/*
 * ntdll.h - declarations for the NT native API (the Zw* / Rtl* entry points,
 * presumably those of ntdll.dll) together with the information-class enums and
 * structures they operate on.  Almost all of this is undocumented: the enum
 * values and structure layouts are those of one particular OS version and are
 * not checked by the SDK, so treat every layout below as a hypothesis about the
 * target build rather than a contract.
 *
 * NOTE(review): ULONG_PTR is typedef'd as ULONG below, and several structures
 * further down overlay pointers on ULONG-sized slots, so this header assumes a
 * 32-bit (x86) process.  Confirm before using it in a 64-bit build.
 */
#ifndef NTDLL_H
#define NTDLL_H
#ifdef __cplusplus
extern "C" {
#endif

//#define DEBUG
// The only visible effect of NTDLL_WRAPPER in this header is to define
// _NTSYSTEM_ before <windows.h> is included.
#define NTDLL_WRAPPER

// NOTE(review): _NTSYSTEM_ is set before <windows.h>; presumably so that the
// SDK's own copies of these names are not declared DECLSPEC_IMPORT and do not
// collide with the undecorated (empty NTSYSAPI) prototypes below -- confirm
// against the build that consumes this header.
#ifdef NTDLL_WRAPPER
#define _NTSYSTEM_
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

// Native API calling convention.
#define NTAPI __stdcall

// Prototypes in this header are plain declarations with no import/export
// decoration; whatever the SDK defined for these is discarded.
#undef NTSYSAPI
#undef NTHALAPI
#define NTSYSAPI
#define NTHALAPI

// The severity of an NTSTATUS is its top two bits (see NT_SUCCESS & co.).
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_SEVERITY_WARNING 0x2
#define STATUS_SEVERITY_SUCCESS 0x0
#define STATUS_SEVERITY_INFORMATIONAL 0x1
#define STATUS_SEVERITY_ERROR 0x3

// Kernel-style scalar typedefs used by the structures below.
typedef LONG NTSTATUS;
typedef LONG KPRIORITY;
typedef CHAR SCHAR;
typedef SHORT CSHORT;
typedef SHORT SSHORT;
typedef UCHAR KIRQL;
typedef KIRQL *PKIRQL;
// NOTE(review): 32-bit only.  ULONG_PTR has to be pointer-sized for the *_PTR
// fields below (PROCESS_BASIC_INFORMATION, IO_STATUS_BLOCK.Information, ...)
// to line up with what the kernel writes; here it is a plain 32-bit ULONG.
typedef ULONG ULONG_PTR, *PULONG_PTR;
typedef ULONG_PTR ERESOURCE_THREAD;
typedef ULONG KPAGE_FRAME;
typedef ULONG KAFFINITY;
typedef KAFFINITY *PKAFFINITY;
typedef ULONG_PTR KSPIN_LOCK;
typedef KSPIN_LOCK *PKSPIN_LOCK;
typedef CHAR *PSZ;
typedef CONST char *PCSZ;
typedef ULONG KPROCESSOR_MODE;

// Success and informational codes have the sign bit clear; warnings and errors
// set it.  NT_SUCCESS() is therefore true for STATUS_SUCCESS *and* for
// informational codes -- callers that need "exactly STATUS_SUCCESS" must
// compare explicitly.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// '>>' binds tighter than '==', so these compare the 2-bit severity field.
#define NT_INFORMATION(Status) ((ULONG)(Status) >> 30 == 1)
#define NT_WARNING(Status) ((ULONG)(Status) >> 30 == 2)
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)
#define APPLICATION_ERROR_MASK 0x20000000
#define ERROR_SEVERITY_SUCCESS 0x00000000
#define ERROR_SEVERITY_INFORMATIONAL 0x40000000
#define ERROR_SEVERITY_WARNING 0x80000000
#define ERROR_SEVERITY_ERROR 0xC0000000
// Status codes this wrapper expects to see.  NOTE(review): by the usual NT
// contract STATUS_INFO_LENGTH_MISMATCH (and STATUS_BUFFER_TOO_SMALL, defined
// below) mean "the supplied buffer is too small, retry with a bigger one" for
// the Zw*Query* calls declared later; callers should loop on them rather than
// treat them as hard failures -- confirm per call.
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define STATUS_NO_SUCH_DEVICE ((NTSTATUS)0xC000000EL)
#define STATUS_NO_SUCH_FILE ((NTSTATUS)0xC000000FL)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_END_OF_FILE ((NTSTATUS)0xC0000011L)
#define STATUS_NO_MEDIA_IN_DEVICE ((NTSTATUS)0xC0000013L)
#define STATUS_UNRECOGNIZED_MEDIA ((NTSTATUS)0xC0000014L)
#define STATUS_MORE_PROCESSING_REQUIRED ((NTSTATUS)0xC0000016L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
// "Buffer too small" result: retry with a larger buffer (see the Zw*Query*
// prototypes below), do not treat as a hard failure.
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)

typedef enum _EVENT_TYPE
{
    NotificationEvent,
    SynchronizationEvent
} EVENT_TYPE;

typedef enum _TIMER_TYPE
{
    NotificationTimer,
    SynchronizationTimer
} TIMER_TYPE;

typedef enum _WAIT_TYPE
{
    WaitAll,
    WaitAny
} WAIT_TYPE;

// Counted (not NUL-terminated) 8-bit string.  Bound every read by Length;
// never hand Buffer to strlen()/printf("%s").  NOTE(review): in the NT
// convention Length/MaximumLength are byte counts -- confirm with the producer.
typedef struct _STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;
typedef STRING ANSI_STRING;
typedef PSTRING PANSI_STRING;
typedef STRING OEM_STRING;
typedef PSTRING POEM_STRING;

// Counted (not NUL-terminated) UTF-16 string; same caveats as STRING.  Bound
// every read by Length and never pass Buffer to wcslen()/"%ws" unbounded.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

// OBJECT_ATTRIBUTES.Attributes bits.
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
// Union of every OBJ_* bit above.
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// Names the object a Zw*Open*/Zw*Create* call operates on.  ObjectName is an
// NT object-manager path, relative to RootDirectory when that is non-NULL.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    SECURITY_DESCRIPTOR *SecurityDescriptor;
    SECURITY_QUALITY_OF_SERVICE *SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// useful macros
//
// Fills in an OBJECT_ATTRIBUTES: p = POBJECT_ATTRIBUTES, n = PUNICODE_STRING
// name, a = OBJ_* attributes, r = root directory handle, s = security
// descriptor.  SecurityQualityOfService is always reset to NULL, so a caller
// that needs a specific impersonation level (compare ZwConnectPort /
// ZwSecureConnectPort, which take SecurityQos explicitly) must set that field
// itself after the macro.
// NOTE(review): this expands to a bare brace block, not do { } while (0), so
// it must be used as a stand-alone statement -- `if (c) Initialize...(...);
// else ...` will not compile -- and the arguments are not parenthesised.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
}

// Information classes for ZwQueryObject / ZwSetInformationObject; the numbered
// structures further down (OBJECT_NAME_INFORMATION = 1, OBJECT_TYPE_INFORMATION
// = 2) match these positions.
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectTypesInformation,
    ObjectHandleFlagInformation
} OBJECT_INFORMATION_CLASS;

// 64-bit time as the kernel publishes it: High1Time/High2Time carry the same
// value so a reader can detect a torn read (re-read until they agree).
typedef struct _KSYSTEM_TIME
{
    ULONG LowPart;
    LONG High1Time;
    LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;

typedef enum _NT_PRODUCT_TYPE
{
    NtProductWinNt = 1,
    NtProductLanManNt,
    NtProductServer
} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;

typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
{
    StandardDesign,
    NEC98x86,
    EndAlternatives
} ALTERNATIVE_ARCHITECTURE_TYPE;

#define PROCESSOR_FEATURE_MAX 64

#define SYSTEM_FLAG_REMOTE_BOOT_CLIENT 0x00000001
#define SYSTEM_FLAG_DISKLESS_CLIENT 0x00000002
// Presumably the layout of the shared user-mode data page.  NOTE(review): the
// field order and offsets here are specific to one OS version (everything past
// NtSystemRoot in particular) -- verify against the target build before
// dereferencing a field, and treat it as read-only.
typedef struct _KUSER_SHARED_DATA
{
    volatile ULONG TickCountLow;
    ULONG TickCountMultiplier;
    volatile KSYSTEM_TIME InterruptTime;
    volatile KSYSTEM_TIME SystemTime;
    volatile KSYSTEM_TIME TimeZoneBias;
    USHORT ImageNumberLow;
    USHORT ImageNumberHigh;
    WCHAR NtSystemRoot[260];
    ULONG MaxStackTraceDepth;
    ULONG CryptoExponent;
    ULONG TimeZoneId;
    ULONG Reserved2[8];
    NT_PRODUCT_TYPE NtProductType;
    BOOLEAN ProductTypeIsValid;
    ULONG NtMajorVersion;
    ULONG NtMinorVersion;
    // Indexed by the PF_* constants below.
    BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
    ULONG Reserved1;
    ULONG Reserved3;
    volatile ULONG TimeSlip;
    ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
    LARGE_INTEGER SystemExpirationDate;
    ULONG SuiteMask;
    // Readable by any process: a cheap kernel-debugger check that anti-analysis
    // code commonly consults.
    BOOLEAN KdDebuggerEnabled;
    volatile ULONG ActiveConsoleId;
    volatile ULONG DismountCount;
    ULONG ComPlusPackage;
    ULONG LastSystemRITEventTickCount;
    ULONG NumberOfPhysicalPages;
    BOOLEAN SafeBootMode;
    ULONG TraceLogging;
    ULONGLONG Fill;
    ULONGLONG SystemCall[4];
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;

// Indices into KUSER_SHARED_DATA.ProcessorFeatures.
#define PF_FLOATING_POINT_PRECISION_ERRATA 0
#define PF_FLOATING_POINT_EMULATED 1
#define PF_COMPARE_EXCHANGE_DOUBLE 2
#define PF_MMX_INSTRUCTIONS_AVAILABLE 3
#define PF_PPC_MOVEMEM_64BIT_OK 4
#define PF_ALPHA_BYTE_INSTRUCTIONS 5
#define PF_XMMI_INSTRUCTIONS_AVAILABLE 6
#define PF_3DNOW_INSTRUCTIONS_AVAILABLE 7
#define PF_RDTSC_INSTRUCTION_AVAILABLE 8
#define PF_PAE_ENABLED 9

// Process/thread id pair as used by ZwOpenProcess / ZwOpenThread and carried
// in PORT_MESSAGE; the ids are HANDLE-typed integers, not real handles.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;


// from ntddk.h
typedef enum _POOL_TYPE {
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS,
    MaxPoolType,
    NonPagedPoolSession = 32,
    PagedPoolSession = NonPagedPoolSession + 1,
    NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
    DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
    NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
    PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
    NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
} POOL_TYPE;


/***********************************************************/
// Result of ZwQueryObject(ObjectNameInformation).  Name.Buffer presumably
// points inside the same output buffer, so the buffer must outlive any use of
// the string.
typedef struct _OBJECT_NAME_INFORMATION { // Information Class 1
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

// Result of ZwQueryObject(ObjectTypeInformation); same buffer-lifetime caveat
// for Name as above.
typedef struct _OBJECT_TYPE_INFORMATION { // Information Class 2
    UNICODE_STRING Name;
    ULONG ObjectCount;
    ULONG HandleCount;
    ULONG Reserved1[4];
    ULONG PeakObjectCount;
    ULONG PeakHandleCount;
    ULONG Reserved2[4];
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccess;
    UCHAR Unknown;
    BOOLEAN MaintainHandleDatabase;
    POOL_TYPE PoolType;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;


/***********************************************************/

typedef DWORD KWAIT_REASON;

NTSYSAPI NTSTATUS NTAPI ZwSetInformationObject(
    IN HANDLE Handle,
    IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
    IN PVOID ObjectInformation,
    IN ULONG ObjectInformationLength
    );

// Queries Handle for the class given; on a too-small buffer the required size
// is presumably reported through ReturnLength -- resize and retry.
NTSYSAPI NTSTATUS NTAPI ZwQueryObject(
    IN HANDLE Handle,
    IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG Length,
    OUT PULONG ReturnLength OPTIONAL
    );

// Reads the parts of the object's security descriptor selected by
// SecurityInformation; LengthNeeded receives the size required when Length is
// too small.
NTSYSAPI NTSTATUS NTAPI ZwQuerySecurityObject(
    IN HANDLE Handle,
    IN SECURITY_INFORMATION SecurityInformation,
    OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ULONG Length,
    OUT PULONG LengthNeeded
    );

// Duplicates SourceHandle from SourceProcessHandle into TargetProcessHandle.
// NOTE(review): DesiredAccess/Attributes/Options are what decide whether the
// copy is a privilege escalation (wider access than the source, inheritable
// handles) -- request only what the caller needs.
NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject(
    IN HANDLE SourceProcessHandle,
    IN HANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG Attributes,
    IN ULONG Options
    );

// Enumerates an object-manager directory.  Context is the enumeration cursor:
// zero it before the first call (or pass RestartScan) and preserve it between
// calls.
NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryObject(
    IN HANDLE DirectoryHandle,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN BOOLEAN ReturnSingleEntry,
    IN BOOLEAN RestartScan,
    IN OUT PULONG Context,
    OUT PULONG ReturnLength OPTIONAL
    );

// Classes for ZwQuerySystemInformation / ZwSetSystemInformation.  The numeric
// value is what crosses the syscall boundary, so the order here must match the
// target OS exactly -- do not insert entries.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, // 0
    SystemProcessorInformation, // 1
    SystemPerformanceInformation, // 2
    SystemTimeOfDayInformation, // 3
    SystemPathInformation, // 4
    SystemProcessInformation, // 5
    SystemCallCountInformation, // 6
    SystemDeviceInformation, // 7
    SystemProcessorPerformanceInformation, // 8
    SystemFlagsInformation, // 9
    SystemCallTimeInformation, // 10
    SystemModuleInformation, // 11
    SystemLocksInformation, // 12
    SystemStackTraceInformation, // 13
    SystemPagedPoolInformation, // 14
    SystemNonPagedPoolInformation, // 15
    SystemHandleInformation, // 16
    SystemObjectInformation, // 17
    SystemPageFileInformation, // 18
    SystemVdmInstemulInformation, // 19
    SystemVdmBopInformation, // 20
    SystemFileCacheInformation, // 21
    SystemPoolTagInformation, // 22
    SystemInterruptInformation, // 23
    SystemDpcBehaviorInformation, // 24
    SystemFullMemoryInformation, // 25
    SystemLoadGdiDriverInformation, // 26
    SystemUnloadGdiDriverInformation, // 27
    SystemTimeAdjustmentInformation, // 28
    SystemSummaryMemoryInformation, // 29
    SystemNextEventIdInformation, // 30
    SystemEventIdsInformation, // 31
    SystemCrashDumpInformation, // 32
    SystemExceptionInformation, // 33
    SystemCrashDumpStateInformation, // 34
    SystemKernelDebuggerInformation, // 35
    SystemContextSwitchInformation, // 36
    SystemRegistryQuotaInformation, // 37
    SystemExtendServiceTableInformation, // 38
    SystemPrioritySeperation, // 39
    SystemPlugPlayBusInformation, // 40
    SystemDockInformation, // 41
    SystemPwrInformation, // 42
    SystemProcessorSpeedInformation, // 43
    SystemCurrentTimeZoneInformation, // 44
    SystemLookasideInformation // 45
} SYSTEM_INFORMATION_CLASS;

// Friendlier aliases.  NOTE(review): classes 26/27/38 used with
// ZwSetSystemInformation and the SYSTEM_LOAD_IMAGE / SYSTEM_UNLOAD_IMAGE /
// SYSTEM_LOAD_AND_CALL_IMAGE structures below load or unload a kernel-mode
// image by name -- presumably a privileged driver-load primitive.  Treat any
// caller of these as security-sensitive.
#define SystemProcessesAndThreadsInformation SystemProcessInformation
#define SystemLoadImage SystemLoadGdiDriverInformation
#define SystemUnloadImage SystemUnloadGdiDriverInformation
#define SystemLoadAndCallImage SystemExtendServiceTableInformation

// One thread entry in a SystemProcessInformation buffer (see SYSTEM_PROCESS).
typedef struct _SYSTEM_THREAD
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    union
    {
        ULONG WaitTime;
        // process.c reuses the kernel's WaitTime slot as a back-pointer to the
        // owning entry.  This only fits because pointers are 32-bit here (see
        // the ULONG_PTR typedef) and overwrites WaitTime.
        struct _SYSTEM_PROCESS *Process; // used by process.c:GetThread*
    };
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG State;
    KWAIT_REASON KWaitReason;
} SYSTEM_THREAD, *PSYSTEM_THREAD, SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

// Input/output for ZwSetSystemInformation(SystemLoadImage): the kernel fills
// in ModuleBase/Section/EntryPoint/ExportDirectory for the image named by
// ModuleName.  Addresses are ULONG (32-bit only).
typedef struct _SYSTEM_LOAD_IMAGE
{
    UNICODE_STRING ModuleName;
    ULONG ModuleBase;
    ULONG Section;
    ULONG EntryPoint;
    ULONG ExportDirectory;
} SYSTEM_LOAD_IMAGE;

// Input for ZwSetSystemInformation(SystemUnloadImage).
typedef struct _SYSTEM_UNLOAD_IMAGE
{
    ULONG ModuleBase;
} SYSTEM_UNLOAD_IMAGE;

// Input for ZwSetSystemInformation(SystemLoadAndCallImage).
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE;

typedef struct _VM_COUNTERS
{
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
} VM_COUNTERS;

// One process entry in a SystemProcessInformation buffer.  The entries are
// variable-length (ThreadCount SYSTEM_THREADs trail each one), so walk the
// buffer with Next and never index an array of SYSTEM_PROCESS.
typedef struct _SYSTEM_PROCESS
{
    // NOTE(review): presumably the byte offset from this entry to the next
    // one, 0 marking the last entry -- confirm against process.c.  Validate it
    // against the buffer length before following it.
    ULONG Next;
    ULONG ThreadCount;
    ULONG Reserved1[5];
    // process.c stores a back-pointer in what is otherwise reserved space;
    // again only layout-compatible because pointers are 32-bit here.
    struct _SYSTEM_PROCESS *FirstProcess; // Used by process.c:GetProcess*
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    // Counted string; Buffer presumably points inside the query buffer.  Not
    // NUL-terminated, so bound by Length.
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessID;
    ULONG ParentProcessID;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    // First of ThreadCount entries that follow in the same buffer.
    SYSTEM_THREAD Thread[1];
} SYSTEM_PROCESS, *PSYSTEM_PROCESS, SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

// SystemFlagsInformation payload (SYSTEM_FLAG_* bits above).
typedef struct _SYSTEM_FLAGS_INFORMATION
{
    ULONG Flags;
} SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION;

// ZwQueryInformationProcess(ProcessBasicInformation) result.  PebBaseAddress
// is an address in the *target* process; read it with the appropriate
// cross-process primitive, do not dereference it directly unless the target
// is the current process.
typedef struct _PROCESS_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    struct _PEB *PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

// Classes for ZwQueryInformationProcess / ZwSetInformationProcess.  Same
// ordering caveat as SYSTEM_INFORMATION_CLASS.  ProcessDebugPort is a common
// debugger-detection query; ProcessAccessToken (with PROCESS_ACCESS_TOKEN
// below) replaces a process's primary token and is correspondingly sensitive.
typedef enum _PROCESSINFOCLASS
{
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    MaxProcessInfoClass
} PROCESSINFOCLASS;

// One loaded-module record (SystemModuleInformation / RTL_QUERY_PROCESS_MODULES).
// FullPathName is a fixed 256-byte buffer indexed by OffsetToFileName;
// NOTE(review): bound reads by sizeof FullPathName rather than assuming a NUL
// terminator for long paths.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION, PROCESS_MODULE, *PPROCESS_MODULE, SYSTEM_MODULE, *PSYSTEM_MODULE;

// NOTE(review): despite the name this is the layout of ONE handle-table entry
// -- there is no count field here.  In the usual layout the buffer returned
// for class 16 starts with a ULONG entry count followed by an array of these;
// confirm against the consumer before walking it.  Handle is a USHORT, so
// handle values above 0xFFFF cannot be represented; Object is presumably a
// kernel-mode address and should not be exposed to less-privileged code.
typedef struct _SYSTEM_HANDLE_INFORMATION { // Information Class 16
    ULONG ProcessId;
    // Index into the object-type table; the numbering is OS-version specific.
    UCHAR ObjectTypeNumber;
    UCHAR Flags; // 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Heap-tag statistics returned through RTL_HEAP_INFORMATION.Tags.
typedef struct _RTL_HEAP_TAG
{
    ULONG NumberOfAllocations;
    ULONG NumberOfFrees;
    ULONG BytesAllocated;
    USHORT TagIndex;
    USHORT CreatorBackTraceIndex;
    WCHAR TagName[24];
} RTL_HEAP_TAG, *PRTL_HEAP_TAG;

// One heap block as reported by RtlQueryProcessHeapInformation; which arm of
// the union applies presumably depends on Flags -- TODO confirm.
typedef struct _RTL_HEAP_ENTRY
{
    ULONG Size;
    USHORT Flags;
    USHORT AllocatorBackTraceIndex;
    union
    {
        struct
        {
            ULONG Settable;
            ULONG Tag;
        } s1;
        struct
        {
            ULONG CommittedSize;
            PVOID FirstBlock;
        } s2;
    } u;
} RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY;


// Per-heap summary.  Tags/Entries point to NumberOfTags / NumberOfEntries
// records, presumably inside the debug buffer's mapped view.
typedef struct _RTL_HEAP_INFORMATION
{
    PVOID BaseAddress;
    ULONG Flags;
    USHORT EntryOverhead;
    USHORT CreatorBackTraceIndex;
    ULONG BytesAllocated;
    ULONG BytesCommitted;
    ULONG NumberOfTags;
    ULONG NumberOfEntries;
    ULONG NumberOfPseudoTags;
    ULONG PseudoTagGranularity;
    ULONG Reserved[5];
    PRTL_HEAP_TAG Tags;
    PRTL_HEAP_ENTRY Entries;
} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION;

// Variable-length: NumberOfHeaps entries follow.
typedef struct _RTL_PROCESS_HEAPS
{
    ULONG NumberOfHeaps;
    RTL_HEAP_INFORMATION Heaps[1];
} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS;

// Variable-length: NumberOfModules entries follow.
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES, SYSTEM_MODULES, *PSYSTEM_MODULES;

// Payload for ZwSetInformationProcess(ProcessAccessToken).
typedef struct _PROCESS_ACCESS_TOKEN {
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

// Loader data reached through PEB.Ldr; the three lists link
// LDR_DATA_TABLE_ENTRY records through the matching *Links members.
typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

// One loaded DLL as the loader tracks it.  NOTE(review): only the leading
// fields are declared; read it through a pointer obtained from PEB_LDR_DATA
// and never allocate or sizeof() it.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Process Environment Block -- partial definition (only the leading fields).
// Usable for reading through a PPEB such as PROCESS_BASIC_INFORMATION.
// PebBaseAddress; never embed it or take sizeof().
typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN Unused;
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB, *PPEB;

// Completion record for the I/O calls below.  Check Status in addition to the
// call's return value; Information presumably carries the byte count for
// read/write completions.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

#ifndef PIO_APC_ROUTINE_DEFINED
// Completion callback accepted by the asynchronous file calls below.
typedef
VOID
(NTAPI *PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
    );
#define PIO_APC_ROUTINE_DEFINED
#endif

// Classes for ZwQueryInformationFile / ZwSetInformationFile /
// ZwQueryDirectoryFile.  Numbering starts at 1; the FILE_*_INFORMATION
// structures below correspond to the first three and to 9/12.
typedef enum _FILE_INFORMATION_CLASS
{
    FileDirectoryInformation = 1,
    FileFullDirectoryInformation, // 2
    FileBothDirectoryInformation, // 3
    FileBasicInformation, // 4
    FileStandardInformation, // 5
    FileInternalInformation, // 6
    FileEaInformation, // 7
    FileAccessInformation, // 8
    FileNameInformation, // 9
    FileRenameInformation, // 10
    FileLinkInformation, // 11
    FileNamesInformation, // 12
    FileDispositionInformation, // 13
    FilePositionInformation, // 14
    FileFullEaInformation, // 15
    FileModeInformation, // 16
    FileAlignmentInformation, // 17
    FileAllInformation, // 18
    FileAllocationInformation, // 19
    FileEndOfFileInformation, // 20
    FileAlternateNameInformation, // 21
    FileStreamInformation, // 22
    FilePipeInformation, // 23
    FilePipeLocalInformation, // 24
    FilePipeRemoteInformation, // 25
    FileMailslotQueryInformation, // 26
    FileMailslotSetInformation, // 27
    FileCompressionInformation, // 28
    FileObjectIdInformation, // 29
    FileCompletionInformation, // 30
    FileMoveClusterInformation, // 31
    FileQuotaInformation, // 32
    FileReparsePointInformation, // 33
    FileNetworkOpenInformation, // 34
    FileAttributeTagInformation, // 35
    FileTrackingInformation, // 36
    FileIdBothDirectoryInformation, // 37
    FileIdFullDirectoryInformation, // 38
    FileValidDataLengthInformation, // 39
    FileShortNameInformation, // 40
    FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;

// Directory-enumeration records.  Entries are chained by NextEntryOffset
// (0 = last entry); FileName is FileNameLength bytes (NT convention, not
// characters) and is NOT NUL-terminated.  Validate NextEntryOffset and
// FileNameLength against the buffer length before following them -- the
// buffer is filled by whatever file system backs the handle.
typedef struct _FILE_DIRECTORY_INFORMATION
{
    ULONG NextEntryOffset;
    ULONG Unknown;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

// As FILE_DIRECTORY_INFORMATION plus the extended-attribute size.
typedef struct _FILE_FULL_DIRECTORY_INFORMATION
{
    ULONG NextEntryOffset;
    ULONG Unknown;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaInformationLength;
    WCHAR FileName[1];
} FILE_FULL_DIRECTORY_INFORMATION, *PFILE_FULL_DIRECTORY_INFORMATION;

// As FILE_FULL_DIRECTORY_INFORMATION plus the 8.3 alternate name (fixed
// 12-WCHAR buffer, AlternateNameLength bytes used).
typedef struct _FILE_BOTH_DIRECTORY_INFORMATION
{
    ULONG NextEntryOffset;
    ULONG Unknown;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaInformationLength;
    UCHAR AlternateNameLength;
    WCHAR AlternateName[12];
    WCHAR FileName[1];
} FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION;

// ZwQueryInformationFile(FileNameInformation): counted, not NUL-terminated.
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;

// Names-only directory record; same chaining/length caveats as above.
typedef struct _FILE_NAMES_INFORMATION
{
    ULONG NextEntryOffset;
    ULONG Unknown;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

// Debug buffer created by RtlCreateQueryDebugBuffer and filled by
// RtlQueryProcessDebugInformation for the RTL_QUERY_PROCESS_* flags below.
// Modules/Heaps are set according to Flags and presumably point into the
// buffer's own view (ViewBaseClient..ViewSize); release everything with
// RtlDestroyQueryDebugBuffer, never free the sub-pointers individually.
typedef struct _RTL_DEBUG_INFORMATION
{
    HANDLE SectionHandleClient;
    PVOID ViewBaseClient;
    PVOID ViewBaseTarget;
    ULONG ViewBaseDelta;
    HANDLE EventPairClient;
    HANDLE EventPairTarget;
    HANDLE TargetProcessId;
    HANDLE TargetThreadHandle;
    ULONG Flags;
    ULONG OffsetFree;
    ULONG CommitSize;
    ULONG ViewSize;
    struct _RTL_PROCESS_MODULES *Modules;
    struct _RTL_PROCESS_BACKTRACES *BackTraces;
    struct _RTL_PROCESS_HEAPS *Heaps;
    struct _RTL_PROCESS_LOCKS *Locks;
    PVOID SpecificHeap;
    HANDLE TargetProcessHandle;
    PVOID Reserved[6];
} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;

typedef ERESOURCE_THREAD *PERESOURCE_THREAD;

// Kernel-mode structures below (PTE, service table, PCR/PRCB).  They are
// declared for reading kernel memory from a debugger or driver and are
// partial / version-specific; nothing in user mode should dereference them.
typedef struct _PROTOTYPE_PTE_ENTRY
{
    ULONG Present : 1;
    ULONG AddressLow : 7;
    ULONG ReadOnly : 1;
    ULONG WhichPool : 1;
    ULONG Prototype : 1;
    ULONG AddressHigh : 21;
} PROTOTYPE_PTE_ENTRY;

// Presumably a system service (syscall) table descriptor: Limit entries at
// Base, with per-entry argument sizes in Number -- TODO confirm.
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
    PULONG_PTR Base;
    PULONG Count;
    ULONG Limit;
    PUCHAR Number;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;

// Partial processor control region (leading fields only).
typedef struct _KPCR
{
    NT_TIB NtTib;
    struct _KPCR *SelfPcr;
    struct _KPRCB *Prcb;
} KPCR, *PKPCR;
// Partial processor control block (leading fields only).
typedef struct _KPRCB
{
    USHORT MinorVersion;
    USHORT MajorVersion;
    struct _KTHREAD *CurrentThread;
    struct _KTHREAD *NextThread;
    struct _KTHREAD *IdleThread;
} KPRCB, *PKPRCB;

////////////////////////////////////////////////////////////////////////////////
// Function prototypes
////////////////////////////////////////////////////////////////////////////////

// Security-sensitive: with the SystemLoadImage / SystemLoadAndCallImage
// classes this loads a kernel image (see the alias comments above).
NTSYSAPI NTSTATUS NTAPI ZwSetSystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength
    );

// Fills SystemInformation for the given class.  NOTE(review): on
// STATUS_INFO_LENGTH_MISMATCH the required size is typically reported in
// ReturnLength, but the live data (process/handle lists) can grow between
// calls, so callers should loop: query, grow, retry -- not assume one resize
// suffices.
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );


// Enumerates a directory handle into FileInformation as records of
// FileInformationClass (see the FILE_*_DIRECTORY_INFORMATION layouts).
// FileName is an optional match pattern; RestartScan rewinds the enumeration.
NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
    );

//
// LPC
//

// PORT_MESSAGE.u2.s2.Type values.
#define LPC_REQUEST 1
#define LPC_REPLY 2
#define LPC_DATAGRAM 3
#define LPC_LOST_REPLY 4
#define LPC_PORT_CLOSED 5
#define LPC_CLIENT_DIED 6
#define LPC_EXCEPTION 7
#define LPC_DEBUG_EVENT 8
#define LPC_ERROR_EVENT 9
#define LPC_CONNECTION_REQUEST 10

// LPC message header; the payload (see the commented-out Data[]) follows it
// in memory.  NOTE(review): every field here arrives from the peer.  A server
// must check that TotalLength fits the buffer it receives into / the port's
// MaxMessageLength and that DataLength <= TotalLength - sizeof(PORT_MESSAGE)
// before touching the payload, and must not trust ClientId for authorization
// (use ZwImpersonateClientOfPort / the port's security instead).
typedef struct _PORT_MESSAGE {
    union {
        struct {
            CSHORT DataLength;
            CSHORT TotalLength;
        } s1;
        ULONG Length;
    } u1;
    union {
        struct {
            CSHORT Type;
            CSHORT DataInfoOffset;
        } s2;
        ULONG ZeroInit;
    } u2;
    union {
        CLIENT_ID ClientId;
        double DoNotUseThisField;
    };
    ULONG MessageId;
    union {
        SIZE_T ClientViewSize;
        ULONG CallbackId;
    };
    // UCHAR Data[];
} PORT_MESSAGE, *PPORT_MESSAGE;

// Shared-section view offered by one side of a connection.  Length must be
// sizeof(PORT_VIEW) on input; ViewBase/ViewRemoteBase are filled in.
typedef struct _PORT_VIEW {
    ULONG Length;
    HANDLE SectionHandle;
    ULONG SectionOffset;
    SIZE_T ViewSize;
    PVOID ViewBase;
    PVOID ViewRemoteBase;
} PORT_VIEW, *PPORT_VIEW;

// The peer's view as mapped into this process; Length = sizeof on input.
typedef struct _REMOTE_PORT_VIEW {
    ULONG Length;
    SIZE_T ViewSize;
    PVOID ViewBase;
} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;

// Creates a named connection port.  MaxMessageLength is the bound the server
// should later validate PORT_MESSAGE.TotalLength against.  The port's name
// and DACL come from ObjectAttributes -- give it an explicit security
// descriptor if untrusted processes share the namespace.
NTSYSAPI NTSTATUS NTAPI ZwCreatePort(
    OUT PHANDLE PortHandle,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG MaxConnectionInfoLength,
    IN ULONG MaxMessageLength,
    IN ULONG MaxPoolUsage
    );

// Connects to a named port.  NOTE(review): connecting by name alone does not
// authenticate the server -- whoever owns that name in the object namespace
// answers.  SecurityQos also sets the impersonation level the server may use
// on this client; keep it as low as the protocol allows.  Prefer
// ZwSecureConnectPort when the server's identity matters.
NTSYSAPI NTSTATUS NTAPI ZwConnectPort(
    OUT PHANDLE PortHandle,
    IN PUNICODE_STRING PortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT PPORT_VIEW ClientView OPTIONAL,
    IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
    OUT PULONG MaxMessageLength OPTIONAL,
    IN OUT PVOID ConnectionInformation OPTIONAL,
    IN OUT PULONG ConnectionInformationLength OPTIONAL
    );

// As ZwConnectPort, but RequiredServerSid lets the client insist on the
// identity of the process that owns the port -- the defence against a
// lower-privileged process squatting on the port name.
NTSYSAPI NTSTATUS NTAPI ZwSecureConnectPort(
    OUT PHANDLE PortHandle,
    IN PUNICODE_STRING PortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT PPORT_VIEW ClientView OPTIONAL,
    IN PSID RequiredServerSid,
    OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
    OUT PULONG MaxMessageLength OPTIONAL,
    IN OUT PVOID ConnectionInformation OPTIONAL,
    IN OUT PULONG ConnectionInformationLength OPTIONAL
    );

// Waits for an LPC_CONNECTION_REQUEST on a connection port.
NTSYSAPI NTSTATUS NTAPI ZwListenPort(
    IN HANDLE PortHandle,
    OUT PPORT_MESSAGE ConnectionRequest
    );

// Accepts (AcceptConnection TRUE) or rejects a pending connection request.
// PortContext is handed back with each later message on this connection
// (see ZwReplyWaitReceivePort), which is the right place to keep per-client
// authorization state.
NTSYSAPI NTSTATUS NTAPI ZwAcceptConnectPort(
    OUT PHANDLE PortHandle,
    IN PVOID PortContext,
    IN PPORT_MESSAGE ConnectionRequest,
    IN BOOLEAN AcceptConnection,
    IN OUT PPORT_VIEW ServerView OPTIONAL,
    OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
    );

NTSYSAPI NTSTATUS NTAPI ZwCompleteConnectPort(
    IN HANDLE PortHandle
    );

// Sends a request without waiting for a reply.
NTSYSAPI NTSTATUS NTAPI ZwRequestPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE RequestMessage
    );


// Sends RequestMessage and blocks until ReplyMessage is filled in.  The
// reply buffer must be large enough for the port's MaxMessageLength.
NTSYSAPI NTSTATUS NTAPI ZwRequestWaitReplyPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE RequestMessage,
    OUT PPORT_MESSAGE ReplyMessage
    );

NTSYSAPI NTSTATUS NTAPI ZwReplyPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE ReplyMessage
    );

NTSYSAPI NTSTATUS NTAPI ZwReplyWaitReplyPort(
    IN HANDLE PortHandle,
    IN OUT PPORT_MESSAGE ReplyMessage
    );

// Server receive loop primitive: optionally sends ReplyMessage, then blocks
// for the next message.  PortContext receives whatever was passed to
// ZwAcceptConnectPort for the sending connection.
NTSYSAPI NTSTATUS NTAPI ZwReplyWaitReceivePort(
    IN HANDLE PortHandle,
    OUT PVOID *PortContext OPTIONAL,
    IN PPORT_MESSAGE ReplyMessage OPTIONAL,
    OUT PPORT_MESSAGE ReceiveMessage
    );

// Impersonates the sender of Message on the calling thread.  NOTE(review):
// the level obtained is bounded by the SecurityQos the client supplied when
// connecting, so a server must inspect the resulting thread token before
// relying on it, and must revert when done.
NTSYSAPI NTSTATUS NTAPI ZwImpersonateClientOfPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE Message
    );

// Copies data entry DataEntryIndex of Message out of the client's address
// space into Buffer (at most BufferSize bytes).
NTSYSAPI NTSTATUS NTAPI ZwReadRequestData(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE Message,
    IN ULONG DataEntryIndex,
    OUT PVOID Buffer,
    IN ULONG BufferSize,
    OUT PULONG NumberOfBytesRead OPTIONAL
    );

// Writes Buffer into data entry DataEntryIndex of Message in the client's
// address space; the entry's location and size come from the client-supplied
// message, so validate before use.
NTSYSAPI NTSTATUS NTAPI ZwWriteRequestData(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE Message,
    IN ULONG DataEntryIndex,
    IN PVOID Buffer,
    IN ULONG BufferSize,
    OUT PULONG NumberOfBytesWritten OPTIONAL
    );

// Creates a bare process object (no initial thread) from SectionHandle, or
// a clone of InheritFromProcessHandle's address space when SectionHandle is
// NULL.  InheritHandles TRUE copies the parent's inheritable handles.
NTSYSAPI NTSTATUS NTAPI ZwCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE InheritFromProcessHandle,
    IN BOOLEAN InheritHandles,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL
    );
// Thread Environment Block -- partial definition (leading fields only); read
// through THREAD_BASIC_INFORMATION.TebBaseAddress, never sizeof()/embed.
typedef struct _TEB
{
    NT_TIB NtTib;
    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    struct _PEB *ProcessEnvironmentBlock;
} TEB, *PTEB;

// ZwQueryInformationThread(ThreadBasicInformation) result; TebBaseAddress is
// an address in the target process.
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PTEB TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    LONG BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

// Classes for ZwQueryInformationThread / ZwSetInformationThread; same
// ordering caveat as the other class enums.  ThreadHideFromDebugger (17) is
// the classic anti-debugging setting and ThreadImpersonationToken (5) swaps
// the thread's token -- both worth flagging in detection tooling.
typedef enum _THREADINFOCLASS
{
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    MaxThreadInfoClass
} THREADINFOCLASS;

NTSYSAPI NTSTATUS NTAPI ZwSetInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID ProcessInformation,
    IN ULONG ProcessInformationLength);

// ProcessInformationLength must match the class's structure exactly (e.g.
// sizeof(PROCESS_BASIC_INFORMATION)); a mismatch presumably yields
// STATUS_INFO_LENGTH_MISMATCH.
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

NTSYSAPI NTSTATUS NTAPI ZwSetInformationThread(
    IN HANDLE ThreadHandle,
    IN THREADINFOCLASS ThreadInformationClass,
    IN PVOID ThreadInformation,
    IN ULONG ThreadInformationLength
    );

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationThread(
    IN HANDLE ThreadHandle,
    IN THREADINFOCLASS ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

// Opens a thread by ClientId (or by name via ObjectAttributes).  Request the
// minimum DesiredAccess the caller actually needs.
NTSYSAPI NTSTATUS NTAPI ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
    );
// Opens a process by ClientId.UniqueProcess (UniqueThread is left NULL).
// Same least-privilege note as ZwOpenThread.
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );

NTSYSAPI NTSTATUS NTAPI ZwAlertResumeThread(
    IN HANDLE ThreadHandle,
    OUT PULONG PreviousSuspendCount OPTIONAL
    );

NTSYSAPI NTSTATUS NTAPI ZwAlertThread(
    IN HANDLE ThreadHandle
    );

// Allocates an RTL_DEBUG_INFORMATION (NULL on failure -- check it) to be
// filled by RtlQueryProcessDebugInformation and freed with
// RtlDestroyQueryDebugBuffer.
NTSYSAPI PRTL_DEBUG_INFORMATION NTAPI RtlCreateQueryDebugBuffer(
    IN ULONG MaximumCommit OPTIONAL,
    IN BOOLEAN UseEventPair
    );

NTSYSAPI NTSTATUS NTAPI RtlDestroyQueryDebugBuffer(
    IN PRTL_DEBUG_INFORMATION Buffer
    );

// Collects the information selected by Flags (RTL_QUERY_PROCESS_* below)
// about the process with id UniqueProcessId into Buffer.
NTSYSAPI NTSTATUS NTAPI RtlQueryProcessDebugInformation(
    IN HANDLE UniqueProcessId,
    IN ULONG Flags,
    IN OUT PRTL_DEBUG_INFORMATION Buffer
    );

// Flags for RtlQueryProcessDebugInformation.
#define RTL_QUERY_PROCESS_MODULES 0x00000001
#define RTL_QUERY_PROCESS_HEAP_SUMMARY 0x00000004
#define RTL_QUERY_PROCESS_HEAP_TAGS 0x00000008
#define RTL_QUERY_PROCESS_HEAP_ENTRIES 0x00000010
// NOTE(review): declared without NTSYSAPI unlike its siblings.  Harmless
// while NTSYSAPI expands to nothing, but inconsistent if that ever changes.
NTSTATUS NTAPI RtlQueryProcessModuleInformation(
    IN OUT PRTL_DEBUG_INFORMATION Buffer
    );

NTSYSAPI NTSTATUS NTAPI RtlQueryProcessHeapInformation(
    IN OUT PRTL_DEBUG_INFORMATION Buffer
    );

// Image attributes of a section, as reported for an image section.
typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID TransferAddress;
    ULONG ZeroBits;
    SIZE_T MaximumStackSize;
    SIZE_T CommittedStackSize;
    ULONG SubSystemType;
    union {
        struct {
            USHORT SubSystemMinorVersion;
            USHORT SubSystemMajorVersion;
        };
        ULONG SubSystemVersion;
    };
    ULONG GpValue;
    USHORT ImageCharacteristics;
    USHORT DllCharacteristics;
    USHORT Machine;
    BOOLEAN ImageContainsCode;
    BOOLEAN Spare1;
    ULONG LoaderFlags;
    ULONG Reserved[ 2 ];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

// Handles and ids of a newly created process; Length = sizeof on input.
typedef struct _RTL_USER_PROCESS_INFORMATION {
    ULONG Length;
    HANDLE Process;
    HANDLE Thread;
    CLIENT_ID ClientId;
    SECTION_IMAGE_INFORMATION ImageInformation;
} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;

// Reserves/commits memory in ProcessHandle (any process the caller has a
// suitable handle to).  AllocationSize is a 32-bit ULONG here (32-bit only).
// NOTE(review): avoid PAGE_EXECUTE_READWRITE in Protect -- allocate W^X and
// flip protections after writing.
NTSYSAPI NTSTATUS NTAPI ZwAllocateVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG AllocationSize,
    IN ULONG AllocateType,
    IN ULONG Protect);

NTSYSAPI NTSTATUS NTAPI ZwFreeVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG FreeSize,
    IN ULONG FreeType);

// Creates a section backed by FileHandle (or the page file when NULL).  A
// named section (ObjectAttributes.ObjectName) needs an explicit DACL if other
// security contexts can reach the namespace.
NTSYSAPI NTSTATUS NTAPI ZwCreateSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PLARGE_INTEGER SectionSize OPTIONAL,
    IN ULONG Protect,
    IN ULONG Attributes,
    IN HANDLE FileHandle);

NTSYSAPI NTSTATUS NTAPI ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );

// InheritDisposition values for ZwMapViewOfSection.
#define VIEW_SHARE 1
#define VIEW_UNMAP 2
#define ViewShare VIEW_SHARE
#define ViewUnmap VIEW_UNMAP

// Maps a view of SectionHandle into ProcessHandle (which may be another
// process -- the usual injection primitive; treat cross-process use as
// security-sensitive).  ViewSize is a 32-bit ULONG here (32-bit only).
NTSYSAPI NTSTATUS NTAPI ZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PULONG ViewSize,
    IN ULONG InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect);

NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress);

// EventType takes the EVENT_TYPE enum values declared above.
NTSYSAPI NTSTATUS NTAPI ZwCreateEvent(
    OUT PHANDLE EventHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG EventType,
    IN BOOLEAN InitialState);

// Creates or opens a file.  ObjectAttributes.ObjectName is presumably an
// NT-style path, not a Win32 one.  Check both the return value and
// IoStatusBlock.Status / .Information (the latter reports the disposition
// actually taken).
NTSYSAPI NTSTATUS NTAPI ZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    );

NTSYSAPI NTSTATUS NTAPI ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );

// Length is the size of FileInformation; on STATUS_BUFFER_OVERFLOW-style
// partial results the variable-length classes (FileNameInformation) need a
// larger buffer and a retry.
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );

NTSYSAPI NTSTATUS NTAPI ZwSetInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );

// Reads up to Length bytes into Buffer.  The bytes actually read are
// presumably reported in IoStatusBlock.Information -- never assume the full
// Length was transferred.  With Event/ApcRoutine NULL the completion must
// still be awaited on an asynchronous handle before Buffer is used.
NTSYSAPI NTSTATUS NTAPI ZwReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );

// Writes Length bytes from Buffer; same completion caveats as ZwReadFile.
NTSYSAPI NTSTATUS NTAPI ZwWriteFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );

// Closes any handle obtained from the calls above; check the status, a
// failure usually means a double close or an invalid handle.
NTSYSAPI NTSTATUS NTAPI ZwClose(
    IN HANDLE Handle
    );

// Sends a file-system control code (FSCTL_*) to the driver behind
// FileHandle; the input buffer is parsed by that driver.
NTSYSAPI NTSTATUS NTAPI ZwFsControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG FsControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT
PVOID OutputBuffer OPTIONAL, 1454 IN ULONG OutputBufferLength); 1455 1456 NTSYSAPI 1457 NTSTATUS 1458 NTAPI 1459 ZwDeviceIoControlFile( 1460 IN HANDLE FileHandle, 1461 IN HANDLE Event OPTIONAL, 1462 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 1463 IN PVOID ApcContext OPTIONAL, 1464 OUT PIO_STATUS_BLOCK IoStatusBlock, 1465 IN ULONG IoControlCode, 1466 IN PVOID InputBuffer OPTIONAL, 1467 IN ULONG InputBufferLength, 1468 OUT PVOID OutputBuffer OPTIONAL, 1469 IN ULONG OutputBufferLength 1470 ); 1471 1472 typedef struct _KEY_BASIC_INFORMATION { 1473 LARGE_INTEGER LastWriteTime; 1474 ULONG TitleIndex; 1475 ULONG NameLength; 1476 WCHAR Name[1]; 1477 } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 1478 1479 typedef struct _KEY_NODE_INFORMATION { 1480 LARGE_INTEGER LastWriteTime; 1481 ULONG TitleIndex; 1482 ULONG ClassOffset; 1483 ULONG ClassLength; 1484 ULONG NameLength; 1485 WCHAR Name[1]; 1486 // WCHAR Class[1] // follows Name 1487 } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 1488 1489 typedef struct _KEY_FULL_INFORMATION { 1490 LARGE_INTEGER LastWriteTime; 1491 ULONG TitleIndex; 1492 ULONG ClassOffset; 1493 ULONG ClassLength; 1494 ULONG SubKeys; 1495 ULONG MaxNameLen; 1496 ULONG MaxClassLen; 1497 ULONG Values; 1498 ULONG MaxValueNameLen; 1499 ULONG MaxValueDataLen; 1500 WCHAR Class[1]; 1501 } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 1502 1503 typedef struct _KEY_NAME_INFORMATION { 1504 ULONG NameLength; 1505 WCHAR Name[1]; 1506 } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 1507 1508 typedef struct _KEY_CACHED_INFORMATION { 1509 LARGE_INTEGER LastWriteTime; 1510 ULONG TitleIndex; 1511 ULONG SubKeys; 1512 ULONG MaxNameLen; 1513 ULONG Values; 1514 ULONG MaxValueNameLen; 1515 ULONG MaxValueDataLen; 1516 ULONG NameLength; 1517 WCHAR Name[1]; // Variable length string 1518 } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 1519 1520 typedef struct _KEY_FLAGS_INFORMATION { 1521 ULONG UserFlags; 1522 } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 1523 1524 typedef 
enum _KEY_INFORMATION_CLASS { 1525 KeyBasicInformation, 1526 KeyNodeInformation, 1527 KeyFullInformation, 1528 KeyNameInformation, 1529 KeyCachedInformation, 1530 KeyFlagsInformation 1531 } KEY_INFORMATION_CLASS; 1532 1533 typedef struct _KEY_WRITE_TIME_INFORMATION { 1534 LARGE_INTEGER LastWriteTime; 1535 } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; 1536 1537 typedef struct _KEY_USER_FLAGS_INFORMATION { 1538 ULONG UserFlags; 1539 } KEY_USER_FLAGS_INFORMATION, *PKEY_USER_FLAGS_INFORMATION; 1540 1541 typedef enum _KEY_SET_INFORMATION_CLASS { 1542 KeyWriteTimeInformation, 1543 KeyUserFlagsInformation 1544 } KEY_SET_INFORMATION_CLASS; 1545 1546 typedef struct _KEY_VALUE_BASIC_INFORMATION { 1547 ULONG TitleIndex; 1548 ULONG Type; 1549 ULONG NameLength; 1550 WCHAR Name[1]; 1551 } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 1552 1553 typedef struct _KEY_VALUE_FULL_INFORMATION { 1554 ULONG TitleIndex; 1555 ULONG Type; 1556 ULONG DataOffset; 1557 ULONG DataLength; 1558 ULONG NameLength; 1559 WCHAR Name[1]; 1560 // WCHAR Data[1]; // follows Name 1561 } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 1562 1563 typedef struct _KEY_VALUE_PARTIAL_INFORMATION { 1564 ULONG TitleIndex; 1565 ULONG Type; 1566 ULONG DataLength; 1567 UCHAR Data[1]; 1568 } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 1569 1570 typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 { 1571 ULONG Type; 1572 ULONG DataLength; 1573 UCHAR Data[1]; 1574 } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; 1575 1576 typedef struct _KEY_VALUE_ENTRY { 1577 PUNICODE_STRING ValueName; 1578 ULONG DataLength; 1579 ULONG DataOffset; 1580 ULONG Type; 1581 } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 1582 1583 typedef enum _KEY_VALUE_INFORMATION_CLASS { 1584 KeyValueBasicInformation, 1585 KeyValueFullInformation, 1586 KeyValuePartialInformation, 1587 KeyValueFullInformationAlign64, 1588 KeyValuePartialInformationAlign64 1589 } 
KEY_VALUE_INFORMATION_CLASS; 1590 1591 NTSYSAPI 1592 NTSTATUS 1593 NTAPI ZwEnumerateKey( 1594 IN HANDLE KeyHandle, 1595 IN ULONG Index, 1596 IN KEY_INFORMATION_CLASS KeyInformationClass, 1597 OUT PVOID KeyInformation, 1598 IN ULONG KeyInformationLength, 1599 OUT PULONG ResultLength 1600 ); 1601 1602 NTSYSAPI 1603 NTSTATUS 1604 NTAPI 1605 ZwEnumerateValueKey( 1606 IN HANDLE KeyHandle, 1607 IN ULONG Index, 1608 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 1609 OUT PVOID KeyValueInformation, 1610 IN ULONG KeyValueInformationLength, 1611 OUT PULONG ResultLength 1612 ); 1613 1614 NTSYSAPI 1615 NTSTATUS 1616 NTAPI 1617 ZwSaveKey( 1618 IN HANDLE KeyHandle, 1619 IN HANDLE FileHandle 1620 ); 1621 1622 NTSYSAPI 1623 NTSTATUS 1624 NTAPI 1625 ZwOpenDirectoryObject( 1626 OUT HANDLE DirectoryHandle, 1627 IN ACCESS_MASK DesiredAccess, 1628 IN POBJECT_ATTRIBUTES ObjectAttributes); 1629 1630 1631 NTSYSAPI 1632 NTSTATUS 1633 NTAPI 1634 ZwQueryDirectoryObject( 1635 IN HANDLE DirectoryHandle, 1636 OUT PVOID Buffer, 1637 IN ULONG BufferLength, 1638 IN BOOLEAN ReturnSingleEntry, 1639 IN BOOLEAN RestartScan, 1640 IN OUT PULONG Context, 1641 OUT PULONG ReturnLength OPTIONAL 1642 ); 1643 1644 NTSYSAPI 1645 NTSTATUS 1646 NTAPI 1647 ZwCreateToken( 1648 OUT PHANDLE TokenHandle, 1649 IN ACCESS_MASK DesiredAccess, 1650 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1651 IN TOKEN_TYPE TokenType, 1652 IN PLUID AuthenticationId, 1653 IN PLARGE_INTEGER ExpirationTime, 1654 IN PTOKEN_USER User, 1655 IN PTOKEN_GROUPS Groups, 1656 IN PTOKEN_PRIVILEGES Privileges, 1657 IN PTOKEN_OWNER Owner OPTIONAL, 1658 IN PTOKEN_PRIMARY_GROUP PrimaryGroup, 1659 IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, 1660 IN PTOKEN_SOURCE TokenSource 1661 ); 1662 1663 NTSYSAPI 1664 NTSTATUS 1665 NTAPI 1666 ZwSetInformationToken( 1667 IN HANDLE TokenHandle, 1668 IN TOKEN_INFORMATION_CLASS TokenInformationClass, 1669 IN PVOID TokenInformation, 1670 IN ULONG TokenInformationLength 1671 ); 1672 1673 NTSYSAPI 1674 
NTSTATUS 1675 NTAPI 1676 ZwQueryInformationToken( 1677 IN HANDLE TokenHandle, 1678 IN TOKEN_INFORMATION_CLASS ProcessInformationClass, 1679 OUT PVOID ProcessInformation, 1680 IN ULONG ProcessInformationLength, 1681 OUT PULONG ReturnLength OPTIONAL 1682 ); 1683 1684 NTSYSAPI 1685 NTSTATUS 1686 NTAPI 1687 ZwImpersonateThread( 1688 IN HANDLE ServerThreadHandle, 1689 IN HANDLE ClientThreadHandle, 1690 IN PSECURITY_QUALITY_OF_SERVICE SecurityQos 1691 ); 1692 1693 NTSYSAPI 1694 NTSTATUS 1695 NTAPI 1696 ZwCreateSymbolicLinkObject( 1697 OUT PHANDLE LinkHandle, 1698 IN ACCESS_MASK DesiredAccess, 1699 IN POBJECT_ATTRIBUTES ObjectAttributes, 1700 IN PUNICODE_STRING LinkTarget 1701 ); 1702 1703 NTSYSAPI 1704 NTSTATUS 1705 NTAPI 1706 ZwOpenSymbolicLinkObject( 1707 OUT PHANDLE LinkHandle, 1708 IN ACCESS_MASK DesiredAccess, 1709 IN POBJECT_ATTRIBUTES ObjectAttributes 1710 ); 1711 1712 NTSYSAPI 1713 NTSTATUS 1714 NTAPI 1715 ZwQuerySymbolicLinkObject( 1716 IN HANDLE LinkHandle, 1717 IN OUT PUNICODE_STRING LinkTarget, 1718 OUT PULONG ReturnedLength OPTIONAL 1719 ); 1720 1721 NTSYSAPI 1722 VOID 1723 NTAPI 1724 ZwYieldExecution(); 1725 1726 NTSYSAPI 1727 VOID 1728 NTAPI 1729 RtlInitUnicodeString( 1730 PUNICODE_STRING DestinationString, 1731 PCWSTR SourceString 1732 ); 1733 NTSYSAPI 1734 VOID 1735 NTAPI 1736 RtlFreeUnicodeString( 1737 PUNICODE_STRING UnicodeString 1738 ); 1739 1740 NTSYSAPI 1741 NTSTATUS 1742 NTAPI 1743 ZwLoadDriver(IN PUNICODE_STRING UnicodeString); 1744 1745 typedef enum _SHUTDOWN_ACTION 1746 { 1747 ShutdownNoReboot, 1748 ShutdownReboot, 1749 ShutdownPowerOff 1750 } SHUTDOWN_ACTION; 1751 1752 NTSYSAPI 1753 NTSTATUS 1754 NTAPI 1755 ZwShutdownSystem( 1756 IN SHUTDOWN_ACTION Action 1757 ); 1758 1759 NTSYSAPI 1760 NTSTATUS 1761 NTAPI 1762 ZwSetSystemEnvironmentValue( 1763 IN PUNICODE_STRING Name, 1764 IN PUNICODE_STRING Value 1765 ); 1766 1767 1768 NTSYSAPI 1769 NTSTATUS 1770 NTAPI 1771 ZwSetSystemTime( 1772 IN PLARGE_INTEGER NewTime, 1773 OUT PLARGE_INTEGER OldTime 
OPTIONAL 1774 ); 1775 1776 NTSYSAPI 1777 PVOID 1778 NTAPI 1779 RtlDestroyHeap( 1780 IN PVOID HeapHandle 1781 ); 1782 1783 NTSYSAPI 1784 PVOID 1785 NTAPI 1786 RtlAllocateHeap( 1787 IN PVOID HeapHandle, 1788 IN ULONG Flags, 1789 IN ULONG Size 1790 ); 1791 1792 NTSYSAPI 1793 BOOLEAN 1794 NTAPI 1795 RtlFreeHeap( 1796 IN PVOID HeapHandle, 1797 IN ULONG Flags, 1798 IN PVOID BaseAddress 1799 ); 1800 1801 KUSER_SHARED_DATA *GetSharedData(); 1802 BOOL GetNtGlobalFlag(DWORD *OutFlags); 1803 BOOL SetNtGlobalFlag(DWORD Flags); 1804 1805 1806 NTSYSAPI 1807 NTSTATUS 1808 NTAPI 1809 RtlNtStatusToDosError( 1810 NTSTATUS Status 1811 ); 1812 1813 #ifdef __cplusplus 1814 } 1815 #endif 1816 #endif // NTDLL_H 1817