├── LICENSE ├── README.md ├── ntbcd.h ├── ntdbg.h ├── ntexapi.h ├── ntgdi.h ├── ntioapi.h ├── ntkeapi.h ├── ntldr.h ├── ntlpcapi.h ├── ntmisc.h ├── ntmmapi.h ├── ntnls.h ├── ntobapi.h ├── ntpebteb.h ├── ntpfapi.h ├── ntpnpapi.h ├── ntpoapi.h ├── ntpsapi.h ├── ntregapi.h ├── ntrtl.h ├── ntsam.h ├── ntseapi.h ├── ntsmss.h ├── nttmapi.h ├── nttp.h ├── ntwow64.h ├── ntxcapi.h ├── phnt.h ├── phnt_ntdef.h ├── phnt_windows.h ├── subprocesstag.h └── winsta.h /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. 
Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution 4.0 International Public License 58 | 59 | By exercising the Licensed Rights (defined below), You accept and agree 60 | to be bound by the terms and conditions of this Creative Commons 61 | Attribution 4.0 International Public License ("Public License"). 
To the 62 | extent this Public License may be interpreted as a contract, You are 63 | granted the Licensed Rights in consideration of Your acceptance of 64 | these terms and conditions, and the Licensor grants You such rights in 65 | consideration of benefits the Licensor receives from making the 66 | Licensed Material available under these terms and conditions. 67 | 68 | 69 | Section 1 -- Definitions. 70 | 71 | a. Adapted Material means material subject to Copyright and Similar 72 | Rights that is derived from or based upon the Licensed Material 73 | and in which the Licensed Material is translated, altered, 74 | arranged, transformed, or otherwise modified in a manner requiring 75 | permission under the Copyright and Similar Rights held by the 76 | Licensor. For purposes of this Public License, where the Licensed 77 | Material is a musical work, performance, or sound recording, 78 | Adapted Material is always produced where the Licensed Material is 79 | synched in timed relation with a moving image. 80 | 81 | b. Adapter's License means the license You apply to Your Copyright 82 | and Similar Rights in Your contributions to Adapted Material in 83 | accordance with the terms and conditions of this Public License. 84 | 85 | c. Copyright and Similar Rights means copyright and/or similar rights 86 | closely related to copyright including, without limitation, 87 | performance, broadcast, sound recording, and Sui Generis Database 88 | Rights, without regard to how the rights are labeled or 89 | categorized. For purposes of this Public License, the rights 90 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 91 | Rights. 92 | 93 | d. Effective Technological Measures means those measures that, in the 94 | absence of proper authority, may not be circumvented under laws 95 | fulfilling obligations under Article 11 of the WIPO Copyright 96 | Treaty adopted on December 20, 1996, and/or similar international 97 | agreements. 98 | 99 | e. 
Exceptions and Limitations means fair use, fair dealing, and/or 100 | any other exception or limitation to Copyright and Similar Rights 101 | that applies to Your use of the Licensed Material. 102 | 103 | f. Licensed Material means the artistic or literary work, database, 104 | or other material to which the Licensor applied this Public 105 | License. 106 | 107 | g. Licensed Rights means the rights granted to You subject to the 108 | terms and conditions of this Public License, which are limited to 109 | all Copyright and Similar Rights that apply to Your use of the 110 | Licensed Material and that the Licensor has authority to license. 111 | 112 | h. Licensor means the individual(s) or entity(ies) granting rights 113 | under this Public License. 114 | 115 | i. Share means to provide material to the public by any means or 116 | process that requires permission under the Licensed Rights, such 117 | as reproduction, public display, public performance, distribution, 118 | dissemination, communication, or importation, and to make material 119 | available to the public including in ways that members of the 120 | public may access the material from a place and at a time 121 | individually chosen by them. 122 | 123 | j. Sui Generis Database Rights means rights other than copyright 124 | resulting from Directive 96/9/EC of the European Parliament and of 125 | the Council of 11 March 1996 on the legal protection of databases, 126 | as amended and/or succeeded, as well as other essentially 127 | equivalent rights anywhere in the world. 128 | 129 | k. You means the individual or entity exercising the Licensed Rights 130 | under this Public License. Your has a corresponding meaning. 131 | 132 | 133 | Section 2 -- Scope. 134 | 135 | a. License grant. 136 | 137 | 1. 
Subject to the terms and conditions of this Public License, 138 | the Licensor hereby grants You a worldwide, royalty-free, 139 | non-sublicensable, non-exclusive, irrevocable license to 140 | exercise the Licensed Rights in the Licensed Material to: 141 | 142 | a. reproduce and Share the Licensed Material, in whole or 143 | in part; and 144 | 145 | b. produce, reproduce, and Share Adapted Material. 146 | 147 | 2. Exceptions and Limitations. For the avoidance of doubt, where 148 | Exceptions and Limitations apply to Your use, this Public 149 | License does not apply, and You do not need to comply with 150 | its terms and conditions. 151 | 152 | 3. Term. The term of this Public License is specified in Section 153 | 6(a). 154 | 155 | 4. Media and formats; technical modifications allowed. The 156 | Licensor authorizes You to exercise the Licensed Rights in 157 | all media and formats whether now known or hereafter created, 158 | and to make technical modifications necessary to do so. The 159 | Licensor waives and/or agrees not to assert any right or 160 | authority to forbid You from making technical modifications 161 | necessary to exercise the Licensed Rights, including 162 | technical modifications necessary to circumvent Effective 163 | Technological Measures. For purposes of this Public License, 164 | simply making modifications authorized by this Section 2(a) 165 | (4) never produces Adapted Material. 166 | 167 | 5. Downstream recipients. 168 | 169 | a. Offer from the Licensor -- Licensed Material. Every 170 | recipient of the Licensed Material automatically 171 | receives an offer from the Licensor to exercise the 172 | Licensed Rights under the terms and conditions of this 173 | Public License. 174 | 175 | b. No downstream restrictions. 
You may not offer or impose 176 | any additional or different terms or conditions on, or 177 | apply any Effective Technological Measures to, the 178 | Licensed Material if doing so restricts exercise of the 179 | Licensed Rights by any recipient of the Licensed 180 | Material. 181 | 182 | 6. No endorsement. Nothing in this Public License constitutes or 183 | may be construed as permission to assert or imply that You 184 | are, or that Your use of the Licensed Material is, connected 185 | with, or sponsored, endorsed, or granted official status by, 186 | the Licensor or others designated to receive attribution as 187 | provided in Section 3(a)(1)(A)(i). 188 | 189 | b. Other rights. 190 | 191 | 1. Moral rights, such as the right of integrity, are not 192 | licensed under this Public License, nor are publicity, 193 | privacy, and/or other similar personality rights; however, to 194 | the extent possible, the Licensor waives and/or agrees not to 195 | assert any such rights held by the Licensor to the limited 196 | extent necessary to allow You to exercise the Licensed 197 | Rights, but not otherwise. 198 | 199 | 2. Patent and trademark rights are not licensed under this 200 | Public License. 201 | 202 | 3. To the extent possible, the Licensor waives any right to 203 | collect royalties from You for the exercise of the Licensed 204 | Rights, whether directly or through a collecting society 205 | under any voluntary or waivable statutory or compulsory 206 | licensing scheme. In all other cases the Licensor expressly 207 | reserves any right to collect such royalties. 208 | 209 | 210 | Section 3 -- License Conditions. 211 | 212 | Your exercise of the Licensed Rights is expressly made subject to the 213 | following conditions. 214 | 215 | a. Attribution. 216 | 217 | 1. If You Share the Licensed Material (including in modified 218 | form), You must: 219 | 220 | a. retain the following if it is supplied by the Licensor 221 | with the Licensed Material: 222 | 223 | i. 
identification of the creator(s) of the Licensed 224 | Material and any others designated to receive 225 | attribution, in any reasonable manner requested by 226 | the Licensor (including by pseudonym if 227 | designated); 228 | 229 | ii. a copyright notice; 230 | 231 | iii. a notice that refers to this Public License; 232 | 233 | iv. a notice that refers to the disclaimer of 234 | warranties; 235 | 236 | v. a URI or hyperlink to the Licensed Material to the 237 | extent reasonably practicable; 238 | 239 | b. indicate if You modified the Licensed Material and 240 | retain an indication of any previous modifications; and 241 | 242 | c. indicate the Licensed Material is licensed under this 243 | Public License, and include the text of, or the URI or 244 | hyperlink to, this Public License. 245 | 246 | 2. You may satisfy the conditions in Section 3(a)(1) in any 247 | reasonable manner based on the medium, means, and context in 248 | which You Share the Licensed Material. For example, it may be 249 | reasonable to satisfy the conditions by providing a URI or 250 | hyperlink to a resource that includes the required 251 | information. 252 | 253 | 3. If requested by the Licensor, You must remove any of the 254 | information required by Section 3(a)(1)(A) to the extent 255 | reasonably practicable. 256 | 257 | 4. If You Share Adapted Material You produce, the Adapter's 258 | License You apply must not prevent recipients of the Adapted 259 | Material from complying with this Public License. 260 | 261 | 262 | Section 4 -- Sui Generis Database Rights. 263 | 264 | Where the Licensed Rights include Sui Generis Database Rights that 265 | apply to Your use of the Licensed Material: 266 | 267 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 268 | to extract, reuse, reproduce, and Share all or a substantial 269 | portion of the contents of the database; 270 | 271 | b. 
if You include all or a substantial portion of the database 272 | contents in a database in which You have Sui Generis Database 273 | Rights, then the database in which You have Sui Generis Database 274 | Rights (but not its individual contents) is Adapted Material; and 275 | 276 | c. You must comply with the conditions in Section 3(a) if You Share 277 | all or a substantial portion of the contents of the database. 278 | 279 | For the avoidance of doubt, this Section 4 supplements and does not 280 | replace Your obligations under this Public License where the Licensed 281 | Rights include other Copyright and Similar Rights. 282 | 283 | 284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 285 | 286 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 287 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 288 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 289 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 290 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 291 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 292 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 293 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 294 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 295 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 296 | 297 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 298 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 299 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 300 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 301 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 302 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 303 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 304 | DAMAGES. 
WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 305 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 306 | 307 | c. The disclaimer of warranties and limitation of liability provided 308 | above shall be interpreted in a manner that, to the extent 309 | possible, most closely approximates an absolute disclaimer and 310 | waiver of all liability. 311 | 312 | 313 | Section 6 -- Term and Termination. 314 | 315 | a. This Public License applies for the term of the Copyright and 316 | Similar Rights licensed here. However, if You fail to comply with 317 | this Public License, then Your rights under this Public License 318 | terminate automatically. 319 | 320 | b. Where Your right to use the Licensed Material has terminated under 321 | Section 6(a), it reinstates: 322 | 323 | 1. automatically as of the date the violation is cured, provided 324 | it is cured within 30 days of Your discovery of the 325 | violation; or 326 | 327 | 2. upon express reinstatement by the Licensor. 328 | 329 | For the avoidance of doubt, this Section 6(b) does not affect any 330 | right the Licensor may have to seek remedies for Your violations 331 | of this Public License. 332 | 333 | c. For the avoidance of doubt, the Licensor may also offer the 334 | Licensed Material under separate terms or conditions or stop 335 | distributing the Licensed Material at any time; however, doing so 336 | will not terminate this Public License. 337 | 338 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 339 | License. 340 | 341 | 342 | Section 7 -- Other Terms and Conditions. 343 | 344 | a. The Licensor shall not be bound by any additional or different 345 | terms or conditions communicated by You unless expressly agreed. 346 | 347 | b. Any arrangements, understandings, or agreements regarding the 348 | Licensed Material not stated herein are separate from and 349 | independent of the terms and conditions of this Public License. 350 | 351 | 352 | Section 8 -- Interpretation. 
353 | 354 | a. For the avoidance of doubt, this Public License does not, and 355 | shall not be interpreted to, reduce, limit, restrict, or impose 356 | conditions on any use of the Licensed Material that could lawfully 357 | be made without permission under this Public License. 358 | 359 | b. To the extent possible, if any provision of this Public License is 360 | deemed unenforceable, it shall be automatically reformed to the 361 | minimum extent necessary to make it enforceable. If the provision 362 | cannot be reformed, it shall be severed from this Public License 363 | without affecting the enforceability of the remaining terms and 364 | conditions. 365 | 366 | c. No term or condition of this Public License will be waived and no 367 | failure to comply consented to unless expressly agreed to by the 368 | Licensor. 369 | 370 | d. Nothing in this Public License constitutes or may be interpreted 371 | as a limitation upon, or waiver of, any privileges and immunities 372 | that apply to the Licensor or You, including from the legal 373 | processes of any jurisdiction or authority. 374 | 375 | 376 | ======================================================================= 377 | 378 | Creative Commons is not a party to its public 379 | licenses. Notwithstanding, Creative Commons may elect to apply one of 380 | its public licenses to material it publishes and in those instances 381 | will be considered the “Licensor.” The text of the Creative Commons 382 | public licenses is dedicated to the public domain under the CC0 Public 383 | Domain Dedication. 
Except for the limited purpose of indicating that 384 | material is shared under a Creative Commons public license or as 385 | otherwise permitted by the Creative Commons policies published at 386 | creativecommons.org/policies, Creative Commons does not authorize the 387 | use of the trademark "Creative Commons" or any other trademark or logo 388 | of Creative Commons without its prior written consent including, 389 | without limitation, in connection with any unauthorized modifications 390 | to any of its public licenses or any other arrangements, 391 | understandings, or agreements concerning use of licensed material. For 392 | the avoidance of doubt, this paragraph does not form part of the 393 | public licenses. 394 | 395 | Creative Commons may be contacted at creativecommons.org. 396 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | *You shouldn't use this repository.* 2 | 3 | This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that we know of. We have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See `phnt.h` for more information. 4 | 5 | ## Usage 6 | 7 | First make sure that your program is using the latest Windows SDK. 8 | 9 | These header files are designed to be used by user-mode programs. Instead of `#include <Windows.h>`, place 10 | 11 | ``` 12 | #include <phnt_windows.h> 13 | #include <phnt.h> 14 | ``` 15 | 16 | at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. 17 | 18 | Here is the copyright header, which is removed when making the amalgamated header. 
19 | ``` 20 | /* 21 | * This file is part of the Process Hacker project - https://processhacker.sf.io/ 22 | * 23 | * You can redistribute this file and/or modify it under the terms of the 24 | * Attribution 4.0 International (CC BY 4.0) license. 25 | * 26 | * You must give appropriate credit, provide a link to the license, and 27 | * indicate if changes were made. You may do so in any reasonable manner, but 28 | * not in any way that suggests the licensor endorses you or your use. 29 | */ 30 | ``` 31 | -------------------------------------------------------------------------------- /ntdbg.h: -------------------------------------------------------------------------------- 1 | // Debugging 2 | 3 | NTSYSAPI 4 | VOID 5 | NTAPI 6 | DbgUserBreakPoint( 7 | VOID 8 | ); 9 | 10 | NTSYSAPI 11 | VOID 12 | NTAPI 13 | DbgBreakPoint( 14 | VOID 15 | ); 16 | 17 | NTSYSAPI 18 | VOID 19 | NTAPI 20 | DbgBreakPointWithStatus( 21 | _In_ ULONG Status 22 | ); 23 | 24 | #define DBG_STATUS_CONTROL_C 1 25 | #define DBG_STATUS_SYSRQ 2 26 | #define DBG_STATUS_BUGCHECK_FIRST 3 27 | #define DBG_STATUS_BUGCHECK_SECOND 4 28 | #define DBG_STATUS_FATAL 5 29 | #define DBG_STATUS_DEBUG_CONTROL 6 30 | #define DBG_STATUS_WORKER 7 31 | 32 | NTSYSAPI 33 | ULONG 34 | STDAPIVCALLTYPE 35 | DbgPrint( 36 | _In_z_ _Printf_format_string_ PCSTR Format, 37 | ... 38 | ); 39 | 40 | NTSYSAPI 41 | ULONG 42 | STDAPIVCALLTYPE 43 | DbgPrintEx( 44 | _In_ ULONG ComponentId, 45 | _In_ ULONG Level, 46 | _In_z_ _Printf_format_string_ PCSTR Format, 47 | ... 
48 | ); 49 | 50 | NTSYSAPI 51 | ULONG 52 | NTAPI 53 | vDbgPrintEx( 54 | _In_ ULONG ComponentId, 55 | _In_ ULONG Level, 56 | _In_z_ PCCH Format, 57 | _In_ va_list arglist 58 | ); 59 | 60 | NTSYSAPI 61 | ULONG 62 | NTAPI 63 | vDbgPrintExWithPrefix( 64 | _In_z_ PCCH Prefix, 65 | _In_ ULONG ComponentId, 66 | _In_ ULONG Level, 67 | _In_z_ PCCH Format, 68 | _In_ va_list arglist 69 | ); 70 | 71 | NTSYSAPI 72 | NTSTATUS 73 | NTAPI 74 | DbgQueryDebugFilterState( 75 | _In_ ULONG ComponentId, 76 | _In_ ULONG Level 77 | ); 78 | 79 | NTSYSAPI 80 | NTSTATUS 81 | NTAPI 82 | DbgSetDebugFilterState( 83 | _In_ ULONG ComponentId, 84 | _In_ ULONG Level, 85 | _In_ BOOLEAN State 86 | ); 87 | 88 | NTSYSAPI 89 | ULONG 90 | NTAPI 91 | DbgPrompt( 92 | _In_ PCCH Prompt, 93 | _Out_writes_bytes_(Length) PCH Response, 94 | _In_ ULONG Length 95 | ); 96 | 97 | // Definitions 98 | 99 | typedef struct _DBGKM_EXCEPTION 100 | { 101 | EXCEPTION_RECORD ExceptionRecord; 102 | ULONG FirstChance; 103 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 104 | 105 | typedef struct _DBGKM_CREATE_THREAD 106 | { 107 | ULONG SubSystemKey; 108 | PVOID StartAddress; 109 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 110 | 111 | typedef struct _DBGKM_CREATE_PROCESS 112 | { 113 | ULONG SubSystemKey; 114 | HANDLE FileHandle; 115 | PVOID BaseOfImage; 116 | ULONG DebugInfoFileOffset; 117 | ULONG DebugInfoSize; 118 | DBGKM_CREATE_THREAD InitialThread; 119 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 120 | 121 | typedef struct _DBGKM_EXIT_THREAD 122 | { 123 | NTSTATUS ExitStatus; 124 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 125 | 126 | typedef struct _DBGKM_EXIT_PROCESS 127 | { 128 | NTSTATUS ExitStatus; 129 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 130 | 131 | typedef struct _DBGKM_LOAD_DLL 132 | { 133 | HANDLE FileHandle; 134 | PVOID BaseOfDll; 135 | ULONG DebugInfoFileOffset; 136 | ULONG DebugInfoSize; 137 | PVOID NamePointer; 138 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 139 | 140 | typedef struct _DBGKM_UNLOAD_DLL 141 
| { 142 | PVOID BaseAddress; 143 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 144 | 145 | typedef enum _DBG_STATE 146 | { 147 | DbgIdle, 148 | DbgReplyPending, 149 | DbgCreateThreadStateChange, 150 | DbgCreateProcessStateChange, 151 | DbgExitThreadStateChange, 152 | DbgExitProcessStateChange, 153 | DbgExceptionStateChange, 154 | DbgBreakpointStateChange, 155 | DbgSingleStepStateChange, 156 | DbgLoadDllStateChange, 157 | DbgUnloadDllStateChange 158 | } DBG_STATE, *PDBG_STATE; 159 | 160 | typedef struct _DBGUI_CREATE_THREAD 161 | { 162 | HANDLE HandleToThread; 163 | DBGKM_CREATE_THREAD NewThread; 164 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 165 | 166 | typedef struct _DBGUI_CREATE_PROCESS 167 | { 168 | HANDLE HandleToProcess; 169 | HANDLE HandleToThread; 170 | DBGKM_CREATE_PROCESS NewProcess; 171 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 172 | 173 | typedef struct _DBGUI_WAIT_STATE_CHANGE 174 | { 175 | DBG_STATE NewState; 176 | CLIENT_ID AppClientId; 177 | union 178 | { 179 | DBGKM_EXCEPTION Exception; 180 | DBGUI_CREATE_THREAD CreateThread; 181 | DBGUI_CREATE_PROCESS CreateProcessInfo; 182 | DBGKM_EXIT_THREAD ExitThread; 183 | DBGKM_EXIT_PROCESS ExitProcess; 184 | DBGKM_LOAD_DLL LoadDll; 185 | DBGKM_UNLOAD_DLL UnloadDll; 186 | } StateInfo; 187 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 188 | 189 | #define DEBUG_READ_EVENT 0x0001 190 | #define DEBUG_PROCESS_ASSIGN 0x0002 191 | #define DEBUG_SET_INFORMATION 0x0004 192 | #define DEBUG_QUERY_INFORMATION 0x0008 193 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 194 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 195 | DEBUG_QUERY_INFORMATION) 196 | 197 | #define DEBUG_KILL_ON_CLOSE 0x1 198 | 199 | typedef enum _DEBUGOBJECTINFOCLASS 200 | { 201 | DebugObjectUnusedInformation, 202 | DebugObjectKillProcessOnExitInformation, // s: ULONG 203 | MaxDebugObjectInfoClass 204 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 205 | 206 | // System calls 207 | 
208 | NTSYSCALLAPI 209 | NTSTATUS 210 | NTAPI 211 | NtCreateDebugObject( 212 | _Out_ PHANDLE DebugObjectHandle, 213 | _In_ ACCESS_MASK DesiredAccess, 214 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 215 | _In_ ULONG Flags 216 | ); 217 | 218 | NTSYSCALLAPI 219 | NTSTATUS 220 | NTAPI 221 | NtDebugActiveProcess( 222 | _In_ HANDLE ProcessHandle, 223 | _In_ HANDLE DebugObjectHandle 224 | ); 225 | 226 | NTSYSCALLAPI 227 | NTSTATUS 228 | NTAPI 229 | NtDebugContinue( 230 | _In_ HANDLE DebugObjectHandle, 231 | _In_ PCLIENT_ID ClientId, 232 | _In_ NTSTATUS ContinueStatus 233 | ); 234 | 235 | NTSYSCALLAPI 236 | NTSTATUS 237 | NTAPI 238 | NtRemoveProcessDebug( 239 | _In_ HANDLE ProcessHandle, 240 | _In_ HANDLE DebugObjectHandle 241 | ); 242 | 243 | NTSYSCALLAPI 244 | NTSTATUS 245 | NTAPI 246 | NtSetInformationDebugObject( 247 | _In_ HANDLE DebugObjectHandle, 248 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 249 | _In_ PVOID DebugInformation, 250 | _In_ ULONG DebugInformationLength, 251 | _Out_opt_ PULONG ReturnLength 252 | ); 253 | 254 | NTSYSCALLAPI 255 | NTSTATUS 256 | NTAPI 257 | NtWaitForDebugEvent( 258 | _In_ HANDLE DebugObjectHandle, 259 | _In_ BOOLEAN Alertable, 260 | _In_opt_ PLARGE_INTEGER Timeout, 261 | _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange 262 | ); 263 | 264 | // Debugging UI 265 | 266 | NTSYSAPI 267 | NTSTATUS 268 | NTAPI 269 | DbgUiConnectToDbg( 270 | VOID 271 | ); 272 | 273 | NTSYSAPI 274 | HANDLE 275 | NTAPI 276 | DbgUiGetThreadDebugObject( 277 | VOID 278 | ); 279 | 280 | NTSYSAPI 281 | VOID 282 | NTAPI 283 | DbgUiSetThreadDebugObject( 284 | _In_ HANDLE DebugObject 285 | ); 286 | 287 | NTSYSAPI 288 | NTSTATUS 289 | NTAPI 290 | DbgUiWaitStateChange( 291 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 292 | _In_opt_ PLARGE_INTEGER Timeout 293 | ); 294 | 295 | NTSYSAPI 296 | NTSTATUS 297 | NTAPI 298 | DbgUiContinue( 299 | _In_ PCLIENT_ID AppClientId, 300 | _In_ NTSTATUS ContinueStatus 301 | ); 302 | 303 | NTSYSAPI 304 | NTSTATUS 305 | NTAPI 306 
| DbgUiStopDebugging( 307 | _In_ HANDLE Process 308 | ); 309 | 310 | NTSYSAPI 311 | NTSTATUS 312 | NTAPI 313 | DbgUiDebugActiveProcess( 314 | _In_ HANDLE Process 315 | ); 316 | 317 | NTSYSAPI 318 | VOID 319 | NTAPI 320 | DbgUiRemoteBreakin( 321 | _In_ PVOID Context 322 | ); 323 | 324 | NTSYSAPI 325 | NTSTATUS 326 | NTAPI 327 | DbgUiIssueRemoteBreakin( 328 | _In_ HANDLE Process 329 | ); 330 | 331 | NTSYSAPI 332 | NTSTATUS 333 | NTAPI 334 | DbgUiConvertStateChangeStructure( 335 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 336 | _Out_ LPDEBUG_EVENT DebugEvent 337 | ); 338 | 339 | NTSYSAPI 340 | NTSTATUS 341 | NTAPI 342 | DbgUiConvertStateChangeStructureEx( 343 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 344 | _Out_ LPDEBUG_EVENT DebugEvent 345 | ); 346 | 347 | struct _EVENT_FILTER_DESCRIPTOR; 348 | 349 | typedef VOID (NTAPI *PENABLECALLBACK)( 350 | _In_ LPCGUID SourceId, 351 | _In_ ULONG IsEnabled, 352 | _In_ UCHAR Level, 353 | _In_ ULONGLONG MatchAnyKeyword, 354 | _In_ ULONGLONG MatchAllKeyword, 355 | _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData, 356 | _Inout_opt_ PVOID CallbackContext 357 | ); 358 | 359 | typedef ULONGLONG REGHANDLE, *PREGHANDLE; 360 | 361 | NTSYSAPI 362 | NTSTATUS 363 | NTAPI 364 | EtwEventRegister( 365 | _In_ LPCGUID ProviderId, 366 | _In_opt_ PENABLECALLBACK EnableCallback, 367 | _In_opt_ PVOID CallbackContext, 368 | _Out_ PREGHANDLE RegHandle 369 | ); 370 | 371 | -------------------------------------------------------------------------------- /ntgdi.h: -------------------------------------------------------------------------------- 1 | #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 2 | 3 | #define GDI_HANDLE_INDEX_SHIFT 0 4 | #define GDI_HANDLE_INDEX_BITS 16 5 | #define GDI_HANDLE_INDEX_MASK 0xffff 6 | 7 | #define GDI_HANDLE_TYPE_SHIFT 16 8 | #define GDI_HANDLE_TYPE_BITS 5 9 | #define GDI_HANDLE_TYPE_MASK 0x1f 10 | 11 | #define GDI_HANDLE_ALTTYPE_SHIFT 21 12 | #define GDI_HANDLE_ALTTYPE_BITS 2 13 | #define GDI_HANDLE_ALTTYPE_MASK 0x3 14 
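#define GDI_HANDLE_STOCK_SHIFT 23
#define GDI_HANDLE_STOCK_BITS 1
#define GDI_HANDLE_STOCK_MASK 0x1

#define GDI_HANDLE_UNIQUE_SHIFT 24
#define GDI_HANDLE_UNIQUE_BITS 8
#define GDI_HANDLE_UNIQUE_MASK 0xff

// Field extractors: each shifts the 32-bit handle value down to the field's
// position and masks off the field's width. The handle is truncated to ULONG
// first, so the upper half of a 64-bit handle is ignored on purpose.
//
// Range note: GDI_HANDLE_INDEX() can yield any value up to GDI_HANDLE_INDEX_MASK,
// which equals GDI_MAX_HANDLE_COUNT; an index equal to that value is one past
// the end of GDI_SHARED_MEMORY.Handles[]. Callers that index the shared table
// must range-check the result before using it as a subscript.
#define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK)
#define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK)
#define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK)
// Fixed: the previous definition had an unbalanced extra ')' after the shift,
// so any expansion of this macro was a syntax error. Now parallel to GDI_HANDLE_TYPE().
#define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT) & GDI_HANDLE_STOCK_MASK)

// Rebuilds a handle from its low 16-bit index and the 16-bit word above it.
// Note that "Unique" here is the whole upper word (type and alt-type bits
// included), not the 8-bit field selected by GDI_HANDLE_UNIQUE_MASK.
#define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index)))

// GDI server-side types

#define GDI_DEF_TYPE 0 // invalid handle
#define GDI_DC_TYPE 1
#define GDI_DD_DIRECTDRAW_TYPE 2
#define GDI_DD_SURFACE_TYPE 3
#define GDI_RGN_TYPE 4
#define GDI_SURF_TYPE 5
#define GDI_CLIENTOBJ_TYPE 6
#define GDI_PATH_TYPE 7
#define GDI_PAL_TYPE 8
#define GDI_ICMLCS_TYPE 9
#define GDI_LFONT_TYPE 10
#define GDI_RFONT_TYPE 11
#define GDI_PFE_TYPE 12
#define GDI_PFT_TYPE 13
#define GDI_ICMCXF_TYPE 14
#define GDI_ICMDLL_TYPE 15
#define GDI_BRUSH_TYPE 16
#define GDI_PFF_TYPE 17 // unused
#define GDI_CACHE_TYPE 18 // unused
#define GDI_SPACE_TYPE 19
#define GDI_DBRUSH_TYPE 20 // unused
#define GDI_META_TYPE 21
#define GDI_EFSTATE_TYPE 22
#define GDI_BMFD_TYPE 23 // unused
#define GDI_VTFD_TYPE 24 // unused
#define GDI_TTFD_TYPE 25 // unused
#define GDI_RC_TYPE 26 // unused
#define GDI_TEMP_TYPE 27 // unused
#define GDI_DRVOBJ_TYPE 28
#define GDI_DCIOBJ_TYPE 29 // unused
#define GDI_SPOOL_TYPE 30

// GDI client-side types

// Keeps only the Type and AltType bits of a handle (in place, not shifted down),
// so the result compares directly against the GDI_CLIENT_*_TYPE constants below.
#define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \
    (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT)))
// The shift is 16 (the same as GDI_HANDLE_INDEX_BITS used by GDI_MAKE_HANDLE), so
// "Unique" is again the 16-bit upper word of the handle — i.e. GDI_HANDLE_ENTRY.Unique —
// not the 8-bit field at GDI_HANDLE_UNIQUE_SHIFT. NOTE(review): confirm against callers.
#define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16)

#define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT)
#define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT)
#define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT)

#define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT)

#define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2)
#define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3)
#define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2)
#define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1)

// One slot of the GDI_SHARED_MEMORY handle table (Handles[]).
// This layout is undocumented and was recovered by reverse engineering (see README);
// field offsets and widths are not guaranteed across Windows builds — treat the
// contents as untrusted input and validate before use, rather than assuming them.
typedef struct _GDI_HANDLE_ENTRY
{
    union
    {
        PVOID Object;   // kernel object pointer for an allocated slot
        PVOID NextFree; // free-list link when the slot is not in use — presumably; verify
    };
    union
    {
        struct
        {
            USHORT ProcessId;
            USHORT Lock : 1;
            USHORT Count : 15;
        };
        ULONG Value; // raw view of the two words above
    } Owner;
    USHORT Unique; // upper 16 bits of the handle value (see GDI_MAKE_HANDLE)
    UCHAR Type;
    UCHAR Flags;
    PVOID UserPointer;
} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;

// Handles[] holds GDI_MAX_HANDLE_COUNT entries; see the range note on
// GDI_HANDLE_INDEX() above before subscripting it with a handle-derived index.
typedef struct _GDI_SHARED_MEMORY
{
    GDI_HANDLE_ENTRY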
Handles[GDI_MAX_HANDLE_COUNT]; 116 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; 117 | 118 | -------------------------------------------------------------------------------- /ntkeapi.h: -------------------------------------------------------------------------------- 1 | #define LOW_PRIORITY 0 // Lowest thread priority level 2 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 3 | #define HIGH_PRIORITY 31 // Highest thread priority level 4 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 5 | 6 | typedef enum _KTHREAD_STATE 7 | { 8 | Initialized, 9 | Ready, 10 | Running, 11 | Standby, 12 | Terminated, 13 | Waiting, 14 | Transition, 15 | DeferredReady, 16 | GateWaitObsolete, 17 | WaitingForProcessInSwap, 18 | MaximumThreadState 19 | } KTHREAD_STATE, *PKTHREAD_STATE; 20 | 21 | // private 22 | typedef enum _KHETERO_CPU_POLICY 23 | { 24 | KHeteroCpuPolicyAll = 0, 25 | KHeteroCpuPolicyLarge = 1, 26 | KHeteroCpuPolicyLargeOrIdle = 2, 27 | KHeteroCpuPolicySmall = 3, 28 | KHeteroCpuPolicySmallOrIdle = 4, 29 | KHeteroCpuPolicyDynamic = 5, 30 | KHeteroCpuPolicyStaticMax = 5, // valid 31 | KHeteroCpuPolicyBiasedSmall = 6, 32 | KHeteroCpuPolicyBiasedLarge = 7, 33 | KHeteroCpuPolicyDefault = 8, 34 | KHeteroCpuPolicyMax = 9 35 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 36 | 37 | typedef enum _KWAIT_REASON 38 | { 39 | Executive, 40 | FreePage, 41 | PageIn, 42 | PoolAllocation, 43 | DelayExecution, 44 | Suspended, 45 | UserRequest, 46 | WrExecutive, 47 | WrFreePage, 48 | WrPageIn, 49 | WrPoolAllocation, 50 | WrDelayExecution, 51 | WrSuspended, 52 | WrUserRequest, 53 | WrEventPair, 54 | WrQueue, 55 | WrLpcReceive, 56 | WrLpcReply, 57 | WrVirtualMemory, 58 | WrPageOut, 59 | WrRendezvous, 60 | WrKeyedEvent, 61 | WrTerminated, 62 | WrProcessInSwap, 63 | WrCpuRateControl, 64 | WrCalloutStack, 65 | WrKernel, 66 | WrResource, 67 | WrPushLock, 68 | WrMutex, 69 | WrQuantumEnd, 70 | WrDispatchInt, 71 | WrPreempted, 72 | WrYieldExecution, 73 | WrFastMutex, 
74 | WrGuardedMutex, 75 | WrRundown, 76 | WrAlertByThreadId, 77 | WrDeferredPreempt, 78 | WrPhysicalFault, 79 | WrIoRing, 80 | WrMdlCache, 81 | MaximumWaitReason 82 | } KWAIT_REASON, *PKWAIT_REASON; 83 | 84 | typedef enum _KPROFILE_SOURCE 85 | { 86 | ProfileTime, 87 | ProfileAlignmentFixup, 88 | ProfileTotalIssues, 89 | ProfilePipelineDry, 90 | ProfileLoadInstructions, 91 | ProfilePipelineFrozen, 92 | ProfileBranchInstructions, 93 | ProfileTotalNonissues, 94 | ProfileDcacheMisses, 95 | ProfileIcacheMisses, 96 | ProfileCacheMisses, 97 | ProfileBranchMispredictions, 98 | ProfileStoreInstructions, 99 | ProfileFpInstructions, 100 | ProfileIntegerInstructions, 101 | Profile2Issue, 102 | Profile3Issue, 103 | Profile4Issue, 104 | ProfileSpecialInstructions, 105 | ProfileTotalCycles, 106 | ProfileIcacheIssues, 107 | ProfileDcacheAccesses, 108 | ProfileMemoryBarrierCycles, 109 | ProfileLoadLinkedIssues, 110 | ProfileMaximum 111 | } KPROFILE_SOURCE; 112 | 113 | NTSYSCALLAPI 114 | NTSTATUS 115 | NTAPI 116 | NtCallbackReturn( 117 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 118 | _In_ ULONG OutputLength, 119 | _In_ NTSTATUS Status 120 | ); 121 | 122 | #if (NTDDI_VERSION >= NTDDI_VISTA) 123 | NTSYSCALLAPI 124 | VOID 125 | NTAPI 126 | NtFlushProcessWriteBuffers( 127 | VOID 128 | ); 129 | #endif 130 | 131 | NTSYSCALLAPI 132 | NTSTATUS 133 | NTAPI 134 | NtQueryDebugFilterState( 135 | _In_ ULONG ComponentId, 136 | _In_ ULONG Level 137 | ); 138 | 139 | NTSYSCALLAPI 140 | NTSTATUS 141 | NTAPI 142 | NtSetDebugFilterState( 143 | _In_ ULONG ComponentId, 144 | _In_ ULONG Level, 145 | _In_ BOOLEAN State 146 | ); 147 | 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtYieldExecution( 152 | VOID 153 | ); 154 | 155 | -------------------------------------------------------------------------------- /ntmisc.h: -------------------------------------------------------------------------------- 1 | // Filter manager 2 | 3 | #define FLT_PORT_CONNECT 0x0001 4 | #define 
FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) 5 | 6 | // VDM 7 | 8 | typedef enum _VDMSERVICECLASS 9 | { 10 | VdmStartExecution, 11 | VdmQueueInterrupt, 12 | VdmDelayInterrupt, 13 | VdmInitialize, 14 | VdmFeatures, 15 | VdmSetInt21Handler, 16 | VdmQueryDir, 17 | VdmPrinterDirectIoOpen, 18 | VdmPrinterDirectIoClose, 19 | VdmPrinterInitialize, 20 | VdmSetLdtEntries, 21 | VdmSetProcessLdtInfo, 22 | VdmAdlibEmulation, 23 | VdmPMCliControl, 24 | VdmQueryVdmProcess, 25 | VdmPreInitialize 26 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 27 | 28 | NTSYSCALLAPI 29 | NTSTATUS 30 | NTAPI 31 | NtVdmControl( 32 | _In_ VDMSERVICECLASS Service, 33 | _Inout_ PVOID ServiceData 34 | ); 35 | 36 | // WMI/ETW 37 | 38 | NTSYSCALLAPI 39 | NTSTATUS 40 | NTAPI 41 | NtTraceEvent( 42 | _In_ HANDLE TraceHandle, 43 | _In_ ULONG Flags, 44 | _In_ ULONG FieldSize, 45 | _In_ PVOID Fields 46 | ); 47 | 48 | typedef enum _TRACE_CONTROL_INFORMATION_CLASS 49 | { 50 | TraceControlStartLogger = 1, // inout WMI_LOGGER_INFORMATION 51 | TraceControlStopLogger = 2, // inout WMI_LOGGER_INFORMATION 52 | TraceControlQueryLogger = 3, // inout WMI_LOGGER_INFORMATION 53 | TraceControlUpdateLogger = 4, // inout WMI_LOGGER_INFORMATION 54 | TraceControlFlushLogger = 5, // inout WMI_LOGGER_INFORMATION 55 | TraceControlIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION 56 | TraceControlUnknown = 7, 57 | // unused 58 | TraceControlRealtimeConnect = 11, 59 | TraceControlActivityIdCreate = 12, 60 | TraceControlWdiDispatchControl = 13, 61 | TraceControlRealtimeDisconnectConsumerByHandle = 14, // in HANDLE 62 | TraceControlRegisterGuidsCode = 15, 63 | TraceControlReceiveNotification = 16, 64 | TraceControlSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET 65 | TraceControlSendReplyDataBlock = 18, 66 | TraceControlReceiveReplyDataBlock = 19, 67 | TraceControlWdiUpdateSem = 20, 68 | TraceControlEnumTraceGuidList = 21, // out GUID[] 69 | TraceControlGetTraceGuidInfo = 22, // in GUID, out TRACE_GUID_INFO 70 | 
TraceControlEnumerateTraceGuids = 23, 71 | TraceControlRegisterSecurityProv = 24, 72 | TraceControlQueryReferenceTime = 25, 73 | TraceControlTrackProviderBinary = 26, // in HANDLE 74 | TraceControlAddNotificationEvent = 27, 75 | TraceControlUpdateDisallowList = 28, 76 | TraceControlSetEnableAllKeywordsCode = 29, 77 | TraceControlSetProviderTraitsCode = 30, 78 | TraceControlUseDescriptorTypeCode = 31, 79 | TraceControlEnumTraceGroupList = 32, 80 | TraceControlGetTraceGroupInfo = 33, 81 | TraceControlTraceSetDisallowList = 34, 82 | TraceControlSetCompressionSettings = 35, 83 | TraceControlGetCompressionSettings = 36, 84 | TraceControlUpdatePeriodicCaptureState = 37, 85 | TraceControlGetPrivateSessionTraceHandle = 38, 86 | TraceControlRegisterPrivateSession = 39, 87 | TraceControlQuerySessionDemuxObject = 40, 88 | TraceControlSetProviderBinaryTracking = 41, 89 | TraceControlMaxLoggers = 42, // out ULONG 90 | TraceControlMaxPmcCounter = 43, // out ULONG 91 | TraceControlQueryUsedProcessorCount = 44, // ULONG // since WIN11 92 | TraceControlGetPmcOwnership = 45, 93 | } TRACE_CONTROL_INFORMATION_CLASS; 94 | 95 | #if (NTDDI_VERSION >= NTDDI_VISTA) 96 | // private 97 | NTSYSCALLAPI 98 | NTSTATUS 99 | NTAPI 100 | NtTraceControl( 101 | _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass, 102 | _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 103 | _In_ ULONG InputBufferLength, 104 | _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation, 105 | _In_ ULONG TraceInformationLength, 106 | _Out_ PULONG ReturnLength 107 | ); 108 | #endif 109 | 110 | -------------------------------------------------------------------------------- /ntnls.h: -------------------------------------------------------------------------------- 1 | #define MAXIMUM_LEADBYTES 12 2 | 3 | typedef struct _CPTABLEINFO 4 | { 5 | USHORT CodePage; 6 | USHORT MaximumCharacterSize; 7 | USHORT DefaultChar; 8 | USHORT UniDefaultChar; 9 | USHORT TransDefaultChar; 10 | USHORT 
TransUniDefaultChar; 11 | USHORT DBCSCodePage; 12 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; 13 | PUSHORT MultiByteTable; 14 | PVOID WideCharTable; 15 | PUSHORT DBCSRanges; 16 | PUSHORT DBCSOffsets; 17 | } CPTABLEINFO, *PCPTABLEINFO; 18 | 19 | typedef struct _NLSTABLEINFO 20 | { 21 | CPTABLEINFO OemTableInfo; 22 | CPTABLEINFO AnsiTableInfo; 23 | PUSHORT UpperCaseTable; 24 | PUSHORT LowerCaseTable; 25 | } NLSTABLEINFO, *PNLSTABLEINFO; 26 | 27 | NTSYSAPI USHORT NlsAnsiCodePage; 28 | NTSYSAPI BOOLEAN NlsMbCodePageTag; 29 | NTSYSAPI BOOLEAN NlsMbOemCodePageTag; 30 | 31 | -------------------------------------------------------------------------------- /ntobapi.h: -------------------------------------------------------------------------------- 1 | #define OBJECT_TYPE_CREATE 0x0001 2 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 3 | 4 | #define DIRECTORY_QUERY 0x0001 5 | #define DIRECTORY_TRAVERSE 0x0002 6 | #define DIRECTORY_CREATE_OBJECT 0x0004 7 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 8 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf) 9 | 10 | #define SYMBOLIC_LINK_QUERY 0x0001 11 | #define SYMBOLIC_LINK_SET 0x0002 12 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 13 | #define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF) 14 | 15 | #ifndef OBJ_PROTECT_CLOSE 16 | #define OBJ_PROTECT_CLOSE 0x00000001 17 | #endif 18 | #ifndef OBJ_INHERIT 19 | #define OBJ_INHERIT 0x00000002 20 | #endif 21 | #ifndef OBJ_AUDIT_OBJECT_CLOSE 22 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 23 | #endif 24 | 25 | typedef enum _OBJECT_INFORMATION_CLASS 26 | { 27 | ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION 28 | ObjectNameInformation, // q: OBJECT_NAME_INFORMATION 29 | ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION 30 | ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION 31 | ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION 32 | ObjectSessionInformation, // s: void // change object 
session // (requires SeTcbPrivilege) 33 | ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) 34 | MaxObjectInfoClass 35 | } OBJECT_INFORMATION_CLASS; 36 | 37 | typedef struct _OBJECT_BASIC_INFORMATION 38 | { 39 | ULONG Attributes; 40 | ACCESS_MASK GrantedAccess; 41 | ULONG HandleCount; 42 | ULONG PointerCount; 43 | ULONG PagedPoolCharge; 44 | ULONG NonPagedPoolCharge; 45 | ULONG Reserved[3]; 46 | ULONG NameInfoSize; 47 | ULONG TypeInfoSize; 48 | ULONG SecurityDescriptorSize; 49 | LARGE_INTEGER CreationTime; 50 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 51 | 52 | typedef struct _OBJECT_NAME_INFORMATION 53 | { 54 | UNICODE_STRING Name; 55 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 56 | 57 | typedef struct _OBJECT_TYPE_INFORMATION 58 | { 59 | UNICODE_STRING TypeName; 60 | ULONG TotalNumberOfObjects; 61 | ULONG TotalNumberOfHandles; 62 | ULONG TotalPagedPoolUsage; 63 | ULONG TotalNonPagedPoolUsage; 64 | ULONG TotalNamePoolUsage; 65 | ULONG TotalHandleTableUsage; 66 | ULONG HighWaterNumberOfObjects; 67 | ULONG HighWaterNumberOfHandles; 68 | ULONG HighWaterPagedPoolUsage; 69 | ULONG HighWaterNonPagedPoolUsage; 70 | ULONG HighWaterNamePoolUsage; 71 | ULONG HighWaterHandleTableUsage; 72 | ULONG InvalidAttributes; 73 | GENERIC_MAPPING GenericMapping; 74 | ULONG ValidAccessMask; 75 | BOOLEAN SecurityRequired; 76 | BOOLEAN MaintainHandleCount; 77 | UCHAR TypeIndex; // since WINBLUE 78 | CHAR ReservedByte; 79 | ULONG PoolType; 80 | ULONG DefaultPagedPoolCharge; 81 | ULONG DefaultNonPagedPoolCharge; 82 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 83 | 84 | typedef struct _OBJECT_TYPES_INFORMATION 85 | { 86 | ULONG NumberOfTypes; 87 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 88 | 89 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 90 | { 91 | BOOLEAN Inherit; 92 | BOOLEAN ProtectFromClose; 93 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 94 | 95 | // 
Objects, handles 96 | 97 | NTSYSCALLAPI 98 | NTSTATUS 99 | NTAPI 100 | NtQueryObject( 101 | _In_opt_ HANDLE Handle, 102 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 103 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 104 | _In_ ULONG ObjectInformationLength, 105 | _Out_opt_ PULONG ReturnLength 106 | ); 107 | 108 | NTSYSCALLAPI 109 | NTSTATUS 110 | NTAPI 111 | NtSetInformationObject( 112 | _In_ HANDLE Handle, 113 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 114 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 115 | _In_ ULONG ObjectInformationLength 116 | ); 117 | 118 | #define DUPLICATE_CLOSE_SOURCE 0x00000001 119 | #define DUPLICATE_SAME_ACCESS 0x00000002 120 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 121 | 122 | NTSYSCALLAPI 123 | NTSTATUS 124 | NTAPI 125 | NtDuplicateObject( 126 | _In_ HANDLE SourceProcessHandle, 127 | _In_ HANDLE SourceHandle, 128 | _In_opt_ HANDLE TargetProcessHandle, 129 | _Out_opt_ PHANDLE TargetHandle, 130 | _In_ ACCESS_MASK DesiredAccess, 131 | _In_ ULONG HandleAttributes, 132 | _In_ ULONG Options 133 | ); 134 | 135 | NTSYSCALLAPI 136 | NTSTATUS 137 | NTAPI 138 | NtMakeTemporaryObject( 139 | _In_ HANDLE Handle 140 | ); 141 | 142 | NTSYSCALLAPI 143 | NTSTATUS 144 | NTAPI 145 | NtMakePermanentObject( 146 | _In_ HANDLE Handle 147 | ); 148 | 149 | NTSYSCALLAPI 150 | NTSTATUS 151 | NTAPI 152 | NtSignalAndWaitForSingleObject( 153 | _In_ HANDLE SignalHandle, 154 | _In_ HANDLE WaitHandle, 155 | _In_ BOOLEAN Alertable, 156 | _In_opt_ PLARGE_INTEGER Timeout 157 | ); 158 | 159 | NTSYSCALLAPI 160 | NTSTATUS 161 | NTAPI 162 | NtWaitForSingleObject( 163 | _In_ HANDLE Handle, 164 | _In_ BOOLEAN Alertable, 165 | _In_opt_ PLARGE_INTEGER Timeout 166 | ); 167 | 168 | NTSYSCALLAPI 169 | NTSTATUS 170 | NTAPI 171 | NtWaitForMultipleObjects( 172 | _In_ ULONG Count, 173 | _In_reads_(Count) HANDLE Handles[], 174 | _In_ WAIT_TYPE WaitType, 175 | _In_ BOOLEAN Alertable, 176 | _In_opt_ 
PLARGE_INTEGER Timeout 177 | ); 178 | 179 | #if (NTDDI_VERSION >= NTDDI_WS03) 180 | NTSYSCALLAPI 181 | NTSTATUS 182 | NTAPI 183 | NtWaitForMultipleObjects32( 184 | _In_ ULONG Count, 185 | _In_reads_(Count) LONG Handles[], 186 | _In_ WAIT_TYPE WaitType, 187 | _In_ BOOLEAN Alertable, 188 | _In_opt_ PLARGE_INTEGER Timeout 189 | ); 190 | #endif 191 | 192 | NTSYSCALLAPI 193 | NTSTATUS 194 | NTAPI 195 | NtSetSecurityObject( 196 | _In_ HANDLE Handle, 197 | _In_ SECURITY_INFORMATION SecurityInformation, 198 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 199 | ); 200 | 201 | NTSYSCALLAPI 202 | NTSTATUS 203 | NTAPI 204 | NtQuerySecurityObject( 205 | _In_ HANDLE Handle, 206 | _In_ SECURITY_INFORMATION SecurityInformation, 207 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 208 | _In_ ULONG Length, 209 | _Out_ PULONG LengthNeeded 210 | ); 211 | 212 | NTSYSCALLAPI 213 | NTSTATUS 214 | NTAPI 215 | NtClose( 216 | _In_ _Post_ptr_invalid_ HANDLE Handle 217 | ); 218 | 219 | #if (NTDDI_VERSION >= NTDDI_WIN10) 220 | NTSYSCALLAPI 221 | NTSTATUS 222 | NTAPI 223 | NtCompareObjects( 224 | _In_ HANDLE FirstObjectHandle, 225 | _In_ HANDLE SecondObjectHandle 226 | ); 227 | #endif 228 | 229 | // Directory objects 230 | 231 | NTSYSCALLAPI 232 | NTSTATUS 233 | NTAPI 234 | NtCreateDirectoryObject( 235 | _Out_ PHANDLE DirectoryHandle, 236 | _In_ ACCESS_MASK DesiredAccess, 237 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 238 | ); 239 | 240 | #if (NTDDI_VERSION >= NTDDI_WIN8) 241 | NTSYSCALLAPI 242 | NTSTATUS 243 | NTAPI 244 | NtCreateDirectoryObjectEx( 245 | _Out_ PHANDLE DirectoryHandle, 246 | _In_ ACCESS_MASK DesiredAccess, 247 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 248 | _In_ HANDLE ShadowDirectoryHandle, 249 | _In_ ULONG Flags 250 | ); 251 | #endif 252 | 253 | NTSYSCALLAPI 254 | NTSTATUS 255 | NTAPI 256 | NtOpenDirectoryObject( 257 | _Out_ PHANDLE DirectoryHandle, 258 | _In_ ACCESS_MASK DesiredAccess, 259 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 260 | ); 261 | 
262 | typedef struct _OBJECT_DIRECTORY_INFORMATION 263 | { 264 | UNICODE_STRING Name; 265 | UNICODE_STRING TypeName; 266 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 267 | 268 | NTSYSCALLAPI 269 | NTSTATUS 270 | NTAPI 271 | NtQueryDirectoryObject( 272 | _In_ HANDLE DirectoryHandle, 273 | _Out_writes_bytes_opt_(Length) PVOID Buffer, 274 | _In_ ULONG Length, 275 | _In_ BOOLEAN ReturnSingleEntry, 276 | _In_ BOOLEAN RestartScan, 277 | _Inout_ PULONG Context, 278 | _Out_opt_ PULONG ReturnLength 279 | ); 280 | 281 | // Private namespaces 282 | 283 | #if (NTDDI_VERSION >= NTDDI_VISTA) 284 | 285 | // private 286 | typedef enum _BOUNDARY_ENTRY_TYPE 287 | { 288 | OBNS_Invalid, 289 | OBNS_Name, 290 | OBNS_SID, 291 | OBNS_IL 292 | } BOUNDARY_ENTRY_TYPE; 293 | 294 | // private 295 | typedef struct _OBJECT_BOUNDARY_ENTRY 296 | { 297 | BOUNDARY_ENTRY_TYPE EntryType; 298 | ULONG EntrySize; 299 | } OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; 300 | 301 | // rev 302 | #define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1 303 | 304 | // private 305 | typedef struct _OBJECT_BOUNDARY_DESCRIPTOR 306 | { 307 | ULONG Version; 308 | ULONG Items; 309 | ULONG TotalSize; 310 | union 311 | { 312 | ULONG Flags; 313 | struct 314 | { 315 | ULONG AddAppContainerSid : 1; 316 | ULONG Reserved : 31; 317 | }; 318 | }; 319 | } OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR; 320 | 321 | NTSYSCALLAPI 322 | NTSTATUS 323 | NTAPI 324 | NtCreatePrivateNamespace( 325 | _Out_ PHANDLE NamespaceHandle, 326 | _In_ ACCESS_MASK DesiredAccess, 327 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 328 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 329 | ); 330 | 331 | NTSYSCALLAPI 332 | NTSTATUS 333 | NTAPI 334 | NtOpenPrivateNamespace( 335 | _Out_ PHANDLE NamespaceHandle, 336 | _In_ ACCESS_MASK DesiredAccess, 337 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 338 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 339 | ); 340 | 341 | NTSYSCALLAPI 342 | NTSTATUS 343 | NTAPI 344 | 
NtDeletePrivateNamespace( 345 | _In_ HANDLE NamespaceHandle 346 | ); 347 | 348 | #endif 349 | 350 | // Symbolic links 351 | 352 | NTSYSCALLAPI 353 | NTSTATUS 354 | NTAPI 355 | NtCreateSymbolicLinkObject( 356 | _Out_ PHANDLE LinkHandle, 357 | _In_ ACCESS_MASK DesiredAccess, 358 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 359 | _In_ PUNICODE_STRING LinkTarget 360 | ); 361 | 362 | NTSYSCALLAPI 363 | NTSTATUS 364 | NTAPI 365 | NtOpenSymbolicLinkObject( 366 | _Out_ PHANDLE LinkHandle, 367 | _In_ ACCESS_MASK DesiredAccess, 368 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 369 | ); 370 | 371 | NTSYSCALLAPI 372 | NTSTATUS 373 | NTAPI 374 | NtQuerySymbolicLinkObject( 375 | _In_ HANDLE LinkHandle, 376 | _Inout_ PUNICODE_STRING LinkTarget, 377 | _Out_opt_ PULONG ReturnedLength 378 | ); 379 | 380 | typedef enum _SYMBOLIC_LINK_INFO_CLASS 381 | { 382 | SymbolicLinkGlobalInformation = 1, // s: ULONG 383 | SymbolicLinkAccessMask, // s: ACCESS_MASK 384 | MaxnSymbolicLinkInfoClass 385 | } SYMBOLIC_LINK_INFO_CLASS; 386 | 387 | #if (NTDDI_VERSION >= NTDDI_WIN10) 388 | NTSYSCALLAPI 389 | NTSTATUS 390 | NTAPI 391 | NtSetInformationSymbolicLink( 392 | _In_ HANDLE LinkHandle, 393 | _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, 394 | _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, 395 | _In_ ULONG SymbolicLinkInformationLength 396 | ); 397 | #endif 398 | -------------------------------------------------------------------------------- /ntpebteb.h: -------------------------------------------------------------------------------- 1 | typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; 2 | typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; 3 | 4 | // private 5 | typedef struct _ACTIVATION_CONTEXT_STACK 6 | { 7 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame; 8 | LIST_ENTRY FrameListCache; 9 | ULONG Flags; 10 | ULONG NextCookieSequenceNumber; 11 | ULONG StackId; 12 | } ACTIVATION_CONTEXT_STACK, 
*PACTIVATION_CONTEXT_STACK; 13 | 14 | // private 15 | typedef struct _API_SET_NAMESPACE 16 | { 17 | ULONG Version; 18 | ULONG Size; 19 | ULONG Flags; 20 | ULONG Count; 21 | ULONG EntryOffset; 22 | ULONG HashOffset; 23 | ULONG HashFactor; 24 | } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; 25 | 26 | // private 27 | typedef struct _API_SET_HASH_ENTRY 28 | { 29 | ULONG Hash; 30 | ULONG Index; 31 | } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; 32 | 33 | // private 34 | typedef struct _API_SET_NAMESPACE_ENTRY 35 | { 36 | ULONG Flags; 37 | ULONG NameOffset; 38 | ULONG NameLength; 39 | ULONG HashedLength; 40 | ULONG ValueOffset; 41 | ULONG ValueCount; 42 | } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; 43 | 44 | // private 45 | typedef struct _API_SET_VALUE_ENTRY 46 | { 47 | ULONG Flags; 48 | ULONG NameOffset; 49 | ULONG NameLength; 50 | ULONG ValueOffset; 51 | ULONG ValueLength; 52 | } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; 53 | 54 | // symbols 55 | typedef struct _PEB 56 | { 57 | BOOLEAN InheritedAddressSpace; 58 | BOOLEAN ReadImageFileExecOptions; 59 | BOOLEAN BeingDebugged; 60 | union 61 | { 62 | BOOLEAN BitField; 63 | struct 64 | { 65 | BOOLEAN ImageUsesLargePages : 1; 66 | BOOLEAN IsProtectedProcess : 1; 67 | BOOLEAN IsImageDynamicallyRelocated : 1; 68 | BOOLEAN SkipPatchingUser32Forwarders : 1; 69 | BOOLEAN IsPackagedProcess : 1; 70 | BOOLEAN IsAppContainer : 1; 71 | BOOLEAN IsProtectedProcessLight : 1; 72 | BOOLEAN IsLongPathAwareProcess : 1; 73 | }; 74 | }; 75 | 76 | HANDLE Mutant; 77 | 78 | PVOID ImageBaseAddress; 79 | PPEB_LDR_DATA Ldr; 80 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 81 | PVOID SubSystemData; 82 | PVOID ProcessHeap; 83 | PRTL_CRITICAL_SECTION FastPebLock; 84 | PSLIST_HEADER AtlThunkSListPtr; 85 | PVOID IFEOKey; 86 | 87 | union 88 | { 89 | ULONG CrossProcessFlags; 90 | struct 91 | { 92 | ULONG ProcessInJob : 1; 93 | ULONG ProcessInitializing : 1; 94 | ULONG ProcessUsingVEH : 1; 95 | ULONG ProcessUsingVCH : 1; 96 | ULONG ProcessUsingFTH 
: 1; 97 | ULONG ProcessPreviouslyThrottled : 1; 98 | ULONG ProcessCurrentlyThrottled : 1; 99 | ULONG ProcessImagesHotPatched : 1; // REDSTONE5 100 | ULONG ReservedBits0 : 24; 101 | }; 102 | }; 103 | union 104 | { 105 | PVOID KernelCallbackTable; 106 | PVOID UserSharedInfoPtr; 107 | }; 108 | ULONG SystemReserved; 109 | ULONG AtlThunkSListPtr32; 110 | PAPI_SET_NAMESPACE ApiSetMap; 111 | ULONG TlsExpansionCounter; 112 | PVOID TlsBitmap; 113 | ULONG TlsBitmapBits[2]; 114 | 115 | PVOID ReadOnlySharedMemoryBase; 116 | PVOID SharedData; // HotpatchInformation 117 | PVOID *ReadOnlyStaticServerData; 118 | 119 | PVOID AnsiCodePageData; // PCPTABLEINFO 120 | PVOID OemCodePageData; // PCPTABLEINFO 121 | PVOID UnicodeCaseTableData; // PNLSTABLEINFO 122 | 123 | ULONG NumberOfProcessors; 124 | ULONG NtGlobalFlag; 125 | 126 | ULARGE_INTEGER CriticalSectionTimeout; 127 | SIZE_T HeapSegmentReserve; 128 | SIZE_T HeapSegmentCommit; 129 | SIZE_T HeapDeCommitTotalFreeThreshold; 130 | SIZE_T HeapDeCommitFreeBlockThreshold; 131 | 132 | ULONG NumberOfHeaps; 133 | ULONG MaximumNumberOfHeaps; 134 | PVOID *ProcessHeaps; // PHEAP 135 | 136 | PVOID GdiSharedHandleTable; 137 | PVOID ProcessStarterHelper; 138 | ULONG GdiDCAttributeList; 139 | 140 | PRTL_CRITICAL_SECTION LoaderLock; 141 | 142 | ULONG OSMajorVersion; 143 | ULONG OSMinorVersion; 144 | USHORT OSBuildNumber; 145 | USHORT OSCSDVersion; 146 | ULONG OSPlatformId; 147 | ULONG ImageSubsystem; 148 | ULONG ImageSubsystemMajorVersion; 149 | ULONG ImageSubsystemMinorVersion; 150 | KAFFINITY ActiveProcessAffinityMask; 151 | GDI_HANDLE_BUFFER GdiHandleBuffer; 152 | PVOID PostProcessInitRoutine; 153 | 154 | PVOID TlsExpansionBitmap; 155 | ULONG TlsExpansionBitmapBits[32]; 156 | 157 | ULONG SessionId; 158 | 159 | ULARGE_INTEGER AppCompatFlags; 160 | ULARGE_INTEGER AppCompatFlagsUser; 161 | PVOID pShimData; 162 | PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA 163 | 164 | UNICODE_STRING CSDVersion; 165 | 166 | PVOID ActivationContextData; // 
ACTIVATION_CONTEXT_DATA 167 | PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP 168 | PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA 169 | PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP 170 | 171 | SIZE_T MinimumStackCommit; 172 | 173 | PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) 174 | PVOID PatchLoaderData; 175 | PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO 176 | 177 | ULONG AppModelFeatureState; 178 | ULONG SpareUlongs[2]; 179 | 180 | USHORT ActiveCodePage; 181 | USHORT OemCodePage; 182 | USHORT UseCaseMapping; 183 | USHORT UnusedNlsField; 184 | 185 | PVOID WerRegistrationData; 186 | PVOID WerShipAssertPtr; 187 | 188 | union 189 | { 190 | PVOID pContextData; // WIN7 191 | PVOID pUnused; // WIN10 192 | PVOID EcCodeBitMap; // WIN11 193 | }; 194 | 195 | PVOID pImageHeaderHash; 196 | union 197 | { 198 | ULONG TracingFlags; 199 | struct 200 | { 201 | ULONG HeapTracingEnabled : 1; 202 | ULONG CritSecTracingEnabled : 1; 203 | ULONG LibLoaderTracingEnabled : 1; 204 | ULONG SpareTracingBits : 29; 205 | }; 206 | }; 207 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 208 | PRTL_CRITICAL_SECTION TppWorkerpListLock; 209 | LIST_ENTRY TppWorkerpList; 210 | PVOID WaitOnAddressHashTable[128]; 211 | PVOID TelemetryCoverageHeader; // REDSTONE3 212 | ULONG CloudFileFlags; 213 | ULONG CloudFileDiagFlags; // REDSTONE4 214 | CHAR PlaceholderCompatibilityMode; 215 | CHAR PlaceholderCompatibilityModeReserved[7]; 216 | struct _LEAP_SECOND_DATA *LeapSecondData; // REDSTONE5 217 | union 218 | { 219 | ULONG LeapSecondFlags; 220 | struct 221 | { 222 | ULONG SixtySecondEnabled : 1; 223 | ULONG Reserved : 31; 224 | }; 225 | }; 226 | ULONG NtGlobalFlag2; 227 | ULONGLONG ExtendedFeatureDisableMask; // since WIN11 228 | } PEB, *PPEB; 229 | 230 | #ifdef _WIN64 231 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); 232 | //C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 233 | //C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 234 | 
//C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 235 | C_ASSERT(sizeof(PEB) == 0x7d0); // WIN11 236 | #else 237 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); 238 | //C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 239 | //C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4 240 | //C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 241 | C_ASSERT(sizeof(PEB) == 0x488); // WIN11 242 | #endif 243 | 244 | #define GDI_BATCH_BUFFER_SIZE 310 245 | 246 | typedef struct _GDI_TEB_BATCH 247 | { 248 | ULONG Offset; 249 | ULONG_PTR HDC; 250 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 251 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 252 | 253 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 254 | { 255 | ULONG Flags; 256 | PSTR FrameName; 257 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 258 | 259 | typedef struct _TEB_ACTIVE_FRAME 260 | { 261 | ULONG Flags; 262 | struct _TEB_ACTIVE_FRAME *Previous; 263 | PTEB_ACTIVE_FRAME_CONTEXT Context; 264 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 265 | 266 | typedef struct _TEB 267 | { 268 | NT_TIB NtTib; 269 | 270 | PVOID EnvironmentPointer; 271 | CLIENT_ID ClientId; 272 | PVOID ActiveRpcHandle; 273 | PVOID ThreadLocalStoragePointer; 274 | PPEB ProcessEnvironmentBlock; 275 | 276 | ULONG LastErrorValue; 277 | ULONG CountOfOwnedCriticalSections; 278 | PVOID CsrClientThread; 279 | PVOID Win32ThreadInfo; 280 | ULONG User32Reserved[26]; 281 | ULONG UserReserved[5]; 282 | PVOID WOW32Reserved; 283 | LCID CurrentLocale; 284 | ULONG FpSoftwareStatusRegister; 285 | PVOID ReservedForDebuggerInstrumentation[16]; 286 | #ifdef _WIN64 287 | PVOID SystemReserved1[30]; 288 | #else 289 | PVOID SystemReserved1[26]; 290 | #endif 291 | 292 | CHAR PlaceholderCompatibilityMode; 293 | BOOLEAN PlaceholderHydrationAlwaysExplicit; 294 | CHAR PlaceholderReserved[10]; 295 | 296 | ULONG ProxiedProcessId; 297 | ACTIVATION_CONTEXT_STACK ActivationStack; 298 | 299 | UCHAR WorkingOnBehalfTicket[8]; 300 | NTSTATUS ExceptionCode; 301 | 302 | PACTIVATION_CONTEXT_STACK 
ActivationContextStackPointer; 303 | ULONG_PTR InstrumentationCallbackSp; 304 | ULONG_PTR InstrumentationCallbackPreviousPc; 305 | ULONG_PTR InstrumentationCallbackPreviousSp; 306 | #ifdef _WIN64 307 | ULONG TxFsContext; 308 | #endif 309 | 310 | BOOLEAN InstrumentationCallbackDisabled; 311 | #ifdef _WIN64 312 | BOOLEAN UnalignedLoadStoreExceptions; 313 | #endif 314 | #ifndef _WIN64 315 | UCHAR SpareBytes[23]; 316 | ULONG TxFsContext; 317 | #endif 318 | GDI_TEB_BATCH GdiTebBatch; 319 | CLIENT_ID RealClientId; 320 | HANDLE GdiCachedProcessHandle; 321 | ULONG GdiClientPID; 322 | ULONG GdiClientTID; 323 | PVOID GdiThreadLocalInfo; 324 | ULONG_PTR Win32ClientInfo[62]; 325 | PVOID glDispatchTable[233]; 326 | ULONG_PTR glReserved1[29]; 327 | PVOID glReserved2; 328 | PVOID glSectionInfo; 329 | PVOID glSection; 330 | PVOID glTable; 331 | PVOID glCurrentRC; 332 | PVOID glContext; 333 | 334 | NTSTATUS LastStatusValue; 335 | UNICODE_STRING StaticUnicodeString; 336 | WCHAR StaticUnicodeBuffer[261]; 337 | 338 | PVOID DeallocationStack; 339 | PVOID TlsSlots[64]; 340 | LIST_ENTRY TlsLinks; 341 | 342 | PVOID Vdm; 343 | PVOID ReservedForNtRpc; 344 | PVOID DbgSsReserved[2]; 345 | 346 | ULONG HardErrorMode; 347 | #ifdef _WIN64 348 | PVOID Instrumentation[11]; 349 | #else 350 | PVOID Instrumentation[9]; 351 | #endif 352 | GUID ActivityId; 353 | 354 | PVOID SubProcessTag; 355 | PVOID PerflibData; 356 | PVOID EtwTraceData; 357 | PVOID WinSockData; 358 | ULONG GdiBatchCount; 359 | 360 | union 361 | { 362 | PROCESSOR_NUMBER CurrentIdealProcessor; 363 | ULONG IdealProcessorValue; 364 | struct 365 | { 366 | UCHAR ReservedPad0; 367 | UCHAR ReservedPad1; 368 | UCHAR ReservedPad2; 369 | UCHAR IdealProcessor; 370 | }; 371 | }; 372 | 373 | ULONG GuaranteedStackBytes; 374 | PVOID ReservedForPerf; 375 | PVOID ReservedForOle; 376 | ULONG WaitingOnLoaderLock; 377 | PVOID SavedPriorityState; 378 | ULONG_PTR ReservedForCodeCoverage; 379 | PVOID ThreadPoolData; 380 | PVOID *TlsExpansionSlots; 381 | 
#ifdef _WIN64 382 | PVOID DeallocationBStore; 383 | PVOID BStoreLimit; 384 | #endif 385 | ULONG MuiGeneration; 386 | ULONG IsImpersonating; 387 | PVOID NlsCache; 388 | PVOID pShimData; 389 | ULONG HeapData; 390 | HANDLE CurrentTransactionHandle; 391 | PTEB_ACTIVE_FRAME ActiveFrame; 392 | PVOID FlsData; 393 | 394 | PVOID PreferredLanguages; 395 | PVOID UserPrefLanguages; 396 | PVOID MergedPrefLanguages; 397 | ULONG MuiImpersonation; 398 | 399 | union 400 | { 401 | USHORT CrossTebFlags; 402 | USHORT SpareCrossTebBits : 16; 403 | }; 404 | union 405 | { 406 | USHORT SameTebFlags; 407 | struct 408 | { 409 | USHORT SafeThunkCall : 1; 410 | USHORT InDebugPrint : 1; 411 | USHORT HasFiberData : 1; 412 | USHORT SkipThreadAttach : 1; 413 | USHORT WerInShipAssertCode : 1; 414 | USHORT RanProcessInit : 1; 415 | USHORT ClonedThread : 1; 416 | USHORT SuppressDebugMsg : 1; 417 | USHORT DisableUserStackWalk : 1; 418 | USHORT RtlExceptionAttached : 1; 419 | USHORT InitialThread : 1; 420 | USHORT SessionAware : 1; 421 | USHORT LoadOwner : 1; 422 | USHORT LoaderWorker : 1; 423 | USHORT SkipLoaderInit : 1; 424 | USHORT SkipFileAPIBrokering : 1; 425 | }; 426 | }; 427 | 428 | PVOID TxnScopeEnterCallback; 429 | PVOID TxnScopeExitCallback; 430 | PVOID TxnScopeContext; 431 | ULONG LockCount; 432 | LONG WowTebOffset; 433 | PVOID ResourceRetValue; 434 | PVOID ReservedForWdf; 435 | ULONGLONG ReservedForCrt; 436 | GUID EffectiveContainerId; 437 | ULONGLONG LastSleepCounter; // Win11 438 | ULONG SpinCallCount; 439 | ULONGLONG ExtendedFeatureDisableMask; 440 | } TEB, *PTEB; 441 | -------------------------------------------------------------------------------- /ntpfapi.h: -------------------------------------------------------------------------------- 1 | // begin_private 2 | 3 | // Prefetch 4 | 5 | typedef enum _PF_BOOT_PHASE_ID 6 | { 7 | PfKernelInitPhase = 0, 8 | PfBootDriverInitPhase = 90, 9 | PfSystemDriverInitPhase = 120, 10 | PfSessionManagerInitPhase = 150, 11 | PfSMRegistryInitPhase = 
180, 12 | PfVideoInitPhase = 210, 13 | PfPostVideoInitPhase = 240, 14 | PfBootAcceptedRegistryInitPhase = 270, 15 | PfUserShellReadyPhase = 300, 16 | PfMaxBootPhaseId = 900 17 | } PF_BOOT_PHASE_ID; 18 | 19 | typedef enum _PF_ENABLE_STATUS 20 | { 21 | PfSvNotSpecified, 22 | PfSvEnabled, 23 | PfSvDisabled, 24 | PfSvMaxEnableStatus 25 | } PF_ENABLE_STATUS; 26 | 27 | typedef struct _PF_TRACE_LIMITS 28 | { 29 | ULONG MaxNumPages; 30 | ULONG MaxNumSections; 31 | LONGLONG TimerPeriod; 32 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; 33 | 34 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS 35 | { 36 | PF_ENABLE_STATUS EnableStatus[2]; 37 | PF_TRACE_LIMITS TraceLimits[2]; 38 | ULONG MaxNumActiveTraces; 39 | ULONG MaxNumSavedTraces; 40 | WCHAR RootDirPath[32]; 41 | WCHAR HostingApplicationList[128]; 42 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; 43 | 44 | #define PF_BOOT_CONTROL_VERSION 1 45 | 46 | typedef struct _PF_BOOT_CONTROL 47 | { 48 | ULONG Version; 49 | ULONG DisableBootPrefetching; 50 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; 51 | 52 | typedef enum _PREFETCHER_INFORMATION_CLASS 53 | { 54 | PrefetcherRetrieveTrace = 1, // q: CHAR[] 55 | PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS 56 | PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID 57 | PrefetcherSpare1, // PrefetcherRetrieveBootLoaderTrace // q: CHAR[] 58 | PrefetcherBootControl, // s: PF_BOOT_CONTROL 59 | PrefetcherScenarioPolicyControl, 60 | PrefetcherSpare2, 61 | PrefetcherAppLaunchScenarioControl, 62 | PrefetcherInformationMax 63 | } PREFETCHER_INFORMATION_CLASS; 64 | 65 | #define PREFETCHER_INFORMATION_VERSION 23 // rev 66 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev 67 | 68 | typedef struct _PREFETCHER_INFORMATION 69 | { 70 | _In_ ULONG Version; 71 | _In_ ULONG Magic; 72 | _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; 73 | _Inout_ PVOID PrefetcherInformation; 74 | _Inout_ ULONG PrefetcherInformationLength; 75 | } PREFETCHER_INFORMATION, 
*PPREFETCHER_INFORMATION;

// Superfetch

// Parameter block returned for SuperfetchSystemParameters (see
// SUPERFETCH_INFORMATION_CLASS below).
typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS
{
    ULONG EnabledComponents;
    ULONG BootID;
    ULONG SavedSectInfoTracesMax;
    ULONG SavedPageAccessTracesMax;
    ULONG ScenarioPrefetchTimeoutStandby;
    ULONG ScenarioPrefetchTimeoutHibernate;
    ULONG ScenarioPrefetchTimeoutHiberBoot;
} PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS;

#define PF_PFN_PRIO_REQUEST_VERSION 1           // value expected in PF_PFN_PRIO_REQUEST.Version
#define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1
#define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1     // mask of accepted RequestFlags bits; currently only QUERY_MEMORY_LIST

// Buffer for SuperfetchPfnQuery. PageData is a fixed-size array, so
// PfnCount (the number of entries in use) must never exceed 256; anything
// filling this from an external count has to clamp to that bound before
// indexing PageData.
typedef struct _PF_PFN_PRIO_REQUEST
{
    ULONG Version;      // PF_PFN_PRIO_REQUEST_VERSION
    ULONG RequestFlags; // subset of PF_PFN_PRIO_REQUEST_VALID_FLAGS
    ULONG_PTR PfnCount; // entries of PageData in use (<= 256)
    SYSTEM_MEMORY_LIST_INFORMATION MemInfo;
    MMPFN_IDENTITY PageData[256];
} PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST;

typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE
{
    PfsPrivateSourceKernel,
    PfsPrivateSourceSession,
    PfsPrivateSourceProcess,
    PfsPrivateSourceMax
} PFS_PRIVATE_PAGE_SOURCE_TYPE;

// Identifies the owner of a set of private pages. Which union member is
// meaningful presumably follows Type (SessionId for session sources,
// ProcessId for process sources) — confirm against callers.
typedef struct _PFS_PRIVATE_PAGE_SOURCE
{
    PFS_PRIVATE_PAGE_SOURCE_TYPE Type;
    union
    {
        ULONG SessionId;
        ULONG ProcessId;
    };
    ULONG ImagePathHash;
    ULONG_PTR UniqueProcessHash;
} PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE;

// One entry of a SuperfetchPrivSourceQuery result. The per-field comments
// name the source types (process/session) for which a field is populated;
// fields without a comment apply to every type.
typedef struct _PF_PRIVSOURCE_INFO
{
    PFS_PRIVATE_PAGE_SOURCE DbInfo;
    PVOID EProcess;             // opaque; presumably a kernel-side EPROCESS address, never dereference it
    SIZE_T WsPrivatePages;
    SIZE_T TotalPrivatePages;
    ULONG SessionID;
    CHAR ImageName[16];         // fixed 16 bytes; the declaration does not guarantee NUL termination
    union {
        ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES.
        ULONG_PTR SessionPagedPoolPages; // session only.
        ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO.
    };
    ULONG_PTR WsTotalPages; // process/session only.
    ULONG DeepFreezeTimeMs; // process only.
    ULONG ModernApp : 1; // process only.
    ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred
    ULONG Foreground : 1; // process only.
    ULONG PerProcessStore : 1; // process only.
    ULONG Spare : 28;
} PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO;

#define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 // value expected in PF_PRIVSOURCE_QUERY_REQUEST.Version

// Buffer for SuperfetchPrivSourceQuery. InfoArray is declared with a single
// element in the classic variable-length idiom (compare Ranges[ANYSIZE_ARRAY]
// in PF_PHYSICAL_MEMORY_RANGE_INFO_V2 below); InfoCount presumably gives the
// number of entries actually present, so the buffer must be sized from it
// rather than from sizeof(PF_PRIVSOURCE_QUERY_REQUEST).
typedef struct _PF_PRIVSOURCE_QUERY_REQUEST
{
    ULONG Version;
    ULONG Flags;
    ULONG InfoCount;
    PF_PRIVSOURCE_INFO InfoArray[1];
} PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST;

typedef enum _PF_PHASED_SCENARIO_TYPE
{
    PfScenarioTypeNone,
    PfScenarioTypeStandby,
    PfScenarioTypeHibernate,
    PfScenarioTypeFUS,
    PfScenarioTypeMax
} PF_PHASED_SCENARIO_TYPE;

#define PF_SCENARIO_PHASE_INFO_VERSION 4 // value expected in PF_SCENARIO_PHASE_INFO.Version

// Buffer for SuperfetchScenarioQuery.
typedef struct _PF_SCENARIO_PHASE_INFO
{
    ULONG Version;
    PF_PHASED_SCENARIO_TYPE ScenType;
    ULONG PhaseId;
    ULONG SequenceNumber;
    ULONG Flags;
    ULONG FUSUserId;
} PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO;

// Page-list counts for one node. Node occupies the low 8 bits of the first
// ULONGLONG; the remaining 56 bits are spare.
typedef struct _PF_MEMORY_LIST_NODE
{
    ULONGLONG Node : 8;
    ULONGLONG Spare : 56;
    ULONGLONG StandbyLowPageCount;
    ULONGLONG StandbyMediumPageCount;
    ULONGLONG StandbyHighPageCount;
    ULONGLONG FreePageCount;
    ULONGLONG ModifiedPageCount;
} PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE;

#define PF_MEMORY_LIST_INFO_VERSION 1 // value expected in PF_MEMORY_LIST_INFO.Version

// Buffer for SuperfetchMemoryListQuery. Nodes is variable-length in the same
// [1] idiom as InfoArray above. Size and NodeCount presumably describe the
// total buffer and the entries present respectively — confirm which one is
// validated before trusting either to bound a read of Nodes.
typedef struct _PF_MEMORY_LIST_INFO
{
    ULONG Version;
    ULONG Size;
    ULONG NodeCount;
    PF_MEMORY_LIST_NODE Nodes[1];
} PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO;

// A run of physical pages: PageCount pages starting at page frame BasePfn.
typedef struct _PF_PHYSICAL_MEMORY_RANGE
{
    ULONG_PTR BasePfn;
    ULONG_PTR PageCount;
} PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE;

#define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1

typedef struct
_PF_PHYSICAL_MEMORY_RANGE_INFO_V1
{
    ULONG Version;      // PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION
    ULONG RangeCount;   // presumably the number of Ranges entries present
    PF_PHYSICAL_MEMORY_RANGE Ranges[1]; // trailing variable-length array
} PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1;

#define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2

// Second layout of the memory-ranges buffer: adds Flags before RangeCount and
// declares the trailing array with ANYSIZE_ARRAY instead of [1]. The
// SuperfetchMemoryRangesQuery comment below does not say which version is
// returned; the Version field (1 vs 2) is presumably what distinguishes
// them, so read it before choosing a layout.
typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2
{
    ULONG Version;      // PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION
    ULONG Flags;
    ULONG RangeCount;
    PF_PHYSICAL_MEMORY_RANGE Ranges[ANYSIZE_ARRAY];
} PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2;

// begin_rev

#define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1

// Buffer for SuperfetchRepurposedByPrefetch.
typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO
{
    ULONG Version;
    ULONG RepurposedByPrefetch;
} PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO;

// end_rev

// Selects the payload carried in SUPERFETCH_INFORMATION.SuperfetchInformation.
// Where known, the trailing comment gives the buffer type; "q:" marks a query.
typedef enum _SUPERFETCH_INFORMATION_CLASS
{
    SuperfetchRetrieveTrace = 1, // q: CHAR[]
    SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS
    SuperfetchLogEvent,
    SuperfetchGenerateTrace,
    SuperfetchPrefetch,
    SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST
    SuperfetchPfnSetPriority,
    SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST
    SuperfetchSequenceNumberQuery, // q: ULONG
    SuperfetchScenarioPhase, // 10
    SuperfetchWorkerPriority,
    SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO
    SuperfetchScenarioPrefetch,
    SuperfetchRobustnessControl,
    SuperfetchTimeControl,
    SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO
    SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO
    SuperfetchTracingControl,
    SuperfetchTrimWhileAgingControl,
    SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev
    SuperfetchChannelPowerRequest,
    SuperfetchMovePages,
    SuperfetchVirtualQuery,
    SuperfetchCombineStatsQuery,
    SuperfetchSetMinWsAgeRate,
    SuperfetchDeprioritizeOldPagesInWs,
    SuperfetchFileExtentsQuery,
    SuperfetchGpuUtilizationQuery, // PF_GPU_UTILIZATION_INFO
    SuperfetchInformationMax
} SUPERFETCH_INFORMATION_CLASS;

#define SUPERFETCH_INFORMATION_VERSION 45 // rev
#define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev

// Request envelope for the Superfetch classes above. The SAL annotations
// mark Version, Magic and the class as caller-supplied and the payload
// pointer/length as in-out. Version and Magic presumably have to match the
// two defines above; both carry this file's "rev" marker, so treat them as
// build-dependent values that are worth re-checking when a call fails.
typedef struct _SUPERFETCH_INFORMATION
{
    _In_ ULONG Version; // SUPERFETCH_INFORMATION_VERSION
    _In_ ULONG Magic;   // SUPERFETCH_INFORMATION_MAGIC
    _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass;
    _Inout_ PVOID SuperfetchInformation;        // payload whose type is given by the class
    _Inout_ ULONG SuperfetchInformationLength;  // byte size of SuperfetchInformation
} SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION;

// end_private

-------------------------------------------------------------------------------- /ntpnpapi.h: --------------------------------------------------------------------------------
typedef enum _PLUGPLAY_EVENT_CATEGORY
{
    HardwareProfileChangeEvent,
    TargetDeviceChangeEvent,
    DeviceClassChangeEvent,
    CustomDeviceEvent,
    DeviceInstallEvent,
    DeviceArrivalEvent,
    PowerEvent,
    VetoEvent,
    BlockedDriverEvent,
    InvalidIDEvent,
    MaxPlugEventCategory
} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY;

// One PnP event as delivered by NtGetPlugPlayEvent. The union member that
// applies presumably follows EventCategory (e.g. DeviceClass for
// DeviceClassChangeEvent, VetoNotification for VetoEvent). Several members
// end in a WCHAR[1] array, i.e. a string that runs past the declared struct;
// TotalSize is the only field here that can bound such a read, so it should
// be checked against the buffer actually received before any string in u is
// walked.
typedef struct _PLUGPLAY_EVENT_BLOCK
{
    GUID EventGuid;
    PLUGPLAY_EVENT_CATEGORY EventCategory;
    PULONG Result;
    ULONG Flags;
    ULONG TotalSize;    // presumably the byte size of the whole block including u
    PVOID DeviceObject; // opaque kernel object pointer

    union
    {
        struct
        {
            GUID ClassGuid;
            WCHAR SymbolicLinkName[1];
        } DeviceClass;
        struct
        {
            WCHAR DeviceIds[1];
        } TargetDevice;
        struct
        {
            WCHAR DeviceId[1];
        } InstallDevice;
        struct
        {
            PVOID NotificationStructure;
            WCHAR DeviceIds[1];
        } CustomNotification;
        struct
        {
            PVOID Notification;
        } ProfileNotification;
        struct
        {
            ULONG NotificationCode;
            ULONG NotificationData;
        } PowerNotification;
        struct
        {
PNP_VETO_TYPE VetoType;
            WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName
        } VetoNotification;
        struct
        {
            GUID BlockedDriverGuid;
        } BlockedDriverNotification;
        struct
        {
            WCHAR ParentId[1];
        } InvalidIDNotification;
    } u; // the WCHAR[1] members are presumably variable-length strings extending past the struct
} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK;

// Control codes for NtPlugPlayControl. The trailing comment on each value
// names the PLUGPLAY_CONTROL_*_DATA structure expected in PnPControlData
// for that class.
typedef enum _PLUGPLAY_CONTROL_CLASS
{
    PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA
    PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA
    PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA
    PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA
    PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA
    PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA
    PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA
    PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA
    PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA
    PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA
    PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA
    PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA
    PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA
    PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST
    PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA
    PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA
    PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA
    PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED
    MaxPlugPlayControl
} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS;

// Pre-Windows 8 only (see the guard). Writes the next PnP event into
// EventBlock, whose byte size is EventBufferSize. The written
// PLUGPLAY_EVENT_BLOCK is variable-length (its union ends in WCHAR[1]
// strings), so the buffer has to be sized for the largest event expected;
// how a too-small buffer is reported is not visible in this header.
#if (NTDDI_VERSION < NTDDI_WIN8)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetPlugPlayEvent(
    _In_ HANDLE EventHandle,
    _In_opt_ PVOID Context,
    _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock,
    _In_ ULONG EventBufferSize
    );
#endif

// Generic PnP control entry point. PnPControlData is both read and written
// (_Inout_updates_bytes_) and its layout is selected by PnPControlClass per
// the comments on PLUGPLAY_CONTROL_CLASS; PnPControlDataLength is the byte
// size of that structure. Note that several classes alter device state
// (register, start, halt, reset, query-and-remove) rather than only query it.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPlugPlayControl(
    _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass,
    _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData,
    _In_ ULONG PnPControlDataLength
    );

#if (NTDDI_VERSION >= NTDDI_WIN7)

// Windows 7+. Takes no parameters; its semantics are not described here.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSerializeBoot(
    VOID
    );

// Windows 7+. Enable/disable the Last Known Good boot configuration; both
// take no arguments, and this header does not document what rights they need.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtEnableLastKnownGood(
    VOID
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtDisableLastKnownGood(
    VOID
    );

#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Vista+. The name and parameters suggest replacing the device instance at
// TargetInstancePath with the one at SpareInstancePath; the Flags values are
// not defined in this header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReplacePartitionUnit(
    _In_ PUNICODE_STRING TargetInstancePath,
    _In_ PUNICODE_STRING SpareInstancePath,
    _In_ ULONG Flags
    );
#endif

-------------------------------------------------------------------------------- /ntpoapi.h: --------------------------------------------------------------------------------
// POWER_INFORMATION_LEVEL
// Note: We don't use an enum for these values to minimize conflicts with the Windows SDK. (dmex)
// Each value is an InformationLevel for NtPowerInformation. The trailing
// comment gives the buffer type and, where known, the direction (q:/in:/out:)
// or a restriction such as "(kernel-mode only)" or "not implemented".
#define SystemPowerPolicyAc 0 // SYSTEM_POWER_POLICY // GET: InputBuffer NULL. SET: InputBuffer not NULL.
4 | #define SystemPowerPolicyDc 1 // SYSTEM_POWER_POLICY 5 | #define VerifySystemPolicyAc 2 // SYSTEM_POWER_POLICY 6 | #define VerifySystemPolicyDc 3 // SYSTEM_POWER_POLICY 7 | #define SystemPowerCapabilities 4 // SYSTEM_POWER_CAPABILITIES 8 | #define SystemBatteryState 5 // SYSTEM_BATTERY_STATE 9 | #define SystemPowerStateHandler 6 // POWER_STATE_HANDLER // (kernel-mode only) 10 | #define ProcessorStateHandler 7 // PROCESSOR_STATE_HANDLER // (kernel-mode only) 11 | #define SystemPowerPolicyCurrent 8 // SYSTEM_POWER_POLICY 12 | #define AdministratorPowerPolicy 9 // ADMINISTRATOR_POWER_POLICY 13 | #define SystemReserveHiberFile 10 // BOOLEAN // (requires SeCreatePagefilePrivilege) // TRUE: hibernation file created. FALSE: hibernation file deleted. 14 | #define ProcessorInformation 11 // PROCESSOR_POWER_INFORMATION 15 | #define SystemPowerInformation 12 // SYSTEM_POWER_INFORMATION 16 | #define ProcessorStateHandler2 13 // PROCESSOR_STATE_HANDLER2 // not implemented 17 | #define LastWakeTime 14 // ULONGLONG // InterruptTime 18 | #define LastSleepTime 15 // ULONGLONG // InterruptTime 19 | #define SystemExecutionState 16 // EXECUTION_STATE // NtSetThreadExecutionState 20 | #define SystemPowerStateNotifyHandler 17 // POWER_STATE_NOTIFY_HANDLER // (kernel-mode only) 21 | #define ProcessorPowerPolicyAc 18 // PROCESSOR_POWER_POLICY // not implemented 22 | #define ProcessorPowerPolicyDc 19 // PROCESSOR_POWER_POLICY // not implemented 23 | #define VerifyProcessorPowerPolicyAc 20 // PROCESSOR_POWER_POLICY // not implemented 24 | #define VerifyProcessorPowerPolicyDc 21 // PROCESSOR_POWER_POLICY // not implemented 25 | #define ProcessorPowerPolicyCurrent 22 // PROCESSOR_POWER_POLICY // not implemented 26 | #define SystemPowerStateLogging 23 // SYSTEM_POWER_STATE_DISABLE_REASON[] 27 | #define SystemPowerLoggingEntry 24 // SYSTEM_POWER_LOGGING_ENTRY[] // (kernel-mode only) 28 | #define SetPowerSettingValue 25 // (kernel-mode only) 29 | #define NotifyUserPowerSetting 26 // not 
implemented 30 | #define PowerInformationLevelUnused0 27 // not implemented 31 | #define SystemMonitorHiberBootPowerOff 28 // NULL (PowerMonitorOff) 32 | #define SystemVideoState 29 // MONITOR_DISPLAY_STATE 33 | #define TraceApplicationPowerMessage 30 // (kernel-mode only) 34 | #define TraceApplicationPowerMessageEnd 31 // (kernel-mode only) 35 | #define ProcessorPerfStates 32 // (kernel-mode only) 36 | #define ProcessorIdleStates 33 // (kernel-mode only) 37 | #define ProcessorCap 34 // (kernel-mode only) 38 | #define SystemWakeSource 35 39 | #define SystemHiberFileInformation 36 // q: SYSTEM_HIBERFILE_INFORMATION 40 | #define TraceServicePowerMessage 37 41 | #define ProcessorLoad 38 42 | #define PowerShutdownNotification 39 // (kernel-mode only) 43 | #define MonitorCapabilities 40 // (kernel-mode only) 44 | #define SessionPowerInit 41 // (kernel-mode only) 45 | #define SessionDisplayState 42 // (kernel-mode only) 46 | #define PowerRequestCreate 43 // in: COUNTED_REASON_CONTEXT, out: HANDLE 47 | #define PowerRequestAction 44 // in: POWER_REQUEST_ACTION 48 | #define GetPowerRequestList 45 // out: POWER_REQUEST_LIST 49 | #define ProcessorInformationEx 46 // in: USHORT ProcessorGroup, out: PROCESSOR_POWER_INFORMATION 50 | #define NotifyUserModeLegacyPowerEvent 47 // (kernel-mode only) 51 | #define GroupPark 48 // (debug-mode boot only) 52 | #define ProcessorIdleDomains 49 // (kernel-mode only) 53 | #define WakeTimerList 50 // powercfg.exe /waketimers 54 | #define SystemHiberFileSize 51 // ULONG 55 | #define ProcessorIdleStatesHv 52 // (kernel-mode only) 56 | #define ProcessorPerfStatesHv 53 // (kernel-mode only) 57 | #define ProcessorPerfCapHv 54 // (kernel-mode only) 58 | #define ProcessorSetIdle 55 // (debug-mode boot only) 59 | #define LogicalProcessorIdling 56 // (kernel-mode only) 60 | #define UserPresence 57 // POWER_USER_PRESENCE // not implemented 61 | #define PowerSettingNotificationName 58 62 | #define GetPowerSettingValue 59 // GUID 63 | #define 
IdleResiliency 60 // POWER_IDLE_RESILIENCY 64 | #define SessionRITState 61 // POWER_SESSION_RIT_STATE 65 | #define SessionConnectNotification 62 // POWER_SESSION_WINLOGON 66 | #define SessionPowerCleanup 63 67 | #define SessionLockState 64 // POWER_SESSION_WINLOGON 68 | #define SystemHiberbootState 65 // BOOLEAN // fast startup supported 69 | #define PlatformInformation 66 // BOOLEAN // connected standby supported 70 | #define PdcInvocation 67 // (kernel-mode only) 71 | #define MonitorInvocation 68 // (kernel-mode only) 72 | #define FirmwareTableInformationRegistered 69 // (kernel-mode only) 73 | #define SetShutdownSelectedTime 70 // NULL 74 | #define SuspendResumeInvocation 71 // (kernel-mode only) 75 | #define PlmPowerRequestCreate 72 // in: COUNTED_REASON_CONTEXT, out: HANDLE 76 | #define ScreenOff 73 // NULL (PowerMonitorOff) 77 | #define CsDeviceNotification 74 // (kernel-mode only) 78 | #define PlatformRole 75 // POWER_PLATFORM_ROLE 79 | #define LastResumePerformance 76 // RESUME_PERFORMANCE 80 | #define DisplayBurst 77 // NULL (PowerMonitorOn) 81 | #define ExitLatencySamplingPercentage 78 82 | #define RegisterSpmPowerSettings 79 // (kernel-mode only) 83 | #define PlatformIdleStates 80 // (kernel-mode only) 84 | #define ProcessorIdleVeto 81 // (kernel-mode only) // deprecated 85 | #define PlatformIdleVeto 82 // (kernel-mode only) // deprecated 86 | #define SystemBatteryStatePrecise 83 // SYSTEM_BATTERY_STATE 87 | #define ThermalEvent 84 // THERMAL_EVENT // PowerReportThermalEvent 88 | #define PowerRequestActionInternal 85 // POWER_REQUEST_ACTION_INTERNAL 89 | #define BatteryDeviceState 86 90 | #define PowerInformationInternal 87 // POWER_INFORMATION_LEVEL_INTERNAL // PopPowerInformationInternal 91 | #define ThermalStandby 88 // NULL // shutdown with thermal standby as reason. 92 | #define SystemHiberFileType 89 // ULONG // zero ? 
reduced : full // powercfg.exe /h /type 93 | #define PhysicalPowerButtonPress 90 // BOOLEAN 94 | #define QueryPotentialDripsConstraint 91 // (kernel-mode only) 95 | #define EnergyTrackerCreate 92 96 | #define EnergyTrackerQuery 93 97 | #define UpdateBlackBoxRecorder 94 98 | #define SessionAllowExternalDmaDevices 95 99 | #define SendSuspendResumeNotification 96 // since WIN11 100 | #define PowerInformationLevelMaximum 97 101 | 102 | typedef struct _PROCESSOR_POWER_INFORMATION 103 | { 104 | ULONG Number; 105 | ULONG MaxMhz; 106 | ULONG CurrentMhz; 107 | ULONG MhzLimit; 108 | ULONG MaxIdleState; 109 | ULONG CurrentIdleState; 110 | } PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION; 111 | 112 | typedef struct _SYSTEM_POWER_INFORMATION 113 | { 114 | ULONG MaxIdlenessAllowed; 115 | ULONG Idleness; 116 | ULONG TimeRemaining; 117 | UCHAR CoolingMode; 118 | } SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION; 119 | 120 | typedef struct _SYSTEM_HIBERFILE_INFORMATION 121 | { 122 | ULONG NumberOfMcbPairs; 123 | LARGE_INTEGER Mcb[1]; 124 | } SYSTEM_HIBERFILE_INFORMATION, *PSYSTEM_HIBERFILE_INFORMATION; 125 | 126 | #define POWER_REQUEST_CONTEXT_NOT_SPECIFIED DIAGNOSTIC_REASON_NOT_SPECIFIED 127 | 128 | // wdm 129 | typedef struct _COUNTED_REASON_CONTEXT 130 | { 131 | ULONG Version; 132 | ULONG Flags; 133 | union 134 | { 135 | struct 136 | { 137 | UNICODE_STRING ResourceFileName; 138 | USHORT ResourceReasonId; 139 | ULONG StringCount; 140 | _Field_size_(StringCount) PUNICODE_STRING ReasonStrings; 141 | }; 142 | UNICODE_STRING SimpleString; 143 | }; 144 | } COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT; 145 | 146 | typedef enum _POWER_REQUEST_TYPE_INTERNAL // POWER_REQUEST_TYPE 147 | { 148 | PowerRequestDisplayRequiredInternal, 149 | PowerRequestSystemRequiredInternal, 150 | PowerRequestAwayModeRequiredInternal, 151 | PowerRequestExecutionRequiredInternal, // Windows 8+ 152 | PowerRequestPerfBoostRequiredInternal, // Windows 8+ 153 | 
PowerRequestActiveLockScreenInternal, // Windows 10 RS1+ (reserved on Windows 8) 154 | // Values 6 and 7 are reserved for Windows 8 only 155 | PowerRequestInternalInvalid, 156 | PowerRequestInternalUnknown, 157 | PowerRequestFullScreenVideoRequired // Windows 8 only 158 | } POWER_REQUEST_TYPE_INTERNAL; 159 | 160 | typedef struct _POWER_REQUEST_ACTION 161 | { 162 | HANDLE PowerRequestHandle; 163 | POWER_REQUEST_TYPE_INTERNAL RequestType; 164 | BOOLEAN SetAction; 165 | HANDLE ProcessHandle; // Windows 8+ and only for requests created via PlmPowerRequestCreate 166 | } POWER_REQUEST_ACTION, *PPOWER_REQUEST_ACTION; 167 | 168 | typedef union _POWER_STATE 169 | { 170 | SYSTEM_POWER_STATE SystemState; 171 | DEVICE_POWER_STATE DeviceState; 172 | } POWER_STATE, *PPOWER_STATE; 173 | 174 | typedef enum _POWER_STATE_TYPE 175 | { 176 | SystemPowerState = 0, 177 | DevicePowerState 178 | } POWER_STATE_TYPE, *PPOWER_STATE_TYPE; 179 | 180 | // wdm 181 | typedef struct _SYSTEM_POWER_STATE_CONTEXT 182 | { 183 | union 184 | { 185 | struct 186 | { 187 | ULONG Reserved1 : 8; 188 | ULONG TargetSystemState : 4; 189 | ULONG EffectiveSystemState : 4; 190 | ULONG CurrentSystemState : 4; 191 | ULONG IgnoreHibernationPath : 1; 192 | ULONG PseudoTransition : 1; 193 | ULONG Reserved2 : 10; 194 | }; 195 | ULONG ContextAsUlong; 196 | }; 197 | } SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT; 198 | 199 | typedef enum _REQUESTER_TYPE 200 | { 201 | KernelRequester = 0, 202 | UserProcessRequester = 1, 203 | UserSharedServiceRequester = 2 204 | } REQUESTER_TYPE; 205 | 206 | typedef struct _COUNTED_REASON_CONTEXT_RELATIVE 207 | { 208 | ULONG Flags; 209 | union 210 | { 211 | struct 212 | { 213 | ULONG_PTR ResourceFileNameOffset; 214 | USHORT ResourceReasonId; 215 | ULONG StringCount; 216 | ULONG_PTR SubstitutionStringsOffset; 217 | }; 218 | ULONG_PTR SimpleStringOffset; 219 | }; 220 | } COUNTED_REASON_CONTEXT_RELATIVE, *PCOUNTED_REASON_CONTEXT_RELATIVE; 221 | 222 | typedef struct 
_DIAGNOSTIC_BUFFER 223 | { 224 | SIZE_T Size; 225 | REQUESTER_TYPE CallerType; 226 | union 227 | { 228 | struct 229 | { 230 | ULONG_PTR ProcessImageNameOffset; // PWSTR 231 | ULONG ProcessId; 232 | ULONG ServiceTag; 233 | }; 234 | struct 235 | { 236 | ULONG_PTR DeviceDescriptionOffset; // PWSTR 237 | ULONG_PTR DevicePathOffset; // PWSTR 238 | }; 239 | }; 240 | ULONG_PTR ReasonOffset; // PCOUNTED_REASON_CONTEXT_RELATIVE 241 | } DIAGNOSTIC_BUFFER, *PDIAGNOSTIC_BUFFER; 242 | 243 | // The number of supported request types per version 244 | #define POWER_REQUEST_SUPPORTED_TYPES_V1 3 // Windows 7 245 | #define POWER_REQUEST_SUPPORTED_TYPES_V2 9 // Windows 8 246 | #define POWER_REQUEST_SUPPORTED_TYPES_V3 5 // Windows 8.1 and Windows 10 TH1-TH2 247 | #define POWER_REQUEST_SUPPORTED_TYPES_V4 6 // Windows 10 RS1+ 248 | 249 | typedef struct _POWER_REQUEST 250 | { 251 | union 252 | { 253 | struct 254 | { 255 | ULONG SupportedRequestMask; 256 | ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V1]; 257 | DIAGNOSTIC_BUFFER DiagnosticBuffer; 258 | } V1; 259 | #if (NTDDI_VERSION >= NTDDI_WIN8) 260 | struct 261 | { 262 | ULONG SupportedRequestMask; 263 | ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V2]; 264 | DIAGNOSTIC_BUFFER DiagnosticBuffer; 265 | } V2; 266 | #endif 267 | #if (NTDDI_VERSION >= NTDDI_WINBLUE) 268 | struct 269 | { 270 | ULONG SupportedRequestMask; 271 | ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V3]; 272 | DIAGNOSTIC_BUFFER DiagnosticBuffer; 273 | } V3; 274 | #endif 275 | #if (NTDDI_VERSION >= NTDDI_WIN10_RS1) 276 | struct 277 | { 278 | ULONG SupportedRequestMask; 279 | ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V4]; 280 | DIAGNOSTIC_BUFFER DiagnosticBuffer; 281 | } V4; 282 | #endif 283 | }; 284 | } POWER_REQUEST, *PPOWER_REQUEST; 285 | 286 | typedef struct _POWER_REQUEST_LIST 287 | { 288 | ULONG_PTR Count; 289 | ULONG_PTR PowerRequestOffsets[ANYSIZE_ARRAY]; // PPOWER_REQUEST 290 | } POWER_REQUEST_LIST, *PPOWER_REQUEST_LIST; 291 
| 292 | typedef enum _POWER_STATE_HANDLER_TYPE 293 | { 294 | PowerStateSleeping1 = 0, 295 | PowerStateSleeping2 = 1, 296 | PowerStateSleeping3 = 2, 297 | PowerStateSleeping4 = 3, 298 | PowerStateShutdownOff = 4, 299 | PowerStateShutdownReset = 5, 300 | PowerStateSleeping4Firmware = 6, 301 | PowerStateMaximum = 7 302 | } POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE; 303 | 304 | typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)( 305 | _In_ PVOID SystemContext 306 | ); 307 | 308 | typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)( 309 | _In_ PVOID Context, 310 | _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler, 311 | _In_ PVOID SystemContext, 312 | _In_ LONG NumberProcessors, 313 | _In_ LONG volatile *Number 314 | ); 315 | 316 | typedef struct _POWER_STATE_HANDLER 317 | { 318 | POWER_STATE_HANDLER_TYPE Type; 319 | BOOLEAN RtcWake; 320 | UCHAR Spare[3]; 321 | PENTER_STATE_HANDLER Handler; 322 | PVOID Context; 323 | } POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER; 324 | 325 | typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)( 326 | _In_ POWER_STATE_HANDLER_TYPE State, 327 | _In_ PVOID Context, 328 | _In_ BOOLEAN Entering 329 | ); 330 | 331 | typedef struct _POWER_STATE_NOTIFY_HANDLER 332 | { 333 | PENTER_STATE_NOTIFY_HANDLER Handler; 334 | PVOID Context; 335 | } POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER; 336 | 337 | typedef struct _POWER_REQUEST_ACTION_INTERNAL 338 | { 339 | PVOID PowerRequestPointer; 340 | POWER_REQUEST_TYPE_INTERNAL RequestType; 341 | BOOLEAN SetAction; 342 | } POWER_REQUEST_ACTION_INTERNAL, *PPOWER_REQUEST_ACTION_INTERNAL; 343 | 344 | typedef enum _POWER_INFORMATION_LEVEL_INTERNAL 345 | { 346 | PowerInternalAcpiInterfaceRegister, 347 | PowerInternalS0LowPowerIdleInfo, // POWER_S0_LOW_POWER_IDLE_INFO 348 | PowerInternalReapplyBrightnessSettings, 349 | PowerInternalUserAbsencePrediction, // POWER_USER_ABSENCE_PREDICTION 350 | PowerInternalUserAbsencePredictionCapability, // POWER_USER_ABSENCE_PREDICTION_CAPABILITY 351 | 
PowerInternalPoProcessorLatencyHint, // POWER_PROCESSOR_LATENCY_HINT 352 | PowerInternalStandbyNetworkRequest, // POWER_STANDBY_NETWORK_REQUEST 353 | PowerInternalDirtyTransitionInformation, 354 | PowerInternalSetBackgroundTaskState, // POWER_SET_BACKGROUND_TASK_STATE 355 | PowerInternalTtmOpenTerminal, 356 | PowerInternalTtmCreateTerminal, // 10 357 | PowerInternalTtmEvacuateDevices, 358 | PowerInternalTtmCreateTerminalEventQueue, 359 | PowerInternalTtmGetTerminalEvent, 360 | PowerInternalTtmSetDefaultDeviceAssignment, 361 | PowerInternalTtmAssignDevice, 362 | PowerInternalTtmSetDisplayState, 363 | PowerInternalTtmSetDisplayTimeouts, 364 | PowerInternalBootSessionStandbyActivationInformation, 365 | PowerInternalSessionPowerState, 366 | PowerInternalSessionTerminalInput, // 20 367 | PowerInternalSetWatchdog, 368 | PowerInternalPhysicalPowerButtonPressInfoAtBoot, 369 | PowerInternalExternalMonitorConnected, 370 | PowerInternalHighPrecisionBrightnessSettings, 371 | PowerInternalWinrtScreenToggle, 372 | PowerInternalPpmQosDisable, 373 | PowerInternalTransitionCheckpoint, 374 | PowerInternalInputControllerState, 375 | PowerInternalFirmwareResetReason, 376 | PowerInternalPpmSchedulerQosSupport, // 30 377 | PowerInternalBootStatGet, 378 | PowerInternalBootStatSet, 379 | PowerInternalCallHasNotReturnedWatchdog, 380 | PowerInternalBootStatCheckIntegrity, 381 | PowerInternalBootStatRestoreDefaults, // in: void 382 | PowerInternalHostEsStateUpdate, 383 | PowerInternalGetPowerActionState, 384 | PowerInternalBootStatUnlock, 385 | PowerInternalWakeOnVoiceState, 386 | PowerInternalDeepSleepBlock, // 40 387 | PowerInternalIsPoFxDevice, 388 | PowerInternalPowerTransitionExtensionAtBoot, 389 | PowerInternalProcessorBrandedFrequency, // in: POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, out: POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT 390 | PowerInternalTimeBrokerExpirationReason, 391 | PowerInternalNotifyUserShutdownStatus, 392 | PowerInternalPowerRequestTerminalCoreWindow, 
393 | PowerInternalProcessorIdleVeto, 394 | PowerInternalPlatformIdleVeto, 395 | PowerInternalIsLongPowerButtonBugcheckEnabled, 396 | PowerInternalAutoChkCausedReboot, // 50 397 | PowerInternalSetWakeAlarmOverride, 398 | 399 | PowerInternalDirectedFxAddTestDevice = 53, 400 | PowerInternalDirectedFxRemoveTestDevice, 401 | 402 | PowerInternalDirectedFxSetMode = 56, 403 | PowerInternalRegisterPowerPlane, 404 | PowerInternalSetDirectedDripsFlags, 405 | PowerInternalClearDirectedDripsFlags, 406 | PowerInternalRetrieveHiberFileResumeContext, // 60 407 | PowerInternalReadHiberFilePage, 408 | PowerInternalLastBootSucceeded, // out: BOOLEAN 409 | PowerInternalQuerySleepStudyHelperRoutineBlock, 410 | PowerInternalDirectedDripsQueryCapabilities, 411 | PowerInternalClearConstraints, 412 | PowerInternalSoftParkVelocityEnabled, 413 | PowerInternalQueryIntelPepCapabilities, 414 | PowerInternalGetSystemIdleLoopEnablement, // since WIN11 415 | PowerInternalGetVmPerfControlSupport, 416 | PowerInternalGetVmPerfControlConfig, // 70 417 | PowerInternalSleepDetailedDiagUpdate, 418 | PowerInternalProcessorClassFrequencyBandsStats, 419 | PowerInternalHostGlobalUserPresenceStateUpdate, 420 | PowerInternalCpuNodeIdleIntervalStats, 421 | PowerInternalClassIdleIntervalStats, 422 | PowerInternalCpuNodeConcurrencyStats, 423 | PowerInternalClassConcurrencyStats, 424 | PowerInternalQueryProcMeasurementCapabilities, 425 | PowerInternalQueryProcMeasurementValues, 426 | PowerInternalPrepareForSystemInitiatedReboot, // 80 427 | PowerInternalGetAdaptiveSessionState, 428 | PowerInternalSetConsoleLockedState, 429 | PowerInternalOverrideSystemInitiatedRebootState, 430 | PowerInternalFanImpactStats, 431 | PowerInternalFanRpmBuckets, 432 | PowerInternalPowerBootAppDiagInfo, 433 | PowerInternalUnregisterShutdownNotification, // since 22H1 434 | PowerInternalManageTransitionStateRecord, 435 | PowerInformationInternalMaximum 436 | } POWER_INFORMATION_LEVEL_INTERNAL; 437 | 438 | typedef enum 
_POWER_S0_DISCONNECTED_REASON 439 | { 440 | PoS0DisconnectedReasonNone, 441 | PoS0DisconnectedReasonNonCompliantNic, 442 | PoS0DisconnectedReasonSettingPolicy, 443 | PoS0DisconnectedReasonEnforceDsPolicy, 444 | PoS0DisconnectedReasonCsChecksFailed, 445 | PoS0DisconnectedReasonSmartStandby, 446 | PoS0DisconnectedReasonMaximum 447 | } POWER_S0_DISCONNECTED_REASON; 448 | 449 | typedef struct _POWER_S0_LOW_POWER_IDLE_INFO 450 | { 451 | POWER_S0_DISCONNECTED_REASON DisconnectedReason; 452 | union 453 | { 454 | BOOLEAN Storage : 1; 455 | BOOLEAN WiFi : 1; 456 | BOOLEAN Mbn : 1; 457 | BOOLEAN Ethernet : 1; 458 | BOOLEAN Reserved : 4; 459 | UCHAR AsUCHAR; 460 | } CsDeviceCompliance; 461 | union 462 | { 463 | BOOLEAN DisconnectInStandby : 1; 464 | BOOLEAN EnforceDs : 1; 465 | BOOLEAN Reserved : 6; 466 | UCHAR AsUCHAR; 467 | } Policy; 468 | } POWER_S0_LOW_POWER_IDLE_INFO, *PPOWER_S0_LOW_POWER_IDLE_INFO; 469 | 470 | typedef struct _POWER_INFORMATION_INTERNAL_HEADER 471 | { 472 | POWER_INFORMATION_LEVEL_INTERNAL InternalType; 473 | ULONG Version; 474 | } POWER_INFORMATION_INTERNAL_HEADER, *PPOWER_INFORMATION_INTERNAL_HEADER; 475 | 476 | typedef struct _POWER_USER_ABSENCE_PREDICTION 477 | { 478 | POWER_INFORMATION_INTERNAL_HEADER Header; 479 | LARGE_INTEGER ReturnTime; 480 | } POWER_USER_ABSENCE_PREDICTION, *PPOWER_USER_ABSENCE_PREDICTION; 481 | 482 | typedef struct _POWER_USER_ABSENCE_PREDICTION_CAPABILITY 483 | { 484 | BOOLEAN AbsencePredictionCapability; 485 | } POWER_USER_ABSENCE_PREDICTION_CAPABILITY, *PPOWER_USER_ABSENCE_PREDICTION_CAPABILITY; 486 | 487 | typedef struct _POWER_PROCESSOR_LATENCY_HINT 488 | { 489 | POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader; 490 | ULONG Type; 491 | } POWER_PROCESSOR_LATENCY_HINT, *PPO_PROCESSOR_LATENCY_HINT; 492 | 493 | typedef struct _POWER_STANDBY_NETWORK_REQUEST 494 | { 495 | POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader; 496 | BOOLEAN Active; 497 | } POWER_STANDBY_NETWORK_REQUEST, 
*PPOWER_STANDBY_NETWORK_REQUEST; 498 | 499 | typedef struct _POWER_SET_BACKGROUND_TASK_STATE 500 | { 501 | POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader; 502 | BOOLEAN Engaged; 503 | } POWER_SET_BACKGROUND_TASK_STATE, *PPOWER_SET_BACKGROUND_TASK_STATE; 504 | 505 | typedef struct POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT 506 | { 507 | POWER_INFORMATION_LEVEL_INTERNAL InternalType; 508 | PROCESSOR_NUMBER ProcessorNumber; // ULONG_MAX 509 | } POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, *PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT; 510 | 511 | typedef struct POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT 512 | { 513 | ULONG Version; 514 | ULONG NominalFrequency; // if (Domain) Prcb->PowerState.CheckContext.Domain.NominalFrequency else Prcb->MHz 515 | } POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT, *PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT; 516 | 517 | NTSYSCALLAPI 518 | NTSTATUS 519 | NTAPI 520 | NtPowerInformation( 521 | _In_ POWER_INFORMATION_LEVEL InformationLevel, 522 | _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 523 | _In_ ULONG InputBufferLength, 524 | _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, 525 | _In_ ULONG OutputBufferLength 526 | ); 527 | 528 | NTSYSCALLAPI 529 | NTSTATUS 530 | NTAPI 531 | NtSetThreadExecutionState( 532 | _In_ EXECUTION_STATE NewFlags, // ES_* flags 533 | _Out_ EXECUTION_STATE *PreviousFlags 534 | ); 535 | 536 | #if (NTDDI_VERSION < NTDDI_WIN7) 537 | NTSYSCALLAPI 538 | NTSTATUS 539 | NTAPI 540 | NtRequestWakeupLatency( 541 | _In_ LATENCY_TIME latency 542 | ); 543 | #endif 544 | 545 | NTSYSCALLAPI 546 | NTSTATUS 547 | NTAPI 548 | NtInitiatePowerAction( 549 | _In_ POWER_ACTION SystemAction, 550 | _In_ SYSTEM_POWER_STATE LightestSystemState, 551 | _In_ ULONG Flags, // POWER_ACTION_* flags 552 | _In_ BOOLEAN Asynchronous 553 | ); 554 | 555 | NTSYSCALLAPI 556 | NTSTATUS 557 | NTAPI 558 | NtSetSystemPowerState( 559 | _In_ POWER_ACTION SystemAction, 560 | _In_ 
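SYSTEM_POWER_STATE LightestSystemState,
    _In_ ULONG Flags // POWER_ACTION_* flags
    );

// Reports the current device power state for the given device handle.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetDevicePowerState(
    _In_ HANDLE Device,
    _Out_ PDEVICE_POWER_STATE State
    );

// Returns a BOOLEAN directly rather than an NTSTATUS, unlike the other
// declarations in this header; there is no failure channel to check.
NTSYSCALLAPI
BOOLEAN
NTAPI
NtIsSystemResumeAutomatic(
    VOID
    );

--------------------------------------------------------------------------------
/ntregapi.h:
--------------------------------------------------------------------------------
// Boot condition flags (NtInitializeRegistry)

#define REG_INIT_BOOT_SM 0x0000
#define REG_INIT_BOOT_SETUP 0x0001
#define REG_INIT_BOOT_ACCEPTED_BASE 0x0002
// Parenthesized: the previous unparenthesized expansion ("0x0002 + 999")
// mis-evaluated inside any larger expression, e.g. "2 * REG_INIT_BOOT_ACCEPTED_MAX".
// The value is unchanged: REG_INIT_BOOT_ACCEPTED_BASE + 999.
#define REG_INIT_BOOT_ACCEPTED_MAX (REG_INIT_BOOT_ACCEPTED_BASE + 999)

// Upper bounds for key and value names. The unit is not stated here (wdm.h
// documents both as byte counts excluding the terminator) - confirm before
// using them to size or validate caller-supplied buffers.
#define REG_MAX_KEY_VALUE_NAME_LENGTH 32767
#define REG_MAX_KEY_NAME_LENGTH 512

// Information classes for NtQueryKey / NtEnumerateKey; the trailing comment
// names the output structure each class fills.
typedef enum _KEY_INFORMATION_CLASS
{
    KeyBasicInformation, // KEY_BASIC_INFORMATION
    KeyNodeInformation, // KEY_NODE_INFORMATION
    KeyFullInformation, // KEY_FULL_INFORMATION
    KeyNameInformation, // KEY_NAME_INFORMATION
    KeyCachedInformation, // KEY_CACHED_INFORMATION
    KeyFlagsInformation, // KEY_FLAGS_INFORMATION
    KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION
    KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
    KeyTrustInformation, // KEY_TRUST_INFORMATION
    KeyLayerInformation, // KEY_LAYER_INFORMATION
    MaxKeyInfoClass
} KEY_INFORMATION_CLASS;

// Output of KeyBasicInformation. Name[1] is the [1] trailing-array
// convention: the name extends past the end of the structure, its length is
// given by NameLength, and it is not guaranteed to be NUL-terminated -
// size buffers from the ResultLength the query returns, never from sizeof.
typedef struct _KEY_BASIC_INFORMATION
{
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG NameLength;
    WCHAR Name[1];
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;

// Output of KeyNodeInformation. Same trailing-array convention as
// KEY_BASIC_INFORMATION; ClassOffset/ClassLength presumably locate the class
// string that follows the name (offset relative to the structure start) -
// confirm before dereferencing.
typedef struct _KEY_NODE_INFORMATION
{
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;
    ULONG ClassOffset;
    ULONG ClassLength;
    ULONG NameLength;
    WCHAR Name[1];
    // ...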
43 | // WCHAR Class[1]; 44 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 45 | 46 | typedef struct _KEY_FULL_INFORMATION 47 | { 48 | LARGE_INTEGER LastWriteTime; 49 | ULONG TitleIndex; 50 | ULONG ClassOffset; 51 | ULONG ClassLength; 52 | ULONG SubKeys; 53 | ULONG MaxNameLen; 54 | ULONG MaxClassLen; 55 | ULONG Values; 56 | ULONG MaxValueNameLen; 57 | ULONG MaxValueDataLen; 58 | WCHAR Class[1]; 59 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 60 | 61 | typedef struct _KEY_NAME_INFORMATION 62 | { 63 | ULONG NameLength; 64 | WCHAR Name[1]; 65 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 66 | 67 | typedef struct _KEY_CACHED_INFORMATION 68 | { 69 | LARGE_INTEGER LastWriteTime; 70 | ULONG TitleIndex; 71 | ULONG SubKeys; 72 | ULONG MaxNameLen; 73 | ULONG Values; 74 | ULONG MaxValueNameLen; 75 | ULONG MaxValueDataLen; 76 | ULONG NameLength; 77 | WCHAR Name[1]; 78 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 79 | 80 | // rev 81 | #define REG_FLAG_VOLATILE 0x0001 82 | #define REG_FLAG_LINK 0x0002 83 | 84 | // msdn 85 | #define REG_KEY_DONT_VIRTUALIZE 0x0002 86 | #define REG_KEY_DONT_SILENT_FAIL 0x0004 87 | #define REG_KEY_RECURSE_FLAG 0x0008 88 | 89 | // private 90 | typedef struct _KEY_FLAGS_INFORMATION 91 | { 92 | ULONG Wow64Flags; 93 | ULONG KeyFlags; // REG_FLAG_* 94 | ULONG ControlFlags; // REG_KEY_* 95 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 96 | 97 | typedef struct _KEY_VIRTUALIZATION_INFORMATION 98 | { 99 | ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). 100 | ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1. 101 | ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. 102 | ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. 
Valid only on the virtual store key handles. 103 | ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. 104 | ULONG Reserved : 27; 105 | } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; 106 | 107 | // private 108 | typedef struct _KEY_TRUST_INFORMATION 109 | { 110 | ULONG TrustedKey : 1; 111 | ULONG Reserved : 31; 112 | } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; 113 | 114 | // private 115 | typedef struct _KEY_LAYER_INFORMATION 116 | { 117 | ULONG IsTombstone : 1; 118 | ULONG IsSupersedeLocal : 1; 119 | ULONG IsSupersedeTree : 1; 120 | ULONG ClassIsInherited : 1; 121 | ULONG Reserved : 28; 122 | } KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION; 123 | 124 | typedef enum _KEY_SET_INFORMATION_CLASS 125 | { 126 | KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION 127 | KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION 128 | KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION 129 | KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION 130 | KeySetDebugInformation, 131 | KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 132 | KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION 133 | MaxKeySetInfoClass 134 | } KEY_SET_INFORMATION_CLASS; 135 | 136 | typedef struct _KEY_WRITE_TIME_INFORMATION 137 | { 138 | LARGE_INTEGER LastWriteTime; 139 | } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; 140 | 141 | typedef struct _KEY_WOW64_FLAGS_INFORMATION 142 | { 143 | ULONG UserFlags; 144 | } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; 145 | 146 | typedef struct _KEY_HANDLE_TAGS_INFORMATION 147 | { 148 | ULONG HandleTags; 149 | } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION; 150 | 151 | typedef struct _KEY_SET_LAYER_INFORMATION 152 | { 153 | ULONG IsTombstone : 1; 154 | ULONG IsSupersedeLocal : 1; 155 | ULONG IsSupersedeTree : 1; 156 | ULONG ClassIsInherited : 1; 157 | ULONG Reserved : 28; 158 | } 
KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION; 159 | 160 | typedef struct _KEY_CONTROL_FLAGS_INFORMATION 161 | { 162 | ULONG ControlFlags; 163 | } KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION; 164 | 165 | typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION 166 | { 167 | ULONG VirtualTarget : 1; 168 | ULONG VirtualStore : 1; 169 | ULONG VirtualSource : 1; // true if key has been virtualized at least once 170 | ULONG Reserved : 29; 171 | } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION; 172 | 173 | typedef enum _KEY_VALUE_INFORMATION_CLASS 174 | { 175 | KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION 176 | KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION 177 | KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION 178 | KeyValueFullInformationAlign64, 179 | KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 180 | KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION 181 | MaxKeyValueInfoClass 182 | } KEY_VALUE_INFORMATION_CLASS; 183 | 184 | typedef struct _KEY_VALUE_BASIC_INFORMATION 185 | { 186 | ULONG TitleIndex; 187 | ULONG Type; 188 | ULONG NameLength; 189 | WCHAR Name[1]; 190 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 191 | 192 | typedef struct _KEY_VALUE_FULL_INFORMATION 193 | { 194 | ULONG TitleIndex; 195 | ULONG Type; 196 | ULONG DataOffset; 197 | ULONG DataLength; 198 | ULONG NameLength; 199 | WCHAR Name[1]; 200 | // ... 
201 | // UCHAR Data[1]; 202 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 203 | 204 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION 205 | { 206 | ULONG TitleIndex; 207 | ULONG Type; 208 | ULONG DataLength; 209 | UCHAR Data[1]; 210 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 211 | 212 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 213 | { 214 | ULONG Type; 215 | ULONG DataLength; 216 | UCHAR Data[1]; 217 | } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; 218 | 219 | // private 220 | typedef struct _KEY_VALUE_LAYER_INFORMATION 221 | { 222 | ULONG IsTombstone : 1; 223 | ULONG Reserved : 31; 224 | } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; 225 | 226 | // rev 227 | typedef enum _KEY_LOAD_ENTRY_TYPE 228 | { 229 | KeyLoadTrustClassKey = 1, 230 | KeyLoadEvent, 231 | KeyLoadToken 232 | } KEY_LOAD_ENTRY_TYPE; 233 | 234 | // rev 235 | typedef struct _KEY_LOAD_ENTRY 236 | { 237 | KEY_LOAD_ENTRY_TYPE EntryType; 238 | union 239 | { 240 | HANDLE Handle; 241 | ULONG_PTR Value; 242 | }; 243 | } KEY_LOAD_ENTRY, *PKEY_LOAD_ENTRY; 244 | 245 | typedef struct _KEY_VALUE_ENTRY 246 | { 247 | PUNICODE_STRING ValueName; 248 | ULONG DataLength; 249 | ULONG DataOffset; 250 | ULONG Type; 251 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 252 | 253 | typedef enum _REG_ACTION 254 | { 255 | KeyAdded, 256 | KeyRemoved, 257 | KeyModified 258 | } REG_ACTION; 259 | 260 | typedef struct _REG_NOTIFY_INFORMATION 261 | { 262 | ULONG NextEntryOffset; 263 | REG_ACTION Action; 264 | ULONG KeyLength; 265 | WCHAR Key[1]; 266 | } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION; 267 | 268 | typedef struct _KEY_PID_ARRAY 269 | { 270 | HANDLE ProcessId; 271 | UNICODE_STRING KeyName; 272 | } KEY_PID_ARRAY, *PKEY_PID_ARRAY; 273 | 274 | typedef struct _KEY_OPEN_SUBKEYS_INFORMATION 275 | { 276 | ULONG Count; 277 | KEY_PID_ARRAY KeyArray[1]; 278 | } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; 279 | 280 | // 
System calls 281 | 282 | NTSYSCALLAPI 283 | NTSTATUS 284 | NTAPI 285 | NtCreateKey( 286 | _Out_ PHANDLE KeyHandle, 287 | _In_ ACCESS_MASK DesiredAccess, 288 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 289 | _Reserved_ ULONG TitleIndex, 290 | _In_opt_ PUNICODE_STRING Class, 291 | _In_ ULONG CreateOptions, 292 | _Out_opt_ PULONG Disposition 293 | ); 294 | 295 | #if (NTDDI_VERSION >= NTDDI_VISTA) 296 | NTSYSCALLAPI 297 | NTSTATUS 298 | NTAPI 299 | NtCreateKeyTransacted( 300 | _Out_ PHANDLE KeyHandle, 301 | _In_ ACCESS_MASK DesiredAccess, 302 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 303 | _Reserved_ ULONG TitleIndex, 304 | _In_opt_ PUNICODE_STRING Class, 305 | _In_ ULONG CreateOptions, 306 | _In_ HANDLE TransactionHandle, 307 | _Out_opt_ PULONG Disposition 308 | ); 309 | #endif 310 | 311 | NTSYSCALLAPI 312 | NTSTATUS 313 | NTAPI 314 | NtOpenKey( 315 | _Out_ PHANDLE KeyHandle, 316 | _In_ ACCESS_MASK DesiredAccess, 317 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 318 | ); 319 | 320 | #if (NTDDI_VERSION >= NTDDI_VISTA) 321 | NTSYSCALLAPI 322 | NTSTATUS 323 | NTAPI 324 | NtOpenKeyTransacted( 325 | _Out_ PHANDLE KeyHandle, 326 | _In_ ACCESS_MASK DesiredAccess, 327 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 328 | _In_ HANDLE TransactionHandle 329 | ); 330 | #endif 331 | 332 | #if (NTDDI_VERSION >= NTDDI_WIN7) 333 | NTSYSCALLAPI 334 | NTSTATUS 335 | NTAPI 336 | NtOpenKeyEx( 337 | _Out_ PHANDLE KeyHandle, 338 | _In_ ACCESS_MASK DesiredAccess, 339 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 340 | _In_ ULONG OpenOptions 341 | ); 342 | #endif 343 | 344 | #if (NTDDI_VERSION >= NTDDI_WIN7) 345 | NTSYSCALLAPI 346 | NTSTATUS 347 | NTAPI 348 | NtOpenKeyTransactedEx( 349 | _Out_ PHANDLE KeyHandle, 350 | _In_ ACCESS_MASK DesiredAccess, 351 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 352 | _In_ ULONG OpenOptions, 353 | _In_ HANDLE TransactionHandle 354 | ); 355 | #endif 356 | 357 | NTSYSCALLAPI 358 | NTSTATUS 359 | NTAPI 360 | NtDeleteKey( 361 | _In_ HANDLE KeyHandle 362 | ); 363 | 364 
| NTSYSCALLAPI 365 | NTSTATUS 366 | NTAPI 367 | NtRenameKey( 368 | _In_ HANDLE KeyHandle, 369 | _In_ PUNICODE_STRING NewName 370 | ); 371 | 372 | NTSYSCALLAPI 373 | NTSTATUS 374 | NTAPI 375 | NtDeleteValueKey( 376 | _In_ HANDLE KeyHandle, 377 | _In_ PUNICODE_STRING ValueName 378 | ); 379 | 380 | NTSYSCALLAPI 381 | NTSTATUS 382 | NTAPI 383 | NtQueryKey( 384 | _In_ HANDLE KeyHandle, 385 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 386 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 387 | _In_ ULONG Length, 388 | _Out_ PULONG ResultLength 389 | ); 390 | 391 | NTSYSCALLAPI 392 | NTSTATUS 393 | NTAPI 394 | NtSetInformationKey( 395 | _In_ HANDLE KeyHandle, 396 | _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, 397 | _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, 398 | _In_ ULONG KeySetInformationLength 399 | ); 400 | 401 | NTSYSCALLAPI 402 | NTSTATUS 403 | NTAPI 404 | NtQueryValueKey( 405 | _In_ HANDLE KeyHandle, 406 | _In_ PUNICODE_STRING ValueName, 407 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 408 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 409 | _In_ ULONG Length, 410 | _Out_ PULONG ResultLength 411 | ); 412 | 413 | NTSYSCALLAPI 414 | NTSTATUS 415 | NTAPI 416 | NtSetValueKey( 417 | _In_ HANDLE KeyHandle, 418 | _In_ PUNICODE_STRING ValueName, 419 | _In_opt_ ULONG TitleIndex, 420 | _In_ ULONG Type, 421 | _In_reads_bytes_opt_(DataSize) PVOID Data, 422 | _In_ ULONG DataSize 423 | ); 424 | 425 | NTSYSCALLAPI 426 | NTSTATUS 427 | NTAPI 428 | NtQueryMultipleValueKey( 429 | _In_ HANDLE KeyHandle, 430 | _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, 431 | _In_ ULONG EntryCount, 432 | _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, 433 | _Inout_ PULONG BufferLength, 434 | _Out_opt_ PULONG RequiredBufferLength 435 | ); 436 | 437 | NTSYSCALLAPI 438 | NTSTATUS 439 | NTAPI 440 | NtEnumerateKey( 441 | _In_ HANDLE KeyHandle, 442 | _In_ ULONG Index, 443 | _In_ KEY_INFORMATION_CLASS 
KeyInformationClass, 444 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 445 | _In_ ULONG Length, 446 | _Out_ PULONG ResultLength 447 | ); 448 | 449 | NTSYSCALLAPI 450 | NTSTATUS 451 | NTAPI 452 | NtEnumerateValueKey( 453 | _In_ HANDLE KeyHandle, 454 | _In_ ULONG Index, 455 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 456 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 457 | _In_ ULONG Length, 458 | _Out_ PULONG ResultLength 459 | ); 460 | 461 | NTSYSCALLAPI 462 | NTSTATUS 463 | NTAPI 464 | NtFlushKey( 465 | _In_ HANDLE KeyHandle 466 | ); 467 | 468 | NTSYSCALLAPI 469 | NTSTATUS 470 | NTAPI 471 | NtCompactKeys( 472 | _In_ ULONG Count, 473 | _In_reads_(Count) HANDLE KeyArray[] 474 | ); 475 | 476 | NTSYSCALLAPI 477 | NTSTATUS 478 | NTAPI 479 | NtCompressKey( 480 | _In_ HANDLE Key 481 | ); 482 | 483 | NTSYSCALLAPI 484 | NTSTATUS 485 | NTAPI 486 | NtLoadKey( 487 | _In_ POBJECT_ATTRIBUTES TargetKey, 488 | _In_ POBJECT_ATTRIBUTES SourceFile 489 | ); 490 | 491 | NTSYSCALLAPI 492 | NTSTATUS 493 | NTAPI 494 | NtLoadKey2( 495 | _In_ POBJECT_ATTRIBUTES TargetKey, 496 | _In_ POBJECT_ATTRIBUTES SourceFile, 497 | _In_ ULONG Flags 498 | ); 499 | 500 | NTSYSCALLAPI 501 | NTSTATUS 502 | NTAPI 503 | NtLoadKeyEx( 504 | _In_ POBJECT_ATTRIBUTES TargetKey, 505 | _In_ POBJECT_ATTRIBUTES SourceFile, 506 | _In_ ULONG Flags, 507 | _In_opt_ HANDLE TrustClassKey, // this and below were added on Win10 508 | _In_opt_ HANDLE Event, 509 | _In_opt_ ACCESS_MASK DesiredAccess, 510 | _Out_opt_ PHANDLE RootHandle, 511 | _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK 512 | ); 513 | 514 | // rev by tyranid 515 | #if (NTDDI_VERSION >= NTDDI_WIN10_VB) 516 | NTSYSCALLAPI 517 | NTSTATUS 518 | NTAPI 519 | NtLoadKey3( 520 | _In_ POBJECT_ATTRIBUTES TargetKey, 521 | _In_ POBJECT_ATTRIBUTES SourceFile, 522 | _In_ ULONG Flags, 523 | _In_reads_(LoadEntryCount) PKEY_LOAD_ENTRY LoadEntries, 524 | _In_ ULONG LoadEntryCount, 525 | _In_opt_ ACCESS_MASK DesiredAccess, 526 | 
_Out_opt_ PHANDLE RootHandle, 527 | _Reserved_ PVOID Reserved 528 | ); 529 | #endif 530 | 531 | NTSYSCALLAPI 532 | NTSTATUS 533 | NTAPI 534 | NtReplaceKey( 535 | _In_ POBJECT_ATTRIBUTES NewFile, 536 | _In_ HANDLE TargetHandle, 537 | _In_ POBJECT_ATTRIBUTES OldFile 538 | ); 539 | 540 | NTSYSCALLAPI 541 | NTSTATUS 542 | NTAPI 543 | NtSaveKey( 544 | _In_ HANDLE KeyHandle, 545 | _In_ HANDLE FileHandle 546 | ); 547 | 548 | NTSYSCALLAPI 549 | NTSTATUS 550 | NTAPI 551 | NtSaveKeyEx( 552 | _In_ HANDLE KeyHandle, 553 | _In_ HANDLE FileHandle, 554 | _In_ ULONG Format 555 | ); 556 | 557 | NTSYSCALLAPI 558 | NTSTATUS 559 | NTAPI 560 | NtSaveMergedKeys( 561 | _In_ HANDLE HighPrecedenceKeyHandle, 562 | _In_ HANDLE LowPrecedenceKeyHandle, 563 | _In_ HANDLE FileHandle 564 | ); 565 | 566 | NTSYSCALLAPI 567 | NTSTATUS 568 | NTAPI 569 | NtRestoreKey( 570 | _In_ HANDLE KeyHandle, 571 | _In_ HANDLE FileHandle, 572 | _In_ ULONG Flags 573 | ); 574 | 575 | NTSYSCALLAPI 576 | NTSTATUS 577 | NTAPI 578 | NtUnloadKey( 579 | _In_ POBJECT_ATTRIBUTES TargetKey 580 | ); 581 | 582 | // 583 | // NtUnloadKey2 Flags (from winnt.h) 584 | // 585 | //#define REG_FORCE_UNLOAD 1 586 | //#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) 587 | 588 | NTSYSCALLAPI 589 | NTSTATUS 590 | NTAPI 591 | NtUnloadKey2( 592 | _In_ POBJECT_ATTRIBUTES TargetKey, 593 | _In_ ULONG Flags 594 | ); 595 | 596 | NTSYSCALLAPI 597 | NTSTATUS 598 | NTAPI 599 | NtUnloadKeyEx( 600 | _In_ POBJECT_ATTRIBUTES TargetKey, 601 | _In_opt_ HANDLE Event 602 | ); 603 | 604 | NTSYSCALLAPI 605 | NTSTATUS 606 | NTAPI 607 | NtNotifyChangeKey( 608 | _In_ HANDLE KeyHandle, 609 | _In_opt_ HANDLE Event, 610 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 611 | _In_opt_ PVOID ApcContext, 612 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 613 | _In_ ULONG CompletionFilter, 614 | _In_ BOOLEAN WatchTree, 615 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 616 | _In_ ULONG BufferSize, 617 | _In_ BOOLEAN Asynchronous 618 | ); 619 | 620 | NTSYSCALLAPI 621 | NTSTATUS 622 
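NTAPI
NtNotifyChangeMultipleKeys(
    _In_ HANDLE MasterKeyHandle,
    _In_opt_ ULONG Count, // number of entries in SubordinateObjects
    _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_ ULONG CompletionFilter,
    _In_ BOOLEAN WatchTree,
    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, // presumably REG_NOTIFY_INFORMATION records (declared earlier in this header) - confirm
    _In_ ULONG BufferSize,
    _In_ BOOLEAN Asynchronous
    );

// Counts the handles currently open to subkeys of TargetKey (the key itself
// is identified by object attributes, not by handle).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryOpenSubKeys(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _Out_ PULONG HandleCount
    );

// Like NtQueryOpenSubKeys but also returns who holds the handles; Buffer is
// presumably a KEY_OPEN_SUBKEYS_INFORMATION (declared earlier in this header)
// and RequiredSize reports the byte count needed when Buffer is too small.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryOpenSubKeysEx(
    _In_ POBJECT_ATTRIBUTES TargetKey,
    _In_ ULONG BufferLength,
    _Out_writes_bytes_opt_(BufferLength) PVOID Buffer,
    _Out_ PULONG RequiredSize
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtInitializeRegistry(
    _In_ USHORT BootCondition // REG_INIT_BOOT_* value (see the top of this header)
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtLockRegistryKey(
    _In_ HANDLE KeyHandle
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtLockProductActivationKeys(
    _Inout_opt_ ULONG *pPrivateVer,
    _Out_opt_ ULONG *pSafeMode
    );

#if (NTDDI_VERSION >= NTDDI_VISTA)
// private
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFreezeRegistry(
    _In_ ULONG TimeOutInSeconds // presumably the freeze is released automatically after this interval - confirm
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// private
NTSYSCALLAPI
NTSTATUS
NTAPI
NtThawRegistry(
    VOID
    );
#endif

// Registry transactions (Win10 RS1+). NTSYSCALLAPI / NTAPI were missing from
// these four prototypes; they are added so the declarations match the ntdll
// exports like every other Nt* declaration in this header. Without NTAPI
// (stdcall on x86) a 32-bit caller would use cdecl against a stdcall export
// and unbalance the stack.
#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateRegistryTransaction(
    _Out_ HANDLE *RegistryTransactionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjAttributes,
    _Reserved_ ULONG CreateOptions
    );
#endif

#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenRegistryTransaction(
    _Out_ HANDLE *RegistryTransactionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjAttributes
    );
#endif

#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitRegistryTransaction(
    _In_ HANDLE RegistryTransactionHandle,
    _Reserved_ ULONG Flags
    );
#endif

#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackRegistryTransaction(
    _In_ HANDLE RegistryTransactionHandle,
    _Reserved_ ULONG Flags
    );
#endif

--------------------------------------------------------------------------------
/ntseapi.h:
--------------------------------------------------------------------------------
// Privileges

// LUID LowPart values of the well-known privileges (as in winnt.h);
// SE_MIN_WELL_KNOWN_PRIVILEGE and SE_MAX_WELL_KNOWN_PRIVILEGE bracket the
// range. When auditing token grants, several of these (e.g. SE_TCB,
// SE_DEBUG, SE_LOAD_DRIVER, SE_RESTORE, SE_BACKUP, SE_TAKE_OWNERSHIP,
// SE_ASSIGNPRIMARYTOKEN, SE_CREATE_TOKEN) are commonly treated as
// administrator-equivalent.
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)

#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_UNDOCK_PRIVILEGE (25L)
#define SE_SYNC_AGENT_PRIVILEGE (26L)
#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)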
| #define SE_MANAGE_VOLUME_PRIVILEGE (28L) 32 | #define SE_IMPERSONATE_PRIVILEGE (29L) 33 | #define SE_CREATE_GLOBAL_PRIVILEGE (30L) 34 | #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) 35 | #define SE_RELABEL_PRIVILEGE (32L) 36 | #define SE_INC_WORKING_SET_PRIVILEGE (33L) 37 | #define SE_TIME_ZONE_PRIVILEGE (34L) 38 | #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) 39 | #define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L) 40 | #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE 41 | 42 | // Authz 43 | 44 | // begin_rev 45 | 46 | // Types 47 | 48 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00 49 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01 50 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02 51 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03 52 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04 53 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05 54 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06 55 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10 56 | 57 | // Flags 58 | 59 | #define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001 60 | #define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002 61 | #define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 62 | #define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 63 | #define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 64 | #define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 65 | #define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 66 | 67 | #define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \ 68 | TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \ 69 | TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \ 70 | TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \ 71 | TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \ 72 | TOKEN_SECURITY_ATTRIBUTE_DISABLED | \ 73 | TOKEN_SECURITY_ATTRIBUTE_MANDATORY) 74 | 75 | #define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000 76 | 77 | // end_rev 78 | 79 | // private 80 | typedef struct 
_TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE 81 | { 82 | ULONG64 Version; 83 | UNICODE_STRING Name; 84 | } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; 85 | 86 | // private 87 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE 88 | { 89 | PVOID pValue; 90 | ULONG ValueLength; 91 | } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; 92 | 93 | // private 94 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 95 | { 96 | UNICODE_STRING Name; 97 | USHORT ValueType; 98 | USHORT Reserved; 99 | ULONG Flags; 100 | ULONG ValueCount; 101 | union 102 | { 103 | PLONG64 pInt64; 104 | PULONG64 pUint64; 105 | PUNICODE_STRING pString; 106 | PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; 107 | PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; 108 | } Values; 109 | } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; 110 | 111 | // rev 112 | #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1 113 | // rev 114 | #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 115 | 116 | // private 117 | typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION 118 | { 119 | USHORT Version; 120 | USHORT Reserved; 121 | ULONG AttributeCount; 122 | union 123 | { 124 | PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; 125 | } Attribute; 126 | } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; 127 | 128 | // private 129 | typedef enum _TOKEN_SECURITY_ATTRIBUTE_OPERATION 130 | { 131 | TOKEN_SECURITY_ATTRIBUTE_OPERATION_NONE, 132 | TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, 133 | TOKEN_SECURITY_ATTRIBUTE_OPERATION_ADD, 134 | TOKEN_SECURITY_ATTRIBUTE_OPERATION_DELETE, 135 | TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE 136 | } TOKEN_SECURITY_ATTRIBUTE_OPERATION, *PTOKEN_SECURITY_ATTRIBUTE_OPERATION; 137 | 138 | // private 139 | typedef struct _TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION 140 | { 141 | 
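PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes; // trailing members of the struct whose head precedes this excerpt
PTOKEN_SECURITY_ATTRIBUTE_OPERATION Operations;
} TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION;

// rev
// Holds the process trust-level SID associated with a token.
typedef struct _TOKEN_PROCESS_TRUST_LEVEL
{
    PSID TrustLevelSid;
} TOKEN_PROCESS_TRUST_LEVEL, *PTOKEN_PROCESS_TRUST_LEVEL;

// Tokens
//
// Every routine below returns NTSTATUS. Handle-producing calls write the new
// handle through an _Out_ PHANDLE and take an ACCESS_MASK plus optional
// OBJECT_ATTRIBUTES. Buffer-filling calls pair the buffer with an explicit
// byte length and report the size needed or written through ReturnLength;
// the SAL annotation on each parameter is the authoritative contract.

// Creates a token of the given TOKEN_TYPE from explicit user, group, privilege,
// owner, primary-group, default-DACL and source data. Owner and DefaultDacl are
// optional; every other input is required.
// NOTE(review): building a token from scratch is a privileged operation
// (publicly documented as requiring SeCreateTokenPrivilege) — confirm the
// caller's context before depending on this call.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE Type,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE Source
    );

#if (NTDDI_VERSION >= NTDDI_WIN8)
// Derives a LowBox token (the package-SID / capability model) from
// ExistingTokenHandle. Capabilities and Handles are optional arrays sized by
// CapabilityCount and HandleCount; pass 0 and NULL when there are none.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE *Handles
    );
#endif

#if (NTDDI_VERSION >= NTDDI_WIN8)
// NtCreateToken extended with optional user/device security attributes,
// device groups and a mandatory (integrity) policy. All of the added inputs
// are _In_opt_.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTokenEx(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE Type,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
    _In_opt_ PTOKEN_GROUPS DeviceGroups,
    _In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE Source
    );
#endif

// Opens the primary token of ProcessHandle's process with DesiredAccess.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _Out_ PHANDLE TokenHandle
    );

// As NtOpenProcessToken, with HandleAttributes applied to the returned handle.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessTokenEx(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );

// Opens the impersonation token of ThreadHandle's thread.
// NOTE(review): per the public docs OpenAsSelf selects whether the access
// check runs against the process-level security context instead of the
// thread's current impersonation context — confirm for the caller.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _Out_ PHANDLE TokenHandle
    );

// As NtOpenThreadToken, with HandleAttributes applied to the returned handle.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );

// Duplicates ExistingTokenHandle into a new token of TOKEN_TYPE Type;
// EffectiveOnly is a BOOLEAN switch passed straight through.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDuplicateToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE Type,
    _Out_ PHANDLE NewTokenHandle
    );

// Query by TOKEN_INFORMATION_CLASS. TokenInformation may be NULL (the _opt_
// in the annotation); ReturnLength is mandatory and receives the byte count
// needed or written, which is the usual two-call sizing idiom.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
    _In_ ULONG TokenInformationLength,
    _Out_ PULONG ReturnLength
    );

// Set by TOKEN_INFORMATION_CLASS; TokenInformation is read for
// TokenInformationLength bytes.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationToken(
    _In_ HANDLE TokenHandle,
    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
    _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
    _In_ ULONG TokenInformationLength
    );

// Enables/disables privileges. NewState is optional (DisableAllPrivileges
// covers the no-state case); PreviousState is an optional output buffer of
// BufferLength bytes, with ReturnLength reporting the size actually needed.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN DisableAllPrivileges,
    _In_opt_ PTOKEN_PRIVILEGES NewState,
    _In_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
    _Out_opt_ PULONG ReturnLength
    );

// Group counterpart of NtAdjustPrivilegesToken. BufferLength is tagged
// _In_opt_ on a by-value ULONG, which the sibling prototype writes as _In_;
// the difference has no effect on callers.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustGroupsToken(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN ResetToDefault,
    _In_opt_ PTOKEN_GROUPS NewState,
    _In_opt_ ULONG BufferLength,
    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
    _Out_opt_ PULONG ReturnLength
    );

#if (NTDDI_VERSION >= NTDDI_WIN8)
// Adjusts user claims, device claims and device groups in one call. Each of
// the three previous-state outputs is an optional buffer with its own length
// input and its own optional return-length output, so a caller interested in
// only one of them can pass 0/NULL for the other two.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAdjustTokenClaimsAndDeviceGroups(
    _In_ HANDLE TokenHandle,
    _In_ BOOLEAN UserResetToDefault,
    _In_ BOOLEAN DeviceResetToDefault,
    _In_ BOOLEAN DeviceGroupsResetToDefault,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
    _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
    _In_ ULONG UserBufferLength,
    _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
    _In_ ULONG DeviceBufferLength,
    _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
    _In_ ULONG DeviceGroupsBufferLength,
    _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
    _Out_opt_ PULONG UserReturnLength,
    _Out_opt_ PULONG DeviceReturnLength,
    _Out_opt_ PULONG DeviceGroupsReturnBufferLength
    );
#endif

// Produces a restricted copy of ExistingTokenHandle: SIDs to mark deny-only,
// privileges to remove and restricting SIDs are all optional inputs.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterToken(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _Out_ PHANDLE NewTokenHandle
    );

#if (NTDDI_VERSION >= NTDDI_WIN8)
// NtFilterToken extended with claim and device-group filtering.
// NOTE(review): UserClaimsToDisable / DeviceClaimsToDisable are paired with
// Disable*ClaimsCount, which reads as count + array; the annotation here is a
// plain _In_opt_ rather than _In_reads_opt_(count) — verify before tightening.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFilterTokenEx(
    _In_ HANDLE ExistingTokenHandle,
    _In_ ULONG Flags,
    _In_opt_ PTOKEN_GROUPS SidsToDisable,
    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
    _In_opt_ PTOKEN_GROUPS RestrictedSids,
    _In_ ULONG DisableUserClaimsCount,
    _In_opt_ PUNICODE_STRING UserClaimsToDisable,
    _In_ ULONG DisableDeviceClaimsCount,
    _In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
    _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
    _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
    _Out_ PHANDLE NewTokenHandle
    );
#endif

// Reports through Equal whether two tokens compare as equivalent.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareTokens(
    _In_ HANDLE FirstTokenHandle,
    _In_ HANDLE SecondTokenHandle,
    _Out_ PBOOLEAN Equal
    );

// Checks RequiredPrivileges against ClientToken; the set is _Inout_, so the
// call updates it in place, and Result carries the overall verdict.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeCheck(
    _In_ HANDLE ClientToken,
    _Inout_ PPRIVILEGE_SET RequiredPrivileges,
    _Out_ PBOOLEAN Result
    );

// Makes ThreadHandle's thread impersonate the anonymous logon token.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateAnonymousToken(
    _In_ HANDLE ThreadHandle
    );

#if (NTDDI_VERSION >= NTDDI_WIN7)
// rev
// Looks up named security attributes on a token. Attributes is an optional
// array of NumberOfAttributes names; Buffer receives up to Length bytes laid
// out as TOKEN_SECURITY_ATTRIBUTES_INFORMATION, with ReturnLength mandatory.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySecurityAttributesToken(
    _In_ HANDLE TokenHandle,
    _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
    _In_ ULONG NumberOfAttributes,
    _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
    _In_ ULONG Length,
    _Out_ PULONG ReturnLength
    );
#endif

// Access checking
//
// Each variant evaluates DesiredAccess for ClientToken against a security
// descriptor. PrivilegeSet is an output buffer whose size is passed in and
// updated through PrivilegeSetLength (_Inout_). GrantedAccess/AccessStatus are
// single values, except in the ResultList form where both are arrays of
// ObjectTypeListLength entries, one per object-type-list element.

NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByType(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultList(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
    );

// Signing

#if (NTDDI_VERSION >= NTDDI_WIN10)

// Records a cached signing level. SourceFiles is an array of SourceFileCount
// handles; TargetFile is optional.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetCachedSigningLevel(
    _In_ ULONG Flags,
    _In_ SE_SIGNING_LEVEL InputSigningLevel,
    _In_reads_(SourceFileCount) PHANDLE SourceFiles,
    _In_ ULONG SourceFileCount,
    _In_opt_ HANDLE TargetFile
    );

// Reads the cached signing level of File. Thumbprint/ThumbprintSize/
// ThumbprintAlgorithm are all optional; when Thumbprint is supplied,
// *ThumbprintSize is both its capacity on entry and the bytes written on
// return (the annotation uses *ThumbprintSize for both).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetCachedSigningLevel(
    _In_ HANDLE File,
    _Out_ PULONG Flags,
    _Out_ PSE_SIGNING_LEVEL SigningLevel,
    _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
    _Inout_opt_ PULONG ThumbprintSize,
    _Out_opt_ PULONG ThumbprintAlgorithm
    );

// rev
// Compares two signing levels. There is no output parameter: the verdict is
// carried entirely in the returned NTSTATUS.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareSigningLevels(
    _In_ SE_SIGNING_LEVEL FirstSigningLevel,
    _In_ SE_SIGNING_LEVEL SecondSigningLevel
    );

#endif

// Audit alarm
//
// Audit-generating variants of the access checks above plus object-lifecycle
// audit calls. SubsystemName/ObjectTypeName/ObjectName identify the audited
// object; HandleId is an opaque optional PVOID. GenerateOnClose is written by
// the open/access-check calls and later handed back to the Close/Delete calls.

NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// ResultList form: GrantedAccess and AccessStatus are per-entry arrays.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Same as the previous call but with an explicit ClientToken instead of the
// caller's current context.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ AUDIT_EVENT_TYPE AuditType,
    _In_ ULONG Flags,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ BOOLEAN ObjectCreation,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Audits an object open whose access decision (GrantedAccess, AccessGranted)
// was already made by the caller; SecurityDescriptor and Privileges optional.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ PUNICODE_STRING ObjectTypeName,
    _In_ PUNICODE_STRING ObjectName,
    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK GrantedAccess,
    _In_opt_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN ObjectCreation,
    _In_ BOOLEAN AccessGranted,
    _Out_ PBOOLEAN GenerateOnClose
    );

// Audits a privilege use against an object.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

// Close/Delete take back the GenerateOnClose flag produced at open time.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ BOOLEAN GenerateOnClose
    );

// Audits a privileged service call (identified by ServiceName) rather than an
// object access.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegedServiceAuditAlarm(
    _In_ PUNICODE_STRING SubsystemName,
    _In_ PUNICODE_STRING ServiceName,
    _In_ HANDLE ClientToken,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

// ============================================================================
// ntsmss.h
// ============================================================================
//
// Session-manager (smss) port helpers. These are declared NTSYSAPI, like the
// Rtl* routines, rather than NTSYSCALLAPI like the Nt* syscalls above.

// Connects to the SM API port named by ApiPortName and returns the connection
// handle through SmssConnection.
// NOTE(review): ProcessImageType is typed DWORD while every neighbouring
// prototype uses ULONG; the two are the same width on Windows, so this is a
// consistency nit only.
NTSYSAPI
NTSTATUS
NTAPI
RtlConnectToSm(
    _In_ PUNICODE_STRING ApiPortName,
    _In_ HANDLE ApiPortHandle,
    _In_ DWORD ProcessImageType,
    _Out_ PHANDLE SmssConnection
    );

// Sends one PORT_MESSAGE over an established SM port handle.
NTSYSAPI
NTSTATUS
NTAPI
RtlSendMsgToSm(
    _In_ HANDLE ApiPortHandle,
    _In_ PPORT_MESSAGE MessageData
    );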
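// ============================================================================
// nttmapi.h
// ============================================================================
//
// Kernel Transaction Manager native API. Every prototype in this file is
// gated on NTDDI_VISTA. Object-creating calls follow the NtCreate*/NtOpen*
// pattern (_Out_ PHANDLE, ACCESS_MASK, optional OBJECT_ATTRIBUTES);
// Query/SetInformation calls pair an information class with a byte-sized
// buffer and, for queries, an optional ReturnLength.

// --- Transaction manager objects ---

#if (NTDDI_VERSION >= NTDDI_VISTA)
// LogFileName, CreateOptions and CommitStrength are all optional.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTransactionManager(
    _Out_ PHANDLE TmHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PUNICODE_STRING LogFileName,
    _In_opt_ ULONG CreateOptions,
    _In_opt_ ULONG CommitStrength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Opens an existing TM by log file name and/or identity GUID (both optional).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenTransactionManager(
    _Out_ PHANDLE TmHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PUNICODE_STRING LogFileName,
    _In_opt_ LPGUID TmIdentity,
    _In_opt_ ULONG OpenOptions
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRenameTransactionManager(
    _In_ PUNICODE_STRING LogFileName,
    _In_ LPGUID ExistingTransactionManagerGuid
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollforwardTransactionManager(
    _In_ HANDLE TransactionManagerHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRecoverTransactionManager(
    _In_ HANDLE TransactionManagerHandle
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationTransactionManager(
    _In_ HANDLE TransactionManagerHandle,
    _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
    _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
    _In_ ULONG TransactionManagerInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Note TmHandle is _In_opt_ here, unlike the query counterpart.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationTransactionManager(
    _In_opt_ HANDLE TmHandle,
    _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
    _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
    _In_ ULONG TransactionManagerInformationLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Enumerates KTM objects of QueryType under an optional root. ObjectCursor is
// a caller-owned cursor of ObjectCursorLength bytes that the call both reads
// and updates (_Inout_updates_bytes_), so it must be reused across calls.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtEnumerateTransactionObject(
    _In_opt_ HANDLE RootObjectHandle,
    _In_ KTMOBJECT_TYPE QueryType,
    _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor,
    _In_ ULONG ObjectCursorLength,
    _Out_ PULONG ReturnLength
    );
#endif

// --- Transaction objects ---

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Every input after ObjectAttributes is optional, including the owning TM.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTransaction(
    _Out_ PHANDLE TransactionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ LPGUID Uow,
    _In_opt_ HANDLE TmHandle,
    _In_opt_ ULONG CreateOptions,
    _In_opt_ ULONG IsolationLevel,
    _In_opt_ ULONG IsolationFlags,
    _In_opt_ PLARGE_INTEGER Timeout,
    _In_opt_ PUNICODE_STRING Description
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenTransaction(
    _Out_ PHANDLE TransactionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ LPGUID Uow,
    _In_opt_ HANDLE TmHandle
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
    _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation,
    _In_ ULONG TransactionInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
    _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation,
    _In_ ULONG TransactionInformationLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Wait is a BOOLEAN selecting synchronous completion.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ BOOLEAN Wait
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackTransaction(
    _In_ HANDLE TransactionHandle,
    _In_ BOOLEAN Wait
    );
#endif

// --- Enlistment objects ---
//
// An enlistment ties a resource manager to a transaction. The state-transition
// calls below (PrePrepare/Prepare/Commit/Rollback/ReadOnly/SinglePhaseReject
// and the *Complete acknowledgements) all share one shape: the enlistment
// handle plus an optional TmVirtualClock.

#if (NTDDI_VERSION >= NTDDI_VISTA)
// NotificationMask selects which notifications the RM wants; EnlistmentKey is
// an opaque caller value handed back with them.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateEnlistment(
    _Out_ PHANDLE EnlistmentHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE ResourceManagerHandle,
    _In_ HANDLE TransactionHandle,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ ULONG CreateOptions,
    _In_ NOTIFICATION_MASK NotificationMask,
    _In_opt_ PVOID EnlistmentKey
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenEnlistment(
    _Out_ PHANDLE EnlistmentHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE ResourceManagerHandle,
    _In_ LPGUID EnlistmentGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
    _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
    _In_ ULONG EnlistmentInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// EnlistmentHandle is _In_opt_ here, as for NtSetInformationTransactionManager.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationEnlistment(
    _In_opt_ HANDLE EnlistmentHandle,
    _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
    _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
    _In_ ULONG EnlistmentInformationLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRecoverEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PVOID EnlistmentKey
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrePrepareEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrepareEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrePrepareComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrepareComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCommitComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReadOnlyEnlistment(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRollbackComplete(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSinglePhaseReject(
    _In_ HANDLE EnlistmentHandle,
    _In_opt_ PLARGE_INTEGER TmVirtualClock
    );
#endif

// --- Resource manager objects ---

#if (NTDDI_VERSION >= NTDDI_VISTA)
// TmHandle and RmGuid are required here; the Open counterpart makes the GUID
// optional.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateResourceManager(
    _Out_ PHANDLE ResourceManagerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE TmHandle,
    _In_ LPGUID RmGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ ULONG CreateOptions,
    _In_opt_ PUNICODE_STRING Description
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenResourceManager(
    _Out_ PHANDLE ResourceManagerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ HANDLE TmHandle,
    _In_opt_ LPGUID ResourceManagerGuid,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRecoverResourceManager(
    _In_ HANDLE ResourceManagerHandle
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Retrieves the next notification for an RM. TransactionNotification is a
// caller buffer of NotificationLength bytes; Timeout and ReturnLength are
// optional, and Asynchronous/AsynchronousContext select a non-blocking form.
// NOTE(review): the output is annotated as a bare _Out_ even though its size
// is NotificationLength; _Out_writes_bytes_(NotificationLength) would let
// SAL check the buffer as the Query* prototypes in this file do.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNotificationResourceManager(
    _In_ HANDLE ResourceManagerHandle,
    _Out_ PTRANSACTION_NOTIFICATION TransactionNotification,
    _In_ ULONG NotificationLength,
    _In_opt_ PLARGE_INTEGER Timeout,
    _Out_opt_ PULONG ReturnLength,
    _In_ ULONG Asynchronous,
    _In_opt_ ULONG_PTR AsynchronousContext
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationResourceManager(
    _In_ HANDLE ResourceManagerHandle,
    _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
    _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
    _In_ ULONG ResourceManagerInformationLength,
    _Out_opt_ PULONG ReturnLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationResourceManager(
    _In_ HANDLE ResourceManagerHandle,
    _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
    _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
    _In_ ULONG ResourceManagerInformationLength
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// Registers protocol address data for an RM. The first parameter is named
// ResourceManager rather than ResourceManagerHandle like its neighbours.
// NOTE(review): ProtocolInformation is a ProtocolInformationSize-byte input
// buffer; _In_reads_bytes_(ProtocolInformationSize) would express that.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRegisterProtocolAddressInformation(
    _In_ HANDLE ResourceManager,
    _In_ PCRM_PROTOCOL_ID ProtocolId,
    _In_ ULONG ProtocolInformationSize,
    _In_ PVOID ProtocolInformation,
    _In_opt_ ULONG CreateOptions
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// NOTE(review): Buffer is a BufferLength-byte input; _In_reads_bytes_(BufferLength)
// would let SAL check it.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPropagationComplete(
    _In_ HANDLE ResourceManagerHandle,
    _In_ ULONG RequestCookie,
    _In_ ULONG BufferLength,
    _In_ PVOID Buffer
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPropagationFailed(
    _In_ HANDLE ResourceManagerHandle,
    _In_ ULONG RequestCookie,
    _In_ NTSTATUS PropStatus
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// private
// Freezes transaction processing; both timeouts are required LARGE_INTEGERs.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFreezeTransactions(
    _In_ PLARGE_INTEGER FreezeTimeout,
    _In_ PLARGE_INTEGER ThawTimeout
    );
#endif

#if (NTDDI_VERSION >= NTDDI_VISTA)
// private
NTSYSCALLAPI
NTSTATUS
NTAPI
NtThawTransactions(
    VOID
    );
#endif

// ============================================================================
// nttp.h
// ============================================================================
//
// ntdll thread-pool (Tp*) primitives. A "winbase:Name" tag above a prototype
// names the winbase.h routine it corresponds to; "private" and "rev" are the
// header's own markers for routines without a public counterpart. Most
// routines return VOID; allocators return NTSTATUS and are _Check_return_.

// Some types are already defined in winnt.h.

typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;

// private
// Callback signature for ALPC completions registered via TpAllocAlpcCompletion.
typedef VOID (NTAPI *PTP_ALPC_CALLBACK)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PTP_ALPC Alpc
    );

// rev
// Extended form that additionally receives the APC context pointer.
typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PTP_ALPC Alpc,
    _In_ PVOID ApcContext
    );

#if (NTDDI_VERSION >= NTDDI_VISTA)

// --- Pools ---

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocPool(
    _Out_ PTP_POOL *PoolReturn,
    _Reserved_ PVOID Reserved
    );

// winbase:CloseThreadpool
NTSYSAPI
VOID
NTAPI
TpReleasePool(
    _Inout_ PTP_POOL Pool
    );

// winbase:SetThreadpoolThreadMaximum
NTSYSAPI
VOID
NTAPI
TpSetPoolMaxThreads(
    _Inout_ PTP_POOL Pool,
    _In_ ULONG MaxThreads
    );

// private
// Unlike the max-threads setter this one reports failure via NTSTATUS.
NTSYSAPI
NTSTATUS
NTAPI
TpSetPoolMinThreads(
    _Inout_ PTP_POOL Pool,
    _In_ ULONG MinThreads
    );

#if (NTDDI_VERSION >= NTDDI_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI
TpQueryPoolStackInformation(
    _In_ PTP_POOL Pool,
    _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation
    );
#endif

#if (NTDDI_VERSION >= NTDDI_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI
TpSetPoolStackInformation(
    _Inout_ PTP_POOL Pool,
    _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation
    );
#endif

// --- Cleanup groups ---

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocCleanupGroup(
    _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn
    );

// winbase:CloseThreadpoolCleanupGroup
NTSYSAPI
VOID
NTAPI
TpReleaseCleanupGroup(
    _Inout_ PTP_CLEANUP_GROUP CleanupGroup
    );

// winbase:CloseThreadpoolCleanupGroupMembers
NTSYSAPI
VOID
NTAPI
TpReleaseCleanupGroupMembers(
    _Inout_ PTP_CLEANUP_GROUP CleanupGroup,
    _In_ LOGICAL CancelPendingCallbacks,
    _Inout_opt_ PVOID CleanupParameter
    );

// --- Callback-instance actions (performed when the running callback returns) ---

// winbase:SetEventWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackSetEventOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ HANDLE Event
    );

// winbase:ReleaseSemaphoreWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackReleaseSemaphoreOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ HANDLE Semaphore,
    _In_ ULONG ReleaseCount
    );

// winbase:ReleaseMutexWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackReleaseMutexOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ HANDLE Mutex
    );

// winbase:LeaveCriticalSectionWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackLeaveCriticalSectionOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_ PRTL_CRITICAL_SECTION CriticalSection
    );

// winbase:FreeLibraryWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackUnloadDllOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ PVOID DllHandle
    );

// winbase:CallbackMayRunLong
NTSYSAPI
NTSTATUS
NTAPI
TpCallbackMayRunLong(
    _Inout_ PTP_CALLBACK_INSTANCE Instance
    );

// winbase:DisassociateCurrentThreadFromCallback
NTSYSAPI
VOID
NTAPI
TpDisassociateCallback(
    _Inout_ PTP_CALLBACK_INSTANCE Instance
    );

// --- Simple callbacks and work items ---

// winbase:TrySubmitThreadpoolCallback
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpSimpleTryPost(
    _In_ PTP_SIMPLE_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocWork(
    _Out_ PTP_WORK *WorkReturn,
    _In_ PTP_WORK_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

// winbase:CloseThreadpoolWork
NTSYSAPI
VOID
NTAPI
TpReleaseWork(
    _Inout_ PTP_WORK Work
    );

// winbase:SubmitThreadpoolWork
NTSYSAPI
VOID
NTAPI
TpPostWork(
    _Inout_ PTP_WORK Work
    );

// winbase:WaitForThreadpoolWorkCallbacks
NTSYSAPI
VOID
NTAPI
TpWaitForWork(
    _Inout_ PTP_WORK Work,
    _In_ LOGICAL CancelPendingCallbacks
    );

// --- Timers ---

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocTimer(
    _Out_ PTP_TIMER *Timer,
    _In_ PTP_TIMER_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

// winbase:CloseThreadpoolTimer
NTSYSAPI
VOID
NTAPI
TpReleaseTimer(
    _Inout_ PTP_TIMER Timer
    );

// winbase:SetThreadpoolTimer
// DueTime is optional (NULL); Period and WindowLength are plain ULONGs.
NTSYSAPI
VOID
NTAPI
TpSetTimer(
    _Inout_ PTP_TIMER Timer,
    _In_opt_ PLARGE_INTEGER DueTime,
    _In_ ULONG Period,
    _In_opt_ ULONG WindowLength
    );

#if (NTDDI_VERSION >= NTDDI_WIN8)
// winbase:SetThreadpoolTimerEx
// Same parameters as TpSetTimer but returns NTSTATUS instead of VOID.
NTSYSAPI
NTSTATUS
NTAPI
TpSetTimerEx(
    _Inout_ PTP_TIMER Timer,
    _In_opt_ PLARGE_INTEGER DueTime,
    _In_ ULONG Period,
    _In_opt_ ULONG WindowLength
    );
#endif

// winbase:IsThreadpoolTimerSet
NTSYSAPI
LOGICAL
NTAPI
TpIsTimerSet(
    _In_ PTP_TIMER Timer
    );

// winbase:WaitForThreadpoolTimerCallbacks
NTSYSAPI
VOID
NTAPI
TpWaitForTimer(
    _Inout_ PTP_TIMER Timer,
    _In_ LOGICAL CancelPendingCallbacks
    );

// --- Waits ---

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocWait(
    _Out_ PTP_WAIT *WaitReturn,
    _In_ PTP_WAIT_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

// winbase:CloseThreadpoolWait
NTSYSAPI
VOID
NTAPI
TpReleaseWait(
    _Inout_ PTP_WAIT Wait
    );

// winbase:SetThreadpoolWait
NTSYSAPI
VOID
NTAPI
TpSetWait(
    _Inout_ PTP_WAIT Wait,
    _In_opt_ HANDLE Handle,
    _In_opt_ PLARGE_INTEGER Timeout
    );

#if (NTDDI_VERSION >= NTDDI_WIN8)
// winbase:SetThreadpoolWaitEx
NTSYSAPI
NTSTATUS
NTAPI
TpSetWaitEx(
    _Inout_ PTP_WAIT Wait,
    _In_opt_ HANDLE Handle,
    _In_opt_ PLARGE_INTEGER Timeout,
    _In_opt_ PVOID Reserved
    );
#endif

// winbase:WaitForThreadpoolWaitCallbacks
NTSYSAPI
VOID
NTAPI
TpWaitForWait(
    _Inout_ PTP_WAIT Wait,
    _In_ LOGICAL CancelPendingCallbacks
    );

// --- I/O completion ---

// private
// Callback for completed I/O: receives the APC context, the IO_STATUS_BLOCK
// of the operation and the owning TP_IO object.
typedef VOID (NTAPI *PTP_IO_CALLBACK)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PVOID ApcContext,
    _In_ PIO_STATUS_BLOCK IoSB,
    _In_ PTP_IO Io
    );

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocIoCompletion(
    _Out_ PTP_IO *IoReturn,
    _In_ HANDLE File,
    _In_ PTP_IO_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

// winbase:CloseThreadpoolIo
NTSYSAPI
VOID
NTAPI
TpReleaseIoCompletion(
    _Inout_ PTP_IO Io
    );

// winbase:StartThreadpoolIo
NTSYSAPI
VOID
NTAPI
TpStartAsyncIoOperation(
    _Inout_ PTP_IO Io
    );

// winbase:CancelThreadpoolIo
NTSYSAPI
VOID
NTAPI
TpCancelAsyncIoOperation(
    _Inout_ PTP_IO Io
    );

// winbase:WaitForThreadpoolIoCallbacks
NTSYSAPI
VOID
NTAPI
TpWaitForIoCompletion(
    _Inout_ PTP_IO Io,
    _In_ LOGICAL CancelPendingCallbacks
    );

// --- ALPC completion ---

// private
// Not _Check_return_, unlike the other allocators above.
NTSYSAPI
NTSTATUS
NTAPI
TpAllocAlpcCompletion(
    _Out_ PTP_ALPC *AlpcReturn,
    _In_ HANDLE AlpcPort,
    _In_ PTP_ALPC_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

#if (NTDDI_VERSION >= NTDDI_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI
TpAllocAlpcCompletionEx(
    _Out_ PTP_ALPC *AlpcReturn,
    _In_ HANDLE AlpcPort,
    _In_ PTP_ALPC_CALLBACK_EX Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );
#endif

// private
NTSYSAPI
VOID
NTAPI
TpReleaseAlpcCompletion(
    _Inout_ PTP_ALPC Alpc
    );

// private
NTSYSAPI
VOID
NTAPI
TpWaitForAlpcCompletion(
    _Inout_ PTP_ALPC Alpc
    );

// --- Tracing / worker maintenance ---

// private
// Note the enumeration starts at 1, so 0 is not a valid TP_TRACE_TYPE.
typedef enum _TP_TRACE_TYPE
{
    TpTraceThreadPriority = 1,
    TpTraceThreadAffinity,
    MaxTpTraceType
} TP_TRACE_TYPE;

// private
NTSYSAPI
VOID
NTAPI
TpCaptureCaller(
    _In_ TP_TRACE_TYPE Type
    );

// private
NTSYSAPI
VOID
NTAPI
TpCheckTerminateWorker(
    _In_ HANDLE Thread
    );

#endif

// ============================================================================
// ntwow64.h
// ============================================================================

// Directory and display-name tags used for the 32-bit subsystem on 64-bit
// Windows, in ANSI and wide forms.
#define WOW64_SYSTEM_DIRECTORY "SysWOW64"
#define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64"
#define WOW64_X86_TAG " (x86)"
#define WOW64_X86_TAG_U L" (x86)"

// In USER_SHARED_DATA
// Indices into the shared page's table of 32-bit ntdll entry points; the last
// enumerator is the table size.
typedef enum _WOW64_SHARED_INFORMATION
{
    SharedNtdll32LdrInitializeThunk,
    SharedNtdll32KiUserExceptionDispatcher,
    SharedNtdll32KiUserApcDispatcher,
    SharedNtdll32KiUserCallbackDispatcher,
    SharedNtdll32ExpInterlockedPopEntrySListFault,
    SharedNtdll32ExpInterlockedPopEntrySListResume,
    SharedNtdll32ExpInterlockedPopEntrySListEnd,
    SharedNtdll32RtlUserThreadStart,
    SharedNtdll32pQueryProcessDebugInformationRemote,
    SharedNtdll32BaseAddress,
    SharedNtdll32LdrSystemDllInitBlock,
    Wow64SharedPageEntriesCount
} WOW64_SHARED_INFORMATION;

// 32-bit definitions

// Collapses any pointer type to a 32-bit ULONG so the *32 structures below keep
// the layout a 32-bit process sees. The Type argument is documentation only;
// the macro ignores it.
#define WOW64_POINTER(Type) ULONG

// 32-bit layout of RTL_BALANCED_NODE. The second union packs the Red/Balance
// bit-fields into the same 32-bit word as ParentValue, so the parent link must
// be masked before use.
typedef struct _RTL_BALANCED_NODE32
{
    union
    {
        WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2];
        struct
        {
            WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left;
            WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right;
        };
    };
    union
    {
        WOW64_POINTER(UCHAR) Red : 1;
        WOW64_POINTER(UCHAR) Balance : 2;
        WOW64_POINTER(ULONG_PTR) ParentValue;
    };
} RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32;

// 32-bit layout of RTL_RB_TREE: root and minimum node as 32-bit pointers.
typedef struct _RTL_RB_TREE32
{
    WOW64_POINTER(PRTL_BALANCED_NODE) Root;
    WOW64_POINTER(PRTL_BALANCED_NODE) Min;
} RTL_RB_TREE32, *PRTL_RB_TREE32;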
| typedef struct _PEB_LDR_DATA32 53 | { 54 | ULONG Length; 55 | BOOLEAN Initialized; 56 | WOW64_POINTER(HANDLE) SsHandle; 57 | LIST_ENTRY32 InLoadOrderModuleList; 58 | LIST_ENTRY32 InMemoryOrderModuleList; 59 | LIST_ENTRY32 InInitializationOrderModuleList; 60 | WOW64_POINTER(PVOID) EntryInProgress; 61 | BOOLEAN ShutdownInProgress; 62 | WOW64_POINTER(HANDLE) ShutdownThreadId; 63 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32; 64 | 65 | typedef struct _LDR_SERVICE_TAG_RECORD32 66 | { 67 | WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next; 68 | ULONG ServiceTag; 69 | } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32; 70 | 71 | typedef struct _LDRP_CSLIST32 72 | { 73 | WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail; 74 | } LDRP_CSLIST32, *PLDRP_CSLIST32; 75 | 76 | typedef struct _LDR_DDAG_NODE32 77 | { 78 | LIST_ENTRY32 Modules; 79 | WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList; 80 | ULONG LoadCount; 81 | ULONG LoadWhileUnloadingCount; 82 | ULONG LowestLink; 83 | union 84 | { 85 | LDRP_CSLIST32 Dependencies; 86 | SINGLE_LIST_ENTRY32 RemovalLink; 87 | }; 88 | LDRP_CSLIST32 IncomingDependencies; 89 | LDR_DDAG_STATE State; 90 | SINGLE_LIST_ENTRY32 CondenseLink; 91 | ULONG PreorderNumber; 92 | } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32; 93 | 94 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode) 95 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue) 96 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions) 97 | 98 | typedef struct _LDR_DATA_TABLE_ENTRY32 99 | { 100 | LIST_ENTRY32 InLoadOrderLinks; 101 | LIST_ENTRY32 InMemoryOrderLinks; 102 | union 103 | { 104 | LIST_ENTRY32 InInitializationOrderLinks; 105 | LIST_ENTRY32 InProgressLinks; 106 | }; 107 | WOW64_POINTER(PVOID) DllBase; 108 | WOW64_POINTER(PVOID) EntryPoint; 109 | ULONG SizeOfImage; 110 | UNICODE_STRING32 FullDllName; 111 | UNICODE_STRING32 BaseDllName; 112 | union 113 | { 114 | UCHAR 
FlagGroup[4]; 115 | ULONG Flags; 116 | struct 117 | { 118 | ULONG PackagedBinary : 1; 119 | ULONG MarkedForRemoval : 1; 120 | ULONG ImageDll : 1; 121 | ULONG LoadNotificationsSent : 1; 122 | ULONG TelemetryEntryProcessed : 1; 123 | ULONG ProcessStaticImport : 1; 124 | ULONG InLegacyLists : 1; 125 | ULONG InIndexes : 1; 126 | ULONG ShimDll : 1; 127 | ULONG InExceptionTable : 1; 128 | ULONG ReservedFlags1 : 2; 129 | ULONG LoadInProgress : 1; 130 | ULONG LoadConfigProcessed : 1; 131 | ULONG EntryProcessed : 1; 132 | ULONG ProtectDelayLoad : 1; 133 | ULONG ReservedFlags3 : 2; 134 | ULONG DontCallForThreads : 1; 135 | ULONG ProcessAttachCalled : 1; 136 | ULONG ProcessAttachFailed : 1; 137 | ULONG CorDeferredValidate : 1; 138 | ULONG CorImage : 1; 139 | ULONG DontRelocate : 1; 140 | ULONG CorILOnly : 1; 141 | ULONG ChpeImage : 1; 142 | ULONG ReservedFlags5 : 2; 143 | ULONG Redirected : 1; 144 | ULONG ReservedFlags6 : 2; 145 | ULONG CompatDatabaseProcessed : 1; 146 | }; 147 | }; 148 | USHORT ObsoleteLoadCount; 149 | USHORT TlsIndex; 150 | LIST_ENTRY32 HashLinks; 151 | ULONG TimeDateStamp; 152 | WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext; 153 | WOW64_POINTER(PVOID) Lock; 154 | WOW64_POINTER(PLDR_DDAG_NODE) DdagNode; 155 | LIST_ENTRY32 NodeModuleLink; 156 | WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext; 157 | WOW64_POINTER(PVOID) ParentDllBase; 158 | WOW64_POINTER(PVOID) SwitchBackContext; 159 | RTL_BALANCED_NODE32 BaseAddressIndexNode; 160 | RTL_BALANCED_NODE32 MappingInfoIndexNode; 161 | WOW64_POINTER(ULONG_PTR) OriginalBase; 162 | LARGE_INTEGER LoadTime; 163 | ULONG BaseNameHashValue; 164 | LDR_DLL_LOAD_REASON LoadReason; 165 | ULONG ImplicitPathOptions; 166 | ULONG ReferenceCount; 167 | ULONG DependentLoadFlags; 168 | UCHAR SigningLevel; // since REDSTONE2 169 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; 170 | 171 | typedef struct _CURDIR32 172 | { 173 | UNICODE_STRING32 DosPath; 174 | WOW64_POINTER(HANDLE) Handle; 175 | } 
CURDIR32, *PCURDIR32; 176 | 177 | typedef struct _RTL_DRIVE_LETTER_CURDIR32 178 | { 179 | USHORT Flags; 180 | USHORT Length; 181 | ULONG TimeStamp; 182 | STRING32 DosPath; 183 | } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; 184 | 185 | typedef struct _RTL_USER_PROCESS_PARAMETERS32 186 | { 187 | ULONG MaximumLength; 188 | ULONG Length; 189 | 190 | ULONG Flags; 191 | ULONG DebugFlags; 192 | 193 | WOW64_POINTER(HANDLE) ConsoleHandle; 194 | ULONG ConsoleFlags; 195 | WOW64_POINTER(HANDLE) StandardInput; 196 | WOW64_POINTER(HANDLE) StandardOutput; 197 | WOW64_POINTER(HANDLE) StandardError; 198 | 199 | CURDIR32 CurrentDirectory; 200 | UNICODE_STRING32 DllPath; 201 | UNICODE_STRING32 ImagePathName; 202 | UNICODE_STRING32 CommandLine; 203 | WOW64_POINTER(PVOID) Environment; 204 | 205 | ULONG StartingX; 206 | ULONG StartingY; 207 | ULONG CountX; 208 | ULONG CountY; 209 | ULONG CountCharsX; 210 | ULONG CountCharsY; 211 | ULONG FillAttribute; 212 | 213 | ULONG WindowFlags; 214 | ULONG ShowWindowFlags; 215 | UNICODE_STRING32 WindowTitle; 216 | UNICODE_STRING32 DesktopInfo; 217 | UNICODE_STRING32 ShellInfo; 218 | UNICODE_STRING32 RuntimeData; 219 | RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 220 | 221 | WOW64_POINTER(ULONG_PTR) EnvironmentSize; 222 | WOW64_POINTER(ULONG_PTR) EnvironmentVersion; 223 | WOW64_POINTER(PVOID) PackageDependencyData; 224 | ULONG ProcessGroupId; 225 | ULONG LoaderThreads; 226 | 227 | UNICODE_STRING32 RedirectionDllName; // REDSTONE4 228 | UNICODE_STRING32 HeapPartitionName; // 19H1 229 | WOW64_POINTER(ULONG_PTR) DefaultThreadpoolCpuSetMasks; 230 | ULONG DefaultThreadpoolCpuSetMaskCount; 231 | } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; 232 | 233 | typedef struct _PEB32 234 | { 235 | BOOLEAN InheritedAddressSpace; 236 | BOOLEAN ReadImageFileExecOptions; 237 | BOOLEAN BeingDebugged; 238 | union 239 | { 240 | BOOLEAN BitField; 241 | struct 242 | { 243 | BOOLEAN ImageUsesLargePages : 1; 244 | 
BOOLEAN IsProtectedProcess : 1; 245 | BOOLEAN IsImageDynamicallyRelocated : 1; 246 | BOOLEAN SkipPatchingUser32Forwarders : 1; 247 | BOOLEAN IsPackagedProcess : 1; 248 | BOOLEAN IsAppContainer : 1; 249 | BOOLEAN IsProtectedProcessLight : 1; 250 | BOOLEAN IsLongPathAwareProcess : 1; 251 | }; 252 | }; 253 | WOW64_POINTER(HANDLE) Mutant; 254 | 255 | WOW64_POINTER(PVOID) ImageBaseAddress; 256 | WOW64_POINTER(PPEB_LDR_DATA) Ldr; 257 | WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; 258 | WOW64_POINTER(PVOID) SubSystemData; 259 | WOW64_POINTER(PVOID) ProcessHeap; 260 | WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; 261 | WOW64_POINTER(PVOID) AtlThunkSListPtr; 262 | WOW64_POINTER(PVOID) IFEOKey; 263 | union 264 | { 265 | ULONG CrossProcessFlags; 266 | struct 267 | { 268 | ULONG ProcessInJob : 1; 269 | ULONG ProcessInitializing : 1; 270 | ULONG ProcessUsingVEH : 1; 271 | ULONG ProcessUsingVCH : 1; 272 | ULONG ProcessUsingFTH : 1; 273 | ULONG ReservedBits0 : 27; 274 | }; 275 | }; 276 | union 277 | { 278 | WOW64_POINTER(PVOID) KernelCallbackTable; 279 | WOW64_POINTER(PVOID) UserSharedInfoPtr; 280 | }; 281 | ULONG SystemReserved; 282 | ULONG AtlThunkSListPtr32; 283 | WOW64_POINTER(PVOID) ApiSetMap; 284 | ULONG TlsExpansionCounter; 285 | WOW64_POINTER(PVOID) TlsBitmap; 286 | ULONG TlsBitmapBits[2]; 287 | WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; 288 | WOW64_POINTER(PVOID) HotpatchInformation; 289 | WOW64_POINTER(PVOID *) ReadOnlyStaticServerData; 290 | WOW64_POINTER(PVOID) AnsiCodePageData; 291 | WOW64_POINTER(PVOID) OemCodePageData; 292 | WOW64_POINTER(PVOID) UnicodeCaseTableData; 293 | 294 | ULONG NumberOfProcessors; 295 | ULONG NtGlobalFlag; 296 | 297 | LARGE_INTEGER CriticalSectionTimeout; 298 | WOW64_POINTER(SIZE_T) HeapSegmentReserve; 299 | WOW64_POINTER(SIZE_T) HeapSegmentCommit; 300 | WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; 301 | WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; 302 | 303 | ULONG NumberOfHeaps; 304 | ULONG 
MaximumNumberOfHeaps; 305 | WOW64_POINTER(PVOID *) ProcessHeaps; 306 | 307 | WOW64_POINTER(PVOID) GdiSharedHandleTable; 308 | WOW64_POINTER(PVOID) ProcessStarterHelper; 309 | ULONG GdiDCAttributeList; 310 | 311 | WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; 312 | 313 | ULONG OSMajorVersion; 314 | ULONG OSMinorVersion; 315 | USHORT OSBuildNumber; 316 | USHORT OSCSDVersion; 317 | ULONG OSPlatformId; 318 | ULONG ImageSubsystem; 319 | ULONG ImageSubsystemMajorVersion; 320 | ULONG ImageSubsystemMinorVersion; 321 | WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask; 322 | GDI_HANDLE_BUFFER32 GdiHandleBuffer; 323 | WOW64_POINTER(PVOID) PostProcessInitRoutine; 324 | 325 | WOW64_POINTER(PVOID) TlsExpansionBitmap; 326 | ULONG TlsExpansionBitmapBits[32]; 327 | 328 | ULONG SessionId; 329 | 330 | ULARGE_INTEGER AppCompatFlags; 331 | ULARGE_INTEGER AppCompatFlagsUser; 332 | WOW64_POINTER(PVOID) pShimData; 333 | WOW64_POINTER(PVOID) AppCompatInfo; 334 | 335 | UNICODE_STRING32 CSDVersion; 336 | 337 | WOW64_POINTER(PVOID) ActivationContextData; 338 | WOW64_POINTER(PVOID) ProcessAssemblyStorageMap; 339 | WOW64_POINTER(PVOID) SystemDefaultActivationContextData; 340 | WOW64_POINTER(PVOID) SystemAssemblyStorageMap; 341 | 342 | WOW64_POINTER(SIZE_T) MinimumStackCommit; 343 | 344 | WOW64_POINTER(PVOID) SparePointers[4]; 345 | ULONG SpareUlongs[5]; 346 | //WOW64_POINTER(PVOID *) FlsCallback; 347 | //LIST_ENTRY32 FlsListHead; 348 | //WOW64_POINTER(PVOID) FlsBitmap; 349 | //ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 350 | //ULONG FlsHighIndex; 351 | 352 | WOW64_POINTER(PVOID) WerRegistrationData; 353 | WOW64_POINTER(PVOID) WerShipAssertPtr; 354 | WOW64_POINTER(PVOID) pContextData; 355 | WOW64_POINTER(PVOID) pImageHeaderHash; 356 | union 357 | { 358 | ULONG TracingFlags; 359 | struct 360 | { 361 | ULONG HeapTracingEnabled : 1; 362 | ULONG CritSecTracingEnabled : 1; 363 | ULONG LibLoaderTracingEnabled : 1; 364 | ULONG SpareTracingBits : 29; 365 | }; 366 | }; 367 | 
ULONGLONG CsrServerReadOnlySharedMemoryBase; 368 | WOW64_POINTER(PVOID) TppWorkerpListLock; 369 | LIST_ENTRY32 TppWorkerpList; 370 | WOW64_POINTER(PVOID) WaitOnAddressHashTable[128]; 371 | WOW64_POINTER(PVOID) TelemetryCoverageHeader; // REDSTONE3 372 | ULONG CloudFileFlags; 373 | ULONG CloudFileDiagFlags; // REDSTONE4 374 | CHAR PlaceholderCompatibilityMode; 375 | CHAR PlaceholderCompatibilityModeReserved[7]; 376 | } PEB32, *PPEB32; 377 | 378 | C_ASSERT(FIELD_OFFSET(PEB32, IFEOKey) == 0x024); 379 | C_ASSERT(FIELD_OFFSET(PEB32, UnicodeCaseTableData) == 0x060); 380 | C_ASSERT(FIELD_OFFSET(PEB32, SystemAssemblyStorageMap) == 0x204); 381 | C_ASSERT(FIELD_OFFSET(PEB32, pImageHeaderHash) == 0x23c); 382 | C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c); 383 | //C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3 384 | C_ASSERT(sizeof(PEB32) == 0x470); 385 | 386 | // Note: Use PhGetProcessPeb32 instead. (dmex) 387 | //#define WOW64_GET_PEB32(peb64) ((PPEB32)PTR_ADD_OFFSET((peb64), ALIGN_UP_BY(sizeof(PEB), PAGE_SIZE))) 388 | 389 | #define GDI_BATCH_BUFFER_SIZE 310 390 | 391 | typedef struct _GDI_TEB_BATCH32 392 | { 393 | ULONG Offset; 394 | WOW64_POINTER(ULONG_PTR) HDC; 395 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 396 | } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; 397 | 398 | typedef struct _TEB32 399 | { 400 | NT_TIB32 NtTib; 401 | 402 | WOW64_POINTER(PVOID) EnvironmentPointer; 403 | CLIENT_ID32 ClientId; 404 | WOW64_POINTER(PVOID) ActiveRpcHandle; 405 | WOW64_POINTER(PVOID) ThreadLocalStoragePointer; 406 | WOW64_POINTER(PPEB) ProcessEnvironmentBlock; 407 | 408 | ULONG LastErrorValue; 409 | ULONG CountOfOwnedCriticalSections; 410 | WOW64_POINTER(PVOID) CsrClientThread; 411 | WOW64_POINTER(PVOID) Win32ThreadInfo; 412 | ULONG User32Reserved[26]; 413 | ULONG UserReserved[5]; 414 | WOW64_POINTER(PVOID) WOW32Reserved; 415 | LCID CurrentLocale; 416 | ULONG FpSoftwareStatusRegister; 417 | WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16]; 418 | WOW64_POINTER(PVOID) 
SystemReserved1[36]; 419 | UCHAR WorkingOnBehalfTicket[8]; 420 | NTSTATUS ExceptionCode; 421 | 422 | WOW64_POINTER(PVOID) ActivationContextStackPointer; 423 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp; 424 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc; 425 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp; 426 | BOOLEAN InstrumentationCallbackDisabled; 427 | UCHAR SpareBytes[23]; 428 | ULONG TxFsContext; 429 | 430 | GDI_TEB_BATCH32 GdiTebBatch; 431 | CLIENT_ID32 RealClientId; 432 | WOW64_POINTER(HANDLE) GdiCachedProcessHandle; 433 | ULONG GdiClientPID; 434 | ULONG GdiClientTID; 435 | WOW64_POINTER(PVOID) GdiThreadLocalInfo; 436 | WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; 437 | WOW64_POINTER(PVOID) glDispatchTable[233]; 438 | WOW64_POINTER(ULONG_PTR) glReserved1[29]; 439 | WOW64_POINTER(PVOID) glReserved2; 440 | WOW64_POINTER(PVOID) glSectionInfo; 441 | WOW64_POINTER(PVOID) glSection; 442 | WOW64_POINTER(PVOID) glTable; 443 | WOW64_POINTER(PVOID) glCurrentRC; 444 | WOW64_POINTER(PVOID) glContext; 445 | 446 | NTSTATUS LastStatusValue; 447 | UNICODE_STRING32 StaticUnicodeString; 448 | WCHAR StaticUnicodeBuffer[261]; 449 | 450 | WOW64_POINTER(PVOID) DeallocationStack; 451 | WOW64_POINTER(PVOID) TlsSlots[64]; 452 | LIST_ENTRY32 TlsLinks; 453 | 454 | WOW64_POINTER(PVOID) Vdm; 455 | WOW64_POINTER(PVOID) ReservedForNtRpc; 456 | WOW64_POINTER(PVOID) DbgSsReserved[2]; 457 | 458 | ULONG HardErrorMode; 459 | WOW64_POINTER(PVOID) Instrumentation[9]; 460 | GUID ActivityId; 461 | 462 | WOW64_POINTER(PVOID) SubProcessTag; 463 | WOW64_POINTER(PVOID) PerflibData; 464 | WOW64_POINTER(PVOID) EtwTraceData; 465 | WOW64_POINTER(PVOID) WinSockData; 466 | ULONG GdiBatchCount; 467 | 468 | union 469 | { 470 | PROCESSOR_NUMBER CurrentIdealProcessor; 471 | ULONG IdealProcessorValue; 472 | struct 473 | { 474 | UCHAR ReservedPad0; 475 | UCHAR ReservedPad1; 476 | UCHAR ReservedPad2; 477 | UCHAR IdealProcessor; 478 | }; 479 | }; 480 | 481 | ULONG 
GuaranteedStackBytes; 482 | WOW64_POINTER(PVOID) ReservedForPerf; 483 | WOW64_POINTER(PVOID) ReservedForOle; 484 | ULONG WaitingOnLoaderLock; 485 | WOW64_POINTER(PVOID) SavedPriorityState; 486 | WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage; 487 | WOW64_POINTER(PVOID) ThreadPoolData; 488 | WOW64_POINTER(PVOID *) TlsExpansionSlots; 489 | 490 | ULONG MuiGeneration; 491 | ULONG IsImpersonating; 492 | WOW64_POINTER(PVOID) NlsCache; 493 | WOW64_POINTER(PVOID) pShimData; 494 | USHORT HeapVirtualAffinity; 495 | USHORT LowFragHeapDataSlot; 496 | WOW64_POINTER(HANDLE) CurrentTransactionHandle; 497 | WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame; 498 | WOW64_POINTER(PVOID) FlsData; 499 | 500 | WOW64_POINTER(PVOID) PreferredLanguages; 501 | WOW64_POINTER(PVOID) UserPrefLanguages; 502 | WOW64_POINTER(PVOID) MergedPrefLanguages; 503 | ULONG MuiImpersonation; 504 | 505 | union 506 | { 507 | USHORT CrossTebFlags; 508 | USHORT SpareCrossTebBits : 16; 509 | }; 510 | union 511 | { 512 | USHORT SameTebFlags; 513 | struct 514 | { 515 | USHORT SafeThunkCall : 1; 516 | USHORT InDebugPrint : 1; 517 | USHORT HasFiberData : 1; 518 | USHORT SkipThreadAttach : 1; 519 | USHORT WerInShipAssertCode : 1; 520 | USHORT RanProcessInit : 1; 521 | USHORT ClonedThread : 1; 522 | USHORT SuppressDebugMsg : 1; 523 | USHORT DisableUserStackWalk : 1; 524 | USHORT RtlExceptionAttached : 1; 525 | USHORT InitialThread : 1; 526 | USHORT SessionAware : 1; 527 | USHORT LoadOwner : 1; 528 | USHORT LoaderWorker : 1; 529 | USHORT SpareSameTebBits : 2; 530 | }; 531 | }; 532 | 533 | WOW64_POINTER(PVOID) TxnScopeEnterCallback; 534 | WOW64_POINTER(PVOID) TxnScopeExitCallback; 535 | WOW64_POINTER(PVOID) TxnScopeContext; 536 | ULONG LockCount; 537 | LONG WowTebOffset; 538 | WOW64_POINTER(PVOID) ResourceRetValue; 539 | WOW64_POINTER(PVOID) ReservedForWdf; 540 | ULONGLONG ReservedForCrt; 541 | GUID EffectiveContainerId; 542 | } TEB32, *PTEB32; 543 | 544 | C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030); 
// Compile-time layout checks for TEB32 (continuing the one above): the offsets of
// these fields and the total size (0x1000, one page) are pinned, so a change to the
// TEB32 definition that shifts any of them fails the build instead of quietly
// producing a struct that no longer matches the 32-bit TEB layout it describes.
545 | C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4);
546 | C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0);
547 | C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0);
548 | C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00);
549 | C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10);
550 | C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20);
551 | C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50);
552 | C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70);
553 | C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94);
554 | C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4);
555 | C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4);
556 | C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8);
557 | C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0);
558 | C_ASSERT(sizeof(TEB32) == 0x1000);
559 |
560 | // Get the 32-bit TEB without doing a memory reference
561 | // modified from public SDK /10.0.10240.0/um/minwin/wow64t.h (dmex)
// Pure pointer arithmetic on teb64 (nothing is dereferenced): the 32-bit TEB is
// taken to start at the first page boundary after the 64-bit TEB. No check is made
// that teb64 belongs to a WOW64 thread — callers presumably establish that first,
// because for any other thread the computed address is not a TEB32.
562 | #define WOW64_GET_TEB32(teb64) ((PTEB32)PTR_ADD_OFFSET((teb64), ALIGN_UP_BY(sizeof(TEB), PAGE_SIZE)))
// Address of the ExceptionList slot inside the 64-bit TEB's NtTib. NOTE(review):
// presumably the location where the 32-bit TEB pointer is kept for a WOW64 thread
// (see the wow64t.h reference above) — confirm before relying on it.
563 | #define WOW64_TEB32_POINTER_ADDRESS(teb64) (PVOID)&((teb64)->NtTib.ExceptionList)
564 |
565 | // Conversion
566 |
// Widens a UNICODE_STRING32 (for example one read out of a PEB32/TEB32 defined
// above) into a native UNICODE_STRING. Length and MaximumLength are copied
// unchanged and Buffer is zero-extended with UlongToPtr; nothing is validated.
// If Source was read from another process, treat all three fields as untrusted:
// check Length <= MaximumLength and that Buffer lies in memory you have mapped
// before dereferencing Destination->Buffer.
567 | FORCEINLINE VOID UStr32ToUStr(
568 | _Out_ PUNICODE_STRING Destination,
569 | _In_ PUNICODE_STRING32 Source
570 | )
571 | {
572 | Destination->Length = Source->Length;
573 | Destination->MaximumLength = Source->MaximumLength;
574 | Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer);
575 | }
576 |
// Narrows a native UNICODE_STRING into the 32-bit layout. Length and MaximumLength
// are copied unchanged; Buffer goes through PtrToUlong, which keeps only the low
// 32 bits of the pointer, so a buffer outside the 32-bit address range is silently
// truncated. Callers must pass only buffers a 32-bit process can address.
577 | FORCEINLINE VOID UStrToUStr32(
578 | _Out_ PUNICODE_STRING32 Destination,
579 | _In_ PUNICODE_STRING Source
580 | )
581 | {
582 | Destination->Length = Source->Length;
583 | Destination->MaximumLength = Source->MaximumLength;
584 | Destination->Buffer = PtrToUlong(Source->Buffer);
585 | }
586 |
587 |
-------------------------------------------------------------------------------- /ntxcapi.h: -------------------------------------------------------------------------------- 1 |
// User-mode exception dispatch entry: takes the exception record and the faulting
// context. Returns BOOLEAN — presumably whether a handler accepted the exception;
// the header does not say, so confirm before branching on it.
NTSYSAPI
2 | BOOLEAN
3 | NTAPI
4 | RtlDispatchException(
5 | _In_ PEXCEPTION_RECORD ExceptionRecord,
6 | _In_ PCONTEXT ContextRecord
7 | );
8 |
// Raises an exception built from a bare NTSTATUS. DECLSPEC_NORETURN: control does
// not come back to the caller.
9 | NTSYSAPI
10 | DECLSPEC_NORETURN
11 | VOID
12 | NTAPI
13 | RtlRaiseStatus(
14 | _In_ NTSTATUS Status
15 | );
16 |
// Raises a caller-built EXCEPTION_RECORD. Unlike RtlRaiseStatus this is not marked
// noreturn, so callers must not assume it never returns.
17 | NTSYSAPI
18 | VOID
19 | NTAPI
20 | RtlRaiseException(
21 | _In_ PEXCEPTION_RECORD ExceptionRecord
22 | );
23 |
// Resumes execution with the supplied CONTEXT. ContextRecord is caller-provided
// register state; any validation of it happens on the kernel side, not here.
24 | NTSYSCALLAPI
25 | NTSTATUS
26 | NTAPI
27 | NtContinue(
28 | _In_ PCONTEXT ContextRecord,
29 | _In_ BOOLEAN TestAlert
30 | );
31 |
32 | #if (NTDDI_VERSION >= NTDDI_WIN10)
// KCONTINUE_LAST presumably marks the end of the valid range rather than a usable type.
33 | typedef enum _KCONTINUE_TYPE
34 | {
35 | KCONTINUE_UNWIND,
36 | KCONTINUE_RESUME,
37 | KCONTINUE_LONGJUMP,
38 | KCONTINUE_SET,
39 | KCONTINUE_LAST,
40 | } KCONTINUE_TYPE;
41 |
42 | typedef struct _KCONTINUE_ARGUMENT
43 | {
44 | KCONTINUE_TYPE ContinueType;
45 | ULONG ContinueFlags;
46 | ULONGLONG Reserved[2];
47 | } KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT;
48 |
// ContinueFlags bits (reverse engineered; see the attribution on each line).
49 | #define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny
50 | #define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny
51 |
// Win10+ variant of NtContinue. ContinueArgument is deliberately untyped: per the
// inline comment it is either a PKCONTINUE_ARGUMENT or a plain BOOLEAN passed by
// value (the commented-out wrapper below casts TestAlert itself to a pointer, not
// its address). NOTE(review): that wrapper names PCONTINUE_ARGUMENT, which is not
// declared in this header — the typedef above is PKCONTINUE_ARGUMENT — so it would
// need fixing before being re-enabled.
52 | NTSYSCALLAPI
53 | NTSTATUS
54 | NTAPI
55 | NtContinueEx(
56 | _In_ PCONTEXT ContextRecord,
57 | _In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid
58 | );
59 |
60 | //FORCEINLINE
61 | //NTSTATUS
62 | //NtContinue(
63 | // _In_ PCONTEXT ContextRecord,
64 | // _In_ BOOLEAN TestAlert
65 | // )
66 | //{
67 | // return NtContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert);
68 | //}
69 | #endif
70 |
// Raises an exception from a caller-supplied record and context; FirstChance
// presumably selects first- versus second-chance delivery — confirm against the
// caller's expectations.
71 | NTSYSCALLAPI
72 | NTSTATUS
73 | NTAPI
74 | NtRaiseException(
75 | _In_ PEXCEPTION_RECORD ExceptionRecord,
76 | _In_ PCONTEXT ContextRecord,
77 | _In_ BOOLEAN FirstChance
78 | );
79 |
// Assertion-failure sink used by the RTL_ASSERT* macros below: they pass the
// stringized expression and __FILE__ as PVOID, __LINE__, and either NULL or the
// caller's message. __analysis_noreturn only informs static analysis; the
// declaration carries no noreturn attribute for the compiler.
80 | __analysis_noreturn
81 | NTSYSCALLAPI
82 | VOID
83 | NTAPI
84 | RtlAssert(
85 | _In_ PVOID VoidFailedAssertion,
86 | _In_ PVOID VoidFileName,
87 | _In_ ULONG LineNumber,
88 | _In_opt_ PSTR MutableMessage
89 | );
90 |
91 | #define RTL_ASSERT(exp) \
92 | ((!(exp)) ?
(RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE) 93 | #define RTL_ASSERTMSG(msg, exp) \ 94 | ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE) 95 | #define RTL_SOFT_ASSERT(_exp) \ 96 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE) 97 | #define RTL_SOFT_ASSERTMSG(_msg, _exp) \ 98 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) 99 | 100 | -------------------------------------------------------------------------------- /phnt.h: -------------------------------------------------------------------------------- 1 | // This header file provides access to NT APIs. 2 | 3 | // Definitions are annotated to indicate their source. If a definition is not annotated, it has been 4 | // retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). 5 | 6 | // * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in 7 | // winbase.h. 8 | // * "rev" indicates that a definition has been reverse-engineered. 9 | // * "dbg" indicates that a definition has been obtained from a debug message or assertion in a 10 | // checked build of the kernel or file. 11 | 12 | // Reliability: 13 | // 1. No annotation. 14 | // 2. dbg. 15 | // 3. symbols, private. Types may be incorrect. 16 | // 4. winbase. Names and types may be incorrect. 17 | // 5. rev. 
18 | 19 | // Version 20 | #include 21 | 22 | #pragma comment(lib,"ntdll.lib") 23 | #pragma comment(lib,"samlib.lib") 24 | #pragma comment(lib,"winsta.lib") 25 | 26 | // Warnings which disabled for compiling 27 | #if _MSC_VER >= 1200 28 | #pragma warning(push) 29 | // nonstandard extension used : nameless struct/union 30 | #pragma warning(disable:4201) 31 | // 'struct_name' : structure was padded due to __declspec(align()) 32 | #pragma warning(disable:4324) 33 | // 'enumeration': a forward declaration of an unscoped enumeration must have an 34 | // underlying type (int assumed) 35 | #pragma warning(disable:4471) 36 | #endif 37 | 38 | #ifdef __cplusplus 39 | extern "C" { 40 | #endif 41 | 42 | #include 43 | #include 44 | #include 45 | 46 | #include 47 | #include 48 | 49 | #include 50 | #include 51 | 52 | #include 53 | #include 54 | #include 55 | 56 | #include 57 | #include 58 | #include 59 | #include 60 | #include 61 | #include 62 | #include 63 | #include 64 | #include 65 | 66 | #include 67 | #include 68 | #include 69 | #include 70 | 71 | #include 72 | 73 | #include 74 | #include 75 | 76 | #include 77 | 78 | #include 79 | 80 | #include 81 | 82 | #include 83 | 84 | #ifdef __cplusplus 85 | } 86 | #endif 87 | 88 | #if _MSC_VER >= 1200 89 | #pragma warning(pop) 90 | #endif 91 | 92 | -------------------------------------------------------------------------------- /phnt_ntdef.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDEF_ 2 | #define _NTDEF_ 3 | 4 | // This header file provides basic NT types not included in Win32. If you have included winnt.h 5 | // (perhaps indirectly), you must use this file instead of ntdef.h. 6 | 7 | #ifndef NOTHING 8 | #define NOTHING 9 | #endif 10 | 11 | // Basic types 12 | 13 | typedef struct _QUAD 14 | { 15 | union 16 | { 17 | __int64 UseThisFieldToCopy; 18 | double DoNotUseThisField; 19 | }; 20 | } QUAD, *PQUAD; 21 | 22 | // This isn't in NT, but it's useful. 
23 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 24 | { 25 | ULONG_PTR DoNotUseThisField1; 26 | ULONG_PTR DoNotUseThisField2; 27 | } QUAD_PTR, *PQUAD_PTR; 28 | 29 | typedef ULONG LOGICAL; 30 | typedef ULONG *PLOGICAL; 31 | 32 | typedef _Return_type_success_(return >= 0) LONG NTSTATUS; 33 | typedef NTSTATUS *PNTSTATUS; 34 | 35 | // Cardinal types 36 | 37 | typedef char CCHAR; 38 | typedef short CSHORT; 39 | typedef ULONG CLONG; 40 | 41 | typedef CCHAR *PCCHAR; 42 | typedef CSHORT *PCSHORT; 43 | typedef CLONG *PCLONG; 44 | 45 | typedef PCSTR PCSZ; 46 | 47 | // Specific 48 | 49 | typedef UCHAR KIRQL, *PKIRQL; 50 | typedef LONG KPRIORITY, *PKPRIORITY; 51 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 52 | 53 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 54 | 55 | typedef struct _LARGE_INTEGER_128 56 | { 57 | LONGLONG QuadPart[2]; 58 | } LARGE_INTEGER_128, *PLARGE_INTEGER_128; 59 | 60 | // NT status macros 61 | 62 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 63 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 64 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 65 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 66 | 67 | #define NT_FACILITY_MASK 0xfff 68 | #define NT_FACILITY_SHIFT 16 69 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 70 | 71 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 72 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 73 | 74 | // Functions 75 | 76 | #ifndef _WIN64 77 | #define FASTCALL __fastcall 78 | #else 79 | #define FASTCALL 80 | #endif 81 | 82 | // Synchronization enumerations 83 | 84 | typedef enum _EVENT_TYPE 85 | { 86 | NotificationEvent, 87 | SynchronizationEvent 88 | } EVENT_TYPE; 89 | 90 | typedef enum _TIMER_TYPE 91 | { 92 | NotificationTimer, 93 | SynchronizationTimer 94 | } TIMER_TYPE; 95 | 96 | typedef enum _WAIT_TYPE 97 | { 98 | WaitAll, 99 | WaitAny, 100 | 
WaitNotification 101 | } WAIT_TYPE; 102 | 103 | // Strings 104 | 105 | typedef struct _STRING 106 | { 107 | USHORT Length; 108 | USHORT MaximumLength; 109 | _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer; 110 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 111 | 112 | typedef STRING UTF8_STRING; 113 | typedef PSTRING PUTF8_STRING; 114 | 115 | typedef const STRING *PCSTRING; 116 | typedef const ANSI_STRING *PCANSI_STRING; 117 | typedef const OEM_STRING *PCOEM_STRING; 118 | 119 | typedef struct _UNICODE_STRING 120 | { 121 | USHORT Length; 122 | USHORT MaximumLength; 123 | _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer; 124 | } UNICODE_STRING, *PUNICODE_STRING; 125 | 126 | typedef const UNICODE_STRING *PCUNICODE_STRING; 127 | 128 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s } 129 | 130 | // Balanced tree node 131 | 132 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 133 | 134 | typedef struct _RTL_BALANCED_NODE 135 | { 136 | union 137 | { 138 | struct _RTL_BALANCED_NODE *Children[2]; 139 | struct 140 | { 141 | struct _RTL_BALANCED_NODE *Left; 142 | struct _RTL_BALANCED_NODE *Right; 143 | }; 144 | }; 145 | union 146 | { 147 | UCHAR Red : 1; 148 | UCHAR Balance : 2; 149 | ULONG_PTR ParentValue; 150 | }; 151 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 152 | 153 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \ 154 | ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 155 | 156 | // Portability 157 | 158 | typedef struct _SINGLE_LIST_ENTRY32 159 | { 160 | ULONG Next; 161 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 162 | 163 | typedef struct _STRING32 164 | { 165 | USHORT Length; 166 | USHORT MaximumLength; 167 | ULONG Buffer; 168 | } STRING32, *PSTRING32; 169 | 170 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; 171 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 172 | 173 | typedef struct _STRING64 174 | { 175 | USHORT Length; 
176 | USHORT MaximumLength;
177 | ULONGLONG Buffer;
178 | } STRING64, *PSTRING64;
179 |
180 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
181 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64;
182 |
183 | // Object attributes
184 |
185 | #define OBJ_PROTECT_CLOSE 0x00000001
186 | #define OBJ_INHERIT 0x00000002
187 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004
188 | #define OBJ_PERMANENT 0x00000010
189 | #define OBJ_EXCLUSIVE 0x00000020
190 | #define OBJ_CASE_INSENSITIVE 0x00000040
191 | #define OBJ_OPENIF 0x00000080
192 | #define OBJ_OPENLINK 0x00000100
193 | #define OBJ_KERNEL_HANDLE 0x00000200
194 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400
195 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800
196 | #define OBJ_DONT_REPARSE 0x00001000
// By its value, OBJ_VALID_ATTRIBUTES covers every OBJ_* bit above except
// OBJ_PROTECT_CLOSE (0x1) and OBJ_AUDIT_OBJECT_CLOSE (0x4).
197 | #define OBJ_VALID_ATTRIBUTES 0x00001ff2
198 |
// Length is expected to be sizeof(OBJECT_ATTRIBUTES) (both initializers below set
// it to that). Attributes holds OBJ_* bits, presumably constrained by
// OBJ_VALID_ATTRIBUTES. The two PVOID members stand in for the security types
// named in their trailing comments.
199 | typedef struct _OBJECT_ATTRIBUTES
200 | {
201 | ULONG Length;
202 | HANDLE RootDirectory;
203 | PUNICODE_STRING ObjectName;
204 | ULONG Attributes;
205 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
206 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
207 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
208 |
209 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
210 |
// Fills *p in place: Length is fixed to sizeof(OBJECT_ATTRIBUTES) and
// SecurityQualityOfService is always reset to NULL (assign it afterwards if
// needed). This is a bare brace block, not do { } while (0): written as
// `if (c) InitializeObjectAttributes(...); else ...` the `;` after the block
// detaches the else, so use it as a statement of its own.
211 | #define InitializeObjectAttributes(p, n, a, r, s) { \
212 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
213 | (p)->RootDirectory = r; \
214 | (p)->Attributes = a; \
215 | (p)->ObjectName = n; \
216 | (p)->SecurityDescriptor = s; \
217 | (p)->SecurityQualityOfService = NULL; \
218 | }
219 |
// Brace initializer in field order (Length, RootDirectory, ObjectName, Attributes,
// SecurityDescriptor, SecurityQualityOfService): RootDirectory and both security
// pointers are NULL. Usable for static/const instances; RTL_INIT_OBJECT_ATTRIBUTES
// is the same initializer under another name.
220 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
221 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
222 |
// Object-name path separators: backslash, with forward slash as the alternate form.
223 | #define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\')
224 | #define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/')
225 |
226 | // Portability
227 |
228 | typedef struct _OBJECT_ATTRIBUTES64
229 | {
230 | ULONG Length;
231 | ULONG64 RootDirectory;
232 | ULONG64 ObjectName;
233 | ULONG Attributes;
234
| ULONG64 SecurityDescriptor; 235 | ULONG64 SecurityQualityOfService; 236 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; 237 | 238 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; 239 | 240 | typedef struct _OBJECT_ATTRIBUTES32 241 | { 242 | ULONG Length; 243 | ULONG RootDirectory; 244 | ULONG ObjectName; 245 | ULONG Attributes; 246 | ULONG SecurityDescriptor; 247 | ULONG SecurityQualityOfService; 248 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 249 | 250 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 251 | 252 | // Product types 253 | 254 | typedef enum _NT_PRODUCT_TYPE 255 | { 256 | NtProductWinNt = 1, 257 | NtProductLanManNt, 258 | NtProductServer 259 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 260 | 261 | typedef enum _SUITE_TYPE 262 | { 263 | SmallBusiness, 264 | Enterprise, 265 | BackOffice, 266 | CommunicationServer, 267 | TerminalServer, 268 | SmallBusinessRestricted, 269 | EmbeddedNT, 270 | DataCenter, 271 | SingleUserTS, 272 | Personal, 273 | Blade, 274 | EmbeddedRestricted, 275 | SecurityAppliance, 276 | StorageServer, 277 | ComputeServer, 278 | WHServer, 279 | PhoneNT, 280 | MaxSuiteType 281 | } SUITE_TYPE; 282 | 283 | // Specific 284 | 285 | typedef struct _CLIENT_ID 286 | { 287 | HANDLE UniqueProcess; 288 | HANDLE UniqueThread; 289 | } CLIENT_ID, *PCLIENT_ID; 290 | 291 | typedef struct _CLIENT_ID32 292 | { 293 | ULONG UniqueProcess; 294 | ULONG UniqueThread; 295 | } CLIENT_ID32, *PCLIENT_ID32; 296 | 297 | typedef struct _CLIENT_ID64 298 | { 299 | ULONGLONG UniqueProcess; 300 | ULONGLONG UniqueThread; 301 | } CLIENT_ID64, *PCLIENT_ID64; 302 | 303 | #include 304 | 305 | typedef struct _KSYSTEM_TIME 306 | { 307 | ULONG LowPart; 308 | LONG High1Time; 309 | LONG High2Time; 310 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 311 | 312 | #include 313 | 314 | // NT macros used to test, set and clear flags 315 | #ifndef FlagOn 316 | #define FlagOn(_F, _SF) ((_F) & (_SF)) 317 | #endif 318 | #ifndef BooleanFlagOn 319 | #define BooleanFlagOn(F, SF) 
((BOOLEAN)(((F) & (SF)) != 0)) 320 | #endif 321 | #ifndef SetFlag 322 | #define SetFlag(_F, _SF) ((_F) |= (_SF)) 323 | #endif 324 | #ifndef ClearFlag 325 | #define ClearFlag(_F, _SF) ((_F) &= ~(_SF)) 326 | #endif 327 | 328 | #endif 329 | 330 | -------------------------------------------------------------------------------- /phnt_windows.h: -------------------------------------------------------------------------------- 1 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 2 | 3 | #ifndef __cplusplus 4 | #ifndef CINTERFACE 5 | #define CINTERFACE 6 | #endif 7 | 8 | #ifndef COBJMACROS 9 | #define COBJMACROS 10 | #endif 11 | #endif 12 | 13 | #ifndef __cplusplus 14 | // This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. (dmex) 15 | #ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 16 | #define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0 17 | #endif 18 | #endif 19 | 20 | #ifndef _NTDEF_ 21 | #include 22 | typedef long LONG; 23 | typedef _Return_type_success_(return >= 0) LONG NTSTATUS; 24 | typedef NTSTATUS* PNTSTATUS; 25 | #endif 26 | 27 | #undef WIN32_NO_STATUS 28 | #include 29 | #define WIN32_NO_STATUS 30 | #include 31 | #include 32 | #include 33 | 34 | typedef double DOUBLE; 35 | typedef GUID *PGUID; 36 | 37 | // Desktop access rights 38 | #define DESKTOP_ALL_ACCESS \ 39 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 40 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 41 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 42 | STANDARD_RIGHTS_REQUIRED) 43 | #define DESKTOP_GENERIC_READ \ 44 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 45 | #define DESKTOP_GENERIC_WRITE \ 46 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 47 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 48 | 
STANDARD_RIGHTS_WRITE) 49 | #define DESKTOP_GENERIC_EXECUTE \ 50 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 51 | 52 | // Window station access rights 53 | #define WINSTA_GENERIC_READ \ 54 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 55 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 56 | #define WINSTA_GENERIC_WRITE \ 57 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 58 | STANDARD_RIGHTS_WRITE) 59 | #define WINSTA_GENERIC_EXECUTE \ 60 | (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 61 | 62 | // WMI access rights 63 | #define WMIGUID_GENERIC_READ \ 64 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 65 | STANDARD_RIGHTS_READ) 66 | #define WMIGUID_GENERIC_WRITE \ 67 | (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 68 | STANDARD_RIGHTS_WRITE) 69 | #define WMIGUID_GENERIC_EXECUTE \ 70 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 71 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 72 | STANDARD_RIGHTS_EXECUTE) 73 | 74 | -------------------------------------------------------------------------------- /subprocesstag.h: -------------------------------------------------------------------------------- 1 | typedef enum _TAG_INFO_LEVEL 2 | { 3 | eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG 4 | eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE 5 | eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING 6 | eTagInfoLevelMax 7 | } TAG_INFO_LEVEL; 8 | 9 | typedef enum _TAG_TYPE 10 | { 11 | eTagTypeService = 1, 12 | eTagTypeMax 13 | } TAG_TYPE; 14 | 15 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS 16 | { 17 | ULONG dwPid; 18 | ULONG dwTag; 19 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS; 20 | 21 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS 22 | { 23 | ULONG eTagType; 24 | PWSTR pszName; 25 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, 
*PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS; 26 | 27 | typedef struct _TAG_INFO_NAME_FROM_TAG 28 | { 29 | TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams; 30 | TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams; 31 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG; 32 | 33 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS 34 | { 35 | ULONG dwPid; 36 | PWSTR pszModule; 37 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS; 38 | 39 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS 40 | { 41 | ULONG eTagType; 42 | PWSTR pmszNames; 43 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS; 44 | 45 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE 46 | { 47 | TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams; 48 | TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams; 49 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE; 50 | 51 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS 52 | { 53 | ULONG dwPid; 54 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS; 55 | 56 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT 57 | { 58 | ULONG eTagType; 59 | ULONG dwTag; 60 | PWSTR pszName; 61 | PWSTR pszGroupName; 62 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT; 63 | 64 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS 65 | { 66 | ULONG cElements; 67 | PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements; 68 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS; 69 | 70 | typedef struct _TAG_INFO_NAME_TAG_MAPPING 71 | { 72 | TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams; 73 | PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams; 74 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING; 75 | 76 | _Must_inspect_result_ 77 | ULONG 78 | WINAPI 79 | I_QueryTagInformation( 80 | _In_opt_ PCWSTR MachineName, 81 | _In_ TAG_INFO_LEVEL InfoLevel, 82 | _Inout_ PVOID 
TagInfo 83 | ); 84 | 85 | typedef ULONG (WINAPI *PQUERY_TAG_INFORMATION)( 86 | _In_opt_ PCWSTR MachineName, 87 | _In_ TAG_INFO_LEVEL InfoLevel, 88 | _Inout_ PVOID TagInfo 89 | ); 90 | 91 | --------------------------------------------------------------------------------