From b435ee57d31ff16d637a601741d18ab250fb324b Mon Sep 17 00:00:00 2001 From: Duncan Ogilvie Date: Sat, 10 Sep 2022 00:04:42 +0200 Subject: [PATCH] Implement UE_ENGINE_DISABLE_ASLR --- GleeBug/Debugger.Loop.cpp | 12 + .../Debugger.NativeAttach.h | 2 + GleeBug/Debugger.cpp | 139 +- GleeBug/Debugger.h | 7 +- GleeBug/GleeBug.vcxproj | 2 + GleeBug/GleeBug.vcxproj.filters | 6 + GleeBug/ntdll.h | 9394 +++++++++++++++++ GleeBug/ntdll_x64.lib | Bin 0 -> 266752 bytes GleeBug/ntdll_x86.lib | Bin 0 -> 271654 bytes TitanEngineEmulator/Emulator.h | 10 +- .../TitanEngineEmulator.vcxproj | 1 - .../TitanEngineEmulator.vcxproj.filters | 3 - 12 files changed, 9562 insertions(+), 14 deletions(-) rename TitanEngineEmulator/NativeAttach.h => GleeBug/Debugger.NativeAttach.h (96%) create mode 100644 GleeBug/ntdll.h create mode 100644 GleeBug/ntdll_x64.lib create mode 100644 GleeBug/ntdll_x86.lib diff --git a/GleeBug/Debugger.Loop.cpp b/GleeBug/Debugger.Loop.cpp index 12010df..9082434 100644 --- a/GleeBug/Debugger.Loop.cpp +++ b/GleeBug/Debugger.Loop.cpp @@ -138,6 +138,18 @@ namespace GleeBug switch(mDebugEvent.dwDebugEventCode) { case CREATE_PROCESS_DEBUG_EVENT: + // HACK: when hollowing the process the debug event still delivers the original image base + if (mDisableAslr && mDebugModuleImageBase != 0) + { + auto startAddress = ULONG_PTR(mDebugEvent.u.CreateProcessInfo.lpStartAddress); + if (startAddress) + { + startAddress -= ULONG_PTR(mDebugEvent.u.CreateProcessInfo.lpBaseOfImage); + startAddress += mDebugModuleImageBase; + mDebugEvent.u.CreateProcessInfo.lpStartAddress = LPTHREAD_START_ROUTINE(startAddress); + } + mDebugEvent.u.CreateProcessInfo.lpBaseOfImage = LPVOID(mDebugModuleImageBase); + } createProcessEvent(mDebugEvent.u.CreateProcessInfo); break; case EXIT_PROCESS_DEBUG_EVENT: diff --git a/TitanEngineEmulator/NativeAttach.h b/GleeBug/Debugger.NativeAttach.h similarity index 96% rename from TitanEngineEmulator/NativeAttach.h rename to GleeBug/Debugger.NativeAttach.h index 5331e91..d2a504c 100644 --- a/TitanEngineEmulator/NativeAttach.h +++ b/GleeBug/Debugger.NativeAttach.h @@ -1,5 +1,7 @@ #pragma once +#include "ntdll.h" + static DWORD BaseSetLastNTError(IN NTSTATUS Status) { DWORD dwErrCode; diff --git a/GleeBug/Debugger.cpp b/GleeBug/Debugger.cpp index 3c8ab78..f0fc50d 100644 --- a/GleeBug/Debugger.cpp +++ b/GleeBug/Debugger.cpp @@ -1,3 +1,4 @@ +#include "Debugger.NativeAttach.h" #include "Debugger.h" #include "Debugger.Thread.Registers.h" @@ -37,29 +38,52 @@ namespace GleeBug szFileNameCreateProcess = nullptr; } + auto creationFlags = DEBUG_PROCESS; + creationFlags |= DEBUG_ONLY_THIS_PROCESS; // TODO: support child process debugging + if (newConsole) + creationFlags |= CREATE_NEW_CONSOLE; + if (startSuspended) + creationFlags |= CREATE_SUSPENDED; + + if (mDisableAslr) + { + creationFlags |= CREATE_SUSPENDED; + // We will attach manually later + creationFlags &= ~(DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS); + } + bool result = !!CreateProcessW(szFileNameCreateProcess, szCommandLineCreateProcess, nullptr, nullptr, FALSE, - DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | (newConsole ? CREATE_NEW_CONSOLE : 0) | (startSuspended ? CREATE_SUSPENDED : 0), + creationFlags, nullptr, szCurrentDirectory, &mMainStartupInfo, &mMainProcess); + if (result && mDisableAslr) + { + HollowProcessWithoutASLR(szFileNameCreateProcess, mMainProcess); + DebugActiveProcess_(mMainProcess.dwProcessId); + DebugSetProcessKillOnExit(TRUE); + if (!startSuspended) + ResumeThread(mMainProcess.hThread); + } + delete[] szCreateWithCmdLine; mAttachedToProcess = false; return result; } - bool Debugger::Attach(DWORD processId, decltype(&DebugActiveProcess) debugActiveProcess) + bool Debugger::Attach(DWORD processId) { //don't allow attaching when still debugging if(mIsDebugging) return false; - if(!debugActiveProcess(processId)) + if(!DebugActiveProcess_(processId)) return false; mAttachedToProcess = true; memset(&mMainStartupInfo, 0, sizeof(mMainStartupInfo)); @@ -102,4 +126,113 @@ namespace GleeBug mDetachAndBreak = true; mDetach = false; } + + static bool GetPeData(HANDLE hFile, ULONG_PTR& imageBase, ULONG_PTR& entryPoint) + { + IMAGE_DOS_HEADER idh; + DWORD read = 0; + if (!ReadFile(hFile, &idh, sizeof(idh), &read, nullptr)) + return false; + if (idh.e_magic != IMAGE_DOS_SIGNATURE) + return false; + if (!SetFilePointer(hFile, idh.e_lfanew, nullptr, FILE_BEGIN)) + return false; + IMAGE_NT_HEADERS64 inth; + if (!ReadFile(hFile, &inth, sizeof(inth), &read, nullptr)) + return false; + if (inth.Signature != IMAGE_NT_SIGNATURE) + return false; + switch (inth.FileHeader.Machine) + { + case IMAGE_FILE_MACHINE_AMD64: + { + imageBase = inth.OptionalHeader.ImageBase; + entryPoint = inth.OptionalHeader.AddressOfEntryPoint; + } + break; + + case IMAGE_FILE_MACHINE_I386: + { + auto nth32 = (IMAGE_NT_HEADERS32*)&inth; + imageBase = nth32->OptionalHeader.ImageBase; + entryPoint = nth32->OptionalHeader.AddressOfEntryPoint; + } + break; + + default: + return false; + } + return true; + } + + bool Debugger::HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMATION& pi) + { + bool success = false; + auto hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr); + if (hFile != INVALID_HANDLE_VALUE) + { + // Retrieve image base and entry point + ULONG_PTR debugModuleEntryPoint = 0; + if (GetPeData(hFile, mDebugModuleImageBase, debugModuleEntryPoint)) + { + SetFilePointer(hFile, 0, nullptr, FILE_BEGIN); + + auto hMapping = CreateFileMappingW(hFile, nullptr, SEC_IMAGE | PAGE_READONLY, 0, 0, nullptr); + if (hMapping) + { + CONTEXT ctx; + ctx.ContextFlags = CONTEXT_ALL; + if (GetThreadContext(pi.hThread, &ctx)) + { + PVOID imageBase; + // TODO: support wow64 processes +#ifdef _WIN64 + auto& pebRegister = ctx.Rdx; + auto& entryPointRegister = ctx.Rcx; +#else + auto& pebRegister = ctx.Ebx; + auto& entryPointRegister = ctx.Eax; +#endif // _WIN64 + if (ReadProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr)) + { + auto status = NtUnmapViewOfSection(pi.hProcess, imageBase); + if (status == STATUS_SUCCESS) + { + SIZE_T viewSize = 0; + imageBase = PVOID(mDebugModuleImageBase); + status = NtMapViewOfSection(hMapping, pi.hProcess, &imageBase, 0, 0, nullptr, &viewSize, ViewUnmap, 0, PAGE_READONLY); + if (status == STATUS_SUCCESS || status == STATUS_IMAGE_NOT_AT_BASE) + { + if (WriteProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr)) + { + entryPointRegister = mDebugModuleImageBase + debugModuleEntryPoint; + if (SetThreadContext(pi.hThread, &ctx)) + { + success = true; +#ifndef _WIN64 + // For Wow64 processes, also adjust the 64-bit PEB + if (IsThisProcessWow64() && !WriteProcessMemory(pi.hProcess, (char*)pebRegister - 0x1000 + 0x10, &imageBase, sizeof(PVOID), nullptr)) + success = false; +#endif // _WIN64 + } + } + } + } + } + } + + CloseHandle(hMapping); + } + } + + CloseHandle(hFile); + } + + if (!success) + { + mDebugModuleImageBase = 0; + } + + return success; + } }; \ No newline at end of file diff --git a/GleeBug/Debugger.h b/GleeBug/Debugger.h index f537c56..8abc4fa 100644 --- a/GleeBug/Debugger.h +++ b/GleeBug/Debugger.h @@ -47,7 +47,7 @@ namespace GleeBug \param processId Process to attach to. \return true if the debuggee was attached to successfully, false otherwise. */ - bool Attach(DWORD processId, decltype(&DebugActiveProcess) = &DebugActiveProcess); + bool Attach(DWORD processId); /** \brief Stops the debuggee (terminate the process) @@ -293,6 +293,7 @@ namespace GleeBug bool mDetachAndBreak = false; bool mAttachedToProcess = false; bool mSafeStep = true; + bool mDisableAslr = false; /** \brief The current process (can be null in some cases). @@ -303,6 +304,10 @@ namespace GleeBug \brief The current thread (can be null in some cases). Should be a copy of mProcess->thread. */ Thread* mThread = nullptr; + + private: + bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMATION& pi); + ULONG_PTR mDebugModuleImageBase = 0; }; }; diff --git a/GleeBug/GleeBug.vcxproj b/GleeBug/GleeBug.vcxproj index caa7900..07713d9 100644 --- a/GleeBug/GleeBug.vcxproj +++ b/GleeBug/GleeBug.vcxproj @@ -188,6 +188,7 @@ + @@ -196,6 +197,7 @@ + diff --git a/GleeBug/GleeBug.vcxproj.filters b/GleeBug/GleeBug.vcxproj.filters index 9f8c1ea..0ea63f8 100644 --- a/GleeBug/GleeBug.vcxproj.filters +++ b/GleeBug/GleeBug.vcxproj.filters @@ -199,6 +199,12 @@ Header Files + + Header Files + + + Header Files + diff --git a/GleeBug/ntdll.h b/GleeBug/ntdll.h new file mode 100644 index 0000000..5064065 --- /dev/null +++ b/GleeBug/ntdll.h @@ -0,0 +1,9394 @@ +#ifndef _NTDLL_H +#define _NTDLL_H + +#pragma once + +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef WIN32_NO_STATUS +#define WIN32_NO_STATUS +#endif +#include +#undef WIN32_NO_STATUS +#include +#include + +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) +#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) + +#define FASTCALL __fastcall + +#ifndef _Reserved_ +#define _Reserved_ +#endif + +#define ALIGN_DOWN(length, type) \ + ((ULONG)(length) & ~(sizeof(type) - 1)) + +#define ALIGN_UP(length, type) \ + (ALIGN_DOWN(((ULONG)(length) + sizeof(type) - 1), type)) + +#define MIN(a,b) (((a) < (b)) ? (a) : (b)) +#define MAX(a,b) (((a) > (b)) ? (a) : (b)) + +typedef LONG NTSTATUS, *PNTSTATUS; +typedef LONG KPRIORITY, *PKPRIORITY; +typedef ULONG LOGICAL, *PLOGICAL; + +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +enum KPROCESSOR_MODE +{ + KernelMode, + UserMode +}; + +typedef enum _KTHREAD_STATE +{ + Initialized, + Ready, + Running, + Standby, + Terminated, + Waiting, + Transition, + DeferredReady, + GateWaitObsolete, + WaitingForProcessInSwap, + MaximumThreadState +} KTHREAD_STATE, *PKTHREAD_STATE; + +typedef enum _KWAIT_REASON +{ + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + WrKeyedEvent, + WrTerminated, + WrProcessInSwap, + WrCpuRateControl, + WrCalloutStack, + WrKernel, + WrResource, + WrPushLock, + WrMutex, + WrQuantumEnd, + WrDispatchInt, + WrPreempted, + WrYieldExecution, + WrFastMutex, + WrGuardedMutex, + WrRundown, + WrAlertByThreadId, + WrDeferredPreempt, + MaximumWaitReason +} KWAIT_REASON; + +typedef enum _EVENT_TYPE +{ + NotificationEvent, + SynchronizationEvent +} EVENT_TYPE; + +typedef enum _TIMER_TYPE +{ + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE; + +typedef enum _WAIT_TYPE +{ + WaitAll, + WaitAny, + WaitNotification, + WaitDequeue +} WAIT_TYPE; + +typedef enum _SECTION_INHERIT +{ + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT; + +#define HARDERROR_OVERRIDE_ERRORMODE 0x10000000 + +typedef enum _HARDERROR_RESPONSE_OPTION +{ + OptionAbortRetryIgnore, + OptionOk, + OptionOkCancel, + OptionRetryCancel, + OptionYesNo, + OptionYesNoCancel, + OptionShutdownSystem, + OptionOkNoWait, + OptionCancelTryContinue +} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION; + +typedef enum _HARDERROR_RESPONSE +{ + ResponseReturnToCaller, + ResponseNotHandled, + ResponseAbort, + ResponseCancel, + ResponseIgnore, + ResponseNo, + ResponseOk, + ResponseRetry, + ResponseYes, + ResponseTryAgain, + ResponseContinue +} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE; + +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; +typedef const UNICODE_STRING* PCUNICODE_STRING; + +#define DECLARE_UNICODE_STRING_SIZE(_var, _size) \ +WCHAR _var ## _buffer[_size]; \ +__pragma(warning(push)) \ +__pragma(warning(disable:4221)) __pragma(warning(disable:4204)) \ +UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer } \ +__pragma(warning(pop)) + +#define DECLARE_STATIC_UNICODE_STRING_SIZE(_var, _size) \ +WCHAR _var ## _buffer[_size]; \ +__pragma(warning(push)) \ +__pragma(warning(disable:4221)) __pragma(warning(disable:4204)) \ +static UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer } \ +__pragma(warning(pop)) + +#if defined(__clang__) +#define RTL_CONSTANT_STRING(s) \ +__pragma(clang diagnostic push) \ +__pragma(clang diagnostic ignored "-Wwritable-strings") \ +{ sizeof(s) - sizeof((s)[0]), sizeof(s), s } \ +__pragma(clang diagnostic pop) +#else +#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), (PWSTR)s } +#define RTL_CONSTANT_ANSI_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), (PSTR)s } +#endif + +FORCEINLINE +VOID +RtlInitEmptyUnicodeString( + _Out_ PUNICODE_STRING UnicodeString, + _In_ PWCHAR Buffer, + _In_ USHORT BufferSize) +{ + UnicodeString->Length = 0; + UnicodeString->MaximumLength = BufferSize; + UnicodeString->Buffer = Buffer; +} + +typedef struct _STRING +{ + USHORT Length; + USHORT MaximumLength; + PCHAR Buffer; +} ANSI_STRING, *PANSI_STRING; + +typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION +{ + ULONG SessionId; + ULONG SizeOfBuf; + PVOID Buffer; +} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION +{ + BOOLEAN KernelDebuggerEnabled; + BOOLEAN KernelDebuggerNotPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX +{ + BOOLEAN DebuggerAllowed; + BOOLEAN DebuggerEnabled; + BOOLEAN DebuggerPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX; + +typedef struct _LDT_INFORMATION +{ + ULONG Start; + ULONG Length; + LDT_ENTRY LdtEntries[1]; +} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION; + +typedef struct _KERNEL_USER_TIMES +{ + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; + +typedef struct _SYSTEM_THREAD_INFORMATION +{ + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientId; + KPRIORITY Priority; + LONG BasePriority; + ULONG ContextSwitches; + ULONG ThreadState; + KWAIT_REASON WaitReason; +} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; + +typedef struct _SYSTEM_PROCESS_INFORMATION +{ + ULONG NextEntryOffset; + ULONG NumberOfThreads; + LARGE_INTEGER WorkingSetPrivateSize; // Since Vista + ULONG HardFaultCount; // Since Windows 7 + ULONG NumberOfThreadsHighWatermark; // Since Windows 7 + ULONGLONG CycleTime; // Since Windows 7 + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + ULONG HandleCount; + ULONG SessionId; + ULONG_PTR UniqueProcessKey; // Since Vista (requires SystemExtendedProcessInformation) + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; + LARGE_INTEGER ReadOperationCount; + LARGE_INTEGER WriteOperationCount; + LARGE_INTEGER OtherOperationCount; + LARGE_INTEGER ReadTransferCount; + LARGE_INTEGER WriteTransferCount; + LARGE_INTEGER OtherTransferCount; + SYSTEM_THREAD_INFORMATION Threads[1]; +} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; + +typedef struct _PROCESS_SESSION_INFORMATION +{ + ULONG SessionId; +} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; + +// File attribute values +#define FILE_ATTRIBUTE_READONLY 0x00000001 +#define FILE_ATTRIBUTE_HIDDEN 0x00000002 +#define FILE_ATTRIBUTE_SYSTEM 0x00000004 + +#define FILE_ATTRIBUTE_DIRECTORY 0x00000010 +#define FILE_ATTRIBUTE_ARCHIVE 0x00000020 +#define FILE_ATTRIBUTE_DEVICE 0x00000040 +#define FILE_ATTRIBUTE_NORMAL 0x00000080 + +#define FILE_ATTRIBUTE_TEMPORARY 0x00000100 +#define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200 +#define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400 +#define FILE_ATTRIBUTE_COMPRESSED 0x00000800 + +#define FILE_ATTRIBUTE_OFFLINE 0x00001000 +#define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000 +#define FILE_ATTRIBUTE_ENCRYPTED 0x00004000 + +#define FILE_ATTRIBUTE_INTEGRITY_STREAM 0x00008000 +#define FILE_ATTRIBUTE_VIRTUAL 0x00010000 +#define FILE_ATTRIBUTE_NO_SCRUB_DATA 0x00020000 + +#define FILE_ATTRIBUTE_EA 0x00040000 +#define FILE_ATTRIBUTE_PINNED 0x00080000 +#define FILE_ATTRIBUTE_UNPINNED 0x00100000 +#define FILE_ATTRIBUTE_RECALL_ON_OPEN 0x00040000 +#define FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 0x00400000 + +#if NTDDI_VERSION < NTDDI_WIN8 +#define FILE_ATTRIBUTE_VALID_FLAGS 0x00007fb7 +#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000031a7 +#elif NTDDI_VERSION < NTDDI_WIN10_RS2 +#define FILE_ATTRIBUTE_VALID_FLAGS 0x0002ffb7 +#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000231a7 +#else +#define FILE_ATTRIBUTE_VALID_FLAGS 0x005affb7 +#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x001a31a7 +#endif + +// File create disposition values +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 0x00000005 + +// File create/open option flags +#define FILE_DIRECTORY_FILE 0x00000001 +#define FILE_WRITE_THROUGH 0x00000002 +#define FILE_SEQUENTIAL_ONLY 0x00000004 +#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 + +#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define FILE_CREATE_TREE_CONNECTION 0x00000080 + +#define FILE_COMPLETE_IF_OPLOCKED 0x00000100 +#define FILE_NO_EA_KNOWLEDGE 0x00000200 +#define FILE_OPEN_FOR_RECOVERY 0x00000400 +#define FILE_RANDOM_ACCESS 0x00000800 + +#define FILE_DELETE_ON_CLOSE 0x00001000 +#define FILE_OPEN_BY_FILE_ID 0x00002000 +#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 +#define FILE_NO_COMPRESSION 0x00008000 + +#if NTDDI_VERSION >= NTDDI_WIN7 +#define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 +#define FILE_DISALLOW_EXCLUSIVE 0x00020000 +#endif +#if NTDDI_VERSION >= NTDDI_WIN8 +#define FILE_SESSION_AWARE 0x00040000 +#endif + +#define FILE_RESERVE_OPFILTER 0x00100000 +#define FILE_OPEN_REPARSE_POINT 0x00200000 +#define FILE_OPEN_NO_RECALL 0x00400000 +#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 + +#define FILE_VALID_OPTION_FLAGS 0x00ffffff +#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 +#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 +#define FILE_VALID_SET_FLAGS 0x00000036 + +// Named pipe type flags +#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 +#define FILE_PIPE_MESSAGE_TYPE 0x00000001 +#define FILE_PIPE_ACCEPT_REMOTE_CLIENTS 0x00000000 +#define FILE_PIPE_REJECT_REMOTE_CLIENTS 0x00000002 +#define FILE_PIPE_TYPE_VALID_MASK 0x00000003 + +// Named pipe completion mode flags +#define FILE_PIPE_QUEUE_OPERATION 0x00000000 +#define FILE_PIPE_COMPLETE_OPERATION 0x00000001 + +// Named pipe read mode flags +#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 +#define FILE_PIPE_MESSAGE_MODE 0x00000001 + +// NamedPipeConfiguration flags +#define FILE_PIPE_INBOUND 0x00000000 +#define FILE_PIPE_OUTBOUND 0x00000001 +#define FILE_PIPE_FULL_DUPLEX 0x00000002 + +// NamedPipeState flags +#define FILE_PIPE_DISCONNECTED_STATE 0x00000001 +#define FILE_PIPE_LISTENING_STATE 0x00000002 +#define FILE_PIPE_CONNECTED_STATE 0x00000003 +#define FILE_PIPE_CLOSING_STATE 0x00000004 + +// NamedPipeEnd flags +#define FILE_PIPE_CLIENT_END 0x00000000 +#define FILE_PIPE_SERVER_END 0x00000001 + +typedef struct _FILE_BASIC_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _FILE_STANDARD_INFORMATION +{ + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + BOOLEAN DeletePending; + BOOLEAN Directory; +} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; + +typedef struct _FILE_POSITION_INFORMATION +{ + LARGE_INTEGER CurrentByteOffset; +} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; + +typedef struct _THREAD_BASIC_INFORMATION +{ + NTSTATUS ExitStatus; + PVOID TebBaseAddress; + CLIENT_ID ClientId; + ULONG_PTR AffinityMask; + KPRIORITY Priority; + LONG BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef struct _MEMORY_REGION_INFORMATION +{ + PVOID AllocationBase; + ULONG AllocationProtect; + union + { + ULONG RegionType; + struct + { + ULONG Private : 1; + ULONG MappedDataFile : 1; + ULONG MappedImage : 1; + ULONG MappedPageFile : 1; + ULONG MappedPhysical : 1; + ULONG DirectMapped : 1; + ULONG Reserved : 26; + } s; + } u; + SIZE_T RegionSize; + SIZE_T CommitSize; +} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; + +typedef struct _SECTION_BASIC_INFORMATION +{ + PVOID BaseAddress; + ULONG AllocationAttributes; + LARGE_INTEGER MaximumSize; +} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; + +typedef struct _SECTION_IMAGE_INFORMATION +{ + PVOID TransferAddress; // Entry point + ULONG ZeroBits; + SIZE_T MaximumStackSize; + SIZE_T CommittedStackSize; + ULONG SubSystemType; + union + { + struct + { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + } s1; + ULONG SubSystemVersion; + } u1; + union + { + struct + { + USHORT MajorOperatingSystemVersion; + USHORT MinorOperatingSystemVersion; + } s2; + ULONG OperatingSystemVersion; + } u2; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + union + { + UCHAR ImageFlags; + struct + { + UCHAR ComPlusNativeReady : 1; + UCHAR ComPlusILOnly : 1; + UCHAR ImageDynamicallyRelocated : 1; + UCHAR ImageMappedFlat : 1; + UCHAR BaseBelow4gb : 1; + UCHAR ComPlusPrefer32bit : 1; + UCHAR Reserved : 2; + } s3; + } u3; + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG CheckSum; +} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; + +typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION +{ + SECTION_IMAGE_INFORMATION SectionInformation; + union + { + ULONG ExtendedFlags; + struct + { + ULONG ImageReturnFlowGuardEnabled : 1; + ULONG ImageReturnFlowGuardStrict : 1; + ULONG ImageExportSuppressionEnabled : 1; + ULONG Reserved : 29; + } s; + } u; +} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION; + +typedef struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +// https://stackoverflow.com/questions/36961152/detect-windows-kit-8-0-and-windows-kit-8-1-sdks +#if defined(WINAPI_PARTITION_APP) +#if defined(WINAPI_FAMILY_SYSTEM) +#define USING_WINDOWS_10_SDK +#elif (WINAPI_PARTITION_APP == 0x00000002) || (WINAPI_PARTITION_APP == 1) +#define USING_WINDOWS_8_x_SDK +#endif +#endif + +// This struct was included in winnt.h starting in the Windows 8.0 SDK +#if !(defined(USING_WINDOWS_8_x_SDK) || defined(USING_WINDOWS_10_SDK)) +typedef struct _EXCEPTION_REGISTRATION_RECORD +{ + _EXCEPTION_REGISTRATION_RECORD* Next; + _EXCEPTION_DISPOSITION Handler; +} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; +#endif + +#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 +#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 + +#define LDR_GET_PROCEDURE_ADDRESS_EX_DONT_RECORD_FORWARDER 0x00000001 + +#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 +#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 + +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0 +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1 +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2 + +#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 + +typedef struct _LDR_RESOURCE_INFO +{ + ULONG_PTR Type; + ULONG_PTR Name; + ULONG_PTR Language; +} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; + +typedef struct _LDR_ENUM_RESOURCE_INFO +{ + ULONG_PTR Type; + ULONG_PTR Name; + ULONG_PTR Language; + PVOID Data; + SIZE_T Size; + ULONG_PTR Reserved; +} LDR_ENUM_RESOURCE_INFO, *PLDR_ENUM_RESOURCE_INFO; + +#define LDR_FIND_RESOURCE_LANGUAGE_CAN_FALLBACK 0x00000000 +#define LDR_FIND_RESOURCE_LANGUAGE_EXACT 0x00000004 +#define LDR_FIND_RESOURCE_LANGUAGE_REDIRECT_VERSION 0x00000008 + +typedef struct _RTL_PROCESS_MODULE_INFORMATION +{ + HANDLE Section; + PVOID MappedBase; + PVOID ImageBase; + ULONG ImageSize; + ULONG Flags; + USHORT LoadOrderIndex; + USHORT InitOrderIndex; + USHORT LoadCount; + USHORT OffsetToFileName; + UCHAR FullPathName[256]; +} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; + +typedef struct _RTL_PROCESS_MODULES +{ + ULONG NumberOfModules; + RTL_PROCESS_MODULE_INFORMATION Modules[1]; +} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; + +typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX +{ + USHORT NextOffset; + RTL_PROCESS_MODULE_INFORMATION BaseInfo; + ULONG ImageChecksum; + ULONG TimeDateStamp; + PVOID DefaultBase; +} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX +{ + PVOID Object; + ULONG_PTR UniqueProcessId; + ULONG_PTR HandleValue; + ULONG GrantedAccess; + USHORT CreatorBackTraceIndex; + USHORT ObjectTypeIndex; + ULONG HandleAttributes; + ULONG Reserved; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; + +typedef struct _SYSTEM_HANDLE_INFORMATION_EX +{ + ULONG_PTR NumberOfHandles; + ULONG_PTR Reserved; + SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; +} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; + +typedef struct _OBJECT_BASIC_INFORMATION +{ + ULONG Attributes; + ACCESS_MASK GrantedAccess; + ULONG HandleCount; + ULONG PointerCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG Reserved[ 3 ]; + ULONG NameInfoSize; + ULONG TypeInfoSize; + ULONG SecurityDescriptorSize; + LARGE_INTEGER CreationTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; + +typedef struct _OBJECT_NAME_INFORMATION +{ + UNICODE_STRING Name; +} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; + +typedef struct _OBJECT_TYPE_INFORMATION +{ + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + UCHAR TypeIndex; // Since Windows 8.1 + CHAR ReservedByte; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_TYPES_INFORMATION +{ + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation[1]; +} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; + +typedef struct _OBJECT_HANDLE_FLAG_INFORMATION +{ + BOOLEAN Inherit; + BOOLEAN ProtectFromClose; +} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; + +typedef struct _DBGKM_EXCEPTION +{ + EXCEPTION_RECORD ExceptionRecord; + ULONG FirstChance; +} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; + +typedef struct _DBGKM_CREATE_THREAD +{ + ULONG SubSystemKey; + PVOID StartAddress; +} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; + +typedef struct _DBGKM_CREATE_PROCESS +{ + ULONG SubSystemKey; + HANDLE FileHandle; + PVOID BaseOfImage; + ULONG DebugInfoFileOffset; + ULONG DebugInfoSize; + DBGKM_CREATE_THREAD InitialThread; +} DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; + +typedef struct _DBGKM_EXIT_THREAD +{ + NTSTATUS ExitStatus; +} DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; + +typedef struct _DBGKM_EXIT_PROCESS +{ + NTSTATUS ExitStatus; +} DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; + +typedef struct _DBGKM_LOAD_DLL +{ + HANDLE FileHandle; + PVOID BaseOfDll; + ULONG DebugInfoFileOffset; + ULONG DebugInfoSize; + PVOID NamePointer; +} DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; + +typedef struct _DBGKM_UNLOAD_DLL +{ + PVOID BaseAddress; +} DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; + +typedef enum _DBG_STATE +{ + DbgIdle, + DbgReplyPending, + DbgCreateThreadStateChange, + DbgCreateProcessStateChange, + DbgExitThreadStateChange, + DbgExitProcessStateChange, + DbgExceptionStateChange, + DbgBreakpointStateChange, + DbgSingleStepStateChange, + DbgLoadDllStateChange, + DbgUnloadDllStateChange +} DBG_STATE, *PDBG_STATE; + +typedef struct _DBGUI_CREATE_THREAD +{ + HANDLE HandleToThread; + DBGKM_CREATE_THREAD NewThread; +} DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; + +typedef struct _DBGUI_CREATE_PROCESS +{ + HANDLE HandleToProcess; + HANDLE HandleToThread; + DBGKM_CREATE_PROCESS NewProcess; +} DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; + +typedef struct _DBGUI_WAIT_STATE_CHANGE +{ + DBG_STATE NewState; + CLIENT_ID AppClientId; + union + { + DBGKM_EXCEPTION Exception; + DBGUI_CREATE_THREAD CreateThread; + DBGUI_CREATE_PROCESS CreateProcessInfo; + DBGKM_EXIT_THREAD ExitThread; + DBGKM_EXIT_PROCESS ExitProcess; + DBGKM_LOAD_DLL LoadDll; + DBGKM_UNLOAD_DLL UnloadDll; + } StateInfo; +} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; + +typedef struct _DBGSS_THREAD_DATA +{ + struct _DBGSS_THREAD_DATA* Next; + HANDLE ThreadHandle; + HANDLE ProcessHandle; + ULONG ProcessId; + ULONG ThreadId; + BOOLEAN HandleMarked; +} DBGSS_THREAD_DATA, *PDBGSS_THREAD_DATA; + +#define DbgSsSetThreadData(d) \ + NtCurrentTeb()->DbgSsReserved[0] = d + +#define DbgSsGetThreadData() \ + ((PDBGSS_THREAD_DATA)NtCurrentTeb()->DbgSsReserved[0]) + +typedef USHORT RTL_ATOM, *PRTL_ATOM; +typedef long SECURITY_STATUS; + +typedef struct _RTL_SPLAY_LINKS +{ + struct _RTL_SPLAY_LINKS* Parent; + struct _RTL_SPLAY_LINKS* LeftChild; + struct _RTL_SPLAY_LINKS* RightChild; +} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; + +#define RtlInitializeSplayLinks(Links) \ +{ \ + PRTL_SPLAY_LINKS _SplayLinks; \ + _SplayLinks = (PRTL_SPLAY_LINKS)(Links); \ + _SplayLinks->Parent = _SplayLinks; \ + _SplayLinks->LeftChild = NULL; \ + _SplayLinks->RightChild = NULL; \ +} + +typedef struct _PREFIX_TABLE_ENTRY +{ + SHORT NodeTypeCode; + SHORT NameLength; + struct _PREFIX_TABLE_ENTRY* NextPrefixTree; + RTL_SPLAY_LINKS Links; + PANSI_STRING Prefix; +} PREFIX_TABLE_ENTRY, *PPREFIX_TABLE_ENTRY; + +typedef struct _PREFIX_TABLE +{ + SHORT NodeTypeCode; + SHORT NameLength; + PPREFIX_TABLE_ENTRY NextPrefixTree; +} PREFIX_TABLE, *PPREFIX_TABLE; + +typedef struct _RTL_BITMAP +{ + ULONG SizeOfBitMap; + PULONG Buffer; +} RTL_BITMAP, *PRTL_BITMAP; + +typedef struct _RTL_BITMAP_RUN +{ + ULONG StartingIndex; + ULONG NumberOfBits; +} RTL_BITMAP_RUN, *PRTL_BITMAP_RUN; + +typedef enum +{ + RtlBsdItemVersionNumber = 0x00, + RtlBsdItemProductType, + RtlBsdItemAabEnabled, + RtlBsdItemAabTimeout, + RtlBsdItemBootGood, + RtlBsdItemBootShutdown, + RtlBsdItemMax +} RTL_BSD_ITEM_TYPE, *PRTL_BSD_ITEM_TYPE; + +#define DUPLICATE_CLOSE_SOURCE 0x00000001 +#define DUPLICATE_SAME_ACCESS 0x00000002 +#define DUPLICATE_SAME_ATTRIBUTES 0x00000004 + +#define RTL_WALK_MAX_STACK_DEPTH 128 + +// These cannot be ORed together +#define RTL_WALK_KERNEL_MODE_STACK 0x00000000 // Kernel mode callers only +#define RTL_WALK_USER_MODE_STACK 0x00000001 +#define RTL_WALK_TRACE_HANDLES 0x00000300 + +typedef struct _RTL_PROCESS_VERIFIER_OPTIONS +{ + ULONG SizeStruct; + ULONG Option; + UCHAR OptionData[1]; +} RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS; + +typedef struct _RTL_DEBUG_INFORMATION +{ + HANDLE SectionHandleClient; + PVOID ViewBaseClient; + PVOID ViewBaseTarget; + ULONG_PTR ViewBaseDelta; + HANDLE EventPairClient; + HANDLE EventPairTarget; + HANDLE TargetProcessId; + HANDLE TargetThreadHandle; + ULONG Flags; + SIZE_T OffsetFree; + SIZE_T CommitSize; + SIZE_T ViewSize; + union + { + PRTL_PROCESS_MODULES Modules; + PRTL_PROCESS_MODULE_INFORMATION_EX ModulesEx; + }; + struct _RTL_PROCESS_BACKTRACES* BackTraces; + struct _RTL_PROCESS_HEAPS* Heaps; + struct _RTL_PROCESS_LOCKS* Locks; + PVOID SpecificHeap; + HANDLE TargetProcessHandle; + PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions; + PVOID ProcessHeap; + HANDLE CriticalSectionHandle; + HANDLE CriticalSectionOwnerThread; + PVOID Reserved[4]; +} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION; + +typedef +VOID +(*PPS_APC_ROUTINE)( + _In_opt_ PVOID ApcArgument1, + _In_opt_ PVOID ApcArgument2, + _In_opt_ PVOID ApcArgument3 +); + +typedef struct _RTLP_CURDIR_REF* PRTLP_CURDIR_REF; + +typedef struct _RTL_RELATIVE_NAME_U +{ + UNICODE_STRING RelativeName; + HANDLE ContainingDirectory; + PRTLP_CURDIR_REF CurDirRef; +} RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U; + +typedef enum _RTL_PATH_TYPE +{ + RtlPathTypeUnknown, + RtlPathTypeUncAbsolute, + RtlPathTypeDriveAbsolute, + RtlPathTypeDriveRelative, + RtlPathTypeRooted, + RtlPathTypeRelative, + RtlPathTypeLocalDevice, + RtlPathTypeRootLocalDevice, +} RTL_PATH_TYPE; + +#define DOS_MAX_COMPONENT_LENGTH 255 +#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) + +typedef struct _CURDIR +{ + UNICODE_STRING DosPath; + HANDLE Handle; +} CURDIR, *PCURDIR; + +#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 +#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 + +typedef struct _RTL_DRIVE_LETTER_CURDIR +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + UNICODE_STRING DosPath; +} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +typedef struct _LDR_SERVICE_TAG_RECORD +{ + struct _LDR_SERVICE_TAG_RECORD* Next; + ULONG ServiceTag; +} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD; + +typedef struct _LDRP_CSLIST +{ + PSINGLE_LIST_ENTRY Tail; +} LDRP_CSLIST, *PLDRP_CSLIST; + +typedef enum _LDR_DDAG_STATE +{ + LdrModulesMerged = -5, + LdrModulesInitError = -4, + LdrModulesSnapError = -3, + LdrModulesUnloaded = -2, + LdrModulesUnloading = -1, + LdrModulesPlaceHolder = 0, + LdrModulesMapping = 1, + LdrModulesMapped = 2, + LdrModulesWaitingForDependencies = 3, + LdrModulesSnapping = 4, + LdrModulesSnapped = 5, + LdrModulesCondensed = 6, + LdrModulesReadyToInit = 7, + LdrModulesInitializing = 8, + LdrModulesReadyToRun = 9 +} LDR_DDAG_STATE; + +typedef struct _LDR_DDAG_NODE +{ + LIST_ENTRY Modules; + PLDR_SERVICE_TAG_RECORD ServiceTagList; + ULONG LoadCount; + ULONG LoadWhileUnloadingCount; + ULONG LowestLink; + union + { + LDRP_CSLIST Dependencies; + SINGLE_LIST_ENTRY RemovalLink; + }; + LDRP_CSLIST IncomingDependencies; + LDR_DDAG_STATE State; + SINGLE_LIST_ENTRY CondenseLink; + ULONG PreorderNumber; +} LDR_DDAG_NODE, *PLDR_DDAG_NODE; + +typedef struct _LDR_DEPENDENCY_RECORD +{ + SINGLE_LIST_ENTRY DependencyLink; + PLDR_DDAG_NODE DependencyNode; + SINGLE_LIST_ENTRY IncomingDependencyLink; + PLDR_DDAG_NODE IncomingDependencyNode; +} LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD; + +typedef enum _LDR_DLL_LOAD_REASON +{ + LoadReasonStaticDependency, + LoadReasonStaticForwarderDependency, + LoadReasonDynamicForwarderDependency, + LoadReasonDelayloadDependency, + LoadReasonDynamicLoad, + LoadReasonAsImageLoad, + LoadReasonAsDataLoad, + LoadReasonUnknown = -1 +} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON; + +#define LDRP_PACKAGED_BINARY 0x00000001 +#define LDRP_IMAGE_DLL 0x00000004 +#define LDRP_LOAD_IN_PROGRESS 0x00001000 +#define LDRP_ENTRY_PROCESSED 0x00004000 +#define LDRP_DONT_CALL_FOR_THREADS 0x00040000 +#define LDRP_PROCESS_ATTACH_CALLED 0x00080000 +#define LDRP_PROCESS_ATTACH_FAILED 0x00100000 +#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 // Vista and below +#define LDRP_COR_IMAGE 0x00400000 +#define LDRP_DONT_RELOCATE 0x00800000 +#define LDRP_REDIRECTED 0x10000000 +#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 + +#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) +#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) +#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions) + +#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 + +typedef struct _RTL_BALANCED_NODE +{ + union + { + struct _RTL_BALANCED_NODE* Children[2]; + struct + { + struct _RTL_BALANCED_NODE* Left; + struct _RTL_BALANCED_NODE* Right; + } s; + }; + union + { + UCHAR Red : 1; + UCHAR Balance : 2; + ULONG_PTR ParentValue; + } u; +} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; + +typedef struct _LDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + union + { + LIST_ENTRY InInitializationOrderLinks; + LIST_ENTRY InProgressLinks; + }; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + union + { + UCHAR FlagGroup[4]; + ULONG Flags; + struct + { + ULONG PackagedBinary : 1; + ULONG MarkedForRemoval : 1; + ULONG ImageDll : 1; + ULONG LoadNotificationsSent : 1; + ULONG TelemetryEntryProcessed : 1; + ULONG ProcessStaticImport : 1; + ULONG InLegacyLists : 1; + ULONG InIndexes : 1; + ULONG ShimDll : 1; + ULONG InExceptionTable : 1; + ULONG ReservedFlags1 : 2; + ULONG LoadInProgress : 1; + ULONG LoadConfigProcessed : 1; + ULONG EntryProcessed : 1; + ULONG ProtectDelayLoad : 1; + ULONG ReservedFlags3 : 2; + ULONG DontCallForThreads : 1; + ULONG ProcessAttachCalled : 1; + ULONG ProcessAttachFailed : 1; + ULONG CorDeferredValidate : 1; + ULONG CorImage : 1; + ULONG DontRelocate : 1; + ULONG CorILOnly : 1; + ULONG ReservedFlags5 : 3; + ULONG Redirected : 1; + ULONG ReservedFlags6 : 2; + ULONG CompatDatabaseProcessed : 1; + } s; + } u; + USHORT ObsoleteLoadCount; + USHORT TlsIndex; + LIST_ENTRY HashLinks; + ULONG TimeDateStamp; + struct _ACTIVATION_CONTEXT* EntryPointActivationContext; + PVOID Lock; + PLDR_DDAG_NODE DdagNode; + LIST_ENTRY NodeModuleLink; + struct _LDRP_LOAD_CONTEXT* LoadContext; + PVOID ParentDllBase; + PVOID SwitchBackContext; + RTL_BALANCED_NODE BaseAddressIndexNode; + RTL_BALANCED_NODE MappingInfoIndexNode; + ULONG_PTR OriginalBase; + LARGE_INTEGER LoadTime; + ULONG BaseNameHashValue; + LDR_DLL_LOAD_REASON LoadReason; + ULONG ImplicitPathOptions; + ULONG ReferenceCount; + ULONG DependentLoadFlags; + UCHAR SigningLevel; // Since Windows 10 RS2 +} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; + +typedef struct _INITIAL_TEB +{ + struct + { + PVOID OldStackBase; + PVOID OldStackLimit; + } OldInitialTeb; + PVOID StackBase; + PVOID StackLimit; + PVOID StackAllocationBase; +} INITIAL_TEB, *PINITIAL_TEB; + +typedef struct _IO_STATUS_BLOCK +{ + union + { + NTSTATUS Status; + PVOID Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef +VOID +(NTAPI* + PIO_APC_ROUTINE)( + _In_ PVOID ApcContext, + _In_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG Reserved + ); + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ + PVOID KeyContext; + PVOID ApcContext; + IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef struct _FILE_COMPLETION_INFORMATION +{ + HANDLE Port; + PVOID Key; +} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; + +#ifdef __cplusplus +typedef enum _PRIORITY_CLASS : UCHAR +{ + Undefined, + Idle, + Normal, + High, + Realtime, + BelowNormal, + AboveNormal +} PRIORITY_CLASS; +#else +typedef UCHAR PRIORITY_CLASS; +#endif + +typedef struct _PROCESS_PRIORITY_CLASS +{ + BOOLEAN Foreground; + PRIORITY_CLASS PriorityClass; +} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS; + +typedef struct _PS_ATTRIBUTE +{ + ULONG_PTR Attribute; // PROC_THREAD_ATTRIBUTE_XXX | PROC_THREAD_ATTRIBUTE_XXX modifiers, see ProcThreadAttributeValue macro and Windows Internals 6 (372) + SIZE_T Size; // Size of Value or *ValuePtr + union + { + ULONG_PTR Value; // Reserve 8 bytes for data (such as a Handle or a data pointer) + PVOID ValuePtr; // data pointer + }; + PSIZE_T ReturnLength; // Either 0 or specifies size of data returned to caller via "ValuePtr" +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; // sizeof(PS_ATTRIBUTE_LIST) + PS_ATTRIBUTE Attributes[2]; // Depends on how many attribute entries should be supplied to NtCreateUserProcess +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef struct _PS_MEMORY_RESERVE +{ + PVOID ReserveAddress; + SIZE_T ReserveSize; +} PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE; + +#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff +#define PS_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation +#define PS_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only +#define PS_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated", e.g. bitmasks, counters, etc. + +typedef enum _PS_ATTRIBUTE_NUM +{ + PsAttributeParentProcess, // in HANDLE + PsAttributeDebugPort, // in HANDLE + PsAttributeToken, // in HANDLE + PsAttributeClientId, // out PCLIENT_ID + PsAttributeTebAddress, // out PTEB + PsAttributeImageName, // in PWSTR + PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION + PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE + PsAttributePriorityClass, // in UCHAR + PsAttributeErrorMode, // in ULONG + PsAttributeStdHandleInfo, // in PPS_STD_HANDLE_INFO + PsAttributeHandleList, // in PHANDLE + PsAttributeGroupAffinity, // in PGROUP_AFFINITY + PsAttributePreferredNode, // in PUSHORT + PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER + PsAttributeUmsThread, // see MSDN UpdateProceThreadAttributeList (CreateProcessW) - in PUMS_CREATE_THREAD_ATTRIBUTES + PsAttributeMitigationOptions, // in UCHAR + PsAttributeProtectionLevel, // in ULONG + PsAttributeSecureProcess, // since THRESHOLD (Virtual Secure Mode, Device Guard) + PsAttributeJobList, + PsAttributeChildProcessPolicy, // since THRESHOLD2 + PsAttributeAllApplicationPackagesPolicy, // since REDSTONE + PsAttributeWin32kFilter, + PsAttributeSafeOpenPromptOriginClaim, + PsAttributeBnoIsolation, + PsAttributeDesktopAppPolicy, + PsAttributeMax +} PS_ATTRIBUTE_NUM; + +#define PsAttributeValue(Number, Thread, Input, Additive) \ + (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ + ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ + ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ + ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0)) + +#define PS_ATTRIBUTE_PARENT_PROCESS \ + PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) // 0x60000 +#define PS_ATTRIBUTE_DEBUG_PORT \ + PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) // 0x60001 +#define PS_ATTRIBUTE_TOKEN \ + PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) // 0x60002 +#define PS_ATTRIBUTE_CLIENT_ID \ + PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) // 0x10003 +#define PS_ATTRIBUTE_TEB_ADDRESS \ + PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) // 0x10004 +#define PS_ATTRIBUTE_IMAGE_NAME \ + PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) // 0x20005 +#define PS_ATTRIBUTE_IMAGE_INFO \ + PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) // 0x6 +#define PS_ATTRIBUTE_MEMORY_RESERVE \ + PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) // 0x20007 +#define PS_ATTRIBUTE_PRIORITY_CLASS \ + PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) // 0x20008 +#define PS_ATTRIBUTE_ERROR_MODE \ + PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) // 0x20009 +#define PS_ATTRIBUTE_STD_HANDLE_INFO \ + PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) // 0x2000A +#define PS_ATTRIBUTE_HANDLE_LIST \ + PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) // 0x2000B +#define PS_ATTRIBUTE_GROUP_AFFINITY \ + PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) // 0x2000C +#define PS_ATTRIBUTE_PREFERRED_NODE \ + PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) // 0x2000D +#define PS_ATTRIBUTE_IDEAL_PROCESSOR \ + PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) // 0x2000E +#define PS_ATTRIBUTE_MITIGATION_OPTIONS \ + PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE) // 0x60010 +#define PS_ATTRIBUTE_PROTECTION_LEVEL \ + PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, FALSE) // 0x20011 + +typedef enum _PS_STD_HANDLE_STATE +{ + PsNeverDuplicate, + PsRequestDuplicate, // Duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem + PsAlwaysDuplicate, // Always duplicate standard handles + PsMaxStdHandleStates +} PS_STD_HANDLE_STATE; + +#define HANDLE_DETACHED_PROCESS ((HANDLE)-1) +#define HANDLE_CREATE_NEW_CONSOLE ((HANDLE)-2) +#define HANDLE_CREATE_NO_WINDOW ((HANDLE)-3) + +#define PS_STD_INPUT_HANDLE 0x1 +#define PS_STD_OUTPUT_HANDLE 0x2 +#define PS_STD_ERROR_HANDLE 0x4 + +typedef struct _PS_STD_HANDLE_INFO +{ + union + { + ULONG Flags; + struct + { + ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE + ULONG PseudoHandleMask : 3; // PS_STD_* + } s; + }; + ULONG StdHandleSubsystemType; +} PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO; + +typedef struct _PS_BNO_ISOLATION_PARAMETERS +{ + UNICODE_STRING IsolationPrefix; + ULONG HandleCount; + PVOID* Handles; + BOOLEAN IsolationEnabled; +} PS_BNO_ISOLATION_PARAMETERS, *PPS_BNO_ISOLATION_PARAMETERS; + +typedef enum _PS_MITIGATION_OPTION +{ + PS_MITIGATION_OPTION_NX, + PS_MITIGATION_OPTION_SEHOP, + PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES, + PS_MITIGATION_OPTION_HEAP_TERMINATE, + PS_MITIGATION_OPTION_BOTTOM_UP_ASLR, + PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR, + PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS, + PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE, + PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE, + PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE, + PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD, + PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES, + PS_MITIGATION_OPTION_FONT_DISABLE, + PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE, + PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL, + PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32, + PS_MITIGATION_OPTION_RETURN_FLOW_GUARD, + PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY, + PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD, + PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT +} PS_MITIGATION_OPTION; + +typedef enum _PS_CREATE_STATE +{ + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, // Debugger specified + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE; + +typedef struct _PS_CREATE_INFO +{ + SIZE_T Size; + PS_CREATE_STATE State; + union + { + // PsCreateInitialState + struct + { + union + { + ULONG InitFlags; + struct + { + UCHAR WriteOutputOnExit : 1; + UCHAR DetectManifest : 1; + UCHAR IFEOSkipDebugger : 1; + UCHAR IFEODoNotPropagateKeyState : 1; + UCHAR SpareBits1 : 4; + UCHAR SpareBits2 : 8; + USHORT ProhibitedImageCharacteristics : 16; + } s1; + } u1; + ACCESS_MASK AdditionalFileAccess; + } InitState; + + // PsCreateFailOnSectionCreate + struct + { + HANDLE FileHandle; + } FailSection; + + // PsCreateFailExeFormat + struct + { + USHORT DllCharacteristics; + } ExeFormat; + + // PsCreateFailExeName + struct + { + HANDLE IFEOKey; + } ExeName; + + // PsCreateSuccess + struct + { + union + { + ULONG OutputFlags; + struct + { + UCHAR ProtectedProcess : 1; + UCHAR AddressSpaceOverride : 1; + UCHAR DevOverrideEnabled : 1; // From Image File Execution Options + UCHAR ManifestDetected : 1; + UCHAR ProtectedProcessLight : 1; + UCHAR SpareBits1 : 3; + UCHAR SpareBits2 : 8; + USHORT SpareBits3 : 16; + } s2; + } u2; + HANDLE FileHandle; + HANDLE SectionHandle; + ULONGLONG UserProcessParametersNative; + ULONG UserProcessParametersWow64; + ULONG CurrentParameterFlags; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + ULONGLONG ManifestAddress; + ULONG ManifestSize; + } SuccessState; + }; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001 +#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002 +#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004 +#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008 +#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010 + +// Only usable with NtCreateUserProcess (Vista+): +#define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020 +#define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040 // Only allowed if the calling process is itself protected +#define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 +#define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100 + +typedef enum _MEMORY_RESERVE_TYPE +{ + MemoryReserveUserApc, + MemoryReserveIoCompletion, + MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE; + +typedef struct _PROCESS_HANDLE_TRACING_ENABLE +{ + ULONG Flags; +} PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE; + +#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000 + +typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX +{ + ULONG Flags; + ULONG TotalSlots; +} PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX; + +// Source: http://processhacker.sourceforge.net +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION + ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX + ProcessIoCounters, // q: IO_COUNTERS + ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 + ProcessTimes, // q: KERNEL_USER_TIMES + ProcessBasePriority, // s: KPRIORITY + ProcessRaisePriority, // s: ULONG + ProcessDebugPort, // q: HANDLE + ProcessExceptionPort, // s: HANDLE + ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN + ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 + ProcessLdtSize, // s: PROCESS_LDT_SIZE + ProcessDefaultHardErrorMode, // qs: ULONG + ProcessIoPortHandlers, // (kernel-mode only) + ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS + ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void + ProcessUserModeIOPL, + ProcessEnableAlignmentFaultFixup, // s: BOOLEAN + ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS + ProcessWx86Information, + ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 + ProcessAffinityMask, // s: KAFFINITY + ProcessPriorityBoost, // qs: ULONG + ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX + ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION + ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND + ProcessWow64Information, // q: ULONG_PTR + ProcessImageFileName, // q: UNICODE_STRING + ProcessLUIDDeviceMapsEnabled, // q: ULONG + ProcessBreakOnTermination, // qs: ULONG + ProcessDebugObjectHandle, // q: HANDLE // 30 + ProcessDebugFlags, // qs: ULONG + ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables + ProcessIoPriority, // qs: IO_PRIORITY_HINT + ProcessExecuteFlags, // qs: ULONG + ProcessResourceManagement, + ProcessCookie, // q: ULONG + ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION + ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA + ProcessPagePriority, // q: ULONG + ProcessInstrumentationCallback, // 40 + ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX + ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] + ProcessImageFileNameWin32, // q: UNICODE_STRING + ProcessImageFileMapping, // q: HANDLE (input) + ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE + ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE + ProcessGroupInformation, // q: USHORT[] + ProcessTokenVirtualizationEnabled, // s: ULONG + ProcessConsoleHostProcess, // q: ULONG_PTR + ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 + ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 + ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION + ProcessDynamicFunctionTableInformation, + ProcessHandleCheckingMode, + ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION + ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION + ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL + ProcessHandleTable, // since WINBLUE + ProcessCheckStackExtentsMode, + ProcessCommandLineInformation, // q: UNICODE_STRING // 60 + ProcessProtectionInformation, // q: PS_PROTECTION + ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD + ProcessFaultInformation, // PROCESS_FAULT_INFORMATION + ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION + ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION + ProcessDefaultCpuSetsInformation, + ProcessAllowedCpuSetsInformation, + ProcessSubsystemProcess, + ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO + ProcessInPrivate, // since THRESHOLD2 // 70 + ProcessRaiseUMExceptionOnInvalidHandleClose, + ProcessIumChallengeResponse, + ProcessChildProcessInformation, // PROCESS_CHILD_PROCESS_INFORMATION + ProcessHighGraphicsPriorityInformation, + ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 + ProcessEnergyValues, // PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES + ProcessActivityThrottleState, // PROCESS_ACTIVITY_THROTTLE_STATE + ProcessActivityThrottlePolicy, // PROCESS_ACTIVITY_THROTTLE_POLICY + ProcessWin32kSyscallFilterInformation, + ProcessDisableSystemAllowedCpuSets, + ProcessWakeInformation, // PROCESS_WAKE_INFORMATION + ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE + MaxProcessInfoClass +} PROCESSINFOCLASS; + +// Source: http://processhacker.sourceforge.net +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION + SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION + SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION + SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION + SystemPathInformation, // not implemented + SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION + SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION + SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION + SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION + SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION + SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 + SystemModuleInformation, // q: RTL_PROCESS_MODULES + SystemLocksInformation, // q: RTL_PROCESS_LOCKS + SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES + SystemPagedPoolInformation, // not implemented + SystemNonPagedPoolInformation, // not implemented + SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION + SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION + SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION + SystemVdmInstemulInformation, // q + SystemVdmBopInformation, // not implemented // 20 + SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) + SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION + SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION + SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) + SystemFullMemoryInformation, // not implemented + SystemLoadGdiDriverInformation, // s (kernel-mode only) + SystemUnloadGdiDriverInformation, // s (kernel-mode only) + SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) + SystemSummaryMemoryInformation, // not implemented + SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 + SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) + SystemObsolete0, // not implemented + SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION + SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege) + SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION + SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION + SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) + SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only + SystemPrioritySeperation, // s (requires SeTcbPrivilege) + SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40 + SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege) + SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION + SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION + SystemCurrentTimeZoneInformation, // q + SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION + SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege) + SystemSessionCreate, // not implemented + SystemSessionDetach, // not implemented + SystemSessionInformation, // not implemented + SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 + SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) + SystemVerifierThunkExtend, // s (kernel-mode only) + SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION + SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation) + SystemNumaProcessorMap, // q + SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation + SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION + SystemRecommendedSharedDataAlignment, // q + SystemComPlusPackage, // q; s + SystemNumaAvailableMemory, // 60 + SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION + SystemEmulationBasicInformation, // q + SystemEmulationProcessorInformation, + SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX + SystemLostDelayedWriteInformation, // q: ULONG + SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION + SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION + SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION + SystemHotpatchInformation, // q; s + SystemObjectSecurityMode, // q // 70 + SystemWatchdogTimerHandler, // s (kernel-mode only) + SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only) + SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION + SystemWow64SharedInformationObsolete, // not implemented + SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only) + SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION + SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX + SystemVerifierTriageInformation, // not implemented + SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation + SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 + SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) + SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) + SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] + SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation + SystemProcessorPowerInformationEx, // not implemented + SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation + SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 + SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION + SystemErrorPortInformation, // s (requires SeTcbPrivilege) + SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 + SystemHypervisorInformation, // q; s (kernel-mode only) + SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX + SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege) + SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) + SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation + SystemPrefetchPatchInformation, // not implemented + SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege) + SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION + SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION + SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100 + SystemNumaProximityNodeInformation, // q + SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege) + SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation + SystemProcessorMicrocodeUpdateInformation, // s + SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 + SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation + SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship + SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] + SystemStoreInformation, // q; s // SmQueryStoreInformation + SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 + SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) + SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION + SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation + SystemNativeBasicInformation, // not implemented + SystemSpare1, // not implemented + SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION + SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation + SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION + SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) + SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 + SystemNodeDistanceInformation, // q + SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 + SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation + SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 + SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 + SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) + SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION + SystemBadPageInformation, + SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA + SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 + SystemEntropyInterruptTimingCallback, + SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION + SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION + SystemThrottleNotificationInformation, + SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION + SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION + SystemDeviceDataEnumerationInformation, + SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION + SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION + SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 + SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE + SystemSpare0, + SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION + SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX + SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION + SystemEntropyInterruptTimingRawInformation, + SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION + SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) + SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX + SystemBootMetadataInformation, // 150 + SystemSoftRebootInformation, + SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION + SystemOfflineDumpConfigInformation, + SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION + SystemRegistryReconciliationInformation, + SystemEdidInformation, + SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD + SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION + SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION + SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160 + SystemVmGenerationCountInformation, + SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION + SystemKernelDebuggerFlags, + SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION + SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION + SystemHardwareSecurityTestInterfaceResultsInformation, + SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION + SystemAllowedCpuSetsInformation, + SystemDmaProtectionInformation, // q: SYSTEM_DMA_PROTECTION_INFORMATION + SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 + SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION + SystemCodeIntegrityPolicyFullInformation, + SystemAffinitizedInterruptProcessorInformation, + SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION + SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 + SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION + SystemWin32WerStartCallout, + SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION + SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE + SystemInterruptSteeringInformation, // 180 + SystemSupportedProcessorArchitectures, + SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION + SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION + SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 + SystemControlFlowTransition, + SystemKernelDebuggingAllowed, + SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE + SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS + SystemCodeIntegrityPoliciesFullInformation, + SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 + SystemIntegrityQuotaInformation, + SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION + MaxSystemInfoClass +} SYSTEM_INFORMATION_CLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, // OBJECT_BASIC_INFORMATION + ObjectNameInformation, // OBJECT_NAME_INFORMATION + ObjectTypeInformation, // OBJECT_TYPE_INFORMATION + ObjectTypesInformation, // OBJECT_TYPES_INFORMATION + ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION + ObjectSessionInformation, + ObjectSessionObjectInformation, + MaxObjectInfoClass +} OBJECT_INFORMATION_CLASS; + +//Source: http://processhacker.sourceforge.net +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION + ThreadTimes, // q: KERNEL_USER_TIMES + ThreadPriority, // s: KPRIORITY + ThreadBasePriority, // s: LONG + ThreadAffinityMask, // s: KAFFINITY + ThreadImpersonationToken, // s: HANDLE + ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY) + ThreadEnableAlignmentFaultFixup, // s: BOOLEAN + ThreadEventPair, + ThreadQuerySetWin32StartAddress, // q: PVOID + ThreadZeroTlsCell, // 10 + ThreadPerformanceCount, // q: LARGE_INTEGER + ThreadAmILastThread, // q: ULONG + ThreadIdealProcessor, // s: ULONG + ThreadPriorityBoost, // qs: ULONG + ThreadSetTlsArrayAddress, + ThreadIsIoPending, // q: ULONG + ThreadHideFromDebugger, // s: void + ThreadBreakOnTermination, // qs: ULONG + ThreadSwitchLegacyState, + ThreadIsTerminated, // q: ULONG // 20 + ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION + ThreadIoPriority, // qs: IO_PRIORITY_HINT + ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION + ThreadPagePriority, // q: ULONG + ThreadActualBasePriority, + ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT) + ThreadCSwitchMon, + ThreadCSwitchPmu, + ThreadWow64Context, // q: WOW64_CONTEXT + ThreadGroupInformation, // q: GROUP_AFFINITY // 30 + ThreadUmsInformation, // q: THREAD_UMS_INFORMATION + ThreadCounterProfiling, + ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER + ThreadCpuAccountingInformation, // since WIN8 + ThreadSuspendCount, // since WINBLUE + ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD + ThreadContainerId, // q: GUID + ThreadNameInformation, // qs: THREAD_NAME_INFORMATION + ThreadSelectedCpuSets, + ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40 + ThreadActualGroupAffinity, // since THRESHOLD2 + ThreadDynamicCodePolicyInfo, + ThreadExplicitCaseSensitivity, + ThreadWorkOnBehalfTicket, + ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 + ThreadDbgkWerReportActive, + ThreadAttachContainer, + MaxThreadInfoClass +} THREADINFOCLASS; + +typedef enum _FSINFOCLASS +{ + FileFsVolumeInformation = 1, // FILE_FS_VOLUME_INFORMATION + FileFsLabelInformation = 2, // FILE_FS_LABEL_INFORMATION + FileFsSizeInformation = 3, // FILE_FS_SIZE_INFORMATION + FileFsDeviceInformation = 4, // FILE_FS_DEVICE_INFORMATION + FileFsAttributeInformation = 5, // FILE_FS_ATTRIBUTE_INFORMATION + FileFsControlInformation = 6, // FILE_FS_CONTROL_INFORMATION + FileFsFullSizeInformation = 7, // FILE_FS_FULL_SIZE_INFORMATION + FileFsObjectIdInformation = 8, // FILE_FS_OBJECTID_INFORMATION + FileFsDriverPathInformation = 9, // FILE_FS_DRIVER_PATH_INFORMATION + FileFsVolumeFlagsInformation = 10, // FILE_FS_VOLUME_FLAGS_INFORMATION + FileFsSectorSizeInformation = 11, // FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 + FileFsDataCopyInformation = 12, // FILE_FS_DATA_COPY_INFORMATION + FileFsMetadataSizeInformation = 13, // FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD + FileFsMaximumInformation +} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, // MEMORY_BASIC_INFORMATION + MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION + MemoryMappedFilenameInformation, // UNICODE_STRING + MemoryRegionInformation, // MEMORY_REGION_INFORMATION + MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION + MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION + MemoryImageInformation, // MEMORY_IMAGE_INFORMATION + MemoryRegionInformationEx, + MemoryPrivilegedBasicInformation +} MEMORY_INFORMATION_CLASS; + +typedef enum _SECTION_INFORMATION_CLASS +{ + SectionBasicInformation, + SectionImageInformation, + SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation + SectionOriginalBaseInformation, // PVOID BaseAddress + SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2 + MaxSectionInfoClass +} SECTION_INFORMATION_CLASS; + +// Boot condition flags (NtInitializeRegistry) +#define REG_INIT_BOOT_SM 0x0000 +#define REG_INIT_BOOT_SETUP 0x0001 +#define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 +#define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 + +#define REG_MAX_KEY_VALUE_NAME_LENGTH 32767 +#define REG_MAX_KEY_NAME_LENGTH 512 + +typedef enum _KEY_INFORMATION_CLASS +{ + KeyBasicInformation, // KEY_BASIC_INFORMATION + KeyNodeInformation, // KEY_NODE_INFORMATION + KeyFullInformation, // KEY_FULL_INFORMATION + KeyNameInformation, // KEY_NAME_INFORMATION + KeyCachedInformation, // KEY_CACHED_INFORMATION + KeyFlagsInformation, // KEY_FLAGS_INFORMATION + KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION + KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION + KeyTrustInformation, // KEY_TRUST_INFORMATION + KeyLayerInformation, // KEY_LAYER_INFORMATION + MaxKeyInfoClass +} KEY_INFORMATION_CLASS; + +typedef struct _KEY_BASIC_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG NameLength; + WCHAR Name[1]; +} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; + +typedef struct _KEY_NODE_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG ClassOffset; + ULONG ClassLength; + ULONG NameLength; + WCHAR Name[1]; + // ... + // WCHAR Class[1]; +} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; + +typedef struct _KEY_FULL_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG ClassOffset; + ULONG ClassLength; + ULONG SubKeys; + ULONG MaxNameLen; + ULONG MaxClassLen; + ULONG Values; + ULONG MaxValueNameLen; + ULONG MaxValueDataLen; + WCHAR Class[1]; +} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; + +typedef struct _KEY_NAME_INFORMATION +{ + ULONG NameLength; + WCHAR Name[1]; +} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; + +typedef struct _KEY_CACHED_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG SubKeys; + ULONG MaxNameLen; + ULONG Values; + ULONG MaxValueNameLen; + ULONG MaxValueDataLen; + ULONG NameLength; + WCHAR Name[1]; +} KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; + +typedef struct _KEY_FLAGS_INFORMATION +{ + ULONG UserFlags; +} KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; + +typedef struct _KEY_VIRTUALIZATION_INFORMATION +{ + ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). + ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1. + ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. + ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles. + ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. + ULONG Reserved : 27; +} KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; + +// private +typedef struct _KEY_TRUST_INFORMATION +{ + ULONG TrustedKey : 1; + ULONG Reserved : 31; +} KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; + +// private +typedef struct _KEY_LAYER_INFORMATION +{ + ULONG IsTombstone; + ULONG IsSupersedeLocal; + ULONG IsSupersedeTree; + ULONG ClassIsInherited; + ULONG Reserved; +} KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ + KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION + KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION + KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION + KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION + KeySetDebugInformation, + KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION + MaxKeySetInfoClass +} KEY_SET_INFORMATION_CLASS; + +typedef struct _KEY_WRITE_TIME_INFORMATION +{ + LARGE_INTEGER LastWriteTime; +} KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; + +typedef struct _KEY_WOW64_FLAGS_INFORMATION +{ + ULONG UserFlags; +} KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; + +typedef struct _KEY_HANDLE_TAGS_INFORMATION +{ + ULONG HandleTags; +} KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION; + +typedef struct _KEY_CONTROL_FLAGS_INFORMATION +{ + ULONG ControlFlags; +} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION; + +typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION +{ + ULONG VirtualTarget : 1; + ULONG VirtualStore : 1; + ULONG VirtualSource : 1; // true if key has been virtualized at least once + ULONG Reserved : 29; +} KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION; + +typedef enum _KEY_VALUE_INFORMATION_CLASS +{ + KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION + KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION + KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 + KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef struct _KEY_VALUE_BASIC_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG NameLength; + WCHAR Name[1]; +} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; + +typedef struct _KEY_VALUE_FULL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataOffset; + ULONG DataLength; + ULONG NameLength; + WCHAR Name[1]; + // ... + // UCHAR Data[1]; +} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; + +typedef struct _KEY_VALUE_PARTIAL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; +} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; + +typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 +{ + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; +} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; + +// private +typedef struct _KEY_VALUE_LAYER_INFORMATION +{ + ULONG IsTombstone; + ULONG Reserved; +} KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; + +typedef struct _KEY_VALUE_ENTRY +{ + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef enum _REG_ACTION +{ + KeyAdded, + KeyRemoved, + KeyModified +} REG_ACTION; + +typedef struct _REG_NOTIFY_INFORMATION +{ + ULONG NextEntryOffset; + REG_ACTION Action; + ULONG KeyLength; + WCHAR Key[1]; +} REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION; + +typedef struct _KEY_PID_ARRAY +{ + HANDLE PID; + UNICODE_STRING KeyName; +} KEY_PID_ARRAY, *PKEY_PID_ARRAY; + +typedef struct _KEY_OPEN_SUBKEYS_INFORMATION +{ + ULONG Count; + KEY_PID_ARRAY KeyArray[1]; +} KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; + +typedef enum _SYSDBG_COMMAND +{ + SysDbgQueryModuleInformation, + SysDbgQueryTraceInformation, + SysDbgSetTracepoint, + SysDbgSetSpecialCall, + SysDbgClearSpecialCalls, + SysDbgQuerySpecialCalls, + SysDbgBreakPoint, + SysDbgQueryVersion, + SysDbgReadVirtual, + SysDbgWriteVirtual, + SysDbgReadPhysical, + SysDbgWritePhysical, + SysDbgReadControlSpace, + SysDbgWriteControlSpace, + SysDbgReadIoSpace, + SysDbgWriteIoSpace, + SysDbgReadMsr, + SysDbgWriteMsr, + SysDbgReadBusData, + SysDbgWriteBusData, + SysDbgCheckLowMemory, + SysDbgEnableKernelDebugger, + SysDbgDisableKernelDebugger, + SysDbgGetAutoKdEnable, + SysDbgSetAutoKdEnable, + SysDbgGetPrintBufferSize, + SysDbgSetPrintBufferSize, + SysDbgGetKdUmExceptionEnable, + SysDbgSetKdUmExceptionEnable, + SysDbgGetTriageDump, + SysDbgGetKdBlockEnable, + SysDbgSetKdBlockEnable, + SysDbgRegisterForUmBreakInfo, + SysDbgGetUmBreakPid, + SysDbgClearUmBreakPid, + SysDbgGetUmAttachPid, + SysDbgClearUmAttachPid, + SysDbgGetLiveKernelDump +} SYSDBG_COMMAND, *PSYSDBG_COMMAND; + +typedef enum _DEBUGOBJECTINFOCLASS +{ + DebugObjectFlags = 1, + MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +//Source: http://processhacker.sourceforge.net +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, // FILE_DIRECTORY_INFORMATION + FileFullDirectoryInformation, // FILE_FULL_DIR_INFORMATION + FileBothDirectoryInformation, // FILE_BOTH_DIR_INFORMATION + FileBasicInformation, // FILE_BASIC_INFORMATION + FileStandardInformation, // FILE_STANDARD_INFORMATION + FileInternalInformation, // FILE_INTERNAL_INFORMATION + FileEaInformation, // FILE_EA_INFORMATION + FileAccessInformation, // FILE_ACCESS_INFORMATION + FileNameInformation, // FILE_NAME_INFORMATION + FileRenameInformation, // FILE_RENAME_INFORMATION // 10 + FileLinkInformation, // FILE_LINK_INFORMATION + FileNamesInformation, // FILE_NAMES_INFORMATION + FileDispositionInformation, // FILE_DISPOSITION_INFORMATION + FilePositionInformation, // FILE_POSITION_INFORMATION + FileFullEaInformation, // FILE_FULL_EA_INFORMATION + FileModeInformation, // FILE_MODE_INFORMATION + FileAlignmentInformation, // FILE_ALIGNMENT_INFORMATION + FileAllInformation, // FILE_ALL_INFORMATION + FileAllocationInformation, // FILE_ALLOCATION_INFORMATION + FileEndOfFileInformation, // FILE_END_OF_FILE_INFORMATION // 20 + FileAlternateNameInformation, // FILE_NAME_INFORMATION + FileStreamInformation, // FILE_STREAM_INFORMATION + FilePipeInformation, // FILE_PIPE_INFORMATION + FilePipeLocalInformation, // FILE_PIPE_LOCAL_INFORMATION + FilePipeRemoteInformation, // FILE_PIPE_REMOTE_INFORMATION + FileMailslotQueryInformation, // FILE_MAILSLOT_QUERY_INFORMATION + FileMailslotSetInformation, // FILE_MAILSLOT_SET_INFORMATION + FileCompressionInformation, // FILE_COMPRESSION_INFORMATION + FileObjectIdInformation, // FILE_OBJECTID_INFORMATION + FileCompletionInformation, // FILE_COMPLETION_INFORMATION // 30 + FileMoveClusterInformation, // FILE_MOVE_CLUSTER_INFORMATION + FileQuotaInformation, // FILE_QUOTA_INFORMATION + FileReparsePointInformation, // FILE_REPARSE_POINT_INFORMATION + FileNetworkOpenInformation, // FILE_NETWORK_OPEN_INFORMATION + FileAttributeTagInformation, // FILE_ATTRIBUTE_TAG_INFORMATION + FileTrackingInformation, // FILE_TRACKING_INFORMATION + FileIdBothDirectoryInformation, // FILE_ID_BOTH_DIR_INFORMATION + FileIdFullDirectoryInformation, // FILE_ID_FULL_DIR_INFORMATION + FileValidDataLengthInformation, // FILE_VALID_DATA_LENGTH_INFORMATION + FileShortNameInformation, // FILE_NAME_INFORMATION // 40 + FileIoCompletionNotificationInformation, // FILE_IO_COMPLETION_NOTIFICATION_INFORMATION // since VISTA + FileIoStatusBlockRangeInformation, // FILE_IOSTATUSBLOCK_RANGE_INFORMATION + FileIoPriorityHintInformation, // FILE_IO_PRIORITY_HINT_INFORMATION + FileSfioReserveInformation, // FILE_SFIO_RESERVE_INFORMATION + FileSfioVolumeInformation, // FILE_SFIO_VOLUME_INFORMATION + FileHardLinkInformation, // FILE_LINKS_INFORMATION + FileProcessIdsUsingFileInformation, // FILE_PROCESS_IDS_USING_FILE_INFORMATION + FileNormalizedNameInformation, // FILE_NAME_INFORMATION + FileNetworkPhysicalNameInformation, // FILE_NETWORK_PHYSICAL_NAME_INFORMATION + FileIdGlobalTxDirectoryInformation, // FILE_ID_GLOBAL_TX_DIR_INFORMATION // since WIN7 // 50 + FileIsRemoteDeviceInformation, // FILE_IS_REMOTE_DEVICE_INFORMATION + FileUnusedInformation, + FileNumaNodeInformation, // FILE_NUMA_NODE_INFORMATION + FileStandardLinkInformation, // FILE_STANDARD_LINK_INFORMATION + FileRemoteProtocolInformation, // FILE_REMOTE_PROTOCOL_INFORMATION + FileRenameInformationBypassAccessCheck, // (kernel-mode only); FILE_RENAME_INFORMATION // since WIN8 + FileLinkInformationBypassAccessCheck, // (kernel-mode only); FILE_LINK_INFORMATION + FileVolumeNameInformation, // FILE_VOLUME_NAME_INFORMATION + FileIdInformation, // FILE_ID_INFORMATION + FileIdExtdDirectoryInformation, // FILE_ID_EXTD_DIR_INFORMATION + FileReplaceCompletionInformation, // FILE_COMPLETION_INFORMATION // since WINBLUE + FileHardLinkFullIdInformation, // FILE_LINK_ENTRY_FULL_ID_INFORMATION + FileIdExtdBothDirectoryInformation, // FILE_ID_EXTD_BOTH_DIR_INFORMATION // since THRESHOLD + FileDispositionInformationEx, // FILE_DISPOSITION_INFO_EX // since REDSTONE + FileRenameInformationEx, + FileRenameInformationExBypassAccessCheck, + FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2 + FileStatInformation, // FILE_STAT_INFORMATION + FileMaximumInformation +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef struct _SYSTEM_BASIC_INFORMATION +{ + ULONG Reserved; + ULONG TimerResolution; + ULONG PageSize; + ULONG NumberOfPhysicalPages; + ULONG LowestPhysicalPageNumber; + ULONG HighestPhysicalPageNumber; + ULONG AllocationGranularity; + ULONG_PTR MinimumUserModeAddress; + ULONG_PTR MaximumUserModeAddress; + ULONG_PTR ActiveProcessorsAffinityMask; + CCHAR NumberOfProcessors; +} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; + +typedef struct _FILE_PIPE_PEEK_BUFFER +{ + ULONG NamedPipeState; + ULONG ReadDataAvailable; + ULONG NumberOfMessages; + ULONG MessageLength; + CHAR Data[1]; +} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER; + +typedef struct _NAMED_PIPE_CREATE_PARAMETERS +{ + ULONG NamedPipeType; + ULONG ReadMode; + ULONG CompletionMode; + ULONG MaximumInstances; + ULONG InboundQuota; + ULONG OutboundQuota; + LARGE_INTEGER DefaultTimeout; + BOOLEAN TimeoutSpecified; +} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef struct _SYSTEM_TIMEOFDAY_INFORMATION +{ + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG TimeZoneId; + ULONG Reserved; + ULONGLONG BootTimeBias; + ULONGLONG SleepTimeBias; +} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; + +typedef struct _SYSTEM_CONSOLE_INFORMATION +{ + ULONG DriverLoaded : 1; + ULONG Spare : 31; +} SYSTEM_CONSOLE_INFORMATION, *PSYSTEM_CONSOLE_INFORMATION; + +typedef struct _KSYSTEM_TIME +{ + ULONG LowPart; + LONG High1Time; + LONG High2Time; +} KSYSTEM_TIME, *PKSYSTEM_TIME; + +typedef struct _PROCESS_ACCESS_TOKEN +{ + HANDLE Token; // Needs TOKEN_ASSIGN_PRIMARY access + HANDLE Thread; // Handle to initial/only thread; needs THREAD_QUERY_INFORMATION access +} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; + +#ifdef __cplusplus +typedef enum _PS_PROTECTED_TYPE : UCHAR +{ + PsProtectedTypeNone, + PsProtectedTypeProtectedLight, + PsProtectedTypeProtected, + PsProtectedTypeMax +} PS_PROTECTED_TYPE; +#else +typedef UCHAR PS_PROTECTED_TYPE; +#endif + +#ifdef __cplusplus +typedef enum _PS_PROTECTED_SIGNER : UCHAR +{ + PsProtectedSignerNone, + PsProtectedSignerAuthenticode, + PsProtectedSignerCodeGen, + PsProtectedSignerAntimalware, + PsProtectedSignerLsa, + PsProtectedSignerWindows, + PsProtectedSignerWinTcb, + PsProtectedSignerWinSystem, + PsProtectedSignerApp, + PsProtectedSignerMax +} PS_PROTECTED_SIGNER; +#else +typedef UCHAR PS_PROTECTED_SIGNER; +#endif + +typedef struct _PS_PROTECTION +{ + union + { + struct + { + PS_PROTECTED_TYPE Type : 3; + BOOLEAN Audit : 1; + PS_PROTECTED_SIGNER Signer : 4; + } s; + UCHAR Level; + }; +} PS_PROTECTION, *PPS_PROTECTION; + +#define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // Translate from multi-byte to Unicode +#define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // Translate from OEM to Unicode (Translate flag must also be set) +#define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // Create empty environment block + +typedef struct _RTL_BUFFER +{ + PUCHAR Buffer; + PUCHAR StaticBuffer; + SIZE_T Size; + SIZE_T StaticSize; + SIZE_T ReservedForAllocatedSize; // for future doubling + PVOID ReservedForIMalloc; // for future pluggable growth +} RTL_BUFFER, *PRTL_BUFFER; + +typedef struct _RTL_UNICODE_STRING_BUFFER +{ + UNICODE_STRING String; + RTL_BUFFER ByteBuffer; + UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)]; +} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER; + +typedef struct _RTL_USER_PROCESS_PARAMETERS +{ + ULONG MaximumLength; + ULONG Length; + + ULONG Flags; + ULONG DebugFlags; + + HANDLE ConsoleHandle; + ULONG ConsoleFlags; + HANDLE StandardInput; + HANDLE StandardOutput; + HANDLE StandardError; + + CURDIR CurrentDirectory; + UNICODE_STRING DllPath; + UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; + PWCHAR Environment; + + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; + + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING WindowTitle; + UNICODE_STRING DesktopInfo; + UNICODE_STRING ShellInfo; + UNICODE_STRING RuntimeData; + RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; + + ULONG_PTR EnvironmentSize; + ULONG_PTR EnvironmentVersion; + PVOID PackageDependencyData; + ULONG ProcessGroupId; + ULONG LoaderThreads; +} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; + +#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01 +#define RTL_USER_PROCESS_PARAMETERS_PROFILE_USER 0x02 +#define RTL_USER_PROCESS_PARAMETERS_PROFILE_KERNEL 0x04 +#define RTL_USER_PROCESS_PARAMETERS_PROFILE_SERVER 0x08 +#define RTL_USER_PROCESS_PARAMETERS_RESERVE_1MB 0x20 +#define RTL_USER_PROCESS_PARAMETERS_RESERVE_16MB 0x40 +#define RTL_USER_PROCESS_PARAMETERS_CASE_SENSITIVE 0x80 +#define RTL_USER_PROCESS_PARAMETERS_DISABLE_HEAP_DECOMMIT 0x100 +#define RTL_USER_PROCESS_PARAMETERS_DLL_REDIRECTION_LOCAL 0x1000 +#define RTL_USER_PROCESS_PARAMETERS_APP_MANIFEST_PRESENT 0x2000 +#define RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING 0x4000 +#define RTL_USER_PROCESS_PARAMETERS_NX_OPTIN 0x20000 + +typedef struct _RTL_USER_PROCESS_INFORMATION +{ + ULONG Length; + HANDLE Process; + HANDLE Thread; + CLIENT_ID ClientId; + SECTION_IMAGE_INFORMATION ImageInformation; +} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; + +// Handle tag bits for PEB stdio file handles +#define PEB_STDIO_HANDLE_NATIVE 0 +#define PEB_STDIO_HANDLE_SUBSYS 1 +#define PEB_STDIO_HANDLE_PM 2 +#define PEB_STDIO_HANDLE_RESERVED 3 + +#define GDI_HANDLE_BUFFER_SIZE32 34 +#define GDI_HANDLE_BUFFER_SIZE64 60 + +#ifndef _WIN64 +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 +#else +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 +#endif + +typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; +typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; +typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; + +#define FLS_MAXIMUM_AVAILABLE 128 +#define TLS_MINIMUM_AVAILABLE 64 +#define TLS_EXPANSION_SLOTS 1024 + +typedef struct _PEB_LDR_DATA +{ + ULONG Length; + BOOLEAN Initialized; + HANDLE SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + PVOID EntryInProgress; + BOOLEAN ShutdownInProgress; + HANDLE ShutdownThreadId; +} PEB_LDR_DATA, *PPEB_LDR_DATA; + +typedef struct _ACTIVATION_CONTEXT_STACK +{ + struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame; + LIST_ENTRY FrameListCache; + ULONG Flags; + ULONG NextCookieSequenceNumber; + ULONG StackId; +} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; + +typedef struct _PEB +{ + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + union + { + BOOLEAN BitField; + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN IsPackagedProcess : 1; + BOOLEAN IsAppContainer : 1; + BOOLEAN IsProtectedProcessLight : 1; + BOOLEAN IsLongPathAwareProcess : 1; + } s1; + } u1; + + HANDLE Mutant; + + PVOID ImageBaseAddress; + PPEB_LDR_DATA Ldr; + PRTL_USER_PROCESS_PARAMETERS ProcessParameters; + PVOID SubSystemData; + PVOID ProcessHeap; + PRTL_CRITICAL_SECTION FastPebLock; + PVOID AtlThunkSListPtr; + PVOID IFEOKey; + union + { + ULONG CrossProcessFlags; + struct + { + ULONG ProcessInJob : 1; + ULONG ProcessInitializing : 1; + ULONG ProcessUsingVEH : 1; + ULONG ProcessUsingVCH : 1; + ULONG ProcessUsingFTH : 1; + ULONG ProcessPreviouslyThrottled : 1; + ULONG ProcessCurrentlyThrottled : 1; + ULONG ReservedBits0 : 25; + } s2; + } u2; + union + { + PVOID KernelCallbackTable; + PVOID UserSharedInfoPtr; + } u3; + ULONG SystemReserved[1]; + ULONG AtlThunkSListPtr32; + PVOID ApiSetMap; + ULONG TlsExpansionCounter; + PVOID TlsBitmap; + ULONG TlsBitmapBits[2]; + + PVOID ReadOnlySharedMemoryBase; + PVOID SharedData; // HotpatchInformation + PVOID* ReadOnlyStaticServerData; + + PVOID AnsiCodePageData; // PCPTABLEINFO + PVOID OemCodePageData; // PCPTABLEINFO + PVOID UnicodeCaseTableData; // PNLSTABLEINFO + + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + + LARGE_INTEGER CriticalSectionTimeout; + SIZE_T HeapSegmentReserve; + SIZE_T HeapSegmentCommit; + SIZE_T HeapDeCommitTotalFreeThreshold; + SIZE_T HeapDeCommitFreeBlockThreshold; + + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + PVOID* ProcessHeaps; // PHEAP + + PVOID GdiSharedHandleTable; + PVOID ProcessStarterHelper; + ULONG GdiDCAttributeList; + + PRTL_CRITICAL_SECTION LoaderLock; + + ULONG OSMajorVersion; + ULONG OSMinorVersion; + USHORT OSBuildNumber; + USHORT OSCSDVersion; + ULONG OSPlatformId; + ULONG ImageSubsystem; + ULONG ImageSubsystemMajorVersion; + ULONG ImageSubsystemMinorVersion; + ULONG_PTR ActiveProcessAffinityMask; + GDI_HANDLE_BUFFER GdiHandleBuffer; + PVOID PostProcessInitRoutine; + + PVOID TlsExpansionBitmap; + ULONG TlsExpansionBitmapBits[32]; + + ULONG SessionId; + + ULARGE_INTEGER AppCompatFlags; + ULARGE_INTEGER AppCompatFlagsUser; + PVOID pShimData; + PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA + + UNICODE_STRING CSDVersion; + + PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA + PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP + PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA + PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP + + SIZE_T MinimumStackCommit; + + PVOID* FlsCallback; + LIST_ENTRY FlsListHead; + PVOID FlsBitmap; + ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; + ULONG FlsHighIndex; + + PVOID WerRegistrationData; + PVOID WerShipAssertPtr; + PVOID pUnused; // pContextData + PVOID pImageHeaderHash; + union + { + ULONG TracingFlags; + struct + { + ULONG HeapTracingEnabled : 1; + ULONG CritSecTracingEnabled : 1; + ULONG LibLoaderTracingEnabled : 1; + ULONG SpareTracingBits : 29; + } s3; + } u4; + ULONGLONG CsrServerReadOnlySharedMemoryBase; + PVOID TppWorkerpListLock; + LIST_ENTRY TppWorkerpList; + PVOID WaitOnAddressHashTable[128]; + PVOID TelemetryCoverageHeader; // REDSTONE3 + ULONG CloudFileFlags; +} PEB, *PPEB; + +#define GDI_BATCH_BUFFER_SIZE 310 + +typedef struct _GDI_TEB_BATCH +{ + ULONG Offset; + ULONG_PTR HDC; + ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; +} GDI_TEB_BATCH, *PGDI_TEB_BATCH; + +typedef struct _TEB_ACTIVE_FRAME_CONTEXT +{ + ULONG Flags; + PSTR FrameName; +} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; + +typedef struct _TEB_ACTIVE_FRAME +{ + ULONG Flags; + struct _TEB_ACTIVE_FRAME* Previous; + PTEB_ACTIVE_FRAME_CONTEXT Context; +} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; + +typedef struct _TEB +{ + NT_TIB NtTib; + + PVOID EnvironmentPointer; + CLIENT_ID ClientId; + PVOID ActiveRpcHandle; + PVOID ThreadLocalStoragePointer; + PPEB ProcessEnvironmentBlock; + + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + PVOID CsrClientThread; + PVOID Win32ThreadInfo; + ULONG User32Reserved[26]; + ULONG UserReserved[5]; + PVOID WOW32Reserved; + LCID CurrentLocale; + ULONG FpSoftwareStatusRegister; + PVOID ReservedForDebuggerInstrumentation[16]; +#ifdef _WIN64 + PVOID SystemReserved1[30]; +#else + PVOID SystemReserved1[26]; +#endif + CHAR PlaceholderCompatibilityMode; + CHAR PlaceholderReserved[11]; + ULONG ProxiedProcessId; + ACTIVATION_CONTEXT_STACK ActivationStack; + + UCHAR WorkingOnBehalfTicket[8]; + NTSTATUS ExceptionCode; + + PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; + ULONG_PTR InstrumentationCallbackSp; + ULONG_PTR InstrumentationCallbackPreviousPc; + ULONG_PTR InstrumentationCallbackPreviousSp; +#ifdef _WIN64 + ULONG TxFsContext; +#endif + BOOLEAN InstrumentationCallbackDisabled; +#ifndef _WIN64 + UCHAR SpareBytes[23]; + ULONG TxFsContext; +#endif + GDI_TEB_BATCH GdiTebBatch; + CLIENT_ID RealClientId; + HANDLE GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + PVOID GdiThreadLocalInfo; + ULONG_PTR Win32ClientInfo[62]; + PVOID glDispatchTable[233]; + ULONG_PTR glReserved1[29]; + PVOID glReserved2; + PVOID glSectionInfo; + PVOID glSection; + PVOID glTable; + PVOID glCurrentRC; + PVOID glContext; + + NTSTATUS LastStatusValue; + UNICODE_STRING StaticUnicodeString; + WCHAR StaticUnicodeBuffer[261]; + + PVOID DeallocationStack; + PVOID TlsSlots[64]; + LIST_ENTRY TlsLinks; + + PVOID Vdm; + PVOID ReservedForNtRpc; + PVOID DbgSsReserved[2]; + + ULONG HardErrorMode; +#ifdef _WIN64 + PVOID Instrumentation[11]; +#else + PVOID Instrumentation[9]; +#endif + GUID ActivityId; + + PVOID SubProcessTag; + PVOID PerflibData; + PVOID EtwTraceData; + PVOID WinSockData; + ULONG GdiBatchCount; + + union + { + PROCESSOR_NUMBER CurrentIdealProcessor; + ULONG IdealProcessorValue; + struct + { + UCHAR ReservedPad0; + UCHAR ReservedPad1; + UCHAR ReservedPad2; + UCHAR IdealProcessor; + } s1; + } u1; + + ULONG GuaranteedStackBytes; + PVOID ReservedForPerf; + PVOID ReservedForOle; + ULONG WaitingOnLoaderLock; + PVOID SavedPriorityState; + ULONG_PTR ReservedForCodeCoverage; + PVOID ThreadPoolData; + PVOID* TlsExpansionSlots; +#ifdef _WIN64 + PVOID DeallocationBStore; + PVOID BStoreLimit; +#endif + ULONG MuiGeneration; + ULONG IsImpersonating; + PVOID NlsCache; + PVOID pShimData; + USHORT HeapVirtualAffinity; + USHORT LowFragHeapDataSlot; + HANDLE CurrentTransactionHandle; + PTEB_ACTIVE_FRAME ActiveFrame; + PVOID FlsData; + + PVOID PreferredLanguages; + PVOID UserPrefLanguages; + PVOID MergedPrefLanguages; + ULONG MuiImpersonation; + + union + { + USHORT CrossTebFlags; + USHORT SpareCrossTebBits : 16; + } u2; + union + { + USHORT SameTebFlags; + struct + { + USHORT SafeThunkCall : 1; + USHORT InDebugPrint : 1; + USHORT HasFiberData : 1; + USHORT SkipThreadAttach : 1; + USHORT WerInShipAssertCode : 1; + USHORT RanProcessInit : 1; + USHORT ClonedThread : 1; + USHORT SuppressDebugMsg : 1; + USHORT DisableUserStackWalk : 1; + USHORT RtlExceptionAttached : 1; + USHORT InitialThread : 1; + USHORT SessionAware : 1; + USHORT LoadOwner : 1; + USHORT LoaderWorker : 1; + USHORT SkipLoaderInit : 1; + USHORT SpareSameTebBits : 1; + } s2; + } u3; + + PVOID TxnScopeEnterCallback; + PVOID TxnScopeExitCallback; + PVOID TxnScopeContext; + ULONG LockCount; + LONG WowTebOffset; + PVOID ResourceRetValue; + PVOID ReservedForWdf; + ULONGLONG ReservedForCrt; + GUID EffectiveContainerId; +} TEB, *PTEB; + +typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE +{ + StandardDesign, + NEC98x86, + EndAlternatives +} ALTERNATIVE_ARCHITECTURE_TYPE; + +#define PROCESSOR_FEATURE_MAX 64 + +#define MAX_WOW64_SHARED_ENTRIES 16 + +#define NX_SUPPORT_POLICY_ALWAYSOFF 0 +#define NX_SUPPORT_POLICY_ALWAYSON 1 +#define NX_SUPPORT_POLICY_OPTIN 2 +#define NX_SUPPORT_POLICY_OPTOUT 3 + +#pragma pack(push, 4) +typedef struct _KUSER_SHARED_DATA +{ + ULONG TickCountLowDeprecated; + ULONG TickCountMultiplier; + + volatile KSYSTEM_TIME InterruptTime; + volatile KSYSTEM_TIME SystemTime; + volatile KSYSTEM_TIME TimeZoneBias; + + USHORT ImageNumberLow; + USHORT ImageNumberHigh; + + WCHAR NtSystemRoot[260]; + + ULONG MaxStackTraceDepth; + + ULONG CryptoExponent; + + ULONG TimeZoneId; + ULONG LargePageMinimum; + ULONG AitSamplingValue; + ULONG AppCompatFlag; + ULONGLONG RNGSeedVersion; + ULONG GlobalValidationRunlevel; + LONG TimeZoneBiasStamp; + + ULONG NtBuildNumber; + ULONG NtProductType; + BOOLEAN ProductTypeIsValid; + UCHAR Reserved0[1]; + USHORT NativeProcessorArchitecture; + + ULONG NtMajorVersion; + ULONG NtMinorVersion; + + BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; + + ULONG Reserved1; + ULONG Reserved3; + + volatile ULONG TimeSlip; + + ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; + ULONG BootId; + + LARGE_INTEGER SystemExpirationDate; + + ULONG SuiteMask; + + BOOLEAN KdDebuggerEnabled; + union + { + UCHAR MitigationPolicies; + struct + { + UCHAR NXSupportPolicy : 2; + UCHAR SEHValidationPolicy : 2; + UCHAR CurDirDevicesSkippedForDlls : 2; + UCHAR Reserved : 2; + } s1; + } u1; + UCHAR Reserved6[2]; + + volatile ULONG ActiveConsoleId; + + volatile ULONG DismountCount; + + ULONG ComPlusPackage; + + ULONG LastSystemRITEventTickCount; + + ULONG NumberOfPhysicalPages; + + BOOLEAN SafeBootMode; + UCHAR VirtualizationFlags; + UCHAR Reserved12[2]; + + union + { + ULONG SharedDataFlags; + struct + { + ULONG DbgErrorPortPresent : 1; + ULONG DbgElevationEnabled : 1; + ULONG DbgVirtEnabled : 1; + ULONG DbgInstallerDetectEnabled : 1; + ULONG DbgLkgEnabled : 1; + ULONG DbgDynProcessorEnabled : 1; + ULONG DbgConsoleBrokerEnabled : 1; + ULONG DbgSecureBootEnabled : 1; + ULONG DbgMultiSessionSku : 1; + ULONG DbgMultiUsersInSessionSku : 1; + ULONG SpareBits : 22; + } s2; + } u2; + ULONG DataFlagsPad[1]; + + ULONGLONG TestRetInstruction; + LONGLONG QpcFrequency; + ULONG SystemCall; + ULONG SystemCallPad0; + ULONGLONG SystemCallPad[2]; + + union + { + volatile KSYSTEM_TIME TickCount; + volatile ULONG64 TickCountQuad; + ULONG ReservedTickCountOverlay[3]; + }; + ULONG TickCountPad[1]; + + ULONG Cookie; + ULONG CookiePad[1]; + + LONGLONG ConsoleSessionForegroundProcessId; + ULONGLONG TimeUpdateLock; + ULONGLONG BaselineSystemTimeQpc; + ULONGLONG BaselineInterruptTimeQpc; + ULONGLONG QpcSystemTimeIncrement; + ULONGLONG QpcInterruptTimeIncrement; + UCHAR QpcSystemTimeIncrementShift; + UCHAR QpcInterruptTimeIncrementShift; + + USHORT UnparkedProcessorCount; + ULONG EnclaveFeatureMask[4]; + ULONG Reserved8; + USHORT UserModeGlobalLogger[16]; + ULONG ImageFileExecutionOptions; + + ULONG LangGenerationCount; + ULONGLONG Reserved4; + volatile ULONG64 InterruptTimeBias; + volatile ULONG64 QpcBias; + + ULONG ActiveProcessorCount; + volatile UCHAR ActiveGroupCount; + UCHAR Reserved9; + union + { + USHORT QpcData; + struct + { + UCHAR QpcBypassEnabled : 1; + UCHAR QpcShift : 1; + } s3; + } u3; + + LARGE_INTEGER TimeZoneBiasEffectiveStart; + LARGE_INTEGER TimeZoneBiasEffectiveEnd; + XSTATE_CONFIGURATION XState; +} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; +#pragma pack(pop) + +#ifdef __cplusplus +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x8, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x14, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x20, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x2c, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x2e, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x30, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320, "Offset check"); +static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8, "Offset check"); +#endif + +#if !defined(_KERNEL_MODE) && !defined(KERNELMODE) +#define USER_SHARED_DATA 0x7FFE0000 +#define SharedUserData ((KUSER_SHARED_DATA * const)USER_SHARED_DATA) +#else +#if defined(_M_IX86) +#define KI_USER_SHARED_DATA 0xFFDF0000 +#elif defined (_M_AMD64) +#define KI_USER_SHARED_DATA 0xFFFFF78000000000Ui64 +#elif defined (_M_ARM) +#define KI_USER_SHARED_DATA 0xFFFF9000 +#elif defined(M_ARM64) +#define KI_USER_SHARED_DATA 0xFFFFF78000000000Ui64 +#endif +#define SharedUserData ((KUSER_SHARED_DATA * const)KI_USER_SHARED_DATA) +#endif + +typedef struct _PROCESS_BASIC_INFORMATION +{ + NTSTATUS ExitStatus; + PPEB PebBaseAddress; + ULONG_PTR AffinityMask; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; + +typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION +{ + SIZE_T Size; // Set to sizeof structure on input + PROCESS_BASIC_INFORMATION BasicInfo; + union + { + ULONG Flags; + struct + { + ULONG IsProtectedProcess : 1; + ULONG IsWow64Process : 1; + ULONG IsProcessDeleting : 1; + ULONG IsCrossSessionCreate : 1; + ULONG IsFrozen : 1; + ULONG IsBackground : 1; + ULONG IsStronglyNamed : 1; + ULONG IsSecureProcess : 1; + ULONG IsSubsystemProcess : 1; + ULONG SpareBits : 23; + } s; + } u; +} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; + +typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION +{ + SYSTEM_THREAD_INFORMATION ThreadInfo; + PVOID StackBase; + PVOID StackLimit; + PVOID Win32StartAddress; + PTEB TebBase; // Since Vista + ULONG_PTR Reserved2; + ULONG_PTR Reserved3; + ULONG_PTR Reserved4; +} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; + +#ifndef FIELD_OFFSET +#if !defined(__clang__) +#define FIELD_OFFSET(type, field) ((LONG)(LONG_PTR)&(((type *)0)->field)) +#else +#define FIELD_OFFSET(type, field) ((LONG)__builtin_offsetof(type, field)) +#endif +#endif +#ifndef UFIELD_OFFSET +#if !defined(__clang__) +#define UFIELD_OFFSET(type, field) ((ULONG)(LONG_PTR)&(((type *)0)->field)) +#else +#define UFIELD_OFFSET(type, field) ((ULONG)__builtin_offsetof(type, field)) +#endif +#endif + +#define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset))) +#define PTR_SUB_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Offset))) +#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~(Align - 1)) +#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align)) +#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type)) +#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1)) +#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align)) +#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type)) + +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ + } + +#define OBJ_INHERIT 0x00000002L +#define OBJ_PERMANENT 0x00000010L +#define OBJ_EXCLUSIVE 0x00000020L +#define OBJ_CASE_INSENSITIVE 0x00000040L +#define OBJ_OPENIF 0x00000080L +#define OBJ_OPENLINK 0x00000100L +#define OBJ_KERNEL_HANDLE 0x00000200L +#define OBJ_FORCE_ACCESS_CHECK 0x00000400L +#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800 +#define OBJ_DONT_REPARSE 0x00001000 +#define OBJ_VALID_ATTRIBUTES 0x00001FF2 + +#if NTDDI_VERSION >= NTDDI_VISTA +#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + 0xFFFF) +#else +#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + 0x3FF) +#endif + +#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 +#define THREAD_CREATE_FLAGS_SUPPRESS_DLLMAINS 0x00000002 +#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 +#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ? +#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ? +#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 + +#define DEBUG_READ_EVENT 0x0001 +#define DEBUG_PROCESS_ASSIGN 0x0002 +#define DEBUG_SET_INFORMATION 0x0004 +#define DEBUG_QUERY_INFORMATION 0x0008 + +#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ + DEBUG_QUERY_INFORMATION) + +#define DEBUG_KILL_ON_CLOSE 0x1 + +#ifndef IO_COMPLETION_QUERY_STATE +#define IO_COMPLETION_QUERY_STATE 0x0001 +#endif +#ifndef IO_COMPLETION_MODIFY_STATE +#define IO_COMPLETION_MODIFY_STATE 0x0002 +#endif +#ifndef IO_COMPLETION_ALL_ACCESS +#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + IO_COMPLETION_QUERY_STATE | IO_COMPLETION_MODIFY_STATE) +#endif + +#ifndef SEMAPHORE_ALL_ACCESS +#define SEMAPHORE_QUERY_STATE 0x0001 +#define SEMAPHORE_MODIFY_STATE 0x0002 + +#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE) +#endif + +#ifndef MUTANT_ALL_ACCESS +#define MUTANT_QUERY_STATE 0x0001 + +#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + MUTANT_QUERY_STATE) +#endif + +#ifndef EVENT_ALL_ACCESS +#define EVENT_QUERY_STATE 0x0001 +#define EVENT_MODIFY_STATE 0x0002 + +#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + EVENT_QUERY_STATE | EVENT_MODIFY_STATE) +#endif + +#define KEYEDEVENT_WAIT 0x0001 +#define KEYEDEVENT_WAKE 0x0002 +#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ + KEYEDEVENT_WAIT | KEYEDEVENT_WAKE) + +#define DIRECTORY_QUERY 0x0001 +#define DIRECTORY_TRAVERSE 0x0002 +#define DIRECTORY_CREATE_OBJECT 0x0004 +#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 + +#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ + DIRECTORY_QUERY | DIRECTORY_TRAVERSE | \ + DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY) + +#define SYMBOLIC_LINK_QUERY 0x0001 + +#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ + SYMBOLIC_LINK_QUERY) + +#ifndef TOKEN_ALL_ACCESS +#define TOKEN_ASSIGN_PRIMARY 0x0001 +#define TOKEN_DUPLICATE 0x0002 +#define TOKEN_IMPERSONATE 0x0004 +#define TOKEN_QUERY 0x0008 +#define TOKEN_QUERY_SOURCE 0x0010 +#define TOKEN_ADJUST_PRIVILEGES 0x0020 +#define TOKEN_ADJUST_GROUPS 0x0040 +#define TOKEN_ADJUST_DEFAULT 0x0080 +#define TOKEN_ADJUST_SESSIONID 0x0100 + +#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED | \ + TOKEN_ASSIGN_PRIMARY | \ + TOKEN_DUPLICATE | \ + TOKEN_IMPERSONATE | \ + TOKEN_QUERY | \ + TOKEN_QUERY_SOURCE | \ + TOKEN_ADJUST_PRIVILEGES | \ + TOKEN_ADJUST_GROUPS | \ + TOKEN_ADJUST_DEFAULT) + +#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | \ + TOKEN_ADJUST_SESSIONID) +#endif + +#define WORKER_FACTORY_RELEASE_WORKER 0x0001 +#define WORKER_FACTORY_WAIT 0x0002 +#define WORKER_FACTORY_SET_INFORMATION 0x0004 +#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 +#define WORKER_FACTORY_READY_WORKER 0x0010 +#define WORKER_FACTORY_SHUTDOWN 0x0020 + +#define WORKER_FACTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ + WORKER_FACTORY_RELEASE_WORKER | \ + WORKER_FACTORY_WAIT | \ + WORKER_FACTORY_SET_INFORMATION | \ + WORKER_FACTORY_QUERY_INFORMATION | \ + WORKER_FACTORY_READY_WORKER | \ + WORKER_FACTORY_SHUTDOWN) + +#define NtCurrentProcess ((HANDLE)(LONG_PTR)-1) +#define NtCurrentThread ((HANDLE)(LONG_PTR)-2) +#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock) +#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess) +#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread) +#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap) + +typedef struct _RTL_HEAP_ENTRY +{ + SIZE_T Size; + USHORT Flags; + USHORT AllocatorBackTraceIndex; + union + { + struct + { + SIZE_T Settable; + ULONG Tag; + } s1; + struct + { + SIZE_T CommittedSize; + PVOID FirstBlock; + } s2; + } u; +} RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY; + +#define RTL_HEAP_BUSY (USHORT)0x0001 +#define RTL_HEAP_SEGMENT (USHORT)0x0002 +#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010 +#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020 +#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040 +#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080 +#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00e0 +#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100 +#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200 + +typedef struct _RTL_HEAP_TAG +{ + ULONG NumberOfAllocations; + ULONG NumberOfFrees; + SIZE_T BytesAllocated; + USHORT TagIndex; + USHORT CreatorBackTraceIndex; + WCHAR TagName[24]; +} RTL_HEAP_TAG, *PRTL_HEAP_TAG; + +typedef struct _RTL_HEAP_INFORMATION +{ + PVOID BaseAddress; + ULONG Flags; + USHORT EntryOverhead; + USHORT CreatorBackTraceIndex; + SIZE_T BytesAllocated; + SIZE_T BytesCommitted; + ULONG NumberOfTags; + ULONG NumberOfEntries; + ULONG NumberOfPseudoTags; + ULONG PseudoTagGranularity; + ULONG Reserved[5]; + PRTL_HEAP_TAG Tags; + PRTL_HEAP_ENTRY Entries; +} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION; + +typedef struct _RTL_PROCESS_HEAPS +{ + ULONG NumberOfHeaps; + RTL_HEAP_INFORMATION Heaps[1]; +} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS; + +typedef +NTSTATUS +(NTAPI* + PRTL_HEAP_COMMIT_ROUTINE)( + _In_ PVOID Base, + _Inout_ PVOID* CommitAddress, + _Inout_ PSIZE_T CommitSize + ); + +typedef struct _RTL_HEAP_PARAMETERS +{ + ULONG Length; + SIZE_T SegmentReserve; + SIZE_T SegmentCommit; + SIZE_T DeCommitFreeBlockThreshold; + SIZE_T DeCommitTotalFreeThreshold; + SIZE_T MaximumAllocationSize; + SIZE_T VirtualMemoryThreshold; + SIZE_T InitialCommit; + SIZE_T InitialReserve; + PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; + SIZE_T Reserved[2]; +} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; + +#define HEAP_SETTABLE_USER_VALUE 0x00000100 +#define HEAP_SETTABLE_USER_FLAG1 0x00000200 +#define HEAP_SETTABLE_USER_FLAG2 0x00000400 +#define HEAP_SETTABLE_USER_FLAG3 0x00000800 +#define HEAP_SETTABLE_USER_FLAGS 0x00000e00 + +#define HEAP_CLASS_0 0x00000000 // Process heap +#define HEAP_CLASS_1 0x00001000 // Private heap +#define HEAP_CLASS_2 0x00002000 // Kernel heap +#define HEAP_CLASS_3 0x00003000 // GDI heap +#define HEAP_CLASS_4 0x00004000 // User heap +#define HEAP_CLASS_5 0x00005000 // Console heap +#define HEAP_CLASS_6 0x00006000 // User desktop heap +#define HEAP_CLASS_7 0x00007000 // CSR shared heap +#define HEAP_CLASS_8 0x00008000 // CSR port heap +#define HEAP_CLASS_MASK 0x0000f000 + +typedef struct _RTL_HEAP_TAG_INFO +{ + ULONG NumberOfAllocations; + ULONG NumberOfFrees; + SIZE_T BytesAllocated; +} RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO; + +#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS + +typedef struct _RTL_HEAP_WALK_ENTRY +{ + PVOID DataAddress; + SIZE_T DataSize; + UCHAR OverheadBytes; + UCHAR SegmentIndex; + USHORT Flags; + union + { + struct + { + SIZE_T Settable; + USHORT TagIndex; + USHORT AllocatorBackTraceIndex; + ULONG Reserved[2]; + } Block; + struct + { + ULONG CommittedSize; + ULONG UnCommittedSize; + PVOID FirstEntry; + PVOID LastEntry; + } Segment; + }; +} RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY; + +// HEAP_INFORMATION_CLASS. winnt.h is incomplete +#define HeapCompatibilityInformation 0x0 // q; s: ULONG +#define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL +#define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION +#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION +#define HeapTaggingInformation 0x4 +#define HeapStackDatabase 0x5 +#define HeapDetailedFailureInformation 0x80000001 +#define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION + +typedef struct _PROCESS_HEAP_INFORMATION +{ + ULONG_PTR ReserveSize; + ULONG_PTR CommitSize; + ULONG NumberOfHeaps; + ULONG_PTR FirstHeapInformationOffset; +} PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION; + +typedef struct _HEAP_INFORMATION +{ + ULONG_PTR Address; + ULONG Mode; + ULONG_PTR ReserveSize; + ULONG_PTR CommitSize; + ULONG_PTR FirstRegionInformationOffset; + ULONG_PTR NextHeapInformationOffset; +} HEAP_INFORMATION, *PHEAP_INFORMATION; + +typedef struct _HEAP_EXTENDED_INFORMATION +{ + HANDLE Process; + ULONG_PTR Heap; + ULONG Level; + PVOID CallbackRoutine; + PVOID CallbackContext; + PROCESS_HEAP_INFORMATION ProcessHeapInformation; + HEAP_INFORMATION HeapInformation; +} HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION; + +typedef +NTSTATUS +(NTAPI* + PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)( + _In_ LONG Reserved, + _In_ PVOID HeapHandle, + _In_ PVOID BaseAddress, + _In_ SIZE_T BlockSize, + _In_ ULONG StackTraceDepth, + _In_ PVOID* StackTrace + ); + +typedef struct _HEAP_DEBUGGING_INFORMATION +{ + PVOID InterceptorFunction; + USHORT InterceptorValue; + ULONG ExtendedOptions; + ULONG StackTraceDepth; + SIZE_T MinTotalBlockSize; + SIZE_T MaxTotalBlockSize; + PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine; +} HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION; + +typedef +NTSTATUS +(NTAPI* + PRTL_ENUM_HEAPS_ROUTINE)( + _In_ PVOID HeapHandle, + _In_ PVOID Parameter + ); + +typedef +NTSTATUS +(NTAPI* + PUSER_THREAD_START_ROUTINE)( + _In_ PVOID ThreadParameter + ); + +#define LDR_FORMAT_MESSAGE_FROM_SYSTEM_MESSAGE_TABLE 11 + +#define RTL_ERRORMODE_NOGPFAULTERRORBOX 0x0020 +#define RTL_ERRORMODE_NOOPENFILEERRORBOX 0x0040 + +#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001 +#define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002 + +typedef +VOID +(NTAPI* + PLDR_IMPORT_MODULE_CALLBACK)( + _In_ PVOID Parameter, + _In_ PSTR ModuleName + ); + +typedef struct _LDR_IMPORT_CALLBACK_INFO +{ + PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine; + PVOID ImportCallbackParameter; +} LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO; + +typedef struct _LDR_SECTION_INFO +{ + HANDLE SectionHandle; + ACCESS_MASK DesiredAccess; + POBJECT_ATTRIBUTES ObjectAttributes; + ULONG SectionPageProtection; + ULONG AllocationAttributes; +} LDR_SECTION_INFO, *PLDR_SECTION_INFO; + +typedef struct _LDR_VERIFY_IMAGE_INFO +{ + ULONG Size; + ULONG Flags; + LDR_IMPORT_CALLBACK_INFO CallbackInfo; + LDR_SECTION_INFO SectionInfo; + USHORT ImageCharacteristics; +} LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS; + +typedef struct _SEMAPHORE_BASIC_INFORMATION +{ + LONG CurrentCount; + LONG MaximumCount; +} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; + +typedef enum _TIMER_INFORMATION_CLASS +{ + TimerBasicInformation +} TIMER_INFORMATION_CLASS; + +typedef struct _TIMER_BASIC_INFORMATION +{ + LARGE_INTEGER RemainingTime; + BOOLEAN TimerState; +} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION; + +typedef +VOID +(NTAPI* + PTIMER_APC_ROUTINE)( + _In_ PVOID TimerContext, + _In_ ULONG TimerLowValue, + _In_ LONG TimerHighValue + ); + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ + TimerSetCoalescableTimer, + MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS; + +typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO +{ + _In_ LARGE_INTEGER DueTime; + _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine; + _In_opt_ PVOID TimerContext; + _In_opt_ struct _COUNTED_REASON_CONTEXT* WakeContext; + _In_opt_ ULONG Period; + _In_ ULONG TolerableDelay; + _Out_opt_ PBOOLEAN PreviousState; +} TIMER_SET_COALESCABLE_TIMER_INFO, *PTIMER_SET_COALESCABLE_TIMER_INFO; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ + ULONG64 Version; + UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ + PVOID pValue; + ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ + UNICODE_STRING Name; + USHORT ValueType; + USHORT Reserved; + ULONG Flags; + ULONG ValueCount; + union + { + PLONG64 pInt64; + PULONG64 pUint64; + PUNICODE_STRING pString; + PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; + PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; + } Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1 +#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ + USHORT Version; + USHORT Reserved; + ULONG AttributeCount; + union + { + PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; + } Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ + FilterBootOptionOperationOpenSystemStore, + FilterBootOptionOperationSetElement, + FilterBootOptionOperationDeleteElement, + FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION; + +typedef enum _IO_SESSION_EVENT +{ + IoSessionEventIgnore, + IoSessionEventCreated, + IoSessionEventTerminated, + IoSessionEventConnected, + IoSessionEventDisconnected, + IoSessionEventLogon, + IoSessionEventLogoff, + IoSessionEventMax +} IO_SESSION_EVENT; + +typedef enum _IO_SESSION_STATE +{ + IoSessionStateCreated, + IoSessionStateInitialized, + IoSessionStateConnected, + IoSessionStateDisconnected, + IoSessionStateDisconnectedLoggedOn, + IoSessionStateLoggedOn, + IoSessionStateLoggedOff, + IoSessionStateTerminated, + IoSessionStateMax +} IO_SESSION_STATE; + +typedef struct _PORT_MESSAGE PORT_MESSAGE, *PPORT_MESSAGE; +typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; + +typedef +VOID +(NTAPI* + PTP_ALPC_CALLBACK)( + _Inout_ PTP_CALLBACK_INSTANCE Instance, + _Inout_opt_ PVOID Context, + _In_ PTP_ALPC Alpc + ); + +typedef +VOID +(NTAPI* + PTP_ALPC_CALLBACK_EX)( + _Inout_ PTP_CALLBACK_INSTANCE Instance, + _Inout_opt_ PVOID Context, + _In_ PTP_ALPC Alpc, + _In_ PVOID ApcContext + ); + +typedef +VOID +(NTAPI* + PTP_IO_CALLBACK)( + _Inout_ PTP_CALLBACK_INSTANCE Instance, + _Inout_opt_ PVOID Context, + _In_ PVOID ApcContext, + _In_ PIO_STATUS_BLOCK IoSB, + _In_ PTP_IO Io + ); + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS; + +typedef struct _IO_COMPLETION_BASIC_INFORMATION +{ + LONG Depth; +} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; + +typedef enum _WORKERFACTORYINFOCLASS +{ + WorkerFactoryTimeout, + WorkerFactoryRetryTimeout, + WorkerFactoryIdleTimeout, + WorkerFactoryBindingCount, + WorkerFactoryThreadMinimum, + WorkerFactoryThreadMaximum, + WorkerFactoryPaused, + WorkerFactoryBasicInformation, + WorkerFactoryAdjustThreadGoal, + WorkerFactoryCallbackType, + WorkerFactoryStackInformation, // 10 + WorkerFactoryThreadBasePriority, + WorkerFactoryTimeoutWaiters, // since THRESHOLD + WorkerFactoryFlags, + WorkerFactoryThreadSoftMaximum, + MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef struct _WORKER_FACTORY_BASIC_INFORMATION +{ + LARGE_INTEGER Timeout; + LARGE_INTEGER RetryTimeout; + LARGE_INTEGER IdleTimeout; + BOOLEAN Paused; + BOOLEAN TimerSet; + BOOLEAN QueuedToExWorker; + BOOLEAN MayCreate; + BOOLEAN CreateInProgress; + BOOLEAN InsertedIntoQueue; + BOOLEAN Shutdown; + ULONG BindingCount; + ULONG ThreadMinimum; + ULONG ThreadMaximum; + ULONG PendingWorkerCount; + ULONG WaitingWorkerCount; + ULONG TotalWorkerCount; + ULONG ReleaseCount; + LONGLONG InfiniteWaitGoal; + PVOID StartRoutine; + PVOID StartParameter; + HANDLE ProcessId; + SIZE_T StackReserve; + SIZE_T StackCommit; + NTSTATUS LastThreadCreationStatus; +} WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION; + +typedef struct _BOOT_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG BootFilePathOffset; + ULONG OsOptionsLength; + UCHAR OsOptions[1]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _BOOT_ENTRY_LIST +{ + ULONG NextEntryOffset; + BOOT_ENTRY BootEntry; +} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST; + +typedef struct _BOOT_OPTIONS +{ + ULONG Version; + ULONG Length; + ULONG Timeout; + ULONG CurrentBootEntryId; + ULONG NextBootEntryId; + WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef struct _FILE_PATH +{ + ULONG Version; + ULONG Length; + ULONG Type; + UCHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _EFI_DRIVER_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG FriendlyNameOffset; + ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY_LIST +{ + ULONG NextEntryOffset; + EFI_DRIVER_ENTRY DriverEntry; +} EFI_DRIVER_ENTRY_LIST, *PEFI_DRIVER_ENTRY_LIST; + +FORCEINLINE +VOID +InitializeListHead( + _Out_ PLIST_ENTRY ListHead +) +{ + ListHead->Flink = ListHead->Blink = ListHead; +} + +FORCEINLINE +BOOLEAN +IsListEmpty( + _In_ PLIST_ENTRY ListHead +) +{ + return ListHead->Flink == ListHead; +} + +FORCEINLINE +BOOLEAN +RemoveEntryList( + _In_ PLIST_ENTRY Entry +) +{ + PLIST_ENTRY Flink = Entry->Flink; + PLIST_ENTRY Blink = Entry->Blink; + Blink->Flink = Flink; + Flink->Blink = Blink; + + return Flink == Blink; +} + +FORCEINLINE +PLIST_ENTRY +RemoveHeadList( + _Inout_ PLIST_ENTRY ListHead +) +{ + PLIST_ENTRY Entry = ListHead->Flink; + PLIST_ENTRY Flink = Entry->Flink; + ListHead->Flink = Flink; + Flink->Blink = ListHead; + + return Entry; +} + +FORCEINLINE +PLIST_ENTRY +RemoveTailList( + _Inout_ PLIST_ENTRY ListHead +) +{ + PLIST_ENTRY Entry = ListHead->Blink; + PLIST_ENTRY Blink = Entry->Blink; + ListHead->Blink = Blink; + Blink->Flink = ListHead; + + return Entry; +} + +FORCEINLINE +VOID +InsertTailList( + _Inout_ PLIST_ENTRY ListHead, + _Inout_ PLIST_ENTRY Entry +) +{ + PLIST_ENTRY Blink = ListHead->Blink; + Entry->Flink = ListHead; + Entry->Blink = Blink; + Blink->Flink = Entry; + ListHead->Blink = Entry; +} + +FORCEINLINE +VOID +InsertHeadList( + _Inout_ PLIST_ENTRY ListHead, + _Inout_ PLIST_ENTRY Entry +) +{ + PLIST_ENTRY Flink = ListHead->Flink; + Entry->Flink = Flink; + Entry->Blink = ListHead; + Flink->Blink = Entry; + ListHead->Flink = Entry; +} + +FORCEINLINE +VOID +AppendTailList( + _Inout_ PLIST_ENTRY ListHead, + _Inout_ PLIST_ENTRY ListToAppend +) +{ + PLIST_ENTRY ListEnd = ListHead->Blink; + + ListHead->Blink->Flink = ListToAppend; + ListHead->Blink = ListToAppend->Blink; + ListToAppend->Blink->Flink = ListHead; + ListToAppend->Blink = ListEnd; +} + +FORCEINLINE +PSINGLE_LIST_ENTRY +PopEntryList( + _Inout_ PSINGLE_LIST_ENTRY ListHead +) +{ + PSINGLE_LIST_ENTRY FirstEntry = ListHead->Next; + + if(FirstEntry) + ListHead->Next = FirstEntry->Next; + + return FirstEntry; +} + +FORCEINLINE +VOID +PushEntryList( + _Inout_ PSINGLE_LIST_ENTRY ListHead, + _Inout_ PSINGLE_LIST_ENTRY Entry +) +{ + Entry->Next = ListHead->Next; + ListHead->Next = Entry; +} + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateProcess( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ParentProcess, + _In_ BOOLEAN InheritObjectTable, + _In_opt_ HANDLE SectionHandle, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE ExceptionPort +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateProcessEx( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ParentProcess, + _In_ ULONG Flags, + _In_opt_ HANDLE SectionHandle, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE ExceptionPort, + _In_ BOOLEAN InJob +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateUserProcess( + _Out_ PHANDLE ProcessHandle, + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK ProcessDesiredAccess, + _In_ ACCESS_MASK ThreadDesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, + _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, + _In_ ULONG ProcessFlags, + _In_ ULONG ThreadFlags, + _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, + _Inout_ PPS_CREATE_INFO CreateInfo, + _In_ PPS_ATTRIBUTE_LIST AttributeList +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationProcess( + _In_ HANDLE ProcessHandle, + _In_ PROCESSINFOCLASS ProcessInformationClass, + _In_ PVOID ProcessInformation, + _In_ ULONG ProcessInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationProcess( + _In_ HANDLE ProcessHandle, + _In_ PROCESSINFOCLASS ProcessInformationClass, + _Out_ PVOID ProcessInformation, + _In_ ULONG ProcessInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryObject( + _In_ HANDLE Handle, + _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, + _Out_opt_ PVOID ObjectInformation, + _In_ ULONG ObjectInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemInformation( + _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _Out_opt_ PVOID SystemInformation, + _In_ ULONG SystemInformationLength, + _Out_opt_ PULONG ReturnLength +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemInformationEx( + _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _In_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_ PVOID SystemInformation, + _In_ ULONG SystemInformationLength, + _Out_opt_ PULONG ReturnLength +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSystemInformation( + _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, + _In_opt_ PVOID SystemInformation, + _In_ ULONG SystemInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationThread( + _In_ HANDLE ThreadHandle, + _In_ THREADINFOCLASS ThreadInformationClass, + _In_ PVOID ThreadInformation, + _In_ ULONG ThreadInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationThread( + _In_ HANDLE ThreadHandle, + _In_ THREADINFOCLASS ThreadInformationClass, + _Out_ PVOID ThreadInformation, + _In_ ULONG ThreadInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnmapViewOfSection( + _In_ HANDLE ProcessHandle, + _In_ PVOID BaseAddress +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtExtendSection( + _In_ HANDLE SectionHandle, + _Inout_ PLARGE_INTEGER NewSectionSize +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSuspendThread( + _In_ HANDLE ThreadHandle, + _Out_opt_ PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResumeThread( + _In_ HANDLE ThreadHandle, + _Out_opt_ PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSuspendProcess( + _In_ HANDLE ProcessHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResumeProcess( + _In_ HANDLE ProcessHandle +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +ULONG +NTAPI +NtGetCurrentProcessorNumber( +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSignalAndWaitForSingleObject( + _In_ HANDLE SignalHandle, + _In_ HANDLE WaitHandle, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForSingleObject( + _In_ HANDLE Handle, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForMultipleObjects( + _In_ ULONG Count, + _In_ PHANDLE Handles, + _In_ WAIT_TYPE WaitType, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForMultipleObjects32( + _In_ ULONG Count, + _In_ PHANDLE Handles, + _In_ WAIT_TYPE WaitType, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSecurityObject( + _In_ HANDLE Handle, + _In_ SECURITY_INFORMATION SecurityInformation, + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySecurityObject( + _In_ HANDLE Handle, + _In_ SECURITY_INFORMATION SecurityInformation, + _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ ULONG Length, + _Out_ PULONG LengthNeeded +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueueApcThread( + _In_ HANDLE ThreadHandle, + _In_ PPS_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcArgument1, + _In_opt_ PVOID ApcArgument2, + _In_opt_ PVOID ApcArgument3 +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueueApcThreadEx( + _In_ HANDLE ThreadHandle, + _In_opt_ HANDLE UserApcReserveHandle, + _In_ PPS_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcArgument1, + _In_opt_ PVOID ApcArgument2, + _In_opt_ PVOID ApcArgument3 +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtProtectVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG NewProtect, + _Out_ PULONG OldProtect +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFlushBuffersFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFlushInstructionCache( + _In_ HANDLE ProcessHandle, + _In_opt_ PVOID BaseAddress, + _In_ SIZE_T Length +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFlushWriteBuffer( +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFsControlFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG FsControlCode, + _In_opt_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_opt_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLockFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PLARGE_INTEGER ByteOffset, + _In_ PLARGE_INTEGER Length, + _In_ ULONG Key, + _In_ BOOLEAN FailImmediately, + _In_ BOOLEAN ExclusiveLock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnlockFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PLARGE_INTEGER ByteOffset, + _In_ PLARGE_INTEGER Length, + _In_ ULONG Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFlushVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _Inout_ PSIZE_T RegionSize, + _Out_ PIO_STATUS_BLOCK IoStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryVirtualMemory( + _In_ HANDLE ProcessHandle, + _In_ PVOID BaseAddress, + _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, + _Out_ PVOID MemoryInformation, + _In_ SIZE_T MemoryInformationLength, + _Out_opt_ PSIZE_T ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLockVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG MapType +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnlockVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG MapType +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSystemDebugControl( + _In_ SYSDBG_COMMAND Command, + _Inout_opt_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_opt_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtYieldExecution( +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtClose( + _In_ HANDLE Handle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryAttributesFile( + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PFILE_BASIC_INFORMATION FileInformation +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryFullAttributesFile( + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetQuotaInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PVOID Buffer, + _In_ ULONG Length +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetVolumeInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PVOID FsInformation, + _In_ ULONG Length, + _In_ FS_INFORMATION_CLASS FsInformationClass +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateFile( + _Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_opt_ PLARGE_INTEGER AllocationSize, + _In_ ULONG FileAttributes, + _In_ ULONG ShareAccess, + _In_ ULONG CreateDisposition, + _In_ ULONG CreateOptions, + _In_opt_ PVOID EaBuffer, + _In_ ULONG EaLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateNamedPipeFile( + _Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG ShareAccess, + _In_ ULONG CreateDisposition, + _In_ ULONG CreateOptions, + _In_ ULONG NamedPipeType, + _In_ ULONG ReadMode, + _In_ ULONG CompletionMode, + _In_ ULONG MaximumInstances, + _In_ ULONG InboundQuota, + _In_ ULONG OutboundQuota, + _In_opt_ PLARGE_INTEGER DefaultTimeout +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateMailslotFile( + _Out_ PHANDLE FileHandle, + _In_ ULONG DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG CreateOptions, + _In_ ULONG MailslotQuota, + _In_ ULONG MaximumMessageSize, + _In_ PLARGE_INTEGER ReadTimeout +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCancelIoFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCancelIoFileEx( + _In_ HANDLE FileHandle, + _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, + _Out_ PIO_STATUS_BLOCK IoStatusBlock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCancelSynchronousIoFile( + _In_ HANDLE ThreadHandle, + _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, + _Out_ PIO_STATUS_BLOCK IoStatusBlock +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateSymbolicLinkObject( + _Out_ PHANDLE LinkHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ PUNICODE_STRING LinkTarget +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenSymbolicLinkObject( + _Out_ PHANDLE LinkHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySymbolicLinkObject( + _In_ HANDLE LinkHandle, + _Inout_ PUNICODE_STRING LinkTarget, + _Out_opt_ PULONG ReturnedLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtGetContextThread( + _In_ HANDLE ThreadHandle, + _Inout_ PCONTEXT ThreadContext +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetContextThread( + _In_ HANDLE ThreadHandle, + _In_ PCONTEXT ThreadContext +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenProcess( + _Out_ PHANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCLIENT_ID ClientId +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtTerminateProcess( + _In_opt_ HANDLE ProcessHandle, + _In_ NTSTATUS ExitStatus +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtGetNextProcess( + _In_ HANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _In_ ULONG Flags, + _Out_ PHANDLE NewProcessHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtGetNextThread( + _In_ HANDLE ProcessHandle, + _In_ HANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _In_ ULONG Flags, + _Out_ PHANDLE NewThreadHandle +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateDebugObject( + _Out_ PHANDLE DebugObjectHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG Flags +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDebugActiveProcess( + _In_ HANDLE ProcessHandle, + _In_ HANDLE DebugObjectHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtContinue( + _In_ PCONTEXT ContextRecord, + _In_ BOOLEAN TestAlert +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRaiseException( + _In_ PEXCEPTION_RECORD ExceptionRecord, + _In_ PCONTEXT ContextRecord, + _In_ BOOLEAN FirstChance +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateThread( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ProcessHandle, + _Out_ PCLIENT_ID ClientId, + _In_ PCONTEXT ThreadContext, + _In_ PINITIAL_TEB InitialTeb, + _In_ BOOLEAN CreateSuspended +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateThreadEx( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ProcessHandle, + _In_ PUSER_THREAD_START_ROUTINE StartRoutine, + _In_opt_ PVOID Argument, + _In_ ULONG CreateFlags, + _In_opt_ ULONG_PTR ZeroBits, + _In_opt_ SIZE_T StackSize, + _In_opt_ SIZE_T MaximumStackSize, + _In_opt_ PPS_ATTRIBUTE_LIST AttributeList +); +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAllocateReserveObject( + _Out_ PHANDLE MemoryReserveHandle, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ MEMORY_RESERVE_TYPE Type +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRegisterThreadTerminatePort( + _In_ HANDLE PortHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRaiseHardError( + _In_ NTSTATUS ErrorStatus, + _In_ ULONG NumberOfParameters, + _In_opt_ ULONG UnicodeStringParameterMask, + _In_ PULONG_PTR Parameters, + _In_ HARDERROR_RESPONSE_OPTION ResponseOption, + _Out_ PHARDERROR_RESPONSE Response +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAllocateVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _In_ ULONG_PTR ZeroBits, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG AllocationType, + _In_ ULONG Protect +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFreeVirtualMemory( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG FreeType +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReadVirtualMemory( + _In_ HANDLE ProcessHandle, + _In_opt_ PVOID BaseAddress, + _Out_ PVOID Buffer, + _In_ SIZE_T BufferSize, + _Out_opt_ PSIZE_T NumberOfBytesRead +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWriteVirtualMemory( + _In_ HANDLE ProcessHandle, + _In_opt_ PVOID BaseAddress, + _In_ CONST VOID* Buffer, + _In_ SIZE_T BufferSize, + _Out_opt_ PSIZE_T NumberOfBytesWritten +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAllocateUserPhysicalPages( + _In_ HANDLE ProcessHandle, + _Inout_ PULONG_PTR NumberOfPages, + _Out_ PULONG_PTR UserPfnArray +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtMapUserPhysicalPages( + _In_ PVOID VirtualAddress, + _In_ ULONG_PTR NumberOfPages, + _In_ PULONG_PTR UserPfnArray +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtMapUserPhysicalPagesScatter( + _In_ PVOID* VirtualAddresses, + _In_ ULONG_PTR NumberOfPages, + _In_ PULONG_PTR UserPfnArray +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFreeUserPhysicalPages( + _In_ HANDLE ProcessHandle, + _Inout_ PULONG_PTR NumberOfPages, + _In_ PULONG_PTR UserPfnArray +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySection( + _In_ HANDLE SectionHandle, + _In_ SECTION_INFORMATION_CLASS SectionInformationClass, + _Out_ PVOID SectionInformation, + _In_ SIZE_T SectionInformationLength, + _Out_opt_ PSIZE_T ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAreMappedFilesTheSame( + _In_ PVOID File1MappedAsAnImage, + _In_ PVOID File2MappedAsFile +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateSection( + _Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PLARGE_INTEGER MaximumSize, + _In_ ULONG SectionPageProtection, + _In_ ULONG AllocationAttributes, + _In_opt_ HANDLE FileHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenSection( + _Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtMapViewOfSection( + _In_ HANDLE SectionHandle, + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _In_ ULONG_PTR ZeroBits, + _In_ SIZE_T CommitSize, + _Inout_opt_ PLARGE_INTEGER SectionOffset, + _Inout_ PSIZE_T ViewSize, + _In_ SECTION_INHERIT InheritDisposition, + _In_ ULONG AllocationType, + _In_ ULONG Win32Protect +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenSession( + _Out_ PHANDLE SessionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtNotifyChangeDirectoryFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ FILE_NOTIFY_INFORMATION Buffer, + _In_ ULONG Length, + _In_ ULONG CompletionFilter, + _In_ BOOLEAN WatchTree +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenFile( + _Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG ShareAccess, + _In_ ULONG OpenOptions +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryDirectoryFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass, + _In_ BOOLEAN ReturnSingleEntry, + _In_opt_ PUNICODE_STRING FileName, + _In_ BOOLEAN RestartScan +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryEaFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID Buffer, + _In_ ULONG Length, + _In_ BOOLEAN ReturnSingleEntry, + _In_ PVOID EaList, + _In_ ULONG EaListLength, + _In_opt_ PULONG EaIndex, + _In_ BOOLEAN RestartScan +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetEaFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PVOID Buffer, + _In_ ULONG Length +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadDriver( + _In_ PUNICODE_STRING DriverServiceName +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadDriver( + _In_ PUNICODE_STRING DriverServiceName +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReadFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID Buffer, + _In_ ULONG Length, + _In_opt_ PLARGE_INTEGER ByteOffset, + _In_opt_ PULONG Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReadFileScatter( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PFILE_SEGMENT_ELEMENT SegmentArray, + _In_ ULONG Length, + _In_opt_ PLARGE_INTEGER ByteOffset, + _In_opt_ PULONG Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWriteFileGather( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PFILE_SEGMENT_ELEMENT SegmentArray, + _In_ ULONG Length, + _In_opt_ PLARGE_INTEGER ByteOffset, + _In_opt_ PULONG Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteFile( + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWriteFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ PVOID Buffer, + _In_ ULONG Length, + _In_opt_ PLARGE_INTEGER ByteOffset, + _In_opt_ PULONG Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeviceIoControlFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG IoControlCode, + _In_opt_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_opt_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationObject( + _In_ HANDLE Handle, + _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, + _In_ PVOID ObjectInformation, + _In_ ULONG ObjectInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDuplicateObject( + _In_ HANDLE SourceProcessHandle, + _In_ HANDLE SourceHandle, + _In_opt_ HANDLE TargetProcessHandle, + _Out_opt_ PHANDLE TargetHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _In_ ULONG Options +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtMakePermanentObject( + _In_ HANDLE Object +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtMakeTemporaryObject( + _In_ HANDLE Handle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateDirectoryObject( + _Out_ PHANDLE DirectoryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenDirectoryObject( + _Out_ PHANDLE DirectoryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryDirectoryObject( + _In_ HANDLE DirectoryHandle, + _Out_ PVOID Buffer, + _In_ ULONG BufferLength, + _In_ BOOLEAN ReturnSingleEntry, + _In_ BOOLEAN RestartScan, + _Inout_ PULONG Context, + _Out_opt_ PULONG ReturnLength +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreatePrivateNamespace( + _Out_ PHANDLE NamespaceHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ PVOID BoundaryDescriptor +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenPrivateNamespace( + _Out_ PHANDLE NamespaceHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ PVOID BoundaryDescriptor +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeletePrivateNamespace( + _In_ HANDLE NamespaceHandle +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenThread( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCLIENT_ID ClientId +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtTerminateThread( + _In_opt_ HANDLE ThreadHandle, + _In_ NTSTATUS ExitStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemTime( + _Out_ PLARGE_INTEGER SystemTime +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSystemTime( + _In_opt_ PLARGE_INTEGER SystemTime, + _Out_opt_ PLARGE_INTEGER PreviousTime +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryTimerResolution( + _Out_ PULONG MaximumTime, + _Out_ PULONG MinimumTime, + _Out_ PULONG CurrentTime +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetTimerResolution( + _In_ ULONG DesiredTime, + _In_ BOOLEAN SetResolution, + _Out_ PULONG ActualTime +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryPerformanceCounter( + _Out_ PLARGE_INTEGER PerformanceCounter, + _Out_opt_ PLARGE_INTEGER PerformanceFrequency +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAllocateLocallyUniqueId( + _Out_ PLUID Luid +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetUuidSeed( + _In_ PCHAR Seed +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAllocateUuids( + _Out_ PULARGE_INTEGER Time, + _Out_ PULONG Range, + _Out_ PULONG Sequence, + _Out_ PCHAR Seed +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateEvent( + _Out_ PHANDLE EventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ EVENT_TYPE EventType, + _In_ BOOLEAN InitialState +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenEvent( + _Out_ PHANDLE EventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetEvent( + _In_ HANDLE EventHandle, + _Out_opt_ PLONG PreviousState +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResetEvent( + _In_ HANDLE EventHandle, + _Out_opt_ PLONG PreviousState +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtClearEvent( + _In_ HANDLE EventHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryQuotaInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID Buffer, + _In_ ULONG Length, + _In_ BOOLEAN ReturnSingleEntry, + _In_opt_ PVOID SidList, + _In_ ULONG SidListLength, + _In_opt_ PSID StartSid, + _In_ BOOLEAN RestartScan +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryVolumeInformationFile( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID FsInformation, + _In_ ULONG Length, + _In_ FS_INFORMATION_CLASS FsInformationClass +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateKey( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Reserved_ ULONG TitleIndex, + _In_opt_ PUNICODE_STRING Class, + _In_ ULONG CreateOptions, + _Out_opt_ PULONG Disposition +); + +#if NTDDI_VERSION >= PNTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateKeyTransacted( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Reserved_ ULONG TitleIndex, + _In_opt_ PUNICODE_STRING Class, + _In_ ULONG CreateOptions, + _In_ HANDLE TransactionHandle, + _Out_opt_ PULONG Disposition +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenKey( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +#if NTDDI_VERSION >= PNTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenKeyTransacted( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE TransactionHandle +); +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenKeyEx( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG OpenOptions +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenKeyTransactedEx( + _Out_ PHANDLE KeyHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG OpenOptions, + _In_ HANDLE TransactionHandle +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteKey( + _In_ HANDLE KeyHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRenameKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING NewName +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryKey( + _In_ HANDLE KeyHandle, + _In_ KEY_INFORMATION_CLASS KeyInformationClass, + _Out_ PVOID KeyInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationKey( + _In_ HANDLE KeyHandle, + _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, + _In_ PVOID KeySetInformation, + _In_ ULONG KeySetInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName, + _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + _Out_ PVOID KeyValueInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName, + _In_opt_ ULONG TitleIndex, + _In_ ULONG Type, + _In_ PVOID Data, + _In_ ULONG DataSize +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryMultipleValueKey( + _In_ HANDLE KeyHandle, + _Inout_ PKEY_VALUE_ENTRY ValueEntries, + _In_ ULONG EntryCount, + _Out_ PVOID ValueBuffer, + _Inout_ PULONG BufferLength, + _Out_opt_ PULONG RequiredBufferLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateKey( + _In_ HANDLE KeyHandle, + _In_ ULONG Index, + _In_ KEY_INFORMATION_CLASS KeyInformationClass, + _Out_ PVOID KeyInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateValueKey( + _In_ HANDLE KeyHandle, + _In_ ULONG Index, + _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + _Out_ PVOID KeyValueInformation, + _In_ ULONG Length, + _Out_ PULONG ResultLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFlushKey( + _In_ HANDLE KeyHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCompactKeys( + _In_ ULONG Count, + _In_ PHANDLE KeyArray +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCompressKey( + _In_ HANDLE Key +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadKey( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ POBJECT_ATTRIBUTES SourceFile +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadKey2( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ POBJECT_ATTRIBUTES SourceFile, + _In_ ULONG Flags +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLoadKeyEx( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ POBJECT_ATTRIBUTES SourceFile, + _In_ ULONG Flags, + _In_opt_ HANDLE TrustClassKey, + _In_opt_ HANDLE Event, + _In_opt_ ACCESS_MASK DesiredAccess, + _Out_opt_ PHANDLE RootHandle, + _Out_opt_ PIO_STATUS_BLOCK IoStatus +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReplaceKey( + _In_ POBJECT_ATTRIBUTES NewFile, + _In_ HANDLE TargetHandle, + _In_ POBJECT_ATTRIBUTES OldFile +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSaveKey( + _In_ HANDLE KeyHandle, + _In_ HANDLE FileHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSaveKeyEx( + _In_ HANDLE KeyHandle, + _In_ HANDLE FileHandle, + _In_ ULONG Format +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSaveMergedKeys( + _In_ HANDLE HighPrecedenceKeyHandle, + _In_ HANDLE LowPrecedenceKeyHandle, + _In_ HANDLE FileHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRestoreKey( + _In_ HANDLE KeyHandle, + _In_ HANDLE FileHandle, + _In_ ULONG Flags +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadKey( + _In_ POBJECT_ATTRIBUTES TargetKey +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadKey2( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ ULONG Flags +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnloadKeyEx( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_opt_ HANDLE Event +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtNotifyChangeKey( + _In_ HANDLE KeyHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG CompletionFilter, + _In_ BOOLEAN WatchTree, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _In_ BOOLEAN Asynchronous +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtNotifyChangeMultipleKeys( + _In_ HANDLE MasterKeyHandle, + _In_opt_ ULONG Count, + _In_ POBJECT_ATTRIBUTES SubordinateObjects, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG CompletionFilter, + _In_ BOOLEAN WatchTree, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _In_ BOOLEAN Asynchronous +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryOpenSubKeys( + _In_ POBJECT_ATTRIBUTES TargetKey, + _Out_ PULONG HandleCount +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryOpenSubKeysEx( + _In_ POBJECT_ATTRIBUTES TargetKey, + _In_ ULONG BufferLength, + _Out_ PVOID Buffer, + _Out_ PULONG RequiredSize +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtInitializeRegistry( + _In_ USHORT BootCondition +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLockRegistryKey( + _In_ HANDLE KeyHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtLockProductActivationKeys( + _Inout_opt_ ULONG* pPrivateVer, + _Out_opt_ ULONG* pSafeMode +); + +#if NTDDI_VERSION >= PNTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFreezeRegistry( + _In_ ULONG TimeOutInSeconds +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtThawRegistry( +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDelayExecution( + _In_ BOOLEAN Alertable, + _In_ PLARGE_INTEGER DelayInterval +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCallbackReturn( + _In_ PVOID OutputBuffer, + _In_ ULONG OutputLength, + _In_ NTSTATUS Status +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +VOID +NTAPI +NtFlushProcessWriteBuffers( +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryDebugFilterState( + _In_ ULONG ComponentId, + _In_ ULONG Level +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetDebugFilterState( + _In_ ULONG ComponentId, + _In_ ULONG Level, + _In_ BOOLEAN State +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRemoveProcessDebug( + _In_ HANDLE ProcessHandle, + _In_ HANDLE DebugObjectHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForDebugEvent( + _In_ HANDLE DebugObjectHandle, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout, + _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDebugContinue( + _In_ HANDLE DebugObjectHandle, + _In_ PCLIENT_ID ClientId, + _In_ NTSTATUS ContinueStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationDebugObject( + _In_ HANDLE DebugObjectHandle, + _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, + _In_ PVOID DebugInformation, + _In_ ULONG DebugInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenProcessToken( + _In_ HANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _Out_ PHANDLE TokenHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenProcessTokenEx( + _In_ HANDLE ProcessHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ ULONG HandleAttributes, + _Out_ PHANDLE TokenHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenThreadToken( + _In_ HANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ BOOLEAN OpenAsSelf, + _Out_ PHANDLE TokenHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenThreadTokenEx( + _In_ HANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ BOOLEAN OpenAsSelf, + _In_ ULONG HandleAttributes, + _Out_ PHANDLE TokenHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateToken( + _Out_ PHANDLE TokenHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ TOKEN_TYPE TokenType, + _In_ PLUID AuthenticationId, + _In_ PLARGE_INTEGER ExpirationTime, + _In_ PTOKEN_USER User, + _In_ PTOKEN_GROUPS Groups, + _In_ PTOKEN_PRIVILEGES Privileges, + _In_opt_ PTOKEN_OWNER Owner, + _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, + _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, + _In_ PTOKEN_SOURCE TokenSource +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDuplicateToken( + _In_ HANDLE ExistingTokenHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ BOOLEAN EffectiveOnly, + _In_ TOKEN_TYPE TokenType, + _Out_ PHANDLE NewTokenHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAdjustPrivilegesToken( + _In_ HANDLE TokenHandle, + _In_ BOOLEAN DisableAllPrivileges, + _In_opt_ PTOKEN_PRIVILEGES NewState, + _In_ ULONG BufferLength, + _Out_opt_ PTOKEN_PRIVILEGES PreviousState, + _Out_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAdjustGroupsToken( + _In_ HANDLE TokenHandle, + _In_ BOOLEAN ResetToDefault, + _In_opt_ PTOKEN_GROUPS NewState, + _In_opt_ ULONG BufferLength, + _Out_ PTOKEN_GROUPS PreviousState, + _Out_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFilterToken( + _In_ HANDLE ExistingTokenHandle, + _In_ ULONG Flags, + _In_opt_ PTOKEN_GROUPS SidsToDisable, + _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, + _In_opt_ PTOKEN_GROUPS RestrictedSids, + _Out_ PHANDLE NewTokenHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationToken( + _In_ HANDLE TokenHandle, + _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, + _In_ PVOID TokenInformation, + _In_ ULONG TokenInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCompareTokens( + _In_ HANDLE FirstTokenHandle, + _In_ HANDLE SecondTokenHandle, + _Out_ PBOOLEAN Equal +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPrivilegeCheck( + _In_ HANDLE ClientToken, + _Inout_ PPRIVILEGE_SET RequiredPrivileges, + _Out_ PBOOLEAN Result +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtImpersonateAnonymousToken( + _In_ HANDLE ThreadHandle +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySecurityAttributesToken( + _In_ HANDLE TokenHandle, + _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes, + _In_ ULONG NumberOfAttributes, + _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Buffer, + _In_ ULONG Length, + _Out_ PULONG ReturnLength +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAccessCheck( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ HANDLE ClientToken, + _In_ ACCESS_MASK DesiredAccess, + _In_ PGENERIC_MAPPING GenericMapping, + _Out_ PPRIVILEGE_SET PrivilegeSet, + _Inout_ PULONG PrivilegeSetLength, + _Out_ PACCESS_MASK GrantedAccess, + _Out_ PNTSTATUS AccessStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAccessCheckByType( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_opt_ PSID PrincipalSelfSid, + _In_ HANDLE ClientToken, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_TYPE_LIST ObjectTypeList, + _In_ ULONG ObjectTypeListLength, + _In_ PGENERIC_MAPPING GenericMapping, + _Out_ PPRIVILEGE_SET PrivilegeSet, + _Inout_ PULONG PrivilegeSetLength, + _Out_ PACCESS_MASK GrantedAccess, + _Out_ PNTSTATUS AccessStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAccessCheckByTypeResultList( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_opt_ PSID PrincipalSelfSid, + _In_ HANDLE ClientToken, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_TYPE_LIST ObjectTypeList, + _In_ ULONG ObjectTypeListLength, + _In_ PGENERIC_MAPPING GenericMapping, + _Out_ PPRIVILEGE_SET PrivilegeSet, + _Inout_ PULONG PrivilegeSetLength, + _Out_ PACCESS_MASK GrantedAccess, + _Out_ PNTSTATUS AccessStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateIoCompletion( + _Out_ PHANDLE IoCompletionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ ULONG Count +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenIoCompletion( + _Out_ PHANDLE IoCompletionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryIoCompletion( + _In_ HANDLE IoCompletionHandle, + _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + _Out_ PVOID IoCompletionInformation, + _In_ ULONG IoCompletionInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetIoCompletion( + _In_ HANDLE IoCompletionHandle, + _In_opt_ PVOID KeyContext, + _In_opt_ PVOID ApcContext, + _In_ NTSTATUS IoStatus, + _In_ ULONG_PTR IoStatusInformation +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetIoCompletionEx( + _In_ HANDLE IoCompletionHandle, + _In_ HANDLE IoCompletionPacketHandle, + _In_opt_ PVOID KeyContext, + _In_opt_ PVOID ApcContext, + _In_ NTSTATUS IoStatus, + _In_ ULONG_PTR IoStatusInformation +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRemoveIoCompletion( + _In_ HANDLE IoCompletionHandle, + _Out_ PVOID* KeyContext, + _Out_ PVOID* ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_opt_ PLARGE_INTEGER Timeout +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRemoveIoCompletionEx( + _In_ HANDLE IoCompletionHandle, + _Out_ PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, + _In_ ULONG Count, + _Out_ PULONG NumEntriesRemoved, + _In_opt_ PLARGE_INTEGER Timeout, + _In_ BOOLEAN Alertable +); +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtNotifyChangeSession( + _In_ HANDLE SessionHandle, + _In_ ULONG ChangeSequenceNumber, + _In_ PLARGE_INTEGER ChangeTimeStamp, + _In_ IO_SESSION_EVENT Event, + _In_ IO_SESSION_STATE NewState, + _In_ IO_SESSION_STATE PreviousState, + _In_ PVOID Payload, + _In_ ULONG PayloadSize +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateMutant( + _Out_ PHANDLE MutantHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ BOOLEAN InitialOwner +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenMutant( + _Out_ PHANDLE MutantHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReleaseMutant( + _In_ HANDLE MutantHandle, + _Out_opt_ PLONG PreviousCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAlertThread( + _In_ HANDLE ThreadHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAlertResumeThread( + _In_ HANDLE ThreadHandle, + _Out_opt_ PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtTestAlert( +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtImpersonateThread( + _In_ HANDLE ServerThreadHandle, + _In_ HANDLE ClientThreadHandle, + _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateSemaphore( + _Out_ PHANDLE SemaphoreHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ LONG InitialCount, + _In_ LONG MaximumCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenSemaphore( + _Out_ PHANDLE SemaphoreHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReleaseSemaphore( + _In_ HANDLE SemaphoreHandle, + _In_ LONG ReleaseCount, + _Out_opt_ PLONG PreviousCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySemaphore( + _In_ HANDLE SemaphoreHandle, + _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + _Out_ PVOID SemaphoreInformation, + _In_ ULONG SemaphoreInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateTimer( + _Out_ PHANDLE TimerHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ TIMER_TYPE TimerType +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenTimer( + _Out_ PHANDLE TimerHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetTimer( + _In_ HANDLE TimerHandle, + _In_ PLARGE_INTEGER DueTime, + _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine, + _In_opt_ PVOID TimerContext, + _In_ BOOLEAN ResumeTimer, + _In_opt_ LONG Period, + _Out_opt_ PBOOLEAN PreviousState +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetTimerEx( + _In_ HANDLE TimerHandle, + _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, + _Inout_ PVOID TimerSetInformation, + _In_ ULONG TimerSetInformationLength +); +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCancelTimer( + _In_ HANDLE TimerHandle, + _Out_opt_ PBOOLEAN CurrentState +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryTimer( + _In_ HANDLE TimerHandle, + _In_ TIMER_INFORMATION_CLASS TimerInformationClass, + _Out_ PVOID TimerInformation, + _In_ ULONG TimerInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateKeyedEvent( + _Out_ PHANDLE KeyedEventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ ULONG Flags +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenKeyedEvent( + _Out_ PHANDLE KeyedEventHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReleaseKeyedEvent( + _In_ HANDLE KeyedEventHandle, + _In_ PVOID KeyValue, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForKeyedEvent( + _In_ HANDLE KeyedEventHandle, + _In_ PVOID KeyValue, + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER Timeout +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUmsThreadYield( + _In_ PVOID SchedulerParam +); +#endif + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateTransactionManager( + _Out_ PHANDLE TmHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PUNICODE_STRING LogFileName, + _In_opt_ ULONG CreateOptions, + _In_opt_ ULONG CommitStrength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenTransactionManager( + _Out_ PHANDLE TmHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PUNICODE_STRING LogFileName, + _In_opt_ LPGUID TmIdentity, + _In_opt_ ULONG OpenOptions +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRenameTransactionManager( + _In_ PUNICODE_STRING LogFileName, + _In_ LPGUID ExistingTransactionManagerGuid +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRollforwardTransactionManager( + _In_ HANDLE TransactionManagerHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRecoverTransactionManager( + _In_ HANDLE TransactionManagerHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationTransactionManager( + _In_ HANDLE TransactionManagerHandle, + _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, + _Out_ PVOID TransactionManagerInformation, + _In_ ULONG TransactionManagerInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationTransactionManager( + _In_opt_ HANDLE TmHandle, + _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, + _In_ PVOID TransactionManagerInformation, + _In_ ULONG TransactionManagerInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateTransactionObject( + _In_opt_ HANDLE RootObjectHandle, + _In_ KTMOBJECT_TYPE QueryType, + _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, + _In_ ULONG ObjectCursorLength, + _Out_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateTransaction( + _Out_ PHANDLE TransactionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ LPGUID Uow, + _In_opt_ HANDLE TmHandle, + _In_opt_ ULONG CreateOptions, + _In_opt_ ULONG IsolationLevel, + _In_opt_ ULONG IsolationFlags, + _In_opt_ PLARGE_INTEGER Timeout, + _In_opt_ PUNICODE_STRING Description +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenTransaction( + _Out_ PHANDLE TransactionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ LPGUID Uow, + _In_opt_ HANDLE TmHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationTransaction( + _In_ HANDLE TransactionHandle, + _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + _Out_ PVOID TransactionInformation, + _In_ ULONG TransactionInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationTransaction( + _In_ HANDLE TransactionHandle, + _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + _In_ PVOID TransactionInformation, + _In_ ULONG TransactionInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCommitTransaction( + _In_ HANDLE TransactionHandle, + _In_ BOOLEAN Wait +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRollbackTransaction( + _In_ HANDLE TransactionHandle, + _In_ BOOLEAN Wait +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateEnlistment( + _Out_ PHANDLE EnlistmentHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ HANDLE ResourceManagerHandle, + _In_ HANDLE TransactionHandle, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ ULONG CreateOptions, + _In_ NOTIFICATION_MASK NotificationMask, + _In_opt_ PVOID EnlistmentKey +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenEnlistment( + _Out_ PHANDLE EnlistmentHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ HANDLE ResourceManagerHandle, + _In_ LPGUID EnlistmentGuid, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + _Out_ PVOID EnlistmentInformation, + _In_ ULONG EnlistmentInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationEnlistment( + _In_opt_ HANDLE EnlistmentHandle, + _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + _In_ PVOID EnlistmentInformation, + _In_ ULONG EnlistmentInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRecoverEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PVOID EnlistmentKey +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPrePrepareEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPrepareEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCommitEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRollbackEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPrePrepareComplete( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPrepareComplete( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCommitComplete( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReadOnlyEnlistment( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRollbackComplete( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSinglePhaseReject( + _In_ HANDLE EnlistmentHandle, + _In_opt_ PLARGE_INTEGER TmVirtualClock +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateResourceManager( + _Out_ PHANDLE ResourceManagerHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ HANDLE TmHandle, + _In_ LPGUID RmGuid, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ ULONG CreateOptions, + _In_opt_ PUNICODE_STRING Description +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtOpenResourceManager( + _Out_ PHANDLE ResourceManagerHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ HANDLE TmHandle, + _In_opt_ LPGUID ResourceManagerGuid, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRecoverResourceManager( + _In_ HANDLE ResourceManagerHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtGetNotificationResourceManager( + _In_ HANDLE ResourceManagerHandle, + _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, + _In_ ULONG NotificationLength, + _In_opt_ PLARGE_INTEGER Timeout, + _Out_opt_ PULONG ReturnLength, + _In_ ULONG Asynchronous, + _In_opt_ ULONG_PTR AsynchronousContext +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationResourceManager( + _In_ HANDLE ResourceManagerHandle, + _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + _Out_ PVOID ResourceManagerInformation, + _In_ ULONG ResourceManagerInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationResourceManager( + _In_ HANDLE ResourceManagerHandle, + _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + _In_ PVOID ResourceManagerInformation, + _In_ ULONG ResourceManagerInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRegisterProtocolAddressInformation( + _In_ HANDLE ResourceManager, + _In_ PCRM_PROTOCOL_ID ProtocolId, + _In_ ULONG ProtocolInformationSize, + _In_ PVOID ProtocolInformation, + _In_opt_ ULONG CreateOptions +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPropagationComplete( + _In_ HANDLE ResourceManagerHandle, + _In_ ULONG RequestCookie, + _In_ ULONG BufferLength, + _In_ PVOID Buffer +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtPropagationFailed( + _In_ HANDLE ResourceManagerHandle, + _In_ ULONG RequestCookie, + _In_ NTSTATUS PropStatus +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtFreezeTransactions( + _In_ PLARGE_INTEGER FreezeTimeout, + _In_ PLARGE_INTEGER ThawTimeout +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtThawTransactions( +); +#endif + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSCALLAPI +NTSTATUS +NTAPI +NtCreateWorkerFactory( + _Out_ PHANDLE WorkerFactoryHandleReturn, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE CompletionPortHandle, + _In_ HANDLE WorkerProcessHandle, + _In_ PUSER_THREAD_START_ROUTINE StartRoutine, + _In_opt_ PVOID StartParameter, + _In_opt_ ULONG MaxThreadCount, + _In_opt_ SIZE_T StackReserve, + _In_opt_ SIZE_T StackCommit +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationWorkerFactory( + _In_ HANDLE WorkerFactoryHandle, + _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + _Out_ PVOID WorkerFactoryInformation, + _In_ ULONG WorkerFactoryInformationLength, + _Out_opt_ PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationWorkerFactory( + _In_ HANDLE WorkerFactoryHandle, + _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + _In_ PVOID WorkerFactoryInformation, + _In_ ULONG WorkerFactoryInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtShutdownWorkerFactory( + _In_ HANDLE WorkerFactoryHandle, + _Inout_ volatile LONG* PendingWorkerCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtReleaseWorkerFactoryWorker( + _In_ HANDLE WorkerFactoryHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWorkerFactoryWorkerReady( + _In_ HANDLE WorkerFactoryHandle +); +#endif + +#if NTDDI_VERSION >= NTDDI_VISTA +#if NTDDI_VERSION >= NTDDI_WIN8 || defined(_WIN64) +// Windows 8+ declaration, but can be used on any x64 Windows Vista+ +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForWorkViaWorkerFactory( + _In_ HANDLE WorkerFactoryHandle, + _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket, + _In_ ULONG Count, + _Out_ PULONG NumEntriesRemoved, + _In_ PLARGE_INTEGER Unknown // Wrong type (but works) +); +#else +// Windows Vista/7 x86 +NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForWorkViaWorkerFactory( + _In_ HANDLE WorkerFactoryHandle, + _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket +); +#endif +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemEnvironmentValue( + _In_ PUNICODE_STRING VariableName, + _Out_ PWSTR VariableValue, + _In_ USHORT ValueLength, + _Out_opt_ PUSHORT ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSystemEnvironmentValue( + _In_ PUNICODE_STRING VariableName, + _In_ PUNICODE_STRING VariableValue +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemEnvironmentValueEx( + _In_ PUNICODE_STRING VariableName, + _In_ LPGUID VendorGuid, + _Out_ PVOID Value, + _Inout_ PULONG ValueLength, + _Out_opt_ PULONG Attributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSystemEnvironmentValueEx( + _In_ PUNICODE_STRING VariableName, + _In_ LPGUID VendorGuid, + _In_ PVOID Value, + _In_ ULONG ValueLength, + _In_ ULONG Attributes +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateSystemEnvironmentValuesEx( + _In_ ULONG InformationClass, + _Out_ PVOID Buffer, + _Inout_ PULONG BufferLength +); + +#if NTDDI_VERSION >= NTDDI_VISTA + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAddBootEntry( + _In_ PBOOT_ENTRY BootEntry, + _Out_opt_ PULONG Id +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteBootEntry( + _In_ ULONG Id +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtModifyBootEntry( + _In_ PBOOT_ENTRY BootEntry +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateBootEntries( + _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, + _Inout_ PULONG BufferLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryBootEntryOrder( + _Out_writes_opt_(*Count) PULONG Ids, + _Inout_ PULONG Count +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetBootEntryOrder( + _In_reads_(Count) PULONG Ids, + _In_ ULONG Count +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryBootOptions( + _Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions, + _Inout_ PULONG BootOptionsLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetBootOptions( + _In_ PBOOT_OPTIONS BootOptions, + _In_ ULONG FieldsToChange +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtTranslateFilePath( + _In_ PFILE_PATH InputFilePath, + _In_ ULONG OutputType, + _Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath, + _Inout_opt_ PULONG OutputFilePathLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtAddDriverEntry( + _In_ PEFI_DRIVER_ENTRY DriverEntry, + _Out_opt_ PULONG Id +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDeleteDriverEntry( + _In_ ULONG Id +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtModifyDriverEntry( + _In_ PEFI_DRIVER_ENTRY DriverEntry +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnumerateDriverEntries( + _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, + _Inout_ PULONG BufferLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryDriverEntryOrder( + _Out_writes_opt_(*Count) PULONG Ids, + _Inout_ PULONG Count +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetDriverEntryOrder( + _In_reads_(Count) PULONG Ids, + _In_ ULONG Count +); + +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSerializeBoot( +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtEnableLastKnownGood( +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtDisableLastKnownGood( +); + +#endif + +NTSYSAPI +ULONG +__cdecl +DbgPrint( + _In_ PCH Format, + ... +); + +NTSYSAPI +ULONG +__cdecl +DbgPrintEx( + _In_ ULONG ComponentId, + _In_ ULONG Level, + _In_ PCSTR Format, + ... +); + +NTSYSAPI +VOID +NTAPI +DbgBreakPoint( +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiConnectToDbg( +); + +NTSYSAPI +HANDLE +NTAPI +DbgUiGetThreadDebugObject( +); + +NTSYSAPI +VOID +NTAPI +DbgUiSetThreadDebugObject( + _In_ HANDLE DebugObject +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiWaitStateChange( + _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, + _In_opt_ PLARGE_INTEGER Timeout +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiContinue( + _In_ PCLIENT_ID AppClientId, + _In_ NTSTATUS ContinueStatus +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiStopDebugging( + _In_ HANDLE Process +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiDebugActiveProcess( + _In_ HANDLE Process +); + +NTSYSAPI +VOID +NTAPI +DbgUiRemoteBreakin( + _In_ PVOID Context +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiIssueRemoteBreakin( + _In_ HANDLE Process +); + +NTSYSAPI +NTSTATUS +NTAPI +DbgUiConvertStateChangeStructure( + _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, + _Out_ DEBUG_EVENT* DebugEvent +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrLoadDll( + _In_opt_ PCWSTR DllPath, + _In_opt_ PULONG DllCharacteristics, + _In_ PUNICODE_STRING DllName, + _Out_ PVOID* DllHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrGetDllHandle( + _In_opt_ PCWSTR DllPath, + _In_opt_ PULONG DllCharacteristics, + _In_ PUNICODE_STRING DllName, + _Out_ PVOID* DllHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrGetDllHandleEx( + _In_ ULONG Flags, + _In_opt_ PCWSTR DllPath, + _In_opt_ PULONG DllCharacteristics, + _In_ PUNICODE_STRING DllName, + _Out_opt_ PVOID* DllHandle +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +LdrGetDllHandleByMapping( + _In_ PVOID Base, + _Out_ PVOID* DllHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrGetDllHandleByName( + _In_opt_ PUNICODE_STRING BaseDllName, + _In_opt_ PUNICODE_STRING FullDllName, + _Out_ PVOID* DllHandle +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +LdrGetProcedureAddress( + _In_ PVOID DllHandle, + _In_opt_ CONST PANSI_STRING ProcedureName, + _In_opt_ ULONG ProcedureNumber, + _Out_ PVOID* ProcedureAddress +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +LdrGetProcedureAddressEx( + _In_ PVOID DllHandle, + _In_opt_ PANSI_STRING ProcedureName, + _In_opt_ ULONG ProcedureNumber, + _Out_ PVOID* ProcedureAddress, + _In_ ULONG Flags +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +LdrLockLoaderLock( + _In_ ULONG Flags, + _Out_opt_ ULONG* Disposition, + _Out_ PVOID* Cookie +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrUnlockLoaderLock( + _In_ ULONG Flags, + _Inout_ PVOID Cookie +); + +NTSYSAPI +PIMAGE_BASE_RELOCATION +NTAPI +LdrProcessRelocationBlock( + _In_ ULONG_PTR VA, + _In_ ULONG SizeOfBlock, + _In_ PUSHORT NextOffset, + _In_ LONG_PTR Diff +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrUnloadDll( + _In_ PVOID DllHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrDisableThreadCalloutsForDll( + _In_ PVOID DllHandle +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +LdrOpenImageFileOptionsKey( + _In_ PUNICODE_STRING SubKey, + _In_ BOOLEAN Wow64, + _Out_ PHANDLE NewKeyHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrQueryImageFileKeyOption( + _In_ HANDLE KeyHandle, + _In_ PCWSTR ValueName, + _In_ ULONG Type, + _Out_ PVOID Buffer, + _In_ ULONG BufferSize, + _Out_opt_ PULONG ReturnedLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +LdrVerifyImageMatchesChecksum( + _In_ HANDLE ImageFileHandle, + _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine, + _In_ PVOID ImportCallbackParameter, + _Out_opt_ PUSHORT ImageCharacteristics +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +LdrVerifyImageMatchesChecksumEx( + _In_ HANDLE ImageFileHandle, + _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +LdrFindResourceDirectory_U( + _In_ PVOID DllHandle, + _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath, + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrFindResource_U( + _In_ PVOID DllHandle, + _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath, + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry +); + +NTSYSAPI +NTSTATUS +NTAPI +LdrFindResourceEx_U( + _In_opt_ ULONG Flags, + _In_ PVOID DllHandle, + _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath, + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry +); + +NTSYSAPI +VOID +NTAPI +RtlAssert( + _In_ PVOID VoidFailedAssertion, + _In_ PVOID VoidFileName, + _In_ ULONG LineNumber, + _In_opt_ PSTR MutableMessage +); + +NTSYSAPI +DECLSPEC_NORETURN +VOID +NTAPI +RtlRaiseStatus( + _In_ NTSTATUS Status +); + +NTSYSAPI +VOID +NTAPI +RtlRaiseException( + _In_ PEXCEPTION_RECORD ExceptionRecord +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlConnectToSm( + _In_ PUNICODE_STRING ApiPortName, + _In_ HANDLE ApiPortHandle, + _In_ DWORD ProcessImageType, + _Out_ PHANDLE SmssConnection +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSendMsgToSm( + _In_ HANDLE ApiPortHandle, + _In_ PPORT_MESSAGE MessageData +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlRegisterThreadWithCsrss( +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlEnterCriticalSection( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLeaveCriticalSection( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +LOGICAL +NTAPI +RtlIsCriticalSectionLocked( + _In_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +LOGICAL +NTAPI +RtlIsCriticalSectionLockedByThread( + _In_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +ULONG +NTAPI +RtlGetCriticalSectionRecursionCount( + _In_ PRTL_CRITICAL_SECTION CriticalSection +); +#endif + +NTSYSAPI +LOGICAL +NTAPI +RtlTryEnterCriticalSection( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInitializeCriticalSection( + _Out_ PRTL_CRITICAL_SECTION CriticalSection +); + +NTSYSAPI +VOID +NTAPI +RtlEnableEarlyCriticalSectionEventCreation( +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInitializeCriticalSectionAndSpinCount( + _Out_ PRTL_CRITICAL_SECTION CriticalSection, + _In_ ULONG SpinCount +); + +NTSYSAPI +ULONG +NTAPI +RtlSetCriticalSectionSpinCount( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection, + _In_ ULONG SpinCount +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDeleteCriticalSection( + _Inout_ PRTL_CRITICAL_SECTION CriticalSection +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +BOOL +NTAPI +RtlQueryPerformanceFrequency( + _Out_ PLARGE_INTEGER Frequency +); +#else +FORCEINLINE +BOOL +NTAPI +RtlQueryPerformanceFrequency( + _Out_ PLARGE_INTEGER Frequency +) +{ + LARGE_INTEGER _; + return NT_SUCCESS(NtQueryPerformanceCounter(&_, + Frequency)); +} +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +BOOL +NTAPI +RtlQueryPerformanceCounter( + _Out_ PLARGE_INTEGER PerformanceCount +); +#else +FORCEINLINE +BOOL +NTAPI +RtlQueryPerformanceCounter( + _Out_ PLARGE_INTEGER PerformanceCount +) +{ + return NT_SUCCESS(NtQueryPerformanceCounter(PerformanceCount, + NULL)); +} +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetCompressionWorkSpaceSize( + _In_ USHORT CompressionFormatAndEngine, + _Out_ PULONG CompressBufferWorkSpaceSize, + _Out_ PULONG CompressFragmentWorkSpaceSize +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCompressBuffer( + _In_ USHORT CompressionFormatAndEngine, + _In_ PUCHAR UncompressedBuffer, + _In_ ULONG UncompressedBufferSize, + _Out_ PUCHAR CompressedBuffer, + _In_ ULONG CompressedBufferSize, + _In_ ULONG UncompressedChunkSize, + _Out_ PULONG FinalCompressedSize, + _In_ PVOID WorkSpace +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDecompressBuffer( + _In_ USHORT CompressionFormat, + _Out_ PUCHAR UncompressedBuffer, + _In_ ULONG UncompressedBufferSize, + _In_ PUCHAR CompressedBuffer, + _In_ ULONG CompressedBufferSize, + _Out_ PULONG FinalUncompressedSize +); + +NTSYSAPI +PVOID +NTAPI +RtlCreateHeap( + _In_ ULONG Flags, + _In_opt_ PVOID HeapBase, + _In_opt_ SIZE_T ReserveSize, + _In_opt_ SIZE_T CommitSize, + _In_opt_ PVOID Lock, + _In_opt_ PRTL_HEAP_PARAMETERS Parameters +); + +NTSYSAPI +PVOID +NTAPI +RtlDestroyHeap( + _Inout_ PVOID HeapHandle +); + +NTSYSAPI +PVOID +NTAPI +RtlAllocateHeap( + _In_ PVOID HeapHandle, + _In_opt_ ULONG Flags, + _In_ SIZE_T Size +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlFreeHeap( + _In_ PVOID HeapHandle, + _In_opt_ ULONG Flags, + _Inout_opt_ PVOID BaseAddress +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlWalkHeap( + _In_ PVOID HeapHandle, + _Inout_ PRTL_HEAP_WALK_ENTRY Entry +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryHeapInformation( + _In_ PVOID HeapHandle, + _In_ HEAP_INFORMATION_CLASS HeapInformationClass, + _Out_opt_ PVOID HeapInformation, + _In_opt_ SIZE_T HeapInformationLength, + _Out_opt_ PSIZE_T ReturnLength +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetHeapInformation( + _In_ PVOID HeapHandle, + _In_ HEAP_INFORMATION_CLASS HeapInformationClass, + _In_opt_ PVOID HeapInformation, + _In_opt_ SIZE_T HeapInformationLength +); + +NTSYSAPI +SIZE_T +NTAPI +RtlSizeHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlZeroHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags +); + +NTSYSAPI +VOID +NTAPI +RtlProtectHeap( + _In_ PVOID HeapHandle, + _In_ BOOLEAN MakeReadOnly +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlLockHeap( + _In_ PVOID HeapHandle +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlUnlockHeap( + _In_ PVOID HeapHandle +); + +NTSYSAPI +PVOID +NTAPI +RtlReAllocateHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _Inout_opt_ PVOID BaseAddress, + _In_ SIZE_T Size +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlGetUserInfoHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress, + _Out_opt_ PVOID* UserValue, + _Out_opt_ PULONG UserFlags +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlSetUserValueHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress, + _In_ PVOID UserValue +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlSetUserFlagsHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress, + _In_ ULONG UserFlagsReset, + _In_ ULONG UserFlagsSet +); + +NTSYSAPI +ULONG +NTAPI +RtlCreateTagHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_opt_ PWSTR TagPrefix, + _In_ PWSTR TagNames +); + +NTSYSAPI +PWSTR +NTAPI +RtlQueryTagHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ USHORT TagIndex, + _In_ BOOLEAN ResetCounters, + _Out_opt_ PRTL_HEAP_TAG_INFO TagInfo +); + +NTSYSAPI +SIZE_T +NTAPI +RtlCompactHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidateHeap( + _In_ PVOID HeapHandle, + _In_ ULONG Flags, + _In_ PVOID BaseAddress +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidateProcessHeaps( +); + +NTSYSAPI +ULONG +NTAPI +RtlGetProcessHeaps( + _In_ ULONG NumberOfHeaps, + _Out_ PVOID* ProcessHeaps +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlEnumProcessHeaps( + _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine, + _In_ PVOID Parameter +); + +NTSYSAPI +ULONG +NTAPI +RtlUniform( + _Inout_ PULONG Seed +); + +NTSYSAPI +ULONG +NTAPI +RtlRandom( + _Inout_ PULONG Seed +); + +NTSYSAPI +ULONG +NTAPI +RtlRandomEx( + _Inout_ PULONG Seed +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlFindMessage( + _In_ PVOID DllHandle, + _In_ ULONG MessageTableId, + _In_ ULONG MessageLanguageId, + _In_ ULONG MessageId, + _Out_ PMESSAGE_RESOURCE_ENTRY* MessageEntry +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlFormatMessage( + _In_ PCWSTR MessageFormat, + _In_ ULONG MaximumWidth, + _In_ BOOLEAN IgnoreInserts, + _In_ BOOLEAN ArgumentsAreAnsi, + _In_ BOOLEAN ArgumentsAreAnArray, + _In_ va_list* Arguments, + _Out_ PWSTR Buffer, + _In_ ULONG Length, + _Out_opt_ PULONG ReturnLength +); + +NTSYSAPI +ULONG +NTAPI +RtlNtStatusToDosError( + _In_ NTSTATUS Status +); + +NTSYSAPI +ULONG +NTAPI +RtlNtStatusToDosErrorNoTeb( + _In_ NTSTATUS Status +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetLastNtStatus( +); + +NTSYSAPI +LONG +NTAPI +RtlGetLastWin32Error( +); + +NTSYSAPI +VOID +NTAPI +RtlSetLastWin32ErrorAndNtStatusFromNtStatus( + _In_ NTSTATUS Status +); + +NTSYSAPI +VOID +NTAPI +RtlSetLastWin32Error( + _In_ LONG Win32Error +); + +NTSYSAPI +VOID +NTAPI +RtlRestoreLastWin32Error( + _In_ LONG Win32Error +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +ULONG +NTAPI +RtlGetThreadErrorMode( +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetThreadErrorMode( + _In_ ULONG NewMode, + _Out_opt_ PULONG OldMode +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlUpcaseUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +VOID +NTAPI +RtlInitUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_opt_ PWSTR SourceString +); + +NTSYSAPI +VOID +NTAPI +RtlInitAnsiString( + _Out_ PANSI_STRING DestinationString, + _In_opt_ PSTR SourceString +); + +NTSYSAPI +VOID +NTAPI +RtlCopyUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAppendUnicodeToString( + _In_ PUNICODE_STRING Destination, + _In_opt_ PCWSTR Source +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAnsiStringToUnicodeString( + _Inout_ PUNICODE_STRING DestinationString, + _In_ PANSI_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlUnicodeStringToAnsiString( + _Inout_ PANSI_STRING DestinationString, + _In_ PUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +VOID +NTAPI +RtlFreeAnsiString( + _Inout_ PANSI_STRING AnsiString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDefaultNpAcl( + _Out_ PACL* Dacl +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateEnvironment( + _In_ BOOLEAN CloneCurrentEnvironment, + _Out_ PVOID* Environment +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateEnvironmentEx( + _In_ PVOID SourceEnv, + _Out_ PVOID* Environment, + _In_ ULONG Flags +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlDestroyEnvironment( + _In_ PVOID Environment +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetCurrentEnvironment( + _In_ PVOID Environment, + _Out_opt_ PVOID* PreviousEnvironment +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlSetEnvironmentVar( + _In_opt_ PWSTR* Environment, + _In_ PWSTR Name, + _In_ SIZE_T NameLength, + _In_ PWSTR Value, + _In_ SIZE_T ValueLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetEnvironmentVariable( + _In_opt_ PVOID* Environment, + _In_ PUNICODE_STRING Name, + _In_ PUNICODE_STRING Value +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryEnvironmentVariable( + _In_opt_ PVOID Environment, + _In_ PWSTR Name, + _In_ SIZE_T NameLength, + _Out_ PWSTR Value, + _In_ SIZE_T ValueLength, + _Out_ PSIZE_T ReturnLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryEnvironmentVariable_U( + _In_opt_ PVOID Environment, + _In_ PUNICODE_STRING Name, + _Out_ PUNICODE_STRING Value +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlExpandEnvironmentStrings( + _In_opt_ PVOID Environment, + _In_ PWSTR Src, + _In_ SIZE_T SrcLength, + _Out_ PWSTR Dst, + _In_ SIZE_T DstLength, + _Out_opt_ PSIZE_T ReturnLength +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlExpandEnvironmentStrings_U( + _In_opt_ PVOID Environment, + _In_ PUNICODE_STRING Source, + _Out_ PUNICODE_STRING Destination, + _Out_opt_ PULONG ReturnedLength +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlSetEnvironmentStrings( + _In_ PWCHAR NewEnvironment, + _In_ SIZE_T NewEnvironmentSize +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateProcessParameters( + _Out_ PRTL_USER_PROCESS_PARAMETERS* pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateProcessParametersEx( + _Out_ PRTL_USER_PROCESS_PARAMETERS* pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData, + _In_ ULONG Flags // Pass RTL_USER_PROCESS_PARAMETERS_NORMALIZED to keep parameters normalized +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlDestroyProcessParameters( + _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters +); + +NTSYSAPI +PRTL_USER_PROCESS_PARAMETERS +NTAPI +RtlNormalizeProcessParams( + _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters +); + +NTSYSAPI +PRTL_USER_PROCESS_PARAMETERS +NTAPI +RtlDeNormalizeProcessParams( + _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateUserProcess( + _In_ PUNICODE_STRING NtImagePathName, + _In_ ULONG AttributesDeprecated, + _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, + _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, + _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + _In_opt_ HANDLE ParentProcess, + _In_ BOOLEAN InheritHandles, + _In_opt_ HANDLE DebugPort, + _In_opt_ HANDLE TokenHandle, // used to be ExceptionPort + _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateUserThread( + _In_ HANDLE Process, + _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + _In_ BOOLEAN CreateSuspended, + _In_opt_ ULONG ZeroBits, + _In_opt_ SIZE_T MaximumStackSize, + _In_opt_ SIZE_T CommittedStackSize, + _In_ PUSER_THREAD_START_ROUTINE StartAddress, + _In_opt_ PVOID Parameter, + _Out_opt_ PHANDLE Thread, + _Out_opt_ PCLIENT_ID ClientId +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDosApplyFileIsolationRedirection_Ustr( + _In_ ULONG Flags, + _In_ PUNICODE_STRING OriginalName, + _In_ PUNICODE_STRING Extension, + _Inout_ PUNICODE_STRING StaticString, + _Inout_ PUNICODE_STRING DynamicString, + _Inout_ PUNICODE_STRING* NewName, + _In_ PULONG NewFlags, + _In_ PSIZE_T FileNameSize, + _In_ PSIZE_T RequiredLength +); + +NTSYSAPI +PIMAGE_NT_HEADERS +NTAPI +RtlImageNtHeader( + _In_ PVOID ImageBase +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlImageNtHeaderEx( + _In_opt_ ULONG Flags, + _In_ PVOID Base, + _In_ ULONG64 Size, + _Out_ PIMAGE_NT_HEADERS* OutHeaders +); +#endif + +NTSYSAPI +PVOID +NTAPI +RtlImageDirectoryEntryToData( + _In_ PVOID ImageBase, + _In_ BOOLEAN MappedAsImage, + _In_ USHORT DirectoryEntry, + _Out_ PULONG Size +); + +NTSYSAPI +PVOID +NTAPI +RtlPcToFileHeader( + _In_ PVOID PcValue, + _Out_ PVOID* BaseOfImage +); + +NTSYSAPI +PVOID +NTAPI +RtlAddressInSectionTable( + _In_ PIMAGE_NT_HEADERS NtHeaders, + _In_ PVOID BaseOfImage, + _In_ ULONG VirtualAddress +); + +NTSYSAPI +PIMAGE_SECTION_HEADER +NTAPI +RtlImageRvaToSection( + _In_ PIMAGE_NT_HEADERS NtHeaders, + _In_ PVOID Base, + _In_ ULONG Rva +); + +NTSYSAPI +PVOID +NTAPI +RtlImageRvaToVa( + _In_ PIMAGE_NT_HEADERS NtHeaders, + _In_ PVOID Base, + _In_ ULONG Rva, + _Inout_opt_ PIMAGE_SECTION_HEADER* LastRvaSection +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryProcessHeapInformation( + _Inout_ PRTL_DEBUG_INFORMATION Buffer +); + +NTSYSAPI +PRTL_DEBUG_INFORMATION +NTAPI +RtlCreateQueryDebugBuffer( + _In_opt_ ULONG MaximumCommit, + _In_ BOOLEAN UseEventPair +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryProcessDebugInformation( + _In_ HANDLE UniqueProcessId, + _In_ ULONG Flags, + _Inout_ PRTL_DEBUG_INFORMATION Buffer +); + +#ifdef _WIN64 +NTSYSAPI +VOID +WINAPI +RtlRestoreContext( + _In_ PCONTEXT ContextRecord, + _In_opt_ PEXCEPTION_RECORD ExceptionRecord +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlAdjustPrivilege( + _In_ ULONG Privilege, + _In_ BOOLEAN Enable, + _In_ BOOLEAN Client, + _Out_ PBOOLEAN WasEnabled +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlAcquirePrivilege( + _In_ PULONG Privilege, + _In_ ULONG NumPriv, + _In_ ULONG Flags, + _Out_ PVOID* ReturnedState +); + +NTSYSAPI +VOID +NTAPI +RtlReleasePrivilege( + _In_ PVOID StatePointer +); +#endif + +NTSYSAPI +ULONG +NTAPI +RtlGetFullPathName_U( + _In_ PWSTR FileName, + _In_ ULONG BufferLength, + _Out_ PWSTR Buffer, + _Out_opt_ PWSTR* FilePart +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlDosPathNameToNtPathName_U( + _In_ PCWSTR DosFileName, + _Out_ PUNICODE_STRING NtFileName, + _Out_opt_ PWSTR* FilePart, + _Reserved_ PVOID Reserved +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +BOOLEAN +NTAPI +RtlDosPathNameToRelativeNtPathName_U( + _In_ PCWSTR DosFileName, + _Out_ PUNICODE_STRING NtFileName, + _Out_opt_ PWSTR* FilePart, + _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDosPathNameToRelativeNtPathName_U_WithStatus( + _In_ PWSTR DosFileName, + _Out_ PUNICODE_STRING NtFileName, + _Out_opt_ PWSTR* FilePart, + _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName +); +#endif + +NTSYSAPI +RTL_PATH_TYPE +NTAPI +RtlDetermineDosPathNameType_U( + _In_ PCWSTR Path +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +NTSTATUS +NTAPI +RtlGetFullPathName_UstrEx( + _In_ PUNICODE_STRING FileName, + _In_opt_ PUNICODE_STRING StaticString, + _In_opt_ PUNICODE_STRING DynamicString, + _Out_opt_ PUNICODE_STRING* StringUsed, + _Out_opt_ PSIZE_T FilePartSize, + _Out_opt_ PBOOLEAN NameInvalid, + _Out_ RTL_PATH_TYPE* PathType, + _Out_opt_ PSIZE_T LengthNeeded +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetCurrentDirectory_U( + _In_ PUNICODE_STRING PathName +); + +#if NTDDI_VERSION >= NTDDI_WS03 +NTSYSAPI +VOID +NTAPI +RtlReleaseRelativeName( + _In_ PRTL_RELATIVE_NAME_U RelativeName +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +RtlNtPathNameToDosPathName( + _In_ ULONG Flags, + _Inout_ PRTL_UNICODE_STRING_BUFFER Path, + _Out_opt_ PULONG Disposition, + _Inout_opt_ PWSTR* FilePart +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +VOID +NTAPI +RtlInitializeSRWLock( + _Out_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlAcquireSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlAcquireSRWLockShared( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlReleaseSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlReleaseSRWLockShared( + _Inout_ PRTL_SRWLOCK SRWLock +); +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +BOOLEAN +NTAPI +RtlTryAcquireSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlTryAcquireSRWLockShared( + _Inout_ PRTL_SRWLOCK SRWLock +); + +NTSYSAPI +VOID +NTAPI +RtlAcquireReleaseSRWLockExclusive( + _Inout_ PRTL_SRWLOCK SRWLock +); +#endif + +NTSYSAPI +ULONG +NTAPI +RtlWalkFrameChain( + _Out_ PVOID* Callers, + _In_ ULONG Count, + _In_ ULONG Flags +); + +NTSYSAPI +PPREFIX_TABLE_ENTRY +NTAPI +PfxFindPrefix( + _In_ PPREFIX_TABLE PrefixTable, + _In_ PANSI_STRING FullName +); + +NTSYSAPI +VOID +NTAPI +PfxInitialize( + _Out_ PPREFIX_TABLE PrefixTable +); + +NTSYSAPI +BOOLEAN +NTAPI +PfxInsertPrefix( + _In_ PPREFIX_TABLE PrefixTable, + _In_ PANSI_STRING Prefix, + _Out_ PPREFIX_TABLE_ENTRY PrefixTableEntry +); + +NTSYSAPI +VOID +NTAPI +PfxRemovePrefix( + _In_ PPREFIX_TABLE PrefixTable, + _In_ PPREFIX_TABLE_ENTRY PrefixTableEntry +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAbsoluteToSelfRelativeSD( + _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + _Out_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + _Inout_ PULONG BufferLength +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAccessAllowedAce( + _Inout_ PACL Acl, + _In_ ULONG AceRevision, + _In_ ACCESS_MASK AccessMask, + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAccessAllowedAceEx( + _Inout_ PACL Acl, + _In_ ULONG AceRevision, + _In_ ULONG AceFlags, + _In_ ACCESS_MASK AccessMask, + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAce( + _Inout_ PACL Acl, + _In_ ULONG AceRevision, + _In_ ULONG StartingAceIndex, + _In_ PVOID AceList, + _In_ ULONG AceListLength +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAddAtomToAtomTable( + _In_ PVOID AtomTableHandle, + _In_ PWSTR AtomName, + _Inout_opt_ PRTL_ATOM Atom +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlAppendUnicodeStringToString( + PUNICODE_STRING Destination, + PCUNICODE_STRING Source +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreAllAccessesGranted( + _In_ ACCESS_MASK GrantedAccess, + _In_ ACCESS_MASK DesiredAccess +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreAnyAccessesGranted( + _In_ ACCESS_MASK GrantedAccess, + _In_ ACCESS_MASK DesiredAccess +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreBitsClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG Length +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreBitsSet( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG Length +); + +NTSYSAPI +VOID +NTAPI +RtlCaptureContext( + _Out_ PCONTEXT ContextRecord +); + +NTSYSAPI +USHORT +NTAPI +RtlCaptureStackBackTrace( + _In_ ULONG FramesToSkip, + _In_ ULONG FramesToCapture, + _Out_ PVOID* BackTrace, + _Out_opt_ PULONG BackTraceHash +); + +NTSYSAPI +VOID +NTAPI +RtlClearAllBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +VOID +NTAPI +RtlClearBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG NumberToClear +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateSystemVolumeInformationFolder( + _In_ PCUNICODE_STRING VolumeRootPath +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +LONG +NTAPI +RtlCompareAltitudes( + _In_ PCUNICODE_STRING Altitude1, + _In_ PCUNICODE_STRING Altitude2 +); +#endif + +NTSYSAPI +LONG +NTAPI +RtlCompareUnicodeString( + _In_ PCUNICODE_STRING String1, + _In_ PCUNICODE_STRING String2, + _In_ BOOLEAN CaseInSensitive +); + +NTSYSAPI +ULONG32 +NTAPI +RtlComputeCrc32( + _In_ ULONG32 PartialCrc, + _In_ PVOID Buffer, + _In_ ULONG Length +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlConvertSidToUnicodeString( + _Inout_ PUNICODE_STRING UnicodeString, + _In_ PSID Sid, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +VOID +NTAPI +RtlCopyLuid( + _Out_ PLUID DestinationLuid, + _In_ PLUID SourceLuid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCopySid( + _In_ ULONG DestinationSidLength, + _Out_ PSID DestinationSid, + _In_ PSID SourceSid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateAcl( + _Out_ PACL Acl, + _In_ ULONG AclLength, + _In_ ULONG AclRevision +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateAtomTable( + _In_ ULONG NumberOfBuckets, + _Out_ PVOID* AtomTableHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDecompressFragment( + _In_ USHORT CompressionFormat, + _Out_ PUCHAR UncompressedFragment, + _In_ ULONG UncompressedFragmentSize, + _In_ PUCHAR CompressedBuffer, + _In_ ULONG CompressedBufferSize, + _In_ ULONG FragmentOffset, + _Out_ PULONG FinalUncompressedSize, + _In_ PVOID WorkSpace +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlDelete( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDeleteAce( + _Inout_ PACL Acl, + _In_ ULONG AceIndex +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDeleteAtomFromAtomTable( + _In_ PVOID AtomTableHandle, + _In_ RTL_ATOM Atom +); + +NTSYSAPI +VOID +NTAPI +RtlDeleteNoSplay( + _In_ PRTL_SPLAY_LINKS Links, + _Inout_ PRTL_SPLAY_LINKS* Root +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDowncaseUnicodeString( + _Out_ PUNICODE_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlDuplicateUnicodeString( + _In_ ULONG Flags, + _In_ UNICODE_STRING* StringIn, + _Out_ UNICODE_STRING* StringOut +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlEmptyAtomTable( + _In_ PVOID AtomTableHandle, + _In_ BOOLEAN IncludePinnedAtoms +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlEqualSid( + _In_ PSID Sid1, + _In_ PSID Sid2 +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlEqualString( + _In_ PANSI_STRING String1, + _In_ PANSI_STRING String2, + _In_ BOOLEAN CaseInSensitive +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlEqualUnicodeString( + _In_ PCUNICODE_STRING String1, + _In_ PCUNICODE_STRING String2, + _In_ BOOLEAN CaseInSensitive +); + +NTSYSAPI +ULONG +NTAPI +RtlFindClearBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindClearBitsAndSet( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindClearRuns( + _In_ PRTL_BITMAP BitMapHeader, + _Out_ PRTL_BITMAP_RUN RunArray, + _In_ ULONG SizeOfRunArray, + _In_ BOOLEAN LocateLongestRuns +); + +NTSYSAPI +ULONG +NTAPI +RtlFindLastBackwardRunClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG FromIndex, + _In_ PULONG StartingRunIndex +); + +NTSYSAPI +CCHAR +NTAPI +RtlFindLeastSignificantBit( + _In_ ULONGLONG Set +); + +NTSYSAPI +ULONG +NTAPI +RtlFindLongestRunClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ PULONG StartingIndex +); + +NTSYSAPI +CCHAR +NTAPI +RtlFindMostSignificantBit( + _In_ ULONGLONG Set +); + +NTSYSAPI +ULONG +NTAPI +RtlFindNextForwardRunClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG FromIndex, + _In_ PULONG StartingRunIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindSetBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +ULONG +NTAPI +RtlFindSetBitsAndClear( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG NumberToFind, + _In_ ULONG HintIndex +); + +NTSYSAPI +VOID +NTAPI +RtlGetCallersAddress( + _Out_ PVOID* CallersAddress, + _Out_ PVOID* CallersCaller +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetDaclSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PBOOLEAN DaclPresent, + _Out_ PACL* Dacl, + _Out_ PBOOLEAN DaclDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetGroupSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PSID* Group, + _Out_ PBOOLEAN GroupDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetOwnerSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PSID* Owner, + _Out_ PBOOLEAN OwnerDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetSaclSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_ PBOOLEAN SaclPresent, + _Out_ PACL* Sacl, + _Out_ PBOOLEAN SaclDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetSetBootStatusData( + _In_ HANDLE Handle, + _In_ BOOLEAN Get, + _In_ RTL_BSD_ITEM_TYPE DataItem, + _In_ PVOID DataBuffer, + _In_ ULONG DataBufferLength, + _Out_opt_ PULONG ByteRead +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateBootStatusDataFile( +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGetVersion( + _Out_ PRTL_OSVERSIONINFOW lpVersionInformation +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGUIDFromString( + _In_ PUNICODE_STRING GuidString, + _Out_ GUID* Guid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlHashUnicodeString( + _In_ UNICODE_STRING* String, + _In_ BOOLEAN CaseInSensitive, + _In_ ULONG HashAlgorithm, + _Out_ PULONG HashValue +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInitializeSid( + _Out_ PSID Sid, + _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, + _In_ UCHAR SubAuthorityCount +); + +NTSYSAPI +ULONG +NTAPI +RtlLengthRequiredSid( + _In_ ULONG SubAuthorityCount +); + +NTSYSAPI +ULONG +NTAPI +RtlLengthSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor +); + +NTSYSAPI +ULONG +NTAPI +RtlLengthSid( + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLockBootStatusData( + _Out_ PHANDLE BootStatusDataHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLookupAtomInAtomTable( + _In_ PVOID AtomTableHandle, + _In_ PWSTR AtomName, + _Out_opt_ PRTL_ATOM Atom +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlMapSecurityErrorToNtStatus( + _In_ SECURITY_STATUS Error +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlMultiByteToUnicodeN( + _Out_ PWCH UnicodeString, + _In_ ULONG MaxBytesInUnicodeString, + _Out_opt_ PULONG BytesInUnicodeString, + _In_ PCSTR MultiByteString, + _In_ ULONG BytesInMultiByteString +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlMultiByteToUnicodeSize( + _Out_ PULONG BytesInUnicodeString, + _In_ PCSTR MultiByteString, + _In_ ULONG BytesInMultiByteString +); + +NTSYSAPI +ULONG +NTAPI +RtlNumberOfClearBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +ULONG +NTAPI +RtlNumberOfSetBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlQueryAtomInAtomTable( + _In_ PVOID AtomTableHandle, + _In_ RTL_ATOM Atom, + _Out_opt_ PULONG AtomUsage, + _Out_opt_ PULONG AtomFlags, + _Inout_opt_ PWSTR AtomName, + _Inout_opt_ PULONG AtomNameLength +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlRealPredecessor( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlRealSuccessor( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +VOID +NTAPI +RtlRunDecodeUnicodeString( + _In_ UCHAR Seed, + _Inout_ PUNICODE_STRING String +); + +NTSYSAPI +VOID +NTAPI +RtlRunEncodeUnicodeString( + _In_opt_ PUCHAR Seed, + _Inout_ PUNICODE_STRING String +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSelfRelativeToAbsoluteSD( + _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + _Out_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + _Inout_ PULONG AbsoluteSecurityDescriptorSize, + _Out_ PACL Dacl, + _Inout_ PULONG DaclSize, + _Out_ PACL Sacl, + _Inout_ PULONG SaclSize, + _Out_opt_ PSID Owner, + _Inout_ PULONG OwnerSize, + _Out_opt_ PSID PrimaryGroup, + _Inout_ PULONG PrimaryGroupSize +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSelfRelativeToAbsoluteSD2( + _Inout_ PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, + _Inout_ PULONG pBufferSize +); + +NTSYSAPI +VOID +NTAPI +RtlSetAllBits( + _In_ PRTL_BITMAP BitMapHeader +); + +NTSYSAPI +VOID +NTAPI +RtlSetBits( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG StartingIndex, + _In_ ULONG NumberToSet +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetDaclSecurityDescriptor( + _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ BOOLEAN DaclPresent, + _In_opt_ PACL Dacl, + _In_ BOOLEAN DaclDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetGroupSecurityDescriptor( + _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_opt_ PSID Group, + _In_opt_ BOOLEAN GroupDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetOwnerSecurityDescriptor( + _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_opt_ PSID Owner, + _In_ BOOLEAN OwnerDefaulted +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlSetSaclSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ BOOLEAN SaclPresent, + _In_opt_ PACL Sacl, + _In_opt_ BOOLEAN SaclDefaulted +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlSplay( + _Inout_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlStringFromGUID( + _In_ REFGUID Guid, + _Out_ PUNICODE_STRING GuidString +); + +NTSYSAPI +PUCHAR +NTAPI +RtlSubAuthorityCountSid( + _In_ PSID Sid +); + +NTSYSAPI +PULONG +NTAPI +RtlSubAuthoritySid( + _In_ PSID Sid, + _In_ ULONG SubAuthority +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlSubtreePredecessor( + _In_ PRTL_SPLAY_LINKS Links +); + +NTSYSAPI +PRTL_SPLAY_LINKS +NTAPI +RtlSubtreeSuccessor( + _In_ PRTL_SPLAY_LINKS Links +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +BOOLEAN +NTAPI +RtlTestBit( + _In_ PRTL_BITMAP BitMapHeader, + _In_ ULONG BitNumber +); +#endif + +NTSYSAPI +VOID +NTAPI +RtlUnlockBootStatusData( + _In_ HANDLE BootStatusDataHandle +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateSecurityDescriptor( + _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ ULONG Revision +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidRelativeSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptorInput, + _In_ ULONG SecurityDescriptorLength, + _In_ SECURITY_INFORMATION RequiredInformation +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidSecurityDescriptor( + _In_ PSECURITY_DESCRIPTOR SecurityDescriptor +); + +NTSYSAPI +BOOLEAN +NTAPI +RtlValidSid( + _In_ PSID Sid +); + +NTSYSAPI +NTSTATUS +NTAPI +RtlVerifyVersionInfo( + _In_ RTL_OSVERSIONINFOEXW VersionInfo, + _In_ ULONG TypeMask, + _In_ ULONGLONG ConditionMask +); + +NTSYSAPI +ULONGLONG +NTAPI +VerSetConditionMask( + _In_ ULONGLONG ConditionMask, + _In_ ULONG TypeMask, + _In_ UCHAR Condition +); + +#if NTDDI_VERSION >= NTDDI_VISTA +NTSYSAPI +NTSTATUS +NTAPI +TpAllocPool( + _Out_ PTP_POOL* PoolReturn, + _Reserved_ PVOID Reserved +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +TpDisablePoolCallbackChecks( + _Inout_ PTP_POOL Pool +); +#endif + +NTSYSAPI +VOID +NTAPI +TpReleasePool( + _Inout_ PTP_POOL Pool +); + +NTSYSAPI +VOID +NTAPI +TpSetPoolMaxThreads( + _Inout_ PTP_POOL Pool, + _In_ LONG MaxThreads +); + +NTSYSAPI +NTSTATUS +NTAPI +TpSetPoolMinThreads( + _Inout_ PTP_POOL Pool, + _In_ LONG MinThreads +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +TpQueryPoolStackInformation( + _In_ PTP_POOL Pool, + _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation +); + +NTSYSAPI +NTSTATUS +NTAPI +TpSetPoolStackInformation( + _Inout_ PTP_POOL Pool, + _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation +); +#endif + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocCleanupGroup( + _Out_ PTP_CLEANUP_GROUP* CleanupGroupReturn +); + +NTSYSAPI +VOID +NTAPI +TpReleaseCleanupGroup( + _Inout_ PTP_CLEANUP_GROUP CleanupGroup +); + +NTSYSAPI +VOID +NTAPI +TpReleaseCleanupGroupMembers( + _Inout_ PTP_CLEANUP_GROUP CleanupGroup, + _In_ LOGICAL CancelPendingCallbacks, + _Inout_opt_ PVOID CleanupParameter +); + +NTSYSAPI +NTSTATUS +NTAPI +TpSimpleTryPost( + _In_ PTP_SIMPLE_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocWork( + _Out_ PTP_WORK* WorkReturn, + _In_ PTP_WORK_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); + +NTSYSAPI +VOID +NTAPI +TpReleaseWork( + _Inout_ PTP_WORK Work +); + +NTSYSAPI +VOID +NTAPI +TpPostWork( + _Inout_ PTP_WORK Work +); + +NTSYSAPI +VOID +NTAPI +TpWaitForWork( + _Inout_ PTP_WORK Work, + _In_ LOGICAL CancelPendingCallbacks +); + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocTimer( + _Out_ PTP_TIMER* Timer, + _In_ PTP_TIMER_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); + +NTSYSAPI +VOID +NTAPI +TpReleaseTimer( + _Inout_ PTP_TIMER Timer +); + +NTSYSAPI +VOID +NTAPI +TpSetTimer( + _Inout_ PTP_TIMER Timer, + _In_opt_ PLARGE_INTEGER DueTime, + _In_ LONG Period, + _In_opt_ LONG WindowLength +); + +NTSYSAPI +LOGICAL +NTAPI +TpIsTimerSet( + _In_ PTP_TIMER Timer +); + +NTSYSAPI +VOID +NTAPI +TpWaitForTimer( + _Inout_ PTP_TIMER Timer, + _In_ LOGICAL CancelPendingCallbacks +); + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocWait( + _Out_ PTP_WAIT* WaitReturn, + _In_ PTP_WAIT_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); + +NTSYSAPI +VOID +NTAPI +TpReleaseWait( + _Inout_ PTP_WAIT Wait +); + +NTSYSAPI +VOID +NTAPI +TpSetWait( + _Inout_ PTP_WAIT Wait, + _In_opt_ HANDLE Handle, + _In_opt_ PLARGE_INTEGER Timeout +); + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocIoCompletion( + _Out_ PTP_IO* IoReturn, + _In_ HANDLE File, + _In_ PTP_IO_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); + +NTSYSAPI +VOID +NTAPI +TpWaitForIoCompletion( + _Inout_ PTP_IO Io, + _In_ LOGICAL CancelPendingCallbacks +); + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocAlpcCompletion( + _Out_ PTP_ALPC* AlpcReturn, + _In_ HANDLE AlpcPort, + _In_ PTP_ALPC_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +TpAllocAlpcCompletionEx( + _Out_ PTP_ALPC* AlpcReturn, + _In_ HANDLE AlpcPort, + _In_ PTP_ALPC_CALLBACK_EX Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron +); +#endif + +NTSYSAPI +VOID +NTAPI +TpReleaseAlpcCompletion( + _Inout_ PTP_ALPC Alpc +); + +NTSYSAPI +VOID +NTAPI +TpWaitForAlpcCompletion( + _Inout_ PTP_ALPC Alpc +); +#endif + +#if NTDDI_VERSION >= NTDDI_WIN7 +NTSYSAPI +NTSTATUS +NTAPI +TpAlpcRegisterCompletionList( + _Inout_ PTP_ALPC Alpc +); + +NTSYSAPI +NTSTATUS +NTAPI +TpAlpcUnregisterCompletionList( + _Inout_ PTP_ALPC Alpc +); +#endif + +#ifdef __cplusplus +}; +#endif + +#endif // _NTDLL_H diff --git a/GleeBug/ntdll_x64.lib b/GleeBug/ntdll_x64.lib new file mode 100644 index 0000000000000000000000000000000000000000..8fae16c83dd69da1b1961b99389f8ac0aeae02e4 GIT binary patch literal 266752 zcmeF4f1FiC{r~68oCuK+iHyj|h{%W#5ebcm9}BX$EbH!qxDj}F?_KuF-Fw%2@9wf@ zYG!6;W=5uFW@ctaW=3XaW@ct)W@biaW<*3rL_|hL_IX|?4xMSSE<7b~V=fs&aXU>}A%4h1IbLO0M(k%J^nWGpx z>^Q~`e~$4nqZvP90pnw@QXDyoamjfIiM@((1B^>{Aq1~%*W8Z~jGv>q86kMpSk1)< ziT#SB)-o=+4eT+-CBLuH$*4&8@Oq`{;2_bmx1kI%gi35tGON>jN zLI_^BT!T1X2PRF^T!#?6evIY2_aFps!f{A$KnSLyJ|u`^DuMKgH?Pwm?KgvCmul`t2;MSVb1gzJZG`4rgapci zcq__7vI`-Y-mQ5WA$Z#w%{GK!2J$Pp3n4geiUxT-4$K^>89+$vQ5?U9amfP+!7Lo7 z1U|FC3GkDkjh#U3R?O~UT=FbJa3b<2*^dy+LA(;QxjEqNGc?yB1anb;l5-IfI}|6u zPx2^2aPnLY>h5Ilj)|Jf5Q2GJQ$|Q^Q@nElmn|1j>nMSgpASAy_g^gSuY=mWG--LSnn(l;w;| zwju<}j?r9-kl3$iJd<$=+H50OzCeRKEeEF}UlQc$R03_CXzI{Bh!Cupp+TNjfaZ~! zK7<6~CRQR}k~xkW2WW?grH-T20k6cbBcGbV_fnGLa-L~ zEZKq(yk~;uGK9o_#k#eOOYTDm)}ve`uvt%_Zy?S@xk#Qs2y%-wcOV3vlQo+Wg09h; za}W|c75R3?B@ZJ6g*lon2toJJnhOyUyA>N+8J8fB8$i!A4cdAS@q(h*$+!f0EP}I8 z4w73Df{hb3hNq~hbqGQK7|j4e0_}_#K)Fbe_5c{1qd{2?f=!b&S0V&M zBQ$8MLj;bUI0x-V@(4ok-dUQP5Q1|@YjEu65;%V1eMn#OAVP57e9cyb;C!Snxf~&Z zdLk|;Yjz?8???GdoQ`je3a%wgv1`j zht@JKL0TUImn_n3K?pvK^dy%eB#>v~Qsh&DHgYNW$PCR52*G9JHOS*-#BRk$QN9wC z(MQ4MC|}972*Jlf4a((X#N&!9<}xn12_g9SIL!qJ3B*ra*`awDA@~I9L4srX1lWvv zkX(+CK=~1$grDRQgy5=^HMb!IpPHiCj1XKsQiC>lHL*)^4dRg?j%&cRI1eOS5Q0xn z(4Y=JP3%!z*U7l#Nrd1t4Vt?Vg6mOE5*+*W;Ird3=OHBaDQ;N9xCC`_1Na>JP07^= z!Hr`y=O83-?8N8SX;3Gh2R9)-3C_8jz!yeq&P7N(r?`1FS+_OY5x2#IGEUt7+&WGg~&$I%)b%N@jvim#U#mmr^C2U}4Nl1CAOZ!FW` zSib@8oTtILcqjPgu^QCLH^E&vehJ$0UBnK>w^|vO+>a34eX{0Ogy7rAp9FdPHi7&R z_aJ`~Ev1KnL`avehOt8to(5faZUoJTpRr{5(VK zQ2ZA0NFGB7o?Wha6e0NCJk2c#!S;!oOArz$AL93&ng|N-jZ2pnizI z3}~K12=?GOBq)nL;IHkPM-YO&%^H-=Uhuay8sznFVBZ`K(%c9BezfLdgv1Mq{oRa9 zkpKPQABactFhcM=%3X3RLh#Q?n#~Boful56BLx3~UUE4?;-KP%JmV4^%M0M&$e-i} zgy7&<4a)K$fxHm^fuH0Ngy6;H8szOo@ZSZREeN+T!6s=gMF;|>89+$vQt(zLBo874 zVxHz^gdm)txfmg_SMjnu6OyM8f)PtKTM>enPuEIM=}EaN-%o=w>D)4icfmcq}AaAb(<0opaM+jauPJ=Rk6>&gu6!I?Fh7i2EMRPAgFkz174us$} zQ#6|qf{7zEb%eyziq|$VA;B@f792fSa}z@FI^;)kAwpueVp0ba5**_s@cP*r_`Dt* zGgh++A%XTnya9faM-hU_C?CmIgy4-xUxGIHMlfZH=4yoCO*jq-+TfcA#7RtT*F1s{ zym_hSeuUuI1)94Ng11c9AkMddX`?k4AS9kwytT}PWCubpeYNIcgy3!SHMb)KGbU@U zLI{o?gy0>MG#4Qx_ABP~Fd=ys zA$Vtp26=fWnBT5Jo0$*ZHCJ;BLa<=G2FJL7K)l4lKFxN7V9{#LLkPj*IU3|`F=&{g z*^Ce@LA#M4&Lv+2$r>I?n4L~XJ~Fj2$oOKpbVB1`xK|HV?y#M zLeMl@b3H<^Vyp&bzJkCp5zXzI`w@bbD0j&ggrEiGET4xXk z6didcB#$Em?{3f_t#^a96E(>5TJWB68kFgKh`ow+h)1#wAz0s}LEWqeXU^8#iV)-` zYc53yI!9{C2#H;au1+Q-Pa*{Q<(m5u0?ZF75N82&BVNgs2*C!f*@TclyhIPukf43_ zfZ`g>V+g@n$iL(sgka+g&GiUD3H2vI8I*_vir#fhNVXvaWz?T!D?(5~c}mVhNFZ&Z zuT}E^LU8sh&5Z~_73oQkR+ZSNsP!-*c^V<8w`lG~2>Q_uB-bMZ1Bge0I0lIQiorY+ z5|r^E*o1PHpzbz-A(XS^HiY1uDVpmLg7@OMB$p!u=c3#tn-CHxbK-p+nnw|W^G?>> zfDoKNPIC@I;u*yS4NOQ-h8KYMPu1Ln5L|eyhW-bb4^mu-5L^^$$_NP@Bk{onnwt@V zi>GL=MF>8`G-n|sP{zb1C}+ui2*HO@&XTJU5-%z)turCnjSzfft>%7&;Ie6&8xVqz z;`k*OA|wtdF7ISQ@;E~9u?Ec+gy0GsujFEc#0!d#_c0;ai4a_g^d*SnO7MwgnmZAK z%{YF^WeCA1xd!oklGv@dD$j)EIfUR-sACDr=2PJ6rJ6esf@_Y^T!|1|%QQU*3HT77 zZq?j_5L`DygSLAe_{>-hj`1_ZKE?HGnUFky5PWvJ=5mDK2BarJS~n1nD?Yb~3CXPp z!HwfIIG!5`lo|2)HJbYnf}0S(WHUnWg;0Ys`U3Hk;^qZRNNz(2zBoy92}0t4;+AeE zB#$BlUz)4A2_d+3j0SnSmDr*9at9NV2M~fS$d?3p+5)~3YU&7yXB4+BXF_rZLhx1O zOL7@PV!z^c#4kafZUcya*^H1l zsJIjDT=Ez~@J-Z@5^;CrJr7a}C~DDGd&gya!~;QRA5 zw;==%Ox2)F9srmZQj`%AI}{JLFd=ymA^71O&2SM@(@CBV7}%ygy3J3HE4tX0xxh4 z;&_2TJjB0OYmoN8!NFM?)WJdUpOKn#5fXb9FRo)k@&rQgUzC#s$Nt}YS;%H+u0{xg z(V8kkV!MJbXQAW{gg_jt*^Cf`V>Fu(63;4L*2F@|oe05*shX=0f|rMyK7_=RijnhK zDA|G#9CnoET!h39#VEut*@_SxK1G8(9Znonj6REnl5GgVE8r)&A0ZesOLGH4a0HG= zQb$POc!;sh8kF5waO5=26$r0bzrJxr%gWaF^$knf7PmIGw6APkU#{m%CANNj^Qxw% zq?(;C^-9~mY*q8A>l+rfFJy~r)rF-}r7Kr2EY9`S`>TaT{oUP#Dk3WO_N~uUTZ$Eh zS}nJs&{8Ru>uHXj9-cZSt?&~})h4`F^q1h@X_NNr;E!9dFYOpaM=iZURsxgnO7rTcRmI~E+uCr8V@2M7YmP3{SeA_66 zVx?NF4=pa`YPC3(gr=c$!y?4HQMM#)=gRO4kzsv!_viQ`LG!w<)s?Ukm4&#EFa ztl9v6#ff-wV_7ej`>m`6Pi=Dx@unf7raG z>Xm1`(kBmS1G*qPTWyX)+Mb>(+J$dh`zo@p6{>0HgC}27A6$&Hre0{TqVsDk*Xp@4 zLUVRzs-d6~C#NN4I;oeIavRL)nW0RGn+gL3y6DigB1373n<^VN6spT|<$TFBxGXK? zt%VK68qP17#Z&r=`P#xbr8H%#&*{VYoX+5*ieLa;oGHB6B}HdE^wrC=HB!%NbuQfw za#*e^R};q?+ox)q^3{c1)Ni*IYL)(Kbk$4BNs`aE7P=ec@PKN{5#dKeu@?90bcw>X zthTgLbv%YMLL5uV{kxi(dD`9gk0CEs5vcn&FgcrGoL^Gncs4$*JYaU>T9Np`ePDa!TCk7Rp;*3-Y*_Bx(m)O(@~h zSVn)?Q|w(*M(0^*7%Jy_i(PTuq^sdaO(&xOWAEXNbR16mCVLV{UDrn0Jdsk@MmtJJ z4$GB&g>qvrM!y&e6jt_8q18?;48<;42JkflFBC#CS1O*9Bk#o+Wt0lhc;b*|u|aD= z4&xEWBK%|JTBqad;VFkIQTCT?Ds=Tz9`td<2XP3yL&jvcyW!)4Wg<3|r^-=QhGGNb zs}EV7Q;p^BO0`#(t`|e58REeee_>xARY#6av(`dhb{|wl=pZ|Db_u@(TNNWBT9GRk zy9+fsA3CGEfGjP^d;05noRvDS@e%k6%hnm5C*_c=Dwkf$IW)Xk6pwQrDIa|%(GTaG zQ9}jo>1ZHZU8v$NLpI12xq4Smp|-fE(6zDF-y0wHFgDGl+QM=TBj$Xe1*fF;@um2^ zqSM&4=ggQbA(n!bh29KPPt#nd%W+>_57%2NRWr6t(w4Y9H#0%EC@VYf`KanVxcW%~ImQwGDUaO&G-E`5AbJ_dKTV@$PVeK&=$E`o zVf5F9ZgdC}IA{0AH!IotSVOlzEj>fEA|jyE+zbMTv#@k@9}yR+&dn+*jjdJ}tM&d| zX$5XM?F!J=t`=T>eLaOz-{Ks4EIq#vr;wt9N42mb*Vk9b)3Bk|-cxAH^;+j>suo_g zT5*H95VTj8S2~@W=wS?+<-`+RwA4gLls$7T(_*s2&10#tLK(BHETOTXxh*qI=*sY` zRLE7A&@ELQM=TYq?GPX`XsdQqDypF9fN?lUTvASs21cY;@Lz}Wkn;e zv>x1y%50tTsNyap9`Ly``XwiCoU4H?lNR=*jU~Xp^0q!XTau=UWacKvYZ^K(Piwrq zs*>p{nPbtCD_S)kTS>XGbX$%zk|LvTtmx9jP%3U6(#}yC`(!g$#}dmeON_+4IAKOY zW8>77Oq3*+wvbON3>X=Ov0afXmTIL+J>_^ERb=0fi5Wk4E0oaKG@~2Hw-o#2?SywA zuFiO%2gJNnN**jlWNQyfR3XZi8R^wbu$QhGczRaRm_8}DB;8IoBFh``NvW~Y_nKa+ zMjBi7=K6Xn(L`lZ9!Z9JJ1eDPS5vXPG4&*9OBxto@6x5pNDCtyx8IY;r24|h!nqdf zNTkeI&}<*gxVRmIjLK0ps~O|8sn%4L7NU!BI~Cc7L{hRU<%XjBy{PCtv9v>v=nQ3G zV?;(Dk6p~LOc}*;V`-0HTw7aXtesY^qLd<|x6fszR_C(%KXIvW6HKU0tgCaS{z5Y9 zNKAGEMa;0GACu1#ylf_Q@F>>$P~y&0C0~l){e5V+m=p4vtuMDM-C!`RcZOeRg&uEsx3de?4mSO%|t)jhA^{>d7pt|wNmcII6)R~&FWNMf~l2e zR6C}UBlk!H>rM4SId6KF$kLHEQ-4mA&dxb(%g6%vWA^Yq55>zGX>v%)6*%qA+bghJW&SF31Y`Z`vrHuv|&GcUtgNS!*_TPlO@ zgT8c~l(rYUHZHF8Ti1HzD;7!{S>~tH9EY8GOWIs-?CmR5YZaO!URbV_hk7gh-aT8k zh2yQBFR$!&E;g30qjx;L%c12HT@z`JR?c2xBAXu9Shq_lD#R}B>$vivK4Fc12 z@TlpUYb;|d7ZsN$COg%ssGHS={Ww7}=Vzvqv-Qn#f}&7%iihSbvFpDel|IX*%W6Ug+(sRCCp#6c1lV z9(~zeP^vQBrwvzGbn;QPq`4X!8N=#gVQ^))f9ZgmtAK4Kk10%Zxs4}pe7UiVucE%K zt!b_|S7-r-dT1X#$Z{G;wuS3$*SYPZ>fDyd1v7XW0ZrVrG7XyR^sFPwn^&J{I_2Ts zZjqh2^Njv??mJznio+=gGLQnLb8ae4111|sp={%OO4~4&Dl5ALDI!&J`ag4$RNtR85)_f z==JX4l#P*UtK`j@T}r9r{?nT1XWU3NA{iRyL?G7wab6q|9j}G8LzD7tv+9Rcsk3& zeF&PO&?0$jjqV1Q6MG?8mNt@i=jhQ0&4R~6ewn3)f~|7xS2Z?a)mFdta7z`6_OaB) z&rJ9^J)}y_w9OUrSXwNqb2mLBBg|_%b3z?uO+!;mbA=RIP=Fc2jcE+Z@qg1B&c(Zv4H?2>4 zdVQ(ysMRTc&OLL&P0xU7IhLuFN>+pQip5t)so^{uz=Iz>iRgK`O5>9@;jD6DYqYg} zahFEw>Ms8^1EOe7!AU-$)iHV(dmWRU4AvHDC!2eY$xCH_C-M@H#AHOa!o)_GUS(@t zz_E1HZYwB1}d~AtnHTNs`(|= zY9+o&m3FZhc36Y&{wk5S?lGy z@?C*;%nTH1F3Y);4QE3!;F)oaZa>Z4Q=Fc!iLAZeR>u+DUFqL#1#>ccQN{|2v9~fH z=lSKDJg3f*Dr2vEK{+mr+OvwvQIS0sJUWjWVhL&S$e_zpMq$FBP&yrdT zT?JaFZ$JB^sE2%Ix{uYRq_is6JX*s$RE>Iv-=`YNgk*;)Wg>t24z02Uii<(n;4;8O(G^=%uH1Rh3of zjm3~$hK29#T~E zYUKbPNxk$;y_>K+Q}xo*yH~J$JdLtWeZFnCsPwV9YFX(z`&v+_XWCflTP;1Aw5_y! zQl508u2gE4&hn7seY-s5u}i76QmrytZQ{<7A?{SY@^mIw$yCp+ntyRQ_3s=~R5C7F z;@MUxnAhT5nfw*qL0HEU$&^Lv4S;Q)Y5-roh+h?BToWUQoA3trjM3%SJk3SwW!z@Dk4R&OgsQo|I*->a`m!Lfg8HCdwgY$5l1g&nOm3`RGa#wGmI; z(!GgRWVKWa-9@t@fGfkVcy)@7#+Aumc+&tqsT&JcWW`cgnLB&e%8|C#OA9-3|J}L< z>(q5>u1x-tmoltUZ!46#F-?J09Rr272HQTvg1o!V?#J_-mO>})S)muO68cnwItv`ufp3>NUiF31#Rx{q@dNiV2V{8WE7 zY>Kgo?cY!+7qhY&>ry>ZGaC7L`Bd^a52_cT{AyM#qB% zW9=1s9@tJxv#q8EdrxOP^rL7uIw#}iX|-#j{pCA-szLZI!BwT%`-SUx#AO?cBnkYF}qpYzP!Ek4`+^isJpnO-$SNIEg>JVtN6ZNj1 znIs?H#??j>@xw)tFj8?;@zzhHS>KXuE-7m1N3ZKe%O>mw<|@cmziO5!1`On#{(X2m zJEn3zzT~wP&3({t7M9L=B{C_uC52p{b!a+&%ScLA^nNZb1ML;Pbrb!t%v06cPpzJh zJll%r*e5AG(+o0v<%Usiy1utEA%DE6hm)YzRV`YSP74 zMfN5W>8W_y$jjLVD=UlXMt&TJ@Q&2VPrj~zK32YzU8EH-6}$5L)cXv+f%YBp`(>DG znPbshk!#nT^3#S!MfTWs0_#C!Z(69Gf?KS*GuB8|Yrpc)uzpFk@>^7_*W{ayR@Sh8 zS|p9FFe#C+AsJcJXgq0Y)o*CjtC(uaBkHkjp|p{Ewk3u~dgn7Ek1b{Yu?T&LyjP8r z)efGT{N&l%h|3TWYLQOr(hP>P1r7RmI6!LSuv1bL|&{6JlSms#J-#hDz7P zQvbx4nX2j??x?+Jfpa!n$4uF+7F@0NqN|d#*IrVtC0JdzxY`xn!urzqH{J-qeT}>T zF3VvXaHrT1i?5G8=`x6s{W%5NbA?`QjP}eK-bQN6xDhJIJMl$B*!Rj@OPcNUGi_81 zc)K3&1L?aN^lE6%c6WgjC*30URxa(8C>AGm@=jV<-o<>B?_{0J#Bq`KO=5qHRPlyG zV;T42*h9x%$70ojjA%Gp8Drm26J|&4{A-D&rTrJoV79ifTFsf~Bg5Nh?F#v}d-AmD z8*((pI&pfzPRSgLW{mFD`vYbVvP`vBn38HJ)Viw0K0MQPk2*zfJpBTqF;uKORPn$% z#l-k~V~WLZ0XrEu0Qqu8m&XIW}=3(h;-JwgjSWxL$y_rz1Pi4Lo-TMS=3X; zEx9VXr#jxn^5ab!M6sV1?Gc&iab-#gedK9h+TwbaPPQttPie89TZ%>OEhpxa3!5sX zc&YSDG>*)$r%qbo8gXoAJ>Bty?oSj}w5w&BCX%_Qf>#W#GTmoswbH8w`hHzI-j-P$ z4~B8(A%mZ?rE=^|&8R!`M3QjxEF5p=`9+$BWVqw3^e%3RE+qCfGO3dubu4E{y#wjbpvEn%m&s zgvR!fPI}0-GR=L?kd)B1@%nhnP-#-E?FmrdUd?|t z6smd=Dn0MAi^P%3xNV6Wv!{{PHEbe1lrmS0aiyz?t?f~WReI9i*2Nxb(k;eQja?gYk18KsSvyCrUxm7}Qm(uda}{q?Y!$pGr;E_dPF%9C$#DMbPcPPc z)R^1JmPw)AiORP2V>J&fUqbFuO;qT%;jyr!WT?C;CzyWZbEvsU>Aw9NA@zrj)g- zls@PUyd2w^OwmfO{$AZhQrBvAL$v9PqtVuK3!e0mN3>6kqt5bkMjWZGdbE+MYbtIm zER0^zw+~eB5@hGWGtSBpbs*R+T#iuU4e(#8^-Hun^kIA1Fr{!dHgTj0(`2u|B%z|b zkgx&!h7`;0HNsaITX)(_T1k=7tHmSE(>7@o%Z+8yM$a!vd%sVxg(e2~{EhlYY3l08 zqZ)ToiO7>W^4L_Y)7~5YU8g6PmVG(eseQog?W7WLuAWOaW!fMHTtD5tH(i)h=7qMPOMa4X!NTEQ`q7R8(Ah(#42?NM)W*o7O#kok3qrOJazp7tO_KC@( z9@bK)l+|k?Ay)2%elQY4Qc@`sU^<^%LAHY*HodvB8yftA>5l^gNRM z4;4JzRN*i-DsI~R7}NUh*D6v~TBs-3aE&>=Qr*~wZHG|<_9_%4Ny81gIZYUuIOOtX zGhdSS97;x#Wu;?rAFksa&;BZZNmT5# zL5aE3_R8E-rPCYn}O)m((GT{qd6=#!EH*3A@4 zxYMDEYb#)j#vC3Zdk1C5o?)+JR%02J(I)BU<}*dFJe$?>aQS@3ev`{?*I70?hWaU` zN@ori{`j+BX&NKLjV-fpH=kIHkm%50{Qv_QJ zy4Ofwr##fVK5|0FTlB9o8yPHUeULkJh-xUQg1!Ev zBo-B7p$j(t#uhHl@Fzo0p7cGY=wc@KrE0HOTU!ikVwBCYi?mm~$!H_7Z)bPKj-?ur zN>S@T4v$pTO=?_BNtKCP+DBiG^QH1P`X9ALEWI>h$LT7_78|dojc7f2!qPb~Ck}mN zkS*3<-0>b&P}HtU$Bs|yNK>m{Alq21?felX8EKie$Y@by=&I7}{X=s+;-gdB+tS0H z7TgWTd#~vzlWIqSTR$vuvZ@AIQ!ZNLSZ7W~(h(^)-()y{y7BKT`oqG^xEymQUVCOR z?N}Urrl&J@igRH*>#$XuJx03PN!MFk9D68*Ynzxwx6F;s@sM}j?jS05iIuL8 zJuPKft94}Ry|T2SsCCrnb+bmRnf_j(XG9T|dxo9{Rd&S>XC{w&7=xFVBT6yO73~)1 zJRdh-u5mJzZ6)(mpEEmJ2$SqvQnbp8Rz9~^+-Es@L9`azc1|y1=T5Gm_S4s%ReJLl zp97MUEbfdBrIb{=el3+gd7bkngDh9q!t=(=&!OC1lcYc8d6?AU9$S!i-@t5r-)&wg zFdui#(x%IoY#QE=^jV(f)3Dk4bj|R7rE$!w znU&Mw{fyU~Ve2ocRk`%#{_&;hvpn5=COxxqI=o-x<&~FPe{&LAol8%iIKC8pmZz7` zglASxhxb!nwZu%J6j(PBjhQBt-1@u`4*}nK3p#4?(mtZJOaHp?6(LnQw z_AE+c%~wf#d$1v&WLsTyEvZcRaj#%WH*?*pQKp&-8}L+dW!u~a%zE0XC6zL@c06m) z7ZKaq7ArehTr}}fEYqh0@F*J>Nj!{oyfTes99Sz>%=^>VjWt^w+clQ+g-sd8whkUm zIc!emUL&JnOp1;?3fR2NYgF-pq-v!XP5#iP0(kp9@7y4&=@eTP*(Yzx?UX3S6pPr~ z9>=Lv^gKLHf?O$kF41u70=jlhkPs_okfUkP@lg;JwHd7k{Sucd8y)BmN<37+yx=Fq9#K$r4 z+9A&Rdci##rJt|0yrL(7QJXRzkp|Yyg+clN6n&D@l(GM+K(>kUH-7qsSoNN3+z{cO zZsB^Tq-xx>D$U-WU$GKW9%_CiA*RcjDGL2|8y$XXj#Wfi9+aa)yp52dC(me+C8iGJ z6^2$eG7O}zI!C0Z_YlLJKb9`lqq)*iLlkMEzI2d^3WbWd-AWs0w|P~K6B)~hpc zvBYGDEds0+5OF*46|imTYL}narRgJkg4vUkWl>&^Q!mOXI`XLWdCwdp32EhCM(REy z&Y~lYteno+H+GfMM}F?Z?F8}Ig}wn|MkOtn1n@H#i4cceIi5KPN!1#!25hO_<4r&4 zh3JvO*jfwIR_Cfk+OfpGZIEv1HYNr-pwwq>(%07-FU!Muxkfs9%2Xe3Jxg3C$ryao ztoVjoK9L%0ii3$;KV*yc7O)P<%j$5JUTkuww?oF1u<~N@t0cPU%44*i4%#VsanShM zR;R|{8<{v-^>@|et2tK3EYtUt#>czBy6JgJ<73{jbd8NPvckK49hI`Z*}YdobPwZO zC~vu={ppoK%%pmE>o}H#()iGFnMQo@(@Cbk5Q$;u?Sda2fhRYX{xDRUX`!?!=POon ztvUHS(%3^2rBmaP){OC-C#QG{^c9jq9^0$eYW8d7zCzo!^~<0_@n3ad(MDQ9+E2Zaoa*gLWF9A3qsSdHAWOzu2qY$Hu< z9lg=vETqv6j?(t=Uuui&wL;qV;_5^N8#hYYwNJ~m#X#YZ8&0XM{<6#x@g#PXvPzjg zH((-4*vXh`g*rk!zn2?`Vu6L#nc!WJq*i&+-t}fL7%M%z8yw4HOIk#ewgLwUkb|ct zzy314PMY`D2F59+>y@W^H^UuK*q&*6c;XzXl=C%gkJ(i?{-n3hY_CwK71w2kKH)j{ z5T21@6rhwrvZZ_S4wI$OQ(Hy(Ez zRB}eUaPU;x-r6)id9@?2Gy~=9bx8JMd8#yfEP61v*R+b+{O^>l8%>snial$Mnw_mI z8x?~dkj9TtoV+Bp$}3~Jnw@NhiS~afE80*I$y450(Pmlrvqnjkn{qTUfBT2`^Lv~0d7ovqiJlo7O(#}s|+X}u(jLZb_te7h9? zuPXOoC|kmY*5*4>cv%Vy1e_+4X{1u1#d~tqC!M;kqoawf<$X)4b*v$4%*l9GMnYP5 z7X$T^xM3T`LW^Cat#Q`PXJMzWN)$HqtE-H}j2qph)Z zSqZPN7V@z{oDRv-3?g5DeC4|)^ckLWXAbWPedL*)QAwQmpdoIICs(gEzmB_G{D&Jo1<)7i9mA;RB zVvNTi8D5cE`VHZ6*f1|%w^!2*;G5aAMdwte#W3F12t3POj=-Ip6b$d_1u^eF>$uzxWthy1eomhmh0!NHDf!_F!06LGhd=!I&|+^a zx6_+eS(EYlfNh=a5k107bFq}EKB-67UWweK-u6VU)6$V*W!H^|Qch7zfz*|f&-$%) zouZAr+^eoSN2N?!3_2ags-3 zx}H&c?aQN6r>mu(V zoplfC*Kp{@+ww`M$X3h-!$C(x>-jt3ru=Jgc0lGF6Jm#76ct5IAwpO&IX*vdJ0aPE^m$5Rz`ciC~ zM#*Zm#kA$TZpp69`Gsl0h4N!6rCc<^8^*v>o0vNJ{|^o?-E`5Avk>|J!x1j(!#;7T>)%pC>v8Q>o1Reqw7%hMM`DY~ zj=t_9=hrbcv$0^VmT4Lzi#`&Q>fvkQg?%jO1K8Nd%XuuHrqQxAJ1rv%+-#r+$MgUm zkkS_8XZIHx&7?!NKGx72V@uCajXnXwy`#ILydkSswL+C6mdogC}PB}nSHW21y7vc}sAU3iv0la?27|Y%fljkzEv@@O&lH6bt-x*_ zwNj;?a=eZzvhT-oYd?1@l+f7Fdpr4-VxRrB%ygZRq6ef07|AlX6p<~ysN$859H&Hj z)wB2}TIyLvcS1?ICFxGdnErsUvBC{8jjy~^jWo9E&Glik2ES>w6^uNx9O~_?;PX*U z#q!3~lb|hWV0^txmuhIywM+lBrYs^qDT{tN*JAA@WyXSr*|a>=873-2N7XSX&wlj+ zo$mOff=W?od%6hGC+u9)NJ>`N_S^s3X+kUo=n-kVm$pMYpG&`0XOMCoc zuByt`));H2RVykd!NVWy~bTymz$c_}JI z0TJ!cmpS%M*D9}!3?V*O1M6DaIps<_2C+*Jnc-ztufI+xl&xB)rMpjWlepn5q)wge zE%>M|CY5pH5_N<~ETNMgvOG`E)w|3-mAS9F$7biIpr5;60b(ZQ#v5WCz-1{2U!Sai*@uIgzzc+_;QG?p<= zi(_}iWT!d|bt6jOC+o#7WoE@pw!UMKCLaoAr+6$8^mx5l^<+`%mPqOClZ}+>T+{!V zC%lpAEL?%K&g#x$32E^?LwjHp36u_HLi?e`6S+t*zHcGpbPMHe>dMWv`(;CA>7IS2 zqoDX*O~)WjfVSWx3i$jYT3hE?7_vphm8Mf3(R^x(hp!`#zU=NLRhjP7hUtZP+0yVf zQoFiX7^HW_+y;vjT?K3_dCaeyOR1TGPRflWzC!x8wx(kcGv0_7&pWU;akRUb(?GH< zTyMM1Z6DQQZHauwhkIJ5X=NI84AQ)IlsB(F({#$iy{{xYb5|Mt@7zxjxMWy2QPYp6OGGk%x!tBGg@6Du7^2WB*GzeO^lm-|WJGUXNCydhz8QgYsHvtxJwg=^|+> zU~Aq|aUTnKV#_YGDMc;`3(FfL;VRv%q%_6IKgEV(kZ)hQ7YS37sY>|tmudyKJFr9@ zgYtP;{N{jj(x>UPN7Nawtj2G=rt2)}%03#K#Ftc=07YdK+E(6SBP+O^xMM%*kkCe6 z@=Is9j^?bHFzsTiT>DjxO}GH`$GZS#s*S=-<|PX&>Zx^KsS-E#UiY10*eqymjGDT->>N`qhijOx_mvD>b?0k*xII}XU)yWjy-Zc@cp54;& z8ts;s)t=?P6OKAc4d>Yaz57_{wnxW0Qdenwtamru=H!h4WF+>*Jrd}c%z!AGFK~(| zp^dzpNnIIfbhVei(oQxl({ad4qgiNX=`1;R6=xBR?$GE?J;PlMS%2BM=d}z zi>tBsq{hEpokI#XN!iDJhf6Sw6_^xI0+hIY$LaBPb*`X+PcWY zAE?N(vqvgQkQ|G+8A<9*3UV2}KeOew&GgwXQ)lT~zq&K6oP1ctpOyt%?fB8dy)*|Y z*Ou-BKv`@`Wb1LqUMclEQvtE1rPMy@XI~^WR%$Jovm7c_WrWB=ul-VbvMDA%R7_ov z^q23RC;LrX+%f3AOl}&BC)Re$@ZB4G`<8?l0&L;o9XTq3lA6fcyS37mQGcs{ z$0u`C3o5Z#K{3)R(auF8woa&wz3v6&$j>TFvUgNuU&gaM`+^foNQ=h-U7k7;DgBUF zn)v#o9u1K95IrZt*EtFppCt`_rH;`PTU|<8l=3QKDNF|9a*DEHRFsZvZC;jQS!AK| zVjSZ*rKzhVpBmm@b;gXANb6JPU8RvFmzMOVxmz*v<#Q5AJ-Q12YKM3%sj>3<1Z5PB zpxUtOpq-5Q-7%>Dvx+~KDD8>@HaVnu#&|?PCYBg>bb(79i{(qQ4*Q>TOT&E-ZG@3fnei#2VXM zO68MvXGAW(PI`EEMX=KnrFB|2DWxFR;r_H%$BnuCU_sRR7(-Vpy_OX>^vFn@DKxtU_-rhU79Vd~fG!=ekLiZy(=NS*^%QE7tp-&ROZ?PxS$A z;=>+LG?I6H{Qe_d>*vesPh6+CUvYBm-j{hU`mRh$-P!_JZ_tBiK#v^Qf(4b5$%R(9c$)JxCQy9vuPRWCigdj-qK(O-m&8a+@T%PS5%xWtygAkY1WhJY{x-#>T!fDFbyyivEwE zHd`Xg+v-Om1KDrTFYl?dB~mf?&wWj`C`11qa8(&oDefcE*dd|n7+jt2_1lLf>X5xU zP7B#u+@jYfjHQXJQ9SmJ#=8fEQVK27P9v7>-3y>R9Xuwsd&Jq2H$i(bb}%C*FvIEd0zZ?wfT4cgXiG>)~a z>KHtOwwQ>nB++S^DjsO)+<>8QxsJAN|F06TB(#OE+J)4%v!urzZ2K&L(CtT%G@Bv?L$vwOg-H*t0Y z7(Ep>U>{ibX841p$8vTznEe*ct_35eads{^07`GgF@o;toIMTJyp6MMVEGKr?gCSe zL%d+*Oq2)M1J)eR*#ltKEaaCRBs^EfMmZD7GWIlBdnnh!s)12n&jvwOkR1)N)*R zpreVi2f>ULhzpEtMty@P!Sa=;OE9&Cvn#+s&~qB<88o+|Ji**Hv>`CIowH5g8PK!} z#{;IU=4>H=x)v~1iL}&2E+-b^`P9r z3!t-zIKjNLP={dRM%aVh;LH+d4}saeoZSdUmXUX`9W+;1A{uBA;N=CeE$|BZg3}U^iHI4$242dN0mDF#24i z54MBW_n{ua{PR%%VAA)S^-GsUWqrZUj7d!`6-;DDSO!*?}3>*ZVx8PX7tS{l%!Khmi7uXJ3zKrt& z%-Vu_0297~wgUEpj@yt9nEh4c4~)GX^$(r}%fE)Y1xMe3bij+C^mW7uR&Pb$1D1UQ z>4JH8q8`Dq-^8(iQFo!7!4A;+E%agF+p52LIA|1t6bwt;1j;F!VGpCFImAn1D(^$pJaDe4q7J%)1!H2e(5113L?{t6rb zrJo~@VCfSmb1?N6xGsVhLH$YSK=Uu*4`y#e-GXtyLVbYeLFp;9AJFk@*nnA2qh7!< zzd;&c#50Ho>;N6V!K8no{=h+ye*x)$ zIseAF55^uuKEZB~{}0jz%U?u%V8MTJPJ&5HuuB081RDUmKr0vQK`>7Ub~Bg|3U)Er z3-T`$>?yExgkW32^p^{EHDDtJ>jsa5xrYgMCzv`)uqy#S96Im}XdW%tLtxP>1iKH+ z9wXQdV8RiCT>-+ef}IPtgVrOF4=`^W(gKrTiTJ?8@q%3s#=Q!82M0j+QG#s)Ew2{r zUNC2ZV0VBiuMuoB7%@?>I(Qm1y%uSMxkn3j6Bze8!7c>5LB}Md31+_@IxzMa!8UxZxl-FBe3r0^9 z>;mvSD8E&(9bolz!5#+l-zM1YVDb#Xt^%WuLz#d*pmU~RPl9E~BR()=mS8u6@h1p& z8Q`-KFW3t@PlPR4HV63yGu|%PwP4g-!Oj7@!P=8hXW-af&HLoo?y>{ zj&~v+&^{k!1LnR?YJX7`p;_2irk=Gs+g6yb|>QCbhr@OgRnl zfTLSceqd}H>KE(>>)MefSh@=B158>i*d<^$XgwWm2TWgsIsy~UfFC#j@*OBA(C}{f zfr)DoHyHOGT*7mO_-58wb;*NZ%WrDfDPm{<|)Jg^hA z_6ha?m~}SF2aK)459|XyHJlrurH(QH)B6!O7&`zPupi_Hk!P@c6OIqe8A2U{Ddz}w z9hmrD!7c~0v+!|{ehFu!+8$Iosaqh&wz#tkVi1}{W#aau@@o)6F-150O3VA zcJL%v@ImxNV9Ld4!+?EAu(QC^pyd+e2TcDk>J7XI>X)KU!P<|Ye8IHKkUkjqQPe3o z06H&6oq~psq5Xh~SD>E*FMz&}qs+kCD`5kceFA+Nn6eq|81PTR2J8m;s|0%vZ2A=P z1D0NmHUf^h2FC%|wJ2ZkG-&-a>JH4f4&@8RegvnWTvZh#+n94z`A z+6NeSBhmpo!J5zGxWV+BaE^iS3&<0A3M{x8bps}S5$zis0NuBsF2LL`p`5{(TM-x7 z0Xn{nw88W(hzo>YK^cN)!1CL0JYdpSaqM6}=(rtmfs?<6e1Y+Ipx*(z!Md*_&tTqG z94nai4a5l!g3de9hQXq5q7MNR?!xhd1EBj`(1H1Pqg{Y0-$prr@E+t7>;$X7gFXn% zx)<#MjQKA56YvyRa35q~^!HH5U=LV(Kl))X@B1hZF!cfC1+X8WZGj!2syGuo8F*H2etp1mhn@9}M<@)jvjAf!UA19*p=2+BDb>njgh6gULTd-oZi8^BBqz zto|ALMlkbnv_&xX=QuaPUU23U=$AmlFVN1wu}|W92o8YKFX0bbwjrNj?yt~Z!7)#v zeSs0bM)`o9py_FxzhLTbkUlsFO3$Dl2Wx(dIsL2j zPB3B*@(Z2?O@BpQgGqal7qA<&{td?frtibK4o3VPZ4vAMYxW}@F!vug1~BG%=)g|U z{!f%In129u4JQ8!WeE5SumL;4>VLx@%sPl;03-i{dIfvIx))Igpy|IzAIxAOyBdrR zLRJOa!Ezq5JHW9bWSha5Fl3v+v!Ll^A-fYy9TBptK=|^I^?@hB{E;Es0**Q?Waok% zplMXdwt^{#BQ9_doHaUR+d$JRLUuoxH73OP2;A0ywX;=hH9MWHVP~)o z_HMS8y@#!1>)Dws$2wUT%d-OOW*b-!E3&iLMpk0ItjsE`kDbk`tj6lBpAE1VjpA|vk$RL*oQHm{Rq2^eUx3!KE|$KA7@vxPq5AG zlk6(?Db(jR>{|9|b{+c+yPkcP-M~J_Ze*WlH?c3Uo7orHE$mC|R`zAKg?)wH#=gpK zXJ2D?u&=YN>>KP(_Dyyd`xd*KeVg6GzQgWi-(~l)@3H&Y_t^vN2kb%iL-r8+5qp^Z zm_5RN!X9NmWsk9+vB%lZ*%Ry+>`C@ZwvGLYJ;i>_o@T#c&#>RJXW8%AcJ_O=gZ+W+ zWPfD4*q_*Q?9XgB`wQE{{>t{Uzp;Jn?`%K&2Ya6VlO16HVlS|NvxDqE>_zrpjN5~N z2OR>|fnqXq^+TiHm zb-|?I^}#X08-mHf8-ppqn}Vsqn}cJ6w*=FIw+7RLw*@nTO~HzwIanFA1g8b9 zL0ixstO`~Krw40-GlGub-ND-6J;AzQeQ;)w3p#_YARiQh?qEaE6BL89f{j5b=ncw2 zCFl#z4yr*ds0aPQKrk3=3WkDng7*gJ2JZ{b3(gNN2;LuD7!S3KM!Jgo+ z!QS9+!M@<{!T#VM!SlgCg9E|8f)|2+2M2@y1TO~v4HyqN=Yog)WqbsGIUmUnZD zd^CRrAH$E}WBHMM9DgMr&tJul;;-ft_-pt?{#t%Ce;uF1U(b)>Z{U;p8~GIeCO(zF znIFsF!l&`K^6C6-d-m{H z$2)l!&+`KB<{NkqFY>eaMqc8*yv!@SkDtw}yvFOipAYaszKIX*KfyQiPx7nyr})+U8h$PR zG{262hF{M=%WvSH<2Ulp^PBh=_|5!_{1*Ntek=bn-@?DbZ{uI(xAU*@JNVc6R{jls zC;ukDi+_vX&A-j>;osr+^6&Ed`1knz{QLX?{saCX{~>>f|A;?~36n?oPxzz!r~EPg zGyXXLIe&uxfg%F{5nHV8nE=G#O z#3*sN7%g5Q#)u=tSaGBnCtfMWi&u%G#H+;w@ftBvyjC17UMD7r*NbDs8^mPsMlnUa zNlX=Q7RQRWh-u=jV!C*nm?4f6GsW>@mN-Go7AJ~1;_YItI7yr=-XZ3RcZ&JqU1EV) zC>DvuqCqSXOT{T-nP?Qt#i^o6tPss&rDzeSiB{1j+QlldTAVJ{h%-coc(+(9-XqqD z_2NvC6P=<<5i4Tg4#fQWt;=|%n@ey&E_^7yCd`w&+J}#~lpAehHC&g9bQ{rlI zjks2PT3jbSBd!;p6*q{_i5tb|#ZBT1;%4zhaf|qpxK(^vY!P1(w~4Qc+r`(!9pdX^ ztN4bvQ+!k0CB7x@7T*^4i0_Dd#dpPh;(OwL@qO`t_JU=i>JkJ#53Zz;#u)Kv0eOL>=1ttJH;QxF7YSv zocOcYE&d|*h`)-x;%{P~_`BFI{vny zg!968hV#RBg$u%k;i7PH*bpuWmxiZ=%fiNRd3b8r6s`!H!9tn|OJ(*MRv{~Ig)Z>;pcvC{v> zN~vR|tHWzTLa@cPs@a%zajp+Lgz6o=ZN&=gbcvVKTPj#~g+*d;(WY9VcaTcR<*GVo z3+Gy68Jj2I)9VRay+K+mr$xb){<^f3TOHAcrL=E>&ViDtT{hb*v4XavN*oDxY|=|b zvEeMzXw2g!blNeU_PC|(`1I;fsIcDGylSzyl&jSk7Mv}r7IGWq;nOd<{4Dwh>(Go$ z?XaqsI%49COtF1vo&Gzmzfc{L>lm>Z52dKqOGAP5(!{HZh==x*##h}tH&6^xqBi$4 zzfcx+8IjsS24#rNgHVOaTt>SPd)q{>s3|!LLmjR((94izl#R7oKX$IC50=V9#xDF) zo+6?J+45t(iAZP_vJ}$xl**shC0hBELhL7I73-3^-t$y0wv{i6@l;qTMWv~o0yj(#q20PaB1kI!MTG^((!`ga^y-Uhy zOofIayjfZ7qPXa|Gje0py6o__*G5@N@WGDj@THgQ8+*~A(Xv?mMjI`*hRSpjayzq9 z@f>V5hRyl(7QmJP-Z!Patf5?le`Kuk1dpPPR1s6h1u(wqM`n#R9cZM7rU_#9`SXeLnXO>YeA=Ai*)A*Bek-8 zn1WXZy6DyFakucXgFgCQSxzfxqr8IJ2_G+6vgT5azBI5H-~6TBz3KOgPV)=j8&`sr z1uQ047E*@I()```o2AU`vG4qH_mX#1dQj60SZ(&KzxdCpSAMfwil-`Keww!moIS`Qf~}XN2)PIFt&P;$pE?rJ z{?ySAy@ieU8y%!2>8AIf%x`@;v3{GqJ|c_ct{p}dHF3RNvwRsXQpy)8%`Y0qM4LA^ zt8tq9@1tvJ{wYl+6$OJWg(kY^-#h#`_%`MM`5;M$vn2WSQKZ7*c0< zV*K{@A+{u@tB8gkCe!r(XEWXe#cT3aYQ@nT(4IoIr^rsdA?ELvLi+$)ky!`eZr0mO zo3CRqVsaJj!wZGK53d#_w%gTmm9Lada<56>xSQ$6cWY znx<)(qcA6qEz3^YG?sOeeTj6s+@0)11?B19C+S7+-a9{#bSb2mQp(KC%#cFL%*@Qp z+;nD^W)?=b-cQc&7wg{ae*0gXot>SXk=|?979bMg#0cJN4Jq%WmeS0qu?Lz&-5PCQ zBA-6cRZu4LacU^TUhDoesd$K1Z zq-Ok+=E=?h3#G~@azKi_h&oDGGPp}{SDao{x9#R>rmr}~y<&qDT#_i~`T~4okm`01 z|F_*c@V7<6KcjsENqpD9-=-4wudqcR!8&I#^~kU&%;SVjlga*aYno*s5={am26k_L z1!hmbbF3Z{{LBtNIFw12NKR0Qy*sW!n5W2zBaoa}Wt=!NLZjiewp#J2;|^O zacx28fyi&7r8?HUXMFQ9symKY5{Vp!lNyDDr*m(GlE~a)xCAGp*ttVBOJ|-T`|Uwi z&N{@fCAtYppJY7#*=+0pL>~WAGOrQK&8IP8urzWsl9m*vYW#tpS4n~u9xQzx`Ns1Y zu#a61&hH$V`&+Oyv)ZUQx7OJXY3bya&VJxmJ*Cm=uM;!rNPe~;P!qVBG%MWqc zJBnig^d0?xP0hI{uyFAp#G4I$oA)9>C2)sgYm3Npm?d~eH&C$+=OQfp88#kF-X|bm!PYZk-GQ~n9kTQ&%s2LwhRHpTw1hNu(s^uiX-m#37VFT5( zYy6ws6;T=VC+t4VT@lgc3wBS!VG!@tDTOUdc_aobmS$PIByz?sQw;BvG|wI-Ik0+3 z4`VDU;)Dpw9P@G{N=^C?TV2V9nyFUdp1)_K8LRDmp71Bx^)Tu5_-LRgTFBM4UzEtpM zaFGJPq%Rat2!o$`Jy~0L2FfR(Cx!{-Nxrz?d<04f&PV7+r3!IM9Nr$IF1%l{r^Evs%EHONeLG8MQ(?bDei#C*~I$!tEf`24kX}LI1L}5UvPZ|QhIlO zbQOP_jnDpu(6dL*fuOYU`T+#XpkE{~Kp4W!ZhRj0O}II@+-V~)x%dh_+hG)l5Me3f;|{TU#)bLQCgO#MnxHVT2iP9-qUPN!*CcCI)oDj zwZs6#kAcl$sa$GOeB2SkPMaq}qLT>Y#z|CNO)P}>m z;OY$ASPq?v(cGcUY!h56%n%4k4DFW5Gtfn^y7Myw6t@CYlvVd9wE*5}r>V;^8HTlC zqt?620(-xQ^U3CRG1}>(2WF~|2@N;crVVfdWNZO^5(RC>GBQapU~tKdi4ap2dUd`% z8oe3TSwvq4_cq7I9i9_HW(N~z78VO>SvEOJfUtvfA4vCGqYm!(r@Izvycee4F36np zYi&vzN6G?Mo?}?8cthOH@0bl>k(vbz2@{Cwo=doWw3yTNg)ISp!xl-upcqi6L#LR_ z53}XcPcrbZ;-kqx6dKgqVPI(kq68Y7Rj3JEq8kFls|NmmYPNe3VgU`KK;msv6nxVGY!mwF_7&rGh&UmZ5 z#o9oDu)dGZwqf51zd>mV{F>IoorC#BmV#;;7}qykPOJr|%}f(mUGZZr@t~ zXSd*MHWe*1JeP*4;+ZmZK3Q!LVQcF1uN8keVNs@U${ z3Ak)C#hJhHD$#Ma`H|UdVEcA=4-}gaiJ12{&{*%gUu(b&JM5#u*cI%cSGxK3Y_tn3 z$)^N#Xh|8IH*FWgL2tvgE+f*#(~)h1Xn)X#CO0y3YXdMa`^}bWDV(_*5~{^e6kX2I zB{rQOu*;}yrb(cN5YbOe`emiK^}!700m%7gK2s7M@aeF^<{G8M%Ylf6&NFEwUZ$e% zbc|t6e0|~WTh=bDaw>*?LbV_isQ;$W$AWwuES3xxW#0imaUyIe42Z5BW|Na2SOFLF z!%PDeNO$o(hW4RMoE^E3k?>m z?g^bpY|%Iaos}EagQg_aEh6viO2)F%Z3AmT+VR=og4<{8DSK_#PGfT`XPQW{RE-c| z$S93a@AHXkk|Jgs3b1?H9o+=j!M5Mf%~zSkBbRA8ne;^PFyyuACg@{`M;L;e!bZbJ z{eqR>aK=oYl1>LxfS;P|r=OZJ%?ME|-OSoip~P<*%qcF{d@-Bu2{{fJ64IjeY^g>d zVf{pT-9oaNvg_QYFQip&rRQvM zQ9g%!&vM}8C_i0~A#nvlbB-o%1{2ANBJ{%?kL?kGDB^EFmXwr^+bm3nFz&EE7N=n+ z3cJm*tGfdp?17R*hbdZRuuF-iod`uP~Rr}9CR0cj6 zf8k75ZQ&<@{p7!20~-Yp_H(EpW;yX4D`9^^Gg#ebbMg$nw}}B)O`U**rW5wqOJ^V2 zF08a~0w80(aOYnfH8v4AvY=c-W=Ro3BqHGKh1o!C0MhQ5O_#gHy5dSD)iN9}Y$cI&_h@p{ zjV9ucY4C||a$#}N@>a}&m4U7O)XZ$Iwq>peo*Pc*qcL!7Y|mx~aij-u?DAk{$(uq9 zh%IBys2fR)<@$V6A21;rPtOg;#;)GcV3R`Q8Wdw(DGN|-;3QaE?tsa#gFSTxM9*TU z#Csj|;-)s>X+aw&?PRspKz<{Rah7gYBXu;G*|tL#LL9hg_sET@q~Lf}dGEA4@p z7|I{fSq;VTb=a%Wb{lI9`Aq`s7ocg7w1~y1iMU7Zj=&Dza-UE#7i(k@JjHT`@L6;W z2nk+M$4Km$6R5PaIo`m?MrHt0L)8Bmg(I(tsbeA0SF@0gj6y8{GlW9W+C&`joNcrz zV{!P9Kalg0Cyn3M)Jfb{1z5;B!;7VEXtr~=+2bcRVSTzw3&INmJPjU{sEJr!_;B~~ zA-l&p&Fc|rNJ>9;wVZNy;TumkT>)A)^LECU6ww(*l2R(m(GM5e5z_-kno=su)1z9s zb{vlA3?oS?m1XGjL?9u8S^D#6dE?!d(P^*dli=|M8KThe%wan;maixenO%Ez&estg z;!NIz>{h@WKR(f2fP=}Y&0AMMx-uVZfoyA;nYVb7n_6HV>ApR zq9v?OhTYXbJu!f=U4E^&#RC%hWl%N?VG0X1+cVxu!qwlIbh~r|!EvP%F#*XaO zIcU9`-mt>fW9P`p!Tb__4iwkTBru>JBq%;kf?6^h5lO{wE|_f~$?aYQSeS zRBll-8+1b;{sc`JePp|r61*_%Iz3R=rd#IJU}Q|Ow9RHp!b&;SP8*Zq)Ok9Ry3?v7 zvIDF?-i7VW9+EOCUOxe8K0m3l(XNu6Sh2!@gB8|;?!I&7o92vSdGRn2oW6^h|XwM zv7M5m6F62pn<;;;rL6Yw;O`|FtS`>yA#J{rUTTT`99d-UYoYn3sYexai!LlIBC{(Q z^Bb-+&P*pf`mC)t*?ZnSy#gYb-}T^=Wrv6LRj_Nte32QbqXb5^0eY^f&5D1S#k`U5 zm5mOKi@PC&44u!-JspxZmvpi02qvs6HI3_JxX@_2qnkOEytM#L1Ocjj2P&^Qw`;Mv zz2Q5{-@1p`Ku^fV9ZHN5v3rfMEYF`D6I^+E?vC&M|II&F6^f5j~~Y)##* zmrS`;qy(!WkW9}RYa(;m$@e>+b|cmtSRHIKjsfB?e-G^Du++IQ-Uxr%lXo#|B-w~F z8h)PD5QPNBd~9XQ${_fPWjCTK4VO%COw5+2Xl&rS3{wCq;{%qtA(5GI@)ZF|>9k0Q zaDH`r9qRtv-?oy91_es894d&-_N%fQ1wKkgOsG*oZqZGZR)(CBW` z(_j<#f4jR(s*XS3n;C?off`vVe0k1mc1Y7;rEPc};pu_20OfAPQz0W#1zQdG+FMiD zWQ^F3XxQZA81@RDU^@nY|AIxx8199-VaVXJlX^(-j#A34H-wa^95gUR-PAeY&2S8* ze4J*CAri8^{Y>co-Y7}IyMcs=`)ooq2B`^|j$I%fn*_Me&EKeL^QDwVyissw;GB3X zV1>V2l9$S&M4Bqy(94Th-6)Ga7G_fLt2}0|JW$FkjU@$1ofc(l>Q5R4as;t8g~DCd z^B~TfiosbVb9gj^;}+BD$rU@S<}bq{PVcfSS$FgmM6=omhv)Sg2XP~l`4U==y1%%a zb7jen<2mB)lW9>W%0%B`yF-|fxTJ_5od)ZvS!gi)2o0s_Yc~-3+sQa7Z^nM1ELxIL zEV@PE2E_fgy9APHS9EkS6A6dhZ&+nFZgoT)%@%Nf8%Fo;!T1uLDWGxS0|@Ge6bDLz ztGP5k4lZqm^!g9PC(4IHZ6?jk6tcV)LN$JKrki<9JpLUH-)E*f=g>=2d_{|2?UF5o zQJOeS0MU<4=1b?r%1!-UcqU8xY$USK2kv!0+Rt4(43nU@e3p#<~u_qSvM;g+BH7{(cHON$$TDCD+&@> zy_*#%-PnjjFi-dkb!tZUL_gV!C`ymrtY9W#P;K3;06lTDVrljmh`)dj1CJqLVT@Lh z_bky3R!Biv^;b6}{ zIHL??VF_Ao|AVh%V|FN)vZ2{AH9ySgn7=cV)g*Z4j@3%ttN>NGS%KfqI?YcvPjNlr zC2Ln{^rmv=iYJGfM+v6JKA$;(u(LB&7Tv6{!dL^2U0uLCiZIgV^yO-WQa!2{;bXe< zGg@%6RCJ`o&5F%x>P270Y>9{@8(6J6e1gU^8BT}v{msk3BM{L#n&a=7CT7@i>J%-1y~=0TM3-&w9F#E zDv+(ERwGH^w=#d)|&kMWM%m6!}$gl(0r{Ti~8jyt#&LH%~Kt#VPJ81X6GfqQK`1 z@Qp#L+b;aycC*0W77721HVP#1Z32IrO4z@`o`3}V0N>Oj!;>&i;FIi^Tf{MmCIJ$| zsyDv^ccPG4*p_MyJ}MNjqZ4>A|=3So}Hb)bgZ69yv}a`R~%e`3!J z3E7Jwaf+W;Ndoy*v8|x%(eXI#Ju)@99Q>-d{7jYWhQ+Klf^ln|ZHbmnepPHCe$`VN ztq$u~#bvy&IMgdczo1(&m~VlnTbgI< z_BR)3~D%XDCTg|j;Rif-0ib$sl2#}=jIGQb##mIu2@#YTc2dF1ktjJi zP?%p8YH`{JK*7$*^jm?+La7N)MOu~-!U8O&(Ms~EtiSn3%&!V73b~`nWqQgVbDeAf z#X5HC{uImvsz5T{_`x8bHw<`_`Bi~L=~u-Q!r)Vv z(#*8yIY8WU43tkmPYe^vlYDW(uL_hB{HoB8$gj#7aN9oSM<(;r%xwSnjZhu`gGLj7 z`Jzba?0Fuy8iXgY$*m)h-CJWf%dK?TA#VQEf2F-r`OBl!e)-|mxyUll`* z7XTI#trj}|T4vz?wtiKh5cISnw?iVu9T53dIeT{X%I6GMk z!K&lz*|pOrPNd0@FxuHY3y~R|Zd68hNRsXQAopO`r)OhU6jG^|g?ijat|)wAZ+_xb zT$X4_8t8E>i#WyXTzJ__p)PzfYCZ}r2MvZ@37{$VACzKT_zbY};j~0g8BC-LlL8SR zSYQTEgRJoONB)FWAPG?f43-EFlGxWIxFvh5&ki*!Cq|Jm{6{Q4hNN8vTYTb_aGM3s z;$Wm~lnj=Q;G~X`r9uZAzCzjT?#9wHaWhz|F4*-7z?*CHR7TbADZwDEFJZ#ban@>Z(j$5k1^4e=}-S)rs+X>28!U3O%Y$H(LDU;s2cS#J+f5K z0icnPJ0IVJe@TprNBQuHr~*x6efVVTxl-T>kqK%Xx(1b&)aNGphtG&dc6xV(8=O4^ z;C}BjIELyTG0|gtyp6(Jg(MrC+3?y9w6-Q5h%bg1od@!Qn>%*wGav6|St8WglohH( z8Eo~4Zb0GE zx)fK$;KtEKJXOXRVPv=u4-e-q*bav16Ujxm{YFF`$)0p9KJ~ zaM$F;qC%ePLd6IE%G@K_i*xqdpS?qyheLM!W#srOJ(QBWQ1_|HwYo?V(+|e4aK#?J zp|za3eoAuCb$d*e60lFrT)q3W>;=3}EnUOA4AEtLAhRoZNi>H=PYc)cfrPP8#4jWD zFm1X|1*SN#7xseYqoZ(Ye0k5)X7&m{(1I3+(ad$eC(s3QDwsK|9=~G>vCXBL6PGND zXmoQU>2wy7B%y+kN#Ven(1G=azNPAit;bc2o&DtZ!XO|@GG+miD2)ST8Z!}y63|c} zB3V6smg+YsSAE!jNDClyJ7slDb=v8Oo+_zjhG=1P!-6OyT^L9j%Fy1(z$F!r0T@8# z-0}h{Cdim1d?3sY7#YL_x+#~WlouKkf*d|Na#je=g3~*bqz)1Nv2lDt zWXU1vfnB(Rnieg`eakI5_$Y9?)2c#xU{iQTEJ+WTCS?at5t0K^#W*4%D>Yz3Dl;IJ zSK9t|YGKz#B-;x_PAYB-nBN`|{Ul^G$qVBIHcc@p-qZ~(-qML$-q0~QTFHTwR>x!| zdQ=-J+Q#-Ju5%JA6Q3Y$O%igkM>V^XP)f%7#3zQ>K8{2u`N$GQq`A%2+M^_CQq5q4 zm5?A~_B?ZcBtDZDn7Jf&ktvgfwMsrIlEJBgY*ib}74fOP5S28#7!{<9EsIEJDi9%+ z8Ep!@gFvripuQ1nHBL;IXPkpa&Vg*QZf+zu}g0L-M>5PR@mqZ%}0J9uo zbCyZz)-2QcG?FPQVm#O6r}3NiW_*bok4M?_x+Wclw~oUp6Rk;N?RS|_0~}=d$RdK zK7D_S?4^8Jn$?ug#BHYnF+`^FG-*c_k>e?u+Elp@yv0A~WP zks`Y*mtrsah(Y-|VTgR)dP-27coLgwNQ;ywhLqp*GZtE|Ud&F*k&u^3Ypo~+DjXlq z?Ke(}HVh}I8S=?szZI1%thjhup7|EJF735~m3oS`?(&7lHeMnj-<^rQ7aDKLXj-Ne z8B>eVz=Q?tk|?s4r#f3_Mun%L z;%{9J8}5ZAlRK=8ud8ck@iQA6XCA_*<*?Wmp+vZeB@a({;b~)YX^8?T`qs?ZBj5rq zEy2g-($cbp$C0~a*)bL#&s`KRkrQ61z{7U@FU9hbY2ddbjp!w^gjiik`$SUQgpio; z9W$tJonP%{{JE+I=U zdRUZ-Ubn3;Ojb61=-`DBD6UsZb(JDa=e#y9!e+`QXJd=;+PMg08JdeT7Lu~j#zb-& zbBrgWJ2B(yKc<3!#F}NIkoi1378xUoh-5LHCYJaA7s@uX!THq*UtPRLj53+iJ--by z1`HXs3^*n^O$+(aL?R*?vj;gCB&jO8gtJmY!L*4D=~gUJlb7X1FkISiRcKTC3? zG0@^H!1Ifd&{$p@4=tgf8IynfXriKtJSPXRcwKBXnPMWOWoSH3nn-p>E9Pxarh|K* zm~gEMrZXmvq83UdBNOySl#pUSopA;iS1qQe+pRIbz$*znim@1L(WmV7U|gMOF;T7U z8Du>~U5m;i#Um*XlGQ*3U^sim|mKg z28nBQe81%u63b3YjEnA3WI0yr8H+e4znIG?bL<;R$#OL7GSP^*k*x31z+D^f0V+)4 zclNU~!&4&Bg*s>B(S_t_7kCwXLq4_WGFh;DZ!Dr%)$f9O?(x0*oY26G7|b=_Mc0F0_cpwPVy>Iuk^Whkbe!<1Wzm z8R?FFz~kLTb069;1P*T=|OSMF3d~}jOK9aHfSWzs3U!bB@EN$A{ zXMC8apeoNt^9v#qj3SsLo5u*#nF;D4vaAfU5e0cEs$dMQ$fOJI z4p~gd4PGdkpgD1dOB$G2B!O_iXEdefq7L%HOP=g`9^_Bnw|tzy;t+}?9$yd(z^Z1V z5f;CJXScbSgd%??G9gbd#U~VbM3h3A0ur;2RVY*7Q6P_4$P-Im_jw*GiX(eqTLFw$ z!TCP_HeDyd1;5M}$1~)qhQEZUhCI#OeUhODy?qvo08jaN(=J&XRNZz-$eczy^dN

xZP%P5kmr4`v;%Np}qJ(AkYOi zq=W~b7%5Q{7UCreax9f#`2}X5B*o}y97O>oqA6xlBIYZrZ$6H)p!DM-D`raMvUaXG zo-R0Kc!rTZ0Ec7~ks$+}stCeIA^KwGL$OK2!<<4SM)qYPOVpr3E@YUzYm{tpf#nE| zta6z+jXbrxfKQj?nbKa2cwJpOMZppYjU+_mMp0@ueq%O=jN(|z5@I=q9BJgnBdjCS zRE$-qeSPezb07h-^J@BilxlhfZV_ChM^Sc^nqVjCdg(GXj^`-b6{p77X}Vr|lp57M z!j4iC>?B<;ou|$d0hI`x&E|tcvQf`x@X;f~5GFAsSrX@3CX%FnWkjWxOSq)9OkHTHI$?1!x zOB=k<;{iZr>I%eHvGF-&0=r*w0q(ehfr`coq^8v%2vI6a5mo?cV$mKTn^n^}(Fb<+ zdmA2BkxLz1yv#p zCOJU&heMdsQwv@D%F5s4VH{Cb4FXILl*Tb1Dn@x`EwU&plV>a2S^{VqWt5ddZ=9?d zC9ee0qtKG!vwYl9o}P<7>eFF%i#UQd1YsfFMStO(}t|+zxOkz)woMS10U7D2etxN*ll9N+J)KfM|OiZ?GjF{!-EYc`1 z;aaL#s8(8jMitBQ#Y{g*;*udG7L~L#BZ!hy zh@r{>F@@}Pq&S1ZTSTF#s^L?7ycB8j%)IsyRzqGEPu0g+&87-P9y}0_W3KX#WaQP5 zLgstePdxsrPsRihg;k{FVzEXUU}_0Y8v5B_%5;d!8hsxsz*6w(6pzswzTqjxjIi*T zwG=9(dP9jqI^GZ$lH`U=_YSVA=8;w5J5p|7AQaY^d`wrL;o5V#l!NUuLTZP-%0+o) zC?hm+@oKHiwQ*EN5{k4`R$`wX6@;fC@lYX?9vzEp4j#%hMi=p5mBcKxjSb5`L)RE# z)XX54lsP6s$$}r}#`y(ss3!X1O zBr=Crjj$7~XhhQeEZ%JBK(I?UQD-G7?jBllVtXfwlabS1F|>>_UONL<0lEb)2j5Zc z9*&7j(s8L`-m_XHv1)yT?c2k6ZbflxeRdzcHc$$2Y6E&H$}OL{^l(xfB*XVUs;$Rl zv26pb6yetA$i}%1sY$fkkOU5{vN3O24zSngfGdj^Fq!zb{0re2EdCJnGck=$$1v0; zA}%iq1eOdvA00P*XWz?4f_&)sVx(MOL@8cw$RK89Zrdou&NW5AB|EeY4kRpsu1SHY zss;DKCdEb5<+&{l`(Qv4?t|$!ZZ=$F zPDJL-!j3$W^X`LPig(dvbJ`AB^9ODS|J`(lSnOz_U4+`{3|h z?pZaY7TpI!n&LhfQg!#i5OWpuALrl!r;X+7YAGW6N+L?FPWKAmqqQXW7lNeVKG^;; zhpNm3riX6AeK34s-pi2-4YywyYTkXYNt=NQTVOs&i`@qkjXQ7!0x`hU_lQq%Ud_a* z(4|Jrrm~2}oB+DK?8&_&@x!*CV5UZ~R|fY9(1Eo?nMJD|N0)90-1iyx!9Iz*4|c?y z`(T%rxDWOT!F{kN3HQMf)$gf{ejbAe`FTf;0*QnIqsG)78-+Ncm%MQ~kZ56>evjrh z;c{0l?ql4ABKN^ID6zTJwi1tT0nIQ}Q8D+y_(8^fFp;JEU`I-Mp?T_(V}~Y1%sNBj zv&B$~i_;`Wn>1FYrhX5%EgDVan|76}FS!7OsJ$e!OKk|@gl8!%KZ??!mjS}0J&Rd%I; z4IxhB5M7xkXzqjak(Sxli4!mpKl#XHI@#NqE~Cwx`4Y}}3Kk_q>phs0ISJk`R+A*7 zF}sRJF_{C|%q*0QQcuAUD>=kxcAucvUo(Y0uyq6+|8@!u9=AD^BAnfrsLa59ik^Z^ z4%cSBNKmAU#MXcE_M=Lpy((0J3M2~7Cclx}i;7mMf*D?MyVWLte z&{KZI8}afIqnO3_m=R4MipY@_9dt1~f===|;WQQ;}reurt&ccD!nnZ;~xc;6hv zF)A|WhR}aV@17G!gf7|1)M-6StH>adhcG$|a!Dn21g`m3a!b$Pu@se8d5Sr(l;EnMmX**d`S{1-o?3Q?SjWI7qZPVh%>t zb&AqlQ$iGH(WRSZ{$`5Q94@-LWb-g4$4X*zOOBusT96e=x@3-25|Kc>k)DEWW%2`_ z7bd8*)TIVL??IN-Q!vDf9*pLlH@5IKCUWd47^6!MhGLaELM&t;orf}YLxuEw6O8l( zmiI+Z!3a-gC$L81J=ms1+pwjkGsZZ-%ZdWdFWz(;bRWd7L#Oyi;GsE@r(mq3^w4W5 zc(_eH1?Lmlge!Uq#xL)QJOz820ZZ#K2Qvx5zG3c(_~D^lWG%y)k&(hCP# z3u)0Nixe?NjsP-6;whM_lyg?;6L2bIyxUSbV`0=K5w`_kmP0IinUrqLGM!H&nW7@b zb4`94&pA<9DYVju`P~?ka(gk*6Hmd^XQjSWJO$Ht>P84?g&hx5vYV1;O2r&}xw%r< zc%}s;o`R|3ne7Z9P48zt1=Ck@v%?Qi!JXOaASv<`Oy4J)ALP^bx2&gNDC^puf+17t zDHw^dr(mGvJOz7lJSA!1Xk{TQ0z*3A=icjYx^#R}JpFw_1QUA-7O~kKLkF{xtfycX ze?3x~n1`@@-Fiw;oOlwOX~tYZ@Crl9Z~8?~!6Kr&YXtJLoTp$Pl^rS^3kLQZCq)~E z6Vwd(WbY~1mz?nwoQwL-YntU0-Y>A93Z5c71!tnc`?Ar6aK1aUo`Nq!^l|dp<%fw; z@X>|!49utp*xxM2TPUo&2`ayJ=jpZAo?SVzb>sk1UpgF*Uv`lG_wqxpIDGRBH{5XJ zVe{Ml_XhjNp<8dZf4%Wx!?!-*z$<_J#y33peg_UbFZ|!-L;7t8 z4!-05@b4oJJQRN(c&KmG^A0@vkq-vSFA)8}fk(jiZy!AB~olnm%4nBY51qV;8 zuD#Z#i+>&tzpxtk{{sgeNPj&N{`(;M%VQk4Z5yuVpq_6Z-0yzxd?(Kj84qB^?tj2F z_qGEEsHztog&Jm1Y@S1y2R=IB^V}RLNPims$NmpXKXBj{`wRcM|A965@7c4fC)ZDH zY@J;>ws~}8b$#p9##yQ{q^zAjaUxAVP?#VO^9|kS47u^pt!#$epJvE+QpK=(2M*+B z$j~JD|FRi!lOy5``BL}8{);o@I*j~&M)avrg<@Y;_t~vCvOY7b>bC*F3~#>AlvQ=J z>n2>4xT^U7ZaZ+BTUCb~9rOLN`(gjZd_DK=e){#v0AHAjwY_??V^s&=2y6qF=J2h^ zubxFMeBgnj^O>_wI65H5yY^+D2Rcwa`)~GqQ(`_FFz*LUgkf4IKhC#e0QGBw{>pIjj)jYzl+5hkGctYGD6ik*r43|mT7C{ z!2-=#kzhQ52(o^yygWZ|pAId2h{43$*xuIWp~BjH65u`5;K6OK72Q{dExmb5zGcq= zq=y+K>r7^kY^u<5!k!Gm5Z3pnGGpG=pu$NE#K|d0p?gQigZaFnjfV<6;0e&ihXWc& zuD8#+!6o8v4LCQwBHx#f2Ap>@I3yu6i0Ym@RG5j61&l{943NTG#^!2b;&CTOeSY``q=NR-T;;4oL`^JQn= z-V(zcO~OcqzxFw%hYH*hk1J1fh$XQ4Q7r7JDD6JUp}|V*vrn}aKG|b}{*Q+6!f3*m zVtoq>I|IrnPjP6dh$4#svp~Y2)t?_UKJ!$I2bR>m?5vv1_cXvdwy@^F^sWt!@&=Rb zP6$Tz{aN5SxCcJnVB#92aB1Y7nOTK5}k(*!pwQLK{V3_FW}r{Wq`hS z_sdBOybVta&tZ7ZSFbNWVD1;mDa@jl;i>YuDbihofDr!LCziJFKF?sCp3JQ0f9g+~ zD*-3`wNFHiqdgxGPYh=!E*oAjVLZ8j5dPXPR$(1H9(wWx7HbH$4d++D$3+;hYA$xT zuq(U(a9(I|!0tPo>hMhoXanYW0n&zisBp4Gwb_ddGTL^#zT^kI>Q-tJ(~AQZIjKiW zT?h{ZX0~I9EfTuc|FzE%)cDFv3?>?rlhGUWrgc`x0P9;>=uteYzce7a9`zP^;Bv?} z?q2ZE!pRJ^J1(QH1B%wH{9le_i`@?f#t{n1MuboVNT(NoA)%R zPNfTzhul6x92^YRxdUz&!HT;9TiYSuOJIXFBR+!#+}q)gOAOS*@3WT=7fu&1h7o<0 z!6bc~?`Ci4Kr=EEYs%D(E6QPn_ssvR6EJc zF2-%OLU-5C?ZWE40s8xh!3OOLJcgzh!nm<*bVGVgfD_z4WM+-`RoUlwYo~?VJwCvm z985;%J2Y{eo@=^?(zH8AE#k%HVhDSk?Qqt->i*Ss@fC@dT+h_@r8bX_87yOzbv^bP z@}V>j+LH!D)@9Ra7O{pN51?fI}e?lfrNd17>ak67W!!D9PjH>c-G@FtN>o7$1o zq|8;og~$l#SjojsXhAA)JUs2a#vq+M=WxIeCxfb93)d!<6pgFHrP=05qDcB69Aqd8|I_Z~-+fYxFh;rSypseXsj`tnqaYQ3V|`!;HP zY(0-Fq~Rx1R}U&GMUe)_Wg|Lub4Wj?o}`?}51+ zJn|CPWxkdB9lL`3kD8zN6_}}80gqKZV>J2Z{Uj>6Y`XVI+T479fh29_8xWOSq_YMw z<65c#uW(vN3xGEoysW#b2E>BQi2Ce-K`gnz3ZV77K>-yd)pLaEj-%GERtuK0D{NaV zxTqelPU$U63sPb9(8g`Zkj#sz0ObGL=Q=-BkT3AwsxvsjtC%mmUQ)cNz)v0pIOi=6 zx+)70{;z$uL|f4p0)nxuVeZd7PQczLqQ?I(8boxTW?iZ^;1qOUcpp3pI5Tjqe5r$2 zx%VFFW`#$+$s@(C-|ju0)`OQk-psm_yFNH$ixXVbHQ*HFWVGhoaX7K@Ts6njq_~Me z0rS^Icl|BNrX0=r5^1(w(`LmkLo^Sb8%C?ZlkkS(o*0K*1T|nOe0IjLTKA2c3o{U{ z#^wx1JYNpYs-BCQ9&^F)!i&`a=KtC+zg2eMrNjc=G-HGHtt#-r$3ZV%W=Qe^sk%Li z#pD%<;@+ovi25B^n;BObn(#~6fOkk4tv!xsoLx2`X}i{&8Its%836rX`<;i%xP1V_ zV_rEuME$sF650oHG<5aZf}=XQ>3PwJMBdI7KwEp{oeSt zgunLNDy9EEgdtfgiBNv{YrjZJ|9z-Havt68eXBIR@`rJ()Q?gCt>?cA@Azck`|Jv`EDL5a=amZtsFTHwhXk7lS34cf=IE!pB%7;WO9+^vmNv)?qnE#4R`q=lD2=lT&Pa*nRe& zc1n30!^*3+Ytgh_^5Yp=t9*S(kqke9;j~GH+WUx4WGIRYndLJjrd;6F{du@Bb}xh0eU?PZd-6g@ z=`Fph+?0K`#Lp~v58T80`y7LIbR*i2KDU z=vh$H_jwk_dY<=1*YiouChhYL3L3NopazcV99C)$_Ar}Hz{kRomalB#w3XhhL;}Br|U;FG$P4fCmhiamV zFvpG_rM^!KyExj>e3ir78f{;qD1f2(d%-J}dGgf`iAA=!_ifT%#e5ARu~-;Uw2TJS zLi_N=``5;(A_7MPrXnSLU5uG1V?6GD=VoC~#k-5IH)!r11w7rt;ODcZ_Z!+;_y&e2 z!;kn@g~__l_Gy-0-)QjW{=o=bm;`|O)u7o7eUrs9f+d6s+-FZ}cyIT3Tiwp?bT*jnHCq#Cnv3tXc$wHpp@G%>NwXFIz9OQFg%E)K zU;FG?O@94;hkMtkyK?G$deE+JrKain0fQDrhVt#HpECtcjCQ^6U|2yB#03M7yU%{q z=1i}g@} zhoCg~Qy!^pU1<{jPjieO?0GaP_-8zp4Q=C@(Y=tj3Q|4#&H7o7)9X!?qQm_;kC;Bf z^^M#opV#)wpO0~3g>m(|(zKAjkVO;1cr~78Mfr;!FBJr;dr?`zzr=8Quth28lJG|8 zmjhD2mMDeUkM{Au;xQA|NBw9i=ZjyBaN?<0J7U`T;@5ImVj|X}X}j>R2eelE8m0e! zgHYnQlD-|)(x}Eae$!x0uXMAXJTYi{%5NDo2onXiYZt&vY9}0gRL??9^8Iazr7(Qo zv-{-3+Ii`BBx)v7r$?(EN9|yc1M^MB2gMjBO18nS5k5WBy+6w$biI=*bsU9`$hV7368X3Bo+huae8d??p+HZdr zBz@F`|1n3TsB`q{lbf#Aw@}$x|0Kag)?+Gd{8NVMo|UwoYqZt=XBoWY_*vh= zf*gx4F#nt(#!>!4r~1G4Id3$X?=J$PjUDJqub!V8ANxy&LlFrBOnna)WJ|pB`m2DG zi6k6A{a^d+Lv5b?b--l1`w@&z>|y#nVf{@Ov3V^Nq$Rw2{@W~KA183FXa6pX8aZF- zb^iQ)96~ok(2%_izbfi_47m7bN@Tw zWx~AsehkgsXOC(p!2e;G`OxwA9#=c>{%^p|M&Z5psG61W{{_@kHCI2D%8koA1=11& zGqtab!o3pu;y7?W^sPqc&JbBWbYgwmlzDnThNY8uFNAJ=z_oA%JE(23Ce1uBMrJZ`XktCb({4f^6l071`y%5e~W~A1~2kFKbveqW0$HApx<6{aw4+cql^}%@)hS_++;;ZM54f z?7z>0)$lNe2c5Xnu{qg#YSJ{Z@9J=u-I3kxc8OlYdN^Ti3`X(0S!cx*PC@?ekkv$7z~puO883|2Q7Hjh-{e2dmv?=Db!u)0yO9_g_*I`GIgU#vjr zX|||qxs`Tv^Bx|nFUv4ZDtnYgLn~Z(O>+?(&J4G@+0F>#Dn!TjK3n-{iwjPv<{g}b z(u?$3G>uO_hNC4{>D5RDzJ(Fe9?OyXk&g;14Ry$mvuHch%UxfV9NI4Mc!p>1?MYkC zmO?!zDab_VqvZ(}4}vt{Bw;YsV^-L=@&5OT7G)Qs2}_t>Tk|B3v)8(^3avp6%98^M zItSS3w!6{gcqv!6OOqd;QbZIYYdxki^Pd`H?vCS5t;W-|?oYFL#Qm@1=slg|nDOhQ zWrg{Iv;Uw)oOg@Zgs#2^l|A$s0jHPOJDSA*Ooz3Y&YD+r;e3jAfzNU{AfWbO$5hb8 z;v1`HGo&7*(tLX1mo|Frl>=1k+qfc(IJO;=jg&kk~bn_`f8a& zdm(uW*3VXDHNIyCv0bXvtTo;%gV-)zYF31=$|1JeFckPGYDnHY;Pqxr zpxtY{+T-8hF@`*a6jD7t*y2z9rI{=ecx#oI5x&mJFcTPo%}Suc8A1eJ24Y$>UnoT zDm(}+y;CCg<8!63N^tG3O1#F~Q*CX$#vz%F!N&q^wT;%Sq+aVWqvs^`W2Wp4Cj?4Q zx3z`+9c`peI=s^m^k%c`hHNs{ax+a=x#n>CxDzhu1@MLODUWks-q5ZaR2#z6_&#AB zSv^Cv_|2~~SfdM*!5D(D;dTTe<2Of>3lMww+?&A5T??{iKeSIC;q;SX694irMYg?tAyY4bbw5if55A{~F z>9}QHXn1!Mp1+~Z9l7dzQaP``UgGsJZpt0O8zfru$Z2mD&sePa;t0l)V*^$@KeU^O z_c16lxLItzUD2e;_jNdv`512Q@#w!kSX^vrm2w;LeuQR%4I5t_45)to733<^w!J?? zYCG#|qjXlHwE1XKB!D+coF@5KYtO*r^x&tdFggcebj~rHzN}R=?ze66;0=0z{%;C8 zAiNtL65d@y2wB|D)eGk&yglj&$BGxUjl|5NmM3Yv;yg!#Mb&P5qge-B;ArkOf)SqD zZsQ8F21=$E70jEOR=1|x8gbNukl5!qzRBbDr6bYqkuG_(f)c$~zCSi-a1%j$8QWfJ zdr;GB?MRe6V8`sZS!6YqB1ugGR^EuPy8kpzISptf#$1i3*|P2u-Wx{Uc<40*Y|!el zlwI^5z*;|l_4o+S5#9L_cc5N9VhYa8;H-LQrK~~KILc{d?r`QHhqkv!L0TB34KUpX zld$XAcS}IpSd5RHgQq?luZP%~4SlESH7`3HGPQ@unVa4C{6+^dFc`gUt~8)(eB+8m z-M(iD&)V0!b8xACsR2vdt*=Tf=Od&At#AUvSHpV(4RvD685~`%Zi9b%=+PF`!g&I{ z{=7Mhx_NOh6H2mbE^>2$AL9#y4{(?;Q{cpO1R@r|zhHuIEl*fet8q1*(g$7xR~!oJ zkqa$;IkfnLu7P}dG9R4pjt}O1u~yeW)60Lbt-)}3WP2N;!5$fp!NU&x;1jDJQJGn9 zDI&J@vo^CnB#&ui-qyA%r?C%>a96s?DDK?aeM@_h{$V9N(Y4ix3U~VOEMl%>Yf%ps zPG@Kl`4J42Pt;lrjmv)|!$2mqHErHCm6`I^fCfGpnJ9dMV!(ZVvFMs8Ek7ohdq#}x3yf~aqya?<_S9Aa)kRHJJ0 z&&PSxqYxQ=x`YThqEoBqPGR+-Zsctq>-cg)VTGD!s?why@6k58^Zm*Mg*M_n`6qbP zyWmafgG?pv5(~Ap{>T$ zG#H=kFyFK!J4fSek9BP|+Tp_K@x?HvpJLHK#M#ctmvDdHc4koa$xn^2C&O@v-5fRD zI~P##MdqhTR5OEE_ttU+?M2_GM_Aopw*g6;sh?qyCiBrzIFM{jPfteM(;+x%9PnjX zJ$JN-yq_5`H(|e=T=1xyqc`(Sx*k>8r9Z2TN|j(8T#s8=DQJcK*%o&fZ-$S|w@0Hl z!#O^NteriYcIde;*mNDNLxMc3)}>)&%Z5TfhzClY+D#r z)FNrt=ie@nARZ^&Cz6uj&VdksYB4pRINu>K;Xx$c3%$7;u8hZP;E3ex>4p*1aKF>x zPT(@LBU72%_ZD!cX{XOx1Fm+5`duFPGKdZSt`CIv_yVrBmo?Py7N`blYwFQk+Nzv! zzel2uhQ4>(`N84B>bwC~%-aPnXxx{J>FNZmO-75}-v4OUuHWnMclS=f>w|{g)n@Sb zNfa=d51|Q;%w~g@SH+rq@%;h!I9x^E!wP! z3NsUZ#{Hzg%3Q@(kDIpd{uD<;|1tQGZ#hSghLOX7YF?)3uzs4OGLO29rBt_4TXjFf z@uCA$b-R?=`Li6yzK&TR%s@$ zBqp>(`vs2I>t1xYuolrq>K6qnJ?pwFdEGc258E^~npWtScn!7&7oy2q-N%|<;g$H{m z>jE28zdgLt({_;Gi1FO&Gtjt7p7sJM-rP2e>zFz`dNR3b&&8g5fVXYILi{I<&r} z1z8oXYX6dBS__stx(VnMx0~(g4j1liFjC21T?6;XWv&dUou?Xy`D>0`G6${hV~v0Q z4M$v?Zi0_+uEeay(pvYo9Lt@s;*c}dh?d@xkvt_TBR}jj${hL6`E5T~VO_NvtUEmpW+<0TC#naZ?e@MJWD+TS`@}B~U zpIKtHTW$L^$>P5Rs-kwQ=F!@n+J8G#klZ0GOSdweqs1!TL~rfww%tZ+w@?3LamV9L z>uYOu0zG{J#ca0ttJ|u*ocmvkIho%Hu866LDt0g zEYbAp5x%9+(>DTtzuz@*&)z*+Tr@Wltm(C@_;5kf@-nEw{WCRi55{}zfr4K9m4N?% zed71i6PhOCfxaf2U@5nK5l6pm`v1-_>GG@Ez>2!EC%29plL*(^0(c2IkB7^rel_Wa0NvFxxaS+CAx` z6x0)=OWlzb5@Q-8gldw+qm>$<5HVdYNLvH1=Njgg#xWkV{~E}FsOA{j?cZZb}z?yC*ZG(q(%!mo4<)L1@`iEZ!`Lb=Or2d8);`I$E5D+x6yq zXYI8AG>5ed5C55p$TYC+Osd&SJ>B5KSu_poTswB!JEVgS2VF))wtS!zM$zhyM*HN# z*$b_(pK)#U=9#2vke(Uv@gTA~DJ_@k^{L5}&tjf2g451|d!^BF3<$%3HQnPyfaYWm|B1jLh|WE@;*)AuP>?k{9WplB?1Xf5Z{M)5@f za}D0H!XwPW)akWPUmQ?j4PMWc|B?g=)_uGz>f2V(VWQpiOC92DPVtZSHcx=wwq-qN znwFO_wBxf5Oy2qQtez>#?7YDu;TwOtD7Eh}j}EpkHenWaMzpqlxy3{~u*K2kYzE#i zP}l+Y(5MzQ4s zG)ps@%y>9pwfp)h$oqI+x`pA$OT|9t;;jMYRJW6KT=neGUOc@bV95huHHs!{zcQeh zGfOIQH_k*&FY%rMy+0|pz`@Y_)O#7cJ5H~zpv6}*fVFc)Yul?V78+ZDn(x-(ba7L& z7Nl@%hW2^y?eM^bVapDnajaJ}3}9HQL)JdE_jGn?6MQRlt^Tz%ySdvLGKG_HR#3gXu+%ug(SR%+er#auLF|B|;KY%OPSqn^ z&_tnaRF&QM<0an}3bR1!HevfKuJM!n*{F zQv2F~vK){5vBJ>qa!(ZS=8KsSiL2XK*q`x)agt#&KdyLWgDbh~<&j{`quw!_E_c;M zQrlYXv~kMgqM~TcKC*4%K+61C7if2nCO6%9Y&H`Q_NzI-Ed>s6D~#pq0$w+{u()XN z+pwv}VFH6y(W#lSrAZwt*7ou(g_FS{sK-XW9^kcWG=_UWTu7VUF3Mfi(gIx}cY0`7pP&xY}*{>43YqV>~@K7#|-GE^u{g zpJ;b6G`PGUF1HtG@z~I(n&$d$h6dgvQ7AIoH*a3`D$+*r^&aum6*x%TXT0eR9=Bi; zQQb;SIy&RgHhY&+H2=%*6L1sBXyarW(5-srDt0dK%di*H$3n~OEpWnvzzN^aBbuW= zvHz3s=C1`$xgB_ak7uGll5teKx5R=3h}zz>0TJ|)$m^P4#ur8qV>Q3gqgh_i(vQl{ zJuo=v&8#;qiMCsvGkB{*(C?CiTyR8naSDgRJ*kMQUJZqj!*j~E#oU1#9e?yY1}EUX zttq-4VO?9zd9*X&km0V8klA(?)8xG_gC#`i>XvExr}GSLIt;|srgVobP{2B&>&iC3=!W$&5AXl1kG>Yml!_{^_? zi#9R4qeSgmT?cKiU&M7Nm?QVu-%Aa%QBSAMnSy^69 z(0X|9p>U(U7>}$gB2`^=3$;Du%?aZ5^9K0=4hzl_3tf#}-A3&W=mW2TE0;*^%G5km zeb6+bw1h%Hl@7)TcioRk$EW#=YNwu?BrywQP$Oi{reEDKw`R<+i?HH(YaG|jD5R?0_N)ZNR6?ESxs z8FYj(rRx4wX75KA5szKHUYH-FVBX!*PNio*wupJX5I-&;8eRwP&W%mS_3GER6%nuB zSbn^MdA)k}6N;GE3-J>@;^F&fU4Bv#@%oMBCo7oOt7ku@h5 zEI(bryk0%~8AZ${L`6FIOp7>AY&wa+uYKyJgM#-A^v3>K4mZ-HoFG|@ZDG}@hYJ>D zF9FogR#9)?OP=Iaqied<&vEEr*RaxE9&LAM>)B?zrrkt;uEXQ{8uEeA(!ZLf=<|w* zZKpD=m7ni0u`^F}7Y5^%Q=7N0fF*59E48!H7dXT%czmFX9Htc&0=Vu%JZ zqsfWs033(onG+tTw;*e+{33@8o&!h2#4x{pWfV@<2Vq@)vA|lL47;ldV71Jy;C+d~ zJ29AD=xo5efpb$HWD%U!&cTAk$FGuE#KMW*^Xj(H#Igunh8xNUo| zrW5{#Yam}wo$xpA1G}x|n)LBa9NnpeNx8-td;RPx@H~7^{mnVV<~w=q#^_rN;>p1! zGNN!!?%LuQ74{OerubHew`&F0lY{vs)}6KdNVA>%Hjm{tEwXsq0w;#e-UBt;gKxLE z5T&6x#++uo_#GB!IbMvwOJp}03hjD(q#tFbeka2&2B5588;UOWyGn@BbFA7Kq(x}` zZicx##!%-VB`mtuJyfxL_#TOfkH}lml-=y@25qgovO1YBFj}`;DM^@?`mro<0hB1e z*W)@o8#>-Zb#LGY+8O=(64V}AsjQLjFW|M=>fBN|iyVf2{ec1^9xW+WEKFh>Q4|Ne zrJt3R`VL!*zT?Gco-=;XVtV(qU^W_@AhU+n&tpZ7{~?EJ_7lR4AJtUzBSo|J!zH}6 z=~mm@MQtDb5sOL>6@|WO++k=FZp2sHT21o&(QDyK(XW1Fl{5B_aqLs)$wx`6XB5p& z=*J~qAAVSr75Wnf&HFG2b_WpNi7l4e(bVpYf3k=fJD#gW)ihl{7OxZ>)TsX^bU?jSHg6?wimTi!p~Z)5goAe$Lv}>O<(bI z7H_)S`l43z*7NfgW!9Y^U2V3w(N2=Tz>$QI-ZVQ3S}pYK_=^s4x&X8PNQA7PhXpAI z^>n{vk-+dI9;|8{O&0%UgF_(|%F3SVSy+&c@ioz}FvOK^7v71s`i|0e*cH8&-@qhJWNym)()w?YpN}z(Sa=iWy+_7;4h;A2URBceJ|b zcABsh`Sni>*2Z8ohhRF}u)ntTq~nhdAB>uP7CCLRAd z#}LY-Y7}LB{=%a4rS;TKPJijJ24irnKJ1KVq^6ly(4ssU#^|pC+U9b*9ZQou{@P)g zsCdK}xvS318>#?Kis=yn6l=`WN37{j0;C zcZ-e17^M8k+{BOLB490|=2!OLJRp0ukZ@x9E4ef_&7}#5Sp)}|J6}%WF6cqzx_XlyMSx#=qjUj#%gxh z?+iE#(CnXszMQ-BU_X8*HLuAB9zZcGd$>Q*bQ$;aDAq@m+Q91GRWu6s56IHiv>#6a z1&uP=Nj@MT_v)cloRFUn^XMTSvwv@!+8x$IJ#Ja~SKCg_+T>v#k7pbd=F2yTh@w#`S^g@>m7ln3x0yYGw|Gv z`#eT+VU4QA()QYe7HfIVyFaA>81kWAEuwY{@{ANwg4M6A!t6T;^WvEvZ2?B+`D>Tj z)@f_&SpqM2@luVZoTi>_(a7mJ>aDh>a5G?D_^}C7-=hkzdXB+FwBw_0Je;>{%nG+y z_{#pd0c~q~YzzU*yJ3KCYNN8pJ&&Wt8bStIJ(ddQ^UIjG-q3=njO7bBX0}_aTd1JD z(4x&Cx)6FhK8H7G!$;Jqw^7hQkW<0&_iH)Qb8v%9!(tw&V2_{%eh zMu)ivPd&jCgH*G!sZ-xl}cx{J_sRX01_ z5#DKeM?>gdTRuRj?_;I4hs&t(6NGA9?MCF5EG`L?-O#_mXqs6HC%iR_Zarf#(CT@m zV7?-YiA|NmTaBr#pjQ?#%1V`8TBa>=8g$KV^gh#LX@BuCd zte(Bv9l@(gh>c^Z*&)7ngb6dJseRgw;j29s+Hd;Mnk;Hh z`-U>RUz^2k=H!Lb0={`W;Sh&#Jis%1lUDjrp>6o)?W9A32sEu6LbF?6V>s=cLF2He z3=$o#kZc3gYhMLu?rk*)bfT&oBeMHSdB8M_CD*3MZp(R$0qn(_V|3G8-icN z?Z#I{+Kb)y(NWvvROQV1z7`iWQ=NF*$0ld(`qRen{S4ljZWf1AtVSvD6+ExJe?V#W znx)N^vleH%a}Jhv;u^W354GFGHyYGk@Y6NkGjV^NN4XY6g@X+&;<3qmIqQrwu;|EM z%~iC1J!kROrVBEPDl1N_XH7xVgzuZS9qPi|V7#_#x=~P8-OwZXdxXv9xkkK#jES%0 zJCBFX`L?>9-RW#F+mnFRBdFctpZAETz=eqfsvR@!CisHKA!iO`X3>VG?RFPE8W@H5 zfTiimMi%Sz1RvVf;a2wq|rmC#tC)- z?aUQ)`nQXC6A;(dr?ZwfV;XSVliL?D`exYgqubSEnhv<^2L6X(9V0#V&?@gNhFKegpH#?*ic--C1nz1zA_W>5` zO>kpKFJZu3>{8cq4%f~fAIQ+w-OKfMM1>!HkU<`YvlV1XCAE~#Cc8gKvLfYywo zNqBFuIB<;zYBsR8frsmRAQ;@U>{hv=+avEX(3c$HjWvaYO0QZ!Q^&5+`2rRo(|IPv4H(#IGa@Sid}cDb8y zF}S)tHx=$79|brcYjLLYrrB5MF}x%AxPV|LTvq(8?z;jaY7gIL5T`r4gY5+<6Iytc z#uYz4;LO0L95(D0B<;QGCwL@y$%*{wI-ia{(c{g!`Mgmdqm0xiS)5+lQ;?G%3p3)A z9S%8qY2gi;6!$3xg{-H^ongXYYiGH(k9;aequY(?Y_AznldC?BA;wIpwq=@@?$cwO z^}&c=-&bQPeD*UK7H-8&bE7Z=@g3=BGMrWRCc6bs>%-4tc)6{Dy=!=?K zRgl&2mE7krq(-h(u#!Pvzn?2n;C*B34y;+4eI7$QIT(%S&*ykc2=vi3 zTH3Dl1q=y&l?~TNyYL!HEVAl(sEpeeGCVj9;j=&qRxLScc0XUl(WIiX9!I&=`eKeV zo1%+Cw!EtQuOJJe7x^zqk(%zUHQDJ)CDwU4P}Qwc`tQpa5?J~)+5l)g_sa#+&S3W< zxISwbEA3486&!1C=iGEW+CDLwTuKCh`njlZ`mbcDiE5=DNs$b{iX%nld)2c;!TD;A z)2ee*_W!S8ICwjUb}7;IMs@#byUN!R9!a4lz_UI0v*}okr>*C&3wY=T3;iiFsOk|b z+=ZdX)~~ln@Pz%?RqzKAE$I4IDbnFLI4n4IMM~{@9EJ0KBg4rlwrl%OJEeRR!^*3+ zYtgh_@|zi2^KPt2hTp<)+9X5G`tVyBilWS@pBu`2|2Br1FNTw^$gn98W0| zc$GVjhOK&bD0}mF7`)LO9a1Dl&DBWC3j0ojwA_V#5|s7HHd&3OjM#TctoSOYe#8nK z3N3@ao3OkUl4BktaTQRHSdanG_uuzO#K1xtF|{+x+a;!4;MJ|ud~|=WMA{^u5zGl6 zt-!eui>vW9?)-fcKeOPgXR5OPzTco-T|m6h9%N%h&iVmD0#*XgsN)4u-J*h=g_^#1 zSRAmjkeATaqojFf`9Xs+hB!yYm~tL5$!auB)AvIG4MTIzmUM`rtEv_mOX?NkY1V%+Sz{c>BpyyJ7z+k7iuk+Jn<{wni~88&;eqdHu9QUFlHxTAyA4 z!@C7YDh+trdF^K$9<7AC2aD~C4M_i{p zKNq7O9gpA|_0;+3&|SMCwDtG%F=jGRtI-NP8gCSS!JtjRE^{yjD^U0PgAHRnKP#ND z4g%gUGQ5SEpr~1Big={i5B!qBo7?rbI)Q79rnV`w<(Dm%5%-LV5_o!>?hF>A77vly z$@o_Y6HOGmNi->|$4$feRf97f42`JX(ubP$->-QbDKgZ~dCfn=uXBthk2KmFr{CZx zLe%fGEx&0|wl6iyj)ikCM&kJ`j{@sx2$ExX1eI+oL+J)HWwHuKPP4t1qcX z+oyk*(C`(`dN|Q`p)-f^UBwDy}$5yvAIL_xD_NVe53i75~bC$ryw7rCg`s`QZx;#M@i!% zf9+9vv+7ZL?{7R>FE%{|9)g~n{?;S4tt(B!|2vM+gO!aY1^>OrI@xaXqU@jl;Bm}i z%^JJb&p<`9`i~wlz2dE2xr!F%pJJR?ja%I+O*i<@Su`PxSL126jsN2DQbC})7nK$K zuMDRL3lZg>=HCKRzxE-8*^gH1|L!pp)kpnkDZBrFL^$zOtQ|4!eDR+-EHM#l(X?Io zzXDpT)r-=9|4k_CSsnlRzvHM|21gtRa^YD zw;D^+Z2q6bQW$>i4AIU@@06%;Z#P4YadxAr#nn88A9x_X&xSo_0jJ&4QMR8kwI#N5Ub#^)5q`72bs-o*&@DZ+wf%uTJV)sO+o{PVi2zo`8ez5?)}o z@HMTC4`G;v<8^%-3p+X5l{_?qmmELq5esrGz7u;GLkusjo7Y7F5#NcuYd}0UXk70a zAA2~%Y35@E*%I%(-Ywu9UyjH9@iJweJR)GS-M!WJLfePlJ&PC(U;WH1NK2?ge`FT1 zj}y4o&iBZow%!zJ@7W)fM{Is`pjlKtI*ZwUdeC;L$K)|vt-qBWAd5(ete8{!?(C9B`72y&6Z+8$E^LfHK?o$!n873$p^PBA%K>6UX)X z`JwE&PYZZ(A&5}}2H=Ficrb5yv#Ol{pUyDh;ThX^+ckjNdG}zzecf`p7%<>y`>mco z1>T9Cyq^(JQ`KDkSSshTX9}bxm)fY`(SuASsx%#aH1jq3Zdu>WFQua_`9 z=)|3l&B=&uSL158doOjk%kIeTcDqEcVZDs7HU=Zm6kbIKlF}@(*LK|yu6U7#FJxbwxi?$Ru3X~qKZWOGWJk~}Be$wU(3~|XCR?Drl zo0~%(tE8^3Mbmb>n=RS}wCJ3f`Mw1AzHAjP#^dh|$O|u)n zg`*``>D5RDzJ*>mZskauT_5sMVWr`@;T0BbXL^}lKJI{ZPb(MEc7aziJS(-6wwx`6 z`ZZpViO_S(ds@5+_~DSp&hy$26f=?9Z>Me z{zkXmfhW)iu)1BE{P^l3q7Yf@F_oErTZ{=o30m8zSy~*ic*Ol9pxU{p$&j~m95a4> zw5%{+aP}Xyi1TjId|#qcdDAu^6Xg&J62(t$(gTiit(#J-G*3*rVGKQNTvB&%O0v^hwTMn=N_PrqA z;2HX~M`^x$FWjc!J<(kP1(?Zv0j|}js6%EVeKk*3&PR7U#5+e9E|Rp2=qQzxcZa-g*>)b1PJ;4qoSir7o@eU)}HJCi|e)styG`#u@GUTh1LJ@$Pwm{Pc_ z9!G_fy%@?Pibz*RwQE6Z)zBmL#6JtILK&%JSje(V8%1sVG;Vg@VfK7O ztjX{f946ck_j7Bj?MfFtTGlsI!)~u>mq$8k)5%ZcYj2XcY$s+7t>@hZsqi4o+Dj7g zx_d$yOT5P0Q*CYRI3%+%c<+_1w$Yl$go($Do|Dv%nX)%b1xio1wT1m1ZKQS`-f0L$ zv)Oem(RMUltob2%(*xjQjD=RFJDs+xDRhsqL(1umAu6 literal 0 HcmV?d00001 diff --git a/GleeBug/ntdll_x86.lib b/GleeBug/ntdll_x86.lib new file mode 100644 index 0000000000000000000000000000000000000000..c6ccc8cfc98e6e21f715fd92c36e3b466ff47847 GIT binary patch literal 271654 zcmeFaf1FiC{rErUoSPXLnGqS8nVD}gGejgbGJY%wwk#_wXd9vX;{prIz3aVqfi*KT zGcz+YGcz+YGcz+YD>E}QGcz+YGcz+YGcz+HBQmq^^EET)oSF0Eu6_Rc{*jNz(_!cJ zV}6`Db7tnunft2QeT{*2hfR3HUjBav&NyV|!P5?$Hhq>KKh6I6#%YJlny&wS>;$ED z{+bG3H(73f(6t)>=@NW%&&wzvbEq4>b%udS@syp{ZGP9qe!CPL?+=$U2V+V{YUJuKAG3Rp=!X^tlp zwi=FFr$WuWgm83+g*rJJ-ZsTTUf(8cH}v+aP;)0Cyd66YHgAVjq^~)JP{2-j2kl5h zTJM0>i!9XnYB+}a(ws*K$5LOK5ki5sC-kkf+)N1lvn-br!oXw;X%7fb8V1R?=1xMW z&aqra2x~}Ra}FV_RhAZ^K-~-Lx-B;l!qEPfa|vNR`PPu<^}>CI4a-!hxsectXIL&K zgpIpdP9_w#8)}0p)I3TE^TrXc z5_T9qQd6PkVL~{2wdHO?_-Lo)WHPpc;;evIRdkNuF9TwWer{Kb=mJ0~s)4N+v zBNV6y;UfHK?jnTGaD6r8?K5yO<+s>O+Ii zYv619TP`GouaiH`353GqhHnh2P;);aTuc5mw-UlPJ1o}`!gU8&E+B+&(f&2$^;-gE z7Or1yp)a@|zKtKv)r4@vGz&g%fbZ;V*+eK%M&ZVzE%>+*zI&+UazeO?^ff0D3ZyN3 zkMuQ^;d^j1*IC20x*5KYo#s?Rfi^GP(r>w&5Pr~UxsecVoo>095PrCen*gEAHy9z7Rr7H{A8iw4O|Q1CpR1JJXD1m>h@0f zDc4Cu9)AjV?QS`nP+@h6i@G98V~0HT;Hj zG+eviz=LxvcM`(H4$Jj~@IunjTtNuC?rAxP5MDIVBL9ZnrdTc}gcnb;kcSrw zPZ%bxR*~jbLU;-3Xf7v&$)uw>lMr4y!Ge#M!tTnliBNdR@Uk8iY3?C}DZQ4v3E|}( zmg@*%kNqr{5W*|=u$)CGJY(3CG&EZY;g#fHgU?sOUij5;E%t&};a7vtSHa$sET<3( z_z+%A{xsCVt6`sM7JTdjui3|P4k7Hjvt@)(c--)RDyuPI(&C`T%0Do(?62cp3Pnx?4VcHRvTL|I6nHI`+ zAWSD8n#%~`pgk;H^Miz^3^Qsf(mX;4tm_yk+rcoi!-CJ5@W#C@XA{D#iiP~n5*{=h zvP?x9@^%OuI@@w3A-rj-Mg9%5_qAM12ydQZIfD=mqg`r9<1pc2!&{D3k>&wHnA2mq znGoiZu7$U(E(mphI6T;!0 z7JMHLiw?D1MF@*2x8@>3ID+<}Ig1e98d_)@Zxx;}u&xtnNTU;$bX#s9gs$n9O9)}< z-j;I-p?iXbvUCevf8odx%fp1Qtk-foAuL~Lxrz{axK5h$31LOWLS9!0<%el=W^qv37jUvn8D^zLQ3fDqn3*>XA|tWp;FH@t&-)0{vkY&EPV9~#QG z8jk6=P>09Bu^pD{388PM2rc|-ZX$%yLoHVm!lp|s z`w_xs>P>SxA#B;jvWZZ5(lAEeHIER&@vAKN62d#XE!4?7;e)?N6(O90U(HE`!sCYbk$=ry zgur@@;p>FJdX3>iLO5+#%V~u00rI2SLMV_Q;dK0J@Oe6XaFOLkLO5fFg)*N3A0mI6 zvk1>p;em_`HH>W!yh251o^08fPWBBqG6=@zJ zgsWCrxOP{;SB|h;M+jH%YdM=xc-rt)@~gR*5U%O4TulgH!%l%23)(J1_6atR@PZ=&TyLV-LBH4YbVpo%oq{g2@GMV1=~ z;m6Y~7ZSo9ltXhep|I8Pll3anP!~UeJ86%aTL|H&hgvQpguC{#P^P=!XR8f&J;~qj zGi-#rNndk0A^e>B(40XC_b5w?PP5%Qy)W%_&fEWd5{pccU!I}gn!U3G#3%V zj!BlY2;rZ~LOuLbz=!bE5f-lPQ}8eHr=g7hf~R-4oK7fEm%_i-TOJ^UXSyx;cn1En zuZ6V#bC#;8oh&C33R?}qDpk?kMF`<+%N2yc!h+#cLSdVs(yJ<(n+f4LGc1=9!cN#} zu-Qr2Zg}o`Rna^|2swy>62cVxXs#xNm+x&M?UxHX4118i zhP3y9S5OYk6@;)S*Gq%Vp29PRSFTeP&3%NhSEuD>LU`3I%jJZy_Y})1gaY*{yn2lV zAFqae7Fo#iK35-e%;F{8OPBQ=)3IRr{AG)~dzLOcrq&u99#+R3)3u_rGcQ)})^a25 zS+t_-t;clC?U}2Nncr;89UiU^^tGz<`$k%$jq1G7HEXJkIkWIJv~lE^wi=H0l4`Tr zx3=0{AF8!5KX7`1eSr=hY`RuxlV_nPO}|tlXT4-}xHYt*HZ)KltS)aghH7h@i)-D( zeFIfLN502#ta7Os&vT|vE6t;$ky`f*ZLHQuTVB=Lj5s3EA0DdKTJ!schnH6yo1`|q z+9;ByR`pt~I?(E=TT?%i#hNl-yHOwD>MtIg<5oykfbQZ! ziZ!%mZ0>Ni(dz3TuJ){JRQr6hHad7%E~yRG8$+$J`NMt9rdO9m!jAs6^GIWZZkK8P za?wQKxYmkGoc66tsxuX(f}E>_UC?aXpAZNb&d=hiQ4nToM*)kkze*U}|s zGP*n~(-ued4Y`*ob9D-&V%4lRO76D2sB^F}cR>1$Wz}YVv>`oo(#sXgBzACcS#?dv z@Nk-+Y%G6w3^miUX-R8o2L+p}D8($BN1+~$QasHZ4hhHeNk<|wGX=lA}usXP; zJ~%pDZ8~>(dmW?;hiZch=taiJFQsizL0(x)^MbQ6|mAw@c8<#A0}~xo)oXYBee=&QM%k$z$Z%XrjZ7%B5Y@R~sD8w4$6OqrG5@ zUqV;k%8Z5XUk2%>;%nkHR?G?&uw7i^K3X@laY2n+ui7zI>)SXq;I+b14XmXZl~j{| zUB^?jzT^(@axQjpq}CbOpqnl!4{Y$;t;A$xSlEttSyc}rhw8O?`~yq(UT&j<2mPE| zyph2p&$;S?E!Bb17JinF$p5+N+&lJJ=*AvxqNYtPuC1vzHui}}zfjs?TUGqgway(G zna=~ePa4{?>Y%>8a3-Bge_ytyo~6F=jKd{;wV^fDrnI4cZ|vMoLuBhlTZ8q@HJktR z@l`ByVzUFULJ^TGYQt?>pnGM;)l9rebIV)WSgYl=v}7t$A|!fcwZXVjH=-qdt$}sb z=KOWlfep>kjebiUN3UzRIk(ni^fOrPrai{PxLh<5OZsE2p1!q?VkTZ|F0F1XQ_hOI zTJlgFY1si-cfHYa?tn6>iEo-h&p9ZWd*$Q3n7OsVxub(at+~T}jg50=Bo}2IB~LtW ztY>VbT4wA>3#|O~XBMY#T;x>?{P7%N{?|FwY_-o%Mz5`>e8Og0{9hV9d-Zu^_CYo? zY4`t+#+VHb&TZAX2iz9n#A%Ir^?FN>IMQ)OK3-zhk2YI}H|nD!&7S&(YRzw#h0@rH zsnsU>_O;bg%OVY|WuhooYhyfBbnB!@Xl-o&=C&x&PNPLnKd~684bX{?v1oAIXq7pv zXH%+@+RMncd)-)b2shGcxTC%Cv>f^9&>)t{Q?p2t#;qJ`v_|`emoWWkjQQ8WmMX7- zb)&kZZ)Bu8D9_nu&${aJzKzbbtBnGpW^-t5{GjQnA5rhOQzrLhG;?9E zNybl6MvrVqLlZ)1AB6WG0Svw5o%q67!b~Wmg#6Ea@8>ZVuO5x+1)$ zqw|szCw8N)KJL+cI!jVPtlLEwHrPEhqUR2C4$f6-ULIT0SF;wP^OjF3BTQ`ca4eag z=Ax4bvm)w^#7w=$Lv^W+j5hPlgL3(|`c~#xtdVZ9P(P8x+RIrAkS3SE%C02U-q<&? zuFis7{%%=bb!Cag*v9_)@X$c#P;EnebLI-NyjUsrVV}(TR^kW}UER~?FPeD*NPMEH z$0-LpqaSk>%=ks(V@+Amk~JeU;Lcs)oEW>&MuSI5PqjatcV%O{%o?n}MCsgX1q+x+ ztyR)>x_7;{@Fb!=+&7lYo84z+UZS;mTIgY+^O!)>iH)_=p ziDQzsk+DwUBQ$=f7>h!c*nVZ-@Mu+hdbKTObS0v_X=tD-U9VobH(7Nqf0-Q1q2>tn zZr}8{h0Y4l9UbBR;L&Gq5BE+ik~tRnp>|@Bin&$JV^^?0s|K$(*-43!uY&{>v`?UDIuhaImQAUOZuL;}FdCE16b(?JBJ1@nmS$2Qs zC0#96V@18XC7$m&SEop(EzFJHUEiF0(N-$f0$o2x$(ob*d?lTXq^q@f<4Cp9tjmh` z+*-Xhwy{2H=fh6#(N@XxVcrriU85gaP7xgsSryOTK3Uxx)-iRYSh0vb)HghIJWKU! zSzck%>1Mf58e6q^rc$Z$43x!JXJBBw=H*y6?YL)gjS;KckL4wzZTc6pP%w9to0pZ| z0r#=oMx{$H7*%W8YLsQ9G!`vcDQ6vnNv2bFKh|hv9y_99qZ0Xa@7A{(CQ@_;Hsl^e zUZl~Xjs|&msz(=kX`58MPG4+Fm5h)0dfJX8?iR%|BQpB=yVEtvOS@W2`ZiR%t1Q0P zcud&mpHqP)Vq@1+-8fQj^fktc?Fz(VH`2a)Dpe@9UCwjc-_bI@p4M17RNcIEP5gM8 z;dHFzATPwGKFA_=`~dfEu>w(7tE(=XDa>p19d?Lf z5@~e&DS9UPoY2_#GxYdw5$C?dXiF_;>miOyG?K}7CI=|GBBLKqnlrjiw9zvc!CBUF zucl3iCEH!gL-XP9oaMij7@->t&O1<73TuUYpl- zC04s&Dx0a@qS-Dg#y)m#ou5cvV+|;8) zZ0(W<%hJZ6zf!L4@?ys>ei`rNEirOr)lX;Q zMC_Qysk!*R%+|IOZ+*%GboppM`Shk(x`r|`Yr&*PZ#v>N=KT7o-W8wiK8saidtNp; zw@uvYvRReJT&!mO964HV^*I{F{Z6Tt^%4)7a+T@|Qr%J6qV3e8ckM9A$`i|YxK)sj zD~k2o55@G=DIJShY0*liH^>}MFUd=hr_4C4jW4U|d2=pXS(dUYp1lm>a*sl@S`v$_ zz8UW2YCVm1^;l`C59?ie-Y88MPFrLYtZn(->`7wn(oGIJoy;(cC570ItZl41)sj4L zyhgaPR89LCtDtW0`$(kXn z@A_+x9@c_}WDQh5g`Jh4an!^Q8#tP>)R4?_omo+_G_kUMztaO-gH({{rms2O>7dp3 zg<`X@zDd79O5W|ecTtHrwzIvu9x=P?oW?9G6)QFnXJ2f2k)p$ksR6Cz=iiGqdSm)3 zc(pPzoJ3k3dHcDnI#8AGEaVNiI|G-*#)=e*Z8P0rk#*7!IzlH;@r_t4l~i?$&X>!J zPV`LHWB-1AX^Xsq*fy)J+-%K{wOYJ= zVqM#lc^BH>R@c>9-nS{+vYeFiVpVLc(OOb%tgXtTx4(T!R5K#oYWyYwv*3FKtjA~*B(YO3UuENiJ}wn@*Q?Hx(dPJVML zu6=&qoEoMw*P?jVkXre2ZE5GIZa09w6Kk~e1l4JAq7%oZ8eB%%`EEYybH^&NdQL&x zE*e_9PJ7eKxXvwrSx%N%$j#hY-`viyNJZN_BMN<)3r4r3-9{_xB{wed%@c9fE}j2o zu7H!auaos4v#oO5Semu61ui#q6tcE)msD=-YGkc#?^SN>DCBJQe7cQkBDa>g*{;(| zES71UKUX$Z*}1N3la*nFZE;ymyHEChWj+zs?#fh*P%r(v+mR@?o%1DWh)!lg=d`2Z z`5taou%&%@wd(Dt&qV7ycym9;u@`SNOQ&qES*a2}><3e(CcTGEPJ%W&-us6607UK+ zKF3_ne$nB03zv5@jHigNR$oJ25Ui0EHuq_ji5JcKNTH$^joxUJC8@!<+jM>AB#E}| zC*5{slv4q^x@qcXT>Qev>!OOqU2KK4GrRQR<0Mopb*$o&6xld3$0E&ieEpL|QjzF4 z&6gzZju0;rodz=|GdgjvY$jUk)tbZ1UghcB-Pc;@Jx5V5kao4q$8q`HBiZ;^Q=Y)i z1vP3m($S%>aw;p)GSNoQ?j&(%q@w3U$9n$E-K_*;ke7=kYjXZp1}{TJ(yrFZK|Y7m z+b!Mf`>|aud(-J=n7=T^(!`3oDq173RvBqx6|X6qag6)DcUzT2=ywp#B2ZxmqTj5F zr1U9WC^V^MpZf6)ASPKE7P7%lk0;%^l^^S99ZtLE4Pl|KBeNFSWuhc2l4w?FZT!aM zwoaX?ytu3NwxR0qVDhAMZ{@tCd(9TvvDw|It{HOfkz6zp>DIRNj>|>s2)^^82iG3c zXL*r?xOn*{mwr~TtTjBhpEZ?bNAqP+nuA=lj?jy)d>6F5I=qI}DE549sxI$v1|{QZ ziG1L=QQl{ESNoX`Zb+-KP?Sc>^Ir~WV3Cu(ucVvay5lJ2#mm?AH5e8oJw-bWEu);W zXHpLO(EHr%+&fcnBQ8;E=ZF3>?e4}`oYPKaMXlMlrn<1NnI7}=U+9ZxKF`$0V#xQ2 zo2&fc9%;}BH=!jT274 zml;>hD(LUMO#_qbnv60^#YFz-q)kh4uIJAJr}qh!SL!vX@N&U zPu(8aCV%*kz%mVMZN9xp?3c4YJ!fB{Q{q7%8JEdAnaDax)x-~@>m)og~`R>#FO|TKsmBs5?@z;fZG5Yo zNb7Tc42wQX8zbxZbYXBlvl%(!!FJ+JuL0=|tK%rgKHbkMyy}$$YcfKykwXh;g>uRL zG&6!&S1bDE6U`)A^mv#u-B=`@v6lruKGx*e2y@Vc?^TpNQC5G&aGk^E%8gQaYH7Q& zA|pqX>U-T&VOn_&Yb{S)d)lZsjFQ^P$gBl>Zs#`!4st)5 zO4bD0>!eb7vNPv7zAC45$;a$+hFXD_GCl37#>BCz7dPgOwU|HJD(Uivf80^+^o%Dy zf8x7KI|rmg=hksoc*jvn#ho;bo_c2=?}_7k((69zHA$&hEA?WM@2Mv_^6wDiq)^H6 zF*KOeh||Q9857kaSz+*0q?Y<&+|HM0i)*Z$aN=8Lhg(6}#?wzd>-%K<$|_OQen!SR zS&h%!>}jN1Y33tiGJciF zRHq=b-n?XfU0ao?#eVW5Hf@(gTRp!c@%zmYIX@^pbXW>2Rt-7sWbOcG?s>PY7wza} z*EhV0PVB5mDfJ=WL$_EHN|)4%Woc|O8TCqJvgpbZ3)y!eFPcW1vTIDQDtgUZn-(i2 zKAbPd{f429Gt$ILKd=faC5cZo?fZi6z6M<;uWWgACL7hpQA)%|Cg<;FkHl`Pk_a=; z^0Y(IWz0wutK!=tV_dA{_|PA+#P>_i*psGK`n^tmTV#D$J{QSfV)L4)jeg>p6Y}&W z@>bdGNgR$S)z7?@ED-onTq@2U&Sy~%ViRFvle6xwh21;<`rUA?g>)7ie8M-X)_IMiS~zJm z`I&;T^gV=MXL+GcM@PFuvjVG(IJGnD#HJw^*k#0yovcw58QAz#(|sz~Azyrk<2XvG zmwGb7E7=|@pWcs7{pZz;pXDrw4XhInSo@E#dNU`? z+Y}YVHH+oia&v8fuU71MF!zq5gY&x!BKD&jN8AoGwaN&zu05d4 z8@6T|O?-%1UIz~g_%#!!M{)bQyh!wG@)~SGUt@SI^B~llee@7kzNK=fZU2RhP9Zb$ zNh)ALEh9;^b7P*2O-`;YIX;`u9qc-m-9+R+DHqgAbsP^29ob39&qm0v7;z_gPmI__ zk&^boot~*lujg4HTbBzIwC(6d+kMJB&H2E!L};V+fpeu}l;rfctVWr2c5G7Uz$%sb z=p5Qmotqpi<4=nU{S_FL`95l>wT@pB(c>Wb85OUM*X;RwZea@yo~7?+RTUZcPR$(0 z;n1>-o%H@*R*R&PFNyEq?5v@heq!Wod|7OfTUgY7;@DWrY@Cu6iJV(c6zdmi+Q>ww zphwh+`~9Gf%J*66oh{|g%O#aY+HqT-?z6mDEOuLlS~B~N=g-bKBrnqXBYpC#FPq}i z6is6C-1U}B7Hny&r#;D$i21(A8{wLB6N{A`AMWCO2j{mBW+v>hn-V?8(-Mx_9k4FE zg~`}ORsmZ^5%KxvUgk6Lo@V+&DY>|*dMea5vXvyWl*&9o_GcU}E9G7`_34k}X^-R8 zwx4J1*U`70W$3WDmT9QT2e9KP#bWPOpi@h=LH(l9eM=~%P9j-Ck6$7eTR94DTFXZH z2^X&sCvFpw)$e4}oV*p@%y-eq3f_E+X{lE1g-?X_&i$b^ysoXaD3RCYXdlHou?JpF zv12^Rg4%81r+Mh7YHy&3I>oQE24-DF5b4j6!weRA1OWruQudFg9>w_zrTyXEI zx&mL9%Up6{tc|CjZ5vJV^AgL=4|6!3;liPuEVhs{M6*jZTHO(dt{lXw=lAv<_540L zSJk^@r7B{te-+3c&dj(?=M9yjv6VdZX3vpL|+!yct1C5u--bz%#q#Rv{PI4;)U z;Zm>{*)51RDpfOn6>PEAin=nQePWh&J0tl7NoH7hBIv9c1Q-O)E7+jaC& zGj6v1tIXLKrE11c$uetlCz5=LN~wKzd|&J$9nm9aX`E#ocRK7wnv~>xud;O!(awvF zo&HsyqN;LVTjQXep7A7)XZeOrUJqw8o0X*&M-9~unr_ZQ$rMm*e5tjn*4DPx*%^>1 zN!eI>TiP%yL-vB?8hqz}VONk6JJyDVnfpm4FRyZ(b01q9+(QojI~%KQ1{5aaCWE=E zD^@Y~UFJg&{a(%c7B$n*+v!aIE0B-G@(RXw>1Mj^XVF&M=^0O@OCDrAD>D|$%exAjGg`UXtolw8H*n=;SjRy@TFWu z?B!=DlZO*aW{t6)x;`AqOTWEZ?59h1SZ4Q5Xj4}bYcJc>$IEdu1@*fvZITmvb}Re* zNmgoNC0d*Q${as0ACP$$z&ZFmmWc%iyE`LQ_d%T(S^fF;w-fX4EX5=zwO0I0qBh9P z6~)9CS^a`Bp6I60R?lxk*#hLGMOK+tYLbj+m%LRIi8&-+UaWO9_VvyowZ02AJQ-86 zCD~DY>f4ceRs}1&Ntcvb7ihKfB9r=&A%51J;|slxsnlcE!t?H~jrx=1)L%}g)PszU zyycW)C$XC6$9>=E4P#RuSryOTd|OarnF@Uy=jC<5rEy=?cy@Z;EIo;T$0n`Kllzu- z!(>5f(kn{#wLTqn;Rx36^J?wX+WCw2$cOd(yrN!l$gOtB`=LS&o4%EG*GKeoC%;_cILIkw ze6T9wIPv?vBp2OTE!n5!CW2f_VRDjG;<#GkWn|L~J7llQDhO6GU-Bb&-}$~+wPEIb&UVh_1%pUr@C?Pq3cj%)AEqPa7Q zHEhZm>-f65*FI|>>y&xOU%R{q@9JgpfNY!+7!66knOg<1D%xJM*;!r7`_rY%XLYcin5nX6v4Xbk zVI|)_cCuDkkAoMNU+}x(B4O5sS=>5y@ed6wUpKTS^MRvhU!a)rRrC_l zb>YY}mR($3c9*)3Qr9pQXY6#IJFD&T?W+{oFXOPoHU-xXQk|@a(f$^v8)d%vbTiMn z=BY-;x@ZXH+B$Nvta8L>!6YMTT4f5_R+jYSz!=Ua8O%=G&AM1dnpovmNxZw)7#Az0 zJ~Hn)tdWToE%`|b*|F*EVfPwDnTE06kXeCo`xiNkB`>yidU++Q9Y<=NwV4lQ-KCh$ zdVy41)i;ce$Xs=CE!_(0-PE1+GL^)>WaT@(;MzrrRy!}!z510ac`0yY74ap%CD!h2 zoD#XV9I^fTlD_5!FJ0#18IjSCTa#Y4?qR2)UG#RZ6Si&C#1Ef56n$Kqi5E@T6K0MY z@a8CXqpEk=o`r7gG5bNN+id7^`duIgs_u}k@p_qdAer!3ybDDBmZ zpV;1hpl`mo_g6r1Q?BKEi9e`uucKq`h>Pr44e~y1$XQy2B3pS>>q_JI)a-YpQa%2b z*_^|6R+7s2U(J-Oh<&ormW9xCYpwqjZ>OYvn0rHeFt2&M+O@ZiFD|s}s>|;!w>M67 z#Djjn;0@i(IUD|WL+#bt`pFIy%Uz}8MWeHHO|rYjFOkl3Mw;Y7eo@fu+VE<@+Bh;S zlDGNknnm`Alya3~`+_ZZ1ujx8<0VO-PsZFH2Gfj4^f^w&*^%LO#sxAgx(9mdvg_O~ zx4Tb`yh!wi^aIa*?0GhYVzH}_n76QQ)w_|Rqfdx4Gbn#JpOYloUWZ;}lvmKU`q#wt zIKa!k`5Ce}UNl+ADag1Ri(QAL@b>D8#n$ht&DD?Mf1D<|@7Qn)_2Y z`D-c@ngS)`L;upvQT5HN#OuWbzxO7$g$l8)Y&}}c&&20$=h3PsLO=5>IqoINi(>tP z0k>98iP^V1X!6Dc}!3>0&_mfcC`?yD$}X$$#1wdx>0n$m1? z_=V@Znv+?J<)iwjsRDgZqP5LW>gcxOZhe%cpnlnQ=co8Av>mVd%R{f{Hx0hpNF-XD z&BV=uPRUQYTq*TYbQ-DsxgAH8>bvjCl9{G8aAn$JBaca`7QZW&gIJw-tGTIKdgz~D zD*4TycBVb#6aavDZdKqsZSFVz?pEbU{tD^1G^Kp3x({Ikr z zjcpQXbnMQfXOU=oP3w(SSm&U$;{5|;BC|^9=~++touKX=AU+B;JZop*n7MATbw-AwqjSY4Y*9NlPgfY#jSo`APvs?S+BWwyJLVf_!eKdQqCKdTI zMeoU#Tht$fqn($gR{8)AZI!*-#mbk873)Jr+k4!&v7)6<0`dCdI7XyWk;&n!X-#<1 zT8|TM*2?`TpJ({Bt{0G8k?4>1C!0F;jhPEDKuUp~S2FZ=r(#uVIq%aR%F))9tCRO2*%_yL9F=1GwA5vl;}<&h z!uE<$bL?K`v^`rLS-ESOynxNTbxBM!3Wc`GJKJo|d+LdKqT_m?L}lqFBBQ^CSCpCC zU?`5$8mzq)Y>sd;RIHHL>Jg3GotWMyj@EjcbKT>LS`sH3BL%1Qq**AEX03`|3VCiF zg<{(__nMml<0q$F=CkltDlS^=xzMD{zu&goJN9+697qSL^Q zTHa66kjpZXC}`V39&0iv;rw}b33uFaZW?5Is9?WnEf(N7Fqmu zQ!K{rsJ`J1`h71gXsG62hyt0l(A}Zij6^k#6de}!IDt`KB{as!HYe_S)AJHJmc7-6 z`9#q5?nYW2yAvv_l}3wRePchBlG|qNHIa5o_!!aW)S3N#GUJz1U;L^q)e!3iwI;t< zZZ=*ekG`Y_C>D!dSG}c|g5pIU+OSU9y~o-qX&a>GHU*LdjcRYOGlD zNNlp@$;!lHMNM8?wXOA16|omE=o1wEZ%v ziElRbZ?ia?^78Rs46DB8r_6@?WK^0o`f-#z@w_qfEqt-DBQ3D<)1TSSMP9YQA1@i% zIch#eYv(MZ*Va=$VblBlmqyQCecqV;SI_vDEkNbWTv`YPFZnlv`hiprX1I4M}0l@f?vIE zuhY9ZekZo9+8S-R1GPetMDj*`c(LB>=w>n-A8VS)hEtl%Z+M}{_Kb%4d1a@@{8-Vd zH=PAJC&K>Iys&XP&h#Z;I}K!vZ))4gQ*crT{AZ^-@Ov|?EtE4P#P^fbjxqGLVx<*ze1EfvRt z^k(x~nyyP<=2$TH@Vb4IC)8s>tgA<(?iEYN+{8Ls`5zfC5ysI=I6tU4TyN=$@S2WJ zA}3DlM)_32{e-JP5J$#=a3&P~2YyE|w*+ zV;lSH{Jdr7P;EnebLK9@@?xdfhkY{VE6fojx|wCAe0&n4$0-NrdI~cNk@#3s<}|V) z+YGpKS2!o`-K={t^TBU?QJuS}SZb~4Qcb7m-p|^?lZZAyLy`UtyyrhF(b_x*^nlNK z0HiUKnHVv*~{dPrS9ULawI0Pz|l4D=e=!OtbR4=oZQBmcxbQg_)RWOx{^~SC4P$>?Hu=8 zZeg>6-pyQCUM;3I7EjNz@uDfe_m`Otd6DSIc_wDLtEroelX#KLTFB>p4bFvQqHj)R zbt_BT6>3=P%x$Cfle)2yH*)>^toKa89rIv%nrp1rLcw+%X`juflp zXr*|yJ6-!Mlg9Bao|aUqJOjNo<#IWarhQm0t}zyM`?0)4v`znFmH^~8M>lf*<3M`& zLtB;J&9W3!t!1mxk41}vB|2E4a5pGqW6j@kQ##i}3~f{*cYiQ96Dfc4JIi{u;M|N} zq|u>{=IsgkywT!x_T+>{-EiCye|s(8i*5x@MqS%j=3D6Z#w;D^ zrZ>ZB^{#17sduxy`AG6?udZ9eWpZO_=IL4eG}h6|&C$iP)=VTuTUVSr>=4By(&+ee zb7#UJx;de-@#o(0-696Q#Ar(`XUi4GB^t>bJCg$xU6IjWV&};jT_@V;nTy~oSh-hI zvRkNNY~!hoJLC`(H{R1U1F>vDt$HfV+sFvhnKe3zXe%o=cJZy3O~#FnH8e<>TR8D0%3u?k$$C8RN3B>gzQfp;q%9$eAZ5cY( z-NXF)CX*dI3iDcMk*s&Ke&#!0L3o)d6k-#v|C<+7?xiRYIr_Pl>E6bPX`z zzSWAwojeRjy;Ek}X~eR4(O6fg`-aoxHYd*7nWp7U0DMbF!P+h`zZ330skMm{A8T%6 z;N;yuMlp%DdUD?TIBla?#o9Y}tDgV5Emx;lq>#5Yk4$F}k+n?}^0w&{v0dW6R^Cf) zbuOEOM4`aeuF1AbKYpr-PTqs<#@jh?R0{0PThlfbXnK7w^=6B=lWkhRK3FKLk)+Li zx=FskuCI|r)<}X2(#z7tF}41(P1xvnwws&F0X2pIfXF+w&U1x#i+km(8j) z=3+JL=g84|tIyHU_g}8xDb=!G;z3icQe8o+tAAp|sl|BQtFIjf-k<~ZD zyG<&%LZrHPg8`<;iIHAn@C?(%Bf)p%FZB<~BwMozxSJ?!H4QX-D+ zY_F~d#O{;Vm}RA6RpVW@JT1MFIFX{mi>U#vd1S|WgOhX z;-{9lGjK_4tVp5QHq#vzSttFVBXshVR&0{6Bb8Kji;jzss(aCip2>Rb!LKiEkyjAg zCWjR00k~InZmiXE-VgZB(ap%Tg&bibmp7yAMr%E~xOhb1-9xeq&Jo1AwkPv*>us3p z-MpNWYBMd%iAv;LA2)MW#l{+~B~|(PXMFh^lSDNmLSF_0-o7Na=PH(pmHzb}y(2L< zpDh$7HqLxCZXDLYk!bDGw@B#cWZEJ(vGr<7UL*C7%5IWmW-M}Rsb{uH&#&9Bb7e`= zPJVMLu6=&qoEoMw*P?jVkXre2ZE5GIZa09w6Kk}x_lM}jaj6DN2u;p&7}7sYF}^$lAtTQn|6Kk+rtHSGlpHkh9hE={BZ`+*+2- zhIK9Fq{gajCM-5tnYQR0)Z3|Ln}$35Lq8)i+U0FF+ni&4X~(%6!Rhd@D^$_;g|op- z9hT~751Bb$rXMVj8Y_LOLvA+aJhrHy;@u=NAZp_yGw>*NlZ-wR4d<@%AAE66vI!p8pJCax=k*Q8*Lg%!j;`ttK zR0o_J=LK75>nilvTKT#_OiN9I_hnU1eSl1M5N z{U%4t@nMI%BgBhDM-D)ek3bI^7KO7slR_8EIlgT_tbAopFw}%19Hdcum>d;_fN7ZB-JX-$6JFV}%`v z9{G!;^eJ5^G^u5u`tc1QCRrI4@}aUGPr7p}Ki1JYoZs^04Pl|KBeNFSWuhc2=IdyG zeaYJRjmd4DI#YRZ@8-A3flkSj&b^h(B%3<=*D|rFwYVXqJ!k(m8FgaihXc%+TuFbqP$K6{?fr5$HSw8SHy#s4jrr-h>REfZ^Gp zdI);o9I88E&S9at7N))>ROiElIiWfp9)@G*q63TOh3a~kIX_gF!R{TQIu|MnLe+xD z;Mj$sdH@z3jz5^TC{$O$w8f#i2KGAw|1jaLp*jt=!C+^o9)!*%*uc~-bYQ2Yp*jh+ zL8F^|!N=RZCRFEuT1$Pw1JJ#WYXtibk#E>(J-*>SShgWlH^PkJP+bhWZRGmFb{MRM z>QU&ehw4_CF%qf^Vd8P550AsK4bq2&P3jf)ZIK2{7^NOz8?4_Hs{5g9bEs~DX)DFJPnO^ab4ip6G;n>csFH*87JWfc6$$X4UfU9lS6eI zOn)zaVB#s{6}CeE`$BaO%sZ9q08`&jT|wovP;G(-q5A{m5vHFWsw-gX2Pre`dQJ8pss7{3K(D)>IfOQwpZlL2+)CEkvkoymI|1|XmJ7C>Kp}Gs^ zeFlH9&&8p-2zL7{`Gjq-<`VqCyw8Q|O4$8U`UBYM^ISi87ybbXm?3wvEfnPI1|paVN#_-fLCm0u0j?J(~ebYcIm zQSUJE>(o0u4ujvI9YNQ%v`6UpCS`{MuA}TQ>09`PZLs=!+5vQYo3g{S8_ zcmn!wqpia1AJH~o^6j)k*b3`^OuazQ9i$Hne?mFlKphhvdMEjX1AdB6*!`|hoefXH z@Xu(Yu`!P)3+|FKqyJz?xrDXV7yWHn8wlqy^LNr+vfTzs3f3 zet>HVTVc&_C?Cvu5Wg_#x8xn3hQ>o&cNqK~_W*P}OnZhsejlncKs`d=0*}DTKTsx^ z{V3NIX8e&h22&rSY_R8_2w~61$uCs?O#Q(l(EmiJ?tnReA)m1CR@x5i^jEGCY=hO? zXuHt;H||-O{UrWj`rq*jyKbj1gYD4z2Yngz@1Sh3=%3iY?59F?*fjD-IQ3to0TZ4k zAFvfx|C_!araePlz@Go1e}>5_Qm4REus(>?gU}U5>PDCmMd}imT#3|a@HC7(CsOyr z%AF#02ORNSbYb?+k-8FQJ}**N!#)!tbsp^UeEh>USiei8?t}gpMCwlHm>8++Vde`X zbp`CXYoyMBi7z6ADZ54LVwm(|e83a1dQzlrg_$pj)a9_}a6^Sz+?)B6T|Kv_EOXqtJRi zbquWoNC*1gKwjX8X_2}GW*$g-FnxNYE`vP|qU`V#)MiBL5$Hdd^q^xVy0G^fBXu@Z zX5kkegk^`|4`v_AHG`>dB7}WsQ{OP<&5=3-)M41b!*J|dBJ}|D%!$;^FncckVgGsj zO}o34aF6-a1MJcfsgq#`j4YsRuzDe7fzHFxheH=djCDwRailJS$wzQ4AbczJ0Z+hS zCpOT%BvLoP^e(Oi?7cKn=fZ?;(t)R7)fXQ#?8i86x2;n;-bpmXKb*o7a`i~)x&~Yqn8D{oH z>Qb28AE{H}DHt4x)LpP>FjCjRo>l4zDr+Kj5^RUzwfKeO*U<*x_#xt@Y9qxl8>a;PKI>NmHyC283hp>SkcmP&6$uAtyiquVT=qP1}OE%Hg zVb9H!6?WM|eZiA3GDdyDs^cSdFLb|?yuh3jC=VR)F0LW$cOqqnDeva`z~qzg1?oMd z5063r$=JeS@8$ZylvAh!cpO%}k9vZ6r$*}QF!lYBx)63fjs6GJ2O_lv9)ne%-JBG|s{Y^nZkV6uQsmet^S1%6$Nn&!PRp z4mkE>qyvl2rLDlSkMlQlo<|=5hkb(k877}k-AyMw!pEWZN$L!`FQDzhj8Ab*V9yJ= zXJH2nf13UY=3T@!h3TK646xV5=s@^ct^qs*J(qCb!0gXa=WxKK=)zu~r=Nuhm(e!i zQRx2y*BE*(r!RosFOnzdxq`Za>0hFq!;~v&qwoxD`7-&1Raa3yIN~d`CD`|B+7LVq z{a@w!L&r6=8QAx0$lw`R^L1p<^$qM`ziVj&FyWiDWq1^pT}K&U*0;zzOu3$Vh8?ix z+tdYg+<2^f9m%*8hZjK+m1D7dZ5% z)FbS57iq!jpK-qs-a`8j0-br0z3#&g?127X zaSdVK{rG_?zb3EnG^~4o`yIM|LtVqv2f6=Xm*3I`;0ZYTA?gYa{T=qO&%@}zjV@3LK}i7 zpm!^E05ku}{RI1M<9fkvf1?br9coWf7qIT{Jd>b%JNE!g{|EVmNjtcYLH(0Fz=Lqa zQ`xj}#?oU%+umjfroBj>DpFs!q{SWrAld7l_VJoZ(D(Wtn9ahv8uzOTdr@}Vq ztyI*_FylEDbt&w=6EfHi>z`Xu55cmXE9w@Q_PmNZ4<=5)H*ANI=U3Fjuxgizx&u01 zP*K;xw22jU2~2(={@_U%+_j?ahn^SV59aJvQP;!t7n3$jnp9C|z;;;wl8U+q=1oQi z_IqhXT?UhOuc(vY30U>AinVegk?4?AG}9@xX2S5RiyeNSZY46J))McoIT zdr@|n^{R@x9H#7DVXQ-5Va==2fkpe^8@{%)Qq|z*pg(+Wv~#o%HTN9q__=Cl^*l8} zJzwpjUZ5tb7ph&=i_~uF#cGmz31iHcs@>Jg)D-n{wTF6z+Ecw!?WJC&_ExV}`>5Bb zebxV|sp_?AKlM7bzk0noK)pdtQwOT)>L4{k9js=mH>z3c5Ot_}lbWsGtPWFeQFGK> zHBZe~9cqDEs18?))M9mndaLSGOH`Lys=C#YYMENDdejQFQXQp^R&P_i>g{TkdWTxA zj#0;|KGm-V)S#-WHEOL|r-syewLuN5jjE>VYD68U8mg&UYE*4fo7EOIrjA$dR41r+ z(VpI|PEzktC#(0WQ`Gy^sp|deH1z>>y856xLw!h{sXnaEQXf%gtBf`D> z^$B&p`lPx*eM()ZKCLcNpHUa9OVnr8=hUU@^XfA71$DXlqPjwTNnNSFtgcdDQCF+4 zs%zBO)YsKF)V1oH>N@o;b-ntwx>ZfThtHKt?GyBHuWQQyZW)Z zL;XbEseY>NQa@97tDmcT)GyS%>X+(1^(%G1`n7sM{YE{geybi*zf%vZ->XN|AJn7j zkLoe?C-u1cvwA}Ph5O~NYMc6-dQ$yeZCC$LJJdg!Bm7G}t^Tc^QU6gY2!b$(f=ck5 zV5i`@!Op?+f(gO%gI$6b1QUZ72D=6?3U&)#983yc5=;(W8tfjtESM6!JlG?6MX+b^ z%3!bHRl(lDtAl-l*97|p{})URUK{Keye`;3cztj{@P=Soa9}V!I4GDA930FH-WbdZ z4haqo-W1FZ-W(hjyd{_u%njxR^Mj6HL9j45JXjPg4vq-k8gvFrg05g`&>b8ZEDM$g zJ;91#WpGq*bnv#IH+XxnDtJe*IyfdcHs}lbgMnZ$SQD%b)&)bs`d~va9Bd3~K|L4= zjtd$=GiU{)!KPqyuq7A^jt|}$oDjS#I5Bv4a8mG|;N;-F!70J}f>VR{2d4!e2u=?^ z7@QG&C^$3taBx=ek>Kp$qro}B$AWW%j|b-kp9szmJ{epPd@8sw_;hel@R{J^;IqLc z!RLZYgU<(-1z!j*555>&5qv4QGWc?ERq&PI>fo!vHNn?{uLs`RxIg%H@IdgJ;KAUx!9&6Cf`^0O2ag1Q2p$do7(5pIDR?~ibMQp)mtbq~ z*I--lx8TX(@4@!qAHj~`pTSeXzk;WOe+SP5{|QtWgkczkmGC*?PT_OIox|sa6T;_* zyM!+YCx$N!cMV?@?iRi{oD{w!oE*M1+&z3*I3;{}xJUSkaL@3S;a=gZ!o9;+hx>%D z3HJ^EFPs{_Hry|KUATYv`tX484dJx#z;JqaP&gwzIGh>2F`N}15*`}9DV!a?IXoOROcuaU~*cT3jgJCsX6Rr){g+t-`a6>p8ZVYQ-Jsb&-3maiGY=xuYrf_q( zB^(Qn58oM{5WXusF?@G;QuvQ!gIrqhv$W#2+t2c8D0>6D!efKba+wtnegK9v*9J-=fX?F&xe(&REeGw?G#Ojo)^QqjREGP)r8RCHnV>FA>9GttG-XQR(WmqeFFpN}q!z7Sm=eKEQs`ciad^yTQP=qu6H z(O08uqOV0?kG>II8+|jnF8Wq*#^#H_?O9Z=;8z-$f5c zzmFb?{t!JH{V{qh`cw3H^ylb_=r7UM=&#YX=x@=J(ch!((LbUc(LbZ7qJKqCNB@qV zi5N^(f=XD4DwWD}Dmzu4TiLntyvl^i^DDblUQn4>d0}PO%8M$yRbE_~RC!5da^EWoG4#m06WTDu-6yRGD3QbLFtgTPkxZb1U;I^D7;d1(k)B!z+s_ ziz`P|-dgFbEU9!=mR7neM^=_qmREWzD=I51M^%olysgq(p}YFuh~-=zPY%@ z;Ti*+Fv^y&oW4C^Q1(crGTC%nAC)@Pk@_SsIXYR6u#imIgiX9TnzyHJh1Qdt(&m?w z9fzdAVP|%?CC6NwL>CWo0)hO*glwYhf3hmK5+8;-T8wwCs4&Qqe+Ia-T0AXTh&bQ-!nyWdx75mjbtMC;fM!luwG zh88!Qqx?vS{I<5P5`KP!iq>|;v6Lt8EjE$e!8#Q=mNs!DyZ)Ta$9d+=asMiG4ss5g z`~bUb=N@fHlcS|b>>yuzuIb<>!6`0(bGT)Couy&X*qX8%6AiM0hMesfdui(JayGKs z(8s0s4ORy^&}x)3#C5wyDu*cQ54Lbbf(`OvlM_koEIAeGm=$sET=9Y}#7h&l4r4P% zTMlQOE3KqPPGWhS7h@?W`V9};BlK+@xN+(6+^rQ2n|BG$(ZLxSG z-H~kWOg2Zx-?7QAZK_FYSx2TCvR^EqM62UBVD!=9QZ>t}gZk7H>AAW5{e5Yc!P`ub}^fooQzj~gQ?{ChRpw|02|?*{BPn4 zj`lZ#27R#ou0SIEGyHW-@}T4|p6IQr`;3#WD~XR!Ns2#^FE z*3(A;MQ`{F?5b|dxObw>T!Ce zQMxs4P8*U_&|@7LZOG_Af1+%Y8*MZgBlcALrOWR!12TWGq_2T)JTlJHzxH4*UH}4CZCwu%oU#nj&}A)Z=wp0^mbzH8BIE$ z$uZb*{_WY^&TozBR_ZGkf8`h-vF+F`P2R-Z9qSKnSKxZXAt+}h^ zoOql+li3qz&rj(ab1@3IPu!XU57GBY z!tL(cf9uTb?Cgx$xcF1@JO5?O?XV~|(hP(B<=LA5jQMyqEo#XTp&L$OH@gk1v?+#c z1SFnpA6A*l9a{=T15;vYX>VMn3b&1jM`0UGf^9-7)gILB=k##dV5QuWE<>a|a7E5f zKZbpI*)(__g|f~aX=~KXeEIy0Lr|d~mak#^nPeWTS?Uc}EX1xvC0!gnBhQw049F<_*h@3%)9C$(OqYPPu zlu%0~&(xpxAYsUwQo<7wR)#Gnqew6TSPfrBNg0(rwpB)OW^Jbg)IKpsdA4k7z9c&} z6o#6T_fto;#m?xKrwNa9HqmeVn-Ahbbp+ zK0SD2^GPum$#_)5^5}`p@+UfJ7=cIlOv7Tr51L8vF3;>wJmbVJ&(c|b;iTP_;YatO zi#_L%%qJKK?s*KeCd^5a{mq0{!`q+~_XkGBq}wl-WQi5A2Ik9ac`ChjnctCXE=Wwe z=EC%Z^DUn&_z@IMi0F_?^8@tTEAvg)C@1X+ivSY*D|`}jFUVm|spxydh0J)^kp|`} z9Z*rh)}wr%it`pfv8PN%F1V7!&;)1;%V&&BW(2lnD3;76nUBOEnQlpY>Jz&iEd7$7 z32`gR@?Mc_*AlD>zi2ZmNR2!gQ4PrvgG3z7^jIf3iSJ^>H2msGADay!fTpFh{T}uu z*j!mD+h;{Sd#HDeCAhU^2G{H4{f!lsx7@;)MZvYjD*%!E(4h|_)&WH{{@~Q{rg?^2 z?d#PBa3W_lm?FH-KtjvMj879ZC+#a{88k)XogUuLgauE7;nUr^m8raL;lTxJlpb6t zA>oW=d1@~ed?+86f}4x@xhViYVObEoxprWC)+9*&XI5s~Bg*nrdN)~~;<9ghH}UBJ z?vHb{-)(s(@tF;8?%n)HE%zfPC$YQIB#ihB_0n*D|C{;zfGSgNJ#4ZZ5kvUe-Z@q- zUqk(q^|S#a3<*JJf^$F#aC-?SsOECd_?v_@$KWXqzC%NUOCXT0z7A{%@HsjAR*6irD)4JOiSYsp&7haA*XJav zHF@b;P2f+5f%@q6p_vDiU2Qr<;#wc#`E4Eb#ePKa9%(x6U78sKk?<*MqV1=%ZqHt` zQGY_6A_E&8x*D=Vn{g?dD)F{tID_DRI6l5Uxb`MJHC?V+QN=B#ZueeLwSz-e@H>MS zfzU~FWlWyjO|4_NL0KHwQ%%%OybkkP0zcXIvI=h6!lGa6ftxhjCYx_Br)}?CV$&J< zVZ=L4Sc>aIYfXYbT+<=X7>@YdwceZPyn@Y6@N+ECBJpVW1|Pz22K(Bbhwg z63SWu4?(B<%?{}Nl zl(0M`#k3m}xWI=98MM)w$=zd!9vpTtEf0-qdu#rU0+;&}zgic^F|}91StpyY{BQKWu}R9kGBCXe8vB11wX+2<*6;?4{vg zYkj!X0SCx#enh_cW_{?Zaf59>2SVVH<6$Crpr;VvaB%<*y1@D*3Zx*AXyh|Z8SO2> zUAUh_^Aqp>9bKNB9FIF}Mn`)NYoVEJj(Z~@i|lixUw$B=Y_FTB%u?!8Lny#W3MRDn9Zi zokZ^TsbJX0s876mVB|tQu~LZXNjRDKv7;pD!p!jxQ!+ngBInF_xMMhp7(!X+hc(H4%qB)=hTYdIAP1eR)IZ>9e~|R1A~7%3cJuOV}O=E5ClGf zj{Yg8skSRLr9f2R<{PS=SZQ*h*+erUYanVy+@zT%v~zYwjL6xAgT^k5}K~2Z}jnnT5-Anu};BnB0h2h?*>;zq=U#&Dk_E4zD?pfAT6>62cNP z)h`d%KeSmYsj zA}c$Yj)!|eq;;*JWKJ(chLPpW$jJ<3r6PqdL`zACi~-q2pdq_7Ifq9aM#ta89o`)ur3@d1tpB;VOHzuP=67cA+)?JyYGf+=7RX2GszFtBaL zQIqT%Ksyw>ypZmb@huFzH&01y@MK=t+{x^v-j(L0zhZa9J6RMRZh~bo(FQzzxUmIg zHd+z$21P|#8}5T3K~^F(tJc zc5x7mqB*W3Ae~6~@k1nne92BTwDw~q@c>TY?%2tRl`(VR=_Ty^0Acb#S82xpnzPW^OjhW-mypIn zjfu=aNuhQSHG%D$qYM6okfLo)4Hb*&j8^BBSzEQ~Uq%3&j$%FL&sQOh8> zfQp!o2jbqxk15y=_J@}`{WJZ}7V8aEXAI|1)CwyGwEeJPU|lTFcHnIUZ^yY^kfGIa zOE72{@3sAAy?27LCtfFH0fM>oAmPPmq5Rw+dB9;Yr(U0I`)Iq3$`-jh zEfKbF$3STZdJ8b+=uJ^OV85a#8-D47=rZ1ems%K$&V7woan3} zw4LXWaWAU?R>Ne7H%)jS;BdhbGblmr0HHQEy#GLbwb_W64lhPXdiT5q69vV=1UUfV zYmx5H68J@r4xf0OSOH20ePs}v**!orL_AbRTn*>DH4?aNd_AxxrwL-_*UcbP06XB; z)?j-4sMi_T$qad@T3sK~sUl7k^BLL%f_ES8l$x$#z4S8GbRl`9~lT%LD4 z-^(})A>B$GU2W%HP;yx>k4LS6UK+V&5h{)HWG~yfq9@U}kZ0?iw4@wL@H>A3Y|q%Q zquc`GfL%fpz7Oe4n$N*i?moj>mYOX%3!PiLeF4Ow(2{i!O6^)^iQAw?>>?}f4a`eB zlz{NDu_6776HwUnxaxt3XtwADOA0heL#6U`N(ldD+1Q)Qd3 zv@$>{u-e^L7H&nWW`3tVTb$dM5fTzK)(MB?gq@% zqwzC40NX{lvbjD)eWsN-&01gS(f;7O#AXaf=EP(gY4u0~+oXxr>1Zv8`csf#X{Xxy zfcx_bN!uH5P^%cVn&1(fc$lO?sZ5`AZ)e;?O(iOn%x<6(h{=ySc1$RbrPJM;IR&+| zA~law^d$=>4%k+xqT=?@blv=~kRE3(K17xJFHyDa;}q zZpkVTj^~bA0RS5LM7jz4*=%60?&J~KWreEq|dTu zUTGtn`8z+@WozU7h+XtE69AEJcDElr{)t!9go`aVjHzPT8A%mx4=yj28e*BB7-(5Q z4Ctr}YaBPQasLLQ&UrA^9g8u6-*zkv!J@5!49*NK{q!dDEk5A}kcze02(KhiO1Jws zDRya0R(H25E=w$8OQYb%0p9i7dk5sujzC=K^smsd2|5ez)$9afDxsRb+II^mnvVAX z2CUgE@7id_=5oUn#Gh8pU=xNrm(crNe6ejiJR&0)qqsrlM!s1r69QfDWab$qz}zZjGV6(e3W9F32B~Y0z<(Zhq5dkEMS(e2hX{(ES*+p1gLg%gn`z9m!lV|1Cm#Ey~8aERBQZ0sR2M72Xek zj8FO{?99e4s%A!*gAM`B^KTd=lg^!ai4+jknA;^Z(HGgwnO7oRevHn%5{2OO!JT=j zB?>DP#f393K*2{Ca8kt0LcdUxNH-6-+b|{N%*&WbB ziOQiGjgF+Q7(Y7^>2ew24Iuv>Qeh{HDv4g1K_&?J&7aA+`dZGsd`58Q<&yAvq`T4^ znef=hh*Fp_h@5%354__DpTL}XMQNzj#8xJIw8YPfd7EVU^nr zX6KrQCrAUX4&$E!oq4$wq~XGu*Tya_3UeuCIkX`Ol#VI^@4O4kf?2PB_SiA{K1=qXCp?t z>9*P2c#xH@nFLBrI`4ui(cPCHYWgK9ry&KDL1L4=Pod!?JFE}cpR3Y7MP8TKP7)78jHy>cf&MnWT+c{ zc{b)hW6rxacJZ4QF$~>sWZLXoENoK@*$7BH8JJTj@7Pc%D&4M_CS+Xim`t~gh$mqi zOoDAfDizg-G*eXC99^mZDd$}qyGiF=knH?)1?OEXu{CODzWhfS=UrGs#(5WH3FloK zyL6xm8g^P1w8SXGF^=H8%YK0w%vp*}B`yn90MW;r9l9~_S>zc7c6G;Cr^$5b{>0@u zNsd}&4lvZLcy%Y2d+QRY~PTjJ=UujI308$|YcncH zjhuH;4apJ9Iq#w`lAOf1HDVfm^`wu@W;a38(%F6w`x0z$t(5JvBIjMyR#Ppp1h=-# z;Cj6V6U3k<%Po9a6kJ=p0?KjcT?7=d4k)7W2lrmrG|zCWeVum!PUO4`Q-t#_NN73l z@@azR5I3gXV2|%~6|u4FIYU_RG#EbJty`JO>lV(tphoGuixLvfyEb;sGnEDJyvwEF z<|5K*3cycT76flD5ZRtJ36lSrm6>+lwXrLmcWsc*I=J_sk+J7Q+Sf>2ARWN{agL`u ziO+0!V^`)YYdP;SISERZCSk;9m^|QrGv{4UB^c{KNF3s6^v=e}5|k`Q#Bk-d^RA1F zXIIXxu3ua@y>@DKab^A7>czpd+wUK_cyams(o#DcGI~3six{8F-k`OO0Yy}>P+oDs zz`lTK_XyET3e>b1>qwknUy9zgqLY`kUGw~2=0wrL*mtd%Ve}zJ&2qOEGNKkNz*Y(S zs?s@uK-%Za*spC7XT|KA&fJ62aFVB2Wj^+p$%Ft~GWL~Eh7Sf)*L5gHzcCt_ zED^^fW4Uk%W9}t<8VUO?smM=1pg>Do`C;xU9GI2Wz~=o2&!^Ii2`Q)9gXh)P@`9~Ui|+xl|97-_y1RLF}+X~`TbgYi6) z0ph4>z5uGzld;o$3Dk<`qJw#Aj?u+PeQx8Zv9DXv)O?fL1ujY%wE&yv0y4lsDtnu`grX;iit z8_(qi9*J~eDM6Rki9*cSBbzHLLX(edQP{cM@Z$jG?pNjFBVh#M5t%6nOY>TSFt-r@ zENK=Jz7j4knQ@3OkunhxnRc=Ak;|KlgfD3?XN*Q#rM&4#oD<2wyb(Dw5?_U4OybHU zOiDtQG%S(n=E&)p9$1H=Z$@+WV2$*qCjRTJ!HF+{RwlvhL?nwyay%ztg2J;p(ts$ zC7gnTKI)9Hg&W<}ePj#N5)?Fyk(g#vwdd2^SfY`PERQm% zFqQGy=7Ecie&4o0=O;e_W1g0F)>cn*k+?SZcvHWZERif15E3 z^7$?Eppau$Aqs+#k&r7QO@(}_Fc{*guo8^fP?X3;I26|nN$>{(6VVTjFlj@gP+7~I zh-c-OMaHzqeVj2c3fUPmBdvhD2jvr)G&%B>v<;737B?jFf(H#DXK}m~?MODfJkP0t zp^Py_axi$K@2gM9HJESJ&5Sqs)Rs(xIn+u{v@lW1Gf`b>X$C*TPVwQiXuWfI3PbTBDHD4&;#W#}{8Mp3P-)=cnqvY&xes4ZhA~ z9L%Leql!>kBs(l*bEO0;giWqy1EE^?9H zwVLIqcTysxVPwWzqB^$};$bKHMDMwn3fL~wv^kfkHgD7=iX|`PIs2lvJ386wc64K( z$lqa476fwYkjALD!Oa_fMRkGc^iFIb7Lig`BU|%=C$J)T3Jj`EJMQLa*y<%EqsE=Z zbQJB&uL>y~aY{>V$r}Q&`eSo3mz6LY6Is%9%x7@}vN+L+Pke=-*;ssc%)g7e$kzEj zhGn4=vKfPY=Vc1UKU+p-(PwF1ZtTj0#KWgGZFUxF9>DV;qyvn>L?&pVtg{A-%I=}w zAT~!6UquC?<(xK63l-eQ4b-A!Q?qLrmvLYfGh?;z8KknqR`dnBNr|OEb9!-IQCJ?s3gk6RTG>zA#v0av-RmX^d%(bjF|G8V9`4S0XUShNbddklV7?_(AFCZ^6vtz@njC{`Ij(wfv z^HH}WX3jS`v@ER};}kGkD56}x99s+Vt}$qlSsv?;$tNZ)SGk!me=}>gWK;w#^MsZi zTBPxC$mT|StQkqh4#oH9+if#GUoE(u??5oNF77w51CS-G0D2^82*{EX=728OUQv6aK$(uDgRv!37!qNz zvWA)q?G~jn$x^c6yD4ol=o%mm2VJV2Zlax5pTj2G=0XEgLXgdMrw~KJFg3ZPj4W%~Y2%~Wpo*-IrMstNiv{6=qd@r``C>e3p z%q?N%hc%1^!2lo?e>4EL3kXu5sKcyGjI|K%ba*izcQn%!pPvOvMJJUlHZN^t8ru8t zNTnhd9;<<`5&SRS^F^bHRubT?DIK*`R1@NmQvW^ivHcg>*ga2%S_Q%=hAn3bp$!p_ zX386oi)qTsWZfl3jTysTej>gpt4f%BM6+ovH-N{5OBC`AB*w&+3NEEX?Jf)BWCb|| zhX5Qlp>HGaJ;pgY3g3E{PQHwD5~G$09=SrXOgz-60EVBi9+9KQ()Y&h7Kn#I5CcsG zgeC9(<#Hvm(NcMHSTi&U~teQeRQfyqW7Xm~l={vla!sDil8XHx>bkuTxQx&vbgA&-c+n%7J zII>aIq%fw_gWY89CT6J%q3<`9wvdP~8@0h4%iE`4A7wTw@0?=`xzo&*)wQ=fK^f3l z6L&VMQ1Hsc2#b7*drHyFQzg;fg+-!`fgsxrnAI~0fz5ORjb`i-7h?m2I;x&5V@nH%-n`)WlHWyEM--WrY*{|3PJKjMmVp*;f+8D3H59C6ubgQd&2@73nlBUH3M05gP>TdsqLdAN5mm=x z-$prZmy&Wx@?g_ecTh|WK(r(|bu-_ZZ6&xj%V=+_I1>&ga)8HClw8&sp4Iwp(u$bN zzNAb}D`iJ0+nfu`kt~&MW9Y`UCTJI@JQF5_+4a)LBGzu}6qb+08z7>Hyewlx zXPGGOqgd1J=)C^(f*8H*n;Zqq#Oq~W_H$8tTV+zQds!h^bsCjIBUZb(QI23%127-n z!j(r~5j#0qA|_qQLW#(}tkqz{xKGgD{hN`F@*6->v3_N)jQA__T-;xoYNNIoFYYqS zx^|Be6AFS%JmBzQGAeM$Zp8*>S!#q}Rt|j1b<=TzTZMQ;D;6!dRW6Ph>0;TzA`a3E@FB76ZKV^~y+ zAs&*EhGnUAykS|U9d%gb+sEI`HVO7Uwk{okSbUp{Lo5nG*V~E)1h5$}ItdL9#UQ3P ztv(B*o6^D9S5sO0>*t7><)IyZPm+1+uBPF*qj+pA5 zR=29L9?u1;IS^Q{2e8PkR*5uB7)?(U76%qleLKRj|B#40i2O3nG0XPRj%6Ag6cWb- zF8iRpekYE6%qu}<4k~(}U+wtEvY-|PS(I!Cis2$CHc3Q8=HD)KvT>1lv4qqv78_tB zip1OzN|`WSd=fFS9WR-KYY}O9IV2@MC`<$)Bgu$W1Pw4==noc0Ss?QG%ixS97fo4w zla8s(i)fLRMY%Y>vdjcw2OlQ5D9bVv9vjE8mU#g!lnyVK6{uiTm6$rb3U?$68Zr@C zM;1**V&)~xH8ouilXIMSrcvR5W)()06fF`vCW4BjBQ$%+e4OS`1cNdA2MR>#!B>Tg z)+~$hn9VY$6}dT)ZR0ny9Ee;Yqd12=cz?slJ0}=;=M>(H+lbEMLmAguWUaLol31T4 z(=nRJjZVVh1`KZ)S-fWf+lu;}$kh%90VOJhA`OoKov2qF8NyvWNEe}2UIxixrWil7 zi}PBjDMW@&G$pC|2;Y)~0ZU&h>sfxRiH1jXO2lZ^fJ`y$s?c4+HBdTwG^=YG#gJ}i ziS;5iKzPrTj3+H>abct5sM5(oAZjuBOsw5@plFIP9ja*;aN&^kGA1apR)(T6ivnir z!3_wHJgt>THYKX%^tD7&qB89gabW4zsKf=zBSL%qFl3b zpqk~euH&4=DB`ux=O=7f#*%i3%tZ9-WGyTPb}~Oi!cJz(c-Z+OAu4vd43CYSEWsjV zhx|;OY*t{fHQmO?1@NxQMazzI+v1g246K^nJ!1G+ILcsHr*lg{{-~O|7{O^#>qJW3QF`0cyeJ{VDGqiq;UB)yMJ?WbZxwFSq|wS zH{}h#RWVcl=nz(F`EljuKtZ{P6c(w5$aDu_h zAz$GYw#tdyUv9z;=Pjzp5im!ZIH{xp&Zwe256I;bamRVrlhMaz0TF}TXGO0KdA}&j zn8pZF6rz%|S};&K5LEGfJ3@K*pdF`NbE+0AdNND6%$24lp&uH!WLh^ zZ1zyj`N(UvCDMFH!y;eQe9JMYqd3w!}$bpNhO2#kG)tP+h5LJjrG8=h0SB*clC0iDUL62)`#hX_Ow6z7cwd+G@ zM06H}tjll^j|RT4YlF<{Au`3+2a8D`n#W_cx6I;l@#)i_?>oyJ%N5>du2Y}nriz!% zPnay_l{xXa%VLR%i6YsvA%R=K#7IJ_J!kXtBW+|9HuywQBFOUafaEG@%)p66Z@QP0 z`lxWCP^-e&_QTPTHal}UR-nKF(gNER5Zg?UW4POeVD$Ee7v(BR3Nh+EDG6YpdIP!T zFpt{A$BEwWinFMcCN`R}xn$-aVd7Z`JfO;Bgrkg;S@6s@$3yZ!UtADJc1n0WlR7)If9Tc91>y$e99r; zdcJFYN2hX_!Wnr<5yx`)3S=gqC;NMTfG1A1JNDtXR_0o`2KNfE7ID7j_qb9);BT~1A7Jj684&8?6>+s}wg!uz70W_|}{4kr`w$pZz4njWjR2$qj zi$X1@?TK7jQE=LxC<+Jow$paC-2JLte3Wq74u~zM?Ud$y<^`I8>G(#M&T=i6>@L^) z`%9I`J8g&0G1EPLaW-w346GF7D3HcLv9Sk><-S?7$nNVy5j+&EZ0}8aP!fDm!<&>~ zF~CYiPTNCH?Y{(XLQOyz(KhoCb#X{e5j=gwPtcjWIUw<5 zv^+H)A6O$Jr|t0dK2F=Agn9G{l!+OC+vJ4Pc9WBJ+HSJZmQRp6Ob&Z9+Ei2=|1 zMvulwjcO0Ae6Jf)?6n%Mgg@y)o%FpKoIp55dgS2L<Toz2r|mvFcG~VTa!%V_e$r{X&y-HveR9ibdz6FsTiz83 z%eyR{w!0jVjgYc4t!2n*y94xj3D2r6P)kt6s-r0|o2tFGjC-cwwB4a0-%L1d-`J(4 zY77^wG{#9L<)V78H-P7de2Kt2sib>$tkJze3-W?X4Ro39eDi@>zkza^)MzW3M6+)g z(~BAgZ{@s%!Ir6Uu8kXl)RhL%-zGp4)9%?JBkP`><(ZKWBG$&P7q48eg?o0EPy2}t zi2u-NPK1UMgevKtoz>$zEn0C6UqrYy%7z2_52jV^W}{w#T&MC;C1>hJ5}nY%@ruxR zU2)I8u}fb^Q>nUVx1W$uZeRDZi9!=}om*lF$q)Hf$+>6W*aa(BTpbDb?39;x&raFY z+}J()#_j>!vx`D$_w1sGr3-w9g4Lfp#qjNCa;FV>7{l!j^okG3V#Yl?piayxM3FD) zo_%9C<(?f<6YkkfDy#(Vp4}&M%7f~w)(*u)pi-K9cC0Mpp50{Smxbz{ePdUghAiu5 zn-+{q^fj3(;QWj7iG*_Z_L^NZ4>0o-UQ$CNa_-qTcDZwPFJjOTa%RR$(T-&Misw1k zT2O|&XW!VxL!YlcA;Dn2b?3$88lT#dUNDDR$%z&wO35XvD=oL+XV@t|oHosiCQ(H# z_w1&JEfy2pvzr2rS@KPUP&VDVNsPdFCI}hvw{F7Y=BHe`npUVzg-sDhDwu46?KH`@ znfW}tRADQGzN8Be-p0Ip_KjU4IPBg_ROe4yr_gbXm^Po)nhCy6d?{dXjtDcmRl zWp2t@NLkGvMKnY_jH_-4}X5Ck!T9nI5xiVX=KE7wKKA zS&n)qB|`eF<(}O(#w~?-*m36@HK90bQ(c;Sc3bU!?%8dzq}x``z6j6J$yT=^gH+kM zP6R^Q{xoqMW7ON=?&qG}_988|N2HY1$kx2z39Ja7_qaSqS>_Pf>Ix;JiA~EryKP^7 zRYU}mi8ln;c65X5HEKZGJ^RLPWH7}U2xX<*v%^1>mK;g4@QS5Cb9!-((l9~{cp+_MvK#yvaFOUoQkeak&NePzxAe01%sf^;K%nrf^-x;zDtvW^wWUg&N{&TlH z^Cc3(yu@e=^pu|!FfcbKUO-;bJv$ArGV;26cKSNW=c8^%%sg7hX&%d|1T;TgD56}x z99s+GDB=qw-Lq4F3=lDCxysFi<=nH=x0Z`X-{B!E!^5FHZTIX{Rg$qo@%{OB&OJL+ zdocIxP%!D99n*&+C)zT?yOwd!4j-7D1Wnf5vv2Hrjvclt8&sd`c3CQ~jhS%I4oE5Y z?3A2!&%Uv1p0Y1Q?%7>Bk`6XHrZ6PJVr30AhBqxrWs;?2!*`SBo_%9C<(_?G*WR=f z?X>zFM%ipGG%zIu*<5!DF@%rX_WSCkvwz0*>`p8e{=r7ciS48X4{6X{thK9Mp{U`T#uIaHqgmL=ajn0EX9i_7PimM*T} zbAI_X7Z*;hpFBdTH$l$JZlr&1IeN$OV>jP&^R2g=-|oLR+dq!pe$4*$hKDX)cf*nA zyz|!AKj^w6M;?5H{<-d^ZgXk2^_(^H^T?4`!5?pNKkWbSJo3o9Zt8Wx^TBg&by<&v zKi&!d{=QAP0sepIk(=LP%N@7LM;;1)yc_;?@#uu!<@W!RZ<=2>O`QL}bPy7%oICA6x^w%Td zzYnCpJjRhbH{m)N+WGd*b=SS;Jq`@Z<3HH2>yNnZ-g)E*HFeviP{$DE2A6Ua%Rs^r zU*=dy!Stu&f9yY4`;j9j>@WP^^+%TBzZWkqo?SV&x_)ut^xCP_#g+AQs~4%okV8wL zm3<_$KpyHldcYNO>ruCKaD`k?E97m|Fl^qDyS=icRSZT{K%bPYHw}q+FqQ%w_xXTa|T=p0sr*K z;jaVk0zaWQ$~NGBe}`?uLeqhZnxxBF){3J6JN$LPRvgca#EYO6A9TGL3Fatc1@2?< zPR=+W13}>a_y3q<7*YR`c-?S=K_(w}_+EK!7s33)u@Nh1H2-n;evpT*;u zS$qLtUKgQSw|Xl>5MJPIFdVz?Kd#o>>n*PBrG>Sfty;4uGGqL5=)BP>W_gr0tQxE1HzqGcyM+?d7rC()0OD=;gyKE~qi!KsCgd3a9#=3Eo0^ zm?OnKJ$fRIh~mq`5fRRBcY&qd6{3T6qk1$$eNhsAZ#Z!w7M&GYhkVx#x=u0@!s7ws z5gg<6wF(rCKfe!0F-F4H(C$!}_OHLql=WVTJ+ zZc*gar#VD;6f-YAd`ww6Pe;6^?$`u?#ETb&KPY@gn!>Z} zvlt#lVL%(?1{}h7XMOXYDggVx4ocfIv-upreYV9#(|K|&3gc?McGk^nW^7*wn9pID zZfw0>u8D2pyI4NTnxyyK1oG)?04WYv9{ix=tL)C_B@p8-mf~rW!t)&-zHB&&_L&1P z&vc{gmJ?^5rRbVo?FAMcI5uof>zKdpysV7v3lnJOhTQk5T$)xSgBJxnI<@DhxAtO-itix62k6e}0Wi#FVGk^)dYe`B@3^~2i!^#K1=N>VR3t;0Wh7Zl zai5Q7(4Pe8FJw`xqfU3G=^|cc@vPbdOzZHGExc*D3;qDy z8r{E2O~w86CIJzzdn&Bh_qAAOFF7Re%gMmzxjSCrvB2F%8m_o+n#B8lIETv+L@42^ z!}lxn^?>_d8_ib+MCShE{$m}_&>B2RysCvI{BEEh$pAdpalNyJ9Q>37NdMOX$5rE? zCo_n$$Kd5UpfZMKO*kI_B3nEIQ*P90^tQQL`&r zlDNsY?E%{Vb?Ldt`b_fw;?s}2wSPc1sXQ~}KYb-=!9 zv|x>6nYSEOX9?|`v~IDu11;Z|;$3kxGh>f~89VQgh7){u8bFHasKzhuWhmxGlD*#- zm)yPqbC|IU7FBo;^8n>5QPbtVj$v_^WC70qb-xr0E_#kafB_77&~FCz|`zgw*{v6>{x+zOu2jSakQ4Z$N=j9Iw*ZnPMmM#n9>EM zhnX*zy&@2;U&{(CO=jr}tl%s&!1=!pI+hA;*-4XF-Nv481RxBx>=5<$ej~` zX8fP=u6fu4u1`%)nhGrPDFyCaJwo{FfLI!Lm~kvL?c*+D17!JFX6Q9qzFoDLv+)>S zgseB0>h4f8H*aXQxNDFS=C)P)PoXW>7$O?KJFmH6DE(gtojnC@&!I)0cs)k(TG6DW zH+eL0uS>q$xLUwt9<*N>-2-ZiKA0l~H93cy>x%pkj%TFzFmmCq1NKa_$oWu?WIR6j zfh(66G_CQ6aU@-}QaqNL?C@re>)nx5?Y9gqLA%QjcW768o8&!9ICc(0>;F3F94cp% zkFc1LvuF=-Kju;4=pSj(+8(F_p#STDz0=-*d{l&I{0Rwzrtfz;&d_ zXCH47Bj@8DqI{QVGSep*G@#vJs+(A{9`>L;%jjRws`3*ZR`8PUt1s`Brp5Xsi-bnV z()D@(^nV?&XPRE{EetQ^&fQ~`@5ap9#8-Tu%ur*N=n)UvyUe_yZv0aij=bbMJiXbc zGEDL^Vp^rIRDoH=TFlce2ziW0wZ|1 z`$1DPydU2~er^jnindULtL%}_YvEd@MU@U+yI1;riwF-MdYwLmBx7MALMQ!S2b@(+ z6Z-`mu@!2kZFLyX0 za!EyxH2V1!0SO*HB*URpAZzEtw+3WKPhz31cuX}a_LTu|p0Y(|7Ew<8Dub8~22(St z3g%Y_%=KnxG#q!vd-guQ>RftEu|WG8hnWsrQ_)k+{`qV3sLq*t9Y@U20rVvEbsoDF zU#FtC+HU!Ji`WX+ZP}8TlLA$V3-vWO9uHep4IId7A}X zida-J#+sD#%?26cVfe9~i|tHCONMtQ-x4r=Xr<6S|JMQezox(a)(B}1b~72ehaB_U z0vat(p^hr&Bg)?Y_JAa9X86@wIiez&en&u@m&Huxe1Te&?+j?T@9Jo1Mw^LuGv6g} zy!}emC~B5f-yQHmq%ObU@5k9t;fQYwSgjkAqx=e^c%5jv%kK%O_C;^qdqB3YQ5(^>2TW&iQMVtIUH<(X%h_Ahp(*FjA7E$+Ym2H`)OO(y z23)7M;N}m-`$5xs|4@u&mnaAH3+JF5FGD#|d-;weUabcV?Tr1y4AIz<@QEw#n23RpE?3>9EsL6a#4SSZn*_rz|QD%^0BkUk4mp zjZ6KsK_a&vt#FSX=zd5W8QB;03_rs#-L1EeAz6c|(1UkIn9gAd7j8WCLB~~DH$Thp z$PCNe(7Irk9_oIKtU}R$PN2#NngP=Pb;uue(9gFKMT9JmRlX~g74$BS>Yj0! ztFS}U8vQ~F(;k0?*?c)A$c!((`}swN8e)>(|54RsonPWuF3xFyD(;tNrS;1UD;Yes z23Ogazrt`CpLP*h4+-^G)2Qa;&lN?*W2|xPUrVEgGr15>eAf?36_io_^)xaCITWDf z{mq<6&st(Rh6y%V}?hA|b{9ZGqa3 z@LPeJ(F3Br&5K)4p3;#eYFv_~o5g9^p@V}_RuK^S7CPIzveU)8R=WrO+ZHZ`imf`OX=j+fV|X^aY!yY) z>vPsn(YFy@@ zI3^6}PQ%vf9L`MIdi`gQJ!?*mHs>S5E0p(N4Bl#|HvwRBMn1R^_Qk(TBxh420R5IcD9=>z{v+V6HuufI z6Ym1VgOx*BjHjGN{xjf7doaPKOA)nw_+Jij3nD7Q>ymA7)Y4sV#ydUq2~UUlDjJ|! zzx}tv28U0R2F^nM!oB7;Oq25dM;v+s zu~1w*t{RnjU<-HDZx3+s`pk?kM*Vs(he#abaOd(t0?W*%>t7w6(e5rE>`*7o)R^q? z#acR+n!UtB7!rHCBf3_Kr|tNMdc5gyJdYip*%9am>R}!W#9yadsp7Vp-O$51nw5EL zX6_cmB-ovU-8&lx=mT8=(K;Go%6m92>)!@o~JI@^r5nl3PdiG-Ug)q14G zYc?T(j15*ul%!79&CD4}E01!B)4AT)E2rE?3&gqH)+@67V>}u@t8A{>h;~AFD5WHt zCG}%HUduM1Zk1*z3cmk)9K$5b0Dt_OgCwtv?c-xy2$0hO$5S=*MH|~E#CUVEN6>iQ z6FsKAqZgu5>B`Z3b3Q2`(G7joC}!jo^wRufi38gnBh8o~#Fbugm9_E|k9tpUYn!A8 zGQ;PLuXHput>{w)9!f|{!`(D&F$LFd=AY(qnP!Vf!CY>tGA9YNy?S~Ic@8=?P22yB z6lSnOsM;%(>SRU%TfBD^3i0d|s+AoD zXn9{VQXSd>JST}t77qfnxTlI1~Z0?n%^H+$(Gui#Fqrb zz2vPb7gNf|II}k~#_vn_L5|f&#p_t1fHy_hjF;D*{uB!MvIunrpBxyw;;Q-8bmKQi zm~@9*HK*Esy~U#$cH*N<&cS+G(;eR$aOrVMomH=Pt9qM6n%ljxroB4qG0#I-nYE_r z*2(djKIxdpn$HcjMthD2ti!k~R&*36EV2!ZX*{EdK`o^=T14I3En07D(CI_CGGt^B zY7 zs-9(ZFsRjig+NOvTFd*Uob}$%q7h4`)1`G9CPlk)%nU!qH-)b>nEsYH9P>E4DBTy@ zEx@ZHL^p?3c#8CTXM{J8S=6}FNryL?p2RqB!fABz+-dvnE{imV`%LR>fghBMv9z=K zDUUUn^ud|{RS+wk>9#aQD_tiV1zRwPCd}^wyqbid$yNJ2v-9x2_B6*rjROZN9!G7? z&O}Hc@A8E|SFF1Omi6;gX*r-sx%Y4^Y437q=cYx63C0-GPYxf_;x(D+CEiiJ+92NB zg;2iaz*$UQDU!C|USp7~&_K)}vBl?!xFir^6U@beM>{v16^QOtgAt8Dol$28nwdq^ zNi7RpDUem&IVv}D=K|&&wHX?pT?vR;C3)%k(e6}UYw^ZC!yPIkl_=V_)d=Zs;6uP1 z4(&E|jp1cY2a74UcHUfPh?1CA?h55}blzaTzSs1-{sb?Cm*Ulu(Z!%$&Ao`Wa{1bs z9!l}e<=!Fk!3!2^(K{He!NePkz7BaDHxO-g+CO;- zo)WFTuCqC<8%OQN?fpF#ndmp`!?mV=d9?xA6C}a41*xzrU74Ci`3E@U&HHBXRDGqn z1Q*~}#6~FI>zY2~10^2nmS$rR=&x;pH+AT%5HX68wR@-!N+YjrcgCP>s*#~IE9HwG z6=o7n5+^t5|6tf^Z8_xB7WY`w$-H4dY&1KnJ40n?9^TPka_A7ceRC5cke=-KK^Y7` znp)J14g>8-HuI>lvb}t)GZGKJJ?v(1jeLiFuGH5m5?&KyFEoQ*VxWuZM&|u0zO%lZ z#f*o!6jh^>TWQqHAeSO*mMz;H877m9>!mo_NvOwh(EfdWXn0TEeW$W|-pCNA!=3dZ zdYf49Tmltp6(`rI;uVew_qms5hBAik*2Rp|q|H9Vo^^XuOPp|rR_Q@B%Zr^HCTpOFY1(yGFaq9tFJB=5m|I@`)|R z&FGWye)qnBdvCLecGqy2u+QY~=?uD{5v`IeG=0K2V2^>jE)MMD@5I(EpW6(lLu=cK z$9?0BtnQ41w@RL_QT?ey1OZ|bWvD?n9B$Tna8p<_znXMBi;&HniYYB0Tjf-GHO6Z? zqdF?ANyNJjZ7}Jb0x@`fcz)2^9CpE3U#Cv{tnJln40R1?|6t4Gu0b>mamXs(tC@9+ z655`EOU;l2T|TdhEc_;iJ;HmulatL}?@e&VGq6?kU*mKiEKu?O;&i`3Ujm2N(+?4t zZhq&{Q_XY2hYD1?iWTtEb*1g14@+SuC$|(;J4e4cp!Rz}6hTtFw;A^?_t4sAIJ)yF z7f_4WvUaEQ;S70i4tfzy8vckD*7EQShFzPfXy>M^~ne?k71^l7kjuw{L;$E)KxOy*!@LQ{4h9=Pe!&{33&) z)Vc9!yEACIr{F>f=y~4?^AIp2xaPVao?0^U5X$kN%v-=?2Jr=4+-J>B^HUrm5*nbc zNObD@r}3#zZ#*OuNQ`a}`#oA}2@Xq&# zgDtr|=Gn*3l$ch0tn6ckj-xj7vm~AnAS-*R-0XffL&YP!4MHkZU&W)U@cYkUc%X1Q zHQu}}3h!2mrk(RXSE4~oNw`NN<-|Q55a7gQ7UO1kKk8&YPvXL}K)82-gJpN2-(Lo| z8yC+X9`@&Z>;YWlHDu&**WMKF^X!sZmP*FrekcCrb$45EzJp24b64`WgedzmM$6YiH_7_LUy{@0*xlpSU8M<*4R`{1l zY|z-xro+VnScUYa(VH5f(k>qPjP!uolrNQSAby}sdbu2-*e`yW#~$r1!D|7*YKxIH zy~3AANT7KPVF*r+$DP`UP8kUiZ!*7vVY^vfXeOKE-Ut-Ub$!+>df&=%VQ>YZE+1WG z4Sl6VN(^q@-H0X~eig@_haN7&kpr6|W!dmg(yx@&KLC?rt_icW;Dw{CbJ!uSsiWQPc5#gTO=ICiui`HbGB* z^eCRQ)$);5R_r$lWafodkeyO~qMe|=Ng&bzN-UgGENxuBSzy^087rMJ2#4^18jhq@ zx>HT3@+|_H!rG9rvz7e$LYnJ*eyhOE9rour#@{9o=gq$~o$}foz80pV z6vj$L8po9GS&d4(y@hOF%8AYvBPuKE`yC=!O$>KVt@!ieA?gHvz++CqVtR}h6rc_u z0!5GH>*#~VV}H;hFEq=;@lK}?3K-64EA_tGneB%>GH7BmHn*J77SFLFA^xz(zBJnc z&C_6t!#ok@)Wvv;M(;;F9-3{e3<0o~$0#fKM+KT$MsvYbB+(yZm^&k;C9RSUHGTJw zw-C>aJ6mKnQKgyHxam)LO!9rVJi;Sem2|K9xco_v1}>H>d8qbA>Zb$_8UWVpJ5AU8 z(-H~jD>2NuoY1s;`=1fG(cPVxz|vi>am{xMRBO|7cQXL}-=?wts~YEw=Ix~*hyCn+ z$S1G%#Uz)@WD2$WIf1@BTm#?M(uH>EC~G#mKQGYSnaPG>;SVRv`x^%MX2U^ zj95zLc*<@2F9^Iy`l_Qq8Qms&n)pS5YV0P&@vOX$%IV>k+Gz7QJ!JL?`Z4_F3?i6& z^Q~FlOJ(K!ipLx`CL{trr>YQomL8IJ0i? zuIzU_E=cDPo}^hAPS6?`Z==`uMtCF5q06a)V%hM!4!hr9v!0+92QcPaC`wnIOSIe3 z-*c#g$vxnjmpV$WBEjrnjK8EZuDr*Y(MDa-?>p>aGeIr+>1z-lW>P!GCo8T#HF-L!~7GExjWc|$UjyuSp8l?yEFLHH0E5a z474-ppE=yw&S=#>)2^da8g2e_k2WHEb~m)CZWhm|A~pSm#XY?AwE1a{v=#L?9hHN>TJgf zb9nbOsXXZ@GR;3Q#AXZz4)fD}WGDr`ru|0^wOa3SA~V9r0QsLZ!i zj&doj_-CyZ7kbm};cQA88F1zg=8+0%9uJ*doBe2q5Yr6OABJ8uBt=^^u73O`#J=U~f*IQILzq>HfVt9*t znBk_VrMRJmm3UH9+`AK*+ml-X@c|wYopD4~nxOc{o~tFr+_ z8>|{t?Jo483~#A3nc@r8U5FeGuyc6Nter0(#*rZm^mGl5dGG*#6P}90)C%#XbQftl zsE2c0cxnToy?tl7$W)4{>4M&yVV(uWac3)XfmObSGEx)1e0T&$1NE^ou*J9|-4odZ(akbo(;*RA+O$5?5QZk8`+aWj8%F8;`-i3kt>H z(i&CpVtC7YtnjnP3uH$XDt(G6cu#P6IF+DNo5v|bdqeX?hBpttPuf}gNgS)*=Tk-s zd^*t9Co`mT%}!zvi}zsW!$U(eP`cjU9ZqjEcez#4 zo#u7(Mvn<@8ly|&(y`QTPM^tf;AoU^)61u^d|Z{4^Q?eQnF5S-asVweo zW+u^!@7W9yG?$14XTJ->@s&03UIA}qzzdr=_!jq9d*$#Pj!t1EoYfh7-74Tq`>t7R zK9`{zX6be3pvI{gaqYJ4c`a0Mv@M8HX&<%K{QQ8n(Ah*+G8AT!4{z0u)o!a_5U}?% zOf6qk8SVIsU`@YJ#jU*w(6q@f3dmq64yG-2uLm>x7Im#JW=OMse{OainilXS0rT$h za5hRUCTm-09(RTWdzh`-kvI zwvIw8C#hRlJB)h648Rf%keG^c3X++9)bigNaF@aM0>UoPJ1G%1m6OfVvDfaIxJ%%G#bc{!Lf$VR z+I?F|B@`Lwl@<$qgvoPs-5r7^v%bn=E_Ok8MlN*0q0;scyeaL)N{ixg)%NS14tEFi z>HZjk0q*zKhv?*^^4>%{k(}h%%jmJN+B<8=>1lsdYhaMbf{%-CsE@e0zUzk59%Nb%E@ zvb0X()pYO|_QS@_Bj8J^mUdQqokyP@KkD7!Se{#ls?6`}11kD{+xEJbhwSD`>JnkXx+bayUy>Dx7Dz!20=TQ%J-|lF*wL3`Jw}U(` zpjM5t!s&+&b<(o#qJ+cKDU3Wa+{i98=us9epTJ_IN{gZBYwq)i{47nc)ax*nGwnE! ziRS^{)nbW8qZAX5i-Wqap(yJzO_o&RUG7tleFSwg~Umu35+`+Mwx0 zu31d}N)33s6ibWO&+&|21g+@yQiyP8v<+Uwdz)+9y~|O6yJB=rL-M8sdg_5(@w{ew zjP^$#oWNX$-3mS=`4OwUp9)R-kOU@;?NU=cz8XjW&>Ze+Z)-c6*y1r(IO~U{aA%jM z5Ol9Hj-j@i-kd;9DM*TYsz~7*S4hiCOQy5I)WttO*VpN45eM~^T z5?Orkjuz7+&D!&0877%sR3T|Mt{>--wxZaZ+|Z+VJQZ5|@g8w_Wj4aQy2U|ovM5-0 z@tA7&XP+Q&Q=0Ia6{PX-PuveVHXJVQw?=h8$)ca_Tp?qD)dpS0f#KnT6hn*WSdn_) z;xR||U~#rHxl+f!wOfu)4tS3AkxA`3IHohvYy?p%9$)P}|ED-?@O_^OlUX{h$1{BU zX5cHI>ab@0X%D;rg0lvp@3#?N#3m}m*UnI%#_{8jgPdR#kFX{seR>wP{fMNrx7w=u z42!$m>@E%_Q;fdsR+kMNA;LJ6_gT?Gd}hFQm^M7PiQ8RiZK&|O&uSyPFd21RNRiS$ zJBJB&Bf=ei@fe@T?53B)Zu*=YDju4xBQ*#vNf8fm@}*PF(v_y!27az<$zepX$k1u@ zHuiZA*Sqfolfd9Mw(?x7`8@u7k8J2O;hJX3w9F3&#WSf7hdCUX*MwE; zRMQE6wL=;=mwVTo^-ay)jV7OdjX)Eku{`V)&!Bb!_*#!ToPxnQ9oYHQm99=r+wye| z3ye?NQ&)pcap?B5Qv$M`ef0)zIDL*K3;kPGR zKtW5-QwMil9X*`~iT>#+L!qfrYe=312uuF=vT^Jw5ec9IZ`csI+}twPm)Tq1+}BIL}%V5uBW*(X0C z@sa^(O4qGM)qc|B?Z8nHmyHy6OR+Rx2|vZKt~U3=!E^{a)01vvDkZmQ`PeE_$4`6w zNi$uY_CdBCOiZ+@N`0qxYW2bg$6_2NYw*Z29%F+ z<{W`OY=1W3o*w)^;{Ke)1xh#^bSG;)xE;CWjuSVp4=LdHq4oFYleo9f1y|Fy{({Ht zUv~HB@KWOvgkOV*9BT`=R%s(OlVpvnq zUtfYzow$<<_bA6zF~u#=WV2rmEtrE}WbIYtuLLCPuV%lFmQpJ1^!uv}U0TD<=LNS$ zn}3aAx4k0PtYZ!J*ITGe%~!W?l~?1x5l|1sJEC^a`I`Zob=7G!P>{yXhcj{3rC4MJhGEGCh9#xagf0toWtkXW&fe#1%1R_*+#S~Jz%l*B8 zJV&YOL`H%{eeLh(5W(Msv+F{i#O`l#{3`CdMm7H+wB&I7yD6*e53hglk&7Td!%eo; z6faJkAv1GyUEW`Xdi_!8@Bh1xw?Agshvwr=8Sg)7=rj3opmd!c&FF<5 z5Bu?N9nz@Z*%NG~7$vjop8_a<=TLA17zaCC2rl0Nie~NaJ=Pe!>>}4hkN%ZAF4H%p zX#e2wW|zF1L-G$5KY}UmWoF)P1k`^_pduhwNR-Z?X1nuG0dEQcLvpI`@;+vGGsblL zXNj3sf0rXFb_)OE5Xn_BYIxR%pqDjoaO%cZ>F2*%RKz>eYx>>EJhV&Nx#`~+;`;D( zAHoYa-2h+LQ-wSIyTFZgY67-=UKQN`P;hU*xe`~I+5Z%{nE@{Esq!B0zZ@bwaBR@$ z=_S0^h#&42QwD|p{dWqH;;mQ5G*eLjCxr_7v*~y!*;w)DYWwEhDb&-0*$zc;sna)T z)c1c=xMzBU+V|L+)bpMcCS6i-)?K`k6wStw8%%^$vJG-;7yUrj-Zv@~|GE?=NO-+2 zKEtl*skV-;_o#c|S4$5rUpm5?j{UtX?)kxXXVC4lOER$kg?3bG_cKx%zQ1_jKFDII z=elPf1Zpo36LumjtW4 z1sS^q^w#&#bPE+a0FCcFHH|$FdYqA_o(6OMG>?jh z0zAco08{mTMAQ8~-J?O|i)tF8+2}okBU#!}qd(NFPM&G8=xBu($DAzX?XZP!09LKDHi>RxqZ zC_KJddwztPH*_qWLrv530*Bg+dzbfYcqp{FsH8ZWP5TQi=7moG3ca)hs?!_Pozb*) z`XYu$@*gKUA8@<>efdN<}ULn<;jkMmq#A0qVV-rZMs&|^*;!7El^~Y0%rCH;eI3?p7XZ!*@r2Y+(M$d2c$Wx=ae@(Mjw?i~PUAF}^uRC9xT|&&d`BW&u z(SV8W!Pc9d(Qw=u?;&UvKhAKFrve8#7BJ6&ONaXYDJRh50gIlolaT_=B4?1rJ0zp= zx)FMJA|QgnmdC4`!Hg7+F92?Lc;^TBC}^&GL(@9l;cyZ4%y6s$myWMS4PI_>uZ459 z_d+rUU8W+xzOO^}=h!^(JbU~Khbu%at5~Sl-YPwQzYH=CKnz^kW9^RZm52*M9&8}6 zkne)e*5QEs2iEN(g-*N*5jS?xwb}?V2f$iZhT~}+wbxFWcLv1C7F3edI})g)?O>xogilZa-cnscSm#yKRfQ zU36trd5Tk{n|nMC-W*VPC}BubI^WvvT69=%gu5+zaRDY$SDHZ`)zVHKujYs=hR6hph4J?pUGx(Sp< zU`qneg7<*g-#2R(r8DhfTuoQLEOF6lcx8KU(gS!5y9+^Zt29>`xdJ_doQsfWy>1k8 zw|JLib|h-7RwUZJz43I`>08afq1^?))}oFZ2nsub;CQf8ChObH8pIwE1fhIRGb4-k z1*;ZyGU;s%tU_>o`0C*$`+|XQnBpS%KAZAZKktvq$(@!rzSnEJ3M%I z++QR&ePU2c`=;rW&T}kt&B2GUykD8~_>*BA@3mOqcVT?`DtHF1JB4Rv>~Vl}!66MN z(x9ujKN`Py9YZlokcpjD^hKMo*IU%#&IsaJz;S;f7DssxGdm7x*#^TJgIzSR-&)F< zk*hE^%KHa2c=y-vlS&nT(nj+G0_GUJy2PrX;?dOh^#?kva00736=@RT2YIY%Z!nWY zxs-lrQrbm}1JRhK4Y^pe#JKJ>t8lzG2tq#g zsz-iBQ9h!I%rX#I;~~0FtJ6Mev}Kq;!>|rjbEouf6yaUQi90m3`#74rk-W8vz9@We zEYWs4qit|GhYB)6sM+zF?DD}L4bFR{y5^fl#jB)2|qq+gWs4{w+`AEe}YB4HigK5P8#JCTHHTPlKDh~1{)t9 z$tIR;@&3aDTxP%V~`=qMze2X`No^OgFdde1vJI`Oh_Ii#zayYBC%^&rS}8 zgT0;M%vx|%abry`{=63QseTWxH_u(B!zd@M<>RaDkADMRH@ zj{5R|1Z@9SDPR=uJuRxrmkA`XILdL99({$w*}T#|f)*ob^z*F&3D$iVi$TU0V}5MyUagYlG_L%u0n=XN z*PO;R{q46!NOQ1e$v!Jps#XXl5c>M^7}}<@W|u zcRg8mT2eUR_qDK$vQ#XW@?DVG;V4bLJ&lOk?z$U$@?#bc6_zXzjU38y`l8%d{K*o&}5xo=2%2^>L{Fc8}%y;>&&d*pDXQAX7N`UF5}Z=&rsQ01@+g`sOIF)g{|VX zqjBtCPosu2x#)25{#5$=8)@V@SiNfgaDFp`YOU+*daImGek+Y@&kF*!cz!jThu_ZN z8vg@)SryN%Lh*k`piZXn-gsUVU(r4Ou0RD&dKIJG4=>}x0xmQZ_f+AgzsE88BQP>YT9Z@f%bO3|8!6Cc_ zuDFjHr~WIBw~sonw4a(L;jaZQn3U|q*2q#hTa2CIU^l@k`kQ^RYc+40y#2Q=bhdqD zr;BG=TUmeC!bSHT;$T>er=4N`p5YlsA$6-*(+&MYj0ILv!@hZoRHuj2?kWF~q0Wb6 zYr2|$;%IrdJ;igVahZSSm@uF_4O^>oI5TPM^FZy4Bw$?bAtCDXhI@9+! z#GT<)dNH^&0{=xwZ7MmWa)Lhc0P^X&+90MqA&@q_>ddauo9i6n0K8P-5xQyyHA&-o zhXjuyHwmh4?zCRr5U}=IM$qN!QqkN!fFa>y_0?vx0b^(at+QLuq|*oHQDdRFytm5w ze6JQRIPz}|a4AjIR?UMPB5{lsRC(`|xqPs|GPCLWSGiU*=N$B(_Yj9VX{K|yyHvC; z4`oQ~?T+Z$Jm>CV9uItZ&11(aI){gQED(R4Zl#LbYPU@9&C#sP%L!-kC}ud{6JUKj z!eFg+uFiozE9>xm1P+>AaiO}jN19Ci$bfXV8E-XR;5(56!t#BsP_0K$&JQ`5BlH>NOy6++cs(R2vUOyT00untk#HP1>R z+9?&F#j8oP19)}{)ya$kws`L-eSJ;})yj?nw7jnhb$@OWl`I|vXmL*!dFy!$bB>k= ziahfCfH*h11MN=X1s-pyO93;`36W3=7muf+^L}AKn;W&&sQimK9uoOHb17b{8r^%b z$4%Z>AKH3-iN}T8YJPuQC0lB55?>k+lRlp6v~b#u?oIn3$Lgcvb*xapmqpl&m&?Ou z@v74718$B`nU9pJ`PFpew?vq9hszZNKti!k~R&*4%TjcH8v^(4# z7|$r;a8ycdj%OtIm%{n|4vPj+WjcKbB8H3%f6tqm_3@NFeX>g+EuUdjgjA^Hga$pq%p;IhM3{5sR{zk|?z6 z)eaMkF{GayKBT3Hn%?*|2JznRj-$*qNZNi|GDucvAZC!*;-!7l5YGxk*aUO2;L*b>Y$$Tv83Dc-voNC#dcA*F{JddeiNdadWvB`OWx0fW66Y literal 0 HcmV?d00001 diff --git a/TitanEngineEmulator/Emulator.h b/TitanEngineEmulator/Emulator.h index d4ce969..9d95801 100644 --- a/TitanEngineEmulator/Emulator.h +++ b/TitanEngineEmulator/Emulator.h @@ -6,7 +6,6 @@ #include "TitanEngine.h" #include "FileMap.h" #include "PEB.h" -#include "NativeAttach.h" #include "Global.Engine.Context.h" #include "Hider.h" @@ -68,7 +67,7 @@ public: bool AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack) { - if(!Attach(ProcessId, DebugActiveProcess_)) + if(!Attach(ProcessId)) return false; mCbATTACHBREAKPOINT = STEPCALLBACK(CallBack); mAttachProcessInfo = (PROCESS_INFORMATION*)DebugInfo; @@ -188,12 +187,12 @@ public: case UE_ENGINE_SET_DEBUG_PRIVILEGE: mSetDebugPrivilege = VariableSet; break; - case UE_ENGINE_SAFE_ATTACH: - mSafeAttach = VariableSet; - break; case UE_ENGINE_SAFE_STEP: mSafeStep = VariableSet; break; + case UE_ENGINE_DISABLE_ASLR: + mDisableAslr = VariableSet; + break; } } @@ -1301,7 +1300,6 @@ private: //functions private: //variables bool mSetDebugPrivilege = false; - bool mSafeAttach = false; typedef void(*CUSTOMHANDLER)(const void*); typedef void(*STEPCALLBACK)(); typedef STEPCALLBACK BPCALLBACK; diff --git a/TitanEngineEmulator/TitanEngineEmulator.vcxproj b/TitanEngineEmulator/TitanEngineEmulator.vcxproj index 5ec6e89..98ff208 100644 --- a/TitanEngineEmulator/TitanEngineEmulator.vcxproj +++ b/TitanEngineEmulator/TitanEngineEmulator.vcxproj @@ -154,7 +154,6 @@ - diff --git a/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters b/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters index 3db2bb6..6381934 100644 --- a/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters +++ b/TitanEngineEmulator/TitanEngineEmulator.vcxproj.filters @@ -43,9 +43,6 @@ Header Files - - Header Files - Header Files