├── .gitignore ├── FilterKeys.reg ├── 2023-01 Silhouette Shmoocon Presentation.pdf ├── phnt ├── zw_options.txt ├── include │ ├── ntsmss.h │ ├── ntnls.h │ ├── ntxcapi.h │ ├── phnt.h │ ├── subprocesstag.h │ ├── phnt_windows.h │ ├── ntmisc.h │ ├── ntkeapi.h │ ├── ntgdi.h │ ├── ntpnpapi.h │ ├── ntdbg.h │ ├── ntpfapi.h │ ├── phnt_ntdef.h │ ├── nttp.h │ ├── ntobapi.h │ ├── nttmapi.h │ ├── ntpebteb.h │ ├── ntregapi.h │ ├── ntwow64.h │ └── ntpoapi.h ├── LICENSE.txt └── README.md ├── Silhouette ├── phnt_subset.h ├── Filter.h ├── Silhouette.vcxproj.filters ├── Silhouette.h ├── Filter_Create.cpp ├── Filter_Read.cpp ├── Silhouette.cpp ├── Silhouette.vcxproj ├── Utils.cpp └── Filter_Main.cpp ├── Silhouette.sln ├── README.md └── LICENSE.txt /.gitignore: -------------------------------------------------------------------------------- 1 | .vs 2 | x64 3 | -------------------------------------------------------------------------------- /FilterKeys.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/Silhouette/HEAD/FilterKeys.reg -------------------------------------------------------------------------------- /2023-01 Silhouette Shmoocon Presentation.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/Silhouette/HEAD/2023-01 Silhouette Shmoocon Presentation.pdf -------------------------------------------------------------------------------- /phnt/zw_options.txt: -------------------------------------------------------------------------------- 1 | base=include 2 | in=ntdbg.h;ntexapi.h;ntgdi.h;ntioapi.h;ntkeapi.h;ntldr.h;ntlpcapi.h;ntmisc.h;ntmmapi.h;ntnls.h;ntobapi.h;ntpebteb.h;ntpfapi.h;ntpnpapi.h;ntpoapi.h;ntpsapi.h;ntregapi.h;ntrtl.h;ntsam.h;ntseapi.h;nttmapi.h;nttp.h;ntwow64.h;ntxcapi.h 3 | out=ntzwapi.h 4 | header=#ifndef _NTZWAPI_H\r\n#define _NTZWAPI_H\r\n\r\n// This file was automatically generated. 
Do not edit.\r\n\r\n 5 | footer=#endif\r\n -------------------------------------------------------------------------------- /phnt/include/ntsmss.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Windows Session Manager support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTSMSS_H 8 | #define _NTSMSS_H 9 | 10 | NTSYSAPI 11 | NTSTATUS 12 | NTAPI 13 | RtlConnectToSm( 14 | _In_ PUNICODE_STRING ApiPortName, 15 | _In_ HANDLE ApiPortHandle, 16 | _In_ DWORD ProcessImageType, 17 | _Out_ PHANDLE SmssConnection 18 | ); 19 | 20 | NTSYSAPI 21 | NTSTATUS 22 | NTAPI 23 | RtlSendMsgToSm( 24 | _In_ HANDLE ApiPortHandle, 25 | _In_ PPORT_MESSAGE MessageData 26 | ); 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /phnt/include/ntnls.h: -------------------------------------------------------------------------------- 1 | /* 2 | * National Language Support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTNLS_H 8 | #define _NTNLS_H 9 | 10 | #define MAXIMUM_LEADBYTES 12 11 | 12 | typedef struct _CPTABLEINFO 13 | { 14 | USHORT CodePage; 15 | USHORT MaximumCharacterSize; 16 | USHORT DefaultChar; 17 | USHORT UniDefaultChar; 18 | USHORT TransDefaultChar; 19 | USHORT TransUniDefaultChar; 20 | USHORT DBCSCodePage; 21 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; 22 | PUSHORT MultiByteTable; 23 | PVOID WideCharTable; 24 | PUSHORT DBCSRanges; 25 | PUSHORT DBCSOffsets; 26 | } CPTABLEINFO, *PCPTABLEINFO; 27 | 28 | typedef struct _NLSTABLEINFO 29 | { 30 | CPTABLEINFO OemTableInfo; 31 | CPTABLEINFO AnsiTableInfo; 32 | PUSHORT UpperCaseTable; 33 | PUSHORT LowerCaseTable; 34 | } NLSTABLEINFO, *PNLSTABLEINFO; 35 | 36 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 37 | NTSYSAPI USHORT NlsAnsiCodePage; 38 | NTSYSAPI BOOLEAN NlsMbCodePageTag; 39 | NTSYSAPI BOOLEAN NlsMbOemCodePageTag; 40 | #endif 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /phnt/LICENSE.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Winsider Seminars & Solutions, Inc. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /phnt/README.md: -------------------------------------------------------------------------------- 1 | This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See `phnt.h` for more information. 2 | 3 | ## Usage 4 | 5 | First make sure that your program is using the latest Windows SDK. 6 | 7 | These header files are designed to be used by user-mode programs. Instead of `#include <windows.h>`, place 8 | 9 | ``` 10 | #include <phnt_windows.h> 11 | #include <phnt.h> 12 | ``` 13 | 14 | at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. Which definitions are included is controlled by `PHNT_VERSION`; note that the copy of `phnt.h` vendored in this tree defaults `PHNT_VERSION` to `PHNT_WIN11` (see the `#ifndef PHNT_VERSION` block in `phnt.h`), so definitions up to Windows 11 are included by default — the upstream README's statement that only Windows XP definitions are included by default no longer matches the header. 
To change this, use one of the following: 15 | 16 | ``` 17 | #define PHNT_VERSION PHNT_WINXP // Windows XP 18 | #define PHNT_VERSION PHNT_WS03 // Windows Server 2003 19 | #define PHNT_VERSION PHNT_VISTA // Windows Vista 20 | #define PHNT_VERSION PHNT_WIN7 // Windows 7 21 | #define PHNT_VERSION PHNT_WIN8 // Windows 8 22 | #define PHNT_VERSION PHNT_WINBLUE // Windows 8.1 23 | #define PHNT_VERSION PHNT_THRESHOLD // Windows 10 24 | ``` 25 | -------------------------------------------------------------------------------- /Silhouette/phnt_subset.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define PHNT_MODE PHNT_MODE_KERNEL 4 | #include 5 | #include 6 | #include 7 | 8 | // These are from phnt's ntzwapi.h but easier to compile with the WDK 9 | 10 | #ifdef __cplusplus 11 | extern "C" { 12 | #endif 13 | 14 | NTSYSCALLAPI 15 | NTSTATUS 16 | NTAPI 17 | ZwSetInformationProcess( 18 | _In_ HANDLE ProcessHandle, 19 | _In_ PROCESSINFOCLASS ProcessInformationClass, 20 | _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, 21 | _In_ ULONG ProcessInformationLength 22 | ); 23 | 24 | NTSYSCALLAPI 25 | NTSTATUS 26 | NTAPI 27 | ZwQueryInformationProcess( 28 | _In_ HANDLE ProcessHandle, 29 | _In_ PROCESSINFOCLASS ProcessInformationClass, 30 | _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, 31 | _In_ ULONG ProcessInformationLength, 32 | _Out_opt_ PULONG ReturnLength 33 | ); 34 | 35 | NTSYSCALLAPI 36 | NTSTATUS 37 | NTAPI 38 | ZwSetSystemInformation( 39 | _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, 40 | _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation, 41 | _In_ ULONG SystemInformationLength 42 | ); 43 | 44 | NTSYSCALLAPI 45 | NTSTATUS 46 | NTAPI 47 | ZwQuerySystemInformation( 48 | _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, 49 | _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, 50 | _In_ ULONG SystemInformationLength, 51 | 
_Out_opt_ PULONG ReturnLength 52 | ); 53 | } 54 | -------------------------------------------------------------------------------- /Silhouette/Filter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Silhouette.h" 4 | 5 | extern PFLT_FILTER gpFilter; 6 | extern FILE_ID_INFORMATION gProtectedFiles[1]; 7 | 8 | NTSTATUS 9 | RegisterFilter(_In_ PDRIVER_OBJECT pDriverObject); 10 | 11 | VOID 12 | UnregisterFilter(); 13 | 14 | NTSTATUS 15 | FilterUnload( 16 | _In_ FLT_FILTER_UNLOAD_FLAGS Flags 17 | ); 18 | 19 | NTSTATUS InstanceSetupCallback( 20 | PCFLT_RELATED_OBJECTS FltObjects, 21 | FLT_INSTANCE_SETUP_FLAGS Flags, 22 | DEVICE_TYPE VolumeDeviceType, 23 | FLT_FILESYSTEM_TYPE VolumeFilesystemType 24 | ); 25 | 26 | NTSTATUS 27 | QueryTeardown( 28 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 29 | _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags 30 | ); 31 | 32 | FLT_PREOP_CALLBACK_STATUS 33 | PreCreateCallback( 34 | _Inout_ PFLT_CALLBACK_DATA Data, 35 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 36 | _Flt_CompletionContext_Outptr_ PVOID* CompletionContext 37 | ); 38 | 39 | FLT_POSTOP_CALLBACK_STATUS 40 | PostCreateCallback( 41 | _Inout_ PFLT_CALLBACK_DATA Data, 42 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 43 | _In_ PVOID CompletionContext, 44 | _In_ FLT_POST_OPERATION_FLAGS Flags 45 | ); 46 | 47 | FLT_PREOP_CALLBACK_STATUS 48 | PreReadCallback( 49 | _Inout_ PFLT_CALLBACK_DATA Data, 50 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 51 | _Flt_CompletionContext_Outptr_ PVOID* CompletionContext 52 | ); 53 | 54 | FLT_POSTOP_CALLBACK_STATUS 55 | PostReadCallback( 56 | _Inout_ PFLT_CALLBACK_DATA Data, 57 | _In_ PCFLT_RELATED_OBJECTS FltObjects, 58 | _In_ PVOID CompletionContext, 59 | _In_ FLT_POST_OPERATION_FLAGS Flags 60 | ); 61 | -------------------------------------------------------------------------------- /Silhouette.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual 
Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.32901.82 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Silhouette", "Silhouette\Silhouette.vcxproj", "{A4148283-ECBB-4B7F-A0ED-936529157761}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Debug|x64.ActiveCfg = Debug|x64 17 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Debug|x64.Build.0 = Debug|x64 18 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Debug|x64.Deploy.0 = Debug|x64 19 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Debug|x86.ActiveCfg = Debug|Win32 20 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Debug|x86.Build.0 = Debug|Win32 21 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Debug|x86.Deploy.0 = Debug|Win32 22 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Release|x64.ActiveCfg = Release|x64 23 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Release|x64.Build.0 = Release|x64 24 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Release|x64.Deploy.0 = Release|x64 25 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Release|x86.ActiveCfg = Release|Win32 26 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Release|x86.Build.0 = Release|Win32 27 | {A4148283-ECBB-4B7F-A0ED-936529157761}.Release|x86.Deploy.0 = Release|Win32 28 | EndGlobalSection 29 | GlobalSection(SolutionProperties) = preSolution 30 | HideSolutionNode = FALSE 31 | EndGlobalSection 32 | GlobalSection(ExtensibilityGlobals) = postSolution 33 | SolutionGuid = {C4E27154-63FC-44C1-9508-80488964564F} 34 | EndGlobalSection 35 | EndGlobal 36 | -------------------------------------------------------------------------------- /Silhouette/Silhouette.vcxproj.filters: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | {665c30d8-7894-450a-a2e8-9de689b9bcf6} 22 | 23 | 24 | 25 | 26 | Source Files 27 | 28 | 29 | Source Files 30 | 31 | 32 | Source Files\Filter 33 | 34 | 35 | Source Files\Filter 36 | 37 | 38 | Source Files\Filter 39 | 40 | 41 | 42 | 43 | Header Files 44 | 45 | 46 | Header Files 47 | 48 | 49 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Silhouette 2 | 3 | By [Gabriel Landau](https://twitter.com/GabrielLandau) and [Mark Mager](https://twitter.com/magerbomb) at [Elastic Security](https://www.elastic.co/security-labs/). 4 | 5 | From [_Hide Your Valuables — Mitigating Physical Credential Dumping Attacks_](https://www.youtube.com/watch?v=NnM9HvDping&t=22652s) presented at [Shmoocon 2023](https://shmoocon.org/). Slides [here](2023-01%20Silhouette%20Shmoocon%20Presentation.pdf). 6 | 7 | ### Keeping LSA secrets out of physical memory 8 | 9 | Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS. It does this in three ways: 10 | 11 | 1. Aggressively flush LSASS's pages from RAM to disk. 12 | 2. Block raw disk access within the boot volume, preventing raw copy attacks against `pagefile.sys` and `hiberfil.sys` (e.g. [Invoke-NinjaCopy](https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/Exfiltration%5CInvoke-NinjaCopy.ps1)). 13 | 3. 
Block `FILE_READ_DATA` for `pagefile.sys` in all Volume Shadow Copy snapshots to block access with tools like [hobocopy](https://github.com/candera/hobocopy). 14 | 15 | *It is highly recommended to enable RunAsPPL before using Silhouette.* The three mechanisms above only address credential dumping from physical memory (RAM, the pagefile and the hibernation file); they do not restrict reading LSASS's memory through a process handle, which is what RunAsPPL (LSA Protection) is for, so the two are complementary. 16 | 17 | ## Building and running it 18 | 19 | **This is a proof of concept. Use it at your own risk.** 20 | 21 | 1. Compile Silhouette.sln with Visual Studio 2019. The WDK is required. This was originally developed with the [Win11 21H2 WDK](https://learn.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads#step-2-install-the-wdk). 22 | 2. Enable [Test Signing](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option). This relaxes kernel-mode driver-signature enforcement so that test-signed drivers can load; do it only on a lab machine, not on a host you rely on. 23 | 3. Register the service (run this from the directory containing the built `Silhouette.sys`, since `%CD%` expands to the current directory and the path is stored as-is): 24 | ``` 25 | sc create Silhouette type= filesys start= demand binpath= %CD%\Silhouette.sys 26 | ``` 27 | 4. Add Minifilter keys: 28 | ``` 29 | reg import FilterKeys.reg 30 | ``` 31 | 5. Start the service: 32 | ``` 33 | sc start Silhouette 34 | ``` 35 | 36 | 37 | # License 38 | 39 | Silhouette is covered by the [ELv2 license](LICENSE.txt). It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer under the [MIT license](phnt/LICENSE.txt). 
40 | -------------------------------------------------------------------------------- /Silhouette/Silhouette.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning(disable: 4201) // warning C4201: nonstandard extension used: nameless struct/union 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "phnt_subset.h" 10 | 11 | #include "Filter.h" 12 | 13 | #define POOL_TAG 'PASL' 14 | 15 | #define ONCE __pragma( warning(push) ) \ 16 | __pragma( warning(disable:4127) ) \ 17 | while( 0 ) \ 18 | __pragma( warning(pop) ) 19 | 20 | #define ReferenceDelete(_x) \ 21 | do{ \ 22 | if( (_x) != NULL ) \ 23 | { \ 24 | ObDereferenceObject(_x); \ 25 | (_x) = NULL; \ 26 | } \ 27 | } ONCE 28 | 29 | #define HandleDelete(_x) \ 30 | do{ \ 31 | if( (_x) != NULL ) \ 32 | { \ 33 | ZwClose(_x); \ 34 | (_x) = NULL; \ 35 | } \ 36 | } ONCE 37 | 38 | #define PoolDeleteWithTag(_x, _tag)\ 39 | do{ \ 40 | if( (_x) != NULL ) \ 41 | { \ 42 | ExFreePoolWithTag( (_x), (_tag) ); \ 43 | (_x) = NULL; \ 44 | } \ 45 | } ONCE 46 | 47 | // NTQSI truncates high bits off the handle, hiding the fact that it's a kernel handle 48 | #define MAKE_KERNEL_HANDLE(__h) (HANDLE)((ULONG_PTR)(__h) | 0xFFFFFFFF80000000) 49 | 50 | extern HANDLE ghLsass; 51 | extern ULONG gLsaPid; 52 | extern PDRIVER_OBJECT gpDriverObject; 53 | extern KEVENT gWorkerThreadSignal; 54 | 55 | EXTERN_C 56 | NTKERNELAPI 57 | BOOLEAN 58 | NTAPI 59 | PsIsProtectedProcessLight( 60 | _In_ PEPROCESS Process 61 | ); 62 | 63 | _Must_inspect_result_ 64 | _IRQL_requires_(PASSIVE_LEVEL) 65 | NTSTATUS 66 | GetRegistryValue( 67 | _In_ PCUNICODE_STRING pKeyPath, 68 | _In_ PCUNICODE_STRING pValueName, 69 | _In_ ULONG expectedType, 70 | _Inout_ PVOID pValue, 71 | _In_ ULONG valueSize 72 | ); 73 | 74 | _Must_inspect_result_ 75 | _IRQL_requires_(PASSIVE_LEVEL) 76 | NTSTATUS 77 | GetRegistryDword( 78 | _In_ PCUNICODE_STRING pKeyPath, 79 | _In_ PCUNICODE_STRING pValueName, 80 | 
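_Out_ PULONG pValue
);

PVOID GetSystemProcAddress(PCWCHAR pFunctionName);

NTSTATUS EmptyWorkingSet(BOOLEAN bAllowAsync);

NTSTATUS EmptyWorkingSetAsync();

NTSTATUS SetQuotaLimits(HANDLE hProcess);

NTSTATUS PurgeModifiedAndStandbyLists();
--------------------------------------------------------------------------------
/Silhouette/Filter_Create.cpp:
--------------------------------------------------------------------------------
#include "Silhouette.h"

//
// Pre-create callback.
//
// Decides whether an IRP_MJ_CREATE needs a post-create look. Only opens that
// could end up with read access to file data are passed on to
// PostCreateCallback; everything else completes without a post callback.
//
// Data              - the create operation (RequestorMode, desired access).
// FltObjects        - unused.
// CompletionContext - unused; no context is handed to the post callback.
//
// Returns FLT_PREOP_SUCCESS_WITH_CALLBACK when the post callback must run,
// FLT_PREOP_SUCCESS_NO_CALLBACK otherwise. The open is never failed here.
//
FLT_PREOP_CALLBACK_STATUS
PreCreateCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID* CompletionContext
)
{
    FLT_PREOP_CALLBACK_STATUS cbStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
    ACCESS_MASK desiredAccess = 0;

    UNREFERENCED_PARAMETER(CompletionContext);
    UNREFERENCED_PARAMETER(FltObjects);

    // Ignore kernel-mode callers unless they explicitly asked for a full
    // access check (SL_FORCE_ACCESS_CHECK), in which case treat them as user mode.
    if ((KernelMode == Data->RequestorMode) && !FlagOn(Data->Iopb->OperationFlags, SL_FORCE_ACCESS_CHECK))
    {
        goto Cleanup;
    }

    desiredAccess = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;

    // We only care about opens that can read file data. FILE_READ_DATA is the
    // obvious case. MAXIMUM_ALLOWED must be caught too: such an open carries no
    // FILE_READ_DATA bit, yet is granted read access whenever the caller's token
    // permits it, so testing FILE_READ_DATA alone lets it slip past the post
    // callback. GENERIC_READ is normally already mapped to specific rights by
    // the time a minifilter sees the create; it is included as a cheap backstop.
    if (!FlagOn(desiredAccess, FILE_READ_DATA | MAXIMUM_ALLOWED | GENERIC_READ))
    {
        goto Cleanup;
    }

    cbStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;

Cleanup:

    return cbStatus;
}

//
// Post-create callback.
//
// After the file system has opened the file, identify it by volume serial
// number + file ID and, if it is one of gProtectedFiles, cancel the open and
// fail the create with STATUS_ACCESS_DENIED. Matching on FILE_ID_INFORMATION
// rather than on a path means the same file reached through another name
// (e.g. inside a Volume Shadow Copy snapshot) is matched as well.
//
// Data              - the create operation; IoStatus is overwritten on deny.
// FltObjects        - supplies the Instance and the opened FileObject.
// CompletionContext - unused.
// Flags             - checked for FLTFL_POST_OPERATION_DRAINING.
//
// Always returns FLT_POSTOP_FINISHED_PROCESSING. Any failure to identify the
// file fails open (the create is allowed).
//
FLT_POSTOP_CALLBACK_STATUS
PostCreateCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    FILE_ID_INFORMATION fileId = { 0, };
    ULONG resultSize = 0;

    UNREFERENCED_PARAMETER(CompletionContext);

    // The instance is being torn down. FltCancelFileOpen must not be called
    // from a draining post-create callback, so there is nothing safe to do.
    if (FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING))
    {
        goto Cleanup;
    }

    // Only a create that fully succeeded has a file object worth inspecting.
    // NOTE(review): the FO_HANDLE_CREATED exclusion is inherited as-is; it
    // presumably skips file objects that already had a handle before this
    // create - confirm that no open of a protected file can arrive with it set.
    if ((STATUS_SUCCESS != Data->IoStatus.Status) ||
        !FltObjects->FileObject ||
        FlagOn(FltObjects->FileObject->Flags, FO_HANDLE_CREATED)
        )
    {
        goto Cleanup;
    }

    // Ask the file system for the file's identity. Both the status and the
    // returned size are checked so a short or unsupported answer is never
    // compared against the protected list.
    ntStatus = FsRtlQueryInformationFile(FltObjects->FileObject, &fileId, sizeof(fileId), FileIdInformation, &resultSize);
    if (!NT_SUCCESS(ntStatus) || (sizeof(fileId) != resultSize))
    {
        // Fail open: a file system that cannot report FileIdInformation is not
        // filtered. Worth knowing when assessing coverage of this protection.
        goto Cleanup;
    }

    // FILE_ID_INFORMATION is 8 + 16 bytes with no padding, so a byte-wise
    // compare is an exact identity compare (serial number and 128-bit file ID).
    for (ULONG i = 0; i < ARRAYSIZE(gProtectedFiles); i++)
    {
        if (0 == memcmp(&fileId, &gProtectedFiles[i], sizeof(fileId)))
        {
            // Undo the open the file system just performed and fail the create.
            FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject);
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;

            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                "Silhouette: DENY pagefile access. PID: %u\n", FltGetRequestorProcessId(Data)
            );

            // The open has been cancelled once; never cancel it a second time
            // should the protected list ever contain duplicate entries.
            break;
        }
    }

Cleanup:
    return FLT_POSTOP_FINISHED_PROCESSING;
}
--------------------------------------------------------------------------------
/phnt/include/ntxcapi.h:
--------------------------------------------------------------------------------
/*
 * Exception support functions
 *
 * This file is part of System Informer.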
5 | */ 6 | 7 | #ifndef _NTXCAPI_H 8 | #define _NTXCAPI_H 9 | 10 | NTSYSAPI 11 | BOOLEAN 12 | NTAPI 13 | RtlDispatchException( 14 | _In_ PEXCEPTION_RECORD ExceptionRecord, 15 | _In_ PCONTEXT ContextRecord 16 | ); 17 | 18 | NTSYSAPI 19 | DECLSPEC_NORETURN 20 | VOID 21 | NTAPI 22 | RtlRaiseStatus( 23 | _In_ NTSTATUS Status 24 | ); 25 | 26 | NTSYSAPI 27 | VOID 28 | NTAPI 29 | RtlRaiseException( 30 | _In_ PEXCEPTION_RECORD ExceptionRecord 31 | ); 32 | 33 | NTSYSCALLAPI 34 | NTSTATUS 35 | NTAPI 36 | NtContinue( 37 | _In_ PCONTEXT ContextRecord, 38 | _In_ BOOLEAN TestAlert 39 | ); 40 | 41 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 42 | typedef enum _KCONTINUE_TYPE 43 | { 44 | KCONTINUE_UNWIND, 45 | KCONTINUE_RESUME, 46 | KCONTINUE_LONGJUMP, 47 | KCONTINUE_SET, 48 | KCONTINUE_LAST, 49 | } KCONTINUE_TYPE; 50 | 51 | typedef struct _KCONTINUE_ARGUMENT 52 | { 53 | KCONTINUE_TYPE ContinueType; 54 | ULONG ContinueFlags; 55 | ULONGLONG Reserved[2]; 56 | } KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; 57 | 58 | #define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny 59 | #define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny 60 | 61 | NTSYSCALLAPI 62 | NTSTATUS 63 | NTAPI 64 | NtContinueEx( 65 | _In_ PCONTEXT ContextRecord, 66 | _In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid 67 | ); 68 | 69 | //FORCEINLINE 70 | //NTSTATUS 71 | //NtContinue( 72 | // _In_ PCONTEXT ContextRecord, 73 | // _In_ BOOLEAN TestAlert 74 | // ) 75 | //{ 76 | // return NtContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert); 77 | //} 78 | #endif 79 | 80 | NTSYSCALLAPI 81 | NTSTATUS 82 | NTAPI 83 | NtRaiseException( 84 | _In_ PEXCEPTION_RECORD ExceptionRecord, 85 | _In_ PCONTEXT ContextRecord, 86 | _In_ BOOLEAN FirstChance 87 | ); 88 | 89 | NTSYSCALLAPI 90 | DECLSPEC_NORETURN 91 | VOID 92 | NTAPI 93 | RtlAssert( 94 | _In_ PVOID VoidFailedAssertion, 95 | _In_ PVOID VoidFileName, 96 | _In_ ULONG LineNumber, 97 | _In_opt_ PSTR MutableMessage 98 | ); 99 | 100 | #define RTL_ASSERT(exp) \ 101 | 
((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE) 102 | #define RTL_ASSERTMSG(msg, exp) \ 103 | ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE) 104 | #define RTL_SOFT_ASSERT(_exp) \ 105 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE) 106 | #define RTL_SOFT_ASSERTMSG(_msg, _exp) \ 107 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) 108 | 109 | #endif 110 | -------------------------------------------------------------------------------- /phnt/include/phnt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * NT Header annotations 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_H 8 | #define _PHNT_H 9 | 10 | // This header file provides access to NT APIs. 11 | 12 | // Definitions are annotated to indicate their source. If a definition is not annotated, it has been 13 | // retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). 14 | 15 | // * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in 16 | // winbase.h. 17 | // * "rev" indicates that a definition has been reverse-engineered. 18 | // * "dbg" indicates that a definition has been obtained from a debug message or assertion in a 19 | // checked build of the kernel or file. 20 | 21 | // Reliability: 22 | // 1. No annotation. 23 | // 2. dbg. 24 | // 3. symbols, private. Types may be incorrect. 25 | // 4. winbase. Names and types may be incorrect. 26 | // 5. rev. 
27 | 28 | // Mode 29 | #define PHNT_MODE_KERNEL 0 30 | #define PHNT_MODE_USER 1 31 | 32 | // Version 33 | #define PHNT_WIN2K 50 34 | #define PHNT_WINXP 51 35 | #define PHNT_WS03 52 36 | #define PHNT_VISTA 60 37 | #define PHNT_WIN7 61 38 | #define PHNT_WIN8 62 39 | #define PHNT_WINBLUE 63 40 | #define PHNT_THRESHOLD 100 41 | #define PHNT_THRESHOLD2 101 42 | #define PHNT_REDSTONE 102 43 | #define PHNT_REDSTONE2 103 44 | #define PHNT_REDSTONE3 104 45 | #define PHNT_REDSTONE4 105 46 | #define PHNT_REDSTONE5 106 47 | #define PHNT_19H1 107 48 | #define PHNT_19H2 108 49 | #define PHNT_20H1 109 50 | #define PHNT_20H2 110 51 | #define PHNT_21H1 111 52 | #define PHNT_WIN10_21H2 112 53 | #define PHNT_WIN10_22H2 113 54 | #define PHNT_WIN11 114 55 | #define PHNT_WIN11_22H2 115 56 | 57 | #ifndef PHNT_MODE 58 | #define PHNT_MODE PHNT_MODE_USER 59 | #endif 60 | 61 | #ifndef PHNT_VERSION 62 | #define PHNT_VERSION PHNT_WIN11 63 | #endif 64 | 65 | // Options 66 | 67 | //#define PHNT_NO_INLINE_INIT_STRING 68 | 69 | #ifdef __cplusplus 70 | extern "C" { 71 | #endif 72 | 73 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 74 | #include 75 | #include 76 | #include 77 | #endif 78 | 79 | #include 80 | #include 81 | 82 | #include 83 | #include 84 | #include 85 | #include 86 | 87 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 88 | #include 89 | #include 90 | #include 91 | #include 92 | #include 93 | #include 94 | #include 95 | #include 96 | #include 97 | #endif 98 | 99 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 100 | 101 | #include 102 | #include 103 | #include 104 | #include 105 | 106 | #include 107 | 108 | #include 109 | #include 110 | 111 | #include 112 | 113 | #include 114 | 115 | #endif 116 | 117 | #ifdef __cplusplus 118 | } 119 | #endif 120 | 121 | #endif 122 | -------------------------------------------------------------------------------- /phnt/include/subprocesstag.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Subprocess tag information 3 | * 4 | * This file 
is part of System Informer. 5 | */ 6 | 7 | #ifndef _SUBPROCESSTAG_H 8 | #define _SUBPROCESSTAG_H 9 | 10 | typedef enum _TAG_INFO_LEVEL 11 | { 12 | eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG 13 | eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE 14 | eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING 15 | eTagInfoLevelMax 16 | } TAG_INFO_LEVEL; 17 | 18 | typedef enum _TAG_TYPE 19 | { 20 | eTagTypeService = 1, 21 | eTagTypeMax 22 | } TAG_TYPE; 23 | 24 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS 25 | { 26 | ULONG dwPid; 27 | ULONG dwTag; 28 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS; 29 | 30 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS 31 | { 32 | ULONG eTagType; 33 | PWSTR pszName; 34 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS; 35 | 36 | typedef struct _TAG_INFO_NAME_FROM_TAG 37 | { 38 | TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams; 39 | TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams; 40 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG; 41 | 42 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS 43 | { 44 | ULONG dwPid; 45 | PWSTR pszModule; 46 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS; 47 | 48 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS 49 | { 50 | ULONG eTagType; 51 | PWSTR pmszNames; 52 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS; 53 | 54 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE 55 | { 56 | TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams; 57 | TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams; 58 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE; 59 | 60 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS 61 | { 62 | ULONG dwPid; 63 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS; 64 | 65 | typedef struct 
_TAG_INFO_NAME_TAG_MAPPING_ELEMENT 66 | { 67 | ULONG eTagType; 68 | ULONG dwTag; 69 | PWSTR pszName; 70 | PWSTR pszGroupName; 71 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT; 72 | 73 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS 74 | { 75 | ULONG cElements; 76 | PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements; 77 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS; 78 | 79 | typedef struct _TAG_INFO_NAME_TAG_MAPPING 80 | { 81 | TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams; 82 | PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams; 83 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING; 84 | 85 | _Must_inspect_result_ 86 | ULONG 87 | WINAPI 88 | I_QueryTagInformation( 89 | _In_opt_ PCWSTR MachineName, 90 | _In_ TAG_INFO_LEVEL InfoLevel, 91 | _Inout_ PVOID TagInfo 92 | ); 93 | 94 | typedef ULONG (WINAPI *PQUERY_TAG_INFORMATION)( 95 | _In_opt_ PCWSTR MachineName, 96 | _In_ TAG_INFO_LEVEL InfoLevel, 97 | _Inout_ PVOID TagInfo 98 | ); 99 | 100 | #endif 101 | -------------------------------------------------------------------------------- /phnt/include/phnt_windows.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Win32 definition support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_WINDOWS_H 8 | #define _PHNT_WINDOWS_H 9 | 10 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 
11 | 12 | #ifndef __cplusplus 13 | #ifndef CINTERFACE 14 | #define CINTERFACE 15 | #endif 16 | 17 | #ifndef COBJMACROS 18 | #define COBJMACROS 19 | #endif 20 | #endif 21 | 22 | #ifndef INT_ERROR 23 | #define INT_ERROR (-1) 24 | #endif 25 | 26 | #ifndef ULONG64_MAX 27 | #define ULONG64_MAX 0xffffffffffffffffui64 28 | #endif 29 | 30 | #ifndef SIZE_T_MAX 31 | #ifdef _WIN64 32 | #define SIZE_T_MAX 0xffffffffffffffffui64 33 | #else 34 | #define SIZE_T_MAX 0xffffffffUL 35 | #endif 36 | #endif 37 | 38 | #ifndef INITGUID 39 | #define INITGUID 40 | #endif 41 | 42 | #ifndef WIN32_LEAN_AND_MEAN 43 | #define WIN32_LEAN_AND_MEAN 44 | #endif 45 | 46 | #ifndef WIN32_NO_STATUS 47 | #define WIN32_NO_STATUS 48 | #endif 49 | 50 | #ifndef __cplusplus 51 | // This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. (dmex) 52 | #ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 53 | #define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0 54 | #endif 55 | #endif 56 | 57 | #include 58 | #include 59 | #undef WIN32_NO_STATUS 60 | #include 61 | #include 62 | 63 | typedef double DOUBLE; 64 | typedef GUID *PGUID; 65 | 66 | // Desktop access rights 67 | #define DESKTOP_ALL_ACCESS \ 68 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 69 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 70 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 71 | STANDARD_RIGHTS_REQUIRED) 72 | #define DESKTOP_GENERIC_READ \ 73 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 74 | #define DESKTOP_GENERIC_WRITE \ 75 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 76 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 77 | STANDARD_RIGHTS_WRITE) 78 | #define DESKTOP_GENERIC_EXECUTE \ 79 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 80 | 81 | // Window station access rights 82 | #define 
WINSTA_GENERIC_READ \ 83 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 84 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 85 | #define WINSTA_GENERIC_WRITE \ 86 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 87 | STANDARD_RIGHTS_WRITE) 88 | #define WINSTA_GENERIC_EXECUTE \ 89 | (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 90 | 91 | // WMI access rights 92 | #define WMIGUID_GENERIC_READ \ 93 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 94 | STANDARD_RIGHTS_READ) 95 | #define WMIGUID_GENERIC_WRITE \ 96 | (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 97 | STANDARD_RIGHTS_WRITE) 98 | #define WMIGUID_GENERIC_EXECUTE \ 99 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 100 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 101 | STANDARD_RIGHTS_EXECUTE) 102 | 103 | #endif 104 | -------------------------------------------------------------------------------- /phnt/include/ntmisc.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Trace Control support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTMISC_H 8 | #define _NTMISC_H 9 | 10 | // Filter manager 11 | 12 | #define FLT_PORT_CONNECT 0x0001 13 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) 14 | 15 | // VDM 16 | 17 | typedef enum _VDMSERVICECLASS 18 | { 19 | VdmStartExecution, 20 | VdmQueueInterrupt, 21 | VdmDelayInterrupt, 22 | VdmInitialize, 23 | VdmFeatures, 24 | VdmSetInt21Handler, 25 | VdmQueryDir, 26 | VdmPrinterDirectIoOpen, 27 | VdmPrinterDirectIoClose, 28 | VdmPrinterInitialize, 29 | VdmSetLdtEntries, 30 | VdmSetProcessLdtInfo, 31 | VdmAdlibEmulation, 32 | VdmPMCliControl, 33 | VdmQueryVdmProcess, 34 | VdmPreInitialize 35 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 36 | 37 | NTSYSCALLAPI 38 | NTSTATUS 39 | NTAPI 40 | NtVdmControl( 41 | _In_ VDMSERVICECLASS Service, 42 | _Inout_ PVOID ServiceData 43 | ); 44 | 45 | // WMI/ETW 46 | 47 | NTSYSCALLAPI 48 | NTSTATUS 49 | NTAPI 50 | NtTraceEvent( 51 | _In_ HANDLE TraceHandle, 52 | _In_ ULONG Flags, 53 | _In_ ULONG FieldSize, 54 | _In_ PVOID Fields 55 | ); 56 | 57 | typedef enum _TRACE_CONTROL_INFORMATION_CLASS 58 | { 59 | TraceControlStartLogger = 1, // inout WMI_LOGGER_INFORMATION 60 | TraceControlStopLogger = 2, // inout WMI_LOGGER_INFORMATION 61 | TraceControlQueryLogger = 3, // inout WMI_LOGGER_INFORMATION 62 | TraceControlUpdateLogger = 4, // inout WMI_LOGGER_INFORMATION 63 | TraceControlFlushLogger = 5, // inout WMI_LOGGER_INFORMATION 64 | TraceControlIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION 65 | TraceControlUnknown = 7, 66 | // unused 67 | TraceControlRealtimeConnect = 11, 68 | TraceControlActivityIdCreate = 12, 69 | TraceControlWdiDispatchControl = 13, 70 | TraceControlRealtimeDisconnectConsumerByHandle = 14, // in HANDLE 71 | TraceControlRegisterGuidsCode = 15, 72 | TraceControlReceiveNotification = 16, 73 | TraceControlSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET 74 | TraceControlSendReplyDataBlock = 18, 75 | TraceControlReceiveReplyDataBlock = 19, 76 | 
TraceControlWdiUpdateSem = 20, 77 | TraceControlEnumTraceGuidList = 21, // out GUID[] 78 | TraceControlGetTraceGuidInfo = 22, // in GUID, out TRACE_GUID_INFO 79 | TraceControlEnumerateTraceGuids = 23, 80 | TraceControlRegisterSecurityProv = 24, 81 | TraceControlQueryReferenceTime = 25, 82 | TraceControlTrackProviderBinary = 26, // in HANDLE 83 | TraceControlAddNotificationEvent = 27, 84 | TraceControlUpdateDisallowList = 28, 85 | TraceControlSetEnableAllKeywordsCode = 29, 86 | TraceControlSetProviderTraitsCode = 30, 87 | TraceControlUseDescriptorTypeCode = 31, 88 | TraceControlEnumTraceGroupList = 32, 89 | TraceControlGetTraceGroupInfo = 33, 90 | TraceControlTraceSetDisallowList = 34, 91 | TraceControlSetCompressionSettings = 35, 92 | TraceControlGetCompressionSettings = 36, 93 | TraceControlUpdatePeriodicCaptureState = 37, 94 | TraceControlGetPrivateSessionTraceHandle = 38, 95 | TraceControlRegisterPrivateSession = 39, 96 | TraceControlQuerySessionDemuxObject = 40, 97 | TraceControlSetProviderBinaryTracking = 41, 98 | TraceControlMaxLoggers = 42, // out ULONG 99 | TraceControlMaxPmcCounter = 43, // out ULONG 100 | TraceControlQueryUsedProcessorCount = 44, // ULONG // since WIN11 101 | TraceControlGetPmcOwnership = 45, 102 | } TRACE_CONTROL_INFORMATION_CLASS; 103 | 104 | #if (PHNT_VERSION >= PHNT_VISTA) 105 | NTSYSCALLAPI 106 | NTSTATUS 107 | NTAPI 108 | NtTraceControl( 109 | _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass, 110 | _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 111 | _In_ ULONG InputBufferLength, 112 | _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation, 113 | _In_ ULONG TraceInformationLength, 114 | _Out_ PULONG ReturnLength 115 | ); 116 | #endif 117 | 118 | #endif 119 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Elastic License 2.0 2 | 3 | URL: 
https://www.elastic.co/licensing/elastic-license 4 | 5 | ## Acceptance 6 | 7 | By using the software, you agree to all of the terms and conditions below. 8 | 9 | ## Copyright License 10 | 11 | The licensor grants you a non-exclusive, royalty-free, worldwide, 12 | non-sublicensable, non-transferable license to use, copy, distribute, make 13 | available, and prepare derivative works of the software, in each case subject to 14 | the limitations and conditions below. 15 | 16 | ## Limitations 17 | 18 | You may not provide the software to third parties as a hosted or managed 19 | service, where the service provides users with access to any substantial set of 20 | the features or functionality of the software. 21 | 22 | You may not move, change, disable, or circumvent the license key functionality 23 | in the software, and you may not remove or obscure any functionality in the 24 | software that is protected by the license key. 25 | 26 | You may not alter, remove, or obscure any licensing, copyright, or other notices 27 | of the licensor in the software. Any use of the licensor’s trademarks is subject 28 | to applicable law. 29 | 30 | ## Patents 31 | 32 | The licensor grants you a license, under any patent claims the licensor can 33 | license, or becomes able to license, to make, have made, use, sell, offer for 34 | sale, import and have imported the software, in each case subject to the 35 | limitations and conditions in this license. This license does not cover any 36 | patent claims that you cause to be infringed by modifications or additions to 37 | the software. If you or your company make any written claim that the software 38 | infringes or contributes to infringement of any patent, your patent license for 39 | the software granted under these terms ends immediately. If your company makes 40 | such a claim, your patent license ends immediately for work on behalf of your 41 | company. 
42 | 43 | ## Notices 44 | 45 | You must ensure that anyone who gets a copy of any part of the software from you 46 | also gets a copy of these terms. 47 | 48 | If you modify the software, you must include in any modified copies of the 49 | software prominent notices stating that you have modified the software. 50 | 51 | ## No Other Rights 52 | 53 | These terms do not imply any licenses other than those expressly granted in 54 | these terms. 55 | 56 | ## Termination 57 | 58 | If you use the software in violation of these terms, such use is not licensed, 59 | and your licenses will automatically terminate. If the licensor provides you 60 | with a notice of your violation, and you cease all violation of this license no 61 | later than 30 days after you receive that notice, your licenses will be 62 | reinstated retroactively. However, if you violate these terms after such 63 | reinstatement, any additional violation of these terms will cause your licenses 64 | to terminate automatically and permanently. 65 | 66 | ## No Liability 67 | 68 | *As far as the law allows, the software comes as is, without any warranty or 69 | condition, and the licensor will not be liable to you for any damages arising 70 | out of these terms or the use or nature of the software, under any kind of 71 | legal claim.* 72 | 73 | ## Definitions 74 | 75 | The **licensor** is the entity offering these terms, and the **software** is the 76 | software the licensor makes available under these terms, including any portion 77 | of it. 78 | 79 | **you** refers to the individual or entity agreeing to these terms. 80 | 81 | **your company** is any legal entity, sole proprietorship, or other kind of 82 | organization that you work for, plus all organizations that have control over, 83 | are under the control of, or are under common control with that 84 | organization. 
**control** means ownership of substantially all the assets of an 85 | entity, or the power to direct its management and policies by vote, contract, or 86 | otherwise. Control can be direct or indirect. 87 | 88 | **your licenses** are all the licenses granted to you for the software under 89 | these terms. 90 | 91 | **use** means anything you do with the software requiring one of your licenses. 92 | 93 | **trademark** means trademarks, service marks, and similar rights. -------------------------------------------------------------------------------- /phnt/include/ntkeapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Kernel executive support library 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTKEAPI_H 8 | #define _NTKEAPI_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | #define LOW_PRIORITY 0 // Lowest thread priority level 12 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 13 | #define HIGH_PRIORITY 31 // Highest thread priority level 14 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 15 | #endif 16 | 17 | typedef enum _KTHREAD_STATE 18 | { 19 | Initialized, 20 | Ready, 21 | Running, 22 | Standby, 23 | Terminated, 24 | Waiting, 25 | Transition, 26 | DeferredReady, 27 | GateWaitObsolete, 28 | WaitingForProcessInSwap, 29 | MaximumThreadState 30 | } KTHREAD_STATE, *PKTHREAD_STATE; 31 | 32 | // private 33 | typedef enum _KHETERO_CPU_POLICY 34 | { 35 | KHeteroCpuPolicyAll = 0, 36 | KHeteroCpuPolicyLarge = 1, 37 | KHeteroCpuPolicyLargeOrIdle = 2, 38 | KHeteroCpuPolicySmall = 3, 39 | KHeteroCpuPolicySmallOrIdle = 4, 40 | KHeteroCpuPolicyDynamic = 5, 41 | KHeteroCpuPolicyStaticMax = 5, // valid 42 | KHeteroCpuPolicyBiasedSmall = 6, 43 | KHeteroCpuPolicyBiasedLarge = 7, 44 | KHeteroCpuPolicyDefault = 8, 45 | KHeteroCpuPolicyMax = 9 46 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 47 | 48 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 49 | 50 | typedef enum 
_KWAIT_REASON 51 | { 52 | Executive, 53 | FreePage, 54 | PageIn, 55 | PoolAllocation, 56 | DelayExecution, 57 | Suspended, 58 | UserRequest, 59 | WrExecutive, 60 | WrFreePage, 61 | WrPageIn, 62 | WrPoolAllocation, 63 | WrDelayExecution, 64 | WrSuspended, 65 | WrUserRequest, 66 | WrEventPair, 67 | WrQueue, 68 | WrLpcReceive, 69 | WrLpcReply, 70 | WrVirtualMemory, 71 | WrPageOut, 72 | WrRendezvous, 73 | WrKeyedEvent, 74 | WrTerminated, 75 | WrProcessInSwap, 76 | WrCpuRateControl, 77 | WrCalloutStack, 78 | WrKernel, 79 | WrResource, 80 | WrPushLock, 81 | WrMutex, 82 | WrQuantumEnd, 83 | WrDispatchInt, 84 | WrPreempted, 85 | WrYieldExecution, 86 | WrFastMutex, 87 | WrGuardedMutex, 88 | WrRundown, 89 | WrAlertByThreadId, 90 | WrDeferredPreempt, 91 | WrPhysicalFault, 92 | WrIoRing, 93 | WrMdlCache, 94 | MaximumWaitReason 95 | } KWAIT_REASON, *PKWAIT_REASON; 96 | 97 | typedef enum _KPROFILE_SOURCE 98 | { 99 | ProfileTime, 100 | ProfileAlignmentFixup, 101 | ProfileTotalIssues, 102 | ProfilePipelineDry, 103 | ProfileLoadInstructions, 104 | ProfilePipelineFrozen, 105 | ProfileBranchInstructions, 106 | ProfileTotalNonissues, 107 | ProfileDcacheMisses, 108 | ProfileIcacheMisses, 109 | ProfileCacheMisses, 110 | ProfileBranchMispredictions, 111 | ProfileStoreInstructions, 112 | ProfileFpInstructions, 113 | ProfileIntegerInstructions, 114 | Profile2Issue, 115 | Profile3Issue, 116 | Profile4Issue, 117 | ProfileSpecialInstructions, 118 | ProfileTotalCycles, 119 | ProfileIcacheIssues, 120 | ProfileDcacheAccesses, 121 | ProfileMemoryBarrierCycles, 122 | ProfileLoadLinkedIssues, 123 | ProfileMaximum 124 | } KPROFILE_SOURCE; 125 | 126 | #endif 127 | 128 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 129 | 130 | NTSYSCALLAPI 131 | NTSTATUS 132 | NTAPI 133 | NtCallbackReturn( 134 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 135 | _In_ ULONG OutputLength, 136 | _In_ NTSTATUS Status 137 | ); 138 | 139 | #if (PHNT_VERSION >= PHNT_VISTA) 140 | NTSYSCALLAPI 141 | VOID 142 | NTAPI 143 | 
NtFlushProcessWriteBuffers( 144 | VOID 145 | ); 146 | #endif 147 | 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtQueryDebugFilterState( 152 | _In_ ULONG ComponentId, 153 | _In_ ULONG Level 154 | ); 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtSetDebugFilterState( 160 | _In_ ULONG ComponentId, 161 | _In_ ULONG Level, 162 | _In_ BOOLEAN State 163 | ); 164 | 165 | NTSYSCALLAPI 166 | NTSTATUS 167 | NTAPI 168 | NtYieldExecution( 169 | VOID 170 | ); 171 | 172 | #endif 173 | 174 | #endif 175 | -------------------------------------------------------------------------------- /phnt/include/ntgdi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Graphics device interface support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTGDI_H 8 | #define _NTGDI_H 9 | 10 | #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 11 | 12 | #define GDI_HANDLE_INDEX_SHIFT 0 13 | #define GDI_HANDLE_INDEX_BITS 16 14 | #define GDI_HANDLE_INDEX_MASK 0xffff 15 | 16 | #define GDI_HANDLE_TYPE_SHIFT 16 17 | #define GDI_HANDLE_TYPE_BITS 5 18 | #define GDI_HANDLE_TYPE_MASK 0x1f 19 | 20 | #define GDI_HANDLE_ALTTYPE_SHIFT 21 21 | #define GDI_HANDLE_ALTTYPE_BITS 2 22 | #define GDI_HANDLE_ALTTYPE_MASK 0x3 23 | 24 | #define GDI_HANDLE_STOCK_SHIFT 23 25 | #define GDI_HANDLE_STOCK_BITS 1 26 | #define GDI_HANDLE_STOCK_MASK 0x1 27 | 28 | #define GDI_HANDLE_UNIQUE_SHIFT 24 29 | #define GDI_HANDLE_UNIQUE_BITS 8 30 | #define GDI_HANDLE_UNIQUE_MASK 0xff 31 | 32 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) 33 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) 34 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) 35 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK) 36 | 37 | #define GDI_MAKE_HANDLE(Index, Unique) 
((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) 38 | 39 | // GDI server-side types 40 | 41 | #define GDI_DEF_TYPE 0 // invalid handle 42 | #define GDI_DC_TYPE 1 43 | #define GDI_DD_DIRECTDRAW_TYPE 2 44 | #define GDI_DD_SURFACE_TYPE 3 45 | #define GDI_RGN_TYPE 4 46 | #define GDI_SURF_TYPE 5 47 | #define GDI_CLIENTOBJ_TYPE 6 48 | #define GDI_PATH_TYPE 7 49 | #define GDI_PAL_TYPE 8 50 | #define GDI_ICMLCS_TYPE 9 51 | #define GDI_LFONT_TYPE 10 52 | #define GDI_RFONT_TYPE 11 53 | #define GDI_PFE_TYPE 12 54 | #define GDI_PFT_TYPE 13 55 | #define GDI_ICMCXF_TYPE 14 56 | #define GDI_ICMDLL_TYPE 15 57 | #define GDI_BRUSH_TYPE 16 58 | #define GDI_PFF_TYPE 17 // unused 59 | #define GDI_CACHE_TYPE 18 // unused 60 | #define GDI_SPACE_TYPE 19 61 | #define GDI_DBRUSH_TYPE 20 // unused 62 | #define GDI_META_TYPE 21 63 | #define GDI_EFSTATE_TYPE 22 64 | #define GDI_BMFD_TYPE 23 // unused 65 | #define GDI_VTFD_TYPE 24 // unused 66 | #define GDI_TTFD_TYPE 25 // unused 67 | #define GDI_RC_TYPE 26 // unused 68 | #define GDI_TEMP_TYPE 27 // unused 69 | #define GDI_DRVOBJ_TYPE 28 70 | #define GDI_DCIOBJ_TYPE 29 // unused 71 | #define GDI_SPOOL_TYPE 30 72 | 73 | // GDI client-side types 74 | 75 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ 76 | (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) 77 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) 78 | 79 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) 80 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) 81 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) 82 | 83 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) 84 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) 85 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) 86 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) 87 | 
#define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT)

#define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2)
#define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3)
#define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2)
#define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1)

typedef struct _GDI_HANDLE_ENTRY
{
    union
    {
        PVOID Object;
        PVOID NextFree;
    };
    union
    {
        struct
        {
            USHORT ProcessId;
            USHORT Lock : 1;
            USHORT Count : 15;
        };
        ULONG Value;
    } Owner;
    USHORT Unique;
    UCHAR Type;
    UCHAR Flags;
    PVOID UserPointer;
} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;

typedef struct _GDI_SHARED_MEMORY
{
    GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;

#endif
-------------------------------------------------------------------------------- /Silhouette/Filter_Read.cpp: --------------------------------------------------------------------------------
#include "Silhouette.h"

// Decide whether a read issued through a raw volume handle should be denied.
//
// Only requests that pass all of the following are considered:
//   - user-mode requestor (or kernel mode with SL_FORCE_ACCESS_CHECK set),
//   - file object opened with FO_VOLUME_OPEN (a direct volume handle),
//   - the file object's device is the system boot partition,
//   - the volume's file system is NTFS.
// Of those, a read of at most 512 bytes at offset 0 is allowed; any other
// read is denied. Every considered read is logged with its verdict; reads
// that are filtered out by the checks above are neither logged nor denied.
//
// Data       - callback data for the read; only inspected here (requestor
//              mode, offset, length, requestor PID).
// FltObjects - related objects; FileObject and Volume are dereferenced
//              without a NULL check (NOTE(review): pre-read callbacks are
//              expected to always carry a file object — confirm).
// Returns TRUE when the caller should fail the request.
BOOLEAN ShouldBlockVolumeRead(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    BOOLEAN bShouldLog = FALSE;
    BOOLEAN bShouldBlock = FALSE;
    FLT_FILESYSTEM_TYPE fsType = FLT_FSTYPE_UNKNOWN;

    // Ignore KernelMode requests
    // We're only interested in FO_VOLUME_OPEN reads
    // We're only interested in reads to the system boot partition
    //
    // Kernel-mode callers are trusted unless they explicitly request an
    // access check, so this policy only covers user-mode readers of the
    // boot volume; a kernel-mode reader is never denied here.
    if (((KernelMode == Data->RequestorMode) && !FlagOn(Data->Iopb->OperationFlags, SL_FORCE_ACCESS_CHECK)) ||
        (0 == FlagOn(FltObjects->FileObject->Flags, FO_VOLUME_OPEN)) ||
        (0 == FlagOn(FltObjects->FileObject->DeviceObject->Flags, DO_SYSTEM_BOOT_PARTITION)))
    {
        goto Cleanup;
    }

    // The volume should be NTFS
    ntStatus = FltGetFileSystemType(FltObjects->Volume, &fsType);
    if (!NT_SUCCESS(ntStatus) || (FLT_FSTYPE_NTFS != fsType))
    {
        goto Cleanup;
    }

    // From here on the read is "interesting": it is logged whether it is
    // allowed or denied.
    bShouldLog = TRUE;

    // Allow small reads at offset 0
    // NOTE(review): offset 0 with at most 512 bytes is a single-sector read
    // of the volume's boot sector; presumably allowed for benign tooling that
    // only inspects the header — confirm this is the intended carve-out.
    if ((0 == Data->Iopb->Parameters.Read.ByteOffset.QuadPart) &&
        (Data->Iopb->Parameters.Read.Length <= 512))
    {
        goto Cleanup;
    }

#if 0
    // Compiled out: an additional allow-list for reads that fall inside the
    // MFT zone, located through FSCTL_GET_NTFS_VOLUME_DATA. Left here for
    // reference; it has no effect on the shipped policy.
    {
        NTFS_VOLUME_DATA_BUFFER volumeData = { 0, };
        ULONG ulBytesReturned = 0;
        LONGLONG mftStartOffset = 0;
        LONGLONG mftEndOffset = 0;

        // Find MFT region
        ntStatus = FltFsControlFile(
            FltObjects->Instance, FltObjects->FileObject, FSCTL_GET_NTFS_VOLUME_DATA, NULL, 0, &volumeData, sizeof(volumeData), &ulBytesReturned);
        if (!NT_SUCCESS(ntStatus))
        {
            goto Cleanup;
        }

        mftStartOffset = volumeData.MftZoneStart.QuadPart * volumeData.BytesPerCluster;
        mftEndOffset = volumeData.MftZoneEnd.QuadPart * volumeData.BytesPerCluster;

        // Allow reads to the MFT region
        if ((Data->Iopb->Parameters.Read.ByteOffset.QuadPart >= mftStartOffset) &&
            (Data->Iopb->Parameters.Read.ByteOffset.QuadPart < mftEndOffset))
        {
            goto Cleanup;
        }
    }
#endif

    // Everything that reached this point is a user-mode raw read of the NTFS
    // boot volume beyond the boot sector: deny it.
    bShouldBlock = TRUE;

Cleanup:

    if (bShouldLog)
    {
        // Logged at error level, presumably so the verdict is visible under
        // the default DbgPrint filter mask without extra configuration.
        // NOTE(review): ByteOffset.QuadPart is a signed LONGLONG but is
        // printed with %llu; %lld would match the argument type.
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "Silhouette: %s FO_VOLUME_OPEN read at offset %llu Length %lu PID %u\n",
            bShouldBlock ? "DENY" : "ALLOW",
            Data->Iopb->Parameters.Read.ByteOffset.QuadPart,
            Data->Iopb->Parameters.Read.Length,
            FltGetRequestorProcessId(Data)
            );
    }

    return bShouldBlock;
}

// Pre-operation callback for read requests.
//
// Two independent concerns are handled here:
//   1. Direct volume reads of the boot partition are refused outright (see
//      ShouldBlockVolumeRead): the request is completed in this callback
//      with STATUS_ACCESS_DENIED and never reaches the file system.
//   2. Paging I/O attributed to LSASS (gLsaPid, populated by OpenLSA in
//      Silhouette.cpp) asks for a post-operation callback so the working
//      set can be trimmed again once the page-in has completed.
//
// Data              - callback data; IoStatus.Status is written when the
//                     request is denied.
// FltObjects        - related objects, passed through to ShouldBlockVolumeRead.
// CompletionContext - unused.
// Returns FLT_PREOP_COMPLETE when the read was denied,
// FLT_PREOP_SUCCESS_WITH_CALLBACK for LSASS paging reads, and
// FLT_PREOP_SUCCESS_NO_CALLBACK otherwise.
FLT_PREOP_CALLBACK_STATUS
PreReadCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID* CompletionContext
    )
{
    FLT_PREOP_CALLBACK_STATUS cbStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;

    UNREFERENCED_PARAMETER(CompletionContext);

    // Block direct volume reads
    // TODO: Block direct device reads (FLT_FSTYPE_RAW to \Device\Harddisk0\DR0) that fall within the bounds of the boot volume
    if (ShouldBlockVolumeRead(Data, FltObjects))
    {
        // Completing the request here means the file system never sees it.
        // NOTE(review): IoStatus.Information is left untouched; setting it
        // to 0 would make the completed byte count explicit for the caller.
        cbStatus = FLT_PREOP_COMPLETE;
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        goto Cleanup;
    }

    // We're looking for paging I/O from LSASS
    if (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO))
    {
        // The PID is matched three ways (requestor PID, current process id,
        // current EPROCESS). NOTE(review): for paging I/O these normally
        // agree; the redundancy looks deliberate — confirm which case each
        // branch is meant to catch.
        if ((gLsaPid == FltGetRequestorProcessId(Data)) ||
            (gLsaPid == HandleToULong(PsGetCurrentProcessId())) ||
            (gLsaPid == HandleToULong(PsGetProcessId(PsGetCurrentProcess()))))
        {
            // Wait for the page fault to complete, then re-empty the WS
            cbStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
        }
    }

Cleanup:

    return cbStatus;
}

// Post-operation callback, reached only for the LSASS paging reads that
// PreReadCallback selected. Requests another working-set trim with the
// asynchronous flag set. EmptyWorkingSet is defined elsewhere; presumably
// TRUE makes it signal the worker thread instead of trimming inline, since
// post-operation callbacks may run at raised IRQL — confirm.
//
// All parameters are unused. Always returns FLT_POSTOP_FINISHED_PROCESSING.
FLT_POSTOP_CALLBACK_STATUS
PostReadCallback(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ PVOID CompletionContext,
    _In_ FLT_POST_OPERATION_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    UNREFERENCED_PARAMETER(Flags);

    // Page out LSA asynchronously
    EmptyWorkingSet(TRUE);

    return FLT_POSTOP_FINISHED_PROCESSING;
}

-------------------------------------------------------------------------------- /Silhouette/Silhouette.cpp: --------------------------------------------------------------------------------
#include "Silhouette.h"

// Driver-wide state.
HANDLE ghLsass = NULL;                  // kernel handle to the LSASS process, opened in OpenLSA
ULONG gLsaPid = 0;                      // LSASS PID read from the registry; matched by PreReadCallback
PDRIVER_OBJECT gpDriverObject = NULL;   // driver object saved in DriverEntry
KEVENT gWorkerThreadSignal = { 0, };    // synchronization event: "trim the working set now"
KEVENT gWorkerThreadShutdown = { 0, };  // notification event: worker thread must exit
HANDLE ghWorkerThread = NULL;           // thread handle returned by PsCreateSystemThread

static NTSTATUS OpenLSA(HANDLE* phLsass);
void WorkingSetThread(PVOID StartContext);

// Tear down in the reverse order of DriverEntry.
//
// Also invoked by DriverEntry itself when initialisation fails part-way, so
// every step must tolerate state that was never set up: ghWorkerThread is
// checked here; UnregisterFilter and HandleDelete are defined elsewhere and
// presumably tolerate a missing registration / NULL handle — confirm.
// The shutdown event is only touched when the thread exists, which is what
// keeps an early OpenLSA failure (events not yet initialised) safe.
void
DriverUnload(
    PDRIVER_OBJECT DriverObject)
{
    // Unregister first so no further filter callbacks can signal the worker.
    UnregisterFilter();

    UNREFERENCED_PARAMETER(DriverObject);

    // Shut down and join worker thread
    if (ghWorkerThread)
    {
        // Notification event: stays signalled until the thread observes it.
        KeSetEvent(&gWorkerThreadShutdown, 0, TRUE);
        // The handle was created in the context DriverEntry ran in; waiting on
        // it here presumably relies on unload running in the same (System)
        // context. NOTE(review): referencing the thread object and using
        // KeWaitForSingleObject would remove that handle-table dependency.
        ZwWaitForSingleObject(ghWorkerThread, FALSE, NULL);
        HandleDelete(ghWorkerThread);
    }

    HandleDelete(ghLsass);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Unloaded\n");
}

// Driver entry point.
//
// Order of initialisation: locate LSASS (OpenLSA), start the working-set
// trimmer thread, perform one synchronous trim, then register the
// minifilter. Any failure unwinds through DriverUnload and the failing
// NTSTATUS is returned, so the driver does not stay loaded half-initialised.
//
// DriverObject - the driver object; also stored in gpDriverObject.
// RegistryPath - unused.
extern "C"
NTSTATUS DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS ntStatus = 0;

    UNREFERENCED_PARAMETER(RegistryPath);

    gpDriverObject = DriverObject;

    ntStatus = OpenLSA(&ghLsass);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Start monitor thread
    // Both events must be initialised before the thread exists: its first
    // action (WorkingSetThread) is to wait on them.
    KeInitializeEvent(&gWorkerThreadShutdown, NotificationEvent, FALSE);
    KeInitializeEvent(&gWorkerThreadSignal, SynchronizationEvent, FALSE);
    ntStatus = PsCreateSystemThread(&ghWorkerThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, WorkingSetThread, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Do an initial shrink
    // Synchronous (FALSE) so a failure here is reported rather than lost in
    // the worker thread.
    ntStatus = EmptyWorkingSet(FALSE);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Register minifilter
    ntStatus = RegisterFilter(DriverObject);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Setting this makes it trivial to unload this driver, but easier for development
    // NOTE(review): for a protection driver the unload path is itself a
    // weakness — anything able to stop the service can remove the
    // protection. A production build would normally leave DriverUnload
    // unset so the driver only goes away on reboot.
    DriverObject->DriverUnload = DriverUnload;

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Loaded\n");

Cleanup:
    if (!NT_SUCCESS(ntStatus))
    {
        // Unwind whatever was set up; DriverUnload copes with partial state.
        DriverUnload(DriverObject);
    }
    return ntStatus;
}

// Locate LSASS and return a kernel handle to it in *phLsass.
//
// The PID is taken from the LsaPid value under
// \Registry\Machine\SYSTEM\CurrentControlSet\Control\Lsa via GetRegistryDword
// and stored in the global gLsaPid (also used by PreReadCallback). The driver
// therefore trusts that registry value: it is only as trustworthy as the
// key's ACL and only as current as the last LSASS start.
// NOTE(review): a stale value could name a different process after PID
// reuse — confirm the value is refreshed whenever LSASS starts.
//
// The handle is opened with OBJ_KERNEL_HANDLE (not reachable from a user-mode
// handle table) and DesiredAccess 0; ObReferenceObjectByHandle is called with
// KernelMode, which presumably skips the granted-access check. How the
// zero-access handle is used later is not visible here (EmptyWorkingSet is
// defined elsewhere).
//
// An LSASS that is not RunAsPPL is only logged; it does not fail the open.
//
// Returns the NTSTATUS of the first failing step. On a failure after
// ZwOpenProcess the handle remains open in *phLsass; the caller's
// DriverUnload path closes it.
static NTSTATUS OpenLSA(HANDLE* phLsass)
{
    const UNICODE_STRING szKeyPath = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Lsa");
    const UNICODE_STRING szLsaPid = RTL_CONSTANT_STRING(L"LsaPid");

    NTSTATUS ntStatus = 0;
    CLIENT_ID cid = { 0, };
    OBJECT_ATTRIBUTES objAttr = { 0, };
    PEPROCESS pProcess = NULL;

    // Find LSA PID
    ntStatus = GetRegistryDword(&szKeyPath, &szLsaPid, &gLsaPid);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Get a handle
    cid = { ULongToHandle(gLsaPid), NULL };
    InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    ntStatus = ZwOpenProcess(phLsass, 0, &objAttr, &cid);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Resolve the handle to its EPROCESS so the protection level can be
    // inspected; the reference is dropped in Cleanup.
    ntStatus = ObReferenceObjectByHandle(*phLsass, 0, *PsProcessType, KernelMode, (PVOID*)&pProcess, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Advisory only: warn when LSASS is not running as a protected process.
    if (!PsIsProtectedProcessLight(pProcess))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "Silhouette: LSASS is not RunAsPPL! Besides making it vulnerable to a variety of virtual memory-based attacks attacks, "
            "it greatly increases the chance of page faults due to benign VM accesses from APIs such as EnumProcessModules().\n");
    }

Cleanup:
    // ReferenceDelete is defined elsewhere; presumably NULL-safe, since
    // pProcess is NULL on every early-exit path — confirm.
    ReferenceDelete(pProcess);

    return ntStatus;
}

// 100-ns FILETIME units. ONE_SECOND_IN_FILETIME is currently unused here.
#define ONE_SECOND_IN_FILETIME 10000000
#define ONE_MS_IN_FILETIME 10000

// System thread that trims the LSASS working set on a 100 ms cadence or on
// demand.
//
// Waits on { gWorkerThreadShutdown, gWorkerThreadSignal } with a relative
// timeout (a negative LARGE_INTEGER is relative). Index 0 (shutdown) ends
// the loop; index 1 (signal) and a timeout both run a synchronous trim.
// The thread terminates itself with the last wait status.
//
// StartContext - unused.
void WorkingSetThread(PVOID StartContext)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    LARGE_INTEGER delay = { 0 };
    delay.QuadPart = -(ONE_MS_IN_FILETIME * 100); // 100ms
    PVOID waitEvents[2] = { &gWorkerThreadShutdown, &gWorkerThreadSignal };

    UNREFERENCED_PARAMETER(StartContext);

    do
    {
        ntStatus = KeWaitForMultipleObjects(2, waitEvents, WaitAny, Executive, KernelMode, FALSE, &delay, NULL);
        switch (ntStatus)
        {
        case STATUS_WAIT_0:
            // Shutdown requested; the loop condition below exits.
            break;
        case STATUS_WAIT_1:
            //DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Performing async WS reduction\n");
            // fall through
        case STATUS_TIMEOUT:
            // Signalled (asynchronous request from a callback) or periodic.
            EmptyWorkingSet(FALSE);
            break;
        default:
            // NOTE(review): with a non-alertable KernelMode wait on two
            // events the handled cases should be the only outcomes, so this
            // is presumably unreachable — but a breakpoint in kernel mode
            // with no kernel debugger attached is a fatal exception on a
            // production system; logging and continuing would be safer.
            __debugbreak();
        }
    } while (ntStatus != STATUS_WAIT_0);

    PsTerminateSystemThread(ntStatus);
}
-------------------------------------------------------------------------------- /phnt/include/ntpnpapi.h: --------------------------------------------------------------------------------
/*
 * Plug and Play support functions
 *
 * This file is part of System Informer.
5 | */ 6 | 7 | #ifndef _NTPNPAPI_H 8 | #define _NTPNPAPI_H 9 | 10 | typedef enum _PLUGPLAY_EVENT_CATEGORY 11 | { 12 | HardwareProfileChangeEvent, 13 | TargetDeviceChangeEvent, 14 | DeviceClassChangeEvent, 15 | CustomDeviceEvent, 16 | DeviceInstallEvent, 17 | DeviceArrivalEvent, 18 | PowerEvent, 19 | VetoEvent, 20 | BlockedDriverEvent, 21 | InvalidIDEvent, 22 | MaxPlugEventCategory 23 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 24 | 25 | typedef struct _PLUGPLAY_EVENT_BLOCK 26 | { 27 | GUID EventGuid; 28 | PLUGPLAY_EVENT_CATEGORY EventCategory; 29 | PULONG Result; 30 | ULONG Flags; 31 | ULONG TotalSize; 32 | PVOID DeviceObject; 33 | 34 | union 35 | { 36 | struct 37 | { 38 | GUID ClassGuid; 39 | WCHAR SymbolicLinkName[1]; 40 | } DeviceClass; 41 | struct 42 | { 43 | WCHAR DeviceIds[1]; 44 | } TargetDevice; 45 | struct 46 | { 47 | WCHAR DeviceId[1]; 48 | } InstallDevice; 49 | struct 50 | { 51 | PVOID NotificationStructure; 52 | WCHAR DeviceIds[1]; 53 | } CustomNotification; 54 | struct 55 | { 56 | PVOID Notification; 57 | } ProfileNotification; 58 | struct 59 | { 60 | ULONG NotificationCode; 61 | ULONG NotificationData; 62 | } PowerNotification; 63 | struct 64 | { 65 | PNP_VETO_TYPE VetoType; 66 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 67 | } VetoNotification; 68 | struct 69 | { 70 | GUID BlockedDriverGuid; 71 | } BlockedDriverNotification; 72 | struct 73 | { 74 | WCHAR ParentId[1]; 75 | } InvalidIDNotification; 76 | } u; 77 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 78 | 79 | typedef enum _PLUGPLAY_CONTROL_CLASS 80 | { 81 | PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA 82 | PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 83 | PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 84 | PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 85 | PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 86 | PlugPlayControlUnlockDevice, // 
PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 87 | PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA 88 | PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA 89 | PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA 90 | PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA 91 | PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA 92 | PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA 93 | PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA 94 | PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA 95 | PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA 96 | PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA 97 | PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA 98 | PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA 99 | PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST 100 | PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA 101 | PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 102 | PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 103 | PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA 104 | PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED 105 | MaxPlugPlayControl 106 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 107 | 108 | #if (PHNT_VERSION < PHNT_WIN8) 109 | NTSYSCALLAPI 110 | NTSTATUS 111 | NTAPI 112 | NtGetPlugPlayEvent( 113 | _In_ HANDLE EventHandle, 114 | _In_opt_ PVOID Context, 115 | _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, 116 | _In_ ULONG EventBufferSize 117 | ); 118 | #endif 119 | 120 | NTSYSCALLAPI 121 | NTSTATUS 122 | NTAPI 123 | NtPlugPlayControl( 124 | _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, 125 | 
_Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, 126 | _In_ ULONG PnPControlDataLength 127 | ); 128 | 129 | #if (PHNT_VERSION >= PHNT_WIN7) 130 | 131 | NTSYSCALLAPI 132 | NTSTATUS 133 | NTAPI 134 | NtSerializeBoot( 135 | VOID 136 | ); 137 | 138 | NTSYSCALLAPI 139 | NTSTATUS 140 | NTAPI 141 | NtEnableLastKnownGood( 142 | VOID 143 | ); 144 | 145 | NTSYSCALLAPI 146 | NTSTATUS 147 | NTAPI 148 | NtDisableLastKnownGood( 149 | VOID 150 | ); 151 | 152 | #endif 153 | 154 | #if (PHNT_VERSION >= PHNT_VISTA) 155 | NTSYSCALLAPI 156 | NTSTATUS 157 | NTAPI 158 | NtReplacePartitionUnit( 159 | _In_ PUNICODE_STRING TargetInstancePath, 160 | _In_ PUNICODE_STRING SpareInstancePath, 161 | _In_ ULONG Flags 162 | ); 163 | #endif 164 | 165 | #endif 166 | -------------------------------------------------------------------------------- /Silhouette/Silhouette.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {A4148283-ECBB-4B7F-A0ED-936529157761} 23 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d} 24 | v4.5 25 | 12.0 26 | Debug 27 | Win32 28 | Silhouette 29 | 30 | 31 | 32 | Windows10 33 | true 34 | WindowsKernelModeDriver10.0 35 | Driver 36 | WDM 37 | 38 | 39 | Windows10 40 | false 41 | WindowsKernelModeDriver10.0 42 | Driver 43 | WDM 44 | 45 | 46 | Windows10 47 | true 48 | WindowsKernelModeDriver10.0 49 | Driver 50 | WDM 51 | 52 | 53 | Windows10 54 | false 55 | WindowsKernelModeDriver10.0 56 | Driver 57 | WDM 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | DbgengKernelDebugger 69 | 70 | 71 | DbgengKernelDebugger 72 | 73 | 74 | DbgengKernelDebugger 75 | 76 | 77 | DbgengKernelDebugger 78 | 79 | 80 | 81 | sha256 82 | 83 | 84 | $(SolutionDir)/phnt/include;$(IntDir);%(AdditionalIncludeDirectories) 85 | 86 | 87 | 88 | 89 | sha256 90 | 91 | 92 | 
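$(SolutionDir)/phnt/include;$(IntDir);%(AdditionalIncludeDirectories) 93 | 94 | 95 | 96 | 97 | sha256 98 | 99 | 100 | fltMgr.lib;%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib 101 | 102 | 103 | $(SolutionDir)/phnt/include;$(IntDir);%(AdditionalIncludeDirectories) 104 | 105 | 106 | 107 | 108 | sha256 109 | 110 | 111 | fltMgr.lib;%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib 112 | 113 | 114 | $(SolutionDir)/phnt/include;$(IntDir);%(AdditionalIncludeDirectories) 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | -------------------------------------------------------------------------------- /Silhouette/Utils.cpp: --------------------------------------------------------------------------------
#include "Silhouette.h"
#include "Filter.h"

//
// Upper bound on valueSize accepted by GetRegistryValue. The scratch-buffer
// size is sizeof(KEY_VALUE_PARTIAL_INFORMATION) + valueSize computed in a
// ULONG; anything above this would wrap and yield an undersized allocation.
//
#define MAX_REGISTRY_VALUE_SIZE ((ULONG)(MAXULONG - sizeof(KEY_VALUE_PARTIAL_INFORMATION)))

//
// Hard working-set ceiling (bytes) applied by SetQuotaLimits. A tuning choice
// made by the driver authors, not something derived here.
//
#define LSASS_HARD_WORKING_SET_LIMIT (5 * 1024 * 1024)

//
// Reads a registry value of a fixed, known type and size into a caller buffer.
//
// pKeyPath     - full object-manager key path (e.g. \Registry\Machine\...).
// pValueName   - value to read under that key.
// expectedType - REG_* type the value must have.
// pValue       - receives exactly valueSize bytes on success; untouched on failure.
// valueSize    - exact size, in bytes, the stored value must have.
//
// Returns STATUS_INVALID_PARAMETER for a bad argument or an unrepresentable
// size, the ZwOpenKey / ZwQueryValueKey failure status, STATUS_INSUFFICIENT_RESOURCES
// if the scratch buffer cannot be allocated, or STATUS_REGISTRY_IO_FAILED when
// the value exists but its type or length differ from what the caller expects.
//
// PASSIVE_LEVEL only: the scratch buffer is paged pool and the Zw* registry
// calls require it.
//
// The key and value names are expected to be driver-controlled. If a caller
// ever forwards user-supplied names, add OBJ_FORCE_ACCESS_CHECK so the open is
// access-checked against the requestor rather than the kernel.
//
_Must_inspect_result_
_IRQL_requires_(PASSIVE_LEVEL)
NTSTATUS
GetRegistryValue(
    _In_ PCUNICODE_STRING pKeyPath,
    _In_ PCUNICODE_STRING pValueName,
    _In_ ULONG expectedType,
    _Inout_ PVOID pValue,
    _In_ ULONG valueSize
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES objAttr;
    HANDLE hKey = NULL;

    ULONG returnLength = 0;
    PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo = NULL;
    ULONG keyInfoSize = 0;

    if (!pKeyPath || !pValueName || !pValue || (0 == valueSize) || (0 == expectedType))
    {
        ntStatus = STATUS_INVALID_PARAMETER;
        goto Cleanup;
    }

    // Guard the ULONG addition below against wrap-around.
    if (valueSize > MAX_REGISTRY_VALUE_SIZE)
    {
        ntStatus = STATUS_INVALID_PARAMETER;
        goto Cleanup;
    }

    // OBJ_KERNEL_HANDLE: the handle lives in the kernel handle table, so it is
    // not reachable from user mode through the calling process (Zw* calls run
    // with kernel previous mode). The cast only drops the const so callers can
    // pass PCUNICODE_STRING without casting themselves.
    InitializeObjectAttributes(&objAttr, (PUNICODE_STRING)pKeyPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    // Least privilege: ZwQueryValueKey only needs KEY_QUERY_VALUE.
    ntStatus = ZwOpenKey(&hKey, KEY_QUERY_VALUE, &objAttr);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // KEY_VALUE_PARTIAL_INFORMATION already carries one Data byte, so this is
    // a byte larger than strictly needed; harmless.
    keyInfoSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + valueSize;
    pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(PagedPool, keyInfoSize, POOL_TAG);
    if (!pKeyInfo)
    {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }

    // Pool memory is not zeroed on allocation.
    RtlZeroMemory(pKeyInfo, keyInfoSize);

    // A stored value that does not fit makes ZwQueryValueKey return a
    // buffer-size status (not NT_SUCCESS), so it never reaches the copy below.
    // Same const-dropping cast as above.
    ntStatus = ZwQueryValueKey(hKey, (PUNICODE_STRING)pValueName, KeyValuePartialInformation, pKeyInfo, keyInfoSize, &returnLength);
    if (!NT_SUCCESS(ntStatus))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_WARNING_LEVEL, "GetRegistryValue: Failed to query value with error 0x%08x\n", ntStatus));
        goto Cleanup;
    }

    // Strict match on both type and length: a 4-byte REG_BINARY must not pass
    // for a REG_DWORD, and a short value must not leave part of pValue stale.
    if ((expectedType != pKeyInfo->Type) ||
        (pKeyInfo->DataLength != valueSize))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_WARNING_LEVEL, "GetRegistryValue: Value type or size is incorrect\n"));
        ntStatus = STATUS_REGISTRY_IO_FAILED;
        goto Cleanup;
    }

    RtlCopyMemory(pValue, &pKeyInfo->Data, pKeyInfo->DataLength);

Cleanup:
    // Both helpers are reached with NULL on the early-exit paths, so they must
    // tolerate it (they are project macros defined outside this file).
    HandleDelete(hKey);
    PoolDeleteWithTag(pKeyInfo, POOL_TAG);

    return ntStatus;
}

//
// Convenience wrapper: reads a REG_DWORD value into *pValue.
// Fails, leaving *pValue untouched, if the value is missing, is not a
// REG_DWORD, or is not exactly sizeof(ULONG) bytes. See GetRegistryValue.
//
_Must_inspect_result_
_IRQL_requires_(PASSIVE_LEVEL)
NTSTATUS
GetRegistryDword(
    _In_ PCUNICODE_STRING pKeyPath,
    _In_ PCUNICODE_STRING pValueName,
    _Out_ PULONG pValue
    )
{
    return GetRegistryValue(pKeyPath, pValueName, REG_DWORD, pValue, sizeof(*pValue));
}

//
// Defers the working-set trim by signalling gWorkerThreadSignal (declared
// outside this file; presumably the driver's worker thread waits on it).
// Used when EmptyWorkingSet is invoked above PASSIVE_LEVEL, where the Zw*
// calls it needs are not allowed. Always returns STATUS_SUCCESS: this only
// queues the request, it does not report the outcome of the trim.
//
NTSTATUS EmptyWorkingSetAsync()
{
    // IO_NO_INCREMENT: no priority boost for the waiter; the trim is not urgent.
    KeSetEvent(&gWorkerThreadSignal, IO_NO_INCREMENT, FALSE);

    return STATUS_SUCCESS;
}

//
// Forces the target process (ghLsass, declared outside this file) to give up
// its working set, then — unless the trim demonstrably evicted nothing —
// flushes the system's modified list and purges the low-priority standby list
// so the evicted pages are written out instead of staying cached in RAM.
//
// bAllowAsync - when TRUE and the caller is above PASSIVE_LEVEL, the request
//               is handed to the worker thread instead of failing.
//
// Returns STATUS_INVALID_STATE_TRANSITION when called above PASSIVE_LEVEL with
// bAllowAsync FALSE; otherwise the status of the last Zw* call made (success
// when the working set was already at or below one page and nothing was done).
//
// Caveat: the purge at the end is system-wide (see PurgeModifiedAndStandbyLists),
// not limited to the target process.
//
NTSTATUS EmptyWorkingSet(BOOLEAN bAllowAsync)
{
    QUOTA_LIMITS_EX quotaLimits = { 0, };
    VM_COUNTERS_EX2 before = { 0, };
    VM_COUNTERS_EX2 after = { 0, };
    NTSTATUS ntStatus = STATUS_SUCCESS;
    ULONG returnLength = 0;
    BOOLEAN bHaveInitialSnapshot = FALSE;
    BOOLEAN bShouldPurge = TRUE;

    // ZwQueryInformationProcess / ZwSetInformationProcess / the list purge all
    // need PASSIVE_LEVEL: either defer to the worker thread or refuse.
    if (KeGetCurrentIrql() > PASSIVE_LEVEL)
    {
        if (bAllowAsync)
        {
            return EmptyWorkingSetAsync();
        }
        else
        {
            return STATUS_INVALID_STATE_TRANSITION;
        }
    }

    // Snapshot the private working set first. At one page or less there is
    // nothing worth evicting, so skip both the trim and the (expensive,
    // system-wide) purge. A failed snapshot is not fatal: the trim still runs
    // and, with no delta to measure, the purge runs unconditionally.
    ntStatus = ZwQueryInformationProcess(ghLsass, ProcessVmCounters, &before, sizeof(before), &returnLength);
    if (NT_SUCCESS(ntStatus))
    {
        if (before.PrivateWorkingSetSize <= PAGE_SIZE)
        {
            // DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Empty aborted: %zu\n", before.PrivateWorkingSetSize);
            goto Cleanup;
        }

        bHaveInitialSnapshot = TRUE;
    }

    // DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Emptying working set\n");

    // Minimum == Maximum == (SIZE_T)-1 is the "empty the working set" request,
    // matching what the user-mode EmptyWorkingSet / SetProcessWorkingSetSize(-1, -1)
    // APIs issue. Flags stays 0 so the hard maximum set by SetQuotaLimits is not
    // re-specified here; that the kernel keeps the earlier hard-max flag across
    // this call is assumed, not verified — worth confirming.
    quotaLimits.MinimumWorkingSetSize = (SIZE_T)-1;
    quotaLimits.MaximumWorkingSetSize = (SIZE_T)-1;

    ntStatus = ZwSetInformationProcess(ghLsass, ProcessQuotaLimits, &quotaLimits, sizeof(quotaLimits));
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    if (bHaveInitialSnapshot)
    {
        // If the trim moved nothing out of the working set, skip the purge: it
        // would only drop other processes' cached pages for no benefit.
        ntStatus = ZwQueryInformationProcess(ghLsass, ProcessVmCounters, &after, sizeof(after), &returnLength);
        if (NT_SUCCESS(ntStatus) && (after.PrivateWorkingSetSize == before.PrivateWorkingSetSize))
        {
            // DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Purge ineffective\n");
            bShouldPurge = FALSE;
        }
    }

    if (bShouldPurge)
    {
        // DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Purging. Delta: %lld\n", before.PrivateWorkingSetSize - after.PrivateWorkingSetSize);
        ntStatus = PurgeModifiedAndStandbyLists();
    }

Cleanup:
    return ntStatus;
}

//
// Resolves an exported kernel routine by name via MmGetSystemRoutineAddress.
// Returns NULL when the name is not exported by the kernel or HAL; callers
// must check the result before using it.
//
PVOID GetSystemProcAddress( PCWCHAR pFunctionName)
{
    UNICODE_STRING routineName;

    // RtlInitUnicodeString does not copy: routineName points at the caller's
    // buffer, which stays valid for the duration of this call.
    RtlInitUnicodeString(&routineName, pFunctionName);

    return MmGetSystemRoutineAddress(&routineName);
}

//
// Puts a hard ceiling of LSASS_HARD_WORKING_SET_LIMIT bytes on the working set
// of hProcess (LSASS, per the original comment): beyond it the memory manager
// pages the process out instead of letting it grow. Only the maximum is made
// hard (QUOTA_LIMITS_HARDWS_MAX_ENABLE); no minimum is set.
//
// Caveat for deployment: a hard ceiling on LSASS trades availability for the
// protection this driver provides — under heavy authentication load the
// process can be expected to page heavily. Tune the limit accordingly.
//
// Returns STATUS_INVALID_STATE_TRANSITION above PASSIVE_LEVEL, otherwise the
// ZwSetInformationProcess status.
//
NTSTATUS SetQuotaLimits(HANDLE hProcess)
{
    QUOTA_LIMITS_EX quotaLimits = { 0, };

    if (KeGetCurrentIrql() > PASSIVE_LEVEL)
    {
        return STATUS_INVALID_STATE_TRANSITION;
    }

    // Cap LSASS working set
    quotaLimits.WorkingSetLimit = LSASS_HARD_WORKING_SET_LIMIT;
    quotaLimits.Flags = QUOTA_LIMITS_HARDWS_MAX_ENABLE;

    return ZwSetInformationProcess(hProcess, ProcessQuotaLimits, &quotaLimits, sizeof(quotaLimits));
}

//
// Two-step, system-wide page-list purge through SystemMemoryListInformation:
//   1. MemoryFlushModifiedList          - write out the modified (dirty) list and
//                                         move its pages to the priority-0 standby list;
//   2. MemoryPurgeLowPriorityStandbyList - drop the priority-0 standby pages so they
//                                         are no longer cached in RAM.
//
// This affects every process on the machine, not just the target: other
// processes' low-priority cached pages are discarded and fault back in from
// disk. Expect a transient I/O and latency cost each time it runs, which is
// why EmptyWorkingSet skips it when the trim evicted nothing.
//
// Returns the status of the first failing ZwSetSystemInformation call, else
// STATUS_SUCCESS. Callers are expected to be at PASSIVE_LEVEL (EmptyWorkingSet
// checks before calling).
//
NTSTATUS PurgeModifiedAndStandbyLists()
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    ULONG command = 0;

    // Flush pages from modified list to the priority 0 standby list
    command = MemoryFlushModifiedList;
    ntStatus = ZwSetSystemInformation(SystemMemoryListInformation, &command, sizeof(command));
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Flush the priority 0 standby list
    command = MemoryPurgeLowPriorityStandbyList;
    ntStatus = ZwSetSystemInformation(SystemMemoryListInformation, &command, sizeof(command));
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Purged standby list\n");

Cleanup:
    return ntStatus;
}
-------------------------------------------------------------------------------- /phnt/include/ntdbg.h: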
-------------------------------------------------------------------------------- 1 | /* 2 | * Debugger support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTDBG_H 8 | #define _NTDBG_H 9 | 10 | // Debugging 11 | 12 | NTSYSAPI 13 | VOID 14 | NTAPI 15 | DbgUserBreakPoint( 16 | VOID 17 | ); 18 | 19 | NTSYSAPI 20 | VOID 21 | NTAPI 22 | DbgBreakPoint( 23 | VOID 24 | ); 25 | 26 | NTSYSAPI 27 | VOID 28 | NTAPI 29 | DbgBreakPointWithStatus( 30 | _In_ ULONG Status 31 | ); 32 | 33 | #define DBG_STATUS_CONTROL_C 1 34 | #define DBG_STATUS_SYSRQ 2 35 | #define DBG_STATUS_BUGCHECK_FIRST 3 36 | #define DBG_STATUS_BUGCHECK_SECOND 4 37 | #define DBG_STATUS_FATAL 5 38 | #define DBG_STATUS_DEBUG_CONTROL 6 39 | #define DBG_STATUS_WORKER 7 40 | 41 | NTSYSAPI 42 | ULONG 43 | STDAPIVCALLTYPE 44 | DbgPrint( 45 | _In_z_ _Printf_format_string_ PCSTR Format, 46 | ... 47 | ); 48 | 49 | NTSYSAPI 50 | ULONG 51 | STDAPIVCALLTYPE 52 | DbgPrintEx( 53 | _In_ ULONG ComponentId, 54 | _In_ ULONG Level, 55 | _In_z_ _Printf_format_string_ PCSTR Format, 56 | ... 
57 | ); 58 | 59 | NTSYSAPI 60 | ULONG 61 | NTAPI 62 | vDbgPrintEx( 63 | _In_ ULONG ComponentId, 64 | _In_ ULONG Level, 65 | _In_z_ PCCH Format, 66 | _In_ va_list arglist 67 | ); 68 | 69 | NTSYSAPI 70 | ULONG 71 | NTAPI 72 | vDbgPrintExWithPrefix( 73 | _In_z_ PCCH Prefix, 74 | _In_ ULONG ComponentId, 75 | _In_ ULONG Level, 76 | _In_z_ PCCH Format, 77 | _In_ va_list arglist 78 | ); 79 | 80 | NTSYSAPI 81 | NTSTATUS 82 | NTAPI 83 | DbgQueryDebugFilterState( 84 | _In_ ULONG ComponentId, 85 | _In_ ULONG Level 86 | ); 87 | 88 | NTSYSAPI 89 | NTSTATUS 90 | NTAPI 91 | DbgSetDebugFilterState( 92 | _In_ ULONG ComponentId, 93 | _In_ ULONG Level, 94 | _In_ BOOLEAN State 95 | ); 96 | 97 | NTSYSAPI 98 | ULONG 99 | NTAPI 100 | DbgPrompt( 101 | _In_ PCCH Prompt, 102 | _Out_writes_bytes_(Length) PCH Response, 103 | _In_ ULONG Length 104 | ); 105 | 106 | // Definitions 107 | 108 | typedef struct _DBGKM_EXCEPTION 109 | { 110 | EXCEPTION_RECORD ExceptionRecord; 111 | ULONG FirstChance; 112 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 113 | 114 | typedef struct _DBGKM_CREATE_THREAD 115 | { 116 | ULONG SubSystemKey; 117 | PVOID StartAddress; 118 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 119 | 120 | typedef struct _DBGKM_CREATE_PROCESS 121 | { 122 | ULONG SubSystemKey; 123 | HANDLE FileHandle; 124 | PVOID BaseOfImage; 125 | ULONG DebugInfoFileOffset; 126 | ULONG DebugInfoSize; 127 | DBGKM_CREATE_THREAD InitialThread; 128 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 129 | 130 | typedef struct _DBGKM_EXIT_THREAD 131 | { 132 | NTSTATUS ExitStatus; 133 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 134 | 135 | typedef struct _DBGKM_EXIT_PROCESS 136 | { 137 | NTSTATUS ExitStatus; 138 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 139 | 140 | typedef struct _DBGKM_LOAD_DLL 141 | { 142 | HANDLE FileHandle; 143 | PVOID BaseOfDll; 144 | ULONG DebugInfoFileOffset; 145 | ULONG DebugInfoSize; 146 | PVOID NamePointer; 147 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 148 | 149 | typedef struct 
_DBGKM_UNLOAD_DLL 150 | { 151 | PVOID BaseAddress; 152 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 153 | 154 | typedef enum _DBG_STATE 155 | { 156 | DbgIdle, 157 | DbgReplyPending, 158 | DbgCreateThreadStateChange, 159 | DbgCreateProcessStateChange, 160 | DbgExitThreadStateChange, 161 | DbgExitProcessStateChange, 162 | DbgExceptionStateChange, 163 | DbgBreakpointStateChange, 164 | DbgSingleStepStateChange, 165 | DbgLoadDllStateChange, 166 | DbgUnloadDllStateChange 167 | } DBG_STATE, *PDBG_STATE; 168 | 169 | typedef struct _DBGUI_CREATE_THREAD 170 | { 171 | HANDLE HandleToThread; 172 | DBGKM_CREATE_THREAD NewThread; 173 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 174 | 175 | typedef struct _DBGUI_CREATE_PROCESS 176 | { 177 | HANDLE HandleToProcess; 178 | HANDLE HandleToThread; 179 | DBGKM_CREATE_PROCESS NewProcess; 180 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 181 | 182 | typedef struct _DBGUI_WAIT_STATE_CHANGE 183 | { 184 | DBG_STATE NewState; 185 | CLIENT_ID AppClientId; 186 | union 187 | { 188 | DBGKM_EXCEPTION Exception; 189 | DBGUI_CREATE_THREAD CreateThread; 190 | DBGUI_CREATE_PROCESS CreateProcessInfo; 191 | DBGKM_EXIT_THREAD ExitThread; 192 | DBGKM_EXIT_PROCESS ExitProcess; 193 | DBGKM_LOAD_DLL LoadDll; 194 | DBGKM_UNLOAD_DLL UnloadDll; 195 | } StateInfo; 196 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 197 | 198 | #define DEBUG_READ_EVENT 0x0001 199 | #define DEBUG_PROCESS_ASSIGN 0x0002 200 | #define DEBUG_SET_INFORMATION 0x0004 201 | #define DEBUG_QUERY_INFORMATION 0x0008 202 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 203 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 204 | DEBUG_QUERY_INFORMATION) 205 | 206 | #define DEBUG_KILL_ON_CLOSE 0x1 207 | 208 | typedef enum _DEBUGOBJECTINFOCLASS 209 | { 210 | DebugObjectUnusedInformation, 211 | DebugObjectKillProcessOnExitInformation, // s: ULONG 212 | MaxDebugObjectInfoClass 213 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 214 | 215 | // 
System calls 216 | 217 | NTSYSCALLAPI 218 | NTSTATUS 219 | NTAPI 220 | NtCreateDebugObject( 221 | _Out_ PHANDLE DebugObjectHandle, 222 | _In_ ACCESS_MASK DesiredAccess, 223 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 224 | _In_ ULONG Flags 225 | ); 226 | 227 | NTSYSCALLAPI 228 | NTSTATUS 229 | NTAPI 230 | NtDebugActiveProcess( 231 | _In_ HANDLE ProcessHandle, 232 | _In_ HANDLE DebugObjectHandle 233 | ); 234 | 235 | NTSYSCALLAPI 236 | NTSTATUS 237 | NTAPI 238 | NtDebugContinue( 239 | _In_ HANDLE DebugObjectHandle, 240 | _In_ PCLIENT_ID ClientId, 241 | _In_ NTSTATUS ContinueStatus 242 | ); 243 | 244 | NTSYSCALLAPI 245 | NTSTATUS 246 | NTAPI 247 | NtRemoveProcessDebug( 248 | _In_ HANDLE ProcessHandle, 249 | _In_ HANDLE DebugObjectHandle 250 | ); 251 | 252 | NTSYSCALLAPI 253 | NTSTATUS 254 | NTAPI 255 | NtSetInformationDebugObject( 256 | _In_ HANDLE DebugObjectHandle, 257 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 258 | _In_ PVOID DebugInformation, 259 | _In_ ULONG DebugInformationLength, 260 | _Out_opt_ PULONG ReturnLength 261 | ); 262 | 263 | NTSYSCALLAPI 264 | NTSTATUS 265 | NTAPI 266 | NtWaitForDebugEvent( 267 | _In_ HANDLE DebugObjectHandle, 268 | _In_ BOOLEAN Alertable, 269 | _In_opt_ PLARGE_INTEGER Timeout, 270 | _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange 271 | ); 272 | 273 | // Debugging UI 274 | 275 | NTSYSAPI 276 | NTSTATUS 277 | NTAPI 278 | DbgUiConnectToDbg( 279 | VOID 280 | ); 281 | 282 | NTSYSAPI 283 | HANDLE 284 | NTAPI 285 | DbgUiGetThreadDebugObject( 286 | VOID 287 | ); 288 | 289 | NTSYSAPI 290 | VOID 291 | NTAPI 292 | DbgUiSetThreadDebugObject( 293 | _In_ HANDLE DebugObject 294 | ); 295 | 296 | NTSYSAPI 297 | NTSTATUS 298 | NTAPI 299 | DbgUiWaitStateChange( 300 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 301 | _In_opt_ PLARGE_INTEGER Timeout 302 | ); 303 | 304 | NTSYSAPI 305 | NTSTATUS 306 | NTAPI 307 | DbgUiContinue( 308 | _In_ PCLIENT_ID AppClientId, 309 | _In_ NTSTATUS ContinueStatus 310 | ); 311 | 312 | NTSYSAPI 313 | 
NTSTATUS 314 | NTAPI 315 | DbgUiStopDebugging( 316 | _In_ HANDLE Process 317 | ); 318 | 319 | NTSYSAPI 320 | NTSTATUS 321 | NTAPI 322 | DbgUiDebugActiveProcess( 323 | _In_ HANDLE Process 324 | ); 325 | 326 | NTSYSAPI 327 | VOID 328 | NTAPI 329 | DbgUiRemoteBreakin( 330 | _In_ PVOID Context 331 | ); 332 | 333 | NTSYSAPI 334 | NTSTATUS 335 | NTAPI 336 | DbgUiIssueRemoteBreakin( 337 | _In_ HANDLE Process 338 | ); 339 | 340 | NTSYSAPI 341 | NTSTATUS 342 | NTAPI 343 | DbgUiConvertStateChangeStructure( 344 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 345 | _Out_ LPDEBUG_EVENT DebugEvent 346 | ); 347 | 348 | NTSYSAPI 349 | NTSTATUS 350 | NTAPI 351 | DbgUiConvertStateChangeStructureEx( 352 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 353 | _Out_ LPDEBUG_EVENT DebugEvent 354 | ); 355 | 356 | struct _EVENT_FILTER_DESCRIPTOR; 357 | 358 | typedef VOID (NTAPI *PENABLECALLBACK)( 359 | _In_ LPCGUID SourceId, 360 | _In_ ULONG IsEnabled, 361 | _In_ UCHAR Level, 362 | _In_ ULONGLONG MatchAnyKeyword, 363 | _In_ ULONGLONG MatchAllKeyword, 364 | _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData, 365 | _Inout_opt_ PVOID CallbackContext 366 | ); 367 | 368 | typedef ULONGLONG REGHANDLE, *PREGHANDLE; 369 | 370 | NTSYSAPI 371 | NTSTATUS 372 | NTAPI 373 | EtwEventRegister( 374 | _In_ LPCGUID ProviderId, 375 | _In_opt_ PENABLECALLBACK EnableCallback, 376 | _In_opt_ PVOID CallbackContext, 377 | _Out_ PREGHANDLE RegHandle 378 | ); 379 | 380 | #endif 381 | -------------------------------------------------------------------------------- /phnt/include/ntpfapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Prefetcher (Superfetch) support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTPFAPI_H 8 | #define _NTPFAPI_H 9 | 10 | // begin_private 11 | 12 | // Prefetch 13 | 14 | typedef enum _PF_BOOT_PHASE_ID 15 | { 16 | PfKernelInitPhase = 0, 17 | PfBootDriverInitPhase = 90, 18 | PfSystemDriverInitPhase = 120, 19 | PfSessionManagerInitPhase = 150, 20 | PfSMRegistryInitPhase = 180, 21 | PfVideoInitPhase = 210, 22 | PfPostVideoInitPhase = 240, 23 | PfBootAcceptedRegistryInitPhase = 270, 24 | PfUserShellReadyPhase = 300, 25 | PfMaxBootPhaseId = 900 26 | } PF_BOOT_PHASE_ID; 27 | 28 | typedef enum _PF_ENABLE_STATUS 29 | { 30 | PfSvNotSpecified, 31 | PfSvEnabled, 32 | PfSvDisabled, 33 | PfSvMaxEnableStatus 34 | } PF_ENABLE_STATUS; 35 | 36 | typedef struct _PF_TRACE_LIMITS 37 | { 38 | ULONG MaxNumPages; 39 | ULONG MaxNumSections; 40 | LONGLONG TimerPeriod; 41 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; 42 | 43 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS 44 | { 45 | PF_ENABLE_STATUS EnableStatus[2]; 46 | PF_TRACE_LIMITS TraceLimits[2]; 47 | ULONG MaxNumActiveTraces; 48 | ULONG MaxNumSavedTraces; 49 | WCHAR RootDirPath[32]; 50 | WCHAR HostingApplicationList[128]; 51 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; 52 | 53 | #define PF_BOOT_CONTROL_VERSION 1 54 | 55 | typedef struct _PF_BOOT_CONTROL 56 | { 57 | ULONG Version; 58 | ULONG DisableBootPrefetching; 59 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; 60 | 61 | typedef enum _PREFETCHER_INFORMATION_CLASS 62 | { 63 | PrefetcherRetrieveTrace = 1, // q: CHAR[] 64 | PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS 65 | PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID 66 | PrefetcherSpare1, // PrefetcherRetrieveBootLoaderTrace // q: CHAR[] 67 | PrefetcherBootControl, // s: PF_BOOT_CONTROL 68 | PrefetcherScenarioPolicyControl, 69 | PrefetcherSpare2, 70 | PrefetcherAppLaunchScenarioControl, 71 | PrefetcherInformationMax 72 | } PREFETCHER_INFORMATION_CLASS; 73 | 74 | #define PREFETCHER_INFORMATION_VERSION 23 // rev 75 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') 
// rev 76 | 77 | typedef struct _PREFETCHER_INFORMATION 78 | { 79 | _In_ ULONG Version; 80 | _In_ ULONG Magic; 81 | _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; 82 | _Inout_ PVOID PrefetcherInformation; 83 | _Inout_ ULONG PrefetcherInformationLength; 84 | } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; 85 | 86 | // Superfetch 87 | 88 | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS 89 | { 90 | ULONG EnabledComponents; 91 | ULONG BootID; 92 | ULONG SavedSectInfoTracesMax; 93 | ULONG SavedPageAccessTracesMax; 94 | ULONG ScenarioPrefetchTimeoutStandby; 95 | ULONG ScenarioPrefetchTimeoutHibernate; 96 | ULONG ScenarioPrefetchTimeoutHiberBoot; 97 | } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; 98 | 99 | #define PF_PFN_PRIO_REQUEST_VERSION 1 100 | #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 101 | #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 102 | 103 | typedef struct _PF_PFN_PRIO_REQUEST 104 | { 105 | ULONG Version; 106 | ULONG RequestFlags; 107 | ULONG_PTR PfnCount; 108 | SYSTEM_MEMORY_LIST_INFORMATION MemInfo; 109 | MMPFN_IDENTITY PageData[256]; 110 | } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST; 111 | 112 | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE 113 | { 114 | PfsPrivateSourceKernel, 115 | PfsPrivateSourceSession, 116 | PfsPrivateSourceProcess, 117 | PfsPrivateSourceMax 118 | } PFS_PRIVATE_PAGE_SOURCE_TYPE; 119 | 120 | typedef struct _PFS_PRIVATE_PAGE_SOURCE 121 | { 122 | PFS_PRIVATE_PAGE_SOURCE_TYPE Type; 123 | union 124 | { 125 | ULONG SessionId; 126 | ULONG ProcessId; 127 | }; 128 | ULONG ImagePathHash; 129 | ULONG_PTR UniqueProcessHash; 130 | } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; 131 | 132 | typedef struct _PF_PRIVSOURCE_INFO 133 | { 134 | PFS_PRIVATE_PAGE_SOURCE DbInfo; 135 | PVOID EProcess; 136 | SIZE_T WsPrivatePages; 137 | SIZE_T TotalPrivatePages; 138 | ULONG SessionID; 139 | CHAR ImageName[16]; 140 | union { 141 | ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. 
142 | ULONG_PTR SessionPagedPoolPages; // session only. 143 | ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. 144 | }; 145 | ULONG_PTR WsTotalPages; // process/session only. 146 | ULONG DeepFreezeTimeMs; // process only. 147 | ULONG ModernApp : 1; // process only. 148 | ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred 149 | ULONG Foreground : 1; // process only. 150 | ULONG PerProcessStore : 1; // process only. 151 | ULONG Spare : 28; 152 | } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; 153 | 154 | #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 155 | 156 | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST 157 | { 158 | ULONG Version; 159 | ULONG Flags; 160 | ULONG InfoCount; 161 | PF_PRIVSOURCE_INFO InfoArray[1]; 162 | } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; 163 | 164 | typedef enum _PF_PHASED_SCENARIO_TYPE 165 | { 166 | PfScenarioTypeNone, 167 | PfScenarioTypeStandby, 168 | PfScenarioTypeHibernate, 169 | PfScenarioTypeFUS, 170 | PfScenarioTypeMax 171 | } PF_PHASED_SCENARIO_TYPE; 172 | 173 | #define PF_SCENARIO_PHASE_INFO_VERSION 4 174 | 175 | typedef struct _PF_SCENARIO_PHASE_INFO 176 | { 177 | ULONG Version; 178 | PF_PHASED_SCENARIO_TYPE ScenType; 179 | ULONG PhaseId; 180 | ULONG SequenceNumber; 181 | ULONG Flags; 182 | ULONG FUSUserId; 183 | } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; 184 | 185 | typedef struct _PF_MEMORY_LIST_NODE 186 | { 187 | ULONGLONG Node : 8; 188 | ULONGLONG Spare : 56; 189 | ULONGLONG StandbyLowPageCount; 190 | ULONGLONG StandbyMediumPageCount; 191 | ULONGLONG StandbyHighPageCount; 192 | ULONGLONG FreePageCount; 193 | ULONGLONG ModifiedPageCount; 194 | } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; 195 | 196 | #define PF_MEMORY_LIST_INFO_VERSION 1 197 | 198 | typedef struct _PF_MEMORY_LIST_INFO 199 | { 200 | ULONG Version; 201 | ULONG Size; 202 | ULONG NodeCount; 203 | PF_MEMORY_LIST_NODE Nodes[1]; 204 | } PF_MEMORY_LIST_INFO, 
*PPF_MEMORY_LIST_INFO; 205 | 206 | typedef struct _PF_PHYSICAL_MEMORY_RANGE 207 | { 208 | ULONG_PTR BasePfn; 209 | ULONG_PTR PageCount; 210 | } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; 211 | 212 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1 213 | 214 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1 215 | { 216 | ULONG Version; 217 | ULONG RangeCount; 218 | PF_PHYSICAL_MEMORY_RANGE Ranges[1]; 219 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1; 220 | 221 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2 222 | 223 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2 224 | { 225 | ULONG Version; 226 | ULONG Flags; 227 | ULONG RangeCount; 228 | PF_PHYSICAL_MEMORY_RANGE Ranges[ANYSIZE_ARRAY]; 229 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2; 230 | 231 | // begin_rev 232 | 233 | #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 234 | 235 | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO 236 | { 237 | ULONG Version; 238 | ULONG RepurposedByPrefetch; 239 | } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; 240 | 241 | // end_rev 242 | 243 | typedef enum _SUPERFETCH_INFORMATION_CLASS 244 | { 245 | SuperfetchRetrieveTrace = 1, // q: CHAR[] 246 | SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS 247 | SuperfetchLogEvent, 248 | SuperfetchGenerateTrace, 249 | SuperfetchPrefetch, 250 | SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST 251 | SuperfetchPfnSetPriority, 252 | SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST 253 | SuperfetchSequenceNumberQuery, // q: ULONG 254 | SuperfetchScenarioPhase, // 10 255 | SuperfetchWorkerPriority, 256 | SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO 257 | SuperfetchScenarioPrefetch, 258 | SuperfetchRobustnessControl, 259 | SuperfetchTimeControl, 260 | SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO 261 | SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO 262 | SuperfetchTracingControl, 263 | 
SuperfetchTrimWhileAgingControl, 264 | SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev 265 | SuperfetchChannelPowerRequest, 266 | SuperfetchMovePages, 267 | SuperfetchVirtualQuery, 268 | SuperfetchCombineStatsQuery, 269 | SuperfetchSetMinWsAgeRate, 270 | SuperfetchDeprioritizeOldPagesInWs, 271 | SuperfetchFileExtentsQuery, 272 | SuperfetchGpuUtilizationQuery, // PF_GPU_UTILIZATION_INFO 273 | SuperfetchInformationMax 274 | } SUPERFETCH_INFORMATION_CLASS; 275 | 276 | #define SUPERFETCH_INFORMATION_VERSION 45 // rev 277 | #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev 278 | 279 | typedef struct _SUPERFETCH_INFORMATION 280 | { 281 | _In_ ULONG Version; 282 | _In_ ULONG Magic; 283 | _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass; 284 | _Inout_ PVOID SuperfetchInformation; 285 | _Inout_ ULONG SuperfetchInformationLength; 286 | } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; 287 | 288 | // end_private 289 | 290 | #endif 291 | -------------------------------------------------------------------------------- /phnt/include/phnt_ntdef.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Native definition support 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _PHNT_NTDEF_H 8 | #define _PHNT_NTDEF_H 9 | 10 | #ifndef _NTDEF_ 11 | #define _NTDEF_ 12 | 13 | // This header file provides basic NT types not included in Win32. If you have included winnt.h 14 | // (perhaps indirectly), you must use this file instead of ntdef.h. 15 | 16 | #ifndef NOTHING 17 | #define NOTHING 18 | #endif 19 | 20 | // Basic types 21 | 22 | typedef struct _QUAD 23 | { 24 | union 25 | { 26 | __int64 UseThisFieldToCopy; 27 | double DoNotUseThisField; 28 | }; 29 | } QUAD, *PQUAD; 30 | 31 | // This isn't in NT, but it's useful. 
32 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 33 | { 34 | ULONG_PTR DoNotUseThisField1; 35 | ULONG_PTR DoNotUseThisField2; 36 | } QUAD_PTR, *PQUAD_PTR; 37 | 38 | typedef ULONG LOGICAL; 39 | typedef ULONG *PLOGICAL; 40 | 41 | typedef _Return_type_success_(return >= 0) LONG NTSTATUS; 42 | typedef NTSTATUS *PNTSTATUS; 43 | 44 | // Cardinal types 45 | 46 | typedef char CCHAR; 47 | typedef short CSHORT; 48 | typedef ULONG CLONG; 49 | 50 | typedef CCHAR *PCCHAR; 51 | typedef CSHORT *PCSHORT; 52 | typedef CLONG *PCLONG; 53 | 54 | typedef PCSTR PCSZ; 55 | 56 | // Specific 57 | 58 | typedef UCHAR KIRQL, *PKIRQL; 59 | typedef LONG KPRIORITY, *PKPRIORITY; 60 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 61 | 62 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 63 | 64 | typedef struct _LARGE_INTEGER_128 65 | { 66 | LONGLONG QuadPart[2]; 67 | } LARGE_INTEGER_128, *PLARGE_INTEGER_128; 68 | 69 | // NT status macros 70 | 71 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 72 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 73 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 74 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 75 | 76 | #define NT_FACILITY_MASK 0xfff 77 | #define NT_FACILITY_SHIFT 16 78 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 79 | 80 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 81 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 82 | 83 | // Functions 84 | 85 | #ifndef _WIN64 86 | #define FASTCALL __fastcall 87 | #else 88 | #define FASTCALL 89 | #endif 90 | 91 | // Synchronization enumerations 92 | 93 | typedef enum _EVENT_TYPE 94 | { 95 | NotificationEvent, 96 | SynchronizationEvent 97 | } EVENT_TYPE; 98 | 99 | typedef enum _TIMER_TYPE 100 | { 101 | NotificationTimer, 102 | SynchronizationTimer 103 | } TIMER_TYPE; 104 | 105 | typedef enum _WAIT_TYPE 106 | { 107 | WaitAll, 108 | WaitAny, 
109 | WaitNotification 110 | } WAIT_TYPE; 111 | 112 | // Strings 113 | 114 | typedef struct _STRING 115 | { 116 | USHORT Length; 117 | USHORT MaximumLength; 118 | _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer; 119 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 120 | 121 | typedef STRING UTF8_STRING; 122 | typedef PSTRING PUTF8_STRING; 123 | 124 | typedef const STRING *PCSTRING; 125 | typedef const ANSI_STRING *PCANSI_STRING; 126 | typedef const OEM_STRING *PCOEM_STRING; 127 | 128 | typedef struct _UNICODE_STRING 129 | { 130 | USHORT Length; 131 | USHORT MaximumLength; 132 | _Field_size_bytes_part_opt_(MaximumLength, Length) PWCH Buffer; 133 | } UNICODE_STRING, *PUNICODE_STRING; 134 | 135 | typedef const UNICODE_STRING *PCUNICODE_STRING; 136 | 137 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s } 138 | 139 | // Balanced tree node 140 | 141 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 142 | 143 | typedef struct _RTL_BALANCED_NODE 144 | { 145 | union 146 | { 147 | struct _RTL_BALANCED_NODE *Children[2]; 148 | struct 149 | { 150 | struct _RTL_BALANCED_NODE *Left; 151 | struct _RTL_BALANCED_NODE *Right; 152 | }; 153 | }; 154 | union 155 | { 156 | UCHAR Red : 1; 157 | UCHAR Balance : 2; 158 | ULONG_PTR ParentValue; 159 | }; 160 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 161 | 162 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \ 163 | ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 164 | 165 | // Portability 166 | 167 | typedef struct _SINGLE_LIST_ENTRY32 168 | { 169 | ULONG Next; 170 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 171 | 172 | typedef struct _STRING32 173 | { 174 | USHORT Length; 175 | USHORT MaximumLength; 176 | ULONG Buffer; 177 | } STRING32, *PSTRING32; 178 | 179 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; 180 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 181 | 182 | typedef struct _STRING64 183 | { 184 | 
USHORT Length; 185 | USHORT MaximumLength; 186 | ULONGLONG Buffer; 187 | } STRING64, *PSTRING64; 188 | 189 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; 190 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64; 191 | 192 | // Object attributes 193 | 194 | #define OBJ_PROTECT_CLOSE 0x00000001L 195 | #define OBJ_INHERIT 0x00000002L 196 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004L 197 | #define OBJ_PERMANENT 0x00000010L 198 | #define OBJ_EXCLUSIVE 0x00000020L 199 | #define OBJ_CASE_INSENSITIVE 0x00000040L 200 | #define OBJ_OPENIF 0x00000080L 201 | #define OBJ_OPENLINK 0x00000100L 202 | #define OBJ_KERNEL_HANDLE 0x00000200L 203 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400L 204 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800L 205 | #define OBJ_DONT_REPARSE 0x00001000L 206 | #define OBJ_VALID_ATTRIBUTES 0x00001FF2L 207 | 208 | typedef struct _OBJECT_ATTRIBUTES 209 | { 210 | ULONG Length; 211 | HANDLE RootDirectory; 212 | PUNICODE_STRING ObjectName; 213 | ULONG Attributes; 214 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; 215 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE 216 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 217 | 218 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; 219 | 220 | #define InitializeObjectAttributes(p, n, a, r, s) { \ 221 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 222 | (p)->RootDirectory = r; \ 223 | (p)->Attributes = a; \ 224 | (p)->ObjectName = n; \ 225 | (p)->SecurityDescriptor = s; \ 226 | (p)->SecurityQualityOfService = NULL; \ 227 | } 228 | 229 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } 230 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 231 | 232 | #define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') 233 | #define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/') 234 | 235 | // Portability 236 | 237 | typedef struct _OBJECT_ATTRIBUTES64 238 | { 239 | ULONG Length; 240 | ULONG64 RootDirectory; 241 | ULONG64 ObjectName; 
242 | ULONG Attributes; 243 | ULONG64 SecurityDescriptor; 244 | ULONG64 SecurityQualityOfService; 245 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; 246 | 247 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; 248 | 249 | typedef struct _OBJECT_ATTRIBUTES32 250 | { 251 | ULONG Length; 252 | ULONG RootDirectory; 253 | ULONG ObjectName; 254 | ULONG Attributes; 255 | ULONG SecurityDescriptor; 256 | ULONG SecurityQualityOfService; 257 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 258 | 259 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 260 | 261 | // Product types 262 | 263 | typedef enum _NT_PRODUCT_TYPE 264 | { 265 | NtProductWinNt = 1, 266 | NtProductLanManNt, 267 | NtProductServer 268 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 269 | 270 | typedef enum _SUITE_TYPE 271 | { 272 | SmallBusiness, 273 | Enterprise, 274 | BackOffice, 275 | CommunicationServer, 276 | TerminalServer, 277 | SmallBusinessRestricted, 278 | EmbeddedNT, 279 | DataCenter, 280 | SingleUserTS, 281 | Personal, 282 | Blade, 283 | EmbeddedRestricted, 284 | SecurityAppliance, 285 | StorageServer, 286 | ComputeServer, 287 | WHServer, 288 | PhoneNT, 289 | MaxSuiteType 290 | } SUITE_TYPE; 291 | 292 | // Specific 293 | 294 | typedef struct _CLIENT_ID 295 | { 296 | HANDLE UniqueProcess; 297 | HANDLE UniqueThread; 298 | } CLIENT_ID, *PCLIENT_ID; 299 | 300 | typedef struct _CLIENT_ID32 301 | { 302 | ULONG UniqueProcess; 303 | ULONG UniqueThread; 304 | } CLIENT_ID32, *PCLIENT_ID32; 305 | 306 | typedef struct _CLIENT_ID64 307 | { 308 | ULONGLONG UniqueProcess; 309 | ULONGLONG UniqueThread; 310 | } CLIENT_ID64, *PCLIENT_ID64; 311 | 312 | #include 313 | 314 | typedef struct _KSYSTEM_TIME 315 | { 316 | ULONG LowPart; 317 | LONG High1Time; 318 | LONG High2Time; 319 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 320 | 321 | #include 322 | 323 | #ifndef AFFINITY_MASK 324 | #define AFFINITY_MASK(n) ((KAFFINITY)1 << (n)) 325 | #endif 326 | 327 | #ifndef FlagOn 328 | #define FlagOn(_F, _SF) ((_F) & (_SF)) 329 | 
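#endif
#ifndef BooleanFlagOn
#define BooleanFlagOn(F, SF) ((BOOLEAN)(((F) & (SF)) != 0))
#endif
#ifndef SetFlag
#define SetFlag(_F, _SF) ((_F) |= (_SF))
#endif
#ifndef ClearFlag
#define ClearFlag(_F, _SF) ((_F) &= ~(_SF))
#endif

#ifndef STATIC_ASSERT
#define STATIC_ASSERT(expression) \
    static_assert(expression, #expression)
#endif

#endif

#endif
--------------------------------------------------------------------------------
/Silhouette/Filter_Main.cpp:
--------------------------------------------------------------------------------

#include "Silhouette.h"

// The single filter object this driver registers. Set by RegisterFilter(),
// cleared by UnregisterFilter()/FilterUnload(); NULL means "not registered".
PFLT_FILTER gpFilter = NULL;

// File IDs of the files this driver watches. Slot 0 is filled by FindPagefile()
// with the ID of pagefile.sys; the create/read callbacks (defined elsewhere in
// this project) presumably consult it.
FILE_ID_INFORMATION gProtectedFiles[1] = { 0, };

// Only create and read are intercepted; the callbacks themselves live in
// Filter_Create.cpp / Filter_Read.cpp.
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE,
      0,
      PreCreateCallback,
      PostCreateCallback },

    { IRP_MJ_READ,
      0,
      PreReadCallback,
      PostReadCallback },

    { IRP_MJ_OPERATION_END }
};

// FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP: the filter refuses ordinary
// service-stop unloads, so the protection cannot simply be switched off.
CONST FLT_REGISTRATION FilterRegistration = {

    sizeof(FLT_REGISTRATION),                       // Size
    FLT_REGISTRATION_VERSION,                       // Version
    FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, // Flags
    NULL,                                           // Context
    Callbacks,                                      // Operation callbacks
    FilterUnload,                                   // FilterUnload
    InstanceSetupCallback,                          // InstanceSetup
    QueryTeardown,                                  // InstanceQueryTeardown
    NULL,                                           // InstanceTeardownStart
    NULL,                                           // InstanceTeardownComplete
    NULL,                                           // GenerateFileName
    NULL,                                           // GenerateDestinationFileName
    NULL                                            // NormalizeNameComponent
};

/*
 * Open the file at pFilePath through the filter and query its
 * FILE_ID_INFORMATION.
 *
 * pFilePath   - NT path of the file to open.
 * pFileIdInfo - receives the file ID on success.
 *
 * Returns the NTSTATUS of the open or of the query, whichever failed first.
 *
 * This does not work for pagefile.sys itself: the open fails with a sharing
 * violation even with IO_IGNORE_SHARE_ACCESS_CHECK, which is why
 * FindPagefile() locates the pagefile via the System process's handles instead.
 */
NTSTATUS GetFileIdByPath(PUNICODE_STRING pFilePath, PFILE_ID_INFORMATION pFileIdInfo)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES objAttr = { 0, };
    IO_STATUS_BLOCK iosb = { 0, };
    HANDLE hFile = NULL;

    // OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
    // table, so user mode cannot reach it while it is open.
    InitializeObjectAttributes(&objAttr, pFilePath, OBJ_KERNEL_HANDLE, 0, NULL);

    ntStatus = FltCreateFile(
        gpFilter, NULL, &hFile, 0, &objAttr, &iosb, NULL, 0,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    ntStatus = ZwQueryInformationFile(hFile, &iosb, pFileIdInfo, sizeof(*pFileIdInfo), FileIdInformation);

Cleanup:
    // hFile is still NULL when the open failed; HandleDelete is used the same
    // way on that path in the original code, so it is presumed NULL-safe.
    HandleDelete(hFile);

    return ntStatus;
}

/*
 * Locate pagefile.sys and capture its file ID into gProtectedFiles[0].
 *
 * The pagefile cannot be opened by path (see GetFileIdByPath), so this walks
 * the system handle table for a file handle owned by the System process whose
 * open mode matches the way the pagefile is opened (unbuffered, read+write,
 * write-only sharing) and whose name is \pagefile.sys.
 *
 * Returns STATUS_SUCCESS once the ID is captured, STATUS_PAGEFILE_NOT_SUPPORTED
 * when no matching handle exists, or the failing status of the handle-table
 * query, an allocation, or the size-overflow check.
 *
 * NOTE(review): System-process handle values are resolved through
 * MAKE_KERNEL_HANDLE(); that assumes the System process's handle table is the
 * kernel handle table - confirm this for every OS build the driver targets.
 */
NTSTATUS FindPagefile()
{
    const ULONG systemProcessId = HandleToULong(PsGetProcessId(PsInitialSystemProcess)); // Always 4, but you never know?
    DECLARE_CONST_UNICODE_STRING(pagefile_sys, L"\\pagefile.sys");
    const ULONG nameInfoBytes = 4096;
    // Largest FileNameLength that still fits in the name buffer.
    const ULONG maxNameBytes = (ULONG)(nameInfoBytes - sizeof(FILE_NAME_INFORMATION));

    NTSTATUS ntStatus = STATUS_SUCCESS;
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
    ULONG handleInfoMem = 0;
    ULONG returnLength = 0;
    PFILE_OBJECT pFile = NULL;
    PFILE_NAME_INFORMATION pNameInfo = NULL;

    // The handle table can grow between the size query and the real query, so
    // allocate twice the reported size and retry a bounded number of times.
    for (ULONG tries = 0; tries < 5; tries++)
    {
        ntStatus = ZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, handleInfoMem, &returnLength);
        if (STATUS_INFO_LENGTH_MISMATCH != ntStatus)
        {
            break;
        }

        // pHandleInfo is a pool allocation, not a handle, so it is released with
        // the pool helper used at Cleanup (the original passed it to HandleDelete,
        // which is presumably the handle-closing helper and would leak the buffer
        // on the rarely taken second retry).
        PoolDeleteWithTag(pHandleInfo, POOL_TAG);
        pHandleInfo = NULL;

        // Guard the doubling: returnLength is a ULONG and so is handleInfoMem.
        if (returnLength > MAXULONG / 2)
        {
            ntStatus = STATUS_INTEGER_OVERFLOW;
            goto Cleanup;
        }
        handleInfoMem = returnLength * 2;
        pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)ExAllocatePoolWithTag(PagedPool, handleInfoMem, POOL_TAG);
        if (!pHandleInfo)
        {
            ntStatus = STATUS_INSUFFICIENT_RESOURCES;
            goto Cleanup;
        }
        RtlZeroMemory(pHandleInfo, handleInfoMem);
    }
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
    {
        UNICODE_STRING nameInfoUni = { 0, };

        if (systemProcessId != pHandleInfo->Handles[i].UniqueProcessId)
        {
            continue;
        }

        // Release whatever the previous iteration left behind. The pointers are
        // reset explicitly as well, so a second release cannot double-free even
        // if the helpers do not reset them.
        ReferenceDelete(pFile);
        pFile = NULL;
        PoolDeleteWithTag(pNameInfo, POOL_TAG);
        pNameInfo = NULL;

        // Temporarily referencing other handles in the System process is not
        // ideal, but it is enough to prove the concept.
        ntStatus = ObReferenceObjectByHandle(
            MAKE_KERNEL_HANDLE(ULongToHandle(pHandleInfo->Handles[i].HandleValue)),
            FILE_READ_DATA | FILE_WRITE_DATA, *IoFileObjectType, KernelMode, (PVOID*)&pFile, NULL);
        if (!NT_SUCCESS(ntStatus))
        {
            continue;
        }

        // pagefile.sys is opened without buffering
        if (!FlagOn(pFile->Flags, FO_NO_INTERMEDIATE_BUFFERING))
        {
            continue;
        }

        // pagefile.sys is opened for RW- with -W- sharing
        if (!pFile->ReadAccess || !pFile->WriteAccess || pFile->DeleteAccess || pFile->SharedRead || pFile->SharedDelete)
        {
            continue;
        }

        pNameInfo = (PFILE_NAME_INFORMATION)ExAllocatePoolWithTag(PagedPool, nameInfoBytes, POOL_TAG);
        if (!pNameInfo)
        {
            continue;
        }

        RtlZeroMemory(pNameInfo, nameInfoBytes);
        pNameInfo->FileNameLength = maxNameBytes; // Leave room for a NULL

        ntStatus = FsRtlQueryInformationFile(pFile, pNameInfo, nameInfoBytes, FileNameInformation, &returnLength);
        // A "success" status such as STATUS_BUFFER_OVERFLOW can still report a
        // FileNameLength larger than the buffer, and UNICODE_STRING.Length is a
        // USHORT; reject both so the comparison never reads past the buffer.
        if (!NT_SUCCESS(ntStatus) ||
            (pNameInfo->FileNameLength > maxNameBytes) ||
            (pNameInfo->FileNameLength > MAXUSHORT))
        {
            continue;
        }

        nameInfoUni.Buffer = pNameInfo->FileName;
        nameInfoUni.Length = (USHORT)pNameInfo->FileNameLength;
        nameInfoUni.MaximumLength = nameInfoUni.Length;

        // NTFS names are case-insensitive, so a pagefile configured as
        // \PAGEFILE.SYS must match too.
        if (!RtlEqualUnicodeString(&nameInfoUni, &pagefile_sys, TRUE))
        {
            continue;
        }

        ntStatus = FsRtlQueryInformationFile(pFile, &gProtectedFiles[0], sizeof(gProtectedFiles[0]), FileIdInformation, &returnLength);
        if (NT_SUCCESS(ntStatus) && (sizeof(gProtectedFiles[0]) == returnLength))
        {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                "Silhouette: Pagefile: %wZ\n",
                &nameInfoUni);

            goto Cleanup;
        }
    }

    ntStatus = STATUS_PAGEFILE_NOT_SUPPORTED;

Cleanup:
    PoolDeleteWithTag(pHandleInfo, POOL_TAG);
    PoolDeleteWithTag(pNameInfo, POOL_TAG);
    ReferenceDelete(pFile);

    return ntStatus;
}

/*
 * Unregister the filter if it is registered, and clear gpFilter so that a
 * second call (for example from both FilterUnload and a driver unload path)
 * is a no-op rather than a double unregister.
 */
VOID
UnregisterFilter()
{
    if (gpFilter)
    {
        FltUnregisterFilter(gpFilter);
        gpFilter = NULL;
    }
}

/*
 * Register the minifilter, locate the pagefile, and start filtering.
 *
 * pDriverObject - the driver object passed to DriverEntry.
 *
 * Returns the first failing NTSTATUS. On any failure the registration is
 * undone and gpFilter is left NULL, so the caller never sees a filter that is
 * registered but not filtering (the original left it registered when
 * FindPagefile() failed, but not when FltStartFiltering() failed).
 */
NTSTATUS
RegisterFilter(_In_ PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS ntStatus = FltRegisterFilter(pDriverObject, &FilterRegistration, &gpFilter);
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;
    }

    // The pagefile ID has to be known before the first I/O is filtered.
    ntStatus = FindPagefile();
    if (NT_SUCCESS(ntStatus))
    {
        ntStatus = FltStartFiltering(gpFilter);
    }

    if (!NT_SUCCESS(ntStatus))
    {
        UnregisterFilter();
    }

    return ntStatus;
}

/*
 * Filter-manager unload callback. The registration flags refuse service stop,
 * so this only runs for unloads the filter cannot veto. Tears down through
 * UnregisterFilter() so gpFilter is cleared as well.
 */
NTSTATUS
FilterUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER(Flags);

    UnregisterFilter();

    return STATUS_SUCCESS;
}

/*
 * Instance-setup callback: decides whether the filter attaches to a volume.
 *
 * Always returns STATUS_SUCCESS so the filter attaches to every volume; the
 * volume-name lookup below is diagnostic only (its DbgPrint is compiled out),
 * so a failure there must not prevent attachment.
 *
 * Observed values for the volumes of interest:
 *   Flags == FLTFL_INSTANCE_SETUP_AUTOMATIC_ATTACHMENT
 *   VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM
 *   VolumeFilesystemType == FLT_FSTYPE_NTFS
 *
 * TODO: Raw disk reads
 */
NTSTATUS InstanceSetupCallback(
    PCFLT_RELATED_OBJECTS FltObjects,
    FLT_INSTANCE_SETUP_FLAGS Flags,
    DEVICE_TYPE VolumeDeviceType,
    FLT_FILESYSTEM_TYPE VolumeFilesystemType
    )
{
    UNREFERENCED_PARAMETER(Flags);
    UNREFERENCED_PARAMETER(VolumeDeviceType);
    UNREFERENCED_PARAMETER(VolumeFilesystemType);

    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING volumeName = { 0, };
    PWCHAR pBuffer = NULL;
    ULONG volumeNameLength = 0;

    // Size query: with a NULL VolumeName only the required byte count is of
    // interest (the call itself is expected to report a buffer-too-small status).
    ntStatus = FltGetVolumeName(FltObjects->Volume, NULL, &volumeNameLength);

    // The length is handed to RtlInitEmptyUnicodeString as a USHORT, so refuse
    // anything that would be truncated, and skip the lookup if no size came back.
    if (volumeNameLength == 0 || volumeNameLength > MAXUSHORT)
    {
        goto Cleanup;
    }

    pBuffer = (PWCHAR)ExAllocatePoolWithTag(PagedPool, volumeNameLength, POOL_TAG);
    if (!pBuffer)
    {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }

    RtlInitEmptyUnicodeString(&volumeName, pBuffer, (USHORT)volumeNameLength);
    ntStatus = FltGetVolumeName(FltObjects->Volume, &volumeName, &volumeNameLength);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

#if 0
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
        "Silhouette: InstanceSetupCallback for Flags: 0x%x DevType: %u FS: %u for %wZ\n",
        Flags, VolumeDeviceType, VolumeFilesystemType, &volumeName);
#endif

Cleanup:
    PoolDeleteWithTag(pBuffer, POOL_TAG);

    // The lookup status is diagnostic only; attach regardless.
    (VOID)ntStatus;
    return STATUS_SUCCESS;
}

/*
 * Instance-query-teardown callback. Returning a failure status refuses manual
 * detach requests, so an attached instance stays attached.
 */
NTSTATUS
QueryTeardown(
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _In_ FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags
    )
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);

    return STATUS_ACCESS_DENIED;
}
--------------------------------------------------------------------------------
/phnt/include/nttp.h:
--------------------------------------------------------------------------------
/*
 * Thread Pool support functions
 *
 * This file is part of System Informer.
 */

#ifndef _NTTP_H
#define _NTTP_H

// Some types are already defined in winnt.h.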
11 | 12 | typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; 13 | 14 | // private 15 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK)( 16 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 17 | _Inout_opt_ PVOID Context, 18 | _In_ PTP_ALPC Alpc 19 | ); 20 | 21 | // rev 22 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)( 23 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 24 | _Inout_opt_ PVOID Context, 25 | _In_ PTP_ALPC Alpc, 26 | _In_ PVOID ApcContext 27 | ); 28 | 29 | #if (PHNT_VERSION >= PHNT_VISTA) 30 | 31 | // winbase:CreateThreadpool 32 | NTSYSAPI 33 | NTSTATUS 34 | NTAPI 35 | TpAllocPool( 36 | _Out_ PTP_POOL *PoolReturn, 37 | _Reserved_ PVOID Reserved 38 | ); 39 | 40 | // winbase:CloseThreadpool 41 | NTSYSAPI 42 | VOID 43 | NTAPI 44 | TpReleasePool( 45 | _Inout_ PTP_POOL Pool 46 | ); 47 | 48 | // winbase:SetThreadpoolThreadMaximum 49 | NTSYSAPI 50 | VOID 51 | NTAPI 52 | TpSetPoolMaxThreads( 53 | _Inout_ PTP_POOL Pool, 54 | _In_ ULONG MaxThreads 55 | ); 56 | 57 | // winbase:SetThreadpoolThreadMinimum 58 | NTSYSAPI 59 | NTSTATUS 60 | NTAPI 61 | TpSetPoolMinThreads( 62 | _Inout_ PTP_POOL Pool, 63 | _In_ ULONG MinThreads 64 | ); 65 | 66 | #if (PHNT_VERSION >= PHNT_WIN7) 67 | // winbase:QueryThreadpoolStackInformation 68 | NTSYSAPI 69 | NTSTATUS 70 | NTAPI 71 | TpQueryPoolStackInformation( 72 | _In_ PTP_POOL Pool, 73 | _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation 74 | ); 75 | 76 | // winbase:SetThreadpoolStackInformation 77 | NTSYSAPI 78 | NTSTATUS 79 | NTAPI 80 | TpSetPoolStackInformation( 81 | _Inout_ PTP_POOL Pool, 82 | _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation 83 | ); 84 | 85 | // rev 86 | NTSYSAPI 87 | NTSTATUS 88 | NTAPI 89 | TpSetPoolThreadBasePriority( 90 | _Inout_ PTP_POOL Pool, 91 | _In_ ULONG BasePriority 92 | ); 93 | #endif 94 | 95 | // winbase:CreateThreadpoolCleanupGroup 96 | NTSYSAPI 97 | NTSTATUS 98 | NTAPI 99 | TpAllocCleanupGroup( 100 | _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn 101 | ); 102 | 103 | // winbase:CloseThreadpoolCleanupGroup 104 | NTSYSAPI 105 
| VOID 106 | NTAPI 107 | TpReleaseCleanupGroup( 108 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup 109 | ); 110 | 111 | // winbase:CloseThreadpoolCleanupGroupMembers 112 | NTSYSAPI 113 | VOID 114 | NTAPI 115 | TpReleaseCleanupGroupMembers( 116 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup, 117 | _In_ LOGICAL CancelPendingCallbacks, 118 | _Inout_opt_ PVOID CleanupParameter 119 | ); 120 | 121 | // winbase:SetEventWhenCallbackReturns 122 | NTSYSAPI 123 | VOID 124 | NTAPI 125 | TpCallbackSetEventOnCompletion( 126 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 127 | _In_ HANDLE Event 128 | ); 129 | 130 | // winbase:ReleaseSemaphoreWhenCallbackReturns 131 | NTSYSAPI 132 | VOID 133 | NTAPI 134 | TpCallbackReleaseSemaphoreOnCompletion( 135 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 136 | _In_ HANDLE Semaphore, 137 | _In_ ULONG ReleaseCount 138 | ); 139 | 140 | // winbase:ReleaseMutexWhenCallbackReturns 141 | NTSYSAPI 142 | VOID 143 | NTAPI 144 | TpCallbackReleaseMutexOnCompletion( 145 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 146 | _In_ HANDLE Mutex 147 | ); 148 | 149 | // winbase:LeaveCriticalSectionWhenCallbackReturns 150 | NTSYSAPI 151 | VOID 152 | NTAPI 153 | TpCallbackLeaveCriticalSectionOnCompletion( 154 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 155 | _Inout_ PRTL_CRITICAL_SECTION CriticalSection 156 | ); 157 | 158 | // winbase:FreeLibraryWhenCallbackReturns 159 | NTSYSAPI 160 | VOID 161 | NTAPI 162 | TpCallbackUnloadDllOnCompletion( 163 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 164 | _In_ PVOID DllHandle 165 | ); 166 | 167 | // winbase:CallbackMayRunLong 168 | NTSYSAPI 169 | NTSTATUS 170 | NTAPI 171 | TpCallbackMayRunLong( 172 | _Inout_ PTP_CALLBACK_INSTANCE Instance 173 | ); 174 | 175 | // winbase:DisassociateCurrentThreadFromCallback 176 | NTSYSAPI 177 | VOID 178 | NTAPI 179 | TpDisassociateCallback( 180 | _Inout_ PTP_CALLBACK_INSTANCE Instance 181 | ); 182 | 183 | // winbase:TrySubmitThreadpoolCallback 184 | NTSYSAPI 185 | NTSTATUS 186 | NTAPI 187 | TpSimpleTryPost( 188 | _In_ 
PTP_SIMPLE_CALLBACK Callback, 189 | _Inout_opt_ PVOID Context, 190 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 191 | ); 192 | 193 | // winbase:CreateThreadpoolWork 194 | NTSYSAPI 195 | NTSTATUS 196 | NTAPI 197 | TpAllocWork( 198 | _Out_ PTP_WORK *WorkReturn, 199 | _In_ PTP_WORK_CALLBACK Callback, 200 | _Inout_opt_ PVOID Context, 201 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 202 | ); 203 | 204 | // winbase:CloseThreadpoolWork 205 | NTSYSAPI 206 | VOID 207 | NTAPI 208 | TpReleaseWork( 209 | _Inout_ PTP_WORK Work 210 | ); 211 | 212 | // winbase:SubmitThreadpoolWork 213 | NTSYSAPI 214 | VOID 215 | NTAPI 216 | TpPostWork( 217 | _Inout_ PTP_WORK Work 218 | ); 219 | 220 | // winbase:WaitForThreadpoolWorkCallbacks 221 | NTSYSAPI 222 | VOID 223 | NTAPI 224 | TpWaitForWork( 225 | _Inout_ PTP_WORK Work, 226 | _In_ LOGICAL CancelPendingCallbacks 227 | ); 228 | 229 | // winbase:CreateThreadpoolTimer 230 | NTSYSAPI 231 | NTSTATUS 232 | NTAPI 233 | TpAllocTimer( 234 | _Out_ PTP_TIMER *Timer, 235 | _In_ PTP_TIMER_CALLBACK Callback, 236 | _Inout_opt_ PVOID Context, 237 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 238 | ); 239 | 240 | // winbase:CloseThreadpoolTimer 241 | NTSYSAPI 242 | VOID 243 | NTAPI 244 | TpReleaseTimer( 245 | _Inout_ PTP_TIMER Timer 246 | ); 247 | 248 | // winbase:SetThreadpoolTimer 249 | NTSYSAPI 250 | VOID 251 | NTAPI 252 | TpSetTimer( 253 | _Inout_ PTP_TIMER Timer, 254 | _In_opt_ PLARGE_INTEGER DueTime, 255 | _In_ ULONG Period, 256 | _In_opt_ ULONG WindowLength 257 | ); 258 | 259 | #if (PHNT_VERSION >= PHNT_WIN8) 260 | // winbase:SetThreadpoolTimerEx 261 | NTSYSAPI 262 | NTSTATUS 263 | NTAPI 264 | TpSetTimerEx( 265 | _Inout_ PTP_TIMER Timer, 266 | _In_opt_ PLARGE_INTEGER DueTime, 267 | _In_ ULONG Period, 268 | _In_opt_ ULONG WindowLength 269 | ); 270 | #endif 271 | 272 | // winbase:IsThreadpoolTimerSet 273 | NTSYSAPI 274 | LOGICAL 275 | NTAPI 276 | TpIsTimerSet( 277 | _In_ PTP_TIMER Timer 278 | ); 279 | 280 | // 
winbase:WaitForThreadpoolTimerCallbacks 281 | NTSYSAPI 282 | VOID 283 | NTAPI 284 | TpWaitForTimer( 285 | _Inout_ PTP_TIMER Timer, 286 | _In_ LOGICAL CancelPendingCallbacks 287 | ); 288 | 289 | // winbase:CreateThreadpoolWait 290 | NTSYSAPI 291 | NTSTATUS 292 | NTAPI 293 | TpAllocWait( 294 | _Out_ PTP_WAIT *WaitReturn, 295 | _In_ PTP_WAIT_CALLBACK Callback, 296 | _Inout_opt_ PVOID Context, 297 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 298 | ); 299 | 300 | // winbase:CloseThreadpoolWait 301 | NTSYSAPI 302 | VOID 303 | NTAPI 304 | TpReleaseWait( 305 | _Inout_ PTP_WAIT Wait 306 | ); 307 | 308 | // winbase:SetThreadpoolWait 309 | NTSYSAPI 310 | VOID 311 | NTAPI 312 | TpSetWait( 313 | _Inout_ PTP_WAIT Wait, 314 | _In_opt_ HANDLE Handle, 315 | _In_opt_ PLARGE_INTEGER Timeout 316 | ); 317 | 318 | #if (PHNT_VERSION >= PHNT_WIN8) 319 | // winbase:SetThreadpoolWaitEx 320 | NTSYSAPI 321 | NTSTATUS 322 | NTAPI 323 | TpSetWaitEx( 324 | _Inout_ PTP_WAIT Wait, 325 | _In_opt_ HANDLE Handle, 326 | _In_opt_ PLARGE_INTEGER Timeout, 327 | _In_opt_ PVOID Reserved 328 | ); 329 | #endif 330 | 331 | // winbase:WaitForThreadpoolWaitCallbacks 332 | NTSYSAPI 333 | VOID 334 | NTAPI 335 | TpWaitForWait( 336 | _Inout_ PTP_WAIT Wait, 337 | _In_ LOGICAL CancelPendingCallbacks 338 | ); 339 | 340 | // private 341 | typedef VOID (NTAPI *PTP_IO_CALLBACK)( 342 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 343 | _Inout_opt_ PVOID Context, 344 | _In_ PVOID ApcContext, 345 | _In_ PIO_STATUS_BLOCK IoSB, 346 | _In_ PTP_IO Io 347 | ); 348 | 349 | // winbase:CreateThreadpoolIo 350 | NTSYSAPI 351 | NTSTATUS 352 | NTAPI 353 | TpAllocIoCompletion( 354 | _Out_ PTP_IO *IoReturn, 355 | _In_ HANDLE File, 356 | _In_ PTP_IO_CALLBACK Callback, 357 | _Inout_opt_ PVOID Context, 358 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 359 | ); 360 | 361 | // winbase:CloseThreadpoolIo 362 | NTSYSAPI 363 | VOID 364 | NTAPI 365 | TpReleaseIoCompletion( 366 | _Inout_ PTP_IO Io 367 | ); 368 | 369 | // winbase:StartThreadpoolIo 
370 | NTSYSAPI 371 | VOID 372 | NTAPI 373 | TpStartAsyncIoOperation( 374 | _Inout_ PTP_IO Io 375 | ); 376 | 377 | // winbase:CancelThreadpoolIo 378 | NTSYSAPI 379 | VOID 380 | NTAPI 381 | TpCancelAsyncIoOperation( 382 | _Inout_ PTP_IO Io 383 | ); 384 | 385 | // winbase:WaitForThreadpoolIoCallbacks 386 | NTSYSAPI 387 | VOID 388 | NTAPI 389 | TpWaitForIoCompletion( 390 | _Inout_ PTP_IO Io, 391 | _In_ LOGICAL CancelPendingCallbacks 392 | ); 393 | 394 | // private 395 | NTSYSAPI 396 | NTSTATUS 397 | NTAPI 398 | TpAllocAlpcCompletion( 399 | _Out_ PTP_ALPC *AlpcReturn, 400 | _In_ HANDLE AlpcPort, 401 | _In_ PTP_ALPC_CALLBACK Callback, 402 | _Inout_opt_ PVOID Context, 403 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 404 | ); 405 | 406 | #if (PHNT_VERSION >= PHNT_WIN7) 407 | // rev 408 | NTSYSAPI 409 | NTSTATUS 410 | NTAPI 411 | TpAllocAlpcCompletionEx( 412 | _Out_ PTP_ALPC *AlpcReturn, 413 | _In_ HANDLE AlpcPort, 414 | _In_ PTP_ALPC_CALLBACK_EX Callback, 415 | _Inout_opt_ PVOID Context, 416 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 417 | ); 418 | #endif 419 | 420 | // private 421 | NTSYSAPI 422 | VOID 423 | NTAPI 424 | TpReleaseAlpcCompletion( 425 | _Inout_ PTP_ALPC Alpc 426 | ); 427 | 428 | // private 429 | NTSYSAPI 430 | VOID 431 | NTAPI 432 | TpWaitForAlpcCompletion( 433 | _Inout_ PTP_ALPC Alpc 434 | ); 435 | 436 | // private 437 | typedef enum _TP_TRACE_TYPE 438 | { 439 | TpTraceThreadPriority = 1, 440 | TpTraceThreadAffinity, 441 | MaxTpTraceType 442 | } TP_TRACE_TYPE; 443 | 444 | // private 445 | NTSYSAPI 446 | VOID 447 | NTAPI 448 | TpCaptureCaller( 449 | _In_ TP_TRACE_TYPE Type 450 | ); 451 | 452 | // private 453 | NTSYSAPI 454 | VOID 455 | NTAPI 456 | TpCheckTerminateWorker( 457 | _In_ HANDLE Thread 458 | ); 459 | 460 | #endif 461 | 462 | #endif 463 | -------------------------------------------------------------------------------- /phnt/include/ntobapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Object 
Manager support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTOBAPI_H 8 | #define _NTOBAPI_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | #define OBJECT_TYPE_CREATE 0x0001 12 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 13 | #endif 14 | 15 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 16 | #define DIRECTORY_QUERY 0x0001 17 | #define DIRECTORY_TRAVERSE 0x0002 18 | #define DIRECTORY_CREATE_OBJECT 0x0004 19 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 20 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf) 21 | #endif 22 | 23 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 24 | #define SYMBOLIC_LINK_QUERY 0x0001 25 | #define SYMBOLIC_LINK_SET 0x0002 26 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 27 | #define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF) 28 | #endif 29 | 30 | #ifndef OBJ_PROTECT_CLOSE 31 | #define OBJ_PROTECT_CLOSE 0x00000001 32 | #endif 33 | #ifndef OBJ_INHERIT 34 | #define OBJ_INHERIT 0x00000002 35 | #endif 36 | #ifndef OBJ_AUDIT_OBJECT_CLOSE 37 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 38 | #endif 39 | 40 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 41 | typedef enum _OBJECT_INFORMATION_CLASS 42 | { 43 | ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION 44 | ObjectNameInformation, // q: OBJECT_NAME_INFORMATION 45 | ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION 46 | ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION 47 | ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION 48 | ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) 49 | ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) 50 | MaxObjectInfoClass 51 | } OBJECT_INFORMATION_CLASS; 52 | #else 53 | #define ObjectBasicInformation 0 54 | #define ObjectNameInformation 1 55 | #define ObjectTypeInformation 2 56 | #define ObjectTypesInformation 3 57 | #define ObjectHandleFlagInformation 4 
58 | #define ObjectSessionInformation 5 59 | #define ObjectSessionObjectInformation 6 60 | #endif 61 | 62 | typedef struct _OBJECT_BASIC_INFORMATION 63 | { 64 | ULONG Attributes; 65 | ACCESS_MASK GrantedAccess; 66 | ULONG HandleCount; 67 | ULONG PointerCount; 68 | ULONG PagedPoolCharge; 69 | ULONG NonPagedPoolCharge; 70 | ULONG Reserved[3]; 71 | ULONG NameInfoSize; 72 | ULONG TypeInfoSize; 73 | ULONG SecurityDescriptorSize; 74 | LARGE_INTEGER CreationTime; 75 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 76 | 77 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 78 | typedef struct _OBJECT_NAME_INFORMATION 79 | { 80 | UNICODE_STRING Name; 81 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 82 | #endif 83 | 84 | typedef struct _OBJECT_TYPE_INFORMATION 85 | { 86 | UNICODE_STRING TypeName; 87 | ULONG TotalNumberOfObjects; 88 | ULONG TotalNumberOfHandles; 89 | ULONG TotalPagedPoolUsage; 90 | ULONG TotalNonPagedPoolUsage; 91 | ULONG TotalNamePoolUsage; 92 | ULONG TotalHandleTableUsage; 93 | ULONG HighWaterNumberOfObjects; 94 | ULONG HighWaterNumberOfHandles; 95 | ULONG HighWaterPagedPoolUsage; 96 | ULONG HighWaterNonPagedPoolUsage; 97 | ULONG HighWaterNamePoolUsage; 98 | ULONG HighWaterHandleTableUsage; 99 | ULONG InvalidAttributes; 100 | GENERIC_MAPPING GenericMapping; 101 | ULONG ValidAccessMask; 102 | BOOLEAN SecurityRequired; 103 | BOOLEAN MaintainHandleCount; 104 | UCHAR TypeIndex; // since WINBLUE 105 | CHAR ReservedByte; 106 | ULONG PoolType; 107 | ULONG DefaultPagedPoolCharge; 108 | ULONG DefaultNonPagedPoolCharge; 109 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 110 | 111 | typedef struct _OBJECT_TYPES_INFORMATION 112 | { 113 | ULONG NumberOfTypes; 114 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 115 | 116 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 117 | { 118 | BOOLEAN Inherit; 119 | BOOLEAN ProtectFromClose; 120 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 121 | 122 | // Objects, handles 123 | 124 | 
#if (PHNT_MODE != PHNT_MODE_KERNEL) 125 | 126 | NTSYSCALLAPI 127 | NTSTATUS 128 | NTAPI 129 | NtQueryObject( 130 | _In_opt_ HANDLE Handle, 131 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 132 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 133 | _In_ ULONG ObjectInformationLength, 134 | _Out_opt_ PULONG ReturnLength 135 | ); 136 | 137 | NTSYSCALLAPI 138 | NTSTATUS 139 | NTAPI 140 | NtSetInformationObject( 141 | _In_ HANDLE Handle, 142 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 143 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 144 | _In_ ULONG ObjectInformationLength 145 | ); 146 | 147 | #define DUPLICATE_CLOSE_SOURCE 0x00000001 148 | #define DUPLICATE_SAME_ACCESS 0x00000002 149 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 150 | 151 | NTSYSCALLAPI 152 | NTSTATUS 153 | NTAPI 154 | NtDuplicateObject( 155 | _In_ HANDLE SourceProcessHandle, 156 | _In_ HANDLE SourceHandle, 157 | _In_opt_ HANDLE TargetProcessHandle, 158 | _Out_opt_ PHANDLE TargetHandle, 159 | _In_ ACCESS_MASK DesiredAccess, 160 | _In_ ULONG HandleAttributes, 161 | _In_ ULONG Options 162 | ); 163 | 164 | NTSYSCALLAPI 165 | NTSTATUS 166 | NTAPI 167 | NtMakeTemporaryObject( 168 | _In_ HANDLE Handle 169 | ); 170 | 171 | NTSYSCALLAPI 172 | NTSTATUS 173 | NTAPI 174 | NtMakePermanentObject( 175 | _In_ HANDLE Handle 176 | ); 177 | 178 | NTSYSCALLAPI 179 | NTSTATUS 180 | NTAPI 181 | NtSignalAndWaitForSingleObject( 182 | _In_ HANDLE SignalHandle, 183 | _In_ HANDLE WaitHandle, 184 | _In_ BOOLEAN Alertable, 185 | _In_opt_ PLARGE_INTEGER Timeout 186 | ); 187 | 188 | NTSYSCALLAPI 189 | NTSTATUS 190 | NTAPI 191 | NtWaitForSingleObject( 192 | _In_ HANDLE Handle, 193 | _In_ BOOLEAN Alertable, 194 | _In_opt_ PLARGE_INTEGER Timeout 195 | ); 196 | 197 | NTSYSCALLAPI 198 | NTSTATUS 199 | NTAPI 200 | NtWaitForMultipleObjects( 201 | _In_ ULONG Count, 202 | _In_reads_(Count) HANDLE Handles[], 203 | _In_ WAIT_TYPE WaitType, 204 | _In_ BOOLEAN Alertable, 
205 | _In_opt_ PLARGE_INTEGER Timeout 206 | ); 207 | 208 | #if (PHNT_VERSION >= PHNT_WS03) 209 | NTSYSCALLAPI 210 | NTSTATUS 211 | NTAPI 212 | NtWaitForMultipleObjects32( 213 | _In_ ULONG Count, 214 | _In_reads_(Count) LONG Handles[], 215 | _In_ WAIT_TYPE WaitType, 216 | _In_ BOOLEAN Alertable, 217 | _In_opt_ PLARGE_INTEGER Timeout 218 | ); 219 | #endif 220 | 221 | NTSYSCALLAPI 222 | NTSTATUS 223 | NTAPI 224 | NtSetSecurityObject( 225 | _In_ HANDLE Handle, 226 | _In_ SECURITY_INFORMATION SecurityInformation, 227 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 228 | ); 229 | 230 | NTSYSCALLAPI 231 | NTSTATUS 232 | NTAPI 233 | NtQuerySecurityObject( 234 | _In_ HANDLE Handle, 235 | _In_ SECURITY_INFORMATION SecurityInformation, 236 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 237 | _In_ ULONG Length, 238 | _Out_ PULONG LengthNeeded 239 | ); 240 | 241 | NTSYSCALLAPI 242 | NTSTATUS 243 | NTAPI 244 | NtClose( 245 | _In_ _Post_ptr_invalid_ HANDLE Handle 246 | ); 247 | 248 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 249 | NTSYSCALLAPI 250 | NTSTATUS 251 | NTAPI 252 | NtCompareObjects( 253 | _In_ HANDLE FirstObjectHandle, 254 | _In_ HANDLE SecondObjectHandle 255 | ); 256 | #endif 257 | 258 | #endif 259 | 260 | // Directory objects 261 | 262 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 263 | 264 | NTSYSCALLAPI 265 | NTSTATUS 266 | NTAPI 267 | NtCreateDirectoryObject( 268 | _Out_ PHANDLE DirectoryHandle, 269 | _In_ ACCESS_MASK DesiredAccess, 270 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 271 | ); 272 | 273 | #if (PHNT_VERSION >= PHNT_WIN8) 274 | NTSYSCALLAPI 275 | NTSTATUS 276 | NTAPI 277 | NtCreateDirectoryObjectEx( 278 | _Out_ PHANDLE DirectoryHandle, 279 | _In_ ACCESS_MASK DesiredAccess, 280 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 281 | _In_ HANDLE ShadowDirectoryHandle, 282 | _In_ ULONG Flags 283 | ); 284 | #endif 285 | 286 | NTSYSCALLAPI 287 | NTSTATUS 288 | NTAPI 289 | NtOpenDirectoryObject( 290 | _Out_ PHANDLE DirectoryHandle, 291 | _In_ ACCESS_MASK 
DesiredAccess, 292 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 293 | ); 294 | 295 | typedef struct _OBJECT_DIRECTORY_INFORMATION 296 | { 297 | UNICODE_STRING Name; 298 | UNICODE_STRING TypeName; 299 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 300 | 301 | NTSYSCALLAPI 302 | NTSTATUS 303 | NTAPI 304 | NtQueryDirectoryObject( 305 | _In_ HANDLE DirectoryHandle, 306 | _Out_writes_bytes_opt_(Length) PVOID Buffer, 307 | _In_ ULONG Length, 308 | _In_ BOOLEAN ReturnSingleEntry, 309 | _In_ BOOLEAN RestartScan, 310 | _Inout_ PULONG Context, 311 | _Out_opt_ PULONG ReturnLength 312 | ); 313 | 314 | #endif 315 | 316 | // Private namespaces 317 | 318 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 319 | 320 | #if (PHNT_VERSION >= PHNT_VISTA) 321 | 322 | // private 323 | typedef enum _BOUNDARY_ENTRY_TYPE 324 | { 325 | OBNS_Invalid, 326 | OBNS_Name, 327 | OBNS_SID, 328 | OBNS_IL 329 | } BOUNDARY_ENTRY_TYPE; 330 | 331 | // private 332 | typedef struct _OBJECT_BOUNDARY_ENTRY 333 | { 334 | BOUNDARY_ENTRY_TYPE EntryType; 335 | ULONG EntrySize; 336 | } OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; 337 | 338 | // rev 339 | #define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1 340 | 341 | // private 342 | typedef struct _OBJECT_BOUNDARY_DESCRIPTOR 343 | { 344 | ULONG Version; 345 | ULONG Items; 346 | ULONG TotalSize; 347 | union 348 | { 349 | ULONG Flags; 350 | struct 351 | { 352 | ULONG AddAppContainerSid : 1; 353 | ULONG Reserved : 31; 354 | }; 355 | }; 356 | } OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR; 357 | 358 | NTSYSCALLAPI 359 | NTSTATUS 360 | NTAPI 361 | NtCreatePrivateNamespace( 362 | _Out_ PHANDLE NamespaceHandle, 363 | _In_ ACCESS_MASK DesiredAccess, 364 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 365 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 366 | ); 367 | 368 | NTSYSCALLAPI 369 | NTSTATUS 370 | NTAPI 371 | NtOpenPrivateNamespace( 372 | _Out_ PHANDLE NamespaceHandle, 373 | _In_ ACCESS_MASK DesiredAccess, 374 | _In_opt_ POBJECT_ATTRIBUTES 
ObjectAttributes, 375 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 376 | ); 377 | 378 | NTSYSCALLAPI 379 | NTSTATUS 380 | NTAPI 381 | NtDeletePrivateNamespace( 382 | _In_ HANDLE NamespaceHandle 383 | ); 384 | 385 | #endif 386 | 387 | #endif 388 | 389 | // Symbolic links 390 | 391 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 392 | 393 | NTSYSCALLAPI 394 | NTSTATUS 395 | NTAPI 396 | NtCreateSymbolicLinkObject( 397 | _Out_ PHANDLE LinkHandle, 398 | _In_ ACCESS_MASK DesiredAccess, 399 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 400 | _In_ PUNICODE_STRING LinkTarget 401 | ); 402 | 403 | NTSYSCALLAPI 404 | NTSTATUS 405 | NTAPI 406 | NtOpenSymbolicLinkObject( 407 | _Out_ PHANDLE LinkHandle, 408 | _In_ ACCESS_MASK DesiredAccess, 409 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 410 | ); 411 | 412 | NTSYSCALLAPI 413 | NTSTATUS 414 | NTAPI 415 | NtQuerySymbolicLinkObject( 416 | _In_ HANDLE LinkHandle, 417 | _Inout_ PUNICODE_STRING LinkTarget, 418 | _Out_opt_ PULONG ReturnedLength 419 | ); 420 | 421 | typedef enum _SYMBOLIC_LINK_INFO_CLASS 422 | { 423 | SymbolicLinkGlobalInformation = 1, // s: ULONG 424 | SymbolicLinkAccessMask, // s: ACCESS_MASK 425 | MaxnSymbolicLinkInfoClass 426 | } SYMBOLIC_LINK_INFO_CLASS; 427 | 428 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 429 | NTSYSCALLAPI 430 | NTSTATUS 431 | NTAPI 432 | NtSetInformationSymbolicLink( 433 | _In_ HANDLE LinkHandle, 434 | _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, 435 | _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, 436 | _In_ ULONG SymbolicLinkInformationLength 437 | ); 438 | #endif 439 | 440 | #endif 441 | 442 | #endif 443 | -------------------------------------------------------------------------------- /phnt/include/nttmapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Transaction Manager support functions 3 | * 4 | * This file is part of System Informer. 
5 | */ 6 | 7 | #ifndef _NTTMAPI_H 8 | #define _NTTMAPI_H 9 | 10 | #if (PHNT_VERSION >= PHNT_VISTA) 11 | NTSYSCALLAPI 12 | NTSTATUS 13 | NTAPI 14 | NtCreateTransactionManager( 15 | _Out_ PHANDLE TmHandle, 16 | _In_ ACCESS_MASK DesiredAccess, 17 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 18 | _In_opt_ PUNICODE_STRING LogFileName, 19 | _In_opt_ ULONG CreateOptions, 20 | _In_opt_ ULONG CommitStrength 21 | ); 22 | #endif 23 | 24 | #if (PHNT_VERSION >= PHNT_VISTA) 25 | NTSYSCALLAPI 26 | NTSTATUS 27 | NTAPI 28 | NtOpenTransactionManager( 29 | _Out_ PHANDLE TmHandle, 30 | _In_ ACCESS_MASK DesiredAccess, 31 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 32 | _In_opt_ PUNICODE_STRING LogFileName, 33 | _In_opt_ LPGUID TmIdentity, 34 | _In_opt_ ULONG OpenOptions 35 | ); 36 | #endif 37 | 38 | #if (PHNT_VERSION >= PHNT_VISTA) 39 | NTSYSCALLAPI 40 | NTSTATUS 41 | NTAPI 42 | NtRenameTransactionManager( 43 | _In_ PUNICODE_STRING LogFileName, 44 | _In_ LPGUID ExistingTransactionManagerGuid 45 | ); 46 | #endif 47 | 48 | #if (PHNT_VERSION >= PHNT_VISTA) 49 | NTSYSCALLAPI 50 | NTSTATUS 51 | NTAPI 52 | NtRollforwardTransactionManager( 53 | _In_ HANDLE TransactionManagerHandle, 54 | _In_opt_ PLARGE_INTEGER TmVirtualClock 55 | ); 56 | #endif 57 | 58 | #if (PHNT_VERSION >= PHNT_VISTA) 59 | NTSYSCALLAPI 60 | NTSTATUS 61 | NTAPI 62 | NtRecoverTransactionManager( 63 | _In_ HANDLE TransactionManagerHandle 64 | ); 65 | #endif 66 | 67 | #if (PHNT_VERSION >= PHNT_VISTA) 68 | NTSYSCALLAPI 69 | NTSTATUS 70 | NTAPI 71 | NtQueryInformationTransactionManager( 72 | _In_ HANDLE TransactionManagerHandle, 73 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 74 | _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 75 | _In_ ULONG TransactionManagerInformationLength, 76 | _Out_opt_ PULONG ReturnLength 77 | ); 78 | #endif 79 | 80 | #if (PHNT_VERSION >= PHNT_VISTA) 81 | NTSYSCALLAPI 82 | NTSTATUS 83 | NTAPI 84 | 
NtSetInformationTransactionManager( 85 | _In_opt_ HANDLE TmHandle, 86 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 87 | _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 88 | _In_ ULONG TransactionManagerInformationLength 89 | ); 90 | #endif 91 | 92 | #if (PHNT_VERSION >= PHNT_VISTA) 93 | NTSYSCALLAPI 94 | NTSTATUS 95 | NTAPI 96 | NtEnumerateTransactionObject( 97 | _In_opt_ HANDLE RootObjectHandle, 98 | _In_ KTMOBJECT_TYPE QueryType, 99 | _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, 100 | _In_ ULONG ObjectCursorLength, 101 | _Out_ PULONG ReturnLength 102 | ); 103 | #endif 104 | 105 | #if (PHNT_VERSION >= PHNT_VISTA) 106 | NTSYSCALLAPI 107 | NTSTATUS 108 | NTAPI 109 | NtCreateTransaction( 110 | _Out_ PHANDLE TransactionHandle, 111 | _In_ ACCESS_MASK DesiredAccess, 112 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 113 | _In_opt_ LPGUID Uow, 114 | _In_opt_ HANDLE TmHandle, 115 | _In_opt_ ULONG CreateOptions, 116 | _In_opt_ ULONG IsolationLevel, 117 | _In_opt_ ULONG IsolationFlags, 118 | _In_opt_ PLARGE_INTEGER Timeout, 119 | _In_opt_ PUNICODE_STRING Description 120 | ); 121 | #endif 122 | 123 | #if (PHNT_VERSION >= PHNT_VISTA) 124 | NTSYSCALLAPI 125 | NTSTATUS 126 | NTAPI 127 | NtOpenTransaction( 128 | _Out_ PHANDLE TransactionHandle, 129 | _In_ ACCESS_MASK DesiredAccess, 130 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 131 | _In_opt_ LPGUID Uow, 132 | _In_opt_ HANDLE TmHandle 133 | ); 134 | #endif 135 | 136 | #if (PHNT_VERSION >= PHNT_VISTA) 137 | NTSYSCALLAPI 138 | NTSTATUS 139 | NTAPI 140 | NtQueryInformationTransaction( 141 | _In_ HANDLE TransactionHandle, 142 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 143 | _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation, 144 | _In_ ULONG TransactionInformationLength, 145 | _Out_opt_ PULONG ReturnLength 146 | ); 147 | #endif 148 | 149 | #if (PHNT_VERSION >= PHNT_VISTA) 
150 | NTSYSCALLAPI 151 | NTSTATUS 152 | NTAPI 153 | NtSetInformationTransaction( 154 | _In_ HANDLE TransactionHandle, 155 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 156 | _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation, 157 | _In_ ULONG TransactionInformationLength 158 | ); 159 | #endif 160 | 161 | #if (PHNT_VERSION >= PHNT_VISTA) 162 | NTSYSCALLAPI 163 | NTSTATUS 164 | NTAPI 165 | NtCommitTransaction( 166 | _In_ HANDLE TransactionHandle, 167 | _In_ BOOLEAN Wait 168 | ); 169 | #endif 170 | 171 | #if (PHNT_VERSION >= PHNT_VISTA) 172 | NTSYSCALLAPI 173 | NTSTATUS 174 | NTAPI 175 | NtRollbackTransaction( 176 | _In_ HANDLE TransactionHandle, 177 | _In_ BOOLEAN Wait 178 | ); 179 | #endif 180 | 181 | #if (PHNT_VERSION >= PHNT_VISTA) 182 | NTSYSCALLAPI 183 | NTSTATUS 184 | NTAPI 185 | NtCreateEnlistment( 186 | _Out_ PHANDLE EnlistmentHandle, 187 | _In_ ACCESS_MASK DesiredAccess, 188 | _In_ HANDLE ResourceManagerHandle, 189 | _In_ HANDLE TransactionHandle, 190 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 191 | _In_opt_ ULONG CreateOptions, 192 | _In_ NOTIFICATION_MASK NotificationMask, 193 | _In_opt_ PVOID EnlistmentKey 194 | ); 195 | #endif 196 | 197 | #if (PHNT_VERSION >= PHNT_VISTA) 198 | NTSYSCALLAPI 199 | NTSTATUS 200 | NTAPI 201 | NtOpenEnlistment( 202 | _Out_ PHANDLE EnlistmentHandle, 203 | _In_ ACCESS_MASK DesiredAccess, 204 | _In_ HANDLE ResourceManagerHandle, 205 | _In_ LPGUID EnlistmentGuid, 206 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 207 | ); 208 | #endif 209 | 210 | #if (PHNT_VERSION >= PHNT_VISTA) 211 | NTSYSCALLAPI 212 | NTSTATUS 213 | NTAPI 214 | NtQueryInformationEnlistment( 215 | _In_ HANDLE EnlistmentHandle, 216 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 217 | _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 218 | _In_ ULONG EnlistmentInformationLength, 219 | _Out_opt_ PULONG ReturnLength 220 | ); 221 | #endif 222 | 223 | #if (PHNT_VERSION >= 
PHNT_VISTA) 224 | NTSYSCALLAPI 225 | NTSTATUS 226 | NTAPI 227 | NtSetInformationEnlistment( 228 | _In_opt_ HANDLE EnlistmentHandle, 229 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 230 | _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 231 | _In_ ULONG EnlistmentInformationLength 232 | ); 233 | #endif 234 | 235 | #if (PHNT_VERSION >= PHNT_VISTA) 236 | NTSYSCALLAPI 237 | NTSTATUS 238 | NTAPI 239 | NtRecoverEnlistment( 240 | _In_ HANDLE EnlistmentHandle, 241 | _In_opt_ PVOID EnlistmentKey 242 | ); 243 | #endif 244 | 245 | #if (PHNT_VERSION >= PHNT_VISTA) 246 | NTSYSCALLAPI 247 | NTSTATUS 248 | NTAPI 249 | NtPrePrepareEnlistment( 250 | _In_ HANDLE EnlistmentHandle, 251 | _In_opt_ PLARGE_INTEGER TmVirtualClock 252 | ); 253 | #endif 254 | 255 | #if (PHNT_VERSION >= PHNT_VISTA) 256 | NTSYSCALLAPI 257 | NTSTATUS 258 | NTAPI 259 | NtPrepareEnlistment( 260 | _In_ HANDLE EnlistmentHandle, 261 | _In_opt_ PLARGE_INTEGER TmVirtualClock 262 | ); 263 | #endif 264 | 265 | #if (PHNT_VERSION >= PHNT_VISTA) 266 | NTSYSCALLAPI 267 | NTSTATUS 268 | NTAPI 269 | NtCommitEnlistment( 270 | _In_ HANDLE EnlistmentHandle, 271 | _In_opt_ PLARGE_INTEGER TmVirtualClock 272 | ); 273 | #endif 274 | 275 | #if (PHNT_VERSION >= PHNT_VISTA) 276 | NTSYSCALLAPI 277 | NTSTATUS 278 | NTAPI 279 | NtRollbackEnlistment( 280 | _In_ HANDLE EnlistmentHandle, 281 | _In_opt_ PLARGE_INTEGER TmVirtualClock 282 | ); 283 | #endif 284 | 285 | #if (PHNT_VERSION >= PHNT_VISTA) 286 | NTSYSCALLAPI 287 | NTSTATUS 288 | NTAPI 289 | NtPrePrepareComplete( 290 | _In_ HANDLE EnlistmentHandle, 291 | _In_opt_ PLARGE_INTEGER TmVirtualClock 292 | ); 293 | #endif 294 | 295 | #if (PHNT_VERSION >= PHNT_VISTA) 296 | NTSYSCALLAPI 297 | NTSTATUS 298 | NTAPI 299 | NtPrepareComplete( 300 | _In_ HANDLE EnlistmentHandle, 301 | _In_opt_ PLARGE_INTEGER TmVirtualClock 302 | ); 303 | #endif 304 | 305 | #if (PHNT_VERSION >= PHNT_VISTA) 306 | NTSYSCALLAPI 307 | NTSTATUS 308 | NTAPI 309 | 
NtCommitComplete( 310 | _In_ HANDLE EnlistmentHandle, 311 | _In_opt_ PLARGE_INTEGER TmVirtualClock 312 | ); 313 | #endif 314 | 315 | #if (PHNT_VERSION >= PHNT_VISTA) 316 | NTSYSCALLAPI 317 | NTSTATUS 318 | NTAPI 319 | NtReadOnlyEnlistment( 320 | _In_ HANDLE EnlistmentHandle, 321 | _In_opt_ PLARGE_INTEGER TmVirtualClock 322 | ); 323 | #endif 324 | 325 | #if (PHNT_VERSION >= PHNT_VISTA) 326 | NTSYSCALLAPI 327 | NTSTATUS 328 | NTAPI 329 | NtRollbackComplete( 330 | _In_ HANDLE EnlistmentHandle, 331 | _In_opt_ PLARGE_INTEGER TmVirtualClock 332 | ); 333 | #endif 334 | 335 | #if (PHNT_VERSION >= PHNT_VISTA) 336 | NTSYSCALLAPI 337 | NTSTATUS 338 | NTAPI 339 | NtSinglePhaseReject( 340 | _In_ HANDLE EnlistmentHandle, 341 | _In_opt_ PLARGE_INTEGER TmVirtualClock 342 | ); 343 | #endif 344 | 345 | #if (PHNT_VERSION >= PHNT_VISTA) 346 | NTSYSCALLAPI 347 | NTSTATUS 348 | NTAPI 349 | NtCreateResourceManager( 350 | _Out_ PHANDLE ResourceManagerHandle, 351 | _In_ ACCESS_MASK DesiredAccess, 352 | _In_ HANDLE TmHandle, 353 | _In_ LPGUID RmGuid, 354 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 355 | _In_opt_ ULONG CreateOptions, 356 | _In_opt_ PUNICODE_STRING Description 357 | ); 358 | #endif 359 | 360 | #if (PHNT_VERSION >= PHNT_VISTA) 361 | NTSYSCALLAPI 362 | NTSTATUS 363 | NTAPI 364 | NtOpenResourceManager( 365 | _Out_ PHANDLE ResourceManagerHandle, 366 | _In_ ACCESS_MASK DesiredAccess, 367 | _In_ HANDLE TmHandle, 368 | _In_opt_ LPGUID ResourceManagerGuid, 369 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 370 | ); 371 | #endif 372 | 373 | #if (PHNT_VERSION >= PHNT_VISTA) 374 | NTSYSCALLAPI 375 | NTSTATUS 376 | NTAPI 377 | NtRecoverResourceManager( 378 | _In_ HANDLE ResourceManagerHandle 379 | ); 380 | #endif 381 | 382 | #if (PHNT_VERSION >= PHNT_VISTA) 383 | NTSYSCALLAPI 384 | NTSTATUS 385 | NTAPI 386 | NtGetNotificationResourceManager( 387 | _In_ HANDLE ResourceManagerHandle, 388 | _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, 389 | _In_ ULONG NotificationLength, 390 
| _In_opt_ PLARGE_INTEGER Timeout, 391 | _Out_opt_ PULONG ReturnLength, 392 | _In_ ULONG Asynchronous, 393 | _In_opt_ ULONG_PTR AsynchronousContext 394 | ); 395 | #endif 396 | 397 | #if (PHNT_VERSION >= PHNT_VISTA) 398 | NTSYSCALLAPI 399 | NTSTATUS 400 | NTAPI 401 | NtQueryInformationResourceManager( 402 | _In_ HANDLE ResourceManagerHandle, 403 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 404 | _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 405 | _In_ ULONG ResourceManagerInformationLength, 406 | _Out_opt_ PULONG ReturnLength 407 | ); 408 | #endif 409 | 410 | #if (PHNT_VERSION >= PHNT_VISTA) 411 | NTSYSCALLAPI 412 | NTSTATUS 413 | NTAPI 414 | NtSetInformationResourceManager( 415 | _In_ HANDLE ResourceManagerHandle, 416 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 417 | _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 418 | _In_ ULONG ResourceManagerInformationLength 419 | ); 420 | #endif 421 | 422 | #if (PHNT_VERSION >= PHNT_VISTA) 423 | NTSYSCALLAPI 424 | NTSTATUS 425 | NTAPI 426 | NtRegisterProtocolAddressInformation( 427 | _In_ HANDLE ResourceManager, 428 | _In_ PCRM_PROTOCOL_ID ProtocolId, 429 | _In_ ULONG ProtocolInformationSize, 430 | _In_ PVOID ProtocolInformation, 431 | _In_opt_ ULONG CreateOptions 432 | ); 433 | #endif 434 | 435 | #if (PHNT_VERSION >= PHNT_VISTA) 436 | NTSYSCALLAPI 437 | NTSTATUS 438 | NTAPI 439 | NtPropagationComplete( 440 | _In_ HANDLE ResourceManagerHandle, 441 | _In_ ULONG RequestCookie, 442 | _In_ ULONG BufferLength, 443 | _In_ PVOID Buffer 444 | ); 445 | #endif 446 | 447 | #if (PHNT_VERSION >= PHNT_VISTA) 448 | NTSYSCALLAPI 449 | NTSTATUS 450 | NTAPI 451 | NtPropagationFailed( 452 | _In_ HANDLE ResourceManagerHandle, 453 | _In_ ULONG RequestCookie, 454 | _In_ NTSTATUS PropStatus 455 | ); 456 | #endif 457 | 458 | #if (PHNT_VERSION >= PHNT_VISTA) 459 | // private 460 | NTSYSCALLAPI 461 | NTSTATUS 462 | 
NTAPI 463 | NtFreezeTransactions( 464 | _In_ PLARGE_INTEGER FreezeTimeout, 465 | _In_ PLARGE_INTEGER ThawTimeout 466 | ); 467 | #endif 468 | 469 | #if (PHNT_VERSION >= PHNT_VISTA) 470 | // private 471 | NTSYSCALLAPI 472 | NTSTATUS 473 | NTAPI 474 | NtThawTransactions( 475 | VOID 476 | ); 477 | #endif 478 | 479 | #endif 480 | -------------------------------------------------------------------------------- /phnt/include/ntpebteb.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Process and Thread Environment Block support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTPEBTEB_H 8 | #define _NTPEBTEB_H 9 | 10 | typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; 11 | typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; 12 | 13 | #include 14 | 15 | // private 16 | typedef struct _API_SET_NAMESPACE 17 | { 18 | ULONG Version; 19 | ULONG Size; 20 | ULONG Flags; 21 | ULONG Count; 22 | ULONG EntryOffset; 23 | ULONG HashOffset; 24 | ULONG HashFactor; 25 | } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; 26 | 27 | // private 28 | typedef struct _API_SET_HASH_ENTRY 29 | { 30 | ULONG Hash; 31 | ULONG Index; 32 | } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; 33 | 34 | // private 35 | typedef struct _API_SET_NAMESPACE_ENTRY 36 | { 37 | ULONG Flags; 38 | ULONG NameOffset; 39 | ULONG NameLength; 40 | ULONG HashedLength; 41 | ULONG ValueOffset; 42 | ULONG ValueCount; 43 | } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; 44 | 45 | // private 46 | typedef struct _API_SET_VALUE_ENTRY 47 | { 48 | ULONG Flags; 49 | ULONG NameOffset; 50 | ULONG NameLength; 51 | ULONG ValueOffset; 52 | ULONG ValueLength; 53 | } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; 54 | 55 | // symbols 56 | typedef struct _PEB 57 | { 58 | BOOLEAN InheritedAddressSpace; 59 | BOOLEAN ReadImageFileExecOptions; 60 | BOOLEAN BeingDebugged; 61 | union 62 | { 63 | BOOLEAN BitField; 64 | struct 65 | { 66 | BOOLEAN 
ImageUsesLargePages : 1; 67 | BOOLEAN IsProtectedProcess : 1; 68 | BOOLEAN IsImageDynamicallyRelocated : 1; 69 | BOOLEAN SkipPatchingUser32Forwarders : 1; 70 | BOOLEAN IsPackagedProcess : 1; 71 | BOOLEAN IsAppContainer : 1; 72 | BOOLEAN IsProtectedProcessLight : 1; 73 | BOOLEAN IsLongPathAwareProcess : 1; 74 | }; 75 | }; 76 | 77 | HANDLE Mutant; 78 | 79 | PVOID ImageBaseAddress; 80 | PPEB_LDR_DATA Ldr; 81 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 82 | PVOID SubSystemData; 83 | PVOID ProcessHeap; 84 | PRTL_CRITICAL_SECTION FastPebLock; 85 | PSLIST_HEADER AtlThunkSListPtr; 86 | PVOID IFEOKey; 87 | 88 | union 89 | { 90 | ULONG CrossProcessFlags; 91 | struct 92 | { 93 | ULONG ProcessInJob : 1; 94 | ULONG ProcessInitializing : 1; 95 | ULONG ProcessUsingVEH : 1; 96 | ULONG ProcessUsingVCH : 1; 97 | ULONG ProcessUsingFTH : 1; 98 | ULONG ProcessPreviouslyThrottled : 1; 99 | ULONG ProcessCurrentlyThrottled : 1; 100 | ULONG ProcessImagesHotPatched : 1; // REDSTONE5 101 | ULONG ReservedBits0 : 24; 102 | }; 103 | }; 104 | union 105 | { 106 | PVOID KernelCallbackTable; 107 | PVOID UserSharedInfoPtr; 108 | }; 109 | ULONG SystemReserved; 110 | ULONG AtlThunkSListPtr32; 111 | PAPI_SET_NAMESPACE ApiSetMap; 112 | ULONG TlsExpansionCounter; 113 | PVOID TlsBitmap; 114 | ULONG TlsBitmapBits[2]; 115 | 116 | PVOID ReadOnlySharedMemoryBase; 117 | PVOID SharedData; // HotpatchInformation 118 | PVOID *ReadOnlyStaticServerData; 119 | 120 | PVOID AnsiCodePageData; // PCPTABLEINFO 121 | PVOID OemCodePageData; // PCPTABLEINFO 122 | PVOID UnicodeCaseTableData; // PNLSTABLEINFO 123 | 124 | ULONG NumberOfProcessors; 125 | ULONG NtGlobalFlag; 126 | 127 | ULARGE_INTEGER CriticalSectionTimeout; 128 | SIZE_T HeapSegmentReserve; 129 | SIZE_T HeapSegmentCommit; 130 | SIZE_T HeapDeCommitTotalFreeThreshold; 131 | SIZE_T HeapDeCommitFreeBlockThreshold; 132 | 133 | ULONG NumberOfHeaps; 134 | ULONG MaximumNumberOfHeaps; 135 | PVOID *ProcessHeaps; // PHEAP 136 | 137 | PVOID GdiSharedHandleTable; 138 | 
PVOID ProcessStarterHelper; 139 | ULONG GdiDCAttributeList; 140 | 141 | PRTL_CRITICAL_SECTION LoaderLock; 142 | 143 | ULONG OSMajorVersion; 144 | ULONG OSMinorVersion; 145 | USHORT OSBuildNumber; 146 | USHORT OSCSDVersion; 147 | ULONG OSPlatformId; 148 | ULONG ImageSubsystem; 149 | ULONG ImageSubsystemMajorVersion; 150 | ULONG ImageSubsystemMinorVersion; 151 | KAFFINITY ActiveProcessAffinityMask; 152 | GDI_HANDLE_BUFFER GdiHandleBuffer; 153 | PVOID PostProcessInitRoutine; 154 | 155 | PVOID TlsExpansionBitmap; 156 | ULONG TlsExpansionBitmapBits[32]; 157 | 158 | ULONG SessionId; 159 | 160 | ULARGE_INTEGER AppCompatFlags; 161 | ULARGE_INTEGER AppCompatFlagsUser; 162 | PVOID pShimData; 163 | PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA 164 | 165 | UNICODE_STRING CSDVersion; 166 | 167 | PACTIVATION_CONTEXT_DATA ActivationContextData; 168 | PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap; 169 | PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData; 170 | PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap; 171 | 172 | SIZE_T MinimumStackCommit; 173 | 174 | PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) 175 | PVOID PatchLoaderData; 176 | PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO 177 | 178 | ULONG AppModelFeatureState; 179 | ULONG SpareUlongs[2]; 180 | 181 | USHORT ActiveCodePage; 182 | USHORT OemCodePage; 183 | USHORT UseCaseMapping; 184 | USHORT UnusedNlsField; 185 | 186 | PVOID WerRegistrationData; 187 | PVOID WerShipAssertPtr; 188 | 189 | union 190 | { 191 | PVOID pContextData; // WIN7 192 | PVOID pUnused; // WIN10 193 | PVOID EcCodeBitMap; // WIN11 194 | }; 195 | 196 | PVOID pImageHeaderHash; 197 | union 198 | { 199 | ULONG TracingFlags; 200 | struct 201 | { 202 | ULONG HeapTracingEnabled : 1; 203 | ULONG CritSecTracingEnabled : 1; 204 | ULONG LibLoaderTracingEnabled : 1; 205 | ULONG SpareTracingBits : 29; 206 | }; 207 | }; 208 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 209 | PRTL_CRITICAL_SECTION TppWorkerpListLock; 210 | 
LIST_ENTRY TppWorkerpList; 211 | PVOID WaitOnAddressHashTable[128]; 212 | PVOID TelemetryCoverageHeader; // REDSTONE3 213 | ULONG CloudFileFlags; 214 | ULONG CloudFileDiagFlags; // REDSTONE4 215 | CHAR PlaceholderCompatibilityMode; 216 | CHAR PlaceholderCompatibilityModeReserved[7]; 217 | struct _LEAP_SECOND_DATA *LeapSecondData; // REDSTONE5 218 | union 219 | { 220 | ULONG LeapSecondFlags; 221 | struct 222 | { 223 | ULONG SixtySecondEnabled : 1; 224 | ULONG Reserved : 31; 225 | }; 226 | }; 227 | ULONG NtGlobalFlag2; 228 | ULONGLONG ExtendedFeatureDisableMask; // since WIN11 229 | } PEB, *PPEB; 230 | 231 | #ifdef _WIN64 232 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); 233 | //C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 234 | //C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 235 | //C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 236 | C_ASSERT(sizeof(PEB) == 0x7d0); // WIN11 237 | #else 238 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); 239 | //C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 240 | //C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4 241 | //C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 242 | C_ASSERT(sizeof(PEB) == 0x488); // WIN11 243 | #endif 244 | 245 | #define GDI_BATCH_BUFFER_SIZE 310 246 | 247 | typedef struct _GDI_TEB_BATCH 248 | { 249 | ULONG Offset; 250 | ULONG_PTR HDC; 251 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 252 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 253 | 254 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 255 | { 256 | ULONG Flags; 257 | PSTR FrameName; 258 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 259 | 260 | typedef struct _TEB_ACTIVE_FRAME 261 | { 262 | ULONG Flags; 263 | struct _TEB_ACTIVE_FRAME *Previous; 264 | PTEB_ACTIVE_FRAME_CONTEXT Context; 265 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 266 | 267 | typedef struct _TEB 268 | { 269 | NT_TIB NtTib; 270 | 271 | PVOID EnvironmentPointer; 272 | CLIENT_ID ClientId; 273 | PVOID ActiveRpcHandle; 274 | PVOID ThreadLocalStoragePointer; 275 | PPEB 
ProcessEnvironmentBlock; 276 | 277 | ULONG LastErrorValue; 278 | ULONG CountOfOwnedCriticalSections; 279 | PVOID CsrClientThread; 280 | PVOID Win32ThreadInfo; 281 | ULONG User32Reserved[26]; 282 | ULONG UserReserved[5]; 283 | PVOID WOW32Reserved; 284 | LCID CurrentLocale; 285 | ULONG FpSoftwareStatusRegister; 286 | PVOID ReservedForDebuggerInstrumentation[16]; 287 | #ifdef _WIN64 288 | PVOID SystemReserved1[30]; 289 | #else 290 | PVOID SystemReserved1[26]; 291 | #endif 292 | 293 | CHAR PlaceholderCompatibilityMode; 294 | BOOLEAN PlaceholderHydrationAlwaysExplicit; 295 | CHAR PlaceholderReserved[10]; 296 | 297 | ULONG ProxiedProcessId; 298 | ACTIVATION_CONTEXT_STACK ActivationStack; 299 | 300 | UCHAR WorkingOnBehalfTicket[8]; 301 | NTSTATUS ExceptionCode; 302 | 303 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 304 | ULONG_PTR InstrumentationCallbackSp; 305 | ULONG_PTR InstrumentationCallbackPreviousPc; 306 | ULONG_PTR InstrumentationCallbackPreviousSp; 307 | #ifdef _WIN64 308 | ULONG TxFsContext; 309 | #endif 310 | 311 | BOOLEAN InstrumentationCallbackDisabled; 312 | #ifdef _WIN64 313 | BOOLEAN UnalignedLoadStoreExceptions; 314 | #endif 315 | #ifndef _WIN64 316 | UCHAR SpareBytes[23]; 317 | ULONG TxFsContext; 318 | #endif 319 | GDI_TEB_BATCH GdiTebBatch; 320 | CLIENT_ID RealClientId; 321 | HANDLE GdiCachedProcessHandle; 322 | ULONG GdiClientPID; 323 | ULONG GdiClientTID; 324 | PVOID GdiThreadLocalInfo; 325 | ULONG_PTR Win32ClientInfo[62]; 326 | PVOID glDispatchTable[233]; 327 | ULONG_PTR glReserved1[29]; 328 | PVOID glReserved2; 329 | PVOID glSectionInfo; 330 | PVOID glSection; 331 | PVOID glTable; 332 | PVOID glCurrentRC; 333 | PVOID glContext; 334 | 335 | NTSTATUS LastStatusValue; 336 | UNICODE_STRING StaticUnicodeString; 337 | WCHAR StaticUnicodeBuffer[261]; 338 | 339 | PVOID DeallocationStack; 340 | PVOID TlsSlots[64]; 341 | LIST_ENTRY TlsLinks; 342 | 343 | PVOID Vdm; 344 | PVOID ReservedForNtRpc; 345 | PVOID DbgSsReserved[2]; 346 | 347 | ULONG 
HardErrorMode; 348 | #ifdef _WIN64 349 | PVOID Instrumentation[11]; 350 | #else 351 | PVOID Instrumentation[9]; 352 | #endif 353 | GUID ActivityId; 354 | 355 | PVOID SubProcessTag; 356 | PVOID PerflibData; 357 | PVOID EtwTraceData; 358 | PVOID WinSockData; 359 | ULONG GdiBatchCount; 360 | 361 | union 362 | { 363 | PROCESSOR_NUMBER CurrentIdealProcessor; 364 | ULONG IdealProcessorValue; 365 | struct 366 | { 367 | UCHAR ReservedPad0; 368 | UCHAR ReservedPad1; 369 | UCHAR ReservedPad2; 370 | UCHAR IdealProcessor; 371 | }; 372 | }; 373 | 374 | ULONG GuaranteedStackBytes; 375 | PVOID ReservedForPerf; 376 | PVOID ReservedForOle; 377 | ULONG WaitingOnLoaderLock; 378 | PVOID SavedPriorityState; 379 | ULONG_PTR ReservedForCodeCoverage; 380 | PVOID ThreadPoolData; 381 | PVOID *TlsExpansionSlots; 382 | #ifdef _WIN64 383 | PVOID DeallocationBStore; 384 | PVOID BStoreLimit; 385 | #endif 386 | ULONG MuiGeneration; 387 | ULONG IsImpersonating; 388 | PVOID NlsCache; 389 | PVOID pShimData; 390 | ULONG HeapData; 391 | HANDLE CurrentTransactionHandle; 392 | PTEB_ACTIVE_FRAME ActiveFrame; 393 | PVOID FlsData; 394 | 395 | PVOID PreferredLanguages; 396 | PVOID UserPrefLanguages; 397 | PVOID MergedPrefLanguages; 398 | ULONG MuiImpersonation; 399 | 400 | union 401 | { 402 | USHORT CrossTebFlags; 403 | USHORT SpareCrossTebBits : 16; 404 | }; 405 | union 406 | { 407 | USHORT SameTebFlags; 408 | struct 409 | { 410 | USHORT SafeThunkCall : 1; 411 | USHORT InDebugPrint : 1; 412 | USHORT HasFiberData : 1; 413 | USHORT SkipThreadAttach : 1; 414 | USHORT WerInShipAssertCode : 1; 415 | USHORT RanProcessInit : 1; 416 | USHORT ClonedThread : 1; 417 | USHORT SuppressDebugMsg : 1; 418 | USHORT DisableUserStackWalk : 1; 419 | USHORT RtlExceptionAttached : 1; 420 | USHORT InitialThread : 1; 421 | USHORT SessionAware : 1; 422 | USHORT LoadOwner : 1; 423 | USHORT LoaderWorker : 1; 424 | USHORT SkipLoaderInit : 1; 425 | USHORT SkipFileAPIBrokering : 1; 426 | }; 427 | }; 428 | 429 | PVOID 
TxnScopeEnterCallback; 430 | PVOID TxnScopeExitCallback; 431 | PVOID TxnScopeContext; 432 | ULONG LockCount; 433 | LONG WowTebOffset; 434 | PVOID ResourceRetValue; 435 | PVOID ReservedForWdf; 436 | ULONGLONG ReservedForCrt; 437 | GUID EffectiveContainerId; 438 | ULONGLONG LastSleepCounter; // Win11 439 | ULONG SpinCallCount; 440 | ULONGLONG ExtendedFeatureDisableMask; 441 | } TEB, *PTEB; 442 | 443 | #endif 444 | -------------------------------------------------------------------------------- /phnt/include/ntregapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Registry support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTREGAPI_H 8 | #define _NTREGAPI_H 9 | 10 | // Boot condition flags (NtInitializeRegistry) 11 | 12 | #define REG_INIT_BOOT_SM 0x0000 13 | #define REG_INIT_BOOT_SETUP 0x0001 14 | #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 15 | #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 16 | 17 | #define REG_MAX_KEY_VALUE_NAME_LENGTH 32767 18 | #define REG_MAX_KEY_NAME_LENGTH 512 19 | 20 | typedef enum _KEY_INFORMATION_CLASS 21 | { 22 | KeyBasicInformation, // KEY_BASIC_INFORMATION 23 | KeyNodeInformation, // KEY_NODE_INFORMATION 24 | KeyFullInformation, // KEY_FULL_INFORMATION 25 | KeyNameInformation, // KEY_NAME_INFORMATION 26 | KeyCachedInformation, // KEY_CACHED_INFORMATION 27 | KeyFlagsInformation, // KEY_FLAGS_INFORMATION 28 | KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION 29 | KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 30 | KeyTrustInformation, // KEY_TRUST_INFORMATION 31 | KeyLayerInformation, // KEY_LAYER_INFORMATION 32 | MaxKeyInfoClass 33 | } KEY_INFORMATION_CLASS; 34 | 35 | typedef struct _KEY_BASIC_INFORMATION 36 | { 37 | LARGE_INTEGER LastWriteTime; 38 | ULONG TitleIndex; 39 | ULONG NameLength; 40 | _Field_size_bytes_(NameLength) WCHAR Name[1]; 41 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 42 | 43 | 
typedef struct _KEY_NODE_INFORMATION 44 | { 45 | LARGE_INTEGER LastWriteTime; 46 | ULONG TitleIndex; 47 | ULONG ClassOffset; 48 | ULONG ClassLength; 49 | ULONG NameLength; 50 | _Field_size_bytes_(NameLength) WCHAR Name[1]; 51 | // ... 52 | // WCHAR Class[1]; 53 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 54 | 55 | typedef struct _KEY_FULL_INFORMATION 56 | { 57 | LARGE_INTEGER LastWriteTime; 58 | ULONG TitleIndex; 59 | ULONG ClassOffset; 60 | ULONG ClassLength; 61 | ULONG SubKeys; 62 | ULONG MaxNameLen; 63 | ULONG MaxClassLen; 64 | ULONG Values; 65 | ULONG MaxValueNameLen; 66 | ULONG MaxValueDataLen; 67 | WCHAR Class[1]; 68 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 69 | 70 | typedef struct _KEY_NAME_INFORMATION 71 | { 72 | ULONG NameLength; 73 | _Field_size_bytes_(NameLength) WCHAR Name[1]; 74 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 75 | 76 | typedef struct _KEY_CACHED_INFORMATION 77 | { 78 | LARGE_INTEGER LastWriteTime; 79 | ULONG TitleIndex; 80 | ULONG SubKeys; 81 | ULONG MaxNameLen; 82 | ULONG Values; 83 | ULONG MaxValueNameLen; 84 | ULONG MaxValueDataLen; 85 | ULONG NameLength; 86 | _Field_size_bytes_(NameLength) WCHAR Name[1]; 87 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 88 | 89 | // rev 90 | #define REG_FLAG_VOLATILE 0x0001 91 | #define REG_FLAG_LINK 0x0002 92 | 93 | // msdn 94 | #define REG_KEY_DONT_VIRTUALIZE 0x0002 95 | #define REG_KEY_DONT_SILENT_FAIL 0x0004 96 | #define REG_KEY_RECURSE_FLAG 0x0008 97 | 98 | // private 99 | typedef struct _KEY_FLAGS_INFORMATION 100 | { 101 | ULONG Wow64Flags; 102 | ULONG KeyFlags; // REG_FLAG_* 103 | ULONG ControlFlags; // REG_KEY_* 104 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 105 | 106 | typedef struct _KEY_VIRTUALIZATION_INFORMATION 107 | { 108 | ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). 109 | ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. 
Can be 1 only if above flag is 1. 110 | ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. 111 | ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles. 112 | ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. 113 | ULONG Reserved : 27; 114 | } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; 115 | 116 | // private 117 | typedef struct _KEY_TRUST_INFORMATION 118 | { 119 | ULONG TrustedKey : 1; 120 | ULONG Reserved : 31; 121 | } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; 122 | 123 | // private 124 | typedef struct _KEY_LAYER_INFORMATION 125 | { 126 | ULONG IsTombstone : 1; 127 | ULONG IsSupersedeLocal : 1; 128 | ULONG IsSupersedeTree : 1; 129 | ULONG ClassIsInherited : 1; 130 | ULONG Reserved : 28; 131 | } KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION; 132 | 133 | typedef enum _KEY_SET_INFORMATION_CLASS 134 | { 135 | KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION 136 | KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION 137 | KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION 138 | KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION 139 | KeySetDebugInformation, 140 | KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 141 | KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION 142 | MaxKeySetInfoClass 143 | } KEY_SET_INFORMATION_CLASS; 144 | 145 | typedef struct _KEY_WRITE_TIME_INFORMATION 146 | { 147 | LARGE_INTEGER LastWriteTime; 148 | } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; 149 | 150 | typedef struct _KEY_WOW64_FLAGS_INFORMATION 151 | { 152 | ULONG UserFlags; 153 | } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; 154 | 155 | typedef struct _KEY_HANDLE_TAGS_INFORMATION 156 | { 157 | ULONG HandleTags; 158 | } KEY_HANDLE_TAGS_INFORMATION, 
*PKEY_HANDLE_TAGS_INFORMATION; 159 | 160 | typedef struct _KEY_SET_LAYER_INFORMATION 161 | { 162 | ULONG IsTombstone : 1; 163 | ULONG IsSupersedeLocal : 1; 164 | ULONG IsSupersedeTree : 1; 165 | ULONG ClassIsInherited : 1; 166 | ULONG Reserved : 28; 167 | } KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION; 168 | 169 | typedef struct _KEY_CONTROL_FLAGS_INFORMATION 170 | { 171 | ULONG ControlFlags; 172 | } KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION; 173 | 174 | typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION 175 | { 176 | ULONG VirtualTarget : 1; 177 | ULONG VirtualStore : 1; 178 | ULONG VirtualSource : 1; // true if key has been virtualized at least once 179 | ULONG Reserved : 29; 180 | } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION; 181 | 182 | typedef enum _KEY_VALUE_INFORMATION_CLASS 183 | { 184 | KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION 185 | KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION 186 | KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION 187 | KeyValueFullInformationAlign64, 188 | KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 189 | KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION 190 | MaxKeyValueInfoClass 191 | } KEY_VALUE_INFORMATION_CLASS; 192 | 193 | typedef struct _KEY_VALUE_BASIC_INFORMATION 194 | { 195 | ULONG TitleIndex; 196 | ULONG Type; 197 | ULONG NameLength; 198 | _Field_size_bytes_(NameLength) WCHAR Name[1]; 199 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 200 | 201 | typedef struct _KEY_VALUE_FULL_INFORMATION 202 | { 203 | ULONG TitleIndex; 204 | ULONG Type; 205 | ULONG DataOffset; 206 | ULONG DataLength; 207 | ULONG NameLength; 208 | _Field_size_bytes_(NameLength) WCHAR Name[1]; 209 | // ... 
210 | // UCHAR Data[1]; 211 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 212 | 213 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION 214 | { 215 | ULONG TitleIndex; 216 | ULONG Type; 217 | ULONG DataLength; 218 | _Field_size_bytes_(DataLength) UCHAR Data[1]; 219 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 220 | 221 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 222 | { 223 | ULONG Type; 224 | ULONG DataLength; 225 | _Field_size_bytes_(DataLength) UCHAR Data[1]; 226 | } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; 227 | 228 | // private 229 | typedef struct _KEY_VALUE_LAYER_INFORMATION 230 | { 231 | ULONG IsTombstone : 1; 232 | ULONG Reserved : 31; 233 | } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; 234 | 235 | // rev 236 | typedef enum _KEY_LOAD_ENTRY_TYPE 237 | { 238 | KeyLoadTrustClassKey = 1, 239 | KeyLoadEvent, 240 | KeyLoadToken 241 | } KEY_LOAD_ENTRY_TYPE; 242 | 243 | // rev 244 | typedef struct _KEY_LOAD_ENTRY 245 | { 246 | KEY_LOAD_ENTRY_TYPE EntryType; 247 | union 248 | { 249 | HANDLE Handle; 250 | ULONG_PTR Value; 251 | }; 252 | } KEY_LOAD_ENTRY, *PKEY_LOAD_ENTRY; 253 | 254 | typedef struct _KEY_VALUE_ENTRY 255 | { 256 | PUNICODE_STRING ValueName; 257 | ULONG DataLength; 258 | ULONG DataOffset; 259 | ULONG Type; 260 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 261 | 262 | typedef enum _REG_ACTION 263 | { 264 | KeyAdded, 265 | KeyRemoved, 266 | KeyModified 267 | } REG_ACTION; 268 | 269 | typedef struct _REG_NOTIFY_INFORMATION 270 | { 271 | ULONG NextEntryOffset; 272 | REG_ACTION Action; 273 | ULONG KeyLength; 274 | WCHAR Key[1]; 275 | } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION; 276 | 277 | typedef struct _KEY_PID_ARRAY 278 | { 279 | HANDLE ProcessId; 280 | UNICODE_STRING KeyName; 281 | } KEY_PID_ARRAY, *PKEY_PID_ARRAY; 282 | 283 | typedef struct _KEY_OPEN_SUBKEYS_INFORMATION 284 | { 285 | ULONG Count; 286 | KEY_PID_ARRAY KeyArray[1]; 287 | } 
KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; 288 | 289 | // System calls 290 | 291 | NTSYSCALLAPI 292 | NTSTATUS 293 | NTAPI 294 | NtCreateKey( 295 | _Out_ PHANDLE KeyHandle, 296 | _In_ ACCESS_MASK DesiredAccess, 297 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 298 | _Reserved_ ULONG TitleIndex, 299 | _In_opt_ PUNICODE_STRING Class, 300 | _In_ ULONG CreateOptions, 301 | _Out_opt_ PULONG Disposition 302 | ); 303 | 304 | #if (PHNT_VERSION >= PHNT_VISTA) 305 | NTSYSCALLAPI 306 | NTSTATUS 307 | NTAPI 308 | NtCreateKeyTransacted( 309 | _Out_ PHANDLE KeyHandle, 310 | _In_ ACCESS_MASK DesiredAccess, 311 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 312 | _Reserved_ ULONG TitleIndex, 313 | _In_opt_ PUNICODE_STRING Class, 314 | _In_ ULONG CreateOptions, 315 | _In_ HANDLE TransactionHandle, 316 | _Out_opt_ PULONG Disposition 317 | ); 318 | #endif 319 | 320 | NTSYSCALLAPI 321 | NTSTATUS 322 | NTAPI 323 | NtOpenKey( 324 | _Out_ PHANDLE KeyHandle, 325 | _In_ ACCESS_MASK DesiredAccess, 326 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 327 | ); 328 | 329 | #if (PHNT_VERSION >= PHNT_VISTA) 330 | NTSYSCALLAPI 331 | NTSTATUS 332 | NTAPI 333 | NtOpenKeyTransacted( 334 | _Out_ PHANDLE KeyHandle, 335 | _In_ ACCESS_MASK DesiredAccess, 336 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 337 | _In_ HANDLE TransactionHandle 338 | ); 339 | #endif 340 | 341 | #if (PHNT_VERSION >= PHNT_WIN7) 342 | NTSYSCALLAPI 343 | NTSTATUS 344 | NTAPI 345 | NtOpenKeyEx( 346 | _Out_ PHANDLE KeyHandle, 347 | _In_ ACCESS_MASK DesiredAccess, 348 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 349 | _In_ ULONG OpenOptions 350 | ); 351 | #endif 352 | 353 | #if (PHNT_VERSION >= PHNT_WIN7) 354 | NTSYSCALLAPI 355 | NTSTATUS 356 | NTAPI 357 | NtOpenKeyTransactedEx( 358 | _Out_ PHANDLE KeyHandle, 359 | _In_ ACCESS_MASK DesiredAccess, 360 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 361 | _In_ ULONG OpenOptions, 362 | _In_ HANDLE TransactionHandle 363 | ); 364 | #endif 365 | 366 | NTSYSCALLAPI 367 | NTSTATUS 368 | 
NTAPI 369 | NtDeleteKey( 370 | _In_ HANDLE KeyHandle 371 | ); 372 | 373 | NTSYSCALLAPI 374 | NTSTATUS 375 | NTAPI 376 | NtRenameKey( 377 | _In_ HANDLE KeyHandle, 378 | _In_ PUNICODE_STRING NewName 379 | ); 380 | 381 | NTSYSCALLAPI 382 | NTSTATUS 383 | NTAPI 384 | NtDeleteValueKey( 385 | _In_ HANDLE KeyHandle, 386 | _In_ PUNICODE_STRING ValueName 387 | ); 388 | 389 | NTSYSCALLAPI 390 | NTSTATUS 391 | NTAPI 392 | NtQueryKey( 393 | _In_ HANDLE KeyHandle, 394 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 395 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 396 | _In_ ULONG Length, 397 | _Out_ PULONG ResultLength 398 | ); 399 | 400 | NTSYSCALLAPI 401 | NTSTATUS 402 | NTAPI 403 | NtSetInformationKey( 404 | _In_ HANDLE KeyHandle, 405 | _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, 406 | _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, 407 | _In_ ULONG KeySetInformationLength 408 | ); 409 | 410 | NTSYSCALLAPI 411 | NTSTATUS 412 | NTAPI 413 | NtQueryValueKey( 414 | _In_ HANDLE KeyHandle, 415 | _In_ PUNICODE_STRING ValueName, 416 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 417 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 418 | _In_ ULONG Length, 419 | _Out_ PULONG ResultLength 420 | ); 421 | 422 | NTSYSCALLAPI 423 | NTSTATUS 424 | NTAPI 425 | NtSetValueKey( 426 | _In_ HANDLE KeyHandle, 427 | _In_ PUNICODE_STRING ValueName, 428 | _In_opt_ ULONG TitleIndex, 429 | _In_ ULONG Type, 430 | _In_reads_bytes_opt_(DataSize) PVOID Data, 431 | _In_ ULONG DataSize 432 | ); 433 | 434 | NTSYSCALLAPI 435 | NTSTATUS 436 | NTAPI 437 | NtQueryMultipleValueKey( 438 | _In_ HANDLE KeyHandle, 439 | _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, 440 | _In_ ULONG EntryCount, 441 | _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, 442 | _Inout_ PULONG BufferLength, 443 | _Out_opt_ PULONG RequiredBufferLength 444 | ); 445 | 446 | NTSYSCALLAPI 447 | NTSTATUS 448 | NTAPI 449 | NtEnumerateKey( 450 | _In_ HANDLE KeyHandle, 
451 | _In_ ULONG Index, 452 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 453 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 454 | _In_ ULONG Length, 455 | _Out_ PULONG ResultLength 456 | ); 457 | 458 | NTSYSCALLAPI 459 | NTSTATUS 460 | NTAPI 461 | NtEnumerateValueKey( 462 | _In_ HANDLE KeyHandle, 463 | _In_ ULONG Index, 464 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 465 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 466 | _In_ ULONG Length, 467 | _Out_ PULONG ResultLength 468 | ); 469 | 470 | NTSYSCALLAPI 471 | NTSTATUS 472 | NTAPI 473 | NtFlushKey( 474 | _In_ HANDLE KeyHandle 475 | ); 476 | 477 | NTSYSCALLAPI 478 | NTSTATUS 479 | NTAPI 480 | NtCompactKeys( 481 | _In_ ULONG Count, 482 | _In_reads_(Count) HANDLE KeyArray[] 483 | ); 484 | 485 | NTSYSCALLAPI 486 | NTSTATUS 487 | NTAPI 488 | NtCompressKey( 489 | _In_ HANDLE Key 490 | ); 491 | 492 | NTSYSCALLAPI 493 | NTSTATUS 494 | NTAPI 495 | NtLoadKey( 496 | _In_ POBJECT_ATTRIBUTES TargetKey, 497 | _In_ POBJECT_ATTRIBUTES SourceFile 498 | ); 499 | 500 | NTSYSCALLAPI 501 | NTSTATUS 502 | NTAPI 503 | NtLoadKey2( 504 | _In_ POBJECT_ATTRIBUTES TargetKey, 505 | _In_ POBJECT_ATTRIBUTES SourceFile, 506 | _In_ ULONG Flags 507 | ); 508 | 509 | NTSYSCALLAPI 510 | NTSTATUS 511 | NTAPI 512 | NtLoadKeyEx( 513 | _In_ POBJECT_ATTRIBUTES TargetKey, 514 | _In_ POBJECT_ATTRIBUTES SourceFile, 515 | _In_ ULONG Flags, 516 | _In_opt_ HANDLE TrustClassKey, // this and below were added on Win10 517 | _In_opt_ HANDLE Event, 518 | _In_opt_ ACCESS_MASK DesiredAccess, 519 | _Out_opt_ PHANDLE RootHandle, 520 | _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK 521 | ); 522 | 523 | // rev by tyranid 524 | #if (PHNT_VERSION >= PHNT_20H1) 525 | NTSYSCALLAPI 526 | NTSTATUS 527 | NTAPI 528 | NtLoadKey3( 529 | _In_ POBJECT_ATTRIBUTES TargetKey, 530 | _In_ POBJECT_ATTRIBUTES SourceFile, 531 | _In_ ULONG Flags, 532 | _In_reads_(LoadEntryCount) PKEY_LOAD_ENTRY LoadEntries, 533 | _In_ ULONG LoadEntryCount, 
534 | _In_opt_ ACCESS_MASK DesiredAccess, 535 | _Out_opt_ PHANDLE RootHandle, 536 | _Reserved_ PVOID Reserved 537 | ); 538 | #endif 539 | 540 | NTSYSCALLAPI 541 | NTSTATUS 542 | NTAPI 543 | NtReplaceKey( 544 | _In_ POBJECT_ATTRIBUTES NewFile, 545 | _In_ HANDLE TargetHandle, 546 | _In_ POBJECT_ATTRIBUTES OldFile 547 | ); 548 | 549 | NTSYSCALLAPI 550 | NTSTATUS 551 | NTAPI 552 | NtSaveKey( 553 | _In_ HANDLE KeyHandle, 554 | _In_ HANDLE FileHandle 555 | ); 556 | 557 | NTSYSCALLAPI 558 | NTSTATUS 559 | NTAPI 560 | NtSaveKeyEx( 561 | _In_ HANDLE KeyHandle, 562 | _In_ HANDLE FileHandle, 563 | _In_ ULONG Format 564 | ); 565 | 566 | NTSYSCALLAPI 567 | NTSTATUS 568 | NTAPI 569 | NtSaveMergedKeys( 570 | _In_ HANDLE HighPrecedenceKeyHandle, 571 | _In_ HANDLE LowPrecedenceKeyHandle, 572 | _In_ HANDLE FileHandle 573 | ); 574 | 575 | NTSYSCALLAPI 576 | NTSTATUS 577 | NTAPI 578 | NtRestoreKey( 579 | _In_ HANDLE KeyHandle, 580 | _In_ HANDLE FileHandle, 581 | _In_ ULONG Flags 582 | ); 583 | 584 | NTSYSCALLAPI 585 | NTSTATUS 586 | NTAPI 587 | NtUnloadKey( 588 | _In_ POBJECT_ATTRIBUTES TargetKey 589 | ); 590 | 591 | // 592 | // NtUnloadKey2 Flags (from winnt.h) 593 | // 594 | //#define REG_FORCE_UNLOAD 1 595 | //#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) 596 | 597 | NTSYSCALLAPI 598 | NTSTATUS 599 | NTAPI 600 | NtUnloadKey2( 601 | _In_ POBJECT_ATTRIBUTES TargetKey, 602 | _In_ ULONG Flags 603 | ); 604 | 605 | NTSYSCALLAPI 606 | NTSTATUS 607 | NTAPI 608 | NtUnloadKeyEx( 609 | _In_ POBJECT_ATTRIBUTES TargetKey, 610 | _In_opt_ HANDLE Event 611 | ); 612 | 613 | NTSYSCALLAPI 614 | NTSTATUS 615 | NTAPI 616 | NtNotifyChangeKey( 617 | _In_ HANDLE KeyHandle, 618 | _In_opt_ HANDLE Event, 619 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 620 | _In_opt_ PVOID ApcContext, 621 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 622 | _In_ ULONG CompletionFilter, 623 | _In_ BOOLEAN WatchTree, 624 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 625 | _In_ ULONG BufferSize, 626 | _In_ BOOLEAN Asynchronous 627 
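| ); 628 | 629 | NTSYSCALLAPI 630 | NTSTATUS 631 | NTAPI 632 | NtNotifyChangeMultipleKeys( 633 | _In_ HANDLE MasterKeyHandle, 634 | _In_opt_ ULONG Count, 635 | _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], 636 | _In_opt_ HANDLE Event, 637 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 638 | _In_opt_ PVOID ApcContext, 639 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 640 | _In_ ULONG CompletionFilter, 641 | _In_ BOOLEAN WatchTree, 642 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 643 | _In_ ULONG BufferSize, 644 | _In_ BOOLEAN Asynchronous 645 | ); 646 | 647 | NTSYSCALLAPI 648 | NTSTATUS 649 | NTAPI 650 | NtQueryOpenSubKeys( 651 | _In_ POBJECT_ATTRIBUTES TargetKey, 652 | _Out_ PULONG HandleCount 653 | ); 654 | 655 | NTSYSCALLAPI 656 | NTSTATUS 657 | NTAPI 658 | NtQueryOpenSubKeysEx( 659 | _In_ POBJECT_ATTRIBUTES TargetKey, 660 | _In_ ULONG BufferLength, 661 | _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, 662 | _Out_ PULONG RequiredSize 663 | ); 664 | 665 | NTSYSCALLAPI 666 | NTSTATUS 667 | NTAPI 668 | NtInitializeRegistry( 669 | _In_ USHORT BootCondition 670 | ); 671 | 672 | NTSYSCALLAPI 673 | NTSTATUS 674 | NTAPI 675 | NtLockRegistryKey( 676 | _In_ HANDLE KeyHandle 677 | ); 678 | 679 | NTSYSCALLAPI 680 | NTSTATUS 681 | NTAPI 682 | NtLockProductActivationKeys( 683 | _Inout_opt_ ULONG *pPrivateVer, 684 | _Out_opt_ ULONG *pSafeMode 685 | ); 686 | 687 | #if (PHNT_VERSION >= PHNT_VISTA) 688 | // private 689 | NTSYSCALLAPI 690 | NTSTATUS 691 | NTAPI 692 | NtFreezeRegistry( 693 | _In_ ULONG TimeOutInSeconds 694 | ); 695 | #endif 696 | 697 | #if (PHNT_VERSION >= PHNT_VISTA) 698 | // private 699 | NTSYSCALLAPI 700 | NTSTATUS 701 | NTAPI 702 | NtThawRegistry( 703 | VOID 704 | ); 705 | #endif 706 | 707 | #if (PHNT_VERSION >= PHNT_REDSTONE) 708 | /* Declared with NTSYSCALLAPI/NTAPI like every other syscall in this header; without NTAPI a 32-bit build would apply the compiler's default calling convention to this prototype. */ NTSYSCALLAPI NTSTATUS NTAPI NtCreateRegistryTransaction( 709 | _Out_ HANDLE *RegistryTransactionHandle, 710 | _In_ ACCESS_MASK DesiredAccess, 711 | _In_opt_ POBJECT_ATTRIBUTES ObjAttributes, 712 | _Reserved_ ULONG CreateOptions 713 | ); 714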
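| #endif 715 | 716 | #if (PHNT_VERSION >= PHNT_REDSTONE) 717 | /* NTSYSCALLAPI/NTAPI added for consistency with the other syscall declarations in this header; without NTAPI a 32-bit build would apply the compiler's default calling convention to these three prototypes. */ NTSYSCALLAPI NTSTATUS NTAPI NtOpenRegistryTransaction( 718 | _Out_ HANDLE *RegistryTransactionHandle, 719 | _In_ ACCESS_MASK DesiredAccess, 720 | _In_ POBJECT_ATTRIBUTES ObjAttributes 721 | ); 722 | #endif 723 | 724 | #if (PHNT_VERSION >= PHNT_REDSTONE) 725 | NTSYSCALLAPI NTSTATUS NTAPI NtCommitRegistryTransaction( 726 | _In_ HANDLE RegistryTransactionHandle, 727 | _Reserved_ ULONG Flags 728 | ); 729 | #endif 730 | 731 | #if (PHNT_VERSION >= PHNT_REDSTONE) 732 | NTSYSCALLAPI NTSTATUS NTAPI NtRollbackRegistryTransaction( 733 | _In_ HANDLE RegistryTransactionHandle, 734 | _Reserved_ ULONG Flags 735 | ); 736 | #endif 737 | 738 | #endif 739 | -------------------------------------------------------------------------------- /phnt/include/ntwow64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Windows on Windows support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTWOW64_H 8 | #define _NTWOW64_H 9 | 10 | #define WOW64_SYSTEM_DIRECTORY "SysWOW64" 11 | #define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64" 12 | #define WOW64_X86_TAG " (x86)" 13 | #define WOW64_X86_TAG_U L" (x86)" 14 | 15 | // In USER_SHARED_DATA 16 | typedef enum _WOW64_SHARED_INFORMATION 17 | { 18 | SharedNtdll32LdrInitializeThunk, 19 | SharedNtdll32KiUserExceptionDispatcher, 20 | SharedNtdll32KiUserApcDispatcher, 21 | SharedNtdll32KiUserCallbackDispatcher, 22 | SharedNtdll32ExpInterlockedPopEntrySListFault, 23 | SharedNtdll32ExpInterlockedPopEntrySListResume, 24 | SharedNtdll32ExpInterlockedPopEntrySListEnd, 25 | SharedNtdll32RtlUserThreadStart, 26 | SharedNtdll32pQueryProcessDebugInformationRemote, 27 | SharedNtdll32BaseAddress, 28 | SharedNtdll32LdrSystemDllInitBlock, 29 | Wow64SharedPageEntriesCount 30 | } WOW64_SHARED_INFORMATION; 31 | 32 | // 32-bit definitions 33 | 34 | #define WOW64_POINTER(Type) ULONG 35 | 36 | typedef struct _RTL_BALANCED_NODE32 37 | { 38 | union 39 | { 40 | WOW64_POINTER(struct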
_RTL_BALANCED_NODE *) Children[2]; 41 | struct 42 | { 43 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left; 44 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right; 45 | }; 46 | }; 47 | union 48 | { 49 | WOW64_POINTER(UCHAR) Red : 1; 50 | WOW64_POINTER(UCHAR) Balance : 2; 51 | WOW64_POINTER(ULONG_PTR) ParentValue; 52 | }; 53 | } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32; 54 | 55 | typedef struct _RTL_RB_TREE32 56 | { 57 | WOW64_POINTER(PRTL_BALANCED_NODE) Root; 58 | WOW64_POINTER(PRTL_BALANCED_NODE) Min; 59 | } RTL_RB_TREE32, *PRTL_RB_TREE32; 60 | 61 | typedef struct _PEB_LDR_DATA32 62 | { 63 | ULONG Length; 64 | BOOLEAN Initialized; 65 | WOW64_POINTER(HANDLE) SsHandle; 66 | LIST_ENTRY32 InLoadOrderModuleList; 67 | LIST_ENTRY32 InMemoryOrderModuleList; 68 | LIST_ENTRY32 InInitializationOrderModuleList; 69 | WOW64_POINTER(PVOID) EntryInProgress; 70 | BOOLEAN ShutdownInProgress; 71 | WOW64_POINTER(HANDLE) ShutdownThreadId; 72 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32; 73 | 74 | typedef struct _LDR_SERVICE_TAG_RECORD32 75 | { 76 | WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next; 77 | ULONG ServiceTag; 78 | } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32; 79 | 80 | typedef struct _LDRP_CSLIST32 81 | { 82 | WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail; 83 | } LDRP_CSLIST32, *PLDRP_CSLIST32; 84 | 85 | typedef struct _LDR_DDAG_NODE32 86 | { 87 | LIST_ENTRY32 Modules; 88 | WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList; 89 | ULONG LoadCount; 90 | ULONG LoadWhileUnloadingCount; 91 | ULONG LowestLink; 92 | union 93 | { 94 | LDRP_CSLIST32 Dependencies; 95 | SINGLE_LIST_ENTRY32 RemovalLink; 96 | }; 97 | LDRP_CSLIST32 IncomingDependencies; 98 | LDR_DDAG_STATE State; 99 | SINGLE_LIST_ENTRY32 CondenseLink; 100 | ULONG PreorderNumber; 101 | } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32; 102 | 103 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode) 104 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, 
BaseNameHashValue) 105 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions) 106 | 107 | typedef struct _LDR_DATA_TABLE_ENTRY32 108 | { 109 | LIST_ENTRY32 InLoadOrderLinks; 110 | LIST_ENTRY32 InMemoryOrderLinks; 111 | union 112 | { 113 | LIST_ENTRY32 InInitializationOrderLinks; 114 | LIST_ENTRY32 InProgressLinks; 115 | }; 116 | WOW64_POINTER(PVOID) DllBase; 117 | WOW64_POINTER(PVOID) EntryPoint; 118 | ULONG SizeOfImage; 119 | UNICODE_STRING32 FullDllName; 120 | UNICODE_STRING32 BaseDllName; 121 | union 122 | { 123 | UCHAR FlagGroup[4]; 124 | ULONG Flags; 125 | struct 126 | { 127 | ULONG PackagedBinary : 1; 128 | ULONG MarkedForRemoval : 1; 129 | ULONG ImageDll : 1; 130 | ULONG LoadNotificationsSent : 1; 131 | ULONG TelemetryEntryProcessed : 1; 132 | ULONG ProcessStaticImport : 1; 133 | ULONG InLegacyLists : 1; 134 | ULONG InIndexes : 1; 135 | ULONG ShimDll : 1; 136 | ULONG InExceptionTable : 1; 137 | ULONG ReservedFlags1 : 2; 138 | ULONG LoadInProgress : 1; 139 | ULONG LoadConfigProcessed : 1; 140 | ULONG EntryProcessed : 1; 141 | ULONG ProtectDelayLoad : 1; 142 | ULONG ReservedFlags3 : 2; 143 | ULONG DontCallForThreads : 1; 144 | ULONG ProcessAttachCalled : 1; 145 | ULONG ProcessAttachFailed : 1; 146 | ULONG CorDeferredValidate : 1; 147 | ULONG CorImage : 1; 148 | ULONG DontRelocate : 1; 149 | ULONG CorILOnly : 1; 150 | ULONG ChpeImage : 1; 151 | ULONG ReservedFlags5 : 2; 152 | ULONG Redirected : 1; 153 | ULONG ReservedFlags6 : 2; 154 | ULONG CompatDatabaseProcessed : 1; 155 | }; 156 | }; 157 | USHORT ObsoleteLoadCount; 158 | USHORT TlsIndex; 159 | LIST_ENTRY32 HashLinks; 160 | ULONG TimeDateStamp; 161 | WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext; 162 | WOW64_POINTER(PVOID) Lock; 163 | WOW64_POINTER(PLDR_DDAG_NODE) DdagNode; 164 | LIST_ENTRY32 NodeModuleLink; 165 | WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext; 166 | WOW64_POINTER(PVOID) ParentDllBase; 167 | WOW64_POINTER(PVOID) 
SwitchBackContext; 168 | RTL_BALANCED_NODE32 BaseAddressIndexNode; 169 | RTL_BALANCED_NODE32 MappingInfoIndexNode; 170 | WOW64_POINTER(ULONG_PTR) OriginalBase; 171 | LARGE_INTEGER LoadTime; 172 | ULONG BaseNameHashValue; 173 | LDR_DLL_LOAD_REASON LoadReason; 174 | ULONG ImplicitPathOptions; 175 | ULONG ReferenceCount; 176 | ULONG DependentLoadFlags; 177 | UCHAR SigningLevel; // since REDSTONE2 178 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; 179 | 180 | typedef struct _CURDIR32 181 | { 182 | UNICODE_STRING32 DosPath; 183 | WOW64_POINTER(HANDLE) Handle; 184 | } CURDIR32, *PCURDIR32; 185 | 186 | typedef struct _RTL_DRIVE_LETTER_CURDIR32 187 | { 188 | USHORT Flags; 189 | USHORT Length; 190 | ULONG TimeStamp; 191 | STRING32 DosPath; 192 | } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; 193 | 194 | typedef struct _RTL_USER_PROCESS_PARAMETERS32 195 | { 196 | ULONG MaximumLength; 197 | ULONG Length; 198 | 199 | ULONG Flags; 200 | ULONG DebugFlags; 201 | 202 | WOW64_POINTER(HANDLE) ConsoleHandle; 203 | ULONG ConsoleFlags; 204 | WOW64_POINTER(HANDLE) StandardInput; 205 | WOW64_POINTER(HANDLE) StandardOutput; 206 | WOW64_POINTER(HANDLE) StandardError; 207 | 208 | CURDIR32 CurrentDirectory; 209 | UNICODE_STRING32 DllPath; 210 | UNICODE_STRING32 ImagePathName; 211 | UNICODE_STRING32 CommandLine; 212 | WOW64_POINTER(PVOID) Environment; 213 | 214 | ULONG StartingX; 215 | ULONG StartingY; 216 | ULONG CountX; 217 | ULONG CountY; 218 | ULONG CountCharsX; 219 | ULONG CountCharsY; 220 | ULONG FillAttribute; 221 | 222 | ULONG WindowFlags; 223 | ULONG ShowWindowFlags; 224 | UNICODE_STRING32 WindowTitle; 225 | UNICODE_STRING32 DesktopInfo; 226 | UNICODE_STRING32 ShellInfo; 227 | UNICODE_STRING32 RuntimeData; 228 | RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 229 | 230 | WOW64_POINTER(ULONG_PTR) EnvironmentSize; 231 | WOW64_POINTER(ULONG_PTR) EnvironmentVersion; 232 | WOW64_POINTER(PVOID) PackageDependencyData; 233 | ULONG ProcessGroupId; 234 | 
ULONG LoaderThreads; 235 | 236 | UNICODE_STRING32 RedirectionDllName; // REDSTONE4 237 | UNICODE_STRING32 HeapPartitionName; // 19H1 238 | WOW64_POINTER(ULONG_PTR) DefaultThreadpoolCpuSetMasks; 239 | ULONG DefaultThreadpoolCpuSetMaskCount; 240 | ULONG DefaultThreadpoolThreadMaximum; 241 | } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; 242 | 243 | typedef struct _PEB32 244 | { 245 | BOOLEAN InheritedAddressSpace; 246 | BOOLEAN ReadImageFileExecOptions; 247 | BOOLEAN BeingDebugged; 248 | union 249 | { 250 | BOOLEAN BitField; 251 | struct 252 | { 253 | BOOLEAN ImageUsesLargePages : 1; 254 | BOOLEAN IsProtectedProcess : 1; 255 | BOOLEAN IsImageDynamicallyRelocated : 1; 256 | BOOLEAN SkipPatchingUser32Forwarders : 1; 257 | BOOLEAN IsPackagedProcess : 1; 258 | BOOLEAN IsAppContainer : 1; 259 | BOOLEAN IsProtectedProcessLight : 1; 260 | BOOLEAN IsLongPathAwareProcess : 1; 261 | }; 262 | }; 263 | WOW64_POINTER(HANDLE) Mutant; 264 | 265 | WOW64_POINTER(PVOID) ImageBaseAddress; 266 | WOW64_POINTER(PPEB_LDR_DATA) Ldr; 267 | WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; 268 | WOW64_POINTER(PVOID) SubSystemData; 269 | WOW64_POINTER(PVOID) ProcessHeap; 270 | WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; 271 | WOW64_POINTER(PVOID) AtlThunkSListPtr; 272 | WOW64_POINTER(PVOID) IFEOKey; 273 | union 274 | { 275 | ULONG CrossProcessFlags; 276 | struct 277 | { 278 | ULONG ProcessInJob : 1; 279 | ULONG ProcessInitializing : 1; 280 | ULONG ProcessUsingVEH : 1; 281 | ULONG ProcessUsingVCH : 1; 282 | ULONG ProcessUsingFTH : 1; 283 | ULONG ReservedBits0 : 27; 284 | }; 285 | }; 286 | union 287 | { 288 | WOW64_POINTER(PVOID) KernelCallbackTable; 289 | WOW64_POINTER(PVOID) UserSharedInfoPtr; 290 | }; 291 | ULONG SystemReserved; 292 | ULONG AtlThunkSListPtr32; 293 | WOW64_POINTER(PVOID) ApiSetMap; 294 | ULONG TlsExpansionCounter; 295 | WOW64_POINTER(PVOID) TlsBitmap; 296 | ULONG TlsBitmapBits[2]; 297 | WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; 298 | 
WOW64_POINTER(PVOID) HotpatchInformation; 299 | WOW64_POINTER(PVOID *) ReadOnlyStaticServerData; 300 | WOW64_POINTER(PVOID) AnsiCodePageData; 301 | WOW64_POINTER(PVOID) OemCodePageData; 302 | WOW64_POINTER(PVOID) UnicodeCaseTableData; 303 | 304 | ULONG NumberOfProcessors; 305 | ULONG NtGlobalFlag; 306 | 307 | LARGE_INTEGER CriticalSectionTimeout; 308 | WOW64_POINTER(SIZE_T) HeapSegmentReserve; 309 | WOW64_POINTER(SIZE_T) HeapSegmentCommit; 310 | WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; 311 | WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; 312 | 313 | ULONG NumberOfHeaps; 314 | ULONG MaximumNumberOfHeaps; 315 | WOW64_POINTER(PVOID *) ProcessHeaps; 316 | 317 | WOW64_POINTER(PVOID) GdiSharedHandleTable; 318 | WOW64_POINTER(PVOID) ProcessStarterHelper; 319 | ULONG GdiDCAttributeList; 320 | 321 | WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; 322 | 323 | ULONG OSMajorVersion; 324 | ULONG OSMinorVersion; 325 | USHORT OSBuildNumber; 326 | USHORT OSCSDVersion; 327 | ULONG OSPlatformId; 328 | ULONG ImageSubsystem; 329 | ULONG ImageSubsystemMajorVersion; 330 | ULONG ImageSubsystemMinorVersion; 331 | WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask; 332 | GDI_HANDLE_BUFFER32 GdiHandleBuffer; 333 | WOW64_POINTER(PVOID) PostProcessInitRoutine; 334 | 335 | WOW64_POINTER(PVOID) TlsExpansionBitmap; 336 | ULONG TlsExpansionBitmapBits[32]; 337 | 338 | ULONG SessionId; 339 | 340 | ULARGE_INTEGER AppCompatFlags; 341 | ULARGE_INTEGER AppCompatFlagsUser; 342 | WOW64_POINTER(PVOID) pShimData; 343 | WOW64_POINTER(PVOID) AppCompatInfo; 344 | 345 | UNICODE_STRING32 CSDVersion; 346 | 347 | WOW64_POINTER(PACTIVATION_CONTEXT_DATA) ActivationContextData; 348 | WOW64_POINTER(PVOID) ProcessAssemblyStorageMap; 349 | WOW64_POINTER(PACTIVATION_CONTEXT_DATA) SystemDefaultActivationContextData; 350 | WOW64_POINTER(PVOID) SystemAssemblyStorageMap; 351 | 352 | WOW64_POINTER(SIZE_T) MinimumStackCommit; 353 | 354 | WOW64_POINTER(PVOID) SparePointers[4]; 355 | ULONG SpareUlongs[5]; 
356 | //WOW64_POINTER(PVOID *) FlsCallback; 357 | //LIST_ENTRY32 FlsListHead; 358 | //WOW64_POINTER(PVOID) FlsBitmap; 359 | //ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 360 | //ULONG FlsHighIndex; 361 | 362 | WOW64_POINTER(PVOID) WerRegistrationData; 363 | WOW64_POINTER(PVOID) WerShipAssertPtr; 364 | WOW64_POINTER(PVOID) pContextData; 365 | WOW64_POINTER(PVOID) pImageHeaderHash; 366 | union 367 | { 368 | ULONG TracingFlags; 369 | struct 370 | { 371 | ULONG HeapTracingEnabled : 1; 372 | ULONG CritSecTracingEnabled : 1; 373 | ULONG LibLoaderTracingEnabled : 1; 374 | ULONG SpareTracingBits : 29; 375 | }; 376 | }; 377 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 378 | WOW64_POINTER(PVOID) TppWorkerpListLock; 379 | LIST_ENTRY32 TppWorkerpList; 380 | WOW64_POINTER(PVOID) WaitOnAddressHashTable[128]; 381 | WOW64_POINTER(PVOID) TelemetryCoverageHeader; // REDSTONE3 382 | ULONG CloudFileFlags; 383 | ULONG CloudFileDiagFlags; // REDSTONE4 384 | CHAR PlaceholderCompatibilityMode; 385 | CHAR PlaceholderCompatibilityModeReserved[7]; 386 | } PEB32, *PPEB32; 387 | 388 | C_ASSERT(FIELD_OFFSET(PEB32, IFEOKey) == 0x024); 389 | C_ASSERT(FIELD_OFFSET(PEB32, UnicodeCaseTableData) == 0x060); 390 | C_ASSERT(FIELD_OFFSET(PEB32, SystemAssemblyStorageMap) == 0x204); 391 | C_ASSERT(FIELD_OFFSET(PEB32, pImageHeaderHash) == 0x23c); 392 | C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c); 393 | //C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3 394 | C_ASSERT(sizeof(PEB32) == 0x470); 395 | 396 | // Note: Use PhGetProcessPeb32 instead. 
(dmex) 397 | //#define WOW64_GET_PEB32(peb64) ((PPEB32)PTR_ADD_OFFSET((peb64), ALIGN_UP_BY(sizeof(PEB), PAGE_SIZE))) 398 | 399 | #define GDI_BATCH_BUFFER_SIZE 310 400 | 401 | typedef struct _GDI_TEB_BATCH32 402 | { 403 | ULONG Offset; 404 | WOW64_POINTER(ULONG_PTR) HDC; 405 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 406 | } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; 407 | 408 | typedef struct _TEB32 409 | { 410 | NT_TIB32 NtTib; 411 | 412 | WOW64_POINTER(PVOID) EnvironmentPointer; 413 | CLIENT_ID32 ClientId; 414 | WOW64_POINTER(PVOID) ActiveRpcHandle; 415 | WOW64_POINTER(PVOID) ThreadLocalStoragePointer; 416 | WOW64_POINTER(PPEB) ProcessEnvironmentBlock; 417 | 418 | ULONG LastErrorValue; 419 | ULONG CountOfOwnedCriticalSections; 420 | WOW64_POINTER(PVOID) CsrClientThread; 421 | WOW64_POINTER(PVOID) Win32ThreadInfo; 422 | ULONG User32Reserved[26]; 423 | ULONG UserReserved[5]; 424 | WOW64_POINTER(PVOID) WOW32Reserved; 425 | LCID CurrentLocale; 426 | ULONG FpSoftwareStatusRegister; 427 | WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16]; 428 | WOW64_POINTER(PVOID) SystemReserved1[36]; 429 | UCHAR WorkingOnBehalfTicket[8]; 430 | NTSTATUS ExceptionCode; 431 | 432 | WOW64_POINTER(PVOID) ActivationContextStackPointer; 433 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp; 434 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc; 435 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp; 436 | BOOLEAN InstrumentationCallbackDisabled; 437 | UCHAR SpareBytes[23]; 438 | ULONG TxFsContext; 439 | 440 | GDI_TEB_BATCH32 GdiTebBatch; 441 | CLIENT_ID32 RealClientId; 442 | WOW64_POINTER(HANDLE) GdiCachedProcessHandle; 443 | ULONG GdiClientPID; 444 | ULONG GdiClientTID; 445 | WOW64_POINTER(PVOID) GdiThreadLocalInfo; 446 | WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; 447 | WOW64_POINTER(PVOID) glDispatchTable[233]; 448 | WOW64_POINTER(ULONG_PTR) glReserved1[29]; 449 | WOW64_POINTER(PVOID) glReserved2; 450 | WOW64_POINTER(PVOID) glSectionInfo; 451 | 
WOW64_POINTER(PVOID) glSection; 452 | WOW64_POINTER(PVOID) glTable; 453 | WOW64_POINTER(PVOID) glCurrentRC; 454 | WOW64_POINTER(PVOID) glContext; 455 | 456 | NTSTATUS LastStatusValue; 457 | UNICODE_STRING32 StaticUnicodeString; 458 | WCHAR StaticUnicodeBuffer[261]; 459 | 460 | WOW64_POINTER(PVOID) DeallocationStack; 461 | WOW64_POINTER(PVOID) TlsSlots[64]; 462 | LIST_ENTRY32 TlsLinks; 463 | 464 | WOW64_POINTER(PVOID) Vdm; 465 | WOW64_POINTER(PVOID) ReservedForNtRpc; 466 | WOW64_POINTER(PVOID) DbgSsReserved[2]; 467 | 468 | ULONG HardErrorMode; 469 | WOW64_POINTER(PVOID) Instrumentation[9]; 470 | GUID ActivityId; 471 | 472 | WOW64_POINTER(PVOID) SubProcessTag; 473 | WOW64_POINTER(PVOID) PerflibData; 474 | WOW64_POINTER(PVOID) EtwTraceData; 475 | WOW64_POINTER(PVOID) WinSockData; 476 | ULONG GdiBatchCount; 477 | 478 | union 479 | { 480 | PROCESSOR_NUMBER CurrentIdealProcessor; 481 | ULONG IdealProcessorValue; 482 | struct 483 | { 484 | UCHAR ReservedPad0; 485 | UCHAR ReservedPad1; 486 | UCHAR ReservedPad2; 487 | UCHAR IdealProcessor; 488 | }; 489 | }; 490 | 491 | ULONG GuaranteedStackBytes; 492 | WOW64_POINTER(PVOID) ReservedForPerf; 493 | WOW64_POINTER(PVOID) ReservedForOle; 494 | ULONG WaitingOnLoaderLock; 495 | WOW64_POINTER(PVOID) SavedPriorityState; 496 | WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage; 497 | WOW64_POINTER(PVOID) ThreadPoolData; 498 | WOW64_POINTER(PVOID *) TlsExpansionSlots; 499 | 500 | ULONG MuiGeneration; 501 | ULONG IsImpersonating; 502 | WOW64_POINTER(PVOID) NlsCache; 503 | WOW64_POINTER(PVOID) pShimData; 504 | USHORT HeapVirtualAffinity; 505 | USHORT LowFragHeapDataSlot; 506 | WOW64_POINTER(HANDLE) CurrentTransactionHandle; 507 | WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame; 508 | WOW64_POINTER(PVOID) FlsData; 509 | 510 | WOW64_POINTER(PVOID) PreferredLanguages; 511 | WOW64_POINTER(PVOID) UserPrefLanguages; 512 | WOW64_POINTER(PVOID) MergedPrefLanguages; 513 | ULONG MuiImpersonation; 514 | 515 | union 516 | { 517 | USHORT CrossTebFlags; 
518 | USHORT SpareCrossTebBits : 16; 519 | }; 520 | union 521 | { 522 | USHORT SameTebFlags; 523 | struct 524 | { 525 | USHORT SafeThunkCall : 1; 526 | USHORT InDebugPrint : 1; 527 | USHORT HasFiberData : 1; 528 | USHORT SkipThreadAttach : 1; 529 | USHORT WerInShipAssertCode : 1; 530 | USHORT RanProcessInit : 1; 531 | USHORT ClonedThread : 1; 532 | USHORT SuppressDebugMsg : 1; 533 | USHORT DisableUserStackWalk : 1; 534 | USHORT RtlExceptionAttached : 1; 535 | USHORT InitialThread : 1; 536 | USHORT SessionAware : 1; 537 | USHORT LoadOwner : 1; 538 | USHORT LoaderWorker : 1; 539 | USHORT SpareSameTebBits : 2; 540 | }; 541 | }; 542 | 543 | WOW64_POINTER(PVOID) TxnScopeEnterCallback; 544 | WOW64_POINTER(PVOID) TxnScopeExitCallback; 545 | WOW64_POINTER(PVOID) TxnScopeContext; 546 | ULONG LockCount; 547 | LONG WowTebOffset; 548 | WOW64_POINTER(PVOID) ResourceRetValue; 549 | WOW64_POINTER(PVOID) ReservedForWdf; 550 | ULONGLONG ReservedForCrt; 551 | GUID EffectiveContainerId; 552 | } TEB32, *PTEB32; 553 | 554 | C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030); 555 | C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4); 556 | C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0); 557 | C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0); 558 | C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00); 559 | C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10); 560 | C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20); 561 | C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50); 562 | C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70); 563 | C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94); 564 | C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4); 565 | C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4); 566 | C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8); 567 | C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0); 568 | C_ASSERT(sizeof(TEB32) == 0x1000); 569 | 570 | // Get the 32-bit TEB without doing a memory reference 571 | // 
modified from public SDK /10.0.10240.0/um/minwin/wow64t.h (dmex) 572 | #define WOW64_GET_TEB32(teb64) ((PTEB32)PTR_ADD_OFFSET((teb64), ALIGN_UP_BY(sizeof(TEB), PAGE_SIZE))) 573 | #define WOW64_TEB32_POINTER_ADDRESS(teb64) (PVOID)&((teb64)->NtTib.ExceptionList) 574 | 575 | // Conversion 576 | 577 | /* Widen a 32-bit (WOW64) UNICODE_STRING header into the native layout. Only the three header fields are copied: Length and MaximumLength are taken from Source unchecked, and Buffer is widened with UlongToPtr without any validation of where it points, so Destination still refers to memory the 32-bit side owns. */ FORCEINLINE VOID UStr32ToUStr( 578 | _Out_ PUNICODE_STRING Destination, 579 | _In_ PUNICODE_STRING32 Source 580 | ) 581 | { 582 | Destination->Length = Source->Length; 583 | Destination->MaximumLength = Source->MaximumLength; 584 | Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer); 585 | } 586 | 587 | /* Narrow a native UNICODE_STRING header into the 32-bit layout. PtrToUlong keeps only the low 32 bits of Source->Buffer, so the result is only meaningful when the buffer lies in an address range a 32-bit process can reach; the function does not detect or report the truncation, so callers must ensure that precondition themselves. Length and MaximumLength are copied unchecked. */ FORCEINLINE VOID UStrToUStr32( 588 | _Out_ PUNICODE_STRING32 Destination, 589 | _In_ PUNICODE_STRING Source 590 | ) 591 | { 592 | Destination->Length = Source->Length; 593 | Destination->MaximumLength = Source->MaximumLength; 594 | Destination->Buffer = PtrToUlong(Source->Buffer); 595 | } 596 | 597 | #endif 598 | -------------------------------------------------------------------------------- /phnt/include/ntpoapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Power Management support functions 3 | * 4 | * This file is part of System Informer. 5 | */ 6 | 7 | #ifndef _NTPOAPI_H 8 | #define _NTPOAPI_H 9 | 10 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 11 | // POWER_INFORMATION_LEVEL 12 | // Note: We don't use an enum for these values to minimize conflicts with the Windows SDK. (dmex) 13 | #define SystemPowerPolicyAc 0 // SYSTEM_POWER_POLICY // GET: InputBuffer NULL. SET: InputBuffer not NULL.
14 | #define SystemPowerPolicyDc 1 // SYSTEM_POWER_POLICY 15 | #define VerifySystemPolicyAc 2 // SYSTEM_POWER_POLICY 16 | #define VerifySystemPolicyDc 3 // SYSTEM_POWER_POLICY 17 | #define SystemPowerCapabilities 4 // SYSTEM_POWER_CAPABILITIES 18 | #define SystemBatteryState 5 // SYSTEM_BATTERY_STATE 19 | #define SystemPowerStateHandler 6 // POWER_STATE_HANDLER // (kernel-mode only) 20 | #define ProcessorStateHandler 7 // PROCESSOR_STATE_HANDLER // (kernel-mode only) 21 | #define SystemPowerPolicyCurrent 8 // SYSTEM_POWER_POLICY 22 | #define AdministratorPowerPolicy 9 // ADMINISTRATOR_POWER_POLICY 23 | #define SystemReserveHiberFile 10 // BOOLEAN // (requires SeCreatePagefilePrivilege) // TRUE: hibernation file created. FALSE: hibernation file deleted. 24 | #define ProcessorInformation 11 // PROCESSOR_POWER_INFORMATION 25 | #define SystemPowerInformation 12 // SYSTEM_POWER_INFORMATION 26 | #define ProcessorStateHandler2 13 // PROCESSOR_STATE_HANDLER2 // not implemented 27 | #define LastWakeTime 14 // ULONGLONG // InterruptTime 28 | #define LastSleepTime 15 // ULONGLONG // InterruptTime 29 | #define SystemExecutionState 16 // EXECUTION_STATE // NtSetThreadExecutionState 30 | #define SystemPowerStateNotifyHandler 17 // POWER_STATE_NOTIFY_HANDLER // (kernel-mode only) 31 | #define ProcessorPowerPolicyAc 18 // PROCESSOR_POWER_POLICY // not implemented 32 | #define ProcessorPowerPolicyDc 19 // PROCESSOR_POWER_POLICY // not implemented 33 | #define VerifyProcessorPowerPolicyAc 20 // PROCESSOR_POWER_POLICY // not implemented 34 | #define VerifyProcessorPowerPolicyDc 21 // PROCESSOR_POWER_POLICY // not implemented 35 | #define ProcessorPowerPolicyCurrent 22 // PROCESSOR_POWER_POLICY // not implemented 36 | #define SystemPowerStateLogging 23 // SYSTEM_POWER_STATE_DISABLE_REASON[] 37 | #define SystemPowerLoggingEntry 24 // SYSTEM_POWER_LOGGING_ENTRY[] // (kernel-mode only) 38 | #define SetPowerSettingValue 25 // (kernel-mode only) 39 | #define NotifyUserPowerSetting 26 // 
not implemented 40 | #define PowerInformationLevelUnused0 27 // not implemented 41 | #define SystemMonitorHiberBootPowerOff 28 // NULL (PowerMonitorOff) 42 | #define SystemVideoState 29 // MONITOR_DISPLAY_STATE 43 | #define TraceApplicationPowerMessage 30 // (kernel-mode only) 44 | #define TraceApplicationPowerMessageEnd 31 // (kernel-mode only) 45 | #define ProcessorPerfStates 32 // (kernel-mode only) 46 | #define ProcessorIdleStates 33 // (kernel-mode only) 47 | #define ProcessorCap 34 // (kernel-mode only) 48 | #define SystemWakeSource 35 49 | #define SystemHiberFileInformation 36 // q: SYSTEM_HIBERFILE_INFORMATION 50 | #define TraceServicePowerMessage 37 51 | #define ProcessorLoad 38 52 | #define PowerShutdownNotification 39 // (kernel-mode only) 53 | #define MonitorCapabilities 40 // (kernel-mode only) 54 | #define SessionPowerInit 41 // (kernel-mode only) 55 | #define SessionDisplayState 42 // (kernel-mode only) 56 | #define PowerRequestCreate 43 // in: COUNTED_REASON_CONTEXT, out: HANDLE 57 | #define PowerRequestAction 44 // in: POWER_REQUEST_ACTION 58 | #define GetPowerRequestList 45 // out: POWER_REQUEST_LIST 59 | #define ProcessorInformationEx 46 // in: USHORT ProcessorGroup, out: PROCESSOR_POWER_INFORMATION 60 | #define NotifyUserModeLegacyPowerEvent 47 // (kernel-mode only) 61 | #define GroupPark 48 // (debug-mode boot only) 62 | #define ProcessorIdleDomains 49 // (kernel-mode only) 63 | #define WakeTimerList 50 // powercfg.exe /waketimers 64 | #define SystemHiberFileSize 51 // ULONG 65 | #define ProcessorIdleStatesHv 52 // (kernel-mode only) 66 | #define ProcessorPerfStatesHv 53 // (kernel-mode only) 67 | #define ProcessorPerfCapHv 54 // (kernel-mode only) 68 | #define ProcessorSetIdle 55 // (debug-mode boot only) 69 | #define LogicalProcessorIdling 56 // (kernel-mode only) 70 | #define UserPresence 57 // POWER_USER_PRESENCE // not implemented 71 | #define PowerSettingNotificationName 58 72 | #define GetPowerSettingValue 59 // GUID 73 | #define 
IdleResiliency 60 // POWER_IDLE_RESILIENCY 74 | #define SessionRITState 61 // POWER_SESSION_RIT_STATE 75 | #define SessionConnectNotification 62 // POWER_SESSION_WINLOGON 76 | #define SessionPowerCleanup 63 77 | #define SessionLockState 64 // POWER_SESSION_WINLOGON 78 | #define SystemHiberbootState 65 // BOOLEAN // fast startup supported 79 | #define PlatformInformation 66 // BOOLEAN // connected standby supported 80 | #define PdcInvocation 67 // (kernel-mode only) 81 | #define MonitorInvocation 68 // (kernel-mode only) 82 | #define FirmwareTableInformationRegistered 69 // (kernel-mode only) 83 | #define SetShutdownSelectedTime 70 // NULL 84 | #define SuspendResumeInvocation 71 // (kernel-mode only) 85 | #define PlmPowerRequestCreate 72 // in: COUNTED_REASON_CONTEXT, out: HANDLE 86 | #define ScreenOff 73 // NULL (PowerMonitorOff) 87 | #define CsDeviceNotification 74 // (kernel-mode only) 88 | #define PlatformRole 75 // POWER_PLATFORM_ROLE 89 | #define LastResumePerformance 76 // RESUME_PERFORMANCE 90 | #define DisplayBurst 77 // NULL (PowerMonitorOn) 91 | #define ExitLatencySamplingPercentage 78 92 | #define RegisterSpmPowerSettings 79 // (kernel-mode only) 93 | #define PlatformIdleStates 80 // (kernel-mode only) 94 | #define ProcessorIdleVeto 81 // (kernel-mode only) // deprecated 95 | #define PlatformIdleVeto 82 // (kernel-mode only) // deprecated 96 | #define SystemBatteryStatePrecise 83 // SYSTEM_BATTERY_STATE 97 | #define ThermalEvent 84 // THERMAL_EVENT // PowerReportThermalEvent 98 | #define PowerRequestActionInternal 85 // POWER_REQUEST_ACTION_INTERNAL 99 | #define BatteryDeviceState 86 100 | #define PowerInformationInternal 87 // POWER_INFORMATION_LEVEL_INTERNAL // PopPowerInformationInternal 101 | #define ThermalStandby 88 // NULL // shutdown with thermal standby as reason. 102 | #define SystemHiberFileType 89 // ULONG // zero ? 
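// reduced : full // powercfg.exe /h /type
#define PhysicalPowerButtonPress 90 // BOOLEAN
#define QueryPotentialDripsConstraint 91 // (kernel-mode only)
#define EnergyTrackerCreate 92
#define EnergyTrackerQuery 93
#define UpdateBlackBoxRecorder 94
#define SessionAllowExternalDmaDevices 95
#define SendSuspendResumeNotification 96 // since WIN11
#define PowerInformationLevelMaximum 97
#endif

// Per-processor frequency/idle snapshot. Output of the ProcessorInformation (11)
// and ProcessorInformationEx (46) levels of NtPowerInformation (see the level
// table above). Callers typically pass an array of these, one per processor in
// the queried group, and size OutputBufferLength accordingly -- confirm against
// the caller; this header does not state the element count.
typedef struct _PROCESSOR_POWER_INFORMATION
{
    ULONG Number;
    ULONG MaxMhz;
    ULONG CurrentMhz;
    ULONG MhzLimit;
    ULONG MaxIdleState;
    ULONG CurrentIdleState;
} PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION;

// Output of the SystemPowerInformation (12) level. Units of the idleness and
// time fields are not stated in this header.
typedef struct _SYSTEM_POWER_INFORMATION
{
    ULONG MaxIdlenessAllowed;
    ULONG Idleness;
    ULONG TimeRemaining;
    UCHAR CoolingMode;
} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;

// Output of the SystemHiberFileInformation (36) level: a variable-length record
// of NumberOfMcbPairs "MCB pairs" (presumably start/length extents of the
// hibernation file on disk -- confirm). Mcb[] is declared with ANYSIZE_ARRAY,
// matching POWER_REQUEST_LIST below; the real array extends past the end of the
// structure, so allocate sizeof(SYSTEM_HIBERFILE_INFORMATION) plus the extra
// LARGE_INTEGERs and bound every index by NumberOfMcbPairs.
typedef struct _SYSTEM_HIBERFILE_INFORMATION
{
    ULONG NumberOfMcbPairs;
    LARGE_INTEGER Mcb[ANYSIZE_ARRAY];
} SYSTEM_HIBERFILE_INFORMATION, *PSYSTEM_HIBERFILE_INFORMATION;

// The "no reason given" value for COUNTED_REASON_CONTEXT.Flags, aliased from the
// SDK's DIAGNOSTIC_REASON_* namespace.
#define POWER_REQUEST_CONTEXT_NOT_SPECIFIED DIAGNOSTIC_REASON_NOT_SPECIFIED

// wdm
// Reason text attached to a power request. Input for the PowerRequestCreate (43)
// and PlmPowerRequestCreate (72) levels. Flags presumably selects which union
// arm is populated (POWER_REQUEST_CONTEXT_* values from the SDK, not defined
// here): a single SimpleString, or a localizable resource reference
// (ResourceFileName/ResourceReasonId) plus StringCount substitution strings.
typedef struct _COUNTED_REASON_CONTEXT
{
    ULONG Version;
    ULONG Flags;
    union
    {
        struct
        {
            UNICODE_STRING ResourceFileName;
            USHORT ResourceReasonId;
            ULONG StringCount;
            _Field_size_(StringCount) PUNICODE_STRING ReasonStrings;
        };
        UNICODE_STRING SimpleString;
    };
} COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT;

// Kernel-side counterpart of the public POWER_REQUEST_TYPE. Values 3-5 were
// added in Windows 8 / RS1; values 6-8 are only meaningful on Windows 8 (see
// the per-value notes). Used as RequestType in POWER_REQUEST_ACTION and
// POWER_REQUEST_ACTION_INTERNAL, and presumably as the index into
// POWER_REQUEST.PowerRequestCount[], whose length (the
// POWER_REQUEST_SUPPORTED_TYPES_Vn constants below) bounds the values valid on
// a given OS.
typedef enum _POWER_REQUEST_TYPE_INTERNAL // POWER_REQUEST_TYPE
{
    PowerRequestDisplayRequiredInternal,
    PowerRequestSystemRequiredInternal,
    PowerRequestAwayModeRequiredInternal,
    PowerRequestExecutionRequiredInternal, // Windows 8+
    PowerRequestPerfBoostRequiredInternal, // Windows 8+
    PowerRequestActiveLockScreenInternal, // Windows 10 RS1+ (reserved on Windows 8)
    // Values 6 and 7 are reserved for Windows 8 only
    PowerRequestInternalInvalid,
    PowerRequestInternalUnknown,
    PowerRequestFullScreenVideoRequired // Windows 8 only
} POWER_REQUEST_TYPE_INTERNAL;

// Input for the PowerRequestAction (44) level: asserts or releases (SetAction,
// presumably TRUE = assert) one request type on the request identified by
// PowerRequestHandle, i.e. the handle returned by PowerRequestCreate.
typedef struct _POWER_REQUEST_ACTION
{
    HANDLE PowerRequestHandle;
    POWER_REQUEST_TYPE_INTERNAL RequestType;
    BOOLEAN SetAction;
    HANDLE ProcessHandle; // Windows 8+ and only for requests created via PlmPowerRequestCreate
} POWER_REQUEST_ACTION, *PPOWER_REQUEST_ACTION;

// Either a system (S-state) or a device (D-state) power state; POWER_STATE_TYPE
// below is the discriminator that says which arm is meaningful.
typedef union _POWER_STATE
{
    SYSTEM_POWER_STATE SystemState;
    DEVICE_POWER_STATE DeviceState;
} POWER_STATE, *PPOWER_STATE;

typedef enum _POWER_STATE_TYPE
{
    SystemPowerState = 0,
    DevicePowerState
} POWER_STATE_TYPE, *PPOWER_STATE_TYPE;

// wdm
// Packed description of a system power transition. The bitfields (8+4+4+4+1+1+10
// = 32 bits) overlay ContextAsUlong; the three *SystemState fields presumably
// carry SYSTEM_POWER_STATE values -- confirm.
typedef struct _SYSTEM_POWER_STATE_CONTEXT
{
    union
    {
        struct
        {
            ULONG Reserved1 : 8;
            ULONG TargetSystemState : 4;
            ULONG EffectiveSystemState : 4;
            ULONG CurrentSystemState : 4;
            ULONG IgnoreHibernationPath : 1;
            ULONG PseudoTransition : 1;
            ULONG Reserved2 : 10;
        };
        ULONG ContextAsUlong;
    };
} SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT;

// Origin of a power request. Stored in DIAGNOSTIC_BUFFER.CallerType, where it
// presumably selects the union arm to read (process identity for the two
// user-mode requesters, device identity for KernelRequester) -- the pairing is
// inferred from the field names; confirm.
typedef enum _REQUESTER_TYPE
{
    KernelRequester = 0,
    UserProcessRequester = 1,
    UserSharedServiceRequester = 2
} REQUESTER_TYPE;

// Offset-based (pointer-free) form of COUNTED_REASON_CONTEXT, as it appears
// inside a GetPowerRequestList buffer. Each *Offset is assumed to be relative to
// the start of that buffer (the base is not stated in this header). Treat the
// offsets as untrusted indices: check that offset + the referenced object's size
// lies within the byte count NtPowerInformation actually returned before
// dereferencing.
typedef struct _COUNTED_REASON_CONTEXT_RELATIVE
{
    ULONG Flags;
    union
    {
        struct
        {
            ULONG_PTR ResourceFileNameOffset;
            USHORT ResourceReasonId;
            ULONG StringCount;
            ULONG_PTR SubstitutionStringsOffset;
        };
        ULONG_PTR SimpleStringOffset;
    };
} COUNTED_REASON_CONTEXT_RELATIVE, *PCOUNTED_REASON_CONTEXT_RELATIVE;

// Diagnostic block trailing each POWER_REQUEST: who owns the request and why.
// CallerType selects the union arm (see REQUESTER_TYPE). Size is assumed to be
// the total byte size of this block including the data the offsets point at --
// confirm. All offsets follow the same relative/untrusted rule as
// COUNTED_REASON_CONTEXT_RELATIVE.
typedef struct _DIAGNOSTIC_BUFFER
{
    SIZE_T Size;
    REQUESTER_TYPE CallerType;
    union
    {
        struct
        {
            ULONG_PTR ProcessImageNameOffset; // PWSTR
            ULONG ProcessId;
            ULONG ServiceTag;
        };
        struct
        {
            ULONG_PTR DeviceDescriptionOffset; // PWSTR
            ULONG_PTR DevicePathOffset; // PWSTR
        };
    };
    ULONG_PTR ReasonOffset; // PCOUNTED_REASON_CONTEXT_RELATIVE
} DIAGNOSTIC_BUFFER, *PDIAGNOSTIC_BUFFER;

// The number of supported request types per version
#define POWER_REQUEST_SUPPORTED_TYPES_V1 3 // Windows 7
#define POWER_REQUEST_SUPPORTED_TYPES_V2 9 // Windows 8
#define POWER_REQUEST_SUPPORTED_TYPES_V3 5 // Windows 8.1 and Windows 10 TH1-TH2
#define POWER_REQUEST_SUPPORTED_TYPES_V4 6 // Windows 10 RS1+

// One record of a power request list. The layout changed with each Windows
// version: PowerRequestCount[] has POWER_REQUEST_SUPPORTED_TYPES_Vn elements,
// so DiagnosticBuffer sits at a different offset in every arm. The record
// carries no version discriminator of its own -- the caller must pick the arm
// matching the running OS (SupportedRequestMask is presumably a bitmask of the
// request types that OS knows; confirm). Reading through the wrong arm silently
// misparses ProcessId/ServiceTag and every offset that follows.
typedef struct _POWER_REQUEST
{
    union
    {
        struct
        {
            ULONG SupportedRequestMask;
            ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V1];
            DIAGNOSTIC_BUFFER DiagnosticBuffer;
        } V1;
#if (PHNT_VERSION >= PHNT_WIN8)
        struct
        {
            ULONG SupportedRequestMask;
            ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V2];
            DIAGNOSTIC_BUFFER DiagnosticBuffer;
        } V2;
#endif
#if (PHNT_VERSION >= PHNT_WINBLUE)
        struct
        {
            ULONG SupportedRequestMask;
            ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V3];
            DIAGNOSTIC_BUFFER DiagnosticBuffer;
        } V3;
#endif
#if (PHNT_VERSION >= PHNT_REDSTONE)
        struct
        {
            ULONG SupportedRequestMask;
            ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V4];
            DIAGNOSTIC_BUFFER DiagnosticBuffer;
        } V4;
#endif
    };
} POWER_REQUEST, *PPOWER_REQUEST;

// Output of the GetPowerRequestList (45) level: Count offsets, each presumably
// relative to the start of this buffer, locating a POWER_REQUEST. Before
// following an offset, verify offset + sizeof(POWER_REQUEST) (and, inside it,
// every DIAGNOSTIC_BUFFER / COUNTED_REASON_CONTEXT_RELATIVE offset) lies within
// the byte count NtPowerInformation returned; the buffer is version-dependent
// and a truncated or mis-sized read otherwise becomes an out-of-bounds access.
typedef struct _POWER_REQUEST_LIST
{
    ULONG_PTR Count;
    ULONG_PTR PowerRequestOffsets[ANYSIZE_ARRAY]; // PPOWER_REQUEST
} POWER_REQUEST_LIST, *PPOWER_REQUEST_LIST;
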
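// Target of a kernel power-state handler (values 0-7); S1-S4, the two shutdown
// variants, and firmware-assisted S4.
typedef enum _POWER_STATE_HANDLER_TYPE
{
    PowerStateSleeping1 = 0,
    PowerStateSleeping2 = 1,
    PowerStateSleeping3 = 2,
    PowerStateSleeping4 = 3,
    PowerStateShutdownOff = 4,
    PowerStateShutdownReset = 5,
    PowerStateSleeping4Firmware = 6,
    PowerStateMaximum = 7
} POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE;

// Callback the kernel passes to a state handler so it can hand control back.
typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)(
    _In_ PVOID SystemContext
    );

// Routine invoked to enter the state described by a POWER_STATE_HANDLER.
// NumberProcessors/Number look like a rendezvous counter for multi-processor
// entry -- inferred from the names; confirm.
typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)(
    _In_ PVOID Context,
    _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler,
    _In_ PVOID SystemContext,
    _In_ LONG NumberProcessors,
    _In_ LONG volatile *Number
    );

// Registration record for the SystemPowerStateHandler (6) level, which the
// level table marks kernel-mode only. Handler and Context are raw function and
// data pointers the kernel will call on transition, so a user-mode
// NtPowerInformation call with this structure is expected to be rejected --
// confirm rather than rely on it.
typedef struct _POWER_STATE_HANDLER
{
    POWER_STATE_HANDLER_TYPE Type;
    BOOLEAN RtcWake;
    UCHAR Spare[3];
    PENTER_STATE_HANDLER Handler;
    PVOID Context;
} POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER;

// Notification callback: Entering TRUE before the state is entered, FALSE on
// the way out (presumably; only the parameter name is given here).
typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)(
    _In_ POWER_STATE_HANDLER_TYPE State,
    _In_ PVOID Context,
    _In_ BOOLEAN Entering
    );

// Registration record for the SystemPowerStateNotifyHandler (17) level;
// kernel-mode only per the level table, same caveat as POWER_STATE_HANDLER.
typedef struct _POWER_STATE_NOTIFY_HANDLER
{
    PENTER_STATE_NOTIFY_HANDLER Handler;
    PVOID Context;
} POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER;

// Input for the PowerRequestActionInternal (85) level. Unlike
// POWER_REQUEST_ACTION this identifies the request by a raw pointer to the
// kernel object rather than a handle; whether user mode can reach this level
// is not stated in this header.
typedef struct _POWER_REQUEST_ACTION_INTERNAL
{
    PVOID PowerRequestPointer;
    POWER_REQUEST_TYPE_INTERNAL RequestType;
    BOOLEAN SetAction;
} POWER_REQUEST_ACTION_INTERNAL, *PPOWER_REQUEST_ACTION_INTERNAL;

// Sub-level for the PowerInformationInternal (87) level. It is carried as
// InternalType in POWER_INFORMATION_INTERNAL_HEADER (or as the bare first
// field of the branded-frequency input below). Values 52 and 55 are
// unassigned: the explicit "= 53" and "= 56" initializers skip them. The
// "// N" markers are decimal checkpoints; per-value in/out notes name the
// structures defined further down.
typedef enum _POWER_INFORMATION_LEVEL_INTERNAL
{
    PowerInternalAcpiInterfaceRegister,
    PowerInternalS0LowPowerIdleInfo, // POWER_S0_LOW_POWER_IDLE_INFO
    PowerInternalReapplyBrightnessSettings,
    PowerInternalUserAbsencePrediction, // POWER_USER_ABSENCE_PREDICTION
    PowerInternalUserAbsencePredictionCapability, // POWER_USER_ABSENCE_PREDICTION_CAPABILITY
    PowerInternalPoProcessorLatencyHint, // POWER_PROCESSOR_LATENCY_HINT
    PowerInternalStandbyNetworkRequest, // POWER_STANDBY_NETWORK_REQUEST
    PowerInternalDirtyTransitionInformation,
    PowerInternalSetBackgroundTaskState, // POWER_SET_BACKGROUND_TASK_STATE
    PowerInternalTtmOpenTerminal,
    PowerInternalTtmCreateTerminal, // 10
    PowerInternalTtmEvacuateDevices,
    PowerInternalTtmCreateTerminalEventQueue,
    PowerInternalTtmGetTerminalEvent,
    PowerInternalTtmSetDefaultDeviceAssignment,
    PowerInternalTtmAssignDevice,
    PowerInternalTtmSetDisplayState,
    PowerInternalTtmSetDisplayTimeouts,
    PowerInternalBootSessionStandbyActivationInformation,
    PowerInternalSessionPowerState,
    PowerInternalSessionTerminalInput, // 20
    PowerInternalSetWatchdog,
    PowerInternalPhysicalPowerButtonPressInfoAtBoot,
    PowerInternalExternalMonitorConnected,
    PowerInternalHighPrecisionBrightnessSettings,
    PowerInternalWinrtScreenToggle,
    PowerInternalPpmQosDisable,
    PowerInternalTransitionCheckpoint,
    PowerInternalInputControllerState,
    PowerInternalFirmwareResetReason,
    PowerInternalPpmSchedulerQosSupport, // 30
    PowerInternalBootStatGet,
    PowerInternalBootStatSet,
    PowerInternalCallHasNotReturnedWatchdog,
    PowerInternalBootStatCheckIntegrity,
    PowerInternalBootStatRestoreDefaults, // in: void
    PowerInternalHostEsStateUpdate,
    PowerInternalGetPowerActionState,
    PowerInternalBootStatUnlock,
    PowerInternalWakeOnVoiceState,
    PowerInternalDeepSleepBlock, // 40
    PowerInternalIsPoFxDevice,
    PowerInternalPowerTransitionExtensionAtBoot,
    PowerInternalProcessorBrandedFrequency, // in: POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, out: POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT
    PowerInternalTimeBrokerExpirationReason,
    PowerInternalNotifyUserShutdownStatus,
    PowerInternalPowerRequestTerminalCoreWindow,
    PowerInternalProcessorIdleVeto,
    PowerInternalPlatformIdleVeto,
    PowerInternalIsLongPowerButtonBugcheckEnabled,
    PowerInternalAutoChkCausedReboot, // 50
    PowerInternalSetWakeAlarmOverride,

    PowerInternalDirectedFxAddTestDevice = 53,
    PowerInternalDirectedFxRemoveTestDevice,

    PowerInternalDirectedFxSetMode = 56,
    PowerInternalRegisterPowerPlane,
    PowerInternalSetDirectedDripsFlags,
    PowerInternalClearDirectedDripsFlags,
    PowerInternalRetrieveHiberFileResumeContext, // 60
    PowerInternalReadHiberFilePage,
    PowerInternalLastBootSucceeded, // out: BOOLEAN
    PowerInternalQuerySleepStudyHelperRoutineBlock,
    PowerInternalDirectedDripsQueryCapabilities,
    PowerInternalClearConstraints,
    PowerInternalSoftParkVelocityEnabled,
    PowerInternalQueryIntelPepCapabilities,
    PowerInternalGetSystemIdleLoopEnablement, // since WIN11
    PowerInternalGetVmPerfControlSupport,
    PowerInternalGetVmPerfControlConfig, // 70
    PowerInternalSleepDetailedDiagUpdate,
    PowerInternalProcessorClassFrequencyBandsStats,
    PowerInternalHostGlobalUserPresenceStateUpdate,
    PowerInternalCpuNodeIdleIntervalStats,
    PowerInternalClassIdleIntervalStats,
    PowerInternalCpuNodeConcurrencyStats,
    PowerInternalClassConcurrencyStats,
    PowerInternalQueryProcMeasurementCapabilities,
    PowerInternalQueryProcMeasurementValues,
    PowerInternalPrepareForSystemInitiatedReboot, // 80
    PowerInternalGetAdaptiveSessionState,
    PowerInternalSetConsoleLockedState,
    PowerInternalOverrideSystemInitiatedRebootState,
    PowerInternalFanImpactStats,
    PowerInternalFanRpmBuckets,
    PowerInternalPowerBootAppDiagInfo,
    PowerInternalUnregisterShutdownNotification, // since 22H1
    PowerInternalManageTransitionStateRecord,
    PowerInternalGetAcpiTimeAndAlarmCapabilities, // since 22H2
    PowerInternalSuspendResumeRequest,
    PowerInformationInternalMaximum
} POWER_INFORMATION_LEVEL_INTERNAL;

// Why the system is not in (connected) S0 low-power idle.
typedef enum _POWER_S0_DISCONNECTED_REASON
{
    PoS0DisconnectedReasonNone,
    PoS0DisconnectedReasonNonCompliantNic,
    PoS0DisconnectedReasonSettingPolicy,
    PoS0DisconnectedReasonEnforceDsPolicy,
    PoS0DisconnectedReasonCsChecksFailed,
    PoS0DisconnectedReasonSmartStandby,
    PoS0DisconnectedReasonMaximum
} POWER_S0_DISCONNECTED_REASON;

// Output of the PowerInternalS0LowPowerIdleInfo sub-level. Each flag byte is a
// union of an anonymous struct of 1-bit fields (widths sum to 8) and an AsUCHAR
// overlay of the same byte. The bitfields MUST be wrapped in a struct: as bare
// union members every one of them would start at bit 0, so WiFi/Mbn/Ethernet
// (and EnforceDs) would read the first flag's bit instead of their own. The
// wrapper does not change the layout -- each union is still one byte.
typedef struct _POWER_S0_LOW_POWER_IDLE_INFO
{
    POWER_S0_DISCONNECTED_REASON DisconnectedReason;
    union
    {
        struct
        {
            BOOLEAN Storage : 1;
            BOOLEAN WiFi : 1;
            BOOLEAN Mbn : 1;
            BOOLEAN Ethernet : 1;
            BOOLEAN Reserved : 4;
        };
        UCHAR AsUCHAR;
    } CsDeviceCompliance;
    union
    {
        struct
        {
            BOOLEAN DisconnectInStandby : 1;
            BOOLEAN EnforceDs : 1;
            BOOLEAN Reserved : 6;
        };
        UCHAR AsUCHAR;
    } Policy;
} POWER_S0_LOW_POWER_IDLE_INFO, *PPOWER_S0_LOW_POWER_IDLE_INFO;

// Common prefix of the PowerInformationInternal input structures: the sub-level
// being requested and a caller-supplied structure version.
typedef struct _POWER_INFORMATION_INTERNAL_HEADER
{
    POWER_INFORMATION_LEVEL_INTERNAL InternalType;
    ULONG Version;
} POWER_INFORMATION_INTERNAL_HEADER, *PPOWER_INFORMATION_INTERNAL_HEADER;

// PowerInternalUserAbsencePrediction: predicted time the user returns
// (presumably an absolute system time; the time base is not stated here).
typedef struct _POWER_USER_ABSENCE_PREDICTION
{
    POWER_INFORMATION_INTERNAL_HEADER Header;
    LARGE_INTEGER ReturnTime;
} POWER_USER_ABSENCE_PREDICTION, *PPOWER_USER_ABSENCE_PREDICTION;

// PowerInternalUserAbsencePredictionCapability output. Note: no header field,
// unlike the other internal structures.
typedef struct _POWER_USER_ABSENCE_PREDICTION_CAPABILITY
{
    BOOLEAN AbsencePredictionCapability;
} POWER_USER_ABSENCE_PREDICTION_CAPABILITY, *PPOWER_USER_ABSENCE_PREDICTION_CAPABILITY;

// PowerInternalPoProcessorLatencyHint input. The pointer typedef is spelled
// PPO_ (not PPOWER_) upstream and is kept unchanged for source compatibility.
typedef struct _POWER_PROCESSOR_LATENCY_HINT
{
    POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader;
    ULONG Type;
} POWER_PROCESSOR_LATENCY_HINT, *PPO_PROCESSOR_LATENCY_HINT;

// PowerInternalStandbyNetworkRequest input.
typedef struct _POWER_STANDBY_NETWORK_REQUEST
{
    POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader;
    BOOLEAN Active;
} POWER_STANDBY_NETWORK_REQUEST, *PPOWER_STANDBY_NETWORK_REQUEST;

// PowerInternalSetBackgroundTaskState input.
typedef struct _POWER_SET_BACKGROUND_TASK_STATE
{
    POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader;
    BOOLEAN Engaged;
} POWER_SET_BACKGROUND_TASK_STATE, *PPOWER_SET_BACKGROUND_TASK_STATE;

// PowerInternalProcessorBrandedFrequency input. This one carries the sub-level
// directly (no POWER_INFORMATION_INTERNAL_HEADER). The "ULONG_MAX" note on
// ProcessorNumber is upstream's; its meaning (presumably "current processor")
// is not stated here. The struct tag intentionally has no leading underscore
// and the upstream "FREQENCY" spelling is preserved -- callers use these names.
typedef struct POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT
{
    POWER_INFORMATION_LEVEL_INTERNAL InternalType;
    PROCESSOR_NUMBER ProcessorNumber; // ULONG_MAX
} POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, *PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT;

// PowerInternalProcessorBrandedFrequency output (frequency in MHz, per the
// upstream note referencing Prcb->MHz).
typedef struct POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT
{
    ULONG Version;
    ULONG NominalFrequency; // if (Domain) Prcb->PowerState.CheckContext.Domain.NominalFrequency else Prcb->MHz
} POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT, *PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT;

// The power information system call. InformationLevel is one of the
// POWER_INFORMATION_LEVEL values from the table at the top of this header;
// the per-level notes there give the in/out structure, which levels are
// kernel-mode only, and privilege requirements where known (e.g.
// SystemReserveHiberFile needs SeCreatePagefilePrivilege). The buffers are
// described by their byte lengths (see the SAL annotations); pass NULL/0 for a
// side the level does not use. PowerInformationInternal (87) takes a
// POWER_INFORMATION_LEVEL_INTERNAL sub-level (see above). For levels that
// return offset-based records (GetPowerRequestList) validate every offset
// against OutputBufferLength before use.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPowerInformation(
    _In_ POWER_INFORMATION_LEVEL InformationLevel,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
    _In_ ULONG OutputBufferLength
    );

// Sets the calling thread's execution-state flags (ES_*), returning the prior
// flags through PreviousFlags. The level table pairs this with
// SystemExecutionState (16).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetThreadExecutionState(
    _In_ EXECUTION_STATE NewFlags, // ES_* flags
    _Out_ EXECUTION_STATE *PreviousFlags
    );

// Only declared when targeting pre-Windows 7; not exposed by this header for
// Win7 and later.
#if (PHNT_VERSION < PHNT_WIN7)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRequestWakeupLatency(
    _In_ LATENCY_TIME latency
    );
#endif

// Requests a system power action (sleep/hibernate/shutdown, per POWER_ACTION);
// LightestSystemState is the shallowest SYSTEM_POWER_STATE acceptable and Flags
// are POWER_ACTION_* values. Asynchronous presumably returns before the
// transition completes. NOTE(review): expected to be privilege-gated
// (SeShutdownPrivilege) for shutdown/sleep actions -- not stated in this
// header; confirm before relying on it in detection or tooling.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtInitiatePowerAction(
    _In_ POWER_ACTION SystemAction,
    _In_ SYSTEM_POWER_STATE LightestSystemState,
    _In_ ULONG Flags, // POWER_ACTION_* flags
    _In_ BOOLEAN Asynchronous
    );

// Synchronous counterpart of NtInitiatePowerAction (same parameters minus
// Asynchronous); same privilege caveat applies.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSystemPowerState(
    _In_ POWER_ACTION SystemAction,
    _In_ SYSTEM_POWER_STATE LightestSystemState,
    _In_ ULONG Flags // POWER_ACTION_* flags
    );

// Returns the D-state of the device behind Device (a device/file handle).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetDevicePowerState(
    _In_ HANDLE Device,
    _Out_ PDEVICE_POWER_STATE State
    );

// TRUE when the system resumed automatically rather than from user input --
// presumably the native form of the Win32 IsSystemResumeAutomatic; confirm.
NTSYSCALLAPI
BOOLEAN
NTAPI
NtIsSystemResumeAutomatic(
    VOID
    );

#endif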