1 #pragma once 2 3 #ifndef __NTDLL_H__ 4 #define __NTDLL_H__ 5 6 #ifdef __cplusplus 7 extern "C" { 8 #endif 9 10 #ifdef _NTDDK_ 11 #error This header cannot be compiled together with NTDDK 12 #endif 13 14 #ifndef _NTDLL_SELF_ // Auto-insert the library 15 16 #ifndef WIN64 17 #pragma comment(lib, "Lib\\x86\\Ntdll.lib") 18 #else 19 #pragma comment(lib, "Lib\\x64\\Ntdll.lib") 20 #endif 21 22 #endif 23 24 #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union 25 26 //------------------------------------------------------------------------------ 27 // Defines for NTSTATUS 28 29 typedef long NTSTATUS; 30 31 #ifndef NT_SUCCESS 32 #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 33 #endif 34 35 #ifndef STATUS_SUCCESS 36 #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) 37 #endif 38 39 #ifndef STATUS_UNSUCCESSFUL 40 #define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) 41 #endif 42 43 #ifndef ASSERT 44 #ifdef _DEBUG 45 #define ASSERT(x) assert(x) 46 #else 47 #define ASSERT(x) /* x */ 48 #endif 49 #endif 50 51 #ifndef DEVICE_TYPE 52 #define DEVICE_TYPE DWORD 53 #endif 54 55 //----------------------------------------------------------------------------- 56 // Definition of intervals for waiting functions 57 58 #define ABSOLUTE_INTERVAL(wait) (wait) 59 60 #define RELATIVE_INTERVAL(wait) (-(wait)) 61 62 #define NANOSECONDS(nanos) 63 (((signed __int64)(nanos)) / 100L) 64 65 #define MICROSECONDS(micros) 66 (((signed __int64)(micros)) * NANOSECONDS(1000L)) 67 68 #define MILISECONDS(mili) 69 (((signed __int64)(mili)) * MICROSECONDS(1000L)) 70 71 #define SECONDS(seconds) 72 (((signed __int64)(seconds)) * MILISECONDS(1000L)) 73 74 //------------------------------------------------------------------------------ 75 // Structures 76 77 #ifndef _NTDEF_ 78 typedef enum _EVENT_TYPE 79 { 80 NotificationEvent, 81 SynchronizationEvent 82 83 } EVENT_TYPE; 84 85 // 86 // ANSI strings are counted 8-bit character strings. If they are 87 // NULL terminated, Length does not include trailing NULL. 88 // 89 90 typedef struct _STRING 91 { 92 USHORT Length; 93 USHORT MaximumLength; 94 PCHAR Buffer; 95 96 } STRING, *PSTRING; 97 98 // 99 // Unicode strings are counted 16-bit character strings. If they are 100 // NULL terminated, Length does not include trailing NULL. 101 // 102 103 typedef struct _UNICODE_STRING 104 { 105 USHORT Length; 106 USHORT MaximumLength; 107 PWSTR Buffer; 108 109 } UNICODE_STRING, *PUNICODE_STRING; 110 111 typedef STRING ANSI_STRING; 112 typedef PSTRING PANSI_STRING; 113 114 typedef STRING OEM_STRING; 115 typedef PSTRING POEM_STRING; 116 typedef CONST STRING* PCOEM_STRING; 117 118 typedef const UNICODE_STRING *PCUNICODE_STRING; 119 120 #define UNICODE_NULL ((WCHAR)0) // winnt 121 122 // 123 // Valid values for the Attributes field 124 // 125 126 #define OBJ_INHERIT 0x00000002L 127 #define OBJ_PERMANENT 0x00000010L 128 #define OBJ_EXCLUSIVE 0x00000020L 129 #define OBJ_CASE_INSENSITIVE 0x00000040L 130 #define OBJ_OPENIF 0x00000080L 131 #define OBJ_OPENLINK 0x00000100L 132 #define OBJ_KERNEL_HANDLE 0x00000200L 133 #define OBJ_FORCE_ACCESS_CHECK 0x00000400L 134 #define OBJ_VALID_ATTRIBUTES 0x000007F2L 135 136 // 137 // Object Attributes structure 138 // 139 140 typedef struct _OBJECT_ATTRIBUTES 141 { 142 ULONG Length; 143 HANDLE RootDirectory; 144 PUNICODE_STRING ObjectName; 145 ULONG Attributes; 146 PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR 147 PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE 148 149 } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 150 151 // 152 // IO_STATUS_BLOCK 153 // 154 155 typedef struct _IO_STATUS_BLOCK 156 { 157 union 158 { 159 NTSTATUS Status; 160 PVOID Pointer; 161 }; 162 163 ULONG_PTR Information; 164 165 } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 166 167 // 168 // ClientId 169 // 170 171 typedef struct _CLIENT_ID 172 { 173 HANDLE UniqueProcess; 174 HANDLE UniqueThread; 175 176 } CLIENT_ID, *PCLIENT_ID; 177 #endif // _NTDEF_ 178 179 180 // 181 // CURDIR structure 182 // 183 184 typedef struct _CURDIR 185 { 186 UNICODE_STRING DosPath; 187 HANDLE Handle; 188 189 } CURDIR, *PCURDIR; 190 191 192 //------------------------------------------------------------------------------ 193 // Macros 194 195 #ifndef InitializeObjectAttributes 196 #define InitializeObjectAttributes( p, n, a, r, s ) { 197 (p)->Length = sizeof( OBJECT_ATTRIBUTES ); 198 (p)->RootDirectory = r; 199 (p)->Attributes = a; 200 (p)->ObjectName = n; 201 (p)->SecurityDescriptor = s; 202 (p)->SecurityQualityOfService = NULL; 203 } 204 #endif 205 206 // 207 // Macros for handling LIST_ENTRY-based lists 208 // 209 210 #if !defined(_WDMDDK_) && !defined(_LIST_ENTRY_MACROS_DEFINED_) 211 #define _LIST_ENTRY_MACROS_DEFINED_ 212 213 BOOLEAN 214 FORCEINLINE 215 IsListEmpty( 216 IN const LIST_ENTRY * ListHead 217 ) 218 { 219 return (BOOLEAN)(ListHead->Flink == ListHead); 220 } 221 222 FORCEINLINE 223 VOID 224 InitializeListHead( 225 IN PLIST_ENTRY ListHead 226 ) 227 { 228 ListHead->Flink = ListHead->Blink = ListHead; 229 } 230 231 FORCEINLINE 232 VOID 233 InsertHeadList( 234 IN OUT PLIST_ENTRY ListHead, 235 IN OUT PLIST_ENTRY Entry 236 ) 237 { 238 PLIST_ENTRY Flink; 239 240 Flink = ListHead->Flink; 241 Entry->Flink = Flink; 242 Entry->Blink = ListHead; 243 Flink->Blink = Entry; 244 ListHead->Flink = Entry; 245 } 246 247 FORCEINLINE 248 VOID 249 InsertTailList( 250 IN OUT PLIST_ENTRY ListHead, 251 IN OUT PLIST_ENTRY Entry 252 ) 253 { 254 PLIST_ENTRY Blink; 255 256 Blink = ListHead->Blink; 257 Entry->Flink = ListHead; 258 Entry->Blink = Blink; 259 Blink->Flink = Entry; 260 ListHead->Blink = Entry; 261 } 262 263 FORCEINLINE 264 BOOLEAN 265 RemoveEntryList( 266 IN PLIST_ENTRY Entry 267 ) 268 { 269 PLIST_ENTRY Blink; 270 PLIST_ENTRY Flink; 271 272 Flink = Entry->Flink; 273 Blink = Entry->Blink; 274 Blink->Flink = Flink; 275 Flink->Blink = Blink; 276 return (BOOLEAN)(Flink == Blink); 277 } 278 #endif // #if !defined(_WDMDDK_) && !defined(_LIST_ENTRY_MACROS_DEFINED_) 279 280 //----------------------------------------------------------------------------- 281 // Unicode string functions 282 283 NTSYSAPI 284 VOID 285 NTAPI 286 RtlInitString( 287 PSTRING DestinationString, 288 PCSTR SourceString 289 ); 290 291 292 NTSYSAPI 293 VOID 294 NTAPI 295 RtlInitUnicodeString( 296 PUNICODE_STRING DestinationString, 297 PCWSTR SourceString 298 ); 299 300 301 NTSYSAPI 302 BOOLEAN 303 NTAPI 304 RtlCreateUnicodeString( 305 OUT PUNICODE_STRING DestinationString, 306 IN PCWSTR SourceString 307 ); 308 309 310 NTSYSAPI 311 BOOLEAN 312 NTAPI 313 RtlCreateUnicodeStringFromAsciiz( 314 OUT PUNICODE_STRING Destination, 315 IN PCSTR Source 316 ); 317 318 319 NTSYSAPI 320 BOOLEAN 321 NTAPI 322 RtlPrefixUnicodeString ( 323 IN PUNICODE_STRING String1, 324 IN PUNICODE_STRING String2, 325 IN BOOLEAN CaseInSensitive 326 ); 327 328 329 NTSYSAPI 330 NTSTATUS 331 NTAPI 332 RtlDuplicateUnicodeString( 333 IN BOOLEAN AllocateNew, 334 IN PUNICODE_STRING SourceString, 335 OUT PUNICODE_STRING TargetString 336 ); 337 338 339 NTSYSAPI 340 NTSTATUS 341 NTAPI 342 RtlAppendUnicodeToString ( 343 PUNICODE_STRING Destination, 344 PCWSTR Source 345 ); 346 347 348 NTSYSAPI 349 NTSTATUS 350 NTAPI 351 RtlAppendUnicodeStringToString( 352 IN OUT PUNICODE_STRING Destination, 353 IN PUNICODE_STRING Source 354 ); 355 356 357 NTSYSAPI 358 NTSTATUS 359 NTAPI 360 RtlUnicodeStringToInteger ( 361 IN PUNICODE_STRING String, 362 IN ULONG Base OPTIONAL, 363 OUT PULONG Value 364 ); 365 366 367 NTSYSAPI 368 NTSTATUS 369 NTAPI 370 RtlIntegerToUnicodeString ( 371 IN ULONG Value, 372 IN ULONG Base OPTIONAL, 373 IN OUT PUNICODE_STRING String 374 ); 375 376 377 NTSYSAPI 378 NTSTATUS 379 NTAPI 380 RtlGUIDFromString( 381 IN PUNICODE_STRING GuidString, 382 OUT GUID *Guid 383 ); 384 385 386 NTSYSAPI 387 LONG 388 NTAPI 389 RtlCompareUnicodeString ( 390 IN PUNICODE_STRING String1, 391 IN PUNICODE_STRING String2, 392 IN BOOLEAN CaseInSensitive 393 ); 394 395 396 NTSYSAPI 397 VOID 398 NTAPI 399 RtlCopyUnicodeString( 400 OUT PUNICODE_STRING DestinationString, 401 IN PUNICODE_STRING SourceString 402 ); 403 404 405 NTSYSAPI 406 NTSTATUS 407 NTAPI 408 RtlUpcaseUnicodeString ( 409 OUT PUNICODE_STRING DestinationString, 410 IN PUNICODE_STRING SourceString, 411 IN BOOLEAN AllocateDestinationString 412 ); 413 414 415 NTSYSAPI 416 NTSTATUS 417 NTAPI 418 RtlDowncaseUnicodeString ( 419 OUT PUNICODE_STRING DestinationString, 420 IN PUNICODE_STRING SourceString, 421 IN BOOLEAN AllocateDestinationString 422 ); 423 424 425 NTSYSAPI 426 BOOLEAN 427 NTAPI 428 RtlEqualUnicodeString ( 429 IN PUNICODE_STRING String1, 430 IN PUNICODE_STRING String2, 431 IN BOOLEAN CaseInSensitive 432 ); 433 434 435 NTSYSAPI 436 VOID 437 NTAPI 438 RtlFreeUnicodeString( 439 IN PUNICODE_STRING UnicodeString 440 ); 441 442 443 NTSYSAPI 444 NTSTATUS 445 NTAPI 446 RtlAnsiStringToUnicodeString ( 447 OUT PUNICODE_STRING DestinationString, 448 IN PANSI_STRING SourceString, 449 IN BOOLEAN AllocateDestinationString 450 ); 451 452 453 NTSYSAPI 454 NTSTATUS 455 NTAPI 456 RtlUnicodeStringToAnsiString ( 457 OUT PANSI_STRING DestinationString, 458 IN PUNICODE_STRING SourceString, 459 IN BOOLEAN AllocateDestinationString 460 ); 461 462 463 NTSYSAPI 464 VOID 465 NTAPI 466 RtlInitAnsiString ( 467 OUT PANSI_STRING DestinationString, 468 IN PCHAR SourceString 469 ); 470 471 472 NTSYSAPI 473 VOID 474 NTAPI 475 RtlFreeAnsiString ( 476 IN PANSI_STRING AnsiString 477 ); 478 479 480 NTSYSAPI 481 NTSTATUS 482 NTAPI 483 RtlFormatCurrentUserKeyPath( 484 OUT PUNICODE_STRING CurrentUserKeyPath 485 ); 486 487 488 NTSYSAPI 489 VOID 490 NTAPI 491 RtlRaiseStatus ( 492 IN NTSTATUS Status 493 ); 494 495 496 NTSYSAPI 497 VOID 498 NTAPI 499 DbgBreakPoint( 500 VOID 501 ); 502 503 504 NTSYSAPI 505 ULONG 506 _cdecl 507 DbgPrint ( 508 PCH Format, 509 ... 510 ); 511 512 513 NTSYSAPI 514 ULONG 515 NTAPI 516 RtlRandom( 517 IN OUT PULONG Seed 518 ); 519 520 //----------------------------------------------------------------------------- 521 // Critical section functions 522 523 NTSYSAPI 524 NTSTATUS 525 NTAPI 526 RtlInitializeCriticalSection( 527 IN PRTL_CRITICAL_SECTION CriticalSection 528 ); 529 530 531 NTSYSAPI 532 BOOL 533 NTAPI 534 RtlTryEnterCriticalSection( 535 IN PRTL_CRITICAL_SECTION CriticalSection 536 ); 537 538 539 NTSYSAPI 540 NTSTATUS 541 NTAPI 542 RtlEnterCriticalSection( 543 IN PRTL_CRITICAL_SECTION CriticalSection 544 ); 545 546 547 NTSYSAPI 548 NTSTATUS 549 NTAPI 550 RtlLeaveCriticalSection( 551 IN PRTL_CRITICAL_SECTION CriticalSection 552 ); 553 554 555 NTSYSAPI 556 NTSTATUS 557 NTAPI 558 RtlDeleteCriticalSection( 559 IN PRTL_CRITICAL_SECTION CriticalSection 560 ); 561 562 //----------------------------------------------------------------------------- 563 // Compression and decompression 564 565 NTSYSAPI 566 NTSTATUS 567 NTAPI 568 RtlCompressBuffer( 569 IN USHORT CompressionFormatAndEngine, 570 IN PUCHAR UncompressedBuffer, 571 IN ULONG UncompressedBufferSize, 572 OUT PUCHAR CompressedBuffer, 573 IN ULONG CompressedBufferSize, 574 IN ULONG UncompressedChunkSize, 575 OUT PULONG FinalCompressedSize, 576 IN PVOID WorkSpace 577 ); 578 579 580 NTSYSAPI 581 NTSTATUS 582 NTAPI 583 RtlDecompressBuffer( 584 IN USHORT CompressionFormat, 585 OUT PUCHAR UncompressedBuffer, 586 IN ULONG UncompressedBufferSize, 587 IN PUCHAR CompressedBuffer, 588 IN ULONG CompressedBufferSize, 589 OUT PULONG FinalUncompressedSize 590 ); 591 592 //----------------------------------------------------------------------------- 593 // Object functions 594 595 // 596 // Object Manager Directory Specific Access Rights. 597 // 598 599 #ifndef DIRECTORY_QUERY 600 #define DIRECTORY_QUERY (0x0001) 601 #define DIRECTORY_TRAVERSE (0x0002) 602 #define DIRECTORY_CREATE_OBJECT (0x0004) 603 #define DIRECTORY_CREATE_SUBDIRECTORY (0x0008) 604 #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF) 605 #endif 606 607 typedef enum _POOL_TYPE { 608 NonPagedPool, 609 PagedPool, 610 NonPagedPoolMustSucceed, 611 DontUseThisType, 612 NonPagedPoolCacheAligned, 613 PagedPoolCacheAligned, 614 NonPagedPoolCacheAlignedMustS, 615 MaxPoolType 616 } POOL_TYPE; 617 618 619 // 620 // For NtQueryObject 621 // 622 623 typedef enum _OBJECT_INFORMATION_CLASS { 624 ObjectBasicInformation, // = 0x00 625 ObjectNameInformation, // = 0x01 626 ObjectTypeInformation, // = 0x02 627 ObjectTypesInformation, // = 0x03 // object handle is ignored 628 ObjectHandleFlagInformation // = 0x04 629 } OBJECT_INFORMATION_CLASS; 630 631 // 632 // NtQueryObject uses ObjectBasicInformation 633 // 634 635 typedef struct _OBJECT_BASIC_INFORMATION { 636 ULONG Attributes; 637 ACCESS_MASK GrantedAccess; 638 ULONG HandleCount; 639 ULONG PointerCount; 640 ULONG PagedPoolCharge; 641 ULONG NonPagedPoolCharge; 642 ULONG Reserved[3]; 643 ULONG NameInfoSize; 644 ULONG TypeInfoSize; 645 ULONG SecurityDescriptorSize; 646 LARGE_INTEGER CreationTime; 647 } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 648 649 // 650 // NtQueryObject uses ObjectNameInformation 651 // 652 653 typedef struct _OBJECT_NAME_INFORMATION { 654 UNICODE_STRING Name; 655 } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 656 657 // 658 // NtQueryObject uses ObjectTypeInformation 659 // 660 661 typedef struct _OBJECT_TYPE_INFORMATION { 662 UNICODE_STRING TypeName; 663 ULONG TotalNumberOfObjects; 664 ULONG TotalNumberOfHandles; 665 ULONG TotalPagedPoolUsage; 666 ULONG TotalNonPagedPoolUsage; 667 ULONG TotalNamePoolUsage; 668 ULONG TotalHandleTableUsage; 669 ULONG HighWaterNumberOfObjects; 670 ULONG HighWaterNumberOfHandles; 671 ULONG HighWaterPagedPoolUsage; 672 ULONG HighWaterNonPagedPoolUsage; 673 ULONG HighWaterNamePoolUsage; 674 ULONG HighWaterHandleTableUsage; 675 ULONG InvalidAttributes; 676 GENERIC_MAPPING GenericMapping; 677 ULONG ValidAccessMask; 678 BOOLEAN SecurityRequired; 679 BOOLEAN MaintainHandleCount; 680 POOL_TYPE PoolType; 681 ULONG DefaultPagedPoolCharge; 682 ULONG DefaultNonPagedPoolCharge; 683 } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 684 685 // 686 // NtQueryObject uses ObjectHandleFlagInformation 687 // NtSetInformationObject uses ObjectHandleFlagInformation 688 // 689 690 typedef struct _OBJECT_HANDLE_FLAG_INFORMATION { 691 BOOLEAN Inherit; 692 BOOLEAN ProtectFromClose; 693 } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 694 695 // 696 // NtQueryDirectoryObject uses this type 697 // 698 699 typedef struct _OBJECT_DIRECTORY_INFORMATION { 700 UNICODE_STRING Name; 701 UNICODE_STRING TypeName; 702 } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 703 704 705 NTSYSAPI 706 NTSTATUS 707 NTAPI 708 NtOpenDirectoryObject( 709 OUT PHANDLE DirectoryHandle, 710 IN ACCESS_MASK DesiredAccess, 711 IN POBJECT_ATTRIBUTES ObjectAttributes 712 ); 713 714 715 NTSYSAPI 716 NTSTATUS 717 NTAPI 718 NtQueryDirectoryObject( 719 IN HANDLE DirectoryHandle, 720 OUT PVOID Buffer, 721 IN ULONG Length, 722 IN BOOLEAN ReturnSingleEntry, 723 IN BOOLEAN RestartScan, 724 IN OUT PULONG Context, 725 OUT PULONG ReturnLength OPTIONAL 726 ); 727 728 729 NTSYSAPI 730 NTSTATUS 731 NTAPI 732 NtQueryObject ( 733 IN HANDLE ObjectHandle, 734 IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 735 OUT PVOID ObjectInformation, 736 IN ULONG Length, 737 OUT PULONG ResultLength OPTIONAL 738 ); 739 740 741 NTSYSAPI 742 NTSTATUS 743 NTAPI 744 NtSetInformationObject ( 745 IN HANDLE ObjectHandle, 746 IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 747 IN PVOID ObjectInformation, 748 IN ULONG Length 749 ); 750 751 752 NTSYSAPI 753 NTSTATUS 754 NTAPI 755 NtDuplicateObject ( 756 IN HANDLE SourceProcessHandle, 757 IN HANDLE SourceHandle, 758 IN HANDLE TargetProcessHandle OPTIONAL, 759 OUT PHANDLE TargetHandle OPTIONAL, 760 IN ACCESS_MASK DesiredAccess, 761 IN ULONG HandleAttributes, 762 IN ULONG Options 763 ); 764 765 766 NTSYSAPI 767 NTSTATUS 768 NTAPI 769 NtQuerySecurityObject ( 770 IN HANDLE ObjectHandle, 771 IN SECURITY_INFORMATION SecurityInformation, 772 OUT PSECURITY_DESCRIPTOR SecurityDescriptor, 773 IN ULONG DescriptorLength, 774 OUT PULONG ReturnLength 775 ); 776 777 778 NTSYSAPI 779 NTSTATUS 780 NTAPI 781 ZwQuerySecurityObject ( 782 IN HANDLE ObjectHandle, 783 IN SECURITY_INFORMATION SecurityInformation, 784 OUT PSECURITY_DESCRIPTOR SecurityDescriptor, 785 IN ULONG DescriptorLength, 786 OUT PULONG ReturnLength 787 ); 788 789 790 NTSYSAPI 791 NTSTATUS 792 NTAPI 793 NtSetSecurityObject ( 794 IN HANDLE ObjectHandle, 795 IN SECURITY_INFORMATION SecurityInformation, 796 IN PSECURITY_DESCRIPTOR SecurityDescriptor 797 ); 798 799 800 NTSYSAPI 801 NTSTATUS 802 NTAPI 803 ZwSetSecurityObject ( 804 IN HANDLE ObjectHandle, 805 IN SECURITY_INFORMATION SecurityInformation, 806 IN PSECURITY_DESCRIPTOR SecurityDescriptor 807 ); 808 809 810 NTSYSAPI 811 NTSTATUS 812 NTAPI 813 NtMakeTemporaryObject( 814 IN HANDLE ObjectHandle 815 ); 816 817 818 NTSYSAPI 819 NTSTATUS 820 NTAPI 821 ZwMakeTemporaryObject( 822 IN HANDLE ObjectHandle 823 ); 824 825 //----------------------------------------------------------------------------- 826 // Handle table RTL functions 827 828 #define LEVEL_HANDLE_ID 0x74000000 829 #define LEVEL_HANDLE_ID_MASK 0xFF000000 830 #define LEVEL_HANDLE_INDEX_MASK 0x00FFFFFF 831 832 typedef enum _RTL_GENERIC_COMPARE_RESULTS { 833 GenericLessThan, 834 GenericGreaterThan, 835 GenericEqual 836 } RTL_GENERIC_COMPARE_RESULTS; 837 838 839 typedef struct _RTL_SPLAY_LINKS 840 { 841 struct _RTL_SPLAY_LINKS *Parent; 842 struct _RTL_SPLAY_LINKS *LeftChild; 843 struct _RTL_SPLAY_LINKS *RightChild; 844 } RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; 845 846 847 struct _RTL_GENERIC_TABLE; 848 849 typedef 850 RTL_GENERIC_COMPARE_RESULTS 851 (NTAPI * PRTL_GENERIC_COMPARE_ROUTINE) ( 852 struct _RTL_GENERIC_TABLE *Table, 853 PVOID FirstStruct, 854 PVOID SecondStruct 855 ); 856 857 typedef 858 PVOID 859 (NTAPI *PRTL_GENERIC_ALLOCATE_ROUTINE) ( 860 struct _RTL_GENERIC_TABLE *Table, 861 ULONG ByteSize 862 ); 863 864 typedef 865 VOID 866 (NTAPI *PRTL_GENERIC_FREE_ROUTINE) ( 867 struct _RTL_GENERIC_TABLE *Table, 868 PVOID Buffer 869 ); 870 871 872 typedef struct _RTL_GENERIC_TABLE { 873 PRTL_SPLAY_LINKS TableRoot; 874 LIST_ENTRY InsertOrderList; 875 PLIST_ENTRY OrderedPointer; 876 ULONG WhichOrderedElement; 877 ULONG NumberGenericTableElements; 878 PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine; 879 PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine; 880 PRTL_GENERIC_FREE_ROUTINE FreeRoutine; 881 PVOID TableContext; 882 } RTL_GENERIC_TABLE, *PRTL_GENERIC_TABLE; 883 884 885 typedef struct _RTL_HANDLE_TABLE_ENTRY 886 { 887 struct _RTL_HANDLE_TABLE_ENTRY *Next; /* pointer to next free handle */ 888 PVOID Object; 889 890 } RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY; 891 892 893 typedef struct _RTL_HANDLE_TABLE 894 { 895 ULONG MaximumNumberOfHandles; 896 ULONG SizeOfHandleTableEntry; 897 ULONG Unknown01; 898 ULONG Unknown02; 899 PRTL_HANDLE_TABLE_ENTRY FreeHandles; 900 PRTL_HANDLE_TABLE_ENTRY CommittedHandles; 901 PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles; 902 PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles; 903 } RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE; 904 905 906 NTSYSAPI 907 VOID 908 NTAPI 909 RtlInitializeGenericTable ( 910 IN PRTL_GENERIC_TABLE Table, 911 IN PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, 912 IN PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, 913 IN PRTL_GENERIC_FREE_ROUTINE FreeRoutine, 914 IN PVOID TableContext 915 ); 916 917 918 NTSYSAPI 919 VOID 920 NTAPI 921 RtlInitializeHandleTable( 922 IN ULONG MaximumNumberOfHandles, 923 IN ULONG SizeOfHandleTableEntry, 924 OUT PRTL_HANDLE_TABLE HandleTable 925 ); 926 927 928 NTSYSAPI 929 PRTL_HANDLE_TABLE_ENTRY 930 NTAPI 931 RtlAllocateHandle( 932 IN PRTL_HANDLE_TABLE HandleTable, 933 OUT PULONG HandleIndex OPTIONAL 934 ); 935 936 937 NTSYSAPI 938 BOOLEAN 939 NTAPI 940 RtlFreeHandle( 941 IN PRTL_HANDLE_TABLE HandleTable, 942 IN PRTL_HANDLE_TABLE_ENTRY Handle 943 ); 944 945 946 NTSYSAPI 947 BOOLEAN 948 NTAPI 949 RtlIsValidIndexHandle( 950 IN PRTL_HANDLE_TABLE HandleTable, 951 IN ULONG HandleIndex, 952 OUT PRTL_HANDLE_TABLE_ENTRY *Handle 953 ); 954 955 956 NTSYSAPI 957 PVOID 958 NTAPI 959 RtlInsertElementGenericTable ( 960 IN PRTL_GENERIC_TABLE Table, 961 IN PVOID Buffer, 962 IN LONG BufferSize, 963 OUT PBOOLEAN NewElement OPTIONAL 964 ); 965 966 967 NTSYSAPI 968 BOOLEAN 969 NTAPI 970 RtlIsGenericTableEmpty ( 971 IN PRTL_GENERIC_TABLE Table 972 ); 973 974 975 NTSYSAPI 976 BOOLEAN 977 NTAPI 978 RtlIsGenericTableEmpty ( 979 IN PRTL_GENERIC_TABLE Table 980 ); 981 982 983 NTSYSAPI 984 PVOID 985 NTAPI 986 RtlLookupElementGenericTable ( 987 IN PRTL_GENERIC_TABLE Table, 988 IN PVOID Buffer 989 ); 990 991 992 NTSYSAPI 993 PVOID 994 NTAPI 995 RtlEnumerateGenericTableWithoutSplaying( 996 IN PRTL_GENERIC_TABLE Table, 997 IN PVOID *RestartKey 998 ); 999 1000 1001 NTSYSAPI 1002 NTSTATUS 1003 NTAPI 1004 NtClose( 1005 IN HANDLE Handle 1006 ); 1007 1008 1009 NTSYSAPI 1010 NTSTATUS 1011 NTAPI 1012 ZwClose( 1013 IN HANDLE Handle 1014 ); 1015 1016 //----------------------------------------------------------------------------- 1017 // Environment functions 1018 1019 NTSYSAPI 1020 NTSTATUS 1021 NTAPI 1022 RtlOpenCurrentUser( 1023 IN ULONG DesiredAccess, 1024 OUT PHANDLE CurrentUserKey 1025 ); 1026 1027 1028 NTSYSAPI 1029 NTSTATUS 1030 NTAPI 1031 RtlCreateEnvironment( 1032 BOOLEAN CloneCurrentEnvironment, 1033 PVOID *Environment 1034 ); 1035 1036 1037 NTSYSAPI 1038 NTSTATUS 1039 NTAPI 1040 RtlQueryEnvironmentVariable_U ( 1041 PVOID Environment, 1042 PUNICODE_STRING Name, 1043 PUNICODE_STRING Value 1044 ); 1045 1046 1047 NTSYSAPI 1048 NTSTATUS 1049 NTAPI 1050 RtlSetEnvironmentVariable( 1051 PVOID *Environment, 1052 PUNICODE_STRING Name, 1053 PUNICODE_STRING Value 1054 ); 1055 1056 1057 NTSYSAPI 1058 NTSTATUS 1059 NTAPI 1060 RtlDestroyEnvironment( 1061 PVOID Environment 1062 ); 1063 1064 //----------------------------------------------------------------------------- 1065 // Registry functions 1066 1067 1068 typedef enum _KEY_INFORMATION_CLASS 1069 { 1070 KeyBasicInformation, // 0x00 1071 KeyNodeInformation, // 0x01 1072 KeyFullInformation, // 0x02 1073 KeyNameInformation, // 0x03 1074 KeyCachedInformation, // 0x04 1075 KeyFlagsInformation, // 0x05 1076 MaxKeyInfoClass // MaxKeyInfoClass should always be the last enum 1077 1078 } KEY_INFORMATION_CLASS; 1079 1080 // 1081 // Key query structures 1082 // 1083 1084 typedef struct _KEY_BASIC_INFORMATION 1085 { 1086 LARGE_INTEGER LastWriteTime; 1087 ULONG TitleIndex; 1088 ULONG NameLength; 1089 WCHAR Name[1]; // Variable length string 1090 1091 } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 1092 1093 1094 typedef struct _KEY_NODE_INFORMATION 1095 { 1096 LARGE_INTEGER LastWriteTime; 1097 ULONG TitleIndex; 1098 ULONG ClassOffset; 1099 ULONG ClassLength; 1100 ULONG NameLength; 1101 WCHAR Name[1]; // Variable length string 1102 // Class[1]; // Variable length string not declared 1103 } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 1104 1105 1106 typedef struct _KEY_FULL_INFORMATION 1107 { 1108 LARGE_INTEGER LastWriteTime; 1109 ULONG TitleIndex; 1110 ULONG ClassOffset; 1111 ULONG ClassLength; 1112 ULONG SubKeys; 1113 ULONG MaxNameLen; 1114 ULONG MaxClassLen; 1115 ULONG Values; 1116 ULONG MaxValueNameLen; 1117 ULONG MaxValueDataLen; 1118 WCHAR Class[1]; // Variable length 1119 1120 } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 1121 1122 1123 // end_wdm 1124 typedef struct _KEY_NAME_INFORMATION 1125 { 1126 ULONG NameLength; 1127 WCHAR Name[1]; // Variable length string 1128 1129 } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 1130 1131 typedef struct _KEY_CACHED_INFORMATION 1132 { 1133 LARGE_INTEGER LastWriteTime; 1134 ULONG TitleIndex; 1135 ULONG SubKeys; 1136 ULONG MaxNameLen; 1137 ULONG Values; 1138 ULONG MaxValueNameLen; 1139 ULONG MaxValueDataLen; 1140 ULONG NameLength; 1141 WCHAR Name[1]; // Variable length string 1142 1143 } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 1144 1145 1146 typedef struct _KEY_FLAGS_INFORMATION 1147 { 1148 ULONG UserFlags; 1149 1150 } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 1151 1152 1153 1154 typedef enum _KEY_VALUE_INFORMATION_CLASS { 1155 KeyValueBasicInformation, // 0x00 1156 KeyValueFullInformation, // 0x01 1157 KeyValuePartialInformation, // 0x02 1158 KeyValueFullInformationAlign64, // 0x03 1159 KeyValuePartialInformationAlign64, // 0x04 1160 MaxKeyValueInfoClass // MaxKeyValueInfoClass should always be the last enum 1161 } KEY_VALUE_INFORMATION_CLASS; 1162 1163 typedef struct _KEY_VALUE_BASIC_INFORMATION 1164 { 1165 ULONG TitleIndex; 1166 ULONG Type; 1167 ULONG NameLength; 1168 WCHAR Name[1]; // Variable size 1169 } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 1170 1171 typedef struct _KEY_VALUE_FULL_INFORMATION 1172 { 1173 ULONG TitleIndex; 1174 ULONG Type; 1175 ULONG DataOffset; 1176 ULONG DataLength; 1177 ULONG NameLength; 1178 WCHAR Name[1]; // Variable size 1179 // Data[1]; // Variable size data not declared 1180 } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 1181 1182 1183 typedef struct _KEY_VALUE_PARTIAL_INFORMATION { 1184 ULONG TitleIndex; 1185 ULONG Type; 1186 ULONG DataLength; 1187 UCHAR Data[1]; // Variable size 1188 } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 1189 1190 1191 1192 NTSYSAPI 1193 NTSTATUS 1194 NTAPI 1195 NtCreateKey( 1196 OUT PHANDLE KeyHandle, 1197 IN ACCESS_MASK DesiredAccess, 1198 IN POBJECT_ATTRIBUTES ObjectAttributes, 1199 IN ULONG TitleIndex, 1200 IN PUNICODE_STRING Class OPTIONAL, 1201 IN ULONG CreateOptions, 1202 OUT PULONG Disposition OPTIONAL 1203 ); 1204 1205 1206 NTSYSAPI 1207 NTSTATUS 1208 NTAPI 1209 NtOpenKey( 1210 OUT PHANDLE KeyHandle, 1211 IN ACCESS_MASK DesiredAccess, 1212 IN POBJECT_ATTRIBUTES ObjectAttributes 1213 ); 1214 1215 1216 NTSYSAPI 1217 NTSTATUS 1218 NTAPI 1219 NtEnumerateKey( 1220 IN HANDLE KeyHandle, 1221 IN ULONG Index, 1222 IN KEY_INFORMATION_CLASS KeyInformationClass, 1223 IN PVOID KeyInformation, 1224 IN ULONG Length, 1225 IN PULONG ResultLength 1226 ); 1227 1228 1229 NTSYSAPI 1230 NTSTATUS 1231 NTAPI 1232 ZwEnumerateKey( 1233 IN HANDLE KeyHandle, 1234 IN ULONG Index, 1235 IN KEY_INFORMATION_CLASS KeyInformationClass, 1236 IN PVOID KeyInformation, 1237 IN ULONG Length, 1238 IN PULONG ResultLength 1239 ); 1240 1241 1242 NTSYSAPI 1243 NTSTATUS 1244 NTAPI 1245 NtEnumerateValueKey( 1246 IN HANDLE KeyHandle, 1247 IN ULONG Index, 1248 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 1249 OUT PVOID KeyValueInformation, 1250 IN ULONG Length, 1251 OUT PULONG ResultLength 1252 ); 1253 1254 1255 NTSYSAPI 1256 NTSTATUS 1257 NTAPI 1258 ZwEnumerateValueKey( 1259 IN HANDLE KeyHandle, 1260 IN ULONG Index, 1261 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 1262 OUT PVOID KeyValueInformation, 1263 IN ULONG Length, 1264 OUT PULONG ResultLength 1265 ); 1266 1267 1268 NTSYSAPI 1269 NTSTATUS 1270 NTAPI 1271 NtDeleteKey( 1272 IN HANDLE KeyHandle 1273 ); 1274 1275 1276 NTSYSAPI 1277 NTSTATUS 1278 NTAPI 1279 NtQueryKey( 1280 IN HANDLE KeyHandle, 1281 IN KEY_INFORMATION_CLASS KeyInformationClass, 1282 OUT PVOID KeyInformation OPTIONAL, 1283 IN ULONG Length, 1284 OUT PULONG ResultLength 1285 ); 1286 1287 1288 NTSYSAPI 1289 NTSTATUS 1290 NTAPI 1291 NtQueryValueKey( 1292 IN HANDLE KeyHandle, 1293 IN PUNICODE_STRING ValueName, 1294 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 1295 OUT PVOID KeyValueInformation, 1296 IN ULONG Length, 1297 OUT PULONG ResultLength 1298 ); 1299 1300 1301 NTSYSAPI 1302 NTSTATUS 1303 NTAPI 1304 NtSetValueKey( 1305 IN HANDLE KeyHandle, 1306 IN PUNICODE_STRING ValueName, 1307 IN ULONG TitleIndex OPTIONAL, 1308 IN ULONG Type, 1309 IN PVOID Data, 1310 IN ULONG DataSize 1311 ); 1312 1313 1314 NTSYSAPI 1315 NTSTATUS 1316 NTAPI 1317 NtDeleteValueKey( 1318 IN HANDLE KeyHandle, 1319 IN PUNICODE_STRING ValueName 1320 ); 1321 1322 1323 NTSYSAPI 1324 NTSTATUS 1325 NTAPI 1326 NtFlushKey( 1327 IN HANDLE KeyHandle 1328 ); 1329 1330 //----------------------------------------------------------------------------- 1331 // RtlQueryRegistryValues 1332 1333 // 1334 // The following flags specify how the Name field of a RTL_QUERY_REGISTRY_TABLE 1335 // entry is interpreted. A NULL name indicates the end of the table. 1336 // 1337 1338 #define RTL_QUERY_REGISTRY_SUBKEY 0x00000001 // Name is a subkey and remainder of 1339 // table or until next subkey are value 1340 // names for that subkey to look at. 1341 1342 #define RTL_QUERY_REGISTRY_TOPKEY 0x00000002 // Reset current key to original key for 1343 // this and all following table entries. 1344 1345 #define RTL_QUERY_REGISTRY_REQUIRED 0x00000004 // Fail if no match found for this table 1346 // entry. 1347 1348 #define RTL_QUERY_REGISTRY_NOVALUE 0x00000008 // Used to mark a table entry that has no 1349 // value name, just wants a call out, not 1350 // an enumeration of all values. 1351 1352 #define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010 // Used to suppress the expansion of 1353 // REG_MULTI_SZ into multiple callouts or 1354 // to prevent the expansion of environment 1355 // variable values in REG_EXPAND_SZ 1356 1357 #define RTL_QUERY_REGISTRY_DIRECT 0x00000020 // QueryRoutine field ignored. EntryContext 1358 // field points to location to store value. 1359 // For null terminated strings, EntryContext 1360 // points to UNICODE_STRING structure that 1361 // that describes maximum size of buffer. 1362 // If .Buffer field is NULL then a buffer is 1363 // allocated. 1364 // 1365 1366 #define RTL_QUERY_REGISTRY_DELETE 0x00000040 // Used to delete value keys after they 1367 // are queried. 1368 1369 1370 // 1371 // The following values for the RelativeTo parameter determine what the 1372 // Path parameter to RtlQueryRegistryValues is relative to. 1373 // 1374 1375 #define RTL_REGISTRY_ABSOLUTE 0 // Path is a full path 1376 #define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services 1377 #define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control 1378 #define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion 1379 #define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap 1380 #define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser 1381 #define RTL_REGISTRY_MAXIMUM 6 1382 #define RTL_REGISTRY_HANDLE 0x40000000 // Low order bits are registry handle 1383 #define RTL_REGISTRY_OPTIONAL 0x80000000 // Indicates the key node is optional 1384 1385 1386 typedef NTSTATUS (NTAPI * PRTL_QUERY_REGISTRY_ROUTINE)( 1387 IN PWSTR ValueName, 1388 IN ULONG ValueType, 1389 IN PVOID ValueData, 1390 IN ULONG ValueLength, 1391 IN PVOID Context, 1392 IN PVOID EntryContext 1393 ); 1394 1395 typedef struct _RTL_QUERY_REGISTRY_TABLE 1396 { 1397 PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine; 1398 ULONG Flags; 1399 PWSTR Name; 1400 PVOID EntryContext; 1401 ULONG DefaultType; 1402 PVOID DefaultData; 1403 ULONG DefaultLength; 1404 1405 } RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE; 1406 1407 1408 NTSYSAPI 1409 NTSTATUS 1410 NTAPI 1411 RtlQueryRegistryValues( 1412 IN ULONG RelativeTo, 1413 IN PCWSTR Path, 1414 IN PRTL_QUERY_REGISTRY_TABLE QueryTable, 1415 IN PVOID Context, 1416 IN PVOID Environment OPTIONAL 1417 ); 1418 1419 1420 //----------------------------------------------------------------------------- 1421 // Query system information 1422 1423 typedef enum _SYSTEM_INFORMATION_CLASS 1424 { 1425 SystemBasicInformation, // 0x00 SYSTEM_BASIC_INFORMATION 1426 SystemProcessorInformation, // 0x01 SYSTEM_PROCESSOR_INFORMATION 1427 SystemPerformanceInformation, // 0x02 1428 SystemTimeOfDayInformation, // 0x03 1429 SystemPathInformation, // 0x04 1430 SystemProcessInformation, // 0x05 1431 SystemCallCountInformation, // 0x06 1432 SystemDeviceInformation, // 0x07 1433 SystemProcessorPerformanceInformation, // 0x08 1434 SystemFlagsInformation, // 0x09 1435 SystemCallTimeInformation, // 0x0A 1436 SystemModuleInformation, // 0x0B SYSTEM_MODULE_INFORMATION 1437 SystemLocksInformation, // 0x0C 1438 SystemStackTraceInformation, // 0x0D 1439 SystemPagedPoolInformation, // 0x0E 1440 SystemNonPagedPoolInformation, // 0x0F 1441 SystemHandleInformation, // 0x10 1442 SystemObjectInformation, // 0x11 1443 SystemPageFileInformation, // 0x12 1444 SystemVdmInstemulInformation, // 0x13 1445 SystemVdmBopInformation, // 0x14 1446 SystemFileCacheInformation, // 0x15 1447 SystemPoolTagInformation, // 0x16 1448 SystemInterruptInformation, // 0x17 1449 SystemDpcBehaviorInformation, // 0x18 1450 SystemFullMemoryInformation, // 0x19 1451 SystemLoadGdiDriverInformation, // 0x1A 1452 SystemUnloadGdiDriverInformation, // 0x1B 1453 SystemTimeAdjustmentInformation, // 0x1C 1454 SystemSummaryMemoryInformation, // 0x1D 1455 SystemMirrorMemoryInformation, // 0x1E 1456 SystemPerformanceTraceInformation, // 0x1F 1457 SystemObsolete0, // 0x20 1458 SystemExceptionInformation, // 0x21 1459 SystemCrashDumpStateInformation, // 0x22 1460 SystemKernelDebuggerInformation, // 0x23 1461 SystemContextSwitchInformation, // 0x24 1462 SystemRegistryQuotaInformation, // 0x25 1463 SystemExtendServiceTableInformation, // 0x26 1464 SystemPrioritySeperation, // 0x27 1465 SystemPlugPlayBusInformation, // 0x28 1466 SystemDockInformation, // 0x29 1467 SystemPowerInformationNative, // 0x2A 1468 SystemProcessorSpeedInformation, // 0x2B 1469 SystemCurrentTimeZoneInformation, // 0x2C 1470 SystemLookasideInformation, // 0x2D 1471 SystemTimeSlipNotification, // 0x2E 1472 SystemSessionCreate, // 0x2F 1473 SystemSessionDetach, // 0x30 1474 SystemSessionInformation, // 0x31 1475 SystemRangeStartInformation, // 0x32 1476 SystemVerifierInformation, // 0x33 1477 SystemAddVerifier, // 0x34 1478 SystemSessionProcessesInformation, // 0x35 1479 SystemLoadGdiDriverInSystemSpaceInformation, // 0x36 1480 SystemNumaProcessorMap, // 0x37 1481 SystemPrefetcherInformation, // 0x38 1482 SystemExtendedProcessInformation, // 0x39 1483 SystemRecommendedSharedDataAlignment, // 0x3A 1484 SystemComPlusPackage, // 0x3B 1485 SystemNumaAvailableMemory, // 0x3C 1486 SystemProcessorPowerInformation, // 0x3D 1487 SystemEmulationBasicInformation, // 0x3E 1488 SystemEmulationProcessorInformation, // 0x3F 1489 SystemExtendedHanfleInformation, // 0x40 1490 SystemLostDelayedWriteInformation, // 0x41 1491 SystemBigPoolInformation, // 0x42 1492 SystemSessionPoolTagInformation, // 0x43 1493 SystemSessionMappedViewInformation, // 0x44 1494 SystemHotpatchInformation, // 0x45 1495 SystemObjectSecurityMode, // 0x46 1496 SystemWatchDogTimerHandler, // 0x47 1497 SystemWatchDogTimerInformation, // 0x48 1498 SystemLogicalProcessorInformation, // 0x49 1499 SystemWo64SharedInformationObosolete, // 0x4A 1500 SystemRegisterFirmwareTableInformationHandler, // 0x4B 1501 SystemFirmwareTableInformation, // 0x4C 1502 SystemModuleInformationEx, // 0x4D 1503 SystemVerifierTriageInformation, // 0x4E 1504 SystemSuperfetchInformation, // 0x4F 1505 SystemMemoryListInformation, // 0x50 1506 SystemFileCacheInformationEx, // 0x51 1507 SystemThreadPriorityClientIdInformation, // 0x52 1508 SystemProcessorIdleCycleTimeInformation, // 0x53 1509 SystemVerifierCancellationInformation, // 0x54 1510 SystemProcessorPowerInformationEx, // 0x55 1511 SystemRefTraceInformation, // 0x56 1512 SystemSpecialPoolInformation, // 0x57 1513 SystemProcessIdInformation, // 0x58 1514 SystemErrorPortInformation, // 0x59 1515 SystemBootEnvironmentInformation, // 0x5A SYSTEM_BOOT_ENVIRONMENT_INFORMATION 1516 SystemHypervisorInformation, // 0x5B 1517 SystemVerifierInformationEx, // 0x5C 1518 SystemTimeZoneInformation, // 0x5D 1519 SystemImageFileExecutionOptionsInformation, // 0x5E 1520 SystemCoverageInformation, // 0x5F 1521 SystemPrefetchPathInformation, // 0x60 1522 SystemVerifierFaultsInformation, // 0x61 1523 MaxSystemInfoClass // 0x67 1524 1525 } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 1526 1527 // 1528 // Thread priority 1529 // 1530 1531 typedef LONG KPRIORITY; 1532 1533 // 1534 // Basic System information 1535 // NtQuerySystemInformation with SystemBasicInformation 1536 // 1537 1538 typedef struct _SYSTEM_BASIC_INFORMATION { 1539 ULONG Reserved; 1540 ULONG TimerResolution; 1541 ULONG PageSize; 1542 ULONG NumberOfPhysicalPages; 1543 ULONG LowestPhysicalPageNumber; 1544 ULONG HighestPhysicalPageNumber; 1545 ULONG AllocationGranularity; 1546 ULONG MinimumUserModeAddress; 1547 ULONG MaximumUserModeAddress; 1548 KAFFINITY ActiveProcessorsAffinityMask; 1549 CCHAR NumberOfProcessors; 1550 } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; 1551 1552 // 1553 // Processor information 1554 // NtQuerySystemInformation with SystemProcessorInformation 1555 // 1556 1557 typedef struct _SYSTEM_PROCESSOR_INFORMATION { 1558 USHORT ProcessorArchitecture; 1559 USHORT ProcessorLevel; 1560 USHORT ProcessorRevision; 1561 USHORT Reserved; 1562 ULONG ProcessorFeatureBits; 1563 } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; 1564 1565 // 1566 // Performance information 1567 // NtQuerySystemInformation with SystemPerformanceInformation 1568 // 1569 1570 typedef struct _SYSTEM_PERFORMANCE_INFORMATION { 1571 LARGE_INTEGER IdleProcessTime; 1572 LARGE_INTEGER IoReadTransferCount; 1573 LARGE_INTEGER IoWriteTransferCount; 1574 LARGE_INTEGER IoOtherTransferCount; 1575 ULONG IoReadOperationCount; 1576 ULONG IoWriteOperationCount; 1577 ULONG IoOtherOperationCount; 1578 ULONG AvailablePages; 1579 ULONG CommittedPages; 1580 ULONG CommitLimit; 1581 ULONG PeakCommitment; 1582 ULONG PageFaultCount; 1583 ULONG CopyOnWriteCount; 1584 ULONG TransitionCount; 1585 ULONG CacheTransitionCount; 1586 ULONG DemandZeroCount; 1587 ULONG PageReadCount; 1588 ULONG PageReadIoCount; 1589 ULONG CacheReadCount; 1590 ULONG CacheIoCount; 1591 ULONG DirtyPagesWriteCount; 1592 ULONG DirtyWriteIoCount; 1593 ULONG MappedPagesWriteCount; 1594 ULONG MappedWriteIoCount; 1595 ULONG PagedPoolPages; 1596 ULONG NonPagedPoolPages; 1597 ULONG PagedPoolAllocs; 1598 ULONG PagedPoolFrees; 1599 ULONG NonPagedPoolAllocs; 1600 ULONG NonPagedPoolFrees; 1601 ULONG FreeSystemPtes; 1602 ULONG ResidentSystemCodePage; 1603 ULONG TotalSystemDriverPages; 1604 ULONG TotalSystemCodePages; 1605 ULONG NonPagedPoolLookasideHits; 1606 ULONG PagedPoolLookasideHits; 1607 ULONG Spare3Count; 1608 ULONG ResidentSystemCachePage; 1609 ULONG ResidentPagedPoolPage; 1610 ULONG ResidentSystemDriverPage; 1611 ULONG CcFastReadNoWait; 1612 ULONG CcFastReadWait; 1613 ULONG CcFastReadResourceMiss; 1614 ULONG CcFastReadNotPossible; 1615 ULONG CcFastMdlReadNoWait; 1616 ULONG CcFastMdlReadWait; 1617 ULONG CcFastMdlReadResourceMiss; 1618 ULONG CcFastMdlReadNotPossible; 1619 ULONG CcMapDataNoWait; 1620 ULONG CcMapDataWait; 1621 ULONG CcMapDataNoWaitMiss; 1622 ULONG CcMapDataWaitMiss; 1623 ULONG CcPinMappedDataCount; 1624 ULONG CcPinReadNoWait; 1625 ULONG CcPinReadWait; 1626 ULONG CcPinReadNoWaitMiss; 1627 ULONG CcPinReadWaitMiss; 1628 ULONG CcCopyReadNoWait; 1629 ULONG CcCopyReadWait; 1630 ULONG CcCopyReadNoWaitMiss; 1631 ULONG CcCopyReadWaitMiss; 1632 ULONG CcMdlReadNoWait; 1633 ULONG CcMdlReadWait; 1634 ULONG CcMdlReadNoWaitMiss; 1635 ULONG CcMdlReadWaitMiss; 1636 ULONG CcReadAheadIos; 1637 ULONG CcLazyWriteIos; 1638 ULONG CcLazyWritePages; 1639 ULONG CcDataFlushes; 1640 ULONG CcDataPages; 1641 ULONG ContextSwitches; 1642 ULONG FirstLevelTbFills; 1643 ULONG SecondLevelTbFills; 1644 ULONG SystemCalls; 1645 } SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; 1646 1647 // 1648 // Time of Day information 1649 // NtQuerySystemInformation with SystemTimeOfDayInformation 1650 // 1651 1652 typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { 1653 LARGE_INTEGER BootTime; 1654 LARGE_INTEGER CurrentTime; 1655 LARGE_INTEGER TimeZoneBias; 1656 ULONG TimeZoneId; 1657 ULONG Reserved; 1658 } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; 1659 1660 // 1661 // Process information 1662 // NtQuerySystemInformation with SystemProcessInformation 1663 // 1664 1665 typedef struct _SYSTEM_PROCESS_INFORMATION { 1666 ULONG NextEntryOffset; 1667 ULONG NumberOfThreads; 1668 LARGE_INTEGER SpareLi1; 1669 LARGE_INTEGER SpareLi2; 1670 LARGE_INTEGER SpareLi3; 1671 LARGE_INTEGER CreateTime; 1672 LARGE_INTEGER UserTime; 1673 LARGE_INTEGER KernelTime; 1674 UNICODE_STRING ImageName; 1675 KPRIORITY BasePriority; 1676 ULONG_PTR UniqueProcessId; 1677 ULONG_PTR InheritedFromUniqueProcessId; 1678 ULONG HandleCount; 1679 // Next part is platform dependent 1680 1681 } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; 1682 1683 // 1684 // Device information 1685 // NtQuerySystemInformation with SystemDeviceInformation 1686 // 1687 1688 typedef struct _SYSTEM_DEVICE_INFORMATION { 1689 ULONG NumberOfDisks; 1690 ULONG NumberOfFloppies; 1691 ULONG NumberOfCdRoms; 1692 ULONG NumberOfTapes; 1693 ULONG NumberOfSerialPorts; 1694 ULONG NumberOfParallelPorts; 1695 } SYSTEM_DEVICE_INFORMATION, *PSYSTEM_DEVICE_INFORMATION; 1696 1697 // 1698 // Processor performance information 1699 // NtQuerySystemInformation with SystemProcessorPerformanceInformation 1700 // 1701 1702 typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION { 1703 LARGE_INTEGER IdleTime; 1704 LARGE_INTEGER KernelTime; 1705 LARGE_INTEGER UserTime; 1706 LARGE_INTEGER DpcTime; // DEVL only 1707 LARGE_INTEGER InterruptTime; // DEVL only 1708 ULONG InterruptCount; 1709 } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION; 1710 1711 // 1712 // NT Global Flag information 1713 // NtQuerySystemInformation with SystemFlagsInformation 1714 // 1715 1716 typedef struct _SYSTEM_FLAGS_INFORMATION 1717 { 1718 ULONG GlobalFlag; 1719 1720 } SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION; 1721 1722 // 1723 // System Module information 1724 // NtQuerySystemInformation with SystemModuleInformation 1725 // 1726 1727 typedef struct _SYSTEM_MODULE 1728 { 1729 HANDLE Section; // Not filled in 1730 PVOID MappedBase; 1731 PVOID ImageBase; 1732 ULONG ImageSize; 1733 ULONG Flags; 1734 USHORT LoadOrderIndex; 1735 USHORT InitOrderIndex; 1736 USHORT LoadCount; 1737 USHORT OffsetToFileName; 1738 CHAR ImageName[256]; 1739 1740 } SYSTEM_MODULE, *PSYSTEM_MODULE; 1741 1742 1743 typedef struct _SYSTEM_MODULE_INFORMATION 1744 { 1745 ULONG ModulesCount; 1746 SYSTEM_MODULE Modules[1]; 1747 1748 } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 1749 1750 /* 1751 typedef struct _SYSTEM_VDM_INSTEMUL_INFO { 1752 ULONG SegmentNotPresent ; 1753 ULONG VdmOpcode0F ; 1754 ULONG OpcodeESPrefix ; 1755 ULONG OpcodeCSPrefix ; 1756 ULONG OpcodeSSPrefix ; 1757 ULONG OpcodeDSPrefix ; 1758 ULONG OpcodeFSPrefix ; 1759 ULONG OpcodeGSPrefix ; 1760 ULONG OpcodeOPER32Prefix; 1761 ULONG OpcodeADDR32Prefix; 1762 ULONG OpcodeINSB ; 1763 ULONG OpcodeINSW ; 1764 ULONG OpcodeOUTSB ; 1765 ULONG OpcodeOUTSW ; 1766 ULONG OpcodePUSHF ; 1767 ULONG OpcodePOPF ; 1768 ULONG OpcodeINTnn ; 1769 ULONG OpcodeINTO ; 1770 ULONG OpcodeIRET ; 1771 ULONG OpcodeINBimm ; 1772 ULONG OpcodeINWimm ; 1773 ULONG OpcodeOUTBimm ; 1774 ULONG OpcodeOUTWimm ; 1775 ULONG OpcodeINB ; 1776 ULONG OpcodeINW ; 1777 ULONG OpcodeOUTB ; 1778 ULONG OpcodeOUTW ; 1779 ULONG OpcodeLOCKPrefix ; 1780 ULONG OpcodeREPNEPrefix ; 1781 ULONG OpcodeREPPrefix ; 1782 ULONG OpcodeHLT ; 1783 ULONG OpcodeCLI ; 1784 ULONG OpcodeSTI ; 1785 ULONG BopCount ; 1786 } SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO; 1787 1788 1789 typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION { 1790 ULONG TimeAdjustment; 1791 ULONG TimeIncrement; 1792 BOOLEAN Enable; 1793 } SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION; 1794 1795 typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION { 1796 ULONG TimeAdjustment; 1797 BOOLEAN Enable; 1798 } SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION; 1799 1800 1801 typedef struct _SYSTEM_THREAD_INFORMATION { 1802 LARGE_INTEGER KernelTime; 1803 LARGE_INTEGER UserTime; 1804 LARGE_INTEGER CreateTime; 1805 ULONG WaitTime; 1806 PVOID StartAddress; 1807 CLIENT_ID ClientId; 1808 KPRIORITY Priority; 1809 LONG BasePriority; 1810 ULONG ContextSwitches; 1811 ULONG ThreadState; 1812 ULONG WaitReason; 1813 } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; 1814 1815 typedef struct _SYSTEM_MEMORY_INFO { 1816 PUCHAR StringOffset; 1817 USHORT ValidCount; 1818 USHORT TransitionCount; 1819 USHORT ModifiedCount; 1820 USHORT PageTableCount; 1821 } SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO; 1822 1823 typedef struct _SYSTEM_MEMORY_INFORMATION { 1824 ULONG InfoSize; 1825 ULONG StringStart; 1826 SYSTEM_MEMORY_INFO Memory[1]; 1827 } SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION; 1828 1829 typedef struct _SYSTEM_CALL_COUNT_INFORMATION { 1830 ULONG Length; 1831 ULONG NumberOfTables; 1832 //ULONG NumberOfEntries[NumberOfTables]; 1833 //ULONG CallCounts[NumberOfTables][NumberOfEntries]; 1834 } SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION; 1835 1836 typedef struct _SYSTEM_CRASH_DUMP_INFORMATION { 1837 HANDLE CrashDumpSection; 1838 } SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION; 1839 1840 typedef struct _SYSTEM_EXCEPTION_INFORMATION { 1841 ULONG AlignmentFixupCount; 1842 ULONG ExceptionDispatchCount; 1843 ULONG FloatingEmulationCount; 1844 ULONG ByteWordEmulationCount; 1845 } SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; 1846 1847 typedef struct _SYSTEM_CRASH_STATE_INFORMATION { 1848 ULONG ValidCrashDump; 1849 } SYSTEM_CRASH_STATE_INFORMATION, *PSYSTEM_CRASH_STATE_INFORMATION; 1850 1851 typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { 1852 BOOLEAN KernelDebuggerEnabled; 1853 BOOLEAN KernelDebuggerNotPresent; 1854 } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; 1855 1856 typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION { 1857 ULONG RegistryQuotaAllowed; 1858 ULONG RegistryQuotaUsed; 1859 ULONG PagedPoolSize; 1860 } SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; 1861 */ 1862 1863 typedef struct _SYSTEM_GDI_DRIVER_INFORMATION { 1864 UNICODE_STRING DriverName; 1865 PVOID ImageAddress; 1866 PVOID SectionPointer; 1867 PVOID EntryPoint; 1868 PIMAGE_EXPORT_DIRECTORY ExportSectionPointer; 1869 ULONG ImageLength; 1870 } SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION; 1871 1872 typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION { 1873 GUID CurrentBootGuid; 1874 ULONG Unknown; 1875 } SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; 1876 1877 1878 NTSYSAPI 1879 NTSTATUS 1880 NTAPI 1881 NtQuerySystemInformation( 1882 IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 1883 OUT PVOID SystemInformation, 1884 IN ULONG SystemInformationLength, 1885 OUT PULONG ReturnLength 1886 ); 1887 1888 NTSYSAPI 1889 NTSTATUS 1890 NTAPI 1891 ZwQuerySystemInformation( 1892 IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 1893 OUT PVOID SystemInformation, 1894 IN ULONG SystemInformationLength, 1895 OUT PULONG ReturnLength 1896 ); 1897 1898 1899 NTSYSAPI 1900 NTSTATUS 1901 NTAPI 1902 NtSetSystemInformation( 1903 IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 1904 IN PVOID SystemInformation, 1905 IN ULONG SystemInformationLength 1906 ); 1907 1908 1909 NTSYSAPI 1910 NTSTATUS 1911 NTAPI 1912 ZwSetSystemInformation( 1913 IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 1914 IN PVOID SystemInformation, 1915 IN ULONG SystemInformationLength 1916 ); 1917 1918 //------------------------------------------------------------------------------ 1919 // Shutdown system 1920 1921 typedef enum _SHUTDOWN_ACTION 1922 { 1923 ShutdownNoReboot, 1924 ShutdownReboot, 1925 ShutdownPowerOff 1926 1927 } SHUTDOWN_ACTION, *PSHUTDOWN_ACTION; 1928 1929 1930 NTSYSAPI 1931 NTSTATUS 1932 NTAPI 1933 NtShutdownSystem( 1934 IN SHUTDOWN_ACTION Action 1935 ); 1936 1937 //----------------------------------------------------------------------------- 1938 // File functions 1939 1940 #ifndef OLD_DOS_VOLID 1941 #define OLD_DOS_VOLID 0x00000008 1942 #endif 1943 1944 #ifndef FILE_SUPERSEDE 1945 #define FILE_SUPERSEDE 0x00000000 1946 #define FILE_OPEN 0x00000001 1947 #define FILE_CREATE 0x00000002 1948 #define FILE_OPEN_IF 0x00000003 1949 #define FILE_OVERWRITE 0x00000004 1950 #define FILE_OVERWRITE_IF 0x00000005 1951 #define FILE_MAXIMUM_DISPOSITION 0x00000005 1952 #endif // File create flags 1953 1954 1955 // Define the create/open option flags 1956 #ifndef FILE_DIRECTORY_FILE 1957 #define FILE_DIRECTORY_FILE 0x00000001 1958 #define FILE_WRITE_THROUGH 0x00000002 1959 #define FILE_SEQUENTIAL_ONLY 0x00000004 1960 #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 1961 #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 1962 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 1963 #define FILE_NON_DIRECTORY_FILE 0x00000040 1964 #define FILE_CREATE_TREE_CONNECTION 0x00000080 1965 #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 1966 #define FILE_NO_EA_KNOWLEDGE 0x00000200 1967 #define FILE_OPEN_FOR_RECOVERY 0x00000400 1968 #define FILE_RANDOM_ACCESS 0x00000800 1969 #define FILE_DELETE_ON_CLOSE 0x00001000 1970 #define FILE_OPEN_BY_FILE_ID 0x00002000 1971 #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 1972 #define FILE_NO_COMPRESSION 0x00008000 1973 #define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 1974 #define FILE_DISALLOW_EXCLUSIVE 0x00020000 1975 #define FILE_RESERVE_OPFILTER 0x00100000 1976 #define FILE_OPEN_REPARSE_POINT 0x00200000 1977 #define FILE_OPEN_NO_RECALL 0x00400000 1978 #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 1979 #endif // FILE_DIRECTORY_FILE 1980 1981 1982 // 1983 // Define the I/O status information return values for NtCreateFile/NtOpenFile 1984 // 1985 1986 #ifndef FILE_SUPERSEDED 1987 #define FILE_SUPERSEDED 0x00000000 1988 #define FILE_OPENED 0x00000001 1989 #define FILE_CREATED 0x00000002 1990 #define FILE_OVERWRITTEN 0x00000003 1991 #define FILE_EXISTS 0x00000004 1992 #define FILE_DOES_NOT_EXIST 0x00000005 1993 #endif 1994 1995 1996 #ifndef PIO_APC_ROUTINE_DEFINED 1997 typedef 1998 VOID 1999 (NTAPI *PIO_APC_ROUTINE) ( 2000 IN PVOID ApcContext, 2001 IN PIO_STATUS_BLOCK IoStatusBlock, 2002 IN ULONG Reserved 2003 ); 2004 #define PIO_APC_ROUTINE_DEFINED 2005 #endif // PIO_APC_ROUTINE_DEFINED 2006 2007 2008 typedef enum _FILE_INFORMATION_CLASS 2009 { 2010 FileDirectoryInformation = 1, 2011 FileFullDirectoryInformation, // 0x02 2012 FileBothDirectoryInformation, // 0x03 2013 FileBasicInformation, // 0x04 wdm 2014 FileStandardInformation, // 0x05 wdm 2015 FileInternalInformation, // 0x06 2016 FileEaInformation, // 0x07 2017 FileAccessInformation, // 0x08 2018 FileNameInformation, // 0x09 2019 FileRenameInformation, // 0x0A 2020 FileLinkInformation, // 0x0B 2021 FileNamesInformation, // 0x0C 2022 FileDispositionInformation, // 0x0D 2023 FilePositionInformation, // 0x0E wdm 2024 FileFullEaInformation, // 0x0F 2025 FileModeInformation, // 0x10 2026 FileAlignmentInformation, // 0x11 2027 FileAllInformation, // 0x12 2028 FileAllocationInformation, // 0x13 2029 FileEndOfFileInformation, // 0x14 wdm 2030 FileAlternateNameInformation, // 0x15 2031 FileStreamInformation, // 0x16 2032 FilePipeInformation, // 0x17 2033 FilePipeLocalInformation, // 0x18 2034 FilePipeRemoteInformation, // 0x19 2035 FileMailslotQueryInformation, // 0x1A 2036 FileMailslotSetInformation, // 0x1B 2037 FileCompressionInformation, // 0x1C 2038 FileObjectIdInformation, // 0x1D 2039 FileCompletionInformation, // 0x1E 2040 FileMoveClusterInformation, // 0x1F 2041 FileQuotaInformation, // 0x20 2042 FileReparsePointInformation, // 0x21 2043 FileNetworkOpenInformation, // 0x22 2044 FileAttributeTagInformation, // 0x23 2045 FileTrackingInformation, // 0x24 2046 FileIdBothDirectoryInformation, // 0x25 2047 FileIdFullDirectoryInformation, // 0x26 2048 FileValidDataLengthInformation, // 0x27 2049 FileShortNameInformation, // 0x28 2050 FileIoCompletionNotificationInformation,// 0x29 2051 FileIoStatusBlockRangeInformation, // 0x2A 2052 FileIoPriorityHintInformation, // 0x2B 2053 FileSfioReserveInformation, // 0x2C 2054 FileSfioVolumeInformation, // 0x2D 2055 FileHardLinkInformation, // 0x2E 2056 FileProcessIdsUsingFileInformation, // 0x2F 2057 FileNormalizedNameInformation, // 0x30 2058 FileNetworkPhysicalNameInformation, // 0x31 2059 FileIdGlobalTxDirectoryInformation, // 0x32 2060 FileIsRemoteDeviceInformation, // 0x33 2061 FileAttributeCacheInformation, // 0x34 2062 FileNumaNodeInformation, // 0x35 2063 FileStandardLinkInformation, // 0x36 2064 FileRemoteProtocolInformation, // 0x37 2065 FileMaximumInformation 2066 } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; 2067 2068 2069 typedef struct _FILE_DIRECTORY_INFORMATION { 2070 ULONG NextEntryOffset; 2071 ULONG FileIndex; 2072 LARGE_INTEGER CreationTime; 2073 LARGE_INTEGER LastAccessTime; 2074 LARGE_INTEGER LastWriteTime; 2075 LARGE_INTEGER ChangeTime; 2076 LARGE_INTEGER EndOfFile; 2077 LARGE_INTEGER AllocationSize; 2078 ULONG FileAttributes; 2079 ULONG FileNameLength; 2080 WCHAR FileName[1]; 2081 } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; 2082 2083 2084 typedef struct _FILE_FULL_DIR_INFORMATION { 2085 ULONG NextEntryOffset; 2086 ULONG FileIndex; 2087 LARGE_INTEGER CreationTime; 2088 LARGE_INTEGER LastAccessTime; 2089 LARGE_INTEGER LastWriteTime; 2090 LARGE_INTEGER ChangeTime; 2091 LARGE_INTEGER EndOfFile; 2092 LARGE_INTEGER AllocationSize; 2093 ULONG FileAttributes; 2094 ULONG FileNameLength; 2095 ULONG EaSize; 2096 WCHAR FileName[1]; 2097 } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; 2098 2099 2100 typedef struct _FILE_BOTH_DIR_INFORMATION { 2101 ULONG NextEntryOffset; 2102 ULONG FileIndex; 2103 LARGE_INTEGER CreationTime; 2104 LARGE_INTEGER LastAccessTime; 2105 LARGE_INTEGER LastWriteTime; 2106 LARGE_INTEGER ChangeTime; 2107 LARGE_INTEGER EndOfFile; 2108 LARGE_INTEGER AllocationSize; 2109 ULONG FileAttributes; 2110 ULONG FileNameLength; 2111 ULONG EaSize; 2112 CCHAR ShortNameLength; 2113 WCHAR ShortName[12]; 2114 WCHAR FileName[1]; 2115 } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; 2116 2117 2118 typedef struct _FILE_BASIC_INFORMATION { 2119 LARGE_INTEGER CreationTime; 2120 LARGE_INTEGER LastAccessTime; 2121 LARGE_INTEGER LastWriteTime; 2122 LARGE_INTEGER ChangeTime; 2123 ULONG FileAttributes; 2124 } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; 2125 2126 2127 typedef struct _FILE_STANDARD_INFORMATION { 2128 LARGE_INTEGER AllocationSize; 2129 LARGE_INTEGER EndOfFile; 2130 ULONG NumberOfLinks; 2131 BOOLEAN DeletePending; 2132 BOOLEAN Directory; 2133 } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; 2134 2135 2136 typedef struct _FILE_INTERNAL_INFORMATION { 2137 LARGE_INTEGER IndexNumber; 2138 } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; 2139 2140 2141 typedef struct _FILE_EA_INFORMATION { 2142 ULONG EaSize; 2143 } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; 2144 2145 2146 typedef struct _FILE_ACCESS_INFORMATION { 2147 ACCESS_MASK AccessFlags; 2148 } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; 2149 2150 2151 typedef struct _FILE_NAME_INFORMATION { 2152 ULONG FileNameLength; 2153 WCHAR FileName[1]; 2154 } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; 2155 2156 2157 typedef struct _FILE_RENAME_INFORMATION { 2158 BOOLEAN ReplaceIfExists; 2159 HANDLE RootDirectory; 2160 ULONG FileNameLength; 2161 WCHAR FileName[1]; 2162 } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; 2163 2164 2165 typedef struct _FILE_NAMES_INFORMATION { 2166 ULONG NextEntryOffset; 2167 ULONG FileIndex; 2168 ULONG FileNameLength; 2169 WCHAR FileName[1]; 2170 } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; 2171 2172 2173 typedef struct _FILE_DISPOSITION_INFORMATION { 2174 BOOLEAN DeleteFile; 2175 } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; 2176 2177 2178 typedef struct _FILE_POSITION_INFORMATION { 2179 LARGE_INTEGER CurrentByteOffset; 2180 } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; 2181 2182 2183 typedef struct _FILE_FULL_EA_INFORMATION { 2184 ULONG NextEntryOffset; 2185 UCHAR Flags; 2186 UCHAR EaNameLength; 2187 USHORT EaValueLength; 2188 CHAR EaName[1]; 2189 } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; 2190 2191 2192 typedef struct _FILE_MODE_INFORMATION { 2193 ULONG Mode; 2194 } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; 2195 2196 2197 typedef struct _FILE_ALIGNMENT_INFORMATION { 2198 ULONG AlignmentRequirement; 2199 } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; 2200 2201 2202 typedef struct _FILE_ALL_INFORMATION { 2203 FILE_BASIC_INFORMATION BasicInformation; 2204 FILE_STANDARD_INFORMATION StandardInformation; 2205 FILE_INTERNAL_INFORMATION InternalInformation; 2206 FILE_EA_INFORMATION EaInformation; 2207 FILE_ACCESS_INFORMATION AccessInformation; 2208 FILE_POSITION_INFORMATION PositionInformation; 2209 FILE_MODE_INFORMATION ModeInformation; 2210 FILE_ALIGNMENT_INFORMATION AlignmentInformation; 2211 FILE_NAME_INFORMATION NameInformation; 2212 } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; 2213 2214 2215 typedef struct _FILE_ALLOCATION_INFORMATION { 2216 LARGE_INTEGER AllocationSize; 2217 } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; 2218 2219 2220 typedef struct _FILE_END_OF_FILE_INFORMATION { 2221 LARGE_INTEGER EndOfFile; 2222 } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; 2223 2224 2225 typedef struct _FILE_STREAM_INFORMATION { 2226 ULONG NextEntryOffset; 2227 ULONG StreamNameLength; 2228 LARGE_INTEGER StreamSize; 2229 LARGE_INTEGER StreamAllocationSize; 2230 WCHAR StreamName[1]; 2231 } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; 2232 2233 typedef struct _FILE_PIPE_INFORMATION { 2234 ULONG ReadMode; 2235 ULONG CompletionMode; 2236 } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; 2237 2238 2239 typedef struct _FILE_PIPE_LOCAL_INFORMATION { 2240 ULONG NamedPipeType; 2241 ULONG NamedPipeConfiguration; 2242 ULONG MaximumInstances; 2243 ULONG CurrentInstances; 2244 ULONG InboundQuota; 2245 ULONG ReadDataAvailable; 2246 ULONG OutboundQuota; 2247 ULONG WriteQuotaAvailable; 2248 ULONG NamedPipeState; 2249 ULONG NamedPipeEnd; 2250 } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; 2251 2252 2253 typedef struct _FILE_PIPE_REMOTE_INFORMATION { 2254 LARGE_INTEGER CollectDataTime; 2255 ULONG MaximumCollectionCount; 2256 } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; 2257 2258 2259 typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { 2260 ULONG MaximumMessageSize; 2261 ULONG MailslotQuota; 2262 ULONG NextMessageSize; 2263 ULONG MessagesAvailable; 2264 LARGE_INTEGER ReadTimeout; 2265 } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; 2266 2267 2268 typedef struct _FILE_MAILSLOT_SET_INFORMATION { 2269 PLARGE_INTEGER ReadTimeout; 2270 } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; 2271 2272 2273 typedef struct _FILE_COMPRESSION_INFORMATION { 2274 LARGE_INTEGER CompressedFileSize; 2275 USHORT CompressionFormat; 2276 UCHAR CompressionUnitShift; 2277 UCHAR ChunkShift; 2278 UCHAR ClusterShift; 2279 UCHAR Reserved[3]; 2280 } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; 2281 2282 2283 typedef struct _FILE_LINK_INFORMATION { 2284 BOOLEAN ReplaceIfExists; 2285 HANDLE RootDirectory; 2286 ULONG FileNameLength; 2287 WCHAR FileName[1]; 2288 } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; 2289 2290 2291 typedef struct _FILE_OBJECTID_INFORMATION 2292 { 2293 LONGLONG FileReference; 2294 UCHAR ObjectId[16]; 2295 union { 2296 struct { 2297 UCHAR BirthVolumeId[16]; 2298 UCHAR BirthObjectId[16]; 2299 UCHAR DomainId[16]; 2300 } ; 2301 UCHAR ExtendedInfo[48]; 2302 }; 2303 } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; 2304 2305 2306 typedef struct _FILE_COMPLETION_INFORMATION { 2307 HANDLE Port; 2308 PVOID Key; 2309 } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; 2310 2311 2312 typedef struct _FILE_MOVE_CLUSTER_INFORMATION { 2313 ULONG ClusterCount; 2314 HANDLE RootDirectory; 2315 ULONG FileNameLength; 2316 WCHAR FileName[1]; 2317 } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; 2318 2319 2320 typedef struct _FILE_NETWORK_OPEN_INFORMATION { 2321 LARGE_INTEGER CreationTime; 2322 LARGE_INTEGER LastAccessTime; 2323 LARGE_INTEGER LastWriteTime; 2324 LARGE_INTEGER ChangeTime; 2325 LARGE_INTEGER AllocationSize; 2326 LARGE_INTEGER EndOfFile; 2327 ULONG FileAttributes; 2328 } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; 2329 2330 2331 typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { 2332 ULONG FileAttributes; 2333 ULONG ReparseTag; 2334 } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; 2335 2336 2337 typedef struct _FILE_TRACKING_INFORMATION { 2338 HANDLE DestinationFile; 2339 ULONG ObjectInformationLength; 2340 CHAR ObjectInformation[1]; 2341 } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; 2342 2343 2344 typedef struct _FILE_REPARSE_POINT_INFORMATION { 2345 LONGLONG FileReference; 2346 ULONG Tag; 2347 } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; 2348 2349 2350 typedef struct _FILE_QUOTA_INFORMATION { 2351 ULONG NextEntryOffset; 2352 ULONG SidLength; 2353 LARGE_INTEGER ChangeTime; 2354 LARGE_INTEGER QuotaUsed; 2355 LARGE_INTEGER QuotaThreshold; 2356 LARGE_INTEGER QuotaLimit; 2357 SID Sid; 2358 } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; 2359 2360 2361 typedef struct _FILE_ID_BOTH_DIR_INFORMATION { 2362 ULONG NextEntryOffset; 2363 ULONG FileIndex; 2364 LARGE_INTEGER CreationTime; 2365 LARGE_INTEGER LastAccessTime; 2366 LARGE_INTEGER LastWriteTime; 2367 LARGE_INTEGER ChangeTime; 2368 LARGE_INTEGER EndOfFile; 2369 LARGE_INTEGER AllocationSize; 2370 ULONG FileAttributes; 2371 ULONG FileNameLength; 2372 ULONG EaSize; 2373 CCHAR ShortNameLength; 2374 WCHAR ShortName[12]; 2375 LARGE_INTEGER FileId; 2376 WCHAR FileName[1]; 2377 } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; 2378 2379 2380 typedef struct _FILE_ID_FULL_DIR_INFORMATION { 2381 ULONG NextEntryOffset; 2382 ULONG FileIndex; 2383 LARGE_INTEGER CreationTime; 2384 LARGE_INTEGER LastAccessTime; 2385 LARGE_INTEGER LastWriteTime; 2386 LARGE_INTEGER ChangeTime; 2387 LARGE_INTEGER EndOfFile; 2388 LARGE_INTEGER AllocationSize; 2389 ULONG FileAttributes; 2390 ULONG FileNameLength; 2391 ULONG EaSize; 2392 LARGE_INTEGER FileId; 2393 WCHAR FileName[1]; 2394 } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; 2395 2396 2397 typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION { 2398 LARGE_INTEGER ValidDataLength; 2399 } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; 2400 2401 // 2402 // Don‘t queue an entry to an associated completion port if returning success 2403 // synchronously. 2404 // 2405 #define FILE_SKIP_COMPLETION_PORT_ON_SUCCESS 0x1 2406 2407 // 2408 // Don‘t set the file handle event on IO completion. 2409 // 2410 #define FILE_SKIP_SET_EVENT_ON_HANDLE 0x2 2411 2412 // 2413 // Don‘t set user supplied event on successful fast-path IO completion. 2414 // 2415 #define FILE_SKIP_SET_USER_EVENT_ON_FAST_IO 0x4 2416 2417 typedef struct _FILE_IO_COMPLETION_NOTIFICATION_INFORMATION { 2418 ULONG Flags; 2419 } FILE_IO_COMPLETION_NOTIFICATION_INFORMATION, *PFILE_IO_COMPLETION_NOTIFICATION_INFORMATION; 2420 2421 2422 typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION { 2423 ULONG NumberOfProcessIdsInList; 2424 ULONG_PTR ProcessIdList[1]; 2425 } FILE_PROCESS_IDS_USING_FILE_INFORMATION, *PFILE_PROCESS_IDS_USING_FILE_INFORMATION; 2426 2427 2428 typedef struct _FILE_IOSTATUSBLOCK_RANGE_INFORMATION { 2429 PUCHAR IoStatusBlockRange; 2430 ULONG Length; 2431 } FILE_IOSTATUSBLOCK_RANGE_INFORMATION, *PFILE_IOSTATUSBLOCK_RANGE_INFORMATION; 2432 2433 2434 typedef enum _IO_PRIORITY_HINT { 2435 IoPriorityVeryLow = 0, // Winfs promotion, defragging, content indexing and other background I/Os 2436 IoPriorityLow, // Prefetching for applications. 2437 IoPriorityNormal, // Normal I/Os 2438 IoPriorityHigh, // Used by filesystems for checkpoint I/O 2439 IoPriorityCritical, // Used by memory manager. Not available for applications. 2440 MaxIoPriorityTypes 2441 } IO_PRIORITY_HINT; 2442 2443 2444 typedef struct _FILE_IO_PRIORITY_HINT_INFORMATION { 2445 IO_PRIORITY_HINT PriorityHint; 2446 } FILE_IO_PRIORITY_HINT_INFORMATION, *PFILE_IO_PRIORITY_HINT_INFORMATION; 2447 2448 2449 // 2450 // Support to reserve bandwidth for a file handle. 2451 // 2452 2453 typedef struct _FILE_SFIO_RESERVE_INFORMATION { 2454 ULONG RequestsPerPeriod; 2455 ULONG Period; 2456 BOOLEAN RetryFailures; 2457 BOOLEAN Discardable; 2458 ULONG RequestSize; 2459 ULONG NumOutstandingRequests; 2460 } FILE_SFIO_RESERVE_INFORMATION, *PFILE_SFIO_RESERVE_INFORMATION; 2461 2462 // 2463 // Support to query bandwidth properties of a volume. 2464 // 2465 2466 typedef struct _FILE_SFIO_VOLUME_INFORMATION { 2467 ULONG MaximumRequestsPerPeriod; 2468 ULONG MinimumPeriod; 2469 ULONG MinimumTransferSize; 2470 } FILE_SFIO_VOLUME_INFORMATION, *PFILE_SFIO_VOLUME_INFORMATION; 2471 2472 2473 typedef struct _FILE_LINK_ENTRY_INFORMATION { 2474 ULONG NextEntryOffset; 2475 LONGLONG ParentFileId; 2476 ULONG FileNameLength; 2477 WCHAR FileName[1]; 2478 } FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION; 2479 2480 2481 typedef struct _FILE_LINKS_INFORMATION 2482 { 2483 ULONG BytesNeeded; 2484 ULONG EntriesReturned; 2485 FILE_LINK_ENTRY_INFORMATION Entry; 2486 } FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION; 2487 2488 typedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION 2489 { 2490 ULONG NextEntryOffset; 2491 ULONG FileIndex; 2492 LARGE_INTEGER CreationTime; 2493 LARGE_INTEGER LastAccessTime; 2494 LARGE_INTEGER LastWriteTime; 2495 LARGE_INTEGER ChangeTime; 2496 LARGE_INTEGER EndOfFile; 2497 LARGE_INTEGER AllocationSize; 2498 ULONG FileAttributes; 2499 ULONG FileNameLength; 2500 LARGE_INTEGER FileId; 2501 GUID LockingTransactionId; 2502 ULONG TxInfoFlags; 2503 WCHAR FileName[1]; 2504 } FILE_ID_GLOBAL_TX_DIR_INFORMATION, *PFILE_ID_GLOBAL_TX_DIR_INFORMATION; 2505 2506 2507 typedef struct _FILE_IS_REMOTE_DEVICE_INFORMATION 2508 { 2509 BOOLEAN IsRemote; 2510 } FILE_IS_REMOTE_DEVICE_INFORMATION, *PFILE_IS_REMOTE_DEVICE_INFORMATION; 2511 2512 typedef struct _FILE_NUMA_NODE_INFORMATION { 2513 USHORT NodeNumber; 2514 } FILE_NUMA_NODE_INFORMATION, *PFILE_NUMA_NODE_INFORMATION; 2515 2516 /* 2517 typedef struct _FILE_REMOTE_PROTOCOL_INFO 2518 { 2519 USHORT StructureVersion; 2520 USHORT StructureSize; 2521 ULONG Protocol; 2522 USHORT ProtocolMajorVersion; 2523 USHORT ProtocolMinorVersion; 2524 USHORT ProtocolRevision; 2525 USHORT Reserved; 2526 ULONG Flags; 2527 struct { 2528 ULONG Reserved[8]; 2529 } GenericReserved; 2530 struct { 2531 ULONG Reserved[16]; 2532 } ProtocolSpecificReserved; 2533 } FILE_REMOTE_PROTOCOL_INFO, *PFILE_REMOTE_PROTOCOL_INFO; 2534 */ 2535 2536 typedef enum _FSINFOCLASS { 2537 FileFsVolumeInformation = 1, 2538 FileFsLabelInformation, // 0x02 2539 FileFsSizeInformation, // 0x03 2540 FileFsDeviceInformation, // 0x04 2541 FileFsAttributeInformation, // 0x05 2542 FileFsControlInformation, // 0x06 2543 FileFsFullSizeInformation, // 0x07 2544 FileFsObjectIdInformation, // 0x08 2545 FileFsDriverPathInformation, // 0x09 2546 FileFsVolumeFlagsInformation, // 0x0A 2547 FileFsMaximumInformation // 0x0B 2548 } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; 2549 2550 2551 typedef struct _FILE_FS_VOLUME_INFORMATION { 2552 LARGE_INTEGER VolumeCreationTime; 2553 ULONG VolumeSerialNumber; 2554 ULONG VolumeLabelLength; 2555 BOOLEAN SupportsObjects; 2556 WCHAR VolumeLabel[1]; 2557 } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; 2558 2559 2560 typedef struct _FILE_FS_LABEL_INFORMATION { 2561 ULONG VolumeLabelLength; 2562 WCHAR VolumeLabel[1]; 2563 } FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION; 2564 2565 2566 typedef struct _FILE_FS_SIZE_INFORMATION { 2567 LARGE_INTEGER TotalAllocationUnits; 2568 LARGE_INTEGER AvailableAllocationUnits; 2569 ULONG SectorsPerAllocationUnit; 2570 ULONG BytesPerSector; 2571 } FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION; 2572 2573 2574 typedef struct _FILE_FS_DEVICE_INFORMATION { 2575 DEVICE_TYPE DeviceType; 2576 ULONG Characteristics; 2577 } FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION; 2578 2579 2580 typedef struct _FILE_FS_ATTRIBUTE_INFORMATION { 2581 ULONG FileSystemAttributes; 2582 LONG MaximumComponentNameLength; 2583 ULONG FileSystemNameLength; 2584 WCHAR FileSystemName[1]; 2585 } FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION; 2586 2587 2588 typedef struct _FILE_FS_CONTROL_INFORMATION { 2589 LARGE_INTEGER FreeSpaceStartFiltering; 2590 LARGE_INTEGER FreeSpaceThreshold; 2591 LARGE_INTEGER FreeSpaceStopFiltering; 2592 LARGE_INTEGER DefaultQuotaThreshold; 2593 LARGE_INTEGER DefaultQuotaLimit; 2594 ULONG FileSystemControlFlags; 2595 } FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION; 2596 2597 2598 typedef struct _FILE_FS_FULL_SIZE_INFORMATION { 2599 LARGE_INTEGER TotalAllocationUnits; 2600 LARGE_INTEGER CallerAvailableAllocationUnits; 2601 LARGE_INTEGER ActualAvailableAllocationUnits; 2602 ULONG SectorsPerAllocationUnit; 2603 ULONG BytesPerSector; 2604 } FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION; 2605 2606 2607 typedef struct _FILE_FS_OBJECTID_INFORMATION { 2608 UCHAR ObjectId[16]; 2609 UCHAR ExtendedInfo[48]; 2610 } FILE_FS_OBJECTID_INFORMATION, *PFILE_FS_OBJECTID_INFORMATION; 2611 2612 2613 typedef struct _FILE_FS_DRIVER_PATH_INFORMATION { 2614 BOOLEAN DriverInPath; 2615 ULONG DriverNameLength; 2616 WCHAR DriverName[1]; 2617 } FILE_FS_DRIVER_PATH_INFORMATION, *PFILE_FS_DRIVER_PATH_INFORMATION; 2618 2619 2620 typedef struct _FILE_FS_VOLUME_FLAGS_INFORMATION { 2621 ULONG Flags; 2622 } FILE_FS_VOLUME_FLAGS_INFORMATION, *PFILE_FS_VOLUME_FLAGS_INFORMATION; 2623 2624 2625 NTSYSAPI 2626 NTSTATUS 2627 NTAPI 2628 NtCreateFile( 2629 OUT PHANDLE FileHandle, 2630 IN ACCESS_MASK DesiredAccess, 2631 IN POBJECT_ATTRIBUTES ObjectAttributes, 2632 OUT PIO_STATUS_BLOCK IoStatusBlock, 2633 IN PLARGE_INTEGER AllocationSize, 2634 IN ULONG FileAttributes, 2635 IN ULONG ShareAccess, 2636 IN ULONG CreateDisposition, 2637 IN ULONG CreateOptions, 2638 IN PVOID EaBuffer, 2639 IN ULONG EaLength); 2640 2641 2642 NTSYSAPI 2643 NTSTATUS 2644 NTAPI 2645 ZwCreateFile( 2646 OUT PHANDLE FileHandle, 2647 IN ACCESS_MASK DesiredAccess, 2648 IN POBJECT_ATTRIBUTES ObjectAttributes, 2649 OUT PIO_STATUS_BLOCK IoStatusBlock, 2650 IN PLARGE_INTEGER AllocationSize, 2651 IN ULONG FileAttributes, 2652 IN ULONG ShareAccess, 2653 IN ULONG CreateDisposition, 2654 IN ULONG CreateOptions, 2655 IN PVOID EaBuffer, 2656 IN ULONG EaLength); 2657 2658 2659 NTSYSAPI 2660 NTSTATUS 2661 NTAPI 2662 NtOpenFile( 2663 OUT PHANDLE FileHandle, 2664 IN ACCESS_MASK DesiredAccess, 2665 IN POBJECT_ATTRIBUTES ObjectAttributes, 2666 OUT PIO_STATUS_BLOCK IoStatusBlock, 2667 IN ULONG ShareAccess, 2668 IN ULONG OpenOptions 2669 ); 2670 2671 2672 NTSYSAPI 2673 NTSTATUS 2674 NTAPI 2675 ZwOpenFile( 2676 OUT PHANDLE FileHandle, 2677 IN ACCESS_MASK DesiredAccess, 2678 IN POBJECT_ATTRIBUTES ObjectAttributes, 2679 OUT PIO_STATUS_BLOCK IoStatusBlock, 2680 IN ULONG ShareAccess, 2681 IN ULONG OpenOptions 2682 ); 2683 2684 2685 NTSYSAPI 2686 NTSTATUS 2687 NTAPI 2688 NtQueryAttributesFile( 2689 IN POBJECT_ATTRIBUTES ObjectAttributes, 2690 OUT PFILE_BASIC_INFORMATION FileInformation 2691 ); 2692 2693 2694 NTSYSAPI 2695 NTSTATUS 2696 NTAPI 2697 ZwQueryAttributesFile( 2698 IN POBJECT_ATTRIBUTES ObjectAttributes, 2699 OUT PFILE_BASIC_INFORMATION FileInformation 2700 ); 2701 2702 2703 NTSYSAPI 2704 NTSTATUS 2705 NTAPI 2706 NtQueryInformationFile( 2707 IN HANDLE FileHandle, 2708 OUT PIO_STATUS_BLOCK IoStatusBlock, 2709 OUT PVOID FileInformation, 2710 IN ULONG Length, 2711 IN FILE_INFORMATION_CLASS FileInformationClass 2712 ); 2713 2714 2715 NTSYSAPI 2716 NTSTATUS 2717 NTAPI 2718 ZwQueryInformationFile( 2719 IN HANDLE FileHandle, 2720 OUT PIO_STATUS_BLOCK IoStatusBlock, 2721 OUT PVOID FileInformation, 2722 IN ULONG Length, 2723 IN FILE_INFORMATION_CLASS FileInformationClass 2724 ); 2725 2726 2727 NTSYSAPI 2728 NTSTATUS 2729 NTAPI 2730 NtQueryDirectoryFile( 2731 IN HANDLE FileHandle, 2732 IN HANDLE Event OPTIONAL, 2733 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2734 IN PVOID ApcContext OPTIONAL, 2735 OUT PIO_STATUS_BLOCK IoStatusBlock, 2736 OUT PVOID FileInformation, 2737 IN ULONG Length, 2738 IN FILE_INFORMATION_CLASS FileInformationClass, 2739 IN BOOLEAN ReturnSingleEntry, 2740 IN PUNICODE_STRING FileName OPTIONAL, 2741 IN BOOLEAN RestartScan 2742 ); 2743 2744 2745 NTSYSAPI 2746 NTSTATUS 2747 NTAPI 2748 ZwQueryDirectoryFile( 2749 IN HANDLE FileHandle, 2750 IN HANDLE Event OPTIONAL, 2751 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2752 IN PVOID ApcContext OPTIONAL, 2753 OUT PIO_STATUS_BLOCK IoStatusBlock, 2754 OUT PVOID FileInformation, 2755 IN ULONG Length, 2756 IN FILE_INFORMATION_CLASS FileInformationClass, 2757 IN BOOLEAN ReturnSingleEntry, 2758 IN PUNICODE_STRING FileName OPTIONAL, 2759 IN BOOLEAN RestartScan 2760 ); 2761 2762 2763 NTSYSAPI 2764 NTSTATUS 2765 NTAPI 2766 NtQueryVolumeInformationFile( 2767 IN HANDLE FileHandle, 2768 OUT PIO_STATUS_BLOCK IoStatusBlock, 2769 OUT PVOID FsInformation, 2770 IN ULONG Length, 2771 IN FS_INFORMATION_CLASS FsInformationClass 2772 ); 2773 2774 2775 NTSYSAPI 2776 NTSTATUS 2777 NTAPI 2778 ZwQueryVolumeInformationFile( 2779 IN HANDLE FileHandle, 2780 OUT PIO_STATUS_BLOCK IoStatusBlock, 2781 OUT PVOID FsInformation, 2782 IN ULONG Length, 2783 IN FS_INFORMATION_CLASS FsInformationClass 2784 ); 2785 2786 2787 NTSYSAPI 2788 NTSTATUS 2789 NTAPI 2790 NtSetInformationFile( 2791 IN HANDLE FileHandle, 2792 OUT PIO_STATUS_BLOCK IoStatusBlock, 2793 IN PVOID FileInformation, 2794 IN ULONG Length, 2795 IN FILE_INFORMATION_CLASS FileInformationClass 2796 ); 2797 2798 2799 NTSYSAPI 2800 NTSTATUS 2801 NTAPI 2802 ZwSetInformationFile( 2803 IN HANDLE FileHandle, 2804 OUT PIO_STATUS_BLOCK IoStatusBlock, 2805 IN PVOID FileInformation, 2806 IN ULONG Length, 2807 IN FILE_INFORMATION_CLASS FileInformationClass 2808 ); 2809 2810 2811 NTSYSAPI 2812 NTSTATUS 2813 NTAPI 2814 NtSetVolumeInformationFile( 2815 IN HANDLE FileHandle, 2816 OUT PIO_STATUS_BLOCK IoStatusBlock, 2817 OUT PVOID FsInformation, 2818 IN ULONG Length, 2819 IN FS_INFORMATION_CLASS FsInformationClass 2820 ); 2821 2822 2823 NTSYSAPI 2824 NTSTATUS 2825 NTAPI 2826 ZwSetVolumeInformationFile( 2827 IN HANDLE FileHandle, 2828 OUT PIO_STATUS_BLOCK IoStatusBlock, 2829 OUT PVOID FsInformation, 2830 IN ULONG Length, 2831 IN FS_INFORMATION_CLASS FsInformationClass 2832 ); 2833 2834 2835 NTSYSAPI 2836 NTSTATUS 2837 NTAPI 2838 NtQueryEaFile( 2839 IN HANDLE FileHandle, 2840 OUT PIO_STATUS_BLOCK IoStatusBlock, 2841 OUT PVOID Buffer, 2842 IN ULONG Length, 2843 IN BOOLEAN ReturnSingleEntry, 2844 IN PVOID EaList OPTIONAL, 2845 IN ULONG EaListLength, 2846 IN PULONG EaIndex OPTIONAL, 2847 IN BOOLEAN RestartScan); 2848 2849 2850 NTSYSAPI 2851 NTSTATUS 2852 NTAPI 2853 ZwQueryEaFile( 2854 IN HANDLE FileHandle, 2855 OUT PIO_STATUS_BLOCK IoStatusBlock, 2856 OUT PVOID Buffer, 2857 IN ULONG Length, 2858 IN BOOLEAN ReturnSingleEntry, 2859 IN PVOID EaList OPTIONAL, 2860 IN ULONG EaListLength, 2861 IN PULONG EaIndex OPTIONAL, 2862 IN BOOLEAN RestartScan); 2863 2864 2865 NTSYSAPI 2866 NTSTATUS 2867 NTAPI 2868 NtSetEaFile( 2869 IN HANDLE FileHandle, 2870 OUT PIO_STATUS_BLOCK IoStatusBlock, 2871 IN PVOID Buffer, 2872 IN ULONG Length); 2873 2874 2875 NTSYSAPI 2876 NTSTATUS 2877 NTAPI 2878 ZwSetEaFile( 2879 IN HANDLE FileHandle, 2880 OUT PIO_STATUS_BLOCK IoStatusBlock, 2881 IN PVOID Buffer, 2882 IN ULONG Length); 2883 2884 2885 NTSYSAPI 2886 NTSTATUS 2887 NTAPI 2888 NtReadFile( 2889 IN HANDLE FileHandle, 2890 IN HANDLE Event OPTIONAL, 2891 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2892 IN PVOID ApcContext OPTIONAL, 2893 OUT PIO_STATUS_BLOCK IoStatusBlock, 2894 OUT PVOID Buffer, 2895 IN ULONG Length, 2896 IN PLARGE_INTEGER ByteOffset OPTIONAL, 2897 IN PULONG Key OPTIONAL 2898 ); 2899 2900 2901 NTSYSAPI 2902 NTSTATUS 2903 NTAPI 2904 ZwReadFile( 2905 IN HANDLE FileHandle, 2906 IN HANDLE Event OPTIONAL, 2907 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2908 IN PVOID ApcContext OPTIONAL, 2909 OUT PIO_STATUS_BLOCK IoStatusBlock, 2910 OUT PVOID Buffer, 2911 IN ULONG Length, 2912 IN PLARGE_INTEGER ByteOffset OPTIONAL, 2913 IN PULONG Key OPTIONAL 2914 ); 2915 2916 2917 NTSYSAPI 2918 NTSTATUS 2919 NTAPI 2920 NtWriteFile( 2921 IN HANDLE FileHandle, 2922 IN HANDLE Event OPTIONAL, 2923 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2924 IN PVOID ApcContext OPTIONAL, 2925 OUT PIO_STATUS_BLOCK IoStatusBlock, 2926 IN PVOID Buffer, 2927 IN ULONG Length, 2928 IN PLARGE_INTEGER ByteOffset OPTIONAL, 2929 IN PULONG Key OPTIONAL 2930 ); 2931 2932 2933 NTSYSAPI 2934 NTSTATUS 2935 NTAPI 2936 ZwWriteFile( 2937 IN HANDLE FileHandle, 2938 IN HANDLE Event OPTIONAL, 2939 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2940 IN PVOID ApcContext OPTIONAL, 2941 OUT PIO_STATUS_BLOCK IoStatusBlock, 2942 IN PVOID Buffer, 2943 IN ULONG Length, 2944 IN PLARGE_INTEGER ByteOffset OPTIONAL, 2945 IN PULONG Key OPTIONAL 2946 ); 2947 2948 2949 NTSYSAPI 2950 NTSTATUS 2951 NTAPI 2952 NtDeleteFile( 2953 IN POBJECT_ATTRIBUTES ObjectAttributes 2954 ); 2955 2956 2957 NTSYSAPI 2958 NTSTATUS 2959 NTAPI 2960 ZwDeleteFile( 2961 IN POBJECT_ATTRIBUTES ObjectAttributes 2962 ); 2963 2964 2965 NTSYSAPI 2966 NTSTATUS 2967 NTAPI 2968 NtFlushBuffersFile( 2969 IN HANDLE FileHandle, 2970 OUT PIO_STATUS_BLOCK IoStatusBlock 2971 ); 2972 2973 2974 NTSYSAPI 2975 NTSTATUS 2976 NTAPI 2977 ZwFlushBuffersFile( 2978 IN HANDLE FileHandle, 2979 OUT PIO_STATUS_BLOCK IoStatusBlock 2980 ); 2981 2982 2983 NTSYSAPI 2984 NTSTATUS 2985 NTAPI 2986 NtDeviceIoControlFile( 2987 IN HANDLE FileHandle, 2988 IN HANDLE Event, 2989 IN PIO_APC_ROUTINE ApcRoutine, 2990 IN PVOID ApcContext, 2991 OUT PIO_STATUS_BLOCK IoStatusBlock, 2992 IN ULONG IoControlCode, 2993 IN PVOID InputBuffer, 2994 IN ULONG InputBufferLength, 2995 IN PVOID OutputBuffer, 2996 IN ULONG OutputBufferLength 2997 ); 2998 2999 3000 NTSYSAPI 3001 NTSTATUS 3002 NTAPI 3003 ZwDeviceIoControlFile( 3004 IN HANDLE FileHandle, 3005 IN HANDLE Event, 3006 IN PIO_APC_ROUTINE ApcRoutine, 3007 IN PVOID ApcContext, 3008 OUT PIO_STATUS_BLOCK IoStatusBlock, 3009 IN ULONG IoControlCode, 3010 IN PVOID InputBuffer, 3011 IN ULONG InputBufferLength, 3012 IN PVOID OutputBuffer, 3013 IN ULONG OutputBufferLength 3014 ); 3015 3016 3017 NTSYSAPI 3018 NTSTATUS 3019 NTAPI 3020 NtFsControlFile( 3021 IN HANDLE FileHandle, 3022 IN HANDLE Event, 3023 IN PIO_APC_ROUTINE ApcRoutine, 3024 IN PVOID ApcContext, 3025 OUT PIO_STATUS_BLOCK IoStatusBlock, 3026 IN ULONG FsControlCode, 3027 IN PVOID InputBuffer, 3028 IN ULONG InputBufferLength, 3029 IN PVOID OutputBuffer, 3030 IN ULONG OutputBufferLength 3031 ); 3032 3033 3034 NTSYSAPI 3035 NTSTATUS 3036 NTAPI 3037 ZwFsControlFile( 3038 IN HANDLE FileHandle, 3039 IN HANDLE Event, 3040 IN PIO_APC_ROUTINE ApcRoutine, 3041 IN PVOID ApcContext, 3042 OUT PIO_STATUS_BLOCK IoStatusBlock, 3043 IN ULONG FsControlCode, 3044 IN PVOID InputBuffer, 3045 IN ULONG InputBufferLength, 3046 IN PVOID OutputBuffer, 3047 IN ULONG OutputBufferLength 3048 ); 3049 3050 3051 NTSYSAPI 3052 NTSTATUS 3053 NTAPI 3054 NtCancelIoFile( 3055 IN HANDLE Filehandle, 3056 OUT PIO_STATUS_BLOCK IoStatusBlock 3057 ); 3058 3059 3060 NTSYSAPI 3061 NTSTATUS 3062 NTAPI 3063 ZwCancelIoFile( 3064 IN HANDLE Filehandle, 3065 OUT PIO_STATUS_BLOCK IoStatusBlock 3066 ); 3067 3068 3069 NTSYSAPI 3070 NTSTATUS 3071 NTAPI 3072 NtLockFile( 3073 IN HANDLE FileHandle, 3074 IN HANDLE Event OPTIONAL, 3075 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3076 IN PVOID ApcContext OPTIONAL, 3077 OUT PIO_STATUS_BLOCK IoStatusBlock, 3078 IN PLARGE_INTEGER ByteOffset, 3079 IN PLARGE_INTEGER Length, 3080 IN ULONG Key, 3081 IN BOOLEAN FailImmediately, 3082 IN BOOLEAN ExclusiveLock 3083 ); 3084 3085 3086 NTSYSAPI 3087 NTSTATUS 3088 NTAPI 3089 ZwLockFile( 3090 IN HANDLE FileHandle, 3091 IN HANDLE Event OPTIONAL, 3092 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3093 IN PVOID ApcContext OPTIONAL, 3094 OUT PIO_STATUS_BLOCK IoStatusBlock, 3095 IN PLARGE_INTEGER ByteOffset, 3096 IN PLARGE_INTEGER Length, 3097 IN ULONG Key, 3098 IN BOOLEAN FailImmediately, 3099 IN BOOLEAN ExclusiveLock 3100 ); 3101 3102 3103 NTSTATUS 3104 NtUnlockFile( 3105 IN HANDLE FileHandle, 3106 OUT PIO_STATUS_BLOCK IoStatusBlock, 3107 IN PLARGE_INTEGER ByteOffset, 3108 IN PLARGE_INTEGER Length, 3109 IN ULONG Key 3110 ); 3111 3112 3113 NTSTATUS 3114 ZwUnlockFile( 3115 IN HANDLE FileHandle, 3116 OUT PIO_STATUS_BLOCK IoStatusBlock, 3117 IN PLARGE_INTEGER ByteOffset, 3118 IN PLARGE_INTEGER Length, 3119 IN ULONG Key 3120 ); 3121 3122 3123 NTSYSAPI 3124 BOOLEAN 3125 NTAPI 3126 RtlDosPathNameToNtPathName_U ( 3127 IN PWSTR DosPathName, 3128 OUT PUNICODE_STRING NtPathName, 3129 OUT PWSTR * NtFileNamePart OPTIONAL, 3130 OUT PCURDIR DirectoryInfo OPTIONAL 3131 ); 3132 3133 3134 //----------------------------------------------------------------------------- 3135 // Process functions 3136 3137 #define GDI_HANDLE_BUFFER_SIZE 34 3138 3139 // For ProcessExecuteFlags 3140 #define MEM_EXECUTE_OPTION_DISABLE 0x01 3141 #define MEM_EXECUTE_OPTION_ENABLE 0x02 3142 #define MEM_EXECUTE_OPTION_PERMANENT 0x08 3143 3144 // 3145 // Process Information Classes 3146 // 3147 3148 typedef enum _PROCESSINFOCLASS { 3149 ProcessBasicInformation, // 0x00 3150 ProcessQuotaLimits, // 0x01 3151 ProcessIoCounters, // 0x02 3152 ProcessVmCounters, // 0x03 3153 ProcessTimes, // 0x04 3154 ProcessBasePriority, // 0x05 3155 ProcessRaisePriority, // 0x06 3156 ProcessDebugPort, // 0x07 3157 ProcessExceptionPort, // 0x08 3158 ProcessAccessToken, // 0x09 3159 ProcessLdtInformation, // 0x0A 3160 ProcessLdtSize, // 0x0B 3161 ProcessDefaultHardErrorMode, // 0x0C 3162 ProcessIoPortHandlers, // 0x0D Note: this is kernel mode only 3163 ProcessPooledUsageAndLimits, // 0x0E 3164 ProcessWorkingSetWatch, // 0x0F 3165 ProcessUserModeIOPL, // 0x10 3166 ProcessEnableAlignmentFaultFixup, // 0x11 3167 ProcessPriorityClass, // 0x12 3168 ProcessWx86Information, // 0x13 3169 ProcessHandleCount, // 0x14 3170 ProcessAffinityMask, // 0x15 3171 ProcessPriorityBoost, // 0x16 3172 ProcessDeviceMap, // 0x17 3173 ProcessSessionInformation, // 0x18 3174 ProcessForegroundInformation, // 0x19 3175 ProcessWow64Information, // 0x1A 3176 ProcessImageFileName, // 0x1B 3177 ProcessLUIDDeviceMapsEnabled, // 0x1C 3178 ProcessBreakOnTermination, // 0x1D 3179 ProcessDebugObjectHandle, // 0x1E 3180 ProcessDebugFlags, // 0x1F 3181 ProcessHandleTracing, // 0x20 3182 ProcessIoPriority, // 0x21 3183 ProcessExecuteFlags, // 0x22 3184 ProcessTlsInformation, 3185 ProcessCookie, 3186 ProcessImageInformation, 3187 ProcessCycleTime, 3188 ProcessPagePriority, 3189 ProcessInstrumentationCallback, 3190 ProcessThreadStackAllocation, 3191 ProcessWorkingSetWatchEx, 3192 ProcessImageFileNameWin32, 3193 ProcessImageFileMapping, 3194 ProcessAffinityUpdateMode, 3195 ProcessMemoryAllocationMode, 3196 ProcessGroupInformation, 3197 ProcessTokenVirtualizationEnabled, 3198 ProcessConsoleHostProcess, 3199 ProcessWindowInformation, 3200 MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum 3201 } PROCESSINFOCLASS; 3202 3203 // 3204 // Thread Information Classes 3205 // 3206 3207 typedef enum _THREADINFOCLASS { 3208 ThreadBasicInformation, // 0x00 3209 ThreadTimes, // 0x01 3210 ThreadPriority, // 0x02 3211 ThreadBasePriority, // 0x03 3212 ThreadAffinityMask, // 0x04 3213 ThreadImpersonationToken, // 0x05 HANDLE 3214 ThreadDescriptorTableEntry, // 0x06 ULONG Selector + LDT_ENTRY 3215 ThreadEnableAlignmentFaultFixup, // 0x07 3216 ThreadEventPair, // 0x08 3217 ThreadQuerySetWin32StartAddress, // 0x09 3218 ThreadZeroTlsCell, // 0x0A 3219 ThreadPerformanceCount, // 0x0B 3220 ThreadAmILastThread, // 0x0C ULONG 3221 ThreadIdealProcessor, // 0x0D 3222 ThreadPriorityBoost, // 0x0E 3223 ThreadSetTlsArrayAddress, // 0x0F 3224 MaxThreadInfoClass 3225 } THREADINFOCLASS; 3226 3227 3228 typedef struct _RTL_DRIVE_LETTER_CURDIR 3229 { 3230 USHORT Flags; 3231 USHORT Length; 3232 ULONG TimeStamp; 3233 STRING DosPath; 3234 3235 } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 3236 3237 3238 typedef struct _SECTION_IMAGE_INFORMATION 3239 { 3240 PVOID TransferAddress; 3241 ULONG ZeroBits; 3242 ULONG_PTR MaximumStackSize; 3243 ULONG_PTR CommittedStackSize; 3244 ULONG SubSystemType; 3245 union _SECTION_IMAGE_INFORMATION_u0 3246 { 3247 struct _SECTION_IMAGE_INFORMATION_s0 3248 { 3249 USHORT SubSystemMinorVersion; 3250 USHORT SubSystemMajorVersion; 3251 }; 3252 ULONG SubSystemVersion; 3253 }; 3254 ULONG GpValue; 3255 USHORT ImageCharacteristics; 3256 USHORT DllCharacteristics; 3257 USHORT Machine; 3258 BOOLEAN ImageContainsCode; 3259 BOOLEAN Spare1; 3260 ULONG LoaderFlags; 3261 ULONG Reserved[2]; 3262 3263 } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; 3264 3265 3266 typedef struct _RTL_USER_PROCESS_INFORMATION 3267 { 3268 ULONG Length; 3269 HANDLE ProcessHandle; 3270 HANDLE ThreadHandle; 3271 CLIENT_ID ClientId; 3272 SECTION_IMAGE_INFORMATION ImageInformation; 3273 3274 } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; 3275 3276 3277 typedef struct _RTL_USER_PROCESS_PARAMETERS 3278 { 3279 ULONG MaximumLength; // Should be set before call RtlCreateProcessParameters 3280 ULONG Length; // Length of valid structure 3281 ULONG Flags; // Currently only PPF_NORMALIZED (1) is known: 3282 // - Means that structure is normalized by call RtlNormalizeProcessParameters 3283 ULONG DebugFlags; 3284 3285 PVOID ConsoleHandle; // HWND to console window associated with process (if any). 3286 ULONG ConsoleFlags; 3287 HANDLE StandardInput; 3288 HANDLE StandardOutput; 3289 HANDLE StandardError; 3290 3291 CURDIR CurrentDirectory; // Specified in DOS-like symbolic link path, ex: "C:/WinNT/SYSTEM32" 3292 UNICODE_STRING DllPath; // DOS-like paths separated by ‘;‘ where system should search for DLL files. 3293 UNICODE_STRING ImagePathName; // Full path in DOS-like format to process‘es file image. 3294 UNICODE_STRING CommandLine; // Command line 3295 PVOID Environment; // Pointer to environment block (see RtlCreateEnvironment) 3296 ULONG StartingX; 3297 ULONG StartingY; 3298 ULONG CountX; 3299 ULONG CountY; 3300 ULONG CountCharsX; 3301 ULONG CountCharsY; 3302 ULONG FillAttribute; // Fill attribute for console window 3303 ULONG WindowFlags; 3304 ULONG ShowWindowFlags; 3305 UNICODE_STRING WindowTitle; 3306 UNICODE_STRING DesktopInfo; // Name of WindowStation and Desktop objects, where process is assigned 3307 UNICODE_STRING ShellInfo; 3308 UNICODE_STRING RuntimeData; 3309 RTL_DRIVE_LETTER_CURDIR CurrentDirectores[0x20]; 3310 3311 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 3312 3313 // 3314 // Process Environment Block 3315 // 3316 3317 typedef struct _PEB_FREE_BLOCK 3318 { 3319 struct _PEB_FREE_BLOCK *Next; 3320 ULONG Size; 3321 3322 } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; 3323 3324 3325 typedef struct _PEB_LDR_DATA 3326 { 3327 ULONG Length; 3328 BOOLEAN Initialized; 3329 HANDLE SsHandle; 3330 LIST_ENTRY InLoadOrderModuleList; // Points to the loaded modules (main EXE usually) 3331 LIST_ENTRY InMemoryOrderModuleList; // Points to all modules (EXE and all DLLs) 3332 LIST_ENTRY InInitializationOrderModuleList; 3333 PVOID EntryInProgress; 3334 3335 } PEB_LDR_DATA, *PPEB_LDR_DATA; 3336 3337 3338 typedef struct _LDR_DATA_TABLE_ENTRY 3339 { 3340 LIST_ENTRY InLoadOrderLinks; 3341 LIST_ENTRY InMemoryOrderLinks; 3342 LIST_ENTRY InInitializationOrderLinks; 3343 PVOID DllBase; // Base address of the module 3344 PVOID EntryPoint; 3345 ULONG SizeOfImage; 3346 UNICODE_STRING FullDllName; 3347 UNICODE_STRING BaseDllName; 3348 ULONG Flags; 3349 USHORT LoadCount; 3350 USHORT TlsIndex; 3351 LIST_ENTRY HashLinks; 3352 PVOID SectionPointer; 3353 ULONG CheckSum; 3354 ULONG TimeDateStamp; 3355 PVOID LoadedImports; 3356 PVOID EntryPointActivationContext; 3357 PVOID PatchInformation; 3358 PVOID Unknown1; 3359 PVOID Unknown2; 3360 PVOID Unknown3; 3361 3362 } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 3363 3364 3365 typedef struct _PEB 3366 { 3367 BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the 3368 BOOLEAN ReadImageFileExecOptions; // 3369 BOOLEAN BeingDebugged; // 3370 BOOLEAN SpareBool; // 3371 HANDLE Mutant; // INITIAL_PEB structure is also updated. 3372 3373 PVOID ImageBaseAddress; 3374 PPEB_LDR_DATA Ldr; 3375 PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 3376 PVOID SubSystemData; 3377 PVOID ProcessHeap; 3378 PVOID FastPebLock; 3379 PVOID FastPebLockRoutine; 3380 PVOID FastPebUnlockRoutine; 3381 ULONG EnvironmentUpdateCount; 3382 PVOID KernelCallbackTable; 3383 HANDLE SystemReserved; 3384 PVOID AtlThunkSListPtr32; 3385 PPEB_FREE_BLOCK FreeList; 3386 ULONG TlsExpansionCounter; 3387 PVOID TlsBitmap; 3388 ULONG TlsBitmapBits[2]; // relates to TLS_MINIMUM_AVAILABLE 3389 PVOID ReadOnlySharedMemoryBase; 3390 PVOID ReadOnlySharedMemoryHeap; 3391 PVOID *ReadOnlyStaticServerData; 3392 PVOID AnsiCodePageData; 3393 PVOID OemCodePageData; 3394 PVOID UnicodeCaseTableData; 3395 3396 // 3397 // Useful information for LdrpInitialize 3398 3399 ULONG NumberOfProcessors; 3400 ULONG NtGlobalFlag; 3401 3402 // 3403 // Passed up from MmCreatePeb from Session Manager registry key 3404 // 3405 3406 LARGE_INTEGER CriticalSectionTimeout; 3407 ULONG HeapSegmentReserve; 3408 ULONG HeapSegmentCommit; 3409 ULONG HeapDeCommitTotalFreeThreshold; 3410 ULONG HeapDeCommitFreeBlockThreshold; 3411 3412 // 3413 // Where heap manager keeps track of all heaps created for a process 3414 // Fields initialized by MmCreatePeb. ProcessHeaps is initialized 3415 // to point to the first free byte after the PEB and MaximumNumberOfHeaps 3416 // is computed from the page size used to hold the PEB, less the fixed 3417 // size of this data structure. 3418 // 3419 3420 ULONG NumberOfHeaps; 3421 ULONG MaximumNumberOfHeaps; 3422 PVOID *ProcessHeaps; 3423 3424 // 3425 // 3426 PVOID GdiSharedHandleTable; 3427 PVOID ProcessStarterHelper; 3428 PVOID GdiDCAttributeList; 3429 PVOID LoaderLock; 3430 3431 // 3432 // Following fields filled in by MmCreatePeb from system values and/or 3433 // image header. These fields have changed since Windows NT 4.0, 3434 // so use with caution 3435 // 3436 3437 ULONG OSMajorVersion; 3438 ULONG OSMinorVersion; 3439 USHORT OSBuildNumber; 3440 USHORT OSCSDVersion; 3441 ULONG OSPlatformId; 3442 ULONG ImageSubsystem; 3443 ULONG ImageSubsystemMajorVersion; 3444 ULONG ImageSubsystemMinorVersion; 3445 ULONG ImageProcessAffinityMask; 3446 ULONG GdiHandleBuffer[GDI_HANDLE_BUFFER_SIZE]; 3447 3448 } PEB, *PPEB; 3449 3450 3451 // 3452 // Thread environment block 3453 // 3454 3455 typedef struct _TEB 3456 { 3457 NT_TIB NtTib; 3458 PVOID EnvironmentPointer; 3459 CLIENT_ID ClientId; 3460 PVOID ActiveRpcHandle; 3461 PVOID ThreadLocalStoragePointer; 3462 PPEB ProcessEnvironmentBlock; 3463 ULONG LastErrorValue; 3464 ULONG CountOfOwnedCriticalSections; 3465 PVOID CsrClientThread; 3466 PVOID Win32ThreadInfo; 3467 // Incomplete 3468 3469 } TEB, *PTEB; 3470 3471 3472 typedef struct _PROCESS_BASIC_INFORMATION 3473 { 3474 NTSTATUS ExitStatus; 3475 PPEB PebBaseAddress; 3476 ULONG_PTR AffinityMask; 3477 KPRIORITY BasePriority; 3478 ULONG_PTR UniqueProcessId; 3479 ULONG_PTR InheritedFromUniqueProcessId; 3480 3481 } PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION; 3482 3483 3484 typedef VOID (NTAPI *PUSER_THREAD_START_ROUTINE)(IN PVOID ApcArgument1); 3485 3486 #define SE_BACKUP_PRIVILEGE 0x11 3487 #define SE_RESTORE_PRIVILEGE 0x12 3488 #define SE_SHUTDOWN_PRIVILEGE 0x13 3489 #define SE_DEBUG_PRIVILEGE 0x14 3490 3491 NTSYSAPI 3492 NTSTATUS 3493 NTAPI 3494 RtlAdjustPrivilege( 3495 ULONG Privilege, 3496 BOOLEAN Enable, 3497 BOOLEAN CurrentThread, 3498 PBOOLEAN Enabled 3499 ); 3500 3501 3502 NTSYSAPI 3503 NTSTATUS 3504 NTAPI 3505 RtlCreateProcessParameters( 3506 PRTL_USER_PROCESS_PARAMETERS *ProcessParameters, 3507 PUNICODE_STRING ImagePathName, 3508 PUNICODE_STRING DllPath, 3509 PUNICODE_STRING CurrentDirectory, 3510 PUNICODE_STRING CommandLine, 3511 PVOID Environment, 3512 PUNICODE_STRING WindowTitle, 3513 PUNICODE_STRING DesktopInfo, 3514 PUNICODE_STRING ShellInfo, 3515 PUNICODE_STRING RuntimeData 3516 ); 3517 3518 3519 NTSYSAPI 3520 NTSTATUS 3521 NTAPI 3522 RtlDestroyProcessParameters( 3523 PRTL_USER_PROCESS_PARAMETERS ProcessParameters 3524 ); 3525 3526 3527 NTSYSAPI 3528 NTSTATUS 3529 NTAPI 3530 RtlCreateUserProcess( 3531 PUNICODE_STRING NtImagePathName, 3532 ULONG Attributes, 3533 PRTL_USER_PROCESS_PARAMETERS ProcessParameters, 3534 PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, 3535 PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, 3536 HANDLE ParentProcess, 3537 BOOLEAN InheritHandles, 3538 HANDLE DebugPort, 3539 HANDLE ExceptionPort, 3540 PRTL_USER_PROCESS_INFORMATION ProcessInformation 3541 ); 3542 3543 3544 NTSYSAPI 3545 NTSTATUS 3546 NTAPI 3547 RtlCreateUserThread( 3548 IN HANDLE Process, 3549 IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL, 3550 IN BOOLEAN CreateSuspended, 3551 IN ULONG_PTR ZeroBits OPTIONAL, 3552 IN SIZE_T MaximumStackSize OPTIONAL, 3553 IN SIZE_T CommittedStackSize OPTIONAL, 3554 IN PUSER_THREAD_START_ROUTINE StartAddress, 3555 IN PVOID Parameter OPTIONAL, 3556 OUT PHANDLE Thread OPTIONAL, 3557 OUT PCLIENT_ID ClientId OPTIONAL 3558 ); 3559 3560 3561 #define NtCurrentProcess() ((HANDLE) -1) 3562 #define NtCurrentThread() ((HANDLE) -2) 3563 #define NtCurrentPeb() (PPEB)(NtCurrentTeb()->ProcessEnvironmentBlock) 3564 3565 3566 NTSYSAPI 3567 NTSTATUS 3568 NTAPI 3569 NtCreateProcess( 3570 OUT PHANDLE ProcessHandle, 3571 IN ACCESS_MASK DesiredAccess, 3572 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3573 IN HANDLE ParentProcess, 3574 IN BOOLEAN InheritObjectTable, 3575 IN HANDLE SectionHandle OPTIONAL, 3576 IN HANDLE DebugPort OPTIONAL, 3577 IN HANDLE ExceptionPort OPTIONAL 3578 ); 3579 3580 NTSYSAPI 3581 NTSTATUS 3582 NTAPI 3583 ZwCreateProcess( 3584 OUT PHANDLE ProcessHandle, 3585 IN ACCESS_MASK DesiredAccess, 3586 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3587 IN HANDLE ParentProcess, 3588 IN BOOLEAN InheritObjectTable, 3589 IN HANDLE SectionHandle OPTIONAL, 3590 IN HANDLE DebugPort OPTIONAL, 3591 IN HANDLE ExceptionPort OPTIONAL 3592 ); 3593 3594 NTSYSAPI 3595 NTSTATUS 3596 NTAPI 3597 NtOpenProcess ( 3598 OUT PHANDLE ProcessHandle, 3599 IN ACCESS_MASK DesiredAccess, 3600 IN POBJECT_ATTRIBUTES ObjectAttributes, 3601 IN PCLIENT_ID ClientId OPTIONAL 3602 ); 3603 3604 NTSYSAPI 3605 NTSTATUS 3606 NTAPI 3607 ZwOpenProcess ( 3608 OUT PHANDLE ProcessHandle, 3609 IN ACCESS_MASK DesiredAccess, 3610 IN POBJECT_ATTRIBUTES ObjectAttributes, 3611 IN PCLIENT_ID ClientId OPTIONAL 3612 ); 3613 3614 NTSYSAPI 3615 NTSTATUS 3616 NTAPI 3617 NtOpenThread ( 3618 OUT PHANDLE ThreadHandle, 3619 IN ACCESS_MASK DesiredAccess, 3620 IN POBJECT_ATTRIBUTES ObjectAttributes, 3621 IN PCLIENT_ID ClientId OPTIONAL 3622 ); 3623 3624 NTSYSAPI 3625 NTSTATUS 3626 NTAPI 3627 ZwOpenThread ( 3628 OUT PHANDLE ThreadHandle, 3629 IN ACCESS_MASK DesiredAccess, 3630 IN POBJECT_ATTRIBUTES ObjectAttributes, 3631 IN PCLIENT_ID ClientId OPTIONAL 3632 ); 3633 3634 NTSYSAPI 3635 NTSTATUS 3636 NTAPI 3637 NtQueryInformationProcess( 3638 IN HANDLE ProcessHandle, 3639 IN PROCESSINFOCLASS ProcessInformationClass, 3640 OUT PVOID ProcessInformation, 3641 IN ULONG ProcessInformationLength, 3642 OUT PULONG ReturnLength OPTIONAL 3643 ); 3644 3645 NTSYSAPI 3646 NTSTATUS 3647 NTAPI 3648 ZwQueryInformationProcess( 3649 IN HANDLE ProcessHandle, 3650 IN PROCESSINFOCLASS ProcessInformationClass, 3651 OUT PVOID ProcessInformation, 3652 IN ULONG ProcessInformationLength, 3653 OUT PULONG ReturnLength OPTIONAL 3654 ); 3655 3656 NTSYSAPI 3657 NTSTATUS 3658 NTAPI 3659 NtQueryInformationThread( 3660 IN HANDLE ThreadHandle, 3661 IN THREADINFOCLASS ThreadInformationClass, 3662 OUT PVOID ThreadInformation, 3663 IN ULONG ThreadInformationLength, 3664 OUT PULONG ReturnLength OPTIONAL 3665 ); 3666 3667 NTSYSAPI 3668 NTSTATUS 3669 NTAPI 3670 ZwQueryInformationThread( 3671 IN HANDLE ThreadHandle, 3672 IN THREADINFOCLASS ThreadInformationClass, 3673 OUT PVOID ThreadInformation, 3674 IN ULONG ThreadInformationLength, 3675 OUT PULONG ReturnLength OPTIONAL 3676 ); 3677 3678 NTSYSAPI 3679 NTSTATUS 3680 NTAPI 3681 NtSetInformationProcess ( 3682 IN HANDLE ProcessHandle, 3683 IN PROCESSINFOCLASS ProcessInformationClass, 3684 IN PVOID ProcessInformation, 3685 IN ULONG ProcessInformationLength 3686 ); 3687 3688 NTSYSAPI 3689 NTSTATUS 3690 NTAPI 3691 ZwSetInformationProcess( 3692 IN HANDLE ProcessHandle, 3693 IN PROCESSINFOCLASS ProcessInformationClass, 3694 IN PVOID ProcessInformation, 3695 IN ULONG ProcessInformationLength 3696 ); 3697 3698 NTSYSAPI 3699 NTSTATUS 3700 NTAPI 3701 NtSuspendProcess( 3702 IN HANDLE Process 3703 ); 3704 3705 NTSYSAPI 3706 NTSTATUS 3707 NTAPI 3708 NtResumeProcess( 3709 IN HANDLE Process 3710 ); 3711 3712 NTSYSAPI 3713 NTSTATUS 3714 NTAPI 3715 NtSuspendThread( 3716 IN HANDLE ThreadHandle, 3717 OUT PULONG PreviousSuspendCount OPTIONAL 3718 ); 3719 3720 NTSYSAPI 3721 NTSTATUS 3722 NTAPI 3723 NtResumeThread( 3724 IN HANDLE ThreadHandle, 3725 OUT PULONG PreviousSuspendCount OPTIONAL 3726 ); 3727 3728 NTSYSAPI 3729 NTSTATUS 3730 NTAPI 3731 NtTerminateThread( 3732 HANDLE Thread, 3733 NTSTATUS ExitStatus 3734 ); 3735 3736 3737 NTSYSAPI 3738 NTSTATUS 3739 NTAPI 3740 ZwTerminateThread( 3741 HANDLE Thread, 3742 NTSTATUS ExitStatus 3743 ); 3744 3745 3746 NTSYSAPI 3747 NTSTATUS 3748 NTAPI 3749 NtTerminateProcess( 3750 HANDLE Process, 3751 NTSTATUS ExitStatus 3752 ); 3753 3754 3755 NTSYSAPI 3756 NTSTATUS 3757 NTAPI 3758 ZwTerminateProcess( 3759 HANDLE Process, 3760 NTSTATUS ExitStatus 3761 ); 3762 3763 //------------------------------------------------------------------------------ 3764 // LPC Functions 3765 3766 #define MAX_LPC_DATA 0x130 // Maximum number of bytes that can be copied through LPC 3767 3768 // Valid values for PORT_MESSAGE::u2::s2::Type 3769 #define LPC_REQUEST 1 3770 #define LPC_REPLY 2 3771 #define LPC_DATAGRAM 3 3772 #define LPC_LOST_REPLY 4 3773 #define LPC_PORT_CLOSED 5 3774 #define LPC_CLIENT_DIED 6 3775 #define LPC_EXCEPTION 7 3776 #define LPC_DEBUG_EVENT 8 3777 #define LPC_ERROR_EVENT 9 3778 #define LPC_CONNECTION_REQUEST 10 3779 3780 #define ALPC_REQUEST 0x2000 | LPC_REQUEST 3781 #define ALPC_CONNECTION_REQUEST 0x2000 | LPC_CONNECTION_REQUEST 3782 3783 3784 // 3785 // Define header for Port Message 3786 // 3787 3788 typedef struct _PORT_MESSAGE 3789 { 3790 union 3791 { 3792 struct 3793 { 3794 USHORT DataLength; // Length of data following the header (bytes) 3795 USHORT TotalLength; // Length of data + sizeof(PORT_MESSAGE) 3796 } s1; 3797 ULONG Length; 3798 } u1; 3799 3800 union 3801 { 3802 struct 3803 { 3804 USHORT Type; 3805 USHORT DataInfoOffset; 3806 } s2; 3807 ULONG ZeroInit; 3808 } u2; 3809 3810 union 3811 { 3812 CLIENT_ID ClientId; 3813 double DoNotUseThisField; // Force quadword alignment 3814 }; 3815 3816 ULONG MessageId; // Identifier of the particular message instance 3817 3818 union 3819 { 3820 ULONG_PTR ClientViewSize; // Size of section created by the sender (in bytes) 3821 ULONG CallbackId; // 3822 }; 3823 3824 } PORT_MESSAGE, *PPORT_MESSAGE; 3825 3826 // 3827 // Define structure for initializing shared memory on the caller‘s side of the port 3828 // 3829 3830 typedef struct _PORT_VIEW { 3831 3832 ULONG Length; // Size of this structure 3833 HANDLE SectionHandle; // Handle to section object with 3834 // SECTION_MAP_WRITE and SECTION_MAP_READ 3835 ULONG SectionOffset; // The offset in the section to map a view for 3836 // the port data area. The offset must be aligned 3837 // with the allocation granularity of the system. 3838 SIZE_T ViewSize; // The size of the view (in bytes) 3839 PVOID ViewBase; // The base address of the view in the creator 3840 // 3841 PVOID ViewRemoteBase; // The base address of the view in the process 3842 // connected to the port. 3843 } PORT_VIEW, *PPORT_VIEW; 3844 3845 // 3846 // Define structure for shared memory coming from remote side of the port 3847 // 3848 3849 typedef struct _REMOTE_PORT_VIEW { 3850 3851 ULONG Length; // Size of this structure 3852 SIZE_T ViewSize; // The size of the view (bytes) 3853 PVOID ViewBase; // Base address of the view 3854 3855 } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; 3856 3857 // 3858 // Macro for initializing the message header 3859 // 3860 3861 #ifndef InitializeMessageHeader 3862 #define InitializeMessageHeader(ph, l, t) 3863 { 3864 (ph)->u1.s1.TotalLength = (USHORT)(l); 3865 (ph)->u1.s1.DataLength = (USHORT)(l - sizeof(PORT_MESSAGE)); 3866 (ph)->u2.s2.Type = (USHORT)(t); 3867 (ph)->u2.s2.DataInfoOffset = 0; 3868 (ph)->ClientId.UniqueProcess = NULL; 3869 (ph)->ClientId.UniqueThread = NULL; 3870 (ph)->MessageId = 0; 3871 (ph)->ClientViewSize = 0; 3872 } 3873 #endif 3874 3875 /*++ 3876 3877 NtCreatePort 3878 ============ 3879 3880 Creates a LPC port object. The creator of the LPC port becomes a server 3881 of LPC communication 3882 3883 PortHandle - Points to a variable that will receive the 3884 port object handle if the call is successful. 3885 3886 ObjectAttributes - Points to a structure that specifies the object抯 3887 attributes. OBJ_KERNEL_HANDLE, OBJ_OPENLINK, OBJ_OPENIF, OBJ_EXCLUSIVE, 3888 OBJ_PERMANENT, and OBJ_INHERIT are not valid attributes for a port object. 3889 3890 MaxConnectionInfoLength - The maximum size, in bytes, of data that can 3891 be sent through the port. 3892 3893 MaxMessageLength - The maximum size, in bytes, of a message 3894 that can be sent through the port. 3895 3896 MaxPoolUsage - Specifies the maximum amount of NonPaged pool that can be used for 3897 message storage. Zero means default value. 3898 3899 ZwCreatePort verifies that (MaxDataSize <= 0x104) and (MaxMessageSize <= 0x148). 3900 3901 --*/ 3902 3903 NTSYSAPI 3904 NTSTATUS 3905 NTAPI 3906 NtCreatePort( 3907 OUT PHANDLE PortHandle, 3908 IN POBJECT_ATTRIBUTES ObjectAttributes, 3909 IN ULONG MaxConnectionInfoLength, 3910 IN ULONG MaxMessageLength, 3911 IN ULONG MaxPoolUsage 3912 ); 3913 3914 NTSYSAPI 3915 NTSTATUS 3916 NTAPI 3917 ZwCreatePort( 3918 OUT PHANDLE PortHandle, 3919 IN POBJECT_ATTRIBUTES ObjectAttributes, 3920 IN ULONG MaxConnectionInfoLength, 3921 IN ULONG MaxMessageLength, 3922 IN ULONG MaxPoolUsage 3923 ); 3924 3925 3926 /*++ 3927 3928 NtConnectPort 3929 ============= 3930 3931 Creates a port connected to a named port (cliend side). 3932 3933 PortHandle - A pointer to a variable that will receive the client 3934 communication port object handle value. 3935 3936 PortName - Points to a structure that specifies the name 3937 of the port to connect to. 3938 3939 SecurityQos - Points to a structure that specifies the level 3940 of impersonation available to the port listener. 3941 3942 ClientView - Optionally points to a structure describing 3943 the shared memory region used to send large amounts of data 3944 to the listener; if the call is successful, this will be updated. 3945 3946 ServerView - Optionally points to a caller-allocated buffer 3947 or variable that receives information on the shared memory region 3948 used by the listener to send large amounts of data to the 3949 caller. 3950 3951 MaxMessageLength - Optionally points to a variable that receives the size, 3952 in bytes, of the largest message that can be sent through the port. 3953 3954 ConnectionInformation - Optionally points to a caller-allocated 3955 buffer or variable that specifies connect data to send to the listener, 3956 and receives connect data sent by the listener. 3957 3958 ConnectionInformationLength - Optionally points to a variable that 3959 specifies the size, in bytes, of the connect data to send 3960 to the listener, and receives the size of the connect data 3961 sent by the listener. 3962 3963 --*/ 3964 3965 NTSYSAPI 3966 NTSTATUS 3967 NTAPI 3968 NtConnectPort( 3969 OUT PHANDLE PortHandle, 3970 IN PUNICODE_STRING PortName, 3971 IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 3972 IN OUT PPORT_VIEW ClientView OPTIONAL, 3973 OUT PREMOTE_PORT_VIEW ServerView OPTIONAL, 3974 OUT PULONG MaxMessageLength OPTIONAL, 3975 IN OUT PVOID ConnectionInformation OPTIONAL, 3976 IN OUT PULONG ConnectionInformationLength OPTIONAL 3977 ); 3978 3979 3980 NTSYSAPI 3981 NTSTATUS 3982 NTAPI 3983 ZwConnectPort( 3984 OUT PHANDLE PortHandle, 3985 IN PUNICODE_STRING PortName, 3986 IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 3987 IN OUT PPORT_VIEW ClientView OPTIONAL, 3988 OUT PREMOTE_PORT_VIEW ServerView OPTIONAL, 3989 OUT PULONG MaxMessageLength OPTIONAL, 3990 IN OUT PVOID ConnectionInformation OPTIONAL, 3991 IN OUT PULONG ConnectionInformationLength OPTIONAL 3992 ); 3993 3994 3995 /*++ 3996 3997 NtListenPort 3998 ============ 3999 4000 Listens on a port for a connection request message on the server side. 4001 4002 PortHandle - A handle to a port object. The handle doesn‘t need 4003 to grant any specific access. 4004 4005 ConnectionRequest - Points to a caller-allocated buffer 4006 or variable that receives the connect message sent to 4007 the port. 4008 4009 --*/ 4010 4011 4012 NTSYSAPI 4013 NTSTATUS 4014 NTAPI 4015 NtListenPort( 4016 IN HANDLE PortHandle, 4017 OUT PPORT_MESSAGE RequestMessage 4018 ); 4019 4020 NTSYSAPI 4021 NTSTATUS 4022 NTAPI 4023 ZwListenPort( 4024 IN HANDLE PortHandle, 4025 OUT PPORT_MESSAGE RequestMessage 4026 ); 4027 4028 /*++ 4029 4030 NtAcceptConnectPort 4031 =================== 4032 4033 Accepts or rejects a connection request on the server side. 4034 4035 PortHandle - Points to a variable that will receive the port object 4036 handle if the call is successful. 4037 4038 PortContext - A numeric identifier to be associated with the port. 4039 4040 ConnectionRequest - Points to a caller-allocated buffer or variable 4041 that identifies the connection request and contains any connect 4042 data that should be returned to requestor of the connection 4043 4044 AcceptConnection - Specifies whether the connection should 4045 be accepted or not 4046 4047 ServerView - Optionally points to a structure describing 4048 the shared memory region used to send large amounts of data to the 4049 requestor; if the call is successful, this will be updated 4050 4051 ClientView - Optionally points to a caller-allocated buffer 4052 or variable that receives information on the shared memory 4053 region used by the requestor to send large amounts of data to the 4054 caller 4055 4056 --*/ 4057 4058 4059 NTSYSAPI 4060 NTSTATUS 4061 NTAPI 4062 NtAcceptConnectPort( 4063 OUT PHANDLE PortHandle, 4064 IN PVOID PortContext OPTIONAL, 4065 IN PPORT_MESSAGE ConnectionRequest, 4066 IN BOOLEAN AcceptConnection, 4067 IN OUT PPORT_VIEW ServerView OPTIONAL, 4068 OUT PREMOTE_PORT_VIEW ClientView OPTIONAL 4069 ); 4070 4071 NTSYSAPI 4072 NTSTATUS 4073 NTAPI 4074 ZwAcceptConnectPort( 4075 OUT PHANDLE PortHandle, 4076 IN PVOID PortContext OPTIONAL, 4077 IN PPORT_MESSAGE ConnectionRequest, 4078 IN BOOLEAN AcceptConnection, 4079 IN OUT PPORT_VIEW ServerView OPTIONAL, 4080 OUT PREMOTE_PORT_VIEW ClientView OPTIONAL 4081 ); 4082 4083 4084 /*++ 4085 4086 NtCompleteConnectPort 4087 ===================== 4088 4089 Completes the port connection process on the server side. 4090 4091 PortHandle - A handle to a port object. The handle doesn‘t need 4092 to grant any specific access. 4093 4094 --*/ 4095 4096 4097 NTSYSAPI 4098 NTSTATUS 4099 NTAPI 4100 NtCompleteConnectPort( 4101 IN HANDLE PortHandle 4102 ); 4103 4104 4105 NTSYSAPI 4106 NTSTATUS 4107 NTAPI 4108 ZwCompleteConnectPort( 4109 IN HANDLE PortHandle 4110 ); 4111 4112 4113 /*++ 4114 4115 NtRequestPort 4116 ============= 4117 4118 Sends a request message to a port (client side) 4119 4120 PortHandle - A handle to a port object. The handle doesn‘t need 4121 to grant any specific access. 4122 4123 RequestMessage - Points to a caller-allocated buffer or variable 4124 that specifies the request message to send to the port. 4125 4126 --*/ 4127 4128 NTSYSAPI 4129 NTSTATUS 4130 NTAPI 4131 NtRequestPort ( 4132 IN HANDLE PortHandle, 4133 IN PPORT_MESSAGE RequestMessage 4134 ); 4135 4136 NTSYSAPI 4137 NTSTATUS 4138 NTAPI 4139 ZwRequestPort ( 4140 IN HANDLE PortHandle, 4141 IN PPORT_MESSAGE RequestMessage 4142 ); 4143 4144 /*++ 4145 4146 NtRequestWaitReplyPort 4147 ====================== 4148 4149 Sends a request message to a port and waits for a reply (client side) 4150 4151 PortHandle - A handle to a port object. The handle doesn‘t need 4152 to grant any specific access. 4153 4154 RequestMessage - Points to a caller-allocated buffer or variable 4155 that specifies the request message to send to the port. 4156 4157 ReplyMessage - Points to a caller-allocated buffer or variable 4158 that receives the reply message sent to the port. 4159 4160 --*/ 4161 4162 NTSYSAPI 4163 NTSTATUS 4164 NTAPI 4165 NtRequestWaitReplyPort( 4166 IN HANDLE PortHandle, 4167 IN PPORT_MESSAGE RequestMessage, 4168 OUT PPORT_MESSAGE ReplyMessage 4169 ); 4170 4171 4172 NTSYSAPI 4173 NTSTATUS 4174 NTAPI 4175 ZwRequestWaitReplyPort( 4176 IN HANDLE PortHandle, 4177 IN PPORT_MESSAGE RequestMessage, 4178 OUT PPORT_MESSAGE ReplyMessage 4179 ); 4180 4181 4182 /*++ 4183 4184 NtReplyPort 4185 =========== 4186 4187 Sends a reply message to a port (Server side) 4188 4189 PortHandle - A handle to a port object. The handle doesn‘t need 4190 to grant any specific access. 4191 4192 ReplyMessage - Points to a caller-allocated buffer or variable 4193 that specifies the reply message to send to the port. 4194 4195 --*/ 4196 4197 4198 NTSYSAPI 4199 NTSTATUS 4200 NTAPI 4201 NtReplyPort( 4202 IN HANDLE PortHandle, 4203 IN PPORT_MESSAGE ReplyMessage 4204 ); 4205 4206 NTSYSAPI 4207 NTSTATUS 4208 NTAPI 4209 ZwReplyPort( 4210 IN HANDLE PortHandle, 4211 IN PPORT_MESSAGE ReplyMessage 4212 ); 4213 4214 /*++ 4215 4216 NtReplyWaitReplyPort 4217 ==================== 4218 4219 Sends a reply message to a port and waits for a reply message 4220 4221 PortHandle - A handle to a port object. The handle doesn‘t need 4222 to grant any specific access. 4223 4224 ReplyMessage - Points to a caller-allocated buffer or variable 4225 that specifies the reply message to send to the port. 4226 4227 --*/ 4228 4229 NTSYSAPI 4230 NTSTATUS 4231 NTAPI 4232 NtReplyWaitReplyPort( 4233 IN HANDLE PortHandle, 4234 IN OUT PPORT_MESSAGE ReplyMessage 4235 ); 4236 4237 NTSYSAPI 4238 NTSTATUS 4239 NTAPI 4240 ZwReplyWaitReplyPort( 4241 IN HANDLE PortHandle, 4242 IN OUT PPORT_MESSAGE ReplyMessage 4243 ); 4244 4245 /*++ 4246 4247 NtReplyWaitReceivePort 4248 ====================== 4249 4250 Optionally sends a reply message to a port and waits for a 4251 message 4252 4253 PortHandle - A handle to a port object. The handle doesn‘t need 4254 to grant any specific access. 4255 4256 PortContext - Optionally points to a variable that receives 4257 a numeric identifier associated with the port. 4258 4259 ReplyMessage - Optionally points to a caller-allocated buffer 4260 or variable that specifies the reply message to send to the port. 4261 4262 ReceiveMessage - Points to a caller-allocated buffer or variable 4263 that receives the message sent to the port. 4264 4265 --*/ 4266 4267 NTSYSAPI 4268 NTSTATUS 4269 NTAPI 4270 NtReplyWaitReceivePort( 4271 IN HANDLE PortHandle, 4272 OUT PVOID *PortContext OPTIONAL, 4273 IN PPORT_MESSAGE ReplyMessage OPTIONAL, 4274 OUT PPORT_MESSAGE ReceiveMessage 4275 ); 4276 4277 NTSYSAPI 4278 NTSTATUS 4279 NTAPI 4280 ZwReplyWaitReceivePort( 4281 IN HANDLE PortHandle, 4282 OUT PVOID *PortContext OPTIONAL, 4283 IN PPORT_MESSAGE ReplyMessage OPTIONAL, 4284 OUT PPORT_MESSAGE ReceiveMessage 4285 ); 4286 4287 //----------------------------------------------------------------------------- 4288 // Heap functions 4289 4290 #define HEAP_NO_SERIALIZE 0x00000001 4291 #define HEAP_GROWABLE 0x00000002 4292 #define HEAP_GENERATE_EXCEPTIONS 0x00000004 4293 #define HEAP_ZERO_MEMORY 0x00000008 4294 #define HEAP_REALLOC_IN_PLACE_ONLY 0x00000010 4295 #define HEAP_TAIL_CHECKING_ENABLED 0x00000020 4296 #define HEAP_FREE_CHECKING_ENABLED 0x00000040 4297 #define HEAP_DISABLE_COALESCE_ON_FREE 0x00000080 4298 #define HEAP_CREATE_ALIGN_16 0x00010000 4299 #define HEAP_CREATE_ENABLE_TRACING 0x00020000 4300 #define HEAP_MAXIMUM_TAG 0x0FFF 4301 #define HEAP_PSEUDO_TAG_FLAG 0x8000 4302 4303 // 4304 // Data structure for heap definition. This includes various 4305 // sizing parameters and callback routines, which, if left NULL, 4306 // result in default behavior 4307 // 4308 4309 typedef struct RTL_HEAP_PARAMETERS { 4310 ULONG Length; //sizeof(RTL_HEAP_PARAMETERS) 4311 ULONG SegmentReserve; 4312 ULONG SegmentCommit; 4313 ULONG DeCommitFreeBlockThreshold; 4314 ULONG DeCommitTotalFreeThreshold; 4315 ULONG MaximumAllocationSize; 4316 ULONG VirtualMemoryThreshold; 4317 ULONG InitialCommit; 4318 ULONG InitialReserve; 4319 PVOID CommitRoutine; 4320 ULONG Reserved; 4321 } RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; 4322 4323 4324 #define RtlProcessHeap() (HANDLE)(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap) 4325 4326 4327 NTSYSAPI 4328 HANDLE 4329 NTAPI 4330 RtlCreateHeap ( 4331 IN ULONG Flags, 4332 IN PVOID BaseAddress OPTIONAL, 4333 IN ULONG SizeToReserve, 4334 IN ULONG SizeToCommit, 4335 IN BOOLEAN Lock OPTIONAL, 4336 IN PRTL_HEAP_PARAMETERS Definition OPTIONAL 4337 ); 4338 4339 4340 NTSYSAPI 4341 ULONG 4342 NTAPI 4343 RtlDestroyHeap ( 4344 IN HANDLE HeapHandle 4345 ); 4346 4347 4348 NTSYSAPI 4349 PVOID 4350 NTAPI 4351 RtlAllocateHeap ( 4352 IN HANDLE HeapHandle, 4353 IN ULONG Flags, 4354 IN SIZE_T Size 4355 ); 4356 4357 4358 NTSYSAPI 4359 PVOID 4360 NTAPI 4361 RtlReAllocateHeap ( 4362 IN HANDLE HeapHandle, 4363 IN ULONG Flags, 4364 IN LPVOID Address, 4365 IN SIZE_T Size 4366 ); 4367 4368 4369 NTSYSAPI 4370 BOOLEAN 4371 NTAPI 4372 RtlFreeHeap ( 4373 IN HANDLE HeapHandle, 4374 IN ULONG Flags, 4375 IN PVOID Address 4376 ); 4377 4378 4379 NTSYSAPI 4380 ULONG 4381 NTAPI 4382 RtlCompactHeap ( 4383 IN HANDLE HeapHandle, 4384 IN ULONG Flags 4385 ); 4386 4387 4388 NTSYSAPI 4389 BOOLEAN 4390 NTAPI 4391 RtlLockHeap ( 4392 IN HANDLE HeapHandle 4393 ); 4394 4395 4396 NTSYSAPI 4397 BOOLEAN 4398 NTAPI 4399 RtlUnlockHeap ( 4400 IN HANDLE HeapHandle 4401 ); 4402 4403 4404 NTSYSAPI 4405 ULONG 4406 NTAPI 4407 RtlSizeHeap ( 4408 IN HANDLE HeapHandle, 4409 IN ULONG Flags, 4410 IN PVOID Address 4411 ); 4412 4413 4414 NTSYSAPI 4415 BOOLEAN 4416 NTAPI 4417 RtlValidateHeap ( 4418 IN HANDLE HeapHandle, 4419 IN ULONG Flags, 4420 IN PVOID Address OPTIONAL 4421 ); 4422 4423 4424 //----------------------------------------------------------------------------- 4425 // Virtual memory functions 4426 4427 typedef enum _MEMORY_INFORMATION_CLASS 4428 { 4429 MemoryBasicInformation, // 0x00 MEMORY_BASIC_INFORMATION 4430 MemoryWorkingSetInformation, // 0x01 4431 MemoryMappedFilenameInformation, // 0x02 UNICODE_STRING 4432 MemoryRegionInformation, // 0x03 4433 MemoryWorkingSetExInformation // 0x04 4434 4435 } MEMORY_INFORMATION_CLASS; 4436 4437 4438 NTSYSAPI 4439 NTSTATUS 4440 NTAPI 4441 NtAllocateVirtualMemory ( 4442 IN HANDLE ProcessHandle, 4443 IN OUT PVOID *BaseAddress, 4444 IN ULONG ZeroBits, 4445 IN OUT PSIZE_T RegionSize, 4446 IN ULONG AllocationType, 4447 IN ULONG Protect 4448 ); 4449 4450 4451 NTSYSAPI 4452 NTSTATUS 4453 NTAPI 4454 ZwAllocateVirtualMemory ( 4455 IN HANDLE ProcessHandle, 4456 IN OUT PVOID *BaseAddress, 4457 IN ULONG ZeroBits, 4458 IN OUT PSIZE_T RegionSize, 4459 IN ULONG AllocationType, 4460 IN ULONG Protect 4461 ); 4462 4463 4464 NTSYSAPI 4465 NTSTATUS 4466 NTAPI 4467 NtFreeVirtualMemory ( 4468 IN HANDLE ProcessHandle, 4469 IN OUT PVOID *BaseAddress, 4470 IN OUT PSIZE_T RegionSize, 4471 IN ULONG FreeType 4472 ); 4473 4474 4475 NTSYSAPI 4476 NTSTATUS 4477 NTAPI 4478 ZwFreeVirtualMemory ( 4479 IN HANDLE ProcessHandle, 4480 IN OUT PVOID *BaseAddress, 4481 IN OUT PSIZE_T RegionSize, 4482 IN ULONG FreeType 4483 ); 4484 4485 NTSYSAPI 4486 NTSTATUS 4487 NTAPI 4488 NtProtectVirtualMemory( 4489 IN HANDLE ProcessHandle, 4490 IN OUT PVOID *BaseAddress, 4491 IN OUT PSIZE_T RegionSize, 4492 IN ULONG NewProtect, 4493 OUT PULONG OldProtect 4494 ); 4495 4496 4497 NTSYSAPI 4498 NTSTATUS 4499 NTAPI 4500 ZwProtectVirtualMemory( 4501 IN HANDLE ProcessHandle, 4502 IN OUT PVOID *BaseAddress, 4503 IN OUT PSIZE_T RegionSize, 4504 IN ULONG NewProtect, 4505 OUT PULONG OldProtect 4506 ); 4507 4508 4509 NTSYSAPI 4510 NTSTATUS 4511 NTAPI 4512 NtReadVirtualMemory( 4513 IN HANDLE ProcessHandle, 4514 IN PVOID BaseAddress, 4515 OUT PVOID Buffer, 4516 IN ULONG BufferSize, 4517 OUT PULONG NumberOfBytesRead OPTIONAL 4518 ); 4519 4520 NTSYSAPI 4521 NTSTATUS 4522 NTAPI 4523 ZwReadVirtualMemory( 4524 IN HANDLE ProcessHandle, 4525 IN PVOID BaseAddress, 4526 OUT PVOID Buffer, 4527 IN ULONG BufferSize, 4528 OUT PULONG NumberOfBytesRead OPTIONAL 4529 ); 4530 4531 4532 NTSYSAPI 4533 NTSTATUS 4534 NTAPI 4535 NtWriteVirtualMemory( 4536 IN HANDLE ProcessHandle, 4537 IN PVOID BaseAddress, 4538 IN PVOID Buffer, 4539 IN ULONG BufferSize, 4540 OUT PULONG NumberOfBytesWritten OPTIONAL 4541 ); 4542 4543 4544 NTSYSAPI 4545 NTSTATUS 4546 NTAPI 4547 ZwWriteVirtualMemory( 4548 IN HANDLE ProcessHandle, 4549 IN PVOID BaseAddress, 4550 IN PVOID Buffer, 4551 IN ULONG BufferSize, 4552 OUT PULONG NumberOfBytesWritten OPTIONAL 4553 ); 4554 4555 4556 NTSYSAPI 4557 NTSTATUS 4558 NTAPI 4559 NtFlushVirtualMemory ( 4560 IN HANDLE ProcessHandle, 4561 IN OUT PVOID *BaseAddress, 4562 IN OUT PSIZE_T RegionSize, 4563 OUT PIO_STATUS_BLOCK IoStatus 4564 ); 4565 4566 4567 NTSYSAPI 4568 NTSTATUS 4569 NTAPI 4570 ZwFlushVirtualMemory ( 4571 IN HANDLE ProcessHandle, 4572 IN OUT PVOID *BaseAddress, 4573 IN OUT PSIZE_T RegionSize, 4574 OUT PIO_STATUS_BLOCK IoStatus 4575 ); 4576 4577 4578 NTSYSAPI 4579 NTSTATUS 4580 NTAPI 4581 NtQueryVirtualMemory( 4582 IN HANDLE ProcessHandle, 4583 IN PVOID BaseAddress, 4584 IN MEMORY_INFORMATION_CLASS MemoryInformationClass, 4585 OUT PVOID MemoryInformation, 4586 IN SIZE_T MemoryInformationLength, 4587 OUT PSIZE_T ReturnLength OPTIONAL 4588 ); 4589 4590 4591 NTSYSAPI 4592 NTSTATUS 4593 NTAPI 4594 ZwQueryVirtualMemory( 4595 IN HANDLE ProcessHandle, 4596 IN PVOID BaseAddress, 4597 IN MEMORY_INFORMATION_CLASS MemoryInformationClass, 4598 OUT PVOID MemoryInformation, 4599 IN SIZE_T MemoryInformationLength, 4600 OUT PSIZE_T ReturnLength OPTIONAL 4601 ); 4602 4603 //----------------------------------------------------------------------------- 4604 // Section functions 4605 4606 typedef enum _SECTION_INHERIT 4607 { 4608 ViewShare = 1, 4609 ViewUnmap = 2 4610 4611 } SECTION_INHERIT; 4612 4613 4614 typedef enum _SECTION_INFORMATION_CLASS 4615 { 4616 SectionBasicInformation, 4617 SectionImageInformation 4618 4619 } SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; 4620 4621 4622 /*++ 4623 4624 NtCreateSection 4625 =============== 4626 4627 Creates a section object. 4628 4629 SectionHandle - Points to a variable that will receive the section 4630 object handle if the call is successful. 4631 4632 DesiredAccess - Specifies the type of access that the caller requires 4633 to the section object. This parameter can be zero, or any combination 4634 of the following flags: 4635 4636 SECTION_QUERY - Query access 4637 SECTION_MAP_WRITE - Can be written when mapped 4638 SECTION_MAP_READ - Can be read when mapped 4639 SECTION_MAP_EXECUTE - Can be executed when mapped 4640 SECTION_EXTEND_SIZE - Extend access 4641 SECTION_ALL_ACCESS - All of the preceding + 4642 STANDARD_RIGHTS_REQUIRED 4643 4644 ObjectAttributes - Points to a structure that specifies the object抯 attributes. 4645 OBJ_OPENLINK is not a valid attribute for a section object. 4646 4647 MaximumSize - Optionally points to a variable that specifies the size, 4648 in bytes, of the section. If FileHandle is zero, the size must be 4649 specified; otherwise, it can be defaulted from the size of the file 4650 referred to by FileHandle. 4651 4652 SectionPageProtection - The protection desired for the pages 4653 of the section when the section is mapped. This parameter can take 4654 one of the following values: 4655 4656 PAGE_READONLY 4657 PAGE_READWRITE 4658 PAGE_WRITECOPY 4659 PAGE_EXECUTE 4660 PAGE_EXECUTE_READ 4661 PAGE_EXECUTE_READWRITE 4662 PAGE_EXECUTE_WRITECOPY 4663 4664 AllocationAttributes - The attributes for the section. This parameter must 4665 be a combination of the following values: 4666 4667 SEC_BASED 0x00200000 // Map section at same address in each process 4668 SEC_NO_CHANGE 0x00400000 // Disable changes to protection of pages 4669 SEC_IMAGE 0x01000000 // Map section as an image 4670 SEC_VLM 0x02000000 // Map section in VLM region 4671 SEC_RESERVE 0x04000000 // Reserve without allocating pagefile storage 4672 SEC_COMMIT 0x08000000 // Commit pages; the default behavior 4673 SEC_NOCACHE 0x10000000 // Mark pages as non-cacheable 4674 4675 FileHandle - Identifies the file from which to create the section object. 4676 The file must be opened with an access mode compatible with the protection 4677 flags specified by the Protect parameter. If FileHandle is zero, 4678 the function creates a section object of the specified size backed 4679 by the paging file rather than by a named file in the file system. 4680 4681 --*/ 4682 4683 4684 NTSYSAPI 4685 NTSTATUS 4686 NTAPI 4687 NtCreateSection( 4688 OUT PHANDLE SectionHandle, 4689 IN ACCESS_MASK DesiredAccess, 4690 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 4691 IN PLARGE_INTEGER MaximumSize OPTIONAL, 4692 IN ULONG SectionPageProtection, 4693 IN ULONG AllocationAttributes, 4694 IN HANDLE FileHandle OPTIONAL 4695 ); 4696 4697 4698 NTSYSAPI 4699 NTSTATUS 4700 NTAPI 4701 ZwCreateSection( 4702 OUT PHANDLE SectionHandle, 4703 IN ACCESS_MASK DesiredAccess, 4704 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 4705 IN PLARGE_INTEGER MaximumSize OPTIONAL, 4706 IN ULONG SectionPageProtection, 4707 IN ULONG AllocationAttributes, 4708 IN HANDLE FileHandle OPTIONAL 4709 ); 4710 4711 4712 NTSYSAPI 4713 NTSTATUS 4714 NTAPI 4715 NtOpenSection ( 4716 OUT PHANDLE SectionHandle, 4717 IN ACCESS_MASK DesiredAccess, 4718 IN POBJECT_ATTRIBUTES ObjectAttributes 4719 ); 4720 4721 4722 NTSYSAPI 4723 NTSTATUS 4724 NTAPI 4725 ZwOpenSection ( 4726 OUT PHANDLE SectionHandle, 4727 IN ACCESS_MASK DesiredAccess, 4728 IN POBJECT_ATTRIBUTES ObjectAttributes 4729 ); 4730 4731 4732 NTSYSAPI 4733 NTSTATUS 4734 NTAPI 4735 NtMapViewOfSection ( 4736 IN HANDLE SectionHandle, 4737 IN HANDLE ProcessHandle, 4738 IN OUT PVOID *BaseAddress, 4739 IN ULONG ZeroBits, 4740 IN ULONG CommitSize, 4741 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 4742 IN OUT PULONG ViewSize, 4743 IN SECTION_INHERIT InheritDisposition, 4744 IN ULONG AllocationType, 4745 IN ULONG Protect 4746 ); 4747 4748 4749 NTSYSAPI 4750 NTSTATUS 4751 NTAPI 4752 ZwMapViewOfSection ( 4753 IN HANDLE SectionHandle, 4754 IN HANDLE ProcessHandle, 4755 IN OUT PVOID *BaseAddress, 4756 IN ULONG ZeroBits, 4757 IN ULONG CommitSize, 4758 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 4759 IN OUT PULONG ViewSize, 4760 IN SECTION_INHERIT InheritDisposition, 4761 IN ULONG AllocationType, 4762 IN ULONG Protect 4763 ); 4764 4765 4766 NTSYSAPI 4767 NTSTATUS 4768 NTAPI 4769 NtUnmapViewOfSection ( 4770 IN HANDLE ProcessHandle, 4771 IN PVOID BaseAddress 4772 ); 4773 4774 4775 NTSYSAPI 4776 NTSTATUS 4777 NTAPI 4778 ZwUnmapViewOfSection ( 4779 IN HANDLE ProcessHandle, 4780 IN PVOID BaseAddress 4781 ); 4782 4783 4784 NTSYSAPI 4785 NTSTATUS 4786 NTAPI 4787 NtExtendSection ( 4788 IN HANDLE SectionHandle, 4789 IN OUT PLARGE_INTEGER SectionSize 4790 ); 4791 4792 4793 NTSYSAPI 4794 NTSTATUS 4795 NTAPI 4796 ZwExtendSection ( 4797 IN HANDLE SectionHandle, 4798 IN OUT PLARGE_INTEGER SectionSize 4799 ); 4800 4801 4802 NTSYSAPI 4803 NTSTATUS 4804 NTAPI 4805 NtQuerySection ( 4806 IN HANDLE SectionHandle, 4807 IN SECTION_INFORMATION_CLASS SectionInformationClass, 4808 OUT PVOID SectionInformation, 4809 IN ULONG Length, 4810 OUT PULONG ResultLength OPTIONAL 4811 ); 4812 4813 4814 NTSYSAPI 4815 NTSTATUS 4816 NTAPI 4817 ZwQuerySection ( 4818 IN HANDLE SectionHandle, 4819 IN SECTION_INFORMATION_CLASS SectionInformationClass, 4820 OUT PVOID SectionInformation, 4821 IN ULONG Length, 4822 OUT PULONG ResultLength OPTIONAL 4823 ); 4824 4825 4826 //----------------------------------------------------------------------------- 4827 // Synchronization 4828 4829 // 4830 // Wait type 4831 // 4832 4833 typedef enum _WAIT_TYPE { 4834 WaitAll, 4835 WaitAny 4836 } WAIT_TYPE; 4837 4838 4839 NTSYSAPI 4840 NTSTATUS 4841 NTAPI 4842 NtWaitForSingleObject ( 4843 IN HANDLE Handle, 4844 IN BOOLEAN Alertable, 4845 IN PLARGE_INTEGER Timeout OPTIONAL 4846 ); 4847 4848 4849 NTSYSAPI 4850 NTSTATUS 4851 NTAPI 4852 ZwWaitForSingleObject ( 4853 IN HANDLE Handle, 4854 IN BOOLEAN Alertable, 4855 IN PLARGE_INTEGER Timeout OPTIONAL 4856 ); 4857 4858 4859 NTSYSAPI 4860 NTSTATUS 4861 NTAPI 4862 NtWaitForMultipleObjects ( 4863 IN ULONG Count, 4864 IN HANDLE Handle[], 4865 IN WAIT_TYPE WaitType, 4866 IN BOOLEAN Alertable, 4867 IN PLARGE_INTEGER Timeout OPTIONAL 4868 ); 4869 4870 4871 NTSYSAPI 4872 NTSTATUS 4873 NTAPI 4874 ZwWaitForMultipleObjects ( 4875 IN ULONG Count, 4876 IN HANDLE Handle[], 4877 IN WAIT_TYPE WaitType, 4878 IN BOOLEAN Alertable, 4879 IN PLARGE_INTEGER Timeout OPTIONAL 4880 ); 4881 4882 4883 //----------------------------------------------------------------------------- 4884 // Event support 4885 4886 typedef enum _EVENT_INFORMATION_CLASS { 4887 EventBasicInformation // = 0 4888 } EVENT_INFORMATION_CLASS; 4889 4890 typedef struct _EVENT_BASIC_INFORMATION { 4891 EVENT_TYPE EventType; 4892 LONG EventState; 4893 } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION; 4894 4895 // 4896 // Event handling routines 4897 // 4898 4899 4900 NTSYSAPI 4901 NTSTATUS 4902 NTAPI 4903 NtCreateEvent ( 4904 OUT PHANDLE EventHandle, 4905 IN ACCESS_MASK DesiredAccess, 4906 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 4907 IN EVENT_TYPE EventType, 4908 IN BOOLEAN InitialState 4909 ); 4910 4911 4912 NTSYSAPI 4913 NTSTATUS 4914 NTAPI 4915 ZwCreateEvent ( 4916 OUT PHANDLE EventHandle, 4917 IN ACCESS_MASK DesiredAccess, 4918 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 4919 IN EVENT_TYPE EventType, 4920 IN BOOLEAN InitialState 4921 ); 4922 4923 4924 NTSYSAPI 4925 NTSTATUS 4926 NTAPI 4927 NtClearEvent ( 4928 IN HANDLE Handle 4929 ); 4930 4931 4932 NTSYSAPI 4933 NTSTATUS 4934 NTAPI 4935 ZwClearEvent ( 4936 IN HANDLE Handle 4937 ); 4938 4939 4940 NTSYSAPI 4941 NTSTATUS 4942 NTAPI 4943 NtPulseEvent ( 4944 IN HANDLE Handle, 4945 OUT PLONG PreviousState OPTIONAL 4946 ); 4947 4948 4949 NTSYSAPI 4950 NTSTATUS 4951 NTAPI 4952 ZwPulseEvent ( 4953 IN HANDLE Handle, 4954 OUT PLONG PreviousState OPTIONAL 4955 ); 4956 4957 4958 NTSYSAPI 4959 NTSTATUS 4960 NTAPI 4961 NtResetEvent ( 4962 IN HANDLE Handle, 4963 OUT PLONG PreviousState OPTIONAL 4964 ); 4965 4966 4967 NTSYSAPI 4968 NTSTATUS 4969 NTAPI 4970 ZwResetEvent ( 4971 IN HANDLE Handle, 4972 OUT PLONG PreviousState OPTIONAL 4973 ); 4974 4975 4976 NTSYSAPI 4977 NTSTATUS 4978 NTAPI 4979 NtSetEvent ( 4980 IN HANDLE Handle, 4981 OUT PLONG PreviousState OPTIONAL 4982 ); 4983 4984 4985 NTSYSAPI 4986 NTSTATUS 4987 NTAPI 4988 ZwSetEvent ( 4989 IN HANDLE Handle, 4990 OUT PLONG PreviousState OPTIONAL 4991 ); 4992 4993 4994 NTSYSAPI 4995 NTSTATUS 4996 NTAPI 4997 NtOpenEvent ( 4998 OUT PHANDLE EventHandle, 4999 IN ACCESS_MASK DesiredAccess, 5000 IN POBJECT_ATTRIBUTES ObjectAttributes 5001 ); 5002 5003 5004 NTSYSAPI 5005 NTSTATUS 5006 NTAPI 5007 ZwOpenEvent ( 5008 OUT PHANDLE EventHandle, 5009 IN ACCESS_MASK DesiredAccess, 5010 IN POBJECT_ATTRIBUTES ObjectAttributes 5011 ); 5012 5013 5014 NTSYSAPI 5015 NTSTATUS 5016 NTAPI 5017 NtQueryEvent ( 5018 IN HANDLE EventHandle, 5019 IN EVENT_INFORMATION_CLASS EventInfoClass, 5020 OUT PVOID EventInfo, 5021 IN ULONG Length, 5022 OUT PULONG ResultLength OPTIONAL 5023 ); 5024 5025 5026 NTSYSAPI 5027 NTSTATUS 5028 NTAPI 5029 ZwQueryEvent ( 5030 IN HANDLE EventHandle, 5031 IN EVENT_INFORMATION_CLASS EventInfoClass, 5032 OUT PVOID EventInfo, 5033 IN ULONG Length, 5034 OUT PULONG ResultLength OPTIONAL 5035 ); 5036 5037 5038 //----------------------------------------------------------------------------- 5039 // Mutant support 5040 5041 NTSYSAPI 5042 NTSTATUS 5043 NTAPI 5044 NtCreateMutant( 5045 OUT PHANDLE MutantHandle, 5046 IN ACCESS_MASK DesiredAccess, 5047 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 5048 IN BOOLEAN InitialOwner 5049 ); 5050 5051 NTSYSAPI 5052 NTSTATUS 5053 NTAPI 5054 NtOpenMutant( 5055 OUT PHANDLE MutantHandle, 5056 IN ACCESS_MASK DesiredAccess, 5057 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL 5058 ); 5059 5060 //----------------------------------------------------------------------------- 5061 // Semaphore support 5062 5063 NTSYSAPI 5064 NTSTATUS 5065 NTAPI 5066 NtCreateSemaphore( 5067 OUT PHANDLE SemaphoreHandle, 5068 IN ACCESS_MASK DesiredAccess, 5069 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 5070 IN ULONG InitialCount, 5071 IN ULONG MaximumCount 5072 ); 5073 5074 NTSYSAPI 5075 NTSTATUS 5076 NTAPI 5077 NtOpenSemaphore( 5078 OUT PHANDLE SemaphoreHandle, 5079 IN ACCESS_MASK DesiredAccess, 5080 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL 5081 ); 5082 5083 //----------------------------------------------------------------------------- 5084 // EventPair support 5085 5086 #define EVENT_PAIR_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE ) 5087 5088 NTSYSAPI 5089 NTSTATUS 5090 NTAPI 5091 NtCreateEventPair( 5092 OUT PHANDLE EventPairHandle, 5093 IN ACCESS_MASK DesiredAccess, 5094 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL 5095 ); 5096 5097 5098 NTSYSAPI 5099 NTSTATUS 5100 NTAPI 5101 NtOpenEventPair( 5102 OUT PHANDLE EventPairHandle, 5103 IN ACCESS_MASK DesiredAccess, 5104 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL 5105 ); 5106 5107 5108 //----------------------------------------------------------------------------- 5109 // Security descriptor functions 5110 5111 NTSYSAPI 5112 NTSTATUS 5113 NTAPI 5114 RtlCreateSecurityDescriptor ( 5115 IN PSECURITY_DESCRIPTOR SecurityDescriptor, 5116 IN ULONG Revision 5117 ); 5118 5119 5120 NTSYSAPI 5121 NTSTATUS 5122 NTAPI 5123 RtlGetDaclSecurityDescriptor( 5124 IN PSECURITY_DESCRIPTOR SecurityDescriptor, 5125 OUT PBOOLEAN DaclPresent, 5126 OUT PACL *Dacl, 5127 OUT PBOOLEAN DaclDefaulted 5128 ); 5129 5130 NTSYSAPI 5131 NTSTATUS 5132 NTAPI 5133 RtlSetDaclSecurityDescriptor( 5134 IN PSECURITY_DESCRIPTOR SecurityDescriptor, 5135 IN BOOLEAN DaclPresent, 5136 IN PACL Dacl OPTIONAL, 5137 IN BOOLEAN DaclDefaulted OPTIONAL 5138 ); 5139 5140 5141 NTSYSAPI 5142 NTSTATUS 5143 NTAPI 5144 RtlSetOwnerSecurityDescriptor ( 5145 IN PSECURITY_DESCRIPTOR SecurityDescriptor, 5146 IN PSID Owner OPTIONAL, 5147 IN BOOLEAN OwnerDefaulted OPTIONAL 5148 ); 5149 5150 5151 NTSYSAPI 5152 NTSTATUS 5153 NTAPI 5154 RtlAllocateAndInitializeSid( 5155 IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, 5156 IN UCHAR SubAuthorityCount, 5157 IN ULONG SubAuthority0, 5158 IN ULONG SubAuthority1, 5159 IN ULONG SubAuthority2, 5160 IN ULONG SubAuthority3, 5161 IN ULONG SubAuthority4, 5162 IN ULONG SubAuthority5, 5163 IN ULONG SubAuthority6, 5164 IN ULONG SubAuthority7, 5165 OUT PSID *Sid 5166 ); 5167 5168 5169 NTSYSAPI 5170 ULONG 5171 NTAPI 5172 RtlLengthSid ( 5173 IN PSID Sid 5174 ); 5175 5176 5177 NTSYSAPI 5178 BOOLEAN 5179 NTAPI 5180 RtlEqualSid ( 5181 IN PSID Sid1, 5182 IN PSID Sid2 5183 ); 5184 5185 5186 NTSYSAPI 5187 PVOID 5188 NTAPI 5189 RtlFreeSid( 5190 IN PSID Sid 5191 ); 5192 5193 5194 NTSYSAPI 5195 NTSTATUS 5196 NTAPI 5197 RtlCreateAcl( 5198 IN PACL Acl, 5199 IN ULONG AclLength, 5200 IN ULONG AclRevision 5201 ); 5202 5203 5204 NTSYSAPI 5205 NTSTATUS 5206 NTAPI 5207 RtlGetAce( 5208 IN PACL Acl, 5209 IN ULONG AceIndex, 5210 OUT PVOID *Ace 5211 ); 5212 5213 5214 NTSYSAPI 5215 NTSTATUS 5216 NTAPI 5217 RtlAddAccessAllowedAce( 5218 IN OUT PACL Acl, 5219 IN ULONG AceRevision, 5220 IN ACCESS_MASK AccessMask, 5221 IN PSID Sid 5222 ); 5223 5224 5225 NTSYSAPI 5226 NTSTATUS 5227 NTAPI 5228 RtlAddAccessAllowedAceEx( 5229 IN OUT PACL Acl, 5230 IN ULONG AceRevision, 5231 IN ULONG AceFlags, 5232 IN ULONG AccessMask, 5233 IN PSID Sid 5234 ); 5235 5236 //----------------------------------------------------------------------------- 5237 // Token functions 5238 5239 NTSYSAPI 5240 NTSTATUS 5241 NTAPI 5242 NtOpenProcessToken( 5243 IN HANDLE ProcessHandle, 5244 IN ACCESS_MASK DesiredAccess, 5245 OUT PHANDLE TokenHandle 5246 ); 5247 5248 5249 NTSYSAPI 5250 NTSTATUS 5251 NTAPI 5252 NtOpenThreadToken( 5253 IN HANDLE ThreadHandle, 5254 IN ACCESS_MASK DesiredAccess, 5255 IN BOOLEAN OpenAsSelf, 5256 OUT PHANDLE TokenHandle 5257 ); 5258 5259 5260 NTSYSAPI 5261 NTSTATUS 5262 NTAPI 5263 NtQueryInformationToken( 5264 IN HANDLE TokenHandle, 5265 IN TOKEN_INFORMATION_CLASS TokenInformationClass, 5266 OUT PVOID TokenInformation, 5267 IN ULONG TokenInformationLength, 5268 OUT PULONG ReturnLength 5269 ); 5270 5271 NTSYSAPI 5272 NTSTATUS 5273 NTAPI 5274 ZwQueryInformationToken( 5275 IN HANDLE TokenHandle, 5276 IN TOKEN_INFORMATION_CLASS TokenInformationClass, 5277 OUT PVOID TokenInformation, 5278 IN ULONG TokenInformationLength, 5279 OUT PULONG ReturnLength 5280 ); 5281 5282 NTSYSAPI 5283 NTSTATUS 5284 NTAPI 5285 NtSetInformationToken( 5286 IN HANDLE TokenHandle, 5287 IN TOKEN_INFORMATION_CLASS TokenInformationClass, 5288 IN PVOID TokenInformation, 5289 IN ULONG TokenInformationLength 5290 ); 5291 5292 5293 NTSYSAPI 5294 NTSTATUS 5295 NTAPI 5296 NtAdjustPrivilegesToken( 5297 IN HANDLE TokenHandle, 5298 IN BOOLEAN DisableAllPrivileges, 5299 IN PTOKEN_PRIVILEGES NewState OPTIONAL, 5300 IN ULONG BufferLength OPTIONAL, 5301 IN PTOKEN_PRIVILEGES PreviousState OPTIONAL, 5302 OUT PULONG ReturnLength 5303 ); 5304 5305 5306 NTSYSAPI 5307 NTSTATUS 5308 NTAPI 5309 NtDuplicateToken( 5310 IN HANDLE ExistingTokenHandle, 5311 IN ACCESS_MASK DesiredAccess, 5312 IN POBJECT_ATTRIBUTES ObjectAttributes, 5313 IN BOOLEAN EffectiveOnly, 5314 IN TOKEN_TYPE TokenType, 5315 OUT PHANDLE NewTokenHandle 5316 ); 5317 5318 5319 NTSYSAPI 5320 NTSTATUS 5321 NTAPI 5322 NtCompareTokens( 5323 IN HANDLE FirstTokenHandle, 5324 IN HANDLE SecondTokenHandle, 5325 OUT PBOOLEAN IdenticalTokens 5326 ); 5327 5328 5329 //----------------------------------------------------------------------------- 5330 // Symbolic links 5331 5332 // 5333 // Object Manager Symbolic Link Specific Access Rights. 5334 // 5335 5336 #ifndef SYMBOLIC_LINK_QUERY 5337 #define SYMBOLIC_LINK_QUERY (0x0001) 5338 #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 5339 #endif 5340 5341 NTSYSAPI 5342 NTSTATUS 5343 NTAPI 5344 NtCreateSymbolicLinkObject( 5345 OUT PHANDLE SymbolicLinkHandle, 5346 IN ACCESS_MASK DesiredAccess, 5347 IN POBJECT_ATTRIBUTES ObjectAttributes, 5348 IN PUNICODE_STRING DestinationName 5349 ); 5350 5351 5352 NTSYSAPI 5353 NTSTATUS 5354 NTAPI 5355 NtOpenSymbolicLinkObject ( 5356 OUT PHANDLE SymbolicLinkHandle, 5357 IN ACCESS_MASK DesiredAccess, 5358 IN POBJECT_ATTRIBUTES ObjectAttributes 5359 ); 5360 5361 5362 NTSYSAPI 5363 NTSTATUS 5364 NTAPI 5365 NtQuerySymbolicLinkObject ( 5366 IN HANDLE SymbolicLinkHandle, 5367 OUT PUNICODE_STRING NameString, 5368 OUT PULONG ResultLength OPTIONAL 5369 ); 5370 5371 //----------------------------------------------------------------------------- 5372 // Loader functions 5373 5374 NTSYSAPI 5375 NTSTATUS 5376 NTAPI 5377 LdrLoadDll( 5378 IN PWSTR DllPath OPTIONAL, 5379 IN PULONG DllCharacteristics OPTIONAL, 5380 IN PUNICODE_STRING DllName, 5381 OUT PVOID *DllHandle 5382 ); 5383 5384 NTSYSAPI 5385 NTSTATUS 5386 NTAPI 5387 LdrGetDllHandle( 5388 IN PWSTR DllPath OPTIONAL, 5389 IN PULONG DllCharacteristics OPTIONAL, 5390 IN PUNICODE_STRING DllName, 5391 OUT PVOID * DllHandle 5392 ); 5393 5394 NTSYSAPI 5395 NTSTATUS 5396 NTAPI 5397 LdrUnloadDll( 5398 IN PVOID DllHandle 5399 ); 5400 5401 NTSYSAPI 5402 NTSTATUS 5403 NTAPI 5404 LdrGetProcedureAddress( 5405 IN PVOID DllHandle, 5406 IN PANSI_STRING ProcedureName OPTIONAL, 5407 IN ULONG ProcedureNumber OPTIONAL, 5408 OUT PVOID *ProcedureAddress 5409 ); 5410 5411 //----------------------------------------------------------------------------- 5412 // Driver functions 5413 5414 NTSYSAPI 5415 NTSTATUS 5416 NTAPI 5417 NtLoadDriver( 5418 PUNICODE_STRING DriverServiceName 5419 ); 5420 5421 NTSYSAPI 5422 NTSTATUS 5423 NTAPI 5424 ZwLoadDriver( 5425 PUNICODE_STRING DriverServiceName 5426 ); 5427 5428 NTSYSAPI 5429 NTSTATUS 5430 NTAPI 5431 NtUnloadDriver( 5432 PUNICODE_STRING DriverServiceName 5433 ); 5434 5435 NTSYSAPI 5436 NTSTATUS 5437 NTAPI 5438 ZwUnloadDriver( 5439 PUNICODE_STRING DriverServiceName 5440 ); 5441 5442 //----------------------------------------------------------------------------- 5443 // Functions dealing with NTSTATUS and Win32 error 5444 5445 NTSYSAPI 5446 ULONG 5447 NTAPI 5448 RtlNtStatusToDosError( 5449 NTSTATUS Status 5450 ); 5451 5452 5453 NTSYSAPI 5454 ULONG 5455 NTAPI 5456 RtlNtStatusToDosErrorNoTeb( 5457 NTSTATUS Status 5458 ); 5459 5460 5461 NTSYSAPI 5462 NTSTATUS 5463 NTAPI 5464 RtlGetLastNtStatus( 5465 ); 5466 5467 5468 NTSYSAPI 5469 ULONG 5470 NTAPI 5471 RtlGetLastWin32Error( 5472 ); 5473 5474 5475 NTSYSAPI 5476 VOID 5477 NTAPI 5478 RtlSetLastWin32Error( 5479 ULONG WinError 5480 ); 5481 5482 5483 NTSYSAPI 5484 VOID 5485 NTAPI 5486 RtlSetLastWin32ErrorAndNtStatusFromNtStatus( 5487 NTSTATUS Status 5488 ); 5489 5490 5491 //----------------------------------------------------------------------------- 5492 // Other functions 5493 5494 NTSYSAPI 5495 NTSTATUS 5496 NTAPI 5497 NtAllocateLocallyUniqueId( 5498 OUT PLUID LocallyUniqueId 5499 ); 5500 5501 5502 NTSYSAPI 5503 NTSTATUS 5504 NTAPI 5505 NtDelayExecution( 5506 IN BOOLEAN Alertable, 5507 IN PLARGE_INTEGER DelayInterval 5508 ); 5509 5510 5511 NTSYSAPI 5512 NTSTATUS 5513 NTAPI 5514 NtDisplayString( 5515 IN PUNICODE_STRING String 5516 ); 5517 5518 5519 #ifdef __cplusplus 5520 } // extern "C" 5521 #endif 5522 5523 #endif // __NTDLL_H__
原文:http://www.cnblogs.com/gwsbhqt/p/5092390.html
