ý º¯ÊýÃû³Æ µÃµ½º¯ÊýµØÖ·
+PVOID 
+HsGetFunctionAddressByName(WCHAR *szFunction)
+{
+	UNICODE_STRING uniFunction;  
+	PVOID AddrBase = NULL;
+
+	if (szFunction && wcslen(szFunction) > 0)
+	{
+		RtlInitUnicodeString(&uniFunction, szFunction);   //³£Á¿Ö¸Õë
+		AddrBase = MmGetSystemRoutineAddress(&uniFunction);
+	}
+
+	return AddrBase;
+}
+
+
+
+WIN_VERSION HsGetWindowsVersion()
+{
+
+
+	RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)}; 
+	pfnRtlGetVersion RtlGetVersion = NULL;
+	WIN_VERSION WinVersion;
+	WCHAR szRtlGetVersion[] = L"RtlGetVersion";
+
+
+	RtlGetVersion = (pfnRtlGetVersion)HsGetFunctionAddressByName(szRtlGetVersion); 
+
+	if (RtlGetVersion)
+	{
+		RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo); 
+	} 
+	else 
+	{
+		PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);
+	}
+
+	ulBuildNumber =  osverInfo.dwBuildNumber;
+
+	if (osverInfo.dwMajorVersion == 5 && osverInfo.dwMinorVersion == 1) 
+	{
+		DbgPrint("WINDOWS_XP\r\n");
+		WinVersion = WINDOWS_XP;
+	}
+	else if (osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1)
+	{
+		DbgPrint("WINDOWS 7\r\n");
+		WinVersion = WINDOWS_7;
+	}
+	else if (osverInfo.dwMajorVersion == 6 && 
+		osverInfo.dwMinorVersion == 2 &&
+		osverInfo.dwBuildNumber == 9200)
+	{
+		DbgPrint("WINDOWS 8\r\n");
+		WinVersion = WINDOWS_8;
+	}
+	else if (osverInfo.dwMajorVersion == 6 && 
+		osverInfo.dwMinorVersion == 3 && 
+		osverInfo.dwBuildNumber == 9600)
+	{
+		DbgPrint("WINDOWS 8.1\r\n");
+		WinVersion = WINDOWS_8_1;
+	}
+	else
+	{
+		DbgPrint("WINDOWS_UNKNOW\r\n");
+		WinVersion = WINDOWS_UNKNOW;
+	}
+
+	return WinVersion;
+}
+
+NTSTATUS HsSafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG SrcSize)
+{
+	PMDL SrcMdl, DstMdl;
+	PUCHAR SrcAddress, DstAddress;
+	NTSTATUS Status = STATUS_UNSUCCESSFUL;
+	ULONG_PTR r;
+
+	//Îª¿½±´Ô´´´½¨Ò»¸öMDL
+	SrcMdl = IoAllocateMdl(SrcAddr, SrcSize, FALSE, FALSE, NULL);  
+	if (MmIsAddressValid(SrcMdl))
+	{
+		MmBuildMdlForNonPagedPool(SrcMdl);
+		SrcAddress = MmGetSystemAddressForMdlSafe(SrcMdl, NormalPagePriority);
+		//ÏµÍ³ÎªÎÒÃÇ´´½¨ÄÚ´æ
+
+		if (MmIsAddressValid(SrcAddress))
+		{
+			//Îª¿½±´Ä¿±ê´´½¨Ò»¸öMDL
+			DstMdl = IoAllocateMdl(DstAddr,SrcSize,FALSE,FALSE, NULL);
+			if (MmIsAddressValid(DstMdl))
+			{
+				__try
+				{
+					MmProbeAndLockPages(DstMdl, KernelMode, IoWriteAccess);
+					DstAddress = MmGetSystemAddressForMdlSafe(DstMdl, NormalPagePriority);
+					if (MmIsAddressValid(DstAddress))
+					{
+						RtlZeroMemory(DstAddress,SrcSize);
+						RtlCopyMemory(DstAddress, SrcAddress, SrcSize);
+						Status = STATUS_SUCCESS;
+					}
+					MmUnlockPages(DstMdl);
+				}
+				__except(EXCEPTION_EXECUTE_HANDLER)
+				{                 
+					if (DstMdl)
+					{
+						MmUnlockPages(DstMdl);
+					}
+
+					if (DstMdl)
+					{
+						IoFreeMdl(DstMdl);
+					}
+
+					if (SrcMdl)
+					{
+						IoFreeMdl(SrcMdl);
+					}
+
+					return GetExceptionCode();
+				}
+				IoFreeMdl(DstMdl);
+			}
+		}            
+		IoFreeMdl(SrcMdl);
+	}
+	return Status;
+}
+
+
+BOOLEAN HsIsUnicodeStringValid(PUNICODE_STRING uniString)
+{
+	BOOLEAN bRet = FALSE;
+
+	__try
+	{
+		if (uniString->Length > 0	&&
+			uniString->Buffer		&&
+			MmIsAddressValid(uniString->Buffer) &&
+			MmIsAddressValid(&uniString->Buffer[uniString->Length / sizeof(WCHAR) - 1]))
+		{
+			bRet = TRUE;
+		}
+
+	}
+	__except(1)
+	{	
+		bRet = FALSE;
+	}
+
+	return bRet;
+}
+
+
+
diff --git a/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/common.h b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/common.h
new file mode 100644
index 0000000..ad6b9c8
--- /dev/null
+++ b/arkProject/HeavenShadowDrv/HeavenShadowDrv/Source/common.h
@@ -0,0 +1,136 @@
+/**************************************************************************************
+* AUTHOR : HeavenShadow
+* DATE   : 2014-10-28
+* MODULE : common.h
+*
+* Command: 
+*	IOCTRL Í¨ÓÃÍ·ÎÄ¼þ
+*
+* Description:
+*	Çý¶¯ºÍÓ¦ÓÃ³ÌÐòµÄIoCtrlµÄÍ¨ÓÃÊý¾Ý
+*
+****************************************************************************************
+* Copyright (C) 2015 HeavenShadow.
+****************************************************************************************/
+
+#pragma once 
+
+#include <ntifs.h>
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+//²»Ö§³Ö·ûºÅÁ´½ÓÓÃ»§Ïà¹ØÐÔ
+#define HS_DEVICE_NAME                  L"\\Device\\HeavenShadowDevice"
+#define HS_LINK_NAME                    L"\\DosDevices\\HeavenShadowLink"
+
+#define HS_EVENT_PROCESS_NAME           L"\\BaseNamedObjects\\HeavenShadowProcessEvent"
+
+#define HS_WIN32_LINK_NAME              "\\\\.\\HeavenShadowLink"
+
+//Ö§³Ö·ûºÅÁ´½ÓÓÃ»§Ïà¹ØÐÔ
+#define SYMBOLIC_LINK_GLOBAL_NAME       L"\\DosDevices\\Global\\HeavenShadowDevice"
+
+#define DATA_TO_APP                     "HeavenShadow"
+
+
+enum HS_ENUM_IOCTL
+{
+	HS_IOCTL_PROC = 0x100,					//½ø³ÌÏà¹Ø
+	HS_IOCTL_PROC_SENDSELFPID,				//·¢ËÍ×Ô¼ºµÄPIDµ½Çý¶¯²ã
+	HS_IOCTL_PROC_PROCESSCOUNT,				//½ø³Ì¼ÆÊý
+	HS_IOCTL_PROC_PROCESSLIST,				//ÁÐ¾Ù½ø³ÌÁÐ±í
+	HS_IOCTL_PROC_PROTECTPROCESS,			//±£»¤½ø³Ì
+	HS_IOCTL_PROC_KILLPROCESSBYFORCE,		//Ç¿ÖÆ¹Ø±Õ½ø³Ì
+	HS_IOCTL_PROC_PROCESSTHREAD,			//Ïß³Ì
+	HS_IOCTL_PROC_PROCESSTHREADMODULE,		//Ïß³ÌÄ£¿é
+	HS_IOCTL_PROC_PROCESSPRIVILEGE,			//ÁÐ¾Ù½ø³ÌÈ¨ÏÞ
+	HS_IOCTL_PROC_PRIVILEGE_ADJUST,			//¸Ä±ä½ø³ÌÈ¨ÏÞ
+	HS_IOCTL_PROC_PROCESSHANDLE,			//¾ä±ú
+	HS_IOCTL_PROC_PROCESSWINDOW,			//´°¿Ú
+	HS_IOCTL_PROC_PROCESSMODULE,			//½ø³ÌÄ£¿é
+	HS_IOCTL_PROC_PROCESSMEMORY,			//½ø³ÌÄÚ´æ
+
+	HS_IOCTL_MODU = 0x180,					//Ä£¿éÏà¹Ø
+	HS_IOCTL_MODU_MODULELIST,				//ÁÐ¾ÙÏµÍ³Ä£¿éÁÐ±í
+	HS_IOCTL_MODU_REMOVEMODULE,				//Ð¶ÔØÏµÍ³Ä£¿é
+
+	HS_IOCTL_KRNL = 0x200,					//ÄÚºË¹³×ÓÏà¹Ø
+	HS_IOCTL_KRNL_SSDTLIST,					//ÁÐ¾ÙSSDTÁÐ±í
+	HS_IOCTL_KRNL_KISRVTAB,					//»ñÈ¡·þÎñ±í
+	HS_IOCTL_KRNL_RESUMESSDT,				//»Ö¸´SSDTº¯Êý
+	HS_IOCTL_KRNL_SSSDTLIST,				//ÁÐ¾ÙSSSDTÁÐ±í
+	HS_IOCTL_KRNL_WIN32KSERVICE,			//»ñÈ¡Win32k·þÎñ±í
+	HS_IOCTL_KRNL_KRNLFILE,					//»ñÈ¡ÄÚºËÎÄ¼þ		//¾ßÌåÄÄ¸öÎÄ¼þÔÚInputBufferµÄ²¼¶ûÐÍÖÐÈ·¶¨
+	HS_IOCTL_KRNL_KRNLIAT,					//»ñÈ¡ÄÚºËµ¼Èë±í
+	HS_IOCTL_KRNL_KRNLEAT,					//»ñÈ¡ÄÚºËµ¼³ö±í
+
+	HS_IOCTL_SYSK = 0x280,					//ÄÚºËÏà¹Ø
+	HS_IOCTL_SYSK_SYSTHREAD,				//ÄÚºËÏß³Ì
+	HS_IOCTL_SYSK_IOTIMER,					//IOTIMER
+	HS_IOCTL_SYSK_OPERIOTIMER,				//IOTIMERÇÐ»»
+	HS_IOCTL_SYSK_REMOVEIOTIMER,			//IOTIMERÉ¾³ý
+	HS_IOCTL_SYSK_CALLBACKLIST,				//ÏµÍ³»Øµ÷£ºÇý¶¯¼ÓÔØ
+	HS_IOCTL_SYSK_REMOVECALLBACK,			//É¾³ýÏµÍ³»Øµ÷
+	HS_IOCTL_SYSK_DPCTIMER,					//DPCTimer
+	HS_IOCTL_SYSK_REMOVEDPCTIMER,			//DPCTimerÉ¾³ý
+	HS_IOCTL_SYSK_FILTERDRIVER,				//¹ýÂËÇý¶¯
+	HS_IOCTL_SYSK_FILTERUNLOAD,				//Ð¶ÔØ¹ýÂËÇý¶¯
+};
+
+
+#define HS_IOCTL(i)			 \
+	CTL_CODE                 \
+	(                        \
+	FILE_DEVICE_UNKNOWN,     \
+	i,						 \
+	METHOD_BUFFERED,         \
+	FILE_ANY_ACCESS          \
+	)
+
+// HS_IOCTL(HS_IOCTL_PROC_PROCESSLIST)
+
+
+
+
+typedef 
+NTSTATUS 
+(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
+
+typedef enum WIN_VERSION {
+	WINDOWS_UNKNOW,
+	WINDOWS_XP,
+	WINDOWS_7,
+	WINDOWS_8,
+	WINDOWS_8_1
+} WIN_VERSION;
+
+WIN_VERSION HsGetWindowsVersion();
+
+
+
+
+
+//////////////////////////////////////////////////////////////////////////
+///×Ô¶¨Òåº¯Êý
+//////////////////////////////////////////////////////////////////////////
+
+
+//Í¨¹ý º¯ÊýÃû³Æ µÃµ½º¯ÊýµØÖ·
+PVOID 
+HsGetFunctionAddressByName(WCHAR *szFunction);
+
+NTSTATUS HsSafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG SrcSize);
+
+VOID HsWcharToChar(WCHAR *wzFuncName,CHAR *szFuncName);
+
+
+CHAR HsChangePreMode(PETHREAD EThread);
+VOID HsRecoverPreMode(PETHREAD EThread, CHAR PreMode);
+
+extern NTSTATUS PsLookupProcessByProcessId(PVOID ProcessID, PEPROCESS *Process);
+
+BOOLEAN HsIsUnicodeStringValid(PUNICODE_STRING uniString);
\ No newline at end of file
diff --git a/arkProject/ReadMe.md b/arkProject/ReadMe.md
new file mode 100644
index 0000000..66b5f03
--- /dev/null
+++ b/arkProject/ReadMe.md
@@ -0,0 +1,34 @@
+#Ark¹¤¾ß  ¡ª¡ª¡ª¡ª HeavenShadow
+
+##¹ØÓÚ
+WindowsÏÂÀàËÆÓÚPCHunterµÄark¹¤¾ß
+
+##ÎÄ¼þ½á¹¹
+* bin - ¿ÉÖ´ÐÐÎÄ¼þ
+* HeavenShadow - Ó¦ÓÃ²ãÎÄ¼þ
+* HeavenShadowDrv - Çý¶¯ÎÄ¼þ
+
+##ÊµÏÖ¹¦ÄÜ
+* ÄÚºË¼¶½ø³Ì£¬Ïß³Ì£¬ÄÚ´æ£¬Ä£¿é£¬´°¿Ú¹ÜÀíÓë×¢Èë¹¦ÄÜ
+* ÄÚºËÄ£¿éµÄ¹ÜÀí
+* SSDTÓëShadowSSDTµÄhookÓëinline hook¼ì²â
+* ¹Ø¼üÄÚºËÄ£¿éµÄIAT,EATµÄhook¼ì²â
+* ÏµÍ³IoTimer,DpcTimerºÍÄÚºËÀÍÎñÏß³ÌµÄ¹ÜÀí
+* ÏµÍ³ÄÚºË»Øµ÷µÄ¹ÜÀí£¬ÀýÈçCreateProcess¡¢LoadImage¡¢CreateThreadµÈµÈ
+
+##¿ª·¢»·¾³
+* Visual Studio 2010 + WDK 7600
+
+##²âÊÔ»·¾³
+* ±¾»ú£ºWindows7 x64 Ultimate SP1
+* ÐéÄâ»ú£ºVMWare + Windows7 x64 Ultimate SP1 / Windows XP SP3
+
+##²Î¿¼×ÊÁÏ
+* ¡¶WindowsÄÚºËÇé¾°·ÖÎö¡·
+* ¡¶WindowsPEÈ¨ÍþÖ¸ÄÏ¡·
+* ¡¶¼ÓÃÜÓë½âÃÜ¡·
+* ¡¶WindowsÄÚºËÔ­Àí¼°ÊµÏÖ¡·
+* ¡¶ÉîÈë½âÎöWindows²Ù×÷ÏµÍ³¡·
+*  [Windows x64Çý¶¯×ÊÁÏ](http://bbs.pediy.com/showthread.php?t=187348)
+*  [BlackBone](https://github.com/DarthTon/Blackbone)
+*  wrk-v1.2Ô´Âë
\ No newline at end of file
diff --git a/arkProject/bin/HeavenShadow.exe b/arkProject/bin/HeavenShadow.exe
new file mode 100644
index 0000000..015c52a
Binary files /dev/null and b/arkProject/bin/HeavenShadow.exe differ
diff --git a/arkProject/bin/injectdll32.exe b/arkProject/bin/injectdll32.exe
new file mode 100644
index 0000000..9cc0909
Binary files /dev/null and b/arkProject/bin/injectdll32.exe differ
diff --git a/arkProject/bin/injectdll64.exe b/arkProject/bin/injectdll64.exe
new file mode 100644
index 0000000..975f1e1
Binary files /dev/null and b/arkProject/bin/injectdll64.exe differ
diff --git a/arkProject/bin/sys/x64/HeavenShadowDrv.sys b/arkProject/bin/sys/x64/HeavenShadowDrv.sys
new file mode 100644
index 0000000..9784231
Binary files /dev/null and b/arkProject/bin/sys/x64/HeavenShadowDrv.sys differ