├── .editorconfig ├── .gitignore ├── .gitmodules ├── LICENSE.txt ├── README.md ├── img ├── KiUserApcDispatcher.png ├── KiUserCallForwarder.png ├── injection.png └── injldr.png ├── include ├── README.md ├── ntdbg.h ├── ntdll.h ├── ntdll_ntdef.h ├── ntdll_windows.h ├── ntexapi.h ├── ntgdi.h ├── ntioapi.h ├── ntkeapi.h ├── ntldr.h ├── ntlpcapi.h ├── ntmisc.h ├── ntmmapi.h ├── ntnls.h ├── ntobapi.h ├── ntpebteb.h ├── ntpfapi.h ├── ntpnpapi.h ├── ntpoapi.h ├── ntpsapi.h ├── ntregapi.h ├── ntrtl.h ├── ntsam.h ├── ntseapi.h ├── ntsmss.h ├── nttmapi.h ├── nttp.h ├── ntwow64.h ├── ntxcapi.h ├── ntzwapi.h ├── subprocesstag.h └── winsta.h ├── inj.sln └── src ├── injdll ├── injdll.vcxproj ├── injdll.vcxproj.filters └── main.cpp ├── injdrv ├── injdrv.h ├── injdrv.inf ├── injdrv.vcxproj ├── injdrv.vcxproj.filters └── main.c └── injldr ├── injldr.vcxproj ├── injldr.vcxproj.filters ├── install.c ├── install.h └── main.c /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*.{c,h,cpp,hpp,asm}] 4 | charset = utf-8 5 | trim_trailing_whitespace = true 6 | insert_final_newline = true 7 | indent_style = space 8 | indent_size = 2 9 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # 2 | # Compiled binaries. 3 | # 4 | bin/** 5 | 6 | # 7 | # Visual Studio files. 8 | # 9 | .vs/** 10 | *.VC.db 11 | *.VC.opendb 12 | *.vcxproj.user 13 | 14 | # 15 | # VS Code files. 
16 | # 17 | .vscode/** 18 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "src/DetoursNT"] 2 | path = src/DetoursNT 3 | url = git@github.com:wbenny/DetoursNT.git 4 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2018 Petr Benes 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
 22 | -------------------------------------------------------------------------------- /img/KiUserApcDispatcher.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoodstudyChina/APC-injection-x86-x64/d623f75b91d8a3130cc12bd06ea584ffaf4af50c/img/KiUserApcDispatcher.png -------------------------------------------------------------------------------- /img/KiUserCallForwarder.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoodstudyChina/APC-injection-x86-x64/d623f75b91d8a3130cc12bd06ea584ffaf4af50c/img/KiUserCallForwarder.png -------------------------------------------------------------------------------- /img/injection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoodstudyChina/APC-injection-x86-x64/d623f75b91d8a3130cc12bd06ea584ffaf4af50c/img/injection.png -------------------------------------------------------------------------------- /img/injldr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoodstudyChina/APC-injection-x86-x64/d623f75b91d8a3130cc12bd06ea584ffaf4af50c/img/injldr.png -------------------------------------------------------------------------------- /include/README.md: -------------------------------------------------------------------------------- 1 | This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See `ntdll.h` (the umbrella header in this directory; there is no `phnt.h` here) for the annotation legend that tells you how reliable each definition is. 2 | 3 | ## Usage 4 | 5 | First make sure that your program is using the latest Windows SDK. 6 | 7 | These header files are designed to be used by user-mode programs. `ntdll.h` also honours `#define NTDLL_MODE NTDLL_MODE_KERNEL` (the default is `NTDLL_MODE_USER`); in kernel mode every section wrapped in `#if (NTDLL_MODE != NTDLL_MODE_KERNEL)` is left out. 
Instead of `#include <windows.h>`, place 8 | 9 | ``` 10 | #include <ntdll_windows.h> 11 | #include <ntdll.h> 12 | ``` 13 | 14 | at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. By default, only definitions present in Windows 7 are included into your program (`ntdll.h` sets `NTDLL_VERSION` to `NTDLL_WIN7` when it is not already defined). To change this, define `NTDLL_VERSION` before the includes, using one of the following: 15 | 16 | ``` 17 | #define NTDLL_VERSION NTDLL_WINXP // Windows XP 18 | #define NTDLL_VERSION NTDLL_WS03 // Windows Server 2003 19 | #define NTDLL_VERSION NTDLL_VISTA // Windows Vista 20 | #define NTDLL_VERSION NTDLL_WIN7 // Windows 7 21 | #define NTDLL_VERSION NTDLL_WIN8 // Windows 8 22 | #define NTDLL_VERSION NTDLL_WINBLUE // Windows 8.1 23 | #define NTDLL_VERSION NTDLL_THRESHOLD // Windows 10 24 | ``` 25 | `ntdll.h` additionally defines `NTDLL_WIN2K` and the later Windows 10 levels `NTDLL_THRESHOLD2`, `NTDLL_REDSTONE`, `NTDLL_REDSTONE2`, `NTDLL_REDSTONE3` and `NTDLL_REDSTONE4`. Newer declarations are wrapped in `#if (NTDLL_VERSION >= ...)` guards (for example `NtFlushProcessWriteBuffers` in `ntkeapi.h` requires `NTDLL_VISTA`), so picking a level lower than your target OS hides those declarations rather than causing a build error. -------------------------------------------------------------------------------- /include/ntdbg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Process Hacker - 3 | * Debugger support functions 4 | * 5 | * This file is part of Process Hacker. 6 | * 7 | * Process Hacker is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation, either version 3 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * Process Hacker is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with Process Hacker. If not, see <http://www.gnu.org/licenses/>. 
19 | */ 20 | 21 | #ifndef _NTDBG_H 22 | #define _NTDBG_H 23 | 24 | // Debugging 25 | 26 | NTSYSAPI 27 | VOID 28 | NTAPI 29 | DbgUserBreakPoint( 30 | VOID 31 | ); 32 | 33 | NTSYSAPI 34 | VOID 35 | NTAPI 36 | DbgBreakPoint( 37 | VOID 38 | ); 39 | 40 | NTSYSAPI 41 | VOID 42 | NTAPI 43 | DbgBreakPointWithStatus( 44 | _In_ ULONG Status 45 | ); 46 | 47 | #define DBG_STATUS_CONTROL_C 1 48 | #define DBG_STATUS_SYSRQ 2 49 | #define DBG_STATUS_BUGCHECK_FIRST 3 50 | #define DBG_STATUS_BUGCHECK_SECOND 4 51 | #define DBG_STATUS_FATAL 5 52 | #define DBG_STATUS_DEBUG_CONTROL 6 53 | #define DBG_STATUS_WORKER 7 54 | 55 | NTSYSAPI 56 | ULONG 57 | STDAPIVCALLTYPE 58 | DbgPrint( 59 | _In_z_ _Printf_format_string_ PSTR Format, 60 | ... 61 | ); 62 | 63 | NTSYSAPI 64 | ULONG 65 | STDAPIVCALLTYPE 66 | DbgPrintEx( 67 | _In_ ULONG ComponentId, 68 | _In_ ULONG Level, 69 | _In_z_ _Printf_format_string_ PSTR Format, 70 | ... 71 | ); 72 | 73 | NTSYSAPI 74 | ULONG 75 | NTAPI 76 | vDbgPrintEx( 77 | _In_ ULONG ComponentId, 78 | _In_ ULONG Level, 79 | _In_z_ PCH Format, 80 | _In_ va_list arglist 81 | ); 82 | 83 | NTSYSAPI 84 | ULONG 85 | NTAPI 86 | vDbgPrintExWithPrefix( 87 | _In_z_ PCH Prefix, 88 | _In_ ULONG ComponentId, 89 | _In_ ULONG Level, 90 | _In_z_ PCH Format, 91 | _In_ va_list arglist 92 | ); 93 | 94 | NTSYSAPI 95 | NTSTATUS 96 | NTAPI 97 | DbgQueryDebugFilterState( 98 | _In_ ULONG ComponentId, 99 | _In_ ULONG Level 100 | ); 101 | 102 | NTSYSAPI 103 | NTSTATUS 104 | NTAPI 105 | DbgSetDebugFilterState( 106 | _In_ ULONG ComponentId, 107 | _In_ ULONG Level, 108 | _In_ BOOLEAN State 109 | ); 110 | 111 | NTSYSAPI 112 | ULONG 113 | NTAPI 114 | DbgPrompt( 115 | _In_ PCH Prompt, 116 | _Out_writes_bytes_(Length) PCH Response, 117 | _In_ ULONG Length 118 | ); 119 | 120 | // Definitions 121 | 122 | typedef struct _DBGKM_EXCEPTION 123 | { 124 | EXCEPTION_RECORD ExceptionRecord; 125 | ULONG FirstChance; 126 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 127 | 128 | typedef struct _DBGKM_CREATE_THREAD 129 | { 
130 | ULONG SubSystemKey; 131 | PVOID StartAddress; 132 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 133 | 134 | typedef struct _DBGKM_CREATE_PROCESS 135 | { 136 | ULONG SubSystemKey; 137 | HANDLE FileHandle; 138 | PVOID BaseOfImage; 139 | ULONG DebugInfoFileOffset; 140 | ULONG DebugInfoSize; 141 | DBGKM_CREATE_THREAD InitialThread; 142 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 143 | 144 | typedef struct _DBGKM_EXIT_THREAD 145 | { 146 | NTSTATUS ExitStatus; 147 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 148 | 149 | typedef struct _DBGKM_EXIT_PROCESS 150 | { 151 | NTSTATUS ExitStatus; 152 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 153 | 154 | typedef struct _DBGKM_LOAD_DLL 155 | { 156 | HANDLE FileHandle; 157 | PVOID BaseOfDll; 158 | ULONG DebugInfoFileOffset; 159 | ULONG DebugInfoSize; 160 | PVOID NamePointer; 161 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 162 | 163 | typedef struct _DBGKM_UNLOAD_DLL 164 | { 165 | PVOID BaseAddress; 166 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 167 | 168 | typedef enum _DBG_STATE 169 | { 170 | DbgIdle, 171 | DbgReplyPending, 172 | DbgCreateThreadStateChange, 173 | DbgCreateProcessStateChange, 174 | DbgExitThreadStateChange, 175 | DbgExitProcessStateChange, 176 | DbgExceptionStateChange, 177 | DbgBreakpointStateChange, 178 | DbgSingleStepStateChange, 179 | DbgLoadDllStateChange, 180 | DbgUnloadDllStateChange 181 | } DBG_STATE, *PDBG_STATE; 182 | 183 | typedef struct _DBGUI_CREATE_THREAD 184 | { 185 | HANDLE HandleToThread; 186 | DBGKM_CREATE_THREAD NewThread; 187 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 188 | 189 | typedef struct _DBGUI_CREATE_PROCESS 190 | { 191 | HANDLE HandleToProcess; 192 | HANDLE HandleToThread; 193 | DBGKM_CREATE_PROCESS NewProcess; 194 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 195 | 196 | typedef struct _DBGUI_WAIT_STATE_CHANGE 197 | { 198 | DBG_STATE NewState; 199 | CLIENT_ID AppClientId; 200 | union 201 | { 202 | DBGKM_EXCEPTION Exception; 203 | DBGUI_CREATE_THREAD CreateThread; 204 
| DBGUI_CREATE_PROCESS CreateProcessInfo; 205 | DBGKM_EXIT_THREAD ExitThread; 206 | DBGKM_EXIT_PROCESS ExitProcess; 207 | DBGKM_LOAD_DLL LoadDll; 208 | DBGKM_UNLOAD_DLL UnloadDll; 209 | } StateInfo; 210 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 211 | 212 | #define DEBUG_READ_EVENT 0x0001 213 | #define DEBUG_PROCESS_ASSIGN 0x0002 214 | #define DEBUG_SET_INFORMATION 0x0004 215 | #define DEBUG_QUERY_INFORMATION 0x0008 216 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 217 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 218 | DEBUG_QUERY_INFORMATION) 219 | 220 | #define DEBUG_KILL_ON_CLOSE 0x1 221 | 222 | typedef enum _DEBUGOBJECTINFOCLASS 223 | { 224 | DebugObjectUnusedInformation, 225 | DebugObjectKillProcessOnExitInformation, 226 | MaxDebugObjectInfoClass 227 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 228 | 229 | // System calls 230 | 231 | NTSYSCALLAPI 232 | NTSTATUS 233 | NTAPI 234 | NtCreateDebugObject( 235 | _Out_ PHANDLE DebugObjectHandle, 236 | _In_ ACCESS_MASK DesiredAccess, 237 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 238 | _In_ ULONG Flags 239 | ); 240 | 241 | NTSYSCALLAPI 242 | NTSTATUS 243 | NTAPI 244 | NtDebugActiveProcess( 245 | _In_ HANDLE ProcessHandle, 246 | _In_ HANDLE DebugObjectHandle 247 | ); 248 | 249 | NTSYSCALLAPI 250 | NTSTATUS 251 | NTAPI 252 | NtDebugContinue( 253 | _In_ HANDLE DebugObjectHandle, 254 | _In_ PCLIENT_ID ClientId, 255 | _In_ NTSTATUS ContinueStatus 256 | ); 257 | 258 | NTSYSCALLAPI 259 | NTSTATUS 260 | NTAPI 261 | NtRemoveProcessDebug( 262 | _In_ HANDLE ProcessHandle, 263 | _In_ HANDLE DebugObjectHandle 264 | ); 265 | 266 | NTSYSCALLAPI 267 | NTSTATUS 268 | NTAPI 269 | NtSetInformationDebugObject( 270 | _In_ HANDLE DebugObjectHandle, 271 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 272 | _In_ PVOID DebugInformation, 273 | _In_ ULONG DebugInformationLength, 274 | _Out_opt_ PULONG ReturnLength 275 | ); 276 | 277 | NTSYSCALLAPI 278 | NTSTATUS 279 | 
NTAPI 280 | NtWaitForDebugEvent( 281 | _In_ HANDLE DebugObjectHandle, 282 | _In_ BOOLEAN Alertable, 283 | _In_opt_ PLARGE_INTEGER Timeout, 284 | _Out_ PVOID WaitStateChange 285 | ); 286 | 287 | // Debugging UI 288 | 289 | NTSYSAPI 290 | NTSTATUS 291 | NTAPI 292 | DbgUiConnectToDbg( 293 | VOID 294 | ); 295 | 296 | NTSYSAPI 297 | HANDLE 298 | NTAPI 299 | DbgUiGetThreadDebugObject( 300 | VOID 301 | ); 302 | 303 | NTSYSAPI 304 | VOID 305 | NTAPI 306 | DbgUiSetThreadDebugObject( 307 | _In_ HANDLE DebugObject 308 | ); 309 | 310 | NTSYSAPI 311 | NTSTATUS 312 | NTAPI 313 | DbgUiWaitStateChange( 314 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 315 | _In_opt_ PLARGE_INTEGER Timeout 316 | ); 317 | 318 | NTSYSAPI 319 | NTSTATUS 320 | NTAPI 321 | DbgUiContinue( 322 | _In_ PCLIENT_ID AppClientId, 323 | _In_ NTSTATUS ContinueStatus 324 | ); 325 | 326 | NTSYSAPI 327 | NTSTATUS 328 | NTAPI 329 | DbgUiStopDebugging( 330 | _In_ HANDLE Process 331 | ); 332 | 333 | NTSYSAPI 334 | NTSTATUS 335 | NTAPI 336 | DbgUiDebugActiveProcess( 337 | _In_ HANDLE Process 338 | ); 339 | 340 | NTSYSAPI 341 | VOID 342 | NTAPI 343 | DbgUiRemoteBreakin( 344 | _In_ PVOID Context 345 | ); 346 | 347 | NTSYSAPI 348 | NTSTATUS 349 | NTAPI 350 | DbgUiIssueRemoteBreakin( 351 | _In_ HANDLE Process 352 | ); 353 | 354 | NTSYSAPI 355 | NTSTATUS 356 | NTAPI 357 | DbgUiConvertStateChangeStructure( 358 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 359 | _Out_ LPDEBUG_EVENT DebugEvent 360 | ); 361 | 362 | struct _EVENT_FILTER_DESCRIPTOR; 363 | 364 | typedef VOID (NTAPI *PENABLECALLBACK)( 365 | _In_ LPCGUID SourceId, 366 | _In_ ULONG IsEnabled, 367 | _In_ UCHAR Level, 368 | _In_ ULONGLONG MatchAnyKeyword, 369 | _In_ ULONGLONG MatchAllKeyword, 370 | _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData, 371 | _Inout_opt_ PVOID CallbackContext 372 | ); 373 | 374 | typedef ULONGLONG REGHANDLE, *PREGHANDLE; 375 | 376 | // NTSYSAPI 377 | // NTSTATUS 378 | // NTAPI 379 | // EtwEventRegister( 380 | // _In_ LPCGUID ProviderId, 
381 | // _In_opt_ PENABLECALLBACK EnableCallback, 382 | // _In_opt_ PVOID CallbackContext, 383 | // _Out_ PREGHANDLE RegHandle 384 | // ); 385 | 386 | #endif 387 | -------------------------------------------------------------------------------- /include/ntdll.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDLL_H 2 | #define _NTDLL_H 3 | 4 | // This header file provides access to NT APIs. 5 | 6 | // Definitions are annotated to indicate their source. If a definition is not annotated, it has been 7 | // retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). 8 | 9 | // * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in 10 | // winbase.h. 11 | // * "rev" indicates that a definition has been reverse-engineered. 12 | // * "dbg" indicates that a definition has been obtained from a debug message or assertion in a 13 | // checked build of the kernel or file. 14 | 15 | // Reliability: 16 | // 1. No annotation. 17 | // 2. dbg. 18 | // 3. symbols, private. Types may be incorrect. 19 | // 4. winbase. Names and types may be incorrect. 20 | // 5. rev. 
21 | 22 | // Mode 23 | #define NTDLL_MODE_KERNEL 0 24 | #define NTDLL_MODE_USER 1 25 | 26 | // Version 27 | #define NTDLL_WIN2K 50 28 | #define NTDLL_WINXP 51 29 | #define NTDLL_WS03 52 30 | #define NTDLL_VISTA 60 31 | #define NTDLL_WIN7 61 32 | #define NTDLL_WIN8 62 33 | #define NTDLL_WINBLUE 63 34 | #define NTDLL_THRESHOLD 100 35 | #define NTDLL_THRESHOLD2 101 36 | #define NTDLL_REDSTONE 102 37 | #define NTDLL_REDSTONE2 103 38 | #define NTDLL_REDSTONE3 104 39 | #define NTDLL_REDSTONE4 105 40 | 41 | #ifndef NTDLL_MODE 42 | #define NTDLL_MODE NTDLL_MODE_USER 43 | #endif 44 | 45 | #ifndef NTDLL_VERSION 46 | #define NTDLL_VERSION NTDLL_WIN7 47 | #endif 48 | 49 | // Options 50 | 51 | //#define NTDLL_NO_INLINE_INIT_STRING 52 | 53 | #ifdef __cplusplus 54 | extern "C" { 55 | #endif 56 | 57 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 58 | #include 59 | #include 60 | #include 61 | #endif 62 | 63 | #include 64 | #include 65 | 66 | #include 67 | #include 68 | #include 69 | 70 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 71 | #include 72 | #include 73 | #include 74 | #include 75 | #include 76 | #include 77 | #include 78 | #include 79 | #include 80 | #endif 81 | 82 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 83 | 84 | #include 85 | #include 86 | #include 87 | #include 88 | 89 | #include 90 | 91 | #include 92 | #include 93 | 94 | #include 95 | 96 | #include 97 | 98 | #endif 99 | 100 | #ifdef __cplusplus 101 | } 102 | #endif 103 | 104 | #endif 105 | -------------------------------------------------------------------------------- /include/ntdll_ntdef.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDLL_NTDEF_H 2 | #define _NTDLL_NTDEF_H 3 | 4 | #ifndef _NTDEF_ 5 | #define _NTDEF_ 6 | 7 | // This header file provides basic NT types not included in Win32. If you have included winnt.h 8 | // (perhaps indirectly), you must use this file instead of ntdef.h. 
9 | 10 | #ifndef NOTHING 11 | #define NOTHING 12 | #endif 13 | 14 | // Basic types 15 | 16 | typedef struct _QUAD 17 | { 18 | union 19 | { 20 | __int64 UseThisFieldToCopy; 21 | double DoNotUseThisField; 22 | }; 23 | } QUAD, *PQUAD; 24 | 25 | // This isn't in NT, but it's useful. 26 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 27 | { 28 | ULONG_PTR DoNotUseThisField1; 29 | ULONG_PTR DoNotUseThisField2; 30 | } QUAD_PTR, *PQUAD_PTR; 31 | 32 | typedef ULONG LOGICAL; 33 | typedef ULONG *PLOGICAL; 34 | 35 | typedef _Success_(return >= 0) LONG NTSTATUS; 36 | typedef NTSTATUS *PNTSTATUS; 37 | 38 | // Cardinal types 39 | 40 | typedef char CCHAR; 41 | typedef short CSHORT; 42 | typedef ULONG CLONG; 43 | 44 | typedef CCHAR *PCCHAR; 45 | typedef CSHORT *PCSHORT; 46 | typedef CLONG *PCLONG; 47 | 48 | typedef PCSTR PCSZ; 49 | 50 | // Specific 51 | 52 | typedef UCHAR KIRQL, *PKIRQL; 53 | typedef LONG KPRIORITY; 54 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 55 | 56 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 57 | 58 | // NT status macros 59 | 60 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 61 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 62 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 63 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 64 | 65 | #define NT_FACILITY_MASK 0xfff 66 | #define NT_FACILITY_SHIFT 16 67 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 68 | 69 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 70 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 71 | 72 | // Functions 73 | 74 | #ifndef _WIN64 75 | #define FASTCALL __fastcall 76 | #else 77 | #define FASTCALL 78 | #endif 79 | 80 | // Synchronization enumerations 81 | 82 | typedef enum _EVENT_TYPE 83 | { 84 | NotificationEvent, 85 | SynchronizationEvent 86 | } EVENT_TYPE; 87 | 88 | typedef enum _TIMER_TYPE 89 | { 90 | 
NotificationTimer, 91 | SynchronizationTimer 92 | } TIMER_TYPE; 93 | 94 | typedef enum _WAIT_TYPE 95 | { 96 | WaitAll, 97 | WaitAny, 98 | WaitNotification 99 | } WAIT_TYPE; 100 | 101 | // Strings 102 | 103 | typedef struct _STRING 104 | { 105 | USHORT Length; 106 | USHORT MaximumLength; 107 | _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer; 108 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 109 | 110 | typedef const STRING *PCSTRING; 111 | typedef const ANSI_STRING *PCANSI_STRING; 112 | typedef const OEM_STRING *PCOEM_STRING; 113 | 114 | typedef struct _UNICODE_STRING 115 | { 116 | USHORT Length; 117 | USHORT MaximumLength; 118 | _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer; 119 | } UNICODE_STRING, *PUNICODE_STRING; 120 | 121 | typedef const UNICODE_STRING *PCUNICODE_STRING; 122 | 123 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s } 124 | 125 | // Balanced tree node 126 | 127 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 128 | 129 | typedef struct _RTL_BALANCED_NODE 130 | { 131 | union 132 | { 133 | struct _RTL_BALANCED_NODE *Children[2]; 134 | struct 135 | { 136 | struct _RTL_BALANCED_NODE *Left; 137 | struct _RTL_BALANCED_NODE *Right; 138 | }; 139 | }; 140 | union 141 | { 142 | UCHAR Red : 1; 143 | UCHAR Balance : 2; 144 | ULONG_PTR ParentValue; 145 | }; 146 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 147 | 148 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \ 149 | ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 150 | 151 | // Portability 152 | 153 | typedef struct _SINGLE_LIST_ENTRY32 154 | { 155 | ULONG Next; 156 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 157 | 158 | typedef struct _STRING32 159 | { 160 | USHORT Length; 161 | USHORT MaximumLength; 162 | ULONG Buffer; 163 | } STRING32, *PSTRING32; 164 | 165 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; 166 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 167 | 
168 | typedef struct _STRING64 169 | { 170 | USHORT Length; 171 | USHORT MaximumLength; 172 | ULONGLONG Buffer; 173 | } STRING64, *PSTRING64; 174 | 175 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; 176 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64; 177 | 178 | // Object attributes 179 | 180 | #define OBJ_INHERIT 0x00000002 181 | #define OBJ_PERMANENT 0x00000010 182 | #define OBJ_EXCLUSIVE 0x00000020 183 | #define OBJ_CASE_INSENSITIVE 0x00000040 184 | #define OBJ_OPENIF 0x00000080 185 | #define OBJ_OPENLINK 0x00000100 186 | #define OBJ_KERNEL_HANDLE 0x00000200 187 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 188 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800 189 | #define OBJ_DONT_REPARSE 0x00001000 190 | #define OBJ_VALID_ATTRIBUTES 0x00001ff2 191 | 192 | typedef struct _OBJECT_ATTRIBUTES 193 | { 194 | ULONG Length; 195 | HANDLE RootDirectory; 196 | PUNICODE_STRING ObjectName; 197 | ULONG Attributes; 198 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; 199 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE 200 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 201 | 202 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; 203 | 204 | #define InitializeObjectAttributes(p, n, a, r, s) { \ 205 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 206 | (p)->RootDirectory = r; \ 207 | (p)->Attributes = a; \ 208 | (p)->ObjectName = n; \ 209 | (p)->SecurityDescriptor = s; \ 210 | (p)->SecurityQualityOfService = NULL; \ 211 | } 212 | 213 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } 214 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 215 | 216 | #define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') 217 | 218 | // Portability 219 | 220 | typedef struct _OBJECT_ATTRIBUTES64 221 | { 222 | ULONG Length; 223 | ULONG64 RootDirectory; 224 | ULONG64 ObjectName; 225 | ULONG Attributes; 226 | ULONG64 SecurityDescriptor; 227 | ULONG64 SecurityQualityOfService; 228 | } 
OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; 229 | 230 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; 231 | 232 | typedef struct _OBJECT_ATTRIBUTES32 233 | { 234 | ULONG Length; 235 | ULONG RootDirectory; 236 | ULONG ObjectName; 237 | ULONG Attributes; 238 | ULONG SecurityDescriptor; 239 | ULONG SecurityQualityOfService; 240 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 241 | 242 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 243 | 244 | // Product types 245 | 246 | typedef enum _NT_PRODUCT_TYPE 247 | { 248 | NtProductWinNt = 1, 249 | NtProductLanManNt, 250 | NtProductServer 251 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 252 | 253 | typedef enum _SUITE_TYPE 254 | { 255 | SmallBusiness, 256 | Enterprise, 257 | BackOffice, 258 | CommunicationServer, 259 | TerminalServer, 260 | SmallBusinessRestricted, 261 | EmbeddedNT, 262 | DataCenter, 263 | SingleUserTS, 264 | Personal, 265 | Blade, 266 | EmbeddedRestricted, 267 | SecurityAppliance, 268 | StorageServer, 269 | ComputeServer, 270 | WHServer, 271 | PhoneNT, 272 | MaxSuiteType 273 | } SUITE_TYPE; 274 | 275 | // Specific 276 | 277 | typedef struct _CLIENT_ID 278 | { 279 | HANDLE UniqueProcess; 280 | HANDLE UniqueThread; 281 | } CLIENT_ID, *PCLIENT_ID; 282 | 283 | typedef struct _CLIENT_ID32 284 | { 285 | ULONG UniqueProcess; 286 | ULONG UniqueThread; 287 | } CLIENT_ID32, *PCLIENT_ID32; 288 | 289 | typedef struct _CLIENT_ID64 290 | { 291 | ULONGLONG UniqueProcess; 292 | ULONGLONG UniqueThread; 293 | } CLIENT_ID64, *PCLIENT_ID64; 294 | 295 | #include 296 | 297 | typedef struct _KSYSTEM_TIME 298 | { 299 | ULONG LowPart; 300 | LONG High1Time; 301 | LONG High2Time; 302 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 303 | 304 | #include 305 | 306 | #endif 307 | 308 | #endif 309 | -------------------------------------------------------------------------------- /include/ntdll_windows.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDLL_WINDOWS_H 2 | #define 
_NTDLL_WINDOWS_H 3 | 4 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 5 | 6 | #ifndef CINTERFACE 7 | #define CINTERFACE 8 | #endif 9 | 10 | #ifndef COBJMACROS 11 | #define COBJMACROS 12 | #endif 13 | 14 | #ifndef INITGUID 15 | #define INITGUID 16 | #endif 17 | 18 | #ifndef WIN32_LEAN_AND_MEAN 19 | #define WIN32_LEAN_AND_MEAN 20 | #endif 21 | 22 | #ifndef WIN32_NO_STATUS 23 | #define WIN32_NO_STATUS 24 | #endif 25 | 26 | #include 27 | #include 28 | #undef WIN32_NO_STATUS 29 | #include 30 | #include 31 | 32 | typedef double DOUBLE; 33 | typedef GUID *PGUID; 34 | 35 | // Desktop access rights 36 | #define DESKTOP_ALL_ACCESS \ 37 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 38 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 39 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 40 | STANDARD_RIGHTS_REQUIRED) 41 | #define DESKTOP_GENERIC_READ \ 42 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 43 | #define DESKTOP_GENERIC_WRITE \ 44 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 45 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 46 | STANDARD_RIGHTS_WRITE) 47 | #define DESKTOP_GENERIC_EXECUTE \ 48 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 49 | 50 | // Window station access rights 51 | #define WINSTA_GENERIC_READ \ 52 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 53 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 54 | #define WINSTA_GENERIC_WRITE \ 55 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 56 | STANDARD_RIGHTS_WRITE) 57 | #define WINSTA_GENERIC_EXECUTE \ 58 | (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 59 | 60 | // WMI access rights 61 | #define WMIGUID_GENERIC_READ \ 62 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 63 | STANDARD_RIGHTS_READ) 64 | #define 
WMIGUID_GENERIC_WRITE \ 65 | (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 66 | STANDARD_RIGHTS_WRITE) 67 | #define WMIGUID_GENERIC_EXECUTE \ 68 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 69 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 70 | STANDARD_RIGHTS_EXECUTE) 71 | 72 | #endif 73 | -------------------------------------------------------------------------------- /include/ntgdi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Process Hacker - 3 | * Graphics device interface support 4 | * 5 | * This file is part of Process Hacker. 6 | * 7 | * Process Hacker is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation, either version 3 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * Process Hacker is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with Process Hacker. If not, see . 
19 | */ 20 | 21 | #ifndef _NTGDI_H 22 | #define _NTGDI_H 23 | 24 | #define GDI_MAX_HANDLE_COUNT 0x4000 25 | 26 | #define GDI_HANDLE_INDEX_SHIFT 0 27 | #define GDI_HANDLE_INDEX_BITS 16 28 | #define GDI_HANDLE_INDEX_MASK 0xffff 29 | 30 | #define GDI_HANDLE_TYPE_SHIFT 16 31 | #define GDI_HANDLE_TYPE_BITS 5 32 | #define GDI_HANDLE_TYPE_MASK 0x1f 33 | 34 | #define GDI_HANDLE_ALTTYPE_SHIFT 21 35 | #define GDI_HANDLE_ALTTYPE_BITS 2 36 | #define GDI_HANDLE_ALTTYPE_MASK 0x3 37 | 38 | #define GDI_HANDLE_STOCK_SHIFT 23 39 | #define GDI_HANDLE_STOCK_BITS 1 40 | #define GDI_HANDLE_STOCK_MASK 0x1 41 | 42 | #define GDI_HANDLE_UNIQUE_SHIFT 24 43 | #define GDI_HANDLE_UNIQUE_BITS 8 44 | #define GDI_HANDLE_UNIQUE_MASK 0xff 45 | 46 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) 47 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) 48 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) 49 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK) 50 | 51 | #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) 52 | 53 | // GDI server-side types 54 | 55 | #define GDI_DEF_TYPE 0 // invalid handle 56 | #define GDI_DC_TYPE 1 57 | #define GDI_DD_DIRECTDRAW_TYPE 2 58 | #define GDI_DD_SURFACE_TYPE 3 59 | #define GDI_RGN_TYPE 4 60 | #define GDI_SURF_TYPE 5 61 | #define GDI_CLIENTOBJ_TYPE 6 62 | #define GDI_PATH_TYPE 7 63 | #define GDI_PAL_TYPE 8 64 | #define GDI_ICMLCS_TYPE 9 65 | #define GDI_LFONT_TYPE 10 66 | #define GDI_RFONT_TYPE 11 67 | #define GDI_PFE_TYPE 12 68 | #define GDI_PFT_TYPE 13 69 | #define GDI_ICMCXF_TYPE 14 70 | #define GDI_ICMDLL_TYPE 15 71 | #define GDI_BRUSH_TYPE 16 72 | #define GDI_PFF_TYPE 17 // unused 73 | #define GDI_CACHE_TYPE 18 // unused 74 | #define GDI_SPACE_TYPE 19 75 | #define GDI_DBRUSH_TYPE 20 // unused 76 | #define 
GDI_META_TYPE 21 77 | #define GDI_EFSTATE_TYPE 22 78 | #define GDI_BMFD_TYPE 23 // unused 79 | #define GDI_VTFD_TYPE 24 // unused 80 | #define GDI_TTFD_TYPE 25 // unused 81 | #define GDI_RC_TYPE 26 // unused 82 | #define GDI_TEMP_TYPE 27 // unused 83 | #define GDI_DRVOBJ_TYPE 28 84 | #define GDI_DCIOBJ_TYPE 29 // unused 85 | #define GDI_SPOOL_TYPE 30 86 | 87 | // GDI client-side types 88 | 89 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ 90 | (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) 91 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) 92 | 93 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) 94 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) 95 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) 96 | 97 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) 98 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) 99 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) 100 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) 101 | #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT) 102 | #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT) 103 | #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT) 104 | 105 | #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1) 106 | #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1) 107 | #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2) 108 | #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3) 109 | #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2) 110 | #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1) 111 | #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1) 112 | 113 | typedef struct 
_GDI_HANDLE_ENTRY 114 | { 115 | union 116 | { 117 | PVOID Object; 118 | PVOID NextFree; 119 | }; 120 | union 121 | { 122 | struct 123 | { 124 | USHORT ProcessId; 125 | USHORT Lock : 1; 126 | USHORT Count : 15; 127 | }; 128 | ULONG Value; 129 | } Owner; 130 | USHORT Unique; 131 | UCHAR Type; 132 | UCHAR Flags; 133 | PVOID UserPointer; 134 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; 135 | 136 | typedef struct _GDI_SHARED_MEMORY 137 | { 138 | GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; 139 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; 140 | 141 | #endif 142 | -------------------------------------------------------------------------------- /include/ntkeapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTKEAPI_H 2 | #define _NTKEAPI_H 3 | 4 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 5 | #define LOW_PRIORITY 0 // Lowest thread priority level 6 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 7 | #define HIGH_PRIORITY 31 // Highest thread priority level 8 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 9 | #endif 10 | 11 | typedef enum _KTHREAD_STATE 12 | { 13 | Initialized, 14 | Ready, 15 | Running, 16 | Standby, 17 | Terminated, 18 | Waiting, 19 | Transition, 20 | DeferredReady, 21 | GateWaitObsolete, 22 | WaitingForProcessInSwap, 23 | MaximumThreadState 24 | } KTHREAD_STATE, *PKTHREAD_STATE; 25 | 26 | // private 27 | typedef enum _KHETERO_CPU_POLICY 28 | { 29 | KHeteroCpuPolicyAll, 30 | KHeteroCpuPolicyLarge, 31 | KHeteroCpuPolicyLargeOrIdle, 32 | KHeteroCpuPolicySmall, 33 | KHeteroCpuPolicySmallOrIdle, 34 | KHeteroCpuPolicyDynamic, 35 | KHeteroCpuPolicyStaticMax, 36 | KHeteroCpuPolicyBiasedSmall, 37 | KHeteroCpuPolicyBiasedLarge, 38 | KHeteroCpuPolicyDefault, 39 | KHeteroCpuPolicyMax 40 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 41 | 42 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 43 | 44 | typedef enum _KWAIT_REASON 45 | { 46 | Executive, 47 | FreePage, 48 | PageIn, 49 | 
PoolAllocation, 50 | DelayExecution, 51 | Suspended, 52 | UserRequest, 53 | WrExecutive, 54 | WrFreePage, 55 | WrPageIn, 56 | WrPoolAllocation, 57 | WrDelayExecution, 58 | WrSuspended, 59 | WrUserRequest, 60 | WrEventPair, 61 | WrQueue, 62 | WrLpcReceive, 63 | WrLpcReply, 64 | WrVirtualMemory, 65 | WrPageOut, 66 | WrRendezvous, 67 | WrKeyedEvent, 68 | WrTerminated, 69 | WrProcessInSwap, 70 | WrCpuRateControl, 71 | WrCalloutStack, 72 | WrKernel, 73 | WrResource, 74 | WrPushLock, 75 | WrMutex, 76 | WrQuantumEnd, 77 | WrDispatchInt, 78 | WrPreempted, 79 | WrYieldExecution, 80 | WrFastMutex, 81 | WrGuardedMutex, 82 | WrRundown, 83 | WrAlertByThreadId, 84 | WrDeferredPreempt, 85 | MaximumWaitReason 86 | } KWAIT_REASON, *PKWAIT_REASON; 87 | 88 | typedef enum _KPROFILE_SOURCE 89 | { 90 | ProfileTime, 91 | ProfileAlignmentFixup, 92 | ProfileTotalIssues, 93 | ProfilePipelineDry, 94 | ProfileLoadInstructions, 95 | ProfilePipelineFrozen, 96 | ProfileBranchInstructions, 97 | ProfileTotalNonissues, 98 | ProfileDcacheMisses, 99 | ProfileIcacheMisses, 100 | ProfileCacheMisses, 101 | ProfileBranchMispredictions, 102 | ProfileStoreInstructions, 103 | ProfileFpInstructions, 104 | ProfileIntegerInstructions, 105 | Profile2Issue, 106 | Profile3Issue, 107 | Profile4Issue, 108 | ProfileSpecialInstructions, 109 | ProfileTotalCycles, 110 | ProfileIcacheIssues, 111 | ProfileDcacheAccesses, 112 | ProfileMemoryBarrierCycles, 113 | ProfileLoadLinkedIssues, 114 | ProfileMaximum 115 | } KPROFILE_SOURCE; 116 | 117 | #endif 118 | 119 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 120 | 121 | NTSYSCALLAPI 122 | NTSTATUS 123 | NTAPI 124 | NtCallbackReturn( 125 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 126 | _In_ ULONG OutputLength, 127 | _In_ NTSTATUS Status 128 | ); 129 | 130 | #if (NTDLL_VERSION >= NTDLL_VISTA) 131 | NTSYSCALLAPI 132 | VOID 133 | NTAPI 134 | NtFlushProcessWriteBuffers( 135 | VOID 136 | ); 137 | #endif 138 | 139 | NTSYSCALLAPI 140 | NTSTATUS 141 | NTAPI 142 | 
NtQueryDebugFilterState( 143 | _In_ ULONG ComponentId, 144 | _In_ ULONG Level 145 | ); 146 | 147 | NTSYSCALLAPI 148 | NTSTATUS 149 | NTAPI 150 | NtSetDebugFilterState( 151 | _In_ ULONG ComponentId, 152 | _In_ ULONG Level, 153 | _In_ BOOLEAN State 154 | ); 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtYieldExecution( 160 | VOID 161 | ); 162 | 163 | #endif 164 | 165 | #endif 166 | -------------------------------------------------------------------------------- /include/ntmisc.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTMISC_H 2 | #define _NTMISC_H 3 | 4 | // Filter manager 5 | 6 | #define FLT_PORT_CONNECT 0x0001 7 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) 8 | 9 | // VDM 10 | 11 | typedef enum _VDMSERVICECLASS 12 | { 13 | VdmStartExecution, 14 | VdmQueueInterrupt, 15 | VdmDelayInterrupt, 16 | VdmInitialize, 17 | VdmFeatures, 18 | VdmSetInt21Handler, 19 | VdmQueryDir, 20 | VdmPrinterDirectIoOpen, 21 | VdmPrinterDirectIoClose, 22 | VdmPrinterInitialize, 23 | VdmSetLdtEntries, 24 | VdmSetProcessLdtInfo, 25 | VdmAdlibEmulation, 26 | VdmPMCliControl, 27 | VdmQueryVdmProcess 28 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 29 | 30 | NTSYSCALLAPI 31 | NTSTATUS 32 | NTAPI 33 | NtVdmControl( 34 | _In_ VDMSERVICECLASS Service, 35 | _Inout_ PVOID ServiceData 36 | ); 37 | 38 | // WMI/ETW 39 | 40 | NTSYSCALLAPI 41 | NTSTATUS 42 | NTAPI 43 | NtTraceEvent( 44 | _In_ HANDLE TraceHandle, 45 | _In_ ULONG Flags, 46 | _In_ ULONG FieldSize, 47 | _In_ PVOID Fields 48 | ); 49 | 50 | #if (NTDLL_VERSION >= NTDLL_VISTA) 51 | // private 52 | NTSYSCALLAPI 53 | NTSTATUS 54 | NTAPI 55 | NtTraceControl( 56 | _In_ ULONG FunctionCode, 57 | _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer, 58 | _In_ ULONG InBufferLen, 59 | _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer, 60 | _In_ ULONG OutBufferLen, 61 | _Out_ PULONG ReturnLength 62 | ); 63 | #endif 64 | 65 | #endif 66 | 
-------------------------------------------------------------------------------- /include/ntnls.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Process Hacker - 3 | * National Language Support functions 4 | * 5 | * This file is part of Process Hacker. 6 | * 7 | * Process Hacker is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation, either version 3 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * Process Hacker is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with Process Hacker. If not, see . 19 | */ 20 | 21 | #ifndef _NTNLS_H 22 | #define _NTNLS_H 23 | 24 | #define MAXIMUM_LEADBYTES 12 25 | 26 | typedef struct _CPTABLEINFO 27 | { 28 | USHORT CodePage; 29 | USHORT MaximumCharacterSize; 30 | USHORT DefaultChar; 31 | USHORT UniDefaultChar; 32 | USHORT TransDefaultChar; 33 | USHORT TransUniDefaultChar; 34 | USHORT DBCSCodePage; 35 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; 36 | PUSHORT MultiByteTable; 37 | PVOID WideCharTable; 38 | PUSHORT DBCSRanges; 39 | PUSHORT DBCSOffsets; 40 | } CPTABLEINFO, *PCPTABLEINFO; 41 | 42 | typedef struct _NLSTABLEINFO 43 | { 44 | CPTABLEINFO OemTableInfo; 45 | CPTABLEINFO AnsiTableInfo; 46 | PUSHORT UpperCaseTable; 47 | PUSHORT LowerCaseTable; 48 | } NLSTABLEINFO, *PNLSTABLEINFO; 49 | 50 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 51 | NTSYSAPI USHORT NlsAnsiCodePage; 52 | NTSYSAPI BOOLEAN NlsMbCodePageTag; 53 | NTSYSAPI BOOLEAN NlsMbOemCodePageTag; 54 | #endif 55 | 56 | #endif 57 | -------------------------------------------------------------------------------- /include/ntobapi.h: 
-------------------------------------------------------------------------------- 1 | #ifndef _NTOBAPI_H 2 | #define _NTOBAPI_H 3 | 4 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 5 | #define OBJECT_TYPE_CREATE 0x0001 6 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 7 | #endif 8 | 9 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 10 | #define DIRECTORY_QUERY 0x0001 11 | #define DIRECTORY_TRAVERSE 0x0002 12 | #define DIRECTORY_CREATE_OBJECT 0x0004 13 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 14 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf) 15 | #endif 16 | 17 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 18 | #define SYMBOLIC_LINK_QUERY 0x0001 19 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 20 | #endif 21 | 22 | #define OBJ_PROTECT_CLOSE 0x00000001 23 | #ifndef OBJ_INHERIT 24 | #define OBJ_INHERIT 0x00000002 25 | #endif 26 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 27 | 28 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 29 | typedef enum _OBJECT_INFORMATION_CLASS 30 | { 31 | ObjectBasicInformation, // OBJECT_BASIC_INFORMATION 32 | ObjectNameInformation, // OBJECT_NAME_INFORMATION 33 | ObjectTypeInformation, // OBJECT_TYPE_INFORMATION 34 | ObjectTypesInformation, // OBJECT_TYPES_INFORMATION 35 | ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION 36 | ObjectSessionInformation, 37 | ObjectSessionObjectInformation, 38 | MaxObjectInfoClass 39 | } OBJECT_INFORMATION_CLASS; 40 | #else 41 | #define ObjectNameInformation 1 42 | #define ObjectTypesInformation 3 43 | #define ObjectHandleFlagInformation 4 44 | #define ObjectSessionInformation 5 45 | #endif 46 | 47 | typedef struct _OBJECT_BASIC_INFORMATION 48 | { 49 | ULONG Attributes; 50 | ACCESS_MASK GrantedAccess; 51 | ULONG HandleCount; 52 | ULONG PointerCount; 53 | ULONG PagedPoolCharge; 54 | ULONG NonPagedPoolCharge; 55 | ULONG Reserved[3]; 56 | ULONG NameInfoSize; 57 | ULONG TypeInfoSize; 58 | ULONG SecurityDescriptorSize; 59 | LARGE_INTEGER CreationTime; 60 | } 
OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 61 | 62 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 63 | typedef struct _OBJECT_NAME_INFORMATION 64 | { 65 | UNICODE_STRING Name; 66 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 67 | #endif 68 | 69 | typedef struct _OBJECT_TYPE_INFORMATION 70 | { 71 | UNICODE_STRING TypeName; 72 | ULONG TotalNumberOfObjects; 73 | ULONG TotalNumberOfHandles; 74 | ULONG TotalPagedPoolUsage; 75 | ULONG TotalNonPagedPoolUsage; 76 | ULONG TotalNamePoolUsage; 77 | ULONG TotalHandleTableUsage; 78 | ULONG HighWaterNumberOfObjects; 79 | ULONG HighWaterNumberOfHandles; 80 | ULONG HighWaterPagedPoolUsage; 81 | ULONG HighWaterNonPagedPoolUsage; 82 | ULONG HighWaterNamePoolUsage; 83 | ULONG HighWaterHandleTableUsage; 84 | ULONG InvalidAttributes; 85 | GENERIC_MAPPING GenericMapping; 86 | ULONG ValidAccessMask; 87 | BOOLEAN SecurityRequired; 88 | BOOLEAN MaintainHandleCount; 89 | UCHAR TypeIndex; // since WINBLUE 90 | CHAR ReservedByte; 91 | ULONG PoolType; 92 | ULONG DefaultPagedPoolCharge; 93 | ULONG DefaultNonPagedPoolCharge; 94 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 95 | 96 | typedef struct _OBJECT_TYPES_INFORMATION 97 | { 98 | ULONG NumberOfTypes; 99 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 100 | 101 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 102 | { 103 | BOOLEAN Inherit; 104 | BOOLEAN ProtectFromClose; 105 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 106 | 107 | // Objects, handles 108 | 109 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 110 | 111 | NTSYSCALLAPI 112 | NTSTATUS 113 | NTAPI 114 | NtQueryObject( 115 | _In_opt_ HANDLE Handle, 116 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 117 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 118 | _In_ ULONG ObjectInformationLength, 119 | _Out_opt_ PULONG ReturnLength 120 | ); 121 | 122 | NTSYSCALLAPI 123 | NTSTATUS 124 | NTAPI 125 | NtSetInformationObject( 126 | _In_ HANDLE Handle, 127 | 
_In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 128 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 129 | _In_ ULONG ObjectInformationLength 130 | ); 131 | 132 | #define DUPLICATE_CLOSE_SOURCE 0x00000001 133 | #define DUPLICATE_SAME_ACCESS 0x00000002 134 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 135 | 136 | NTSYSCALLAPI 137 | NTSTATUS 138 | NTAPI 139 | NtDuplicateObject( 140 | _In_ HANDLE SourceProcessHandle, 141 | _In_ HANDLE SourceHandle, 142 | _In_opt_ HANDLE TargetProcessHandle, 143 | _Out_opt_ PHANDLE TargetHandle, 144 | _In_ ACCESS_MASK DesiredAccess, 145 | _In_ ULONG HandleAttributes, 146 | _In_ ULONG Options 147 | ); 148 | 149 | NTSYSCALLAPI 150 | NTSTATUS 151 | NTAPI 152 | NtMakeTemporaryObject( 153 | _In_ HANDLE Handle 154 | ); 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtMakePermanentObject( 160 | _In_ HANDLE Handle 161 | ); 162 | 163 | NTSYSCALLAPI 164 | NTSTATUS 165 | NTAPI 166 | NtSignalAndWaitForSingleObject( 167 | _In_ HANDLE SignalHandle, 168 | _In_ HANDLE WaitHandle, 169 | _In_ BOOLEAN Alertable, 170 | _In_opt_ PLARGE_INTEGER Timeout 171 | ); 172 | 173 | NTSYSCALLAPI 174 | NTSTATUS 175 | NTAPI 176 | NtWaitForSingleObject( 177 | _In_ HANDLE Handle, 178 | _In_ BOOLEAN Alertable, 179 | _In_opt_ PLARGE_INTEGER Timeout 180 | ); 181 | 182 | NTSYSCALLAPI 183 | NTSTATUS 184 | NTAPI 185 | NtWaitForMultipleObjects( 186 | _In_ ULONG Count, 187 | _In_reads_(Count) HANDLE Handles[], 188 | _In_ WAIT_TYPE WaitType, 189 | _In_ BOOLEAN Alertable, 190 | _In_opt_ PLARGE_INTEGER Timeout 191 | ); 192 | 193 | #if (NTDLL_VERSION >= NTDLL_WS03) 194 | NTSYSCALLAPI 195 | NTSTATUS 196 | NTAPI 197 | NtWaitForMultipleObjects32( 198 | _In_ ULONG Count, 199 | _In_reads_(Count) LONG Handles[], 200 | _In_ WAIT_TYPE WaitType, 201 | _In_ BOOLEAN Alertable, 202 | _In_opt_ PLARGE_INTEGER Timeout 203 | ); 204 | #endif 205 | 206 | NTSYSCALLAPI 207 | NTSTATUS 208 | NTAPI 209 | NtSetSecurityObject( 210 | _In_ HANDLE Handle, 211 | _In_ 
SECURITY_INFORMATION SecurityInformation, 212 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 213 | ); 214 | 215 | NTSYSCALLAPI 216 | NTSTATUS 217 | NTAPI 218 | NtQuerySecurityObject( 219 | _In_ HANDLE Handle, 220 | _In_ SECURITY_INFORMATION SecurityInformation, 221 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 222 | _In_ ULONG Length, 223 | _Out_ PULONG LengthNeeded 224 | ); 225 | 226 | NTSYSCALLAPI 227 | NTSTATUS 228 | NTAPI 229 | NtClose( 230 | _In_ HANDLE Handle 231 | ); 232 | 233 | #if (NTDLL_VERSION >= NTDLL_THRESHOLD) 234 | NTSYSCALLAPI 235 | NTSTATUS 236 | NTAPI 237 | NtCompareObjects( 238 | _In_ HANDLE FirstObjectHandle, 239 | _In_ HANDLE SecondObjectHandle 240 | ); 241 | #endif 242 | 243 | #endif 244 | 245 | // Directory objects 246 | 247 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 248 | 249 | NTSYSCALLAPI 250 | NTSTATUS 251 | NTAPI 252 | NtCreateDirectoryObject( 253 | _Out_ PHANDLE DirectoryHandle, 254 | _In_ ACCESS_MASK DesiredAccess, 255 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 256 | ); 257 | 258 | #if (NTDLL_VERSION >= NTDLL_WIN8) 259 | NTSYSCALLAPI 260 | NTSTATUS 261 | NTAPI 262 | NtCreateDirectoryObjectEx( 263 | _Out_ PHANDLE DirectoryHandle, 264 | _In_ ACCESS_MASK DesiredAccess, 265 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 266 | _In_ HANDLE ShadowDirectoryHandle, 267 | _In_ ULONG Flags 268 | ); 269 | #endif 270 | 271 | NTSYSCALLAPI 272 | NTSTATUS 273 | NTAPI 274 | NtOpenDirectoryObject( 275 | _Out_ PHANDLE DirectoryHandle, 276 | _In_ ACCESS_MASK DesiredAccess, 277 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 278 | ); 279 | 280 | typedef struct _OBJECT_DIRECTORY_INFORMATION 281 | { 282 | UNICODE_STRING Name; 283 | UNICODE_STRING TypeName; 284 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 285 | 286 | NTSYSCALLAPI 287 | NTSTATUS 288 | NTAPI 289 | NtQueryDirectoryObject( 290 | _In_ HANDLE DirectoryHandle, 291 | _Out_writes_bytes_opt_(Length) PVOID Buffer, 292 | _In_ ULONG Length, 293 | _In_ BOOLEAN 
ReturnSingleEntry, 294 | _In_ BOOLEAN RestartScan, 295 | _Inout_ PULONG Context, 296 | _Out_opt_ PULONG ReturnLength 297 | ); 298 | 299 | #endif 300 | 301 | // Private namespaces 302 | 303 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 304 | 305 | #if (NTDLL_VERSION >= NTDLL_VISTA) 306 | 307 | NTSYSCALLAPI 308 | NTSTATUS 309 | NTAPI 310 | NtCreatePrivateNamespace( 311 | _Out_ PHANDLE NamespaceHandle, 312 | _In_ ACCESS_MASK DesiredAccess, 313 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 314 | _In_ PVOID BoundaryDescriptor 315 | ); 316 | 317 | NTSYSCALLAPI 318 | NTSTATUS 319 | NTAPI 320 | NtOpenPrivateNamespace( 321 | _Out_ PHANDLE NamespaceHandle, 322 | _In_ ACCESS_MASK DesiredAccess, 323 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 324 | _In_ PVOID BoundaryDescriptor 325 | ); 326 | 327 | NTSYSCALLAPI 328 | NTSTATUS 329 | NTAPI 330 | NtDeletePrivateNamespace( 331 | _In_ HANDLE NamespaceHandle 332 | ); 333 | 334 | #endif 335 | 336 | #endif 337 | 338 | // Symbolic links 339 | 340 | #if (NTDLL_MODE != NTDLL_MODE_KERNEL) 341 | 342 | NTSYSCALLAPI 343 | NTSTATUS 344 | NTAPI 345 | NtCreateSymbolicLinkObject( 346 | _Out_ PHANDLE LinkHandle, 347 | _In_ ACCESS_MASK DesiredAccess, 348 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 349 | _In_ PUNICODE_STRING LinkTarget 350 | ); 351 | 352 | NTSYSCALLAPI 353 | NTSTATUS 354 | NTAPI 355 | NtOpenSymbolicLinkObject( 356 | _Out_ PHANDLE LinkHandle, 357 | _In_ ACCESS_MASK DesiredAccess, 358 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 359 | ); 360 | 361 | NTSYSCALLAPI 362 | NTSTATUS 363 | NTAPI 364 | NtQuerySymbolicLinkObject( 365 | _In_ HANDLE LinkHandle, 366 | _Inout_ PUNICODE_STRING LinkTarget, 367 | _Out_opt_ PULONG ReturnedLength 368 | ); 369 | 370 | #endif 371 | 372 | #endif 373 | -------------------------------------------------------------------------------- /include/ntpebteb.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTPEBTEB_H 2 | #define _NTPEBTEB_H 3 | 4 | typedef struct 
_RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; 5 | typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; 6 | 7 | // private 8 | typedef struct _ACTIVATION_CONTEXT_STACK 9 | { 10 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame; 11 | LIST_ENTRY FrameListCache; 12 | ULONG Flags; 13 | ULONG NextCookieSequenceNumber; 14 | ULONG StackId; 15 | } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; 16 | 17 | // private /* Header of the API-set map that PEB.ApiSetMap points at; EntryOffset and HashOffset are presumably byte offsets from this header (TODO confirm). */ 18 | typedef struct _API_SET_NAMESPACE 19 | { 20 | ULONG Version; 21 | ULONG Size; 22 | ULONG Flags; 23 | ULONG Count; 24 | ULONG EntryOffset; 25 | ULONG HashOffset; 26 | ULONG HashFactor; 27 | } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; 28 | 29 | // private 30 | typedef struct _API_SET_HASH_ENTRY 31 | { 32 | ULONG Hash; 33 | ULONG Index; 34 | } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; 35 | 36 | // private 37 | typedef struct _API_SET_NAMESPACE_ENTRY 38 | { 39 | ULONG Flags; 40 | ULONG NameOffset; 41 | ULONG NameLength; 42 | ULONG HashedLength; 43 | ULONG ValueOffset; 44 | ULONG ValueCount; 45 | } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; 46 | 47 | // private 48 | typedef struct _API_SET_VALUE_ENTRY 49 | { 50 | ULONG Flags; 51 | ULONG NameOffset; 52 | ULONG NameLength; 53 | ULONG ValueOffset; 54 | ULONG ValueLength; 55 | } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; 56 | 57 | // symbols /* Process Environment Block. This mirrors the OS layout of the build tagged REDSTONE4 in the C_ASSERTs after the struct; only the SessionId offset and the total size are checked there, so members must not be reordered, padded or retyped - every field after SessionId is positioned by the ones before it. */ 58 | typedef struct _PEB 59 | { 60 | BOOLEAN InheritedAddressSpace; 61 | BOOLEAN ReadImageFileExecOptions; 62 | BOOLEAN BeingDebugged; 63 | union 64 | { 65 | BOOLEAN BitField; 66 | struct 67 | { 68 | BOOLEAN ImageUsesLargePages : 1; 69 | BOOLEAN IsProtectedProcess : 1; 70 | BOOLEAN IsImageDynamicallyRelocated : 1; 71 | BOOLEAN SkipPatchingUser32Forwarders : 1; 72 | BOOLEAN IsPackagedProcess : 1; 73 | BOOLEAN IsAppContainer : 1; 74 | BOOLEAN IsProtectedProcessLight : 1; 75 | BOOLEAN IsLongPathAwareProcess : 1; 76 | }; 77 | }; 78 | 79 | HANDLE Mutant; 80 | 81 | PVOID ImageBaseAddress; 82 | PPEB_LDR_DATA Ldr; 83 | 
PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 84 | PVOID SubSystemData; 85 | PVOID ProcessHeap; 86 | PRTL_CRITICAL_SECTION FastPebLock; 87 | PVOID IFEOKey; 88 | PSLIST_HEADER AtlThunkSListPtr; 89 | union 90 | { 91 | ULONG CrossProcessFlags; 92 | struct 93 | { 94 | ULONG ProcessInJob : 1; 95 | ULONG ProcessInitializing : 1; 96 | ULONG ProcessUsingVEH : 1; 97 | ULONG ProcessUsingVCH : 1; 98 | ULONG ProcessUsingFTH : 1; 99 | ULONG ProcessPreviouslyThrottled : 1; 100 | ULONG ProcessCurrentlyThrottled : 1; 101 | ULONG ReservedBits0 : 25; 102 | }; 103 | }; 104 | union 105 | { 106 | PVOID KernelCallbackTable; 107 | PVOID UserSharedInfoPtr; 108 | }; 109 | ULONG SystemReserved[1]; 110 | ULONG AtlThunkSListPtr32; 111 | PAPI_SET_NAMESPACE ApiSetMap; 112 | ULONG TlsExpansionCounter; 113 | PVOID TlsBitmap; 114 | ULONG TlsBitmapBits[2]; /* 2 x 32 = 64 bits, one per TEB.TlsSlots entry */ 115 | 116 | PVOID ReadOnlySharedMemoryBase; 117 | PVOID SharedData; // HotpatchInformation 118 | PVOID *ReadOnlyStaticServerData; 119 | 120 | PVOID AnsiCodePageData; // PCPTABLEINFO 121 | PVOID OemCodePageData; // PCPTABLEINFO 122 | PVOID UnicodeCaseTableData; // PNLSTABLEINFO 123 | 124 | ULONG NumberOfProcessors; 125 | ULONG NtGlobalFlag; 126 | 127 | ULARGE_INTEGER CriticalSectionTimeout; 128 | SIZE_T HeapSegmentReserve; 129 | SIZE_T HeapSegmentCommit; 130 | SIZE_T HeapDeCommitTotalFreeThreshold; 131 | SIZE_T HeapDeCommitFreeBlockThreshold; 132 | 133 | ULONG NumberOfHeaps; 134 | ULONG MaximumNumberOfHeaps; 135 | PVOID *ProcessHeaps; // PHEAP 136 | 137 | PVOID GdiSharedHandleTable; /* presumably a GDI_SHARED_MEMORY (ntgdi.h) - TODO confirm */ 138 | PVOID ProcessStarterHelper; 139 | ULONG GdiDCAttributeList; 140 | 141 | PRTL_CRITICAL_SECTION LoaderLock; 142 | 143 | ULONG OSMajorVersion; 144 | ULONG OSMinorVersion; 145 | USHORT OSBuildNumber; 146 | USHORT OSCSDVersion; 147 | ULONG OSPlatformId; 148 | ULONG ImageSubsystem; 149 | ULONG ImageSubsystemMajorVersion; 150 | ULONG ImageSubsystemMinorVersion; 151 | ULONG_PTR ActiveProcessAffinityMask; 152 | GDI_HANDLE_BUFFER GdiHandleBuffer; 153 | PVOID 
PostProcessInitRoutine; 154 | 155 | PVOID TlsExpansionBitmap; 156 | ULONG TlsExpansionBitmapBits[32]; 157 | 158 | ULONG SessionId; 159 | 160 | ULARGE_INTEGER AppCompatFlags; 161 | ULARGE_INTEGER AppCompatFlagsUser; 162 | PVOID pShimData; 163 | PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA 164 | 165 | UNICODE_STRING CSDVersion; 166 | 167 | PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA 168 | PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP 169 | PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA 170 | PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP 171 | 172 | SIZE_T MinimumStackCommit; 173 | 174 | PVOID *FlsCallback; 175 | LIST_ENTRY FlsListHead; 176 | PVOID FlsBitmap; 177 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; /* one bit per FLS slot, packed into ULONGs */ 178 | ULONG FlsHighIndex; 179 | 180 | PVOID WerRegistrationData; 181 | PVOID WerShipAssertPtr; 182 | PVOID pUnused; // pContextData 183 | PVOID pImageHeaderHash; 184 | union 185 | { 186 | ULONG TracingFlags; 187 | struct 188 | { 189 | ULONG HeapTracingEnabled : 1; 190 | ULONG CritSecTracingEnabled : 1; 191 | ULONG LibLoaderTracingEnabled : 1; 192 | ULONG SpareTracingBits : 29; 193 | }; 194 | }; 195 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 196 | PRTL_CRITICAL_SECTION TppWorkerpListLock; 197 | LIST_ENTRY TppWorkerpList; 198 | PVOID WaitOnAddressHashTable[128]; 199 | PVOID TelemetryCoverageHeader; // REDSTONE3 200 | ULONG CloudFileFlags; 201 | ULONG CloudFileDiagFlags; // REDSTONE4 202 | CHAR PlaceholderCompatibilityMode; 203 | CHAR PlaceholderCompatibilityModeReserved[7]; 204 | } PEB, *PPEB; 205 | /* Build-specific layout checks. When a Windows release grows the PEB (as it did between the REDSTONE3 and REDSTONE4 sizes kept below), the build fails here instead of code silently reading the wrong field; update the struct and the size together. */ 206 | #ifdef _WIN64 207 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); 208 | //C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 209 | C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 210 | #else 211 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); 212 | //C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 213 | C_ASSERT(sizeof(PEB) == 0x470); /* presumably the REDSTONE4 size, mirroring the _WIN64 branch - TODO confirm */ 214 | #endif 215 | 216 | #define GDI_BATCH_BUFFER_SIZE 310
217 | 218 | typedef struct _GDI_TEB_BATCH 219 | { 220 | ULONG Offset; 221 | ULONG_PTR HDC; 222 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 223 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 224 | 225 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 226 | { 227 | ULONG Flags; 228 | PSTR FrameName; 229 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 230 | 231 | typedef struct _TEB_ACTIVE_FRAME 232 | { 233 | ULONG Flags; 234 | struct _TEB_ACTIVE_FRAME *Previous; 235 | PTEB_ACTIVE_FRAME_CONTEXT Context; 236 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 237 | 238 | typedef struct _TEB 239 | { 240 | NT_TIB NtTib; 241 | 242 | PVOID EnvironmentPointer; 243 | CLIENT_ID ClientId; 244 | PVOID ActiveRpcHandle; 245 | PVOID ThreadLocalStoragePointer; 246 | PPEB ProcessEnvironmentBlock; 247 | 248 | ULONG LastErrorValue; 249 | ULONG CountOfOwnedCriticalSections; 250 | PVOID CsrClientThread; 251 | PVOID Win32ThreadInfo; 252 | ULONG User32Reserved[26]; 253 | ULONG UserReserved[5]; 254 | PVOID WOW32Reserved; 255 | LCID CurrentLocale; 256 | ULONG FpSoftwareStatusRegister; 257 | PVOID ReservedForDebuggerInstrumentation[16]; 258 | #ifdef _WIN64 259 | PVOID SystemReserved1[30]; 260 | #else 261 | PVOID SystemReserved1[26]; 262 | #endif 263 | 264 | CHAR PlaceholderCompatibilityMode; 265 | CHAR PlaceholderReserved[11]; 266 | ULONG ProxiedProcessId; 267 | ACTIVATION_CONTEXT_STACK ActivationStack; 268 | 269 | UCHAR WorkingOnBehalfTicket[8]; 270 | NTSTATUS ExceptionCode; 271 | 272 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 273 | ULONG_PTR InstrumentationCallbackSp; 274 | ULONG_PTR InstrumentationCallbackPreviousPc; 275 | ULONG_PTR InstrumentationCallbackPreviousSp; 276 | #ifdef _WIN64 277 | ULONG TxFsContext; 278 | #endif 279 | 280 | BOOLEAN InstrumentationCallbackDisabled; 281 | #ifndef _WIN64 282 | UCHAR SpareBytes[23]; 283 | ULONG TxFsContext; 284 | #endif 285 | GDI_TEB_BATCH GdiTebBatch; 286 | CLIENT_ID RealClientId; 287 | HANDLE GdiCachedProcessHandle; 288 | ULONG GdiClientPID; 289 | 
ULONG GdiClientTID; 290 | PVOID GdiThreadLocalInfo; 291 | ULONG_PTR Win32ClientInfo[62]; 292 | PVOID glDispatchTable[233]; 293 | ULONG_PTR glReserved1[29]; 294 | PVOID glReserved2; 295 | PVOID glSectionInfo; 296 | PVOID glSection; 297 | PVOID glTable; 298 | PVOID glCurrentRC; 299 | PVOID glContext; 300 | 301 | NTSTATUS LastStatusValue; 302 | UNICODE_STRING StaticUnicodeString; 303 | WCHAR StaticUnicodeBuffer[261]; 304 | 305 | PVOID DeallocationStack; 306 | PVOID TlsSlots[64]; 307 | LIST_ENTRY TlsLinks; 308 | 309 | PVOID Vdm; 310 | PVOID ReservedForNtRpc; 311 | PVOID DbgSsReserved[2]; 312 | 313 | ULONG HardErrorMode; 314 | #ifdef _WIN64 315 | PVOID Instrumentation[11]; 316 | #else 317 | PVOID Instrumentation[9]; 318 | #endif 319 | GUID ActivityId; 320 | 321 | PVOID SubProcessTag; 322 | PVOID PerflibData; 323 | PVOID EtwTraceData; 324 | PVOID WinSockData; 325 | ULONG GdiBatchCount; 326 | 327 | union 328 | { 329 | PROCESSOR_NUMBER CurrentIdealProcessor; 330 | ULONG IdealProcessorValue; 331 | struct 332 | { 333 | UCHAR ReservedPad0; 334 | UCHAR ReservedPad1; 335 | UCHAR ReservedPad2; 336 | UCHAR IdealProcessor; 337 | }; 338 | }; 339 | 340 | ULONG GuaranteedStackBytes; 341 | PVOID ReservedForPerf; 342 | PVOID ReservedForOle; 343 | ULONG WaitingOnLoaderLock; 344 | PVOID SavedPriorityState; 345 | ULONG_PTR ReservedForCodeCoverage; 346 | PVOID ThreadPoolData; 347 | PVOID *TlsExpansionSlots; 348 | #ifdef _WIN64 349 | PVOID DeallocationBStore; 350 | PVOID BStoreLimit; 351 | #endif 352 | ULONG MuiGeneration; 353 | ULONG IsImpersonating; 354 | PVOID NlsCache; 355 | PVOID pShimData; 356 | USHORT HeapVirtualAffinity; 357 | USHORT LowFragHeapDataSlot; 358 | HANDLE CurrentTransactionHandle; 359 | PTEB_ACTIVE_FRAME ActiveFrame; 360 | PVOID FlsData; 361 | 362 | PVOID PreferredLanguages; 363 | PVOID UserPrefLanguages; 364 | PVOID MergedPrefLanguages; 365 | ULONG MuiImpersonation; 366 | 367 | union 368 | { 369 | USHORT CrossTebFlags; 370 | USHORT SpareCrossTebBits : 16; 371 | }; 372 | 
union 373 | { 374 | USHORT SameTebFlags; 375 | struct 376 | { 377 | USHORT SafeThunkCall : 1; 378 | USHORT InDebugPrint : 1; 379 | USHORT HasFiberData : 1; 380 | USHORT SkipThreadAttach : 1; 381 | USHORT WerInShipAssertCode : 1; 382 | USHORT RanProcessInit : 1; 383 | USHORT ClonedThread : 1; 384 | USHORT SuppressDebugMsg : 1; 385 | USHORT DisableUserStackWalk : 1; 386 | USHORT RtlExceptionAttached : 1; 387 | USHORT InitialThread : 1; 388 | USHORT SessionAware : 1; 389 | USHORT LoadOwner : 1; 390 | USHORT LoaderWorker : 1; 391 | USHORT SkipLoaderInit : 1; 392 | USHORT SpareSameTebBits : 1; 393 | }; 394 | }; 395 | 396 | PVOID TxnScopeEnterCallback; 397 | PVOID TxnScopeExitCallback; 398 | PVOID TxnScopeContext; 399 | ULONG LockCount; 400 | LONG WowTebOffset; 401 | PVOID ResourceRetValue; 402 | PVOID ReservedForWdf; 403 | ULONGLONG ReservedForCrt; 404 | GUID EffectiveContainerId; 405 | } TEB, *PTEB; 406 | 407 | #endif 408 | -------------------------------------------------------------------------------- /include/ntpfapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTPFAPI_H 2 | #define _NTPFAPI_H 3 | 4 | // begin_private 5 | 6 | // Prefetch 7 | 8 | typedef enum _PF_BOOT_PHASE_ID 9 | { 10 | PfKernelInitPhase = 0, 11 | PfBootDriverInitPhase = 90, 12 | PfSystemDriverInitPhase = 120, 13 | PfSessionManagerInitPhase = 150, 14 | PfSMRegistryInitPhase = 180, 15 | PfVideoInitPhase = 210, 16 | PfPostVideoInitPhase = 240, 17 | PfBootAcceptedRegistryInitPhase = 270, 18 | PfUserShellReadyPhase = 300, 19 | PfMaxBootPhaseId = 900 20 | } PF_BOOT_PHASE_ID; 21 | 22 | typedef enum _PF_ENABLE_STATUS 23 | { 24 | PfSvNotSpecified, 25 | PfSvEnabled, 26 | PfSvDisabled, 27 | PfSvMaxEnableStatus 28 | } PF_ENABLE_STATUS; 29 | 30 | typedef struct _PF_TRACE_LIMITS 31 | { 32 | ULONG MaxNumPages; 33 | ULONG MaxNumSections; 34 | LONGLONG TimerPeriod; 35 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; 36 | 37 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS 
38 | { 39 | PF_ENABLE_STATUS EnableStatus[2]; 40 | PF_TRACE_LIMITS TraceLimits[2]; 41 | ULONG MaxNumActiveTraces; 42 | ULONG MaxNumSavedTraces; 43 | WCHAR RootDirPath[32]; 44 | WCHAR HostingApplicationList[128]; 45 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; 46 | 47 | #define PF_BOOT_CONTROL_VERSION 1 48 | 49 | typedef struct _PF_BOOT_CONTROL 50 | { 51 | ULONG Version; 52 | ULONG DisableBootPrefetching; 53 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; 54 | 55 | typedef enum _PREFETCHER_INFORMATION_CLASS 56 | { 57 | PrefetcherRetrieveTrace = 1, // q: CHAR[] 58 | PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS 59 | PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID 60 | PrefetcherRetrieveBootLoaderTrace, // q: CHAR[] 61 | PrefetcherBootControl // s: PF_BOOT_CONTROL 62 | } PREFETCHER_INFORMATION_CLASS; 63 | 64 | #define PREFETCHER_INFORMATION_VERSION 23 // rev 65 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev 66 | 67 | typedef struct _PREFETCHER_INFORMATION 68 | { 69 | ULONG Version; 70 | ULONG Magic; 71 | PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; 72 | PVOID PrefetcherInformation; 73 | ULONG PrefetcherInformationLength; 74 | } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; 75 | 76 | // Superfetch 77 | 78 | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS 79 | { 80 | ULONG EnabledComponents; 81 | ULONG BootID; 82 | ULONG SavedSectInfoTracesMax; 83 | ULONG SavedPageAccessTracesMax; 84 | ULONG ScenarioPrefetchTimeoutStandby; 85 | ULONG ScenarioPrefetchTimeoutHibernate; 86 | } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; 87 | 88 | #define PF_PFN_PRIO_REQUEST_VERSION 1 89 | #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 90 | #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 91 | 92 | typedef struct _PF_PFN_PRIO_REQUEST 93 | { 94 | ULONG Version; 95 | ULONG RequestFlags; 96 | ULONG_PTR PfnCount; 97 | SYSTEM_MEMORY_LIST_INFORMATION MemInfo; 98 | MMPFN_IDENTITY PageData[256]; 99 | } PF_PFN_PRIO_REQUEST, 
*PPF_PFN_PRIO_REQUEST; 100 | 101 | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE 102 | { 103 | PfsPrivateSourceKernel, 104 | PfsPrivateSourceSession, 105 | PfsPrivateSourceProcess, 106 | PfsPrivateSourceMax 107 | } PFS_PRIVATE_PAGE_SOURCE_TYPE; 108 | 109 | typedef struct _PFS_PRIVATE_PAGE_SOURCE 110 | { 111 | PFS_PRIVATE_PAGE_SOURCE_TYPE Type; 112 | union 113 | { 114 | ULONG SessionId; 115 | ULONG ProcessId; 116 | }; 117 | ULONG ImagePathHash; 118 | ULONG_PTR UniqueProcessHash; 119 | } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; 120 | 121 | typedef struct _PF_PRIVSOURCE_INFO 122 | { 123 | PFS_PRIVATE_PAGE_SOURCE DbInfo; 124 | PVOID EProcess; 125 | SIZE_T WsPrivatePages; 126 | SIZE_T TotalPrivatePages; 127 | ULONG SessionID; 128 | CHAR ImageName[16]; 129 | union { 130 | ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. 131 | ULONG_PTR SessionPagedPoolPages; // session only. 132 | ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. 133 | }; 134 | ULONG_PTR WsTotalPages; // process/session only. 135 | ULONG DeepFreezeTimeMs; // process only. 136 | ULONG ModernApp : 1; // process only. 137 | ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred 138 | ULONG Foreground : 1; // process only. 139 | ULONG PerProcessStore : 1; // process only. 
140 | ULONG Spare : 28; 141 | } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; 142 | 143 | #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 3 144 | 145 | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST 146 | { 147 | ULONG Version; 148 | ULONG Flags; 149 | ULONG InfoCount; 150 | PF_PRIVSOURCE_INFO InfoArray[1]; 151 | } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; 152 | 153 | typedef enum _PF_PHASED_SCENARIO_TYPE 154 | { 155 | PfScenarioTypeNone, 156 | PfScenarioTypeStandby, 157 | PfScenarioTypeHibernate, 158 | PfScenarioTypeFUS, 159 | PfScenarioTypeMax 160 | } PF_PHASED_SCENARIO_TYPE; 161 | 162 | #define PF_SCENARIO_PHASE_INFO_VERSION 4 163 | 164 | typedef struct _PF_SCENARIO_PHASE_INFO 165 | { 166 | ULONG Version; 167 | PF_PHASED_SCENARIO_TYPE ScenType; 168 | ULONG PhaseId; 169 | ULONG SequenceNumber; 170 | ULONG Flags; 171 | ULONG FUSUserId; 172 | } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; 173 | 174 | typedef struct _PF_MEMORY_LIST_NODE 175 | { 176 | ULONGLONG Node : 8; 177 | ULONGLONG Spare : 56; 178 | ULONGLONG StandbyLowPageCount; 179 | ULONGLONG StandbyMediumPageCount; 180 | ULONGLONG StandbyHighPageCount; 181 | ULONGLONG FreePageCount; 182 | ULONGLONG ModifiedPageCount; 183 | } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; 184 | 185 | #define PF_MEMORY_LIST_INFO_VERSION 1 186 | 187 | typedef struct _PF_MEMORY_LIST_INFO 188 | { 189 | ULONG Version; 190 | ULONG Size; 191 | ULONG NodeCount; 192 | PF_MEMORY_LIST_NODE Nodes[1]; 193 | } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO; 194 | 195 | typedef struct _PF_PHYSICAL_MEMORY_RANGE 196 | { 197 | ULONG_PTR BasePfn; 198 | ULONG_PTR PageCount; 199 | } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; 200 | 201 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_VERSION 1 202 | 203 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO 204 | { 205 | ULONG Version; 206 | ULONG RangeCount; 207 | PF_PHYSICAL_MEMORY_RANGE Ranges[1]; 208 | } PF_PHYSICAL_MEMORY_RANGE_INFO, *PPF_PHYSICAL_MEMORY_RANGE_INFO; 209 | 210 | // begin_rev 
211 | 212 | #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 213 | 214 | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO 215 | { 216 | ULONG Version; 217 | ULONG RepurposedByPrefetch; 218 | } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; 219 | 220 | // end_rev 221 | 222 | typedef enum _SUPERFETCH_INFORMATION_CLASS 223 | { 224 | SuperfetchRetrieveTrace = 1, // q: CHAR[] 225 | SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS 226 | SuperfetchLogEvent, 227 | SuperfetchGenerateTrace, 228 | SuperfetchPrefetch, 229 | SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST 230 | SuperfetchPfnSetPriority, 231 | SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST 232 | SuperfetchSequenceNumberQuery, // q: ULONG 233 | SuperfetchScenarioPhase, // 10 234 | SuperfetchWorkerPriority, 235 | SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO 236 | SuperfetchScenarioPrefetch, 237 | SuperfetchRobustnessControl, 238 | SuperfetchTimeControl, 239 | SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO 240 | SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO 241 | SuperfetchTracingControl, 242 | SuperfetchTrimWhileAgingControl, 243 | SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev 244 | SuperfetchInformationMax 245 | } SUPERFETCH_INFORMATION_CLASS; 246 | 247 | #define SUPERFETCH_INFORMATION_VERSION 45 // rev 248 | #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev 249 | 250 | typedef struct _SUPERFETCH_INFORMATION 251 | { 252 | _In_ ULONG Version; 253 | _In_ ULONG Magic; 254 | _In_ SUPERFETCH_INFORMATION_CLASS InfoClass; 255 | _Inout_ PVOID Data; 256 | _Inout_ ULONG Length; 257 | } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; 258 | 259 | // end_private 260 | 261 | #endif 262 | -------------------------------------------------------------------------------- /include/ntpnpapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTPNPAPI_H 2 | #define _NTPNPAPI_H 
3 | 4 | typedef enum _PLUGPLAY_EVENT_CATEGORY 5 | { 6 | HardwareProfileChangeEvent, 7 | TargetDeviceChangeEvent, 8 | DeviceClassChangeEvent, 9 | CustomDeviceEvent, 10 | DeviceInstallEvent, 11 | DeviceArrivalEvent, 12 | PowerEvent, 13 | VetoEvent, 14 | BlockedDriverEvent, 15 | InvalidIDEvent, 16 | MaxPlugEventCategory 17 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 18 | 19 | typedef struct _PLUGPLAY_EVENT_BLOCK 20 | { 21 | GUID EventGuid; 22 | PLUGPLAY_EVENT_CATEGORY EventCategory; 23 | PULONG Result; 24 | ULONG Flags; 25 | ULONG TotalSize; 26 | PVOID DeviceObject; 27 | 28 | union 29 | { 30 | struct 31 | { 32 | GUID ClassGuid; 33 | WCHAR SymbolicLinkName[1]; 34 | } DeviceClass; 35 | struct 36 | { 37 | WCHAR DeviceIds[1]; 38 | } TargetDevice; 39 | struct 40 | { 41 | WCHAR DeviceId[1]; 42 | } InstallDevice; 43 | struct 44 | { 45 | PVOID NotificationStructure; 46 | WCHAR DeviceIds[1]; 47 | } CustomNotification; 48 | struct 49 | { 50 | PVOID Notification; 51 | } ProfileNotification; 52 | struct 53 | { 54 | ULONG NotificationCode; 55 | ULONG NotificationData; 56 | } PowerNotification; 57 | struct 58 | { 59 | PNP_VETO_TYPE VetoType; 60 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 61 | } VetoNotification; 62 | struct 63 | { 64 | GUID BlockedDriverGuid; 65 | } BlockedDriverNotification; 66 | struct 67 | { 68 | WCHAR ParentId[1]; 69 | } InvalidIDNotification; 70 | } u; 71 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 72 | 73 | typedef enum _PLUGPLAY_CONTROL_CLASS 74 | { 75 | PlugPlayControlEnumerateDevice, 76 | PlugPlayControlRegisterNewDevice, 77 | PlugPlayControlDeregisterDevice, 78 | PlugPlayControlInitializeDevice, 79 | PlugPlayControlStartDevice, 80 | PlugPlayControlUnlockDevice, 81 | PlugPlayControlQueryAndRemoveDevice, 82 | PlugPlayControlUserResponse, 83 | PlugPlayControlGenerateLegacyDevice, 84 | PlugPlayControlGetInterfaceDeviceList, 85 | PlugPlayControlProperty, 86 | PlugPlayControlDeviceClassAssociation, 87 | 
PlugPlayControlGetRelatedDevice, 88 | PlugPlayControlGetInterfaceDeviceAlias, 89 | PlugPlayControlDeviceStatus, 90 | PlugPlayControlGetDeviceDepth, 91 | PlugPlayControlQueryDeviceRelations, 92 | PlugPlayControlTargetDeviceRelation, 93 | PlugPlayControlQueryConflictList, 94 | PlugPlayControlRetrieveDock, 95 | PlugPlayControlResetDevice, 96 | PlugPlayControlHaltDevice, 97 | PlugPlayControlGetBlockedDriverList, 98 | PlugPlayControlGetDeviceInterfaceEnabled, 99 | MaxPlugPlayControl 100 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 101 | 102 | #if (NTDLL_VERSION < NTDLL_WIN8) 103 | NTSYSCALLAPI 104 | NTSTATUS 105 | NTAPI 106 | NtGetPlugPlayEvent( 107 | _In_ HANDLE EventHandle, 108 | _In_opt_ PVOID Context, 109 | _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, 110 | _In_ ULONG EventBufferSize 111 | ); 112 | #endif 113 | 114 | NTSYSCALLAPI 115 | NTSTATUS 116 | NTAPI 117 | NtPlugPlayControl( 118 | _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, 119 | _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, 120 | _In_ ULONG PnPControlDataLength 121 | ); 122 | 123 | #if (NTDLL_VERSION >= NTDLL_WIN7) 124 | 125 | NTSYSCALLAPI 126 | NTSTATUS 127 | NTAPI 128 | NtSerializeBoot( 129 | VOID 130 | ); 131 | 132 | NTSYSCALLAPI 133 | NTSTATUS 134 | NTAPI 135 | NtEnableLastKnownGood( 136 | VOID 137 | ); 138 | 139 | NTSYSCALLAPI 140 | NTSTATUS 141 | NTAPI 142 | NtDisableLastKnownGood( 143 | VOID 144 | ); 145 | 146 | #endif 147 | 148 | #if (NTDLL_VERSION >= NTDLL_VISTA) 149 | NTSYSCALLAPI 150 | NTSTATUS 151 | NTAPI 152 | NtReplacePartitionUnit( 153 | _In_ PUNICODE_STRING TargetInstancePath, 154 | _In_ PUNICODE_STRING SpareInstancePath, 155 | _In_ ULONG Flags 156 | ); 157 | #endif 158 | 159 | #endif 160 | -------------------------------------------------------------------------------- /include/ntpoapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTPOAPI_H 2 | #define _NTPOAPI_H 3 | 4 | typedef union 
_POWER_STATE 5 | { 6 | SYSTEM_POWER_STATE SystemState; 7 | DEVICE_POWER_STATE DeviceState; 8 | } POWER_STATE, *PPOWER_STATE; 9 | 10 | typedef enum _POWER_STATE_TYPE 11 | { 12 | SystemPowerState = 0, 13 | DevicePowerState 14 | } POWER_STATE_TYPE, *PPOWER_STATE_TYPE; 15 | 16 | #if (NTDLL_VERSION >= NTDLL_VISTA) 17 | // wdm 18 | typedef struct _SYSTEM_POWER_STATE_CONTEXT 19 | { 20 | union 21 | { 22 | struct 23 | { 24 | ULONG Reserved1 : 8; 25 | ULONG TargetSystemState : 4; 26 | ULONG EffectiveSystemState : 4; 27 | ULONG CurrentSystemState : 4; 28 | ULONG IgnoreHibernationPath : 1; 29 | ULONG PseudoTransition : 1; 30 | ULONG Reserved2 : 10; 31 | }; 32 | ULONG ContextAsUlong; 33 | }; 34 | } SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT; 35 | #endif 36 | 37 | #if (NTDLL_VERSION >= NTDLL_WIN7) 38 | /** \cond NEVER */ // disable doxygen warning 39 | // wdm 40 | typedef struct _COUNTED_REASON_CONTEXT 41 | { 42 | ULONG Version; 43 | ULONG Flags; 44 | union 45 | { 46 | struct 47 | { 48 | UNICODE_STRING ResourceFileName; 49 | USHORT ResourceReasonId; 50 | ULONG StringCount; 51 | PUNICODE_STRING _Field_size_(StringCount) ReasonStrings; 52 | }; 53 | UNICODE_STRING SimpleString; 54 | }; 55 | } COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT; 56 | /** \endcond */ 57 | #endif 58 | 59 | typedef enum 60 | { 61 | PowerStateSleeping1 = 0, 62 | PowerStateSleeping2 = 1, 63 | PowerStateSleeping3 = 2, 64 | PowerStateSleeping4 = 3, 65 | PowerStateShutdownOff = 4, 66 | PowerStateShutdownReset = 5, 67 | PowerStateSleeping4Firmware = 6, 68 | PowerStateMaximum = 7 69 | } POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE; 70 | 71 | typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)( 72 | _In_ PVOID SystemContext 73 | ); 74 | 75 | typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)( 76 | _In_ PVOID Context, 77 | _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler, 78 | _In_ PVOID SystemContext, 79 | _In_ LONG NumberProcessors, 80 | _In_ volatile PLONG Number 81 | ); 82 | 83 | typedef 
struct _POWER_STATE_HANDLER 84 | { 85 | POWER_STATE_HANDLER_TYPE Type; 86 | BOOLEAN RtcWake; 87 | UCHAR Spare[3]; 88 | PENTER_STATE_HANDLER Handler; 89 | PVOID Context; 90 | } POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER; 91 | 92 | typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)( 93 | _In_ POWER_STATE_HANDLER_TYPE State, 94 | _In_ PVOID Context, 95 | _In_ BOOLEAN Entering 96 | ); 97 | 98 | typedef struct _POWER_STATE_NOTIFY_HANDLER 99 | { 100 | PENTER_STATE_NOTIFY_HANDLER Handler; 101 | PVOID Context; 102 | } POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER; 103 | 104 | typedef struct _PROCESSOR_POWER_INFORMATION 105 | { 106 | ULONG Number; 107 | ULONG MaxMhz; 108 | ULONG CurrentMhz; 109 | ULONG MhzLimit; 110 | ULONG MaxIdleState; 111 | ULONG CurrentIdleState; 112 | } PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION; 113 | 114 | typedef struct _SYSTEM_POWER_INFORMATION 115 | { 116 | ULONG MaxIdlenessAllowed; 117 | ULONG Idleness; 118 | ULONG TimeRemaining; 119 | UCHAR CoolingMode; 120 | } SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION; 121 | 122 | NTSYSCALLAPI 123 | NTSTATUS 124 | NTAPI 125 | NtPowerInformation( 126 | _In_ POWER_INFORMATION_LEVEL InformationLevel, 127 | _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 128 | _In_ ULONG InputBufferLength, 129 | _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, 130 | _In_ ULONG OutputBufferLength 131 | ); 132 | 133 | NTSYSCALLAPI 134 | NTSTATUS 135 | NTAPI 136 | NtSetThreadExecutionState( 137 | _In_ EXECUTION_STATE NewFlags, // ES_* flags 138 | _Out_ EXECUTION_STATE *PreviousFlags 139 | ); 140 | 141 | NTSYSCALLAPI 142 | NTSTATUS 143 | NTAPI 144 | NtRequestWakeupLatency( 145 | _In_ LATENCY_TIME latency 146 | ); 147 | 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtInitiatePowerAction( 152 | _In_ POWER_ACTION SystemAction, 153 | _In_ SYSTEM_POWER_STATE LightestSystemState, 154 | _In_ ULONG Flags, // POWER_ACTION_* flags 155 | _In_ BOOLEAN Asynchronous 156 | ); 157 
| 158 | NTSYSCALLAPI 159 | NTSTATUS 160 | NTAPI 161 | NtSetSystemPowerState( 162 | _In_ POWER_ACTION SystemAction, 163 | _In_ SYSTEM_POWER_STATE LightestSystemState, 164 | _In_ ULONG Flags // POWER_ACTION_* flags 165 | ); 166 | 167 | NTSYSCALLAPI 168 | NTSTATUS 169 | NTAPI 170 | NtGetDevicePowerState( 171 | _In_ HANDLE Device, 172 | _Out_ PDEVICE_POWER_STATE State 173 | ); 174 | 175 | NTSYSCALLAPI 176 | BOOLEAN 177 | NTAPI 178 | NtIsSystemResumeAutomatic( 179 | VOID 180 | ); 181 | 182 | #endif 183 | -------------------------------------------------------------------------------- /include/ntregapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTREGAPI_H 2 | #define _NTREGAPI_H 3 | 4 | // Boot condition flags (NtInitializeRegistry) 5 | 6 | #define REG_INIT_BOOT_SM 0x0000 7 | #define REG_INIT_BOOT_SETUP 0x0001 8 | #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 9 | #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 10 | 11 | #define REG_MAX_KEY_VALUE_NAME_LENGTH 32767 12 | #define REG_MAX_KEY_NAME_LENGTH 512 13 | 14 | typedef enum _KEY_INFORMATION_CLASS 15 | { 16 | KeyBasicInformation, // KEY_BASIC_INFORMATION 17 | KeyNodeInformation, // KEY_NODE_INFORMATION 18 | KeyFullInformation, // KEY_FULL_INFORMATION 19 | KeyNameInformation, // KEY_NAME_INFORMATION 20 | KeyCachedInformation, // KEY_CACHED_INFORMATION 21 | KeyFlagsInformation, // KEY_FLAGS_INFORMATION 22 | KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION 23 | KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 24 | KeyTrustInformation, // KEY_TRUST_INFORMATION 25 | KeyLayerInformation, // KEY_LAYER_INFORMATION 26 | MaxKeyInfoClass 27 | } KEY_INFORMATION_CLASS; 28 | 29 | typedef struct _KEY_BASIC_INFORMATION 30 | { 31 | LARGE_INTEGER LastWriteTime; 32 | ULONG TitleIndex; 33 | ULONG NameLength; 34 | WCHAR Name[1]; 35 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 36 | 37 | typedef struct _KEY_NODE_INFORMATION 38 | { 39 | 
LARGE_INTEGER LastWriteTime; 40 | ULONG TitleIndex; 41 | ULONG ClassOffset; 42 | ULONG ClassLength; 43 | ULONG NameLength; 44 | WCHAR Name[1]; 45 | // ... 46 | // WCHAR Class[1]; 47 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 48 | 49 | typedef struct _KEY_FULL_INFORMATION 50 | { 51 | LARGE_INTEGER LastWriteTime; 52 | ULONG TitleIndex; 53 | ULONG ClassOffset; 54 | ULONG ClassLength; 55 | ULONG SubKeys; 56 | ULONG MaxNameLen; 57 | ULONG MaxClassLen; 58 | ULONG Values; 59 | ULONG MaxValueNameLen; 60 | ULONG MaxValueDataLen; 61 | WCHAR Class[1]; 62 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 63 | 64 | typedef struct _KEY_NAME_INFORMATION 65 | { 66 | ULONG NameLength; 67 | WCHAR Name[1]; 68 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 69 | 70 | typedef struct _KEY_CACHED_INFORMATION 71 | { 72 | LARGE_INTEGER LastWriteTime; 73 | ULONG TitleIndex; 74 | ULONG SubKeys; 75 | ULONG MaxNameLen; 76 | ULONG Values; 77 | ULONG MaxValueNameLen; 78 | ULONG MaxValueDataLen; 79 | ULONG NameLength; 80 | WCHAR Name[1]; 81 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 82 | 83 | typedef struct _KEY_FLAGS_INFORMATION 84 | { 85 | ULONG UserFlags; 86 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 87 | 88 | typedef struct _KEY_VIRTUALIZATION_INFORMATION 89 | { 90 | ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). 91 | ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1. 92 | ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. 93 | ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles. 94 | ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. 
95 | ULONG Reserved : 27; 96 | } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; 97 | 98 | // private 99 | typedef struct _KEY_TRUST_INFORMATION 100 | { 101 | ULONG TrustedKey : 1; 102 | ULONG Reserved : 31; 103 | } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; 104 | 105 | // private 106 | typedef struct _KEY_LAYER_INFORMATION 107 | { 108 | ULONG IsTombstone; 109 | ULONG IsSupersedeLocal; 110 | ULONG IsSupersedeTree; 111 | ULONG ClassIsInherited; 112 | ULONG Reserved; 113 | } KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION; 114 | 115 | typedef enum _KEY_SET_INFORMATION_CLASS 116 | { 117 | KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION 118 | KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION 119 | KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION 120 | KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION 121 | KeySetDebugInformation, 122 | KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 123 | KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION 124 | MaxKeySetInfoClass 125 | } KEY_SET_INFORMATION_CLASS; 126 | 127 | typedef struct _KEY_WRITE_TIME_INFORMATION 128 | { 129 | LARGE_INTEGER LastWriteTime; 130 | } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; 131 | 132 | typedef struct _KEY_WOW64_FLAGS_INFORMATION 133 | { 134 | ULONG UserFlags; 135 | } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; 136 | 137 | typedef struct _KEY_HANDLE_TAGS_INFORMATION 138 | { 139 | ULONG HandleTags; 140 | } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION; 141 | 142 | typedef struct _KEY_SET_LAYER_INFORMATION 143 | { 144 | ULONG IsTombstone : 1; 145 | ULONG IsSupersedeLocal : 1; 146 | ULONG IsSupersedeTree : 1; 147 | ULONG ClassIsInherited : 1; 148 | ULONG Reserved : 28; 149 | } KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION; 150 | 151 | typedef struct _KEY_CONTROL_FLAGS_INFORMATION 152 | { 153 | ULONG ControlFlags; 154 | } KEY_CONTROL_FLAGS_INFORMATION, 
*PKEY_CONTROL_FLAGS_INFORMATION; 155 | 156 | typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION 157 | { 158 | ULONG VirtualTarget : 1; 159 | ULONG VirtualStore : 1; 160 | ULONG VirtualSource : 1; // true if key has been virtualized at least once 161 | ULONG Reserved : 29; 162 | } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION; 163 | 164 | typedef enum _KEY_VALUE_INFORMATION_CLASS 165 | { 166 | KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION 167 | KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION 168 | KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION 169 | KeyValueFullInformationAlign64, 170 | KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 171 | KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION 172 | MaxKeyValueInfoClass 173 | } KEY_VALUE_INFORMATION_CLASS; 174 | 175 | typedef struct _KEY_VALUE_BASIC_INFORMATION 176 | { 177 | ULONG TitleIndex; 178 | ULONG Type; 179 | ULONG NameLength; 180 | WCHAR Name[1]; 181 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 182 | 183 | typedef struct _KEY_VALUE_FULL_INFORMATION 184 | { 185 | ULONG TitleIndex; 186 | ULONG Type; 187 | ULONG DataOffset; 188 | ULONG DataLength; 189 | ULONG NameLength; 190 | WCHAR Name[1]; 191 | // ... 
192 | // UCHAR Data[1]; 193 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 194 | 195 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION 196 | { 197 | ULONG TitleIndex; 198 | ULONG Type; 199 | ULONG DataLength; 200 | UCHAR Data[1]; 201 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 202 | 203 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 204 | { 205 | ULONG Type; 206 | ULONG DataLength; 207 | UCHAR Data[1]; 208 | } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; 209 | 210 | // private 211 | typedef struct _KEY_VALUE_LAYER_INFORMATION 212 | { 213 | ULONG IsTombstone; 214 | ULONG Reserved; 215 | } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; 216 | 217 | typedef struct _KEY_VALUE_ENTRY 218 | { 219 | PUNICODE_STRING ValueName; 220 | ULONG DataLength; 221 | ULONG DataOffset; 222 | ULONG Type; 223 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 224 | 225 | typedef enum _REG_ACTION 226 | { 227 | KeyAdded, 228 | KeyRemoved, 229 | KeyModified 230 | } REG_ACTION; 231 | 232 | typedef struct _REG_NOTIFY_INFORMATION 233 | { 234 | ULONG NextEntryOffset; 235 | REG_ACTION Action; 236 | ULONG KeyLength; 237 | WCHAR Key[1]; 238 | } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION; 239 | 240 | typedef struct _KEY_PID_ARRAY 241 | { 242 | HANDLE PID; 243 | UNICODE_STRING KeyName; 244 | } KEY_PID_ARRAY, *PKEY_PID_ARRAY; 245 | 246 | typedef struct _KEY_OPEN_SUBKEYS_INFORMATION 247 | { 248 | ULONG Count; 249 | KEY_PID_ARRAY KeyArray[1]; 250 | } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; 251 | 252 | // System calls 253 | 254 | NTSYSCALLAPI 255 | NTSTATUS 256 | NTAPI 257 | NtCreateKey( 258 | _Out_ PHANDLE KeyHandle, 259 | _In_ ACCESS_MASK DesiredAccess, 260 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 261 | _Reserved_ ULONG TitleIndex, 262 | _In_opt_ PUNICODE_STRING Class, 263 | _In_ ULONG CreateOptions, 264 | _Out_opt_ PULONG Disposition 265 | ); 266 | 267 | #if (NTDLL_VERSION >= NTDLL_VISTA) 
268 | NTSYSCALLAPI 269 | NTSTATUS 270 | NTAPI 271 | NtCreateKeyTransacted( 272 | _Out_ PHANDLE KeyHandle, 273 | _In_ ACCESS_MASK DesiredAccess, 274 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 275 | _Reserved_ ULONG TitleIndex, 276 | _In_opt_ PUNICODE_STRING Class, 277 | _In_ ULONG CreateOptions, 278 | _In_ HANDLE TransactionHandle, 279 | _Out_opt_ PULONG Disposition 280 | ); 281 | #endif 282 | 283 | NTSYSCALLAPI 284 | NTSTATUS 285 | NTAPI 286 | NtOpenKey( 287 | _Out_ PHANDLE KeyHandle, 288 | _In_ ACCESS_MASK DesiredAccess, 289 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 290 | ); 291 | 292 | #if (NTDLL_VERSION >= NTDLL_VISTA) 293 | NTSYSCALLAPI 294 | NTSTATUS 295 | NTAPI 296 | NtOpenKeyTransacted( 297 | _Out_ PHANDLE KeyHandle, 298 | _In_ ACCESS_MASK DesiredAccess, 299 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 300 | _In_ HANDLE TransactionHandle 301 | ); 302 | #endif 303 | 304 | #if (NTDLL_VERSION >= NTDLL_WIN7) 305 | NTSYSCALLAPI 306 | NTSTATUS 307 | NTAPI 308 | NtOpenKeyEx( 309 | _Out_ PHANDLE KeyHandle, 310 | _In_ ACCESS_MASK DesiredAccess, 311 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 312 | _In_ ULONG OpenOptions 313 | ); 314 | #endif 315 | 316 | #if (NTDLL_VERSION >= NTDLL_WIN7) 317 | NTSYSCALLAPI 318 | NTSTATUS 319 | NTAPI 320 | NtOpenKeyTransactedEx( 321 | _Out_ PHANDLE KeyHandle, 322 | _In_ ACCESS_MASK DesiredAccess, 323 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 324 | _In_ ULONG OpenOptions, 325 | _In_ HANDLE TransactionHandle 326 | ); 327 | #endif 328 | 329 | NTSYSCALLAPI 330 | NTSTATUS 331 | NTAPI 332 | NtDeleteKey( 333 | _In_ HANDLE KeyHandle 334 | ); 335 | 336 | NTSYSCALLAPI 337 | NTSTATUS 338 | NTAPI 339 | NtRenameKey( 340 | _In_ HANDLE KeyHandle, 341 | _In_ PUNICODE_STRING NewName 342 | ); 343 | 344 | NTSYSCALLAPI 345 | NTSTATUS 346 | NTAPI 347 | NtDeleteValueKey( 348 | _In_ HANDLE KeyHandle, 349 | _In_ PUNICODE_STRING ValueName 350 | ); 351 | 352 | NTSYSCALLAPI 353 | NTSTATUS 354 | NTAPI 355 | NtQueryKey( 356 | _In_ HANDLE KeyHandle, 357 | _In_ 
KEY_INFORMATION_CLASS KeyInformationClass, 358 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 359 | _In_ ULONG Length, 360 | _Out_ PULONG ResultLength 361 | ); 362 | 363 | NTSYSCALLAPI 364 | NTSTATUS 365 | NTAPI 366 | NtSetInformationKey( 367 | _In_ HANDLE KeyHandle, 368 | _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, 369 | _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, 370 | _In_ ULONG KeySetInformationLength 371 | ); 372 | 373 | NTSYSCALLAPI 374 | NTSTATUS 375 | NTAPI 376 | NtQueryValueKey( 377 | _In_ HANDLE KeyHandle, 378 | _In_ PUNICODE_STRING ValueName, 379 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 380 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 381 | _In_ ULONG Length, 382 | _Out_ PULONG ResultLength 383 | ); 384 | 385 | NTSYSCALLAPI 386 | NTSTATUS 387 | NTAPI 388 | NtSetValueKey( 389 | _In_ HANDLE KeyHandle, 390 | _In_ PUNICODE_STRING ValueName, 391 | _In_opt_ ULONG TitleIndex, 392 | _In_ ULONG Type, 393 | _In_reads_bytes_opt_(DataSize) PVOID Data, 394 | _In_ ULONG DataSize 395 | ); 396 | 397 | NTSYSCALLAPI 398 | NTSTATUS 399 | NTAPI 400 | NtQueryMultipleValueKey( 401 | _In_ HANDLE KeyHandle, 402 | _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, 403 | _In_ ULONG EntryCount, 404 | _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, 405 | _Inout_ PULONG BufferLength, 406 | _Out_opt_ PULONG RequiredBufferLength 407 | ); 408 | 409 | NTSYSCALLAPI 410 | NTSTATUS 411 | NTAPI 412 | NtEnumerateKey( 413 | _In_ HANDLE KeyHandle, 414 | _In_ ULONG Index, 415 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 416 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 417 | _In_ ULONG Length, 418 | _Out_ PULONG ResultLength 419 | ); 420 | 421 | NTSYSCALLAPI 422 | NTSTATUS 423 | NTAPI 424 | NtEnumerateValueKey( 425 | _In_ HANDLE KeyHandle, 426 | _In_ ULONG Index, 427 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 428 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 
429 | _In_ ULONG Length, 430 | _Out_ PULONG ResultLength 431 | ); 432 | 433 | NTSYSCALLAPI 434 | NTSTATUS 435 | NTAPI 436 | NtFlushKey( 437 | _In_ HANDLE KeyHandle 438 | ); 439 | 440 | NTSYSCALLAPI 441 | NTSTATUS 442 | NTAPI 443 | NtCompactKeys( 444 | _In_ ULONG Count, 445 | _In_reads_(Count) HANDLE KeyArray[] 446 | ); 447 | 448 | NTSYSCALLAPI 449 | NTSTATUS 450 | NTAPI 451 | NtCompressKey( 452 | _In_ HANDLE Key 453 | ); 454 | 455 | NTSYSCALLAPI 456 | NTSTATUS 457 | NTAPI 458 | NtLoadKey( 459 | _In_ POBJECT_ATTRIBUTES TargetKey, 460 | _In_ POBJECT_ATTRIBUTES SourceFile 461 | ); 462 | 463 | NTSYSCALLAPI 464 | NTSTATUS 465 | NTAPI 466 | NtLoadKey2( 467 | _In_ POBJECT_ATTRIBUTES TargetKey, 468 | _In_ POBJECT_ATTRIBUTES SourceFile, 469 | _In_ ULONG Flags 470 | ); 471 | 472 | NTSYSCALLAPI 473 | NTSTATUS 474 | NTAPI 475 | NtLoadKeyEx( 476 | _In_ POBJECT_ATTRIBUTES TargetKey, 477 | _In_ POBJECT_ATTRIBUTES SourceFile, 478 | _In_ ULONG Flags, 479 | _In_opt_ HANDLE TrustClassKey, 480 | _In_opt_ HANDLE Event, 481 | _In_opt_ ACCESS_MASK DesiredAccess, 482 | _Out_opt_ PHANDLE RootHandle, 483 | _Out_opt_ PIO_STATUS_BLOCK IoStatus 484 | ); 485 | 486 | NTSYSCALLAPI 487 | NTSTATUS 488 | NTAPI 489 | NtReplaceKey( 490 | _In_ POBJECT_ATTRIBUTES NewFile, 491 | _In_ HANDLE TargetHandle, 492 | _In_ POBJECT_ATTRIBUTES OldFile 493 | ); 494 | 495 | NTSYSCALLAPI 496 | NTSTATUS 497 | NTAPI 498 | NtSaveKey( 499 | _In_ HANDLE KeyHandle, 500 | _In_ HANDLE FileHandle 501 | ); 502 | 503 | NTSYSCALLAPI 504 | NTSTATUS 505 | NTAPI 506 | NtSaveKeyEx( 507 | _In_ HANDLE KeyHandle, 508 | _In_ HANDLE FileHandle, 509 | _In_ ULONG Format 510 | ); 511 | 512 | NTSYSCALLAPI 513 | NTSTATUS 514 | NTAPI 515 | NtSaveMergedKeys( 516 | _In_ HANDLE HighPrecedenceKeyHandle, 517 | _In_ HANDLE LowPrecedenceKeyHandle, 518 | _In_ HANDLE FileHandle 519 | ); 520 | 521 | NTSYSCALLAPI 522 | NTSTATUS 523 | NTAPI 524 | NtRestoreKey( 525 | _In_ HANDLE KeyHandle, 526 | _In_ HANDLE FileHandle, 527 | _In_ ULONG Flags 528 | ); 529 | 
530 | NTSYSCALLAPI 531 | NTSTATUS 532 | NTAPI 533 | NtUnloadKey( 534 | _In_ POBJECT_ATTRIBUTES TargetKey 535 | ); 536 | 537 | // 538 | // NtUnloadKey2 Flags (from winnt.h) 539 | // 540 | //#define REG_FORCE_UNLOAD 1 541 | //#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) 542 | 543 | NTSYSCALLAPI 544 | NTSTATUS 545 | NTAPI 546 | NtUnloadKey2( 547 | _In_ POBJECT_ATTRIBUTES TargetKey, 548 | _In_ ULONG Flags 549 | ); 550 | 551 | NTSYSCALLAPI 552 | NTSTATUS 553 | NTAPI 554 | NtUnloadKeyEx( 555 | _In_ POBJECT_ATTRIBUTES TargetKey, 556 | _In_opt_ HANDLE Event 557 | ); 558 | 559 | NTSYSCALLAPI 560 | NTSTATUS 561 | NTAPI 562 | NtNotifyChangeKey( 563 | _In_ HANDLE KeyHandle, 564 | _In_opt_ HANDLE Event, 565 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 566 | _In_opt_ PVOID ApcContext, 567 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 568 | _In_ ULONG CompletionFilter, 569 | _In_ BOOLEAN WatchTree, 570 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 571 | _In_ ULONG BufferSize, 572 | _In_ BOOLEAN Asynchronous 573 | ); 574 | 575 | NTSYSCALLAPI 576 | NTSTATUS 577 | NTAPI 578 | NtNotifyChangeMultipleKeys( 579 | _In_ HANDLE MasterKeyHandle, 580 | _In_opt_ ULONG Count, 581 | _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], 582 | _In_opt_ HANDLE Event, 583 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 584 | _In_opt_ PVOID ApcContext, 585 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 586 | _In_ ULONG CompletionFilter, 587 | _In_ BOOLEAN WatchTree, 588 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 589 | _In_ ULONG BufferSize, 590 | _In_ BOOLEAN Asynchronous 591 | ); 592 | 593 | NTSYSCALLAPI 594 | NTSTATUS 595 | NTAPI 596 | NtQueryOpenSubKeys( 597 | _In_ POBJECT_ATTRIBUTES TargetKey, 598 | _Out_ PULONG HandleCount 599 | ); 600 | 601 | NTSYSCALLAPI 602 | NTSTATUS 603 | NTAPI 604 | NtQueryOpenSubKeysEx( 605 | _In_ POBJECT_ATTRIBUTES TargetKey, 606 | _In_ ULONG BufferLength, 607 | _Out_writes_bytes_(BufferLength) PVOID Buffer, 608 | _Out_ PULONG RequiredSize 609 | ); 610 | 611 | 
NTSYSCALLAPI 612 | NTSTATUS 613 | NTAPI 614 | NtInitializeRegistry( 615 | _In_ USHORT BootCondition 616 | ); 617 | 618 | NTSYSCALLAPI 619 | NTSTATUS 620 | NTAPI 621 | NtLockRegistryKey( 622 | _In_ HANDLE KeyHandle 623 | ); 624 | 625 | NTSYSCALLAPI 626 | NTSTATUS 627 | NTAPI 628 | NtLockProductActivationKeys( 629 | _Inout_opt_ ULONG *pPrivateVer, 630 | _Out_opt_ ULONG *pSafeMode 631 | ); 632 | 633 | #if (NTDLL_VERSION >= NTDLL_VISTA) 634 | // private 635 | NTSYSCALLAPI 636 | NTSTATUS 637 | NTAPI 638 | NtFreezeRegistry( 639 | _In_ ULONG TimeOutInSeconds 640 | ); 641 | #endif 642 | 643 | #if (NTDLL_VERSION >= NTDLL_VISTA) 644 | // private 645 | NTSYSCALLAPI 646 | NTSTATUS 647 | NTAPI 648 | NtThawRegistry( 649 | VOID 650 | ); 651 | #endif 652 | 653 | #endif 654 | -------------------------------------------------------------------------------- /include/ntseapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Process Hacker - 3 | * Authorization functions 4 | * 5 | * This file is part of Process Hacker. 6 | * 7 | * Process Hacker is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation, either version 3 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * Process Hacker is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with Process Hacker. If not, see . 
19 | */ 20 | 21 | #ifndef _NTSEAPI_H 22 | #define _NTSEAPI_H 23 | 24 | // Privileges 25 | 26 | #define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) 27 | #define SE_CREATE_TOKEN_PRIVILEGE (2L) 28 | #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) 29 | #define SE_LOCK_MEMORY_PRIVILEGE (4L) 30 | #define SE_INCREASE_QUOTA_PRIVILEGE (5L) 31 | 32 | #define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) 33 | #define SE_TCB_PRIVILEGE (7L) 34 | #define SE_SECURITY_PRIVILEGE (8L) 35 | #define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) 36 | #define SE_LOAD_DRIVER_PRIVILEGE (10L) 37 | #define SE_SYSTEM_PROFILE_PRIVILEGE (11L) 38 | #define SE_SYSTEMTIME_PRIVILEGE (12L) 39 | #define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) 40 | #define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) 41 | #define SE_CREATE_PAGEFILE_PRIVILEGE (15L) 42 | #define SE_CREATE_PERMANENT_PRIVILEGE (16L) 43 | #define SE_BACKUP_PRIVILEGE (17L) 44 | #define SE_RESTORE_PRIVILEGE (18L) 45 | #define SE_SHUTDOWN_PRIVILEGE (19L) 46 | #define SE_DEBUG_PRIVILEGE (20L) 47 | #define SE_AUDIT_PRIVILEGE (21L) 48 | #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) 49 | #define SE_CHANGE_NOTIFY_PRIVILEGE (23L) 50 | #define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) 51 | #define SE_UNDOCK_PRIVILEGE (25L) 52 | #define SE_SYNC_AGENT_PRIVILEGE (26L) 53 | #define SE_ENABLE_DELEGATION_PRIVILEGE (27L) 54 | #define SE_MANAGE_VOLUME_PRIVILEGE (28L) 55 | #define SE_IMPERSONATE_PRIVILEGE (29L) 56 | #define SE_CREATE_GLOBAL_PRIVILEGE (30L) 57 | #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) 58 | #define SE_RELABEL_PRIVILEGE (32L) 59 | #define SE_INC_WORKING_SET_PRIVILEGE (33L) 60 | #define SE_TIME_ZONE_PRIVILEGE (34L) 61 | #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) 62 | #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE 63 | 64 | // Authz 65 | 66 | // begin_rev 67 | 68 | // Types 69 | 70 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00 71 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01 72 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02 73 | #define 
TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10

// Flags

#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020

// Mask of every flag defined above; bits outside it (other than the
// CUSTOM_FLAGS range below) are not defined by this header.
#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
    TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
    TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
    TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
    TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
    TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
    TOKEN_SECURITY_ATTRIBUTE_MANDATORY)

// Upper 16 bits are reserved for caller-defined flags.
#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000

// end_rev

// private
// Value of a TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN (fully qualified binary name)
// attribute: a version number plus the name itself.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
{
    ULONG64 Version;
    UNICODE_STRING Name;
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;

// private
// Value of a TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING attribute: an opaque
// byte blob. pValue presumably points at ValueLength bytes — NOTE(review):
// the length is caller-supplied, so consumers should bound reads by it rather
// than trust any terminator.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
{
    PVOID pValue;
    ULONG ValueLength;
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;

// private
// One token security attribute (claim), version 1 layout.
//  Name       - attribute name.
//  ValueType  - presumably one of the TOKEN_SECURITY_ATTRIBUTE_TYPE_* values
//               above; it selects which Values member is meaningful.
//  Reserved   - padding/reserved, not interpreted here.
//  Flags      - TOKEN_SECURITY_ATTRIBUTE_* flags (see VALID_FLAGS above).
//  ValueCount - number of entries the selected Values pointer refers to
//               (inferred from the name — TODO confirm).
//  Values     - caller-supplied pointer to the value array; the union members
//               all alias the same storage.
// NOTE(review): this structure is passed in from user mode (see NtCreateTokenEx
// and NtAdjustTokenClaimsAndDeviceGroups below); any code that walks Values
// should validate ValueCount against the backing buffer first.
typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
{
    UNICODE_STRING Name;
    USHORT ValueType;
    USHORT Reserved;
    ULONG Flags;
    ULONG ValueCount;
    union
    {
        PLONG64 pInt64;
        PULONG64 pUint64;
        PUNICODE_STRING pString;
        PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
        PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
    } Values;
}
TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;

// rev
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
// rev
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1

// private
// Header for a set of token security attributes.
//  Version        - presumably TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1,
//                   which selects the Attribute union member.
//  Reserved       - not interpreted here.
//  AttributeCount - number of TOKEN_SECURITY_ATTRIBUTE_V1 entries that
//                   Attribute.pAttributeV1 points at (inferred — TODO confirm).
//  Attribute      - pointer to the attribute array; only the V1 member exists.
typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
{
    USHORT Version;
    USHORT Reserved;
    ULONG AttributeCount;
    union
    {
        PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
    } Attribute;
} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;

// rev
// Process trust level of a token, carried as a single SID.
typedef struct _TOKEN_PROCESS_TRUST_LEVEL
{
    PSID TrustLevelSid;
} TOKEN_PROCESS_TRUST_LEVEL, *PTOKEN_PROCESS_TRUST_LEVEL;

// Tokens

// Creates a brand-new token of kind TokenType from caller-supplied identity,
// group, privilege and DACL data. NOTE(review): token fabrication is normally
// reserved to holders of SE_CREATE_TOKEN_PRIVILEGE (defined above); calls from
// anything other than the authentication subsystem are worth auditing —
// confirm the exact check against the target OS build.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE TokenType,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PTOKEN_USER User,
    _In_ PTOKEN_GROUPS Groups,
    _In_ PTOKEN_PRIVILEGES Privileges,
    _In_opt_ PTOKEN_OWNER Owner,
    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
    _In_ PTOKEN_SOURCE TokenSource
    );

#if (NTDLL_VERSION >= NTDLL_WIN8)
// Derives a LowBox (AppContainer) token from ExistingTokenHandle, bound to
// PackageSid and to the CapabilityCount capabilities in Capabilities; Handles
// is an optional array of HandleCount handles. Windows 8 and later.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE *Handles
    );
#endif

#if (NTDLL_VERSION >= NTDLL_WIN8)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTokenEx( 198 | _Out_ PHANDLE TokenHandle, 199 | _In_ ACCESS_MASK DesiredAccess, 200 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 201 | _In_ TOKEN_TYPE TokenType, 202 | _In_ PLUID AuthenticationId, 203 | _In_ PLARGE_INTEGER ExpirationTime, 204 | _In_ PTOKEN_USER User, 205 | _In_ PTOKEN_GROUPS Groups, 206 | _In_ PTOKEN_PRIVILEGES Privileges, 207 | _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes, 208 | _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes, 209 | _In_opt_ PTOKEN_GROUPS DeviceGroups, 210 | _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy, 211 | _In_opt_ PTOKEN_OWNER Owner, 212 | _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, 213 | _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, 214 | _In_ PTOKEN_SOURCE TokenSource 215 | ); 216 | #endif 217 | 218 | NTSYSCALLAPI 219 | NTSTATUS 220 | NTAPI 221 | NtOpenProcessToken( 222 | _In_ HANDLE ProcessHandle, 223 | _In_ ACCESS_MASK DesiredAccess, 224 | _Out_ PHANDLE TokenHandle 225 | ); 226 | 227 | NTSYSCALLAPI 228 | NTSTATUS 229 | NTAPI 230 | NtOpenProcessTokenEx( 231 | _In_ HANDLE ProcessHandle, 232 | _In_ ACCESS_MASK DesiredAccess, 233 | _In_ ULONG HandleAttributes, 234 | _Out_ PHANDLE TokenHandle 235 | ); 236 | 237 | NTSYSCALLAPI 238 | NTSTATUS 239 | NTAPI 240 | NtOpenThreadToken( 241 | _In_ HANDLE ThreadHandle, 242 | _In_ ACCESS_MASK DesiredAccess, 243 | _In_ BOOLEAN OpenAsSelf, 244 | _Out_ PHANDLE TokenHandle 245 | ); 246 | 247 | NTSYSCALLAPI 248 | NTSTATUS 249 | NTAPI 250 | NtOpenThreadTokenEx( 251 | _In_ HANDLE ThreadHandle, 252 | _In_ ACCESS_MASK DesiredAccess, 253 | _In_ BOOLEAN OpenAsSelf, 254 | _In_ ULONG HandleAttributes, 255 | _Out_ PHANDLE TokenHandle 256 | ); 257 | 258 | NTSYSCALLAPI 259 | NTSTATUS 260 | NTAPI 261 | NtDuplicateToken( 262 | _In_ HANDLE ExistingTokenHandle, 263 | _In_ ACCESS_MASK DesiredAccess, 264 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 265 | _In_ BOOLEAN EffectiveOnly, 266 | _In_ TOKEN_TYPE TokenType, 267 | _Out_ PHANDLE NewTokenHandle 268 | ); 269 | 
270 | NTSYSCALLAPI 271 | NTSTATUS 272 | NTAPI 273 | NtQueryInformationToken( 274 | _In_ HANDLE TokenHandle, 275 | _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, 276 | _Out_writes_bytes_(TokenInformationLength) PVOID TokenInformation, 277 | _In_ ULONG TokenInformationLength, 278 | _Out_ PULONG ReturnLength 279 | ); 280 | 281 | NTSYSCALLAPI 282 | NTSTATUS 283 | NTAPI 284 | NtSetInformationToken( 285 | _In_ HANDLE TokenHandle, 286 | _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, 287 | _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation, 288 | _In_ ULONG TokenInformationLength 289 | ); 290 | 291 | NTSYSCALLAPI 292 | NTSTATUS 293 | NTAPI 294 | NtAdjustPrivilegesToken( 295 | _In_ HANDLE TokenHandle, 296 | _In_ BOOLEAN DisableAllPrivileges, 297 | _In_opt_ PTOKEN_PRIVILEGES NewState, 298 | _In_ ULONG BufferLength, 299 | _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, 300 | _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength 301 | ); 302 | 303 | NTSYSCALLAPI 304 | NTSTATUS 305 | NTAPI 306 | NtAdjustGroupsToken( 307 | _In_ HANDLE TokenHandle, 308 | _In_ BOOLEAN ResetToDefault, 309 | _In_opt_ PTOKEN_GROUPS NewState, 310 | _In_opt_ ULONG BufferLength, 311 | _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, 312 | _Out_ PULONG ReturnLength 313 | ); 314 | 315 | #if (NTDLL_VERSION >= NTDLL_WIN8) 316 | NTSYSCALLAPI 317 | NTSTATUS 318 | NTAPI 319 | NtAdjustTokenClaimsAndDeviceGroups( 320 | _In_ HANDLE TokenHandle, 321 | _In_ BOOLEAN UserResetToDefault, 322 | _In_ BOOLEAN DeviceResetToDefault, 323 | _In_ BOOLEAN DeviceGroupsResetToDefault, 324 | _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState, 325 | _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState, 326 | _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState, 327 | _In_ ULONG UserBufferLength, 328 | _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION 
PreviousUserState, 329 | _In_ ULONG DeviceBufferLength, 330 | _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState, 331 | _In_ ULONG DeviceGroupsBufferLength, 332 | _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups, 333 | _Out_opt_ PULONG UserReturnLength, 334 | _Out_opt_ PULONG DeviceReturnLength, 335 | _Out_opt_ PULONG DeviceGroupsReturnBufferLength 336 | ); 337 | #endif 338 | 339 | NTSYSCALLAPI 340 | NTSTATUS 341 | NTAPI 342 | NtFilterToken( 343 | _In_ HANDLE ExistingTokenHandle, 344 | _In_ ULONG Flags, 345 | _In_opt_ PTOKEN_GROUPS SidsToDisable, 346 | _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, 347 | _In_opt_ PTOKEN_GROUPS RestrictedSids, 348 | _Out_ PHANDLE NewTokenHandle 349 | ); 350 | 351 | #if (NTDLL_VERSION >= NTDLL_WIN8) 352 | NTSYSCALLAPI 353 | NTSTATUS 354 | NTAPI 355 | NtFilterTokenEx( 356 | _In_ HANDLE ExistingTokenHandle, 357 | _In_ ULONG Flags, 358 | _In_opt_ PTOKEN_GROUPS SidsToDisable, 359 | _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, 360 | _In_opt_ PTOKEN_GROUPS RestrictedSids, 361 | _In_ ULONG DisableUserClaimsCount, 362 | _In_opt_ PUNICODE_STRING UserClaimsToDisable, 363 | _In_ ULONG DisableDeviceClaimsCount, 364 | _In_opt_ PUNICODE_STRING DeviceClaimsToDisable, 365 | _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable, 366 | _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes, 367 | _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes, 368 | _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups, 369 | _Out_ PHANDLE NewTokenHandle 370 | ); 371 | #endif 372 | 373 | NTSYSCALLAPI 374 | NTSTATUS 375 | NTAPI 376 | NtCompareTokens( 377 | _In_ HANDLE FirstTokenHandle, 378 | _In_ HANDLE SecondTokenHandle, 379 | _Out_ PBOOLEAN Equal 380 | ); 381 | 382 | NTSYSCALLAPI 383 | NTSTATUS 384 | NTAPI 385 | NtPrivilegeCheck( 386 | _In_ HANDLE ClientToken, 387 | _Inout_ PPRIVILEGE_SET 
RequiredPrivileges, 388 | _Out_ PBOOLEAN Result 389 | ); 390 | 391 | NTSYSCALLAPI 392 | NTSTATUS 393 | NTAPI 394 | NtImpersonateAnonymousToken( 395 | _In_ HANDLE ThreadHandle 396 | ); 397 | 398 | #if (NTDLL_VERSION >= NTDLL_WIN7) 399 | // rev 400 | NTSYSCALLAPI 401 | NTSTATUS 402 | NTAPI 403 | NtQuerySecurityAttributesToken( 404 | _In_ HANDLE TokenHandle, 405 | _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes, 406 | _In_ ULONG NumberOfAttributes, 407 | _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION 408 | _In_ ULONG Length, 409 | _Out_ PULONG ReturnLength 410 | ); 411 | #endif 412 | 413 | // Access checking 414 | 415 | NTSYSCALLAPI 416 | NTSTATUS 417 | NTAPI 418 | NtAccessCheck( 419 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 420 | _In_ HANDLE ClientToken, 421 | _In_ ACCESS_MASK DesiredAccess, 422 | _In_ PGENERIC_MAPPING GenericMapping, 423 | _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, 424 | _Inout_ PULONG PrivilegeSetLength, 425 | _Out_ PACCESS_MASK GrantedAccess, 426 | _Out_ PNTSTATUS AccessStatus 427 | ); 428 | 429 | NTSYSCALLAPI 430 | NTSTATUS 431 | NTAPI 432 | NtAccessCheckByType( 433 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 434 | _In_opt_ PSID PrincipalSelfSid, 435 | _In_ HANDLE ClientToken, 436 | _In_ ACCESS_MASK DesiredAccess, 437 | _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, 438 | _In_ ULONG ObjectTypeListLength, 439 | _In_ PGENERIC_MAPPING GenericMapping, 440 | _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, 441 | _Inout_ PULONG PrivilegeSetLength, 442 | _Out_ PACCESS_MASK GrantedAccess, 443 | _Out_ PNTSTATUS AccessStatus 444 | ); 445 | 446 | NTSYSCALLAPI 447 | NTSTATUS 448 | NTAPI 449 | NtAccessCheckByTypeResultList( 450 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 451 | _In_opt_ PSID PrincipalSelfSid, 452 | _In_ HANDLE ClientToken, 453 | _In_ ACCESS_MASK DesiredAccess, 454 | _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST 
ObjectTypeList, 455 | _In_ ULONG ObjectTypeListLength, 456 | _In_ PGENERIC_MAPPING GenericMapping, 457 | _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, 458 | _Inout_ PULONG PrivilegeSetLength, 459 | _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, 460 | _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus 461 | ); 462 | 463 | // Signing 464 | 465 | #if (NTDLL_VERSION >= NTDLL_THRESHOLD) 466 | 467 | NTSYSCALLAPI 468 | NTSTATUS 469 | NTAPI 470 | NtSetCachedSigningLevel( 471 | _In_ ULONG Flags, 472 | _In_ SE_SIGNING_LEVEL InputSigningLevel, 473 | _In_reads_(SourceFileCount) PHANDLE SourceFiles, 474 | _In_ ULONG SourceFileCount, 475 | _In_opt_ HANDLE TargetFile 476 | ); 477 | 478 | NTSYSCALLAPI 479 | NTSTATUS 480 | NTAPI 481 | NtGetCachedSigningLevel( 482 | _In_ HANDLE File, 483 | _Out_ PULONG Flags, 484 | _Out_ PSE_SIGNING_LEVEL SigningLevel, 485 | _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, 486 | _Inout_opt_ PULONG ThumbprintSize, 487 | _Out_opt_ PULONG ThumbprintAlgorithm 488 | ); 489 | 490 | #endif 491 | 492 | // Audit alarm 493 | 494 | NTSYSCALLAPI 495 | NTSTATUS 496 | NTAPI 497 | NtAccessCheckAndAuditAlarm( 498 | _In_ PUNICODE_STRING SubsystemName, 499 | _In_opt_ PVOID HandleId, 500 | _In_ PUNICODE_STRING ObjectTypeName, 501 | _In_ PUNICODE_STRING ObjectName, 502 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 503 | _In_ ACCESS_MASK DesiredAccess, 504 | _In_ PGENERIC_MAPPING GenericMapping, 505 | _In_ BOOLEAN ObjectCreation, 506 | _Out_ PACCESS_MASK GrantedAccess, 507 | _Out_ PNTSTATUS AccessStatus, 508 | _Out_ PBOOLEAN GenerateOnClose 509 | ); 510 | 511 | NTSYSCALLAPI 512 | NTSTATUS 513 | NTAPI 514 | NtAccessCheckByTypeAndAuditAlarm( 515 | _In_ PUNICODE_STRING SubsystemName, 516 | _In_opt_ PVOID HandleId, 517 | _In_ PUNICODE_STRING ObjectTypeName, 518 | _In_ PUNICODE_STRING ObjectName, 519 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 520 | _In_opt_ PSID PrincipalSelfSid, 521 | _In_ 
ACCESS_MASK DesiredAccess, 522 | _In_ AUDIT_EVENT_TYPE AuditType, 523 | _In_ ULONG Flags, 524 | _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, 525 | _In_ ULONG ObjectTypeListLength, 526 | _In_ PGENERIC_MAPPING GenericMapping, 527 | _In_ BOOLEAN ObjectCreation, 528 | _Out_ PACCESS_MASK GrantedAccess, 529 | _Out_ PNTSTATUS AccessStatus, 530 | _Out_ PBOOLEAN GenerateOnClose 531 | ); 532 | 533 | NTSYSCALLAPI 534 | NTSTATUS 535 | NTAPI 536 | NtAccessCheckByTypeResultListAndAuditAlarm( 537 | _In_ PUNICODE_STRING SubsystemName, 538 | _In_opt_ PVOID HandleId, 539 | _In_ PUNICODE_STRING ObjectTypeName, 540 | _In_ PUNICODE_STRING ObjectName, 541 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 542 | _In_opt_ PSID PrincipalSelfSid, 543 | _In_ ACCESS_MASK DesiredAccess, 544 | _In_ AUDIT_EVENT_TYPE AuditType, 545 | _In_ ULONG Flags, 546 | _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, 547 | _In_ ULONG ObjectTypeListLength, 548 | _In_ PGENERIC_MAPPING GenericMapping, 549 | _In_ BOOLEAN ObjectCreation, 550 | _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, 551 | _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, 552 | _Out_ PBOOLEAN GenerateOnClose 553 | ); 554 | 555 | NTSYSCALLAPI 556 | NTSTATUS 557 | NTAPI 558 | NtAccessCheckByTypeResultListAndAuditAlarmByHandle( 559 | _In_ PUNICODE_STRING SubsystemName, 560 | _In_opt_ PVOID HandleId, 561 | _In_ HANDLE ClientToken, 562 | _In_ PUNICODE_STRING ObjectTypeName, 563 | _In_ PUNICODE_STRING ObjectName, 564 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 565 | _In_opt_ PSID PrincipalSelfSid, 566 | _In_ ACCESS_MASK DesiredAccess, 567 | _In_ AUDIT_EVENT_TYPE AuditType, 568 | _In_ ULONG Flags, 569 | _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, 570 | _In_ ULONG ObjectTypeListLength, 571 | _In_ PGENERIC_MAPPING GenericMapping, 572 | _In_ BOOLEAN ObjectCreation, 573 | _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, 574 | 
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, 575 | _Out_ PBOOLEAN GenerateOnClose 576 | ); 577 | 578 | NTSYSCALLAPI 579 | NTSTATUS 580 | NTAPI 581 | NtOpenObjectAuditAlarm( 582 | _In_ PUNICODE_STRING SubsystemName, 583 | _In_opt_ PVOID HandleId, 584 | _In_ PUNICODE_STRING ObjectTypeName, 585 | _In_ PUNICODE_STRING ObjectName, 586 | _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, 587 | _In_ HANDLE ClientToken, 588 | _In_ ACCESS_MASK DesiredAccess, 589 | _In_ ACCESS_MASK GrantedAccess, 590 | _In_opt_ PPRIVILEGE_SET Privileges, 591 | _In_ BOOLEAN ObjectCreation, 592 | _In_ BOOLEAN AccessGranted, 593 | _Out_ PBOOLEAN GenerateOnClose 594 | ); 595 | 596 | NTSYSCALLAPI 597 | NTSTATUS 598 | NTAPI 599 | NtPrivilegeObjectAuditAlarm( 600 | _In_ PUNICODE_STRING SubsystemName, 601 | _In_opt_ PVOID HandleId, 602 | _In_ HANDLE ClientToken, 603 | _In_ ACCESS_MASK DesiredAccess, 604 | _In_ PPRIVILEGE_SET Privileges, 605 | _In_ BOOLEAN AccessGranted 606 | ); 607 | 608 | NTSYSCALLAPI 609 | NTSTATUS 610 | NTAPI 611 | NtCloseObjectAuditAlarm( 612 | _In_ PUNICODE_STRING SubsystemName, 613 | _In_opt_ PVOID HandleId, 614 | _In_ BOOLEAN GenerateOnClose 615 | ); 616 | 617 | NTSYSCALLAPI 618 | NTSTATUS 619 | NTAPI 620 | NtDeleteObjectAuditAlarm( 621 | _In_ PUNICODE_STRING SubsystemName, 622 | _In_opt_ PVOID HandleId, 623 | _In_ BOOLEAN GenerateOnClose 624 | ); 625 | 626 | NTSYSCALLAPI 627 | NTSTATUS 628 | NTAPI 629 | NtPrivilegedServiceAuditAlarm( 630 | _In_ PUNICODE_STRING SubsystemName, 631 | _In_ PUNICODE_STRING ServiceName, 632 | _In_ HANDLE ClientToken, 633 | _In_ PPRIVILEGE_SET Privileges, 634 | _In_ BOOLEAN AccessGranted 635 | ); 636 | 637 | #endif 638 | -------------------------------------------------------------------------------- /include/ntsmss.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTSMSS_H 2 | #define _NTSMSS_H 3 | 4 | NTSYSAPI 5 | NTSTATUS 6 | NTAPI 7 | RtlConnectToSm( 8 | _In_ PUNICODE_STRING 
ApiPortName, 9 | _In_ HANDLE ApiPortHandle, 10 | _In_ DWORD ProcessImageType, 11 | _Out_ PHANDLE SmssConnection 12 | ); 13 | 14 | NTSYSAPI 15 | NTSTATUS 16 | NTAPI 17 | RtlSendMsgToSm( 18 | _In_ HANDLE ApiPortHandle, 19 | _In_ PPORT_MESSAGE MessageData 20 | ); 21 | 22 | #endif 23 | -------------------------------------------------------------------------------- /include/nttmapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTTMAPI_H 2 | #define _NTTMAPI_H 3 | 4 | #if (NTDLL_VERSION >= NTDLL_VISTA) 5 | NTSYSCALLAPI 6 | NTSTATUS 7 | NTAPI 8 | NtCreateTransactionManager( 9 | _Out_ PHANDLE TmHandle, 10 | _In_ ACCESS_MASK DesiredAccess, 11 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 12 | _In_opt_ PUNICODE_STRING LogFileName, 13 | _In_opt_ ULONG CreateOptions, 14 | _In_opt_ ULONG CommitStrength 15 | ); 16 | #endif 17 | 18 | #if (NTDLL_VERSION >= NTDLL_VISTA) 19 | NTSYSCALLAPI 20 | NTSTATUS 21 | NTAPI 22 | NtOpenTransactionManager( 23 | _Out_ PHANDLE TmHandle, 24 | _In_ ACCESS_MASK DesiredAccess, 25 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 26 | _In_opt_ PUNICODE_STRING LogFileName, 27 | _In_opt_ LPGUID TmIdentity, 28 | _In_opt_ ULONG OpenOptions 29 | ); 30 | #endif 31 | 32 | #if (NTDLL_VERSION >= NTDLL_VISTA) 33 | NTSYSCALLAPI 34 | NTSTATUS 35 | NTAPI 36 | NtRenameTransactionManager( 37 | _In_ PUNICODE_STRING LogFileName, 38 | _In_ LPGUID ExistingTransactionManagerGuid 39 | ); 40 | #endif 41 | 42 | #if (NTDLL_VERSION >= NTDLL_VISTA) 43 | NTSYSCALLAPI 44 | NTSTATUS 45 | NTAPI 46 | NtRollforwardTransactionManager( 47 | _In_ HANDLE TransactionManagerHandle, 48 | _In_opt_ PLARGE_INTEGER TmVirtualClock 49 | ); 50 | #endif 51 | 52 | #if (NTDLL_VERSION >= NTDLL_VISTA) 53 | NTSYSCALLAPI 54 | NTSTATUS 55 | NTAPI 56 | NtRecoverTransactionManager( 57 | _In_ HANDLE TransactionManagerHandle 58 | ); 59 | #endif 60 | 61 | #if (NTDLL_VERSION >= NTDLL_VISTA) 62 | NTSYSCALLAPI 63 | NTSTATUS 64 | NTAPI 65 | 
NtQueryInformationTransactionManager( 66 | _In_ HANDLE TransactionManagerHandle, 67 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 68 | _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 69 | _In_ ULONG TransactionManagerInformationLength, 70 | _Out_opt_ PULONG ReturnLength 71 | ); 72 | #endif 73 | 74 | #if (NTDLL_VERSION >= NTDLL_VISTA) 75 | NTSYSCALLAPI 76 | NTSTATUS 77 | NTAPI 78 | NtSetInformationTransactionManager( 79 | _In_opt_ HANDLE TmHandle, 80 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 81 | _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 82 | _In_ ULONG TransactionManagerInformationLength 83 | ); 84 | #endif 85 | 86 | #if (NTDLL_VERSION >= NTDLL_VISTA) 87 | NTSYSCALLAPI 88 | NTSTATUS 89 | NTAPI 90 | NtEnumerateTransactionObject( 91 | _In_opt_ HANDLE RootObjectHandle, 92 | _In_ KTMOBJECT_TYPE QueryType, 93 | _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, 94 | _In_ ULONG ObjectCursorLength, 95 | _Out_ PULONG ReturnLength 96 | ); 97 | #endif 98 | 99 | #if (NTDLL_VERSION >= NTDLL_VISTA) 100 | NTSYSCALLAPI 101 | NTSTATUS 102 | NTAPI 103 | NtCreateTransaction( 104 | _Out_ PHANDLE TransactionHandle, 105 | _In_ ACCESS_MASK DesiredAccess, 106 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 107 | _In_opt_ LPGUID Uow, 108 | _In_opt_ HANDLE TmHandle, 109 | _In_opt_ ULONG CreateOptions, 110 | _In_opt_ ULONG IsolationLevel, 111 | _In_opt_ ULONG IsolationFlags, 112 | _In_opt_ PLARGE_INTEGER Timeout, 113 | _In_opt_ PUNICODE_STRING Description 114 | ); 115 | #endif 116 | 117 | #if (NTDLL_VERSION >= NTDLL_VISTA) 118 | NTSYSCALLAPI 119 | NTSTATUS 120 | NTAPI 121 | NtOpenTransaction( 122 | _Out_ PHANDLE TransactionHandle, 123 | _In_ ACCESS_MASK DesiredAccess, 124 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 125 | _In_ LPGUID Uow, 126 | _In_opt_ HANDLE TmHandle 127 | ); 128 | #endif 129 | 130 | #if 
(NTDLL_VERSION >= NTDLL_VISTA) 131 | NTSYSCALLAPI 132 | NTSTATUS 133 | NTAPI 134 | NtQueryInformationTransaction( 135 | _In_ HANDLE TransactionHandle, 136 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 137 | _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation, 138 | _In_ ULONG TransactionInformationLength, 139 | _Out_opt_ PULONG ReturnLength 140 | ); 141 | #endif 142 | 143 | #if (NTDLL_VERSION >= NTDLL_VISTA) 144 | NTSYSCALLAPI 145 | NTSTATUS 146 | NTAPI 147 | NtSetInformationTransaction( 148 | _In_ HANDLE TransactionHandle, 149 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 150 | _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation, 151 | _In_ ULONG TransactionInformationLength 152 | ); 153 | #endif 154 | 155 | #if (NTDLL_VERSION >= NTDLL_VISTA) 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtCommitTransaction( 160 | _In_ HANDLE TransactionHandle, 161 | _In_ BOOLEAN Wait 162 | ); 163 | #endif 164 | 165 | #if (NTDLL_VERSION >= NTDLL_VISTA) 166 | NTSYSCALLAPI 167 | NTSTATUS 168 | NTAPI 169 | NtRollbackTransaction( 170 | _In_ HANDLE TransactionHandle, 171 | _In_ BOOLEAN Wait 172 | ); 173 | #endif 174 | 175 | #if (NTDLL_VERSION >= NTDLL_VISTA) 176 | NTSYSCALLAPI 177 | NTSTATUS 178 | NTAPI 179 | NtCreateEnlistment( 180 | _Out_ PHANDLE EnlistmentHandle, 181 | _In_ ACCESS_MASK DesiredAccess, 182 | _In_ HANDLE ResourceManagerHandle, 183 | _In_ HANDLE TransactionHandle, 184 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 185 | _In_opt_ ULONG CreateOptions, 186 | _In_ NOTIFICATION_MASK NotificationMask, 187 | _In_opt_ PVOID EnlistmentKey 188 | ); 189 | #endif 190 | 191 | #if (NTDLL_VERSION >= NTDLL_VISTA) 192 | NTSYSCALLAPI 193 | NTSTATUS 194 | NTAPI 195 | NtOpenEnlistment( 196 | _Out_ PHANDLE EnlistmentHandle, 197 | _In_ ACCESS_MASK DesiredAccess, 198 | _In_ HANDLE ResourceManagerHandle, 199 | _In_ LPGUID EnlistmentGuid, 200 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 201 | ); 
202 | #endif 203 | 204 | #if (NTDLL_VERSION >= NTDLL_VISTA) 205 | NTSYSCALLAPI 206 | NTSTATUS 207 | NTAPI 208 | NtQueryInformationEnlistment( 209 | _In_ HANDLE EnlistmentHandle, 210 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 211 | _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 212 | _In_ ULONG EnlistmentInformationLength, 213 | _Out_opt_ PULONG ReturnLength 214 | ); 215 | #endif 216 | 217 | #if (NTDLL_VERSION >= NTDLL_VISTA) 218 | NTSYSCALLAPI 219 | NTSTATUS 220 | NTAPI 221 | NtSetInformationEnlistment( 222 | _In_opt_ HANDLE EnlistmentHandle, 223 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 224 | _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 225 | _In_ ULONG EnlistmentInformationLength 226 | ); 227 | #endif 228 | 229 | #if (NTDLL_VERSION >= NTDLL_VISTA) 230 | NTSYSCALLAPI 231 | NTSTATUS 232 | NTAPI 233 | NtRecoverEnlistment( 234 | _In_ HANDLE EnlistmentHandle, 235 | _In_opt_ PVOID EnlistmentKey 236 | ); 237 | #endif 238 | 239 | #if (NTDLL_VERSION >= NTDLL_VISTA) 240 | NTSYSCALLAPI 241 | NTSTATUS 242 | NTAPI 243 | NtPrePrepareEnlistment( 244 | _In_ HANDLE EnlistmentHandle, 245 | _In_opt_ PLARGE_INTEGER TmVirtualClock 246 | ); 247 | #endif 248 | 249 | #if (NTDLL_VERSION >= NTDLL_VISTA) 250 | NTSYSCALLAPI 251 | NTSTATUS 252 | NTAPI 253 | NtPrepareEnlistment( 254 | _In_ HANDLE EnlistmentHandle, 255 | _In_opt_ PLARGE_INTEGER TmVirtualClock 256 | ); 257 | #endif 258 | 259 | #if (NTDLL_VERSION >= NTDLL_VISTA) 260 | NTSYSCALLAPI 261 | NTSTATUS 262 | NTAPI 263 | NtCommitEnlistment( 264 | _In_ HANDLE EnlistmentHandle, 265 | _In_opt_ PLARGE_INTEGER TmVirtualClock 266 | ); 267 | #endif 268 | 269 | #if (NTDLL_VERSION >= NTDLL_VISTA) 270 | NTSYSCALLAPI 271 | NTSTATUS 272 | NTAPI 273 | NtRollbackEnlistment( 274 | _In_ HANDLE EnlistmentHandle, 275 | _In_opt_ PLARGE_INTEGER TmVirtualClock 276 | ); 277 | #endif 278 | 279 | #if (NTDLL_VERSION >= NTDLL_VISTA) 280 | NTSYSCALLAPI 281 | 
NTSTATUS 282 | NTAPI 283 | NtPrePrepareComplete( 284 | _In_ HANDLE EnlistmentHandle, 285 | _In_opt_ PLARGE_INTEGER TmVirtualClock 286 | ); 287 | #endif 288 | 289 | #if (NTDLL_VERSION >= NTDLL_VISTA) 290 | NTSYSCALLAPI 291 | NTSTATUS 292 | NTAPI 293 | NtPrepareComplete( 294 | _In_ HANDLE EnlistmentHandle, 295 | _In_opt_ PLARGE_INTEGER TmVirtualClock 296 | ); 297 | #endif 298 | 299 | #if (NTDLL_VERSION >= NTDLL_VISTA) 300 | NTSYSCALLAPI 301 | NTSTATUS 302 | NTAPI 303 | NtCommitComplete( 304 | _In_ HANDLE EnlistmentHandle, 305 | _In_opt_ PLARGE_INTEGER TmVirtualClock 306 | ); 307 | #endif 308 | 309 | #if (NTDLL_VERSION >= NTDLL_VISTA) 310 | NTSYSCALLAPI 311 | NTSTATUS 312 | NTAPI 313 | NtReadOnlyEnlistment( 314 | _In_ HANDLE EnlistmentHandle, 315 | _In_opt_ PLARGE_INTEGER TmVirtualClock 316 | ); 317 | #endif 318 | 319 | #if (NTDLL_VERSION >= NTDLL_VISTA) 320 | NTSYSCALLAPI 321 | NTSTATUS 322 | NTAPI 323 | NtRollbackComplete( 324 | _In_ HANDLE EnlistmentHandle, 325 | _In_opt_ PLARGE_INTEGER TmVirtualClock 326 | ); 327 | #endif 328 | 329 | #if (NTDLL_VERSION >= NTDLL_VISTA) 330 | NTSYSCALLAPI 331 | NTSTATUS 332 | NTAPI 333 | NtSinglePhaseReject( 334 | _In_ HANDLE EnlistmentHandle, 335 | _In_opt_ PLARGE_INTEGER TmVirtualClock 336 | ); 337 | #endif 338 | 339 | #if (NTDLL_VERSION >= NTDLL_VISTA) 340 | NTSYSCALLAPI 341 | NTSTATUS 342 | NTAPI 343 | NtCreateResourceManager( 344 | _Out_ PHANDLE ResourceManagerHandle, 345 | _In_ ACCESS_MASK DesiredAccess, 346 | _In_ HANDLE TmHandle, 347 | _In_ LPGUID RmGuid, 348 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 349 | _In_opt_ ULONG CreateOptions, 350 | _In_opt_ PUNICODE_STRING Description 351 | ); 352 | #endif 353 | 354 | #if (NTDLL_VERSION >= NTDLL_VISTA) 355 | NTSYSCALLAPI 356 | NTSTATUS 357 | NTAPI 358 | NtOpenResourceManager( 359 | _Out_ PHANDLE ResourceManagerHandle, 360 | _In_ ACCESS_MASK DesiredAccess, 361 | _In_ HANDLE TmHandle, 362 | _In_opt_ LPGUID ResourceManagerGuid, 363 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 
364 | ); 365 | #endif 366 | 367 | #if (NTDLL_VERSION >= NTDLL_VISTA) 368 | NTSYSCALLAPI 369 | NTSTATUS 370 | NTAPI 371 | NtRecoverResourceManager( 372 | _In_ HANDLE ResourceManagerHandle 373 | ); 374 | #endif 375 | 376 | #if (NTDLL_VERSION >= NTDLL_VISTA) 377 | NTSYSCALLAPI 378 | NTSTATUS 379 | NTAPI 380 | NtGetNotificationResourceManager( 381 | _In_ HANDLE ResourceManagerHandle, 382 | _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, 383 | _In_ ULONG NotificationLength, 384 | _In_opt_ PLARGE_INTEGER Timeout, 385 | _Out_opt_ PULONG ReturnLength, 386 | _In_ ULONG Asynchronous, 387 | _In_opt_ ULONG_PTR AsynchronousContext 388 | ); 389 | #endif 390 | 391 | #if (NTDLL_VERSION >= NTDLL_VISTA) 392 | NTSYSCALLAPI 393 | NTSTATUS 394 | NTAPI 395 | NtQueryInformationResourceManager( 396 | _In_ HANDLE ResourceManagerHandle, 397 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 398 | _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 399 | _In_ ULONG ResourceManagerInformationLength, 400 | _Out_opt_ PULONG ReturnLength 401 | ); 402 | #endif 403 | 404 | #if (NTDLL_VERSION >= NTDLL_VISTA) 405 | NTSYSCALLAPI 406 | NTSTATUS 407 | NTAPI 408 | NtSetInformationResourceManager( 409 | _In_ HANDLE ResourceManagerHandle, 410 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 411 | _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 412 | _In_ ULONG ResourceManagerInformationLength 413 | ); 414 | #endif 415 | 416 | #if (NTDLL_VERSION >= NTDLL_VISTA) 417 | NTSYSCALLAPI 418 | NTSTATUS 419 | NTAPI 420 | NtRegisterProtocolAddressInformation( 421 | _In_ HANDLE ResourceManager, 422 | _In_ PCRM_PROTOCOL_ID ProtocolId, 423 | _In_ ULONG ProtocolInformationSize, 424 | _In_ PVOID ProtocolInformation, 425 | _In_opt_ ULONG CreateOptions 426 | ); 427 | #endif 428 | 429 | #if (NTDLL_VERSION >= NTDLL_VISTA) 430 | NTSYSCALLAPI 431 | NTSTATUS 432 | NTAPI 433 | NtPropagationComplete( 
434 | _In_ HANDLE ResourceManagerHandle, 435 | _In_ ULONG RequestCookie, 436 | _In_ ULONG BufferLength, 437 | _In_ PVOID Buffer 438 | ); 439 | #endif 440 | 441 | #if (NTDLL_VERSION >= NTDLL_VISTA) 442 | NTSYSCALLAPI 443 | NTSTATUS 444 | NTAPI 445 | NtPropagationFailed( 446 | _In_ HANDLE ResourceManagerHandle, 447 | _In_ ULONG RequestCookie, 448 | _In_ NTSTATUS PropStatus 449 | ); 450 | #endif 451 | 452 | #if (NTDLL_VERSION >= NTDLL_VISTA) 453 | // private 454 | NTSYSCALLAPI 455 | NTSTATUS 456 | NTAPI 457 | NtFreezeTransactions( 458 | _In_ PLARGE_INTEGER FreezeTimeout, 459 | _In_ PLARGE_INTEGER ThawTimeout 460 | ); 461 | #endif 462 | 463 | #if (NTDLL_VERSION >= NTDLL_VISTA) 464 | // private 465 | NTSYSCALLAPI 466 | NTSTATUS 467 | NTAPI 468 | NtThawTransactions( 469 | VOID 470 | ); 471 | #endif 472 | 473 | #endif 474 | -------------------------------------------------------------------------------- /include/nttp.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTTP_H 2 | #define _NTTP_H 3 | 4 | // Some types are already defined in winnt.h. 
5 | 6 | typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; 7 | 8 | // private 9 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK)( 10 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 11 | _Inout_opt_ PVOID Context, 12 | _In_ PTP_ALPC Alpc 13 | ); 14 | 15 | // rev 16 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)( 17 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 18 | _Inout_opt_ PVOID Context, 19 | _In_ PTP_ALPC Alpc, 20 | _In_ PVOID ApcContext 21 | ); 22 | 23 | #if (NTDLL_VERSION >= NTDLL_VISTA) 24 | 25 | // private 26 | _Check_return_ 27 | NTSYSAPI 28 | NTSTATUS 29 | NTAPI 30 | TpAllocPool( 31 | _Out_ PTP_POOL *PoolReturn, 32 | _Reserved_ PVOID Reserved 33 | ); 34 | 35 | // winbase:CloseThreadpool 36 | NTSYSAPI 37 | VOID 38 | NTAPI 39 | TpReleasePool( 40 | _Inout_ PTP_POOL Pool 41 | ); 42 | 43 | // winbase:SetThreadpoolThreadMaximum 44 | NTSYSAPI 45 | VOID 46 | NTAPI 47 | TpSetPoolMaxThreads( 48 | _Inout_ PTP_POOL Pool, 49 | _In_ LONG MaxThreads 50 | ); 51 | 52 | // private 53 | NTSYSAPI 54 | NTSTATUS 55 | NTAPI 56 | TpSetPoolMinThreads( 57 | _Inout_ PTP_POOL Pool, 58 | _In_ LONG MinThreads 59 | ); 60 | 61 | #if (NTDLL_VERSION >= NTDLL_WIN7) 62 | // rev 63 | NTSYSAPI 64 | NTSTATUS 65 | NTAPI 66 | TpQueryPoolStackInformation( 67 | _In_ PTP_POOL Pool, 68 | _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation 69 | ); 70 | #endif 71 | 72 | #if (NTDLL_VERSION >= NTDLL_WIN7) 73 | // rev 74 | NTSYSAPI 75 | NTSTATUS 76 | NTAPI 77 | TpSetPoolStackInformation( 78 | _Inout_ PTP_POOL Pool, 79 | _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation 80 | ); 81 | #endif 82 | 83 | // private 84 | _Check_return_ 85 | NTSYSAPI 86 | NTSTATUS 87 | NTAPI 88 | TpAllocCleanupGroup( 89 | _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn 90 | ); 91 | 92 | // winbase:CloseThreadpoolCleanupGroup 93 | NTSYSAPI 94 | VOID 95 | NTAPI 96 | TpReleaseCleanupGroup( 97 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup 98 | ); 99 | 100 | // winbase:CloseThreadpoolCleanupGroupMembers 101 | NTSYSAPI 102 | VOID 103 | NTAPI 104 | 
TpReleaseCleanupGroupMembers( 105 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup, 106 | _In_ LOGICAL CancelPendingCallbacks, 107 | _Inout_opt_ PVOID CleanupParameter 108 | ); 109 | 110 | // winbase:SetEventWhenCallbackReturns 111 | NTSYSAPI 112 | VOID 113 | NTAPI 114 | TpCallbackSetEventOnCompletion( 115 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 116 | _In_ HANDLE Event 117 | ); 118 | 119 | // winbase:ReleaseSemaphoreWhenCallbackReturns 120 | NTSYSAPI 121 | VOID 122 | NTAPI 123 | TpCallbackReleaseSemaphoreOnCompletion( 124 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 125 | _In_ HANDLE Semaphore, 126 | _In_ LONG ReleaseCount 127 | ); 128 | 129 | // winbase:ReleaseMutexWhenCallbackReturns 130 | NTSYSAPI 131 | VOID 132 | NTAPI 133 | TpCallbackReleaseMutexOnCompletion( 134 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 135 | _In_ HANDLE Mutex 136 | ); 137 | 138 | // winbase:LeaveCriticalSectionWhenCallbackReturns 139 | NTSYSAPI 140 | VOID 141 | NTAPI 142 | TpCallbackLeaveCriticalSectionOnCompletion( 143 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 144 | _Inout_ PRTL_CRITICAL_SECTION CriticalSection 145 | ); 146 | 147 | // winbase:FreeLibraryWhenCallbackReturns 148 | NTSYSAPI 149 | VOID 150 | NTAPI 151 | TpCallbackUnloadDllOnCompletion( 152 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 153 | _In_ PVOID DllHandle 154 | ); 155 | 156 | // winbase:CallbackMayRunLong 157 | NTSYSAPI 158 | NTSTATUS 159 | NTAPI 160 | TpCallbackMayRunLong( 161 | _Inout_ PTP_CALLBACK_INSTANCE Instance 162 | ); 163 | 164 | // winbase:DisassociateCurrentThreadFromCallback 165 | NTSYSAPI 166 | VOID 167 | NTAPI 168 | TpDisassociateCallback( 169 | _Inout_ PTP_CALLBACK_INSTANCE Instance 170 | ); 171 | 172 | // winbase:TrySubmitThreadpoolCallback 173 | _Check_return_ 174 | NTSYSAPI 175 | NTSTATUS 176 | NTAPI 177 | TpSimpleTryPost( 178 | _In_ PTP_SIMPLE_CALLBACK Callback, 179 | _Inout_opt_ PVOID Context, 180 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 181 | ); 182 | 183 | // private 184 | _Check_return_ 185 | NTSYSAPI 186 
| NTSTATUS 187 | NTAPI 188 | TpAllocWork( 189 | _Out_ PTP_WORK *WorkReturn, 190 | _In_ PTP_WORK_CALLBACK Callback, 191 | _Inout_opt_ PVOID Context, 192 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 193 | ); 194 | 195 | // winbase:CloseThreadpoolWork 196 | NTSYSAPI 197 | VOID 198 | NTAPI 199 | TpReleaseWork( 200 | _Inout_ PTP_WORK Work 201 | ); 202 | 203 | // winbase:SubmitThreadpoolWork 204 | NTSYSAPI 205 | VOID 206 | NTAPI 207 | TpPostWork( 208 | _Inout_ PTP_WORK Work 209 | ); 210 | 211 | // winbase:WaitForThreadpoolWorkCallbacks 212 | NTSYSAPI 213 | VOID 214 | NTAPI 215 | TpWaitForWork( 216 | _Inout_ PTP_WORK Work, 217 | _In_ LOGICAL CancelPendingCallbacks 218 | ); 219 | 220 | // private 221 | _Check_return_ 222 | NTSYSAPI 223 | NTSTATUS 224 | NTAPI 225 | TpAllocTimer( 226 | _Out_ PTP_TIMER *Timer, 227 | _In_ PTP_TIMER_CALLBACK Callback, 228 | _Inout_opt_ PVOID Context, 229 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 230 | ); 231 | 232 | // winbase:CloseThreadpoolTimer 233 | NTSYSAPI 234 | VOID 235 | NTAPI 236 | TpReleaseTimer( 237 | _Inout_ PTP_TIMER Timer 238 | ); 239 | 240 | // winbase:SetThreadpoolTimer 241 | NTSYSAPI 242 | VOID 243 | NTAPI 244 | TpSetTimer( 245 | _Inout_ PTP_TIMER Timer, 246 | _In_opt_ PLARGE_INTEGER DueTime, 247 | _In_ LONG Period, 248 | _In_opt_ LONG WindowLength 249 | ); 250 | 251 | // winbase:IsThreadpoolTimerSet 252 | NTSYSAPI 253 | LOGICAL 254 | NTAPI 255 | TpIsTimerSet( 256 | _In_ PTP_TIMER Timer 257 | ); 258 | 259 | // winbase:WaitForThreadpoolTimerCallbacks 260 | NTSYSAPI 261 | VOID 262 | NTAPI 263 | TpWaitForTimer( 264 | _Inout_ PTP_TIMER Timer, 265 | _In_ LOGICAL CancelPendingCallbacks 266 | ); 267 | 268 | // private 269 | _Check_return_ 270 | NTSYSAPI 271 | NTSTATUS 272 | NTAPI 273 | TpAllocWait( 274 | _Out_ PTP_WAIT *WaitReturn, 275 | _In_ PTP_WAIT_CALLBACK Callback, 276 | _Inout_opt_ PVOID Context, 277 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 278 | ); 279 | 280 | // winbase:CloseThreadpoolWait 281 | NTSYSAPI 282 | 
VOID 283 | NTAPI 284 | TpReleaseWait( 285 | _Inout_ PTP_WAIT Wait 286 | ); 287 | 288 | // winbase:SetThreadpoolWait 289 | NTSYSAPI 290 | VOID 291 | NTAPI 292 | TpSetWait( 293 | _Inout_ PTP_WAIT Wait, 294 | _In_opt_ HANDLE Handle, 295 | _In_opt_ PLARGE_INTEGER Timeout 296 | ); 297 | 298 | // winbase:WaitForThreadpoolWaitCallbacks 299 | NTSYSAPI 300 | VOID 301 | NTAPI 302 | TpWaitForWait( 303 | _Inout_ PTP_WAIT Wait, 304 | _In_ LOGICAL CancelPendingCallbacks 305 | ); 306 | 307 | // private 308 | typedef VOID (NTAPI *PTP_IO_CALLBACK)( 309 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 310 | _Inout_opt_ PVOID Context, 311 | _In_ PVOID ApcContext, 312 | _In_ PIO_STATUS_BLOCK IoSB, 313 | _In_ PTP_IO Io 314 | ); 315 | 316 | // private 317 | _Check_return_ 318 | NTSYSAPI 319 | NTSTATUS 320 | NTAPI 321 | TpAllocIoCompletion( 322 | _Out_ PTP_IO *IoReturn, 323 | _In_ HANDLE File, 324 | _In_ PTP_IO_CALLBACK Callback, 325 | _Inout_opt_ PVOID Context, 326 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 327 | ); 328 | 329 | // winbase:CloseThreadpoolIo 330 | NTSYSAPI 331 | VOID 332 | NTAPI 333 | TpReleaseIoCompletion( 334 | _Inout_ PTP_IO Io 335 | ); 336 | 337 | // winbase:StartThreadpoolIo 338 | NTSYSAPI 339 | VOID 340 | NTAPI 341 | TpStartAsyncIoOperation( 342 | _Inout_ PTP_IO Io 343 | ); 344 | 345 | // winbase:CancelThreadpoolIo 346 | NTSYSAPI 347 | VOID 348 | NTAPI 349 | TpCancelAsyncIoOperation( 350 | _Inout_ PTP_IO Io 351 | ); 352 | 353 | // winbase:WaitForThreadpoolIoCallbacks 354 | NTSYSAPI 355 | VOID 356 | NTAPI 357 | TpWaitForIoCompletion( 358 | _Inout_ PTP_IO Io, 359 | _In_ LOGICAL CancelPendingCallbacks 360 | ); 361 | 362 | // private 363 | NTSYSAPI 364 | NTSTATUS 365 | NTAPI 366 | TpAllocAlpcCompletion( 367 | _Out_ PTP_ALPC *AlpcReturn, 368 | _In_ HANDLE AlpcPort, 369 | _In_ PTP_ALPC_CALLBACK Callback, 370 | _Inout_opt_ PVOID Context, 371 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 372 | ); 373 | 374 | #if (NTDLL_VERSION >= NTDLL_WIN7) 375 | // rev 376 | NTSYSAPI 377 
| NTSTATUS 378 | NTAPI 379 | TpAllocAlpcCompletionEx( 380 | _Out_ PTP_ALPC *AlpcReturn, 381 | _In_ HANDLE AlpcPort, 382 | _In_ PTP_ALPC_CALLBACK_EX Callback, 383 | _Inout_opt_ PVOID Context, 384 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 385 | ); 386 | #endif 387 | 388 | // private 389 | NTSYSAPI 390 | VOID 391 | NTAPI 392 | TpReleaseAlpcCompletion( 393 | _Inout_ PTP_ALPC Alpc 394 | ); 395 | 396 | // private 397 | NTSYSAPI 398 | VOID 399 | NTAPI 400 | TpWaitForAlpcCompletion( 401 | _Inout_ PTP_ALPC Alpc 402 | ); 403 | 404 | // private 405 | typedef enum _TP_TRACE_TYPE 406 | { 407 | TpTraceThreadPriority = 1, 408 | TpTraceThreadAffinity, 409 | MaxTpTraceType 410 | } TP_TRACE_TYPE; 411 | 412 | // private 413 | NTSYSAPI 414 | VOID 415 | NTAPI 416 | TpCaptureCaller( 417 | _In_ TP_TRACE_TYPE Type 418 | ); 419 | 420 | // private 421 | NTSYSAPI 422 | VOID 423 | NTAPI 424 | TpCheckTerminateWorker( 425 | _In_ HANDLE Thread 426 | ); 427 | 428 | #endif 429 | 430 | #endif 431 | -------------------------------------------------------------------------------- /include/ntwow64.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTWOW64_H 2 | #define _NTWOW64_H 3 | 4 | #define WOW64_SYSTEM_DIRECTORY "SysWOW64" 5 | #define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64" 6 | #define WOW64_X86_TAG " (x86)" 7 | #define WOW64_X86_TAG_U L" (x86)" 8 | 9 | // In USER_SHARED_DATA 10 | typedef enum _WOW64_SHARED_INFORMATION 11 | { 12 | SharedNtdll32LdrInitializeThunk, 13 | SharedNtdll32KiUserExceptionDispatcher, 14 | SharedNtdll32KiUserApcDispatcher, 15 | SharedNtdll32KiUserCallbackDispatcher, 16 | SharedNtdll32ExpInterlockedPopEntrySListFault, 17 | SharedNtdll32ExpInterlockedPopEntrySListResume, 18 | SharedNtdll32ExpInterlockedPopEntrySListEnd, 19 | SharedNtdll32RtlUserThreadStart, 20 | SharedNtdll32pQueryProcessDebugInformationRemote, 21 | SharedNtdll32BaseAddress, 22 | SharedNtdll32LdrSystemDllInitBlock, 23 | Wow64SharedPageEntriesCount 24 | } 
WOW64_SHARED_INFORMATION; 25 | 26 | // 32-bit definitions 27 | 28 | #define WOW64_POINTER(Type) ULONG 29 | 30 | typedef struct _RTL_BALANCED_NODE32 31 | { 32 | union 33 | { 34 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2]; 35 | struct 36 | { 37 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left; 38 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right; 39 | }; 40 | }; 41 | union 42 | { 43 | WOW64_POINTER(UCHAR) Red : 1; 44 | WOW64_POINTER(UCHAR) Balance : 2; 45 | WOW64_POINTER(ULONG_PTR) ParentValue; 46 | }; 47 | } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32; 48 | 49 | typedef struct _RTL_RB_TREE32 50 | { 51 | WOW64_POINTER(PRTL_BALANCED_NODE) Root; 52 | WOW64_POINTER(PRTL_BALANCED_NODE) Min; 53 | } RTL_RB_TREE32, *PRTL_RB_TREE32; 54 | 55 | typedef struct _PEB_LDR_DATA32 56 | { 57 | ULONG Length; 58 | BOOLEAN Initialized; 59 | WOW64_POINTER(HANDLE) SsHandle; 60 | LIST_ENTRY32 InLoadOrderModuleList; 61 | LIST_ENTRY32 InMemoryOrderModuleList; 62 | LIST_ENTRY32 InInitializationOrderModuleList; 63 | WOW64_POINTER(PVOID) EntryInProgress; 64 | BOOLEAN ShutdownInProgress; 65 | WOW64_POINTER(HANDLE) ShutdownThreadId; 66 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32; 67 | 68 | typedef struct _LDR_SERVICE_TAG_RECORD32 69 | { 70 | WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next; 71 | ULONG ServiceTag; 72 | } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32; 73 | 74 | typedef struct _LDRP_CSLIST32 75 | { 76 | WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail; 77 | } LDRP_CSLIST32, *PLDRP_CSLIST32; 78 | 79 | typedef struct _LDR_DDAG_NODE32 80 | { 81 | LIST_ENTRY32 Modules; 82 | WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList; 83 | ULONG LoadCount; 84 | ULONG LoadWhileUnloadingCount; 85 | ULONG LowestLink; 86 | union 87 | { 88 | LDRP_CSLIST32 Dependencies; 89 | SINGLE_LIST_ENTRY32 RemovalLink; 90 | }; 91 | LDRP_CSLIST32 IncomingDependencies; 92 | LDR_DDAG_STATE State; 93 | SINGLE_LIST_ENTRY32 CondenseLink; 94 | ULONG PreorderNumber; 95 | } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32; 96 
// 32-bit (WOW64) views of the loader, process-parameter, PEB and TEB
// structures. WOW64_POINTER(Type) expands to ULONG, so every pointer-sized
// field occupies 4 bytes and the offsets below differ from the native layouts.
// Apparently the size of LDR_DATA_TABLE_ENTRY32 on older Windows versions,
// expressed as the offset of the first field a later version appended —
// confirm against the target build before using these for bounds checks.
#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode)
#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue)
#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions)

// One module record of a WOW64 process's loader lists (PEB_LDR_DATA32).
// FullDllName/BaseDllName are UNICODE_STRING32 values whose Buffer is a
// 32-bit address in the owning process; see UStr32ToUStr below.
typedef struct _LDR_DATA_TABLE_ENTRY32
{
  LIST_ENTRY32 InLoadOrderLinks;
  LIST_ENTRY32 InMemoryOrderLinks;
  union
  {
    LIST_ENTRY32 InInitializationOrderLinks;
    LIST_ENTRY32 InProgressLinks;
  };
  WOW64_POINTER(PVOID) DllBase;
  WOW64_POINTER(PVOID) EntryPoint;
  ULONG SizeOfImage;
  UNICODE_STRING32 FullDllName;
  UNICODE_STRING32 BaseDllName;
  union
  {
    UCHAR FlagGroup[4];
    ULONG Flags;
    struct
    {
      ULONG PackagedBinary : 1;
      ULONG MarkedForRemoval : 1;
      ULONG ImageDll : 1;
      ULONG LoadNotificationsSent : 1;
      ULONG TelemetryEntryProcessed : 1;
      ULONG ProcessStaticImport : 1;
      ULONG InLegacyLists : 1;
      ULONG InIndexes : 1;
      ULONG ShimDll : 1;
      ULONG InExceptionTable : 1;
      ULONG ReservedFlags1 : 2;
      ULONG LoadInProgress : 1;
      ULONG LoadConfigProcessed : 1;
      ULONG EntryProcessed : 1;
      ULONG ProtectDelayLoad : 1;
      ULONG ReservedFlags3 : 2;
      ULONG DontCallForThreads : 1;
      ULONG ProcessAttachCalled : 1;
      ULONG ProcessAttachFailed : 1;
      ULONG CorDeferredValidate : 1;
      ULONG CorImage : 1;
      ULONG DontRelocate : 1;
      ULONG CorILOnly : 1;
      ULONG ReservedFlags5 : 3;
      ULONG Redirected : 1;
      ULONG ReservedFlags6 : 2;
      ULONG CompatDatabaseProcessed : 1;
    };
  };
  USHORT ObsoleteLoadCount;
  USHORT TlsIndex;
  LIST_ENTRY32 HashLinks;
  ULONG TimeDateStamp;
  WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext;
  WOW64_POINTER(PVOID) Lock;
  WOW64_POINTER(PLDR_DDAG_NODE) DdagNode;
  LIST_ENTRY32 NodeModuleLink;
  WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext;
  WOW64_POINTER(PVOID) ParentDllBase;
  WOW64_POINTER(PVOID) SwitchBackContext;
  RTL_BALANCED_NODE32 BaseAddressIndexNode;
  RTL_BALANCED_NODE32 MappingInfoIndexNode;
  WOW64_POINTER(ULONG_PTR) OriginalBase;
  LARGE_INTEGER LoadTime;
  ULONG BaseNameHashValue;
  LDR_DLL_LOAD_REASON LoadReason;
  ULONG ImplicitPathOptions;
  ULONG ReferenceCount;
  ULONG DependentLoadFlags;
  UCHAR SigningLevel; // since REDSTONE2
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

// 32-bit layout of CURDIR.
typedef struct _CURDIR32
{
  UNICODE_STRING32 DosPath;
  WOW64_POINTER(HANDLE) Handle;
} CURDIR32, *PCURDIR32;

// 32-bit layout of RTL_DRIVE_LETTER_CURDIR.
typedef struct _RTL_DRIVE_LETTER_CURDIR32
{
  USHORT Flags;
  USHORT Length;
  ULONG TimeStamp;
  STRING32 DosPath;
} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;

// 32-bit layout of RTL_USER_PROCESS_PARAMETERS. The UNICODE_STRING32 members
// (ImagePathName, CommandLine, ...) carry 32-bit Buffer addresses; when this
// block is read from another process, treat Length/MaximumLength as untrusted.
typedef struct _RTL_USER_PROCESS_PARAMETERS32
{
  ULONG MaximumLength;
  ULONG Length;

  ULONG Flags;
  ULONG DebugFlags;

  WOW64_POINTER(HANDLE) ConsoleHandle;
  ULONG ConsoleFlags;
  WOW64_POINTER(HANDLE) StandardInput;
  WOW64_POINTER(HANDLE) StandardOutput;
  WOW64_POINTER(HANDLE) StandardError;

  CURDIR32 CurrentDirectory;
  UNICODE_STRING32 DllPath;
  UNICODE_STRING32 ImagePathName;
  UNICODE_STRING32 CommandLine;
  WOW64_POINTER(PVOID) Environment;

  ULONG StartingX;
  ULONG StartingY;
  ULONG CountX;
  ULONG CountY;
  ULONG CountCharsX;
  ULONG CountCharsY;
  ULONG FillAttribute;

  ULONG WindowFlags;
  ULONG ShowWindowFlags;
  UNICODE_STRING32 WindowTitle;
  UNICODE_STRING32 DesktopInfo;
  UNICODE_STRING32 ShellInfo;
  UNICODE_STRING32 RuntimeData;
  RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];

  WOW64_POINTER(ULONG_PTR) EnvironmentSize;
  WOW64_POINTER(ULONG_PTR) EnvironmentVersion;
  WOW64_POINTER(PVOID) PackageDependencyData;
  ULONG ProcessGroupId;
  ULONG LoaderThreads;
} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;

// 32-bit layout of the PEB. Field positions are pinned by the C_ASSERTs that
// follow the definition; the REDSTONE notes mark where later builds appended.
typedef struct _PEB32
{
  BOOLEAN InheritedAddressSpace;
  BOOLEAN ReadImageFileExecOptions;
  BOOLEAN BeingDebugged;
  union
  {
    BOOLEAN BitField;
    struct
    {
      BOOLEAN ImageUsesLargePages : 1;
      BOOLEAN IsProtectedProcess : 1;
      BOOLEAN IsImageDynamicallyRelocated : 1;
      BOOLEAN SkipPatchingUser32Forwarders : 1;
      BOOLEAN IsPackagedProcess : 1;
      BOOLEAN IsAppContainer : 1;
      BOOLEAN IsProtectedProcessLight : 1;
      BOOLEAN IsLongPathAwareProcess : 1;
    };
  };
  WOW64_POINTER(HANDLE) Mutant;

  WOW64_POINTER(PVOID) ImageBaseAddress;
  WOW64_POINTER(PPEB_LDR_DATA) Ldr;
  WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
  WOW64_POINTER(PVOID) SubSystemData;
  WOW64_POINTER(PVOID) ProcessHeap;
  WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
  WOW64_POINTER(PVOID) AtlThunkSListPtr;
  WOW64_POINTER(PVOID) IFEOKey;
  union
  {
    ULONG CrossProcessFlags;
    struct
    {
      ULONG ProcessInJob : 1;
      ULONG ProcessInitializing : 1;
      ULONG ProcessUsingVEH : 1;
      ULONG ProcessUsingVCH : 1;
      ULONG ProcessUsingFTH : 1;
      ULONG ReservedBits0 : 27;
    };
  };
  union
  {
    WOW64_POINTER(PVOID) KernelCallbackTable;
    WOW64_POINTER(PVOID) UserSharedInfoPtr;
  };
  ULONG SystemReserved[1];
  ULONG AtlThunkSListPtr32;
  WOW64_POINTER(PVOID) ApiSetMap;
  ULONG TlsExpansionCounter;
  WOW64_POINTER(PVOID) TlsBitmap;
  ULONG TlsBitmapBits[2];
  WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
  WOW64_POINTER(PVOID) HotpatchInformation;
  WOW64_POINTER(PVOID *) ReadOnlyStaticServerData;
  WOW64_POINTER(PVOID) AnsiCodePageData;
  WOW64_POINTER(PVOID) OemCodePageData;
  WOW64_POINTER(PVOID) UnicodeCaseTableData;

  ULONG NumberOfProcessors;
  ULONG NtGlobalFlag;

  LARGE_INTEGER CriticalSectionTimeout;
  WOW64_POINTER(SIZE_T) HeapSegmentReserve;
  WOW64_POINTER(SIZE_T) HeapSegmentCommit;
  WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
  WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;

  ULONG NumberOfHeaps;
  ULONG MaximumNumberOfHeaps;
  WOW64_POINTER(PVOID *) ProcessHeaps;

  WOW64_POINTER(PVOID) GdiSharedHandleTable;
  WOW64_POINTER(PVOID) ProcessStarterHelper;
  ULONG GdiDCAttributeList;

  WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;

  ULONG OSMajorVersion;
  ULONG OSMinorVersion;
  USHORT OSBuildNumber;
  USHORT OSCSDVersion;
  ULONG OSPlatformId;
  ULONG ImageSubsystem;
  ULONG ImageSubsystemMajorVersion;
  ULONG ImageSubsystemMinorVersion;
  WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask;
  GDI_HANDLE_BUFFER32 GdiHandleBuffer;
  WOW64_POINTER(PVOID) PostProcessInitRoutine;

  WOW64_POINTER(PVOID) TlsExpansionBitmap;
  ULONG TlsExpansionBitmapBits[32];

  ULONG SessionId;

  ULARGE_INTEGER AppCompatFlags;
  ULARGE_INTEGER AppCompatFlagsUser;
  WOW64_POINTER(PVOID) pShimData;
  WOW64_POINTER(PVOID) AppCompatInfo;

  UNICODE_STRING32 CSDVersion;

  WOW64_POINTER(PVOID) ActivationContextData;
  WOW64_POINTER(PVOID) ProcessAssemblyStorageMap;
  WOW64_POINTER(PVOID) SystemDefaultActivationContextData;
  WOW64_POINTER(PVOID) SystemAssemblyStorageMap;

  WOW64_POINTER(SIZE_T) MinimumStackCommit;

  WOW64_POINTER(PVOID *) FlsCallback;
  LIST_ENTRY32 FlsListHead;
  WOW64_POINTER(PVOID) FlsBitmap;
  ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
  ULONG FlsHighIndex;

  WOW64_POINTER(PVOID) WerRegistrationData;
  WOW64_POINTER(PVOID) WerShipAssertPtr;
  WOW64_POINTER(PVOID) pContextData;
  WOW64_POINTER(PVOID) pImageHeaderHash;
  union
  {
    ULONG TracingFlags;
    struct
    {
      ULONG HeapTracingEnabled : 1;
      ULONG CritSecTracingEnabled : 1;
      ULONG LibLoaderTracingEnabled : 1;
      ULONG SpareTracingBits : 29;
    };
  };
  ULONGLONG CsrServerReadOnlySharedMemoryBase;
  WOW64_POINTER(PVOID) TppWorkerpListLock;
  LIST_ENTRY32 TppWorkerpList;
  WOW64_POINTER(PVOID) WaitOnAddressHashTable[128];
  WOW64_POINTER(PVOID) TelemetryCoverageHeader; // REDSTONE3
  ULONG CloudFileFlags;
  ULONG CloudFileDiagFlags; // REDSTONE4
  CHAR PlaceholderCompatibilityMode;
  CHAR PlaceholderCompatibilityModeReserved[7];
} PEB32, *PPEB32;

// Layout pins: these offsets hold for the Windows build this header was taken
// from (see the REDSTONE notes above). A build that inserts or removes fields
// fails here at compile time instead of silently misreading the structure.
C_ASSERT(FIELD_OFFSET(PEB32, IFEOKey) == 0x024);
C_ASSERT(FIELD_OFFSET(PEB32, UnicodeCaseTableData) == 0x060);
C_ASSERT(FIELD_OFFSET(PEB32, SystemAssemblyStorageMap) == 0x204);
C_ASSERT(FIELD_OFFSET(PEB32, pImageHeaderHash) == 0x23c);
C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c);
//C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3
C_ASSERT(sizeof(PEB32) == 0x470);

#define GDI_BATCH_BUFFER_SIZE 310

// 32-bit layout of GDI_TEB_BATCH; embedded in TEB32 below.
typedef struct _GDI_TEB_BATCH32
{
  ULONG Offset;
  WOW64_POINTER(ULONG_PTR) HDC;
  ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;

// 32-bit layout of the TEB, one page (0x1000 bytes) in size per the C_ASSERT
// that follows. Offsets of the fields this project relies on are pinned below.
typedef struct _TEB32
{
  NT_TIB32 NtTib;

  WOW64_POINTER(PVOID) EnvironmentPointer;
  CLIENT_ID32 ClientId;
  WOW64_POINTER(PVOID) ActiveRpcHandle;
  WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
  WOW64_POINTER(PPEB) ProcessEnvironmentBlock;

  ULONG LastErrorValue;
  ULONG CountOfOwnedCriticalSections;
  WOW64_POINTER(PVOID) CsrClientThread;
  WOW64_POINTER(PVOID) Win32ThreadInfo;
  ULONG User32Reserved[26];
  ULONG UserReserved[5];
  WOW64_POINTER(PVOID) WOW32Reserved;
  LCID CurrentLocale;
  ULONG FpSoftwareStatusRegister;
  WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16];
  WOW64_POINTER(PVOID) SystemReserved1[36];
  UCHAR WorkingOnBehalfTicket[8];
  NTSTATUS ExceptionCode;

  WOW64_POINTER(PVOID) ActivationContextStackPointer;
  WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp;
  WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc;
  WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp;
  BOOLEAN InstrumentationCallbackDisabled;
  UCHAR SpareBytes[23];
  ULONG TxFsContext;

  GDI_TEB_BATCH32 GdiTebBatch;
  CLIENT_ID32 RealClientId;
  WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
  ULONG GdiClientPID;
  ULONG GdiClientTID;
  WOW64_POINTER(PVOID) GdiThreadLocalInfo;
  WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
  WOW64_POINTER(PVOID) glDispatchTable[233];
  WOW64_POINTER(ULONG_PTR) glReserved1[29];
  WOW64_POINTER(PVOID) glReserved2;
  WOW64_POINTER(PVOID) glSectionInfo;
  WOW64_POINTER(PVOID) glSection;
  WOW64_POINTER(PVOID) glTable;
  WOW64_POINTER(PVOID) glCurrentRC;
  WOW64_POINTER(PVOID) glContext;

  NTSTATUS LastStatusValue;
  UNICODE_STRING32 StaticUnicodeString;
  WCHAR StaticUnicodeBuffer[261];

  WOW64_POINTER(PVOID) DeallocationStack;
  WOW64_POINTER(PVOID) TlsSlots[64];
  LIST_ENTRY32 TlsLinks;

  WOW64_POINTER(PVOID) Vdm;
  WOW64_POINTER(PVOID) ReservedForNtRpc;
  WOW64_POINTER(PVOID) DbgSsReserved[2];

  ULONG HardErrorMode;
  WOW64_POINTER(PVOID) Instrumentation[9];
  GUID ActivityId;

  WOW64_POINTER(PVOID) SubProcessTag;
  WOW64_POINTER(PVOID) PerflibData;
  WOW64_POINTER(PVOID) EtwTraceData;
  WOW64_POINTER(PVOID) WinSockData;

  ULONG GdiBatchCount;

  union
  {
    PROCESSOR_NUMBER CurrentIdealProcessor;
    ULONG IdealProcessorValue;
    struct
    {
      UCHAR ReservedPad0;
      UCHAR ReservedPad1;
      UCHAR ReservedPad2;
      UCHAR IdealProcessor;
    };
  };

  ULONG GuaranteedStackBytes;
  WOW64_POINTER(PVOID) ReservedForPerf;
  WOW64_POINTER(PVOID) ReservedForOle;
  ULONG WaitingOnLoaderLock;
  WOW64_POINTER(PVOID) SavedPriorityState;
  WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage;
  WOW64_POINTER(PVOID) ThreadPoolData;
  WOW64_POINTER(PVOID *) TlsExpansionSlots;

  ULONG MuiGeneration;
  ULONG IsImpersonating;
  WOW64_POINTER(PVOID) NlsCache;
  WOW64_POINTER(PVOID) pShimData;
  USHORT HeapVirtualAffinity;
  USHORT LowFragHeapDataSlot;
  WOW64_POINTER(HANDLE) CurrentTransactionHandle;
  WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame;
  WOW64_POINTER(PVOID) FlsData;

  WOW64_POINTER(PVOID) PreferredLanguages;
  WOW64_POINTER(PVOID) UserPrefLanguages;
  WOW64_POINTER(PVOID) MergedPrefLanguages;
  ULONG MuiImpersonation;

  union
  {
    USHORT CrossTebFlags;
    USHORT SpareCrossTebBits : 16;
  };
  union
  {
    USHORT SameTebFlags;
    struct
    {
      USHORT SafeThunkCall : 1;
      USHORT InDebugPrint : 1;
      USHORT HasFiberData : 1;
      USHORT SkipThreadAttach : 1;
      USHORT WerInShipAssertCode : 1;
      USHORT RanProcessInit : 1;
      USHORT ClonedThread : 1;
      USHORT SuppressDebugMsg : 1;
      USHORT DisableUserStackWalk : 1;
      USHORT RtlExceptionAttached : 1;
      USHORT InitialThread : 1;
      USHORT SessionAware : 1;
      USHORT LoadOwner : 1;
      USHORT LoaderWorker : 1;
      USHORT SpareSameTebBits : 2;
    };
  };

  WOW64_POINTER(PVOID) TxnScopeEnterCallback;
  WOW64_POINTER(PVOID) TxnScopeExitCallback;
  WOW64_POINTER(PVOID) TxnScopeContext;
  ULONG LockCount;
  LONG WowTebOffset;
  WOW64_POINTER(PVOID) ResourceRetValue;
  WOW64_POINTER(PVOID) ReservedForWdf;
  ULONGLONG ReservedForCrt;
  GUID EffectiveContainerId;
} TEB32, *PTEB32;

// Layout pins for TEB32, same purpose as the PEB32 asserts above.
C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030);
C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4);
C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0);
C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0);
C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00);
C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10);
C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20);
C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50);
C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70);
C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94);
C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4);
C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4);
C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8);
C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0);
C_ASSERT(sizeof(TEB32) == 0x1000);

// Conversion

// Widens a UNICODE_STRING32 into a native UNICODE_STRING.
//
// The three fields are copied as-is; nothing is validated. When Source was
// read out of another process's PEB32/TEB32 (or any memory this code does not
// own), Length, MaximumLength and Buffer are untrusted input: check
// Length <= MaximumLength, Length even, and Buffer non-NULL and inside the
// source process's address space before the resulting string is dereferenced.
// Destination is fully written (all three UNICODE_STRING members).
FORCEINLINE VOID UStr32ToUStr(
  _Out_ PUNICODE_STRING Destination,
  _In_ PUNICODE_STRING32 Source
  )
{
  Destination->Length = Source->Length;
  Destination->MaximumLength = Source->MaximumLength;
  // UlongToPtr zero-extends the 32-bit address; no range check is performed.
  Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer);
}

// Narrows a native UNICODE_STRING into a UNICODE_STRING32.
//
// PtrToUlong keeps only the low 32 bits of Buffer, so the result is only
// meaningful when the buffer is addressable below 4 GB (memory that belongs
// to a WOW64 target normally is). That precondition is the caller's to
// guarantee — nothing here detects a truncated pointer.
FORCEINLINE VOID UStrToUStr32(
  _Out_ PUNICODE_STRING32 Destination,
  _In_ PUNICODE_STRING Source
  )
{
  Destination->Length = Source->Length;
  Destination->MaximumLength = Source->MaximumLength;
  Destination->Buffer = PtrToUlong(Source->Buffer);
}

#endif
--------------------------------------------------------------------------------
/include/ntxcapi.h:
--------------------------------------------------------------------------------
#ifndef _NTXCAPI_H
#define _NTXCAPI_H

// User-mode exception dispatch entry point. NOTE(review): per the public
// ntdll contract it returns whether a handler accepted the exception; that
// is not shown here — confirm against the target build.
NTSYSAPI
BOOLEAN
NTAPI
RtlDispatchException(
  _In_ PEXCEPTION_RECORD ExceptionRecord,
  _In_ PCONTEXT ContextRecord
  );

// Raises Status as an exception; declared DECLSPEC_NORETURN, so control never
// returns to the caller.
NTSYSAPI
DECLSPEC_NORETURN
VOID
NTAPI
RtlRaiseStatus(
  _In_ NTSTATUS Status
  );

// Raises the given exception record in the calling thread.
NTSYSAPI
VOID
NTAPI
RtlRaiseException(
  _In_ PEXCEPTION_RECORD ExceptionRecord
  );

// System call that resumes the calling thread with the register state held
// in ContextRecord (presumably the return path of APC and exception dispatch);
// TestAlert presumably requests delivery of pending alerts first — confirm.
// Because the whole CONTEXT is supplied by the caller, the kernel is the only
// place it can be sanity-checked; nothing in this header constrains it.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtContinue(
  _In_ PCONTEXT ContextRecord,
  _In_ BOOLEAN TestAlert
  );

// System call behind RtlRaiseException: hands the record and context to the
// kernel; FirstChance selects first- versus second-chance delivery.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRaiseException(
  _In_ PEXCEPTION_RECORD ExceptionRecord,
  _In_ PCONTEXT ContextRecord,
  _In_ BOOLEAN FirstChance
  );

// Reports a failed assertion. The first two arguments are typed PVOID but
// the RTL_ASSERT macros below always pass the stringified expression and
// __FILE__; MutableMessage is an optional free-form string.
__analysis_noreturn
NTSYSCALLAPI
VOID
NTAPI
RtlAssert(
  _In_ PVOID VoidFailedAssertion,
  _In_ PVOID VoidFileName,
  _In_ ULONG LineNumber,
  _In_opt_ PSTR MutableMessage
  );

// Each macro evaluates to TRUE when the condition holds and to FALSE after
// reporting it. The expression text and __FILE__ are passed as plain
// pointers, and `msg`/`_msg` is forwarded as a %s argument or as the
// MutableMessage parameter — never interpreted as a format string.
#define RTL_ASSERT(exp) \
  ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE)
#define RTL_ASSERTMSG(msg, exp) \
  ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE)
// Soft variants only print through DbgPrint with a fixed format string.
#define RTL_SOFT_ASSERT(_exp) \
  ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE)
#define RTL_SOFT_ASSERTMSG(_msg, _exp) \
  ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE)

#endif
--------------------------------------------------------------------------------
/include/subprocesstag.h:
--------------------------------------------------------------------------------
#ifndef _SUBPROCESSTAG_H
#define _SUBPROCESSTAG_H

// Subprocess tag information
//
// Service tags are the values a thread carries in TEB.SubProcessTag (see
// TEB32 in ntwow64.h). I_QueryTagInformation resolves a tag to the service
// that owns it, which is what lets activity inside a shared host process be
// attributed to a specific service.

// Selects which TAG_INFO_* structure pTagInfo points to in
// I_QueryTagInformation; the trailing comment names the matching structure.
typedef enum _TAG_INFO_LEVEL
{
  eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG
  eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE
  eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING
  eTagInfoLevelMax
} TAG_INFO_LEVEL;

// Kind of object a tag identifies; only services are defined here.
typedef enum _TAG_TYPE
{
  eTagTypeService = 1,
  eTagTypeMax
} TAG_TYPE;

// eTagInfoLevelNameFromTag: resolve one tag of one process to a name.
typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS
{
  DWORD dwPid;
  DWORD dwTag;
} TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS;

// eTagType holds a TAG_TYPE value. NOTE(review): pszName is filled in by the
// callee; in the SDK usage I know of it is caller-freed with LocalFree —
// confirm before relying on that.
typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS
{
  DWORD eTagType;
  LPWSTR pszName;
} TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS;

typedef struct _TAG_INFO_NAME_FROM_TAG
{
  TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams;
  TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams;
} TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG;

// eTagInfoLevelNamesReferencingModule: names of the tags in process dwPid
// that reference the module pszModule.
typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS
{
  DWORD dwPid;
  LPWSTR pszModule;
} TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS;

// pmszNames: the "pmsz" prefix suggests a multi-string (NUL-separated,
// double-NUL terminated) list — confirm before parsing it.
typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS
{
  DWORD eTagType;
  LPWSTR pmszNames;
} TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS;

typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE
{
  TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams;
  TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams;
} TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE;

// eTagInfoLevelNameTagMapping: every tag -> name mapping of process dwPid.
typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS
{
  DWORD dwPid;
} TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS;

typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT
{
  DWORD eTagType;
  DWORD dwTag;
  LPWSTR pszName;
  LPWSTR pszGroupName;
} TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT;

// cElements is the length of the pNameTagMappingElements array; iterate only
// up to it.
typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS
{
  DWORD cElements;
  PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements;
} TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS;

// Unlike the other two levels, the OUT block is reached through a pointer
// (pOutParams), not embedded.
typedef struct _TAG_INFO_NAME_TAG_MAPPING
{
  TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams;
  PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams;
} TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING;

// Queries tag information on pszMachineName (NULL = local machine).
// pTagInfo points to the TAG_INFO_* structure selected by eInfoLevel, with
// InParams filled by the caller; it is _Inout_ because the callee writes the
// OUT half. Returns a Win32 error code (_Must_inspect_result_).
_Must_inspect_result_
DWORD
WINAPI
I_QueryTagInformation(
  _In_opt_ LPCWSTR pszMachineName,
  _In_ TAG_INFO_LEVEL eInfoLevel,
  _Inout_ PVOID pTagInfo
  );

// Function-pointer type matching I_QueryTagInformation, for callers that
// resolve it at run time rather than linking against it.
typedef DWORD (WINAPI *PQUERY_TAG_INFORMATION)(
  _In_opt_ LPCWSTR pszMachineName,
  _In_ TAG_INFO_LEVEL eInfoLevel,
  _Inout_ PVOID pTagInfo
  );

#endif
--------------------------------------------------------------------------------
/inj.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.27703.2000
MinimumVisualStudioVersion = 10.0.40219.1
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{01B84E09-7D4F-4415-95AD-C9291497D28C}"
ProjectSection(SolutionItems) = preProject
.editorconfig = .editorconfig
EndProjectSection
EndProject
| Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injdrv", "src\injdrv\injdrv.vcxproj", "{46A74761-6CFA-41AF-A536-47F08E2C7B48}" 12 | EndProject 13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injdll", "src\injdll\injdll.vcxproj", "{558C8AC2-041C-44AC-B41C-2DAB9277A3AB}" 14 | EndProject 15 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DetoursNT", "src\DetoursNT\DetoursNT\DetoursNT.vcxproj", "{C78B9003-FC49-4BBF-8F29-52FAD48BB58A}" 16 | EndProject 17 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injldr", "src\injldr\injldr.vcxproj", "{A72DAEF5-C739-4E70-B57E-4310ABA03749}" 18 | EndProject 19 | Global 20 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 21 | Debug|x64 = Debug|x64 22 | Debug|x86 = Debug|x86 23 | Release|x64 = Release|x64 24 | Release|x86 = Release|x86 25 | EndGlobalSection 26 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 27 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Debug|x64.ActiveCfg = Debug|x64 28 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Debug|x64.Build.0 = Debug|x64 29 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Debug|x86.ActiveCfg = Debug|Win32 30 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Debug|x86.Build.0 = Debug|Win32 31 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Release|x64.ActiveCfg = Release|x64 32 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Release|x64.Build.0 = Release|x64 33 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Release|x86.ActiveCfg = Release|Win32 34 | {46A74761-6CFA-41AF-A536-47F08E2C7B48}.Release|x86.Build.0 = Release|Win32 35 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Debug|x64.ActiveCfg = Debug|x64 36 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Debug|x64.Build.0 = Debug|x64 37 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Debug|x86.ActiveCfg = Debug|Win32 38 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Debug|x86.Build.0 = Debug|Win32 39 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Release|x64.ActiveCfg = Release|x64 40 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Release|x64.Build.0 = Release|x64 41 | 
{558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Release|x86.ActiveCfg = Release|Win32 42 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB}.Release|x86.Build.0 = Release|Win32 43 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Debug|x64.ActiveCfg = Debug|x64 44 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Debug|x64.Build.0 = Debug|x64 45 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Debug|x86.ActiveCfg = Debug|Win32 46 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Debug|x86.Build.0 = Debug|Win32 47 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Release|x64.ActiveCfg = Release|x64 48 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Release|x64.Build.0 = Release|x64 49 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Release|x86.ActiveCfg = Release|Win32 50 | {C78B9003-FC49-4BBF-8F29-52FAD48BB58A}.Release|x86.Build.0 = Release|Win32 51 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Debug|x64.ActiveCfg = Debug|x64 52 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Debug|x64.Build.0 = Debug|x64 53 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Debug|x86.ActiveCfg = Debug|Win32 54 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Debug|x86.Build.0 = Debug|Win32 55 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Release|x64.ActiveCfg = Release|x64 56 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Release|x64.Build.0 = Release|x64 57 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Release|x86.ActiveCfg = Release|Win32 58 | {A72DAEF5-C739-4E70-B57E-4310ABA03749}.Release|x86.Build.0 = Release|Win32 59 | EndGlobalSection 60 | GlobalSection(SolutionProperties) = preSolution 61 | HideSolutionNode = FALSE 62 | EndGlobalSection 63 | GlobalSection(ExtensibilityGlobals) = postSolution 64 | SolutionGuid = {B2F42D07-8CF5-40C5-924F-6EAB82D9ABF0} 65 | EndGlobalSection 66 | EndGlobal 67 | -------------------------------------------------------------------------------- /src/injdll/injdll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Debug 7 | Win32 8 | 9 | 10 | Release 11 | Win32 12 | 13 | 14 | Debug 15 | x64 16 | 17 | 18 | 
Release 19 | x64 20 | 21 | 22 | 23 | 24 | injdll 25 | {558C8AC2-041C-44AC-B41C-2DAB9277A3AB} 26 | 15.0 27 | Win32Proj 28 | 10.0.17134.0 29 | 30 | 31 | 32 | DynamicLibrary 33 | v141 34 | Unicode 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | $(ProjectName)$(PlatformShortName) 46 | $(SolutionDir)bin\$(PlatformShortName)\$(Configuration)\ 47 | $(SolutionDir)bin\obj\$(PlatformShortName)\$(Configuration)\$(ProjectName)\ 48 | 49 | 50 | 51 | Level3 52 | true 53 | stdcpplatest 54 | $(IntDir)%(RelativeDir)%(Filename)%(Extension).obj 55 | $(SolutionDir)include;$(SolutionDir)src\DetoursNT\Detours\src;%(AdditionalIncludeDirectories) 56 | true 57 | true 58 | false 59 | false 60 | false 61 | Default 62 | 63 | 64 | Windows 65 | true 66 | ntdll.lib;%(AdditionalDependencies) 67 | true 68 | NtDllMain 69 | 70 | 71 | 72 | 73 | true 74 | 75 | 76 | true 77 | 78 | 79 | 80 | _DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 81 | Disabled 82 | MultiThreadedDebug 83 | 84 | 85 | 86 | 87 | false 88 | true 89 | 90 | 91 | false 92 | 93 | 94 | 95 | NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 96 | MaxSpeed 97 | MultiThreaded 98 | true 99 | true 100 | 101 | 102 | true 103 | true 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | {c78b9003-fc49-4bbf-8f29-52fad48bb58a} 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /src/injdll/injdll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | 
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {40251b32-677c-4466-8e51-cd6f878b2f71} 18 | 19 | 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files\ntdll 28 | 29 | 30 | Header Files\ntdll 31 | 32 | 33 | Header Files\ntdll 34 | 35 | 36 | Header Files\ntdll 37 | 38 | 39 | Header Files\ntdll 40 | 41 | 42 | Header Files\ntdll 43 | 44 | 45 | Header Files\ntdll 46 | 47 | 48 | Header Files\ntdll 49 | 50 | 51 | Header Files\ntdll 52 | 53 | 54 | Header Files\ntdll 55 | 56 | 57 | Header Files\ntdll 58 | 59 | 60 | Header Files\ntdll 61 | 62 | 63 | Header Files\ntdll 64 | 65 | 66 | Header Files\ntdll 67 | 68 | 69 | Header Files\ntdll 70 | 71 | 72 | Header Files\ntdll 73 | 74 | 75 | Header Files\ntdll 76 | 77 | 78 | Header Files\ntdll 79 | 80 | 81 | Header Files\ntdll 82 | 83 | 84 | Header Files\ntdll 85 | 86 | 87 | Header Files\ntdll 88 | 89 | 90 | Header Files\ntdll 91 | 92 | 93 | Header Files\ntdll 94 | 95 | 96 | Header Files\ntdll 97 | 98 | 99 | Header Files\ntdll 100 | 101 | 102 | Header Files\ntdll 103 | 104 | 105 | Header Files\ntdll 106 | 107 | 108 | Header Files\ntdll 109 | 110 | 111 | Header Files\ntdll 112 | 113 | 114 | Header Files\ntdll 115 | 116 | 117 | Header Files\ntdll 118 | 119 | 120 | -------------------------------------------------------------------------------- /src/injdll/main.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // Include NTDLL-related headers. 3 | // 4 | 5 | #include 6 | #include 7 | 8 | // 9 | // Include support for ETW logging. 10 | // Note that following functions are mocked, because they're 11 | // located in advapi32.dll. Fortunatelly, advapi32.dll simply 12 | // redirects calls to these functions to the ntdll.dll. 
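//

//
// The Event* names below are the public (advapi32.dll) spellings of
// the ETW provider API; the EtwEvent* names are the ntdll.dll exports
// that advapi32 forwards to.  Remapping them lets this DLL link
// against ntdll.lib only.
//

#define EventActivityIdControl    EtwEventActivityIdControl
#define EventEnabled              EtwEventEnabled
#define EventProviderEnabled      EtwEventProviderEnabled
#define EventRegister             EtwEventRegister
#define EventSetInformation       EtwEventSetInformation
#define EventUnregister           EtwEventUnregister
#define EventWrite                EtwEventWrite
#define EventWriteEndScenario     EtwEventWriteEndScenario
#define EventWriteEx              EtwEventWriteEx
#define EventWriteStartScenario   EtwEventWriteStartScenario
#define EventWriteString          EtwEventWriteString
#define EventWriteTransfer        EtwEventWriteTransfer

#include <evntprov.h>   // NOTE(review): include target lost in extraction, restored from the Event* API used below

//
// Include Detours.
//
#include <detours.h>    // NOTE(review): include target lost in extraction, restored from the Detour* API used below

#ifndef NO_ERROR
#define NO_ERROR 0L     // Detours' success code; not every ntdll-only header set defines it
#endif

//
// ntdll.lib carries no import entry for _snwprintf even though
// ntdll.dll exports the routine, so it is resolved at run time in
// OnProcessAttach.  It stays nullptr if that lookup fails; every
// caller must check it before use.
//

using _snwprintf_fn_t = int (__cdecl*)(
  wchar_t *buffer,
  size_t count,
  const wchar_t *format,
  ...
  );

inline _snwprintf_fn_t _snwprintf = nullptr;

//
// ETW provider GUID {a4b4ba50-a667-43f5-919b-1e52a6d69bd5}.
// The loader (injldr) enables exactly this GUID on its trace session,
// so the two definitions must stay in sync.
//

GUID ProviderGuid = {
  0xa4b4ba50, 0xa667, 0x43f5, { 0x91, 0x9b, 0x1e, 0x52, 0xa6, 0xd6, 0x9b, 0xd5 }
};

//
// Zero until EtwEventRegister succeeds; LogString treats zero as
// "not registered" and does nothing.
//

REGHANDLE ProviderHandle = 0;

//
// Writes one NUL-terminated string event to the provider, or does
// nothing when the provider was never registered.
//

static
VOID
LogString(
  _In_ PCWSTR Message
  )
{
  if (ProviderHandle != 0)
  {
    EtwEventWriteString(ProviderHandle, 0, 0, Message);
  }
}

//
// Hooking functions and prototypes.
//
// Each hook logs the call and forwards it unchanged to the original
// routine.  Logging is skipped (never crashes) when _snwprintf could
// not be resolved.
//

inline decltype(NtQuerySystemInformation)* OrigNtQuerySystemInformation = nullptr;

EXTERN_C
NTSTATUS
NTAPI
HookNtQuerySystemInformation(
  _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
  _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
  _In_ ULONG SystemInformationLength,
  _Out_opt_ PULONG ReturnLength
  )
{
  if (_snwprintf != nullptr)
  {
    WCHAR Buffer[128];
    _snwprintf(Buffer,
               RTL_NUMBER_OF(Buffer),
               L"NtQuerySystemInformation(%i, %p, %u)",
               (int)SystemInformationClass,
               SystemInformation,
               SystemInformationLength);

    //
    // _snwprintf does not NUL-terminate on truncation.
    //
    Buffer[RTL_NUMBER_OF(Buffer) - 1] = L'\0';

    LogString(Buffer);
  }

  return OrigNtQuerySystemInformation(SystemInformationClass,
                                      SystemInformation,
                                      SystemInformationLength,
                                      ReturnLength);
}

inline decltype(NtCreateThreadEx)* OrigNtCreateThreadEx = nullptr;

EXTERN_C
NTSTATUS
NTAPI
HookNtCreateThreadEx(
  _Out_ PHANDLE ThreadHandle,
  _In_ ACCESS_MASK DesiredAccess,
  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
  _In_ HANDLE ProcessHandle,
  _In_ PVOID StartRoutine, // PUSER_THREAD_START_ROUTINE
  _In_opt_ PVOID Argument,
  _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
  _In_ SIZE_T ZeroBits,
  _In_ SIZE_T StackSize,
  _In_ SIZE_T MaximumStackSize,
  _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
  )
{
  if (_snwprintf != nullptr)
  {
    WCHAR Buffer[128];
    _snwprintf(Buffer,
               RTL_NUMBER_OF(Buffer),
               L"NtCreateThreadEx(%p, %p)",
               ProcessHandle,
               StartRoutine);

    //
    // _snwprintf does not NUL-terminate on truncation.
    //
    Buffer[RTL_NUMBER_OF(Buffer) - 1] = L'\0';

    LogString(Buffer);
  }

  return OrigNtCreateThreadEx(ThreadHandle,
                              DesiredAccess,
                              ObjectAttributes,
                              ProcessHandle,
                              StartRoutine,
                              Argument,
                              CreateFlags,
                              ZeroBits,
                              StackSize,
                              MaximumStackSize,
                              AttributeList);
}

//
// Test-only worker: sleeps in 100ms steps forever and never returns.
// Not started by default (see the commented-out RtlCreateUserThread
// call in OnProcessAttach).
//

NTSTATUS
NTAPI
ThreadRoutine(
  _In_ PVOID ThreadParameter
  )
{
  (void)ThreadParameter;

  LARGE_INTEGER Delay;
  Delay.QuadPart = -10 * 1000 * 100; // relative time in 100ns units: 100ms

  for (;;)
  {
    NtDelayExecution(FALSE, &Delay);
  }
}

//
// Installs both hooks in a single Detours transaction.
//
// Returns STATUS_SUCCESS when the transaction committed, otherwise
// STATUS_UNSUCCESSFUL; a failed transaction is aborted so no partial
// set of hooks is left in place.
//

NTSTATUS
NTAPI
EnableDetours(
  VOID
  )
{
  DetourTransactionBegin();

  OrigNtQuerySystemInformation = NtQuerySystemInformation;
  OrigNtCreateThreadEx = NtCreateThreadEx;

  if (DetourAttach((PVOID*)&OrigNtQuerySystemInformation, (PVOID)HookNtQuerySystemInformation) != NO_ERROR ||
      DetourAttach((PVOID*)&OrigNtCreateThreadEx, (PVOID)HookNtCreateThreadEx) != NO_ERROR)
  {
    DetourTransactionAbort();
    return STATUS_UNSUCCESSFUL;
  }

  return DetourTransactionCommit() == NO_ERROR
    ? STATUS_SUCCESS
    : STATUS_UNSUCCESSFUL;
}

//
// Removes both hooks in a single Detours transaction.
//
// Returns STATUS_SUCCESS when the transaction committed, otherwise
// STATUS_UNSUCCESSFUL (the transaction is aborted and the hooks stay).
//

NTSTATUS
NTAPI
DisableDetours(
  VOID
  )
{
  DetourTransactionBegin();

  if (DetourDetach((PVOID*)&OrigNtQuerySystemInformation, (PVOID)HookNtQuerySystemInformation) != NO_ERROR ||
      DetourDetach((PVOID*)&OrigNtCreateThreadEx, (PVOID)HookNtCreateThreadEx) != NO_ERROR)
  {
    DetourTransactionAbort();
    return STATUS_UNSUCCESSFUL;
  }

  return DetourTransactionCommit() == NO_ERROR
    ? STATUS_SUCCESS
    : STATUS_UNSUCCESSFUL;
}

//
// DLL_PROCESS_ATTACH work.  Called from NtDllMain, i.e. under the
// loader lock, which is what makes walking the PEB module lists safe.
//
// The order of the steps matters:
//   1. resolve _snwprintf (used by the hooks),
//   2. pin the module -- while the loader can still find it,
//   3. unlink the module's entry from the PEB loader lists,
//   4. register the ETW provider and send the command line,
//   5. install the hooks.
//
// Returns the status of EnableDetours.  Steps 1 and 4 are best effort:
// if they fail, logging degrades to a no-op and the hooks still go in.
//

NTSTATUS
NTAPI
OnProcessAttach(
  _In_ PVOID ModuleHandle
  )
{
  //
  // 1. Resolve _snwprintf from ntdll.dll.  Both lookups are checked;
  //    on any failure the pointer stays nullptr.
  //

  UNICODE_STRING NtdllPath;
  RtlInitUnicodeString(&NtdllPath, (PWSTR)L"ntdll.dll");

  HANDLE NtdllHandle = nullptr;
  if (NT_SUCCESS(LdrGetDllHandle(NULL, 0, &NtdllPath, &NtdllHandle)))
  {
    ANSI_STRING RoutineName;
    RtlInitAnsiString(&RoutineName, (PSTR)"_snwprintf");

    PVOID Routine = nullptr;
    if (NT_SUCCESS(LdrGetProcedureAddress(NtdllHandle, &RoutineName, 0, &Routine)))
    {
      _snwprintf = (_snwprintf_fn_t)Routine;
    }
  }

  //
  // 2. Pin the module so that FreeLibrary / LdrUnloadDll can never
  //    unmap it while the detours below still point into it.  This has
  //    to happen before the unlink, since the loader presumably locates
  //    the module through the very lists that are about to be cut.
  //

  LdrAddRefDll(LDR_ADDREF_DLL_PIN, ModuleHandle);

  //
  // 3. Unlink this module's LDR_DATA_TABLE_ENTRY from the PEB loader
  //    lists.  ModuleHandle is the DLL base address, which is what
  //    DllBase holds.
  //
  //    Consequences worth knowing:
  //    - anything that enumerates these lists (module enumeration,
  //      name lookups) presumably no longer sees this DLL; newer
  //      loaders also keep a base-address index that is not touched
  //      here, so lookups by address may still succeed -- TODO confirm;
  //    - the loader delivers DLL_PROCESS_DETACH by walking the
  //      in-initialization-order list, so that notification is
  //      presumably never delivered to NtDllMain: the hooks stay in
  //      place until the process exits.
  //
  //    After removal each link is re-initialized as an empty list so
  //    a later RemoveEntryList on the same entry is a no-op instead of
  //    corrupting the neighbours it used to have.
  //

  PPEB Peb = NtCurrentPeb();

  for (PLIST_ENTRY ListEntry = Peb->Ldr->InLoadOrderModuleList.Flink;
       ListEntry != &Peb->Ldr->InLoadOrderModuleList;
       ListEntry = ListEntry->Flink)
  {
    PLDR_DATA_TABLE_ENTRY LdrEntry = CONTAINING_RECORD(ListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

    if (LdrEntry->DllBase != ModuleHandle)
    {
      continue;
    }

    RemoveEntryList(&LdrEntry->InLoadOrderLinks);
    RemoveEntryList(&LdrEntry->InInitializationOrderLinks);
    RemoveEntryList(&LdrEntry->InMemoryOrderLinks);
    RemoveEntryList(&LdrEntry->HashLinks);

    InitializeListHead(&LdrEntry->InLoadOrderLinks);
    InitializeListHead(&LdrEntry->InInitializationOrderLinks);
    InitializeListHead(&LdrEntry->InMemoryOrderLinks);
    InitializeListHead(&LdrEntry->HashLinks);

    break;
  }

  //
  // 4. Register the ETW provider.  evntprov.h declares the return as a
  //    Win32 error while the ntdll export returns an NTSTATUS; zero is
  //    success in both conventions.  On failure ProviderHandle is left
  //    at zero so LogString stays a no-op.
  //

  if (EtwEventRegister(&ProviderGuid, NULL, NULL, &ProviderHandle) != 0)
  {
    ProviderHandle = 0;
  }

  //
  // Create dummy thread - used for testing.
  //

  // RtlCreateUserThread(NtCurrentProcess(),
  //                     NULL,
  //                     FALSE,
  //                     0,
  //                     0,
  //                     0,
  //                     &ThreadRoutine,
  //                     NULL,
  //                     NULL,
  //                     NULL);

  //
  // Send the host process' command line as the first event.
  // CommandLine is a counted UNICODE_STRING and is not guaranteed to
  // be NUL-terminated, so it is copied into a bounded, terminated
  // buffer first; longer command lines are truncated to fit.
  //
  // NOTE: command lines routinely carry secrets (passwords, tokens).
  // This forwards them verbatim to every consumer of the ETW session.
  //

  if (Peb->ProcessParameters != NULL &&
      Peb->ProcessParameters->CommandLine.Buffer != NULL)
  {
    PUNICODE_STRING CommandLine = &Peb->ProcessParameters->CommandLine;

    WCHAR CommandLineBuffer[512];
    ULONG Chars = CommandLine->Length / sizeof(WCHAR);

    if (Chars > RTL_NUMBER_OF(CommandLineBuffer) - 1)
    {
      Chars = RTL_NUMBER_OF(CommandLineBuffer) - 1;
    }

    for (ULONG Index = 0; Index < Chars; Index++)
    {
      CommandLineBuffer[Index] = CommandLine->Buffer[Index];
    }
    CommandLineBuffer[Chars] = L'\0';

    LogString(CommandLineBuffer);
  }

  //
  // 5. Hook all functions.
  //

  return EnableDetours();
}

//
// DLL_PROCESS_DETACH work: removes the hooks.
//
// Given the unlink performed in OnProcessAttach this notification is
// presumably never delivered; kept so the hooks can be removed
// cleanly if it ever is.
//

NTSTATUS
NTAPI
OnProcessDetach(
  _In_ HANDLE ModuleHandle
  )
{
  (void)ModuleHandle;

  return DisableDetours();
}

//
// Entry point (linked as the DLL's entry via the project settings).
//
// Always returns TRUE.  By the time EnableDetours can fail the module
// is already pinned and unlinked, and returning FALSE would ask the
// loader to unload a module whose list entry has just been cut; the
// failure is logged instead.
//

EXTERN_C
BOOL
WINAPI
NtDllMain(
  _In_ HANDLE ModuleHandle,
  _In_ ULONG Reason,
  _In_ LPVOID Reserved
  )
{
  (void)Reserved;

  switch (Reason)
  {
    case DLL_PROCESS_ATTACH:
      if (!NT_SUCCESS(OnProcessAttach(ModuleHandle)))
      {
        LogString(L"EnableDetours failed");
      }
      break;

    case DLL_PROCESS_DETACH:
      OnProcessDetach(ModuleHandle);
      break;

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
      break;
  }

  return TRUE;
}
--------------------------------------------------------------------------------
/src/injdrv/injdrv.h:
--------------------------------------------------------------------------------
#pragma once
#include <ntddk.h>   // NOTE(review): include target lost in extraction; WDM driver header assumed -- confirm

//////////////////////////////////////////////////////////////////////////
// Structures.
//////////////////////////////////////////////////////////////////////////

typedef struct _INJ_INJECTION_INFO
{
  LIST_ENTRY ListEntry;

  //
  // Process ID.
  //
  HANDLE ProcessId;

  //
  // Combination of INJ_SYSTEM_DLL flags indicating
  // which DLLs have already been loaded into this
  // process.
  //
  ULONG LoadedDlls;

  //
  // If true, the process has already been injected.
  //
  BOOLEAN IsInjected;

  //
  // If true, trigger of the queued user APC will be
  // immediately forced upon next kernel->user transition.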
32 | // 33 | BOOLEAN ForceUserApc; 34 | 35 | // 36 | // Address of LdrLoadDll routine within 32-bit ntdll.dll. 37 | // 38 | PVOID LdrLoadDllX86; 39 | 40 | #if defined(_M_AMD64) 41 | // 42 | // Address of LdrLoadDll routine within 64-bit ntdll.dll. 43 | // 44 | PVOID LdrLoadDllX64; 45 | 46 | // 47 | // If true, 32-bit DLL will be injected into Wow64 48 | // processes. If false, 64-bit DLL will be injected 49 | // into Wow64 processes. 50 | // 51 | BOOLEAN UseWow64Injection; 52 | #endif 53 | } INJ_INJECTION_INFO, *PINJ_INJECTION_INFO; 54 | 55 | ////////////////////////////////////////////////////////////////////////// 56 | // Public functions. 57 | ////////////////////////////////////////////////////////////////////////// 58 | 59 | NTSTATUS 60 | NTAPI 61 | InjInitialize( 62 | _In_ PUNICODE_STRING DllPathX86, 63 | _In_ PUNICODE_STRING DllPathX64, 64 | _In_ BOOLEAN UseWow64Injection 65 | ); 66 | 67 | VOID 68 | NTAPI 69 | InjDestroy( 70 | VOID 71 | ); 72 | 73 | NTSTATUS 74 | NTAPI 75 | InjCreateInjectionInfo( 76 | _In_ HANDLE ProcessId 77 | ); 78 | 79 | VOID 80 | NTAPI 81 | InjRemoveInjectionInfo( 82 | _In_ HANDLE ProcessId 83 | ); 84 | 85 | PINJ_INJECTION_INFO 86 | NTAPI 87 | InjFindInjectionInfo( 88 | _In_ HANDLE ProcessId 89 | ); 90 | 91 | BOOLEAN 92 | NTAPI 93 | InjCanInject( 94 | _In_ PINJ_INJECTION_INFO InjectionInfo 95 | ); 96 | 97 | NTSTATUS 98 | NTAPI 99 | InjInject( 100 | _In_ PINJ_INJECTION_INFO InjectionInfo 101 | ); 102 | -------------------------------------------------------------------------------- /src/injdrv/injdrv.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; injdrv.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=injdrv.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | 
DefaultDestDir = 12 15 | injdrv_Device_CoInstaller_CopyFiles = 11 16 | 17 | ; ================= Class section ===================== 18 | 19 | [ClassInstall32] 20 | Addreg=SampleClassReg 21 | 22 | [SampleClassReg] 23 | HKR,,,0,%ClassName% 24 | HKR,,Icon,,-5 25 | 26 | [SourceDisksNames] 27 | 1 = %DiskName%,,,"" 28 | 29 | [SourceDisksFiles] 30 | injdrv.sys = 1,, 31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 32 | 33 | ;***************************************** 34 | ; Install Section 35 | ;***************************************** 36 | 37 | [Manufacturer] 38 | %ManufacturerName%=Standard,NT$ARCH$ 39 | 40 | [Standard.NT$ARCH$] 41 | %injdrv.DeviceDesc%=injdrv_Device, Root\injdrv ; TODO: edit hw-id 42 | 43 | [injdrv_Device.NT] 44 | CopyFiles=Drivers_Dir 45 | 46 | [Drivers_Dir] 47 | injdrv.sys 48 | 49 | ;-------------- Service installation 50 | [injdrv_Device.NT.Services] 51 | AddService = injdrv,%SPSVCINST_ASSOCSERVICE%, injdrv_Service_Inst 52 | 53 | ; -------------- injdrv driver install sections 54 | [injdrv_Service_Inst] 55 | DisplayName = %injdrv.SVCDESC% 56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 57 | StartType = 3 ; SERVICE_DEMAND_START 58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 59 | ServiceBinary = %12%\injdrv.sys 60 | 61 | ; 62 | ;--- injdrv_Device Coinstaller installation ------ 63 | ; 64 | 65 | [Strings] 66 | SPSVCINST_ASSOCSERVICE= 0x00000002 67 | ManufacturerName="" ;TODO: Replace with your manufacturer name 68 | ClassName="Samples" ; TODO: edit ClassName 69 | DiskName = "injdrv Installation Disk" 70 | injdrv.DeviceDesc = "injdrv Device" 71 | injdrv.SVCDESC = "injdrv Service" 72 | -------------------------------------------------------------------------------- /src/injdrv/injdrv.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | Debug 7 | Win32 8 | 9 | 10 | Release 11 | Win32 12 | 13 | 14 | Debug 15 | x64 16 | 17 | 18 | Release 19 | x64 
20 | 21 | 22 | 23 | 24 | injdrv 25 | {46A74761-6CFA-41AF-A536-47F08E2C7B48} 26 | {1bc93793-694f-48fe-9372-81e2b05556fd} 27 | v4.5 28 | 12.0 29 | Debug 30 | Win32 31 | $(LatestTargetPlatformVersion) 32 | 33 | 34 | 35 | Windows7 36 | WindowsKernelModeDriver10.0 37 | Driver 38 | WDM 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | DbgengKernelDebugger 47 | $(ProjectDir);$(VC_IncludePath);$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH) 48 | $(SolutionDir)bin\$(PlatformShortName)\$(Configuration)\ 49 | $(SolutionDir)bin\obj\$(PlatformShortName)\$(Configuration)\$(ProjectName)\ 50 | false 51 | true 52 | 53 | 54 | 55 | 4201;4748;%(DisableSpecificWarnings) 56 | 57 | stdcpplatest 58 | $(IntDir)%(RelativeDir)%(Filename)%(Extension).obj 59 | true 60 | false 61 | 62 | 63 | DebugFull 64 | /INTEGRITYCHECK %(AdditionalOptions) 65 | 66 | 67 | 68 | 69 | true 70 | 71 | 72 | 73 | 74 | 75 | false 76 | 77 | 78 | 79 | AnySuitable 80 | true 81 | 82 | 83 | UseLinkTimeCodeGeneration 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | true 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | -------------------------------------------------------------------------------- /src/injdrv/injdrv.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /src/injldr/injldr.vcxproj: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Debug 7 | Win32 8 | 9 | 10 | Release 11 | Win32 12 | 13 | 14 | Debug 15 | x64 16 | 17 | 18 | Release 19 | x64 20 | 21 | 22 | 23 | 24 | injldr 25 | {A72DAEF5-C739-4E70-B57E-4310ABA03749} 26 | 15.0 27 | Win32Proj 28 | 10.0.17134.0 29 | 30 | 31 | 32 | Application 33 | v141 34 | Unicode 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | $(SolutionDir)bin\$(PlatformShortName)\$(Configuration)\ 46 | $(SolutionDir)bin\obj\$(PlatformShortName)\$(Configuration)\$(ProjectName)\ 47 | 48 | 49 | 50 | Level3 51 | true 52 | true 53 | stdcpplatest 54 | $(IntDir)%(RelativeDir)%(Filename)%(Extension).obj 55 | true 56 | 57 | 58 | Console 59 | true 60 | ntdll.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 61 | 62 | 63 | 64 | 65 | true 66 | 67 | 68 | true 69 | 70 | 71 | 72 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 73 | Disabled 74 | MultiThreadedDebug 75 | 76 | 77 | 78 | 79 | false 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 88 | MaxSpeed 89 | MultiThreaded 90 | true 91 | true 92 | true 93 | 94 | 95 | true 96 | true 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | -------------------------------------------------------------------------------- /src/injldr/injldr.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 
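Header Files
--------------------------------------------------------------------------------
/src/injldr/install.c:
--------------------------------------------------------------------------------
#include "install.h"

#include <stdio.h>     // NOTE(review): include targets lost in extraction; restored from usage (printf)
#include <strsafe.h>   // (StringCbCat)

//
// Service-control helpers for the injdrv kernel driver.  Adapted from
// the Windows-driver-samples github repository:
// https://github.com/Microsoft/Windows-driver-samples/blob/master/general/event/exe/install.c
//
// Every SCM / service handle is opened with only the rights the
// operation needs, and every handle is closed on every path.
//

//////////////////////////////////////////////////////////////////////////
// Function prototypes.
//////////////////////////////////////////////////////////////////////////

BOOLEAN
InstallDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName,
  _In_ LPCTSTR ServiceExe
  );

BOOLEAN
RemoveDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName
  );

BOOLEAN
StartDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName
  );

BOOLEAN
StopDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName
  );

//////////////////////////////////////////////////////////////////////////
// Private functions.
//////////////////////////////////////////////////////////////////////////

//
// Creates the SCM entry for a standalone, demand-start kernel driver.
//
// SchSCManager - SCM handle opened with SC_MANAGER_CREATE_SERVICE.
// DriverName   - service name and display name.
// ServiceExe   - path of the .sys file, stored as the image path.
//
// Returns TRUE when the service exists afterwards (created now, or
// already present), FALSE on any other error.
//
// NOTE: an already existing "injdrv" service is accepted as-is; its
// image path is not verified, so a stale or foreign service of that
// name would be the one started by the caller.
//
// NOTE: a driver that needs a Tag, Group or Dependencies would require
// querying the registry for a unique Tag first.
//

BOOLEAN
InstallDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName,
  _In_ LPCTSTR ServiceExe
  )
{
  SC_HANDLE schService = CreateService(SchSCManager,
                                       DriverName,            // service name
                                       DriverName,            // display name
                                       SERVICE_QUERY_STATUS,  // handle is closed right away; ask for no more
                                       SERVICE_KERNEL_DRIVER,
                                       SERVICE_DEMAND_START,
                                       SERVICE_ERROR_NORMAL,
                                       ServiceExe,            // image path
                                       NULL,                  // no load-order group
                                       NULL,                  // no tag
                                       NULL,                  // no dependencies
                                       NULL,                  // LocalSystem
                                       NULL);                 // no password

  if (schService != NULL)
  {
    CloseServiceHandle(schService);
    return TRUE;
  }

  DWORD err = GetLastError();

  switch (err)
  {
    case ERROR_SERVICE_EXISTS:
      //
      // Treated as success (see the NOTE above).
      //
      return TRUE;

    case ERROR_SERVICE_MARKED_FOR_DELETE:
      //
      // A previous instance is still being torn down; the caller has
      // to retry later.
      //
      printf("Previous instance of the service is not fully deleted. Try again...\n");
      return FALSE;

    default:
      printf("CreateService failed! Error = %lu \n", err);
      return FALSE;
  }
}

//
// Marks the service for deletion.
//
// Returns TRUE when DeleteService succeeded, FALSE otherwise (the
// service handle is closed on both paths).
//

BOOLEAN
RemoveDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName
  )
{
  SC_HANDLE schService = OpenService(SchSCManager, DriverName, DELETE);

  if (schService == NULL)
  {
    printf("OpenService failed! Error = %lu \n", GetLastError());
    return FALSE;
  }

  BOOLEAN rCode = TRUE;

  if (!DeleteService(schService))
  {
    printf("DeleteService failed! Error = %lu \n", GetLastError());
    rCode = FALSE;
  }

  CloseServiceHandle(schService);
  return rCode;
}

//
// Starts the driver service.
//
// Returns TRUE when the service is running afterwards (started now,
// or already running), FALSE otherwise.  Unlike the sample this was
// taken from, the service handle is closed on every path.
//

BOOLEAN
StartDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName
  )
{
  SC_HANDLE schService = OpenService(SchSCManager, DriverName, SERVICE_START);

  if (schService == NULL)
  {
    printf("OpenService failed! Error = %lu \n", GetLastError());
    return FALSE;
  }

  BOOLEAN rCode = TRUE;

  if (!StartService(schService, 0, NULL))
  {
    DWORD err = GetLastError();

    if (err != ERROR_SERVICE_ALREADY_RUNNING)
    {
      printf("StartService failure! Error = %lu \n", err);
      rCode = FALSE;
    }
  }

  CloseServiceHandle(schService);
  return rCode;
}

//
// Sends SERVICE_CONTROL_STOP to the driver service.
//
// Returns TRUE when the control request was accepted, FALSE otherwise.
//

BOOLEAN
StopDriver(
  _In_ SC_HANDLE SchSCManager,
  _In_ LPCTSTR DriverName
  )
{
  SC_HANDLE schService = OpenService(SchSCManager, DriverName, SERVICE_STOP);

  if (schService == NULL)
  {
    printf("OpenService failed! Error = %lu \n", GetLastError());
    return FALSE;
  }

  BOOLEAN rCode = TRUE;
  SERVICE_STATUS serviceStatus;

  if (!ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus))
  {
    printf("ControlService failed! Error = %lu \n", GetLastError());
    rCode = FALSE;
  }

  CloseServiceHandle(schService);
  return rCode;
}

//////////////////////////////////////////////////////////////////////////
// Public functions.
//////////////////////////////////////////////////////////////////////////

//
// Installs-and-starts or stops-and-removes the driver service.
//
// DriverName  - service name.
// ServiceName - despite its name, the path of the driver binary; it
//               becomes the service image path for DRIVER_FUNC_INSTALL
//               and is unused for DRIVER_FUNC_REMOVE.
// Function    - DRIVER_FUNC_INSTALL or DRIVER_FUNC_REMOVE.
//
// Returns FALSE for bad arguments, an unknown Function, an SCM that
// could not be opened, or an install/start failure.  Removal is best
// effort and always reports TRUE once the SCM was opened.
//

BOOLEAN
ManageDriver(
  _In_ LPCTSTR DriverName,
  _In_ LPCTSTR ServiceName,
  _In_ USHORT Function
  )
{
  if (!DriverName || !ServiceName)
  {
    printf("Invalid Driver or Service provided to ManageDriver() \n");
    return FALSE;
  }

  //
  // SC_MANAGER_CONNECT suffices to open existing services; creating
  // one additionally needs SC_MANAGER_CREATE_SERVICE.
  //

  DWORD scmAccess = SC_MANAGER_CONNECT;

  if (Function == DRIVER_FUNC_INSTALL)
  {
    scmAccess |= SC_MANAGER_CREATE_SERVICE;
  }

  SC_HANDLE schSCManager = OpenSCManager(NULL,   // local machine
                                         NULL,   // local database
                                         scmAccess);

  if (!schSCManager)
  {
    printf("Open SC Manager failed! Error = %lu \n", GetLastError());
    return FALSE;
  }

  BOOLEAN rCode;

  switch (Function)
  {
    case DRIVER_FUNC_INSTALL:
      //
      // Start only after the service entry exists.
      //
      rCode = (BOOLEAN)(InstallDriver(schSCManager, DriverName, ServiceName) &&
                        StartDriver(schSCManager, DriverName));
      break;

    case DRIVER_FUNC_REMOVE:
      //
      // Best-effort teardown: errors are reported by the helpers but
      // deliberately ignored here.
      //
      StopDriver(schSCManager, DriverName);
      RemoveDriver(schSCManager, DriverName);
      rCode = TRUE;
      break;

    default:
      printf("Unknown ManageDriver() function. \n");
      rCode = FALSE;
      break;
  }

  CloseServiceHandle(schSCManager);
  return rCode;
}

//
// Builds "<current directory>\injdrv.sys" into DriverLocation and
// checks that the file can be opened for reading.
//
// DriverLocation - output buffer of BufferLength BYTES (not TCHARs).
//
// Returns TRUE when the path was built and the file exists, FALSE
// otherwise (a message has been printed).
//
// NOTE: the driver is resolved relative to the *current working
// directory*, not the loader's own directory.  Whoever controls the
// directory injldr is started from controls which injdrv.sys is handed
// to the SCM; run the loader from a directory only administrators can
// write to.
//

BOOLEAN
SetupDriverName(
  _Inout_updates_bytes_all_(BufferLength) PTCHAR DriverLocation,
  _In_ ULONG BufferLength
  )
{
  //
  // BufferLength is a byte count, but GetCurrentDirectory takes the
  // size in TCHARs.  Passing the byte count as a character count
  // over-states the buffer in a Unicode build; convert first.
  //

  DWORD bufferChars = BufferLength / sizeof(TCHAR);

  DWORD driverLocLen = GetCurrentDirectory(bufferChars, DriverLocation);

  if (driverLocLen == 0)
  {
    printf("GetCurrentDirectory failed! Error = %lu \n", GetLastError());
    return FALSE;
  }

  //
  // A return value >= the buffer size means the buffer was too small:
  // the value is then the required size and nothing was written.
  //

  if (driverLocLen >= bufferChars)
  {
    printf("GetCurrentDirectory failed! Buffer too small (%lu chars needed) \n", driverLocLen);
    return FALSE;
  }

  //
  // StringCbCat takes the destination size in bytes, as given.
  //

  if (FAILED(StringCbCat(DriverLocation, BufferLength, TEXT("\\" DRIVER_NAME ".sys"))))
  {
    printf("Driver path does not fit into the buffer \n");
    return FALSE;
  }

  //
  // Existence/readability check only.  FILE_SHARE_READ so that another
  // reader holding the file open does not make the check fail.
  //

  HANDLE fileHandle = CreateFile(DriverLocation,
                                 GENERIC_READ,
                                 FILE_SHARE_READ,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);

  if (fileHandle == INVALID_HANDLE_VALUE)
  {
    printf("%s.sys was not found in the current directory. Error = %lu \n", DRIVER_NAME, GetLastError());
    return FALSE;
  }

  CloseHandle(fileHandle);
  return TRUE;
}
--------------------------------------------------------------------------------
/src/injldr/install.h:
--------------------------------------------------------------------------------
#pragma once
#include <windows.h>   // NOTE(review): include target lost in extraction; restored from the SC_HANDLE/LPCTSTR types used below

#define DRIVER_FUNC_INSTALL     0x01
#define DRIVER_FUNC_REMOVE      0x02

#define DRIVER_NAME             "injdrv"

BOOLEAN
ManageDriver(
  _In_ LPCTSTR DriverName,
  _In_ LPCTSTR ServiceName,
  _In_ USHORT Function
  );

BOOLEAN
SetupDriverName(
  _Inout_updates_bytes_all_(BufferLength) PTCHAR DriverLocation,
  _In_ ULONG BufferLength
  );
--------------------------------------------------------------------------------
/src/injldr/main.c:
--------------------------------------------------------------------------------
// NOTE(review): the four include targets were lost in extraction and are
// restored from usage: Win32 API, StartTrace/EnableTrace/OpenTrace,
// EVENT_RECORD, wprintf.
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <stdio.h>

#include "install.h"

//
// ETW provider GUID, enabled on the session below.  It must be the
// same GUID injdll registers ({a4b4ba50-a667-43f5-919b-1e52a6d69bd5}),
// otherwise no events arrive.
//

GUID ProviderGuid = {
  0xa4b4ba50, 0xa667, 0x43f5, { 0x91, 0x9b, 0x1e, 0x52, 0xa6, 0xd6, 0x9b, 0xd5 }
};

//
// Trace session GUID {53d82d11-cede-4dff-8eb4-f06631800128}.
//

GUID SessionGuid = {
  0x53d82d11, 0xcede, 0x4dff, { 0x8e, 0xb4, 0xf0, 0x66, 0x31, 0x80, 0x1, 0x28 }
};

TCHAR SessionName[] = TEXT("InjSession");

//
// Called by ProcessTrace for every event of the real-time session.
// The expected payload is an EventWriteString event from injdll: a
// WCHAR string whose length (NUL included) is UserDataLength.
//
// Events from any other provider are skipped (the session can deliver
// its own bookkeeping events), and the string is printed bounded by
// UserDataLength so a short or unterminated payload is never read
// past.
//

VOID
WINAPI
TraceEventCallback(
  _In_ PEVENT_RECORD EventRecord
  )
{
  if (!EventRecord->UserData || EventRecord->UserDataLength < sizeof(WCHAR))
  {
    return;
  }

  if (!IsEqualGUID(&EventRecord->EventHeader.ProviderId, &ProviderGuid))
  {
    return;
  }

  //
  // %.*s stops at the first NUL or after this many characters,
  // whichever comes first.
  //

  int chars = (int)(EventRecord->UserDataLength / sizeof(WCHAR));

  wprintf(L"[PID:%04lX][TID:%04lX] %.*s\n",
          EventRecord->EventHeader.ProcessId,
          EventRecord->EventHeader.ThreadId,
          chars,
          (PWCHAR)EventRecord->UserData);
}

ULONG
NTAPI
TraceStart(
  VOID
  )
{
  //
  // Start new trace session.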
57 | // For an awesome blogpost on ETW API, see: 58 | // https://caseymuratori.com/blog_0025 59 | // 60 | 61 | ULONG ErrorCode; 62 | 63 | TRACEHANDLE TraceSessionHandle = INVALID_PROCESSTRACE_HANDLE; 64 | 65 | BYTE Buffer[sizeof(EVENT_TRACE_PROPERTIES) + 4096]; 66 | RtlZeroMemory(Buffer, sizeof(Buffer)); 67 | 68 | PEVENT_TRACE_PROPERTIES EventTraceProperties = (PEVENT_TRACE_PROPERTIES)Buffer; 69 | EventTraceProperties->Wnode.BufferSize = sizeof(Buffer); 70 | 71 | RtlZeroMemory(Buffer, sizeof(Buffer)); 72 | EventTraceProperties->Wnode.BufferSize = sizeof(Buffer); 73 | EventTraceProperties->Wnode.ClientContext = 1; // Use QueryPerformanceCounter, see MSDN 74 | EventTraceProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID; 75 | EventTraceProperties->LogFileMode = PROCESS_TRACE_MODE_REAL_TIME; 76 | EventTraceProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES); 77 | 78 | ErrorCode = StartTrace(&TraceSessionHandle, SessionName, EventTraceProperties); 79 | if (ErrorCode != ERROR_SUCCESS) 80 | { 81 | goto Exit; 82 | } 83 | 84 | // 85 | // Enable tracing of our provider. 86 | // 87 | 88 | ErrorCode = EnableTrace(TRUE, 0, 0, &ProviderGuid, TraceSessionHandle); 89 | if (ErrorCode != ERROR_SUCCESS) 90 | { 91 | goto Exit; 92 | } 93 | 94 | EVENT_TRACE_LOGFILE TraceLogfile = { 0 }; 95 | TraceLogfile.LoggerName = SessionName; 96 | TraceLogfile.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_REAL_TIME; 97 | TraceLogfile.EventRecordCallback = &TraceEventCallback; 98 | 99 | // 100 | // Open real-time tracing session. 101 | // 102 | 103 | TRACEHANDLE TraceHandle = OpenTrace(&TraceLogfile); 104 | if (TraceHandle == INVALID_PROCESSTRACE_HANDLE) 105 | { 106 | // 107 | // Synthetic error code. 108 | // 109 | ErrorCode = ERROR_FUNCTION_FAILED; 110 | goto Exit; 111 | } 112 | 113 | // 114 | // Process trace events. This call is blocking. 
115 | // 116 | 117 | ErrorCode = ProcessTrace(&TraceHandle, 1, NULL, NULL); 118 | 119 | Exit: 120 | if (TraceHandle) 121 | { 122 | CloseTrace(TraceHandle); 123 | } 124 | 125 | if (TraceSessionHandle) 126 | { 127 | CloseTrace(TraceSessionHandle); 128 | } 129 | 130 | RtlZeroMemory(Buffer, sizeof(Buffer)); 131 | EventTraceProperties->Wnode.BufferSize = sizeof(Buffer); 132 | StopTrace(0, SessionName, EventTraceProperties); 133 | 134 | if (ErrorCode != ERROR_SUCCESS) 135 | { 136 | printf("Error: %08x\n", ErrorCode); 137 | } 138 | 139 | return ErrorCode; 140 | } 141 | 142 | VOID 143 | NTAPI 144 | TraceStop( 145 | VOID 146 | ) 147 | { 148 | BYTE Buffer[sizeof(EVENT_TRACE_PROPERTIES) + 4096]; 149 | RtlZeroMemory(Buffer, sizeof(Buffer)); 150 | 151 | PEVENT_TRACE_PROPERTIES EventTraceProperties = (PEVENT_TRACE_PROPERTIES)Buffer; 152 | EventTraceProperties->Wnode.BufferSize = sizeof(Buffer); 153 | 154 | StopTrace(0, SessionName, EventTraceProperties); 155 | } 156 | 157 | ////////////////////////////////////////////////////////////////////////// 158 | 159 | BOOLEAN 160 | DoInstallUninstall( 161 | _In_ BOOLEAN Install 162 | ) 163 | { 164 | TCHAR driverLocation[MAX_PATH] = { 0 }; 165 | 166 | // 167 | // The driver is not started yet so let us install the driver. 168 | // First setup full path to driver name. 169 | // 170 | 171 | if (!SetupDriverName(driverLocation, sizeof(driverLocation))) 172 | { 173 | return FALSE; 174 | } 175 | 176 | if (Install) 177 | { 178 | if (!ManageDriver(TEXT(DRIVER_NAME), 179 | driverLocation, 180 | DRIVER_FUNC_INSTALL)) 181 | { 182 | printf("Unable to install driver. \n"); 183 | 184 | // 185 | // Error - remove driver. 186 | // 187 | 188 | ManageDriver(TEXT(DRIVER_NAME), 189 | driverLocation, 190 | DRIVER_FUNC_REMOVE); 191 | 192 | return FALSE; 193 | } 194 | } 195 | else 196 | { 197 | // 198 | // Ignore errors. 
199 | // 200 | 201 | ManageDriver(TEXT(DRIVER_NAME), 202 | driverLocation, 203 | DRIVER_FUNC_REMOVE); 204 | } 205 | 206 | return TRUE; 207 | } 208 | 209 | BOOL 210 | WINAPI 211 | CtrlCHandlerRoutine( 212 | _In_ DWORD dwCtrlType 213 | ) 214 | { 215 | if (dwCtrlType == CTRL_C_EVENT) 216 | { 217 | // 218 | // Ctrl+C was pressed, stop the trace session. 219 | // 220 | printf("Ctrl+C pressed, stopping trace session...\n"); 221 | 222 | TraceStop(); 223 | } 224 | 225 | return FALSE; 226 | } 227 | 228 | int main(int argc, char* argv[]) 229 | { 230 | SetConsoleCtrlHandler(&CtrlCHandlerRoutine, TRUE); 231 | 232 | // 233 | // Stop any previous trace session (if exists). 234 | // 235 | 236 | TraceStop(); 237 | 238 | // 239 | // Parse command-line parameters. 240 | // 241 | 242 | if (argc == 2) 243 | { 244 | TCHAR DriverLocation[MAX_PATH]; 245 | SetupDriverName(DriverLocation, sizeof(DriverLocation)); 246 | 247 | if (!strcmp(argv[1], "-i")) 248 | { 249 | printf("Installing driver...\n"); 250 | 251 | if (DoInstallUninstall(TRUE)) 252 | { 253 | printf("Driver installed!\n"); 254 | } 255 | else 256 | { 257 | printf("Error!\n"); 258 | return EXIT_FAILURE; 259 | } 260 | } 261 | else if (!strcmp(argv[1], "-u")) 262 | { 263 | printf("Uninstalling driver...\n"); 264 | 265 | DoInstallUninstall(FALSE); 266 | 267 | return EXIT_SUCCESS; 268 | } 269 | } 270 | 271 | printf("Starting tracing session...\n"); 272 | 273 | ULONG ErrorCode = TraceStart(); 274 | 275 | return ErrorCode == ERROR_SUCCESS 276 | ? EXIT_SUCCESS 277 | : EXIT_FAILURE; 278 | } 279 | --------------------------------------------------------------------------------