From 2ad278255d5b1149cd6ad7b46c3129178568fcbd Mon Sep 17 00:00:00 2001
From: Akash Mozumdar
Date: Tue, 11 Sep 2018 13:23:10 -0400
Subject: [PATCH] bugfixes, and remove ntdll for good

---
 vnrhook/CMakeLists.txt     |    1 -
 vnrhook/engine/engine.cc   |   99 +-
 vnrhook/engine/match.cc    |   15 +-
 vnrhook/util/ntdll/ntdll.h | 4340 ------------------------------------
 vnrhook/util/util.cc       |    2 +-
 5 files changed, 23 insertions(+), 4434 deletions(-)
 delete mode 100644 vnrhook/util/ntdll/ntdll.h

diff --git a/vnrhook/CMakeLists.txt b/vnrhook/CMakeLists.txt
index e2bf28a..d3f2fe9 100644
--- a/vnrhook/CMakeLists.txt
+++ b/vnrhook/CMakeLists.txt
@@ -46,7 +46,6 @@ target_compile_options(vnrhook PRIVATE
 )
 set(vnrhook_libs
-    ntdll.lib
     Version.lib
     minhook
 )
diff --git a/vnrhook/engine/engine.cc b/vnrhook/engine/engine.cc
index 032829e..5acace4 100644
--- a/vnrhook/engine/engine.cc
+++ b/vnrhook/engine/engine.cc
@@ -8,7 +8,6 @@
 #endif // _MSC_VER
 #include "engine/engine.h"
-#include "ntdll/ntdll.h"
 #include "engine/match.h"
 #include "util/util.h"
 #include "main.h"
@@ -5763,11 +5762,10 @@ int GetShinaRioVersion()
   }
   if (hFile != INVALID_HANDLE_VALUE) {
-    IO_STATUS_BLOCK ios;
     //char *buffer,*version;//,*ptr;
     enum { BufferSize = 0x40 };
     char buffer[BufferSize];
-    ReadFile(hFile, buffer, BufferSize, nullptr, nullptr);
+    ReadFile(hFile, buffer, BufferSize, (DWORD*)buffer, nullptr);
     CloseHandle(hFile);
     if (buffer[0] == '[') {
       buffer[0x3f] = 0; // jichi 8/24/2013: prevent strstr from overflow
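Review bot: Passing `(DWORD*)buffer` as ReadFile's lpNumberOfBytesRead aliases the count with the data buffer, so once the read completes the stored byte count overwrites the first four bytes of the file contents, and the `buffer[0] == '['` test that follows compares against the count rather than the file. The old `nullptr, nullptr` call was itself invalid for a synchronous handle (the count pointer may only be null when an OVERLAPPED is supplied), so the intent is right but the count needs its own local: `DWORD bytesRead = 0;` / `ReadFile(hFile, buffer, BufferSize, &bytesRead, nullptr);`. Since `buffer` is otherwise uninitialized, the `'['` check should also be gated on `bytesRead > 0` so a failed or empty read is not parsed. GetShinaRioVersion begins before this hunk and continues past it.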
@@ -8842,33 +8840,7 @@ AkabeiSoft2Try hook:
 ********************************************************************************************/
 namespace { // unnamed
-MEMORY_WORKING_SET_LIST *GetWorkingSet()
-{
-  DWORD len,retl;
-  NTSTATUS status;
-  LPVOID buffer = 0;
-  len = 0x4000;
-  status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
-  if (!NT_SUCCESS(status)) return 0;
-  status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
-  if (status == STATUS_INFO_LENGTH_MISMATCH) {
-    len = *(DWORD*)buffer;
-    len = ((len << 2) & 0xfffff000) + 0x4000;
-    retl = 0;
-    NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
-    buffer = 0;
-    status = NtAllocateVirtualMemory(GetCurrentProcess(), &buffer, 0, &len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
-    if (!NT_SUCCESS(status)) return 0;
-    status = NtQueryVirtualMemory(GetCurrentProcess(), 0, MemoryWorkingSetList, buffer, len, &retl);
-    if (!NT_SUCCESS(status)) return 0;
-    return (MEMORY_WORKING_SET_LIST*)buffer;
-  } else {
-    retl = 0;
-    NtFreeVirtualMemory(GetCurrentProcess(), &buffer, &retl, MEM_RELEASE);
-    return 0;
-  }
-}
 typedef struct _NSTRING
 {
   PVOID vfTable;
@@ -8897,67 +8869,32 @@ void SpecialHookAB2Try(DWORD esp_base, HookParam *, BYTE, DWORD *data, DWORD *sp
   }
 }
-BOOL FindCharacteristInstruction(MEMORY_WORKING_SET_LIST *list)
+BOOL FindCharacteristInstruction()
 {
-  DWORD base, size;
-  DWORD i, j, k, addr, retl;
-  NTSTATUS status;
-  ::qsort(&list->WorkingSetList, list->NumberOfPages, 4, cmp);
-  base = list->WorkingSetList[0];
-  size = 0x1000;
-  for (i = 1; i < list->NumberOfPages; i++) {
-    if ((list->WorkingSetList[i] & 2) == 0)
-      continue;
-    if (list->WorkingSetList[i] >> 31)
-      break;
-    if (base + size == list->WorkingSetList[i])
-      size += 0x1000;
-    else {
-      if (size > 0x2000) {
-        addr = base & ~0xfff;
-        status = NtQueryVirtualMemory(GetCurrentProcess(),(PVOID)addr,
-            MemorySectionName,text_buffer_prev,0x1000,&retl);
-        if (!NT_SUCCESS(status)) {
-          k = addr + size - 4;
-          for (j = addr; j < k; j++) {
-            if (*(DWORD*)j == 0x5044b70f) {
-              if (*(WORD*)(j + 4) == 0x890c) { // movzx eax, word ptr [edx*2 + eax + 0xC]; wchar = string[i];
-                HookParam hp = {};
-                hp.address = j;
-                hp.text_fun = SpecialHookAB2Try;
-                hp.type = USING_STRING|NO_CONTEXT|USING_UNICODE;
-                ConsoleOutput("vnreng: INSERT AB2Try");
-                NewHook(hp, "AB2Try");
-                //ConsoleOutput("Please adjust text speed to fastest/immediate.");
-                //RegisterEngineType(ENGINE_AB2T);
-                return TRUE;
-              }
-            }
-          }
-        }
-      }
-      size = 0x1000;
-      base = list->WorkingSetList[i];
-    }
-  }
+  const BYTE bytes[] = { 0x0F, 0xB7, 0x44, 0x50, 0x0C, 0x89 };
+  if (DWORD addr = Util::SearchMemory(bytes, sizeof(bytes), PAGE_EXECUTE_READWRITE))
+  {
+    //GROWL_DWORD(addr);
+    HookParam hp = {};
+    hp.address = addr;
+    hp.text_fun = SpecialHookAB2Try;
+    hp.type = USING_STRING | NO_CONTEXT | USING_UNICODE;
+    ConsoleOutput("vnreng: INSERT AB2Try");
+    NewHook(hp, "AB2Try");
+    //ConsoleOutput("Please adjust text speed to fastest/immediate.");
+    //RegisterEngineType(ENGINE_AB2T);
+    return TRUE;
+  }
   return FALSE;
 }
 } // unnamed namespace
 bool InsertAB2TryHook()
 {
-  MEMORY_WORKING_SET_LIST *list = GetWorkingSet();
-  if (!list) {
-    ConsoleOutput("vnreng:AB2Try: cannot find working list");
-    return false;
-  }
-  bool ret = FindCharacteristInstruction(list);
+  bool ret = FindCharacteristInstruction();
   if (ret)
     ConsoleOutput("vnreng:AB2Try: found characteristic sequence");
   else
-    ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence");
-      //L"Make sure you have start the game and have seen some text on the screen.");
-  DWORD size = 0;
-  NtFreeVirtualMemory(GetCurrentProcess(), (PVOID *)&list, &size, MEM_RELEASE);
+    ConsoleOutput("vnreng:AB2Try: cannot find characteristic sequence. Make sure you have start the game and have seen some text on the screen.");
   return ret;
 }
diff --git a/vnrhook/engine/match.cc b/vnrhook/engine/match.cc
index 413d43d..16eb10b 100644
--- a/vnrhook/engine/match.cc
+++ b/vnrhook/engine/match.cc
@@ -87,7 +87,7 @@ bool DeterminePCEngine()
   PcHooks::hookGDIPlusFunctions();
   const char check[] = "sdffffffkjldfjlhjweiumxnvq1204tergdmnxcq1111111111111111111111408t03kxjb40";
   __try { Util::SearchMemory((const BYTE*)check, sizeof(check)); } // Not too sure about the stability of this guy
-  __except (1) { ConsoleOutput("NextHooker threw while searching memory (NextHooker will likely still work fine, but please let Artikash know this happened!)"); }
+  __except (1) { ConsoleOutput("NextHooker: SearchMemory ERROR (NextHooker will likely still work fine, but please let Artikash know if this happens a lot!)"); }
   return false;
 }
@@ -489,13 +489,6 @@ bool DetermineEngineByProcessName()
     return true;
   }
-  // jichi 10/3/2013: FIXME: Does not work
-  // Raise C0000005 even with admin priv
-  //if (wcsstr(str, L"bsz")) { // BALDRSKY ZERO
-  //  InsertBaldrHook();
-  //  return true;
-  //}
-
   if (wcsstr(processName, L"SAISYS") || Util::CheckFile(L"SaiSys.exe")) { // jichi 4/19/2014: Marine Heart
     InsertMarineHeartHook();
     return true;
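Review bot: `Util::SearchMemory` is called here with no SEH guard, while the match.cc hunk in this same commit wraps the identical call in `__try`/`__except` with the comment `// Not too sure about the stability of this guy`; if that concern is real, InsertAB2TryHook now carries the crash risk that wrapper was added to contain, so either guard this call the same way or document why this scan is considered safe. The removed loop only examined ranges for which the MemorySectionName query failed, whereas the replacement filters by `PAGE_EXECUTE_READWRITE`, presumably aiming at the same non-image memory; a one-line comment above the search such as `// only RWX pages: the old working-set scan likewise skipped section-backed (image) ranges` would preserve that reasoning. The new failure message also reads "have start the game"; "have started" while the string is being edited anyway. FindCharacteristInstruction and InsertAB2TryHook both lie entirely within this hunk.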
@@ -558,8 +551,8 @@ bool DetermineEngineOther()
     return true;
   }
-  // Artikash 7/16/2018: Uses libuv: likely Tyranobuilder - sample game https://vndb.org/v22975
-  if (GetProcAddress(GetModuleHandleW(nullptr), "uv_uptime"))
+  // Artikash 7/16/2018: Uses node/libuv: likely Tyranobuilder - sample game https://vndb.org/v22975
+  if (GetProcAddress(GetModuleHandleW(nullptr), "uv_uptime") || GetModuleHandleW(L"node.dll"))
   {
     InsertTyranobuilderHook();
     return true;
@@ -850,7 +843,7 @@ bool UnsafeDetermineEngineType()
     || DetermineEngineByProcessName()
     || DetermineEngineOther()
     || DetermineEngineAtLast()
-    //|| DetermineEngineGeneric()
+    || DetermineEngineGeneric()
     || DetermineNoEngine()
     ;
 }
diff --git a/vnrhook/util/ntdll/ntdll.h b/vnrhook/util/ntdll/ntdll.h
deleted file mode 100644
index e6b2aeb..0000000
--- a/vnrhook/util/ntdll/ntdll.h
+++ /dev/null
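Review bot: `GetModuleHandleW(L"node.dll")` is true for any process with node.dll loaded, so the widened condition will presumably classify Node/Electron-hosted games that are not Tyranobuilder as Tyranobuilder too. If that is intended because the hook works on any node-based host, the updated comment should say so rather than only "likely Tyranobuilder", e.g. `// Artikash 7/16/2018: uses node/libuv (uv_uptime export or node.dll) - treated as Tyranobuilder; sample game https://vndb.org/v22975`; otherwise pair the module check with a Tyranobuilder-specific signal. DetermineEngineOther begins before this hunk and continues past it.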
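Review bot: `DetermineEngineGeneric()` is re-enabled without a comment on why it was previously disabled or what changed to make it safe, and the commit description ("bugfixes") does not say either. Since it now runs on every process that no earlier detector claims, a short note on the line such as `|| DetermineEngineGeneric() // re-enabled <DATE>: was disabled because <REASON>, fixed by <CHANGE>` would tell the next reader whether a regression here should be addressed by disabling it again. UnsafeDetermineEngineType begins before this hunk.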
@@ -1,4340 +0,0 @@ -//#pragma once -#ifndef NTDLL_H -#define NTDLL_H - -// ntdll.h 10/14/2011 - -/* Artikash 7/13/2018: WHERE THE FUCK DID THIS FILE COME FROM? -Redefines a bunch of stuff in the standard windows headers (especially winnt.h) but has additional information that isn't documented anywhere else I can find. -It's like someone stole this file from Microsoft's internal database of windows source code?? */ - -#include - -#ifdef _MSC_VER -# pragma warning(disable:4005) // C4005: macro redefinition -# pragma warning(disable:4200) // C4200: nonstandard extension used : zero-sized array in struct/union -# pragma warning(disable:4010) // C4010: single-line comment contains line-continuation character -# pragma warning(disable:4996) // C4996: unsafe function or variable used such as swprintf, wcscpy; alternatively use __CRT_SECURE_NO_WARNINGS -#endif // _MSC_VER - -#define NT_INCLUDED -#define _NTDEF_ -#define _CTYPE_DISABLE_MACROS - -// Remove official macros from WSDK -#undef STATUS_WAIT_0 -#undef STATUS_ABANDONED_WAIT_0 -#undef STATUS_USER_APC -#undef STATUS_TIMEOUT -#undef STATUS_PENDING -#undef DBG_CONTINUE -#undef STATUS_SEGMENT_NOTIFICATION -#undef DBG_TERMINATE_THREAD -#undef DBG_TERMINATE_PROCESS -#undef DBG_CONTROL_C -#undef DBG_CONTROL_BREAK -#undef STATUS_GUARD_PAGE_VIOLATION -#undef STATUS_DATATYPE_MISALIGNMENT -#undef STATUS_BREAKPOINT -#undef STATUS_SINGLE_STEP -#undef DBG_EXCEPTION_NOT_HANDLED -#undef STATUS_ACCESS_VIOLATION -#undef STATUS_IN_PAGE_ERROR -#undef STATUS_INVALID_HANDLE -#undef STATUS_NO_MEMORY -#undef STATUS_ILLEGAL_INSTRUCTION -#undef STATUS_NONCONTINUABLE_EXCEPTION -#undef STATUS_INVALID_DISPOSITION -#undef STATUS_ARRAY_BOUNDS_EXCEEDED -#undef STATUS_FLOAT_DENORMAL_OPERAND -#undef STATUS_FLOAT_DIVIDE_BY_ZERO -#undef STATUS_FLOAT_INEXACT_RESULT -#undef STATUS_FLOAT_INVALID_OPERATION -#undef STATUS_FLOAT_OVERFLOW -#undef STATUS_FLOAT_STACK_CHECK -#undef STATUS_FLOAT_UNDERFLOW -#undef STATUS_INTEGER_DIVIDE_BY_ZERO -#undef 
STATUS_INTEGER_OVERFLOW -#undef STATUS_PRIVILEGED_INSTRUCTION -#undef STATUS_STACK_OVERFLOW -#undef STATUS_CONTROL_C_EXIT -#undef STATUS_FLOAT_MULTIPLE_FAULTS -#undef STATUS_FLOAT_MULTIPLE_TRAPS -#undef STATUS_ILLEGAL_VLM_REFERENCE -#undef STATUS_REG_NAT_CONSUMPTION -#undef DBG_EXCEPTION_HANDLED - -#include - -#if (_MSC_VER >= 800) || defined(_STDCALL_SUPPORTED) -# define NTAPI __stdcall -#else -# define _cdecl -# define NTAPI -#endif // STDCALL - -#ifdef __cplusplus -extern "C" { -#endif // __cplusplus - -// - Macros - - -#define MAXIMUM_FILENAME_LENGTH 256 -#define PORT_MAXIMUM_MESSAGE_LENGTH 256 -#define INITIAL_PRIVILEGE_COUNT 3 - -#define FSCTL_GET_VOLUME_INFORMATION 0x90064 - -// Constants for RtlDetermineDosPathNameType_U -#define DOS_PATHTYPE_UNC 0x00000001 // \\COMPUTER1 -#define DOS_PATHTYPE_ROOTDRIVE 0x00000002 // C:\ -#define DOS_PATHTYPE_STREAM 0x00000003 // X:X or C: -#define DOS_PATHTYPE_NT 0x00000004 // \\??\\C: -#define DOS_PATHTYPE_NAME 0x00000005 // C -#define DOS_PATHTYPE_DEVICE 0x00000006 // \\.\C: -#define DOS_PATHTYPE_LOCALUNCROOT 0x00000007 // \\. 
- -// Define the various device characteristics flags -#define FILE_REMOVABLE_MEDIA 0x00000001 -#define FILE_READ_ONLY_DEVICE 0x00000002 -#define FILE_FLOPPY_DISKETTE 0x00000004 -#define FILE_WRITE_ONCE_MEDIA 0x00000008 -#define FILE_REMOTE_DEVICE 0x00000010 -#define FILE_DEVICE_IS_MOUNTED 0x00000020 -#define FILE_VIRTUAL_VOLUME 0x00000040 -#define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080 -#define FILE_DEVICE_SECURE_OPEN 0x00000100 - -#define FILE_SUPERSEDE 0x00000000 -#define FILE_OPEN 0x00000001 -#define FILE_CREATE 0x00000002 -#define FILE_OPEN_IF 0x00000003 -#define FILE_OVERWRITE 0x00000004 -#define FILE_OVERWRITE_IF 0x00000005 -#define FILE_MAXIMUM_DISPOSITION 0x00000005 - -#define FILE_DIRECTORY_FILE 0x00000001 -#define FILE_WRITE_THROUGH 0x00000002 -#define FILE_SEQUENTIAL_ONLY 0x00000004 -#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 - -#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 -#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 -#define FILE_NON_DIRECTORY_FILE 0x00000040 -#define FILE_CREATE_TREE_CONNECTION 0x00000080 - -#define FILE_COMPLETE_IF_OPLOCKED 0x00000100 -#define FILE_NO_EA_KNOWLEDGE 0x00000200 -#define FILE_OPEN_FOR_RECOVERY 0x00000400 -#define FILE_RANDOM_ACCESS 0x00000800 - -#define FILE_DELETE_ON_CLOSE 0x00001000 -#define FILE_OPEN_BY_FILE_ID 0x00002000 -#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 -#define FILE_NO_COMPRESSION 0x00008000 - -#define FILE_RESERVE_OPFILTER 0x00100000 -#define FILE_OPEN_REPARSE_POINT 0x00200000 -#define FILE_OPEN_NO_RECALL 0x00400000 -#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 - -#define FILE_COPY_STRUCTURED_STORAGE 0x00000041 -#define FILE_STRUCTURED_STORAGE 0x00000441 - -#define FILE_VALID_OPTION_FLAGS 0x00ffffff -#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 -#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 -#define FILE_VALID_SET_FLAGS 0x00000036 - -// Thread states -#define THREAD_STATE_INITIALIZED 0 -#define THREAD_STATE_READY 1 -#define THREAD_STATE_RUNNING 2 -#define 
THREAD_STATE_STANDBY 3 -#define THREAD_STATE_TERMINATED 4 -#define THREAD_STATE_WAIT 5 -#define THREAD_STATE_TRANSITION 6 -#define THREAD_STATE_UNKNOWN 7 - -// Object types -#define OB_TYPE_TYPE 1 -#define OB_TYPE_DIRECTORY 2 -#define OB_TYPE_SYMBOLIC_LINK 3 -#define OB_TYPE_TOKEN 4 -#define OB_TYPE_PROCESS 5 -#define OB_TYPE_THREAD 6 -#define OB_TYPE_EVENT 7 -#define OB_TYPE_EVENT_PAIR 8 -#define OB_TYPE_MUTANT 9 -#define OB_TYPE_SEMAPHORE 10 -#define OB_TYPE_TIMER 11 -#define OB_TYPE_PROFILE 12 -#define OB_TYPE_WINDOW_STATION 13 -#define OB_TYPE_DESKTOP 14 -#define OB_TYPE_SECTION 15 -#define OB_TYPE_KEY 16 -#define OB_TYPE_PORT 17 -#define OB_TYPE_ADAPTER 18 -#define OB_TYPE_CONTROLLER 19 -#define OB_TYPE_DEVICE 20 -#define OB_TYPE_DRIVER 21 -#define OB_TYPE_IO_COMPLETION 22 -#define OB_TYPE_FILE 23 - -#define OBJ_INHERIT 0x00000002 -#define OBJ_PERMANENT 0x00000010 -#define OBJ_EXCLUSIVE 0x00000020 -#define OBJ_CASE_INSENSITIVE 0x00000040 -#define OBJ_OPENIF 0x00000080 -#define OBJ_OPENLINK 0x00000100 -#define OBJ_VALID_ATTRIBUTES 0x000001F2 - -// Object Manager Directory Specific Access Rights. -#define DIRECTORY_QUERY 0x0001 -#define DIRECTORY_TRAVERSE 0x0002 -#define DIRECTORY_CREATE_OBJECT 0x0004 -#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 -#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF) - -// Object Manager Symbolic Link Specific Access Rights. 
-#define SYMBOLIC_LINK_QUERY 0x0001 -#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) - -#define NT_SUCCESS(Status) ((LONG)(Status) >= 0) -#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3) - -#define DEVICE_TYPE DWORD - -// Values for RtlAdjustPrivilege -#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) -#define SE_CREATE_TOKEN_PRIVILEGE (2L) -#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) -#define SE_LOCK_MEMORY_PRIVILEGE (4L) -#define SE_INCREASE_QUOTA_PRIVILEGE (5L) -#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L) // obsolete and unused -#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) -#define SE_TCB_PRIVILEGE (7L) -#define SE_SECURITY_PRIVILEGE (8L) -#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) -#define SE_LOAD_DRIVER_PRIVILEGE (10L) -#define SE_PROFILE_PRIVILEGE (11L) -#define SE_SYSTEMTIME_PRIVILEGE (12L) -#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) -#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) -#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) -#define SE_CREATE_PERMANENT_PRIVILEGE (16L) -#define SE_BACKUP_PRIVILEGE (17L) -#define SE_RESTORE_PRIVILEGE (18L) -#define SE_SHUTDOWN_PRIVILEGE (19L) -#define SE_DEBUG_PRIVILEGE (20L) -#define SE_AUDIT_PRIVILEGE (21L) -#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) -#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) -#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) -#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_REMOTE_SHUTDOWN_PRIVILEGE) - -#define VdmDirectoryFile 6 - -#define InitializeObjectAttributes( p, n, a, r, s ) { \ - (p)->uLength = sizeof( OBJECT_ATTRIBUTES ); \ - (p)->hRootDirectory = r; \ - (p)->uAttributes = a; \ - (p)->pObjectName = n; \ - (p)->pSecurityDescriptor = s; \ - (p)->pSecurityQualityOfService = NULL; \ -} - -// - Basic Types - - -typedef LONG NTSTATUS; -//lint -e624 // Don't complain about different typedefs. -// -typedef NTSTATUS *PNTSTATUS; -//lint +e624 // Resume checking for different typedefs. 
- -typedef NTSTATUS (NTAPI *NTSYSCALL)(); -typedef NTSYSCALL *PNTSYSCALL; - -typedef ULONG KAFFINITY; -typedef KAFFINITY *PKAFFINITY; -typedef LONG KPRIORITY; - -typedef BYTE KPROCESSOR_MODE; - -// - Structures - - -typedef VOID *POBJECT; -typedef VOID (*PKNORMAL_ROUTINE) ( - __in PVOID NormalContext, - __in PVOID SystemArgument1, - __in PVOID SystemArgument2 -); - -typedef struct _STRING -{ - USHORT Length; - USHORT MaximumLength; -#ifdef MIDL_PASS - [ size_is(MaximumLength), length_is(Length) ] -#endif // MIDL_PASS - PCHAR Buffer; -} STRING, *PSTRING; - -typedef STRING ANSI_STRING; -typedef PSTRING PANSI_STRING; - -typedef STRING OEM_STRING; -typedef PSTRING POEM_STRING; - - -typedef struct _UNICODE_STRING -{ - USHORT Length; - USHORT MaximumLength; - PWSTR Buffer; -} UNICODE_STRING, *PUNICODE_STRING; - -// - APIs - - -NTSYSAPI -NTSTATUS -NTAPI -RtlUnicodeStringToAnsiString( - PANSI_STRING DestinationString, - PUNICODE_STRING SourceString, - BOOLEAN AllocateDestinationString -); - -typedef struct _HARDWARE_PTE -{ - ULONG Valid : 1; - ULONG Write : 1; - ULONG Owner : 1; - ULONG WriteThrough : 1; - ULONG CacheDisable : 1; - ULONG Accessed : 1; - ULONG Dirty : 1; - ULONG LargePage : 1; - ULONG Global : 1; - ULONG CopyOnWrite : 1; - ULONG Prototype : 1; - ULONG reserved : 1; - ULONG PageFrameNumber : 20; -} HARDWARE_PTE, *PHARDWARE_PTE; - -typedef struct _OBJECT_ATTRIBUTES -{ - ULONG uLength; - HANDLE hRootDirectory; - PUNICODE_STRING pObjectName; - ULONG uAttributes; - PVOID pSecurityDescriptor; - PVOID pSecurityQualityOfService; -} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; - -typedef struct _CLIENT_ID -{ - DWORD UniqueProcess; - DWORD UniqueThread; -} CLIENT_ID, *PCLIENT_ID; - -typedef struct _PEB_FREE_BLOCK -{ - struct _PEB_FREE_BLOCK *Next; - ULONG Size; -} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; - -typedef struct _CURDIR -{ - UNICODE_STRING DosPath; - HANDLE Handle; -} CURDIR, *PCURDIR; - -typedef struct _RTL_DRIVE_LETTER_CURDIR -{ - WORD Flags; - WORD Length; - DWORD 
TimeStamp; - STRING DosPath; -} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; - -#define PROCESS_PARAMETERS_NORMALIZED 1 // pointers in are absolute (not self-relative) - -typedef struct _PROCESS_PARAMETERS -{ - ULONG MaximumLength; - ULONG Length; - ULONG Flags; // PROCESS_PARAMETERS_NORMALIZED - ULONG DebugFlags; - HANDLE ConsoleHandle; - ULONG ConsoleFlags; - HANDLE StandardInput; - HANDLE StandardOutput; - HANDLE StandardError; - CURDIR CurrentDirectory; - UNICODE_STRING DllPath; - UNICODE_STRING ImagePathName; - UNICODE_STRING CommandLine; - PWSTR Environment; - ULONG StartingX; - ULONG StartingY; - ULONG CountX; - ULONG CountY; - ULONG ountCharsX; - ULONG CountCharsY; - ULONG FillAttribute; - ULONG WindowFlags; - ULONG ShowWindowFlags; - UNICODE_STRING WindowTitle; - UNICODE_STRING Desktop; - UNICODE_STRING ShellInfo; - UNICODE_STRING RuntimeInfo; - RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; -} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS; - -typedef struct _RTL_BITMAP -{ - DWORD SizeOfBitMap; - PDWORD Buffer; -} RTL_BITMAP, *PRTL_BITMAP, **PPRTL_BITMAP; - -#define LDR_STATIC_LINK 0x0000002 -#define LDR_IMAGE_DLL 0x0000004 -#define LDR_LOAD_IN_PROGRESS 0x0001000 -#define LDR_UNLOAD_IN_PROGRESS 0x0002000 -#define LDR_ENTRY_PROCESSED 0x0004000 -#define LDR_ENTRY_INSERTED 0x0008000 -#define LDR_CURRENT_LOAD 0x0010000 -#define LDR_FAILED_BUILTIN_LOAD 0x0020000 -#define LDR_DONT_CALL_FOR_THREADS 0x0040000 -#define LDR_PROCESS_ATTACH_CALLED 0x0080000 -#define LDR_DEBUG_SYMBOLS_LOADED 0x0100000 -#define LDR_IMAGE_NOT_AT_BASE 0x0200000 -#define LDR_WX86_IGNORE_MACHINETYPE 0x0400000 - -typedef struct _LDR_DATA_TABLE_ENTRY -{ - LIST_ENTRY InLoadOrderModuleList; - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; // in bytes - UNICODE_STRING FullDllName; - UNICODE_STRING BaseDllName; - ULONG Flags; // LDR_* - USHORT LoadCount; - USHORT TlsIndex; - LIST_ENTRY HashLinks; - 
PVOID SectionPointer; - ULONG CheckSum; - ULONG TimeDateStamp; -//PVOID LoadedImports; // seems they are exist only on XP !!! -//PVOID EntryPointActivationContext; // the same as above -} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; - -// See: http://en.wikipedia.org/wiki/Process_Environment_Block -typedef struct _PEB_LDR_DATA -{ - ULONG Length; // 0 - BOOLEAN Initialized; // 4 - PVOID SsHandle; // 8? - LIST_ENTRY InLoadOrderModuleList; // C, ref. to PLDR_DATA_TABLE_ENTRY->InLoadOrderModuleList - LIST_ENTRY InMemoryOrderModuleList; // 14, ref. to PLDR_DATA_TABLE_ENTRY->InMemoryOrderModuleList - LIST_ENTRY InInitializationOrderModuleList; // 1C, ref. to PLDR_DATA_TABLE_ENTRY->InInitializationOrderModuleList -} PEB_LDR_DATA, *PPEB_LDR_DATA; - -typedef VOID NTSYSAPI (*PPEBLOCKROUTINE)(PVOID); - -typedef struct _SYSTEM_STRINGS -{ - UNICODE_STRING SystemRoot; // C:\WINNT - UNICODE_STRING System32Root; // C:\WINNT\System32 - UNICODE_STRING BaseNamedObjects; // \BaseNamedObjects -} SYSTEM_STRINGS,*PSYSTEM_STRINGS; - -typedef struct _TEXT_INFO -{ - PVOID Reserved; - PSYSTEM_STRINGS SystemStrings; -} TEXT_INFO, *PTEXT_INFO; - -// See: http://en.wikipedia.org/wiki/Process_Environment_Block -typedef struct _PEB -{ - UCHAR InheritedAddressSpace; // 0 - UCHAR ReadImageFileExecOptions; // 1 - UCHAR BeingDebugged; // 2 - BYTE b003; // 3 - PVOID Mutant; // 4 - PVOID ImageBaseAddress; // 8 - PPEB_LDR_DATA Ldr; // C - PPROCESS_PARAMETERS ProcessParameters; // 10 - PVOID SubSystemData; // 14 - PVOID ProcessHeap; // 18 - KSPIN_LOCK FastPebLock; // 1C - PPEBLOCKROUTINE FastPebLockRoutine; // 20 - PPEBLOCKROUTINE FastPebUnlockRoutine; // 24 - ULONG EnvironmentUpdateCount; // 28 - PVOID *KernelCallbackTable; // 2C - PVOID EventLogSection; // 30 - PVOID EventLog; // 34 - PPEB_FREE_BLOCK FreeList; // 38 - ULONG TlsExpansionCounter; // 3C - PRTL_BITMAP TlsBitmap; // 40 - ULONG TlsBitmapData[0x2]; // 44 - PVOID ReadOnlySharedMemoryBase; // 4C - PVOID ReadOnlySharedMemoryHeap; // 50 - 
PTEXT_INFO ReadOnlyStaticServerData; // 54 - PVOID InitAnsiCodePageData; // 58 - PVOID InitOemCodePageData; // 5C - PVOID InitUnicodeCaseTableData; // 60 - ULONG KeNumberProcessors; // 64 - ULONG NtGlobalFlag; // 68 - DWORD d6C; // 6C - LARGE_INTEGER MmCriticalSectionTimeout; // 70 - ULONG MmHeapSegmentReserve; // 78 - ULONG MmHeapSegmentCommit; // 7C - ULONG MmHeapDeCommitTotalFreeThreshold; // 80 - ULONG MmHeapDeCommitFreeBlockThreshold; // 84 - ULONG NumberOfHeaps; // 88 - ULONG AvailableHeaps; // 8C - PHANDLE ProcessHeapsListBuffer; // 90 - PVOID GdiSharedHandleTable; // 94 - PVOID ProcessStarterHelper; // 98 - PVOID GdiDCAttributeList; // 9C - KSPIN_LOCK LoaderLock; // A0 - ULONG NtMajorVersion; // A4 - ULONG NtMinorVersion; // A8 - USHORT NtBuildNumber; // AC - USHORT NtCSDVersion; // AE - ULONG PlatformId; // B0 - ULONG Subsystem; // B4 - ULONG MajorSubsystemVersion; // B8 - ULONG MinorSubsystemVersion; // BC - KAFFINITY AffinityMask; // C0 - ULONG GdiHandleBuffer[0x22]; // C4 - ULONG PostProcessInitRoutine; // 14C - ULONG TlsExpansionBitmap; // 150 - UCHAR TlsExpansionBitmapBits[0x80]; // 154 - ULONG SessionId; // 1D4 - ULARGE_INTEGER AppCompatFlags; // 1D8 - PWORD CSDVersion; // 1E0 -/* PVOID AppCompatInfo; // 1E4 - UNICODE_STRING usCSDVersion; - PVOID ActivationContextData; - PVOID ProcessAssemblyStorageMap; - PVOID SystemDefaultActivationContextData; - PVOID SystemAssemblyStorageMap; - ULONG MinimumStackCommit; */ -} PEB, *PPEB; - -typedef struct _PEB64 { - BYTE Reserved1[2]; - BYTE BeingDebugged; - BYTE Reserved2[21]; - PPEB_LDR_DATA Ldr; - PPROCESS_PARAMETERS ProcessParameters; - BYTE Reserved3[520]; - ULONG PostProcessInitRoutine; - BYTE Reserved4[136]; - ULONG SessionId; -} PEB64; - -typedef struct _TEB -{ - NT_TIB Tib; - PVOID EnvironmentPointer; - CLIENT_ID Cid; - PVOID ActiveRpcInfo; - PVOID ThreadLocalStoragePointer; - PPEB Peb; - ULONG LastErrorValue; - ULONG CountOfOwnedCriticalSections; - PVOID CsrClientThread; - PVOID Win32ThreadInfo; - ULONG 
Win32ClientInfo[0x1F]; - PVOID WOW32Reserved; - ULONG CurrentLocale; - ULONG FpSoftwareStatusRegister; - PVOID SystemReserved1[0x36]; - PVOID Spare1; - LONG ExceptionCode; - ULONG SpareBytes1[0x28]; - PVOID SystemReserved2[0xA]; - ULONG gdiRgn; - ULONG gdiPen; - ULONG gdiBrush; - CLIENT_ID RealClientId; - PVOID GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - PVOID GdiThreadLocaleInfo; - PVOID UserReserved[5]; - PVOID glDispatchTable[0x118]; - ULONG glReserved1[0x1A]; - PVOID glReserved2; - PVOID glSectionInfo; - PVOID glSection; - PVOID glTable; - PVOID glCurrentRC; - PVOID glContext; - NTSTATUS LastStatusValue; - UNICODE_STRING StaticUnicodeString; - WCHAR StaticUnicodeBuffer[0x105]; - PVOID DeallocationStack; - PVOID TlsSlots[0x40]; - LIST_ENTRY TlsLinks; - PVOID Vdm; - PVOID ReservedForNtRpc; - PVOID DbgSsReserved[0x2]; - ULONG HardErrorDisabled; - PVOID Instrumentation[0x10]; - PVOID WinSockData; - ULONG GdiBatchCount; - ULONG Spare2; - ULONG Spare3; - ULONG Spare4; - PVOID ReservedForOle; - ULONG WaitingOnLoaderLock; - PVOID StackCommit; - PVOID StackCommitMax; - PVOID StackReserve; -} TEB, *PTEB; - -typedef enum _POOL_TYPE -{ - NonPagedPool, - PagedPool, - NonPagedPoolMustSucceed, - DontUseThisType, - NonPagedPoolCacheAligned, - PagedPoolCacheAligned, - NonPagedPoolCacheAlignedMustS, - MaxPoolType -} POOL_TYPE, *PPOOL_TYPE; - -typedef enum _KWAIT_REASON -{ - Executive, - FreePage, - PageIn, - PoolAllocation, - DelayExecution, - Suspended, - UserRequest, - WrExecutive, - WrFreePage, - WrPageIn, - WrPoolAllocation, - WrDelayExecution, - WrSuspended, - WrUserRequest, - WrEventPair, - WrQueue, - WrLpcReceive, - WrLpcReply, - WrVirtualMemory, - WrPageOut, - WrRendezvous, - Spare2, - Spare3, - Spare4, - Spare5, - Spare6, - WrKernel, - MaximumWaitReason -} KWAIT_REASON, *PKWAIT_REASON; - -typedef struct _DISPATCHER_HEADER -{ - BYTE uType; //DO_TYPE_* - BYTE uAbsolute; - BYTE uSize; // number of DWORDs - BYTE uInserted; - LONG lSignalState; - 
LIST_ENTRY WaitListHead; -} DISPATCHER_HEADER, *PDISPATCHER_HEADER; - -typedef struct _KPROCESS -{ - DISPATCHER_HEADER Header; // DO_TYPE_PROCESS (0x1A) - LIST_ENTRY le10; - DWORD d18; - DWORD d1C; - DWORD d20; - DWORD d24; - DWORD d28; - DWORD d2C; - DWORD d30; - DWORD d34; - DWORD dKernelTime; // ticks - DWORD dUserTime; // ticks - LIST_ENTRY le40; - LIST_ENTRY OutSwapList; - LIST_ENTRY ThreadListHead; // KTHREAD.ThreadList - DWORD d58; - KAFFINITY AffinityMask; - WORD w60; - BYTE bBasePriority; - BYTE b63; - WORD w64; - BYTE b66; - BOOLEAN fPriorityBoost; -} KPROCESS, *PKPROCESS; - -typedef struct _PORT_MESSAGE -{ - USHORT DataSize; - USHORT MessageSize; - USHORT MessageType; - USHORT VirtualRangesOffset; - CLIENT_ID ClientId; - ULONG MessageId; - ULONG SectionSize; -//UCHAR Data[]; -} PORT_MESSAGE, *PPORT_MESSAGE; - -typedef struct _SERVICE_DESCRIPTOR_TABLE -{ - PNTSYSCALL ServiceTable; // array of entrypoints - PULONG puCounterTable; // array of counters - ULONG uTableSize; // number of table entries - PBYTE pbArgumentTable; // array of byte counts -} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE; - -typedef struct _KSEMAPHORE -{ - DISPATCHER_HEADER Header; - LONG lLimit; -} KSEMAPHORE, *PKSEMAPHORE; - -typedef struct _KTHREAD -{ - DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C) - LIST_ENTRY le010; - DWORD d018; - DWORD d01C; - PTEB pTeb; - DWORD d024; - DWORD d028; - BYTE b02C; - BYTE bThreadState; // THREAD_STATE_* - WORD w02E; - WORD w030; - BYTE b032; - BYTE bPriority; - LIST_ENTRY le034; - LIST_ENTRY le03C; - PKPROCESS pProcess; - DWORD d048; - DWORD dContextSwitches; - DWORD d050; - WORD w054; - BYTE b056; - BYTE bWaitReason; - DWORD d058; - PLIST_ENTRY ple05C; - PLIST_ENTRY ple060; - DWORD d064; - BYTE bBasePriority; - BYTE b069; - WORD w06A; - DWORD d06C; - DWORD d070; - DWORD d074; - DWORD d078; - DWORD d07C; - DWORD d080; - DWORD d084; - DWORD d088; - DWORD d08C; - DWORD d090; - DWORD d094; - DWORD d098; - DWORD d09C; - DWORD d0A0; - DWORD 
d0A4; - DWORD d0A8; - DWORD d0AC; - DWORD d0B0; - DWORD d0B4; - DWORD d0B8; - DWORD d0BC; - DWORD d0C0; - DWORD d0C4; - DWORD d0C8; - DWORD d0CC; - DWORD d0D0; - DWORD d0D4; - DWORD d0D8; - PSERVICE_DESCRIPTOR_TABLE pServiceDescriptorTable; - DWORD d0E0; - DWORD d0E4; - DWORD d0E8; - DWORD d0EC; - LIST_ENTRY le0F0; - DWORD d0F8; - DWORD d0FC; - DWORD d100; - DWORD d104; - DWORD d108; - DWORD d10C; - DWORD d110; - DWORD d114; - DWORD d118; - BYTE b11C; - BYTE b11D; - WORD w11E; - DWORD d120; - DWORD d124; - DWORD d128; - DWORD d12C; - DWORD d130; - WORD w134; - BYTE b136; - KPROCESSOR_MODE ProcessorMode; - DWORD dKernelTime; // ticks - DWORD dUserTime; // ticks - DWORD d140; - DWORD d144; - DWORD d148; - DWORD d14C; - DWORD d150; - DWORD d154; - DWORD d158; - DWORD d15C; - DWORD d160; - DWORD d164; - DWORD d168; - DWORD d16C; - DWORD d170; - PROC SuspendNop; - DWORD d178; - DWORD d17C; - DWORD d180; - DWORD d184; - DWORD d188; - DWORD d18C; - KSEMAPHORE SuspendSemaphore; - LIST_ENTRY ThreadList; // KPROCESS.ThreadListHead - DWORD d1AC; -} KTHREAD, *PKTHREAD; - -typedef struct _ETHREAD -{ - KTHREAD Tcb; - LARGE_INTEGER liCreateTime; - LARGE_INTEGER liExitTime; - NTSTATUS ExitStatus; - LIST_ENTRY PostBlockList; - LIST_ENTRY TerminationPortList; - ULONG uActiveTimerListLock; - LIST_ENTRY ActiveTimerListHead; - CLIENT_ID Cid; - KSEMAPHORE LpcReplySemaphore; - ULONG uLpcReplyMessage; - LARGE_INTEGER liLpcReplyMessageId; - ULONG uImpersonationInfo; - LIST_ENTRY IrpList; - LIST_ENTRY TopLevelIrp; - ULONG uReadClusterSize; - BOOLEAN fForwardClusterOnly; - BOOLEAN fDisablePageFaultClustering; - BOOLEAN fDeadThread; - BOOLEAN fHasTerminated; - ULONG uEventPair; - ULONG uGrantedAccess; - ULONG uThreadsProcess; - PVOID pStartAddress; - PVOID Win32StartAddress; - BOOLEAN fLpcExitThreadCalled; - BOOLEAN fHardErrorsAreDisabled; - WORD wUknown1; - DWORD dwUknown2; -} ETHREAD, *PETHREAD; - -typedef PETHREAD - ERESOURCE_THREAD, *PERESOURCE_THREAD; - -typedef struct _KEVENT -{ - 
DISPATCHER_HEADER Header; -} KEVENT, *PKEVENT; - -typedef struct _ERESOURCE_OLD -{ - LIST_ENTRY SystemResourcesList; - PERESOURCE_THREAD OwnerThreads; - PBYTE pbOwnerCounts; - WORD wTableSize; - WORD wActiveCount; - WORD wFlag; - WORD wTableRover; - BYTE bInitialOwnerCounts[4]; - ERESOURCE_THREAD InitialOwnerThreads[4]; - DWORD dwUknown1; - ULONG uContentionCount; - WORD wNumberOfExclusiveWaiters; - WORD wNumberOfSharedWaiters; - KSEMAPHORE SharedWaiters; - KEVENT ExclusiveWaiters; - KSPIN_LOCK SpinLock; - ULONG uCreatorBackTraceIndex; - WORD wDepth; - WORD wUknown2; - PVOID pOwnerBackTrace[4]; -} ERESOURCE_OLD, *PERESOURCE_OLD; - -typedef struct _OWNER_ENTRY -{ - ERESOURCE_THREAD OwnerThread; - SHORT sOwnerCount; - WORD wTableSize; -} OWNER_ENTRY, *POWNER_ENTRY; - -typedef struct _ERESOURCE_LITE -{ - LIST_ENTRY SystemResourcesList; - POWNER_ENTRY OwnerTable; - SHORT sActiveCount; - WORD wFlag; - PKSEMAPHORE SharedWaiters; - PKEVENT ExclusiveWaiters; - OWNER_ENTRY OwnerThreads[2]; - ULONG uContentionCount; - WORD wNumberOfSharedWaiters; - WORD wNumberOfExclusiveWaiters; - union - { - PVOID pAddress; - ULONG uCreatorBackTraceIndex; - }; - KSPIN_LOCK SpinLock; -} ERESOURCE_LITE, *PERESOURCE_LITE; - -typedef ERESOURCE_LITE ERESOURCE, - *PERESOURCE; - -typedef struct _IO_STATUS_BLOCK -{ - NTSTATUS Status; - ULONG uInformation; -} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; - -/* Defined in Winnt.h -typedef struct _QUOTA_LIMITS { - SIZE_T PagedPoolLimit; - SIZE_T NonPagedPoolLimit; - SIZE_T MinimumWorkingSetSize; - SIZE_T MaximumWorkingSetSize; - SIZE_T PagefileLimit; - LARGE_INTEGER TimeLimit; -} QUOTA_LIMITS, *PQUOTA_LIMITS; -*/ - -typedef struct _IOCOUNTERS -{ - ULONG uReadOperationCount; - ULONG uWriteOperationCount; - ULONG uOtherOperationCount; - LARGE_INTEGER liReadTransferCount; - LARGE_INTEGER liWriteTransferCount; - LARGE_INTEGER liOtherTransferCount; -} IOCOUNTERS, *PIOCOUNTERS; - -typedef struct _VM_COUNTERS -{ - ULONG uPeakVirtualSize; - ULONG uVirtualSize; - ULONG 
uPageFaultCount; - ULONG uPeakWorkingSetSize; - ULONG uWorkingSetSize; - ULONG uQuotaPeakPagedPoolUsage; - ULONG uQuotaPagedPoolUsage; - ULONG uQuotaPeakNonPagedPoolUsage; - ULONG uQuotaNonPagedPoolUsage; - ULONG uPagefileUsage; - ULONG uPeakPagefileUsage; -} VM_COUNTERS, *PVM_COUNTERS; - -typedef struct _KERNEL_USER_TIMES -{ - LARGE_INTEGER liCreateTime; - LARGE_INTEGER liExitTime; - LARGE_INTEGER liKernelTime; - LARGE_INTEGER liUserTime; -} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; - -typedef struct _BASE_PRIORITY_INFORMATION -{ - KPRIORITY BasePriority; -} BASE_PRIORITY_INFORMATION, *PBASE_PRIORITY_INFORMATION; - -typedef struct _AFFINITY_MASK -{ - KAFFINITY AffinityMask; -} AFFINITY_MASK, *PAFFINITY_MASK; - -typedef struct _TIME_FIELDS -{ - WORD wYear; - WORD wMonth; - WORD wDay; - WORD wHour; - WORD wMinute; - WORD wSecond; - WORD wMilliseconds; - WORD wWeekday; -} TIME_FIELDS, *PTIME_FIELDS; - -typedef void (*PIO_APC_ROUTINE) - (PVOID ApcContext, - PIO_STATUS_BLOCK IoStatusBlock, - ULONG Reserved); - -#if(_WIN32_WINNT < 0x0400) - -typedef struct _NTVOLUME_DATA_BUFFER -{ - LARGE_INTEGER liSerialNumber; - LARGE_INTEGER liNumberOfSectors; - LARGE_INTEGER liTotalClusters; - LARGE_INTEGER liFreeClusters; - LARGE_INTEGER liReserved; - ULONG uBytesPerSector; - ULONG uBytesPerCluster; - ULONG uBytesPerMFTRecord; - ULONG uClustersPerMFTRecord; - LARGE_INTEGER liMFTLength; - LARGE_INTEGER liMFTStart; - LARGE_INTEGER liMFTMirrorStart; - LARGE_INTEGER liMFTZoneStart; - LARGE_INTEGER liMFTZoneEnd; -} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER; - -#endif // _WIN23_WINNT < 0x0400 - -typedef struct _OBJDIR_INFORMATION -{ - UNICODE_STRING ObjectName; - UNICODE_STRING ObjectTypeName; // e.g. Directory, Device ... 
- UCHAR Data[1]; // variable length -} OBJDIR_INFORMATION, *POBJDIR_INFORMATION; - -// Define the file system information class values -typedef enum _FSINFOCLASS { - FileFsVolumeInformation = 1, - FileFsLabelInformation, // 2 - FileFsSizeInformation, // 3 - FileFsDeviceInformation, // 4 - FileFsAttributeInformation, // 5 - FileFsControlInformation, // 6 - FileFsFullSizeInformation, // 7 - FileFsObjectIdInformation, // 8 - FileFsMaximumInformation -} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; - -typedef struct _FILE_FS_VOLUME_INFORMATION { - LARGE_INTEGER VolumeCreationTime; - ULONG VolumeSerialNumber; - ULONG VolumeLabelLength; - BOOLEAN SupportsObjects; - WCHAR VolumeLabel[1]; -} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; - -typedef struct _FILE_FS_LABEL_INFORMATION { - ULONG VolumeLabelLength; - WCHAR VolumeLabel[1]; -} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION; - -typedef struct _FILE_FS_SIZE_INFORMATION { - LARGE_INTEGER TotalAllocationUnits; - LARGE_INTEGER AvailableAllocationUnits; - ULONG SectorsPerAllocationUnit; - ULONG BytesPerSector; -} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION; - -typedef struct _FILE_FS_DEVICE_INFORMATION { - DEVICE_TYPE DeviceType; - ULONG Characteristics; -} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION; - -typedef struct _FILE_FS_ATTRIBUTE_INFORMATION { - ULONG FileSystemAttributes; - LONG MaximumComponentNameLength; - ULONG FileSystemNameLength; - WCHAR FileSystemName[1]; -} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION; - -typedef struct _FILE_FS_CONTROL_INFORMATION { - LARGE_INTEGER FreeSpaceStartFiltering; - LARGE_INTEGER FreeSpaceThreshold; - LARGE_INTEGER FreeSpaceStopFiltering; - LARGE_INTEGER DefaultQuotaThreshold; - LARGE_INTEGER DefaultQuotaLimit; - ULONG FileSystemControlFlags; -} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION; - -typedef struct _FILE_FS_FULL_SIZE_INFORMATION { - LARGE_INTEGER TotalQuotaAllocationUnits; - LARGE_INTEGER 
AvailableQuotaAllocationUnits; - LARGE_INTEGER AvailableAllocationUnits; - ULONG SectorsPerAllocationUnit; - ULONG BytesPerSector; -} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION; - -typedef struct _FILE_FS_OBJECT_ID_INFORMATION { - GUID VolumeObjectId; - ULONG VolumeObjectIdExtendedInfo[12]; -} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION; - -typedef enum _SYSTEMINFOCLASS -{ - SystemBasicInformation, // 0x002C - SystemProcessorInformation, // 0x000C - SystemPerformanceInformation, // 0x0138 - SystemTimeInformation, // 0x0020 - SystemPathInformation, // not implemented - SystemProcessInformation, // 0x00C8+ per process - SystemCallInformation, // 0x0018 + (n * 0x0004) - SystemConfigurationInformation, // 0x0018 - SystemProcessorCounters, // 0x0030 per cpu - SystemGlobalFlag, // 0x0004 (fails if size != 4) - SystemCallTimeInformation, // not implemented - SystemModuleInformation, // 0x0004 + (n * 0x011C) - SystemLockInformation, // 0x0004 + (n * 0x0024) - SystemStackTraceInformation, // not implemented - SystemPagedPoolInformation, // checked build only - SystemNonPagedPoolInformation, // checked build only - SystemHandleInformation, // 0x0004 + (n * 0x0010) - SystemObjectTypeInformation, // 0x0038+ + (n * 0x0030+) - SystemPageFileInformation, // 0x0018+ per page file - SystemVdmInstemulInformation, // 0x0088 - SystemVdmBopInformation, // invalid info class - SystemCacheInformation, // 0x0024 - SystemPoolTagInformation, // 0x0004 + (n * 0x001C) - SystemInterruptInformation, // 0x0000, or 0x0018 per cpu - SystemDpcInformation, // 0x0014 - SystemFullMemoryInformation, // checked build only - SystemLoadDriver, // 0x0018, set mode only - SystemUnloadDriver, // 0x0004, set mode only - SystemTimeAdjustmentInformation, // 0x000C, 0x0008 writeable - SystemSummaryMemoryInformation, // checked build only - SystemNextEventIdInformation, // checked build only - SystemEventIdsInformation, // checked build only - SystemCrashDumpInformation, // 
0x0004 - SystemExceptionInformation, // 0x0010 - SystemCrashDumpStateInformation, // 0x0004 - SystemDebuggerInformation, // 0x0002 - SystemContextSwitchInformation, // 0x0030 - SystemRegistryQuotaInformation, // 0x000C - SystemAddDriver, // 0x0008, set mode only - SystemPrioritySeparationInformation, // 0x0004, set mode only - SystemPlugPlayBusInformation, // not implemented - SystemDockInformation, // not implemented - SystemPowerInfo, // 0x0060 (XP only!) - SystemProcessorSpeedInformation, // 0x000C (XP only!) - SystemTimeZoneInformation, // 0x00AC - SystemLookasideInformation, // n * 0x0020 - SystemSetTimeSlipEvent, - SystemCreateSession, // set mode only - SystemDeleteSession, // set mode only - SystemInvalidInfoClass1, // invalid info class - SystemRangeStartInformation, // 0x0004 (fails if size != 4) - SystemVerifierInformation, - SystemAddVerifier, - SystemSessionProcessesInformation, // checked build only - MaxSystemInfoClass -} SYSTEMINFOCLASS, *PSYSTEMINFOCLASS; - -typedef struct _SYSTEM_BASIC_INFORMATION -{ - DWORD dwUnknown1; // 0 - ULONG uKeMaximumIncrement; // x86: 0x0002625A or 0x00018730 - ULONG uPageSize; // bytes - ULONG uMmNumberOfPhysicalPages; - ULONG uMmLowestPhysicalPage; - ULONG uMmHighestPhysicalPage; - ULONG uAllocationGranularity; // bytes - PVOID pLowestUserAddress; - PVOID pMmHighestUserAddress; - KAFFINITY uKeActiveProcessors; - BYTE bKeNumberProcessors; - BYTE bUnknown2; - WORD wUnknown3; -} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; - -typedef struct _SYSTEM_PROCESSOR_INFORMATION -{ - WORD wKeProcessorArchitecture; // PROCESSOR_ARCHITECTURE_* (PROCESSOR_ARCHITECTURE_INTEL) - WORD wKeProcessorLevel; // PROCESSOR_* (PROCESSOR_INTEL_PENTIUM) - WORD wKeProcessorRevision; // Pentium: H=model, L=stepping - WORD wUnknown1; // 0 - ULONG uKeFeatureBits; -} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; - -typedef struct _MM_INFO_COUNTERS -{ - ULONG uPageFaults; - ULONG uWriteCopyFaults; - ULONG uTransistionFaults; - 
ULONG uCacheTransitionCount; - ULONG uDemandZeroFaults; - ULONG uPagesRead; - ULONG uPageReadIos; - ULONG uCacheReadCount; - ULONG uCacheIoCount; - ULONG uPagefilePagesWritten; - ULONG uPagefilePageWriteIos; - ULONG uMappedFilePagesWritten; - ULONG uMappedFilePageWriteIos; -} MM_INFO_COUNTERS, *PMM_INFO_COUNTERS; - -typedef struct _SYSTEM_PERFORMANCE_INFORMATION -{ - LARGE_INTEGER liIdleTime; // 100 nsec units - LARGE_INTEGER liIoReadTransferCount; - LARGE_INTEGER liIoWriteTransferCount; - LARGE_INTEGER liIoOtherTransferCount; - ULONG uIoReadOperationCount; - ULONG uIoWriteOperationCount; - ULONG uIoOtherOperationCount; - ULONG uMmAvailablePages; - ULONG uMmTotalCommittedPages; - ULONG uMmTotalCommitLimit; // pages - ULONG uMmPeakCommitLimit; // pages - MM_INFO_COUNTERS MmInfoCounters; - ULONG uPoolPaged; // pages - ULONG uPoolNonPaged; // pages - ULONG uPagedPoolAllocs; - ULONG uPagedPoolFrees; - ULONG uNonPagedPoolAllocs; - ULONG uNonPagedPoolFrees; - ULONG uMmTotalFreeSystemPages; - ULONG uMmSystemCodePage; - ULONG uMmTotalSystemDriverPages; - ULONG uMmTotalSystemCodePages; - ULONG uSmallNonPagedLookasideListAllocateHits; - ULONG uSmallPagedLookasideListAllocateHits; - DWORD dwUnknown1; - ULONG uMmSystemCachePage; - ULONG uMmPagedPoolPage; - ULONG uMmSystemDriverPage; - ULONG uCcFastReadNoWait; - ULONG uCcFastReadWait; - ULONG uCcFastReadResourceMiss; - ULONG uCcFastReadNotPossible; - ULONG uCcFastMdlReadNoWait; - ULONG uCcFastMdlReadWait; - ULONG uCcFastMdlReadResourceMiss; - ULONG uCcFastMdlReadNotPossible; - ULONG uCcMapDataNoWait; - ULONG uCcMapDataWait; - ULONG uCcMapDataNoWaitMiss; - ULONG uCcMapDataWaitMiss; - ULONG uCcPinMappedDataCount; - ULONG uCcPinReadNoWait; - ULONG uCcPinReadWait; - ULONG uCcPinReadNoWaitMiss; - ULONG uCcPinReadWaitMiss; - ULONG uCcCopyReadNoWait; - ULONG uCcCopyReadWait; - ULONG uCcCopyReadNoWaitMiss; - ULONG uCcCopyReadWaitMiss; - ULONG uCcMdlReadNoWait; - ULONG uCcMdlReadWait; - ULONG uCcMdlReadNoWaitMiss; - ULONG 
uCcMdlReadWaitMiss; - ULONG uCcReadAheadIos; - ULONG uCcLazyWriteIos; - ULONG uCcLazyWritePages; - ULONG uCcDataFlushes; - ULONG uCcDataPages; - ULONG uTotalContextSwitches; // total across cpus - ULONG uFirstLevelTbFills; - ULONG uSecondLevelTbFills; - ULONG uSystemCalls; -} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; - -typedef struct _SYSTEM_TIME_INFORMATION -{ - LARGE_INTEGER liKeBootTime; // relative to 01-01-1601 - LARGE_INTEGER liKeSystemTime; // relative to 01-01-1601 - LARGE_INTEGER liExpTimeZoneBias; // utc time = local time + bias - ULONG uExpCurrentTimeZoneId; // TIME_ZONE_ID_* (TIME_ZONE_ID_UNKNOWN, etc.) - DWORD dwUnknown1; -} SYSTEM_TIME_INFORMATION, *PSYSTEM_TIME_INFORMATION; - -typedef enum -{ - StateInitialized, - StateReady, - StateRunning, - StateStandby, - StateTerminated, - StateWait, - StateTransition, - StateUnknown -} THREAD_STATE; - -/*typedef struct _IO_COUNTERSEX -{ - LARGE_INTEGER ReadOperationCount; - LARGE_INTEGER WriteOperationCount; - LARGE_INTEGER OtherOperationCount; - LARGE_INTEGER ReadTransferCount; - LARGE_INTEGER WriteTransferCount; - LARGE_INTEGER OtherTransferCount; -} IO_COUNTERS, *PIO_COUNTERS;*/ - -typedef struct _SYSTEM_THREAD { - FILETIME ftKernelTime; // 100 nsec units - FILETIME ftUserTime; // 100 nsec units - FILETIME ftCreateTime; // relative to 01-01-1601 - DWORD dWaitTime; - PVOID pStartAddress; - CLIENT_ID Cid; // process/thread ids - DWORD dPriority; - DWORD dBasePriority; - DWORD dContextSwitches; - DWORD dThreadState; // 2=running, 5=waiting - KWAIT_REASON WaitReason; - DWORD dReserved01; -} SYSTEM_THREAD, * PSYSTEM_THREAD, **PPSYSTEM_THREAD; - -typedef struct _SYSTEM_PROCESS_INFORMATION { // common members - DWORD dNext; // relative offset - DWORD dThreadCount; - DWORD dReserved01; - DWORD dReserved02; - DWORD dReserved03; - DWORD dReserved04; - DWORD dReserved05; - DWORD dReserved06; - FILETIME ftCreateTime; // relative to 01-01-1601 - FILETIME ftUserTime; // 100 nsec units - FILETIME 
ftKernelTime; // 100 nsec units - UNICODE_STRING usName; - KPRIORITY BasePriority; - DWORD dUniqueProcessId; - DWORD dInheritedFromUniqueProcessId; - DWORD dHandleCount; - DWORD dReserved07; - DWORD dReserved08; - VM_COUNTERS VmCounters; // see ntddk.h - DWORD dCommitCharge; // bytes - LARGE_INTEGER Reserved6[6]; - -} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION, **PPSYSTEM_PROCESS_INFORMATION; - -typedef struct _SYSTEM_PROCESS_INFORMATION_NT4 { // Windows NT 4.0 - SYSTEM_PROCESS_INFORMATION Process; // common members - SYSTEM_THREAD aThreads [1]; // thread array -} SYSTEM_PROCESS_INFORMATION_NT4, * PSYSTEM_PROCESS_INFORMATION_NT4, **PPSYSTEM_PROCESS_INFORMATION_NT4; - -typedef struct _SYSTEM_PROCESS_NT5 { // Windows 2000 and up - SYSTEM_PROCESS_INFORMATION Process; // common members - IO_COUNTERS IoCounters; // see ntddk.h - SYSTEM_THREAD aThreads [1]; // thread array -} SYSTEM_PROCESS_INFORMATION_NT5, * PSYSTEM_PROCESS_INFORMATION_NT5, **PPSYSTEM_PROCESS_INFORMATION_NT5; - -typedef struct _SYSTEM_CALL_INFORMATION -{ - ULONG Length; - ULONG NumberOfTables; -// ULONG NumberOfEntries[NumberOfTables] -// ULONG CallCounts[NumberOfTables][NumberOfEntries]; -} SYSTEM_CALL_INFORMATION, *PSYSTEM_CALL_INFORMATION; - -typedef struct _SYSTEM_CONFIGURATION_INFORMATION -{ - ULONG uDiskCount; - ULONG uFloppyCount; - ULONG uCDRomCount; - ULONG uTapeCount; - ULONG uSerialCount; // com port with mouse not included - ULONG uParallelCount; -} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION; - -typedef struct _SYSTEM_PROCESSOR_COUNTERS -{ - LARGE_INTEGER liProcessorTime; // 100 nsec units - LARGE_INTEGER liKernelTime; // 100 nsec units - LARGE_INTEGER liUserTime; // 100 nsec units - LARGE_INTEGER liDpcTime; // 100 nsec units - LARGE_INTEGER liInterruptTime; // 100 nsec units - ULONG uInterruptCount; - DWORD dwUnknown1; -} SYSTEM_PROCESSOR_COUNTERS, *PSYSTEM_PROCESSOR_COUNTERS; - -typedef struct _SYSTEM_GLOBAL_FLAG -{ - ULONG NtGlobalFlag; // see 
Q147314, Q102985, Q105677 -} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG; - -typedef struct _SYSTEM_CALL_TIME_INFORMATION -{ - ULONG Length; - ULONG TotalCalls; - LARGE_INTEGER TimeOfCalls[1]; -} SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION; - -typedef struct _SYSTEM_MODULE -{ - ULONG Reserved[2]; - ULONG Base; - ULONG Size; - ULONG Flags; - USHORT Index; - USHORT Unknown; - USHORT LoadCount; - USHORT ModuleNameOffset; - CHAR ImageName[256]; -} SYSTEM_MODULE, *PSYSTEM_MODULE; - -typedef struct _SYSTEM_MODULE_INFORMATION -{ - ULONG uCount; - SYSTEM_MODULE aSM[]; -} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; - -typedef struct _SYSTEM_LOCK -{ - union - { - PERESOURCE_OLD pEResourceOld; // old ERESOURCE format - PERESOURCE_LITE pEResourceLite; // new "lite" format - PERESOURCE pEResource; // current format - }; - WORD wUnknown1; // 1 - WORD wUnknown2; // 0 - ULONG ExclusiveOwnerThreadId; - ULONG uActiveCount; - ULONG uContentionCount; - DWORD dwUnknown3; - DWORD dwUnknown4; - ULONG uNumberOfSharedWaiters; - ULONG uNumberOfExclusiveWaiters; -} SYSTEM_LOCK, *PSYSTEM_LOCK; - -typedef struct _SYSTEM_LOCK_INFORMATION -{ - ULONG uCount; - SYSTEM_LOCK aSL[]; -} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION; - -typedef struct _SYSTEM_HANDLE -{ - ULONG uIdProcess; - UCHAR ObjectType; // OB_TYPE_* (OB_TYPE_TYPE, etc.) - UCHAR Flags; // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.) - USHORT Handle; - POBJECT pObject; - ACCESS_MASK GrantedAccess; -} SYSTEM_HANDLE, *PSYSTEM_HANDLE; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - ULONG NumberOfHandles; - SYSTEM_HANDLE Information[]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - -typedef struct _SYSTEM_OBJECTTYPE_INFORMATION -{ - ULONG NextEntryOffset; // absolute offset - ULONG ObjectCount; - ULONG HandleCount; - ULONG TypeIndex; // OB_TYPE_* (OB_TYPE_TYPE, etc.) - ULONG InvalidAttributes; // OBJ_* (OBJ_INHERIT, etc.) 
- GENERIC_MAPPING GenericMapping; - ACCESS_MASK ValidAccessMask; - POOL_TYPE PoolType; - BOOLEAN SecurityRequired; - BOOLEAN WaitableObject; - UNICODE_STRING TypeName; -} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION; - -// follows after SYSTEM_OBJECTTYPE_INFORMATION.TypeName -typedef struct _SYSTEM_OBJECT_INFORMATION -{ - ULONG NextEntryOffset; // absolute offset - POBJECT Object; - ULONG CreatorProcessId; - USHORT CreatorBackTraceIndex; - USHORT Flags; // see "Native API Reference" page 24 - LONG PointerCount; - LONG HandleCount; - ULONG PagedPoolCharge; - ULONG NonPagedPoolCharge; - ULONG ExclusiveProcessId; - PSECURITY_DESCRIPTOR SecurityDescriptor; - UNICODE_STRING ObjectName; -} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; - -typedef struct _SYSTEM_PAGE_FILE_INFORMATION -{ - ULONG NextEntryOffset; // relative offset - ULONG CurrentSize; // pages - ULONG TotalUsed; // pages - ULONG PeakUsed; // pages - UNICODE_STRING FileName; -} SYSTEM_PAGE_FILE_INFORMATION, *PSYSTEM_PAGE_FILE_INFORMATION; - -typedef struct _SYSTEM_VDM_INSTEMUL_INFO -{ - BOOL fExVdmSegmentNotPresent; - ULONG uOpcode0FV86; - ULONG uOpcodeESPrefixV86; - ULONG uOpcodeCSPrefixV86; - ULONG uOpcodeSSPrefixV86; - ULONG uOpcodeDSPrefixV86; - ULONG uOpcodeFSPrefixV86; - ULONG uOpcodeGSPrefixV86; - ULONG uOpcodeOPER32PrefixV86; - ULONG uOpcodeADDR32PrefixV86; - ULONG uOpcodeINSBV86; - ULONG uOpcodeINSWV86; - ULONG uOpcodeOUTSBV86; - ULONG uOpcodeOUTSWV86; - ULONG uOpcodePUSHFV86; - ULONG uOpcodePOPFV86; - ULONG uOpcodeINTnnV86; - ULONG uOpcodeINTOV86; - ULONG uOpcodeIRETV86; - ULONG uOpcodeINBimmV86; - ULONG uOpcodeINWimmV86; - ULONG uOpcodeOUTBimmV86; - ULONG uOpcodeOUTWimmV86; - ULONG uOpcodeINBV86; - ULONG uOpcodeINWV86; - ULONG uOpcodeOUTBV86; - ULONG uOpcodeOUTWV86; - ULONG uOpcodeLOCKPrefixV86; - ULONG uOpcodeREPNEPrefixV86; - ULONG uOpcodeREPPrefixV86; - ULONG uOpcodeHLTV86; - ULONG uOpcodeCLIV86; - ULONG uOpcodeSTIV86; - ULONG uVdmBopCount; -} 
SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO; - -typedef struct _SYSTEM_CACHE_INFORMATION -{ - ULONG uFileCache; // bytes - ULONG uFileCachePeak; // bytes - ULONG PageFaultCount; - ULONG MinimumWorkingSet; - ULONG MaximumWorkingSet; - ULONG TransitionSharedPages; - ULONG TransitionSharedPagesPeak; - ULONG Reserved[2]; -} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION; - -typedef struct _SYSTEM_POOL_ENTRY -{ - BOOLEAN Allocated; - BOOLEAN Spare0; - USHORT AllocatorBackTraceIndex; - ULONG Size; - union - { - UCHAR Tag[4]; - ULONG TagUlong; - PVOID ProcessChargedQuota; - }; -} SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY; - -typedef struct _SYSTEM_POOL_INFORMATION -{ - ULONG TotalSize; - PVOID FirstEntry; - USHORT EntryOverhead; - BOOLEAN PoolTagPresent; - BOOLEAN Spare0; - ULONG NumberOfEntries; - SYSTEM_POOL_ENTRY Entries[1]; -} SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION; - -typedef struct _SYSTEM_POOL_TAG -{ - union - { - UCHAR Tag[4]; - ULONG TagUlong; - }; - ULONG PagedPoolAllocs; - ULONG PagedPoolFrees; - ULONG PagedPoolUsage; - ULONG NonPagedPoolAllocs; - ULONG NonPagedPoolFrees; - ULONG NonPagedPoolUsage; -} SYSTEM_POOL_TAG, *PSYSTEM_POOL_TAG; - -typedef struct _SYSTEM_POOL_TAG_INFORMATION -{ - ULONG uCount; - SYSTEM_POOL_TAG aSPT[]; -} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION; - -typedef struct _SYSTEM_INTERRUPT_INFORMATION -{ - ULONG ContextSwitches; - ULONG DpcCount; - ULONG DpcRate; - ULONG TimeIncrement; - ULONG DpcBypassCount; - ULONG ApcBypassCount; -} SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION; - -typedef struct _SYSTEM_DPC_INFORMATION -{ - DWORD dwUnknown1; - ULONG MaximumDpcQueueDepth; - ULONG MinimumDpcRate; - ULONG AdjustDpcThreshold; - ULONG IdealDpcRate; -} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION; - -typedef struct _SYSTEM_MEMORY_INFO -{ - PUCHAR StringOffset; - USHORT ValidCount; - USHORT TransitionCount; - USHORT ModifiedCount; - USHORT PageTableCount; -} SYSTEM_MEMORY_INFO, 
*PSYSTEM_MEMORY_INFO; - -typedef struct _SYSTEM_MEMORY_INFORMATION -{ - ULONG InfoSize; - ULONG StringStart; - SYSTEM_MEMORY_INFO Memory[1]; -} SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION; - -typedef struct _SYSTEM_LOAD_DRIVER -{ - UNICODE_STRING DriverName; // input - PVOID BaseAddress; // output - PVOID SectionPointer; // output - PVOID EntryPoint; // output - PIMAGE_EXPORT_DIRECTORY ExportDirectory; // output -} SYSTEM_LOAD_DRIVER, *PSYSTEM_LOAD_DRIVER; - -typedef struct _SYSTEM_UNLOAD_DRIVER -{ - PVOID SectionPointer; -} SYSTEM_UNLOAD_DRIVER, *PSYSTEM_UNLOAD_DRIVER; - -typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT -{ - ULONG TimeAdjustment; - ULONG MaximumIncrement; - BOOLEAN TimeSynchronization; -} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT; - -typedef struct _SYSTEM_SET_TIME_ADJUSTMENT -{ - ULONG TimeAdjustment; - BOOLEAN TimeSynchronization; -} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT; - -typedef struct _SYSTEM_CRASH_DUMP_INFORMATION -{ - HANDLE CrashDumpSectionHandle; -} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION; - -typedef struct _SYSTEM_CRASH_DUMP_INFORMATION_2000 -{ - HANDLE CrashDumpSectionHandle; - HANDLE Unknown; // Windows 2000 only -} SYSTEM_CRASH_DUMP_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_INFORMATION_2000; - -typedef struct _SYSTEM_EXCEPTION_INFORMATION -{ - ULONG AlignmentFixupCount; - ULONG ExceptionDispatchCount; - ULONG FloatingEmulationCount; - ULONG ByteWordEmulationCount; -} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; - -typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION -{ - ULONG ValidCrashDump; -} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION; - -typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000 -{ - ULONG ValidCrashDump; - ULONG Unknown; // Windows 2000 only -} SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION_2000; - -typedef struct _SYSTEM_DEBUGGER_INFORMATION -{ - BOOLEAN 
KernelDebuggerEnabled; - BOOLEAN KernelDebuggerNotPresent; -} SYSTEM_DEBUGGER_INFORMATION, *PSYSTEM_DEBUGGER_INFORMATION; - -typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION -{ - ULONG ContextSwitches; - ULONG FindAny; - ULONG FindLast; - ULONG FindIdeal; - ULONG IdleAny; - ULONG IdleCurrent; - ULONG IdleLast; - ULONG IdleIdeal; - ULONG PreemptAny; - ULONG PreemptCurrent; - ULONG PreemptLast; - ULONG SwitchToIdle; -} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION; - -typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION -{ - ULONG RegistryQuotaAllowed; // bytes - ULONG RegistryQuotaUsed; // bytes - ULONG PagedPoolSize; // bytes -} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; - -typedef struct _SYSTEM_ADD_DRIVER -{ - UNICODE_STRING ModuleName; -} SYSTEM_ADD_DRIVER, *PSYSTEM_ADD_DRIVER; - -typedef struct _SYSTEM_PRIORITY_SEPARATION_INFORMATION -{ - ULONG PrioritySeparation; // 0..2 -} SYSTEM_PRIORITY_SEPARATION_INFORMATION, *PSYSTEM_PRIORITY_SEPARATION_INFORMATION; - -#define MAX_BUS_NAME 24 - -typedef enum _PLUGPLAY_BUS_CLASS -{ - SystemBus, - PlugPlayVirtualBus, - MaxPlugPlayBusClass -} PLUGPLAY_BUS_CLASS, *PPLUGPLAY_BUS_CLASS; - -typedef enum _PLUGPLAY_VIRTUAL_BUS_TYPE -{ - Root, - MaxPlugPlayVirtualBusType -} PLUGPLAY_VIRTUAL_BUS_TYPE, *PPLUGPLAY_VIRTUAL_BUS_TYPE; - -typedef enum _INTERFACE_TYPE -{ - InterfaceTypeUndefined = -1, - Internal, - Isa, - Eisa, - MicroChannel, - TurboChannel, - PCIBus, - VMEBus, - NuBus, - PCMCIABus, - CBus, - MPIBus, - MPSABus, - ProcessorInternal, - InternalPowerBus, - PNPISABus, - PNPBus, - MaximumInterfaceType -}INTERFACE_TYPE, *PINTERFACE_TYPE; - -typedef struct _PLUGPLAY_BUS_TYPE -{ - PLUGPLAY_BUS_CLASS BusClass; - union - { - INTERFACE_TYPE SystemBusType; - PLUGPLAY_VIRTUAL_BUS_TYPE PlugPlayVirtualBusType; - }; -} PLUGPLAY_BUS_TYPE, *PPLUGPLAY_BUS_TYPE; - -typedef struct _PLUGPLAY_BUS_INSTANCE -{ - PLUGPLAY_BUS_TYPE BusType; - ULONG BusNumber; - WCHAR BusName[MAX_BUS_NAME]; -} 
PLUGPLAY_BUS_INSTANCE, *PPLUGPLAY_BUS_INSTANCE; - -typedef struct _SYSTEM_PLUGPLAY_BUS_INFORMATION -{ - ULONG BusCount; - PLUGPLAY_BUS_INSTANCE BusInstance[1]; -} SYSTEM_PLUGPLAY_BUS_INFORMATION, *PSYSTEM_PLUGPLAY_BUS_INFORMATION; - -typedef enum _SYSTEM_DOCK_STATE -{ - SystemDockStateUnknown, - SystemUndocked, - SystemDocked -} SYSTEM_DOCK_STATE, *PSYSTEM_DOCK_STATE; - -typedef struct _SYSTEM_DOCK_INFORMATION -{ - SYSTEM_DOCK_STATE DockState; - INTERFACE_TYPE DeviceBusType; - ULONG DeviceBusNumber; - ULONG SlotNumber; -} SYSTEM_DOCK_INFORMATION, *PSYSTEM_DOCK_INFORMATION; - -typedef struct _SYSTEM_POWER_INFORMATION // not for SystemPowerInfo ! -{ - BOOLEAN SystemSuspendSupported; - BOOLEAN SystemHibernateSupported; - BOOLEAN ResumeTimerSupportsSuspend; - BOOLEAN ResumeTimerSupportsHibernate; - BOOLEAN LidSupported; - BOOLEAN TurboSettingSupported; - BOOLEAN TurboMode; - BOOLEAN SystemAcOrDc; - BOOLEAN PowerDownDisabled; - LARGE_INTEGER SpindownDrives; -} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION; - -typedef struct _SYSTEM_PROCESSOR_SPEED_INFORMATION // not for SystemProcessorSpeedInformation ! 
-{ - ULONG MaximumProcessorSpeed; - ULONG CurrentAvailableSpeed; - ULONG ConfiguredSpeedLimit; - BOOLEAN PowerLimit; - BOOLEAN ThermalLimit; - BOOLEAN TurboLimit; -} SYSTEM_PROCESSOR_SPEED_INFORMATION, *PSYSTEM_PROCESSOR_SPEED_INFORMATION; - -typedef struct _SYSTEM_TIME_ZONE_INFORMATION -{ - LONG Bias; - WCHAR StandardName[32]; - TIME_FIELDS StandardDate; - LONG StandardBias; - WCHAR DaylightName[32]; - TIME_FIELDS DaylightDate; - LONG DaylightBias; -} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION; - -typedef struct _SYSTEM_LOOKASIDE -{ - USHORT Depth; - USHORT MaximumDepth; - ULONG TotalAllocates; - ULONG AllocateMisses; - ULONG TotalFrees; - ULONG FreeMisses; - POOL_TYPE Type; - ULONG Tag; - ULONG Size; -} SYSTEM_LOOKASIDE, *PSYSTEM_LOOKASIDE; - -typedef struct _SYSTEM_LOOKASIDE_INFORMATION -{ - SYSTEM_LOOKASIDE asl[]; -} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; - -typedef struct _SYSTEM_SET_TIME_SLIP_EVENT -{ - HANDLE TimeSlipEvent; -} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT; - -typedef struct _SYSTEM_CREATE_SESSION -{ - ULONG Session; -} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION; - -typedef struct _SYSTEM_DELETE_SESSION -{ - ULONG Session; -} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION; - -typedef struct _SYSTEM_RANGE_START_INFORMATION -{ - PVOID SystemRangeStart; -} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION; - - -// - NTAPI - -// See also: WSK 1.2 - -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySystemInformation( - __in SYSTEMINFOCLASS SystemInformationClass, - __out PVOID pSystemInformation, - __in ULONG uSystemInformationLength, - __out_opt PULONG puReturnLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetSystemInformation( - __in SYSTEMINFOCLASS SystemInformationClass, - __in PVOID pSystemInformation, - __in ULONG uSystemInformationLength -); - -// Time functions -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySystemTime( - __out PLARGE_INTEGER SystemTime -); - -NTSYSAPI -NTSTATUS -NTAPI 
-NtSetSystemTime( - __in PLARGE_INTEGER NewTime, - __out_opt PLARGE_INTEGER OldTime -); - -NTSYSAPI -VOID -NTAPI -RtlTimeToTimeFields( - __in PLARGE_INTEGER pliTime, - __out PTIME_FIELDS pTimeFields -); - -NTSYSAPI -BOOLEAN -NTAPI -RtlTimeFieldsToTime( - __in PTIME_FIELDS pTimeFields, - __out PLARGE_INTEGER pliTime -); - -NTSYSAPI -VOID -NTAPI -RtlSecondsSince1970ToTime( - __in ULONG SecondsSince1970, - __out PLARGE_INTEGER Time -); - -NTSYSAPI -VOID -NTAPI -RtlTimeToSecondsSince1970( - __in PLARGE_INTEGER Time, - __out PULONG SecondsSince1970 -); - -//Mutex functions -NTSYSAPI -NTSTATUS -NTAPI -NtCreateMutant( - __out PHANDLE MutantHandle, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes, - BOOL InitialOwner -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenMutant( - __out PHANDLE MutantHandle, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes -); - -NTSYSAPI -NTSTATUS -NTAPI -NtReleaseMutant( - __in HANDLE hMutex, - PULONG Optional -); - -// Event functions -NTSYSAPI -NTSTATUS -NTAPI -NtCreateEvent( - __out PHANDLE EventHandle, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes, - DWORD AutoReset, - DWORD InitialState -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenEvent( - PHANDLE phEvent, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes -); - -NTSYSAPI -NTSTATUS -NTAPI -NtClearEvent( - __in HANDLE hEvent -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetEvent( - __in HANDLE hEvent, - __out_opt PLONG plSignaled -); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateSemaphore( - __out PHANDLE SemaphoreHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes, - __in LONG InitialCount, - __in LONG MaximumCount -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenSemaphore( - __out PHANDLE SemaphoreHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSYSAPI -NTSTATUS -NTAPI -NtReleaseSemaphore( - __in HANDLE SemaphoreHandle, - __in LONG ReleaseCount, - __out_opt PLONG PreviousCount -); - 
-typedef enum _SEMAPHORE_INFORMATION_CLASS -{ - SemaphoreBasicInformation -} SEMAPHORE_INFORMATION_CLASS; - -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySemaphore( - __in HANDLE SemaphoreHandle, - __in SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, - __out PVOID SemaphoreInformation, - __in ULONG SemaphoreInformationLength, - __out_opt PULONG ResultLength -); - -typedef struct _SEMAPHORE_BASIC_INFORMATION -{ - LONG CurrentCount; - LONG MaximumCount; -} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; - -// Directory and Symbolic Link functions -NTSYSAPI -NTSTATUS -NTAPI -NtCreateDirectoryObject( - __out PHANDLE phDirectory, - __in ACCESS_MASK AccessMask, - __in POBJECT_ATTRIBUTES pObjectAttributes -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenDirectoryObject( - __out PHANDLE DirectoryHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes -); - -typedef struct _DIRECTORY_CONTENTS -{ - struct - { - UNICODE_STRING Name; - UNICODE_STRING Type; - } Entry[ANYSIZE_ARRAY]; -} DIRECTORY_CONTENTS, *PDIRECTORY_CONTENTS; - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryDirectoryObject( - __in HANDLE DirectoryHandle, - __out PDIRECTORY_CONTENTS Buffer, - __in ULONG Length, - __in BOOLEAN ReturnSingleEntry, - __in BOOLEAN RestartScan, - __inout PULONG Index, - __out_opt PULONG ResultLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenSymbolicLinkObject( - __out PHANDLE SymbolicLinkHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySymbolicLinkObject( - __in HANDLE SymbolicLinkHandle, - __out PUNICODE_STRING NameString, - __out_opt PULONG ResultLength -); - -// File functions -NTSYSAPI -NTSTATUS -NTAPI -NtCreateFile( - PHANDLE phFile, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes, - PIO_STATUS_BLOCK pIoStatusBlock, - PLARGE_INTEGER pliAllocationSize, - ULONG uFileAttributes, - ULONG uShareAccess, - ULONG uCreateDisposition, - ULONG uCreateOptions, - PVOID pEaBuffer, - 
ULONG uEaLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateNamedPipeFile( - PHANDLE phFile, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes, - PIO_STATUS_BLOCK pIoStatusBlock, - ULONG uShareAccess, - ULONG uCreateDisposition, - ULONG uCreateOptions, - BOOLEAN TypeMessage, - BOOLEAN ReadModeMessage, - BOOLEAN NonBlocking, - ULONG MaxInstance, - ULONG InBufferSize, - ULONG OutBufferSize, - PLARGE_INTEGER DefaultTimeout -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenFile( - PHANDLE phFile, - ACCESS_MASK AccessMask, - POBJECT_ATTRIBUTES pObjectAttributes, - PIO_STATUS_BLOCK pIoStatusBlock, - ULONG uShareAccess, - ULONG uOpenOptions -); - -NTSYSAPI -NTSTATUS -NTAPI -NtDeleteFile( - __in POBJECT_ATTRIBUTES pObjectAttributes -); - -typedef enum _FILE_INFORMATION_CLASS -{ - FileDirectoryInformation = 1, - FileFullDirectoryInformation, // 2 - FileBothDirectoryInformation, // 3 - FileBasicInformation, // 4 - FileStandardInformation, // 5 - FileInternalInformation, // 6 - FileEaInformation, // 7 - FileAccessInformation, // 8 - FileNameInformation, // 9 - FileRenameInformation, // 10 - FileLinkInformation, // 11 - FileNamesInformation, // 12 - FileDispositionInformation, // 13 - FilePositionInformation, // 14 - FileFullEaInformation, // 15 - FileModeInformation, // 16 - FileAlignmentInformation, // 17 - FileAllInformation, // 18 - FileAllocationInformation, // 19 - FileEndOfFileInformation, // 20 - FileAlternateNameInformation, // 21 - FileStreamInformation, // 22 - FilePipeInformation, // 23 - FilePipeLocalInformation, // 24 - FilePipeRemoteInformation, // 25 - FileMailslotQueryInformation, // 26 - FileMailslotSetInformation, // 27 - FileCompressionInformation, // 28 - FileObjectIdInformation, // 29 - FileCompletionInformation, // 30 - FileMoveClusterInformation, // 31 - FileInformationReserved32, // 32 - FileInformationReserved33, // 33 - FileNetworkOpenInformation, // 34 - FileAttributeTagInformation, // 35 - FileTrackingInformation, // 36 - 
FileIdBothDirectoryInformation, // 37 - FileIdFullDirectoryInformation, // 38 - FileValidDataLengthInformation, // 39 - FileShortNameInformation, // 40 - FileMaximumInformation - -} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; - -typedef struct _FILE_DIRECTORY_INFORMATION -{ - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; - -typedef struct _FILE_FULL_DIR_INFORMATION -{ - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - WCHAR FileName[1]; -} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; - -typedef struct _FILE_BOTH_DIR_INFORMATION -{ - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - UCHAR ShortNameLength; - WCHAR ShortName[12]; - WCHAR FileName[1]; -} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; - -typedef struct _FILE_ID_BOTH_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - LARGE_INTEGER FileId; - WCHAR FileName[1]; -} FILE_ID_BOTH_DIR_INFORMATION, 
*PFILE_ID_BOTH_DIR_INFORMATION; - -typedef struct _FILE_ID_FULL_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - LARGE_INTEGER FileId; - WCHAR FileName[1]; -} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; - -typedef struct _FILE_BASIC_INFORMATION -{ - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - ULONG FileAttributes; -} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; - -typedef struct _FILE_STANDARD_INFORMATION -{ - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG NumberOfLinks; - BOOLEAN DeletePending; - BOOLEAN Directory; -} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; - -typedef struct _FILE_INTERNAL_INFORMATION -{ - LARGE_INTEGER IndexNumber; -} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; - -typedef struct _FILE_EA_INFORMATION -{ - ULONG EaSize; -} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; - -typedef struct _FILE_ACCESS_INFORMATION -{ - ACCESS_MASK AccessFlags; -} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; - -typedef struct _FILE_NAME_INFORMATION -{ - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; - -typedef struct _FILE_RENAME_INFORMATION -{ - BOOLEAN ReplaceIfExists; - HANDLE RootDirectory; - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; - -typedef struct _FILE_LINK_INFORMATION -{ - BOOLEAN ReplaceIfExists; - HANDLE RootDirectory; - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; - -typedef struct _FILE_NAMES_INFORMATION -{ - ULONG NextEntryOffset; - ULONG FileIndex; - ULONG FileNameLength; - WCHAR FileName[1]; -} 
FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; - -typedef struct _FILE_ALLOCATION_INFORMATION -{ - LARGE_INTEGER AllocationSize; -} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; - -typedef struct _FILE_COMPRESSION_INFORMATION -{ - LARGE_INTEGER CompressedFileSize; - USHORT CompressionFormat; - UCHAR CompressionUnitShift; - UCHAR ChunkShift; - UCHAR ClusterShift; - UCHAR Reserved[3]; -} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; - -typedef struct _FILE_COMPLETION_INFORMATION -{ - HANDLE Port; - ULONG Key; -} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationFile( - __in HANDLE FileHandle, - __out PIO_STATUS_BLOCK IoStatusBlock, - __out PVOID FileInformation, - __in ULONG Length, - __in FILE_INFORMATION_CLASS FileInformationClass -); - -NTSYSAPI -NTSTATUS -NTAPI -NtDeviceIoControlFile( - __in HANDLE FileHandle, - __in_opt HANDLE Event, - __in_opt PIO_APC_ROUTINE ApcRoutine, - __in_opt PVOID ApcContext, - __out PIO_STATUS_BLOCK IoStatusBlock, - __in ULONG IoControlCode, - __in_opt PVOID InputBuffer, - __in ULONG InputBufferLength, - __out_opt PVOID OutputBuffer, - __in ULONG OutputBufferLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtFsControlFile( - __in HANDLE FileHandle, - __in_opt HANDLE Event, - __in_opt PIO_APC_ROUTINE ApcRoutine, - __in_opt PVOID ApcContext, - __out PIO_STATUS_BLOCK IoStatusBlock, - __in ULONG FsControlCode, - __in_opt PVOID InputBuffer, - __in ULONG InputBufferLength, - __out_opt PVOID OutputBuffer, - __in ULONG OutputBufferLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryVolumeInformationFile( - __in HANDLE FileHandle, - __out PIO_STATUS_BLOCK IoStatusBlock, - __out PVOID FsInformation, - __in ULONG Length, - __in FS_INFORMATION_CLASS FsInformationClass -); - -NTSYSAPI -NTSTATUS -NTAPI -NtFlushBuffersFile( - __in HANDLE FileHandle, - __out PIO_STATUS_BLOCK IoStatusBlock -); - -// Process functions -//#define NtCurrentProcess() ((HANDLE) -1) -inline HANDLE 
NtCurrentProcess() { return (HANDLE)-1; } - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenProcess( - __out PHANDLE phProcess, - __in ACCESS_MASK AccessMask, - __in POBJECT_ATTRIBUTES pObjectAttributes, - __in PCLIENT_ID pClientId -); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateProcess( - __out PHANDLE ProcessHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes, - __in HANDLE InheritFromProcessHandle, - __in BOOLEAN InheritHandles, - __in_opt HANDLE SectionHandle, - __in_opt HANDLE DebugPort, - __in_opt HANDLE ExceptionPort -); - -NTSYSAPI -NTSTATUS -NTAPI -NtTerminateProcess( - __in HANDLE ProcessHandle, - __in DWORD ExitCode -); - -typedef enum _PROCESSINFOCLASS -{ - ProcessBasicInformation, - ProcessQuotaLimits, // QUOTA_LIMITS - ProcessIoCounters, // IOCOUNTERS - ProcessVmCounters, // VM_COUNTERS - ProcessTimes, // KERNEL_USER_TIMES - ProcessBasePriority, // BASE_PRIORITY_INFORMATION - ProcessRaisePriority, - ProcessDebugPort, - ProcessExceptionPort, - ProcessAccessToken, - ProcessLdtInformation, - ProcessLdtSize, - ProcessDefaultHardErrorMode, - ProcessIoPortHandlers, // Note: this is kernel mode only - ProcessPooledUsageAndLimits, - ProcessWorkingSetWatch, - ProcessUserModeIOPL, - ProcessEnableAlignmentFaultFixup, - ProcessPriorityClass, - ProcessWx86Information, - ProcessHandleCount, - ProcessAffinityMask, // AFFINITY_MASK - ProcessPriorityBoost, - ProcessDeviceMap, - ProcessSessionInformation, - ProcessForegroundInformation, - ProcessWow64Information, - MaxProcessInfoClass -} PROCESSINFOCLASS; - -typedef struct _PROCESS_BASIC_INFORMATION -{ - NTSTATUS ExitStatus; - PPEB PebBaseAddress; - KAFFINITY AffinityMask; - KPRIORITY BasePriority; - ULONG uUniqueProcessId; - ULONG uInheritedFromUniqueProcessId; -} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; - -typedef struct _PROCESS_RAISE_PRIORITY -{ - KPRIORITY RaisePriority; -} PROCESS_RAISE_PRIORITY, *PPROCESS_RAISE_PRIORITY; - -typedef struct _PROCESS_DEBUG_PORT_INFORMATION -{ - HANDLE 
DebugPort; -} PROCESS_DEBUG_PORT_INFORMATION, *PPROCESS_DEBUG_PORT_INFORMATION; - -typedef struct _PROCESS_EXCEPTION_PORT -{ - HANDLE ExceptionPort; -} PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT; - -typedef struct _PROCESS_ACCESS_TOKEN -{ - HANDLE Token; - HANDLE Thread; -} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; - -#ifndef _LDT_ENTRY_DEFINED -#define _LDT_ENTRY_DEFINED - -typedef struct _LDT_ENTRY -{ - USHORT LimitLow; - USHORT BaseLow; - union - { - struct - { - UCHAR BaseMid; - UCHAR Flags1; // Declare as bytes to avoid alignment - UCHAR Flags2; // Problems. - UCHAR BaseHi; - } Bytes; - - struct - { - ULONG BaseMid : 8; - ULONG Type : 5; - ULONG Dpl : 2; - ULONG Pres : 1; - ULONG LimitHi : 4; - ULONG Sys : 1; - ULONG Reserved_0 : 1; - ULONG Default_Big : 1; - ULONG Granularity : 1; - ULONG BaseHi : 8; - } Bits; - } HighWord; -} LDT_ENTRY, *PLDT_ENTRY; - -#endif // _LDT_ENTRY_DEFINED - -#define LDT_TABLE_SIZE (8 * 1024 * sizeof(LDT_ENTRY)) - -typedef struct _LDT_INFORMATION -{ - ULONG Start; - ULONG Length; - LDT_ENTRY LdtEntries[1]; -} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION; - -typedef struct _LDT_SIZE -{ - ULONG Length; -} PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE; - -typedef struct _PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION -{ - ULONG HardErrorMode; // SEM_* (SEM_FAILCRITICALERRORS, etc.) 
-} PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION, *PPROCESS_DEFAULT_HARDERROR_MODE_INFORMATION; - -typedef struct _PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION -{ - ULONG PeakPagedPoolUsage; - ULONG PagedPoolUsage; - ULONG PagedPoolLimit; - ULONG PeakNonPagedPoolUsage; - ULONG NonPagedPoolUsage; - ULONG NonPagedPoolLimit; - ULONG PeakPagefileUsage; - ULONG PagefileUsage; - ULONG PagefileLimit; -} PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION, *PPROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION; - -typedef struct _PROCESS_WS_WATCH_INFORMATION -{ - PVOID FaultingPc; - PVOID FaultingVa; -} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION; - -typedef struct _PROCESS_IOPL -{ - ULONG Iopl; -} PROCESS_IOPL, *PPROCESS_IOPL; - -typedef struct _PROCESS_ALLIGNMENT_FAULT_FIXUP -{ - BOOLEAN EnableAllignmentFaultFixup; -} PROCESS_ALLIGNMENT_FAULT_FIXUP, *PPROCESS_ALLIGNMENT_FAULT_FIXUP; - -#define KRNL_NORMAL_PRIORITY_CLASS 0x02 -#define KRNL_IDLE_PRIORITY_CLASS 0x01 -#define KRNL_HIGH_PRIORITY_CLASS 0x03 -#define KRNL_REALTIME_PRIORITY_CLASS 0x04 - -typedef struct _PROCESS_PRIORITY_CLASS_INFORMATION -{ - UCHAR Unknown; - UCHAR PriorityClass; -} PROCESS_PRIORITY_CLASS_INFORMATION, *PPROCESS_PRIORITY_CLASS_INFORMATION; - -typedef struct _PROCESS_X86_INFORMATION -{ - ULONG x86Info; -} PROCESS_X86_INFORMATION, *PPROCESS_X86_INFORMATION; - -typedef struct _PROCESS_HANDLE_COUNT_INFORMATION -{ - ULONG HandleCount; -} PROCESS_HANDLE_COUNT_INFORMATION, *PPROCESS_HANDLE_COUNT_INFORMATION; - -typedef struct _PROCESS_PRIORITY_BOOST_INFORMATION -{ - ULONG PriorityBoostEnabled; -} PROCESS_PRIORITY_BOOST_INFORMATION, *PPROCESS_PRIORITY_BOOST_INFORMATION; - -typedef struct _PROCESS_DEVICE_MAP_INFORMATION -{ - union - { - struct - { - HANDLE DirectoryHandle; - } Set; - - struct - { - ULONG DriveMap; - UCHAR DriveType[32]; - } Query; - }; - -} PROCESS_DEVICE_MAP_INFORMATION, *PPROCESS_DEVICE_MAP_INFORMATION; - -typedef struct _PROCESS_SESSION_INFORMATION -{ - ULONG SessionId; -} 
PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationProcess( - __in HANDLE hProcess, - __in PROCESSINFOCLASS ProcessInformationClass, - __out PVOID pProcessInformation, - __in ULONG uProcessInformationLength, - __out_opt PULONG puReturnLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationProcess( - __in HANDLE hProcess, - __in PROCESSINFOCLASS ProcessInformationClass, - __out PVOID pProcessInformation, - __in ULONG uProcessInformationLength -); - -NTSTATUS -NTAPI -RtlCreateProcessParameters( - __out PPROCESS_PARAMETERS *ProcessParameters, - __in PUNICODE_STRING ImageFile, - __in_opt PUNICODE_STRING DllPath, - __in_opt PUNICODE_STRING CurrentDirectory, - __in_opt PUNICODE_STRING CommandLine, - __in ULONG CreationFlags, - __in_opt PUNICODE_STRING WindowTitle, - __in_opt PUNICODE_STRING Desktop, - __in_opt PUNICODE_STRING Reserved, - __in_opt PUNICODE_STRING Reserved2 -); - -NTSTATUS -NTAPI -RtlDestroyProcessParameters( - __in PPROCESS_PARAMETERS ProcessParameters -); - -// jichi 9/28/2013 -// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Executable%20Images/RtlCreateUserThread.html -// See: http://waleedassar.blogspot.com/2012/06/createremotethread-vs.html -NTSYSAPI -NTSTATUS -NTAPI -RtlCreateUserThread( - __in HANDLE ProcessHandle, - __in_opt PSECURITY_DESCRIPTOR SecurityDescriptor, - __in BOOLEAN CreateSuspended, - __in ULONG StackZeroBits, - __inout PULONG StackReserved, - __inout PULONG StackCommit, - __in PVOID StartAddress, - __in_opt PVOID StartParameter, - __out PHANDLE ThreadHandle, - __out PCLIENT_ID ClientID -); - -// Thread functions -#define NtCurrentThread() ((HANDLE) -2) - -typedef struct _USER_STACK -{ - PVOID FixedStackBase; - PVOID FixedStackLimit; - PVOID ExpandableStackBase; - PVOID ExpandableStackLimit; - PVOID ExpandableStackBottom; -} USER_STACK, *PUSER_STACK; - -/* -typedef struct _INITIAL_TEB { - struct { - PVOID OldStackBase; - PVOID OldStackLimit; - } 
OldInitialTeb; - PVOID StackBase; - PVOID StackLimit; - PVOID StackAllocationBase; -} INITIAL_TEB, *PINITIAL_TEB; -*/ -typedef _USER_STACK _INITIAL_TEB; -typedef USER_STACK INITIAL_TEB; -typedef PUSER_STACK PINITIAL_TEB; - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateThread( - __out PHANDLE ThreadHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes, - __in HANDLE ProcessHandle, - __out PCLIENT_ID ClientId, - __in PCONTEXT ThreadContext, - __in PUSER_STACK UserStack, - __in BOOLEAN CreateSuspended -); - -typedef -NTSTATUS -(WINAPI *FpNtCreateThread)( - __out PHANDLE ThreadHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes, - __in HANDLE ProcessHandle, - __out PCLIENT_ID ClientId, - __in PCONTEXT ThreadContext, - __in PUSER_STACK UserStack, - __in BOOLEAN CreateSuspended -); - -typedef struct _NtCreateThreadExBuffer{ - ULONG Size; // sizeof(NtCreateThreadEx) - ULONG Unknown1; - ULONG Unknown2; - PULONG Unknown3; // &dw1: SizeOfStackCommit - ULONG Unknown4; - ULONG Unknown5; - ULONG Unknown6; - PULONG Unknown7; // &dw2: SizeOfStackReserve - ULONG Unknown8; -} NtCreateThreadExBuffer, *PNtCreateThreadExBuffer; - -// jichi 9/28/2013: An alternative way to create thread on Windows Vista and later -NTSYSAPI -NTSTATUS -NTAPI -NtCreateThreadEx ( - __out PHANDLE hThread, - __in ACCESS_MASK DesiredAccess, - __in LPVOID ObjectAttributes, - __in HANDLE ProcessHandle, - __in LPTHREAD_START_ROUTINE lpStartAddress, - __in LPVOID lpParameter, - __in BOOL CreateSuspended, - __in ULONG StackZeroBits, - __in ULONG SizeOfStackCommit, - __in ULONG SizeOfStackReserve, - __out LPVOID lpBytesBuffer -); - -typedef -NTSTATUS -(WINAPI *FpNtCreateThreadEx) ( - __out PHANDLE hThread, - __in ACCESS_MASK DesiredAccess, - __in LPVOID ObjectAttributes, - __in HANDLE ProcessHandle, - __in LPTHREAD_START_ROUTINE lpStartAddress, - __in LPVOID lpParameter, - __in BOOL CreateSuspended, - __in ULONG StackZeroBits, - __in ULONG SizeOfStackCommit, - 
__in ULONG SizeOfStackReserve, - __out LPVOID lpBytesBuffer -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenThread( - __out PHANDLE phThread, - __in ACCESS_MASK AccessMask, - __in POBJECT_ATTRIBUTES pObjectAttributes, - __in PCLIENT_ID pClientId -); - -NTSYSAPI -NTSTATUS -NTAPI -NtTerminateThread( - __in_opt HANDLE ThreadHandle, - __in NTSTATUS ExitStatus -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSuspendThread( - __in HANDLE ThreadHandle, - __out_opt PULONG PreviousSuspendCount -); - -NTSYSAPI -NTSTATUS -NTAPI -NtResumeThread( - __in HANDLE ThreadHandle, - __out_opt PULONG PreviousSuspendCount -); -typedef -NTSTATUS -(WINAPI -* LpNtResumeThread)( - __in HANDLE ThreadHandle, - __out_opt PULONG PreviousSuspendCount -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlExitUserThread( - __in DWORD ExitCode -); - -typedef enum _THREADINFOCLASS -{ - ThreadBasicInformation, - ThreadTimes, // KERNEL_USER_TIMES - ThreadPriority, - ThreadBasePriority, // BASE_PRIORITY_INFORMATION - ThreadAffinityMask, // AFFINITY_MASK - ThreadImpersonationToken, - ThreadDescriptorTableEntry, - ThreadEnableAlignmentFaultFixup, - ThreadEventPair, - ThreadQuerySetWin32StartAddress, - ThreadZeroTlsCell, - ThreadPerformanceCount, - ThreadAmILastThread, - ThreadIdealProcessor, - ThreadPriorityBoost, - ThreadSetTlsArrayAddress, - ThreadIsIoPending, // W2K - ThreadHideFromDebugger, // W2K - MaxThreadInfoClass -} THREADINFOCLASS; - -typedef struct _THREAD_BASIC_INFORMATION -{ - NTSTATUS ExitStatus; - PTEB TebBaseAddress; - CLIENT_ID ClientId; - KAFFINITY AffinityMask; - KPRIORITY Priority; - KPRIORITY BasePriority; -} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; - -typedef struct _THREAD_PRIORITY -{ - KPRIORITY Priority; -} THREAD_PRIORITY, *PTHREAD_PRIORITY; - -typedef struct _THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION -{ - ULONG Selector; - LDT_ENTRY Descriptor; -} THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION, *PTHREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION; - -typedef struct _THREAD_EVENTPAIR -{ - HANDLE EventPair; -} 
THREAD_EVENTPAIR, *PTHREAD_EVENTPAIR; - -typedef struct _THREAD_WIN32_START_ADDRESS_INFORMATION -{ - PVOID Win32StartAddress; -} THREAD_WIN32_START_ADDRESS_INFORMATION, *PTHREAD_WIN32_START_ADDRESS_INFORMATION; - -typedef struct _THREAD_ZERO_TLSCELL -{ - ULONG TlsIndex; -} THREAD_ZERO_TLSCELL, *PTHREAD_ZERO_TLSCELL; - -typedef struct _THREAD_PERFORMANCE_COUNTER_INFORMATION -{ - ULONG Count1; - ULONG Count2; -} THREAD_PERFORMANCE_COUNTER_INFORMATION, *PTHREAD_PERFORMANCE_COUNTER_INFORMATION; - -typedef struct _THREAD_AMI_LAST_THREAD -{ - ULONG AmILastThread; -} THREAD_AMI_LAST_THREAD, *PTHREAD_AMI_LAST_THREAD; - -typedef struct _THREAD_IDEAL_PROCESSOR -{ - ULONG IdealProcessor; -} THREAD_IDEAL_PROCESSOR, *PTHREAD_IDEAL_PROCESSOR; - -typedef struct _THREAD_TLS_ARRAY -{ - PULONG TlsArray; -} THREAD_TLS_ARRAY, *PTHREAD_TLS_ARRAY; - -typedef struct _THREAD_IS_IO_PENDING_INFORMATION -{ - ULONG IsIOPending; -} THREAD_IS_IO_PENDING_INFORMATION, *PTHREAD_IS_IO_PENDING_INFORMATION; - -typedef struct _THREAD_HIDE_FROM_DEBUGGER -{ - ULONG HideFromDebugger; -} THREAD_HIDE_FROM_DEBUGGER, *PTHREAD_HIDE_FROM_DEBUGGER; - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationThread( - __in HANDLE hThread, - __in THREADINFOCLASS ThreadInformationClass, - __out PVOID pThreadInformation, - __in ULONG uThreadInformationLength, - __out_opt PULONG puReturnLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationThread( - __in HANDLE hThread, - __in THREADINFOCLASS ThreadInformationClass, - __out PVOID pThreadInformation, - __in ULONG uthreadInformationLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenThreadToken( - __in HANDLE hThread, - __in ACCESS_MASK DesiredAccess, - __in BOOLEAN bOpenAsSelf, - __out PHANDLE phToken -); - -NTSYSAPI -NTSTATUS -NTAPI -NtImpersonateThread( - __in HANDLE ThreadHandle, - __in HANDLE TargetThreadHandle, - __in PSECURITY_QUALITY_OF_SERVICE SecurityQos -); - -NTSYSAPI -NTSTATUS -NTAPI -NtGetContextThread( - __in HANDLE ThreadHandle, - __out PCONTEXT Context -); - 
-NTSYSAPI -NTSTATUS -NTAPI -NtSetContextThread( - __in HANDLE ThreadHandle, - __in PCONTEXT Context -); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueueApcThread( - __in HANDLE ThreadHandle, - __in PKNORMAL_ROUTINE ApcRoutine, - __in_opt PVOID ApcContext, - __in_opt PVOID Argument1, - __in_opt PVOID Argument2 -); - -NTSYSAPI -NTSTATUS -NTAPI -NtImpersonateAnonymousToken( - __in HANDLE hThread -); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateSection( - __out PHANDLE SectionHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes, - __in_opt PLARGE_INTEGER SectionSize, - __in ULONG Protect, - __in ULONG Attributes, - __in HANDLE FileHandle -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenSection( - __out PHANDLE SectionHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes -); - -typedef enum _SECTION_INFORMATION_CLASS -{ - SectionBasicInformation, - SectionImageInformation -} SECTION_INFORMATION_CLASS; - -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySection( - __in HANDLE SectionHandle, - __in SECTION_INFORMATION_CLASS SectionInformationClass, - __out PVOID SectionInformation, - __in ULONG SectionInformationLength, - __out_opt PULONG ResultLength -); - -typedef struct _SECTION_BASIC_INFORMATION -{ - PVOID BaseAddress; - ULONG Attributes; - LARGE_INTEGER Size; -} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; - -typedef struct _SECTION_IMAGE_INFORMATION -{ - PVOID EntryPoint; - ULONG Unknown1; - ULONG StackReserve; - ULONG StackCommit; - ULONG Subsystem; - USHORT MinorSubsystemVersion; - USHORT MajorSubsystemVersion; - ULONG Unknown2; - ULONG Characteristics; - USHORT ImageNumber; - BOOLEAN Executable; - UCHAR Unknown3; - ULONG Unknown4[3]; -} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtExtendSection( - __in HANDLE SectionHandle, - __in PLARGE_INTEGER SectionSize -); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnmapViewOfSection( - __in HANDLE hProcess, - __in PVOID pBaseAddress -); - -NTSYSAPI -NTSTATUS 
-NTAPI -NtWaitForSingleObject( - __in HANDLE hObject, - __in BOOL fAlertable, - __in PLARGE_INTEGER pliTimeout // NULL = infinite -); - -// Object functions -typedef enum _OBJECT_INFORMATION_CLASS -{ - ObjectBasicInformation, // 0 Y N - ObjectNameInformation, // 1 Y N - ObjectTypeInformation, // 2 Y N - ObjectAllTypesInformation, // 3 Y N - ObjectHandleInformation // 4 Y Y -} OBJECT_INFORMATION_CLASS; - -typedef struct _OBJECT_BASIC_INFORMATION -{ - ULONG Attributes; - ACCESS_MASK GrantedAccess; - ULONG HandleCount; - ULONG PointerCount; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; - ULONG Reserved[3]; - ULONG NameInformationLength; - ULONG TypeInformationLength; - ULONG SecurityDescriptorLength; - LARGE_INTEGER CreateTime; -} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; - -typedef struct _OBJECT_NAME_INFORMATION -{ - UNICODE_STRING Name; -} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; - -typedef struct _OBJECT_TYPE_INFORMATION -{ - UNICODE_STRING Name; - ULONG ObjectCount; - ULONG HandleCount; - ULONG Reserved1[4]; - ULONG PeakObjectCount; - ULONG PeakHandleCount; - ULONG Reserved2[4]; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccess; - UCHAR Unknown; - BOOLEAN MaintainHandleDatabase; - UCHAR Reserved3[2]; - POOL_TYPE PoolType; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; -} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; - -typedef struct _OBJECT_ALL_TYPES_INFORMATION -{ - ULONG NumberOfTypes; - OBJECT_TYPE_INFORMATION TypeInformation; -} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION; - -typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION -{ - BOOLEAN Inherit; - BOOLEAN ProtectFromClose; -} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryObject( - __in HANDLE ObjectHandle, - __in OBJECT_INFORMATION_CLASS ObjectInformationClass, - __out PVOID ObjectInformation, - __in ULONG ObjectInformationLength, - __out_opt PULONG 
ReturnLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationObject( - __in HANDLE ObjectHandle, - __in OBJECT_INFORMATION_CLASS ObjectInformationClass, - __in PVOID ObjectInformation, - __in ULONG ObjectInformationLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtDuplicateObject( - __in HANDLE SourceProcessHandle, - __in HANDLE SourceHandle, - __in_opt HANDLE TargetProcessHandle, - __out_opt PHANDLE TargetHandle, - __in ACCESS_MASK DesiredAccess, - __in ULONG HandleAttributes, - __in ULONG Options -); - -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySecurityObject( - __in HANDLE FileHandle, - __in SECURITY_INFORMATION SecurityInformation, - __out PSECURITY_DESCRIPTOR SecurityDescriptor, - __in ULONG Length, - __out PULONG ResultLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetSecurityObject( - __in HANDLE FileHandle, - __in SECURITY_INFORMATION SecurityInformation, - __in PSECURITY_DESCRIPTOR SecurityDescriptor -); - -// Memory management functions -NTSYSAPI -NTSTATUS -NTAPI -NtAllocateVirtualMemory( - __in HANDLE ProcessHandle, - __inout PVOID *BaseAddress, - __in ULONG ZeroBits, - __inout PULONG AllocationSize, - __in ULONG AllocationType, - __in ULONG Protect -); - -typedef enum _MEMORY_INFORMATION_CLASS -{ - MemoryBasicInformation, - MemoryWorkingSetList, - MemorySectionName, - MemoryBasicVlmInformation -} MEMORY_INFORMATION_CLASS; - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryVirtualMemory( - __in HANDLE ProcessHandle, - __in PVOID BaseAddress, - __in MEMORY_INFORMATION_CLASS MemoryInformationClass, - __out PVOID MemoryInformation, - __in ULONG MemoryInformationLength, - __out PULONG ReturnLength OPTIONAL -); - -NTSYSAPI NTSTATUS NTAPI LdrUnloadDll(IN HANDLE ModuleHandl); - -/* Defined in Winnt.h -typedef struct _MEMORY_BASIC_INFORMATION -{ - PVOID BaseAddress; - PVOID AllocationBase; - ULONG AllocationProtect; - ULONG RegionSize; - ULONG State; - ULONG Protect; - ULONG Type; -} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION; -*/ - -typedef struct _MEMORY_WORKING_SET_LIST -{ - 
ULONG NumberOfPages; - ULONG WorkingSetList[1]; -} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST; - -typedef struct _WORKING_SET_LIST{ - ULONG_PTR Protection : 5; - ULONG_PTR ShareCount : 3; - ULONG_PTR Shared : 1; - ULONG_PTR Reserved : 3; - ULONG_PTR VirtualPage : 20; -} WORKING_SET_LIST, *PWORKING_SET_LIST; - -typedef struct _MEMORY_SECTION_NAME -{ - UNICODE_STRING SectionFileName; -} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME; - -NTSYSAPI -NTSTATUS -NTAPI -NtReadVirtualMemory( - __in HANDLE ProcessHandle, - __in PVOID BaseAddress, - __out PVOID Buffer, - __in ULONG BufferLength, - __out PULONG ReturnLength OPTIONAL -); - -NTSYSAPI -NTSTATUS -NTAPI -NtWriteVirtualMemory( - __in HANDLE ProcessHandle, - __in PVOID BaseAddress, - __in PVOID Buffer, - __in ULONG BufferLength, - __out PULONG ReturnLength OPTIONAL -); - -NTSYSAPI -NTSTATUS -NTAPI -NtProtectVirtualMemory( - __in HANDLE ProcessHandle, - __inout PVOID *BaseAddress, - __inout PULONG ProtectSize, - __in ULONG NewProtect, - __out PULONG OldProtect -); - -NTSYSAPI -NTSTATUS -NTAPI -NtFlushVirtualMemory( - __in HANDLE ProcessHandle, - __inout PVOID *BaseAddress, - __inout PULONG FlushSize, - __out PIO_STATUS_BLOCK IoStatusBlock -); - -// Ldr Functions -NTSYSAPI -NTSTATUS -NTAPI -LdrDisableThreadCalloutsForDll( - __in HANDLE hModule -); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllHandle( - __in PWORD pwPath OPTIONAL, - __in PVOID Unused OPTIONAL, - __in PUNICODE_STRING ModuleFileName, - __out PHANDLE pHModule -); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetProcedureAddress( - __in HMODULE ModuleHandle, - __in PANSI_STRING FunctionName OPTIONAL, - __in WORD Oridinal OPTIONAL, - __out PVOID *FunctionAddress -); - -NTSYSAPI -NTSTATUS -NTAPI -LdrLoadDll( - __in PWCHAR PathToFile OPTIONAL, - __in ULONG Flags OPTIONAL, - __in PUNICODE_STRING ModuleFileName, - __out PHANDLE ModuleHandle - ); - -// Modified from ntdef.h -#ifdef __cplusplus -extern "C++" { - char _RTL_CONSTANT_STRING_type_check(const char *s); - char 
_RTL_CONSTANT_STRING_type_check(const WCHAR *s); - // __typeof would be desirable here instead of sizeof. - template class _RTL_CONSTANT_STRING_remove_const_template_class; - template <> class _RTL_CONSTANT_STRING_remove_const_template_class {public: typedef char T; }; - template <> class _RTL_CONSTANT_STRING_remove_const_template_class {public: typedef WCHAR T; }; - #define _RTL_CONSTANT_STRING_remove_const_macro(s) \ - (const_cast<_RTL_CONSTANT_STRING_remove_const_template_class::T*>(s)) -} // extern "C++" -#else - char _RTL_CONSTANT_STRING_type_check(const void *s); - #define _RTL_CONSTANT_STRING_remove_const_macro(s) (s) -#endif // __cplusplus -#define RTL_CONSTANT_STRING(s) \ - { \ - sizeof( s ) - sizeof( (s)[0] ), \ - sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \ - _RTL_CONSTANT_STRING_remove_const_macro(s) \ - } - -// Rtl String Functions -NTSYSAPI -VOID -NTAPI -RtlInitUnicodeString ( - __out PUNICODE_STRING DestinationString, - __in PCWSTR SourceString -); - -NTSYSAPI -VOID -NTAPI -RtlCreateUnicodeString( - __out PUNICODE_STRING AllocatedString, - __in PCWSTR SourceString -); - -NTSYSAPI -VOID -NTAPI -RtlFreeUnicodeString( - __in PUNICODE_STRING UnicodeString -); - -NTSYSAPI -ULONG -NTAPI -RtlAnsiStringToUnicodeSize( - __in PANSI_STRING AnsiString -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlAnsiStringToUnicodeString( - __out PUNICODE_STRING DestinationString, - __in PANSI_STRING SourceString, - __in BOOLEAN AllocateDestinationString -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlAppendUnicodeStringToString( - __out PUNICODE_STRING Destination, - __in PUNICODE_STRING Source -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlAppendUnicodeToString( - __out PUNICODE_STRING Destination, - __in PWSTR Source -); - -NTSYSAPI -LONG -NTAPI -RtlCompareUnicodeString( - __in PUNICODE_STRING String1, - __in PUNICODE_STRING String2, - __in BOOLEAN CaseInSensitive -); - -NTSYSAPI -VOID -NTAPI -RtlCopyUnicodeString( - __out PUNICODE_STRING DestinationString, - __in PUNICODE_STRING 
SourceString -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlDowncaseUnicodeString( - __out PUNICODE_STRING DestinationString, - __in PUNICODE_STRING SourceString, - __in BOOLEAN AllocateDestinationString -); - -NTSYSAPI -BOOLEAN -NTAPI -RtlEqualUnicodeString( - __in PUNICODE_STRING String1, - __in PUNICODE_STRING String2, - __in BOOLEAN CaseInSensitive -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlIntegerToUnicodeString( - __in ULONG Value, - __in ULONG Base, - __out PUNICODE_STRING String -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlUnicodeStringToInteger( - __in PUNICODE_STRING String, - __in ULONG Base, - __out PULONG Value -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlOemStringToUnicodeString( - __out PUNICODE_STRING DestinationString, - __in POEM_STRING SourceString, - __in BOOLEAN AllocateDestinationString -); - -NTSYSAPI -BOOLEAN -NTAPI -RtlPrefixUnicodeString( - __in PUNICODE_STRING String1, - __in PUNICODE_STRING String2, - __in BOOLEAN CaseInSensitive -); - -NTSYSAPI -WCHAR -NTAPI -RtlUpcaseUnicodeChar( - __in WCHAR SourceCharacter -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlUpcaseUnicodeString( - __out PUNICODE_STRING DestinationString, - __in PUNICODE_STRING SourceString, - __in BOOLEAN AllocateDestinationString -); - -NTSYSAPI -ULONG -NTAPI -RtlxAnsiStringToUnicodeSize( - __in PANSI_STRING AnsiString -); - -NTSYSAPI -ULONG -NTAPI -RtlxOemStringToUnicodeSize( - __in POEM_STRING OemString -); - -// Rtl Misc Operations -NTSYSAPI -NTSTATUS -NTAPI -NtReplyPort( - __in HANDLE hPort, - __out PVOID pReply -); - -NTSYSAPI -NTSTATUS -NTAPI -NtClose( - __in HANDLE hObject -); - -NTSYSAPI -ULONG -NTAPI -RtlNtStatusToDosError( - NTSTATUS status -); - -NTSYSAPI -UINT -NTAPI -RtlGetLongestNtPathLength(); - -NTSYSAPI -UINT -NTAPI -RtlDetermineDosPathNameType_U( - __in PWSTR Path -); - -NTSYSAPI -UINT -NTAPI -RtlIsDosDeviceName_U( - __in PWSTR Path -); - -NTSYSAPI -BOOLEAN -NTAPI -RtlDosPathNameToNtPathName_U( - __in PCWSTR DosName, - __out PUNICODE_STRING NtName, - __out PCWSTR *DosFilePath OPTIONAL, - __out 
PUNICODE_STRING NtFilePath OPTIONAL -); - -// Rtl Large Integer Operations - -#define RtlLargeIntegerLessThanZero($a) (($a).HighPart < 0) -#define Li2Double(x) ((double)((x).HighPart) * 4.294967296E9 + (double)((x).LowPart)) - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlEnlargedIntegerMultiply( - __in LONG lMultiplicand, - __in LONG lMultiplier -); - -NTSYSAPI -ULONG -NTAPI -RtlEnlargedUnsignedDivide( - __in LARGE_INTEGER liDividend, - __in ULONG uDivisor, - __out PULONG puRemainder OPTIONAL -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlEnlargedUnsignedMultiply( - __in ULONG uMultiplicand, - __in ULONG uMultiplier -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlExtendedIntegerMultiply( - __in LARGE_INTEGER liMultiplicand, - __in LONG lMultiplier -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlExtendedLargeIntegerDivide( - __in LARGE_INTEGER liDividend, - __in ULONG uDivisor, - __out PULONG puRemainder OPTIONAL -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlLargeIntegerAdd( - __in LARGE_INTEGER liAddend1, - __in LARGE_INTEGER liAddend2 -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlLargeIntegerDivide( - __in LARGE_INTEGER liDividend, - __in LARGE_INTEGER liDivisor, - __out PLARGE_INTEGER pliRemainder OPTIONAL -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlLargeIntegerNegate( - __in LARGE_INTEGER liSubtrahend -); - -NTSYSAPI -LARGE_INTEGER -NTAPI -RtlLargeIntegerSubtract( - __in LARGE_INTEGER liMinuend, - __in LARGE_INTEGER liSubtrahend -); - -// Debug Functions -typedef struct _DEBUG_BUFFER -{ - HANDLE SectionHandle; - PVOID SectionBase; - PVOID RemoteSectionBase; - ULONG SectionBaseDelta; - HANDLE EventPairHandle; - ULONG Unknown[2]; - HANDLE RemoteThreadHandle; - ULONG InfoClassMask; - ULONG SizeOfInfo; - ULONG AllocatedSize; - ULONG SectionSize; - PVOID ModuleInformation; - PVOID BackTraceInformation; - PVOID HeapInformation; - PVOID LockInformation; - PVOID Reserved[8]; -} DEBUG_BUFFER, *PDEBUG_BUFFER; - -#define PDI_MODULES 0x01 -#define PDI_BACKTRACE 0x02 -#define PDI_HEAPS 0x04 -#define 
PDI_HEAP_TAGS 0x08 -#define PDI_HEAP_BLOCKS 0x10 -#define PDI_LOCKS 0x20 - -typedef struct _DEBUG_MODULE_INFORMATION // c.f. SYSTEM_MODULE_INFORMATION -{ - ULONG Reserved[2]; - ULONG Base; - ULONG Size; - ULONG Flags; - USHORT Index; - USHORT Unknown; - USHORT LoadCount; - USHORT ModuleNameOffset; - CHAR ImageName[256]; -} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION; - -typedef struct _DEBUG_HEAP_INFORMATION -{ - ULONG Base; - ULONG Flags; - USHORT Granularity; - USHORT Unknown; - ULONG Allocated; - ULONG Committed; - ULONG TagCount; - ULONG BlockCount; - ULONG Reserved[7]; - PVOID Tags; - PVOID Blocks; -} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION; - -typedef struct _DEBUG_LOCK_INFORMATION // c.f. SYSTEM_LOCK_INFORMATION -{ - PVOID Address; - USHORT Type; - USHORT CreatorBackTraceIndex; - ULONG OwnerThreadId; - ULONG ActiveCount; - ULONG ContentionCount; - ULONG EntryCount; - ULONG RecursionCount; - ULONG NumberOfSharedWaiters; - ULONG NumberOfExclusiveWaiters; -} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION; - - -NTSYSAPI -PDEBUG_BUFFER -NTAPI -RtlCreateQueryDebugBuffer( - __in ULONG Size, - __in BOOLEAN EventPair -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlQueryProcessDebugInformation( - __in ULONG ProcessId, - __in ULONG DebugInfoClassMask, - __inout PDEBUG_BUFFER DebugBuffer -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlDestroyQueryDebugBuffer( - __in PDEBUG_BUFFER DebugBuffer -); - -NTSYSAPI -NTSTATUS -NTAPI -NtLoadDriver( - // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" - __in PUNICODE_STRING RegistryPath -); - -NTSYSAPI -NTSTATUS -NTAPI -NtFlushInstructionCache( - __in HANDLE ProcessHandle, - __in PVOID BaseAddress, - __in ULONG NumberOfBytesToFlush -); - -NTSYSAPI -NTSTATUS -NTAPI -NtProtectVirtualMemory( - __in HANDLE ProcessHandle, - __inout PVOID *BaseAddress, - __inout PULONG NumberOfBytesToProtect, - __in ULONG NewAccessProtection, - __out PULONG OldAccessProtection -); - -NTSYSAPI -NTSTATUS -NTAPI -NtFreeVirtualMemory( - __in 
HANDLE ProcessHandle, - __in PVOID *BaseAddress, - __inout PULONG RegionSize, - __in ULONG FreeType -); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnloadDriver( - // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" - __in PUNICODE_STRING RegistryPath -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlAdjustPrivilege( - __in ULONG Privilege, - __in BOOLEAN NewValue, - __in BOOLEAN ForThread, - __out PBOOLEAN OldValue -); - -/*typedef struct _RTL_OSVERSIONINFOW -{ - ULONG dwOSVersionInfoSize; - ULONG dwMajorVersion; - ULONG dwMinorVersion; - ULONG dwBuildNumber; - ULONG dwPlatformId; - WCHAR szCSDVersion[128]; // Maintenance string for PSS usage -} RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;*/ - -NTSYSAPI -NTSTATUS -NTAPI -RtlGetVersion( - __inout PRTL_OSVERSIONINFOW lpVersionInformation -); -NTSYSAPI -void -NTAPI -RtlFreeAnsiString(PANSI_STRING AnsiString); - -NTSYSAPI -NTSTATUS -NTAPI -RtlRunDecodeUnicodeString(BYTE bHash,PUNICODE_STRING uString); - -// - Extra - - -typedef struct _TDI_CONNECTION_INFORMATION { - LONG UserDataLength; - PVOID UserData; - LONG OptionsLength; - PVOID Options; - LONG RemoteAddressLength; - PVOID RemoteAddress; -} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION; - -typedef struct _TDI_CONNECTION_INFO { - ULONG State; - ULONG Event; - ULONG TransmittedTsdus; - ULONG ReceivedTsdus; - ULONG TransmissionErrors; - ULONG ReceiveErrors; - LARGE_INTEGER Throughput; - LARGE_INTEGER Delay; - ULONG SendBufferSize; - ULONG ReceiveBufferSize; - BOOLEAN Unreliable; -} TDI_CONNECTION_INFO, *PTDI_CONNECTION_INFO; - -typedef enum _KEY_INFORMATION_CLASS { - KeyBasicInformation, - KeyNodeInformation, - KeyFullInformation -} KEY_INFORMATION_CLASS; - -typedef struct _KEY_BASIC_INFORMATION { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG NameLength; - WCHAR Name[1]; -} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; - -typedef struct _KEY_NODE_INFORMATION -{ - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG ClassOffset; - ULONG ClassLength; - 
ULONG NameLength; - WCHAR Name[1]; - /* Class[1]; */ -} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; - -typedef struct _KEY_FULL_INFORMATION -{ - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG ClassOffset; - ULONG ClassLength; - ULONG SubKeys; - ULONG MaxNameLen; - ULONG MaxClassLen; - ULONG Values; - ULONG MaxValueNameLen; - ULONG MaxValueDataLen; - WCHAR Class[1]; -} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; - -typedef enum _KEY_VALUE_INFORMATION_CLASS { - KeyValueBasicInformation, - KeyValueFullInformation, - KeyValuePartialInformation, - KeyValueFullInformationAlign64, - KeyValuePartialInformationAlign64 -} KEY_VALUE_INFORMATION_CLASS; - -typedef struct _KEY_VALUE_BASIC_INFORMATION { - ULONG TitleIndex; - ULONG Type; - ULONG NameLength; - WCHAR Name[1]; -} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; - -typedef struct _KEY_VALUE_FULL_INFORMATION { - ULONG TitleIndex; - ULONG Type; - ULONG DataOffset; - ULONG DataLength; - ULONG NameLength; - WCHAR Name[1]; -} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; - -typedef struct _KEY_VALUE_PARTIAL_INFORMATION { - ULONG TitleIndex; - ULONG Type; - ULONG DataLength; - UCHAR Data[1]; -} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; - - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenKey( - __out PHANDLE KeyHandle, - __in ACCESS_MASK DesiredAccess, - __in POBJECT_ATTRIBUTES ObjectAttributes -); - -NTSYSAPI -void -NTAPI -RtlInitAnsiString( - __out ANSI_STRING* DestinationString, - __in CHAR* SourceString -); - -NTSYSAPI -NTSTATUS -NTAPI -NtWriteFile( - __in HANDLE FileHandle, - __in HANDLE Event OPTIONAL, - __in PIO_APC_ROUTINE ApcRoutine OPTIONAL, - __in PVOID ApcContext OPTIONAL, - __out PIO_STATUS_BLOCK IoStatusBlock, - __in PVOID Buffer, - __in ULONG Length, - __in PLARGE_INTEGER ByteOffset OPTIONAL, - __in PULONG Key OPTIONAL -); - -NTSYSAPI -NTSTATUS -NTAPI -NtReadFile( - __in HANDLE FileHandle, - __in HANDLE Event OPTIONAL, - __in PIO_APC_ROUTINE ApcRoutine OPTIONAL, - 
__in PVOID ApcContext OPTIONAL, - __out PIO_STATUS_BLOCK IoStatusBlock, - __out PVOID Buffer, - __in ULONG Length, - __in PLARGE_INTEGER ByteOffset OPTIONAL, - __in PULONG Key OPTIONAL -); - -NTSYSAPI -NTSTATUS -NTAPI -DbgPrint( - __in LPCSTR Format, - ... -); - -NTSYSAPI -NTSTATUS -NTAPI -NtGetContextThread( - __in HANDLE ThreadHandle, - __out PCONTEXT pContext -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetContextThread( - __in HANDLE ThreadHandle, - __in PCONTEXT Context -); - -NTSYSAPI -NTSTATUS -NTAPI -NtAlertThread( - __in HANDLE ThreadHandle -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlInitializeCriticalSection( - __in PCRITICAL_SECTION CriticalSection -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlEnterCriticalSection( - __in PCRITICAL_SECTION CriticalSection -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlLeaveCriticalSection( - __in PCRITICAL_SECTION CriticalSection -); - -NTSYSAPI -NTSTATUS -NTAPI -NtDelayExecution( - __in BOOLEAN Alertable, - __in PLARGE_INTEGER DelayInterval -); - -NTSYSAPI -NTSTATUS -NTAPI -NtYieldExecution(); - -NTSYSAPI -ULONG -NTAPI -NtGetTickCount(void); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryPerformanceCounter( - __out PLARGE_INTEGER PerformanceCounter, - __out PLARGE_INTEGER PerformanceFrequency OPTIONAL -); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryDirectoryFile( - __in HANDLE FileHandle, - __in HANDLE Event OPTIONAL, - __in PIO_APC_ROUTINE ApcRoutine OPTIONAL, - __in PVOID ApcContext OPTIONAL, - __out PIO_STATUS_BLOCK IoStatusBlock, - __out PVOID FileInformation, - __in ULONG Length, - __in FILE_INFORMATION_CLASS FileInformationClass, - __in BOOLEAN ReturnSingleEntry, - __in PUNICODE_STRING FileMask OPTIONAL, - __in BOOLEAN RestartScan -); - -NTSYSAPI -NTSTATUS -NTAPI -NtVdmControl( - __in ULONG ControlCode, - __in PVOID ControlData -); - -#define KEY_QUERY_VALUE (0x0001) - -NTSYSAPI -NTSTATUS -NTAPI -NtEnumerateKey( - __in HANDLE KeyHandle, - __in ULONG Index, - __in KEY_INFORMATION_CLASS KeyInformationClass, - __out PVOID KeyInformation, - __in ULONG 
KeyInformationLength, - __out PULONG ResultLength -); - -NTSYSAPI -NTSTATUS -NTAPI -NtEnumerateValueKey( - __in HANDLE KeyHandle, - __in ULONG Index, - __in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - __out PVOID KeyValueInformation, - __in ULONG KeyValueInformationLength, - __out PULONG ResultLength -); - -BOOL -WINAPI -EnumServiceGroupW( - SC_HANDLE hSCManager, - DWORD dwServiceType, - DWORD dwServiceState, - LPBYTE lpServices, - DWORD cbBufSize, - LPDWORD pcbBytesNeeded, - LPDWORD lpServicesReturned, - LPDWORD lpResumeHandle, - DWORD dwUnknown -); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryKey( - __in HANDLE KeyHandle, - __in KEY_INFORMATION_CLASS KeyInformationClass, - __out PVOID KeyInformation, - __in ULONG Length, - __out PULONG ResultLength ); - -typedef enum _SECTION_INHERIT { - ViewShare = 1, - ViewUnmap = 2 -} SECTION_INHERIT; - -NTSYSAPI -NTSTATUS -NTAPI -NtMapViewOfSection( - __in HANDLE SectionHandle, - __in HANDLE ProcessHandle, - __inout PVOID *BaseAddress, - __in ULONG ZeroBits OPTIONAL, - __in ULONG CommitSize, - __inout PLARGE_INTEGER SectionOffset, - __inout PULONG ViewSize, - __in SECTION_INHERIT InheritDisposition, - __in ULONG AllocationType, - __in ULONG Protect -); - -typedef struct _LDR_RESOURCE_INFO -{ - ULONG Type; - ULONG Name; - ULONG Language; -} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; - -NTSYSAPI -NTSTATUS -NTAPI -LdrFindResourceDirectory_U( - HMODULE hModule, - LDR_RESOURCE_INFO* pResInfo, - ULONG ulNrOfItems, - IMAGE_RESOURCE_DIRECTORY** pResDir -); - -NTSYSAPI -NTSTATUS -NTAPI -LdrFindResource_U( - HMODULE hModule, - LDR_RESOURCE_INFO* pResInfo, - ULONG ulNrOfItems, - IMAGE_RESOURCE_DATA_ENTRY** pResDataDir -); - -NTSYSAPI -NTSTATUS -NTAPI -LdrAccessResource( - HMODULE hModule, - IMAGE_RESOURCE_DATA_ENTRY* pResDataEntry, - void ** pData, - PULONG pulOptional - ); - -NTSYSAPI -NTSTATUS -NTAPI -NtSaveKey( - HANDLE KeyHandle, - HANDLE FileHandle -); - -NTSYSAPI -NTSTATUS -NTAPI -NtSaveMergedKeys( - __in HANDLE KeyHandle1, - 
__in HANDLE KeyHandle2, - __in HANDLE FileHandle -); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenProcessToken ( - __in HANDLE ProcessHandle, - __in DWORD DesiredAccess, - __deref_out PHANDLE TokenHandle -); - -NTSYSAPI -NTSTATUS -NTAPI -NtAdjustPrivilegesToken( - __in HANDLE TokenHandle, - __in BOOL DisableAllPrivileges, - __in_opt PTOKEN_PRIVILEGES NewState, - __in DWORD BufferLength, - __out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, - __out_opt PDWORD ReturnLength -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlCreateSecurityDescriptor ( - __out PSECURITY_DESCRIPTOR pSecurityDescriptor, - __in DWORD dwRevision -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlSetDaclSecurityDescriptor ( - __inout PSECURITY_DESCRIPTOR pSecurityDescriptor, - __in BOOL bDaclPresent, - __in_opt PACL pDacl, - __in BOOL bDaclDefaulted -); - -NTSYSAPI -HANDLE -NTAPI -RtlCreateHeap ( - __in DWORD flag, - __in DWORD v1, - __in DWORD v2, - __in DWORD v3, - __in DWORD v4, - __in DWORD v5 -); - -NTSYSAPI -NTSTATUS -NTAPI RtlSetHeapInformation( - __in HANDLE HeapHandle, - __in HEAP_INFORMATION_CLASS HeapInformationClass, - __in PVOID HeapInformation, - __in SIZE_T HeapInformationLength -); - -NTSYSAPI -LPVOID -NTAPI -RtlAllocateHeap( - __in HANDLE hHeap, - __in DWORD dwFlags, - __in SIZE_T dwBytes -); - -NTSYSAPI -BOOL -NTAPI -RtlFreeHeap( - __in HANDLE hHeap, - __in DWORD dwFlags, - __in LPVOID lpMem -); - -NTSYSAPI -NTSTATUS -NTAPI -RtlDestroyHeap ( - __in HANDLE hHeap -); - -#ifdef __cplusplus -} // extern "C" -#endif // __cplusplus - -#endif // NTDLL_H diff --git a/vnrhook/util/util.cc b/vnrhook/util/util.cc index 529c568..86d2cb6 100644 --- a/vnrhook/util/util.cc +++ b/vnrhook/util/util.cc 
@@ -297,7 +297,7 @@ DWORD Util::SearchMemory(const BYTE* bytes, unsigned short length, DWORD protect } else {
-			if (info.Protect > protect && !(info.Protect & PAGE_GUARD)) validMemory.push_back({ (DWORD)info.BaseAddress, info.RegionSize });
+			if (info.Protect >= protect && !(info.Protect & PAGE_GUARD)) validMemory.push_back({ (DWORD)info.BaseAddress, info.RegionSize });
 			probe += info.RegionSize;
 		}
 	}
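Review bot: The new `info.Protect >= protect` still treats the PAGE_* protection word as an ordered number, which it is not: the modifier bits PAGE_NOCACHE (0x200) and PAGE_WRITECOMBINE (0x400) make any region compare "greater" than every base value, so a region whose base protection is below the caller's threshold is accepted whenever such a modifier is set, and the same reasoning applies to PAGE_WRITECOPY/PAGE_EXECUTE_WRITECOPY ordering. Only PAGE_GUARD is masked out, so the fix from `>` to `>=` corrects the boundary case but not the comparison itself; I would compare the base value only, `const DWORD base = info.Protect & 0xFF;` and `if (base >= protect && !(info.Protect & PAGE_GUARD)) validMemory.push_back(...)`, and document on SearchMemory that `protect` is a numeric threshold over the base PAGE_* ordinal (PAGE_NOACCESS < PAGE_READONLY < PAGE_READWRITE < ...), not a permission mask. Whether `info.State` is checked for MEM_COMMIT before this branch cannot be seen from the hunk, which is the last part of a function whose body begins outside it; if it is not, reserved-but-uncommitted regions with a recorded protection would also be pushed and later faulted on.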