diff --git a/GleeBug/Debugger.cpp b/GleeBug/Debugger.cpp
index d98e87d..8e388f9 100644
--- a/GleeBug/Debugger.cpp
+++ b/GleeBug/Debugger.cpp
@@ -54,12 +54,12 @@ namespace GleeBug
 return result;
 }
 
- bool Debugger::Attach(DWORD processId)
+ bool Debugger::Attach(DWORD processId, decltype(&DebugActiveProcess) debugActiveProcess)
 {
 //don't allow attaching when still debugging
 if(mIsDebugging)
 return false;
- if(!DebugActiveProcess(processId))
+ if(!debugActiveProcess(processId))
 return false;
 mAttachedToProcess = true;
 memset(&mMainStartupInfo, 0, sizeof(mMainStartupInfo));
diff --git a/GleeBug/Debugger.h b/GleeBug/Debugger.h
index 8eddc32..7f487cc 100644
--- a/GleeBug/Debugger.h
+++ b/GleeBug/Debugger.h
@@ -47,7 +47,7 @@ namespace GleeBug
 \param processId Process to attach to.
 \return true if the debuggee was attached to successfully, false otherwise.
 */
- bool Attach(DWORD processId);
+ bool Attach(DWORD processId, decltype(&DebugActiveProcess) = &DebugActiveProcess);
 
 /**
 \brief Stops the debuggee (terminate the process)
diff --git a/TitanEngineEmulator/Emulator.h b/TitanEngineEmulator/Emulator.h
index b8ecb03..c9043fb 100644
--- a/TitanEngineEmulator/Emulator.h
+++ b/TitanEngineEmulator/Emulator.h
@@ -3,9 +3,9 @@
 #include 
 #include 
 #include "TitanEngine.h"
-#include "ntdll.h"
 #include "FileMap.h"
 #include "PEB.h"
+#include "NativeAttach.h"
 #include "Global.Engine.Context.h"
 #include "Hider.h"
@@ -67,7 +67,7 @@ public:
 bool AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack)
 {
- if(!Attach(ProcessId))
+ if(!Attach(ProcessId, mSafeAttach ? DebugActiveProcess_ : DebugActiveProcess))
 return false;
 mCbATTACHBREAKPOINT = STEPCALLBACK(CallBack);
 mAttachProcessInfo = (PROCESS_INFORMATION*)DebugInfo;
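Review bot: The injected `debugActiveProcess` pointer is invoked on the new `if(!debugActiveProcess(processId))` line without being checked, so a caller that passes a null function pointer crashes inside Attach instead of receiving the `false` the function returns for every other failure. A guard ahead of the call, `if(!debugActiveProcess) return false;`, keeps the documented contract. Attach's body continues past the end of the hunk.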
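Review bot: The Doxygen block above the new `Attach` prototype still documents only `processId`; the added `decltype(&DebugActiveProcess)` parameter is both unnamed and undocumented, so a reader of the header gets no hint that it exists or when the default should be replaced. Naming it as Debugger.cpp does and adding `\param debugActiveProcess Function used to attach to the process; defaults to DebugActiveProcess.` would make the override discoverable.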
@@ -182,8 +182,15 @@ public:
 void SetEngineVariable(DWORD VariableId, bool VariableSet)
 {
- if (VariableId == UE_ENGINE_SET_DEBUG_PRIVILEGE)
+ switch (VariableId)
+ {
+ case UE_ENGINE_SET_DEBUG_PRIVILEGE:
 mSetDebugPrivilege = VariableSet;
+ break;
+ case UE_ENGINE_SAFE_ATTACH:
+ mSafeAttach = VariableSet;
+ break;
+ }
 }
 //Misc
@@ -1145,6 +1152,7 @@ private: //functions
 private: //variables
 bool mSetDebugPrivilege = false;
+ bool mSafeAttach = false;
 typedef void(*CUSTOMHANDLER)(const void*);
 typedef void(*STEPCALLBACK)();
 typedef STEPCALLBACK BPCALLBACK;
diff --git a/TitanEngineEmulator/NativeAttach.h b/TitanEngineEmulator/NativeAttach.h
new file mode 100644
index 0000000..567b119
--- /dev/null
+++ b/TitanEngineEmulator/NativeAttach.h
@@ -0,0 +1,191 @@
+#pragma once
+
+static DWORD BaseSetLastNTError(IN NTSTATUS Status)
+{
+ DWORD dwErrCode;
+ dwErrCode = RtlNtStatusToDosError(Status);
+ SetLastError(dwErrCode);
+ return dwErrCode;
+}
+
+static HANDLE WINAPI ProcessIdToHandle(IN DWORD dwProcessId)
+{
+ NTSTATUS Status;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ HANDLE Handle;
+ CLIENT_ID ClientId;
+
+ /* If we don't have a PID, look it up */
+ //if (dwProcessId == MAXDWORD) dwProcessId = (DWORD_PTR)CsrGetProcessId();
+
+ /* Open a handle to the process */
+ ClientId.UniqueThread = NULL;
+ ClientId.UniqueProcess = UlongToHandle(dwProcessId);
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ Status = NtOpenProcess(&Handle,
+ PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
+ PROCESS_VM_WRITE | PROCESS_VM_READ |
+ PROCESS_SUSPEND_RESUME | PROCESS_QUERY_INFORMATION,
+ &ObjectAttributes,
+ &ClientId);
+ if (!NT_SUCCESS(Status))
+ {
+ /* Fail */
+ BaseSetLastNTError(Status);
+ return 0;
+ }
+
+ /* Return the handle */
+ return Handle;
+}
+
+#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
+#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
+#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
+#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
+#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
+#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
+
+static NTSTATUS CreateThreadSkipAttach(IN HANDLE ProcessHandle, IN PUSER_THREAD_START_ROUTINE StartRoutine, IN PVOID Argument)
+{
+ NTSTATUS Status;
+ HANDLE hThread;
+
+ typedef NTSTATUS(NTAPI *t_NtCreateThreadEx)(
+ PHANDLE /* ThreadHandle */,
+ ACCESS_MASK /* DesiredAccess */,
+ POBJECT_ATTRIBUTES /* ObjectAttributes */,
+ HANDLE /* ProcessHandle */,
+ PUSER_THREAD_START_ROUTINE /* StartRoutine */,
+ PVOID /* Argument */,
+ ULONG /* CreateFlags */,
+ ULONG_PTR /* ZeroBits */,
+ SIZE_T /* StackSize */,
+ SIZE_T /* MaximumStackSize */,
+ PPS_ATTRIBUTE_LIST /* AttributeList */
+ );
+
+ auto p_NtCreateThreadEx = (t_NtCreateThreadEx)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateThreadEx");
+ if (p_NtCreateThreadEx)
+ {
+ // Based on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/339263/16/client/crashpad_client_win.cc#697
+ Status = p_NtCreateThreadEx(&hThread,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ nullptr,
+ ProcessHandle,
+ StartRoutine,
+ Argument,
+ THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH,
+ 0,
+ 0x4000 /* PAGE_SIZE * 4 */,
+ 0x4000,
+ nullptr);
+ }
+ else
+ {
+ CLIENT_ID ClientId;
+ Status = RtlCreateUserThread(ProcessHandle,
+ NULL,
+ FALSE,
+ 0,
+ 0x4000,
+ 0x4000 /* PAGE_SIZE * 4 */,
+ StartRoutine,
+ Argument,
+ &hThread,
+ &ClientId);
+ }
+
+ if (NT_SUCCESS(Status))
+ {
+ NtClose(hThread);
+ }
+
+ return Status;
+}
+
+static NTSTATUS NTAPI DbgUiIssueRemoteBreakin_(IN HANDLE Process)
+{
+ PUSER_THREAD_START_ROUTINE RemoteBreakFunction = (PUSER_THREAD_START_ROUTINE)DbgUiRemoteBreakin;
+ LPVOID RemoteMemory = VirtualAllocEx(Process, 0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ);
+ if (RemoteMemory)
+ {
+ SIZE_T written = 0;
+ unsigned char payload[] = { 0xCC, 0xC3 };
+ if (WriteProcessMemory(Process, RemoteMemory, payload, sizeof(payload), &written))
+ {
+ RemoteBreakFunction = (PUSER_THREAD_START_ROUTINE)RemoteMemory;
+ }
+ else
+ {
+ VirtualFreeEx(Process, RemoteMemory, 0, MEM_RELEASE);
+ }
+ }
+
+ /* Create the thread that will perform the breakin (on Vista+ it will skip DllMain and TLS callbacks) */
+ return CreateThreadSkipAttach(Process, RemoteBreakFunction, NULL);
+}
+
+static NTSTATUS NTAPI DbgUiDebugActiveProcess_(IN HANDLE Process)
+{
+ /* Tell the kernel to start debugging */
+ NTSTATUS Status = NtDebugActiveProcess(Process, NtCurrentTeb()->DbgSsReserved[1]);
+ if (NT_SUCCESS(Status))
+ {
+ /* Now break-in the process */
+ Status = DbgUiIssueRemoteBreakin_(Process);
+ if (!NT_SUCCESS(Status))
+ {
+ /* We couldn't break-in, cancel debugging */
+ DbgUiStopDebugging(Process);
+ }
+ }
+
+ /* Return status */
+ return Status;
+}
+
+static NTSTATUS NTAPI DbgUiConnectToDbg_()
+{
+ if (NtCurrentTeb()->DbgSsReserved[1] != NULL)
+ return STATUS_SUCCESS;
+
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ return NtCreateDebugObject(&NtCurrentTeb()->DbgSsReserved[1], DEBUG_ALL_ACCESS, &ObjectAttributes, 0);
+}
+
+// Source: https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/dll/win32/kernel32/client/debugger.c#L480
+BOOL WINAPI DebugActiveProcess_(IN DWORD dwProcessId)
+{
+ /* Connect to the debugger */
+ NTSTATUS Status = DbgUiConnectToDbg_();
+ if (!NT_SUCCESS(Status))
+ {
+ BaseSetLastNTError(Status);
+ return FALSE;
+ }
+
+ /* Get the process handle */
+ HANDLE Handle = ProcessIdToHandle(dwProcessId);
+ if (!Handle)
+ {
+ return FALSE;
+ }
+
+ /* Now debug the process */
+ Status = DbgUiDebugActiveProcess_(Handle);
+
+ /* Close the handle since we're done */
+ NtClose(Handle);
+
+ /* Check if debugging worked */
+ if (!NT_SUCCESS(Status))
+ {
+ /* Fail */
+ BaseSetLastNTError(Status);
+ return FALSE;
+ }
+
+ /* Success */
+}
\ No newline at end of file
diff --git a/TitanEngineEmulator/TitanEngine.h b/TitanEngineEmulator/TitanEngine.h
index 0a44c83..9c0a2b4 100644
--- a/TitanEngineEmulator/TitanEngine.h
+++ b/TitanEngineEmulator/TitanEngine.h
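Review bot: `DebugActiveProcess_` runs off the end of its body after the `/* Success */` comment without returning a value, so the BOOL that Emulator.h's `AttachDebugger` tests is whatever the return register happens to hold on the success path; add `return TRUE;` after the comment. `DebugActiveProcess_` is also the only function in this header defined without `static`, so including NativeAttach.h from a second translation unit would produce a duplicate-definition link error; marking it `static` like the helpers above it avoids that. In `DbgUiIssueRemoteBreakin_` the page obtained from `VirtualAllocEx` with PAGE_EXECUTE_READ is only released on the `WriteProcessMemory` failure branch; on the success path nothing frees it once the break-in thread has run, so each attach leaves one committed executable page behind in the debuggee, and releasing it would need the thread handle that `CreateThreadSkipAttach` currently closes before returning.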
@@ -56,31 +56,32 @@
 #define UE_ENGINE_RESET_CUSTOM_HANDLER 7
 #define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8
 #define UE_ENGINE_SET_DEBUG_PRIVILEGE 9
+#define UE_ENGINE_SAFE_ATTACH 10
 #define UE_OPTION_REMOVEALL 1
 #define UE_OPTION_DISABLEALL 2
 #define UE_OPTION_REMOVEALLDISABLED 3
 #define UE_OPTION_REMOVEALLENABLED 4
-#define UESTATIC_DECRYPTOR_XOR 1
-#define UESTATIC_DECRYPTOR_SUB 2
-#define UESTATIC_DECRYPTOR_ADD 3
+#define UE_STATIC_DECRYPTOR_XOR 1
+#define UE_STATIC_DECRYPTOR_SUB 2
+#define UE_STATIC_DECRYPTOR_ADD 3
-#define UESTATIC_DECRYPTOR_FOREWARD 1
-#define UESTATIC_DECRYPTOR_BACKWARD 2
+#define UE_STATIC_DECRYPTOR_FOREWARD 1
+#define UE_STATIC_DECRYPTOR_BACKWARD 2
-#define UESTATIC_KEY_SIZE_1 1
-#define UESTATIC_KEY_SIZE_2 2
-#define UESTATIC_KEY_SIZE_4 4
-#define UESTATIC_KEY_SIZE_8 8
+#define UE_STATIC_KEY_SIZE_1 1
+#define UE_STATIC_KEY_SIZE_2 2
+#define UE_STATIC_KEY_SIZE_4 4
+#define UE_STATIC_KEY_SIZE_8 8
-#define UESTATIC_APLIB 1
-#define UESTATIC_APLIB_DEPACK 2
-#define UESTATIC_LZMA 3
+#define UE_STATIC_APLIB 1
+#define UE_STATIC_APLIB_DEPACK 2
+#define UE_STATIC_LZMA 3
-#define UESTATIC_HASH_MD5 1
-#define UESTATIC_HASH_SHA1 2
-#define UESTATIC_HASH_CRC32 3
+#define UE_STATIC_HASH_MD5 1
+#define UE_STATIC_HASH_SHA1 2
+#define UE_STATIC_HASH_CRC32 3
 #define UE_RESOURCE_LANGUAGE_ANY -1
@@ -505,7 +506,7 @@ typedef struct HOOK_ENTRY
 #define UE_FIELD_OK 0
 #define UE_FIELD_BROKEN_NON_FIXABLE 1
 #define UE_FIELD_BROKEN_NON_CRITICAL 2
-#define UE_FIELD_BROKEN_FIXABLE_FORSTATIC_USE 3
+#define UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE 3
 #define UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED 4
 #define UE_FIELD_FIXABLE_NON_CRITICAL 5
 #define UE_FIELD_FIXABLE_CRITICAL 6
@@ -782,7 +783,7 @@ __declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(const wchar_t*
 __declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUse(const char* szFileName);
 __declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUseW(const wchar_t* szFileName);
 __declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase);
-__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName);
+__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(HMODULE hFile, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName);
 __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(const char* szFileName, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName);
 __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(const wchar_t* szFileName, char* szResourceType, const char* szResourceName, const char* szExtractedFileName);
 __declspec(dllexport) bool TITCALL ResourcerFindResource(const char* szFileName, const char* szResourceType, DWORD ResourceType, const char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
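Review bot: The exported prototype of `ResourcerExtractResourceFromFileEx` changes its first parameter from `ULONG_PTR FileMapVA` to `HMODULE hFile` with no note on what callers should now pass; the two are the same width so the export's binary layout is presumably unchanged, but any source consumer passing the `ULONG_PTR` returned by `ResourcerLoadFileForResourceUse` (declared three lines above) will stop compiling. The implementation is outside this diff, so whether the value is still a file-mapping base or now a loaded module handle cannot be confirmed here; a one-line comment on the declaration, `// hFile: module handle as returned by LoadLibraryEx, not a FileMapVA`, or whatever the implementation actually expects, would settle it for callers.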
@@ -823,6 +824,8 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D __declspec(dllexport) long TITCALL LengthDisassemble(LPVOID DisassmAddress); __declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder); __declspec(dllexport) void* TITCALL InitDebugW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder); +__declspec(dllexport) void* TITCALL InitNativeDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder); +__declspec(dllexport) void* TITCALL InitNativeDebugW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder); __declspec(dllexport) void* TITCALL InitDebugEx(const char* szFileName, const char* szCommandLine, const char* szCurrentFolder, LPVOID EntryCallBack); __declspec(dllexport) void* TITCALL InitDebugExW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, LPVOID EntryCallBack); __declspec(dllexport) void* TITCALL InitDLLDebug(const char* szFileName, bool ReserveModuleBase, const char* szCommandLine, const char* szCurrentFolder, LPVOID EntryCallBack); diff --git a/TitanEngineEmulator/TitanEngineEmulator.cpp b/TitanEngineEmulator/TitanEngineEmulator.cpp index 172a0ae..fb03228 100644 --- a/TitanEngineEmulator/TitanEngineEmulator.cpp +++ b/TitanEngineEmulator/TitanEngineEmulator.cpp @@ -1,4 +1,4 @@ -#include +#include "ntdll.h" #include "Emulator.h" Emulator emu; diff --git a/TitanEngineEmulator/TitanEngineEmulator.vcxproj b/TitanEngineEmulator/TitanEngineEmulator.vcxproj index 9795cbc..62fa71b 100644 --- a/TitanEngineEmulator/TitanEngineEmulator.vcxproj +++ b/TitanEngineEmulator/TitanEngineEmulator.vcxproj @@ -158,6 +158,8 @@ + + diff --git a/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters b/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters index c954387..3db2bb6 100644 --- a/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters 
+++ b/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters @@ -43,6 +43,12 @@ Header Files + + Header Files + + + Header Files + diff --git a/TitanEngineEmulator/ntdll.h b/TitanEngineEmulator/ntdll.h index 0ac4245..5064065 100644 --- a/TitanEngineEmulator/ntdll.h +++ b/TitanEngineEmulator/ntdll.h @@ -1,17 +1,41 @@ +#ifndef _NTDLL_H +#define _NTDLL_H + #pragma once -#include - -#ifndef _WIN64 -#pragma comment(lib, "ntdll_x86.lib") -#else -#pragma comment(lib, "ntdll_x64.lib") +#ifdef __cplusplus +extern "C" { #endif -#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) +#ifndef WIN32_NO_STATUS +#define WIN32_NO_STATUS +#endif +#include +#undef WIN32_NO_STATUS +#include +#include -typedef LONG NTSTATUS; -typedef LONG KPRIORITY; +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) +#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) + +#define FASTCALL __fastcall + +#ifndef _Reserved_ +#define _Reserved_ +#endif + +#define ALIGN_DOWN(length, type) \ + ((ULONG)(length) & ~(sizeof(type) - 1)) + +#define ALIGN_UP(length, type) \ + (ALIGN_DOWN(((ULONG)(length) + sizeof(type) - 1), type)) + +#define MIN(a,b) (((a) < (b)) ? (a) : (b)) +#define MAX(a,b) (((a) > (b)) ? (a) : (b)) + +typedef LONG NTSTATUS, *PNTSTATUS; +typedef LONG KPRIORITY, *PKPRIORITY; +typedef ULONG LOGICAL, *PLOGICAL; typedef struct _CLIENT_ID { @@ -19,6 +43,12 @@ typedef struct _CLIENT_ID HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID; +enum KPROCESSOR_MODE +{ + KernelMode, + UserMode +}; + typedef enum _KTHREAD_STATE { Initialized, @@ -29,8 +59,10 @@ typedef enum _KTHREAD_STATE Waiting, Transition, DeferredReady, - GateWait -} KTHREAD_STATE; + GateWaitObsolete, + WaitingForProcessInSwap, + MaximumThreadState +} KTHREAD_STATE, *PKTHREAD_STATE; typedef enum _KWAIT_REASON { 
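Review bot: The new `#define MIN(a,b)` and `#define MAX(a,b)` in the `@@ -1,17 +1,41 @@` hunk of ntdll.h, like the unconditional `#define FASTCALL __fastcall`, are added without `#ifndef` guards to a header that Emulator.h and TitanEngineEmulator.cpp now include, so any other header in those translation units that defines the same names will raise redefinition errors; wrapping each in `#ifndef MIN` / `#ifndef MAX` (or preferring `std::min`/`std::max` in the C++ callers) avoids that. The same hunk deletes the `#pragma comment(lib, "ntdll_x86.lib")` / `"ntdll_x64.lib")` directives while NativeAttach.h now calls NtOpenProcess, NtDebugActiveProcess, NtCreateDebugObject, DbgUiRemoteBreakin and RtlCreateUserThread; the vcxproj hunks in this commit are present but their contents were stripped, so where the ntdll import library is linked from now is not visible here and is worth confirming. The `#ifndef _NTDLL_H` guard combined with `#pragma once` is redundant but harmless.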
@@ -55,11 +87,11 @@ typedef enum _KWAIT_REASON WrVirtualMemory, WrPageOut, WrRendezvous, - Spare2, - Spare3, - Spare4, - Spare5, - Spare6, + WrKeyedEvent, + WrTerminated, + WrProcessInSwap, + WrCpuRateControl, + WrCalloutStack, WrKernel, WrResource, WrPushLock, 
@@ -71,15 +103,118 @@ typedef enum _KWAIT_REASON WrFastMutex, WrGuardedMutex, WrRundown, + WrAlertByThreadId, + WrDeferredPreempt, MaximumWaitReason } KWAIT_REASON; +typedef enum _EVENT_TYPE +{ + NotificationEvent, + SynchronizationEvent +} EVENT_TYPE; + +typedef enum _TIMER_TYPE +{ + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE; + +typedef enum _WAIT_TYPE +{ + WaitAll, + WaitAny, + WaitNotification, + WaitDequeue +} WAIT_TYPE; + +typedef enum _SECTION_INHERIT +{ + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT; + +#define HARDERROR_OVERRIDE_ERRORMODE 0x10000000 + +typedef enum _HARDERROR_RESPONSE_OPTION +{ + OptionAbortRetryIgnore, + OptionOk, + OptionOkCancel, + OptionRetryCancel, + OptionYesNo, + OptionYesNoCancel, + OptionShutdownSystem, + OptionOkNoWait, + OptionCancelTryContinue +} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION; + +typedef enum _HARDERROR_RESPONSE +{ + ResponseReturnToCaller, + ResponseNotHandled, + ResponseAbort, + ResponseCancel, + ResponseIgnore, + ResponseNo, + ResponseOk, + ResponseRetry, + ResponseYes, + ResponseTryAgain, + ResponseContinue +} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE; + typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; - PWSTR Buffer; + PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; +typedef const UNICODE_STRING* PCUNICODE_STRING; + +#define DECLARE_UNICODE_STRING_SIZE(_var, _size) \ +WCHAR _var ## _buffer[_size]; \ +__pragma(warning(push)) \ +__pragma(warning(disable:4221)) __pragma(warning(disable:4204)) \ +UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer } \ +__pragma(warning(pop)) + +#define DECLARE_STATIC_UNICODE_STRING_SIZE(_var, _size) \ +WCHAR _var ## _buffer[_size]; \ +__pragma(warning(push)) \ +__pragma(warning(disable:4221)) __pragma(warning(disable:4204)) \ +static UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer } \ +__pragma(warning(pop)) + +#if defined(__clang__) +#define RTL_CONSTANT_STRING(s) \ +__pragma(clang 
diagnostic push) \ +__pragma(clang diagnostic ignored "-Wwritable-strings") \ +{ sizeof(s) - sizeof((s)[0]), sizeof(s), s } \ +__pragma(clang diagnostic pop) +#else +#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), (PWSTR)s } +#define RTL_CONSTANT_ANSI_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), (PSTR)s } +#endif + +FORCEINLINE +VOID +RtlInitEmptyUnicodeString( + _Out_ PUNICODE_STRING UnicodeString, + _In_ PWCHAR Buffer, + _In_ USHORT BufferSize) +{ + UnicodeString->Length = 0; + UnicodeString->MaximumLength = BufferSize; + UnicodeString->Buffer = Buffer; +} + +typedef struct _STRING +{ + USHORT Length; + USHORT MaximumLength; + PCHAR Buffer; +} ANSI_STRING, *PANSI_STRING; typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION { @@ -88,6 +223,34 @@ typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION PVOID Buffer; } SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION +{ + BOOLEAN KernelDebuggerEnabled; + BOOLEAN KernelDebuggerNotPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX +{ + BOOLEAN DebuggerAllowed; + BOOLEAN DebuggerEnabled; + BOOLEAN DebuggerPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX; + +typedef struct _LDT_INFORMATION +{ + ULONG Start; + ULONG Length; + LDT_ENTRY LdtEntries[1]; +} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION; + +typedef struct _KERNEL_USER_TIMES +{ + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; + typedef struct _SYSTEM_THREAD_INFORMATION { LARGE_INTEGER KernelTime; 
@@ -100,45 +263,17 @@ typedef struct _SYSTEM_THREAD_INFORMATION LONG BasePriority; ULONG ContextSwitches; ULONG ThreadState; - ULONG WaitReason; + KWAIT_REASON WaitReason; } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; -typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO -{ - USHORT UniqueProcessId; - USHORT CreatorBackTraceIndex; - UCHAR ObjectTypeIndex; - UCHAR HandleAttributes; - USHORT HandleValue; - PVOID Object; - ULONG GrantedAccess; -} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - ULONG NumberOfHandles; - SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - -typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION -{ - SYSTEM_THREAD_INFORMATION ThreadInfo; - PVOID StackBase; - PVOID StackLimit; - PVOID Win32StartAddress; - PVOID TebAddress; /* This is only filled in on Vista and above */ - ULONG_PTR Reserved2; - ULONG_PTR Reserved3; - ULONG_PTR Reserved4; -} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; - typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; - LARGE_INTEGER SpareLi1; - LARGE_INTEGER SpareLi2; - LARGE_INTEGER SpareLi3; + LARGE_INTEGER WorkingSetPrivateSize; // Since Vista + ULONG HardFaultCount; // Since Windows 7 + ULONG NumberOfThreadsHighWatermark; // Since Windows 7 + ULONGLONG CycleTime; // Since Windows 7 LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; @@ -148,7 +283,7 @@ typedef struct _SYSTEM_PROCESS_INFORMATION HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; - ULONG_PTR PageDirectoryBase; + ULONG_PTR UniqueProcessKey; // Since Vista (requires SystemExtendedProcessInformation) SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; 
@@ -170,6 +305,382 @@ typedef struct _SYSTEM_PROCESS_INFORMATION SYSTEM_THREAD_INFORMATION Threads[1]; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; +typedef struct _PROCESS_SESSION_INFORMATION +{ + ULONG SessionId; +} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; + +// File attribute values +#define FILE_ATTRIBUTE_READONLY 0x00000001 +#define FILE_ATTRIBUTE_HIDDEN 0x00000002 +#define FILE_ATTRIBUTE_SYSTEM 0x00000004 + +#define FILE_ATTRIBUTE_DIRECTORY 0x00000010 +#define FILE_ATTRIBUTE_ARCHIVE 0x00000020 +#define FILE_ATTRIBUTE_DEVICE 0x00000040 +#define FILE_ATTRIBUTE_NORMAL 0x00000080 + +#define FILE_ATTRIBUTE_TEMPORARY 0x00000100 +#define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200 +#define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400 +#define FILE_ATTRIBUTE_COMPRESSED 0x00000800 + +#define FILE_ATTRIBUTE_OFFLINE 0x00001000 +#define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000 +#define FILE_ATTRIBUTE_ENCRYPTED 0x00004000 + +#define FILE_ATTRIBUTE_INTEGRITY_STREAM 0x00008000 +#define FILE_ATTRIBUTE_VIRTUAL 0x00010000 +#define FILE_ATTRIBUTE_NO_SCRUB_DATA 0x00020000 + +#define FILE_ATTRIBUTE_EA 0x00040000 +#define FILE_ATTRIBUTE_PINNED 0x00080000 +#define FILE_ATTRIBUTE_UNPINNED 0x00100000 +#define FILE_ATTRIBUTE_RECALL_ON_OPEN 0x00040000 +#define FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 0x00400000 + +#if NTDDI_VERSION < NTDDI_WIN8 +#define FILE_ATTRIBUTE_VALID_FLAGS 0x00007fb7 +#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000031a7 +#elif NTDDI_VERSION < NTDDI_WIN10_RS2 +#define FILE_ATTRIBUTE_VALID_FLAGS 0x0002ffb7 +#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000231a7 +#else +#define FILE_ATTRIBUTE_VALID_FLAGS 0x005affb7 +#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x001a31a7 +#endif + +// File create disposition values +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 
0x00000005 + +// File create/open option flags +#define FILE_DIRECTORY_FILE 0x00000001 +#define FILE_WRITE_THROUGH 0x00000002 +#define FILE_SEQUENTIAL_ONLY 0x00000004 +#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 + +#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define FILE_CREATE_TREE_CONNECTION 0x00000080 + +#define FILE_COMPLETE_IF_OPLOCKED 0x00000100 +#define FILE_NO_EA_KNOWLEDGE 0x00000200 +#define FILE_OPEN_FOR_RECOVERY 0x00000400 +#define FILE_RANDOM_ACCESS 0x00000800 + +#define FILE_DELETE_ON_CLOSE 0x00001000 +#define FILE_OPEN_BY_FILE_ID 0x00002000 +#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 +#define FILE_NO_COMPRESSION 0x00008000 + +#if NTDDI_VERSION >= NTDDI_WIN7 +#define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 +#define FILE_DISALLOW_EXCLUSIVE 0x00020000 +#endif +#if NTDDI_VERSION >= NTDDI_WIN8 +#define FILE_SESSION_AWARE 0x00040000 +#endif + +#define FILE_RESERVE_OPFILTER 0x00100000 +#define FILE_OPEN_REPARSE_POINT 0x00200000 +#define FILE_OPEN_NO_RECALL 0x00400000 +#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 + +#define FILE_VALID_OPTION_FLAGS 0x00ffffff +#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 +#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 +#define FILE_VALID_SET_FLAGS 0x00000036 + +// Named pipe type flags +#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 +#define FILE_PIPE_MESSAGE_TYPE 0x00000001 +#define FILE_PIPE_ACCEPT_REMOTE_CLIENTS 0x00000000 +#define FILE_PIPE_REJECT_REMOTE_CLIENTS 0x00000002 +#define FILE_PIPE_TYPE_VALID_MASK 0x00000003 + +// Named pipe completion mode flags +#define FILE_PIPE_QUEUE_OPERATION 0x00000000 +#define FILE_PIPE_COMPLETE_OPERATION 0x00000001 + +// Named pipe read mode flags +#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 +#define FILE_PIPE_MESSAGE_MODE 0x00000001 + +// NamedPipeConfiguration flags +#define FILE_PIPE_INBOUND 0x00000000 +#define FILE_PIPE_OUTBOUND 0x00000001 +#define FILE_PIPE_FULL_DUPLEX 
0x00000002 + +// NamedPipeState flags +#define FILE_PIPE_DISCONNECTED_STATE 0x00000001 +#define FILE_PIPE_LISTENING_STATE 0x00000002 +#define FILE_PIPE_CONNECTED_STATE 0x00000003 +#define FILE_PIPE_CLOSING_STATE 0x00000004 + +// NamedPipeEnd flags +#define FILE_PIPE_CLIENT_END 0x00000000 +#define FILE_PIPE_SERVER_END 0x00000001 + +typedef struct _FILE_BASIC_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _FILE_STANDARD_INFORMATION +{ + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + BOOLEAN DeletePending; + BOOLEAN Directory; +} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; + +typedef struct _FILE_POSITION_INFORMATION +{ + LARGE_INTEGER CurrentByteOffset; +} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; + +typedef struct _THREAD_BASIC_INFORMATION +{ + NTSTATUS ExitStatus; + PVOID TebBaseAddress; + CLIENT_ID ClientId; + ULONG_PTR AffinityMask; + KPRIORITY Priority; + LONG BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef struct _MEMORY_REGION_INFORMATION +{ + PVOID AllocationBase; + ULONG AllocationProtect; + union + { + ULONG RegionType; + struct + { + ULONG Private : 1; + ULONG MappedDataFile : 1; + ULONG MappedImage : 1; + ULONG MappedPageFile : 1; + ULONG MappedPhysical : 1; + ULONG DirectMapped : 1; + ULONG Reserved : 26; + } s; + } u; + SIZE_T RegionSize; + SIZE_T CommitSize; +} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; + +typedef struct _SECTION_BASIC_INFORMATION +{ + PVOID BaseAddress; + ULONG AllocationAttributes; + LARGE_INTEGER MaximumSize; +} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; + +typedef struct _SECTION_IMAGE_INFORMATION +{ + PVOID TransferAddress; // Entry point + ULONG ZeroBits; + SIZE_T MaximumStackSize; + SIZE_T CommittedStackSize; + ULONG 
SubSystemType; + union + { + struct + { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + } s1; + ULONG SubSystemVersion; + } u1; + union + { + struct + { + USHORT MajorOperatingSystemVersion; + USHORT MinorOperatingSystemVersion; + } s2; + ULONG OperatingSystemVersion; + } u2; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + union + { + UCHAR ImageFlags; + struct + { + UCHAR ComPlusNativeReady : 1; + UCHAR ComPlusILOnly : 1; + UCHAR ImageDynamicallyRelocated : 1; + UCHAR ImageMappedFlat : 1; + UCHAR BaseBelow4gb : 1; + UCHAR ComPlusPrefer32bit : 1; + UCHAR Reserved : 2; + } s3; + } u3; + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG CheckSum; +} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; + +typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION +{ + SECTION_IMAGE_INFORMATION SectionInformation; + union + { + ULONG ExtendedFlags; + struct + { + ULONG ImageReturnFlowGuardEnabled : 1; + ULONG ImageReturnFlowGuardStrict : 1; + ULONG ImageExportSuppressionEnabled : 1; + ULONG Reserved : 29; + } s; + } u; +} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION; + +typedef struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +// https://stackoverflow.com/questions/36961152/detect-windows-kit-8-0-and-windows-kit-8-1-sdks +#if defined(WINAPI_PARTITION_APP) +#if defined(WINAPI_FAMILY_SYSTEM) +#define USING_WINDOWS_10_SDK +#elif (WINAPI_PARTITION_APP == 0x00000002) || (WINAPI_PARTITION_APP == 1) +#define USING_WINDOWS_8_x_SDK +#endif +#endif + +// This struct was included in winnt.h starting in the Windows 8.0 SDK +#if !(defined(USING_WINDOWS_8_x_SDK) || defined(USING_WINDOWS_10_SDK)) +typedef struct _EXCEPTION_REGISTRATION_RECORD +{ + _EXCEPTION_REGISTRATION_RECORD* Next; + _EXCEPTION_DISPOSITION 
Handler; +} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; +#endif + +#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 +#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 + +#define LDR_GET_PROCEDURE_ADDRESS_EX_DONT_RECORD_FORWARDER 0x00000001 + +#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 +#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 + +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0 +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1 +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2 + +#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 + +typedef struct _LDR_RESOURCE_INFO +{ + ULONG_PTR Type; + ULONG_PTR Name; + ULONG_PTR Language; +} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; + +typedef struct _LDR_ENUM_RESOURCE_INFO +{ + ULONG_PTR Type; + ULONG_PTR Name; + ULONG_PTR Language; + PVOID Data; + SIZE_T Size; + ULONG_PTR Reserved; +} LDR_ENUM_RESOURCE_INFO, *PLDR_ENUM_RESOURCE_INFO; + +#define LDR_FIND_RESOURCE_LANGUAGE_CAN_FALLBACK 0x00000000 +#define LDR_FIND_RESOURCE_LANGUAGE_EXACT 0x00000004 +#define LDR_FIND_RESOURCE_LANGUAGE_REDIRECT_VERSION 0x00000008 + +typedef struct _RTL_PROCESS_MODULE_INFORMATION +{ + HANDLE Section; + PVOID MappedBase; + PVOID ImageBase; + ULONG ImageSize; + ULONG Flags; + USHORT LoadOrderIndex; + USHORT InitOrderIndex; + USHORT LoadCount; + USHORT OffsetToFileName; + UCHAR FullPathName[256]; +} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; + +typedef struct _RTL_PROCESS_MODULES +{ + ULONG NumberOfModules; + RTL_PROCESS_MODULE_INFORMATION Modules[1]; +} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; + +typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX +{ + USHORT NextOffset; + RTL_PROCESS_MODULE_INFORMATION BaseInfo; + ULONG ImageChecksum; + ULONG TimeDateStamp; + PVOID DefaultBase; +} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT 
CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX +{ + PVOID Object; + ULONG_PTR UniqueProcessId; + ULONG_PTR HandleValue; + ULONG GrantedAccess; + USHORT CreatorBackTraceIndex; + USHORT ObjectTypeIndex; + ULONG HandleAttributes; + ULONG Reserved; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; + +typedef struct _SYSTEM_HANDLE_INFORMATION_EX +{ + ULONG_PTR NumberOfHandles; + ULONG_PTR Reserved; + SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; +} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; typedef struct _OBJECT_BASIC_INFORMATION { @@ -211,6 +722,8 @@ typedef struct _OBJECT_TYPE_INFORMATION ULONG ValidAccessMask; BOOLEAN SecurityRequired; BOOLEAN MaintainHandleCount; + UCHAR TypeIndex; // Since Windows 8.1 + CHAR ReservedByte; ULONG PoolType; ULONG DefaultPagedPoolCharge; ULONG DefaultNonPagedPoolCharge; 
@@ -222,389 +735,8660 @@ typedef struct _OBJECT_TYPES_INFORMATION OBJECT_TYPE_INFORMATION TypeInformation[1]; } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; -//typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION -//{ -// ULONG Attributes; -// ACCESS_MASK GrantedAccess; -// ULONG HandleCount; -// ULONG PointerCount; -// -// ULONG Reserved[10]; // reserved for internal use -// -//} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; - -typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION +typedef struct _OBJECT_HANDLE_FLAG_INFORMATION { + BOOLEAN Inherit; + BOOLEAN ProtectFromClose; +} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; - UNICODE_STRING TypeName; - - ULONG Reserved [22]; // reserved for internal use - -} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION; - -typedef struct _PROCESS_BASIC_INFORMATION +typedef struct _DBGKM_EXCEPTION { - PVOID Reserved1; - PVOID PebBaseAddress; - PVOID Reserved2[2]; - ULONG_PTR UniqueProcessId; - PVOID Reserved3; -} PROCESS_BASIC_INFORMATION; -typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION; + EXCEPTION_RECORD ExceptionRecord; + ULONG FirstChance; +} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; -typedef struct _THREAD_BASIC_INFORMATION +typedef struct _DBGKM_CREATE_THREAD +{ + ULONG SubSystemKey; + PVOID StartAddress; +} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; + +typedef struct _DBGKM_CREATE_PROCESS +{ + ULONG SubSystemKey; + HANDLE FileHandle; + PVOID BaseOfImage; + ULONG DebugInfoFileOffset; + ULONG DebugInfoSize; + DBGKM_CREATE_THREAD InitialThread; +} DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; + +typedef struct _DBGKM_EXIT_THREAD { NTSTATUS ExitStatus; - PVOID TebBaseAddress; - CLIENT_ID ClientId; - ULONG_PTR AffinityMask; - KPRIORITY Priority; - LONG BasePriority; -} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; +} DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; + +typedef struct _DBGKM_EXIT_PROCESS +{ + NTSTATUS ExitStatus; +} DBGKM_EXIT_PROCESS, 
*PDBGKM_EXIT_PROCESS; + +typedef struct _DBGKM_LOAD_DLL +{ + HANDLE FileHandle; + PVOID BaseOfDll; + ULONG DebugInfoFileOffset; + ULONG DebugInfoSize; + PVOID NamePointer; +} DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; + +typedef struct _DBGKM_UNLOAD_DLL +{ + PVOID BaseAddress; +} DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; + +typedef enum _DBG_STATE +{ + DbgIdle, + DbgReplyPending, + DbgCreateThreadStateChange, + DbgCreateProcessStateChange, + DbgExitThreadStateChange, + DbgExitProcessStateChange, + DbgExceptionStateChange, + DbgBreakpointStateChange, + DbgSingleStepStateChange, + DbgLoadDllStateChange, + DbgUnloadDllStateChange +} DBG_STATE, *PDBG_STATE; + +typedef struct _DBGUI_CREATE_THREAD +{ + HANDLE HandleToThread; + DBGKM_CREATE_THREAD NewThread; +} DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; + +typedef struct _DBGUI_CREATE_PROCESS +{ + HANDLE HandleToProcess; + HANDLE HandleToThread; + DBGKM_CREATE_PROCESS NewProcess; +} DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; + +typedef struct _DBGUI_WAIT_STATE_CHANGE +{ + DBG_STATE NewState; + CLIENT_ID AppClientId; + union + { + DBGKM_EXCEPTION Exception; + DBGUI_CREATE_THREAD CreateThread; + DBGUI_CREATE_PROCESS CreateProcessInfo; + DBGKM_EXIT_THREAD ExitThread; + DBGKM_EXIT_PROCESS ExitProcess; + DBGKM_LOAD_DLL LoadDll; + DBGKM_UNLOAD_DLL UnloadDll; + } StateInfo; +} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; + +typedef struct _DBGSS_THREAD_DATA +{ + struct _DBGSS_THREAD_DATA* Next; + HANDLE ThreadHandle; + HANDLE ProcessHandle; + ULONG ProcessId; + ULONG ThreadId; + BOOLEAN HandleMarked; +} DBGSS_THREAD_DATA, *PDBGSS_THREAD_DATA; + +#define DbgSsSetThreadData(d) \ + NtCurrentTeb()->DbgSsReserved[0] = d + +#define DbgSsGetThreadData() \ + ((PDBGSS_THREAD_DATA)NtCurrentTeb()->DbgSsReserved[0]) + +typedef USHORT RTL_ATOM, *PRTL_ATOM; +typedef long SECURITY_STATUS; + +typedef struct _RTL_SPLAY_LINKS +{ + struct _RTL_SPLAY_LINKS* Parent; + struct _RTL_SPLAY_LINKS* LeftChild; + struct _RTL_SPLAY_LINKS* RightChild; +} 
RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; + +#define RtlInitializeSplayLinks(Links) \ +{ \ + PRTL_SPLAY_LINKS _SplayLinks; \ + _SplayLinks = (PRTL_SPLAY_LINKS)(Links); \ + _SplayLinks->Parent = _SplayLinks; \ + _SplayLinks->LeftChild = NULL; \ + _SplayLinks->RightChild = NULL; \ +} + +typedef struct _PREFIX_TABLE_ENTRY +{ + SHORT NodeTypeCode; + SHORT NameLength; + struct _PREFIX_TABLE_ENTRY* NextPrefixTree; + RTL_SPLAY_LINKS Links; + PANSI_STRING Prefix; +} PREFIX_TABLE_ENTRY, *PPREFIX_TABLE_ENTRY; + +typedef struct _PREFIX_TABLE +{ + SHORT NodeTypeCode; + SHORT NameLength; + PPREFIX_TABLE_ENTRY NextPrefixTree; +} PREFIX_TABLE, *PPREFIX_TABLE; + +typedef struct _RTL_BITMAP +{ + ULONG SizeOfBitMap; + PULONG Buffer; +} RTL_BITMAP, *PRTL_BITMAP; + +typedef struct _RTL_BITMAP_RUN +{ + ULONG StartingIndex; + ULONG NumberOfBits; +} RTL_BITMAP_RUN, *PRTL_BITMAP_RUN; + +typedef enum +{ + RtlBsdItemVersionNumber = 0x00, + RtlBsdItemProductType, + RtlBsdItemAabEnabled, + RtlBsdItemAabTimeout, + RtlBsdItemBootGood, + RtlBsdItemBootShutdown, + RtlBsdItemMax +} RTL_BSD_ITEM_TYPE, *PRTL_BSD_ITEM_TYPE; + +#define DUPLICATE_CLOSE_SOURCE 0x00000001 +#define DUPLICATE_SAME_ACCESS 0x00000002 +#define DUPLICATE_SAME_ATTRIBUTES 0x00000004 + +#define RTL_WALK_MAX_STACK_DEPTH 128 + +// These cannot be ORed together +#define RTL_WALK_KERNEL_MODE_STACK 0x00000000 // Kernel mode callers only +#define RTL_WALK_USER_MODE_STACK 0x00000001 +#define RTL_WALK_TRACE_HANDLES 0x00000300 + +typedef struct _RTL_PROCESS_VERIFIER_OPTIONS +{ + ULONG SizeStruct; + ULONG Option; + UCHAR OptionData[1]; +} RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS; + +typedef struct _RTL_DEBUG_INFORMATION +{ + HANDLE SectionHandleClient; + PVOID ViewBaseClient; + PVOID ViewBaseTarget; + ULONG_PTR ViewBaseDelta; + HANDLE EventPairClient; + HANDLE EventPairTarget; + HANDLE TargetProcessId; + HANDLE TargetThreadHandle; + ULONG Flags; + SIZE_T OffsetFree; + SIZE_T CommitSize; + SIZE_T ViewSize; + union + { + 
PRTL_PROCESS_MODULES Modules; + PRTL_PROCESS_MODULE_INFORMATION_EX ModulesEx; + }; + struct _RTL_PROCESS_BACKTRACES* BackTraces; + struct _RTL_PROCESS_HEAPS* Heaps; + struct _RTL_PROCESS_LOCKS* Locks; + PVOID SpecificHeap; + HANDLE TargetProcessHandle; + PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions; + PVOID ProcessHeap; + HANDLE CriticalSectionHandle; + HANDLE CriticalSectionOwnerThread; + PVOID Reserved[4]; +} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION; typedef VOID (*PPS_APC_ROUTINE)( - __in_opt PVOID ApcArgument1, - __in_opt PVOID ApcArgument2, - __in_opt PVOID ApcArgument3 + _In_opt_ PVOID ApcArgument1, + _In_opt_ PVOID ApcArgument2, + _In_opt_ PVOID ApcArgument3 ); +typedef struct _RTLP_CURDIR_REF* PRTLP_CURDIR_REF; + +typedef struct _RTL_RELATIVE_NAME_U +{ + UNICODE_STRING RelativeName; + HANDLE ContainingDirectory; + PRTLP_CURDIR_REF CurDirRef; +} RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U; + +typedef enum _RTL_PATH_TYPE +{ + RtlPathTypeUnknown, + RtlPathTypeUncAbsolute, + RtlPathTypeDriveAbsolute, + RtlPathTypeDriveRelative, + RtlPathTypeRooted, + RtlPathTypeRelative, + RtlPathTypeLocalDevice, + RtlPathTypeRootLocalDevice, +} RTL_PATH_TYPE; + +#define DOS_MAX_COMPONENT_LENGTH 255 +#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) + +typedef struct _CURDIR +{ + UNICODE_STRING DosPath; + HANDLE Handle; +} CURDIR, *PCURDIR; + +#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 +#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 + +typedef struct _RTL_DRIVE_LETTER_CURDIR +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + UNICODE_STRING DosPath; +} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +typedef struct _LDR_SERVICE_TAG_RECORD +{ + struct _LDR_SERVICE_TAG_RECORD* Next; + ULONG ServiceTag; +} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD; + +typedef struct _LDRP_CSLIST +{ + PSINGLE_LIST_ENTRY Tail; +} LDRP_CSLIST, *PLDRP_CSLIST; + +typedef enum 
_LDR_DDAG_STATE +{ + LdrModulesMerged = -5, + LdrModulesInitError = -4, + LdrModulesSnapError = -3, + LdrModulesUnloaded = -2, + LdrModulesUnloading = -1, + LdrModulesPlaceHolder = 0, + LdrModulesMapping = 1, + LdrModulesMapped = 2, + LdrModulesWaitingForDependencies = 3, + LdrModulesSnapping = 4, + LdrModulesSnapped = 5, + LdrModulesCondensed = 6, + LdrModulesReadyToInit = 7, + LdrModulesInitializing = 8, + LdrModulesReadyToRun = 9 +} LDR_DDAG_STATE; + +typedef struct _LDR_DDAG_NODE +{ + LIST_ENTRY Modules; + PLDR_SERVICE_TAG_RECORD ServiceTagList; + ULONG LoadCount; + ULONG LoadWhileUnloadingCount; + ULONG LowestLink; + union + { + LDRP_CSLIST Dependencies; + SINGLE_LIST_ENTRY RemovalLink; + }; + LDRP_CSLIST IncomingDependencies; + LDR_DDAG_STATE State; + SINGLE_LIST_ENTRY CondenseLink; + ULONG PreorderNumber; +} LDR_DDAG_NODE, *PLDR_DDAG_NODE; + +typedef struct _LDR_DEPENDENCY_RECORD +{ + SINGLE_LIST_ENTRY DependencyLink; + PLDR_DDAG_NODE DependencyNode; + SINGLE_LIST_ENTRY IncomingDependencyLink; + PLDR_DDAG_NODE IncomingDependencyNode; +} LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD; + +typedef enum _LDR_DLL_LOAD_REASON +{ + LoadReasonStaticDependency, + LoadReasonStaticForwarderDependency, + LoadReasonDynamicForwarderDependency, + LoadReasonDelayloadDependency, + LoadReasonDynamicLoad, + LoadReasonAsImageLoad, + LoadReasonAsDataLoad, + LoadReasonUnknown = -1 +} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON; + +#define LDRP_PACKAGED_BINARY 0x00000001 +#define LDRP_IMAGE_DLL 0x00000004 +#define LDRP_LOAD_IN_PROGRESS 0x00001000 +#define LDRP_ENTRY_PROCESSED 0x00004000 +#define LDRP_DONT_CALL_FOR_THREADS 0x00040000 +#define LDRP_PROCESS_ATTACH_CALLED 0x00080000 +#define LDRP_PROCESS_ATTACH_FAILED 0x00100000 +#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 // Vista and below +#define LDRP_COR_IMAGE 0x00400000 +#define LDRP_DONT_RELOCATE 0x00800000 +#define LDRP_REDIRECTED 0x10000000 +#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 + +#define 
LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) +#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) +#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions) + +#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 + +typedef struct _RTL_BALANCED_NODE +{ + union + { + struct _RTL_BALANCED_NODE* Children[2]; + struct + { + struct _RTL_BALANCED_NODE* Left; + struct _RTL_BALANCED_NODE* Right; + } s; + }; + union + { + UCHAR Red : 1; + UCHAR Balance : 2; + ULONG_PTR ParentValue; + } u; +} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; + +typedef struct _LDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + union + { + LIST_ENTRY InInitializationOrderLinks; + LIST_ENTRY InProgressLinks; + }; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + union + { + UCHAR FlagGroup[4]; + ULONG Flags; + struct + { + ULONG PackagedBinary : 1; + ULONG MarkedForRemoval : 1; + ULONG ImageDll : 1; + ULONG LoadNotificationsSent : 1; + ULONG TelemetryEntryProcessed : 1; + ULONG ProcessStaticImport : 1; + ULONG InLegacyLists : 1; + ULONG InIndexes : 1; + ULONG ShimDll : 1; + ULONG InExceptionTable : 1; + ULONG ReservedFlags1 : 2; + ULONG LoadInProgress : 1; + ULONG LoadConfigProcessed : 1; + ULONG EntryProcessed : 1; + ULONG ProtectDelayLoad : 1; + ULONG ReservedFlags3 : 2; + ULONG DontCallForThreads : 1; + ULONG ProcessAttachCalled : 1; + ULONG ProcessAttachFailed : 1; + ULONG CorDeferredValidate : 1; + ULONG CorImage : 1; + ULONG DontRelocate : 1; + ULONG CorILOnly : 1; + ULONG ReservedFlags5 : 3; + ULONG Redirected : 1; + ULONG ReservedFlags6 : 2; + ULONG CompatDatabaseProcessed : 1; + } s; + } u; + USHORT ObsoleteLoadCount; + USHORT TlsIndex; + LIST_ENTRY HashLinks; + ULONG TimeDateStamp; + struct _ACTIVATION_CONTEXT* EntryPointActivationContext; + PVOID Lock; + PLDR_DDAG_NODE DdagNode; + 
LIST_ENTRY NodeModuleLink; + struct _LDRP_LOAD_CONTEXT* LoadContext; + PVOID ParentDllBase; + PVOID SwitchBackContext; + RTL_BALANCED_NODE BaseAddressIndexNode; + RTL_BALANCED_NODE MappingInfoIndexNode; + ULONG_PTR OriginalBase; + LARGE_INTEGER LoadTime; + ULONG BaseNameHashValue; + LDR_DLL_LOAD_REASON LoadReason; + ULONG ImplicitPathOptions; + ULONG ReferenceCount; + ULONG DependentLoadFlags; + UCHAR SigningLevel; // Since Windows 10 RS2 +} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; + +typedef struct _INITIAL_TEB +{ + struct + { + PVOID OldStackBase; + PVOID OldStackLimit; + } OldInitialTeb; + PVOID StackBase; + PVOID StackLimit; + PVOID StackAllocationBase; +} INITIAL_TEB, *PINITIAL_TEB; + +typedef struct _IO_STATUS_BLOCK +{ + union + { + NTSTATUS Status; + PVOID Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef +VOID +(NTAPI* + PIO_APC_ROUTINE)( + _In_ PVOID ApcContext, + _In_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG Reserved + ); + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ + PVOID KeyContext; + PVOID ApcContext; + IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef struct _FILE_COMPLETION_INFORMATION +{ + HANDLE Port; + PVOID Key; +} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; + +#ifdef __cplusplus +typedef enum _PRIORITY_CLASS : UCHAR +{ + Undefined, + Idle, + Normal, + High, + Realtime, + BelowNormal, + AboveNormal +} PRIORITY_CLASS; +#else +typedef UCHAR PRIORITY_CLASS; +#endif + +typedef struct _PROCESS_PRIORITY_CLASS +{ + BOOLEAN Foreground; + PRIORITY_CLASS PriorityClass; +} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS; + +typedef struct _PS_ATTRIBUTE +{ + ULONG_PTR Attribute; // PROC_THREAD_ATTRIBUTE_XXX | PROC_THREAD_ATTRIBUTE_XXX modifiers, see ProcThreadAttributeValue macro and Windows Internals 6 (372) + SIZE_T Size; // Size of Value or *ValuePtr + union + { + ULONG_PTR Value; // Reserve 8 bytes for data (such as a 
Handle or a data pointer) + PVOID ValuePtr; // data pointer + }; + PSIZE_T ReturnLength; // Either 0 or specifies size of data returned to caller via "ValuePtr" +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; // sizeof(PS_ATTRIBUTE_LIST) + PS_ATTRIBUTE Attributes[2]; // Depends on how many attribute entries should be supplied to NtCreateUserProcess +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef struct _PS_MEMORY_RESERVE +{ + PVOID ReserveAddress; + SIZE_T ReserveSize; +} PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE; + +#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff +#define PS_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation +#define PS_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only +#define PS_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated", e.g. bitmasks, counters, etc. + +typedef enum _PS_ATTRIBUTE_NUM +{ + PsAttributeParentProcess, // in HANDLE + PsAttributeDebugPort, // in HANDLE + PsAttributeToken, // in HANDLE + PsAttributeClientId, // out PCLIENT_ID + PsAttributeTebAddress, // out PTEB + PsAttributeImageName, // in PWSTR + PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION + PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE + PsAttributePriorityClass, // in UCHAR + PsAttributeErrorMode, // in ULONG + PsAttributeStdHandleInfo, // in PPS_STD_HANDLE_INFO + PsAttributeHandleList, // in PHANDLE + PsAttributeGroupAffinity, // in PGROUP_AFFINITY + PsAttributePreferredNode, // in PUSHORT + PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER + PsAttributeUmsThread, // see MSDN UpdateProceThreadAttributeList (CreateProcessW) - in PUMS_CREATE_THREAD_ATTRIBUTES + PsAttributeMitigationOptions, // in UCHAR + PsAttributeProtectionLevel, // in ULONG + PsAttributeSecureProcess, // since THRESHOLD (Virtual Secure Mode, Device Guard) + PsAttributeJobList, + PsAttributeChildProcessPolicy, // since THRESHOLD2 + PsAttributeAllApplicationPackagesPolicy, // since REDSTONE + 
PsAttributeWin32kFilter, + PsAttributeSafeOpenPromptOriginClaim, + PsAttributeBnoIsolation, + PsAttributeDesktopAppPolicy, + PsAttributeMax +} PS_ATTRIBUTE_NUM; + +#define PsAttributeValue(Number, Thread, Input, Additive) \ + (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ + ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ + ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ + ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0)) + +#define PS_ATTRIBUTE_PARENT_PROCESS \ + PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) // 0x60000 +#define PS_ATTRIBUTE_DEBUG_PORT \ + PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) // 0x60001 +#define PS_ATTRIBUTE_TOKEN \ + PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) // 0x60002 +#define PS_ATTRIBUTE_CLIENT_ID \ + PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) // 0x10003 +#define PS_ATTRIBUTE_TEB_ADDRESS \ + PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) // 0x10004 +#define PS_ATTRIBUTE_IMAGE_NAME \ + PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) // 0x20005 +#define PS_ATTRIBUTE_IMAGE_INFO \ + PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) // 0x6 +#define PS_ATTRIBUTE_MEMORY_RESERVE \ + PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) // 0x20007 +#define PS_ATTRIBUTE_PRIORITY_CLASS \ + PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) // 0x20008 +#define PS_ATTRIBUTE_ERROR_MODE \ + PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) // 0x20009 +#define PS_ATTRIBUTE_STD_HANDLE_INFO \ + PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) // 0x2000A +#define PS_ATTRIBUTE_HANDLE_LIST \ + PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) // 0x2000B +#define PS_ATTRIBUTE_GROUP_AFFINITY \ + PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) // 0x2000C +#define PS_ATTRIBUTE_PREFERRED_NODE \ + PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) // 0x2000D +#define PS_ATTRIBUTE_IDEAL_PROCESSOR \ + 
PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) // 0x2000E +#define PS_ATTRIBUTE_MITIGATION_OPTIONS \ + PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE) // 0x60010 +#define PS_ATTRIBUTE_PROTECTION_LEVEL \ + PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, FALSE) // 0x20011 + +typedef enum _PS_STD_HANDLE_STATE +{ + PsNeverDuplicate, + PsRequestDuplicate, // Duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem + PsAlwaysDuplicate, // Always duplicate standard handles + PsMaxStdHandleStates +} PS_STD_HANDLE_STATE; + +#define HANDLE_DETACHED_PROCESS ((HANDLE)-1) +#define HANDLE_CREATE_NEW_CONSOLE ((HANDLE)-2) +#define HANDLE_CREATE_NO_WINDOW ((HANDLE)-3) + +#define PS_STD_INPUT_HANDLE 0x1 +#define PS_STD_OUTPUT_HANDLE 0x2 +#define PS_STD_ERROR_HANDLE 0x4 + +typedef struct _PS_STD_HANDLE_INFO +{ + union + { + ULONG Flags; + struct + { + ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE + ULONG PseudoHandleMask : 3; // PS_STD_* + } s; + }; + ULONG StdHandleSubsystemType; +} PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO; + +typedef struct _PS_BNO_ISOLATION_PARAMETERS +{ + UNICODE_STRING IsolationPrefix; + ULONG HandleCount; + PVOID* Handles; + BOOLEAN IsolationEnabled; +} PS_BNO_ISOLATION_PARAMETERS, *PPS_BNO_ISOLATION_PARAMETERS; + +typedef enum _PS_MITIGATION_OPTION +{ + PS_MITIGATION_OPTION_NX, + PS_MITIGATION_OPTION_SEHOP, + PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES, + PS_MITIGATION_OPTION_HEAP_TERMINATE, + PS_MITIGATION_OPTION_BOTTOM_UP_ASLR, + PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR, + PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS, + PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE, + PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE, + PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE, + PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD, + PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES, + PS_MITIGATION_OPTION_FONT_DISABLE, + PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE, + 
PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL, + PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32, + PS_MITIGATION_OPTION_RETURN_FLOW_GUARD, + PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY, + PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD, + PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT +} PS_MITIGATION_OPTION; + +typedef enum _PS_CREATE_STATE +{ + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, // Debugger specified + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE; + +typedef struct _PS_CREATE_INFO +{ + SIZE_T Size; + PS_CREATE_STATE State; + union + { + // PsCreateInitialState + struct + { + union + { + ULONG InitFlags; + struct + { + UCHAR WriteOutputOnExit : 1; + UCHAR DetectManifest : 1; + UCHAR IFEOSkipDebugger : 1; + UCHAR IFEODoNotPropagateKeyState : 1; + UCHAR SpareBits1 : 4; + UCHAR SpareBits2 : 8; + USHORT ProhibitedImageCharacteristics : 16; + } s1; + } u1; + ACCESS_MASK AdditionalFileAccess; + } InitState; + + // PsCreateFailOnSectionCreate + struct + { + HANDLE FileHandle; + } FailSection; + + // PsCreateFailExeFormat + struct + { + USHORT DllCharacteristics; + } ExeFormat; + + // PsCreateFailExeName + struct + { + HANDLE IFEOKey; + } ExeName; + + // PsCreateSuccess + struct + { + union + { + ULONG OutputFlags; + struct + { + UCHAR ProtectedProcess : 1; + UCHAR AddressSpaceOverride : 1; + UCHAR DevOverrideEnabled : 1; // From Image File Execution Options + UCHAR ManifestDetected : 1; + UCHAR ProtectedProcessLight : 1; + UCHAR SpareBits1 : 3; + UCHAR SpareBits2 : 8; + USHORT SpareBits3 : 16; + } s2; + } u2; + HANDLE FileHandle; + HANDLE SectionHandle; + ULONGLONG UserProcessParametersNative; + ULONG UserProcessParametersWow64; + ULONG CurrentParameterFlags; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + ULONGLONG ManifestAddress; + ULONG ManifestSize; + } SuccessState; + }; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + 
+#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001 +#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002 +#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004 +#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008 +#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010 + +// Only usable with NtCreateUserProcess (Vista+): +#define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020 +#define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040 // Only allowed if the calling process is itself protected +#define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 +#define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100 + +typedef enum _MEMORY_RESERVE_TYPE +{ + MemoryReserveUserApc, + MemoryReserveIoCompletion, + MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE; + +typedef struct _PROCESS_HANDLE_TRACING_ENABLE +{ + ULONG Flags; +} PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE; + +#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000 + +typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX +{ + ULONG Flags; + ULONG TotalSlots; +} PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX; + +// Source: http://processhacker.sourceforge.net typedef enum _PROCESSINFOCLASS { - ProcessBasicInformation, - ProcessQuotaLimits, - ProcessIoCounters, - ProcessVmCounters, - ProcessTimes, - ProcessBasePriority, - ProcessRaisePriority, - ProcessDebugPort, - ProcessExceptionPort, - ProcessAccessToken, - ProcessLdtInformation, - ProcessLdtSize, - ProcessDefaultHardErrorMode, - ProcessIoPortHandlers, // Note: this is kernel mode only - ProcessPooledUsageAndLimits, - ProcessWorkingSetWatch, + ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION + ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX + ProcessIoCounters, // q: IO_COUNTERS + ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 + ProcessTimes, // q: KERNEL_USER_TIMES + ProcessBasePriority, // s: KPRIORITY + ProcessRaisePriority, // s: ULONG + 
ProcessDebugPort, // q: HANDLE + ProcessExceptionPort, // s: HANDLE + ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN + ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 + ProcessLdtSize, // s: PROCESS_LDT_SIZE + ProcessDefaultHardErrorMode, // qs: ULONG + ProcessIoPortHandlers, // (kernel-mode only) + ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS + ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void ProcessUserModeIOPL, - ProcessEnableAlignmentFaultFixup, - ProcessPriorityClass, + ProcessEnableAlignmentFaultFixup, // s: BOOLEAN + ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS ProcessWx86Information, - ProcessHandleCount, - ProcessAffinityMask, - ProcessPriorityBoost, - ProcessDeviceMap, - ProcessSessionInformation, - ProcessForegroundInformation, - ProcessWow64Information, - ProcessImageFileName, - ProcessLUIDDeviceMapsEnabled, - ProcessBreakOnTermination, - ProcessDebugObjectHandle, - ProcessDebugFlags, - ProcessHandleTracing, - ProcessIoPriority, - ProcessExecuteFlags, + ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 + ProcessAffinityMask, // s: KAFFINITY + ProcessPriorityBoost, // qs: ULONG + ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX + ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION + ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND + ProcessWow64Information, // q: ULONG_PTR + ProcessImageFileName, // q: UNICODE_STRING + ProcessLUIDDeviceMapsEnabled, // q: ULONG + ProcessBreakOnTermination, // qs: ULONG + ProcessDebugObjectHandle, // q: HANDLE // 30 + ProcessDebugFlags, // qs: ULONG + ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables + ProcessIoPriority, // qs: IO_PRIORITY_HINT + ProcessExecuteFlags, // qs: ULONG ProcessResourceManagement, - ProcessCookie, - ProcessImageInformation, - MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum + ProcessCookie, // 
q: ULONG + ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION + ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA + ProcessPagePriority, // q: ULONG + ProcessInstrumentationCallback, // 40 + ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX + ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] + ProcessImageFileNameWin32, // q: UNICODE_STRING + ProcessImageFileMapping, // q: HANDLE (input) + ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE + ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE + ProcessGroupInformation, // q: USHORT[] + ProcessTokenVirtualizationEnabled, // s: ULONG + ProcessConsoleHostProcess, // q: ULONG_PTR + ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 + ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 + ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION + ProcessDynamicFunctionTableInformation, + ProcessHandleCheckingMode, + ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION + ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION + ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL + ProcessHandleTable, // since WINBLUE + ProcessCheckStackExtentsMode, + ProcessCommandLineInformation, // q: UNICODE_STRING // 60 + ProcessProtectionInformation, // q: PS_PROTECTION + ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD + ProcessFaultInformation, // PROCESS_FAULT_INFORMATION + ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION + ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION + ProcessDefaultCpuSetsInformation, + ProcessAllowedCpuSetsInformation, + ProcessSubsystemProcess, + ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO + ProcessInPrivate, // since THRESHOLD2 // 70 + ProcessRaiseUMExceptionOnInvalidHandleClose, + 
ProcessIumChallengeResponse, + ProcessChildProcessInformation, // PROCESS_CHILD_PROCESS_INFORMATION + ProcessHighGraphicsPriorityInformation, + ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 + ProcessEnergyValues, // PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES + ProcessActivityThrottleState, // PROCESS_ACTIVITY_THROTTLE_STATE + ProcessActivityThrottlePolicy, // PROCESS_ACTIVITY_THROTTLE_POLICY + ProcessWin32kSyscallFilterInformation, + ProcessDisableSystemAllowedCpuSets, + ProcessWakeInformation, // PROCESS_WAKE_INFORMATION + ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE + MaxProcessInfoClass } PROCESSINFOCLASS; +// Source: http://processhacker.sourceforge.net typedef enum _SYSTEM_INFORMATION_CLASS { - SystemBasicInformation, - SystemProcessorInformation, // obsolete...delete - SystemPerformanceInformation, - SystemTimeOfDayInformation, - SystemPathInformation, - SystemProcessInformation, - SystemCallCountInformation, - SystemDeviceInformation, - SystemProcessorPerformanceInformation, - SystemFlagsInformation, - SystemCallTimeInformation, - SystemModuleInformation, - SystemLocksInformation, - SystemStackTraceInformation, - SystemPagedPoolInformation, - SystemNonPagedPoolInformation, - SystemHandleInformation, - SystemObjectInformation, - SystemPageFileInformation, - SystemVdmInstemulInformation, - SystemVdmBopInformation, - SystemFileCacheInformation, - SystemPoolTagInformation, - SystemInterruptInformation, - SystemDpcBehaviorInformation, - SystemFullMemoryInformation, - SystemLoadGdiDriverInformation, - SystemUnloadGdiDriverInformation, - SystemTimeAdjustmentInformation, - SystemSummaryMemoryInformation, - SystemMirrorMemoryInformation, - SystemPerformanceTraceInformation, - SystemObsolete0, - SystemExceptionInformation, - SystemCrashDumpStateInformation, - SystemKernelDebuggerInformation, - SystemContextSwitchInformation, - SystemRegistryQuotaInformation, - SystemExtendServiceTableInformation, - 
SystemPrioritySeperation, - SystemVerifierAddDriverInformation, - SystemVerifierRemoveDriverInformation, - SystemProcessorIdleInformation, - SystemLegacyDriverInformation, - SystemCurrentTimeZoneInformation, - SystemLookasideInformation, - SystemTimeSlipNotification, - SystemSessionCreate, - SystemSessionDetach, - SystemSessionInformation, - SystemRangeStartInformation, - SystemVerifierInformation, - SystemVerifierThunkExtend, - SystemSessionProcessInformation, - SystemLoadGdiDriverInSystemSpace, - SystemNumaProcessorMap, - SystemPrefetcherInformation, - SystemExtendedProcessInformation, - SystemRecommendedSharedDataAlignment, - SystemComPlusPackage, - SystemNumaAvailableMemory, - SystemProcessorPowerInformation, - SystemEmulationBasicInformation, + SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION + SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION + SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION + SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION + SystemPathInformation, // not implemented + SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION + SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION + SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION + SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION + SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION + SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 + SystemModuleInformation, // q: RTL_PROCESS_MODULES + SystemLocksInformation, // q: RTL_PROCESS_LOCKS + SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES + SystemPagedPoolInformation, // not implemented + SystemNonPagedPoolInformation, // not implemented + SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION + SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION + SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION + SystemVdmInstemulInformation, // q + 
SystemVdmBopInformation, // not implemented // 20 + SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) + SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION + SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION + SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) + SystemFullMemoryInformation, // not implemented + SystemLoadGdiDriverInformation, // s (kernel-mode only) + SystemUnloadGdiDriverInformation, // s (kernel-mode only) + SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) + SystemSummaryMemoryInformation, // not implemented + SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 + SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) + SystemObsolete0, // not implemented + SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION + SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege) + SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION + SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION + SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) + SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only + SystemPrioritySeperation, // s (requires SeTcbPrivilege) + SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40 + SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) + SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION + SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION + SystemCurrentTimeZoneInformation, // q + 
SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION + SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege) + SystemSessionCreate, // not implemented + SystemSessionDetach, // not implemented + SystemSessionInformation, // not implemented + SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 + SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) + SystemVerifierThunkExtend, // s (kernel-mode only) + SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION + SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation) + SystemNumaProcessorMap, // q + SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation + SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION + SystemRecommendedSharedDataAlignment, // q + SystemComPlusPackage, // q; s + SystemNumaAvailableMemory, // 60 + SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION + SystemEmulationBasicInformation, // q SystemEmulationProcessorInformation, - SystemExtendedHandleInformation, - SystemLostDelayedWriteInformation, - SystemBigPoolInformation, - SystemSessionPoolTagInformation, - SystemSessionMappedViewInformation, - SystemHotpatchInformation, - SystemObjectSecurityMode, - SystemWatchdogTimerHandler, - SystemWatchdogTimerInformation, - SystemLogicalProcessorInformation, - SystemWow64SharedInformation, - SystemRegisterFirmwareTableInformationHandler, - SystemFirmwareTableInformation, - SystemModuleInformationEx, - SystemVerifierTriageInformation, - SystemSuperfetchInformation, - SystemMemoryListInformation, - SystemFileCacheInformationEx, - MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum + SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX + SystemLostDelayedWriteInformation, // q: ULONG + SystemBigPoolInformation, // q: 
SYSTEM_BIGPOOL_INFORMATION
+ SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
+ SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
+ SystemHotpatchInformation, // q; s
+ SystemObjectSecurityMode, // q // 70
+ SystemWatchdogTimerHandler, // s (kernel-mode only)
+ SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
+ SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
+ SystemWow64SharedInformationObsolete, // not implemented
+ SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
+ SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
+ SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
+ SystemVerifierTriageInformation, // not implemented
+ SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
+ SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
+ SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
+ SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
+ SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
+ SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
+ SystemProcessorPowerInformationEx, // not implemented
+ SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
+ SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
+ SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
+ SystemErrorPortInformation, // s (requires SeTcbPrivilege)
+ SystemBootEnvironmentInformation, // q:
SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
+ SystemHypervisorInformation, // q; s (kernel-mode only)
+ SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
+ SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
+ SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
+ SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
+ SystemPrefetchPatchInformation, // not implemented
+ SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
+ SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
+ SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
+ SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
+ SystemNumaProximityNodeInformation, // q
+ SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
+ SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
+ SystemProcessorMicrocodeUpdateInformation, // s
+ SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
+ SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
+ SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
+ SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
+ SystemStoreInformation, // q; s // SmQueryStoreInformation
+ SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
+ SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
+ SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
+ SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
+
SystemNativeBasicInformation, // not implemented
+ SystemSpare1, // not implemented
+ SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
+ SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
+ SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
+ SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
+ SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
+ SystemNodeDistanceInformation, // q
+ SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
+ SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
+ SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
+ SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
+ SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
+ SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
+ SystemBadPageInformation,
+ SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
+ SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
+ SystemEntropyInterruptTimingCallback,
+ SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
+ SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
+ SystemThrottleNotificationInformation,
+ SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
+ SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
+
SystemDeviceDataEnumerationInformation,
+ SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
+ SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
+ SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
+ SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
+ SystemSpare0,
+ SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
+ SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
+ SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
+ SystemEntropyInterruptTimingRawInformation,
+ SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
+ SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
+ SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
+ SystemBootMetadataInformation, // 150
+ SystemSoftRebootInformation,
+ SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
+ SystemOfflineDumpConfigInformation,
+ SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
+ SystemRegistryReconciliationInformation,
+ SystemEdidInformation,
+ SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
+ SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
+ SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
+ SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
+ SystemVmGenerationCountInformation,
+ SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
+ SystemKernelDebuggerFlags,
+ SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
+ SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
+
SystemHardwareSecurityTestInterfaceResultsInformation, + SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION + SystemAllowedCpuSetsInformation, + SystemDmaProtectionInformation, // q: SYSTEM_DMA_PROTECTION_INFORMATION + SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 + SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION + SystemCodeIntegrityPolicyFullInformation, + SystemAffinitizedInterruptProcessorInformation, + SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION + SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 + SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION + SystemWin32WerStartCallout, + SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION + SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE + SystemInterruptSteeringInformation, // 180 + SystemSupportedProcessorArchitectures, + SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION + SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION + SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 + SystemControlFlowTransition, + SystemKernelDebuggingAllowed, + SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE + SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS + SystemCodeIntegrityPoliciesFullInformation, + SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 + SystemIntegrityQuotaInformation, + SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION + MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS; typedef enum _OBJECT_INFORMATION_CLASS { - ObjectBasicInformation, - ObjectNameInformation, - ObjectTypeInformation, - ObjectTypesInformation, - ObjectHandleFlagInformation, + 
ObjectBasicInformation, // OBJECT_BASIC_INFORMATION + ObjectNameInformation, // OBJECT_NAME_INFORMATION + ObjectTypeInformation, // OBJECT_TYPE_INFORMATION + ObjectTypesInformation, // OBJECT_TYPES_INFORMATION + ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION ObjectSessionInformation, - MaxObjectInfoClass // MaxObjectInfoClass should always be the last enum + ObjectSessionObjectInformation, + MaxObjectInfoClass } OBJECT_INFORMATION_CLASS; +//Source: http://processhacker.sourceforge.net typedef enum _THREADINFOCLASS { - ThreadBasicInformation, - ThreadTimes, - ThreadPriority, - ThreadBasePriority, - ThreadAffinityMask, - ThreadImpersonationToken, - ThreadDescriptorTableEntry, - ThreadEnableAlignmentFaultFixup, - ThreadEventPair_Reusable, - ThreadQuerySetWin32StartAddress, - ThreadZeroTlsCell, - ThreadPerformanceCount, - ThreadAmILastThread, - ThreadIdealProcessor, - ThreadPriorityBoost, + ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION + ThreadTimes, // q: KERNEL_USER_TIMES + ThreadPriority, // s: KPRIORITY + ThreadBasePriority, // s: LONG + ThreadAffinityMask, // s: KAFFINITY + ThreadImpersonationToken, // s: HANDLE + ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY) + ThreadEnableAlignmentFaultFixup, // s: BOOLEAN + ThreadEventPair, + ThreadQuerySetWin32StartAddress, // q: PVOID + ThreadZeroTlsCell, // 10 + ThreadPerformanceCount, // q: LARGE_INTEGER + ThreadAmILastThread, // q: ULONG + ThreadIdealProcessor, // s: ULONG + ThreadPriorityBoost, // qs: ULONG ThreadSetTlsArrayAddress, - ThreadIsIoPending, - ThreadHideFromDebugger, - ThreadBreakOnTermination, + ThreadIsIoPending, // q: ULONG + ThreadHideFromDebugger, // s: void + ThreadBreakOnTermination, // qs: ULONG ThreadSwitchLegacyState, - ThreadIsTerminated, + ThreadIsTerminated, // q: ULONG // 20 + ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION + ThreadIoPriority, // qs: IO_PRIORITY_HINT + ThreadCycleTime, // q: 
THREAD_CYCLE_TIME_INFORMATION + ThreadPagePriority, // q: ULONG + ThreadActualBasePriority, + ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT) + ThreadCSwitchMon, + ThreadCSwitchPmu, + ThreadWow64Context, // q: WOW64_CONTEXT + ThreadGroupInformation, // q: GROUP_AFFINITY // 30 + ThreadUmsInformation, // q: THREAD_UMS_INFORMATION + ThreadCounterProfiling, + ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER + ThreadCpuAccountingInformation, // since WIN8 + ThreadSuspendCount, // since WINBLUE + ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD + ThreadContainerId, // q: GUID + ThreadNameInformation, // qs: THREAD_NAME_INFORMATION + ThreadSelectedCpuSets, + ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40 + ThreadActualGroupAffinity, // since THRESHOLD2 + ThreadDynamicCodePolicyInfo, + ThreadExplicitCaseSensitivity, + ThreadWorkOnBehalfTicket, + ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 + ThreadDbgkWerReportActive, + ThreadAttachContainer, MaxThreadInfoClass } THREADINFOCLASS; +typedef enum _FSINFOCLASS +{ + FileFsVolumeInformation = 1, // FILE_FS_VOLUME_INFORMATION + FileFsLabelInformation = 2, // FILE_FS_LABEL_INFORMATION + FileFsSizeInformation = 3, // FILE_FS_SIZE_INFORMATION + FileFsDeviceInformation = 4, // FILE_FS_DEVICE_INFORMATION + FileFsAttributeInformation = 5, // FILE_FS_ATTRIBUTE_INFORMATION + FileFsControlInformation = 6, // FILE_FS_CONTROL_INFORMATION + FileFsFullSizeInformation = 7, // FILE_FS_FULL_SIZE_INFORMATION + FileFsObjectIdInformation = 8, // FILE_FS_OBJECTID_INFORMATION + FileFsDriverPathInformation = 9, // FILE_FS_DRIVER_PATH_INFORMATION + FileFsVolumeFlagsInformation = 10, // FILE_FS_VOLUME_FLAGS_INFORMATION + FileFsSectorSizeInformation = 11, // FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 + FileFsDataCopyInformation = 12, // FILE_FS_DATA_COPY_INFORMATION + FileFsMetadataSizeInformation = 13, // 
FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD
+ FileFsMaximumInformation
+} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
+
+typedef enum _MEMORY_INFORMATION_CLASS
+{
+ MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
+ MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
+ MemoryMappedFilenameInformation, // UNICODE_STRING
+ MemoryRegionInformation, // MEMORY_REGION_INFORMATION
+ MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
+ MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
+ MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
+ MemoryRegionInformationEx,
+ MemoryPrivilegedBasicInformation
+} MEMORY_INFORMATION_CLASS;
+
+typedef enum _SECTION_INFORMATION_CLASS
+{
+ SectionBasicInformation,
+ SectionImageInformation,
+ SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation
+ SectionOriginalBaseInformation, // PVOID BaseAddress
+ SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2
+ MaxSectionInfoClass
+} SECTION_INFORMATION_CLASS;
+
+// Boot condition flags (NtInitializeRegistry)
+#define REG_INIT_BOOT_SM 0x0000
+#define REG_INIT_BOOT_SETUP 0x0001
+#define REG_INIT_BOOT_ACCEPTED_BASE 0x0002
+#define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999
+
+#define REG_MAX_KEY_VALUE_NAME_LENGTH 32767
+#define REG_MAX_KEY_NAME_LENGTH 512
+
+typedef enum _KEY_INFORMATION_CLASS
+{
+ KeyBasicInformation, // KEY_BASIC_INFORMATION
+ KeyNodeInformation, // KEY_NODE_INFORMATION
+ KeyFullInformation, // KEY_FULL_INFORMATION
+ KeyNameInformation, // KEY_NAME_INFORMATION
+ KeyCachedInformation, // KEY_CACHED_INFORMATION
+ KeyFlagsInformation, // KEY_FLAGS_INFORMATION
+ KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION
+ KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
+ KeyTrustInformation, // KEY_TRUST_INFORMATION
+ KeyLayerInformation, // KEY_LAYER_INFORMATION
+ MaxKeyInfoClass
+} KEY_INFORMATION_CLASS;
+
+typedef
struct _KEY_BASIC_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
+
+typedef struct _KEY_NODE_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG ClassOffset;
+ ULONG ClassLength;
+ ULONG NameLength;
+ WCHAR Name[1];
+ // ...
+ // WCHAR Class[1];
+} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
+
+typedef struct _KEY_FULL_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG ClassOffset;
+ ULONG ClassLength;
+ ULONG SubKeys;
+ ULONG MaxNameLen;
+ ULONG MaxClassLen;
+ ULONG Values;
+ ULONG MaxValueNameLen;
+ ULONG MaxValueDataLen;
+ WCHAR Class[1];
+} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
+
+typedef struct _KEY_NAME_INFORMATION
+{
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
+
+typedef struct _KEY_CACHED_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG SubKeys;
+ ULONG MaxNameLen;
+ ULONG Values;
+ ULONG MaxValueNameLen;
+ ULONG MaxValueDataLen;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
+
+typedef struct _KEY_FLAGS_INFORMATION
+{
+ ULONG UserFlags;
+} KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION;
+
+typedef struct _KEY_VIRTUALIZATION_INFORMATION
+{
+ ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now).
+ ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1.
+ ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles.
+ ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles.
+ ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1.
+ ULONG Reserved : 27;
+} KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION;
+
+// private
+typedef struct _KEY_TRUST_INFORMATION
+{
+ ULONG TrustedKey : 1;
+ ULONG Reserved : 31;
+} KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION;
+
+// private
+typedef struct _KEY_LAYER_INFORMATION
+{
+ ULONG IsTombstone;
+ ULONG IsSupersedeLocal;
+ ULONG IsSupersedeTree;
+ ULONG ClassIsInherited;
+ ULONG Reserved;
+} KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION;
+
+typedef enum _KEY_SET_INFORMATION_CLASS
+{
+ KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION
+ KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION
+ KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION
+ KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION
+ KeySetDebugInformation,
+ KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
+ MaxKeySetInfoClass
+} KEY_SET_INFORMATION_CLASS;
+
+typedef struct _KEY_WRITE_TIME_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+} KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
+
+typedef struct _KEY_WOW64_FLAGS_INFORMATION
+{
+ ULONG UserFlags;
+} KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION;
+
+typedef struct _KEY_HANDLE_TAGS_INFORMATION
+{
+ ULONG HandleTags;
+} KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
+
+typedef struct _KEY_CONTROL_FLAGS_INFORMATION
+{
+ ULONG ControlFlags;
+} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;
+
+typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION
+{
+ ULONG VirtualTarget : 1;
+ ULONG VirtualStore : 1;
+ ULONG VirtualSource : 1; // true if key has been virtualized at least once
+ ULONG Reserved : 29;
+} KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION;
+
+typedef enum _KEY_VALUE_INFORMATION_CLASS
+{
+ KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION
+ KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION
+ KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION
+
KeyValueFullInformationAlign64,
+ KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+ KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION
+ MaxKeyValueInfoClass
+} KEY_VALUE_INFORMATION_CLASS;
+
+typedef struct _KEY_VALUE_BASIC_INFORMATION
+{
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
+
+typedef struct _KEY_VALUE_FULL_INFORMATION
+{
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG DataOffset;
+ ULONG DataLength;
+ ULONG NameLength;
+ WCHAR Name[1];
+ // ...
+ // UCHAR Data[1];
+} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
+
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION
+{
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG DataLength;
+ UCHAR Data[1];
+} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
+
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+{
+ ULONG Type;
+ ULONG DataLength;
+ UCHAR Data[1];
+} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
+
+// private
+typedef struct _KEY_VALUE_LAYER_INFORMATION
+{
+ ULONG IsTombstone;
+ ULONG Reserved;
+} KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION;
+
+typedef struct _KEY_VALUE_ENTRY
+{
+ PUNICODE_STRING ValueName;
+ ULONG DataLength;
+ ULONG DataOffset;
+ ULONG Type;
+} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
+
+typedef enum _REG_ACTION
+{
+ KeyAdded,
+ KeyRemoved,
+ KeyModified
+} REG_ACTION;
+
+typedef struct _REG_NOTIFY_INFORMATION
+{
+ ULONG NextEntryOffset;
+ REG_ACTION Action;
+ ULONG KeyLength;
+ WCHAR Key[1];
+} REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION;
+
+typedef struct _KEY_PID_ARRAY
+{
+ HANDLE PID;
+ UNICODE_STRING KeyName;
+} KEY_PID_ARRAY, *PKEY_PID_ARRAY;
+
+typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
+{
+ ULONG Count;
+ KEY_PID_ARRAY KeyArray[1];
+} KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION;
+
+typedef enum _SYSDBG_COMMAND
+{
+ SysDbgQueryModuleInformation,
+ SysDbgQueryTraceInformation,
+ SysDbgSetTracepoint,
+ SysDbgSetSpecialCall,
+ SysDbgClearSpecialCalls,
+ SysDbgQuerySpecialCalls,
+ SysDbgBreakPoint,
+ SysDbgQueryVersion,
+ SysDbgReadVirtual,
+ SysDbgWriteVirtual,
+ SysDbgReadPhysical,
+ SysDbgWritePhysical,
+ SysDbgReadControlSpace,
+ SysDbgWriteControlSpace,
+ SysDbgReadIoSpace,
+ SysDbgWriteIoSpace,
+ SysDbgReadMsr,
+ SysDbgWriteMsr,
+ SysDbgReadBusData,
+ SysDbgWriteBusData,
+ SysDbgCheckLowMemory,
+ SysDbgEnableKernelDebugger,
+ SysDbgDisableKernelDebugger,
+ SysDbgGetAutoKdEnable,
+ SysDbgSetAutoKdEnable,
+ SysDbgGetPrintBufferSize,
+ SysDbgSetPrintBufferSize,
+ SysDbgGetKdUmExceptionEnable,
+ SysDbgSetKdUmExceptionEnable,
+ SysDbgGetTriageDump,
+ SysDbgGetKdBlockEnable,
+ SysDbgSetKdBlockEnable,
+ SysDbgRegisterForUmBreakInfo,
+ SysDbgGetUmBreakPid,
+ SysDbgClearUmBreakPid,
+ SysDbgGetUmAttachPid,
+ SysDbgClearUmAttachPid,
+ SysDbgGetLiveKernelDump
+} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
+
+typedef enum _DEBUGOBJECTINFOCLASS
+{
+ DebugObjectFlags = 1,
+ MaxDebugObjectInfoClass
+} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
+
+//Source: http://processhacker.sourceforge.net
+typedef enum _FILE_INFORMATION_CLASS
+{
+ FileDirectoryInformation = 1, // FILE_DIRECTORY_INFORMATION
+ FileFullDirectoryInformation, // FILE_FULL_DIR_INFORMATION
+ FileBothDirectoryInformation, // FILE_BOTH_DIR_INFORMATION
+ FileBasicInformation, // FILE_BASIC_INFORMATION
+ FileStandardInformation, // FILE_STANDARD_INFORMATION
+ FileInternalInformation, // FILE_INTERNAL_INFORMATION
+ FileEaInformation, // FILE_EA_INFORMATION
+ FileAccessInformation, // FILE_ACCESS_INFORMATION
+ FileNameInformation, // FILE_NAME_INFORMATION
+ FileRenameInformation, // FILE_RENAME_INFORMATION // 10
+ FileLinkInformation, // FILE_LINK_INFORMATION
+ FileNamesInformation, // FILE_NAMES_INFORMATION
+ FileDispositionInformation, // FILE_DISPOSITION_INFORMATION
+ FilePositionInformation, // FILE_POSITION_INFORMATION
+ FileFullEaInformation, // FILE_FULL_EA_INFORMATION
+ FileModeInformation,
// FILE_MODE_INFORMATION
+ FileAlignmentInformation, // FILE_ALIGNMENT_INFORMATION
+ FileAllInformation, // FILE_ALL_INFORMATION
+ FileAllocationInformation, // FILE_ALLOCATION_INFORMATION
+ FileEndOfFileInformation, // FILE_END_OF_FILE_INFORMATION // 20
+ FileAlternateNameInformation, // FILE_NAME_INFORMATION
+ FileStreamInformation, // FILE_STREAM_INFORMATION
+ FilePipeInformation, // FILE_PIPE_INFORMATION
+ FilePipeLocalInformation, // FILE_PIPE_LOCAL_INFORMATION
+ FilePipeRemoteInformation, // FILE_PIPE_REMOTE_INFORMATION
+ FileMailslotQueryInformation, // FILE_MAILSLOT_QUERY_INFORMATION
+ FileMailslotSetInformation, // FILE_MAILSLOT_SET_INFORMATION
+ FileCompressionInformation, // FILE_COMPRESSION_INFORMATION
+ FileObjectIdInformation, // FILE_OBJECTID_INFORMATION
+ FileCompletionInformation, // FILE_COMPLETION_INFORMATION // 30
+ FileMoveClusterInformation, // FILE_MOVE_CLUSTER_INFORMATION
+ FileQuotaInformation, // FILE_QUOTA_INFORMATION
+ FileReparsePointInformation, // FILE_REPARSE_POINT_INFORMATION
+ FileNetworkOpenInformation, // FILE_NETWORK_OPEN_INFORMATION
+ FileAttributeTagInformation, // FILE_ATTRIBUTE_TAG_INFORMATION
+ FileTrackingInformation, // FILE_TRACKING_INFORMATION
+ FileIdBothDirectoryInformation, // FILE_ID_BOTH_DIR_INFORMATION
+ FileIdFullDirectoryInformation, // FILE_ID_FULL_DIR_INFORMATION
+ FileValidDataLengthInformation, // FILE_VALID_DATA_LENGTH_INFORMATION
+ FileShortNameInformation, // FILE_NAME_INFORMATION // 40
+ FileIoCompletionNotificationInformation, // FILE_IO_COMPLETION_NOTIFICATION_INFORMATION // since VISTA
+ FileIoStatusBlockRangeInformation, // FILE_IOSTATUSBLOCK_RANGE_INFORMATION
+ FileIoPriorityHintInformation, // FILE_IO_PRIORITY_HINT_INFORMATION
+ FileSfioReserveInformation, // FILE_SFIO_RESERVE_INFORMATION
+ FileSfioVolumeInformation, // FILE_SFIO_VOLUME_INFORMATION
+ FileHardLinkInformation, // FILE_LINKS_INFORMATION
+ FileProcessIdsUsingFileInformation, // FILE_PROCESS_IDS_USING_FILE_INFORMATION
+
FileNormalizedNameInformation, // FILE_NAME_INFORMATION
+ FileNetworkPhysicalNameInformation, // FILE_NETWORK_PHYSICAL_NAME_INFORMATION
+ FileIdGlobalTxDirectoryInformation, // FILE_ID_GLOBAL_TX_DIR_INFORMATION // since WIN7 // 50
+ FileIsRemoteDeviceInformation, // FILE_IS_REMOTE_DEVICE_INFORMATION
+ FileUnusedInformation,
+ FileNumaNodeInformation, // FILE_NUMA_NODE_INFORMATION
+ FileStandardLinkInformation, // FILE_STANDARD_LINK_INFORMATION
+ FileRemoteProtocolInformation, // FILE_REMOTE_PROTOCOL_INFORMATION
+ FileRenameInformationBypassAccessCheck, // (kernel-mode only); FILE_RENAME_INFORMATION // since WIN8
+ FileLinkInformationBypassAccessCheck, // (kernel-mode only); FILE_LINK_INFORMATION
+ FileVolumeNameInformation, // FILE_VOLUME_NAME_INFORMATION
+ FileIdInformation, // FILE_ID_INFORMATION
+ FileIdExtdDirectoryInformation, // FILE_ID_EXTD_DIR_INFORMATION
+ FileReplaceCompletionInformation, // FILE_COMPLETION_INFORMATION // since WINBLUE
+ FileHardLinkFullIdInformation, // FILE_LINK_ENTRY_FULL_ID_INFORMATION
+ FileIdExtdBothDirectoryInformation, // FILE_ID_EXTD_BOTH_DIR_INFORMATION // since THRESHOLD
+ FileDispositionInformationEx, // FILE_DISPOSITION_INFO_EX // since REDSTONE
+ FileRenameInformationEx,
+ FileRenameInformationExBypassAccessCheck,
+ FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2
+ FileStatInformation, // FILE_STAT_INFORMATION
+ FileMaximumInformation
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+
+typedef struct _SYSTEM_BASIC_INFORMATION
+{
+ ULONG Reserved;
+ ULONG TimerResolution;
+ ULONG PageSize;
+ ULONG NumberOfPhysicalPages;
+ ULONG LowestPhysicalPageNumber;
+ ULONG HighestPhysicalPageNumber;
+ ULONG AllocationGranularity;
+ ULONG_PTR MinimumUserModeAddress;
+ ULONG_PTR MaximumUserModeAddress;
+ ULONG_PTR ActiveProcessorsAffinityMask;
+ CCHAR NumberOfProcessors;
+} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
+
+typedef struct _FILE_PIPE_PEEK_BUFFER
+{
+ ULONG
NamedPipeState; + ULONG ReadDataAvailable; + ULONG NumberOfMessages; + ULONG MessageLength; + CHAR Data[1]; +} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER; + +typedef struct _NAMED_PIPE_CREATE_PARAMETERS +{ + ULONG NamedPipeType; + ULONG ReadMode; + ULONG CompletionMode; + ULONG MaximumInstances; + ULONG InboundQuota; + ULONG OutboundQuota; + LARGE_INTEGER DefaultTimeout; + BOOLEAN TimeoutSpecified; +} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef struct _SYSTEM_TIMEOFDAY_INFORMATION +{ + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG TimeZoneId; + ULONG Reserved; + ULONGLONG BootTimeBias; + ULONGLONG SleepTimeBias; +} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; + +typedef struct _SYSTEM_CONSOLE_INFORMATION +{ + ULONG DriverLoaded : 1; + ULONG Spare : 31; +} SYSTEM_CONSOLE_INFORMATION, *PSYSTEM_CONSOLE_INFORMATION; + +typedef struct _KSYSTEM_TIME +{ + ULONG LowPart; + LONG High1Time; + LONG High2Time; +} KSYSTEM_TIME, *PKSYSTEM_TIME; + +typedef struct _PROCESS_ACCESS_TOKEN +{ + HANDLE Token; // Needs TOKEN_ASSIGN_PRIMARY access + HANDLE Thread; // Handle to initial/only thread; needs THREAD_QUERY_INFORMATION access +} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; #ifdef __cplusplus -extern "C" { +typedef enum _PS_PROTECTED_TYPE : UCHAR +{ + PsProtectedTypeNone, + PsProtectedTypeProtectedLight, + PsProtectedTypeProtected, + PsProtectedTypeMax +} PS_PROTECTED_TYPE; +#else +typedef UCHAR PS_PROTECTED_TYPE; +#endif + +#ifdef __cplusplus +typedef enum _PS_PROTECTED_SIGNER : UCHAR +{ + PsProtectedSignerNone, + PsProtectedSignerAuthenticode, + 
PsProtectedSignerCodeGen,
+ PsProtectedSignerAntimalware,
+ PsProtectedSignerLsa,
+ PsProtectedSignerWindows,
+ PsProtectedSignerWinTcb,
+ PsProtectedSignerWinSystem,
+ PsProtectedSignerApp,
+ PsProtectedSignerMax
+} PS_PROTECTED_SIGNER;
+#else
+typedef UCHAR PS_PROTECTED_SIGNER;
+#endif
+
+typedef struct _PS_PROTECTION
+{
+ union
+ {
+ struct
+ {
+ PS_PROTECTED_TYPE Type : 3;
+ BOOLEAN Audit : 1;
+ PS_PROTECTED_SIGNER Signer : 4;
+ } s;
+ UCHAR Level;
+ };
+} PS_PROTECTION, *PPS_PROTECTION;
+
+#define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // Translate from multi-byte to Unicode
+#define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // Translate from OEM to Unicode (Translate flag must also be set)
+#define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // Create empty environment block
+
+typedef struct _RTL_BUFFER
+{
+ PUCHAR Buffer;
+ PUCHAR StaticBuffer;
+ SIZE_T Size;
+ SIZE_T StaticSize;
+ SIZE_T ReservedForAllocatedSize; // for future doubling
+ PVOID ReservedForIMalloc; // for future pluggable growth
+} RTL_BUFFER, *PRTL_BUFFER;
+
+typedef struct _RTL_UNICODE_STRING_BUFFER
+{
+ UNICODE_STRING String;
+ RTL_BUFFER ByteBuffer;
+ UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)];
+} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+ ULONG MaximumLength;
+ ULONG Length;
+
+ ULONG Flags;
+ ULONG DebugFlags;
+
+ HANDLE ConsoleHandle;
+ ULONG ConsoleFlags;
+ HANDLE StandardInput;
+ HANDLE StandardOutput;
+ HANDLE StandardError;
+
+ CURDIR CurrentDirectory;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PWCHAR Environment;
+
+ ULONG StartingX;
+ ULONG StartingY;
+ ULONG CountX;
+ ULONG CountY;
+ ULONG CountCharsX;
+ ULONG CountCharsY;
+ ULONG FillAttribute;
+
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopInfo;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR
CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+ ULONG_PTR EnvironmentSize;
+ ULONG_PTR EnvironmentVersion;
+ PVOID PackageDependencyData;
+ ULONG ProcessGroupId;
+ ULONG LoaderThreads;
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01
+#define RTL_USER_PROCESS_PARAMETERS_PROFILE_USER 0x02
+#define RTL_USER_PROCESS_PARAMETERS_PROFILE_KERNEL 0x04
+#define RTL_USER_PROCESS_PARAMETERS_PROFILE_SERVER 0x08
+#define RTL_USER_PROCESS_PARAMETERS_RESERVE_1MB 0x20
+#define RTL_USER_PROCESS_PARAMETERS_RESERVE_16MB 0x40
+#define RTL_USER_PROCESS_PARAMETERS_CASE_SENSITIVE 0x80
+#define RTL_USER_PROCESS_PARAMETERS_DISABLE_HEAP_DECOMMIT 0x100
+#define RTL_USER_PROCESS_PARAMETERS_DLL_REDIRECTION_LOCAL 0x1000
+#define RTL_USER_PROCESS_PARAMETERS_APP_MANIFEST_PRESENT 0x2000
+#define RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING 0x4000
+#define RTL_USER_PROCESS_PARAMETERS_NX_OPTIN 0x20000
+
+typedef struct _RTL_USER_PROCESS_INFORMATION
+{
+ ULONG Length;
+ HANDLE Process;
+ HANDLE Thread;
+ CLIENT_ID ClientId;
+ SECTION_IMAGE_INFORMATION ImageInformation;
+} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;
+
+// Handle tag bits for PEB stdio file handles
+#define PEB_STDIO_HANDLE_NATIVE 0
+#define PEB_STDIO_HANDLE_SUBSYS 1
+#define PEB_STDIO_HANDLE_PM 2
+#define PEB_STDIO_HANDLE_RESERVED 3
+
+#define GDI_HANDLE_BUFFER_SIZE32 34
+#define GDI_HANDLE_BUFFER_SIZE64 60
+
+#ifndef _WIN64
+#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
+#else
+#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
+#endif
+
+typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
+typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
+typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
+
+#define FLS_MAXIMUM_AVAILABLE 128
+#define TLS_MINIMUM_AVAILABLE 64
+#define TLS_EXPANSION_SLOTS 1024
+
+typedef struct _PEB_LDR_DATA
+{
+ ULONG Length;
+ BOOLEAN Initialized;
+ HANDLE SsHandle;
+ LIST_ENTRY
InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+ PVOID EntryInProgress;
+ BOOLEAN ShutdownInProgress;
+ HANDLE ShutdownThreadId;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+typedef struct _ACTIVATION_CONTEXT_STACK
+{
+ struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame;
+ LIST_ENTRY FrameListCache;
+ ULONG Flags;
+ ULONG NextCookieSequenceNumber;
+ ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
+
+typedef struct _PEB
+{
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ union
+ {
+ BOOLEAN BitField;
+ struct
+ {
+ BOOLEAN ImageUsesLargePages : 1;
+ BOOLEAN IsProtectedProcess : 1;
+ BOOLEAN IsImageDynamicallyRelocated : 1;
+ BOOLEAN SkipPatchingUser32Forwarders : 1;
+ BOOLEAN IsPackagedProcess : 1;
+ BOOLEAN IsAppContainer : 1;
+ BOOLEAN IsProtectedProcessLight : 1;
+ BOOLEAN IsLongPathAwareProcess : 1;
+ } s1;
+ } u1;
+
+ HANDLE Mutant;
+
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA Ldr;
+ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PRTL_CRITICAL_SECTION FastPebLock;
+ PVOID AtlThunkSListPtr;
+ PVOID IFEOKey;
+ union
+ {
+ ULONG CrossProcessFlags;
+ struct
+ {
+ ULONG ProcessInJob : 1;
+ ULONG ProcessInitializing : 1;
+ ULONG ProcessUsingVEH : 1;
+ ULONG ProcessUsingVCH : 1;
+ ULONG ProcessUsingFTH : 1;
+ ULONG ProcessPreviouslyThrottled : 1;
+ ULONG ProcessCurrentlyThrottled : 1;
+ ULONG ReservedBits0 : 25;
+ } s2;
+ } u2;
+ union
+ {
+ PVOID KernelCallbackTable;
+ PVOID UserSharedInfoPtr;
+ } u3;
+ ULONG SystemReserved[1];
+ ULONG AtlThunkSListPtr32;
+ PVOID ApiSetMap;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[2];
+
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID SharedData; // HotpatchInformation
+ PVOID* ReadOnlyStaticServerData;
+
+ PVOID AnsiCodePageData; // PCPTABLEINFO
+ PVOID OemCodePageData; // PCPTABLEINFO
+ PVOID UnicodeCaseTableData; // PNLSTABLEINFO
+
+ ULONG
NumberOfProcessors;
+ ULONG NtGlobalFlag;
+
+ LARGE_INTEGER CriticalSectionTimeout;
+ SIZE_T HeapSegmentReserve;
+ SIZE_T HeapSegmentCommit;
+ SIZE_T HeapDeCommitTotalFreeThreshold;
+ SIZE_T HeapDeCommitFreeBlockThreshold;
+
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID* ProcessHeaps; // PHEAP
+
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ ULONG GdiDCAttributeList;
+
+ PRTL_CRITICAL_SECTION LoaderLock;
+
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ USHORT OSBuildNumber;
+ USHORT OSCSDVersion;
+ ULONG OSPlatformId;
+ ULONG ImageSubsystem;
+ ULONG ImageSubsystemMajorVersion;
+ ULONG ImageSubsystemMinorVersion;
+ ULONG_PTR ActiveProcessAffinityMask;
+ GDI_HANDLE_BUFFER GdiHandleBuffer;
+ PVOID PostProcessInitRoutine;
+
+ PVOID TlsExpansionBitmap;
+ ULONG TlsExpansionBitmapBits[32];
+
+ ULONG SessionId;
+
+ ULARGE_INTEGER AppCompatFlags;
+ ULARGE_INTEGER AppCompatFlagsUser;
+ PVOID pShimData;
+ PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA
+
+ UNICODE_STRING CSDVersion;
+
+ PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA
+ PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
+ PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA
+ PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
+
+ SIZE_T MinimumStackCommit;
+
+ PVOID* FlsCallback;
+ LIST_ENTRY FlsListHead;
+ PVOID FlsBitmap;
+ ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
+ ULONG FlsHighIndex;
+
+ PVOID WerRegistrationData;
+ PVOID WerShipAssertPtr;
+ PVOID pUnused; // pContextData
+ PVOID pImageHeaderHash;
+ union
+ {
+ ULONG TracingFlags;
+ struct
+ {
+ ULONG HeapTracingEnabled : 1;
+ ULONG CritSecTracingEnabled : 1;
+ ULONG LibLoaderTracingEnabled : 1;
+ ULONG SpareTracingBits : 29;
+ } s3;
+ } u4;
+ ULONGLONG CsrServerReadOnlySharedMemoryBase;
+ PVOID TppWorkerpListLock;
+ LIST_ENTRY TppWorkerpList;
+ PVOID WaitOnAddressHashTable[128];
+ PVOID TelemetryCoverageHeader; // REDSTONE3
+ ULONG CloudFileFlags;
+} PEB, *PPEB;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH
+{
+ ULONG Offset;
+ ULONG_PTR HDC;
+ ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT
+{
+ ULONG Flags;
+ PSTR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME
+{
+ ULONG Flags;
+ struct _TEB_ACTIVE_FRAME* Previous;
+ PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
+
+typedef struct _TEB
+{
+ NT_TIB NtTib;
+
+ PVOID EnvironmentPointer;
+ CLIENT_ID ClientId;
+ PVOID ActiveRpcHandle;
+ PVOID ThreadLocalStoragePointer;
+ PPEB ProcessEnvironmentBlock;
+
+ ULONG LastErrorValue;
+ ULONG CountOfOwnedCriticalSections;
+ PVOID CsrClientThread;
+ PVOID Win32ThreadInfo;
+ ULONG User32Reserved[26];
+ ULONG UserReserved[5];
+ PVOID WOW32Reserved;
+ LCID CurrentLocale;
+ ULONG FpSoftwareStatusRegister;
+ PVOID ReservedForDebuggerInstrumentation[16];
+#ifdef _WIN64
+ PVOID SystemReserved1[30];
+#else
+ PVOID SystemReserved1[26];
+#endif
+ CHAR PlaceholderCompatibilityMode;
+ CHAR PlaceholderReserved[11];
+ ULONG ProxiedProcessId;
+ ACTIVATION_CONTEXT_STACK ActivationStack;
+
+ UCHAR WorkingOnBehalfTicket[8];
+ NTSTATUS ExceptionCode;
+
+ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+ ULONG_PTR InstrumentationCallbackSp;
+ ULONG_PTR InstrumentationCallbackPreviousPc;
+ ULONG_PTR InstrumentationCallbackPreviousSp;
+#ifdef _WIN64
+ ULONG TxFsContext;
+#endif
+ BOOLEAN InstrumentationCallbackDisabled;
+#ifndef _WIN64
+ UCHAR SpareBytes[23];
+ ULONG TxFsContext;
+#endif
+ GDI_TEB_BATCH GdiTebBatch;
+ CLIENT_ID RealClientId;
+ HANDLE GdiCachedProcessHandle;
+ ULONG GdiClientPID;
+ ULONG GdiClientTID;
+ PVOID GdiThreadLocalInfo;
+ ULONG_PTR Win32ClientInfo[62];
+ PVOID glDispatchTable[233];
+ ULONG_PTR glReserved1[29];
+ PVOID glReserved2;
+ PVOID glSectionInfo;
+ PVOID glSection;
+ PVOID glTable;
+ PVOID glCurrentRC;
+ PVOID glContext;
+
+ NTSTATUS
LastStatusValue;
+ UNICODE_STRING StaticUnicodeString;
+ WCHAR StaticUnicodeBuffer[261];
+
+ PVOID DeallocationStack;
+ PVOID TlsSlots[64];
+ LIST_ENTRY TlsLinks;
+
+ PVOID Vdm;
+ PVOID ReservedForNtRpc;
+ PVOID DbgSsReserved[2];
+
+ ULONG HardErrorMode;
+#ifdef _WIN64
+ PVOID Instrumentation[11];
+#else
+ PVOID Instrumentation[9];
+#endif
+ GUID ActivityId;
+
+ PVOID SubProcessTag;
+ PVOID PerflibData;
+ PVOID EtwTraceData;
+ PVOID WinSockData;
+ ULONG GdiBatchCount;
+
+ union
+ {
+ PROCESSOR_NUMBER CurrentIdealProcessor;
+ ULONG IdealProcessorValue;
+ struct
+ {
+ UCHAR ReservedPad0;
+ UCHAR ReservedPad1;
+ UCHAR ReservedPad2;
+ UCHAR IdealProcessor;
+ } s1;
+ } u1;
+
+ ULONG GuaranteedStackBytes;
+ PVOID ReservedForPerf;
+ PVOID ReservedForOle;
+ ULONG WaitingOnLoaderLock;
+ PVOID SavedPriorityState;
+ ULONG_PTR ReservedForCodeCoverage;
+ PVOID ThreadPoolData;
+ PVOID* TlsExpansionSlots;
+#ifdef _WIN64
+ PVOID DeallocationBStore;
+ PVOID BStoreLimit;
+#endif
+ ULONG MuiGeneration;
+ ULONG IsImpersonating;
+ PVOID NlsCache;
+ PVOID pShimData;
+ USHORT HeapVirtualAffinity;
+ USHORT LowFragHeapDataSlot;
+ HANDLE CurrentTransactionHandle;
+ PTEB_ACTIVE_FRAME ActiveFrame;
+ PVOID FlsData;
+
+ PVOID PreferredLanguages;
+ PVOID UserPrefLanguages;
+ PVOID MergedPrefLanguages;
+ ULONG MuiImpersonation;
+
+ union
+ {
+ USHORT CrossTebFlags;
+ USHORT SpareCrossTebBits : 16;
+ } u2;
+ union
+ {
+ USHORT SameTebFlags;
+ struct
+ {
+ USHORT SafeThunkCall : 1;
+ USHORT InDebugPrint : 1;
+ USHORT HasFiberData : 1;
+ USHORT SkipThreadAttach : 1;
+ USHORT WerInShipAssertCode : 1;
+ USHORT RanProcessInit : 1;
+ USHORT ClonedThread : 1;
+ USHORT SuppressDebugMsg : 1;
+ USHORT DisableUserStackWalk : 1;
+ USHORT RtlExceptionAttached : 1;
+ USHORT InitialThread : 1;
+ USHORT SessionAware : 1;
+ USHORT LoadOwner : 1;
+ USHORT LoaderWorker : 1;
+ USHORT SkipLoaderInit : 1;
+ USHORT SpareSameTebBits : 1;
+ } s2;
+ } u3;
+
+ PVOID TxnScopeEnterCallback;
+ PVOID TxnScopeExitCallback;
+
PVOID TxnScopeContext;
+ ULONG LockCount;
+ LONG WowTebOffset;
+ PVOID ResourceRetValue;
+ PVOID ReservedForWdf;
+ ULONGLONG ReservedForCrt;
+ GUID EffectiveContainerId;
+} TEB, *PTEB;
+
+typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
+{
+ StandardDesign,
+ NEC98x86,
+ EndAlternatives
+} ALTERNATIVE_ARCHITECTURE_TYPE;
+
+#define PROCESSOR_FEATURE_MAX 64
+
+#define MAX_WOW64_SHARED_ENTRIES 16
+
+#define NX_SUPPORT_POLICY_ALWAYSOFF 0
+#define NX_SUPPORT_POLICY_ALWAYSON 1
+#define NX_SUPPORT_POLICY_OPTIN 2
+#define NX_SUPPORT_POLICY_OPTOUT 3
+
+#pragma pack(push, 4)
+typedef struct _KUSER_SHARED_DATA
+{
+ ULONG TickCountLowDeprecated;
+ ULONG TickCountMultiplier;
+
+ volatile KSYSTEM_TIME InterruptTime;
+ volatile KSYSTEM_TIME SystemTime;
+ volatile KSYSTEM_TIME TimeZoneBias;
+
+ USHORT ImageNumberLow;
+ USHORT ImageNumberHigh;
+
+ WCHAR NtSystemRoot[260];
+
+ ULONG MaxStackTraceDepth;
+
+ ULONG CryptoExponent;
+
+ ULONG TimeZoneId;
+ ULONG LargePageMinimum;
+ ULONG AitSamplingValue;
+ ULONG AppCompatFlag;
+ ULONGLONG RNGSeedVersion;
+ ULONG GlobalValidationRunlevel;
+ LONG TimeZoneBiasStamp;
+
+ ULONG NtBuildNumber;
+ ULONG NtProductType;
+ BOOLEAN ProductTypeIsValid;
+ UCHAR Reserved0[1];
+ USHORT NativeProcessorArchitecture;
+
+ ULONG NtMajorVersion;
+ ULONG NtMinorVersion;
+
+ BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
+
+ ULONG Reserved1;
+ ULONG Reserved3;
+
+ volatile ULONG TimeSlip;
+
+ ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
+ ULONG BootId;
+
+ LARGE_INTEGER SystemExpirationDate;
+
+ ULONG SuiteMask;
+
+ BOOLEAN KdDebuggerEnabled;
+ union
+ {
+ UCHAR MitigationPolicies;
+ struct
+ {
+ UCHAR NXSupportPolicy : 2;
+ UCHAR SEHValidationPolicy : 2;
+ UCHAR CurDirDevicesSkippedForDlls : 2;
+ UCHAR Reserved : 2;
+ } s1;
+ } u1;
+ UCHAR Reserved6[2];
+
+ volatile ULONG ActiveConsoleId;
+
+ volatile ULONG DismountCount;
+
+ ULONG ComPlusPackage;
+
+ ULONG LastSystemRITEventTickCount;
+
+ ULONG NumberOfPhysicalPages;
+
+ BOOLEAN SafeBootMode;
+ UCHAR
VirtualizationFlags;
+ UCHAR Reserved12[2];
+
+ union
+ {
+ ULONG SharedDataFlags;
+ struct
+ {
+ ULONG DbgErrorPortPresent : 1;
+ ULONG DbgElevationEnabled : 1;
+ ULONG DbgVirtEnabled : 1;
+ ULONG DbgInstallerDetectEnabled : 1;
+ ULONG DbgLkgEnabled : 1;
+ ULONG DbgDynProcessorEnabled : 1;
+ ULONG DbgConsoleBrokerEnabled : 1;
+ ULONG DbgSecureBootEnabled : 1;
+ ULONG DbgMultiSessionSku : 1;
+ ULONG DbgMultiUsersInSessionSku : 1;
+ ULONG SpareBits : 22;
+ } s2;
+ } u2;
+ ULONG DataFlagsPad[1];
+
+ ULONGLONG TestRetInstruction;
+ LONGLONG QpcFrequency;
+ ULONG SystemCall;
+ ULONG SystemCallPad0;
+ ULONGLONG SystemCallPad[2];
+
+ union
+ {
+ volatile KSYSTEM_TIME TickCount;
+ volatile ULONG64 TickCountQuad;
+ ULONG ReservedTickCountOverlay[3];
+ };
+ ULONG TickCountPad[1];
+
+ ULONG Cookie;
+ ULONG CookiePad[1];
+
+ LONGLONG ConsoleSessionForegroundProcessId;
+ ULONGLONG TimeUpdateLock;
+ ULONGLONG BaselineSystemTimeQpc;
+ ULONGLONG BaselineInterruptTimeQpc;
+ ULONGLONG QpcSystemTimeIncrement;
+ ULONGLONG QpcInterruptTimeIncrement;
+ UCHAR QpcSystemTimeIncrementShift;
+ UCHAR QpcInterruptTimeIncrementShift;
+
+ USHORT UnparkedProcessorCount;
+ ULONG EnclaveFeatureMask[4];
+ ULONG Reserved8;
+ USHORT UserModeGlobalLogger[16];
+ ULONG ImageFileExecutionOptions;
+
+ ULONG LangGenerationCount;
+ ULONGLONG Reserved4;
+ volatile ULONG64 InterruptTimeBias;
+ volatile ULONG64 QpcBias;
+
+ ULONG ActiveProcessorCount;
+ volatile UCHAR ActiveGroupCount;
+ UCHAR Reserved9;
+ union
+ {
+ USHORT QpcData;
+ struct
+ {
+ UCHAR QpcBypassEnabled : 1;
+ UCHAR QpcShift : 1;
+ } s3;
+ } u3;
+
+ LARGE_INTEGER TimeZoneBiasEffectiveStart;
+ LARGE_INTEGER TimeZoneBiasEffectiveEnd;
+ XSTATE_CONFIGURATION XState;
+} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
+#pragma pack(pop)
+
+#ifdef __cplusplus
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x14, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x20, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x2c, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x2e, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x30, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8, "Offset check");
+#endif
+
+#if !defined(_KERNEL_MODE) && !defined(KERNELMODE)
+#define USER_SHARED_DATA 0x7FFE0000
+#define SharedUserData ((KUSER_SHARED_DATA * const)USER_SHARED_DATA)
+#else
+#if defined(_M_IX86)
+#define KI_USER_SHARED_DATA 0xFFDF0000
+#elif defined (_M_AMD64)
+#define KI_USER_SHARED_DATA 0xFFFFF78000000000Ui64
+#elif defined (_M_ARM)
+#define KI_USER_SHARED_DATA 0xFFFF9000
+#elif defined(M_ARM64)
+#define KI_USER_SHARED_DATA 0xFFFFF78000000000Ui64
+#endif
+#define SharedUserData ((KUSER_SHARED_DATA * const)KI_USER_SHARED_DATA)
+#endif
+
+typedef struct _PROCESS_BASIC_INFORMATION
+{
+ NTSTATUS ExitStatus;
+ PPEB PebBaseAddress;
+ ULONG_PTR AffinityMask;
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ HANDLE InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
+
+typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
+{
+ SIZE_T Size; // Set to sizeof structure on input
+ PROCESS_BASIC_INFORMATION BasicInfo;
+ union
+ {
+ ULONG Flags;
+ struct
+ {
+ ULONG IsProtectedProcess : 1;
+ ULONG IsWow64Process : 1;
+ ULONG IsProcessDeleting : 1;
+ ULONG IsCrossSessionCreate : 1; + ULONG IsFrozen : 1; + ULONG IsBackground : 1; + ULONG IsStronglyNamed : 1; + ULONG IsSecureProcess : 1; + ULONG IsSubsystemProcess : 1; + ULONG SpareBits : 23; + } s; + } u; +} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; + +typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION +{ + SYSTEM_THREAD_INFORMATION ThreadInfo; + PVOID StackBase; + PVOID StackLimit; + PVOID Win32StartAddress; + PTEB TebBase; // Since Vista + ULONG_PTR Reserved2; + ULONG_PTR Reserved3; + ULONG_PTR Reserved4; +} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; + +#ifndef FIELD_OFFSET +#if !defined(__clang__) +#define FIELD_OFFSET(type, field) ((LONG)(LONG_PTR)&(((type *)0)->field)) +#else +#define FIELD_OFFSET(type, field) ((LONG)__builtin_offsetof(type, field)) +#endif +#endif +#ifndef UFIELD_OFFSET +#if !defined(__clang__) +#define UFIELD_OFFSET(type, field) ((ULONG)(LONG_PTR)&(((type *)0)->field)) +#else +#define UFIELD_OFFSET(type, field) ((ULONG)__builtin_offsetof(type, field)) +#endif +#endif + +#define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset))) +#define PTR_SUB_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Offset))) +#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~(Align - 1)) +#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align)) +#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type)) +#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1)) +#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align)) +#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type)) + +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + 
(p)->SecurityQualityOfService = NULL; \
+ }
+
+#define OBJ_INHERIT 0x00000002L
+#define OBJ_PERMANENT 0x00000010L
+#define OBJ_EXCLUSIVE 0x00000020L
+#define OBJ_CASE_INSENSITIVE 0x00000040L
+#define OBJ_OPENIF 0x00000080L
+#define OBJ_OPENLINK 0x00000100L
+#define OBJ_KERNEL_HANDLE 0x00000200L
+#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
+#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800
+#define OBJ_DONT_REPARSE 0x00001000
+#define OBJ_VALID_ATTRIBUTES 0x00001FF2
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ 0xFFFF)
+#else
+#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ 0x3FF)
+#endif
+
+#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
+#define THREAD_CREATE_FLAGS_SUPPRESS_DLLMAINS 0x00000002
+#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
+#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ?
+#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ?
+#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
+
+#define DEBUG_READ_EVENT 0x0001
+#define DEBUG_PROCESS_ASSIGN 0x0002
+#define DEBUG_SET_INFORMATION 0x0004
+#define DEBUG_QUERY_INFORMATION 0x0008
+
+#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \
+ DEBUG_QUERY_INFORMATION)
+
+#define DEBUG_KILL_ON_CLOSE 0x1
+
+#ifndef IO_COMPLETION_QUERY_STATE
+#define IO_COMPLETION_QUERY_STATE 0x0001
+#endif
+#ifndef IO_COMPLETION_MODIFY_STATE
+#define IO_COMPLETION_MODIFY_STATE 0x0002
+#endif
+#ifndef IO_COMPLETION_ALL_ACCESS
+#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ IO_COMPLETION_QUERY_STATE | IO_COMPLETION_MODIFY_STATE)
+#endif
+
+#ifndef SEMAPHORE_ALL_ACCESS
+#define SEMAPHORE_QUERY_STATE 0x0001
+#define SEMAPHORE_MODIFY_STATE 0x0002
+
+#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE)
+#endif
+
+#ifndef MUTANT_ALL_ACCESS
+#define MUTANT_QUERY_STATE 0x0001
+
+#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ MUTANT_QUERY_STATE)
+#endif
+
+#ifndef EVENT_ALL_ACCESS
+#define EVENT_QUERY_STATE 0x0001
+#define EVENT_MODIFY_STATE 0x0002
+
+#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ EVENT_QUERY_STATE | EVENT_MODIFY_STATE)
+#endif
+
+#define KEYEDEVENT_WAIT 0x0001
+#define KEYEDEVENT_WAKE 0x0002
+#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)
+
+#define DIRECTORY_QUERY 0x0001
+#define DIRECTORY_TRAVERSE 0x0002
+#define DIRECTORY_CREATE_OBJECT 0x0004
+#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
+
+#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ DIRECTORY_QUERY | DIRECTORY_TRAVERSE | \
+ DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY)
+
+#define SYMBOLIC_LINK_QUERY 0x0001
+
+#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ SYMBOLIC_LINK_QUERY)
+
+#ifndef TOKEN_ALL_ACCESS
+#define TOKEN_ASSIGN_PRIMARY 0x0001
+#define TOKEN_DUPLICATE 0x0002
+#define TOKEN_IMPERSONATE 0x0004
+#define TOKEN_QUERY 0x0008
+#define TOKEN_QUERY_SOURCE 0x0010
+#define TOKEN_ADJUST_PRIVILEGES 0x0020
+#define TOKEN_ADJUST_GROUPS 0x0040
+#define TOKEN_ADJUST_DEFAULT 0x0080
+#define TOKEN_ADJUST_SESSIONID 0x0100
+
+#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED | \
+ TOKEN_ASSIGN_PRIMARY | \
+ TOKEN_DUPLICATE | \
+ TOKEN_IMPERSONATE | \
+ TOKEN_QUERY | \
+ TOKEN_QUERY_SOURCE | \
+ TOKEN_ADJUST_PRIVILEGES | \
+ TOKEN_ADJUST_GROUPS | \
+ TOKEN_ADJUST_DEFAULT)
+
+#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | \
+ TOKEN_ADJUST_SESSIONID)
+#endif
+
+#define WORKER_FACTORY_RELEASE_WORKER 0x0001
+#define WORKER_FACTORY_WAIT 0x0002
+#define WORKER_FACTORY_SET_INFORMATION 0x0004
+#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
+#define WORKER_FACTORY_READY_WORKER 0x0010
+#define WORKER_FACTORY_SHUTDOWN 0x0020
+
+#define WORKER_FACTORY_ALL_ACCESS
(STANDARD_RIGHTS_REQUIRED | \
+ WORKER_FACTORY_RELEASE_WORKER | \
+ WORKER_FACTORY_WAIT | \
+ WORKER_FACTORY_SET_INFORMATION | \
+ WORKER_FACTORY_QUERY_INFORMATION | \
+ WORKER_FACTORY_READY_WORKER | \
+ WORKER_FACTORY_SHUTDOWN)
+
+#define NtCurrentProcess ((HANDLE)(LONG_PTR)-1)
+#define NtCurrentThread ((HANDLE)(LONG_PTR)-2)
+#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
+#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
+#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
+#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap)
+
+typedef struct _RTL_HEAP_ENTRY
+{
+ SIZE_T Size;
+ USHORT Flags;
+ USHORT AllocatorBackTraceIndex;
+ union
+ {
+ struct
+ {
+ SIZE_T Settable;
+ ULONG Tag;
+ } s1;
+ struct
+ {
+ SIZE_T CommittedSize;
+ PVOID FirstBlock;
+ } s2;
+ } u;
+} RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY;
+
+#define RTL_HEAP_BUSY (USHORT)0x0001
+#define RTL_HEAP_SEGMENT (USHORT)0x0002
+#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010
+#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020
+#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040
+#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080
+#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00e0
+#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100
+#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200
+
+typedef struct _RTL_HEAP_TAG
+{
+ ULONG NumberOfAllocations;
+ ULONG NumberOfFrees;
+ SIZE_T BytesAllocated;
+ USHORT TagIndex;
+ USHORT CreatorBackTraceIndex;
+ WCHAR TagName[24];
+} RTL_HEAP_TAG, *PRTL_HEAP_TAG;
+
+typedef struct _RTL_HEAP_INFORMATION
+{
+ PVOID BaseAddress;
+ ULONG Flags;
+ USHORT EntryOverhead;
+ USHORT CreatorBackTraceIndex;
+ SIZE_T BytesAllocated;
+ SIZE_T BytesCommitted;
+ ULONG NumberOfTags;
+ ULONG NumberOfEntries;
+ ULONG NumberOfPseudoTags;
+ ULONG PseudoTagGranularity;
+ ULONG Reserved[5];
+ PRTL_HEAP_TAG Tags;
+ PRTL_HEAP_ENTRY Entries;
+} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION;
+
+typedef struct _RTL_PROCESS_HEAPS
+{
+ ULONG NumberOfHeaps;
+ RTL_HEAP_INFORMATION
Heaps[1];
+} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS;
+
+typedef
+NTSTATUS
+(NTAPI*
+ PRTL_HEAP_COMMIT_ROUTINE)(
+ _In_ PVOID Base,
+ _Inout_ PVOID* CommitAddress,
+ _Inout_ PSIZE_T CommitSize
+ );
+
+typedef struct _RTL_HEAP_PARAMETERS
+{
+ ULONG Length;
+ SIZE_T SegmentReserve;
+ SIZE_T SegmentCommit;
+ SIZE_T DeCommitFreeBlockThreshold;
+ SIZE_T DeCommitTotalFreeThreshold;
+ SIZE_T MaximumAllocationSize;
+ SIZE_T VirtualMemoryThreshold;
+ SIZE_T InitialCommit;
+ SIZE_T InitialReserve;
+ PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
+ SIZE_T Reserved[2];
+} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
+
+#define HEAP_SETTABLE_USER_VALUE 0x00000100
+#define HEAP_SETTABLE_USER_FLAG1 0x00000200
+#define HEAP_SETTABLE_USER_FLAG2 0x00000400
+#define HEAP_SETTABLE_USER_FLAG3 0x00000800
+#define HEAP_SETTABLE_USER_FLAGS 0x00000e00
+
+#define HEAP_CLASS_0 0x00000000 // Process heap
+#define HEAP_CLASS_1 0x00001000 // Private heap
+#define HEAP_CLASS_2 0x00002000 // Kernel heap
+#define HEAP_CLASS_3 0x00003000 // GDI heap
+#define HEAP_CLASS_4 0x00004000 // User heap
+#define HEAP_CLASS_5 0x00005000 // Console heap
+#define HEAP_CLASS_6 0x00006000 // User desktop heap
+#define HEAP_CLASS_7 0x00007000 // CSR shared heap
+#define HEAP_CLASS_8 0x00008000 // CSR port heap
+#define HEAP_CLASS_MASK 0x0000f000
+
+typedef struct _RTL_HEAP_TAG_INFO
+{
+ ULONG NumberOfAllocations;
+ ULONG NumberOfFrees;
+ SIZE_T BytesAllocated;
+} RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO;
+
+#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS
+
+typedef struct _RTL_HEAP_WALK_ENTRY
+{
+ PVOID DataAddress;
+ SIZE_T DataSize;
+ UCHAR OverheadBytes;
+ UCHAR SegmentIndex;
+ USHORT Flags;
+ union
+ {
+ struct
+ {
+ SIZE_T Settable;
+ USHORT TagIndex;
+ USHORT AllocatorBackTraceIndex;
+ ULONG Reserved[2];
+ } Block;
+ struct
+ {
+ ULONG CommittedSize;
+ ULONG UnCommittedSize;
+ PVOID FirstEntry;
+ PVOID LastEntry;
+ } Segment;
+ };
+} RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY;
+
+// HEAP_INFORMATION_CLASS.
winnt.h is incomplete
+#define HeapCompatibilityInformation 0x0 // q; s: ULONG
+#define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL
+#define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION
+#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION
+#define HeapTaggingInformation 0x4
+#define HeapStackDatabase 0x5
+#define HeapDetailedFailureInformation 0x80000001
+#define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION
+
+typedef struct _PROCESS_HEAP_INFORMATION
+{
+ ULONG_PTR ReserveSize;
+ ULONG_PTR CommitSize;
+ ULONG NumberOfHeaps;
+ ULONG_PTR FirstHeapInformationOffset;
+} PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION;
+
+typedef struct _HEAP_INFORMATION
+{
+ ULONG_PTR Address;
+ ULONG Mode;
+ ULONG_PTR ReserveSize;
+ ULONG_PTR CommitSize;
+ ULONG_PTR FirstRegionInformationOffset;
+ ULONG_PTR NextHeapInformationOffset;
+} HEAP_INFORMATION, *PHEAP_INFORMATION;
+
+typedef struct _HEAP_EXTENDED_INFORMATION
+{
+ HANDLE Process;
+ ULONG_PTR Heap;
+ ULONG Level;
+ PVOID CallbackRoutine;
+ PVOID CallbackContext;
+ PROCESS_HEAP_INFORMATION ProcessHeapInformation;
+ HEAP_INFORMATION HeapInformation;
+} HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION;
+
+typedef
+NTSTATUS
+(NTAPI*
+ PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)(
+ _In_ LONG Reserved,
+ _In_ PVOID HeapHandle,
+ _In_ PVOID BaseAddress,
+ _In_ SIZE_T BlockSize,
+ _In_ ULONG StackTraceDepth,
+ _In_ PVOID* StackTrace
+ );
+
+typedef struct _HEAP_DEBUGGING_INFORMATION
+{
+ PVOID InterceptorFunction;
+ USHORT InterceptorValue;
+ ULONG ExtendedOptions;
+ ULONG StackTraceDepth;
+ SIZE_T MinTotalBlockSize;
+ SIZE_T MaxTotalBlockSize;
+ PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine;
+} HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION;
+
+typedef
+NTSTATUS
+(NTAPI*
+ PRTL_ENUM_HEAPS_ROUTINE)(
+ _In_ PVOID HeapHandle,
+ _In_ PVOID Parameter
+ );
+
+typedef
+NTSTATUS
+(NTAPI*
+ PUSER_THREAD_START_ROUTINE)(
+ _In_ PVOID
ThreadParameter
+ );
+
+#define LDR_FORMAT_MESSAGE_FROM_SYSTEM_MESSAGE_TABLE 11
+
+#define RTL_ERRORMODE_NOGPFAULTERRORBOX 0x0020
+#define RTL_ERRORMODE_NOOPENFILEERRORBOX 0x0040
+
+#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001
+#define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002
+
+typedef
+VOID
+(NTAPI*
+ PLDR_IMPORT_MODULE_CALLBACK)(
+ _In_ PVOID Parameter,
+ _In_ PSTR ModuleName
+ );
+
+typedef struct _LDR_IMPORT_CALLBACK_INFO
+{
+ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine;
+ PVOID ImportCallbackParameter;
+} LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO;
+
+typedef struct _LDR_SECTION_INFO
+{
+ HANDLE SectionHandle;
+ ACCESS_MASK DesiredAccess;
+ POBJECT_ATTRIBUTES ObjectAttributes;
+ ULONG SectionPageProtection;
+ ULONG AllocationAttributes;
+} LDR_SECTION_INFO, *PLDR_SECTION_INFO;
+
+typedef struct _LDR_VERIFY_IMAGE_INFO
+{
+ ULONG Size;
+ ULONG Flags;
+ LDR_IMPORT_CALLBACK_INFO CallbackInfo;
+ LDR_SECTION_INFO SectionInfo;
+ USHORT ImageCharacteristics;
+} LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO;
+
+typedef enum _SEMAPHORE_INFORMATION_CLASS
+{
+ SemaphoreBasicInformation
+} SEMAPHORE_INFORMATION_CLASS;
+
+typedef struct _SEMAPHORE_BASIC_INFORMATION
+{
+ LONG CurrentCount;
+ LONG MaximumCount;
+} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
+
+typedef enum _TIMER_INFORMATION_CLASS
+{
+ TimerBasicInformation
+} TIMER_INFORMATION_CLASS;
+
+typedef struct _TIMER_BASIC_INFORMATION
+{
+ LARGE_INTEGER RemainingTime;
+ BOOLEAN TimerState;
+} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;
+
+typedef
+VOID
+(NTAPI*
+ PTIMER_APC_ROUTINE)(
+ _In_ PVOID TimerContext,
+ _In_ ULONG TimerLowValue,
+ _In_ LONG TimerHighValue
+ );
+
+typedef enum _TIMER_SET_INFORMATION_CLASS
+{
+ TimerSetCoalescableTimer,
+ MaxTimerInfoClass
+} TIMER_SET_INFORMATION_CLASS;
+
+typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO
+{
+ _In_ LARGE_INTEGER DueTime;
+ _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine;
+ _In_opt_ PVOID TimerContext;
+ _In_opt_ struct
_COUNTED_REASON_CONTEXT* WakeContext;
+ _In_opt_ ULONG Period;
+ _In_ ULONG TolerableDelay;
+ _Out_opt_ PBOOLEAN PreviousState;
+} TIMER_SET_COALESCABLE_TIMER_INFO, *PTIMER_SET_COALESCABLE_TIMER_INFO;
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
+{
+ ULONG64 Version;
+ UNICODE_STRING Name;
+} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
+{
+ PVOID pValue;
+ ULONG ValueLength;
+} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
+{
+ UNICODE_STRING Name;
+ USHORT ValueType;
+ USHORT Reserved;
+ ULONG Flags;
+ ULONG ValueCount;
+ union
+ {
+ PLONG64 pInt64;
+ PULONG64 pUint64;
+ PUNICODE_STRING pString;
+ PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
+ PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
+ } Values;
+} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
+
+#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
+#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
+{
+ USHORT Version;
+ USHORT Reserved;
+ ULONG AttributeCount;
+ union
+ {
+ PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
+ } Attribute;
+} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
+
+typedef enum _FILTER_BOOT_OPTION_OPERATION
+{
+ FilterBootOptionOperationOpenSystemStore,
+ FilterBootOptionOperationSetElement,
+ FilterBootOptionOperationDeleteElement,
+ FilterBootOptionOperationMax
+} FILTER_BOOT_OPTION_OPERATION;
+
+typedef enum _IO_SESSION_EVENT
+{
+ IoSessionEventIgnore,
+ IoSessionEventCreated,
+ IoSessionEventTerminated,
+ IoSessionEventConnected,
+ IoSessionEventDisconnected,
+ IoSessionEventLogon,
+ IoSessionEventLogoff,
+ IoSessionEventMax
+} IO_SESSION_EVENT;
+
+typedef enum _IO_SESSION_STATE
+{
+ IoSessionStateCreated,
+
IoSessionStateInitialized,
+ IoSessionStateConnected,
+ IoSessionStateDisconnected,
+ IoSessionStateDisconnectedLoggedOn,
+ IoSessionStateLoggedOn,
+ IoSessionStateLoggedOff,
+ IoSessionStateTerminated,
+ IoSessionStateMax
+} IO_SESSION_STATE;
+
+typedef struct _PORT_MESSAGE PORT_MESSAGE, *PPORT_MESSAGE;
+typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;
+
+typedef
+VOID
+(NTAPI*
+ PTP_ALPC_CALLBACK)(
+ _Inout_ PTP_CALLBACK_INSTANCE Instance,
+ _Inout_opt_ PVOID Context,
+ _In_ PTP_ALPC Alpc
+ );
+
+typedef
+VOID
+(NTAPI*
+ PTP_ALPC_CALLBACK_EX)(
+ _Inout_ PTP_CALLBACK_INSTANCE Instance,
+ _Inout_opt_ PVOID Context,
+ _In_ PTP_ALPC Alpc,
+ _In_ PVOID ApcContext
+ );
+
+typedef
+VOID
+(NTAPI*
+ PTP_IO_CALLBACK)(
+ _Inout_ PTP_CALLBACK_INSTANCE Instance,
+ _Inout_opt_ PVOID Context,
+ _In_ PVOID ApcContext,
+ _In_ PIO_STATUS_BLOCK IoSB,
+ _In_ PTP_IO Io
+ );
+
+typedef enum _IO_COMPLETION_INFORMATION_CLASS
+{
+ IoCompletionBasicInformation
+} IO_COMPLETION_INFORMATION_CLASS;
+
+typedef struct _IO_COMPLETION_BASIC_INFORMATION
+{
+ LONG Depth;
+} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
+
+typedef enum _WORKERFACTORYINFOCLASS
+{
+ WorkerFactoryTimeout,
+ WorkerFactoryRetryTimeout,
+ WorkerFactoryIdleTimeout,
+ WorkerFactoryBindingCount,
+ WorkerFactoryThreadMinimum,
+ WorkerFactoryThreadMaximum,
+ WorkerFactoryPaused,
+ WorkerFactoryBasicInformation,
+ WorkerFactoryAdjustThreadGoal,
+ WorkerFactoryCallbackType,
+ WorkerFactoryStackInformation, // 10
+ WorkerFactoryThreadBasePriority,
+ WorkerFactoryTimeoutWaiters, // since THRESHOLD
+ WorkerFactoryFlags,
+ WorkerFactoryThreadSoftMaximum,
+ MaxWorkerFactoryInfoClass
+} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS;
+
+typedef struct _WORKER_FACTORY_BASIC_INFORMATION
+{
+ LARGE_INTEGER Timeout;
+ LARGE_INTEGER RetryTimeout;
+ LARGE_INTEGER IdleTimeout;
+ BOOLEAN Paused;
+ BOOLEAN TimerSet;
+ BOOLEAN QueuedToExWorker;
+ BOOLEAN MayCreate;
+ BOOLEAN CreateInProgress;
+ BOOLEAN InsertedIntoQueue;
+
BOOLEAN Shutdown;
+ ULONG BindingCount;
+ ULONG ThreadMinimum;
+ ULONG ThreadMaximum;
+ ULONG PendingWorkerCount;
+ ULONG WaitingWorkerCount;
+ ULONG TotalWorkerCount;
+ ULONG ReleaseCount;
+ LONGLONG InfiniteWaitGoal;
+ PVOID StartRoutine;
+ PVOID StartParameter;
+ HANDLE ProcessId;
+ SIZE_T StackReserve;
+ SIZE_T StackCommit;
+ NTSTATUS LastThreadCreationStatus;
+} WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION;
+
+typedef struct _BOOT_ENTRY
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Id;
+ ULONG Attributes;
+ ULONG FriendlyNameOffset;
+ ULONG BootFilePathOffset;
+ ULONG OsOptionsLength;
+ UCHAR OsOptions[1];
+} BOOT_ENTRY, *PBOOT_ENTRY;
+
+typedef struct _BOOT_ENTRY_LIST
+{
+ ULONG NextEntryOffset;
+ BOOT_ENTRY BootEntry;
+} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;
+
+typedef struct _BOOT_OPTIONS
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Timeout;
+ ULONG CurrentBootEntryId;
+ ULONG NextBootEntryId;
+ WCHAR HeadlessRedirection[1];
+} BOOT_OPTIONS, *PBOOT_OPTIONS;
+
+typedef struct _FILE_PATH
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Type;
+ UCHAR FilePath[1];
+} FILE_PATH, *PFILE_PATH;
+
+typedef struct _EFI_DRIVER_ENTRY
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Id;
+ ULONG FriendlyNameOffset;
+ ULONG DriverFilePathOffset;
+} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY;
+
+typedef struct _EFI_DRIVER_ENTRY_LIST
+{
+ ULONG NextEntryOffset;
+ EFI_DRIVER_ENTRY DriverEntry;
+} EFI_DRIVER_ENTRY_LIST, *PEFI_DRIVER_ENTRY_LIST;
+
+FORCEINLINE
+VOID
+InitializeListHead(
+ _Out_ PLIST_ENTRY ListHead
+)
+{
+ ListHead->Flink = ListHead->Blink = ListHead;
+}
+
+FORCEINLINE
+BOOLEAN
+IsListEmpty(
+ _In_ PLIST_ENTRY ListHead
+)
+{
+ return ListHead->Flink == ListHead;
+}
+
+FORCEINLINE
+BOOLEAN
+RemoveEntryList(
+ _In_ PLIST_ENTRY Entry
+)
+{
+ PLIST_ENTRY Flink = Entry->Flink;
+ PLIST_ENTRY Blink = Entry->Blink;
+ Blink->Flink = Flink;
+ Flink->Blink = Blink;
+
+ return Flink == Blink;
+}
+
+FORCEINLINE
+PLIST_ENTRY
+RemoveHeadList(
+ _Inout_ PLIST_ENTRY
ListHead
+)
+{
+ PLIST_ENTRY Entry = ListHead->Flink;
+ PLIST_ENTRY Flink = Entry->Flink;
+ ListHead->Flink = Flink;
+ Flink->Blink = ListHead;
+
+ return Entry;
+}
+
+FORCEINLINE
+PLIST_ENTRY
+RemoveTailList(
+ _Inout_ PLIST_ENTRY ListHead
+)
+{
+ PLIST_ENTRY Entry = ListHead->Blink;
+ PLIST_ENTRY Blink = Entry->Blink;
+ ListHead->Blink = Blink;
+ Blink->Flink = ListHead;
+
+ return Entry;
+}
+
+FORCEINLINE
+VOID
+InsertTailList(
+ _Inout_ PLIST_ENTRY ListHead,
+ _Inout_ PLIST_ENTRY Entry
+)
+{
+ PLIST_ENTRY Blink = ListHead->Blink;
+ Entry->Flink = ListHead;
+ Entry->Blink = Blink;
+ Blink->Flink = Entry;
+ ListHead->Blink = Entry;
+}
+
+FORCEINLINE
+VOID
+InsertHeadList(
+ _Inout_ PLIST_ENTRY ListHead,
+ _Inout_ PLIST_ENTRY Entry
+)
+{
+ PLIST_ENTRY Flink = ListHead->Flink;
+ Entry->Flink = Flink;
+ Entry->Blink = ListHead;
+ Flink->Blink = Entry;
+ ListHead->Flink = Entry;
+}
+
+FORCEINLINE
+VOID
+AppendTailList(
+ _Inout_ PLIST_ENTRY ListHead,
+ _Inout_ PLIST_ENTRY ListToAppend
+)
+{
+ PLIST_ENTRY ListEnd = ListHead->Blink;
+
+ ListHead->Blink->Flink = ListToAppend;
+ ListHead->Blink = ListToAppend->Blink;
+ ListToAppend->Blink->Flink = ListHead;
+ ListToAppend->Blink = ListEnd;
+}
+
+FORCEINLINE
+PSINGLE_LIST_ENTRY
+PopEntryList(
+ _Inout_ PSINGLE_LIST_ENTRY ListHead
+)
+{
+ PSINGLE_LIST_ENTRY FirstEntry = ListHead->Next;
+
+ if(FirstEntry)
+ ListHead->Next = FirstEntry->Next;
+
+ return FirstEntry;
+}
+
+FORCEINLINE
+VOID
+PushEntryList(
+ _Inout_ PSINGLE_LIST_ENTRY ListHead,
+ _Inout_ PSINGLE_LIST_ENTRY Entry
+)
+{
+ Entry->Next = ListHead->Next;
+ ListHead->Next = Entry;
+}
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ParentProcess,
+ _In_ BOOLEAN InheritObjectTable,
+ _In_opt_ HANDLE SectionHandle,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE ExceptionPort
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateProcessEx(
+ _Out_
PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ParentProcess,
+ _In_ ULONG Flags,
+ _In_opt_ HANDLE SectionHandle,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE ExceptionPort,
+ _In_ BOOLEAN InJob
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateUserProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK ProcessDesiredAccess,
+ _In_ ACCESS_MASK ThreadDesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
+ _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
+ _In_ ULONG ProcessFlags,
+ _In_ ULONG ThreadFlags,
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+ _Inout_ PPS_CREATE_INFO CreateInfo,
+ _In_ PPS_ATTRIBUTE_LIST AttributeList
+);
 #endif
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtSetInformationProcess(
- __in HANDLE ProcessHandle,
- __in PROCESSINFOCLASS ProcessInformationClass,
- __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
- __in ULONG ProcessInformationLength
+ _In_ HANDLE ProcessHandle,
+ _In_ PROCESSINFOCLASS ProcessInformationClass,
+ _In_ PVOID ProcessInformation,
+ _In_ ULONG ProcessInformationLength
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtQueryInformationProcess(
- __in HANDLE ProcessHandle,
- __in PROCESSINFOCLASS ProcessInformationClass,
- __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
- __in ULONG ProcessInformationLength,
- __out_opt PULONG ReturnLength
+ _In_ HANDLE ProcessHandle,
+ _In_ PROCESSINFOCLASS ProcessInformationClass,
+ _Out_ PVOID ProcessInformation,
+ _In_ ULONG ProcessInformationLength,
+ _Out_opt_ PULONG ReturnLength
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtQueryObject(
- __in HANDLE Handle,
- __in OBJECT_INFORMATION_CLASS ObjectInformationClass,
- __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
- __in ULONG ObjectInformationLength,
- __out_opt PULONG ReturnLength
-);
-
-NTSYSCALLAPI
-NTSTATUS
-NTAPI
-NtSetSystemInformation(
- __in
SYSTEM_INFORMATION_CLASS SystemInformationClass,
- __in_bcount_opt(SystemInformationLength) PVOID SystemInformation,
- __in ULONG SystemInformationLength
+ _In_ HANDLE Handle,
+ _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ _Out_opt_ PVOID ObjectInformation,
+ _In_ ULONG ObjectInformationLength,
+ _Out_opt_ PULONG ReturnLength
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtQuerySystemInformation(
- __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
- __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
- __in ULONG SystemInformationLength,
- __out_opt PULONG ReturnLength
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _Out_opt_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemInformationEx(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _In_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemInformation(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _In_opt_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtSetInformationThread(
- __in HANDLE ThreadHandle,
- __in THREADINFOCLASS ThreadInformationClass,
- __in_bcount(ThreadInformationLength) PVOID ThreadInformation,
- __in ULONG ThreadInformationLength
+ _In_ HANDLE ThreadHandle,
+ _In_ THREADINFOCLASS ThreadInformationClass,
+ _In_ PVOID ThreadInformation,
+ _In_ ULONG ThreadInformationLength
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtQueryInformationThread(
- __in HANDLE ThreadHandle,
- __in THREADINFOCLASS ThreadInformationClass,
- __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
- __in ULONG ThreadInformationLength,
- __out_opt PULONG ReturnLength
+ _In_ HANDLE ThreadHandle,
+ _In_ THREADINFOCLASS ThreadInformationClass,
+ _Out_ PVOID
ThreadInformation,
+ _In_ ULONG ThreadInformationLength,
+ _Out_opt_ PULONG ReturnLength
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtUnmapViewOfSection(
- __in HANDLE ProcessHandle,
- __in PVOID BaseAddress
+ _In_ HANDLE ProcessHandle,
+ _In_ PVOID BaseAddress
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtExtendSection(
+ _In_ HANDLE SectionHandle,
+ _Inout_ PLARGE_INTEGER NewSectionSize
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtSuspendThread(
- __in HANDLE ThreadHandle,
- __out_opt PULONG PreviousSuspendCount
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtResumeThread(
- __in HANDLE ThreadHandle,
- __out_opt PULONG PreviousSuspendCount
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtSuspendProcess(
- __in HANDLE ProcessHandle
+ _In_ HANDLE ProcessHandle
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtResumeProcess(
- __in HANDLE ProcessHandle
+ _In_ HANDLE ProcessHandle
+);
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+ULONG
+NTAPI
+NtGetCurrentProcessorNumber(
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSignalAndWaitForSingleObject(
+ _In_ HANDLE SignalHandle,
+ _In_ HANDLE WaitHandle,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForSingleObject(
+ _In_ HANDLE Handle,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForMultipleObjects(
+ _In_ ULONG Count,
+ _In_ PHANDLE Handles,
+ _In_ WAIT_TYPE WaitType,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForMultipleObjects32(
+ _In_ ULONG Count,
+ _In_ PHANDLE Handles,
+ _In_ WAIT_TYPE WaitType,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSecurityObject(
+ _In_ HANDLE Handle,
+ _In_ SECURITY_INFORMATION SecurityInformation,
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySecurityObject(
+ _In_ HANDLE Handle,
+ _In_ SECURITY_INFORMATION SecurityInformation,
+ _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ ULONG Length,
+ _Out_ PULONG LengthNeeded
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtQueueApcThread(
- __in HANDLE ThreadHandle,
- __in PPS_APC_ROUTINE ApcRoutine,
- __in_opt PVOID ApcArgument1,
- __in_opt PVOID ApcArgument2,
- __in_opt PVOID ApcArgument3
+ _In_ HANDLE ThreadHandle,
+ _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcArgument1,
+ _In_opt_ PVOID ApcArgument2,
+ _In_opt_ PVOID ApcArgument3
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueueApcThreadEx(
+ _In_ HANDLE ThreadHandle,
+ _In_opt_ HANDLE UserApcReserveHandle,
+ _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcArgument1,
+ _In_opt_ PVOID ApcArgument2,
+ _In_opt_ PVOID ApcArgument3
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtProtectVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG NewProtect,
+ _Out_ PULONG OldProtect
 );
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
+NtFlushBuffersFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushInstructionCache(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _In_ SIZE_T Length
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushWriteBuffer(
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFsControlFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG FsControlCode,
+ _In_opt_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_opt_ PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PLARGE_INTEGER
ByteOffset,
+ _In_ PLARGE_INTEGER Length,
+ _In_ ULONG Key,
+ _In_ BOOLEAN FailImmediately,
+ _In_ BOOLEAN ExclusiveLock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnlockFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PLARGE_INTEGER ByteOffset,
+ _In_ PLARGE_INTEGER Length,
+ _In_ ULONG Key
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _Out_ PIO_STATUS_BLOCK IoStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_ PVOID BaseAddress,
+ _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
+ _Out_ PVOID MemoryInformation,
+ _In_ SIZE_T MemoryInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG MapType
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnlockVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG MapType
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSystemDebugControl(
+ _In_ SYSDBG_COMMAND Command,
+ _Inout_opt_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_opt_ PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtYieldExecution(
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtClose(
+ _In_ HANDLE Handle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryAttributesFile(
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PFILE_BASIC_INFORMATION FileInformation
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryFullAttributesFile(
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_
FILE_INFORMATION_CLASS FileInformationClass
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetQuotaInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PVOID Buffer,
+ _In_ ULONG Length
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetVolumeInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PVOID FsInformation,
+ _In_ ULONG Length,
+ _In_ FS_INFORMATION_CLASS FsInformationClass
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_opt_ PLARGE_INTEGER AllocationSize,
+ _In_ ULONG FileAttributes,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG CreateDisposition,
+ _In_ ULONG CreateOptions,
+ _In_opt_ PVOID EaBuffer,
+ _In_ ULONG EaLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateNamedPipeFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG CreateDisposition,
+ _In_ ULONG CreateOptions,
+ _In_ ULONG NamedPipeType,
+ _In_ ULONG ReadMode,
+ _In_ ULONG CompletionMode,
+ _In_ ULONG MaximumInstances,
+ _In_ ULONG InboundQuota,
+ _In_ ULONG OutboundQuota,
+ _In_opt_ PLARGE_INTEGER DefaultTimeout
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateMailslotFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ULONG DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG CreateOptions,
+ _In_ ULONG MailslotQuota,
+ _In_ ULONG MaximumMessageSize,
+ _In_ PLARGE_INTEGER ReadTimeout
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelIoFile(
+ _In_ HANDLE FileHandle,
+ _Out_
PIO_STATUS_BLOCK IoStatusBlock
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelIoFileEx(
+ _In_ HANDLE FileHandle,
+ _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelSynchronousIoFile(
+ _In_ HANDLE ThreadHandle,
+ _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSymbolicLinkObject(
+ _Out_ PHANDLE LinkHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PUNICODE_STRING LinkTarget
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSymbolicLinkObject(
+ _Out_ PHANDLE LinkHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySymbolicLinkObject(
+ _In_ HANDLE LinkHandle,
+ _Inout_ PUNICODE_STRING LinkTarget,
+ _Out_opt_ PULONG ReturnedLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetContextThread(
+ _In_ HANDLE ThreadHandle,
+ _Inout_ PCONTEXT ThreadContext
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetContextThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ PCONTEXT ThreadContext
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PCLIENT_ID ClientId
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTerminateProcess(
+ _In_opt_ HANDLE ProcessHandle,
+ _In_ NTSTATUS ExitStatus
+);
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNextProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Flags,
+ _Out_ PHANDLE NewProcessHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNextThread(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Flags,
+ _Out_ PHANDLE NewThreadHandle
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDebugObject(
+ _Out_ PHANDLE DebugObjectHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Flags
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDebugActiveProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE DebugObjectHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtContinue(
+ _In_ PCONTEXT ContextRecord,
+ _In_ BOOLEAN TestAlert
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRaiseException(
+ _In_ PEXCEPTION_RECORD ExceptionRecord,
+ _In_ PCONTEXT ContextRecord,
+ _In_ BOOLEAN FirstChance
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateThread(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _Out_ PCLIENT_ID ClientId,
+ _In_ PCONTEXT ThreadContext,
+ _In_ PINITIAL_TEB InitialTeb,
+ _In_ BOOLEAN CreateSuspended
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateThreadEx(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _In_ PUSER_THREAD_START_ROUTINE StartRoutine,
+ _In_opt_ PVOID Argument,
+ _In_ ULONG CreateFlags,
+ _In_opt_ ULONG_PTR ZeroBits,
+ _In_opt_ SIZE_T StackSize,
+ _In_opt_ SIZE_T MaximumStackSize,
+ _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateReserveObject(
+ _Out_ PHANDLE MemoryReserveHandle,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ MEMORY_RESERVE_TYPE Type
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRegisterThreadTerminatePort(
+ _In_ HANDLE PortHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRaiseHardError(
+ _In_ NTSTATUS ErrorStatus,
+ _In_ ULONG NumberOfParameters,
+ _In_opt_ ULONG UnicodeStringParameterMask,
+ _In_ PULONG_PTR Parameters,
+ _In_ HARDERROR_RESPONSE_OPTION ResponseOption,
+ _Out_ PHARDERROR_RESPONSE Response
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Protect
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreeVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG FreeType
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _Out_ PVOID Buffer,
+ _In_ SIZE_T BufferSize,
+ _Out_opt_ PSIZE_T NumberOfBytesRead
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _In_ CONST VOID* Buffer,
+ _In_ SIZE_T BufferSize,
+ _Out_opt_ PSIZE_T NumberOfBytesWritten
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateUserPhysicalPages(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PULONG_PTR NumberOfPages,
+ _Out_ PULONG_PTR UserPfnArray
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapUserPhysicalPages(
+ _In_ PVOID VirtualAddress,
+ _In_ ULONG_PTR NumberOfPages,
+ _In_ PULONG_PTR UserPfnArray
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapUserPhysicalPagesScatter(
+ _In_ PVOID* VirtualAddresses,
+ _In_ ULONG_PTR NumberOfPages,
+ _In_ PULONG_PTR UserPfnArray
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreeUserPhysicalPages(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PULONG_PTR NumberOfPages,
+ _In_ PULONG_PTR UserPfnArray
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySection(
+ _In_ HANDLE SectionHandle,
+ _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
+ _Out_ PVOID SectionInformation,
+ _In_ SIZE_T SectionInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAreMappedFilesTheSame(
+ _In_ PVOID File1MappedAsAnImage,
+ _In_ PVOID File2MappedAsFile
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSection(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PLARGE_INTEGER
MaximumSize,
+ _In_ ULONG SectionPageProtection,
+ _In_ ULONG AllocationAttributes,
+ _In_opt_ HANDLE FileHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSection(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapViewOfSection(
+ _In_ HANDLE SectionHandle,
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID* BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _In_ SIZE_T CommitSize,
+ _Inout_opt_ PLARGE_INTEGER SectionOffset,
+ _Inout_ PSIZE_T ViewSize,
+ _In_ SECTION_INHERIT InheritDisposition,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Win32Protect
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSession(
+ _Out_ PHANDLE SessionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeDirectoryFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ FILE_NOTIFY_INFORMATION Buffer,
+ _In_ ULONG Length,
+ _In_ ULONG CompletionFilter,
+ _In_ BOOLEAN WatchTree
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG OpenOptions
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDirectoryFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_opt_ PUNICODE_STRING FileName,
+ _In_ BOOLEAN RestartScan
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryEaFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID Buffer,
+
_In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_ PVOID EaList,
+ _In_ ULONG EaListLength,
+ _In_opt_ PULONG EaIndex,
+ _In_ BOOLEAN RestartScan
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetEaFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PVOID Buffer,
+ _In_ ULONG Length
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadDriver(
+ _In_ PUNICODE_STRING DriverServiceName
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadDriver(
+ _In_ PUNICODE_STRING DriverServiceName
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadFileScatter(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PFILE_SEGMENT_ELEMENT SegmentArray,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteFileGather(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PFILE_SEGMENT_ELEMENT SegmentArray,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteFile(
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeviceIoControlFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_
HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG IoControlCode,
+ _In_opt_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_opt_ PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationObject(
+ _In_ HANDLE Handle,
+ _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ _In_ PVOID ObjectInformation,
+ _In_ ULONG ObjectInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDuplicateObject(
+ _In_ HANDLE SourceProcessHandle,
+ _In_ HANDLE SourceHandle,
+ _In_opt_ HANDLE TargetProcessHandle,
+ _Out_opt_ PHANDLE TargetHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Options
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMakePermanentObject(
+ _In_ HANDLE Object
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMakeTemporaryObject(
+ _In_ HANDLE Handle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDirectoryObject(
+ _Out_ PHANDLE DirectoryHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenDirectoryObject(
+ _Out_ PHANDLE DirectoryHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDirectoryObject(
+ _In_ HANDLE DirectoryHandle,
+ _Out_ PVOID Buffer,
+ _In_ ULONG BufferLength,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_ BOOLEAN RestartScan,
+ _Inout_ PULONG Context,
+ _Out_opt_ PULONG ReturnLength
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreatePrivateNamespace(
+ _Out_ PHANDLE NamespaceHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PVOID BoundaryDescriptor
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenPrivateNamespace(
+ _Out_ PHANDLE NamespaceHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PVOID BoundaryDescriptor
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeletePrivateNamespace(
+ _In_ HANDLE NamespaceHandle
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThread(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PCLIENT_ID ClientId
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTerminateThread(
+ _In_opt_ HANDLE ThreadHandle,
+ _In_ NTSTATUS ExitStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemTime(
+ _Out_ PLARGE_INTEGER SystemTime
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemTime(
+ _In_opt_ PLARGE_INTEGER SystemTime,
+ _Out_opt_ PLARGE_INTEGER PreviousTime
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryTimerResolution(
+ _Out_ PULONG MaximumTime,
+ _Out_ PULONG MinimumTime,
+ _Out_ PULONG CurrentTime
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetTimerResolution(
+ _In_ ULONG DesiredTime,
+ _In_ BOOLEAN SetResolution,
+ _Out_ PULONG ActualTime
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryPerformanceCounter(
+ _Out_ PLARGE_INTEGER PerformanceCounter,
+ _Out_opt_ PLARGE_INTEGER PerformanceFrequency
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateLocallyUniqueId(
+ _Out_ PLUID Luid
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetUuidSeed(
+ _In_ PCHAR Seed
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateUuids(
+ _Out_ PULARGE_INTEGER Time,
+ _Out_ PULONG Range,
+ _Out_ PULONG Sequence,
+ _Out_ PCHAR Seed
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateEvent(
+ _Out_ PHANDLE EventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ EVENT_TYPE EventType,
+ _In_ BOOLEAN InitialState
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenEvent(
+ _Out_ PHANDLE EventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetEvent(
+ _In_ HANDLE EventHandle,
+ _Out_opt_ PLONG PreviousState
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResetEvent(
+ _In_ HANDLE EventHandle,
+ _Out_opt_ PLONG PreviousState
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtClearEvent(
+ _In_ HANDLE EventHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryQuotaInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_opt_ PVOID SidList,
+ _In_ ULONG SidListLength,
+ _In_opt_ PSID StartSid,
+ _In_ BOOLEAN RestartScan
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryVolumeInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID FsInformation,
+ _In_ ULONG Length,
+ _In_ FS_INFORMATION_CLASS FsInformationClass
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKey(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Reserved_ ULONG TitleIndex,
+ _In_opt_ PUNICODE_STRING Class,
+ _In_ ULONG CreateOptions,
+ _Out_opt_ PULONG Disposition
+);
+
+#if NTDDI_VERSION >= PNTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKeyTransacted(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Reserved_ ULONG TitleIndex,
+ _In_opt_ PUNICODE_STRING Class,
+ _In_ ULONG CreateOptions,
+ _In_ HANDLE TransactionHandle,
+ _Out_opt_ PULONG Disposition
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKey(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+#if NTDDI_VERSION >= PNTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyTransacted(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE TransactionHandle
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyEx(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG OpenOptions
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyTransactedEx(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_
POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG OpenOptions, + _In_ HANDLE TransactionHandle +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteKey( + _In_ HANDLE KeyHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRenameKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING NewName +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryKey( + _In_ HANDLE KeyHandle, + _In_ KEY_INFORMATION_CLASS KeyInformationClass, + _Out_ PVOID KeyInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationKey( + _In_ HANDLE KeyHandle, + _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, + _In_ PVOID KeySetInformation, + _In_ ULONG KeySetInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName, + _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + _Out_ PVOID KeyValueInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName, + _In_opt_ ULONG TitleIndex, + _In_ ULONG Type, + _In_ PVOID Data, + _In_ ULONG DataSize +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryMultipleValueKey( + _In_ HANDLE KeyHandle, + _Inout_ PKEY_VALUE_ENTRY ValueEntries, + _In_ ULONG EntryCount, + _Out_ PVOID ValueBuffer, + _Inout_ PULONG BufferLength, + _Out_opt_ PULONG RequiredBufferLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateKey( + _In_ HANDLE KeyHandle, + _In_ ULONG Index, + _In_ KEY_INFORMATION_CLASS KeyInformationClass, + _Out_ PVOID KeyInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateValueKey( + _In_ HANDLE KeyHandle, + _In_ ULONG Index, + _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + _Out_ PVOID KeyValueInformation, + _In_ ULONG Length, + _Out_ PULONG 
ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFlushKey( + _In_ HANDLE KeyHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCompactKeys( + _In_ ULONG Count, + _In_ PHANDLE KeyArray +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCompressKey( + _In_ HANDLE Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadKey( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ POBJECT_ATTRIBUTES SourceFile +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadKey2( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ POBJECT_ATTRIBUTES SourceFile, + _In_ ULONG Flags +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadKeyEx( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ POBJECT_ATTRIBUTES SourceFile, + _In_ ULONG Flags, + _In_opt_ HANDLE TrustClassKey, + _In_opt_ HANDLE Event, + _In_opt_ ACCESS_MASK DesiredAccess, + _Out_opt_ PHANDLE RootHandle, + _Out_opt_ PIO_STATUS_BLOCK IoStatus +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReplaceKey( + _In_ POBJECT_ATTRIBUTES NewFile, + _In_ HANDLE TargetHandle, + _In_ POBJECT_ATTRIBUTES OldFile +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSaveKey( + _In_ HANDLE KeyHandle, + _In_ HANDLE FileHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSaveKeyEx( + _In_ HANDLE KeyHandle, + _In_ HANDLE FileHandle, + _In_ ULONG Format +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSaveMergedKeys( + _In_ HANDLE HighPrecedenceKeyHandle, + _In_ HANDLE LowPrecedenceKeyHandle, + _In_ HANDLE FileHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRestoreKey( + _In_ HANDLE KeyHandle, + _In_ HANDLE FileHandle, + _In_ ULONG Flags +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadKey( + _In_ POBJECT_ATTRIBUTES TargetKey +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadKey2( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ ULONG Flags +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadKeyEx( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_opt_ HANDLE Event +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtNotifyChangeKey( + _In_ HANDLE KeyHandle, + _In_opt_ HANDLE Event, + _In_opt_ 
PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG CompletionFilter, + _In_ BOOLEAN WatchTree, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _In_ BOOLEAN Asynchronous +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtNotifyChangeMultipleKeys( + _In_ HANDLE MasterKeyHandle, + _In_opt_ ULONG Count, + _In_ POBJECT_ATTRIBUTES SubordinateObjects, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG CompletionFilter, + _In_ BOOLEAN WatchTree, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _In_ BOOLEAN Asynchronous +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryOpenSubKeys( + _In_ POBJECT_ATTRIBUTES TargetKey, + _Out_ PULONG HandleCount +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryOpenSubKeysEx( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ ULONG BufferLength, + _Out_ PVOID Buffer, + _Out_ PULONG RequiredSize +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtInitializeRegistry( + _In_ USHORT BootCondition +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLockRegistryKey( + _In_ HANDLE KeyHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLockProductActivationKeys( + _Inout_opt_ ULONG* pPrivateVer, + _Out_opt_ ULONG* pSafeMode +); + +#if NTDDI_VERSION >= PNTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFreezeRegistry( + _In_ ULONG TimeOutInSeconds +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtThawRegistry( +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDelayExecution( + _In_ BOOLEAN Alertable, + _In_ PLARGE_INTEGER DelayInterval +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCallbackReturn( + _In_ PVOID OutputBuffer, + _In_ ULONG OutputLength, + _In_ NTSTATUS Status +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +VOID +NTAPI +NtFlushProcessWriteBuffers( +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryDebugFilterState( + _In_ ULONG ComponentId, + _In_ ULONG Level +); + +NTSYSCALLAPI +NTSTATUS +NTAPI 
+NtSetDebugFilterState(
+ _In_ ULONG ComponentId,
+ _In_ ULONG Level,
+ _In_ BOOLEAN State
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveProcessDebug(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE DebugObjectHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForDebugEvent(
+ _In_ HANDLE DebugObjectHandle,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDebugContinue(
+ _In_ HANDLE DebugObjectHandle,
+ _In_ PCLIENT_ID ClientId,
+ _In_ NTSTATUS ContinueStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationDebugObject(
+ _In_ HANDLE DebugObjectHandle,
+ _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
+ _In_ PVOID DebugInformation,
+ _In_ ULONG DebugInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcessToken(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE TokenHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcessTokenEx(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _Out_ PHANDLE TokenHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThreadToken(
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ BOOLEAN OpenAsSelf,
+ _Out_ PHANDLE TokenHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThreadTokenEx(
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ BOOLEAN OpenAsSelf,
+ _In_ ULONG HandleAttributes,
+ _Out_ PHANDLE TokenHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateToken(
+ _Out_ PHANDLE TokenHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ TOKEN_TYPE TokenType,
+ _In_ PLUID AuthenticationId,
+ _In_ PLARGE_INTEGER ExpirationTime,
+ _In_ PTOKEN_USER User,
+ _In_ PTOKEN_GROUPS Groups,
+ _In_ PTOKEN_PRIVILEGES Privileges,
+ _In_opt_ PTOKEN_OWNER Owner,
+ _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
+ _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
+ _In_ PTOKEN_SOURCE TokenSource
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDuplicateToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ BOOLEAN EffectiveOnly,
+ _In_ TOKEN_TYPE TokenType,
+ _Out_ PHANDLE NewTokenHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustPrivilegesToken(
+ _In_ HANDLE TokenHandle,
+ _In_ BOOLEAN DisableAllPrivileges,
+ _In_opt_ PTOKEN_PRIVILEGES NewState,
+ _In_ ULONG BufferLength,
+ _Out_opt_ PTOKEN_PRIVILEGES PreviousState,
+ _Out_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustGroupsToken(
+ _In_ HANDLE TokenHandle,
+ _In_ BOOLEAN ResetToDefault,
+ _In_opt_ PTOKEN_GROUPS NewState,
+ _In_opt_ ULONG BufferLength,
+ _Out_ PTOKEN_GROUPS PreviousState,
+ _Out_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFilterToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ULONG Flags,
+ _In_opt_ PTOKEN_GROUPS SidsToDisable,
+ _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+ _In_opt_ PTOKEN_GROUPS RestrictedSids,
+ _Out_ PHANDLE NewTokenHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationToken(
+ _In_ HANDLE TokenHandle,
+ _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ _In_ PVOID TokenInformation,
+ _In_ ULONG TokenInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompareTokens(
+ _In_ HANDLE FirstTokenHandle,
+ _In_ HANDLE SecondTokenHandle,
+ _Out_ PBOOLEAN Equal
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrivilegeCheck(
+ _In_ HANDLE ClientToken,
+ _Inout_ PPRIVILEGE_SET RequiredPrivileges,
+ _Out_ PBOOLEAN Result
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtImpersonateAnonymousToken(
+ _In_ HANDLE ThreadHandle
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySecurityAttributesToken(
+ _In_ HANDLE TokenHandle,
+ _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
+ _In_ ULONG NumberOfAttributes,
+ _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Buffer,
+ _In_ ULONG Length,
+ _Out_ PULONG ReturnLength
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheck(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _Out_ PPRIVILEGE_SET PrivilegeSet,
+ _Inout_ PULONG PrivilegeSetLength,
+ _Out_ PACCESS_MASK GrantedAccess,
+ _Out_ PNTSTATUS AccessStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByType(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_opt_ PSID PrincipalSelfSid,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_TYPE_LIST ObjectTypeList,
+ _In_ ULONG ObjectTypeListLength,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _Out_ PPRIVILEGE_SET PrivilegeSet,
+ _Inout_ PULONG PrivilegeSetLength,
+ _Out_ PACCESS_MASK GrantedAccess,
+ _Out_ PNTSTATUS AccessStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultList(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_opt_ PSID PrincipalSelfSid,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_TYPE_LIST ObjectTypeList,
+ _In_ ULONG ObjectTypeListLength,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _Out_ PPRIVILEGE_SET PrivilegeSet,
+ _Inout_ PULONG PrivilegeSetLength,
+ _Out_ PACCESS_MASK GrantedAccess,
+ _Out_ PNTSTATUS AccessStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateIoCompletion(
+ _Out_ PHANDLE IoCompletionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ ULONG Count
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenIoCompletion(
+ _Out_ PHANDLE IoCompletionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
+ _Out_ PVOID IoCompletionInformation,
+ _In_ ULONG IoCompletionInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _In_opt_ PVOID KeyContext,
+ _In_opt_ PVOID ApcContext,
+ _In_ NTSTATUS IoStatus,
+ _In_ ULONG_PTR IoStatusInformation
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetIoCompletionEx(
+ _In_ HANDLE IoCompletionHandle,
+ _In_ HANDLE IoCompletionPacketHandle,
+ _In_opt_ PVOID KeyContext,
+ _In_opt_ PVOID ApcContext,
+ _In_ NTSTATUS IoStatus,
+ _In_ ULONG_PTR IoStatusInformation
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _Out_ PVOID* KeyContext,
+ _Out_ PVOID* ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveIoCompletionEx(
+ _In_ HANDLE IoCompletionHandle,
+ _Out_ PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation,
+ _In_ ULONG Count,
+ _Out_ PULONG NumEntriesRemoved,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _In_ BOOLEAN Alertable
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeSession(
+ _In_ HANDLE SessionHandle,
+ _In_ ULONG ChangeSequenceNumber,
+ _In_ PLARGE_INTEGER ChangeTimeStamp,
+ _In_ IO_SESSION_EVENT Event,
+ _In_ IO_SESSION_STATE NewState,
+ _In_ IO_SESSION_STATE PreviousState,
+ _In_ PVOID Payload,
+ _In_ ULONG PayloadSize
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateMutant(
+ _Out_ PHANDLE MutantHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ BOOLEAN InitialOwner
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenMutant(
+ _Out_ PHANDLE MutantHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseMutant(
+ _In_ HANDLE MutantHandle,
+ _Out_opt_ PLONG PreviousCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlertThread(
+ _In_ HANDLE ThreadHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlertResumeThread(
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTestAlert(
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtImpersonateThread(
+ _In_ HANDLE ServerThreadHandle,
+ _In_ HANDLE ClientThreadHandle,
+ _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSemaphore(
+ _Out_ PHANDLE SemaphoreHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ LONG InitialCount,
+ _In_ LONG MaximumCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSemaphore(
+ _Out_ PHANDLE SemaphoreHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseSemaphore(
+ _In_ HANDLE SemaphoreHandle,
+ _In_ LONG ReleaseCount,
+ _Out_opt_ PLONG PreviousCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySemaphore(
+ _In_ HANDLE SemaphoreHandle,
+ _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
+ _Out_ PVOID SemaphoreInformation,
+ _In_ ULONG SemaphoreInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTimer(
+ _Out_ PHANDLE TimerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ TIMER_TYPE TimerType
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTimer(
+ _Out_ PHANDLE TimerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetTimer(
+ _In_ HANDLE TimerHandle,
+ _In_ PLARGE_INTEGER DueTime,
+ _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
+ _In_opt_ PVOID TimerContext,
+ _In_ BOOLEAN ResumeTimer,
+ _In_opt_ LONG Period,
+ _Out_opt_ PBOOLEAN PreviousState
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetTimerEx(
+ _In_ HANDLE TimerHandle,
+ _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
+ _Inout_ PVOID TimerSetInformation,
+ _In_ ULONG TimerSetInformationLength
+);
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelTimer(
+ _In_ HANDLE TimerHandle,
+ _Out_opt_ PBOOLEAN CurrentState
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryTimer(
+ _In_ HANDLE TimerHandle,
+ _In_ TIMER_INFORMATION_CLASS TimerInformationClass,
+ _Out_ PVOID TimerInformation,
+ _In_ ULONG TimerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKeyedEvent(
+ _Out_ PHANDLE KeyedEventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Flags
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyedEvent(
+ _Out_ PHANDLE KeyedEventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseKeyedEvent(
+ _In_ HANDLE KeyedEventHandle,
+ _In_ PVOID KeyValue,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForKeyedEvent(
+ _In_ HANDLE KeyedEventHandle,
+ _In_ PVOID KeyValue,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUmsThreadYield(
+ _In_ PVOID SchedulerParam
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTransactionManager(
+ _Out_ PHANDLE TmHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PUNICODE_STRING LogFileName,
+ _In_opt_ ULONG CreateOptions,
+ _In_opt_ ULONG CommitStrength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTransactionManager(
+ _Out_ PHANDLE TmHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PUNICODE_STRING LogFileName,
+ _In_opt_ LPGUID TmIdentity,
+ _In_opt_ ULONG OpenOptions
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRenameTransactionManager(
+ _In_ PUNICODE_STRING LogFileName,
+ _In_ LPGUID ExistingTransactionManagerGuid
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollforwardTransactionManager(
+ _In_ HANDLE TransactionManagerHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverTransactionManager(
+ _In_ HANDLE TransactionManagerHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationTransactionManager(
+ _In_ HANDLE TransactionManagerHandle,
+ _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+ _Out_ PVOID TransactionManagerInformation,
+ _In_ ULONG TransactionManagerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationTransactionManager(
+ _In_opt_ HANDLE TmHandle,
+ _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+ _In_ PVOID TransactionManagerInformation,
+ _In_ ULONG TransactionManagerInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateTransactionObject(
+ _In_opt_ HANDLE RootObjectHandle,
+ _In_ KTMOBJECT_TYPE QueryType,
+ _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor,
+ _In_ ULONG ObjectCursorLength,
+ _Out_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTransaction(
+ _Out_ PHANDLE TransactionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ LPGUID Uow,
+ _In_opt_ HANDLE TmHandle,
+ _In_opt_ ULONG CreateOptions,
+ _In_opt_ ULONG IsolationLevel,
+ _In_opt_ ULONG IsolationFlags,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _In_opt_ PUNICODE_STRING Description
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTransaction(
+ _Out_ PHANDLE TransactionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ LPGUID Uow,
+ _In_opt_ HANDLE TmHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+ _Out_ PVOID TransactionInformation,
+ _In_ ULONG TransactionInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+ _In_ PVOID TransactionInformation,
+ _In_ ULONG TransactionInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ BOOLEAN Wait
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ BOOLEAN Wait
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateEnlistment(
+ _Out_ PHANDLE EnlistmentHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ HANDLE TransactionHandle,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ ULONG CreateOptions,
+ _In_ NOTIFICATION_MASK NotificationMask,
+ _In_opt_ PVOID EnlistmentKey
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenEnlistment(
+ _Out_ PHANDLE EnlistmentHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ LPGUID EnlistmentGuid,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+ _Out_ PVOID EnlistmentInformation,
+ _In_ ULONG EnlistmentInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationEnlistment(
+ _In_opt_ HANDLE EnlistmentHandle,
+ _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+ _In_ PVOID EnlistmentInformation,
+ _In_ ULONG EnlistmentInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PVOID EnlistmentKey
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrePrepareEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrepareEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrePrepareComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrepareComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadOnlyEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSinglePhaseReject(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateResourceManager(
+ _Out_ PHANDLE ResourceManagerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE TmHandle,
+ _In_ LPGUID RmGuid,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ ULONG CreateOptions,
+ _In_opt_ PUNICODE_STRING Description
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenResourceManager(
+ _Out_ PHANDLE ResourceManagerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE TmHandle,
+ _In_opt_ LPGUID ResourceManagerGuid,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverResourceManager(
+ _In_ HANDLE ResourceManagerHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNotificationResourceManager(
+ _In_ HANDLE ResourceManagerHandle,
+ _Out_ PTRANSACTION_NOTIFICATION TransactionNotification,
+ _In_ ULONG NotificationLength,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _Out_opt_ PULONG ReturnLength,
+ _In_ ULONG Asynchronous,
+ _In_opt_ ULONG_PTR AsynchronousContext
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationResourceManager(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+ _Out_ PVOID ResourceManagerInformation,
+ _In_ ULONG ResourceManagerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationResourceManager(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+ _In_ PVOID ResourceManagerInformation,
+ _In_ ULONG ResourceManagerInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRegisterProtocolAddressInformation(
+ _In_ HANDLE ResourceManager,
+ _In_ PCRM_PROTOCOL_ID ProtocolId,
+ _In_ ULONG ProtocolInformationSize,
+ _In_ PVOID ProtocolInformation,
+ _In_opt_ ULONG CreateOptions
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPropagationComplete(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ ULONG RequestCookie,
+ _In_ ULONG BufferLength,
+ _In_ PVOID Buffer
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPropagationFailed(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ ULONG RequestCookie,
+ _In_ NTSTATUS PropStatus
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreezeTransactions(
+ _In_ PLARGE_INTEGER FreezeTimeout,
+ _In_ PLARGE_INTEGER ThawTimeout
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtThawTransactions(
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateWorkerFactory(
+ _Out_ PHANDLE WorkerFactoryHandleReturn,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE CompletionPortHandle,
+ _In_ HANDLE WorkerProcessHandle,
+ _In_ PUSER_THREAD_START_ROUTINE StartRoutine,
+ _In_opt_ PVOID StartParameter,
+ _In_opt_ ULONG MaxThreadCount,
+ _In_opt_ SIZE_T StackReserve,
+ _In_opt_ SIZE_T StackCommit
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
+ _Out_ PVOID WorkerFactoryInformation,
+ _In_ ULONG WorkerFactoryInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
+ _In_ PVOID WorkerFactoryInformation,
+ _In_ ULONG WorkerFactoryInformationLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtShutdownWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Inout_ volatile LONG* PendingWorkerCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseWorkerFactoryWorker(
+ _In_ HANDLE WorkerFactoryHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWorkerFactoryWorkerReady(
+ _In_ HANDLE WorkerFactoryHandle
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+#if NTDDI_VERSION >= NTDDI_WIN8 || defined(_WIN64)
+// Windows 8+ declaration, but can be used on any x64 Windows Vista+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForWorkViaWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket,
+ _In_ ULONG Count,
+ _Out_ PULONG NumEntriesRemoved,
+ _In_ PLARGE_INTEGER Unknown // Wrong type (but works)
+);
+#else
+// Windows Vista/7 x86
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForWorkViaWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket
+);
+#endif
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemEnvironmentValue(
+ _In_ PUNICODE_STRING VariableName,
+ _Out_ PWSTR VariableValue,
+ _In_ USHORT ValueLength,
+ _Out_opt_ PUSHORT ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemEnvironmentValue(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ PUNICODE_STRING VariableValue
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemEnvironmentValueEx(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ LPGUID VendorGuid,
+ _Out_ PVOID Value,
+ _Inout_ PULONG ValueLength,
+ _Out_opt_ PULONG Attributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemEnvironmentValueEx(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ LPGUID VendorGuid,
+ _In_ PVOID Value,
+ _In_ ULONG ValueLength,
+ _In_ ULONG Attributes
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateSystemEnvironmentValuesEx(
+ _In_ ULONG InformationClass,
+ _Out_ PVOID Buffer,
+ _Inout_ PULONG BufferLength
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAddBootEntry(
+ _In_ PBOOT_ENTRY BootEntry,
+ _Out_opt_ PULONG Id
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteBootEntry(
+ _In_ ULONG Id
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtModifyBootEntry(
+ _In_ PBOOT_ENTRY BootEntry
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateBootEntries(
+ _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
+ _Inout_ PULONG BufferLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryBootEntryOrder(
+ _Out_writes_opt_(*Count) PULONG Ids,
+ _Inout_ PULONG Count
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetBootEntryOrder(
+ _In_reads_(Count) PULONG Ids,
+ _In_ ULONG Count
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryBootOptions(
+ _Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions,
+ _Inout_ PULONG BootOptionsLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetBootOptions(
+ _In_ PBOOT_OPTIONS BootOptions,
+ _In_ ULONG FieldsToChange
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTranslateFilePath(
+ _In_ PFILE_PATH InputFilePath,
+ _In_ ULONG OutputType,
+ _Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath,
+ _Inout_opt_ PULONG OutputFilePathLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAddDriverEntry(
+ _In_ PEFI_DRIVER_ENTRY DriverEntry,
+ _Out_opt_ PULONG Id
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteDriverEntry(
+ _In_ ULONG Id
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtModifyDriverEntry(
+ _In_ PEFI_DRIVER_ENTRY DriverEntry
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateDriverEntries(
+ _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
+ _Inout_ PULONG BufferLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDriverEntryOrder(
+ _Out_writes_opt_(*Count) PULONG Ids,
+ _Inout_ PULONG Count
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetDriverEntryOrder(
+ _In_reads_(Count) PULONG Ids,
+ _In_ ULONG Count
+);
+
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSerializeBoot(
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnableLastKnownGood(
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDisableLastKnownGood(
+);
+
+#endif
+
+NTSYSAPI
+ULONG
+__cdecl
+DbgPrint(
+ _In_ PCH Format,
+ ...
+);
+
+NTSYSAPI
+ULONG
+__cdecl
+DbgPrintEx(
+ _In_ ULONG ComponentId,
+ _In_ ULONG Level,
+ _In_ PCSTR Format,
+ ...
+);
+
+NTSYSAPI
+VOID
+NTAPI
+DbgBreakPoint(
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiConnectToDbg(
+);
+
+NTSYSAPI
+HANDLE
+NTAPI
+DbgUiGetThreadDebugObject(
+);
+
+NTSYSAPI
+VOID
+NTAPI
+DbgUiSetThreadDebugObject(
+ _In_ HANDLE DebugObject
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiWaitStateChange(
+ _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiContinue(
+ _In_ PCLIENT_ID AppClientId,
+ _In_ NTSTATUS ContinueStatus
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiStopDebugging(
+ _In_ HANDLE Process
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiDebugActiveProcess(
+ _In_ HANDLE Process
+);
+
+NTSYSAPI
+VOID
+NTAPI
+DbgUiRemoteBreakin(
+ _In_ PVOID Context
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiIssueRemoteBreakin(
+ _In_ HANDLE Process
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiConvertStateChangeStructure(
+ _In_ PDBGUI_WAIT_STATE_CHANGE StateChange,
+ _Out_ DEBUG_EVENT* DebugEvent
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrLoadDll(
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PUNICODE_STRING DllName,
+ _Out_ PVOID* DllHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandle(
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PUNICODE_STRING DllName,
+ _Out_ PVOID* DllHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleEx(
+ _In_ ULONG Flags,
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PUNICODE_STRING DllName,
+ _Out_opt_ PVOID* DllHandle
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleByMapping(
+ _In_ PVOID Base,
+ _Out_ PVOID* DllHandle
+);
+
+NTSYS API
+NTSTATUS
+NTAPI
+LdrGetDllHandleByName(
+ _In_opt_ PUNICODE_STRING BaseDllName,
+ _In_opt_ PUNICODE_STRING FullDllName,
+ _Out_ PVOID* DllHandle
+);
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetProcedureAddress(
+ _In_ PVOID DllHandle,
+ _In_opt_ CONST PANSI_STRING ProcedureName,
+ _In_opt_ ULONG ProcedureNumber,
+ _Out_ PVOID* ProcedureAddress
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetProcedureAddressEx(
+ _In_ PVOID DllHandle,
+ _In_opt_ PANSI_STRING ProcedureName,
+ _In_opt_ ULONG ProcedureNumber,
+ _Out_ PVOID* ProcedureAddress,
+ _In_ ULONG Flags
+);
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrLockLoaderLock(
+ _In_ ULONG Flags,
+ _Out_opt_ ULONG* Disposition,
+ _Out_ PVOID* Cookie
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnlockLoaderLock(
+ _In_ ULONG Flags,
+ _Inout_ PVOID Cookie
+);
+
+NTSYSAPI
+PIMAGE_BASE_RELOCATION
+NTAPI
+LdrProcessRelocationBlock(
+ _In_ ULONG_PTR VA,
+ _In_ ULONG SizeOfBlock,
+ _In_ PUSHORT NextOffset,
+ _In_ LONG_PTR Diff
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnloadDll(
+ _In_ PVOID DllHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrDisableThreadCalloutsForDll(
+ _In_ PVOID DllHandle
+);
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrOpenImageFileOptionsKey(
+ _In_ PUNICODE_STRING SubKey,
+ _In_ BOOLEAN Wow64,
+ _Out_ PHANDLE NewKeyHandle
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrQueryImageFileKeyOption(
+ _In_ HANDLE KeyHandle,
+ _In_ PCWSTR ValueName,
+ _In_ ULONG Type,
+ _Out_ PVOID Buffer,
+ _In_ ULONG BufferSize,
+ _Out_opt_ PULONG ReturnedLength
+);
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrVerifyImageMatchesChecksum(
+ _In_ HANDLE ImageFileHandle,
+ _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine,
+ _In_ PVOID ImportCallbackParameter,
+ _Out_opt_ PUSHORT ImageCharacteristics
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrVerifyImageMatchesChecksumEx(
+ _In_ HANDLE ImageFileHandle,
+ _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo
+);
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrFindResourceDirectory_U(
+ _In_ PVOID DllHandle,
+ _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrFindResource_U(
+ _In_ PVOID DllHandle,
+ _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrFindResourceEx_U(
+ _In_opt_ ULONG Flags,
+ _In_ PVOID DllHandle,
+ _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry
+);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlAssert(
+ _In_ PVOID VoidFailedAssertion,
+ _In_ PVOID VoidFileName,
+ _In_ ULONG LineNumber,
+ _In_opt_ PSTR MutableMessage
+);
+
+NTSYSAPI
+DECLSPEC_NORETURN
+VOID
+NTAPI
+RtlRaiseStatus(
+ _In_ NTSTATUS Status
+);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlRaiseException(
+ _In_ PEXCEPTION_RECORD ExceptionRecord
+);
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlConnectToSm(
+ _In_ PUNICODE_STRING ApiPortName,
+ _In_ HANDLE ApiPortHandle,
+ _In_ DWORD ProcessImageType,
+ _Out_ PHANDLE SmssConnection
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSendMsgToSm(
+ _In_ HANDLE ApiPortHandle,
+ _In_ PPORT_MESSAGE MessageData
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlRegisterThreadWithCsrss(
+);
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlEnterCriticalSection(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlLeaveCriticalSection(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+);
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+LOGICAL
+NTAPI
+RtlIsCriticalSectionLocked(
+ _In_ PRTL_CRITICAL_SECTION CriticalSection
+);
+
+NTSYSAPI
+LOGICAL
+NTAPI
+RtlIsCriticalSectionLockedByThread(
+ _In_ PRTL_CRITICAL_SECTION CriticalSection
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetCriticalSectionRecursionCount( + _In_ PRTL_CRITICAL_SECTION CriticalSection +); +#endif + +NTSYSAPI +LOGICAL +NTAPI +RtlTryEnterCriticalSection( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInitializeCriticalSection( + _Out_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +VOID +NTAPI +RtlEnableEarlyCriticalSectionEventCreation( +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInitializeCriticalSectionAndSpinCount( + _Out_ PRTL_CRITICAL_SECTION CriticalSection, + _In_ ULONG SpinCount +); + +NTSYSAPI +ULONG +NTAPI +RtlSetCriticalSectionSpinCount( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection, + _In_ ULONG SpinCount +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDeleteCriticalSection( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +BOOL +NTAPI +RtlQueryPerformanceFrequency( + _Out_ PLARGE_INTEGER Frequency +); +#else +FORCEINLINE +BOOL +NTAPI +RtlQueryPerformanceFrequency( + _Out_ PLARGE_INTEGER Frequency +) +{ + LARGE_INTEGER _; + return NT_SUCCESS(NtQueryPerformanceCounter(&_, + Frequency)); +} +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +BOOL +NTAPI +RtlQueryPerformanceCounter( + _Out_ PLARGE_INTEGER PerformanceCount +); +#else +FORCEINLINE +BOOL +NTAPI +RtlQueryPerformanceCounter( + _Out_ PLARGE_INTEGER PerformanceCount +) +{ + return NT_SUCCESS(NtQueryPerformanceCounter(PerformanceCount, + NULL)); +} +#endif + +NTSYSAPI +NTSTATUS +NTAPI RtlGetCompressionWorkSpaceSize( - IN USHORT CompressionFormatAndEngine, - OUT PULONG CompressBufferWorkSpaceSize, - OUT PULONG CompressFragmentWorkSpaceSize + _In_ USHORT CompressionFormatAndEngine, + _Out_ PULONG CompressBufferWorkSpaceSize, + _Out_ PULONG CompressFragmentWorkSpaceSize ); -NTSYSCALLAPI +NTSYSAPI NTSTATUS NTAPI RtlCompressBuffer( - IN USHORT CompressionFormatAndEngine, - IN PUCHAR UncompressedBuffer, - IN ULONG UncompressedBufferSize, - OUT PUCHAR CompressedBuffer, - IN ULONG CompressedBufferSize, - IN ULONG 
UncompressedChunkSize, - OUT PULONG FinalCompressedSize, - IN PVOID WorkSpace + _In_ USHORT CompressionFormatAndEngine, + _In_ PUCHAR UncompressedBuffer, + _In_ ULONG UncompressedBufferSize, + _Out_ PUCHAR CompressedBuffer, + _In_ ULONG CompressedBufferSize, + _In_ ULONG UncompressedChunkSize, + _Out_ PULONG FinalCompressedSize, + _In_ PVOID WorkSpace ); -NTSYSCALLAPI +NTSYSAPI NTSTATUS NTAPI RtlDecompressBuffer( - IN USHORT CompressionFormat, - OUT PUCHAR UncompressedBuffer, - IN ULONG UncompressedBufferSize, - IN PUCHAR CompressedBuffer, - IN ULONG CompressedBufferSize, - OUT PULONG FinalUncompressedSize + _In_ USHORT CompressionFormat, + _Out_ PUCHAR UncompressedBuffer, + _In_ ULONG UncompressedBufferSize, + _In_ PUCHAR CompressedBuffer, + _In_ ULONG CompressedBufferSize, + _Out_ PULONG FinalUncompressedSize ); -NTSYSCALLAPI +NTSYSAPI +PVOID +NTAPI +RtlCreateHeap( + _In_ ULONG Flags, + _In_opt_ PVOID HeapBase, + _In_opt_ SIZE_T ReserveSize, + _In_opt_ SIZE_T CommitSize, + _In_opt_ PVOID Lock, + _In_opt_ PRTL_HEAP_PARAMETERS Parameters +); + +NTSYSAPI +PVOID +NTAPI +RtlDestroyHeap( + _Inout_ PVOID HeapHandle +); + +NTSYSAPI +PVOID +NTAPI +RtlAllocateHeap( + _In_ PVOID HeapHandle, + _In_opt_ ULONG Flags, + _In_ SIZE_T Size +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlFreeHeap( + _In_ PVOID HeapHandle, + _In_opt_ ULONG Flags, + _Inout_opt_ PVOID BaseAddress +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlWalkHeap( + _In_ PVOID HeapHandle, + _Inout_ PRTL_HEAP_WALK_ENTRY Entry +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryHeapInformation( + _In_ PVOID HeapHandle, + _In_ HEAP_INFORMATION_CLASS HeapInformationClass, + _Out_opt_ PVOID HeapInformation, + _In_opt_ SIZE_T HeapInformationLength, + _Out_opt_ PSIZE_T ReturnLength +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetHeapInformation( + _In_ PVOID HeapHandle, + _In_ HEAP_INFORMATION_CLASS HeapInformationClass, + _In_opt_ PVOID HeapInformation, + _In_opt_ SIZE_T HeapInformationLength +); + +NTSYSAPI +SIZE_T +NTAPI +RtlSizeHeap( + _In_ PVOID 
HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlZeroHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags +); + +NTSYSAPI +VOID +NTAPI +RtlProtectHeap( + _In_ PVOID HeapHandle, + _In_ BOOLEAN MakeReadOnly +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlLockHeap( + _In_ PVOID HeapHandle +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlUnlockHeap( + _In_ PVOID HeapHandle +); + +NTSYSAPI +PVOID +NTAPI +RtlReAllocateHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _Inout_opt_ PVOID BaseAddress, + _In_ SIZE_T Size +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlGetUserInfoHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress, + _Out_opt_ PVOID* UserValue, + _Out_opt_ PULONG UserFlags +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlSetUserValueHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress, + _In_ PVOID UserValue +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlSetUserFlagsHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress, + _In_ ULONG UserFlagsReset, + _In_ ULONG UserFlagsSet +); + +NTSYSAPI +ULONG +NTAPI +RtlCreateTagHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_opt_ PWSTR TagPrefix, + _In_ PWSTR TagNames +); + +NTSYSAPI +PWSTR +NTAPI +RtlQueryTagHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ USHORT TagIndex, + _In_ BOOLEAN ResetCounters, + _Out_opt_ PRTL_HEAP_TAG_INFO TagInfo +); + +NTSYSAPI +SIZE_T +NTAPI +RtlCompactHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidateHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidateProcessHeaps( +); + +NTSYSAPI +ULONG +NTAPI +RtlGetProcessHeaps( + _In_ ULONG NumberOfHeaps, + _Out_ PVOID* ProcessHeaps +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlEnumProcessHeaps( + _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine, + _In_ PVOID Parameter +); + +NTSYSAPI +ULONG +NTAPI +RtlUniform( + _Inout_ PULONG Seed +); + +NTSYSAPI +ULONG +NTAPI +RtlRandom( + _Inout_ PULONG 
Seed +); + +NTSYSAPI +ULONG +NTAPI +RtlRandomEx( + _Inout_ PULONG Seed +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlFindMessage( + _In_ PVOID DllHandle, + _In_ ULONG MessageTableId, + _In_ ULONG MessageLanguageId, + _In_ ULONG MessageId, + _Out_ PMESSAGE_RESOURCE_ENTRY* MessageEntry +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlFormatMessage( + _In_ PCWSTR MessageFormat, + _In_ ULONG MaximumWidth, + _In_ BOOLEAN IgnoreInserts, + _In_ BOOLEAN ArgumentsAreAnsi, + _In_ BOOLEAN ArgumentsAreAnArray, + _In_ va_list* Arguments, + _Out_ PWSTR Buffer, + _In_ ULONG Length, + _Out_opt_ PULONG ReturnLength +); + +NTSYSAPI ULONG NTAPI RtlNtStatusToDosError( - NTSTATUS Status + _In_ NTSTATUS Status ); +NTSYSAPI +ULONG +NTAPI +RtlNtStatusToDosErrorNoTeb( + _In_ NTSTATUS Status +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetLastNtStatus( +); + +NTSYSAPI +LONG +NTAPI +RtlGetLastWin32Error( +); + +NTSYSAPI +VOID +NTAPI +RtlSetLastWin32ErrorAndNtStatusFromNtStatus( + _In_ NTSTATUS Status +); + +NTSYSAPI +VOID +NTAPI +RtlSetLastWin32Error( + _In_ LONG Win32Error +); + +NTSYSAPI +VOID +NTAPI +RtlRestoreLastWin32Error( + _In_ LONG Win32Error +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +ULONG +NTAPI +RtlGetThreadErrorMode( +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetThreadErrorMode( + _In_ ULONG NewMode, + _Out_opt_ PULONG OldMode +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlUpcaseUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +VOID +NTAPI +RtlInitUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_opt_ PWSTR SourceString +); + +NTSYSAPI +VOID +NTAPI +RtlInitAnsiString( + _Out_ PANSI_STRING DestinationString, + _In_opt_ PSTR SourceString +); + +NTSYSAPI +VOID +NTAPI +RtlCopyUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAppendUnicodeToString( + _In_ PUNICODE_STRING Destination, + _In_opt_ PCWSTR Source +); + 
+NTSYSAPI +NTSTATUS +NTAPI +RtlAnsiStringToUnicodeString( + _Inout_ PUNICODE_STRING DestinationString, + _In_ PANSI_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlUnicodeStringToAnsiString( + _Inout_ PANSI_STRING DestinationString, + _In_ PUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +VOID +NTAPI +RtlFreeAnsiString( + _Inout_ PANSI_STRING AnsiString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDefaultNpAcl( + _Out_ PACL* Dacl +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateEnvironment( + _In_ BOOLEAN CloneCurrentEnvironment, + _Out_ PVOID* Environment +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateEnvironmentEx( + _In_ PVOID SourceEnv, + _Out_ PVOID* Environment, + _In_ ULONG Flags +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlDestroyEnvironment( + _In_ PVOID Environment +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetCurrentEnvironment( + _In_ PVOID Environment, + _Out_opt_ PVOID* PreviousEnvironment +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlSetEnvironmentVar( + _In_opt_ PWSTR* Environment, + _In_ PWSTR Name, + _In_ SIZE_T NameLength, + _In_ PWSTR Value, + _In_ SIZE_T ValueLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetEnvironmentVariable( + _In_opt_ PVOID* Environment, + _In_ PUNICODE_STRING Name, + _In_ PUNICODE_STRING Value +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryEnvironmentVariable( + _In_opt_ PVOID Environment, + _In_ PWSTR Name, + _In_ SIZE_T NameLength, + _Out_ PWSTR Value, + _In_ SIZE_T ValueLength, + _Out_ PSIZE_T ReturnLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryEnvironmentVariable_U( + _In_opt_ PVOID Environment, + _In_ PUNICODE_STRING Name, + _Out_ PUNICODE_STRING Value +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlExpandEnvironmentStrings( + _In_opt_ PVOID Environment, + _In_ PWSTR Src, + _In_ SIZE_T SrcLength, + _Out_ PWSTR Dst, + _In_ SIZE_T 
DstLength, + _Out_opt_ PSIZE_T ReturnLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlExpandEnvironmentStrings_U( + _In_opt_ PVOID Environment, + _In_ PUNICODE_STRING Source, + _Out_ PUNICODE_STRING Destination, + _Out_opt_ PULONG ReturnedLength +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlSetEnvironmentStrings( + _In_ PWCHAR NewEnvironment, + _In_ SIZE_T NewEnvironmentSize +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateProcessParameters( + _Out_ PRTL_USER_PROCESS_PARAMETERS* pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateProcessParametersEx( + _Out_ PRTL_USER_PROCESS_PARAMETERS* pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData, + _In_ ULONG Flags // Pass RTL_USER_PROCESS_PARAMETERS_NORMALIZED to keep parameters normalized +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlDestroyProcessParameters( + _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters +); + +NTSYSAPI +PRTL_USER_PROCESS_PARAMETERS +NTAPI +RtlNormalizeProcessParams( + _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters +); + +NTSYSAPI +PRTL_USER_PROCESS_PARAMETERS +NTAPI +RtlDeNormalizeProcessParams( + _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateUserProcess( + _In_ PUNICODE_STRING NtImagePathName, + _In_ ULONG 
AttributesDeprecated, + _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, + _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, + _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + _In_opt_ HANDLE ParentProcess, + _In_ BOOLEAN InheritHandles, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE TokenHandle, // used to be ExceptionPort + _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateUserThread( + _In_ HANDLE Process, + _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + _In_ BOOLEAN CreateSuspended, + _In_opt_ ULONG ZeroBits, + _In_opt_ SIZE_T MaximumStackSize, + _In_opt_ SIZE_T CommittedStackSize, + _In_ PUSER_THREAD_START_ROUTINE StartAddress, + _In_opt_ PVOID Parameter, + _Out_opt_ PHANDLE Thread, + _Out_opt_ PCLIENT_ID ClientId +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDosApplyFileIsolationRedirection_Ustr( + _In_ ULONG Flags, + _In_ PUNICODE_STRING OriginalName, + _In_ PUNICODE_STRING Extension, + _Inout_ PUNICODE_STRING StaticString, + _Inout_ PUNICODE_STRING DynamicString, + _Inout_ PUNICODE_STRING* NewName, + _In_ PULONG NewFlags, + _In_ PSIZE_T FileNameSize, + _In_ PSIZE_T RequiredLength +); + +NTSYSAPI +PIMAGE_NT_HEADERS +NTAPI +RtlImageNtHeader( + _In_ PVOID ImageBase +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlImageNtHeaderEx( + _In_opt_ ULONG Flags, + _In_ PVOID Base, + _In_ ULONG64 Size, + _Out_ PIMAGE_NT_HEADERS* OutHeaders +); +#endif + +NTSYSAPI +PVOID +NTAPI +RtlImageDirectoryEntryToData( + _In_ PVOID ImageBase, + _In_ BOOLEAN MappedAsImage, + _In_ USHORT DirectoryEntry, + _Out_ PULONG Size +); + +NTSYSAPI +PVOID +NTAPI +RtlPcToFileHeader( + _In_ PVOID PcValue, + _Out_ PVOID* BaseOfImage +); + +NTSYSAPI +PVOID +NTAPI +RtlAddressInSectionTable( + _In_ PIMAGE_NT_HEADERS NtHeaders, + _In_ PVOID BaseOfImage, + _In_ ULONG VirtualAddress +); + +NTSYSAPI +PIMAGE_SECTION_HEADER +NTAPI +RtlImageRvaToSection( + _In_ PIMAGE_NT_HEADERS NtHeaders, + _In_ PVOID Base, + _In_ 
ULONG Rva +); + +NTSYSAPI +PVOID +NTAPI +RtlImageRvaToVa( + _In_ PIMAGE_NT_HEADERS NtHeaders, + _In_ PVOID Base, + _In_ ULONG Rva, + _Inout_opt_ PIMAGE_SECTION_HEADER* LastRvaSection +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryProcessHeapInformation( + _Inout_ PRTL_DEBUG_INFORMATION Buffer +); + +NTSYSAPI +PRTL_DEBUG_INFORMATION +NTAPI +RtlCreateQueryDebugBuffer( + _In_opt_ ULONG MaximumCommit, + _In_ BOOLEAN UseEventPair +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryProcessDebugInformation( + _In_ HANDLE UniqueProcessId, + _In_ ULONG Flags, + _Inout_ PRTL_DEBUG_INFORMATION Buffer +); + +#ifdef _WIN64 +NTSYSAPI +VOID +WINAPI +RtlRestoreContext( + _In_ PCONTEXT ContextRecord, + _In_opt_ PEXCEPTION_RECORD ExceptionRecord +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlAdjustPrivilege( + _In_ ULONG Privilege, + _In_ BOOLEAN Enable, + _In_ BOOLEAN Client, + _Out_ PBOOLEAN WasEnabled +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlAcquirePrivilege( + _In_ PULONG Privilege, + _In_ ULONG NumPriv, + _In_ ULONG Flags, + _Out_ PVOID* ReturnedState +); + +NTSYSAPI +VOID +NTAPI +RtlReleasePrivilege( + _In_ PVOID StatePointer +); +#endif + +NTSYSAPI +ULONG +NTAPI +RtlGetFullPathName_U( + _In_ PWSTR FileName, + _In_ ULONG BufferLength, + _Out_ PWSTR Buffer, + _Out_opt_ PWSTR* FilePart +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlDosPathNameToNtPathName_U( + _In_ PCWSTR DosFileName, + _Out_ PUNICODE_STRING NtFileName, + _Out_opt_ PWSTR* FilePart, + _Reserved_ PVOID Reserved +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +BOOLEAN +NTAPI +RtlDosPathNameToRelativeNtPathName_U( + _In_ PCWSTR DosFileName, + _Out_ PUNICODE_STRING NtFileName, + _Out_opt_ PWSTR* FilePart, + _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDosPathNameToRelativeNtPathName_U_WithStatus( + _In_ PWSTR DosFileName, + _Out_ PUNICODE_STRING NtFileName, + _Out_opt_ PWSTR* FilePart, + _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName +); +#endif + +NTSYSAPI +RTL_PATH_TYPE +NTAPI 
+RtlDetermineDosPathNameType_U( + _In_ PCWSTR Path +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlGetFullPathName_UstrEx( + _In_ PUNICODE_STRING FileName, + _In_opt_ PUNICODE_STRING StaticString, + _In_opt_ PUNICODE_STRING DynamicString, + _Out_opt_ PUNICODE_STRING* StringUsed, + _Out_opt_ PSIZE_T FilePartSize, + _Out_opt_ PBOOLEAN NameInvalid, + _Out_ RTL_PATH_TYPE* PathType, + _Out_opt_ PSIZE_T LengthNeeded +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetCurrentDirectory_U( + _In_ PUNICODE_STRING PathName +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +VOID +NTAPI +RtlReleaseRelativeName( + _In_ PRTL_RELATIVE_NAME_U RelativeName +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlNtPathNameToDosPathName( + _In_ ULONG Flags, + _Inout_ PRTL_UNICODE_STRING_BUFFER Path, + _Out_opt_ PULONG Disposition, + _Inout_opt_ PWSTR* FilePart +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +VOID +NTAPI +RtlInitializeSRWLock( + _Out_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlAcquireSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlAcquireSRWLockShared( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlReleaseSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlReleaseSRWLockShared( + _Inout_ PRTL_SRWLOCK SRWLock +); +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +BOOLEAN +NTAPI +RtlTryAcquireSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlTryAcquireSRWLockShared( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlAcquireReleaseSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); +#endif + +NTSYSAPI +ULONG +NTAPI +RtlWalkFrameChain( + _Out_ PVOID* Callers, + _In_ ULONG Count, + _In_ ULONG Flags +); + +NTSYSAPI +PPREFIX_TABLE_ENTRY +NTAPI +PfxFindPrefix( + _In_ PPREFIX_TABLE PrefixTable, + _In_ PANSI_STRING FullName +); + +NTSYSAPI +VOID +NTAPI +PfxInitialize( + _Out_ PPREFIX_TABLE PrefixTable +); + +NTSYSAPI +BOOLEAN 
+NTAPI +PfxInsertPrefix( + _In_ PPREFIX_TABLE PrefixTable, + _In_ PANSI_STRING Prefix, + _Out_ PPREFIX_TABLE_ENTRY PrefixTableEntry +); + +NTSYSAPI +VOID +NTAPI +PfxRemovePrefix( + _In_ PPREFIX_TABLE PrefixTable, + _In_ PPREFIX_TABLE_ENTRY PrefixTableEntry +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAbsoluteToSelfRelativeSD( + _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + _Out_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + _Inout_ PULONG BufferLength +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAccessAllowedAce( + _Inout_ PACL Acl, + _In_ ULONG AceRevision, + _In_ ACCESS_MASK AccessMask, + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAccessAllowedAceEx( + _Inout_ PACL Acl, + _In_ ULONG AceRevision, + _In_ ULONG AceFlags, + _In_ ACCESS_MASK AccessMask, + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAce( + _Inout_ PACL Acl, + _In_ ULONG AceRevision, + _In_ ULONG StartingAceIndex, + _In_ PVOID AceList, + _In_ ULONG AceListLength +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAtomToAtomTable( + _In_ PVOID AtomTableHandle, + _In_ PWSTR AtomName, + _Inout_opt_ PRTL_ATOM Atom +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAppendUnicodeStringToString( + PUNICODE_STRING Destination, + PCUNICODE_STRING Source +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreAllAccessesGranted( + _In_ ACCESS_MASK GrantedAccess, + _In_ ACCESS_MASK DesiredAccess +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreAnyAccessesGranted( + _In_ ACCESS_MASK GrantedAccess, + _In_ ACCESS_MASK DesiredAccess +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreBitsClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG Length +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreBitsSet( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG Length +); + +NTSYSAPI +VOID +NTAPI +RtlCaptureContext( + _Out_ PCONTEXT ContextRecord +); + +NTSYSAPI +USHORT +NTAPI +RtlCaptureStackBackTrace( + _In_ ULONG FramesToSkip, + _In_ ULONG FramesToCapture, + _Out_ PVOID* BackTrace, + _Out_opt_ PULONG BackTraceHash +); + 
+NTSYSAPI +VOID +NTAPI +RtlClearAllBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +VOID +NTAPI +RtlClearBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG NumberToClear +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateSystemVolumeInformationFolder( + _In_ PCUNICODE_STRING VolumeRootPath +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +LONG +NTAPI +RtlCompareAltitudes( + _In_ PCUNICODE_STRING Altitude1, + _In_ PCUNICODE_STRING Altitude2 +); +#endif + +NTSYSAPI +LONG +NTAPI +RtlCompareUnicodeString( + _In_ PCUNICODE_STRING String1, + _In_ PCUNICODE_STRING String2, + _In_ BOOLEAN CaseInSensitive +); + +NTSYSAPI +ULONG32 +NTAPI +RtlComputeCrc32( + _In_ ULONG32 PartialCrc, + _In_ PVOID Buffer, + _In_ ULONG Length +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlConvertSidToUnicodeString( + _Inout_ PUNICODE_STRING UnicodeString, + _In_ PSID Sid, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +VOID +NTAPI +RtlCopyLuid( + _Out_ PLUID DestinationLuid, + _In_ PLUID SourceLuid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCopySid( + _In_ ULONG DestinationSidLength, + _Out_ PSID DestinationSid, + _In_ PSID SourceSid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateAcl( + _Out_ PACL Acl, + _In_ ULONG AclLength, + _In_ ULONG AclRevision +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateAtomTable( + _In_ ULONG NumberOfBuckets, + _Out_ PVOID* AtomTableHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDecompressFragment( + _In_ USHORT CompressionFormat, + _Out_ PUCHAR UncompressedFragment, + _In_ ULONG UncompressedFragmentSize, + _In_ PUCHAR CompressedBuffer, + _In_ ULONG CompressedBufferSize, + _In_ ULONG FragmentOffset, + _Out_ PULONG FinalUncompressedSize, + _In_ PVOID WorkSpace +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlDelete( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDeleteAce( + _Inout_ PACL Acl, + _In_ ULONG AceIndex +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDeleteAtomFromAtomTable( + _In_ PVOID AtomTableHandle, + _In_ RTL_ATOM Atom +); + +NTSYSAPI 
+VOID +NTAPI +RtlDeleteNoSplay( + _In_ PRTL_SPLAY_LINKS Links, + _Inout_ PRTL_SPLAY_LINKS* Root +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDowncaseUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDuplicateUnicodeString( + _In_ ULONG Flags, + _In_ UNICODE_STRING* StringIn, + _Out_ UNICODE_STRING* StringOut +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlEmptyAtomTable( + _In_ PVOID AtomTableHandle, + _In_ BOOLEAN IncludePinnedAtoms +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlEqualSid( + _In_ PSID Sid1, + _In_ PSID Sid2 +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlEqualString( + _In_ PANSI_STRING String1, + _In_ PANSI_STRING String2, + _In_ BOOLEAN CaseInSensitive +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlEqualUnicodeString( + _In_ PCUNICODE_STRING String1, + _In_ PCUNICODE_STRING String2, + _In_ BOOLEAN CaseInSensitive +); + +NTSYSAPI +ULONG +NTAPI +RtlFindClearBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindClearBitsAndSet( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindClearRuns( + _In_ PRTL_BITMAP BitMapHeader, + _Out_ PRTL_BITMAP_RUN RunArray, + _In_ ULONG SizeOfRunArray, + _In_ BOOLEAN LocateLongestRuns +); + +NTSYSAPI +ULONG +NTAPI +RtlFindLastBackwardRunClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG FromIndex, + _In_ PULONG StartingRunIndex +); + +NTSYSAPI +CCHAR +NTAPI +RtlFindLeastSignificantBit( + _In_ ULONGLONG Set +); + +NTSYSAPI +ULONG +NTAPI +RtlFindLongestRunClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ PULONG StartingIndex +); + +NTSYSAPI +CCHAR +NTAPI +RtlFindMostSignificantBit( + _In_ ULONGLONG Set +); + +NTSYSAPI +ULONG +NTAPI +RtlFindNextForwardRunClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG FromIndex, + _In_ PULONG StartingRunIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindSetBits( + _In_ PRTL_BITMAP 
BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindSetBitsAndClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +VOID +NTAPI +RtlGetCallersAddress( + _Out_ PVOID* CallersAddress, + _Out_ PVOID* CallersCaller +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetDaclSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PBOOLEAN DaclPresent, + _Out_ PACL* Dacl, + _Out_ PBOOLEAN DaclDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetGroupSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PSID* Group, + _Out_ PBOOLEAN GroupDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetOwnerSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PSID* Owner, + _Out_ PBOOLEAN OwnerDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetSaclSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PBOOLEAN SaclPresent, + _Out_ PACL* Sacl, + _Out_ PBOOLEAN SaclDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetSetBootStatusData( + _In_ HANDLE Handle, + _In_ BOOLEAN Get, + _In_ RTL_BSD_ITEM_TYPE DataItem, + _In_ PVOID DataBuffer, + _In_ ULONG DataBufferLength, + _Out_opt_ PULONG ByteRead +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateBootStatusDataFile( +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetVersion( + _Out_ PRTL_OSVERSIONINFOW lpVersionInformation +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGUIDFromString( + _In_ PUNICODE_STRING GuidString, + _Out_ GUID* Guid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlHashUnicodeString( + _In_ UNICODE_STRING* String, + _In_ BOOLEAN CaseInSensitive, + _In_ ULONG HashAlgorithm, + _Out_ PULONG HashValue +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInitializeSid( + _Out_ PSID Sid, + _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, + _In_ UCHAR SubAuthorityCount +); + +NTSYSAPI +ULONG +NTAPI +RtlLengthRequiredSid( + _In_ ULONG SubAuthorityCount +); + +NTSYSAPI +ULONG +NTAPI +RtlLengthSecurityDescriptor( + _In_ 
PSECURITY_DESCRIPTOR SecurityDescriptor +); + +NTSYSAPI +ULONG +NTAPI +RtlLengthSid( + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLockBootStatusData( + _Out_ PHANDLE BootStatusDataHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLookupAtomInAtomTable( + _In_ PVOID AtomTableHandle, + _In_ PWSTR AtomName, + _Out_opt_ PRTL_ATOM Atom +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlMapSecurityErrorToNtStatus( + _In_ SECURITY_STATUS Error +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlMultiByteToUnicodeN( + _Out_ PWCH UnicodeString, + _In_ ULONG MaxBytesInUnicodeString, + _Out_opt_ PULONG BytesInUnicodeString, + _In_ PCSTR MultiByteString, + _In_ ULONG BytesInMultiByteString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlMultiByteToUnicodeSize( + _Out_ PULONG BytesInUnicodeString, + _In_ PCSTR MultiByteString, + _In_ ULONG BytesInMultiByteString +); + +NTSYSAPI +ULONG +NTAPI +RtlNumberOfClearBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +ULONG +NTAPI +RtlNumberOfSetBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryAtomInAtomTable( + _In_ PVOID AtomTableHandle, + _In_ RTL_ATOM Atom, + _Out_opt_ PULONG AtomUsage, + _Out_opt_ PULONG AtomFlags, + _Inout_opt_ PWSTR AtomName, + _Inout_opt_ PULONG AtomNameLength +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlRealPredecessor( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlRealSuccessor( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +VOID +NTAPI +RtlRunDecodeUnicodeString( + _In_ UCHAR Seed, + _Inout_ PUNICODE_STRING String +); + +NTSYSAPI +VOID +NTAPI +RtlRunEncodeUnicodeString( + _In_opt_ PUCHAR Seed, + _Inout_ PUNICODE_STRING String +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSelfRelativeToAbsoluteSD( + _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + _Out_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + _Inout_ PULONG AbsoluteSecurityDescriptorSize, + _Out_ PACL Dacl, + _Inout_ PULONG DaclSize, + _Out_ PACL Sacl, + _Inout_ PULONG SaclSize, + _Out_opt_ PSID Owner, + _Inout_ PULONG 
OwnerSize, + _Out_opt_ PSID PrimaryGroup, + _Inout_ PULONG PrimaryGroupSize +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSelfRelativeToAbsoluteSD2( + _Inout_ PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, + _Inout_ PULONG pBufferSize +); + +NTSYSAPI +VOID +NTAPI +RtlSetAllBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +VOID +NTAPI +RtlSetBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG NumberToSet +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetDaclSecurityDescriptor( + _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ BOOLEAN DaclPresent, + _In_opt_ PACL Dacl, + _In_ BOOLEAN DaclDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetGroupSecurityDescriptor( + _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_opt_ PSID Group, + _In_opt_ BOOLEAN GroupDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetOwnerSecurityDescriptor( + _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_opt_ PSID Owner, + _In_ BOOLEAN OwnerDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetSaclSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ BOOLEAN SaclPresent, + _In_opt_ PACL Sacl, + _In_opt_ BOOLEAN SaclDefaulted +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlSplay( + _Inout_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlStringFromGUID( + _In_ REFGUID Guid, + _Out_ PUNICODE_STRING GuidString +); + +NTSYSAPI +PUCHAR +NTAPI +RtlSubAuthorityCountSid( + _In_ PSID Sid +); + +NTSYSAPI +PULONG +NTAPI +RtlSubAuthoritySid( + _In_ PSID Sid, + _In_ ULONG SubAuthority +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlSubtreePredecessor( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlSubtreeSuccessor( + _In_ PRTL_SPLAY_LINKS Links +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +BOOLEAN +NTAPI +RtlTestBit( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG BitNumber +); +#endif + +NTSYSAPI +VOID +NTAPI +RtlUnlockBootStatusData( + _In_ HANDLE BootStatusDataHandle +); + +NTSYSAPI +NTSTATUS +NTAPI 
+RtlCreateSecurityDescriptor( + _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ ULONG Revision +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidRelativeSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptorInput, + _In_ ULONG SecurityDescriptorLength, + _In_ SECURITY_INFORMATION RequiredInformation +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidSid( + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlVerifyVersionInfo( + _In_ RTL_OSVERSIONINFOEXW VersionInfo, + _In_ ULONG TypeMask, + _In_ ULONGLONG ConditionMask +); + +NTSYSAPI +ULONGLONG +NTAPI +VerSetConditionMask( + _In_ ULONGLONG ConditionMask, + _In_ ULONG TypeMask, + _In_ UCHAR Condition +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +TpAllocPool( + _Out_ PTP_POOL* PoolReturn, + _Reserved_ PVOID Reserved +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +TpDisablePoolCallbackChecks( + _Inout_ PTP_POOL Pool +); +#endif + +NTSYSAPI +VOID +NTAPI +TpReleasePool( + _Inout_ PTP_POOL Pool +); + +NTSYSAPI +VOID +NTAPI +TpSetPoolMaxThreads( + _Inout_ PTP_POOL Pool, + _In_ LONG MaxThreads +); + +NTSYSAPI +NTSTATUS +NTAPI +TpSetPoolMinThreads( + _Inout_ PTP_POOL Pool, + _In_ LONG MinThreads +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +TpQueryPoolStackInformation( + _In_ PTP_POOL Pool, + _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation +); + +NTSYSAPI +NTSTATUS +NTAPI +TpSetPoolStackInformation( + _Inout_ PTP_POOL Pool, + _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocCleanupGroup( + _Out_ PTP_CLEANUP_GROUP* CleanupGroupReturn +); + +NTSYSAPI +VOID +NTAPI +TpReleaseCleanupGroup( + _Inout_ PTP_CLEANUP_GROUP CleanupGroup +); + +NTSYSAPI +VOID +NTAPI +TpReleaseCleanupGroupMembers( + _Inout_ PTP_CLEANUP_GROUP CleanupGroup, + _In_ LOGICAL CancelPendingCallbacks, + _Inout_opt_ PVOID CleanupParameter 
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSimpleTryPost(
+ _In_ PTP_SIMPLE_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocWork(
+ _Out_ PTP_WORK* WorkReturn,
+ _In_ PTP_WORK_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseWork(
+ _Inout_ PTP_WORK Work
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpPostWork(
+ _Inout_ PTP_WORK Work
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForWork(
+ _Inout_ PTP_WORK Work,
+ _In_ LOGICAL CancelPendingCallbacks
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocTimer(
+ _Out_ PTP_TIMER* Timer,
+ _In_ PTP_TIMER_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseTimer(
+ _Inout_ PTP_TIMER Timer
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpSetTimer(
+ _Inout_ PTP_TIMER Timer,
+ _In_opt_ PLARGE_INTEGER DueTime,
+ _In_ LONG Period,
+ _In_opt_ LONG WindowLength
+);
+
+NTSYSAPI
+LOGICAL
+NTAPI
+TpIsTimerSet(
+ _In_ PTP_TIMER Timer
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForTimer(
+ _Inout_ PTP_TIMER Timer,
+ _In_ LOGICAL CancelPendingCallbacks
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocWait(
+ _Out_ PTP_WAIT* WaitReturn,
+ _In_ PTP_WAIT_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseWait(
+ _Inout_ PTP_WAIT Wait
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpSetWait(
+ _Inout_ PTP_WAIT Wait,
+ _In_opt_ HANDLE Handle,
+ _In_opt_ PLARGE_INTEGER Timeout
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocIoCompletion(
+ _Out_ PTP_IO* IoReturn,
+ _In_ HANDLE File,
+ _In_ PTP_IO_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForIoCompletion(
+ _Inout_ PTP_IO Io,
+ _In_ LOGICAL CancelPendingCallbacks
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocAlpcCompletion(
+ _Out_ PTP_ALPC* AlpcReturn,
+ _In_ HANDLE AlpcPort,
+ _In_ PTP_ALPC_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocAlpcCompletionEx(
+ _Out_ PTP_ALPC* AlpcReturn,
+ _In_ HANDLE AlpcPort,
+ _In_ PTP_ALPC_CALLBACK_EX Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+);
+#endif
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseAlpcCompletion(
+ _Inout_ PTP_ALPC Alpc
+);
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForAlpcCompletion(
+ _Inout_ PTP_ALPC Alpc
+);
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAlpcRegisterCompletionList(
+ _Inout_ PTP_ALPC Alpc
+);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAlpcUnregisterCompletionList(
+ _Inout_ PTP_ALPC Alpc
+);
+#endif
+
 #ifdef __cplusplus
 };
 #endif
+
+#endif // _NTDLL_H
diff --git a/TitanEngineEmulator/ntdll_x64.lib b/TitanEngineEmulator/ntdll_x64.lib
index 45bce84..8fae16c 100644
Binary files a/TitanEngineEmulator/ntdll_x64.lib and b/TitanEngineEmulator/ntdll_x64.lib differ
diff --git a/TitanEngineEmulator/ntdll_x86.lib b/TitanEngineEmulator/ntdll_x86.lib
index 0d3e918..c6ccc8c 100644
Binary files a/TitanEngineEmulator/ntdll_x86.lib and b/TitanEngineEmulator/ntdll_x86.lib differ
