├── README.md
├── .gitmodules
├── src
    ├── SneakCallsStub.asm
    └── SneakCalls.cpp
├── .gitignore
├── Makefile
└── include
    └── SneakCalls.hpp


/README.md:
--------------------------------------------------------------------------------
1 | # SneakCalls
2 | direct systemcalls with a modern c++20 interface.
3 | 


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "lib/PeHelper"]
2 | 	path = lib/PeHelper
3 | 	url = https://github.com/bytesundso/PeHelper
4 | 


--------------------------------------------------------------------------------
/src/SneakCallsStub.asm:
--------------------------------------------------------------------------------
 1 | IFDEF RAX
 2 | 
 3 | .code
 4 | 
 5 | executeSyscall PROC
 6 |     add rsp, 8
 7 |     mov rax, rcx
 8 |     mov rcx, rdx
 9 |     mov rdx, r8
10 |     mov r8, r9
11 |     mov r9, [rsp + 20h]
12 |     mov r10, rcx
13 |     syscall
14 |     sub rsp, 8
15 |     ret
16 | executeSyscall ENDP
17 | 
18 | ELSE
19 | ENDIF
20 | END


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Prerequisites
 2 | *.d
 3 | 
 4 | # Compiled Object files
 5 | *.slo
 6 | *.lo
 7 | *.o
 8 | *.obj
 9 | 
10 | # Precompiled Headers
11 | *.gch
12 | *.pch
13 | 
14 | # Compiled Dynamic libraries
15 | *.so
16 | *.dylib
17 | *.dll
18 | 
19 | # Fortran module files
20 | *.mod
21 | *.smod
22 | 
23 | # Compiled Static libraries
24 | *.lai
25 | *.la
26 | *.a
27 | *.lib
28 | 
29 | # Executables
30 | *.exe
31 | *.out
32 | *.app
33 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | NAME_BIN=SneakCalls.lib
 2 | NAME_LIBS=PeHelper
 3 | 
 4 | DIR_INC=include
 5 | DIR_SRC=src
 6 | DIR_BUILD=build
 7 | DIR_LIB=lib
 8 | 
 9 | FLAGS_ASM=
10 | FLAGS_C=
11 | FLAGS_CPP=/std:c++20 /Gd /GR- /O1 /sdl- /GS-
12 | 
13 | LINK=lib /NODEFAULTLIB /SUBSYSTEM:WINDOWS
14 | 
15 | !IF !DEFINED(VSCMD_ARG_TGT_ARCH) || !DEFINED(AS) || !DEFINED(CC) || !DEFINED(CPP)
16 | !ERROR "Not all macros are defined! (Did you use VS Development Powershell/Command Prompt?)"
17 | !ENDIF
18 | 
19 | all: $(DIR_INC) $(DIR_SRC) $(DIR_BUILD) $(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH) $(DIR_LIB) $(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)\\$(NAME_BIN)
20 | 
21 | $(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)\\$(NAME_BIN): $(DIR_SRC)\\*.asm $(DIR_SRC)\\*.c $(DIR_SRC)\\*.cpp
22 | 	@$(MAKE) $(patsubst $(DIR_SRC)\\%, $(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)\\%, $(subst $(DIR_SRC)\\*.obj,, $(patsubst %.cpp, %.obj, $(patsubst %.c, %.obj, $(patsubst %.asm, %.obj, $(**))))))
23 | 	@$(LINK) $(patsubst %, -libpath:$(DIR_LIB)\\%\\$(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH), $(NAME_LIBS)) -out:$(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)\\$(NAME_BIN) $(patsubst $(DIR_SRC)\\%, $(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)\\%, $(subst $(DIR_SRC)\\*.obj,, $(patsubst %.cpp, %.obj, $(patsubst %.c, %.obj, $(patsubst %.asm, %.obj, $(**))))))
24 | 
25 | $(DIR_SRC)\\*.asm:
26 | {$(DIR_SRC)}.asm{$(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)}.obj:
27 | 	@$(AS) $(FLAGS_ASM) -Fo $(@) -c $(<)
28 | 
29 | $(DIR_SRC)\\*.c:
30 | {$(DIR_SRC)}.c{$(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)}.obj:
31 | 	@$(CC) $(FLAGS_C) -Fo:$(@) -I $(DIR_INC) $(patsubst %, -I $(DIR_LIB)\\%\\$(DIR_INC), $(NAME_LIBS)) -c $(<)
32 | 
33 | $(DIR_SRC)\\*.cpp:
34 | {$(DIR_SRC)}.cpp{$(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH)}.obj:
35 | 	@$(CPP) $(FLAGS_CPP) -Fo:$(@) -I $(DIR_INC) $(patsubst %, -I $(DIR_LIB)\\%\\$(DIR_INC), $(NAME_LIBS)) -c $(<)
36 | 
37 | 
38 | $(DIR_INC) $(DIR_SRC) $(DIR_BUILD) $(DIR_BUILD)\\$(VSCMD_ARG_TGT_ARCH) $(DIR_LIB):
39 | 	@mkdir $(@)
40 | 
41 | clean:
42 | 	@rmdir /s /q $(DIR_BUILD)


--------------------------------------------------------------------------------
/src/SneakCalls.cpp:
--------------------------------------------------------------------------------
 1 | #include "SneakCalls.hpp"
 2 | #include "PeHelper.hpp"
 3 | 
 4 | UINT_PTR SneakHelper::getNtdllBase()
 5 | {
 6 |     #if defined(_WIN64)
 7 |     PPEB pPeb = (PEB*)__readgsqword(0x60);
 8 | #else
 9 |     PEB* pPeb = (PEB*)__readfsdword(0x30);
10 | #endif
11 | 
12 |     for(PLIST_ENTRY pEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pEntry != &pPeb->Ldr->InMemoryOrderModuleList; pEntry = pEntry->Flink)
13 |     {
14 |         PeImage image(((LDR_DATA_TABLE_ENTRY*)((UINT_PTR)pEntry - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)))->DllBase);
15 | 
16 |         if (!PeHelper::isValid(image))
17 |             continue;
18 | 
19 |         if ((*(ULONG*)PeHelper::rvaToVA(image, PeHelper::getExportDirectory(image)->Name) | 0x20202020) != 'ldtn') 
20 |             continue;
21 | 
22 |         if ((*(ULONG*)PeHelper::rvaToVA(image, (PeHelper::getExportDirectory(image)->Name + 4)) | 0x20202020) == 'ld.l') 
23 |             return image.base;
24 |     }
25 | 
26 |     return NULL;
27 | }
28 | 
29 | UINT32 SneakHelper::hashToScn(UINT32 hash)
30 | {
31 |     PeImage ntdll((PVOID)getNtdllBase());
32 | 
33 |     if (!ntdll.base || !PeHelper::isValid(ntdll))
34 |         return NULL;
35 | 
36 |     PIMAGE_EXPORT_DIRECTORY pExportDirectory = PeHelper::getExportDirectory(ntdll);
37 | 
38 |     PDWORD pFunctions = (PDWORD)PeHelper::rvaToVA(ntdll, pExportDirectory->AddressOfFunctions);
39 |     PDWORD pNames = (PDWORD)PeHelper::rvaToVA(ntdll, pExportDirectory->AddressOfNames);
40 |     PWORD pOrdinals = (PWORD)PeHelper::rvaToVA(ntdll, pExportDirectory->AddressOfNameOrdinals);
41 | 
42 |     DWORD pFunction = 0;
43 |     
44 |     for (int i = pExportDirectory->NumberOfNames - 1; i >= 0; i--)
45 |     {
46 |         PCHAR functionName = (PCHAR)PeHelper::rvaToVA(ntdll, pNames[i]);
47 | 
48 |         if (*(USHORT*)functionName == 'wZ' && SneakHelper::hash(functionName) == hash)
49 |         {
50 |             pFunction = pFunctions[pOrdinals[i]];
51 |             break;
52 |         }
53 |     }
54 | 
55 |     if (!pFunction)
56 |         return -1;
57 | 
58 |     DWORD syscallNumber = 0;
59 | 
60 |     for (int i = pExportDirectory->NumberOfNames - 1; i >= 0; i--)
61 |     {
62 |         PCHAR functionName = (PCHAR)PeHelper::rvaToVA(ntdll, pNames[i]);
63 | 
64 |         if (*(USHORT*)functionName == 'wZ' && pFunction > pFunctions[pOrdinals[i]])
65 |             syscallNumber++;
66 |     }
67 | 
68 |     return syscallNumber;
69 | }


--------------------------------------------------------------------------------
/include/SneakCalls.hpp:
--------------------------------------------------------------------------------
   1 | #pragma once
   2 | 
   3 | #include <utility>
   4 | #include <cstdint>
   5 | #include <Windows.h>
   6 | 
   7 | extern "C" void executeSyscall();
   8 | 
   9 | class SneakHelper
  10 | {
  11 | public:
  12 |     static constexpr UINT32 hash(LPSTR functionName)
  13 |     {
  14 |         UINT32 r = 37;
  15 | 
  16 |         for(int i = 0; functionName[i]; i++)
  17 |             r = ((r << 5) + r) + functionName[i];
  18 | 
  19 |         return r;
  20 |     }
  21 | 
  22 |     static consteval UINT32 hash(LPCSTR functionName) 
  23 |     { 
  24 |         return hash(const_cast<LPSTR>(functionName)); 
  25 |     }
  26 | 
  27 |     static UINT_PTR getNtdllBase();
  28 |     static UINT32 hashToScn(UINT32 hash);
  29 | };
  30 | 
  31 | template <UINT32 hash, typename... ArgTypes>
  32 | class SneakCall
  33 | {
  34 | public:
  35 |     SneakCall() : scn(SneakHelper::hashToScn(hash)) 
  36 |     {
  37 | 
  38 |     }
  39 | 
  40 |     NTSTATUS call(ArgTypes... args)
  41 |     {
  42 |         using Executor = NTSTATUS(NTAPI*)(UINT32, ArgTypes...); 
  43 |         return (Executor(executeSyscall))(scn, std::forward<ArgTypes>(args)...);
  44 |     }
  45 | 
  46 | private:
  47 |     UINT32 scn;
  48 | };
  49 | 
  50 | typedef struct _PEB_LDR_DATA 
  51 | {
  52 | 	BYTE Reserved1[8];
  53 | 	PVOID Reserved2[3];
  54 | 	LIST_ENTRY InMemoryOrderModuleList;
  55 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
  56 | 
  57 | typedef struct LDR_DATA_TABLE_ENTRY 
  58 | {
  59 | 	PVOID Reserved1[2];
  60 | 	LIST_ENTRY InMemoryOrderLinks;
  61 | 	PVOID Reserved2[2];
  62 | 	PVOID DllBase;
  63 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
  64 | 
  65 | typedef struct PEB 
  66 | {
  67 | 	BYTE Reserved1[2];
  68 | 	BYTE BeingDebugged;
  69 | 	BYTE Reserved2[1];
  70 | 	PVOID Reserved3[2];
  71 | 	PPEB_LDR_DATA Ldr;
  72 | } PEB, *PPEB;
  73 | 
  74 | typedef struct _UNICODE_STRING
  75 | {
  76 | 	USHORT Length;
  77 | 	USHORT MaximumLength;
  78 | 	PWSTR  Buffer;
  79 | } UNICODE_STRING, *PUNICODE_STRING;
  80 | 
  81 | typedef struct _SYSTEM_HANDLE
  82 | {
  83 | 	ULONG ProcessId;
  84 | 	BYTE ObjectTypeNumber;
  85 | 	BYTE Flags;
  86 | 	USHORT Handle;
  87 | 	PVOID Object;
  88 | 	ACCESS_MASK GrantedAccess;
  89 | } SYSTEM_HANDLE, *PSYSTEM_HANDLE;
  90 | 
  91 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
  92 | {
  93 | 	ULONG64        Version;
  94 | 	UNICODE_STRING Name;
  95 | } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
  96 | 
  97 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
  98 | {
  99 | 	PVOID pValue;
 100 | 	ULONG ValueLength;
 101 | } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
 102 | 
 103 | typedef struct _WNF_TYPE_ID
 104 | {
 105 | 	GUID TypeId;
 106 | } WNF_TYPE_ID, *PWNF_TYPE_ID;
 107 | 
 108 | typedef enum _KCONTINUE_TYPE
 109 | {
 110 | 	KCONTINUE_UNWIND,
 111 | 	KCONTINUE_RESUME,
 112 | 	KCONTINUE_LONGJUMP,
 113 | 	KCONTINUE_SET,
 114 | 	KCONTINUE_LAST
 115 | } KCONTINUE_TYPE;
 116 | 
 117 | typedef struct _IO_STATUS_BLOCK
 118 | {
 119 | 	union
 120 | 	{
 121 | 		NTSTATUS Status;
 122 | 		VOID*    Pointer;
 123 | 	};
 124 | 	ULONG_PTR Information;
 125 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
 126 | 
 127 | typedef enum _PS_CREATE_STATE
 128 | {
 129 | 	PsCreateInitialState,
 130 | 	PsCreateFailOnFileOpen,
 131 | 	PsCreateFailOnSectionCreate,
 132 | 	PsCreateFailExeFormat,
 133 | 	PsCreateFailMachineMismatch,
 134 | 	PsCreateFailExeName,
 135 | 	PsCreateSuccess,
 136 | 	PsCreateMaximumStates
 137 | } PS_CREATE_STATE, *PPS_CREATE_STATE;
 138 | 
 139 | typedef struct _SYSTEM_HANDLE_INFORMATION
 140 | {
 141 | 	ULONG HandleCount;
 142 | 	SYSTEM_HANDLE Handles[1];
 143 | } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
 144 | 
 145 | typedef struct _CLIENT_ID
 146 | {
 147 | 	HANDLE UniqueProcess;
 148 | 	HANDLE UniqueThread;
 149 | } CLIENT_ID, *PCLIENT_ID;
 150 | 
 151 | typedef enum _PLUGPLAY_EVENT_CATEGORY
 152 | {
 153 | 	HardwareProfileChangeEvent,
 154 | 	TargetDeviceChangeEvent,
 155 | 	DeviceClassChangeEvent,
 156 | 	CustomDeviceEvent,
 157 | 	DeviceInstallEvent,
 158 | 	DeviceArrivalEvent,
 159 | 	PowerEvent,
 160 | 	VetoEvent,
 161 | 	BlockedDriverEvent,
 162 | 	InvalidIDEvent,
 163 | 	MaxPlugEventCategory
 164 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY;
 165 | 
 166 | typedef enum _PNP_VETO_TYPE
 167 | {
 168 | 	PNP_VetoTypeUnknown, // unspecified
 169 | 	PNP_VetoLegacyDevice, // instance path
 170 | 	PNP_VetoPendingClose, // instance path
 171 | 	PNP_VetoWindowsApp, // module
 172 | 	PNP_VetoWindowsService, // service
 173 | 	PNP_VetoOutstandingOpen, // instance path
 174 | 	PNP_VetoDevice, // instance path
 175 | 	PNP_VetoDriver, // driver service name
 176 | 	PNP_VetoIllegalDeviceRequest, // instance path
 177 | 	PNP_VetoInsufficientPower, // unspecified
 178 | 	PNP_VetoNonDisableable, // instance path
 179 | 	PNP_VetoLegacyDriver, // service
 180 | 	PNP_VetoInsufficientRights  // unspecified
 181 | } PNP_VETO_TYPE, *PPNP_VETO_TYPE;
 182 | 
 183 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
 184 | {
 185 | 	UNICODE_STRING Name;
 186 | 	USHORT         ValueType;
 187 | 	USHORT         Reserved;
 188 | 	ULONG          Flags;
 189 | 	ULONG          ValueCount;
 190 | 	union
 191 | 	{
 192 | 		PLONG64                                      pInt64;
 193 | 		PULONG64                                     pUint64;
 194 | 		PUNICODE_STRING                              pString;
 195 | 		PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE         pFqbn;
 196 | 		PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
 197 | 	} Values;
 198 | } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
 199 | 
 200 | typedef VOID(KNORMAL_ROUTINE) (
 201 | 	IN PVOID NormalContext,
 202 | 	IN PVOID SystemArgument1,
 203 | 	IN PVOID SystemArgument2);
 204 | 
 205 | typedef struct _PS_ATTRIBUTE
 206 | {
 207 | 	ULONG  Attribute;
 208 | 	SIZE_T Size;
 209 | 	union
 210 | 	{
 211 | 		ULONG Value;
 212 | 		PVOID ValuePtr;
 213 | 	} u1;
 214 | 	PSIZE_T ReturnLength;
 215 | } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
 216 | 
 217 | #ifndef InitializeObjectAttributes
 218 | #define InitializeObjectAttributes( p, n, a, r, s ) { \
 219 | 	(p)->Length = sizeof( OBJECT_ATTRIBUTES );        \
 220 | 	(p)->RootDirectory = r;                           \
 221 | 	(p)->Attributes = a;                              \
 222 | 	(p)->ObjectName = n;                              \
 223 | 	(p)->SecurityDescriptor = s;                      \
 224 | 	(p)->SecurityQualityOfService = NULL;             \
 225 | }
 226 | #endif
 227 | 
 228 | typedef struct _WNF_STATE_NAME
 229 | {
 230 | 	ULONG Data[2];
 231 | } WNF_STATE_NAME, *PWNF_STATE_NAME;
 232 | 
 233 | typedef struct _KEY_VALUE_ENTRY
 234 | {
 235 | 	PUNICODE_STRING ValueName;
 236 | 	ULONG           DataLength;
 237 | 	ULONG           DataOffset;
 238 | 	ULONG           Type;
 239 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
 240 | 
 241 | typedef enum _KEY_SET_INFORMATION_CLASS
 242 | {
 243 | 	KeyWriteTimeInformation,
 244 | 	KeyWow64FlagsInformation,
 245 | 	KeyControlFlagsInformation,
 246 | 	KeySetVirtualizationInformation,
 247 | 	KeySetDebugInformation,
 248 | 	KeySetHandleTagsInformation,
 249 | 	MaxKeySetInfoClass  // MaxKeySetInfoClass should always be the last enum.
 250 | } KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS;
 251 | 
 252 | typedef enum _SYSTEM_INFORMATION_CLASS
 253 | {
 254 | 	SystemBasicInformation = 0,
 255 | 	SystemPerformanceInformation = 2,
 256 | 	SystemTimeOfDayInformation = 3,
 257 | 	SystemProcessInformation = 5,
 258 | 	SystemProcessorPerformanceInformation = 8,
 259 | 	SystemHandleInformation = 16,
 260 | 	SystemInterruptInformation = 23,
 261 | 	SystemExceptionInformation = 33,
 262 | 	SystemRegistryQuotaInformation = 37,
 263 | 	SystemLookasideInformation = 45,
 264 | 	SystemCodeIntegrityInformation = 103,
 265 | 	SystemPolicyInformation = 134,
 266 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
 267 | 
 268 | typedef enum _PROCESSINFOCLASS
 269 | {
 270 | 	ProcessBasicInformation = 0,
 271 | 	ProcessDebugPort = 7,
 272 | 	ProcessWow64Information = 26,
 273 | 	ProcessImageFileName = 27,
 274 | 	ProcessBreakOnTermination = 29
 275 | } PROCESSINFOCLASS, *PPROCESSINFOCLASS;
 276 | 
 277 | typedef struct _MEMORY_RANGE_ENTRY
 278 | {
 279 | 	PVOID  VirtualAddress;
 280 | 	SIZE_T NumberOfBytes;
 281 | } MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;
 282 | 
 283 | typedef struct _T2_SET_PARAMETERS_V0
 284 | {
 285 | 	ULONG    Version;
 286 | 	ULONG    Reserved;
 287 | 	LONGLONG NoWakeTolerance;
 288 | } T2_SET_PARAMETERS, *PT2_SET_PARAMETERS;
 289 | 
 290 | typedef struct _FILE_PATH
 291 | {
 292 | 	ULONG Version;
 293 | 	ULONG Length;
 294 | 	ULONG Type;
 295 | 	CHAR  FilePath[1];
 296 | } FILE_PATH, *PFILE_PATH;
 297 | 
 298 | typedef struct _FILE_USER_QUOTA_INFORMATION
 299 | {
 300 | 	ULONG         NextEntryOffset;
 301 | 	ULONG         SidLength;
 302 | 	LARGE_INTEGER ChangeTime;
 303 | 	LARGE_INTEGER QuotaUsed;
 304 | 	LARGE_INTEGER QuotaThreshold;
 305 | 	LARGE_INTEGER QuotaLimit;
 306 | 	SID           Sid[1];
 307 | } FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION;
 308 | 
 309 | typedef struct _FILE_QUOTA_LIST_INFORMATION
 310 | {
 311 | 	ULONG NextEntryOffset;
 312 | 	ULONG SidLength;
 313 | 	SID   Sid[1];
 314 | } FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION;
 315 | 
 316 | typedef struct _FILE_NETWORK_OPEN_INFORMATION
 317 | {
 318 | 	LARGE_INTEGER CreationTime;
 319 | 	LARGE_INTEGER LastAccessTime;
 320 | 	LARGE_INTEGER LastWriteTime;
 321 | 	LARGE_INTEGER ChangeTime;
 322 | 	LARGE_INTEGER AllocationSize;
 323 | 	LARGE_INTEGER EndOfFile;
 324 | 	ULONG         FileAttributes;
 325 | 	ULONG         Unknown;
 326 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
 327 | 
 328 | typedef enum _FILTER_BOOT_OPTION_OPERATION
 329 | {
 330 | 	FilterBootOptionOperationOpenSystemStore,
 331 | 	FilterBootOptionOperationSetElement,
 332 | 	FilterBootOptionOperationDeleteElement,
 333 | 	FilterBootOptionOperationMax
 334 | } FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION;
 335 | 
 336 | typedef enum _EVENT_TYPE
 337 | {
 338 | 	NotificationEvent = 0,
 339 | 	SynchronizationEvent = 1,
 340 | } EVENT_TYPE, *PEVENT_TYPE;
 341 | 
 342 | typedef struct _FILE_FULL_EA_INFORMATION
 343 | {
 344 | 	ULONG  NextEntryOffset;
 345 | 	UCHAR  Flags;
 346 | 	UCHAR  EaNameLength;
 347 | 	USHORT EaValueLength;
 348 | 	CHAR   EaName[1];
 349 | } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;
 350 | 
 351 | typedef struct _FILE_GET_EA_INFORMATION
 352 | {
 353 | 	ULONG NextEntryOffset;
 354 | 	BYTE  EaNameLength;
 355 | 	CHAR  EaName[1];
 356 | } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;
 357 | 
 358 | typedef struct _BOOT_OPTIONS
 359 | {
 360 | 	ULONG Version;
 361 | 	ULONG Length;
 362 | 	ULONG Timeout;
 363 | 	ULONG CurrentBootEntryId;
 364 | 	ULONG NextBootEntryId;
 365 | 	WCHAR HeadlessRedirection[1];
 366 | } BOOT_OPTIONS, *PBOOT_OPTIONS;
 367 | 
 368 | typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP;
 369 | 
 370 | typedef enum _WNF_DATA_SCOPE
 371 | {
 372 | 	WnfDataScopeSystem = 0,
 373 | 	WnfDataScopeSession = 1,
 374 | 	WnfDataScopeUser = 2,
 375 | 	WnfDataScopeProcess = 3,
 376 | 	WnfDataScopeMachine = 4
 377 | } WNF_DATA_SCOPE, *PWNF_DATA_SCOPE;
 378 | 
 379 | typedef enum _WNF_STATE_NAME_LIFETIME
 380 | {
 381 | 	WnfWellKnownStateName = 0,
 382 | 	WnfPermanentStateName = 1,
 383 | 	WnfPersistentStateName = 2,
 384 | 	WnfTemporaryStateName = 3
 385 | } WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME;
 386 | 
 387 | typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
 388 | {
 389 | 	VmPrefetchInformation,
 390 | 	VmPagePriorityInformation,
 391 | 	VmCfgCallTargetInformation
 392 | } VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS;
 393 | 
 394 | typedef enum _IO_SESSION_EVENT
 395 | {
 396 | 	IoSessionEventIgnore,
 397 | 	IoSessionEventCreated,
 398 | 	IoSessionEventTerminated,
 399 | 	IoSessionEventConnected,
 400 | 	IoSessionEventDisconnected,
 401 | 	IoSessionEventLogon,
 402 | 	IoSessionEventLogoff,
 403 | 	IoSessionEventMax
 404 | } IO_SESSION_EVENT, *PIO_SESSION_EVENT;
 405 | 
 406 | typedef enum _PORT_INFORMATION_CLASS
 407 | {
 408 | 	PortBasicInformation,
 409 | #if DEVL
 410 | 	PortDumpInformation
 411 | #endif
 412 | } PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS;
 413 | 
 414 | typedef enum _PLUGPLAY_CONTROL_CLASS
 415 | {
 416 | 	PlugPlayControlEnumerateDevice,
 417 | 	PlugPlayControlRegisterNewDevice,
 418 | 	PlugPlayControlDeregisterDevice,
 419 | 	PlugPlayControlInitializeDevice,
 420 | 	PlugPlayControlStartDevice,
 421 | 	PlugPlayControlUnlockDevice,
 422 | 	PlugPlayControlQueryAndRemoveDevice,
 423 | 	PlugPlayControlUserResponse,
 424 | 	PlugPlayControlGenerateLegacyDevice,
 425 | 	PlugPlayControlGetInterfaceDeviceList,
 426 | 	PlugPlayControlProperty,
 427 | 	PlugPlayControlDeviceClassAssociation,
 428 | 	PlugPlayControlGetRelatedDevice,
 429 | 	PlugPlayControlGetInterfaceDeviceAlias,
 430 | 	PlugPlayControlDeviceStatus,
 431 | 	PlugPlayControlGetDeviceDepth,
 432 | 	PlugPlayControlQueryDeviceRelations,
 433 | 	PlugPlayControlTargetDeviceRelation,
 434 | 	PlugPlayControlQueryConflictList,
 435 | 	PlugPlayControlRetrieveDock,
 436 | 	PlugPlayControlResetDevice,
 437 | 	PlugPlayControlHaltDevice,
 438 | 	PlugPlayControlGetBlockedDriverList,
 439 | 	MaxPlugPlayControl
 440 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS;
 441 | 
 442 | typedef enum _IO_COMPLETION_INFORMATION_CLASS
 443 | {
 444 | 	IoCompletionBasicInformation
 445 | } IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS;
 446 | 
 447 | typedef enum _SECTION_INHERIT
 448 | {
 449 | 	ViewShare = 1,
 450 | 	ViewUnmap = 2
 451 | } SECTION_INHERIT, *PSECTION_INHERIT;
 452 | 
 453 | typedef enum _DEBUGOBJECTINFOCLASS
 454 | {
 455 | 	DebugObjectFlags = 1,
 456 | 	MaxDebugObjectInfoClass
 457 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
 458 | 
 459 | typedef enum _SEMAPHORE_INFORMATION_CLASS
 460 | {
 461 | 	SemaphoreBasicInformation
 462 | } SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS;
 463 | 
 464 | typedef struct _PS_ATTRIBUTE_LIST
 465 | {
 466 | 	SIZE_T       TotalLength;
 467 | 	PS_ATTRIBUTE Attributes[1];
 468 | } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
 469 | 
 470 | typedef enum _VDMSERVICECLASS
 471 | {
 472 | 	VdmStartExecution,
 473 | 	VdmQueueInterrupt,
 474 | 	VdmDelayInterrupt,
 475 | 	VdmInitialize,
 476 | 	VdmFeatures,
 477 | 	VdmSetInt21Handler,
 478 | 	VdmQueryDir,
 479 | 	VdmPrinterDirectIoOpen,
 480 | 	VdmPrinterDirectIoClose,
 481 | 	VdmPrinterInitialize,
 482 | 	VdmSetLdtEntries,
 483 | 	VdmSetProcessLdtInfo,
 484 | 	VdmAdlibEmulation,
 485 | 	VdmPMCliControl,
 486 | 	VdmQueryVdmProcess
 487 | } VDMSERVICECLASS, *PVDMSERVICECLASS;
 488 | 
 489 | typedef struct _PS_CREATE_INFO
 490 | {
 491 | 	SIZE_T Size;
 492 | 	PS_CREATE_STATE State;
 493 | 	union
 494 | 	{
 495 | 		// PsCreateInitialState
 496 | 		struct {
 497 | 			union {
 498 | 				ULONG InitFlags;
 499 | 				struct {
 500 | 					UCHAR  WriteOutputOnExit : 1;
 501 | 					UCHAR  DetectManifest : 1;
 502 | 					UCHAR  IFEOSkipDebugger : 1;
 503 | 					UCHAR  IFEODoNotPropagateKeyState : 1;
 504 | 					UCHAR  SpareBits1 : 4;
 505 | 					UCHAR  SpareBits2 : 8;
 506 | 					USHORT ProhibitedImageCharacteristics : 16;
 507 | 				};
 508 | 			};
 509 | 			ACCESS_MASK AdditionalFileAccess;
 510 | 		} InitState;
 511 | 		// PsCreateFailOnSectionCreate
 512 | 		struct {
 513 | 			HANDLE FileHandle;
 514 | 		} FailSection;
 515 | 		// PsCreateFailExeFormat
 516 | 		struct {
 517 | 			USHORT DllCharacteristics;
 518 | 		} ExeFormat;
 519 | 		// PsCreateFailExeName
 520 | 		struct {
 521 | 			HANDLE IFEOKey;
 522 | 		} ExeName;
 523 | 		// PsCreateSuccess
 524 | 		struct {
 525 | 			union {
 526 | 				ULONG OutputFlags;
 527 | 				struct {
 528 | 					UCHAR  ProtectedProcess : 1;
 529 | 					UCHAR  AddressSpaceOverride : 1;
 530 | 					UCHAR  DevOverrideEnabled : 1; // from Image File Execution Options
 531 | 					UCHAR  ManifestDetected : 1;
 532 | 					UCHAR  ProtectedProcessLight : 1;
 533 | 					UCHAR  SpareBits1 : 3;
 534 | 					UCHAR  SpareBits2 : 8;
 535 | 					USHORT SpareBits3 : 16;
 536 | 				};
 537 | 			};
 538 | 			HANDLE    FileHandle;
 539 | 			HANDLE    SectionHandle;
 540 | 			ULONGLONG UserProcessParametersNative;
 541 | 			ULONG     UserProcessParametersWow64;
 542 | 			ULONG     CurrentParameterFlags;
 543 | 			ULONGLONG PebAddressNative;
 544 | 			ULONG     PebAddressWow64;
 545 | 			ULONGLONG ManifestAddress;
 546 | 			ULONG     ManifestSize;
 547 | 		} SuccessState;
 548 | 	};
 549 | } PS_CREATE_INFO, *PPS_CREATE_INFO;
 550 | 
 551 | typedef enum _MEMORY_INFORMATION_CLASS
 552 | {
 553 | 	MemoryBasicInformation,
 554 | 	MemoryWorkingSetInformation,
 555 | 	MemoryMappedFilenameInformation,
 556 | 	MemoryRegionInformation,
 557 | 	MemoryWorkingSetExInformation,
 558 | 	MemorySharedCommitInformation,
 559 | 	MemoryImageInformation,
 560 | 	MemoryRegionInformationEx,
 561 | 	MemoryPrivilegedBasicInformation,
 562 | 	MemoryEnclaveImageInformation,
 563 | 	MemoryBasicInformationCapped
 564 | } MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;
 565 | 
 566 | typedef enum _MEMORY_RESERVE_TYPE
 567 | {
 568 | 	MemoryReserveUserApc,
 569 | 	MemoryReserveIoCompletion,
 570 | 	MemoryReserveTypeMax
 571 | } MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE;
 572 | 
 573 | typedef enum _ALPC_PORT_INFORMATION_CLASS
 574 | {
 575 | 	AlpcBasicInformation,
 576 | 	AlpcPortInformation,
 577 | 	AlpcAssociateCompletionPortInformation,
 578 | 	AlpcConnectedSIDInformation,
 579 | 	AlpcServerInformation,
 580 | 	AlpcMessageZoneInformation,
 581 | 	AlpcRegisterCompletionListInformation,
 582 | 	AlpcUnregisterCompletionListInformation,
 583 | 	AlpcAdjustCompletionListConcurrencyCountInformation,
 584 | 	AlpcRegisterCallbackInformation,
 585 | 	AlpcCompletionListRundownInformation
 586 | } ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS;
 587 | 
 588 | typedef struct _ALPC_CONTEXT_ATTR
 589 | {
 590 | 	PVOID PortContext;
 591 | 	PVOID MessageContext;
 592 | 	ULONG SequenceNumber;
 593 | 	ULONG MessageID;
 594 | 	ULONG CallbackID;
 595 | } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;
 596 | 
 597 | typedef struct _ALPC_DATA_VIEW_ATTR
 598 | {
 599 | 	ULONG  Flags;
 600 | 	HANDLE SectionHandle;
 601 | 	PVOID  ViewBase;
 602 | 	SIZE_T ViewSize;
 603 | } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;
 604 | 
 605 | typedef struct _ALPC_SECURITY_ATTR
 606 | {
 607 | 	ULONG                        Flags;
 608 | 	PSECURITY_QUALITY_OF_SERVICE SecurityQos;
 609 | 	HANDLE                       ContextHandle;
 610 | 	ULONG                        Reserved1;
 611 | 	ULONG                        Reserved2;
 612 | } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;
 613 | 
 614 | typedef PVOID* PPVOID;
 615 | 
 616 | typedef enum _KPROFILE_SOURCE
 617 | {
 618 | 	ProfileTime = 0,
 619 | 	ProfileAlignmentFixup = 1,
 620 | 	ProfileTotalIssues = 2,
 621 | 	ProfilePipelineDry = 3,
 622 | 	ProfileLoadInstructions = 4,
 623 | 	ProfilePipelineFrozen = 5,
 624 | 	ProfileBranchInstructions = 6,
 625 | 	ProfileTotalNonissues = 7,
 626 | 	ProfileDcacheMisses = 8,
 627 | 	ProfileIcacheMisses = 9,
 628 | 	ProfileCacheMisses = 10,
 629 | 	ProfileBranchMispredictions = 11,
 630 | 	ProfileStoreInstructions = 12,
 631 | 	ProfileFpInstructions = 13,
 632 | 	ProfileIntegerInstructions = 14,
 633 | 	Profile2Issue = 15,
 634 | 	Profile3Issue = 16,
 635 | 	Profile4Issue = 17,
 636 | 	ProfileSpecialInstructions = 18,
 637 | 	ProfileTotalCycles = 19,
 638 | 	ProfileIcacheIssues = 20,
 639 | 	ProfileDcacheAccesses = 21,
 640 | 	ProfileMemoryBarrierCycles = 22,
 641 | 	ProfileLoadLinkedIssues = 23,
 642 | 	ProfileMaximum = 24,
 643 | } KPROFILE_SOURCE, *PKPROFILE_SOURCE;
 644 | 
 645 | typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
 646 | {
 647 | 	AlpcMessageSidInformation,
 648 | 	AlpcMessageTokenModifiedIdInformation
 649 | } ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS;
 650 | 
 651 | typedef enum _WORKERFACTORYINFOCLASS
 652 | {
 653 | 	WorkerFactoryTimeout,
 654 | 	WorkerFactoryRetryTimeout,
 655 | 	WorkerFactoryIdleTimeout,
 656 | 	WorkerFactoryBindingCount,
 657 | 	WorkerFactoryThreadMinimum,
 658 | 	WorkerFactoryThreadMaximum,
 659 | 	WorkerFactoryPaused,
 660 | 	WorkerFactoryBasicInformation,
 661 | 	WorkerFactoryAdjustThreadGoal,
 662 | 	WorkerFactoryCallbackType,
 663 | 	WorkerFactoryStackInformation,
 664 | 	MaxWorkerFactoryInfoClass
 665 | } WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS;
 666 | 
 667 | typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
 668 | {
 669 | 	SystemMemoryPartitionInformation,
 670 | 	SystemMemoryPartitionMoveMemory,
 671 | 	SystemMemoryPartitionAddPagefile,
 672 | 	SystemMemoryPartitionCombineMemory,
 673 | 	SystemMemoryPartitionInitialAddMemory,
 674 | 	SystemMemoryPartitionGetMemoryEvents,
 675 | 	SystemMemoryPartitionMax
 676 | } MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS;
 677 | 
 678 | typedef enum _MUTANT_INFORMATION_CLASS
 679 | {
 680 | 	MutantBasicInformation,
 681 | 	MutantOwnerInformation
 682 | } MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS;
 683 | 
 684 | typedef enum _ATOM_INFORMATION_CLASS
 685 | {
 686 | 	AtomBasicInformation,
 687 | 	AtomTableInformation
 688 | } ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS;
 689 | 
 690 | typedef enum _SHUTDOWN_ACTION {
 691 | 	ShutdownNoReboot,
 692 | 	ShutdownReboot,
 693 | 	ShutdownPowerOff
 694 | } SHUTDOWN_ACTION;
 695 | 
 696 | typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)(
 697 | 	IN PVOID TimerContext,
 698 | 	IN ULONG TimerLowValue,
 699 | 	IN LONG TimerHighValue);
 700 | 
 701 | typedef enum _KEY_VALUE_INFORMATION_CLASS {
 702 | 	KeyValueBasicInformation = 0,
 703 | 	KeyValueFullInformation,
 704 | 	KeyValuePartialInformation,
 705 | 	KeyValueFullInformationAlign64,
 706 | 	KeyValuePartialInformationAlign64,
 707 | 	MaxKeyValueInfoClass
 708 | } KEY_VALUE_INFORMATION_CLASS;
 709 | 
 710 | typedef LANGID* PLANGID;
 711 | 
 712 | typedef struct _PLUGPLAY_EVENT_BLOCK
 713 | {
 714 | 	GUID EventGuid;
 715 | 	PLUGPLAY_EVENT_CATEGORY EventCategory;
 716 | 	PULONG Result;
 717 | 	ULONG Flags;
 718 | 	ULONG TotalSize;
 719 | 	PVOID DeviceObject;
 720 | 
 721 | 	union
 722 | 	{
 723 | 		struct
 724 | 		{
 725 | 			GUID ClassGuid;
 726 | 			WCHAR SymbolicLinkName[1];
 727 | 		} DeviceClass;
 728 | 		struct
 729 | 		{
 730 | 			WCHAR DeviceIds[1];
 731 | 		} TargetDevice;
 732 | 		struct
 733 | 		{
 734 | 			WCHAR DeviceId[1];
 735 | 		} InstallDevice;
 736 | 		struct
 737 | 		{
 738 | 			PVOID NotificationStructure;
 739 | 			WCHAR DeviceIds[1];
 740 | 		} CustomNotification;
 741 | 		struct
 742 | 		{
 743 | 			PVOID Notification;
 744 | 		} ProfileNotification;
 745 | 		struct
 746 | 		{
 747 | 			ULONG NotificationCode;
 748 | 			ULONG NotificationData;
 749 | 		} PowerNotification;
 750 | 		struct
 751 | 		{
 752 | 			PNP_VETO_TYPE VetoType;
 753 | 			WCHAR DeviceIdVetoNameBuffer[1]; // DeviceId<null>VetoName<null><null>
 754 | 		} VetoNotification;
 755 | 		struct
 756 | 		{
 757 | 			GUID BlockedDriverGuid;
 758 | 		} BlockedDriverNotification;
 759 | 		struct
 760 | 		{
 761 | 			WCHAR ParentId[1];
 762 | 		} InvalidIDNotification;
 763 | 	} u;
 764 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK;
 765 | 
 766 | typedef VOID(NTAPI* PIO_APC_ROUTINE) (
 767 | 	IN PVOID            ApcContext,
 768 | 	IN PIO_STATUS_BLOCK IoStatusBlock,
 769 | 	IN ULONG            Reserved);
 770 | 
 771 | typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
 772 | 
 773 | typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
 774 | {
 775 | 	DirectoryNotifyInformation = 1,
 776 | 	DirectoryNotifyExtendedInformation = 2,
 777 | } DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS;
 778 | 
 779 | typedef enum _EVENT_INFORMATION_CLASS
 780 | {
 781 | 	EventBasicInformation
 782 | } EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS;
 783 | 
 784 | typedef struct _ALPC_MESSAGE_ATTRIBUTES
 785 | {
 786 | 	unsigned long AllocatedAttributes;
 787 | 	unsigned long ValidAttributes;
 788 | } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;
 789 | 
 790 | typedef struct _ALPC_PORT_ATTRIBUTES
 791 | {
 792 | 	ULONG                       Flags;
 793 | 	SECURITY_QUALITY_OF_SERVICE SecurityQos;
 794 | 	SIZE_T                      MaxMessageLength;
 795 | 	SIZE_T                      MemoryBandwidth;
 796 | 	SIZE_T                      MaxPoolUsage;
 797 | 	SIZE_T                      MaxSectionSize;
 798 | 	SIZE_T                      MaxViewSize;
 799 | 	SIZE_T                      MaxTotalSectionSize;
 800 | 	ULONG                       DupObjectTypes;
 801 | #ifdef _WIN64
 802 | 	ULONG                       Reserved;
 803 | #endif
 804 | } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;
 805 | 
 806 | typedef enum _IO_SESSION_STATE
 807 | {
 808 | 	IoSessionStateCreated = 1,
 809 | 	IoSessionStateInitialized = 2,
 810 | 	IoSessionStateConnected = 3,
 811 | 	IoSessionStateDisconnected = 4,
 812 | 	IoSessionStateDisconnectedLoggedOn = 5,
 813 | 	IoSessionStateLoggedOn = 6,
 814 | 	IoSessionStateLoggedOff = 7,
 815 | 	IoSessionStateTerminated = 8,
 816 | 	IoSessionStateMax = 9,
 817 | } IO_SESSION_STATE, *PIO_SESSION_STATE;
 818 | 
 819 | typedef const WNF_STATE_NAME *PCWNF_STATE_NAME;
 820 | 
 821 | typedef const WNF_TYPE_ID *PCWNF_TYPE_ID;
 822 | 
 823 | typedef struct _WNF_DELIVERY_DESCRIPTOR
 824 | {
 825 | 	unsigned __int64 SubscriptionId;
 826 | 	WNF_STATE_NAME   StateName;
 827 | 	unsigned long    ChangeStamp;
 828 | 	unsigned long    StateDataSize;
 829 | 	unsigned long    EventMask;
 830 | 	WNF_TYPE_ID      TypeId;
 831 | 	unsigned long    StateDataOffset;
 832 | } WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR;
 833 | 
 834 | typedef enum _DEBUG_CONTROL_CODE
 835 | {
 836 | 	SysDbgQueryModuleInformation = 0,
 837 | 	SysDbgQueryTraceInformation = 1,
 838 | 	SysDbgSetTracePoint = 2,
 839 | 	SysDbgSetSpecialCall = 3,
 840 | 	SysDbgClearSpecialCalls = 4,
 841 | 	SysDbgQuerySpecialCalls = 5,
 842 | 	SysDbgBreakPoint = 6,
 843 | 	SysDbgQueryVersion = 7,
 844 | 	SysDbgReadVirtual = 8,
 845 | 	SysDbgWriteVirtual = 9,
 846 | 	SysDbgReadPhysical = 10,
 847 | 	SysDbgWritePhysical = 11,
 848 | 	SysDbgReadControlSpace = 12,
 849 | 	SysDbgWriteControlSpace = 13,
 850 | 	SysDbgReadIoSpace = 14,
 851 | 	SysDbgWriteIoSpace = 15,
 852 | 	SysDbgReadMsr = 16,
 853 | 	SysDbgWriteMsr = 17,
 854 | 	SysDbgReadBusData = 18,
 855 | 	SysDbgWriteBusData = 19,
 856 | 	SysDbgCheckLowMemory = 20,
 857 | 	SysDbgEnableKernelDebugger = 21,
 858 | 	SysDbgDisableKernelDebugger = 22,
 859 | 	SysDbgGetAutoKdEnable = 23,
 860 | 	SysDbgSetAutoKdEnable = 24,
 861 | 	SysDbgGetPrintBufferSize = 25,
 862 | 	SysDbgSetPrintBufferSize = 26,
 863 | 	SysDbgGetKdUmExceptionEnable = 27,
 864 | 	SysDbgSetKdUmExceptionEnable = 28,
 865 | 	SysDbgGetTriageDump = 29,
 866 | 	SysDbgGetKdBlockEnable = 30,
 867 | 	SysDbgSetKdBlockEnable = 31
 868 | } DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE;
 869 | 
 870 | typedef struct _PORT_MESSAGE
 871 | {
 872 | 	union
 873 | 	{
 874 | 		union
 875 | 		{
 876 | 			struct
 877 | 			{
 878 | 				short DataLength;
 879 | 				short TotalLength;
 880 | 			} s1;
 881 | 			unsigned long Length;
 882 | 		};
 883 | 	} u1;
 884 | 	union
 885 | 	{
 886 | 		union
 887 | 		{
 888 | 			struct
 889 | 			{
 890 | 				short Type;
 891 | 				short DataInfoOffset;
 892 | 			} s2;
 893 | 			unsigned long ZeroInit;
 894 | 		};
 895 | 	} u2;
 896 | 	union
 897 | 	{
 898 | 		CLIENT_ID ClientId;
 899 | 		double    DoNotUseThisField;
 900 | 	};
 901 | 	unsigned long MessageId;
 902 | 	union
 903 | 	{
 904 | 		unsigned __int64 ClientViewSize;
 905 | 		struct
 906 | 		{
 907 | 			unsigned long CallbackId;
 908 | 			long          __PADDING__[1];
 909 | 		};
 910 | 	};
 911 | } PORT_MESSAGE, *PPORT_MESSAGE;
 912 | 
 913 | typedef struct FILE_BASIC_INFORMATION
 914 | {
 915 | 	LARGE_INTEGER CreationTime;
 916 | 	LARGE_INTEGER LastAccessTime;
 917 | 	LARGE_INTEGER LastWriteTime;
 918 | 	LARGE_INTEGER ChangeTime;
 919 | 	ULONG         FileAttributes;
 920 | } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
 921 | 
 922 | typedef struct _PORT_SECTION_READ
 923 | {
 924 | 	ULONG Length;
 925 | 	ULONG ViewSize;
 926 | 	ULONG ViewBase;
 927 | } PORT_SECTION_READ, *PPORT_SECTION_READ;
 928 | 
 929 | typedef struct _PORT_SECTION_WRITE
 930 | {
 931 | 	ULONG  Length;
 932 | 	HANDLE SectionHandle;
 933 | 	ULONG  SectionOffset;
 934 | 	ULONG  ViewSize;
 935 | 	PVOID  ViewBase;
 936 | 	PVOID  TargetViewBase;
 937 | } PORT_SECTION_WRITE, *PPORT_SECTION_WRITE;
 938 | 
 939 | typedef enum _TIMER_TYPE
 940 | {
 941 | 	NotificationTimer,
 942 | 	SynchronizationTimer
 943 | } TIMER_TYPE, *PTIMER_TYPE;
 944 | 
 945 | typedef struct _BOOT_ENTRY
 946 | {
 947 | 	ULONG Version;
 948 | 	ULONG Length;
 949 | 	ULONG Id;
 950 | 	ULONG Attributes;
 951 | 	ULONG FriendlyNameOffset;
 952 | 	ULONG BootFilePathOffset;
 953 | 	ULONG OsOptionsLength;
 954 | 	UCHAR OsOptions[ANYSIZE_ARRAY];
 955 | } BOOT_ENTRY, *PBOOT_ENTRY;
 956 | 
 957 | typedef struct _EFI_DRIVER_ENTRY
 958 | {
 959 | 	ULONG Version;
 960 | 	ULONG Length;
 961 | 	ULONG Id;
 962 | 	ULONG Attributes;
 963 | 	ULONG FriendlyNameOffset;
 964 | 	ULONG DriverFilePathOffset;
 965 | } EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY;
 966 | 
 967 | typedef USHORT RTL_ATOM, *PRTL_ATOM;
 968 | 
 969 | typedef enum _TIMER_SET_INFORMATION_CLASS
 970 | {
 971 | 	TimerSetCoalescableTimer,
 972 | 	MaxTimerInfoClass
 973 | } TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS;
 974 | 
 975 | typedef enum _FSINFOCLASS
 976 | {
 977 | 	FileFsVolumeInformation = 1,
 978 | 	FileFsLabelInformation = 2,
 979 | 	FileFsSizeInformation = 3,
 980 | 	FileFsDeviceInformation = 4,
 981 | 	FileFsAttributeInformation = 5,
 982 | 	FileFsControlInformation = 6,
 983 | 	FileFsFullSizeInformation = 7,
 984 | 	FileFsObjectIdInformation = 8,
 985 | 	FileFsDriverPathInformation = 9,
 986 | 	FileFsVolumeFlagsInformation = 10,
 987 | 	FileFsSectorSizeInformation = 11,
 988 | 	FileFsDataCopyInformation = 12,
 989 | 	FileFsMetadataSizeInformation = 13,
 990 | 	FileFsFullSizeInformationEx = 14,
 991 | 	FileFsMaximumInformation = 15,
 992 | } FSINFOCLASS, *PFSINFOCLASS;
 993 | 
 994 | typedef enum _WAIT_TYPE
 995 | {
 996 | 	WaitAll = 0,
 997 | 	WaitAny = 1
 998 | } WAIT_TYPE, *PWAIT_TYPE;
 999 | 
1000 | typedef struct _USER_STACK
1001 | {
1002 | 	PVOID FixedStackBase;
1003 | 	PVOID FixedStackLimit;
1004 | 	PVOID ExpandableStackBase;
1005 | 	PVOID ExpandableStackLimit;
1006 | 	PVOID ExpandableStackBottom;
1007 | } USER_STACK, *PUSER_STACK;
1008 | 
1009 | typedef enum _SECTION_INFORMATION_CLASS
1010 | {
1011 | 	SectionBasicInformation,
1012 | 	SectionImageInformation,
1013 | } SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS;
1014 | 
1015 | typedef enum _APPHELPCACHESERVICECLASS
1016 | {
1017 | 	ApphelpCacheServiceLookup = 0,
1018 | 	ApphelpCacheServiceRemove = 1,
1019 | 	ApphelpCacheServiceUpdate = 2,
1020 | 	ApphelpCacheServiceFlush = 3,
1021 | 	ApphelpCacheServiceDump = 4,
1022 | 	ApphelpDBGReadRegistry = 0x100,
1023 | 	ApphelpDBGWriteRegistry = 0x101,
1024 | } APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS;
1025 | 
1026 | typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
1027 | {
1028 | 	USHORT Version;
1029 | 	USHORT Reserved;
1030 | 	ULONG  AttributeCount;
1031 | 	union
1032 | 	{
1033 | 		PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
1034 | 	} Attribute;
1035 | } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
1036 | 
1037 | typedef struct _FILE_IO_COMPLETION_INFORMATION
1038 | {
1039 | 	PVOID           KeyContext;
1040 | 	PVOID           ApcContext;
1041 | 	IO_STATUS_BLOCK IoStatusBlock;
1042 | } FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION;
1043 | 
1044 | typedef PVOID PT2_CANCEL_PARAMETERS;
1045 | 
1046 | typedef enum _THREADINFOCLASS
1047 | {
1048 | 	ThreadBasicInformation,
1049 | 	ThreadTimes,
1050 | 	ThreadPriority,
1051 | 	ThreadBasePriority,
1052 | 	ThreadAffinityMask,
1053 | 	ThreadImpersonationToken,
1054 | 	ThreadDescriptorTableEntry,
1055 | 	ThreadEnableAlignmentFaultFixup,
1056 | 	ThreadEventPair_Reusable,
1057 | 	ThreadQuerySetWin32StartAddress,
1058 | 	ThreadZeroTlsCell,
1059 | 	ThreadPerformanceCount,
1060 | 	ThreadAmILastThread,
1061 | 	ThreadIdealProcessor,
1062 | 	ThreadPriorityBoost,
1063 | 	ThreadSetTlsArrayAddress,
1064 | 	ThreadIsIoPending,
1065 | 	ThreadHideFromDebugger,
1066 | 	ThreadBreakOnTermination,
1067 | 	MaxThreadInfoClass
1068 | } THREADINFOCLASS, *PTHREADINFOCLASS;
1069 | 
1070 | typedef enum _OBJECT_INFORMATION_CLASS
1071 | {
1072 | 	ObjectBasicInformation,
1073 | 	ObjectNameInformation,
1074 | 	ObjectTypeInformation,
1075 | 	ObjectAllTypesInformation,
1076 | 	ObjectHandleInformation
1077 | } OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
1078 | 
1079 | typedef enum _FILE_INFORMATION_CLASS
1080 | {
1081 | 	FileDirectoryInformation = 1,
1082 | 	FileFullDirectoryInformation = 2,
1083 | 	FileBothDirectoryInformation = 3,
1084 | 	FileBasicInformation = 4,
1085 | 	FileStandardInformation = 5,
1086 | 	FileInternalInformation = 6,
1087 | 	FileEaInformation = 7,
1088 | 	FileAccessInformation = 8,
1089 | 	FileNameInformation = 9,
1090 | 	FileRenameInformation = 10,
1091 | 	FileLinkInformation = 11,
1092 | 	FileNamesInformation = 12,
1093 | 	FileDispositionInformation = 13,
1094 | 	FilePositionInformation = 14,
1095 | 	FileFullEaInformation = 15,
1096 | 	FileModeInformation = 16,
1097 | 	FileAlignmentInformation = 17,
1098 | 	FileAllInformation = 18,
1099 | 	FileAllocationInformation = 19,
1100 | 	FileEndOfFileInformation = 20,
1101 | 	FileAlternateNameInformation = 21,
1102 | 	FileStreamInformation = 22,
1103 | 	FilePipeInformation = 23,
1104 | 	FilePipeLocalInformation = 24,
1105 | 	FilePipeRemoteInformation = 25,
1106 | 	FileMailslotQueryInformation = 26,
1107 | 	FileMailslotSetInformation = 27,
1108 | 	FileCompressionInformation = 28,
1109 | 	FileObjectIdInformation = 29,
1110 | 	FileCompletionInformation = 30,
1111 | 	FileMoveClusterInformation = 31,
1112 | 	FileQuotaInformation = 32,
1113 | 	FileReparsePointInformation = 33,
1114 | 	FileNetworkOpenInformation = 34,
1115 | 	FileAttributeTagInformation = 35,
1116 | 	FileTrackingInformation = 36,
1117 | 	FileIdBothDirectoryInformation = 37,
1118 | 	FileIdFullDirectoryInformation = 38,
1119 | 	FileValidDataLengthInformation = 39,
1120 | 	FileShortNameInformation = 40,
1121 | 	FileIoCompletionNotificationInformation = 41,
1122 | 	FileIoStatusBlockRangeInformation = 42,
1123 | 	FileIoPriorityHintInformation = 43,
1124 | 	FileSfioReserveInformation = 44,
1125 | 	FileSfioVolumeInformation = 45,
1126 | 	FileHardLinkInformation = 46,
1127 | 	FileProcessIdsUsingFileInformation = 47,
1128 | 	FileNormalizedNameInformation = 48,
1129 | 	FileNetworkPhysicalNameInformation = 49,
1130 | 	FileIdGlobalTxDirectoryInformation = 50,
1131 | 	FileIsRemoteDeviceInformation = 51,
1132 | 	FileUnusedInformation = 52,
1133 | 	FileNumaNodeInformation = 53,
1134 | 	FileStandardLinkInformation = 54,
1135 | 	FileRemoteProtocolInformation = 55,
1136 | 	FileRenameInformationBypassAccessCheck = 56,
1137 | 	FileLinkInformationBypassAccessCheck = 57,
1138 | 	FileVolumeNameInformation = 58,
1139 | 	FileIdInformation = 59,
1140 | 	FileIdExtdDirectoryInformation = 60,
1141 | 	FileReplaceCompletionInformation = 61,
1142 | 	FileHardLinkFullIdInformation = 62,
1143 | 	FileIdExtdBothDirectoryInformation = 63,
1144 | 	FileDispositionInformationEx = 64,
1145 | 	FileRenameInformationEx = 65,
1146 | 	FileRenameInformationExBypassAccessCheck = 66,
1147 | 	FileMaximumInformation = 67,
1148 | } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
1149 | 
1150 | typedef enum _KEY_INFORMATION_CLASS
1151 | {
1152 | 	KeyBasicInformation = 0,
1153 | 	KeyNodeInformation = 1,
1154 | 	KeyFullInformation = 2,
1155 | 	KeyNameInformation = 3,
1156 | 	KeyCachedInformation = 4,
1157 | 	KeyFlagsInformation = 5,
1158 | 	KeyVirtualizationInformation = 6,
1159 | 	KeyHandleTagsInformation = 7,
1160 | 	MaxKeyInfoClass = 8
1161 | } KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS;
1162 | 
1163 | typedef struct _OBJECT_ATTRIBUTES
1164 | {
1165 | 	ULONG           Length;
1166 | 	HANDLE          RootDirectory;
1167 | 	PUNICODE_STRING ObjectName;
1168 | 	ULONG           Attributes;
1169 | 	PVOID           SecurityDescriptor;
1170 | 	PVOID           SecurityQualityOfService;
1171 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
1172 | 
1173 | typedef enum _TIMER_INFORMATION_CLASS
1174 | {
1175 | 	TimerBasicInformation
1176 | } TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS;
1177 | 
1178 | typedef struct _KCONTINUE_ARGUMENT
1179 | {
1180 | 	KCONTINUE_TYPE ContinueType;
1181 | 	ULONG          ContinueFlags;
1182 | 	ULONGLONG      Reserved[2];
1183 | } KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT;
1184 | 
1185 | typedef SneakCall<SneakHelper::hash("ZwAccessCheck"), IN PSECURITY_DESCRIPTOR, IN HANDLE, IN ACCESS_MASK, IN PGENERIC_MAPPING, OUT PPRIVILEGE_SET  OPTIONAL, IN OUT PULONG, OUT PACCESS_MASK, OUT PBOOLEAN> NtAccessCheck;
1186 | typedef SneakCall<SneakHelper::hash("ZwWorkerFactoryWorkerReady"), IN HANDLE> NtWorkerFactoryWorkerReady;
1187 | typedef SneakCall<SneakHelper::hash("ZwAcceptConnectPort"), OUT PHANDLE, IN ULONG  OPTIONAL, IN PPORT_MESSAGE, IN BOOLEAN, IN OUT PPORT_SECTION_WRITE  OPTIONAL, OUT PPORT_SECTION_READ  OPTIONAL> NtAcceptConnectPort;
1188 | typedef SneakCall<SneakHelper::hash("ZwMapUserPhysicalPagesScatter"), IN PVOID, IN PULONG, IN PULONG  OPTIONAL> NtMapUserPhysicalPagesScatter;
1189 | typedef SneakCall<SneakHelper::hash("ZwWaitForSingleObject"), IN HANDLE, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL> NtWaitForSingleObject;
1190 | typedef SneakCall<SneakHelper::hash("ZwCallbackReturn"), IN PVOID  OPTIONAL, IN ULONG, IN NTSTATUS> NtCallbackReturn;
1191 | typedef SneakCall<SneakHelper::hash("ZwReadFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, OUT PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN PVOID, IN ULONG, IN PLARGE_INTEGER  OPTIONAL, IN PULONG  OPTIONAL> NtReadFile;
1192 | typedef SneakCall<SneakHelper::hash("ZwDeviceIoControlFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN ULONG, IN PVOID  OPTIONAL, IN ULONG, OUT PVOID  OPTIONAL, IN ULONG> NtDeviceIoControlFile;
1193 | typedef SneakCall<SneakHelper::hash("ZwWriteFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN PVOID, IN ULONG, IN PLARGE_INTEGER  OPTIONAL, IN PULONG  OPTIONAL> NtWriteFile;
1194 | typedef SneakCall<SneakHelper::hash("ZwRemoveIoCompletion"), IN HANDLE, OUT PULONG, OUT PULONG, OUT PIO_STATUS_BLOCK, IN PLARGE_INTEGER  OPTIONAL> NtRemoveIoCompletion;
1195 | typedef SneakCall<SneakHelper::hash("ZwReleaseSemaphore"), IN HANDLE, IN LONG, OUT PLONG  OPTIONAL> NtReleaseSemaphore;
1196 | typedef SneakCall<SneakHelper::hash("ZwReplyWaitReceivePort"), IN HANDLE, OUT PVOID  OPTIONAL, IN PPORT_MESSAGE  OPTIONAL, OUT PPORT_MESSAGE> NtReplyWaitReceivePort;
1197 | typedef SneakCall<SneakHelper::hash("ZwReplyPort"), IN HANDLE, IN PPORT_MESSAGE> NtReplyPort;
1198 | typedef SneakCall<SneakHelper::hash("ZwSetInformationThread"), IN HANDLE, IN THREADINFOCLASS, IN PVOID, IN ULONG> NtSetInformationThread;
1199 | typedef SneakCall<SneakHelper::hash("ZwSetEvent"), IN HANDLE, OUT PULONG  OPTIONAL> NtSetEvent;
1200 | typedef SneakCall<SneakHelper::hash("ZwClose"), IN HANDLE> NtClose;
1201 | typedef SneakCall<SneakHelper::hash("ZwQueryObject"), IN HANDLE, IN OBJECT_INFORMATION_CLASS, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG  OPTIONAL> NtQueryObject;
1202 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, OUT PVOID, IN ULONG, IN FILE_INFORMATION_CLASS> NtQueryInformationFile;
1203 | typedef SneakCall<SneakHelper::hash("ZwOpenKey"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenKey;
1204 | typedef SneakCall<SneakHelper::hash("ZwEnumerateValueKey"), IN HANDLE, IN ULONG, IN KEY_VALUE_INFORMATION_CLASS, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG> NtEnumerateValueKey;
1205 | typedef SneakCall<SneakHelper::hash("ZwFindAtom"), IN PWSTR  OPTIONAL, IN ULONG, OUT PUSHORT  OPTIONAL> NtFindAtom;
1206 | typedef SneakCall<SneakHelper::hash("ZwQueryDefaultLocale"), IN BOOLEAN, OUT PLCID> NtQueryDefaultLocale;
1207 | typedef SneakCall<SneakHelper::hash("ZwQueryKey"), IN HANDLE, IN KEY_INFORMATION_CLASS, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG> NtQueryKey;
1208 | typedef SneakCall<SneakHelper::hash("ZwQueryValueKey"), IN HANDLE, IN PUNICODE_STRING, IN KEY_VALUE_INFORMATION_CLASS, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG> NtQueryValueKey;
1209 | typedef SneakCall<SneakHelper::hash("ZwAllocateVirtualMemory"), IN HANDLE, IN OUT PVOID *, IN ULONG, IN OUT PSIZE_T, IN ULONG, IN ULONG> NtAllocateVirtualMemory;
1210 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationProcess"), IN HANDLE, IN PROCESSINFOCLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationProcess;
1211 | typedef SneakCall<SneakHelper::hash("ZwWaitForMultipleObjects32"), IN ULONG, IN PHANDLE, IN WAIT_TYPE, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL> NtWaitForMultipleObjects32;
1212 | typedef SneakCall<SneakHelper::hash("ZwWriteFileGather"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN PFILE_SEGMENT_ELEMENT, IN ULONG, IN PLARGE_INTEGER, IN PULONG  OPTIONAL> NtWriteFileGather;
1213 | typedef SneakCall<SneakHelper::hash("ZwCreateKey"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG, IN PUNICODE_STRING  OPTIONAL, IN ULONG, OUT PULONG  OPTIONAL> NtCreateKey;
1214 | typedef SneakCall<SneakHelper::hash("ZwFreeVirtualMemory"), IN HANDLE, IN OUT PVOID *, IN OUT PSIZE_T, IN ULONG> NtFreeVirtualMemory;
1215 | typedef SneakCall<SneakHelper::hash("ZwImpersonateClientOfPort"), IN HANDLE, IN PPORT_MESSAGE> NtImpersonateClientOfPort;
1216 | typedef SneakCall<SneakHelper::hash("ZwReleaseMutant"), IN HANDLE, OUT PULONG  OPTIONAL> NtReleaseMutant;
1217 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationToken"), IN HANDLE, IN TOKEN_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG> NtQueryInformationToken;
1218 | typedef SneakCall<SneakHelper::hash("ZwRequestWaitReplyPort"), IN HANDLE, IN PPORT_MESSAGE, OUT PPORT_MESSAGE> NtRequestWaitReplyPort;
1219 | typedef SneakCall<SneakHelper::hash("ZwQueryVirtualMemory"), IN HANDLE, IN PVOID, IN MEMORY_INFORMATION_CLASS, OUT PVOID, IN SIZE_T, OUT PSIZE_T  OPTIONAL> NtQueryVirtualMemory;
1220 | typedef SneakCall<SneakHelper::hash("ZwOpenThreadToken"), IN HANDLE, IN ACCESS_MASK, IN BOOLEAN, OUT PHANDLE> NtOpenThreadToken;
1221 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationThread"), IN HANDLE, IN THREADINFOCLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationThread;
1222 | typedef SneakCall<SneakHelper::hash("ZwOpenProcess"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN PCLIENT_ID  OPTIONAL> NtOpenProcess;
1223 | typedef SneakCall<SneakHelper::hash("ZwSetInformationFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, IN PVOID, IN ULONG, IN FILE_INFORMATION_CLASS> NtSetInformationFile;
1224 | typedef SneakCall<SneakHelper::hash("ZwMapViewOfSection"), IN HANDLE, IN HANDLE, IN OUT PVOID, IN ULONG, IN SIZE_T, IN OUT PLARGE_INTEGER  OPTIONAL, IN OUT PSIZE_T, IN SECTION_INHERIT, IN ULONG, IN ULONG> NtMapViewOfSection;
1225 | typedef SneakCall<SneakHelper::hash("ZwAccessCheckAndAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN PUNICODE_STRING, IN PUNICODE_STRING, IN PSECURITY_DESCRIPTOR, IN ACCESS_MASK, IN PGENERIC_MAPPING, IN BOOLEAN, OUT PACCESS_MASK, OUT PBOOLEAN, OUT PBOOLEAN> NtAccessCheckAndAuditAlarm;
1226 | typedef SneakCall<SneakHelper::hash("ZwUnmapViewOfSection"), IN HANDLE, IN PVOID> NtUnmapViewOfSection;
1227 | typedef SneakCall<SneakHelper::hash("ZwReplyWaitReceivePortEx"), IN HANDLE, OUT PULONG  OPTIONAL, IN PPORT_MESSAGE  OPTIONAL, OUT PPORT_MESSAGE, IN PLARGE_INTEGER  OPTIONAL> NtReplyWaitReceivePortEx;
1228 | typedef SneakCall<SneakHelper::hash("ZwTerminateProcess"), IN HANDLE  OPTIONAL, IN NTSTATUS> NtTerminateProcess;
1229 | typedef SneakCall<SneakHelper::hash("ZwSetEventBoostPriority"), IN HANDLE> NtSetEventBoostPriority;
1230 | typedef SneakCall<SneakHelper::hash("ZwReadFileScatter"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN PFILE_SEGMENT_ELEMENT, IN ULONG, IN PLARGE_INTEGER  OPTIONAL, IN PULONG  OPTIONAL> NtReadFileScatter;
1231 | typedef SneakCall<SneakHelper::hash("ZwOpenThreadTokenEx"), IN HANDLE, IN ACCESS_MASK, IN BOOLEAN, IN ULONG, OUT PHANDLE> NtOpenThreadTokenEx;
1232 | typedef SneakCall<SneakHelper::hash("ZwOpenProcessTokenEx"), IN HANDLE, IN ACCESS_MASK, IN ULONG, OUT PHANDLE> NtOpenProcessTokenEx;
1233 | typedef SneakCall<SneakHelper::hash("ZwQueryPerformanceCounter"), OUT PLARGE_INTEGER, OUT PLARGE_INTEGER  OPTIONAL> NtQueryPerformanceCounter;
1234 | typedef SneakCall<SneakHelper::hash("ZwEnumerateKey"), IN HANDLE, IN ULONG, IN KEY_INFORMATION_CLASS, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG> NtEnumerateKey;
1235 | typedef SneakCall<SneakHelper::hash("ZwOpenFile"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, OUT PIO_STATUS_BLOCK, IN ULONG, IN ULONG> NtOpenFile;
1236 | typedef SneakCall<SneakHelper::hash("ZwDelayExecution"), IN BOOLEAN, IN PLARGE_INTEGER> NtDelayExecution;
1237 | typedef SneakCall<SneakHelper::hash("ZwQueryDirectoryFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, OUT PVOID, IN ULONG, IN FILE_INFORMATION_CLASS, IN BOOLEAN, IN PUNICODE_STRING  OPTIONAL, IN BOOLEAN> NtQueryDirectoryFile;
1238 | typedef SneakCall<SneakHelper::hash("ZwQuerySystemInformation"), IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQuerySystemInformation;
1239 | typedef SneakCall<SneakHelper::hash("ZwOpenSection"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenSection;
1240 | typedef SneakCall<SneakHelper::hash("ZwQueryTimer"), IN HANDLE, IN TIMER_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryTimer;
1241 | typedef SneakCall<SneakHelper::hash("ZwFsControlFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN ULONG, IN PVOID  OPTIONAL, IN ULONG, OUT PVOID  OPTIONAL, IN ULONG> NtFsControlFile;
1242 | typedef SneakCall<SneakHelper::hash("ZwWriteVirtualMemory"), IN HANDLE, IN PVOID, IN PVOID, IN SIZE_T, OUT PSIZE_T  OPTIONAL> NtWriteVirtualMemory;
1243 | typedef SneakCall<SneakHelper::hash("ZwCloseObjectAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN BOOLEAN> NtCloseObjectAuditAlarm;
1244 | typedef SneakCall<SneakHelper::hash("ZwDuplicateObject"), IN HANDLE, IN HANDLE, IN HANDLE  OPTIONAL, OUT PHANDLE  OPTIONAL, IN ACCESS_MASK, IN ULONG, IN ULONG> NtDuplicateObject;
1245 | typedef SneakCall<SneakHelper::hash("ZwQueryAttributesFile"), IN POBJECT_ATTRIBUTES, OUT PFILE_BASIC_INFORMATION> NtQueryAttributesFile;
1246 | typedef SneakCall<SneakHelper::hash("ZwClearEvent"), IN HANDLE> NtClearEvent;
1247 | typedef SneakCall<SneakHelper::hash("ZwReadVirtualMemory"), IN HANDLE, IN PVOID  OPTIONAL, OUT PVOID, IN SIZE_T, OUT PSIZE_T  OPTIONAL> NtReadVirtualMemory;
1248 | typedef SneakCall<SneakHelper::hash("ZwOpenEvent"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenEvent;
1249 | typedef SneakCall<SneakHelper::hash("ZwAdjustPrivilegesToken"), IN HANDLE, IN BOOLEAN, IN PTOKEN_PRIVILEGES  OPTIONAL, IN ULONG, OUT PTOKEN_PRIVILEGES  OPTIONAL, OUT PULONG  OPTIONAL> NtAdjustPrivilegesToken;
1250 | typedef SneakCall<SneakHelper::hash("ZwDuplicateToken"), IN HANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN BOOLEAN, IN TOKEN_TYPE, OUT PHANDLE> NtDuplicateToken;
1251 | typedef SneakCall<SneakHelper::hash("ZwContinue"), IN PCONTEXT, IN BOOLEAN> NtContinue;
1252 | typedef SneakCall<SneakHelper::hash("ZwQueryDefaultUILanguage"), OUT PLANGID> NtQueryDefaultUILanguage;
1253 | typedef SneakCall<SneakHelper::hash("ZwQueueApcThread"), IN HANDLE, IN PKNORMAL_ROUTINE, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL> NtQueueApcThread;
1254 | typedef SneakCall<SneakHelper::hash("ZwYieldExecution")> NtYieldExecution;
1255 | typedef SneakCall<SneakHelper::hash("ZwAddAtom"), IN PWSTR  OPTIONAL, IN ULONG, OUT PUSHORT  OPTIONAL> NtAddAtom;
1256 | typedef SneakCall<SneakHelper::hash("ZwCreateEvent"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN EVENT_TYPE, IN BOOLEAN> NtCreateEvent;
1257 | typedef SneakCall<SneakHelper::hash("ZwQueryVolumeInformationFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, OUT PVOID, IN ULONG, IN FSINFOCLASS> NtQueryVolumeInformationFile;
1258 | typedef SneakCall<SneakHelper::hash("ZwCreateSection"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL, IN ULONG, IN ULONG, IN HANDLE  OPTIONAL> NtCreateSection;
1259 | typedef SneakCall<SneakHelper::hash("ZwFlushBuffersFile"), IN HANDLE, OUT PIO_STATUS_BLOCK> NtFlushBuffersFile;
1260 | typedef SneakCall<SneakHelper::hash("ZwApphelpCacheControl"), IN APPHELPCACHESERVICECLASS, IN PVOID> NtApphelpCacheControl;
1261 | typedef SneakCall<SneakHelper::hash("ZwCreateProcessEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN HANDLE, IN ULONG, IN HANDLE  OPTIONAL, IN HANDLE  OPTIONAL, IN HANDLE  OPTIONAL, IN ULONG> NtCreateProcessEx;
1262 | typedef SneakCall<SneakHelper::hash("ZwCreateThread"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN HANDLE, OUT PCLIENT_ID, IN PCONTEXT, IN PUSER_STACK, IN BOOLEAN> NtCreateThread;
1263 | typedef SneakCall<SneakHelper::hash("ZwIsProcessInJob"), IN HANDLE, IN HANDLE  OPTIONAL> NtIsProcessInJob;
1264 | typedef SneakCall<SneakHelper::hash("ZwProtectVirtualMemory"), IN HANDLE, IN OUT PVOID *, IN OUT PSIZE_T, IN ULONG, OUT PULONG> NtProtectVirtualMemory;
1265 | typedef SneakCall<SneakHelper::hash("ZwQuerySection"), IN HANDLE, IN SECTION_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQuerySection;
1266 | typedef SneakCall<SneakHelper::hash("ZwResumeThread"), IN HANDLE, IN OUT PULONG  OPTIONAL> NtResumeThread;
1267 | typedef SneakCall<SneakHelper::hash("ZwTerminateThread"), IN HANDLE, IN NTSTATUS> NtTerminateThread;
1268 | typedef SneakCall<SneakHelper::hash("ZwReadRequestData"), IN HANDLE, IN PPORT_MESSAGE, IN ULONG, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtReadRequestData;
1269 | typedef SneakCall<SneakHelper::hash("ZwCreateFile"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, OUT PIO_STATUS_BLOCK, IN PLARGE_INTEGER  OPTIONAL, IN ULONG, IN ULONG, IN ULONG, IN ULONG, IN PVOID  OPTIONAL, IN ULONG> NtCreateFile;
1270 | typedef SneakCall<SneakHelper::hash("ZwQueryEvent"), IN HANDLE, IN EVENT_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryEvent;
1271 | typedef SneakCall<SneakHelper::hash("ZwWriteRequestData"), IN HANDLE, IN PPORT_MESSAGE, IN ULONG, IN PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtWriteRequestData;
1272 | typedef SneakCall<SneakHelper::hash("ZwOpenDirectoryObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenDirectoryObject;
1273 | typedef SneakCall<SneakHelper::hash("ZwAccessCheckByTypeAndAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN PUNICODE_STRING, IN PUNICODE_STRING, IN PSECURITY_DESCRIPTOR, IN PSID  OPTIONAL, IN ACCESS_MASK, IN AUDIT_EVENT_TYPE, IN ULONG, IN POBJECT_TYPE_LIST  OPTIONAL, IN ULONG, IN PGENERIC_MAPPING, IN BOOLEAN, OUT PACCESS_MASK, OUT PULONG, OUT PBOOLEAN> NtAccessCheckByTypeAndAuditAlarm;
1274 | typedef SneakCall<SneakHelper::hash("ZwWaitForMultipleObjects"), IN ULONG, IN PHANDLE, IN WAIT_TYPE, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL> NtWaitForMultipleObjects;
1275 | typedef SneakCall<SneakHelper::hash("ZwSetInformationObject"), IN HANDLE, IN OBJECT_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationObject;
1276 | typedef SneakCall<SneakHelper::hash("ZwCancelIoFile"), IN HANDLE, OUT PIO_STATUS_BLOCK> NtCancelIoFile;
1277 | typedef SneakCall<SneakHelper::hash("ZwTraceEvent"), IN HANDLE, IN ULONG, IN ULONG, IN PVOID> NtTraceEvent;
1278 | typedef SneakCall<SneakHelper::hash("ZwPowerInformation"), IN POWER_INFORMATION_LEVEL, IN PVOID  OPTIONAL, IN ULONG, OUT PVOID  OPTIONAL, IN ULONG> NtPowerInformation;
1279 | typedef SneakCall<SneakHelper::hash("ZwSetValueKey"), IN HANDLE, IN PUNICODE_STRING, IN ULONG  OPTIONAL, IN ULONG, IN PVOID, IN ULONG> NtSetValueKey;
1280 | typedef SneakCall<SneakHelper::hash("ZwCancelTimer"), IN HANDLE, OUT PBOOLEAN  OPTIONAL> NtCancelTimer;
1281 | typedef SneakCall<SneakHelper::hash("ZwSetTimer"), IN HANDLE, IN PLARGE_INTEGER, IN PTIMER_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, IN BOOLEAN, IN LONG  OPTIONAL, OUT PBOOLEAN  OPTIONAL> NtSetTimer;
1282 | typedef SneakCall<SneakHelper::hash("ZwAccessCheckByType"), IN PSECURITY_DESCRIPTOR, IN PSID  OPTIONAL, IN HANDLE, IN ULONG, IN POBJECT_TYPE_LIST, IN ULONG, IN PGENERIC_MAPPING, OUT PPRIVILEGE_SET, IN OUT PULONG, OUT PACCESS_MASK, OUT PULONG> NtAccessCheckByType;
1283 | typedef SneakCall<SneakHelper::hash("ZwAccessCheckByTypeResultList"), IN PSECURITY_DESCRIPTOR, IN PSID  OPTIONAL, IN HANDLE, IN ACCESS_MASK, IN POBJECT_TYPE_LIST, IN ULONG, IN PGENERIC_MAPPING, OUT PPRIVILEGE_SET, IN OUT PULONG, OUT PACCESS_MASK, OUT PULONG> NtAccessCheckByTypeResultList;
1284 | typedef SneakCall<SneakHelper::hash("ZwAccessCheckByTypeResultListAndAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN PUNICODE_STRING, IN PUNICODE_STRING, IN PSECURITY_DESCRIPTOR, IN PSID  OPTIONAL, IN ACCESS_MASK, IN AUDIT_EVENT_TYPE, IN ULONG, IN POBJECT_TYPE_LIST  OPTIONAL, IN ULONG, IN PGENERIC_MAPPING, IN BOOLEAN, OUT PACCESS_MASK, OUT PULONG, OUT PULONG> NtAccessCheckByTypeResultListAndAuditAlarm;
1285 | typedef SneakCall<SneakHelper::hash("ZwAccessCheckByTypeResultListAndAuditAlarmByHandle"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN HANDLE, IN PUNICODE_STRING, IN PUNICODE_STRING, IN PSECURITY_DESCRIPTOR, IN PSID  OPTIONAL, IN ACCESS_MASK, IN AUDIT_EVENT_TYPE, IN ULONG, IN POBJECT_TYPE_LIST  OPTIONAL, IN ULONG, IN PGENERIC_MAPPING, IN BOOLEAN, OUT PACCESS_MASK, OUT PULONG, OUT PULONG> NtAccessCheckByTypeResultListAndAuditAlarmByHandle;
1286 | typedef SneakCall<SneakHelper::hash("ZwAcquireProcessActivityReference")> NtAcquireProcessActivityReference;
1287 | typedef SneakCall<SneakHelper::hash("ZwAddAtomEx"), IN PWSTR, IN ULONG, IN PRTL_ATOM, IN ULONG> NtAddAtomEx;
1288 | typedef SneakCall<SneakHelper::hash("ZwAddBootEntry"), IN PBOOT_ENTRY, OUT PULONG  OPTIONAL> NtAddBootEntry;
1289 | typedef SneakCall<SneakHelper::hash("ZwAddDriverEntry"), IN PEFI_DRIVER_ENTRY, OUT PULONG  OPTIONAL> NtAddDriverEntry;
1290 | typedef SneakCall<SneakHelper::hash("ZwAdjustGroupsToken"), IN HANDLE, IN BOOLEAN, IN PTOKEN_GROUPS  OPTIONAL, IN ULONG  OPTIONAL, OUT PTOKEN_GROUPS  OPTIONAL, OUT PULONG> NtAdjustGroupsToken;
1291 | typedef SneakCall<SneakHelper::hash("ZwAdjustTokenClaimsAndDeviceGroups"), IN HANDLE, IN BOOLEAN, IN BOOLEAN, IN BOOLEAN, IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN PTOKEN_GROUPS  OPTIONAL, IN ULONG, OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN ULONG, OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN ULONG, OUT PTOKEN_GROUPS  OPTIONAL, OUT PULONG  OPTIONAL, OUT PULONG  OPTIONAL, OUT PULONG  OPTIONAL> NtAdjustTokenClaimsAndDeviceGroups;
1292 | typedef SneakCall<SneakHelper::hash("ZwAlertResumeThread"), IN HANDLE, OUT PULONG  OPTIONAL> NtAlertResumeThread;
1293 | typedef SneakCall<SneakHelper::hash("ZwAlertThread"), IN HANDLE> NtAlertThread;
1294 | typedef SneakCall<SneakHelper::hash("ZwAlertThreadByThreadId"), IN ULONG> NtAlertThreadByThreadId;
1295 | typedef SneakCall<SneakHelper::hash("ZwAllocateLocallyUniqueId"), OUT PLUID> NtAllocateLocallyUniqueId;
1296 | typedef SneakCall<SneakHelper::hash("ZwAllocateReserveObject"), OUT PHANDLE, IN POBJECT_ATTRIBUTES, IN MEMORY_RESERVE_TYPE> NtAllocateReserveObject;
1297 | typedef SneakCall<SneakHelper::hash("ZwAllocateUserPhysicalPages"), IN HANDLE, IN OUT PULONG, OUT PULONG> NtAllocateUserPhysicalPages;
1298 | typedef SneakCall<SneakHelper::hash("ZwAllocateUuids"), OUT PLARGE_INTEGER, OUT PULONG, OUT PULONG, OUT PUCHAR> NtAllocateUuids;
1299 | typedef SneakCall<SneakHelper::hash("ZwAllocateVirtualMemoryEx"), IN HANDLE, IN OUT PPVOID, IN ULONG_PTR, IN OUT PSIZE_T, IN ULONG, IN OUT PVOID  OPTIONAL, IN ULONG> NtAllocateVirtualMemoryEx;
1300 | typedef SneakCall<SneakHelper::hash("ZwAlpcAcceptConnectPort"), OUT PHANDLE, IN HANDLE, IN ULONG, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PALPC_PORT_ATTRIBUTES  OPTIONAL, IN PVOID  OPTIONAL, IN PPORT_MESSAGE, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, IN BOOLEAN> NtAlpcAcceptConnectPort;
1301 | typedef SneakCall<SneakHelper::hash("ZwAlpcCancelMessage"), IN HANDLE, IN ULONG, IN PALPC_CONTEXT_ATTR> NtAlpcCancelMessage;
1302 | typedef SneakCall<SneakHelper::hash("ZwAlpcConnectPort"), OUT PHANDLE, IN PUNICODE_STRING, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PALPC_PORT_ATTRIBUTES  OPTIONAL, IN ULONG, IN PSID  OPTIONAL, IN OUT PPORT_MESSAGE  OPTIONAL, IN OUT PULONG  OPTIONAL, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL> NtAlpcConnectPort;
1303 | typedef SneakCall<SneakHelper::hash("ZwAlpcConnectPortEx"), OUT PHANDLE, IN POBJECT_ATTRIBUTES, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PALPC_PORT_ATTRIBUTES  OPTIONAL, IN ULONG, IN PSECURITY_DESCRIPTOR  OPTIONAL, IN OUT PPORT_MESSAGE  OPTIONAL, IN OUT PSIZE_T  OPTIONAL, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL> NtAlpcConnectPortEx;
1304 | typedef SneakCall<SneakHelper::hash("ZwAlpcCreatePort"), OUT PHANDLE, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PALPC_PORT_ATTRIBUTES  OPTIONAL> NtAlpcCreatePort;
1305 | typedef SneakCall<SneakHelper::hash("ZwAlpcCreatePortSection"), IN HANDLE, IN ULONG, IN HANDLE  OPTIONAL, IN SIZE_T, OUT PHANDLE, OUT PSIZE_T> NtAlpcCreatePortSection;
1306 | typedef SneakCall<SneakHelper::hash("ZwAlpcCreateResourceReserve"), IN HANDLE, IN ULONG, IN SIZE_T, OUT PHANDLE> NtAlpcCreateResourceReserve;
1307 | typedef SneakCall<SneakHelper::hash("ZwAlpcCreateSectionView"), IN HANDLE, IN ULONG, IN OUT PALPC_DATA_VIEW_ATTR> NtAlpcCreateSectionView;
1308 | typedef SneakCall<SneakHelper::hash("ZwAlpcCreateSecurityContext"), IN HANDLE, IN ULONG, IN OUT PALPC_SECURITY_ATTR> NtAlpcCreateSecurityContext;
1309 | typedef SneakCall<SneakHelper::hash("ZwAlpcDeletePortSection"), IN HANDLE, IN ULONG, IN HANDLE> NtAlpcDeletePortSection;
1310 | typedef SneakCall<SneakHelper::hash("ZwAlpcDeleteResourceReserve"), IN HANDLE, IN ULONG, IN HANDLE> NtAlpcDeleteResourceReserve;
1311 | typedef SneakCall<SneakHelper::hash("ZwAlpcDeleteSectionView"), IN HANDLE, IN ULONG, IN PVOID> NtAlpcDeleteSectionView;
1312 | typedef SneakCall<SneakHelper::hash("ZwAlpcDeleteSecurityContext"), IN HANDLE, IN ULONG, IN HANDLE> NtAlpcDeleteSecurityContext;
1313 | typedef SneakCall<SneakHelper::hash("ZwAlpcDisconnectPort"), IN HANDLE, IN ULONG> NtAlpcDisconnectPort;
1314 | typedef SneakCall<SneakHelper::hash("ZwAlpcImpersonateClientContainerOfPort"), IN HANDLE, IN PPORT_MESSAGE, IN ULONG> NtAlpcImpersonateClientContainerOfPort;
1315 | typedef SneakCall<SneakHelper::hash("ZwAlpcImpersonateClientOfPort"), IN HANDLE, IN PPORT_MESSAGE, IN PVOID> NtAlpcImpersonateClientOfPort;
1316 | typedef SneakCall<SneakHelper::hash("ZwAlpcOpenSenderProcess"), OUT PHANDLE, IN HANDLE, IN PPORT_MESSAGE, IN ULONG, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtAlpcOpenSenderProcess;
1317 | typedef SneakCall<SneakHelper::hash("ZwAlpcOpenSenderThread"), OUT PHANDLE, IN HANDLE, IN PPORT_MESSAGE, IN ULONG, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtAlpcOpenSenderThread;
1318 | typedef SneakCall<SneakHelper::hash("ZwAlpcQueryInformation"), IN HANDLE  OPTIONAL, IN ALPC_PORT_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtAlpcQueryInformation;
1319 | typedef SneakCall<SneakHelper::hash("ZwAlpcQueryInformationMessage"), IN HANDLE, IN PPORT_MESSAGE, IN ALPC_MESSAGE_INFORMATION_CLASS, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG  OPTIONAL> NtAlpcQueryInformationMessage;
1320 | typedef SneakCall<SneakHelper::hash("ZwAlpcRevokeSecurityContext"), IN HANDLE, IN ULONG, IN HANDLE> NtAlpcRevokeSecurityContext;
1321 | typedef SneakCall<SneakHelper::hash("ZwAlpcSendWaitReceivePort"), IN HANDLE, IN ULONG, IN PPORT_MESSAGE  OPTIONAL, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, OUT PPORT_MESSAGE  OPTIONAL, IN OUT PSIZE_T  OPTIONAL, IN OUT PALPC_MESSAGE_ATTRIBUTES  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL> NtAlpcSendWaitReceivePort;
1322 | typedef SneakCall<SneakHelper::hash("ZwAlpcSetInformation"), IN HANDLE, IN ALPC_PORT_INFORMATION_CLASS, IN PVOID  OPTIONAL, IN ULONG> NtAlpcSetInformation;
1323 | typedef SneakCall<SneakHelper::hash("ZwAreMappedFilesTheSame"), IN PVOID, IN PVOID> NtAreMappedFilesTheSame;
1324 | typedef SneakCall<SneakHelper::hash("ZwAssignProcessToJobObject"), IN HANDLE, IN HANDLE> NtAssignProcessToJobObject;
1325 | typedef SneakCall<SneakHelper::hash("ZwAssociateWaitCompletionPacket"), IN HANDLE, IN HANDLE, IN HANDLE, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL, IN NTSTATUS, IN ULONG_PTR, OUT PBOOLEAN OPTIONAL> NtAssociateWaitCompletionPacket;
1326 | typedef SneakCall<SneakHelper::hash("ZwCallEnclave"), IN PENCLAVE_ROUTINE, IN PVOID, IN BOOLEAN, IN OUT PVOID OPTIONAL> NtCallEnclave;
1327 | typedef SneakCall<SneakHelper::hash("ZwCancelIoFileEx"), IN HANDLE, IN PIO_STATUS_BLOCK  OPTIONAL, OUT PIO_STATUS_BLOCK> NtCancelIoFileEx;
1328 | typedef SneakCall<SneakHelper::hash("ZwCancelSynchronousIoFile"), IN HANDLE, IN PIO_STATUS_BLOCK  OPTIONAL, OUT PIO_STATUS_BLOCK> NtCancelSynchronousIoFile;
1329 | typedef SneakCall<SneakHelper::hash("ZwCancelTimer2"), IN HANDLE, IN PT2_CANCEL_PARAMETERS> NtCancelTimer2;
1330 | typedef SneakCall<SneakHelper::hash("ZwCancelWaitCompletionPacket"), IN HANDLE, IN BOOLEAN> NtCancelWaitCompletionPacket;
1331 | typedef SneakCall<SneakHelper::hash("ZwCommitComplete"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtCommitComplete;
1332 | typedef SneakCall<SneakHelper::hash("ZwCommitEnlistment"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtCommitEnlistment;
1333 | typedef SneakCall<SneakHelper::hash("ZwCommitRegistryTransaction"), IN HANDLE, IN BOOL> NtCommitRegistryTransaction;
1334 | typedef SneakCall<SneakHelper::hash("ZwCommitTransaction"), IN HANDLE, IN BOOLEAN> NtCommitTransaction;
1335 | typedef SneakCall<SneakHelper::hash("ZwCompactKeys"), IN ULONG, IN HANDLE> NtCompactKeys;
1336 | typedef SneakCall<SneakHelper::hash("ZwCompareObjects"), IN HANDLE, IN HANDLE> NtCompareObjects;
1337 | typedef SneakCall<SneakHelper::hash("ZwCompareSigningLevels"), IN ULONG, IN ULONG> NtCompareSigningLevels;
1338 | typedef SneakCall<SneakHelper::hash("ZwCompareTokens"), IN HANDLE, IN HANDLE, OUT PBOOLEAN> NtCompareTokens;
1339 | typedef SneakCall<SneakHelper::hash("ZwCompleteConnectPort"), IN HANDLE> NtCompleteConnectPort;
1340 | typedef SneakCall<SneakHelper::hash("ZwCompressKey"), IN HANDLE> NtCompressKey;
1341 | typedef SneakCall<SneakHelper::hash("ZwConnectPort"), OUT PHANDLE, IN PUNICODE_STRING, IN PSECURITY_QUALITY_OF_SERVICE, IN OUT PPORT_SECTION_WRITE  OPTIONAL, IN OUT PPORT_SECTION_READ  OPTIONAL, OUT PULONG  OPTIONAL, IN OUT PVOID  OPTIONAL, IN OUT PULONG  OPTIONAL> NtConnectPort;
1342 | typedef SneakCall<SneakHelper::hash("ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter"), IN ULONG, IN ULONG, IN ULONG, IN ULONG> NtConvertBetweenAuxiliaryCounterAndPerformanceCounter;
1343 | typedef SneakCall<SneakHelper::hash("ZwCreateDebugObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG> NtCreateDebugObject;
1344 | typedef SneakCall<SneakHelper::hash("ZwCreateDirectoryObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtCreateDirectoryObject;
1345 | typedef SneakCall<SneakHelper::hash("ZwCreateDirectoryObjectEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN HANDLE, IN ULONG> NtCreateDirectoryObjectEx;
1346 | typedef SneakCall<SneakHelper::hash("ZwCreateEnclave"), IN HANDLE, IN OUT PVOID, IN ULONG_PTR, IN SIZE_T, IN SIZE_T, IN ULONG, IN PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtCreateEnclave;
1347 | typedef SneakCall<SneakHelper::hash("ZwCreateEnlistment"), OUT PHANDLE, IN ACCESS_MASK, IN HANDLE, IN HANDLE, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG  OPTIONAL, IN NOTIFICATION_MASK, IN PVOID  OPTIONAL> NtCreateEnlistment;
1348 | typedef SneakCall<SneakHelper::hash("ZwCreateEventPair"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL> NtCreateEventPair;
1349 | typedef SneakCall<SneakHelper::hash("ZwCreateIRTimer"), OUT PHANDLE, IN ACCESS_MASK> NtCreateIRTimer;
1350 | typedef SneakCall<SneakHelper::hash("ZwCreateIoCompletion"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG  OPTIONAL> NtCreateIoCompletion;
1351 | typedef SneakCall<SneakHelper::hash("ZwCreateJobObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL> NtCreateJobObject;
1352 | typedef SneakCall<SneakHelper::hash("ZwCreateJobSet"), IN ULONG, IN PJOB_SET_ARRAY, IN ULONG> NtCreateJobSet;
1353 | typedef SneakCall<SneakHelper::hash("ZwCreateKeyTransacted"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG, IN PUNICODE_STRING  OPTIONAL, IN ULONG, IN HANDLE, OUT PULONG  OPTIONAL> NtCreateKeyTransacted;
1354 | typedef SneakCall<SneakHelper::hash("ZwCreateKeyedEvent"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG> NtCreateKeyedEvent;
1355 | typedef SneakCall<SneakHelper::hash("ZwCreateLowBoxToken"), OUT PHANDLE, IN HANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PSID, IN ULONG, IN PSID_AND_ATTRIBUTES  OPTIONAL, IN ULONG, IN HANDLE  OPTIONAL> NtCreateLowBoxToken;
1356 | typedef SneakCall<SneakHelper::hash("ZwCreateMailslotFile"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, OUT PIO_STATUS_BLOCK, IN ULONG, IN ULONG, IN ULONG, IN PLARGE_INTEGER> NtCreateMailslotFile;
1357 | typedef SneakCall<SneakHelper::hash("ZwCreateMutant"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN BOOLEAN> NtCreateMutant;
1358 | typedef SneakCall<SneakHelper::hash("ZwCreateNamedPipeFile"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, OUT PIO_STATUS_BLOCK, IN ULONG, IN ULONG, IN ULONG, IN BOOLEAN, IN BOOLEAN, IN BOOLEAN, IN ULONG, IN ULONG, IN ULONG, IN PLARGE_INTEGER  OPTIONAL> NtCreateNamedPipeFile;
1359 | typedef SneakCall<SneakHelper::hash("ZwCreatePagingFile"), IN PUNICODE_STRING, IN PULARGE_INTEGER, IN PULARGE_INTEGER, IN ULONG> NtCreatePagingFile;
1360 | typedef SneakCall<SneakHelper::hash("ZwCreatePartition"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG> NtCreatePartition;
1361 | typedef SneakCall<SneakHelper::hash("ZwCreatePort"), OUT PHANDLE, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG, IN ULONG, IN ULONG  OPTIONAL> NtCreatePort;
1362 | typedef SneakCall<SneakHelper::hash("ZwCreatePrivateNamespace"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN PVOID> NtCreatePrivateNamespace;
1363 | typedef SneakCall<SneakHelper::hash("ZwCreateProcess"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN HANDLE, IN BOOLEAN, IN HANDLE  OPTIONAL, IN HANDLE  OPTIONAL, IN HANDLE  OPTIONAL> NtCreateProcess;
1364 | typedef SneakCall<SneakHelper::hash("ZwCreateProfile"), OUT PHANDLE, IN HANDLE  OPTIONAL, IN PVOID, IN ULONG, IN ULONG, IN PULONG, IN ULONG, IN KPROFILE_SOURCE, IN ULONG> NtCreateProfile;
1365 | typedef SneakCall<SneakHelper::hash("ZwCreateProfileEx"), OUT PHANDLE, IN HANDLE  OPTIONAL, IN PVOID, IN SIZE_T, IN ULONG, IN PULONG, IN ULONG, IN KPROFILE_SOURCE, IN USHORT, IN PGROUP_AFFINITY> NtCreateProfileEx;
1366 | typedef SneakCall<SneakHelper::hash("ZwCreateRegistryTransaction"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN DWORD> NtCreateRegistryTransaction;
1367 | typedef SneakCall<SneakHelper::hash("ZwCreateResourceManager"), OUT PHANDLE, IN ACCESS_MASK, IN HANDLE, IN LPGUID, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG  OPTIONAL, IN PUNICODE_STRING  OPTIONAL> NtCreateResourceManager;
1368 | typedef SneakCall<SneakHelper::hash("ZwCreateSemaphore"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN LONG, IN LONG> NtCreateSemaphore;
1369 | typedef SneakCall<SneakHelper::hash("ZwCreateSymbolicLinkObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN PUNICODE_STRING> NtCreateSymbolicLinkObject;
1370 | typedef SneakCall<SneakHelper::hash("ZwCreateThreadEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN HANDLE, IN PVOID, IN PVOID  OPTIONAL, IN ULONG, IN SIZE_T, IN SIZE_T, IN SIZE_T, IN PPS_ATTRIBUTE_LIST  OPTIONAL> NtCreateThreadEx;
1371 | typedef SneakCall<SneakHelper::hash("ZwCreateTimer"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN TIMER_TYPE> NtCreateTimer;
1372 | typedef SneakCall<SneakHelper::hash("ZwCreateTimer2"), OUT PHANDLE, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL, IN ULONG, IN ACCESS_MASK> NtCreateTimer2;
1373 | typedef SneakCall<SneakHelper::hash("ZwCreateToken"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN TOKEN_TYPE, IN PLUID, IN PLARGE_INTEGER, IN PTOKEN_USER, IN PTOKEN_GROUPS, IN PTOKEN_PRIVILEGES, IN PTOKEN_OWNER  OPTIONAL, IN PTOKEN_PRIMARY_GROUP, IN PTOKEN_DEFAULT_DACL  OPTIONAL, IN PTOKEN_SOURCE> NtCreateToken;
1374 | typedef SneakCall<SneakHelper::hash("ZwCreateTokenEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN TOKEN_TYPE, IN PLUID, IN PLARGE_INTEGER, IN PTOKEN_USER, IN PTOKEN_GROUPS, IN PTOKEN_PRIVILEGES, IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN PTOKEN_GROUPS  OPTIONAL, IN PTOKEN_MANDATORY_POLICY  OPTIONAL, IN PTOKEN_OWNER  OPTIONAL, IN PTOKEN_PRIMARY_GROUP, IN PTOKEN_DEFAULT_DACL  OPTIONAL, IN PTOKEN_SOURCE> NtCreateTokenEx;
1375 | typedef SneakCall<SneakHelper::hash("ZwCreateTransaction"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN LPGUID  OPTIONAL, IN HANDLE  OPTIONAL, IN ULONG  OPTIONAL, IN ULONG  OPTIONAL, IN ULONG  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL, IN PUNICODE_STRING  OPTIONAL> NtCreateTransaction;
1376 | typedef SneakCall<SneakHelper::hash("ZwCreateTransactionManager"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PUNICODE_STRING  OPTIONAL, IN ULONG  OPTIONAL, IN ULONG  OPTIONAL> NtCreateTransactionManager;
1377 | typedef SneakCall<SneakHelper::hash("ZwCreateUserProcess"), OUT PHANDLE, OUT PHANDLE, IN ACCESS_MASK, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG, IN ULONG, IN PVOID  OPTIONAL, IN OUT PPS_CREATE_INFO, IN PPS_ATTRIBUTE_LIST  OPTIONAL> NtCreateUserProcess;
1378 | typedef SneakCall<SneakHelper::hash("ZwCreateWaitCompletionPacket"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL> NtCreateWaitCompletionPacket;
1379 | typedef SneakCall<SneakHelper::hash("ZwCreateWaitablePort"), OUT PHANDLE, IN POBJECT_ATTRIBUTES  OPTIONAL, IN ULONG, IN ULONG, IN ULONG  OPTIONAL> NtCreateWaitablePort;
1380 | typedef SneakCall<SneakHelper::hash("ZwCreateWnfStateName"), OUT PCWNF_STATE_NAME, IN WNF_STATE_NAME_LIFETIME, IN WNF_DATA_SCOPE, IN BOOLEAN, IN PCWNF_TYPE_ID  OPTIONAL, IN ULONG, IN PSECURITY_DESCRIPTOR> NtCreateWnfStateName;
1381 | typedef SneakCall<SneakHelper::hash("ZwCreateWorkerFactory"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN HANDLE, IN HANDLE, IN PVOID, IN PVOID  OPTIONAL, IN ULONG  OPTIONAL, IN SIZE_T  OPTIONAL, IN SIZE_T  OPTIONAL> NtCreateWorkerFactory;
1382 | typedef SneakCall<SneakHelper::hash("ZwDebugActiveProcess"), IN HANDLE, IN HANDLE> NtDebugActiveProcess;
1383 | typedef SneakCall<SneakHelper::hash("ZwDebugContinue"), IN HANDLE, IN PCLIENT_ID, IN NTSTATUS> NtDebugContinue;
1384 | typedef SneakCall<SneakHelper::hash("ZwDeleteAtom"), IN USHORT> NtDeleteAtom;
1385 | typedef SneakCall<SneakHelper::hash("ZwDeleteBootEntry"), IN ULONG> NtDeleteBootEntry;
1386 | typedef SneakCall<SneakHelper::hash("ZwDeleteDriverEntry"), IN ULONG> NtDeleteDriverEntry;
1387 | typedef SneakCall<SneakHelper::hash("ZwDeleteFile"), IN POBJECT_ATTRIBUTES> NtDeleteFile;
1388 | typedef SneakCall<SneakHelper::hash("ZwDeleteKey"), IN HANDLE> NtDeleteKey;
1389 | typedef SneakCall<SneakHelper::hash("ZwDeleteObjectAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN BOOLEAN> NtDeleteObjectAuditAlarm;
1390 | typedef SneakCall<SneakHelper::hash("ZwDeletePrivateNamespace"), IN HANDLE> NtDeletePrivateNamespace;
1391 | typedef SneakCall<SneakHelper::hash("ZwDeleteValueKey"), IN HANDLE, IN PUNICODE_STRING> NtDeleteValueKey;
1392 | typedef SneakCall<SneakHelper::hash("ZwDeleteWnfStateData"), IN PCWNF_STATE_NAME, IN PVOID  OPTIONAL> NtDeleteWnfStateData;
1393 | typedef SneakCall<SneakHelper::hash("ZwDeleteWnfStateName"), IN PCWNF_STATE_NAME> NtDeleteWnfStateName;
1394 | typedef SneakCall<SneakHelper::hash("ZwDisableLastKnownGood")> NtDisableLastKnownGood;
1395 | typedef SneakCall<SneakHelper::hash("ZwDisplayString"), IN PUNICODE_STRING> NtDisplayString;
1396 | typedef SneakCall<SneakHelper::hash("ZwDrawText"), IN PUNICODE_STRING> NtDrawText;
1397 | typedef SneakCall<SneakHelper::hash("ZwEnableLastKnownGood")> NtEnableLastKnownGood;
1398 | typedef SneakCall<SneakHelper::hash("ZwEnumerateBootEntries"), OUT PVOID  OPTIONAL, IN OUT PULONG> NtEnumerateBootEntries;
1399 | typedef SneakCall<SneakHelper::hash("ZwEnumerateDriverEntries"), OUT PVOID  OPTIONAL, IN OUT PULONG> NtEnumerateDriverEntries;
1400 | typedef SneakCall<SneakHelper::hash("ZwEnumerateSystemEnvironmentValuesEx"), IN ULONG, OUT PVOID, IN OUT PULONG> NtEnumerateSystemEnvironmentValuesEx;
1401 | typedef SneakCall<SneakHelper::hash("ZwEnumerateTransactionObject"), IN HANDLE  OPTIONAL, IN KTMOBJECT_TYPE, IN OUT PKTMOBJECT_CURSOR, IN ULONG, OUT PULONG> NtEnumerateTransactionObject;
1402 | typedef SneakCall<SneakHelper::hash("ZwExtendSection"), IN HANDLE, IN OUT PLARGE_INTEGER> NtExtendSection;
1403 | typedef SneakCall<SneakHelper::hash("ZwFilterBootOption"), IN FILTER_BOOT_OPTION_OPERATION, IN ULONG, IN ULONG, IN PVOID  OPTIONAL, IN ULONG> NtFilterBootOption;
1404 | typedef SneakCall<SneakHelper::hash("ZwFilterToken"), IN HANDLE, IN ULONG, IN PTOKEN_GROUPS  OPTIONAL, IN PTOKEN_PRIVILEGES  OPTIONAL, IN PTOKEN_GROUPS  OPTIONAL, OUT PHANDLE> NtFilterToken;
1405 | typedef SneakCall<SneakHelper::hash("ZwFilterTokenEx"), IN HANDLE, IN ULONG, IN PTOKEN_GROUPS  OPTIONAL, IN PTOKEN_PRIVILEGES  OPTIONAL, IN PTOKEN_GROUPS  OPTIONAL, IN ULONG, IN PUNICODE_STRING  OPTIONAL, IN ULONG, IN PUNICODE_STRING  OPTIONAL, IN PTOKEN_GROUPS  OPTIONAL, IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION  OPTIONAL, IN PTOKEN_GROUPS  OPTIONAL, OUT PHANDLE> NtFilterTokenEx;
1406 | typedef SneakCall<SneakHelper::hash("ZwFlushBuffersFileEx"), IN HANDLE, IN ULONG, IN PVOID, IN ULONG, OUT PIO_STATUS_BLOCK> NtFlushBuffersFileEx;
1407 | typedef SneakCall<SneakHelper::hash("ZwFlushInstallUILanguage"), IN LANGID, IN ULONG> NtFlushInstallUILanguage;
1408 | typedef SneakCall<SneakHelper::hash("ZwFlushInstructionCache"), IN HANDLE, IN PVOID  OPTIONAL, IN ULONG> NtFlushInstructionCache;
1409 | typedef SneakCall<SneakHelper::hash("ZwFlushKey"), IN HANDLE> NtFlushKey;
1410 | typedef SneakCall<SneakHelper::hash("ZwFlushProcessWriteBuffers")> NtFlushProcessWriteBuffers;
1411 | typedef SneakCall<SneakHelper::hash("ZwFlushVirtualMemory"), IN HANDLE, IN OUT PVOID, IN OUT PULONG, OUT PIO_STATUS_BLOCK> NtFlushVirtualMemory;
1412 | typedef SneakCall<SneakHelper::hash("ZwFlushWriteBuffer")> NtFlushWriteBuffer;
1413 | typedef SneakCall<SneakHelper::hash("ZwFreeUserPhysicalPages"), IN HANDLE, IN OUT PULONG, IN PULONG> NtFreeUserPhysicalPages;
1414 | typedef SneakCall<SneakHelper::hash("ZwFreezeRegistry"), IN ULONG> NtFreezeRegistry;
1415 | typedef SneakCall<SneakHelper::hash("ZwFreezeTransactions"), IN PLARGE_INTEGER, IN PLARGE_INTEGER> NtFreezeTransactions;
1416 | typedef SneakCall<SneakHelper::hash("ZwGetCachedSigningLevel"), IN HANDLE, OUT PULONG, OUT PSE_SIGNING_LEVEL, OUT PUCHAR  OPTIONAL, IN OUT PULONG  OPTIONAL, OUT PULONG  OPTIONAL> NtGetCachedSigningLevel;
1417 | typedef SneakCall<SneakHelper::hash("ZwGetCompleteWnfStateSubscription"), IN PCWNF_STATE_NAME  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL, IN ULONG  OPTIONAL, IN ULONG  OPTIONAL, OUT PWNF_DELIVERY_DESCRIPTOR, IN ULONG> NtGetCompleteWnfStateSubscription;
1418 | typedef SneakCall<SneakHelper::hash("ZwGetContextThread"), IN HANDLE, IN OUT PCONTEXT> NtGetContextThread;
1419 | typedef SneakCall<SneakHelper::hash("ZwGetCurrentProcessorNumber")> NtGetCurrentProcessorNumber;
1420 | typedef SneakCall<SneakHelper::hash("ZwGetCurrentProcessorNumberEx"), OUT PULONG  OPTIONAL> NtGetCurrentProcessorNumberEx;
1421 | typedef SneakCall<SneakHelper::hash("ZwGetDevicePowerState"), IN HANDLE, OUT PDEVICE_POWER_STATE> NtGetDevicePowerState;
1422 | typedef SneakCall<SneakHelper::hash("ZwGetMUIRegistryInfo"), IN ULONG, IN OUT PULONG, OUT PVOID> NtGetMUIRegistryInfo;
1423 | typedef SneakCall<SneakHelper::hash("ZwGetNextProcess"), IN HANDLE, IN ACCESS_MASK, IN ULONG, IN ULONG, OUT PHANDLE> NtGetNextProcess;
1424 | typedef SneakCall<SneakHelper::hash("ZwGetNextThread"), IN HANDLE, IN HANDLE, IN ACCESS_MASK, IN ULONG, IN ULONG, OUT PHANDLE> NtGetNextThread;
1425 | typedef SneakCall<SneakHelper::hash("ZwGetNlsSectionPtr"), IN ULONG, IN ULONG, IN PVOID, OUT PVOID, OUT PULONG> NtGetNlsSectionPtr;
1426 | typedef SneakCall<SneakHelper::hash("ZwGetNotificationResourceManager"), IN HANDLE, OUT PTRANSACTION_NOTIFICATION, IN ULONG, IN PLARGE_INTEGER  OPTIONAL, OUT PULONG  OPTIONAL, IN ULONG, IN ULONG  OPTIONAL> NtGetNotificationResourceManager;
1427 | typedef SneakCall<SneakHelper::hash("ZwGetWriteWatch"), IN HANDLE, IN ULONG, IN PVOID, IN ULONG, OUT PULONG, IN OUT PULONG, OUT PULONG> NtGetWriteWatch;
1428 | typedef SneakCall<SneakHelper::hash("ZwImpersonateAnonymousToken"), IN HANDLE> NtImpersonateAnonymousToken;
1429 | typedef SneakCall<SneakHelper::hash("ZwImpersonateThread"), IN HANDLE, IN HANDLE, IN PSECURITY_QUALITY_OF_SERVICE> NtImpersonateThread;
1430 | typedef SneakCall<SneakHelper::hash("ZwInitializeEnclave"), IN HANDLE, IN PVOID, IN PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtInitializeEnclave;
1431 | typedef SneakCall<SneakHelper::hash("ZwInitializeNlsFiles"), OUT PVOID, OUT PLCID, OUT PLARGE_INTEGER> NtInitializeNlsFiles;
1432 | typedef SneakCall<SneakHelper::hash("ZwInitializeRegistry"), IN USHORT> NtInitializeRegistry;
1433 | typedef SneakCall<SneakHelper::hash("ZwInitiatePowerAction"), IN POWER_ACTION, IN SYSTEM_POWER_STATE, IN ULONG, IN BOOLEAN> NtInitiatePowerAction;
1434 | typedef SneakCall<SneakHelper::hash("ZwIsSystemResumeAutomatic")> NtIsSystemResumeAutomatic;
1435 | typedef SneakCall<SneakHelper::hash("ZwIsUILanguageComitted")> NtIsUILanguageComitted;
1436 | typedef SneakCall<SneakHelper::hash("ZwListenPort"), IN HANDLE, OUT PPORT_MESSAGE> NtListenPort;
1437 | typedef SneakCall<SneakHelper::hash("ZwLoadDriver"), IN PUNICODE_STRING> NtLoadDriver;
1438 | typedef SneakCall<SneakHelper::hash("ZwLoadEnclaveData"), IN HANDLE, IN PVOID, IN PVOID, IN SIZE_T, IN ULONG, IN PVOID, IN ULONG, OUT PSIZE_T  OPTIONAL, OUT PULONG  OPTIONAL> NtLoadEnclaveData;
1439 | typedef SneakCall<SneakHelper::hash("ZwLoadHotPatch"), IN PUNICODE_STRING, IN ULONG> NtLoadHotPatch;
1440 | typedef SneakCall<SneakHelper::hash("ZwLoadKey"), IN POBJECT_ATTRIBUTES, IN POBJECT_ATTRIBUTES> NtLoadKey;
1441 | typedef SneakCall<SneakHelper::hash("ZwLoadKey2"), IN POBJECT_ATTRIBUTES, IN POBJECT_ATTRIBUTES, IN ULONG> NtLoadKey2;
1442 | typedef SneakCall<SneakHelper::hash("ZwLoadKeyEx"), IN POBJECT_ATTRIBUTES, IN POBJECT_ATTRIBUTES, IN ULONG, IN HANDLE  OPTIONAL, IN HANDLE  OPTIONAL, IN ACCESS_MASK  OPTIONAL, OUT PHANDLE  OPTIONAL, OUT PIO_STATUS_BLOCK  OPTIONAL> NtLoadKeyEx;
1443 | typedef SneakCall<SneakHelper::hash("ZwLockFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN PULARGE_INTEGER, IN PULARGE_INTEGER, IN ULONG, IN BOOLEAN, IN BOOLEAN> NtLockFile;
1444 | typedef SneakCall<SneakHelper::hash("ZwLockProductActivationKeys"), IN OUT PULONG  OPTIONAL, OUT PULONG  OPTIONAL> NtLockProductActivationKeys;
1445 | typedef SneakCall<SneakHelper::hash("ZwLockRegistryKey"), IN HANDLE> NtLockRegistryKey;
1446 | typedef SneakCall<SneakHelper::hash("ZwLockVirtualMemory"), IN HANDLE, IN PVOID, IN PULONG, IN ULONG> NtLockVirtualMemory;
1447 | typedef SneakCall<SneakHelper::hash("ZwMakePermanentObject"), IN HANDLE> NtMakePermanentObject;
1448 | typedef SneakCall<SneakHelper::hash("ZwMakeTemporaryObject"), IN HANDLE> NtMakeTemporaryObject;
1449 | typedef SneakCall<SneakHelper::hash("ZwManagePartition"), IN HANDLE, IN HANDLE, IN MEMORY_PARTITION_INFORMATION_CLASS, IN OUT PVOID, IN ULONG> NtManagePartition;
1450 | typedef SneakCall<SneakHelper::hash("ZwMapCMFModule"), IN ULONG, IN ULONG, OUT PULONG  OPTIONAL, OUT PULONG  OPTIONAL, OUT PULONG  OPTIONAL, OUT PVOID  OPTIONAL> NtMapCMFModule;
1451 | typedef SneakCall<SneakHelper::hash("ZwMapUserPhysicalPages"), IN PVOID, IN PULONG, IN PULONG  OPTIONAL> NtMapUserPhysicalPages;
1452 | typedef SneakCall<SneakHelper::hash("ZwMapViewOfSectionEx"), IN HANDLE, IN HANDLE, IN OUT PLARGE_INTEGER, IN OUT PPVOID, IN OUT PSIZE_T, IN ULONG, IN ULONG, IN OUT PVOID  OPTIONAL, IN ULONG> NtMapViewOfSectionEx;
1453 | typedef SneakCall<SneakHelper::hash("ZwModifyBootEntry"), IN PBOOT_ENTRY> NtModifyBootEntry;
1454 | typedef SneakCall<SneakHelper::hash("ZwModifyDriverEntry"), IN PEFI_DRIVER_ENTRY> NtModifyDriverEntry;
1455 | typedef SneakCall<SneakHelper::hash("ZwNotifyChangeDirectoryFile"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, OUT PFILE_NOTIFY_INFORMATION, IN ULONG, IN ULONG, IN BOOLEAN> NtNotifyChangeDirectoryFile;
1456 | typedef SneakCall<SneakHelper::hash("ZwNotifyChangeDirectoryFileEx"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, OUT PVOID, IN ULONG, IN ULONG, IN BOOLEAN, IN DIRECTORY_NOTIFY_INFORMATION_CLASS  OPTIONAL> NtNotifyChangeDirectoryFileEx;
1457 | typedef SneakCall<SneakHelper::hash("ZwNotifyChangeKey"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN ULONG, IN BOOLEAN, OUT PVOID  OPTIONAL, IN ULONG, IN BOOLEAN> NtNotifyChangeKey;
1458 | typedef SneakCall<SneakHelper::hash("ZwNotifyChangeMultipleKeys"), IN HANDLE, IN ULONG  OPTIONAL, IN POBJECT_ATTRIBUTES  OPTIONAL, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, IN ULONG, IN BOOLEAN, OUT PVOID  OPTIONAL, IN ULONG, IN BOOLEAN> NtNotifyChangeMultipleKeys;
1459 | typedef SneakCall<SneakHelper::hash("ZwNotifyChangeSession"), IN HANDLE, IN ULONG, IN PLARGE_INTEGER, IN IO_SESSION_EVENT, IN IO_SESSION_STATE, IN IO_SESSION_STATE, IN PVOID  OPTIONAL, IN ULONG> NtNotifyChangeSession;
1460 | typedef SneakCall<SneakHelper::hash("ZwOpenEnlistment"), OUT PHANDLE, IN ACCESS_MASK, IN HANDLE, IN LPGUID, IN POBJECT_ATTRIBUTES  OPTIONAL> NtOpenEnlistment;
1461 | typedef SneakCall<SneakHelper::hash("ZwOpenEventPair"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenEventPair;
1462 | typedef SneakCall<SneakHelper::hash("ZwOpenIoCompletion"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenIoCompletion;
1463 | typedef SneakCall<SneakHelper::hash("ZwOpenJobObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenJobObject;
1464 | typedef SneakCall<SneakHelper::hash("ZwOpenKeyEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG> NtOpenKeyEx;
1465 | typedef SneakCall<SneakHelper::hash("ZwOpenKeyTransacted"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN HANDLE> NtOpenKeyTransacted;
1466 | typedef SneakCall<SneakHelper::hash("ZwOpenKeyTransactedEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG, IN HANDLE> NtOpenKeyTransactedEx;
1467 | typedef SneakCall<SneakHelper::hash("ZwOpenKeyedEvent"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenKeyedEvent;
1468 | typedef SneakCall<SneakHelper::hash("ZwOpenMutant"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenMutant;
1469 | typedef SneakCall<SneakHelper::hash("ZwOpenObjectAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN PUNICODE_STRING, IN PUNICODE_STRING, IN PSECURITY_DESCRIPTOR  OPTIONAL, IN HANDLE, IN ACCESS_MASK, IN ACCESS_MASK, IN PPRIVILEGE_SET  OPTIONAL, IN BOOLEAN, IN BOOLEAN, OUT PBOOLEAN> NtOpenObjectAuditAlarm;
1470 | typedef SneakCall<SneakHelper::hash("ZwOpenPartition"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenPartition;
1471 | typedef SneakCall<SneakHelper::hash("ZwOpenPrivateNamespace"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PVOID> NtOpenPrivateNamespace;
1472 | typedef SneakCall<SneakHelper::hash("ZwOpenProcessToken"), IN HANDLE, IN ACCESS_MASK, OUT PHANDLE> NtOpenProcessToken;
1473 | typedef SneakCall<SneakHelper::hash("ZwOpenRegistryTransaction"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenRegistryTransaction;
1474 | typedef SneakCall<SneakHelper::hash("ZwOpenResourceManager"), OUT PHANDLE, IN ACCESS_MASK, IN HANDLE, IN LPGUID  OPTIONAL, IN POBJECT_ATTRIBUTES  OPTIONAL> NtOpenResourceManager;
1475 | typedef SneakCall<SneakHelper::hash("ZwOpenSemaphore"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenSemaphore;
1476 | typedef SneakCall<SneakHelper::hash("ZwOpenSession"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenSession;
1477 | typedef SneakCall<SneakHelper::hash("ZwOpenSymbolicLinkObject"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenSymbolicLinkObject;
1478 | typedef SneakCall<SneakHelper::hash("ZwOpenThread"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN PCLIENT_ID  OPTIONAL> NtOpenThread;
1479 | typedef SneakCall<SneakHelper::hash("ZwOpenTimer"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES> NtOpenTimer;
1480 | typedef SneakCall<SneakHelper::hash("ZwOpenTransaction"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN LPGUID, IN HANDLE  OPTIONAL> NtOpenTransaction;
1481 | typedef SneakCall<SneakHelper::hash("ZwOpenTransactionManager"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PUNICODE_STRING  OPTIONAL, IN LPGUID  OPTIONAL, IN ULONG  OPTIONAL> NtOpenTransactionManager;
1482 | typedef SneakCall<SneakHelper::hash("ZwPlugPlayControl"), IN PLUGPLAY_CONTROL_CLASS, IN OUT PVOID, IN ULONG> NtPlugPlayControl;
1483 | typedef SneakCall<SneakHelper::hash("ZwPrePrepareComplete"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtPrePrepareComplete;
1484 | typedef SneakCall<SneakHelper::hash("ZwPrePrepareEnlistment"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtPrePrepareEnlistment;
1485 | typedef SneakCall<SneakHelper::hash("ZwPrepareComplete"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtPrepareComplete;
1486 | typedef SneakCall<SneakHelper::hash("ZwPrepareEnlistment"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtPrepareEnlistment;
1487 | typedef SneakCall<SneakHelper::hash("ZwPrivilegeCheck"), IN HANDLE, IN OUT PPRIVILEGE_SET, OUT PBOOLEAN> NtPrivilegeCheck;
1488 | typedef SneakCall<SneakHelper::hash("ZwPrivilegeObjectAuditAlarm"), IN PUNICODE_STRING, IN PVOID  OPTIONAL, IN HANDLE, IN ACCESS_MASK, IN PPRIVILEGE_SET, IN BOOLEAN> NtPrivilegeObjectAuditAlarm;
1489 | typedef SneakCall<SneakHelper::hash("ZwPrivilegedServiceAuditAlarm"), IN PUNICODE_STRING, IN PUNICODE_STRING, IN HANDLE, IN PPRIVILEGE_SET, IN BOOLEAN> NtPrivilegedServiceAuditAlarm;
1490 | typedef SneakCall<SneakHelper::hash("ZwPropagationComplete"), IN HANDLE, IN ULONG, IN ULONG, IN PVOID> NtPropagationComplete;
1491 | typedef SneakCall<SneakHelper::hash("ZwPropagationFailed"), IN HANDLE, IN ULONG, IN NTSTATUS> NtPropagationFailed;
1492 | typedef SneakCall<SneakHelper::hash("ZwPulseEvent"), IN HANDLE, OUT PULONG  OPTIONAL> NtPulseEvent;
1493 | typedef SneakCall<SneakHelper::hash("ZwQueryAuxiliaryCounterFrequency"), OUT PULONGLONG> NtQueryAuxiliaryCounterFrequency;
1494 | typedef SneakCall<SneakHelper::hash("ZwQueryBootEntryOrder"), OUT PULONG  OPTIONAL, IN OUT PULONG> NtQueryBootEntryOrder;
1495 | typedef SneakCall<SneakHelper::hash("ZwQueryBootOptions"), OUT PBOOT_OPTIONS  OPTIONAL, IN OUT PULONG> NtQueryBootOptions;
1496 | typedef SneakCall<SneakHelper::hash("ZwQueryDebugFilterState"), IN ULONG, IN ULONG> NtQueryDebugFilterState;
1497 | typedef SneakCall<SneakHelper::hash("ZwQueryDirectoryFileEx"), IN HANDLE, IN HANDLE  OPTIONAL, IN PIO_APC_ROUTINE  OPTIONAL, IN PVOID  OPTIONAL, OUT PIO_STATUS_BLOCK, OUT PVOID, IN ULONG, IN FILE_INFORMATION_CLASS, IN ULONG, IN PUNICODE_STRING  OPTIONAL> NtQueryDirectoryFileEx;
1498 | typedef SneakCall<SneakHelper::hash("ZwQueryDirectoryObject"), IN HANDLE, OUT PVOID  OPTIONAL, IN ULONG, IN BOOLEAN, IN BOOLEAN, IN OUT PULONG, OUT PULONG  OPTIONAL> NtQueryDirectoryObject;
1499 | typedef SneakCall<SneakHelper::hash("ZwQueryDriverEntryOrder"), IN PULONG  OPTIONAL, IN OUT PULONG> NtQueryDriverEntryOrder;
1500 | typedef SneakCall<SneakHelper::hash("ZwQueryEaFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, OUT PFILE_FULL_EA_INFORMATION, IN ULONG, IN BOOLEAN, IN PFILE_GET_EA_INFORMATION  OPTIONAL, IN ULONG, IN PULONG  OPTIONAL, IN BOOLEAN> NtQueryEaFile;
1501 | typedef SneakCall<SneakHelper::hash("ZwQueryFullAttributesFile"), IN POBJECT_ATTRIBUTES, OUT PFILE_NETWORK_OPEN_INFORMATION> NtQueryFullAttributesFile;
1502 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationAtom"), IN USHORT, IN ATOM_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationAtom;
1503 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationByName"), IN POBJECT_ATTRIBUTES, OUT PIO_STATUS_BLOCK, OUT PVOID, IN ULONG, IN FILE_INFORMATION_CLASS> NtQueryInformationByName;
1504 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationEnlistment"), IN HANDLE, IN ENLISTMENT_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationEnlistment;
1505 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationJobObject"), IN HANDLE, IN JOBOBJECTINFOCLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationJobObject;
1506 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationPort"), IN HANDLE, IN PORT_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationPort;
1507 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationResourceManager"), IN HANDLE, IN RESOURCEMANAGER_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationResourceManager;
1508 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationTransaction"), IN HANDLE, IN TRANSACTION_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationTransaction;
1509 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationTransactionManager"), IN HANDLE, IN TRANSACTIONMANAGER_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationTransactionManager;
1510 | typedef SneakCall<SneakHelper::hash("ZwQueryInformationWorkerFactory"), IN HANDLE, IN WORKERFACTORYINFOCLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryInformationWorkerFactory;
1511 | typedef SneakCall<SneakHelper::hash("ZwQueryInstallUILanguage"), OUT PLANGID> NtQueryInstallUILanguage;
1512 | typedef SneakCall<SneakHelper::hash("ZwQueryIntervalProfile"), IN KPROFILE_SOURCE, OUT PULONG> NtQueryIntervalProfile;
1513 | typedef SneakCall<SneakHelper::hash("ZwQueryIoCompletion"), IN HANDLE, IN IO_COMPLETION_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryIoCompletion;
1514 | typedef SneakCall<SneakHelper::hash("ZwQueryLicenseValue"), IN PUNICODE_STRING, OUT PULONG  OPTIONAL, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG> NtQueryLicenseValue;
1515 | typedef SneakCall<SneakHelper::hash("ZwQueryMultipleValueKey"), IN HANDLE, IN OUT PKEY_VALUE_ENTRY, IN ULONG, OUT PVOID, IN PULONG, OUT PULONG  OPTIONAL> NtQueryMultipleValueKey;
1516 | typedef SneakCall<SneakHelper::hash("ZwQueryMutant"), IN HANDLE, IN MUTANT_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQueryMutant;
1517 | typedef SneakCall<SneakHelper::hash("ZwQueryOpenSubKeys"), IN POBJECT_ATTRIBUTES, OUT PULONG> NtQueryOpenSubKeys;
1518 | typedef SneakCall<SneakHelper::hash("ZwQueryOpenSubKeysEx"), IN POBJECT_ATTRIBUTES, IN ULONG, OUT PVOID, OUT PULONG> NtQueryOpenSubKeysEx;
1519 | typedef SneakCall<SneakHelper::hash("ZwQueryPortInformationProcess")> NtQueryPortInformationProcess;
1520 | typedef SneakCall<SneakHelper::hash("ZwQueryQuotaInformationFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, OUT PFILE_USER_QUOTA_INFORMATION, IN ULONG, IN BOOLEAN, IN PFILE_QUOTA_LIST_INFORMATION  OPTIONAL, IN ULONG, IN PSID  OPTIONAL, IN BOOLEAN> NtQueryQuotaInformationFile;
1521 | typedef SneakCall<SneakHelper::hash("ZwQuerySecurityAttributesToken"), IN HANDLE, IN PUNICODE_STRING  OPTIONAL, IN ULONG, OUT PVOID, IN ULONG, OUT PULONG> NtQuerySecurityAttributesToken;
1522 | typedef SneakCall<SneakHelper::hash("ZwQuerySecurityObject"), IN HANDLE, IN SECURITY_INFORMATION, OUT PSECURITY_DESCRIPTOR  OPTIONAL, IN ULONG, OUT PULONG> NtQuerySecurityObject;
1523 | typedef SneakCall<SneakHelper::hash("ZwQuerySecurityPolicy"), IN ULONG_PTR, IN ULONG_PTR, IN ULONG_PTR, IN ULONG_PTR, IN ULONG_PTR, IN ULONG_PTR> NtQuerySecurityPolicy;
1524 | typedef SneakCall<SneakHelper::hash("ZwQuerySemaphore"), IN HANDLE, IN SEMAPHORE_INFORMATION_CLASS, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQuerySemaphore;
1525 | typedef SneakCall<SneakHelper::hash("ZwQuerySymbolicLinkObject"), IN HANDLE, IN OUT PUNICODE_STRING, OUT PULONG  OPTIONAL> NtQuerySymbolicLinkObject;
1526 | typedef SneakCall<SneakHelper::hash("ZwQuerySystemEnvironmentValue"), IN PUNICODE_STRING, OUT PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtQuerySystemEnvironmentValue;
1527 | typedef SneakCall<SneakHelper::hash("ZwQuerySystemEnvironmentValueEx"), IN PUNICODE_STRING, IN LPGUID, OUT PVOID  OPTIONAL, IN OUT PULONG, OUT PULONG  OPTIONAL> NtQuerySystemEnvironmentValueEx;
1528 | typedef SneakCall<SneakHelper::hash("ZwQuerySystemInformationEx"), IN SYSTEM_INFORMATION_CLASS, IN PVOID, IN ULONG, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG  OPTIONAL> NtQuerySystemInformationEx;
1529 | typedef SneakCall<SneakHelper::hash("ZwQueryTimerResolution"), OUT PULONG, OUT PULONG, OUT PULONG> NtQueryTimerResolution;
1530 | typedef SneakCall<SneakHelper::hash("ZwQueryWnfStateData"), IN PCWNF_STATE_NAME, IN PCWNF_TYPE_ID  OPTIONAL, IN PVOID  OPTIONAL, OUT PWNF_CHANGE_STAMP, OUT PVOID  OPTIONAL, IN OUT PULONG> NtQueryWnfStateData;
1531 | typedef SneakCall<SneakHelper::hash("ZwQueryWnfStateNameInformation"), IN PCWNF_STATE_NAME, IN PCWNF_TYPE_ID, IN PVOID  OPTIONAL, OUT PVOID, IN ULONG> NtQueryWnfStateNameInformation;
1532 | typedef SneakCall<SneakHelper::hash("ZwQueueApcThreadEx"), IN HANDLE, IN HANDLE  OPTIONAL, IN PKNORMAL_ROUTINE, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL> NtQueueApcThreadEx;
1533 | typedef SneakCall<SneakHelper::hash("ZwRaiseException"), IN PEXCEPTION_RECORD, IN PCONTEXT, IN BOOLEAN> NtRaiseException;
1534 | typedef SneakCall<SneakHelper::hash("ZwRaiseHardError"), IN NTSTATUS, IN ULONG, IN ULONG, IN PULONG_PTR, IN ULONG, OUT PULONG> NtRaiseHardError;
1535 | typedef SneakCall<SneakHelper::hash("ZwReadOnlyEnlistment"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtReadOnlyEnlistment;
1536 | typedef SneakCall<SneakHelper::hash("ZwRecoverEnlistment"), IN HANDLE, IN PVOID  OPTIONAL> NtRecoverEnlistment;
1537 | typedef SneakCall<SneakHelper::hash("ZwRecoverResourceManager"), IN HANDLE> NtRecoverResourceManager;
1538 | typedef SneakCall<SneakHelper::hash("ZwRecoverTransactionManager"), IN HANDLE> NtRecoverTransactionManager;
1539 | typedef SneakCall<SneakHelper::hash("ZwRegisterProtocolAddressInformation"), IN HANDLE, IN LPGUID, IN ULONG, IN PVOID, IN ULONG  OPTIONAL> NtRegisterProtocolAddressInformation;
1540 | typedef SneakCall<SneakHelper::hash("ZwRegisterThreadTerminatePort"), IN HANDLE> NtRegisterThreadTerminatePort;
1541 | typedef SneakCall<SneakHelper::hash("ZwReleaseKeyedEvent"), IN HANDLE, IN PVOID, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL> NtReleaseKeyedEvent;
1542 | typedef SneakCall<SneakHelper::hash("ZwReleaseWorkerFactoryWorker"), IN HANDLE> NtReleaseWorkerFactoryWorker;
1543 | typedef SneakCall<SneakHelper::hash("ZwRemoveIoCompletionEx"), IN HANDLE, OUT PFILE_IO_COMPLETION_INFORMATION, IN ULONG, OUT PULONG, IN PLARGE_INTEGER  OPTIONAL, IN BOOLEAN> NtRemoveIoCompletionEx;
1544 | typedef SneakCall<SneakHelper::hash("ZwRemoveProcessDebug"), IN HANDLE, IN HANDLE> NtRemoveProcessDebug;
1545 | typedef SneakCall<SneakHelper::hash("ZwRenameKey"), IN HANDLE, IN PUNICODE_STRING> NtRenameKey;
1546 | typedef SneakCall<SneakHelper::hash("ZwRenameTransactionManager"), IN PUNICODE_STRING, IN LPGUID> NtRenameTransactionManager;
1547 | typedef SneakCall<SneakHelper::hash("ZwReplaceKey"), IN POBJECT_ATTRIBUTES, IN HANDLE, IN POBJECT_ATTRIBUTES> NtReplaceKey;
1548 | typedef SneakCall<SneakHelper::hash("ZwReplacePartitionUnit"), IN PUNICODE_STRING, IN PUNICODE_STRING, IN ULONG> NtReplacePartitionUnit;
1549 | typedef SneakCall<SneakHelper::hash("ZwReplyWaitReplyPort"), IN HANDLE, IN OUT PPORT_MESSAGE> NtReplyWaitReplyPort;
1550 | typedef SneakCall<SneakHelper::hash("ZwRequestPort"), IN HANDLE, IN PPORT_MESSAGE> NtRequestPort;
1551 | typedef SneakCall<SneakHelper::hash("ZwResetEvent"), IN HANDLE, OUT PULONG  OPTIONAL> NtResetEvent;
1552 | typedef SneakCall<SneakHelper::hash("ZwResetWriteWatch"), IN HANDLE, IN PVOID, IN ULONG> NtResetWriteWatch;
1553 | typedef SneakCall<SneakHelper::hash("ZwRestoreKey"), IN HANDLE, IN HANDLE, IN ULONG> NtRestoreKey;
1554 | typedef SneakCall<SneakHelper::hash("ZwResumeProcess"), IN HANDLE> NtResumeProcess;
1555 | typedef SneakCall<SneakHelper::hash("ZwRevertContainerImpersonation")> NtRevertContainerImpersonation;
1556 | typedef SneakCall<SneakHelper::hash("ZwRollbackComplete"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtRollbackComplete;
1557 | typedef SneakCall<SneakHelper::hash("ZwRollbackEnlistment"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtRollbackEnlistment;
1558 | typedef SneakCall<SneakHelper::hash("ZwRollbackRegistryTransaction"), IN HANDLE, IN BOOL> NtRollbackRegistryTransaction;
1559 | typedef SneakCall<SneakHelper::hash("ZwRollbackTransaction"), IN HANDLE, IN BOOLEAN> NtRollbackTransaction;
1560 | typedef SneakCall<SneakHelper::hash("ZwRollforwardTransactionManager"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtRollforwardTransactionManager;
1561 | typedef SneakCall<SneakHelper::hash("ZwSaveKey"), IN HANDLE, IN HANDLE> NtSaveKey;
1562 | typedef SneakCall<SneakHelper::hash("ZwSaveKeyEx"), IN HANDLE, IN HANDLE, IN ULONG> NtSaveKeyEx;
1563 | typedef SneakCall<SneakHelper::hash("ZwSaveMergedKeys"), IN HANDLE, IN HANDLE, IN HANDLE> NtSaveMergedKeys;
1564 | typedef SneakCall<SneakHelper::hash("ZwSecureConnectPort"), OUT PHANDLE, IN PUNICODE_STRING, IN PSECURITY_QUALITY_OF_SERVICE, IN OUT PPORT_SECTION_WRITE  OPTIONAL, IN PSID  OPTIONAL, IN OUT PPORT_SECTION_READ  OPTIONAL, OUT PULONG  OPTIONAL, IN OUT PVOID  OPTIONAL, IN OUT PULONG  OPTIONAL> NtSecureConnectPort;
1565 | typedef SneakCall<SneakHelper::hash("ZwSerializeBoot")> NtSerializeBoot;
1566 | typedef SneakCall<SneakHelper::hash("ZwSetBootEntryOrder"), IN PULONG, IN ULONG> NtSetBootEntryOrder;
1567 | typedef SneakCall<SneakHelper::hash("ZwSetBootOptions"), IN PBOOT_OPTIONS, IN ULONG> NtSetBootOptions;
1568 | typedef SneakCall<SneakHelper::hash("ZwSetCachedSigningLevel"), IN ULONG, IN SE_SIGNING_LEVEL, IN PHANDLE, IN ULONG, IN HANDLE  OPTIONAL> NtSetCachedSigningLevel;
1569 | typedef SneakCall<SneakHelper::hash("ZwSetCachedSigningLevel2"), IN ULONG, IN ULONG, IN PHANDLE, IN ULONG, IN HANDLE  OPTIONAL, IN PVOID  OPTIONAL> NtSetCachedSigningLevel2;
1570 | typedef SneakCall<SneakHelper::hash("ZwSetContextThread"), IN HANDLE, IN PCONTEXT> NtSetContextThread;
1571 | typedef SneakCall<SneakHelper::hash("ZwSetDebugFilterState"), IN ULONG, IN ULONG, IN BOOLEAN> NtSetDebugFilterState;
1572 | typedef SneakCall<SneakHelper::hash("ZwSetDefaultHardErrorPort"), IN HANDLE> NtSetDefaultHardErrorPort;
1573 | typedef SneakCall<SneakHelper::hash("ZwSetDefaultLocale"), IN BOOLEAN, IN LCID> NtSetDefaultLocale;
1574 | typedef SneakCall<SneakHelper::hash("ZwSetDefaultUILanguage"), IN LANGID> NtSetDefaultUILanguage;
1575 | typedef SneakCall<SneakHelper::hash("ZwSetDriverEntryOrder"), IN PULONG, IN PULONG> NtSetDriverEntryOrder;
1576 | typedef SneakCall<SneakHelper::hash("ZwSetEaFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, IN PFILE_FULL_EA_INFORMATION, IN ULONG> NtSetEaFile;
1577 | typedef SneakCall<SneakHelper::hash("ZwSetHighEventPair"), IN HANDLE> NtSetHighEventPair;
1578 | typedef SneakCall<SneakHelper::hash("ZwSetHighWaitLowEventPair"), IN HANDLE> NtSetHighWaitLowEventPair;
1579 | typedef SneakCall<SneakHelper::hash("ZwSetIRTimer"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtSetIRTimer;
1580 | typedef SneakCall<SneakHelper::hash("ZwSetInformationDebugObject"), IN HANDLE, IN DEBUGOBJECTINFOCLASS, IN PVOID, IN ULONG, OUT PULONG  OPTIONAL> NtSetInformationDebugObject;
1581 | typedef SneakCall<SneakHelper::hash("ZwSetInformationEnlistment"), IN HANDLE, IN ENLISTMENT_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationEnlistment;
1582 | typedef SneakCall<SneakHelper::hash("ZwSetInformationJobObject"), IN HANDLE, IN JOBOBJECTINFOCLASS, IN PVOID, IN ULONG> NtSetInformationJobObject;
1583 | typedef SneakCall<SneakHelper::hash("ZwSetInformationKey"), IN HANDLE, IN KEY_SET_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationKey;
1584 | typedef SneakCall<SneakHelper::hash("ZwSetInformationResourceManager"), IN HANDLE, IN RESOURCEMANAGER_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationResourceManager;
1585 | typedef SneakCall<SneakHelper::hash("ZwSetInformationSymbolicLink"), IN HANDLE, IN ULONG, IN PVOID, IN ULONG> NtSetInformationSymbolicLink;
1586 | typedef SneakCall<SneakHelper::hash("ZwSetInformationToken"), IN HANDLE, IN TOKEN_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationToken;
1587 | typedef SneakCall<SneakHelper::hash("ZwSetInformationTransaction"), IN HANDLE, IN TRANSACTIONMANAGER_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationTransaction;
1588 | typedef SneakCall<SneakHelper::hash("ZwSetInformationTransactionManager"), IN HANDLE, IN TRANSACTION_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetInformationTransactionManager;
1589 | typedef SneakCall<SneakHelper::hash("ZwSetInformationVirtualMemory"), IN HANDLE, IN VIRTUAL_MEMORY_INFORMATION_CLASS, IN ULONG_PTR, IN PMEMORY_RANGE_ENTRY, IN PVOID, IN ULONG> NtSetInformationVirtualMemory;
1590 | typedef SneakCall<SneakHelper::hash("ZwSetInformationWorkerFactory"), IN HANDLE, IN WORKERFACTORYINFOCLASS, IN PVOID, IN ULONG> NtSetInformationWorkerFactory;
1591 | typedef SneakCall<SneakHelper::hash("ZwSetIntervalProfile"), IN ULONG, IN KPROFILE_SOURCE> NtSetIntervalProfile;
1592 | typedef SneakCall<SneakHelper::hash("ZwSetIoCompletion"), IN HANDLE, IN ULONG, OUT PIO_STATUS_BLOCK, IN NTSTATUS, IN ULONG> NtSetIoCompletion;
1593 | typedef SneakCall<SneakHelper::hash("ZwSetIoCompletionEx"), IN HANDLE, IN HANDLE, IN PVOID  OPTIONAL, IN PVOID  OPTIONAL, IN NTSTATUS, IN ULONG_PTR> NtSetIoCompletionEx;
1594 | typedef SneakCall<SneakHelper::hash("ZwSetLdtEntries"), IN ULONG, IN ULONG, IN ULONG, IN ULONG, IN ULONG, IN ULONG> NtSetLdtEntries;
1595 | typedef SneakCall<SneakHelper::hash("ZwSetLowEventPair"), IN HANDLE> NtSetLowEventPair;
1596 | typedef SneakCall<SneakHelper::hash("ZwSetLowWaitHighEventPair"), IN HANDLE> NtSetLowWaitHighEventPair;
1597 | typedef SneakCall<SneakHelper::hash("ZwSetQuotaInformationFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, IN PFILE_USER_QUOTA_INFORMATION, IN ULONG> NtSetQuotaInformationFile;
1598 | typedef SneakCall<SneakHelper::hash("ZwSetSecurityObject"), IN HANDLE, IN SECURITY_INFORMATION, IN PSECURITY_DESCRIPTOR> NtSetSecurityObject;
1599 | typedef SneakCall<SneakHelper::hash("ZwSetSystemEnvironmentValue"), IN PUNICODE_STRING, IN PUNICODE_STRING> NtSetSystemEnvironmentValue;
1600 | typedef SneakCall<SneakHelper::hash("ZwSetSystemEnvironmentValueEx"), IN PUNICODE_STRING, IN LPGUID, IN PVOID  OPTIONAL, IN ULONG, IN ULONG> NtSetSystemEnvironmentValueEx;
1601 | typedef SneakCall<SneakHelper::hash("ZwSetSystemInformation"), IN SYSTEM_INFORMATION_CLASS, IN PVOID, IN ULONG> NtSetSystemInformation;
1602 | typedef SneakCall<SneakHelper::hash("ZwSetSystemPowerState"), IN POWER_ACTION, IN SYSTEM_POWER_STATE, IN ULONG> NtSetSystemPowerState;
1603 | typedef SneakCall<SneakHelper::hash("ZwSetSystemTime"), IN PLARGE_INTEGER, OUT PLARGE_INTEGER  OPTIONAL> NtSetSystemTime;
1604 | typedef SneakCall<SneakHelper::hash("ZwSetThreadExecutionState"), IN EXECUTION_STATE, OUT PEXECUTION_STATE> NtSetThreadExecutionState;
1605 | typedef SneakCall<SneakHelper::hash("ZwSetTimer2"), IN HANDLE, IN PLARGE_INTEGER, IN PLARGE_INTEGER  OPTIONAL, IN PT2_SET_PARAMETERS> NtSetTimer2;
1606 | typedef SneakCall<SneakHelper::hash("ZwSetTimerEx"), IN HANDLE, IN TIMER_SET_INFORMATION_CLASS, IN OUT PVOID  OPTIONAL, IN ULONG> NtSetTimerEx;
1607 | typedef SneakCall<SneakHelper::hash("ZwSetTimerResolution"), IN ULONG, IN BOOLEAN, OUT PULONG> NtSetTimerResolution;
1608 | typedef SneakCall<SneakHelper::hash("ZwSetUuidSeed"), IN PUCHAR> NtSetUuidSeed;
1609 | typedef SneakCall<SneakHelper::hash("ZwSetVolumeInformationFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, IN PVOID, IN ULONG, IN FSINFOCLASS> NtSetVolumeInformationFile;
1610 | typedef SneakCall<SneakHelper::hash("ZwSetWnfProcessNotificationEvent"), IN HANDLE> NtSetWnfProcessNotificationEvent;
1611 | typedef SneakCall<SneakHelper::hash("ZwShutdownSystem"), IN SHUTDOWN_ACTION> NtShutdownSystem;
1612 | typedef SneakCall<SneakHelper::hash("ZwShutdownWorkerFactory"), IN HANDLE, IN OUT PLONG> NtShutdownWorkerFactory;
1613 | typedef SneakCall<SneakHelper::hash("ZwSignalAndWaitForSingleObject"), IN HANDLE, IN HANDLE, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL> NtSignalAndWaitForSingleObject;
1614 | typedef SneakCall<SneakHelper::hash("ZwSinglePhaseReject"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtSinglePhaseReject;
1615 | typedef SneakCall<SneakHelper::hash("ZwStartProfile"), IN HANDLE> NtStartProfile;
1616 | typedef SneakCall<SneakHelper::hash("ZwStopProfile"), IN HANDLE> NtStopProfile;
1617 | typedef SneakCall<SneakHelper::hash("ZwSubscribeWnfStateChange"), IN PCWNF_STATE_NAME, IN WNF_CHANGE_STAMP  OPTIONAL, IN ULONG, OUT PLARGE_INTEGER  OPTIONAL> NtSubscribeWnfStateChange;
1618 | typedef SneakCall<SneakHelper::hash("ZwSuspendProcess"), IN HANDLE> NtSuspendProcess;
1619 | typedef SneakCall<SneakHelper::hash("ZwSuspendThread"), IN HANDLE, OUT PULONG> NtSuspendThread;
1620 | typedef SneakCall<SneakHelper::hash("ZwSystemDebugControl"), IN DEBUG_CONTROL_CODE, IN PVOID  OPTIONAL, IN ULONG, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG  OPTIONAL> NtSystemDebugControl;
1621 | typedef SneakCall<SneakHelper::hash("ZwTerminateEnclave"), IN PVOID, IN BOOLEAN> NtTerminateEnclave;
1622 | typedef SneakCall<SneakHelper::hash("ZwTerminateJobObject"), IN HANDLE, IN NTSTATUS> NtTerminateJobObject;
1623 | typedef SneakCall<SneakHelper::hash("ZwTestAlert")> NtTestAlert;
1624 | typedef SneakCall<SneakHelper::hash("ZwThawRegistry")> NtThawRegistry;
1625 | typedef SneakCall<SneakHelper::hash("ZwThawTransactions")> NtThawTransactions;
1626 | typedef SneakCall<SneakHelper::hash("ZwTraceControl"), IN ULONG, IN PVOID  OPTIONAL, IN ULONG, OUT PVOID  OPTIONAL, IN ULONG, OUT PULONG> NtTraceControl;
1627 | typedef SneakCall<SneakHelper::hash("ZwTranslateFilePath"), IN PFILE_PATH, IN ULONG, OUT PFILE_PATH  OPTIONAL, IN OUT PULONG  OPTIONAL> NtTranslateFilePath;
1628 | typedef SneakCall<SneakHelper::hash("ZwUmsThreadYield"), IN PVOID> NtUmsThreadYield;
1629 | typedef SneakCall<SneakHelper::hash("ZwUnloadDriver"), IN PUNICODE_STRING> NtUnloadDriver;
1630 | typedef SneakCall<SneakHelper::hash("ZwUnloadKey"), IN POBJECT_ATTRIBUTES> NtUnloadKey;
1631 | typedef SneakCall<SneakHelper::hash("ZwUnloadKey2"), IN POBJECT_ATTRIBUTES, IN ULONG> NtUnloadKey2;
1632 | typedef SneakCall<SneakHelper::hash("ZwUnloadKeyEx"), IN POBJECT_ATTRIBUTES, IN HANDLE  OPTIONAL> NtUnloadKeyEx;
1633 | typedef SneakCall<SneakHelper::hash("ZwUnlockFile"), IN HANDLE, OUT PIO_STATUS_BLOCK, IN PULARGE_INTEGER, IN PULARGE_INTEGER, IN ULONG> NtUnlockFile;
1634 | typedef SneakCall<SneakHelper::hash("ZwUnlockVirtualMemory"), IN HANDLE, IN PVOID *, IN PSIZE_T, IN ULONG> NtUnlockVirtualMemory;
1635 | typedef SneakCall<SneakHelper::hash("ZwUnmapViewOfSectionEx"), IN HANDLE, IN PVOID  OPTIONAL, IN ULONG> NtUnmapViewOfSectionEx;
1636 | typedef SneakCall<SneakHelper::hash("ZwUnsubscribeWnfStateChange"), IN PCWNF_STATE_NAME> NtUnsubscribeWnfStateChange;
1637 | typedef SneakCall<SneakHelper::hash("ZwUpdateWnfStateData"), IN PCWNF_STATE_NAME, IN PVOID  OPTIONAL, IN ULONG  OPTIONAL, IN PCWNF_TYPE_ID  OPTIONAL, IN PVOID  OPTIONAL, IN WNF_CHANGE_STAMP, IN ULONG> NtUpdateWnfStateData;
1638 | typedef SneakCall<SneakHelper::hash("ZwVdmControl"), IN VDMSERVICECLASS, IN OUT PVOID> NtVdmControl;
1639 | typedef SneakCall<SneakHelper::hash("ZwWaitForAlertByThreadId"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtWaitForAlertByThreadId;
1640 | typedef SneakCall<SneakHelper::hash("ZwWaitForDebugEvent"), IN HANDLE, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL, OUT PVOID> NtWaitForDebugEvent;
1641 | typedef SneakCall<SneakHelper::hash("ZwWaitForKeyedEvent"), IN HANDLE, IN PVOID, IN BOOLEAN, IN PLARGE_INTEGER  OPTIONAL> NtWaitForKeyedEvent;
1642 | typedef SneakCall<SneakHelper::hash("ZwWaitForWorkViaWorkerFactory"), IN HANDLE, OUT PVOID> NtWaitForWorkViaWorkerFactory;
1643 | typedef SneakCall<SneakHelper::hash("ZwWaitHighEventPair"), IN HANDLE> NtWaitHighEventPair;
1644 | typedef SneakCall<SneakHelper::hash("ZwWaitLowEventPair"), IN HANDLE> NtWaitLowEventPair;
1645 | typedef SneakCall<SneakHelper::hash("ZwAcquireCMFViewOwnership"), OUT BOOLEAN, OUT BOOLEAN, IN BOOLEAN> NtAcquireCMFViewOwnership;
1646 | typedef SneakCall<SneakHelper::hash("ZwCancelDeviceWakeupRequest"), IN HANDLE> NtCancelDeviceWakeupRequest;
1647 | typedef SneakCall<SneakHelper::hash("ZwClearAllSavepointsTransaction"), IN HANDLE> NtClearAllSavepointsTransaction;
1648 | typedef SneakCall<SneakHelper::hash("ZwClearSavepointTransaction"), IN HANDLE, IN ULONG> NtClearSavepointTransaction;
1649 | typedef SneakCall<SneakHelper::hash("ZwRollbackSavepointTransaction"), IN HANDLE, IN ULONG> NtRollbackSavepointTransaction;
1650 | typedef SneakCall<SneakHelper::hash("ZwSavepointTransaction"), IN HANDLE, IN BOOLEAN, OUT ULONG> NtSavepointTransaction;
1651 | typedef SneakCall<SneakHelper::hash("ZwSavepointComplete"), IN HANDLE, IN PLARGE_INTEGER  OPTIONAL> NtSavepointComplete;
1652 | typedef SneakCall<SneakHelper::hash("ZwCreateSectionEx"), OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES  OPTIONAL, IN PLARGE_INTEGER  OPTIONAL, IN ULONG, IN ULONG, IN HANDLE  OPTIONAL, IN PMEM_EXTENDED_PARAMETER, IN ULONG> NtCreateSectionEx;
1653 | typedef SneakCall<SneakHelper::hash("ZwCreateCrossVmEvent")> NtCreateCrossVmEvent;
1654 | typedef SneakCall<SneakHelper::hash("ZwGetPlugPlayEvent"), IN HANDLE, IN PVOID  OPTIONAL, OUT PPLUGPLAY_EVENT_BLOCK, IN ULONG> NtGetPlugPlayEvent;
1655 | typedef SneakCall<SneakHelper::hash("ZwListTransactions")> NtListTransactions;
1656 | typedef SneakCall<SneakHelper::hash("ZwMarshallTransaction")> NtMarshallTransaction;
1657 | typedef SneakCall<SneakHelper::hash("ZwPullTransaction")> NtPullTransaction;
1658 | typedef SneakCall<SneakHelper::hash("ZwReleaseCMFViewOwnership")> NtReleaseCMFViewOwnership;
1659 | typedef SneakCall<SneakHelper::hash("ZwWaitForWnfNotifications")> NtWaitForWnfNotifications;
1660 | typedef SneakCall<SneakHelper::hash("ZwStartTm")> NtStartTm;
1661 | typedef SneakCall<SneakHelper::hash("ZwSetInformationProcess"), IN HANDLE, IN PROCESSINFOCLASS, IN PVOID, IN ULONG> NtSetInformationProcess;
1662 | typedef SneakCall<SneakHelper::hash("ZwRequestDeviceWakeup"), IN HANDLE> NtRequestDeviceWakeup;
1663 | typedef SneakCall<SneakHelper::hash("ZwRequestWakeupLatency"), IN ULONG> NtRequestWakeupLatency;
1664 | typedef SneakCall<SneakHelper::hash("ZwQuerySystemTime"), OUT PLARGE_INTEGER> NtQuerySystemTime;
1665 | typedef SneakCall<SneakHelper::hash("ZwManageHotPatch"), IN ULONG, IN ULONG, IN ULONG, IN ULONG> NtManageHotPatch;
1666 | typedef SneakCall<SneakHelper::hash("ZwContinueEx"), IN PCONTEXT, IN PKCONTINUE_ARGUMENT> NtContinueEx;


--------------------------------------------------------------------------------