├── .gitignore ├── MSBuild └── v4.0 │ ├── Microsoft.Cpp.Win32.user.props │ ├── Microsoft.Cpp.arm64.user.props │ └── Microsoft.Cpp.x64.user.props ├── README.md ├── SkipPsNotify ├── .manifest ├── .rc ├── .rc2 ├── SkipPsNotify.vcxproj ├── SkipPsNotify.vcxproj.filters ├── SkipPsNotify.vcxproj.user ├── ep.cpp ├── regedit.ico ├── resource.h ├── stdafx.cpp └── stdafx.h ├── Solution.sln ├── pnth ├── .gitattributes ├── mini_yvals.h ├── ntbcd.h ├── ntdbg.h ├── ntexapi.h ├── ntgdi.h ├── ntioapi.h ├── ntkeapi.h ├── ntldr.h ├── ntlpcapi.h ├── ntmisc.h ├── ntmmapi.h ├── ntnls.h ├── ntobapi.h ├── ntpebteb.h ├── ntpfapi.h ├── ntpnpapi.h ├── ntpoapi.h ├── ntpsapi.h ├── ntregapi.h ├── ntrtl.h ├── ntsam.h ├── ntseapi.h ├── ntsmss.h ├── nttmapi.h ├── nttp.h ├── ntwow64.h ├── ntxcapi.h ├── ntzwapi.h ├── pch.h ├── phnt.h ├── phnt_ntdef.h ├── phnt_windows.h ├── rtlframe.h ├── subprocesstag.h └── winsta.h ├── src ├── .manifest ├── .rc2 ├── Clone.rc ├── Clone.vcxproj ├── Clone.vcxproj.filters ├── Clone.vcxproj.user ├── FileName.cpp ├── regedit.ico ├── resource.h ├── stdafx.cpp └── stdafx.h └── x64 └── Release ├── Clone.exe └── SkipPsNotify.exe /.gitignore: -------------------------------------------------------------------------------- 1 | .vs 2 | *.pdb 3 | tmp 4 | *.obj 5 | *.lib 6 | *.exp 7 | *.aps 8 | -------------------------------------------------------------------------------- /MSBuild/v4.0/Microsoft.Cpp.Win32.user.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | $(WindowsSdkDir)Include\$(TargetPlatformVersion)\ 5 | $(WindowsSdkDir)Lib\$(TargetPlatformVersion)\ 6 | 7 | 8 | $(INC_ROOT)shared;$(INC_ROOT)km;$(INC_ROOT)um;$(INC_ROOT)km\crt 9 | $(LIB_ROOT)km\x86;$(LIB_ROOT)um\x86;$(LIB_ROOT)ucrt\x86 10 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 11 | false 12 | false 13 | false 14 | 15 | 16 | 17 | BufferOverflow.lib;ntdllp.lib;kernel32.lib;user32.lib;advapi32.lib 18 | true 19 | false 20 | "$(OutDir)" 21 | true 22 | UseLinkTimeCodeGeneration 23 | true 24 | MachineX86 25 | 26 | 27 | Level4 28 | Classic 29 | Size 30 | true 31 | false 32 | true 33 | false 34 | true 35 | stdcpplatest 36 | Use 37 | StdCall 38 | true 39 | true 40 | true 41 | false 42 | 43 | 44 | 45 | 46 | $(LIB_ROOT) 47 | 48 | 49 | $(INC_ROOT) 50 | 51 | 52 | -------------------------------------------------------------------------------- /MSBuild/v4.0/Microsoft.Cpp.arm64.user.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | $(WindowsSdkDir)Include\$(TargetPlatformVersion)\ 5 | $(WindowsSdkDir)Lib\$(TargetPlatformVersion)\ 6 | 7 | 8 | $(INC_ROOT)shared;$(INC_ROOT)km;$(INC_ROOT)um;$(INC_ROOT)km\crt 9 | $(LIB_ROOT)km\arm64;$(LIB_ROOT)um\arm64;$(LIB_ROOT)ucrt\arm64 10 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 11 | false 12 | false 13 | false 14 | 15 | 16 | 17 | BufferOverflow.lib;ntdllp.lib;kernel32.lib;advapi32.lib;user32.lib 18 | true 19 | false 20 | "$(OutDir)" 21 | true 22 | UseLinkTimeCodeGeneration 23 | MachineARM64 24 | 25 | 26 | Level4 27 | Classic 28 | Size 29 | true 30 | false 31 | true 32 | false 33 | true 34 | stdcpplatest 35 | Use 36 | StdCall 37 | true 38 | true 39 | true 40 | false 41 | 42 | 43 | 44 | 45 | $(LIB_ROOT) 46 | 47 | 48 | $(INC_ROOT) 49 | 50 | 51 | -------------------------------------------------------------------------------- /MSBuild/v4.0/Microsoft.Cpp.x64.user.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | $(WindowsSdkDir)Include\$(TargetPlatformVersion)\ 5 | $(WindowsSdkDir)Lib\$(TargetPlatformVersion)\ 6 | 7 | 8 | $(INC_ROOT)shared;$(INC_ROOT)km;$(INC_ROOT)um;$(INC_ROOT)km\crt 9 | $(LIB_ROOT)km\x64;$(LIB_ROOT)um\x64;$(LIB_ROOT)ucrt\x64 10 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 11 | false 12 | false 13 | false 14 | 15 | 16 | 17 | BufferOverflow.lib;ntdllp.lib;kernel32.lib;advapi32.lib;user32.lib 18 | true 19 | false 20 | "$(OutDir)" 21 | true 22 | UseLinkTimeCodeGeneration 23 | MachineX64 24 | 25 | 26 | Level4 27 | Classic 28 | Size 29 | true 30 | false 31 | true 32 | false 33 | true 34 | stdcpplatest 35 | Use 36 | StdCall 37 | true 38 | true 39 | true 40 | false 41 | 42 | 43 | 44 | 45 | $(LIB_ROOT) 46 | 47 | 48 | $(INC_ROOT) 49 | 50 | 51 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RtlClone 2 | 3 | from [The Definitive Guide To Process Cloning on Windows](https://github.com/huntandhackett/process-cloning/tree/master?tab=readme-ov-file#the-definitive-guide-to-process-cloning-on-windows) 4 | 5 | >So, why is `RtlCloneUserProcess` useful when we already have the more flexible `NtCreateUserProcess` ? 6 | >The reason might be surprising: we cannot re-implement its functionality, at least not entirely and precisely. 7 | 8 | this is not true. ntdll.dll (x64, but not x86, not check on arm64) exported next 2 functions: 9 | 10 | ``` 11 | NTSYSAPI 12 | NTSTATUS 13 | NTAPI 14 | RtlPrepareForProcessCloning(); 15 | 16 | NTSYSAPI 17 | NTSTATUS 18 | NTAPI 19 | RtlCompleteProcessCloning(_In_ BOOL bCloned); 20 | ``` 21 | 22 | with it we easy can implement `RtlCloneUserProcess` with `NtCreateUserProcess` 23 | 24 | ``` 25 | NTSTATUS status = ProcessFlags & RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 26 | ? STATUS_SUCCESS : RtlPrepareForProcessCloning(); 27 | 28 | if (0 <= status) 29 | { 30 | PS_CREATE_INFO createInfo = { sizeof(createInfo) }; 31 | 32 | status = NtCreateUserProcess(...); 33 | 34 | if (ProcessFlags & RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE) 35 | RtlCompleteProcessCloning(STATUS_PROCESS_CLONED == status); 36 | } 37 | 38 | return status; 39 | ``` 40 | 41 | such implementation we can view in `wow64.dll` inside `Wow64NtCreateUserProcess` function 42 | 43 | probably it doesn't matter more, but it seems these api ( `RtlPrepareForProcessCloning` / `RtlCompleteProcessCloning` ) almost unknown, despite exist from win 8.1 (or 8) 44 | 45 | in src code several example of how cloned process can interact with parent - via inherited Event handle, thread Alert, Apc, etc 46 | also i show here again how we can map/unmap executable image section from cloned process to parent process. this is very strong anti-debug technique, most debuggers freeze both processes here forever. some debuggers silently, windbg with next messages: 47 | 48 | ``` 49 | // ERROR: Unable to find system process **** 50 | // ERROR: The process being debugged has either exited or cannot be accessed 51 | // ERROR: Many commands will not work properly 52 | // ERROR: Module load event for unknown process 53 | ``` 54 | also this is work in x64 processes. but in x86 not exist RtlPrepareForProcessCloning/RtlCompleteProcessCloning 55 | 56 | in case we in wow64 (x86 process on x64 system) `NtCreateUserProcess` internal call `Wow64NtCreateUserProcess` function inside `wow64.dll` 57 | and it already call `RtlPrepareForProcessCloning();NtCreateUserProcess(...);RtlCompleteProcessCloning(STATUS_PROCESS_CLONED == status);` ( if `RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE` not set ) 58 | despite new cloned wow64 process created - it crashed just after enter to 32-bit mode. more exactly - after first access **`FS`** segment. in x86 windows **`FS`** segment must point to thread *TEB*, but by error in cloning code - **`FS`** point to 0 in cloned process 59 | -------------------------------------------------------------------------------- /SkipPsNotify/.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | True 21 | true 22 | 23 | 24 | -------------------------------------------------------------------------------- /SkipPsNotify/.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | 5 | #define APSTUDIO_READONLY_SYMBOLS 6 | ///////////////////////////////////////////////////////////////////////////// 7 | // 8 | // Generated from the TEXTINCLUDE 2 resource. 9 | // 10 | #include "winres.h" 11 | ///////////////////////////////////////////////////////////////////////////// 12 | #undef APSTUDIO_READONLY_SYMBOLS 13 | 14 | ///////////////////////////////////////////////////////////////////////////// 15 | // English (U.S.) resources 16 | 17 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 18 | #ifdef _WIN32 19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 20 | #pragma code_page(1252) 21 | #endif //_WIN32 22 | 23 | #ifdef APSTUDIO_INVOKED 24 | ///////////////////////////////////////////////////////////////////////////// 25 | // 26 | // TEXTINCLUDE 27 | // 28 | 29 | 1 TEXTINCLUDE 30 | BEGIN 31 | "resource.h\0" 32 | END 33 | 34 | 2 TEXTINCLUDE 35 | BEGIN 36 | "#include ""winres.h\0" 37 | END 38 | 39 | 3 TEXTINCLUDE 40 | BEGIN 41 | "#include "".rc2\0" 42 | END 43 | 44 | #endif // APSTUDIO_INVOKED 45 | 46 | 47 | #endif // English (U.S.) resources 48 | ///////////////////////////////////////////////////////////////////////////// 49 | 50 | 51 | #ifndef APSTUDIO_INVOKED 52 | ///////////////////////////////////////////////////////////////////////////// 53 | // 54 | // Generated from the TEXTINCLUDE 3 resource. 55 | // 56 | #include ".rc2" 57 | ///////////////////////////////////////////////////////////////////////////// 58 | #endif // not APSTUDIO_INVOKED 59 | 60 | -------------------------------------------------------------------------------- /SkipPsNotify/.rc2: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////////////////// 2 | // 3 | // RT_MANIFEST 4 | // 5 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 6 | 7 | CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST ".manifest" 8 | 9 | 1 ICON "regedit.ico" 10 | -------------------------------------------------------------------------------- /SkipPsNotify/SkipPsNotify.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | Win32 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {983067F0-c52a-5216-A233-AEFCF52D77DC} 17 | SkipPsNotify 18 | 10.0 19 | $(SolutionDir)MSBuild\v4.0 20 | 21 | 22 | 23 | Application 24 | false 25 | v143 26 | Unicode 27 | true 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | Level4 36 | true 37 | MaxSpeed 38 | $(SolutionDir)pnth 39 | 40 | 41 | Windows 42 | true 43 | true 44 | false 45 | ep 46 | /EMITPOGOPHASEINFO /EMITVOLATILEMETADATA:NO %(AdditionalOptions) 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | Create 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /SkipPsNotify/SkipPsNotify.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | 34 | 35 | Resource Files 36 | 37 | 38 | 39 | 40 | Resource Files 41 | 42 | 43 | -------------------------------------------------------------------------------- /SkipPsNotify/SkipPsNotify.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /SkipPsNotify/ep.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | EXTERN_C_START 4 | 5 | NTSYSAPI 6 | NTSTATUS 7 | NTAPI 8 | RtlPrepareForProcessCloning(); 9 | 10 | NTSYSAPI 11 | NTSTATUS 12 | NTAPI 13 | RtlCompleteProcessCloning(_In_ BOOL bCloned); 14 | 15 | EXTERN_C_END 16 | 17 | NTSTATUS CloneUserProcess(_Out_ PHANDLE ProcessHandle, 18 | _Out_ PHANDLE ThreadHandle, 19 | _In_ BOOL bSynchronize, 20 | _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* 21 | _In_ ULONG ThreadFlags // THREAD_CREATE_FLAGS_* 22 | ) 23 | { 24 | NTSTATUS status = bSynchronize ? RtlPrepareForProcessCloning() : STATUS_SUCCESS; 25 | 26 | if (0 <= status) 27 | { 28 | PS_CREATE_INFO createInfo = { sizeof(createInfo) }; 29 | 30 | status = NtCreateUserProcess(ProcessHandle, 31 | ThreadHandle, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS, NULL, NULL, 32 | ProcessFlags, ThreadFlags, NULL, &createInfo, NULL); 33 | 34 | if (IsDebuggerPresent()) __debugbreak(); 35 | 36 | if (bSynchronize) RtlCompleteProcessCloning(STATUS_PROCESS_CLONED == status); 37 | } 38 | 39 | return status; 40 | } 41 | 42 | NTSTATUS CreateSection(_Out_ PHANDLE SectionHandle, _In_ PCWSTR lpLibFileName) 43 | { 44 | int len = 0; 45 | PWSTR buf = 0; 46 | 47 | while (0 < (len = _snwprintf(buf, len, L"\\systemroot\\system32\\%s", lpLibFileName))) 48 | { 49 | if (buf) 50 | { 51 | UNICODE_STRING ObjectName; 52 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE }; 53 | RtlInitUnicodeString(&ObjectName, buf); 54 | 55 | HANDLE hFile; 56 | IO_STATUS_BLOCK iosb; 57 | NTSTATUS status = NtOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT); 58 | 59 | if (0 <= status) 60 | { 61 | status = NtCreateSection(SectionHandle, SECTION_MAP_EXECUTE, 0, 0, PAGE_EXECUTE, SEC_IMAGE, hFile); 62 | NtClose(hFile); 63 | } 64 | 65 | return status; 66 | } 67 | 68 | buf = (PWSTR)alloca(++len * sizeof(WCHAR)); 69 | } 70 | 71 | return STATUS_INTERNAL_ERROR; 72 | } 73 | 74 | struct BAS { 75 | PVOID BaseAddress; 76 | NTSTATUS status; 77 | }; 78 | 79 | void NTAPI OnApc( 80 | _In_opt_ PVOID ApcArgument1, 81 | _In_opt_ PVOID ApcArgument2, 82 | _In_opt_ PVOID ApcArgument3) 83 | { 84 | reinterpret_cast(ApcArgument1)->BaseAddress = ApcArgument2; 85 | reinterpret_cast(ApcArgument1)->status = (NTSTATUS)(ULONG_PTR)ApcArgument3; 86 | } 87 | 88 | NTSTATUS NotifyParent(_In_ HANDLE hThread, _In_ PVOID BaseAddress, _In_ BAS* p, NTSTATUS status) 89 | { 90 | return NtQueueApcThread(hThread, OnApc, p, BaseAddress, (PVOID)(ULONG_PTR)status); 91 | } 92 | 93 | NTSTATUS DoRemoteMap( 94 | _In_ PCWSTR lpLibFileName, 95 | _In_ PCLIENT_ID ClientId, 96 | _In_ HANDLE hThread, 97 | _In_ BAS* p) 98 | { 99 | HANDLE hProcess, hSection; 100 | 101 | BOOL bPost = FALSE; 102 | 103 | NTSTATUS status; 104 | 105 | OBJECT_ATTRIBUTES oa = { sizeof(oa) }; 106 | 107 | if (0 <= (status = NtOpenProcess(&hProcess, PROCESS_VM_OPERATION, &oa, ClientId))) 108 | { 109 | if (0 <= (status = CreateSection(&hSection, lpLibFileName))) 110 | { 111 | SIZE_T ViewSize = 0; 112 | PVOID BaseAddress = 0; 113 | 114 | ////////////////////////////////////////////////////////////////////////// 115 | // 116 | // ERROR: Unable to find system process **** 117 | // ERROR: The process being debugged has either exited or cannot be accessed 118 | // ERROR: Many commands will not work properly 119 | // ERROR: Module load event for unknown process 120 | // 121 | ////////////////////////////////////////////////////////////////////////// 122 | 123 | status = ZwMapViewOfSection(hSection, hProcess, &BaseAddress, 124 | 0, 0, 0, &ViewSize, ViewShare, 0, PAGE_EXECUTE); 125 | 126 | NtClose(hSection); 127 | 128 | if (0 <= status) 129 | { 130 | bPost = TRUE; 131 | 132 | if (0 > (status = NotifyParent(hThread, BaseAddress, p, status))) 133 | { 134 | ZwUnmapViewOfSection(hProcess, BaseAddress); 135 | } 136 | } 137 | } 138 | 139 | NtClose(hProcess); 140 | } 141 | 142 | if (!bPost) NotifyParent(hThread, 0, p, status); 143 | 144 | return status; 145 | } 146 | 147 | NTSTATUS DoRemoteUnMap( 148 | _In_ PVOID BaseAddress, 149 | _In_ PCLIENT_ID ClientId, 150 | _In_ HANDLE hThread, 151 | _In_ BAS* p) 152 | { 153 | HANDLE hProcess; 154 | 155 | NTSTATUS status; 156 | 157 | OBJECT_ATTRIBUTES oa = { sizeof(oa) }; 158 | 159 | if (0 <= (status = NtOpenProcess(&hProcess, PROCESS_VM_OPERATION, &oa, ClientId))) 160 | { 161 | status = ZwUnmapViewOfSection(hProcess, BaseAddress); 162 | 163 | NtClose(hProcess); 164 | } 165 | 166 | NotifyParent(hThread, BaseAddress, p, status); 167 | 168 | return status; 169 | } 170 | 171 | NTSTATUS OpenParentThread(_Out_ PHANDLE ThreadHandle, 172 | _In_ ACCESS_MASK DesiredAccess, 173 | _In_ PCLIENT_ID ClientId) 174 | /* 175 | thread with ClientId must be created *before* current thread 176 | */ 177 | { 178 | NTSTATUS status; 179 | KERNEL_USER_TIMES kut, my_kut; 180 | 181 | if (0 <= (status = NtQueryInformationThread(NtCurrentThread(), ThreadTimes, &my_kut, sizeof(my_kut), 0))) 182 | { 183 | HANDLE hThread; 184 | OBJECT_ATTRIBUTES oa = { sizeof(oa) }; 185 | 186 | if (0 <= (status = NtOpenThread(&hThread, DesiredAccess | THREAD_QUERY_LIMITED_INFORMATION, &oa, ClientId))) 187 | { 188 | if (0 <= (status = NtQueryInformationThread(hThread, ThreadTimes, &kut, sizeof(kut), 0))) 189 | { 190 | if (kut.CreateTime.QuadPart <= my_kut.CreateTime.QuadPart) 191 | { 192 | *ThreadHandle = hThread; 193 | return STATUS_SUCCESS; 194 | } 195 | 196 | // original thread terminated and other thread reuse it id 197 | status = STATUS_INVALID_CID; 198 | } 199 | 200 | NtClose(hThread); 201 | } 202 | } 203 | 204 | return status; 205 | } 206 | 207 | NTSTATUS fork(_Out_ void** phmod, _In_ PCWSTR lpLibFileName = 0, _In_ PVOID BaseAddress = 0) 208 | { 209 | HANDLE hProcess, hThread; 210 | 211 | BAS ba{ 0, STATUS_UNSUCCESSFUL }; 212 | 213 | CLIENT_ID cid = { (HANDLE)(ULONG_PTR)GetCurrentProcessId(), (HANDLE)(ULONG_PTR)GetCurrentThreadId() }; 214 | 215 | NTSTATUS status = CloneUserProcess(&hProcess, &hThread, TRUE, 0, 0); 216 | 217 | if (STATUS_PROCESS_CLONED == status) 218 | { 219 | // ++ cloned process 220 | 221 | if (0 <= (status = OpenParentThread(&hThread, THREAD_ALERT | THREAD_SET_CONTEXT, &cid))) 222 | { 223 | status = BaseAddress ? DoRemoteUnMap(BaseAddress, &cid, hThread, &ba) : 224 | lpLibFileName ? DoRemoteMap(lpLibFileName, &cid, hThread, &ba) : NtAlertThread(hThread); 225 | 226 | NtClose(hThread); 227 | } 228 | 229 | NtTerminateProcess(NtCurrentProcess(), status); 230 | 231 | // -- cloned process 232 | } 233 | 234 | if (0 <= status) 235 | { 236 | NtClose(hThread); 237 | 238 | status = NtWaitForSingleObject(hProcess, TRUE, 0); 239 | 240 | NtClose(hProcess); 241 | 242 | if (STATUS_USER_APC == status) 243 | { 244 | DbgPrint("addr = %p, s = %x\n", ba.BaseAddress, ba.status); 245 | 246 | if (0 <= (status = ba.status)) 247 | { 248 | *phmod = ba.BaseAddress; 249 | } 250 | } 251 | else 252 | { 253 | status = STATUS_UNSUCCESSFUL; 254 | } 255 | } 256 | 257 | return status; 258 | } 259 | 260 | void WINAPI ep(void*) 261 | { 262 | MessageBoxW(0, 0, L"POC", MB_ICONWARNING); 263 | void* hmod; 264 | NTSTATUS status = fork(&hmod, L"kerberos.dll"); 265 | WCHAR sz[0x40]; 266 | if (0 > status) 267 | { 268 | swprintf_s(sz, _countof(sz), L"error = %x", status); 269 | } 270 | else 271 | { 272 | swprintf_s(sz, _countof(sz), L"hmod = %p", hmod); 273 | } 274 | MessageBoxW(0, sz, L"load kerberos", MB_ICONINFORMATION); 275 | 276 | if (0 <= status) 277 | { 278 | status = fork(&hmod, 0, hmod); 279 | swprintf_s(sz, _countof(sz), L"error = %x", status); 280 | MessageBoxW(0, sz, L"unload", MB_ICONINFORMATION); 281 | } 282 | 283 | ExitProcess(0); 284 | } 285 | -------------------------------------------------------------------------------- /SkipPsNotify/regedit.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/RtlClone/a966a2e3de42025810f5649ed061b7c8e0ae5ad6/SkipPsNotify/regedit.ico -------------------------------------------------------------------------------- /SkipPsNotify/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by ITUI.rc 4 | // 5 | 6 | // Next default values for new objects 7 | // 8 | #ifdef APSTUDIO_INVOKED 9 | #ifndef APSTUDIO_READONLY_SYMBOLS 10 | #define _APS_NEXT_RESOURCE_VALUE 101 11 | #define _APS_NEXT_COMMAND_VALUE 40001 12 | #define _APS_NEXT_CONTROL_VALUE 1001 13 | #define _APS_NEXT_SYMED_VALUE 101 14 | #endif 15 | #endif 16 | -------------------------------------------------------------------------------- /SkipPsNotify/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | void* __cdecl operator new[](size_t ByteSize) 4 | { 5 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 6 | } 7 | 8 | void* __cdecl operator new(size_t ByteSize) 9 | { 10 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 11 | } 12 | 13 | void __cdecl operator delete(void* Buffer) 14 | { 15 | HeapFree(GetProcessHeap(), 0, Buffer); 16 | } 17 | 18 | void __cdecl operator delete(void* Buffer, size_t) 19 | { 20 | HeapFree(GetProcessHeap(), 0, Buffer); 21 | } 22 | 23 | void __cdecl operator delete[](void* Buffer) 24 | { 25 | HeapFree(GetProcessHeap(), 0, Buffer); 26 | } 27 | 28 | void __cdecl operator delete[](void* Buffer, size_t) 29 | { 30 | HeapFree(GetProcessHeap(), 0, Buffer); 31 | } -------------------------------------------------------------------------------- /SkipPsNotify/stdafx.h: -------------------------------------------------------------------------------- 1 | #define SECURITY_WIN32 2 | #include "pch.h" -------------------------------------------------------------------------------- /Solution.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33723.286 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Clone", "src\Clone.vcxproj", "{99B006C0-3A27-3A3C-6588-6C86BD57A80D}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SkipPsNotify", "SkipPsNotify\SkipPsNotify.vcxproj", "{983067F0-C52A-5216-A233-AEFCF52D77DC}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {99B006C0-3A27-3A3C-6588-6C86BD57A80D}.Release|x64.ActiveCfg = Release|x64 17 | {99B006C0-3A27-3A3C-6588-6C86BD57A80D}.Release|x64.Build.0 = Release|x64 18 | {99B006C0-3A27-3A3C-6588-6C86BD57A80D}.Release|x86.ActiveCfg = Release|Win32 19 | {99B006C0-3A27-3A3C-6588-6C86BD57A80D}.Release|x86.Build.0 = Release|Win32 20 | {983067F0-C52A-5216-A233-AEFCF52D77DC}.Release|x64.ActiveCfg = Release|x64 21 | {983067F0-C52A-5216-A233-AEFCF52D77DC}.Release|x64.Build.0 = Release|x64 22 | {983067F0-C52A-5216-A233-AEFCF52D77DC}.Release|x86.ActiveCfg = Release|Win32 23 | {983067F0-C52A-5216-A233-AEFCF52D77DC}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {0A7AB709-7E2F-4C29-BCBC-0C0093D1DE9D} 30 | SolutionGuid = {31E95A3C-0BE4-4890-815C-0391F78DB4AF} 31 | SolutionGuid = {3F900B2D-D854-4D44-9CC2-C7D9A85A41A3} 32 | SolutionGuid = {FA75AC33-EDD7-4B1A-8D3E-6AE708A788CE} 33 | EndGlobalSection 34 | EndGlobal 35 | -------------------------------------------------------------------------------- /pnth/.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /pnth/mini_yvals.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef _HAS_CXX17 4 | #ifdef _MSVC_LANG 5 | #if _MSVC_LANG > 201402 6 | #define _HAS_CXX17 1 7 | #else /* _MSVC_LANG > 201402 */ 8 | #define _HAS_CXX17 0 9 | #endif /* _MSVC_LANG > 201402 */ 10 | #else /* _MSVC_LANG */ 11 | #if __cplusplus > 201402 12 | #define _HAS_CXX17 1 13 | #else /* __cplusplus > 201402 */ 14 | #define _HAS_CXX17 0 15 | #endif /* __cplusplus > 201402 */ 16 | #endif /* _MSVC_LANG */ 17 | #endif /* _HAS_CXX17 */ 18 | 19 | #ifndef _NODISCARD 20 | #if _HAS_CXX17 21 | #define _NODISCARD [[nodiscard]] 22 | #else 23 | #define _NODISCARD 24 | #endif 25 | #endif//_NODISCARD 26 | 27 | #ifndef _CRT_STRINGIZE 28 | #define _CRT_STRINGIZE_(x) #x 29 | #define _CRT_STRINGIZE(x) _CRT_STRINGIZE_(x) 30 | #endif 31 | 32 | #ifndef _CRT_WIDE 33 | #define _CRT_WIDE_(s) L ## s 34 | #define _CRT_WIDE(s) _CRT_WIDE_(s) 35 | #endif 36 | 37 | #ifndef _CRT_CONCATENATE 38 | #define _CRT_CONCATENATE_(a, b) a ## b 39 | #define _CRT_CONCATENATE(a, b) _CRT_CONCATENATE_(a, b) 40 | #endif 41 | 42 | 43 | #ifndef _CRT_UNPARENTHESIZE 44 | #define _CRT_UNPARENTHESIZE_(...) __VA_ARGS__ 45 | #define _CRT_UNPARENTHESIZE(...) _CRT_UNPARENTHESIZE_ __VA_ARGS__ 46 | #endif 47 | 48 | #ifndef __has_cpp_attribute // vvv no attributes vvv 49 | #define _LIKELY 50 | #define _UNLIKELY 51 | #elif __has_cpp_attribute(likely) >= 201803L && __has_cpp_attribute(unlikely) >= 201803L // ^^^ no attr / C++20 attr vvv 52 | #define _LIKELY [[likely]] 53 | #define _UNLIKELY [[unlikely]] 54 | #elif defined(__clang__) // ^^^ C++20 attributes / clang attributes and C++17 or C++14 vvv 55 | #define _LIKELY [[__likely__]] 56 | #define _UNLIKELY [[__unlikely__]] 57 | #else // ^^^ clang attributes and C++17 or C++14 / C1XX attributes and C++17 or C++14 vvv 58 | #define _LIKELY 59 | #define _UNLIKELY 60 | #endif // ^^^ C1XX attributes and C++17 or C++14 ^^^ 61 | 62 | 63 | -------------------------------------------------------------------------------- /pnth/ntdbg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTDBG_H 13 | #define _NTDBG_H 14 | 15 | // Debugging 16 | 17 | NTSYSAPI 18 | VOID 19 | NTAPI 20 | DbgUserBreakPoint( 21 | VOID 22 | ); 23 | 24 | NTSYSAPI 25 | VOID 26 | NTAPI 27 | DbgBreakPoint( 28 | VOID 29 | ); 30 | 31 | NTSYSAPI 32 | VOID 33 | NTAPI 34 | DbgBreakPointWithStatus( 35 | _In_ ULONG Status 36 | ); 37 | 38 | #define DBG_STATUS_CONTROL_C 1 39 | #define DBG_STATUS_SYSRQ 2 40 | #define DBG_STATUS_BUGCHECK_FIRST 3 41 | #define DBG_STATUS_BUGCHECK_SECOND 4 42 | #define DBG_STATUS_FATAL 5 43 | #define DBG_STATUS_DEBUG_CONTROL 6 44 | #define DBG_STATUS_WORKER 7 45 | 46 | NTSYSAPI 47 | ULONG 48 | STDAPIVCALLTYPE 49 | DbgPrint( 50 | _In_z_ _Printf_format_string_ PCSTR Format, 51 | ... 52 | ); 53 | 54 | NTSYSAPI 55 | ULONG 56 | STDAPIVCALLTYPE 57 | DbgPrintEx( 58 | _In_ ULONG ComponentId, 59 | _In_ ULONG Level, 60 | _In_z_ _Printf_format_string_ PCSTR Format, 61 | ... 62 | ); 63 | 64 | NTSYSAPI 65 | ULONG 66 | NTAPI 67 | vDbgPrintEx( 68 | _In_ ULONG ComponentId, 69 | _In_ ULONG Level, 70 | _In_z_ PCCH Format, 71 | _In_ va_list arglist 72 | ); 73 | 74 | NTSYSAPI 75 | ULONG 76 | NTAPI 77 | vDbgPrintExWithPrefix( 78 | _In_z_ PCCH Prefix, 79 | _In_ ULONG ComponentId, 80 | _In_ ULONG Level, 81 | _In_z_ PCCH Format, 82 | _In_ va_list arglist 83 | ); 84 | 85 | NTSYSAPI 86 | NTSTATUS 87 | NTAPI 88 | DbgQueryDebugFilterState( 89 | _In_ ULONG ComponentId, 90 | _In_ ULONG Level 91 | ); 92 | 93 | NTSYSAPI 94 | NTSTATUS 95 | NTAPI 96 | DbgSetDebugFilterState( 97 | _In_ ULONG ComponentId, 98 | _In_ ULONG Level, 99 | _In_ BOOLEAN State 100 | ); 101 | 102 | NTSYSAPI 103 | ULONG 104 | NTAPI 105 | DbgPrompt( 106 | _In_ PCCH Prompt, 107 | _Out_writes_bytes_(Length) PCH Response, 108 | _In_ ULONG Length 109 | ); 110 | 111 | // Definitions 112 | 113 | typedef struct _DBGKM_EXCEPTION 114 | { 115 | EXCEPTION_RECORD ExceptionRecord; 116 | ULONG FirstChance; 117 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 118 | 119 | typedef struct _DBGKM_CREATE_THREAD 120 | { 121 | ULONG SubSystemKey; 122 | PVOID StartAddress; 123 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 124 | 125 | typedef struct _DBGKM_CREATE_PROCESS 126 | { 127 | ULONG SubSystemKey; 128 | HANDLE FileHandle; 129 | PVOID BaseOfImage; 130 | ULONG DebugInfoFileOffset; 131 | ULONG DebugInfoSize; 132 | DBGKM_CREATE_THREAD InitialThread; 133 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 134 | 135 | typedef struct _DBGKM_EXIT_THREAD 136 | { 137 | NTSTATUS ExitStatus; 138 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 139 | 140 | typedef struct _DBGKM_EXIT_PROCESS 141 | { 142 | NTSTATUS ExitStatus; 143 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 144 | 145 | typedef struct _DBGKM_LOAD_DLL 146 | { 147 | HANDLE FileHandle; 148 | PVOID BaseOfDll; 149 | ULONG DebugInfoFileOffset; 150 | ULONG DebugInfoSize; 151 | PVOID NamePointer; 152 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 153 | 154 | typedef struct _DBGKM_UNLOAD_DLL 155 | { 156 | PVOID BaseAddress; 157 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 158 | 159 | typedef enum _DBG_STATE 160 | { 161 | DbgIdle, 162 | DbgReplyPending, 163 | DbgCreateThreadStateChange, 164 | DbgCreateProcessStateChange, 165 | DbgExitThreadStateChange, 166 | DbgExitProcessStateChange, 167 | DbgExceptionStateChange, 168 | DbgBreakpointStateChange, 169 | DbgSingleStepStateChange, 170 | DbgLoadDllStateChange, 171 | DbgUnloadDllStateChange 172 | } DBG_STATE, *PDBG_STATE; 173 | 174 | typedef struct _DBGUI_CREATE_THREAD 175 | { 176 | HANDLE HandleToThread; 177 | DBGKM_CREATE_THREAD NewThread; 178 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 179 | 180 | typedef struct _DBGUI_CREATE_PROCESS 181 | { 182 | HANDLE HandleToProcess; 183 | HANDLE HandleToThread; 184 | DBGKM_CREATE_PROCESS NewProcess; 185 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 186 | 187 | typedef struct _DBGUI_WAIT_STATE_CHANGE 188 | { 189 | DBG_STATE NewState; 190 | CLIENT_ID AppClientId; 191 | union 192 | { 193 | DBGKM_EXCEPTION Exception; 194 | DBGUI_CREATE_THREAD CreateThread; 195 | DBGUI_CREATE_PROCESS CreateProcessInfo; 196 | DBGKM_EXIT_THREAD ExitThread; 197 | DBGKM_EXIT_PROCESS ExitProcess; 198 | DBGKM_LOAD_DLL LoadDll; 199 | DBGKM_UNLOAD_DLL UnloadDll; 200 | }; 201 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 202 | 203 | #define DEBUG_READ_EVENT 0x0001 204 | #define DEBUG_PROCESS_ASSIGN 0x0002 205 | #define DEBUG_SET_INFORMATION 0x0004 206 | #define DEBUG_QUERY_INFORMATION 0x0008 207 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 208 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 209 | DEBUG_QUERY_INFORMATION) 210 | 211 | #define DEBUG_KILL_ON_CLOSE 0x1 212 | 213 | typedef enum _DEBUGOBJECTINFOCLASS 214 | { 215 | DebugObjectUnusedInformation, 216 | DebugObjectKillProcessOnExitInformation, // s: ULONG 217 | MaxDebugObjectInfoClass 218 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 219 | 220 | // System calls 221 | 222 | NTSYSCALLAPI 223 | NTSTATUS 224 | NTAPI 225 | NtCreateDebugObject( 226 | _Out_ PHANDLE DebugObjectHandle, 227 | _In_ ACCESS_MASK DesiredAccess, 228 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 229 | _In_ ULONG Flags 230 | ); 231 | 232 | NTSYSCALLAPI 233 | NTSTATUS 234 | NTAPI 235 | NtDebugActiveProcess( 236 | _In_ HANDLE ProcessHandle, 237 | _In_ HANDLE DebugObjectHandle 238 | ); 239 | 240 | NTSYSCALLAPI 241 | NTSTATUS 242 | NTAPI 243 | NtDebugContinue( 244 | _In_ HANDLE DebugObjectHandle, 245 | _In_ PCLIENT_ID ClientId, 246 | _In_ NTSTATUS ContinueStatus 247 | ); 248 | 249 | NTSYSCALLAPI 250 | NTSTATUS 251 | NTAPI 252 | NtRemoveProcessDebug( 253 | _In_ HANDLE ProcessHandle, 254 | _In_ HANDLE DebugObjectHandle 255 | ); 256 | 257 | NTSYSCALLAPI 258 | NTSTATUS 259 | NTAPI 260 | NtSetInformationDebugObject( 261 | _In_ HANDLE DebugObjectHandle, 262 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 263 | _In_ PVOID DebugInformation, 264 | _In_ ULONG DebugInformationLength, 265 | _Out_opt_ PULONG ReturnLength 266 | ); 267 | 268 | NTSYSCALLAPI 269 | NTSTATUS 270 | NTAPI 271 | NtWaitForDebugEvent( 272 | _In_ HANDLE DebugObjectHandle, 273 | _In_ BOOLEAN Alertable, 274 | _In_opt_ PLARGE_INTEGER Timeout, 275 | _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange 276 | ); 277 | 278 | // Debugging UI 279 | 280 | NTSYSAPI 281 | NTSTATUS 282 | NTAPI 283 | DbgUiConnectToDbg( 284 | VOID 285 | ); 286 | 287 | NTSYSAPI 288 | HANDLE 289 | NTAPI 290 | DbgUiGetThreadDebugObject( 291 | VOID 292 | ); 293 | 294 | NTSYSAPI 295 | VOID 296 | NTAPI 297 | DbgUiSetThreadDebugObject( 298 | _In_ HANDLE DebugObject 299 | ); 300 | 301 | NTSYSAPI 302 | NTSTATUS 303 | NTAPI 304 | DbgUiWaitStateChange( 305 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 306 | _In_opt_ PLARGE_INTEGER Timeout 307 | ); 308 | 309 | NTSYSAPI 310 | NTSTATUS 311 | NTAPI 312 | DbgUiContinue( 313 | _In_ PCLIENT_ID AppClientId, 314 | _In_ NTSTATUS ContinueStatus 315 | ); 316 | 317 | NTSYSAPI 318 | NTSTATUS 319 | NTAPI 320 | DbgUiStopDebugging( 321 | _In_ HANDLE Process 322 | ); 323 | 324 | NTSYSAPI 325 | NTSTATUS 326 | NTAPI 327 | DbgUiDebugActiveProcess( 328 | _In_ HANDLE Process 329 | ); 330 | 331 | NTSYSAPI 332 | VOID 333 | NTAPI 334 | DbgUiRemoteBreakin( 335 | _In_ PVOID Context 336 | ); 337 | 338 | NTSYSAPI 339 | NTSTATUS 340 | NTAPI 341 | DbgUiIssueRemoteBreakin( 342 | _In_ HANDLE Process 343 | ); 344 | 345 | NTSYSAPI 346 | NTSTATUS 347 | NTAPI 348 | DbgUiConvertStateChangeStructure( 349 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 350 | _Out_ LPDEBUG_EVENT DebugEvent 351 | ); 352 | 353 | NTSYSAPI 354 | NTSTATUS 355 | NTAPI 356 | DbgUiConvertStateChangeStructureEx( 357 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 358 | _Out_ LPDEBUG_EVENT DebugEvent 359 | ); 360 | 361 | struct _EVENT_FILTER_DESCRIPTOR; 362 | 363 | typedef VOID (NTAPI *PENABLECALLBACK)( 364 | _In_ LPCGUID SourceId, 365 | _In_ ULONG IsEnabled, 366 | _In_ UCHAR Level, 367 | _In_ ULONGLONG MatchAnyKeyword, 368 | _In_ ULONGLONG MatchAllKeyword, 369 | _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData, 370 | _Inout_opt_ PVOID CallbackContext 371 | ); 372 | 373 | typedef ULONGLONG REGHANDLE, *PREGHANDLE; 374 | 375 | NTSYSAPI 376 | NTSTATUS 377 | NTAPI 378 | EtwEventRegister( 379 | _In_ LPCGUID ProviderId, 380 | _In_opt_ PENABLECALLBACK EnableCallback, 381 | _In_opt_ PVOID CallbackContext, 382 | _Out_ PREGHANDLE RegHandle 383 | ); 384 | 385 | #endif 386 | -------------------------------------------------------------------------------- /pnth/ntgdi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTGDI_H 13 | #define _NTGDI_H 14 | 15 | #define GDI_MAX_HANDLE_COUNT 0xFFFF // 0x4000 16 | 17 | #define GDI_HANDLE_INDEX_SHIFT 0 18 | #define GDI_HANDLE_INDEX_BITS 16 19 | #define GDI_HANDLE_INDEX_MASK 0xffff 20 | 21 | #define GDI_HANDLE_TYPE_SHIFT 16 22 | #define GDI_HANDLE_TYPE_BITS 5 23 | #define GDI_HANDLE_TYPE_MASK 0x1f 24 | 25 | #define GDI_HANDLE_ALTTYPE_SHIFT 21 26 | #define GDI_HANDLE_ALTTYPE_BITS 2 27 | #define GDI_HANDLE_ALTTYPE_MASK 0x3 28 | 29 | #define GDI_HANDLE_STOCK_SHIFT 23 30 | #define GDI_HANDLE_STOCK_BITS 1 31 | #define GDI_HANDLE_STOCK_MASK 0x1 32 | 33 | #define GDI_HANDLE_UNIQUE_SHIFT 24 34 | #define GDI_HANDLE_UNIQUE_BITS 8 35 | #define GDI_HANDLE_UNIQUE_MASK 0xff 36 | 37 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) 38 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) 39 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) 40 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK) 41 | 42 | #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) 43 | 44 | // GDI server-side types 45 | 46 | #define GDI_DEF_TYPE 0 // invalid handle 47 | #define GDI_DC_TYPE 1 48 | #define GDI_DD_DIRECTDRAW_TYPE 2 49 | #define GDI_DD_SURFACE_TYPE 3 50 | #define GDI_RGN_TYPE 4 51 | #define GDI_SURF_TYPE 5 52 | #define GDI_CLIENTOBJ_TYPE 6 53 | #define GDI_PATH_TYPE 7 54 | #define GDI_PAL_TYPE 8 55 | #define GDI_ICMLCS_TYPE 9 56 | #define GDI_LFONT_TYPE 10 57 | #define GDI_RFONT_TYPE 11 58 | #define GDI_PFE_TYPE 12 59 | #define GDI_PFT_TYPE 13 60 | #define GDI_ICMCXF_TYPE 14 61 | #define GDI_ICMDLL_TYPE 15 62 | #define GDI_BRUSH_TYPE 16 63 | #define GDI_PFF_TYPE 17 // unused 64 | #define GDI_CACHE_TYPE 18 // unused 65 | #define GDI_SPACE_TYPE 19 66 | #define GDI_DBRUSH_TYPE 20 // unused 67 | #define GDI_META_TYPE 21 68 | #define GDI_EFSTATE_TYPE 22 69 | #define GDI_BMFD_TYPE 23 // unused 70 | #define GDI_VTFD_TYPE 24 // unused 71 | #define GDI_TTFD_TYPE 25 // unused 72 | #define GDI_RC_TYPE 26 // unused 73 | #define GDI_TEMP_TYPE 27 // unused 74 | #define GDI_DRVOBJ_TYPE 28 75 | #define GDI_DCIOBJ_TYPE 29 // unused 76 | #define GDI_SPOOL_TYPE 30 77 | 78 | // GDI client-side types 79 | 80 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ 81 | (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) 82 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) 83 | 84 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) 85 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) 86 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) 87 | 88 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) 89 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) 90 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) 91 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) 92 | #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT) 93 | #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT) 94 | #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT) 95 | 96 | #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1) 97 | #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1) 98 | #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2) 99 | #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3) 100 | #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2) 101 | #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1) 102 | #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1) 103 | 104 | typedef struct _GDI_HANDLE_ENTRY 105 | { 106 | union 107 | { 108 | PVOID Object; 109 | PVOID NextFree; 110 | }; 111 | union 112 | { 113 | struct 114 | { 115 | USHORT ProcessId; 116 | USHORT Lock : 1; 117 | USHORT Count : 15; 118 | }; 119 | ULONG Value; 120 | } Owner; 121 | USHORT Unique; 122 | UCHAR Type; 123 | UCHAR Flags; 124 | PVOID UserPointer; 125 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; 126 | 127 | typedef struct _GDI_SHARED_MEMORY 128 | { 129 | GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; 130 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; 131 | 132 | #endif 133 | -------------------------------------------------------------------------------- /pnth/ntkeapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTKEAPI_H 13 | #define _NTKEAPI_H 14 | 15 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 16 | #define LOW_PRIORITY 0 // Lowest thread priority level 17 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 18 | #define HIGH_PRIORITY 31 // Highest thread priority level 19 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 20 | #endif 21 | 22 | typedef enum _KTHREAD_STATE 23 | { 24 | Initialized, 25 | Ready, 26 | Running, 27 | Standby, 28 | Terminated, 29 | Waiting, 30 | Transition, 31 | DeferredReady, 32 | GateWaitObsolete, 33 | WaitingForProcessInSwap, 34 | MaximumThreadState 35 | } KTHREAD_STATE, *PKTHREAD_STATE; 36 | 37 | // private 38 | typedef enum _KHETERO_CPU_POLICY 39 | { 40 | KHeteroCpuPolicyAll = 0, 41 | KHeteroCpuPolicyLarge = 1, 42 | KHeteroCpuPolicyLargeOrIdle = 2, 43 | KHeteroCpuPolicySmall = 3, 44 | KHeteroCpuPolicySmallOrIdle = 4, 45 | KHeteroCpuPolicyDynamic = 5, 46 | KHeteroCpuPolicyStaticMax = 5, // valid 47 | KHeteroCpuPolicyBiasedSmall = 6, 48 | KHeteroCpuPolicyBiasedLarge = 7, 49 | KHeteroCpuPolicyDefault = 8, 50 | KHeteroCpuPolicyMax = 9 51 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 52 | 53 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 54 | 55 | typedef enum _KWAIT_REASON 56 | { 57 | Executive, 58 | FreePage, 59 | PageIn, 60 | PoolAllocation, 61 | DelayExecution, 62 | Suspended, 63 | UserRequest, 64 | WrExecutive, 65 | WrFreePage, 66 | WrPageIn, 67 | WrPoolAllocation, 68 | WrDelayExecution, 69 | WrSuspended, 70 | WrUserRequest, 71 | WrEventPair, 72 | WrQueue, 73 | WrLpcReceive, 74 | WrLpcReply, 75 | WrVirtualMemory, 76 | WrPageOut, 77 | WrRendezvous, 78 | WrKeyedEvent, 79 | WrTerminated, 80 | WrProcessInSwap, 81 | WrCpuRateControl, 82 | WrCalloutStack, 83 | WrKernel, 84 | WrResource, 85 | WrPushLock, 86 | WrMutex, 87 | WrQuantumEnd, 88 | WrDispatchInt, 89 | WrPreempted, 90 | WrYieldExecution, 91 | WrFastMutex, 92 | WrGuardedMutex, 93 | WrRundown, 94 | WrAlertByThreadId, 95 | WrDeferredPreempt, 96 | WrPhysicalFault, 97 | WrIoRing, 98 | WrMdlCache, 99 | MaximumWaitReason 100 | } KWAIT_REASON, *PKWAIT_REASON; 101 | 102 | typedef enum _KPROFILE_SOURCE 103 | { 104 | ProfileTime, 105 | ProfileAlignmentFixup, 106 | ProfileTotalIssues, 107 | ProfilePipelineDry, 108 | ProfileLoadInstructions, 109 | ProfilePipelineFrozen, 110 | ProfileBranchInstructions, 111 | ProfileTotalNonissues, 112 | ProfileDcacheMisses, 113 | ProfileIcacheMisses, 114 | ProfileCacheMisses, 115 | ProfileBranchMispredictions, 116 | ProfileStoreInstructions, 117 | ProfileFpInstructions, 118 | ProfileIntegerInstructions, 119 | Profile2Issue, 120 | Profile3Issue, 121 | Profile4Issue, 122 | ProfileSpecialInstructions, 123 | ProfileTotalCycles, 124 | ProfileIcacheIssues, 125 | ProfileDcacheAccesses, 126 | ProfileMemoryBarrierCycles, 127 | ProfileLoadLinkedIssues, 128 | ProfileMaximum 129 | } KPROFILE_SOURCE; 130 | 131 | #endif 132 | 133 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 134 | 135 | NTSYSCALLAPI 136 | NTSTATUS 137 | NTAPI 138 | NtCallbackReturn( 139 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 140 | _In_ ULONG OutputLength, 141 | _In_ NTSTATUS Status 142 | ); 143 | 144 | #if (PHNT_VERSION >= PHNT_VISTA) 145 | NTSYSCALLAPI 146 | VOID 147 | NTAPI 148 | NtFlushProcessWriteBuffers( 149 | VOID 150 | ); 151 | #endif 152 | 153 | NTSYSCALLAPI 154 | NTSTATUS 155 | NTAPI 156 | NtQueryDebugFilterState( 157 | _In_ ULONG ComponentId, 158 | _In_ ULONG Level 159 | ); 160 | 161 | NTSYSCALLAPI 162 | NTSTATUS 163 | NTAPI 164 | NtSetDebugFilterState( 165 | _In_ ULONG ComponentId, 166 | _In_ ULONG Level, 167 | _In_ BOOLEAN State 168 | ); 169 | 170 | NTSYSCALLAPI 171 | NTSTATUS 172 | NTAPI 173 | NtYieldExecution( 174 | VOID 175 | ); 176 | 177 | #endif 178 | 179 | #endif 180 | -------------------------------------------------------------------------------- /pnth/ntmisc.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTMISC_H 13 | #define _NTMISC_H 14 | 15 | // Filter manager 16 | 17 | #define FLT_PORT_CONNECT 0x0001 18 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) 19 | 20 | // VDM 21 | 22 | typedef enum _VDMSERVICECLASS 23 | { 24 | VdmStartExecution, 25 | VdmQueueInterrupt, 26 | VdmDelayInterrupt, 27 | VdmInitialize, 28 | VdmFeatures, 29 | VdmSetInt21Handler, 30 | VdmQueryDir, 31 | VdmPrinterDirectIoOpen, 32 | VdmPrinterDirectIoClose, 33 | VdmPrinterInitialize, 34 | VdmSetLdtEntries, 35 | VdmSetProcessLdtInfo, 36 | VdmAdlibEmulation, 37 | VdmPMCliControl, 38 | VdmQueryVdmProcess, 39 | VdmPreInitialize 40 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 41 | 42 | NTSYSCALLAPI 43 | NTSTATUS 44 | NTAPI 45 | NtVdmControl( 46 | _In_ VDMSERVICECLASS Service, 47 | _Inout_ PVOID ServiceData 48 | ); 49 | 50 | // WMI/ETW 51 | 52 | NTSYSCALLAPI 53 | NTSTATUS 54 | NTAPI 55 | NtTraceEvent( 56 | _In_ HANDLE TraceHandle, 57 | _In_ ULONG Flags, 58 | _In_ ULONG FieldSize, 59 | _In_ PVOID Fields 60 | ); 61 | 62 | typedef enum _TRACE_CONTROL_INFORMATION_CLASS 63 | { 64 | TraceControlStartLogger = 1, // inout WMI_LOGGER_INFORMATION 65 | TraceControlStopLogger = 2, // inout WMI_LOGGER_INFORMATION 66 | TraceControlQueryLogger = 3, // inout WMI_LOGGER_INFORMATION 67 | TraceControlUpdateLogger = 4, // inout WMI_LOGGER_INFORMATION 68 | TraceControlFlushLogger = 5, // inout WMI_LOGGER_INFORMATION 69 | TraceControlIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION 70 | TraceControlUnknown = 7, 71 | // unused 72 | TraceControlRealtimeConnect = 11, 73 | TraceControlActivityIdCreate = 12, 74 | TraceControlWdiDispatchControl = 13, 75 | TraceControlRealtimeDisconnectConsumerByHandle = 14, // in HANDLE 76 | TraceControlRegisterGuidsCode = 15, 77 | TraceControlReceiveNotification = 16, 78 | TraceControlSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET 79 | TraceControlSendReplyDataBlock = 18, 80 | TraceControlReceiveReplyDataBlock = 19, 81 | TraceControlWdiUpdateSem = 20, 82 | TraceControlEnumTraceGuidList = 21, // out GUID[] 83 | TraceControlGetTraceGuidInfo = 22, // in GUID, out TRACE_GUID_INFO 84 | TraceControlEnumerateTraceGuids = 23, 85 | TraceControlRegisterSecurityProv = 24, 86 | TraceControlQueryReferenceTime = 25, 87 | TraceControlTrackProviderBinary = 26, // in HANDLE 88 | TraceControlAddNotificationEvent = 27, 89 | TraceControlUpdateDisallowList = 28, 90 | TraceControlSetEnableAllKeywordsCode = 29, 91 | TraceControlSetProviderTraitsCode = 30, 92 | TraceControlUseDescriptorTypeCode = 31, 93 | TraceControlEnumTraceGroupList = 32, 94 | TraceControlGetTraceGroupInfo = 33, 95 | TraceControlTraceSetDisallowList = 34, 96 | TraceControlSetCompressionSettings = 35, 97 | TraceControlGetCompressionSettings = 36, 98 | TraceControlUpdatePeriodicCaptureState = 37, 99 | TraceControlGetPrivateSessionTraceHandle = 38, 100 | TraceControlRegisterPrivateSession = 39, 101 | TraceControlQuerySessionDemuxObject = 40, 102 | TraceControlSetProviderBinaryTracking = 41, 103 | TraceControlMaxLoggers = 42, // out ULONG 104 | TraceControlMaxPmcCounter = 43, // out ULONG 105 | TraceControlQueryUsedProcessorCount = 44, // ULONG // since WIN11 106 | TraceControlGetPmcOwnership = 45, 107 | } TRACE_CONTROL_INFORMATION_CLASS; 108 | 109 | #if (PHNT_VERSION >= PHNT_VISTA) 110 | NTSYSCALLAPI 111 | NTSTATUS 112 | NTAPI 113 | NtTraceControl( 114 | _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass, 115 | _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 116 | _In_ ULONG InputBufferLength, 117 | _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation, 118 | _In_ ULONG TraceInformationLength, 119 | _Out_ PULONG ReturnLength 120 | ); 121 | #endif 122 | 123 | #endif 124 | -------------------------------------------------------------------------------- /pnth/ntnls.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTNLS_H 13 | #define _NTNLS_H 14 | 15 | #define MAXIMUM_LEADBYTES 12 16 | 17 | // This structure is the data from the raw codepage files. Note that we set the "Codepage" field 18 | // last, so any threads accessing this pointers in this structure should check to see if that is 19 | // CP_UTF8 (65001) first. If so, they should not use the pointers. 20 | // MemoryBarrier might be warranted before checking CodePage to protect out-of-order reads of the pointers. 21 | typedef struct _CPTABLEINFO { 22 | USHORT CodePage; // code page number (For UTF-8 the rest of the structure is unused) 23 | USHORT MaximumCharacterSize; // max length (bytes) of a char 24 | USHORT DefaultChar; // default character (MB) 25 | USHORT UniDefaultChar; // default character (Unicode) 26 | USHORT TransDefaultChar; // translation of default char (Unicode) 27 | USHORT TransUniDefaultChar; // translation of Unic default char (MB) 28 | USHORT DBCSCodePage; // Non 0 for DBCS code pages 29 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; // lead byte ranges 30 | PUSHORT MultiByteTable; // pointer to MB->Unicode translation table 31 | PVOID WideCharTable; // pointer to WC (Unicode->CodePage) translation table 32 | PUSHORT DBCSRanges; // pointer to DBCS ranges (UNUSED, DO NOT SET) 33 | PUSHORT DBCSOffsets; // pointer to DBCS offsets 34 | } CPTABLEINFO, *PCPTABLEINFO; 35 | 36 | typedef struct _NLSTABLEINFO { 37 | CPTABLEINFO OemTableInfo; 38 | CPTABLEINFO AnsiTableInfo; 39 | PUSHORT UpperCaseTable; // 844 format upcase table 40 | PUSHORT LowerCaseTable; // 844 format lower case table 41 | } NLSTABLEINFO, *PNLSTABLEINFO; 42 | 43 | typedef struct _RTL_NLS_STATE { 44 | CPTABLEINFO DefaultAcpTableInfo; 45 | CPTABLEINFO DefaultOemTableInfo; 46 | PUSHORT ActiveCodePageData; 47 | PUSHORT OemCodePageData; 48 | PUSHORT LeadByteInfo; 49 | PUSHORT OemLeadByteInfo; 50 | PUSHORT CaseMappingData; 51 | PUSHORT UnicodeUpcaseTable844; 52 | PUSHORT UnicodeLowercaseTable844; 53 | } RTL_NLS_STATE, *PRTL_NLS_STATE; 54 | 55 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 56 | 57 | #ifdef DATA_EXPORT 58 | _DATAIMP USHORT NlsAnsiCodePage; 59 | _DATAIMP BOOLEAN NlsMbCodePageTag; 60 | _DATAIMP BOOLEAN NlsMbOemCodePageTag; 61 | 62 | #endif 63 | 64 | #endif 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /pnth/ntobapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTOBAPI_H 13 | #define _NTOBAPI_H 14 | 15 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 16 | #define OBJECT_TYPE_CREATE 0x0001 17 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 18 | #endif 19 | 20 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 21 | #define DIRECTORY_QUERY 0x0001 22 | #define DIRECTORY_TRAVERSE 0x0002 23 | #define DIRECTORY_CREATE_OBJECT 0x0004 24 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 25 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf) 26 | #endif 27 | 28 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 29 | #define SYMBOLIC_LINK_QUERY 0x0001 30 | #define SYMBOLIC_LINK_SET 0x0002 31 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 32 | #define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF) 33 | #endif 34 | 35 | #ifndef OBJ_PROTECT_CLOSE 36 | #define OBJ_PROTECT_CLOSE 0x00000001 37 | #endif 38 | #ifndef OBJ_INHERIT 39 | #define OBJ_INHERIT 0x00000002 40 | #endif 41 | #ifndef OBJ_AUDIT_OBJECT_CLOSE 42 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 43 | #endif 44 | 45 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 46 | typedef enum _OBJECT_INFORMATION_CLASS 47 | { 48 | ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION 49 | ObjectNameInformation, // q: OBJECT_NAME_INFORMATION 50 | ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION 51 | ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION 52 | ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION 53 | ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) 54 | ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) 55 | MaxObjectInfoClass 56 | } OBJECT_INFORMATION_CLASS; 57 | #else 58 | #define ObjectBasicInformation 0 59 | #define ObjectNameInformation 1 60 | #define ObjectTypeInformation 2 61 | #define ObjectTypesInformation 3 62 | #define ObjectHandleFlagInformation 4 63 | #define ObjectSessionInformation 5 64 | #define ObjectSessionObjectInformation 6 65 | #endif 66 | 67 | typedef struct _OBJECT_BASIC_INFORMATION 68 | { 69 | ULONG Attributes; 70 | ACCESS_MASK GrantedAccess; 71 | ULONG HandleCount; 72 | ULONG PointerCount; 73 | ULONG PagedPoolCharge; 74 | ULONG NonPagedPoolCharge; 75 | ULONG Reserved[3]; 76 | ULONG NameInfoSize; 77 | ULONG TypeInfoSize; 78 | ULONG SecurityDescriptorSize; 79 | LARGE_INTEGER CreationTime; 80 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 81 | 82 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 83 | typedef struct _OBJECT_NAME_INFORMATION 84 | { 85 | UNICODE_STRING Name; 86 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 87 | #endif 88 | 89 | typedef struct _OBJECT_TYPE_INFORMATION 90 | { 91 | UNICODE_STRING TypeName; 92 | ULONG TotalNumberOfObjects; 93 | ULONG TotalNumberOfHandles; 94 | ULONG TotalPagedPoolUsage; 95 | ULONG TotalNonPagedPoolUsage; 96 | ULONG TotalNamePoolUsage; 97 | ULONG TotalHandleTableUsage; 98 | ULONG HighWaterNumberOfObjects; 99 | ULONG HighWaterNumberOfHandles; 100 | ULONG HighWaterPagedPoolUsage; 101 | ULONG HighWaterNonPagedPoolUsage; 102 | ULONG HighWaterNamePoolUsage; 103 | ULONG HighWaterHandleTableUsage; 104 | ULONG InvalidAttributes; 105 | GENERIC_MAPPING GenericMapping; 106 | ULONG ValidAccessMask; 107 | BOOLEAN SecurityRequired; 108 | BOOLEAN MaintainHandleCount; 109 | UCHAR TypeIndex; // since WINBLUE 110 | CHAR ReservedByte; 111 | ULONG PoolType; 112 | ULONG DefaultPagedPoolCharge; 113 | ULONG DefaultNonPagedPoolCharge; 114 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 115 | 116 | typedef struct _OBJECT_TYPES_INFORMATION 117 | { 118 | ULONG NumberOfTypes; 119 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 120 | 121 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 122 | { 123 | BOOLEAN Inherit; 124 | BOOLEAN ProtectFromClose; 125 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 126 | 127 | // Objects, handles 128 | 129 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 130 | 131 | NTSYSCALLAPI 132 | NTSTATUS 133 | NTAPI 134 | NtQueryObject( 135 | _In_opt_ HANDLE Handle, 136 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 137 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 138 | _In_ ULONG ObjectInformationLength, 139 | _Out_opt_ PULONG ReturnLength 140 | ); 141 | 142 | NTSYSCALLAPI 143 | NTSTATUS 144 | NTAPI 145 | NtSetInformationObject( 146 | _In_ HANDLE Handle, 147 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 148 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 149 | _In_ ULONG ObjectInformationLength 150 | ); 151 | 152 | #define DUPLICATE_CLOSE_SOURCE 0x00000001 153 | #define DUPLICATE_SAME_ACCESS 0x00000002 154 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtDuplicateObject( 160 | _In_ HANDLE SourceProcessHandle, 161 | _In_ HANDLE SourceHandle, 162 | _In_opt_ HANDLE TargetProcessHandle, 163 | _Out_opt_ PHANDLE TargetHandle, 164 | _In_ ACCESS_MASK DesiredAccess, 165 | _In_ ULONG HandleAttributes, 166 | _In_ ULONG Options 167 | ); 168 | 169 | NTSYSCALLAPI 170 | NTSTATUS 171 | NTAPI 172 | NtMakeTemporaryObject( 173 | _In_ HANDLE Handle 174 | ); 175 | 176 | NTSYSCALLAPI 177 | NTSTATUS 178 | NTAPI 179 | NtMakePermanentObject( 180 | _In_ HANDLE Handle 181 | ); 182 | 183 | NTSYSCALLAPI 184 | NTSTATUS 185 | NTAPI 186 | NtSignalAndWaitForSingleObject( 187 | _In_ HANDLE SignalHandle, 188 | _In_ HANDLE WaitHandle, 189 | _In_ BOOLEAN Alertable, 190 | _In_opt_ PLARGE_INTEGER Timeout 191 | ); 192 | 193 | NTSYSCALLAPI 194 | NTSTATUS 195 | NTAPI 196 | NtWaitForSingleObject( 197 | _In_ HANDLE Handle, 198 | _In_ BOOLEAN Alertable, 199 | _In_opt_ PLARGE_INTEGER Timeout 200 | ); 201 | 202 | NTSYSCALLAPI 203 | NTSTATUS 204 | NTAPI 205 | NtWaitForMultipleObjects( 206 | _In_ ULONG Count, 207 | _In_reads_(Count) HANDLE Handles[], 208 | _In_ WAIT_TYPE WaitType, 209 | _In_ BOOLEAN Alertable, 210 | _In_opt_ PLARGE_INTEGER Timeout 211 | ); 212 | 213 | #if (PHNT_VERSION >= PHNT_WS03) 214 | NTSYSCALLAPI 215 | NTSTATUS 216 | NTAPI 217 | NtWaitForMultipleObjects32( 218 | _In_ ULONG Count, 219 | _In_reads_(Count) LONG Handles[], 220 | _In_ WAIT_TYPE WaitType, 221 | _In_ BOOLEAN Alertable, 222 | _In_opt_ PLARGE_INTEGER Timeout 223 | ); 224 | #endif 225 | 226 | NTSYSCALLAPI 227 | NTSTATUS 228 | NTAPI 229 | NtSetSecurityObject( 230 | _In_ HANDLE Handle, 231 | _In_ SECURITY_INFORMATION SecurityInformation, 232 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 233 | ); 234 | 235 | NTSYSCALLAPI 236 | NTSTATUS 237 | NTAPI 238 | NtQuerySecurityObject( 239 | _In_ HANDLE Handle, 240 | _In_ SECURITY_INFORMATION SecurityInformation, 241 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 242 | _In_ ULONG Length, 243 | _Out_ PULONG LengthNeeded 244 | ); 245 | 246 | NTSYSCALLAPI 247 | NTSTATUS 248 | NTAPI 249 | NtClose( 250 | _In_ _Post_ptr_invalid_ HANDLE Handle 251 | ); 252 | 253 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 254 | NTSYSCALLAPI 255 | NTSTATUS 256 | NTAPI 257 | NtCompareObjects( 258 | _In_ HANDLE FirstObjectHandle, 259 | _In_ HANDLE SecondObjectHandle 260 | ); 261 | #endif 262 | 263 | #endif 264 | 265 | // Directory objects 266 | 267 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 268 | 269 | NTSYSCALLAPI 270 | NTSTATUS 271 | NTAPI 272 | NtCreateDirectoryObject( 273 | _Out_ PHANDLE DirectoryHandle, 274 | _In_ ACCESS_MASK DesiredAccess, 275 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 276 | ); 277 | 278 | #if (PHNT_VERSION >= PHNT_WIN8) 279 | NTSYSCALLAPI 280 | NTSTATUS 281 | NTAPI 282 | NtCreateDirectoryObjectEx( 283 | _Out_ PHANDLE DirectoryHandle, 284 | _In_ ACCESS_MASK DesiredAccess, 285 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 286 | _In_ HANDLE ShadowDirectoryHandle, 287 | _In_ ULONG Flags 288 | ); 289 | #endif 290 | 291 | NTSYSCALLAPI 292 | NTSTATUS 293 | NTAPI 294 | NtOpenDirectoryObject( 295 | _Out_ PHANDLE DirectoryHandle, 296 | _In_ ACCESS_MASK DesiredAccess, 297 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 298 | ); 299 | 300 | typedef struct _OBJECT_DIRECTORY_INFORMATION 301 | { 302 | UNICODE_STRING Name; 303 | UNICODE_STRING TypeName; 304 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 305 | 306 | NTSYSCALLAPI 307 | NTSTATUS 308 | NTAPI 309 | NtQueryDirectoryObject( 310 | _In_ HANDLE DirectoryHandle, 311 | _Out_writes_bytes_opt_(Length) PVOID Buffer, 312 | _In_ ULONG Length, 313 | _In_ BOOLEAN ReturnSingleEntry, 314 | _In_ BOOLEAN RestartScan, 315 | _Inout_ PULONG Context, 316 | _Out_opt_ PULONG ReturnLength 317 | ); 318 | 319 | #endif 320 | 321 | // Private namespaces 322 | 323 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 324 | 325 | #if (PHNT_VERSION >= PHNT_VISTA) 326 | 327 | // private 328 | typedef enum _BOUNDARY_ENTRY_TYPE 329 | { 330 | OBNS_Invalid, 331 | OBNS_Name, 332 | OBNS_SID, 333 | OBNS_IL 334 | } BOUNDARY_ENTRY_TYPE; 335 | 336 | // private 337 | typedef struct _OBJECT_BOUNDARY_ENTRY 338 | { 339 | BOUNDARY_ENTRY_TYPE EntryType; 340 | ULONG EntrySize; 341 | } OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; 342 | 343 | // rev 344 | #define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1 345 | 346 | // private 347 | typedef struct _OBJECT_BOUNDARY_DESCRIPTOR 348 | { 349 | ULONG Version; 350 | ULONG Items; 351 | ULONG TotalSize; 352 | union 353 | { 354 | ULONG Flags; 355 | struct 356 | { 357 | ULONG AddAppContainerSid : 1; 358 | ULONG Reserved : 31; 359 | }; 360 | }; 361 | } OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR; 362 | 363 | NTSYSCALLAPI 364 | NTSTATUS 365 | NTAPI 366 | NtCreatePrivateNamespace( 367 | _Out_ PHANDLE NamespaceHandle, 368 | _In_ ACCESS_MASK DesiredAccess, 369 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 370 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 371 | ); 372 | 373 | NTSYSCALLAPI 374 | NTSTATUS 375 | NTAPI 376 | NtOpenPrivateNamespace( 377 | _Out_ PHANDLE NamespaceHandle, 378 | _In_ ACCESS_MASK DesiredAccess, 379 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 380 | _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor 381 | ); 382 | 383 | NTSYSCALLAPI 384 | NTSTATUS 385 | NTAPI 386 | NtDeletePrivateNamespace( 387 | _In_ HANDLE NamespaceHandle 388 | ); 389 | 390 | #endif 391 | 392 | #endif 393 | 394 | // Symbolic links 395 | 396 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 397 | 398 | NTSYSCALLAPI 399 | NTSTATUS 400 | NTAPI 401 | NtCreateSymbolicLinkObject( 402 | _Out_ PHANDLE LinkHandle, 403 | _In_ ACCESS_MASK DesiredAccess, 404 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 405 | _In_ PUNICODE_STRING LinkTarget 406 | ); 407 | 408 | NTSYSCALLAPI 409 | NTSTATUS 410 | NTAPI 411 | NtOpenSymbolicLinkObject( 412 | _Out_ PHANDLE LinkHandle, 413 | _In_ ACCESS_MASK DesiredAccess, 414 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 415 | ); 416 | 417 | NTSYSCALLAPI 418 | NTSTATUS 419 | NTAPI 420 | NtQuerySymbolicLinkObject( 421 | _In_ HANDLE LinkHandle, 422 | _Inout_ PUNICODE_STRING LinkTarget, 423 | _Out_opt_ PULONG ReturnedLength 424 | ); 425 | 426 | typedef enum _SYMBOLIC_LINK_INFO_CLASS 427 | { 428 | SymbolicLinkGlobalInformation = 1, // s: ULONG 429 | SymbolicLinkAccessMask, // s: ACCESS_MASK 430 | MaxnSymbolicLinkInfoClass 431 | } SYMBOLIC_LINK_INFO_CLASS; 432 | 433 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 434 | NTSYSCALLAPI 435 | NTSTATUS 436 | NTAPI 437 | NtSetInformationSymbolicLink( 438 | _In_ HANDLE LinkHandle, 439 | _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, 440 | _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, 441 | _In_ ULONG SymbolicLinkInformationLength 442 | ); 443 | #endif 444 | 445 | #endif 446 | 447 | #endif 448 | -------------------------------------------------------------------------------- /pnth/ntpebteb.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTPEBTEB_H 13 | #define _NTPEBTEB_H 14 | 15 | typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; 16 | typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; 17 | 18 | // private 19 | typedef struct _ACTIVATION_CONTEXT_STACK 20 | { 21 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame; 22 | LIST_ENTRY FrameListCache; 23 | ULONG Flags; 24 | ULONG NextCookieSequenceNumber; 25 | ULONG StackId; 26 | } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; 27 | 28 | // private 29 | typedef struct _API_SET_NAMESPACE 30 | { 31 | ULONG Version; 32 | ULONG Size; 33 | ULONG Flags; 34 | ULONG Count; 35 | ULONG EntryOffset; 36 | ULONG HashOffset; 37 | ULONG HashFactor; 38 | } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; 39 | 40 | // private 41 | typedef struct _API_SET_HASH_ENTRY 42 | { 43 | ULONG Hash; 44 | ULONG Index; 45 | } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; 46 | 47 | // private 48 | typedef struct _API_SET_NAMESPACE_ENTRY 49 | { 50 | ULONG Flags; 51 | ULONG NameOffset; 52 | ULONG NameLength; 53 | ULONG HashedLength; 54 | ULONG ValueOffset; 55 | ULONG ValueCount; 56 | } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; 57 | 58 | // private 59 | typedef struct _API_SET_VALUE_ENTRY 60 | { 61 | ULONG Flags; 62 | ULONG NameOffset; 63 | ULONG NameLength; 64 | ULONG ValueOffset; 65 | ULONG ValueLength; 66 | } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; 67 | 68 | // symbols 69 | typedef struct _PEB 70 | { 71 | BOOLEAN InheritedAddressSpace; 72 | BOOLEAN ReadImageFileExecOptions; 73 | BOOLEAN BeingDebugged; 74 | union 75 | { 76 | BOOLEAN BitField; 77 | struct 78 | { 79 | BOOLEAN ImageUsesLargePages : 1; 80 | BOOLEAN IsProtectedProcess : 1; 81 | BOOLEAN IsImageDynamicallyRelocated : 1; 82 | BOOLEAN SkipPatchingUser32Forwarders : 1; 83 | BOOLEAN IsPackagedProcess : 1; 84 | BOOLEAN IsAppContainer : 1; 85 | BOOLEAN IsProtectedProcessLight : 1; 86 | BOOLEAN IsLongPathAwareProcess : 1; 87 | }; 88 | }; 89 | 90 | HANDLE Mutant; 91 | 92 | PVOID ImageBaseAddress; 93 | PPEB_LDR_DATA Ldr; 94 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 95 | PVOID SubSystemData; 96 | PVOID ProcessHeap; 97 | PRTL_CRITICAL_SECTION FastPebLock; 98 | PSLIST_HEADER AtlThunkSListPtr; 99 | PVOID IFEOKey; 100 | 101 | union 102 | { 103 | ULONG CrossProcessFlags; 104 | struct 105 | { 106 | ULONG ProcessInJob : 1; 107 | ULONG ProcessInitializing : 1; 108 | ULONG ProcessUsingVEH : 1; 109 | ULONG ProcessUsingVCH : 1; 110 | ULONG ProcessUsingFTH : 1; 111 | ULONG ProcessPreviouslyThrottled : 1; 112 | ULONG ProcessCurrentlyThrottled : 1; 113 | ULONG ProcessImagesHotPatched : 1; // REDSTONE5 114 | ULONG ReservedBits0 : 24; 115 | }; 116 | }; 117 | union 118 | { 119 | PVOID KernelCallbackTable; 120 | PVOID UserSharedInfoPtr; 121 | }; 122 | ULONG SystemReserved; 123 | ULONG AtlThunkSListPtr32; 124 | PAPI_SET_NAMESPACE ApiSetMap; 125 | ULONG TlsExpansionCounter; 126 | PVOID TlsBitmap; 127 | ULONG TlsBitmapBits[2]; 128 | 129 | PVOID ReadOnlySharedMemoryBase; 130 | PVOID SharedData; // HotpatchInformation 131 | PVOID *ReadOnlyStaticServerData; 132 | 133 | PVOID AnsiCodePageData; // PCPTABLEINFO 134 | PVOID OemCodePageData; // PCPTABLEINFO 135 | PVOID UnicodeCaseTableData; // PNLSTABLEINFO 136 | 137 | ULONG NumberOfProcessors; 138 | ULONG NtGlobalFlag; 139 | 140 | ULARGE_INTEGER CriticalSectionTimeout; 141 | SIZE_T HeapSegmentReserve; 142 | SIZE_T HeapSegmentCommit; 143 | SIZE_T HeapDeCommitTotalFreeThreshold; 144 | SIZE_T HeapDeCommitFreeBlockThreshold; 145 | 146 | ULONG NumberOfHeaps; 147 | ULONG MaximumNumberOfHeaps; 148 | PVOID *ProcessHeaps; // PHEAP 149 | 150 | PVOID GdiSharedHandleTable; 151 | PVOID ProcessStarterHelper; 152 | ULONG GdiDCAttributeList; 153 | 154 | PRTL_CRITICAL_SECTION LoaderLock; 155 | 156 | ULONG OSMajorVersion; 157 | ULONG OSMinorVersion; 158 | USHORT OSBuildNumber; 159 | USHORT OSCSDVersion; 160 | ULONG OSPlatformId; 161 | ULONG ImageSubsystem; 162 | ULONG ImageSubsystemMajorVersion; 163 | ULONG ImageSubsystemMinorVersion; 164 | KAFFINITY ActiveProcessAffinityMask; 165 | GDI_HANDLE_BUFFER GdiHandleBuffer; 166 | PVOID PostProcessInitRoutine; 167 | 168 | PVOID TlsExpansionBitmap; 169 | ULONG TlsExpansionBitmapBits[32]; 170 | 171 | ULONG SessionId; 172 | 173 | ULARGE_INTEGER AppCompatFlags; 174 | ULARGE_INTEGER AppCompatFlagsUser; 175 | PVOID pShimData; 176 | PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA 177 | 178 | UNICODE_STRING CSDVersion; 179 | 180 | PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA 181 | PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP 182 | PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA 183 | PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP 184 | 185 | SIZE_T MinimumStackCommit; 186 | 187 | PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) 188 | PVOID PatchLoaderData; 189 | PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO 190 | 191 | ULONG AppModelFeatureState; 192 | ULONG SpareUlongs[2]; 193 | 194 | USHORT ActiveCodePage; 195 | USHORT OemCodePage; 196 | USHORT UseCaseMapping; 197 | USHORT UnusedNlsField; 198 | 199 | PVOID WerRegistrationData; 200 | PVOID WerShipAssertPtr; 201 | 202 | union 203 | { 204 | PVOID pContextData; // WIN7 205 | PVOID pUnused; // WIN10 206 | PVOID EcCodeBitMap; // WIN11 207 | }; 208 | 209 | PVOID pImageHeaderHash; 210 | union 211 | { 212 | ULONG TracingFlags; 213 | struct 214 | { 215 | ULONG HeapTracingEnabled : 1; 216 | ULONG CritSecTracingEnabled : 1; 217 | ULONG LibLoaderTracingEnabled : 1; 218 | ULONG SpareTracingBits : 29; 219 | }; 220 | }; 221 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 222 | PRTL_CRITICAL_SECTION TppWorkerpListLock; 223 | LIST_ENTRY TppWorkerpList; 224 | PVOID WaitOnAddressHashTable[128]; 225 | PVOID TelemetryCoverageHeader; // REDSTONE3 226 | ULONG CloudFileFlags; 227 | ULONG CloudFileDiagFlags; // REDSTONE4 228 | CHAR PlaceholderCompatibilityMode; 229 | CHAR PlaceholderCompatibilityModeReserved[7]; 230 | struct _LEAP_SECOND_DATA *LeapSecondData; // REDSTONE5 231 | union 232 | { 233 | ULONG LeapSecondFlags; 234 | struct 235 | { 236 | ULONG SixtySecondEnabled : 1; 237 | ULONG Reserved : 31; 238 | }; 239 | }; 240 | ULONG NtGlobalFlag2; 241 | ULONGLONG ExtendedFeatureDisableMask; // since WIN11 242 | } PEB, *PPEB; 243 | 244 | #ifdef _WIN64 245 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); 246 | //C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 247 | //C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 248 | //C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 249 | C_ASSERT(sizeof(PEB) == 0x7d0); // WIN11 250 | #else 251 | C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); 252 | //C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 253 | //C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4 254 | //C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 255 | C_ASSERT(sizeof(PEB) == 0x488); // WIN11 256 | #endif 257 | 258 | #define GDI_BATCH_BUFFER_SIZE 310 259 | 260 | typedef struct _GDI_TEB_BATCH 261 | { 262 | ULONG Offset; 263 | ULONG_PTR HDC; 264 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 265 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 266 | 267 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 268 | { 269 | ULONG Flags; 270 | PCSTR FrameName; 271 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 272 | 273 | typedef struct _TEB_ACTIVE_FRAME 274 | { 275 | ULONG Flags; 276 | _TEB_ACTIVE_FRAME *Previous; 277 | const TEB_ACTIVE_FRAME_CONTEXT* Context; 278 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 279 | 280 | typedef struct _TEB 281 | { 282 | NT_TIB NtTib; 283 | 284 | PVOID EnvironmentPointer; 285 | CLIENT_ID ClientId; 286 | PVOID ActiveRpcHandle; 287 | PVOID ThreadLocalStoragePointer; 288 | PPEB ProcessEnvironmentBlock; 289 | 290 | ULONG LastErrorValue; 291 | ULONG CountOfOwnedCriticalSections; 292 | PVOID CsrClientThread; 293 | PVOID Win32ThreadInfo; 294 | ULONG User32Reserved[26]; 295 | ULONG UserReserved[5]; 296 | PVOID WOW32Reserved; 297 | LCID CurrentLocale; 298 | ULONG FpSoftwareStatusRegister; 299 | PVOID ReservedForDebuggerInstrumentation[16]; 300 | #ifdef _WIN64 301 | PVOID SystemReserved1[30]; 302 | #else 303 | PVOID SystemReserved1[26]; 304 | #endif 305 | 306 | CHAR PlaceholderCompatibilityMode; 307 | BOOLEAN PlaceholderHydrationAlwaysExplicit; 308 | CHAR PlaceholderReserved[10]; 309 | 310 | ULONG ProxiedProcessId; 311 | ACTIVATION_CONTEXT_STACK ActivationStack; 312 | 313 | UCHAR WorkingOnBehalfTicket[8]; 314 | NTSTATUS ExceptionCode; 315 | 316 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 317 | ULONG_PTR InstrumentationCallbackSp; 318 | ULONG_PTR InstrumentationCallbackPreviousPc; 319 | ULONG_PTR InstrumentationCallbackPreviousSp; 320 | #ifdef _WIN64 321 | ULONG TxFsContext; 322 | #endif 323 | 324 | BOOLEAN InstrumentationCallbackDisabled; 325 | #ifdef _WIN64 326 | BOOLEAN UnalignedLoadStoreExceptions; 327 | #endif 328 | #ifndef _WIN64 329 | UCHAR SpareBytes[23]; 330 | ULONG TxFsContext; 331 | #endif 332 | GDI_TEB_BATCH GdiTebBatch; 333 | CLIENT_ID RealClientId; 334 | HANDLE GdiCachedProcessHandle; 335 | ULONG GdiClientPID; 336 | ULONG GdiClientTID; 337 | PVOID GdiThreadLocalInfo; 338 | ULONG_PTR Win32ClientInfo[62]; 339 | PVOID glDispatchTable[233]; 340 | ULONG_PTR glReserved1[29]; 341 | PVOID glReserved2; 342 | PVOID glSectionInfo; 343 | PVOID glSection; 344 | PVOID glTable; 345 | PVOID glCurrentRC; 346 | PVOID glContext; 347 | 348 | NTSTATUS LastStatusValue; 349 | UNICODE_STRING StaticUnicodeString; 350 | WCHAR StaticUnicodeBuffer[261]; 351 | 352 | PVOID DeallocationStack; 353 | PVOID TlsSlots[64]; 354 | LIST_ENTRY TlsLinks; 355 | 356 | PVOID Vdm; 357 | PVOID ReservedForNtRpc; 358 | PVOID DbgSsReserved[2]; 359 | 360 | ULONG HardErrorMode; 361 | #ifdef _WIN64 362 | PVOID Instrumentation[11]; 363 | #else 364 | PVOID Instrumentation[9]; 365 | #endif 366 | GUID ActivityId; 367 | 368 | PVOID SubProcessTag; 369 | PVOID PerflibData; 370 | PVOID EtwTraceData; 371 | PVOID WinSockData; 372 | ULONG GdiBatchCount; 373 | 374 | union 375 | { 376 | PROCESSOR_NUMBER CurrentIdealProcessor; 377 | ULONG IdealProcessorValue; 378 | struct 379 | { 380 | UCHAR ReservedPad0; 381 | UCHAR ReservedPad1; 382 | UCHAR ReservedPad2; 383 | UCHAR IdealProcessor; 384 | }; 385 | }; 386 | 387 | ULONG GuaranteedStackBytes; 388 | PVOID ReservedForPerf; 389 | PVOID ReservedForOle; 390 | ULONG WaitingOnLoaderLock; 391 | PVOID SavedPriorityState; 392 | ULONG_PTR ReservedForCodeCoverage; 393 | PVOID ThreadPoolData; 394 | PVOID *TlsExpansionSlots; 395 | #ifdef _WIN64 396 | PVOID DeallocationBStore; 397 | PVOID BStoreLimit; 398 | #endif 399 | ULONG MuiGeneration; 400 | ULONG IsImpersonating; 401 | PVOID NlsCache; 402 | PVOID pShimData; 403 | ULONG HeapData; 404 | HANDLE CurrentTransactionHandle; 405 | PTEB_ACTIVE_FRAME ActiveFrame; 406 | PVOID FlsData; 407 | 408 | PVOID PreferredLanguages; 409 | PVOID UserPrefLanguages; 410 | PVOID MergedPrefLanguages; 411 | ULONG MuiImpersonation; 412 | 413 | union 414 | { 415 | USHORT CrossTebFlags; 416 | USHORT SpareCrossTebBits : 16; 417 | }; 418 | union 419 | { 420 | USHORT SameTebFlags; 421 | struct 422 | { 423 | USHORT SafeThunkCall : 1; 424 | USHORT InDebugPrint : 1; 425 | USHORT HasFiberData : 1; 426 | USHORT SkipThreadAttach : 1; 427 | USHORT WerInShipAssertCode : 1; 428 | USHORT RanProcessInit : 1; 429 | USHORT ClonedThread : 1; 430 | USHORT SuppressDebugMsg : 1; 431 | USHORT DisableUserStackWalk : 1; 432 | USHORT RtlExceptionAttached : 1; 433 | USHORT InitialThread : 1; 434 | USHORT SessionAware : 1; 435 | USHORT LoadOwner : 1; 436 | USHORT LoaderWorker : 1; 437 | USHORT SkipLoaderInit : 1; 438 | USHORT SkipFileAPIBrokering : 1; 439 | }; 440 | }; 441 | 442 | PVOID TxnScopeEnterCallback; 443 | PVOID TxnScopeExitCallback; 444 | PVOID TxnScopeContext; 445 | ULONG LockCount; 446 | LONG WowTebOffset; 447 | PVOID ResourceRetValue; 448 | PVOID ReservedForWdf; 449 | ULONGLONG ReservedForCrt; 450 | GUID EffectiveContainerId; 451 | ULONGLONG LastSleepCounter; // Win11 452 | ULONG SpinCallCount; 453 | ULONGLONG ExtendedFeatureDisableMask; 454 | } TEB, *PTEB; 455 | 456 | #endif 457 | -------------------------------------------------------------------------------- /pnth/ntpfapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTPFAPI_H 13 | #define _NTPFAPI_H 14 | 15 | // begin_private 16 | 17 | // Prefetch 18 | 19 | typedef enum _PF_BOOT_PHASE_ID 20 | { 21 | PfKernelInitPhase = 0, 22 | PfBootDriverInitPhase = 90, 23 | PfSystemDriverInitPhase = 120, 24 | PfSessionManagerInitPhase = 150, 25 | PfSMRegistryInitPhase = 180, 26 | PfVideoInitPhase = 210, 27 | PfPostVideoInitPhase = 240, 28 | PfBootAcceptedRegistryInitPhase = 270, 29 | PfUserShellReadyPhase = 300, 30 | PfMaxBootPhaseId = 900 31 | } PF_BOOT_PHASE_ID; 32 | 33 | typedef enum _PF_ENABLE_STATUS 34 | { 35 | PfSvNotSpecified, 36 | PfSvEnabled, 37 | PfSvDisabled, 38 | PfSvMaxEnableStatus 39 | } PF_ENABLE_STATUS; 40 | 41 | typedef struct _PF_TRACE_LIMITS 42 | { 43 | ULONG MaxNumPages; 44 | ULONG MaxNumSections; 45 | LONGLONG TimerPeriod; 46 | } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; 47 | 48 | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS 49 | { 50 | PF_ENABLE_STATUS EnableStatus[2]; 51 | PF_TRACE_LIMITS TraceLimits[2]; 52 | ULONG MaxNumActiveTraces; 53 | ULONG MaxNumSavedTraces; 54 | WCHAR RootDirPath[32]; 55 | WCHAR HostingApplicationList[128]; 56 | } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; 57 | 58 | #define PF_BOOT_CONTROL_VERSION 1 59 | 60 | typedef struct _PF_BOOT_CONTROL 61 | { 62 | ULONG Version; 63 | ULONG DisableBootPrefetching; 64 | } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; 65 | 66 | typedef enum _PREFETCHER_INFORMATION_CLASS 67 | { 68 | PrefetcherRetrieveTrace = 1, // q: CHAR[] 69 | PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS 70 | PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID 71 | PrefetcherSpare1, // PrefetcherRetrieveBootLoaderTrace // q: CHAR[] 72 | PrefetcherBootControl, // s: PF_BOOT_CONTROL 73 | PrefetcherScenarioPolicyControl, 74 | PrefetcherSpare2, 75 | PrefetcherAppLaunchScenarioControl, 76 | PrefetcherInformationMax 77 | } PREFETCHER_INFORMATION_CLASS; 78 | 79 | #define PREFETCHER_INFORMATION_VERSION 23 // rev 80 | #define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev 81 | 82 | typedef struct _PREFETCHER_INFORMATION 83 | { 84 | _In_ ULONG Version; 85 | _In_ ULONG Magic; 86 | _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; 87 | _Inout_ PVOID PrefetcherInformation; 88 | _Inout_ ULONG PrefetcherInformationLength; 89 | } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; 90 | 91 | // Superfetch 92 | 93 | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS 94 | { 95 | ULONG EnabledComponents; 96 | ULONG BootID; 97 | ULONG SavedSectInfoTracesMax; 98 | ULONG SavedPageAccessTracesMax; 99 | ULONG ScenarioPrefetchTimeoutStandby; 100 | ULONG ScenarioPrefetchTimeoutHibernate; 101 | ULONG ScenarioPrefetchTimeoutHiberBoot; 102 | } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; 103 | 104 | #define PF_PFN_PRIO_REQUEST_VERSION 1 105 | #define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 106 | #define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 107 | 108 | typedef struct _PF_PFN_PRIO_REQUEST 109 | { 110 | ULONG Version; 111 | ULONG RequestFlags; 112 | ULONG_PTR PfnCount; 113 | SYSTEM_MEMORY_LIST_INFORMATION MemInfo; 114 | MMPFN_IDENTITY PageData[256]; 115 | } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST; 116 | 117 | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE 118 | { 119 | PfsPrivateSourceKernel, 120 | PfsPrivateSourceSession, 121 | PfsPrivateSourceProcess, 122 | PfsPrivateSourceMax 123 | } PFS_PRIVATE_PAGE_SOURCE_TYPE; 124 | 125 | typedef struct _PFS_PRIVATE_PAGE_SOURCE 126 | { 127 | PFS_PRIVATE_PAGE_SOURCE_TYPE Type; 128 | union 129 | { 130 | ULONG SessionId; 131 | ULONG ProcessId; 132 | }; 133 | ULONG ImagePathHash; 134 | ULONG_PTR UniqueProcessHash; 135 | } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; 136 | 137 | typedef struct _PF_PRIVSOURCE_INFO 138 | { 139 | PFS_PRIVATE_PAGE_SOURCE DbInfo; 140 | PVOID EProcess; 141 | SIZE_T WsPrivatePages; 142 | SIZE_T TotalPrivatePages; 143 | ULONG SessionID; 144 | CHAR ImageName[16]; 145 | union { 146 | ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. 147 | ULONG_PTR SessionPagedPoolPages; // session only. 148 | ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. 149 | }; 150 | ULONG_PTR WsTotalPages; // process/session only. 151 | ULONG DeepFreezeTimeMs; // process only. 152 | ULONG ModernApp : 1; // process only. 153 | ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred 154 | ULONG Foreground : 1; // process only. 155 | ULONG PerProcessStore : 1; // process only. 156 | ULONG Spare : 28; 157 | } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; 158 | 159 | #define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 160 | 161 | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST 162 | { 163 | ULONG Version; 164 | ULONG Flags; 165 | ULONG InfoCount; 166 | PF_PRIVSOURCE_INFO InfoArray[1]; 167 | } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; 168 | 169 | typedef enum _PF_PHASED_SCENARIO_TYPE 170 | { 171 | PfScenarioTypeNone, 172 | PfScenarioTypeStandby, 173 | PfScenarioTypeHibernate, 174 | PfScenarioTypeFUS, 175 | PfScenarioTypeMax 176 | } PF_PHASED_SCENARIO_TYPE; 177 | 178 | #define PF_SCENARIO_PHASE_INFO_VERSION 4 179 | 180 | typedef struct _PF_SCENARIO_PHASE_INFO 181 | { 182 | ULONG Version; 183 | PF_PHASED_SCENARIO_TYPE ScenType; 184 | ULONG PhaseId; 185 | ULONG SequenceNumber; 186 | ULONG Flags; 187 | ULONG FUSUserId; 188 | } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; 189 | 190 | typedef struct _PF_MEMORY_LIST_NODE 191 | { 192 | ULONGLONG Node : 8; 193 | ULONGLONG Spare : 56; 194 | ULONGLONG StandbyLowPageCount; 195 | ULONGLONG StandbyMediumPageCount; 196 | ULONGLONG StandbyHighPageCount; 197 | ULONGLONG FreePageCount; 198 | ULONGLONG ModifiedPageCount; 199 | } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; 200 | 201 | #define PF_MEMORY_LIST_INFO_VERSION 1 202 | 203 | typedef struct _PF_MEMORY_LIST_INFO 204 | { 205 | ULONG Version; 206 | ULONG Size; 207 | ULONG NodeCount; 208 | PF_MEMORY_LIST_NODE Nodes[1]; 209 | } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO; 210 | 211 | typedef struct _PF_PHYSICAL_MEMORY_RANGE 212 | { 213 | ULONG_PTR BasePfn; 214 | ULONG_PTR PageCount; 215 | } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; 216 | 217 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1 218 | 219 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1 220 | { 221 | ULONG Version; 222 | ULONG RangeCount; 223 | PF_PHYSICAL_MEMORY_RANGE Ranges[1]; 224 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1; 225 | 226 | #define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2 227 | 228 | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2 229 | { 230 | ULONG Version; 231 | ULONG Flags; 232 | ULONG RangeCount; 233 | PF_PHYSICAL_MEMORY_RANGE Ranges[ANYSIZE_ARRAY]; 234 | } PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2; 235 | 236 | // begin_rev 237 | 238 | #define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 239 | 240 | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO 241 | { 242 | ULONG Version; 243 | ULONG RepurposedByPrefetch; 244 | } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; 245 | 246 | // end_rev 247 | 248 | typedef enum _SUPERFETCH_INFORMATION_CLASS 249 | { 250 | SuperfetchRetrieveTrace = 1, // q: CHAR[] 251 | SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS 252 | SuperfetchLogEvent, 253 | SuperfetchGenerateTrace, 254 | SuperfetchPrefetch, 255 | SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST 256 | SuperfetchPfnSetPriority, 257 | SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST 258 | SuperfetchSequenceNumberQuery, // q: ULONG 259 | SuperfetchScenarioPhase, // 10 260 | SuperfetchWorkerPriority, 261 | SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO 262 | SuperfetchScenarioPrefetch, 263 | SuperfetchRobustnessControl, 264 | SuperfetchTimeControl, 265 | SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO 266 | SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO 267 | SuperfetchTracingControl, 268 | SuperfetchTrimWhileAgingControl, 269 | SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev 270 | SuperfetchChannelPowerRequest, 271 | SuperfetchMovePages, 272 | SuperfetchVirtualQuery, 273 | SuperfetchCombineStatsQuery, 274 | SuperfetchSetMinWsAgeRate, 275 | SuperfetchDeprioritizeOldPagesInWs, 276 | SuperfetchFileExtentsQuery, 277 | SuperfetchGpuUtilizationQuery, // PF_GPU_UTILIZATION_INFO 278 | SuperfetchInformationMax 279 | } SUPERFETCH_INFORMATION_CLASS; 280 | 281 | #define SUPERFETCH_INFORMATION_VERSION 45 // rev 282 | #define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev 283 | 284 | typedef struct _SUPERFETCH_INFORMATION 285 | { 286 | _In_ ULONG Version; 287 | _In_ ULONG Magic; 288 | _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass; 289 | _Inout_ PVOID SuperfetchInformation; 290 | _Inout_ ULONG SuperfetchInformationLength; 291 | } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; 292 | 293 | // end_private 294 | 295 | #endif 296 | -------------------------------------------------------------------------------- /pnth/ntpnpapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTPNPAPI_H 13 | #define _NTPNPAPI_H 14 | 15 | typedef enum _PLUGPLAY_EVENT_CATEGORY 16 | { 17 | HardwareProfileChangeEvent, 18 | TargetDeviceChangeEvent, 19 | DeviceClassChangeEvent, 20 | CustomDeviceEvent, 21 | DeviceInstallEvent, 22 | DeviceArrivalEvent, 23 | PowerEvent, 24 | VetoEvent, 25 | BlockedDriverEvent, 26 | InvalidIDEvent, 27 | MaxPlugEventCategory 28 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 29 | 30 | typedef struct _PLUGPLAY_EVENT_BLOCK 31 | { 32 | GUID EventGuid; 33 | PLUGPLAY_EVENT_CATEGORY EventCategory; 34 | PULONG Result; 35 | ULONG Flags; 36 | ULONG TotalSize; 37 | PVOID DeviceObject; 38 | 39 | union 40 | { 41 | struct 42 | { 43 | GUID ClassGuid; 44 | WCHAR SymbolicLinkName[1]; 45 | } DeviceClass; 46 | struct 47 | { 48 | WCHAR DeviceIds[1]; 49 | } TargetDevice; 50 | struct 51 | { 52 | WCHAR DeviceId[1]; 53 | } InstallDevice; 54 | struct 55 | { 56 | PVOID NotificationStructure; 57 | WCHAR DeviceIds[1]; 58 | } CustomNotification; 59 | struct 60 | { 61 | PVOID Notification; 62 | } ProfileNotification; 63 | struct 64 | { 65 | ULONG NotificationCode; 66 | ULONG NotificationData; 67 | } PowerNotification; 68 | struct 69 | { 70 | PNP_VETO_TYPE VetoType; 71 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 72 | } VetoNotification; 73 | struct 74 | { 75 | GUID BlockedDriverGuid; 76 | } BlockedDriverNotification; 77 | struct 78 | { 79 | WCHAR ParentId[1]; 80 | } InvalidIDNotification; 81 | } u; 82 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 83 | 84 | typedef enum _PLUGPLAY_CONTROL_CLASS 85 | { 86 | PlugPlayControlEnumerateDevice, // PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA 87 | PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 88 | PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 89 | PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 90 | PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 91 | PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 92 | PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA 93 | PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA 94 | PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA 95 | PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA 96 | PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA 97 | PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA 98 | PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA 99 | PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA 100 | PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA 101 | PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA 102 | PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA 103 | PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA 104 | PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST 105 | PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA 106 | PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 107 | PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA 108 | PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA 109 | PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED 110 | MaxPlugPlayControl 111 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 112 | 113 | #if (PHNT_VERSION < PHNT_WIN8) 114 | NTSYSCALLAPI 115 | NTSTATUS 116 | NTAPI 117 | NtGetPlugPlayEvent( 118 | _In_ HANDLE EventHandle, 119 | _In_opt_ PVOID Context, 120 | _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, 121 | _In_ ULONG EventBufferSize 122 | ); 123 | #endif 124 | 125 | NTSYSCALLAPI 126 | NTSTATUS 127 | NTAPI 128 | NtPlugPlayControl( 129 | _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, 130 | _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, 131 | _In_ ULONG PnPControlDataLength 132 | ); 133 | 134 | #if (PHNT_VERSION >= PHNT_WIN7) 135 | 136 | NTSYSCALLAPI 137 | NTSTATUS 138 | NTAPI 139 | NtSerializeBoot( 140 | VOID 141 | ); 142 | 143 | NTSYSCALLAPI 144 | NTSTATUS 145 | NTAPI 146 | NtEnableLastKnownGood( 147 | VOID 148 | ); 149 | 150 | NTSYSCALLAPI 151 | NTSTATUS 152 | NTAPI 153 | NtDisableLastKnownGood( 154 | VOID 155 | ); 156 | 157 | #endif 158 | 159 | #if (PHNT_VERSION >= PHNT_VISTA) 160 | NTSYSCALLAPI 161 | NTSTATUS 162 | NTAPI 163 | NtReplacePartitionUnit( 164 | _In_ PUNICODE_STRING TargetInstancePath, 165 | _In_ PUNICODE_STRING SpareInstancePath, 166 | _In_ ULONG Flags 167 | ); 168 | #endif 169 | 170 | #endif 171 | -------------------------------------------------------------------------------- /pnth/ntregapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTREGAPI_H 13 | #define _NTREGAPI_H 14 | 15 | // Boot condition flags (NtInitializeRegistry) 16 | 17 | #define REG_INIT_BOOT_SM 0x0000 18 | #define REG_INIT_BOOT_SETUP 0x0001 19 | #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 20 | #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 21 | 22 | #define REG_MAX_KEY_VALUE_NAME_LENGTH 32767 23 | #define REG_MAX_KEY_NAME_LENGTH 512 24 | 25 | typedef enum _KEY_INFORMATION_CLASS 26 | { 27 | KeyBasicInformation, // KEY_BASIC_INFORMATION 28 | KeyNodeInformation, // KEY_NODE_INFORMATION 29 | KeyFullInformation, // KEY_FULL_INFORMATION 30 | KeyNameInformation, // KEY_NAME_INFORMATION 31 | KeyCachedInformation, // KEY_CACHED_INFORMATION 32 | KeyFlagsInformation, // KEY_FLAGS_INFORMATION 33 | KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION 34 | KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 35 | KeyTrustInformation, // KEY_TRUST_INFORMATION 36 | KeyLayerInformation, // KEY_LAYER_INFORMATION 37 | MaxKeyInfoClass 38 | } KEY_INFORMATION_CLASS; 39 | 40 | typedef struct _KEY_BASIC_INFORMATION 41 | { 42 | LARGE_INTEGER LastWriteTime; 43 | ULONG TitleIndex; 44 | ULONG NameLength; 45 | WCHAR Name[1]; 46 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; 47 | 48 | typedef struct _KEY_NODE_INFORMATION 49 | { 50 | LARGE_INTEGER LastWriteTime; 51 | ULONG TitleIndex; 52 | ULONG ClassOffset; 53 | ULONG ClassLength; 54 | ULONG NameLength; 55 | WCHAR Name[1]; 56 | // ... 57 | // WCHAR Class[1]; 58 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; 59 | 60 | typedef struct _KEY_FULL_INFORMATION 61 | { 62 | LARGE_INTEGER LastWriteTime; 63 | ULONG TitleIndex; 64 | ULONG ClassOffset; 65 | ULONG ClassLength; 66 | ULONG SubKeys; 67 | ULONG MaxNameLen; 68 | ULONG MaxClassLen; 69 | ULONG Values; 70 | ULONG MaxValueNameLen; 71 | ULONG MaxValueDataLen; 72 | WCHAR Class[1]; 73 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; 74 | 75 | typedef struct _KEY_NAME_INFORMATION 76 | { 77 | ULONG NameLength; 78 | WCHAR Name[1]; 79 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; 80 | 81 | typedef struct _KEY_CACHED_INFORMATION 82 | { 83 | LARGE_INTEGER LastWriteTime; 84 | ULONG TitleIndex; 85 | ULONG SubKeys; 86 | ULONG MaxNameLen; 87 | ULONG Values; 88 | ULONG MaxValueNameLen; 89 | ULONG MaxValueDataLen; 90 | ULONG NameLength; 91 | WCHAR Name[1]; 92 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; 93 | 94 | // rev 95 | #define REG_FLAG_VOLATILE 0x0001 96 | #define REG_FLAG_LINK 0x0002 97 | 98 | // msdn 99 | #define REG_KEY_DONT_VIRTUALIZE 0x0002 100 | #define REG_KEY_DONT_SILENT_FAIL 0x0004 101 | #define REG_KEY_RECURSE_FLAG 0x0008 102 | 103 | // private 104 | typedef struct _KEY_FLAGS_INFORMATION 105 | { 106 | ULONG Wow64Flags; 107 | ULONG KeyFlags; // REG_FLAG_* 108 | ULONG ControlFlags; // REG_KEY_* 109 | } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; 110 | 111 | typedef struct _KEY_VIRTUALIZATION_INFORMATION 112 | { 113 | ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). 114 | ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1. 115 | ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. 116 | ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles. 117 | ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. 118 | ULONG Reserved : 27; 119 | } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; 120 | 121 | // private 122 | typedef struct _KEY_TRUST_INFORMATION 123 | { 124 | ULONG TrustedKey : 1; 125 | ULONG Reserved : 31; 126 | } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; 127 | 128 | // private 129 | typedef struct _KEY_LAYER_INFORMATION 130 | { 131 | ULONG IsTombstone : 1; 132 | ULONG IsSupersedeLocal : 1; 133 | ULONG IsSupersedeTree : 1; 134 | ULONG ClassIsInherited : 1; 135 | ULONG Reserved : 28; 136 | } KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION; 137 | 138 | typedef enum _KEY_SET_INFORMATION_CLASS 139 | { 140 | KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION 141 | KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION 142 | KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION 143 | KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION 144 | KeySetDebugInformation, 145 | KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION 146 | KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION 147 | MaxKeySetInfoClass 148 | } KEY_SET_INFORMATION_CLASS; 149 | 150 | typedef struct _KEY_WRITE_TIME_INFORMATION 151 | { 152 | LARGE_INTEGER LastWriteTime; 153 | } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; 154 | 155 | typedef struct _KEY_WOW64_FLAGS_INFORMATION 156 | { 157 | ULONG UserFlags; 158 | } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; 159 | 160 | typedef struct _KEY_HANDLE_TAGS_INFORMATION 161 | { 162 | ULONG HandleTags; 163 | } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION; 164 | 165 | typedef struct _KEY_SET_LAYER_INFORMATION 166 | { 167 | ULONG IsTombstone : 1; 168 | ULONG IsSupersedeLocal : 1; 169 | ULONG IsSupersedeTree : 1; 170 | ULONG ClassIsInherited : 1; 171 | ULONG Reserved : 28; 172 | } KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION; 173 | 174 | typedef struct _KEY_CONTROL_FLAGS_INFORMATION 175 | { 176 | ULONG ControlFlags; 177 | } KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION; 178 | 179 | typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION 180 | { 181 | ULONG VirtualTarget : 1; 182 | ULONG VirtualStore : 1; 183 | ULONG VirtualSource : 1; // true if key has been virtualized at least once 184 | ULONG Reserved : 29; 185 | } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION; 186 | 187 | typedef enum _KEY_VALUE_INFORMATION_CLASS 188 | { 189 | KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION 190 | KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION 191 | KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION 192 | KeyValueFullInformationAlign64, 193 | KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 194 | KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION 195 | MaxKeyValueInfoClass 196 | } KEY_VALUE_INFORMATION_CLASS; 197 | 198 | typedef struct _KEY_VALUE_BASIC_INFORMATION 199 | { 200 | ULONG TitleIndex; 201 | ULONG Type; 202 | ULONG NameLength; 203 | WCHAR Name[1]; 204 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; 205 | 206 | typedef struct _KEY_VALUE_FULL_INFORMATION 207 | { 208 | ULONG TitleIndex; 209 | ULONG Type; 210 | ULONG DataOffset; 211 | ULONG DataLength; 212 | ULONG NameLength; 213 | WCHAR Name[1]; 214 | // ... 215 | // UCHAR Data[1]; 216 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; 217 | 218 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION 219 | { 220 | ULONG TitleIndex; 221 | ULONG Type; 222 | ULONG DataLength; 223 | UCHAR Data[1]; 224 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; 225 | 226 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 227 | { 228 | ULONG Type; 229 | ULONG DataLength; 230 | UCHAR Data[1]; 231 | } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; 232 | 233 | // private 234 | typedef struct _KEY_VALUE_LAYER_INFORMATION 235 | { 236 | ULONG IsTombstone : 1; 237 | ULONG Reserved : 31; 238 | } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; 239 | 240 | // rev 241 | typedef enum _KEY_LOAD_ENTRY_TYPE 242 | { 243 | KeyLoadTrustClassKey = 1, 244 | KeyLoadEvent, 245 | KeyLoadToken 246 | } KEY_LOAD_ENTRY_TYPE; 247 | 248 | // rev 249 | typedef struct _KEY_LOAD_ENTRY 250 | { 251 | KEY_LOAD_ENTRY_TYPE EntryType; 252 | union 253 | { 254 | HANDLE Handle; 255 | ULONG_PTR Value; 256 | }; 257 | } KEY_LOAD_ENTRY, *PKEY_LOAD_ENTRY; 258 | 259 | typedef struct _KEY_VALUE_ENTRY 260 | { 261 | PUNICODE_STRING ValueName; 262 | ULONG DataLength; 263 | ULONG DataOffset; 264 | ULONG Type; 265 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 266 | 267 | typedef enum _REG_ACTION 268 | { 269 | KeyAdded, 270 | KeyRemoved, 271 | KeyModified 272 | } REG_ACTION; 273 | 274 | typedef struct _REG_NOTIFY_INFORMATION 275 | { 276 | ULONG NextEntryOffset; 277 | REG_ACTION Action; 278 | ULONG KeyLength; 279 | WCHAR Key[1]; 280 | } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION; 281 | 282 | typedef struct _KEY_PID_ARRAY 283 | { 284 | HANDLE ProcessId; 285 | UNICODE_STRING KeyName; 286 | } KEY_PID_ARRAY, *PKEY_PID_ARRAY; 287 | 288 | typedef struct _KEY_OPEN_SUBKEYS_INFORMATION 289 | { 290 | ULONG Count; 291 | KEY_PID_ARRAY KeyArray[1]; 292 | } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; 293 | 294 | // System calls 295 | 296 | NTSYSCALLAPI 297 | NTSTATUS 298 | NTAPI 299 | NtCreateKey( 300 | _Out_ PHANDLE KeyHandle, 301 | _In_ ACCESS_MASK DesiredAccess, 302 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 303 | _Reserved_ ULONG TitleIndex, 304 | _In_opt_ PUNICODE_STRING Class, 305 | _In_ ULONG CreateOptions, 306 | _Out_opt_ PULONG Disposition 307 | ); 308 | 309 | #if (PHNT_VERSION >= PHNT_VISTA) 310 | NTSYSCALLAPI 311 | NTSTATUS 312 | NTAPI 313 | NtCreateKeyTransacted( 314 | _Out_ PHANDLE KeyHandle, 315 | _In_ ACCESS_MASK DesiredAccess, 316 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 317 | _Reserved_ ULONG TitleIndex, 318 | _In_opt_ PUNICODE_STRING Class, 319 | _In_ ULONG CreateOptions, 320 | _In_ HANDLE TransactionHandle, 321 | _Out_opt_ PULONG Disposition 322 | ); 323 | #endif 324 | 325 | NTSYSCALLAPI 326 | NTSTATUS 327 | NTAPI 328 | NtOpenKey( 329 | _Out_ PHANDLE KeyHandle, 330 | _In_ ACCESS_MASK DesiredAccess, 331 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 332 | ); 333 | 334 | #if (PHNT_VERSION >= PHNT_VISTA) 335 | NTSYSCALLAPI 336 | NTSTATUS 337 | NTAPI 338 | NtOpenKeyTransacted( 339 | _Out_ PHANDLE KeyHandle, 340 | _In_ ACCESS_MASK DesiredAccess, 341 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 342 | _In_ HANDLE TransactionHandle 343 | ); 344 | #endif 345 | 346 | #if (PHNT_VERSION >= PHNT_WIN7) 347 | NTSYSCALLAPI 348 | NTSTATUS 349 | NTAPI 350 | NtOpenKeyEx( 351 | _Out_ PHANDLE KeyHandle, 352 | _In_ ACCESS_MASK DesiredAccess, 353 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 354 | _In_ ULONG OpenOptions 355 | ); 356 | #endif 357 | 358 | #if (PHNT_VERSION >= PHNT_WIN7) 359 | NTSYSCALLAPI 360 | NTSTATUS 361 | NTAPI 362 | NtOpenKeyTransactedEx( 363 | _Out_ PHANDLE KeyHandle, 364 | _In_ ACCESS_MASK DesiredAccess, 365 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 366 | _In_ ULONG OpenOptions, 367 | _In_ HANDLE TransactionHandle 368 | ); 369 | #endif 370 | 371 | NTSYSCALLAPI 372 | NTSTATUS 373 | NTAPI 374 | NtDeleteKey( 375 | _In_ HANDLE KeyHandle 376 | ); 377 | 378 | NTSYSCALLAPI 379 | NTSTATUS 380 | NTAPI 381 | NtRenameKey( 382 | _In_ HANDLE KeyHandle, 383 | _In_ PUNICODE_STRING NewName 384 | ); 385 | 386 | NTSYSCALLAPI 387 | NTSTATUS 388 | NTAPI 389 | NtDeleteValueKey( 390 | _In_ HANDLE KeyHandle, 391 | _In_ PUNICODE_STRING ValueName 392 | ); 393 | 394 | NTSYSCALLAPI 395 | NTSTATUS 396 | NTAPI 397 | NtQueryKey( 398 | _In_ HANDLE KeyHandle, 399 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 400 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 401 | _In_ ULONG Length, 402 | _Out_ PULONG ResultLength 403 | ); 404 | 405 | NTSYSCALLAPI 406 | NTSTATUS 407 | NTAPI 408 | NtSetInformationKey( 409 | _In_ HANDLE KeyHandle, 410 | _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, 411 | _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, 412 | _In_ ULONG KeySetInformationLength 413 | ); 414 | 415 | NTSYSCALLAPI 416 | NTSTATUS 417 | NTAPI 418 | NtQueryValueKey( 419 | _In_ HANDLE KeyHandle, 420 | _In_ PUNICODE_STRING ValueName, 421 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 422 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 423 | _In_ ULONG Length, 424 | _Out_ PULONG ResultLength 425 | ); 426 | 427 | NTSYSCALLAPI 428 | NTSTATUS 429 | NTAPI 430 | NtSetValueKey( 431 | _In_ HANDLE KeyHandle, 432 | _In_ PUNICODE_STRING ValueName, 433 | _In_opt_ ULONG TitleIndex, 434 | _In_ ULONG Type, 435 | _In_reads_bytes_opt_(DataSize) PVOID Data, 436 | _In_ ULONG DataSize 437 | ); 438 | 439 | NTSYSCALLAPI 440 | NTSTATUS 441 | NTAPI 442 | NtQueryMultipleValueKey( 443 | _In_ HANDLE KeyHandle, 444 | _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, 445 | _In_ ULONG EntryCount, 446 | _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, 447 | _Inout_ PULONG BufferLength, 448 | _Out_opt_ PULONG RequiredBufferLength 449 | ); 450 | 451 | NTSYSCALLAPI 452 | NTSTATUS 453 | NTAPI 454 | NtEnumerateKey( 455 | _In_ HANDLE KeyHandle, 456 | _In_ ULONG Index, 457 | _In_ KEY_INFORMATION_CLASS KeyInformationClass, 458 | _Out_writes_bytes_opt_(Length) PVOID KeyInformation, 459 | _In_ ULONG Length, 460 | _Out_ PULONG ResultLength 461 | ); 462 | 463 | NTSYSCALLAPI 464 | NTSTATUS 465 | NTAPI 466 | NtEnumerateValueKey( 467 | _In_ HANDLE KeyHandle, 468 | _In_ ULONG Index, 469 | _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 470 | _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, 471 | _In_ ULONG Length, 472 | _Out_ PULONG ResultLength 473 | ); 474 | 475 | NTSYSCALLAPI 476 | NTSTATUS 477 | NTAPI 478 | NtFlushKey( 479 | _In_ HANDLE KeyHandle 480 | ); 481 | 482 | NTSYSCALLAPI 483 | NTSTATUS 484 | NTAPI 485 | NtCompactKeys( 486 | _In_ ULONG Count, 487 | _In_reads_(Count) HANDLE KeyArray[] 488 | ); 489 | 490 | NTSYSCALLAPI 491 | NTSTATUS 492 | NTAPI 493 | NtCompressKey( 494 | _In_ HANDLE Key 495 | ); 496 | 497 | NTSYSCALLAPI 498 | NTSTATUS 499 | NTAPI 500 | NtLoadKey( 501 | _In_ POBJECT_ATTRIBUTES TargetKey, 502 | _In_ POBJECT_ATTRIBUTES SourceFile 503 | ); 504 | 505 | NTSYSCALLAPI 506 | NTSTATUS 507 | NTAPI 508 | NtLoadKey2( 509 | _In_ POBJECT_ATTRIBUTES TargetKey, 510 | _In_ POBJECT_ATTRIBUTES SourceFile, 511 | _In_ ULONG Flags 512 | ); 513 | 514 | NTSYSCALLAPI 515 | NTSTATUS 516 | NTAPI 517 | NtLoadKeyEx( 518 | _In_ POBJECT_ATTRIBUTES TargetKey, 519 | _In_ POBJECT_ATTRIBUTES SourceFile, 520 | _In_ ULONG Flags, 521 | _In_opt_ HANDLE TrustClassKey, // this and below were added on Win10 522 | _In_opt_ HANDLE Event, 523 | _In_opt_ ACCESS_MASK DesiredAccess, 524 | _Out_opt_ PHANDLE RootHandle, 525 | _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK 526 | ); 527 | 528 | // rev by tyranid 529 | #if (PHNT_VERSION >= PHNT_20H1) 530 | NTSYSCALLAPI 531 | NTSTATUS 532 | NTAPI 533 | NtLoadKey3( 534 | _In_ POBJECT_ATTRIBUTES TargetKey, 535 | _In_ POBJECT_ATTRIBUTES SourceFile, 536 | _In_ ULONG Flags, 537 | _In_reads_(LoadEntryCount) PKEY_LOAD_ENTRY LoadEntries, 538 | _In_ ULONG LoadEntryCount, 539 | _In_opt_ ACCESS_MASK DesiredAccess, 540 | _Out_opt_ PHANDLE RootHandle, 541 | _Reserved_ PVOID Reserved 542 | ); 543 | #endif 544 | 545 | NTSYSCALLAPI 546 | NTSTATUS 547 | NTAPI 548 | NtReplaceKey( 549 | _In_ POBJECT_ATTRIBUTES NewFile, 550 | _In_ HANDLE TargetHandle, 551 | _In_ POBJECT_ATTRIBUTES OldFile 552 | ); 553 | 554 | NTSYSCALLAPI 555 | NTSTATUS 556 | NTAPI 557 | NtSaveKey( 558 | _In_ HANDLE KeyHandle, 559 | _In_ HANDLE FileHandle 560 | ); 561 | 562 | NTSYSCALLAPI 563 | NTSTATUS 564 | NTAPI 565 | NtSaveKeyEx( 566 | _In_ HANDLE KeyHandle, 567 | _In_ HANDLE FileHandle, 568 | _In_ ULONG Format 569 | ); 570 | 571 | NTSYSCALLAPI 572 | NTSTATUS 573 | NTAPI 574 | NtSaveMergedKeys( 575 | _In_ HANDLE HighPrecedenceKeyHandle, 576 | _In_ HANDLE LowPrecedenceKeyHandle, 577 | _In_ HANDLE FileHandle 578 | ); 579 | 580 | NTSYSCALLAPI 581 | NTSTATUS 582 | NTAPI 583 | NtRestoreKey( 584 | _In_ HANDLE KeyHandle, 585 | _In_ HANDLE FileHandle, 586 | _In_ ULONG Flags 587 | ); 588 | 589 | NTSYSCALLAPI 590 | NTSTATUS 591 | NTAPI 592 | NtUnloadKey( 593 | _In_ POBJECT_ATTRIBUTES TargetKey 594 | ); 595 | 596 | // 597 | // NtUnloadKey2 Flags (from winnt.h) 598 | // 599 | //#define REG_FORCE_UNLOAD 1 600 | //#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) 601 | 602 | NTSYSCALLAPI 603 | NTSTATUS 604 | NTAPI 605 | NtUnloadKey2( 606 | _In_ POBJECT_ATTRIBUTES TargetKey, 607 | _In_ ULONG Flags 608 | ); 609 | 610 | NTSYSCALLAPI 611 | NTSTATUS 612 | NTAPI 613 | NtUnloadKeyEx( 614 | _In_ POBJECT_ATTRIBUTES TargetKey, 615 | _In_opt_ HANDLE Event 616 | ); 617 | 618 | NTSYSCALLAPI 619 | NTSTATUS 620 | NTAPI 621 | NtNotifyChangeKey( 622 | _In_ HANDLE KeyHandle, 623 | _In_opt_ HANDLE Event, 624 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 625 | _In_opt_ PVOID ApcContext, 626 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 627 | _In_ ULONG CompletionFilter, 628 | _In_ BOOLEAN WatchTree, 629 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 630 | _In_ ULONG BufferSize, 631 | _In_ BOOLEAN Asynchronous 632 | ); 633 | 634 | NTSYSCALLAPI 635 | NTSTATUS 636 | NTAPI 637 | NtNotifyChangeMultipleKeys( 638 | _In_ HANDLE MasterKeyHandle, 639 | _In_opt_ ULONG Count, 640 | _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], 641 | _In_opt_ HANDLE Event, 642 | _In_opt_ PIO_APC_ROUTINE ApcRoutine, 643 | _In_opt_ PVOID ApcContext, 644 | _Out_ PIO_STATUS_BLOCK IoStatusBlock, 645 | _In_ ULONG CompletionFilter, 646 | _In_ BOOLEAN WatchTree, 647 | _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, 648 | _In_ ULONG BufferSize, 649 | _In_ BOOLEAN Asynchronous 650 | ); 651 | 652 | NTSYSCALLAPI 653 | NTSTATUS 654 | NTAPI 655 | NtQueryOpenSubKeys( 656 | _In_ POBJECT_ATTRIBUTES TargetKey, 657 | _Out_ PULONG HandleCount 658 | ); 659 | 660 | NTSYSCALLAPI 661 | NTSTATUS 662 | NTAPI 663 | NtQueryOpenSubKeysEx( 664 | _In_ POBJECT_ATTRIBUTES TargetKey, 665 | _In_ ULONG BufferLength, 666 | _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, 667 | _Out_ PULONG RequiredSize 668 | ); 669 | 670 | NTSYSCALLAPI 671 | NTSTATUS 672 | NTAPI 673 | NtInitializeRegistry( 674 | _In_ USHORT BootCondition 675 | ); 676 | 677 | NTSYSCALLAPI 678 | NTSTATUS 679 | NTAPI 680 | NtLockRegistryKey( 681 | _In_ HANDLE KeyHandle 682 | ); 683 | 684 | NTSYSCALLAPI 685 | NTSTATUS 686 | NTAPI 687 | NtLockProductActivationKeys( 688 | _Inout_opt_ ULONG *pPrivateVer, 689 | _Out_opt_ ULONG *pSafeMode 690 | ); 691 | 692 | #if (PHNT_VERSION >= PHNT_VISTA) 693 | // private 694 | NTSYSCALLAPI 695 | NTSTATUS 696 | NTAPI 697 | NtFreezeRegistry( 698 | _In_ ULONG TimeOutInSeconds 699 | ); 700 | #endif 701 | 702 | #if (PHNT_VERSION >= PHNT_VISTA) 703 | // private 704 | NTSYSCALLAPI 705 | NTSTATUS 706 | NTAPI 707 | NtThawRegistry( 708 | VOID 709 | ); 710 | #endif 711 | 712 | #if (PHNT_VERSION >= PHNT_REDSTONE) 713 | NTSTATUS NtCreateRegistryTransaction( 714 | _Out_ HANDLE *RegistryTransactionHandle, 715 | _In_ ACCESS_MASK DesiredAccess, 716 | _In_opt_ POBJECT_ATTRIBUTES ObjAttributes, 717 | _Reserved_ ULONG CreateOptions 718 | ); 719 | #endif 720 | 721 | #if (PHNT_VERSION >= PHNT_REDSTONE) 722 | NTSTATUS NtOpenRegistryTransaction( 723 | _Out_ HANDLE *RegistryTransactionHandle, 724 | _In_ ACCESS_MASK DesiredAccess, 725 | _In_ POBJECT_ATTRIBUTES ObjAttributes 726 | ); 727 | #endif 728 | 729 | #if (PHNT_VERSION >= PHNT_REDSTONE) 730 | NTSTATUS NtCommitRegistryTransaction( 731 | _In_ HANDLE RegistryTransactionHandle, 732 | _Reserved_ ULONG Flags 733 | ); 734 | #endif 735 | 736 | #if (PHNT_VERSION >= PHNT_REDSTONE) 737 | NTSTATUS NtRollbackRegistryTransaction( 738 | _In_ HANDLE RegistryTransactionHandle, 739 | _Reserved_ ULONG Flags 740 | ); 741 | #endif 742 | 743 | #endif 744 | -------------------------------------------------------------------------------- /pnth/ntsmss.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTSMSS_H 13 | #define _NTSMSS_H 14 | 15 | NTSYSAPI 16 | NTSTATUS 17 | NTAPI 18 | RtlConnectToSm( 19 | _In_ PUNICODE_STRING ApiPortName, 20 | _In_ HANDLE ApiPortHandle, 21 | _In_ DWORD ProcessImageType, 22 | _Out_ PHANDLE SmssConnection 23 | ); 24 | 25 | NTSYSAPI 26 | NTSTATUS 27 | NTAPI 28 | RtlSendMsgToSm( 29 | _In_ HANDLE ApiPortHandle, 30 | _In_ PPORT_MESSAGE MessageData 31 | ); 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /pnth/nttmapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTTMAPI_H 13 | #define _NTTMAPI_H 14 | 15 | #if (PHNT_VERSION >= PHNT_VISTA) 16 | NTSYSCALLAPI 17 | NTSTATUS 18 | NTAPI 19 | NtCreateTransactionManager( 20 | _Out_ PHANDLE TmHandle, 21 | _In_ ACCESS_MASK DesiredAccess, 22 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 23 | _In_opt_ PUNICODE_STRING LogFileName, 24 | _In_opt_ ULONG CreateOptions, 25 | _In_opt_ ULONG CommitStrength 26 | ); 27 | #endif 28 | 29 | #if (PHNT_VERSION >= PHNT_VISTA) 30 | NTSYSCALLAPI 31 | NTSTATUS 32 | NTAPI 33 | NtOpenTransactionManager( 34 | _Out_ PHANDLE TmHandle, 35 | _In_ ACCESS_MASK DesiredAccess, 36 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 37 | _In_opt_ PUNICODE_STRING LogFileName, 38 | _In_opt_ LPGUID TmIdentity, 39 | _In_opt_ ULONG OpenOptions 40 | ); 41 | #endif 42 | 43 | #if (PHNT_VERSION >= PHNT_VISTA) 44 | NTSYSCALLAPI 45 | NTSTATUS 46 | NTAPI 47 | NtRenameTransactionManager( 48 | _In_ PUNICODE_STRING LogFileName, 49 | _In_ LPGUID ExistingTransactionManagerGuid 50 | ); 51 | #endif 52 | 53 | #if (PHNT_VERSION >= PHNT_VISTA) 54 | NTSYSCALLAPI 55 | NTSTATUS 56 | NTAPI 57 | NtRollforwardTransactionManager( 58 | _In_ HANDLE TransactionManagerHandle, 59 | _In_opt_ PLARGE_INTEGER TmVirtualClock 60 | ); 61 | #endif 62 | 63 | #if (PHNT_VERSION >= PHNT_VISTA) 64 | NTSYSCALLAPI 65 | NTSTATUS 66 | NTAPI 67 | NtRecoverTransactionManager( 68 | _In_ HANDLE TransactionManagerHandle 69 | ); 70 | #endif 71 | 72 | #if (PHNT_VERSION >= PHNT_VISTA) 73 | NTSYSCALLAPI 74 | NTSTATUS 75 | NTAPI 76 | NtQueryInformationTransactionManager( 77 | _In_ HANDLE TransactionManagerHandle, 78 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 79 | _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 80 | _In_ ULONG TransactionManagerInformationLength, 81 | _Out_opt_ PULONG ReturnLength 82 | ); 83 | #endif 84 | 85 | #if (PHNT_VERSION >= PHNT_VISTA) 86 | NTSYSCALLAPI 87 | NTSTATUS 88 | NTAPI 89 | NtSetInformationTransactionManager( 90 | _In_opt_ HANDLE TmHandle, 91 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 92 | _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, 93 | _In_ ULONG TransactionManagerInformationLength 94 | ); 95 | #endif 96 | 97 | #if (PHNT_VERSION >= PHNT_VISTA) 98 | NTSYSCALLAPI 99 | NTSTATUS 100 | NTAPI 101 | NtEnumerateTransactionObject( 102 | _In_opt_ HANDLE RootObjectHandle, 103 | _In_ KTMOBJECT_TYPE QueryType, 104 | _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, 105 | _In_ ULONG ObjectCursorLength, 106 | _Out_ PULONG ReturnLength 107 | ); 108 | #endif 109 | 110 | #if (PHNT_VERSION >= PHNT_VISTA) 111 | NTSYSCALLAPI 112 | NTSTATUS 113 | NTAPI 114 | NtCreateTransaction( 115 | _Out_ PHANDLE TransactionHandle, 116 | _In_ ACCESS_MASK DesiredAccess, 117 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 118 | _In_opt_ LPGUID Uow, 119 | _In_opt_ HANDLE TmHandle, 120 | _In_opt_ ULONG CreateOptions, 121 | _In_opt_ ULONG IsolationLevel, 122 | _In_opt_ ULONG IsolationFlags, 123 | _In_opt_ PLARGE_INTEGER Timeout, 124 | _In_opt_ PUNICODE_STRING Description 125 | ); 126 | #endif 127 | 128 | #if (PHNT_VERSION >= PHNT_VISTA) 129 | NTSYSCALLAPI 130 | NTSTATUS 131 | NTAPI 132 | NtOpenTransaction( 133 | _Out_ PHANDLE TransactionHandle, 134 | _In_ ACCESS_MASK DesiredAccess, 135 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 136 | _In_opt_ LPGUID Uow, 137 | _In_opt_ HANDLE TmHandle 138 | ); 139 | #endif 140 | 141 | #if (PHNT_VERSION >= PHNT_VISTA) 142 | NTSYSCALLAPI 143 | NTSTATUS 144 | NTAPI 145 | NtQueryInformationTransaction( 146 | _In_ HANDLE TransactionHandle, 147 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 148 | _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation, 149 | _In_ ULONG TransactionInformationLength, 150 | _Out_opt_ PULONG ReturnLength 151 | ); 152 | #endif 153 | 154 | #if (PHNT_VERSION >= PHNT_VISTA) 155 | NTSYSCALLAPI 156 | NTSTATUS 157 | NTAPI 158 | NtSetInformationTransaction( 159 | _In_ HANDLE TransactionHandle, 160 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 161 | _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation, 162 | _In_ ULONG TransactionInformationLength 163 | ); 164 | #endif 165 | 166 | #if (PHNT_VERSION >= PHNT_VISTA) 167 | NTSYSCALLAPI 168 | NTSTATUS 169 | NTAPI 170 | NtCommitTransaction( 171 | _In_ HANDLE TransactionHandle, 172 | _In_ BOOLEAN Wait 173 | ); 174 | #endif 175 | 176 | #if (PHNT_VERSION >= PHNT_VISTA) 177 | NTSYSCALLAPI 178 | NTSTATUS 179 | NTAPI 180 | NtRollbackTransaction( 181 | _In_ HANDLE TransactionHandle, 182 | _In_ BOOLEAN Wait 183 | ); 184 | #endif 185 | 186 | #if (PHNT_VERSION >= PHNT_VISTA) 187 | NTSYSCALLAPI 188 | NTSTATUS 189 | NTAPI 190 | NtCreateEnlistment( 191 | _Out_ PHANDLE EnlistmentHandle, 192 | _In_ ACCESS_MASK DesiredAccess, 193 | _In_ HANDLE ResourceManagerHandle, 194 | _In_ HANDLE TransactionHandle, 195 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 196 | _In_opt_ ULONG CreateOptions, 197 | _In_ NOTIFICATION_MASK NotificationMask, 198 | _In_opt_ PVOID EnlistmentKey 199 | ); 200 | #endif 201 | 202 | #if (PHNT_VERSION >= PHNT_VISTA) 203 | NTSYSCALLAPI 204 | NTSTATUS 205 | NTAPI 206 | NtOpenEnlistment( 207 | _Out_ PHANDLE EnlistmentHandle, 208 | _In_ ACCESS_MASK DesiredAccess, 209 | _In_ HANDLE ResourceManagerHandle, 210 | _In_ LPGUID EnlistmentGuid, 211 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 212 | ); 213 | #endif 214 | 215 | #if (PHNT_VERSION >= PHNT_VISTA) 216 | NTSYSCALLAPI 217 | NTSTATUS 218 | NTAPI 219 | NtQueryInformationEnlistment( 220 | _In_ HANDLE EnlistmentHandle, 221 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 222 | _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 223 | _In_ ULONG EnlistmentInformationLength, 224 | _Out_opt_ PULONG ReturnLength 225 | ); 226 | #endif 227 | 228 | #if (PHNT_VERSION >= PHNT_VISTA) 229 | NTSYSCALLAPI 230 | NTSTATUS 231 | NTAPI 232 | NtSetInformationEnlistment( 233 | _In_opt_ HANDLE EnlistmentHandle, 234 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 235 | _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, 236 | _In_ ULONG EnlistmentInformationLength 237 | ); 238 | #endif 239 | 240 | #if (PHNT_VERSION >= PHNT_VISTA) 241 | NTSYSCALLAPI 242 | NTSTATUS 243 | NTAPI 244 | NtRecoverEnlistment( 245 | _In_ HANDLE EnlistmentHandle, 246 | _In_opt_ PVOID EnlistmentKey 247 | ); 248 | #endif 249 | 250 | #if (PHNT_VERSION >= PHNT_VISTA) 251 | NTSYSCALLAPI 252 | NTSTATUS 253 | NTAPI 254 | NtPrePrepareEnlistment( 255 | _In_ HANDLE EnlistmentHandle, 256 | _In_opt_ PLARGE_INTEGER TmVirtualClock 257 | ); 258 | #endif 259 | 260 | #if (PHNT_VERSION >= PHNT_VISTA) 261 | NTSYSCALLAPI 262 | NTSTATUS 263 | NTAPI 264 | NtPrepareEnlistment( 265 | _In_ HANDLE EnlistmentHandle, 266 | _In_opt_ PLARGE_INTEGER TmVirtualClock 267 | ); 268 | #endif 269 | 270 | #if (PHNT_VERSION >= PHNT_VISTA) 271 | NTSYSCALLAPI 272 | NTSTATUS 273 | NTAPI 274 | NtCommitEnlistment( 275 | _In_ HANDLE EnlistmentHandle, 276 | _In_opt_ PLARGE_INTEGER TmVirtualClock 277 | ); 278 | #endif 279 | 280 | #if (PHNT_VERSION >= PHNT_VISTA) 281 | NTSYSCALLAPI 282 | NTSTATUS 283 | NTAPI 284 | NtRollbackEnlistment( 285 | _In_ HANDLE EnlistmentHandle, 286 | _In_opt_ PLARGE_INTEGER TmVirtualClock 287 | ); 288 | #endif 289 | 290 | #if (PHNT_VERSION >= PHNT_VISTA) 291 | NTSYSCALLAPI 292 | NTSTATUS 293 | NTAPI 294 | NtPrePrepareComplete( 295 | _In_ HANDLE EnlistmentHandle, 296 | _In_opt_ PLARGE_INTEGER TmVirtualClock 297 | ); 298 | #endif 299 | 300 | #if (PHNT_VERSION >= PHNT_VISTA) 301 | NTSYSCALLAPI 302 | NTSTATUS 303 | NTAPI 304 | NtPrepareComplete( 305 | _In_ HANDLE EnlistmentHandle, 306 | _In_opt_ PLARGE_INTEGER TmVirtualClock 307 | ); 308 | #endif 309 | 310 | #if (PHNT_VERSION >= PHNT_VISTA) 311 | NTSYSCALLAPI 312 | NTSTATUS 313 | NTAPI 314 | NtCommitComplete( 315 | _In_ HANDLE EnlistmentHandle, 316 | _In_opt_ PLARGE_INTEGER TmVirtualClock 317 | ); 318 | #endif 319 | 320 | #if (PHNT_VERSION >= PHNT_VISTA) 321 | NTSYSCALLAPI 322 | NTSTATUS 323 | NTAPI 324 | NtReadOnlyEnlistment( 325 | _In_ HANDLE EnlistmentHandle, 326 | _In_opt_ PLARGE_INTEGER TmVirtualClock 327 | ); 328 | #endif 329 | 330 | #if (PHNT_VERSION >= PHNT_VISTA) 331 | NTSYSCALLAPI 332 | NTSTATUS 333 | NTAPI 334 | NtRollbackComplete( 335 | _In_ HANDLE EnlistmentHandle, 336 | _In_opt_ PLARGE_INTEGER TmVirtualClock 337 | ); 338 | #endif 339 | 340 | #if (PHNT_VERSION >= PHNT_VISTA) 341 | NTSYSCALLAPI 342 | NTSTATUS 343 | NTAPI 344 | NtSinglePhaseReject( 345 | _In_ HANDLE EnlistmentHandle, 346 | _In_opt_ PLARGE_INTEGER TmVirtualClock 347 | ); 348 | #endif 349 | 350 | #if (PHNT_VERSION >= PHNT_VISTA) 351 | NTSYSCALLAPI 352 | NTSTATUS 353 | NTAPI 354 | NtCreateResourceManager( 355 | _Out_ PHANDLE ResourceManagerHandle, 356 | _In_ ACCESS_MASK DesiredAccess, 357 | _In_ HANDLE TmHandle, 358 | _In_ LPGUID RmGuid, 359 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 360 | _In_opt_ ULONG CreateOptions, 361 | _In_opt_ PUNICODE_STRING Description 362 | ); 363 | #endif 364 | 365 | #if (PHNT_VERSION >= PHNT_VISTA) 366 | NTSYSCALLAPI 367 | NTSTATUS 368 | NTAPI 369 | NtOpenResourceManager( 370 | _Out_ PHANDLE ResourceManagerHandle, 371 | _In_ ACCESS_MASK DesiredAccess, 372 | _In_ HANDLE TmHandle, 373 | _In_opt_ LPGUID ResourceManagerGuid, 374 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 375 | ); 376 | #endif 377 | 378 | #if (PHNT_VERSION >= PHNT_VISTA) 379 | NTSYSCALLAPI 380 | NTSTATUS 381 | NTAPI 382 | NtRecoverResourceManager( 383 | _In_ HANDLE ResourceManagerHandle 384 | ); 385 | #endif 386 | 387 | #if (PHNT_VERSION >= PHNT_VISTA) 388 | NTSYSCALLAPI 389 | NTSTATUS 390 | NTAPI 391 | NtGetNotificationResourceManager( 392 | _In_ HANDLE ResourceManagerHandle, 393 | _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, 394 | _In_ ULONG NotificationLength, 395 | _In_opt_ PLARGE_INTEGER Timeout, 396 | _Out_opt_ PULONG ReturnLength, 397 | _In_ ULONG Asynchronous, 398 | _In_opt_ ULONG_PTR AsynchronousContext 399 | ); 400 | #endif 401 | 402 | #if (PHNT_VERSION >= PHNT_VISTA) 403 | NTSYSCALLAPI 404 | NTSTATUS 405 | NTAPI 406 | NtQueryInformationResourceManager( 407 | _In_ HANDLE ResourceManagerHandle, 408 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 409 | _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 410 | _In_ ULONG ResourceManagerInformationLength, 411 | _Out_opt_ PULONG ReturnLength 412 | ); 413 | #endif 414 | 415 | #if (PHNT_VERSION >= PHNT_VISTA) 416 | NTSYSCALLAPI 417 | NTSTATUS 418 | NTAPI 419 | NtSetInformationResourceManager( 420 | _In_ HANDLE ResourceManagerHandle, 421 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 422 | _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, 423 | _In_ ULONG ResourceManagerInformationLength 424 | ); 425 | #endif 426 | 427 | #if (PHNT_VERSION >= PHNT_VISTA) 428 | NTSYSCALLAPI 429 | NTSTATUS 430 | NTAPI 431 | NtRegisterProtocolAddressInformation( 432 | _In_ HANDLE ResourceManager, 433 | _In_ PCRM_PROTOCOL_ID ProtocolId, 434 | _In_ ULONG ProtocolInformationSize, 435 | _In_ PVOID ProtocolInformation, 436 | _In_opt_ ULONG CreateOptions 437 | ); 438 | #endif 439 | 440 | #if (PHNT_VERSION >= PHNT_VISTA) 441 | NTSYSCALLAPI 442 | NTSTATUS 443 | NTAPI 444 | NtPropagationComplete( 445 | _In_ HANDLE ResourceManagerHandle, 446 | _In_ ULONG RequestCookie, 447 | _In_ ULONG BufferLength, 448 | _In_ PVOID Buffer 449 | ); 450 | #endif 451 | 452 | #if (PHNT_VERSION >= PHNT_VISTA) 453 | NTSYSCALLAPI 454 | NTSTATUS 455 | NTAPI 456 | NtPropagationFailed( 457 | _In_ HANDLE ResourceManagerHandle, 458 | _In_ ULONG RequestCookie, 459 | _In_ NTSTATUS PropStatus 460 | ); 461 | #endif 462 | 463 | #if (PHNT_VERSION >= PHNT_VISTA) 464 | // private 465 | NTSYSCALLAPI 466 | NTSTATUS 467 | NTAPI 468 | NtFreezeTransactions( 469 | _In_ PLARGE_INTEGER FreezeTimeout, 470 | _In_ PLARGE_INTEGER ThawTimeout 471 | ); 472 | #endif 473 | 474 | #if (PHNT_VERSION >= PHNT_VISTA) 475 | // private 476 | NTSYSCALLAPI 477 | NTSTATUS 478 | NTAPI 479 | NtThawTransactions( 480 | VOID 481 | ); 482 | #endif 483 | 484 | #endif 485 | -------------------------------------------------------------------------------- /pnth/nttp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTTP_H 13 | #define _NTTP_H 14 | 15 | // Some types are already defined in winnt.h. 16 | 17 | typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; 18 | 19 | // private 20 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK)( 21 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 22 | _Inout_opt_ PVOID Context, 23 | _In_ PTP_ALPC Alpc 24 | ); 25 | 26 | // rev 27 | typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)( 28 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 29 | _Inout_opt_ PVOID Context, 30 | _In_ PTP_ALPC Alpc, 31 | _In_ PVOID ApcContext 32 | ); 33 | 34 | #if (PHNT_VERSION >= PHNT_VISTA) 35 | 36 | // private 37 | _Check_return_ 38 | NTSYSAPI 39 | NTSTATUS 40 | NTAPI 41 | TpAllocPool( 42 | _Out_ PTP_POOL *PoolReturn, 43 | _Reserved_ PVOID Reserved 44 | ); 45 | 46 | // winbase:CloseThreadpool 47 | NTSYSAPI 48 | VOID 49 | NTAPI 50 | TpReleasePool( 51 | _Inout_ PTP_POOL Pool 52 | ); 53 | 54 | // winbase:SetThreadpoolThreadMaximum 55 | NTSYSAPI 56 | VOID 57 | NTAPI 58 | TpSetPoolMaxThreads( 59 | _Inout_ PTP_POOL Pool, 60 | _In_ ULONG MaxThreads 61 | ); 62 | 63 | // private 64 | NTSYSAPI 65 | NTSTATUS 66 | NTAPI 67 | TpSetPoolMinThreads( 68 | _Inout_ PTP_POOL Pool, 69 | _In_ ULONG MinThreads 70 | ); 71 | 72 | #if (PHNT_VERSION >= PHNT_WIN7) 73 | // rev 74 | NTSYSAPI 75 | NTSTATUS 76 | NTAPI 77 | TpQueryPoolStackInformation( 78 | _In_ PTP_POOL Pool, 79 | _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation 80 | ); 81 | #endif 82 | 83 | #if (PHNT_VERSION >= PHNT_WIN7) 84 | // rev 85 | NTSYSAPI 86 | NTSTATUS 87 | NTAPI 88 | TpSetPoolStackInformation( 89 | _Inout_ PTP_POOL Pool, 90 | _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation 91 | ); 92 | #endif 93 | 94 | // private 95 | _Check_return_ 96 | NTSYSAPI 97 | NTSTATUS 98 | NTAPI 99 | TpAllocCleanupGroup( 100 | _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn 101 | ); 102 | 103 | // winbase:CloseThreadpoolCleanupGroup 104 | NTSYSAPI 105 | VOID 106 | NTAPI 107 | TpReleaseCleanupGroup( 108 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup 109 | ); 110 | 111 | // winbase:CloseThreadpoolCleanupGroupMembers 112 | NTSYSAPI 113 | VOID 114 | NTAPI 115 | TpReleaseCleanupGroupMembers( 116 | _Inout_ PTP_CLEANUP_GROUP CleanupGroup, 117 | _In_ LOGICAL CancelPendingCallbacks, 118 | _Inout_opt_ PVOID CleanupParameter 119 | ); 120 | 121 | // winbase:SetEventWhenCallbackReturns 122 | NTSYSAPI 123 | VOID 124 | NTAPI 125 | TpCallbackSetEventOnCompletion( 126 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 127 | _In_ HANDLE Event 128 | ); 129 | 130 | // winbase:ReleaseSemaphoreWhenCallbackReturns 131 | NTSYSAPI 132 | VOID 133 | NTAPI 134 | TpCallbackReleaseSemaphoreOnCompletion( 135 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 136 | _In_ HANDLE Semaphore, 137 | _In_ ULONG ReleaseCount 138 | ); 139 | 140 | // winbase:ReleaseMutexWhenCallbackReturns 141 | NTSYSAPI 142 | VOID 143 | NTAPI 144 | TpCallbackReleaseMutexOnCompletion( 145 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 146 | _In_ HANDLE Mutex 147 | ); 148 | 149 | // winbase:LeaveCriticalSectionWhenCallbackReturns 150 | NTSYSAPI 151 | VOID 152 | NTAPI 153 | TpCallbackLeaveCriticalSectionOnCompletion( 154 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 155 | _Inout_ PRTL_CRITICAL_SECTION CriticalSection 156 | ); 157 | 158 | // winbase:FreeLibraryWhenCallbackReturns 159 | NTSYSAPI 160 | VOID 161 | NTAPI 162 | TpCallbackUnloadDllOnCompletion( 163 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 164 | _In_ PVOID DllHandle 165 | ); 166 | 167 | // winbase:CallbackMayRunLong 168 | NTSYSAPI 169 | NTSTATUS 170 | NTAPI 171 | TpCallbackMayRunLong( 172 | _Inout_ PTP_CALLBACK_INSTANCE Instance 173 | ); 174 | 175 | // winbase:DisassociateCurrentThreadFromCallback 176 | NTSYSAPI 177 | VOID 178 | NTAPI 179 | TpDisassociateCallback( 180 | _Inout_ PTP_CALLBACK_INSTANCE Instance 181 | ); 182 | 183 | // winbase:TrySubmitThreadpoolCallback 184 | _Check_return_ 185 | NTSYSAPI 186 | NTSTATUS 187 | NTAPI 188 | TpSimpleTryPost( 189 | _In_ PTP_SIMPLE_CALLBACK Callback, 190 | _Inout_opt_ PVOID Context, 191 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 192 | ); 193 | 194 | // private 195 | _Check_return_ 196 | NTSYSAPI 197 | NTSTATUS 198 | NTAPI 199 | TpAllocWork( 200 | _Out_ PTP_WORK *WorkReturn, 201 | _In_ PTP_WORK_CALLBACK Callback, 202 | _Inout_opt_ PVOID Context, 203 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 204 | ); 205 | 206 | // winbase:CloseThreadpoolWork 207 | NTSYSAPI 208 | VOID 209 | NTAPI 210 | TpReleaseWork( 211 | _Inout_ PTP_WORK Work 212 | ); 213 | 214 | // winbase:SubmitThreadpoolWork 215 | NTSYSAPI 216 | VOID 217 | NTAPI 218 | TpPostWork( 219 | _Inout_ PTP_WORK Work 220 | ); 221 | 222 | // winbase:WaitForThreadpoolWorkCallbacks 223 | NTSYSAPI 224 | VOID 225 | NTAPI 226 | TpWaitForWork( 227 | _Inout_ PTP_WORK Work, 228 | _In_ LOGICAL CancelPendingCallbacks 229 | ); 230 | 231 | // private 232 | _Check_return_ 233 | NTSYSAPI 234 | NTSTATUS 235 | NTAPI 236 | TpAllocTimer( 237 | _Out_ PTP_TIMER *Timer, 238 | _In_ PTP_TIMER_CALLBACK Callback, 239 | _Inout_opt_ PVOID Context, 240 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 241 | ); 242 | 243 | // winbase:CloseThreadpoolTimer 244 | NTSYSAPI 245 | VOID 246 | NTAPI 247 | TpReleaseTimer( 248 | _Inout_ PTP_TIMER Timer 249 | ); 250 | 251 | // winbase:SetThreadpoolTimer 252 | NTSYSAPI 253 | VOID 254 | NTAPI 255 | TpSetTimer( 256 | _Inout_ PTP_TIMER Timer, 257 | _In_opt_ PLARGE_INTEGER DueTime, 258 | _In_ ULONG Period, 259 | _In_opt_ ULONG WindowLength 260 | ); 261 | 262 | #if (PHNT_VERSION >= PHNT_WIN8) 263 | // winbase:SetThreadpoolTimerEx 264 | NTSYSAPI 265 | NTSTATUS 266 | NTAPI 267 | TpSetTimerEx( 268 | _Inout_ PTP_TIMER Timer, 269 | _In_opt_ PLARGE_INTEGER DueTime, 270 | _In_ ULONG Period, 271 | _In_opt_ ULONG WindowLength 272 | ); 273 | #endif 274 | 275 | // winbase:IsThreadpoolTimerSet 276 | NTSYSAPI 277 | LOGICAL 278 | NTAPI 279 | TpIsTimerSet( 280 | _In_ PTP_TIMER Timer 281 | ); 282 | 283 | // winbase:WaitForThreadpoolTimerCallbacks 284 | NTSYSAPI 285 | VOID 286 | NTAPI 287 | TpWaitForTimer( 288 | _Inout_ PTP_TIMER Timer, 289 | _In_ LOGICAL CancelPendingCallbacks 290 | ); 291 | 292 | // private 293 | _Check_return_ 294 | NTSYSAPI 295 | NTSTATUS 296 | NTAPI 297 | TpAllocWait( 298 | _Out_ PTP_WAIT *WaitReturn, 299 | _In_ PTP_WAIT_CALLBACK Callback, 300 | _Inout_opt_ PVOID Context, 301 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 302 | ); 303 | 304 | // winbase:CloseThreadpoolWait 305 | NTSYSAPI 306 | VOID 307 | NTAPI 308 | TpReleaseWait( 309 | _Inout_ PTP_WAIT Wait 310 | ); 311 | 312 | // winbase:SetThreadpoolWait 313 | NTSYSAPI 314 | VOID 315 | NTAPI 316 | TpSetWait( 317 | _Inout_ PTP_WAIT Wait, 318 | _In_opt_ HANDLE Handle, 319 | _In_opt_ PLARGE_INTEGER Timeout 320 | ); 321 | 322 | #if (PHNT_VERSION >= PHNT_WIN8) 323 | // winbase:SetThreadpoolWaitEx 324 | NTSYSAPI 325 | NTSTATUS 326 | NTAPI 327 | TpSetWaitEx( 328 | _Inout_ PTP_WAIT Wait, 329 | _In_opt_ HANDLE Handle, 330 | _In_opt_ PLARGE_INTEGER Timeout, 331 | _In_opt_ PVOID Reserved 332 | ); 333 | #endif 334 | 335 | // winbase:WaitForThreadpoolWaitCallbacks 336 | NTSYSAPI 337 | VOID 338 | NTAPI 339 | TpWaitForWait( 340 | _Inout_ PTP_WAIT Wait, 341 | _In_ LOGICAL CancelPendingCallbacks 342 | ); 343 | 344 | // private 345 | typedef VOID (NTAPI *PTP_IO_CALLBACK)( 346 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 347 | _Inout_opt_ PVOID Context, 348 | _In_ PVOID ApcContext, 349 | _In_ PIO_STATUS_BLOCK IoSB, 350 | _In_ PTP_IO Io 351 | ); 352 | 353 | // private 354 | _Check_return_ 355 | NTSYSAPI 356 | NTSTATUS 357 | NTAPI 358 | TpAllocIoCompletion( 359 | _Out_ PTP_IO *IoReturn, 360 | _In_ HANDLE File, 361 | _In_ PTP_IO_CALLBACK Callback, 362 | _Inout_opt_ PVOID Context, 363 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 364 | ); 365 | 366 | // winbase:CloseThreadpoolIo 367 | NTSYSAPI 368 | VOID 369 | NTAPI 370 | TpReleaseIoCompletion( 371 | _Inout_ PTP_IO Io 372 | ); 373 | 374 | // winbase:StartThreadpoolIo 375 | NTSYSAPI 376 | VOID 377 | NTAPI 378 | TpStartAsyncIoOperation( 379 | _Inout_ PTP_IO Io 380 | ); 381 | 382 | // winbase:CancelThreadpoolIo 383 | NTSYSAPI 384 | VOID 385 | NTAPI 386 | TpCancelAsyncIoOperation( 387 | _Inout_ PTP_IO Io 388 | ); 389 | 390 | // winbase:WaitForThreadpoolIoCallbacks 391 | NTSYSAPI 392 | VOID 393 | NTAPI 394 | TpWaitForIoCompletion( 395 | _Inout_ PTP_IO Io, 396 | _In_ LOGICAL CancelPendingCallbacks 397 | ); 398 | 399 | // private 400 | NTSYSAPI 401 | NTSTATUS 402 | NTAPI 403 | TpAllocAlpcCompletion( 404 | _Out_ PTP_ALPC *AlpcReturn, 405 | _In_ HANDLE AlpcPort, 406 | _In_ PTP_ALPC_CALLBACK Callback, 407 | _Inout_opt_ PVOID Context, 408 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 409 | ); 410 | 411 | #if (PHNT_VERSION >= PHNT_WIN7) 412 | // rev 413 | NTSYSAPI 414 | NTSTATUS 415 | NTAPI 416 | TpAllocAlpcCompletionEx( 417 | _Out_ PTP_ALPC *AlpcReturn, 418 | _In_ HANDLE AlpcPort, 419 | _In_ PTP_ALPC_CALLBACK_EX Callback, 420 | _Inout_opt_ PVOID Context, 421 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 422 | ); 423 | #endif 424 | 425 | // private 426 | NTSYSAPI 427 | VOID 428 | NTAPI 429 | TpReleaseAlpcCompletion( 430 | _Inout_ PTP_ALPC Alpc 431 | ); 432 | 433 | // private 434 | NTSYSAPI 435 | VOID 436 | NTAPI 437 | TpWaitForAlpcCompletion( 438 | _Inout_ PTP_ALPC Alpc 439 | ); 440 | 441 | // private 442 | typedef enum _TP_TRACE_TYPE 443 | { 444 | TpTraceThreadPriority = 1, 445 | TpTraceThreadAffinity, 446 | MaxTpTraceType 447 | } TP_TRACE_TYPE; 448 | 449 | // private 450 | NTSYSAPI 451 | VOID 452 | NTAPI 453 | TpCaptureCaller( 454 | _In_ TP_TRACE_TYPE Type 455 | ); 456 | 457 | // private 458 | NTSYSAPI 459 | VOID 460 | NTAPI 461 | TpCheckTerminateWorker( 462 | _In_ HANDLE Thread 463 | ); 464 | 465 | #endif 466 | 467 | #endif 468 | -------------------------------------------------------------------------------- /pnth/ntwow64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTWOW64_H 13 | #define _NTWOW64_H 14 | 15 | #define WOW64_SYSTEM_DIRECTORY "SysWOW64" 16 | #define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64" 17 | #define WOW64_X86_TAG " (x86)" 18 | #define WOW64_X86_TAG_U L" (x86)" 19 | 20 | // In USER_SHARED_DATA 21 | typedef enum _WOW64_SHARED_INFORMATION 22 | { 23 | SharedNtdll32LdrInitializeThunk, 24 | SharedNtdll32KiUserExceptionDispatcher, 25 | SharedNtdll32KiUserApcDispatcher, 26 | SharedNtdll32KiUserCallbackDispatcher, 27 | SharedNtdll32ExpInterlockedPopEntrySListFault, 28 | SharedNtdll32ExpInterlockedPopEntrySListResume, 29 | SharedNtdll32ExpInterlockedPopEntrySListEnd, 30 | SharedNtdll32RtlUserThreadStart, 31 | SharedNtdll32pQueryProcessDebugInformationRemote, 32 | SharedNtdll32BaseAddress, 33 | SharedNtdll32LdrSystemDllInitBlock, 34 | Wow64SharedPageEntriesCount 35 | } WOW64_SHARED_INFORMATION; 36 | 37 | // 32-bit definitions 38 | 39 | #define WOW64_POINTER(Type) ULONG 40 | 41 | typedef struct _RTL_BALANCED_NODE32 42 | { 43 | union 44 | { 45 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2]; 46 | struct 47 | { 48 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left; 49 | WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right; 50 | }; 51 | }; 52 | union 53 | { 54 | WOW64_POINTER(UCHAR) Red : 1; 55 | WOW64_POINTER(UCHAR) Balance : 2; 56 | WOW64_POINTER(ULONG_PTR) ParentValue; 57 | }; 58 | } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32; 59 | 60 | typedef struct _RTL_RB_TREE32 61 | { 62 | WOW64_POINTER(PRTL_BALANCED_NODE) Root; 63 | WOW64_POINTER(PRTL_BALANCED_NODE) Min; 64 | } RTL_RB_TREE32, *PRTL_RB_TREE32; 65 | 66 | typedef struct _PEB_LDR_DATA32 67 | { 68 | ULONG Length; 69 | BOOLEAN Initialized; 70 | WOW64_POINTER(HANDLE) SsHandle; 71 | LIST_ENTRY32 InLoadOrderModuleList; 72 | LIST_ENTRY32 InMemoryOrderModuleList; 73 | LIST_ENTRY32 InInitializationOrderModuleList; 74 | WOW64_POINTER(PVOID) EntryInProgress; 75 | BOOLEAN ShutdownInProgress; 76 | WOW64_POINTER(HANDLE) ShutdownThreadId; 77 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32; 78 | 79 | typedef struct _LDR_SERVICE_TAG_RECORD32 80 | { 81 | WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next; 82 | ULONG ServiceTag; 83 | } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32; 84 | 85 | typedef struct _LDRP_CSLIST32 86 | { 87 | WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail; 88 | } LDRP_CSLIST32, *PLDRP_CSLIST32; 89 | 90 | typedef struct _LDR_DDAG_NODE32 91 | { 92 | LIST_ENTRY32 Modules; 93 | WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList; 94 | ULONG LoadCount; 95 | ULONG LoadWhileUnloadingCount; 96 | ULONG LowestLink; 97 | union 98 | { 99 | LDRP_CSLIST32 Dependencies; 100 | SINGLE_LIST_ENTRY32 RemovalLink; 101 | }; 102 | LDRP_CSLIST32 IncomingDependencies; 103 | LDR_DDAG_STATE State; 104 | SINGLE_LIST_ENTRY32 CondenseLink; 105 | ULONG PreorderNumber; 106 | } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32; 107 | 108 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode) 109 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue) 110 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions) 111 | 112 | typedef struct _LDR_DATA_TABLE_ENTRY32 113 | { 114 | LIST_ENTRY32 InLoadOrderLinks; 115 | LIST_ENTRY32 InMemoryOrderLinks; 116 | union 117 | { 118 | LIST_ENTRY32 InInitializationOrderLinks; 119 | LIST_ENTRY32 InProgressLinks; 120 | }; 121 | WOW64_POINTER(PVOID) DllBase; 122 | WOW64_POINTER(PVOID) EntryPoint; 123 | ULONG SizeOfImage; 124 | UNICODE_STRING32 FullDllName; 125 | UNICODE_STRING32 BaseDllName; 126 | union 127 | { 128 | UCHAR FlagGroup[4]; 129 | ULONG Flags; 130 | struct 131 | { 132 | ULONG PackagedBinary : 1; 133 | ULONG MarkedForRemoval : 1; 134 | ULONG ImageDll : 1; 135 | ULONG LoadNotificationsSent : 1; 136 | ULONG TelemetryEntryProcessed : 1; 137 | ULONG ProcessStaticImport : 1; 138 | ULONG InLegacyLists : 1; 139 | ULONG InIndexes : 1; 140 | ULONG ShimDll : 1; 141 | ULONG InExceptionTable : 1; 142 | ULONG ReservedFlags1 : 2; 143 | ULONG LoadInProgress : 1; 144 | ULONG LoadConfigProcessed : 1; 145 | ULONG EntryProcessed : 1; 146 | ULONG ProtectDelayLoad : 1; 147 | ULONG ReservedFlags3 : 2; 148 | ULONG DontCallForThreads : 1; 149 | ULONG ProcessAttachCalled : 1; 150 | ULONG ProcessAttachFailed : 1; 151 | ULONG CorDeferredValidate : 1; 152 | ULONG CorImage : 1; 153 | ULONG DontRelocate : 1; 154 | ULONG CorILOnly : 1; 155 | ULONG ChpeImage : 1; 156 | ULONG ReservedFlags5 : 2; 157 | ULONG Redirected : 1; 158 | ULONG ReservedFlags6 : 2; 159 | ULONG CompatDatabaseProcessed : 1; 160 | }; 161 | }; 162 | USHORT ObsoleteLoadCount; 163 | USHORT TlsIndex; 164 | LIST_ENTRY32 HashLinks; 165 | ULONG TimeDateStamp; 166 | WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext; 167 | WOW64_POINTER(PVOID) Lock; 168 | WOW64_POINTER(PLDR_DDAG_NODE) DdagNode; 169 | LIST_ENTRY32 NodeModuleLink; 170 | WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext; 171 | WOW64_POINTER(PVOID) ParentDllBase; 172 | WOW64_POINTER(PVOID) SwitchBackContext; 173 | RTL_BALANCED_NODE32 BaseAddressIndexNode; 174 | RTL_BALANCED_NODE32 MappingInfoIndexNode; 175 | WOW64_POINTER(ULONG_PTR) OriginalBase; 176 | LARGE_INTEGER LoadTime; 177 | ULONG BaseNameHashValue; 178 | LDR_DLL_LOAD_REASON LoadReason; 179 | ULONG ImplicitPathOptions; 180 | ULONG ReferenceCount; 181 | ULONG DependentLoadFlags; 182 | UCHAR SigningLevel; // since REDSTONE2 183 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; 184 | 185 | typedef struct _CURDIR32 186 | { 187 | UNICODE_STRING32 DosPath; 188 | WOW64_POINTER(HANDLE) Handle; 189 | } CURDIR32, *PCURDIR32; 190 | 191 | typedef struct _RTL_DRIVE_LETTER_CURDIR32 192 | { 193 | USHORT Flags; 194 | USHORT Length; 195 | ULONG TimeStamp; 196 | STRING32 DosPath; 197 | } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; 198 | 199 | typedef struct _RTL_USER_PROCESS_PARAMETERS32 200 | { 201 | ULONG MaximumLength; 202 | ULONG Length; 203 | 204 | ULONG Flags; 205 | ULONG DebugFlags; 206 | 207 | WOW64_POINTER(HANDLE) ConsoleHandle; 208 | ULONG ConsoleFlags; 209 | WOW64_POINTER(HANDLE) StandardInput; 210 | WOW64_POINTER(HANDLE) StandardOutput; 211 | WOW64_POINTER(HANDLE) StandardError; 212 | 213 | CURDIR32 CurrentDirectory; 214 | UNICODE_STRING32 DllPath; 215 | UNICODE_STRING32 ImagePathName; 216 | UNICODE_STRING32 CommandLine; 217 | WOW64_POINTER(PVOID) Environment; 218 | 219 | ULONG StartingX; 220 | ULONG StartingY; 221 | ULONG CountX; 222 | ULONG CountY; 223 | ULONG CountCharsX; 224 | ULONG CountCharsY; 225 | ULONG FillAttribute; 226 | 227 | ULONG WindowFlags; 228 | ULONG ShowWindowFlags; 229 | UNICODE_STRING32 WindowTitle; 230 | UNICODE_STRING32 DesktopInfo; 231 | UNICODE_STRING32 ShellInfo; 232 | UNICODE_STRING32 RuntimeData; 233 | RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 234 | 235 | WOW64_POINTER(ULONG_PTR) EnvironmentSize; 236 | WOW64_POINTER(ULONG_PTR) EnvironmentVersion; 237 | WOW64_POINTER(PVOID) PackageDependencyData; 238 | ULONG ProcessGroupId; 239 | ULONG LoaderThreads; 240 | 241 | UNICODE_STRING32 RedirectionDllName; // REDSTONE4 242 | UNICODE_STRING32 HeapPartitionName; // 19H1 243 | WOW64_POINTER(ULONG_PTR) DefaultThreadpoolCpuSetMasks; 244 | ULONG DefaultThreadpoolCpuSetMaskCount; 245 | } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; 246 | 247 | typedef struct _PEB32 248 | { 249 | BOOLEAN InheritedAddressSpace; 250 | BOOLEAN ReadImageFileExecOptions; 251 | BOOLEAN BeingDebugged; 252 | union 253 | { 254 | BOOLEAN BitField; 255 | struct 256 | { 257 | BOOLEAN ImageUsesLargePages : 1; 258 | BOOLEAN IsProtectedProcess : 1; 259 | BOOLEAN IsImageDynamicallyRelocated : 1; 260 | BOOLEAN SkipPatchingUser32Forwarders : 1; 261 | BOOLEAN IsPackagedProcess : 1; 262 | BOOLEAN IsAppContainer : 1; 263 | BOOLEAN IsProtectedProcessLight : 1; 264 | BOOLEAN IsLongPathAwareProcess : 1; 265 | }; 266 | }; 267 | WOW64_POINTER(HANDLE) Mutant; 268 | 269 | WOW64_POINTER(PVOID) ImageBaseAddress; 270 | WOW64_POINTER(PPEB_LDR_DATA) Ldr; 271 | WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; 272 | WOW64_POINTER(PVOID) SubSystemData; 273 | WOW64_POINTER(PVOID) ProcessHeap; 274 | WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; 275 | WOW64_POINTER(PVOID) AtlThunkSListPtr; 276 | WOW64_POINTER(PVOID) IFEOKey; 277 | union 278 | { 279 | ULONG CrossProcessFlags; 280 | struct 281 | { 282 | ULONG ProcessInJob : 1; 283 | ULONG ProcessInitializing : 1; 284 | ULONG ProcessUsingVEH : 1; 285 | ULONG ProcessUsingVCH : 1; 286 | ULONG ProcessUsingFTH : 1; 287 | ULONG ReservedBits0 : 27; 288 | }; 289 | }; 290 | union 291 | { 292 | WOW64_POINTER(PVOID) KernelCallbackTable; 293 | WOW64_POINTER(PVOID) UserSharedInfoPtr; 294 | }; 295 | ULONG SystemReserved; 296 | ULONG AtlThunkSListPtr32; 297 | WOW64_POINTER(PVOID) ApiSetMap; 298 | ULONG TlsExpansionCounter; 299 | WOW64_POINTER(PVOID) TlsBitmap; 300 | ULONG TlsBitmapBits[2]; 301 | WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; 302 | WOW64_POINTER(PVOID) HotpatchInformation; 303 | WOW64_POINTER(PVOID *) ReadOnlyStaticServerData; 304 | WOW64_POINTER(PVOID) AnsiCodePageData; 305 | WOW64_POINTER(PVOID) OemCodePageData; 306 | WOW64_POINTER(PVOID) UnicodeCaseTableData; 307 | 308 | ULONG NumberOfProcessors; 309 | ULONG NtGlobalFlag; 310 | 311 | LARGE_INTEGER CriticalSectionTimeout; 312 | WOW64_POINTER(SIZE_T) HeapSegmentReserve; 313 | WOW64_POINTER(SIZE_T) HeapSegmentCommit; 314 | WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; 315 | WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; 316 | 317 | ULONG NumberOfHeaps; 318 | ULONG MaximumNumberOfHeaps; 319 | WOW64_POINTER(PVOID *) ProcessHeaps; 320 | 321 | WOW64_POINTER(PVOID) GdiSharedHandleTable; 322 | WOW64_POINTER(PVOID) ProcessStarterHelper; 323 | ULONG GdiDCAttributeList; 324 | 325 | WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; 326 | 327 | ULONG OSMajorVersion; 328 | ULONG OSMinorVersion; 329 | USHORT OSBuildNumber; 330 | USHORT OSCSDVersion; 331 | ULONG OSPlatformId; 332 | ULONG ImageSubsystem; 333 | ULONG ImageSubsystemMajorVersion; 334 | ULONG ImageSubsystemMinorVersion; 335 | WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask; 336 | GDI_HANDLE_BUFFER32 GdiHandleBuffer; 337 | WOW64_POINTER(PVOID) PostProcessInitRoutine; 338 | 339 | WOW64_POINTER(PVOID) TlsExpansionBitmap; 340 | ULONG TlsExpansionBitmapBits[32]; 341 | 342 | ULONG SessionId; 343 | 344 | ULARGE_INTEGER AppCompatFlags; 345 | ULARGE_INTEGER AppCompatFlagsUser; 346 | WOW64_POINTER(PVOID) pShimData; 347 | WOW64_POINTER(PVOID) AppCompatInfo; 348 | 349 | UNICODE_STRING32 CSDVersion; 350 | 351 | WOW64_POINTER(PVOID) ActivationContextData; 352 | WOW64_POINTER(PVOID) ProcessAssemblyStorageMap; 353 | WOW64_POINTER(PVOID) SystemDefaultActivationContextData; 354 | WOW64_POINTER(PVOID) SystemAssemblyStorageMap; 355 | 356 | WOW64_POINTER(SIZE_T) MinimumStackCommit; 357 | 358 | WOW64_POINTER(PVOID) SparePointers[4]; 359 | ULONG SpareUlongs[5]; 360 | //WOW64_POINTER(PVOID *) FlsCallback; 361 | //LIST_ENTRY32 FlsListHead; 362 | //WOW64_POINTER(PVOID) FlsBitmap; 363 | //ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 364 | //ULONG FlsHighIndex; 365 | 366 | WOW64_POINTER(PVOID) WerRegistrationData; 367 | WOW64_POINTER(PVOID) WerShipAssertPtr; 368 | WOW64_POINTER(PVOID) pContextData; 369 | WOW64_POINTER(PVOID) pImageHeaderHash; 370 | union 371 | { 372 | ULONG TracingFlags; 373 | struct 374 | { 375 | ULONG HeapTracingEnabled : 1; 376 | ULONG CritSecTracingEnabled : 1; 377 | ULONG LibLoaderTracingEnabled : 1; 378 | ULONG SpareTracingBits : 29; 379 | }; 380 | }; 381 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 382 | WOW64_POINTER(PVOID) TppWorkerpListLock; 383 | LIST_ENTRY32 TppWorkerpList; 384 | WOW64_POINTER(PVOID) WaitOnAddressHashTable[128]; 385 | WOW64_POINTER(PVOID) TelemetryCoverageHeader; // REDSTONE3 386 | ULONG CloudFileFlags; 387 | ULONG CloudFileDiagFlags; // REDSTONE4 388 | CHAR PlaceholderCompatibilityMode; 389 | CHAR PlaceholderCompatibilityModeReserved[7]; 390 | } PEB32, *PPEB32; 391 | 392 | C_ASSERT(FIELD_OFFSET(PEB32, IFEOKey) == 0x024); 393 | C_ASSERT(FIELD_OFFSET(PEB32, UnicodeCaseTableData) == 0x060); 394 | C_ASSERT(FIELD_OFFSET(PEB32, SystemAssemblyStorageMap) == 0x204); 395 | C_ASSERT(FIELD_OFFSET(PEB32, pImageHeaderHash) == 0x23c); 396 | C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c); 397 | //C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3 398 | C_ASSERT(sizeof(PEB32) == 0x470); 399 | 400 | // Note: Use PhGetProcessPeb32 instead. (dmex) 401 | //#define WOW64_GET_PEB32(peb64) ((PPEB32)PTR_ADD_OFFSET((peb64), ALIGN_UP_BY(sizeof(PEB), PAGE_SIZE))) 402 | 403 | #define GDI_BATCH_BUFFER_SIZE 310 404 | 405 | typedef struct _GDI_TEB_BATCH32 406 | { 407 | ULONG Offset; 408 | WOW64_POINTER(ULONG_PTR) HDC; 409 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 410 | } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; 411 | 412 | typedef struct _TEB32 413 | { 414 | NT_TIB32 NtTib; 415 | 416 | WOW64_POINTER(PVOID) EnvironmentPointer; 417 | CLIENT_ID32 ClientId; 418 | WOW64_POINTER(PVOID) ActiveRpcHandle; 419 | WOW64_POINTER(PVOID) ThreadLocalStoragePointer; 420 | WOW64_POINTER(PPEB) ProcessEnvironmentBlock; 421 | 422 | ULONG LastErrorValue; 423 | ULONG CountOfOwnedCriticalSections; 424 | WOW64_POINTER(PVOID) CsrClientThread; 425 | WOW64_POINTER(PVOID) Win32ThreadInfo; 426 | ULONG User32Reserved[26]; 427 | ULONG UserReserved[5]; 428 | WOW64_POINTER(PVOID) WOW32Reserved; 429 | LCID CurrentLocale; 430 | ULONG FpSoftwareStatusRegister; 431 | WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16]; 432 | WOW64_POINTER(PVOID) SystemReserved1[36]; 433 | UCHAR WorkingOnBehalfTicket[8]; 434 | NTSTATUS ExceptionCode; 435 | 436 | WOW64_POINTER(PVOID) ActivationContextStackPointer; 437 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp; 438 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc; 439 | WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp; 440 | BOOLEAN InstrumentationCallbackDisabled; 441 | UCHAR SpareBytes[23]; 442 | ULONG TxFsContext; 443 | 444 | GDI_TEB_BATCH32 GdiTebBatch; 445 | CLIENT_ID32 RealClientId; 446 | WOW64_POINTER(HANDLE) GdiCachedProcessHandle; 447 | ULONG GdiClientPID; 448 | ULONG GdiClientTID; 449 | WOW64_POINTER(PVOID) GdiThreadLocalInfo; 450 | WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; 451 | WOW64_POINTER(PVOID) glDispatchTable[233]; 452 | WOW64_POINTER(ULONG_PTR) glReserved1[29]; 453 | WOW64_POINTER(PVOID) glReserved2; 454 | WOW64_POINTER(PVOID) glSectionInfo; 455 | WOW64_POINTER(PVOID) glSection; 456 | WOW64_POINTER(PVOID) glTable; 457 | WOW64_POINTER(PVOID) glCurrentRC; 458 | WOW64_POINTER(PVOID) glContext; 459 | 460 | NTSTATUS LastStatusValue; 461 | UNICODE_STRING32 StaticUnicodeString; 462 | WCHAR StaticUnicodeBuffer[261]; 463 | 464 | WOW64_POINTER(PVOID) DeallocationStack; 465 | WOW64_POINTER(PVOID) TlsSlots[64]; 466 | LIST_ENTRY32 TlsLinks; 467 | 468 | WOW64_POINTER(PVOID) Vdm; 469 | WOW64_POINTER(PVOID) ReservedForNtRpc; 470 | WOW64_POINTER(PVOID) DbgSsReserved[2]; 471 | 472 | ULONG HardErrorMode; 473 | WOW64_POINTER(PVOID) Instrumentation[9]; 474 | GUID ActivityId; 475 | 476 | WOW64_POINTER(PVOID) SubProcessTag; 477 | WOW64_POINTER(PVOID) PerflibData; 478 | WOW64_POINTER(PVOID) EtwTraceData; 479 | WOW64_POINTER(PVOID) WinSockData; 480 | ULONG GdiBatchCount; 481 | 482 | union 483 | { 484 | PROCESSOR_NUMBER CurrentIdealProcessor; 485 | ULONG IdealProcessorValue; 486 | struct 487 | { 488 | UCHAR ReservedPad0; 489 | UCHAR ReservedPad1; 490 | UCHAR ReservedPad2; 491 | UCHAR IdealProcessor; 492 | }; 493 | }; 494 | 495 | ULONG GuaranteedStackBytes; 496 | WOW64_POINTER(PVOID) ReservedForPerf; 497 | WOW64_POINTER(PVOID) ReservedForOle; 498 | ULONG WaitingOnLoaderLock; 499 | WOW64_POINTER(PVOID) SavedPriorityState; 500 | WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage; 501 | WOW64_POINTER(PVOID) ThreadPoolData; 502 | WOW64_POINTER(PVOID *) TlsExpansionSlots; 503 | 504 | ULONG MuiGeneration; 505 | ULONG IsImpersonating; 506 | WOW64_POINTER(PVOID) NlsCache; 507 | WOW64_POINTER(PVOID) pShimData; 508 | USHORT HeapVirtualAffinity; 509 | USHORT LowFragHeapDataSlot; 510 | WOW64_POINTER(HANDLE) CurrentTransactionHandle; 511 | WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame; 512 | WOW64_POINTER(PVOID) FlsData; 513 | 514 | WOW64_POINTER(PVOID) PreferredLanguages; 515 | WOW64_POINTER(PVOID) UserPrefLanguages; 516 | WOW64_POINTER(PVOID) MergedPrefLanguages; 517 | ULONG MuiImpersonation; 518 | 519 | union 520 | { 521 | USHORT CrossTebFlags; 522 | USHORT SpareCrossTebBits : 16; 523 | }; 524 | union 525 | { 526 | USHORT SameTebFlags; 527 | struct 528 | { 529 | USHORT SafeThunkCall : 1; 530 | USHORT InDebugPrint : 1; 531 | USHORT HasFiberData : 1; 532 | USHORT SkipThreadAttach : 1; 533 | USHORT WerInShipAssertCode : 1; 534 | USHORT RanProcessInit : 1; 535 | USHORT ClonedThread : 1; 536 | USHORT SuppressDebugMsg : 1; 537 | USHORT DisableUserStackWalk : 1; 538 | USHORT RtlExceptionAttached : 1; 539 | USHORT InitialThread : 1; 540 | USHORT SessionAware : 1; 541 | USHORT LoadOwner : 1; 542 | USHORT LoaderWorker : 1; 543 | USHORT SpareSameTebBits : 2; 544 | }; 545 | }; 546 | 547 | WOW64_POINTER(PVOID) TxnScopeEnterCallback; 548 | WOW64_POINTER(PVOID) TxnScopeExitCallback; 549 | WOW64_POINTER(PVOID) TxnScopeContext; 550 | ULONG LockCount; 551 | LONG WowTebOffset; 552 | WOW64_POINTER(PVOID) ResourceRetValue; 553 | WOW64_POINTER(PVOID) ReservedForWdf; 554 | ULONGLONG ReservedForCrt; 555 | GUID EffectiveContainerId; 556 | } TEB32, *PTEB32; 557 | 558 | C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030); 559 | C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4); 560 | C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0); 561 | C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0); 562 | C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00); 563 | C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10); 564 | C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20); 565 | C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50); 566 | C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70); 567 | C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94); 568 | C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4); 569 | C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4); 570 | C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8); 571 | C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0); 572 | C_ASSERT(sizeof(TEB32) == 0x1000); 573 | 574 | // Get the 32-bit TEB without doing a memory reference 575 | // modified from public SDK /10.0.10240.0/um/minwin/wow64t.h (dmex) 576 | #define WOW64_GET_TEB32(teb64) ((PTEB32)PTR_ADD_OFFSET((teb64), ALIGN_UP_BY(sizeof(TEB), PAGE_SIZE))) 577 | #define WOW64_TEB32_POINTER_ADDRESS(teb64) (PVOID)&((teb64)->NtTib.ExceptionList) 578 | 579 | // Conversion 580 | 581 | FORCEINLINE VOID UStr32ToUStr( 582 | _Out_ PUNICODE_STRING Destination, 583 | _In_ PUNICODE_STRING32 Source 584 | ) 585 | { 586 | Destination->Length = Source->Length; 587 | Destination->MaximumLength = Source->MaximumLength; 588 | Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer); 589 | } 590 | 591 | FORCEINLINE VOID UStrToUStr32( 592 | _Out_ PUNICODE_STRING32 Destination, 593 | _In_ PUNICODE_STRING Source 594 | ) 595 | { 596 | Destination->Length = Source->Length; 597 | Destination->MaximumLength = Source->MaximumLength; 598 | Destination->Buffer = PtrToUlong(Source->Buffer); 599 | } 600 | 601 | #endif 602 | -------------------------------------------------------------------------------- /pnth/ntxcapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _NTXCAPI_H 13 | #define _NTXCAPI_H 14 | 15 | NTSYSAPI 16 | BOOLEAN 17 | NTAPI 18 | RtlDispatchException( 19 | _In_ PEXCEPTION_RECORD ExceptionRecord, 20 | _In_ PCONTEXT ContextRecord 21 | ); 22 | 23 | NTSYSAPI 24 | DECLSPEC_NORETURN 25 | VOID 26 | NTAPI 27 | RtlRaiseStatus( 28 | _In_ NTSTATUS Status 29 | ); 30 | 31 | NTSYSAPI 32 | VOID 33 | NTAPI 34 | RtlRaiseException( 35 | _In_ PEXCEPTION_RECORD ExceptionRecord 36 | ); 37 | 38 | NTSYSCALLAPI 39 | NTSTATUS 40 | NTAPI 41 | NtContinue( 42 | _In_ PCONTEXT ContextRecord, 43 | _In_ BOOLEAN TestAlert 44 | ); 45 | 46 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 47 | typedef enum _KCONTINUE_TYPE 48 | { 49 | KCONTINUE_UNWIND, 50 | KCONTINUE_RESUME, 51 | KCONTINUE_LONGJUMP, 52 | KCONTINUE_SET, 53 | KCONTINUE_LAST, 54 | } KCONTINUE_TYPE; 55 | 56 | typedef struct _KCONTINUE_ARGUMENT 57 | { 58 | KCONTINUE_TYPE ContinueType; 59 | ULONG ContinueFlags; 60 | ULONGLONG Reserved[2]; 61 | } KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; 62 | 63 | #define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny 64 | #define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny 65 | 66 | NTSYSCALLAPI 67 | NTSTATUS 68 | NTAPI 69 | NtContinueEx( 70 | _In_ PCONTEXT ContextRecord, 71 | _In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid 72 | ); 73 | 74 | //FORCEINLINE 75 | //NTSTATUS 76 | //NtContinue( 77 | // _In_ PCONTEXT ContextRecord, 78 | // _In_ BOOLEAN TestAlert 79 | // ) 80 | //{ 81 | // return NtContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert); 82 | //} 83 | #endif 84 | 85 | NTSYSCALLAPI 86 | NTSTATUS 87 | NTAPI 88 | NtRaiseException( 89 | _In_ PEXCEPTION_RECORD ExceptionRecord, 90 | _In_ PCONTEXT ContextRecord, 91 | _In_ BOOLEAN FirstChance 92 | ); 93 | 94 | __analysis_noreturn 95 | NTSYSCALLAPI 96 | VOID 97 | NTAPI 98 | RtlAssert( 99 | _In_ PVOID VoidFailedAssertion, 100 | _In_ PVOID VoidFileName, 101 | _In_ ULONG LineNumber, 102 | _In_opt_ PSTR MutableMessage 103 | ); 104 | 105 | #define RTL_ASSERT(exp) \ 106 | ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE) 107 | #define RTL_ASSERTMSG(msg, exp) \ 108 | ((!(exp)) ? (RtlAssert((PVOID)#exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE) 109 | #define RTL_SOFT_ASSERT(_exp) \ 110 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE) 111 | #define RTL_SOFT_ASSERTMSG(_msg, _exp) \ 112 | ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) 113 | 114 | #endif 115 | -------------------------------------------------------------------------------- /pnth/pch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define DECLSPEC_DEPRECATED_DDK 4 | 5 | #define _CRT_SECURE_NO_DEPRECATE 6 | #define _CRT_NON_CONFORMING_SWPRINTFS 7 | #define _NO_CRT_STDIO_INLINE 8 | #define _NO_CPP_INLINES 9 | #define _CRT_SECURE_CPP_OVERLOAD_SECURE_NAMES 0 10 | #define _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH 11 | #define __EDG__ 12 | #define USE_ATL_THUNK2 13 | 14 | #define CMSG_SIGNED_ENCODE_INFO_HAS_CMS_FIELDS 15 | #define CMSG_SIGNER_ENCODE_INFO_HAS_CMS_FIELDS 16 | 17 | #ifndef DECLSPEC_IMPORT 18 | #define DECLSPEC_IMPORT __declspec(dllimport) 19 | #endif 20 | 21 | #define DPAPI_IMP DECLSPEC_IMPORT 22 | #define _CRTIMP DECLSPEC_IMPORT 23 | #define _CRTIMP_ALT DECLSPEC_IMPORT 24 | 25 | #define _NT_BEGIN namespace NT { 26 | #define _NT_END } 27 | 28 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4392 4471 4480 4530 4706 5040) 29 | 30 | #include 31 | // #include 32 | #include 33 | #include 34 | 35 | #include 36 | #include 37 | #include 38 | #undef WIN32_NO_STATUS 39 | #include 40 | #include 41 | 42 | //#include 43 | //#include 44 | 45 | typedef GUID *PGUID; 46 | 47 | EXTERN_C IMAGE_DOS_HEADER __ImageBase; 48 | 49 | #ifndef PHNT_MODE 50 | #define PHNT_MODE PHNT_MODE_USER 51 | #endif 52 | 53 | #ifndef PHNT_VERSION 54 | #define PHNT_VERSION PHNT_WIN11_22H2 55 | #endif 56 | 57 | #if PHNT_MODE == PHNT_MODE_USER 58 | #define SECURITY_WIN32 59 | #endif 60 | 61 | //#define _NTLSA_ 62 | 63 | #define PHNT_NO_INLINE_INIT_STRING 64 | 65 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4392 4471 4480 4530 4706 5040) 66 | #include "phnt.h" 67 | #pragma warning(default : 4392) 68 | 69 | #define MINCHAR 0x80 // winnt 70 | #define MAXCHAR 0x7f // winnt 71 | #define MINSHORT 0x8000 // winnt 72 | #define MAXSHORT 0x7fff // winnt 73 | #define MINLONG 0x80000000 // winnt 74 | #define MAXLONG 0x7fffffff // winnt 75 | #define MAXUCHAR 0xff // winnt 76 | #define MAXUSHORT 0xffff // winnt 77 | #define MAXULONG 0xffffffff // winnt 78 | 79 | #include "mini_yvals.h" 80 | -------------------------------------------------------------------------------- /pnth/phnt.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _PHNT_H 13 | #define _PHNT_H 14 | 15 | // This header file provides access to NT APIs. 16 | 17 | // Definitions are annotated to indicate their source. If a definition is not annotated, it has been 18 | // retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). 19 | 20 | // * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in 21 | // winbase.h. 22 | // * "rev" indicates that a definition has been reverse-engineered. 23 | // * "dbg" indicates that a definition has been obtained from a debug message or assertion in a 24 | // checked build of the kernel or file. 25 | 26 | // Reliability: 27 | // 1. No annotation. 28 | // 2. dbg. 29 | // 3. symbols, private. Types may be incorrect. 30 | // 4. winbase. Names and types may be incorrect. 31 | // 5. rev. 32 | 33 | // Mode 34 | #define PHNT_MODE_KERNEL 0 35 | #define PHNT_MODE_USER 1 36 | 37 | // Version 38 | #define PHNT_WIN2K 50 39 | #define PHNT_WINXP 51 40 | #define PHNT_WS03 52 41 | #define PHNT_VISTA 60 42 | #define PHNT_WIN7 61 43 | #define PHNT_WIN8 62 44 | #define PHNT_WINBLUE 63 45 | #define PHNT_THRESHOLD 100 46 | #define PHNT_THRESHOLD2 101 47 | #define PHNT_REDSTONE 102 48 | #define PHNT_REDSTONE2 103 49 | #define PHNT_REDSTONE3 104 50 | #define PHNT_REDSTONE4 105 51 | #define PHNT_REDSTONE5 106 52 | #define PHNT_19H1 107 53 | #define PHNT_19H2 108 54 | #define PHNT_20H1 109 55 | #define PHNT_20H2 110 56 | #define PHNT_21H1 111 57 | #define PHNT_21H2 112 58 | #define PHNT_WIN11 113 59 | #define PHNT_WIN11_22H2 114 60 | 61 | #ifndef PHNT_MODE 62 | #define PHNT_MODE PHNT_MODE_USER 63 | #endif 64 | 65 | #ifndef PHNT_VERSION 66 | #define PHNT_VERSION PHNT_WIN7 67 | #endif 68 | 69 | #ifndef PAGE_SIZE 70 | #define PAGE_SIZE 0x1000 71 | #endif // !1 72 | 73 | 74 | // Options 75 | 76 | #ifndef _DATAIMP 77 | #define _DATAIMP __declspec(dllimport) 78 | #endif 79 | 80 | 81 | #ifdef __cplusplus 82 | extern "C" { 83 | #endif 84 | 85 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 86 | #include 87 | #include 88 | #include 89 | #endif 90 | 91 | #include 92 | #include 93 | 94 | #include 95 | #include 96 | #include 97 | #include 98 | 99 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 100 | #include 101 | #include 102 | #include 103 | #include 104 | #include 105 | #include 106 | #include 107 | #include 108 | #include 109 | #endif 110 | 111 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 112 | 113 | #include 114 | #include 115 | #include 116 | #include 117 | 118 | #include 119 | 120 | #include 121 | #include 122 | 123 | #include 124 | 125 | #include 126 | 127 | #endif 128 | 129 | #ifdef __cplusplus 130 | } 131 | #endif 132 | 133 | #endif 134 | -------------------------------------------------------------------------------- /pnth/phnt_ntdef.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _PHNT_NTDEF_H 13 | #define _PHNT_NTDEF_H 14 | 15 | #ifndef _NTDEF_ 16 | #define _NTDEF_ 17 | 18 | // This header file provides basic NT types not included in Win32. If you have included winnt.h 19 | // (perhaps indirectly), you must use this file instead of ntdef.h. 20 | 21 | #ifndef NOTHING 22 | #define NOTHING 23 | #endif 24 | 25 | // Basic types 26 | 27 | typedef struct _QUAD 28 | { 29 | union 30 | { 31 | __int64 UseThisFieldToCopy; 32 | double DoNotUseThisField; 33 | }; 34 | } QUAD, *PQUAD; 35 | 36 | // This isn't in NT, but it's useful. 37 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR 38 | { 39 | ULONG_PTR DoNotUseThisField1; 40 | ULONG_PTR DoNotUseThisField2; 41 | } QUAD_PTR, *PQUAD_PTR; 42 | 43 | typedef ULONG LOGICAL; 44 | typedef ULONG *PLOGICAL; 45 | 46 | typedef _Return_type_success_(return >= 0) LONG NTSTATUS; 47 | typedef NTSTATUS *PNTSTATUS; 48 | 49 | // Cardinal types 50 | 51 | typedef char CCHAR; 52 | typedef short CSHORT; 53 | typedef ULONG CLONG; 54 | 55 | typedef CCHAR *PCCHAR; 56 | typedef CSHORT *PCSHORT; 57 | typedef CLONG *PCLONG; 58 | 59 | typedef PCSTR PCSZ; 60 | 61 | // Specific 62 | 63 | typedef UCHAR KIRQL, *PKIRQL; 64 | typedef LONG KPRIORITY, *PKPRIORITY; 65 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 66 | 67 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; 68 | 69 | typedef struct _LARGE_INTEGER_128 70 | { 71 | LONGLONG QuadPart[2]; 72 | } LARGE_INTEGER_128, *PLARGE_INTEGER_128; 73 | 74 | // NT status macros 75 | 76 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) 77 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) 78 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) 79 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) 80 | 81 | #define NT_FACILITY_MASK 0xfff 82 | #define NT_FACILITY_SHIFT 16 83 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) 84 | 85 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) 86 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff) 87 | 88 | // Functions 89 | 90 | #ifndef _WIN64 91 | #define FASTCALL __fastcall 92 | #else 93 | #define FASTCALL 94 | #endif 95 | 96 | // Synchronization enumerations 97 | 98 | typedef enum _EVENT_TYPE 99 | { 100 | NotificationEvent, 101 | SynchronizationEvent 102 | } EVENT_TYPE; 103 | 104 | typedef enum _TIMER_TYPE 105 | { 106 | NotificationTimer, 107 | SynchronizationTimer 108 | } TIMER_TYPE; 109 | 110 | typedef enum _WAIT_TYPE 111 | { 112 | WaitAll, 113 | WaitAny, 114 | WaitNotification 115 | } WAIT_TYPE; 116 | 117 | // Strings 118 | 119 | typedef struct _STRING 120 | { 121 | USHORT Length; 122 | USHORT MaximumLength; 123 | _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer; 124 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; 125 | 126 | #define MAXUSHORT 0xffff 127 | 128 | typedef struct _CSTRING { 129 | USHORT Length; 130 | USHORT MaximumLength; 131 | CONST char *Buffer; 132 | } CSTRING; 133 | 134 | typedef CSTRING *PCSTRING; 135 | 136 | typedef STRING UTF8_STRING; 137 | typedef PSTRING PUTF8_STRING; 138 | 139 | typedef const ANSI_STRING *PCANSI_STRING; 140 | typedef const OEM_STRING *PCOEM_STRING; 141 | 142 | typedef struct _UNICODE_STRING 143 | { 144 | USHORT Length; 145 | USHORT MaximumLength; 146 | _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer; 147 | } UNICODE_STRING, *PUNICODE_STRING; 148 | 149 | typedef const UNICODE_STRING *PCUNICODE_STRING; 150 | 151 | #ifdef __cplusplus 152 | extern "C++" 153 | { 154 | char _RTL_CONSTANT_STRING_type_check(const char *s); 155 | char _RTL_CONSTANT_STRING_type_check(const WCHAR *s); 156 | // __typeof would be desirable here instead of sizeof. 157 | template class _RTL_CONSTANT_STRING_remove_const_template_class; 158 | template <> class _RTL_CONSTANT_STRING_remove_const_template_class {public: typedef char T; }; 159 | template <> class _RTL_CONSTANT_STRING_remove_const_template_class {public: typedef WCHAR T; }; 160 | #define _RTL_CONSTANT_STRING_remove_const_macro(s) \ 161 | (const_cast<_RTL_CONSTANT_STRING_remove_const_template_class::T*>(s)) 162 | } 163 | #else 164 | char _RTL_CONSTANT_STRING_type_check(const void *s); 165 | #define _RTL_CONSTANT_STRING_remove_const_macro(s) (s) 166 | #endif 167 | #define RTL_CONSTANT_STRING(s) \ 168 | { \ 169 | sizeof( s ) - sizeof( (s)[0] ), \ 170 | sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \ 171 | _RTL_CONSTANT_STRING_remove_const_macro(s) \ 172 | } 173 | 174 | // Balanced tree node 175 | 176 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 177 | 178 | typedef struct _RTL_BALANCED_NODE 179 | { 180 | union 181 | { 182 | struct _RTL_BALANCED_NODE *Children[2]; 183 | struct 184 | { 185 | struct _RTL_BALANCED_NODE *Left; 186 | struct _RTL_BALANCED_NODE *Right; 187 | }; 188 | }; 189 | union 190 | { 191 | UCHAR Red : 1; 192 | UCHAR Balance : 2; 193 | ULONG_PTR ParentValue; 194 | }; 195 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 196 | 197 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \ 198 | ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) 199 | 200 | // Portability 201 | 202 | typedef struct _SINGLE_LIST_ENTRY32 203 | { 204 | ULONG Next; 205 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; 206 | 207 | typedef struct _STRING32 208 | { 209 | USHORT Length; 210 | USHORT MaximumLength; 211 | ULONG Buffer; 212 | } STRING32, *PSTRING32; 213 | 214 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; 215 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32; 216 | 217 | typedef struct _STRING64 218 | { 219 | USHORT Length; 220 | USHORT MaximumLength; 221 | ULONGLONG Buffer; 222 | } STRING64, *PSTRING64; 223 | 224 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; 225 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64; 226 | 227 | // Object attributes 228 | 229 | #define OBJ_PROTECT_CLOSE 0x00000001 230 | #define OBJ_INHERIT 0x00000002 231 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 232 | #define OBJ_PERMANENT 0x00000010 233 | #define OBJ_EXCLUSIVE 0x00000020 234 | #define OBJ_CASE_INSENSITIVE 0x00000040 235 | #define OBJ_OPENIF 0x00000080 236 | #define OBJ_OPENLINK 0x00000100 237 | #define OBJ_KERNEL_HANDLE 0x00000200 238 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 239 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800 240 | #define OBJ_DONT_REPARSE 0x00001000 241 | #define OBJ_VALID_ATTRIBUTES 0x00001ff2 242 | 243 | typedef struct _OBJECT_ATTRIBUTES 244 | { 245 | ULONG Length; 246 | HANDLE RootDirectory; 247 | PUNICODE_STRING ObjectName; 248 | ULONG Attributes; 249 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; 250 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE 251 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 252 | 253 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; 254 | 255 | #define InitializeObjectAttributes(p, n, a, r, s) { \ 256 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ 257 | (p)->RootDirectory = r; \ 258 | (p)->Attributes = a; \ 259 | (p)->ObjectName = n; \ 260 | (p)->SecurityDescriptor = s; \ 261 | (p)->SecurityQualityOfService = NULL; \ 262 | } 263 | 264 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } 265 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) 266 | 267 | #define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') 268 | #define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/') 269 | 270 | // Portability 271 | 272 | typedef struct _OBJECT_ATTRIBUTES64 273 | { 274 | ULONG Length; 275 | ULONG64 RootDirectory; 276 | ULONG64 ObjectName; 277 | ULONG Attributes; 278 | ULONG64 SecurityDescriptor; 279 | ULONG64 SecurityQualityOfService; 280 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; 281 | 282 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; 283 | 284 | typedef struct _OBJECT_ATTRIBUTES32 285 | { 286 | ULONG Length; 287 | ULONG RootDirectory; 288 | ULONG ObjectName; 289 | ULONG Attributes; 290 | ULONG SecurityDescriptor; 291 | ULONG SecurityQualityOfService; 292 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 293 | 294 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 295 | 296 | // Product types 297 | 298 | typedef enum _NT_PRODUCT_TYPE 299 | { 300 | NtProductWinNt = 1, 301 | NtProductLanManNt, 302 | NtProductServer 303 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 304 | 305 | typedef enum _SUITE_TYPE 306 | { 307 | SmallBusiness, 308 | Enterprise, 309 | BackOffice, 310 | CommunicationServer, 311 | TerminalServer, 312 | SmallBusinessRestricted, 313 | EmbeddedNT, 314 | DataCenter, 315 | SingleUserTS, 316 | Personal, 317 | Blade, 318 | EmbeddedRestricted, 319 | SecurityAppliance, 320 | StorageServer, 321 | ComputeServer, 322 | WHServer, 323 | PhoneNT, 324 | MaxSuiteType 325 | } SUITE_TYPE; 326 | 327 | // Specific 328 | 329 | typedef struct _CLIENT_ID 330 | { 331 | HANDLE UniqueProcess; 332 | HANDLE UniqueThread; 333 | } CLIENT_ID, *PCLIENT_ID; 334 | 335 | typedef struct _CLIENT_ID32 336 | { 337 | ULONG UniqueProcess; 338 | ULONG UniqueThread; 339 | } CLIENT_ID32, *PCLIENT_ID32; 340 | 341 | typedef struct _CLIENT_ID64 342 | { 343 | ULONGLONG UniqueProcess; 344 | ULONGLONG UniqueThread; 345 | } CLIENT_ID64, *PCLIENT_ID64; 346 | 347 | #include 348 | 349 | typedef struct _KSYSTEM_TIME 350 | { 351 | ULONG LowPart; 352 | LONG High1Time; 353 | LONG High2Time; 354 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 355 | 356 | #include 357 | 358 | // NT macros used to test, set and clear flags 359 | #ifndef FlagOn 360 | #define FlagOn(_F, _SF) ((_F) & (_SF)) 361 | #endif 362 | #ifndef BooleanFlagOn 363 | #define BooleanFlagOn(F, SF) ((BOOLEAN)(((F) & (SF)) != 0)) 364 | #endif 365 | #ifndef SetFlag 366 | #define SetFlag(_F, _SF) ((_F) |= (_SF)) 367 | #endif 368 | #ifndef ClearFlag 369 | #define ClearFlag(_F, _SF) ((_F) &= ~(_SF)) 370 | #endif 371 | 372 | #endif 373 | 374 | #endif 375 | -------------------------------------------------------------------------------- /pnth/phnt_windows.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _PHNT_WINDOWS_H 13 | #define _PHNT_WINDOWS_H 14 | 15 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 16 | 17 | #ifndef __cplusplus 18 | #ifndef CINTERFACE 19 | #define CINTERFACE 20 | #endif 21 | 22 | #ifndef COBJMACROS 23 | #define COBJMACROS 24 | #endif 25 | #endif 26 | 27 | #ifndef INITGUID 28 | #define INITGUID 29 | #endif 30 | 31 | #ifndef WIN32_LEAN_AND_MEAN 32 | #define WIN32_LEAN_AND_MEAN 33 | #endif 34 | 35 | #ifndef WIN32_NO_STATUS 36 | #define WIN32_NO_STATUS 37 | #endif 38 | 39 | #ifndef __cplusplus 40 | // This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. (dmex) 41 | #ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 42 | #define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0 43 | #endif 44 | #endif 45 | 46 | #include 47 | #include 48 | #undef WIN32_NO_STATUS 49 | #include 50 | #include 51 | 52 | typedef double DOUBLE; 53 | typedef GUID *PGUID; 54 | 55 | // Desktop access rights 56 | #define DESKTOP_ALL_ACCESS \ 57 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 58 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 59 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 60 | STANDARD_RIGHTS_REQUIRED) 61 | #define DESKTOP_GENERIC_READ \ 62 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 63 | #define DESKTOP_GENERIC_WRITE \ 64 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 65 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 66 | STANDARD_RIGHTS_WRITE) 67 | #define DESKTOP_GENERIC_EXECUTE \ 68 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 69 | 70 | // Window station access rights 71 | #define WINSTA_GENERIC_READ \ 72 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 73 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 74 | #define WINSTA_GENERIC_WRITE \ 75 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 76 | STANDARD_RIGHTS_WRITE) 77 | #define WINSTA_GENERIC_EXECUTE \ 78 | (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 79 | 80 | // WMI access rights 81 | #define WMIGUID_GENERIC_READ \ 82 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 83 | STANDARD_RIGHTS_READ) 84 | #define WMIGUID_GENERIC_WRITE \ 85 | (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 86 | STANDARD_RIGHTS_WRITE) 87 | #define WMIGUID_GENERIC_EXECUTE \ 88 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 89 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 90 | STANDARD_RIGHTS_EXECUTE) 91 | 92 | #endif 93 | -------------------------------------------------------------------------------- /pnth/rtlframe.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | struct _RTL_FRAME : TEB_ACTIVE_FRAME 4 | { 5 | _RTL_FRAME(const TEB_ACTIVE_FRAME_CONTEXT* ctx) 6 | { 7 | Context = ctx; 8 | Flags = 0; 9 | RtlPushFrame(this); 10 | } 11 | 12 | ~_RTL_FRAME() 13 | { 14 | RtlPopFrame(this); 15 | } 16 | 17 | static TEB_ACTIVE_FRAME* get(const TEB_ACTIVE_FRAME_CONTEXT* ctx) 18 | { 19 | if (TEB_ACTIVE_FRAME* prf = RtlGetFrame()) 20 | { 21 | do 22 | { 23 | if (prf->Context == ctx) return prf; 24 | } while (prf = prf->Previous); 25 | } 26 | 27 | return 0; 28 | } 29 | }; 30 | 31 | template 32 | struct RTL_FRAME : public _RTL_FRAME, public Base 33 | { 34 | static const TEB_ACTIVE_FRAME_CONTEXT* getContext() 35 | { 36 | static const TEB_ACTIVE_FRAME_CONTEXT s = { 0, __FUNCDNAME__ }; 37 | return &s; 38 | } 39 | 40 | template 41 | RTL_FRAME(Types... args) : Base(args...), _RTL_FRAME(getContext()) 42 | { 43 | } 44 | 45 | static Base* get() 46 | { 47 | #ifdef _PRINT_CPP_NAMES_ 48 | __pragma(message("; " __FUNCSIG__ "\r\nextern " __FUNCDNAME__ " : PROC")) 49 | #endif 50 | return static_cast(_RTL_FRAME::get(getContext())); 51 | } 52 | }; 53 | -------------------------------------------------------------------------------- /pnth/subprocesstag.h: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ 3 | * 4 | * You can redistribute this file and/or modify it under the terms of the 5 | * Attribution 4.0 International (CC BY 4.0) license. 6 | * 7 | * You must give appropriate credit, provide a link to the license, and 8 | * indicate if changes were made. You may do so in any reasonable manner, but 9 | * not in any way that suggests the licensor endorses you or your use. 10 | */ 11 | 12 | #ifndef _SUBPROCESSTAG_H 13 | #define _SUBPROCESSTAG_H 14 | 15 | typedef enum _TAG_INFO_LEVEL 16 | { 17 | eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG 18 | eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE 19 | eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING 20 | eTagInfoLevelMax 21 | } TAG_INFO_LEVEL; 22 | 23 | typedef enum _TAG_TYPE 24 | { 25 | eTagTypeService = 1, 26 | eTagTypeMax 27 | } TAG_TYPE; 28 | 29 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS 30 | { 31 | ULONG dwPid; 32 | ULONG dwTag; 33 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS; 34 | 35 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS 36 | { 37 | ULONG eTagType; 38 | PWSTR pszName; 39 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS; 40 | 41 | typedef struct _TAG_INFO_NAME_FROM_TAG 42 | { 43 | TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams; 44 | TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams; 45 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG; 46 | 47 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS 48 | { 49 | ULONG dwPid; 50 | PWSTR pszModule; 51 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS; 52 | 53 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS 54 | { 55 | ULONG eTagType; 56 | PWSTR pmszNames; 57 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS; 58 | 59 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE 60 | { 61 | TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams; 62 | TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams; 63 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE; 64 | 65 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS 66 | { 67 | ULONG dwPid; 68 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS; 69 | 70 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT 71 | { 72 | ULONG eTagType; 73 | ULONG dwTag; 74 | PWSTR pszName; 75 | PWSTR pszGroupName; 76 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT; 77 | 78 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS 79 | { 80 | ULONG cElements; 81 | PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements; 82 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS; 83 | 84 | typedef struct _TAG_INFO_NAME_TAG_MAPPING 85 | { 86 | TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams; 87 | PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams; 88 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING; 89 | 90 | _Must_inspect_result_ 91 | ULONG 92 | WINAPI 93 | I_QueryTagInformation( 94 | _In_opt_ PCWSTR MachineName, 95 | _In_ TAG_INFO_LEVEL InfoLevel, 96 | _Inout_ PVOID TagInfo 97 | ); 98 | 99 | typedef ULONG (WINAPI *PQUERY_TAG_INFORMATION)( 100 | _In_opt_ PCWSTR MachineName, 101 | _In_ TAG_INFO_LEVEL InfoLevel, 102 | _Inout_ PVOID TagInfo 103 | ); 104 | 105 | #endif 106 | -------------------------------------------------------------------------------- /src/.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | True 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/.rc2: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////////////////// 2 | // 3 | // RT_MANIFEST 4 | // 5 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 6 | 7 | CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST ".manifest" 8 | 9 | 1 ICON "regedit.ico" 10 | -------------------------------------------------------------------------------- /src/Clone.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/RtlClone/a966a2e3de42025810f5649ed061b7c8e0ae5ad6/src/Clone.rc -------------------------------------------------------------------------------- /src/Clone.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | Win32 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 16.0 15 | Win32Proj 16 | {99b006c0-3a27-3a3c-6588-6c86bd57a80d} 17 | Clone 18 | 10.0 19 | $(SolutionDir)MSBuild\v4.0 20 | 21 | 22 | 23 | Application 24 | false 25 | v143 26 | Unicode 27 | true 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | Level4 37 | true 38 | %(PreprocessorDefinitions) 39 | MaxSpeed 40 | false 41 | $(SolutionDir)pnth 42 | 43 | 44 | Windows 45 | true 46 | true 47 | true 48 | false 49 | ep 50 | comctl32.lib;%(AdditionalDependencies) 51 | /EMITPOGOPHASEINFO /EMITVOLATILEMETADATA:NO %(AdditionalOptions) 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | Create 62 | 63 | 64 | 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /src/Clone.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | 34 | 35 | Resource Files 36 | 37 | 38 | -------------------------------------------------------------------------------- /src/Clone.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /src/FileName.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "resource.h" 3 | 4 | EXTERN_C_START 5 | 6 | NTSYSAPI 7 | NTSTATUS 8 | NTAPI 9 | RtlPrepareForProcessCloning(); 10 | 11 | NTSYSAPI 12 | NTSTATUS 13 | NTAPI 14 | RtlCompleteProcessCloning(_In_ BOOL bCloned); 15 | 16 | EXTERN_C_END 17 | 18 | int ShowErrorBox(HWND hwnd, NTSTATUS status, PCWSTR lpCaption, UINT uType) 19 | { 20 | int r = 0; 21 | 22 | PWSTR lpText; 23 | if (FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS, 24 | GetModuleHandle(L"ntdll"), status, 0, (PWSTR)&lpText, 0, 0)) 25 | { 26 | r = MessageBoxW(hwnd, lpText, lpCaption, uType); 27 | LocalFree(lpText); 28 | } 29 | 30 | return r; 31 | } 32 | 33 | NTSTATUS CloneUserProcess(_Out_ PHANDLE ProcessHandle, 34 | _Out_ PHANDLE ThreadHandle, 35 | _In_ BOOL bSynchronize, 36 | _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* 37 | _In_ ULONG ThreadFlags // THREAD_CREATE_FLAGS_* 38 | ) 39 | { 40 | NTSTATUS status = bSynchronize ? RtlPrepareForProcessCloning() : STATUS_SUCCESS; 41 | 42 | if (0 <= status) 43 | { 44 | PS_CREATE_INFO createInfo = { sizeof(createInfo) }; 45 | 46 | status = NtCreateUserProcess(ProcessHandle, 47 | ThreadHandle, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS, NULL, NULL, 48 | ProcessFlags, ThreadFlags, NULL, &createInfo, NULL); 49 | 50 | if (IsDebuggerPresent()) __debugbreak(); 51 | 52 | if (bSynchronize) RtlCompleteProcessCloning(STATUS_PROCESS_CLONED == status); 53 | } 54 | 55 | return status; 56 | } 57 | 58 | NTSTATUS OpenSection(_Out_ PHANDLE SectionHandle, _In_ PCWSTR lpLibFileName) 59 | { 60 | int len = 0; 61 | PWSTR buf = 0; 62 | 63 | while (0 < (len = _snwprintf(buf, len, L"\\KnownDlls\\%s", lpLibFileName))) 64 | { 65 | if (buf) 66 | { 67 | UNICODE_STRING ObjectName; 68 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE }; 69 | RtlInitUnicodeString(&ObjectName, buf); 70 | 71 | return NtOpenSection(SectionHandle, SECTION_MAP_EXECUTE, &oa); 72 | } 73 | 74 | buf = (PWSTR)alloca(++len * sizeof(WCHAR)); 75 | } 76 | 77 | return STATUS_INTERNAL_ERROR; 78 | } 79 | 80 | NTSTATUS CreateSection(_Out_ PHANDLE SectionHandle, _In_ PCWSTR lpLibFileName) 81 | { 82 | int len = 0; 83 | PWSTR buf = 0; 84 | 85 | while (0 < (len = _snwprintf(buf, len, L"\\systemroot\\system32\\%s", lpLibFileName))) 86 | { 87 | if (buf) 88 | { 89 | UNICODE_STRING ObjectName; 90 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE }; 91 | RtlInitUnicodeString(&ObjectName, buf); 92 | 93 | HANDLE hFile; 94 | IO_STATUS_BLOCK iosb; 95 | NTSTATUS status = NtOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT); 96 | 97 | if (0 <= status) 98 | { 99 | status = NtCreateSection(SectionHandle, SECTION_MAP_EXECUTE, 0, 0, PAGE_EXECUTE, SEC_IMAGE, hFile); 100 | NtClose(hFile); 101 | } 102 | 103 | return status; 104 | } 105 | 106 | buf = (PWSTR)alloca(++len * sizeof(WCHAR)); 107 | } 108 | 109 | return STATUS_INTERNAL_ERROR; 110 | } 111 | 112 | NTSTATUS CreateOrOpenSection(_Out_ PHANDLE SectionHandle, _In_ PCWSTR lpLibFileName) 113 | { 114 | NTSTATUS status = OpenSection(SectionHandle, lpLibFileName); 115 | return 0 > status ? CreateSection(SectionHandle, lpLibFileName) : STATUS_SUCCESS; 116 | } 117 | 118 | struct BAS { 119 | PVOID BaseAddress; 120 | NTSTATUS status; 121 | }; 122 | 123 | void NTAPI OnApc( 124 | _In_opt_ PVOID ApcArgument1, 125 | _In_opt_ PVOID ApcArgument2, 126 | _In_opt_ PVOID ApcArgument3) 127 | { 128 | reinterpret_cast(ApcArgument1)->BaseAddress = ApcArgument2; 129 | reinterpret_cast(ApcArgument1)->status = (NTSTATUS)(ULONG_PTR)ApcArgument3; 130 | } 131 | 132 | NTSTATUS NotifyParent(_In_ HANDLE hThread, _In_ PVOID BaseAddress, _In_ BAS* p, NTSTATUS status) 133 | { 134 | return NtQueueApcThread(hThread, OnApc, p, BaseAddress, (PVOID)(ULONG_PTR)status); 135 | } 136 | 137 | NTSTATUS DoRemoteMap( 138 | _In_ PCWSTR lpLibFileName, 139 | _In_ PCLIENT_ID ClientId, 140 | _In_ HANDLE hThread, 141 | _In_ BAS* p) 142 | { 143 | HANDLE hProcess, hSection; 144 | 145 | BOOL bPost = FALSE; 146 | 147 | NTSTATUS status; 148 | 149 | OBJECT_ATTRIBUTES oa = { sizeof(oa) }; 150 | 151 | if (0 <= (status = NtOpenProcess(&hProcess, PROCESS_VM_OPERATION, &oa, ClientId))) 152 | { 153 | if (0 <= (status = CreateOrOpenSection(&hSection, lpLibFileName))) 154 | { 155 | SIZE_T ViewSize = 0; 156 | PVOID BaseAddress = 0; 157 | 158 | ////////////////////////////////////////////////////////////////////////// 159 | // 160 | // ERROR: Unable to find system process **** 161 | // ERROR: The process being debugged has either exited or cannot be accessed 162 | // ERROR: Many commands will not work properly 163 | // ERROR: Module load event for unknown process 164 | // 165 | ////////////////////////////////////////////////////////////////////////// 166 | 167 | status = ZwMapViewOfSection(hSection, hProcess, &BaseAddress, 168 | 0, 0, 0, &ViewSize, ViewShare, 0, PAGE_EXECUTE); 169 | 170 | NtClose(hSection); 171 | 172 | if (0 <= status) 173 | { 174 | bPost = TRUE; 175 | 176 | if (0 > (status = NotifyParent(hThread, BaseAddress, p, status))) 177 | { 178 | ZwUnmapViewOfSection(hProcess, BaseAddress); 179 | } 180 | } 181 | } 182 | 183 | NtClose(hProcess); 184 | } 185 | 186 | if (!bPost) NotifyParent(hThread, 0, p, status); 187 | 188 | return status; 189 | } 190 | 191 | NTSTATUS DoRemoteUnMap( 192 | _In_ PVOID BaseAddress, 193 | _In_ PCLIENT_ID ClientId, 194 | _In_ HANDLE hThread, 195 | _In_ BAS* p) 196 | { 197 | HANDLE hProcess; 198 | 199 | NTSTATUS status; 200 | 201 | OBJECT_ATTRIBUTES oa = { sizeof(oa) }; 202 | 203 | if (0 <= (status = NtOpenProcess(&hProcess, PROCESS_VM_OPERATION, &oa, ClientId))) 204 | { 205 | status = ZwUnmapViewOfSection(hProcess, BaseAddress); 206 | 207 | NtClose(hProcess); 208 | } 209 | 210 | NotifyParent(hThread, BaseAddress, p, status); 211 | 212 | return status; 213 | } 214 | 215 | NTSTATUS OpenParentThread(_Out_ PHANDLE ThreadHandle, 216 | _In_ ACCESS_MASK DesiredAccess, 217 | _In_ PCLIENT_ID ClientId) 218 | /* 219 | thread with ClientId must be created *before* current thread 220 | */ 221 | { 222 | NTSTATUS status; 223 | KERNEL_USER_TIMES kut, my_kut; 224 | 225 | if (0 <= (status = NtQueryInformationThread(NtCurrentThread(), ThreadTimes, &my_kut, sizeof(my_kut), 0))) 226 | { 227 | HANDLE hThread; 228 | OBJECT_ATTRIBUTES oa = { sizeof(oa) }; 229 | 230 | if (0 <= (status = NtOpenThread(&hThread, DesiredAccess|THREAD_QUERY_LIMITED_INFORMATION, &oa, ClientId))) 231 | { 232 | if (0 <= (status = NtQueryInformationThread(hThread, ThreadTimes, &kut, sizeof(kut), 0))) 233 | { 234 | if (kut.CreateTime.QuadPart <= my_kut.CreateTime.QuadPart) 235 | { 236 | *ThreadHandle = hThread; 237 | return STATUS_SUCCESS; 238 | } 239 | 240 | // original thread terminated and other thread reuse it id 241 | status = STATUS_INVALID_CID; 242 | } 243 | 244 | NtClose(hThread); 245 | } 246 | } 247 | 248 | return status; 249 | } 250 | 251 | NTSTATUS fork(_In_ HWND hwnd, _In_ PCWSTR lpLibFileName = 0, _In_ PVOID BaseAddress = 0, _In_ int index = -1) 252 | { 253 | HANDLE hProcess, hThread; 254 | 255 | BAS ba { 0, STATUS_UNSUCCESSFUL }; 256 | 257 | CLIENT_ID cid = { (HANDLE)(ULONG_PTR)GetCurrentProcessId(), (HANDLE)(ULONG_PTR)GetCurrentThreadId() }; 258 | 259 | NTSTATUS status = CloneUserProcess(&hProcess, &hThread, TRUE, 0, 0); 260 | 261 | if (STATUS_PROCESS_CLONED == status) 262 | { 263 | // ++ cloned process 264 | 265 | if (0 <= (status = OpenParentThread(&hThread, THREAD_ALERT|THREAD_SET_CONTEXT, &cid))) 266 | { 267 | status = BaseAddress ? DoRemoteUnMap(BaseAddress, &cid, hThread, &ba) : 268 | lpLibFileName ? DoRemoteMap(lpLibFileName, &cid, hThread, &ba) : NtAlertThread(hThread); 269 | 270 | NtClose(hThread); 271 | } 272 | 273 | NtTerminateProcess(NtCurrentProcess(), status); 274 | 275 | // -- cloned process 276 | } 277 | 278 | if (0 <= status) 279 | { 280 | NtClose(hThread); 281 | 282 | status = NtWaitForSingleObject(hProcess, TRUE, 0); 283 | 284 | NtClose(hProcess); 285 | 286 | if (STATUS_USER_APC == status) 287 | { 288 | if (0 > ba.status) 289 | { 290 | ShowErrorBox(hwnd, ba.status, lpLibFileName, MB_ICONHAND); 291 | } 292 | else 293 | { 294 | WCHAR msg[0x40]; 295 | HWND hwndCB = GetDlgItem(hwnd, IDC_COMBO1); 296 | 297 | if (BaseAddress) 298 | { 299 | if (0 <= (index = ComboBox_DeleteString(hwndCB, index))) 300 | { 301 | ComboBox_SetCurSel(hwndCB, index - 1); 302 | 303 | if (!index) 304 | { 305 | EnableWindow(GetDlgItem(hwnd, IDC_BUTTON4), FALSE); 306 | } 307 | } 308 | swprintf_s(msg, _countof(msg), L"unload at %p", BaseAddress); 309 | } 310 | else if (lpLibFileName) 311 | { 312 | swprintf_s(msg, _countof(msg), L"mapped at %p", ba.BaseAddress); 313 | 314 | if (0 <= (index = ComboBox_AddString(hwndCB, msg + _countof("mapped at")))) 315 | { 316 | ComboBox_SetItemData(hwndCB, index, ba.BaseAddress); 317 | ComboBox_SetCurSel(hwndCB, index); 318 | 319 | if (!index) EnableWindow(GetDlgItem(hwnd, IDC_BUTTON4), TRUE); 320 | } 321 | } 322 | MessageBoxW(hwnd, msg, lpLibFileName, MB_ICONINFORMATION); 323 | } 324 | } 325 | } 326 | 327 | return status; 328 | } 329 | 330 | NTSTATUS fork() 331 | { 332 | HANDLE hProcess, hThread, hEvent; 333 | 334 | OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, OBJ_INHERIT }; 335 | 336 | NTSTATUS status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &oa, NotificationEvent, FALSE); 337 | 338 | if (0 <= status) 339 | { 340 | status = CloneUserProcess(&hProcess, &hThread, TRUE, PROCESS_CREATE_FLAGS_INHERIT_HANDLES, 0); 341 | 342 | if (STATUS_PROCESS_CLONED == status) 343 | { 344 | // ++ cloned process 345 | status = NtSetEvent(hEvent, 0); 346 | NtClose(hEvent); 347 | NtTerminateProcess(NtCurrentProcess(), status); 348 | // -- cloned process 349 | } 350 | 351 | if (0 <= status) 352 | { 353 | NtClose(hThread); 354 | 355 | HANDLE Handles[2] = { hProcess, hEvent }; 356 | // really possible raise, if NtTerminateProcess will be called before NtWaitForMultipleObjects 357 | // will be STATUS_WAIT_0 instead STATUS_WAIT_1 (both hEvent and hProcess is signaled) 358 | status = NtWaitForMultipleObjects(_countof(Handles), Handles, WaitAny, TRUE, 0); 359 | 360 | NtClose(hProcess); 361 | } 362 | 363 | NtClose(hEvent); 364 | } 365 | 366 | return status; 367 | } 368 | 369 | NTSTATUS OnCmd(HWND hwnd, WPARAM wParam, LPARAM lParam) 370 | { 371 | switch (wParam) 372 | { 373 | case MAKEWPARAM(IDC_BUTTON1, BN_CLICKED): 374 | return fork(); 375 | 376 | case MAKEWPARAM(IDC_BUTTON2, BN_CLICKED): 377 | return fork(0); 378 | 379 | case MAKEWPARAM(IDC_BUTTON3, BN_CLICKED): 380 | lParam = (LPARAM)alloca(0x100*sizeof(WCHAR)); 381 | if (GetDlgItemTextW(hwnd, IDC_EDIT1, (PWSTR)lParam, 0x100)) 382 | { 383 | return fork(hwnd, (PWSTR)lParam); 384 | } 385 | break; 386 | 387 | case MAKEWPARAM(IDC_BUTTON4, BN_CLICKED): 388 | if (0 <= (lParam = ComboBox_GetCurSel(GetDlgItem(hwnd, IDC_COMBO1)))) 389 | { 390 | fork(hwnd, 0, (PVOID)ComboBox_GetItemData(GetDlgItem(hwnd, IDC_COMBO1), lParam), (int)lParam); 391 | } 392 | break; 393 | 394 | case IDCANCEL: 395 | EndDialog(hwnd, 0); 396 | break; 397 | 398 | case MAKEWPARAM(IDC_EDIT1, EN_CHANGE): 399 | EnableWindow(GetDlgItem(hwnd, IDC_BUTTON3), GetWindowTextLengthW((HWND)lParam)); 400 | break; 401 | 402 | case MAKEWPARAM(IDC_COMBO1, CBN_SELCHANGE): 403 | EnableWindow(GetDlgItem(hwnd, IDC_BUTTON4), 0 <= ComboBox_GetCurSel((HWND)lParam)); 404 | break; 405 | } 406 | 407 | return STATUS_MORE_PROCESSING_REQUIRED; 408 | } 409 | 410 | INT_PTR CALLBACK DlgProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) 411 | { 412 | switch (uMsg) 413 | { 414 | case WM_COMMAND: 415 | switch (NTSTATUS status = OnCmd(hwnd, wParam, lParam)) 416 | { 417 | case STATUS_MORE_PROCESSING_REQUIRED: 418 | break; 419 | default: 420 | ShowErrorBox(hwnd, status, L"Result:", MB_ICONINFORMATION); 421 | } 422 | break; 423 | 424 | case WM_INITDIALOG: 425 | SendDlgItemMessageW(hwnd, IDC_EDIT1, EM_SETCUEBANNER, TRUE, (LPARAM)L"enter from %windir%\\system32"); 426 | break; 427 | } 428 | 429 | return 0; 430 | } 431 | 432 | void WINAPI ep(void* ) 433 | { 434 | ExitProcess((UINT)DialogBoxParamW((HINSTANCE)&__ImageBase, MAKEINTRESOURCE(IDD_DIALOG1), 0, DlgProc, 0)); 435 | } -------------------------------------------------------------------------------- /src/regedit.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/RtlClone/a966a2e3de42025810f5649ed061b7c8e0ae5ad6/src/regedit.ico -------------------------------------------------------------------------------- /src/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by Clone.rc 4 | // 5 | #define VS_VERSION_INFO 1 6 | #define IDD_DIALOG1 101 7 | #define IDC_BUTTON1 1001 8 | #define IDC_BUTTON2 1002 9 | #define IDC_BUTTON3 1003 10 | #define IDC_BUTTON4 1005 11 | #define IDC_EDIT1 1004 12 | #define IDC_COMBO1 1006 13 | 14 | // Next default values for new objects 15 | // 16 | #ifdef APSTUDIO_INVOKED 17 | #ifndef APSTUDIO_READONLY_SYMBOLS 18 | #define _APS_NEXT_RESOURCE_VALUE 103 19 | #define _APS_NEXT_COMMAND_VALUE 40001 20 | #define _APS_NEXT_CONTROL_VALUE 1007 21 | #define _APS_NEXT_SYMED_VALUE 101 22 | #endif 23 | #endif 24 | -------------------------------------------------------------------------------- /src/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | void* __cdecl operator new[](size_t ByteSize) 4 | { 5 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 6 | } 7 | 8 | void* __cdecl operator new(size_t ByteSize) 9 | { 10 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 11 | } 12 | 13 | void __cdecl operator delete(void* Buffer) 14 | { 15 | HeapFree(GetProcessHeap(), 0, Buffer); 16 | } 17 | 18 | void __cdecl operator delete(void* Buffer, size_t) 19 | { 20 | HeapFree(GetProcessHeap(), 0, Buffer); 21 | } 22 | 23 | void __cdecl operator delete[](void* Buffer) 24 | { 25 | HeapFree(GetProcessHeap(), 0, Buffer); 26 | } 27 | 28 | void __cdecl operator delete[](void* Buffer, size_t) 29 | { 30 | HeapFree(GetProcessHeap(), 0, Buffer); 31 | } -------------------------------------------------------------------------------- /src/stdafx.h: -------------------------------------------------------------------------------- 1 | #define DECLSPEC_DEPRECATED_DDK 2 | 3 | #define _CRT_SECURE_NO_DEPRECATE 4 | #define _CRT_NON_CONFORMING_SWPRINTFS 5 | #define _NO_CRT_STDIO_INLINE 6 | #define _CRT_SECURE_CPP_OVERLOAD_SECURE_NAMES 0 7 | #define _ALLOW_COMPILER_AND_STL_VERSION_MISMATCH 8 | #define __EDG__ 9 | #define USE_ATL_THUNK2 10 | 11 | #define _CRTIMP_ALT __declspec(dllimport) 12 | 13 | #define CMSG_SIGNED_ENCODE_INFO_HAS_CMS_FIELDS 14 | #define CMSG_SIGNER_ENCODE_INFO_HAS_CMS_FIELDS 15 | #define CRYPT_OID_INFO_HAS_EXTRA_FIELDS 16 | 17 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4392 4480 4530 4706 5040) 18 | #include 19 | //#include 20 | #include 21 | #include 22 | 23 | #include 24 | #include 25 | #include 26 | #undef WIN32_NO_STATUS 27 | #include 28 | #include 29 | #include 30 | 31 | //#include 32 | //#include 33 | 34 | EXTERN_C IMAGE_DOS_HEADER __ImageBase; 35 | 36 | #ifndef PHNT_MODE 37 | #define PHNT_MODE PHNT_MODE_USER 38 | #endif 39 | 40 | #ifndef PHNT_VERSION 41 | #define PHNT_VERSION PHNT_WIN11_22H2 42 | #endif 43 | 44 | #define _NTLSA_ 45 | 46 | #if PHNT_MODE == PHNT_MODE_USER 47 | #define SECURITY_WIN32 48 | #endif 49 | 50 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4471 4480 4530 4706 5040) 51 | 52 | typedef GUID* PGUID; 53 | 54 | #define PHNT_NO_INLINE_INIT_STRING 55 | #include "phnt.h" 56 | 57 | #pragma warning(default : 4392) -------------------------------------------------------------------------------- /x64/Release/Clone.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/RtlClone/a966a2e3de42025810f5649ed061b7c8e0ae5ad6/x64/Release/Clone.exe -------------------------------------------------------------------------------- /x64/Release/SkipPsNotify.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/RtlClone/a966a2e3de42025810f5649ed061b7c8e0ae5ad6/x64/Release/SkipPsNotify.exe --------------------------------------------------------------------------------