forked from Public-Mirror/Textractor
4341 lines
110 KiB
C++
4341 lines
110 KiB
C++
//#pragma once
|
|
#ifndef NTDLL_H
|
|
#define NTDLL_H
|
|
|
|
// ntdll.h 10/14/2011
|
|
|
|
/* Artikash 7/13/2018: WHERE THE FUCK DID THIS FILE COME FROM?
|
|
Redefines a bunch of stuff in the standard windows headers (especially winnt.h) but has additional information that isn't documented anywhere else I can find.
|
|
It's like someone stole this file from Microsoft's internal database of windows source code?? */
|
|
|
|
#include <windows.h>
|
|
|
|
#ifdef _MSC_VER
|
|
# pragma warning(disable:4005) // C4005: macro redefinition
|
|
# pragma warning(disable:4200) // C4200: nonstandard extension used : zero-sized array in struct/union
|
|
# pragma warning(disable:4010) // C4010: single-line comment contains line-continuation character
|
|
# pragma warning(disable:4996) // C4996: unsafe function or variable used such as swprintf, wcscpy; alternatively use __CRT_SECURE_NO_WARNINGS
|
|
#endif // _MSC_VER
|
|
|
|
#define NT_INCLUDED
|
|
#define _NTDEF_
|
|
#define _CTYPE_DISABLE_MACROS
|
|
|
|
// Remove official macros from WSDK
|
|
#undef STATUS_WAIT_0
|
|
#undef STATUS_ABANDONED_WAIT_0
|
|
#undef STATUS_USER_APC
|
|
#undef STATUS_TIMEOUT
|
|
#undef STATUS_PENDING
|
|
#undef DBG_CONTINUE
|
|
#undef STATUS_SEGMENT_NOTIFICATION
|
|
#undef DBG_TERMINATE_THREAD
|
|
#undef DBG_TERMINATE_PROCESS
|
|
#undef DBG_CONTROL_C
|
|
#undef DBG_CONTROL_BREAK
|
|
#undef STATUS_GUARD_PAGE_VIOLATION
|
|
#undef STATUS_DATATYPE_MISALIGNMENT
|
|
#undef STATUS_BREAKPOINT
|
|
#undef STATUS_SINGLE_STEP
|
|
#undef DBG_EXCEPTION_NOT_HANDLED
|
|
#undef STATUS_ACCESS_VIOLATION
|
|
#undef STATUS_IN_PAGE_ERROR
|
|
#undef STATUS_INVALID_HANDLE
|
|
#undef STATUS_NO_MEMORY
|
|
#undef STATUS_ILLEGAL_INSTRUCTION
|
|
#undef STATUS_NONCONTINUABLE_EXCEPTION
|
|
#undef STATUS_INVALID_DISPOSITION
|
|
#undef STATUS_ARRAY_BOUNDS_EXCEEDED
|
|
#undef STATUS_FLOAT_DENORMAL_OPERAND
|
|
#undef STATUS_FLOAT_DIVIDE_BY_ZERO
|
|
#undef STATUS_FLOAT_INEXACT_RESULT
|
|
#undef STATUS_FLOAT_INVALID_OPERATION
|
|
#undef STATUS_FLOAT_OVERFLOW
|
|
#undef STATUS_FLOAT_STACK_CHECK
|
|
#undef STATUS_FLOAT_UNDERFLOW
|
|
#undef STATUS_INTEGER_DIVIDE_BY_ZERO
|
|
#undef STATUS_INTEGER_OVERFLOW
|
|
#undef STATUS_PRIVILEGED_INSTRUCTION
|
|
#undef STATUS_STACK_OVERFLOW
|
|
#undef STATUS_CONTROL_C_EXIT
|
|
#undef STATUS_FLOAT_MULTIPLE_FAULTS
|
|
#undef STATUS_FLOAT_MULTIPLE_TRAPS
|
|
#undef STATUS_ILLEGAL_VLM_REFERENCE
|
|
#undef STATUS_REG_NAT_CONSUMPTION
|
|
#undef DBG_EXCEPTION_HANDLED
|
|
|
|
#include <ntstatus.h>
|
|
|
|
#if (_MSC_VER >= 800) || defined(_STDCALL_SUPPORTED)
|
|
# define NTAPI __stdcall
|
|
#else
|
|
# define _cdecl
|
|
# define NTAPI
|
|
#endif // STDCALL
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif // __cplusplus
|
|
|
|
// - Macros -
|
|
|
|
#define MAXIMUM_FILENAME_LENGTH 256
|
|
#define PORT_MAXIMUM_MESSAGE_LENGTH 256
|
|
#define INITIAL_PRIVILEGE_COUNT 3
|
|
|
|
#define FSCTL_GET_VOLUME_INFORMATION 0x90064
|
|
|
|
// Constants for RtlDetermineDosPathNameType_U
|
|
#define DOS_PATHTYPE_UNC 0x00000001 // \\COMPUTER1
|
|
#define DOS_PATHTYPE_ROOTDRIVE 0x00000002 // C:\
|
|
#define DOS_PATHTYPE_STREAM 0x00000003 // X:X or C:
|
|
#define DOS_PATHTYPE_NT 0x00000004 // \\??\\C:
|
|
#define DOS_PATHTYPE_NAME 0x00000005 // C
|
|
#define DOS_PATHTYPE_DEVICE 0x00000006 // \\.\C:
|
|
#define DOS_PATHTYPE_LOCALUNCROOT 0x00000007 // \\.
|
|
|
|
// Define the various device characteristics flags
|
|
#define FILE_REMOVABLE_MEDIA 0x00000001
|
|
#define FILE_READ_ONLY_DEVICE 0x00000002
|
|
#define FILE_FLOPPY_DISKETTE 0x00000004
|
|
#define FILE_WRITE_ONCE_MEDIA 0x00000008
|
|
#define FILE_REMOTE_DEVICE 0x00000010
|
|
#define FILE_DEVICE_IS_MOUNTED 0x00000020
|
|
#define FILE_VIRTUAL_VOLUME 0x00000040
|
|
#define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080
|
|
#define FILE_DEVICE_SECURE_OPEN 0x00000100
|
|
|
|
#define FILE_SUPERSEDE 0x00000000
|
|
#define FILE_OPEN 0x00000001
|
|
#define FILE_CREATE 0x00000002
|
|
#define FILE_OPEN_IF 0x00000003
|
|
#define FILE_OVERWRITE 0x00000004
|
|
#define FILE_OVERWRITE_IF 0x00000005
|
|
#define FILE_MAXIMUM_DISPOSITION 0x00000005
|
|
|
|
#define FILE_DIRECTORY_FILE 0x00000001
|
|
#define FILE_WRITE_THROUGH 0x00000002
|
|
#define FILE_SEQUENTIAL_ONLY 0x00000004
|
|
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
|
|
|
|
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
|
|
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
|
|
#define FILE_NON_DIRECTORY_FILE 0x00000040
|
|
#define FILE_CREATE_TREE_CONNECTION 0x00000080
|
|
|
|
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
|
|
#define FILE_NO_EA_KNOWLEDGE 0x00000200
|
|
#define FILE_OPEN_FOR_RECOVERY 0x00000400
|
|
#define FILE_RANDOM_ACCESS 0x00000800
|
|
|
|
#define FILE_DELETE_ON_CLOSE 0x00001000
|
|
#define FILE_OPEN_BY_FILE_ID 0x00002000
|
|
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
|
|
#define FILE_NO_COMPRESSION 0x00008000
|
|
|
|
#define FILE_RESERVE_OPFILTER 0x00100000
|
|
#define FILE_OPEN_REPARSE_POINT 0x00200000
|
|
#define FILE_OPEN_NO_RECALL 0x00400000
|
|
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
|
|
|
|
#define FILE_COPY_STRUCTURED_STORAGE 0x00000041
|
|
#define FILE_STRUCTURED_STORAGE 0x00000441
|
|
|
|
#define FILE_VALID_OPTION_FLAGS 0x00ffffff
|
|
#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
|
|
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
|
|
#define FILE_VALID_SET_FLAGS 0x00000036
|
|
|
|
// Thread states
|
|
#define THREAD_STATE_INITIALIZED 0
|
|
#define THREAD_STATE_READY 1
|
|
#define THREAD_STATE_RUNNING 2
|
|
#define THREAD_STATE_STANDBY 3
|
|
#define THREAD_STATE_TERMINATED 4
|
|
#define THREAD_STATE_WAIT 5
|
|
#define THREAD_STATE_TRANSITION 6
|
|
#define THREAD_STATE_UNKNOWN 7
|
|
|
|
// Object types
|
|
#define OB_TYPE_TYPE 1
|
|
#define OB_TYPE_DIRECTORY 2
|
|
#define OB_TYPE_SYMBOLIC_LINK 3
|
|
#define OB_TYPE_TOKEN 4
|
|
#define OB_TYPE_PROCESS 5
|
|
#define OB_TYPE_THREAD 6
|
|
#define OB_TYPE_EVENT 7
|
|
#define OB_TYPE_EVENT_PAIR 8
|
|
#define OB_TYPE_MUTANT 9
|
|
#define OB_TYPE_SEMAPHORE 10
|
|
#define OB_TYPE_TIMER 11
|
|
#define OB_TYPE_PROFILE 12
|
|
#define OB_TYPE_WINDOW_STATION 13
|
|
#define OB_TYPE_DESKTOP 14
|
|
#define OB_TYPE_SECTION 15
|
|
#define OB_TYPE_KEY 16
|
|
#define OB_TYPE_PORT 17
|
|
#define OB_TYPE_ADAPTER 18
|
|
#define OB_TYPE_CONTROLLER 19
|
|
#define OB_TYPE_DEVICE 20
|
|
#define OB_TYPE_DRIVER 21
|
|
#define OB_TYPE_IO_COMPLETION 22
|
|
#define OB_TYPE_FILE 23
|
|
|
|
#define OBJ_INHERIT 0x00000002
|
|
#define OBJ_PERMANENT 0x00000010
|
|
#define OBJ_EXCLUSIVE 0x00000020
|
|
#define OBJ_CASE_INSENSITIVE 0x00000040
|
|
#define OBJ_OPENIF 0x00000080
|
|
#define OBJ_OPENLINK 0x00000100
|
|
#define OBJ_VALID_ATTRIBUTES 0x000001F2
|
|
|
|
// Object Manager Directory Specific Access Rights.
|
|
#define DIRECTORY_QUERY 0x0001
|
|
#define DIRECTORY_TRAVERSE 0x0002
|
|
#define DIRECTORY_CREATE_OBJECT 0x0004
|
|
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
|
|
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
|
|
|
|
// Object Manager Symbolic Link Specific Access Rights.
|
|
#define SYMBOLIC_LINK_QUERY 0x0001
|
|
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
|
|
|
|
#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)
|
|
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)
|
|
|
|
#define DEVICE_TYPE DWORD
|
|
|
|
// Values for RtlAdjustPrivilege
|
|
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
|
|
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
|
|
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
|
|
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
|
|
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
|
|
#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L) // obsolete and unused
|
|
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
|
|
#define SE_TCB_PRIVILEGE (7L)
|
|
#define SE_SECURITY_PRIVILEGE (8L)
|
|
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
|
|
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
|
|
#define SE_PROFILE_PRIVILEGE (11L)
|
|
#define SE_SYSTEMTIME_PRIVILEGE (12L)
|
|
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
|
|
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
|
|
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
|
|
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
|
|
#define SE_BACKUP_PRIVILEGE (17L)
|
|
#define SE_RESTORE_PRIVILEGE (18L)
|
|
#define SE_SHUTDOWN_PRIVILEGE (19L)
|
|
#define SE_DEBUG_PRIVILEGE (20L)
|
|
#define SE_AUDIT_PRIVILEGE (21L)
|
|
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
|
|
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
|
|
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
|
|
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_REMOTE_SHUTDOWN_PRIVILEGE)
|
|
|
|
#define VdmDirectoryFile 6
|
|
|
|
#define InitializeObjectAttributes( p, n, a, r, s ) { \
|
|
(p)->uLength = sizeof( OBJECT_ATTRIBUTES ); \
|
|
(p)->hRootDirectory = r; \
|
|
(p)->uAttributes = a; \
|
|
(p)->pObjectName = n; \
|
|
(p)->pSecurityDescriptor = s; \
|
|
(p)->pSecurityQualityOfService = NULL; \
|
|
}
|
|
|
|
// - Basic Types -
|
|
|
|
typedef LONG NTSTATUS;
|
|
//lint -e624 // Don't complain about different typedefs.
|
|
//
|
|
typedef NTSTATUS *PNTSTATUS;
|
|
//lint +e624 // Resume checking for different typedefs.
|
|
|
|
typedef NTSTATUS (NTAPI *NTSYSCALL)();
|
|
typedef NTSYSCALL *PNTSYSCALL;
|
|
|
|
typedef ULONG KAFFINITY;
|
|
typedef KAFFINITY *PKAFFINITY;
|
|
typedef LONG KPRIORITY;
|
|
|
|
typedef BYTE KPROCESSOR_MODE;
|
|
|
|
// - Structures -
|
|
|
|
typedef VOID *POBJECT;
|
|
typedef VOID (*PKNORMAL_ROUTINE) (
|
|
__in PVOID NormalContext,
|
|
__in PVOID SystemArgument1,
|
|
__in PVOID SystemArgument2
|
|
);
|
|
|
|
typedef struct _STRING
|
|
{
|
|
USHORT Length;
|
|
USHORT MaximumLength;
|
|
#ifdef MIDL_PASS
|
|
[ size_is(MaximumLength), length_is(Length) ]
|
|
#endif // MIDL_PASS
|
|
PCHAR Buffer;
|
|
} STRING, *PSTRING;
|
|
|
|
typedef STRING ANSI_STRING;
|
|
typedef PSTRING PANSI_STRING;
|
|
|
|
typedef STRING OEM_STRING;
|
|
typedef PSTRING POEM_STRING;
|
|
|
|
|
|
typedef struct _UNICODE_STRING
|
|
{
|
|
USHORT Length;
|
|
USHORT MaximumLength;
|
|
PWSTR Buffer;
|
|
} UNICODE_STRING, *PUNICODE_STRING;
|
|
|
|
// - APIs -
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToAnsiString(
|
|
PANSI_STRING DestinationString,
|
|
PUNICODE_STRING SourceString,
|
|
BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
typedef struct _HARDWARE_PTE
|
|
{
|
|
ULONG Valid : 1;
|
|
ULONG Write : 1;
|
|
ULONG Owner : 1;
|
|
ULONG WriteThrough : 1;
|
|
ULONG CacheDisable : 1;
|
|
ULONG Accessed : 1;
|
|
ULONG Dirty : 1;
|
|
ULONG LargePage : 1;
|
|
ULONG Global : 1;
|
|
ULONG CopyOnWrite : 1;
|
|
ULONG Prototype : 1;
|
|
ULONG reserved : 1;
|
|
ULONG PageFrameNumber : 20;
|
|
} HARDWARE_PTE, *PHARDWARE_PTE;
|
|
|
|
typedef struct _OBJECT_ATTRIBUTES
|
|
{
|
|
ULONG uLength;
|
|
HANDLE hRootDirectory;
|
|
PUNICODE_STRING pObjectName;
|
|
ULONG uAttributes;
|
|
PVOID pSecurityDescriptor;
|
|
PVOID pSecurityQualityOfService;
|
|
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
|
|
|
|
typedef struct _CLIENT_ID
|
|
{
|
|
DWORD UniqueProcess;
|
|
DWORD UniqueThread;
|
|
} CLIENT_ID, *PCLIENT_ID;
|
|
|
|
typedef struct _PEB_FREE_BLOCK
|
|
{
|
|
struct _PEB_FREE_BLOCK *Next;
|
|
ULONG Size;
|
|
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
|
|
|
|
typedef struct _CURDIR
|
|
{
|
|
UNICODE_STRING DosPath;
|
|
HANDLE Handle;
|
|
} CURDIR, *PCURDIR;
|
|
|
|
typedef struct _RTL_DRIVE_LETTER_CURDIR
|
|
{
|
|
WORD Flags;
|
|
WORD Length;
|
|
DWORD TimeStamp;
|
|
STRING DosPath;
|
|
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
|
|
|
|
#define PROCESS_PARAMETERS_NORMALIZED 1 // pointers in are absolute (not self-relative)
|
|
|
|
typedef struct _PROCESS_PARAMETERS
|
|
{
|
|
ULONG MaximumLength;
|
|
ULONG Length;
|
|
ULONG Flags; // PROCESS_PARAMETERS_NORMALIZED
|
|
ULONG DebugFlags;
|
|
HANDLE ConsoleHandle;
|
|
ULONG ConsoleFlags;
|
|
HANDLE StandardInput;
|
|
HANDLE StandardOutput;
|
|
HANDLE StandardError;
|
|
CURDIR CurrentDirectory;
|
|
UNICODE_STRING DllPath;
|
|
UNICODE_STRING ImagePathName;
|
|
UNICODE_STRING CommandLine;
|
|
PWSTR Environment;
|
|
ULONG StartingX;
|
|
ULONG StartingY;
|
|
ULONG CountX;
|
|
ULONG CountY;
|
|
ULONG ountCharsX;
|
|
ULONG CountCharsY;
|
|
ULONG FillAttribute;
|
|
ULONG WindowFlags;
|
|
ULONG ShowWindowFlags;
|
|
UNICODE_STRING WindowTitle;
|
|
UNICODE_STRING Desktop;
|
|
UNICODE_STRING ShellInfo;
|
|
UNICODE_STRING RuntimeInfo;
|
|
RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
|
|
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;
|
|
|
|
typedef struct _RTL_BITMAP
|
|
{
|
|
DWORD SizeOfBitMap;
|
|
PDWORD Buffer;
|
|
} RTL_BITMAP, *PRTL_BITMAP, **PPRTL_BITMAP;
|
|
|
|
#define LDR_STATIC_LINK 0x0000002
|
|
#define LDR_IMAGE_DLL 0x0000004
|
|
#define LDR_LOAD_IN_PROGRESS 0x0001000
|
|
#define LDR_UNLOAD_IN_PROGRESS 0x0002000
|
|
#define LDR_ENTRY_PROCESSED 0x0004000
|
|
#define LDR_ENTRY_INSERTED 0x0008000
|
|
#define LDR_CURRENT_LOAD 0x0010000
|
|
#define LDR_FAILED_BUILTIN_LOAD 0x0020000
|
|
#define LDR_DONT_CALL_FOR_THREADS 0x0040000
|
|
#define LDR_PROCESS_ATTACH_CALLED 0x0080000
|
|
#define LDR_DEBUG_SYMBOLS_LOADED 0x0100000
|
|
#define LDR_IMAGE_NOT_AT_BASE 0x0200000
|
|
#define LDR_WX86_IGNORE_MACHINETYPE 0x0400000
|
|
|
|
typedef struct _LDR_DATA_TABLE_ENTRY
|
|
{
|
|
LIST_ENTRY InLoadOrderModuleList;
|
|
LIST_ENTRY InMemoryOrderModuleList;
|
|
LIST_ENTRY InInitializationOrderModuleList;
|
|
PVOID DllBase;
|
|
PVOID EntryPoint;
|
|
ULONG SizeOfImage; // in bytes
|
|
UNICODE_STRING FullDllName;
|
|
UNICODE_STRING BaseDllName;
|
|
ULONG Flags; // LDR_*
|
|
USHORT LoadCount;
|
|
USHORT TlsIndex;
|
|
LIST_ENTRY HashLinks;
|
|
PVOID SectionPointer;
|
|
ULONG CheckSum;
|
|
ULONG TimeDateStamp;
|
|
//PVOID LoadedImports; // seems they are exist only on XP !!!
|
|
//PVOID EntryPointActivationContext; // the same as above
|
|
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
|
|
|
|
// See: http://en.wikipedia.org/wiki/Process_Environment_Block
|
|
typedef struct _PEB_LDR_DATA
|
|
{
|
|
ULONG Length; // 0
|
|
BOOLEAN Initialized; // 4
|
|
PVOID SsHandle; // 8?
|
|
LIST_ENTRY InLoadOrderModuleList; // C, ref. to PLDR_DATA_TABLE_ENTRY->InLoadOrderModuleList
|
|
LIST_ENTRY InMemoryOrderModuleList; // 14, ref. to PLDR_DATA_TABLE_ENTRY->InMemoryOrderModuleList
|
|
LIST_ENTRY InInitializationOrderModuleList; // 1C, ref. to PLDR_DATA_TABLE_ENTRY->InInitializationOrderModuleList
|
|
} PEB_LDR_DATA, *PPEB_LDR_DATA;
|
|
|
|
typedef VOID NTSYSAPI (*PPEBLOCKROUTINE)(PVOID);
|
|
|
|
typedef struct _SYSTEM_STRINGS
|
|
{
|
|
UNICODE_STRING SystemRoot; // C:\WINNT
|
|
UNICODE_STRING System32Root; // C:\WINNT\System32
|
|
UNICODE_STRING BaseNamedObjects; // \BaseNamedObjects
|
|
} SYSTEM_STRINGS,*PSYSTEM_STRINGS;
|
|
|
|
typedef struct _TEXT_INFO
|
|
{
|
|
PVOID Reserved;
|
|
PSYSTEM_STRINGS SystemStrings;
|
|
} TEXT_INFO, *PTEXT_INFO;
|
|
|
|
// See: http://en.wikipedia.org/wiki/Process_Environment_Block
|
|
typedef struct _PEB
|
|
{
|
|
UCHAR InheritedAddressSpace; // 0
|
|
UCHAR ReadImageFileExecOptions; // 1
|
|
UCHAR BeingDebugged; // 2
|
|
BYTE b003; // 3
|
|
PVOID Mutant; // 4
|
|
PVOID ImageBaseAddress; // 8
|
|
PPEB_LDR_DATA Ldr; // C
|
|
PPROCESS_PARAMETERS ProcessParameters; // 10
|
|
PVOID SubSystemData; // 14
|
|
PVOID ProcessHeap; // 18
|
|
KSPIN_LOCK FastPebLock; // 1C
|
|
PPEBLOCKROUTINE FastPebLockRoutine; // 20
|
|
PPEBLOCKROUTINE FastPebUnlockRoutine; // 24
|
|
ULONG EnvironmentUpdateCount; // 28
|
|
PVOID *KernelCallbackTable; // 2C
|
|
PVOID EventLogSection; // 30
|
|
PVOID EventLog; // 34
|
|
PPEB_FREE_BLOCK FreeList; // 38
|
|
ULONG TlsExpansionCounter; // 3C
|
|
PRTL_BITMAP TlsBitmap; // 40
|
|
ULONG TlsBitmapData[0x2]; // 44
|
|
PVOID ReadOnlySharedMemoryBase; // 4C
|
|
PVOID ReadOnlySharedMemoryHeap; // 50
|
|
PTEXT_INFO ReadOnlyStaticServerData; // 54
|
|
PVOID InitAnsiCodePageData; // 58
|
|
PVOID InitOemCodePageData; // 5C
|
|
PVOID InitUnicodeCaseTableData; // 60
|
|
ULONG KeNumberProcessors; // 64
|
|
ULONG NtGlobalFlag; // 68
|
|
DWORD d6C; // 6C
|
|
LARGE_INTEGER MmCriticalSectionTimeout; // 70
|
|
ULONG MmHeapSegmentReserve; // 78
|
|
ULONG MmHeapSegmentCommit; // 7C
|
|
ULONG MmHeapDeCommitTotalFreeThreshold; // 80
|
|
ULONG MmHeapDeCommitFreeBlockThreshold; // 84
|
|
ULONG NumberOfHeaps; // 88
|
|
ULONG AvailableHeaps; // 8C
|
|
PHANDLE ProcessHeapsListBuffer; // 90
|
|
PVOID GdiSharedHandleTable; // 94
|
|
PVOID ProcessStarterHelper; // 98
|
|
PVOID GdiDCAttributeList; // 9C
|
|
KSPIN_LOCK LoaderLock; // A0
|
|
ULONG NtMajorVersion; // A4
|
|
ULONG NtMinorVersion; // A8
|
|
USHORT NtBuildNumber; // AC
|
|
USHORT NtCSDVersion; // AE
|
|
ULONG PlatformId; // B0
|
|
ULONG Subsystem; // B4
|
|
ULONG MajorSubsystemVersion; // B8
|
|
ULONG MinorSubsystemVersion; // BC
|
|
KAFFINITY AffinityMask; // C0
|
|
ULONG GdiHandleBuffer[0x22]; // C4
|
|
ULONG PostProcessInitRoutine; // 14C
|
|
ULONG TlsExpansionBitmap; // 150
|
|
UCHAR TlsExpansionBitmapBits[0x80]; // 154
|
|
ULONG SessionId; // 1D4
|
|
ULARGE_INTEGER AppCompatFlags; // 1D8
|
|
PWORD CSDVersion; // 1E0
|
|
/* PVOID AppCompatInfo; // 1E4
|
|
UNICODE_STRING usCSDVersion;
|
|
PVOID ActivationContextData;
|
|
PVOID ProcessAssemblyStorageMap;
|
|
PVOID SystemDefaultActivationContextData;
|
|
PVOID SystemAssemblyStorageMap;
|
|
ULONG MinimumStackCommit; */
|
|
} PEB, *PPEB;
|
|
|
|
typedef struct _PEB64 {
|
|
BYTE Reserved1[2];
|
|
BYTE BeingDebugged;
|
|
BYTE Reserved2[21];
|
|
PPEB_LDR_DATA Ldr;
|
|
PPROCESS_PARAMETERS ProcessParameters;
|
|
BYTE Reserved3[520];
|
|
ULONG PostProcessInitRoutine;
|
|
BYTE Reserved4[136];
|
|
ULONG SessionId;
|
|
} PEB64;
|
|
|
|
typedef struct _TEB
|
|
{
|
|
NT_TIB Tib;
|
|
PVOID EnvironmentPointer;
|
|
CLIENT_ID Cid;
|
|
PVOID ActiveRpcInfo;
|
|
PVOID ThreadLocalStoragePointer;
|
|
PPEB Peb;
|
|
ULONG LastErrorValue;
|
|
ULONG CountOfOwnedCriticalSections;
|
|
PVOID CsrClientThread;
|
|
PVOID Win32ThreadInfo;
|
|
ULONG Win32ClientInfo[0x1F];
|
|
PVOID WOW32Reserved;
|
|
ULONG CurrentLocale;
|
|
ULONG FpSoftwareStatusRegister;
|
|
PVOID SystemReserved1[0x36];
|
|
PVOID Spare1;
|
|
LONG ExceptionCode;
|
|
ULONG SpareBytes1[0x28];
|
|
PVOID SystemReserved2[0xA];
|
|
ULONG gdiRgn;
|
|
ULONG gdiPen;
|
|
ULONG gdiBrush;
|
|
CLIENT_ID RealClientId;
|
|
PVOID GdiCachedProcessHandle;
|
|
ULONG GdiClientPID;
|
|
ULONG GdiClientTID;
|
|
PVOID GdiThreadLocaleInfo;
|
|
PVOID UserReserved[5];
|
|
PVOID glDispatchTable[0x118];
|
|
ULONG glReserved1[0x1A];
|
|
PVOID glReserved2;
|
|
PVOID glSectionInfo;
|
|
PVOID glSection;
|
|
PVOID glTable;
|
|
PVOID glCurrentRC;
|
|
PVOID glContext;
|
|
NTSTATUS LastStatusValue;
|
|
UNICODE_STRING StaticUnicodeString;
|
|
WCHAR StaticUnicodeBuffer[0x105];
|
|
PVOID DeallocationStack;
|
|
PVOID TlsSlots[0x40];
|
|
LIST_ENTRY TlsLinks;
|
|
PVOID Vdm;
|
|
PVOID ReservedForNtRpc;
|
|
PVOID DbgSsReserved[0x2];
|
|
ULONG HardErrorDisabled;
|
|
PVOID Instrumentation[0x10];
|
|
PVOID WinSockData;
|
|
ULONG GdiBatchCount;
|
|
ULONG Spare2;
|
|
ULONG Spare3;
|
|
ULONG Spare4;
|
|
PVOID ReservedForOle;
|
|
ULONG WaitingOnLoaderLock;
|
|
PVOID StackCommit;
|
|
PVOID StackCommitMax;
|
|
PVOID StackReserve;
|
|
} TEB, *PTEB;
|
|
|
|
typedef enum _POOL_TYPE
|
|
{
|
|
NonPagedPool,
|
|
PagedPool,
|
|
NonPagedPoolMustSucceed,
|
|
DontUseThisType,
|
|
NonPagedPoolCacheAligned,
|
|
PagedPoolCacheAligned,
|
|
NonPagedPoolCacheAlignedMustS,
|
|
MaxPoolType
|
|
} POOL_TYPE, *PPOOL_TYPE;
|
|
|
|
typedef enum _KWAIT_REASON
|
|
{
|
|
Executive,
|
|
FreePage,
|
|
PageIn,
|
|
PoolAllocation,
|
|
DelayExecution,
|
|
Suspended,
|
|
UserRequest,
|
|
WrExecutive,
|
|
WrFreePage,
|
|
WrPageIn,
|
|
WrPoolAllocation,
|
|
WrDelayExecution,
|
|
WrSuspended,
|
|
WrUserRequest,
|
|
WrEventPair,
|
|
WrQueue,
|
|
WrLpcReceive,
|
|
WrLpcReply,
|
|
WrVirtualMemory,
|
|
WrPageOut,
|
|
WrRendezvous,
|
|
Spare2,
|
|
Spare3,
|
|
Spare4,
|
|
Spare5,
|
|
Spare6,
|
|
WrKernel,
|
|
MaximumWaitReason
|
|
} KWAIT_REASON, *PKWAIT_REASON;
|
|
|
|
typedef struct _DISPATCHER_HEADER
|
|
{
|
|
BYTE uType; //DO_TYPE_*
|
|
BYTE uAbsolute;
|
|
BYTE uSize; // number of DWORDs
|
|
BYTE uInserted;
|
|
LONG lSignalState;
|
|
LIST_ENTRY WaitListHead;
|
|
} DISPATCHER_HEADER, *PDISPATCHER_HEADER;
|
|
|
|
typedef struct _KPROCESS
|
|
{
|
|
DISPATCHER_HEADER Header; // DO_TYPE_PROCESS (0x1A)
|
|
LIST_ENTRY le10;
|
|
DWORD d18;
|
|
DWORD d1C;
|
|
DWORD d20;
|
|
DWORD d24;
|
|
DWORD d28;
|
|
DWORD d2C;
|
|
DWORD d30;
|
|
DWORD d34;
|
|
DWORD dKernelTime; // ticks
|
|
DWORD dUserTime; // ticks
|
|
LIST_ENTRY le40;
|
|
LIST_ENTRY OutSwapList;
|
|
LIST_ENTRY ThreadListHead; // KTHREAD.ThreadList
|
|
DWORD d58;
|
|
KAFFINITY AffinityMask;
|
|
WORD w60;
|
|
BYTE bBasePriority;
|
|
BYTE b63;
|
|
WORD w64;
|
|
BYTE b66;
|
|
BOOLEAN fPriorityBoost;
|
|
} KPROCESS, *PKPROCESS;
|
|
|
|
typedef struct _PORT_MESSAGE
|
|
{
|
|
USHORT DataSize;
|
|
USHORT MessageSize;
|
|
USHORT MessageType;
|
|
USHORT VirtualRangesOffset;
|
|
CLIENT_ID ClientId;
|
|
ULONG MessageId;
|
|
ULONG SectionSize;
|
|
//UCHAR Data[];
|
|
} PORT_MESSAGE, *PPORT_MESSAGE;
|
|
|
|
typedef struct _SERVICE_DESCRIPTOR_TABLE
|
|
{
|
|
PNTSYSCALL ServiceTable; // array of entrypoints
|
|
PULONG puCounterTable; // array of counters
|
|
ULONG uTableSize; // number of table entries
|
|
PBYTE pbArgumentTable; // array of byte counts
|
|
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
|
|
|
|
typedef struct _KSEMAPHORE
|
|
{
|
|
DISPATCHER_HEADER Header;
|
|
LONG lLimit;
|
|
} KSEMAPHORE, *PKSEMAPHORE;
|
|
|
|
typedef struct _KTHREAD
|
|
{
|
|
DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C)
|
|
LIST_ENTRY le010;
|
|
DWORD d018;
|
|
DWORD d01C;
|
|
PTEB pTeb;
|
|
DWORD d024;
|
|
DWORD d028;
|
|
BYTE b02C;
|
|
BYTE bThreadState; // THREAD_STATE_*
|
|
WORD w02E;
|
|
WORD w030;
|
|
BYTE b032;
|
|
BYTE bPriority;
|
|
LIST_ENTRY le034;
|
|
LIST_ENTRY le03C;
|
|
PKPROCESS pProcess;
|
|
DWORD d048;
|
|
DWORD dContextSwitches;
|
|
DWORD d050;
|
|
WORD w054;
|
|
BYTE b056;
|
|
BYTE bWaitReason;
|
|
DWORD d058;
|
|
PLIST_ENTRY ple05C;
|
|
PLIST_ENTRY ple060;
|
|
DWORD d064;
|
|
BYTE bBasePriority;
|
|
BYTE b069;
|
|
WORD w06A;
|
|
DWORD d06C;
|
|
DWORD d070;
|
|
DWORD d074;
|
|
DWORD d078;
|
|
DWORD d07C;
|
|
DWORD d080;
|
|
DWORD d084;
|
|
DWORD d088;
|
|
DWORD d08C;
|
|
DWORD d090;
|
|
DWORD d094;
|
|
DWORD d098;
|
|
DWORD d09C;
|
|
DWORD d0A0;
|
|
DWORD d0A4;
|
|
DWORD d0A8;
|
|
DWORD d0AC;
|
|
DWORD d0B0;
|
|
DWORD d0B4;
|
|
DWORD d0B8;
|
|
DWORD d0BC;
|
|
DWORD d0C0;
|
|
DWORD d0C4;
|
|
DWORD d0C8;
|
|
DWORD d0CC;
|
|
DWORD d0D0;
|
|
DWORD d0D4;
|
|
DWORD d0D8;
|
|
PSERVICE_DESCRIPTOR_TABLE pServiceDescriptorTable;
|
|
DWORD d0E0;
|
|
DWORD d0E4;
|
|
DWORD d0E8;
|
|
DWORD d0EC;
|
|
LIST_ENTRY le0F0;
|
|
DWORD d0F8;
|
|
DWORD d0FC;
|
|
DWORD d100;
|
|
DWORD d104;
|
|
DWORD d108;
|
|
DWORD d10C;
|
|
DWORD d110;
|
|
DWORD d114;
|
|
DWORD d118;
|
|
BYTE b11C;
|
|
BYTE b11D;
|
|
WORD w11E;
|
|
DWORD d120;
|
|
DWORD d124;
|
|
DWORD d128;
|
|
DWORD d12C;
|
|
DWORD d130;
|
|
WORD w134;
|
|
BYTE b136;
|
|
KPROCESSOR_MODE ProcessorMode;
|
|
DWORD dKernelTime; // ticks
|
|
DWORD dUserTime; // ticks
|
|
DWORD d140;
|
|
DWORD d144;
|
|
DWORD d148;
|
|
DWORD d14C;
|
|
DWORD d150;
|
|
DWORD d154;
|
|
DWORD d158;
|
|
DWORD d15C;
|
|
DWORD d160;
|
|
DWORD d164;
|
|
DWORD d168;
|
|
DWORD d16C;
|
|
DWORD d170;
|
|
PROC SuspendNop;
|
|
DWORD d178;
|
|
DWORD d17C;
|
|
DWORD d180;
|
|
DWORD d184;
|
|
DWORD d188;
|
|
DWORD d18C;
|
|
KSEMAPHORE SuspendSemaphore;
|
|
LIST_ENTRY ThreadList; // KPROCESS.ThreadListHead
|
|
DWORD d1AC;
|
|
} KTHREAD, *PKTHREAD;
|
|
|
|
typedef struct _ETHREAD
|
|
{
|
|
KTHREAD Tcb;
|
|
LARGE_INTEGER liCreateTime;
|
|
LARGE_INTEGER liExitTime;
|
|
NTSTATUS ExitStatus;
|
|
LIST_ENTRY PostBlockList;
|
|
LIST_ENTRY TerminationPortList;
|
|
ULONG uActiveTimerListLock;
|
|
LIST_ENTRY ActiveTimerListHead;
|
|
CLIENT_ID Cid;
|
|
KSEMAPHORE LpcReplySemaphore;
|
|
ULONG uLpcReplyMessage;
|
|
LARGE_INTEGER liLpcReplyMessageId;
|
|
ULONG uImpersonationInfo;
|
|
LIST_ENTRY IrpList;
|
|
LIST_ENTRY TopLevelIrp;
|
|
ULONG uReadClusterSize;
|
|
BOOLEAN fForwardClusterOnly;
|
|
BOOLEAN fDisablePageFaultClustering;
|
|
BOOLEAN fDeadThread;
|
|
BOOLEAN fHasTerminated;
|
|
ULONG uEventPair;
|
|
ULONG uGrantedAccess;
|
|
ULONG uThreadsProcess;
|
|
PVOID pStartAddress;
|
|
PVOID Win32StartAddress;
|
|
BOOLEAN fLpcExitThreadCalled;
|
|
BOOLEAN fHardErrorsAreDisabled;
|
|
WORD wUknown1;
|
|
DWORD dwUknown2;
|
|
} ETHREAD, *PETHREAD;
|
|
|
|
typedef PETHREAD
|
|
ERESOURCE_THREAD, *PERESOURCE_THREAD;
|
|
|
|
typedef struct _KEVENT
|
|
{
|
|
DISPATCHER_HEADER Header;
|
|
} KEVENT, *PKEVENT;
|
|
|
|
typedef struct _ERESOURCE_OLD
|
|
{
|
|
LIST_ENTRY SystemResourcesList;
|
|
PERESOURCE_THREAD OwnerThreads;
|
|
PBYTE pbOwnerCounts;
|
|
WORD wTableSize;
|
|
WORD wActiveCount;
|
|
WORD wFlag;
|
|
WORD wTableRover;
|
|
BYTE bInitialOwnerCounts[4];
|
|
ERESOURCE_THREAD InitialOwnerThreads[4];
|
|
DWORD dwUknown1;
|
|
ULONG uContentionCount;
|
|
WORD wNumberOfExclusiveWaiters;
|
|
WORD wNumberOfSharedWaiters;
|
|
KSEMAPHORE SharedWaiters;
|
|
KEVENT ExclusiveWaiters;
|
|
KSPIN_LOCK SpinLock;
|
|
ULONG uCreatorBackTraceIndex;
|
|
WORD wDepth;
|
|
WORD wUknown2;
|
|
PVOID pOwnerBackTrace[4];
|
|
} ERESOURCE_OLD, *PERESOURCE_OLD;
|
|
|
|
typedef struct _OWNER_ENTRY
|
|
{
|
|
ERESOURCE_THREAD OwnerThread;
|
|
SHORT sOwnerCount;
|
|
WORD wTableSize;
|
|
} OWNER_ENTRY, *POWNER_ENTRY;
|
|
|
|
typedef struct _ERESOURCE_LITE
|
|
{
|
|
LIST_ENTRY SystemResourcesList;
|
|
POWNER_ENTRY OwnerTable;
|
|
SHORT sActiveCount;
|
|
WORD wFlag;
|
|
PKSEMAPHORE SharedWaiters;
|
|
PKEVENT ExclusiveWaiters;
|
|
OWNER_ENTRY OwnerThreads[2];
|
|
ULONG uContentionCount;
|
|
WORD wNumberOfSharedWaiters;
|
|
WORD wNumberOfExclusiveWaiters;
|
|
union
|
|
{
|
|
PVOID pAddress;
|
|
ULONG uCreatorBackTraceIndex;
|
|
};
|
|
KSPIN_LOCK SpinLock;
|
|
} ERESOURCE_LITE, *PERESOURCE_LITE;
|
|
|
|
typedef ERESOURCE_LITE ERESOURCE,
|
|
*PERESOURCE;
|
|
|
|
typedef struct _IO_STATUS_BLOCK
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG uInformation;
|
|
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
|
|
|
|
/* Defined in Winnt.h
|
|
typedef struct _QUOTA_LIMITS {
|
|
SIZE_T PagedPoolLimit;
|
|
SIZE_T NonPagedPoolLimit;
|
|
SIZE_T MinimumWorkingSetSize;
|
|
SIZE_T MaximumWorkingSetSize;
|
|
SIZE_T PagefileLimit;
|
|
LARGE_INTEGER TimeLimit;
|
|
} QUOTA_LIMITS, *PQUOTA_LIMITS;
|
|
*/
|
|
|
|
typedef struct _IOCOUNTERS
|
|
{
|
|
ULONG uReadOperationCount;
|
|
ULONG uWriteOperationCount;
|
|
ULONG uOtherOperationCount;
|
|
LARGE_INTEGER liReadTransferCount;
|
|
LARGE_INTEGER liWriteTransferCount;
|
|
LARGE_INTEGER liOtherTransferCount;
|
|
} IOCOUNTERS, *PIOCOUNTERS;
|
|
|
|
typedef struct _VM_COUNTERS
|
|
{
|
|
ULONG uPeakVirtualSize;
|
|
ULONG uVirtualSize;
|
|
ULONG uPageFaultCount;
|
|
ULONG uPeakWorkingSetSize;
|
|
ULONG uWorkingSetSize;
|
|
ULONG uQuotaPeakPagedPoolUsage;
|
|
ULONG uQuotaPagedPoolUsage;
|
|
ULONG uQuotaPeakNonPagedPoolUsage;
|
|
ULONG uQuotaNonPagedPoolUsage;
|
|
ULONG uPagefileUsage;
|
|
ULONG uPeakPagefileUsage;
|
|
} VM_COUNTERS, *PVM_COUNTERS;
|
|
|
|
typedef struct _KERNEL_USER_TIMES
|
|
{
|
|
LARGE_INTEGER liCreateTime;
|
|
LARGE_INTEGER liExitTime;
|
|
LARGE_INTEGER liKernelTime;
|
|
LARGE_INTEGER liUserTime;
|
|
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
|
|
|
|
typedef struct _BASE_PRIORITY_INFORMATION
|
|
{
|
|
KPRIORITY BasePriority;
|
|
} BASE_PRIORITY_INFORMATION, *PBASE_PRIORITY_INFORMATION;
|
|
|
|
typedef struct _AFFINITY_MASK
|
|
{
|
|
KAFFINITY AffinityMask;
|
|
} AFFINITY_MASK, *PAFFINITY_MASK;
|
|
|
|
typedef struct _TIME_FIELDS
|
|
{
|
|
WORD wYear;
|
|
WORD wMonth;
|
|
WORD wDay;
|
|
WORD wHour;
|
|
WORD wMinute;
|
|
WORD wSecond;
|
|
WORD wMilliseconds;
|
|
WORD wWeekday;
|
|
} TIME_FIELDS, *PTIME_FIELDS;
|
|
|
|
typedef void (*PIO_APC_ROUTINE)
|
|
(PVOID ApcContext,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
ULONG Reserved);
|
|
|
|
#if(_WIN32_WINNT < 0x0400)
|
|
|
|
typedef struct _NTVOLUME_DATA_BUFFER
|
|
{
|
|
LARGE_INTEGER liSerialNumber;
|
|
LARGE_INTEGER liNumberOfSectors;
|
|
LARGE_INTEGER liTotalClusters;
|
|
LARGE_INTEGER liFreeClusters;
|
|
LARGE_INTEGER liReserved;
|
|
ULONG uBytesPerSector;
|
|
ULONG uBytesPerCluster;
|
|
ULONG uBytesPerMFTRecord;
|
|
ULONG uClustersPerMFTRecord;
|
|
LARGE_INTEGER liMFTLength;
|
|
LARGE_INTEGER liMFTStart;
|
|
LARGE_INTEGER liMFTMirrorStart;
|
|
LARGE_INTEGER liMFTZoneStart;
|
|
LARGE_INTEGER liMFTZoneEnd;
|
|
} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;
|
|
|
|
#endif // _WIN23_WINNT < 0x0400
|
|
|
|
typedef struct _OBJDIR_INFORMATION
|
|
{
|
|
UNICODE_STRING ObjectName;
|
|
UNICODE_STRING ObjectTypeName; // e.g. Directory, Device ...
|
|
UCHAR Data[1]; // variable length
|
|
} OBJDIR_INFORMATION, *POBJDIR_INFORMATION;
|
|
|
|
// Define the file system information class values
|
|
typedef enum _FSINFOCLASS {
|
|
FileFsVolumeInformation = 1,
|
|
FileFsLabelInformation, // 2
|
|
FileFsSizeInformation, // 3
|
|
FileFsDeviceInformation, // 4
|
|
FileFsAttributeInformation, // 5
|
|
FileFsControlInformation, // 6
|
|
FileFsFullSizeInformation, // 7
|
|
FileFsObjectIdInformation, // 8
|
|
FileFsMaximumInformation
|
|
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
|
|
|
|
typedef struct _FILE_FS_VOLUME_INFORMATION {
|
|
LARGE_INTEGER VolumeCreationTime;
|
|
ULONG VolumeSerialNumber;
|
|
ULONG VolumeLabelLength;
|
|
BOOLEAN SupportsObjects;
|
|
WCHAR VolumeLabel[1];
|
|
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_LABEL_INFORMATION {
|
|
ULONG VolumeLabelLength;
|
|
WCHAR VolumeLabel[1];
|
|
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_SIZE_INFORMATION {
|
|
LARGE_INTEGER TotalAllocationUnits;
|
|
LARGE_INTEGER AvailableAllocationUnits;
|
|
ULONG SectorsPerAllocationUnit;
|
|
ULONG BytesPerSector;
|
|
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_DEVICE_INFORMATION {
|
|
DEVICE_TYPE DeviceType;
|
|
ULONG Characteristics;
|
|
} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
|
|
ULONG FileSystemAttributes;
|
|
LONG MaximumComponentNameLength;
|
|
ULONG FileSystemNameLength;
|
|
WCHAR FileSystemName[1];
|
|
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_CONTROL_INFORMATION {
|
|
LARGE_INTEGER FreeSpaceStartFiltering;
|
|
LARGE_INTEGER FreeSpaceThreshold;
|
|
LARGE_INTEGER FreeSpaceStopFiltering;
|
|
LARGE_INTEGER DefaultQuotaThreshold;
|
|
LARGE_INTEGER DefaultQuotaLimit;
|
|
ULONG FileSystemControlFlags;
|
|
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
|
|
LARGE_INTEGER TotalQuotaAllocationUnits;
|
|
LARGE_INTEGER AvailableQuotaAllocationUnits;
|
|
LARGE_INTEGER AvailableAllocationUnits;
|
|
ULONG SectorsPerAllocationUnit;
|
|
ULONG BytesPerSector;
|
|
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
|
|
GUID VolumeObjectId;
|
|
ULONG VolumeObjectIdExtendedInfo[12];
|
|
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
|
|
|
|
typedef enum _SYSTEMINFOCLASS
|
|
{
|
|
SystemBasicInformation, // 0x002C
|
|
SystemProcessorInformation, // 0x000C
|
|
SystemPerformanceInformation, // 0x0138
|
|
SystemTimeInformation, // 0x0020
|
|
SystemPathInformation, // not implemented
|
|
SystemProcessInformation, // 0x00C8+ per process
|
|
SystemCallInformation, // 0x0018 + (n * 0x0004)
|
|
SystemConfigurationInformation, // 0x0018
|
|
SystemProcessorCounters, // 0x0030 per cpu
|
|
SystemGlobalFlag, // 0x0004 (fails if size != 4)
|
|
SystemCallTimeInformation, // not implemented
|
|
SystemModuleInformation, // 0x0004 + (n * 0x011C)
|
|
SystemLockInformation, // 0x0004 + (n * 0x0024)
|
|
SystemStackTraceInformation, // not implemented
|
|
SystemPagedPoolInformation, // checked build only
|
|
SystemNonPagedPoolInformation, // checked build only
|
|
SystemHandleInformation, // 0x0004 + (n * 0x0010)
|
|
SystemObjectTypeInformation, // 0x0038+ + (n * 0x0030+)
|
|
SystemPageFileInformation, // 0x0018+ per page file
|
|
SystemVdmInstemulInformation, // 0x0088
|
|
SystemVdmBopInformation, // invalid info class
|
|
SystemCacheInformation, // 0x0024
|
|
SystemPoolTagInformation, // 0x0004 + (n * 0x001C)
|
|
SystemInterruptInformation, // 0x0000, or 0x0018 per cpu
|
|
SystemDpcInformation, // 0x0014
|
|
SystemFullMemoryInformation, // checked build only
|
|
SystemLoadDriver, // 0x0018, set mode only
|
|
SystemUnloadDriver, // 0x0004, set mode only
|
|
SystemTimeAdjustmentInformation, // 0x000C, 0x0008 writeable
|
|
SystemSummaryMemoryInformation, // checked build only
|
|
SystemNextEventIdInformation, // checked build only
|
|
SystemEventIdsInformation, // checked build only
|
|
SystemCrashDumpInformation, // 0x0004
|
|
SystemExceptionInformation, // 0x0010
|
|
SystemCrashDumpStateInformation, // 0x0004
|
|
SystemDebuggerInformation, // 0x0002
|
|
SystemContextSwitchInformation, // 0x0030
|
|
SystemRegistryQuotaInformation, // 0x000C
|
|
SystemAddDriver, // 0x0008, set mode only
|
|
SystemPrioritySeparationInformation, // 0x0004, set mode only
|
|
SystemPlugPlayBusInformation, // not implemented
|
|
SystemDockInformation, // not implemented
|
|
SystemPowerInfo, // 0x0060 (XP only!)
|
|
SystemProcessorSpeedInformation, // 0x000C (XP only!)
|
|
SystemTimeZoneInformation, // 0x00AC
|
|
SystemLookasideInformation, // n * 0x0020
|
|
SystemSetTimeSlipEvent,
|
|
SystemCreateSession, // set mode only
|
|
SystemDeleteSession, // set mode only
|
|
SystemInvalidInfoClass1, // invalid info class
|
|
SystemRangeStartInformation, // 0x0004 (fails if size != 4)
|
|
SystemVerifierInformation,
|
|
SystemAddVerifier,
|
|
SystemSessionProcessesInformation, // checked build only
|
|
MaxSystemInfoClass
|
|
} SYSTEMINFOCLASS, *PSYSTEMINFOCLASS;
|
|
|
|
typedef struct _SYSTEM_BASIC_INFORMATION
|
|
{
|
|
DWORD dwUnknown1; // 0
|
|
ULONG uKeMaximumIncrement; // x86: 0x0002625A or 0x00018730
|
|
ULONG uPageSize; // bytes
|
|
ULONG uMmNumberOfPhysicalPages;
|
|
ULONG uMmLowestPhysicalPage;
|
|
ULONG uMmHighestPhysicalPage;
|
|
ULONG uAllocationGranularity; // bytes
|
|
PVOID pLowestUserAddress;
|
|
PVOID pMmHighestUserAddress;
|
|
KAFFINITY uKeActiveProcessors;
|
|
BYTE bKeNumberProcessors;
|
|
BYTE bUnknown2;
|
|
WORD wUnknown3;
|
|
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_PROCESSOR_INFORMATION
|
|
{
|
|
WORD wKeProcessorArchitecture; // PROCESSOR_ARCHITECTURE_* (PROCESSOR_ARCHITECTURE_INTEL)
|
|
WORD wKeProcessorLevel; // PROCESSOR_* (PROCESSOR_INTEL_PENTIUM)
|
|
WORD wKeProcessorRevision; // Pentium: H=model, L=stepping
|
|
WORD wUnknown1; // 0
|
|
ULONG uKeFeatureBits;
|
|
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
|
|
|
|
typedef struct _MM_INFO_COUNTERS
|
|
{
|
|
ULONG uPageFaults;
|
|
ULONG uWriteCopyFaults;
|
|
ULONG uTransistionFaults;
|
|
ULONG uCacheTransitionCount;
|
|
ULONG uDemandZeroFaults;
|
|
ULONG uPagesRead;
|
|
ULONG uPageReadIos;
|
|
ULONG uCacheReadCount;
|
|
ULONG uCacheIoCount;
|
|
ULONG uPagefilePagesWritten;
|
|
ULONG uPagefilePageWriteIos;
|
|
ULONG uMappedFilePagesWritten;
|
|
ULONG uMappedFilePageWriteIos;
|
|
} MM_INFO_COUNTERS, *PMM_INFO_COUNTERS;
|
|
|
|
typedef struct _SYSTEM_PERFORMANCE_INFORMATION
|
|
{
|
|
LARGE_INTEGER liIdleTime; // 100 nsec units
|
|
LARGE_INTEGER liIoReadTransferCount;
|
|
LARGE_INTEGER liIoWriteTransferCount;
|
|
LARGE_INTEGER liIoOtherTransferCount;
|
|
ULONG uIoReadOperationCount;
|
|
ULONG uIoWriteOperationCount;
|
|
ULONG uIoOtherOperationCount;
|
|
ULONG uMmAvailablePages;
|
|
ULONG uMmTotalCommittedPages;
|
|
ULONG uMmTotalCommitLimit; // pages
|
|
ULONG uMmPeakCommitLimit; // pages
|
|
MM_INFO_COUNTERS MmInfoCounters;
|
|
ULONG uPoolPaged; // pages
|
|
ULONG uPoolNonPaged; // pages
|
|
ULONG uPagedPoolAllocs;
|
|
ULONG uPagedPoolFrees;
|
|
ULONG uNonPagedPoolAllocs;
|
|
ULONG uNonPagedPoolFrees;
|
|
ULONG uMmTotalFreeSystemPages;
|
|
ULONG uMmSystemCodePage;
|
|
ULONG uMmTotalSystemDriverPages;
|
|
ULONG uMmTotalSystemCodePages;
|
|
ULONG uSmallNonPagedLookasideListAllocateHits;
|
|
ULONG uSmallPagedLookasideListAllocateHits;
|
|
DWORD dwUnknown1;
|
|
ULONG uMmSystemCachePage;
|
|
ULONG uMmPagedPoolPage;
|
|
ULONG uMmSystemDriverPage;
|
|
ULONG uCcFastReadNoWait;
|
|
ULONG uCcFastReadWait;
|
|
ULONG uCcFastReadResourceMiss;
|
|
ULONG uCcFastReadNotPossible;
|
|
ULONG uCcFastMdlReadNoWait;
|
|
ULONG uCcFastMdlReadWait;
|
|
ULONG uCcFastMdlReadResourceMiss;
|
|
ULONG uCcFastMdlReadNotPossible;
|
|
ULONG uCcMapDataNoWait;
|
|
ULONG uCcMapDataWait;
|
|
ULONG uCcMapDataNoWaitMiss;
|
|
ULONG uCcMapDataWaitMiss;
|
|
ULONG uCcPinMappedDataCount;
|
|
ULONG uCcPinReadNoWait;
|
|
ULONG uCcPinReadWait;
|
|
ULONG uCcPinReadNoWaitMiss;
|
|
ULONG uCcPinReadWaitMiss;
|
|
ULONG uCcCopyReadNoWait;
|
|
ULONG uCcCopyReadWait;
|
|
ULONG uCcCopyReadNoWaitMiss;
|
|
ULONG uCcCopyReadWaitMiss;
|
|
ULONG uCcMdlReadNoWait;
|
|
ULONG uCcMdlReadWait;
|
|
ULONG uCcMdlReadNoWaitMiss;
|
|
ULONG uCcMdlReadWaitMiss;
|
|
ULONG uCcReadAheadIos;
|
|
ULONG uCcLazyWriteIos;
|
|
ULONG uCcLazyWritePages;
|
|
ULONG uCcDataFlushes;
|
|
ULONG uCcDataPages;
|
|
ULONG uTotalContextSwitches; // total across cpus
|
|
ULONG uFirstLevelTbFills;
|
|
ULONG uSecondLevelTbFills;
|
|
ULONG uSystemCalls;
|
|
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_TIME_INFORMATION
|
|
{
|
|
LARGE_INTEGER liKeBootTime; // relative to 01-01-1601
|
|
LARGE_INTEGER liKeSystemTime; // relative to 01-01-1601
|
|
LARGE_INTEGER liExpTimeZoneBias; // utc time = local time + bias
|
|
ULONG uExpCurrentTimeZoneId; // TIME_ZONE_ID_* (TIME_ZONE_ID_UNKNOWN, etc.)
|
|
DWORD dwUnknown1;
|
|
} SYSTEM_TIME_INFORMATION, *PSYSTEM_TIME_INFORMATION;
|
|
|
|
typedef enum
|
|
{
|
|
StateInitialized,
|
|
StateReady,
|
|
StateRunning,
|
|
StateStandby,
|
|
StateTerminated,
|
|
StateWait,
|
|
StateTransition,
|
|
StateUnknown
|
|
} THREAD_STATE;
|
|
|
|
/*typedef struct _IO_COUNTERSEX
|
|
{
|
|
LARGE_INTEGER ReadOperationCount;
|
|
LARGE_INTEGER WriteOperationCount;
|
|
LARGE_INTEGER OtherOperationCount;
|
|
LARGE_INTEGER ReadTransferCount;
|
|
LARGE_INTEGER WriteTransferCount;
|
|
LARGE_INTEGER OtherTransferCount;
|
|
} IO_COUNTERS, *PIO_COUNTERS;*/
|
|
|
|
typedef struct _SYSTEM_THREAD {
|
|
FILETIME ftKernelTime; // 100 nsec units
|
|
FILETIME ftUserTime; // 100 nsec units
|
|
FILETIME ftCreateTime; // relative to 01-01-1601
|
|
DWORD dWaitTime;
|
|
PVOID pStartAddress;
|
|
CLIENT_ID Cid; // process/thread ids
|
|
DWORD dPriority;
|
|
DWORD dBasePriority;
|
|
DWORD dContextSwitches;
|
|
DWORD dThreadState; // 2=running, 5=waiting
|
|
KWAIT_REASON WaitReason;
|
|
DWORD dReserved01;
|
|
} SYSTEM_THREAD, * PSYSTEM_THREAD, **PPSYSTEM_THREAD;
|
|
|
|
typedef struct _SYSTEM_PROCESS_INFORMATION { // common members
|
|
DWORD dNext; // relative offset
|
|
DWORD dThreadCount;
|
|
DWORD dReserved01;
|
|
DWORD dReserved02;
|
|
DWORD dReserved03;
|
|
DWORD dReserved04;
|
|
DWORD dReserved05;
|
|
DWORD dReserved06;
|
|
FILETIME ftCreateTime; // relative to 01-01-1601
|
|
FILETIME ftUserTime; // 100 nsec units
|
|
FILETIME ftKernelTime; // 100 nsec units
|
|
UNICODE_STRING usName;
|
|
KPRIORITY BasePriority;
|
|
DWORD dUniqueProcessId;
|
|
DWORD dInheritedFromUniqueProcessId;
|
|
DWORD dHandleCount;
|
|
DWORD dReserved07;
|
|
DWORD dReserved08;
|
|
VM_COUNTERS VmCounters; // see ntddk.h
|
|
DWORD dCommitCharge; // bytes
|
|
LARGE_INTEGER Reserved6[6];
|
|
|
|
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION, **PPSYSTEM_PROCESS_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_PROCESS_INFORMATION_NT4 { // Windows NT 4.0
|
|
SYSTEM_PROCESS_INFORMATION Process; // common members
|
|
SYSTEM_THREAD aThreads [1]; // thread array
|
|
} SYSTEM_PROCESS_INFORMATION_NT4, * PSYSTEM_PROCESS_INFORMATION_NT4, **PPSYSTEM_PROCESS_INFORMATION_NT4;
|
|
|
|
typedef struct _SYSTEM_PROCESS_NT5 { // Windows 2000 and up
|
|
SYSTEM_PROCESS_INFORMATION Process; // common members
|
|
IO_COUNTERS IoCounters; // see ntddk.h
|
|
SYSTEM_THREAD aThreads [1]; // thread array
|
|
} SYSTEM_PROCESS_INFORMATION_NT5, * PSYSTEM_PROCESS_INFORMATION_NT5, **PPSYSTEM_PROCESS_INFORMATION_NT5;
|
|
|
|
typedef struct _SYSTEM_CALL_INFORMATION
|
|
{
|
|
ULONG Length;
|
|
ULONG NumberOfTables;
|
|
// ULONG NumberOfEntries[NumberOfTables]
|
|
// ULONG CallCounts[NumberOfTables][NumberOfEntries];
|
|
} SYSTEM_CALL_INFORMATION, *PSYSTEM_CALL_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_CONFIGURATION_INFORMATION
|
|
{
|
|
ULONG uDiskCount;
|
|
ULONG uFloppyCount;
|
|
ULONG uCDRomCount;
|
|
ULONG uTapeCount;
|
|
ULONG uSerialCount; // com port with mouse not included
|
|
ULONG uParallelCount;
|
|
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_PROCESSOR_COUNTERS
|
|
{
|
|
LARGE_INTEGER liProcessorTime; // 100 nsec units
|
|
LARGE_INTEGER liKernelTime; // 100 nsec units
|
|
LARGE_INTEGER liUserTime; // 100 nsec units
|
|
LARGE_INTEGER liDpcTime; // 100 nsec units
|
|
LARGE_INTEGER liInterruptTime; // 100 nsec units
|
|
ULONG uInterruptCount;
|
|
DWORD dwUnknown1;
|
|
} SYSTEM_PROCESSOR_COUNTERS, *PSYSTEM_PROCESSOR_COUNTERS;
|
|
|
|
typedef struct _SYSTEM_GLOBAL_FLAG
|
|
{
|
|
ULONG NtGlobalFlag; // see Q147314, Q102985, Q105677
|
|
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
|
|
|
|
typedef struct _SYSTEM_CALL_TIME_INFORMATION
|
|
{
|
|
ULONG Length;
|
|
ULONG TotalCalls;
|
|
LARGE_INTEGER TimeOfCalls[1];
|
|
} SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_MODULE
|
|
{
|
|
ULONG Reserved[2];
|
|
ULONG Base;
|
|
ULONG Size;
|
|
ULONG Flags;
|
|
USHORT Index;
|
|
USHORT Unknown;
|
|
USHORT LoadCount;
|
|
USHORT ModuleNameOffset;
|
|
CHAR ImageName[256];
|
|
} SYSTEM_MODULE, *PSYSTEM_MODULE;
|
|
|
|
typedef struct _SYSTEM_MODULE_INFORMATION
|
|
{
|
|
ULONG uCount;
|
|
SYSTEM_MODULE aSM[];
|
|
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_LOCK
|
|
{
|
|
union
|
|
{
|
|
PERESOURCE_OLD pEResourceOld; // old ERESOURCE format
|
|
PERESOURCE_LITE pEResourceLite; // new "lite" format
|
|
PERESOURCE pEResource; // current format
|
|
};
|
|
WORD wUnknown1; // 1
|
|
WORD wUnknown2; // 0
|
|
ULONG ExclusiveOwnerThreadId;
|
|
ULONG uActiveCount;
|
|
ULONG uContentionCount;
|
|
DWORD dwUnknown3;
|
|
DWORD dwUnknown4;
|
|
ULONG uNumberOfSharedWaiters;
|
|
ULONG uNumberOfExclusiveWaiters;
|
|
} SYSTEM_LOCK, *PSYSTEM_LOCK;
|
|
|
|
typedef struct _SYSTEM_LOCK_INFORMATION
|
|
{
|
|
ULONG uCount;
|
|
SYSTEM_LOCK aSL[];
|
|
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_HANDLE
|
|
{
|
|
ULONG uIdProcess;
|
|
UCHAR ObjectType; // OB_TYPE_* (OB_TYPE_TYPE, etc.)
|
|
UCHAR Flags; // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
|
|
USHORT Handle;
|
|
POBJECT pObject;
|
|
ACCESS_MASK GrantedAccess;
|
|
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
|
|
|
|
typedef struct _SYSTEM_HANDLE_INFORMATION
|
|
{
|
|
ULONG NumberOfHandles;
|
|
SYSTEM_HANDLE Information[];
|
|
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_OBJECTTYPE_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset; // absolute offset
|
|
ULONG ObjectCount;
|
|
ULONG HandleCount;
|
|
ULONG TypeIndex; // OB_TYPE_* (OB_TYPE_TYPE, etc.)
|
|
ULONG InvalidAttributes; // OBJ_* (OBJ_INHERIT, etc.)
|
|
GENERIC_MAPPING GenericMapping;
|
|
ACCESS_MASK ValidAccessMask;
|
|
POOL_TYPE PoolType;
|
|
BOOLEAN SecurityRequired;
|
|
BOOLEAN WaitableObject;
|
|
UNICODE_STRING TypeName;
|
|
} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION;
|
|
|
|
// follows after SYSTEM_OBJECTTYPE_INFORMATION.TypeName
|
|
typedef struct _SYSTEM_OBJECT_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset; // absolute offset
|
|
POBJECT Object;
|
|
ULONG CreatorProcessId;
|
|
USHORT CreatorBackTraceIndex;
|
|
USHORT Flags; // see "Native API Reference" page 24
|
|
LONG PointerCount;
|
|
LONG HandleCount;
|
|
ULONG PagedPoolCharge;
|
|
ULONG NonPagedPoolCharge;
|
|
ULONG ExclusiveProcessId;
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
|
UNICODE_STRING ObjectName;
|
|
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_PAGE_FILE_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset; // relative offset
|
|
ULONG CurrentSize; // pages
|
|
ULONG TotalUsed; // pages
|
|
ULONG PeakUsed; // pages
|
|
UNICODE_STRING FileName;
|
|
} SYSTEM_PAGE_FILE_INFORMATION, *PSYSTEM_PAGE_FILE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_VDM_INSTEMUL_INFO
|
|
{
|
|
BOOL fExVdmSegmentNotPresent;
|
|
ULONG uOpcode0FV86;
|
|
ULONG uOpcodeESPrefixV86;
|
|
ULONG uOpcodeCSPrefixV86;
|
|
ULONG uOpcodeSSPrefixV86;
|
|
ULONG uOpcodeDSPrefixV86;
|
|
ULONG uOpcodeFSPrefixV86;
|
|
ULONG uOpcodeGSPrefixV86;
|
|
ULONG uOpcodeOPER32PrefixV86;
|
|
ULONG uOpcodeADDR32PrefixV86;
|
|
ULONG uOpcodeINSBV86;
|
|
ULONG uOpcodeINSWV86;
|
|
ULONG uOpcodeOUTSBV86;
|
|
ULONG uOpcodeOUTSWV86;
|
|
ULONG uOpcodePUSHFV86;
|
|
ULONG uOpcodePOPFV86;
|
|
ULONG uOpcodeINTnnV86;
|
|
ULONG uOpcodeINTOV86;
|
|
ULONG uOpcodeIRETV86;
|
|
ULONG uOpcodeINBimmV86;
|
|
ULONG uOpcodeINWimmV86;
|
|
ULONG uOpcodeOUTBimmV86;
|
|
ULONG uOpcodeOUTWimmV86;
|
|
ULONG uOpcodeINBV86;
|
|
ULONG uOpcodeINWV86;
|
|
ULONG uOpcodeOUTBV86;
|
|
ULONG uOpcodeOUTWV86;
|
|
ULONG uOpcodeLOCKPrefixV86;
|
|
ULONG uOpcodeREPNEPrefixV86;
|
|
ULONG uOpcodeREPPrefixV86;
|
|
ULONG uOpcodeHLTV86;
|
|
ULONG uOpcodeCLIV86;
|
|
ULONG uOpcodeSTIV86;
|
|
ULONG uVdmBopCount;
|
|
} SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO;
|
|
|
|
typedef struct _SYSTEM_CACHE_INFORMATION
|
|
{
|
|
ULONG uFileCache; // bytes
|
|
ULONG uFileCachePeak; // bytes
|
|
ULONG PageFaultCount;
|
|
ULONG MinimumWorkingSet;
|
|
ULONG MaximumWorkingSet;
|
|
ULONG TransitionSharedPages;
|
|
ULONG TransitionSharedPagesPeak;
|
|
ULONG Reserved[2];
|
|
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_POOL_ENTRY
|
|
{
|
|
BOOLEAN Allocated;
|
|
BOOLEAN Spare0;
|
|
USHORT AllocatorBackTraceIndex;
|
|
ULONG Size;
|
|
union
|
|
{
|
|
UCHAR Tag[4];
|
|
ULONG TagUlong;
|
|
PVOID ProcessChargedQuota;
|
|
};
|
|
} SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY;
|
|
|
|
typedef struct _SYSTEM_POOL_INFORMATION
|
|
{
|
|
ULONG TotalSize;
|
|
PVOID FirstEntry;
|
|
USHORT EntryOverhead;
|
|
BOOLEAN PoolTagPresent;
|
|
BOOLEAN Spare0;
|
|
ULONG NumberOfEntries;
|
|
SYSTEM_POOL_ENTRY Entries[1];
|
|
} SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_POOL_TAG
|
|
{
|
|
union
|
|
{
|
|
UCHAR Tag[4];
|
|
ULONG TagUlong;
|
|
};
|
|
ULONG PagedPoolAllocs;
|
|
ULONG PagedPoolFrees;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolAllocs;
|
|
ULONG NonPagedPoolFrees;
|
|
ULONG NonPagedPoolUsage;
|
|
} SYSTEM_POOL_TAG, *PSYSTEM_POOL_TAG;
|
|
|
|
typedef struct _SYSTEM_POOL_TAG_INFORMATION
|
|
{
|
|
ULONG uCount;
|
|
SYSTEM_POOL_TAG aSPT[];
|
|
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_INTERRUPT_INFORMATION
|
|
{
|
|
ULONG ContextSwitches;
|
|
ULONG DpcCount;
|
|
ULONG DpcRate;
|
|
ULONG TimeIncrement;
|
|
ULONG DpcBypassCount;
|
|
ULONG ApcBypassCount;
|
|
} SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_DPC_INFORMATION
|
|
{
|
|
DWORD dwUnknown1;
|
|
ULONG MaximumDpcQueueDepth;
|
|
ULONG MinimumDpcRate;
|
|
ULONG AdjustDpcThreshold;
|
|
ULONG IdealDpcRate;
|
|
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_MEMORY_INFO
|
|
{
|
|
PUCHAR StringOffset;
|
|
USHORT ValidCount;
|
|
USHORT TransitionCount;
|
|
USHORT ModifiedCount;
|
|
USHORT PageTableCount;
|
|
} SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO;
|
|
|
|
typedef struct _SYSTEM_MEMORY_INFORMATION
|
|
{
|
|
ULONG InfoSize;
|
|
ULONG StringStart;
|
|
SYSTEM_MEMORY_INFO Memory[1];
|
|
} SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_LOAD_DRIVER
|
|
{
|
|
UNICODE_STRING DriverName; // input
|
|
PVOID BaseAddress; // output
|
|
PVOID SectionPointer; // output
|
|
PVOID EntryPoint; // output
|
|
PIMAGE_EXPORT_DIRECTORY ExportDirectory; // output
|
|
} SYSTEM_LOAD_DRIVER, *PSYSTEM_LOAD_DRIVER;
|
|
|
|
typedef struct _SYSTEM_UNLOAD_DRIVER
|
|
{
|
|
PVOID SectionPointer;
|
|
} SYSTEM_UNLOAD_DRIVER, *PSYSTEM_UNLOAD_DRIVER;
|
|
|
|
typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT
|
|
{
|
|
ULONG TimeAdjustment;
|
|
ULONG MaximumIncrement;
|
|
BOOLEAN TimeSynchronization;
|
|
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;
|
|
|
|
typedef struct _SYSTEM_SET_TIME_ADJUSTMENT
|
|
{
|
|
ULONG TimeAdjustment;
|
|
BOOLEAN TimeSynchronization;
|
|
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;
|
|
|
|
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION
|
|
{
|
|
HANDLE CrashDumpSectionHandle;
|
|
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION_2000
|
|
{
|
|
HANDLE CrashDumpSectionHandle;
|
|
HANDLE Unknown; // Windows 2000 only
|
|
} SYSTEM_CRASH_DUMP_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_INFORMATION_2000;
|
|
|
|
typedef struct _SYSTEM_EXCEPTION_INFORMATION
|
|
{
|
|
ULONG AlignmentFixupCount;
|
|
ULONG ExceptionDispatchCount;
|
|
ULONG FloatingEmulationCount;
|
|
ULONG ByteWordEmulationCount;
|
|
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION
|
|
{
|
|
ULONG ValidCrashDump;
|
|
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000
|
|
{
|
|
ULONG ValidCrashDump;
|
|
ULONG Unknown; // Windows 2000 only
|
|
} SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION_2000;
|
|
|
|
typedef struct _SYSTEM_DEBUGGER_INFORMATION
|
|
{
|
|
BOOLEAN KernelDebuggerEnabled;
|
|
BOOLEAN KernelDebuggerNotPresent;
|
|
} SYSTEM_DEBUGGER_INFORMATION, *PSYSTEM_DEBUGGER_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION
|
|
{
|
|
ULONG ContextSwitches;
|
|
ULONG FindAny;
|
|
ULONG FindLast;
|
|
ULONG FindIdeal;
|
|
ULONG IdleAny;
|
|
ULONG IdleCurrent;
|
|
ULONG IdleLast;
|
|
ULONG IdleIdeal;
|
|
ULONG PreemptAny;
|
|
ULONG PreemptCurrent;
|
|
ULONG PreemptLast;
|
|
ULONG SwitchToIdle;
|
|
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION
|
|
{
|
|
ULONG RegistryQuotaAllowed; // bytes
|
|
ULONG RegistryQuotaUsed; // bytes
|
|
ULONG PagedPoolSize; // bytes
|
|
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_ADD_DRIVER
|
|
{
|
|
UNICODE_STRING ModuleName;
|
|
} SYSTEM_ADD_DRIVER, *PSYSTEM_ADD_DRIVER;
|
|
|
|
typedef struct _SYSTEM_PRIORITY_SEPARATION_INFORMATION
|
|
{
|
|
ULONG PrioritySeparation; // 0..2
|
|
} SYSTEM_PRIORITY_SEPARATION_INFORMATION, *PSYSTEM_PRIORITY_SEPARATION_INFORMATION;
|
|
|
|
#define MAX_BUS_NAME 24
|
|
|
|
typedef enum _PLUGPLAY_BUS_CLASS
|
|
{
|
|
SystemBus,
|
|
PlugPlayVirtualBus,
|
|
MaxPlugPlayBusClass
|
|
} PLUGPLAY_BUS_CLASS, *PPLUGPLAY_BUS_CLASS;
|
|
|
|
typedef enum _PLUGPLAY_VIRTUAL_BUS_TYPE
|
|
{
|
|
Root,
|
|
MaxPlugPlayVirtualBusType
|
|
} PLUGPLAY_VIRTUAL_BUS_TYPE, *PPLUGPLAY_VIRTUAL_BUS_TYPE;
|
|
|
|
typedef enum _INTERFACE_TYPE
|
|
{
|
|
InterfaceTypeUndefined = -1,
|
|
Internal,
|
|
Isa,
|
|
Eisa,
|
|
MicroChannel,
|
|
TurboChannel,
|
|
PCIBus,
|
|
VMEBus,
|
|
NuBus,
|
|
PCMCIABus,
|
|
CBus,
|
|
MPIBus,
|
|
MPSABus,
|
|
ProcessorInternal,
|
|
InternalPowerBus,
|
|
PNPISABus,
|
|
PNPBus,
|
|
MaximumInterfaceType
|
|
}INTERFACE_TYPE, *PINTERFACE_TYPE;
|
|
|
|
typedef struct _PLUGPLAY_BUS_TYPE
|
|
{
|
|
PLUGPLAY_BUS_CLASS BusClass;
|
|
union
|
|
{
|
|
INTERFACE_TYPE SystemBusType;
|
|
PLUGPLAY_VIRTUAL_BUS_TYPE PlugPlayVirtualBusType;
|
|
};
|
|
} PLUGPLAY_BUS_TYPE, *PPLUGPLAY_BUS_TYPE;
|
|
|
|
typedef struct _PLUGPLAY_BUS_INSTANCE
|
|
{
|
|
PLUGPLAY_BUS_TYPE BusType;
|
|
ULONG BusNumber;
|
|
WCHAR BusName[MAX_BUS_NAME];
|
|
} PLUGPLAY_BUS_INSTANCE, *PPLUGPLAY_BUS_INSTANCE;
|
|
|
|
typedef struct _SYSTEM_PLUGPLAY_BUS_INFORMATION
|
|
{
|
|
ULONG BusCount;
|
|
PLUGPLAY_BUS_INSTANCE BusInstance[1];
|
|
} SYSTEM_PLUGPLAY_BUS_INFORMATION, *PSYSTEM_PLUGPLAY_BUS_INFORMATION;
|
|
|
|
typedef enum _SYSTEM_DOCK_STATE
|
|
{
|
|
SystemDockStateUnknown,
|
|
SystemUndocked,
|
|
SystemDocked
|
|
} SYSTEM_DOCK_STATE, *PSYSTEM_DOCK_STATE;
|
|
|
|
typedef struct _SYSTEM_DOCK_INFORMATION
|
|
{
|
|
SYSTEM_DOCK_STATE DockState;
|
|
INTERFACE_TYPE DeviceBusType;
|
|
ULONG DeviceBusNumber;
|
|
ULONG SlotNumber;
|
|
} SYSTEM_DOCK_INFORMATION, *PSYSTEM_DOCK_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_POWER_INFORMATION // not for SystemPowerInfo !
|
|
{
|
|
BOOLEAN SystemSuspendSupported;
|
|
BOOLEAN SystemHibernateSupported;
|
|
BOOLEAN ResumeTimerSupportsSuspend;
|
|
BOOLEAN ResumeTimerSupportsHibernate;
|
|
BOOLEAN LidSupported;
|
|
BOOLEAN TurboSettingSupported;
|
|
BOOLEAN TurboMode;
|
|
BOOLEAN SystemAcOrDc;
|
|
BOOLEAN PowerDownDisabled;
|
|
LARGE_INTEGER SpindownDrives;
|
|
} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_PROCESSOR_SPEED_INFORMATION // not for SystemProcessorSpeedInformation !
|
|
{
|
|
ULONG MaximumProcessorSpeed;
|
|
ULONG CurrentAvailableSpeed;
|
|
ULONG ConfiguredSpeedLimit;
|
|
BOOLEAN PowerLimit;
|
|
BOOLEAN ThermalLimit;
|
|
BOOLEAN TurboLimit;
|
|
} SYSTEM_PROCESSOR_SPEED_INFORMATION, *PSYSTEM_PROCESSOR_SPEED_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_TIME_ZONE_INFORMATION
|
|
{
|
|
LONG Bias;
|
|
WCHAR StandardName[32];
|
|
TIME_FIELDS StandardDate;
|
|
LONG StandardBias;
|
|
WCHAR DaylightName[32];
|
|
TIME_FIELDS DaylightDate;
|
|
LONG DaylightBias;
|
|
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_LOOKASIDE
|
|
{
|
|
USHORT Depth;
|
|
USHORT MaximumDepth;
|
|
ULONG TotalAllocates;
|
|
ULONG AllocateMisses;
|
|
ULONG TotalFrees;
|
|
ULONG FreeMisses;
|
|
POOL_TYPE Type;
|
|
ULONG Tag;
|
|
ULONG Size;
|
|
} SYSTEM_LOOKASIDE, *PSYSTEM_LOOKASIDE;
|
|
|
|
typedef struct _SYSTEM_LOOKASIDE_INFORMATION
|
|
{
|
|
SYSTEM_LOOKASIDE asl[];
|
|
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;
|
|
|
|
typedef struct _SYSTEM_SET_TIME_SLIP_EVENT
|
|
{
|
|
HANDLE TimeSlipEvent;
|
|
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;
|
|
|
|
typedef struct _SYSTEM_CREATE_SESSION
|
|
{
|
|
ULONG Session;
|
|
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;
|
|
|
|
typedef struct _SYSTEM_DELETE_SESSION
|
|
{
|
|
ULONG Session;
|
|
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;
|
|
|
|
typedef struct _SYSTEM_RANGE_START_INFORMATION
|
|
{
|
|
PVOID SystemRangeStart;
|
|
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;
|
|
|
|
|
|
// - NTAPI -
|
|
// See also: WSK 1.2
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQuerySystemInformation(
|
|
__in SYSTEMINFOCLASS SystemInformationClass,
|
|
__out PVOID pSystemInformation,
|
|
__in ULONG uSystemInformationLength,
|
|
__out_opt PULONG puReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetSystemInformation(
|
|
__in SYSTEMINFOCLASS SystemInformationClass,
|
|
__in PVOID pSystemInformation,
|
|
__in ULONG uSystemInformationLength
|
|
);
|
|
|
|
// Time functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQuerySystemTime(
|
|
__out PLARGE_INTEGER SystemTime
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetSystemTime(
|
|
__in PLARGE_INTEGER NewTime,
|
|
__out_opt PLARGE_INTEGER OldTime
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlTimeToTimeFields(
|
|
__in PLARGE_INTEGER pliTime,
|
|
__out PTIME_FIELDS pTimeFields
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTimeFieldsToTime(
|
|
__in PTIME_FIELDS pTimeFields,
|
|
__out PLARGE_INTEGER pliTime
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSecondsSince1970ToTime(
|
|
__in ULONG SecondsSince1970,
|
|
__out PLARGE_INTEGER Time
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlTimeToSecondsSince1970(
|
|
__in PLARGE_INTEGER Time,
|
|
__out PULONG SecondsSince1970
|
|
);
|
|
|
|
//Mutex functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateMutant(
|
|
__out PHANDLE MutantHandle,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes,
|
|
BOOL InitialOwner
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenMutant(
|
|
__out PHANDLE MutantHandle,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtReleaseMutant(
|
|
__in HANDLE hMutex,
|
|
PULONG Optional
|
|
);
|
|
|
|
// Event functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateEvent(
|
|
__out PHANDLE EventHandle,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes,
|
|
DWORD AutoReset,
|
|
DWORD InitialState
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenEvent(
|
|
PHANDLE phEvent,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtClearEvent(
|
|
__in HANDLE hEvent
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetEvent(
|
|
__in HANDLE hEvent,
|
|
__out_opt PLONG plSignaled
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateSemaphore(
|
|
__out PHANDLE SemaphoreHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes,
|
|
__in LONG InitialCount,
|
|
__in LONG MaximumCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenSemaphore(
|
|
__out PHANDLE SemaphoreHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtReleaseSemaphore(
|
|
__in HANDLE SemaphoreHandle,
|
|
__in LONG ReleaseCount,
|
|
__out_opt PLONG PreviousCount
|
|
);
|
|
|
|
typedef enum _SEMAPHORE_INFORMATION_CLASS
|
|
{
|
|
SemaphoreBasicInformation
|
|
} SEMAPHORE_INFORMATION_CLASS;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQuerySemaphore(
|
|
__in HANDLE SemaphoreHandle,
|
|
__in SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
|
|
__out PVOID SemaphoreInformation,
|
|
__in ULONG SemaphoreInformationLength,
|
|
__out_opt PULONG ResultLength
|
|
);
|
|
|
|
typedef struct _SEMAPHORE_BASIC_INFORMATION
|
|
{
|
|
LONG CurrentCount;
|
|
LONG MaximumCount;
|
|
} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
|
|
|
|
// Directory and Symbolic Link functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateDirectoryObject(
|
|
__out PHANDLE phDirectory,
|
|
__in ACCESS_MASK AccessMask,
|
|
__in POBJECT_ATTRIBUTES pObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenDirectoryObject(
|
|
__out PHANDLE DirectoryHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
typedef struct _DIRECTORY_CONTENTS
|
|
{
|
|
struct
|
|
{
|
|
UNICODE_STRING Name;
|
|
UNICODE_STRING Type;
|
|
} Entry[ANYSIZE_ARRAY];
|
|
} DIRECTORY_CONTENTS, *PDIRECTORY_CONTENTS;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryDirectoryObject(
|
|
__in HANDLE DirectoryHandle,
|
|
__out PDIRECTORY_CONTENTS Buffer,
|
|
__in ULONG Length,
|
|
__in BOOLEAN ReturnSingleEntry,
|
|
__in BOOLEAN RestartScan,
|
|
__inout PULONG Index,
|
|
__out_opt PULONG ResultLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenSymbolicLinkObject(
|
|
__out PHANDLE SymbolicLinkHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQuerySymbolicLinkObject(
|
|
__in HANDLE SymbolicLinkHandle,
|
|
__out PUNICODE_STRING NameString,
|
|
__out_opt PULONG ResultLength
|
|
);
|
|
|
|
// File functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateFile(
|
|
PHANDLE phFile,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes,
|
|
PIO_STATUS_BLOCK pIoStatusBlock,
|
|
PLARGE_INTEGER pliAllocationSize,
|
|
ULONG uFileAttributes,
|
|
ULONG uShareAccess,
|
|
ULONG uCreateDisposition,
|
|
ULONG uCreateOptions,
|
|
PVOID pEaBuffer,
|
|
ULONG uEaLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateNamedPipeFile(
|
|
PHANDLE phFile,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes,
|
|
PIO_STATUS_BLOCK pIoStatusBlock,
|
|
ULONG uShareAccess,
|
|
ULONG uCreateDisposition,
|
|
ULONG uCreateOptions,
|
|
BOOLEAN TypeMessage,
|
|
BOOLEAN ReadModeMessage,
|
|
BOOLEAN NonBlocking,
|
|
ULONG MaxInstance,
|
|
ULONG InBufferSize,
|
|
ULONG OutBufferSize,
|
|
PLARGE_INTEGER DefaultTimeout
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenFile(
|
|
PHANDLE phFile,
|
|
ACCESS_MASK AccessMask,
|
|
POBJECT_ATTRIBUTES pObjectAttributes,
|
|
PIO_STATUS_BLOCK pIoStatusBlock,
|
|
ULONG uShareAccess,
|
|
ULONG uOpenOptions
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtDeleteFile(
|
|
__in POBJECT_ATTRIBUTES pObjectAttributes
|
|
);
|
|
|
|
typedef enum _FILE_INFORMATION_CLASS
|
|
{
|
|
FileDirectoryInformation = 1,
|
|
FileFullDirectoryInformation, // 2
|
|
FileBothDirectoryInformation, // 3
|
|
FileBasicInformation, // 4
|
|
FileStandardInformation, // 5
|
|
FileInternalInformation, // 6
|
|
FileEaInformation, // 7
|
|
FileAccessInformation, // 8
|
|
FileNameInformation, // 9
|
|
FileRenameInformation, // 10
|
|
FileLinkInformation, // 11
|
|
FileNamesInformation, // 12
|
|
FileDispositionInformation, // 13
|
|
FilePositionInformation, // 14
|
|
FileFullEaInformation, // 15
|
|
FileModeInformation, // 16
|
|
FileAlignmentInformation, // 17
|
|
FileAllInformation, // 18
|
|
FileAllocationInformation, // 19
|
|
FileEndOfFileInformation, // 20
|
|
FileAlternateNameInformation, // 21
|
|
FileStreamInformation, // 22
|
|
FilePipeInformation, // 23
|
|
FilePipeLocalInformation, // 24
|
|
FilePipeRemoteInformation, // 25
|
|
FileMailslotQueryInformation, // 26
|
|
FileMailslotSetInformation, // 27
|
|
FileCompressionInformation, // 28
|
|
FileObjectIdInformation, // 29
|
|
FileCompletionInformation, // 30
|
|
FileMoveClusterInformation, // 31
|
|
FileInformationReserved32, // 32
|
|
FileInformationReserved33, // 33
|
|
FileNetworkOpenInformation, // 34
|
|
FileAttributeTagInformation, // 35
|
|
FileTrackingInformation, // 36
|
|
FileIdBothDirectoryInformation, // 37
|
|
FileIdFullDirectoryInformation, // 38
|
|
FileValidDataLengthInformation, // 39
|
|
FileShortNameInformation, // 40
|
|
FileMaximumInformation
|
|
|
|
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
|
|
|
|
typedef struct _FILE_DIRECTORY_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
WCHAR FileName[1];
|
|
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
|
|
|
|
typedef struct _FILE_FULL_DIR_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
WCHAR FileName[1];
|
|
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_BOTH_DIR_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
UCHAR ShortNameLength;
|
|
WCHAR ShortName[12];
|
|
WCHAR FileName[1];
|
|
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
CCHAR ShortNameLength;
|
|
WCHAR ShortName[12];
|
|
LARGE_INTEGER FileId;
|
|
WCHAR FileName[1];
|
|
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_ID_FULL_DIR_INFORMATION {
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
LARGE_INTEGER FileId;
|
|
WCHAR FileName[1];
|
|
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_BASIC_INFORMATION
|
|
{
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
ULONG FileAttributes;
|
|
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
|
|
|
|
typedef struct _FILE_STANDARD_INFORMATION
|
|
{
|
|
LARGE_INTEGER AllocationSize;
|
|
LARGE_INTEGER EndOfFile;
|
|
ULONG NumberOfLinks;
|
|
BOOLEAN DeletePending;
|
|
BOOLEAN Directory;
|
|
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
|
|
|
|
typedef struct _FILE_INTERNAL_INFORMATION
|
|
{
|
|
LARGE_INTEGER IndexNumber;
|
|
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
|
|
|
|
typedef struct _FILE_EA_INFORMATION
|
|
{
|
|
ULONG EaSize;
|
|
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
|
|
|
|
typedef struct _FILE_ACCESS_INFORMATION
|
|
{
|
|
ACCESS_MASK AccessFlags;
|
|
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
|
|
|
|
typedef struct _FILE_NAME_INFORMATION
|
|
{
|
|
ULONG FileNameLength;
|
|
WCHAR FileName[1];
|
|
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
|
|
|
|
typedef struct _FILE_RENAME_INFORMATION
|
|
{
|
|
BOOLEAN ReplaceIfExists;
|
|
HANDLE RootDirectory;
|
|
ULONG FileNameLength;
|
|
WCHAR FileName[1];
|
|
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
|
|
|
|
typedef struct _FILE_LINK_INFORMATION
|
|
{
|
|
BOOLEAN ReplaceIfExists;
|
|
HANDLE RootDirectory;
|
|
ULONG FileNameLength;
|
|
WCHAR FileName[1];
|
|
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
|
|
|
|
typedef struct _FILE_NAMES_INFORMATION
|
|
{
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
ULONG FileNameLength;
|
|
WCHAR FileName[1];
|
|
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
|
|
|
|
typedef struct _FILE_ALLOCATION_INFORMATION
|
|
{
|
|
LARGE_INTEGER AllocationSize;
|
|
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
|
|
|
|
typedef struct _FILE_COMPRESSION_INFORMATION
|
|
{
|
|
LARGE_INTEGER CompressedFileSize;
|
|
USHORT CompressionFormat;
|
|
UCHAR CompressionUnitShift;
|
|
UCHAR ChunkShift;
|
|
UCHAR ClusterShift;
|
|
UCHAR Reserved[3];
|
|
} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
|
|
|
|
typedef struct _FILE_COMPLETION_INFORMATION
|
|
{
|
|
HANDLE Port;
|
|
ULONG Key;
|
|
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryInformationFile(
|
|
__in HANDLE FileHandle,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__out PVOID FileInformation,
|
|
__in ULONG Length,
|
|
__in FILE_INFORMATION_CLASS FileInformationClass
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtDeviceIoControlFile(
|
|
__in HANDLE FileHandle,
|
|
__in_opt HANDLE Event,
|
|
__in_opt PIO_APC_ROUTINE ApcRoutine,
|
|
__in_opt PVOID ApcContext,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__in ULONG IoControlCode,
|
|
__in_opt PVOID InputBuffer,
|
|
__in ULONG InputBufferLength,
|
|
__out_opt PVOID OutputBuffer,
|
|
__in ULONG OutputBufferLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtFsControlFile(
|
|
__in HANDLE FileHandle,
|
|
__in_opt HANDLE Event,
|
|
__in_opt PIO_APC_ROUTINE ApcRoutine,
|
|
__in_opt PVOID ApcContext,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__in ULONG FsControlCode,
|
|
__in_opt PVOID InputBuffer,
|
|
__in ULONG InputBufferLength,
|
|
__out_opt PVOID OutputBuffer,
|
|
__in ULONG OutputBufferLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryVolumeInformationFile(
|
|
__in HANDLE FileHandle,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__out PVOID FsInformation,
|
|
__in ULONG Length,
|
|
__in FS_INFORMATION_CLASS FsInformationClass
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtFlushBuffersFile(
|
|
__in HANDLE FileHandle,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock
|
|
);
|
|
|
|
// Process functions
|
|
//#define NtCurrentProcess() ((HANDLE) -1)
|
|
inline HANDLE NtCurrentProcess() { return (HANDLE)-1; }
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenProcess(
|
|
__out PHANDLE phProcess,
|
|
__in ACCESS_MASK AccessMask,
|
|
__in POBJECT_ATTRIBUTES pObjectAttributes,
|
|
__in PCLIENT_ID pClientId
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateProcess(
|
|
__out PHANDLE ProcessHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes,
|
|
__in HANDLE InheritFromProcessHandle,
|
|
__in BOOLEAN InheritHandles,
|
|
__in_opt HANDLE SectionHandle,
|
|
__in_opt HANDLE DebugPort,
|
|
__in_opt HANDLE ExceptionPort
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtTerminateProcess(
|
|
__in HANDLE ProcessHandle,
|
|
__in DWORD ExitCode
|
|
);
|
|
|
|
typedef enum _PROCESSINFOCLASS
|
|
{
|
|
ProcessBasicInformation,
|
|
ProcessQuotaLimits, // QUOTA_LIMITS
|
|
ProcessIoCounters, // IOCOUNTERS
|
|
ProcessVmCounters, // VM_COUNTERS
|
|
ProcessTimes, // KERNEL_USER_TIMES
|
|
ProcessBasePriority, // BASE_PRIORITY_INFORMATION
|
|
ProcessRaisePriority,
|
|
ProcessDebugPort,
|
|
ProcessExceptionPort,
|
|
ProcessAccessToken,
|
|
ProcessLdtInformation,
|
|
ProcessLdtSize,
|
|
ProcessDefaultHardErrorMode,
|
|
ProcessIoPortHandlers, // Note: this is kernel mode only
|
|
ProcessPooledUsageAndLimits,
|
|
ProcessWorkingSetWatch,
|
|
ProcessUserModeIOPL,
|
|
ProcessEnableAlignmentFaultFixup,
|
|
ProcessPriorityClass,
|
|
ProcessWx86Information,
|
|
ProcessHandleCount,
|
|
ProcessAffinityMask, // AFFINITY_MASK
|
|
ProcessPriorityBoost,
|
|
ProcessDeviceMap,
|
|
ProcessSessionInformation,
|
|
ProcessForegroundInformation,
|
|
ProcessWow64Information,
|
|
MaxProcessInfoClass
|
|
} PROCESSINFOCLASS;
|
|
|
|
typedef struct _PROCESS_BASIC_INFORMATION
|
|
{
|
|
NTSTATUS ExitStatus;
|
|
PPEB PebBaseAddress;
|
|
KAFFINITY AffinityMask;
|
|
KPRIORITY BasePriority;
|
|
ULONG uUniqueProcessId;
|
|
ULONG uInheritedFromUniqueProcessId;
|
|
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
|
|
|
|
typedef struct _PROCESS_RAISE_PRIORITY
|
|
{
|
|
KPRIORITY RaisePriority;
|
|
} PROCESS_RAISE_PRIORITY, *PPROCESS_RAISE_PRIORITY;
|
|
|
|
typedef struct _PROCESS_DEBUG_PORT_INFORMATION
|
|
{
|
|
HANDLE DebugPort;
|
|
} PROCESS_DEBUG_PORT_INFORMATION, *PPROCESS_DEBUG_PORT_INFORMATION;
|
|
|
|
typedef struct _PROCESS_EXCEPTION_PORT
|
|
{
|
|
HANDLE ExceptionPort;
|
|
} PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT;
|
|
|
|
typedef struct _PROCESS_ACCESS_TOKEN
|
|
{
|
|
HANDLE Token;
|
|
HANDLE Thread;
|
|
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
|
|
|
|
#ifndef _LDT_ENTRY_DEFINED
|
|
#define _LDT_ENTRY_DEFINED
|
|
|
|
typedef struct _LDT_ENTRY
|
|
{
|
|
USHORT LimitLow;
|
|
USHORT BaseLow;
|
|
union
|
|
{
|
|
struct
|
|
{
|
|
UCHAR BaseMid;
|
|
UCHAR Flags1; // Declare as bytes to avoid alignment
|
|
UCHAR Flags2; // Problems.
|
|
UCHAR BaseHi;
|
|
} Bytes;
|
|
|
|
struct
|
|
{
|
|
ULONG BaseMid : 8;
|
|
ULONG Type : 5;
|
|
ULONG Dpl : 2;
|
|
ULONG Pres : 1;
|
|
ULONG LimitHi : 4;
|
|
ULONG Sys : 1;
|
|
ULONG Reserved_0 : 1;
|
|
ULONG Default_Big : 1;
|
|
ULONG Granularity : 1;
|
|
ULONG BaseHi : 8;
|
|
} Bits;
|
|
} HighWord;
|
|
} LDT_ENTRY, *PLDT_ENTRY;
|
|
|
|
#endif // _LDT_ENTRY_DEFINED
|
|
|
|
#define LDT_TABLE_SIZE (8 * 1024 * sizeof(LDT_ENTRY))
|
|
|
|
typedef struct _LDT_INFORMATION
|
|
{
|
|
ULONG Start;
|
|
ULONG Length;
|
|
LDT_ENTRY LdtEntries[1];
|
|
} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;
|
|
|
|
typedef struct _LDT_SIZE
|
|
{
|
|
ULONG Length;
|
|
} PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE;
|
|
|
|
typedef struct _PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION
|
|
{
|
|
ULONG HardErrorMode; // SEM_* (SEM_FAILCRITICALERRORS, etc.)
|
|
} PROCESS_DEFAULT_HARDERROR_MODE_INFORMATION, *PPROCESS_DEFAULT_HARDERROR_MODE_INFORMATION;
|
|
|
|
typedef struct _PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION
|
|
{
|
|
ULONG PeakPagedPoolUsage;
|
|
ULONG PagedPoolUsage;
|
|
ULONG PagedPoolLimit;
|
|
ULONG PeakNonPagedPoolUsage;
|
|
ULONG NonPagedPoolUsage;
|
|
ULONG NonPagedPoolLimit;
|
|
ULONG PeakPagefileUsage;
|
|
ULONG PagefileUsage;
|
|
ULONG PagefileLimit;
|
|
} PROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION, *PPROCESS_POOLED_USAGE_AND_LIMITS_INFORMATION;
|
|
|
|
typedef struct _PROCESS_WS_WATCH_INFORMATION
|
|
{
|
|
PVOID FaultingPc;
|
|
PVOID FaultingVa;
|
|
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;
|
|
|
|
typedef struct _PROCESS_IOPL
|
|
{
|
|
ULONG Iopl;
|
|
} PROCESS_IOPL, *PPROCESS_IOPL;
|
|
|
|
typedef struct _PROCESS_ALLIGNMENT_FAULT_FIXUP
|
|
{
|
|
BOOLEAN EnableAllignmentFaultFixup;
|
|
} PROCESS_ALLIGNMENT_FAULT_FIXUP, *PPROCESS_ALLIGNMENT_FAULT_FIXUP;
|
|
|
|
#define KRNL_NORMAL_PRIORITY_CLASS 0x02
|
|
#define KRNL_IDLE_PRIORITY_CLASS 0x01
|
|
#define KRNL_HIGH_PRIORITY_CLASS 0x03
|
|
#define KRNL_REALTIME_PRIORITY_CLASS 0x04
|
|
|
|
typedef struct _PROCESS_PRIORITY_CLASS_INFORMATION
|
|
{
|
|
UCHAR Unknown;
|
|
UCHAR PriorityClass;
|
|
} PROCESS_PRIORITY_CLASS_INFORMATION, *PPROCESS_PRIORITY_CLASS_INFORMATION;
|
|
|
|
typedef struct _PROCESS_X86_INFORMATION
|
|
{
|
|
ULONG x86Info;
|
|
} PROCESS_X86_INFORMATION, *PPROCESS_X86_INFORMATION;
|
|
|
|
typedef struct _PROCESS_HANDLE_COUNT_INFORMATION
|
|
{
|
|
ULONG HandleCount;
|
|
} PROCESS_HANDLE_COUNT_INFORMATION, *PPROCESS_HANDLE_COUNT_INFORMATION;
|
|
|
|
typedef struct _PROCESS_PRIORITY_BOOST_INFORMATION
|
|
{
|
|
ULONG PriorityBoostEnabled;
|
|
} PROCESS_PRIORITY_BOOST_INFORMATION, *PPROCESS_PRIORITY_BOOST_INFORMATION;
|
|
|
|
typedef struct _PROCESS_DEVICE_MAP_INFORMATION
|
|
{
|
|
union
|
|
{
|
|
struct
|
|
{
|
|
HANDLE DirectoryHandle;
|
|
} Set;
|
|
|
|
struct
|
|
{
|
|
ULONG DriveMap;
|
|
UCHAR DriveType[32];
|
|
} Query;
|
|
};
|
|
|
|
} PROCESS_DEVICE_MAP_INFORMATION, *PPROCESS_DEVICE_MAP_INFORMATION;
|
|
|
|
typedef struct _PROCESS_SESSION_INFORMATION
|
|
{
|
|
ULONG SessionId;
|
|
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryInformationProcess(
|
|
__in HANDLE hProcess,
|
|
__in PROCESSINFOCLASS ProcessInformationClass,
|
|
__out PVOID pProcessInformation,
|
|
__in ULONG uProcessInformationLength,
|
|
__out_opt PULONG puReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetInformationProcess(
|
|
__in HANDLE hProcess,
|
|
__in PROCESSINFOCLASS ProcessInformationClass,
|
|
__out PVOID pProcessInformation,
|
|
__in ULONG uProcessInformationLength
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateProcessParameters(
|
|
__out PPROCESS_PARAMETERS *ProcessParameters,
|
|
__in PUNICODE_STRING ImageFile,
|
|
__in_opt PUNICODE_STRING DllPath,
|
|
__in_opt PUNICODE_STRING CurrentDirectory,
|
|
__in_opt PUNICODE_STRING CommandLine,
|
|
__in ULONG CreationFlags,
|
|
__in_opt PUNICODE_STRING WindowTitle,
|
|
__in_opt PUNICODE_STRING Desktop,
|
|
__in_opt PUNICODE_STRING Reserved,
|
|
__in_opt PUNICODE_STRING Reserved2
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyProcessParameters(
|
|
__in PPROCESS_PARAMETERS ProcessParameters
|
|
);
|
|
|
|
// jichi 9/28/2013
|
|
// See: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Executable%20Images/RtlCreateUserThread.html
|
|
// See: http://waleedassar.blogspot.com/2012/06/createremotethread-vs.html
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateUserThread(
|
|
__in HANDLE ProcessHandle,
|
|
__in_opt PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
__in BOOLEAN CreateSuspended,
|
|
__in ULONG StackZeroBits,
|
|
__inout PULONG StackReserved,
|
|
__inout PULONG StackCommit,
|
|
__in PVOID StartAddress,
|
|
__in_opt PVOID StartParameter,
|
|
__out PHANDLE ThreadHandle,
|
|
__out PCLIENT_ID ClientID
|
|
);
|
|
|
|
// Thread functions
|
|
#define NtCurrentThread() ((HANDLE) -2)
|
|
|
|
typedef struct _USER_STACK
|
|
{
|
|
PVOID FixedStackBase;
|
|
PVOID FixedStackLimit;
|
|
PVOID ExpandableStackBase;
|
|
PVOID ExpandableStackLimit;
|
|
PVOID ExpandableStackBottom;
|
|
} USER_STACK, *PUSER_STACK;
|
|
|
|
/*
|
|
typedef struct _INITIAL_TEB {
|
|
struct {
|
|
PVOID OldStackBase;
|
|
PVOID OldStackLimit;
|
|
} OldInitialTeb;
|
|
PVOID StackBase;
|
|
PVOID StackLimit;
|
|
PVOID StackAllocationBase;
|
|
} INITIAL_TEB, *PINITIAL_TEB;
|
|
*/
|
|
typedef _USER_STACK _INITIAL_TEB;
|
|
typedef USER_STACK INITIAL_TEB;
|
|
typedef PUSER_STACK PINITIAL_TEB;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateThread(
|
|
__out PHANDLE ThreadHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes,
|
|
__in HANDLE ProcessHandle,
|
|
__out PCLIENT_ID ClientId,
|
|
__in PCONTEXT ThreadContext,
|
|
__in PUSER_STACK UserStack,
|
|
__in BOOLEAN CreateSuspended
|
|
);
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(WINAPI *FpNtCreateThread)(
|
|
__out PHANDLE ThreadHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes,
|
|
__in HANDLE ProcessHandle,
|
|
__out PCLIENT_ID ClientId,
|
|
__in PCONTEXT ThreadContext,
|
|
__in PUSER_STACK UserStack,
|
|
__in BOOLEAN CreateSuspended
|
|
);
|
|
|
|
typedef struct _NtCreateThreadExBuffer{
|
|
ULONG Size; // sizeof(NtCreateThreadEx)
|
|
ULONG Unknown1;
|
|
ULONG Unknown2;
|
|
PULONG Unknown3; // &dw1: SizeOfStackCommit
|
|
ULONG Unknown4;
|
|
ULONG Unknown5;
|
|
ULONG Unknown6;
|
|
PULONG Unknown7; // &dw2: SizeOfStackReserve
|
|
ULONG Unknown8;
|
|
} NtCreateThreadExBuffer, *PNtCreateThreadExBuffer;
|
|
|
|
// jichi 9/28/2013: An alternative way to create thread on Windows Vista and later
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateThreadEx (
|
|
__out PHANDLE hThread,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in LPVOID ObjectAttributes,
|
|
__in HANDLE ProcessHandle,
|
|
__in LPTHREAD_START_ROUTINE lpStartAddress,
|
|
__in LPVOID lpParameter,
|
|
__in BOOL CreateSuspended,
|
|
__in ULONG StackZeroBits,
|
|
__in ULONG SizeOfStackCommit,
|
|
__in ULONG SizeOfStackReserve,
|
|
__out LPVOID lpBytesBuffer
|
|
);
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(WINAPI *FpNtCreateThreadEx) (
|
|
__out PHANDLE hThread,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in LPVOID ObjectAttributes,
|
|
__in HANDLE ProcessHandle,
|
|
__in LPTHREAD_START_ROUTINE lpStartAddress,
|
|
__in LPVOID lpParameter,
|
|
__in BOOL CreateSuspended,
|
|
__in ULONG StackZeroBits,
|
|
__in ULONG SizeOfStackCommit,
|
|
__in ULONG SizeOfStackReserve,
|
|
__out LPVOID lpBytesBuffer
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenThread(
|
|
__out PHANDLE phThread,
|
|
__in ACCESS_MASK AccessMask,
|
|
__in POBJECT_ATTRIBUTES pObjectAttributes,
|
|
__in PCLIENT_ID pClientId
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtTerminateThread(
|
|
__in_opt HANDLE ThreadHandle,
|
|
__in NTSTATUS ExitStatus
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSuspendThread(
|
|
__in HANDLE ThreadHandle,
|
|
__out_opt PULONG PreviousSuspendCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtResumeThread(
|
|
__in HANDLE ThreadHandle,
|
|
__out_opt PULONG PreviousSuspendCount
|
|
);
|
|
typedef
|
|
NTSTATUS
|
|
(WINAPI
|
|
* LpNtResumeThread)(
|
|
__in HANDLE ThreadHandle,
|
|
__out_opt PULONG PreviousSuspendCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlExitUserThread(
|
|
__in DWORD ExitCode
|
|
);
|
|
|
|
typedef enum _THREADINFOCLASS
|
|
{
|
|
ThreadBasicInformation,
|
|
ThreadTimes, // KERNEL_USER_TIMES
|
|
ThreadPriority,
|
|
ThreadBasePriority, // BASE_PRIORITY_INFORMATION
|
|
ThreadAffinityMask, // AFFINITY_MASK
|
|
ThreadImpersonationToken,
|
|
ThreadDescriptorTableEntry,
|
|
ThreadEnableAlignmentFaultFixup,
|
|
ThreadEventPair,
|
|
ThreadQuerySetWin32StartAddress,
|
|
ThreadZeroTlsCell,
|
|
ThreadPerformanceCount,
|
|
ThreadAmILastThread,
|
|
ThreadIdealProcessor,
|
|
ThreadPriorityBoost,
|
|
ThreadSetTlsArrayAddress,
|
|
ThreadIsIoPending, // W2K
|
|
ThreadHideFromDebugger, // W2K
|
|
MaxThreadInfoClass
|
|
} THREADINFOCLASS;
|
|
|
|
typedef struct _THREAD_BASIC_INFORMATION
|
|
{
|
|
NTSTATUS ExitStatus;
|
|
PTEB TebBaseAddress;
|
|
CLIENT_ID ClientId;
|
|
KAFFINITY AffinityMask;
|
|
KPRIORITY Priority;
|
|
KPRIORITY BasePriority;
|
|
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
|
|
|
|
typedef struct _THREAD_PRIORITY
|
|
{
|
|
KPRIORITY Priority;
|
|
} THREAD_PRIORITY, *PTHREAD_PRIORITY;
|
|
|
|
typedef struct _THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION
|
|
{
|
|
ULONG Selector;
|
|
LDT_ENTRY Descriptor;
|
|
} THREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION, *PTHREAD_DESCRIPTOR_TABLE_ENTRY_INFORMATION;
|
|
|
|
typedef struct _THREAD_EVENTPAIR
|
|
{
|
|
HANDLE EventPair;
|
|
} THREAD_EVENTPAIR, *PTHREAD_EVENTPAIR;
|
|
|
|
typedef struct _THREAD_WIN32_START_ADDRESS_INFORMATION
|
|
{
|
|
PVOID Win32StartAddress;
|
|
} THREAD_WIN32_START_ADDRESS_INFORMATION, *PTHREAD_WIN32_START_ADDRESS_INFORMATION;
|
|
|
|
typedef struct _THREAD_ZERO_TLSCELL
|
|
{
|
|
ULONG TlsIndex;
|
|
} THREAD_ZERO_TLSCELL, *PTHREAD_ZERO_TLSCELL;
|
|
|
|
typedef struct _THREAD_PERFORMANCE_COUNTER_INFORMATION
|
|
{
|
|
ULONG Count1;
|
|
ULONG Count2;
|
|
} THREAD_PERFORMANCE_COUNTER_INFORMATION, *PTHREAD_PERFORMANCE_COUNTER_INFORMATION;
|
|
|
|
typedef struct _THREAD_AMI_LAST_THREAD
|
|
{
|
|
ULONG AmILastThread;
|
|
} THREAD_AMI_LAST_THREAD, *PTHREAD_AMI_LAST_THREAD;
|
|
|
|
typedef struct _THREAD_IDEAL_PROCESSOR
|
|
{
|
|
ULONG IdealProcessor;
|
|
} THREAD_IDEAL_PROCESSOR, *PTHREAD_IDEAL_PROCESSOR;
|
|
|
|
typedef struct _THREAD_TLS_ARRAY
|
|
{
|
|
PULONG TlsArray;
|
|
} THREAD_TLS_ARRAY, *PTHREAD_TLS_ARRAY;
|
|
|
|
typedef struct _THREAD_IS_IO_PENDING_INFORMATION
|
|
{
|
|
ULONG IsIOPending;
|
|
} THREAD_IS_IO_PENDING_INFORMATION, *PTHREAD_IS_IO_PENDING_INFORMATION;
|
|
|
|
typedef struct _THREAD_HIDE_FROM_DEBUGGER
|
|
{
|
|
ULONG HideFromDebugger;
|
|
} THREAD_HIDE_FROM_DEBUGGER, *PTHREAD_HIDE_FROM_DEBUGGER;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryInformationThread(
|
|
__in HANDLE hThread,
|
|
__in THREADINFOCLASS ThreadInformationClass,
|
|
__out PVOID pThreadInformation,
|
|
__in ULONG uThreadInformationLength,
|
|
__out_opt PULONG puReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetInformationThread(
|
|
__in HANDLE hThread,
|
|
__in THREADINFOCLASS ThreadInformationClass,
|
|
__out PVOID pThreadInformation,
|
|
__in ULONG uthreadInformationLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenThreadToken(
|
|
__in HANDLE hThread,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in BOOLEAN bOpenAsSelf,
|
|
__out PHANDLE phToken
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtImpersonateThread(
|
|
__in HANDLE ThreadHandle,
|
|
__in HANDLE TargetThreadHandle,
|
|
__in PSECURITY_QUALITY_OF_SERVICE SecurityQos
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtGetContextThread(
|
|
__in HANDLE ThreadHandle,
|
|
__out PCONTEXT Context
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetContextThread(
|
|
__in HANDLE ThreadHandle,
|
|
__in PCONTEXT Context
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueueApcThread(
|
|
__in HANDLE ThreadHandle,
|
|
__in PKNORMAL_ROUTINE ApcRoutine,
|
|
__in_opt PVOID ApcContext,
|
|
__in_opt PVOID Argument1,
|
|
__in_opt PVOID Argument2
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtImpersonateAnonymousToken(
|
|
__in HANDLE hThread
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtCreateSection(
|
|
__out PHANDLE SectionHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes,
|
|
__in_opt PLARGE_INTEGER SectionSize,
|
|
__in ULONG Protect,
|
|
__in ULONG Attributes,
|
|
__in HANDLE FileHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenSection(
|
|
__out PHANDLE SectionHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
typedef enum _SECTION_INFORMATION_CLASS
|
|
{
|
|
SectionBasicInformation,
|
|
SectionImageInformation
|
|
} SECTION_INFORMATION_CLASS;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQuerySection(
|
|
__in HANDLE SectionHandle,
|
|
__in SECTION_INFORMATION_CLASS SectionInformationClass,
|
|
__out PVOID SectionInformation,
|
|
__in ULONG SectionInformationLength,
|
|
__out_opt PULONG ResultLength
|
|
);
|
|
|
|
typedef struct _SECTION_BASIC_INFORMATION
|
|
{
|
|
PVOID BaseAddress;
|
|
ULONG Attributes;
|
|
LARGE_INTEGER Size;
|
|
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
|
|
|
|
typedef struct _SECTION_IMAGE_INFORMATION
|
|
{
|
|
PVOID EntryPoint;
|
|
ULONG Unknown1;
|
|
ULONG StackReserve;
|
|
ULONG StackCommit;
|
|
ULONG Subsystem;
|
|
USHORT MinorSubsystemVersion;
|
|
USHORT MajorSubsystemVersion;
|
|
ULONG Unknown2;
|
|
ULONG Characteristics;
|
|
USHORT ImageNumber;
|
|
BOOLEAN Executable;
|
|
UCHAR Unknown3;
|
|
ULONG Unknown4[3];
|
|
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtExtendSection(
|
|
__in HANDLE SectionHandle,
|
|
__in PLARGE_INTEGER SectionSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtUnmapViewOfSection(
|
|
__in HANDLE hProcess,
|
|
__in PVOID pBaseAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtWaitForSingleObject(
|
|
__in HANDLE hObject,
|
|
__in BOOL fAlertable,
|
|
__in PLARGE_INTEGER pliTimeout // NULL = infinite
|
|
);
|
|
|
|
// Object functions
|
|
typedef enum _OBJECT_INFORMATION_CLASS
|
|
{
|
|
ObjectBasicInformation, // 0 Y N
|
|
ObjectNameInformation, // 1 Y N
|
|
ObjectTypeInformation, // 2 Y N
|
|
ObjectAllTypesInformation, // 3 Y N
|
|
ObjectHandleInformation // 4 Y Y
|
|
} OBJECT_INFORMATION_CLASS;
|
|
|
|
typedef struct _OBJECT_BASIC_INFORMATION
|
|
{
|
|
ULONG Attributes;
|
|
ACCESS_MASK GrantedAccess;
|
|
ULONG HandleCount;
|
|
ULONG PointerCount;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolUsage;
|
|
ULONG Reserved[3];
|
|
ULONG NameInformationLength;
|
|
ULONG TypeInformationLength;
|
|
ULONG SecurityDescriptorLength;
|
|
LARGE_INTEGER CreateTime;
|
|
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
|
|
|
|
typedef struct _OBJECT_NAME_INFORMATION
|
|
{
|
|
UNICODE_STRING Name;
|
|
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
|
|
|
|
typedef struct _OBJECT_TYPE_INFORMATION
|
|
{
|
|
UNICODE_STRING Name;
|
|
ULONG ObjectCount;
|
|
ULONG HandleCount;
|
|
ULONG Reserved1[4];
|
|
ULONG PeakObjectCount;
|
|
ULONG PeakHandleCount;
|
|
ULONG Reserved2[4];
|
|
ULONG InvalidAttributes;
|
|
GENERIC_MAPPING GenericMapping;
|
|
ULONG ValidAccess;
|
|
UCHAR Unknown;
|
|
BOOLEAN MaintainHandleDatabase;
|
|
UCHAR Reserved3[2];
|
|
POOL_TYPE PoolType;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolUsage;
|
|
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
|
|
|
|
typedef struct _OBJECT_ALL_TYPES_INFORMATION
|
|
{
|
|
ULONG NumberOfTypes;
|
|
OBJECT_TYPE_INFORMATION TypeInformation;
|
|
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
|
|
|
|
typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION
|
|
{
|
|
BOOLEAN Inherit;
|
|
BOOLEAN ProtectFromClose;
|
|
} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryObject(
|
|
__in HANDLE ObjectHandle,
|
|
__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
|
|
__out PVOID ObjectInformation,
|
|
__in ULONG ObjectInformationLength,
|
|
__out_opt PULONG ReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetInformationObject(
|
|
__in HANDLE ObjectHandle,
|
|
__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
|
|
__in PVOID ObjectInformation,
|
|
__in ULONG ObjectInformationLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtDuplicateObject(
|
|
__in HANDLE SourceProcessHandle,
|
|
__in HANDLE SourceHandle,
|
|
__in_opt HANDLE TargetProcessHandle,
|
|
__out_opt PHANDLE TargetHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in ULONG HandleAttributes,
|
|
__in ULONG Options
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQuerySecurityObject(
|
|
__in HANDLE FileHandle,
|
|
__in SECURITY_INFORMATION SecurityInformation,
|
|
__out PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
__in ULONG Length,
|
|
__out PULONG ResultLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetSecurityObject(
|
|
__in HANDLE FileHandle,
|
|
__in SECURITY_INFORMATION SecurityInformation,
|
|
__in PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
);
|
|
|
|
// Memory management functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtAllocateVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__inout PVOID *BaseAddress,
|
|
__in ULONG ZeroBits,
|
|
__inout PULONG AllocationSize,
|
|
__in ULONG AllocationType,
|
|
__in ULONG Protect
|
|
);
|
|
|
|
typedef enum _MEMORY_INFORMATION_CLASS
|
|
{
|
|
MemoryBasicInformation,
|
|
MemoryWorkingSetList,
|
|
MemorySectionName,
|
|
MemoryBasicVlmInformation
|
|
} MEMORY_INFORMATION_CLASS;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__in PVOID BaseAddress,
|
|
__in MEMORY_INFORMATION_CLASS MemoryInformationClass,
|
|
__out PVOID MemoryInformation,
|
|
__in ULONG MemoryInformationLength,
|
|
__out PULONG ReturnLength OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI NTSTATUS NTAPI LdrUnloadDll(IN HANDLE ModuleHandl);
|
|
|
|
/* Defined in Winnt.h
|
|
typedef struct _MEMORY_BASIC_INFORMATION
|
|
{
|
|
PVOID BaseAddress;
|
|
PVOID AllocationBase;
|
|
ULONG AllocationProtect;
|
|
ULONG RegionSize;
|
|
ULONG State;
|
|
ULONG Protect;
|
|
ULONG Type;
|
|
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
|
|
*/
|
|
|
|
typedef struct _MEMORY_WORKING_SET_LIST
|
|
{
|
|
ULONG NumberOfPages;
|
|
ULONG WorkingSetList[1];
|
|
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;
|
|
|
|
typedef struct _WORKING_SET_LIST{
|
|
ULONG_PTR Protection : 5;
|
|
ULONG_PTR ShareCount : 3;
|
|
ULONG_PTR Shared : 1;
|
|
ULONG_PTR Reserved : 3;
|
|
ULONG_PTR VirtualPage : 20;
|
|
} WORKING_SET_LIST, *PWORKING_SET_LIST;
|
|
|
|
typedef struct _MEMORY_SECTION_NAME
|
|
{
|
|
UNICODE_STRING SectionFileName;
|
|
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtReadVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__in PVOID BaseAddress,
|
|
__out PVOID Buffer,
|
|
__in ULONG BufferLength,
|
|
__out PULONG ReturnLength OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtWriteVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__in PVOID BaseAddress,
|
|
__in PVOID Buffer,
|
|
__in ULONG BufferLength,
|
|
__out PULONG ReturnLength OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtProtectVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__inout PVOID *BaseAddress,
|
|
__inout PULONG ProtectSize,
|
|
__in ULONG NewProtect,
|
|
__out PULONG OldProtect
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtFlushVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__inout PVOID *BaseAddress,
|
|
__inout PULONG FlushSize,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock
|
|
);
|
|
|
|
// Ldr Functions
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrDisableThreadCalloutsForDll(
|
|
__in HANDLE hModule
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrGetDllHandle(
|
|
__in PWORD pwPath OPTIONAL,
|
|
__in PVOID Unused OPTIONAL,
|
|
__in PUNICODE_STRING ModuleFileName,
|
|
__out PHANDLE pHModule
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrGetProcedureAddress(
|
|
__in HMODULE ModuleHandle,
|
|
__in PANSI_STRING FunctionName OPTIONAL,
|
|
__in WORD Oridinal OPTIONAL,
|
|
__out PVOID *FunctionAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrLoadDll(
|
|
__in PWCHAR PathToFile OPTIONAL,
|
|
__in ULONG Flags OPTIONAL,
|
|
__in PUNICODE_STRING ModuleFileName,
|
|
__out PHANDLE ModuleHandle
|
|
);
|
|
|
|
// Modified from ntdef.h
|
|
#ifdef __cplusplus
|
|
extern "C++" {
|
|
char _RTL_CONSTANT_STRING_type_check(const char *s);
|
|
char _RTL_CONSTANT_STRING_type_check(const WCHAR *s);
|
|
// __typeof would be desirable here instead of sizeof.
|
|
template <size_t N> class _RTL_CONSTANT_STRING_remove_const_template_class;
|
|
template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(char)> {public: typedef char T; };
|
|
template <> class _RTL_CONSTANT_STRING_remove_const_template_class<sizeof(WCHAR)> {public: typedef WCHAR T; };
|
|
#define _RTL_CONSTANT_STRING_remove_const_macro(s) \
|
|
(const_cast<_RTL_CONSTANT_STRING_remove_const_template_class<sizeof((s)[0])>::T*>(s))
|
|
} // extern "C++"
|
|
#else
|
|
char _RTL_CONSTANT_STRING_type_check(const void *s);
|
|
#define _RTL_CONSTANT_STRING_remove_const_macro(s) (s)
|
|
#endif // __cplusplus
|
|
#define RTL_CONSTANT_STRING(s) \
|
|
{ \
|
|
sizeof( s ) - sizeof( (s)[0] ), \
|
|
sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
|
|
_RTL_CONSTANT_STRING_remove_const_macro(s) \
|
|
}
|
|
|
|
// Rtl String Functions
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitUnicodeString (
|
|
__out PUNICODE_STRING DestinationString,
|
|
__in PCWSTR SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCreateUnicodeString(
|
|
__out PUNICODE_STRING AllocatedString,
|
|
__in PCWSTR SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFreeUnicodeString(
|
|
__in PUNICODE_STRING UnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlAnsiStringToUnicodeSize(
|
|
__in PANSI_STRING AnsiString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAnsiStringToUnicodeString(
|
|
__out PUNICODE_STRING DestinationString,
|
|
__in PANSI_STRING SourceString,
|
|
__in BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppendUnicodeStringToString(
|
|
__out PUNICODE_STRING Destination,
|
|
__in PUNICODE_STRING Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppendUnicodeToString(
|
|
__out PUNICODE_STRING Destination,
|
|
__in PWSTR Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlCompareUnicodeString(
|
|
__in PUNICODE_STRING String1,
|
|
__in PUNICODE_STRING String2,
|
|
__in BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCopyUnicodeString(
|
|
__out PUNICODE_STRING DestinationString,
|
|
__in PUNICODE_STRING SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDowncaseUnicodeString(
|
|
__out PUNICODE_STRING DestinationString,
|
|
__in PUNICODE_STRING SourceString,
|
|
__in BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualUnicodeString(
|
|
__in PUNICODE_STRING String1,
|
|
__in PUNICODE_STRING String2,
|
|
__in BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIntegerToUnicodeString(
|
|
__in ULONG Value,
|
|
__in ULONG Base,
|
|
__out PUNICODE_STRING String
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToInteger(
|
|
__in PUNICODE_STRING String,
|
|
__in ULONG Base,
|
|
__out PULONG Value
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlOemStringToUnicodeString(
|
|
__out PUNICODE_STRING DestinationString,
|
|
__in POEM_STRING SourceString,
|
|
__in BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlPrefixUnicodeString(
|
|
__in PUNICODE_STRING String1,
|
|
__in PUNICODE_STRING String2,
|
|
__in BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
NTSYSAPI
|
|
WCHAR
|
|
NTAPI
|
|
RtlUpcaseUnicodeChar(
|
|
__in WCHAR SourceCharacter
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeString(
|
|
__out PUNICODE_STRING DestinationString,
|
|
__in PUNICODE_STRING SourceString,
|
|
__in BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlxAnsiStringToUnicodeSize(
|
|
__in PANSI_STRING AnsiString
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlxOemStringToUnicodeSize(
|
|
__in POEM_STRING OemString
|
|
);
|
|
|
|
// Rtl Misc Operations
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtReplyPort(
|
|
__in HANDLE hPort,
|
|
__out PVOID pReply
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtClose(
|
|
__in HANDLE hObject
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNtStatusToDosError(
|
|
NTSTATUS status
|
|
);
|
|
|
|
NTSYSAPI
|
|
UINT
|
|
NTAPI
|
|
RtlGetLongestNtPathLength();
|
|
|
|
NTSYSAPI
|
|
UINT
|
|
NTAPI
|
|
RtlDetermineDosPathNameType_U(
|
|
__in PWSTR Path
|
|
);
|
|
|
|
NTSYSAPI
|
|
UINT
|
|
NTAPI
|
|
RtlIsDosDeviceName_U(
|
|
__in PWSTR Path
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDosPathNameToNtPathName_U(
|
|
__in PCWSTR DosName,
|
|
__out PUNICODE_STRING NtName,
|
|
__out PCWSTR *DosFilePath OPTIONAL,
|
|
__out PUNICODE_STRING NtFilePath OPTIONAL
|
|
);
|
|
|
|
// Rtl Large Integer Operations
|
|
|
|
#define RtlLargeIntegerLessThanZero($a) (($a).HighPart < 0)
|
|
#define Li2Double(x) ((double)((x).HighPart) * 4.294967296E9 + (double)((x).LowPart))
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlEnlargedIntegerMultiply(
|
|
__in LONG lMultiplicand,
|
|
__in LONG lMultiplier
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlEnlargedUnsignedDivide(
|
|
__in LARGE_INTEGER liDividend,
|
|
__in ULONG uDivisor,
|
|
__out PULONG puRemainder OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlEnlargedUnsignedMultiply(
|
|
__in ULONG uMultiplicand,
|
|
__in ULONG uMultiplier
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlExtendedIntegerMultiply(
|
|
__in LARGE_INTEGER liMultiplicand,
|
|
__in LONG lMultiplier
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlExtendedLargeIntegerDivide(
|
|
__in LARGE_INTEGER liDividend,
|
|
__in ULONG uDivisor,
|
|
__out PULONG puRemainder OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlLargeIntegerAdd(
|
|
__in LARGE_INTEGER liAddend1,
|
|
__in LARGE_INTEGER liAddend2
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlLargeIntegerDivide(
|
|
__in LARGE_INTEGER liDividend,
|
|
__in LARGE_INTEGER liDivisor,
|
|
__out PLARGE_INTEGER pliRemainder OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlLargeIntegerNegate(
|
|
__in LARGE_INTEGER liSubtrahend
|
|
);
|
|
|
|
NTSYSAPI
|
|
LARGE_INTEGER
|
|
NTAPI
|
|
RtlLargeIntegerSubtract(
|
|
__in LARGE_INTEGER liMinuend,
|
|
__in LARGE_INTEGER liSubtrahend
|
|
);
|
|
|
|
// Debug Functions
|
|
typedef struct _DEBUG_BUFFER
|
|
{
|
|
HANDLE SectionHandle;
|
|
PVOID SectionBase;
|
|
PVOID RemoteSectionBase;
|
|
ULONG SectionBaseDelta;
|
|
HANDLE EventPairHandle;
|
|
ULONG Unknown[2];
|
|
HANDLE RemoteThreadHandle;
|
|
ULONG InfoClassMask;
|
|
ULONG SizeOfInfo;
|
|
ULONG AllocatedSize;
|
|
ULONG SectionSize;
|
|
PVOID ModuleInformation;
|
|
PVOID BackTraceInformation;
|
|
PVOID HeapInformation;
|
|
PVOID LockInformation;
|
|
PVOID Reserved[8];
|
|
} DEBUG_BUFFER, *PDEBUG_BUFFER;
|
|
|
|
#define PDI_MODULES 0x01
|
|
#define PDI_BACKTRACE 0x02
|
|
#define PDI_HEAPS 0x04
|
|
#define PDI_HEAP_TAGS 0x08
|
|
#define PDI_HEAP_BLOCKS 0x10
|
|
#define PDI_LOCKS 0x20
|
|
|
|
typedef struct _DEBUG_MODULE_INFORMATION // c.f. SYSTEM_MODULE_INFORMATION
|
|
{
|
|
ULONG Reserved[2];
|
|
ULONG Base;
|
|
ULONG Size;
|
|
ULONG Flags;
|
|
USHORT Index;
|
|
USHORT Unknown;
|
|
USHORT LoadCount;
|
|
USHORT ModuleNameOffset;
|
|
CHAR ImageName[256];
|
|
} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION;
|
|
|
|
typedef struct _DEBUG_HEAP_INFORMATION
|
|
{
|
|
ULONG Base;
|
|
ULONG Flags;
|
|
USHORT Granularity;
|
|
USHORT Unknown;
|
|
ULONG Allocated;
|
|
ULONG Committed;
|
|
ULONG TagCount;
|
|
ULONG BlockCount;
|
|
ULONG Reserved[7];
|
|
PVOID Tags;
|
|
PVOID Blocks;
|
|
} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION;
|
|
|
|
typedef struct _DEBUG_LOCK_INFORMATION // c.f. SYSTEM_LOCK_INFORMATION
|
|
{
|
|
PVOID Address;
|
|
USHORT Type;
|
|
USHORT CreatorBackTraceIndex;
|
|
ULONG OwnerThreadId;
|
|
ULONG ActiveCount;
|
|
ULONG ContentionCount;
|
|
ULONG EntryCount;
|
|
ULONG RecursionCount;
|
|
ULONG NumberOfSharedWaiters;
|
|
ULONG NumberOfExclusiveWaiters;
|
|
} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION;
|
|
|
|
|
|
NTSYSAPI
|
|
PDEBUG_BUFFER
|
|
NTAPI
|
|
RtlCreateQueryDebugBuffer(
|
|
__in ULONG Size,
|
|
__in BOOLEAN EventPair
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryProcessDebugInformation(
|
|
__in ULONG ProcessId,
|
|
__in ULONG DebugInfoClassMask,
|
|
__inout PDEBUG_BUFFER DebugBuffer
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyQueryDebugBuffer(
|
|
__in PDEBUG_BUFFER DebugBuffer
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtLoadDriver(
|
|
// "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
|
|
__in PUNICODE_STRING RegistryPath
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtFlushInstructionCache(
|
|
__in HANDLE ProcessHandle,
|
|
__in PVOID BaseAddress,
|
|
__in ULONG NumberOfBytesToFlush
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtProtectVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__inout PVOID *BaseAddress,
|
|
__inout PULONG NumberOfBytesToProtect,
|
|
__in ULONG NewAccessProtection,
|
|
__out PULONG OldAccessProtection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtFreeVirtualMemory(
|
|
__in HANDLE ProcessHandle,
|
|
__in PVOID *BaseAddress,
|
|
__inout PULONG RegionSize,
|
|
__in ULONG FreeType
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtUnloadDriver(
|
|
// "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
|
|
__in PUNICODE_STRING RegistryPath
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAdjustPrivilege(
|
|
__in ULONG Privilege,
|
|
__in BOOLEAN NewValue,
|
|
__in BOOLEAN ForThread,
|
|
__out PBOOLEAN OldValue
|
|
);
|
|
|
|
/*typedef struct _RTL_OSVERSIONINFOW
|
|
{
|
|
ULONG dwOSVersionInfoSize;
|
|
ULONG dwMajorVersion;
|
|
ULONG dwMinorVersion;
|
|
ULONG dwBuildNumber;
|
|
ULONG dwPlatformId;
|
|
WCHAR szCSDVersion[128]; // Maintenance string for PSS usage
|
|
} RTL_OSVERSIONINFOW, *PRTL_OSVERSIONINFOW;*/
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetVersion(
|
|
__inout PRTL_OSVERSIONINFOW lpVersionInformation
|
|
);
|
|
NTSYSAPI
|
|
void
|
|
NTAPI
|
|
RtlFreeAnsiString(PANSI_STRING AnsiString);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlRunDecodeUnicodeString(BYTE bHash,PUNICODE_STRING uString);
|
|
|
|
// - Extra -
|
|
|
|
typedef struct _TDI_CONNECTION_INFORMATION {
|
|
LONG UserDataLength;
|
|
PVOID UserData;
|
|
LONG OptionsLength;
|
|
PVOID Options;
|
|
LONG RemoteAddressLength;
|
|
PVOID RemoteAddress;
|
|
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;
|
|
|
|
typedef struct _TDI_CONNECTION_INFO {
|
|
ULONG State;
|
|
ULONG Event;
|
|
ULONG TransmittedTsdus;
|
|
ULONG ReceivedTsdus;
|
|
ULONG TransmissionErrors;
|
|
ULONG ReceiveErrors;
|
|
LARGE_INTEGER Throughput;
|
|
LARGE_INTEGER Delay;
|
|
ULONG SendBufferSize;
|
|
ULONG ReceiveBufferSize;
|
|
BOOLEAN Unreliable;
|
|
} TDI_CONNECTION_INFO, *PTDI_CONNECTION_INFO;
|
|
|
|
typedef enum _KEY_INFORMATION_CLASS {
|
|
KeyBasicInformation,
|
|
KeyNodeInformation,
|
|
KeyFullInformation
|
|
} KEY_INFORMATION_CLASS;
|
|
|
|
typedef struct _KEY_BASIC_INFORMATION {
|
|
LARGE_INTEGER LastWriteTime;
|
|
ULONG TitleIndex;
|
|
ULONG NameLength;
|
|
WCHAR Name[1];
|
|
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
|
|
|
|
typedef struct _KEY_NODE_INFORMATION
|
|
{
|
|
LARGE_INTEGER LastWriteTime;
|
|
ULONG TitleIndex;
|
|
ULONG ClassOffset;
|
|
ULONG ClassLength;
|
|
ULONG NameLength;
|
|
WCHAR Name[1];
|
|
/* Class[1]; */
|
|
} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
|
|
|
|
typedef struct _KEY_FULL_INFORMATION
|
|
{
|
|
LARGE_INTEGER LastWriteTime;
|
|
ULONG TitleIndex;
|
|
ULONG ClassOffset;
|
|
ULONG ClassLength;
|
|
ULONG SubKeys;
|
|
ULONG MaxNameLen;
|
|
ULONG MaxClassLen;
|
|
ULONG Values;
|
|
ULONG MaxValueNameLen;
|
|
ULONG MaxValueDataLen;
|
|
WCHAR Class[1];
|
|
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
|
|
|
|
typedef enum _KEY_VALUE_INFORMATION_CLASS {
|
|
KeyValueBasicInformation,
|
|
KeyValueFullInformation,
|
|
KeyValuePartialInformation,
|
|
KeyValueFullInformationAlign64,
|
|
KeyValuePartialInformationAlign64
|
|
} KEY_VALUE_INFORMATION_CLASS;
|
|
|
|
typedef struct _KEY_VALUE_BASIC_INFORMATION {
|
|
ULONG TitleIndex;
|
|
ULONG Type;
|
|
ULONG NameLength;
|
|
WCHAR Name[1];
|
|
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
|
|
|
|
typedef struct _KEY_VALUE_FULL_INFORMATION {
|
|
ULONG TitleIndex;
|
|
ULONG Type;
|
|
ULONG DataOffset;
|
|
ULONG DataLength;
|
|
ULONG NameLength;
|
|
WCHAR Name[1];
|
|
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
|
|
|
|
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
|
|
ULONG TitleIndex;
|
|
ULONG Type;
|
|
ULONG DataLength;
|
|
UCHAR Data[1];
|
|
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
|
|
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenKey(
|
|
__out PHANDLE KeyHandle,
|
|
__in ACCESS_MASK DesiredAccess,
|
|
__in POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
void
|
|
NTAPI
|
|
RtlInitAnsiString(
|
|
__out ANSI_STRING* DestinationString,
|
|
__in CHAR* SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtWriteFile(
|
|
__in HANDLE FileHandle,
|
|
__in HANDLE Event OPTIONAL,
|
|
__in PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
__in PVOID ApcContext OPTIONAL,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__in PVOID Buffer,
|
|
__in ULONG Length,
|
|
__in PLARGE_INTEGER ByteOffset OPTIONAL,
|
|
__in PULONG Key OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtReadFile(
|
|
__in HANDLE FileHandle,
|
|
__in HANDLE Event OPTIONAL,
|
|
__in PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
__in PVOID ApcContext OPTIONAL,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__out PVOID Buffer,
|
|
__in ULONG Length,
|
|
__in PLARGE_INTEGER ByteOffset OPTIONAL,
|
|
__in PULONG Key OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
DbgPrint(
|
|
__in LPCSTR Format,
|
|
...
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtGetContextThread(
|
|
__in HANDLE ThreadHandle,
|
|
__out PCONTEXT pContext
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSetContextThread(
|
|
__in HANDLE ThreadHandle,
|
|
__in PCONTEXT Context
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtAlertThread(
|
|
__in HANDLE ThreadHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitializeCriticalSection(
|
|
__in PCRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlEnterCriticalSection(
|
|
__in PCRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLeaveCriticalSection(
|
|
__in PCRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtDelayExecution(
|
|
__in BOOLEAN Alertable,
|
|
__in PLARGE_INTEGER DelayInterval
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtYieldExecution();
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
NtGetTickCount(void);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryPerformanceCounter(
|
|
__out PLARGE_INTEGER PerformanceCounter,
|
|
__out PLARGE_INTEGER PerformanceFrequency OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryDirectoryFile(
|
|
__in HANDLE FileHandle,
|
|
__in HANDLE Event OPTIONAL,
|
|
__in PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
__in PVOID ApcContext OPTIONAL,
|
|
__out PIO_STATUS_BLOCK IoStatusBlock,
|
|
__out PVOID FileInformation,
|
|
__in ULONG Length,
|
|
__in FILE_INFORMATION_CLASS FileInformationClass,
|
|
__in BOOLEAN ReturnSingleEntry,
|
|
__in PUNICODE_STRING FileMask OPTIONAL,
|
|
__in BOOLEAN RestartScan
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtVdmControl(
|
|
__in ULONG ControlCode,
|
|
__in PVOID ControlData
|
|
);
|
|
|
|
#define KEY_QUERY_VALUE (0x0001)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtEnumerateKey(
|
|
__in HANDLE KeyHandle,
|
|
__in ULONG Index,
|
|
__in KEY_INFORMATION_CLASS KeyInformationClass,
|
|
__out PVOID KeyInformation,
|
|
__in ULONG KeyInformationLength,
|
|
__out PULONG ResultLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtEnumerateValueKey(
|
|
__in HANDLE KeyHandle,
|
|
__in ULONG Index,
|
|
__in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
|
|
__out PVOID KeyValueInformation,
|
|
__in ULONG KeyValueInformationLength,
|
|
__out PULONG ResultLength
|
|
);
|
|
|
|
BOOL
|
|
WINAPI
|
|
EnumServiceGroupW(
|
|
SC_HANDLE hSCManager,
|
|
DWORD dwServiceType,
|
|
DWORD dwServiceState,
|
|
LPBYTE lpServices,
|
|
DWORD cbBufSize,
|
|
LPDWORD pcbBytesNeeded,
|
|
LPDWORD lpServicesReturned,
|
|
LPDWORD lpResumeHandle,
|
|
DWORD dwUnknown
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtQueryKey(
|
|
__in HANDLE KeyHandle,
|
|
__in KEY_INFORMATION_CLASS KeyInformationClass,
|
|
__out PVOID KeyInformation,
|
|
__in ULONG Length,
|
|
__out PULONG ResultLength );
|
|
|
|
typedef enum _SECTION_INHERIT {
|
|
ViewShare = 1,
|
|
ViewUnmap = 2
|
|
} SECTION_INHERIT;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtMapViewOfSection(
|
|
__in HANDLE SectionHandle,
|
|
__in HANDLE ProcessHandle,
|
|
__inout PVOID *BaseAddress,
|
|
__in ULONG ZeroBits OPTIONAL,
|
|
__in ULONG CommitSize,
|
|
__inout PLARGE_INTEGER SectionOffset,
|
|
__inout PULONG ViewSize,
|
|
__in SECTION_INHERIT InheritDisposition,
|
|
__in ULONG AllocationType,
|
|
__in ULONG Protect
|
|
);
|
|
|
|
typedef struct _LDR_RESOURCE_INFO
|
|
{
|
|
ULONG Type;
|
|
ULONG Name;
|
|
ULONG Language;
|
|
} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrFindResourceDirectory_U(
|
|
HMODULE hModule,
|
|
LDR_RESOURCE_INFO* pResInfo,
|
|
ULONG ulNrOfItems,
|
|
IMAGE_RESOURCE_DIRECTORY** pResDir
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrFindResource_U(
|
|
HMODULE hModule,
|
|
LDR_RESOURCE_INFO* pResInfo,
|
|
ULONG ulNrOfItems,
|
|
IMAGE_RESOURCE_DATA_ENTRY** pResDataDir
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
LdrAccessResource(
|
|
HMODULE hModule,
|
|
IMAGE_RESOURCE_DATA_ENTRY* pResDataEntry,
|
|
void ** pData,
|
|
PULONG pulOptional
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSaveKey(
|
|
HANDLE KeyHandle,
|
|
HANDLE FileHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtSaveMergedKeys(
|
|
__in HANDLE KeyHandle1,
|
|
__in HANDLE KeyHandle2,
|
|
__in HANDLE FileHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtOpenProcessToken (
|
|
__in HANDLE ProcessHandle,
|
|
__in DWORD DesiredAccess,
|
|
__deref_out PHANDLE TokenHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
NtAdjustPrivilegesToken(
|
|
__in HANDLE TokenHandle,
|
|
__in BOOL DisableAllPrivileges,
|
|
__in_opt PTOKEN_PRIVILEGES NewState,
|
|
__in DWORD BufferLength,
|
|
__out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
|
|
__out_opt PDWORD ReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateSecurityDescriptor (
|
|
__out PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
|
__in DWORD dwRevision
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetDaclSecurityDescriptor (
|
|
__inout PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
|
__in BOOL bDaclPresent,
|
|
__in_opt PACL pDacl,
|
|
__in BOOL bDaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
HANDLE
|
|
NTAPI
|
|
RtlCreateHeap (
|
|
__in DWORD flag,
|
|
__in DWORD v1,
|
|
__in DWORD v2,
|
|
__in DWORD v3,
|
|
__in DWORD v4,
|
|
__in DWORD v5
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI RtlSetHeapInformation(
|
|
__in HANDLE HeapHandle,
|
|
__in HEAP_INFORMATION_CLASS HeapInformationClass,
|
|
__in PVOID HeapInformation,
|
|
__in SIZE_T HeapInformationLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
LPVOID
|
|
NTAPI
|
|
RtlAllocateHeap(
|
|
__in HANDLE hHeap,
|
|
__in DWORD dwFlags,
|
|
__in SIZE_T dwBytes
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOL
|
|
NTAPI
|
|
RtlFreeHeap(
|
|
__in HANDLE hHeap,
|
|
__in DWORD dwFlags,
|
|
__in LPVOID lpMem
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyHeap (
|
|
__in HANDLE hHeap
|
|
);
|
|
|
|
#ifdef __cplusplus
|
|
} // extern "C"
|
|
#endif // __cplusplus
|
|
|
|
#endif // NTDLL_H
|