├── README.md
├── NTLib.vcxproj.user
├── includes
    ├── NTLib.h
    ├── NTExp
    │   ├── ntsmss.h
    │   ├── ntnls.h
    │   ├── ntmisc.h
    │   ├── ntxcapi.h
    │   ├── subprocesstag.h
    │   ├── ntkeapi.h
    │   ├── ntpnpapi.h
    │   ├── ntgdi.h
    │   ├── ntpoapi.h
    │   ├── ntcommon.h
    │   ├── ntcompatibility.h
    │   ├── ntdbg.h
    │   ├── ntpfapi.h
    │   ├── nttp.h
    │   ├── ntobapi.h
    │   ├── nttmapi.h
    │   ├── ntpebteb.h
    │   ├── ntregapi.h
    │   ├── ntseapi.h
    │   ├── ntwow64.h
    │   ├── ntldr.h
    │   └── ntlpcapi.h
    └── NTExp.h
├── NTLib.sln
├── LICENSE
├── NTLib.vcxproj.filters
└── NTLib.vcxproj


/README.md:
--------------------------------------------------------------------------------
1 | # NTLib
2 | Headers for linking your software with ntdll.dll
3 | 


--------------------------------------------------------------------------------
/NTLib.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/includes/NTLib.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include "NTExp.h"
 4 | 
 5 | NTSTATUS NtlPsCreateProcess(
 6 |     _Out_    PHANDLE Handle,
 7 |     _In_     LPWSTR Path,
 8 |     _In_opt_ LPWSTR CommandLine,
 9 |     _In_     ACCESS_MASK Access,
10 |     _In_     BOOLEAN InheritObjects,
11 |     _In_opt_ POBJECT_ATTRIBUTES Attributes = NULL
12 | );
13 | 
14 | NTSTATUS NtlPsOpenProcess(
15 |     _Out_    PHANDLE Handle,
16 |     _In_     DWORD ProcessID,
17 |     _In_     ACCESS_MASK Access,
18 |     _In_opt_ POBJECT_ATTRIBUTES Attributes = NULL
19 | );
20 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntsmss.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
 3 |  *
 4 |  * You can redistribute this file and/or modify it under the terms of the 
 5 |  * Attribution 4.0 International (CC BY 4.0) license. 
 6 |  * 
 7 |  * You must give appropriate credit, provide a link to the license, and 
 8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
 9 |  * not in any way that suggests the licensor endorses you or your use.
10 |  */
11 | 
12 | #ifndef _NTSMSS_H
13 | #define _NTSMSS_H
14 | 
15 | NTDLL_API(NTSTATUS, RtlConnectToSm, (
16 |     _In_ PUNICODE_STRING ApiPortName,
17 |     _In_ HANDLE ApiPortHandle,
18 |     _In_ DWORD ProcessImageType,
19 |     _Out_ PHANDLE SmssConnection
20 | ))
21 | 
22 | NTDLL_API(NTSTATUS, RtlSendMsgToSm, (
23 |     _In_ HANDLE ApiPortHandle,
24 |     _In_ PPORT_MESSAGE MessageData
25 | ))
26 | 
27 | #endif
28 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntnls.h:
--------------------------------------------------------------------------------
 1 | #ifndef _NTNLS_H
 2 | #define _NTNLS_H
 3 | 
 4 | #define MAXIMUM_LEADBYTES 12
 5 | 
 6 | typedef struct _CPTABLEINFO
 7 | {
 8 |     USHORT CodePage;
 9 |     USHORT MaximumCharacterSize;
10 |     USHORT DefaultChar;
11 |     USHORT UniDefaultChar;
12 |     USHORT TransDefaultChar;
13 |     USHORT TransUniDefaultChar;
14 |     USHORT DBCSCodePage;
15 |     UCHAR LeadByte[MAXIMUM_LEADBYTES];
16 |     PUSHORT MultiByteTable;
17 |     PVOID WideCharTable;
18 |     PUSHORT DBCSRanges;
19 |     PUSHORT DBCSOffsets;
20 | } CPTABLEINFO, *PCPTABLEINFO;
21 | 
22 | typedef struct _NLSTABLEINFO
23 | {
24 |     CPTABLEINFO OemTableInfo;
25 |     CPTABLEINFO AnsiTableInfo;
26 |     PUSHORT UpperCaseTable;
27 |     PUSHORT LowerCaseTable;
28 | } NLSTABLEINFO, *PNLSTABLEINFO;
29 | 
30 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
31 | NTSYSAPI USHORT NlsAnsiCodePage;
32 | NTSYSAPI BOOLEAN NlsMbCodePageTag;
33 | NTSYSAPI BOOLEAN NlsMbOemCodePageTag;
34 | #endif
35 | 
36 | #endif
37 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntmisc.h:
--------------------------------------------------------------------------------
 1 | #ifndef _NTMISC_H
 2 | #define _NTMISC_H
 3 | 
 4 | #define FLT_PORT_CONNECT 0x0001
 5 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL)
 6 | 
 7 | typedef enum _VDMSERVICECLASS
 8 | {
 9 |     VdmStartExecution,
10 |     VdmQueueInterrupt,
11 |     VdmDelayInterrupt,
12 |     VdmInitialize,
13 |     VdmFeatures,
14 |     VdmSetInt21Handler,
15 |     VdmQueryDir,
16 |     VdmPrinterDirectIoOpen,
17 |     VdmPrinterDirectIoClose,
18 |     VdmPrinterInitialize,
19 |     VdmSetLdtEntries,
20 |     VdmSetProcessLdtInfo,
21 |     VdmAdlibEmulation,
22 |     VdmPMCliControl,
23 |     VdmQueryVdmProcess
24 | } VDMSERVICECLASS, *PVDMSERVICECLASS;
25 | 
26 | NATIVE_API(NTSTATUS, /*Nt*/VdmControl, (
27 |     _In_ VDMSERVICECLASS Service,
28 |     _Inout_ PVOID ServiceData
29 | ))
30 | 
31 | NATIVE_API(NTSTATUS, /*Nt*/TraceEvent, (
32 |     _In_ HANDLE TraceHandle,
33 |     _In_ ULONG Flags,
34 |     _In_ ULONG FieldSize,
35 |     _In_ PVOID Fields
36 | ))
37 | 
38 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
39 | NATIVE_API(NTSTATUS, /*Nt*/TraceControl, (
40 |     _In_ ULONG FunctionCode,
41 |     _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer,
42 |     _In_ ULONG InBufferLen,
43 |     _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer,
44 |     _In_ ULONG OutBufferLen,
45 |     _Out_ PULONG ReturnLength
46 | ))
47 | #endif
48 | 
49 | #endif
50 | 


--------------------------------------------------------------------------------
/NTLib.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 19
 4 | VisualStudioVersion = 16.0.29709.97
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTLib", "NTLib.vcxproj", "{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Debug|x64.Build.0 = Debug|x64
18 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Debug|x86.Build.0 = Debug|Win32
20 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Release|x64.ActiveCfg = Release|x64
21 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Release|x64.Build.0 = Release|x64
22 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Release|x86.ActiveCfg = Release|Win32
23 | 		{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {D0556EA1-9BA0-4AFC-A073-621109CABB05}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2020, h4xu3lyn
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | 1. Redistributions of source code must retain the above copyright notice, this
10 |    list of conditions and the following disclaimer.
11 | 
12 | 2. Redistributions in binary form must reproduce the above copyright notice,
13 |    this list of conditions and the following disclaimer in the documentation
14 |    and/or other materials provided with the distribution.
15 | 
16 | 3. Neither the name of the copyright holder nor the names of its
17 |    contributors may be used to endorse or promote products derived from
18 |    this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntxcapi.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
 3 |  *
 4 |  * You can redistribute this file and/or modify it under the terms of the 
 5 |  * Attribution 4.0 International (CC BY 4.0) license. 
 6 |  * 
 7 |  * You must give appropriate credit, provide a link to the license, and 
 8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
 9 |  * not in any way that suggests the licensor endorses you or your use.
10 |  */
11 | 
12 | #ifndef _NTXCAPI_H
13 | #define _NTXCAPI_H
14 | 
15 | NTDLL_API(BOOLEAN, RtlDispatchException, (
16 |     _In_ PEXCEPTION_RECORD ExceptionRecord,
17 |     _In_ PCONTEXT ContextRecord
18 | ))
19 | 
20 | NTSYSAPI
21 | DECLSPEC_NORETURN
22 | VOID
23 | NTAPI
24 | RtlRaiseStatus(
25 |     _In_ NTSTATUS Status
26 |     );
27 | 
28 | NTDLL_API_VOID(RtlRaiseException, (
29 |     _In_ PEXCEPTION_RECORD ExceptionRecord
30 | ))
31 | 
32 | NATIVE_API(NTSTATUS, /*Nt*/Continue, (
33 |     _In_ PCONTEXT ContextRecord,
34 |     _In_ BOOLEAN TestAlert
35 | ))
36 | 
37 | NATIVE_API(NTSTATUS, /*Nt*/RaiseException, (
38 |     _In_ PEXCEPTION_RECORD ExceptionRecord,
39 |     _In_ PCONTEXT ContextRecord,
40 |     _In_ BOOLEAN FirstChance
41 | ))
42 | 
43 | __analysis_noreturn
44 | NTSYSCALLAPI
45 | VOID
46 | NTAPI
47 | RtlAssert(
48 |     _In_ PVOID VoidFailedAssertion,
49 |     _In_ PVOID VoidFileName,
50 |     _In_ ULONG LineNumber,
51 |     _In_opt_ PSTR MutableMessage
52 |     );
53 | 
54 | #define RTL_ASSERT(exp) \
55 |     ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE)
56 | #define RTL_ASSERTMSG(msg, exp) \
57 |     ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE)
58 | #define RTL_SOFT_ASSERT(_exp) \
59 |     ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n   Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE)
60 | #define RTL_SOFT_ASSERTMSG(_msg, _exp) \
61 |     ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n   Expression: %s\n   Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE)
62 | 
63 | #endif
64 | 


--------------------------------------------------------------------------------
/includes/NTExp/subprocesstag.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
  3 |  *
  4 |  * You can redistribute this file and/or modify it under the terms of the 
  5 |  * Attribution 4.0 International (CC BY 4.0) license. 
  6 |  * 
  7 |  * You must give appropriate credit, provide a link to the license, and 
  8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
  9 |  * not in any way that suggests the licensor endorses you or your use.
 10 |  */
 11 | 
 12 | #ifndef _SUBPROCESSTAG_H
 13 | #define _SUBPROCESSTAG_H
 14 | 
 15 | // Subprocess tag information
 16 | 
 17 | typedef enum _TAG_INFO_LEVEL
 18 | {
 19 |     eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG
 20 |     eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE
 21 |     eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING
 22 |     eTagInfoLevelMax
 23 | } TAG_INFO_LEVEL;
 24 | 
 25 | typedef enum _TAG_TYPE
 26 | {
 27 |     eTagTypeService = 1,
 28 |     eTagTypeMax
 29 | } TAG_TYPE;
 30 | 
 31 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS
 32 | {
 33 |     DWORD dwPid;
 34 |     DWORD dwTag;
 35 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS;
 36 | 
 37 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS
 38 | {
 39 |     DWORD eTagType;
 40 |     LPWSTR pszName;
 41 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS;
 42 | 
 43 | typedef struct _TAG_INFO_NAME_FROM_TAG
 44 | {
 45 |     TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams;
 46 |     TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams;
 47 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG;
 48 | 
 49 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS
 50 | {
 51 |     DWORD dwPid;
 52 |     LPWSTR pszModule;
 53 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS;
 54 | 
 55 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS
 56 | {
 57 |     DWORD eTagType;
 58 |     LPWSTR pmszNames;
 59 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS;
 60 | 
 61 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE
 62 | {
 63 |     TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams;
 64 |     TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams;
 65 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE;
 66 | 
 67 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS
 68 | {
 69 |     DWORD dwPid;
 70 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS;
 71 | 
 72 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT
 73 | {
 74 |     DWORD eTagType;
 75 |     DWORD dwTag;
 76 |     LPWSTR pszName;
 77 |     LPWSTR pszGroupName;
 78 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT;
 79 | 
 80 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS
 81 | {
 82 |     DWORD cElements;
 83 |     PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements;
 84 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS;
 85 | 
 86 | typedef struct _TAG_INFO_NAME_TAG_MAPPING
 87 | {
 88 |     TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams;
 89 |     PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams;
 90 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING;
 91 | 
 92 | _Must_inspect_result_
 93 | DWORD
 94 | WINAPI
 95 | I_QueryTagInformation(
 96 |     _In_opt_ LPCWSTR pszMachineName,
 97 |     _In_ TAG_INFO_LEVEL eInfoLevel,
 98 |     _Inout_ PVOID pTagInfo
 99 |     );
100 | 
101 | typedef DWORD (WINAPI *PQUERY_TAG_INFORMATION)(
102 |     _In_opt_ LPCWSTR pszMachineName,
103 |     _In_ TAG_INFO_LEVEL eInfoLevel,
104 |     _Inout_ PVOID pTagInfo
105 |     );
106 | 
107 | #endif
108 | 


--------------------------------------------------------------------------------
/includes/NTExp.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <Windows.h>
  4 | 
  5 | #ifdef __cplusplus
  6 | extern "C" {
  7 | #endif
  8 | 
  9 | #ifdef _M_IX86
 10 |   #pragma pack(push, 4)
 11 | #elif _M_AMD64
 12 |   #pragma pack(push, 8)
 13 | #else
 14 |   #error NTLIB: Error, unknown architecture
 15 | #endif
 16 | 
 17 | #define NTCALL __stdcall
 18 | 
 19 | #ifdef NTLIB_COMPILATION
 20 |   #define NTDEF __declspec(dllexport) NTCALL
 21 | #else
 22 |   #define NTDEF __declspec(dllimport) NTCALL
 23 | #endif
 24 | 
 25 | #ifdef NTLIB_COMPILATION
 26 |   #define NATIVE_API(type, name, params) \
 27 |     type NTDEF Zw##name params { return (type)0; } \
 28 |     type NTDEF Nt##name params { return (type)0; }
 29 |   #define NATIVE_API_VOID(name, params) \
 30 |     VOID NTDEF name params{ return; }
 31 |   #define NTDLL_API(type, name, params) \
 32 |     type NTDEF name params { return (type)0; }
 33 |   #define NTDLL_API_VOID(name, params) \
 34 |     VOID NTDEF name params { return; }
 35 | #else
 36 |   #define NATIVE_API(type, name, params) \
 37 |     type NTDEF Zw##name params; \
 38 |     type NTDEF Nt##name params;
 39 |   #define NATIVE_API_VOID(name, params) \
 40 |     VOID NTDEF name params;
 41 |   #define NTDLL_API(type, name, params) \
 42 |     type NTDEF name params;
 43 |   #define NTDLL_API_VOID(name, params) \
 44 |     VOID NTDEF name params;
 45 | #endif
 46 | 
 47 | #define NTLIB_WIN_2K      0x0400
 48 | #define NTLIB_WIN_XP      0x0500
 49 | #define NTLIB_WIN_VISTA   0x0600
 50 | #define NTLIB_WIN_7       0x0601
 51 | #define NTLIB_WIN_8       0x0602
 52 | #define NTLIB_WIN_8_1     0x0603
 53 | #define NTLIB_WIN_10_TH1  0x0A00
 54 | #define NTLIB_WIN_10_TH2  0x0A01
 55 | #define NTLIB_WIN_10_RS1  0x0A02
 56 | #define NTLIB_WIN_10_RS2  0x0A03
 57 | #define NTLIB_WIN_10_RS3  0x0A04
 58 | #define NTLIB_WIN_10_RS4  0x0A05
 59 | #define NTLIB_WIN_10_RS5  0x0A06
 60 | #define NTLIB_WIN_10_19H1 0x0A07
 61 | #define NTLIB_WIN_MAX     0xFFFF
 62 | 
 63 | #ifndef NTLIB_WIN_VERSION
 64 |   #define NTLIB_WIN_VERSION NTLIB_WIN_MAX
 65 | #endif
 66 | 
 67 | #define NTLIB_KERNEL_MODE 0
 68 | #define NTLIB_USER_MODE   1
 69 | 
 70 | #ifndef NTLIB_CPU_MODE
 71 |   #define NTLIB_CPU_MODE NTLIB_USER_MODE
 72 | #endif
 73 | 
 74 | #ifdef NTLIB_COMPILATION
 75 |   #define PHNT_COMPILE
 76 |   #define PHNT_NO_INLINE_INIT_STRING
 77 | #endif
 78 | 
 79 | #include <ntexp\ntcompatibility.h>
 80 | #include <ntexp\ntstatus.h>
 81 | #include <ntexp\ntcommon.h>
 82 | #include <ntexp\ntnls.h>
 83 | #include <ntexp\ntkeapi.h>
 84 | #include <ntexp\ntldr.h>
 85 | #include <ntexp\ntexapi.h>
 86 | #include <ntexp\ntmmapi.h>
 87 | #include <ntexp\ntobapi.h>
 88 | #include <ntexp\ntpsapi.h>
 89 | #include <ntexp\ntdbg.h>
 90 | #include <ntexp\ntioapi.h>
 91 | #include <ntexp\ntlpcapi.h>
 92 | #include <ntexp\ntpfapi.h>
 93 | #include <ntexp\ntpnpapi.h>
 94 | #include <ntexp\ntpoapi.h>
 95 | #include <ntexp\ntregapi.h>
 96 | #include <ntexp\ntrtl.h>
 97 | #include <ntexp\ntseapi.h>
 98 | #include <ntexp\nttmapi.h>
 99 | #include <ntexp\nttp.h>
100 | #include <ntexp\ntxcapi.h>
101 | #include <ntexp\ntwow64.h>
102 | #include <ntexp\ntsam.h>
103 | #include <ntexp\ntmisc.h>
104 | #include <ntexp\ntgdi.h>
105 | #include <ntexp\ntpebteb.h>
106 | #include <ntexp\ntsmss.h>
107 | #include <ntexp\subprocesstag.h>
108 | #include <ntexp\winsta.h>
109 | 
110 | #undef NTLIB_WIN_XP
111 | #undef NTLIB_WIN_VISTA
112 | #undef NTLIB_WIN_7
113 | #undef NTLIB_WIN_8
114 | #undef NTLIB_WIN_8_1
115 | #undef NTLIB_WIN_10_TH1
116 | #undef NTLIB_WIN_MAX
117 | #undef NTLIB_WIN_VERSION 
118 | 
119 | #undef NTCALL
120 | #undef NTDEF
121 | 
122 | #undef NATIVE_API
123 | 
124 | #undef NTDLL_API
125 | #undef NTDLL_API_VOID
126 | 
127 | #undef LDR_API
128 | 
129 | #pragma pack(pop)
130 | 
131 | #ifdef __cplusplus
132 | }
133 | #endif
134 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntkeapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTKEAPI_H
  2 | #define _NTKEAPI_H
  3 | 
  4 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
  5 | #define LOW_PRIORITY 0 
  6 | #define LOW_REALTIME_PRIORITY 16
  7 | #define HIGH_PRIORITY 31
  8 | #define MAXIMUM_PRIORITY 32
  9 | #endif
 10 | 
 11 | typedef enum _KTHREAD_STATE
 12 | {
 13 |     Initialized,
 14 |     Ready,
 15 |     Running,
 16 |     Standby,
 17 |     Terminated,
 18 |     Waiting,
 19 |     Transition,
 20 |     DeferredReady,
 21 |     GateWaitObsolete,
 22 |     WaitingForProcessInSwap,
 23 |     MaximumThreadState
 24 | } KTHREAD_STATE, *PKTHREAD_STATE;
 25 | 
 26 | typedef enum _KHETERO_CPU_POLICY
 27 | {
 28 |     KHeteroCpuPolicyAll,
 29 |     KHeteroCpuPolicyLarge,
 30 |     KHeteroCpuPolicyLargeOrIdle,
 31 |     KHeteroCpuPolicySmall,
 32 |     KHeteroCpuPolicySmallOrIdle,
 33 |     KHeteroCpuPolicyDynamic,
 34 |     KHeteroCpuPolicyStaticMax,
 35 |     KHeteroCpuPolicyBiasedSmall,
 36 |     KHeteroCpuPolicyBiasedLarge,
 37 |     KHeteroCpuPolicyDefault,
 38 |     KHeteroCpuPolicyMax
 39 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY;
 40 | 
 41 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
 42 | 
 43 | typedef enum _KWAIT_REASON
 44 | {
 45 |     Executive,
 46 |     FreePage,
 47 |     PageIn,
 48 |     PoolAllocation,
 49 |     DelayExecution,
 50 |     Suspended,
 51 |     UserRequest,
 52 |     WrExecutive,
 53 |     WrFreePage,
 54 |     WrPageIn,
 55 |     WrPoolAllocation,
 56 |     WrDelayExecution,
 57 |     WrSuspended,
 58 |     WrUserRequest,
 59 |     WrEventPair,
 60 |     WrQueue,
 61 |     WrLpcReceive,
 62 |     WrLpcReply,
 63 |     WrVirtualMemory,
 64 |     WrPageOut,
 65 |     WrRendezvous,
 66 |     WrKeyedEvent,
 67 |     WrTerminated,
 68 |     WrProcessInSwap,
 69 |     WrCpuRateControl,
 70 |     WrCalloutStack,
 71 |     WrKernel,
 72 |     WrResource,
 73 |     WrPushLock,
 74 |     WrMutex,
 75 |     WrQuantumEnd,
 76 |     WrDispatchInt,
 77 |     WrPreempted,
 78 |     WrYieldExecution,
 79 |     WrFastMutex,
 80 |     WrGuardedMutex,
 81 |     WrRundown,
 82 |     WrAlertByThreadId,
 83 |     WrDeferredPreempt,
 84 |     MaximumWaitReason
 85 | } KWAIT_REASON, *PKWAIT_REASON;
 86 | 
 87 | typedef enum _KPROFILE_SOURCE
 88 | {
 89 |     ProfileTime,
 90 |     ProfileAlignmentFixup,
 91 |     ProfileTotalIssues,
 92 |     ProfilePipelineDry,
 93 |     ProfileLoadInstructions,
 94 |     ProfilePipelineFrozen,
 95 |     ProfileBranchInstructions,
 96 |     ProfileTotalNonissues,
 97 |     ProfileDcacheMisses,
 98 |     ProfileIcacheMisses,
 99 |     ProfileCacheMisses,
100 |     ProfileBranchMispredictions,
101 |     ProfileStoreInstructions,
102 |     ProfileFpInstructions,
103 |     ProfileIntegerInstructions,
104 |     Profile2Issue,
105 |     Profile3Issue,
106 |     Profile4Issue,
107 |     ProfileSpecialInstructions,
108 |     ProfileTotalCycles,
109 |     ProfileIcacheIssues,
110 |     ProfileDcacheAccesses,
111 |     ProfileMemoryBarrierCycles,
112 |     ProfileLoadLinkedIssues,
113 |     ProfileMaximum
114 | } KPROFILE_SOURCE;
115 | 
116 | #endif
117 | 
118 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
119 | 
120 | NATIVE_API(NTSTATUS, /*Nt*/CallbackReturn, (
121 |     _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer,
122 |     _In_ ULONG OutputLength,
123 |     _In_ NTSTATUS Status
124 | ))
125 | 
126 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
127 | #endif
128 | 
129 | NATIVE_API(NTSTATUS, /*Nt*/QueryDebugFilterState, (
130 |     _In_ ULONG ComponentId,
131 |     _In_ ULONG Level
132 | ))
133 | 
134 | NATIVE_API(NTSTATUS, /*Nt*/SetDebugFilterState, (
135 |     _In_ ULONG ComponentId,
136 |     _In_ ULONG Level,
137 |     _In_ BOOLEAN State
138 | ))
139 | 
140 | NATIVE_API(NTSTATUS, /*Nt*/YieldExecution, (
141 |     VOID
142 | ))
143 | 
144 | #endif
145 | 
146 | #endif
147 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntpnpapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTPNPAPI_H
  2 | #define _NTPNPAPI_H
  3 | 
  4 | typedef enum _PLUGPLAY_EVENT_CATEGORY
  5 | {
  6 |     HardwareProfileChangeEvent,
  7 |     TargetDeviceChangeEvent,
  8 |     DeviceClassChangeEvent,
  9 |     CustomDeviceEvent,
 10 |     DeviceInstallEvent,
 11 |     DeviceArrivalEvent,
 12 |     PowerEvent,
 13 |     VetoEvent,
 14 |     BlockedDriverEvent,
 15 |     InvalidIDEvent,
 16 |     MaxPlugEventCategory
 17 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY;
 18 | 
 19 | typedef struct _PLUGPLAY_EVENT_BLOCK
 20 | {
 21 |     GUID EventGuid;
 22 |     PLUGPLAY_EVENT_CATEGORY EventCategory;
 23 |     PULONG Result;
 24 |     ULONG Flags;
 25 |     ULONG TotalSize;
 26 |     PVOID DeviceObject;
 27 | 
 28 |     union
 29 |     {
 30 |         struct
 31 |         {
 32 |             GUID ClassGuid;
 33 |             WCHAR SymbolicLinkName[1];
 34 |         } DeviceClass;
 35 |         struct
 36 |         {
 37 |             WCHAR DeviceIds[1];
 38 |         } TargetDevice;
 39 |         struct
 40 |         {
 41 |             WCHAR DeviceId[1];
 42 |         } InstallDevice;
 43 |         struct
 44 |         {
 45 |             PVOID NotificationStructure;
 46 |             WCHAR DeviceIds[1];
 47 |         } CustomNotification;
 48 |         struct
 49 |         {
 50 |             PVOID Notification;
 51 |         } ProfileNotification;
 52 |         struct
 53 |         {
 54 |             ULONG NotificationCode;
 55 |             ULONG NotificationData;
 56 |         } PowerNotification;
 57 |         struct
 58 |         {
 59 |             PNP_VETO_TYPE VetoType;
 60 |             WCHAR DeviceIdVetoNameBuffer[1];
 61 |         } VetoNotification;
 62 |         struct
 63 |         {
 64 |             GUID BlockedDriverGuid;
 65 |         } BlockedDriverNotification;
 66 |         struct
 67 |         {
 68 |             WCHAR ParentId[1];
 69 |         } InvalidIDNotification;
 70 |     } u;
 71 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK;
 72 | 
 73 | typedef enum _PLUGPLAY_CONTROL_CLASS
 74 | {
 75 |     PlugPlayControlEnumerateDevice,
 76 |     PlugPlayControlRegisterNewDevice,
 77 |     PlugPlayControlDeregisterDevice,
 78 |     PlugPlayControlInitializeDevice,
 79 |     PlugPlayControlStartDevice,
 80 |     PlugPlayControlUnlockDevice,
 81 |     PlugPlayControlQueryAndRemoveDevice,
 82 |     PlugPlayControlUserResponse,
 83 |     PlugPlayControlGenerateLegacyDevice,
 84 |     PlugPlayControlGetInterfaceDeviceList,
 85 |     PlugPlayControlProperty,
 86 |     PlugPlayControlDeviceClassAssociation,
 87 |     PlugPlayControlGetRelatedDevice,
 88 |     PlugPlayControlGetInterfaceDeviceAlias,
 89 |     PlugPlayControlDeviceStatus,
 90 |     PlugPlayControlGetDeviceDepth,
 91 |     PlugPlayControlQueryDeviceRelations,
 92 |     PlugPlayControlTargetDeviceRelation,
 93 |     PlugPlayControlQueryConflictList,
 94 |     PlugPlayControlRetrieveDock,
 95 |     PlugPlayControlResetDevice,
 96 |     PlugPlayControlHaltDevice,
 97 |     PlugPlayControlGetBlockedDriverList,
 98 |     PlugPlayControlGetDeviceInterfaceEnabled,
 99 |     MaxPlugPlayControl
100 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS;
101 | 
102 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION < NTLIB_WIN_8)
103 | NATIVE_API(NTSTATUS, /*Nt*/GetPlugPlayEvent, (
104 |     _In_ HANDLE EventHandle,
105 |     _In_opt_ PVOID Context,
106 |     _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock,
107 |     _In_ ULONG EventBufferSize
108 | ))
109 | #endif
110 | 
111 | NATIVE_API(NTSTATUS, /*Nt*/PlugPlayControl, (
112 |     _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass,
113 |     _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData,
114 |     _In_ ULONG PnPControlDataLength
115 | ))
116 | 
117 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
118 | 
119 | NATIVE_API(NTSTATUS, /*Nt*/SerializeBoot, (
120 |     VOID
121 | ))
122 | 
123 | NATIVE_API(NTSTATUS, /*Nt*/EnableLastKnownGood, (
124 |     VOID
125 | ))
126 | 
127 | NATIVE_API(NTSTATUS, /*Nt*/DisableLastKnownGood, (
128 |     VOID
129 | ))
130 | 
131 | #endif
132 | 
133 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
134 | NATIVE_API(NTSTATUS, /*Nt*/ReplacePartitionUnit, (
135 |     _In_ PUNICODE_STRING TargetInstancePath,
136 |     _In_ PUNICODE_STRING SpareInstancePath,
137 |     _In_ ULONG Flags
138 | ))
139 | #endif
140 | 
141 | #endif
142 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntgdi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTGDI_H
  2 | #define _NTGDI_H
  3 | 
  4 | #define GDI_MAX_HANDLE_COUNT 0x4000
  5 | #define GDI_HANDLE_INDEX_SHIFT 0
  6 | #define GDI_HANDLE_INDEX_BITS 16
  7 | #define GDI_HANDLE_INDEX_MASK 0xffff
  8 | #define GDI_HANDLE_TYPE_SHIFT 16
  9 | #define GDI_HANDLE_TYPE_BITS 5
 10 | #define GDI_HANDLE_TYPE_MASK 0x1f
 11 | #define GDI_HANDLE_ALTTYPE_SHIFT 21
 12 | #define GDI_HANDLE_ALTTYPE_BITS 2
 13 | #define GDI_HANDLE_ALTTYPE_MASK 0x3
 14 | #define GDI_HANDLE_STOCK_SHIFT 23
 15 | #define GDI_HANDLE_STOCK_BITS 1
 16 | #define GDI_HANDLE_STOCK_MASK 0x1
 17 | #define GDI_HANDLE_UNIQUE_SHIFT 24
 18 | #define GDI_HANDLE_UNIQUE_BITS 8
 19 | #define GDI_HANDLE_UNIQUE_MASK 0xff
 20 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK)
 21 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK)
 22 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK)
 23 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK)
 24 | #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index)))
 25 | #define GDI_DEF_TYPE 0
 26 | #define GDI_DC_TYPE 1
 27 | #define GDI_DD_DIRECTDRAW_TYPE 2
 28 | #define GDI_DD_SURFACE_TYPE 3
 29 | #define GDI_RGN_TYPE 4
 30 | #define GDI_SURF_TYPE 5
 31 | #define GDI_CLIENTOBJ_TYPE 6
 32 | #define GDI_PATH_TYPE 7
 33 | #define GDI_PAL_TYPE 8
 34 | #define GDI_ICMLCS_TYPE 9
 35 | #define GDI_LFONT_TYPE 10
 36 | #define GDI_RFONT_TYPE 11
 37 | #define GDI_PFE_TYPE 12
 38 | #define GDI_PFT_TYPE 13
 39 | #define GDI_ICMCXF_TYPE 14
 40 | #define GDI_ICMDLL_TYPE 15
 41 | #define GDI_BRUSH_TYPE 16
 42 | #define GDI_PFF_TYPE 17 
 43 | #define GDI_CACHE_TYPE 18 
 44 | #define GDI_SPACE_TYPE 19
 45 | #define GDI_DBRUSH_TYPE 20 
 46 | #define GDI_META_TYPE 21
 47 | #define GDI_EFSTATE_TYPE 22
 48 | #define GDI_BMFD_TYPE 23 
 49 | #define GDI_VTFD_TYPE 24 
 50 | #define GDI_TTFD_TYPE 25 
 51 | #define GDI_RC_TYPE 26
 52 | #define GDI_TEMP_TYPE 27 
 53 | #define GDI_DRVOBJ_TYPE 28
 54 | #define GDI_DCIOBJ_TYPE 29 
 55 | #define GDI_SPOOL_TYPE 30
 56 | 
 57 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \
 58 |     (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT)))
 59 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16)
 60 | 
 61 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT)
 62 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT)
 63 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT)
 64 | 
 65 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT)
 66 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT)
 67 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT)
 68 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT)
 69 | #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT)
 70 | #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT)
 71 | #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT)
 72 | 
 73 | #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1)
 74 | #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1)
 75 | #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2)
 76 | #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3)
 77 | #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2)
 78 | #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1)
 79 | #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1)
 80 | 
 81 | typedef struct _GDI_HANDLE_ENTRY
 82 | {
 83 |     union
 84 |     {
 85 |         PVOID Object;
 86 |         PVOID NextFree;
 87 |     };
 88 |     union
 89 |     {
 90 |         struct
 91 |         {
 92 |             USHORT ProcessId;
 93 |             USHORT Lock : 1;
 94 |             USHORT Count : 15;
 95 |         };
 96 |         ULONG Value;
 97 |     } Owner;
 98 |     USHORT Unique;
 99 |     UCHAR Type;
100 |     UCHAR Flags;
101 |     PVOID UserPointer;
102 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;
103 | 
104 | typedef struct _GDI_SHARED_MEMORY
105 | {
106 |     GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
107 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;
108 | 
109 | #endif
110 | 


--------------------------------------------------------------------------------
/NTLib.vcxproj.filters:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup>
  4 |     <Filter Include="Headers">
  5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
  6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
  7 |     </Filter>
  8 |     <Filter Include="Headers\NtExp">
  9 |       <UniqueIdentifier>{dac22e7f-e96b-4adb-a29d-cabfa3381db6}</UniqueIdentifier>
 10 |     </Filter>
 11 |   </ItemGroup>
 12 |   <ItemGroup>
 13 |     <ClInclude Include="includes\NTExp\nttp.h">
 14 |       <Filter>Headers\NtExp</Filter>
 15 |     </ClInclude>
 16 |     <ClInclude Include="includes\NTExp\ntwow64.h">
 17 |       <Filter>Headers\NtExp</Filter>
 18 |     </ClInclude>
 19 |     <ClInclude Include="includes\NTExp\ntxcapi.h">
 20 |       <Filter>Headers\NtExp</Filter>
 21 |     </ClInclude>
 22 |     <ClInclude Include="includes\NTExp\subprocesstag.h">
 23 |       <Filter>Headers\NtExp</Filter>
 24 |     </ClInclude>
 25 |     <ClInclude Include="includes\NTExp\winsta.h">
 26 |       <Filter>Headers\NtExp</Filter>
 27 |     </ClInclude>
 28 |     <ClInclude Include="includes\NTExp\ntcommon.h">
 29 |       <Filter>Headers\NtExp</Filter>
 30 |     </ClInclude>
 31 |     <ClInclude Include="includes\NTExp\ntcompatibility.h">
 32 |       <Filter>Headers\NtExp</Filter>
 33 |     </ClInclude>
 34 |     <ClInclude Include="includes\NTExp\ntdbg.h">
 35 |       <Filter>Headers\NtExp</Filter>
 36 |     </ClInclude>
 37 |     <ClInclude Include="includes\NTExp\ntexapi.h">
 38 |       <Filter>Headers\NtExp</Filter>
 39 |     </ClInclude>
 40 |     <ClInclude Include="includes\NTExp\ntgdi.h">
 41 |       <Filter>Headers\NtExp</Filter>
 42 |     </ClInclude>
 43 |     <ClInclude Include="includes\NTExp\ntioapi.h">
 44 |       <Filter>Headers\NtExp</Filter>
 45 |     </ClInclude>
 46 |     <ClInclude Include="includes\NTExp\ntkeapi.h">
 47 |       <Filter>Headers\NtExp</Filter>
 48 |     </ClInclude>
 49 |     <ClInclude Include="includes\NTExp\ntldr.h">
 50 |       <Filter>Headers\NtExp</Filter>
 51 |     </ClInclude>
 52 |     <ClInclude Include="includes\NTExp\ntlpcapi.h">
 53 |       <Filter>Headers\NtExp</Filter>
 54 |     </ClInclude>
 55 |     <ClInclude Include="includes\NTExp\ntmisc.h">
 56 |       <Filter>Headers\NtExp</Filter>
 57 |     </ClInclude>
 58 |     <ClInclude Include="includes\NTExp\ntmmapi.h">
 59 |       <Filter>Headers\NtExp</Filter>
 60 |     </ClInclude>
 61 |     <ClInclude Include="includes\NTExp\ntnls.h">
 62 |       <Filter>Headers\NtExp</Filter>
 63 |     </ClInclude>
 64 |     <ClInclude Include="includes\NTExp\ntobapi.h">
 65 |       <Filter>Headers\NtExp</Filter>
 66 |     </ClInclude>
 67 |     <ClInclude Include="includes\NTExp\ntpebteb.h">
 68 |       <Filter>Headers\NtExp</Filter>
 69 |     </ClInclude>
 70 |     <ClInclude Include="includes\NTExp\ntpfapi.h">
 71 |       <Filter>Headers\NtExp</Filter>
 72 |     </ClInclude>
 73 |     <ClInclude Include="includes\NTExp\ntpnpapi.h">
 74 |       <Filter>Headers\NtExp</Filter>
 75 |     </ClInclude>
 76 |     <ClInclude Include="includes\NTExp\ntpoapi.h">
 77 |       <Filter>Headers\NtExp</Filter>
 78 |     </ClInclude>
 79 |     <ClInclude Include="includes\NTExp\ntpsapi.h">
 80 |       <Filter>Headers\NtExp</Filter>
 81 |     </ClInclude>
 82 |     <ClInclude Include="includes\NTExp\ntregapi.h">
 83 |       <Filter>Headers\NtExp</Filter>
 84 |     </ClInclude>
 85 |     <ClInclude Include="includes\NTExp\ntrtl.h">
 86 |       <Filter>Headers\NtExp</Filter>
 87 |     </ClInclude>
 88 |     <ClInclude Include="includes\NTExp\ntsam.h">
 89 |       <Filter>Headers\NtExp</Filter>
 90 |     </ClInclude>
 91 |     <ClInclude Include="includes\NTExp\ntseapi.h">
 92 |       <Filter>Headers\NtExp</Filter>
 93 |     </ClInclude>
 94 |     <ClInclude Include="includes\NTExp\ntsmss.h">
 95 |       <Filter>Headers\NtExp</Filter>
 96 |     </ClInclude>
 97 |     <ClInclude Include="includes\NTExp\ntstatus.h">
 98 |       <Filter>Headers\NtExp</Filter>
 99 |     </ClInclude>
100 |     <ClInclude Include="includes\NTExp\nttmapi.h">
101 |       <Filter>Headers\NtExp</Filter>
102 |     </ClInclude>
103 |     <ClInclude Include="includes\NTExp.h">
104 |       <Filter>Headers</Filter>
105 |     </ClInclude>
106 |     <ClInclude Include="includes\NTLib.h">
107 |       <Filter>Headers</Filter>
108 |     </ClInclude>
109 |   </ItemGroup>
110 | </Project>


--------------------------------------------------------------------------------
/includes/NTExp/ntpoapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTPOAPI_H
  2 | #define _NTPOAPI_H
  3 | 
  4 | typedef union _POWER_STATE
  5 | {
  6 |     SYSTEM_POWER_STATE SystemState;
  7 |     DEVICE_POWER_STATE DeviceState;
  8 | } POWER_STATE, *PPOWER_STATE;
  9 | 
 10 | typedef enum _POWER_STATE_TYPE
 11 | {
 12 |     SystemPowerState = 0,
 13 |     DevicePowerState
 14 | } POWER_STATE_TYPE, *PPOWER_STATE_TYPE;
 15 | 
 16 | #if (NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
 17 | typedef struct _SYSTEM_POWER_STATE_CONTEXT
 18 | {
 19 |     union
 20 |     {
 21 |         struct
 22 |         {
 23 |             ULONG Reserved1 : 8;
 24 |             ULONG TargetSystemState : 4;
 25 |             ULONG EffectiveSystemState : 4;
 26 |             ULONG CurrentSystemState : 4;
 27 |             ULONG IgnoreHibernationPath : 1;
 28 |             ULONG PseudoTransition : 1;
 29 |             ULONG Reserved2 : 10;
 30 |         };
 31 |         ULONG ContextAsUlong;
 32 |     };
 33 | } SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT;
 34 | #endif
 35 | 
 36 | #if (NTLIB_WIN_VERSION >= NTLIB_WIN_7)
 37 | typedef struct _COUNTED_REASON_CONTEXT
 38 | {
 39 |     ULONG Version;
 40 |     ULONG Flags;
 41 |     union
 42 |     {
 43 |         struct
 44 |         {
 45 |             UNICODE_STRING ResourceFileName;
 46 |             USHORT ResourceReasonId;
 47 |             ULONG StringCount;
 48 |             PUNICODE_STRING _Field_size_(StringCount) ReasonStrings;
 49 |         };
 50 |         UNICODE_STRING SimpleString;
 51 |     };
 52 | } COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT;
 53 | #endif
 54 | 
 55 | typedef enum _POWER_STATE_HANDLER_TYPE
 56 | {
 57 |     PowerStateSleeping1 = 0,
 58 |     PowerStateSleeping2 = 1,
 59 |     PowerStateSleeping3 = 2,
 60 |     PowerStateSleeping4 = 3,
 61 |     PowerStateShutdownOff = 4,
 62 |     PowerStateShutdownReset = 5,
 63 |     PowerStateSleeping4Firmware = 6,
 64 |     PowerStateMaximum = 7
 65 | } POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE;
 66 | 
 67 | typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)(
 68 |     _In_ PVOID SystemContext
 69 |     );
 70 | 
 71 | typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)(
 72 |     _In_ PVOID Context,
 73 |     _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler,
 74 |     _In_ PVOID SystemContext,
 75 |     _In_ LONG NumberProcessors,
 76 |     _In_ volatile PLONG Number
 77 |     );
 78 | 
 79 | typedef struct _POWER_STATE_HANDLER
 80 | {
 81 |     POWER_STATE_HANDLER_TYPE Type;
 82 |     BOOLEAN RtcWake;
 83 |     UCHAR Spare[3];
 84 |     PENTER_STATE_HANDLER Handler;
 85 |     PVOID Context;
 86 | } POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER;
 87 | 
 88 | typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)(
 89 |     _In_ POWER_STATE_HANDLER_TYPE State,
 90 |     _In_ PVOID Context,
 91 |     _In_ BOOLEAN Entering
 92 |     );
 93 | 
 94 | typedef struct _POWER_STATE_NOTIFY_HANDLER
 95 | {
 96 |     PENTER_STATE_NOTIFY_HANDLER Handler;
 97 |     PVOID Context;
 98 | } POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER;
 99 | 
100 | typedef struct _PROCESSOR_POWER_INFORMATION
101 | {
102 |     ULONG Number;
103 |     ULONG MaxMhz;
104 |     ULONG CurrentMhz;
105 |     ULONG MhzLimit;
106 |     ULONG MaxIdleState;
107 |     ULONG CurrentIdleState;
108 | } PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION;
109 | 
110 | typedef struct _SYSTEM_POWER_INFORMATION
111 | {
112 |     ULONG MaxIdlenessAllowed;
113 |     ULONG Idleness;
114 |     ULONG TimeRemaining;
115 |     UCHAR CoolingMode;
116 | } SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;
117 | 
118 | NATIVE_API(NTSTATUS, /*Nt*/PowerInformation, (
119 |     _In_ POWER_INFORMATION_LEVEL InformationLevel,
120 |     _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
121 |     _In_ ULONG InputBufferLength,
122 |     _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
123 |     _In_ ULONG OutputBufferLength
124 | ))
125 | 
126 | NATIVE_API(NTSTATUS, /*Nt*/SetThreadExecutionState, (
127 |     _In_ EXECUTION_STATE NewFlags, // ES_* flags
128 |     _Out_ EXECUTION_STATE *PreviousFlags
129 | ))
130 | 
131 | NATIVE_API(NTSTATUS, /*Nt*/RequestWakeupLatency, (
132 |     _In_ LATENCY_TIME latency
133 | ))
134 | 
135 | NATIVE_API(NTSTATUS, /*Nt*/InitiatePowerAction, (
136 |     _In_ POWER_ACTION SystemAction,
137 |     _In_ SYSTEM_POWER_STATE LightestSystemState,
138 |     _In_ ULONG Flags, // POWER_ACTION_* flags
139 |     _In_ BOOLEAN Asynchronous
140 | ))
141 | 
142 | NATIVE_API(NTSTATUS, /*Nt*/SetSystemPowerState, (
143 |     _In_ POWER_ACTION SystemAction,
144 |     _In_ SYSTEM_POWER_STATE LightestSystemState,
145 |     _In_ ULONG Flags
146 | ))
147 | 
148 | NATIVE_API(NTSTATUS, /*Nt*/GetDevicePowerState, (
149 |     _In_ HANDLE Device,
150 |     _Out_ PDEVICE_POWER_STATE State
151 | ))
152 | 
153 | NATIVE_API(BOOLEAN, /*Nt*/IsSystemResumeAutomatic, (
154 |     VOID
155 | ))
156 | 
157 | #endif
158 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntcommon.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <Windows.h>
  4 | 
  5 | typedef char CCHAR;
  6 | typedef short CSHORT;
  7 | typedef ULONG CLONG;
  8 | 
  9 | typedef CCHAR *PCCHAR;
 10 | typedef CSHORT *PCSHORT;
 11 | typedef CLONG *PCLONG;
 12 | 
 13 | typedef PCSTR PCSZ;
 14 | 
 15 | typedef UCHAR KIRQL, *PKIRQL;
 16 | typedef LONG KPRIORITY;
 17 | typedef USHORT RTL_ATOM, *PRTL_ATOM;
 18 | 
 19 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
 20 | 
 21 | typedef ULONG LOGICAL;
 22 | typedef ULONG *PLOGICAL;
 23 | 
 24 | typedef struct _ANSI_STRING {
 25 |     USHORT Length;
 26 |     USHORT MaximumLength;
 27 |     PCHAR  Buffer;
 28 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;
 29 | 
 30 | typedef struct _LSA_UNICODE_STRING {
 31 |     USHORT Length;
 32 |     USHORT MaximumLength;
 33 |     PWSTR  Buffer;
 34 | } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
 35 | 
 36 | typedef const STRING *PCSTRING;
 37 | typedef const ANSI_STRING *PCANSI_STRING;
 38 | typedef const OEM_STRING *PCOEM_STRING;
 39 | 
 40 | typedef const UNICODE_STRING *PCUNICODE_STRING;
 41 | 
 42 | #define OBJ_INHERIT 0x00000002
 43 | #define OBJ_PERMANENT 0x00000010
 44 | #define OBJ_EXCLUSIVE 0x00000020
 45 | #define OBJ_CASE_INSENSITIVE 0x00000040
 46 | #define OBJ_OPENIF 0x00000080
 47 | #define OBJ_OPENLINK 0x00000100
 48 | #define OBJ_KERNEL_HANDLE 0x00000200
 49 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400
 50 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800
 51 | #define OBJ_DONT_REPARSE 0x00001000
 52 | #define OBJ_VALID_ATTRIBUTES 0x00001ff2
 53 | 
 54 | typedef struct _OBJECT_ATTRIBUTES {
 55 |     ULONG           Length;
 56 |     HANDLE          RootDirectory;
 57 |     PUNICODE_STRING ObjectName;
 58 |     ULONG           Attributes;
 59 |     PVOID           SecurityDescriptor;
 60 |     PVOID           SecurityQualityOfService;
 61 | }  OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
 62 | 
 63 | typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION {
 64 |     BOOLEAN Inherit;
 65 |     BOOLEAN ProtectFromClose;
 66 | } OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION;
 67 | 
 68 | #define InitializeObjectAttributes(p, n, a, r, s) { \
 69 |     (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
 70 |     (p)->RootDirectory = r; \
 71 |     (p)->Attributes = a; \
 72 |     (p)->ObjectName = n; \
 73 |     (p)->SecurityDescriptor = s; \
 74 |     (p)->SecurityQualityOfService = NULL; \
 75 | }
 76 | 
 77 | typedef struct _CURRENT_DIRECTORY {
 78 |     UNICODE_STRING DosPath;
 79 |     PVOID          Handle;
 80 | } CURRENT_DIRECTORY, *PCURRENT_DIRECTORY;
 81 | 
 82 | typedef struct _CLIENT_ID
 83 | {
 84 |     HANDLE UniqueProcess;
 85 |     HANDLE UniqueThread;
 86 | } CLIENT_ID, *PCLIENT_ID;
 87 | 
 88 | typedef struct _CLIENT_ID32
 89 | {
 90 |     ULONG UniqueProcess;
 91 |     ULONG UniqueThread;
 92 | } CLIENT_ID32, *PCLIENT_ID32;
 93 | 
 94 | typedef struct _CLIENT_ID64
 95 | {
 96 |     ULONGLONG UniqueProcess;
 97 |     ULONGLONG UniqueThread;
 98 | } CLIENT_ID64, *PCLIENT_ID64;
 99 | 
100 | #include <pshpack4.h>
101 | 
102 | typedef struct _KSYSTEM_TIME
103 | {
104 |     ULONG LowPart;
105 |     LONG High1Time;
106 |     LONG High2Time;
107 | } KSYSTEM_TIME, *PKSYSTEM_TIME;
108 | 
109 | #include <poppack.h>
110 | 
111 | typedef enum _EVENT_TYPE
112 | {
113 |     NotificationEvent,
114 |     SynchronizationEvent
115 | } EVENT_TYPE;
116 | 
117 | typedef enum _TIMER_TYPE
118 | {
119 |     NotificationTimer,
120 |     SynchronizationTimer
121 | } TIMER_TYPE;
122 | 
123 | typedef enum _WAIT_TYPE
124 | {
125 |     WaitAll,
126 |     WaitAny,
127 |     WaitNotification
128 | } WAIT_TYPE;
129 | 
130 | typedef enum _NT_PRODUCT_TYPE
131 | {
132 |     NtProductWinNt = 1,
133 |     NtProductLanManNt,
134 |     NtProductServer
135 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
136 | 
137 | typedef enum _SUITE_TYPE
138 | {
139 |     SmallBusiness,
140 |     Enterprise,
141 |     BackOffice,
142 |     CommunicationServer,
143 |     TerminalServer,
144 |     SmallBusinessRestricted,
145 |     EmbeddedNT,
146 |     DataCenter,
147 |     SingleUserTS,
148 |     Personal,
149 |     Blade,
150 |     EmbeddedRestricted,
151 |     SecurityAppliance,
152 |     StorageServer,
153 |     ComputeServer,
154 |     WHServer,
155 |     PhoneNT,
156 |     MaxSuiteType
157 | } SUITE_TYPE;
158 | 
159 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3
160 | 
161 | typedef struct _RTL_BALANCED_NODE
162 | {
163 |     union
164 |     {
165 |         struct _RTL_BALANCED_NODE *Children[2];
166 |         struct
167 |         {
168 |             struct _RTL_BALANCED_NODE *Left;
169 |             struct _RTL_BALANCED_NODE *Right;
170 |         };
171 |     };
172 |     union
173 |     {
174 |         UCHAR Red : 1;
175 |         UCHAR Balance : 2;
176 |         ULONG_PTR ParentValue;
177 |     };
178 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
179 | 
180 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \
181 |     ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))
182 | 
183 | typedef struct _SINGLE_LIST_ENTRY32
184 | {
185 |     ULONG Next;
186 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32;
187 | 
188 | typedef struct _STRING32
189 | {
190 |     USHORT Length;
191 |     USHORT MaximumLength;
192 |     ULONG Buffer;
193 | } STRING32, *PSTRING32;
194 | 
195 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
196 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32;
197 | 
198 | typedef struct _STRING64
199 | {
200 |     USHORT Length;
201 |     USHORT MaximumLength;
202 |     ULONGLONG Buffer;
203 | } STRING64, *PSTRING64;
204 | 
205 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
206 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64;
207 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntcompatibility.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <Windows.h>
  4 | 
  5 | #define MEM_EXTENDED_PARAMETER_TYPE_BITS 8
  6 | 
  7 | typedef struct MEM_EXTENDED_PARAMETER {
  8 |     struct {
  9 |         DWORD64 Type : MEM_EXTENDED_PARAMETER_TYPE_BITS;
 10 |         DWORD64 Reserved : 64 - MEM_EXTENDED_PARAMETER_TYPE_BITS;
 11 |     } DUMMYSTRUCTNAME;
 12 |     union {
 13 |         DWORD64 ULong64;
 14 |         PVOID   Pointer;
 15 |         SIZE_T  Size;
 16 |         HANDLE  Handle;
 17 |         DWORD   ULong;
 18 |     } DUMMYUNIONNAME;
 19 | } MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
 20 | 
 21 | typedef struct _CFG_CALL_TARGET_INFO {
 22 |     ULONG_PTR Offset;
 23 |     ULONG_PTR Flags;
 24 | } CFG_CALL_TARGET_INFO, *PCFG_CALL_TARGET_INFO;
 25 | 
 26 | typedef struct _PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY {
 27 |     union {
 28 |         DWORD Flags;
 29 |         struct {
 30 |             DWORD EnableControlFlowGuard : 1;
 31 |             DWORD EnableExportSuppression : 1;
 32 |             DWORD StrictMode : 1;
 33 |             DWORD ReservedFlags : 29;
 34 |         } DUMMYSTRUCTNAME;
 35 |     } DUMMYUNIONNAME;
 36 | } PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY;
 37 | 
 38 | typedef struct _PROCESS_MITIGATION_FONT_DISABLE_POLICY {
 39 |     union {
 40 |         DWORD Flags;
 41 |         struct {
 42 |             DWORD DisableNonSystemFonts : 1;
 43 |             DWORD AuditNonSystemFontLoading : 1;
 44 |             DWORD ReservedFlags : 30;
 45 |         } DUMMYSTRUCTNAME;
 46 |     } DUMMYUNIONNAME;
 47 | } PROCESS_MITIGATION_FONT_DISABLE_POLICY, *PPROCESS_MITIGATION_FONT_DISABLE_POLICY;
 48 | 
 49 | typedef struct _PROCESS_MITIGATION_IMAGE_LOAD_POLICY {
 50 |     union {
 51 |         DWORD Flags;
 52 |         struct {
 53 |             DWORD NoRemoteImages : 1;
 54 |             DWORD NoLowMandatoryLabelImages : 1;
 55 |             DWORD PreferSystem32Images : 1;
 56 |             DWORD AuditNoRemoteImages : 1;
 57 |             DWORD AuditNoLowMandatoryLabelImages : 1;
 58 |             DWORD ReservedFlags : 27;
 59 |         } DUMMYSTRUCTNAME;
 60 |     } DUMMYUNIONNAME;
 61 | } PROCESS_MITIGATION_IMAGE_LOAD_POLICY, *PPROCESS_MITIGATION_IMAGE_LOAD_POLICY;
 62 | 
 63 | typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY {
 64 |     union {
 65 |         ULONG Flags;
 66 |         struct {
 67 |             ULONG FilterId : 4;
 68 |             ULONG ReservedFlags : 28;
 69 |         } DUMMYSTRUCTNAME;
 70 |     } DUMMYUNIONNAME;
 71 | } PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY;
 72 | 
 73 | typedef struct _PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY {
 74 |     union {
 75 |         ULONG Flags;
 76 |         struct {
 77 |             ULONG EnableExportAddressFilter : 1;
 78 |             ULONG AuditExportAddressFilter : 1;
 79 |             ULONG EnableExportAddressFilterPlus : 1;
 80 |             ULONG AuditExportAddressFilterPlus : 1;
 81 |             ULONG EnableImportAddressFilter : 1;
 82 |             ULONG AuditImportAddressFilter : 1;
 83 |             ULONG EnableRopStackPivot : 1;
 84 |             ULONG AuditRopStackPivot : 1;
 85 |             ULONG EnableRopCallerCheck : 1;
 86 |             ULONG AuditRopCallerCheck : 1;
 87 |             ULONG EnableRopSimExec : 1;
 88 |             ULONG AuditRopSimExec : 1;
 89 |             ULONG ReservedFlags : 20;
 90 |         } DUMMYSTRUCTNAME;
 91 |     } DUMMYUNIONNAME;
 92 | } PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY, *PPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY;
 93 | 
 94 | typedef struct _PROCESS_MITIGATION_CHILD_PROCESS_POLICY {
 95 |     union {
 96 |         ULONG Flags;
 97 |         struct {
 98 |             ULONG NoChildProcessCreation : 1;
 99 |             ULONG AuditNoChildProcessCreation : 1;
100 |             ULONG AllowSecureProcessCreation : 1;
101 |             ULONG ReservedFlags : 29;
102 |         } DUMMYSTRUCTNAME;
103 |     } DUMMYUNIONNAME;
104 | } PROCESS_MITIGATION_CHILD_PROCESS_POLICY, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY;
105 | 
106 | typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY {
107 |     ULONG reserved;
108 | } PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY;
109 | 
110 | typedef GUID* PGUID;
111 | 
112 | typedef enum _OS_DEPLOYEMENT_STATE_VALUES
113 | {
114 |     OS_DEPLOYMENT_STANDARD = 1,
115 |     OS_DEPLOYMENT_COMPACT
116 | } OS_DEPLOYEMENT_STATE_VALUES;
117 | 
118 | typedef enum _PNP_VETO_TYPE {
119 |     PNP_VetoTypeUnknown,
120 |     PNP_VetoLegacyDevice,
121 |     PNP_VetoPendingClose,
122 |     PNP_VetoWindowsApp,
123 |     PNP_VetoWindowsService,
124 |     PNP_VetoOutstandingOpen,
125 |     PNP_VetoDevice,
126 |     PNP_VetoDriver,
127 |     PNP_VetoIllegalDeviceRequest,
128 |     PNP_VetoInsufficientPower,
129 |     PNP_VetoNonDisableable,
130 |     PNP_VetoLegacyDriver,
131 |     PNP_VetoInsufficientRights,
132 |     PNP_VetoAlreadyRemoved
133 | } PNP_VETO_TYPE, *PPNP_VETO_TYPE;
134 | 
135 | typedef UCHAR SE_SIGNING_LEVEL, *PSE_SIGNING_LEVEL;
136 | 
137 | typedef _IMAGE_RUNTIME_FUNCTION_ENTRY RUNTIME_FUNCTION, *PRUNTIME_FUNCTION;
138 | 
139 | #ifndef _WIN64
140 | typedef FARPROC PGET_RUNTIME_FUNCTION_CALLBACK;
141 | #endif
142 | 
143 | #define SE_SIGNING_LEVEL_UNCHECKED         0x00000000
144 | #define SE_SIGNING_LEVEL_UNSIGNED          0x00000001
145 | #define SE_SIGNING_LEVEL_ENTERPRISE        0x00000002
146 | #define SE_SIGNING_LEVEL_CUSTOM_1          0x00000003
147 | #define SE_SIGNING_LEVEL_AUTHENTICODE      0x00000004
148 | #define SE_SIGNING_LEVEL_CUSTOM_2          0x00000005
149 | #define SE_SIGNING_LEVEL_STORE             0x00000006
150 | #define SE_SIGNING_LEVEL_CUSTOM_3          0x00000007
151 | #define SE_SIGNING_LEVEL_ANTIMALWARE       SE_SIGNING_LEVEL_CUSTOM_3
152 | #define SE_SIGNING_LEVEL_MICROSOFT         0x00000008
153 | #define SE_SIGNING_LEVEL_CUSTOM_4          0x00000009
154 | #define SE_SIGNING_LEVEL_CUSTOM_5          0x0000000A
155 | #define SE_SIGNING_LEVEL_DYNAMIC_CODEGEN   0x0000000B
156 | #define SE_SIGNING_LEVEL_WINDOWS           0x0000000C
157 | #define SE_SIGNING_LEVEL_CUSTOM_7          0x0000000D
158 | #define SE_SIGNING_LEVEL_WINDOWS_TCB       0x0000000E
159 | #define SE_SIGNING_LEVEL_CUSTOM_6          0x0000000F


--------------------------------------------------------------------------------
/includes/NTExp/ntdbg.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTDBG_H
  2 | #define _NTDBG_H
  3 | 
  4 | NTDLL_API_VOID(DbgUserBreakPoint, (
  5 |     VOID
  6 | ))
  7 | 
  8 | NTDLL_API_VOID(DbgBreakPoint, (
  9 |     VOID
 10 | ))
 11 | 
 12 | NTDLL_API_VOID(DbgBreakPointWithStatus, (
 13 |     _In_ ULONG Status
 14 | ))
 15 | 
 16 | #define DBG_STATUS_CONTROL_C 1
 17 | #define DBG_STATUS_SYSRQ 2
 18 | #define DBG_STATUS_BUGCHECK_FIRST 3
 19 | #define DBG_STATUS_BUGCHECK_SECOND 4
 20 | #define DBG_STATUS_FATAL 5
 21 | #define DBG_STATUS_DEBUG_CONTROL 6
 22 | #define DBG_STATUS_WORKER 7
 23 | 
 24 | NTSYSAPI
 25 | ULONG
 26 | STDAPIVCALLTYPE
 27 | DbgPrint(
 28 |     _In_z_ _Printf_format_string_ PSTR Format,
 29 |     ...
 30 |     );
 31 | 
 32 | NTSYSAPI
 33 | ULONG
 34 | STDAPIVCALLTYPE
 35 | DbgPrintEx(
 36 |     _In_ ULONG ComponentId,
 37 |     _In_ ULONG Level,
 38 |     _In_z_ _Printf_format_string_ PSTR Format,
 39 |     ...
 40 |     );
 41 | 
 42 | NTDLL_API(ULONG, vDbgPrintEx, (
 43 |     _In_ ULONG ComponentId,
 44 |     _In_ ULONG Level,
 45 |     _In_z_ PCH Format,
 46 |     _In_ va_list arglist
 47 | ))
 48 | 
 49 | NTDLL_API(ULONG, vDbgPrintExWithPrefix, (
 50 |     _In_z_ PCH Prefix,
 51 |     _In_ ULONG ComponentId,
 52 |     _In_ ULONG Level,
 53 |     _In_z_ PCH Format,
 54 |     _In_ va_list arglist
 55 | ))
 56 | 
 57 | NTDLL_API(NTSTATUS, DbgQueryDebugFilterState, (
 58 |     _In_ ULONG ComponentId,
 59 |     _In_ ULONG Level
 60 | ))
 61 | 
 62 | NTDLL_API(NTSTATUS, DbgSetDebugFilterState, (
 63 |     _In_ ULONG ComponentId,
 64 |     _In_ ULONG Level,
 65 |     _In_ BOOLEAN State
 66 | ))
 67 | 
 68 | NTDLL_API(ULONG, DbgPrompt, (
 69 |     _In_ PCH Prompt,
 70 |     _Out_writes_bytes_(Length) PCH Response,
 71 |     _In_ ULONG Length
 72 | ))
 73 | 
 74 | typedef struct _DBGKM_EXCEPTION
 75 | {
 76 |     EXCEPTION_RECORD ExceptionRecord;
 77 |     ULONG FirstChance;
 78 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION;
 79 | 
 80 | typedef struct _DBGKM_CREATE_THREAD
 81 | {
 82 |     ULONG SubSystemKey;
 83 |     PVOID StartAddress;
 84 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD;
 85 | 
 86 | typedef struct _DBGKM_CREATE_PROCESS
 87 | {
 88 |     ULONG SubSystemKey;
 89 |     HANDLE FileHandle;
 90 |     PVOID BaseOfImage;
 91 |     ULONG DebugInfoFileOffset;
 92 |     ULONG DebugInfoSize;
 93 |     DBGKM_CREATE_THREAD InitialThread;
 94 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS;
 95 | 
 96 | typedef struct _DBGKM_EXIT_THREAD
 97 | {
 98 |     NTSTATUS ExitStatus;
 99 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD;
100 | 
101 | typedef struct _DBGKM_EXIT_PROCESS
102 | {
103 |     NTSTATUS ExitStatus;
104 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS;
105 | 
106 | typedef struct _DBGKM_LOAD_DLL
107 | {
108 |     HANDLE FileHandle;
109 |     PVOID BaseOfDll;
110 |     ULONG DebugInfoFileOffset;
111 |     ULONG DebugInfoSize;
112 |     PVOID NamePointer;
113 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL;
114 | 
115 | typedef struct _DBGKM_UNLOAD_DLL
116 | {
117 |     PVOID BaseAddress;
118 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL;
119 | 
120 | typedef enum _DBG_STATE
121 | {
122 |     DbgIdle,
123 |     DbgReplyPending,
124 |     DbgCreateThreadStateChange,
125 |     DbgCreateProcessStateChange,
126 |     DbgExitThreadStateChange,
127 |     DbgExitProcessStateChange,
128 |     DbgExceptionStateChange,
129 |     DbgBreakpointStateChange,
130 |     DbgSingleStepStateChange,
131 |     DbgLoadDllStateChange,
132 |     DbgUnloadDllStateChange
133 | } DBG_STATE, *PDBG_STATE;
134 | 
135 | typedef struct _DBGUI_CREATE_THREAD
136 | {
137 |     HANDLE HandleToThread;
138 |     DBGKM_CREATE_THREAD NewThread;
139 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD;
140 | 
141 | typedef struct _DBGUI_CREATE_PROCESS
142 | {
143 |     HANDLE HandleToProcess;
144 |     HANDLE HandleToThread;
145 |     DBGKM_CREATE_PROCESS NewProcess;
146 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS;
147 | 
148 | typedef struct _DBGUI_WAIT_STATE_CHANGE
149 | {
150 |     DBG_STATE NewState;
151 |     CLIENT_ID AppClientId;
152 |     union
153 |     {
154 |         DBGKM_EXCEPTION Exception;
155 |         DBGUI_CREATE_THREAD CreateThread;
156 |         DBGUI_CREATE_PROCESS CreateProcessInfo;
157 |         DBGKM_EXIT_THREAD ExitThread;
158 |         DBGKM_EXIT_PROCESS ExitProcess;
159 |         DBGKM_LOAD_DLL LoadDll;
160 |         DBGKM_UNLOAD_DLL UnloadDll;
161 |     } StateInfo;
162 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE;
163 | 
164 | #define DEBUG_READ_EVENT 0x0001
165 | #define DEBUG_PROCESS_ASSIGN 0x0002
166 | #define DEBUG_SET_INFORMATION 0x0004
167 | #define DEBUG_QUERY_INFORMATION 0x0008
168 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
169 |     DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \
170 |     DEBUG_QUERY_INFORMATION)
171 | 
172 | #define DEBUG_KILL_ON_CLOSE 0x1
173 | 
174 | typedef enum _DEBUGOBJECTINFOCLASS
175 | {
176 |     DebugObjectUnusedInformation,
177 |     DebugObjectKillProcessOnExitInformation,
178 |     MaxDebugObjectInfoClass
179 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
180 | 
181 | NATIVE_API(NTSTATUS, /*Nt*/CreateDebugObject, (
182 |     _Out_ PHANDLE DebugObjectHandle,
183 |     _In_ ACCESS_MASK DesiredAccess,
184 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
185 |     _In_ ULONG Flags
186 | ))
187 | 
188 | NATIVE_API(NTSTATUS, /*Nt*/DebugActiveProcess, (
189 |     _In_ HANDLE ProcessHandle,
190 |     _In_ HANDLE DebugObjectHandle
191 | ))
192 | 
193 | NATIVE_API(NTSTATUS, /*Nt*/DebugContinue, (
194 |     _In_ HANDLE DebugObjectHandle,
195 |     _In_ PCLIENT_ID ClientId,
196 |     _In_ NTSTATUS ContinueStatus
197 | ))
198 | 
199 | NATIVE_API(NTSTATUS, /*Nt*/RemoveProcessDebug, (
200 |     _In_ HANDLE ProcessHandle,
201 |     _In_ HANDLE DebugObjectHandle
202 | ))
203 | 
204 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationDebugObject, (
205 |     _In_ HANDLE DebugObjectHandle,
206 |     _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
207 |     _In_ PVOID DebugInformation,
208 |     _In_ ULONG DebugInformationLength,
209 |     _Out_opt_ PULONG ReturnLength
210 | ))
211 | 
212 | NATIVE_API(NTSTATUS, /*Nt*/WaitForDebugEvent, (
213 |     _In_ HANDLE DebugObjectHandle,
214 |     _In_ BOOLEAN Alertable,
215 |     _In_opt_ PLARGE_INTEGER Timeout,
216 |     _Out_ PVOID WaitStateChange
217 | ))
218 | 
219 | NTDLL_API(NTSTATUS, DbgUiConnectToDbg, (
220 |     VOID
221 | ))
222 | 
223 | NTDLL_API(HANDLE, DbgUiGetThreadDebugObject, (
224 |     VOID
225 | ))
226 | 
227 | NTDLL_API_VOID(DbgUiSetThreadDebugObject, (
228 |     _In_ HANDLE DebugObject
229 | ))
230 | 
231 | NTDLL_API(NTSTATUS, DbgUiWaitStateChange, (
232 |     _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange,
233 |     _In_opt_ PLARGE_INTEGER Timeout
234 | ))
235 | 
236 | NTDLL_API(NTSTATUS, DbgUiContinue, (
237 |     _In_ PCLIENT_ID AppClientId,
238 |     _In_ NTSTATUS ContinueStatus
239 | ))
240 | 
241 | NTDLL_API(NTSTATUS, DbgUiStopDebugging, (
242 |     _In_ HANDLE Process
243 | ))
244 | 
245 | NTDLL_API(NTSTATUS, DbgUiDebugActiveProcess, (
246 |     _In_ HANDLE Process
247 | ))
248 | 
249 | NTDLL_API_VOID(DbgUiRemoteBreakin, (
250 |     _In_ PVOID Context
251 | ))
252 | 
253 | NTDLL_API(NTSTATUS, DbgUiIssueRemoteBreakin, (
254 |     _In_ HANDLE Process
255 | ))
256 | 
257 | NTDLL_API(NTSTATUS, DbgUiConvertStateChangeStructure, (
258 |     _In_ PDBGUI_WAIT_STATE_CHANGE StateChange,
259 |     _Out_ LPDEBUG_EVENT DebugEvent
260 | ))
261 | 
262 | struct _EVENT_FILTER_DESCRIPTOR;
263 | 
264 | typedef VOID (NTAPI *PENABLECALLBACK)(
265 |     _In_ LPCGUID SourceId,
266 |     _In_ ULONG IsEnabled,
267 |     _In_ UCHAR Level,
268 |     _In_ ULONGLONG MatchAnyKeyword,
269 |     _In_ ULONGLONG MatchAllKeyword,
270 |     _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData,
271 |     _Inout_opt_ PVOID CallbackContext
272 |     );
273 | 
274 | typedef ULONGLONG REGHANDLE, *PREGHANDLE;
275 | 
276 | NTDLL_API(NTSTATUS, EtwEventRegister, (
277 |     _In_ LPCGUID ProviderId,
278 |     _In_opt_ PENABLECALLBACK EnableCallback,
279 |     _In_opt_ PVOID CallbackContext,
280 |     _Out_ PREGHANDLE RegHandle
281 | ))
282 | 
283 | #endif
284 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntpfapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTPFAPI_H
  2 | #define _NTPFAPI_H
  3 | 
  4 | typedef enum _PF_BOOT_PHASE_ID
  5 | {
  6 |     PfKernelInitPhase = 0,
  7 |     PfBootDriverInitPhase = 90,
  8 |     PfSystemDriverInitPhase = 120,
  9 |     PfSessionManagerInitPhase = 150,
 10 |     PfSMRegistryInitPhase = 180,
 11 |     PfVideoInitPhase = 210,
 12 |     PfPostVideoInitPhase = 240,
 13 |     PfBootAcceptedRegistryInitPhase = 270,
 14 |     PfUserShellReadyPhase = 300,
 15 |     PfMaxBootPhaseId = 900
 16 | } PF_BOOT_PHASE_ID;
 17 | 
 18 | typedef enum _PF_ENABLE_STATUS
 19 | {
 20 |     PfSvNotSpecified,
 21 |     PfSvEnabled,
 22 |     PfSvDisabled,
 23 |     PfSvMaxEnableStatus
 24 | } PF_ENABLE_STATUS;
 25 | 
 26 | typedef struct _PF_TRACE_LIMITS
 27 | {
 28 |     ULONG MaxNumPages;
 29 |     ULONG MaxNumSections;
 30 |     LONGLONG TimerPeriod;
 31 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS;
 32 | 
 33 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS
 34 | {
 35 |     PF_ENABLE_STATUS EnableStatus[2];
 36 |     PF_TRACE_LIMITS TraceLimits[2];
 37 |     ULONG MaxNumActiveTraces;
 38 |     ULONG MaxNumSavedTraces;
 39 |     WCHAR RootDirPath[32];
 40 |     WCHAR HostingApplicationList[128];
 41 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS;
 42 | 
 43 | #define PF_BOOT_CONTROL_VERSION 1
 44 | 
 45 | typedef struct _PF_BOOT_CONTROL
 46 | {
 47 |     ULONG Version;
 48 |     ULONG DisableBootPrefetching;
 49 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL;
 50 | 
 51 | typedef enum _PREFETCHER_INFORMATION_CLASS
 52 | {
 53 |     PrefetcherRetrieveTrace = 1, // q: CHAR[]
 54 |     PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS
 55 |     PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID
 56 |     PrefetcherRetrieveBootLoaderTrace, // q: CHAR[]
 57 |     PrefetcherBootControl // s: PF_BOOT_CONTROL
 58 | } PREFETCHER_INFORMATION_CLASS;
 59 | 
 60 | #define PREFETCHER_INFORMATION_VERSION 23 // rev
 61 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev
 62 | 
 63 | typedef struct _PREFETCHER_INFORMATION
 64 | {
 65 |     ULONG Version;
 66 |     ULONG Magic;
 67 |     PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass;
 68 |     PVOID PrefetcherInformation;
 69 |     ULONG PrefetcherInformationLength;
 70 | } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION;
 71 | 
 72 | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS
 73 | {
 74 |     ULONG EnabledComponents;
 75 |     ULONG BootID;
 76 |     ULONG SavedSectInfoTracesMax;
 77 |     ULONG SavedPageAccessTracesMax;
 78 |     ULONG ScenarioPrefetchTimeoutStandby;
 79 |     ULONG ScenarioPrefetchTimeoutHibernate;
 80 | } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS;
 81 | 
 82 | #define PF_PFN_PRIO_REQUEST_VERSION 1
 83 | #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1
 84 | #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1
 85 | 
 86 | typedef struct _PF_PFN_PRIO_REQUEST
 87 | {
 88 |     ULONG Version;
 89 |     ULONG RequestFlags;
 90 |     ULONG_PTR PfnCount;
 91 |     SYSTEM_MEMORY_LIST_INFORMATION MemInfo;
 92 |     MMPFN_IDENTITY PageData[256];
 93 | } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST;
 94 | 
 95 | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE
 96 | {
 97 |     PfsPrivateSourceKernel,
 98 |     PfsPrivateSourceSession,
 99 |     PfsPrivateSourceProcess,
100 |     PfsPrivateSourceMax
101 | } PFS_PRIVATE_PAGE_SOURCE_TYPE;
102 | 
103 | typedef struct _PFS_PRIVATE_PAGE_SOURCE
104 | {
105 |     PFS_PRIVATE_PAGE_SOURCE_TYPE Type;
106 |     union
107 |     {
108 |         ULONG SessionId;
109 |         ULONG ProcessId;
110 |     };
111 |     ULONG ImagePathHash;
112 |     ULONG_PTR UniqueProcessHash;
113 | } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE;
114 | 
115 | typedef struct _PF_PRIVSOURCE_INFO
116 | {
117 |     PFS_PRIVATE_PAGE_SOURCE DbInfo;
118 |     PVOID EProcess;
119 |     SIZE_T WsPrivatePages;
120 |     SIZE_T TotalPrivatePages;
121 |     ULONG SessionID;
122 |     CHAR ImageName[16];
123 |     union {
124 |         ULONG_PTR WsSwapPages;                 // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES.
125 |         ULONG_PTR SessionPagedPoolPages;       // session only.
126 |         ULONG_PTR StoreSizePages;              // process only PF_PRIVSOURCE_QUERY_STORE_INFO.
127 |     };
128 |     ULONG_PTR WsTotalPages;         // process/session only.
129 |     ULONG DeepFreezeTimeMs;         // process only.
130 |     ULONG ModernApp : 1;            // process only.
131 |     ULONG DeepFrozen : 1;           // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred
132 |     ULONG Foreground : 1;           // process only.
133 |     ULONG PerProcessStore : 1;      // process only.
134 |     ULONG Spare : 28;
135 | } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO;
136 | 
137 | #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8
138 | 
139 | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST
140 | {
141 |     ULONG Version;
142 |     ULONG Flags;
143 |     ULONG InfoCount;
144 |     PF_PRIVSOURCE_INFO InfoArray[1];
145 | } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST;
146 | 
147 | typedef enum _PF_PHASED_SCENARIO_TYPE
148 | {
149 |     PfScenarioTypeNone,
150 |     PfScenarioTypeStandby,
151 |     PfScenarioTypeHibernate,
152 |     PfScenarioTypeFUS,
153 |     PfScenarioTypeMax
154 | } PF_PHASED_SCENARIO_TYPE;
155 | 
156 | #define PF_SCENARIO_PHASE_INFO_VERSION 4
157 | 
158 | typedef struct _PF_SCENARIO_PHASE_INFO
159 | {
160 |     ULONG Version;
161 |     PF_PHASED_SCENARIO_TYPE ScenType;
162 |     ULONG PhaseId;
163 |     ULONG SequenceNumber;
164 |     ULONG Flags;
165 |     ULONG FUSUserId;
166 | } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO;
167 | 
168 | typedef struct _PF_MEMORY_LIST_NODE
169 | {
170 |     ULONGLONG Node : 8;
171 |     ULONGLONG Spare : 56;
172 |     ULONGLONG StandbyLowPageCount;
173 |     ULONGLONG StandbyMediumPageCount;
174 |     ULONGLONG StandbyHighPageCount;
175 |     ULONGLONG FreePageCount;
176 |     ULONGLONG ModifiedPageCount;
177 | } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE;
178 | 
179 | #define PF_MEMORY_LIST_INFO_VERSION 1
180 | 
181 | typedef struct _PF_MEMORY_LIST_INFO
182 | {
183 |     ULONG Version;
184 |     ULONG Size;
185 |     ULONG NodeCount;
186 |     PF_MEMORY_LIST_NODE Nodes[1];
187 | } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO;
188 | 
189 | typedef struct _PF_PHYSICAL_MEMORY_RANGE
190 | {
191 |     ULONG_PTR BasePfn;
192 |     ULONG_PTR PageCount;
193 | } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE;
194 | 
195 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_VERSION 1
196 | 
197 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO
198 | {
199 |     ULONG Version;
200 |     ULONG RangeCount;
201 |     PF_PHYSICAL_MEMORY_RANGE Ranges[1];
202 | } PF_PHYSICAL_MEMORY_RANGE_INFO, *PPF_PHYSICAL_MEMORY_RANGE_INFO;
203 | 
204 | #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1
205 | 
206 | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO
207 | {
208 |     ULONG Version;
209 |     ULONG RepurposedByPrefetch;
210 | } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO;
211 | 
212 | typedef enum _SUPERFETCH_INFORMATION_CLASS
213 | {
214 |     SuperfetchRetrieveTrace = 1, // q: CHAR[]
215 |     SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS
216 |     SuperfetchLogEvent,
217 |     SuperfetchGenerateTrace,
218 |     SuperfetchPrefetch,
219 |     SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST
220 |     SuperfetchPfnSetPriority,
221 |     SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST
222 |     SuperfetchSequenceNumberQuery, // q: ULONG
223 |     SuperfetchScenarioPhase, // 10
224 |     SuperfetchWorkerPriority,
225 |     SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO
226 |     SuperfetchScenarioPrefetch,
227 |     SuperfetchRobustnessControl,
228 |     SuperfetchTimeControl,
229 |     SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO
230 |     SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO
231 |     SuperfetchTracingControl,
232 |     SuperfetchTrimWhileAgingControl,
233 |     SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev
234 |     SuperfetchInformationMax
235 | } SUPERFETCH_INFORMATION_CLASS;
236 | 
237 | #define SUPERFETCH_INFORMATION_VERSION 45 // rev
238 | #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev
239 | 
240 | typedef struct _SUPERFETCH_INFORMATION
241 | {
242 |     _In_ ULONG Version;
243 |     _In_ ULONG Magic;
244 |     _In_ SUPERFETCH_INFORMATION_CLASS InfoClass;
245 |     _Inout_ PVOID Data;
246 |     _Inout_ ULONG Length;
247 | } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION;
248 | 
249 | #endif
250 | 


--------------------------------------------------------------------------------
/includes/NTExp/nttp.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
  3 |  *
  4 |  * You can redistribute this file and/or modify it under the terms of the 
  5 |  * Attribution 4.0 International (CC BY 4.0) license. 
  6 |  * 
  7 |  * You must give appropriate credit, provide a link to the license, and 
  8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
  9 |  * not in any way that suggests the licensor endorses you or your use.
 10 |  */
 11 | 
 12 | #ifndef _NTTP_H
 13 | #define _NTTP_H
 14 | 
 15 | // Some types are already defined in winnt.h.
 16 | 
 17 | typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;
 18 | 
 19 | // private
 20 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK)(
 21 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
 22 |     _Inout_opt_ PVOID Context,
 23 |     _In_ PTP_ALPC Alpc
 24 |     );
 25 | 
 26 | // rev
 27 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)(
 28 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
 29 |     _Inout_opt_ PVOID Context,
 30 |     _In_ PTP_ALPC Alpc,
 31 |     _In_ PVOID ApcContext
 32 |     );
 33 | 
 34 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
 35 | 
 36 | // private
 37 | _Check_return_
 38 | NTDLL_API(NTSTATUS, TpAllocPool, (
 39 |     _Out_ PTP_POOL *PoolReturn,
 40 |     _Reserved_ PVOID Reserved
 41 | ))
 42 | 
 43 | // winbase:CloseThreadpool
 44 | NTDLL_API_VOID(TpReleasePool, (
 45 |     _Inout_ PTP_POOL Pool
 46 | ))
 47 | 
 48 | // winbase:SetThreadpoolThreadMaximum
 49 | NTDLL_API_VOID(TpSetPoolMaxThreads, (
 50 |     _Inout_ PTP_POOL Pool,
 51 |     _In_ LONG MaxThreads
 52 | ))
 53 | 
 54 | // private
 55 | NTDLL_API(NTSTATUS, TpSetPoolMinThreads, (
 56 |     _Inout_ PTP_POOL Pool,
 57 |     _In_ LONG MinThreads
 58 | ))
 59 | 
 60 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
 61 | // rev
 62 | NTDLL_API(NTSTATUS, TpQueryPoolStackInformation, (
 63 |     _In_ PTP_POOL Pool,
 64 |     _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation
 65 | ))
 66 | #endif
 67 | 
 68 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
 69 | // rev
 70 | NTDLL_API(NTSTATUS, TpSetPoolStackInformation, (
 71 |     _Inout_ PTP_POOL Pool,
 72 |     _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation
 73 | ))
 74 | #endif
 75 | 
 76 | // private
 77 | _Check_return_
 78 | NTDLL_API(NTSTATUS, TpAllocCleanupGroup, (
 79 |     _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn
 80 | ))
 81 | 
 82 | // winbase:CloseThreadpoolCleanupGroup
 83 | NTDLL_API_VOID(TpReleaseCleanupGroup, (
 84 |     _Inout_ PTP_CLEANUP_GROUP CleanupGroup
 85 | ))
 86 | 
 87 | // winbase:CloseThreadpoolCleanupGroupMembers
 88 | NTDLL_API_VOID(TpReleaseCleanupGroupMembers, (
 89 |     _Inout_ PTP_CLEANUP_GROUP CleanupGroup,
 90 |     _In_ LOGICAL CancelPendingCallbacks,
 91 |     _Inout_opt_ PVOID CleanupParameter
 92 | ))
 93 | 
 94 | // winbase:SetEventWhenCallbackReturns
 95 | NTDLL_API_VOID(TpCallbackSetEventOnCompletion, (
 96 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
 97 |     _In_ HANDLE Event
 98 | ))
 99 | 
100 | // winbase:ReleaseSemaphoreWhenCallbackReturns
101 | NTDLL_API_VOID(TpCallbackReleaseSemaphoreOnCompletion, (
102 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
103 |     _In_ HANDLE Semaphore,
104 |     _In_ LONG ReleaseCount
105 | ))
106 | 
107 | // winbase:ReleaseMutexWhenCallbackReturns
108 | NTDLL_API_VOID(TpCallbackReleaseMutexOnCompletion, (
109 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
110 |     _In_ HANDLE Mutex
111 | ))
112 | 
113 | // winbase:LeaveCriticalSectionWhenCallbackReturns
114 | NTDLL_API_VOID(TpCallbackLeaveCriticalSectionOnCompletion, (
115 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
116 |     _Inout_ PRTL_CRITICAL_SECTION CriticalSection
117 | ))
118 | 
119 | // winbase:FreeLibraryWhenCallbackReturns
120 | NTDLL_API_VOID(TpCallbackUnloadDllOnCompletion, (
121 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
122 |     _In_ PVOID DllHandle
123 | ))
124 | 
125 | // winbase:CallbackMayRunLong
126 | NTDLL_API(NTSTATUS, TpCallbackMayRunLong, (
127 |     _Inout_ PTP_CALLBACK_INSTANCE Instance
128 | ))
129 | 
130 | // winbase:DisassociateCurrentThreadFromCallback
131 | NTDLL_API_VOID(TpDisassociateCallback, (
132 |     _Inout_ PTP_CALLBACK_INSTANCE Instance
133 | ))
134 | 
135 | // winbase:TrySubmitThreadpoolCallback
136 | _Check_return_
137 | NTDLL_API(NTSTATUS, TpSimpleTryPost, (
138 |     _In_ PTP_SIMPLE_CALLBACK Callback,
139 |     _Inout_opt_ PVOID Context,
140 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
141 | ))
142 | 
143 | // private
144 | _Check_return_
145 | NTDLL_API(NTSTATUS, TpAllocWork, (
146 |     _Out_ PTP_WORK *WorkReturn,
147 |     _In_ PTP_WORK_CALLBACK Callback,
148 |     _Inout_opt_ PVOID Context,
149 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
150 | ))
151 | 
152 | // winbase:CloseThreadpoolWork
153 | NTDLL_API_VOID(TpReleaseWork, (
154 |     _Inout_ PTP_WORK Work
155 | ))
156 | 
157 | // winbase:SubmitThreadpoolWork
158 | NTDLL_API_VOID(TpPostWork, (
159 |     _Inout_ PTP_WORK Work
160 | ))
161 | 
162 | // winbase:WaitForThreadpoolWorkCallbacks
163 | NTDLL_API_VOID(TpWaitForWork, (
164 |     _Inout_ PTP_WORK Work,
165 |     _In_ LOGICAL CancelPendingCallbacks
166 | ))
167 | 
168 | // private
169 | _Check_return_
170 | NTDLL_API(NTSTATUS, TpAllocTimer, (
171 |     _Out_ PTP_TIMER *Timer,
172 |     _In_ PTP_TIMER_CALLBACK Callback,
173 |     _Inout_opt_ PVOID Context,
174 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
175 | ))
176 | 
177 | // winbase:CloseThreadpoolTimer
178 | NTDLL_API_VOID(TpReleaseTimer, (
179 |     _Inout_ PTP_TIMER Timer
180 | ))
181 | 
182 | // winbase:SetThreadpoolTimer
183 | NTDLL_API_VOID(TpSetTimer, (
184 |     _Inout_ PTP_TIMER Timer,
185 |     _In_opt_ PLARGE_INTEGER DueTime,
186 |     _In_ LONG Period,
187 |     _In_opt_ LONG WindowLength
188 | ))
189 | 
190 | // winbase:IsThreadpoolTimerSet
191 | NTDLL_API(LOGICAL, TpIsTimerSet, (
192 |     _In_ PTP_TIMER Timer
193 | ))
194 | 
195 | // winbase:WaitForThreadpoolTimerCallbacks
196 | NTDLL_API_VOID(TpWaitForTimer, (
197 |     _Inout_ PTP_TIMER Timer,
198 |     _In_ LOGICAL CancelPendingCallbacks
199 | ))
200 | 
201 | // private
202 | _Check_return_
203 | NTDLL_API(NTSTATUS, TpAllocWait, (
204 |     _Out_ PTP_WAIT *WaitReturn,
205 |     _In_ PTP_WAIT_CALLBACK Callback,
206 |     _Inout_opt_ PVOID Context,
207 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
208 | ))
209 | 
210 | // winbase:CloseThreadpoolWait
211 | NTDLL_API_VOID(TpReleaseWait, (
212 |     _Inout_ PTP_WAIT Wait
213 | ))
214 | 
215 | // winbase:SetThreadpoolWait
216 | NTDLL_API_VOID(TpSetWait, (
217 |     _Inout_ PTP_WAIT Wait,
218 |     _In_opt_ HANDLE Handle,
219 |     _In_opt_ PLARGE_INTEGER Timeout
220 | ))
221 | 
222 | // winbase:WaitForThreadpoolWaitCallbacks
223 | NTDLL_API_VOID(TpWaitForWait, (
224 |     _Inout_ PTP_WAIT Wait,
225 |     _In_ LOGICAL CancelPendingCallbacks
226 | ))
227 | 
228 | // private
229 | typedef VOID (NTAPI *PTP_IO_CALLBACK)(
230 |     _Inout_ PTP_CALLBACK_INSTANCE Instance,
231 |     _Inout_opt_ PVOID Context,
232 |     _In_ PVOID ApcContext,
233 |     _In_ PIO_STATUS_BLOCK IoSB,
234 |     _In_ PTP_IO Io
235 |     );
236 | 
237 | // private
238 | _Check_return_
239 | NTDLL_API(NTSTATUS, TpAllocIoCompletion, (
240 |     _Out_ PTP_IO *IoReturn,
241 |     _In_ HANDLE File,
242 |     _In_ PTP_IO_CALLBACK Callback,
243 |     _Inout_opt_ PVOID Context,
244 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
245 | ))
246 | 
247 | // winbase:CloseThreadpoolIo
248 | NTDLL_API_VOID(TpReleaseIoCompletion, (
249 |     _Inout_ PTP_IO Io
250 | ))
251 | 
252 | // winbase:StartThreadpoolIo
253 | NTDLL_API_VOID(TpStartAsyncIoOperation, (
254 |     _Inout_ PTP_IO Io
255 | ))
256 | 
257 | // winbase:CancelThreadpoolIo
258 | NTDLL_API_VOID(TpCancelAsyncIoOperation, (
259 |     _Inout_ PTP_IO Io
260 | ))
261 | 
262 | // winbase:WaitForThreadpoolIoCallbacks
263 | NTDLL_API_VOID(TpWaitForIoCompletion, (
264 |     _Inout_ PTP_IO Io,
265 |     _In_ LOGICAL CancelPendingCallbacks
266 | ))
267 | 
268 | // private
269 | NTDLL_API(NTSTATUS, TpAllocAlpcCompletion, (
270 |     _Out_ PTP_ALPC *AlpcReturn,
271 |     _In_ HANDLE AlpcPort,
272 |     _In_ PTP_ALPC_CALLBACK Callback,
273 |     _Inout_opt_ PVOID Context,
274 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
275 | ))
276 | 
277 | #if (NTLIB_WIN_VERSION >= NTLIB_WIN_7)
278 | // rev
279 | NTDLL_API(NTSTATUS, TpAllocAlpcCompletionEx, (
280 |     _Out_ PTP_ALPC *AlpcReturn,
281 |     _In_ HANDLE AlpcPort,
282 |     _In_ PTP_ALPC_CALLBACK_EX Callback,
283 |     _Inout_opt_ PVOID Context,
284 |     _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
285 | ))
286 | #endif
287 | 
288 | // private
289 | NTDLL_API_VOID(TpReleaseAlpcCompletion, (
290 |     _Inout_ PTP_ALPC Alpc
291 | ))
292 | 
293 | // private
294 | NTDLL_API_VOID(TpWaitForAlpcCompletion, (
295 |     _Inout_ PTP_ALPC Alpc
296 | ))
297 | 
298 | // private
299 | typedef enum _TP_TRACE_TYPE
300 | {
301 |     TpTraceThreadPriority = 1,
302 |     TpTraceThreadAffinity,
303 |     MaxTpTraceType
304 | } TP_TRACE_TYPE;
305 | 
306 | // private
307 | NTDLL_API_VOID(TpCaptureCaller, (
308 |     _In_ TP_TRACE_TYPE Type
309 | ))
310 | 
311 | // private
312 | NTDLL_API_VOID(TpCheckTerminateWorker, (
313 |     _In_ HANDLE Thread
314 | ))
315 | 
316 | #endif
317 | 
318 | #endif
319 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntobapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTOBAPI_H
  2 | #define _NTOBAPI_H
  3 | 
  4 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
  5 | #define OBJECT_TYPE_CREATE 0x0001
  6 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
  7 | #endif
  8 | 
  9 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
 10 | #define DIRECTORY_QUERY 0x0001
 11 | #define DIRECTORY_TRAVERSE 0x0002
 12 | #define DIRECTORY_CREATE_OBJECT 0x0004
 13 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
 14 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf)
 15 | #endif
 16 | 
 17 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
 18 | #define SYMBOLIC_LINK_QUERY 0x0001
 19 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
 20 | #endif
 21 | 
 22 | #define OBJ_PROTECT_CLOSE 0x00000001
 23 | #ifndef OBJ_INHERIT
 24 | #define OBJ_INHERIT 0x00000002
 25 | #endif
 26 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004
 27 | 
 28 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
 29 | typedef enum _OBJECT_INFORMATION_CLASS
 30 | {
 31 |     ObjectBasicInformation, // OBJECT_BASIC_INFORMATION
 32 |     ObjectNameInformation, // OBJECT_NAME_INFORMATION
 33 |     ObjectTypeInformation, // OBJECT_TYPE_INFORMATION
 34 |     ObjectTypesInformation, // OBJECT_TYPES_INFORMATION
 35 |     ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION
 36 |     ObjectSessionInformation,
 37 |     ObjectSessionObjectInformation,
 38 |     MaxObjectInfoClass
 39 | } OBJECT_INFORMATION_CLASS;
 40 | #else
 41 | #define ObjectBasicInformation 0
 42 | #define ObjectNameInformation 1
 43 | #define ObjectTypesInformation 3
 44 | #define ObjectHandleFlagInformation 4
 45 | #define ObjectSessionInformation 5
 46 | #define ObjectSessionObjectInformation 6
 47 | #endif
 48 | 
 49 | typedef struct _OBJECT_BASIC_INFORMATION
 50 | {
 51 |     ULONG Attributes;
 52 |     ACCESS_MASK GrantedAccess;
 53 |     ULONG HandleCount;
 54 |     ULONG PointerCount;
 55 |     ULONG PagedPoolCharge;
 56 |     ULONG NonPagedPoolCharge;
 57 |     ULONG Reserved[3];
 58 |     ULONG NameInfoSize;
 59 |     ULONG TypeInfoSize;
 60 |     ULONG SecurityDescriptorSize;
 61 |     LARGE_INTEGER CreationTime;
 62 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
 63 | 
 64 | #if (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
 65 | typedef struct _OBJECT_NAME_INFORMATION
 66 | {
 67 |     UNICODE_STRING Name;
 68 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
 69 | #endif
 70 | 
 71 | typedef struct _OBJECT_TYPE_INFORMATION
 72 | {
 73 |     UNICODE_STRING TypeName;
 74 |     ULONG TotalNumberOfObjects;
 75 |     ULONG TotalNumberOfHandles;
 76 |     ULONG TotalPagedPoolUsage;
 77 |     ULONG TotalNonPagedPoolUsage;
 78 |     ULONG TotalNamePoolUsage;
 79 |     ULONG TotalHandleTableUsage;
 80 |     ULONG HighWaterNumberOfObjects;
 81 |     ULONG HighWaterNumberOfHandles;
 82 |     ULONG HighWaterPagedPoolUsage;
 83 |     ULONG HighWaterNonPagedPoolUsage;
 84 |     ULONG HighWaterNamePoolUsage;
 85 |     ULONG HighWaterHandleTableUsage;
 86 |     ULONG InvalidAttributes;
 87 |     GENERIC_MAPPING GenericMapping;
 88 |     ULONG ValidAccessMask;
 89 |     BOOLEAN SecurityRequired;
 90 |     BOOLEAN MaintainHandleCount;
 91 |     UCHAR TypeIndex; // since WINBLUE
 92 |     CHAR ReservedByte;
 93 |     ULONG PoolType;
 94 |     ULONG DefaultPagedPoolCharge;
 95 |     ULONG DefaultNonPagedPoolCharge;
 96 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
 97 | 
 98 | typedef struct _OBJECT_TYPES_INFORMATION
 99 | {
100 |     ULONG NumberOfTypes;
101 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
102 | 
103 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
104 | {
105 |     BOOLEAN Inherit;
106 |     BOOLEAN ProtectFromClose;
107 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
108 | 
109 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
110 | 
111 | NATIVE_API(NTSTATUS, /*Nt*/QueryObject, (
112 |     _In_opt_ HANDLE Handle,
113 |     _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
114 |     _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
115 |     _In_ ULONG ObjectInformationLength,
116 |     _Out_opt_ PULONG ReturnLength
117 | ))
118 | 
119 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationObject, (
120 |     _In_ HANDLE Handle,
121 |     _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
122 |     _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
123 |     _In_ ULONG ObjectInformationLength
124 | ))
125 | 
126 | #define DUPLICATE_CLOSE_SOURCE 0x00000001
127 | #define DUPLICATE_SAME_ACCESS 0x00000002
128 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004
129 | 
130 | NATIVE_API(NTSTATUS, /*Nt*/DuplicateObject, (
131 |     _In_ HANDLE SourceProcessHandle,
132 |     _In_ HANDLE SourceHandle,
133 |     _In_opt_ HANDLE TargetProcessHandle,
134 |     _Out_opt_ PHANDLE TargetHandle,
135 |     _In_ ACCESS_MASK DesiredAccess,
136 |     _In_ ULONG HandleAttributes,
137 |     _In_ ULONG Options
138 | ))
139 | 
140 | NATIVE_API(NTSTATUS, /*Nt*/MakeTemporaryObject, (
141 |     _In_ HANDLE Handle
142 | ))
143 | 
144 | NATIVE_API(NTSTATUS, /*Nt*/MakePermanentObject, (
145 |     _In_ HANDLE Handle
146 | ))
147 | 
148 | NATIVE_API(NTSTATUS, /*Nt*/SignalAndWaitForSingleObject, (
149 |     _In_ HANDLE SignalHandle,
150 |     _In_ HANDLE WaitHandle,
151 |     _In_ BOOLEAN Alertable,
152 |     _In_opt_ PLARGE_INTEGER Timeout
153 | ))
154 | 
155 | NATIVE_API(NTSTATUS, /*Nt*/WaitForSingleObject, (
156 |     _In_ HANDLE Handle,
157 |     _In_ BOOLEAN Alertable,
158 |     _In_opt_ PLARGE_INTEGER Timeout
159 | ))
160 | 
161 | NATIVE_API(NTSTATUS, /*Nt*/WaitForMultipleObjects, (
162 |     _In_ ULONG Count,
163 |     _In_reads_(Count) HANDLE Handles[],
164 |     _In_ WAIT_TYPE WaitType,
165 |     _In_ BOOLEAN Alertable,
166 |     _In_opt_ PLARGE_INTEGER Timeout
167 | ))
168 | 
169 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_XP)
170 | NATIVE_API(NTSTATUS, /*Nt*/WaitForMultipleObjects32, (
171 |     _In_ ULONG Count,
172 |     _In_reads_(Count) LONG Handles[],
173 |     _In_ WAIT_TYPE WaitType,
174 |     _In_ BOOLEAN Alertable,
175 |     _In_opt_ PLARGE_INTEGER Timeout
176 | ))
177 | #endif
178 | 
179 | NATIVE_API(NTSTATUS, /*Nt*/SetSecurityObject, (
180 |     _In_ HANDLE Handle,
181 |     _In_ SECURITY_INFORMATION SecurityInformation,
182 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
183 | ))
184 | 
185 | NATIVE_API(NTSTATUS, /*Nt*/QuerySecurityObject, (
186 |     _In_ HANDLE Handle,
187 |     _In_ SECURITY_INFORMATION SecurityInformation,
188 |     _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
189 |     _In_ ULONG Length,
190 |     _Out_ PULONG LengthNeeded
191 | ))
192 | 
193 | NATIVE_API(NTSTATUS, /*Nt*/Close, (
194 |     _In_ HANDLE Handle
195 | ))
196 | 
197 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_10_TH1)
198 | NATIVE_API(NTSTATUS, /*Nt*/CompareObjects, (
199 |     _In_ HANDLE FirstObjectHandle,
200 |     _In_ HANDLE SecondObjectHandle
201 | ))
202 | #endif
203 | 
204 | #endif
205 | 
206 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
207 | 
208 | NATIVE_API(NTSTATUS, /*Nt*/CreateDirectoryObject, (
209 |     _Out_ PHANDLE DirectoryHandle,
210 |     _In_ ACCESS_MASK DesiredAccess,
211 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes
212 | ))
213 | 
214 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
215 | NATIVE_API(NTSTATUS, /*Nt*/CreateDirectoryObjectEx, (
216 |     _Out_ PHANDLE DirectoryHandle,
217 |     _In_ ACCESS_MASK DesiredAccess,
218 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
219 |     _In_ HANDLE ShadowDirectoryHandle,
220 |     _In_ ULONG Flags
221 | ))
222 | #endif
223 | 
224 | NATIVE_API(NTSTATUS, /*Nt*/OpenDirectoryObject, (
225 |     _Out_ PHANDLE DirectoryHandle,
226 |     _In_ ACCESS_MASK DesiredAccess,
227 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes
228 | ))
229 | 
230 | typedef struct _OBJECT_DIRECTORY_INFORMATION
231 | {
232 |     UNICODE_STRING Name;
233 |     UNICODE_STRING TypeName;
234 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
235 | 
236 | NATIVE_API(NTSTATUS, /*Nt*/QueryDirectoryObject, (
237 |     _In_ HANDLE DirectoryHandle,
238 |     _Out_writes_bytes_opt_(Length) PVOID Buffer,
239 |     _In_ ULONG Length,
240 |     _In_ BOOLEAN ReturnSingleEntry,
241 |     _In_ BOOLEAN RestartScan,
242 |     _Inout_ PULONG Context,
243 |     _Out_opt_ PULONG ReturnLength
244 | ))
245 | 
246 | #endif
247 | 
248 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
249 | 
250 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
251 | 
252 | NATIVE_API(NTSTATUS, /*Nt*/CreatePrivateNamespace, (
253 |     _Out_ PHANDLE NamespaceHandle,
254 |     _In_ ACCESS_MASK DesiredAccess,
255 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
256 |     _In_ PVOID BoundaryDescriptor
257 | ))
258 | 
259 | NATIVE_API(NTSTATUS, /*Nt*/OpenPrivateNamespace, (
260 |     _Out_ PHANDLE NamespaceHandle,
261 |     _In_ ACCESS_MASK DesiredAccess,
262 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
263 |     _In_ PVOID BoundaryDescriptor
264 | ))
265 | 
266 | NATIVE_API(NTSTATUS, /*Nt*/DeletePrivateNamespace, (
267 |     _In_ HANDLE NamespaceHandle
268 | ))
269 | 
270 | #endif
271 | 
272 | #endif
273 | 
274 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
275 | 
276 | NATIVE_API(NTSTATUS, /*Nt*/CreateSymbolicLinkObject, (
277 |     _Out_ PHANDLE LinkHandle,
278 |     _In_ ACCESS_MASK DesiredAccess,
279 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
280 |     _In_ PUNICODE_STRING LinkTarget
281 | ))
282 | 
283 | NATIVE_API(NTSTATUS, /*Nt*/OpenSymbolicLinkObject, (
284 |     _Out_ PHANDLE LinkHandle,
285 |     _In_ ACCESS_MASK DesiredAccess,
286 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes
287 | ))
288 | 
289 | NATIVE_API(NTSTATUS, /*Nt*/QuerySymbolicLinkObject, (
290 |     _In_ HANDLE LinkHandle,
291 |     _Inout_ PUNICODE_STRING LinkTarget,
292 |     _Out_opt_ PULONG ReturnedLength
293 | ))
294 | 
295 | #endif
296 | 
297 | #endif
298 | 


--------------------------------------------------------------------------------
/NTLib.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <ItemGroup>
 22 |     <ClInclude Include="includes\NTExp.h" />
 23 |     <ClInclude Include="includes\NTExp\ntcommon.h" />
 24 |     <ClInclude Include="includes\NTExp\ntcompatibility.h" />
 25 |     <ClInclude Include="includes\NTExp\ntdbg.h" />
 26 |     <ClInclude Include="includes\NTExp\ntexapi.h" />
 27 |     <ClInclude Include="includes\NTExp\ntgdi.h" />
 28 |     <ClInclude Include="includes\NTExp\ntioapi.h" />
 29 |     <ClInclude Include="includes\NTExp\ntkeapi.h" />
 30 |     <ClInclude Include="includes\NTExp\ntldr.h" />
 31 |     <ClInclude Include="includes\NTExp\ntlpcapi.h" />
 32 |     <ClInclude Include="includes\NTExp\ntmisc.h" />
 33 |     <ClInclude Include="includes\NTExp\ntmmapi.h" />
 34 |     <ClInclude Include="includes\NTExp\ntnls.h" />
 35 |     <ClInclude Include="includes\NTExp\ntobapi.h" />
 36 |     <ClInclude Include="includes\NTExp\ntpebteb.h" />
 37 |     <ClInclude Include="includes\NTExp\ntpfapi.h" />
 38 |     <ClInclude Include="includes\NTExp\ntpnpapi.h" />
 39 |     <ClInclude Include="includes\NTExp\ntpoapi.h" />
 40 |     <ClInclude Include="includes\NTExp\ntpsapi.h" />
 41 |     <ClInclude Include="includes\NTExp\ntregapi.h" />
 42 |     <ClInclude Include="includes\NTExp\ntrtl.h" />
 43 |     <ClInclude Include="includes\NTExp\ntsam.h" />
 44 |     <ClInclude Include="includes\NTExp\ntseapi.h" />
 45 |     <ClInclude Include="includes\NTExp\ntsmss.h" />
 46 |     <ClInclude Include="includes\NTExp\ntstatus.h" />
 47 |     <ClInclude Include="includes\NTExp\nttmapi.h" />
 48 |     <ClInclude Include="includes\NTExp\nttp.h" />
 49 |     <ClInclude Include="includes\NTExp\ntwow64.h" />
 50 |     <ClInclude Include="includes\NTExp\ntxcapi.h" />
 51 |     <ClInclude Include="includes\NTExp\subprocesstag.h" />
 52 |     <ClInclude Include="includes\NTExp\winsta.h" />
 53 |     <ClInclude Include="includes\NTLib.h" />
 54 |   </ItemGroup>
 55 |   <PropertyGroup Label="Globals">
 56 |     <VCProjectVersion>16.0</VCProjectVersion>
 57 |     <ProjectGuid>{3FEBFBD5-650E-4A6D-8A1F-7B0FDD6B64BF}</ProjectGuid>
 58 |     <Keyword>Win32Proj</Keyword>
 59 |     <RootNamespace>NTLib</RootNamespace>
 60 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 61 |   </PropertyGroup>
 62 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 63 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 64 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 65 |     <UseDebugLibraries>true</UseDebugLibraries>
 66 |     <PlatformToolset>v142</PlatformToolset>
 67 |     <CharacterSet>Unicode</CharacterSet>
 68 |   </PropertyGroup>
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 70 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 71 |     <UseDebugLibraries>false</UseDebugLibraries>
 72 |     <PlatformToolset>v142</PlatformToolset>
 73 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 74 |     <CharacterSet>Unicode</CharacterSet>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 77 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 78 |     <UseDebugLibraries>true</UseDebugLibraries>
 79 |     <PlatformToolset>v142</PlatformToolset>
 80 |     <CharacterSet>Unicode</CharacterSet>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 83 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 84 |     <UseDebugLibraries>false</UseDebugLibraries>
 85 |     <PlatformToolset>v142</PlatformToolset>
 86 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 87 |     <CharacterSet>Unicode</CharacterSet>
 88 |   </PropertyGroup>
 89 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 90 |   <ImportGroup Label="ExtensionSettings">
 91 |   </ImportGroup>
 92 |   <ImportGroup Label="Shared">
 93 |   </ImportGroup>
 94 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 95 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 96 |   </ImportGroup>
 97 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 99 |   </ImportGroup>
100 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
101 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
102 |   </ImportGroup>
103 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
104 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
105 |   </ImportGroup>
106 |   <PropertyGroup Label="UserMacros" />
107 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
108 |     <LinkIncremental>true</LinkIncremental>
109 |   </PropertyGroup>
110 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
111 |     <LinkIncremental>true</LinkIncremental>
112 |   </PropertyGroup>
113 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
114 |     <LinkIncremental>false</LinkIncremental>
115 |   </PropertyGroup>
116 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
117 |     <LinkIncremental>false</LinkIncremental>
118 |   </PropertyGroup>
119 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
120 |     <ClCompile>
121 |       <PrecompiledHeader>Use</PrecompiledHeader>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <SDLCheck>true</SDLCheck>
124 |       <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <ConformanceMode>true</ConformanceMode>
126 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
127 |     </ClCompile>
128 |     <Link>
129 |       <SubSystem>Windows</SubSystem>
130 |       <GenerateDebugInformation>true</GenerateDebugInformation>
131 |     </Link>
132 |   </ItemDefinitionGroup>
133 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
134 |     <ClCompile>
135 |       <PrecompiledHeader>Use</PrecompiledHeader>
136 |       <WarningLevel>Level3</WarningLevel>
137 |       <SDLCheck>true</SDLCheck>
138 |       <PreprocessorDefinitions>_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
139 |       <ConformanceMode>true</ConformanceMode>
140 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
141 |     </ClCompile>
142 |     <Link>
143 |       <SubSystem>Windows</SubSystem>
144 |       <GenerateDebugInformation>true</GenerateDebugInformation>
145 |     </Link>
146 |   </ItemDefinitionGroup>
147 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
148 |     <ClCompile>
149 |       <PrecompiledHeader>Use</PrecompiledHeader>
150 |       <WarningLevel>Level3</WarningLevel>
151 |       <FunctionLevelLinking>true</FunctionLevelLinking>
152 |       <IntrinsicFunctions>true</IntrinsicFunctions>
153 |       <SDLCheck>true</SDLCheck>
154 |       <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
155 |       <ConformanceMode>true</ConformanceMode>
156 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
157 |     </ClCompile>
158 |     <Link>
159 |       <SubSystem>Windows</SubSystem>
160 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
161 |       <OptimizeReferences>true</OptimizeReferences>
162 |       <GenerateDebugInformation>true</GenerateDebugInformation>
163 |     </Link>
164 |   </ItemDefinitionGroup>
165 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
166 |     <ClCompile>
167 |       <PrecompiledHeader>Use</PrecompiledHeader>
168 |       <WarningLevel>Level3</WarningLevel>
169 |       <FunctionLevelLinking>true</FunctionLevelLinking>
170 |       <IntrinsicFunctions>true</IntrinsicFunctions>
171 |       <SDLCheck>true</SDLCheck>
172 |       <PreprocessorDefinitions>NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
173 |       <ConformanceMode>true</ConformanceMode>
174 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
175 |     </ClCompile>
176 |     <Link>
177 |       <SubSystem>Windows</SubSystem>
178 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
179 |       <OptimizeReferences>true</OptimizeReferences>
180 |       <GenerateDebugInformation>true</GenerateDebugInformation>
181 |     </Link>
182 |   </ItemDefinitionGroup>
183 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
184 |   <ImportGroup Label="ExtensionTargets">
185 |   </ImportGroup>
186 | </Project>


--------------------------------------------------------------------------------
/includes/NTExp/nttmapi.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
  3 |  *
  4 |  * You can redistribute this file and/or modify it under the terms of the 
  5 |  * Attribution 4.0 International (CC BY 4.0) license. 
  6 |  * 
  7 |  * You must give appropriate credit, provide a link to the license, and 
  8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
  9 |  * not in any way that suggests the licensor endorses you or your use.
 10 |  */
 11 | 
 12 | #ifndef _NTTMAPI_H
 13 | #define _NTTMAPI_H
 14 | 
 15 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
 16 | 
 17 | NATIVE_API(NTSTATUS, /*Nt*/CreateTransactionManager, (
 18 |     _Out_ PHANDLE TmHandle,
 19 |     _In_ ACCESS_MASK DesiredAccess,
 20 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
 21 |     _In_opt_ PUNICODE_STRING LogFileName,
 22 |     _In_opt_ ULONG CreateOptions,
 23 |     _In_opt_ ULONG CommitStrength
 24 | ))
 25 | 
 26 | NATIVE_API(NTSTATUS, /*Nt*/OpenTransactionManager, (
 27 |     _Out_ PHANDLE TmHandle,
 28 |     _In_ ACCESS_MASK DesiredAccess,
 29 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
 30 |     _In_opt_ PUNICODE_STRING LogFileName,
 31 |     _In_opt_ LPGUID TmIdentity,
 32 |     _In_opt_ ULONG OpenOptions
 33 | ))
 34 | 
 35 | NATIVE_API(NTSTATUS, /*Nt*/RenameTransactionManager, (
 36 |     _In_ PUNICODE_STRING LogFileName,
 37 |     _In_ LPGUID ExistingTransactionManagerGuid
 38 | ))
 39 | 
 40 | NATIVE_API(NTSTATUS, /*Nt*/RollforwardTransactionManager, (
 41 |     _In_ HANDLE TransactionManagerHandle,
 42 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
 43 | ))
 44 | 
 45 | NATIVE_API(NTSTATUS, /*Nt*/RecoverTransactionManager, (
 46 |     _In_ HANDLE TransactionManagerHandle
 47 | ))
 48 | 
 49 | NATIVE_API(NTSTATUS, /*Nt*/QueryInformationTransactionManager, (
 50 |     _In_ HANDLE TransactionManagerHandle,
 51 |     _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
 52 |     _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
 53 |     _In_ ULONG TransactionManagerInformationLength,
 54 |     _Out_opt_ PULONG ReturnLength
 55 | ))
 56 | 
 57 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationTransactionManager, (
 58 |     _In_opt_ HANDLE TmHandle,
 59 |     _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
 60 |     _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
 61 |     _In_ ULONG TransactionManagerInformationLength
 62 | ))
 63 | 
 64 | NATIVE_API(NTSTATUS, /*Nt*/EnumerateTransactionObject, (
 65 |     _In_opt_ HANDLE RootObjectHandle,
 66 |     _In_ KTMOBJECT_TYPE QueryType,
 67 |     _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor,
 68 |     _In_ ULONG ObjectCursorLength,
 69 |     _Out_ PULONG ReturnLength
 70 | ))
 71 | 
 72 | NATIVE_API(NTSTATUS, /*Nt*/CreateTransaction, (
 73 |     _Out_ PHANDLE TransactionHandle,
 74 |     _In_ ACCESS_MASK DesiredAccess,
 75 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
 76 |     _In_opt_ LPGUID Uow,
 77 |     _In_opt_ HANDLE TmHandle,
 78 |     _In_opt_ ULONG CreateOptions,
 79 |     _In_opt_ ULONG IsolationLevel,
 80 |     _In_opt_ ULONG IsolationFlags,
 81 |     _In_opt_ PLARGE_INTEGER Timeout,
 82 |     _In_opt_ PUNICODE_STRING Description
 83 | ))
 84 | 
 85 | NATIVE_API(NTSTATUS, /*Nt*/OpenTransaction, (
 86 |     _Out_ PHANDLE TransactionHandle,
 87 |     _In_ ACCESS_MASK DesiredAccess,
 88 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
 89 |     _In_ LPGUID Uow,
 90 |     _In_opt_ HANDLE TmHandle
 91 | ))
 92 | 
 93 | NATIVE_API(NTSTATUS, /*Nt*/QueryInformationTransaction, (
 94 |     _In_ HANDLE TransactionHandle,
 95 |     _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
 96 |     _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation,
 97 |     _In_ ULONG TransactionInformationLength,
 98 |     _Out_opt_ PULONG ReturnLength
 99 | ))
100 | 
101 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationTransaction, (
102 |     _In_ HANDLE TransactionHandle,
103 |     _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
104 |     _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation,
105 |     _In_ ULONG TransactionInformationLength
106 | ))
107 | 
108 | NATIVE_API(NTSTATUS, /*Nt*/CommitTransaction, (
109 |     _In_ HANDLE TransactionHandle,
110 |     _In_ BOOLEAN Wait
111 | ))
112 | 
113 | NATIVE_API(NTSTATUS, /*Nt*/RollbackTransaction, (
114 |     _In_ HANDLE TransactionHandle,
115 |     _In_ BOOLEAN Wait
116 | ))
117 | 
118 | NATIVE_API(NTSTATUS, /*Nt*/CreateEnlistment, (
119 |     _Out_ PHANDLE EnlistmentHandle,
120 |     _In_ ACCESS_MASK DesiredAccess,
121 |     _In_ HANDLE ResourceManagerHandle,
122 |     _In_ HANDLE TransactionHandle,
123 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
124 |     _In_opt_ ULONG CreateOptions,
125 |     _In_ NOTIFICATION_MASK NotificationMask,
126 |     _In_opt_ PVOID EnlistmentKey
127 | ))
128 | 
129 | NATIVE_API(NTSTATUS, /*Nt*/OpenEnlistment, (
130 |     _Out_ PHANDLE EnlistmentHandle,
131 |     _In_ ACCESS_MASK DesiredAccess,
132 |     _In_ HANDLE ResourceManagerHandle,
133 |     _In_ LPGUID EnlistmentGuid,
134 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
135 | ))
136 | 
137 | NATIVE_API(NTSTATUS, /*Nt*/QueryInformationEnlistment, (
138 |     _In_ HANDLE EnlistmentHandle,
139 |     _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
140 |     _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
141 |     _In_ ULONG EnlistmentInformationLength,
142 |     _Out_opt_ PULONG ReturnLength
143 | ))
144 | 
145 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationEnlistment, (
146 |     _In_opt_ HANDLE EnlistmentHandle,
147 |     _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
148 |     _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
149 |     _In_ ULONG EnlistmentInformationLength
150 | ))
151 | 
152 | NATIVE_API(NTSTATUS, /*Nt*/RecoverEnlistment, (
153 |     _In_ HANDLE EnlistmentHandle,
154 |     _In_opt_ PVOID EnlistmentKey
155 | ))
156 | 
157 | NATIVE_API(NTSTATUS, /*Nt*/PrePrepareEnlistment, (
158 |     _In_ HANDLE EnlistmentHandle,
159 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
160 | ))
161 | 
162 | NATIVE_API(NTSTATUS, /*Nt*/PrepareEnlistment, (
163 |     _In_ HANDLE EnlistmentHandle,
164 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
165 | ))
166 | 
167 | NATIVE_API(NTSTATUS, /*Nt*/CommitEnlistment, (
168 |     _In_ HANDLE EnlistmentHandle,
169 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
170 | ))
171 | 
172 | NATIVE_API(NTSTATUS, /*Nt*/RollbackEnlistment, (
173 |     _In_ HANDLE EnlistmentHandle,
174 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
175 | ))
176 | 
177 | NATIVE_API(NTSTATUS, /*Nt*/PrePrepareComplete, (
178 |     _In_ HANDLE EnlistmentHandle,
179 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
180 | ))
181 | 
182 | NATIVE_API(NTSTATUS, /*Nt*/PrepareComplete, (
183 |     _In_ HANDLE EnlistmentHandle,
184 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
185 | ))
186 | 
187 | NATIVE_API(NTSTATUS, /*Nt*/CommitComplete, (
188 |     _In_ HANDLE EnlistmentHandle,
189 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
190 | ))
191 | 
192 | NATIVE_API(NTSTATUS, /*Nt*/ReadOnlyEnlistment, (
193 |     _In_ HANDLE EnlistmentHandle,
194 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
195 | ))
196 | 
197 | NATIVE_API(NTSTATUS, /*Nt*/RollbackComplete, (
198 |     _In_ HANDLE EnlistmentHandle,
199 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
200 | ))
201 | 
202 | NATIVE_API(NTSTATUS, /*Nt*/SinglePhaseReject, (
203 |     _In_ HANDLE EnlistmentHandle,
204 |     _In_opt_ PLARGE_INTEGER TmVirtualClock
205 | ))
206 | 
207 | NATIVE_API(NTSTATUS, /*Nt*/CreateResourceManager, (
208 |     _Out_ PHANDLE ResourceManagerHandle,
209 |     _In_ ACCESS_MASK DesiredAccess,
210 |     _In_ HANDLE TmHandle,
211 |     _In_ LPGUID RmGuid,
212 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
213 |     _In_opt_ ULONG CreateOptions,
214 |     _In_opt_ PUNICODE_STRING Description
215 | ))
216 | 
217 | NATIVE_API(NTSTATUS, /*Nt*/OpenResourceManager, (
218 |     _Out_ PHANDLE ResourceManagerHandle,
219 |     _In_ ACCESS_MASK DesiredAccess,
220 |     _In_ HANDLE TmHandle,
221 |     _In_opt_ LPGUID ResourceManagerGuid,
222 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
223 | ))
224 | 
225 | NATIVE_API(NTSTATUS, /*Nt*/RecoverResourceManager, (
226 |     _In_ HANDLE ResourceManagerHandle
227 | ))
228 | 
229 | NATIVE_API(NTSTATUS, /*Nt*/GetNotificationResourceManager, (
230 |     _In_ HANDLE ResourceManagerHandle,
231 |     _Out_ PTRANSACTION_NOTIFICATION TransactionNotification,
232 |     _In_ ULONG NotificationLength,
233 |     _In_opt_ PLARGE_INTEGER Timeout,
234 |     _Out_opt_ PULONG ReturnLength,
235 |     _In_ ULONG Asynchronous,
236 |     _In_opt_ ULONG_PTR AsynchronousContext
237 | ))
238 | 
239 | NATIVE_API(NTSTATUS, /*Nt*/QueryInformationResourceManager, (
240 |     _In_ HANDLE ResourceManagerHandle,
241 |     _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
242 |     _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
243 |     _In_ ULONG ResourceManagerInformationLength,
244 |     _Out_opt_ PULONG ReturnLength
245 | ))
246 | 
247 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationResourceManager, (
248 |     _In_ HANDLE ResourceManagerHandle,
249 |     _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
250 |     _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
251 |     _In_ ULONG ResourceManagerInformationLength
252 | ))
253 | 
254 | NATIVE_API(NTSTATUS, /*Nt*/RegisterProtocolAddressInformation, (
255 |     _In_ HANDLE ResourceManager,
256 |     _In_ PCRM_PROTOCOL_ID ProtocolId,
257 |     _In_ ULONG ProtocolInformationSize,
258 |     _In_ PVOID ProtocolInformation,
259 |     _In_opt_ ULONG CreateOptions
260 | ))
261 | 
262 | NATIVE_API(NTSTATUS, /*Nt*/PropagationComplete, (
263 |     _In_ HANDLE ResourceManagerHandle,
264 |     _In_ ULONG RequestCookie,
265 |     _In_ ULONG BufferLength,
266 |     _In_ PVOID Buffer
267 | ))
268 | 
269 | NATIVE_API(NTSTATUS, /*Nt*/PropagationFailed, (
270 |     _In_ HANDLE ResourceManagerHandle,
271 |     _In_ ULONG RequestCookie,
272 |     _In_ NTSTATUS PropStatus
273 | ))
274 | 
275 | // private
276 | NATIVE_API(NTSTATUS, /*Nt*/FreezeTransactions, (
277 |     _In_ PLARGE_INTEGER FreezeTimeout,
278 |     _In_ PLARGE_INTEGER ThawTimeout
279 | ))
280 | 
281 | // private
282 | NATIVE_API(NTSTATUS, /*Nt*/ThawTransactions, (
283 |     VOID
284 | ))
285 | #endif
286 | 
287 | #endif
288 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntpebteb.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTPEBTEB_H
  2 | #define _NTPEBTEB_H
  3 | 
  4 | typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
  5 | typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
  6 | 
  7 | typedef struct _ACTIVATION_CONTEXT_STACK
  8 | {
  9 |     struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame;
 10 |     LIST_ENTRY FrameListCache;
 11 |     ULONG Flags;
 12 |     ULONG NextCookieSequenceNumber;
 13 |     ULONG StackId;
 14 | } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
 15 | 
 16 | typedef struct _API_SET_NAMESPACE
 17 | {
 18 |     ULONG Version;
 19 |     ULONG Size;
 20 |     ULONG Flags;
 21 |     ULONG Count;
 22 |     ULONG EntryOffset;
 23 |     ULONG HashOffset;
 24 |     ULONG HashFactor;
 25 | } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
 26 | 
 27 | typedef struct _API_SET_HASH_ENTRY
 28 | {
 29 |     ULONG Hash;
 30 |     ULONG Index;
 31 | } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY;
 32 | 
 33 | typedef struct _API_SET_NAMESPACE_ENTRY
 34 | {
 35 |     ULONG Flags;
 36 |     ULONG NameOffset;
 37 |     ULONG NameLength;
 38 |     ULONG HashedLength;
 39 |     ULONG ValueOffset;
 40 |     ULONG ValueCount;
 41 | } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY;
 42 | 
 43 | typedef struct _API_SET_VALUE_ENTRY 
 44 | {
 45 |     ULONG Flags;
 46 |     ULONG NameOffset;
 47 |     ULONG NameLength;
 48 |     ULONG ValueOffset;
 49 |     ULONG ValueLength;
 50 | } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY;
 51 | 
 52 | typedef struct _PEB
 53 | {
 54 |     BOOLEAN InheritedAddressSpace;
 55 |     BOOLEAN ReadImageFileExecOptions;
 56 |     BOOLEAN BeingDebugged;
 57 |     union
 58 |     {
 59 |         BOOLEAN BitField;
 60 |         struct
 61 |         {
 62 |             BOOLEAN ImageUsesLargePages : 1;
 63 |             BOOLEAN IsProtectedProcess : 1;
 64 |             BOOLEAN IsImageDynamicallyRelocated : 1;
 65 |             BOOLEAN SkipPatchingUser32Forwarders : 1;
 66 |             BOOLEAN IsPackagedProcess : 1;
 67 |             BOOLEAN IsAppContainer : 1;
 68 |             BOOLEAN IsProtectedProcessLight : 1;
 69 |             BOOLEAN IsLongPathAwareProcess : 1;
 70 |         };
 71 |     };
 72 | 
 73 |     HANDLE Mutant;
 74 | 
 75 |     PVOID ImageBaseAddress;
 76 |     PPEB_LDR_DATA Ldr;
 77 |     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
 78 |     PVOID SubSystemData;
 79 |     PVOID ProcessHeap;
 80 |     PRTL_CRITICAL_SECTION FastPebLock;
 81 |     PVOID IFEOKey;
 82 |     PSLIST_HEADER AtlThunkSListPtr;
 83 |     union
 84 |     {
 85 |         ULONG CrossProcessFlags;
 86 |         struct
 87 |         {
 88 |             ULONG ProcessInJob : 1;
 89 |             ULONG ProcessInitializing : 1;
 90 |             ULONG ProcessUsingVEH : 1;
 91 |             ULONG ProcessUsingVCH : 1;
 92 |             ULONG ProcessUsingFTH : 1;
 93 |             ULONG ProcessPreviouslyThrottled : 1;
 94 |             ULONG ProcessCurrentlyThrottled : 1;
 95 |             ULONG ProcessImagesHotPatched : 1;
 96 |             ULONG ReservedBits0 : 24;
 97 |         };
 98 |     };
 99 |     union
100 |     {
101 |         PVOID KernelCallbackTable;
102 |         PVOID UserSharedInfoPtr;
103 |     };
104 |     ULONG SystemReserved;
105 |     ULONG AtlThunkSListPtr32;
106 |     PAPI_SET_NAMESPACE ApiSetMap;
107 |     ULONG TlsExpansionCounter;
108 |     PVOID TlsBitmap;
109 |     ULONG TlsBitmapBits[2];
110 |     
111 |     PVOID ReadOnlySharedMemoryBase; 
112 |     PVOID SharedData;
113 |     PVOID *ReadOnlyStaticServerData;
114 |     
115 |     PVOID AnsiCodePageData;
116 |     PVOID OemCodePageData;
117 |     PVOID UnicodeCaseTableData;
118 | 
119 |     ULONG NumberOfProcessors;
120 |     ULONG NtGlobalFlag;
121 | 
122 |     ULARGE_INTEGER CriticalSectionTimeout;
123 |     SIZE_T HeapSegmentReserve;
124 |     SIZE_T HeapSegmentCommit;
125 |     SIZE_T HeapDeCommitTotalFreeThreshold;
126 |     SIZE_T HeapDeCommitFreeBlockThreshold;
127 | 
128 |     ULONG NumberOfHeaps;
129 |     ULONG MaximumNumberOfHeaps;
130 |     PVOID *ProcessHeaps;
131 | 
132 |     PVOID GdiSharedHandleTable;
133 |     PVOID ProcessStarterHelper;
134 |     ULONG GdiDCAttributeList;
135 | 
136 |     PRTL_CRITICAL_SECTION LoaderLock;
137 | 
138 |     ULONG OSMajorVersion;
139 |     ULONG OSMinorVersion;
140 |     USHORT OSBuildNumber;
141 |     USHORT OSCSDVersion;
142 |     ULONG OSPlatformId;
143 |     ULONG ImageSubsystem;
144 |     ULONG ImageSubsystemMajorVersion;
145 |     ULONG ImageSubsystemMinorVersion;
146 |     ULONG_PTR ActiveProcessAffinityMask;
147 |     GDI_HANDLE_BUFFER GdiHandleBuffer;
148 |     PVOID PostProcessInitRoutine;
149 | 
150 |     PVOID TlsExpansionBitmap;
151 |     ULONG TlsExpansionBitmapBits[32];
152 | 
153 |     ULONG SessionId;
154 | 
155 |     ULARGE_INTEGER AppCompatFlags;
156 |     ULARGE_INTEGER AppCompatFlagsUser;
157 |     PVOID pShimData;
158 |     PVOID AppCompatInfo;
159 | 
160 |     UNICODE_STRING CSDVersion;
161 | 
162 |     PVOID ActivationContextData;
163 |     PVOID ProcessAssemblyStorageMap;
164 |     PVOID SystemDefaultActivationContextData;
165 |     PVOID SystemAssemblyStorageMap;
166 | 
167 |     SIZE_T MinimumStackCommit;
168 | 
169 |     PVOID SparePointers[4];
170 |     ULONG SpareUlongs[5];
171 |     PVOID WerRegistrationData;
172 |     PVOID WerShipAssertPtr;
173 |     PVOID pUnused;
174 |     PVOID pImageHeaderHash;
175 |     union
176 |     {
177 |         ULONG TracingFlags;
178 |         struct
179 |         {
180 |             ULONG HeapTracingEnabled : 1;
181 |             ULONG CritSecTracingEnabled : 1;
182 |             ULONG LibLoaderTracingEnabled : 1;
183 |             ULONG SpareTracingBits : 29;
184 |         };
185 |     };
186 |     ULONGLONG CsrServerReadOnlySharedMemoryBase;
187 |     PRTL_CRITICAL_SECTION TppWorkerpListLock;
188 |     LIST_ENTRY TppWorkerpList;
189 |     PVOID WaitOnAddressHashTable[128];
190 |     PVOID TelemetryCoverageHeader;
191 |     ULONG CloudFileFlags;
192 |     ULONG CloudFileDiagFlags;
193 |     CHAR PlaceholderCompatibilityMode;
194 |     CHAR PlaceholderCompatibilityModeReserved[7];
195 |     struct _LEAP_SECOND_DATA *LeapSecondData;
196 |     union
197 |     {
198 |         ULONG LeapSecondFlags;
199 |         struct
200 |         {
201 |             ULONG SixtySecondEnabled : 1;
202 |             ULONG Reserved : 31;
203 |         };
204 |     };
205 |     ULONG NtGlobalFlag2;
206 | } PEB, *PPEB;
207 | 
208 | #ifdef _WIN64
209 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0);
210 | C_ASSERT(sizeof(PEB) == 0x7C8);
211 | #else
212 | #endif
213 | 
214 | #define GDI_BATCH_BUFFER_SIZE 310
215 | 
216 | typedef struct _GDI_TEB_BATCH
217 | {
218 |     ULONG Offset;
219 |     ULONG_PTR HDC;
220 |     ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
221 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
222 | 
223 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT
224 | {
225 |     ULONG Flags;
226 |     PSTR FrameName;
227 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
228 | 
229 | typedef struct _TEB_ACTIVE_FRAME
230 | {
231 |     ULONG Flags;
232 |     struct _TEB_ACTIVE_FRAME *Previous;
233 |     PTEB_ACTIVE_FRAME_CONTEXT Context;
234 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
235 | 
236 | typedef struct _TEB
237 | {
238 |     NT_TIB NtTib;
239 | 
240 |     PVOID EnvironmentPointer;
241 |     CLIENT_ID ClientId;
242 |     PVOID ActiveRpcHandle;
243 |     PVOID ThreadLocalStoragePointer;
244 |     PPEB ProcessEnvironmentBlock;
245 | 
246 |     ULONG LastErrorValue;
247 |     ULONG CountOfOwnedCriticalSections;
248 |     PVOID CsrClientThread;
249 |     PVOID Win32ThreadInfo;
250 |     ULONG User32Reserved[26];
251 |     ULONG UserReserved[5];
252 |     PVOID WOW32Reserved;
253 |     LCID CurrentLocale;
254 |     ULONG FpSoftwareStatusRegister;
255 |     PVOID ReservedForDebuggerInstrumentation[16];
256 | #ifdef _WIN64
257 |     PVOID SystemReserved1[30];
258 | #else
259 |     PVOID SystemReserved1[26];
260 | #endif
261 |     
262 |     CHAR PlaceholderCompatibilityMode;
263 |     CHAR PlaceholderReserved[11];
264 |     ULONG ProxiedProcessId;
265 |     ACTIVATION_CONTEXT_STACK ActivationStack;
266 |     
267 |     UCHAR WorkingOnBehalfTicket[8];
268 |     NTSTATUS ExceptionCode;
269 | 
270 |     PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
271 |     ULONG_PTR InstrumentationCallbackSp;
272 |     ULONG_PTR InstrumentationCallbackPreviousPc;
273 |     ULONG_PTR InstrumentationCallbackPreviousSp;
274 | #ifdef _WIN64
275 |     ULONG TxFsContext;
276 | #endif
277 | 
278 |     BOOLEAN InstrumentationCallbackDisabled;
279 | #ifndef _WIN64
280 |     UCHAR SpareBytes[23];
281 |     ULONG TxFsContext;
282 | #endif
283 |     GDI_TEB_BATCH GdiTebBatch;
284 |     CLIENT_ID RealClientId;
285 |     HANDLE GdiCachedProcessHandle;
286 |     ULONG GdiClientPID;
287 |     ULONG GdiClientTID;
288 |     PVOID GdiThreadLocalInfo;
289 |     ULONG_PTR Win32ClientInfo[62];
290 |     PVOID glDispatchTable[233];
291 |     ULONG_PTR glReserved1[29];
292 |     PVOID glReserved2;
293 |     PVOID glSectionInfo;
294 |     PVOID glSection;
295 |     PVOID glTable;
296 |     PVOID glCurrentRC;
297 |     PVOID glContext;
298 | 
299 |     NTSTATUS LastStatusValue;
300 |     UNICODE_STRING StaticUnicodeString;
301 |     WCHAR StaticUnicodeBuffer[261];
302 | 
303 |     PVOID DeallocationStack;
304 |     PVOID TlsSlots[64];
305 |     LIST_ENTRY TlsLinks;
306 | 
307 |     PVOID Vdm;
308 |     PVOID ReservedForNtRpc;
309 |     PVOID DbgSsReserved[2];
310 | 
311 |     ULONG HardErrorMode;
312 | #ifdef _WIN64
313 |     PVOID Instrumentation[11];
314 | #else
315 |     PVOID Instrumentation[9];
316 | #endif
317 |     GUID ActivityId;
318 | 
319 |     PVOID SubProcessTag;
320 |     PVOID PerflibData;
321 |     PVOID EtwTraceData;
322 |     PVOID WinSockData;
323 |     ULONG GdiBatchCount;
324 | 
325 |     union
326 |     {
327 |         PROCESSOR_NUMBER CurrentIdealProcessor;
328 |         ULONG IdealProcessorValue;
329 |         struct
330 |         {
331 |             UCHAR ReservedPad0;
332 |             UCHAR ReservedPad1;
333 |             UCHAR ReservedPad2;
334 |             UCHAR IdealProcessor;
335 |         };
336 |     };
337 | 
338 |     ULONG GuaranteedStackBytes;
339 |     PVOID ReservedForPerf;
340 |     PVOID ReservedForOle;
341 |     ULONG WaitingOnLoaderLock;
342 |     PVOID SavedPriorityState;
343 |     ULONG_PTR ReservedForCodeCoverage;
344 |     PVOID ThreadPoolData;
345 |     PVOID *TlsExpansionSlots;
346 | #ifdef _WIN64
347 |     PVOID DeallocationBStore;
348 |     PVOID BStoreLimit;
349 | #endif
350 |     ULONG MuiGeneration;
351 |     ULONG IsImpersonating;
352 |     PVOID NlsCache;
353 |     PVOID pShimData;
354 |     USHORT HeapVirtualAffinity;
355 |     USHORT LowFragHeapDataSlot;
356 |     HANDLE CurrentTransactionHandle;
357 |     PTEB_ACTIVE_FRAME ActiveFrame;
358 |     PVOID FlsData;
359 | 
360 |     PVOID PreferredLanguages;
361 |     PVOID UserPrefLanguages;
362 |     PVOID MergedPrefLanguages;
363 |     ULONG MuiImpersonation;
364 | 
365 |     union
366 |     {
367 |         USHORT CrossTebFlags;
368 |         USHORT SpareCrossTebBits : 16;
369 |     };
370 |     union
371 |     {
372 |         USHORT SameTebFlags;
373 |         struct
374 |         {
375 |             USHORT SafeThunkCall : 1;
376 |             USHORT InDebugPrint : 1;
377 |             USHORT HasFiberData : 1;
378 |             USHORT SkipThreadAttach : 1;
379 |             USHORT WerInShipAssertCode : 1;
380 |             USHORT RanProcessInit : 1;
381 |             USHORT ClonedThread : 1;
382 |             USHORT SuppressDebugMsg : 1;
383 |             USHORT DisableUserStackWalk : 1;
384 |             USHORT RtlExceptionAttached : 1;
385 |             USHORT InitialThread : 1;
386 |             USHORT SessionAware : 1;
387 |             USHORT LoadOwner : 1;
388 |             USHORT LoaderWorker : 1;
389 |             USHORT SkipLoaderInit : 1;
390 |             USHORT SpareSameTebBits : 1;
391 |         };
392 |     };
393 | 
394 |     PVOID TxnScopeEnterCallback;
395 |     PVOID TxnScopeExitCallback;
396 |     PVOID TxnScopeContext;
397 |     ULONG LockCount;
398 |     LONG WowTebOffset;
399 |     PVOID ResourceRetValue;
400 |     PVOID ReservedForWdf;
401 |     ULONGLONG ReservedForCrt;
402 |     GUID EffectiveContainerId;
403 | } TEB, *PTEB;
404 | 
405 | #endif
406 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntregapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTREGAPI_H
  2 | #define _NTREGAPI_H
  3 | 
  4 | #define REG_INIT_BOOT_SM 0x0000
  5 | #define REG_INIT_BOOT_SETUP 0x0001
  6 | #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002
  7 | #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999
  8 | 
  9 | #define REG_MAX_KEY_VALUE_NAME_LENGTH 32767
 10 | #define REG_MAX_KEY_NAME_LENGTH 512
 11 | 
 12 | typedef enum _KEY_INFORMATION_CLASS
 13 | {
 14 |     KeyBasicInformation, // KEY_BASIC_INFORMATION
 15 |     KeyNodeInformation, // KEY_NODE_INFORMATION
 16 |     KeyFullInformation, // KEY_FULL_INFORMATION
 17 |     KeyNameInformation, // KEY_NAME_INFORMATION
 18 |     KeyCachedInformation, // KEY_CACHED_INFORMATION
 19 |     KeyFlagsInformation, // KEY_FLAGS_INFORMATION
 20 |     KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION
 21 |     KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
 22 |     KeyTrustInformation, // KEY_TRUST_INFORMATION
 23 |     KeyLayerInformation, // KEY_LAYER_INFORMATION
 24 |     MaxKeyInfoClass
 25 | } KEY_INFORMATION_CLASS;
 26 | 
 27 | typedef struct _KEY_BASIC_INFORMATION
 28 | {
 29 |     LARGE_INTEGER LastWriteTime;
 30 |     ULONG TitleIndex;
 31 |     ULONG NameLength;
 32 |     WCHAR Name[1];
 33 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
 34 | 
 35 | typedef struct _KEY_NODE_INFORMATION
 36 | {
 37 |     LARGE_INTEGER LastWriteTime;
 38 |     ULONG TitleIndex;
 39 |     ULONG ClassOffset;
 40 |     ULONG ClassLength;
 41 |     ULONG NameLength;
 42 |     WCHAR Name[1];
 43 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
 44 | 
 45 | typedef struct _KEY_FULL_INFORMATION
 46 | {
 47 |     LARGE_INTEGER LastWriteTime;
 48 |     ULONG TitleIndex;
 49 |     ULONG ClassOffset;
 50 |     ULONG ClassLength;
 51 |     ULONG SubKeys;
 52 |     ULONG MaxNameLen;
 53 |     ULONG MaxClassLen;
 54 |     ULONG Values;
 55 |     ULONG MaxValueNameLen;
 56 |     ULONG MaxValueDataLen;
 57 |     WCHAR Class[1];
 58 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
 59 | 
 60 | typedef struct _KEY_NAME_INFORMATION
 61 | {
 62 |     ULONG NameLength;
 63 |     WCHAR Name[1];
 64 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
 65 | 
 66 | typedef struct _KEY_CACHED_INFORMATION
 67 | {
 68 |     LARGE_INTEGER LastWriteTime;
 69 |     ULONG TitleIndex;
 70 |     ULONG SubKeys;
 71 |     ULONG MaxNameLen;
 72 |     ULONG Values;
 73 |     ULONG MaxValueNameLen;
 74 |     ULONG MaxValueDataLen;
 75 |     ULONG NameLength;
 76 |     WCHAR Name[1];
 77 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
 78 | 
 79 | typedef struct _KEY_FLAGS_INFORMATION
 80 | {
 81 |     ULONG UserFlags;
 82 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION;
 83 | 
 84 | typedef struct _KEY_VIRTUALIZATION_INFORMATION
 85 | {
 86 |     ULONG VirtualizationCandidate : 1;
 87 |     ULONG VirtualizationEnabled : 1; 
 88 |     ULONG VirtualTarget : 1;
 89 |     ULONG VirtualStore : 1; 
 90 |     ULONG VirtualSource : 1; 
 91 |     ULONG Reserved : 27;
 92 | } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION;
 93 | 
 94 | typedef struct _KEY_TRUST_INFORMATION
 95 | {
 96 |     ULONG TrustedKey : 1;
 97 |     ULONG Reserved : 31;
 98 | } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION;
 99 | 
100 | typedef struct _KEY_LAYER_INFORMATION
101 | {
102 |     ULONG IsTombstone;
103 |     ULONG IsSupersedeLocal;
104 |     ULONG IsSupersedeTree;
105 |     ULONG ClassIsInherited;
106 |     ULONG Reserved;
107 | } KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION;
108 | 
109 | typedef enum _KEY_SET_INFORMATION_CLASS
110 | {
111 |     KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION
112 |     KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION
113 |     KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION
114 |     KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION
115 |     KeySetDebugInformation,
116 |     KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
117 |     KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION
118 |     MaxKeySetInfoClass
119 | } KEY_SET_INFORMATION_CLASS;
120 | 
121 | typedef struct _KEY_WRITE_TIME_INFORMATION
122 | {
123 |     LARGE_INTEGER LastWriteTime;
124 | } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
125 | 
126 | typedef struct _KEY_WOW64_FLAGS_INFORMATION
127 | {
128 |     ULONG UserFlags;
129 | } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION;
130 | 
131 | typedef struct _KEY_HANDLE_TAGS_INFORMATION
132 | {
133 |     ULONG HandleTags;
134 | } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
135 | 
136 | typedef struct _KEY_SET_LAYER_INFORMATION
137 | {
138 |     ULONG IsTombstone : 1;
139 |     ULONG IsSupersedeLocal : 1;
140 |     ULONG IsSupersedeTree : 1;
141 |     ULONG ClassIsInherited : 1;
142 |     ULONG Reserved : 28;
143 | } KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION;
144 | 
145 | typedef struct _KEY_CONTROL_FLAGS_INFORMATION
146 | {
147 |     ULONG ControlFlags;
148 | } KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;
149 | 
150 | typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION
151 | {
152 |     ULONG VirtualTarget : 1;
153 |     ULONG VirtualStore : 1;
154 |     ULONG VirtualSource : 1;
155 |     ULONG Reserved : 29;
156 | } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION;
157 | 
158 | typedef enum _KEY_VALUE_INFORMATION_CLASS
159 | {
160 |     KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION
161 |     KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION
162 |     KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION
163 |     KeyValueFullInformationAlign64,
164 |     KeyValuePartialInformationAlign64,  // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
165 |     KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION
166 |     MaxKeyValueInfoClass
167 | } KEY_VALUE_INFORMATION_CLASS;
168 | 
169 | typedef struct _KEY_VALUE_BASIC_INFORMATION
170 | {
171 |     ULONG TitleIndex;
172 |     ULONG Type;
173 |     ULONG NameLength;
174 |     WCHAR Name[1];
175 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
176 | 
177 | typedef struct _KEY_VALUE_FULL_INFORMATION
178 | {
179 |     ULONG TitleIndex;
180 |     ULONG Type;
181 |     ULONG DataOffset;
182 |     ULONG DataLength;
183 |     ULONG NameLength;
184 |     WCHAR Name[1];
185 | 
186 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
187 | 
188 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION
189 | {
190 |     ULONG TitleIndex;
191 |     ULONG Type;
192 |     ULONG DataLength;
193 |     UCHAR Data[1];
194 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
195 | 
196 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
197 | {
198 |     ULONG Type;
199 |     ULONG DataLength;
200 |     UCHAR Data[1];
201 | } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
202 | 
203 | typedef struct _KEY_VALUE_LAYER_INFORMATION
204 | {
205 |     ULONG IsTombstone;
206 |     ULONG Reserved;
207 | } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION;
208 | 
209 | typedef struct _KEY_VALUE_ENTRY
210 | {
211 |     PUNICODE_STRING ValueName;
212 |     ULONG DataLength;
213 |     ULONG DataOffset;
214 |     ULONG Type;
215 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
216 | 
217 | typedef enum _REG_ACTION
218 | {
219 |     KeyAdded,
220 |     KeyRemoved,
221 |     KeyModified
222 | } REG_ACTION;
223 | 
224 | typedef struct _REG_NOTIFY_INFORMATION
225 | {
226 |     ULONG NextEntryOffset;
227 |     REG_ACTION Action;
228 |     ULONG KeyLength;
229 |     WCHAR Key[1];
230 | } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION;
231 | 
232 | typedef struct _KEY_PID_ARRAY
233 | {
234 |     HANDLE PID;
235 |     UNICODE_STRING KeyName;
236 | } KEY_PID_ARRAY, *PKEY_PID_ARRAY;
237 | 
238 | typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
239 | {
240 |     ULONG Count;
241 |     KEY_PID_ARRAY KeyArray[1];
242 | } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION;
243 | 
244 | NATIVE_API(NTSTATUS, /*Nt*/CreateKey, (
245 |     _Out_ PHANDLE KeyHandle,
246 |     _In_ ACCESS_MASK DesiredAccess,
247 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
248 |     _Reserved_ ULONG TitleIndex,
249 |     _In_opt_ PUNICODE_STRING Class,
250 |     _In_ ULONG CreateOptions,
251 |     _Out_opt_ PULONG Disposition
252 | ))
253 | 
254 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
255 | NATIVE_API(NTSTATUS, /*Nt*/CreateKeyTransacted, (
256 |     _Out_ PHANDLE KeyHandle,
257 |     _In_ ACCESS_MASK DesiredAccess,
258 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
259 |     _Reserved_ ULONG TitleIndex,
260 |     _In_opt_ PUNICODE_STRING Class,
261 |     _In_ ULONG CreateOptions,
262 |     _In_ HANDLE TransactionHandle,
263 |     _Out_opt_ PULONG Disposition
264 | ))
265 | #endif
266 | 
267 | NATIVE_API(NTSTATUS, /*Nt*/OpenKey, (
268 |     _Out_ PHANDLE KeyHandle,
269 |     _In_ ACCESS_MASK DesiredAccess,
270 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes
271 | ))
272 | 
273 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
274 | NATIVE_API(NTSTATUS, /*Nt*/OpenKeyTransacted, (
275 |     _Out_ PHANDLE KeyHandle,
276 |     _In_ ACCESS_MASK DesiredAccess,
277 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
278 |     _In_ HANDLE TransactionHandle
279 | ))
280 | #endif
281 | 
282 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
283 | NATIVE_API(NTSTATUS, /*Nt*/OpenKeyEx, (
284 |     _Out_ PHANDLE KeyHandle,
285 |     _In_ ACCESS_MASK DesiredAccess,
286 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
287 |     _In_ ULONG OpenOptions
288 | ))
289 | #endif
290 | 
291 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
292 | NATIVE_API(NTSTATUS, /*Nt*/OpenKeyTransactedEx, (
293 |     _Out_ PHANDLE KeyHandle,
294 |     _In_ ACCESS_MASK DesiredAccess,
295 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
296 |     _In_ ULONG OpenOptions,
297 |     _In_ HANDLE TransactionHandle
298 | ))
299 | #endif
300 | 
301 | NATIVE_API(NTSTATUS, /*Nt*/DeleteKey, (
302 |     _In_ HANDLE KeyHandle
303 | ))
304 | 
305 | NATIVE_API(NTSTATUS, /*Nt*/RenameKey, (
306 |     _In_ HANDLE KeyHandle,
307 |     _In_ PUNICODE_STRING NewName
308 | ))
309 | 
310 | NATIVE_API(NTSTATUS, /*Nt*/DeleteValueKey, (
311 |     _In_ HANDLE KeyHandle,
312 |     _In_ PUNICODE_STRING ValueName
313 | ))
314 | 
315 | NATIVE_API(NTSTATUS, /*Nt*/QueryKey, (
316 |     _In_ HANDLE KeyHandle,
317 |     _In_ KEY_INFORMATION_CLASS KeyInformationClass,
318 |     _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
319 |     _In_ ULONG Length,
320 |     _Out_ PULONG ResultLength
321 | ))
322 | 
323 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationKey, (
324 |     _In_ HANDLE KeyHandle,
325 |     _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass,
326 |     _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation,
327 |     _In_ ULONG KeySetInformationLength
328 | ))
329 | 
330 | NATIVE_API(NTSTATUS, /*Nt*/QueryValueKey, (
331 |     _In_ HANDLE KeyHandle,
332 |     _In_ PUNICODE_STRING ValueName,
333 |     _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
334 |     _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
335 |     _In_ ULONG Length,
336 |     _Out_ PULONG ResultLength
337 | ))
338 | 
339 | NATIVE_API(NTSTATUS, /*Nt*/SetValueKey, (
340 |     _In_ HANDLE KeyHandle,
341 |     _In_ PUNICODE_STRING ValueName,
342 |     _In_opt_ ULONG TitleIndex,
343 |     _In_ ULONG Type,
344 |     _In_reads_bytes_opt_(DataSize) PVOID Data,
345 |     _In_ ULONG DataSize
346 | ))
347 | 
348 | NATIVE_API(NTSTATUS, /*Nt*/QueryMultipleValueKey, (
349 |     _In_ HANDLE KeyHandle,
350 |     _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
351 |     _In_ ULONG EntryCount,
352 |     _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer,
353 |     _Inout_ PULONG BufferLength,
354 |     _Out_opt_ PULONG RequiredBufferLength
355 | ))
356 | 
357 | NATIVE_API(NTSTATUS, /*Nt*/EnumerateKey, (
358 |     _In_ HANDLE KeyHandle,
359 |     _In_ ULONG Index,
360 |     _In_ KEY_INFORMATION_CLASS KeyInformationClass,
361 |     _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
362 |     _In_ ULONG Length,
363 |     _Out_ PULONG ResultLength
364 | ))
365 | 
366 | NATIVE_API(NTSTATUS, /*Nt*/EnumerateValueKey, (
367 |     _In_ HANDLE KeyHandle,
368 |     _In_ ULONG Index,
369 |     _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
370 |     _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
371 |     _In_ ULONG Length,
372 |     _Out_ PULONG ResultLength
373 | ))
374 | 
375 | NATIVE_API(NTSTATUS, /*Nt*/FlushKey, (
376 |     _In_ HANDLE KeyHandle
377 | ))
378 | 
379 | NATIVE_API(NTSTATUS, /*Nt*/CompactKeys, (
380 |     _In_ ULONG Count,
381 |     _In_reads_(Count) HANDLE KeyArray[]
382 | ))
383 | 
384 | NATIVE_API(NTSTATUS, /*Nt*/CompressKey, (
385 |     _In_ HANDLE Key
386 | ))
387 | 
388 | NATIVE_API(NTSTATUS, /*Nt*/LoadKey, (
389 |     _In_ POBJECT_ATTRIBUTES TargetKey,
390 |     _In_ POBJECT_ATTRIBUTES SourceFile
391 | ))
392 | 
393 | NATIVE_API(NTSTATUS, /*Nt*/LoadKey2, (
394 |     _In_ POBJECT_ATTRIBUTES TargetKey,
395 |     _In_ POBJECT_ATTRIBUTES SourceFile,
396 |     _In_ ULONG Flags
397 | ))
398 | 
399 | NATIVE_API(NTSTATUS, /*Nt*/LoadKeyEx, (
400 |     _In_ POBJECT_ATTRIBUTES TargetKey,
401 |     _In_ POBJECT_ATTRIBUTES SourceFile,
402 |     _In_ ULONG Flags,
403 |     _In_opt_ HANDLE TrustClassKey,
404 |     _In_opt_ HANDLE Event,
405 |     _In_opt_ ACCESS_MASK DesiredAccess,
406 |     _Out_opt_ PHANDLE RootHandle,
407 |     _Out_opt_ PIO_STATUS_BLOCK IoStatus
408 | ))
409 | 
410 | NATIVE_API(NTSTATUS, /*Nt*/ReplaceKey, (
411 |     _In_ POBJECT_ATTRIBUTES NewFile,
412 |     _In_ HANDLE TargetHandle,
413 |     _In_ POBJECT_ATTRIBUTES OldFile
414 | ))
415 | 
416 | NATIVE_API(NTSTATUS, /*Nt*/SaveKey, (
417 |     _In_ HANDLE KeyHandle,
418 |     _In_ HANDLE FileHandle
419 | ))
420 | 
421 | NATIVE_API(NTSTATUS, /*Nt*/SaveKeyEx, (
422 |     _In_ HANDLE KeyHandle,
423 |     _In_ HANDLE FileHandle,
424 |     _In_ ULONG Format
425 | ))
426 | 
427 | NATIVE_API(NTSTATUS, /*Nt*/SaveMergedKeys, (
428 |     _In_ HANDLE HighPrecedenceKeyHandle,
429 |     _In_ HANDLE LowPrecedenceKeyHandle,
430 |     _In_ HANDLE FileHandle
431 | ))
432 | 
433 | NATIVE_API(NTSTATUS, /*Nt*/RestoreKey, (
434 |     _In_ HANDLE KeyHandle,
435 |     _In_ HANDLE FileHandle,
436 |     _In_ ULONG Flags
437 | ))
438 | 
439 | NATIVE_API(NTSTATUS, /*Nt*/UnloadKey, (
440 |     _In_ POBJECT_ATTRIBUTES TargetKey
441 | ))
442 | 
443 | NATIVE_API(NTSTATUS, /*Nt*/UnloadKey2, (
444 |     _In_ POBJECT_ATTRIBUTES TargetKey,
445 |     _In_ ULONG Flags
446 | ))
447 | 
448 | NATIVE_API(NTSTATUS, /*Nt*/UnloadKeyEx, (
449 |     _In_ POBJECT_ATTRIBUTES TargetKey,
450 |     _In_opt_ HANDLE Event
451 | ))
452 | 
453 | NATIVE_API(NTSTATUS, /*Nt*/NotifyChangeKey, (
454 |     _In_ HANDLE KeyHandle,
455 |     _In_opt_ HANDLE Event,
456 |     _In_opt_ PIO_APC_ROUTINE ApcRoutine,
457 |     _In_opt_ PVOID ApcContext,
458 |     _Out_ PIO_STATUS_BLOCK IoStatusBlock,
459 |     _In_ ULONG CompletionFilter,
460 |     _In_ BOOLEAN WatchTree,
461 |     _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
462 |     _In_ ULONG BufferSize,
463 |     _In_ BOOLEAN Asynchronous
464 | ))
465 | 
466 | NATIVE_API(NTSTATUS, /*Nt*/NotifyChangeMultipleKeys, (
467 |     _In_ HANDLE MasterKeyHandle,
468 |     _In_opt_ ULONG Count,
469 |     _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
470 |     _In_opt_ HANDLE Event,
471 |     _In_opt_ PIO_APC_ROUTINE ApcRoutine,
472 |     _In_opt_ PVOID ApcContext,
473 |     _Out_ PIO_STATUS_BLOCK IoStatusBlock,
474 |     _In_ ULONG CompletionFilter,
475 |     _In_ BOOLEAN WatchTree,
476 |     _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
477 |     _In_ ULONG BufferSize,
478 |     _In_ BOOLEAN Asynchronous
479 | ))
480 | 
481 | NATIVE_API(NTSTATUS, /*Nt*/QueryOpenSubKeys, (
482 |     _In_ POBJECT_ATTRIBUTES TargetKey,
483 |     _Out_ PULONG HandleCount
484 | ))
485 | 
486 | NATIVE_API(NTSTATUS, /*Nt*/QueryOpenSubKeysEx, (
487 |     _In_ POBJECT_ATTRIBUTES TargetKey,
488 |     _In_ ULONG BufferLength,
489 |     _Out_writes_bytes_(BufferLength) PVOID Buffer,
490 |     _Out_ PULONG RequiredSize
491 | ))
492 | 
493 | NATIVE_API(NTSTATUS, /*Nt*/InitializeRegistry, (
494 |     _In_ USHORT BootCondition
495 | ))
496 | 
497 | NATIVE_API(NTSTATUS, /*Nt*/LockRegistryKey, (
498 |     _In_ HANDLE KeyHandle
499 | ))
500 | 
501 | NATIVE_API(NTSTATUS, /*Nt*/LockProductActivationKeys, (
502 |     _Inout_opt_ ULONG *pPrivateVer,
503 |     _Out_opt_ ULONG *pSafeMode
504 | ))
505 | 
506 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
507 | NATIVE_API(NTSTATUS, /*Nt*/FreezeRegistry, (
508 |     _In_ ULONG TimeOutInSeconds
509 | ))
510 | #endif
511 | 
512 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
513 | NATIVE_API(NTSTATUS, /*Nt*/ThawRegistry, (
514 |     VOID
515 | ))
516 | #endif
517 | 
518 | #endif
519 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntseapi.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
  3 |  *
  4 |  * You can redistribute this file and/or modify it under the terms of the 
  5 |  * Attribution 4.0 International (CC BY 4.0) license. 
  6 |  * 
  7 |  * You must give appropriate credit, provide a link to the license, and 
  8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
  9 |  * not in any way that suggests the licensor endorses you or your use.
 10 |  */
 11 | 
 12 | #ifndef _NTSEAPI_H
 13 | #define _NTSEAPI_H
 14 | 
 15 | // Privileges
 16 | 
 17 | #define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
 18 | #define SE_CREATE_TOKEN_PRIVILEGE (2L)
 19 | #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
 20 | #define SE_LOCK_MEMORY_PRIVILEGE (4L)
 21 | #define SE_INCREASE_QUOTA_PRIVILEGE (5L)
 22 | 
 23 | #define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
 24 | #define SE_TCB_PRIVILEGE (7L)
 25 | #define SE_SECURITY_PRIVILEGE (8L)
 26 | #define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
 27 | #define SE_LOAD_DRIVER_PRIVILEGE (10L)
 28 | #define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
 29 | #define SE_SYSTEMTIME_PRIVILEGE (12L)
 30 | #define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
 31 | #define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
 32 | #define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
 33 | #define SE_CREATE_PERMANENT_PRIVILEGE (16L)
 34 | #define SE_BACKUP_PRIVILEGE (17L)
 35 | #define SE_RESTORE_PRIVILEGE (18L)
 36 | #define SE_SHUTDOWN_PRIVILEGE (19L)
 37 | #define SE_DEBUG_PRIVILEGE (20L)
 38 | #define SE_AUDIT_PRIVILEGE (21L)
 39 | #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
 40 | #define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
 41 | #define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
 42 | #define SE_UNDOCK_PRIVILEGE (25L)
 43 | #define SE_SYNC_AGENT_PRIVILEGE (26L)
 44 | #define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
 45 | #define SE_MANAGE_VOLUME_PRIVILEGE (28L)
 46 | #define SE_IMPERSONATE_PRIVILEGE (29L)
 47 | #define SE_CREATE_GLOBAL_PRIVILEGE (30L)
 48 | #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
 49 | #define SE_RELABEL_PRIVILEGE (32L)
 50 | #define SE_INC_WORKING_SET_PRIVILEGE (33L)
 51 | #define SE_TIME_ZONE_PRIVILEGE (34L)
 52 | #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
 53 | #define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L)
 54 | #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE
 55 | 
 56 | // Authz
 57 | 
 58 | // begin_rev
 59 | 
 60 | // Types
 61 | 
 62 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
 63 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
 64 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
 65 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
 66 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
 67 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
 68 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
 69 | #define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10
 70 | 
 71 | // Flags
 72 | 
 73 | #define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
 74 | #define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
 75 | #define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
 76 | #define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
 77 | #define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
 78 | #define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
 79 | #define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040
 80 | 
 81 | #define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
 82 |     TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
 83 |     TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
 84 |     TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
 85 |     TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
 86 |     TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
 87 |     TOKEN_SECURITY_ATTRIBUTE_MANDATORY)
 88 | 
 89 | #define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
 90 | 
 91 | // end_rev
 92 | 
 93 | // private
 94 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
 95 | {
 96 |     ULONG64 Version;
 97 |     UNICODE_STRING Name;
 98 | } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
 99 | 
100 | // private
101 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
102 | {
103 |     PVOID pValue;
104 |     ULONG ValueLength;
105 | } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
106 | 
107 | // private
108 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
109 | {
110 |     UNICODE_STRING Name;
111 |     USHORT ValueType;
112 |     USHORT Reserved;
113 |     ULONG Flags;
114 |     ULONG ValueCount;
115 |     union
116 |     {
117 |         PLONG64 pInt64;
118 |         PULONG64 pUint64;
119 |         PUNICODE_STRING pString;
120 |         PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
121 |         PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
122 |     } Values;
123 | } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
124 | 
125 | // rev
126 | #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
127 | // rev
128 | #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
129 | 
130 | // private
131 | typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
132 | {
133 |     USHORT Version;
134 |     USHORT Reserved;
135 |     ULONG AttributeCount;
136 |     union
137 |     {
138 |         PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
139 |     } Attribute;
140 | } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
141 | 
142 | // rev
143 | typedef struct _TOKEN_PROCESS_TRUST_LEVEL
144 | {
145 |     PSID TrustLevelSid;
146 | } TOKEN_PROCESS_TRUST_LEVEL, *PTOKEN_PROCESS_TRUST_LEVEL;
147 | 
148 | // Tokens
149 | 
150 | NATIVE_API(NTSTATUS, /*Nt*/CreateToken, (
151 |     _Out_ PHANDLE TokenHandle,
152 |     _In_ ACCESS_MASK DesiredAccess,
153 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
154 |     _In_ TOKEN_TYPE TokenType,
155 |     _In_ PLUID AuthenticationId,
156 |     _In_ PLARGE_INTEGER ExpirationTime,
157 |     _In_ PTOKEN_USER User,
158 |     _In_ PTOKEN_GROUPS Groups,
159 |     _In_ PTOKEN_PRIVILEGES Privileges,
160 |     _In_opt_ PTOKEN_OWNER Owner,
161 |     _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
162 |     _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
163 |     _In_ PTOKEN_SOURCE TokenSource
164 | ))
165 | 
166 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
167 | NATIVE_API(NTSTATUS, /*Nt*/CreateLowBoxToken, (
168 |     _Out_ PHANDLE TokenHandle,
169 |     _In_ HANDLE ExistingTokenHandle,
170 |     _In_ ACCESS_MASK DesiredAccess,
171 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
172 |     _In_ PSID PackageSid,
173 |     _In_ ULONG CapabilityCount,
174 |     _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
175 |     _In_ ULONG HandleCount,
176 |     _In_reads_opt_(HandleCount) HANDLE *Handles
177 | ))
178 | #endif
179 | 
180 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
181 | NATIVE_API(NTSTATUS, /*Nt*/CreateTokenEx, (
182 |     _Out_ PHANDLE TokenHandle,
183 |     _In_ ACCESS_MASK DesiredAccess,
184 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
185 |     _In_ TOKEN_TYPE TokenType,
186 |     _In_ PLUID AuthenticationId,
187 |     _In_ PLARGE_INTEGER ExpirationTime,
188 |     _In_ PTOKEN_USER User,
189 |     _In_ PTOKEN_GROUPS Groups,
190 |     _In_ PTOKEN_PRIVILEGES Privileges,
191 |     _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
192 |     _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
193 |     _In_opt_ PTOKEN_GROUPS DeviceGroups,
194 |     _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy,
195 |     _In_opt_ PTOKEN_OWNER Owner,
196 |     _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
197 |     _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
198 |     _In_ PTOKEN_SOURCE TokenSource
199 | ))
200 | #endif
201 | 
202 | NATIVE_API(NTSTATUS, /*Nt*/OpenProcessToken, (
203 |     _In_ HANDLE ProcessHandle,
204 |     _In_ ACCESS_MASK DesiredAccess,
205 |     _Out_ PHANDLE TokenHandle
206 | ))
207 | 
208 | NATIVE_API(NTSTATUS, /*Nt*/OpenProcessTokenEx, (
209 |     _In_ HANDLE ProcessHandle,
210 |     _In_ ACCESS_MASK DesiredAccess,
211 |     _In_ ULONG HandleAttributes,
212 |     _Out_ PHANDLE TokenHandle
213 | ))
214 | 
215 | NATIVE_API(NTSTATUS, /*Nt*/OpenThreadToken, (
216 |     _In_ HANDLE ThreadHandle,
217 |     _In_ ACCESS_MASK DesiredAccess,
218 |     _In_ BOOLEAN OpenAsSelf,
219 |     _Out_ PHANDLE TokenHandle
220 | ))
221 | 
222 | NATIVE_API(NTSTATUS, /*Nt*/OpenThreadTokenEx, (
223 |     _In_ HANDLE ThreadHandle,
224 |     _In_ ACCESS_MASK DesiredAccess,
225 |     _In_ BOOLEAN OpenAsSelf,
226 |     _In_ ULONG HandleAttributes,
227 |     _Out_ PHANDLE TokenHandle
228 | ))
229 | 
230 | NATIVE_API(NTSTATUS, /*Nt*/DuplicateToken, (
231 |     _In_ HANDLE ExistingTokenHandle,
232 |     _In_ ACCESS_MASK DesiredAccess,
233 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
234 |     _In_ BOOLEAN EffectiveOnly,
235 |     _In_ TOKEN_TYPE TokenType,
236 |     _Out_ PHANDLE NewTokenHandle
237 | ))
238 | 
239 | NATIVE_API(NTSTATUS, /*Nt*/QueryInformationToken, (
240 |     _In_ HANDLE TokenHandle,
241 |     _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
242 |     _Out_writes_bytes_(TokenInformationLength) PVOID TokenInformation,
243 |     _In_ ULONG TokenInformationLength,
244 |     _Out_ PULONG ReturnLength
245 | ))
246 | 
247 | NATIVE_API(NTSTATUS, /*Nt*/SetInformationToken, (
248 |     _In_ HANDLE TokenHandle,
249 |     _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
250 |     _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
251 |     _In_ ULONG TokenInformationLength
252 | ))
253 | 
254 | NATIVE_API(NTSTATUS, /*Nt*/AdjustPrivilegesToken, (
255 |     _In_ HANDLE TokenHandle,
256 |     _In_ BOOLEAN DisableAllPrivileges,
257 |     _In_opt_ PTOKEN_PRIVILEGES NewState,
258 |     _In_ ULONG BufferLength,
259 |     _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
260 |     _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength
261 | ))
262 | 
263 | NATIVE_API(NTSTATUS, /*Nt*/AdjustGroupsToken, (
264 |     _In_ HANDLE TokenHandle,
265 |     _In_ BOOLEAN ResetToDefault,
266 |     _In_opt_ PTOKEN_GROUPS NewState,
267 |     _In_opt_ ULONG BufferLength,
268 |     _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
269 |     _Out_opt_ PULONG ReturnLength
270 | ))
271 | 
272 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
273 | NATIVE_API(NTSTATUS, /*Nt*/AdjustTokenClaimsAndDeviceGroups, (
274 |     _In_ HANDLE TokenHandle,
275 |     _In_ BOOLEAN UserResetToDefault,
276 |     _In_ BOOLEAN DeviceResetToDefault,
277 |     _In_ BOOLEAN DeviceGroupsResetToDefault,
278 |     _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
279 |     _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
280 |     _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
281 |     _In_ ULONG UserBufferLength,
282 |     _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
283 |     _In_ ULONG DeviceBufferLength,
284 |     _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
285 |     _In_ ULONG DeviceGroupsBufferLength,
286 |     _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
287 |     _Out_opt_ PULONG UserReturnLength,
288 |     _Out_opt_ PULONG DeviceReturnLength,
289 |     _Out_opt_ PULONG DeviceGroupsReturnBufferLength
290 | ))
291 | #endif
292 | 
293 | NATIVE_API(NTSTATUS, /*Nt*/FilterToken, (
294 |     _In_ HANDLE ExistingTokenHandle,
295 |     _In_ ULONG Flags,
296 |     _In_opt_ PTOKEN_GROUPS SidsToDisable,
297 |     _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
298 |     _In_opt_ PTOKEN_GROUPS RestrictedSids,
299 |     _Out_ PHANDLE NewTokenHandle
300 | ))
301 | 
302 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
303 | NATIVE_API(NTSTATUS, /*Nt*/FilterTokenEx, (
304 |     _In_ HANDLE ExistingTokenHandle,
305 |     _In_ ULONG Flags,
306 |     _In_opt_ PTOKEN_GROUPS SidsToDisable,
307 |     _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
308 |     _In_opt_ PTOKEN_GROUPS RestrictedSids,
309 |     _In_ ULONG DisableUserClaimsCount,
310 |     _In_opt_ PUNICODE_STRING UserClaimsToDisable,
311 |     _In_ ULONG DisableDeviceClaimsCount,
312 |     _In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
313 |     _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
314 |     _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
315 |     _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
316 |     _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
317 |     _Out_ PHANDLE NewTokenHandle
318 | ))
319 | #endif
320 | 
321 | NATIVE_API(NTSTATUS, /*Nt*/CompareTokens, (
322 |     _In_ HANDLE FirstTokenHandle,
323 |     _In_ HANDLE SecondTokenHandle,
324 |     _Out_ PBOOLEAN Equal
325 | ))
326 | 
327 | NATIVE_API(NTSTATUS, /*Nt*/PrivilegeCheck, (
328 |     _In_ HANDLE ClientToken,
329 |     _Inout_ PPRIVILEGE_SET RequiredPrivileges,
330 |     _Out_ PBOOLEAN Result
331 | ))
332 | 
333 | NATIVE_API(NTSTATUS, /*Nt*/ImpersonateAnonymousToken, (
334 |     _In_ HANDLE ThreadHandle
335 | ))
336 | 
337 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
338 | // rev
339 | NATIVE_API(NTSTATUS, /*Nt*/QuerySecurityAttributesToken, (
340 |     _In_ HANDLE TokenHandle,
341 |     _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
342 |     _In_ ULONG NumberOfAttributes,
343 |     _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
344 |     _In_ ULONG Length,
345 |     _Out_ PULONG ReturnLength
346 | ))
347 | #endif
348 | 
349 | // Access checking
350 | 
351 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheck, (
352 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
353 |     _In_ HANDLE ClientToken,
354 |     _In_ ACCESS_MASK DesiredAccess,
355 |     _In_ PGENERIC_MAPPING GenericMapping,
356 |     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
357 |     _Inout_ PULONG PrivilegeSetLength,
358 |     _Out_ PACCESS_MASK GrantedAccess,
359 |     _Out_ PNTSTATUS AccessStatus
360 | ))
361 | 
362 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheckByType, (
363 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
364 |     _In_opt_ PSID PrincipalSelfSid,
365 |     _In_ HANDLE ClientToken,
366 |     _In_ ACCESS_MASK DesiredAccess,
367 |     _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
368 |     _In_ ULONG ObjectTypeListLength,
369 |     _In_ PGENERIC_MAPPING GenericMapping,
370 |     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
371 |     _Inout_ PULONG PrivilegeSetLength,
372 |     _Out_ PACCESS_MASK GrantedAccess,
373 |     _Out_ PNTSTATUS AccessStatus
374 | ))
375 | 
376 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheckByTypeResultList, (
377 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
378 |     _In_opt_ PSID PrincipalSelfSid,
379 |     _In_ HANDLE ClientToken,
380 |     _In_ ACCESS_MASK DesiredAccess,
381 |     _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
382 |     _In_ ULONG ObjectTypeListLength,
383 |     _In_ PGENERIC_MAPPING GenericMapping,
384 |     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
385 |     _Inout_ PULONG PrivilegeSetLength,
386 |     _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
387 |     _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
388 | ))
389 | 
390 | // Signing
391 | 
392 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_10_TH1)
393 | 
394 | NATIVE_API(NTSTATUS, /*Nt*/SetCachedSigningLevel, (
395 |     _In_ ULONG Flags,
396 |     _In_ SE_SIGNING_LEVEL InputSigningLevel,
397 |     _In_reads_(SourceFileCount) PHANDLE SourceFiles,
398 |     _In_ ULONG SourceFileCount,
399 |     _In_opt_ HANDLE TargetFile
400 | ))
401 | 
402 | NATIVE_API(NTSTATUS, /*Nt*/GetCachedSigningLevel, (
403 |     _In_ HANDLE File,
404 |     _Out_ PULONG Flags,
405 |     _Out_ PSE_SIGNING_LEVEL SigningLevel,
406 |     _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
407 |     _Inout_opt_ PULONG ThumbprintSize,
408 |     _Out_opt_ PULONG ThumbprintAlgorithm
409 | ))
410 | 
411 | #endif
412 | 
413 | // Audit alarm
414 | 
415 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheckAndAuditAlarm, (
416 |     _In_ PUNICODE_STRING SubsystemName,
417 |     _In_opt_ PVOID HandleId,
418 |     _In_ PUNICODE_STRING ObjectTypeName,
419 |     _In_ PUNICODE_STRING ObjectName,
420 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
421 |     _In_ ACCESS_MASK DesiredAccess,
422 |     _In_ PGENERIC_MAPPING GenericMapping,
423 |     _In_ BOOLEAN ObjectCreation,
424 |     _Out_ PACCESS_MASK GrantedAccess,
425 |     _Out_ PNTSTATUS AccessStatus,
426 |     _Out_ PBOOLEAN GenerateOnClose
427 | ))
428 | 
429 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheckByTypeAndAuditAlarm, (
430 |     _In_ PUNICODE_STRING SubsystemName,
431 |     _In_opt_ PVOID HandleId,
432 |     _In_ PUNICODE_STRING ObjectTypeName,
433 |     _In_ PUNICODE_STRING ObjectName,
434 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
435 |     _In_opt_ PSID PrincipalSelfSid,
436 |     _In_ ACCESS_MASK DesiredAccess,
437 |     _In_ AUDIT_EVENT_TYPE AuditType,
438 |     _In_ ULONG Flags,
439 |     _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
440 |     _In_ ULONG ObjectTypeListLength,
441 |     _In_ PGENERIC_MAPPING GenericMapping,
442 |     _In_ BOOLEAN ObjectCreation,
443 |     _Out_ PACCESS_MASK GrantedAccess,
444 |     _Out_ PNTSTATUS AccessStatus,
445 |     _Out_ PBOOLEAN GenerateOnClose
446 | ))
447 | 
448 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheckByTypeResultListAndAuditAlarm, (
449 |     _In_ PUNICODE_STRING SubsystemName,
450 |     _In_opt_ PVOID HandleId,
451 |     _In_ PUNICODE_STRING ObjectTypeName,
452 |     _In_ PUNICODE_STRING ObjectName,
453 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
454 |     _In_opt_ PSID PrincipalSelfSid,
455 |     _In_ ACCESS_MASK DesiredAccess,
456 |     _In_ AUDIT_EVENT_TYPE AuditType,
457 |     _In_ ULONG Flags,
458 |     _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
459 |     _In_ ULONG ObjectTypeListLength,
460 |     _In_ PGENERIC_MAPPING GenericMapping,
461 |     _In_ BOOLEAN ObjectCreation,
462 |     _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
463 |     _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
464 |     _Out_ PBOOLEAN GenerateOnClose
465 | ))
466 | 
467 | NATIVE_API(NTSTATUS, /*Nt*/AccessCheckByTypeResultListAndAuditAlarmByHandle, (
468 |     _In_ PUNICODE_STRING SubsystemName,
469 |     _In_opt_ PVOID HandleId,
470 |     _In_ HANDLE ClientToken,
471 |     _In_ PUNICODE_STRING ObjectTypeName,
472 |     _In_ PUNICODE_STRING ObjectName,
473 |     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
474 |     _In_opt_ PSID PrincipalSelfSid,
475 |     _In_ ACCESS_MASK DesiredAccess,
476 |     _In_ AUDIT_EVENT_TYPE AuditType,
477 |     _In_ ULONG Flags,
478 |     _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
479 |     _In_ ULONG ObjectTypeListLength,
480 |     _In_ PGENERIC_MAPPING GenericMapping,
481 |     _In_ BOOLEAN ObjectCreation,
482 |     _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
483 |     _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
484 |     _Out_ PBOOLEAN GenerateOnClose
485 | ))
486 | 
487 | NATIVE_API(NTSTATUS, /*Nt*/OpenObjectAuditAlarm, (
488 |     _In_ PUNICODE_STRING SubsystemName,
489 |     _In_opt_ PVOID HandleId,
490 |     _In_ PUNICODE_STRING ObjectTypeName,
491 |     _In_ PUNICODE_STRING ObjectName,
492 |     _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
493 |     _In_ HANDLE ClientToken,
494 |     _In_ ACCESS_MASK DesiredAccess,
495 |     _In_ ACCESS_MASK GrantedAccess,
496 |     _In_opt_ PPRIVILEGE_SET Privileges,
497 |     _In_ BOOLEAN ObjectCreation,
498 |     _In_ BOOLEAN AccessGranted,
499 |     _Out_ PBOOLEAN GenerateOnClose
500 | ))
501 | 
502 | NATIVE_API(NTSTATUS, /*Nt*/PrivilegeObjectAuditAlarm, (
503 |     _In_ PUNICODE_STRING SubsystemName,
504 |     _In_opt_ PVOID HandleId,
505 |     _In_ HANDLE ClientToken,
506 |     _In_ ACCESS_MASK DesiredAccess,
507 |     _In_ PPRIVILEGE_SET Privileges,
508 |     _In_ BOOLEAN AccessGranted
509 | ))
510 | 
511 | NATIVE_API(NTSTATUS, /*Nt*/CloseObjectAuditAlarm, (
512 |     _In_ PUNICODE_STRING SubsystemName,
513 |     _In_opt_ PVOID HandleId,
514 |     _In_ BOOLEAN GenerateOnClose
515 | ))
516 | 
517 | NATIVE_API(NTSTATUS, /*Nt*/DeleteObjectAuditAlarm, (
518 |     _In_ PUNICODE_STRING SubsystemName,
519 |     _In_opt_ PVOID HandleId,
520 |     _In_ BOOLEAN GenerateOnClose
521 | ))
522 | 
523 | NATIVE_API(NTSTATUS, /*Nt*/PrivilegedServiceAuditAlarm, (
524 |     _In_ PUNICODE_STRING SubsystemName,
525 |     _In_ PUNICODE_STRING ServiceName,
526 |     _In_ HANDLE ClientToken,
527 |     _In_ PPRIVILEGE_SET Privileges,
528 |     _In_ BOOLEAN AccessGranted
529 | ))
530 | 
531 | #endif
532 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntwow64.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * This file is part of the Process Hacker project - https://processhacker.sf.io/ 
  3 |  *
  4 |  * You can redistribute this file and/or modify it under the terms of the 
  5 |  * Attribution 4.0 International (CC BY 4.0) license. 
  6 |  * 
  7 |  * You must give appropriate credit, provide a link to the license, and 
  8 |  * indicate if changes were made. You may do so in any reasonable manner, but 
  9 |  * not in any way that suggests the licensor endorses you or your use.
 10 |  */
 11 | 
 12 | #ifndef _NTWOW64_H
 13 | #define _NTWOW64_H
 14 | 
 15 | #define WOW64_SYSTEM_DIRECTORY "SysWOW64"
 16 | #define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64"
 17 | #define WOW64_X86_TAG " (x86)"
 18 | #define WOW64_X86_TAG_U L" (x86)"
 19 | 
 20 | // In USER_SHARED_DATA
 21 | typedef enum _WOW64_SHARED_INFORMATION
 22 | {
 23 |     SharedNtdll32LdrInitializeThunk,
 24 |     SharedNtdll32KiUserExceptionDispatcher,
 25 |     SharedNtdll32KiUserApcDispatcher,
 26 |     SharedNtdll32KiUserCallbackDispatcher,
 27 |     SharedNtdll32ExpInterlockedPopEntrySListFault,
 28 |     SharedNtdll32ExpInterlockedPopEntrySListResume,
 29 |     SharedNtdll32ExpInterlockedPopEntrySListEnd,
 30 |     SharedNtdll32RtlUserThreadStart,
 31 |     SharedNtdll32pQueryProcessDebugInformationRemote,
 32 |     SharedNtdll32BaseAddress,
 33 |     SharedNtdll32LdrSystemDllInitBlock,
 34 |     Wow64SharedPageEntriesCount
 35 | } WOW64_SHARED_INFORMATION;
 36 | 
 37 | // 32-bit definitions
 38 | 
 39 | #define WOW64_POINTER(Type) ULONG
 40 | 
 41 | typedef struct _RTL_BALANCED_NODE32
 42 | {
 43 |     union
 44 |     {
 45 |         WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2];
 46 |         struct
 47 |         {
 48 |             WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left;
 49 |             WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right;
 50 |         };
 51 |     };
 52 |     union
 53 |     {
 54 |         WOW64_POINTER(UCHAR) Red : 1;
 55 |         WOW64_POINTER(UCHAR) Balance : 2;
 56 |         WOW64_POINTER(ULONG_PTR) ParentValue;
 57 |     };
 58 | } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32;
 59 | 
 60 | typedef struct _RTL_RB_TREE32
 61 | {
 62 |     WOW64_POINTER(PRTL_BALANCED_NODE) Root;
 63 |     WOW64_POINTER(PRTL_BALANCED_NODE) Min;
 64 | } RTL_RB_TREE32, *PRTL_RB_TREE32;
 65 | 
 66 | typedef struct _PEB_LDR_DATA32
 67 | {
 68 |     ULONG Length;
 69 |     BOOLEAN Initialized;
 70 |     WOW64_POINTER(HANDLE) SsHandle;
 71 |     LIST_ENTRY32 InLoadOrderModuleList;
 72 |     LIST_ENTRY32 InMemoryOrderModuleList;
 73 |     LIST_ENTRY32 InInitializationOrderModuleList;
 74 |     WOW64_POINTER(PVOID) EntryInProgress;
 75 |     BOOLEAN ShutdownInProgress;
 76 |     WOW64_POINTER(HANDLE) ShutdownThreadId;
 77 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32;
 78 | 
 79 | typedef struct _LDR_SERVICE_TAG_RECORD32
 80 | {
 81 |     WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next;
 82 |     ULONG ServiceTag;
 83 | } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32;
 84 | 
 85 | typedef struct _LDRP_CSLIST32
 86 | {
 87 |     WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail;
 88 | } LDRP_CSLIST32, *PLDRP_CSLIST32;
 89 | 
 90 | typedef struct _LDR_DDAG_NODE32
 91 | {
 92 |     LIST_ENTRY32 Modules;
 93 |     WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList;
 94 |     ULONG LoadCount;
 95 |     ULONG LoadWhileUnloadingCount;
 96 |     ULONG LowestLink;
 97 |     union
 98 |     {
 99 |         LDRP_CSLIST32 Dependencies;
100 |         SINGLE_LIST_ENTRY32 RemovalLink;
101 |     };
102 |     LDRP_CSLIST32 IncomingDependencies;
103 |     LDR_DDAG_STATE State;
104 |     SINGLE_LIST_ENTRY32 CondenseLink;
105 |     ULONG PreorderNumber;
106 | } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32;
107 | 
108 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode)
109 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue)
110 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions)
111 | 
112 | typedef struct _LDR_DATA_TABLE_ENTRY32
113 | {
114 |     LIST_ENTRY32 InLoadOrderLinks;
115 |     LIST_ENTRY32 InMemoryOrderLinks;
116 |     union
117 |     {
118 |         LIST_ENTRY32 InInitializationOrderLinks;
119 |         LIST_ENTRY32 InProgressLinks;
120 |     };
121 |     WOW64_POINTER(PVOID) DllBase;
122 |     WOW64_POINTER(PVOID) EntryPoint;
123 |     ULONG SizeOfImage;
124 |     UNICODE_STRING32 FullDllName;
125 |     UNICODE_STRING32 BaseDllName;
126 |     union
127 |     {
128 |         UCHAR FlagGroup[4];
129 |         ULONG Flags;
130 |         struct
131 |         {
132 |             ULONG PackagedBinary : 1;
133 |             ULONG MarkedForRemoval : 1;
134 |             ULONG ImageDll : 1;
135 |             ULONG LoadNotificationsSent : 1;
136 |             ULONG TelemetryEntryProcessed : 1;
137 |             ULONG ProcessStaticImport : 1;
138 |             ULONG InLegacyLists : 1;
139 |             ULONG InIndexes : 1;
140 |             ULONG ShimDll : 1;
141 |             ULONG InExceptionTable : 1;
142 |             ULONG ReservedFlags1 : 2;
143 |             ULONG LoadInProgress : 1;
144 |             ULONG LoadConfigProcessed : 1;
145 |             ULONG EntryProcessed : 1;
146 |             ULONG ProtectDelayLoad : 1;
147 |             ULONG ReservedFlags3 : 2;
148 |             ULONG DontCallForThreads : 1;
149 |             ULONG ProcessAttachCalled : 1;
150 |             ULONG ProcessAttachFailed : 1;
151 |             ULONG CorDeferredValidate : 1;
152 |             ULONG CorImage : 1;
153 |             ULONG DontRelocate : 1;
154 |             ULONG CorILOnly : 1;
155 |             ULONG ChpeImage : 1;
156 |             ULONG ReservedFlags5 : 2;
157 |             ULONG Redirected : 1;
158 |             ULONG ReservedFlags6 : 2;
159 |             ULONG CompatDatabaseProcessed : 1;
160 |         };
161 |     };
162 |     USHORT ObsoleteLoadCount;
163 |     USHORT TlsIndex;
164 |     LIST_ENTRY32 HashLinks;
165 |     ULONG TimeDateStamp;
166 |     WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext;
167 |     WOW64_POINTER(PVOID) Lock;
168 |     WOW64_POINTER(PLDR_DDAG_NODE) DdagNode;
169 |     LIST_ENTRY32 NodeModuleLink;
170 |     WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext;
171 |     WOW64_POINTER(PVOID) ParentDllBase;
172 |     WOW64_POINTER(PVOID) SwitchBackContext;
173 |     RTL_BALANCED_NODE32 BaseAddressIndexNode;
174 |     RTL_BALANCED_NODE32 MappingInfoIndexNode;
175 |     WOW64_POINTER(ULONG_PTR) OriginalBase;
176 |     LARGE_INTEGER LoadTime;
177 |     ULONG BaseNameHashValue;
178 |     LDR_DLL_LOAD_REASON LoadReason;
179 |     ULONG ImplicitPathOptions;
180 |     ULONG ReferenceCount;
181 |     ULONG DependentLoadFlags;
182 |     UCHAR SigningLevel; // since REDSTONE2
183 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
184 | 
185 | typedef struct _CURDIR32
186 | {
187 |     UNICODE_STRING32 DosPath;
188 |     WOW64_POINTER(HANDLE) Handle;
189 | } CURDIR32, *PCURDIR32;
190 | 
191 | typedef struct _RTL_DRIVE_LETTER_CURDIR32
192 | {
193 |     USHORT Flags;
194 |     USHORT Length;
195 |     ULONG TimeStamp;
196 |     STRING32 DosPath;
197 | } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;
198 | 
199 | typedef struct _RTL_USER_PROCESS_PARAMETERS32
200 | {
201 |     ULONG MaximumLength;
202 |     ULONG Length;
203 | 
204 |     ULONG Flags;
205 |     ULONG DebugFlags;
206 | 
207 |     WOW64_POINTER(HANDLE) ConsoleHandle;
208 |     ULONG ConsoleFlags;
209 |     WOW64_POINTER(HANDLE) StandardInput;
210 |     WOW64_POINTER(HANDLE) StandardOutput;
211 |     WOW64_POINTER(HANDLE) StandardError;
212 | 
213 |     CURDIR32 CurrentDirectory;
214 |     UNICODE_STRING32 DllPath;
215 |     UNICODE_STRING32 ImagePathName;
216 |     UNICODE_STRING32 CommandLine;
217 |     WOW64_POINTER(PVOID) Environment;
218 | 
219 |     ULONG StartingX;
220 |     ULONG StartingY;
221 |     ULONG CountX;
222 |     ULONG CountY;
223 |     ULONG CountCharsX;
224 |     ULONG CountCharsY;
225 |     ULONG FillAttribute;
226 | 
227 |     ULONG WindowFlags;
228 |     ULONG ShowWindowFlags;
229 |     UNICODE_STRING32 WindowTitle;
230 |     UNICODE_STRING32 DesktopInfo;
231 |     UNICODE_STRING32 ShellInfo;
232 |     UNICODE_STRING32 RuntimeData;
233 |     RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
234 | 
235 |     WOW64_POINTER(ULONG_PTR) EnvironmentSize;
236 |     WOW64_POINTER(ULONG_PTR) EnvironmentVersion;
237 |     WOW64_POINTER(PVOID) PackageDependencyData;
238 |     ULONG ProcessGroupId;
239 |     ULONG LoaderThreads;
240 | 
241 |     UNICODE_STRING32 RedirectionDllName; // REDSTONE4
242 |     UNICODE_STRING32 HeapPartitionName; // 19H1
243 |     WOW64_POINTER(ULONG_PTR) DefaultThreadpoolCpuSetMasks;
244 |     ULONG DefaultThreadpoolCpuSetMaskCount;
245 | } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;
246 | 
247 | typedef struct _PEB32
248 | {
249 |     BOOLEAN InheritedAddressSpace;
250 |     BOOLEAN ReadImageFileExecOptions;
251 |     BOOLEAN BeingDebugged;
252 |     union
253 |     {
254 |         BOOLEAN BitField;
255 |         struct
256 |         {
257 |             BOOLEAN ImageUsesLargePages : 1;
258 |             BOOLEAN IsProtectedProcess : 1;
259 |             BOOLEAN IsImageDynamicallyRelocated : 1;
260 |             BOOLEAN SkipPatchingUser32Forwarders : 1;
261 |             BOOLEAN IsPackagedProcess : 1;
262 |             BOOLEAN IsAppContainer : 1;
263 |             BOOLEAN IsProtectedProcessLight : 1;
264 |             BOOLEAN IsLongPathAwareProcess : 1;
265 |         };
266 |     };
267 |     WOW64_POINTER(HANDLE) Mutant;
268 | 
269 |     WOW64_POINTER(PVOID) ImageBaseAddress;
270 |     WOW64_POINTER(PPEB_LDR_DATA) Ldr;
271 |     WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
272 |     WOW64_POINTER(PVOID) SubSystemData;
273 |     WOW64_POINTER(PVOID) ProcessHeap;
274 |     WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
275 |     WOW64_POINTER(PVOID) AtlThunkSListPtr;
276 |     WOW64_POINTER(PVOID) IFEOKey;
277 |     union
278 |     {
279 |         ULONG CrossProcessFlags;
280 |         struct
281 |         {
282 |             ULONG ProcessInJob : 1;
283 |             ULONG ProcessInitializing : 1;
284 |             ULONG ProcessUsingVEH : 1;
285 |             ULONG ProcessUsingVCH : 1;
286 |             ULONG ProcessUsingFTH : 1;
287 |             ULONG ReservedBits0 : 27;
288 |         };
289 |     };
290 |     union
291 |     {
292 |         WOW64_POINTER(PVOID) KernelCallbackTable;
293 |         WOW64_POINTER(PVOID) UserSharedInfoPtr;
294 |     };
295 |     ULONG SystemReserved;
296 |     ULONG AtlThunkSListPtr32;
297 |     WOW64_POINTER(PVOID) ApiSetMap;
298 |     ULONG TlsExpansionCounter;
299 |     WOW64_POINTER(PVOID) TlsBitmap;
300 |     ULONG TlsBitmapBits[2];
301 |     WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
302 |     WOW64_POINTER(PVOID) HotpatchInformation;
303 |     WOW64_POINTER(PVOID *) ReadOnlyStaticServerData;
304 |     WOW64_POINTER(PVOID) AnsiCodePageData;
305 |     WOW64_POINTER(PVOID) OemCodePageData;
306 |     WOW64_POINTER(PVOID) UnicodeCaseTableData;
307 | 
308 |     ULONG NumberOfProcessors;
309 |     ULONG NtGlobalFlag;
310 | 
311 |     LARGE_INTEGER CriticalSectionTimeout;
312 |     WOW64_POINTER(SIZE_T) HeapSegmentReserve;
313 |     WOW64_POINTER(SIZE_T) HeapSegmentCommit;
314 |     WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
315 |     WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;
316 | 
317 |     ULONG NumberOfHeaps;
318 |     ULONG MaximumNumberOfHeaps;
319 |     WOW64_POINTER(PVOID *) ProcessHeaps;
320 | 
321 |     WOW64_POINTER(PVOID) GdiSharedHandleTable;
322 |     WOW64_POINTER(PVOID) ProcessStarterHelper;
323 |     ULONG GdiDCAttributeList;
324 | 
325 |     WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;
326 | 
327 |     ULONG OSMajorVersion;
328 |     ULONG OSMinorVersion;
329 |     USHORT OSBuildNumber;
330 |     USHORT OSCSDVersion;
331 |     ULONG OSPlatformId;
332 |     ULONG ImageSubsystem;
333 |     ULONG ImageSubsystemMajorVersion;
334 |     ULONG ImageSubsystemMinorVersion;
335 |     WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask;
336 |     GDI_HANDLE_BUFFER32 GdiHandleBuffer;
337 |     WOW64_POINTER(PVOID) PostProcessInitRoutine;
338 | 
339 |     WOW64_POINTER(PVOID) TlsExpansionBitmap;
340 |     ULONG TlsExpansionBitmapBits[32];
341 | 
342 |     ULONG SessionId;
343 | 
344 |     ULARGE_INTEGER AppCompatFlags;
345 |     ULARGE_INTEGER AppCompatFlagsUser;
346 |     WOW64_POINTER(PVOID) pShimData;
347 |     WOW64_POINTER(PVOID) AppCompatInfo;
348 | 
349 |     UNICODE_STRING32 CSDVersion;
350 | 
351 |     WOW64_POINTER(PVOID) ActivationContextData;
352 |     WOW64_POINTER(PVOID) ProcessAssemblyStorageMap;
353 |     WOW64_POINTER(PVOID) SystemDefaultActivationContextData;
354 |     WOW64_POINTER(PVOID) SystemAssemblyStorageMap;
355 | 
356 |     WOW64_POINTER(SIZE_T) MinimumStackCommit;
357 | 
358 |     WOW64_POINTER(PVOID) SparePointers[4];
359 |     ULONG SpareUlongs[5];
360 |     //WOW64_POINTER(PVOID *) FlsCallback;
361 |     //LIST_ENTRY32 FlsListHead;
362 |     //WOW64_POINTER(PVOID) FlsBitmap;
363 |     //ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
364 |     //ULONG FlsHighIndex;
365 | 
366 |     WOW64_POINTER(PVOID) WerRegistrationData;
367 |     WOW64_POINTER(PVOID) WerShipAssertPtr;
368 |     WOW64_POINTER(PVOID) pContextData;
369 |     WOW64_POINTER(PVOID) pImageHeaderHash;
370 |     union
371 |     {
372 |         ULONG TracingFlags;
373 |         struct
374 |         {
375 |             ULONG HeapTracingEnabled : 1;
376 |             ULONG CritSecTracingEnabled : 1;
377 |             ULONG LibLoaderTracingEnabled : 1;
378 |             ULONG SpareTracingBits : 29;
379 |         };
380 |     };
381 |     ULONGLONG CsrServerReadOnlySharedMemoryBase;
382 |     WOW64_POINTER(PVOID) TppWorkerpListLock;
383 |     LIST_ENTRY32 TppWorkerpList;
384 |     WOW64_POINTER(PVOID) WaitOnAddressHashTable[128];
385 |     WOW64_POINTER(PVOID) TelemetryCoverageHeader; // REDSTONE3
386 |     ULONG CloudFileFlags;
387 |     ULONG CloudFileDiagFlags; // REDSTONE4
388 |     CHAR PlaceholderCompatibilityMode;
389 |     CHAR PlaceholderCompatibilityModeReserved[7];
390 | } PEB32, *PPEB32;
391 | 
392 | C_ASSERT(FIELD_OFFSET(PEB32, IFEOKey) == 0x024);
393 | C_ASSERT(FIELD_OFFSET(PEB32, UnicodeCaseTableData) == 0x060);
394 | /*C_ASSERT(FIELD_OFFSET(PEB32, SystemAssemblyStorageMap) == 0x204);
395 | C_ASSERT(FIELD_OFFSET(PEB32, pImageHeaderHash) == 0x23c);
396 | C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c);
397 | //C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3
398 | C_ASSERT(sizeof(PEB32) == 0x470);*/
399 | 
400 | #define GDI_BATCH_BUFFER_SIZE 310
401 | 
402 | typedef struct _GDI_TEB_BATCH32
403 | {
404 |     ULONG Offset;
405 |     WOW64_POINTER(ULONG_PTR) HDC;
406 |     ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
407 | } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;
408 | 
409 | typedef struct _TEB32
410 | {
411 |     NT_TIB32 NtTib;
412 | 
413 |     WOW64_POINTER(PVOID) EnvironmentPointer;
414 |     CLIENT_ID32 ClientId;
415 |     WOW64_POINTER(PVOID) ActiveRpcHandle;
416 |     WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
417 |     WOW64_POINTER(PPEB) ProcessEnvironmentBlock;
418 | 
419 |     ULONG LastErrorValue;
420 |     ULONG CountOfOwnedCriticalSections;
421 |     WOW64_POINTER(PVOID) CsrClientThread;
422 |     WOW64_POINTER(PVOID) Win32ThreadInfo;
423 |     ULONG User32Reserved[26];
424 |     ULONG UserReserved[5];
425 |     WOW64_POINTER(PVOID) WOW32Reserved;
426 |     LCID CurrentLocale;
427 |     ULONG FpSoftwareStatusRegister;
428 |     WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16];
429 |     WOW64_POINTER(PVOID) SystemReserved1[36];
430 |     UCHAR WorkingOnBehalfTicket[8];
431 |     NTSTATUS ExceptionCode;
432 | 
433 |     WOW64_POINTER(PVOID) ActivationContextStackPointer;
434 |     WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp;
435 |     WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc;
436 |     WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp;
437 |     BOOLEAN InstrumentationCallbackDisabled;
438 |     UCHAR SpareBytes[23];
439 |     ULONG TxFsContext;
440 | 
441 |     GDI_TEB_BATCH32 GdiTebBatch;
442 |     CLIENT_ID32 RealClientId;
443 |     WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
444 |     ULONG GdiClientPID;
445 |     ULONG GdiClientTID;
446 |     WOW64_POINTER(PVOID) GdiThreadLocalInfo;
447 |     WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
448 |     WOW64_POINTER(PVOID) glDispatchTable[233];
449 |     WOW64_POINTER(ULONG_PTR) glReserved1[29];
450 |     WOW64_POINTER(PVOID) glReserved2;
451 |     WOW64_POINTER(PVOID) glSectionInfo;
452 |     WOW64_POINTER(PVOID) glSection;
453 |     WOW64_POINTER(PVOID) glTable;
454 |     WOW64_POINTER(PVOID) glCurrentRC;
455 |     WOW64_POINTER(PVOID) glContext;
456 | 
457 |     NTSTATUS LastStatusValue;
458 |     UNICODE_STRING32 StaticUnicodeString;
459 |     WCHAR StaticUnicodeBuffer[261];
460 | 
461 |     WOW64_POINTER(PVOID) DeallocationStack;
462 |     WOW64_POINTER(PVOID) TlsSlots[64];
463 |     LIST_ENTRY32 TlsLinks;
464 | 
465 |     WOW64_POINTER(PVOID) Vdm;
466 |     WOW64_POINTER(PVOID) ReservedForNtRpc;
467 |     WOW64_POINTER(PVOID) DbgSsReserved[2];
468 | 
469 |     ULONG HardErrorMode;
470 |     WOW64_POINTER(PVOID) Instrumentation[9];
471 |     GUID ActivityId;
472 | 
473 |     WOW64_POINTER(PVOID) SubProcessTag;
474 |     WOW64_POINTER(PVOID) PerflibData;
475 |     WOW64_POINTER(PVOID) EtwTraceData;
476 |     WOW64_POINTER(PVOID) WinSockData;
477 |     ULONG GdiBatchCount;
478 | 
479 |     union
480 |     {
481 |         PROCESSOR_NUMBER CurrentIdealProcessor;
482 |         ULONG IdealProcessorValue;
483 |         struct
484 |         {
485 |             UCHAR ReservedPad0;
486 |             UCHAR ReservedPad1;
487 |             UCHAR ReservedPad2;
488 |             UCHAR IdealProcessor;
489 |         };
490 |     };
491 | 
492 |     ULONG GuaranteedStackBytes;
493 |     WOW64_POINTER(PVOID) ReservedForPerf;
494 |     WOW64_POINTER(PVOID) ReservedForOle;
495 |     ULONG WaitingOnLoaderLock;
496 |     WOW64_POINTER(PVOID) SavedPriorityState;
497 |     WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage;
498 |     WOW64_POINTER(PVOID) ThreadPoolData;
499 |     WOW64_POINTER(PVOID *) TlsExpansionSlots;
500 | 
501 |     ULONG MuiGeneration;
502 |     ULONG IsImpersonating;
503 |     WOW64_POINTER(PVOID) NlsCache;
504 |     WOW64_POINTER(PVOID) pShimData;
505 |     USHORT HeapVirtualAffinity;
506 |     USHORT LowFragHeapDataSlot;
507 |     WOW64_POINTER(HANDLE) CurrentTransactionHandle;
508 |     WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame;
509 |     WOW64_POINTER(PVOID) FlsData;
510 | 
511 |     WOW64_POINTER(PVOID) PreferredLanguages;
512 |     WOW64_POINTER(PVOID) UserPrefLanguages;
513 |     WOW64_POINTER(PVOID) MergedPrefLanguages;
514 |     ULONG MuiImpersonation;
515 | 
516 |     union
517 |     {
518 |         USHORT CrossTebFlags;
519 |         USHORT SpareCrossTebBits : 16;
520 |     };
521 |     union
522 |     {
523 |         USHORT SameTebFlags;
524 |         struct
525 |         {
526 |             USHORT SafeThunkCall : 1;
527 |             USHORT InDebugPrint : 1;
528 |             USHORT HasFiberData : 1;
529 |             USHORT SkipThreadAttach : 1;
530 |             USHORT WerInShipAssertCode : 1;
531 |             USHORT RanProcessInit : 1;
532 |             USHORT ClonedThread : 1;
533 |             USHORT SuppressDebugMsg : 1;
534 |             USHORT DisableUserStackWalk : 1;
535 |             USHORT RtlExceptionAttached : 1;
536 |             USHORT InitialThread : 1;
537 |             USHORT SessionAware : 1;
538 |             USHORT LoadOwner : 1;
539 |             USHORT LoaderWorker : 1;
540 |             USHORT SpareSameTebBits : 2;
541 |         };
542 |     };
543 | 
544 |     WOW64_POINTER(PVOID) TxnScopeEnterCallback;
545 |     WOW64_POINTER(PVOID) TxnScopeExitCallback;
546 |     WOW64_POINTER(PVOID) TxnScopeContext;
547 |     ULONG LockCount;
548 |     LONG WowTebOffset;
549 |     WOW64_POINTER(PVOID) ResourceRetValue;
550 |     WOW64_POINTER(PVOID) ReservedForWdf;
551 |     ULONGLONG ReservedForCrt;
552 |     GUID EffectiveContainerId;
553 | } TEB32, *PTEB32;
554 | 
555 | C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030);
556 | C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4);
557 | C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0);
558 | C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0);
559 | C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00);
560 | C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10);
561 | C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20);
562 | C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50);
563 | C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70);
564 | C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94);
565 | C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4);
566 | C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4);
567 | C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8);
568 | C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0);
569 | C_ASSERT(sizeof(TEB32) == 0x1000);
570 | 
571 | // Conversion
572 | 
573 | FORCEINLINE VOID UStr32ToUStr(
574 |     _Out_ PUNICODE_STRING Destination,
575 |     _In_ PUNICODE_STRING32 Source
576 |     )
577 | {
578 |     Destination->Length = Source->Length;
579 |     Destination->MaximumLength = Source->MaximumLength;
580 |     Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer);
581 | }
582 | 
583 | FORCEINLINE VOID UStrToUStr32(
584 |     _Out_ PUNICODE_STRING32 Destination,
585 |     _In_ PUNICODE_STRING Source
586 |     )
587 | {
588 |     Destination->Length = Source->Length;
589 |     Destination->MaximumLength = Source->MaximumLength;
590 |     Destination->Buffer = PtrToUlong(Source->Buffer);
591 | }
592 | 
593 | #endif
594 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntldr.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTLDR_H
  2 | #define _NTLDR_H
  3 | 
  4 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
  5 | 
  6 | typedef BOOLEAN (NTAPI *PLDR_INIT_ROUTINE)(
  7 |     _In_ PVOID DllHandle,
  8 |     _In_ ULONG Reason,
  9 |     _In_opt_ PVOID Context
 10 |     );
 11 | 
 12 | typedef struct _LDR_SERVICE_TAG_RECORD
 13 | {
 14 |     struct _LDR_SERVICE_TAG_RECORD *Next;
 15 |     ULONG ServiceTag;
 16 | } LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD;
 17 | 
 18 | typedef struct _LDRP_CSLIST
 19 | {
 20 |     PSINGLE_LIST_ENTRY Tail;
 21 | } LDRP_CSLIST, *PLDRP_CSLIST;
 22 | 
 23 | typedef enum _LDR_DDAG_STATE
 24 | {
 25 |     LdrModulesMerged = -5,
 26 |     LdrModulesInitError = -4,
 27 |     LdrModulesSnapError = -3,
 28 |     LdrModulesUnloaded = -2,
 29 |     LdrModulesUnloading = -1,
 30 |     LdrModulesPlaceHolder = 0,
 31 |     LdrModulesMapping = 1,
 32 |     LdrModulesMapped = 2,
 33 |     LdrModulesWaitingForDependencies = 3,
 34 |     LdrModulesSnapping = 4,
 35 |     LdrModulesSnapped = 5,
 36 |     LdrModulesCondensed = 6,
 37 |     LdrModulesReadyToInit = 7,
 38 |     LdrModulesInitializing = 8,
 39 |     LdrModulesReadyToRun = 9
 40 | } LDR_DDAG_STATE;
 41 | 
 42 | typedef struct _LDR_DDAG_NODE
 43 | {
 44 |     LIST_ENTRY Modules;
 45 |     PLDR_SERVICE_TAG_RECORD ServiceTagList;
 46 |     ULONG LoadCount;
 47 |     ULONG LoadWhileUnloadingCount;
 48 |     ULONG LowestLink;
 49 |     union
 50 |     {
 51 |         LDRP_CSLIST Dependencies;
 52 |         SINGLE_LIST_ENTRY RemovalLink;
 53 |     };
 54 |     LDRP_CSLIST IncomingDependencies;
 55 |     LDR_DDAG_STATE State;
 56 |     SINGLE_LIST_ENTRY CondenseLink;
 57 |     ULONG PreorderNumber;
 58 | } LDR_DDAG_NODE, *PLDR_DDAG_NODE;
 59 | 
 60 | typedef struct _LDR_DEPENDENCY_RECORD
 61 | {
 62 |     SINGLE_LIST_ENTRY DependencyLink;
 63 |     PLDR_DDAG_NODE DependencyNode;
 64 |     SINGLE_LIST_ENTRY IncomingDependencyLink;
 65 |     PLDR_DDAG_NODE IncomingDependencyNode;
 66 | } LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD;
 67 | 
 68 | typedef enum _LDR_DLL_LOAD_REASON
 69 | {
 70 |     LoadReasonStaticDependency,
 71 |     LoadReasonStaticForwarderDependency,
 72 |     LoadReasonDynamicForwarderDependency,
 73 |     LoadReasonDelayloadDependency,
 74 |     LoadReasonDynamicLoad,
 75 |     LoadReasonAsImageLoad,
 76 |     LoadReasonAsDataLoad,
 77 |     LoadReasonEnclavePrimary,
 78 |     LoadReasonEnclaveDependency,
 79 |     LoadReasonUnknown = -1
 80 | } LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
 81 | 
 82 | #define LDRP_PACKAGED_BINARY 0x00000001
 83 | #define LDRP_STATIC_LINK 0x00000002
 84 | #define LDRP_IMAGE_DLL 0x00000004
 85 | #define LDRP_LOAD_IN_PROGRESS 0x00001000
 86 | #define LDRP_UNLOAD_IN_PROGRESS 0x00002000
 87 | #define LDRP_ENTRY_PROCESSED 0x00004000
 88 | #define LDRP_ENTRY_INSERTED 0x00008000
 89 | #define LDRP_CURRENT_LOAD 0x00010000
 90 | #define LDRP_FAILED_BUILTIN_LOAD 0x00020000
 91 | #define LDRP_DONT_CALL_FOR_THREADS 0x00040000
 92 | #define LDRP_PROCESS_ATTACH_CALLED 0x00080000
 93 | #define LDRP_DEBUG_SYMBOLS_LOADED 0x00100000
 94 | #define LDRP_IMAGE_NOT_AT_BASE 0x00200000
 95 | #define LDRP_COR_IMAGE 0x00400000
 96 | #define LDRP_DONT_RELOCATE 0x00800000
 97 | #define LDRP_SYSTEM_MAPPED 0x01000000
 98 | #define LDRP_IMAGE_VERIFYING 0x02000000
 99 | #define LDRP_DRIVER_DEPENDENT_DLL 0x04000000
100 | #define LDRP_ENTRY_NATIVE 0x08000000
101 | #define LDRP_REDIRECTED 0x10000000
102 | #define LDRP_NON_PAGED_DEBUG_INFO 0x20000000
103 | #define LDRP_MM_LOADED 0x40000000
104 | #define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000
105 | 
106 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode)
107 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue)
108 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions)
109 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN10 sizeof(LDR_DATA_TABLE_ENTRY)
110 | 
111 | typedef struct _LDR_DATA_TABLE_ENTRY
112 | {
113 |     LIST_ENTRY InLoadOrderLinks;
114 |     LIST_ENTRY InMemoryOrderLinks;
115 |     union
116 |     {
117 |         LIST_ENTRY InInitializationOrderLinks;
118 |         LIST_ENTRY InProgressLinks;
119 |     };
120 |     PVOID DllBase;
121 |     PLDR_INIT_ROUTINE EntryPoint;
122 |     ULONG SizeOfImage;
123 |     UNICODE_STRING FullDllName;
124 |     UNICODE_STRING BaseDllName;
125 |     union
126 |     {
127 |         UCHAR FlagGroup[4];
128 |         ULONG Flags;
129 |         struct
130 |         {
131 |             ULONG PackagedBinary : 1;
132 |             ULONG MarkedForRemoval : 1;
133 |             ULONG ImageDll : 1;
134 |             ULONG LoadNotificationsSent : 1;
135 |             ULONG TelemetryEntryProcessed : 1;
136 |             ULONG ProcessStaticImport : 1;
137 |             ULONG InLegacyLists : 1;
138 |             ULONG InIndexes : 1;
139 |             ULONG ShimDll : 1;
140 |             ULONG InExceptionTable : 1;
141 |             ULONG ReservedFlags1 : 2;
142 |             ULONG LoadInProgress : 1;
143 |             ULONG LoadConfigProcessed : 1;
144 |             ULONG EntryProcessed : 1;
145 |             ULONG ProtectDelayLoad : 1;
146 |             ULONG ReservedFlags3 : 2;
147 |             ULONG DontCallForThreads : 1;
148 |             ULONG ProcessAttachCalled : 1;
149 |             ULONG ProcessAttachFailed : 1;
150 |             ULONG CorDeferredValidate : 1;
151 |             ULONG CorImage : 1;
152 |             ULONG DontRelocate : 1;
153 |             ULONG CorILOnly : 1;
154 |             ULONG ChpeImage : 1;
155 |             ULONG ReservedFlags5 : 2;
156 |             ULONG Redirected : 1;
157 |             ULONG ReservedFlags6 : 2;
158 |             ULONG CompatDatabaseProcessed : 1;
159 |         };
160 |     };
161 |     USHORT ObsoleteLoadCount;
162 |     USHORT TlsIndex;
163 |     LIST_ENTRY HashLinks;
164 |     ULONG TimeDateStamp;
165 |     struct _ACTIVATION_CONTEXT *EntryPointActivationContext;
166 |     PVOID Lock;
167 |     PLDR_DDAG_NODE DdagNode;
168 |     LIST_ENTRY NodeModuleLink;
169 |     struct _LDRP_LOAD_CONTEXT *LoadContext;
170 |     PVOID ParentDllBase;
171 |     PVOID SwitchBackContext;
172 |     RTL_BALANCED_NODE BaseAddressIndexNode;
173 |     RTL_BALANCED_NODE MappingInfoIndexNode;
174 |     ULONG_PTR OriginalBase;
175 |     LARGE_INTEGER LoadTime;
176 |     ULONG BaseNameHashValue;
177 |     LDR_DLL_LOAD_REASON LoadReason;
178 |     ULONG ImplicitPathOptions;
179 |     ULONG ReferenceCount;
180 |     ULONG DependentLoadFlags;
181 |     UCHAR SigningLevel;
182 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
183 | 
184 | #define LDR_IS_DATAFILE(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)1)
185 | #define LDR_IS_IMAGEMAPPING(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)2)
186 | #define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle))
187 | 
188 | NTDLL_API(NTSTATUS, LdrLoadDll, (
189 |     _In_opt_ PWSTR DllPath,
190 |     _In_opt_ PULONG DllCharacteristics,
191 |     _In_ PUNICODE_STRING DllName,
192 |     _Out_ PVOID *DllHandle
193 | ))
194 | 
195 | NTDLL_API(NTSTATUS, LdrUnloadDll, (
196 |     _In_ PVOID DllHandle
197 | ))
198 | 
199 | NTDLL_API(NTSTATUS, LdrGetDllHandle, (
200 |     _In_opt_ PWSTR DllPath,
201 |     _In_opt_ PULONG DllCharacteristics,
202 |     _In_ PUNICODE_STRING DllName,
203 |     _Out_ PVOID *DllHandle
204 | ))
205 | 
206 | #define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001
207 | #define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002
208 | 
209 | NTDLL_API(NTSTATUS, LdrGetDllHandleEx, (
210 |     _In_ ULONG Flags,
211 |     _In_opt_ PWSTR DllPath,
212 |     _In_opt_ PULONG DllCharacteristics,
213 |     _In_ PUNICODE_STRING DllName,
214 |     _Out_opt_ PVOID *DllHandle
215 | ))
216 | 
217 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
218 | // rev
219 | NTDLL_API(NTSTATUS, LdrGetDllHandleByMapping, (
220 |     _In_ PVOID BaseAddress,
221 |     _Out_ PVOID *DllHandle
222 | ))
223 | #endif
224 | 
225 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
226 | // rev
227 | NTDLL_API(NTSTATUS, LdrGetDllHandleByName, (
228 |     _In_opt_ PUNICODE_STRING BaseDllName,
229 |     _In_opt_ PUNICODE_STRING FullDllName,
230 |     _Out_ PVOID *DllHandle
231 | ))
232 | #endif
233 | 
234 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
235 | // rev
236 | NTDLL_API(NTSTATUS, LdrGetDllFullName, (
237 |     _In_ PVOID DllHandle,
238 |     _Out_ PUNICODE_STRING FullDllName
239 | ))
240 | 
241 | // rev
242 | NTDLL_API(NTSTATUS, LdrGetDllDirectory, (
243 |     _Out_ PUNICODE_STRING DllDirectory
244 | ))
245 | 
246 | // rev
247 | NTDLL_API(NTSTATUS, LdrSetDllDirectory, (
248 |     _In_ PUNICODE_STRING DllDirectory
249 | ))
250 | #endif
251 | 
252 | #define LDR_ADDREF_DLL_PIN 0x00000001
253 | 
254 | NTDLL_API(NTSTATUS, LdrAddRefDll, (
255 |     _In_ ULONG Flags,
256 |     _In_ PVOID DllHandle
257 | ))
258 | 
259 | NTDLL_API(NTSTATUS, LdrGetProcedureAddress, (
260 |     _In_ PVOID DllHandle,
261 |     _In_opt_ PANSI_STRING ProcedureName,
262 |     _In_opt_ ULONG ProcedureNumber,
263 |     _Out_ PVOID *ProcedureAddress
264 | ))
265 | 
266 | // rev
267 | #define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001
268 | 
269 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
270 | // private
271 | NTDLL_API(NTSTATUS, LdrGetProcedureAddressEx, (
272 |     _In_ PVOID DllHandle,
273 |     _In_opt_ PANSI_STRING ProcedureName,
274 |     _In_opt_ ULONG ProcedureNumber,
275 |     _Out_ PVOID *ProcedureAddress,
276 |     _In_ ULONG Flags
277 | ))
278 | #endif
279 | 
280 | NTDLL_API(NTSTATUS, LdrGetKnownDllSectionHandle, (
281 |     _In_ PCWSTR DllName,
282 |     _In_ BOOLEAN KnownDlls32,
283 |     _Out_ PHANDLE Section
284 | ))
285 | 
286 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_10_TH1)
287 | // rev
288 | NTDLL_API(NTSTATUS, LdrGetProcedureAddressForCaller, (
289 |     _In_ PVOID DllHandle,
290 |     _In_opt_ PANSI_STRING ProcedureName,
291 |     _In_opt_ ULONG ProcedureNumber,
292 |     _Out_ PVOID *ProcedureAddress,
293 |     _In_ ULONG Flags,
294 |     _In_ PVOID *Callback
295 | ))
296 | #endif
297 | 
298 | #define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
299 | #define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002
300 | 
301 | #define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0
302 | #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1
303 | #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2
304 | 
305 | NTDLL_API(NTSTATUS, LdrLockLoaderLock, (
306 |     _In_ ULONG Flags,
307 |     _Out_opt_ ULONG *Disposition,
308 |     _Out_ PVOID *Cookie
309 | ))
310 | 
311 | #define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
312 | 
313 | NTDLL_API(NTSTATUS, LdrUnlockLoaderLock, (
314 |     _In_ ULONG Flags,
315 |     _Inout_ PVOID Cookie
316 | ))
317 | 
318 | NTDLL_API(NTSTATUS, LdrRelocateImage, (
319 |     _In_ PVOID NewBase,
320 |     _In_ PSTR LoaderName,
321 |     _In_ NTSTATUS Success,
322 |     _In_ NTSTATUS Conflict,
323 |     _In_ NTSTATUS Invalid
324 | ))
325 | 
326 | NTDLL_API(NTSTATUS, LdrRelocateImageWithBias, (
327 |     _In_ PVOID NewBase,
328 |     _In_ LONGLONG Bias,
329 |     _In_ PSTR LoaderName,
330 |     _In_ NTSTATUS Success,
331 |     _In_ NTSTATUS Conflict,
332 |     _In_ NTSTATUS Invalid
333 | ))
334 | 
335 | NTDLL_API(PIMAGE_BASE_RELOCATION, LdrProcessRelocationBlock, (
336 |     _In_ ULONG_PTR VA,
337 |     _In_ ULONG SizeOfBlock,
338 |     _In_ PUSHORT NextOffset,
339 |     _In_ LONG_PTR Diff
340 | ))
341 | 
342 | NTDLL_API(BOOLEAN, LdrVerifyMappedImageMatchesChecksum, (
343 |     _In_ PVOID BaseAddress,
344 |     _In_ SIZE_T NumberOfBytes,
345 |     _In_ ULONG FileLength
346 | ))
347 | 
348 | typedef VOID (NTAPI *PLDR_IMPORT_MODULE_CALLBACK)(
349 |     _In_ PVOID Parameter,
350 |     _In_ PSTR ModuleName
351 |     );
352 | 
353 | NTDLL_API(NTSTATUS, LdrVerifyImageMatchesChecksum, (
354 |     _In_ HANDLE ImageFileHandle,
355 |     _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine,
356 |     _In_ PVOID ImportCallbackParameter,
357 |     _Out_opt_ PUSHORT ImageCharacteristics
358 | ))
359 | 
360 | // private
361 | typedef struct _LDR_IMPORT_CALLBACK_INFO
362 | {
363 |     PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine;
364 |     PVOID ImportCallbackParameter;
365 | } LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO;
366 | 
367 | // private
368 | typedef struct _LDR_SECTION_INFO
369 | {
370 |     HANDLE SectionHandle;
371 |     ACCESS_MASK DesiredAccess;
372 |     POBJECT_ATTRIBUTES ObjA;
373 |     ULONG SectionPageProtection;
374 |     ULONG AllocationAttributes;
375 | } LDR_SECTION_INFO, *PLDR_SECTION_INFO;
376 | 
377 | // private
378 | typedef struct _LDR_VERIFY_IMAGE_INFO
379 | {
380 |     ULONG Size;
381 |     ULONG Flags;
382 |     LDR_IMPORT_CALLBACK_INFO CallbackInfo;
383 |     LDR_SECTION_INFO SectionInfo;
384 |     USHORT ImageCharacteristics;
385 | } LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO;
386 | 
387 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
388 | // private
389 | NTDLL_API(NTSTATUS, LdrVerifyImageMatchesChecksumEx, (
390 |     _In_ HANDLE ImageFileHandle,
391 |     _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo
392 | ))
393 | #endif
394 | 
395 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
396 | // private
397 | NTDLL_API(NTSTATUS, LdrQueryModuleServiceTags, (
398 |     _In_ PVOID DllHandle,
399 |     _Out_writes_(*BufferSize) PULONG ServiceTagBuffer,
400 |     _Inout_ PULONG BufferSize
401 | ))
402 | #endif
403 | 
404 | // begin_msdn:"DLL Load Notification"
405 | 
406 | #define LDR_DLL_NOTIFICATION_REASON_LOADED 1
407 | #define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
408 | 
409 | typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA
410 | {
411 |     ULONG Flags;
412 |     PUNICODE_STRING FullDllName;
413 |     PUNICODE_STRING BaseDllName;
414 |     PVOID DllBase;
415 |     ULONG SizeOfImage;
416 | } LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;
417 | 
418 | typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA
419 | {
420 |     ULONG Flags;
421 |     PCUNICODE_STRING FullDllName;
422 |     PCUNICODE_STRING BaseDllName;
423 |     PVOID DllBase;
424 |     ULONG SizeOfImage;
425 | } LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
426 | 
427 | typedef union _LDR_DLL_NOTIFICATION_DATA
428 | {
429 |     LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
430 |     LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
431 | } LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
432 | 
433 | typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(
434 |     _In_ ULONG NotificationReason,
435 |     _In_ PLDR_DLL_NOTIFICATION_DATA NotificationData,
436 |     _In_opt_ PVOID Context
437 |     );
438 | 
439 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
440 | 
441 | NTDLL_API(NTSTATUS, LdrRegisterDllNotification, (
442 |     _In_ ULONG Flags,
443 |     _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
444 |     _In_ PVOID Context,
445 |     _Out_ PVOID *Cookie
446 | ))
447 | 
448 | NTDLL_API(NTSTATUS, LdrUnregisterDllNotification, (
449 |     _In_ PVOID Cookie
450 | ))
451 | 
452 | #endif
453 | 
454 | // end_msdn
455 | 
456 | // rev
457 | NTDLL_API(PUNICODE_STRING, LdrStandardizeSystemPath, (
458 |     _In_ PUNICODE_STRING SystemPath
459 | ))
460 | 
461 | // private
462 | typedef struct _PS_MITIGATION_OPTIONS_MAP
463 | {
464 |     ULONG_PTR Map[2];
465 | } PS_MITIGATION_OPTIONS_MAP, *PPS_MITIGATION_OPTIONS_MAP;
466 | 
467 | // private
468 | typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP
469 | {
470 |     ULONG_PTR Map[2];
471 | } PS_MITIGATION_AUDIT_OPTIONS_MAP, *PPS_MITIGATION_AUDIT_OPTIONS_MAP;
472 | 
473 | // private
474 | typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
475 | {
476 |     ULONG Size;
477 |     ULONG_PTR SystemDllWowRelocation;
478 |     ULONG_PTR SystemDllNativeRelocation;
479 |     ULONG_PTR Wow64SharedInformation[16];
480 |     ULONG RngData;
481 |     union
482 |     {
483 |         ULONG Flags;
484 |         struct
485 |         {
486 |             ULONG CfgOverride : 1;
487 |             ULONG Reserved : 31;
488 |         };
489 |     };
490 |     PS_MITIGATION_OPTIONS_MAP MitigationOptionsMap;
491 |     ULONG_PTR CfgBitMap;
492 |     ULONG_PTR CfgBitMapSize;
493 |     ULONG_PTR Wow64CfgBitMap;
494 |     ULONG_PTR Wow64CfgBitMapSize;
495 |     PS_MITIGATION_AUDIT_OPTIONS_MAP MitigationAuditOptionsMap; // REDSTONE3
496 | } PS_SYSTEM_DLL_INIT_BLOCK, *PPS_SYSTEM_DLL_INIT_BLOCK;
497 | 
498 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_10_TH1)
499 | // rev
500 | NTDLL_API(PPS_SYSTEM_DLL_INIT_BLOCK, LdrSystemDllInitBlock, (
501 |     VOID
502 | ))
503 | #endif
504 | 
505 | // Load as data table
506 | 
507 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
508 | 
509 | // private
510 | NTDLL_API(NTSTATUS, LdrAddLoadAsDataTable, (
511 |     _In_ PVOID Module,
512 |     _In_ PWSTR FilePath,
513 |     _In_ SIZE_T Size,
514 |     _In_ HANDLE Handle
515 | ))
516 | 
517 | // private
518 | NTDLL_API(NTSTATUS, LdrRemoveLoadAsDataTable, (
519 |     _In_ PVOID InitModule,
520 |     _Out_opt_ PVOID *BaseModule,
521 |     _Out_opt_ PSIZE_T Size,
522 |     _In_ ULONG Flags
523 | ))
524 | 
525 | // private
526 | NTDLL_API(NTSTATUS, LdrGetFileNameFromLoadAsDataTable, (
527 |     _In_ PVOID Module,
528 |     _Out_ PVOID *pFileNamePrt
529 | ))
530 | 
531 | #endif
532 | 
533 | NTDLL_API(NTSTATUS, LdrDisableThreadCalloutsForDll, (
534 |     _In_ PVOID DllImageBase
535 | ))
536 |     
537 | // Resources
538 | 
539 | NTDLL_API(NTSTATUS, LdrAccessResource, (
540 |     _In_ PVOID DllHandle,
541 |     _In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry,
542 |     _Out_opt_ PVOID *ResourceBuffer,
543 |     _Out_opt_ ULONG *ResourceLength
544 | ))
545 | 
546 | typedef struct _LDR_RESOURCE_INFO
547 | {
548 |     ULONG_PTR Type;
549 |     ULONG_PTR Name;
550 |     ULONG_PTR Language;
551 | } LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;
552 | 
553 | #define RESOURCE_TYPE_LEVEL 0
554 | #define RESOURCE_NAME_LEVEL 1
555 | #define RESOURCE_LANGUAGE_LEVEL 2
556 | #define RESOURCE_DATA_LEVEL 3
557 | 
558 | NTDLL_API(NTSTATUS, LdrFindResource_U, (
559 |     _In_ PVOID DllHandle,
560 |     _In_ PLDR_RESOURCE_INFO ResourceInfo,
561 |     _In_ ULONG Level,
562 |     _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
563 | ))
564 | 
565 | NTDLL_API(NTSTATUS, LdrFindResourceDirectory_U, (
566 |     _In_ PVOID DllHandle,
567 |     _In_ PLDR_RESOURCE_INFO ResourceInfo,
568 |     _In_ ULONG Level,
569 |     _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory
570 | ))
571 | 
572 | // private 
573 | typedef struct _LDR_ENUM_RESOURCE_ENTRY
574 | {
575 |     union
576 |     {
577 |         ULONG_PTR NameOrId;
578 |         PIMAGE_RESOURCE_DIRECTORY_STRING Name;
579 |         struct
580 |         {
581 |             USHORT Id;
582 |             USHORT NameIsPresent;
583 |         };
584 |     } Path[3];
585 |     PVOID Data;
586 |     ULONG Size;
587 |     ULONG Reserved;
588 | } LDR_ENUM_RESOURCE_ENTRY, *PLDR_ENUM_RESOURCE_ENTRY;
589 | 
590 | #define NAME_FROM_RESOURCE_ENTRY(RootDirectory, Entry) \
591 |     ((Entry)->NameIsString ? (ULONG_PTR)PTR_ADD_OFFSET((RootDirectory), (Entry)->NameOffset) : (Entry)->Id)
592 | 
593 | NTDLL_API(NTSTATUS, LdrEnumResources, (
594 |     _In_ PVOID DllHandle,
595 |     _In_ PLDR_RESOURCE_INFO ResourceInfo,
596 |     _In_ ULONG Level,
597 |     _Inout_ ULONG *ResourceCount,
598 |     _Out_writes_to_opt_(*ResourceCount, *ResourceCount) PLDR_ENUM_RESOURCE_ENTRY Resources
599 | ))
600 | 
601 | NTDLL_API(NTSTATUS, LdrFindEntryForAddress, (
602 |     _In_ PVOID DllHandle,
603 |     _Out_ PLDR_DATA_TABLE_ENTRY *Entry
604 | ))
605 | 
606 | #endif // (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
607 | 
608 | // Module information
609 | 
610 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
611 | {
612 |     HANDLE Section;
613 |     PVOID MappedBase;
614 |     PVOID ImageBase;
615 |     ULONG ImageSize;
616 |     ULONG Flags;
617 |     USHORT LoadOrderIndex;
618 |     USHORT InitOrderIndex;
619 |     USHORT LoadCount;
620 |     USHORT OffsetToFileName;
621 |     UCHAR FullPathName[256];
622 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
623 | 
624 | typedef struct _RTL_PROCESS_MODULES
625 | {
626 |     ULONG NumberOfModules;
627 |     RTL_PROCESS_MODULE_INFORMATION Modules[1];
628 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
629 | 
630 | // private
631 | typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
632 | {
633 |     USHORT NextOffset;
634 |     RTL_PROCESS_MODULE_INFORMATION BaseInfo;
635 |     ULONG ImageChecksum;
636 |     ULONG TimeDateStamp;
637 |     PVOID DefaultBase;
638 | } RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;
639 | 
640 | #if (defined(PHNT_COMPILE) || NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
641 | 
642 | NTDLL_API(NTSTATUS, LdrQueryProcessModuleInformation, (
643 |     _In_opt_ PRTL_PROCESS_MODULES ModuleInformation,
644 |     _In_opt_ ULONG Size,
645 |     _Out_ PULONG ReturnedSize
646 | ))
647 | 
648 | typedef VOID (NTAPI *PLDR_ENUM_CALLBACK)(
649 |     _In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, 
650 |     _In_ PVOID Parameter, 
651 |     _Out_ BOOLEAN *Stop
652 |     );
653 | 
654 | NTDLL_API(NTSTATUS, LdrEnumerateLoadedModules, (
655 |     _In_ BOOLEAN ReservedFlag,
656 |     _In_ PLDR_ENUM_CALLBACK EnumProc,
657 |     _In_ PVOID Context
658 | ))
659 | 
660 | NTDLL_API(NTSTATUS, LdrOpenImageFileOptionsKey, (
661 |     _In_ PUNICODE_STRING SubKey,
662 |     _In_ BOOLEAN Wow64,
663 |     _Out_ PHANDLE NewKeyHandle
664 | ))
665 | 
666 | NTDLL_API(NTSTATUS, LdrQueryImageFileKeyOption, (
667 |     _In_ HANDLE KeyHandle,
668 |     _In_ PCWSTR ValueName,
669 |     _In_ ULONG Type,
670 |     _Out_ PVOID Buffer,
671 |     _In_ ULONG BufferSize,
672 |     _Out_opt_ PULONG ReturnedLength
673 | ))
674 | 
675 | NTDLL_API(NTSTATUS, LdrQueryImageFileExecutionOptions, (
676 |     _In_ PUNICODE_STRING SubKey,
677 |     _In_ PCWSTR ValueName,
678 |     _In_ ULONG ValueSize,
679 |     _Out_ PVOID Buffer,
680 |     _In_ ULONG BufferSize,
681 |     _Out_opt_ PULONG ReturnedLength
682 | ))
683 | 
684 | NTDLL_API(NTSTATUS, LdrQueryImageFileExecutionOptionsEx, (
685 |     _In_ PUNICODE_STRING SubKey,
686 |     _In_ PCWSTR ValueName,
687 |     _In_ ULONG Type,
688 |     _Out_ PVOID Buffer,
689 |     _In_ ULONG BufferSize,
690 |     _Out_opt_ PULONG ReturnedLength,
691 |     _In_ BOOLEAN Wow64
692 | ))
693 | 
694 | // private
695 | typedef struct _DELAYLOAD_PROC_DESCRIPTOR
696 | {
697 |     ULONG ImportDescribedByName;
698 |     union
699 |     {
700 |         PCSTR Name;
701 |         ULONG Ordinal;
702 |     } Description;
703 | } DELAYLOAD_PROC_DESCRIPTOR, *PDELAYLOAD_PROC_DESCRIPTOR;
704 | 
705 | // private
706 | typedef struct _DELAYLOAD_INFO
707 | {
708 |     ULONG Size;
709 |     PCIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor;
710 |     PIMAGE_THUNK_DATA ThunkAddress;
711 |     PCSTR TargetDllName;
712 |     DELAYLOAD_PROC_DESCRIPTOR TargetApiDescriptor;
713 |     PVOID TargetModuleBase;
714 |     PVOID Unused;
715 |     ULONG LastError;
716 | } DELAYLOAD_INFO, *PDELAYLOAD_INFO;
717 | 
718 | // private
719 | typedef PVOID (NTAPI *PDELAYLOAD_FAILURE_DLL_CALLBACK)(
720 |     _In_ ULONG NotificationReason,
721 |     _In_ PDELAYLOAD_INFO DelayloadInfo
722 |     );
723 | 
724 | // rev
725 | typedef PVOID (NTAPI *PDELAYLOAD_FAILURE_SYSTEM_ROUTINE)(
726 |     _In_ PCSTR DllName,
727 |     _In_ PCSTR ProcName
728 |     );
729 | 
730 | // rev
731 | NTDLL_API(PVOID, LdrResolveDelayLoadedAPI, (
732 |     _In_ PVOID ParentModuleBase,
733 |     _In_ PCIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor,
734 |     _In_opt_ PDELAYLOAD_FAILURE_DLL_CALLBACK FailureDllHook,
735 |     _In_opt_ PDELAYLOAD_FAILURE_SYSTEM_ROUTINE FailureSystemHook, // kernel32.DelayLoadFailureHook
736 |     _Out_ PIMAGE_THUNK_DATA ThunkAddress,
737 |     _Reserved_ ULONG Flags
738 | ))
739 | 
740 | // rev
741 | NTDLL_API(NTSTATUS, LdrResolveDelayLoadsFromDll, (
742 |     _In_ PVOID ParentBase,
743 |     _In_ PCSTR TargetDllName,
744 |     _Reserved_ ULONG Flags
745 | ))
746 | 
747 | // rev
748 | NTDLL_API(NTSTATUS, LdrSetDefaultDllDirectories, (
749 |     _In_ ULONG DirectoryFlags
750 | ))
751 | 
752 | // rev
753 | NTDLL_API(NTSTATUS, LdrShutdownProcess, (
754 |     VOID
755 | ))
756 | 
757 | // rev
758 | NTDLL_API(NTSTATUS, LdrShutdownThread, (
759 |     VOID
760 | ))
761 | 
762 | // rev
763 | NTDLL_API(NTSTATUS, LdrSetImplicitPathOptions, (
764 |     _In_ ULONG ImplicitPathOptions
765 | ))
766 | 
767 | // rev
768 | NTDLL_API(BOOLEAN, LdrControlFlowGuardEnforced, (
769 |     VOID
770 | ))
771 | 
772 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_10_19H1)
773 | // rev
774 | NTDLL_API(BOOLEAN, LdrIsModuleSxsRedirected, (
775 |     _In_ PVOID DllHandle
776 | ))
777 | #endif
778 | 
779 | #endif // (NTLIB_CPU_MODE != NTLIB_KERNEL_MODE)
780 | 
781 | #endif
782 | 


--------------------------------------------------------------------------------
/includes/NTExp/ntlpcapi.h:
--------------------------------------------------------------------------------
  1 | #ifndef _NTLPCAPI_H
  2 | #define _NTLPCAPI_H
  3 | 
  4 | #define PORT_CONNECT 0x0001
  5 | #define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)
  6 | 
  7 | typedef struct _PORT_MESSAGE
  8 | {
  9 |     union
 10 |     {
 11 |         struct
 12 |         {
 13 |             CSHORT DataLength;
 14 |             CSHORT TotalLength;
 15 |         } s1;
 16 |         ULONG Length;
 17 |     } u1;
 18 |     union
 19 |     {
 20 |         struct
 21 |         {
 22 |             CSHORT Type;
 23 |             CSHORT DataInfoOffset;
 24 |         } s2;
 25 |         ULONG ZeroInit;
 26 |     } u2;
 27 |     union
 28 |     {
 29 |         CLIENT_ID ClientId;
 30 |         double DoNotUseThisField;
 31 |     };
 32 |     ULONG MessageId;
 33 |     union
 34 |     {
 35 |         SIZE_T ClientViewSize;
 36 |         ULONG CallbackId;
 37 |     };
 38 | } PORT_MESSAGE, *PPORT_MESSAGE;
 39 | 
 40 | typedef struct _PORT_DATA_ENTRY
 41 | {
 42 |     PVOID Base;
 43 |     ULONG Size;
 44 | } PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
 45 | 
 46 | typedef struct _PORT_DATA_INFORMATION
 47 | {
 48 |     ULONG CountDataEntries;
 49 |     PORT_DATA_ENTRY DataEntries[1];
 50 | } PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
 51 | 
 52 | #define LPC_REQUEST 1
 53 | #define LPC_REPLY 2
 54 | #define LPC_DATAGRAM 3
 55 | #define LPC_LOST_REPLY 4
 56 | #define LPC_PORT_CLOSED 5
 57 | #define LPC_CLIENT_DIED 6
 58 | #define LPC_EXCEPTION 7
 59 | #define LPC_DEBUG_EVENT 8
 60 | #define LPC_ERROR_EVENT 9
 61 | #define LPC_CONNECTION_REQUEST 10
 62 | 
 63 | #define LPC_KERNELMODE_MESSAGE (CSHORT)0x8000
 64 | #define LPC_NO_IMPERSONATE (CSHORT)0x4000
 65 | 
 66 | #define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE
 67 | 
 68 | #ifdef _WIN64
 69 | #define PORT_MAXIMUM_MESSAGE_LENGTH 512
 70 | #else
 71 | #define PORT_MAXIMUM_MESSAGE_LENGTH 256
 72 | #endif
 73 | 
 74 | #define LPC_MAX_CONNECTION_INFO_SIZE (16 * sizeof(ULONG_PTR))
 75 | 
 76 | #define PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH \
 77 |     ((PORT_MAXIMUM_MESSAGE_LENGTH + sizeof(PORT_MESSAGE) + LPC_MAX_CONNECTION_INFO_SIZE + 0xf) & ~0xf)
 78 | 
 79 | typedef struct _LPC_CLIENT_DIED_MSG
 80 | {
 81 |     PORT_MESSAGE PortMsg;
 82 |     LARGE_INTEGER CreateTime;
 83 | } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
 84 | 
 85 | typedef struct _PORT_VIEW
 86 | {
 87 |     ULONG Length;
 88 |     HANDLE SectionHandle;
 89 |     ULONG SectionOffset;
 90 |     SIZE_T ViewSize;
 91 |     PVOID ViewBase;
 92 |     PVOID ViewRemoteBase;
 93 | } PORT_VIEW, *PPORT_VIEW;
 94 | 
 95 | typedef struct _REMOTE_PORT_VIEW
 96 | {
 97 |     ULONG Length;
 98 |     SIZE_T ViewSize;
 99 |     PVOID ViewBase;
100 | } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
101 | 
102 | typedef struct _PORT_MESSAGE64
103 | {
104 |     union
105 |     {
106 |         struct
107 |         {
108 |             CSHORT DataLength;
109 |             CSHORT TotalLength;
110 |         } s1;
111 |         ULONG Length;
112 |     } u1;
113 |     union
114 |     {
115 |         struct
116 |         {
117 |             CSHORT Type;
118 |             CSHORT DataInfoOffset;
119 |         } s2;
120 |         ULONG ZeroInit;
121 |     } u2;
122 |     union
123 |     {
124 |         CLIENT_ID64 ClientId;
125 |         double DoNotUseThisField;
126 |     };
127 |     ULONG MessageId;
128 |     union
129 |     {
130 |         ULONGLONG ClientViewSize;
131 |         ULONG CallbackId;
132 |     };
133 | } PORT_MESSAGE64, *PPORT_MESSAGE64;
134 | 
135 | typedef struct _LPC_CLIENT_DIED_MSG64
136 | {
137 |     PORT_MESSAGE64 PortMsg;
138 |     LARGE_INTEGER CreateTime;
139 | } LPC_CLIENT_DIED_MSG64, *PLPC_CLIENT_DIED_MSG64;
140 | 
141 | typedef struct _PORT_VIEW64
142 | {
143 |     ULONG Length;
144 |     ULONGLONG SectionHandle;
145 |     ULONG SectionOffset;
146 |     ULONGLONG ViewSize;
147 |     ULONGLONG ViewBase;
148 |     ULONGLONG ViewRemoteBase;
149 | } PORT_VIEW64, *PPORT_VIEW64;
150 | 
151 | typedef struct _REMOTE_PORT_VIEW64
152 | {
153 |     ULONG Length;
154 |     ULONGLONG ViewSize;
155 |     ULONGLONG ViewBase;
156 | } REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64;
157 | 
158 | NATIVE_API(NTSTATUS, /*Nt*/CreatePort, (
159 |     _Out_ PHANDLE PortHandle,
160 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
161 |     _In_ ULONG MaxConnectionInfoLength,
162 |     _In_ ULONG MaxMessageLength,
163 |     _In_opt_ ULONG MaxPoolUsage
164 | ))
165 | 
166 | NATIVE_API(NTSTATUS, /*Nt*/CreateWaitablePort, (
167 |     _Out_ PHANDLE PortHandle,
168 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
169 |     _In_ ULONG MaxConnectionInfoLength,
170 |     _In_ ULONG MaxMessageLength,
171 |     _In_opt_ ULONG MaxPoolUsage
172 | ))
173 | 
174 | NATIVE_API(NTSTATUS, /*Nt*/ConnectPort, (
175 |     _Out_ PHANDLE PortHandle,
176 |     _In_ PUNICODE_STRING PortName,
177 |     _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
178 |     _Inout_opt_ PPORT_VIEW ClientView,
179 |     _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
180 |     _Out_opt_ PULONG MaxMessageLength,
181 |     _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation,
182 |     _Inout_opt_ PULONG ConnectionInformationLength
183 | ))
184 | 
185 | NATIVE_API(NTSTATUS, /*Nt*/SecureConnectPort, (
186 |     _Out_ PHANDLE PortHandle,
187 |     _In_ PUNICODE_STRING PortName,
188 |     _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
189 |     _Inout_opt_ PPORT_VIEW ClientView,
190 |     _In_opt_ PSID RequiredServerSid,
191 |     _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
192 |     _Out_opt_ PULONG MaxMessageLength,
193 |     _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation,
194 |     _Inout_opt_ PULONG ConnectionInformationLength
195 | ))
196 | 
197 | NATIVE_API(NTSTATUS, /*Nt*/ListenPort, (
198 |     _In_ HANDLE PortHandle,
199 |     _Out_ PPORT_MESSAGE ConnectionRequest
200 | ))
201 | 
202 | NATIVE_API(NTSTATUS, /*Nt*/AcceptConnectPort, (
203 |     _Out_ PHANDLE PortHandle,
204 |     _In_opt_ PVOID PortContext,
205 |     _In_ PPORT_MESSAGE ConnectionRequest,
206 |     _In_ BOOLEAN AcceptConnection,
207 |     _Inout_opt_ PPORT_VIEW ServerView,
208 |     _Out_opt_ PREMOTE_PORT_VIEW ClientView
209 | ))
210 | 
211 | NATIVE_API(NTSTATUS, /*Nt*/CompleteConnectPort, (
212 |     _In_ HANDLE PortHandle
213 | ))
214 | 
215 | NATIVE_API(NTSTATUS, /*Nt*/RequestPort, (
216 |     _In_ HANDLE PortHandle,
217 |     _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage
218 | ))
219 | 
220 | NATIVE_API(NTSTATUS, /*Nt*/RequestWaitReplyPort, (
221 |     _In_ HANDLE PortHandle,
222 |     _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage,
223 |     _Out_ PPORT_MESSAGE ReplyMessage
224 | ))
225 | 
226 | NATIVE_API(NTSTATUS, /*Nt*/ReplyPort, (
227 |     _In_ HANDLE PortHandle,
228 |     _In_reads_bytes_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage
229 | ))
230 | 
231 | NATIVE_API(NTSTATUS, /*Nt*/ReplyWaitReplyPort, (
232 |     _In_ HANDLE PortHandle,
233 |     _Inout_ PPORT_MESSAGE ReplyMessage
234 | ))
235 | 
236 | NATIVE_API(NTSTATUS, /*Nt*/ReplyWaitReceivePort, (
237 |     _In_ HANDLE PortHandle,
238 |     _Out_opt_ PVOID *PortContext,
239 |     _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage,
240 |     _Out_ PPORT_MESSAGE ReceiveMessage
241 | ))
242 | 
243 | NATIVE_API(NTSTATUS, /*Nt*/ReplyWaitReceivePortEx, (
244 |     _In_ HANDLE PortHandle,
245 |     _Out_opt_ PVOID *PortContext,
246 |     _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage,
247 |     _Out_ PPORT_MESSAGE ReceiveMessage,
248 |     _In_opt_ PLARGE_INTEGER Timeout
249 | ))
250 | 
251 | NATIVE_API(NTSTATUS, /*Nt*/ImpersonateClientOfPort, (
252 |     _In_ HANDLE PortHandle,
253 |     _In_ PPORT_MESSAGE Message
254 | ))
255 | 
256 | NATIVE_API(NTSTATUS, /*Nt*/ReadRequestData, (
257 |     _In_ HANDLE PortHandle,
258 |     _In_ PPORT_MESSAGE Message,
259 |     _In_ ULONG DataEntryIndex,
260 |     _Out_writes_bytes_to_(BufferSize, *NumberOfBytesRead) PVOID Buffer,
261 |     _In_ SIZE_T BufferSize,
262 |     _Out_opt_ PSIZE_T NumberOfBytesRead
263 | ))
264 | 
265 | NATIVE_API(NTSTATUS, /*Nt*/WriteRequestData, (
266 |     _In_ HANDLE PortHandle,
267 |     _In_ PPORT_MESSAGE Message,
268 |     _In_ ULONG DataEntryIndex,
269 |     _In_reads_bytes_(BufferSize) PVOID Buffer,
270 |     _In_ SIZE_T BufferSize,
271 |     _Out_opt_ PSIZE_T NumberOfBytesWritten
272 | ))
273 | 
274 | typedef enum _PORT_INFORMATION_CLASS
275 | {
276 |     PortBasicInformation,
277 |     PortDumpInformation
278 | } PORT_INFORMATION_CLASS;
279 | 
280 | NATIVE_API(NTSTATUS, /*Nt*/QueryInformationPort, (
281 |     _In_ HANDLE PortHandle,
282 |     _In_ PORT_INFORMATION_CLASS PortInformationClass,
283 |     _Out_writes_bytes_to_(Length, *ReturnLength) PVOID PortInformation,
284 |     _In_ ULONG Length,
285 |     _Out_opt_ PULONG ReturnLength
286 | ))
287 | 
288 | typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE;
289 | 
290 | #define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev
291 | #define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg
292 | #define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg
293 | 
294 | typedef struct _ALPC_PORT_ATTRIBUTES
295 | {
296 |     ULONG Flags;
297 |     SECURITY_QUALITY_OF_SERVICE SecurityQos;
298 |     SIZE_T MaxMessageLength;
299 |     SIZE_T MemoryBandwidth;
300 |     SIZE_T MaxPoolUsage;
301 |     SIZE_T MaxSectionSize;
302 |     SIZE_T MaxViewSize;
303 |     SIZE_T MaxTotalSectionSize;
304 |     ULONG DupObjectTypes;
305 | #ifdef _WIN64
306 |     ULONG Reserved;
307 | #endif
308 | } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;
309 | 
310 | #define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
311 | #define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
312 | #define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
313 | #define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000
314 | 
315 | typedef struct _ALPC_MESSAGE_ATTRIBUTES
316 | {
317 |     ULONG AllocatedAttributes;
318 |     ULONG ValidAttributes;
319 | } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;
320 | 
321 | typedef struct _ALPC_COMPLETION_LIST_STATE
322 | {
323 |     union
324 |     {
325 |         struct
326 |         {
327 |             ULONG64 Head : 24;
328 |             ULONG64 Tail : 24;
329 |             ULONG64 ActiveThreadCount : 16;
330 |         } s1;
331 |         ULONG64 Value;
332 |     } u1;
333 | } ALPC_COMPLETION_LIST_STATE, *PALPC_COMPLETION_LIST_STATE;
334 | 
335 | #define ALPC_COMPLETION_LIST_BUFFER_GRANULARITY_MASK 0x3f // dbg
336 | 
337 | typedef struct DECLSPEC_ALIGN(128) _ALPC_COMPLETION_LIST_HEADER
338 | {
339 |     ULONG64 StartMagic;
340 | 
341 |     ULONG TotalSize;
342 |     ULONG ListOffset;
343 |     ULONG ListSize;
344 |     ULONG BitmapOffset;
345 |     ULONG BitmapSize;
346 |     ULONG DataOffset;
347 |     ULONG DataSize;
348 |     ULONG AttributeFlags;
349 |     ULONG AttributeSize;
350 | 
351 |     DECLSPEC_ALIGN(128) ALPC_COMPLETION_LIST_STATE State;
352 |     ULONG LastMessageId;
353 |     ULONG LastCallbackId;
354 |     DECLSPEC_ALIGN(128) ULONG PostCount;
355 |     DECLSPEC_ALIGN(128) ULONG ReturnCount;
356 |     DECLSPEC_ALIGN(128) ULONG LogSequenceNumber;
357 |     DECLSPEC_ALIGN(128) RTL_SRWLOCK UserLock;
358 | 
359 |     ULONG64 EndMagic;
360 | } ALPC_COMPLETION_LIST_HEADER, *PALPC_COMPLETION_LIST_HEADER;
361 | 
362 | typedef struct _ALPC_CONTEXT_ATTR
363 | {
364 |     PVOID PortContext;
365 |     PVOID MessageContext;
366 |     ULONG Sequence;
367 |     ULONG MessageId;
368 |     ULONG CallbackId;
369 | } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;
370 | 
371 | #define ALPC_HANDLEFLG_DUPLICATE_SAME_ACCESS 0x10000
372 | #define ALPC_HANDLEFLG_DUPLICATE_SAME_ATTRIBUTES 0x20000
373 | #define ALPC_HANDLEFLG_DUPLICATE_INHERIT 0x80000
374 | 
375 | typedef struct _ALPC_HANDLE_ATTR32
376 | {
377 |     ULONG Flags;
378 |     ULONG Reserved0;
379 |     ULONG SameAccess;
380 |     ULONG SameAttributes;
381 |     ULONG Indirect;
382 |     ULONG Inherit;
383 |     ULONG Reserved1;
384 |     ULONG Handle;
385 |     ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
386 |     ULONG DesiredAccess;
387 |     ULONG GrantedAccess;
388 | } ALPC_HANDLE_ATTR32, *PALPC_HANDLE_ATTR32;
389 | 
390 | typedef struct _ALPC_HANDLE_ATTR
391 | {
392 |     ULONG Flags;
393 |     ULONG Reserved0;
394 |     ULONG SameAccess;
395 |     ULONG SameAttributes;
396 |     ULONG Indirect;
397 |     ULONG Inherit;
398 |     ULONG Reserved1;
399 |     HANDLE Handle;
400 |     PALPC_HANDLE_ATTR32 HandleAttrArray;
401 |     ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
402 |     ULONG HandleCount;
403 |     ACCESS_MASK DesiredAccess;
404 |     ACCESS_MASK GrantedAccess;
405 | } ALPC_HANDLE_ATTR, *PALPC_HANDLE_ATTR;
406 | 
407 | #define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg
408 | #define ALPC_SECFLG_NOSECTIONHANDLE 0x40000
409 | 
410 | typedef struct _ALPC_SECURITY_ATTR
411 | {
412 |     ULONG Flags;
413 |     PSECURITY_QUALITY_OF_SERVICE QoS;
414 |     ALPC_HANDLE ContextHandle; // dbg
415 | } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;
416 | 
417 | #define ALPC_VIEWFLG_NOT_SECURE 0x40000
418 | 
419 | typedef struct _ALPC_DATA_VIEW_ATTR
420 | {
421 |     ULONG Flags;
422 |     ALPC_HANDLE SectionHandle;
423 |     PVOID ViewBase;
424 |     SIZE_T ViewSize;
425 | } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;
426 | 
427 | typedef enum _ALPC_PORT_INFORMATION_CLASS
428 | {
429 |     AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION
430 |     AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES
431 |     AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT
432 |     AlpcConnectedSIDInformation, // q: in SID
433 |     AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION
434 |     AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION
435 |     AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION
436 |     AlpcUnregisterCompletionListInformation, // s: VOID
437 |     AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG
438 |     AlpcRegisterCallbackInformation, // kernel-mode only
439 |     AlpcCompletionListRundownInformation, // s: VOID
440 |     AlpcWaitForPortReferences
441 | } ALPC_PORT_INFORMATION_CLASS;
442 | 
443 | typedef struct _ALPC_BASIC_INFORMATION
444 | {
445 |     ULONG Flags;
446 |     ULONG SequenceNo;
447 |     PVOID PortContext;
448 | } ALPC_BASIC_INFORMATION, *PALPC_BASIC_INFORMATION;
449 | 
450 | typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT
451 | {
452 |     PVOID CompletionKey;
453 |     HANDLE CompletionPort;
454 | } ALPC_PORT_ASSOCIATE_COMPLETION_PORT, *PALPC_PORT_ASSOCIATE_COMPLETION_PORT;
455 | 
456 | typedef struct _ALPC_SERVER_INFORMATION
457 | {
458 |     union
459 |     {
460 |         struct
461 |         {
462 |             HANDLE ThreadHandle;
463 |         } In;
464 |         struct
465 |         {
466 |             BOOLEAN ThreadBlocked;
467 |             HANDLE ConnectedProcessId;
468 |             UNICODE_STRING ConnectionPortName;
469 |         } Out;
470 |     };
471 | } ALPC_SERVER_INFORMATION, *PALPC_SERVER_INFORMATION;
472 | 
473 | // private
474 | typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION
475 | {
476 |     PVOID Buffer;
477 |     ULONG Size;
478 | } ALPC_PORT_MESSAGE_ZONE_INFORMATION, *PALPC_PORT_MESSAGE_ZONE_INFORMATION;
479 | 
480 | // private
481 | typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION
482 | {
483 |     PVOID Buffer; // PALPC_COMPLETION_LIST_HEADER
484 |     ULONG Size;
485 |     ULONG ConcurrencyCount;
486 |     ULONG AttributeFlags;
487 | } ALPC_PORT_COMPLETION_LIST_INFORMATION, *PALPC_PORT_COMPLETION_LIST_INFORMATION;
488 | 
489 | // private
490 | typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
491 | {
492 |     AlpcMessageSidInformation, // q: out SID
493 |     AlpcMessageTokenModifiedIdInformation,  // q: out LUID
494 |     AlpcMessageDirectStatusInformation,
495 |     AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION
496 |     MaxAlpcMessageInfoClass
497 | } ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS;
498 | 
499 | typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION
500 | {
501 |     ULONG Index;
502 |     ULONG Flags;
503 |     ULONG Handle;
504 |     ULONG ObjectType;
505 |     ACCESS_MASK GrantedAccess;
506 | } ALPC_MESSAGE_HANDLE_INFORMATION, *PALPC_MESSAGE_HANDLE_INFORMATION;
507 | 
508 | // begin_private
509 | 
510 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_VISTA)
511 | 
512 | // System calls
513 | 
514 | NATIVE_API(NTSTATUS, /*Nt*/AlpcCreatePort, (
515 |     _Out_ PHANDLE PortHandle,
516 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
517 |     _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes
518 | ))
519 | 
520 | NATIVE_API(NTSTATUS, /*Nt*/AlpcDisconnectPort, (
521 |     _In_ HANDLE PortHandle,
522 |     _In_ ULONG Flags
523 | ))
524 | 
525 | NATIVE_API(NTSTATUS, /*Nt*/AlpcQueryInformation, (
526 |     _In_opt_ HANDLE PortHandle,
527 |     _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
528 |     _Inout_updates_bytes_to_(Length, *ReturnLength) PVOID PortInformation,
529 |     _In_ ULONG Length,
530 |     _Out_opt_ PULONG ReturnLength
531 | ))
532 | 
533 | NATIVE_API(NTSTATUS, /*Nt*/AlpcSetInformation, (
534 |     _In_ HANDLE PortHandle,
535 |     _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
536 |     _In_reads_bytes_opt_(Length) PVOID PortInformation,
537 |     _In_ ULONG Length
538 | ))
539 | 
540 | NATIVE_API(NTSTATUS, /*Nt*/AlpcCreatePortSection, (
541 |     _In_ HANDLE PortHandle,
542 |     _In_ ULONG Flags,
543 |     _In_opt_ HANDLE SectionHandle,
544 |     _In_ SIZE_T SectionSize,
545 |     _Out_ PALPC_HANDLE AlpcSectionHandle,
546 |     _Out_ PSIZE_T ActualSectionSize
547 | ))
548 | 
549 | NATIVE_API(NTSTATUS, /*Nt*/AlpcDeletePortSection, (
550 |     _In_ HANDLE PortHandle,
551 |     _Reserved_ ULONG Flags,
552 |     _In_ ALPC_HANDLE SectionHandle
553 | ))
554 | 
555 | NATIVE_API(NTSTATUS, /*Nt*/AlpcCreateResourceReserve, (
556 |     _In_ HANDLE PortHandle,
557 |     _Reserved_ ULONG Flags,
558 |     _In_ SIZE_T MessageSize,
559 |     _Out_ PALPC_HANDLE ResourceId
560 | ))
561 | 
562 | NATIVE_API(NTSTATUS, /*Nt*/AlpcDeleteResourceReserve, (
563 |     _In_ HANDLE PortHandle,
564 |     _Reserved_ ULONG Flags,
565 |     _In_ ALPC_HANDLE ResourceId
566 | ))
567 | 
568 | NATIVE_API(NTSTATUS, /*Nt*/AlpcCreateSectionView, (
569 |     _In_ HANDLE PortHandle,
570 |     _Reserved_ ULONG Flags,
571 |     _Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes
572 | ))
573 | 
574 | NATIVE_API(NTSTATUS, /*Nt*/AlpcDeleteSectionView, (
575 |     _In_ HANDLE PortHandle,
576 |     _Reserved_ ULONG Flags,
577 |     _In_ PVOID ViewBase
578 | ))
579 | 
580 | NATIVE_API(NTSTATUS, /*Nt*/AlpcCreateSecurityContext, (
581 |     _In_ HANDLE PortHandle,
582 |     _Reserved_ ULONG Flags,
583 |     _Inout_ PALPC_SECURITY_ATTR SecurityAttribute
584 | ))
585 | 
586 | NATIVE_API(NTSTATUS, /*Nt*/AlpcDeleteSecurityContext, (
587 |     _In_ HANDLE PortHandle,
588 |     _Reserved_ ULONG Flags,
589 |     _In_ ALPC_HANDLE ContextHandle
590 | ))
591 | 
592 | NATIVE_API(NTSTATUS, /*Nt*/AlpcRevokeSecurityContext, (
593 |     _In_ HANDLE PortHandle,
594 |     _Reserved_ ULONG Flags,
595 |     _In_ ALPC_HANDLE ContextHandle
596 | ))
597 | 
598 | NATIVE_API(NTSTATUS, /*Nt*/AlpcQueryInformationMessage, (
599 |     _In_ HANDLE PortHandle,
600 |     _In_ PPORT_MESSAGE PortMessage,
601 |     _In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
602 |     _Out_writes_bytes_to_opt_(Length, *ReturnLength) PVOID MessageInformation,
603 |     _In_ ULONG Length,
604 |     _Out_opt_ PULONG ReturnLength
605 | ))
606 | 
607 | #define ALPC_MSGFLG_REPLY_MESSAGE 0x1
608 | #define ALPC_MSGFLG_LPC_MODE 0x2 // ?
609 | #define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg
610 | #define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg
611 | #define ALPC_MSGFLG_WAIT_USER_MODE 0x100000
612 | #define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000
613 | #define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg
614 | 
615 | NATIVE_API(NTSTATUS, /*Nt*/AlpcConnectPort, (
616 |     _Out_ PHANDLE PortHandle,
617 |     _In_ PUNICODE_STRING PortName,
618 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
619 |     _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
620 |     _In_ ULONG Flags,
621 |     _In_opt_ PSID RequiredServerSid,
622 |     _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage,
623 |     _Inout_opt_ PULONG BufferLength,
624 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
625 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
626 |     _In_opt_ PLARGE_INTEGER Timeout
627 | ))
628 | 
629 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_8)
630 | NATIVE_API(NTSTATUS, /*Nt*/AlpcConnectPortEx, (
631 |     _Out_ PHANDLE PortHandle,
632 |     _In_ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,
633 |     _In_opt_ POBJECT_ATTRIBUTES ClientPortObjectAttributes,
634 |     _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
635 |     _In_ ULONG Flags,
636 |     _In_opt_ PSECURITY_DESCRIPTOR ServerSecurityRequirements,
637 |     _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage,
638 |     _Inout_opt_ PSIZE_T BufferLength,
639 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
640 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
641 |     _In_opt_ PLARGE_INTEGER Timeout
642 | ))
643 | #endif
644 | 
645 | NATIVE_API(NTSTATUS, /*Nt*/AlpcAcceptConnectPort, (
646 |     _Out_ PHANDLE PortHandle,
647 |     _In_ HANDLE ConnectionPortHandle,
648 |     _In_ ULONG Flags,
649 |     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
650 |     _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
651 |     _In_opt_ PVOID PortContext,
652 |     _In_reads_bytes_(ConnectionRequest->u1.s1.TotalLength) PPORT_MESSAGE ConnectionRequest,
653 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes,
654 |     _In_ BOOLEAN AcceptConnection
655 | ))
656 | 
657 | NATIVE_API(NTSTATUS, /*Nt*/AlpcSendWaitReceivePort, (
658 |     _In_ HANDLE PortHandle,
659 |     _In_ ULONG Flags,
660 |     _In_reads_bytes_opt_(SendMessage->u1.s1.TotalLength) PPORT_MESSAGE SendMessage,
661 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
662 |     _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage,
663 |     _Inout_opt_ PSIZE_T BufferLength,
664 |     _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
665 |     _In_opt_ PLARGE_INTEGER Timeout
666 | ))
667 | 
668 | #define ALPC_CANCELFLG_TRY_CANCEL 0x1 // dbg
669 | #define ALPC_CANCELFLG_NO_CONTEXT_CHECK 0x8
670 | #define ALPC_CANCELFLGP_FLUSH 0x10000 // dbg
671 | 
672 | NATIVE_API(NTSTATUS, /*Nt*/AlpcCancelMessage, (
673 |     _In_ HANDLE PortHandle,
674 |     _In_ ULONG Flags,
675 |     _In_ PALPC_CONTEXT_ATTR MessageContext
676 | ))
677 | 
678 | NATIVE_API(NTSTATUS, /*Nt*/AlpcImpersonateClientOfPort, (
679 |     _In_ HANDLE PortHandle,
680 |     _In_ PPORT_MESSAGE Message,
681 |     _In_ PVOID Flags
682 | ))
683 | 
684 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_10_TH1)
685 | NATIVE_API(NTSTATUS, /*Nt*/AlpcImpersonateClientContainerOfPort, (
686 |     _In_ HANDLE PortHandle,
687 |     _In_ PPORT_MESSAGE Message,
688 |     _In_ ULONG Flags
689 | ))
690 | #endif
691 | 
692 | NATIVE_API(NTSTATUS, /*Nt*/AlpcOpenSenderProcess, (
693 |     _Out_ PHANDLE ProcessHandle,
694 |     _In_ HANDLE PortHandle,
695 |     _In_ PPORT_MESSAGE PortMessage,
696 |     _In_ ULONG Flags,
697 |     _In_ ACCESS_MASK DesiredAccess,
698 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes
699 | ))
700 | 
701 | NATIVE_API(NTSTATUS, /*Nt*/AlpcOpenSenderThread, (
702 |     _Out_ PHANDLE ThreadHandle,
703 |     _In_ HANDLE PortHandle,
704 |     _In_ PPORT_MESSAGE PortMessage,
705 |     _In_ ULONG Flags,
706 |     _In_ ACCESS_MASK DesiredAccess,
707 |     _In_ POBJECT_ATTRIBUTES ObjectAttributes
708 | ))
709 | 
710 | // Support functions
711 | 
712 | NTDLL_API(ULONG, AlpcMaxAllowedMessageLength, (
713 |     VOID
714 | ))
715 | 
716 | NTDLL_API(ULONG, AlpcGetHeaderSize, (
717 |     _In_ ULONG Flags
718 | ))
719 | 
720 | #define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000
721 | #define ALPC_ATTRFLG_VALIDATTR 0x40000000
722 | #define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000
723 | 
724 | NTDLL_API(NTSTATUS, AlpcInitializeMessageAttribute, (
725 |     _In_ ULONG AttributeFlags,
726 |     _Out_opt_ PALPC_MESSAGE_ATTRIBUTES Buffer,
727 |     _In_ ULONG BufferSize,
728 |     _Out_ PULONG RequiredBufferSize
729 | ))
730 | 
731 | NTDLL_API(PVOID, AlpcGetMessageAttribute, (
732 |     _In_ PALPC_MESSAGE_ATTRIBUTES Buffer,
733 |     _In_ ULONG AttributeFlag
734 | ))
735 | 
736 | NTDLL_API(NTSTATUS, AlpcRegisterCompletionList, (
737 |     _In_ HANDLE PortHandle,
738 |     _Out_ PALPC_COMPLETION_LIST_HEADER Buffer,
739 |     _In_ ULONG Size,
740 |     _In_ ULONG ConcurrencyCount,
741 |     _In_ ULONG AttributeFlags
742 | ))
743 | 
744 | NTDLL_API(NTSTATUS, AlpcUnregisterCompletionList, (
745 |     _In_ HANDLE PortHandle
746 | ))
747 | 
748 | #if (defined(PHNT_COMPILE) || NTLIB_WIN_VERSION >= NTLIB_WIN_7)
749 | // rev
750 | NTDLL_API(NTSTATUS, AlpcRundownCompletionList, (
751 |     _In_ HANDLE PortHandle
752 | ))
753 | #endif
754 | 
755 | NTDLL_API(NTSTATUS, AlpcAdjustCompletionListConcurrencyCount, (
756 |     _In_ HANDLE PortHandle,
757 |     _In_ ULONG ConcurrencyCount
758 | ))
759 | 
760 | NTDLL_API(BOOLEAN, AlpcRegisterCompletionListWorkerThread, (
761 |     _Inout_ PVOID CompletionList
762 | ))
763 | 
764 | NTDLL_API(BOOLEAN, AlpcUnregisterCompletionListWorkerThread, (
765 |     _Inout_ PVOID CompletionList
766 | ))
767 | 
768 | NTDLL_API_VOID(AlpcGetCompletionListLastMessageInformation, (
769 |     _In_ PVOID CompletionList,
770 |     _Out_ PULONG LastMessageId,
771 |     _Out_ PULONG LastCallbackId
772 | ))
773 | 
774 | NTDLL_API(ULONG, AlpcGetOutstandingCompletionListMessageCount, (
775 |     _In_ PVOID CompletionList
776 | ))
777 | 
778 | NTDLL_API(PPORT_MESSAGE, AlpcGetMessageFromCompletionList, (
779 |     _In_ PVOID CompletionList,
780 |     _Out_opt_ PALPC_MESSAGE_ATTRIBUTES *MessageAttributes
781 | ))
782 | 
783 | NTDLL_API_VOID(AlpcFreeCompletionListMessage, (
784 |     _Inout_ PVOID CompletionList,
785 |     _In_ PPORT_MESSAGE Message
786 | ))
787 | 
788 | NTDLL_API(PALPC_MESSAGE_ATTRIBUTES, AlpcGetCompletionListMessageAttributes, (
789 |     _In_ PVOID CompletionList,
790 |     _In_ PPORT_MESSAGE Message
791 | ))
792 | 
793 | #endif
794 | 
795 | // end_private
796 | 
797 | #endif
798 | 


--------------------------------------------------------------------------------