//#pragma once
#ifndef NTDLL_H
#define NTDLL_H
// ntdll.h 10/14/2011
/* Artikash 7/13/2018: WHERE THE FUCK DID THIS FILE COME FROM? Redefines a bunch of stuff in the standard windows headers (especially winnt.h) but has additional information that isn't documented anywhere else I can find. It's like someone stole this file from Microsoft's internal database of windows source code?? */
/*
 * Reviewer notes (declarations untouched; only comments and line layout):
 *  - This header redeclares NT-internal types (PEB, TEB, KTHREAD, the
 *    SYSTEM_*_INFORMATION family, ...) that Microsoft does not document as
 *    stable.  The byte offsets written next to the PEB / PEB_LDR_DATA members
 *    advance 4 bytes per pointer, so the layouts below are the 32-bit x86
 *    layouts of their era; they must be re-verified against the kernel build
 *    actually being targeted before any field is trusted.
 *  - Several structures end in a one-element array ("[1]") or a flexible
 *    array member ("[]") that the kernel fills past the declared size.  Any
 *    consumer must bound its walk by the returned length/count fields
 *    (Length, NumberOfHandles, uCount, dNext, ...) and by the size of the
 *    buffer it passed, never by sizeof the struct.
 */
#include <windows.h>
#ifdef _MSC_VER
// NOTE: these pragmas sit in a header, so they silence the listed warnings in
// every translation unit that includes it, not only in this file.
# pragma warning(disable:4005) // C4005: macro redefinition
# pragma warning(disable:4200) // C4200: nonstandard extension used : zero-sized array in struct/union
# pragma warning(disable:4010) // C4010: single-line comment contains line-continuation character
# pragma warning(disable:4996) // C4996: unsafe function or variable used such as swprintf, wcscpy; alternatively use __CRT_SECURE_NO_WARNINGS
#endif // _MSC_VER
#define NT_INCLUDED
#define _NTDEF_
#define _CTYPE_DISABLE_MACROS
// Remove official macros from WSDK
// (they are re-supplied by <ntstatus.h> below; undefining first avoids C4005)
#undef STATUS_WAIT_0
#undef STATUS_ABANDONED_WAIT_0
#undef STATUS_USER_APC
#undef STATUS_TIMEOUT
#undef STATUS_PENDING
#undef DBG_CONTINUE
#undef STATUS_SEGMENT_NOTIFICATION
#undef DBG_TERMINATE_THREAD
#undef DBG_TERMINATE_PROCESS
#undef DBG_CONTROL_C
#undef DBG_CONTROL_BREAK
#undef STATUS_GUARD_PAGE_VIOLATION
#undef STATUS_DATATYPE_MISALIGNMENT
#undef STATUS_BREAKPOINT
#undef STATUS_SINGLE_STEP
#undef DBG_EXCEPTION_NOT_HANDLED
#undef STATUS_ACCESS_VIOLATION
#undef STATUS_IN_PAGE_ERROR
#undef STATUS_INVALID_HANDLE
#undef STATUS_NO_MEMORY
#undef STATUS_ILLEGAL_INSTRUCTION
#undef STATUS_NONCONTINUABLE_EXCEPTION
#undef STATUS_INVALID_DISPOSITION
#undef STATUS_ARRAY_BOUNDS_EXCEEDED
#undef STATUS_FLOAT_DENORMAL_OPERAND
#undef STATUS_FLOAT_DIVIDE_BY_ZERO
#undef STATUS_FLOAT_INEXACT_RESULT
#undef STATUS_FLOAT_INVALID_OPERATION
#undef STATUS_FLOAT_OVERFLOW
#undef STATUS_FLOAT_STACK_CHECK
#undef STATUS_FLOAT_UNDERFLOW
#undef STATUS_INTEGER_DIVIDE_BY_ZERO
#undef STATUS_INTEGER_OVERFLOW
#undef STATUS_PRIVILEGED_INSTRUCTION
#undef STATUS_STACK_OVERFLOW
#undef STATUS_CONTROL_C_EXIT
#undef STATUS_FLOAT_MULTIPLE_FAULTS
#undef STATUS_FLOAT_MULTIPLE_TRAPS
#undef STATUS_ILLEGAL_VLM_REFERENCE
#undef STATUS_REG_NAT_CONSUMPTION
#undef DBG_EXCEPTION_HANDLED
#include <ntstatus.h>
#if (_MSC_VER >= 800) || defined(_STDCALL_SUPPORTED)
# define NTAPI __stdcall
#else
// Non-stdcall toolchains: both the calling-convention keyword and NTAPI
// expand to nothing.
# define _cdecl
# define NTAPI
#endif // STDCALL
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
// - Macros -
#define MAXIMUM_FILENAME_LENGTH 256
#define PORT_MAXIMUM_MESSAGE_LENGTH 256
#define INITIAL_PRIVILEGE_COUNT 3
#define FSCTL_GET_VOLUME_INFORMATION 0x90064
// Constants for RtlDetermineDosPathNameType_U
#define DOS_PATHTYPE_UNC 0x00000001 // \\COMPUTER1
// NOTE(review): the original comment on the next line ended in a bare
// backslash, which the preprocessor treats as a line continuation and which
// therefore swallowed the DOS_PATHTYPE_STREAM definition (the C4010 pragma
// above hides exactly that warning).  Text after the backslash prevents it.
#define DOS_PATHTYPE_ROOTDRIVE 0x00000002 // C:\ (drive root)
#define DOS_PATHTYPE_STREAM 0x00000003 // X:X or C:
#define DOS_PATHTYPE_NT 0x00000004 // \\??\\C:
#define DOS_PATHTYPE_NAME 0x00000005 // C
#define DOS_PATHTYPE_DEVICE 0x00000006 // \\.\C:
#define DOS_PATHTYPE_LOCALUNCROOT 0x00000007 // \\.
// Define the various device characteristics flags
#define FILE_REMOVABLE_MEDIA 0x00000001
#define FILE_READ_ONLY_DEVICE 0x00000002
#define FILE_FLOPPY_DISKETTE 0x00000004
#define FILE_WRITE_ONCE_MEDIA 0x00000008
#define FILE_REMOTE_DEVICE 0x00000010
#define FILE_DEVICE_IS_MOUNTED 0x00000020
#define FILE_VIRTUAL_VOLUME 0x00000040
#define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080
#define FILE_DEVICE_SECURE_OPEN 0x00000100
// Create dispositions (NtCreateFile CreateDisposition)
#define FILE_SUPERSEDE 0x00000000
#define FILE_OPEN 0x00000001
#define FILE_CREATE 0x00000002
#define FILE_OPEN_IF 0x00000003
#define FILE_OVERWRITE 0x00000004
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_MAXIMUM_DISPOSITION 0x00000005
// Create/open options (NtCreateFile CreateOptions)
#define FILE_DIRECTORY_FILE 0x00000001
#define FILE_WRITE_THROUGH 0x00000002
#define FILE_SEQUENTIAL_ONLY 0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define FILE_CREATE_TREE_CONNECTION 0x00000080
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
#define FILE_NO_EA_KNOWLEDGE 0x00000200
#define FILE_OPEN_FOR_RECOVERY 0x00000400
#define FILE_RANDOM_ACCESS 0x00000800
#define FILE_DELETE_ON_CLOSE 0x00001000
#define FILE_OPEN_BY_FILE_ID 0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000
#define FILE_RESERVE_OPFILTER 0x00100000
#define FILE_OPEN_REPARSE_POINT 0x00200000
#define FILE_OPEN_NO_RECALL 0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
#define FILE_COPY_STRUCTURED_STORAGE 0x00000041
#define FILE_STRUCTURED_STORAGE 0x00000441
#define FILE_VALID_OPTION_FLAGS 0x00ffffff
#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
#define FILE_VALID_SET_FLAGS 0x00000036
// Thread states (the THREAD_STATE enum further down mirrors these values)
#define THREAD_STATE_INITIALIZED 0
#define THREAD_STATE_READY 1
#define THREAD_STATE_RUNNING 2
#define THREAD_STATE_STANDBY 3
#define THREAD_STATE_TERMINATED 4
#define THREAD_STATE_WAIT 5
#define THREAD_STATE_TRANSITION 6
#define THREAD_STATE_UNKNOWN 7
// Object types (object-type index as reported in SYSTEM_HANDLE.ObjectType;
// the numbering is build-specific, so treat it as a hint, not a contract)
#define OB_TYPE_TYPE 1
#define OB_TYPE_DIRECTORY 2
#define OB_TYPE_SYMBOLIC_LINK 3
#define OB_TYPE_TOKEN 4
#define OB_TYPE_PROCESS 5
#define OB_TYPE_THREAD 6
#define OB_TYPE_EVENT 7
#define OB_TYPE_EVENT_PAIR 8
#define OB_TYPE_MUTANT 9
#define OB_TYPE_SEMAPHORE 10
#define OB_TYPE_TIMER 11
#define OB_TYPE_PROFILE 12
#define OB_TYPE_WINDOW_STATION 13
#define OB_TYPE_DESKTOP 14
#define OB_TYPE_SECTION 15
#define OB_TYPE_KEY 16
#define OB_TYPE_PORT 17
#define OB_TYPE_ADAPTER 18
#define OB_TYPE_CONTROLLER 19
#define OB_TYPE_DEVICE 20
#define OB_TYPE_DRIVER 21
#define OB_TYPE_IO_COMPLETION 22
#define OB_TYPE_FILE 23
// OBJECT_ATTRIBUTES.uAttributes flags
#define OBJ_INHERIT 0x00000002
#define OBJ_PERMANENT 0x00000010
#define OBJ_EXCLUSIVE 0x00000020
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_OPENIF 0x00000080
#define OBJ_OPENLINK 0x00000100
#define OBJ_VALID_ATTRIBUTES 0x000001F2
// Object Manager Directory Specific Access Rights.
#define DIRECTORY_QUERY 0x0001
#define DIRECTORY_TRAVERSE 0x0002
#define DIRECTORY_CREATE_OBJECT 0x0004
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
// Object Manager Symbolic Link Specific Access Rights.
#define SYMBOLIC_LINK_QUERY 0x0001
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
// NTSTATUS keeps its severity in the top two bits (0 success, 1 informational,
// 2 warning, 3 error).  NT_SUCCESS therefore accepts success *and*
// informational codes; NT_ERROR is true only for severity 3.
#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)
#define DEVICE_TYPE DWORD
// Values for RtlAdjustPrivilege
// (well-known privilege LUID values; the constants are plain longs here)
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L) // obsolete and unused
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_REMOTE_SHUTDOWN_PRIVILEGE)
#define VdmDirectoryFile 6
// Fills this header's OBJECT_ATTRIBUTES (uLength/hRootDirectory/... member
// names, not the SDK's).  NOTE(review): the arguments n, a, r, s are used
// unparenthesized and the body is a bare brace block rather than
// do { } while (0), so pass simple expressions only and do not rely on the
// macro behaving as a single statement (e.g. in an unbraced if/else).
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->uLength = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->hRootDirectory = r; \
    (p)->uAttributes = a; \
    (p)->pObjectName = n; \
    (p)->pSecurityDescriptor = s; \
    (p)->pSecurityQualityOfService = NULL; \
}
// - Basic Types -
typedef LONG NTSTATUS;
//lint -e624 // Don't complain about different typedefs.
// typedef NTSTATUS *PNTSTATUS;
//lint +e624 // Resume checking for different typedefs.
// Old-style declarator: "()" leaves the parameter list unspecified, so calls
// made through an NTSYSCALL are not argument-checked by the compiler.
typedef NTSTATUS (NTAPI *NTSYSCALL)();
typedef NTSYSCALL *PNTSYSCALL;
typedef ULONG KAFFINITY;
typedef KAFFINITY *PKAFFINITY;
typedef LONG KPRIORITY;
typedef BYTE KPROCESSOR_MODE;
// - Structures -
typedef VOID *POBJECT;
typedef VOID (*PKNORMAL_ROUTINE) (
    __in PVOID NormalContext,
    __in PVOID SystemArgument1,
    __in PVOID SystemArgument2
    );
// Counted ANSI/OEM string.  Length and MaximumLength are byte counts and
// Buffer is not required to be NUL-terminated: bound every read by Length.
typedef struct _STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [ size_is(MaximumLength), length_is(Length) ]
#endif // MIDL_PASS
    PCHAR Buffer;
} STRING, *PSTRING;
typedef STRING ANSI_STRING;
typedef PSTRING PANSI_STRING;
typedef STRING OEM_STRING;
typedef PSTRING POEM_STRING;
// Counted UTF-16 string.  As with STRING, Length/MaximumLength are bytes (not
// characters) and Buffer need not be NUL-terminated.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// - APIs -
// Converts SourceString to ANSI.  With AllocateDestinationString == TRUE the
// routine allocates DestinationString->Buffer and the caller owns it (release
// with RtlFreeAnsiString); with FALSE the caller must supply Buffer and
// MaximumLength up front.  Returns an NTSTATUS (check with NT_SUCCESS).
NTSYSAPI
NTSTATUS
NTAPI
RtlUnicodeStringToAnsiString(
    PANSI_STRING DestinationString,
    PUNICODE_STRING SourceString,
    BOOLEAN AllocateDestinationString
    );
// 12 flag bits + 20-bit page frame number = 32 bits: the non-PAE x86 PTE.
typedef struct _HARDWARE_PTE {
    ULONG Valid : 1;
    ULONG Write : 1;
    ULONG Owner : 1;
    ULONG WriteThrough : 1;
    ULONG CacheDisable : 1;
    ULONG Accessed : 1;
    ULONG Dirty : 1;
    ULONG LargePage : 1;
    ULONG Global : 1;
    ULONG CopyOnWrite : 1;
    ULONG Prototype : 1;
    ULONG reserved : 1;
    ULONG PageFrameNumber : 20;
} HARDWARE_PTE, *PHARDWARE_PTE;
// Same layout as the SDK's OBJECT_ATTRIBUTES, but with this header's member
// names (see InitializeObjectAttributes above).
typedef struct _OBJECT_ATTRIBUTES {
    ULONG uLength;
    HANDLE hRootDirectory;
    PUNICODE_STRING pObjectName;
    ULONG uAttributes;
    PVOID pSecurityDescriptor;
    PVOID pSecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// NOTE(review): both ids are DWORD here, whereas the SDK's CLIENT_ID uses
// HANDLE (pointer-sized); this declaration therefore only matches the kernel's
// layout in a 32-bit build -- confirm before using it from 64-bit code.
typedef struct _CLIENT_ID {
    DWORD UniqueProcess;
    DWORD UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef struct _PEB_FREE_BLOCK {
    struct _PEB_FREE_BLOCK *Next;
    ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
typedef struct _CURDIR {
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, *PCURDIR;
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    WORD Flags;
    WORD Length;
    DWORD TimeStamp;
    STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
#define PROCESS_PARAMETERS_NORMALIZED 1 // pointers in are absolute (not self-relative)
// RTL_USER_PROCESS_PARAMETERS under its older name.  When Flags lacks
// PROCESS_PARAMETERS_NORMALIZED the UNICODE_STRING buffers are offsets
// relative to the structure start, not absolute pointers (per the comment
// above).  Two member names carry typos from the original ("ountCharsX" for
// CountCharsX, "CurrentDirectores" for CurrentDirectories); they are kept
// because renaming them would break existing users of this header.
typedef struct _PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags; // PROCESS_PARAMETERS_NORMALIZED
    ULONG DebugFlags;
    HANDLE ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;
    CURDIR CurrentDirectory;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PWSTR Environment;
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG ountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING Desktop;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeInfo;
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;
typedef struct _RTL_BITMAP {
    DWORD SizeOfBitMap;
    PDWORD Buffer;
} RTL_BITMAP, *PRTL_BITMAP, **PPRTL_BITMAP;
// LDR_DATA_TABLE_ENTRY.Flags bits
#define LDR_STATIC_LINK 0x0000002
#define LDR_IMAGE_DLL 0x0000004
#define LDR_LOAD_IN_PROGRESS 0x0001000
#define LDR_UNLOAD_IN_PROGRESS 0x0002000
#define LDR_ENTRY_PROCESSED 0x0004000
#define LDR_ENTRY_INSERTED 0x0008000
#define LDR_CURRENT_LOAD 0x0010000
#define LDR_FAILED_BUILTIN_LOAD 0x0020000
#define LDR_DONT_CALL_FOR_THREADS 0x0040000
#define LDR_PROCESS_ATTACH_CALLED 0x0080000
#define LDR_DEBUG_SYMBOLS_LOADED 0x0100000
#define LDR_IMAGE_NOT_AT_BASE 0x0200000
#define LDR_WX86_IGNORE_MACHINETYPE 0x0400000
// One loaded module, linked into the three PEB_LDR_DATA lists below.  The
// three LIST_ENTRY members are at different offsets, so a walker must
// CONTAINING_RECORD from the list it is actually traversing.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage; // in bytes
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags; // LDR_*
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    ULONG CheckSum;
    ULONG TimeDateStamp;
    //PVOID LoadedImports; // seems they are exist only on XP !!!
    //PVOID EntryPointActivationContext; // the same as above
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// See: http://en.wikipedia.org/wiki/Process_Environment_Block
// Offsets in the comments are the 32-bit layout.
typedef struct _PEB_LDR_DATA {
    ULONG Length; // 0
    BOOLEAN Initialized; // 4
    PVOID SsHandle; // 8?
    LIST_ENTRY InLoadOrderModuleList; // C, ref. to PLDR_DATA_TABLE_ENTRY->InLoadOrderModuleList
    LIST_ENTRY InMemoryOrderModuleList; // 14, ref. to PLDR_DATA_TABLE_ENTRY->InMemoryOrderModuleList
    LIST_ENTRY InInitializationOrderModuleList; // 1C, ref. to PLDR_DATA_TABLE_ENTRY->InInitializationOrderModuleList
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// NOTE(review): NTSYSAPI (an import/export declspec from winnt.h) on a
// function-pointer typedef is unusual; confirm the target compiler accepts it
// as a no-op here.
typedef VOID NTSYSAPI (*PPEBLOCKROUTINE)(PVOID);
typedef struct _SYSTEM_STRINGS {
    UNICODE_STRING SystemRoot; // C:\WINNT
    UNICODE_STRING System32Root; // C:\WINNT\System32
    UNICODE_STRING BaseNamedObjects; // \BaseNamedObjects
} SYSTEM_STRINGS,*PSYSTEM_STRINGS;
typedef struct _TEXT_INFO {
    PVOID Reserved;
    PSYSTEM_STRINGS SystemStrings;
} TEXT_INFO, *PTEXT_INFO;
// See: http://en.wikipedia.org/wiki/Process_Environment_Block
// 32-bit PEB; the hex comments are member offsets (pointers advance by 4).
// Fields named by offset only (b003, d6C) were unknown to the author.
typedef struct _PEB {
    UCHAR InheritedAddressSpace; // 0
    UCHAR ReadImageFileExecOptions; // 1
    UCHAR BeingDebugged; // 2
    BYTE b003; // 3
    PVOID Mutant; // 4
    PVOID ImageBaseAddress; // 8
    PPEB_LDR_DATA Ldr; // C
    PPROCESS_PARAMETERS ProcessParameters; // 10
    PVOID SubSystemData; // 14
    PVOID ProcessHeap; // 18
    KSPIN_LOCK FastPebLock; // 1C
    PPEBLOCKROUTINE FastPebLockRoutine; // 20
    PPEBLOCKROUTINE FastPebUnlockRoutine; // 24
    ULONG EnvironmentUpdateCount; // 28
    PVOID *KernelCallbackTable; // 2C
    PVOID EventLogSection; // 30
    PVOID EventLog; // 34
    PPEB_FREE_BLOCK FreeList; // 38
    ULONG TlsExpansionCounter; // 3C
    PRTL_BITMAP TlsBitmap; // 40
    ULONG TlsBitmapData[0x2]; // 44
    PVOID ReadOnlySharedMemoryBase; // 4C
    PVOID ReadOnlySharedMemoryHeap; // 50
    PTEXT_INFO ReadOnlyStaticServerData; // 54
    PVOID InitAnsiCodePageData; // 58
    PVOID InitOemCodePageData; // 5C
    PVOID InitUnicodeCaseTableData; // 60
    ULONG KeNumberProcessors; // 64
    ULONG NtGlobalFlag; // 68
    DWORD d6C; // 6C
    LARGE_INTEGER MmCriticalSectionTimeout; // 70
    ULONG MmHeapSegmentReserve; // 78
    ULONG MmHeapSegmentCommit; // 7C
    ULONG MmHeapDeCommitTotalFreeThreshold; // 80
    ULONG MmHeapDeCommitFreeBlockThreshold; // 84
    ULONG NumberOfHeaps; // 88
    ULONG AvailableHeaps; // 8C
    PHANDLE ProcessHeapsListBuffer; // 90
    PVOID GdiSharedHandleTable; // 94
    PVOID ProcessStarterHelper; // 98
    PVOID GdiDCAttributeList; // 9C
    KSPIN_LOCK LoaderLock; // A0
    ULONG NtMajorVersion; // A4
    ULONG NtMinorVersion; // A8
    USHORT NtBuildNumber; // AC
    USHORT NtCSDVersion; // AE
    ULONG PlatformId; // B0
    ULONG Subsystem; // B4
    ULONG MajorSubsystemVersion; // B8
    ULONG MinorSubsystemVersion; // BC
    KAFFINITY AffinityMask; // C0
    ULONG GdiHandleBuffer[0x22]; // C4
    ULONG PostProcessInitRoutine; // 14C
    ULONG TlsExpansionBitmap; // 150
    UCHAR TlsExpansionBitmapBits[0x80]; // 154
    ULONG SessionId; // 1D4
    ULARGE_INTEGER AppCompatFlags; // 1D8
    PWORD CSDVersion; // 1E0
    /*
    PVOID AppCompatInfo; // 1E4
    UNICODE_STRING usCSDVersion;
    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;
    ULONG MinimumStackCommit;
    */
} PEB, *PPEB;
// NOTE(review): despite the name, the pointer members (PPEB_LDR_DATA,
// PPROCESS_PARAMETERS) take the pointer size of the compiling target, so this
// only describes a 64-bit PEB when compiled as 64-bit code -- confirm before
// using it for cross-bitness inspection.
typedef struct _PEB64 {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[21];
    PPEB_LDR_DATA Ldr;
    PPROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved3[520];
    ULONG PostProcessInitRoutine;
    BYTE Reserved4[136];
    ULONG SessionId;
} PEB64;
// 32-bit Thread Environment Block (NT-era layout).
typedef struct _TEB {
    NT_TIB Tib;
    PVOID EnvironmentPointer;
    CLIENT_ID Cid;
    PVOID ActiveRpcInfo;
    PVOID ThreadLocalStoragePointer;
    PPEB Peb;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG Win32ClientInfo[0x1F];
    PVOID WOW32Reserved;
    ULONG CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[0x36];
    PVOID Spare1;
    LONG ExceptionCode;
    ULONG SpareBytes1[0x28];
    PVOID SystemReserved2[0xA];
    ULONG gdiRgn;
    ULONG gdiPen;
    ULONG gdiBrush;
    CLIENT_ID RealClientId;
    PVOID GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocaleInfo;
    PVOID UserReserved[5];
    PVOID glDispatchTable[0x118];
    ULONG glReserved1[0x1A];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[0x105];
    PVOID DeallocationStack;
    PVOID TlsSlots[0x40];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[0x2];
    ULONG HardErrorDisabled;
    PVOID Instrumentation[0x10];
    PVOID WinSockData;
    ULONG GdiBatchCount;
    ULONG Spare2;
    ULONG Spare3;
    ULONG Spare4;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID StackCommit;
    PVOID StackCommitMax;
    PVOID StackReserve;
} TEB, *PTEB;
typedef enum _POOL_TYPE {
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS,
    MaxPoolType
} POOL_TYPE, *PPOOL_TYPE;
typedef enum _KWAIT_REASON {
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrLpcReply,
    WrVirtualMemory,
    WrPageOut,
    WrRendezvous,
    Spare2,
    Spare3,
    Spare4,
    Spare5,
    Spare6,
    WrKernel,
    MaximumWaitReason
} KWAIT_REASON, *PKWAIT_REASON;
// Header shared by the kernel dispatcher objects below (KPROCESS, KTHREAD,
// KSEMAPHORE, KEVENT).
typedef struct _DISPATCHER_HEADER {
    BYTE uType; //DO_TYPE_*
    BYTE uAbsolute;
    BYTE uSize; // number of DWORDs
    BYTE uInserted;
    LONG lSignalState;
    LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER, *PDISPATCHER_HEADER;
// Kernel-mode process object (NT-era, 32-bit).  Members named d*/w*/b*/le*
// are placeholders for fields the author could not identify.
typedef struct _KPROCESS {
    DISPATCHER_HEADER Header; // DO_TYPE_PROCESS (0x1A)
    LIST_ENTRY le10;
    DWORD d18; DWORD d1C; DWORD d20; DWORD d24;
    DWORD d28; DWORD d2C; DWORD d30; DWORD d34;
    DWORD dKernelTime; // ticks
    DWORD dUserTime; // ticks
    LIST_ENTRY le40;
    LIST_ENTRY OutSwapList;
    LIST_ENTRY ThreadListHead; // KTHREAD.ThreadList
    DWORD d58;
    KAFFINITY AffinityMask;
    WORD w60;
    BYTE bBasePriority;
    BYTE b63;
    WORD w64;
    BYTE b66;
    BOOLEAN fPriorityBoost;
} KPROCESS, *PKPROCESS;
// LPC message header; the payload (the commented-out Data[]) follows it in
// memory and is bounded by PORT_MAXIMUM_MESSAGE_LENGTH above.
typedef struct _PORT_MESSAGE {
    USHORT DataSize;
    USHORT MessageSize;
    USHORT MessageType;
    USHORT VirtualRangesOffset;
    CLIENT_ID ClientId;
    ULONG MessageId;
    ULONG SectionSize;
    //UCHAR Data[];
} PORT_MESSAGE, *PPORT_MESSAGE;
// System service table descriptor.  uTableSize bounds ServiceTable,
// puCounterTable and pbArgumentTable alike.
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    PNTSYSCALL ServiceTable; // array of entrypoints
    PULONG puCounterTable; // array of counters
    ULONG uTableSize; // number of table entries
    PBYTE pbArgumentTable; // array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _KSEMAPHORE {
    DISPATCHER_HEADER Header;
    LONG lLimit;
} KSEMAPHORE, *PKSEMAPHORE;
// Kernel-mode thread object (NT-era, 32-bit); as with KPROCESS, the
// offset-named members are unidentified padding/fields.
typedef struct _KTHREAD {
    DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C)
    LIST_ENTRY le010;
    DWORD d018;
    DWORD d01C;
    PTEB pTeb;
    DWORD d024;
    DWORD d028;
    BYTE b02C;
    BYTE bThreadState; // THREAD_STATE_*
    WORD w02E;
    WORD w030;
    BYTE b032;
    BYTE bPriority;
    LIST_ENTRY le034;
    LIST_ENTRY le03C;
    PKPROCESS pProcess;
    DWORD d048;
    DWORD dContextSwitches;
    DWORD d050;
    WORD w054;
    BYTE b056;
    BYTE bWaitReason;
    DWORD d058;
    PLIST_ENTRY ple05C;
    PLIST_ENTRY ple060;
    DWORD d064;
    BYTE bBasePriority;
    BYTE b069;
    WORD w06A;
    DWORD d06C; DWORD d070; DWORD d074; DWORD d078;
    DWORD d07C; DWORD d080; DWORD d084; DWORD d088;
    DWORD d08C; DWORD d090; DWORD d094; DWORD d098;
    DWORD d09C; DWORD d0A0; DWORD d0A4; DWORD d0A8;
    DWORD d0AC; DWORD d0B0; DWORD d0B4; DWORD d0B8;
    DWORD d0BC; DWORD d0C0; DWORD d0C4; DWORD d0C8;
    DWORD d0CC; DWORD d0D0; DWORD d0D4; DWORD d0D8;
    PSERVICE_DESCRIPTOR_TABLE pServiceDescriptorTable;
    DWORD d0E0; DWORD d0E4; DWORD d0E8; DWORD d0EC;
    LIST_ENTRY le0F0;
    DWORD d0F8; DWORD d0FC; DWORD d100; DWORD d104;
    DWORD d108; DWORD d10C; DWORD d110; DWORD d114;
    DWORD d118;
    BYTE b11C;
    BYTE b11D;
    WORD w11E;
    DWORD d120; DWORD d124; DWORD d128; DWORD d12C;
    DWORD d130;
    WORD w134;
    BYTE b136;
    KPROCESSOR_MODE ProcessorMode;
    DWORD dKernelTime; // ticks
    DWORD dUserTime; // ticks
    DWORD d140; DWORD d144; DWORD d148; DWORD d14C;
    DWORD d150; DWORD d154; DWORD d158; DWORD d15C;
    DWORD d160; DWORD d164; DWORD d168; DWORD d16C;
    DWORD d170;
    PROC SuspendNop;
    DWORD d178; DWORD d17C; DWORD d180; DWORD d184;
    DWORD d188; DWORD d18C;
    KSEMAPHORE SuspendSemaphore;
    LIST_ENTRY ThreadList; // KPROCESS.ThreadListHead
    DWORD d1AC;
} KTHREAD, *PKTHREAD;
// Executive thread object; embeds KTHREAD as its first member.
typedef struct _ETHREAD {
    KTHREAD Tcb;
    LARGE_INTEGER liCreateTime;
    LARGE_INTEGER liExitTime;
    NTSTATUS ExitStatus;
    LIST_ENTRY PostBlockList;
    LIST_ENTRY TerminationPortList;
    ULONG uActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;
    CLIENT_ID Cid;
    KSEMAPHORE LpcReplySemaphore;
    ULONG uLpcReplyMessage;
    LARGE_INTEGER liLpcReplyMessageId;
    ULONG uImpersonationInfo;
    LIST_ENTRY IrpList;
    LIST_ENTRY TopLevelIrp;
    ULONG uReadClusterSize;
    BOOLEAN fForwardClusterOnly;
    BOOLEAN fDisablePageFaultClustering;
    BOOLEAN fDeadThread;
    BOOLEAN fHasTerminated;
    ULONG uEventPair;
    ULONG uGrantedAccess;
    ULONG uThreadsProcess;
    PVOID pStartAddress;
    PVOID Win32StartAddress;
    BOOLEAN fLpcExitThreadCalled;
    BOOLEAN fHardErrorsAreDisabled;
    WORD wUknown1;
    DWORD dwUknown2;
} ETHREAD, *PETHREAD;
typedef PETHREAD ERESOURCE_THREAD, *PERESOURCE_THREAD;
typedef struct _KEVENT {
    DISPATCHER_HEADER Header;
} KEVENT, *PKEVENT;
// Original (pre-"lite") executive resource layout.
typedef struct _ERESOURCE_OLD {
    LIST_ENTRY SystemResourcesList;
    PERESOURCE_THREAD OwnerThreads;
    PBYTE pbOwnerCounts;
    WORD wTableSize;
    WORD wActiveCount;
    WORD wFlag;
    WORD wTableRover;
    BYTE bInitialOwnerCounts[4];
    ERESOURCE_THREAD InitialOwnerThreads[4];
    DWORD dwUknown1;
    ULONG uContentionCount;
    WORD wNumberOfExclusiveWaiters;
    WORD wNumberOfSharedWaiters;
    KSEMAPHORE SharedWaiters;
    KEVENT ExclusiveWaiters;
    KSPIN_LOCK SpinLock;
    ULONG uCreatorBackTraceIndex;
    WORD wDepth;
    WORD wUknown2;
    PVOID pOwnerBackTrace[4];
} ERESOURCE_OLD, *PERESOURCE_OLD;
typedef struct _OWNER_ENTRY {
    ERESOURCE_THREAD OwnerThread;
    SHORT sOwnerCount;
    WORD wTableSize;
} OWNER_ENTRY, *POWNER_ENTRY;
// "Lite" executive resource; ERESOURCE below is an alias for it.  The unnamed
// union is a C11 / Microsoft extension.
typedef struct _ERESOURCE_LITE {
    LIST_ENTRY SystemResourcesList;
    POWNER_ENTRY OwnerTable;
    SHORT sActiveCount;
    WORD wFlag;
    PKSEMAPHORE SharedWaiters;
    PKEVENT ExclusiveWaiters;
    OWNER_ENTRY OwnerThreads[2];
    ULONG uContentionCount;
    WORD wNumberOfSharedWaiters;
    WORD wNumberOfExclusiveWaiters;
    union {
        PVOID pAddress;
        ULONG uCreatorBackTraceIndex;
    };
    KSPIN_LOCK SpinLock;
} ERESOURCE_LITE, *PERESOURCE_LITE;
typedef ERESOURCE_LITE ERESOURCE, *PERESOURCE;
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG uInformation;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
/* Defined in Winnt.h
typedef struct _QUOTA_LIMITS {
    SIZE_T PagedPoolLimit;
    SIZE_T NonPagedPoolLimit;
    SIZE_T MinimumWorkingSetSize;
    SIZE_T MaximumWorkingSetSize;
    SIZE_T PagefileLimit;
    LARGE_INTEGER TimeLimit;
} QUOTA_LIMITS, *PQUOTA_LIMITS;
*/
typedef struct _IOCOUNTERS {
    ULONG uReadOperationCount;
    ULONG uWriteOperationCount;
    ULONG uOtherOperationCount;
    LARGE_INTEGER liReadTransferCount;
    LARGE_INTEGER liWriteTransferCount;
    LARGE_INTEGER liOtherTransferCount;
} IOCOUNTERS, *PIOCOUNTERS;
// All counters are ULONG (32-bit): sizes on this layout cannot describe a
// process whose virtual size exceeds 4 GiB.
typedef struct _VM_COUNTERS {
    ULONG uPeakVirtualSize;
    ULONG uVirtualSize;
    ULONG uPageFaultCount;
    ULONG uPeakWorkingSetSize;
    ULONG uWorkingSetSize;
    ULONG uQuotaPeakPagedPoolUsage;
    ULONG uQuotaPagedPoolUsage;
    ULONG uQuotaPeakNonPagedPoolUsage;
    ULONG uQuotaNonPagedPoolUsage;
    ULONG uPagefileUsage;
    ULONG uPeakPagefileUsage;
} VM_COUNTERS, *PVM_COUNTERS;
typedef struct _KERNEL_USER_TIMES {
    LARGE_INTEGER liCreateTime;
    LARGE_INTEGER liExitTime;
    LARGE_INTEGER liKernelTime;
    LARGE_INTEGER liUserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
typedef struct _BASE_PRIORITY_INFORMATION {
    KPRIORITY BasePriority;
} BASE_PRIORITY_INFORMATION, *PBASE_PRIORITY_INFORMATION;
typedef struct _AFFINITY_MASK {
    KAFFINITY AffinityMask;
} AFFINITY_MASK, *PAFFINITY_MASK;
typedef struct _TIME_FIELDS {
    WORD wYear;
    WORD wMonth;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
    WORD wWeekday;
} TIME_FIELDS, *PTIME_FIELDS;
typedef void (*PIO_APC_ROUTINE) (PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG Reserved);
#if(_WIN32_WINNT < 0x0400)
// Note the tag (_NTVOLUME_DATA_BUFFER) and the typedef name
// (NTFS_VOLUME_DATA_BUFFER) differ; only the latter is normally used.
typedef struct _NTVOLUME_DATA_BUFFER {
    LARGE_INTEGER liSerialNumber;
    LARGE_INTEGER liNumberOfSectors;
    LARGE_INTEGER liTotalClusters;
    LARGE_INTEGER liFreeClusters;
    LARGE_INTEGER liReserved;
    ULONG uBytesPerSector;
    ULONG uBytesPerCluster;
    ULONG uBytesPerMFTRecord;
    ULONG uClustersPerMFTRecord;
    LARGE_INTEGER liMFTLength;
    LARGE_INTEGER liMFTStart;
    LARGE_INTEGER liMFTMirrorStart;
    LARGE_INTEGER liMFTZoneStart;
    LARGE_INTEGER liMFTZoneEnd;
} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;
#endif // _WIN32_WINNT < 0x0400
// Directory-object enumeration record.  Data[1] is a placeholder: the names'
// characters follow the structure, so bound any access by the two
// UNICODE_STRING Length fields and the caller's buffer size.
typedef struct _OBJDIR_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName; // e.g. Directory, Device ...
    UCHAR Data[1]; // variable length
} OBJDIR_INFORMATION, *POBJDIR_INFORMATION;
// Define the file system information class values
typedef enum _FSINFOCLASS {
    FileFsVolumeInformation = 1,
    FileFsLabelInformation, // 2
    FileFsSizeInformation, // 3
    FileFsDeviceInformation, // 4
    FileFsAttributeInformation, // 5
    FileFsControlInformation, // 6
    FileFsFullSizeInformation, // 7
    FileFsObjectIdInformation, // 8
    FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
// VolumeLabel[1] is variable length: VolumeLabelLength gives its size in
// bytes, and the label is not NUL-terminated.
typedef struct _FILE_FS_VOLUME_INFORMATION {
    LARGE_INTEGER VolumeCreationTime;
    ULONG VolumeSerialNumber;
    ULONG VolumeLabelLength;
    BOOLEAN SupportsObjects;
    WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
typedef struct _FILE_FS_LABEL_INFORMATION {
    ULONG VolumeLabelLength;
    WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
typedef struct _FILE_FS_SIZE_INFORMATION {
    LARGE_INTEGER TotalAllocationUnits;
    LARGE_INTEGER AvailableAllocationUnits;
    ULONG SectorsPerAllocationUnit;
    ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
// Characteristics is a combination of the FILE_* device characteristics
// flags defined near the top of this header.
typedef struct _FILE_FS_DEVICE_INFORMATION {
    DEVICE_TYPE DeviceType;
    ULONG Characteristics;
} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;
// FileSystemName[1] is variable length (FileSystemNameLength bytes).
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
    ULONG FileSystemAttributes;
    LONG MaximumComponentNameLength;
    ULONG FileSystemNameLength;
    WCHAR FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
typedef struct _FILE_FS_CONTROL_INFORMATION {
    LARGE_INTEGER FreeSpaceStartFiltering;
    LARGE_INTEGER FreeSpaceThreshold;
    LARGE_INTEGER FreeSpaceStopFiltering;
    LARGE_INTEGER DefaultQuotaThreshold;
    LARGE_INTEGER DefaultQuotaLimit;
    ULONG FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
    LARGE_INTEGER TotalQuotaAllocationUnits;
    LARGE_INTEGER AvailableQuotaAllocationUnits;
    LARGE_INTEGER AvailableAllocationUnits;
    ULONG SectorsPerAllocationUnit;
    ULONG BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
    GUID VolumeObjectId;
    ULONG VolumeObjectIdExtendedInfo[12];
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
// NtQuerySystemInformation classes.  The sizes in the comments are the
// author's observations for the NT-era builds this header targets; classes
// marked "set mode only" reject queries.  Callers should size buffers from
// the returned length rather than from these numbers.
typedef enum _SYSTEMINFOCLASS {
    SystemBasicInformation, // 0x002C
    SystemProcessorInformation, // 0x000C
    SystemPerformanceInformation, // 0x0138
    SystemTimeInformation, // 0x0020
    SystemPathInformation, // not implemented
    SystemProcessInformation, // 0x00C8+ per process
    SystemCallInformation, // 0x0018 + (n * 0x0004)
    SystemConfigurationInformation, // 0x0018
    SystemProcessorCounters, // 0x0030 per cpu
    SystemGlobalFlag, // 0x0004 (fails if size != 4)
    SystemCallTimeInformation, // not implemented
    SystemModuleInformation, // 0x0004 + (n * 0x011C)
    SystemLockInformation, // 0x0004 + (n * 0x0024)
    SystemStackTraceInformation, // not implemented
    SystemPagedPoolInformation, // checked build only
    SystemNonPagedPoolInformation, // checked build only
    SystemHandleInformation, // 0x0004 + (n * 0x0010)
    SystemObjectTypeInformation, // 0x0038+ + (n * 0x0030+)
    SystemPageFileInformation, // 0x0018+ per page file
    SystemVdmInstemulInformation, // 0x0088
    SystemVdmBopInformation, // invalid info class
    SystemCacheInformation, // 0x0024
    SystemPoolTagInformation, // 0x0004 + (n * 0x001C)
    SystemInterruptInformation, // 0x0000, or 0x0018 per cpu
    SystemDpcInformation, // 0x0014
    SystemFullMemoryInformation, // checked build only
    SystemLoadDriver, // 0x0018, set mode only
    SystemUnloadDriver, // 0x0004, set mode only
    SystemTimeAdjustmentInformation, // 0x000C, 0x0008 writeable
    SystemSummaryMemoryInformation, // checked build only
    SystemNextEventIdInformation, // checked build only
    SystemEventIdsInformation, // checked build only
    SystemCrashDumpInformation, // 0x0004
    SystemExceptionInformation, // 0x0010
    SystemCrashDumpStateInformation, // 0x0004
    SystemDebuggerInformation, // 0x0002
    SystemContextSwitchInformation, // 0x0030
    SystemRegistryQuotaInformation, // 0x000C
    SystemAddDriver, // 0x0008, set mode only
    SystemPrioritySeparationInformation, // 0x0004, set mode only
    SystemPlugPlayBusInformation, // not implemented
    SystemDockInformation, // not implemented
    SystemPowerInfo, // 0x0060 (XP only!)
    SystemProcessorSpeedInformation, // 0x000C (XP only!)
    SystemTimeZoneInformation, // 0x00AC
    SystemLookasideInformation, // n * 0x0020
    SystemSetTimeSlipEvent,
    SystemCreateSession, // set mode only
    SystemDeleteSession, // set mode only
    SystemInvalidInfoClass1, // invalid info class
    SystemRangeStartInformation, // 0x0004 (fails if size != 4)
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation, // checked build only
    MaxSystemInfoClass
} SYSTEMINFOCLASS, *PSYSTEMINFOCLASS;
// SystemBasicInformation result.
typedef struct _SYSTEM_BASIC_INFORMATION {
    DWORD dwUnknown1; // 0
    ULONG uKeMaximumIncrement; // x86: 0x0002625A or 0x00018730
    ULONG uPageSize; // bytes
    ULONG uMmNumberOfPhysicalPages;
    ULONG uMmLowestPhysicalPage;
    ULONG uMmHighestPhysicalPage;
    ULONG uAllocationGranularity; // bytes
    PVOID pLowestUserAddress;
    PVOID pMmHighestUserAddress;
    KAFFINITY uKeActiveProcessors;
    BYTE bKeNumberProcessors;
    BYTE bUnknown2;
    WORD wUnknown3;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
// SystemProcessorInformation result.
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
    WORD wKeProcessorArchitecture; // PROCESSOR_ARCHITECTURE_* (PROCESSOR_ARCHITECTURE_INTEL)
    WORD wKeProcessorLevel; // PROCESSOR_* (PROCESSOR_INTEL_PENTIUM)
    WORD wKeProcessorRevision; // Pentium: H=model, L=stepping
    WORD wUnknown1; // 0
    ULONG uKeFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
typedef struct _MM_INFO_COUNTERS {
    ULONG uPageFaults;
    ULONG uWriteCopyFaults;
    ULONG uTransistionFaults;
    ULONG uCacheTransitionCount;
    ULONG uDemandZeroFaults;
    ULONG uPagesRead;
    ULONG uPageReadIos;
    ULONG uCacheReadCount;
    ULONG uCacheIoCount;
    ULONG uPagefilePagesWritten;
    ULONG uPagefilePageWriteIos;
    ULONG uMappedFilePagesWritten;
    ULONG uMappedFilePageWriteIos;
} MM_INFO_COUNTERS, *PMM_INFO_COUNTERS;
// SystemPerformanceInformation result (the 0x0138-byte layout noted in the
// enum above).
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    LARGE_INTEGER liIdleTime; // 100 nsec units
    LARGE_INTEGER liIoReadTransferCount;
    LARGE_INTEGER liIoWriteTransferCount;
    LARGE_INTEGER liIoOtherTransferCount;
    ULONG uIoReadOperationCount;
    ULONG uIoWriteOperationCount;
    ULONG uIoOtherOperationCount;
    ULONG uMmAvailablePages;
    ULONG uMmTotalCommittedPages;
    ULONG uMmTotalCommitLimit; // pages
    ULONG uMmPeakCommitLimit; // pages
    MM_INFO_COUNTERS MmInfoCounters;
    ULONG uPoolPaged; // pages
    ULONG uPoolNonPaged; // pages
    ULONG uPagedPoolAllocs;
    ULONG uPagedPoolFrees;
    ULONG uNonPagedPoolAllocs;
    ULONG uNonPagedPoolFrees;
    ULONG uMmTotalFreeSystemPages;
    ULONG uMmSystemCodePage;
    ULONG uMmTotalSystemDriverPages;
    ULONG uMmTotalSystemCodePages;
    ULONG uSmallNonPagedLookasideListAllocateHits;
    ULONG uSmallPagedLookasideListAllocateHits;
    DWORD dwUnknown1;
    ULONG uMmSystemCachePage;
    ULONG uMmPagedPoolPage;
    ULONG uMmSystemDriverPage;
    ULONG uCcFastReadNoWait;
    ULONG uCcFastReadWait;
    ULONG uCcFastReadResourceMiss;
    ULONG uCcFastReadNotPossible;
    ULONG uCcFastMdlReadNoWait;
    ULONG uCcFastMdlReadWait;
    ULONG uCcFastMdlReadResourceMiss;
    ULONG uCcFastMdlReadNotPossible;
    ULONG uCcMapDataNoWait;
    ULONG uCcMapDataWait;
    ULONG uCcMapDataNoWaitMiss;
    ULONG uCcMapDataWaitMiss;
    ULONG uCcPinMappedDataCount;
    ULONG uCcPinReadNoWait;
    ULONG uCcPinReadWait;
    ULONG uCcPinReadNoWaitMiss;
    ULONG uCcPinReadWaitMiss;
    ULONG uCcCopyReadNoWait;
    ULONG uCcCopyReadWait;
    ULONG uCcCopyReadNoWaitMiss;
    ULONG uCcCopyReadWaitMiss;
    ULONG uCcMdlReadNoWait;
    ULONG uCcMdlReadWait;
    ULONG uCcMdlReadNoWaitMiss;
    ULONG uCcMdlReadWaitMiss;
    ULONG uCcReadAheadIos;
    ULONG uCcLazyWriteIos;
    ULONG uCcLazyWritePages;
    ULONG uCcDataFlushes;
    ULONG uCcDataPages;
    ULONG uTotalContextSwitches; // total across cpus
    ULONG uFirstLevelTbFills;
    ULONG uSecondLevelTbFills;
    ULONG uSystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
// SystemTimeInformation result.
typedef struct _SYSTEM_TIME_INFORMATION {
    LARGE_INTEGER liKeBootTime; // relative to 01-01-1601
    LARGE_INTEGER liKeSystemTime; // relative to 01-01-1601
    LARGE_INTEGER liExpTimeZoneBias; // utc time = local time + bias
    ULONG uExpCurrentTimeZoneId; // TIME_ZONE_ID_* (TIME_ZONE_ID_UNKNOWN, etc.)
    DWORD dwUnknown1;
} SYSTEM_TIME_INFORMATION, *PSYSTEM_TIME_INFORMATION;
// Enum form of the THREAD_STATE_* macros above (same values, same order).
typedef enum {
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,
    StateTransition,
    StateUnknown
} THREAD_STATE;
/*typedef struct _IO_COUNTERSEX {
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} IO_COUNTERS, *PIO_COUNTERS;*/
// Per-thread record that follows a SYSTEM_PROCESS_INFORMATION entry.
typedef struct _SYSTEM_THREAD {
    FILETIME ftKernelTime; // 100 nsec units
    FILETIME ftUserTime; // 100 nsec units
    FILETIME ftCreateTime; // relative to 01-01-1601
    DWORD dWaitTime;
    PVOID pStartAddress;
    CLIENT_ID Cid; // process/thread ids
    DWORD dPriority;
    DWORD dBasePriority;
    DWORD dContextSwitches;
    DWORD dThreadState; // 2=running, 5=waiting
    KWAIT_REASON WaitReason;
    DWORD dReserved01;
} SYSTEM_THREAD, * PSYSTEM_THREAD, **PPSYSTEM_THREAD;
// Common prefix of a SystemProcessInformation entry.  Entries form a list:
// dNext is the byte offset from this entry to the next, and a zero offset
// ends the list.  Keep every step inside the buffer actually returned.
typedef struct _SYSTEM_PROCESS_INFORMATION { // common members
    DWORD dNext; // relative offset
    DWORD dThreadCount;
    DWORD dReserved01;
    DWORD dReserved02;
    DWORD dReserved03;
    DWORD dReserved04;
    DWORD dReserved05;
    DWORD dReserved06;
    FILETIME ftCreateTime; // relative to 01-01-1601
    FILETIME ftUserTime; // 100 nsec units
    FILETIME ftKernelTime; // 100 nsec units
    UNICODE_STRING usName;
    KPRIORITY BasePriority;
    DWORD dUniqueProcessId;
    DWORD dInheritedFromUniqueProcessId;
    DWORD dHandleCount;
    DWORD dReserved07;
    DWORD dReserved08;
    VM_COUNTERS VmCounters; // see ntddk.h
    DWORD dCommitCharge; // bytes
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION, **PPSYSTEM_PROCESS_INFORMATION;
// aThreads[1] is a placeholder for dThreadCount SYSTEM_THREAD records.
typedef struct _SYSTEM_PROCESS_INFORMATION_NT4 { // Windows NT 4.0
    SYSTEM_PROCESS_INFORMATION Process; // common members
    SYSTEM_THREAD aThreads [1]; // thread array
} SYSTEM_PROCESS_INFORMATION_NT4, * PSYSTEM_PROCESS_INFORMATION_NT4, **PPSYSTEM_PROCESS_INFORMATION_NT4;
// Windows 2000+ entry inserts IO_COUNTERS (from winnt.h) before the thread
// array.  Note the struct tag (_SYSTEM_PROCESS_NT5) does not follow the
// *_INFORMATION_* naming of its typedefs.
typedef struct _SYSTEM_PROCESS_NT5 { // Windows 2000 and up
    SYSTEM_PROCESS_INFORMATION Process; // common members
    IO_COUNTERS IoCounters; // see ntddk.h
    SYSTEM_THREAD aThreads [1]; // thread array
} SYSTEM_PROCESS_INFORMATION_NT5, * PSYSTEM_PROCESS_INFORMATION_NT5, **PPSYSTEM_PROCESS_INFORMATION_NT5;
// Variable-length: the two commented arrays follow the header, sized by
// NumberOfTables and the per-table entry counts.
typedef struct _SYSTEM_CALL_INFORMATION {
    ULONG Length;
    ULONG NumberOfTables;
    // ULONG NumberOfEntries[NumberOfTables]
    // ULONG CallCounts[NumberOfTables][NumberOfEntries];
} SYSTEM_CALL_INFORMATION, *PSYSTEM_CALL_INFORMATION;
typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
    ULONG uDiskCount;
    ULONG uFloppyCount;
    ULONG uCDRomCount;
    ULONG uTapeCount;
    ULONG uSerialCount; // com port with mouse not included
    ULONG uParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;
typedef struct _SYSTEM_PROCESSOR_COUNTERS {
    LARGE_INTEGER liProcessorTime; // 100 nsec units
    LARGE_INTEGER liKernelTime; // 100 nsec units
    LARGE_INTEGER liUserTime; // 100 nsec units
    LARGE_INTEGER liDpcTime; // 100 nsec units
    LARGE_INTEGER liInterruptTime; // 100 nsec units
    ULONG uInterruptCount;
    DWORD dwUnknown1;
} SYSTEM_PROCESSOR_COUNTERS, *PSYSTEM_PROCESSOR_COUNTERS;
typedef struct _SYSTEM_GLOBAL_FLAG {
    ULONG NtGlobalFlag; // see Q147314, Q102985, Q105677
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
// Length-prefixed array of per-call times (SystemCallTimeInformation, by name).
typedef struct _SYSTEM_CALL_TIME_INFORMATION {
    ULONG Length;
    ULONG TotalCalls;
    LARGE_INTEGER TimeOfCalls[1]; // variable length; presumably TotalCalls entries follow
} SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION;

// One loaded kernel module record.
// NOTE(review): Base and Size are ULONG, so this layout only matches a 32-bit target;
// on a 64-bit process these fields are pointer-sized and every later offset (including
// ImageName) moves — confirm before using this struct from an x64 build.
typedef struct _SYSTEM_MODULE {
    ULONG Reserved[2];
    ULONG Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset; // presumably the offset inside ImageName of the bare file name
    CHAR ImageName[256];     // nothing here guarantees NUL termination; bound reads to sizeof ImageName
} SYSTEM_MODULE, *PSYSTEM_MODULE;

// Header followed by a flexible array of SYSTEM_MODULE.
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG uCount;        // number of aSM entries (by name)
    SYSTEM_MODULE aSM[];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// One ERESOURCE lock record.
// NOTE(review): the union holds kernel-mode ERESOURCE addresses, i.e. this query
// discloses kernel pointers to user mode; modern Windows restricts such classes
// for low-integrity callers — do not rely on it being available.
typedef struct _SYSTEM_LOCK {
    union {
        PERESOURCE_OLD pEResourceOld;   // old ERESOURCE format
        PERESOURCE_LITE pEResourceLite; // new "lite" format
        PERESOURCE pEResource;          // current format
    };
    WORD wUnknown1; // 1
    WORD wUnknown2; // 0
    ULONG ExclusiveOwnerThreadId;
    ULONG uActiveCount;
    ULONG uContentionCount;
    DWORD dwUnknown3;
    DWORD dwUnknown4;
    ULONG uNumberOfSharedWaiters;
    ULONG uNumberOfExclusiveWaiters;
} SYSTEM_LOCK, *PSYSTEM_LOCK;

// Header followed by a flexible array of SYSTEM_LOCK.
typedef struct _SYSTEM_LOCK_INFORMATION {
    ULONG uCount;      // number of aSL entries (by name)
    SYSTEM_LOCK aSL[];
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

// One system-wide handle-table entry.
// pObject is a kernel object address (information-disclosure-sensitive, see SYSTEM_LOCK).
typedef struct _SYSTEM_HANDLE {
    ULONG uIdProcess;          // owning process id
    UCHAR ObjectType;          // OB_TYPE_* (OB_TYPE_TYPE, etc.)
    UCHAR Flags;               // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
    USHORT Handle;             // 16-bit handle value; widen explicitly before comparing with a HANDLE
    POBJECT pObject;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

// Header followed by a flexible array of SYSTEM_HANDLE.
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;        // number of Information entries (by name)
    SYSTEM_HANDLE Information[];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Object-type record. Note the original author marks NextEntryOffset as *absolute*
// here, unlike the relative NextEntryOffset of SYSTEM_PAGE_FILE_INFORMATION below;
// list walkers must not treat the two the same way.
typedef struct _SYSTEM_OBJECTTYPE_INFORMATION {
    ULONG NextEntryOffset;   // absolute offset
    ULONG ObjectCount;
    ULONG HandleCount;
    ULONG TypeIndex;         // OB_TYPE_* (OB_TYPE_TYPE, etc.)
    ULONG InvalidAttributes; // OBJ_* (OBJ_INHERIT, etc.)
GENERIC_MAPPING GenericMapping; ACCESS_MASK ValidAccessMask; POOL_TYPE PoolType; BOOLEAN SecurityRequired; BOOLEAN WaitableObject; UNICODE_STRING TypeName; } SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION; // follows after SYSTEM_OBJECTTYPE_INFORMATION.TypeName typedef struct _SYSTEM_OBJECT_INFORMATION { ULONG NextEntryOffset; // absolute offset POBJECT Object; ULONG CreatorProcessId; USHORT CreatorBackTraceIndex; USHORT Flags; // see "Native API Reference" page 24 LONG PointerCount; LONG HandleCount; ULONG PagedPoolCharge; ULONG NonPagedPoolCharge; ULONG ExclusiveProcessId; PSECURITY_DESCRIPTOR SecurityDescriptor; UNICODE_STRING ObjectName; } SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; typedef struct _SYSTEM_PAGE_FILE_INFORMATION { ULONG NextEntryOffset; // relative offset ULONG CurrentSize; // pages ULONG TotalUsed; // pages ULONG PeakUsed; // pages UNICODE_STRING FileName; } SYSTEM_PAGE_FILE_INFORMATION, *PSYSTEM_PAGE_FILE_INFORMATION; typedef struct _SYSTEM_VDM_INSTEMUL_INFO { BOOL fExVdmSegmentNotPresent; ULONG uOpcode0FV86; ULONG uOpcodeESPrefixV86; ULONG uOpcodeCSPrefixV86; ULONG uOpcodeSSPrefixV86; ULONG uOpcodeDSPrefixV86; ULONG uOpcodeFSPrefixV86; ULONG uOpcodeGSPrefixV86; ULONG uOpcodeOPER32PrefixV86; ULONG uOpcodeADDR32PrefixV86; ULONG uOpcodeINSBV86; ULONG uOpcodeINSWV86; ULONG uOpcodeOUTSBV86; ULONG uOpcodeOUTSWV86; ULONG uOpcodePUSHFV86; ULONG uOpcodePOPFV86; ULONG uOpcodeINTnnV86; ULONG uOpcodeINTOV86; ULONG uOpcodeIRETV86; ULONG uOpcodeINBimmV86; ULONG uOpcodeINWimmV86; ULONG uOpcodeOUTBimmV86; ULONG uOpcodeOUTWimmV86; ULONG uOpcodeINBV86; ULONG uOpcodeINWV86; ULONG uOpcodeOUTBV86; ULONG uOpcodeOUTWV86; ULONG uOpcodeLOCKPrefixV86; ULONG uOpcodeREPNEPrefixV86; ULONG uOpcodeREPPrefixV86; ULONG uOpcodeHLTV86; ULONG uOpcodeCLIV86; ULONG uOpcodeSTIV86; ULONG uVdmBopCount; } SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO; typedef struct _SYSTEM_CACHE_INFORMATION { ULONG uFileCache; // bytes ULONG uFileCachePeak; // bytes 
ULONG PageFaultCount; ULONG MinimumWorkingSet; ULONG MaximumWorkingSet; ULONG TransitionSharedPages; ULONG TransitionSharedPagesPeak; ULONG Reserved[2]; } SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION; typedef struct _SYSTEM_POOL_ENTRY { BOOLEAN Allocated; BOOLEAN Spare0; USHORT AllocatorBackTraceIndex; ULONG Size; union { UCHAR Tag[4]; ULONG TagUlong; PVOID ProcessChargedQuota; }; } SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY; typedef struct _SYSTEM_POOL_INFORMATION { ULONG TotalSize; PVOID FirstEntry; USHORT EntryOverhead; BOOLEAN PoolTagPresent; BOOLEAN Spare0; ULONG NumberOfEntries; SYSTEM_POOL_ENTRY Entries[1]; } SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION; typedef struct _SYSTEM_POOL_TAG { union { UCHAR Tag[4]; ULONG TagUlong; }; ULONG PagedPoolAllocs; ULONG PagedPoolFrees; ULONG PagedPoolUsage; ULONG NonPagedPoolAllocs; ULONG NonPagedPoolFrees; ULONG NonPagedPoolUsage; } SYSTEM_POOL_TAG, *PSYSTEM_POOL_TAG; typedef struct _SYSTEM_POOL_TAG_INFORMATION { ULONG uCount; SYSTEM_POOL_TAG aSPT[]; } SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION; typedef struct _SYSTEM_INTERRUPT_INFORMATION { ULONG ContextSwitches; ULONG DpcCount; ULONG DpcRate; ULONG TimeIncrement; ULONG DpcBypassCount; ULONG ApcBypassCount; } SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION; typedef struct _SYSTEM_DPC_INFORMATION { DWORD dwUnknown1; ULONG MaximumDpcQueueDepth; ULONG MinimumDpcRate; ULONG AdjustDpcThreshold; ULONG IdealDpcRate; } SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION; typedef struct _SYSTEM_MEMORY_INFO { PUCHAR StringOffset; USHORT ValidCount; USHORT TransitionCount; USHORT ModifiedCount; USHORT PageTableCount; } SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO; typedef struct _SYSTEM_MEMORY_INFORMATION { ULONG InfoSize; ULONG StringStart; SYSTEM_MEMORY_INFO Memory[1]; } SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION; typedef struct _SYSTEM_LOAD_DRIVER { UNICODE_STRING DriverName; // input PVOID BaseAddress; // output PVOID SectionPointer; 
// output PVOID EntryPoint; // output PIMAGE_EXPORT_DIRECTORY ExportDirectory; // output } SYSTEM_LOAD_DRIVER, *PSYSTEM_LOAD_DRIVER; typedef struct _SYSTEM_UNLOAD_DRIVER { PVOID SectionPointer; } SYSTEM_UNLOAD_DRIVER, *PSYSTEM_UNLOAD_DRIVER; typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT { ULONG TimeAdjustment; ULONG MaximumIncrement; BOOLEAN TimeSynchronization; } SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT; typedef struct _SYSTEM_SET_TIME_ADJUSTMENT { ULONG TimeAdjustment; BOOLEAN TimeSynchronization; } SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT; typedef struct _SYSTEM_CRASH_DUMP_INFORMATION { HANDLE CrashDumpSectionHandle; } SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION; typedef struct _SYSTEM_CRASH_DUMP_INFORMATION_2000 { HANDLE CrashDumpSectionHandle; HANDLE Unknown; // Windows 2000 only } SYSTEM_CRASH_DUMP_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_INFORMATION_2000; typedef struct _SYSTEM_EXCEPTION_INFORMATION { ULONG AlignmentFixupCount; ULONG ExceptionDispatchCount; ULONG FloatingEmulationCount; ULONG ByteWordEmulationCount; } SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION { ULONG ValidCrashDump; } SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION; typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000 { ULONG ValidCrashDump; ULONG Unknown; // Windows 2000 only } SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION_2000; typedef struct _SYSTEM_DEBUGGER_INFORMATION { BOOLEAN KernelDebuggerEnabled; BOOLEAN KernelDebuggerNotPresent; } SYSTEM_DEBUGGER_INFORMATION, *PSYSTEM_DEBUGGER_INFORMATION; typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION { ULONG ContextSwitches; ULONG FindAny; ULONG FindLast; ULONG FindIdeal; ULONG IdleAny; ULONG IdleCurrent; ULONG IdleLast; ULONG IdleIdeal; ULONG PreemptAny; ULONG PreemptCurrent; ULONG PreemptLast; ULONG SwitchToIdle; } SYSTEM_CONTEXT_SWITCH_INFORMATION, 
*PSYSTEM_CONTEXT_SWITCH_INFORMATION; typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION { ULONG RegistryQuotaAllowed; // bytes ULONG RegistryQuotaUsed; // bytes ULONG PagedPoolSize; // bytes } SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; typedef struct _SYSTEM_ADD_DRIVER { UNICODE_STRING ModuleName; } SYSTEM_ADD_DRIVER, *PSYSTEM_ADD_DRIVER; typedef struct _SYSTEM_PRIORITY_SEPARATION_INFORMATION { ULONG PrioritySeparation; // 0..2 } SYSTEM_PRIORITY_SEPARATION_INFORMATION, *PSYSTEM_PRIORITY_SEPARATION_INFORMATION; #define MAX_BUS_NAME 24 typedef enum _PLUGPLAY_BUS_CLASS { SystemBus, PlugPlayVirtualBus, MaxPlugPlayBusClass } PLUGPLAY_BUS_CLASS, *PPLUGPLAY_BUS_CLASS; typedef enum _PLUGPLAY_VIRTUAL_BUS_TYPE { Root, MaxPlugPlayVirtualBusType } PLUGPLAY_VIRTUAL_BUS_TYPE, *PPLUGPLAY_VIRTUAL_BUS_TYPE; typedef enum _INTERFACE_TYPE { InterfaceTypeUndefined = -1, Internal, Isa, Eisa, MicroChannel, TurboChannel, PCIBus, VMEBus, NuBus, PCMCIABus, CBus, MPIBus, MPSABus, ProcessorInternal, InternalPowerBus, PNPISABus, PNPBus, MaximumInterfaceType }INTERFACE_TYPE, *PINTERFACE_TYPE; typedef struct _PLUGPLAY_BUS_TYPE { PLUGPLAY_BUS_CLASS BusClass; union { INTERFACE_TYPE SystemBusType; PLUGPLAY_VIRTUAL_BUS_TYPE PlugPlayVirtualBusType; }; } PLUGPLAY_BUS_TYPE, *PPLUGPLAY_BUS_TYPE; typedef struct _PLUGPLAY_BUS_INSTANCE { PLUGPLAY_BUS_TYPE BusType; ULONG BusNumber; WCHAR BusName[MAX_BUS_NAME]; } PLUGPLAY_BUS_INSTANCE, *PPLUGPLAY_BUS_INSTANCE; typedef struct _SYSTEM_PLUGPLAY_BUS_INFORMATION { ULONG BusCount; PLUGPLAY_BUS_INSTANCE BusInstance[1]; } SYSTEM_PLUGPLAY_BUS_INFORMATION, *PSYSTEM_PLUGPLAY_BUS_INFORMATION; typedef enum _SYSTEM_DOCK_STATE { SystemDockStateUnknown, SystemUndocked, SystemDocked } SYSTEM_DOCK_STATE, *PSYSTEM_DOCK_STATE; typedef struct _SYSTEM_DOCK_INFORMATION { SYSTEM_DOCK_STATE DockState; INTERFACE_TYPE DeviceBusType; ULONG DeviceBusNumber; ULONG SlotNumber; } SYSTEM_DOCK_INFORMATION, *PSYSTEM_DOCK_INFORMATION; typedef struct 
_SYSTEM_POWER_INFORMATION // not for SystemPowerInfo ! { BOOLEAN SystemSuspendSupported; BOOLEAN SystemHibernateSupported; BOOLEAN ResumeTimerSupportsSuspend; BOOLEAN ResumeTimerSupportsHibernate; BOOLEAN LidSupported; BOOLEAN TurboSettingSupported; BOOLEAN TurboMode; BOOLEAN SystemAcOrDc; BOOLEAN PowerDownDisabled; LARGE_INTEGER SpindownDrives; } SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION; typedef struct _SYSTEM_PROCESSOR_SPEED_INFORMATION // not for SystemProcessorSpeedInformation ! { ULONG MaximumProcessorSpeed; ULONG CurrentAvailableSpeed; ULONG ConfiguredSpeedLimit; BOOLEAN PowerLimit; BOOLEAN ThermalLimit; BOOLEAN TurboLimit; } SYSTEM_PROCESSOR_SPEED_INFORMATION, *PSYSTEM_PROCESSOR_SPEED_INFORMATION; typedef struct _SYSTEM_TIME_ZONE_INFORMATION { LONG Bias; WCHAR StandardName[32]; TIME_FIELDS StandardDate; LONG StandardBias; WCHAR DaylightName[32]; TIME_FIELDS DaylightDate; LONG DaylightBias; } SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION; typedef struct _SYSTEM_LOOKASIDE { USHORT Depth; USHORT MaximumDepth; ULONG TotalAllocates; ULONG AllocateMisses; ULONG TotalFrees; ULONG FreeMisses; POOL_TYPE Type; ULONG Tag; ULONG Size; } SYSTEM_LOOKASIDE, *PSYSTEM_LOOKASIDE; typedef struct _SYSTEM_LOOKASIDE_INFORMATION { SYSTEM_LOOKASIDE asl[]; } SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; typedef struct _SYSTEM_SET_TIME_SLIP_EVENT { HANDLE TimeSlipEvent; } SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT; typedef struct _SYSTEM_CREATE_SESSION { ULONG Session; } SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION; typedef struct _SYSTEM_DELETE_SESSION { ULONG Session; } SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION; typedef struct _SYSTEM_RANGE_START_INFORMATION { PVOID SystemRangeStart; } SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION; // - NTAPI - // See also: WSK 1.2 NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation( __in SYSTEMINFOCLASS SystemInformationClass, __out PVOID pSystemInformation, __in ULONG 
uSystemInformationLength, __out_opt PULONG puReturnLength ); NTSYSAPI NTSTATUS NTAPI NtSetSystemInformation( __in SYSTEMINFOCLASS SystemInformationClass, __in PVOID pSystemInformation, __in ULONG uSystemInformationLength ); // Time functions NTSYSAPI NTSTATUS NTAPI NtQuerySystemTime( __out PLARGE_INTEGER SystemTime ); NTSYSAPI NTSTATUS NTAPI NtSetSystemTime( __in PLARGE_INTEGER NewTime, __out_opt PLARGE_INTEGER OldTime ); NTSYSAPI VOID NTAPI RtlTimeToTimeFields( __in PLARGE_INTEGER pliTime, __out PTIME_FIELDS pTimeFields ); NTSYSAPI BOOLEAN NTAPI RtlTimeFieldsToTime( __in PTIME_FIELDS pTimeFields, __out PLARGE_INTEGER pliTime ); NTSYSAPI VOID NTAPI RtlSecondsSince1970ToTime( __in ULONG SecondsSince1970, __out PLARGE_INTEGER Time ); NTSYSAPI VOID NTAPI RtlTimeToSecondsSince1970( __in PLARGE_INTEGER Time, __out PULONG SecondsSince1970 ); //Mutex functions NTSYSAPI NTSTATUS NTAPI NtCreateMutant( __out PHANDLE MutantHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes, BOOL InitialOwner ); NTSYSAPI NTSTATUS NTAPI NtOpenMutant( __out PHANDLE MutantHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes ); NTSYSAPI NTSTATUS NTAPI NtReleaseMutant( __in HANDLE hMutex, PULONG Optional ); // Event functions NTSYSAPI NTSTATUS NTAPI NtCreateEvent( __out PHANDLE EventHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes, DWORD AutoReset, DWORD InitialState ); NTSYSAPI NTSTATUS NTAPI NtOpenEvent( PHANDLE phEvent, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes ); NTSYSAPI NTSTATUS NTAPI NtClearEvent( __in HANDLE hEvent ); NTSYSAPI NTSTATUS NTAPI NtSetEvent( __in HANDLE hEvent, __out_opt PLONG plSignaled ); NTSYSAPI NTSTATUS NTAPI NtCreateSemaphore( __out PHANDLE SemaphoreHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __in LONG InitialCount, __in LONG MaximumCount ); NTSYSAPI NTSTATUS NTAPI NtOpenSemaphore( __out PHANDLE SemaphoreHandle, __in ACCESS_MASK DesiredAccess, __in 
POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI NtReleaseSemaphore( __in HANDLE SemaphoreHandle, __in LONG ReleaseCount, __out_opt PLONG PreviousCount ); typedef enum _SEMAPHORE_INFORMATION_CLASS { SemaphoreBasicInformation } SEMAPHORE_INFORMATION_CLASS; NTSYSAPI NTSTATUS NTAPI NtQuerySemaphore( __in HANDLE SemaphoreHandle, __in SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, __out PVOID SemaphoreInformation, __in ULONG SemaphoreInformationLength, __out_opt PULONG ResultLength ); typedef struct _SEMAPHORE_BASIC_INFORMATION { LONG CurrentCount; LONG MaximumCount; } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; // Directory and Symbolic Link functions NTSYSAPI NTSTATUS NTAPI NtCreateDirectoryObject( __out PHANDLE phDirectory, __in ACCESS_MASK AccessMask, __in POBJECT_ATTRIBUTES pObjectAttributes ); NTSYSAPI NTSTATUS NTAPI NtOpenDirectoryObject( __out PHANDLE DirectoryHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes ); typedef struct _DIRECTORY_CONTENTS { struct { UNICODE_STRING Name; UNICODE_STRING Type; } Entry[ANYSIZE_ARRAY]; } DIRECTORY_CONTENTS, *PDIRECTORY_CONTENTS; NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryObject( __in HANDLE DirectoryHandle, __out PDIRECTORY_CONTENTS Buffer, __in ULONG Length, __in BOOLEAN ReturnSingleEntry, __in BOOLEAN RestartScan, __inout PULONG Index, __out_opt PULONG ResultLength ); NTSYSAPI NTSTATUS NTAPI NtOpenSymbolicLinkObject( __out PHANDLE SymbolicLinkHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI NtQuerySymbolicLinkObject( __in HANDLE SymbolicLinkHandle, __out PUNICODE_STRING NameString, __out_opt PULONG ResultLength ); // File functions NTSYSAPI NTSTATUS NTAPI NtCreateFile( PHANDLE phFile, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes, PIO_STATUS_BLOCK pIoStatusBlock, PLARGE_INTEGER pliAllocationSize, ULONG uFileAttributes, ULONG uShareAccess, ULONG uCreateDisposition, ULONG uCreateOptions, 
PVOID pEaBuffer, ULONG uEaLength ); NTSYSAPI NTSTATUS NTAPI NtCreateNamedPipeFile( PHANDLE phFile, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes, PIO_STATUS_BLOCK pIoStatusBlock, ULONG uShareAccess, ULONG uCreateDisposition, ULONG uCreateOptions, BOOLEAN TypeMessage, BOOLEAN ReadModeMessage, BOOLEAN NonBlocking, ULONG MaxInstance, ULONG InBufferSize, ULONG OutBufferSize, PLARGE_INTEGER DefaultTimeout ); NTSYSAPI NTSTATUS NTAPI NtOpenFile( PHANDLE phFile, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES pObjectAttributes, PIO_STATUS_BLOCK pIoStatusBlock, ULONG uShareAccess, ULONG uOpenOptions ); NTSYSAPI NTSTATUS NTAPI NtDeleteFile( __in POBJECT_ATTRIBUTES pObjectAttributes ); typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, FileFullDirectoryInformation, // 2 FileBothDirectoryInformation, // 3 FileBasicInformation, // 4 FileStandardInformation, // 5 FileInternalInformation, // 6 FileEaInformation, // 7 FileAccessInformation, // 8 FileNameInformation, // 9 FileRenameInformation, // 10 FileLinkInformation, // 11 FileNamesInformation, // 12 FileDispositionInformation, // 13 FilePositionInformation, // 14 FileFullEaInformation, // 15 FileModeInformation, // 16 FileAlignmentInformation, // 17 FileAllInformation, // 18 FileAllocationInformation, // 19 FileEndOfFileInformation, // 20 FileAlternateNameInformation, // 21 FileStreamInformation, // 22 FilePipeInformation, // 23 FilePipeLocalInformation, // 24 FilePipeRemoteInformation, // 25 FileMailslotQueryInformation, // 26 FileMailslotSetInformation, // 27 FileCompressionInformation, // 28 FileObjectIdInformation, // 29 FileCompletionInformation, // 30 FileMoveClusterInformation, // 31 FileInformationReserved32, // 32 FileInformationReserved33, // 33 FileNetworkOpenInformation, // 34 FileAttributeTagInformation, // 35 FileTrackingInformation, // 36 FileIdBothDirectoryInformation, // 37 FileIdFullDirectoryInformation, // 38 FileValidDataLengthInformation, // 39 FileShortNameInformation, // 40 
FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; typedef struct _FILE_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; WCHAR FileName[1]; } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; typedef struct _FILE_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; WCHAR FileName[1]; } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; typedef struct _FILE_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; UCHAR ShortNameLength; WCHAR ShortName[12]; WCHAR FileName[1]; } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; typedef struct _FILE_ID_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName[12]; LARGE_INTEGER FileId; WCHAR FileName[1]; } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; typedef struct _FILE_ID_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG 
FileAttributes; ULONG FileNameLength; ULONG EaSize; LARGE_INTEGER FileId; WCHAR FileName[1]; } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; typedef struct _FILE_BASIC_INFORMATION { LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; ULONG FileAttributes; } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; typedef struct _FILE_STANDARD_INFORMATION { LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG NumberOfLinks; BOOLEAN DeletePending; BOOLEAN Directory; } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; typedef struct _FILE_INTERNAL_INFORMATION { LARGE_INTEGER IndexNumber; } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; typedef struct _FILE_EA_INFORMATION { ULONG EaSize; } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; typedef struct _FILE_ACCESS_INFORMATION { ACCESS_MASK AccessFlags; } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; typedef struct _FILE_NAME_INFORMATION { ULONG FileNameLength; WCHAR FileName[1]; } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; typedef struct _FILE_RENAME_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; typedef struct _FILE_LINK_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; typedef struct _FILE_NAMES_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; ULONG FileNameLength; WCHAR FileName[1]; } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; typedef struct _FILE_ALLOCATION_INFORMATION { LARGE_INTEGER AllocationSize; } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; typedef struct _FILE_COMPRESSION_INFORMATION { LARGE_INTEGER CompressedFileSize; USHORT CompressionFormat; UCHAR CompressionUnitShift; UCHAR ChunkShift; UCHAR ClusterShift; UCHAR Reserved[3]; } FILE_COMPRESSION_INFORMATION, 
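*PFILE_COMPRESSION_INFORMATION;

// FileCompletionInformation payload (by name): completion port and key for a file handle.
typedef struct _FILE_COMPLETION_INFORMATION {
    HANDLE Port;
    ULONG Key;
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;

// Query file metadata selected by FileInformationClass.
// FileInformation is an untyped buffer of Length bytes; the caller must size it for
// the chosen class (see the FILE_*_INFORMATION structs above).
NTSYSAPI NTSTATUS NTAPI NtQueryInformationFile(
    __in HANDLE FileHandle,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __out PVOID FileInformation,
    __in ULONG Length,
    __in FILE_INFORMATION_CLASS FileInformationClass
);

// Send an IOCTL to the driver behind FileHandle. Input/Output buffers are untyped and
// are only bounded by the explicit lengths; the control code alone selects what the
// driver expects, so size OutputBuffer for the specific IoControlCode.
NTSYSAPI NTSTATUS NTAPI NtDeviceIoControlFile(
    __in HANDLE FileHandle,
    __in_opt HANDLE Event,
    __in_opt PIO_APC_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in ULONG IoControlCode,
    __in_opt PVOID InputBuffer,
    __in ULONG InputBufferLength,
    __out_opt PVOID OutputBuffer,
    __in ULONG OutputBufferLength
);

// File-system control request; same buffer contract as NtDeviceIoControlFile,
// with FsControlCode in place of IoControlCode.
NTSYSAPI NTSTATUS NTAPI NtFsControlFile(
    __in HANDLE FileHandle,
    __in_opt HANDLE Event,
    __in_opt PIO_APC_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in ULONG FsControlCode,
    __in_opt PVOID InputBuffer,
    __in ULONG InputBufferLength,
    __out_opt PVOID OutputBuffer,
    __in ULONG OutputBufferLength
);

// Query volume information for the volume holding FileHandle; FsInformation is an
// untyped buffer of Length bytes sized for FsInformationClass.
NTSYSAPI NTSTATUS NTAPI NtQueryVolumeInformationFile(
    __in HANDLE FileHandle,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __out PVOID FsInformation,
    __in ULONG Length,
    __in FS_INFORMATION_CLASS FsInformationClass
);

// Flush buffered data for FileHandle.
NTSYSAPI NTSTATUS NTAPI NtFlushBuffersFile(
    __in HANDLE FileHandle,
    __out PIO_STATUS_BLOCK IoStatusBlock
);

// Process functions

// Pseudo-handle for the calling process ((HANDLE)-1, the value Win32's
// GetCurrentProcess() is documented to return). Kept as a function rather than a
// macro so the result is type-checked. Declared `static inline`: a bare `inline`
// in a header compiled as C99 provides no external definition and can fail to link
// when the compiler declines to inline; `static inline` is valid in both C and C++.
// (NtCurrentThread() further below is still a macro.)
static inline HANDLE NtCurrentProcess(void) { return (HANDLE)-1; }

// Open a process by client id. The AccessMask requested is what object auditing
// and security tooling observe; request only the rights the caller needs.
NTSYSAPI NTSTATUS NTAPI NtOpenProcess(
    __out PHANDLE phProcess,
    __in ACCESS_MASK AccessMask,
    __in POBJECT_ATTRIBUTES pObjectAttributes,
    __in PCLIENT_ID pClientId
);

// Create a process object. By name, InheritFromProcessHandle is the parent whose
// handles are duplicated when InheritHandles is TRUE, SectionHandle is the image
// section, and DebugPort/ExceptionPort are optional port handles — confirm against
// the caller before relying on any of these.
NTSYSAPI NTSTATUS NTAPI NtCreateProcess(
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in HANDLE InheritFromProcessHandle,
    __in BOOLEAN InheritHandles,
    __in_opt HANDLE SectionHandle,
    __in_opt HANDLE DebugPort,
    __in_opt HANDLE ExceptionPort
);

NTSYSAPI NTSTATUS NTAPI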
NtTerminateProcess(
    __in HANDLE ProcessHandle,
    __in DWORD ExitCode
);

// Information classes for NtQueryInformationProcess / NtSetInformationProcess.
// Numeric values follow from declaration order (ProcessBasicInformation == 0).
typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation,
    ProcessQuotaLimits,          // QUOTA_LIMITS
    ProcessIoCounters,           // IOCOUNTERS
    ProcessVmCounters,           // VM_COUNTERS
    ProcessTimes,                // KERNEL_USER_TIMES
    ProcessBasePriority,         // BASE_PRIORITY_INFORMATION
    ProcessRaisePriority,
    ProcessDebugPort,            // 7; PROCESS_DEBUG_PORT_INFORMATION
    ProcessExceptionPort,
    ProcessAccessToken,          // 9; PROCESS_ACCESS_TOKEN (set only, security-sensitive)
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,       // Note: this is kernel mode only
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,         // 16; PROCESS_IOPL
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,         // AFFINITY_MASK
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,     // 26
    MaxProcessInfoClass
} PROCESSINFOCLASS;

// ProcessBasicInformation payload.
// NOTE(review): the two id fields are ULONG; on 64-bit Windows they are pointer-sized,
// so this layout assumes a 32-bit build — confirm before use from x64.
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;   // address of the process environment block in the target
    KAFFINITY AffinityMask;
    KPRIORITY BasePriority;
    ULONG uUniqueProcessId;
    ULONG uInheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _PROCESS_RAISE_PRIORITY {
    KPRIORITY RaisePriority;
} PROCESS_RAISE_PRIORITY, *PPROCESS_RAISE_PRIORITY;

// ProcessDebugPort payload. Querying this class is a widely used debugger-presence
// check (a non-zero port means a debugger is attached — from public references,
// not derivable from this header); expect to see it in protected software.
typedef struct _PROCESS_DEBUG_PORT_INFORMATION {
    HANDLE DebugPort;
} PROCESS_DEBUG_PORT_INFORMATION, *PPROCESS_DEBUG_PORT_INFORMATION;

typedef struct _PROCESS_EXCEPTION_PORT {
    HANDLE ExceptionPort;
} PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT;

// ProcessAccessToken payload: replaces the target's primary token. Assigning a
// primary token is privilege-gated by the kernel (typically SeAssignPrimaryTokenPrivilege
// — confirm); treat any use of this class as a privileged operation worth auditing.
typedef struct _PROCESS_ACCESS_TOKEN {
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

// Guard name presumably shared with winnt.h, so whichever header is included first
// supplies the definition (this file deliberately redefines winnt.h content, see top).
#ifndef _LDT_ENTRY_DEFINED
#define _LDT_ENTRY_DEFINED
typedef struct _LDT_ENTRY {
    USHORT LimitLow;
    USHORT BaseLow;
    union {
        struct {
            UCHAR BaseMid;
            UCHAR Flags1; // Declare as bytes to avoid alignment
            UCHAR Flags2; // Problems.
            UCHAR BaseHi;
        } Bytes;
        // Bit-field view of the same high dword (x86 segment-descriptor layout).
        struct {
            ULONG BaseMid : 8;
            ULONG Type : 5;
            ULONG Dpl : 2;
            ULONG Pres : 1;
            ULONG LimitHi : 4;
            ULONG Sys : 1;
            ULONG Reserved_0 : 1;
            ULONG Default_Big : 1;
            ULONG Granularity : 1;
            ULONG BaseHi : 8;
        } Bits;
    } HighWord;
} LDT_ENTRY, *PLDT_ENTRY;
#endif // _LDT_ENTRY_DEFINED

// Size in bytes of a full LDT: 8K descriptors.
#define LDT_TABLE_SIZE (8 * 1024 * sizeof(LDT_ENTRY))

// ProcessLdtInformation payload: a byte range of the LDT followed by its entries.
typedef struct _LDT_INFORMATION {
    ULONG Start;
    ULONG Length;
    LDT_ENTRY LdtEntries[1]; // variable length
} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;

// ProcessLdtSize payload.
typedef struct _LDT_SIZE {
    ULONG Length;
} PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE;

typedef struct _PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION {
    ULONG HardErrorMode; // SEM_* (SEM_FAILCRITICALERRORS, etc.)
} PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION, *PPROCESS_DEFAULT_HARDERROR_MODE_INFORMATION;

typedef struct _PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION {
    ULONG PeakPagedPoolUsage;
    ULONG PagedPoolUsage;
    ULONG PagedPoolLimit;
    ULONG PeakNonPagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG NonPagedPoolLimit;
    ULONG PeakPagefileUsage;
    ULONG PagefileUsage;
    ULONG PagefileLimit;
} PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION, *PPROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION;

// ProcessWorkingSetWatch record: faulting instruction and faulting address.
typedef struct _PROCESS_WS_WATCH_INFORMATION {
    PVOID FaultingPc;
    PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;

// ProcessUserModeIOPL payload. Granting user-mode I/O privilege level is
// privilege-gated by the kernel (SeTcbPrivilege per public references — confirm);
// it is a security-relevant setting, not a tuning knob.
typedef struct _PROCESS_IOPL {
    ULONG Iopl;
} PROCESS_IOPL, *PPROCESS_IOPL;

// (Identifier spelling "ALLIGNMENT" is the original's; kept for ABI/source compatibility.)
typedef struct _PROCESS_ALLIGNMENT_FAULT_FIXUP {
    BOOLEAN EnableAllignmentFaultFixup;
} PROCESS_ALLIGNMENT_FAULT_FIXUP, *PPROCESS_ALLIGNMENT_FAULT_FIXUP;

// Kernel priority-class codes; presumably the values carried in
// PROCESS_PRIORITY_CLASS_INFORMATION.PriorityClass (note they differ from the
// Win32 *_PRIORITY_CLASS flag values).
#define KRNL_NORMAL_PRIORITY_CLASS 0x02
#define KRNL_IDLE_PRIORITY_CLASS 0x01
#define KRNL_HIGH_PRIORITY_CLASS 0x03
#define KRNL_REALTIME_PRIORITY_CLASS 0x04

typedef struct _PROCESS_PRIORITY_CLASS_INFORMATION {
    UCHAR Unknown;
    UCHAR PriorityClass; // KRNL_*_PRIORITY_CLASS (presumably)
} PROCESS_PRIORITY_CLASS_INFORMATION, *PPROCESS_PRIORITY_CLASS_INFORMATION;

typedef struct _PROCESS_X86_INFORMATION {
    ULONG x86Info;
} PROCESS_X86_INFORMATION, *PPROCESS_X86_INFORMATION;

typedef struct
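_PROCESS_HANDLE_COUNT_INFORMATION {
    ULONG HandleCount;
} PROCESS_HANDLE_COUNT_INFORMATION, *PPROCESS_HANDLE_COUNT_INFORMATION;

typedef struct _PROCESS_PRIORITY_BOOST_INFORMATION {
    ULONG PriorityBoostEnabled;
} PROCESS_PRIORITY_BOOST_INFORMATION, *PPROCESS_PRIORITY_BOOST_INFORMATION;

// ProcessDeviceMap payload: the Set view carries a directory handle, the Query view
// a drive bitmap plus a per-drive type byte (32 entries, one per drive letter slot).
typedef struct _PROCESS_DEVICE_MAP_INFORMATION {
    union {
        struct {
            HANDLE DirectoryHandle;
        } Set;
        struct {
            ULONG DriveMap;
            UCHAR DriveType[32];
        } Query;
    };
} PROCESS_DEVICE_MAP_INFORMATION, *PPROCESS_DEVICE_MAP_INFORMATION;

typedef struct _PROCESS_SESSION_INFORMATION {
    ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;

// Query a process attribute selected by ProcessInformationClass into an untyped
// buffer of uProcessInformationLength bytes; puReturnLength receives the size needed.
NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(
    __in HANDLE hProcess,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out PVOID pProcessInformation,
    __in ULONG uProcessInformationLength,
    __out_opt PULONG puReturnLength
);

// Set a process attribute. pProcessInformation is *read* by this call (the
// original declaration annotated it __out, which contradicts the Set semantics and
// the matching NtSetSystemInformation declaration above). Several classes reachable
// here (ProcessAccessToken, ProcessUserModeIOPL) are privilege-gated; see their structs.
NTSYSAPI NTSTATUS NTAPI NtSetInformationProcess(
    __in HANDLE hProcess,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __in PVOID pProcessInformation,
    __in ULONG uProcessInformationLength
);

// Build a PROCESS_PARAMETERS block from the given strings; the caller owns the
// result and releases it with RtlDestroyProcessParameters.
NTSTATUS NTAPI RtlCreateProcessParameters(
    __out PPROCESS_PARAMETERS *ProcessParameters,
    __in PUNICODE_STRING ImageFile,
    __in_opt PUNICODE_STRING DllPath,
    __in_opt PUNICODE_STRING CurrentDirectory,
    __in_opt PUNICODE_STRING CommandLine,
    __in ULONG CreationFlags,
    __in_opt PUNICODE_STRING WindowTitle,
    __in_opt PUNICODE_STRING Desktop,
    __in_opt PUNICODE_STRING Reserved,
    __in_opt PUNICODE_STRING Reserved2
);

// Release a block obtained from RtlCreateProcessParameters.
NTSTATUS NTAPI RtlDestroyProcessParameters(
    __in PPROCESS_PARAMETERS ProcessParameters
);

// jichi 9/28/2013
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Executable%20Images/RtlCreateUserThread.html
// See: http://waleedassar.blogspot.com/2012/06/createremotethread-vs.html
// Creates a thread in ProcessHandle (which may be another process). Cross-process
// thread creation is a primary signal for endpoint security tooling; keep call sites
// auditable and request only the process rights needed to reach this call.
// StackReserved/StackCommit are in/out: the caller's requested sizes are replaced by
// the granted ones (by annotation — confirm). The declaration continues on the next line.
NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread(
    __in HANDLE ProcessHandle,
    __in_opt PSECURITY_DESCRIPTOR SecurityDescriptor,
    __in BOOLEAN CreateSuspended,
    __in ULONG StackZeroBits,
    __inout PULONG StackReserved,
    __inout PULONG StackCommit,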
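    __in PVOID StartAddress,
    __in_opt PVOID StartParameter,
    __out PHANDLE ThreadHandle,
    __out PCLIENT_ID ClientID
);

// Thread functions

// Pseudo-handle for the calling thread ((HANDLE)-2). Kept as a macro as in the
// original; NtCurrentProcess() above is an inline function.
#define NtCurrentThread() ((HANDLE) -2)

// Stack description passed to NtCreateThread (fixed plus expandable regions, by name).
typedef struct _USER_STACK {
    PVOID FixedStackBase;
    PVOID FixedStackLimit;
    PVOID ExpandableStackBase;
    PVOID ExpandableStackLimit;
    PVOID ExpandableStackBottom;
} USER_STACK, *PUSER_STACK;

/* Older INITIAL_TEB layout, retained by the original author for reference:
typedef struct _INITIAL_TEB {
    struct {
        PVOID OldStackBase;
        PVOID OldStackLimit;
    } OldInitialTeb;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackAllocationBase;
} INITIAL_TEB, *PINITIAL_TEB;
*/
// INITIAL_TEB is aliased to USER_STACK. The tag alias needs the `struct` keyword:
// `typedef _USER_STACK _INITIAL_TEB;` only compiles as C++ (where a tag is a type
// name); with it the alias is valid in both C and C++ and means the same thing.
typedef struct _USER_STACK _INITIAL_TEB;
typedef USER_STACK INITIAL_TEB;
typedef PUSER_STACK PINITIAL_TEB;

// Create a thread from an explicit CONTEXT and USER_STACK in ProcessHandle.
NTSYSAPI NTSTATUS NTAPI NtCreateThread(
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in HANDLE ProcessHandle,
    __out PCLIENT_ID ClientId,
    __in PCONTEXT ThreadContext,
    __in PUSER_STACK UserStack,
    __in BOOLEAN CreateSuspended
);

// Function-pointer type matching NtCreateThread, for resolution via GetProcAddress.
typedef NTSTATUS (WINAPI *FpNtCreateThread)(
    __out PHANDLE ThreadHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in HANDLE ProcessHandle,
    __out PCLIENT_ID ClientId,
    __in PCONTEXT ThreadContext,
    __in PUSER_STACK UserStack,
    __in BOOLEAN CreateSuspended
);

// Attribute buffer handed to NtCreateThreadEx. The Unknown3/Unknown7 pointers are
// filled in by the kernel (their targets receive the stack sizes, per the original
// comments); everything else is caller-supplied. Field meanings beyond the comments
// are not established by this header.
typedef struct _NtCreateThreadExBuffer{
    ULONG Size;      // total size of this buffer — the original read "sizeof(NtCreateThreadEx)"; sizeof(NtCreateThreadExBuffer) appears intended, confirm against callers
    ULONG Unknown1;
    ULONG Unknown2;
    PULONG Unknown3; // &dw1: SizeOfStackCommit
    ULONG Unknown4;
    ULONG Unknown5;
    ULONG Unknown6;
    PULONG Unknown7; // &dw2: SizeOfStackReserve
    ULONG Unknown8;
} NtCreateThreadExBuffer, *PNtCreateThreadExBuffer;

// jichi 9/28/2013: An alternative way to create thread on Windows Vista and later
// ObjectAttributes and lpBytesBuffer are typed LPVOID here; lpBytesBuffer is
// annotated __out, but the NtCreateThreadExBuffer above is prepared by the caller,
// so treat it as in/out (NOTE(review): confirm). As with RtlCreateUserThread, a
// ProcessHandle other than the caller's own is the cross-process thread creation
// that endpoint security products monitor.
NTSYSAPI NTSTATUS NTAPI NtCreateThreadEx (
    __out PHANDLE hThread,
    __in ACCESS_MASK DesiredAccess,
    __in LPVOID ObjectAttributes,
    __in HANDLE ProcessHandle,
    __in LPTHREAD_START_ROUTINE lpStartAddress,
    __in LPVOID lpParameter,
    __in BOOL CreateSuspended,
    __in ULONG StackZeroBits,
    __in ULONG SizeOfStackCommit,
    __in ULONG SizeOfStackReserve,
    __out LPVOID lpBytesBuffer
);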
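// Function-pointer type matching NtCreateThreadEx (resolve it at runtime on
// systems where the export may be absent).
typedef NTSTATUS (WINAPI *FpNtCreateThreadEx) (
    __out PHANDLE hThread,
    __in ACCESS_MASK DesiredAccess,
    __in LPVOID ObjectAttributes,
    __in HANDLE ProcessHandle,
    __in LPTHREAD_START_ROUTINE lpStartAddress,
    __in LPVOID lpParameter,
    __in BOOL CreateSuspended,
    __in ULONG StackZeroBits,
    __in ULONG SizeOfStackCommit,
    __in ULONG SizeOfStackReserve,
    __out LPVOID lpBytesBuffer
);

// Open a thread by CLIENT_ID (process id + thread id) with AccessMask rights.
NTSYSAPI NTSTATUS NTAPI NtOpenThread(
    __out PHANDLE phThread,
    __in ACCESS_MASK AccessMask,
    __in POBJECT_ATTRIBUTES pObjectAttributes,
    __in PCLIENT_ID pClientId
);

// ThreadHandle is optional: a NULL handle terminates the calling thread.
NTSYSAPI NTSTATUS NTAPI NtTerminateThread(
    __in_opt HANDLE ThreadHandle,
    __in NTSTATUS ExitStatus
);

NTSYSAPI NTSTATUS NTAPI NtSuspendThread(
    __in HANDLE ThreadHandle,
    __out_opt PULONG PreviousSuspendCount
);

NTSYSAPI NTSTATUS NTAPI NtResumeThread(
    __in HANDLE ThreadHandle,
    __out_opt PULONG PreviousSuspendCount
);

typedef NTSTATUS (WINAPI * LpNtResumeThread)(
    __in HANDLE ThreadHandle,
    __out_opt PULONG PreviousSuspendCount
);

NTSYSAPI NTSTATUS NTAPI RtlExitUserThread(
    __in DWORD ExitCode
);

// Selector for NtQueryInformationThread / NtSetInformationThread. Trailing
// comments name the payload type where the original author recorded it.
// ThreadHideFromDebugger is the class commonly used as an anti-debugging
// measure (its payload below is a single ULONG flag).
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation,
    ThreadTimes, // KERNEL_USER_TIMES
    ThreadPriority,
    ThreadBasePriority, // BASE_PRIORITY_INFORMATION
    ThreadAffinityMask, // AFFINITY_MASK
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending, // W2K
    ThreadHideFromDebugger, // W2K
    MaxThreadInfoClass
} THREADINFOCLASS;

typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PTEB TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

typedef struct _THREAD_PRIORITY {
    KPRIORITY Priority;
} THREAD_PRIORITY, *PTHREAD_PRIORITY;

typedef struct _THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION {
    ULONG Selector;
    LDT_ENTRY Descriptor;
} THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION, *PTHREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION;

typedef struct _THREAD_EVENTPAIR {
    HANDLE EventPair;
} THREAD_EVENTPAIR, *PTHREAD_EVENTPAIR;

typedef struct _THREAD_WIN32_START_ADDRESS_INFORMATION {
    PVOID Win32StartAddress;
} THREAD_WIN32_START_ADDRESS_INFORMATION, *PTHREAD_WIN32_START_ADDRESS_INFORMATION;

typedef struct _THREAD_ZERO_TLSCELL {
    ULONG TlsIndex;
} THREAD_ZERO_TLSCELL, *PTHREAD_ZERO_TLSCELL;

typedef struct _THREAD_PERFORMANCE_COUNTER_INFORMATION {
    ULONG Count1;
    ULONG Count2;
} THREAD_PERFORMANCE_COUNTER_INFORMATION, *PTHREAD_PERFORMANCE_COUNTER_INFORMATION;

typedef struct _THREAD_AMI_LAST_THREAD {
    ULONG AmILastThread;
} THREAD_AMI_LAST_THREAD, *PTHREAD_AMI_LAST_THREAD;

typedef struct _THREAD_IDEAL_PROCESSOR {
    ULONG IdealProcessor;
} THREAD_IDEAL_PROCESSOR, *PTHREAD_IDEAL_PROCESSOR;

typedef struct _THREAD_TLS_ARRAY {
    PULONG TlsArray;
} THREAD_TLS_ARRAY, *PTHREAD_TLS_ARRAY;

typedef struct _THREAD_IS_IO_PENDING_INFORMATION {
    ULONG IsIOPending;
} THREAD_IS_IO_PENDING_INFORMATION, *PTHREAD_IS_IO_PENDING_INFORMATION;

typedef struct _THREAD_HIDE_FROM_DEBUGGER {
    ULONG HideFromDebugger;
} THREAD_HIDE_FROM_DEBUGGER, *PTHREAD_HIDE_FROM_DEBUGGER;

// Query a thread attribute into pThreadInformation (uThreadInformationLength
// bytes); puReturnLength, when supplied, receives the reported length.
NTSYSAPI NTSTATUS NTAPI NtQueryInformationThread(
    __in HANDLE hThread,
    __in THREADINFOCLASS ThreadInformationClass,
    __out PVOID pThreadInformation,
    __in ULONG uThreadInformationLength,
    __out_opt PULONG puReturnLength
);

// Set a thread attribute. The information buffer is an input and is now
// annotated __in (it was mislabelled __out), consistent with
// NtSetInformationObject later in this header.
NTSYSAPI NTSTATUS NTAPI NtSetInformationThread(
    __in HANDLE hThread,
    __in THREADINFOCLASS ThreadInformationClass,
    __in PVOID pThreadInformation,
    __in ULONG uthreadInformationLength
);

// Token / impersonation primitives. Impersonation swaps the calling thread's
// security context; pair every successful call with a revert when done.
NTSYSAPI NTSTATUS NTAPI NtOpenThreadToken(
    __in HANDLE hThread,
    __in ACCESS_MASK DesiredAccess,
    __in BOOLEAN bOpenAsSelf,
    __out PHANDLE phToken
);

NTSYSAPI NTSTATUS NTAPI NtImpersonateThread(
    __in HANDLE ThreadHandle,
    __in HANDLE TargetThreadHandle,
    __in PSECURITY_QUALITY_OF_SERVICE SecurityQos
);

// Register-context access. NtSetContextThread rewrites another thread's
// registers (including the instruction pointer) and is a hijacking primitive;
// the target is normally suspended first.
NTSYSAPI NTSTATUS NTAPI NtGetContextThread(
    __in HANDLE ThreadHandle,
    __out PCONTEXT Context
);

NTSYSAPI NTSTATUS NTAPI NtSetContextThread(
    __in HANDLE ThreadHandle,
    __in PCONTEXT Context
);

// Queue a user-mode APC: ApcRoutine runs on ThreadHandle's thread with
// (ApcContext, Argument1, Argument2). APC injection primitive.
NTSYSAPI NTSTATUS NTAPI NtQueueApcThread(
    __in HANDLE ThreadHandle,
    __in PKNORMAL_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __in_opt PVOID Argument1,
    __in_opt PVOID Argument2
);

NTSYSAPI NTSTATUS NTAPI NtImpersonateAnonymousToken(
    __in HANDLE hThread
);

// Section objects. Protect/Attributes are the page-protection and SEC_* values;
// FileHandle backs the section with a file.
// NOTE(review): FileHandle is declared __in; other references treat it as
// optional (NULL for a pagefile-backed section) — confirm before relying on it.
NTSYSAPI NTSTATUS NTAPI NtCreateSection(
    __out PHANDLE SectionHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PLARGE_INTEGER SectionSize,
    __in ULONG Protect,
    __in ULONG Attributes,
    __in HANDLE FileHandle
);

NTSYSAPI NTSTATUS NTAPI NtOpenSection(
    __out PHANDLE SectionHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes
);

typedef enum _SECTION_INFORMATION_CLASS {
    SectionBasicInformation,
    SectionImageInformation
} SECTION_INFORMATION_CLASS;

NTSYSAPI NTSTATUS NTAPI NtQuerySection(
    __in HANDLE SectionHandle,
    __in SECTION_INFORMATION_CLASS SectionInformationClass,
    __out PVOID SectionInformation,
    __in ULONG SectionInformationLength,
    __out_opt PULONG ResultLength
);

typedef struct _SECTION_BASIC_INFORMATION {
    PVOID BaseAddress;
    ULONG Attributes;
    LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

// Image header summary for an image-backed section. Several fields are
// unnamed, and StackReserve/StackCommit are ULONG — assume this layout was
// captured on 32-bit Windows and verify before use on x64.
typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID EntryPoint;
    ULONG Unknown1;
    ULONG StackReserve;
    ULONG StackCommit;
    ULONG Subsystem;
    USHORT MinorSubsystemVersion;
    USHORT MajorSubsystemVersion;
    ULONG Unknown2;
    ULONG Characteristics;
    USHORT ImageNumber;
    BOOLEAN Executable;
    UCHAR Unknown3;
    ULONG Unknown4[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

NTSYSAPI NTSTATUS NTAPI NtExtendSection(
    __in HANDLE SectionHandle,
    __in PLARGE_INTEGER SectionSize
);

NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection(
    __in HANDLE hProcess,
    __in PVOID pBaseAddress
);

// NOTE(review): fAlertable is BOOL here while the other wait/delay prototypes in
// this header (e.g. NtDelayExecution) use BOOLEAN; harmless for TRUE/FALSE
// arguments but worth confirming against the real export.
NTSYSAPI NTSTATUS NTAPI NtWaitForSingleObject(
    __in HANDLE hObject,
    __in BOOL fAlertable,
    __in PLARGE_INTEGER pliTimeout // NULL = infinite
);

// Object functions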
/* Information classes accepted by NtQueryObject / NtSetInformationObject.
 * The two trailing flags per entry come from the original author and appear
 * to mean "query supported / set supported"; treat them as unverified. */
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,     // 0 Y N
    ObjectNameInformation,      // 1 Y N
    ObjectTypeInformation,      // 2 Y N
    ObjectAllTypesInformation,  // 3 Y N
    ObjectHandleInformation     // 4 Y Y
} OBJECT_INFORMATION_CLASS;

/* Payload for ObjectBasicInformation. The *Length members give the buffer
 * sizes needed for the name, type and security-descriptor queries. */
typedef struct _OBJECT_BASIC_INFORMATION {
    ULONG         Attributes;
    ACCESS_MASK   GrantedAccess;
    ULONG         HandleCount;
    ULONG         PointerCount;
    ULONG         PagedPoolUsage;
    ULONG         NonPagedPoolUsage;
    ULONG         Reserved[3];
    ULONG         NameInformationLength;
    ULONG         TypeInformationLength;
    ULONG         SecurityDescriptorLength;
    LARGE_INTEGER CreateTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

/* Payload for ObjectNameInformation; the string's buffer follows the header,
 * so size the query buffer larger than sizeof(UNICODE_STRING). */
typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

/* Payload for ObjectTypeInformation (one object type). */
typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING  Name;
    ULONG           ObjectCount;
    ULONG           HandleCount;
    ULONG           Reserved1[4];
    ULONG           PeakObjectCount;
    ULONG           PeakHandleCount;
    ULONG           Reserved2[4];
    ULONG           InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG           ValidAccess;
    UCHAR           Unknown;
    BOOLEAN         MaintainHandleDatabase;
    UCHAR           Reserved3[2];
    POOL_TYPE       PoolType;
    ULONG           PagedPoolUsage;
    ULONG           NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

/* Payload for ObjectAllTypesInformation: NumberOfTypes entries follow, of which
 * only the first is declared here (each carries its own variable-length Name). */
typedef struct _OBJECT_ALL_TYPES_INFORMATION {
    ULONG                   NumberOfTypes;
    OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;

/* Payload for ObjectHandleInformation (queryable and settable): inheritance
 * across process creation and protection from NtClose. */
typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION {
    BOOLEAN Inherit;
    BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION;

/* Query ObjectInformationClass for ObjectHandle into ObjectInformation
 * (ObjectInformationLength bytes). ReturnLength, if given, receives the
 * reported length; re-query with that size on a too-small buffer. */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryObject(
    __in     HANDLE                   ObjectHandle,
    __in     OBJECT_INFORMATION_CLASS ObjectInformationClass,
    __out    PVOID                    ObjectInformation,
    __in     ULONG                    ObjectInformationLength,
    __out_opt PULONG                  ReturnLength
);

/* Change a settable class (per the table above, ObjectHandleInformation). */
NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationObject(
    __in HANDLE                   ObjectHandle,
    __in OBJECT_INFORMATION_CLASS ObjectInformationClass,
    __in PVOID                    ObjectInformation,
    __in ULONG                    ObjectInformationLength
);

/* Duplicate SourceHandle from SourceProcessHandle into TargetProcessHandle.
 * Both target arguments are optional; DesiredAccess, HandleAttributes and
 * Options shape the new handle. A cross-process duplicate grants the target
 * whatever access the new handle carries, so keep DesiredAccess minimal. */
NTSYSAPI
NTSTATUS
NTAPI
NtDuplicateObject(
    __in      HANDLE      SourceProcessHandle,
    __in      HANDLE      SourceHandle,
    __in_opt  HANDLE      TargetProcessHandle,
    __out_opt PHANDLE     TargetHandle,
    __in      ACCESS_MASK DesiredAccess,
    __in      ULONG       HandleAttributes,
    __in      ULONG       Options
);

/* Read the security descriptor parts selected by SecurityInformation for any
 * object handle (not only files) into a Length-byte buffer. */
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySecurityObject(
    __in  HANDLE               Handle,
    __in  SECURITY_INFORMATION SecurityInformation,
    __out PSECURITY_DESCRIPTOR SecurityDescriptor,
    __in  ULONG                Length,
    __out PULONG               ResultLength
);

/* Replace the selected security descriptor parts of an object handle. */
NTSYSAPI
NTSTATUS
NTAPI
NtSetSecurityObject(
    __in HANDLE               Handle,
    __in SECURITY_INFORMATION SecurityInformation,
    __in PSECURITY_DESCRIPTOR SecurityDescriptor
);

// Memory management functions

/* Reserve and/or commit memory in ProcessHandle's address space. BaseAddress and
 * AllocationSize are rounded by the call and written back. Requesting a
 * writable+executable Protect is the classic shellcode staging step. */
NTSYSAPI
NTSTATUS
NTAPI
NtAllocateVirtualMemory(
    __in    HANDLE ProcessHandle,
    __inout PVOID  *BaseAddress,
    __in    ULONG  ZeroBits,
    __inout PULONG AllocationSize,
    __in    ULONG  AllocationType,
    __in    ULONG  Protect
);

typedef enum _MEMORY_INFORMATION_CLASS {
    MemoryBasicInformation,
    MemoryWorkingSetList,
    MemorySectionName,
    MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;

/* Describe the region at BaseAddress. ReturnLength is optional. */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryVirtualMemory(
    __in  HANDLE                   ProcessHandle,
    __in  PVOID                    BaseAddress,
    __in  MEMORY_INFORMATION_CLASS MemoryInformationClass,
    __out PVOID                    MemoryInformation,
    __in  ULONG                    MemoryInformationLength,
    __out PULONG                   ReturnLength OPTIONAL
);

/* Unload a module previously obtained from LdrLoadDll / LdrGetDllHandle. */
NTSYSAPI
NTSTATUS
NTAPI
LdrUnloadDll(
    __in HANDLE ModuleHandle
);

/* Defined in Winnt.h
typedef struct _MEMORY_BASIC_INFORMATION {
    PVOID BaseAddress;
    PVOID AllocationBase;
    ULONG AllocationProtect;
    ULONG RegionSize;
    ULONG State;
    ULONG Protect;
    ULONG Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
*/

/* Payload for MemoryWorkingSetList: NumberOfPages entries follow the count. */
typedef struct _MEMORY_WORKING_SET_LIST {
    ULONG NumberOfPages;
    ULONG WorkingSetList[1];
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;

/* Bit-packed working-set entry (5+3+1+3+20 = 32 bits). */
typedef struct _WORKING_SET_LIST{
    ULONG_PTR Protection  : 5;
    ULONG_PTR ShareCount  : 3;
    ULONG_PTR Shared      : 1;
    ULONG_PTR Reserved    : 3;
    ULONG_PTR VirtualPage : 20;
} WORKING_SET_LIST, *PWORKING_SET_LIST;

/* Payload for MemorySectionName: the backing file of a mapped region. */
typedef struct _MEMORY_SECTION_NAME {
    UNICODE_STRING SectionFileName;
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
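// Cross-process memory access. Read/Write copy BufferLength bytes between the
// local Buffer and BaseAddress in ProcessHandle's address space; ReturnLength,
// if given, receives the byte count actually transferred. Together with
// NtAllocateVirtualMemory and the thread-creation calls these are the standard
// injection primitives.
NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemory(
    __in HANDLE ProcessHandle,
    __in PVOID BaseAddress,
    __out PVOID Buffer,
    __in ULONG BufferLength,
    __out PULONG ReturnLength OPTIONAL
);

NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory(
    __in HANDLE ProcessHandle,
    __in PVOID BaseAddress,
    __in PVOID Buffer,
    __in ULONG BufferLength,
    __out PULONG ReturnLength OPTIONAL
);

// Change page protection; BaseAddress/ProtectSize are rounded to page bounds
// and written back, and the prior protection is returned in OldProtect.
NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __inout PULONG ProtectSize,
    __in ULONG NewProtect,
    __out PULONG OldProtect
);

NTSYSAPI NTSTATUS NTAPI NtFlushVirtualMemory(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __inout PULONG FlushSize,
    __out PIO_STATUS_BLOCK IoStatusBlock
);

// Ldr Functions

NTSYSAPI NTSTATUS NTAPI LdrDisableThreadCalloutsForDll(
    __in HANDLE hModule
);

// NOTE(review): pwPath is typed PWORD; other references give it as a search-path
// string (PWSTR). Pointer-sized either way, so NULL is safe — confirm before
// passing a real path.
NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle(
    __in PWORD pwPath OPTIONAL,
    __in PVOID Unused OPTIONAL,
    __in PUNICODE_STRING ModuleFileName,
    __out PHANDLE pHModule
);

// Resolve an export by ANSI name or, when FunctionName is NULL, by Ordinal.
NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddress(
    __in HMODULE ModuleHandle,
    __in PANSI_STRING FunctionName OPTIONAL,
    __in WORD Ordinal OPTIONAL,
    __out PVOID *FunctionAddress
);

// Map a DLL by name; ModuleFileName is resolved through the loader's search
// order, so pass a full path when the intent is to load a specific file.
// NOTE(review): Flags is declared as a ULONG value; other references declare it
// as a pointer (PULONG). Passing 0 works with both; anything else needs
// confirming against the target ntdll.
NTSYSAPI NTSTATUS NTAPI LdrLoadDll(
    __in PWCHAR PathToFile OPTIONAL,
    __in ULONG Flags OPTIONAL,
    __in PUNICODE_STRING ModuleFileName,
    __out PHANDLE ModuleHandle
);

// Modified from ntdef.h
// Compile-time UNICODE_STRING/ANSI_STRING initialiser support. The C++ overloads
// exist only to be used inside sizeof(): they reject non-string arguments at
// compile time and strip const from the literal for the Buffer member.
#ifdef __cplusplus
extern "C++" {
char _RTL_CONSTANT_STRING_type_check(const char *s);
char _RTL_CONSTANT_STRING_type_check(const WCHAR *s);
// __typeof would be desirable here instead of sizeof.
template <size_t N> class _RTL_CONSTANT_STRING_remove_const_template_class;
template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(char)> {public: typedef char T; };
template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(WCHAR)> {public: typedef WCHAR T; };
#define _RTL_CONSTANT_STRING_remove_const_macro(s) \
    (const_cast<_RTL_CONSTANT_STRING_remove_const_template_class<sizeof((s)[0])>::T*>(s))
} // extern "C++"
#else
char _RTL_CONSTANT_STRING_type_check(const void *s);
#define _RTL_CONSTANT_STRING_remove_const_macro(s) (s)
#endif // __cplusplus

// Initialiser for a counted string from a string literal or char/WCHAR array:
// Length = bytes excluding the terminator, MaximumLength = full array size
// (the type_check call returns char, so its sizeof is 1). Only valid on arrays;
// a pointer argument would yield sizeof(pointer) and a bogus length.
#define RTL_CONSTANT_STRING(s) \
{ \
    sizeof( s ) - sizeof( (s)[0] ), \
    sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
    _RTL_CONSTANT_STRING_remove_const_macro(s) \
}

// Rtl String Functions

// Point DestinationString at SourceString (no copy); the source must outlive it.
NTSYSAPI VOID NTAPI RtlInitUnicodeString (
    __out PUNICODE_STRING DestinationString,
    __in PCWSTR SourceString
);

// Allocating copy; release with RtlFreeUnicodeString.
// NOTE(review): declared VOID here; other references return BOOLEAN (FALSE on
// allocation failure). As declared, a failure cannot be detected — confirm.
NTSYSAPI VOID NTAPI RtlCreateUnicodeString(
    __out PUNICODE_STRING AllocatedString,
    __in PCWSTR SourceString
);

NTSYSAPI VOID NTAPI RtlFreeUnicodeString(
    __in PUNICODE_STRING UnicodeString
);

NTSYSAPI ULONG NTAPI RtlAnsiStringToUnicodeSize(
    __in PANSI_STRING AnsiString
);

// When AllocateDestinationString is FALSE the caller's Buffer/MaximumLength are
// used and the call fails rather than overflows if it is too small.
NTSYSAPI NTSTATUS NTAPI RtlAnsiStringToUnicodeString(
    __out PUNICODE_STRING DestinationString,
    __in PANSI_STRING SourceString,
    __in BOOLEAN AllocateDestinationString
);

// Appends read Destination's current Length/MaximumLength and grow it in place,
// so Destination is __inout (it was mislabelled __out). Destination's buffer
// must already be large enough; the call returns an error otherwise.
NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeStringToString(
    __inout PUNICODE_STRING Destination,
    __in PUNICODE_STRING Source
);

NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeToString(
    __inout PUNICODE_STRING Destination,
    __in PWSTR Source
);

NTSYSAPI LONG NTAPI RtlCompareUnicodeString(
    __in PUNICODE_STRING String1,
    __in PUNICODE_STRING String2,
    __in BOOLEAN CaseInSensitive
);

// Copies into DestinationString's existing buffer, truncating to its
// MaximumLength, so the destination is __inout rather than __out.
NTSYSAPI VOID NTAPI RtlCopyUnicodeString(
    __inout PUNICODE_STRING DestinationString,
    __in PUNICODE_STRING SourceString
);

NTSYSAPI NTSTATUS NTAPI RtlDowncaseUnicodeString(
    __out PUNICODE_STRING DestinationString,
    __in PUNICODE_STRING SourceString,
    __in BOOLEAN AllocateDestinationString
);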
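NTSYSAPI BOOLEAN NTAPI RtlEqualUnicodeString(
    __in PUNICODE_STRING String1,
    __in PUNICODE_STRING String2,
    __in BOOLEAN CaseInSensitive
);

// Formats Value in the given Base into String's existing buffer.
NTSYSAPI NTSTATUS NTAPI RtlIntegerToUnicodeString(
    __in ULONG Value,
    __in ULONG Base,
    __out PUNICODE_STRING String
);

// Parses String in the given Base; check the status before using *Value.
NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToInteger(
    __in PUNICODE_STRING String,
    __in ULONG Base,
    __out PULONG Value
);

NTSYSAPI NTSTATUS NTAPI RtlOemStringToUnicodeString(
    __out PUNICODE_STRING DestinationString,
    __in POEM_STRING SourceString,
    __in BOOLEAN AllocateDestinationString
);

NTSYSAPI BOOLEAN NTAPI RtlPrefixUnicodeString(
    __in PUNICODE_STRING String1,
    __in PUNICODE_STRING String2,
    __in BOOLEAN CaseInSensitive
);

NTSYSAPI WCHAR NTAPI RtlUpcaseUnicodeChar(
    __in WCHAR SourceCharacter
);

NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeString(
    __out PUNICODE_STRING DestinationString,
    __in PUNICODE_STRING SourceString,
    __in BOOLEAN AllocateDestinationString
);

NTSYSAPI ULONG NTAPI RtlxAnsiStringToUnicodeSize(
    __in PANSI_STRING AnsiString
);

NTSYSAPI ULONG NTAPI RtlxOemStringToUnicodeSize(
    __in POEM_STRING OemString
);

// Rtl Misc Operations

// LPC reply; pReply is typed PVOID here, the message layout is not declared in
// this header.
NTSYSAPI NTSTATUS NTAPI NtReplyPort(
    __in HANDLE hPort,
    __out PVOID pReply
);

NTSYSAPI NTSTATUS NTAPI NtClose(
    __in HANDLE hObject
);

// Maps an NTSTATUS onto a Win32 error code (what GetLastError would report).
NTSYSAPI ULONG NTAPI RtlNtStatusToDosError(
    __in NTSTATUS status
);

// Declared with (void): an empty parameter list in a C prototype means
// "unspecified arguments", which let callers pass anything unchecked.
NTSYSAPI UINT NTAPI RtlGetLongestNtPathLength(void);

// Path classification; return values are the DOS_PATHTYPE_* constants defined
// near the top of this header.
NTSYSAPI UINT NTAPI RtlDetermineDosPathNameType_U(
    __in PWSTR Path
);

// Non-zero when Path names a DOS device (CON, NUL, COM1, ...). Useful input
// validation before opening a user-supplied file name.
NTSYSAPI UINT NTAPI RtlIsDosDeviceName_U(
    __in PWSTR Path
);

// Converts a DOS path to the NT namespace form; NtName's buffer is allocated by
// the call and must be freed by the caller (RtlFreeUnicodeString).
NTSYSAPI BOOLEAN NTAPI RtlDosPathNameToNtPathName_U(
    __in PCWSTR DosName,
    __out PUNICODE_STRING NtName,
    __out PCWSTR *DosFilePath OPTIONAL,
    __out PUNICODE_STRING NtFilePath OPTIONAL
);

// Rtl Large Integer Operations

// Sign test on the high dword. The macro parameter was named `$a`; `$` in an
// identifier is a compiler extension, not standard C, so it is renamed.
#define RtlLargeIntegerLessThanZero(li) ((li).HighPart < 0)

// Approximate conversion to double: HighPart * 2^32 + LowPart. Assumes the
// winnt.h LARGE_INTEGER layout (signed HighPart, unsigned LowPart); exact only
// up to 2^53.
#define Li2Double(x) ((double)((x).HighPart) * 4.294967296E9 + (double)((x).LowPart))

NTSYSAPI LARGE_INTEGER NTAPI RtlEnlargedIntegerMultiply(
    __in LONG lMultiplicand,
    __in LONG lMultiplier
);

NTSYSAPI ULONG NTAPI RtlEnlargedUnsignedDivide(
    __in LARGE_INTEGER liDividend,
    __in ULONG uDivisor,
    __out PULONG puRemainder OPTIONAL
);

NTSYSAPI LARGE_INTEGER NTAPI RtlEnlargedUnsignedMultiply(
    __in ULONG uMultiplicand,
    __in ULONG uMultiplier
);

NTSYSAPI LARGE_INTEGER NTAPI RtlExtendedIntegerMultiply(
    __in LARGE_INTEGER liMultiplicand,
    __in LONG lMultiplier
);

NTSYSAPI LARGE_INTEGER NTAPI RtlExtendedLargeIntegerDivide(
    __in LARGE_INTEGER liDividend,
    __in ULONG uDivisor,
    __out PULONG puRemainder OPTIONAL
);

NTSYSAPI LARGE_INTEGER NTAPI RtlLargeIntegerAdd(
    __in LARGE_INTEGER liAddend1,
    __in LARGE_INTEGER liAddend2
);

NTSYSAPI LARGE_INTEGER NTAPI RtlLargeIntegerDivide(
    __in LARGE_INTEGER liDividend,
    __in LARGE_INTEGER liDivisor,
    __out PLARGE_INTEGER pliRemainder OPTIONAL
);

NTSYSAPI LARGE_INTEGER NTAPI RtlLargeIntegerNegate(
    __in LARGE_INTEGER liSubtrahend
);

NTSYSAPI LARGE_INTEGER NTAPI RtlLargeIntegerSubtract(
    __in LARGE_INTEGER liMinuend,
    __in LARGE_INTEGER liSubtrahend
);

// Debug Functions

// Buffer filled by RtlQueryProcessDebugInformation. The *Information pointers
// refer into the shared section and are only valid while the buffer lives.
typedef struct _DEBUG_BUFFER {
    HANDLE SectionHandle;
    PVOID SectionBase;
    PVOID RemoteSectionBase;
    ULONG SectionBaseDelta;
    HANDLE EventPairHandle;
    ULONG Unknown[2];
    HANDLE RemoteThreadHandle;
    ULONG InfoClassMask;
    ULONG SizeOfInfo;
    ULONG AllocatedSize;
    ULONG SectionSize;
    PVOID ModuleInformation;
    PVOID BackTraceInformation;
    PVOID HeapInformation;
    PVOID LockInformation;
    PVOID Reserved[8];
} DEBUG_BUFFER, *PDEBUG_BUFFER;

// DebugInfoClassMask bits for RtlQueryProcessDebugInformation.
#define PDI_MODULES 0x01
#define PDI_BACKTRACE 0x02
#define PDI_HEAPS 0x04
#define PDI_HEAP_TAGS 0x08
#define PDI_HEAP_BLOCKS 0x10
#define PDI_LOCKS 0x20

// Base/Size are ULONG, i.e. this layout matches 32-bit targets; verify on x64.
typedef struct _DEBUG_MODULE_INFORMATION // c.f. SYSTEM_MODULE_INFORMATION
{
    ULONG Reserved[2];
    ULONG Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION;

typedef struct _DEBUG_HEAP_INFORMATION {
    ULONG Base;
    ULONG Flags;
    USHORT Granularity;
    USHORT Unknown;
    ULONG Allocated;
    ULONG Committed;
    ULONG TagCount;
    ULONG BlockCount;
    ULONG Reserved[7];
    PVOID Tags;
    PVOID Blocks;
} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION;

typedef struct _DEBUG_LOCK_INFORMATION // c.f. SYSTEM_LOCK_INFORMATION
{
    PVOID Address;
    USHORT Type;
    USHORT CreatorBackTraceIndex;
    ULONG OwnerThreadId;
    ULONG ActiveCount;
    ULONG ContentionCount;
    ULONG EntryCount;
    ULONG RecursionCount;
    ULONG NumberOfSharedWaiters;
    ULONG NumberOfExclusiveWaiters;
} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION;

// Returns NULL on failure; always release with RtlDestroyQueryDebugBuffer.
NTSYSAPI PDEBUG_BUFFER NTAPI RtlCreateQueryDebugBuffer(
    __in ULONG Size,
    __in BOOLEAN EventPair
);

// Collects the PDI_* classes in DebugInfoClassMask for ProcessId into
// DebugBuffer (this works on another process, by id rather than handle).
NTSYSAPI NTSTATUS NTAPI RtlQueryProcessDebugInformation(
    __in ULONG ProcessId,
    __in ULONG DebugInfoClassMask,
    __inout PDEBUG_BUFFER DebugBuffer
);

NTSYSAPI NTSTATUS NTAPI RtlDestroyQueryDebugBuffer(
    __in PDEBUG_BUFFER DebugBuffer
);

// Load a kernel driver from its service key. This crosses into kernel code
// execution; it is expected to require the load-driver privilege, and a
// writable service key plus this call is a well-known escalation path, so
// never let untrusted input choose RegistryPath.
NTSYSAPI NTSTATUS NTAPI NtLoadDriver(
    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
    __in PUNICODE_STRING RegistryPath
);

// Needed after writing code into a process so the CPU does not execute stale
// instruction bytes.
NTSYSAPI NTSTATUS NTAPI NtFlushInstructionCache(
    __in HANDLE ProcessHandle,
    __in PVOID BaseAddress,
    __in ULONG NumberOfBytesToFlush
);

// Second declaration of NtProtectVirtualMemory in this header (the first is in
// the memory-management section); parameter names differ, types agree.
NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __inout PULONG NumberOfBytesToProtect,
    __in ULONG NewAccessProtection,
    __out PULONG OldAccessProtection
);

// BaseAddress is rounded and written back like RegionSize, hence __inout.
NTSYSAPI NTSTATUS NTAPI NtFreeVirtualMemory(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __inout PULONG RegionSize,
    __in ULONG FreeType
);

NTSYSAPI NTSTATUS NTAPI NtUnloadDriver(
    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
    __in PUNICODE_STRING RegistryPath
);

// Enable (NewValue = TRUE) or disable a privilege, identified by its LUID low
// part, on the process token or (ForThread) the impersonation token. OldValue
// receives the previous state; read it only after a successful status. Only
// privileges already present in the token can be toggled — this does not add
// new ones.
NTSYSAPI NTSTATUS NTAPI RtlAdjustPrivilege(
    __in ULONG Privilege,
    __in BOOLEAN NewValue,
    __in BOOLEAN ForThread,
    __out PBOOLEAN OldValue
);

/*typedef struct _RTL_OSVERSIONINFOW {
    ULONG dwOSVersionInfoSize;
    ULONG dwMajorVersion;
    ULONG dwMinorVersion;
    ULONG dwBuildNumber;
    ULONG dwPlatformId;
    WCHAR szCSDVersion[128]; // Maintenance string for PSS usage
} RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;*/

// Set dwOSVersionInfoSize before calling.
NTSYSAPI NTSTATUS NTAPI RtlGetVersion(
    __inout PRTL_OSVERSIONINFOW lpVersionInformation
);

NTSYSAPI void NTAPI RtlFreeAnsiString(
    __in PANSI_STRING AnsiString
);

// In-place decode of a string "run-encoded" with bHash. This is obfuscation,
// not encryption — do not treat it as protecting secrets.
NTSYSAPI NTSTATUS NTAPI RtlRunDecodeUnicodeString(
    __in BYTE bHash,
    __inout PUNICODE_STRING uString
);

// - Extra -

typedef struct _TDI_CONNECTION_INFORMATION {
    LONG UserDataLength;
    PVOID UserData;
    LONG OptionsLength;
    PVOID Options;
    LONG RemoteAddressLength;
    PVOID RemoteAddress;
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;

typedef struct _TDI_CONNECTION_INFO {
    ULONG State;
    ULONG Event;
    ULONG TransmittedTsdus;
    ULONG ReceivedTsdus;
    ULONG TransmissionErrors;
    ULONG ReceiveErrors;
    LARGE_INTEGER Throughput;
    LARGE_INTEGER Delay;
    ULONG SendBufferSize;
    ULONG ReceiveBufferSize;
    BOOLEAN Unreliable;
} TDI_CONNECTION_INFO, *PTDI_CONNECTION_INFO;

// Registry key information classes and their variable-length payloads. Name[1]
// / Class[1] are placeholders for trailing data: size buffers from the *Length
// fields, never from sizeof the struct.
typedef enum _KEY_INFORMATION_CLASS {
    KeyBasicInformation,
    KeyNodeInformation,
    KeyFullInformation
} KEY_INFORMATION_CLASS;

typedef struct _KEY_BASIC_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG NameLength;
    WCHAR Name[1];
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;

typedef struct _KEY_NODE_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG ClassOffset;
    ULONG ClassLength;
    ULONG NameLength;
    WCHAR Name[1];
    /* Class[1]; */
} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;

typedef struct _KEY_FULL_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG ClassOffset;
    ULONG ClassLength;
    ULONG SubKeys;
    ULONG MaxNameLen;
    ULONG MaxClassLen;
    ULONG Values;
    ULONG MaxValueNameLen;
    ULONG MaxValueDataLen;
    WCHAR Class[1];
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;

typedef enum _KEY_VALUE_INFORMATION_CLASS {
    KeyValueBasicInformation,
    KeyValueFullInformation,
    KeyValuePartialInformation,
    KeyValueFullInformationAlign64,
    KeyValuePartialInformationAlign64
} KEY_VALUE_INFORMATION_CLASS;

typedef struct _KEY_VALUE_BASIC_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG NameLength;
    WCHAR Name[1];
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;

// Data lives at DataOffset bytes from the start of the structure.
typedef struct _KEY_VALUE_FULL_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataOffset;
    ULONG DataLength;
    ULONG NameLength;
    WCHAR Name[1];
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;

// REG_SZ-style data is not guaranteed NUL-terminated: bound by DataLength.
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
    ULONG TitleIndex;
    ULONG Type;
    ULONG DataLength;
    UCHAR Data[1];
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;

NTSYSAPI NTSTATUS NTAPI NtOpenKey(
    __out PHANDLE KeyHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes
);

// Points DestinationString at SourceString (no copy).
NTSYSAPI void NTAPI RtlInitAnsiString(
    __out ANSI_STRING* DestinationString,
    __in CHAR* SourceString
);

// File I/O. Event/ApcRoutine/ApcContext select asynchronous completion; with
// all three NULL on a synchronous handle the call completes before returning.
// IoStatusBlock.Information carries the byte count actually transferred.
NTSYSAPI NTSTATUS NTAPI NtWriteFile(
    __in HANDLE FileHandle,
    __in HANDLE Event OPTIONAL,
    __in PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    __in PVOID ApcContext OPTIONAL,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in PVOID Buffer,
    __in ULONG Length,
    __in PLARGE_INTEGER ByteOffset OPTIONAL,
    __in PULONG Key OPTIONAL
);

NTSYSAPI NTSTATUS NTAPI NtReadFile(
    __in HANDLE FileHandle,
    __in HANDLE Event OPTIONAL,
    __in PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    __in PVOID ApcContext OPTIONAL,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __out PVOID Buffer,
    __in ULONG Length,
    __in PLARGE_INTEGER ByteOffset OPTIONAL,
    __in PULONG Key OPTIONAL
);

// printf-style kernel debugger output. Format must be a literal: never pass
// attacker-influenced text as Format (use DbgPrint("%s", text)).
NTSYSAPI NTSTATUS NTAPI DbgPrint(
    __in LPCSTR Format,
    ...
);

// Second declarations of the context calls (first ones are in the thread
// section); compatible with the earlier prototypes.
NTSYSAPI NTSTATUS NTAPI NtGetContextThread(
    __in HANDLE ThreadHandle,
    __out PCONTEXT pContext
);

NTSYSAPI NTSTATUS NTAPI NtSetContextThread(
    __in HANDLE ThreadHandle,
    __in PCONTEXT Context
);

NTSYSAPI NTSTATUS NTAPI NtAlertThread(
    __in HANDLE ThreadHandle
);

NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(
    __in PCRITICAL_SECTION CriticalSection
);

NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(
    __in PCRITICAL_SECTION CriticalSection
);

NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(
    __in PCRITICAL_SECTION CriticalSection
);

// DelayInterval follows the NT convention (negative = relative, in 100ns units).
NTSYSAPI NTSTATUS NTAPI NtDelayExecution(
    __in BOOLEAN Alertable,
    __in PLARGE_INTEGER DelayInterval
);

// (void) rather than (): see RtlGetLongestNtPathLength above.
NTSYSAPI NTSTATUS NTAPI NtYieldExecution(void);

NTSYSAPI ULONG NTAPI NtGetTickCount(void);

NTSYSAPI NTSTATUS NTAPI NtQueryPerformanceCounter(
    __out PLARGE_INTEGER PerformanceCounter,
    __out PLARGE_INTEGER PerformanceFrequency OPTIONAL
);

// Directory enumeration; FileInformation receives FileInformationClass-shaped
// entries (Length bytes available). Entries are variable-length — walk them by
// their NextEntryOffset, not by sizeof.
NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFile(
    __in HANDLE FileHandle,
    __in HANDLE Event OPTIONAL,
    __in PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    __in PVOID ApcContext OPTIONAL,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __out PVOID FileInformation,
    __in ULONG Length,
    __in FILE_INFORMATION_CLASS FileInformationClass,
    __in BOOLEAN ReturnSingleEntry,
    __in PUNICODE_STRING FileMask OPTIONAL,
    __in BOOLEAN RestartScan
);

NTSYSAPI NTSTATUS NTAPI NtVdmControl(
    __in ULONG ControlCode,
    __in PVOID ControlData
);

// Redefinition of the SDK constant with the same value (C4005 is disabled for
// this header).
#define KEY_QUERY_VALUE (0x0001)

// Registry enumeration; on a too-small buffer ResultLength reports the size
// needed. Values may be written by other processes between calls, so never
// trust the name/data lengths for more than one iteration.
NTSYSAPI NTSTATUS NTAPI NtEnumerateKey(
    __in HANDLE KeyHandle,
    __in ULONG Index,
    __in KEY_INFORMATION_CLASS KeyInformationClass,
    __out PVOID KeyInformation,
    __in ULONG KeyInformationLength,
    __out PULONG ResultLength
);

NTSYSAPI NTSTATUS NTAPI NtEnumerateValueKey(
    __in HANDLE KeyHandle,
    __in ULONG Index,
    __in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    __out PVOID KeyValueInformation,
    __in ULONG KeyValueInformationLength,
    __out PULONG ResultLength
);

// Service-control prototype (WINAPI/BOOL, not an Nt*/Rtl* export) kept here
// because the original author needed it; the last parameter's meaning is
// not documented.
BOOL WINAPI EnumServiceGroupW(
    SC_HANDLE hSCManager,
    DWORD dwServiceType,
    DWORD dwServiceState,
    LPBYTE lpServices,
    DWORD cbBufSize,
    LPDWORD pcbBytesNeeded,
    LPDWORD lpServicesReturned,
    LPDWORD lpResumeHandle,
    DWORD dwUnknown
);

NTSYSAPI NTSTATUS NTAPI NtQueryKey(
    __in HANDLE KeyHandle,
    __in KEY_INFORMATION_CLASS KeyInformationClass,
    __out PVOID KeyInformation,
    __in ULONG Length,
    __out PULONG ResultLength
);

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

// Map a view of SectionHandle into ProcessHandle (which may be another process —
// a common way to place code/data remotely without NtWriteVirtualMemory).
// BaseAddress, SectionOffset and ViewSize are rounded and written back.
// NOTE(review): ZeroBits/CommitSize/ViewSize are ULONG-sized here; on x64 the
// real export is believed to use pointer-sized values for these — verify before
// use in a 64-bit build.
NTSYSAPI NTSTATUS NTAPI NtMapViewOfSection(
    __in HANDLE SectionHandle,
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,
    __in ULONG ZeroBits OPTIONAL,
    __in ULONG CommitSize,
    __inout PLARGE_INTEGER SectionOffset,
    __inout PULONG ViewSize,
    __in SECTION_INHERIT InheritDisposition,
    __in ULONG AllocationType,
    __in ULONG Protect
);

// Resource lookup: Type/Name/Language are the three directory levels;
// ulNrOfItems says how many of them pResInfo supplies.
typedef struct _LDR_RESOURCE_INFO {
    ULONG Type;
    ULONG Name;
    ULONG Language;
} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;

NTSYSAPI NTSTATUS NTAPI LdrFindResourceDirectory_U(
    HMODULE hModule,
    LDR_RESOURCE_INFO* pResInfo,
    ULONG ulNrOfItems,
    IMAGE_RESOURCE_DIRECTORY** pResDir
);

NTSYSAPI NTSTATUS NTAPI LdrFindResource_U(
    HMODULE hModule,
    LDR_RESOURCE_INFO* pResInfo,
    ULONG ulNrOfItems,
    IMAGE_RESOURCE_DATA_ENTRY** pResDataDir
);

// *pData points into the mapped image; pulOptional (size) may be NULL.
NTSYSAPI NTSTATUS NTAPI LdrAccessResource(
    HMODULE hModule,
    IMAGE_RESOURCE_DATA_ENTRY* pResDataEntry,
    void ** pData,
    PULONG pulOptional
);

// Hive export. Saving a key such as SAM/SECURITY to a file is a credential-dump
// technique; the call is expected to need backup-type privileges.
NTSYSAPI NTSTATUS NTAPI NtSaveKey(
    HANDLE KeyHandle,
    HANDLE FileHandle
);

NTSYSAPI NTSTATUS NTAPI NtSaveMergedKeys(
    __in HANDLE KeyHandle1,
    __in HANDLE KeyHandle2,
    __in HANDLE FileHandle
);

// Token handling. Open with the least DesiredAccess needed (TOKEN_QUERY for
// lookups, TOKEN_ADJUST_PRIVILEGES only when adjusting).
NTSYSAPI NTSTATUS NTAPI NtOpenProcessToken (
    __in HANDLE ProcessHandle,
    __in DWORD DesiredAccess,
    __deref_out PHANDLE TokenHandle
);

// PreviousState is filled up to BufferLength bytes; ReturnLength reports the
// size needed. As with the Win32 wrapper, a success status does not by itself
// prove every requested privilege was adjusted — check the result carefully.
NTSYSAPI NTSTATUS NTAPI NtAdjustPrivilegesToken(
    __in HANDLE TokenHandle,
    __in BOOL DisableAllPrivileges,
    __in_opt PTOKEN_PRIVILEGES NewState,
    __in DWORD BufferLength,
    __out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
    __out_opt PDWORD ReturnLength
);

// Security descriptor construction. Note that bDaclPresent = TRUE with pDacl =
// NULL yields a NULL DACL, i.e. everyone gets full access — usually not what
// is intended; pass an explicit ACL to restrict access.
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor (
    __out PSECURITY_DESCRIPTOR pSecurityDescriptor,
    __in DWORD dwRevision
);

NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor (
    __inout PSECURITY_DESCRIPTOR pSecurityDescriptor,
    __in BOOL bDaclPresent,
    __in_opt PACL pDacl,
    __in BOOL bDaclDefaulted
);

// Heap API.
// NOTE(review): RtlCreateHeap's v1..v5 are placeholder DWORDs. If any real
// parameter is a pointer or SIZE_T (other references list a heap base, sizes,
// a lock and a parameters block), this prototype truncates them on 64-bit —
// confirm the true signature before calling on x64; only pass 0 meanwhile.
NTSYSAPI HANDLE NTAPI RtlCreateHeap (
    __in DWORD flag,
    __in DWORD v1,
    __in DWORD v2,
    __in DWORD v3,
    __in DWORD v4,
    __in DWORD v5
);

NTSYSAPI NTSTATUS NTAPI RtlSetHeapInformation(
    __in HANDLE HeapHandle,
    __in HEAP_INFORMATION_CLASS HeapInformationClass,
    __in PVOID HeapInformation,
    __in SIZE_T HeapInformationLength
);

// Returns NULL on failure unless dwFlags asks for exception-on-failure.
NTSYSAPI LPVOID NTAPI RtlAllocateHeap(
    __in HANDLE hHeap,
    __in DWORD dwFlags,
    __in SIZE_T dwBytes
);

// NOTE(review): declared BOOL; other references return BOOLEAN (one byte). With
// a BOOL declaration the upper bytes of the return register are not guaranteed
// meaningful — compare the result with 0 via `(BYTE)` if this is relied on, or
// confirm the real return type.
NTSYSAPI BOOL NTAPI RtlFreeHeap(
    __in HANDLE hHeap,
    __in DWORD dwFlags,
    __in LPVOID lpMem
);

// NOTE(review): declared NTSTATUS here; other references describe the return as
// a heap handle (NULL on success, the handle back on failure). Do not interpret
// the result with NT_SUCCESS() until that has been confirmed.
NTSYSAPI NTSTATUS NTAPI RtlDestroyHeap (
    __in HANDLE hHeap
);

#ifdef __cplusplus
} // extern "C"
#endif // __cplusplus

#endif // NTDLL_H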