├── .gitignore
├── LICENSE
├── NtdllLib.sln
├── README.md
├── include
    └── ntdlllib
    │   ├── all.h
    │   ├── csrss.h
    │   ├── ntdll.h
    │   ├── ntdllapi.h
    │   ├── ntdllfiles.h
    │   ├── ntdllobj.h
    │   ├── ntdllutil.h
    │   ├── ntstatus.h
    │   └── ntuser.h
├── lib
    ├── Win32
    │   ├── ntdlllib_md.lib
    │   ├── ntdlllib_mdd.lib
    │   ├── ntdlllib_mt.lib
    │   └── ntdlllib_mtd.lib
    └── x64
    │   ├── ntdlllib_md.lib
    │   ├── ntdlllib_mdd.lib
    │   ├── ntdlllib_mt.lib
    │   └── ntdlllib_mtd.lib
├── project
    ├── ntdlllib
    │   ├── NtdllLib.vcxproj
    │   └── NtdllLib.vcxproj.filters
    └── ntdlllibtest
    │   ├── NtdllLibTest.vcxproj
    │   └── NtdllLibTest.vcxproj.filters
└── source
    ├── ntdlllib
        ├── ntdllapi.cpp
        ├── ntdllfiles.cpp
        ├── ntdllutil.cpp
        └── ntllobj.cpp
    └── ntdlllibtest
        └── ntdlllibtest.cpp


/.gitignore:
--------------------------------------------------------------------------------
1 | *.sdf
2 | *.suo
3 | *.opensdf
4 | ipch
5 | _mediate
6 | *.user
7 | bin


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Shin Hee Sik
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/NtdllLib.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 2013
 4 | VisualStudioVersion = 12.0.31101.0
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtdllLib", "project\ntdlllib\NtdllLib.vcxproj", "{D667E75F-479E-4410-BD73-DEADEB70857B}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtdllLibTest", "project\ntdlllibtest\NtdllLibTest.vcxproj", "{44EB7939-94CF-444E-BC99-B59AE4488549}"
 9 | 	ProjectSection(ProjectDependencies) = postProject
10 | 		{D667E75F-479E-4410-BD73-DEADEB70857B} = {D667E75F-479E-4410-BD73-DEADEB70857B}
11 | 	EndProjectSection
12 | EndProject
13 | Global
14 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | 		Debug DLL|Win32 = Debug DLL|Win32
16 | 		Debug DLL|x64 = Debug DLL|x64
17 | 		Debug|Win32 = Debug|Win32
18 | 		Debug|x64 = Debug|x64
19 | 		Release DLL|Win32 = Release DLL|Win32
20 | 		Release DLL|x64 = Release DLL|x64
21 | 		Release|Win32 = Release|Win32
22 | 		Release|x64 = Release|x64
23 | 	EndGlobalSection
24 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
25 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug DLL|Win32.ActiveCfg = Debug DLL|Win32
26 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug DLL|Win32.Build.0 = Debug DLL|Win32
27 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug DLL|x64.ActiveCfg = Debug DLL|x64
28 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug DLL|x64.Build.0 = Debug DLL|x64
29 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug|Win32.ActiveCfg = Debug|Win32
30 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug|Win32.Build.0 = Debug|Win32
31 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug|x64.ActiveCfg = Debug|x64
32 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Debug|x64.Build.0 = Debug|x64
33 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release DLL|Win32.ActiveCfg = Release DLL|Win32
34 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release DLL|Win32.Build.0 = Release DLL|Win32
35 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release DLL|x64.ActiveCfg = Release DLL|x64
36 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release DLL|x64.Build.0 = Release DLL|x64
37 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release|Win32.ActiveCfg = Release|Win32
38 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release|Win32.Build.0 = Release|Win32
39 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release|x64.ActiveCfg = Release|x64
40 | 		{D667E75F-479E-4410-BD73-DEADEB70857B}.Release|x64.Build.0 = Release|x64
41 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Debug DLL|Win32.ActiveCfg = Debug|Win32
42 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Debug DLL|Win32.Build.0 = Debug|Win32
43 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Debug DLL|x64.ActiveCfg = Debug|x64
44 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Debug DLL|x64.Build.0 = Debug|x64
45 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Debug|Win32.ActiveCfg = Debug|Win32
46 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Debug|x64.ActiveCfg = Debug|x64
47 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Release DLL|Win32.ActiveCfg = Release|Win32
48 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Release DLL|Win32.Build.0 = Release|Win32
49 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Release DLL|x64.ActiveCfg = Release|x64
50 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Release DLL|x64.Build.0 = Release|x64
51 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Release|Win32.ActiveCfg = Release|Win32
52 | 		{44EB7939-94CF-444E-BC99-B59AE4488549}.Release|x64.ActiveCfg = Release|x64
53 | 	EndGlobalSection
54 | 	GlobalSection(SolutionProperties) = preSolution
55 | 		HideSolutionNode = FALSE
56 | 	EndGlobalSection
57 | EndGlobal
58 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # windows-ntdll-api-library
 2 | 
 3 | we can use ntdll apis (including exported apis and not exported apids) easily.   
 4 | just link library to your project.
 5 | 
 6 | it will be updated steadily.
 7 | 
 8 | ## How to Use   
 9 | 1. include all.h file.   
10 |   * *include*   
11 |     * /ntdlllib   
12 |       * all.h   
13 | 
14 | 2. add library path (lib/win32 or lib/x64) to additional library dicectory.   
15 | 
16 | 3. automatically link static linking library correctly.   
17 |   * *lib*   
18 |     * /Win32   
19 |       * ntdlllib_md.lib   
20 |       * ntdlllib_mdd.lib   
21 |       * ntdlllib_mt.lib   
22 |       * ntdlllib_mtd.lib   
23 |     * /x64   
24 |       * ntdlllib_md.lib   
25 |       * ntdlllib_mdd.lib   
26 |       * ntdlllib_mt.lib   
27 |       * ntdlllib_mtd.lib   
28 | 
29 | ## Build
30 | * Configure     
31 |   * Debug   
32 |   * Debug DLL   
33 |   * Release   
34 |   * Release DLL   
35 | * Platform   
36 |   * Win32   
37 |   * x64   
38 | * Output File Naming   
39 |   * md - multi thread dll   
40 |   * mt - multi thread   
41 |   * d - debug   
42 | 
43 | ### Tools
44 | visual studio 2013
45 | 
46 | ### License
47 | MIT
48 | 


--------------------------------------------------------------------------------
/include/ntdlllib/all.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #if _MT
 4 | #if _DLL
 5 | #define _crt_opt_str       "_md"
 6 | #else   // #if _DLL
 7 | #define _crt_opt_str       "_mt"
 8 | #endif  // #if _DLL
 9 | #else   // #if _MT
10 | #define _crt_opt_str       ""
11 | #endif  // #if _MT
12 | 
13 | #ifdef _DEBUG
14 | #define _configuration_str "d"
15 | #else
16 | #define _configuration_str ""
17 | #endif
18 | 
19 | #define _lib_filename      "ntdlllib"         \
20 |                            _crt_opt_str       \
21 |                            _configuration_str \
22 |                            ".lib"
23 | 
24 | #pragma comment(lib, _lib_filename)
25 | 
26 | #include <ntdlllib/ntdll.h>
27 | #include <ntdlllib/ntstatus.h>
28 | #include <ntdlllib/ntdllapi.h>
29 | #include <ntdlllib/ntdllutil.h>
30 | #include <ntdlllib/ntdllfiles.h>
31 | #include <ntdlllib/ntdllobj.h>
32 | 
33 | using namespace ntdlllib;


--------------------------------------------------------------------------------
/include/ntdlllib/csrss.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/include/ntdlllib/csrss.h


--------------------------------------------------------------------------------
/include/ntdlllib/ntdll.h:
--------------------------------------------------------------------------------
   1 | #pragma once
   2 | #include <Windows.h>
   3 | 
   4 | #ifndef _WINTERNL_
   5 | #define _WINTERNL_
   6 | #endif
   7 | 
   8 | #ifdef _MSC_VER
   9 |  #pragma pack(push,8)
  10 | #endif //_MSC_VER
  11 | 
  12 | #ifdef __cplusplus
  13 | extern "C" {
  14 | #endif
  15 | 
  16 | #ifndef IN
  17 |  #define IN
  18 | #endif //IN
  19 | 
  20 | #ifndef OUT
  21 |  #define OUT
  22 | #endif //OUT
  23 | 
  24 | #ifndef OPTIONAL
  25 |  #define OPTIONAL
  26 | #endif //OPTIONAL
  27 | 
  28 | #if defined(_M_MRX000) || defined(_M_IX86) || defined(_M_IA64) || defined(_M_AMD64) || defined(_M_ALPHA) || defined(_M_PPC) && !defined(MIDL_PASS)
  29 |  #define DECLSPEC_IMPORT __declspec(dllimport)
  30 | #else
  31 |  #define DECLSPEC_IMPORT
  32 | #endif
  33 | 
  34 | #if defined(_M_MRX000) || defined(_M_IX86) || defined(_M_IA64) || defined(_M_AMD64) || defined(_M_ALPHA) || defined(_M_PPC) && !defined(MIDL_PASS)
  35 |  #define DECLSPEC_EXPORT __declspec(dllexport)
  36 | #else
  37 |  #define DECLSPEC_EXPORT
  38 | #endif
  39 | 
  40 | #if (_MSC_VER>=800) || defined(_STDCALL_SUPPORTED)
  41 |  #define NTAPI __stdcall
  42 | #else
  43 |  #define _cdecl
  44 |  #define NTAPI
  45 | #endif
  46 | 
  47 | #if !defined(_NTSYSTEM_)
  48 |  #define NTSYSAPI DECLSPEC_IMPORT
  49 | #else
  50 |  #define NTSYSAPI DECLSPEC_EXPORT
  51 | #endif
  52 | 
  53 | #ifndef CONST
  54 |  #define CONST               const
  55 | #endif
  56 | 
  57 | #ifndef VOID
  58 |  #define VOID void
  59 |  typedef char CHAR;
  60 |  typedef short SHORT;
  61 |  typedef long LONG;
  62 | #endif
  63 | 
  64 | typedef void *PVOID;    // winnt
  65 | 
  66 | #define FALSE   0
  67 | #define TRUE    1
  68 | 
  69 | #ifndef NULL
  70 |  #ifdef __cplusplus
  71 |   #define NULL    0
  72 |  #else
  73 |   #define NULL    ((void *)0)
  74 |  #endif
  75 | #endif // NULL
  76 | 
  77 | #ifndef _WCHAR_T_DEFINED
  78 |  typedef unsigned short wchar_t;
  79 |  #define _WCHAR_T_DEFINED
  80 | #endif //_WCHAR_T_DEFINED
  81 | 
  82 | typedef wchar_t WCHAR;
  83 | typedef WCHAR *LPWSTR, *PWSTR;
  84 | typedef CONST WCHAR *LPCWSTR, *PCWSTR;
  85 | typedef CHAR *LPSTR, *PSTR, *PCHAR;
  86 | typedef CONST CHAR *LPCSTR, *PCSTR;
  87 | 
  88 | #define UNICODE_NULL ((WCHAR)0) // winnt
  89 | 
  90 | typedef unsigned char UCHAR;
  91 | typedef unsigned short USHORT;
  92 | typedef unsigned long ULONG;
  93 | typedef UCHAR *PUCHAR;
  94 | typedef USHORT *PUSHORT;
  95 | typedef ULONG *PULONG;
  96 | 
  97 | typedef unsigned long       DWORD;
  98 | typedef unsigned char       BYTE;
  99 | typedef unsigned short      WORD;
 100 | typedef void               *LPVOID;
 101 | 
 102 | typedef void *HANDLE;
 103 | typedef HANDLE *PHANDLE;
 104 | typedef UCHAR BOOLEAN;           // winnt
 105 | typedef BOOLEAN *PBOOLEAN;       // winnt
 106 | typedef long NTSTATUS;
 107 | 
 108 | typedef CHAR *PSZ;
 109 | typedef CONST char *PCSZ;
 110 | 
 111 | #ifndef _WINNT_
 112 | 
 113 | typedef struct _LARGE_INTEGER {
 114 |      ULONG LowPart;
 115 |      LONG HighPart;
 116 | } LARGE_INTEGER, *PLARGE_INTEGER;
 117 | 
 118 | typedef struct _ULARGE_INTEGER {
 119 |      ULONG LowPart;
 120 |      ULONG HighPart;
 121 | } ULARGE_INTEGER, *PULARGE_INTEGER;
 122 | 
 123 | typedef LARGE_INTEGER LUID, *PLUID;
 124 | 
 125 | #endif //_WINNT_
 126 | 
 127 | typedef struct _UNICODE_STRING {
 128 |     USHORT Length;
 129 |     USHORT MaximumLength;
 130 |     PWSTR  Buffer;
 131 | } UNICODE_STRING;
 132 | 
 133 | typedef UNICODE_STRING *PUNICODE_STRING;
 134 | 
 135 | typedef struct _ANSI_STRING {
 136 | 	USHORT Length;
 137 | 	USHORT MaximumLength;
 138 | 	PCHAR Buffer;
 139 | } ANSI_STRING;
 140 | 
 141 | typedef ANSI_STRING *PANSI_STRING;
 142 | 
 143 | NTSYSAPI
 144 | VOID
 145 | NTAPI
 146 | RtlInitUnicodeString(
 147 |     PUNICODE_STRING DestinationString,
 148 |     PCWSTR SourceString
 149 |     );
 150 | 
 151 | NTSYSAPI
 152 | NTSTATUS 
 153 | NTAPI
 154 | RtlUnicodeStringToAnsiString(
 155 | 	PANSI_STRING DestinationString,
 156 | 	PUNICODE_STRING SourceString,
 157 | 	BOOLEAN AllocateDestinationString
 158 | );
 159 | 
 160 | NTSYSAPI
 161 | VOID 
 162 | NTAPI
 163 | RtlFreeAnsiString(
 164 | 	IN PANSI_STRING  AnsiString
 165 | );
 166 | 
 167 | //
 168 | // Valid values for the Attributes field
 169 | //
 170 | 
 171 | #define OBJ_INHERIT             0x00000002L
 172 | #define OBJ_PERMANENT           0x00000010L
 173 | #define OBJ_EXCLUSIVE           0x00000020L
 174 | #define OBJ_CASE_INSENSITIVE    0x00000040L
 175 | #define OBJ_OPENIF              0x00000080L
 176 | #define OBJ_OPENLINK            0x00000100L
 177 | #define OBJ_VALID_ATTRIBUTES    0x000001F2L
 178 | #define OBJ_KERNEL_HANDLE		0x00000200L
 179 | 
 180 | //
 181 | // Object Attributes structure
 182 | //
 183 | 
 184 | typedef struct _OBJECT_ATTRIBUTES {
 185 |     ULONG Length;
 186 |     HANDLE RootDirectory;
 187 |     PUNICODE_STRING ObjectName;
 188 |     ULONG Attributes;
 189 |     PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
 190 |     PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
 191 | } OBJECT_ATTRIBUTES;
 192 | typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
 193 | 
 194 | #define InitializeObjectAttributes( p, n, a, r, s ) { \
 195 |     (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
 196 |     (p)->RootDirectory = r;                             \
 197 |     (p)->Attributes = a;                                \
 198 |     (p)->ObjectName = n;                                \
 199 |     (p)->SecurityDescriptor = s;                        \
 200 |     (p)->SecurityQualityOfService = NULL;               \
 201 |     }
 202 | 
 203 | #define OBJ_NAME_PATH_SEPARATOR ((WCHAR) L'\\')
 204 | 
 205 | typedef ULONG ACCESS_MASK;
 206 | 
 207 | #define DELETE                           (0x00010000L)
 208 | #define READ_CONTROL                     (0x00020000L)
 209 | #define WRITE_DAC                        (0x00040000L)
 210 | #define WRITE_OWNER                      (0x00080000L)
 211 | #define SYNCHRONIZE                      (0x00100000L)
 212 | 
 213 | #define STANDARD_RIGHTS_REQUIRED         (0x000F0000L)
 214 | 
 215 | #define STANDARD_RIGHTS_READ             (READ_CONTROL)
 216 | #define STANDARD_RIGHTS_WRITE            (READ_CONTROL)
 217 | #define STANDARD_RIGHTS_EXECUTE          (READ_CONTROL)
 218 | 
 219 | #define STANDARD_RIGHTS_ALL              (0x001F0000L)
 220 | 
 221 | #define SPECIFIC_RIGHTS_ALL              (0x0000FFFFL)
 222 | 
 223 | //
 224 | // AccessSystemAcl access type
 225 | //
 226 | 
 227 | #define ACCESS_SYSTEM_SECURITY           (0x01000000L)
 228 | 
 229 | //
 230 | // MaximumAllowed access type
 231 | //
 232 | 
 233 | #define MAXIMUM_ALLOWED                  (0x02000000L)
 234 | 
 235 | //
 236 | //  These are the generic rights.
 237 | //
 238 | 
 239 | #define GENERIC_READ                     (0x80000000L)
 240 | #define GENERIC_WRITE                    (0x40000000L)
 241 | #define GENERIC_EXECUTE                  (0x20000000L)
 242 | #define GENERIC_ALL                      (0x10000000L)
 243 | 
 244 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
 245 | 
 246 | NTSYSAPI
 247 | NTSTATUS
 248 | NTAPI
 249 | NtClose(
 250 |     IN HANDLE Handle
 251 |     );
 252 | 
 253 | 
 254 | //
 255 | // Object Manager Directory Specific Access Rights.
 256 | //
 257 | 
 258 | #define DIRECTORY_QUERY                 (0x0001)
 259 | #define DIRECTORY_TRAVERSE              (0x0002)
 260 | #define DIRECTORY_CREATE_OBJECT         (0x0004)
 261 | #define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)
 262 | 
 263 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
 264 | 
 265 | NTSYSAPI
 266 | NTSTATUS
 267 | NTAPI
 268 | NtOpenDirectoryObject(
 269 |     OUT PHANDLE DirectoryHandle,
 270 |     IN ACCESS_MASK DesiredAccess,
 271 |     IN POBJECT_ATTRIBUTES ObjectAttributes
 272 |     ); 
 273 | 
 274 | typedef struct _OBJECT_NAMETYPE_INFO {               
 275 |     UNICODE_STRING ObjectName;
 276 |     UNICODE_STRING ObjectType;
 277 | } OBJECT_NAMETYPE_INFO, *POBJECT_NAMETYPE_INFO;   
 278 | 
 279 | typedef enum _DIRECTORYINFOCLASS {
 280 |     ObjectArray,
 281 |     ObjectByOne
 282 | } DIRECTORYINFOCLASS, *PDIRECTORYINFOCLASS;
 283 | 
 284 | #define QUERY_DIRECTORY_BUF_SIZE 0x200
 285 | 
 286 | NTSYSAPI
 287 | NTSTATUS
 288 | NTAPI
 289 | NtQueryDirectoryObject(
 290 |     IN PHANDLE DirectoryObjectHandle,
 291 |     OUT PVOID ObjectInfoBuffer,
 292 |     IN ULONG ObjectInfoBufferLength,
 293 |     IN DIRECTORYINFOCLASS DirectoryInformationClass,
 294 |     IN BOOLEAN First,
 295 |     IN OUT PULONG ObjectIndex,
 296 |     OUT PULONG LengthReturned
 297 |     ); 
 298 | 
 299 | NTSYSAPI
 300 | NTSTATUS
 301 | NTAPI
 302 | NtDisplayString(
 303 |     IN PUNICODE_STRING DisplayString
 304 |     );
 305 | 
 306 | 
 307 | #define SYMBOLIC_LINK_QUERY		0x0001
 308 | #define SYMBOLIC_LINK_ALL_ACCESS	(STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_FLAG_DIRECTORY)
 309 | 
 310 | 
 311 | //
 312 | // Registry Specific Access Rights.
 313 | //
 314 | 
 315 | #define KEY_QUERY_VALUE         (0x0001)
 316 | #define KEY_SET_VALUE           (0x0002)
 317 | #define KEY_CREATE_SUB_KEY      (0x0004)
 318 | #define KEY_ENUMERATE_SUB_KEYS  (0x0008)
 319 | #define KEY_NOTIFY              (0x0010)
 320 | #define KEY_CREATE_LINK         (0x0020)
 321 | 
 322 | #define KEY_READ                ((STANDARD_RIGHTS_READ       |\
 323 |                                   KEY_QUERY_VALUE            |\
 324 |                                   KEY_ENUMERATE_SUB_KEYS     |\
 325 |                                   KEY_NOTIFY)                 \
 326 |                                   &                           \
 327 |                                  (~SYNCHRONIZE))
 328 | 
 329 | 
 330 | #define KEY_WRITE               ((STANDARD_RIGHTS_WRITE      |\
 331 |                                   KEY_SET_VALUE              |\
 332 |                                   KEY_CREATE_SUB_KEY)         \
 333 |                                   &                           \
 334 |                                  (~SYNCHRONIZE))
 335 | 
 336 | #define KEY_EXECUTE             ((KEY_READ)                   \
 337 |                                   &                           \
 338 |                                  (~SYNCHRONIZE))
 339 | 
 340 | #define KEY_ALL_ACCESS          ((STANDARD_RIGHTS_ALL        |\
 341 |                                   KEY_QUERY_VALUE            |\
 342 |                                   KEY_SET_VALUE              |\
 343 |                                   KEY_CREATE_SUB_KEY         |\
 344 |                                   KEY_ENUMERATE_SUB_KEYS     |\
 345 |                                   KEY_NOTIFY                 |\
 346 |                                   KEY_CREATE_LINK)            \
 347 |                                   &                           \
 348 |                                  (~SYNCHRONIZE))
 349 | 
 350 | //
 351 | // Open/Create Options
 352 | //
 353 | 
 354 | #define REG_OPTION_RESERVED         (0x00000000L)   // Parameter is reserved
 355 | 
 356 | #define REG_OPTION_NON_VOLATILE     (0x00000000L)   // Key is preserved
 357 |                                                     // when system is rebooted
 358 | 
 359 | #define REG_OPTION_VOLATILE         (0x00000001L)   // Key is not preserved
 360 |                                                     // when system is rebooted
 361 | 
 362 | #define REG_OPTION_CREATE_LINK      (0x00000002L)   // Created key is a
 363 |                                                     // symbolic link
 364 | 
 365 | #define REG_OPTION_BACKUP_RESTORE   (0x00000004L)   // open for backup or restore
 366 |                                                     // special access rules
 367 |                                                     // privilege required
 368 | 
 369 | #define REG_OPTION_OPEN_LINK        (0x00000008L)   // Open symbolic link
 370 | 
 371 | #define REG_LEGAL_OPTION            \
 372 |                 (REG_OPTION_RESERVED            |\
 373 |                  REG_OPTION_NON_VOLATILE        |\
 374 |                  REG_OPTION_VOLATILE            |\
 375 |                  REG_OPTION_CREATE_LINK         |\
 376 |                  REG_OPTION_BACKUP_RESTORE      |\
 377 |                  REG_OPTION_OPEN_LINK)
 378 | 
 379 | //
 380 | // Key creation/open disposition
 381 | //
 382 | 
 383 | #define REG_CREATED_NEW_KEY         (0x00000001L)   // New Registry Key created
 384 | #define REG_OPENED_EXISTING_KEY     (0x00000002L)   // Existing Key opened
 385 | 
 386 | //
 387 | // Key restore flags
 388 | //
 389 | 
 390 | #define REG_WHOLE_HIVE_VOLATILE     (0x00000001L)   // Restore whole hive volatile
 391 | #define REG_REFRESH_HIVE            (0x00000002L)   // Unwind changes to last flush
 392 | #define REG_NO_LAZY_FLUSH           (0x00000004L)   // Never lazy flush this hive
 393 | 
 394 | //
 395 | // Predefined Value Types.
 396 | //
 397 | 
 398 | #define REG_NONE                    ( 0 )   // No value type
 399 | #define REG_SZ                      ( 1 )   // Unicode nul terminated string
 400 | #define REG_EXPAND_SZ               ( 2 )   // Unicode nul terminated string
 401 |                                             // (with environment variable references)
 402 | #define REG_BINARY                  ( 3 )   // Free form binary
 403 | #define REG_DWORD                   ( 4 )   // 32-bit number
 404 | #define REG_DWORD_LITTLE_ENDIAN     ( 4 )   // 32-bit number (same as REG_DWORD)
 405 | #define REG_DWORD_BIG_ENDIAN        ( 5 )   // 32-bit number
 406 | #define REG_LINK                    ( 6 )   // Symbolic Link (unicode)
 407 | #define REG_MULTI_SZ                ( 7 )   // Multiple Unicode strings
 408 | #define REG_RESOURCE_LIST           ( 8 )   // Resource list in the resource map
 409 | #define REG_FULL_RESOURCE_DESCRIPTOR ( 9 )  // Resource list in the hardware description
 410 | #define REG_RESOURCE_REQUIREMENTS_LIST ( 10 )
 411 | 
 412 | //
 413 | // Key query structures
 414 | //
 415 | 
 416 | typedef struct _KEY_BASIC_INFORMATION {
 417 |     LARGE_INTEGER LastWriteTime;
 418 |     ULONG   TitleIndex;
 419 |     ULONG   NameLength;
 420 |     WCHAR   Name[1];            // Variable length string
 421 | } KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
 422 | 
 423 | typedef struct _KEY_NODE_INFORMATION {
 424 |     LARGE_INTEGER LastWriteTime;
 425 |     ULONG   TitleIndex;
 426 |     ULONG   ClassOffset;
 427 |     ULONG   ClassLength;
 428 |     ULONG   NameLength;
 429 |     WCHAR   Name[1];            // Variable length string
 430 | //          Class[1];           // Variable length string not declared
 431 | } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
 432 | 
 433 | typedef struct _KEY_FULL_INFORMATION {
 434 |     LARGE_INTEGER LastWriteTime;
 435 |     ULONG   TitleIndex;
 436 |     ULONG   ClassOffset;
 437 |     ULONG   ClassLength;
 438 |     ULONG   SubKeys;
 439 |     ULONG   MaxNameLen;
 440 |     ULONG   MaxClassLen;
 441 |     ULONG   Values;
 442 |     ULONG   MaxValueNameLen;
 443 |     ULONG   MaxValueDataLen;
 444 |     WCHAR   Class[1];           // Variable length
 445 | } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
 446 | 
 447 | typedef struct _KEY_NAME_INFORMATION {
 448 | 	ULONG  NameLength;
 449 | 	WCHAR  Name[1];
 450 | } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
 451 | 
 452 | typedef struct _KEY_CACHED_INFORMATION {
 453 | 	LARGE_INTEGER LastWriteTime;
 454 | 	ULONG  TitleIndex;
 455 | 	ULONG  SubKeys;
 456 | 	ULONG  MaxNameLen;
 457 | 	ULONG  Values;
 458 | 	ULONG  MaxValueNameLen;
 459 | 	ULONG  MaxValueDataLen;
 460 | 	ULONG  NameLength;
 461 | } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
 462 | 
 463 | typedef struct _KEY_VIRTUALIZATION_INFORMATION {
 464 | 	ULONG VirtualizationCandidate;  
 465 | 	ULONG VirtualizationEnabled;  
 466 | 	ULONG VirtualTarget;  
 467 | 	ULONG VirtualStore;
 468 | 	ULONG VirtualSource;
 469 | 	ULONG Reserved;
 470 | } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION;
 471 | 
 472 | typedef struct _KEY_HANDLE_TAGS_INFORMATION {
 473 | 	ULONG   HandleTags;
 474 | } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
 475 | 
 476 | typedef struct _KEY_TRUST_INFORMATION {
 477 | 	ULONG   TrustedKey      : 1; // Tells if key is opened from a trusted hive.
 478 | 	ULONG   Reserved        : 31;
 479 | } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION;
 480 | 
 481 | typedef enum _KEY_INFORMATION_CLASS {
 482 |     KeyBasicInformation,
 483 |     KeyNodeInformation,
 484 |     KeyFullInformation,
 485 | 	KeyNameInformation,  
 486 | 	KeyCachedInformation,  
 487 | 	KeyFlagsInformation,
 488 | 	KeyVirtualizationInformation,
 489 | 	KeyHandleTagsInformation,
 490 | 	KeyTrustInformation,
 491 | 	MaxKeyInfoClass
 492 | } KEY_INFORMATION_CLASS;
 493 | 
 494 | typedef struct _KEY_WRITE_TIME_INFORMATION {
 495 |     LARGE_INTEGER LastWriteTime;
 496 | } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
 497 | 
 498 | typedef enum _KEY_SET_INFORMATION_CLASS {
 499 | 	KeyWriteTimeInformation,
 500 | 	KeyWow64FlagsInformation,
 501 | 	KeyControlFlagsInformation,
 502 | 	KeySetVirtualizationInformation,
 503 | 	KeySetDebugInformation,
 504 | 	KeySetHandleTagsInformation,
 505 | 	MaxKeySetInfoClass  // MaxKeySetInfoClass should always be the last enum
 506 | } KEY_SET_INFORMATION_CLASS;
 507 | 
 508 | //
 509 | // Value entry query structures
 510 | //
 511 | 
 512 | typedef struct _KEY_VALUE_BASIC_INFORMATION {
 513 |     ULONG   TitleIndex;
 514 |     ULONG   Type;
 515 |     ULONG   NameLength;
 516 |     WCHAR   Name[1];            // Variable size
 517 | } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
 518 | 
 519 | typedef struct _KEY_VALUE_FULL_INFORMATION {
 520 |     ULONG   TitleIndex;
 521 |     ULONG   Type;
 522 |     ULONG   DataOffset;
 523 |     ULONG   DataLength;
 524 |     ULONG   NameLength;
 525 |     WCHAR   Name[1];            // Variable size
 526 | //          Data[1];            // Variable size data not declared
 527 | } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
 528 | 
 529 | typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
 530 |     ULONG   TitleIndex;
 531 |     ULONG   Type;
 532 |     ULONG   DataLength;
 533 |     UCHAR   Data[1];            // Variable size
 534 | } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
 535 | 
 536 | typedef struct _KEY_VALUE_ENTRY {
 537 |     PUNICODE_STRING ValueName;
 538 |     ULONG           DataLength;
 539 |     ULONG           DataOffset;
 540 |     ULONG           Type;
 541 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
 542 | 
 543 | typedef enum _KEY_VALUE_INFORMATION_CLASS {
 544 |     KeyValueBasicInformation,
 545 |     KeyValueFullInformation,
 546 |     KeyValuePartialInformation
 547 | } KEY_VALUE_INFORMATION_CLASS;
 548 | 
 549 | NTSYSAPI
 550 | NTSTATUS
 551 | NTAPI
 552 | NtLoadKey(
 553 |     IN POBJECT_ATTRIBUTES KeyToLoad,
 554 |     IN POBJECT_ATTRIBUTES FileToLoad
 555 |     );
 556 | 
 557 | NTSYSAPI
 558 | NTSTATUS
 559 | NTAPI
 560 | NtUnloadKey(
 561 |     IN POBJECT_ATTRIBUTES KeyToUnLoad
 562 |     );
 563 | 
 564 | NTSYSAPI
 565 | NTSTATUS
 566 | NTAPI
 567 | NtOpenKey(
 568 |     OUT PHANDLE KeyHandle,
 569 |     IN ACCESS_MASK DesiredAccess,
 570 |     IN POBJECT_ATTRIBUTES ObjectAttributes
 571 |     );
 572 | 
 573 | NTSYSAPI
 574 | NTSTATUS
 575 | NTAPI
 576 | NtOpenKeyEx(
 577 |     OUT PHANDLE KeyHandle,
 578 |     IN ACCESS_MASK DesiredAccess,
 579 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
 580 | 	IN ULONG OpenOptions
 581 |     );
 582 | 
 583 | NTSYSAPI
 584 | NTSTATUS
 585 | NTAPI
 586 | NtCreateKey(
 587 |     OUT PHANDLE KeyHandle,
 588 |     IN ACCESS_MASK DesiredAccess,
 589 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
 590 |     IN ULONG TitleIndex,
 591 |     IN PUNICODE_STRING Class OPTIONAL,
 592 |     IN ULONG CreateOptions,
 593 |     OUT PULONG Disposition OPTIONAL
 594 |     );
 595 | 
 596 | NTSYSAPI
 597 | NTSTATUS
 598 | NTAPI
 599 | NtSetValueKey(
 600 |     IN HANDLE KeyHandle,
 601 |     IN PUNICODE_STRING ValueName,
 602 |     IN ULONG TitleIndex OPTIONAL,
 603 |     IN ULONG Type,
 604 |     IN PVOID Data,
 605 |     IN ULONG DataSize
 606 |     );
 607 | 
 608 | NTSYSAPI
 609 | NTSTATUS
 610 | NTAPI
 611 | NtEnumerateKey(
 612 |     IN HANDLE KeyHandle,
 613 |     IN ULONG Index,
 614 |     IN KEY_INFORMATION_CLASS KeyInformationClass,
 615 |     OUT PVOID KeyInformation,
 616 |     IN ULONG Length,
 617 |     OUT PULONG ResultLength
 618 |     );
 619 | 
 620 | NTSYSAPI
 621 | NTSTATUS
 622 | NTAPI
 623 | NtEnumerateValueKey(
 624 |     IN HANDLE KeyHandle,
 625 |     IN ULONG Index,
 626 |     IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
 627 |     OUT PVOID KeyValueInformation,
 628 |     IN ULONG Length,
 629 |     OUT PULONG ResultLength
 630 |     );
 631 | 
 632 | NTSYSAPI
 633 | NTSTATUS
 634 | NTAPI
 635 | NtFlushKey(
 636 |     IN HANDLE KeyHandle
 637 |     );
 638 | 
 639 | NTSYSAPI
 640 | NTSTATUS
 641 | NTAPI
 642 | NtQueryKey(
 643 |     IN HANDLE KeyHandle,
 644 |     IN KEY_INFORMATION_CLASS KeyInformationClass,
 645 |     OUT PVOID KeyInformation,
 646 |     IN ULONG Length,
 647 |     OUT PULONG ResultLength
 648 |     );
 649 | 
 650 | NTSYSAPI
 651 | NTSTATUS
 652 | NTAPI
 653 | NtQueryValueKey(
 654 |     IN HANDLE KeyHandle,
 655 |     IN PUNICODE_STRING ValueName,
 656 |     IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
 657 |     OUT PVOID KeyValueInformation,
 658 |     IN ULONG Length,
 659 |     OUT PULONG ResultLength
 660 |     );
 661 | 
 662 | //
 663 | // These must be converted to LUIDs before use.
 664 | //
 665 | 
 666 | #define SE_MIN_WELL_KNOWN_PRIVILEGE       (2L)
 667 | #define SE_CREATE_TOKEN_PRIVILEGE         (2L)
 668 | #define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE   (3L)
 669 | #define SE_LOCK_MEMORY_PRIVILEGE          (4L)
 670 | #define SE_INCREASE_QUOTA_PRIVILEGE       (5L)
 671 | 
 672 | //
 673 | // Unsolicited Input is obsolete and unused.
 674 | //
 675 | 
 676 | #define SE_UNSOLICITED_INPUT_PRIVILEGE    (6L)
 677 | 
 678 | #define SE_MACHINE_ACCOUNT_PRIVILEGE      (6L)
 679 | #define SE_TCB_PRIVILEGE                  (7L)
 680 | #define SE_SECURITY_PRIVILEGE             (8L)
 681 | #define SE_TAKE_OWNERSHIP_PRIVILEGE       (9L)
 682 | #define SE_LOAD_DRIVER_PRIVILEGE          (10L)
 683 | #define SE_SYSTEM_PROFILE_PRIVILEGE       (11L)
 684 | #define SE_SYSTEMTIME_PRIVILEGE           (12L)
 685 | #define SE_PROF_SINGLE_PROCESS_PRIVILEGE  (13L)
 686 | #define SE_INC_BASE_PRIORITY_PRIVILEGE    (14L)
 687 | #define SE_CREATE_PAGEFILE_PRIVILEGE      (15L)
 688 | #define SE_CREATE_PERMANENT_PRIVILEGE     (16L)
 689 | #define SE_BACKUP_PRIVILEGE               (17L)
 690 | #define SE_RESTORE_PRIVILEGE              (18L)
 691 | #define SE_SHUTDOWN_PRIVILEGE             (19L)
 692 | #define SE_DEBUG_PRIVILEGE                (20L)
 693 | #define SE_AUDIT_PRIVILEGE                (21L)
 694 | #define SE_SYSTEM_ENVIRONMENT_PRIVILEGE   (22L)
 695 | #define SE_CHANGE_NOTIFY_PRIVILEGE        (23L)
 696 | #define SE_REMOTE_SHUTDOWN_PRIVILEGE      (24L)
 697 | #define SE_MAX_WELL_KNOWN_PRIVILEGE       (SE_REMOTE_SHUTDOWN_PRIVILEGE)
 698 | 
 699 | NTSYSAPI
 700 | NTSTATUS
 701 | NTAPI
 702 | RtlAdjustPrivilege(
 703 |     IN ULONG Privilege,
 704 |     IN BOOLEAN Enable,
 705 |     IN BOOLEAN CurrentThread,
 706 |     OUT PBOOLEAN Enabled
 707 |     );
 708 | 
 709 | typedef struct _PRELATIVE_NAME{
 710 |     UNICODE_STRING Name;
 711 |     HANDLE CurrentDir;
 712 | } PRELATIVE_NAME, *PPRELATIVE_NAME;
 713 | 
 714 | NTSYSAPI
 715 | NTSTATUS
 716 | NTAPI
 717 | RtlDosPathNameToNtPathName_U(
 718 |     IN PCWSTR DosPathName,
 719 |     OUT PUNICODE_STRING NtPathName,
 720 |     OUT PWSTR* FilePathInNtPathName OPTIONAL,
 721 |     OUT PRELATIVE_NAME* RelativeName OPTIONAL
 722 |     );
 723 | 
 724 | /**********************************************************************/
 725 | NTSYSAPI
 726 | NTSTATUS
 727 | NTAPI
 728 | NtShutdownSystem(
 729 |     IN HANDLE KeyHandle
 730 |     );
 731 | 
 732 | NTSYSAPI
 733 | NTSTATUS
 734 | NTAPI
 735 | NtWaitForSingleObject(
 736 |     IN HANDLE ObjectHandle,
 737 |     IN BOOLEAN Alertable,
 738 |     IN PLARGE_INTEGER Timeout OPTIONAL
 739 |     );
 740 | 
 741 | typedef enum _WAIT_TYPE
 742 | {
 743 |   WaitAll,
 744 |   WaitAny
 745 | } WAIT_TYPE;
 746 | 
 747 | NTSYSAPI
 748 | NTSTATUS
 749 | NTAPI
 750 | NtWaitForMultipleObjects(
 751 |     IN ULONG NumberOfHandles,
 752 |     IN PHANDLE ArrayOfHandles,
 753 |     IN WAIT_TYPE WaitType,
 754 |     IN BOOLEAN Alertable,
 755 |     IN PLARGE_INTEGER Timeout OPTIONAL
 756 |     );
 757 | 
 758 | typedef struct _RTL_DRIVE_LETTER_CURDIR {
 759 | 	USHORT                  Flags;
 760 | 	USHORT                  Length;
 761 | 	ULONG                   TimeStamp;
 762 | 	UNICODE_STRING          DosPath;
 763 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
 764 | 
 765 | typedef struct _RTL_USER_PROCESS_PARAMETERS {
 766 | 	ULONG                   MaximumLength;
 767 | 	ULONG                   Length;
 768 | 	ULONG                   Flags;
 769 | 	ULONG                   DebugFlags;
 770 | 	PVOID                   ConsoleHandle;
 771 | 	ULONG                   ConsoleFlags;
 772 | 	HANDLE                  StdInputHandle;
 773 | 	HANDLE                  StdOutputHandle;
 774 | 	HANDLE                  StdErrorHandle;
 775 | 	UNICODE_STRING          CurrentDirectoryPath;
 776 | 	HANDLE                  CurrentDirectoryHandle;
 777 | 	UNICODE_STRING          DllPath;
 778 | 	UNICODE_STRING          ImagePathName;
 779 | 	UNICODE_STRING          CommandLine;
 780 | 	PVOID                   Environment;
 781 | 	ULONG                   StartingPositionLeft;
 782 | 	ULONG                   StartingPositionTop;
 783 | 	ULONG                   Width;
 784 | 	ULONG                   Height;
 785 | 	ULONG                   CharWidth;
 786 | 	ULONG                   CharHeight;
 787 | 	ULONG                   ConsoleTextAttributes;
 788 | 	ULONG                   WindowFlags;
 789 | 	ULONG                   ShowWindowFlags;
 790 | 	UNICODE_STRING          WindowTitle;
 791 | 	UNICODE_STRING          DesktopName;
 792 | 	UNICODE_STRING          ShellInfo;
 793 | 	UNICODE_STRING          RuntimeData;
 794 | 	RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 795 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
 796 | 
 797 | typedef
 798 | VOID
 799 | (NTAPI *PPS_POST_PROCESS_INIT_ROUTINE) (
 800 |     VOID
 801 |     );
 802 | 
 803 | typedef struct _PEB_LDR_DAT_ {
 804 | 	ULONG		Length;
 805 | 	UCHAR		Initialized;
 806 | 	PVOID		SsHandle;
 807 | 	LIST_ENTRY	InLoadOrderModuleList;
 808 | 	LIST_ENTRY	InMemoryOrderModuleList;
 809 | 	LIST_ENTRY	InInitializationOrderModuleList;
 810 | 	PVOID		EntryInProgress;
 811 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
 812 | 
 813 | typedef struct _PEB {
 814 | 	BYTE Reserved1[2];
 815 | 	BYTE BeingDebugged;
 816 | 	BYTE Reserved2[1];
 817 | 	PVOID Reserved3[2];
 818 | 	PPEB_LDR_DATA Ldr;
 819 | 	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
 820 | 	BYTE Reserved4[104];
 821 | 	PVOID Reserved5[52];
 822 | 	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
 823 | 	BYTE Reserved6[128];
 824 | 	PVOID Reserved7[1];
 825 | 	ULONG SessionId;
 826 | } PEB, *PPEB;
 827 | 
 828 | typedef struct tagLdrModule
 829 | {
 830 | 	LIST_ENTRY InLoadOrderModuleList;
 831 | 	LIST_ENTRY InMemoryOrderModuleList;
 832 | 	LIST_ENTRY InInitializationOrderModuleList;
 833 | 	PVOID BaseAddress;
 834 | 	PVOID EntryPoint;
 835 | 	ULONG SizeOfImage;
 836 | 	UNICODE_STRING FullDllName;
 837 | 	UNICODE_STRING BaseDllName;
 838 | 	ULONG Flags;
 839 | 	USHORT LoadCount;
 840 | 	USHORT TlsIndex;
 841 | 	LIST_ENTRY HashTableEntry;
 842 | 	ULONG TimeDateStamp;
 843 | } LDR_MODULE, *PLDR_MODULE;
 844 | 
 845 | typedef struct _THREAD_ENVIRONMENT_BLOCK
 846 | {
 847 |     void            *except;       
 848 |     void            *stack_top;    
 849 |     void            *stack_low;    
 850 |     WORD            unk1;          
 851 |     WORD            unk2;          
 852 |     DWORD           unk3;          
 853 |     DWORD           unk4;          
 854 |     void            *self;         
 855 |     WORD            flags;         
 856 |     WORD            unk5;          
 857 |     DWORD           Pid;           
 858 |     DWORD           Tid;           
 859 |     WORD            unk6;          
 860 |     WORD            unk7;          
 861 |     LPVOID          *tls_ptr;      
 862 |     PEB *peb;
 863 |     DWORD           LastError;     
 864 |                                    
 865 | 
 866 | } THREAD_ENVIRONMENT_BLOCK, *PTHREAD_ENVIRONMENT_BLOCK;
 867 | 
 868 | typedef THREAD_ENVIRONMENT_BLOCK TEB, *PTEB;      
 869 | 
 870 | typedef struct _CLIENT_ID 
 871 | {
 872 |   HANDLE UniqueProcess;
 873 |   HANDLE UniqueThread;
 874 | } CLIENT_ID;
 875 | typedef CLIENT_ID *PCLIENT_ID;
 876 | 
 877 | 
 878 | typedef struct _SECTION_IMAGE_INFORMATION
 879 | {
 880 |   ULONG  EntryPoint;
 881 |   ULONG  Unknown0;
 882 |   ULONG  ReservedStackSize;
 883 |   ULONG  CommitedStackSize;
 884 |   ULONG  SubSystem;
 885 |   USHORT SubsystemVersionMinor;
 886 |   USHORT SubsystemVersionMajor;
 887 |   ULONG  Unknown1;
 888 |   ULONG  Characteristics;
 889 |   ULONG  Machine;
 890 |   ULONG  Unknown2;
 891 |   ULONG  Unknown3;
 892 |   ULONG  Unknown4;
 893 | } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
 894 | 
 895 | typedef struct _RTL_PROCESS_INFORMATION
 896 | {
 897 |   ULONG Size;
 898 |   HANDLE ProcessHandle;
 899 |   HANDLE ThreadHandle;
 900 |   CLIENT_ID ClientId;
 901 |   SECTION_IMAGE_INFORMATION SectionImageInfo;
 902 | } RTL_PROCESS_INFORMATION, *PRTL_PROCESS_INFORMATION;
 903 | 
 904 | 
 905 | NTSYSAPI
 906 | HANDLE
 907 | NTAPI
 908 | NtCurrentProcess(
 909 |     VOID
 910 |     );
 911 | 
 912 | //NTSYSAPI
 913 | //PTEB
 914 | //NTAPI
 915 | //NtCurrentTeb(
 916 | //    VOID
 917 | //    );
 918 | 
 919 | NTSYSAPI
 920 | NTSTATUS
 921 | NTAPI
 922 | RtlCreateUserProcess(
 923 |     IN PUNICODE_STRING FileName,
 924 |     IN ULONG FileObjectAttributes,
 925 |     IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
 926 |     IN PVOID ProcessSecurityDescriptor OPTIONAL,
 927 |     IN PVOID ThreadSecurityDescriptor OPTIONAL,
 928 |     IN HANDLE ParrentProcess OPTIONAL,
 929 |     IN BOOLEAN InheritHandles,
 930 |     IN HANDLE DebugPort OPTIONAL,
 931 |     IN HANDLE ExceptionPort OPTIONAL,
 932 |     OUT PRTL_PROCESS_INFORMATION ProcessInfo
 933 |     );
 934 | 
 935 | NTSYSAPI
 936 | NTSTATUS
 937 | NTAPI
 938 | NtTerminateProcess(
 939 |     IN HANDLE ProcessHandle,
 940 |     IN ULONG ProcessExitCode
 941 |     );
 942 | NTSYSAPI NTSTATUS NTAPI NtCreateProcessEx
 943 | 	(	__out PHANDLE 	ProcessHandle,
 944 | 	__in ACCESS_MASK 	DesiredAccess,
 945 | 	__in_opt POBJECT_ATTRIBUTES 	ObjectAttributes,
 946 | 	__in HANDLE 	ParentProcess,
 947 | 	__in ULONG 	Flags,
 948 | 	__in_opt HANDLE 	SectionHandle,
 949 | 	__in_opt HANDLE 	DebugPort,
 950 | 	__in_opt HANDLE 	ExceptionPort,
 951 | 	__in ULONG 	JobMemberLevel 
 952 | 	);
 953 | NTSYSAPI NTSTATUS NTAPI NtCreateProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL);
 954 | typedef enum _PS_CREATE_STATE
 955 | {
 956 | PsCreateInitialState,
 957 | PsCreateFailOnFileOpen,
 958 | PsCreateFailOnSectionCreate,
 959 | PsCreateFailExeFormat,
 960 | PsCreateFailMachineMismatch,
 961 | PsCreateFailExeName, // Debugger specified
 962 | PsCreateSuccess,
 963 | PsCreateMaximumStates
 964 | } PS_CREATE_STATE;
 965 | 
 966 | typedef struct _PS_CREATE_INFO
 967 | {
 968 | 	SIZE_T Size;
 969 | 	PS_CREATE_STATE State;
 970 | 	union
 971 | 	{
 972 | 		// PsCreateInitialState
 973 | 		struct
 974 | 		{
 975 | 			union
 976 | 			{
 977 | 				ULONG InitFlags;
 978 | 				struct
 979 | 				{
 980 | 					UCHAR WriteOutputOnExit : 1;
 981 | 					UCHAR DetectManifest : 1;
 982 | 					UCHAR SpareBits1 : 6;
 983 | 					UCHAR IFEOKeyState : 2; // PS_IFEO_KEY_STATE
 984 | 					UCHAR SpareBits2 : 6;
 985 | 					USHORT ProhibitedImageCharacteristics : 16;
 986 | 				};
 987 | 			};
 988 | 			ACCESS_MASK AdditionalFileAccess;
 989 | 		} InitState;
 990 | 
 991 | 		// PsCreateFailOnSectionCreate
 992 | 		struct
 993 | 		{
 994 | 			HANDLE FileHandle;
 995 | 		} FailSection;
 996 | 
 997 | 		// PsCreateFailExeName
 998 | 		struct
 999 | 		{
1000 | 			HANDLE IFEOKey;
1001 | 		} ExeName;
1002 | 
1003 | 		// PsCreateSuccess
1004 | 		struct
1005 | 		{
1006 | 			union
1007 | 			{
1008 | 				ULONG OutputFlags;
1009 | 				struct
1010 | 				{
1011 | 					UCHAR ProtectedProcess : 1;
1012 | 					UCHAR AddressSpaceOverride : 1;
1013 | 					UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
1014 | 					UCHAR ManifestDetected : 1;
1015 | 					UCHAR SpareBits1 : 4;
1016 | 					UCHAR SpareBits2 : 8;
1017 | 					USHORT SpareBits3 : 16;
1018 | 				};
1019 | 			};
1020 | 			HANDLE FileHandle;
1021 | 			HANDLE SectionHandle;
1022 | 			ULONGLONG UserProcessParametersNative;
1023 | 			ULONG UserProcessParametersWow64;
1024 | 			ULONG CurrentParameterFlags;
1025 | 			ULONGLONG PebAddressNative;
1026 | 			ULONG PebAddressWow64;
1027 | 			ULONGLONG ManifestAddress;
1028 | 			ULONG ManifestSize;
1029 | 		} SuccessState;
1030 | 	};
1031 | } PS_CREATE_INFO, *PPS_CREATE_INFO;
1032 | 
1033 | #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
1034 | #define PS_ATTRIBUTE_THREAD 0x00010000 // can be used with threads
1035 | #define PS_ATTRIBUTE_INPUT 0x00020000 // input only
1036 | #define PS_ATTRIBUTE_UNKNOWN 0x00040000
1037 | 
1038 | typedef enum _PS_ATTRIBUTE_NUM
1039 | {
1040 | 	PsAttributeParentProcess, // in HANDLE
1041 | 	PsAttributeDebugPort, // in HANDLE
1042 | 	PsAttributeToken, // in HANDLE
1043 | 	PsAttributeClientId, // out PCLIENT_ID
1044 | 	PsAttributeTebAddress, // out PTEB *
1045 | 	PsAttributeImageName, // in PWSTR
1046 | 	PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
1047 | 	PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
1048 | 	PsAttributePriorityClass, // in UCHAR
1049 | 	PsAttributeErrorMode, // in ULONG
1050 | 	PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
1051 | 	PsAttributeHandleList, // in PHANDLE
1052 | 	PsAttributeGroupAffinity, // in PGROUP_AFFINITY
1053 | 	PsAttributePreferredNode, // in PUSHORT
1054 | 	PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
1055 | 	PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES
1056 | 	PsAttributeMitigationOptions, // in UCHAR
1057 | 	PsAttributeSecurityCapabilities,
1058 | 	PsAttributeMax
1059 | } PS_ATTRIBUTE_NUM;
1060 | 
1061 | #define PsAttributeValue(Number, Thread, Input, Unknown) \
1062 | 	(((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
1063 | 	((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
1064 | 	((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
1065 | 	((Unknown) ? PS_ATTRIBUTE_UNKNOWN : 0))
1066 | 
1067 | #define PS_ATTRIBUTE_PARENT_PROCESS \
1068 | 	PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
1069 | #define PS_ATTRIBUTE_DEBUG_PORT \
1070 | 	PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
1071 | #define PS_ATTRIBUTE_TOKEN \
1072 | 	PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
1073 | #define PS_ATTRIBUTE_CLIENT_ID \
1074 | 	PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
1075 | #define PS_ATTRIBUTE_TEB_ADDRESS \
1076 | 	PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
1077 | #define PS_ATTRIBUTE_IMAGE_NAME \
1078 | 	PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
1079 | #define PS_ATTRIBUTE_IMAGE_INFO \
1080 | 	PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
1081 | #define PS_ATTRIBUTE_MEMORY_RESERVE \
1082 | 	PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
1083 | #define PS_ATTRIBUTE_PRIORITY_CLASS \
1084 | 	PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
1085 | #define PS_ATTRIBUTE_ERROR_MODE \
1086 | 	PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
1087 | #define PS_ATTRIBUTE_STD_HANDLE_INFO \
1088 | 	PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
1089 | #define PS_ATTRIBUTE_HANDLE_LIST \
1090 | 	PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
1091 | #define PS_ATTRIBUTE_GROUP_AFFINITY \
1092 | 	PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
1093 | #define PS_ATTRIBUTE_PREFERRED_NODE \
1094 | 	PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
1095 | #define PS_ATTRIBUTE_IDEAL_PROCESSOR \
1096 | 	PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
1097 | #define PS_ATTRIBUTE_MITIGATION_OPTIONS \
1098 | 	PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
1099 | 
1100 | typedef struct _PS_ATTRIBUTE
1101 | {
1102 | 	ULONG Attribute;
1103 | 	SIZE_T Size;
1104 | 	union
1105 | 	{
1106 | 		ULONG Value;
1107 | 		PVOID ValuePtr;
1108 | 	};
1109 | 	PSIZE_T ReturnLength;
1110 | } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
1111 | 
1112 | typedef struct _PS_ATTRIBUTE_LIST
1113 | {
1114 | 	SIZE_T TotalLength;
1115 | 	PS_ATTRIBUTE Attributes[1];
1116 | } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
1117 | 
1118 | NTSYSAPI
1119 | 	NTSTATUS
1120 | 	NTAPI
1121 | 	NtCreateUserProcess(
1122 | 	__out PHANDLE 	ProcessHandle,
1123 | 	__out PHANDLE 	ThreadHandle,
1124 | 	__in ACCESS_MASK 	ProcessDesiredAccess,
1125 | 	__in ACCESS_MASK 	ThreadDesiredAccess,
1126 | 	__in_opt POBJECT_ATTRIBUTES 	ProcessObjectAttributes,
1127 | 	__in_opt POBJECT_ATTRIBUTES 	ThreadObjectAttributes,
1128 | 	__in ULONG 	ProcessFlags,
1129 | 	__in ULONG 	ThreadFlags,
1130 | 	__in_opt PRTL_USER_PROCESS_PARAMETERS 	ProcessParameters,
1131 | 	__inout PPS_CREATE_INFO 	CreateInfo,
1132 | 	__in_opt PPS_ATTRIBUTE_LIST 	AttributeList 
1133 | 	);
1134 | NTSYSAPI
1135 | VOID
1136 | NTAPI
1137 | LdrShutdownProcess(
1138 |     VOID
1139 |     );
1140 | 
1141 | NTSYSAPI
1142 | VOID
1143 | NTAPI
1144 | NtSuspendThread(
1145 |     IN HANDLE ThreadHandle,
1146 |     OUT PULONG SuspendCount OPTIONAL
1147 |     );
1148 | 
1149 | NTSYSAPI
1150 | VOID
1151 | NTAPI
1152 | NtResumeThread(
1153 |     IN HANDLE ThreadHandle,
1154 |     OUT PULONG SuspendCount OPTIONAL
1155 |     );
1156 | 
1157 | NTSYSAPI
1158 | NTSTATUS
1159 | NTAPI
1160 | RtlCreateProcessParameters(
1161 |     OUT PRTL_USER_PROCESS_PARAMETERS * ProcessParameters,
1162 |     IN PUNICODE_STRING ApplicationName,
1163 |     IN PUNICODE_STRING SearchPaths OPTIONAL,
1164 |     IN PUNICODE_STRING CurrentDirectory OPTIONAL,
1165 |     IN PUNICODE_STRING CommandLine OPTIONAL,
1166 |     IN PVOID EnvironmentBlock OPTIONAL,
1167 |     IN PUNICODE_STRING Unknown1 OPTIONAL,
1168 |     IN PUNICODE_STRING Unknown2 OPTIONAL,
1169 |     IN PUNICODE_STRING Unknown3 OPTIONAL,
1170 |     IN PUNICODE_STRING Unknown4 OPTIONAL
1171 |     );
1172 | 
1173 | NTSYSAPI
1174 | NTSTATUS
1175 | NTAPI
1176 | RtlDestroyProcessParameters(
1177 |     IN PRTL_USER_PROCESS_PARAMETERS  ProcessParameters
1178 |     );
1179 | 
1180 | NTSYSAPI
1181 | PRTL_USER_PROCESS_PARAMETERS 
1182 | NTAPI
1183 | RtlDeNormalizeProcessParams(
1184 |     IN PRTL_USER_PROCESS_PARAMETERS  ProcessParameters
1185 |     );
1186 | 
1187 | NTSYSAPI
1188 | PRTL_USER_PROCESS_PARAMETERS 
1189 | NTAPI
1190 | RtlNormalizeProcessParams(
1191 |     IN PRTL_USER_PROCESS_PARAMETERS  ProcessParameters
1192 |     );
1193 | 
1194 | NTSYSAPI
1195 | NTSTATUS
1196 | NTAPI
1197 | RtlQueryEnvironmentVariable_U(
1198 |     IN PVOID EnvironmentBlock OPTIONAL,
1199 |     IN PUNICODE_STRING VariableName,
1200 |     IN PUNICODE_STRING VariableValue
1201 |     );
1202 | 
1203 | NTSYSAPI
1204 | NTSTATUS
1205 | NTAPI
1206 | RtlExpandEnvironmentVariable_U(
1207 |     IN PVOID EnvironmentBlock OPTIONAL,
1208 |     IN PUNICODE_STRING SourceString,
1209 |     OUT PUNICODE_STRING ExpandString,
1210 |     OUT PULONG BytesRequired
1211 |     );
1212 | 
1213 | #define NtGetProcessHeap() \
1214 |      (NtCurrentTeb()->peb->hHeap)
1215 | 
1216 | #ifndef _CRTIMP
1217 |  #define _CRTIMP NTSYSAPI
1218 | #endif
1219 | 
1220 | #ifndef _INC_STRING
1221 |  #ifndef _INC_MEMORY
1222 |   _CRTIMP void * __cdecl memmove(void *, const void *, int); //size_t
1223 |   _CRTIMP void * __cdecl memcpy(void *, const void *, int); //size_t
1224 |   _CRTIMP void * __cdecl memset(void *, int, int); //size_t
1225 |   _CRTIMP char *  __cdecl strcpy(char *, const char *);
1226 |   _CRTIMP size_t  __cdecl strlen(const char *);
1227 |  #endif
1228 | #endif
1229 | 
1230 | //#ifndef _INC_WCHAR
1231 | // _CRTIMP int __cdecl swprintf(wchar_t *, const wchar_t *, ...);
1232 | //
1233 | // _CRTIMP wchar_t * __cdecl wcscat(wchar_t *, const wchar_t *);
1234 | // _CRTIMP wchar_t * __cdecl wcschr(const wchar_t *, wchar_t);
1235 | // _CRTIMP int __cdecl wcscmp(const wchar_t *, const wchar_t *);
1236 | // _CRTIMP wchar_t * __cdecl wcscpy(wchar_t *, const wchar_t *);
1237 | // _CRTIMP size_t __cdecl wcscspn(const wchar_t *, const wchar_t *);
1238 | // _CRTIMP size_t __cdecl wcslen(const wchar_t *);
1239 | // _CRTIMP wchar_t * __cdecl wcsncat(wchar_t *, const wchar_t *, size_t);
1240 | // _CRTIMP int __cdecl wcsncmp(const wchar_t *, const wchar_t *, size_t);
1241 | // _CRTIMP wchar_t * __cdecl wcsncpy(wchar_t *, const wchar_t *, size_t);
1242 | // _CRTIMP wchar_t * __cdecl wcspbrk(const wchar_t *, const wchar_t *);
1243 | // _CRTIMP wchar_t * __cdecl wcsrchr(const wchar_t *, wchar_t);
1244 | // _CRTIMP size_t __cdecl wcsspn(const wchar_t *, const wchar_t *);
1245 | // _CRTIMP wchar_t * __cdecl wcsstr(const wchar_t *, const wchar_t *);
1246 | // _CRTIMP wchar_t * __cdecl wcstok(wchar_t *, const wchar_t *);
1247 | //#endif
1248 | 
1249 | #define HEAP_NO_SERIALIZE               0x00000001      
1250 | #define HEAP_GROWABLE                   0x00000002      
1251 | #define HEAP_GENERATE_EXCEPTIONS        0x00000004      
1252 | #define HEAP_ZERO_MEMORY                0x00000008      
1253 | #define HEAP_REALLOC_IN_PLACE_ONLY      0x00000010      
1254 | #define HEAP_TAIL_CHECKING_ENABLED      0x00000020      
1255 | #define HEAP_FREE_CHECKING_ENABLED      0x00000040      
1256 | #define HEAP_DISABLE_COALESCE_ON_FREE   0x00000080      
1257 | #define HEAP_CREATE_ALIGN_16            0x00010000      
1258 | #define HEAP_CREATE_ENABLE_TRACING      0x00020000      
1259 | 
1260 | NTSYSAPI
1261 | LPVOID 
1262 | NTAPI
1263 | RtlAllocateHeap(
1264 |     HANDLE hHeap, ULONG dwFlags, ULONG dwBytes
1265 |     );
1266 | 
1267 | NTSYSAPI
1268 | BOOLEAN
1269 | NTAPI
1270 | RtlFreeHeap(
1271 |     HANDLE hHeap,
1272 |     ULONG dwFlags, 
1273 |     LPVOID lpMem
1274 |     );
1275 | 
1276 | #define PAGE_NOACCESS          0x01     
1277 | #define PAGE_READONLY          0x02     
1278 | #define PAGE_READWRITE         0x04     
1279 | #define PAGE_WRITECOPY         0x08     
1280 | #define PAGE_EXECUTE           0x10     
1281 | #define PAGE_EXECUTE_READ      0x20     
1282 | #define PAGE_EXECUTE_READWRITE 0x40     
1283 | #define PAGE_EXECUTE_WRITECOPY 0x80     
1284 | #define PAGE_GUARD            0x100     
1285 | #define PAGE_NOCACHE          0x200     
1286 | #define PAGE_WRITECOMBINE     0x400     
1287 | #define MEM_COMMIT           0x1000     
1288 | #define MEM_RESERVE          0x2000     
1289 | #define MEM_DECOMMIT         0x4000     
1290 | #define MEM_RELEASE          0x8000     
1291 | #define MEM_FREE            0x10000     
1292 | #define MEM_PRIVATE         0x20000     
1293 | #define MEM_MAPPED          0x40000     
1294 | #define MEM_RESET           0x80000     
1295 | #define MEM_TOP_DOWN       0x100000     
1296 | #define MEM_4MB_PAGES    0x80000000     
1297 | #define SEC_FILE           0x800000     
1298 | #define SEC_IMAGE         0x1000000     
1299 | #define SEC_VLM           0x2000000     
1300 | #define SEC_RESERVE       0x4000000     
1301 | #define SEC_COMMIT        0x8000000     
1302 | #define SEC_NOCACHE      0x10000000     
1303 | #define MEM_IMAGE         SEC_IMAGE     
1304 | 
1305 | NTSYSAPI
1306 | NTSTATUS
1307 | NTAPI
1308 | NtAllocateVirtualMemory(
1309 |     IN HANDLE ProcessHandle,
1310 |     IN OUT PVOID *RegionAddress,
1311 |     IN ULONG ZeroBits, // 0 - 21
1312 |     IN OUT PULONG RegionSize,
1313 |     IN ULONG AllocationType,
1314 |     IN ULONG ProtectionType
1315 |     );
1316 | 
1317 | NTSYSAPI
1318 | NTSTATUS
1319 | NTAPI
1320 | NtFreeVirtualMemory(  
1321 |     IN HANDLE ProcessHandle,
1322 |     IN PVOID *RegionAddress,
1323 |     IN PULONG RegionSize,
1324 |     IN ULONG FreeType
1325 |     );
1326 | 
1327 | 
1328 | NTSYSAPI
1329 | VOID 
1330 | NTAPI
1331 | RtlAcquirePebLock(
1332 |     VOID
1333 |     );
1334 | 
1335 | NTSYSAPI
1336 | VOID 
1337 | NTAPI
1338 | RtlReleasePebLock(
1339 |     VOID
1340 |     );
1341 | 
1342 | 
1343 | 
1344 | //
1345 | // Define the base asynchronous I/O argument types
1346 | //
1347 | #ifdef _M_IX86
1348 | 
1349 | typedef struct _IO_STATUS_BLOCK {
1350 |     NTSTATUS Status;
1351 |     ULONG Information;
1352 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
1353 | 
1354 | #else
1355 | 
1356 | typedef struct IO_STATUS_BLOCK {
1357 | 	union
1358 | 	{                                                              
1359 | 		LONG32       Status;                                       
1360 | 		VOID*        Pointer;                                      
1361 | 	};                                                             
1362 | 	UINT64       Information;                                      
1363 | }IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
1364 | 
1365 | #endif
1366 | 
1367 | //
1368 | // Define the access check value for any access
1369 | //
1370 | //
1371 | // The FILE_READ_ACCESS and FILE_WRITE_ACCESS constants are also defined in
1372 | // ntioapi.h as FILE_READ_DATA and FILE_WRITE_DATA. The values for these
1373 | // constants *MUST* always be in sync.
1374 | //
1375 | 
1376 | 
1377 | #define FILE_ANY_ACCESS                 0
1378 | #define FILE_READ_ACCESS          ( 0x0001 )    // file & pipe
1379 | #define FILE_WRITE_ACCESS         ( 0x0002 )    // file & pipe
1380 | 
1381 | 
1382 | // begin_winnt
1383 | 
1384 | //
1385 | // Define access rights to files and directories
1386 | //
1387 | 
1388 | //
1389 | // The FILE_READ_DATA and FILE_WRITE_DATA constants are also defined in
1390 | // devioctl.h as FILE_READ_ACCESS and FILE_WRITE_ACCESS. The values for these
1391 | // constants *MUST* always be in sync.
1392 | // The values are redefined in devioctl.h because they must be available to
1393 | // both DOS and NT.
1394 | //
1395 | 
1396 | #define FILE_READ_DATA            ( 0x0001 )    // file & pipe
1397 | #define FILE_LIST_DIRECTORY       ( 0x0001 )    // directory
1398 | 
1399 | #define FILE_WRITE_DATA           ( 0x0002 )    // file & pipe
1400 | #define FILE_ADD_FILE             ( 0x0002 )    // directory
1401 | 
1402 | #define FILE_APPEND_DATA          ( 0x0004 )    // file
1403 | #define FILE_ADD_SUBDIRECTORY     ( 0x0004 )    // directory
1404 | #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )    // named pipe
1405 | 
1406 | #define FILE_READ_EA              ( 0x0008 )    // file & directory
1407 | 
1408 | #define FILE_WRITE_EA             ( 0x0010 )    // file & directory
1409 | 
1410 | #define FILE_EXECUTE              ( 0x0020 )    // file
1411 | #define FILE_TRAVERSE             ( 0x0020 )    // directory
1412 | 
1413 | #define FILE_DELETE_CHILD         ( 0x0040 )    // directory
1414 | 
1415 | #define FILE_READ_ATTRIBUTES      ( 0x0080 )    // all
1416 | 
1417 | #define FILE_WRITE_ATTRIBUTES     ( 0x0100 )    // all
1418 | 
1419 | #define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
1420 | 
1421 | #define FILE_GENERIC_READ         (STANDARD_RIGHTS_READ     |\
1422 |                                    FILE_READ_DATA           |\
1423 |                                    FILE_READ_ATTRIBUTES     |\
1424 |                                    FILE_READ_EA             |\
1425 |                                    SYNCHRONIZE)
1426 | 
1427 | 
1428 | #define FILE_GENERIC_WRITE        (STANDARD_RIGHTS_WRITE    |\
1429 |                                    FILE_WRITE_DATA          |\
1430 |                                    FILE_WRITE_ATTRIBUTES    |\
1431 |                                    FILE_WRITE_EA            |\
1432 |                                    FILE_APPEND_DATA         |\
1433 |                                    SYNCHRONIZE)
1434 | 
1435 | 
1436 | #define FILE_GENERIC_EXECUTE      (STANDARD_RIGHTS_EXECUTE  |\
1437 |                                    FILE_READ_ATTRIBUTES     |\
1438 |                                    FILE_EXECUTE             |\
1439 |                                    SYNCHRONIZE)
1440 | 
1441 | // end_winnt
1442 | 
1443 | 
1444 | //
1445 | // Define share access rights to files and directories
1446 | //
1447 | 
1448 | #define FILE_SHARE_READ                 0x00000001  // winnt
1449 | #define FILE_SHARE_WRITE                0x00000002  // winnt
1450 | #define FILE_SHARE_DELETE               0x00000004  // winnt
1451 | #define FILE_SHARE_VALID_FLAGS          0x00000007
1452 | 
1453 | //
1454 | // Define the file attributes values
1455 | //
1456 | // Note:  0x00000008 is reserved for use for the old DOS VOLID (volume ID)
1457 | //        and is therefore not considered valid in NT.
1458 | //
1459 | // Note:  0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
1460 | //        and is therefore not considered valid in NT.  This flag has
1461 | //        been disassociated with file attributes since the other flags are
1462 | //        protected with READ_ and WRITE_ATTRIBUTES access to the file.
1463 | //
1464 | // Note:  Note also that the order of these flags is set to allow both the
1465 | //        FAT and the Pinball File Systems to directly set the attributes
1466 | //        flags in attributes words without having to pick each flag out
1467 | //        individually.  The order of these flags should not be changed!
1468 | //
1469 | 
1470 | #define FILE_ATTRIBUTE_READONLY         0x00000001  // winnt
1471 | #define FILE_ATTRIBUTE_HIDDEN           0x00000002  // winnt
1472 | #define FILE_ATTRIBUTE_SYSTEM           0x00000004  // winnt
1473 | #define FILE_ATTRIBUTE_DIRECTORY        0x00000010  // winnt
1474 | #define FILE_ATTRIBUTE_ARCHIVE          0x00000020  // winnt
1475 | #define FILE_ATTRIBUTE_NORMAL           0x00000080  // winnt
1476 | #define FILE_ATTRIBUTE_TEMPORARY        0x00000100  // winnt
1477 | #define FILE_ATTRIBUTE_RESERVED0        0x00000200
1478 | #define FILE_ATTRIBUTE_RESERVED1        0x00000400
1479 | #define FILE_ATTRIBUTE_COMPRESSED       0x00000800  // winnt
1480 | #define FILE_ATTRIBUTE_OFFLINE          0x00001000  // winnt
1481 | #define FILE_ATTRIBUTE_PROPERTY_SET     0x00002000
1482 | #define FILE_ATTRIBUTE_VALID_FLAGS      0x00003fb7
1483 | #define FILE_ATTRIBUTE_VALID_SET_FLAGS  0x00003fa7
1484 | 
1485 | //
1486 | // Define the create disposition values
1487 | //
1488 | 
1489 | #define FILE_SUPERSEDE                  0x00000000
1490 | #define FILE_OPEN                       0x00000001
1491 | #define FILE_CREATE                     0x00000002
1492 | #define FILE_OPEN_IF                    0x00000003
1493 | #define FILE_OVERWRITE                  0x00000004
1494 | #define FILE_OVERWRITE_IF               0x00000005
1495 | #define FILE_MAXIMUM_DISPOSITION        0x00000005
1496 | 
1497 | 
1498 | //
1499 | // Define the create/open option flags
1500 | //
1501 | 
1502 | #define FILE_DIRECTORY_FILE                     0x00000001
1503 | #define FILE_WRITE_THROUGH                      0x00000002
1504 | #define FILE_SEQUENTIAL_ONLY                    0x00000004
1505 | #define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008
1506 | 
1507 | #define FILE_SYNCHRONOUS_IO_ALERT               0x00000010
1508 | #define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020
1509 | #define FILE_NON_DIRECTORY_FILE                 0x00000040
1510 | #define FILE_CREATE_TREE_CONNECTION             0x00000080
1511 | 
1512 | #define FILE_COMPLETE_IF_OPLOCKED               0x00000100
1513 | #define FILE_NO_EA_KNOWLEDGE                    0x00000200
1514 | //UNUSED                                        0x00000400
1515 | #define FILE_RANDOM_ACCESS                      0x00000800
1516 | 
1517 | #define FILE_DELETE_ON_CLOSE                    0x00001000
1518 | #define FILE_OPEN_BY_FILE_ID                    0x00002000
1519 | #define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000
1520 | #define FILE_NO_COMPRESSION                     0x00008000
1521 | 
1522 | 
1523 | #define FILE_RESERVE_OPFILTER                   0x00100000
1524 | #define FILE_TRANSACTED_MODE                    0x00200000
1525 | #define FILE_OPEN_OFFLINE_FILE                  0x00400000
1526 | 
1527 | #define FILE_VALID_OPTION_FLAGS                 0x007fffff
1528 | #define FILE_VALID_PIPE_OPTION_FLAGS            0x00000032
1529 | #define FILE_VALID_MAILSLOT_OPTION_FLAGS        0x00000032
1530 | #define FILE_VALID_SET_FLAGS                    0x00000036
1531 | 
1532 | //
1533 | // Define the I/O status information return values for NtCreateFile/NtOpenFile
1534 | //
1535 | 
1536 | #define FILE_SUPERSEDED                 0x00000000
1537 | #define FILE_OPENED                     0x00000001
1538 | #define FILE_CREATED                    0x00000002
1539 | #define FILE_OVERWRITTEN                0x00000003
1540 | #define FILE_EXISTS                     0x00000004
1541 | #define FILE_DOES_NOT_EXIST             0x00000005
1542 | 
1543 | //
1544 | // Define special ByteOffset parameters for read and write operations
1545 | //
1546 | 
1547 | #define FILE_WRITE_TO_END_OF_FILE       0xffffffff
1548 | #define FILE_USE_FILE_POINTER_POSITION  0xfffffffe
1549 | 
1550 | 
1551 | NTSYSAPI
1552 | NTSTATUS
1553 | NTAPI
1554 | NtCreateFile(
1555 |     OUT PHANDLE FileHandle,
1556 |     IN ACCESS_MASK DesiredAccess,
1557 |     IN POBJECT_ATTRIBUTES ObjectAttributes,
1558 |     OUT PIO_STATUS_BLOCK IoStatusBlock,
1559 | 	IN PLARGE_INTEGER AllocationSize OPTIONAL,
1560 | 	IN ULONG FileAttributes,
1561 | 	IN ULONG ShareAccess,
1562 | 	IN ULONG CreateDisposition,
1563 | 	IN ULONG CreateOptions,
1564 | 	IN PVOID EaBuffer OPTIONAL,
1565 | 	IN ULONG EaLength
1566 | 	);
1567 | 
1568 | NTSYSAPI
1569 | NTSTATUS
1570 | NTAPI
1571 | NtOpenFile(
1572 | 	OUT PHANDLE             FileHandle,
1573 | 	IN ACCESS_MASK          DesiredAccess,
1574 | 	IN POBJECT_ATTRIBUTES   ObjectAttributes,
1575 | 	OUT PIO_STATUS_BLOCK    IoStatusBlock,
1576 | 	IN ULONG                ShavbvvreAccess,
1577 | 	IN ULONG                OpenOptions
1578 | 	);
1579 | 
1580 | NTSYSAPI
1581 | NTSTATUS
1582 | NTAPI
1583 | NtDeleteFile(
1584 | 	IN POBJECT_ATTRIBUTES   ObjectAttributes
1585 | 	);
1586 | 
1587 | NTSYSAPI
1588 | NTSTATUS
1589 | NTAPI
1590 | NtClose(
1591 | 	IN HANDLE Handle
1592 | 	);
1593 | 
1594 | #define PIO_APC_ROUTINE void*
1595 | 
1596 | NTSYSAPI
1597 | NTSTATUS
1598 | NTAPI
1599 | NtReadFile(
1600 | 	IN HANDLE FileHandle,
1601 | 	IN HANDLE Event OPTIONAL,
1602 | 	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1603 | 	IN PVOID ApcContext OPTIONAL,
1604 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
1605 | 	OUT PVOID Buffer,
1606 | 	IN ULONG Length,
1607 | 	IN PLARGE_INTEGER ByteOffset OPTIONAL,
1608 | 	IN PULONG Key OPTIONAL
1609 | 	);
1610 | 
1611 | NTSYSAPI
1612 | NTSTATUS
1613 | NTAPI
1614 | NtWriteFile(
1615 |   IN HANDLE  FileHandle,
1616 |   IN HANDLE  Event  OPTIONAL,
1617 |   IN PIO_APC_ROUTINE  ApcRoutine  OPTIONAL,
1618 |   IN PVOID  ApcContext  OPTIONAL,
1619 |   OUT PIO_STATUS_BLOCK  IoStatusBlock,
1620 |   IN PVOID  Buffer,
1621 |   IN ULONG  Length,
1622 |   IN PLARGE_INTEGER  ByteOffset  OPTIONAL,
1623 |   IN PULONG  Key  OPTIONAL
1624 |   );
1625 | 
1626 | NTSYSAPI
1627 | NTSTATUS
1628 | NTAPI
1629 | NtNotifyChangeDirectoryFile(
1630 | 	IN HANDLE FileHandle,
1631 | 	IN HANDLE Event OPTIONAL,
1632 | 	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
1633 | 	IN PVOID ApcContext OPTIONAL,
1634 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
1635 | 	OUT PFILE_NOTIFY_INFORMATION Buffer,
1636 | 	IN ULONG BufferLength,
1637 | 	IN ULONG NotifyFilter,
1638 | 	IN BOOLEAN WatchSubtree
1639 | );
1640 | 
1641 | /*
1642 | calling ntquerysysteminformation with a request type of 16
1643 | to get back a list of what appears to be objects and their associated pids. the structure contains 4 DWORDs
1644 |  
1645 | DWORD pid
1646 | DWORD unknown
1647 | DWORD object
1648 | DWORD unknown
1649 |  
1650 | I believe one of these unknows contains a flag used to determine the object type. does anyone know the type flags?
1651 | */
1652 | 
1653 | typedef enum _SYSTEMINFOCLASS {
1654 |     SystemInfoBasic = 0,
1655 |     SystemInfoProcessor,
1656 |     SystemInfoTimeZone,
1657 |     SystemInfoTimeInformation,
1658 |     SystemInfoUnk4, 
1659 |     SystemInfoProcesses,
1660 |     SystemInfoUnk6,
1661 |     SystemInfoConfiguration,
1662 |     SystemInfoUnk8,
1663 |     SystemInfoUnk9,
1664 |     SystemInfoUnk10,
1665 |     SystemInfoDrivers
1666 | } SYSTEMINFOCLASS, *PSYSTEMINFOCLASS;
1667 | 
1668 | typedef struct _SYSTEM_TIME_INFORMATION
1669 | {
1670 |   LARGE_INTEGER liKeBootTime;
1671 |   LARGE_INTEGER liKeSystemTime;
1672 |   LARGE_INTEGER liExpTimeZoneBias;
1673 |   ULONG uCurrentTimeZoneId;
1674 |   DWORD dwReserved;
1675 | } SYSTEM_TIME_INFORMATION;
1676 | 
1677 | NTSYSAPI
1678 | NTSTATUS
1679 | NTAPI
1680 | NtQuerySystemInformation(
1681 |     IN SYSTEMINFOCLASS SystemInformationClass, 
1682 |     OUT PVOID SystemInformation, 
1683 |     IN ULONG SystemInformationLength,
1684 |     OUT PULONG LehgthReturned OPTIONAL
1685 |     );
1686 | 
1687 | 
1688 | //typedef struct _FILETIME 
1689 | //{ // ft 
1690 | //  ULONG dwLowDateTime; 
1691 | //  ULONG dwHighDateTime; 
1692 | //} FILETIME; 
1693 | 
1694 | 
1695 | typedef struct _THREAD_INFO
1696 | {
1697 |   FILETIME      ftCreationTime;
1698 |   ULONG         dwUnknown1;
1699 |   ULONG         dwStartAddress;
1700 |   ULONG         dwOwningPID;
1701 |   ULONG         dwThreadID;
1702 |   ULONG         dwCurrentPriority;
1703 |   ULONG         dwBasePriority;
1704 |   ULONG         dwContextSwitches;
1705 |   ULONG         dwThreadState;
1706 |   ULONG         dwUnknown2;
1707 |   ULONG         dwUnknown3;
1708 |   ULONG         dwUnknown4;
1709 |   ULONG         dwUnknown5;
1710 |   ULONG         dwUnknown6;
1711 |   ULONG         dwUnknown7;
1712 | } THREAD_INFO, *PTHREAD_INFO;
1713 | 
1714 | typedef struct _PROCESS_INFO
1715 | {
1716 |   ULONG         dwOffset; // an ofset to the next Process structure
1717 |   ULONG         dwThreadCount;
1718 |   ULONG         dwUnkown1[6];
1719 |   FILETIME      ftCreationTime;
1720 |   ULONG         dwUnkown2;
1721 |   ULONG         dwUnkown3;
1722 |   ULONG         dwUnkown4;
1723 |   ULONG         dwUnkown5;
1724 |   //WORD          wUnkown6;                                           // 38h
1725 |   //WORD          wUnkown6;                                           // 3Ah
1726 |   //WCHAR        *pszProcessName;                                     // 3Ch
1727 |   UNICODE_STRING ProcessName;                                       // 38h
1728 |   ULONG         dwBasePriority;
1729 |   ULONG         dwProcessID;
1730 |   ULONG         dwParentProcessID;
1731 |   ULONG         dwHandleCount;
1732 |   ULONG         dwUnkown7;
1733 |   ULONG         dwUnkown8;
1734 |   ULONG         dwVirtualBytesPeak;
1735 |   ULONG         dwVirtualBytes;
1736 |   ULONG         dwPageFaults;
1737 |   ULONG         dwWorkingSetPeak;
1738 |   ULONG         dwWorkingSet;
1739 |   ULONG         dwUnkown9;
1740 |   ULONG         dwPagedPool; // kbytes
1741 |   ULONG         dwUnkown10;
1742 |   ULONG         dwNonPagedPool; // kbytes
1743 |   ULONG         dwPageFileBytesPeak;
1744 |   ULONG         dwPageFileBytes;
1745 |   ULONG         dwPrivateBytes;
1746 |   ULONG         dwUnkown11;
1747 |   ULONG         dwUnkown12;
1748 |   ULONG         dwUnkown13;
1749 |   ULONG         dwUnkown14;
1750 |   THREAD_INFO   ti[1];
1751 |   //struct ThreadInfo ati[1];
1752 | } PROCESS_INFO, *PPROCESS_INFO;
1753 | 
1754 | NTSYSAPI  
1755 | NTSTATUS  
1756 | NTAPI  
1757 | ZwLoadDriver(
1758 |     IN PUNICODE_STRING DriverServiceName
1759 |     );
1760 | 
1761 | NTSYSAPI  
1762 | NTSTATUS  
1763 | NTAPI  
1764 | ZwUnloadDriver(
1765 |     IN PUNICODE_STRING DriverServiceName
1766 |     );
1767 | 
1768 | NTSYSAPI
1769 | NTSTATUS
1770 | NTAPI
1771 | ZwDeleteKey(
1772 |     IN HANDLE KeyHandle
1773 |     );
1774 | 
1775 | NTSYSAPI
1776 | NTSTATUS
1777 | NTAPI
1778 | ZwDeleteValueKey(
1779 |     IN HANDLE hKey,
1780 |     IN PUNICODE_STRING UniNameKey
1781 |     );
1782 | 
1783 | #define EXCEPTION_EXECUTE_HANDLER       1
1784 | #define EXCEPTION_CONTINUE_SEARCH       0
1785 | #define EXCEPTION_CONTINUE_EXECUTION    -1
1786 | 
1787 | typedef enum _POOL_TYPE {
1788 | 	NonPagedPool,
1789 | 	PagedPool,
1790 | 	NonPagedPoolMustSucceed,
1791 | 	DontUseThisType,
1792 | 	NonPagedPoolCacheAligned,
1793 | 	PagedPoolCacheAligned,
1794 | 	NonPagedPoolCacheAlignedMustS,
1795 | 	MaxPoolType,
1796 | 	NonPagedPoolSession = 32,
1797 | 	PagedPoolSession,
1798 | 	NonPagedPoolMustSucceedSession,
1799 | 	DontUseThisTypeSession,
1800 | 	NonPagedPoolCacheAlignedSession,
1801 | 	PagedPoolCacheAlignedSession,
1802 | 	NonPagedPoolCacheAlignedMustSSession
1803 | } POOL_TYPE;
1804 | 
1805 | typedef enum _OBJECT_INFORMATION_CLASS {
1806 | 	ObjectBasicInformation, // 0 Y N
1807 | 	ObjectNameInformation, // 1 Y N
1808 | 	ObjectTypeInformation, // 2 Y N
1809 | 	ObjectAllTypesInformation, // 3 Y N
1810 | 	ObjectHandleInformation // 4 Y Y
1811 | } OBJECT_INFORMATION_CLASS;
1812 | 
1813 | typedef struct _OBJECT_NAME_INFORMATION {               
1814 | 	UNICODE_STRING Name; 
1815 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
1816 | 
1817 | typedef struct _OBJECT_TYPE_INFORMATION { // Information Class 2
1818 | 	UNICODE_STRING Name;
1819 | 	ULONG ObjectCount;
1820 | 	ULONG HandleCount;
1821 | 	ULONG Reserved1[4];
1822 | 	ULONG PeakObjectCount;
1823 | 	ULONG PeakHandleCount;
1824 | 	ULONG Reserved2[4];
1825 | 	ULONG InvalidAttributes;
1826 | 	GENERIC_MAPPING GenericMapping;
1827 | 	ULONG ValidAccess;
1828 | 	UCHAR Unknown;
1829 | 	BOOLEAN MaintainHandleDatabase;
1830 | 	POOL_TYPE PoolType;
1831 | 	ULONG PagedPoolUsage;
1832 | 	ULONG NonPagedPoolUsage;
1833 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
1834 | 
1835 | NTSYSAPI
1836 | NTSTATUS
1837 | NTAPI
1838 | ZwQueryObject(IN HANDLE ObjectHandle,
1839 | 			  IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
1840 | 			  OUT PVOID ObjectInformation,
1841 | 			  IN ULONG ObjectInformationLength,
1842 | 			  OUT PULONG ReturnLength OPTIONAL);
1843 | 
1844 | typedef enum _FILE_INFORMATION_CLASS {
1845 | 	FileDirectoryInformation = 1, // 1 Y N D
1846 | 	FileFullDirectoryInformation, // 2 Y N D
1847 | 	FileBothDirectoryInformation, // 3 Y N D
1848 | 	FileBasicInformation, // 4 Y Y F
1849 | 	FileStandardInformation, // 5 Y N F
1850 | 	FileInternalInformation, // 6 Y N F
1851 | 	FileEaInformation, // 7 Y N F
1852 | 	FileAccessInformation, // 8 Y N F
1853 | 	FileNameInformation, // 9 Y N F
1854 | 	FileRenameInformation, // 10 N Y F
1855 | 	FileLinkInformation, // 11 N Y F
1856 | 	FileNamesInformation, // 12 Y N D
1857 | 	FileDispositionInformation, // 13 N Y F
1858 | 	FilePositionInformation, // 14 Y Y F
1859 | 	FileFullEaInformation,          // 15
1860 | 	FileModeInformation, // 16 Y Y F
1861 | 	FileAlignmentInformation, // 17 Y N F
1862 | 	FileAllInformation, // 18 Y N F
1863 | 	FileAllocationInformation, // 19 N Y F
1864 | 	FileEndOfFileInformation, // 20 N Y F
1865 | 	FileAlternateNameInformation, // 21 Y N F
1866 | 	FileStreamInformation, // 22 Y N F
1867 | 	FilePipeInformation, // 23 Y Y F
1868 | 	FilePipeLocalInformation, // 24 Y N F
1869 | 	FilePipeRemoteInformation, // 25 Y Y F
1870 | 	FileMailslotQueryInformation, // 26 Y N F
1871 | 	FileMailslotSetInformation, // 27 N Y F
1872 | 	FileCompressionInformation, // 28 Y N F
1873 | 	FileObjectIdInformation, // 29 Y Y F
1874 | 	FileCompletionInformation, // 30 N Y F
1875 | 	FileMoveClusterInformation, // 31 N Y F
1876 | 	FileQuotaInformation, // 32 Y Y F
1877 | 	FileReparsePointInformation, // 33 Y N F
1878 | 	FileNetworkOpenInformation, // 34 Y N F
1879 | 	FileAttributeTagInformation, // 35 Y N F
1880 | 	FileTrackingInformation, // 36 N Y F
1881 | 	FileIdBothDirectoryInformation, // 37
1882 | 	FileIdFullDirectoryInformation, // 38
1883 | 	FileValidDataLengthInformation, // 39
1884 | 	FileShortNameInformation,       // 40
1885 | 	FileIoCompletionNotificationInformation, // 41
1886 | 	FileIoStatusBlockRangeInformation,       // 42
1887 | 	FileIoPriorityHintInformation,           // 43
1888 | 	FileSfioReserveInformation,              // 44
1889 | 	FileSfioVolumeInformation,               // 45
1890 | 	FileHardLinkInformation,                 // 46
1891 | 	FileProcessIdsUsingFileInformation,      // 47
1892 | 	FileNormalizedNameInformation,           // 48
1893 | 	FileNetworkPhysicalNameInformation,      // 49
1894 | 	FileIdGlobalTxDirectoryInformation,      // 50
1895 | 	FileIsRemoteDeviceInformation,           // 51
1896 | 	FileAttributeCacheInformation,           // 52
1897 | 	FileNumaNodeInformation,                 // 53
1898 | 	FileStandardLinkInformation,             // 54
1899 | 	FileRemoteProtocolInformation,           // 55
1900 | 	FileRenameInformationBypassAccessCheck, // (kernel-mode only) // since WIN8
1901 | 	FileLinkInformationBypassAccessCheck, // (kernel-mode only)
1902 | 	FileIntegrityStreamInformation,
1903 | 	FileVolumeNameInformation,
1904 | 	//FileIdInformation,
1905 | 	//FileIdExtdDirectoryInformation,
1906 | 	FileMaximumInformation
1907 | } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
1908 | 
1909 | typedef struct _FILE_DIRECTORY_INFORMATION { // Information Class 1
1910 | 	ULONG NextEntryOffset;
1911 | 	ULONG Unknown;
1912 | 	LARGE_INTEGER CreationTime;
1913 | 	LARGE_INTEGER LastAccessTime;
1914 | 	LARGE_INTEGER LastWriteTime;
1915 | 	LARGE_INTEGER ChangeTime;
1916 | 	LARGE_INTEGER EndOfFile;
1917 | 	LARGE_INTEGER AllocationSize;
1918 | 	ULONG FileAttributes;
1919 | 	ULONG FileNameLength;
1920 | 	WCHAR FileName[1];
1921 | } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
1922 | 
1923 | typedef struct _FILE_FULL_DIRECTORY_INFORMATION { // Information Class 2
1924 | 	ULONG NextEntryOffset;
1925 | 	ULONG Unknown;
1926 | 	LARGE_INTEGER CreationTime;
1927 | 	LARGE_INTEGER LastAccessTime;
1928 | 	LARGE_INTEGER LastWriteTime;
1929 | 	LARGE_INTEGER ChangeTime;
1930 | 	LARGE_INTEGER EndOfFile;
1931 | 	LARGE_INTEGER AllocationSize;
1932 | 	ULONG FileAttributes;
1933 | 	ULONG FileNameLength;
1934 | 	ULONG EaInformationLength;
1935 | 	WCHAR FileName[1];
1936 | } FILE_FULL_DIRECTORY_INFORMATION, *PFILE_FULL_DIRECTORY_INFORMATION;
1937 | 
1938 | typedef struct _FILE_BOTH_DIRECTORY_INFORMATION { // Information Class 3
1939 | 	ULONG NextEntryOffset;
1940 | 	ULONG Unknown;
1941 | 	LARGE_INTEGER CreationTime;
1942 | 	LARGE_INTEGER LastAccessTime;
1943 | 	LARGE_INTEGER LastWriteTime;
1944 | 	LARGE_INTEGER ChangeTime;
1945 | 	LARGE_INTEGER EndOfFile;
1946 | 	LARGE_INTEGER AllocationSize;
1947 | 	ULONG FileAttributes;
1948 | 	ULONG FileNameLength;
1949 | 	ULONG EaInformationLength;
1950 | 	UCHAR AlternateNameLength;
1951 | 	WCHAR AlternateName[12];
1952 | 	WCHAR FileName[1];
1953 | } FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION;
1954 | 
1955 | typedef struct _FILE_BASIC_INFORMATION { // Information Class 4
1956 | 	LARGE_INTEGER CreationTime;
1957 | 	LARGE_INTEGER LastAccessTime;
1958 | 	LARGE_INTEGER LastWriteTime;
1959 | 	LARGE_INTEGER ChangeTime;
1960 | 	ULONG FileAttributes;
1961 | } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
1962 | 
1963 | typedef struct _FILE_STANDARD_INFORMATION { // Information Class 5
1964 | 	LARGE_INTEGER AllocationSize;
1965 | 	LARGE_INTEGER EndOfFile;
1966 | 	ULONG NumberOfLinks;
1967 | 	BOOLEAN DeletePending;
1968 | 	BOOLEAN Directory;
1969 | } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
1970 | 
1971 | typedef struct _FILE_NAME_INFORMATION { // Information Classes 9 and 21
1972 | 	ULONG FileNameLength;
1973 | 	WCHAR FileName[1];
1974 | } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION,
1975 | FILE_ALTERNATE_NAME_INFORMATION, *PFILE_ALTERNATE_NAME_INFORMATION;
1976 | 
1977 | typedef struct _FILE_LINK_RENAME_INFORMATION { // Info Classes 10 and 11
1978 | 	BOOLEAN ReplaceIfExists;
1979 | 	HANDLE RootDirectory;
1980 | 	ULONG FileNameLength;
1981 | 	WCHAR FileName[1];
1982 | } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION,
1983 | FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
1984 | 
1985 | typedef struct _FILE_COMPRESSION_INFORMATION {  
1986 | LARGE_INTEGER CompressedFileSize;  
1987 | USHORT  CompressionFormat;  
1988 | UCHAR  CompressionUnitShift;  
1989 | UCHAR  ChunkShift;  
1990 | UCHAR  ClusterShift; 
1991 | UCHAR  Reserved[3];
1992 | } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
1993 | 
1994 | typedef struct _FILE_REPARSE_POINT_INFORMATION {    
1995 | 	LONGLONG FileReference;    
1996 | 	ULONG Tag;
1997 | } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;
1998 | 
1999 | typedef struct _FILE_NAMES_INFORMATION { // Information Class 12
2000 | 	ULONG NextEntryOffset;
2001 | 	ULONG Unknown;
2002 | 	ULONG FileNameLength;
2003 | 	WCHAR FileName[1];
2004 | } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
2005 | 
2006 | typedef struct _FILE_DISPOSITION_INFORMATION { // Information Class 13
2007 | 	BOOLEAN DeleteFile;
2008 | } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
2009 | 
2010 | typedef struct _FILE_POSITION_INFORMATION {
2011 | 	LARGE_INTEGER CurrentByteOffset;
2012 | } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
2013 | 
2014 | typedef struct _FILE_END_OF_FILE_INFORMATION {
2015 | 	LARGE_INTEGER EndOfFile;
2016 | } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
2017 | 
2018 | typedef struct _FILE_INTERNAL_INFORMATION {
2019 | 	LARGE_INTEGER IndexNumber;
2020 | } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
2021 | 
2022 | typedef struct _FILE_EA_INFORMATION {
2023 | 	ULONG EaSize;
2024 | } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
2025 | 
2026 | typedef struct _FILE_ACCESS_INFORMATION {
2027 | 	ACCESS_MASK AccessFlags;
2028 | } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
2029 | 
2030 | typedef struct _FILE_MODE_INFORMATION {
2031 | 	ULONG Mode;
2032 | } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
2033 | 
2034 | typedef struct _FILE_ALIGNMENT_INFORMATION {
2035 | 	ULONG AlignmentRequirement;
2036 | } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
2037 | 
2038 | typedef struct _FILE_ALL_INFORMATION {
2039 | 	FILE_BASIC_INFORMATION BasicInformation;
2040 | 	FILE_STANDARD_INFORMATION StandardInformation;
2041 | 	FILE_INTERNAL_INFORMATION InternalInformation;
2042 | 	FILE_EA_INFORMATION EaInformation;
2043 | 	FILE_ACCESS_INFORMATION AccessInformation;
2044 | 	FILE_POSITION_INFORMATION PositionInformation;
2045 | 	FILE_MODE_INFORMATION ModeInformation;
2046 | 	FILE_ALIGNMENT_INFORMATION AlignmentInformation;
2047 | 	FILE_NAME_INFORMATION NameInformation;
2048 | } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
2049 | 
2050 | typedef struct _FILE_NETWORK_OPEN_INFORMATION { // Information Class 34
2051 | 	LARGE_INTEGER CreationTime;
2052 | 	LARGE_INTEGER LastAccessTime;
2053 | 	LARGE_INTEGER LastWriteTime;
2054 | 	LARGE_INTEGER ChangeTime;
2055 | 	LARGE_INTEGER AllocationSize;
2056 | 	LARGE_INTEGER EndOfFile;
2057 | 	ULONG FileAttributes;
2058 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
2059 | 
2060 | typedef enum _FILE_STORAGE_TYPE {
2061 | 	StorageTypeDefault = 1,
2062 | 	StorageTypeDirectory,
2063 | 	StorageTypeFile,
2064 | 	StorageTypeJunctionPoint,
2065 | 	StorageTypeCatalog,
2066 | 	StorageTypeStructuredStorage,
2067 | 	StorageTypeEmbedding,
2068 | 	StorageTypeStream
2069 | } FILE_STORAGE_TYPE;
2070 | 
2071 | typedef struct _FILE_ID_BOTH_DIR_INFORMATION { // Information Class 37
2072 | 	ULONG         NextEntryOffset;
2073 | 	ULONG         FileIndex;
2074 | 	LARGE_INTEGER CreationTime;
2075 | 	LARGE_INTEGER LastAccessTime;
2076 | 	LARGE_INTEGER LastWriteTime;
2077 | 	LARGE_INTEGER ChangeTime;
2078 | 	LARGE_INTEGER EndOfFile;
2079 | 	LARGE_INTEGER AllocationSize;
2080 | 	ULONG         FileAttributes;
2081 | 	ULONG         FileNameLength;
2082 | 	ULONG         EaSize;
2083 | 	CCHAR         ShortNameLength;
2084 | 	WCHAR         ShortName[12];
2085 | 	LARGE_INTEGER FileId;
2086 | 	WCHAR         FileName[1];
2087 | } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
2088 | 
2089 | typedef struct _FILE_ID_FULL_DIR_INFORMATION { // Information Class 38
2090 | 	ULONG         NextEntryOffset;
2091 | 	ULONG         FileIndex;
2092 | 	LARGE_INTEGER CreationTime;
2093 | 	LARGE_INTEGER LastAccessTime;
2094 | 	LARGE_INTEGER LastWriteTime;
2095 | 	LARGE_INTEGER ChangeTime;
2096 | 	LARGE_INTEGER EndOfFile;
2097 | 	LARGE_INTEGER AllocationSize;
2098 | 	ULONG         FileAttributes;
2099 | 	ULONG         FileNameLength;
2100 | 	ULONG         EaSize;
2101 | 	LARGE_INTEGER FileId;
2102 | 	WCHAR         FileName[1];
2103 | } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
2104 | 
2105 | typedef struct _FILE_OLE_DIR_INFORMATION { 
2106 | 	ULONG               NextEntryOffset;
2107 | 	ULONG               FileIndex;
2108 | 	LARGE_INTEGER       CreationTime;
2109 | 	LARGE_INTEGER       LastAccessTime;
2110 | 	LARGE_INTEGER       LastWriteTime;
2111 | 	LARGE_INTEGER       ChangeTime;
2112 | 	LARGE_INTEGER       EndOfFile;
2113 | 	LARGE_INTEGER       AllocationSize;
2114 | 	ULONG               FileAttributes;
2115 | 	ULONG               FileNameLength;
2116 | 	FILE_STORAGE_TYPE   StorageType;
2117 | 	GUID                OleClassId;
2118 | 	ULONG               OleStateBits;
2119 | 	BOOLEAN             ContentIndexDisable;
2120 | 	BOOLEAN             InheritContentIndexDisable;
2121 | 	WCHAR               FileName[1];
2122 | } FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;
2123 | 
2124 | typedef enum _EVENT_TYPE {
2125 | 	NotificationEvent, // A manual-reset event
2126 | 	SynchronizationEvent // An auto-reset event
2127 | } EVENT_TYPE;
2128 | 
2129 | NTSYSAPI
2130 | NTSTATUS
2131 | NTAPI
2132 | NtSetInformationFile(
2133 | 	IN HANDLE					FileHandle,
2134 | 	OUT PIO_STATUS_BLOCK		IoStatusBlock,
2135 | 	IN PVOID					FileInformation,
2136 | 	IN ULONG					FileInformationLength,
2137 | 	IN FILE_INFORMATION_CLASS	FileInformationClass
2138 | 	);
2139 | 
2140 | NTSYSAPI
2141 | NTSTATUS
2142 | NTAPI
2143 | NtQueryAttributesFile(
2144 | 	IN POBJECT_ATTRIBUTES	ObjectAttributes,
2145 | 	OUT PFILE_BASIC_INFORMATION FileInformation
2146 | 	);
2147 | 
2148 | NTSYSAPI
2149 | NTSTATUS
2150 | NTAPI
2151 | NtQueryFullAttributesFile(
2152 | 	IN POBJECT_ATTRIBUTES ObjectAttributes,
2153 | 	OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
2154 | 	);
2155 | 
2156 | NTSYSAPI
2157 | NTSTATUS
2158 | NTAPI
2159 | NtQueryDirectoryFile(
2160 | 	IN HANDLE					FileHandle,
2161 | 	IN HANDLE					Event OPTIONAL,
2162 | 	IN PIO_APC_ROUTINE			ApcRoutine OPTIONAL,
2163 | 	IN PVOID					ApcContext OPTIONAL,
2164 | 	OUT PIO_STATUS_BLOCK		IoStatusBlock,
2165 | 	OUT PVOID					FileInformation,
2166 | 	IN ULONG					FileInformationLength,
2167 | 	IN FILE_INFORMATION_CLASS	FileInformationClass,
2168 | 	IN BOOLEAN					ReturnSingleEntry,
2169 | 	IN PUNICODE_STRING			FileName OPTIONAL,
2170 | 	IN BOOLEAN					RestartScan
2171 | 	);
2172 | 
2173 | typedef struct _PORT_MESSAGE {
2174 | 	USHORT DataSize;
2175 | 	USHORT MessageSize;
2176 | 	USHORT MessageType;
2177 | 	USHORT VirtualRangesOffset;
2178 | 	CLIENT_ID ClientId;
2179 | 	ULONG MessageId;
2180 | 	ULONG SectionSize;
2181 | 	// UCHAR Data[];
2182 | } PORT_MESSAGE, *PPORT_MESSAGE;
2183 | 
2184 | typedef struct _PORT_SECTION_WRITE {
2185 | 	ULONG Length;
2186 | 	HANDLE SectionHandle;
2187 | 	ULONG SectionOffset;
2188 | 	ULONG ViewSize;
2189 | 	PVOID ViewBase;
2190 | 	PVOID TargetViewBase;
2191 | } PORT_SECTION_WRITE, *PPORT_SECTION_WRITE;
2192 | 
2193 | typedef struct _PORT_SECTION_READ {
2194 | 	ULONG Length;
2195 | 	ULONG ViewSize;
2196 | 	ULONG ViewBase;
2197 | } PORT_SECTION_READ, *PPORT_SECTION_READ;
2198 | 
2199 | typedef struct _RTL_USER_PROCESS_INFORMATION {
2200 | 	ULONG                   Size;
2201 | 	HANDLE                  ProcessHandle;
2202 | 	HANDLE                  ThreadHandle;
2203 | 	CLIENT_ID               ClientId;
2204 | 	SECTION_IMAGE_INFORMATION ImageInformation;
2205 | } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;
2206 | 
2207 | typedef enum _PROCESSINFOCLASS {
2208 | 	ProcessBasicInformation, // 0 Y N
2209 | 	ProcessQuotaLimits, // 1 Y Y
2210 | 	ProcessIoCounters, // 2 Y N
2211 | 	ProcessVmCounters, // 3 Y N
2212 | 	ProcessTimes, // 4 Y N
2213 | 	ProcessBasePriority, // 5 N Y
2214 | 	ProcessRaisePriority, // 6 N Y
2215 | 	ProcessDebugPort, // 7 Y Y
2216 | 	ProcessExceptionPort, // 8 N Y
2217 | 	ProcessAccessToken, // 9 N Y
2218 | 	ProcessLdtInformation, // 10 Y Y
2219 | 	ProcessLdtSize, // 11 N Y
2220 | 	ProcessDefaultHardErrorMode, // 12 Y Y
2221 | 	ProcessIoPortHandlers, // 13 N Y
2222 | 	ProcessPooledUsageAndLimits, // 14 Y N
2223 | 	ProcessWorkingSetWatch, // 15 Y Y
2224 | 	ProcessUserModeIOPL, // 16 N Y
2225 | 	ProcessEnableAlignmentFaultFixup, // 17 N Y
2226 | 	ProcessPriorityClass, // 18 N Y
2227 | 	ProcessWx86Information, // 19 Y N
2228 | 	ProcessHandleCount, // 20 Y N
2229 | 	ProcessAffinityMask, // 21 N Y
2230 | 	ProcessPriorityBoost, // 22 Y Y
2231 | 	ProcessDeviceMap, // 23 Y Y
2232 | 	ProcessSessionInformation, // 24 Y Y
2233 | 	ProcessForegroundInformation, // 25 N Y
2234 | 	ProcessWow64Information, // 26 Y N
2235 | 	ProcessImageFileName,
2236 | 	ProcessLUIDDeviceMapsEnabled,
2237 | 	ProcessBreakOnTermination,
2238 | 	ProcessDebugObjectHandle,
2239 | 	ProcessDebugFlags
2240 | } PROCESSINFOCLASS;
2241 | 
2242 | typedef enum _THREADINFOCLASS {
2243 | 	ThreadBasicInformation, // 0 Y N
2244 | 	ThreadTimes, // 1 Y N
2245 | 	ThreadPriority, // 2 N Y
2246 | 	ThreadBasePriority, // 3 N Y
2247 | 	ThreadAffinityMask, // 4 N Y
2248 | 	ThreadImpersonationToken, // 5 N Y
2249 | 	ThreadDescriptorTableEntry, // 6 Y N
2250 | 	ThreadEnableAlignmentFaultFixup, // 7 N Y
2251 | 	ThreadEventPair, // 8 N Y
2252 | 	ThreadQuerySetWin32StartAddress, // 9 Y Y
2253 | 	ThreadZeroTlsCell, // 10 N Y
2254 | 	ThreadPerformanceCount, // 11 Y N
2255 | 	ThreadAmILastThread, // 12 Y N
2256 | 	ThreadIdealProcessor, // 13 N Y
2257 | 	ThreadPriorityBoost, // 14 Y Y
2258 | 	ThreadSetTlsArrayAddress, // 15 N Y
2259 | 	ThreadIsIoPending, // 16 Y N
2260 | 	ThreadHideFromDebugger // 17 N Y
2261 | } THREADINFOCLASS;
2262 | 
2263 | typedef LONG KPRIORITY;
2264 | 
2265 | typedef enum {
2266 | 	StateInitialized,
2267 | 	StateReady,
2268 | 	StateRunning,
2269 | 	StateStandby,
2270 | 	StateTerminated,
2271 | 	StateWait,
2272 | 	StateTransition,
2273 | 	StateUnknown
2274 | } THREAD_STATE;
2275 | 
2276 | typedef enum _KWAIT_REASON {
2277 | 	Executive,
2278 | 	FreePage,
2279 | 	PageIn,
2280 | 	PoolAllocation,
2281 | 	DelayExecution,
2282 | 	Suspended,
2283 | 	UserRequest,
2284 | 	WrExecutive,
2285 | 	WrFreePage,
2286 | 	WrPageIn,
2287 | 	WrPoolAllocation,
2288 | 	WrDelayExecution,
2289 | 	WrSuspended,
2290 | 	WrUserRequest,
2291 | 	WrEventPair,
2292 | 	WrQueue,
2293 | 	WrLpcReceive,
2294 | 	WrLpcReply,
2295 | 	WrVirtualMemory,
2296 | 	WrPageOut,
2297 | 	WrRendezvous,
2298 | 	Spare2,
2299 | 	Spare3,
2300 | 	Spare4,
2301 | 	Spare5,
2302 | 	Spare6,
2303 | 	WrKernel,
2304 | 	MaximumWaitReason
2305 | } KWAIT_REASON;
2306 | 
2307 | typedef struct _THREAD_BASIC_INFORMATION { // Information Class 0
2308 | 	NTSTATUS ExitStatus;
2309 | 	PNT_TIB TebBaseAddress;
2310 | 	CLIENT_ID ClientId;
2311 | 	KAFFINITY AffinityMask;
2312 | 	KPRIORITY Priority;
2313 | 	KPRIORITY BasePriority;
2314 | } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
2315 | 
2316 | typedef struct _SYSTEM_THREADS {
2317 | 	LARGE_INTEGER KernelTime;
2318 | 	LARGE_INTEGER UserTime;
2319 | 	LARGE_INTEGER CreateTime;
2320 | 	ULONG WaitTime;
2321 | 	PVOID StartAddress;
2322 | 	CLIENT_ID ClientId;
2323 | 	KPRIORITY Priority;
2324 | 	KPRIORITY BasePriority;
2325 | 	ULONG ContextSwitchCount;
2326 | 	THREAD_STATE State;
2327 | 	KWAIT_REASON WaitReason;
2328 | } SYSTEM_THREADS, *PSYSTEM_THREADS;
2329 | 
2330 | typedef struct _VM_COUNTERS {
2331 | 	SIZE_T PeakVirtualSize;
2332 | 	SIZE_T VirtualSize;
2333 | 	ULONG PageFaultCount;
2334 | 	SIZE_T PeakWorkingSetSize;
2335 | 	SIZE_T WorkingSetSize;
2336 | 	SIZE_T QuotaPeakPagedPoolUsage;
2337 | 	SIZE_T QuotaPagedPoolUsage;
2338 | 	SIZE_T QuotaPeakNonPagedPoolUsage;
2339 | 	SIZE_T QuotaNonPagedPoolUsage;
2340 | 	SIZE_T PagefileUsage;
2341 | 	SIZE_T PeakPagefileUsage;
2342 | } VM_COUNTERS;
2343 | typedef VM_COUNTERS *PVM_COUNTERS;
2344 | 
2345 | typedef struct _SYSTEM_PROCESSES { // Information Class 5
2346 | 	ULONG NextEntryDelta;
2347 | 	ULONG ThreadCount;
2348 | 	ULONG Reserved1[6];
2349 | 	LARGE_INTEGER CreateTime;
2350 | 	LARGE_INTEGER UserTime;
2351 | 	LARGE_INTEGER KernelTime;
2352 | 	UNICODE_STRING ProcessName;
2353 | 	KPRIORITY BasePriority;
2354 | // 	ULONG NextEntryDelta;
2355 | // 	BYTE Reserved1[52];
2356 | // 	PVOID Reserved2[3];
2357 | 	HANDLE ProcessId;
2358 | 	HANDLE InheritedFromProcessId;
2359 | 	ULONG HandleCount;
2360 | 	ULONG Reserved3[2];
2361 | 	VM_COUNTERS VmCounters;
2362 | 	IO_COUNTERS IoCounters; // Windows 2000 only
2363 | 	SYSTEM_THREADS Threads[1];
2364 | } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
2365 | 
2366 | typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
2367 | 	ULONG Reserved[2];
2368 | 	PVOID Base;
2369 | 	ULONG Size;
2370 | 	ULONG Flags;
2371 | 	USHORT Index;
2372 | 	USHORT Unknown;
2373 | 	USHORT LoadCount;
2374 | 	USHORT ModuleNameOffset;
2375 | 	CHAR ImageName[256];
2376 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
2377 | 
2378 | typedef struct _PROCESS_DEVICEMAP_INFORMATION {
2379 | 	ULONG DriverMap;
2380 | 	BYTE DriverType[32];
2381 | } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
2382 | 
2383 | typedef enum _LPC_MSG_TYPE {
2384 | 	LPC_NEW_MSG,
2385 | 	LPC_REQUEST,
2386 | 	LPC_REPLY,
2387 | 	LPC_DATAGRAM,
2388 | 	LPC_LOST_REPLY,
2389 | 	LPC_PORT_CLOSED,
2390 | 	LPC_CLIENT_DIED,
2391 | 	LPC_EXCEPTION,
2392 | 	LPC_DEBUG_EVENT,
2393 | 	LPC_ERROR_EVENT,
2394 | 	LPC_CONN_REQ
2395 | } LPC_MSG_TYPE;
2396 | 
2397 | typedef struct _LPC_MESSAGE {
2398 | 	USHORT DataSize;
2399 | 	USHORT TotalSize;
2400 | 	LPC_MSG_TYPE MsgType;
2401 | 	USHORT VirtRangOff;
2402 | 	CLIENT_ID ClientId;
2403 | 	ULONG Mid;
2404 | 	ULONG CallbackId;
2405 | } LPC_MESSAGE, *PLPC_MESSAGE;
2406 | 
2407 | // Asynchronous Local Inter-process Communication
2408 | 
2409 | // ALPC handles aren't NT object manager handles, and
2410 | // it seems traditional to use a typedef in these cases.
2411 | // rev
2412 | typedef PVOID ALPC_HANDLE, *PALPC_HANDLE;
2413 | 
2414 | #define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev
2415 | #define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg
2416 | #define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg
2417 | 
2418 | // symbols
2419 | typedef struct _ALPC_PORT_ATTRIBUTES
2420 | {
2421 | 	ULONG Flags;
2422 | 	SECURITY_QUALITY_OF_SERVICE SecurityQos;
2423 | 	SIZE_T MaxMessageLength;
2424 | 	SIZE_T MemoryBandwidth;
2425 | 	SIZE_T MaxPoolUsage;
2426 | 	SIZE_T MaxSectionSize;
2427 | 	SIZE_T MaxViewSize;
2428 | 	SIZE_T MaxTotalSectionSize;
2429 | 	ULONG DupObjectTypes;
2430 | #ifdef _M_X64
2431 | 	ULONG Reserved;
2432 | #endif
2433 | } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;
2434 | 
2435 | // begin_rev
2436 | #define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
2437 | #define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
2438 | #define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
2439 | #define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000
2440 | // end_rev
2441 | 
2442 | // symbols
2443 | typedef struct _ALPC_MESSAGE_ATTRIBUTES
2444 | {
2445 | 	ULONG AllocatedAttributes;
2446 | 	ULONG ValidAttributes;
2447 | } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;
2448 | 
2449 | // symbols
2450 | typedef struct _ALPC_COMPLETION_LIST_STATE
2451 | {
2452 | 	union
2453 | 	{
2454 | 		struct
2455 | 		{
2456 | 			ULONG64 Head : 24;
2457 | 			ULONG64 Tail : 24;
2458 | 			ULONG64 ActiveThreadCount : 16;
2459 | 		} s1;
2460 | 		ULONG64 Value;
2461 | 	} u1;
2462 | } ALPC_COMPLETION_LIST_STATE, *PALPC_COMPLETION_LIST_STATE;
2463 | 
2464 | #define ALPC_COMPLETION_LIST_BUFFER_GRANULARITY_MASK 0x3f // dbg
2465 | 
2466 | // symbols
2467 | typedef struct DECLSPEC_ALIGN(128) _ALPC_COMPLETION_LIST_HEADER
2468 | {
2469 | 	ULONG64 StartMagic;
2470 | 
2471 | 	ULONG TotalSize;
2472 | 	ULONG ListOffset;
2473 | 	ULONG ListSize;
2474 | 	ULONG BitmapOffset;
2475 | 	ULONG BitmapSize;
2476 | 	ULONG DataOffset;
2477 | 	ULONG DataSize;
2478 | 	ULONG AttributeFlags;
2479 | 	ULONG AttributeSize;
2480 | 
2481 | 	DECLSPEC_ALIGN(128) ALPC_COMPLETION_LIST_STATE State;
2482 | 	ULONG LastMessageId;
2483 | 	ULONG LastCallbackId;
2484 | 	DECLSPEC_ALIGN(128) ULONG PostCount;
2485 | 	DECLSPEC_ALIGN(128) ULONG ReturnCount;
2486 | 	DECLSPEC_ALIGN(128) ULONG LogSequenceNumber;
2487 | 	DECLSPEC_ALIGN(128) RTL_SRWLOCK UserLock;
2488 | 
2489 | 	ULONG64 EndMagic;
2490 | } ALPC_COMPLETION_LIST_HEADER, *PALPC_COMPLETION_LIST_HEADER;
2491 | 
2492 | // private
2493 | typedef struct _ALPC_CONTEXT_ATTR
2494 | {
2495 | 	PVOID PortContext;
2496 | 	PVOID MessageContext;
2497 | 	ULONG Sequence;
2498 | 	ULONG MessageId;
2499 | 	ULONG CallbackId;
2500 | } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;
2501 | 
2502 | // begin_rev
2503 | #define ALPC_HANDLEFLG_DUPLICATE_SAME_ACCESS 0x10000
2504 | #define ALPC_HANDLEFLG_DUPLICATE_SAME_ATTRIBUTES 0x20000
2505 | #define ALPC_HANDLEFLG_DUPLICATE_INHERIT 0x80000
2506 | // end_rev
2507 | 
2508 | // private
2509 | typedef struct _ALPC_HANDLE_ATTR
2510 | {
2511 | 	ULONG Flags;
2512 | 	HANDLE Handle;
2513 | 	ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
2514 | 	ACCESS_MASK DesiredAccess;
2515 | } ALPC_HANDLE_ATTR, *PALPC_HANDLE_ATTR;
2516 | 
2517 | #define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg
2518 | 
2519 | // name:private
2520 | // rev
2521 | typedef struct _ALPC_SECURITY_ATTR
2522 | {
2523 | 	ULONG Flags;
2524 | 	PSECURITY_QUALITY_OF_SERVICE SecurityQos;
2525 | 	ALPC_HANDLE ContextHandle; // dbg
2526 | 	ULONG Reserved1;
2527 | 	ULONG Reserved2;
2528 | } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;
2529 | 
2530 | // begin_rev
2531 | #define ALPC_VIEWFLG_NOT_SECURE 0x40000
2532 | // end_rev
2533 | 
2534 | // private
2535 | typedef struct _ALPC_DATA_VIEW_ATTR
2536 | {
2537 | 	ULONG Flags;
2538 | 	ALPC_HANDLE SectionHandle;
2539 | 	PVOID ViewBase; // must be zero on input
2540 | 	SIZE_T ViewSize;
2541 | } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;
2542 | 
2543 | // private
2544 | typedef enum _ALPC_PORT_INFORMATION_CLASS
2545 | {
2546 | 	AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION
2547 | 	AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES
2548 | 	AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT
2549 | 	AlpcConnectedSIDInformation, // q: in SID
2550 | 	AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION
2551 | 	AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION
2552 | 	AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION
2553 | 	AlpcUnregisterCompletionListInformation, // s: VOID
2554 | 	AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG
2555 | 	AlpcRegisterCallback, // kernel-mode only // rev
2556 | 	AlpcDisableCompletionList, // s: VOID // rev
2557 | 	MaxAlpcPortInfoClass
2558 | } ALPC_PORT_INFORMATION_CLASS;
2559 | 
2560 | // private
2561 | typedef struct _ALPC_BASIC_INFORMATION
2562 | {
2563 | 	ULONG Flags;
2564 | 	ULONG SequenceNo;
2565 | 	PVOID PortContext;
2566 | } ALPC_BASIC_INFORMATION, *PALPC_BASIC_INFORMATION;
2567 | 
2568 | // private
2569 | typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT
2570 | {
2571 | 	PVOID CompletionKey;
2572 | 	HANDLE CompletionPort;
2573 | } ALPC_PORT_ASSOCIATE_COMPLETION_PORT, *PALPC_PORT_ASSOCIATE_COMPLETION_PORT;
2574 | 
2575 | // private
2576 | typedef struct _ALPC_SERVER_INFORMATION
2577 | {
2578 | 	union
2579 | 	{
2580 | 		struct
2581 | 		{
2582 | 			HANDLE ThreadHandle;
2583 | 		} In;
2584 | 		struct
2585 | 		{
2586 | 			BOOLEAN ThreadBlocked;
2587 | 			HANDLE ConnectedProcessId;
2588 | 			UNICODE_STRING ConnectionPortName;
2589 | 		} Out;
2590 | 	};
2591 | } ALPC_SERVER_INFORMATION, *PALPC_SERVER_INFORMATION;
2592 | 
2593 | // private
2594 | typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION
2595 | {
2596 | 	PVOID Buffer;
2597 | 	ULONG Size;
2598 | } ALPC_PORT_MESSAGE_ZONE_INFORMATION, *PALPC_PORT_MESSAGE_ZONE_INFORMATION;
2599 | 
2600 | // private
2601 | typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION
2602 | {
2603 | 	PVOID Buffer; // PALPC_COMPLETION_LIST_HEADER
2604 | 	ULONG Size;
2605 | 	ULONG ConcurrencyCount;
2606 | 	ULONG AttributeFlags;
2607 | } ALPC_PORT_COMPLETION_LIST_INFORMATION, *PALPC_PORT_COMPLETION_LIST_INFORMATION;
2608 | 
2609 | // private
2610 | typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
2611 | {
2612 | 	AlpcMessageSidInformation, // q: out SID
2613 | 	AlpcMessageTokenModifiedIdInformation,  // q: out LUID
2614 | 	MaxAlpcMessageInfoClass
2615 | } ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS;
2616 | 
2617 | 
2618 | typedef enum _FSINFOCLASS {
2619 | 	FileFsVolumeInformation = 1, // 1 Y N
2620 | 	FileFsLabelInformation, // 2 N Y
2621 | 	FileFsSizeInformation, // 3 Y N
2622 | 	FileFsDeviceInformation, // 4 Y N
2623 | 	FileFsAttributeInformation, // 5 Y N
2624 | 	FileFsControlInformation, // 6 Y Y
2625 | 	FileFsFullSizeInformation, // 7 Y N
2626 | 	FileFsObjectIdInformation // 8 Y Y
2627 | } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
2628 | 
2629 | typedef struct _FILE_FS_VOLUME_INFORMATION {
2630 | 	LARGE_INTEGER VolumeCreationTime;
2631 | 	ULONG VolumeSerialNumber;
2632 | 	ULONG VolumeLabelLength;
2633 | 	UCHAR Unknown;
2634 | 	WCHAR VolumeLabel[1];
2635 | } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
2636 | 
2637 | typedef struct _FILE_FS_LABEL_INFORMATION {
2638 | 	ULONG VolumeLabelLength;
2639 | 	WCHAR VolumeLabel[1];
2640 | } FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
2641 | 
2642 | typedef struct _FILE_FS_SIZE_INFORMATION {
2643 | 	LARGE_INTEGER TotalAllocationUnits;
2644 | 	LARGE_INTEGER AvailableAllocationUnits;
2645 | 	ULONG SectorsPerAllocationUnit;
2646 | 	ULONG BytesPerSector;
2647 | } FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
2648 | 
2649 | #define DEVICE_TYPE DWORD
2650 | 
2651 | typedef struct _FILE_FS_DEVICE_INFORMATION {
2652 | 	DEVICE_TYPE DeviceType;
2653 | 	ULONG Characteristics;
2654 | } FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;
2655 | 
2656 | typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
2657 | 	ULONG FileSystemFlags;
2658 | 	ULONG MaximumComponentNameLength;
2659 | 	ULONG FileSystemNameLength;
2660 | 	WCHAR FileSystemName[1];
2661 | } FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
2662 | 
2663 | typedef struct _FILE_FS_CONTROL_INFORMATION {
2664 | 	LARGE_INTEGER Reserved[3];
2665 | 	LARGE_INTEGER DefaultQuotaThreshold;
2666 | 	LARGE_INTEGER DefaultQuotaLimit;
2667 | 	ULONG QuotaFlags;
2668 | } FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
2669 | 
2670 | typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
2671 | 	LARGE_INTEGER TotalQuotaAllocationUnits;
2672 | 	LARGE_INTEGER AvailableQuotaAllocationUnits;
2673 | 	LARGE_INTEGER AvailableAllocationUnits;
2674 | 	ULONG SectorsPerAllocationUnit;
2675 | 	ULONG BytesPerSector;
2676 | } FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
2677 | 
2678 | 
2679 | #define MOUNTMGRCONTROLTYPE  ((ULONG) 'm')
2680 | #define MOUNTDEVCONTROLTYPE  ((ULONG) 'M')
2681 | 
2682 | //
2683 | // These are the IOCTLs supported by the mount point manager.
2684 | //
2685 | 
2686 | #define IOCTL_MOUNTMGR_CREATE_POINT                 CTL_CODE(MOUNTMGRCONTROLTYPE, 0, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2687 | #define IOCTL_MOUNTMGR_DELETE_POINTS                CTL_CODE(MOUNTMGRCONTROLTYPE, 1, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2688 | #define IOCTL_MOUNTMGR_QUERY_POINTS                 CTL_CODE(MOUNTMGRCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
2689 | #define IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY         CTL_CODE(MOUNTMGRCONTROLTYPE, 3, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2690 | #define IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER            CTL_CODE(MOUNTMGRCONTROLTYPE, 4, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2691 | #define IOCTL_MOUNTMGR_AUTO_DL_ASSIGNMENTS          CTL_CODE(MOUNTMGRCONTROLTYPE, 5, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2692 | #define IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_CREATED   CTL_CODE(MOUNTMGRCONTROLTYPE, 6, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2693 | #define IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_DELETED   CTL_CODE(MOUNTMGRCONTROLTYPE, 7, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2694 | #define IOCTL_MOUNTMGR_CHANGE_NOTIFY                CTL_CODE(MOUNTMGRCONTROLTYPE, 8, METHOD_BUFFERED, FILE_READ_ACCESS)
2695 | #define IOCTL_MOUNTMGR_KEEP_LINKS_WHEN_OFFLINE      CTL_CODE(MOUNTMGRCONTROLTYPE, 9, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
2696 | #define IOCTL_MOUNTMGR_CHECK_UNPROCESSED_VOLUMES    CTL_CODE(MOUNTMGRCONTROLTYPE, 10, METHOD_BUFFERED, FILE_READ_ACCESS)
2697 | #define IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION  CTL_CODE(MOUNTMGRCONTROLTYPE, 11, METHOD_BUFFERED, FILE_READ_ACCESS)
2698 | #define IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH        CTL_CODE(MOUNTMGRCONTROLTYPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
2699 | #define IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS       CTL_CODE(MOUNTMGRCONTROLTYPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS)
2700 | 
2701 | //
2702 | // The following IOCTL is supported by mounted devices.
2703 | //
2704 | 
2705 | #define IOCTL_MOUNTDEV_QUERY_DEVICE_NAME    CTL_CODE(MOUNTDEVCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
2706 | 
2707 | //
2708 | // Output structure for IOCTL_MOUNTDEV_QUERY_DEVICE_NAME.
2709 | //
2710 | 
2711 | typedef struct _MOUNTDEV_NAME {
2712 | 	USHORT  NameLength;
2713 | 	WCHAR   Name[1];
2714 | } MOUNTDEV_NAME, *PMOUNTDEV_NAME;
2715 | 
2716 | //
2717 | // Named Pipe file control code and structure declarations
2718 | //
2719 | 
2720 | //
2721 | // External named pipe file control operations
2722 | //
2723 | 
2724 | #define FSCTL_PIPE_ASSIGN_EVENT             CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
2725 | #define FSCTL_PIPE_DISCONNECT               CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
2726 | #define FSCTL_PIPE_LISTEN                   CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
2727 | #define FSCTL_PIPE_PEEK                     CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
2728 | #define FSCTL_PIPE_QUERY_EVENT              CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
2729 | #define FSCTL_PIPE_TRANSCEIVE               CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER,  FILE_READ_DATA | FILE_WRITE_DATA)
2730 | #define FSCTL_PIPE_WAIT                     CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
2731 | #define FSCTL_PIPE_IMPERSONATE              CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
2732 | #define FSCTL_PIPE_SET_CLIENT_PROCESS       CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
2733 | #define FSCTL_PIPE_QUERY_CLIENT_PROCESS     CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
2734 | #define FSCTL_PIPE_GET_PIPE_ATTRIBUTE       CTL_CODE(FILE_DEVICE_NAMED_PIPE, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
2735 | #define FSCTL_PIPE_SET_PIPE_ATTRIBUTE       CTL_CODE(FILE_DEVICE_NAMED_PIPE, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
2736 | #define FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
2737 | #define FSCTL_PIPE_SET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS)
2738 | #define FSCTL_PIPE_GET_HANDLE_ATTRIBUTE     CTL_CODE(FILE_DEVICE_NAMED_PIPE, 14, METHOD_BUFFERED, FILE_ANY_ACCESS)
2739 | #define FSCTL_PIPE_SET_HANDLE_ATTRIBUTE     CTL_CODE(FILE_DEVICE_NAMED_PIPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
2740 | #define FSCTL_PIPE_FLUSH                    CTL_CODE(FILE_DEVICE_NAMED_PIPE, 16, METHOD_BUFFERED, FILE_WRITE_DATA)
2741 | 
2742 | //
2743 | // Internal named pipe file control operations
2744 | //
2745 | 
2746 | #define FSCTL_PIPE_INTERNAL_READ        CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
2747 | #define FSCTL_PIPE_INTERNAL_WRITE       CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
2748 | #define FSCTL_PIPE_INTERNAL_TRANSCEIVE  CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
2749 | #define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
2750 | 
2751 | // Control structure for FSCTL_PIPE_WAIT
2752 | 
2753 | typedef struct _FILE_PIPE_WAIT_FOR_BUFFER {
2754 | 	LARGE_INTEGER Timeout;
2755 | 	ULONG NameLength;
2756 | 	BOOLEAN TimeoutSpecified;
2757 | 	WCHAR Name[1];
2758 | } FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER;
2759 | 
2760 | #define REPARSE_MOUNTPOINT_HEADER_SIZE   8
2761 | 
2762 | typedef struct {
2763 | 	DWORD ReparseTag;
2764 | 	DWORD ReparseDataLength;
2765 | 	WORD Reserved;
2766 | 	WORD ReparseTargetLength;
2767 | 	WORD ReparseTargetMaximumLength;
2768 | 	WORD Reserved1;
2769 | 	WCHAR ReparseTarget[1];
2770 | } REPARSE_MOUNTPOINT_DATA_BUFFER, *PREPARSE_MOUNTPOINT_DATA_BUFFER;
2771 | 
2772 | typedef struct _REPARSE_DATA_BUFFER {
2773 | 	ULONG  ReparseTag;
2774 | 	USHORT ReparseDataLength;
2775 | 	USHORT Reserved;
2776 | 	union {
2777 | 		struct {
2778 | 			USHORT SubstituteNameOffset;
2779 | 			USHORT SubstituteNameLength;
2780 | 			USHORT PrintNameOffset;
2781 | 			USHORT PrintNameLength;
2782 | 			ULONG  Flags;
2783 | 			WCHAR  PathBuffer[1];
2784 | 		} SymbolicLinkReparseBuffer;
2785 | 		struct {
2786 | 			USHORT SubstituteNameOffset;
2787 | 			USHORT SubstituteNameLength;
2788 | 			USHORT PrintNameOffset;
2789 | 			USHORT PrintNameLength;
2790 | 			WCHAR  PathBuffer[1];
2791 | 		} MountPointReparseBuffer;
2792 | 		struct {
2793 | 			UCHAR DataBuffer[1];
2794 | 		} GenericReparseBuffer;
2795 | 	};
2796 | } REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
2797 | 
2798 | #define REPARSE_DATA_BUFFER_HEADER_SIZE   FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer)
2799 | 
2800 | typedef enum _SYSTEM_INFORMATION_CLASS {
2801 | 	SystemBasicInformation, // 0 Y N
2802 | 	SystemProcessorInformation, // 1 Y N
2803 | 	SystemPerformanceInformation, // 2 Y N
2804 | 	SystemTimeOfDayInformation, // 3 Y N
2805 | 	SystemNotImplemented1, // 4 Y N
2806 | 	SystemProcessesAndThreadsInformation, // 5 Y N
2807 | 	SystemCallCounts, // 6 Y N
2808 | 	SystemConfigurationInformation, // 7 Y N
2809 | 	SystemProcessorTimes, // 8 Y N
2810 | 	SystemGlobalFlag, // 9 Y Y
2811 | 	SystemNotImplemented2, // 10 Y N
2812 | 	SystemModuleInformation, // 11 Y N
2813 | 	SystemLockInformation, // 12 Y N
2814 | 	SystemNotImplemented3, // 13 Y N
2815 | 	SystemNotImplemented4, // 14 Y N
2816 | 	SystemNotImplemented5, // 15 Y N
2817 | 	SystemHandleInformation, // 16 Y N
2818 | 	SystemObjectInformation, // 17 Y N
2819 | 	SystemPagefileInformation, // 18 Y N
2820 | 	SystemInstructionEmulationCounts, // 19 Y N
2821 | 	SystemInvalidInfoClass1, // 20
2822 | 	SystemCacheInformation, // 21 Y Y
2823 | 	SystemPoolTagInformation, // 22 Y N
2824 | 	SystemProcessorStatistics, // 23 Y N
2825 | 	SystemDpcInformation, // 24 Y Y
2826 | 	SystemNotImplemented6, // 25 Y N
2827 | 	SystemLoadImage, // 26 N Y
2828 | 	SystemUnloadImage, // 27 N Y
2829 | 	SystemTimeAdjustment, // 28 Y Y
2830 | 	SystemNotImplemented7, // 29 Y N
2831 | 	SystemNotImplemented8, // 30 Y N
2832 | 	SystemNotImplemented9, // 31 Y N
2833 | 	SystemCrashDumpInformation, // 32 Y N
2834 | 	SystemExceptionInformation, // 33 Y N
2835 | 	SystemCrashDumpStateInformation, // 34 Y Y/N
2836 | 	SystemKernelDebuggerInformation, // 35 Y N
2837 | 	SystemContextSwitchInformation, // 36 Y N
2838 | 	SystemRegistryQuotaInformation, // 37 Y Y
2839 | 	SystemLoadAndCallImage, // 38 N Y
2840 | 	SystemPrioritySeparation, // 39 N Y
2841 | 	SystemNotImplemented10, // 40 Y N
2842 | 	SystemNotImplemented11, // 41 Y N
2843 | 	SystemInvalidInfoClass2, // 42
2844 | 	SystemInvalidInfoClass3, // 43
2845 | 	SystemTimeZoneInformation, // 44 Y N
2846 | 	SystemLookasideInformation, // 45 Y N
2847 | 	SystemSetTimeSlipEvent, // 46 N Y
2848 | 	SystemCreateSession, // 47 N Y
2849 | 	SystemDeleteSession, // 48 N Y
2850 | 	SystemInvalidInfoClass4, // 49
2851 | 	SystemRangeStartInformation, // 50 Y N
2852 | 	SystemVerifierInformation, // 51 Y Y
2853 | 	SystemAddVerifier, // 52 N Y
2854 | 	SystemSessionProcessesInformation, // 53 Y N
2855 | 	// NtQueryEx
2856 | 	SystemLogicalProcessorAndGroupInformation = 107,
2857 | 	SystemLogicalGroupInformation = 108,
2858 | 
2859 | 	SystemStoreInformation = 109,
2860 | 	SystemVhdBootInformation = 112,
2861 | 	SystemCpuQuotaInformation = 113, 
2862 | 
2863 | 	// Removed in build 7100
2864 | 	SystemHardwareCountersInformation = 115, // uses KeQueryHardwareCounterConfiguration() instead
2865 | 
2866 | 	SystemLowPriorityInformation = 116,
2867 | 	SystemTpmBootEntropyInformation = 117,
2868 | 	//SystemVerifierInformation = 118, 
2869 | 
2870 | 	// NtQueryEx
2871 | 	SystemNumaNodesInformation = 121,
2872 | 	//
2873 | 	// Added in build 7100
2874 | 	//
2875 | 	SystemHalInformation = 122, // 8 bytes size
2876 | 	SystemCommittedMemoryInformation = 123,
2877 | 	MaxSystemInfoClass = 124
2878 | } SYSTEM_INFORMATION_CLASS;
2879 | 
2880 | 
2881 | typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
2882 | {
2883 | 	UNICODE_STRING ModuleName;
2884 | }SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
2885 | 
2886 | typedef struct _PROCESS_BASIC_INFORMATION {
2887 | 	NTSTATUS ExitStatus;
2888 | 	PPEB PebBaseAddress;
2889 | 	ULONG_PTR AffinityMask;
2890 | 	KPRIORITY BasePriority;
2891 | 	ULONG_PTR UniqueProcessId;
2892 | 	ULONG_PTR InheritedFromUniqueProcessId;
2893 | } PROCESS_BASIC_INFORMATION;
2894 | typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
2895 | 
2896 | typedef struct _SYSTEM_PROCESSOR_INFORMATION { // Information Class 1
2897 | 	USHORT ProcessorArchitecture;
2898 | 	USHORT ProcessorLevel;
2899 | 	USHORT ProcessorRevision;
2900 | 	USHORT Unknown;
2901 | 	ULONG FeatureBits;
2902 | } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
2903 | 
2904 | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION 
2905 | {
2906 | 	BOOLEAN DebuggerEnabled;
2907 | 	BOOLEAN DebuggerNotPresent;
2908 | } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
2909 | 
2910 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
2911 | {
2912 | 	ULONG Reserved[2];
2913 | 	PVOID Base;
2914 | 	ULONG Size;
2915 | 	ULONG Flags;
2916 | 	USHORT Index;
2917 | 	USHORT Unknown;
2918 | 	USHORT LoadCount;
2919 | 	USHORT ModuleNameOffset;
2920 | 	CHAR ImageName[256];
2921 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
2922 | 
2923 | typedef struct _RTL_PROCESS_MODULES
2924 | {
2925 | 	ULONG ModuleCount;
2926 | 	RTL_PROCESS_MODULE_INFORMATION ModuleEntry[1];
2927 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
2928 | 
2929 | 
2930 | typedef struct _DEBUG_BUFFER {
2931 | 	HANDLE SectionHandle;
2932 | 	PVOID  SectionBase;
2933 | 	PVOID  RemoteSectionBase;
2934 | 	ULONG  SectionBaseDelta;
2935 | 	HANDLE  EventPairHandle;
2936 | 	ULONG  Unknown[2];
2937 | 	HANDLE  RemoteThreadHandle;
2938 | 	ULONG  InfoClassMask;
2939 | 	ULONG  SizeOfInfo;
2940 | 	ULONG  AllocatedSize;
2941 | 	ULONG  SectionSize;
2942 | 	PVOID  ModuleInformation;
2943 | 	PVOID  BackTraceInformation;
2944 | 	PVOID  HeapInformation;
2945 | 	PVOID  LockInformation;
2946 | 	PVOID  Reserved[8];
2947 | } RTL_DEBUG_BUFFER, *PRTL_DEBUG_BUFFER;
2948 | 
2949 | #define RTL_DEBUG_QUERY_MODULES         0x01
2950 | #define RTL_DEBUG_QUERY_BACKTRACES      0x02
2951 | #define RTL_DEBUG_QUERY_HEAPS           0x04
2952 | #define RTL_DEBUG_QUERY_HEAP_TAGS       0x08
2953 | #define RTL_DEBUG_QUERY_HEAP_BLOCKS     0x10
2954 | #define RTL_DEBUG_QUERY_LOCKS           0x20
2955 | 
2956 | typedef struct _TIB {
2957 | 	PVOID pSEH;
2958 | 	PVOID pEsp;
2959 | 	PVOID pEBP;
2960 | 	PVOID Reserved1;
2961 | 	PVOID dwFiberData;
2962 | 	PVOID pSlot;
2963 | 	PVOID pTib;
2964 | 	PVOID Reserved2;
2965 | 	PVOID dwProcessId;
2966 | 	PVOID dwThreadId;
2967 | 	PVOID Reserved3;
2968 | 	PVOID pTls;
2969 | 	PVOID pPeb;
2970 | 	PVOID dwErrorValue;
2971 | } TIB, *PTIB;
2972 | 
2973 | 
2974 | 
2975 | 
2976 | typedef VOID (NTAPI *PPS_POST_PROCESS_INIT_ROUTINE) (VOID);
2977 | 
2978 | 
2979 | #ifdef _M_X64
2980 | 
2981 | typedef struct _PEB_ {
2982 | 	BYTE Reserved1[2];
2983 | 	BYTE BeingDebugged;
2984 | 	BYTE Reserved2[21];
2985 | 	PPEB_LDR_DATA Ldr;
2986 | 	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
2987 | 	BYTE Reserved3[520];
2988 | 	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
2989 | 	BYTE Reserved4[136];
2990 | 	ULONG SessionId;
2991 | }  PEB_, *PPEB_;
2992 | 
2993 | #else 
2994 | 
2995 | typedef struct _PEB_ {
2996 | 	BYTE Reserved1[2];
2997 | 	BYTE BeingDebugged;
2998 | 	BYTE Reserved2[1];
2999 | 	PVOID Reserved3[2];
3000 | 	PPEB_LDR_DATA Ldr;
3001 | 	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
3002 | 	BYTE Reserved4[104];
3003 | 	PVOID Reserved5[52];
3004 | 	PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
3005 | 	BYTE Reserved6[128];
3006 | 	PVOID Reserved7[1];
3007 | 	ULONG SessionId;
3008 | } PEB_, *PPEB_;
3009 | 
3010 | #endif
3011 | 
3012 | 
3013 | typedef enum _MEMORY_INFORMATION_CLASS {
3014 | 
3015 | 
3016 | 	MemoryBasicInformation
3017 | 
3018 | 
3019 | } MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;
3020 | 
3021 | typedef enum _SECTION_INHERIT {
3022 | 	ViewShare = 1,
3023 | 	ViewUnmap = 2
3024 | } SECTION_INHERIT;
3025 | 
3026 | typedef struct _SYSTEM_HANDLE_INFORMATION {	//Information 16
3027 | 	ULONG ProcessId;
3028 | 	UCHAR ObjectTypeNumber;
3029 | 	UCHAR Flags;			// 0x01 = PROTECT_FROM_CLOSE, 0x02 = INHERIT
3030 | 	USHORT Handle;
3031 | 	PVOID Object;
3032 | 	ACCESS_MASK GrantedAccess;
3033 | } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
3034 | 
3035 | typedef struct _OBJECT_BASIC_INFORMATION { // Information 0
3036 | 	ULONG Attributes;
3037 | 	ACCESS_MASK GrantedAccess;
3038 | 	ULONG HandleCount;
3039 | 	ULONG PointerCount;
3040 | 	ULONG PagedPoolUsage;
3041 | 	ULONG NonPagedPoolUsage;
3042 | 	ULONG Reserved[3];
3043 | 	ULONG NameInformationLength;
3044 | 	ULONG TypeInformationLength;
3045 | 	ULONG SecurityDescriptorLength;
3046 | 	LARGE_INTEGER CreateTime;
3047 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
3048 | 
3049 | typedef enum _OBJECT_WAIT_TYPE {
3050 | 	WaitAllObject,
3051 | 	WaitAnyObject
3052 | } OBJECT_WAIT_TYPE, *POBJECT_WAIT_TYPE;
3053 | 
3054 | 
3055 | #ifdef __cplusplus
3056 | }
3057 | #endif
3058 | 
3059 | #ifdef _MSC_VER
3060 | #pragma pack(pop)
3061 | #endif //_MSC_VER
3062 | 


--------------------------------------------------------------------------------
/include/ntdlllib/ntdllapi.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <ntdlllib/csrss.h>
  4 | #include <Windows.h>
  5 | 
  6 | namespace ntdlllib
  7 | {
  8 | 	typedef void (NTAPI* pfRtlInitAnsiString)(PANSI_STRING DestinationString, PCSZ SourceString);
  9 | 	typedef NTSTATUS(NTAPI* pfRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
 10 | 
 11 | 	/*
 12 | 		General API
 13 | 	*/
 14 | 	typedef NTSTATUS (NTAPI* pfNtClose)(IN HANDLE Handle);
 15 | 	typedef NTSTATUS (NTAPI* pfNtQueryObject)(
 16 | 		IN HANDLE					ObjectHandle,
 17 | 		IN OBJECT_INFORMATION_CLASS	ObjectInformationClass,
 18 | 		OUT PVOID					ObjectInformation,
 19 | 		IN ULONG					ObjectInformationLength,
 20 | 		OUT PULONG					ReturnLength OPTIONAL
 21 | 		);
 22 | 	typedef NTSTATUS (NTAPI* pfNtSetSystemInformation)(
 23 | 		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
 24 | 		IN PVOID					SystemInformation,
 25 | 		IN ULONG					SystemInformationLength);
 26 | 	typedef NTSTATUS (NTAPI* pfNtQuerySystemInformation)(
 27 | 		__in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
 28 | 		__inout    PVOID					SystemInformation,
 29 | 		__in       ULONG					SystemInformationLength,
 30 | 		__out_opt  PULONG					ReturnLength
 31 | 		);
 32 | 	typedef NTSTATUS(NTAPI * pfRtlGetVersion)(
 33 | 		IN OUT PRTL_OSVERSIONINFOEXW  lpVersionInformation
 34 | 		);
 35 | 
 36 | 	/*
 37 | 		DLL API
 38 | 	*/
 39 | 	typedef NTSTATUS(NTAPI* pfLdrLoadDll)(
 40 | 		IN PWCHAR               PathToFile OPTIONAL,
 41 | 		IN PULONG               Flags OPTIONAL,
 42 | 		IN PUNICODE_STRING      ModuleFileName,
 43 | 		OUT PHANDLE             ModuleHandle
 44 | 		);
 45 | 	typedef NTSTATUS(NTAPI* pfLdrGetDllHandle)(
 46 | 		IN PWORD				pwPath OPTIONAL,
 47 | 		IN PVOID				Unused OPTIONAL,
 48 | 		IN PUNICODE_STRING		ModuleFileName,
 49 | 		OUT PHANDLE				ModuleHandle
 50 | 		);
 51 | 	typedef NTSTATUS(NTAPI* pfLdrGetProcedureAddress)(IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Ordinal OPTIONAL, OUT PVOID* FunctionAddress);
 52 | 
 53 | 	/*
 54 | 		Process API
 55 | 	*/
 56 | 	typedef NTSTATUS(NTAPI* pfNtOpenThread)(
 57 | 		OUT PHANDLE ThreadHandle,
 58 | 		IN ACCESS_MASK DesiredAccess,
 59 | 		IN POBJECT_ATTRIBUTES ObjectAttributes,
 60 | 		IN PCLIENT_ID ClientId
 61 | 		);
 62 | 	typedef NTSTATUS(NTAPI* pfNtQueryInformationThread)(
 63 | 		IN HANDLE ThreadHandle,
 64 | 		IN THREADINFOCLASS ThreadInformationClass,
 65 | 		IN OUT PVOID ThreadInformation,
 66 | 		IN ULONG ThreadInformationLength,
 67 | 		OUT PULONG ReturnLength OPTIONAL
 68 | 		);
 69 | 
 70 | 	typedef NTSTATUS(NTAPI* pfNtQueryInformationProcess)(
 71 | 		IN HANDLE ProcessHandle,
 72 | 		IN PROCESSINFOCLASS ProcessInformationClass,
 73 | 		OUT PVOID ProcessInformation,
 74 | 		IN ULONG ProcessInformationLength,
 75 | 		OUT PULONG ReturnLength OPTIONAL
 76 | 		);
 77 | 	typedef NTSTATUS(NTAPI* pfRtlSetCurrentDirectory_U)(const UNICODE_STRING* dir);
 78 | 	typedef ULONG(NTAPI* pfRtlGetCurrentDirectory_U)(ULONG buflen, LPWSTR buf);
 79 | 	typedef NTSTATUS(NTAPI* pfNtCreateToken)(
 80 | 		OUT PHANDLE				TokenHandle,
 81 | 		IN ACCESS_MASK			DesiredAccess,
 82 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
 83 | 		IN TOKEN_TYPE			Type,
 84 | 		IN PLUID				AuthenticationId,
 85 | 		IN PLARGE_INTEGER		ExpirationTime,
 86 | 		IN PTOKEN_USER			User,
 87 | 		IN PTOKEN_GROUPS		Groups,
 88 | 		IN PTOKEN_PRIVILEGES	Privileges,
 89 | 		IN PTOKEN_OWNER			Owner,
 90 | 		IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
 91 | 		IN PTOKEN_DEFAULT_DACL	DefaultDacl,
 92 | 		IN PTOKEN_SOURCE		Source
 93 | 		);
 94 | 	typedef NTSTATUS(NTAPI* pfNtTerminateProcess)(IN HANDLE ProcessHandle, IN ULONG ProcessExitCode);
 95 | 	typedef NTSTATUS(NTAPI* pfNtCreateProcess)(
 96 | 		OUT PHANDLE				ProcessHandle,
 97 | 		IN ACCESS_MASK			DesiredAccess,
 98 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes OPTIONAL,
 99 | 		IN HANDLE				ParentProcess,
100 | 		IN BOOLEAN				InheritObjectTable,
101 | 		IN HANDLE				SectionHandle OPTIONAL,
102 | 		IN HANDLE				DebugPort OPTIONAL,
103 | 		IN HANDLE				ExceptionPort OPTIONAL
104 | 		);
105 | 	typedef NTSTATUS(NTAPI *pfNtCreateProcessEx)(
106 | 		__out PHANDLE 					ProcessHandle,
107 | 		__in ACCESS_MASK 				DesiredAccess,
108 | 		__in_opt POBJECT_ATTRIBUTES 	ObjectAttributes,
109 | 		__in HANDLE 					ParentProcess,
110 | 		__in ULONG 						Flags,
111 | 		__in_opt HANDLE 				SectionHandle,
112 | 		__in_opt HANDLE 				DebugPort,
113 | 		__in_opt HANDLE 				ExceptionPort,
114 | 		__in ULONG 						JobMemberLevel
115 | 		);
116 | 	typedef	NTSTATUS(NTAPI * pfNtCreateUserProcess)(
117 | 		OUT PHANDLE 						ProcessHandle,
118 | 		OUT PHANDLE 						ThreadHandle,
119 | 		IN ACCESS_MASK 						ProcessDesiredAccess,
120 | 		IN ACCESS_MASK 						ThreadDesiredAccess,
121 | 		IN POBJECT_ATTRIBUTES 				ProcessObjectAttributes OPTIONAL,
122 | 		IN POBJECT_ATTRIBUTES 				ThreadObjectAttributes OPTIONAL,
123 | 		IN ULONG 							ProcessFlags,
124 | 		IN ULONG 							ThreadFlags,
125 | 		IN PRTL_USER_PROCESS_PARAMETERS 	ProcessParameters OPTIONAL,
126 | 		__in_opt PPS_CREATE_INFO 			CreateInfo,
127 | 		IN PPS_ATTRIBUTE_LIST 				AttributeList OPTIONAL
128 | 		);
129 | 
130 | 	/*
131 | 		Synchronization Objects (Section, Event, Mutex, Semaphore) API
132 | 	*/
133 | 	typedef	NTSTATUS (NTAPI* pfNtCreateSection)(
134 | 		OUT PHANDLE				SectionHandle,
135 | 		IN ACCESS_MASK			DesiredAccess,
136 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
137 | 		IN PLARGE_INTEGER		SectionSize OPTIONAL,
138 | 		IN ULONG				Protect,
139 | 		IN ULONG				Attributes,
140 | 		IN HANDLE				FileHandle
141 | 		);
142 | 	typedef NTSTATUS (NTAPI* pfNtOpenSection)(
143 | 		OUT PHANDLE				SectionHandle,
144 | 		IN ACCESS_MASK			DesiredAccess,
145 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
146 | 		);
147 | 	typedef NTSTATUS (NTAPI* pfNtMapViewOfSection)(
148 | 		__in HANDLE					SectionHandle,
149 | 		__in HANDLE					ProcessHandle,
150 | 		__inout PVOID				*BaseAddress,
151 | 		__in ULONG_PTR				ZeroBits,
152 | 		__in SIZE_T					CommitSize,
153 | 		__inout_opt PLARGE_INTEGER	SectionOffset,
154 | 		__inout PSIZE_T				ViewSize,
155 | 		__in SECTION_INHERIT		InheritDisposition,
156 | 		__in ULONG					AllocationType,
157 | 		__in ULONG					Win32Protect
158 | 		);
159 | 	typedef NTSTATUS (NTAPI* pfNtUnmapViewOfSection)(
160 | 		__in HANDLE		ProcessHandle,
161 | 		__in_opt PVOID	BaseAddress
162 | 		);
163 | 	typedef NTSTATUS (NTAPI* pfNtCreateEvent)(
164 | 		OUT PHANDLE				EventHandle,
165 | 		IN ACCESS_MASK			DesiredAccess,
166 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
167 | 		IN EVENT_TYPE			EventType,
168 | 		IN BOOLEAN				InitialState
169 | 		);
170 | 	typedef NTSTATUS (NTAPI* pfNtOpenEvent)(
171 | 		OUT PHANDLE				EventHandle,
172 | 		IN ACCESS_MASK			DesiredAccess,
173 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
174 | 		);
175 | 	typedef NTSTATUS (NTAPI* pfNtCreateMutant)(
176 | 		OUT PHANDLE				MutantHandle,
177 | 		IN ACCESS_MASK			DesiredAccess,
178 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
179 | 		IN BOOLEAN				InitialOwner
180 | 		);
181 | 	typedef NTSTATUS (NTAPI* pfNtOpenMutant)(
182 | 		OUT PHANDLE				MutantHandle,
183 | 		IN ACCESS_MASK			DesiredAccess,
184 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
185 | 		);
186 | 	typedef NTSTATUS (NTAPI* pfNtCreateSemaphore)(
187 | 		OUT PHANDLE				SemaphoreHandle,
188 | 		IN ACCESS_MASK			DesiredAccess,
189 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
190 | 		IN LONG					InitialCount,
191 | 		IN LONG					MaximumCount
192 | 		);
193 | 	typedef NTSTATUS (NTAPI* pfNtOpenSemaphore)(
194 | 		OUT PHANDLE				SemaphoreHandle,
195 | 		IN ACCESS_MASK			DesiredAccess,
196 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
197 | 		);
198 | 	typedef NTSTATUS (NTAPI* pfNtWaitForSingleObject)(
199 | 		IN HANDLE				ObjectHandle,
200 | 		IN BOOLEAN				Alertable,
201 | 		IN PLARGE_INTEGER		Timeout OPTIONAL
202 | 		);
203 | 	typedef NTSTATUS (NTAPI* pfNtWaitForMultipleObjects)(
204 | 		IN ULONG                ObjectCount,
205 | 		IN PHANDLE              ObjectsArray,
206 | 		IN OBJECT_WAIT_TYPE     WaitType,
207 | 		IN BOOLEAN              Alertable,
208 | 		IN PLARGE_INTEGER       TimeOut OPTIONAL
209 | 		);
210 | 	typedef NTSTATUS (NTAPI* pfNtReleaseMutant)(
211 | 		IN HANDLE	MutantHandle,
212 | 		IN PLONG	ReleaseCount OPTIONAL
213 | 		);
214 | 	typedef NTSTATUS (NTAPI* pfNtSetEvent)(
215 | 		IN HANDLE EventHandle,
216 | 		OUT PLONG PreviousState OPTIONAL
217 | 		);
218 | 	typedef NTSTATUS(NTAPI* pfNtClearEvent)(
219 | 		IN HANDLE EventHandle
220 | 		);
221 | 
222 | 	/*
223 | 		File API
224 | 	*/
225 | 	typedef NTSTATUS (NTAPI* pfNtCreateNamedPipeFile)(
226 | 		OUT PHANDLE				FileHandle,
227 | 		IN ACCESS_MASK			DesiredAccess,
228 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
229 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
230 | 		IN ULONG				ShareAccess,
231 | 		IN ULONG				CreateDisposition,
232 | 		IN ULONG				CreateOptions,
233 | 		IN ULONG				TypeMessage,
234 | 		IN ULONG				ReadmodeMessage,
235 | 		IN ULONG				Nonblocking,
236 | 		IN ULONG				MaxInstances,
237 | 		IN ULONG				InBufferSize,
238 | 		IN ULONG				OutBufferSize,
239 | 		IN PLARGE_INTEGER		DefaultTimeout OPTIONAL
240 | 		);
241 | 	typedef NTSTATUS (NTAPI* pfNtCreateMailslotFile)(
242 | 		 OUT PHANDLE			FileHandle,
243 | 		 IN ACCESS_MASK			DesiredAccess,
244 | 		 IN POBJECT_ATTRIBUTES	ObjectAttributes,
245 | 		 OUT PIO_STATUS_BLOCK	IoStatusBlock,
246 | 		 IN ULONG				CreateOptions,
247 | 		 IN ULONG				InBufferSize,
248 | 		 IN ULONG				MaxMessageSize,
249 | 		 IN PLARGE_INTEGER		ReadTimeout OPTIONAL
250 | 		 );
251 | 	typedef NTSTATUS (NTAPI* pfNtCreateFile)(
252 | 		OUT PHANDLE             FileHandle,
253 | 		IN ACCESS_MASK          DesiredAccess,
254 | 		IN POBJECT_ATTRIBUTES   ObjectAttributes,
255 | 		OUT PIO_STATUS_BLOCK    IoStatusBlock,
256 | 		IN PLARGE_INTEGER       AllocationSize OPTIONAL,
257 | 		IN ULONG                FileAttributes,
258 | 		IN ULONG                ShareAccess,
259 | 		IN ULONG                CreateDisposition,
260 | 		IN ULONG                CreateOptions,
261 | 		IN PVOID                EaBuffer OPTIONAL,
262 | 		IN ULONG                EaLength
263 | 		);
264 | 	typedef NTSTATUS (NTAPI* pfNtOpenFile)(
265 | 		OUT PHANDLE             FileHandle,
266 | 		IN ACCESS_MASK          DesiredAccess,
267 | 		IN POBJECT_ATTRIBUTES   ObjectAttributes,
268 | 		OUT PIO_STATUS_BLOCK    IoStatusBlock,
269 | 		IN ULONG                ShavbvvreAccess,
270 | 		IN ULONG                OpenOptions
271 | 		);
272 | 	typedef NTSTATUS (NTAPI* pfNtDeleteFile)(
273 | 		IN POBJECT_ATTRIBUTES   ObjectAttributes
274 | 		);
275 | 	typedef NTSTATUS (NTAPI* pfNtReadFile)(
276 | 		IN HANDLE				FileHandle,
277 | 		IN HANDLE				Event OPTIONAL,
278 | 		IN PIO_APC_ROUTINE		ApcRoutine OPTIONAL,
279 | 		IN PVOID				ApcContext OPTIONAL,
280 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
281 | 		OUT PVOID				Buffer,
282 | 		IN ULONG				Length,
283 | 		IN PLARGE_INTEGER		ByteOffset OPTIONAL,
284 | 		IN PULONG				Key OPTIONAL
285 | 		);
286 | 	typedef NTSTATUS (NTAPI* pfNtWriteFile)(
287 | 		IN HANDLE				FileHandle,
288 | 		IN HANDLE				Event OPTIONAL,
289 | 		IN PIO_APC_ROUTINE		ApcRoutine OPTIONAL,
290 | 		IN PVOID				ApcContext OPTIONAL,
291 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
292 | 		IN PVOID				Buffer,
293 | 		IN ULONG				Length,
294 | 		IN PLARGE_INTEGER		ByteOffset OPTIONAL,
295 | 		IN PULONG				Key OPTIONAL
296 | 		);
297 | 	typedef NTSTATUS (NTAPI* pfNtNotifyChangeDirectoryFile)(
298 | 		IN HANDLE						FileHandle,
299 | 		IN HANDLE						Event OPTIONAL,
300 | 		IN PIO_APC_ROUTINE				ApcRoutine OPTIONAL,
301 | 		IN PVOID						ApcContext OPTIONAL,
302 | 		OUT PIO_STATUS_BLOCK			IoStatusBlock,
303 | 		OUT PFILE_NOTIFY_INFORMATION	Buffer,
304 | 		IN ULONG						BufferLength,
305 | 		IN ULONG						NotifyFilter,
306 | 		IN BOOLEAN						WatchSubtree
307 | 	);
308 | 	typedef NTSTATUS (NTAPI* pfNtQueryInformationFile)(
309 | 		IN HANDLE					FileHandle,
310 | 		OUT PIO_STATUS_BLOCK		IoStatusBlock,
311 | 		OUT PVOID					FileInformation,
312 | 		IN ULONG					FileInformationLength,
313 | 		IN FILE_INFORMATION_CLASS	FileInformationClass
314 | 		);
315 | 	typedef NTSTATUS (NTAPI* pfNtSetInformationFile)(
316 | 		IN HANDLE					FileHandle,
317 | 		OUT PIO_STATUS_BLOCK		IoStatusBlock,
318 | 		IN PVOID					FileInformation,
319 | 		IN ULONG					FileInformationLength,
320 | 		IN FILE_INFORMATION_CLASS	FileInformationClass
321 | 		);
322 | 	typedef NTSTATUS (NTAPI* pfNtQueryAttributesFile)(
323 | 		IN POBJECT_ATTRIBUTES		ObjectAttributes,
324 | 		OUT PFILE_BASIC_INFORMATION	FileInformation
325 | 		);
326 | 	typedef NTSTATUS (NTAPI* pfNtQueryFullAttributesFile)(
327 | 		IN POBJECT_ATTRIBUTES				ObjectAttributes,
328 | 		OUT PFILE_NETWORK_OPEN_INFORMATION	FileInformation
329 | 		);
330 | 	typedef NTSTATUS (NTAPI* pfNtQueryDirectoryFile)(
331 | 		IN HANDLE					FileHandle,
332 | 		IN HANDLE					Event OPTIONAL,
333 | 		IN PIO_APC_ROUTINE			ApcRoutine OPTIONAL,
334 | 		IN PVOID					ApcContext OPTIONAL,
335 | 		OUT PIO_STATUS_BLOCK		IoStatusBlock,
336 | 		OUT PVOID					FileInformation,
337 | 		IN ULONG					FileInformationLength,
338 | 		IN FILE_INFORMATION_CLASS	FileInformationClass,
339 | 		IN BOOLEAN					ReturnSingleEntry,
340 | 		IN PUNICODE_STRING			FileName OPTIONAL,
341 | 		IN BOOLEAN					RestartScan
342 | 		);
343 | 	typedef NTSTATUS (NTAPI* pfNtQueryVolumeInformationFile)(
344 | 		IN HANDLE				FileHandle,
345 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
346 | 		OUT PVOID				VolumeInformation,
347 | 		IN ULONG				VolumeInformationLength,
348 | 		IN FS_INFORMATION_CLASS VolumeInformationClass
349 | 		);
350 | 	typedef NTSTATUS (NTAPI* pfNtSetVolumeInformationFile)(
351 | 		IN HANDLE				FileHandle,
352 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
353 | 		IN PVOID				Buffer,
354 | 		IN ULONG				BufferLength,
355 | 		IN FS_INFORMATION_CLASS VolumeInformationClass
356 | 		);
357 | 	typedef NTSTATUS (NTAPI* pfNtFsControlFile)(
358 | 		IN HANDLE				FileHandle,
359 | 		IN HANDLE				Event OPTIONAL,
360 | 		IN PIO_APC_ROUTINE		ApcRoutine OPTIONAL,
361 | 		IN PVOID				ApcContext OPTIONAL,
362 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
363 | 		IN ULONG				FsControlCode,
364 | 		IN PVOID				InputBuffer OPTIONAL,
365 | 		IN ULONG				InputBufferLength,
366 | 		OUT PVOID				OutputBuffer OPTIONAL,
367 | 		IN ULONG				OutputBufferLength
368 | 		); 
369 | 	typedef NTSTATUS (NTAPI* pfNtDeviceIoControlFile)( 
370 | 		IN HANDLE				FileHandle, 
371 | 		IN HANDLE				Event OPTIONAL, 
372 | 		IN PIO_APC_ROUTINE		ApcRoutine OPTIONAL, 
373 | 		IN PVOID				ApcContext OPTIONAL, 
374 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock, 
375 | 		IN ULONG				IoControlCode, 
376 | 		IN PVOID				InputBuffer OPTIONAL, 
377 | 		IN ULONG				InputBufferLength, 
378 | 		OUT PVOID				OutputBuffer OPTIONAL, 
379 | 		IN ULONG				OutputBufferLength 
380 | 		);
381 | 
382 | 	/*
383 | 		Directory API
384 | 	*/
385 | 	typedef NTSTATUS(NTAPI* pfNtOpenDirectoryObject)(
386 | 		OUT PHANDLE				DirectoryHandle,
387 | 		IN ACCESS_MASK			DesiredAccess,
388 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
389 | 		);
390 | 	typedef NTSTATUS(NTAPI* pfNtCreateDirectoryObject)(
391 | 		OUT PHANDLE				DirectoryHandle,
392 | 		IN ACCESS_MASK			DesiredAccess,
393 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
394 | 		);
395 | 	typedef NTSTATUS(NTAPI* pfNtCreateDirectoryObjectEx)(
396 | 		OUT PHANDLE				DirectoryHandle,
397 | 		IN ACCESS_MASK			DesiredAccess,
398 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
399 | 		IN DWORD				UNKNOWN1,
400 | 		IN DWORD				UNKNOWN2
401 | 		);
402 | 	typedef NTSTATUS(NTAPI* pfNtQueryDirectoryObject)(
403 | 		IN HANDLE		DirectoryHandle,
404 | 		OUT PVOID		Buffer,
405 | 		IN ULONG		BufferLength,
406 | 		IN BOOLEAN		ReturnSingleEntry,
407 | 		IN BOOLEAN		RestartScan,
408 | 		IN OUT PULONG	Context,
409 | 		OUT PULONG		ReturnLength OPTIONAL
410 | 		);
411 | 	/*
412 | 		SymbolicLink API
413 | 	*/
414 | 	typedef NTSTATUS(NTAPI* pfNtOpenSymbolicLinkObject)(
415 | 		OUT PHANDLE				SymbolicLinkHandle,
416 | 		IN ACCESS_MASK			DesiredAccess,
417 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
418 | 		);
419 | 	typedef NTSTATUS(NTAPI* pfNtCreateSymbolicLinkObject)(
420 | 		OUT PHANDLE				SymbolicLinkHandle,
421 | 		IN ACCESS_MASK			DesiredAccess,
422 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
423 | 		IN PUNICODE_STRING		TargetName
424 | 		);
425 | 	typedef NTSTATUS(NTAPI* pfNtQuerySymbolicLinkObject)(
426 | 		IN HANDLE				SymbolicLinkHandle,
427 | 		IN OUT PUNICODE_STRING	TargetName,
428 | 		OUT PULONG				ReturnLength OPTIONAL
429 | 		);
430 | 
431 | 	/*
432 | 		Registry API
433 | 	*/
434 | 	typedef NTSTATUS (NTAPI* pfNtCompactKeys)(
435 | 		IN ULONG  Count,  
436 | 		IN PHANDLE  KeyArray 
437 | 		);
438 | 	typedef NTSTATUS (NTAPI* pfNtCompressKey)(
439 | 		IN HANDLE  Key 
440 | 		);
441 | 	typedef NTSTATUS (NTAPI* pfNtCreateKey)(
442 | 		OUT PHANDLE				KeyHandle,
443 | 		IN ACCESS_MASK			DesiredAccess,
444 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
445 | 		IN ULONG				TitleIndex,
446 | 		IN PUNICODE_STRING		Class OPTIONAL,
447 | 		IN ULONG				CreateOptions,
448 | 		OUT PULONG				Disposition OPTIONAL
449 | 		);
450 | 	typedef NTSTATUS (NTAPI* pfNtCreateKeyTransacted)(
451 | 		OUT PHANDLE				KeyHandle,
452 | 		IN ACCESS_MASK			DesiredAccess,
453 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
454 | 		IN ULONG				TitleIndex,
455 | 		IN PUNICODE_STRING		Class OPTIONAL,
456 | 		IN ULONG				CreateOptions,
457 | 		OUT PULONG				Disposition OPTIONAL,
458 | 		IN PHANDLE				TransactionHandle
459 | 		);
460 | 	typedef NTSTATUS (NTAPI* pfNtOpenKey)(
461 | 		OUT PHANDLE				KeyHandle,
462 | 		IN ACCESS_MASK			DesiredAccess,
463 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes
464 | 		);
465 | 	typedef NTSTATUS (NTAPI* pfNtOpenKeyEx)(
466 | 		OUT PHANDLE				KeyHandle,
467 | 		IN ACCESS_MASK			DesiredAccess,
468 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
469 | 		IN ULONG				OpenOptions
470 | 		);
471 | 	typedef NTSTATUS (NTAPI* pfNtOpenKeyTransacted)(
472 | 		OUT PHANDLE				KeyHandle,
473 | 		IN ACCESS_MASK			DesiredAccess,
474 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
475 | 		IN PHANDLE				TransactionHandle
476 | 		);
477 | 	typedef NTSTATUS (NTAPI* pfNtOpenKeyTransactedEx)(
478 | 		OUT PHANDLE				KeyHandle,
479 | 		IN ACCESS_MASK			DesiredAccess,
480 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
481 | 		IN ULONG				OpenOptions,
482 | 		IN PHANDLE				TransactionHandle
483 | 		);
484 | 	typedef NTSTATUS (NTAPI* pfNtDeleteKey)(
485 | 		IN HANDLE KeyHandle
486 | 		);
487 | 	typedef NTSTATUS (NTAPI* pfNtQueryKey)(
488 | 		IN HANDLE					KeyHandle,
489 | 		IN KEY_INFORMATION_CLASS	KeyInformationClass,
490 | 		OUT PVOID					KeyInformation,
491 | 		IN ULONG					KeyInformationLength,
492 | 		OUT PULONG					ResultLength
493 | 		);
494 | 	typedef NTSTATUS (NTAPI* pfNtEnumerateKey)(
495 | 		IN HANDLE					KeyHandle,
496 | 		IN ULONG					Index,
497 | 		IN KEY_INFORMATION_CLASS	KeyInformationClass,
498 | 		OUT PVOID					KeyInformation,
499 | 		IN ULONG					KeyInformationLength,
500 | 		OUT PULONG					ResultLength
501 | 		);
502 | 	typedef NTSTATUS (NTAPI* pfNtDeleteValueKey)(
503 | 		IN HANDLE			KeyHandle,
504 | 		IN PUNICODE_STRING	ValueName
505 | 		);
506 | 	typedef NTSTATUS (NTAPI* pfNtSetValueKey)(
507 | 		IN HANDLE			KeyHandle,
508 | 		IN PUNICODE_STRING	ValueName,
509 | 		IN ULONG			TitleIndex,
510 | 		IN ULONG			Type,
511 | 		IN PVOID			Data,
512 | 		IN ULONG			DataSize
513 | 		);
514 | 	typedef NTSTATUS (NTAPI* pfNtQueryValueKey)(
515 | 		IN HANDLE						KeyHandle,
516 | 		IN PUNICODE_STRING				ValueName,
517 | 		IN KEY_VALUE_INFORMATION_CLASS	KeyValueInformationClass,
518 | 		OUT PVOID						KeyValueInformation,
519 | 		IN ULONG						KeyValueInformationLength,
520 | 		OUT PULONG						ResultLength
521 | 		);
522 | 	typedef NTSTATUS (NTAPI* pfNtEnumerateValueKey)(
523 | 		IN HANDLE						KeyHandle,
524 | 		IN ULONG						Index,
525 | 		IN KEY_VALUE_INFORMATION_CLASS	KeyValueInformationClass,
526 | 		OUT PVOID						KeyValueInformation,
527 | 		IN ULONG						KeyValueInformationLength,
528 | 		OUT PULONG						ResultLength
529 | 		);
530 | 	typedef NTSTATUS (NTAPI* pfNtQueryMultipleValueKey)(
531 | 		IN HANDLE				KeyHandle,
532 | 		IN OUT PKEY_VALUE_ENTRY	ValueList,
533 | 		IN ULONG				NumberOfValues,
534 | 		OUT PVOID				Buffer,
535 | 		IN OUT PULONG			Length,
536 | 		OUT PULONG				ReturnLength
537 | 		);
538 | 	typedef NTSTATUS (NTAPI* pfNtFlushKey)(
539 | 		IN HANDLE	KeyHandle								   
540 | 		);
541 | 	typedef NTSTATUS (NTAPI* pfNtSaveKey)(
542 | 		IN HANDLE	KeyHandle,
543 | 		IN HANDLE	FileHandle
544 | 		);
545 | 	typedef NTSTATUS (NTAPI* pfNtSaveKeyEx)(
546 | 		IN HANDLE	KeyHandle,
547 | 		IN HANDLE	FileHandle,
548 | 		IN ULONG	Flags
549 | 		);
550 | 	typedef NTSTATUS (NTAPI* pfNtSaveMergedKeys)(
551 | 		IN HANDLE	KeyHandle1,
552 | 		IN HANDLE	KeyHandle2,
553 | 		IN HANDLE	FileHandle
554 | 		);
555 | 	typedef NTSTATUS (NTAPI* pfNtRestoreKey)(
556 | 		IN HANDLE	KeyHandle,
557 | 		IN HANDLE	FileHandle,
558 | 		IN ULONG	Flags
559 | 		);
560 | 	typedef NTSTATUS (NTAPI* pfNtLoadKey)(
561 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
562 | 		IN POBJECT_ATTRIBUTES	FileObjectAttributes
563 | 		);
564 | 	typedef NTSTATUS (NTAPI* pfNtLoadKey2)(
565 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
566 | 		IN POBJECT_ATTRIBUTES	FileObjectAttributes,
567 | 		IN ULONG				Flags
568 | 		);
569 | 	typedef NTSTATUS (NTAPI* pfNtLoadKeyEx)(
570 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
571 | 		IN POBJECT_ATTRIBUTES	FileObjectAttributes,
572 | 		IN ULONG				Flags,
573 | 		ULONG_PTR				Unknown1,
574 | 		ULONG_PTR				Unknown2,
575 | 		IN ACCESS_MASK			DesiredAccess,
576 | 		OUT PHANDLE				KeyHandle,
577 | 		ULONG_PTR				Unknown3
578 | 		);
579 | 	typedef NTSTATUS (NTAPI* pfNtLockRegistryKey)(IN HANDLE KeyHandle);
580 | 	typedef NTSTATUS (NTAPI* pfNtUnloadKey)(
581 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes
582 | 		);
583 | 	typedef NTSTATUS (NTAPI* pfNtUnloadKey2)(
584 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
585 | 		IN ULONG				Flags
586 | 		);
587 | 	typedef NTSTATUS (NTAPI* pfNtUnloadKeyEx)(
588 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
589 | 		IN HANDLE				EventHandle
590 | 		);
591 | 	typedef NTSTATUS (NTAPI* pfNtQueryOpenSubKeys)(
592 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
593 | 		OUT PULONG				NumberOfKeys
594 | 		);
595 | 	typedef NTSTATUS (NTAPI* pfNtQueryOpenSubKeysEx)(
596 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
597 | 		IN ULONG				BufferLength,
598 | 		IN PVOID				Buffer,
599 | 		IN PULONG				RequiredSize
600 | 		);
601 | 	typedef NTSTATUS (NTAPI* pfNtReplaceKey)(
602 | 		IN POBJECT_ATTRIBUTES	NewFileObjectAttributes,
603 | 		IN HANDLE				KeyHandle,
604 | 		IN POBJECT_ATTRIBUTES	OldFileObjectAttributes
605 | 		);
606 | 	typedef NTSTATUS (NTAPI* pfNtSetInformationKey)(
607 | 		IN HANDLE						KeyHandle,
608 | 		IN KEY_SET_INFORMATION_CLASS	KeyInformationClass,
609 | 		IN PVOID						KeyInformation,
610 | 		IN ULONG						KeyInformationLength
611 | 		);
612 | 	typedef NTSTATUS (NTAPI* pfNtRenameKey)(
613 | 		IN HANDLE			KeyHandle,
614 | 		IN PUNICODE_STRING	NewName
615 | 		);
616 | 	typedef NTSTATUS (NTAPI* pfNtNotifyChangeKey)(
617 | 		IN HANDLE				KeyHandle,
618 | 		IN HANDLE				EventHandle OPTIONAL,
619 | 		IN PIO_APC_ROUTINE		ApcRoutine OPTIONAL,
620 | 		IN PVOID				ApcContext OPTIONAL,
621 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
622 | 		IN ULONG				NotifyFilter,
623 | 		IN BOOLEAN				WatchSubtree,
624 | 		IN PVOID				Buffer,
625 | 		IN ULONG				BufferLength,
626 | 		IN BOOLEAN				Asynchrous
627 | 		);
628 | 	typedef NTSTATUS (NTAPI* pfNtNotifyChangeMultipleKeys)(
629 | 		IN HANDLE				KeyHandle,
630 | 		IN ULONG				Flags,
631 | 		IN POBJECT_ATTRIBUTES	KeyObjectAttributes,
632 | 		IN HANDLE				EventHandle OPTIONAL,
633 | 		IN PIO_APC_ROUTINE		ApcRoutine OPTIONAL,
634 | 		IN PVOID				ApcContext OPTIONAL,
635 | 		OUT PIO_STATUS_BLOCK	IoStatusBlock,
636 | 		IN ULONG				NotifyFilter,
637 | 		IN BOOLEAN				WatchSubtree,
638 | 		IN PVOID				Buffer,
639 | 		IN ULONG				BufferLength,
640 | 		IN BOOLEAN				Asynchronous
641 | 		);
642 | 	typedef NTSTATUS (NTAPI* pfNtInitializeRegistry)(
643 | 		IN BOOLEAN	Setup
644 | 		);
645 | 
646 | 	/*
647 | 		Port API
648 | 	*/
649 | 	typedef NTSTATUS (NTAPI* pfNtCreatePort)(
650 | 		OUT PHANDLE				PortHandle,
651 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
652 | 		IN ULONG				MaxDataSize,
653 | 		IN ULONG				MaxMessageSize,
654 | 		IN ULONG				Reserved
655 | 		);
656 | 	typedef NTSTATUS (NTAPI* pfNtCreateWaitablePort)(
657 | 		OUT PHANDLE				PortHandle,
658 | 		IN POBJECT_ATTRIBUTES	ObjectAttributes,
659 | 		IN ULONG				MaxDataSize,
660 | 		IN ULONG				MaxMessageSize,
661 | 		IN ULONG				Reserved
662 | 		);
663 | 	typedef NTSTATUS (NTAPI* pfNtConnectPort)(
664 | 		OUT PHANDLE						PortHandle,
665 | 		IN PUNICODE_STRING				PortName,
666 | 		IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
667 | 		IN OUT PPORT_SECTION_WRITE		WriteSection OPTIONAL,
668 | 		IN OUT PPORT_SECTION_READ		ReadSection OPTIONAL,
669 | 		OUT PULONG						MaxMessageSize OPTIONAL,
670 | 		IN OUT PVOID					ConnectData OPTIONAL,
671 | 		IN OUT PULONG					ConnectDataLength OPTIONAL
672 | 		);
673 | 	typedef NTSTATUS (NTAPI* pfNtSecureConnectPort)(
674 | 		OUT PHANDLE						PortHandle,
675 | 		IN PUNICODE_STRING				PortName,
676 | 		IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
677 | 		IN OUT PPORT_SECTION_WRITE		WriteSection OPTIONAL,
678 | 		IN PSID							ServerSid OPTIONAL,
679 | 		IN OUT PPORT_SECTION_READ		ReadSection OPTIONAL,
680 | 		OUT PULONG						MaxMessageSize OPTIONAL,
681 | 		IN OUT PVOID					ConnectData OPTIONAL,
682 | 		IN OUT PULONG					ConnectDataLength OPTIONAL
683 | 		);
684 | 	typedef NTSTATUS (NTAPI* pfNtAlpcCreatePort)(
685 | 		__out PHANDLE					PortHandle,
686 | 		__in POBJECT_ATTRIBUTES			ObjectAttributes,
687 | 		__in_opt PALPC_PORT_ATTRIBUTES	PortAttributes
688 | 		);
689 | 	typedef NTSTATUS (NTAPI* pfNtAlpcConnectPort)(
690 | 		__out PHANDLE							PortHandle,
691 | 		__in PUNICODE_STRING					PortName,
692 | 		__in POBJECT_ATTRIBUTES					ObjectAttributes,
693 | 		__in_opt PALPC_PORT_ATTRIBUTES			PortAttributes,
694 | 		__in ULONG								Flags,
695 | 		__in_opt PSID							RequiredServerSid,
696 | 		__inout PPORT_MESSAGE					ConnectionMessage,
697 | 		__inout_opt PULONG						BufferLength,
698 | 		__inout_opt PALPC_MESSAGE_ATTRIBUTES	OutMessageAttributes,
699 | 		__inout_opt PALPC_MESSAGE_ATTRIBUTES	InMessageAttributes,
700 | 		__in_opt PLARGE_INTEGER					Timeout
701 | 		);
702 | 	typedef NTSTATUS (NTAPI* pfNtAlpcConnectPortEx)(
703 | 		__out PHANDLE							PortHandle,
704 | 		__in POBJECT_ATTRIBUTES					PortName,
705 | 		__in POBJECT_ATTRIBUTES					ObjectAttributes,
706 | 		__in_opt PALPC_PORT_ATTRIBUTES			PortAttributes,
707 | 		__in ULONG								Flags,
708 | 		__in_opt PSID							RequiredServerSid,
709 | 		__inout PPORT_MESSAGE					ConnectionMessage,
710 | 		__inout_opt PULONG						BufferLength,
711 | 		__inout_opt PALPC_MESSAGE_ATTRIBUTES	OutMessageAttributes,
712 | 		__inout_opt PALPC_MESSAGE_ATTRIBUTES	InMessageAttributes,
713 | 		__in_opt PLARGE_INTEGER					Timeout
714 | 		);
715 | 
716 | 	/*
717 | 		Atom API
718 | 	*/
719 | 	typedef NTSTATUS (NTAPI* pfNtAddAtom)(
720 | 		IN PWSTR String,
721 | 		IN ULONG StringLength,
722 | 		OUT PUSHORT Atom
723 | 		);
724 | 	typedef NTSTATUS (NTAPI* pfNtAddAtomEx)(
725 | 		IN PWSTR String,
726 | 		IN ULONG StringLength,
727 | 		OUT PUSHORT Atom,
728 | 		ULONG Unknown
729 | 		);
730 | 	typedef NTSTATUS (NTAPI* pfNtFindAtom)(
731 | 		IN PWSTR String,
732 | 		IN ULONG StringLength,
733 | 		OUT PUSHORT Atom
734 | 		);
735 | 
736 | 	/*
737 | 		Driver API
738 | 	*/
739 | 	typedef NTSTATUS(NTAPI* pfNtLoadDriver)(
740 | 		IN PUNICODE_STRING DriverServiceName
741 | 		);
742 | 	typedef NTSTATUS(NTAPI* pfNtUnloadDriver)(
743 | 		IN PUNICODE_STRING DriverServiceName
744 | 		);
745 | 
746 | 	/*
747 | 		Transaction API
748 | 	*/
749 | 	typedef NTSTATUS(NTAPI* pfNtCreateTransaction)(
750 | 		__out PHANDLE				TransactionHandle,
751 | 		__in ACCESS_MASK			DesiredAccess,
752 | 		__in_opt PVOID				ObjectAttributes,
753 | 		__in_opt LPGUID				Uow,
754 | 		__in_opt HANDLE				TmHandle,
755 | 		__in_opt ULONG				CreateOptions,
756 | 		__in_opt ULONG				IsolationLevel,
757 | 		__in_opt ULONG				IsolationFlags,
758 | 		__in_opt PLARGE_INTEGER		Timeout,
759 | 		__in_opt PUNICODE_STRING	Description);
760 | 	typedef NTSTATUS(NTAPI* pfNtOpenTransaction)(
761 | 		__out PHANDLE		TransactionHandle,
762 | 		__in ACCESS_MASK	DesiredAccess,
763 | 		__in_opt PVOID		ObjectAttributes,
764 | 		__in LPGUID			Uow,
765 | 		__in_opt HANDLE		TmHandle);
766 | 	typedef NTSTATUS(NTAPI* pfNtCommitTransaction)(IN PHANDLE  TransactionHandle, IN BOOLEAN  Wait);
767 | 	typedef NTSTATUS(NTAPI* pfNtRollbackTransaction)(IN PHANDLE  TransactionHandle, IN BOOLEAN  Wait);
768 | 
769 | 	/*
770 | 		Security API
771 | 	*/
772 | 	typedef NTSTATUS(NTAPI* pfNtQuerySecurityObject)(
773 | 		IN HANDLE					Handle,
774 | 		IN SECURITY_INFORMATION		SecurityInformation,
775 | 		OUT PSECURITY_DESCRIPTOR	SecurityDescriptor,
776 | 		IN ULONG					SecurityDescriptorLength,
777 | 		OUT PULONG					ReturnLength
778 | 		);
779 | 	typedef NTSTATUS(NTAPI* pfNtSetSecurityObject)(
780 | 		IN HANDLE					Handle,
781 | 		IN SECURITY_INFORMATION		SecurityInformation,
782 | 		IN PSECURITY_DESCRIPTOR		SecurityDescriptor
783 | 		);
784 | 	typedef BOOLEAN(NTAPI* pfRtlFlushSecureMemoryCache)(
785 | 		IN PVOID					MemoryCache,
786 | 		IN SIZE_T					MemoryLength
787 | 		);
788 | 
789 | 	class ntdllapi
790 | 	{
791 | 	public:
792 | 
793 | 		pfRtlInitAnsiString RtlInitAnsiString;
794 | 		pfRtlInitUnicodeString RtlInitUnicodeString;
795 | 
796 | 		/*
797 | 			General API
798 | 		*/
799 | 		pfNtClose NtClose;
800 | 		pfNtQueryObject NtQueryObject;
801 | 		pfNtSetSystemInformation NtSetSystemInformation;
802 | 		pfNtQuerySystemInformation NtQuerySystemInformation;
803 | 		pfRtlGetVersion RtlGetVersion;
804 | 
805 | 		/*
806 | 			DLL API
807 | 		*/
808 | 		pfLdrGetProcedureAddress LdrGetProcedureAddress;
809 | 		pfLdrLoadDll LdrLoadDll;
810 | 		pfLdrGetDllHandle LdrGetDllHandle;
811 | 
812 | 		/*
813 | 			Process API
814 | 		*/
815 | 		pfNtOpenThread NtOpenThread;
816 | 		pfNtQueryInformationThread NtQueryInformationThread;
817 | 		pfNtQueryInformationProcess NtQueryInformationProcess;
818 | 		pfRtlGetCurrentDirectory_U RtlGetCurrentDirectory_U;
819 | 		pfRtlSetCurrentDirectory_U RtlSetCurrentDirectory_U;
820 | 		pfNtCreateToken NtCreateToken;
821 | 		pfNtTerminateProcess NtTerminateProcess;
822 | 		pfNtCreateProcess NtCreateProcess;
823 | 		pfNtCreateProcessEx NtCreateProcessEx;
824 | 		pfNtCreateUserProcess NtCreateUserProcess;
825 | 
826 | 		/*
827 | 			Synchronization Objects (Section, Event, Mutex, Semaphore) API
828 | 		*/
829 | 		pfNtOpenSection NtOpenSection;
830 | 		pfNtCreateSection NtCreateSection;
831 | 		pfNtMapViewOfSection NtMapViewOfSection;
832 | 		pfNtUnmapViewOfSection NtUnmapViewOfSection;
833 | 		pfNtOpenEvent NtOpenEvent;
834 | 		pfNtCreateEvent NtCreateEvent;
835 | 		pfNtOpenMutant NtOpenMutant;
836 | 		pfNtCreateMutant NtCreateMutant;
837 | 		pfNtOpenSemaphore NtOpenSemaphore;
838 | 		pfNtCreateSemaphore NtCreateSemaphore;
839 | 		pfNtWaitForSingleObject NtWaitForSingleObject;
840 | 		pfNtWaitForMultipleObjects NtWaitForMultipleObjects;
841 | 		pfNtReleaseMutant NtReleaseMutant;
842 | 		pfNtSetEvent NtSetEvent;
843 | 		pfNtClearEvent NtClearEvent;
844 | 
845 | 		/*
846 | 			File API
847 | 		*/
848 | 		pfNtCreateNamedPipeFile NtCreateNamedPipeFile;
849 | 		pfNtCreateMailslotFile NtCreateMailslotFile;
850 | 		pfNtCreateFile NtCreateFile;
851 | 		pfNtOpenFile NtOpenFile;
852 | 		pfNtDeleteFile NtDeleteFile;
853 | 		pfNtReadFile NtReadFile;
854 | 		pfNtWriteFile NtWriteFile;
855 | 		pfNtNotifyChangeDirectoryFile NtNotifyChangeDirectoryFile;
856 | 		pfNtQueryAttributesFile NtQueryAttributesFile;
857 | 		pfNtQueryFullAttributesFile NtQueryFullAttributesFile;
858 | 		pfNtQueryInformationFile NtQueryInformationFile;
859 | 		pfNtSetInformationFile NtSetInformationFile;
860 | 		pfNtQueryDirectoryFile NtQueryDirectoryFile;
861 | 		pfNtQueryVolumeInformationFile NtQueryVolumeInformationFile;
862 | 		pfNtFsControlFile NtFsControlFile;
863 | 		pfNtDeviceIoControlFile NtDeviceIoControlFile;
864 | 
865 | 		/*
866 | 			Directory API
867 | 		*/
868 | 		pfNtOpenDirectoryObject NtOpenDirectoryObject;
869 | 		pfNtCreateDirectoryObject NtCreateDirectoryObject;
870 | 		pfNtCreateDirectoryObjectEx NtCreateDirectoryObjectEx;
871 | 		pfNtQueryDirectoryObject NtQueryDirectoryObject;
872 | 
873 | 		/*
874 | 			SymbolicLink API
875 | 		*/
876 | 		pfNtOpenSymbolicLinkObject NtOpenSymbolicLinkObject;
877 | 		pfNtCreateSymbolicLinkObject NtCreateSymbolicLinkObject;
878 | 		pfNtQuerySymbolicLinkObject NtQuerySymbolicLinkObject;
879 | 
880 | 		/*
881 | 			Registry API
882 | 		*/
883 | 		pfNtCompactKeys NtCompactKeys;
884 | 		pfNtCompressKey NtCompressKey;
885 | 		pfNtCreateKey NtCreateKey;
886 | 		pfNtCreateKeyTransacted NtCreateKeyTransacted;
887 | 		pfNtOpenKey NtOpenKey;
888 | 		pfNtOpenKeyEx NtOpenKeyEx;
889 | 		pfNtOpenKeyTransacted NtOpenKeyTransacted;
890 | 		pfNtOpenKeyTransactedEx NtOpenKeyTransactedEx;
891 | 		pfNtDeleteKey NtDeleteKey;
892 | 		pfNtQueryKey NtQueryKey;
893 | 		pfNtEnumerateKey NtEnumerateKey;
894 | 		pfNtDeleteValueKey NtDeleteValueKey;
895 | 		pfNtSetValueKey NtSetValueKey;
896 | 		pfNtQueryValueKey NtQueryValueKey;
897 | 		pfNtEnumerateValueKey NtEnumerateValueKey;
898 | 		pfNtQueryMultipleValueKey NtQueryMultipleValueKey;
899 | 		pfNtFlushKey NtFlushKey;
900 | 		pfNtSaveKey NtSaveKey;
901 | 		pfNtSaveKeyEx NtSaveKeyEx;
902 | 		pfNtSaveMergedKeys NtSaveMergedKeys;
903 | 		pfNtRestoreKey NtRestoreKey;
904 | 		pfNtLoadKey NtLoadKey;
905 | 		pfNtLoadKey2 NtLoadKey2;
906 | 		pfNtLoadKeyEx NtLoadKeyEx;
907 | 		pfNtUnloadKey NtUnloadKey;
908 | 		pfNtUnloadKey2 NtUnloadKey2;
909 | 		pfNtUnloadKeyEx NtUnloadKeyEx;
910 | 		pfNtQueryOpenSubKeys NtQueryOpenSubKeys;
911 | 		pfNtQueryOpenSubKeysEx NtQueryOpenSubKeysEx;
912 | 		pfNtReplaceKey NtReplaceKey;
913 | 		pfNtSetInformationKey NtSetInformationKey;
914 | 		pfNtRenameKey NtRenameKey;
915 | 		pfNtNotifyChangeKey NtNotifyChangeKey;
916 | 		pfNtNotifyChangeMultipleKeys NtNotifyChangeMultipleKeys;
917 | 		pfNtInitializeRegistry NtInitializeRegistry;
918 | 		pfNtLockRegistryKey NtLockRegistryKey;
919 | 
920 | 		/*
921 | 			Port API
922 | 		*/
923 | 		pfNtCreatePort NtCreatePort;
924 | 		pfNtCreateWaitablePort NtCreateWaitablePort;
925 | 		pfNtConnectPort NtConnectPort;
926 | 		pfNtSecureConnectPort NtSecureConnectPort;
927 | 		pfNtAlpcCreatePort NtAlpcCreatePort;
928 | 		pfNtAlpcConnectPort NtAlpcConnectPort;
929 | 		pfNtAlpcConnectPortEx NtAlpcConnectPortEx;
930 | 
931 | 		/*
932 | 			Atom API
933 | 		*/
934 | 		pfNtAddAtom NtAddAtom;
935 | 		pfNtAddAtomEx NtAddAtomEx;
936 | 		pfNtFindAtom NtFindAtom;
937 | 
938 | 		/*
939 | 			Driver API
940 | 		*/
941 | 		pfNtLoadDriver NtLoadDriver;
942 | 		pfNtUnloadDriver NtUnloadDriver;
943 | 
944 | 		/*
945 | 			Transaction API
946 | 		*/
947 | 		pfNtCreateTransaction NtCreateTransaction;
948 | 		pfNtOpenTransaction NtOpenTransaction;
949 | 		pfNtRollbackTransaction NtRollbackTransaction;
950 | 		pfNtCommitTransaction NtCommitTransaction;
951 | 
952 | 		/*
953 | 			Security API
954 | 		*/
955 | 		pfNtQuerySecurityObject NtQuerySecurityObject;
956 | 		pfNtSetSecurityObject NtSetSecurityObject;
957 | 		pfRtlFlushSecureMemoryCache RtlFlushSecureMemoryCache;
958 | 		
959 | 		static ntdllapi* GetInstance();
960 | 	protected:
961 | 		ntdllapi(void);
962 | 		virtual ~ntdllapi(void);
963 | 
964 | 	private:
965 | 	};
966 | 
967 | }


--------------------------------------------------------------------------------
/include/ntdlllib/ntdllfiles.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <string>
 3 | 
 4 | namespace ntdlllib
 5 | {
 6 | 	class ntdllfiles
 7 | 	{
 8 | 	public:
 9 | 		/*
10 | 			ToKernelPath
11 | 				return path starts with \??\.
12 | 			FromKernelPath
13 | 				return path removed \??\
14 | 		*/
15 | 		static std::wstring ToKernelPath(const std::wstring& str);
16 | 		static std::wstring FromKernelPath(const std::wstring& strKernelPath);
17 | 		/*
18 | 			CreateFile
19 | 			Input : 
20 | 				strPath - path that you want to create or open.
21 | 				piostatusblock - iostatusblock pointer
22 | 			Output :
23 | 				Handle - handle of input path file if it succeeds to create or open.
24 | 						if it fails, returns NULL
25 | 			After using handle, handle must be closed via ntclose function.
26 | 		*/
27 | 		static HANDLE CreateFile(const std::wstring& strPath);
28 | 		static HANDLE CreateFile(const std::wstring& strPath, PIO_STATUS_BLOCK piostatusblock);
29 | 
30 | 		/*
31 | 			CopyFile
32 | 			Input :
33 | 				strSourcePath - source path to copy
34 | 				strDestinationPath - destination path to copy
35 | 			Output :
36 | 				bool - return true when succeed to copy, or return  false.
37 | 		*/
38 | 		static bool CopyFile(const std::wstring& strSourcePath, const std::wstring& strDestinationPath);
39 | 	private:
40 | 	};
41 | }


--------------------------------------------------------------------------------
/include/ntdlllib/ntdllobj.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntdlllib/ntdll.h>
 3 | #include <string>
 4 | 
 5 | namespace ntdlllib
 6 | {
 7 | 	class ntdllobj
 8 | 	{
 9 | 	public:
10 | 		static bool QueryDeviceName(HANDLE hGlobalDirectory, const std::wstring& strInDeviceName, std::wstring& strSymDeviceName);
11 | 		static HANDLE OpenSymbolicLink(HANDLE hRootDirectory, const std::wstring& strName);
12 | 		static HANDLE OpenGlobalDirectoryObject();
13 | 		static HANDLE OpenDirectoryObject(const std::wstring& strDirectoryName);
14 | 	private:
15 | 	};
16 | }


--------------------------------------------------------------------------------
/include/ntdlllib/ntdllutil.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <ntdlllib/ntdll.h>
 3 | #include <string>
 4 | 
 5 | namespace ntdlllib
 6 | {
 7 | 	class ntdllutil
 8 | 	{ 
 9 | 	public:
10 | 		static BOOL UnicodeStringToString(PUNICODE_STRING pusz, std::wstring& str);
11 | 		static BOOL MoveStringToUnicodeString(std::wstring const& str, PUNICODE_STRING pusz);
12 | 		static BOOL StringToUnicodeString(std::wstring const& str, PUNICODE_STRING pusz);
13 | 		static void FreeUnicodeString(PUNICODE_STRING pusz);
14 | 
15 | 		static void CloseHandle(HANDLE handle);
16 | 	private:
17 | 	};
18 | }


--------------------------------------------------------------------------------
/include/ntdlllib/ntuser.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | namespace ntdlllib
 4 | {
 5 | 
 6 | typedef struct _LARGE_STRING
 7 | {
 8 | 	ULONG Length;
 9 | 	ULONG MaximumLength:31;
10 | 	ULONG bAnsi:1;
11 | 	PVOID Buffer;
12 | } LARGE_STRING, *PLARGE_STRING;
13 | 
14 | 
15 | #define DWORD_ALIGN(pAddr)	((LPWORD)(((DWORD_PTR)pAddr + 3) & ~3))
16 | 
17 | #pragma pack(push, 1)
18 | 
19 | typedef struct {
20 | 	WORD dlgVer;
21 | 	WORD signature;
22 | 	DWORD helpID;
23 | 	DWORD exStyle;
24 | 	DWORD style;
25 | 	WORD cDlgItems;
26 | 	short x;
27 | 	short y;
28 | 	short cx;
29 | 	short cy;
30 | 	// 	sz_Or_Ord menu;
31 | 	// 	sz_Or_Ord windowClass;
32 | 	// 	WCHAR title[titleLen];
33 | 	// 	WORD pointsize;
34 | 	// 	WORD weight;
35 | 	// 	BYTE italic;
36 | 	// 	BYTE charset;
37 | 	// 	WCHAR typeface[stringLen];
38 | } DLGTEMPLATEEX;
39 | typedef DLGTEMPLATEEX* LPDLGTEMPLATEEX;
40 | 
41 | typedef struct {
42 | 	DWORD helpID;
43 | 	DWORD exStyle;
44 | 	DWORD style;
45 | 	short x;
46 | 	short y;
47 | 	short cx;
48 | 	short cy;
49 | 	DWORD id;
50 | 	// 	sz_Or_Ord windowClass;
51 | 	// 	sz_Or_Ord title;
52 | 	// 	WORD extraCount;
53 | } DLGITEMTEMPLATEEX;
54 | typedef DLGITEMTEMPLATEEX* LPDLGITEMTEMPLATEEX;
55 | 
56 | #pragma pack(pop)
57 | 
58 | }


--------------------------------------------------------------------------------
/lib/Win32/ntdlllib_md.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/Win32/ntdlllib_md.lib


--------------------------------------------------------------------------------
/lib/Win32/ntdlllib_mdd.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/Win32/ntdlllib_mdd.lib


--------------------------------------------------------------------------------
/lib/Win32/ntdlllib_mt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/Win32/ntdlllib_mt.lib


--------------------------------------------------------------------------------
/lib/Win32/ntdlllib_mtd.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/Win32/ntdlllib_mtd.lib


--------------------------------------------------------------------------------
/lib/x64/ntdlllib_md.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/x64/ntdlllib_md.lib


--------------------------------------------------------------------------------
/lib/x64/ntdlllib_mdd.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/x64/ntdlllib_mdd.lib


--------------------------------------------------------------------------------
/lib/x64/ntdlllib_mt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/x64/ntdlllib_mt.lib


--------------------------------------------------------------------------------
/lib/x64/ntdlllib_mtd.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/star114/windows-ntdll-api-library/682eb0b2c93be7561f89ebd8600804a0d1ce58fb/lib/x64/ntdlllib_mtd.lib


--------------------------------------------------------------------------------
/project/ntdlllib/NtdllLib.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug DLL|Win32">
  5 |       <Configuration>Debug DLL</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug DLL|x64">
  9 |       <Configuration>Debug DLL</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|Win32">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Debug|x64">
 17 |       <Configuration>Debug</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Release DLL|Win32">
 21 |       <Configuration>Release DLL</Configuration>
 22 |       <Platform>Win32</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release DLL|x64">
 25 |       <Configuration>Release DLL</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Release|Win32">
 29 |       <Configuration>Release</Configuration>
 30 |       <Platform>Win32</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|x64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>x64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{D667E75F-479E-4410-BD73-DEADEB70857B}</ProjectGuid>
 39 |     <Keyword>Win32Proj</Keyword>
 40 |     <RootNamespace>NtdllLib</RootNamespace>
 41 |   </PropertyGroup>
 42 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 44 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 45 |     <UseDebugLibraries>true</UseDebugLibraries>
 46 |     <PlatformToolset>v120_xp</PlatformToolset>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|Win32'" Label="Configuration">
 50 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 51 |     <UseDebugLibraries>true</UseDebugLibraries>
 52 |     <PlatformToolset>v120_xp</PlatformToolset>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 56 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 57 |     <UseDebugLibraries>true</UseDebugLibraries>
 58 |     <PlatformToolset>v120_xp</PlatformToolset>
 59 |     <CharacterSet>Unicode</CharacterSet>
 60 |   </PropertyGroup>
 61 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|x64'" Label="Configuration">
 62 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 63 |     <UseDebugLibraries>true</UseDebugLibraries>
 64 |     <PlatformToolset>v120_xp</PlatformToolset>
 65 |     <CharacterSet>Unicode</CharacterSet>
 66 |   </PropertyGroup>
 67 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 68 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 69 |     <UseDebugLibraries>false</UseDebugLibraries>
 70 |     <PlatformToolset>v120_xp</PlatformToolset>
 71 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 72 |     <CharacterSet>Unicode</CharacterSet>
 73 |   </PropertyGroup>
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|Win32'" Label="Configuration">
 75 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 76 |     <UseDebugLibraries>false</UseDebugLibraries>
 77 |     <PlatformToolset>v120_xp</PlatformToolset>
 78 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 79 |     <CharacterSet>Unicode</CharacterSet>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 82 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 83 |     <UseDebugLibraries>false</UseDebugLibraries>
 84 |     <PlatformToolset>v120_xp</PlatformToolset>
 85 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 86 |     <CharacterSet>Unicode</CharacterSet>
 87 |   </PropertyGroup>
 88 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|x64'" Label="Configuration">
 89 |     <ConfigurationType>StaticLibrary</ConfigurationType>
 90 |     <UseDebugLibraries>false</UseDebugLibraries>
 91 |     <PlatformToolset>v120_xp</PlatformToolset>
 92 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 93 |     <CharacterSet>Unicode</CharacterSet>
 94 |   </PropertyGroup>
 95 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 96 |   <ImportGroup Label="ExtensionSettings">
 97 |   </ImportGroup>
 98 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 99 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
100 |   </ImportGroup>
101 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|Win32'" Label="PropertySheets">
102 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
103 |   </ImportGroup>
104 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
105 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
106 |   </ImportGroup>
107 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|x64'" Label="PropertySheets">
108 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
109 |   </ImportGroup>
110 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
111 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
112 |   </ImportGroup>
113 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|Win32'" Label="PropertySheets">
114 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
115 |   </ImportGroup>
116 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
117 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
118 |   </ImportGroup>
119 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|x64'" Label="PropertySheets">
120 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
121 |   </ImportGroup>
122 |   <PropertyGroup Label="UserMacros" />
123 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
124 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
125 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
126 |     <TargetName>ntdlllib_mt</TargetName>
127 |   </PropertyGroup>
128 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|Win32'">
129 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
130 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
131 |     <TargetName>ntdlllib_md</TargetName>
132 |   </PropertyGroup>
133 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
134 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
135 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
136 |     <TargetName>ntdlllib_mt</TargetName>
137 |   </PropertyGroup>
138 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|x64'">
139 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
140 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
141 |     <TargetName>ntdlllib_md</TargetName>
142 |   </PropertyGroup>
143 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
144 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
145 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
146 |     <TargetName>ntdlllib_mtd</TargetName>
147 |   </PropertyGroup>
148 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|Win32'">
149 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
150 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
151 |     <TargetName>ntdlllib_mdd</TargetName>
152 |   </PropertyGroup>
153 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
154 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
155 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
156 |     <TargetName>ntdlllib_mtd</TargetName>
157 |   </PropertyGroup>
158 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|x64'">
159 |     <OutDir>..\..\lib\$(Platform)\</OutDir>
160 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
161 |     <TargetName>ntdlllib_mdd</TargetName>
162 |   </PropertyGroup>
163 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
164 |     <ClCompile>
165 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
166 |       <WarningLevel>Level3</WarningLevel>
167 |       <Optimization>Disabled</Optimization>
168 |       <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
169 |       <SDLCheck>true</SDLCheck>
170 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
171 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
172 |     </ClCompile>
173 |     <Link>
174 |       <SubSystem>Windows</SubSystem>
175 |       <GenerateDebugInformation>true</GenerateDebugInformation>
176 |     </Link>
177 |   </ItemDefinitionGroup>
178 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|Win32'">
179 |     <ClCompile>
180 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
181 |       <WarningLevel>Level3</WarningLevel>
182 |       <Optimization>Disabled</Optimization>
183 |       <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
184 |       <SDLCheck>true</SDLCheck>
185 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
186 |     </ClCompile>
187 |     <Link>
188 |       <SubSystem>Windows</SubSystem>
189 |       <GenerateDebugInformation>true</GenerateDebugInformation>
190 |     </Link>
191 |   </ItemDefinitionGroup>
192 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
193 |     <ClCompile>
194 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
195 |       <WarningLevel>Level3</WarningLevel>
196 |       <Optimization>Disabled</Optimization>
197 |       <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
198 |       <SDLCheck>true</SDLCheck>
199 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
200 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
201 |     </ClCompile>
202 |     <Link>
203 |       <SubSystem>Windows</SubSystem>
204 |       <GenerateDebugInformation>true</GenerateDebugInformation>
205 |     </Link>
206 |   </ItemDefinitionGroup>
207 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug DLL|x64'">
208 |     <ClCompile>
209 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
210 |       <WarningLevel>Level3</WarningLevel>
211 |       <Optimization>Disabled</Optimization>
212 |       <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
213 |       <SDLCheck>true</SDLCheck>
214 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
215 |     </ClCompile>
216 |     <Link>
217 |       <SubSystem>Windows</SubSystem>
218 |       <GenerateDebugInformation>true</GenerateDebugInformation>
219 |     </Link>
220 |   </ItemDefinitionGroup>
221 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
222 |     <ClCompile>
223 |       <WarningLevel>Level3</WarningLevel>
224 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
225 |       <Optimization>MaxSpeed</Optimization>
226 |       <FunctionLevelLinking>true</FunctionLevelLinking>
227 |       <IntrinsicFunctions>true</IntrinsicFunctions>
228 |       <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
229 |       <SDLCheck>true</SDLCheck>
230 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
231 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
232 |     </ClCompile>
233 |     <Link>
234 |       <SubSystem>Windows</SubSystem>
235 |       <GenerateDebugInformation>true</GenerateDebugInformation>
236 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
237 |       <OptimizeReferences>true</OptimizeReferences>
238 |     </Link>
239 |   </ItemDefinitionGroup>
240 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|Win32'">
241 |     <ClCompile>
242 |       <WarningLevel>Level3</WarningLevel>
243 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
244 |       <Optimization>MaxSpeed</Optimization>
245 |       <FunctionLevelLinking>true</FunctionLevelLinking>
246 |       <IntrinsicFunctions>true</IntrinsicFunctions>
247 |       <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
248 |       <SDLCheck>true</SDLCheck>
249 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
250 |     </ClCompile>
251 |     <Link>
252 |       <SubSystem>Windows</SubSystem>
253 |       <GenerateDebugInformation>true</GenerateDebugInformation>
254 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
255 |       <OptimizeReferences>true</OptimizeReferences>
256 |     </Link>
257 |   </ItemDefinitionGroup>
258 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
259 |     <ClCompile>
260 |       <WarningLevel>Level3</WarningLevel>
261 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
262 |       <Optimization>MaxSpeed</Optimization>
263 |       <FunctionLevelLinking>true</FunctionLevelLinking>
264 |       <IntrinsicFunctions>true</IntrinsicFunctions>
265 |       <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
266 |       <SDLCheck>true</SDLCheck>
267 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
268 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
269 |     </ClCompile>
270 |     <Link>
271 |       <SubSystem>Windows</SubSystem>
272 |       <GenerateDebugInformation>true</GenerateDebugInformation>
273 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
274 |       <OptimizeReferences>true</OptimizeReferences>
275 |     </Link>
276 |   </ItemDefinitionGroup>
277 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release DLL|x64'">
278 |     <ClCompile>
279 |       <WarningLevel>Level3</WarningLevel>
280 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
281 |       <Optimization>MaxSpeed</Optimization>
282 |       <FunctionLevelLinking>true</FunctionLevelLinking>
283 |       <IntrinsicFunctions>true</IntrinsicFunctions>
284 |       <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
285 |       <SDLCheck>true</SDLCheck>
286 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
287 |     </ClCompile>
288 |     <Link>
289 |       <SubSystem>Windows</SubSystem>
290 |       <GenerateDebugInformation>true</GenerateDebugInformation>
291 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
292 |       <OptimizeReferences>true</OptimizeReferences>
293 |     </Link>
294 |   </ItemDefinitionGroup>
295 |   <ItemGroup>
296 |     <ClCompile Include="..\..\source\ntdlllib\ntdllapi.cpp" />
297 |     <ClCompile Include="..\..\source\ntdlllib\ntdllfiles.cpp" />
298 |     <ClCompile Include="..\..\source\ntdlllib\ntdllutil.cpp" />
299 |     <ClCompile Include="..\..\source\ntdlllib\ntllobj.cpp" />
300 |   </ItemGroup>
301 |   <ItemGroup>
302 |     <ClInclude Include="..\..\include\ntdlllib\all.h" />
303 |     <ClInclude Include="..\..\include\ntdlllib\csrss.h" />
304 |     <ClInclude Include="..\..\include\ntdlllib\ntdll.h" />
305 |     <ClInclude Include="..\..\include\ntdlllib\ntdllapi.h" />
306 |     <ClInclude Include="..\..\include\ntdlllib\ntdllfiles.h" />
307 |     <ClInclude Include="..\..\include\ntdlllib\ntdllobj.h" />
308 |     <ClInclude Include="..\..\include\ntdlllib\ntdllutil.h" />
309 |     <ClInclude Include="..\..\include\ntdlllib\ntstatus.h" />
310 |     <ClInclude Include="..\..\include\ntdlllib\ntuser.h" />
311 |   </ItemGroup>
312 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
313 |   <ImportGroup Label="ExtensionTargets">
314 |   </ImportGroup>
315 | </Project>


--------------------------------------------------------------------------------
/project/ntdlllib/NtdllLib.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Header Files">
 5 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
 6 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files\ntdlllib">
 9 |       <UniqueIdentifier>{9efa0564-5e4c-497a-a4ea-07d4e48211da}</UniqueIdentifier>
10 |     </Filter>
11 |     <Filter Include="Source Files">
12 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
13 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
14 |     </Filter>
15 |     <Filter Include="Source Files\ntdlllib">
16 |       <UniqueIdentifier>{3163ed8d-d8f4-445f-b984-b328b51da25e}</UniqueIdentifier>
17 |     </Filter>
18 |     <Filter Include="Resource Files">
19 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
20 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
21 |     </Filter>
22 |   </ItemGroup>
23 |   <ItemGroup>
24 |     <ClCompile Include="..\..\source\ntdlllib\ntdllapi.cpp">
25 |       <Filter>Source Files\ntdlllib</Filter>
26 |     </ClCompile>
27 |     <ClCompile Include="..\..\source\ntdlllib\ntdllutil.cpp">
28 |       <Filter>Source Files\ntdlllib</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="..\..\source\ntdlllib\ntdllfiles.cpp">
31 |       <Filter>Source Files\ntdlllib</Filter>
32 |     </ClCompile>
33 |     <ClCompile Include="..\..\source\ntdlllib\ntllobj.cpp">
34 |       <Filter>Source Files\ntdlllib</Filter>
35 |     </ClCompile>
36 |   </ItemGroup>
37 |   <ItemGroup>
38 |     <ClInclude Include="..\..\include\ntdlllib\all.h">
39 |       <Filter>Header Files\ntdlllib</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="..\..\include\ntdlllib\csrss.h">
42 |       <Filter>Header Files\ntdlllib</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="..\..\include\ntdlllib\ntdll.h">
45 |       <Filter>Header Files\ntdlllib</Filter>
46 |     </ClInclude>
47 |     <ClInclude Include="..\..\include\ntdlllib\ntdllapi.h">
48 |       <Filter>Header Files\ntdlllib</Filter>
49 |     </ClInclude>
50 |     <ClInclude Include="..\..\include\ntdlllib\ntdllutil.h">
51 |       <Filter>Header Files\ntdlllib</Filter>
52 |     </ClInclude>
53 |     <ClInclude Include="..\..\include\ntdlllib\ntstatus.h">
54 |       <Filter>Header Files\ntdlllib</Filter>
55 |     </ClInclude>
56 |     <ClInclude Include="..\..\include\ntdlllib\ntuser.h">
57 |       <Filter>Header Files\ntdlllib</Filter>
58 |     </ClInclude>
59 |     <ClInclude Include="..\..\include\ntdlllib\ntdllfiles.h">
60 |       <Filter>Header Files\ntdlllib</Filter>
61 |     </ClInclude>
62 |     <ClInclude Include="..\..\include\ntdlllib\ntdllobj.h">
63 |       <Filter>Header Files\ntdlllib</Filter>
64 |     </ClInclude>
65 |   </ItemGroup>
66 | </Project>


--------------------------------------------------------------------------------
/project/ntdlllibtest/NtdllLibTest.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|x64">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>x64</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Release|Win32">
 13 |       <Configuration>Release</Configuration>
 14 |       <Platform>Win32</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <ItemGroup>
 22 |     <ClCompile Include="..\..\source\ntdlllibtest\ntdlllibtest.cpp" />
 23 |   </ItemGroup>
 24 |   <PropertyGroup Label="Globals">
 25 |     <ProjectGuid>{44EB7939-94CF-444E-BC99-B59AE4488549}</ProjectGuid>
 26 |     <Keyword>Win32Proj</Keyword>
 27 |     <RootNamespace>NtdllLibTest</RootNamespace>
 28 |   </PropertyGroup>
 29 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 30 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 31 |     <ConfigurationType>Application</ConfigurationType>
 32 |     <UseDebugLibraries>true</UseDebugLibraries>
 33 |     <PlatformToolset>v120_xp</PlatformToolset>
 34 |     <CharacterSet>Unicode</CharacterSet>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 37 |     <ConfigurationType>Application</ConfigurationType>
 38 |     <UseDebugLibraries>true</UseDebugLibraries>
 39 |     <PlatformToolset>v120_xp</PlatformToolset>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>false</UseDebugLibraries>
 45 |     <PlatformToolset>v120_xp</PlatformToolset>
 46 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v120_xp</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>Unicode</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |     <OutDir>..\..\bin\$(Platform)\</OutDir>
 75 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
 76 |     <TargetName>ntdlllibtestd</TargetName>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 79 |     <LinkIncremental>true</LinkIncremental>
 80 |     <OutDir>..\..\bin\$(Platform)\</OutDir>
 81 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
 82 |     <TargetName>ntdlllibtestd</TargetName>
 83 |   </PropertyGroup>
 84 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 85 |     <LinkIncremental>false</LinkIncremental>
 86 |     <OutDir>..\..\bin\$(Platform)\</OutDir>
 87 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
 88 |     <TargetName>ntdlllibtest</TargetName>
 89 |   </PropertyGroup>
 90 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 91 |     <LinkIncremental>false</LinkIncremental>
 92 |     <OutDir>..\..\bin\$(Platform)\</OutDir>
 93 |     <IntDir>..\..\_mediate\$(ProjectName)\$(Platform)\</IntDir>
 94 |     <TargetName>ntdlllibtest</TargetName>
 95 |   </PropertyGroup>
 96 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 97 |     <ClCompile>
 98 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <Optimization>Disabled</Optimization>
101 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
104 |     </ClCompile>
105 |     <Link>
106 |       <SubSystem>Console</SubSystem>
107 |       <GenerateDebugInformation>true</GenerateDebugInformation>
108 |       <AdditionalLibraryDirectories>;..\..\lib\$(Platform);</AdditionalLibraryDirectories>
109 |     </Link>
110 |   </ItemDefinitionGroup>
111 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
112 |     <ClCompile>
113 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
114 |       <WarningLevel>Level3</WarningLevel>
115 |       <Optimization>Disabled</Optimization>
116 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
117 |       <SDLCheck>true</SDLCheck>
118 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |       <AdditionalLibraryDirectories>;..\..\lib\$(Platform);</AdditionalLibraryDirectories>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
130 |       <Optimization>MaxSpeed</Optimization>
131 |       <FunctionLevelLinking>true</FunctionLevelLinking>
132 |       <IntrinsicFunctions>true</IntrinsicFunctions>
133 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
134 |       <SDLCheck>true</SDLCheck>
135 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
136 |     </ClCompile>
137 |     <Link>
138 |       <SubSystem>Console</SubSystem>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
141 |       <OptimizeReferences>true</OptimizeReferences>
142 |       <AdditionalLibraryDirectories>;..\..\lib\$(Platform);</AdditionalLibraryDirectories>
143 |     </Link>
144 |   </ItemDefinitionGroup>
145 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
146 |     <ClCompile>
147 |       <WarningLevel>Level3</WarningLevel>
148 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
149 |       <Optimization>MaxSpeed</Optimization>
150 |       <FunctionLevelLinking>true</FunctionLevelLinking>
151 |       <IntrinsicFunctions>true</IntrinsicFunctions>
152 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
153 |       <SDLCheck>true</SDLCheck>
154 |       <AdditionalIncludeDirectories>;..\..\include;</AdditionalIncludeDirectories>
155 |     </ClCompile>
156 |     <Link>
157 |       <SubSystem>Console</SubSystem>
158 |       <GenerateDebugInformation>true</GenerateDebugInformation>
159 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
160 |       <OptimizeReferences>true</OptimizeReferences>
161 |       <AdditionalLibraryDirectories>;..\..\lib\$(Platform);</AdditionalLibraryDirectories>
162 |     </Link>
163 |   </ItemDefinitionGroup>
164 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
165 |   <ImportGroup Label="ExtensionTargets">
166 |   </ImportGroup>
167 | </Project>


--------------------------------------------------------------------------------
/project/ntdlllibtest/NtdllLibTest.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="..\..\source\ntdlllibtest\ntdlllibtest.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/source/ntdlllib/ntdllapi.cpp:
--------------------------------------------------------------------------------
  1 | #include <ntdlllib/all.h>
  2 | 
  3 | namespace ntdlllib
  4 | {
  5 | 
  6 | ntdllapi::ntdllapi(void)
  7 | {
  8 | 	HMODULE hModule = ::GetModuleHandleW(L"ntdll.dll");
  9 | 	if (NULL == hModule) hModule = ::LoadLibraryW(L"ntdll.dll");
 10 | 	if (NULL == hModule) throw;
 11 | 
 12 | 	RtlInitAnsiString = (pfRtlInitAnsiString)::GetProcAddress(hModule, "RtlInitAnsiString");
 13 | 	RtlInitUnicodeString = (pfRtlInitUnicodeString)::GetProcAddress(hModule, "RtlInitUnicodeString");
 14 | 
 15 | 	/*
 16 | 		General API
 17 | 	*/
 18 | 	NtClose = (pfNtClose)::GetProcAddress(hModule, "NtClose");
 19 | 	NtQueryObject = (pfNtQueryObject)::GetProcAddress(hModule, "NtQueryObject");
 20 | 	NtQuerySystemInformation = (pfNtQuerySystemInformation)::GetProcAddress(hModule, "NtQuerySystemInformation");
 21 | 	NtSetSystemInformation = (pfNtSetSystemInformation)::GetProcAddress(hModule, "NtSetSystemInformation");
 22 | 	RtlGetVersion = (pfRtlGetVersion)::GetProcAddress(hModule, "RtlGetVersion");
 23 | 
 24 | 	/*
 25 | 		DLL API
 26 | 	*/
 27 | 	LdrGetProcedureAddress = (pfLdrGetProcedureAddress)::GetProcAddress(hModule, "LdrGetProcedureAddress");
 28 | 	LdrLoadDll = (pfLdrLoadDll)::GetProcAddress(hModule, "LdrLoadDll");
 29 | 	LdrGetDllHandle = (pfLdrGetDllHandle)::GetProcAddress(hModule, "LdrGetDllHandle");
 30 | 
 31 | 	/*
 32 | 		Process API
 33 | 	*/
 34 | 	NtOpenThread = (pfNtOpenThread)::GetProcAddress(hModule, "NtOpenThread");
 35 | 	NtQueryInformationThread = (pfNtQueryInformationThread)::GetProcAddress(hModule, "NtQueryInformationThread");
 36 | 	NtQueryInformationProcess = (pfNtQueryInformationProcess)::GetProcAddress(hModule, "NtQueryInformationProcess");
 37 | 	RtlGetCurrentDirectory_U = (pfRtlGetCurrentDirectory_U)::GetProcAddress(hModule, "RtlGetCurrentDirectory_U");
 38 | 	RtlSetCurrentDirectory_U = (pfRtlSetCurrentDirectory_U)::GetProcAddress(hModule, "RtlSetCurrentDirectory_U");
 39 | 	NtCreateToken = (pfNtCreateToken)::GetProcAddress(hModule, "NtCreateToken");
 40 | 	NtTerminateProcess = (pfNtTerminateProcess)::GetProcAddress(hModule, "NtTerminateProcess");
 41 | 	NtCreateProcess = (pfNtCreateProcess)::GetProcAddress(hModule, "NtCreateProcess");
 42 | 	NtCreateProcessEx = (pfNtCreateProcessEx)::GetProcAddress(hModule, "NtCreateProcessEx");
 43 | 	NtCreateUserProcess = (pfNtCreateUserProcess)::GetProcAddress(hModule, "NtCreateUserProcess");
 44 | 
 45 | 	/*
 46 | 		Synchronization Objects (Section, Event, Mutex, Semaphore) API
 47 | 	*/
 48 | 	NtOpenSection = (pfNtOpenSection)::GetProcAddress(hModule, "NtOpenSection");
 49 | 	NtCreateSection = (pfNtCreateSection)::GetProcAddress(hModule, "NtCreateSection");
 50 | 	NtMapViewOfSection = (pfNtMapViewOfSection)::GetProcAddress(hModule, "NtMapViewOfSection");
 51 | 	NtUnmapViewOfSection = (pfNtUnmapViewOfSection)::GetProcAddress(hModule, "NtUnmapViewOfSection");
 52 | 	NtOpenEvent = (pfNtOpenEvent)::GetProcAddress(hModule, "NtOpenEvent");
 53 | 	NtCreateEvent = (pfNtCreateEvent)::GetProcAddress(hModule, "NtCreateEvent");
 54 | 	NtOpenMutant = (pfNtOpenMutant)::GetProcAddress(hModule, "NtOpenMutant");
 55 | 	NtCreateMutant = (pfNtCreateMutant)::GetProcAddress(hModule, "NtCreateMutant");
 56 | 	NtOpenSemaphore = (pfNtOpenSemaphore)::GetProcAddress(hModule, "NtOpenSemaphore");
 57 | 	NtCreateSemaphore = (pfNtCreateSemaphore)::GetProcAddress(hModule, "NtCreateSemaphore");
 58 | 	NtWaitForSingleObject = (pfNtWaitForSingleObject)::GetProcAddress(hModule, "NtWaitForSingleObject");
 59 | 	NtWaitForMultipleObjects = (pfNtWaitForMultipleObjects)::GetProcAddress(hModule, "NtWaitForMultipleObjects");
 60 | 	NtReleaseMutant = (pfNtReleaseMutant)::GetProcAddress(hModule, "NtReleaseMutant");
 61 | 	NtSetEvent = (pfNtSetEvent)::GetProcAddress(hModule, "NtSetEvent");
 62 | 	NtClearEvent = (pfNtClearEvent)::GetProcAddress(hModule, "NtClearEvent");
 63 | 	
 64 | 	/*
 65 | 		File API
 66 | 	*/
 67 | 	NtCreateNamedPipeFile = (pfNtCreateNamedPipeFile)::GetProcAddress(hModule, "NtCreateNamedPipeFile");
 68 | 	NtCreateMailslotFile = (pfNtCreateMailslotFile)::GetProcAddress(hModule, "NtCreateMailslotFile");
 69 | 	NtCreateFile = (pfNtCreateFile)::GetProcAddress(hModule, "NtCreateFile");
 70 | 	NtOpenFile = (pfNtOpenFile)::GetProcAddress(hModule, "NtOpenFile");
 71 | 	NtDeleteFile = (pfNtDeleteFile)::GetProcAddress(hModule, "NtDeleteFile");
 72 | 	NtReadFile = (pfNtReadFile)::GetProcAddress(hModule, "NtReadFile");
 73 | 	NtWriteFile = (pfNtWriteFile)::GetProcAddress(hModule, "NtWriteFile");
 74 | 	NtNotifyChangeDirectoryFile = (pfNtNotifyChangeDirectoryFile)::GetProcAddress(hModule, "NtNotifyChangeDirectoryFile");
 75 | 	NtQueryAttributesFile = (pfNtQueryAttributesFile)::GetProcAddress(hModule, "NtQueryAttributesFile");
 76 | 	NtQueryFullAttributesFile = (pfNtQueryFullAttributesFile)::GetProcAddress(hModule, "NtQueryFullAttributesFile");
 77 | 	NtQueryInformationFile = (pfNtQueryInformationFile)::GetProcAddress(hModule, "NtQueryInformationFile");
 78 | 	NtSetInformationFile = (pfNtSetInformationFile)::GetProcAddress(hModule, "NtSetInformationFile");
 79 | 	NtQueryDirectoryFile = (pfNtQueryDirectoryFile)::GetProcAddress(hModule, "NtQueryDirectoryFile");
 80 | 	NtQueryVolumeInformationFile = (pfNtQueryVolumeInformationFile)::GetProcAddress(hModule, "NtQueryVolumeInformationFile");
 81 | 	NtFsControlFile = (pfNtFsControlFile)::GetProcAddress(hModule, "NtFsControlFile");
 82 | 	NtDeviceIoControlFile = (pfNtDeviceIoControlFile)::GetProcAddress(hModule, "NtDeviceIoControlFile");
 83 | 
 84 | 	/*
 85 | 		Directory API
 86 | 	*/
 87 | 	NtOpenDirectoryObject = (pfNtOpenDirectoryObject)::GetProcAddress(hModule, "NtOpenDirectoryObject");
 88 | 	NtCreateDirectoryObject = (pfNtCreateDirectoryObject)::GetProcAddress(hModule, "NtCreateDirectoryObject");
 89 | 	NtCreateDirectoryObjectEx = (pfNtCreateDirectoryObjectEx)::GetProcAddress(hModule, "NtCreateDirectoryObjectEx");
 90 | 	NtQueryDirectoryObject = (pfNtQueryDirectoryObject)::GetProcAddress(hModule, "NtQueryDirectoryObject");
 91 | 
 92 | 	/*
 93 | 		SymbolicLink API
 94 | 	*/
 95 | 	NtOpenSymbolicLinkObject = (pfNtOpenSymbolicLinkObject)::GetProcAddress(hModule, "NtOpenSymbolicLinkObject");
 96 | 	NtCreateSymbolicLinkObject = (pfNtCreateSymbolicLinkObject)::GetProcAddress(hModule, "NtCreateSymbolicLinkObject");
 97 | 	NtQuerySymbolicLinkObject = (pfNtQuerySymbolicLinkObject)::GetProcAddress(hModule, "NtQuerySymbolicLinkObject");
 98 | 
 99 | 	/*
100 | 		Registry API
101 | 	*/
102 | 	NtCompactKeys = (pfNtCompactKeys)::GetProcAddress(hModule, "NtCompactKeys");
103 | 	NtCompressKey = (pfNtCompressKey)::GetProcAddress(hModule, "NtCompressKey");
104 | 	NtCreateKey = (pfNtCreateKey)::GetProcAddress(hModule, "NtCreateKey");
105 | 	NtCreateKeyTransacted = (pfNtCreateKeyTransacted)::GetProcAddress(hModule, "NtCreateKeyTransacted");
106 | 	NtOpenKey = (pfNtOpenKey)::GetProcAddress(hModule, "NtOpenKey");
107 | 	NtOpenKeyEx = (pfNtOpenKeyEx)::GetProcAddress(hModule, "NtOpenKeyEx");
108 | 	NtOpenKeyTransacted = (pfNtOpenKeyTransacted)::GetProcAddress(hModule, "NtOpenKeyTransacted");
109 | 	NtOpenKeyTransactedEx = (pfNtOpenKeyTransactedEx)::GetProcAddress(hModule, "NtOpenKeyTransactedEx");
110 | 	NtDeleteKey = (pfNtDeleteKey)::GetProcAddress(hModule, "NtDeleteKey");
111 | 	NtQueryKey = (pfNtQueryKey)::GetProcAddress(hModule, "NtQueryKey");
112 | 	NtEnumerateKey = (pfNtEnumerateKey)::GetProcAddress(hModule, "NtEnumerateKey");
113 | 	NtDeleteValueKey = (pfNtDeleteValueKey)::GetProcAddress(hModule, "NtDeleteValueKey");
114 | 	NtSetValueKey = (pfNtSetValueKey)::GetProcAddress(hModule, "NtSetValueKey");
115 | 	NtQueryValueKey = (pfNtQueryValueKey)::GetProcAddress(hModule, "NtQueryValueKey");
116 | 	NtEnumerateValueKey = (pfNtEnumerateValueKey)::GetProcAddress(hModule, "NtEnumerateValueKey");
117 | 	NtQueryMultipleValueKey = (pfNtQueryMultipleValueKey)::GetProcAddress(hModule, "NtQueryMultipleValueKey");
118 | 	NtFlushKey = (pfNtFlushKey)::GetProcAddress(hModule, "NtFlushKey");
119 | 	NtSaveKey = (pfNtSaveKey)::GetProcAddress(hModule, "NtSaveKey");
120 | 	NtSaveKeyEx = (pfNtSaveKeyEx)::GetProcAddress(hModule, "NtSaveKeyEx");
121 | 	NtSaveMergedKeys = (pfNtSaveMergedKeys)::GetProcAddress(hModule, "NtSaveMergedKeys");
122 | 	NtRestoreKey = (pfNtRestoreKey)::GetProcAddress(hModule, "NtRestoreKey");
123 | 	NtLoadKey = (pfNtLoadKey)::GetProcAddress(hModule, "NtLoadKey");
124 | 	NtLoadKey2 = (pfNtLoadKey2)::GetProcAddress(hModule, "NtLoadKey2");
125 | 	NtLoadKeyEx = (pfNtLoadKeyEx)::GetProcAddress(hModule, "NtLoadKeyEx");
126 | 	NtUnloadKey = (pfNtUnloadKey)::GetProcAddress(hModule, "NtUnloadKey");
127 | 	NtUnloadKey2 = (pfNtUnloadKey2)::GetProcAddress(hModule, "NtUnloadKey2");
128 | 	NtUnloadKeyEx = (pfNtUnloadKeyEx)::GetProcAddress(hModule, "NtUnloadKeyEx");
129 | 	NtQueryOpenSubKeys = (pfNtQueryOpenSubKeys)::GetProcAddress(hModule, "NtQueryOpenSubKeys");
130 | 	NtQueryOpenSubKeysEx = (pfNtQueryOpenSubKeysEx)::GetProcAddress(hModule, "NtQueryOpenSubKeysEx");
131 | 	NtReplaceKey = (pfNtReplaceKey)::GetProcAddress(hModule, "NtReplaceKey");
132 | 	NtSetInformationKey = (pfNtSetInformationKey)::GetProcAddress(hModule, "NtSetInformationKey");
133 | 	NtRenameKey = (pfNtRenameKey)::GetProcAddress(hModule, "NtRenameKey");
134 | 	NtNotifyChangeKey = (pfNtNotifyChangeKey)::GetProcAddress(hModule, "NtNotifyChangeKey");
135 | 	NtNotifyChangeMultipleKeys = (pfNtNotifyChangeMultipleKeys)::GetProcAddress(hModule, "NtNotifyChangeMultipleKeys");
136 | 	NtInitializeRegistry = (pfNtInitializeRegistry)::GetProcAddress(hModule, "NtInitializeRegistry");
137 | 	NtLockRegistryKey = (pfNtLockRegistryKey)::GetProcAddress(hModule, "NtLockRegistryKey");
138 | 
139 | 	/*
140 | 		Port API
141 | 	*/
142 | 	NtCreatePort = (pfNtCreatePort)::GetProcAddress(hModule, "NtCreatePort");
143 | 	NtCreateWaitablePort = (pfNtCreateWaitablePort)::GetProcAddress(hModule, "NtCreateWaitablePort");
144 | 	NtConnectPort = (pfNtConnectPort)::GetProcAddress(hModule, "NtConnectPort");
145 | 	NtSecureConnectPort = (pfNtSecureConnectPort)::GetProcAddress(hModule, "NtSecureConnectPort");
146 | 	NtAlpcCreatePort = (pfNtAlpcCreatePort)::GetProcAddress(hModule, "NtAlpcCreatePort");
147 | 	NtAlpcConnectPort = (pfNtAlpcConnectPort)::GetProcAddress(hModule, "NtAlpcConnectPort");
148 | 	NtAlpcConnectPortEx = (pfNtAlpcConnectPortEx)::GetProcAddress(hModule, "NtAlpcConnectPortEx");
149 | 
150 | 	/*
151 | 		ATOM API
152 | 	*/
153 | 	NtAddAtom = (pfNtAddAtom)::GetProcAddress(hModule, "NtAddAtom");
154 | 	NtAddAtomEx = (pfNtAddAtomEx)::GetProcAddress(hModule, "NtAddAtomEx");
155 | 	NtFindAtom = (pfNtFindAtom)::GetProcAddress(hModule, "NtFindAtom");
156 | 
157 | 	/*
158 | 		Driver API
159 | 	*/
160 | 	NtLoadDriver = (pfNtLoadDriver)::GetProcAddress(hModule, "NtLoadDriver");
161 | 	NtUnloadDriver = (pfNtUnloadDriver)::GetProcAddress(hModule, "NtUnloadDriver");
162 | 
163 | 	/*
164 | 		Transaction API
165 | 	*/
166 | 	NtCreateTransaction  = (pfNtCreateTransaction)::GetProcAddress(hModule, "NtCreateTransaction");
167 | 	NtOpenTransaction  = (pfNtOpenTransaction)::GetProcAddress(hModule, "NtOpenTransaction");
168 | 	NtCommitTransaction = (pfNtCommitTransaction)::GetProcAddress(hModule, "NtCommitTransaction");
169 | 	NtRollbackTransaction = (pfNtRollbackTransaction)::GetProcAddress(hModule, "NtRollbackTransaction");
170 | 
171 | 	/*
172 | 		Security API
173 | 	*/
174 | 	NtQuerySecurityObject = (pfNtQuerySecurityObject)::GetProcAddress(hModule, "NtQuerySecurityObject");
175 | 	NtSetSecurityObject = (pfNtSetSecurityObject)::GetProcAddress(hModule, "NtSetSecurityObject");
176 | 	RtlFlushSecureMemoryCache = (pfRtlFlushSecureMemoryCache)::GetProcAddress(hModule, "RtlFlushSecureMemoryCache");
177 | }
178 | 
179 | ntdllapi::~ntdllapi(void)
180 | {
181 | }
182 | 
183 | 
184 | ntdllapi* ntdllapi::GetInstance()
185 | {
186 | 	static ntdllapi _ntdllAPI;
187 | 	return &_ntdllAPI;
188 | }
189 | 
190 | }


--------------------------------------------------------------------------------
/source/ntdlllib/ntdllfiles.cpp:
--------------------------------------------------------------------------------
  1 | #include <ntdlllib/all.h>
  2 | 
  3 | namespace ntdlllib
  4 | {
  5 | 	std::wstring ntdllfiles::ToKernelPath(const std::wstring& str)
  6 | 	{
  7 | 		std::wstring strKernelPath;
  8 | 
  9 | 		if (!str.compare(0, 4, L"\\??\\"))
 10 | 			strKernelPath = str;
 11 | 		else
 12 | 			strKernelPath = L"\\??\\" + str;
 13 | 
 14 | 		return strKernelPath;
 15 | 	}
 16 | 
 17 | 	std::wstring ntdllfiles::FromKernelPath(const std::wstring& strKernelPath)
 18 | 	{
 19 | 		std::wstring strPath;
 20 | 
 21 | 		if (!strKernelPath.compare(0, 4, L"\\??\\"))
 22 | 			strPath = strKernelPath.substr(4);
 23 | 		else
 24 | 			strPath = strKernelPath;
 25 | 
 26 | 		return strPath;
 27 | 	}
 28 | 
 29 | 	HANDLE ntdllfiles::CreateFile(const std::wstring& strPath)
 30 | 	{
 31 | 		IO_STATUS_BLOCK iostatusblock = { 0, };
 32 | 		return CreateFile(strPath, &iostatusblock);
 33 | 	}
 34 | 	HANDLE ntdllfiles::CreateFile(const std::wstring& strPath, PIO_STATUS_BLOCK piostatusblock)
 35 | 	{
 36 | 		HANDLE handle = NULL;
 37 | 
 38 | 		std::wstring strKernelPath = ToKernelPath(strPath);
 39 | 
 40 | 		UNICODE_STRING usz = { 0, };
 41 | 		ntdllutil::StringToUnicodeString(strKernelPath, &usz);
 42 | 
 43 | 		OBJECT_ATTRIBUTES oa = { 0, };
 44 | 		InitializeObjectAttributes(&oa, &usz, OBJ_CASE_INSENSITIVE, NULL, NULL);
 45 | 
 46 | 		NTSTATUS status = ntdllapi::GetInstance()->NtCreateFile(
 47 | 			&handle,
 48 | 			FILE_GENERIC_READ | FILE_GENERIC_WRITE,
 49 | 			&oa,
 50 | 			piostatusblock,
 51 | 			0,
 52 | 			FILE_ATTRIBUTE_NORMAL,
 53 | 			FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
 54 | 			FILE_OPEN_IF,
 55 | 			0,
 56 | 			0,
 57 | 			0);
 58 | 
 59 | 		ntdllutil::FreeUnicodeString(&usz);
 60 | 		return handle;
 61 | 	}
 62 | 	bool ntdllfiles::CopyFile(const std::wstring& strSourcePath, const std::wstring& strDestinationPath)
 63 | 	{
 64 | 		bool f = false;
 65 | 
 66 | 		NTSTATUS status = STATUS_SUCCESS;
 67 | 		UNICODE_STRING uszSourcePath = { 0 };
 68 | 		UNICODE_STRING uszDestinationPath = { 0 };
 69 | 		OBJECT_ATTRIBUTES oaSource = { 0 };
 70 | 		OBJECT_ATTRIBUTES oaDestination = { 0 };
 71 | 		HANDLE hSource = NULL;
 72 | 		HANDLE hDestination = NULL;
 73 | 		FILE_BASIC_INFORMATION FileInformation = { 0 };
 74 | 
 75 | 		do
 76 | 		{
 77 | 			if (0 == strSourcePath.compare(strDestinationPath))
 78 | 				break;
 79 | 
 80 | 			std::wstring strSourceKernelPath = ToKernelPath(strSourcePath);
 81 | 			std::wstring strDestinationKernelPath = ToKernelPath(strDestinationPath);
 82 | 
 83 | 			if (0 == strSourceKernelPath.compare(strDestinationKernelPath))
 84 | 				break;
 85 | 
 86 | 			ntdllutil::StringToUnicodeString(strSourceKernelPath, &uszSourcePath);
 87 | 			InitializeObjectAttributes(&oaSource, &uszSourcePath, NULL, NULL, NULL);
 88 | 			ntdllutil::StringToUnicodeString(strDestinationKernelPath, &uszDestinationPath);
 89 | 			InitializeObjectAttributes(&oaDestination, &uszDestinationPath, NULL, NULL, NULL);
 90 | 
 91 | 			IO_STATUS_BLOCK iostatus;
 92 | 			status = ntdllapi::GetInstance()->NtCreateFile(
 93 | 				&hSource,
 94 | 				FILE_READ_DATA | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE,
 95 | 				&oaSource,
 96 | 				&iostatus,
 97 | 				0,
 98 | 				FILE_ATTRIBUTE_NORMAL,
 99 | 				FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
100 | 				FILE_OPEN,
101 | 				FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
102 | 				NULL,
103 | 				0
104 | 				);
105 | 			if (!NT_SUCCESS(status))
106 | 				break;
107 | 
108 | 
109 | 			status = ntdllapi::GetInstance()->NtCreateFile(
110 | 				&hDestination,
111 | 				FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | WRITE_DAC | SYNCHRONIZE,
112 | 				&oaDestination,
113 | 				&iostatus,
114 | 				0,
115 | 				FILE_ATTRIBUTE_NORMAL,
116 | 				FILE_SHARE_READ,
117 | 				FILE_OVERWRITE_IF,
118 | 				FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
119 | 				NULL,
120 | 				0
121 | 				);
122 | 			if (!NT_SUCCESS(status))
123 | 				break;
124 | 			
125 | 
126 | 			byte ab[65536];
127 | 			memset(ab, 0, 65536);
128 | 			unsigned int uBytesRead = 0;
129 | 			do
130 | 			{
131 | 				status = ntdllapi::GetInstance()->NtReadFile(
132 | 					hSource,
133 | 					NULL,
134 | 					NULL,
135 | 					NULL,
136 | 					&iostatus,
137 | 					(PVOID)ab,
138 | 					65536,
139 | 					NULL,
140 | 					NULL
141 | 					);
142 | 				if (!NT_SUCCESS(status))
143 | 					break;
144 | 
145 | 				uBytesRead = iostatus.Information;
146 | 				ntdllapi::GetInstance()->NtWriteFile(
147 | 					hDestination,
148 | 					NULL,
149 | 					NULL,
150 | 					NULL,
151 | 					&iostatus,
152 | 					(PVOID)ab,
153 | 					uBytesRead,
154 | 					NULL,
155 | 					NULL
156 | 					);
157 | 				if (!NT_SUCCESS(status))
158 | 					break;
159 | 
160 | 			} while (NT_SUCCESS(status));
161 | 
162 | 			status = ntdllapi::GetInstance()->NtQueryInformationFile(
163 | 				hSource,
164 | 				&iostatus,
165 | 				&FileInformation,
166 | 				sizeof(FileInformation),
167 | 				FileBasicInformation
168 | 				);
169 | 			if (!NT_SUCCESS(status))
170 | 				break;
171 | 
172 | 			status = ntdllapi::GetInstance()->NtSetInformationFile(
173 | 				hDestination,
174 | 				&iostatus,
175 | 				&FileInformation,
176 | 				sizeof(FileInformation),
177 | 				FileBasicInformation
178 | 				);
179 | 			if (!NT_SUCCESS(status))
180 | 				break;
181 | 
182 | 			memset(ab, 0, 65536);
183 | 			ULONG ulReturnLength = 0;
184 | 			status = ntdllapi::GetInstance()->NtQuerySecurityObject(hSource, DACL_SECURITY_INFORMATION, ab, 65536, &ulReturnLength);
185 | 			if (NT_SUCCESS(status))
186 | 			{
187 | 				status = ntdllapi::GetInstance()->NtSetSecurityObject(hDestination, DACL_SECURITY_INFORMATION, ab);
188 | 			}
189 | 
190 | 			f = true;
191 | 		}
192 | 		while (false);
193 | 
194 | 		ntdllutil::FreeUnicodeString(&uszSourcePath);
195 | 		ntdllutil::FreeUnicodeString(&uszDestinationPath);
196 | 		ntdllutil::CloseHandle(hSource);
197 | 		ntdllutil::CloseHandle(hDestination);
198 | 
199 | 		return f;
200 | 	}
201 | }


--------------------------------------------------------------------------------
/source/ntdlllib/ntdllutil.cpp:
--------------------------------------------------------------------------------
 1 | #include <ntdlllib/all.h>
 2 | 
 3 | namespace ntdlllib
 4 | {
 5 | 
 6 | 	BOOL ntdllutil::UnicodeStringToString(PUNICODE_STRING pusz, std::wstring& str)
 7 | 	{
 8 | 		if (NULL == pusz)
 9 | 			return FALSE;
10 | 		if (0 == pusz->Length)
11 | 		{
12 | 			str = std::wstring(L"");
13 | 			return TRUE;
14 | 		}
15 | 
16 | 		str = std::wstring(pusz->Buffer, 0, pusz->Length / sizeof(wchar_t));
17 | 
18 | 		return TRUE;
19 | 	}
20 | 
21 | 	BOOL ntdllutil::MoveStringToUnicodeString(std::wstring const& str, PUNICODE_STRING pusz)
22 | 	{
23 | 		if (NULL == pusz)
24 | 			return FALSE;
25 | 
26 | 		pusz->Length = str.size() * (USHORT)sizeof(wchar_t);
27 | 		pusz->MaximumLength = (str.size() + 1) * (USHORT)sizeof(wchar_t);
28 | 		pusz->Buffer = (wchar_t*)str.c_str();
29 | 
30 | 		return TRUE;
31 | 	}
32 | 
33 | 	BOOL ntdllutil::StringToUnicodeString(std::wstring const& str, PUNICODE_STRING pusz)
34 | 	{
35 | 		if (NULL == pusz)
36 | 			return FALSE;
37 | 
38 | 		pusz->Length = str.size() * (USHORT)sizeof(wchar_t);
39 | 		pusz->MaximumLength = (str.size() + 1) * (USHORT)sizeof(wchar_t);
40 | 		pusz->Buffer = (wchar_t*)malloc(pusz->MaximumLength);
41 | 		memcpy(pusz->Buffer, (const wchar_t*)str.c_str(), pusz->MaximumLength);
42 | 
43 | 		return TRUE;
44 | 	}
45 | 
46 | 	void ntdllutil::FreeUnicodeString(PUNICODE_STRING pusz)
47 | 	{
48 | 		if (NULL != pusz && NULL != pusz->Buffer)
49 | 		{
50 | 			free(pusz->Buffer);
51 | 			pusz->Buffer = NULL;
52 | 		}
53 | 	}
54 | 
55 | 	void ntdllutil::CloseHandle(HANDLE handle)
56 | 	{
57 | 		if (NULL != handle)
58 | 			ntdllapi::GetInstance()->NtClose(handle);
59 | 	}
60 | }


--------------------------------------------------------------------------------
/source/ntdlllib/ntllobj.cpp:
--------------------------------------------------------------------------------
 1 | #include <ntdlllib/all.h>
 2 | 
 3 | namespace ntdlllib
 4 | {
 5 | 	bool ntdllobj::QueryDeviceName(HANDLE hGlobalDirectory, const std::wstring& strInDeviceName, std::wstring& strSymDeviceName)
 6 | 	{
 7 | 		bool fSuccess = false;
 8 | 
 9 | 		HANDLE hSymbolicLink = OpenSymbolicLink(hGlobalDirectory, strInDeviceName);
10 | 		if (hSymbolicLink)
11 | 		{
12 | 			wchar_t* wc[256];
13 | 			UNICODE_STRING uszValue;
14 | 			uszValue.Length = 256 * (USHORT)sizeof(wchar_t);
15 | 			uszValue.MaximumLength = uszValue.Length + sizeof(wchar_t);
16 | 			uszValue.Buffer = (PWSTR)wc;
17 | 
18 | 			NTSTATUS status = ntdllapi::GetInstance()->NtQuerySymbolicLinkObject(hSymbolicLink, &uszValue, NULL);
19 | 			if (NT_SUCCESS(status))
20 | 			{
21 | 				ntdllutil::UnicodeStringToString(&uszValue, strSymDeviceName);
22 | 				fSuccess = true;
23 | 			}
24 | 
25 | 			ntdllutil::CloseHandle(hSymbolicLink);
26 | 		}
27 | 
28 | 		return fSuccess;
29 | 	}
30 | 
31 | 	HANDLE ntdllobj::OpenSymbolicLink(HANDLE hRootDirectory, const std::wstring& strName)
32 | 	{
33 | 		HANDLE hSymbolicLink = NULL;
34 | 
35 | 		NTSTATUS status;
36 | 		OBJECT_ATTRIBUTES oa;
37 | 		UNICODE_STRING usz;
38 | 		PSECURITY_DESCRIPTOR pSD = NULL;
39 | 		ntdllutil::MoveStringToUnicodeString(strName, &usz);
40 | 		InitializeObjectAttributes(&oa, &usz, NULL, hRootDirectory, pSD);
41 | 
42 | 		status = ntdllapi::GetInstance()->NtOpenSymbolicLinkObject(&hSymbolicLink, SYMBOLIC_LINK_QUERY, &oa);
43 | 		if (NULL != pSD)
44 | 			::LocalFree(pSD);
45 | 
46 | 		return hSymbolicLink;
47 | 	}
48 | 
49 | 
50 | 	HANDLE ntdllobj::OpenDirectoryObject(const std::wstring& strDirectoryName)
51 | 	{
52 | 		HANDLE hDirectory = NULL;
53 | 
54 | 		OBJECT_ATTRIBUTES oa;
55 | 		UNICODE_STRING usz;
56 | 		PSECURITY_DESCRIPTOR pSD = NULL;
57 | 		ntdllutil::MoveStringToUnicodeString(strDirectoryName, &usz);
58 | 		InitializeObjectAttributes(&oa, &usz, NULL, NULL, pSD);
59 | 
60 | 		NTSTATUS status = ntdllapi::GetInstance()->NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &oa);
61 | 		if (NULL != pSD)
62 | 			::LocalFree(pSD);
63 | 		if (!NT_SUCCESS(status))
64 | 			throw;
65 | 
66 | 		return hDirectory;
67 | 	}
68 | 
69 | 	HANDLE ntdllobj::OpenGlobalDirectoryObject()
70 | 	{
71 | 		return OpenDirectoryObject(L"\\GLOBAL??");
72 | 	}
73 | 
74 | }


--------------------------------------------------------------------------------
/source/ntdlllibtest/ntdlllibtest.cpp:
--------------------------------------------------------------------------------
 1 | #include <tchar.h>
 2 | #include <stdio.h>
 3 | #include <Windows.h>
 4 | #include <ntdlllib/all.h>
 5 | 
 6 | int main(int argc, _TCHAR* argv)
 7 | {
 8 | 	std::wstring strPath = L"C:\\temp\\test.txt";
 9 | 	IO_STATUS_BLOCK iostatusblock = { 0, };
10 | 	HANDLE handle = ntdllfiles::CreateFile(strPath, &iostatusblock);
11 | 
12 | 	printf("strPath:%ws - handle:%x\n", strPath.c_str(), (DWORD)handle);
13 | 
14 | 	if (FILE_CREATED & iostatusblock.Information)
15 | 		printf("created file.\n");
16 | 	else if (FILE_OPENED & iostatusblock.Information)
17 | 		printf("opened file.\n");
18 | 
19 | 	ntdllutil::CloseHandle(handle);
20 | 
21 | 	std::wstring strDestinationPath = L"C:\\temp\\test2.txt";
22 | 	bool f = ntdllfiles::CopyFile(strPath, strDestinationPath);
23 | 	if (f)
24 | 		printf("copy file %ws to %ws success\n", strPath.c_str(), strDestinationPath.c_str());
25 | 	else
26 | 		printf("copy file failed.\n");
27 | 
28 | 	return 0;
29 | }


--------------------------------------------------------------------------------