//#pragma once
#ifndef NTDLL_H
#define NTDLL_H

// ntdll.h  10/14/2011

/* Artikash 7/13/2018: WHERE THE FUCK DID THIS FILE COME FROM?
Redefines a bunch of stuff in the standard windows headers (especially winnt.h) but has additional information that isn't documented anywhere else I can find.
It's like someone stole this file from Microsoft's internal database of windows source code?? */

#include <windows.h>

#ifdef _MSC_VER
# pragma warning(disable:4005) // C4005: macro redefinition
# pragma warning(disable:4200) // C4200: nonstandard extension used : zero-sized array in struct/union
# pragma warning(disable:4010) // C4010: single-line comment contains line-continuation character
# pragma warning(disable:4996) // C4996: unsafe function or variable used such as swprintf, wcscpy; alternatively use __CRT_SECURE_NO_WARNINGS
#endif // _MSC_VER

#define NT_INCLUDED
#define _NTDEF_
#define _CTYPE_DISABLE_MACROS

// Remove official macros from WSDK
#undef STATUS_WAIT_0
#undef STATUS_ABANDONED_WAIT_0
#undef STATUS_USER_APC
#undef STATUS_TIMEOUT
#undef STATUS_PENDING
#undef DBG_CONTINUE
#undef STATUS_SEGMENT_NOTIFICATION
#undef DBG_TERMINATE_THREAD
#undef DBG_TERMINATE_PROCESS
#undef DBG_CONTROL_C
#undef DBG_CONTROL_BREAK
#undef STATUS_GUARD_PAGE_VIOLATION
#undef STATUS_DATATYPE_MISALIGNMENT
#undef STATUS_BREAKPOINT
#undef STATUS_SINGLE_STEP
#undef DBG_EXCEPTION_NOT_HANDLED
#undef STATUS_ACCESS_VIOLATION
#undef STATUS_IN_PAGE_ERROR
#undef STATUS_INVALID_HANDLE
#undef STATUS_NO_MEMORY
#undef STATUS_ILLEGAL_INSTRUCTION
#undef STATUS_NONCONTINUABLE_EXCEPTION
#undef STATUS_INVALID_DISPOSITION
#undef STATUS_ARRAY_BOUNDS_EXCEEDED
#undef STATUS_FLOAT_DENORMAL_OPERAND
#undef STATUS_FLOAT_DIVIDE_BY_ZERO
#undef STATUS_FLOAT_INEXACT_RESULT
#undef STATUS_FLOAT_INVALID_OPERATION
#undef STATUS_FLOAT_OVERFLOW
#undef STATUS_FLOAT_STACK_CHECK
#undef STATUS_FLOAT_UNDERFLOW
#undef STATUS_INTEGER_DIVIDE_BY_ZERO
#undef STATUS_INTEGER_OVERFLOW
#undef STATUS_PRIVILEGED_INSTRUCTION
#undef STATUS_STACK_OVERFLOW
#undef STATUS_CONTROL_C_EXIT
#undef STATUS_FLOAT_MULTIPLE_FAULTS
#undef STATUS_FLOAT_MULTIPLE_TRAPS
#undef STATUS_ILLEGAL_VLM_REFERENCE
#undef STATUS_REG_NAT_CONSUMPTION
#undef DBG_EXCEPTION_HANDLED

#include <ntstatus.h>

#if (_MSC_VER >= 800) || defined(_STDCALL_SUPPORTED)
# define NTAPI __stdcall
#else
# define _cdecl
# define NTAPI
#endif // STDCALL

#ifdef __cplusplus
extern "C" {
#endif // __cplusplus

// - Macros -

#define MAXIMUM_FILENAME_LENGTH         256
#define PORT_MAXIMUM_MESSAGE_LENGTH     256
#define INITIAL_PRIVILEGE_COUNT         3

#define FSCTL_GET_VOLUME_INFORMATION    0x90064

// Constants for RtlDetermineDosPathNameType_U
#define DOS_PATHTYPE_UNC            0x00000001  // \\COMPUTER1
#define DOS_PATHTYPE_ROOTDRIVE      0x00000002  // C:\
#define DOS_PATHTYPE_STREAM         0x00000003  // X:X or C:
#define DOS_PATHTYPE_NT             0x00000004  // \\??\\C:
#define DOS_PATHTYPE_NAME           0x00000005  // C
#define DOS_PATHTYPE_DEVICE         0x00000006  // \\.\C:
#define DOS_PATHTYPE_LOCALUNCROOT   0x00000007  // \\.

// Define the various device characteristics flags
#define FILE_REMOVABLE_MEDIA            0x00000001
#define FILE_READ_ONLY_DEVICE           0x00000002
#define FILE_FLOPPY_DISKETTE            0x00000004
#define FILE_WRITE_ONCE_MEDIA           0x00000008
#define FILE_REMOTE_DEVICE              0x00000010
#define FILE_DEVICE_IS_MOUNTED          0x00000020
#define FILE_VIRTUAL_VOLUME             0x00000040
#define FILE_AUTOGENERATED_DEVICE_NAME  0x00000080
#define FILE_DEVICE_SECURE_OPEN         0x00000100

#define FILE_SUPERSEDE                  0x00000000
#define FILE_OPEN                       0x00000001
#define FILE_CREATE                     0x00000002
#define FILE_OPEN_IF                    0x00000003
#define FILE_OVERWRITE                  0x00000004
#define FILE_OVERWRITE_IF               0x00000005
#define FILE_MAXIMUM_DISPOSITION        0x00000005

#define FILE_DIRECTORY_FILE             0x00000001
#define FILE_WRITE_THROUGH              0x00000002
#define FILE_SEQUENTIAL_ONLY            0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING  0x00000008

#define FILE_SYNCHRONOUS_IO_ALERT       0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT    0x00000020
#define FILE_NON_DIRECTORY_FILE         0x00000040
#define FILE_CREATE_TREE_CONNECTION     0x00000080

#define FILE_COMPLETE_IF_OPLOCKED       0x00000100
#define FILE_NO_EA_KNOWLEDGE            0x00000200
#define FILE_OPEN_FOR_RECOVERY          0x00000400
#define FILE_RANDOM_ACCESS              0x00000800

#define FILE_DELETE_ON_CLOSE            0x00001000
#define FILE_OPEN_BY_FILE_ID            0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT     0x00004000
#define FILE_NO_COMPRESSION             0x00008000

#define FILE_RESERVE_OPFILTER           0x00100000
#define FILE_OPEN_REPARSE_POINT         0x00200000
#define FILE_OPEN_NO_RECALL             0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY  0x00800000

#define FILE_COPY_STRUCTURED_STORAGE    0x00000041
#define FILE_STRUCTURED_STORAGE         0x00000441

#define FILE_VALID_OPTION_FLAGS         0x00ffffff
#define FILE_VALID_PIPE_OPTION_FLAGS    0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
#define FILE_VALID_SET_FLAGS            0x00000036

// Thread states
#define THREAD_STATE_INITIALIZED        0
#define THREAD_STATE_READY              1
#define THREAD_STATE_RUNNING            2
#define THREAD_STATE_STANDBY            3
#define THREAD_STATE_TERMINATED         4
#define THREAD_STATE_WAIT               5
#define THREAD_STATE_TRANSITION         6
#define THREAD_STATE_UNKNOWN            7

// Object types
#define OB_TYPE_TYPE            1
#define OB_TYPE_DIRECTORY       2
#define OB_TYPE_SYMBOLIC_LINK   3
#define OB_TYPE_TOKEN           4
#define OB_TYPE_PROCESS         5
#define OB_TYPE_THREAD          6
#define OB_TYPE_EVENT           7
#define OB_TYPE_EVENT_PAIR      8
#define OB_TYPE_MUTANT          9
#define OB_TYPE_SEMAPHORE       10
#define OB_TYPE_TIMER           11
#define OB_TYPE_PROFILE         12
#define OB_TYPE_WINDOW_STATION  13
#define OB_TYPE_DESKTOP         14
#define OB_TYPE_SECTION         15
#define OB_TYPE_KEY             16
#define OB_TYPE_PORT            17
#define OB_TYPE_ADAPTER         18
#define OB_TYPE_CONTROLLER      19
#define OB_TYPE_DEVICE          20
#define OB_TYPE_DRIVER          21
#define OB_TYPE_IO_COMPLETION   22
#define OB_TYPE_FILE            23

#define OBJ_INHERIT             0x00000002
#define OBJ_PERMANENT           0x00000010
#define OBJ_EXCLUSIVE           0x00000020
#define OBJ_CASE_INSENSITIVE    0x00000040
#define OBJ_OPENIF              0x00000080
#define OBJ_OPENLINK            0x00000100
#define OBJ_VALID_ATTRIBUTES    0x000001F2

// Object Manager Directory Specific Access Rights.
#define DIRECTORY_QUERY                 0x0001
#define DIRECTORY_TRAVERSE              0x0002
#define DIRECTORY_CREATE_OBJECT         0x0004
#define DIRECTORY_CREATE_SUBDIRECTORY   0x0008
#define DIRECTORY_ALL_ACCESS            (STANDARD_RIGHTS_REQUIRED | 0xF)

// Object Manager Symbolic Link Specific Access Rights.
#define SYMBOLIC_LINK_QUERY         0x0001
#define SYMBOLIC_LINK_ALL_ACCESS    (STANDARD_RIGHTS_REQUIRED | 0x1)

#define NT_SUCCESS(Status)          ((LONG)(Status) >= 0)
#define NT_ERROR(Status)            ((ULONG)(Status) >> 30 == 3)

#define DEVICE_TYPE     DWORD

// Values for RtlAdjustPrivilege
#define SE_MIN_WELL_KNOWN_PRIVILEGE       (2L)
#define SE_CREATE_TOKEN_PRIVILEGE         (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE   (3L)
#define SE_LOCK_MEMORY_PRIVILEGE          (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE       (5L)
#define SE_UNSOLICITED_INPUT_PRIVILEGE    (6L) // obsolete and unused
#define SE_MACHINE_ACCOUNT_PRIVILEGE      (6L)
#define SE_TCB_PRIVILEGE                  (7L)
#define SE_SECURITY_PRIVILEGE             (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE       (9L)
#define SE_LOAD_DRIVER_PRIVILEGE          (10L)
#define SE_PROFILE_PRIVILEGE              (11L)
#define SE_SYSTEMTIME_PRIVILEGE           (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE  (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE    (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE      (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE     (16L)
#define SE_BACKUP_PRIVILEGE               (17L)
#define SE_RESTORE_PRIVILEGE              (18L)
#define SE_SHUTDOWN_PRIVILEGE             (19L)
#define SE_DEBUG_PRIVILEGE                (20L)
#define SE_AUDIT_PRIVILEGE                (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE   (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE        (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE      (24L)
#define SE_MAX_WELL_KNOWN_PRIVILEGE       (SE_REMOTE_SHUTDOWN_PRIVILEGE)

#define VdmDirectoryFile 6

#define InitializeObjectAttributes( p, n, a, r, s ) {   \
  (p)->uLength = sizeof( OBJECT_ATTRIBUTES );           \
  (p)->hRootDirectory = r;                              \
  (p)->uAttributes = a;                                 \
  (p)->pObjectName = n;                                 \
  (p)->pSecurityDescriptor = s;                         \
  (p)->pSecurityQualityOfService = NULL;                \
}

// - Basic Types -

typedef LONG        NTSTATUS;
//lint -e624        // Don't complain about different typedefs.
//
typedef NTSTATUS    *PNTSTATUS;
//lint +e624        // Resume checking for different typedefs.

typedef NTSTATUS    (NTAPI *NTSYSCALL)();
typedef NTSYSCALL   *PNTSYSCALL;

typedef ULONG       KAFFINITY;
typedef KAFFINITY   *PKAFFINITY;
typedef LONG        KPRIORITY;

typedef BYTE        KPROCESSOR_MODE;

// - Structures -

typedef VOID *POBJECT;
typedef VOID (*PKNORMAL_ROUTINE) (
 __in  PVOID    NormalContext,
 __in  PVOID    SystemArgument1,
 __in  PVOID    SystemArgument2
);

typedef struct _STRING
{
  USHORT Length;
  USHORT MaximumLength;
#ifdef MIDL_PASS
  [ size_is(MaximumLength), length_is(Length) ]
#endif // MIDL_PASS
  PCHAR Buffer;
} STRING, *PSTRING;

typedef STRING ANSI_STRING;
typedef PSTRING PANSI_STRING;

typedef STRING OEM_STRING;
typedef PSTRING POEM_STRING;


typedef struct _UNICODE_STRING
{
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// - APIs -

NTSYSAPI
NTSTATUS
NTAPI
RtlUnicodeStringToAnsiString(
  PANSI_STRING DestinationString,
  PUNICODE_STRING SourceString,
  BOOLEAN AllocateDestinationString
);

typedef struct _HARDWARE_PTE
{
  ULONG Valid             : 1;
  ULONG Write             : 1;
  ULONG Owner             : 1;
  ULONG WriteThrough      : 1;
  ULONG CacheDisable      : 1;
  ULONG Accessed          : 1;
  ULONG Dirty             : 1;
  ULONG LargePage         : 1;
  ULONG Global            : 1;
  ULONG CopyOnWrite       : 1;
  ULONG Prototype         : 1;
  ULONG reserved          : 1;
  ULONG PageFrameNumber   : 20;
} HARDWARE_PTE, *PHARDWARE_PTE;

typedef struct _OBJECT_ATTRIBUTES
{
  ULONG             uLength;
  HANDLE            hRootDirectory;
  PUNICODE_STRING   pObjectName;
  ULONG             uAttributes;
  PVOID             pSecurityDescriptor;
  PVOID             pSecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _CLIENT_ID
{
  DWORD  UniqueProcess;
  DWORD  UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _PEB_FREE_BLOCK
{
  struct    _PEB_FREE_BLOCK  *Next;
  ULONG     Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

typedef struct _CURDIR
{
  UNICODE_STRING    DosPath;
  HANDLE            Handle;
} CURDIR, *PCURDIR;

typedef struct _RTL_DRIVE_LETTER_CURDIR
{
  WORD      Flags;
  WORD      Length;
  DWORD     TimeStamp;
  STRING    DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

#define  PROCESS_PARAMETERS_NORMALIZED  1  // pointers in are absolute (not self-relative)

typedef struct _PROCESS_PARAMETERS
{
  ULONG             MaximumLength;
  ULONG             Length;
  ULONG             Flags;  // PROCESS_PARAMETERS_NORMALIZED
  ULONG             DebugFlags;
  HANDLE            ConsoleHandle;
  ULONG             ConsoleFlags;
  HANDLE            StandardInput;
  HANDLE            StandardOutput;
  HANDLE            StandardError;
  CURDIR            CurrentDirectory;
  UNICODE_STRING    DllPath;
  UNICODE_STRING    ImagePathName;
  UNICODE_STRING    CommandLine;
  PWSTR             Environment;
  ULONG             StartingX;
  ULONG             StartingY;
  ULONG             CountX;
  ULONG             CountY;
  ULONG             ountCharsX;
  ULONG             CountCharsY;
  ULONG             FillAttribute;
  ULONG             WindowFlags;
  ULONG             ShowWindowFlags;
  UNICODE_STRING    WindowTitle;
  UNICODE_STRING    Desktop;
  UNICODE_STRING    ShellInfo;
  UNICODE_STRING    RuntimeInfo;
  RTL_DRIVE_LETTER_CURDIR  CurrentDirectores[32];
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

typedef struct _RTL_BITMAP
{
  DWORD  SizeOfBitMap;
  PDWORD  Buffer;
} RTL_BITMAP, *PRTL_BITMAP, **PPRTL_BITMAP;

#define LDR_STATIC_LINK             0x0000002
#define LDR_IMAGE_DLL               0x0000004
#define LDR_LOAD_IN_PROGRESS        0x0001000
#define LDR_UNLOAD_IN_PROGRESS      0x0002000
#define LDR_ENTRY_PROCESSED         0x0004000
#define LDR_ENTRY_INSERTED          0x0008000
#define LDR_CURRENT_LOAD            0x0010000
#define LDR_FAILED_BUILTIN_LOAD     0x0020000
#define LDR_DONT_CALL_FOR_THREADS   0x0040000
#define LDR_PROCESS_ATTACH_CALLED   0x0080000
#define LDR_DEBUG_SYMBOLS_LOADED    0x0100000
#define LDR_IMAGE_NOT_AT_BASE       0x0200000
#define LDR_WX86_IGNORE_MACHINETYPE 0x0400000

typedef struct _LDR_DATA_TABLE_ENTRY
{
  LIST_ENTRY        InLoadOrderModuleList;
  LIST_ENTRY        InMemoryOrderModuleList;
  LIST_ENTRY        InInitializationOrderModuleList;
  PVOID             DllBase;
  PVOID             EntryPoint;
  ULONG             SizeOfImage;  // in bytes
  UNICODE_STRING    FullDllName;
  UNICODE_STRING    BaseDllName;
  ULONG             Flags;      // LDR_*
  USHORT            LoadCount;
  USHORT            TlsIndex;
  LIST_ENTRY        HashLinks;
  PVOID             SectionPointer;
  ULONG             CheckSum;
  ULONG             TimeDateStamp;
//PVOID             LoadedImports; // seems they are exist only on XP !!!
//PVOID             EntryPointActivationContext;  // the same as above
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// See: http://en.wikipedia.org/wiki/Process_Environment_Block
typedef struct _PEB_LDR_DATA
{
  ULONG       Length;       // 0
  BOOLEAN     Initialized;  // 4
  PVOID       SsHandle;     // 8?
  LIST_ENTRY  InLoadOrderModuleList;            // C, ref. to PLDR_DATA_TABLE_ENTRY->InLoadOrderModuleList
  LIST_ENTRY  InMemoryOrderModuleList;          // 14, ref. to PLDR_DATA_TABLE_ENTRY->InMemoryOrderModuleList
  LIST_ENTRY  InInitializationOrderModuleList;  // 1C, ref. to PLDR_DATA_TABLE_ENTRY->InInitializationOrderModuleList
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef VOID NTSYSAPI (*PPEBLOCKROUTINE)(PVOID);

typedef struct _SYSTEM_STRINGS
{
  UNICODE_STRING SystemRoot;       // C:\WINNT
  UNICODE_STRING System32Root;     // C:\WINNT\System32
  UNICODE_STRING BaseNamedObjects; // \BaseNamedObjects
} SYSTEM_STRINGS,*PSYSTEM_STRINGS;

typedef struct _TEXT_INFO
{
  PVOID           Reserved;
  PSYSTEM_STRINGS SystemStrings;
} TEXT_INFO, *PTEXT_INFO;

// See: http://en.wikipedia.org/wiki/Process_Environment_Block
typedef struct _PEB
{
  UCHAR         InheritedAddressSpace;          // 0
  UCHAR         ReadImageFileExecOptions;       // 1
  UCHAR         BeingDebugged;                  // 2
  BYTE          b003;                           // 3
  PVOID         Mutant;                         // 4
  PVOID         ImageBaseAddress;               // 8
  PPEB_LDR_DATA         Ldr;                    // C
  PPROCESS_PARAMETERS   ProcessParameters;      // 10
  PVOID        SubSystemData;                   // 14
  PVOID        ProcessHeap;                     // 18
  KSPIN_LOCK            FastPebLock;            // 1C
  PPEBLOCKROUTINE       FastPebLockRoutine;     // 20
  PPEBLOCKROUTINE       FastPebUnlockRoutine;   // 24
  ULONG        EnvironmentUpdateCount;          // 28
  PVOID       *KernelCallbackTable;             // 2C
  PVOID        EventLogSection;                 // 30
  PVOID        EventLog;                        // 34
  PPEB_FREE_BLOCK    FreeList;                  // 38
  ULONG        TlsExpansionCounter;             // 3C
  PRTL_BITMAP  TlsBitmap;                       // 40
  ULONG        TlsBitmapData[0x2];              // 44
  PVOID        ReadOnlySharedMemoryBase;        // 4C
  PVOID        ReadOnlySharedMemoryHeap;        // 50
  PTEXT_INFO   ReadOnlyStaticServerData;        // 54
  PVOID        InitAnsiCodePageData;            // 58
  PVOID        InitOemCodePageData;             // 5C
  PVOID        InitUnicodeCaseTableData;        // 60
  ULONG        KeNumberProcessors;              // 64
  ULONG        NtGlobalFlag;                    // 68
  DWORD        d6C;                             // 6C
  LARGE_INTEGER MmCriticalSectionTimeout;       // 70
  ULONG        MmHeapSegmentReserve;            // 78
  ULONG        MmHeapSegmentCommit;             // 7C
  ULONG        MmHeapDeCommitTotalFreeThreshold; // 80
  ULONG        MmHeapDeCommitFreeBlockThreshold; // 84
  ULONG        NumberOfHeaps;                   // 88
  ULONG        AvailableHeaps;                  // 8C
  PHANDLE      ProcessHeapsListBuffer;          // 90
  PVOID        GdiSharedHandleTable;            // 94
  PVOID        ProcessStarterHelper;            // 98
  PVOID        GdiDCAttributeList;              // 9C
  KSPIN_LOCK   LoaderLock;                      // A0
  ULONG        NtMajorVersion;                  // A4
  ULONG        NtMinorVersion;                  // A8
  USHORT       NtBuildNumber;                   // AC
  USHORT       NtCSDVersion;                    // AE
  ULONG        PlatformId;                      // B0
  ULONG        Subsystem;                       // B4
  ULONG        MajorSubsystemVersion;           // B8
  ULONG        MinorSubsystemVersion;           // BC
  KAFFINITY    AffinityMask;                    // C0
  ULONG        GdiHandleBuffer[0x22];           // C4
  ULONG        PostProcessInitRoutine;          // 14C
  ULONG        TlsExpansionBitmap;              // 150
  UCHAR        TlsExpansionBitmapBits[0x80];    // 154
  ULONG        SessionId;                       // 1D4
  ULARGE_INTEGER    AppCompatFlags;             // 1D8
  PWORD        CSDVersion;                      // 1E0
/*  PVOID        AppCompatInfo;                 // 1E4
  UNICODE_STRING    usCSDVersion;
  PVOID        ActivationContextData;
  PVOID        ProcessAssemblyStorageMap;
  PVOID        SystemDefaultActivationContextData;
  PVOID        SystemAssemblyStorageMap;
  ULONG        MinimumStackCommit; */
} PEB, *PPEB;

typedef struct _PEB64 {
  BYTE          Reserved1[2];
  BYTE          BeingDebugged;
  BYTE          Reserved2[21];
  PPEB_LDR_DATA Ldr;
  PPROCESS_PARAMETERS   ProcessParameters;
  BYTE          Reserved3[520];
  ULONG         PostProcessInitRoutine;
  BYTE          Reserved4[136];
  ULONG         SessionId;
} PEB64;

typedef struct _TEB
{
  NT_TIB        Tib;
  PVOID         EnvironmentPointer;
  CLIENT_ID     Cid;
  PVOID         ActiveRpcInfo;
  PVOID         ThreadLocalStoragePointer;
  PPEB          Peb;
  ULONG         LastErrorValue;
  ULONG         CountOfOwnedCriticalSections;
  PVOID         CsrClientThread;
  PVOID         Win32ThreadInfo;
  ULONG         Win32ClientInfo[0x1F];
  PVOID         WOW32Reserved;
  ULONG         CurrentLocale;
  ULONG         FpSoftwareStatusRegister;
  PVOID         SystemReserved1[0x36];
  PVOID         Spare1;
  LONG          ExceptionCode;
  ULONG         SpareBytes1[0x28];
  PVOID         SystemReserved2[0xA];
  ULONG         gdiRgn;
  ULONG         gdiPen;
  ULONG         gdiBrush;
  CLIENT_ID     RealClientId;
  PVOID         GdiCachedProcessHandle;
  ULONG         GdiClientPID;
  ULONG         GdiClientTID;
  PVOID         GdiThreadLocaleInfo;
  PVOID         UserReserved[5];
  PVOID         glDispatchTable[0x118];
  ULONG         glReserved1[0x1A];
  PVOID         glReserved2;
  PVOID         glSectionInfo;
  PVOID         glSection;
  PVOID         glTable;
  PVOID         glCurrentRC;
  PVOID         glContext;
  NTSTATUS      LastStatusValue;
  UNICODE_STRING    StaticUnicodeString;
  WCHAR         StaticUnicodeBuffer[0x105];
  PVOID         DeallocationStack;
  PVOID         TlsSlots[0x40];
  LIST_ENTRY    TlsLinks;
  PVOID         Vdm;
  PVOID         ReservedForNtRpc;
  PVOID         DbgSsReserved[0x2];
  ULONG         HardErrorDisabled;
  PVOID         Instrumentation[0x10];
  PVOID         WinSockData;
  ULONG         GdiBatchCount;
  ULONG         Spare2;
  ULONG         Spare3;
  ULONG         Spare4;
  PVOID         ReservedForOle;
  ULONG         WaitingOnLoaderLock;
  PVOID         StackCommit;
  PVOID         StackCommitMax;
  PVOID         StackReserve;
} TEB, *PTEB;

typedef enum _POOL_TYPE
{
  NonPagedPool,
  PagedPool,
  NonPagedPoolMustSucceed,
  DontUseThisType,
  NonPagedPoolCacheAligned,
  PagedPoolCacheAligned,
  NonPagedPoolCacheAlignedMustS,
  MaxPoolType
} POOL_TYPE, *PPOOL_TYPE;

typedef enum _KWAIT_REASON
{
  Executive,
  FreePage,
  PageIn,
  PoolAllocation,
  DelayExecution,
  Suspended,
  UserRequest,
  WrExecutive,
  WrFreePage,
  WrPageIn,
  WrPoolAllocation,
  WrDelayExecution,
  WrSuspended,
  WrUserRequest,
  WrEventPair,
  WrQueue,
  WrLpcReceive,
  WrLpcReply,
  WrVirtualMemory,
  WrPageOut,
  WrRendezvous,
  Spare2,
  Spare3,
  Spare4,
  Spare5,
  Spare6,
  WrKernel,
  MaximumWaitReason
} KWAIT_REASON, *PKWAIT_REASON;

typedef struct _DISPATCHER_HEADER
{
  BYTE          uType;      //DO_TYPE_*
  BYTE          uAbsolute;
  BYTE          uSize;      // number of DWORDs
  BYTE          uInserted;
  LONG          lSignalState;
  LIST_ENTRY    WaitListHead;
} DISPATCHER_HEADER, *PDISPATCHER_HEADER;

typedef struct _KPROCESS
{
  DISPATCHER_HEADER  Header;           // DO_TYPE_PROCESS (0x1A)
  LIST_ENTRY    le10;
  DWORD         d18;
  DWORD         d1C;
  DWORD         d20;
  DWORD         d24;
  DWORD         d28;
  DWORD         d2C;
  DWORD         d30;
  DWORD         d34;
  DWORD         dKernelTime;      // ticks
  DWORD         dUserTime;        // ticks
  LIST_ENTRY    le40;
  LIST_ENTRY    OutSwapList;
  LIST_ENTRY    ThreadListHead;   // KTHREAD.ThreadList
  DWORD         d58;
  KAFFINITY     AffinityMask;
  WORD          w60;
  BYTE          bBasePriority;
  BYTE          b63;
  WORD          w64;
  BYTE          b66;
  BOOLEAN       fPriorityBoost;
} KPROCESS, *PKPROCESS;

typedef struct _PORT_MESSAGE
{
  USHORT        DataSize;
  USHORT        MessageSize;
  USHORT        MessageType;
  USHORT        VirtualRangesOffset;
  CLIENT_ID     ClientId;
  ULONG         MessageId;
  ULONG         SectionSize;
//UCHAR         Data[];
} PORT_MESSAGE, *PPORT_MESSAGE;

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
  PNTSYSCALL    ServiceTable;    // array of entrypoints
  PULONG        puCounterTable;  // array of counters
  ULONG         uTableSize;      // number of table entries
  PBYTE         pbArgumentTable; // array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

typedef struct _KSEMAPHORE
{
  DISPATCHER_HEADER Header;
  LONG              lLimit;
} KSEMAPHORE, *PKSEMAPHORE;

typedef struct _KTHREAD
{
  DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C)
  LIST_ENTRY    le010;
  DWORD         d018;
  DWORD         d01C;
  PTEB          pTeb;
  DWORD         d024;
  DWORD         d028;
  BYTE          b02C;
  BYTE          bThreadState; // THREAD_STATE_*
  WORD          w02E;
  WORD          w030;
  BYTE          b032;
  BYTE          bPriority;
  LIST_ENTRY    le034;
  LIST_ENTRY    le03C;
  PKPROCESS     pProcess;
  DWORD         d048;
  DWORD         dContextSwitches;
  DWORD         d050;
  WORD          w054;
  BYTE          b056;
  BYTE          bWaitReason;
  DWORD         d058;
  PLIST_ENTRY   ple05C;
  PLIST_ENTRY   ple060;
  DWORD         d064;
  BYTE          bBasePriority;
  BYTE          b069;
  WORD          w06A;
  DWORD         d06C;
  DWORD         d070;
  DWORD         d074;
  DWORD         d078;
  DWORD         d07C;
  DWORD         d080;
  DWORD         d084;
  DWORD         d088;
  DWORD         d08C;
  DWORD         d090;
  DWORD         d094;
  DWORD         d098;
  DWORD         d09C;
  DWORD         d0A0;
  DWORD         d0A4;
  DWORD         d0A8;
  DWORD         d0AC;
  DWORD         d0B0;
  DWORD         d0B4;
  DWORD         d0B8;
  DWORD         d0BC;
  DWORD         d0C0;
  DWORD         d0C4;
  DWORD         d0C8;
  DWORD         d0CC;
  DWORD         d0D0;
  DWORD         d0D4;
  DWORD         d0D8;
  PSERVICE_DESCRIPTOR_TABLE pServiceDescriptorTable;
  DWORD         d0E0;
  DWORD         d0E4;
  DWORD         d0E8;
  DWORD         d0EC;
  LIST_ENTRY    le0F0;
  DWORD         d0F8;
  DWORD         d0FC;
  DWORD         d100;
  DWORD         d104;
  DWORD         d108;
  DWORD         d10C;
  DWORD         d110;
  DWORD         d114;
  DWORD         d118;
  BYTE          b11C;
  BYTE          b11D;
  WORD          w11E;
  DWORD         d120;
  DWORD         d124;
  DWORD         d128;
  DWORD         d12C;
  DWORD         d130;
  WORD          w134;
  BYTE          b136;
  KPROCESSOR_MODE ProcessorMode;
  DWORD         dKernelTime;  // ticks
  DWORD         dUserTime;    // ticks
  DWORD         d140;
  DWORD         d144;
  DWORD         d148;
  DWORD         d14C;
  DWORD         d150;
  DWORD         d154;
  DWORD         d158;
  DWORD         d15C;
  DWORD         d160;
  DWORD         d164;
  DWORD         d168;
  DWORD         d16C;
  DWORD         d170;
  PROC          SuspendNop;
  DWORD         d178;
  DWORD         d17C;
  DWORD         d180;
  DWORD         d184;
  DWORD         d188;
  DWORD         d18C;
  KSEMAPHORE    SuspendSemaphore;
  LIST_ENTRY    ThreadList; // KPROCESS.ThreadListHead
  DWORD         d1AC;
} KTHREAD, *PKTHREAD;

typedef struct _ETHREAD
{
  KTHREAD       Tcb;
  LARGE_INTEGER liCreateTime;
  LARGE_INTEGER liExitTime;
  NTSTATUS      ExitStatus;
  LIST_ENTRY    PostBlockList;
  LIST_ENTRY    TerminationPortList;
  ULONG         uActiveTimerListLock;
  LIST_ENTRY    ActiveTimerListHead;
  CLIENT_ID     Cid;
  KSEMAPHORE    LpcReplySemaphore;
  ULONG         uLpcReplyMessage;
  LARGE_INTEGER liLpcReplyMessageId;
  ULONG         uImpersonationInfo;
  LIST_ENTRY    IrpList;
  LIST_ENTRY    TopLevelIrp;
  ULONG         uReadClusterSize;
  BOOLEAN       fForwardClusterOnly;
  BOOLEAN       fDisablePageFaultClustering;
  BOOLEAN       fDeadThread;
  BOOLEAN       fHasTerminated;
  ULONG         uEventPair;
  ULONG         uGrantedAccess;
  ULONG         uThreadsProcess;
  PVOID         pStartAddress;
  PVOID         Win32StartAddress;
  BOOLEAN       fLpcExitThreadCalled;
  BOOLEAN       fHardErrorsAreDisabled;
  WORD          wUknown1;
  DWORD         dwUknown2;
} ETHREAD, *PETHREAD;

typedef PETHREAD
  ERESOURCE_THREAD, *PERESOURCE_THREAD;

typedef struct _KEVENT
{
  DISPATCHER_HEADER  Header;
} KEVENT, *PKEVENT;

typedef struct _ERESOURCE_OLD
{
  LIST_ENTRY            SystemResourcesList;
  PERESOURCE_THREAD     OwnerThreads;
  PBYTE                 pbOwnerCounts;
  WORD                  wTableSize;
  WORD                  wActiveCount;
  WORD                  wFlag;
  WORD                  wTableRover;
  BYTE                  bInitialOwnerCounts[4];
  ERESOURCE_THREAD      InitialOwnerThreads[4];
  DWORD                 dwUknown1;
  ULONG                 uContentionCount;
  WORD                  wNumberOfExclusiveWaiters;
  WORD                  wNumberOfSharedWaiters;
  KSEMAPHORE            SharedWaiters;
  KEVENT                ExclusiveWaiters;
  KSPIN_LOCK            SpinLock;
  ULONG                 uCreatorBackTraceIndex;
  WORD                  wDepth;
  WORD                  wUknown2;
  PVOID                 pOwnerBackTrace[4];
} ERESOURCE_OLD, *PERESOURCE_OLD;

typedef struct _OWNER_ENTRY
{
  ERESOURCE_THREAD  OwnerThread;
  SHORT             sOwnerCount;
  WORD              wTableSize;
} OWNER_ENTRY, *POWNER_ENTRY;

typedef struct _ERESOURCE_LITE
{
  LIST_ENTRY    SystemResourcesList;
  POWNER_ENTRY  OwnerTable;
  SHORT         sActiveCount;
  WORD          wFlag;
  PKSEMAPHORE   SharedWaiters;
  PKEVENT       ExclusiveWaiters;
  OWNER_ENTRY   OwnerThreads[2];
  ULONG         uContentionCount;
  WORD          wNumberOfSharedWaiters;
  WORD          wNumberOfExclusiveWaiters;
  union
  {
    PVOID       pAddress;
    ULONG       uCreatorBackTraceIndex;
  };
  KSPIN_LOCK    SpinLock;
} ERESOURCE_LITE, *PERESOURCE_LITE;

typedef ERESOURCE_LITE  ERESOURCE,
            *PERESOURCE;

typedef struct _IO_STATUS_BLOCK
{
  NTSTATUS      Status;
  ULONG         uInformation;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

/* Defined in Winnt.h
typedef struct _QUOTA_LIMITS {
  SIZE_T PagedPoolLimit;
  SIZE_T NonPagedPoolLimit;
  SIZE_T MinimumWorkingSetSize;
  SIZE_T MaximumWorkingSetSize;
  SIZE_T PagefileLimit;
  LARGE_INTEGER TimeLimit;
} QUOTA_LIMITS, *PQUOTA_LIMITS;
*/

typedef struct _IOCOUNTERS
{
  ULONG         uReadOperationCount;
  ULONG         uWriteOperationCount;
  ULONG         uOtherOperationCount;
  LARGE_INTEGER liReadTransferCount;
  LARGE_INTEGER liWriteTransferCount;
  LARGE_INTEGER liOtherTransferCount;
} IOCOUNTERS, *PIOCOUNTERS;

typedef struct _VM_COUNTERS
{
  ULONG  uPeakVirtualSize;
  ULONG  uVirtualSize;
  ULONG  uPageFaultCount;
  ULONG  uPeakWorkingSetSize;
  ULONG  uWorkingSetSize;
  ULONG  uQuotaPeakPagedPoolUsage;
  ULONG  uQuotaPagedPoolUsage;
  ULONG  uQuotaPeakNonPagedPoolUsage;
  ULONG  uQuotaNonPagedPoolUsage;
  ULONG  uPagefileUsage;
  ULONG  uPeakPagefileUsage;
} VM_COUNTERS, *PVM_COUNTERS;

typedef struct _KERNEL_USER_TIMES
{
  LARGE_INTEGER liCreateTime;
  LARGE_INTEGER liExitTime;
  LARGE_INTEGER liKernelTime;
  LARGE_INTEGER liUserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;

typedef struct _BASE_PRIORITY_INFORMATION
{
  KPRIORITY  BasePriority;
} BASE_PRIORITY_INFORMATION, *PBASE_PRIORITY_INFORMATION;

typedef struct _AFFINITY_MASK
{
  KAFFINITY  AffinityMask;
} AFFINITY_MASK, *PAFFINITY_MASK;

typedef struct _TIME_FIELDS
{
  WORD  wYear;
  WORD  wMonth;
  WORD  wDay;
  WORD  wHour;
  WORD  wMinute;
  WORD  wSecond;
  WORD  wMilliseconds;
  WORD  wWeekday;
} TIME_FIELDS, *PTIME_FIELDS;

typedef void (*PIO_APC_ROUTINE)
  (PVOID        ApcContext,
   PIO_STATUS_BLOCK  IoStatusBlock,
   ULONG        Reserved);

#if(_WIN32_WINNT < 0x0400)

typedef struct _NTVOLUME_DATA_BUFFER
{
  LARGE_INTEGER  liSerialNumber;
  LARGE_INTEGER  liNumberOfSectors;
  LARGE_INTEGER  liTotalClusters;
  LARGE_INTEGER  liFreeClusters;
  LARGE_INTEGER  liReserved;
  ULONG          uBytesPerSector;
  ULONG          uBytesPerCluster;
  ULONG          uBytesPerMFTRecord;
  ULONG          uClustersPerMFTRecord;
  LARGE_INTEGER  liMFTLength;
  LARGE_INTEGER  liMFTStart;
  LARGE_INTEGER  liMFTMirrorStart;
  LARGE_INTEGER  liMFTZoneStart;
  LARGE_INTEGER  liMFTZoneEnd;
} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;

#endif // _WIN23_WINNT < 0x0400

typedef struct _OBJDIR_INFORMATION
{
  UNICODE_STRING  ObjectName;
  UNICODE_STRING  ObjectTypeName; // e.g. Directory, Device ...
  UCHAR      Data[1];        // variable length
} OBJDIR_INFORMATION, *POBJDIR_INFORMATION;

// Define the file system information class values
typedef enum _FSINFOCLASS {
  FileFsVolumeInformation       = 1,
  FileFsLabelInformation,      // 2
  FileFsSizeInformation,       // 3
  FileFsDeviceInformation,     // 4
  FileFsAttributeInformation,  // 5
  FileFsControlInformation,    // 6
  FileFsFullSizeInformation,   // 7
  FileFsObjectIdInformation,   // 8
  FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;

typedef struct _FILE_FS_VOLUME_INFORMATION {
  LARGE_INTEGER VolumeCreationTime;
  ULONG VolumeSerialNumber;
  ULONG VolumeLabelLength;
  BOOLEAN SupportsObjects;
  WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

typedef struct _FILE_FS_LABEL_INFORMATION {
  ULONG VolumeLabelLength;
  WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;

typedef struct _FILE_FS_SIZE_INFORMATION {
  LARGE_INTEGER TotalAllocationUnits;
  LARGE_INTEGER AvailableAllocationUnits;
  ULONG SectorsPerAllocationUnit;
  ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;

typedef struct _FILE_FS_DEVICE_INFORMATION {
  DEVICE_TYPE DeviceType;
  ULONG Characteristics;
} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;

typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
  ULONG FileSystemAttributes;
  LONG MaximumComponentNameLength;
  ULONG FileSystemNameLength;
  WCHAR FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;

typedef struct _FILE_FS_CONTROL_INFORMATION {
  LARGE_INTEGER FreeSpaceStartFiltering;
  LARGE_INTEGER FreeSpaceThreshold;
  LARGE_INTEGER FreeSpaceStopFiltering;
  LARGE_INTEGER DefaultQuotaThreshold;
  LARGE_INTEGER DefaultQuotaLimit;
  ULONG FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;

typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
  LARGE_INTEGER TotalQuotaAllocationUnits;
  LARGE_INTEGER AvailableQuotaAllocationUnits;
  LARGE_INTEGER AvailableAllocationUnits;
  ULONG SectorsPerAllocationUnit;
  ULONG BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;

typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
  GUID VolumeObjectId;
  ULONG VolumeObjectIdExtendedInfo[12];
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;

typedef enum _SYSTEMINFOCLASS
{
  SystemBasicInformation,               // 0x002C
  SystemProcessorInformation,           // 0x000C
  SystemPerformanceInformation,         // 0x0138
  SystemTimeInformation,                // 0x0020
  SystemPathInformation,                // not implemented
  SystemProcessInformation,             // 0x00C8+ per process
  SystemCallInformation,                // 0x0018 + (n * 0x0004)
  SystemConfigurationInformation,       // 0x0018
  SystemProcessorCounters,              // 0x0030 per cpu
  SystemGlobalFlag,                     // 0x0004 (fails if size != 4)
  SystemCallTimeInformation,            // not implemented
  SystemModuleInformation,              // 0x0004 + (n * 0x011C)
  SystemLockInformation,                // 0x0004 + (n * 0x0024)
  SystemStackTraceInformation,          // not implemented
  SystemPagedPoolInformation,           // checked build only
  SystemNonPagedPoolInformation,        // checked build only
  SystemHandleInformation,              // 0x0004  + (n * 0x0010)
  SystemObjectTypeInformation,          // 0x0038+ + (n * 0x0030+)
  SystemPageFileInformation,            // 0x0018+ per page file
  SystemVdmInstemulInformation,         // 0x0088
  SystemVdmBopInformation,              // invalid info class
  SystemCacheInformation,               // 0x0024
  SystemPoolTagInformation,             // 0x0004 + (n * 0x001C)
  SystemInterruptInformation,           // 0x0000, or 0x0018 per cpu
  SystemDpcInformation,                 // 0x0014
  SystemFullMemoryInformation,          // checked build only
  SystemLoadDriver,                     // 0x0018, set mode only
  SystemUnloadDriver,                   // 0x0004, set mode only
  SystemTimeAdjustmentInformation,      // 0x000C, 0x0008 writeable
  SystemSummaryMemoryInformation,       // checked build only
  SystemNextEventIdInformation,         // checked build only
  SystemEventIdsInformation,            // checked build only
  SystemCrashDumpInformation,           // 0x0004
  SystemExceptionInformation,           // 0x0010
  SystemCrashDumpStateInformation,      // 0x0004
  SystemDebuggerInformation,            // 0x0002
  SystemContextSwitchInformation,       // 0x0030
  SystemRegistryQuotaInformation,       // 0x000C
  SystemAddDriver,                      // 0x0008, set mode only
  SystemPrioritySeparationInformation,  // 0x0004, set mode only
  SystemPlugPlayBusInformation,         // not implemented
  SystemDockInformation,                // not implemented
  SystemPowerInfo,                      // 0x0060 (XP only!)
  SystemProcessorSpeedInformation,      // 0x000C (XP only!)
  SystemTimeZoneInformation,            // 0x00AC
  SystemLookasideInformation,           // n * 0x0020
  SystemSetTimeSlipEvent,
  SystemCreateSession,                  // set mode only
  SystemDeleteSession,                  // set mode only
  SystemInvalidInfoClass1,              // invalid info class
  SystemRangeStartInformation,          // 0x0004 (fails if size != 4)
  SystemVerifierInformation,
  SystemAddVerifier,
  SystemSessionProcessesInformation,    // checked build only
  MaxSystemInfoClass
} SYSTEMINFOCLASS, *PSYSTEMINFOCLASS;

typedef struct _SYSTEM_BASIC_INFORMATION
{
  DWORD         dwUnknown1;             // 0
  ULONG         uKeMaximumIncrement;    // x86: 0x0002625A or 0x00018730
  ULONG         uPageSize;              // bytes
  ULONG         uMmNumberOfPhysicalPages;
  ULONG         uMmLowestPhysicalPage;
  ULONG         uMmHighestPhysicalPage;
  ULONG         uAllocationGranularity; // bytes
  PVOID         pLowestUserAddress;
  PVOID         pMmHighestUserAddress;
  KAFFINITY     uKeActiveProcessors;
  BYTE          bKeNumberProcessors;
  BYTE          bUnknown2;
  WORD          wUnknown3;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_INFORMATION
{
  WORD  wKeProcessorArchitecture; // PROCESSOR_ARCHITECTURE_* (PROCESSOR_ARCHITECTURE_INTEL)
  WORD  wKeProcessorLevel;        // PROCESSOR_* (PROCESSOR_INTEL_PENTIUM)
  WORD  wKeProcessorRevision;     // Pentium: H=model, L=stepping
  WORD  wUnknown1;                // 0
  ULONG uKeFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;

typedef struct _MM_INFO_COUNTERS
{
  ULONG  uPageFaults;
  ULONG  uWriteCopyFaults;
  ULONG  uTransistionFaults;
  ULONG  uCacheTransitionCount;
  ULONG  uDemandZeroFaults;
  ULONG  uPagesRead;
  ULONG  uPageReadIos;
  ULONG  uCacheReadCount;
  ULONG  uCacheIoCount;
  ULONG  uPagefilePagesWritten;
  ULONG  uPagefilePageWriteIos;
  ULONG  uMappedFilePagesWritten;
  ULONG  uMappedFilePageWriteIos;
} MM_INFO_COUNTERS, *PMM_INFO_COUNTERS;

typedef struct _SYSTEM_PERFORMANCE_INFORMATION
{
  LARGE_INTEGER    liIdleTime;             // 100 nsec units
  LARGE_INTEGER    liIoReadTransferCount;
  LARGE_INTEGER    liIoWriteTransferCount;
  LARGE_INTEGER    liIoOtherTransferCount;
  ULONG        uIoReadOperationCount;
  ULONG        uIoWriteOperationCount;
  ULONG        uIoOtherOperationCount;
  ULONG        uMmAvailablePages;
  ULONG        uMmTotalCommittedPages;
  ULONG        uMmTotalCommitLimit;   // pages
  ULONG        uMmPeakCommitLimit;    // pages
  MM_INFO_COUNTERS  MmInfoCounters;
  ULONG        uPoolPaged;            // pages
  ULONG        uPoolNonPaged;         // pages
  ULONG        uPagedPoolAllocs;
  ULONG        uPagedPoolFrees;
  ULONG        uNonPagedPoolAllocs;
  ULONG        uNonPagedPoolFrees;
  ULONG        uMmTotalFreeSystemPages;
  ULONG        uMmSystemCodePage;
  ULONG        uMmTotalSystemDriverPages;
  ULONG        uMmTotalSystemCodePages;
  ULONG        uSmallNonPagedLookasideListAllocateHits;
  ULONG        uSmallPagedLookasideListAllocateHits;
  DWORD        dwUnknown1;
  ULONG        uMmSystemCachePage;
  ULONG        uMmPagedPoolPage;
  ULONG        uMmSystemDriverPage;
  ULONG        uCcFastReadNoWait;
  ULONG        uCcFastReadWait;
  ULONG        uCcFastReadResourceMiss;
  ULONG        uCcFastReadNotPossible;
  ULONG        uCcFastMdlReadNoWait;
  ULONG        uCcFastMdlReadWait;
  ULONG        uCcFastMdlReadResourceMiss;
  ULONG        uCcFastMdlReadNotPossible;
  ULONG        uCcMapDataNoWait;
  ULONG        uCcMapDataWait;
  ULONG        uCcMapDataNoWaitMiss;
  ULONG        uCcMapDataWaitMiss;
  ULONG        uCcPinMappedDataCount;
  ULONG        uCcPinReadNoWait;
  ULONG        uCcPinReadWait;
  ULONG        uCcPinReadNoWaitMiss;
  ULONG        uCcPinReadWaitMiss;
  ULONG        uCcCopyReadNoWait;
  ULONG        uCcCopyReadWait;
  ULONG        uCcCopyReadNoWaitMiss;
  ULONG        uCcCopyReadWaitMiss;
  ULONG        uCcMdlReadNoWait;
  ULONG        uCcMdlReadWait;
  ULONG        uCcMdlReadNoWaitMiss;
  ULONG        uCcMdlReadWaitMiss;
  ULONG        uCcReadAheadIos;
  ULONG        uCcLazyWriteIos;
  ULONG        uCcLazyWritePages;
  ULONG        uCcDataFlushes;
  ULONG        uCcDataPages;
  ULONG        uTotalContextSwitches; // total across cpus
  ULONG        uFirstLevelTbFills;
  ULONG        uSecondLevelTbFills;
  ULONG        uSystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;

typedef struct _SYSTEM_TIME_INFORMATION
{
  LARGE_INTEGER  liKeBootTime;      // relative to 01-01-1601
  LARGE_INTEGER  liKeSystemTime;      // relative to 01-01-1601
  LARGE_INTEGER  liExpTimeZoneBias;    // utc time = local time + bias
  ULONG      uExpCurrentTimeZoneId;  // TIME_ZONE_ID_* (TIME_ZONE_ID_UNKNOWN, etc.)
  DWORD      dwUnknown1;
} SYSTEM_TIME_INFORMATION, *PSYSTEM_TIME_INFORMATION;

typedef enum
{
  StateInitialized,
  StateReady,
  StateRunning,
  StateStandby,
  StateTerminated,
  StateWait,
  StateTransition,
  StateUnknown
} THREAD_STATE;

/*typedef struct _IO_COUNTERSEX
{
  LARGE_INTEGER  ReadOperationCount;
  LARGE_INTEGER  WriteOperationCount;
  LARGE_INTEGER  OtherOperationCount;
  LARGE_INTEGER  ReadTransferCount;
  LARGE_INTEGER  WriteTransferCount;
  LARGE_INTEGER  OtherTransferCount;
} IO_COUNTERS, *PIO_COUNTERS;*/

typedef struct _SYSTEM_THREAD {
  FILETIME     ftKernelTime;      // 100 nsec units
  FILETIME     ftUserTime;        // 100 nsec units
  FILETIME     ftCreateTime;      // relative to 01-01-1601
  DWORD        dWaitTime;
  PVOID        pStartAddress;
  CLIENT_ID    Cid;               // process/thread ids
  DWORD        dPriority;
  DWORD        dBasePriority;
  DWORD        dContextSwitches;
  DWORD        dThreadState;      // 2=running, 5=waiting
  KWAIT_REASON WaitReason;
  DWORD        dReserved01;
} SYSTEM_THREAD, * PSYSTEM_THREAD, **PPSYSTEM_THREAD;

typedef struct _SYSTEM_PROCESS_INFORMATION {          // common members
  DWORD          dNext;           // relative offset
  DWORD          dThreadCount;
  DWORD          dReserved01;
  DWORD          dReserved02;
  DWORD          dReserved03;
  DWORD          dReserved04;
  DWORD          dReserved05;
  DWORD          dReserved06;
  FILETIME       ftCreateTime;    // relative to 01-01-1601
  FILETIME       ftUserTime;      // 100 nsec units
  FILETIME       ftKernelTime;    // 100 nsec units
  UNICODE_STRING usName;
  KPRIORITY      BasePriority;
  DWORD          dUniqueProcessId;
  DWORD          dInheritedFromUniqueProcessId;
  DWORD          dHandleCount;
  DWORD          dReserved07;
  DWORD          dReserved08;
  VM_COUNTERS    VmCounters;      // see ntddk.h
  DWORD          dCommitCharge;   // bytes
  LARGE_INTEGER Reserved6[6];

} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION, **PPSYSTEM_PROCESS_INFORMATION;

typedef struct _SYSTEM_PROCESS_INFORMATION_NT4 {     // Windows NT 4.0
  SYSTEM_PROCESS_INFORMATION Process;         // common members
  SYSTEM_THREAD  aThreads [1];     // thread array
} SYSTEM_PROCESS_INFORMATION_NT4, * PSYSTEM_PROCESS_INFORMATION_NT4, **PPSYSTEM_PROCESS_INFORMATION_NT4;

typedef struct _SYSTEM_PROCESS_NT5 {      // Windows 2000 and up
  SYSTEM_PROCESS_INFORMATION Process;         // common members
  IO_COUNTERS    IoCounters;      // see ntddk.h
  SYSTEM_THREAD  aThreads [1];     // thread array
} SYSTEM_PROCESS_INFORMATION_NT5, * PSYSTEM_PROCESS_INFORMATION_NT5, **PPSYSTEM_PROCESS_INFORMATION_NT5;

typedef struct _SYSTEM_CALL_INFORMATION
{
  ULONG  Length;
  ULONG  NumberOfTables;
//  ULONG  NumberOfEntries[NumberOfTables]
//  ULONG  CallCounts[NumberOfTables][NumberOfEntries];
} SYSTEM_CALL_INFORMATION, *PSYSTEM_CALL_INFORMATION;

typedef struct _SYSTEM_CONFIGURATION_INFORMATION
{
  ULONG  uDiskCount;
  ULONG  uFloppyCount;
  ULONG  uCDRomCount;
  ULONG  uTapeCount;
  ULONG  uSerialCount;         // com port with mouse not included
  ULONG  uParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_COUNTERS
{
  LARGE_INTEGER  liProcessorTime;       // 100 nsec units
  LARGE_INTEGER  liKernelTime;          // 100 nsec units
  LARGE_INTEGER  liUserTime;            // 100 nsec units
  LARGE_INTEGER  liDpcTime;             // 100 nsec units
  LARGE_INTEGER  liInterruptTime;       // 100 nsec units
  ULONG      uInterruptCount;
  DWORD      dwUnknown1;
} SYSTEM_PROCESSOR_COUNTERS, *PSYSTEM_PROCESSOR_COUNTERS;

typedef struct _SYSTEM_GLOBAL_FLAG
{
  ULONG  NtGlobalFlag;        // see Q147314, Q102985, Q105677
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;

typedef struct _SYSTEM_CALL_TIME_INFORMATION
{
  ULONG      Length;
  ULONG      TotalCalls;
  LARGE_INTEGER  TimeOfCalls[1];
} SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION;

typedef struct _SYSTEM_MODULE
{
  ULONG  Reserved[2];
  ULONG  Base;
  ULONG  Size;
  ULONG  Flags;
  USHORT  Index;
  USHORT  Unknown;
  USHORT  LoadCount;
  USHORT  ModuleNameOffset;
  CHAR  ImageName[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE;

typedef struct _SYSTEM_MODULE_INFORMATION
{
  ULONG      uCount;
  SYSTEM_MODULE  aSM[];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _SYSTEM_LOCK
{
  union
  {
    PERESOURCE_OLD  pEResourceOld;  // old ERESOURCE format
    PERESOURCE_LITE  pEResourceLite; // new "lite" format
    PERESOURCE    pEResource;     // current format
  };
  WORD   wUnknown1;                  // 1
  WORD   wUnknown2;                  // 0
  ULONG  ExclusiveOwnerThreadId;
  ULONG  uActiveCount;
  ULONG  uContentionCount;
  DWORD  dwUnknown3;
  DWORD  dwUnknown4;
  ULONG  uNumberOfSharedWaiters;
  ULONG  uNumberOfExclusiveWaiters;
} SYSTEM_LOCK, *PSYSTEM_LOCK;

typedef struct _SYSTEM_LOCK_INFORMATION
{
  ULONG    uCount;
  SYSTEM_LOCK  aSL[];
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

typedef struct _SYSTEM_HANDLE
{
  ULONG         uIdProcess;
  UCHAR         ObjectType;    // OB_TYPE_* (OB_TYPE_TYPE, etc.)
  UCHAR         Flags;         // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
  USHORT        Handle;
  POBJECT       pObject;
  ACCESS_MASK   GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
  ULONG         NumberOfHandles;
  SYSTEM_HANDLE  Information[];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_OBJECTTYPE_INFORMATION
{
  ULONG         NextEntryOffset;  // absolute offset
  ULONG         ObjectCount;
  ULONG         HandleCount;
  ULONG         TypeIndex;      // OB_TYPE_* (OB_TYPE_TYPE, etc.)
  ULONG         InvalidAttributes;  // OBJ_* (OBJ_INHERIT, etc.)
  GENERIC_MAPPING  GenericMapping;
  ACCESS_MASK   ValidAccessMask;
  POOL_TYPE     PoolType;
  BOOLEAN       SecurityRequired;
  BOOLEAN       WaitableObject;
  UNICODE_STRING  TypeName;
} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION;

// follows after SYSTEM_OBJECTTYPE_INFORMATION.TypeName
typedef struct _SYSTEM_OBJECT_INFORMATION
{
  ULONG         NextEntryOffset;    // absolute offset
  POBJECT       Object;
  ULONG         CreatorProcessId;
  USHORT        CreatorBackTraceIndex;
  USHORT        Flags;          // see "Native API Reference" page 24
  LONG          PointerCount;
  LONG          HandleCount;
  ULONG         PagedPoolCharge;
  ULONG         NonPagedPoolCharge;
  ULONG         ExclusiveProcessId;
  PSECURITY_DESCRIPTOR  SecurityDescriptor;
  UNICODE_STRING      ObjectName;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;

typedef struct _SYSTEM_PAGE_FILE_INFORMATION
{
  ULONG      NextEntryOffset;  // relative offset
  ULONG      CurrentSize;    // pages
  ULONG      TotalUsed;      // pages
  ULONG      PeakUsed;      // pages
  UNICODE_STRING  FileName;
} SYSTEM_PAGE_FILE_INFORMATION, *PSYSTEM_PAGE_FILE_INFORMATION;

typedef struct _SYSTEM_VDM_INSTEMUL_INFO
{
  BOOL   fExVdmSegmentNotPresent;
  ULONG  uOpcode0FV86;
  ULONG  uOpcodeESPrefixV86;
  ULONG  uOpcodeCSPrefixV86;
  ULONG  uOpcodeSSPrefixV86;
  ULONG  uOpcodeDSPrefixV86;
  ULONG  uOpcodeFSPrefixV86;
  ULONG  uOpcodeGSPrefixV86;
  ULONG  uOpcodeOPER32PrefixV86;
  ULONG  uOpcodeADDR32PrefixV86;
  ULONG  uOpcodeINSBV86;
  ULONG  uOpcodeINSWV86;
  ULONG  uOpcodeOUTSBV86;
  ULONG  uOpcodeOUTSWV86;
  ULONG  uOpcodePUSHFV86;
  ULONG  uOpcodePOPFV86;
  ULONG  uOpcodeINTnnV86;
  ULONG  uOpcodeINTOV86;
  ULONG  uOpcodeIRETV86;
  ULONG  uOpcodeINBimmV86;
  ULONG  uOpcodeINWimmV86;
  ULONG  uOpcodeOUTBimmV86;
  ULONG  uOpcodeOUTWimmV86;
  ULONG  uOpcodeINBV86;
  ULONG  uOpcodeINWV86;
  ULONG  uOpcodeOUTBV86;
  ULONG  uOpcodeOUTWV86;
  ULONG  uOpcodeLOCKPrefixV86;
  ULONG  uOpcodeREPNEPrefixV86;
  ULONG  uOpcodeREPPrefixV86;
  ULONG  uOpcodeHLTV86;
  ULONG  uOpcodeCLIV86;
  ULONG  uOpcodeSTIV86;
  ULONG  uVdmBopCount;
} SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO;

typedef struct _SYSTEM_CACHE_INFORMATION
{
  ULONG uFileCache;           // bytes
  ULONG uFileCachePeak;       // bytes
  ULONG PageFaultCount;
  ULONG MinimumWorkingSet;
  ULONG MaximumWorkingSet;
  ULONG TransitionSharedPages;
  ULONG TransitionSharedPagesPeak;
  ULONG Reserved[2];
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;

typedef struct _SYSTEM_POOL_ENTRY
{
  BOOLEAN  Allocated;
  BOOLEAN  Spare0;
  USHORT   AllocatorBackTraceIndex;
  ULONG    Size;
  union
  {
    UCHAR  Tag[4];
    ULONG  TagUlong;
    PVOID  ProcessChargedQuota;
  };
} SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY;

typedef struct _SYSTEM_POOL_INFORMATION
{
  ULONG    TotalSize;
  PVOID    FirstEntry;
  USHORT   EntryOverhead;
  BOOLEAN  PoolTagPresent;
  BOOLEAN  Spare0;
  ULONG    NumberOfEntries;
  SYSTEM_POOL_ENTRY  Entries[1];
} SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION;

typedef struct _SYSTEM_POOL_TAG
{
  union
  {
    UCHAR  Tag[4];
    ULONG  TagUlong;
  };
  ULONG  PagedPoolAllocs;
  ULONG  PagedPoolFrees;
  ULONG  PagedPoolUsage;
  ULONG  NonPagedPoolAllocs;
  ULONG  NonPagedPoolFrees;
  ULONG  NonPagedPoolUsage;
} SYSTEM_POOL_TAG, *PSYSTEM_POOL_TAG;

typedef struct _SYSTEM_POOL_TAG_INFORMATION
{
  ULONG      uCount;
  SYSTEM_POOL_TAG  aSPT[];
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;

typedef struct _SYSTEM_INTERRUPT_INFORMATION
{
  ULONG  ContextSwitches;
  ULONG  DpcCount;
  ULONG  DpcRate;
  ULONG  TimeIncrement;
  ULONG  DpcBypassCount;
  ULONG  ApcBypassCount;
} SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION;

typedef struct _SYSTEM_DPC_INFORMATION
{
  DWORD  dwUnknown1;
  ULONG  MaximumDpcQueueDepth;
  ULONG  MinimumDpcRate;
  ULONG  AdjustDpcThreshold;
  ULONG  IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;

typedef struct _SYSTEM_MEMORY_INFO
{
  PUCHAR  StringOffset;
  USHORT  ValidCount;
  USHORT  TransitionCount;
  USHORT  ModifiedCount;
  USHORT  PageTableCount;
} SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO;

typedef struct _SYSTEM_MEMORY_INFORMATION
{
  ULONG        InfoSize;
  ULONG        StringStart;
  SYSTEM_MEMORY_INFO  Memory[1];
} SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION;

typedef struct _SYSTEM_LOAD_DRIVER
{
  UNICODE_STRING      DriverName;      // input
  PVOID          BaseAddress;    // output
  PVOID          SectionPointer;    // output
  PVOID          EntryPoint;      // output
  PIMAGE_EXPORT_DIRECTORY  ExportDirectory;  // output
} SYSTEM_LOAD_DRIVER, *PSYSTEM_LOAD_DRIVER;

typedef struct _SYSTEM_UNLOAD_DRIVER
{
  PVOID  SectionPointer;
} SYSTEM_UNLOAD_DRIVER, *PSYSTEM_UNLOAD_DRIVER;

typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT
{
  ULONG  TimeAdjustment;
  ULONG  MaximumIncrement;
  BOOLEAN  TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;

typedef struct _SYSTEM_SET_TIME_ADJUSTMENT
{
  ULONG  TimeAdjustment;
  BOOLEAN  TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;

typedef struct _SYSTEM_CRASH_DUMP_INFORMATION
{
  HANDLE  CrashDumpSectionHandle;
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_INFORMATION_2000
{
  HANDLE  CrashDumpSectionHandle;
  HANDLE  Unknown;        // Windows 2000 only
} SYSTEM_CRASH_DUMP_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_INFORMATION_2000;

typedef struct _SYSTEM_EXCEPTION_INFORMATION
{
  ULONG  AlignmentFixupCount;
  ULONG  ExceptionDispatchCount;
  ULONG  FloatingEmulationCount;
  ULONG  ByteWordEmulationCount;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION
{
  ULONG  ValidCrashDump;
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000
{
  ULONG  ValidCrashDump;
  ULONG  Unknown;    // Windows 2000 only
} SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION_2000;

typedef struct _SYSTEM_DEBUGGER_INFORMATION
{
  BOOLEAN  KernelDebuggerEnabled;
  BOOLEAN  KernelDebuggerNotPresent;
} SYSTEM_DEBUGGER_INFORMATION, *PSYSTEM_DEBUGGER_INFORMATION;

typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION
{
  ULONG  ContextSwitches;
  ULONG  FindAny;
  ULONG  FindLast;
  ULONG  FindIdeal;
  ULONG  IdleAny;
  ULONG  IdleCurrent;
  ULONG  IdleLast;
  ULONG  IdleIdeal;
  ULONG  PreemptAny;
  ULONG  PreemptCurrent;
  ULONG  PreemptLast;
  ULONG  SwitchToIdle;
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;

typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION
{
  ULONG  RegistryQuotaAllowed;  // bytes
  ULONG  RegistryQuotaUsed;     // bytes
  ULONG  PagedPoolSize;         // bytes
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

typedef struct _SYSTEM_ADD_DRIVER
{
  UNICODE_STRING  ModuleName;
} SYSTEM_ADD_DRIVER, *PSYSTEM_ADD_DRIVER;

typedef struct _SYSTEM_PRIORITY_SEPARATION_INFORMATION
{
  ULONG  PrioritySeparation;    // 0..2
} SYSTEM_PRIORITY_SEPARATION_INFORMATION, *PSYSTEM_PRIORITY_SEPARATION_INFORMATION;

#define MAX_BUS_NAME  24

typedef enum _PLUGPLAY_BUS_CLASS
{
  SystemBus,
  PlugPlayVirtualBus,
  MaxPlugPlayBusClass
} PLUGPLAY_BUS_CLASS, *PPLUGPLAY_BUS_CLASS;

typedef enum _PLUGPLAY_VIRTUAL_BUS_TYPE
{
  Root,
  MaxPlugPlayVirtualBusType
} PLUGPLAY_VIRTUAL_BUS_TYPE, *PPLUGPLAY_VIRTUAL_BUS_TYPE;

typedef enum _INTERFACE_TYPE
{
  InterfaceTypeUndefined = -1,
  Internal,
  Isa,
  Eisa,
  MicroChannel,
  TurboChannel,
  PCIBus,
  VMEBus,
  NuBus,
  PCMCIABus,
  CBus,
  MPIBus,
  MPSABus,
  ProcessorInternal,
  InternalPowerBus,
  PNPISABus,
  PNPBus,
  MaximumInterfaceType
}INTERFACE_TYPE, *PINTERFACE_TYPE;

typedef struct _PLUGPLAY_BUS_TYPE
{
  PLUGPLAY_BUS_CLASS  BusClass;
  union
  {
    INTERFACE_TYPE        SystemBusType;
    PLUGPLAY_VIRTUAL_BUS_TYPE  PlugPlayVirtualBusType;
  };
} PLUGPLAY_BUS_TYPE, *PPLUGPLAY_BUS_TYPE;

typedef struct _PLUGPLAY_BUS_INSTANCE
{
  PLUGPLAY_BUS_TYPE  BusType;
  ULONG        BusNumber;
  WCHAR        BusName[MAX_BUS_NAME];
} PLUGPLAY_BUS_INSTANCE, *PPLUGPLAY_BUS_INSTANCE;

typedef struct _SYSTEM_PLUGPLAY_BUS_INFORMATION
{
  ULONG          BusCount;
  PLUGPLAY_BUS_INSTANCE  BusInstance[1];
} SYSTEM_PLUGPLAY_BUS_INFORMATION, *PSYSTEM_PLUGPLAY_BUS_INFORMATION;

typedef enum _SYSTEM_DOCK_STATE
{
  SystemDockStateUnknown,
  SystemUndocked,
  SystemDocked
} SYSTEM_DOCK_STATE, *PSYSTEM_DOCK_STATE;

typedef struct _SYSTEM_DOCK_INFORMATION
{
  SYSTEM_DOCK_STATE  DockState;
  INTERFACE_TYPE    DeviceBusType;
  ULONG        DeviceBusNumber;
  ULONG        SlotNumber;
} SYSTEM_DOCK_INFORMATION, *PSYSTEM_DOCK_INFORMATION;

typedef struct _SYSTEM_POWER_INFORMATION  // not for SystemPowerInfo !
{
  BOOLEAN      SystemSuspendSupported;
  BOOLEAN      SystemHibernateSupported;
  BOOLEAN      ResumeTimerSupportsSuspend;
  BOOLEAN      ResumeTimerSupportsHibernate;
  BOOLEAN      LidSupported;
  BOOLEAN      TurboSettingSupported;
  BOOLEAN      TurboMode;
  BOOLEAN      SystemAcOrDc;
  BOOLEAN      PowerDownDisabled;
  LARGE_INTEGER  SpindownDrives;
} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_SPEED_INFORMATION  // not for SystemProcessorSpeedInformation !
{
  ULONG  MaximumProcessorSpeed;
  ULONG  CurrentAvailableSpeed;
  ULONG  ConfiguredSpeedLimit;
  BOOLEAN  PowerLimit;
  BOOLEAN  ThermalLimit;
  BOOLEAN  TurboLimit;
} SYSTEM_PROCESSOR_SPEED_INFORMATION, *PSYSTEM_PROCESSOR_SPEED_INFORMATION;

typedef struct _SYSTEM_TIME_ZONE_INFORMATION
{
  LONG    Bias;
  WCHAR    StandardName[32];
  TIME_FIELDS  StandardDate;
  LONG    StandardBias;
  WCHAR    DaylightName[32];
  TIME_FIELDS  DaylightDate;
  LONG    DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;

typedef struct _SYSTEM_LOOKASIDE
{
  USHORT    Depth;
  USHORT    MaximumDepth;
  ULONG     TotalAllocates;
  ULONG     AllocateMisses;
  ULONG     TotalFrees;
  ULONG     FreeMisses;
  POOL_TYPE Type;
  ULONG     Tag;
  ULONG     Size;
} SYSTEM_LOOKASIDE, *PSYSTEM_LOOKASIDE;

typedef struct _SYSTEM_LOOKASIDE_INFORMATION
{
  SYSTEM_LOOKASIDE  asl[];
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;

typedef struct _SYSTEM_SET_TIME_SLIP_EVENT
{
  HANDLE  TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;

typedef struct _SYSTEM_CREATE_SESSION
{
  ULONG  Session;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;

typedef struct _SYSTEM_DELETE_SESSION
{
  ULONG  Session;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;

typedef struct _SYSTEM_RANGE_START_INFORMATION
{
  PVOID  SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;


// - NTAPI -
// See also: WSK 1.2

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
  __in  SYSTEMINFOCLASS SystemInformationClass,
  __out PVOID           pSystemInformation,
  __in  ULONG           uSystemInformationLength,
  __out_opt PULONG      puReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetSystemInformation(
  __in  SYSTEMINFOCLASS SystemInformationClass,
  __in  PVOID           pSystemInformation,
  __in  ULONG           uSystemInformationLength
);

// Time functions
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemTime(
  __out PLARGE_INTEGER  SystemTime
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetSystemTime(
  __in      PLARGE_INTEGER  NewTime,
  __out_opt PLARGE_INTEGER  OldTime
);

NTSYSAPI
VOID
NTAPI
RtlTimeToTimeFields(
  __in  PLARGE_INTEGER  pliTime,
  __out PTIME_FIELDS    pTimeFields
);

NTSYSAPI
BOOLEAN
NTAPI
RtlTimeFieldsToTime(
  __in  PTIME_FIELDS    pTimeFields,
  __out PLARGE_INTEGER  pliTime
);

NTSYSAPI
VOID
NTAPI
RtlSecondsSince1970ToTime(
  __in  ULONG           SecondsSince1970,
  __out PLARGE_INTEGER  Time
);

NTSYSAPI
VOID
NTAPI
RtlTimeToSecondsSince1970(
  __in  PLARGE_INTEGER  Time,
  __out PULONG          SecondsSince1970
);

//Mutex functions
NTSYSAPI
NTSTATUS
NTAPI
NtCreateMutant(
  __out PHANDLE         MutantHandle,
  ACCESS_MASK           AccessMask,
  POBJECT_ATTRIBUTES    pObjectAttributes,
  BOOL                  InitialOwner
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenMutant(
  __out PHANDLE         MutantHandle,
  ACCESS_MASK           AccessMask,
  POBJECT_ATTRIBUTES    pObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
NtReleaseMutant(
  __in  HANDLE  hMutex,
  PULONG Optional
);

// Event functions
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
  __out PHANDLE         EventHandle,
  ACCESS_MASK           AccessMask,
  POBJECT_ATTRIBUTES    pObjectAttributes,
  DWORD                 AutoReset,
  DWORD                 InitialState
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenEvent(
  PHANDLE               phEvent,
  ACCESS_MASK           AccessMask,
  POBJECT_ATTRIBUTES    pObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
NtClearEvent(
  __in  HANDLE hEvent
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetEvent(
  __in      HANDLE hEvent,
  __out_opt PLONG  plSignaled
);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateSemaphore(
  __out PHANDLE SemaphoreHandle,
  __in  ACCESS_MASK DesiredAccess,
  __in  POBJECT_ATTRIBUTES ObjectAttributes,
  __in  LONG    InitialCount,
  __in  LONG    MaximumCount
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenSemaphore(
  __out PHANDLE     SemaphoreHandle,
  __in  ACCESS_MASK DesiredAccess,
  __in  POBJECT_ATTRIBUTES ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
NtReleaseSemaphore(
  __in      HANDLE  SemaphoreHandle,
  __in      LONG    ReleaseCount,
  __out_opt PLONG   PreviousCount
);

typedef enum _SEMAPHORE_INFORMATION_CLASS
{
  SemaphoreBasicInformation
} SEMAPHORE_INFORMATION_CLASS;

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySemaphore(
  __in  HANDLE  SemaphoreHandle,
  __in  SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
  __out PVOID   SemaphoreInformation,
  __in  ULONG   SemaphoreInformationLength,
  __out_opt PULONG  ResultLength
);

typedef struct _SEMAPHORE_BASIC_INFORMATION
{
  LONG CurrentCount;
  LONG MaximumCount;
} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;

// Directory and Symbolic Link functions
NTSYSAPI
NTSTATUS
NTAPI
NtCreateDirectoryObject(
  __out PHANDLE        phDirectory,
  __in  ACCESS_MASK      AccessMask,
  __in  POBJECT_ATTRIBUTES  pObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenDirectoryObject(
  __out PHANDLE             DirectoryHandle,
  __in  ACCESS_MASK         DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes
);

typedef struct _DIRECTORY_CONTENTS
{
  struct
  {
    UNICODE_STRING Name;
    UNICODE_STRING Type;
  } Entry[ANYSIZE_ARRAY];
} DIRECTORY_CONTENTS, *PDIRECTORY_CONTENTS;

NTSYSAPI
NTSTATUS
NTAPI
NtQueryDirectoryObject(
  __in      HANDLE      DirectoryHandle,
  __out     PDIRECTORY_CONTENTS  Buffer,
  __in      ULONG       Length,
  __in      BOOLEAN     ReturnSingleEntry,
  __in      BOOLEAN     RestartScan,
  __inout   PULONG      Index,
  __out_opt PULONG      ResultLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenSymbolicLinkObject(
  __out PHANDLE             SymbolicLinkHandle,
  __in  ACCESS_MASK         DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySymbolicLinkObject(
  __in      HANDLE          SymbolicLinkHandle,
  __out     PUNICODE_STRING NameString,
  __out_opt PULONG          ResultLength
);

// File functions
NTSYSAPI
NTSTATUS
NTAPI
NtCreateFile(
  PHANDLE      phFile,
  ACCESS_MASK  AccessMask,
  POBJECT_ATTRIBUTES  pObjectAttributes,
  PIO_STATUS_BLOCK    pIoStatusBlock,
  PLARGE_INTEGER      pliAllocationSize,
  ULONG        uFileAttributes,
  ULONG        uShareAccess,
  ULONG        uCreateDisposition,
  ULONG        uCreateOptions,
  PVOID        pEaBuffer,
  ULONG        uEaLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateNamedPipeFile(
  PHANDLE      phFile,
  ACCESS_MASK  AccessMask,
  POBJECT_ATTRIBUTES  pObjectAttributes,
  PIO_STATUS_BLOCK  pIoStatusBlock,
  ULONG        uShareAccess,
  ULONG        uCreateDisposition,
  ULONG        uCreateOptions,
  BOOLEAN      TypeMessage,
  BOOLEAN      ReadModeMessage,
  BOOLEAN      NonBlocking,
  ULONG        MaxInstance,
  ULONG        InBufferSize,
  ULONG        OutBufferSize,
  PLARGE_INTEGER  DefaultTimeout
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenFile(
  PHANDLE      phFile,
  ACCESS_MASK  AccessMask,
  POBJECT_ATTRIBUTES  pObjectAttributes,
  PIO_STATUS_BLOCK  pIoStatusBlock,
  ULONG        uShareAccess,
  ULONG        uOpenOptions
);

NTSYSAPI
NTSTATUS
NTAPI
NtDeleteFile(
  __in  POBJECT_ATTRIBUTES  pObjectAttributes
);

typedef enum _FILE_INFORMATION_CLASS
{
  FileDirectoryInformation       = 1,
  FileFullDirectoryInformation, // 2
  FileBothDirectoryInformation, // 3
  FileBasicInformation,         // 4
  FileStandardInformation,      // 5
  FileInternalInformation,      // 6
  FileEaInformation,            // 7
  FileAccessInformation,        // 8
  FileNameInformation,          // 9
  FileRenameInformation,        // 10
  FileLinkInformation,          // 11
  FileNamesInformation,         // 12
  FileDispositionInformation,   // 13
  FilePositionInformation,      // 14
  FileFullEaInformation,        // 15
  FileModeInformation,          // 16
  FileAlignmentInformation,     // 17
  FileAllInformation,           // 18
  FileAllocationInformation,    // 19
  FileEndOfFileInformation,     // 20
  FileAlternateNameInformation, // 21
  FileStreamInformation,        // 22
  FilePipeInformation,          // 23
  FilePipeLocalInformation,     // 24
  FilePipeRemoteInformation,    // 25
  FileMailslotQueryInformation, // 26
  FileMailslotSetInformation,   // 27
  FileCompressionInformation,   // 28
  FileObjectIdInformation,      // 29
  FileCompletionInformation,    // 30
  FileMoveClusterInformation,   // 31
  FileInformationReserved32,    // 32
  FileInformationReserved33,    // 33
  FileNetworkOpenInformation,   // 34
  FileAttributeTagInformation,    // 35
  FileTrackingInformation,        // 36
  FileIdBothDirectoryInformation, // 37
  FileIdFullDirectoryInformation, // 38
  FileValidDataLengthInformation, // 39
  FileShortNameInformation,       // 40
  FileMaximumInformation

} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;

typedef struct _FILE_DIRECTORY_INFORMATION
{
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  WCHAR         FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

typedef struct _FILE_FULL_DIR_INFORMATION
{
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  ULONG         EaSize;
  WCHAR         FileName[1];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;

typedef struct _FILE_BOTH_DIR_INFORMATION
{
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  ULONG         EaSize;
  UCHAR         ShortNameLength;
  WCHAR         ShortName[12];
  WCHAR         FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  ULONG         EaSize;
  CCHAR         ShortNameLength;
  WCHAR         ShortName[12];
  LARGE_INTEGER FileId;
  WCHAR         FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;

typedef struct _FILE_ID_FULL_DIR_INFORMATION {
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  ULONG         EaSize;
  LARGE_INTEGER FileId;
  WCHAR         FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;

typedef struct _FILE_BASIC_INFORMATION
{
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  ULONG         FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

typedef struct _FILE_STANDARD_INFORMATION
{
  LARGE_INTEGER AllocationSize;
  LARGE_INTEGER EndOfFile;
  ULONG         NumberOfLinks;
  BOOLEAN       DeletePending;
  BOOLEAN       Directory;
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;

typedef struct _FILE_INTERNAL_INFORMATION
{
  LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;

typedef struct _FILE_EA_INFORMATION
{
  ULONG  EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;

typedef struct _FILE_ACCESS_INFORMATION
{
  ACCESS_MASK  AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;

typedef struct _FILE_NAME_INFORMATION
{
  ULONG  FileNameLength;
  WCHAR  FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;

typedef struct _FILE_RENAME_INFORMATION
{
  BOOLEAN   ReplaceIfExists;
  HANDLE    RootDirectory;
  ULONG     FileNameLength;
  WCHAR     FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

typedef struct _FILE_LINK_INFORMATION
{
  BOOLEAN   ReplaceIfExists;
  HANDLE    RootDirectory;
  ULONG     FileNameLength;
  WCHAR     FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;

typedef struct _FILE_NAMES_INFORMATION
{
  ULONG  NextEntryOffset;
  ULONG  FileIndex;
  ULONG  FileNameLength;
  WCHAR  FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

typedef struct _FILE_ALLOCATION_INFORMATION
{
  LARGE_INTEGER  AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;

typedef struct _FILE_COMPRESSION_INFORMATION
{
  LARGE_INTEGER   CompressedFileSize;
  USHORT          CompressionFormat;
  UCHAR           CompressionUnitShift;
  UCHAR           ChunkShift;
  UCHAR           ClusterShift;
  UCHAR           Reserved[3];
} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;

typedef struct _FILE_COMPLETION_INFORMATION
{
  HANDLE  Port;
  ULONG   Key;
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationFile(
  __in  HANDLE              FileHandle,
  __out PIO_STATUS_BLOCK    IoStatusBlock,
  __out PVOID               FileInformation,
  __in  ULONG               Length,
  __in  FILE_INFORMATION_CLASS  FileInformationClass
);

NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
  __in      HANDLE      FileHandle,
  __in_opt  HANDLE      Event,
  __in_opt  PIO_APC_ROUTINE     ApcRoutine,
  __in_opt  PVOID       ApcContext,
  __out     PIO_STATUS_BLOCK    IoStatusBlock,
  __in      ULONG       IoControlCode,
  __in_opt  PVOID       InputBuffer,
  __in      ULONG       InputBufferLength,
  __out_opt PVOID       OutputBuffer,
  __in      ULONG       OutputBufferLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtFsControlFile(
  __in      HANDLE              FileHandle,
  __in_opt  HANDLE              Event,
  __in_opt  PIO_APC_ROUTINE     ApcRoutine,
  __in_opt  PVOID               ApcContext,
  __out     PIO_STATUS_BLOCK    IoStatusBlock,
  __in      ULONG               FsControlCode,
  __in_opt  PVOID               InputBuffer,
  __in      ULONG               InputBufferLength,
  __out_opt PVOID               OutputBuffer,
  __in      ULONG               OutputBufferLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryVolumeInformationFile(
  __in  HANDLE                  FileHandle,
  __out PIO_STATUS_BLOCK        IoStatusBlock,
  __out PVOID                   FsInformation,
  __in  ULONG                   Length,
  __in  FS_INFORMATION_CLASS    FsInformationClass
);

NTSYSAPI
NTSTATUS
NTAPI
NtFlushBuffersFile(
  __in  HANDLE              FileHandle,
  __out PIO_STATUS_BLOCK    IoStatusBlock
);

// Process functions
//#define NtCurrentProcess()        ((HANDLE) -1)
inline HANDLE NtCurrentProcess() { return (HANDLE)-1; }

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess(
  __out PHANDLE         phProcess,
  __in  ACCESS_MASK     AccessMask,
  __in  POBJECT_ATTRIBUTES  pObjectAttributes,
  __in  PCLIENT_ID      pClientId
);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateProcess(
  __out PHANDLE             ProcessHandle,
  __in  ACCESS_MASK         DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes,
  __in  HANDLE              InheritFromProcessHandle,
  __in  BOOLEAN             InheritHandles,
  __in_opt  HANDLE          SectionHandle,
  __in_opt  HANDLE          DebugPort,
  __in_opt  HANDLE          ExceptionPort
);

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
  __in  HANDLE  ProcessHandle,
  __in  DWORD   ExitCode
);

typedef enum _PROCESSINFOCLASS
{
  ProcessBasicInformation,
  ProcessQuotaLimits,       // QUOTA_LIMITS
  ProcessIoCounters,        // IOCOUNTERS
  ProcessVmCounters,        // VM_COUNTERS
  ProcessTimes,             // KERNEL_USER_TIMES
  ProcessBasePriority,      // BASE_PRIORITY_INFORMATION
  ProcessRaisePriority,
  ProcessDebugPort,
  ProcessExceptionPort,
  ProcessAccessToken,
  ProcessLdtInformation,
  ProcessLdtSize,
  ProcessDefaultHardErrorMode,
  ProcessIoPortHandlers,          // Note: this is kernel mode only
  ProcessPooledUsageAndLimits,
  ProcessWorkingSetWatch,
  ProcessUserModeIOPL,
  ProcessEnableAlignmentFaultFixup,
  ProcessPriorityClass,
  ProcessWx86Information,
  ProcessHandleCount,
  ProcessAffinityMask,    // AFFINITY_MASK
  ProcessPriorityBoost,
  ProcessDeviceMap,
  ProcessSessionInformation,
  ProcessForegroundInformation,
  ProcessWow64Information,
  MaxProcessInfoClass
} PROCESSINFOCLASS;

typedef struct _PROCESS_BASIC_INFORMATION
{
  NTSTATUS  ExitStatus;
  PPEB    PebBaseAddress;
  KAFFINITY  AffinityMask;
  KPRIORITY  BasePriority;
  ULONG    uUniqueProcessId;
  ULONG    uInheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _PROCESS_RAISE_PRIORITY
{
  KPRIORITY  RaisePriority;
} PROCESS_RAISE_PRIORITY, *PPROCESS_RAISE_PRIORITY;

typedef struct _PROCESS_DEBUG_PORT_INFORMATION
{
  HANDLE  DebugPort;
} PROCESS_DEBUG_PORT_INFORMATION, *PPROCESS_DEBUG_PORT_INFORMATION;

typedef struct _PROCESS_EXCEPTION_PORT
{
  HANDLE  ExceptionPort;
} PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT;

typedef struct _PROCESS_ACCESS_TOKEN
{
  HANDLE  Token;
  HANDLE  Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

#ifndef _LDT_ENTRY_DEFINED
#define _LDT_ENTRY_DEFINED

typedef struct _LDT_ENTRY
{
  USHORT  LimitLow;
  USHORT  BaseLow;
  union
  {
    struct
    {
      UCHAR  BaseMid;
      UCHAR  Flags1;     // Declare as bytes to avoid alignment
      UCHAR  Flags2;     // Problems.
      UCHAR  BaseHi;
    } Bytes;

    struct
    {
      ULONG  BaseMid : 8;
      ULONG  Type : 5;
      ULONG  Dpl : 2;
      ULONG  Pres : 1;
      ULONG  LimitHi : 4;
      ULONG  Sys : 1;
      ULONG  Reserved_0 : 1;
      ULONG  Default_Big : 1;
      ULONG  Granularity : 1;
      ULONG  BaseHi : 8;
    } Bits;
  } HighWord;
} LDT_ENTRY, *PLDT_ENTRY;

#endif // _LDT_ENTRY_DEFINED

#define LDT_TABLE_SIZE  (8 * 1024 * sizeof(LDT_ENTRY))

typedef struct _LDT_INFORMATION
{
  ULONG     Start;
  ULONG     Length;
  LDT_ENTRY LdtEntries[1];
} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;

typedef struct _LDT_SIZE
{
  ULONG  Length;
} PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE;

typedef struct _PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION
{
  ULONG  HardErrorMode;  // SEM_* (SEM_FAILCRITICALERRORS, etc.)
} PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION, *PPROCESS_DEFAULT_HARDERROR_MODE_INFORMATION;

typedef struct _PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION
{
  ULONG  PeakPagedPoolUsage;
  ULONG  PagedPoolUsage;
  ULONG  PagedPoolLimit;
  ULONG  PeakNonPagedPoolUsage;
  ULONG  NonPagedPoolUsage;
  ULONG  NonPagedPoolLimit;
  ULONG  PeakPagefileUsage;
  ULONG  PagefileUsage;
  ULONG  PagefileLimit;
} PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION, *PPROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION;

typedef struct _PROCESS_WS_WATCH_INFORMATION
{
  PVOID  FaultingPc;
  PVOID  FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;

typedef struct _PROCESS_IOPL
{
  ULONG  Iopl;
} PROCESS_IOPL, *PPROCESS_IOPL;

typedef struct _PROCESS_ALLIGNMENT_FAULT_FIXUP
{
  BOOLEAN  EnableAllignmentFaultFixup;
} PROCESS_ALLIGNMENT_FAULT_FIXUP, *PPROCESS_ALLIGNMENT_FAULT_FIXUP;

#define KRNL_NORMAL_PRIORITY_CLASS       0x02
#define KRNL_IDLE_PRIORITY_CLASS         0x01
#define KRNL_HIGH_PRIORITY_CLASS         0x03
#define KRNL_REALTIME_PRIORITY_CLASS     0x04

typedef struct _PROCESS_PRIORITY_CLASS_INFORMATION
{
  UCHAR  Unknown;
  UCHAR  PriorityClass;
} PROCESS_PRIORITY_CLASS_INFORMATION, *PPROCESS_PRIORITY_CLASS_INFORMATION;

typedef struct _PROCESS_X86_INFORMATION
{
  ULONG  x86Info;
} PROCESS_X86_INFORMATION, *PPROCESS_X86_INFORMATION;

typedef struct _PROCESS_HANDLE_COUNT_INFORMATION
{
  ULONG  HandleCount;
} PROCESS_HANDLE_COUNT_INFORMATION, *PPROCESS_HANDLE_COUNT_INFORMATION;

typedef struct _PROCESS_PRIORITY_BOOST_INFORMATION
{
  ULONG  PriorityBoostEnabled;
} PROCESS_PRIORITY_BOOST_INFORMATION, *PPROCESS_PRIORITY_BOOST_INFORMATION;

typedef struct _PROCESS_DEVICE_MAP_INFORMATION
{
  union
  {
    struct
    {
      HANDLE  DirectoryHandle;
    } Set;

    struct
    {
      ULONG  DriveMap;
      UCHAR  DriveType[32];
    } Query;
  };

} PROCESS_DEVICE_MAP_INFORMATION, *PPROCESS_DEVICE_MAP_INFORMATION;

typedef struct _PROCESS_SESSION_INFORMATION
{
  ULONG  SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
  __in  HANDLE      hProcess,
  __in  PROCESSINFOCLASS  ProcessInformationClass,
  __out PVOID       pProcessInformation,
  __in  ULONG       uProcessInformationLength,
  __out_opt PULONG  puReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
  __in  HANDLE      hProcess,
  __in  PROCESSINFOCLASS  ProcessInformationClass,
  __out PVOID       pProcessInformation,
  __in  ULONG       uProcessInformationLength
);

NTSTATUS
NTAPI
RtlCreateProcessParameters(
  __out     PPROCESS_PARAMETERS *ProcessParameters,
  __in      PUNICODE_STRING     ImageFile,
  __in_opt  PUNICODE_STRING     DllPath,
  __in_opt  PUNICODE_STRING     CurrentDirectory,
  __in_opt  PUNICODE_STRING     CommandLine,
  __in      ULONG               CreationFlags,
  __in_opt  PUNICODE_STRING     WindowTitle,
  __in_opt  PUNICODE_STRING     Desktop,
  __in_opt  PUNICODE_STRING     Reserved,
  __in_opt  PUNICODE_STRING     Reserved2
);

NTSTATUS
NTAPI
RtlDestroyProcessParameters(
  __in  PPROCESS_PARAMETERS ProcessParameters
);

// jichi 9/28/2013
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Executable%20Images/RtlCreateUserThread.html
// See: http://waleedassar.blogspot.com/2012/06/createremotethread-vs.html
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateUserThread(
  __in      HANDLE              ProcessHandle,
  __in_opt  PSECURITY_DESCRIPTOR SecurityDescriptor,
  __in      BOOLEAN             CreateSuspended,
  __in      ULONG               StackZeroBits,
  __inout   PULONG              StackReserved,
  __inout   PULONG              StackCommit,
  __in      PVOID               StartAddress,
  __in_opt  PVOID               StartParameter,
  __out     PHANDLE             ThreadHandle,
  __out     PCLIENT_ID          ClientID
);

// Thread functions
#define NtCurrentThread()        ((HANDLE) -2)

typedef struct _USER_STACK
{
  PVOID  FixedStackBase;
  PVOID  FixedStackLimit;
  PVOID  ExpandableStackBase;
  PVOID  ExpandableStackLimit;
  PVOID  ExpandableStackBottom;
} USER_STACK, *PUSER_STACK;

/*
typedef struct _INITIAL_TEB {
  struct {
    PVOID OldStackBase;
    PVOID OldStackLimit;
  } OldInitialTeb;
  PVOID StackBase;
  PVOID StackLimit;
  PVOID StackAllocationBase;
} INITIAL_TEB, *PINITIAL_TEB;
*/
typedef _USER_STACK _INITIAL_TEB;
typedef USER_STACK  INITIAL_TEB;
typedef PUSER_STACK PINITIAL_TEB;

NTSYSAPI
NTSTATUS
NTAPI
NtCreateThread(
  __out PHANDLE             ThreadHandle,
  __in  ACCESS_MASK         DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes,
  __in  HANDLE              ProcessHandle,
  __out PCLIENT_ID          ClientId,
  __in  PCONTEXT            ThreadContext,
  __in  PUSER_STACK         UserStack,
  __in  BOOLEAN             CreateSuspended
);

typedef
NTSTATUS
(WINAPI *FpNtCreateThread)(
  __out PHANDLE             ThreadHandle,
  __in  ACCESS_MASK         DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes,
  __in  HANDLE              ProcessHandle,
  __out PCLIENT_ID          ClientId,
  __in  PCONTEXT            ThreadContext,
  __in  PUSER_STACK         UserStack,
  __in  BOOLEAN             CreateSuspended
);

typedef struct _NtCreateThreadExBuffer{
  ULONG  Size;  // sizeof(NtCreateThreadEx)
  ULONG  Unknown1;
  ULONG  Unknown2;
  PULONG Unknown3; // &dw1: SizeOfStackCommit
  ULONG  Unknown4;
  ULONG  Unknown5;
  ULONG  Unknown6;
  PULONG Unknown7; // &dw2: SizeOfStackReserve
  ULONG  Unknown8;
} NtCreateThreadExBuffer, *PNtCreateThreadExBuffer;

// jichi 9/28/2013: An alternative way to create thread on Windows Vista and later
NTSYSAPI
NTSTATUS
NTAPI
NtCreateThreadEx (
  __out PHANDLE         hThread,
  __in  ACCESS_MASK     DesiredAccess,
  __in  LPVOID          ObjectAttributes,
  __in  HANDLE          ProcessHandle,
  __in  LPTHREAD_START_ROUTINE lpStartAddress,
  __in  LPVOID          lpParameter,
  __in  BOOL            CreateSuspended,
  __in  ULONG           StackZeroBits,
  __in  ULONG           SizeOfStackCommit,
  __in  ULONG           SizeOfStackReserve,
  __out LPVOID          lpBytesBuffer
);

typedef
NTSTATUS
(WINAPI *FpNtCreateThreadEx) (
  __out PHANDLE         hThread,
  __in  ACCESS_MASK     DesiredAccess,
  __in  LPVOID          ObjectAttributes,
  __in  HANDLE          ProcessHandle,
  __in  LPTHREAD_START_ROUTINE lpStartAddress,
  __in  LPVOID          lpParameter,
  __in  BOOL            CreateSuspended,
  __in  ULONG           StackZeroBits,
  __in  ULONG           SizeOfStackCommit,
  __in  ULONG           SizeOfStackReserve,
  __out LPVOID          lpBytesBuffer
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThread(
  __out PHANDLE         phThread,
  __in  ACCESS_MASK     AccessMask,
  __in  POBJECT_ATTRIBUTES pObjectAttributes,
  __in  PCLIENT_ID      pClientId
);

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateThread(
  __in_opt  HANDLE      ThreadHandle,
  __in      NTSTATUS    ExitStatus
);

NTSYSAPI
NTSTATUS
NTAPI
NtSuspendThread(
  __in      HANDLE  ThreadHandle,
  __out_opt PULONG  PreviousSuspendCount
);

NTSYSAPI
NTSTATUS
NTAPI
NtResumeThread(
  __in      HANDLE  ThreadHandle,
  __out_opt PULONG  PreviousSuspendCount
);
typedef
NTSTATUS
(WINAPI
* LpNtResumeThread)(
  __in      HANDLE  ThreadHandle,
  __out_opt PULONG  PreviousSuspendCount
);

NTSYSAPI
NTSTATUS
NTAPI
RtlExitUserThread(
  __in  DWORD  ExitCode
);

typedef enum _THREADINFOCLASS
{
  ThreadBasicInformation,
  ThreadTimes,        // KERNEL_USER_TIMES
  ThreadPriority,
  ThreadBasePriority,      // BASE_PRIORITY_INFORMATION
  ThreadAffinityMask,      // AFFINITY_MASK
  ThreadImpersonationToken,
  ThreadDescriptorTableEntry,
  ThreadEnableAlignmentFaultFixup,
  ThreadEventPair,
  ThreadQuerySetWin32StartAddress,
  ThreadZeroTlsCell,
  ThreadPerformanceCount,
  ThreadAmILastThread,
  ThreadIdealProcessor,
  ThreadPriorityBoost,
  ThreadSetTlsArrayAddress,
  ThreadIsIoPending,      // W2K
  ThreadHideFromDebugger,    // W2K
  MaxThreadInfoClass
} THREADINFOCLASS;

typedef struct _THREAD_BASIC_INFORMATION
{
  NTSTATUS  ExitStatus;
  PTEB      TebBaseAddress;
  CLIENT_ID ClientId;
  KAFFINITY AffinityMask;
  KPRIORITY Priority;
  KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

typedef struct _THREAD_PRIORITY
{
  KPRIORITY  Priority;
} THREAD_PRIORITY, *PTHREAD_PRIORITY;

typedef struct _THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION
{
  ULONG     Selector;
  LDT_ENTRY Descriptor;
} THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION, *PTHREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION;

typedef struct _THREAD_EVENTPAIR
{
  HANDLE  EventPair;
} THREAD_EVENTPAIR, *PTHREAD_EVENTPAIR;

typedef struct _THREAD_WIN32_START_ADDRESS_INFORMATION
{
  PVOID  Win32StartAddress;
} THREAD_WIN32_START_ADDRESS_INFORMATION, *PTHREAD_WIN32_START_ADDRESS_INFORMATION;

typedef struct _THREAD_ZERO_TLSCELL
{
  ULONG  TlsIndex;
} THREAD_ZERO_TLSCELL, *PTHREAD_ZERO_TLSCELL;

typedef struct _THREAD_PERFORMANCE_COUNTER_INFORMATION
{
  ULONG  Count1;
  ULONG  Count2;
} THREAD_PERFORMANCE_COUNTER_INFORMATION, *PTHREAD_PERFORMANCE_COUNTER_INFORMATION;

typedef struct _THREAD_AMI_LAST_THREAD
{
  ULONG  AmILastThread;
} THREAD_AMI_LAST_THREAD, *PTHREAD_AMI_LAST_THREAD;

typedef struct _THREAD_IDEAL_PROCESSOR
{
  ULONG  IdealProcessor;
} THREAD_IDEAL_PROCESSOR, *PTHREAD_IDEAL_PROCESSOR;

typedef struct _THREAD_TLS_ARRAY
{
  PULONG  TlsArray;
} THREAD_TLS_ARRAY, *PTHREAD_TLS_ARRAY;

typedef struct _THREAD_IS_IO_PENDING_INFORMATION
{
  ULONG  IsIOPending;
} THREAD_IS_IO_PENDING_INFORMATION, *PTHREAD_IS_IO_PENDING_INFORMATION;

typedef struct _THREAD_HIDE_FROM_DEBUGGER
{
  ULONG  HideFromDebugger;
} THREAD_HIDE_FROM_DEBUGGER, *PTHREAD_HIDE_FROM_DEBUGGER;

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
  __in  HANDLE      hThread,
  __in  THREADINFOCLASS  ThreadInformationClass,
  __out PVOID       pThreadInformation,
  __in  ULONG       uThreadInformationLength,
  __out_opt PULONG  puReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationThread(
  __in  HANDLE      hThread,
  __in  THREADINFOCLASS  ThreadInformationClass,
  __out PVOID       pThreadInformation,
  __in  ULONG       uthreadInformationLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
  __in  HANDLE      hThread,
  __in  ACCESS_MASK DesiredAccess,
  __in  BOOLEAN     bOpenAsSelf,
  __out PHANDLE     phToken
);

NTSYSAPI
NTSTATUS
NTAPI
NtImpersonateThread(
  __in  HANDLE      ThreadHandle,
  __in  HANDLE      TargetThreadHandle,
  __in  PSECURITY_QUALITY_OF_SERVICE  SecurityQos
);

NTSYSAPI
NTSTATUS
NTAPI
NtGetContextThread(
  __in  HANDLE      ThreadHandle,
  __out PCONTEXT    Context
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetContextThread(
  __in  HANDLE      ThreadHandle,
  __in  PCONTEXT    Context
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueueApcThread(
  __in  HANDLE ThreadHandle,
  __in  PKNORMAL_ROUTINE  ApcRoutine,
  __in_opt  PVOID  ApcContext,
  __in_opt  PVOID  Argument1,
  __in_opt  PVOID  Argument2
);

NTSYSAPI
NTSTATUS
NTAPI
NtImpersonateAnonymousToken(
  __in  HANDLE  hThread
);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateSection(
  __out     PHANDLE             SectionHandle,
  __in      ACCESS_MASK         DesiredAccess,
  __in      POBJECT_ATTRIBUTES  ObjectAttributes,
  __in_opt  PLARGE_INTEGER      SectionSize,
  __in      ULONG               Protect,
  __in      ULONG               Attributes,
  __in      HANDLE              FileHandle
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenSection(
  __out PHANDLE             SectionHandle,
  __in  ACCESS_MASK         DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes
);

typedef enum _SECTION_INFORMATION_CLASS
{
  SectionBasicInformation,
  SectionImageInformation
} SECTION_INFORMATION_CLASS;

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySection(
  __in  HANDLE SectionHandle,
  __in  SECTION_INFORMATION_CLASS SectionInformationClass,
  __out PVOID SectionInformation,
  __in  ULONG SectionInformationLength,
  __out_opt PULONG ResultLength
);

typedef struct _SECTION_BASIC_INFORMATION
{
  PVOID      BaseAddress;
  ULONG      Attributes;
  LARGE_INTEGER  Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION
{
  PVOID     EntryPoint;
  ULONG     Unknown1;
  ULONG     StackReserve;
  ULONG     StackCommit;
  ULONG     Subsystem;
  USHORT    MinorSubsystemVersion;
  USHORT    MajorSubsystemVersion;
  ULONG     Unknown2;
  ULONG     Characteristics;
  USHORT    ImageNumber;
  BOOLEAN   Executable;
  UCHAR     Unknown3;
  ULONG     Unknown4[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
NtExtendSection(
  __in  HANDLE SectionHandle,
  __in  PLARGE_INTEGER SectionSize
);

NTSYSAPI
NTSTATUS
NTAPI
NtUnmapViewOfSection(
  __in  HANDLE  hProcess,
  __in  PVOID  pBaseAddress
);

NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
  __in  HANDLE      hObject,
  __in  BOOL        fAlertable,
  __in  PLARGE_INTEGER  pliTimeout   // NULL = infinite
);

// Object functions
typedef enum _OBJECT_INFORMATION_CLASS
{
  ObjectBasicInformation,             // 0    Y       N
  ObjectNameInformation,              // 1    Y       N
  ObjectTypeInformation,              // 2    Y       N
  ObjectAllTypesInformation,          // 3    Y       N
  ObjectHandleInformation             // 4    Y       Y
} OBJECT_INFORMATION_CLASS;

typedef struct _OBJECT_BASIC_INFORMATION
{
  ULONG      Attributes;
  ACCESS_MASK    GrantedAccess;
  ULONG      HandleCount;
  ULONG      PointerCount;
  ULONG      PagedPoolUsage;
  ULONG      NonPagedPoolUsage;
  ULONG      Reserved[3];
  ULONG      NameInformationLength;
  ULONG      TypeInformationLength;
  ULONG      SecurityDescriptorLength;
  LARGE_INTEGER  CreateTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

typedef struct _OBJECT_NAME_INFORMATION
{
  UNICODE_STRING  Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

typedef struct _OBJECT_TYPE_INFORMATION
{
  UNICODE_STRING  Name;
  ULONG      ObjectCount;
  ULONG      HandleCount;
  ULONG      Reserved1[4];
  ULONG      PeakObjectCount;
  ULONG      PeakHandleCount;
  ULONG      Reserved2[4];
  ULONG      InvalidAttributes;
  GENERIC_MAPPING  GenericMapping;
  ULONG      ValidAccess;
  UCHAR      Unknown;
  BOOLEAN    MaintainHandleDatabase;
  UCHAR      Reserved3[2];
  POOL_TYPE  PoolType;
  ULONG      PagedPoolUsage;
  ULONG      NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_ALL_TYPES_INFORMATION
{
  ULONG          NumberOfTypes;
  OBJECT_TYPE_INFORMATION  TypeInformation;
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;

typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION
{
  BOOLEAN  Inherit;
  BOOLEAN  ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
NtQueryObject(
  __in  HANDLE ObjectHandle,
  __in  OBJECT_INFORMATION_CLASS ObjectInformationClass,
  __out PVOID ObjectInformation,
  __in  ULONG ObjectInformationLength,
  __out_opt PULONG ReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationObject(
  __in  HANDLE ObjectHandle,
  __in  OBJECT_INFORMATION_CLASS ObjectInformationClass,
  __in  PVOID ObjectInformation,
  __in  ULONG ObjectInformationLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtDuplicateObject(
  __in      HANDLE  SourceProcessHandle,
  __in      HANDLE  SourceHandle,
  __in_opt  HANDLE  TargetProcessHandle,
  __out_opt PHANDLE TargetHandle,
  __in      ACCESS_MASK DesiredAccess,
  __in      ULONG   HandleAttributes,
  __in      ULONG   Options
);

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySecurityObject(
  __in  HANDLE FileHandle,
  __in  SECURITY_INFORMATION SecurityInformation,
  __out PSECURITY_DESCRIPTOR SecurityDescriptor,
  __in  ULONG Length,
  __out PULONG ResultLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetSecurityObject(
  __in  HANDLE FileHandle,
  __in  SECURITY_INFORMATION SecurityInformation,
  __in  PSECURITY_DESCRIPTOR SecurityDescriptor
);

// Memory management functions
NTSYSAPI
NTSTATUS
NTAPI
NtAllocateVirtualMemory(
  __in      HANDLE  ProcessHandle,
  __inout   PVOID   *BaseAddress,
  __in      ULONG   ZeroBits,
  __inout   PULONG  AllocationSize,
  __in      ULONG   AllocationType,
  __in      ULONG   Protect
);

typedef enum _MEMORY_INFORMATION_CLASS
{
  MemoryBasicInformation,
  MemoryWorkingSetList,
  MemorySectionName,
  MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;

NTSYSAPI
NTSTATUS
NTAPI
NtQueryVirtualMemory(
  __in  HANDLE ProcessHandle,
  __in  PVOID BaseAddress,
  __in  MEMORY_INFORMATION_CLASS MemoryInformationClass,
  __out PVOID MemoryInformation,
  __in  ULONG MemoryInformationLength,
  __out PULONG ReturnLength OPTIONAL
);

NTSYSAPI NTSTATUS NTAPI LdrUnloadDll(IN HANDLE ModuleHandl);

/* Defined in Winnt.h
typedef struct _MEMORY_BASIC_INFORMATION
{
  PVOID  BaseAddress;
  PVOID  AllocationBase;
  ULONG  AllocationProtect;
  ULONG  RegionSize;
  ULONG  State;
  ULONG  Protect;
  ULONG  Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
*/

typedef struct _MEMORY_WORKING_SET_LIST
{
  ULONG  NumberOfPages;
  ULONG  WorkingSetList[1];
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;

typedef struct _WORKING_SET_LIST{
  ULONG_PTR Protection : 5;
  ULONG_PTR ShareCount : 3;
  ULONG_PTR Shared : 1;
  ULONG_PTR Reserved : 3;
  ULONG_PTR VirtualPage : 20;
} WORKING_SET_LIST, *PWORKING_SET_LIST;

typedef struct _MEMORY_SECTION_NAME
{
  UNICODE_STRING  SectionFileName;
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;

NTSYSAPI
NTSTATUS
NTAPI
NtReadVirtualMemory(
  __in  HANDLE ProcessHandle,
  __in  PVOID BaseAddress,
  __out PVOID Buffer,
  __in  ULONG BufferLength,
  __out PULONG ReturnLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
NtWriteVirtualMemory(
  __in  HANDLE ProcessHandle,
  __in  PVOID BaseAddress,
  __in  PVOID Buffer,
  __in  ULONG BufferLength,
  __out PULONG ReturnLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
NtProtectVirtualMemory(
  __in      HANDLE  ProcessHandle,
  __inout   PVOID   *BaseAddress,
  __inout   PULONG  ProtectSize,
  __in      ULONG   NewProtect,
  __out     PULONG  OldProtect
);

NTSYSAPI
NTSTATUS
NTAPI
NtFlushVirtualMemory(
  __in      HANDLE  ProcessHandle,
  __inout   PVOID   *BaseAddress,
  __inout   PULONG  FlushSize,
  __out     PIO_STATUS_BLOCK IoStatusBlock
);

// Ldr Functions
NTSYSAPI
NTSTATUS
NTAPI
LdrDisableThreadCalloutsForDll(
  __in  HANDLE hModule
);

NTSYSAPI
NTSTATUS
NTAPI
LdrGetDllHandle(
  __in  PWORD pwPath OPTIONAL,
  __in  PVOID Unused OPTIONAL,
  __in  PUNICODE_STRING ModuleFileName,
  __out PHANDLE pHModule
);

NTSYSAPI
NTSTATUS
NTAPI
LdrGetProcedureAddress(
  __in  HMODULE ModuleHandle,
  __in  PANSI_STRING FunctionName OPTIONAL,
  __in  WORD Oridinal OPTIONAL,
  __out PVOID *FunctionAddress
);

NTSYSAPI
NTSTATUS
NTAPI
LdrLoadDll(
  __in  PWCHAR PathToFile OPTIONAL,
  __in  ULONG Flags OPTIONAL,
  __in  PUNICODE_STRING ModuleFileName,
  __out PHANDLE ModuleHandle
 );

// Modified from ntdef.h
#ifdef __cplusplus
extern "C++" {
  char _RTL_CONSTANT_STRING_type_check(const char *s);
  char _RTL_CONSTANT_STRING_type_check(const WCHAR *s);
  // __typeof would be desirable here instead of sizeof.
  template <size_t N> class _RTL_CONSTANT_STRING_remove_const_template_class;
  template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(char)>  {public: typedef  char T; };
  template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(WCHAR)> {public: typedef WCHAR T; };
  #define _RTL_CONSTANT_STRING_remove_const_macro(s) \
    (const_cast<_RTL_CONSTANT_STRING_remove_const_template_class<sizeof((s)[0])>::T*>(s))
} // extern "C++"
#else
  char _RTL_CONSTANT_STRING_type_check(const void *s);
  #define _RTL_CONSTANT_STRING_remove_const_macro(s) (s)
#endif // __cplusplus
#define RTL_CONSTANT_STRING(s) \
  { \
    sizeof( s ) - sizeof( (s)[0] ), \
    sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
    _RTL_CONSTANT_STRING_remove_const_macro(s) \
  }

// Rtl String Functions
NTSYSAPI
VOID
NTAPI
RtlInitUnicodeString (
  __out PUNICODE_STRING DestinationString,
  __in  PCWSTR SourceString
);

NTSYSAPI
VOID
NTAPI
RtlCreateUnicodeString(
  __out PUNICODE_STRING AllocatedString,
  __in  PCWSTR SourceString
);

NTSYSAPI
VOID
NTAPI
RtlFreeUnicodeString(
  __in  PUNICODE_STRING UnicodeString
);

NTSYSAPI
ULONG
NTAPI
RtlAnsiStringToUnicodeSize(
  __in  PANSI_STRING AnsiString
);

NTSYSAPI
NTSTATUS
NTAPI
RtlAnsiStringToUnicodeString(
  __out PUNICODE_STRING DestinationString,
  __in  PANSI_STRING SourceString,
  __in  BOOLEAN AllocateDestinationString
);

NTSYSAPI
NTSTATUS
NTAPI
RtlAppendUnicodeStringToString(
  __out PUNICODE_STRING Destination,
  __in  PUNICODE_STRING Source
);

NTSYSAPI
NTSTATUS
NTAPI
RtlAppendUnicodeToString(
  __out PUNICODE_STRING Destination,
  __in  PWSTR Source
);

NTSYSAPI
LONG
NTAPI
RtlCompareUnicodeString(
  __in  PUNICODE_STRING String1,
  __in  PUNICODE_STRING String2,
  __in  BOOLEAN CaseInSensitive
);

NTSYSAPI
VOID
NTAPI
RtlCopyUnicodeString(
  __out PUNICODE_STRING DestinationString,
  __in  PUNICODE_STRING SourceString
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDowncaseUnicodeString(
  __out PUNICODE_STRING DestinationString,
  __in  PUNICODE_STRING SourceString,
  __in  BOOLEAN AllocateDestinationString
);

NTSYSAPI
BOOLEAN
NTAPI
RtlEqualUnicodeString(
  __in  PUNICODE_STRING String1,
  __in  PUNICODE_STRING String2,
  __in  BOOLEAN CaseInSensitive
);

NTSYSAPI
NTSTATUS
NTAPI
RtlIntegerToUnicodeString(
  __in  ULONG Value,
  __in  ULONG Base,
  __out PUNICODE_STRING String
);

NTSYSAPI
NTSTATUS
NTAPI
RtlUnicodeStringToInteger(
  __in  PUNICODE_STRING String,
  __in  ULONG Base,
  __out PULONG Value
);

NTSYSAPI
NTSTATUS
NTAPI
RtlOemStringToUnicodeString(
  __out PUNICODE_STRING DestinationString,
  __in  POEM_STRING SourceString,
  __in  BOOLEAN AllocateDestinationString
);

NTSYSAPI
BOOLEAN
NTAPI
RtlPrefixUnicodeString(
  __in  PUNICODE_STRING String1,
  __in  PUNICODE_STRING String2,
  __in  BOOLEAN CaseInSensitive
);

NTSYSAPI
WCHAR
NTAPI
RtlUpcaseUnicodeChar(
  __in  WCHAR SourceCharacter
);

NTSYSAPI
NTSTATUS
NTAPI
RtlUpcaseUnicodeString(
  __out PUNICODE_STRING DestinationString,
  __in  PUNICODE_STRING SourceString,
  __in  BOOLEAN AllocateDestinationString
);

NTSYSAPI
ULONG
NTAPI
RtlxAnsiStringToUnicodeSize(
  __in  PANSI_STRING AnsiString
);

NTSYSAPI
ULONG
NTAPI
RtlxOemStringToUnicodeSize(
  __in  POEM_STRING OemString
);

// Rtl Misc Operations
NTSYSAPI
NTSTATUS
NTAPI
NtReplyPort(
  __in  HANDLE  hPort,
  __out PVOID  pReply
);

NTSYSAPI
NTSTATUS
NTAPI
NtClose(
  __in  HANDLE  hObject
);

NTSYSAPI
ULONG
NTAPI
RtlNtStatusToDosError(
  NTSTATUS  status
);

NTSYSAPI
UINT
NTAPI
RtlGetLongestNtPathLength();

NTSYSAPI
UINT
NTAPI
RtlDetermineDosPathNameType_U(
  __in  PWSTR  Path
);

NTSYSAPI
UINT
NTAPI
RtlIsDosDeviceName_U(
  __in  PWSTR  Path
);

NTSYSAPI
BOOLEAN
NTAPI
RtlDosPathNameToNtPathName_U(
  __in  PCWSTR      DosName,
  __out PUNICODE_STRING  NtName,
  __out PCWSTR      *DosFilePath OPTIONAL,
  __out PUNICODE_STRING  NtFilePath OPTIONAL
);

// Rtl Large Integer Operations

#define RtlLargeIntegerLessThanZero($a)  (($a).HighPart < 0)
#define Li2Double(x)          ((double)((x).HighPart) * 4.294967296E9 + (double)((x).LowPart))

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlEnlargedIntegerMultiply(
  __in  LONG lMultiplicand,
  __in  LONG lMultiplier
);

NTSYSAPI
ULONG
NTAPI
RtlEnlargedUnsignedDivide(
  __in  LARGE_INTEGER  liDividend,
  __in  ULONG      uDivisor,
  __out PULONG      puRemainder OPTIONAL
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlEnlargedUnsignedMultiply(
  __in  ULONG  uMultiplicand,
  __in  ULONG  uMultiplier
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlExtendedIntegerMultiply(
  __in  LARGE_INTEGER  liMultiplicand,
  __in  LONG        lMultiplier
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlExtendedLargeIntegerDivide(
  __in  LARGE_INTEGER  liDividend,
  __in  ULONG      uDivisor,
  __out PULONG      puRemainder OPTIONAL
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlLargeIntegerAdd(
  __in  LARGE_INTEGER  liAddend1,
  __in  LARGE_INTEGER  liAddend2
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlLargeIntegerDivide(
  __in  LARGE_INTEGER  liDividend,
  __in  LARGE_INTEGER  liDivisor,
  __out PLARGE_INTEGER  pliRemainder OPTIONAL
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlLargeIntegerNegate(
  __in  LARGE_INTEGER  liSubtrahend
);

NTSYSAPI
LARGE_INTEGER
NTAPI
RtlLargeIntegerSubtract(
  __in  LARGE_INTEGER  liMinuend,
  __in  LARGE_INTEGER  liSubtrahend
);

// Debug Functions
typedef struct _DEBUG_BUFFER
{
  HANDLE    SectionHandle;
  PVOID     SectionBase;
  PVOID     RemoteSectionBase;
  ULONG     SectionBaseDelta;
  HANDLE    EventPairHandle;
  ULONG     Unknown[2];
  HANDLE    RemoteThreadHandle;
  ULONG     InfoClassMask;
  ULONG     SizeOfInfo;
  ULONG     AllocatedSize;
  ULONG     SectionSize;
  PVOID     ModuleInformation;
  PVOID     BackTraceInformation;
  PVOID     HeapInformation;
  PVOID     LockInformation;
  PVOID     Reserved[8];
} DEBUG_BUFFER, *PDEBUG_BUFFER;

#define PDI_MODULES    0x01
#define PDI_BACKTRACE  0x02
#define PDI_HEAPS    0x04
#define PDI_HEAP_TAGS  0x08
#define PDI_HEAP_BLOCKS  0x10
#define PDI_LOCKS    0x20

typedef struct _DEBUG_MODULE_INFORMATION // c.f. SYSTEM_MODULE_INFORMATION
{
  ULONG     Reserved[2];
  ULONG     Base;
  ULONG     Size;
  ULONG     Flags;
  USHORT    Index;
  USHORT    Unknown;
  USHORT    LoadCount;
  USHORT    ModuleNameOffset;
  CHAR      ImageName[256];
} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION;

typedef struct _DEBUG_HEAP_INFORMATION
{
  ULONG     Base;
  ULONG     Flags;
  USHORT    Granularity;
  USHORT    Unknown;
  ULONG     Allocated;
  ULONG     Committed;
  ULONG     TagCount;
  ULONG     BlockCount;
  ULONG     Reserved[7];
  PVOID     Tags;
  PVOID     Blocks;
} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION;

typedef struct _DEBUG_LOCK_INFORMATION // c.f. SYSTEM_LOCK_INFORMATION
{
  PVOID     Address;
  USHORT    Type;
  USHORT    CreatorBackTraceIndex;
  ULONG     OwnerThreadId;
  ULONG     ActiveCount;
  ULONG     ContentionCount;
  ULONG     EntryCount;
  ULONG     RecursionCount;
  ULONG     NumberOfSharedWaiters;
  ULONG     NumberOfExclusiveWaiters;
} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION;


NTSYSAPI
PDEBUG_BUFFER
NTAPI
RtlCreateQueryDebugBuffer(
  __in  ULONG Size,
  __in  BOOLEAN EventPair
);

NTSYSAPI
NTSTATUS
NTAPI
RtlQueryProcessDebugInformation(
  __in      ULONG   ProcessId,
  __in      ULONG   DebugInfoClassMask,
  __inout   PDEBUG_BUFFER DebugBuffer
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDestroyQueryDebugBuffer(
  __in  PDEBUG_BUFFER DebugBuffer
);

NTSYSAPI
NTSTATUS
NTAPI
NtLoadDriver(
  // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
  __in  PUNICODE_STRING RegistryPath
);

NTSYSAPI
NTSTATUS
NTAPI
NtFlushInstructionCache(
  __in  HANDLE ProcessHandle,
  __in  PVOID  BaseAddress,
  __in  ULONG  NumberOfBytesToFlush
);

NTSYSAPI
NTSTATUS
NTAPI
NtProtectVirtualMemory(
  __in      HANDLE  ProcessHandle,
  __inout   PVOID  *BaseAddress,
  __inout   PULONG  NumberOfBytesToProtect,
  __in      ULONG   NewAccessProtection,
  __out     PULONG  OldAccessProtection
);

NTSYSAPI
NTSTATUS
NTAPI
NtFreeVirtualMemory(
  __in      HANDLE  ProcessHandle,
  __in      PVOID   *BaseAddress,
  __inout   PULONG  RegionSize,
  __in      ULONG   FreeType
);

NTSYSAPI
NTSTATUS
NTAPI
NtUnloadDriver(
  // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
  __in  PUNICODE_STRING RegistryPath
);

NTSYSAPI
NTSTATUS
NTAPI
RtlAdjustPrivilege(
  __in  ULONG   Privilege,
  __in  BOOLEAN NewValue,
  __in  BOOLEAN ForThread,
  __out PBOOLEAN OldValue
);

/*typedef struct _RTL_OSVERSIONINFOW
{
  ULONG dwOSVersionInfoSize;
  ULONG dwMajorVersion;
  ULONG dwMinorVersion;
  ULONG dwBuildNumber;
  ULONG dwPlatformId;
  WCHAR  szCSDVersion[128];     // Maintenance string for PSS usage
} RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;*/

NTSYSAPI
NTSTATUS
NTAPI
RtlGetVersion(
  __inout   PRTL_OSVERSIONINFOW  lpVersionInformation
);
NTSYSAPI
void
NTAPI
RtlFreeAnsiString(PANSI_STRING AnsiString);

NTSYSAPI
NTSTATUS
NTAPI
RtlRunDecodeUnicodeString(BYTE bHash,PUNICODE_STRING uString);

// - Extra -

typedef struct _TDI_CONNECTION_INFORMATION {
  LONG      UserDataLength;
  PVOID     UserData;
  LONG      OptionsLength;
  PVOID     Options;
  LONG      RemoteAddressLength;
  PVOID     RemoteAddress;
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;

typedef struct _TDI_CONNECTION_INFO {
  ULONG     State;
  ULONG     Event;
  ULONG     TransmittedTsdus;
  ULONG     ReceivedTsdus;
  ULONG     TransmissionErrors;
  ULONG     ReceiveErrors;
  LARGE_INTEGER  Throughput;
  LARGE_INTEGER  Delay;
  ULONG     SendBufferSize;
  ULONG     ReceiveBufferSize;
  BOOLEAN   Unreliable;
} TDI_CONNECTION_INFO, *PTDI_CONNECTION_INFO;

typedef enum _KEY_INFORMATION_CLASS {
  KeyBasicInformation,
  KeyNodeInformation,
  KeyFullInformation
} KEY_INFORMATION_CLASS;

typedef struct _KEY_BASIC_INFORMATION {
  LARGE_INTEGER LastWriteTime;
  ULONG         TitleIndex;
  ULONG         NameLength;
  WCHAR         Name[1];
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;

typedef struct _KEY_NODE_INFORMATION
{
  LARGE_INTEGER LastWriteTime;
  ULONG         TitleIndex;
  ULONG         ClassOffset;
  ULONG         ClassLength;
  ULONG         NameLength;
  WCHAR         Name[1];
   /* Class[1]; */
} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;

typedef struct _KEY_FULL_INFORMATION
{
  LARGE_INTEGER LastWriteTime;
  ULONG         TitleIndex;
  ULONG         ClassOffset;
  ULONG         ClassLength;
  ULONG         SubKeys;
  ULONG         MaxNameLen;
  ULONG         MaxClassLen;
  ULONG         Values;
  ULONG         MaxValueNameLen;
  ULONG         MaxValueDataLen;
  WCHAR         Class[1];
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;

typedef enum _KEY_VALUE_INFORMATION_CLASS {
  KeyValueBasicInformation,
  KeyValueFullInformation,
  KeyValuePartialInformation,
  KeyValueFullInformationAlign64,
  KeyValuePartialInformationAlign64
} KEY_VALUE_INFORMATION_CLASS;

typedef struct _KEY_VALUE_BASIC_INFORMATION {
  ULONG TitleIndex;
  ULONG Type;
  ULONG NameLength;
  WCHAR Name[1];
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;

typedef struct _KEY_VALUE_FULL_INFORMATION {
  ULONG TitleIndex;
  ULONG Type;
  ULONG DataOffset;
  ULONG DataLength;
  ULONG NameLength;
  WCHAR Name[1];
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;

typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
  ULONG TitleIndex;
  ULONG Type;
  ULONG DataLength;
  UCHAR Data[1];
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;


NTSYSAPI
NTSTATUS
NTAPI
NtOpenKey(
  __out PHANDLE   KeyHandle,
  __in  ACCESS_MASK  DesiredAccess,
  __in  POBJECT_ATTRIBUTES  ObjectAttributes
);

NTSYSAPI
void
NTAPI
RtlInitAnsiString(
  __out ANSI_STRING* DestinationString,
  __in  CHAR* SourceString
);

NTSYSAPI
NTSTATUS
NTAPI
NtWriteFile(
  __in  HANDLE     FileHandle,
  __in  HANDLE     Event  OPTIONAL,
  __in  PIO_APC_ROUTINE    ApcRoutine OPTIONAL,
  __in  PVOID  ApcContext  OPTIONAL,
  __out PIO_STATUS_BLOCK  IoStatusBlock,
  __in  PVOID      Buffer,
  __in  ULONG      Length,
  __in  PLARGE_INTEGER  ByteOffset OPTIONAL,
  __in  PULONG  Key  OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
NtReadFile(
  __in  HANDLE               FileHandle,
  __in  HANDLE               Event OPTIONAL,
  __in  PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
  __in  PVOID                ApcContext OPTIONAL,
  __out PIO_STATUS_BLOCK    IoStatusBlock,
  __out PVOID               Buffer,
  __in  ULONG                Length,
  __in  PLARGE_INTEGER       ByteOffset OPTIONAL,
  __in  PULONG               Key OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
DbgPrint(
  __in  LPCSTR Format,
  ...
);

NTSYSAPI
NTSTATUS
NTAPI
NtGetContextThread(
  __in  HANDLE ThreadHandle,
  __out PCONTEXT pContext
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetContextThread(
  __in  HANDLE ThreadHandle,
  __in  PCONTEXT Context
);

NTSYSAPI
NTSTATUS
NTAPI
NtAlertThread(
  __in  HANDLE ThreadHandle
);

NTSYSAPI
NTSTATUS
NTAPI
RtlInitializeCriticalSection(
  __in  PCRITICAL_SECTION CriticalSection
);

NTSYSAPI
NTSTATUS
NTAPI
RtlEnterCriticalSection(
  __in  PCRITICAL_SECTION CriticalSection
);

NTSYSAPI
NTSTATUS
NTAPI
RtlLeaveCriticalSection(
  __in  PCRITICAL_SECTION CriticalSection
);

NTSYSAPI
NTSTATUS
NTAPI
NtDelayExecution(
  __in  BOOLEAN              Alertable,
  __in  PLARGE_INTEGER       DelayInterval
);

NTSYSAPI
NTSTATUS
NTAPI
NtYieldExecution();

NTSYSAPI
ULONG
NTAPI
NtGetTickCount(void);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryPerformanceCounter(
  __out PLARGE_INTEGER      PerformanceCounter,
  __out PLARGE_INTEGER      PerformanceFrequency OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryDirectoryFile(
  __in  HANDLE                 FileHandle,
  __in  HANDLE                 Event OPTIONAL,
  __in  PIO_APC_ROUTINE        ApcRoutine OPTIONAL,
  __in  PVOID                  ApcContext OPTIONAL,
  __out PIO_STATUS_BLOCK      IoStatusBlock,
  __out PVOID                 FileInformation,
  __in  ULONG                  Length,
  __in  FILE_INFORMATION_CLASS FileInformationClass,
  __in  BOOLEAN                ReturnSingleEntry,
  __in  PUNICODE_STRING        FileMask OPTIONAL,
  __in  BOOLEAN                RestartScan
);

NTSYSAPI
NTSTATUS
NTAPI
NtVdmControl(
  __in  ULONG ControlCode,
  __in  PVOID ControlData
);

#define KEY_QUERY_VALUE (0x0001)

NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateKey(
  __in  HANDLE KeyHandle,
  __in  ULONG Index,
  __in  KEY_INFORMATION_CLASS KeyInformationClass,
  __out PVOID KeyInformation,
  __in  ULONG KeyInformationLength,
  __out PULONG ResultLength
);

NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateValueKey(
  __in  HANDLE KeyHandle,
  __in  ULONG Index,
  __in  KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
  __out PVOID KeyValueInformation,
  __in  ULONG KeyValueInformationLength,
  __out PULONG ResultLength
);

BOOL
WINAPI
EnumServiceGroupW(
  SC_HANDLE hSCManager,
  DWORD     dwServiceType,
  DWORD     dwServiceState,
  LPBYTE    lpServices,
  DWORD     cbBufSize,
  LPDWORD   pcbBytesNeeded,
  LPDWORD   lpServicesReturned,
  LPDWORD   lpResumeHandle,
  DWORD dwUnknown
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryKey(
  __in  HANDLE                 KeyHandle,
  __in  KEY_INFORMATION_CLASS  KeyInformationClass,
  __out PVOID                 KeyInformation,
  __in  ULONG                  Length,
  __out PULONG                ResultLength );

typedef enum _SECTION_INHERIT {
   ViewShare = 1,
   ViewUnmap = 2
} SECTION_INHERIT;

NTSYSAPI
NTSTATUS
NTAPI
NtMapViewOfSection(
  __in  HANDLE              SectionHandle,
  __in  HANDLE              ProcessHandle,
  __inout PVOID            *BaseAddress,
  __in  ULONG               ZeroBits OPTIONAL,
  __in  ULONG               CommitSize,
  __inout PLARGE_INTEGER    SectionOffset,
  __inout PULONG            ViewSize,
  __in  SECTION_INHERIT     InheritDisposition,
  __in  ULONG               AllocationType,
  __in  ULONG               Protect
);

typedef struct _LDR_RESOURCE_INFO
{
   ULONG Type;
   ULONG Name;
   ULONG Language;
} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;

NTSYSAPI
NTSTATUS
NTAPI
LdrFindResourceDirectory_U(
  HMODULE               hModule,
  LDR_RESOURCE_INFO*    pResInfo,
  ULONG                 ulNrOfItems,
  IMAGE_RESOURCE_DIRECTORY**  pResDir
);

NTSYSAPI
NTSTATUS
NTAPI
LdrFindResource_U(
  HMODULE               hModule,
  LDR_RESOURCE_INFO*    pResInfo,
  ULONG                 ulNrOfItems,
  IMAGE_RESOURCE_DATA_ENTRY**    pResDataDir
);

NTSYSAPI
NTSTATUS
NTAPI
LdrAccessResource(
  HMODULE               hModule,
  IMAGE_RESOURCE_DATA_ENTRY*  pResDataEntry,
  void **               pData,
  PULONG                pulOptional
 );

NTSYSAPI
NTSTATUS
NTAPI
NtSaveKey(
  HANDLE               KeyHandle,
  HANDLE               FileHandle
);

NTSYSAPI
NTSTATUS
NTAPI
NtSaveMergedKeys(
  __in  HANDLE KeyHandle1,
  __in  HANDLE KeyHandle2,
  __in  HANDLE FileHandle
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcessToken (
  __in        HANDLE ProcessHandle,
  __in        DWORD DesiredAccess,
  __deref_out PHANDLE TokenHandle
);

NTSYSAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
  __in      HANDLE TokenHandle,
  __in      BOOL DisableAllPrivileges,
  __in_opt  PTOKEN_PRIVILEGES NewState,
  __in      DWORD BufferLength,
  __out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
  __out_opt PDWORD ReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
RtlCreateSecurityDescriptor (
  __out PSECURITY_DESCRIPTOR pSecurityDescriptor,
  __in  DWORD dwRevision
);

NTSYSAPI
NTSTATUS
NTAPI
RtlSetDaclSecurityDescriptor (
  __inout  PSECURITY_DESCRIPTOR pSecurityDescriptor,
  __in     BOOL bDaclPresent,
  __in_opt PACL pDacl,
  __in     BOOL bDaclDefaulted
);

NTSYSAPI
HANDLE
NTAPI
RtlCreateHeap (
  __in  DWORD flag,
  __in  DWORD v1,
  __in  DWORD v2,
  __in  DWORD v3,
  __in  DWORD v4,
  __in  DWORD v5
);

NTSYSAPI
NTSTATUS
NTAPI RtlSetHeapInformation(
  __in          HANDLE HeapHandle,
  __in          HEAP_INFORMATION_CLASS HeapInformationClass,
  __in          PVOID HeapInformation,
  __in          SIZE_T HeapInformationLength
);

NTSYSAPI
LPVOID
NTAPI
RtlAllocateHeap(
  __in  HANDLE hHeap,
  __in  DWORD dwFlags,
  __in  SIZE_T dwBytes
);

NTSYSAPI
BOOL
NTAPI
RtlFreeHeap(
  __in  HANDLE   hHeap,
  __in  DWORD    dwFlags,
  __in  LPVOID   lpMem
);

NTSYSAPI
NTSTATUS
NTAPI
RtlDestroyHeap (
  __in  HANDLE hHeap
);

#ifdef __cplusplus
} // extern "C"
#endif // __cplusplus

#endif // NTDLL_H