├── .gitignore ├── LICENSE ├── README.md ├── data ├── prototypes.json ├── syscall_numbers.json └── typedefs.json ├── example-output ├── syscalls.asm └── syscalls.h ├── requirements.txt ├── syswhispers.py └── update ├── getSyscalls.c ├── getSyscalls.exe └── updateJson.py /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2019 Jackson T. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SysWhispers 2 | 3 | SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. 4 | 5 | All core syscalls are supported from Windows XP to 10. Example generated files available in `example-output/`. 6 | 7 | ## Introduction 8 | 9 | Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect for suspicious behaviour. The functions in `ntdll.dll` that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by [@Cn33liz](https://twitter.com/Cneelis) and his [blog post](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/) has more technical details worth reading. 10 | 11 | SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (`ntoskrnl.exe`) across any Windows version starting from XP. The headers will also include the necessary type definitions. 12 | 13 | The main implementation difference between this and the [Dumpert](https://github.com/outflanknl/Dumpert) POC is that this doesn't call `RtlGetVersion` to query the OS version, but instead does this in the assembly by querying the PEB directly. The benefit is being able to call one function that supports multiple Windows versions instead of calling multiple functions each supporting one version. 14 | 15 | ## Installation 16 | 17 | ```bash 18 | > git clone https://github.com/jthuraisamy/SysWhispers.git 19 | > cd SysWhispers 20 | > pip3 install -r .\requirements.txt 21 | > py .\syswhispers.py --help 22 | ``` 23 | 24 | ## Usage and Examples 25 | 26 | ### Command Lines 27 | 28 | ```powershell 29 | # Export all functions with compatibility for all supported Windows versions (see example-output/). 30 | py .\syswhispers.py --preset all -o syscalls_all 31 | 32 | # Export just the common functions with compatibility for Windows 7, 8, and 10. 33 | py .\syswhispers.py --preset common -o syscalls_common 34 | 35 | # Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions. 36 | py .\syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem 37 | 38 | # Export all functions with compatibility for Windows 7, 8, and 10. 39 | py .\syswhispers.py --versions 7,8,10 -o syscalls_78X 40 | ``` 41 | 42 | ### Script Output 43 | 44 | ``` 45 | PS C:\Projects\SysWhispers> py .\syswhispers.py --preset common --out-file syscom 46 | 47 | , , ,_ /_ . , ,_ _ ,_ , 48 | _/_)__(_/__/_)__/_/_/ / (__/__/_)__/_)__(/__/ (__/_)__ 49 | _/_ / 50 | (/ / @Jackson_T, 2019 51 | 52 | SysWhispers: Why call the kernel when you can whisper? 53 | 54 | Common functions selected. 55 | 56 | Complete! Files written to: 57 | syscom.asm 58 | syscom.h 59 | ``` 60 | 61 | ### Before-and-After Example of Classic `CreateRemoteThread` DLL Injection 62 | 63 | ``` 64 | py .\syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx -o syscalls 65 | ``` 66 | 67 | ```c 68 | #include 69 | 70 | void InjectDll(const HANDLE hProcess, const char* dllPath) 71 | { 72 | LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 73 | LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"); 74 | 75 | WriteProcessMemory(hProcess, lpBaseAddress, dllPath, strlen(dllPath), nullptr); 76 | CreateRemoteThread(hProcess, nullptr, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, lpBaseAddress, 0, nullptr); 77 | } 78 | ``` 79 | 80 | ```c 81 | #include 82 | #include "syscalls.h" // Import the generated header. 83 | 84 | void InjectDll(const HANDLE hProcess, const char* dllPath) 85 | { 86 | HANDLE hThread = NULL; 87 | LPVOID lpAllocationStart = nullptr; 88 | SIZE_T szAllocationSize = strlen(dllPath); 89 | LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"); 90 | 91 | NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 92 | NtWriteVirtualMemory(hProcess, lpAllocationStart, (PVOID)dllPath, strlen(dllPath), nullptr); 93 | NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, lpStartAddress, lpAllocationStart, FALSE, 0, 0, 0, nullptr); 94 | } 95 | ``` 96 | 97 | ## Common Functions 98 | 99 | Using the `--preset common` switch will create a header/ASM pair with the following functions: 100 | 101 |
102 | Click to expand function list. 103 | 104 | - NtCreateProcess (CreateProcess) 105 | - NtCreateThreadEx (CreateRemoteThread) 106 | - NtOpenProcess (OpenProcess) 107 | - NtOpenThread (OpenThread) 108 | - NtSuspendProcess 109 | - NtSuspendThread (SuspendThread) 110 | - NtResumeProcess 111 | - NtResumeThread (ResumeThread) 112 | - NtGetContextThread (GetThreadContext) 113 | - NtSetContextThread (SetThreadContext) 114 | - NtClose (CloseHandle) 115 | - NtReadVirtualMemory (ReadProcessMemory) 116 | - NtWriteVirtualMemory (WriteProcessMemory) 117 | - NtAllocateVirtualMemory (VirtualAllocEx) 118 | - NtProtectVirtualMemory (VirtualProtectEx) 119 | - NtFreeVirtualMemory (VirtualFreeEx) 120 | - NtQuerySystemInformation (GetSystemInfo) 121 | - NtQueryDirectoryFile 122 | - NtQueryInformationFile 123 | - NtQueryInformationProcess 124 | - NtQueryInformationThread 125 | - NtCreateSection (CreateFileMapping) 126 | - NtOpenSection 127 | - NtMapViewOfSection 128 | - NtUnmapViewOfSection 129 | - NtAdjustPrivilegesToken (AdjustTokenPrivileges) 130 | - NtDeviceIoControlFile (DeviceIoControl) 131 | - NtQueueApcThread (QueueUserAPC) 132 | - NtWaitForMultipleObjects (WaitForMultipleObjectsEx) 133 | 134 |
135 | 136 | ## Importing into Visual Studio 137 | 138 | 1. Copy the generated H/ASM files into the project folder. 139 | 2. In Visual Studio, go to *Project* → *Build Customizations...* and enable MASM. 140 | 3. In the *Solution Explorer*, add the .h and .asm files to the project as header and source files, respectively. 141 | 4. Go to the properties of the ASM file, and set the *Item Type* to *Microsoft Macro Assembler*. 142 | 5. Ensure that the project platform is set to x64. 32-bit projects are not supported at this time. 143 | 144 | ## Caveats and Limitations 145 | 146 | - Only 64-bit Windows is supported at this time. 147 | - System calls from the graphical subsystem (`win32k.sys`) are not supported. 148 | - Tested on Visual Studio 2019 (v142) with Windows 10 SDK. 149 | 150 | ## Troubleshooting 151 | 152 | - `ModuleNotFoundError` in Python script. 153 | - Ensure that the required modules are installed with `pip3 install -r requirements.txt`. 154 | - Type redefinitions errors: a project may not compile if typedefs in `syscalls.h` have already been defined. 155 | - Ensure that only required functions are included (i.e. `--preset all` is rarely necessary). 156 | - If a typedef is already defined in another used header, then it could be removed from `syscalls.h`. 157 | 158 | ## Credits 159 | 160 | This script was developed by [@Jackson_T](https://twitter.com/Jackson_T) but builds upon the work of many others: 161 | 162 | - [@j00ru](https://twitter.com/j00ru) for maintaining syscall numbers in machine-readable formats. 163 | - [@FoxHex0ne](https://twitter.com/FoxHex0ne) for cataloguing many function prototypes and typedefs in a machine-readable format. 164 | - [@PetrBenes](https://twitter.com/PetrBenes), [NTInternals.net team](https://undocumented.ntinternals.net/), and [MSDN](https://docs.microsoft.com/en-us/windows/) for additional prototypes and typedefs. 165 | - [@Cn33liz](https://twitter.com/Cneelis) for the initial [Dumpert](https://github.com/outflanknl/Dumpert) POC implementation. 166 | 167 | Special thanks to [@Dcept905](https://twitter.com/Dcept905) for testing and suggestions. 168 | 169 | code for getting new syscalls taken from a forum post from timb3r on https://guidedhacking.com/threads/understanding-windows-syscalls-syscall-dumper.14470/ 170 | 171 | ## Related Articles and Projects 172 | 173 | - [@0x00dtm](https://twitter.com/0x00dtm): [Userland API Monitoring and Code Injection Detection](https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565) 174 | - [@0x00dtm](https://twitter.com/0x00dtm): [Defeating Userland Hooks (ft. Bitdefender)](https://0x00sec.org/t/defeating-userland-hooks-ft-bitdefender/12496) ([Code](https://github.com/NtRaiseHardError/Antimalware-Research/tree/master/Generic/Userland%20Hooking/AntiHook)) 175 | - [@Cn33liz](https://twitter.com/Cneelis): [Combining Direct System Calls and sRDI to bypass AV/EDR](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/) ([Code](https://github.com/outflanknl/Dumpert)) 176 | - [@mrgretzky](https://twitter.com/mrgretzky): [Defeating Antivirus Real-time Protection From The Inside](https://breakdev.org/defeating-antivirus-real-time-protection-from-the-inside/) 177 | - [@SpecialHoang](https://twitter.com/SpecialHoang): [Bypass EDR’s memory protection, introduction to hooking](https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6) ([Code](https://github.com/hoangprod/AndrewSpecial/tree/master)) 178 | - [@xpn](https://twitter.com/_xpn_) and [@domchell](https://twitter.com/domchell): [Silencing Cylance: A Case Study in Modern EDRs](https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/) 179 | - [@mrjefftang](https://twitter.com/mrjefftang): [Universal Unhooking: Blinding Security Software](https://threatvector.cylance.com/en_us/home/universal-unhooking-blinding-security-software.html) ([Code](https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher)) 180 | - [@spotheplanet](https://twitter.com/spotheplanet): [Full DLL Unhooking with C++](https://ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++) 181 | - [@hasherezade](https://twitter.com/hasherezade): [Floki Bot and the stealthy dropper](https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/) 182 | - [@hodg87](https://twitter.com/hodg87): [Latest Trickbot Variant has New Tricks Up Its Sleeve](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) 183 | - [@hodg87](https://twitter.com/hodg87): [Malware Mitigation when Direct System Calls are Used](https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/) 184 | 185 | ## Licence 186 | 187 | This project is licensed under the Apache License 2.0. 188 | -------------------------------------------------------------------------------- /data/typedefs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "identifiers": ["MEM_EXTENDED_PARAMETER_TYPE", "PMEM_EXTENDED_PARAMETER_TYPE"], 4 | "dependencies": [], 5 | "definition": "typedef enum _MEM_EXTENDED_PARAMETER_TYPE\n{\n\tMemExtendedParameterInvalidType,\n\tMemExtendedParameterAddressRequirements,\n\tMemExtendedParameterNumaNode,\n\tMemExtendedParameterPartitionHandle,\n\tMemExtendedParameterUserPhysicalHandle,\n\tMemExtendedParameterAttributeFlags,\n\tMemExtendedParameterMax\n} MEM_EXTENDED_PARAMETER_TYPE, *PMEM_EXTENDED_PARAMETER_TYPE;" 6 | }, 7 | { 8 | "identifiers": ["IO_STATUS_BLOCK", "PIO_STATUS_BLOCK"], 9 | "dependencies": [], 10 | "definition": "typedef struct _IO_STATUS_BLOCK\n{\n\tunion\n\t{\n\t\tNTSTATUS Status;\n\t\tVOID* Pointer;\n\t};\n\tULONG_PTR Information;\n} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;" 11 | }, 12 | { 13 | "identifiers": ["KEY_VALUE_ENTRY", "PKEY_VALUE_ENTRY"], 14 | "dependencies": ["PUNICODE_STRING"], 15 | "definition": "typedef struct _KEY_VALUE_ENTRY\n{\n\tPUNICODE_STRING ValueName;\n\tULONG DataLength;\n\tULONG DataOffset;\n\tULONG Type;\n} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;" 16 | }, 17 | { 18 | "identifiers": ["KEY_SET_INFORMATION_CLASS", "PKEY_SET_INFORMATION_CLASS"], 19 | "dependencies": [], 20 | "definition": "typedef enum _KEY_SET_INFORMATION_CLASS\n{\n\tKeyWriteTimeInformation,\n\tKeyWow64FlagsInformation,\n\tKeyControlFlagsInformation,\n\tKeySetVirtualizationInformation,\n\tKeySetDebugInformation,\n\tKeySetHandleTagsInformation,\n\tMaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum.\n} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS;" 21 | }, 22 | { 23 | "identifiers": ["SYSTEM_HANDLE", "PSYSTEM_HANDLE"], 24 | "dependencies": [], 25 | "definition": "typedef struct _SYSTEM_HANDLE\n{\n\tULONG ProcessId;\n\tBYTE ObjectTypeNumber;\n\tBYTE Flags;\n\tUSHORT Handle;\n\tPVOID Object;\n\tACCESS_MASK GrantedAccess;\n} SYSTEM_HANDLE, *PSYSTEM_HANDLE;" 26 | }, 27 | { 28 | "identifiers": ["SYSTEM_HANDLE_INFORMATION", "PSYSTEM_HANDLE_INFORMATION"], 29 | "dependencies": ["SYSTEM_HANDLE"], 30 | "definition": "typedef struct _SYSTEM_HANDLE_INFORMATION\n{\n\tULONG HandleCount;\n\tSYSTEM_HANDLE Handles[1];\n} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;" 31 | }, 32 | { 33 | "identifiers": ["SYSTEM_INFORMATION_CLASS", "PSYSTEM_INFORMATION_CLASS"], 34 | "dependencies": ["SYSTEM_HANDLE_INFORMATION"], 35 | "definition": "typedef enum _SYSTEM_INFORMATION_CLASS\n{\n\tSystemBasicInformation = 0,\n\tSystemPerformanceInformation = 2,\n\tSystemTimeOfDayInformation = 3,\n\tSystemProcessInformation = 5,\n\tSystemProcessorPerformanceInformation = 8,\n\tSystemHandleInformation = 16,\n\tSystemInterruptInformation = 23,\n\tSystemExceptionInformation = 33,\n\tSystemRegistryQuotaInformation = 37,\n\tSystemLookasideInformation = 45,\n\tSystemCodeIntegrityInformation = 103,\n\tSystemPolicyInformation = 134,\n} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;" 36 | }, 37 | { 38 | "identifiers": ["PROCESSINFOCLASS", "PPROCESSINFOCLASS"], 39 | "dependencies": [], 40 | "definition": "typedef enum _PROCESSINFOCLASS\n{\n\tProcessBasicInformation = 0,\n\tProcessDebugPort = 7,\n\tProcessWow64Information = 26,\n\tProcessImageFileName = 27,\n\tProcessBreakOnTermination = 29\n} PROCESSINFOCLASS, *PPROCESSINFOCLASS;" 41 | }, 42 | { 43 | "identifiers": ["MEMORY_RANGE_ENTRY", "PMEMORY_RANGE_ENTRY"], 44 | "dependencies": [], 45 | "definition": "typedef struct _MEMORY_RANGE_ENTRY\n{\n\tPVOID VirtualAddress;\n\tSIZE_T NumberOfBytes;\n} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;" 46 | }, 47 | { 48 | "identifiers": ["T2_SET_PARAMETERS", "PT2_SET_PARAMETERS"], 49 | "dependencies": [], 50 | "definition": "typedef struct _T2_SET_PARAMETERS_V0\n{\n\tULONG Version;\n\tULONG Reserved;\n\tLONGLONG NoWakeTolerance;\n} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS;" 51 | }, 52 | { 53 | "identifiers": ["FILE_PATH", "PFILE_PATH"], 54 | "dependencies": [], 55 | "definition": "typedef struct _FILE_PATH\n{\n\tULONG Version;\n\tULONG Length;\n\tULONG Type;\n\tCHAR FilePath[1];\n} FILE_PATH, *PFILE_PATH;" 56 | }, 57 | { 58 | "identifiers": ["FILE_USER_QUOTA_INFORMATION", "PFILE_USER_QUOTA_INFORMATION"], 59 | "dependencies": [], 60 | "definition": "typedef struct _FILE_USER_QUOTA_INFORMATION\n{\n\tULONG NextEntryOffset;\n\tULONG SidLength;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER QuotaUsed;\n\tLARGE_INTEGER QuotaThreshold;\n\tLARGE_INTEGER QuotaLimit;\n\tSID Sid[1];\n} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION;" 61 | }, 62 | { 63 | "identifiers": ["FILE_QUOTA_LIST_INFORMATION", "PFILE_QUOTA_LIST_INFORMATION"], 64 | "dependencies": [], 65 | "definition": "typedef struct _FILE_QUOTA_LIST_INFORMATION\n{\n\tULONG NextEntryOffset;\n\tULONG SidLength;\n\tSID Sid[1];\n} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION;" 66 | }, 67 | { 68 | "identifiers": ["FILE_NETWORK_OPEN_INFORMATION", "PFILE_NETWORK_OPEN_INFORMATION"], 69 | "dependencies": [], 70 | "definition": "typedef struct _FILE_NETWORK_OPEN_INFORMATION\n{\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tLARGE_INTEGER AllocationSize;\n\tLARGE_INTEGER EndOfFile;\n\tULONG FileAttributes;\n\tULONG Unknown;\n} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;" 71 | }, 72 | { 73 | "identifiers": ["FILTER_BOOT_OPTION_OPERATION", "PFILTER_BOOT_OPTION_OPERATION"], 74 | "dependencies": [], 75 | "definition": "typedef enum _FILTER_BOOT_OPTION_OPERATION\n{\n\tFilterBootOptionOperationOpenSystemStore,\n\tFilterBootOptionOperationSetElement,\n\tFilterBootOptionOperationDeleteElement,\n\tFilterBootOptionOperationMax\n} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION;" 76 | }, 77 | { 78 | "identifiers": ["EVENT_TYPE", "PEVENT_TYPE"], 79 | "dependencies": [], 80 | "definition": "typedef enum _EVENT_TYPE\n{\n\tNotificationEvent = 0,\n\tSynchronizationEvent = 1,\n} EVENT_TYPE, *PEVENT_TYPE;" 81 | }, 82 | { 83 | "identifiers": ["FILE_FULL_EA_INFORMATION", "PFILE_FULL_EA_INFORMATION"], 84 | "dependencies": [], 85 | "definition": "typedef struct _FILE_FULL_EA_INFORMATION\n{\n\tULONG NextEntryOffset;\n\tUCHAR Flags;\n\tUCHAR EaNameLength;\n\tUSHORT EaValueLength;\n\tCHAR EaName[1];\n} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;" 86 | }, 87 | { 88 | "identifiers": ["FILE_GET_EA_INFORMATION", "PFILE_GET_EA_INFORMATION"], 89 | "dependencies": [], 90 | "definition": "typedef struct _FILE_GET_EA_INFORMATION\n{\n\tULONG NextEntryOffset;\n\tBYTE EaNameLength;\n\tCHAR EaName[1];\n} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;" 91 | }, 92 | { 93 | "identifiers": ["BOOT_OPTIONS", "PBOOT_OPTIONS"], 94 | "dependencies": [], 95 | "definition": "typedef struct _BOOT_OPTIONS\n{\n\tULONG Version;\n\tULONG Length;\n\tULONG Timeout;\n\tULONG CurrentBootEntryId;\n\tULONG NextBootEntryId;\n\tWCHAR HeadlessRedirection[1];\n} BOOT_OPTIONS, *PBOOT_OPTIONS;" 96 | }, 97 | { 98 | "identifiers": ["WNF_CHANGE_STAMP", "PWNF_CHANGE_STAMP"], 99 | "dependencies": [], 100 | "definition": "typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP;" 101 | }, 102 | { 103 | "identifiers": ["WNF_DATA_SCOPE", "PWNF_DATA_SCOPE"], 104 | "dependencies": [], 105 | "definition": "typedef enum _WNF_DATA_SCOPE\n{\n\tWnfDataScopeSystem = 0,\n\tWnfDataScopeSession = 1,\n\tWnfDataScopeUser = 2,\n\tWnfDataScopeProcess = 3,\n\tWnfDataScopeMachine = 4\n} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE;" 106 | }, 107 | { 108 | "identifiers": ["WNF_STATE_NAME_LIFETIME", "PWNF_STATE_NAME_LIFETIME"], 109 | "dependencies": [], 110 | "definition": "typedef enum _WNF_STATE_NAME_LIFETIME\n{\n\tWnfWellKnownStateName = 0,\n\tWnfPermanentStateName = 1,\n\tWnfPersistentStateName = 2,\n\tWnfTemporaryStateName = 3\n} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME;" 111 | }, 112 | { 113 | "identifiers": ["VIRTUAL_MEMORY_INFORMATION_CLASS", "PVIRTUAL_MEMORY_INFORMATION_CLASS"], 114 | "dependencies": [], 115 | "definition": "typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS\n{\n\tVmPrefetchInformation,\n\tVmPagePriorityInformation,\n\tVmCfgCallTargetInformation\n} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS;" 116 | }, 117 | { 118 | "identifiers": ["IO_SESSION_EVENT", "PIO_SESSION_EVENT"], 119 | "dependencies": [], 120 | "definition": "typedef enum _IO_SESSION_EVENT\n{\n\tIoSessionEventIgnore,\n\tIoSessionEventCreated,\n\tIoSessionEventTerminated,\n\tIoSessionEventConnected,\n\tIoSessionEventDisconnected,\n\tIoSessionEventLogon,\n\tIoSessionEventLogoff,\n\tIoSessionEventMax\n} IO_SESSION_EVENT, *PIO_SESSION_EVENT;" 121 | }, 122 | { 123 | "identifiers": ["PORT_INFORMATION_CLASS", "PPORT_INFORMATION_CLASS"], 124 | "dependencies": [], 125 | "definition": "typedef enum _PORT_INFORMATION_CLASS\n{\n\tPortBasicInformation,\n#if DEVL\n\tPortDumpInformation\n#endif\n} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS;" 126 | }, 127 | { 128 | "identifiers": ["PLUGPLAY_CONTROL_CLASS", "PPLUGPLAY_CONTROL_CLASS"], 129 | "dependencies": [], 130 | "definition": "typedef enum _PLUGPLAY_CONTROL_CLASS\n{\n\tPlugPlayControlEnumerateDevice,\n\tPlugPlayControlRegisterNewDevice,\n\tPlugPlayControlDeregisterDevice,\n\tPlugPlayControlInitializeDevice,\n\tPlugPlayControlStartDevice,\n\tPlugPlayControlUnlockDevice,\n\tPlugPlayControlQueryAndRemoveDevice,\n\tPlugPlayControlUserResponse,\n\tPlugPlayControlGenerateLegacyDevice,\n\tPlugPlayControlGetInterfaceDeviceList,\n\tPlugPlayControlProperty,\n\tPlugPlayControlDeviceClassAssociation,\n\tPlugPlayControlGetRelatedDevice,\n\tPlugPlayControlGetInterfaceDeviceAlias,\n\tPlugPlayControlDeviceStatus,\n\tPlugPlayControlGetDeviceDepth,\n\tPlugPlayControlQueryDeviceRelations,\n\tPlugPlayControlTargetDeviceRelation,\n\tPlugPlayControlQueryConflictList,\n\tPlugPlayControlRetrieveDock,\n\tPlugPlayControlResetDevice,\n\tPlugPlayControlHaltDevice,\n\tPlugPlayControlGetBlockedDriverList,\n\tMaxPlugPlayControl\n} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS;" 131 | }, 132 | { 133 | "identifiers": ["IO_COMPLETION_INFORMATION_CLASS", "PIO_COMPLETION_INFORMATION_CLASS"], 134 | "dependencies": [], 135 | "definition": "typedef enum _IO_COMPLETION_INFORMATION_CLASS\n{\n\tIoCompletionBasicInformation\n} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS;" 136 | }, 137 | { 138 | "identifiers": ["SECTION_INHERIT", "PSECTION_INHERIT"], 139 | "dependencies": [], 140 | "definition": "typedef enum _SECTION_INHERIT\n{\n\tViewShare = 1,\n\tViewUnmap = 2\n} SECTION_INHERIT, *PSECTION_INHERIT;" 141 | }, 142 | { 143 | "identifiers": ["PS_ATTRIBUTE", "PPS_ATTRIBUTE"], 144 | "dependencies": [], 145 | "definition": "typedef struct _PS_ATTRIBUTE\n{\n\tULONG Attribute;\n\tSIZE_T Size;\n\tunion\n\t{\n\t\tULONG Value;\n\t\tPVOID ValuePtr;\n\t} u1;\n\tPSIZE_T ReturnLength;\n} PS_ATTRIBUTE, *PPS_ATTRIBUTE;" 146 | }, 147 | { 148 | "identifiers": ["DEBUGOBJECTINFOCLASS", "PDEBUGOBJECTINFOCLASS"], 149 | "dependencies": [], 150 | "definition": "typedef enum _DEBUGOBJECTINFOCLASS\n{\n\tDebugObjectFlags = 1,\n\tMaxDebugObjectInfoClass\n} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;" 151 | }, 152 | { 153 | "identifiers": ["SEMAPHORE_INFORMATION_CLASS", "PSEMAPHORE_INFORMATION_CLASS"], 154 | "dependencies": [], 155 | "definition": "typedef enum _SEMAPHORE_INFORMATION_CLASS\n{\n\tSemaphoreBasicInformation\n} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS;" 156 | }, 157 | { 158 | "identifiers": ["PS_ATTRIBUTE_LIST", "PPS_ATTRIBUTE_LIST"], 159 | "dependencies": ["PS_ATTRIBUTE"], 160 | "definition": "typedef struct _PS_ATTRIBUTE_LIST\n{\n\tSIZE_T TotalLength;\n\tPS_ATTRIBUTE Attributes[1];\n} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;" 161 | }, 162 | { 163 | "identifiers": ["VDMSERVICECLASS"], 164 | "dependencies": [], 165 | "definition": "typedef enum _VDMSERVICECLASS\n{\n\tVdmStartExecution,\n\tVdmQueueInterrupt,\n\tVdmDelayInterrupt,\n\tVdmInitialize,\n\tVdmFeatures,\n\tVdmSetInt21Handler,\n\tVdmQueryDir,\n\tVdmPrinterDirectIoOpen,\n\tVdmPrinterDirectIoClose,\n\tVdmPrinterInitialize,\n\tVdmSetLdtEntries,\n\tVdmSetProcessLdtInfo,\n\tVdmAdlibEmulation,\n\tVdmPMCliControl,\n\tVdmQueryVdmProcess\n} VDMSERVICECLASS, *PVDMSERVICECLASS;" 166 | }, 167 | { 168 | "identifiers": ["PS_CREATE_STATE", "PPS_CREATE_STATE"], 169 | "dependencies": [], 170 | "definition": "typedef enum _PS_CREATE_STATE\n{\n\tPsCreateInitialState,\n\tPsCreateFailOnFileOpen,\n\tPsCreateFailOnSectionCreate,\n\tPsCreateFailExeFormat,\n\tPsCreateFailMachineMismatch,\n\tPsCreateFailExeName,\n\tPsCreateSuccess,\n\tPsCreateMaximumStates\n} PS_CREATE_STATE, *PPS_CREATE_STATE;" 171 | }, 172 | { 173 | "identifiers": ["PS_CREATE_INFO", "PPS_CREATE_INFO"], 174 | "dependencies": ["PS_CREATE_STATE"], 175 | "definition": "typedef struct _PS_CREATE_INFO\n{\n\tSIZE_T Size;\n\tPS_CREATE_STATE State;\n\tunion\n\t{\n\t\t// PsCreateInitialState\n\t\tstruct {\n\t\t\tunion {\n\t\t\t\tULONG InitFlags;\n\t\t\t\tstruct {\n\t\t\t\t\tUCHAR WriteOutputOnExit : 1;\n\t\t\t\t\tUCHAR DetectManifest : 1;\n\t\t\t\t\tUCHAR IFEOSkipDebugger : 1;\n\t\t\t\t\tUCHAR IFEODoNotPropagateKeyState : 1;\n\t\t\t\t\tUCHAR SpareBits1 : 4;\n\t\t\t\t\tUCHAR SpareBits2 : 8;\n\t\t\t\t\tUSHORT ProhibitedImageCharacteristics : 16;\n\t\t\t\t};\n\t\t\t};\n\t\t\tACCESS_MASK AdditionalFileAccess;\n\t\t} InitState;\n\t\t// PsCreateFailOnSectionCreate\n\t\tstruct {\n\t\t\tHANDLE FileHandle;\n\t\t} FailSection;\n\t\t// PsCreateFailExeFormat\n\t\tstruct {\n\t\t\tUSHORT DllCharacteristics;\n\t\t} ExeFormat;\n\t\t// PsCreateFailExeName\n\t\tstruct {\n\t\t\tHANDLE IFEOKey;\n\t\t} ExeName;\n\t\t// PsCreateSuccess\n\t\tstruct {\n\t\t\tunion {\n\t\t\t\tULONG OutputFlags;\n\t\t\t\tstruct {\n\t\t\t\t\tUCHAR ProtectedProcess : 1;\n\t\t\t\t\tUCHAR AddressSpaceOverride : 1;\n\t\t\t\t\tUCHAR DevOverrideEnabled : 1; // from Image File Execution Options\n\t\t\t\t\tUCHAR ManifestDetected : 1;\n\t\t\t\t\tUCHAR ProtectedProcessLight : 1;\n\t\t\t\t\tUCHAR SpareBits1 : 3;\n\t\t\t\t\tUCHAR SpareBits2 : 8;\n\t\t\t\t\tUSHORT SpareBits3 : 16;\n\t\t\t\t};\n\t\t\t};\n\t\t\tHANDLE FileHandle;\n\t\t\tHANDLE SectionHandle;\n\t\t\tULONGLONG UserProcessParametersNative;\n\t\t\tULONG UserProcessParametersWow64;\n\t\t\tULONG CurrentParameterFlags;\n\t\t\tULONGLONG PebAddressNative;\n\t\t\tULONG PebAddressWow64;\n\t\t\tULONGLONG ManifestAddress;\n\t\t\tULONG ManifestSize;\n\t\t} SuccessState;\n\t};\n} PS_CREATE_INFO, *PPS_CREATE_INFO;" 176 | }, 177 | { 178 | "identifiers": ["MEMORY_INFORMATION_CLASS", "PMEMORY_INFORMATION_CLASS"], 179 | "dependencies": [], 180 | "definition": "typedef enum _MEMORY_INFORMATION_CLASS\n{\n\tMemoryBasicInformation,\n\tMemoryWorkingSetInformation,\n\tMemoryMappedFilenameInformation,\n\tMemoryRegionInformation,\n\tMemoryWorkingSetExInformation,\n\tMemorySharedCommitInformation,\n\tMemoryImageInformation,\n\tMemoryRegionInformationEx,\n\tMemoryPrivilegedBasicInformation,\n\tMemoryEnclaveImageInformation,\n\tMemoryBasicInformationCapped\n} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;" 181 | }, 182 | { 183 | "identifiers": ["MEMORY_RESERVE_TYPE", "PMEMORY_RESERVE_TYPE"], 184 | "dependencies": [], 185 | "definition": "typedef enum _MEMORY_RESERVE_TYPE\n{\n\tMemoryReserveUserApc,\n\tMemoryReserveIoCompletion,\n\tMemoryReserveTypeMax\n} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE;" 186 | }, 187 | { 188 | "identifiers": ["ALPC_PORT_INFORMATION_CLASS", "PALPC_PORT_INFORMATION_CLASS"], 189 | "dependencies": [], 190 | "definition": "typedef enum _ALPC_PORT_INFORMATION_CLASS\n{\n\tAlpcBasicInformation,\n\tAlpcPortInformation,\n\tAlpcAssociateCompletionPortInformation,\n\tAlpcConnectedSIDInformation,\n\tAlpcServerInformation,\n\tAlpcMessageZoneInformation,\n\tAlpcRegisterCompletionListInformation,\n\tAlpcUnregisterCompletionListInformation,\n\tAlpcAdjustCompletionListConcurrencyCountInformation,\n\tAlpcRegisterCallbackInformation,\n\tAlpcCompletionListRundownInformation\n} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS;" 191 | }, 192 | { 193 | "identifiers": ["ALPC_CONTEXT_ATTR", "PALPC_CONTEXT_ATTR"], 194 | "dependencies": [], 195 | "definition": "typedef struct _ALPC_CONTEXT_ATTR\n{\n\tPVOID PortContext;\n\tPVOID MessageContext;\n\tULONG SequenceNumber;\n\tULONG MessageID;\n\tULONG CallbackID;\n} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;" 196 | }, 197 | { 198 | "identifiers": ["ALPC_DATA_VIEW_ATTR", "PALPC_DATA_VIEW_ATTR"], 199 | "dependencies": [], 200 | "definition": "typedef struct _ALPC_DATA_VIEW_ATTR\n{\n\tULONG Flags;\n\tHANDLE SectionHandle;\n\tPVOID ViewBase;\n\tSIZE_T ViewSize;\n} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;" 201 | }, 202 | { 203 | "identifiers": ["ALPC_SECURITY_ATTR", "PALPC_SECURITY_ATTR"], 204 | "dependencies": [], 205 | "definition": "typedef struct _ALPC_SECURITY_ATTR\n{\n\tULONG Flags;\n\tPSECURITY_QUALITY_OF_SERVICE SecurityQos;\n\tHANDLE ContextHandle;\n\tULONG Reserved1;\n\tULONG Reserved2;\n} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;" 206 | }, 207 | { 208 | "identifiers": ["PPVOID"], 209 | "dependencies": [], 210 | "definition": "typedef PVOID* PPVOID;" 211 | }, 212 | { 213 | "identifiers": ["KPROFILE_SOURCE", "PKPROFILE_SOURCE"], 214 | "dependencies": [], 215 | "definition": "typedef enum _KPROFILE_SOURCE\n{\n\tProfileTime = 0,\n\tProfileAlignmentFixup = 1,\n\tProfileTotalIssues = 2,\n\tProfilePipelineDry = 3,\n\tProfileLoadInstructions = 4,\n\tProfilePipelineFrozen = 5,\n\tProfileBranchInstructions = 6,\n\tProfileTotalNonissues = 7,\n\tProfileDcacheMisses = 8,\n\tProfileIcacheMisses = 9,\n\tProfileCacheMisses = 10,\n\tProfileBranchMispredictions = 11,\n\tProfileStoreInstructions = 12,\n\tProfileFpInstructions = 13,\n\tProfileIntegerInstructions = 14,\n\tProfile2Issue = 15,\n\tProfile3Issue = 16,\n\tProfile4Issue = 17,\n\tProfileSpecialInstructions = 18,\n\tProfileTotalCycles = 19,\n\tProfileIcacheIssues = 20,\n\tProfileDcacheAccesses = 21,\n\tProfileMemoryBarrierCycles = 22,\n\tProfileLoadLinkedIssues = 23,\n\tProfileMaximum = 24,\n} KPROFILE_SOURCE, *PKPROFILE_SOURCE;" 216 | }, 217 | { 218 | "identifiers": ["ALPC_MESSAGE_INFORMATION_CLASS", "PALPC_MESSAGE_INFORMATION_CLASS"], 219 | "dependencies": [], 220 | "definition": "typedef enum _ALPC_MESSAGE_INFORMATION_CLASS\n{\n\tAlpcMessageSidInformation,\n\tAlpcMessageTokenModifiedIdInformation\n} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS;" 221 | }, 222 | { 223 | "identifiers": ["WORKERFACTORYINFOCLASS", "PWORKERFACTORYINFOCLASS"], 224 | "dependencies": [], 225 | "definition": "typedef enum _WORKERFACTORYINFOCLASS\n{\n\tWorkerFactoryTimeout,\n\tWorkerFactoryRetryTimeout,\n\tWorkerFactoryIdleTimeout,\n\tWorkerFactoryBindingCount,\n\tWorkerFactoryThreadMinimum,\n\tWorkerFactoryThreadMaximum,\n\tWorkerFactoryPaused,\n\tWorkerFactoryBasicInformation,\n\tWorkerFactoryAdjustThreadGoal,\n\tWorkerFactoryCallbackType,\n\tWorkerFactoryStackInformation,\n\tMaxWorkerFactoryInfoClass\n} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS;" 226 | }, 227 | { 228 | "identifiers": ["MEMORY_PARTITION_INFORMATION_CLASS", "PMEMORY_PARTITION_INFORMATION_CLASS"], 229 | "dependencies": [], 230 | "definition": "typedef enum _MEMORY_PARTITION_INFORMATION_CLASS\n{\n\tSystemMemoryPartitionInformation,\n\tSystemMemoryPartitionMoveMemory,\n\tSystemMemoryPartitionAddPagefile,\n\tSystemMemoryPartitionCombineMemory,\n\tSystemMemoryPartitionInitialAddMemory,\n\tSystemMemoryPartitionGetMemoryEvents,\n\tSystemMemoryPartitionMax\n} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS;" 231 | }, 232 | { 233 | "identifiers": ["MUTANT_INFORMATION_CLASS", "PMUTANT_INFORMATION_CLASS"], 234 | "dependencies": [], 235 | "definition": "typedef enum _MUTANT_INFORMATION_CLASS\n{\n\tMutantBasicInformation,\n\tMutantOwnerInformation\n} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS;" 236 | }, 237 | { 238 | "identifiers": ["ATOM_INFORMATION_CLASS", "PATOM_INFORMATION_CLASS"], 239 | "dependencies": [], 240 | "definition": "typedef enum _ATOM_INFORMATION_CLASS\n{\n\tAtomBasicInformation,\n\tAtomTableInformation\n} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS;" 241 | }, 242 | { 243 | "identifiers": ["SHUTDOWN_ACTION"], 244 | "dependencies": [], 245 | "definition": "typedef enum _SHUTDOWN_ACTION {\n\tShutdownNoReboot,\n\tShutdownReboot,\n\tShutdownPowerOff\n} SHUTDOWN_ACTION;" 246 | }, 247 | { 248 | "identifiers": ["PTIMER_APC_ROUTINE"], 249 | "dependencies": [], 250 | "definition": "typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)(\n\tIN PVOID TimerContext,\n\tIN ULONG TimerLowValue,\n\tIN LONG TimerHighValue);" 251 | }, 252 | { 253 | "identifiers": ["KEY_VALUE_INFORMATION_CLASS"], 254 | "dependencies": [], 255 | "definition": "typedef enum _KEY_VALUE_INFORMATION_CLASS {\n\tKeyValueBasicInformation = 0,\n\tKeyValueFullInformation,\n\tKeyValuePartialInformation,\n\tKeyValueFullInformationAlign64,\n\tKeyValuePartialInformationAlign64,\n\tMaxKeyValueInfoClass\n} KEY_VALUE_INFORMATION_CLASS;" 256 | }, 257 | { 258 | "identifiers": ["PLANGID"], 259 | "dependencies": [], 260 | "definition": "typedef LANGID* PLANGID;" 261 | }, 262 | { 263 | "identifiers": ["PLUGPLAY_EVENT_CATEGORY", "PPLUGPLAY_EVENT_CATEGORY"], 264 | "dependencies": [], 265 | "definition": "typedef enum _PLUGPLAY_EVENT_CATEGORY\n{\n\tHardwareProfileChangeEvent,\n\tTargetDeviceChangeEvent,\n\tDeviceClassChangeEvent,\n\tCustomDeviceEvent,\n\tDeviceInstallEvent,\n\tDeviceArrivalEvent,\n\tPowerEvent,\n\tVetoEvent,\n\tBlockedDriverEvent,\n\tInvalidIDEvent,\n\tMaxPlugEventCategory\n} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY;" 266 | }, 267 | { 268 | "identifiers": ["PNP_VETO_TYPE", "PPNP_VETO_TYPE"], 269 | "dependencies": [], 270 | "definition": "typedef enum _PNP_VETO_TYPE\n{\n\tPNP_VetoTypeUnknown, // unspecified\n\tPNP_VetoLegacyDevice, // instance path\n\tPNP_VetoPendingClose, // instance path\n\tPNP_VetoWindowsApp, // module\n\tPNP_VetoWindowsService, // service\n\tPNP_VetoOutstandingOpen, // instance path\n\tPNP_VetoDevice, // instance path\n\tPNP_VetoDriver, // driver service name\n\tPNP_VetoIllegalDeviceRequest, // instance path\n\tPNP_VetoInsufficientPower, // unspecified\n\tPNP_VetoNonDisableable, // instance path\n\tPNP_VetoLegacyDriver, // service\n\tPNP_VetoInsufficientRights // unspecified\n} PNP_VETO_TYPE, *PPNP_VETO_TYPE;" 271 | }, 272 | { 273 | "identifiers": ["PLUGPLAY_EVENT_BLOCK", "PPLUGPLAY_EVENT_BLOCK"], 274 | "dependencies": ["PLUGPLAY_EVENT_CATEGORY", "PNP_VETO_TYPE"], 275 | "definition": "typedef struct _PLUGPLAY_EVENT_BLOCK\n{\n\tGUID EventGuid;\n\tPLUGPLAY_EVENT_CATEGORY EventCategory;\n\tPULONG Result;\n\tULONG Flags;\n\tULONG TotalSize;\n\tPVOID DeviceObject;\n\n\tunion\n\t{\n\t\tstruct\n\t\t{\n\t\t\tGUID ClassGuid;\n\t\t\tWCHAR SymbolicLinkName[1];\n\t\t} DeviceClass;\n\t\tstruct\n\t\t{\n\t\t\tWCHAR DeviceIds[1];\n\t\t} TargetDevice;\n\t\tstruct\n\t\t{\n\t\t\tWCHAR DeviceId[1];\n\t\t} InstallDevice;\n\t\tstruct\n\t\t{\n\t\t\tPVOID NotificationStructure;\n\t\t\tWCHAR DeviceIds[1];\n\t\t} CustomNotification;\n\t\tstruct\n\t\t{\n\t\t\tPVOID Notification;\n\t\t} ProfileNotification;\n\t\tstruct\n\t\t{\n\t\t\tULONG NotificationCode;\n\t\t\tULONG NotificationData;\n\t\t} PowerNotification;\n\t\tstruct\n\t\t{\n\t\t\tPNP_VETO_TYPE VetoType;\n\t\t\tWCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName\n\t\t} VetoNotification;\n\t\tstruct\n\t\t{\n\t\t\tGUID BlockedDriverGuid;\n\t\t} BlockedDriverNotification;\n\t\tstruct\n\t\t{\n\t\t\tWCHAR ParentId[1];\n\t\t} InvalidIDNotification;\n\t} u;\n} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK;" 276 | }, 277 | { 278 | "identifiers": ["PIO_APC_ROUTINE"], 279 | "dependencies": ["PIO_STATUS_BLOCK"], 280 | "definition": "typedef VOID(NTAPI* PIO_APC_ROUTINE) (\n\tIN PVOID ApcContext,\n\tIN PIO_STATUS_BLOCK IoStatusBlock,\n\tIN ULONG Reserved);" 281 | }, 282 | { 283 | "identifiers": ["KNORMAL_ROUTINE"], 284 | "dependencies": [], 285 | "definition": "typedef VOID(KNORMAL_ROUTINE) (\n\tIN PVOID NormalContext,\n\tIN PVOID SystemArgument1,\n\tIN PVOID SystemArgument2);" 286 | }, 287 | { 288 | "identifiers": ["PKNORMAL_ROUTINE"], 289 | "dependencies": ["KNORMAL_ROUTINE"], 290 | "definition": "typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;" 291 | }, 292 | { 293 | "identifiers": ["DIRECTORY_NOTIFY_INFORMATION_CLASS", "PDIRECTORY_NOTIFY_INFORMATION_CLASS"], 294 | "dependencies": [], 295 | "definition": "typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS\n{\n\tDirectoryNotifyInformation = 1,\n\tDirectoryNotifyExtendedInformation = 2,\n} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS;" 296 | }, 297 | { 298 | "identifiers": ["EVENT_INFORMATION_CLASS", "PEVENT_INFORMATION_CLASS"], 299 | "dependencies": [], 300 | "definition": "typedef enum _EVENT_INFORMATION_CLASS\n{\n\tEventBasicInformation\n} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS;" 301 | }, 302 | { 303 | "identifiers": ["ALPC_MESSAGE_ATTRIBUTES", "PALPC_MESSAGE_ATTRIBUTES"], 304 | "dependencies": [], 305 | "definition": "typedef struct _ALPC_MESSAGE_ATTRIBUTES\n{\n\tunsigned long AllocatedAttributes;\n\tunsigned long ValidAttributes;\n} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;" 306 | }, 307 | { 308 | "identifiers": ["ALPC_PORT_ATTRIBUTES", "PALPC_PORT_ATTRIBUTES"], 309 | "dependencies": [], 310 | "definition": "typedef struct _ALPC_PORT_ATTRIBUTES\n{\n\tULONG Flags;\n\tSECURITY_QUALITY_OF_SERVICE SecurityQos;\n\tSIZE_T MaxMessageLength;\n\tSIZE_T MemoryBandwidth;\n\tSIZE_T MaxPoolUsage;\n\tSIZE_T MaxSectionSize;\n\tSIZE_T MaxViewSize;\n\tSIZE_T MaxTotalSectionSize;\n\tULONG DupObjectTypes;\n#ifdef _WIN64\n\tULONG Reserved;\n#endif\n} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;" 311 | }, 312 | { 313 | "identifiers": ["IO_SESSION_STATE", "PIO_SESSION_STATE"], 314 | "dependencies": [], 315 | "definition": "typedef enum _IO_SESSION_STATE\n{\n\tIoSessionStateCreated = 1,\n\tIoSessionStateInitialized = 2,\n\tIoSessionStateConnected = 3,\n\tIoSessionStateDisconnected = 4,\n\tIoSessionStateDisconnectedLoggedOn = 5,\n\tIoSessionStateLoggedOn = 6,\n\tIoSessionStateLoggedOff = 7,\n\tIoSessionStateTerminated = 8,\n\tIoSessionStateMax = 9,\n} IO_SESSION_STATE, *PIO_SESSION_STATE;" 316 | }, 317 | { 318 | "identifiers": ["WNF_STATE_NAME", "PWNF_STATE_NAME"], 319 | "dependencies": [], 320 | "definition": "typedef struct _WNF_STATE_NAME\n{\n\tULONG Data[2];\n} WNF_STATE_NAME, *PWNF_STATE_NAME;" 321 | }, 322 | { 323 | "identifiers": ["PCWNF_STATE_NAME"], 324 | "dependencies": ["WNF_STATE_NAME"], 325 | "definition": "typedef const WNF_STATE_NAME *PCWNF_STATE_NAME;" 326 | }, 327 | { 328 | "identifiers": ["WNF_TYPE_ID", "PWNF_TYPE_ID"], 329 | "dependencies": [], 330 | "definition": "typedef struct _WNF_TYPE_ID\n{\n\tGUID TypeId;\n} WNF_TYPE_ID, *PWNF_TYPE_ID;" 331 | }, 332 | { 333 | "identifiers": ["PCWNF_TYPE_ID"], 334 | "dependencies": ["WNF_TYPE_ID"], 335 | "definition": "typedef const WNF_TYPE_ID *PCWNF_TYPE_ID;" 336 | }, 337 | { 338 | "identifiers": ["WNF_DELIVERY_DESCRIPTOR", "PWNF_DELIVERY_DESCRIPTOR"], 339 | "dependencies": ["WNF_STATE_NAME", "WNF_TYPE_ID"], 340 | "definition": "typedef struct _WNF_DELIVERY_DESCRIPTOR\n{\n\tunsigned __int64 SubscriptionId;\n\tWNF_STATE_NAME StateName;\n\tunsigned long ChangeStamp;\n\tunsigned long StateDataSize;\n\tunsigned long EventMask;\n\tWNF_TYPE_ID TypeId;\n\tunsigned long StateDataOffset;\n} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR;" 341 | }, 342 | { 343 | "identifiers": ["DEBUG_CONTROL_CODE", "PPDEBUG_CONTROL_CODE"], 344 | "dependencies": [], 345 | "definition": "typedef enum _DEBUG_CONTROL_CODE\n{\n\tSysDbgQueryModuleInformation = 0,\n\tSysDbgQueryTraceInformation = 1,\n\tSysDbgSetTracePoint = 2,\n\tSysDbgSetSpecialCall = 3,\n\tSysDbgClearSpecialCalls = 4,\n\tSysDbgQuerySpecialCalls = 5,\n\tSysDbgBreakPoint = 6,\n\tSysDbgQueryVersion = 7,\n\tSysDbgReadVirtual = 8,\n\tSysDbgWriteVirtual = 9,\n\tSysDbgReadPhysical = 10,\n\tSysDbgWritePhysical = 11,\n\tSysDbgReadControlSpace = 12,\n\tSysDbgWriteControlSpace = 13,\n\tSysDbgReadIoSpace = 14,\n\tSysDbgWriteIoSpace = 15,\n\tSysDbgReadMsr = 16,\n\tSysDbgWriteMsr = 17,\n\tSysDbgReadBusData = 18,\n\tSysDbgWriteBusData = 19,\n\tSysDbgCheckLowMemory = 20,\n\tSysDbgEnableKernelDebugger = 21,\n\tSysDbgDisableKernelDebugger = 22,\n\tSysDbgGetAutoKdEnable = 23,\n\tSysDbgSetAutoKdEnable = 24,\n\tSysDbgGetPrintBufferSize = 25,\n\tSysDbgSetPrintBufferSize = 26,\n\tSysDbgGetKdUmExceptionEnable = 27,\n\tSysDbgSetKdUmExceptionEnable = 28,\n\tSysDbgGetTriageDump = 29,\n\tSysDbgGetKdBlockEnable = 30,\n\tSysDbgSetKdBlockEnable = 31\n} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE;" 346 | }, 347 | { 348 | "identifiers": ["CLIENT_ID", "PCLIENT_ID"], 349 | "dependencies": [], 350 | "definition": "typedef struct _CLIENT_ID\n{\n\tHANDLE UniqueProcess;\n\tHANDLE UniqueThread;\n} CLIENT_ID, *PCLIENT_ID;" 351 | }, 352 | { 353 | "identifiers": ["PORT_MESSAGE", "PPORT_MESSAGE"], 354 | "dependencies": ["CLIENT_ID"], 355 | "definition": "typedef struct _PORT_MESSAGE\n{\n\tunion\n\t{\n\t\tunion\n\t\t{\n\t\t\tstruct\n\t\t\t{\n\t\t\t\tshort DataLength;\n\t\t\t\tshort TotalLength;\n\t\t\t} s1;\n\t\t\tunsigned long Length;\n\t\t};\n\t} u1;\n\tunion\n\t{\n\t\tunion\n\t\t{\n\t\t\tstruct\n\t\t\t{\n\t\t\t\tshort Type;\n\t\t\t\tshort DataInfoOffset;\n\t\t\t} s2;\n\t\t\tunsigned long ZeroInit;\n\t\t};\n\t} u2;\n\tunion\n\t{\n\t\tCLIENT_ID ClientId;\n\t\tdouble DoNotUseThisField;\n\t};\n\tunsigned long MessageId;\n\tunion\n\t{\n\t\tunsigned __int64 ClientViewSize;\n\t\tstruct\n\t\t{\n\t\t\tunsigned long CallbackId;\n\t\t\tlong __PADDING__[1];\n\t\t};\n\t};\n} PORT_MESSAGE, *PPORT_MESSAGE;" 356 | }, 357 | { 358 | "identifiers": ["FILE_BASIC_INFORMATION", "PFILE_BASIC_INFORMATION"], 359 | "dependencies": [], 360 | "definition": "typedef struct FILE_BASIC_INFORMATION\n{\n\tLARGE_INTEGER CreationTime;\n\tLARGE_INTEGER LastAccessTime;\n\tLARGE_INTEGER LastWriteTime;\n\tLARGE_INTEGER ChangeTime;\n\tULONG FileAttributes;\n} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;" 361 | }, 362 | { 363 | "identifiers": ["PORT_SECTION_READ", "PPORT_SECTION_READ"], 364 | "dependencies": [], 365 | "definition": "typedef struct _PORT_SECTION_READ\n{\n\tULONG Length;\n\tULONG ViewSize;\n\tULONG ViewBase;\n} PORT_SECTION_READ, *PPORT_SECTION_READ;" 366 | }, 367 | { 368 | "identifiers": ["PORT_SECTION_WRITE", "PPORT_SECTION_WRITE"], 369 | "dependencies": [], 370 | "definition": "typedef struct _PORT_SECTION_WRITE\n{\n\tULONG Length;\n\tHANDLE SectionHandle;\n\tULONG SectionOffset;\n\tULONG ViewSize;\n\tPVOID ViewBase;\n\tPVOID TargetViewBase;\n} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE;" 371 | }, 372 | { 373 | "identifiers": ["TIMER_TYPE", "PTIMER_TYPE"], 374 | "dependencies": [], 375 | "definition": "typedef enum _TIMER_TYPE\n{\n\tNotificationTimer,\n\tSynchronizationTimer\n} TIMER_TYPE, *PTIMER_TYPE;" 376 | }, 377 | { 378 | "identifiers": ["BOOT_ENTRY", "PBOOT_ENTRY"], 379 | "dependencies": [], 380 | "definition": "typedef struct _BOOT_ENTRY\n{\n\tULONG Version;\n\tULONG Length;\n\tULONG Id;\n\tULONG Attributes;\n\tULONG FriendlyNameOffset;\n\tULONG BootFilePathOffset;\n\tULONG OsOptionsLength;\n\tUCHAR OsOptions[ANYSIZE_ARRAY];\n} BOOT_ENTRY, *PBOOT_ENTRY;" 381 | }, 382 | { 383 | "identifiers": ["EFI_DRIVER_ENTRY", "PEFI_DRIVER_ENTRY"], 384 | "dependencies": [], 385 | "definition": "typedef struct _EFI_DRIVER_ENTRY\n{\n\tULONG Version;\n\tULONG Length;\n\tULONG Id;\n\tULONG Attributes;\n\tULONG FriendlyNameOffset;\n\tULONG DriverFilePathOffset;\n} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY;" 386 | }, 387 | { 388 | "identifiers": ["RTL_ATOM", "PRTL_ATOM"], 389 | "dependencies": [], 390 | "definition": "typedef USHORT RTL_ATOM, *PRTL_ATOM;" 391 | }, 392 | { 393 | "identifiers": ["TIMER_SET_INFORMATION_CLASS", "PTIMER_SET_INFORMATION_CLASS"], 394 | "dependencies": [], 395 | "definition": "typedef enum _TIMER_SET_INFORMATION_CLASS\n{\n\tTimerSetCoalescableTimer,\n\tMaxTimerInfoClass\n} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS;" 396 | }, 397 | { 398 | "identifiers": ["FSINFOCLASS", "PFSINFOCLASS"], 399 | "dependencies": [], 400 | "definition": "typedef enum _FSINFOCLASS\n{\n\tFileFsVolumeInformation = 1,\n\tFileFsLabelInformation = 2,\n\tFileFsSizeInformation = 3,\n\tFileFsDeviceInformation = 4,\n\tFileFsAttributeInformation = 5,\n\tFileFsControlInformation = 6,\n\tFileFsFullSizeInformation = 7,\n\tFileFsObjectIdInformation = 8,\n\tFileFsDriverPathInformation = 9,\n\tFileFsVolumeFlagsInformation = 10,\n\tFileFsSectorSizeInformation = 11,\n\tFileFsDataCopyInformation = 12,\n\tFileFsMetadataSizeInformation = 13,\n\tFileFsFullSizeInformationEx = 14,\n\tFileFsMaximumInformation = 15,\n} FSINFOCLASS, *PFSINFOCLASS;" 401 | }, 402 | { 403 | "identifiers": ["WAIT_TYPE", "PWAIT_TYPE"], 404 | "dependencies": [], 405 | "definition": "typedef enum _WAIT_TYPE\n{\n\tWaitAll = 0,\n\tWaitAny = 1\n} WAIT_TYPE, *PWAIT_TYPE;" 406 | }, 407 | { 408 | "identifiers": ["USER_STACK", "PUSER_STACK"], 409 | "dependencies": [], 410 | "definition": "typedef struct _USER_STACK\n{\n\tPVOID FixedStackBase;\n\tPVOID FixedStackLimit;\n\tPVOID ExpandableStackBase;\n\tPVOID ExpandableStackLimit;\n\tPVOID ExpandableStackBottom;\n} USER_STACK, *PUSER_STACK;" 411 | }, 412 | { 413 | "identifiers": ["SECTION_INFORMATION_CLASS", "PSECTION_INFORMATION_CLASS"], 414 | "dependencies": [], 415 | "definition": "typedef enum _SECTION_INFORMATION_CLASS\n{\n\tSectionBasicInformation,\n\tSectionImageInformation,\n} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS;" 416 | }, 417 | { 418 | "identifiers": ["APPHELPCACHESERVICECLASS", "PAPPHELPCACHESERVICECLASS"], 419 | "dependencies": [], 420 | "definition": "typedef enum _APPHELPCACHESERVICECLASS\n{\n\tApphelpCacheServiceLookup = 0,\n\tApphelpCacheServiceRemove = 1,\n\tApphelpCacheServiceUpdate = 2,\n\tApphelpCacheServiceFlush = 3,\n\tApphelpCacheServiceDump = 4,\n\tApphelpDBGReadRegistry = 0x100,\n\tApphelpDBGWriteRegistry = 0x101,\n} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS;" 421 | }, 422 | { 423 | "identifiers": ["TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE", "PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE"], 424 | "dependencies": ["UNICODE_STRING"], 425 | "definition": "typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE\n{\n\tULONG64 Version;\n\tUNICODE_STRING Name;\n} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;" 426 | }, 427 | { 428 | "identifiers": ["TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE", "PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE"], 429 | "dependencies": [], 430 | "definition": "typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE\n{\n\tPVOID pValue;\n\tULONG ValueLength;\n} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;" 431 | }, 432 | { 433 | "identifiers": ["TOKEN_SECURITY_ATTRIBUTE_V1", "PTOKEN_SECURITY_ATTRIBUTE_V1"], 434 | "dependencies": ["PUNICODE_STRING", "PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE", "PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE"], 435 | "definition": "typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1\n{\n\tUNICODE_STRING Name;\n\tUSHORT ValueType;\n\tUSHORT Reserved;\n\tULONG Flags;\n\tULONG ValueCount;\n\tunion\n\t{\n\t\tPLONG64 pInt64;\n\t\tPULONG64 pUint64;\n\t\tPUNICODE_STRING pString;\n\t\tPTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;\n\t\tPTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;\n\t} Values;\n} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;" 436 | }, 437 | { 438 | "identifiers": ["TOKEN_SECURITY_ATTRIBUTES_INFORMATION", "PTOKEN_SECURITY_ATTRIBUTES_INFORMATION"], 439 | "dependencies": ["PTOKEN_SECURITY_ATTRIBUTE_V1"], 440 | "definition": "typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION\n{\n\tUSHORT Version;\n\tUSHORT Reserved;\n\tULONG AttributeCount;\n\tunion\n\t{\n\t\tPTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;\n\t} Attribute;\n} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;" 441 | }, 442 | { 443 | "identifiers": ["FILE_IO_COMPLETION_INFORMATION", "PFILE_IO_COMPLETION_INFORMATION"], 444 | "dependencies": [], 445 | "definition": "typedef struct _FILE_IO_COMPLETION_INFORMATION\n{\n\tPVOID KeyContext;\n\tPVOID ApcContext;\n\tIO_STATUS_BLOCK IoStatusBlock;\n} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION;" 446 | }, 447 | { 448 | "identifiers": ["PT2_CANCEL_PARAMETERS"], 449 | "dependencies": [], 450 | "definition": "typedef PVOID PT2_CANCEL_PARAMETERS;" 451 | }, 452 | { 453 | "identifiers": ["THREADINFOCLASS", "PTHREADINFOCLASS"], 454 | "dependencies": [], 455 | "definition": "typedef enum _THREADINFOCLASS\n{\n\tThreadBasicInformation,\n\tThreadTimes,\n\tThreadPriority,\n\tThreadBasePriority,\n\tThreadAffinityMask,\n\tThreadImpersonationToken,\n\tThreadDescriptorTableEntry,\n\tThreadEnableAlignmentFaultFixup,\n\tThreadEventPair_Reusable,\n\tThreadQuerySetWin32StartAddress,\n\tThreadZeroTlsCell,\n\tThreadPerformanceCount,\n\tThreadAmILastThread,\n\tThreadIdealProcessor,\n\tThreadPriorityBoost,\n\tThreadSetTlsArrayAddress,\n\tThreadIsIoPending,\n\tThreadHideFromDebugger,\n\tThreadBreakOnTermination,\n\tMaxThreadInfoClass\n} THREADINFOCLASS, *PTHREADINFOCLASS;" 456 | }, 457 | { 458 | "identifiers": ["OBJECT_INFORMATION_CLASS", "POBJECT_INFORMATION_CLASS"], 459 | "dependencies": [], 460 | "definition": "typedef enum _OBJECT_INFORMATION_CLASS\n{\n\tObjectBasicInformation,\n\tObjectNameInformation,\n\tObjectTypeInformation,\n\tObjectAllTypesInformation,\n\tObjectHandleInformation\n} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;" 461 | }, 462 | { 463 | "identifiers": ["FILE_INFORMATION_CLASS", "PFILE_INFORMATION_CLASS"], 464 | "dependencies": [], 465 | "definition": "typedef enum _FILE_INFORMATION_CLASS\n{\n\tFileDirectoryInformation = 1,\n\tFileFullDirectoryInformation = 2,\n\tFileBothDirectoryInformation = 3,\n\tFileBasicInformation = 4,\n\tFileStandardInformation = 5,\n\tFileInternalInformation = 6,\n\tFileEaInformation = 7,\n\tFileAccessInformation = 8,\n\tFileNameInformation = 9,\n\tFileRenameInformation = 10,\n\tFileLinkInformation = 11,\n\tFileNamesInformation = 12,\n\tFileDispositionInformation = 13,\n\tFilePositionInformation = 14,\n\tFileFullEaInformation = 15,\n\tFileModeInformation = 16,\n\tFileAlignmentInformation = 17,\n\tFileAllInformation = 18,\n\tFileAllocationInformation = 19,\n\tFileEndOfFileInformation = 20,\n\tFileAlternateNameInformation = 21,\n\tFileStreamInformation = 22,\n\tFilePipeInformation = 23,\n\tFilePipeLocalInformation = 24,\n\tFilePipeRemoteInformation = 25,\n\tFileMailslotQueryInformation = 26,\n\tFileMailslotSetInformation = 27,\n\tFileCompressionInformation = 28,\n\tFileObjectIdInformation = 29,\n\tFileCompletionInformation = 30,\n\tFileMoveClusterInformation = 31,\n\tFileQuotaInformation = 32,\n\tFileReparsePointInformation = 33,\n\tFileNetworkOpenInformation = 34,\n\tFileAttributeTagInformation = 35,\n\tFileTrackingInformation = 36,\n\tFileIdBothDirectoryInformation = 37,\n\tFileIdFullDirectoryInformation = 38,\n\tFileValidDataLengthInformation = 39,\n\tFileShortNameInformation = 40,\n\tFileIoCompletionNotificationInformation = 41,\n\tFileIoStatusBlockRangeInformation = 42,\n\tFileIoPriorityHintInformation = 43,\n\tFileSfioReserveInformation = 44,\n\tFileSfioVolumeInformation = 45,\n\tFileHardLinkInformation = 46,\n\tFileProcessIdsUsingFileInformation = 47,\n\tFileNormalizedNameInformation = 48,\n\tFileNetworkPhysicalNameInformation = 49,\n\tFileIdGlobalTxDirectoryInformation = 50,\n\tFileIsRemoteDeviceInformation = 51,\n\tFileUnusedInformation = 52,\n\tFileNumaNodeInformation = 53,\n\tFileStandardLinkInformation = 54,\n\tFileRemoteProtocolInformation = 55,\n\tFileRenameInformationBypassAccessCheck = 56,\n\tFileLinkInformationBypassAccessCheck = 57,\n\tFileVolumeNameInformation = 58,\n\tFileIdInformation = 59,\n\tFileIdExtdDirectoryInformation = 60,\n\tFileReplaceCompletionInformation = 61,\n\tFileHardLinkFullIdInformation = 62,\n\tFileIdExtdBothDirectoryInformation = 63,\n\tFileDispositionInformationEx = 64,\n\tFileRenameInformationEx = 65,\n\tFileRenameInformationExBypassAccessCheck = 66,\n\tFileMaximumInformation = 67,\n} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;" 466 | }, 467 | { 468 | "identifiers": ["KEY_INFORMATION_CLASS", "PKEY_INFORMATION_CLASS"], 469 | "dependencies": [], 470 | "definition": "typedef enum _KEY_INFORMATION_CLASS\n{\n\tKeyBasicInformation = 0,\n\tKeyNodeInformation = 1,\n\tKeyFullInformation = 2,\n\tKeyNameInformation = 3,\n\tKeyCachedInformation = 4,\n\tKeyFlagsInformation = 5,\n\tKeyVirtualizationInformation = 6,\n\tKeyHandleTagsInformation = 7,\n\tMaxKeyInfoClass = 8\n} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS;" 471 | }, 472 | { 473 | "identifiers": ["UNICODE_STRING", "PUNICODE_STRING"], 474 | "dependencies": [], 475 | "definition": "typedef struct _UNICODE_STRING\n{\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR Buffer;\n} UNICODE_STRING, *PUNICODE_STRING;" 476 | }, 477 | { 478 | "identifiers": ["InitializeObjectAttributes"], 479 | "dependencies": [], 480 | "definition": "#ifndef InitializeObjectAttributes\n#define InitializeObjectAttributes( p, n, a, r, s ) { \\\n\t(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \\\n\t(p)->RootDirectory = r; \\\n\t(p)->Attributes = a; \\\n\t(p)->ObjectName = n; \\\n\t(p)->SecurityDescriptor = s; \\\n\t(p)->SecurityQualityOfService = NULL; \\\n}\n#endif" 481 | }, 482 | { 483 | "identifiers": ["OBJECT_ATTRIBUTES", "POBJECT_ATTRIBUTES"], 484 | "dependencies": ["PUNICODE_STRING", "InitializeObjectAttributes"], 485 | "definition": "typedef struct _OBJECT_ATTRIBUTES\n{\n\tULONG Length;\n\tHANDLE RootDirectory;\n\tPUNICODE_STRING ObjectName;\n\tULONG Attributes;\n\tPVOID SecurityDescriptor;\n\tPVOID SecurityQualityOfService;\n} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;" 486 | }, 487 | { 488 | "identifiers": ["TIMER_INFORMATION_CLASS", "PTIMER_INFORMATION_CLASS"], 489 | "dependencies": [], 490 | "definition": "typedef enum _TIMER_INFORMATION_CLASS\n{\n\tTimerBasicInformation\n} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS;" 491 | } 492 | ] -------------------------------------------------------------------------------- /example-output/syscalls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef struct _UNICODE_STRING 6 | { 7 | USHORT Length; 8 | USHORT MaximumLength; 9 | PWSTR Buffer; 10 | } UNICODE_STRING, *PUNICODE_STRING; 11 | 12 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE 13 | { 14 | ULONG64 Version; 15 | UNICODE_STRING Name; 16 | } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; 17 | 18 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE 19 | { 20 | PVOID pValue; 21 | ULONG ValueLength; 22 | } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; 23 | 24 | typedef struct _IO_STATUS_BLOCK 25 | { 26 | union 27 | { 28 | NTSTATUS Status; 29 | VOID* Pointer; 30 | }; 31 | ULONG_PTR Information; 32 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; 33 | 34 | typedef struct _CLIENT_ID 35 | { 36 | void* UniqueProcess; 37 | void* UniqueThread; 38 | } CLIENT_ID, *PCLIENT_ID; 39 | 40 | typedef enum _PLUGPLAY_EVENT_CATEGORY 41 | { 42 | HardwareProfileChangeEvent, 43 | TargetDeviceChangeEvent, 44 | DeviceClassChangeEvent, 45 | CustomDeviceEvent, 46 | DeviceInstallEvent, 47 | DeviceArrivalEvent, 48 | PowerEvent, 49 | VetoEvent, 50 | BlockedDriverEvent, 51 | InvalidIDEvent, 52 | MaxPlugEventCategory 53 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 54 | 55 | typedef enum _PNP_VETO_TYPE 56 | { 57 | PNP_VetoTypeUnknown, // unspecified 58 | PNP_VetoLegacyDevice, // instance path 59 | PNP_VetoPendingClose, // instance path 60 | PNP_VetoWindowsApp, // module 61 | PNP_VetoWindowsService, // service 62 | PNP_VetoOutstandingOpen, // instance path 63 | PNP_VetoDevice, // instance path 64 | PNP_VetoDriver, // driver service name 65 | PNP_VetoIllegalDeviceRequest, // instance path 66 | PNP_VetoInsufficientPower, // unspecified 67 | PNP_VetoNonDisableable, // instance path 68 | PNP_VetoLegacyDriver, // service 69 | PNP_VetoInsufficientRights // unspecified 70 | } PNP_VETO_TYPE, *PPNP_VETO_TYPE; 71 | 72 | typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 73 | { 74 | UNICODE_STRING Name; 75 | USHORT ValueType; 76 | USHORT Reserved; 77 | ULONG Flags; 78 | ULONG ValueCount; 79 | union 80 | { 81 | PLONG64 pInt64; 82 | PULONG64 pUint64; 83 | PUNICODE_STRING pString; 84 | PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; 85 | PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; 86 | } Values; 87 | } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; 88 | 89 | typedef struct _WNF_STATE_NAME 90 | { 91 | ULONG Data[2]; 92 | } WNF_STATE_NAME, *PWNF_STATE_NAME; 93 | 94 | typedef VOID(KNORMAL_ROUTINE) ( 95 | IN PVOID NormalContext, 96 | IN PVOID SystemArgument1, 97 | IN PVOID SystemArgument2); 98 | 99 | typedef struct _PS_ATTRIBUTE 100 | { 101 | ULONG Attribute; 102 | SIZE_T Size; 103 | union 104 | { 105 | ULONG Value; 106 | PVOID ValuePtr; 107 | } u1; 108 | PSIZE_T ReturnLength; 109 | } PS_ATTRIBUTE, *PPS_ATTRIBUTE; 110 | 111 | typedef enum _PS_CREATE_STATE 112 | { 113 | PsCreateInitialState, 114 | PsCreateFailOnFileOpen, 115 | PsCreateFailOnSectionCreate, 116 | PsCreateFailExeFormat, 117 | PsCreateFailMachineMismatch, 118 | PsCreateFailExeName, 119 | PsCreateSuccess, 120 | PsCreateMaximumStates 121 | } PS_CREATE_STATE, *PPS_CREATE_STATE; 122 | 123 | #ifndef InitializeObjectAttributes 124 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 125 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 126 | (p)->RootDirectory = r; \ 127 | (p)->Attributes = a; \ 128 | (p)->ObjectName = n; \ 129 | (p)->SecurityDescriptor = s; \ 130 | (p)->SecurityQualityOfService = NULL; \ 131 | } 132 | #endif 133 | 134 | typedef struct _WNF_TYPE_ID 135 | { 136 | GUID TypeId; 137 | } WNF_TYPE_ID, *PWNF_TYPE_ID; 138 | 139 | typedef struct _KEY_VALUE_ENTRY 140 | { 141 | PUNICODE_STRING ValueName; 142 | ULONG DataLength; 143 | ULONG DataOffset; 144 | ULONG Type; 145 | } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; 146 | 147 | typedef enum _KEY_SET_INFORMATION_CLASS 148 | { 149 | KeyWriteTimeInformation, 150 | KeyWow64FlagsInformation, 151 | KeyControlFlagsInformation, 152 | KeySetVirtualizationInformation, 153 | KeySetDebugInformation, 154 | KeySetHandleTagsInformation, 155 | MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. 156 | } KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; 157 | 158 | typedef enum _SYSTEM_INFORMATION_CLASS 159 | { 160 | SystemBasicInformation = 0, 161 | SystemPerformanceInformation = 2, 162 | SystemTimeOfDayInformation = 3, 163 | SystemProcessInformation = 5, 164 | SystemProcessorPerformanceInformation = 8, 165 | SystemInterruptInformation = 23, 166 | SystemExceptionInformation = 33, 167 | SystemRegistryQuotaInformation = 37, 168 | SystemLookasideInformation = 45, 169 | SystemCodeIntegrityInformation = 103, 170 | SystemPolicyInformation = 134, 171 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 172 | 173 | typedef enum _PROCESSINFOCLASS 174 | { 175 | ProcessBasicInformation = 0, 176 | ProcessDebugPort = 7, 177 | ProcessWow64Information = 26, 178 | ProcessImageFileName = 27, 179 | ProcessBreakOnTermination = 29 180 | } PROCESSINFOCLASS, *PPROCESSINFOCLASS; 181 | 182 | typedef struct _MEMORY_RANGE_ENTRY 183 | { 184 | PVOID VirtualAddress; 185 | SIZE_T NumberOfBytes; 186 | } MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; 187 | 188 | typedef struct _T2_SET_PARAMETERS_V0 189 | { 190 | ULONG Version; 191 | ULONG Reserved; 192 | LONGLONG NoWakeTolerance; 193 | } T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; 194 | 195 | typedef struct _FILE_PATH 196 | { 197 | ULONG Version; 198 | ULONG Length; 199 | ULONG Type; 200 | CHAR FilePath[1]; 201 | } FILE_PATH, *PFILE_PATH; 202 | 203 | typedef struct _FILE_USER_QUOTA_INFORMATION 204 | { 205 | ULONG NextEntryOffset; 206 | ULONG SidLength; 207 | LARGE_INTEGER ChangeTime; 208 | LARGE_INTEGER QuotaUsed; 209 | LARGE_INTEGER QuotaThreshold; 210 | LARGE_INTEGER QuotaLimit; 211 | SID Sid[1]; 212 | } FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; 213 | 214 | typedef struct _FILE_QUOTA_LIST_INFORMATION 215 | { 216 | ULONG NextEntryOffset; 217 | ULONG SidLength; 218 | SID Sid[1]; 219 | } FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; 220 | 221 | typedef struct _FILE_NETWORK_OPEN_INFORMATION 222 | { 223 | LARGE_INTEGER CreationTime; 224 | LARGE_INTEGER LastAccessTime; 225 | LARGE_INTEGER LastWriteTime; 226 | LARGE_INTEGER ChangeTime; 227 | LARGE_INTEGER AllocationSize; 228 | LARGE_INTEGER EndOfFile; 229 | ULONG FileAttributes; 230 | ULONG Unknown; 231 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; 232 | 233 | typedef enum _FILTER_BOOT_OPTION_OPERATION 234 | { 235 | FilterBootOptionOperationOpenSystemStore, 236 | FilterBootOptionOperationSetElement, 237 | FilterBootOptionOperationDeleteElement, 238 | FilterBootOptionOperationMax 239 | } FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; 240 | 241 | typedef enum _EVENT_TYPE 242 | { 243 | NotificationEvent = 0, 244 | SynchronizationEvent = 1, 245 | } EVENT_TYPE, *PEVENT_TYPE; 246 | 247 | typedef struct _FILE_FULL_EA_INFORMATION 248 | { 249 | ULONG NextEntryOffset; 250 | UCHAR Flags; 251 | UCHAR EaNameLength; 252 | USHORT EaValueLength; 253 | CHAR EaName[1]; 254 | } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; 255 | 256 | typedef struct _FILE_GET_EA_INFORMATION 257 | { 258 | ULONG NextEntryOffset; 259 | BYTE EaNameLength; 260 | CHAR EaName[1]; 261 | } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; 262 | 263 | typedef struct _BOOT_OPTIONS 264 | { 265 | ULONG Version; 266 | ULONG Length; 267 | ULONG Timeout; 268 | ULONG CurrentBootEntryId; 269 | ULONG NextBootEntryId; 270 | WCHAR HeadlessRedirection[1]; 271 | } BOOT_OPTIONS, *PBOOT_OPTIONS; 272 | 273 | typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; 274 | 275 | typedef enum _WNF_DATA_SCOPE 276 | { 277 | WnfDataScopeSystem = 0, 278 | WnfDataScopeSession = 1, 279 | WnfDataScopeUser = 2, 280 | WnfDataScopeProcess = 3, 281 | WnfDataScopeMachine = 4 282 | } WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; 283 | 284 | typedef enum _WNF_STATE_NAME_LIFETIME 285 | { 286 | WnfWellKnownStateName = 0, 287 | WnfPermanentStateName = 1, 288 | WnfPersistentStateName = 2, 289 | WnfTemporaryStateName = 3 290 | } WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; 291 | 292 | typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS 293 | { 294 | VmPrefetchInformation, 295 | VmPagePriorityInformation, 296 | VmCfgCallTargetInformation 297 | } VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; 298 | 299 | typedef enum _IO_SESSION_EVENT 300 | { 301 | IoSessionEventIgnore, 302 | IoSessionEventCreated, 303 | IoSessionEventTerminated, 304 | IoSessionEventConnected, 305 | IoSessionEventDisconnected, 306 | IoSessionEventLogon, 307 | IoSessionEventLogoff, 308 | IoSessionEventMax 309 | } IO_SESSION_EVENT, *PIO_SESSION_EVENT; 310 | 311 | typedef enum _PORT_INFORMATION_CLASS 312 | { 313 | PortBasicInformation, 314 | #if DEVL 315 | PortDumpInformation 316 | #endif 317 | } PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; 318 | 319 | typedef enum _PLUGPLAY_CONTROL_CLASS 320 | { 321 | PlugPlayControlEnumerateDevice, 322 | PlugPlayControlRegisterNewDevice, 323 | PlugPlayControlDeregisterDevice, 324 | PlugPlayControlInitializeDevice, 325 | PlugPlayControlStartDevice, 326 | PlugPlayControlUnlockDevice, 327 | PlugPlayControlQueryAndRemoveDevice, 328 | PlugPlayControlUserResponse, 329 | PlugPlayControlGenerateLegacyDevice, 330 | PlugPlayControlGetInterfaceDeviceList, 331 | PlugPlayControlProperty, 332 | PlugPlayControlDeviceClassAssociation, 333 | PlugPlayControlGetRelatedDevice, 334 | PlugPlayControlGetInterfaceDeviceAlias, 335 | PlugPlayControlDeviceStatus, 336 | PlugPlayControlGetDeviceDepth, 337 | PlugPlayControlQueryDeviceRelations, 338 | PlugPlayControlTargetDeviceRelation, 339 | PlugPlayControlQueryConflictList, 340 | PlugPlayControlRetrieveDock, 341 | PlugPlayControlResetDevice, 342 | PlugPlayControlHaltDevice, 343 | PlugPlayControlGetBlockedDriverList, 344 | MaxPlugPlayControl 345 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 346 | 347 | typedef enum _IO_COMPLETION_INFORMATION_CLASS 348 | { 349 | IoCompletionBasicInformation 350 | } IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; 351 | 352 | typedef enum _SECTION_INHERIT 353 | { 354 | ViewShare = 1, 355 | ViewUnmap = 2 356 | } SECTION_INHERIT, *PSECTION_INHERIT; 357 | 358 | typedef enum _DEBUGOBJECTINFOCLASS 359 | { 360 | DebugObjectFlags = 1, 361 | MaxDebugObjectInfoClass 362 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 363 | 364 | typedef enum _SEMAPHORE_INFORMATION_CLASS 365 | { 366 | SemaphoreBasicInformation 367 | } SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; 368 | 369 | typedef struct _PS_ATTRIBUTE_LIST 370 | { 371 | SIZE_T TotalLength; 372 | PS_ATTRIBUTE Attributes[1]; 373 | } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; 374 | 375 | typedef enum _VDMSERVICECLASS 376 | { 377 | VdmStartExecution, 378 | VdmQueueInterrupt, 379 | VdmDelayInterrupt, 380 | VdmInitialize, 381 | VdmFeatures, 382 | VdmSetInt21Handler, 383 | VdmQueryDir, 384 | VdmPrinterDirectIoOpen, 385 | VdmPrinterDirectIoClose, 386 | VdmPrinterInitialize, 387 | VdmSetLdtEntries, 388 | VdmSetProcessLdtInfo, 389 | VdmAdlibEmulation, 390 | VdmPMCliControl, 391 | VdmQueryVdmProcess 392 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 393 | 394 | typedef struct _PS_CREATE_INFO 395 | { 396 | SIZE_T Size; 397 | PS_CREATE_STATE State; 398 | union 399 | { 400 | // PsCreateInitialState 401 | struct { 402 | union { 403 | ULONG InitFlags; 404 | struct { 405 | UCHAR WriteOutputOnExit : 1; 406 | UCHAR DetectManifest : 1; 407 | UCHAR IFEOSkipDebugger : 1; 408 | UCHAR IFEODoNotPropagateKeyState : 1; 409 | UCHAR SpareBits1 : 4; 410 | UCHAR SpareBits2 : 8; 411 | USHORT ProhibitedImageCharacteristics : 16; 412 | }; 413 | }; 414 | ACCESS_MASK AdditionalFileAccess; 415 | } InitState; 416 | // PsCreateFailOnSectionCreate 417 | struct { 418 | HANDLE FileHandle; 419 | } FailSection; 420 | // PsCreateFailExeFormat 421 | struct { 422 | USHORT DllCharacteristics; 423 | } ExeFormat; 424 | // PsCreateFailExeName 425 | struct { 426 | HANDLE IFEOKey; 427 | } ExeName; 428 | // PsCreateSuccess 429 | struct { 430 | union { 431 | ULONG OutputFlags; 432 | struct { 433 | UCHAR ProtectedProcess : 1; 434 | UCHAR AddressSpaceOverride : 1; 435 | UCHAR DevOverrideEnabled : 1; // from Image File Execution Options 436 | UCHAR ManifestDetected : 1; 437 | UCHAR ProtectedProcessLight : 1; 438 | UCHAR SpareBits1 : 3; 439 | UCHAR SpareBits2 : 8; 440 | USHORT SpareBits3 : 16; 441 | }; 442 | }; 443 | HANDLE FileHandle; 444 | HANDLE SectionHandle; 445 | ULONGLONG UserProcessParametersNative; 446 | ULONG UserProcessParametersWow64; 447 | ULONG CurrentParameterFlags; 448 | ULONGLONG PebAddressNative; 449 | ULONG PebAddressWow64; 450 | ULONGLONG ManifestAddress; 451 | ULONG ManifestSize; 452 | } SuccessState; 453 | }; 454 | } PS_CREATE_INFO, *PPS_CREATE_INFO; 455 | 456 | typedef enum _MEMORY_INFORMATION_CLASS 457 | { 458 | MemoryBasicInformation, 459 | MemoryWorkingSetInformation, 460 | MemoryMappedFilenameInformation, 461 | MemoryRegionInformation, 462 | MemoryWorkingSetExInformation, 463 | MemorySharedCommitInformation, 464 | MemoryImageInformation, 465 | MemoryRegionInformationEx, 466 | MemoryPrivilegedBasicInformation, 467 | MemoryEnclaveImageInformation, 468 | MemoryBasicInformationCapped 469 | } MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; 470 | 471 | typedef enum _MEMORY_RESERVE_TYPE 472 | { 473 | MemoryReserveUserApc, 474 | MemoryReserveIoCompletion, 475 | MemoryReserveTypeMax 476 | } MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; 477 | 478 | typedef enum _ALPC_PORT_INFORMATION_CLASS 479 | { 480 | AlpcBasicInformation, 481 | AlpcPortInformation, 482 | AlpcAssociateCompletionPortInformation, 483 | AlpcConnectedSIDInformation, 484 | AlpcServerInformation, 485 | AlpcMessageZoneInformation, 486 | AlpcRegisterCompletionListInformation, 487 | AlpcUnregisterCompletionListInformation, 488 | AlpcAdjustCompletionListConcurrencyCountInformation, 489 | AlpcRegisterCallbackInformation, 490 | AlpcCompletionListRundownInformation 491 | } ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; 492 | 493 | typedef struct _ALPC_CONTEXT_ATTR 494 | { 495 | PVOID PortContext; 496 | PVOID MessageContext; 497 | ULONG SequenceNumber; 498 | ULONG MessageID; 499 | ULONG CallbackID; 500 | } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; 501 | 502 | typedef struct _ALPC_DATA_VIEW_ATTR 503 | { 504 | ULONG Flags; 505 | HANDLE SectionHandle; 506 | PVOID ViewBase; 507 | SIZE_T ViewSize; 508 | } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; 509 | 510 | typedef struct _ALPC_SECURITY_ATTR 511 | { 512 | ULONG Flags; 513 | PSECURITY_QUALITY_OF_SERVICE SecurityQos; 514 | HANDLE ContextHandle; 515 | ULONG Reserved1; 516 | ULONG Reserved2; 517 | } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; 518 | 519 | typedef PVOID* PPVOID; 520 | 521 | typedef enum _KPROFILE_SOURCE 522 | { 523 | ProfileTime = 0, 524 | ProfileAlignmentFixup = 1, 525 | ProfileTotalIssues = 2, 526 | ProfilePipelineDry = 3, 527 | ProfileLoadInstructions = 4, 528 | ProfilePipelineFrozen = 5, 529 | ProfileBranchInstructions = 6, 530 | ProfileTotalNonissues = 7, 531 | ProfileDcacheMisses = 8, 532 | ProfileIcacheMisses = 9, 533 | ProfileCacheMisses = 10, 534 | ProfileBranchMispredictions = 11, 535 | ProfileStoreInstructions = 12, 536 | ProfileFpInstructions = 13, 537 | ProfileIntegerInstructions = 14, 538 | Profile2Issue = 15, 539 | Profile3Issue = 16, 540 | Profile4Issue = 17, 541 | ProfileSpecialInstructions = 18, 542 | ProfileTotalCycles = 19, 543 | ProfileIcacheIssues = 20, 544 | ProfileDcacheAccesses = 21, 545 | ProfileMemoryBarrierCycles = 22, 546 | ProfileLoadLinkedIssues = 23, 547 | ProfileMaximum = 24, 548 | } KPROFILE_SOURCE, *PKPROFILE_SOURCE; 549 | 550 | typedef enum _ALPC_MESSAGE_INFORMATION_CLASS 551 | { 552 | AlpcMessageSidInformation, 553 | AlpcMessageTokenModifiedIdInformation 554 | } ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; 555 | 556 | typedef enum _WORKERFACTORYINFOCLASS 557 | { 558 | WorkerFactoryTimeout, 559 | WorkerFactoryRetryTimeout, 560 | WorkerFactoryIdleTimeout, 561 | WorkerFactoryBindingCount, 562 | WorkerFactoryThreadMinimum, 563 | WorkerFactoryThreadMaximum, 564 | WorkerFactoryPaused, 565 | WorkerFactoryBasicInformation, 566 | WorkerFactoryAdjustThreadGoal, 567 | WorkerFactoryCallbackType, 568 | WorkerFactoryStackInformation, 569 | MaxWorkerFactoryInfoClass 570 | } WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; 571 | 572 | typedef enum _MEMORY_PARTITION_INFORMATION_CLASS 573 | { 574 | SystemMemoryPartitionInformation, 575 | SystemMemoryPartitionMoveMemory, 576 | SystemMemoryPartitionAddPagefile, 577 | SystemMemoryPartitionCombineMemory, 578 | SystemMemoryPartitionInitialAddMemory, 579 | SystemMemoryPartitionGetMemoryEvents, 580 | SystemMemoryPartitionMax 581 | } MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; 582 | 583 | typedef enum _MUTANT_INFORMATION_CLASS 584 | { 585 | MutantBasicInformation, 586 | MutantOwnerInformation 587 | } MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; 588 | 589 | typedef enum _ATOM_INFORMATION_CLASS 590 | { 591 | AtomBasicInformation, 592 | AtomTableInformation 593 | } ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; 594 | 595 | typedef enum _SHUTDOWN_ACTION { 596 | ShutdownNoReboot, 597 | ShutdownReboot, 598 | ShutdownPowerOff 599 | } SHUTDOWN_ACTION; 600 | 601 | typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( 602 | IN PVOID TimerContext, 603 | IN ULONG TimerLowValue, 604 | IN LONG TimerHighValue); 605 | 606 | typedef enum _KEY_VALUE_INFORMATION_CLASS { 607 | KeyValueBasicInformation = 0, 608 | KeyValueFullInformation, 609 | KeyValuePartialInformation, 610 | KeyValueFullInformationAlign64, 611 | KeyValuePartialInformationAlign64, 612 | MaxKeyValueInfoClass 613 | } KEY_VALUE_INFORMATION_CLASS; 614 | 615 | typedef LANGID* PLANGID; 616 | 617 | typedef struct _PLUGPLAY_EVENT_BLOCK 618 | { 619 | GUID EventGuid; 620 | PLUGPLAY_EVENT_CATEGORY EventCategory; 621 | PULONG Result; 622 | ULONG Flags; 623 | ULONG TotalSize; 624 | PVOID DeviceObject; 625 | 626 | union 627 | { 628 | struct 629 | { 630 | GUID ClassGuid; 631 | WCHAR SymbolicLinkName[1]; 632 | } DeviceClass; 633 | struct 634 | { 635 | WCHAR DeviceIds[1]; 636 | } TargetDevice; 637 | struct 638 | { 639 | WCHAR DeviceId[1]; 640 | } InstallDevice; 641 | struct 642 | { 643 | PVOID NotificationStructure; 644 | WCHAR DeviceIds[1]; 645 | } CustomNotification; 646 | struct 647 | { 648 | PVOID Notification; 649 | } ProfileNotification; 650 | struct 651 | { 652 | ULONG NotificationCode; 653 | ULONG NotificationData; 654 | } PowerNotification; 655 | struct 656 | { 657 | PNP_VETO_TYPE VetoType; 658 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 659 | } VetoNotification; 660 | struct 661 | { 662 | GUID BlockedDriverGuid; 663 | } BlockedDriverNotification; 664 | struct 665 | { 666 | WCHAR ParentId[1]; 667 | } InvalidIDNotification; 668 | } u; 669 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 670 | 671 | typedef VOID(NTAPI* PIO_APC_ROUTINE) ( 672 | IN PVOID ApcContext, 673 | IN PIO_STATUS_BLOCK IoStatusBlock, 674 | IN ULONG Reserved); 675 | 676 | typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; 677 | 678 | typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS 679 | { 680 | DirectoryNotifyInformation = 1, 681 | DirectoryNotifyExtendedInformation = 2, 682 | } DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; 683 | 684 | typedef enum _EVENT_INFORMATION_CLASS 685 | { 686 | EventBasicInformation 687 | } EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; 688 | 689 | typedef struct _ALPC_MESSAGE_ATTRIBUTES 690 | { 691 | unsigned long AllocatedAttributes; 692 | unsigned long ValidAttributes; 693 | } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; 694 | 695 | typedef struct _ALPC_PORT_ATTRIBUTES 696 | { 697 | ULONG Flags; 698 | SECURITY_QUALITY_OF_SERVICE SecurityQos; 699 | SIZE_T MaxMessageLength; 700 | SIZE_T MemoryBandwidth; 701 | SIZE_T MaxPoolUsage; 702 | SIZE_T MaxSectionSize; 703 | SIZE_T MaxViewSize; 704 | SIZE_T MaxTotalSectionSize; 705 | ULONG DupObjectTypes; 706 | #ifdef _WIN64 707 | ULONG Reserved; 708 | #endif 709 | } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; 710 | 711 | typedef enum _IO_SESSION_STATE 712 | { 713 | IoSessionStateCreated = 1, 714 | IoSessionStateInitialized = 2, 715 | IoSessionStateConnected = 3, 716 | IoSessionStateDisconnected = 4, 717 | IoSessionStateDisconnectedLoggedOn = 5, 718 | IoSessionStateLoggedOn = 6, 719 | IoSessionStateLoggedOff = 7, 720 | IoSessionStateTerminated = 8, 721 | IoSessionStateMax = 9, 722 | } IO_SESSION_STATE, *PIO_SESSION_STATE; 723 | 724 | typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; 725 | 726 | typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; 727 | 728 | typedef struct _WNF_DELIVERY_DESCRIPTOR 729 | { 730 | unsigned __int64 SubscriptionId; 731 | WNF_STATE_NAME StateName; 732 | unsigned long ChangeStamp; 733 | unsigned long StateDataSize; 734 | unsigned long EventMask; 735 | WNF_TYPE_ID TypeId; 736 | unsigned long StateDataOffset; 737 | } WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; 738 | 739 | typedef enum _DEBUG_CONTROL_CODE 740 | { 741 | SysDbgQueryModuleInformation = 0, 742 | SysDbgQueryTraceInformation = 1, 743 | SysDbgSetTracePoint = 2, 744 | SysDbgSetSpecialCall = 3, 745 | SysDbgClearSpecialCalls = 4, 746 | SysDbgQuerySpecialCalls = 5, 747 | SysDbgBreakPoint = 6, 748 | SysDbgQueryVersion = 7, 749 | SysDbgReadVirtual = 8, 750 | SysDbgWriteVirtual = 9, 751 | SysDbgReadPhysical = 10, 752 | SysDbgWritePhysical = 11, 753 | SysDbgReadControlSpace = 12, 754 | SysDbgWriteControlSpace = 13, 755 | SysDbgReadIoSpace = 14, 756 | SysDbgWriteIoSpace = 15, 757 | SysDbgReadMsr = 16, 758 | SysDbgWriteMsr = 17, 759 | SysDbgReadBusData = 18, 760 | SysDbgWriteBusData = 19, 761 | SysDbgCheckLowMemory = 20, 762 | SysDbgEnableKernelDebugger = 21, 763 | SysDbgDisableKernelDebugger = 22, 764 | SysDbgGetAutoKdEnable = 23, 765 | SysDbgSetAutoKdEnable = 24, 766 | SysDbgGetPrintBufferSize = 25, 767 | SysDbgSetPrintBufferSize = 26, 768 | SysDbgGetKdUmExceptionEnable = 27, 769 | SysDbgSetKdUmExceptionEnable = 28, 770 | SysDbgGetTriageDump = 29, 771 | SysDbgGetKdBlockEnable = 30, 772 | SysDbgSetKdBlockEnable = 31 773 | } DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; 774 | 775 | typedef struct _PORT_MESSAGE 776 | { 777 | union 778 | { 779 | union 780 | { 781 | struct 782 | { 783 | short DataLength; 784 | short TotalLength; 785 | } s1; 786 | unsigned long Length; 787 | }; 788 | } u1; 789 | union 790 | { 791 | union 792 | { 793 | struct 794 | { 795 | short Type; 796 | short DataInfoOffset; 797 | } s2; 798 | unsigned long ZeroInit; 799 | }; 800 | } u2; 801 | union 802 | { 803 | CLIENT_ID ClientId; 804 | double DoNotUseThisField; 805 | }; 806 | unsigned long MessageId; 807 | union 808 | { 809 | unsigned __int64 ClientViewSize; 810 | struct 811 | { 812 | unsigned long CallbackId; 813 | long __PADDING__[1]; 814 | }; 815 | }; 816 | } PORT_MESSAGE, *PPORT_MESSAGE; 817 | 818 | typedef struct FILE_BASIC_INFORMATION 819 | { 820 | LARGE_INTEGER CreationTime; 821 | LARGE_INTEGER LastAccessTime; 822 | LARGE_INTEGER LastWriteTime; 823 | LARGE_INTEGER ChangeTime; 824 | ULONG FileAttributes; 825 | } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; 826 | 827 | typedef struct _PORT_SECTION_READ 828 | { 829 | ULONG Length; 830 | ULONG ViewSize; 831 | ULONG ViewBase; 832 | } PORT_SECTION_READ, *PPORT_SECTION_READ; 833 | 834 | typedef struct _PORT_SECTION_WRITE 835 | { 836 | ULONG Length; 837 | HANDLE SectionHandle; 838 | ULONG SectionOffset; 839 | ULONG ViewSize; 840 | PVOID ViewBase; 841 | PVOID TargetViewBase; 842 | } PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; 843 | 844 | typedef enum _TIMER_TYPE 845 | { 846 | NotificationTimer, 847 | SynchronizationTimer 848 | } TIMER_TYPE, *PTIMER_TYPE; 849 | 850 | typedef struct _BOOT_ENTRY 851 | { 852 | ULONG Version; 853 | ULONG Length; 854 | ULONG Id; 855 | ULONG Attributes; 856 | ULONG FriendlyNameOffset; 857 | ULONG BootFilePathOffset; 858 | ULONG OsOptionsLength; 859 | UCHAR OsOptions[ANYSIZE_ARRAY]; 860 | } BOOT_ENTRY, *PBOOT_ENTRY; 861 | 862 | typedef struct _EFI_DRIVER_ENTRY 863 | { 864 | ULONG Version; 865 | ULONG Length; 866 | ULONG Id; 867 | ULONG Attributes; 868 | ULONG FriendlyNameOffset; 869 | ULONG DriverFilePathOffset; 870 | } EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; 871 | 872 | typedef USHORT RTL_ATOM, *PRTL_ATOM; 873 | 874 | typedef enum _TIMER_SET_INFORMATION_CLASS 875 | { 876 | TimerSetCoalescableTimer, 877 | MaxTimerInfoClass 878 | } TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; 879 | 880 | typedef enum _FSINFOCLASS 881 | { 882 | FileFsVolumeInformation = 1, 883 | FileFsLabelInformation = 2, 884 | FileFsSizeInformation = 3, 885 | FileFsDeviceInformation = 4, 886 | FileFsAttributeInformation = 5, 887 | FileFsControlInformation = 6, 888 | FileFsFullSizeInformation = 7, 889 | FileFsObjectIdInformation = 8, 890 | FileFsDriverPathInformation = 9, 891 | FileFsVolumeFlagsInformation = 10, 892 | FileFsSectorSizeInformation = 11, 893 | FileFsDataCopyInformation = 12, 894 | FileFsMetadataSizeInformation = 13, 895 | FileFsFullSizeInformationEx = 14, 896 | FileFsMaximumInformation = 15, 897 | } FSINFOCLASS, *PFSINFOCLASS; 898 | 899 | typedef enum _WAIT_TYPE 900 | { 901 | WaitAll = 0, 902 | WaitAny = 1 903 | } WAIT_TYPE, *PWAIT_TYPE; 904 | 905 | typedef struct _USER_STACK 906 | { 907 | PVOID FixedStackBase; 908 | PVOID FixedStackLimit; 909 | PVOID ExpandableStackBase; 910 | PVOID ExpandableStackLimit; 911 | PVOID ExpandableStackBottom; 912 | } USER_STACK, *PUSER_STACK; 913 | 914 | typedef enum _SECTION_INFORMATION_CLASS 915 | { 916 | SectionBasicInformation, 917 | SectionImageInformation, 918 | } SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; 919 | 920 | typedef enum _APPHELPCACHESERVICECLASS 921 | { 922 | ApphelpCacheServiceLookup = 0, 923 | ApphelpCacheServiceRemove = 1, 924 | ApphelpCacheServiceUpdate = 2, 925 | ApphelpCacheServiceFlush = 3, 926 | ApphelpCacheServiceDump = 4, 927 | ApphelpDBGReadRegistry = 0x100, 928 | ApphelpDBGWriteRegistry = 0x101, 929 | } APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; 930 | 931 | typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION 932 | { 933 | USHORT Version; 934 | USHORT Reserved; 935 | ULONG AttributeCount; 936 | union 937 | { 938 | PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; 939 | } Attribute; 940 | } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; 941 | 942 | typedef struct _FILE_IO_COMPLETION_INFORMATION 943 | { 944 | PVOID KeyContext; 945 | PVOID ApcContext; 946 | IO_STATUS_BLOCK IoStatusBlock; 947 | } FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; 948 | 949 | typedef PVOID PT2_CANCEL_PARAMETERS; 950 | 951 | typedef enum _THREADINFOCLASS 952 | { 953 | ThreadBasicInformation, 954 | ThreadTimes, 955 | ThreadPriority, 956 | ThreadBasePriority, 957 | ThreadAffinityMask, 958 | ThreadImpersonationToken, 959 | ThreadDescriptorTableEntry, 960 | ThreadEnableAlignmentFaultFixup, 961 | ThreadEventPair_Reusable, 962 | ThreadQuerySetWin32StartAddress, 963 | ThreadZeroTlsCell, 964 | ThreadPerformanceCount, 965 | ThreadAmILastThread, 966 | ThreadIdealProcessor, 967 | ThreadPriorityBoost, 968 | ThreadSetTlsArrayAddress, 969 | ThreadIsIoPending, 970 | ThreadHideFromDebugger, 971 | ThreadBreakOnTermination, 972 | MaxThreadInfoClass 973 | } THREADINFOCLASS, *PTHREADINFOCLASS; 974 | 975 | typedef enum _OBJECT_INFORMATION_CLASS 976 | { 977 | ObjectBasicInformation, 978 | ObjectNameInformation, 979 | ObjectTypeInformation, 980 | ObjectAllTypesInformation, 981 | ObjectHandleInformation 982 | } OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; 983 | 984 | typedef enum _FILE_INFORMATION_CLASS 985 | { 986 | FileDirectoryInformation = 1, 987 | FileFullDirectoryInformation = 2, 988 | FileBothDirectoryInformation = 3, 989 | FileBasicInformation = 4, 990 | FileStandardInformation = 5, 991 | FileInternalInformation = 6, 992 | FileEaInformation = 7, 993 | FileAccessInformation = 8, 994 | FileNameInformation = 9, 995 | FileRenameInformation = 10, 996 | FileLinkInformation = 11, 997 | FileNamesInformation = 12, 998 | FileDispositionInformation = 13, 999 | FilePositionInformation = 14, 1000 | FileFullEaInformation = 15, 1001 | FileModeInformation = 16, 1002 | FileAlignmentInformation = 17, 1003 | FileAllInformation = 18, 1004 | FileAllocationInformation = 19, 1005 | FileEndOfFileInformation = 20, 1006 | FileAlternateNameInformation = 21, 1007 | FileStreamInformation = 22, 1008 | FilePipeInformation = 23, 1009 | FilePipeLocalInformation = 24, 1010 | FilePipeRemoteInformation = 25, 1011 | FileMailslotQueryInformation = 26, 1012 | FileMailslotSetInformation = 27, 1013 | FileCompressionInformation = 28, 1014 | FileObjectIdInformation = 29, 1015 | FileCompletionInformation = 30, 1016 | FileMoveClusterInformation = 31, 1017 | FileQuotaInformation = 32, 1018 | FileReparsePointInformation = 33, 1019 | FileNetworkOpenInformation = 34, 1020 | FileAttributeTagInformation = 35, 1021 | FileTrackingInformation = 36, 1022 | FileIdBothDirectoryInformation = 37, 1023 | FileIdFullDirectoryInformation = 38, 1024 | FileValidDataLengthInformation = 39, 1025 | FileShortNameInformation = 40, 1026 | FileIoCompletionNotificationInformation = 41, 1027 | FileIoStatusBlockRangeInformation = 42, 1028 | FileIoPriorityHintInformation = 43, 1029 | FileSfioReserveInformation = 44, 1030 | FileSfioVolumeInformation = 45, 1031 | FileHardLinkInformation = 46, 1032 | FileProcessIdsUsingFileInformation = 47, 1033 | FileNormalizedNameInformation = 48, 1034 | FileNetworkPhysicalNameInformation = 49, 1035 | FileIdGlobalTxDirectoryInformation = 50, 1036 | FileIsRemoteDeviceInformation = 51, 1037 | FileUnusedInformation = 52, 1038 | FileNumaNodeInformation = 53, 1039 | FileStandardLinkInformation = 54, 1040 | FileRemoteProtocolInformation = 55, 1041 | FileRenameInformationBypassAccessCheck = 56, 1042 | FileLinkInformationBypassAccessCheck = 57, 1043 | FileVolumeNameInformation = 58, 1044 | FileIdInformation = 59, 1045 | FileIdExtdDirectoryInformation = 60, 1046 | FileReplaceCompletionInformation = 61, 1047 | FileHardLinkFullIdInformation = 62, 1048 | FileIdExtdBothDirectoryInformation = 63, 1049 | FileDispositionInformationEx = 64, 1050 | FileRenameInformationEx = 65, 1051 | FileRenameInformationExBypassAccessCheck = 66, 1052 | FileMaximumInformation = 67, 1053 | } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; 1054 | 1055 | typedef enum _KEY_INFORMATION_CLASS 1056 | { 1057 | KeyBasicInformation = 0, 1058 | KeyNodeInformation = 1, 1059 | KeyFullInformation = 2, 1060 | KeyNameInformation = 3, 1061 | KeyCachedInformation = 4, 1062 | KeyFlagsInformation = 5, 1063 | KeyVirtualizationInformation = 6, 1064 | KeyHandleTagsInformation = 7, 1065 | MaxKeyInfoClass = 8 1066 | } KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; 1067 | 1068 | typedef struct _OBJECT_ATTRIBUTES 1069 | { 1070 | ULONG Length; 1071 | HANDLE RootDirectory; 1072 | PUNICODE_STRING ObjectName; 1073 | ULONG Attributes; 1074 | PVOID SecurityDescriptor; 1075 | PVOID SecurityQualityOfService; 1076 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 1077 | 1078 | typedef enum _TIMER_INFORMATION_CLASS 1079 | { 1080 | TimerBasicInformation 1081 | } TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; 1082 | 1083 | EXTERN_C NTSTATUS NtCompareObjects( 1084 | IN HANDLE FirstObjectHandle, 1085 | IN HANDLE SecondObjectHandle); 1086 | 1087 | EXTERN_C NTSTATUS NtAllocateUuids( 1088 | OUT PLARGE_INTEGER Time, 1089 | OUT PULONG Range, 1090 | OUT PULONG Sequence, 1091 | OUT PUCHAR Seed); 1092 | 1093 | EXTERN_C NTSTATUS NtFlushBuffersFileEx( 1094 | IN HANDLE FileHandle, 1095 | IN ULONG Flags, 1096 | IN PVOID Parameters, 1097 | IN ULONG ParametersSize, 1098 | OUT PIO_STATUS_BLOCK IoStatusBlock); 1099 | 1100 | EXTERN_C NTSTATUS NtQueryInformationEnlistment( 1101 | IN HANDLE EnlistmentHandle, 1102 | IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 1103 | OUT PVOID EnlistmentInformation, 1104 | IN ULONG EnlistmentInformationLength, 1105 | OUT PULONG ReturnLength OPTIONAL); 1106 | 1107 | EXTERN_C NTSTATUS NtRemoveIoCompletion( 1108 | IN HANDLE IoCompletionHandle, 1109 | OUT PULONG KeyContext, 1110 | OUT PULONG ApcContext, 1111 | OUT PIO_STATUS_BLOCK IoStatusBlock, 1112 | IN PLARGE_INTEGER Timeout OPTIONAL); 1113 | 1114 | EXTERN_C NTSTATUS NtCreateLowBoxToken( 1115 | OUT PHANDLE TokenHandle, 1116 | IN HANDLE ExistingTokenHandle, 1117 | IN ACCESS_MASK DesiredAccess, 1118 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1119 | IN PSID PackageSid, 1120 | IN ULONG CapabilityCount, 1121 | IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, 1122 | IN ULONG HandleCount, 1123 | IN HANDLE Handles OPTIONAL); 1124 | 1125 | EXTERN_C NTSTATUS NtQueryAuxiliaryCounterFrequency( 1126 | OUT PULONGLONG lpAuxiliaryCounterFrequency); 1127 | 1128 | EXTERN_C NTSTATUS NtContinue( 1129 | IN PCONTEXT ContextRecord, 1130 | IN BOOLEAN TestAlert); 1131 | 1132 | EXTERN_C NTSTATUS NtUnloadKey( 1133 | IN POBJECT_ATTRIBUTES DestinationKeyName); 1134 | 1135 | EXTERN_C NTSTATUS NtCompressKey( 1136 | IN HANDLE Key); 1137 | 1138 | EXTERN_C NTSTATUS NtWaitForMultipleObjects32( 1139 | IN ULONG ObjectCount, 1140 | IN PHANDLE Handles, 1141 | IN WAIT_TYPE WaitType, 1142 | IN BOOLEAN Alertable, 1143 | IN PLARGE_INTEGER Timeout OPTIONAL); 1144 | 1145 | EXTERN_C NTSTATUS NtPropagationComplete( 1146 | IN HANDLE ResourceManagerHandle, 1147 | IN ULONG RequestCookie, 1148 | IN ULONG BufferLength, 1149 | IN PVOID Buffer); 1150 | 1151 | EXTERN_C NTSTATUS NtQueryInformationWorkerFactory( 1152 | IN HANDLE WorkerFactoryHandle, 1153 | IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, 1154 | OUT PVOID WorkerFactoryInformation, 1155 | IN ULONG WorkerFactoryInformationLength, 1156 | OUT PULONG ReturnLength OPTIONAL); 1157 | 1158 | EXTERN_C NTSTATUS NtQueryIntervalProfile( 1159 | IN KPROFILE_SOURCE ProfileSource, 1160 | OUT PULONG Interval); 1161 | 1162 | EXTERN_C NTSTATUS NtAccessCheckByType( 1163 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 1164 | IN PSID PrincipalSelfSid OPTIONAL, 1165 | IN HANDLE ClientToken, 1166 | IN ULONG DesiredAccess, 1167 | IN POBJECT_TYPE_LIST ObjectTypeList, 1168 | IN ULONG ObjectTypeListLength, 1169 | IN PGENERIC_MAPPING GenericMapping, 1170 | OUT PPRIVILEGE_SET PrivilegeSet, 1171 | IN OUT PULONG PrivilegeSetLength, 1172 | OUT PACCESS_MASK GrantedAccess, 1173 | OUT PULONG AccessStatus); 1174 | 1175 | EXTERN_C NTSTATUS NtOpenEvent( 1176 | OUT PHANDLE EventHandle, 1177 | IN ACCESS_MASK DesiredAccess, 1178 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1179 | 1180 | EXTERN_C NTSTATUS NtQueryTimerResolution( 1181 | OUT PULONG MaximumTime, 1182 | OUT PULONG MinimumTime, 1183 | OUT PULONG CurrentTime); 1184 | 1185 | EXTERN_C NTSTATUS NtFreezeRegistry( 1186 | IN ULONG TimeOutInSeconds); 1187 | 1188 | EXTERN_C NTSTATUS NtDuplicateToken( 1189 | IN HANDLE ExistingTokenHandle, 1190 | IN ACCESS_MASK DesiredAccess, 1191 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1192 | IN BOOLEAN EffectiveOnly, 1193 | IN TOKEN_TYPE TokenType, 1194 | OUT PHANDLE NewTokenHandle); 1195 | 1196 | EXTERN_C NTSTATUS NtQueryInformationJobObject( 1197 | IN HANDLE JobHandle, 1198 | IN JOBOBJECTINFOCLASS JobObjectInformationClass, 1199 | OUT PVOID JobObjectInformation, 1200 | IN ULONG JobObjectInformationLength, 1201 | OUT PULONG ReturnLength OPTIONAL); 1202 | 1203 | EXTERN_C NTSTATUS NtUnloadKey2( 1204 | IN POBJECT_ATTRIBUTES TargetKey, 1205 | IN ULONG Flags); 1206 | 1207 | EXTERN_C NTSTATUS NtTerminateJobObject( 1208 | IN HANDLE JobHandle, 1209 | IN NTSTATUS ExitStatus); 1210 | 1211 | EXTERN_C NTSTATUS NtRequestWaitReplyPort( 1212 | IN HANDLE PortHandle, 1213 | IN PPORT_MESSAGE RequestMessage, 1214 | OUT PPORT_MESSAGE ReplyMessage); 1215 | 1216 | EXTERN_C NTSTATUS NtThawTransactions(); 1217 | 1218 | EXTERN_C NTSTATUS NtListenPort( 1219 | IN HANDLE PortHandle, 1220 | OUT PPORT_MESSAGE ConnectionRequest); 1221 | 1222 | EXTERN_C NTSTATUS NtOpenKeyedEvent( 1223 | OUT PHANDLE KeyedEventHandle, 1224 | IN ACCESS_MASK DesiredAccess, 1225 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1226 | 1227 | EXTERN_C NTSTATUS NtModifyBootEntry( 1228 | IN PBOOT_ENTRY BootEntry); 1229 | 1230 | EXTERN_C NTSTATUS NtCreateSymbolicLinkObject( 1231 | OUT PHANDLE LinkHandle, 1232 | IN ACCESS_MASK DesiredAccess, 1233 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1234 | IN PUNICODE_STRING LinkTarget); 1235 | 1236 | EXTERN_C NTSTATUS NtEnumerateKey( 1237 | IN HANDLE KeyHandle, 1238 | IN ULONG Index, 1239 | IN KEY_INFORMATION_CLASS KeyInformationClass, 1240 | OUT PVOID KeyInformation OPTIONAL, 1241 | IN ULONG Length, 1242 | OUT PULONG ResultLength); 1243 | 1244 | EXTERN_C NTSTATUS NtGetCurrentProcessorNumber(); 1245 | 1246 | EXTERN_C NTSTATUS NtWaitForKeyedEvent( 1247 | IN HANDLE KeyedEventHandle, 1248 | IN PVOID Key, 1249 | IN BOOLEAN Alertable, 1250 | IN PLARGE_INTEGER Timeout OPTIONAL); 1251 | 1252 | EXTERN_C NTSTATUS NtSetInformationTransactionManager( 1253 | IN HANDLE TransactionHandle, 1254 | IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 1255 | IN PVOID TransactionInformation, 1256 | IN ULONG TransactionInformationLength); 1257 | 1258 | EXTERN_C NTSTATUS NtSetThreadExecutionState( 1259 | IN EXECUTION_STATE ExecutionState, 1260 | OUT PEXECUTION_STATE PreviousExecutionState); 1261 | 1262 | EXTERN_C NTSTATUS NtOpenMutant( 1263 | OUT PHANDLE MutantHandle, 1264 | IN ACCESS_MASK DesiredAccess, 1265 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1266 | 1267 | EXTERN_C NTSTATUS NtVdmControl( 1268 | IN VDMSERVICECLASS Service, 1269 | IN OUT PVOID ServiceData); 1270 | 1271 | EXTERN_C NTSTATUS NtPrePrepareComplete( 1272 | IN HANDLE EnlistmentHandle, 1273 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 1274 | 1275 | EXTERN_C NTSTATUS NtAreMappedFilesTheSame( 1276 | IN PVOID File1MappedAsAnImage, 1277 | IN PVOID File2MappedAsFile); 1278 | 1279 | EXTERN_C NTSTATUS NtSetHighWaitLowEventPair( 1280 | IN HANDLE EventPairHandle); 1281 | 1282 | EXTERN_C NTSTATUS NtSetEventBoostPriority( 1283 | IN HANDLE EventHandle); 1284 | 1285 | EXTERN_C NTSTATUS NtQueryBootOptions( 1286 | OUT PBOOT_OPTIONS BootOptions OPTIONAL, 1287 | IN OUT PULONG BootOptionsLength); 1288 | 1289 | EXTERN_C NTSTATUS NtAlpcOpenSenderProcess( 1290 | OUT PHANDLE ProcessHandle, 1291 | IN HANDLE PortHandle, 1292 | IN PPORT_MESSAGE PortMessage, 1293 | IN ULONG Flags, 1294 | IN ACCESS_MASK DesiredAccess, 1295 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1296 | 1297 | EXTERN_C NTSTATUS NtSetDefaultHardErrorPort( 1298 | IN HANDLE PortHandle); 1299 | 1300 | EXTERN_C NTSTATUS NtLoadDriver( 1301 | IN PUNICODE_STRING DriverServiceName); 1302 | 1303 | EXTERN_C NTSTATUS NtTerminateEnclave( 1304 | IN PVOID BaseAddress, 1305 | IN BOOLEAN WaitForThread); 1306 | 1307 | EXTERN_C NTSTATUS NtOpenEnlistment( 1308 | OUT PHANDLE EnlistmentHandle, 1309 | IN ACCESS_MASK DesiredAccess, 1310 | IN HANDLE ResourceManagerHandle, 1311 | IN LPGUID EnlistmentGuid, 1312 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); 1313 | 1314 | EXTERN_C NTSTATUS NtWriteRequestData( 1315 | IN HANDLE PortHandle, 1316 | IN PPORT_MESSAGE Request, 1317 | IN ULONG DataIndex, 1318 | IN PVOID Buffer, 1319 | IN ULONG Length, 1320 | OUT PULONG ResultLength OPTIONAL); 1321 | 1322 | EXTERN_C NTSTATUS NtGetNextThread( 1323 | IN HANDLE ProcessHandle, 1324 | IN HANDLE ThreadHandle, 1325 | IN ACCESS_MASK DesiredAccess, 1326 | IN ULONG HandleAttributes, 1327 | IN ULONG Flags, 1328 | OUT PHANDLE NewThreadHandle); 1329 | 1330 | EXTERN_C NTSTATUS NtCancelTimer( 1331 | IN HANDLE TimerHandle, 1332 | OUT PBOOLEAN CurrentState OPTIONAL); 1333 | 1334 | EXTERN_C NTSTATUS NtCreateCrossVmEvent(); 1335 | 1336 | EXTERN_C NTSTATUS NtModifyDriverEntry( 1337 | IN PEFI_DRIVER_ENTRY DriverEntry); 1338 | 1339 | EXTERN_C NTSTATUS NtRollbackComplete( 1340 | IN HANDLE EnlistmentHandle, 1341 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 1342 | 1343 | EXTERN_C NTSTATUS NtQueryValueKey( 1344 | IN HANDLE KeyHandle, 1345 | IN PUNICODE_STRING ValueName, 1346 | IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 1347 | OUT PVOID KeyValueInformation OPTIONAL, 1348 | IN ULONG Length, 1349 | OUT PULONG ResultLength); 1350 | 1351 | EXTERN_C NTSTATUS NtSetInformationWorkerFactory( 1352 | IN HANDLE WorkerFactoryHandle, 1353 | IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, 1354 | IN PVOID WorkerFactoryInformation, 1355 | IN ULONG WorkerFactoryInformationLength); 1356 | 1357 | EXTERN_C NTSTATUS NtFreezeTransactions( 1358 | IN PLARGE_INTEGER FreezeTimeout, 1359 | IN PLARGE_INTEGER ThawTimeout); 1360 | 1361 | EXTERN_C NTSTATUS NtDeleteObjectAuditAlarm( 1362 | IN PUNICODE_STRING SubsystemName, 1363 | IN PVOID HandleId OPTIONAL, 1364 | IN BOOLEAN GenerateOnClose); 1365 | 1366 | EXTERN_C NTSTATUS NtQueryPortInformationProcess(); 1367 | 1368 | EXTERN_C NTSTATUS NtDeleteFile( 1369 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1370 | 1371 | EXTERN_C NTSTATUS NtCreateNamedPipeFile( 1372 | OUT PHANDLE FileHandle, 1373 | IN ACCESS_MASK DesiredAccess, 1374 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1375 | OUT PIO_STATUS_BLOCK IoStatusBlock, 1376 | IN ULONG ShareAccess, 1377 | IN ULONG CreateDisposition, 1378 | IN ULONG CreateOptions, 1379 | IN BOOLEAN NamedPipeType, 1380 | IN BOOLEAN ReadMode, 1381 | IN BOOLEAN CompletionMode, 1382 | IN ULONG MaximumInstances, 1383 | IN ULONG InboundQuota, 1384 | IN ULONG OutboundQuota, 1385 | IN PLARGE_INTEGER DefaultTimeout OPTIONAL); 1386 | 1387 | EXTERN_C NTSTATUS NtAcceptConnectPort( 1388 | OUT PHANDLE ServerPortHandle, 1389 | IN ULONG AlternativeReceivePortHandle OPTIONAL, 1390 | IN PPORT_MESSAGE ConnectionReply, 1391 | IN BOOLEAN AcceptConnection, 1392 | IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, 1393 | OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); 1394 | 1395 | EXTERN_C NTSTATUS NtDeleteValueKey( 1396 | IN HANDLE KeyHandle, 1397 | IN PUNICODE_STRING ValueName); 1398 | 1399 | EXTERN_C NTSTATUS NtOpenIoCompletion( 1400 | OUT PHANDLE IoCompletionHandle, 1401 | IN ACCESS_MASK DesiredAccess, 1402 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1403 | 1404 | EXTERN_C NTSTATUS NtReplyPort( 1405 | IN HANDLE PortHandle, 1406 | IN PPORT_MESSAGE ReplyMessage); 1407 | 1408 | EXTERN_C NTSTATUS NtSetDefaultUILanguage( 1409 | IN LANGID DefaultUILanguageId); 1410 | 1411 | EXTERN_C NTSTATUS NtWaitForMultipleObjects( 1412 | IN ULONG Count, 1413 | IN PHANDLE Handles, 1414 | IN WAIT_TYPE WaitType, 1415 | IN BOOLEAN Alertable, 1416 | IN PLARGE_INTEGER Timeout OPTIONAL); 1417 | 1418 | EXTERN_C NTSTATUS NtQueryMultipleValueKey( 1419 | IN HANDLE KeyHandle, 1420 | IN OUT PKEY_VALUE_ENTRY ValueEntries, 1421 | IN ULONG EntryCount, 1422 | OUT PVOID ValueBuffer, 1423 | IN PULONG BufferLength, 1424 | OUT PULONG RequiredBufferLength OPTIONAL); 1425 | 1426 | EXTERN_C NTSTATUS NtCommitRegistryTransaction( 1427 | IN HANDLE RegistryHandle, 1428 | IN BOOL Wait); 1429 | 1430 | EXTERN_C NTSTATUS NtCreateWorkerFactory( 1431 | OUT PHANDLE WorkerFactoryHandleReturn, 1432 | IN ACCESS_MASK DesiredAccess, 1433 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1434 | IN HANDLE CompletionPortHandle, 1435 | IN HANDLE WorkerProcessHandle, 1436 | IN PVOID StartRoutine, 1437 | IN PVOID StartParameter OPTIONAL, 1438 | IN ULONG MaxThreadCount OPTIONAL, 1439 | IN SIZE_T StackReserve OPTIONAL, 1440 | IN SIZE_T StackCommit OPTIONAL); 1441 | 1442 | EXTERN_C NTSTATUS NtCancelDeviceWakeupRequest( 1443 | IN HANDLE DeviceHandle); 1444 | 1445 | EXTERN_C NTSTATUS NtPrivilegeObjectAuditAlarm( 1446 | IN PUNICODE_STRING SubsystemName, 1447 | IN PVOID HandleId OPTIONAL, 1448 | IN HANDLE ClientToken, 1449 | IN ACCESS_MASK DesiredAccess, 1450 | IN PPRIVILEGE_SET Privileges, 1451 | IN BOOLEAN AccessGranted); 1452 | 1453 | EXTERN_C NTSTATUS NtCreateTransaction( 1454 | OUT PHANDLE TransactionHandle, 1455 | IN ACCESS_MASK DesiredAccess, 1456 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1457 | IN LPGUID Uow OPTIONAL, 1458 | IN HANDLE TmHandle OPTIONAL, 1459 | IN ULONG CreateOptions OPTIONAL, 1460 | IN ULONG IsolationLevel OPTIONAL, 1461 | IN ULONG IsolationFlags OPTIONAL, 1462 | IN PLARGE_INTEGER Timeout OPTIONAL, 1463 | IN PUNICODE_STRING Description OPTIONAL); 1464 | 1465 | EXTERN_C NTSTATUS NtCreateSectionEx( 1466 | OUT PHANDLE SectionHandle, 1467 | IN ACCESS_MASK DesiredAccess, 1468 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1469 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 1470 | IN ULONG SectionPageProtection, 1471 | IN ULONG AllocationAttributes, 1472 | IN HANDLE FileHandle OPTIONAL, 1473 | IN PMEM_EXTENDED_PARAMETER ExtendedParameters, 1474 | IN ULONG ExtendedParametersCount); 1475 | 1476 | EXTERN_C NTSTATUS NtPowerInformation( 1477 | IN POWER_INFORMATION_LEVEL InformationLevel, 1478 | IN PVOID InputBuffer OPTIONAL, 1479 | IN ULONG InputBufferLength, 1480 | OUT PVOID OutputBuffer OPTIONAL, 1481 | IN ULONG OutputBufferLength); 1482 | 1483 | EXTERN_C NTSTATUS NtWaitForWnfNotifications(); 1484 | 1485 | EXTERN_C NTSTATUS NtOpenResourceManager( 1486 | OUT PHANDLE ResourceManagerHandle, 1487 | IN ACCESS_MASK DesiredAccess, 1488 | IN HANDLE TmHandle, 1489 | IN LPGUID ResourceManagerGuid OPTIONAL, 1490 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); 1491 | 1492 | EXTERN_C NTSTATUS NtEnumerateSystemEnvironmentValuesEx( 1493 | IN ULONG InformationClass, 1494 | OUT PVOID Buffer, 1495 | IN OUT PULONG BufferLength); 1496 | 1497 | EXTERN_C NTSTATUS NtDeleteKey( 1498 | IN HANDLE KeyHandle); 1499 | 1500 | EXTERN_C NTSTATUS NtSerializeBoot(); 1501 | 1502 | EXTERN_C NTSTATUS NtMapUserPhysicalPagesScatter( 1503 | IN PVOID VirtualAddresses, 1504 | IN PULONG NumberOfPages, 1505 | IN PULONG UserPfnArray OPTIONAL); 1506 | 1507 | EXTERN_C NTSTATUS NtSetBootOptions( 1508 | IN PBOOT_OPTIONS BootOptions, 1509 | IN ULONG FieldsToChange); 1510 | 1511 | EXTERN_C NTSTATUS NtOpenKeyEx( 1512 | OUT PHANDLE KeyHandle, 1513 | IN ACCESS_MASK DesiredAccess, 1514 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1515 | IN ULONG OpenOptions); 1516 | 1517 | EXTERN_C NTSTATUS NtInitializeEnclave( 1518 | IN HANDLE ProcessHandle, 1519 | IN PVOID BaseAddress, 1520 | IN PVOID EnclaveInformation, 1521 | IN ULONG EnclaveInformationLength, 1522 | OUT PULONG EnclaveError OPTIONAL); 1523 | 1524 | EXTERN_C NTSTATUS NtQueryPerformanceCounter( 1525 | OUT PLARGE_INTEGER PerformanceCounter, 1526 | OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); 1527 | 1528 | EXTERN_C NTSTATUS NtSetDebugFilterState( 1529 | IN ULONG ComponentId, 1530 | IN ULONG Level, 1531 | IN BOOLEAN State); 1532 | 1533 | EXTERN_C NTSTATUS NtRollbackEnlistment( 1534 | IN HANDLE EnlistmentHandle, 1535 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 1536 | 1537 | EXTERN_C NTSTATUS NtShutdownWorkerFactory( 1538 | IN HANDLE WorkerFactoryHandle, 1539 | IN OUT PLONG PendingWorkerCount); 1540 | 1541 | EXTERN_C NTSTATUS NtWaitForAlertByThreadId( 1542 | IN HANDLE Handle, 1543 | IN PLARGE_INTEGER Timeout OPTIONAL); 1544 | 1545 | EXTERN_C NTSTATUS NtCreateFile( 1546 | OUT PHANDLE FileHandle, 1547 | IN ACCESS_MASK DesiredAccess, 1548 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1549 | OUT PIO_STATUS_BLOCK IoStatusBlock, 1550 | IN PLARGE_INTEGER AllocationSize OPTIONAL, 1551 | IN ULONG FileAttributes, 1552 | IN ULONG ShareAccess, 1553 | IN ULONG CreateDisposition, 1554 | IN ULONG CreateOptions, 1555 | IN PVOID EaBuffer OPTIONAL, 1556 | IN ULONG EaLength); 1557 | 1558 | EXTERN_C NTSTATUS NtSetInformationJobObject( 1559 | IN HANDLE JobHandle, 1560 | IN JOBOBJECTINFOCLASS JobObjectInformationClass, 1561 | IN PVOID JobObjectInformation, 1562 | IN ULONG JobObjectInformationLength); 1563 | 1564 | EXTERN_C NTSTATUS NtThawRegistry(); 1565 | 1566 | EXTERN_C NTSTATUS NtSetSystemInformation( 1567 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 1568 | IN PVOID SystemInformation, 1569 | IN ULONG SystemInformationLength); 1570 | 1571 | EXTERN_C NTSTATUS NtInitiatePowerAction( 1572 | IN POWER_ACTION SystemAction, 1573 | IN SYSTEM_POWER_STATE LightestSystemState, 1574 | IN ULONG Flags, 1575 | IN BOOLEAN Asynchronous); 1576 | 1577 | EXTERN_C NTSTATUS NtCommitComplete( 1578 | IN HANDLE EnlistmentHandle, 1579 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 1580 | 1581 | EXTERN_C NTSTATUS NtResetWriteWatch( 1582 | IN HANDLE ProcessHandle, 1583 | IN PVOID BaseAddress, 1584 | IN ULONG RegionSize); 1585 | 1586 | EXTERN_C NTSTATUS NtSetInformationKey( 1587 | IN HANDLE KeyHandle, 1588 | IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, 1589 | IN PVOID KeySetInformation, 1590 | IN ULONG KeySetInformationLength); 1591 | 1592 | EXTERN_C NTSTATUS NtAllocateReserveObject( 1593 | OUT PHANDLE MemoryReserveHandle, 1594 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1595 | IN MEMORY_RESERVE_TYPE Type); 1596 | 1597 | EXTERN_C NTSTATUS NtCreateProcessEx( 1598 | OUT PHANDLE ProcessHandle, 1599 | IN ACCESS_MASK DesiredAccess, 1600 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1601 | IN HANDLE ParentProcess, 1602 | IN ULONG Flags, 1603 | IN HANDLE SectionHandle OPTIONAL, 1604 | IN HANDLE DebugPort OPTIONAL, 1605 | IN HANDLE ExceptionPort OPTIONAL, 1606 | IN ULONG JobMemberLevel); 1607 | 1608 | EXTERN_C NTSTATUS NtRemoveIoCompletionEx( 1609 | IN HANDLE IoCompletionHandle, 1610 | OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, 1611 | IN ULONG Count, 1612 | OUT PULONG NumEntriesRemoved, 1613 | IN PLARGE_INTEGER Timeout OPTIONAL, 1614 | IN BOOLEAN Alertable); 1615 | 1616 | EXTERN_C NTSTATUS NtRenameTransactionManager( 1617 | IN PUNICODE_STRING LogFileName, 1618 | IN LPGUID ExistingTransactionManagerGuid); 1619 | 1620 | EXTERN_C NTSTATUS NtQuerySection( 1621 | IN HANDLE SectionHandle, 1622 | IN SECTION_INFORMATION_CLASS SectionInformationClass, 1623 | OUT PVOID SectionInformation, 1624 | IN ULONG SectionInformationLength, 1625 | OUT PULONG ReturnLength OPTIONAL); 1626 | 1627 | EXTERN_C NTSTATUS NtAllocateUserPhysicalPages( 1628 | IN HANDLE ProcessHandle, 1629 | IN OUT PULONG NumberOfPages, 1630 | OUT PULONG UserPfnArray); 1631 | 1632 | EXTERN_C NTSTATUS NtOpenObjectAuditAlarm( 1633 | IN PUNICODE_STRING SubsystemName, 1634 | IN PVOID HandleId OPTIONAL, 1635 | IN PUNICODE_STRING ObjectTypeName, 1636 | IN PUNICODE_STRING ObjectName, 1637 | IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, 1638 | IN HANDLE ClientToken, 1639 | IN ACCESS_MASK DesiredAccess, 1640 | IN ACCESS_MASK GrantedAccess, 1641 | IN PPRIVILEGE_SET Privileges OPTIONAL, 1642 | IN BOOLEAN ObjectCreation, 1643 | IN BOOLEAN AccessGranted, 1644 | OUT PBOOLEAN GenerateOnClose); 1645 | 1646 | EXTERN_C NTSTATUS NtAlertResumeThread( 1647 | IN HANDLE ThreadHandle, 1648 | OUT PULONG PreviousSuspendCount OPTIONAL); 1649 | 1650 | EXTERN_C NTSTATUS NtSetLowEventPair( 1651 | IN HANDLE EventPairHandle); 1652 | 1653 | EXTERN_C NTSTATUS NtRollforwardTransactionManager( 1654 | IN HANDLE TransactionManagerHandle, 1655 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 1656 | 1657 | EXTERN_C NTSTATUS NtQuerySemaphore( 1658 | IN HANDLE SemaphoreHandle, 1659 | IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, 1660 | OUT PVOID SemaphoreInformation, 1661 | IN ULONG SemaphoreInformationLength, 1662 | OUT PULONG ReturnLength OPTIONAL); 1663 | 1664 | EXTERN_C NTSTATUS NtRaiseHardError( 1665 | IN NTSTATUS ErrorStatus, 1666 | IN ULONG NumberOfParameters, 1667 | IN ULONG UnicodeStringParameterMask, 1668 | IN PULONG_PTR Parameters, 1669 | IN ULONG ValidResponseOptions, 1670 | OUT PULONG Response); 1671 | 1672 | EXTERN_C NTSTATUS NtTraceControl( 1673 | IN ULONG FunctionCode, 1674 | IN PVOID InputBuffer OPTIONAL, 1675 | IN ULONG InputBufferLength, 1676 | OUT PVOID OutputBuffer OPTIONAL, 1677 | IN ULONG OutputBufferLength, 1678 | OUT PULONG ReturnLength); 1679 | 1680 | EXTERN_C NTSTATUS NtWriteVirtualMemory( 1681 | IN HANDLE ProcessHandle, 1682 | IN PVOID BaseAddress, 1683 | IN PVOID Buffer, 1684 | IN ULONG NumberOfBytesToWrite, 1685 | OUT PULONG NumberOfBytesWritten OPTIONAL); 1686 | 1687 | EXTERN_C NTSTATUS NtCloseObjectAuditAlarm( 1688 | IN PUNICODE_STRING SubsystemName, 1689 | IN PVOID HandleId OPTIONAL, 1690 | IN BOOLEAN GenerateOnClose); 1691 | 1692 | EXTERN_C NTSTATUS NtAddBootEntry( 1693 | IN PBOOT_ENTRY BootEntry, 1694 | OUT PULONG Id OPTIONAL); 1695 | 1696 | EXTERN_C NTSTATUS NtCancelIoFileEx( 1697 | IN HANDLE FileHandle, 1698 | IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, 1699 | OUT PIO_STATUS_BLOCK IoStatusBlock); 1700 | 1701 | EXTERN_C NTSTATUS NtDebugContinue( 1702 | IN HANDLE DebugObjectHandle, 1703 | IN PCLIENT_ID ClientId, 1704 | IN NTSTATUS ContinueStatus); 1705 | 1706 | EXTERN_C NTSTATUS NtNotifyChangeSession( 1707 | IN HANDLE SessionHandle, 1708 | IN ULONG ChangeSequenceNumber, 1709 | IN PLARGE_INTEGER ChangeTimeStamp, 1710 | IN IO_SESSION_EVENT Event, 1711 | IN IO_SESSION_STATE NewState, 1712 | IN IO_SESSION_STATE PreviousState, 1713 | IN PVOID Payload OPTIONAL, 1714 | IN ULONG PayloadSize); 1715 | 1716 | EXTERN_C NTSTATUS NtOpenRegistryTransaction( 1717 | OUT PHANDLE RegistryHandle, 1718 | IN ACCESS_MASK DesiredAccess, 1719 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1720 | 1721 | EXTERN_C NTSTATUS NtRollbackTransaction( 1722 | IN HANDLE TransactionHandle, 1723 | IN BOOLEAN Wait); 1724 | 1725 | EXTERN_C NTSTATUS NtSetTimer2( 1726 | IN HANDLE TimerHandle, 1727 | IN PLARGE_INTEGER DueTime, 1728 | IN PLARGE_INTEGER Period OPTIONAL, 1729 | IN PT2_SET_PARAMETERS Parameters); 1730 | 1731 | EXTERN_C NTSTATUS NtQueryInformationByName( 1732 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1733 | OUT PIO_STATUS_BLOCK IoStatusBlock, 1734 | OUT PVOID FileInformation, 1735 | IN ULONG Length, 1736 | IN FILE_INFORMATION_CLASS FileInformationClass); 1737 | 1738 | EXTERN_C NTSTATUS NtDelayExecution( 1739 | IN BOOLEAN Alertable, 1740 | IN PLARGE_INTEGER DelayInterval); 1741 | 1742 | EXTERN_C NTSTATUS NtCreateJobSet( 1743 | IN ULONG NumJob, 1744 | IN PJOB_SET_ARRAY UserJobSet, 1745 | IN ULONG Flags); 1746 | 1747 | EXTERN_C NTSTATUS NtOpenJobObject( 1748 | OUT PHANDLE JobHandle, 1749 | IN ACCESS_MASK DesiredAccess, 1750 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1751 | 1752 | EXTERN_C NTSTATUS NtFlushInstallUILanguage( 1753 | IN LANGID InstallUILanguage, 1754 | IN ULONG SetComittedFlag); 1755 | 1756 | EXTERN_C NTSTATUS NtRevertContainerImpersonation(); 1757 | 1758 | EXTERN_C NTSTATUS NtFlushBuffersFile( 1759 | IN HANDLE FileHandle, 1760 | OUT PIO_STATUS_BLOCK IoStatusBlock); 1761 | 1762 | EXTERN_C NTSTATUS NtAssociateWaitCompletionPacket( 1763 | IN HANDLE WaitCompletionPacketHandle, 1764 | IN HANDLE IoCompletionHandle, 1765 | IN HANDLE TargetObjectHandle, 1766 | IN PVOID KeyContext OPTIONAL, 1767 | IN PVOID ApcContext OPTIONAL, 1768 | IN NTSTATUS IoStatus, 1769 | IN ULONG_PTR IoStatusInformation, 1770 | OUT PBOOLEAN AlreadySignaled OPTIONAL); 1771 | 1772 | EXTERN_C NTSTATUS NtLockProductActivationKeys( 1773 | IN OUT PULONG pPrivateVer OPTIONAL, 1774 | OUT PULONG pSafeMode OPTIONAL); 1775 | 1776 | EXTERN_C NTSTATUS NtAlpcRevokeSecurityContext( 1777 | IN HANDLE PortHandle, 1778 | IN ULONG Flags, 1779 | IN HANDLE ContextHandle); 1780 | 1781 | EXTERN_C NTSTATUS NtAlpcQueryInformationMessage( 1782 | IN HANDLE PortHandle, 1783 | IN PPORT_MESSAGE PortMessage, 1784 | IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, 1785 | OUT PVOID MessageInformation OPTIONAL, 1786 | IN ULONG Length, 1787 | OUT PULONG ReturnLength OPTIONAL); 1788 | 1789 | EXTERN_C NTSTATUS NtReleaseKeyedEvent( 1790 | IN HANDLE KeyedEventHandle, 1791 | IN PVOID KeyValue, 1792 | IN BOOLEAN Alertable, 1793 | IN PLARGE_INTEGER Timeout OPTIONAL); 1794 | 1795 | EXTERN_C NTSTATUS NtInitializeRegistry( 1796 | IN USHORT BootCondition); 1797 | 1798 | EXTERN_C NTSTATUS NtMapCMFModule( 1799 | IN ULONG What, 1800 | IN ULONG Index, 1801 | OUT PULONG CacheIndexOut OPTIONAL, 1802 | OUT PULONG CacheFlagsOut OPTIONAL, 1803 | OUT PULONG ViewSizeOut OPTIONAL, 1804 | OUT PVOID BaseAddress OPTIONAL); 1805 | 1806 | EXTERN_C NTSTATUS NtCreateRegistryTransaction( 1807 | OUT PHANDLE Handle, 1808 | IN ACCESS_MASK DesiredAccess, 1809 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1810 | IN DWORD Flags); 1811 | 1812 | EXTERN_C NTSTATUS NtMapViewOfSection( 1813 | IN HANDLE SectionHandle, 1814 | IN HANDLE ProcessHandle, 1815 | IN OUT PVOID BaseAddress, 1816 | IN ULONG ZeroBits, 1817 | IN SIZE_T CommitSize, 1818 | IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, 1819 | IN OUT PSIZE_T ViewSize, 1820 | IN SECTION_INHERIT InheritDisposition, 1821 | IN ULONG AllocationType, 1822 | IN ULONG Win32Protect); 1823 | 1824 | EXTERN_C NTSTATUS NtCreateEnlistment( 1825 | OUT PHANDLE EnlistmentHandle, 1826 | IN ACCESS_MASK DesiredAccess, 1827 | IN HANDLE ResourceManagerHandle, 1828 | IN HANDLE TransactionHandle, 1829 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1830 | IN ULONG CreateOptions OPTIONAL, 1831 | IN NOTIFICATION_MASK NotificationMask, 1832 | IN PVOID EnlistmentKey OPTIONAL); 1833 | 1834 | EXTERN_C NTSTATUS NtEnumerateTransactionObject( 1835 | IN HANDLE RootObjectHandle OPTIONAL, 1836 | IN KTMOBJECT_TYPE QueryType, 1837 | IN OUT PKTMOBJECT_CURSOR ObjectCursor, 1838 | IN ULONG ObjectCursorLength, 1839 | OUT PULONG ReturnLength); 1840 | 1841 | EXTERN_C NTSTATUS NtQueryAttributesFile( 1842 | IN POBJECT_ATTRIBUTES ObjectAttributes, 1843 | OUT PFILE_BASIC_INFORMATION FileInformation); 1844 | 1845 | EXTERN_C NTSTATUS NtSetHighEventPair( 1846 | IN HANDLE EventPairHandle); 1847 | 1848 | EXTERN_C NTSTATUS NtAlpcSetInformation( 1849 | IN HANDLE PortHandle, 1850 | IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, 1851 | IN PVOID PortInformation OPTIONAL, 1852 | IN ULONG Length); 1853 | 1854 | EXTERN_C NTSTATUS NtFlushWriteBuffer(); 1855 | 1856 | EXTERN_C NTSTATUS NtCreateEnclave( 1857 | IN HANDLE ProcessHandle, 1858 | IN OUT PVOID BaseAddress, 1859 | IN ULONG_PTR ZeroBits, 1860 | IN SIZE_T Size, 1861 | IN SIZE_T InitialCommitment, 1862 | IN ULONG EnclaveType, 1863 | IN PVOID EnclaveInformation, 1864 | IN ULONG EnclaveInformationLength, 1865 | OUT PULONG EnclaveError OPTIONAL); 1866 | 1867 | EXTERN_C NTSTATUS NtFreeUserPhysicalPages( 1868 | IN HANDLE ProcessHandle, 1869 | IN OUT PULONG NumberOfPages, 1870 | IN PULONG UserPfnArray); 1871 | 1872 | EXTERN_C NTSTATUS NtQueryInformationProcess( 1873 | IN HANDLE ProcessHandle, 1874 | IN PROCESSINFOCLASS ProcessInformationClass, 1875 | OUT PVOID ProcessInformation, 1876 | IN ULONG ProcessInformationLength, 1877 | OUT PULONG ReturnLength OPTIONAL); 1878 | 1879 | EXTERN_C NTSTATUS NtCreateTimer2( 1880 | OUT PHANDLE TimerHandle, 1881 | IN PVOID Reserved1 OPTIONAL, 1882 | IN PVOID Reserved2 OPTIONAL, 1883 | IN ULONG Attributes, 1884 | IN ACCESS_MASK DesiredAccess); 1885 | 1886 | EXTERN_C NTSTATUS NtCreateSection( 1887 | OUT PHANDLE SectionHandle, 1888 | IN ACCESS_MASK DesiredAccess, 1889 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1890 | IN PLARGE_INTEGER MaximumSize OPTIONAL, 1891 | IN ULONG SectionPageProtection, 1892 | IN ULONG AllocationAttributes, 1893 | IN HANDLE FileHandle OPTIONAL); 1894 | 1895 | EXTERN_C NTSTATUS NtOpenKey( 1896 | OUT PHANDLE KeyHandle, 1897 | IN ACCESS_MASK DesiredAccess, 1898 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1899 | 1900 | EXTERN_C NTSTATUS NtQueryQuotaInformationFile( 1901 | IN HANDLE FileHandle, 1902 | OUT PIO_STATUS_BLOCK IoStatusBlock, 1903 | OUT PFILE_USER_QUOTA_INFORMATION Buffer, 1904 | IN ULONG Length, 1905 | IN BOOLEAN ReturnSingleEntry, 1906 | IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, 1907 | IN ULONG SidListLength, 1908 | IN PSID StartSid OPTIONAL, 1909 | IN BOOLEAN RestartScan); 1910 | 1911 | EXTERN_C NTSTATUS NtCreateKeyedEvent( 1912 | OUT PHANDLE KeyedEventHandle, 1913 | IN ACCESS_MASK DesiredAccess, 1914 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1915 | IN ULONG Flags); 1916 | 1917 | EXTERN_C NTSTATUS NtDeviceIoControlFile( 1918 | IN HANDLE FileHandle, 1919 | IN HANDLE Event OPTIONAL, 1920 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 1921 | IN PVOID ApcContext OPTIONAL, 1922 | OUT PIO_STATUS_BLOCK IoStatusBlock, 1923 | IN ULONG IoControlCode, 1924 | IN PVOID InputBuffer OPTIONAL, 1925 | IN ULONG InputBufferLength, 1926 | OUT PVOID OutputBuffer OPTIONAL, 1927 | IN ULONG OutputBufferLength); 1928 | 1929 | EXTERN_C NTSTATUS NtUnmapViewOfSectionEx( 1930 | IN HANDLE ProcessHandle, 1931 | IN PVOID BaseAddress OPTIONAL, 1932 | IN ULONG Flags); 1933 | 1934 | EXTERN_C NTSTATUS NtAcquireCMFViewOwnership( 1935 | OUT BOOLEAN TimeStamp, 1936 | OUT BOOLEAN TokenTaken, 1937 | IN BOOLEAN ReplaceExisting); 1938 | 1939 | EXTERN_C NTSTATUS NtQuerySystemEnvironmentValueEx( 1940 | IN PUNICODE_STRING VariableName, 1941 | IN LPGUID VendorGuid, 1942 | OUT PVOID Value OPTIONAL, 1943 | IN OUT PULONG ValueLength, 1944 | OUT PULONG Attributes OPTIONAL); 1945 | 1946 | EXTERN_C NTSTATUS NtYieldExecution(); 1947 | 1948 | EXTERN_C NTSTATUS NtCreateDirectoryObject( 1949 | OUT PHANDLE DirectoryHandle, 1950 | IN ACCESS_MASK DesiredAccess, 1951 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1952 | 1953 | EXTERN_C NTSTATUS NtAddAtom( 1954 | IN PWSTR AtomName OPTIONAL, 1955 | IN ULONG Length, 1956 | OUT PUSHORT Atom OPTIONAL); 1957 | 1958 | EXTERN_C NTSTATUS NtIsSystemResumeAutomatic(); 1959 | 1960 | EXTERN_C NTSTATUS NtOpenPartition( 1961 | OUT PHANDLE PartitionHandle, 1962 | IN ACCESS_MASK DesiredAccess, 1963 | IN POBJECT_ATTRIBUTES ObjectAttributes); 1964 | 1965 | EXTERN_C NTSTATUS NtRecoverTransactionManager( 1966 | IN HANDLE TransactionManagerHandle); 1967 | 1968 | EXTERN_C NTSTATUS NtQueryDriverEntryOrder( 1969 | IN PULONG Ids OPTIONAL, 1970 | IN OUT PULONG Count); 1971 | 1972 | EXTERN_C NTSTATUS NtCreateTokenEx( 1973 | OUT PHANDLE TokenHandle, 1974 | IN ACCESS_MASK DesiredAccess, 1975 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 1976 | IN TOKEN_TYPE TokenType, 1977 | IN PLUID AuthenticationId, 1978 | IN PLARGE_INTEGER ExpirationTime, 1979 | IN PTOKEN_USER User, 1980 | IN PTOKEN_GROUPS Groups, 1981 | IN PTOKEN_PRIVILEGES Privileges, 1982 | IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, 1983 | IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, 1984 | IN PTOKEN_GROUPS DeviceGroups OPTIONAL, 1985 | IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, 1986 | IN PTOKEN_OWNER Owner OPTIONAL, 1987 | IN PTOKEN_PRIMARY_GROUP PrimaryGroup, 1988 | IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, 1989 | IN PTOKEN_SOURCE TokenSource); 1990 | 1991 | EXTERN_C NTSTATUS NtCreatePagingFile( 1992 | IN PUNICODE_STRING PageFileName, 1993 | IN PULARGE_INTEGER MinimumSize, 1994 | IN PULARGE_INTEGER MaximumSize, 1995 | IN ULONG Priority); 1996 | 1997 | EXTERN_C NTSTATUS NtPrepareComplete( 1998 | IN HANDLE EnlistmentHandle, 1999 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 2000 | 2001 | EXTERN_C NTSTATUS NtStartTm(); 2002 | 2003 | EXTERN_C NTSTATUS NtCreateProcess( 2004 | OUT PHANDLE ProcessHandle, 2005 | IN ACCESS_MASK DesiredAccess, 2006 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2007 | IN HANDLE ParentProcess, 2008 | IN BOOLEAN InheritObjectTable, 2009 | IN HANDLE SectionHandle OPTIONAL, 2010 | IN HANDLE DebugPort OPTIONAL, 2011 | IN HANDLE ExceptionPort OPTIONAL); 2012 | 2013 | EXTERN_C NTSTATUS NtPullTransaction(); 2014 | 2015 | EXTERN_C NTSTATUS NtQueryDirectoryFileEx( 2016 | IN HANDLE FileHandle, 2017 | IN HANDLE Event OPTIONAL, 2018 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2019 | IN PVOID ApcContext OPTIONAL, 2020 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2021 | OUT PVOID FileInformation, 2022 | IN ULONG Length, 2023 | IN FILE_INFORMATION_CLASS FileInformationClass, 2024 | IN ULONG QueryFlags, 2025 | IN PUNICODE_STRING FileName OPTIONAL); 2026 | 2027 | EXTERN_C NTSTATUS NtOpenTransaction( 2028 | OUT PHANDLE TransactionHandle, 2029 | IN ACCESS_MASK DesiredAccess, 2030 | IN POBJECT_ATTRIBUTES ObjectAttributes, 2031 | IN LPGUID Uow, 2032 | IN HANDLE TmHandle OPTIONAL); 2033 | 2034 | EXTERN_C NTSTATUS NtRecoverEnlistment( 2035 | IN HANDLE EnlistmentHandle, 2036 | IN PVOID EnlistmentKey OPTIONAL); 2037 | 2038 | EXTERN_C NTSTATUS NtCreateEvent( 2039 | OUT PHANDLE EventHandle, 2040 | IN ACCESS_MASK DesiredAccess, 2041 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2042 | IN EVENT_TYPE EventType, 2043 | IN BOOLEAN InitialState); 2044 | 2045 | EXTERN_C NTSTATUS NtRegisterThreadTerminatePort( 2046 | IN HANDLE PortHandle); 2047 | 2048 | EXTERN_C NTSTATUS NtQueryInstallUILanguage( 2049 | OUT PLANGID InstallUILanguageId); 2050 | 2051 | EXTERN_C NTSTATUS NtOpenKeyTransactedEx( 2052 | OUT PHANDLE KeyHandle, 2053 | IN ACCESS_MASK DesiredAccess, 2054 | IN POBJECT_ATTRIBUTES ObjectAttributes, 2055 | IN ULONG OpenOptions, 2056 | IN HANDLE TransactionHandle); 2057 | 2058 | EXTERN_C NTSTATUS NtQuerySecurityPolicy( 2059 | IN ULONG_PTR UnknownParameter1, 2060 | IN ULONG_PTR UnknownParameter2, 2061 | IN ULONG_PTR UnknownParameter3, 2062 | IN ULONG_PTR UnknownParameter4, 2063 | IN ULONG_PTR UnknownParameter5, 2064 | IN ULONG_PTR UnknownParameter6); 2065 | 2066 | EXTERN_C NTSTATUS NtQueryEaFile( 2067 | IN HANDLE FileHandle, 2068 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2069 | OUT PFILE_FULL_EA_INFORMATION Buffer, 2070 | IN ULONG Length, 2071 | IN BOOLEAN ReturnSingleEntry, 2072 | IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, 2073 | IN ULONG EaListLength, 2074 | IN PULONG EaIndex OPTIONAL, 2075 | IN BOOLEAN RestartScan); 2076 | 2077 | EXTERN_C NTSTATUS NtImpersonateThread( 2078 | IN HANDLE ServerThreadHandle, 2079 | IN HANDLE ClientThreadHandle, 2080 | IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); 2081 | 2082 | EXTERN_C NTSTATUS NtGetNotificationResourceManager( 2083 | IN HANDLE ResourceManagerHandle, 2084 | OUT PTRANSACTION_NOTIFICATION TransactionNotification, 2085 | IN ULONG NotificationLength, 2086 | IN PLARGE_INTEGER Timeout OPTIONAL, 2087 | OUT PULONG ReturnLength OPTIONAL, 2088 | IN ULONG Asynchronous, 2089 | IN ULONG AsynchronousContext OPTIONAL); 2090 | 2091 | EXTERN_C NTSTATUS NtCreateMailslotFile( 2092 | OUT PHANDLE FileHandle, 2093 | IN ACCESS_MASK DesiredAccess, 2094 | IN POBJECT_ATTRIBUTES ObjectAttributes, 2095 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2096 | IN ULONG CreateOptions, 2097 | IN ULONG MailslotQuota, 2098 | IN ULONG MaximumMessageSize, 2099 | IN PLARGE_INTEGER ReadTimeout); 2100 | 2101 | EXTERN_C NTSTATUS NtSetLdtEntries( 2102 | IN ULONG Selector0, 2103 | IN ULONG Entry0Low, 2104 | IN ULONG Entry0Hi, 2105 | IN ULONG Selector1, 2106 | IN ULONG Entry1Low, 2107 | IN ULONG Entry1Hi); 2108 | 2109 | EXTERN_C NTSTATUS NtFlushKey( 2110 | IN HANDLE KeyHandle); 2111 | 2112 | EXTERN_C NTSTATUS NtDrawText( 2113 | IN PUNICODE_STRING String); 2114 | 2115 | EXTERN_C NTSTATUS NtGetContextThread( 2116 | IN HANDLE ThreadHandle, 2117 | IN OUT PCONTEXT ThreadContext); 2118 | 2119 | EXTERN_C NTSTATUS NtCreateIoCompletion( 2120 | OUT PHANDLE IoCompletionHandle, 2121 | IN ACCESS_MASK DesiredAccess, 2122 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2123 | IN ULONG Count OPTIONAL); 2124 | 2125 | EXTERN_C NTSTATUS NtOpenTimer( 2126 | OUT PHANDLE TimerHandle, 2127 | IN ACCESS_MASK DesiredAccess, 2128 | IN POBJECT_ATTRIBUTES ObjectAttributes); 2129 | 2130 | EXTERN_C NTSTATUS NtLoadKey( 2131 | IN POBJECT_ATTRIBUTES TargetKey, 2132 | IN POBJECT_ATTRIBUTES SourceFile); 2133 | 2134 | EXTERN_C NTSTATUS NtMakeTemporaryObject( 2135 | IN HANDLE Handle); 2136 | 2137 | EXTERN_C NTSTATUS NtSetValueKey( 2138 | IN HANDLE KeyHandle, 2139 | IN PUNICODE_STRING ValueName, 2140 | IN ULONG TitleIndex OPTIONAL, 2141 | IN ULONG Type, 2142 | IN PVOID SystemData, 2143 | IN ULONG DataSize); 2144 | 2145 | EXTERN_C NTSTATUS NtFlushProcessWriteBuffers(); 2146 | 2147 | EXTERN_C NTSTATUS NtPrepareEnlistment( 2148 | IN HANDLE EnlistmentHandle, 2149 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 2150 | 2151 | EXTERN_C NTSTATUS NtSetCachedSigningLevel2( 2152 | IN ULONG Flags, 2153 | IN ULONG InputSigningLevel, 2154 | IN PHANDLE SourceFiles, 2155 | IN ULONG SourceFileCount, 2156 | IN HANDLE TargetFile OPTIONAL, 2157 | IN PVOID LevelInformation OPTIONAL); 2158 | 2159 | EXTERN_C NTSTATUS NtConnectPort( 2160 | OUT PHANDLE PortHandle, 2161 | IN PUNICODE_STRING PortName, 2162 | IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 2163 | IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, 2164 | IN OUT PPORT_SECTION_READ ServerView OPTIONAL, 2165 | OUT PULONG MaxMessageLength OPTIONAL, 2166 | IN OUT PVOID ConnectionInformation OPTIONAL, 2167 | IN OUT PULONG ConnectionInformationLength OPTIONAL); 2168 | 2169 | EXTERN_C NTSTATUS NtAlpcConnectPort( 2170 | OUT PHANDLE PortHandle, 2171 | IN PUNICODE_STRING PortName, 2172 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2173 | IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, 2174 | IN ULONG Flags, 2175 | IN PSID RequiredServerSid OPTIONAL, 2176 | IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, 2177 | IN OUT PULONG BufferLength OPTIONAL, 2178 | IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, 2179 | IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, 2180 | IN PLARGE_INTEGER Timeout OPTIONAL); 2181 | 2182 | EXTERN_C NTSTATUS NtUnlockVirtualMemory( 2183 | IN HANDLE ProcessHandle, 2184 | IN PVOID BaseAddress, 2185 | IN PULONG NumberOfBytesToUnlock, 2186 | IN ULONG LockType); 2187 | 2188 | EXTERN_C NTSTATUS NtQueryObject( 2189 | IN HANDLE Handle, 2190 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 2191 | OUT PVOID ObjectInformation OPTIONAL, 2192 | IN ULONG ObjectInformationLength, 2193 | OUT PULONG ReturnLength OPTIONAL); 2194 | 2195 | EXTERN_C NTSTATUS NtLockVirtualMemory( 2196 | IN HANDLE ProcessHandle, 2197 | IN PVOID BaseAddress, 2198 | IN PULONG RegionSize, 2199 | IN ULONG MapType); 2200 | 2201 | EXTERN_C NTSTATUS NtAlpcQueryInformation( 2202 | IN HANDLE PortHandle OPTIONAL, 2203 | IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, 2204 | IN OUT PVOID PortInformation, 2205 | IN ULONG Length, 2206 | OUT PULONG ReturnLength OPTIONAL); 2207 | 2208 | EXTERN_C NTSTATUS NtSetInformationFile( 2209 | IN HANDLE FileHandle, 2210 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2211 | IN PVOID FileInformation, 2212 | IN ULONG Length, 2213 | IN FILE_INFORMATION_CLASS FileInformationClass); 2214 | 2215 | EXTERN_C NTSTATUS NtQueryOpenSubKeysEx( 2216 | IN POBJECT_ATTRIBUTES TargetKey, 2217 | IN ULONG BufferLength, 2218 | OUT PVOID Buffer, 2219 | OUT PULONG RequiredSize); 2220 | 2221 | EXTERN_C NTSTATUS NtDeleteBootEntry( 2222 | IN ULONG Id); 2223 | 2224 | EXTERN_C NTSTATUS NtAlpcDeleteSectionView( 2225 | IN HANDLE PortHandle, 2226 | IN ULONG Flags, 2227 | IN PVOID ViewBase); 2228 | 2229 | EXTERN_C NTSTATUS NtManageHotPatch( 2230 | IN ULONG UnknownParameter1, 2231 | IN ULONG UnknownParameter2, 2232 | IN ULONG UnknownParameter3, 2233 | IN ULONG UnknownParameter4); 2234 | 2235 | EXTERN_C NTSTATUS NtGetCachedSigningLevel( 2236 | IN HANDLE File, 2237 | OUT PULONG Flags, 2238 | OUT PSE_SIGNING_LEVEL SigningLevel, 2239 | OUT PUCHAR Thumbprint OPTIONAL, 2240 | IN OUT PULONG ThumbprintSize OPTIONAL, 2241 | OUT PULONG ThumbprintAlgorithm OPTIONAL); 2242 | 2243 | EXTERN_C NTSTATUS NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( 2244 | IN ULONG UnknownParameter1, 2245 | IN ULONG UnknownParameter2, 2246 | IN ULONG UnknownParameter3, 2247 | IN ULONG UnknownParameter4); 2248 | 2249 | EXTERN_C NTSTATUS NtSetWnfProcessNotificationEvent( 2250 | IN HANDLE NotificationEvent); 2251 | 2252 | EXTERN_C NTSTATUS NtOpenProcessTokenEx( 2253 | IN HANDLE ProcessHandle, 2254 | IN ACCESS_MASK DesiredAccess, 2255 | IN ULONG HandleAttributes, 2256 | OUT PHANDLE TokenHandle); 2257 | 2258 | EXTERN_C NTSTATUS NtCancelWaitCompletionPacket( 2259 | IN HANDLE WaitCompletionPacketHandle, 2260 | IN BOOLEAN RemoveSignaledPacket); 2261 | 2262 | EXTERN_C NTSTATUS NtPrePrepareEnlistment( 2263 | IN HANDLE EnlistmentHandle, 2264 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 2265 | 2266 | EXTERN_C NTSTATUS NtSuspendProcess( 2267 | IN HANDLE ProcessHandle); 2268 | 2269 | EXTERN_C NTSTATUS NtSuspendThread( 2270 | IN HANDLE ThreadHandle, 2271 | OUT PULONG PreviousSuspendCount); 2272 | 2273 | EXTERN_C NTSTATUS NtAlpcConnectPortEx( 2274 | OUT PHANDLE PortHandle, 2275 | IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, 2276 | IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, 2277 | IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, 2278 | IN ULONG Flags, 2279 | IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, 2280 | IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, 2281 | IN OUT PSIZE_T BufferLength OPTIONAL, 2282 | IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, 2283 | IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, 2284 | IN PLARGE_INTEGER Timeout OPTIONAL); 2285 | 2286 | EXTERN_C NTSTATUS NtStopProfile( 2287 | IN HANDLE ProfileHandle); 2288 | 2289 | EXTERN_C NTSTATUS NtPlugPlayControl( 2290 | IN PLUGPLAY_CONTROL_CLASS PnPControlClass, 2291 | IN OUT PVOID PnPControlData, 2292 | IN ULONG PnPControlDataLength); 2293 | 2294 | EXTERN_C NTSTATUS NtQueryDirectoryObject( 2295 | IN HANDLE DirectoryHandle, 2296 | OUT PVOID Buffer OPTIONAL, 2297 | IN ULONG Length, 2298 | IN BOOLEAN ReturnSingleEntry, 2299 | IN BOOLEAN RestartScan, 2300 | IN OUT PULONG Context, 2301 | OUT PULONG ReturnLength OPTIONAL); 2302 | 2303 | EXTERN_C NTSTATUS NtQueryVolumeInformationFile( 2304 | IN HANDLE FileHandle, 2305 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2306 | OUT PVOID FsInformation, 2307 | IN ULONG Length, 2308 | IN FSINFOCLASS FsInformationClass); 2309 | 2310 | EXTERN_C NTSTATUS NtIsProcessInJob( 2311 | IN HANDLE ProcessHandle, 2312 | IN HANDLE JobHandle OPTIONAL); 2313 | 2314 | EXTERN_C NTSTATUS NtSetContextThread( 2315 | IN HANDLE ThreadHandle, 2316 | IN PCONTEXT Context); 2317 | 2318 | EXTERN_C NTSTATUS NtAlpcCreateSectionView( 2319 | IN HANDLE PortHandle, 2320 | IN ULONG Flags, 2321 | IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); 2322 | 2323 | EXTERN_C NTSTATUS NtUnsubscribeWnfStateChange( 2324 | IN PCWNF_STATE_NAME StateName); 2325 | 2326 | EXTERN_C NTSTATUS NtSetInformationVirtualMemory( 2327 | IN HANDLE ProcessHandle, 2328 | IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, 2329 | IN ULONG_PTR NumberOfEntries, 2330 | IN PMEMORY_RANGE_ENTRY VirtualAddresses, 2331 | IN PVOID VmInformation, 2332 | IN ULONG VmInformationLength); 2333 | 2334 | EXTERN_C NTSTATUS NtDuplicateObject( 2335 | IN HANDLE SourceProcessHandle, 2336 | IN HANDLE SourceHandle, 2337 | IN HANDLE TargetProcessHandle OPTIONAL, 2338 | OUT PHANDLE TargetHandle OPTIONAL, 2339 | IN ACCESS_MASK DesiredAccess, 2340 | IN ULONG HandleAttributes, 2341 | IN ULONG Options); 2342 | 2343 | EXTERN_C NTSTATUS NtResumeThread( 2344 | IN HANDLE ThreadHandle, 2345 | IN OUT PULONG PreviousSuspendCount OPTIONAL); 2346 | 2347 | EXTERN_C NTSTATUS NtRenameKey( 2348 | IN HANDLE KeyHandle, 2349 | IN PUNICODE_STRING NewName); 2350 | 2351 | EXTERN_C NTSTATUS NtFindAtom( 2352 | IN PWSTR AtomName OPTIONAL, 2353 | IN ULONG Length, 2354 | OUT PUSHORT Atom OPTIONAL); 2355 | 2356 | EXTERN_C NTSTATUS NtReplyWaitReceivePortEx( 2357 | IN HANDLE PortHandle, 2358 | OUT PULONG PortContext OPTIONAL, 2359 | IN PPORT_MESSAGE ReplyMessage OPTIONAL, 2360 | OUT PPORT_MESSAGE ReceiveMessage, 2361 | IN PLARGE_INTEGER Timeout OPTIONAL); 2362 | 2363 | EXTERN_C NTSTATUS NtCreateWnfStateName( 2364 | OUT PCWNF_STATE_NAME StateName, 2365 | IN WNF_STATE_NAME_LIFETIME NameLifetime, 2366 | IN WNF_DATA_SCOPE DataScope, 2367 | IN BOOLEAN PersistData, 2368 | IN PCWNF_TYPE_ID TypeId OPTIONAL, 2369 | IN ULONG MaximumStateSize, 2370 | IN PSECURITY_DESCRIPTOR SecurityDescriptor); 2371 | 2372 | EXTERN_C NTSTATUS NtFilterToken( 2373 | IN HANDLE ExistingTokenHandle, 2374 | IN ULONG Flags, 2375 | IN PTOKEN_GROUPS SidsToDisable OPTIONAL, 2376 | IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, 2377 | IN PTOKEN_GROUPS RestrictedSids OPTIONAL, 2378 | OUT PHANDLE NewTokenHandle); 2379 | 2380 | EXTERN_C NTSTATUS NtUnmapViewOfSection( 2381 | IN HANDLE ProcessHandle, 2382 | IN PVOID BaseAddress); 2383 | 2384 | EXTERN_C NTSTATUS NtResumeProcess( 2385 | IN HANDLE ProcessHandle); 2386 | 2387 | EXTERN_C NTSTATUS NtSetInformationDebugObject( 2388 | IN HANDLE DebugObject, 2389 | IN DEBUGOBJECTINFOCLASS InformationClass, 2390 | IN PVOID Information, 2391 | IN ULONG InformationLength, 2392 | OUT PULONG ReturnLength OPTIONAL); 2393 | 2394 | EXTERN_C NTSTATUS NtCompareTokens( 2395 | IN HANDLE FirstTokenHandle, 2396 | IN HANDLE SecondTokenHandle, 2397 | OUT PBOOLEAN Equal); 2398 | 2399 | EXTERN_C NTSTATUS NtWaitForDebugEvent( 2400 | IN HANDLE DebugObjectHandle, 2401 | IN BOOLEAN Alertable, 2402 | IN PLARGE_INTEGER Timeout OPTIONAL, 2403 | OUT PVOID WaitStateChange); 2404 | 2405 | EXTERN_C NTSTATUS NtSetUuidSeed( 2406 | IN PUCHAR Seed); 2407 | 2408 | EXTERN_C NTSTATUS NtClearEvent( 2409 | IN HANDLE EventHandle); 2410 | 2411 | EXTERN_C NTSTATUS NtAllocateLocallyUniqueId( 2412 | OUT PLUID Luid); 2413 | 2414 | EXTERN_C NTSTATUS NtCreateMutant( 2415 | OUT PHANDLE MutantHandle, 2416 | IN ACCESS_MASK DesiredAccess, 2417 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2418 | IN BOOLEAN InitialOwner); 2419 | 2420 | EXTERN_C NTSTATUS NtGetPlugPlayEvent( 2421 | IN HANDLE EventHandle, 2422 | IN PVOID Context OPTIONAL, 2423 | OUT PPLUGPLAY_EVENT_BLOCK EventBlock, 2424 | IN ULONG EventBufferSize); 2425 | 2426 | EXTERN_C NTSTATUS NtListTransactions(); 2427 | 2428 | EXTERN_C NTSTATUS NtSetIoCompletionEx( 2429 | IN HANDLE IoCompletionHandle, 2430 | IN HANDLE IoCompletionPacketHandle, 2431 | IN PVOID KeyContext OPTIONAL, 2432 | IN PVOID ApcContext OPTIONAL, 2433 | IN NTSTATUS IoStatus, 2434 | IN ULONG_PTR IoStatusInformation); 2435 | 2436 | EXTERN_C NTSTATUS NtAlpcAcceptConnectPort( 2437 | OUT PHANDLE PortHandle, 2438 | IN HANDLE ConnectionPortHandle, 2439 | IN ULONG Flags, 2440 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2441 | IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, 2442 | IN PVOID PortContext OPTIONAL, 2443 | IN PPORT_MESSAGE ConnectionRequest, 2444 | IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, 2445 | IN BOOLEAN AcceptConnection); 2446 | 2447 | EXTERN_C NTSTATUS NtOpenDirectoryObject( 2448 | OUT PHANDLE DirectoryHandle, 2449 | IN ACCESS_MASK DesiredAccess, 2450 | IN POBJECT_ATTRIBUTES ObjectAttributes); 2451 | 2452 | EXTERN_C NTSTATUS NtQuerySystemEnvironmentValue( 2453 | IN PUNICODE_STRING VariableName, 2454 | OUT PVOID VariableValue, 2455 | IN ULONG ValueLength, 2456 | OUT PULONG ReturnLength OPTIONAL); 2457 | 2458 | EXTERN_C NTSTATUS NtImpersonateClientOfPort( 2459 | IN HANDLE PortHandle, 2460 | IN PPORT_MESSAGE Message); 2461 | 2462 | EXTERN_C NTSTATUS NtTestAlert(); 2463 | 2464 | EXTERN_C NTSTATUS NtAlpcCreatePort( 2465 | OUT PHANDLE PortHandle, 2466 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2467 | IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); 2468 | 2469 | EXTERN_C NTSTATUS NtRollbackSavepointTransaction( 2470 | IN HANDLE TransactionHandle, 2471 | IN ULONG SavePointId); 2472 | 2473 | EXTERN_C NTSTATUS NtSetEaFile( 2474 | IN HANDLE FileHandle, 2475 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2476 | IN PFILE_FULL_EA_INFORMATION EaBuffer, 2477 | IN ULONG EaBufferSize); 2478 | 2479 | EXTERN_C NTSTATUS NtOpenPrivateNamespace( 2480 | OUT PHANDLE NamespaceHandle, 2481 | IN ACCESS_MASK DesiredAccess, 2482 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2483 | IN PVOID BoundaryDescriptor); 2484 | 2485 | EXTERN_C NTSTATUS NtReadOnlyEnlistment( 2486 | IN HANDLE EnlistmentHandle, 2487 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 2488 | 2489 | EXTERN_C NTSTATUS NtQueryEvent( 2490 | IN HANDLE EventHandle, 2491 | IN EVENT_INFORMATION_CLASS EventInformationClass, 2492 | OUT PVOID EventInformation, 2493 | IN ULONG EventInformationLength, 2494 | OUT PULONG ReturnLength OPTIONAL); 2495 | 2496 | EXTERN_C NTSTATUS NtOpenSymbolicLinkObject( 2497 | OUT PHANDLE LinkHandle, 2498 | IN ACCESS_MASK DesiredAccess, 2499 | IN POBJECT_ATTRIBUTES ObjectAttributes); 2500 | 2501 | EXTERN_C NTSTATUS NtCreateTimer( 2502 | OUT PHANDLE TimerHandle, 2503 | IN ACCESS_MASK DesiredAccess, 2504 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2505 | IN TIMER_TYPE TimerType); 2506 | 2507 | EXTERN_C NTSTATUS NtQueryDefaultUILanguage( 2508 | OUT PLANGID DefaultUILanguageId); 2509 | 2510 | EXTERN_C NTSTATUS NtIsUILanguageComitted(); 2511 | 2512 | EXTERN_C NTSTATUS NtGetCurrentProcessorNumberEx( 2513 | OUT PULONG ProcNumber OPTIONAL); 2514 | 2515 | EXTERN_C NTSTATUS NtNotifyChangeDirectoryFileEx( 2516 | IN HANDLE FileHandle, 2517 | IN HANDLE Event OPTIONAL, 2518 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2519 | IN PVOID ApcContext OPTIONAL, 2520 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2521 | OUT PVOID Buffer, 2522 | IN ULONG Length, 2523 | IN ULONG CompletionFilter, 2524 | IN BOOLEAN WatchTree, 2525 | IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); 2526 | 2527 | EXTERN_C NTSTATUS NtEnumerateValueKey( 2528 | IN HANDLE KeyHandle, 2529 | IN ULONG Index, 2530 | IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, 2531 | OUT PVOID KeyValueInformation OPTIONAL, 2532 | IN ULONG Length, 2533 | OUT PULONG ResultLength); 2534 | 2535 | EXTERN_C NTSTATUS NtGetDevicePowerState( 2536 | IN HANDLE Device, 2537 | OUT PDEVICE_POWER_STATE State); 2538 | 2539 | EXTERN_C NTSTATUS NtProtectVirtualMemory( 2540 | IN HANDLE ProcessHandle, 2541 | IN OUT PVOID BaseAddress, 2542 | IN OUT PULONG RegionSize, 2543 | IN ULONG NewProtect, 2544 | OUT PULONG OldProtect); 2545 | 2546 | EXTERN_C NTSTATUS NtDebugActiveProcess( 2547 | IN HANDLE ProcessHandle, 2548 | IN HANDLE DebugObjectHandle); 2549 | 2550 | EXTERN_C NTSTATUS NtMakePermanentObject( 2551 | IN HANDLE Handle); 2552 | 2553 | EXTERN_C NTSTATUS NtOpenThread( 2554 | OUT PHANDLE ThreadHandle, 2555 | IN ACCESS_MASK DesiredAccess, 2556 | IN POBJECT_ATTRIBUTES ObjectAttributes, 2557 | IN PCLIENT_ID ClientId OPTIONAL); 2558 | 2559 | EXTERN_C NTSTATUS NtRaiseException( 2560 | IN PEXCEPTION_RECORD ExceptionRecord, 2561 | IN PCONTEXT ContextRecord, 2562 | IN BOOLEAN FirstChance); 2563 | 2564 | EXTERN_C NTSTATUS NtQueryInformationThread( 2565 | IN HANDLE ThreadHandle, 2566 | IN THREADINFOCLASS ThreadInformationClass, 2567 | OUT PVOID ThreadInformation, 2568 | IN ULONG ThreadInformationLength, 2569 | OUT PULONG ReturnLength OPTIONAL); 2570 | 2571 | EXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarm( 2572 | IN PUNICODE_STRING SubsystemName, 2573 | IN PVOID HandleId OPTIONAL, 2574 | IN PUNICODE_STRING ObjectTypeName, 2575 | IN PUNICODE_STRING ObjectName, 2576 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 2577 | IN PSID PrincipalSelfSid OPTIONAL, 2578 | IN ACCESS_MASK DesiredAccess, 2579 | IN AUDIT_EVENT_TYPE AuditType, 2580 | IN ULONG Flags, 2581 | IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, 2582 | IN ULONG ObjectTypeListLength, 2583 | IN PGENERIC_MAPPING GenericMapping, 2584 | IN BOOLEAN ObjectCreation, 2585 | OUT PACCESS_MASK GrantedAccess, 2586 | OUT PULONG AccessStatus, 2587 | OUT PULONG GenerateOnClose); 2588 | 2589 | EXTERN_C NTSTATUS NtCompleteConnectPort( 2590 | IN HANDLE PortHandle); 2591 | 2592 | EXTERN_C NTSTATUS NtAccessCheckByTypeResultList( 2593 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 2594 | IN PSID PrincipalSelfSid OPTIONAL, 2595 | IN HANDLE ClientToken, 2596 | IN ACCESS_MASK DesiredAccess, 2597 | IN POBJECT_TYPE_LIST ObjectTypeList, 2598 | IN ULONG ObjectTypeListLength, 2599 | IN PGENERIC_MAPPING GenericMapping, 2600 | OUT PPRIVILEGE_SET PrivilegeSet, 2601 | IN OUT PULONG PrivilegeSetLength, 2602 | OUT PACCESS_MASK GrantedAccess, 2603 | OUT PULONG AccessStatus); 2604 | 2605 | EXTERN_C NTSTATUS NtSetBootEntryOrder( 2606 | IN PULONG Ids, 2607 | IN ULONG Count); 2608 | 2609 | EXTERN_C NTSTATUS NtSetDefaultLocale( 2610 | IN BOOLEAN UserProfile, 2611 | IN LCID DefaultLocaleId); 2612 | 2613 | EXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarmByHandle( 2614 | IN PUNICODE_STRING SubsystemName, 2615 | IN PVOID HandleId OPTIONAL, 2616 | IN HANDLE ClientToken, 2617 | IN PUNICODE_STRING ObjectTypeName, 2618 | IN PUNICODE_STRING ObjectName, 2619 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 2620 | IN PSID PrincipalSelfSid OPTIONAL, 2621 | IN ACCESS_MASK DesiredAccess, 2622 | IN AUDIT_EVENT_TYPE AuditType, 2623 | IN ULONG Flags, 2624 | IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, 2625 | IN ULONG ObjectTypeListLength, 2626 | IN PGENERIC_MAPPING GenericMapping, 2627 | IN BOOLEAN ObjectCreation, 2628 | OUT PACCESS_MASK GrantedAccess, 2629 | OUT PULONG AccessStatus, 2630 | OUT PULONG GenerateOnClose); 2631 | 2632 | EXTERN_C NTSTATUS NtLoadHotPatch( 2633 | IN PUNICODE_STRING HotPatchName, 2634 | IN ULONG LoadFlag); 2635 | 2636 | EXTERN_C NTSTATUS NtCreatePort( 2637 | OUT PHANDLE PortHandle, 2638 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2639 | IN ULONG MaxConnectionInfoLength, 2640 | IN ULONG MaxMessageLength, 2641 | IN ULONG MaxPoolUsage OPTIONAL); 2642 | 2643 | EXTERN_C NTSTATUS NtOpenTransactionManager( 2644 | OUT PHANDLE TmHandle, 2645 | IN ACCESS_MASK DesiredAccess, 2646 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2647 | IN PUNICODE_STRING LogFileName OPTIONAL, 2648 | IN LPGUID TmIdentity OPTIONAL, 2649 | IN ULONG OpenOptions OPTIONAL); 2650 | 2651 | EXTERN_C NTSTATUS NtAllocateVirtualMemory( 2652 | IN HANDLE ProcessHandle, 2653 | IN OUT PVOID BaseAddress, 2654 | IN ULONG ZeroBits, 2655 | IN OUT PULONG RegionSize, 2656 | IN ULONG AllocationType, 2657 | IN ULONG Protect); 2658 | 2659 | EXTERN_C NTSTATUS NtSetSystemEnvironmentValue( 2660 | IN PUNICODE_STRING VariableName, 2661 | IN PUNICODE_STRING Value); 2662 | 2663 | EXTERN_C NTSTATUS NtQueryInformationTransaction( 2664 | IN HANDLE TransactionHandle, 2665 | IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, 2666 | OUT PVOID TransactionInformation, 2667 | IN ULONG TransactionInformationLength, 2668 | OUT PULONG ReturnLength OPTIONAL); 2669 | 2670 | EXTERN_C NTSTATUS NtReadRequestData( 2671 | IN HANDLE PortHandle, 2672 | IN PPORT_MESSAGE Message, 2673 | IN ULONG DataEntryIndex, 2674 | OUT PVOID Buffer, 2675 | IN ULONG BufferSize, 2676 | OUT PULONG NumberOfBytesRead OPTIONAL); 2677 | 2678 | EXTERN_C NTSTATUS NtSystemDebugControl( 2679 | IN DEBUG_CONTROL_CODE Command, 2680 | IN PVOID InputBuffer OPTIONAL, 2681 | IN ULONG InputBufferLength, 2682 | OUT PVOID OutputBuffer OPTIONAL, 2683 | IN ULONG OutputBufferLength, 2684 | OUT PULONG ReturnLength OPTIONAL); 2685 | 2686 | EXTERN_C NTSTATUS NtAlpcCancelMessage( 2687 | IN HANDLE PortHandle, 2688 | IN ULONG Flags, 2689 | IN PALPC_CONTEXT_ATTR MessageContext); 2690 | 2691 | EXTERN_C NTSTATUS NtLockRegistryKey( 2692 | IN HANDLE KeyHandle); 2693 | 2694 | EXTERN_C NTSTATUS NtNotifyChangeMultipleKeys( 2695 | IN HANDLE MasterKeyHandle, 2696 | IN ULONG Count OPTIONAL, 2697 | IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, 2698 | IN HANDLE Event OPTIONAL, 2699 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2700 | IN PVOID ApcContext OPTIONAL, 2701 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2702 | IN ULONG CompletionFilter, 2703 | IN BOOLEAN WatchTree, 2704 | OUT PVOID Buffer OPTIONAL, 2705 | IN ULONG BufferSize, 2706 | IN BOOLEAN Asynchronous); 2707 | 2708 | EXTERN_C NTSTATUS NtImpersonateAnonymousToken( 2709 | IN HANDLE ThreadHandle); 2710 | 2711 | EXTERN_C NTSTATUS NtUnlockFile( 2712 | IN HANDLE FileHandle, 2713 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2714 | IN PULARGE_INTEGER ByteOffset, 2715 | IN PULARGE_INTEGER Length, 2716 | IN ULONG Key); 2717 | 2718 | EXTERN_C NTSTATUS NtQueueApcThread( 2719 | IN HANDLE ThreadHandle, 2720 | IN PKNORMAL_ROUTINE ApcRoutine, 2721 | IN PVOID ApcArgument1 OPTIONAL, 2722 | IN PVOID ApcArgument2 OPTIONAL, 2723 | IN PVOID ApcArgument3 OPTIONAL); 2724 | 2725 | EXTERN_C NTSTATUS NtAccessCheckByTypeAndAuditAlarm( 2726 | IN PUNICODE_STRING SubsystemName, 2727 | IN PVOID HandleId OPTIONAL, 2728 | IN PUNICODE_STRING ObjectTypeName, 2729 | IN PUNICODE_STRING ObjectName, 2730 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 2731 | IN PSID PrincipalSelfSid OPTIONAL, 2732 | IN ACCESS_MASK DesiredAccess, 2733 | IN AUDIT_EVENT_TYPE AuditType, 2734 | IN ULONG Flags, 2735 | IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, 2736 | IN ULONG ObjectTypeListLength, 2737 | IN PGENERIC_MAPPING GenericMapping, 2738 | IN BOOLEAN ObjectCreation, 2739 | OUT PACCESS_MASK GrantedAccess, 2740 | OUT PULONG AccessStatus, 2741 | OUT PBOOLEAN GenerateOnClose); 2742 | 2743 | EXTERN_C NTSTATUS NtResetEvent( 2744 | IN HANDLE EventHandle, 2745 | OUT PULONG PreviousState OPTIONAL); 2746 | 2747 | EXTERN_C NTSTATUS NtQueueApcThreadEx( 2748 | IN HANDLE ThreadHandle, 2749 | IN HANDLE UserApcReserveHandle OPTIONAL, 2750 | IN PKNORMAL_ROUTINE ApcRoutine, 2751 | IN PVOID ApcArgument1 OPTIONAL, 2752 | IN PVOID ApcArgument2 OPTIONAL, 2753 | IN PVOID ApcArgument3 OPTIONAL); 2754 | 2755 | EXTERN_C NTSTATUS NtClearAllSavepointsTransaction( 2756 | IN HANDLE TransactionHandle); 2757 | 2758 | EXTERN_C NTSTATUS NtQueryWnfStateNameInformation( 2759 | IN PCWNF_STATE_NAME StateName, 2760 | IN PCWNF_TYPE_ID NameInfoClass, 2761 | IN PVOID ExplicitScope OPTIONAL, 2762 | OUT PVOID InfoBuffer, 2763 | IN ULONG InfoBufferSize); 2764 | 2765 | EXTERN_C NTSTATUS NtRequestWakeupLatency( 2766 | IN ULONG LatencyTime); 2767 | 2768 | EXTERN_C NTSTATUS NtCreateKey( 2769 | OUT PHANDLE KeyHandle, 2770 | IN ACCESS_MASK DesiredAccess, 2771 | IN POBJECT_ATTRIBUTES ObjectAttributes, 2772 | IN ULONG TitleIndex, 2773 | IN PUNICODE_STRING Class OPTIONAL, 2774 | IN ULONG CreateOptions, 2775 | OUT PULONG Disposition OPTIONAL); 2776 | 2777 | EXTERN_C NTSTATUS NtStartProfile( 2778 | IN HANDLE ProfileHandle); 2779 | 2780 | EXTERN_C NTSTATUS NtAlpcSendWaitReceivePort( 2781 | IN HANDLE PortHandle, 2782 | IN ULONG Flags, 2783 | IN PPORT_MESSAGE SendMessage OPTIONAL, 2784 | IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, 2785 | OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, 2786 | IN OUT PSIZE_T BufferLength OPTIONAL, 2787 | IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, 2788 | IN PLARGE_INTEGER Timeout OPTIONAL); 2789 | 2790 | EXTERN_C NTSTATUS NtOpenThreadTokenEx( 2791 | IN HANDLE ThreadHandle, 2792 | IN ACCESS_MASK DesiredAccess, 2793 | IN BOOLEAN OpenAsSelf, 2794 | IN ULONG HandleAttributes, 2795 | OUT PHANDLE TokenHandle); 2796 | 2797 | EXTERN_C NTSTATUS NtSetInformationResourceManager( 2798 | IN HANDLE ResourceManagerHandle, 2799 | IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 2800 | IN PVOID ResourceManagerInformation, 2801 | IN ULONG ResourceManagerInformationLength); 2802 | 2803 | EXTERN_C NTSTATUS NtQuerySystemInformationEx( 2804 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 2805 | IN PVOID InputBuffer, 2806 | IN ULONG InputBufferLength, 2807 | OUT PVOID SystemInformation OPTIONAL, 2808 | IN ULONG SystemInformationLength, 2809 | OUT PULONG ReturnLength OPTIONAL); 2810 | 2811 | EXTERN_C NTSTATUS NtAlpcImpersonateClientOfPort( 2812 | IN HANDLE PortHandle, 2813 | IN PPORT_MESSAGE Message, 2814 | IN PVOID Flags); 2815 | 2816 | EXTERN_C NTSTATUS NtDisplayString( 2817 | IN PUNICODE_STRING String); 2818 | 2819 | EXTERN_C NTSTATUS NtSetDriverEntryOrder( 2820 | IN PULONG Ids, 2821 | IN PULONG Count); 2822 | 2823 | EXTERN_C NTSTATUS NtQueryDirectoryFile( 2824 | IN HANDLE FileHandle, 2825 | IN HANDLE Event OPTIONAL, 2826 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2827 | IN PVOID ApcContext OPTIONAL, 2828 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2829 | OUT PVOID FileInformation, 2830 | IN ULONG Length, 2831 | IN FILE_INFORMATION_CLASS FileInformationClass, 2832 | IN BOOLEAN ReturnSingleEntry, 2833 | IN PUNICODE_STRING FileName OPTIONAL, 2834 | IN BOOLEAN RestartScan); 2835 | 2836 | EXTERN_C NTSTATUS NtCreateThreadEx( 2837 | OUT PHANDLE ThreadHandle, 2838 | IN ACCESS_MASK DesiredAccess, 2839 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2840 | IN HANDLE ProcessHandle, 2841 | IN PVOID StartRoutine, 2842 | IN PVOID Argument OPTIONAL, 2843 | IN ULONG CreateFlags, 2844 | IN SIZE_T ZeroBits, 2845 | IN SIZE_T StackSize, 2846 | IN SIZE_T MaximumStackSize, 2847 | IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); 2848 | 2849 | EXTERN_C NTSTATUS NtManagePartition( 2850 | IN HANDLE TargetHandle, 2851 | IN HANDLE SourceHandle, 2852 | IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, 2853 | IN OUT PVOID PartitionInformation, 2854 | IN ULONG PartitionInformationLength); 2855 | 2856 | EXTERN_C NTSTATUS NtQueryMutant( 2857 | IN HANDLE MutantHandle, 2858 | IN MUTANT_INFORMATION_CLASS MutantInformationClass, 2859 | OUT PVOID MutantInformation, 2860 | IN ULONG MutantInformationLength, 2861 | OUT PULONG ReturnLength OPTIONAL); 2862 | 2863 | EXTERN_C NTSTATUS NtRestoreKey( 2864 | IN HANDLE KeyHandle, 2865 | IN HANDLE FileHandle, 2866 | IN ULONG Flags); 2867 | 2868 | EXTERN_C NTSTATUS NtReleaseWorkerFactoryWorker( 2869 | IN HANDLE WorkerFactoryHandle); 2870 | 2871 | EXTERN_C NTSTATUS NtSecureConnectPort( 2872 | OUT PHANDLE PortHandle, 2873 | IN PUNICODE_STRING PortName, 2874 | IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, 2875 | IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, 2876 | IN PSID RequiredServerSid OPTIONAL, 2877 | IN OUT PPORT_SECTION_READ ServerView OPTIONAL, 2878 | OUT PULONG MaxMessageLength OPTIONAL, 2879 | IN OUT PVOID ConnectionInformation OPTIONAL, 2880 | IN OUT PULONG ConnectionInformationLength OPTIONAL); 2881 | 2882 | EXTERN_C NTSTATUS NtFlushVirtualMemory( 2883 | IN HANDLE ProcessHandle, 2884 | IN OUT PVOID BaseAddress, 2885 | IN OUT PULONG RegionSize, 2886 | OUT PIO_STATUS_BLOCK IoStatusBlock); 2887 | 2888 | EXTERN_C NTSTATUS NtReadFileScatter( 2889 | IN HANDLE FileHandle, 2890 | IN HANDLE Event OPTIONAL, 2891 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 2892 | IN PVOID ApcContext OPTIONAL, 2893 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2894 | IN PFILE_SEGMENT_ELEMENT SegmentArray, 2895 | IN ULONG Length, 2896 | IN PLARGE_INTEGER ByteOffset OPTIONAL, 2897 | IN PULONG Key OPTIONAL); 2898 | 2899 | EXTERN_C NTSTATUS NtQuerySymbolicLinkObject( 2900 | IN HANDLE LinkHandle, 2901 | IN OUT PUNICODE_STRING LinkTarget, 2902 | OUT PULONG ReturnedLength OPTIONAL); 2903 | 2904 | EXTERN_C NTSTATUS NtTerminateProcess( 2905 | IN HANDLE ProcessHandle OPTIONAL, 2906 | IN NTSTATUS ExitStatus); 2907 | 2908 | EXTERN_C NTSTATUS NtQuerySecurityAttributesToken( 2909 | IN HANDLE TokenHandle, 2910 | IN PUNICODE_STRING Attributes OPTIONAL, 2911 | IN ULONG NumberOfAttributes, 2912 | OUT PVOID Buffer, 2913 | IN ULONG Length, 2914 | OUT PULONG ReturnLength); 2915 | 2916 | EXTERN_C NTSTATUS NtMapViewOfSectionEx( 2917 | IN HANDLE SectionHandle, 2918 | IN HANDLE ProcessHandle, 2919 | IN OUT PLARGE_INTEGER SectionOffset, 2920 | IN OUT PPVOID BaseAddress, 2921 | IN OUT PSIZE_T ViewSize, 2922 | IN ULONG AllocationType, 2923 | IN ULONG Protect, 2924 | IN OUT PVOID DataBuffer OPTIONAL, 2925 | IN ULONG DataCount); 2926 | 2927 | EXTERN_C NTSTATUS NtAlpcCreatePortSection( 2928 | IN HANDLE PortHandle, 2929 | IN ULONG Flags, 2930 | IN HANDLE SectionHandle OPTIONAL, 2931 | IN SIZE_T SectionSize, 2932 | OUT PHANDLE AlpcSectionHandle, 2933 | OUT PSIZE_T ActualSectionSize); 2934 | 2935 | EXTERN_C NTSTATUS NtSetInformationObject( 2936 | IN HANDLE Handle, 2937 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 2938 | IN PVOID ObjectInformation, 2939 | IN ULONG ObjectInformationLength); 2940 | 2941 | EXTERN_C NTSTATUS NtCreateThread( 2942 | OUT PHANDLE ThreadHandle, 2943 | IN ACCESS_MASK DesiredAccess, 2944 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2945 | IN HANDLE ProcessHandle, 2946 | OUT PCLIENT_ID ClientId, 2947 | IN PCONTEXT ThreadContext, 2948 | IN PUSER_STACK InitialTeb, 2949 | IN BOOLEAN CreateSuspended); 2950 | 2951 | EXTERN_C NTSTATUS NtAdjustGroupsToken( 2952 | IN HANDLE TokenHandle, 2953 | IN BOOLEAN ResetToDefault, 2954 | IN PTOKEN_GROUPS NewState OPTIONAL, 2955 | IN ULONG BufferLength OPTIONAL, 2956 | OUT PTOKEN_GROUPS PreviousState OPTIONAL, 2957 | OUT PULONG ReturnLength); 2958 | 2959 | EXTERN_C NTSTATUS NtSetIntervalProfile( 2960 | IN ULONG Interval, 2961 | IN KPROFILE_SOURCE Source); 2962 | 2963 | EXTERN_C NTSTATUS NtCallEnclave( 2964 | IN PENCLAVE_ROUTINE Routine, 2965 | IN PVOID Parameter, 2966 | IN BOOLEAN WaitForThread, 2967 | IN OUT PVOID ReturnValue OPTIONAL); 2968 | 2969 | EXTERN_C NTSTATUS NtAccessCheckAndAuditAlarm( 2970 | IN PUNICODE_STRING SubsystemName, 2971 | IN PVOID HandleId OPTIONAL, 2972 | IN PUNICODE_STRING ObjectTypeName, 2973 | IN PUNICODE_STRING ObjectName, 2974 | IN PSECURITY_DESCRIPTOR SecurityDescriptor, 2975 | IN ACCESS_MASK DesiredAccess, 2976 | IN PGENERIC_MAPPING GenericMapping, 2977 | IN BOOLEAN ObjectCreation, 2978 | OUT PACCESS_MASK GrantedAccess, 2979 | OUT PBOOLEAN AccessStatus, 2980 | OUT PBOOLEAN GenerateOnClose); 2981 | 2982 | EXTERN_C NTSTATUS NtQueryInformationFile( 2983 | IN HANDLE FileHandle, 2984 | OUT PIO_STATUS_BLOCK IoStatusBlock, 2985 | OUT PVOID FileInformation, 2986 | IN ULONG Length, 2987 | IN FILE_INFORMATION_CLASS FileInformationClass); 2988 | 2989 | EXTERN_C NTSTATUS NtCreateToken( 2990 | OUT PHANDLE TokenHandle, 2991 | IN ACCESS_MASK DesiredAccess, 2992 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 2993 | IN TOKEN_TYPE TokenType, 2994 | IN PLUID AuthenticationId, 2995 | IN PLARGE_INTEGER ExpirationTime, 2996 | IN PTOKEN_USER User, 2997 | IN PTOKEN_GROUPS Groups, 2998 | IN PTOKEN_PRIVILEGES Privileges, 2999 | IN PTOKEN_OWNER Owner OPTIONAL, 3000 | IN PTOKEN_PRIMARY_GROUP PrimaryGroup, 3001 | IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, 3002 | IN PTOKEN_SOURCE TokenSource); 3003 | 3004 | EXTERN_C NTSTATUS NtCancelIoFile( 3005 | IN HANDLE FileHandle, 3006 | OUT PIO_STATUS_BLOCK IoStatusBlock); 3007 | 3008 | EXTERN_C NTSTATUS NtCommitTransaction( 3009 | IN HANDLE TransactionHandle, 3010 | IN BOOLEAN Wait); 3011 | 3012 | EXTERN_C NTSTATUS NtReadFile( 3013 | IN HANDLE FileHandle, 3014 | IN HANDLE Event OPTIONAL, 3015 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3016 | OUT PVOID ApcContext OPTIONAL, 3017 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3018 | IN PVOID Buffer, 3019 | IN ULONG Length, 3020 | IN PLARGE_INTEGER ByteOffset OPTIONAL, 3021 | IN PULONG Key OPTIONAL); 3022 | 3023 | EXTERN_C NTSTATUS NtSavepointTransaction( 3024 | IN HANDLE TransactionHandle, 3025 | IN BOOLEAN Flag, 3026 | OUT ULONG SavePointId); 3027 | 3028 | EXTERN_C NTSTATUS NtUmsThreadYield( 3029 | IN PVOID SchedulerParam); 3030 | 3031 | EXTERN_C NTSTATUS NtQueryWnfStateData( 3032 | IN PCWNF_STATE_NAME StateName, 3033 | IN PCWNF_TYPE_ID TypeId OPTIONAL, 3034 | IN PVOID ExplicitScope OPTIONAL, 3035 | OUT PWNF_CHANGE_STAMP ChangeStamp, 3036 | OUT PVOID Buffer OPTIONAL, 3037 | IN OUT PULONG BufferSize); 3038 | 3039 | EXTERN_C NTSTATUS NtFilterTokenEx( 3040 | IN HANDLE TokenHandle, 3041 | IN ULONG Flags, 3042 | IN PTOKEN_GROUPS SidsToDisable OPTIONAL, 3043 | IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, 3044 | IN PTOKEN_GROUPS RestrictedSids OPTIONAL, 3045 | IN ULONG DisableUserClaimsCount, 3046 | IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, 3047 | IN ULONG DisableDeviceClaimsCount, 3048 | IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, 3049 | IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, 3050 | IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, 3051 | IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, 3052 | IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, 3053 | OUT PHANDLE NewTokenHandle); 3054 | 3055 | EXTERN_C NTSTATUS NtEnumerateDriverEntries( 3056 | OUT PVOID Buffer OPTIONAL, 3057 | IN OUT PULONG BufferLength); 3058 | 3059 | EXTERN_C NTSTATUS NtDeleteWnfStateName( 3060 | IN PCWNF_STATE_NAME StateName); 3061 | 3062 | EXTERN_C NTSTATUS NtWaitHighEventPair( 3063 | IN HANDLE EventHandle); 3064 | 3065 | EXTERN_C NTSTATUS NtDeleteAtom( 3066 | IN USHORT Atom); 3067 | 3068 | EXTERN_C NTSTATUS NtRemoveProcessDebug( 3069 | IN HANDLE ProcessHandle, 3070 | IN HANDLE DebugObjectHandle); 3071 | 3072 | EXTERN_C NTSTATUS NtMarshallTransaction(); 3073 | 3074 | EXTERN_C NTSTATUS NtReplyWaitReplyPort( 3075 | IN HANDLE PortHandle, 3076 | IN OUT PPORT_MESSAGE ReplyMessage); 3077 | 3078 | EXTERN_C NTSTATUS NtSetInformationThread( 3079 | IN HANDLE ThreadHandle, 3080 | IN THREADINFOCLASS ThreadInformationClass, 3081 | IN PVOID ThreadInformation, 3082 | IN ULONG ThreadInformationLength); 3083 | 3084 | EXTERN_C NTSTATUS NtSaveMergedKeys( 3085 | IN HANDLE HighPrecedenceKeyHandle, 3086 | IN HANDLE LowPrecedenceKeyHandle, 3087 | IN HANDLE FileHandle); 3088 | 3089 | EXTERN_C NTSTATUS NtReplacePartitionUnit( 3090 | IN PUNICODE_STRING TargetInstancePath, 3091 | IN PUNICODE_STRING SpareInstancePath, 3092 | IN ULONG Flags); 3093 | 3094 | EXTERN_C NTSTATUS NtFreeVirtualMemory( 3095 | IN HANDLE ProcessHandle, 3096 | IN OUT PVOID BaseAddress, 3097 | IN OUT PULONG RegionSize, 3098 | IN ULONG FreeType); 3099 | 3100 | EXTERN_C NTSTATUS NtRecoverResourceManager( 3101 | IN HANDLE ResourceManagerHandle); 3102 | 3103 | EXTERN_C NTSTATUS NtSetQuotaInformationFile( 3104 | IN HANDLE FileHandle, 3105 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3106 | IN PFILE_USER_QUOTA_INFORMATION Buffer, 3107 | IN ULONG Length); 3108 | 3109 | EXTERN_C NTSTATUS NtCallbackReturn( 3110 | IN PVOID OutputBuffer OPTIONAL, 3111 | IN ULONG OutputLength, 3112 | IN NTSTATUS Status); 3113 | 3114 | EXTERN_C NTSTATUS NtDisableLastKnownGood(); 3115 | 3116 | EXTERN_C NTSTATUS NtQueryLicenseValue( 3117 | IN PUNICODE_STRING ValueName, 3118 | OUT PULONG Type OPTIONAL, 3119 | OUT PVOID SystemData OPTIONAL, 3120 | IN ULONG DataSize, 3121 | OUT PULONG ResultDataSize); 3122 | 3123 | EXTERN_C NTSTATUS NtTraceEvent( 3124 | IN HANDLE TraceHandle, 3125 | IN ULONG Flags, 3126 | IN ULONG FieldSize, 3127 | IN PVOID Fields); 3128 | 3129 | EXTERN_C NTSTATUS NtAlertThreadByThreadId( 3130 | IN ULONG ThreadId); 3131 | 3132 | EXTERN_C NTSTATUS NtSetSystemEnvironmentValueEx( 3133 | IN PUNICODE_STRING VariableName, 3134 | IN LPGUID VendorGuid, 3135 | IN PVOID Value OPTIONAL, 3136 | IN ULONG ValueLength, 3137 | IN ULONG Attributes); 3138 | 3139 | EXTERN_C NTSTATUS NtWriteFileGather( 3140 | IN HANDLE FileHandle, 3141 | IN HANDLE Event OPTIONAL, 3142 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3143 | IN PVOID ApcContext OPTIONAL, 3144 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3145 | IN PFILE_SEGMENT_ELEMENT SegmentArray, 3146 | IN ULONG Length, 3147 | IN PLARGE_INTEGER ByteOffset, 3148 | IN PULONG Key OPTIONAL); 3149 | 3150 | EXTERN_C NTSTATUS NtQuerySecurityObject( 3151 | IN HANDLE Handle, 3152 | IN SECURITY_INFORMATION SecurityInformation, 3153 | OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, 3154 | IN ULONG Length, 3155 | OUT PULONG LengthNeeded); 3156 | 3157 | EXTERN_C NTSTATUS NtAlpcDisconnectPort( 3158 | IN HANDLE PortHandle, 3159 | IN ULONG Flags); 3160 | 3161 | EXTERN_C NTSTATUS NtEnableLastKnownGood(); 3162 | 3163 | EXTERN_C NTSTATUS NtDeletePrivateNamespace( 3164 | IN HANDLE NamespaceHandle); 3165 | 3166 | EXTERN_C NTSTATUS NtClose( 3167 | IN HANDLE Handle); 3168 | 3169 | EXTERN_C NTSTATUS NtApphelpCacheControl( 3170 | IN APPHELPCACHESERVICECLASS Service, 3171 | IN PVOID ServiceData); 3172 | 3173 | EXTERN_C NTSTATUS NtSetLowWaitHighEventPair( 3174 | IN HANDLE EventPairHandle); 3175 | 3176 | EXTERN_C NTSTATUS NtAdjustPrivilegesToken( 3177 | IN HANDLE TokenHandle, 3178 | IN BOOLEAN DisableAllPrivileges, 3179 | IN PTOKEN_PRIVILEGES NewState OPTIONAL, 3180 | IN ULONG BufferLength, 3181 | OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, 3182 | OUT PULONG ReturnLength OPTIONAL); 3183 | 3184 | EXTERN_C NTSTATUS NtSetTimerResolution( 3185 | IN ULONG DesiredResolution, 3186 | IN BOOLEAN SetResolution, 3187 | OUT PULONG CurrentResolution); 3188 | 3189 | EXTERN_C NTSTATUS NtAlpcOpenSenderThread( 3190 | OUT PHANDLE ThreadHandle, 3191 | IN HANDLE PortHandle, 3192 | IN PPORT_MESSAGE PortMessage, 3193 | IN ULONG Flags, 3194 | IN ACCESS_MASK DesiredAccess, 3195 | IN POBJECT_ATTRIBUTES ObjectAttributes); 3196 | 3197 | EXTERN_C NTSTATUS NtRegisterProtocolAddressInformation( 3198 | IN HANDLE ResourceManager, 3199 | IN LPGUID ProtocolId, 3200 | IN ULONG ProtocolInformationSize, 3201 | IN PVOID ProtocolInformation, 3202 | IN ULONG CreateOptions OPTIONAL); 3203 | 3204 | EXTERN_C NTSTATUS NtReadVirtualMemory( 3205 | IN HANDLE ProcessHandle, 3206 | IN PVOID BaseAddress OPTIONAL, 3207 | OUT PVOID Buffer, 3208 | IN ULONG BufferSize, 3209 | OUT PULONG NumberOfBytesRead OPTIONAL); 3210 | 3211 | EXTERN_C NTSTATUS NtSaveKeyEx( 3212 | IN HANDLE KeyHandle, 3213 | IN HANDLE FileHandle, 3214 | IN ULONG Format); 3215 | 3216 | EXTERN_C NTSTATUS NtRollbackRegistryTransaction( 3217 | IN HANDLE RegistryHandle, 3218 | IN BOOL Wait); 3219 | 3220 | EXTERN_C NTSTATUS NtFsControlFile( 3221 | IN HANDLE FileHandle, 3222 | IN HANDLE Event OPTIONAL, 3223 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3224 | IN PVOID ApcContext OPTIONAL, 3225 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3226 | IN ULONG FsControlCode, 3227 | IN PVOID InputBuffer OPTIONAL, 3228 | IN ULONG InputBufferLength, 3229 | OUT PVOID OutputBuffer OPTIONAL, 3230 | IN ULONG OutputBufferLength); 3231 | 3232 | EXTERN_C NTSTATUS NtSubscribeWnfStateChange( 3233 | IN PCWNF_STATE_NAME StateName, 3234 | IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, 3235 | IN ULONG EventMask, 3236 | OUT PLARGE_INTEGER SubscriptionId OPTIONAL); 3237 | 3238 | EXTERN_C NTSTATUS NtDeleteDriverEntry( 3239 | IN ULONG Id); 3240 | 3241 | EXTERN_C NTSTATUS NtSaveKey( 3242 | IN HANDLE KeyHandle, 3243 | IN HANDLE FileHandle); 3244 | 3245 | EXTERN_C NTSTATUS NtQueryInformationTransactionManager( 3246 | IN HANDLE TransactionManagerHandle, 3247 | IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, 3248 | OUT PVOID TransactionManagerInformation, 3249 | IN ULONG TransactionManagerInformationLength, 3250 | OUT PULONG ReturnLength OPTIONAL); 3251 | 3252 | EXTERN_C NTSTATUS NtAlpcImpersonateClientContainerOfPort( 3253 | IN HANDLE PortHandle, 3254 | IN PPORT_MESSAGE Message, 3255 | IN ULONG Flags); 3256 | 3257 | EXTERN_C NTSTATUS NtQueryDebugFilterState( 3258 | IN ULONG ComponentId, 3259 | IN ULONG Level); 3260 | 3261 | EXTERN_C NTSTATUS NtSetSecurityObject( 3262 | IN HANDLE ObjectHandle, 3263 | IN SECURITY_INFORMATION SecurityInformationClass, 3264 | IN PSECURITY_DESCRIPTOR DescriptorBuffer); 3265 | 3266 | EXTERN_C NTSTATUS NtCreateKeyTransacted( 3267 | OUT PHANDLE KeyHandle, 3268 | IN ACCESS_MASK DesiredAccess, 3269 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3270 | IN ULONG TitleIndex, 3271 | IN PUNICODE_STRING Class OPTIONAL, 3272 | IN ULONG CreateOptions, 3273 | IN HANDLE TransactionHandle, 3274 | OUT PULONG Disposition OPTIONAL); 3275 | 3276 | EXTERN_C NTSTATUS NtLoadEnclaveData( 3277 | IN HANDLE ProcessHandle, 3278 | IN PVOID BaseAddress, 3279 | IN PVOID Buffer, 3280 | IN SIZE_T BufferSize, 3281 | IN ULONG Protect, 3282 | IN PVOID PageInformation, 3283 | IN ULONG PageInformationLength, 3284 | OUT PSIZE_T NumberOfBytesWritten OPTIONAL, 3285 | OUT PULONG EnclaveError OPTIONAL); 3286 | 3287 | EXTERN_C NTSTATUS NtGetNextProcess( 3288 | IN HANDLE ProcessHandle, 3289 | IN ACCESS_MASK DesiredAccess, 3290 | IN ULONG HandleAttributes, 3291 | IN ULONG Flags, 3292 | OUT PHANDLE NewProcessHandle); 3293 | 3294 | EXTERN_C NTSTATUS NtQueryTimer( 3295 | IN HANDLE TimerHandle, 3296 | IN TIMER_INFORMATION_CLASS TimerInformationClass, 3297 | OUT PVOID TimerInformation, 3298 | IN ULONG TimerInformationLength, 3299 | OUT PULONG ReturnLength OPTIONAL); 3300 | 3301 | EXTERN_C NTSTATUS NtTerminateThread( 3302 | IN HANDLE ThreadHandle, 3303 | IN NTSTATUS ExitStatus); 3304 | 3305 | EXTERN_C NTSTATUS NtGetMUIRegistryInfo( 3306 | IN ULONG Flags, 3307 | IN OUT PULONG DataSize, 3308 | OUT PVOID SystemData); 3309 | 3310 | EXTERN_C NTSTATUS NtQueryDefaultLocale( 3311 | IN BOOLEAN UserProfile, 3312 | OUT PLCID DefaultLocaleId); 3313 | 3314 | EXTERN_C NTSTATUS NtLockFile( 3315 | IN HANDLE FileHandle, 3316 | IN HANDLE Event OPTIONAL, 3317 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3318 | IN PVOID ApcContext OPTIONAL, 3319 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3320 | IN PULARGE_INTEGER ByteOffset, 3321 | IN PULARGE_INTEGER Length, 3322 | IN ULONG Key, 3323 | IN BOOLEAN FailImmediately, 3324 | IN BOOLEAN ExclusiveLock); 3325 | 3326 | EXTERN_C NTSTATUS NtAlpcDeleteResourceReserve( 3327 | IN HANDLE PortHandle, 3328 | IN ULONG Flags, 3329 | IN HANDLE ResourceId); 3330 | 3331 | EXTERN_C NTSTATUS NtCreateProfileEx( 3332 | OUT PHANDLE ProfileHandle, 3333 | IN HANDLE Process OPTIONAL, 3334 | IN PVOID ProfileBase, 3335 | IN SIZE_T ProfileSize, 3336 | IN ULONG BucketSize, 3337 | IN PULONG Buffer, 3338 | IN ULONG BufferSize, 3339 | IN KPROFILE_SOURCE ProfileSource, 3340 | IN USHORT GroupCount, 3341 | IN PGROUP_AFFINITY GroupAffinity); 3342 | 3343 | EXTERN_C NTSTATUS NtQueryOpenSubKeys( 3344 | IN POBJECT_ATTRIBUTES TargetKey, 3345 | OUT PULONG HandleCount); 3346 | 3347 | EXTERN_C NTSTATUS NtSetIRTimer( 3348 | IN HANDLE TimerHandle, 3349 | IN PLARGE_INTEGER DueTime OPTIONAL); 3350 | 3351 | EXTERN_C NTSTATUS NtAllocateVirtualMemoryEx( 3352 | IN HANDLE ProcessHandle, 3353 | IN OUT PPVOID lpAddress, 3354 | IN ULONG_PTR ZeroBits, 3355 | IN OUT PSIZE_T pSize, 3356 | IN ULONG flAllocationType, 3357 | IN OUT PVOID DataBuffer OPTIONAL, 3358 | IN ULONG DataCount); 3359 | 3360 | EXTERN_C NTSTATUS NtCreatePrivateNamespace( 3361 | OUT PHANDLE NamespaceHandle, 3362 | IN ACCESS_MASK DesiredAccess, 3363 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3364 | IN PVOID BoundaryDescriptor); 3365 | 3366 | EXTERN_C NTSTATUS NtRequestPort( 3367 | IN HANDLE PortHandle, 3368 | IN PPORT_MESSAGE RequestMessage); 3369 | 3370 | EXTERN_C NTSTATUS NtOpenFile( 3371 | OUT PHANDLE FileHandle, 3372 | IN ACCESS_MASK DesiredAccess, 3373 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3374 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3375 | IN ULONG ShareAccess, 3376 | IN ULONG OpenOptions); 3377 | 3378 | EXTERN_C NTSTATUS NtCreateWaitablePort( 3379 | OUT PHANDLE PortHandle, 3380 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3381 | IN ULONG MaxConnectionInfoLength, 3382 | IN ULONG MaxMessageLength, 3383 | IN ULONG MaxPoolUsage OPTIONAL); 3384 | 3385 | EXTERN_C NTSTATUS NtOpenThreadToken( 3386 | IN HANDLE ThreadHandle, 3387 | IN ACCESS_MASK DesiredAccess, 3388 | IN BOOLEAN OpenAsSelf, 3389 | OUT PHANDLE TokenHandle); 3390 | 3391 | EXTERN_C NTSTATUS NtSetIoCompletion( 3392 | IN HANDLE IoCompletionHandle, 3393 | IN ULONG CompletionKey, 3394 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3395 | IN NTSTATUS CompletionStatus, 3396 | IN ULONG NumberOfBytesTransfered); 3397 | 3398 | EXTERN_C NTSTATUS NtReplyWaitReceivePort( 3399 | IN HANDLE PortHandle, 3400 | OUT PVOID PortContext OPTIONAL, 3401 | IN PPORT_MESSAGE ReplyMessage OPTIONAL, 3402 | OUT PPORT_MESSAGE ReceiveMessage); 3403 | 3404 | EXTERN_C NTSTATUS NtFlushInstructionCache( 3405 | IN HANDLE ProcessHandle, 3406 | IN PVOID BaseAddress OPTIONAL, 3407 | IN ULONG Length); 3408 | 3409 | EXTERN_C NTSTATUS NtGetCompleteWnfStateSubscription( 3410 | IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, 3411 | IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, 3412 | IN ULONG OldDescriptorEventMask OPTIONAL, 3413 | IN ULONG OldDescriptorStatus OPTIONAL, 3414 | OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, 3415 | IN ULONG DescriptorSize); 3416 | 3417 | EXTERN_C NTSTATUS NtSetInformationToken( 3418 | IN HANDLE TokenHandle, 3419 | IN TOKEN_INFORMATION_CLASS TokenInformationClass, 3420 | IN PVOID TokenInformation, 3421 | IN ULONG TokenInformationLength); 3422 | 3423 | EXTERN_C NTSTATUS NtShutdownSystem( 3424 | IN SHUTDOWN_ACTION Action); 3425 | 3426 | EXTERN_C NTSTATUS NtPrivilegedServiceAuditAlarm( 3427 | IN PUNICODE_STRING SubsystemName, 3428 | IN PUNICODE_STRING ServiceName, 3429 | IN HANDLE ClientToken, 3430 | IN PPRIVILEGE_SET Privileges, 3431 | IN BOOLEAN AccessGranted); 3432 | 3433 | EXTERN_C NTSTATUS NtQueryVirtualMemory( 3434 | IN HANDLE ProcessHandle, 3435 | IN PVOID BaseAddress, 3436 | IN MEMORY_INFORMATION_CLASS MemoryInformationClass, 3437 | OUT PVOID MemoryInformation, 3438 | IN ULONG MemoryInformationLength, 3439 | OUT PULONG ReturnLength OPTIONAL); 3440 | 3441 | EXTERN_C NTSTATUS NtSetTimer( 3442 | IN HANDLE TimerHandle, 3443 | IN PLARGE_INTEGER DueTime, 3444 | IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, 3445 | IN PVOID TimerContext OPTIONAL, 3446 | IN BOOLEAN ResumeTimer, 3447 | IN LONG Period OPTIONAL, 3448 | OUT PBOOLEAN PreviousState OPTIONAL); 3449 | 3450 | EXTERN_C NTSTATUS NtAddDriverEntry( 3451 | IN PEFI_DRIVER_ENTRY DriverEntry, 3452 | OUT PULONG Id OPTIONAL); 3453 | 3454 | EXTERN_C NTSTATUS NtOpenSection( 3455 | OUT PHANDLE SectionHandle, 3456 | IN ACCESS_MASK DesiredAccess, 3457 | IN POBJECT_ATTRIBUTES ObjectAttributes); 3458 | 3459 | EXTERN_C NTSTATUS NtCompareSigningLevels( 3460 | IN ULONG UnknownParameter1, 3461 | IN ULONG UnknownParameter2); 3462 | 3463 | EXTERN_C NTSTATUS NtReleaseCMFViewOwnership(); 3464 | 3465 | EXTERN_C NTSTATUS NtReplaceKey( 3466 | IN POBJECT_ATTRIBUTES NewFile, 3467 | IN HANDLE TargetHandle, 3468 | IN POBJECT_ATTRIBUTES OldFile); 3469 | 3470 | EXTERN_C NTSTATUS NtGetWriteWatch( 3471 | IN HANDLE ProcessHandle, 3472 | IN ULONG Flags, 3473 | IN PVOID BaseAddress, 3474 | IN ULONG RegionSize, 3475 | OUT PULONG UserAddressArray, 3476 | IN OUT PULONG EntriesInUserAddressArray, 3477 | OUT PULONG Granularity); 3478 | 3479 | EXTERN_C NTSTATUS NtDeleteWnfStateData( 3480 | IN PCWNF_STATE_NAME StateName, 3481 | IN PVOID ExplicitScope OPTIONAL); 3482 | 3483 | EXTERN_C NTSTATUS NtSinglePhaseReject( 3484 | IN HANDLE EnlistmentHandle, 3485 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 3486 | 3487 | EXTERN_C NTSTATUS NtUnloadDriver( 3488 | IN PUNICODE_STRING DriverServiceName); 3489 | 3490 | EXTERN_C NTSTATUS NtCreateIRTimer( 3491 | OUT PHANDLE TimerHandle, 3492 | IN ACCESS_MASK DesiredAccess); 3493 | 3494 | EXTERN_C NTSTATUS NtCreateTransactionManager( 3495 | OUT PHANDLE TmHandle, 3496 | IN ACCESS_MASK DesiredAccess, 3497 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3498 | IN PUNICODE_STRING LogFileName OPTIONAL, 3499 | IN ULONG CreateOptions OPTIONAL, 3500 | IN ULONG CommitStrength OPTIONAL); 3501 | 3502 | EXTERN_C NTSTATUS NtFilterBootOption( 3503 | IN FILTER_BOOT_OPTION_OPERATION FilterOperation, 3504 | IN ULONG ObjectType, 3505 | IN ULONG ElementType, 3506 | IN PVOID SystemData OPTIONAL, 3507 | IN ULONG DataSize); 3508 | 3509 | EXTERN_C NTSTATUS NtWriteFile( 3510 | IN HANDLE FileHandle, 3511 | IN HANDLE Event OPTIONAL, 3512 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3513 | IN PVOID ApcContext OPTIONAL, 3514 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3515 | IN PVOID Buffer, 3516 | IN ULONG Length, 3517 | IN PLARGE_INTEGER ByteOffset OPTIONAL, 3518 | IN PULONG Key OPTIONAL); 3519 | 3520 | EXTERN_C NTSTATUS NtNotifyChangeDirectoryFile( 3521 | IN HANDLE FileHandle, 3522 | IN HANDLE Event OPTIONAL, 3523 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3524 | IN PVOID ApcContext OPTIONAL, 3525 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3526 | OUT PFILE_NOTIFY_INFORMATION Buffer, 3527 | IN ULONG Length, 3528 | IN ULONG CompletionFilter, 3529 | IN BOOLEAN WatchTree); 3530 | 3531 | EXTERN_C NTSTATUS NtSetSystemPowerState( 3532 | IN POWER_ACTION SystemAction, 3533 | IN SYSTEM_POWER_STATE MinSystemState, 3534 | IN ULONG Flags); 3535 | 3536 | EXTERN_C NTSTATUS NtCreateJobObject( 3537 | OUT PHANDLE JobHandle, 3538 | IN ACCESS_MASK DesiredAccess, 3539 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); 3540 | 3541 | EXTERN_C NTSTATUS NtPulseEvent( 3542 | IN HANDLE EventHandle, 3543 | OUT PULONG PreviousState OPTIONAL); 3544 | 3545 | EXTERN_C NTSTATUS NtSavepointComplete( 3546 | IN HANDLE TransactionHandle, 3547 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 3548 | 3549 | EXTERN_C NTSTATUS NtSetInformationTransaction( 3550 | IN HANDLE TransactionHandle, 3551 | IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, 3552 | IN PVOID TransactionInformation, 3553 | IN ULONG TransactionInformationLength); 3554 | 3555 | EXTERN_C NTSTATUS NtUpdateWnfStateData( 3556 | IN PCWNF_STATE_NAME StateName, 3557 | IN PVOID Buffer OPTIONAL, 3558 | IN ULONG Length OPTIONAL, 3559 | IN PCWNF_TYPE_ID TypeId OPTIONAL, 3560 | IN PVOID ExplicitScope OPTIONAL, 3561 | IN WNF_CHANGE_STAMP MatchingChangeStamp, 3562 | IN ULONG CheckStamp); 3563 | 3564 | EXTERN_C NTSTATUS NtCreateEventPair( 3565 | OUT PHANDLE EventPairHandle, 3566 | IN ACCESS_MASK DesiredAccess, 3567 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); 3568 | 3569 | EXTERN_C NTSTATUS NtCreatePartition( 3570 | OUT PHANDLE PartitionHandle, 3571 | IN ACCESS_MASK DesiredAccess, 3572 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3573 | IN ULONG PreferredNode); 3574 | 3575 | EXTERN_C NTSTATUS NtSetTimerEx( 3576 | IN HANDLE TimerHandle, 3577 | IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, 3578 | IN OUT PVOID TimerSetInformation OPTIONAL, 3579 | IN ULONG TimerSetInformationLength); 3580 | 3581 | EXTERN_C NTSTATUS NtOpenSemaphore( 3582 | OUT PHANDLE SemaphoreHandle, 3583 | IN ACCESS_MASK DesiredAccess, 3584 | IN POBJECT_ATTRIBUTES ObjectAttributes); 3585 | 3586 | EXTERN_C NTSTATUS NtAlpcDeleteSecurityContext( 3587 | IN HANDLE PortHandle, 3588 | IN ULONG Flags, 3589 | IN HANDLE ContextHandle); 3590 | 3591 | EXTERN_C NTSTATUS NtCreateDebugObject( 3592 | OUT PHANDLE DebugObjectHandle, 3593 | IN ACCESS_MASK DesiredAccess, 3594 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3595 | IN ULONG Flags); 3596 | 3597 | EXTERN_C NTSTATUS NtPrivilegeCheck( 3598 | IN HANDLE ClientToken, 3599 | IN OUT PPRIVILEGE_SET RequiredPrivileges, 3600 | OUT PBOOLEAN Result); 3601 | 3602 | EXTERN_C NTSTATUS NtLoadKey2( 3603 | IN POBJECT_ATTRIBUTES TargetKey, 3604 | IN POBJECT_ATTRIBUTES SourceFile, 3605 | IN ULONG Flags); 3606 | 3607 | EXTERN_C NTSTATUS NtCreateSemaphore( 3608 | OUT PHANDLE SemaphoreHandle, 3609 | IN ACCESS_MASK DesiredAccess, 3610 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3611 | IN LONG InitialCount, 3612 | IN LONG MaximumCount); 3613 | 3614 | EXTERN_C NTSTATUS NtCreateProfile( 3615 | OUT PHANDLE ProfileHandle, 3616 | IN HANDLE Process OPTIONAL, 3617 | IN PVOID ProfileBase, 3618 | IN ULONG ProfileSize, 3619 | IN ULONG BucketSize, 3620 | IN PULONG Buffer, 3621 | IN ULONG BufferSize, 3622 | IN KPROFILE_SOURCE ProfileSource, 3623 | IN ULONG Affinity); 3624 | 3625 | EXTERN_C NTSTATUS NtWaitLowEventPair( 3626 | IN HANDLE EventHandle); 3627 | 3628 | EXTERN_C NTSTATUS NtAlpcDeletePortSection( 3629 | IN HANDLE PortHandle, 3630 | IN ULONG Flags, 3631 | IN HANDLE SectionHandle); 3632 | 3633 | EXTERN_C NTSTATUS NtAcquireProcessActivityReference(); 3634 | 3635 | EXTERN_C NTSTATUS NtAdjustTokenClaimsAndDeviceGroups( 3636 | IN HANDLE TokenHandle, 3637 | IN BOOLEAN UserResetToDefault, 3638 | IN BOOLEAN DeviceResetToDefault, 3639 | IN BOOLEAN DeviceGroupsResetToDefault, 3640 | IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL, 3641 | IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, 3642 | IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, 3643 | IN ULONG UserBufferLength, 3644 | OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, 3645 | IN ULONG DeviceBufferLength, 3646 | OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, 3647 | IN ULONG DeviceGroupsBufferLength, 3648 | OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, 3649 | OUT PULONG UserReturnLength OPTIONAL, 3650 | OUT PULONG DeviceReturnLength OPTIONAL, 3651 | OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); 3652 | 3653 | EXTERN_C NTSTATUS NtNotifyChangeKey( 3654 | IN HANDLE KeyHandle, 3655 | IN HANDLE Event OPTIONAL, 3656 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 3657 | IN PVOID ApcContext OPTIONAL, 3658 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3659 | IN ULONG CompletionFilter, 3660 | IN BOOLEAN WatchTree, 3661 | OUT PVOID Buffer OPTIONAL, 3662 | IN ULONG BufferSize, 3663 | IN BOOLEAN Asynchronous); 3664 | 3665 | EXTERN_C NTSTATUS NtWaitForSingleObject( 3666 | IN HANDLE ObjectHandle, 3667 | IN BOOLEAN Alertable, 3668 | IN PLARGE_INTEGER TimeOut OPTIONAL); 3669 | 3670 | EXTERN_C NTSTATUS NtGetNlsSectionPtr( 3671 | IN ULONG SectionType, 3672 | IN ULONG SectionData, 3673 | IN PVOID ContextData, 3674 | OUT PVOID SectionPointer, 3675 | OUT PULONG SectionSize); 3676 | 3677 | EXTERN_C NTSTATUS NtQueryIoCompletion( 3678 | IN HANDLE IoCompletionHandle, 3679 | IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, 3680 | OUT PVOID IoCompletionInformation, 3681 | IN ULONG IoCompletionInformationLength, 3682 | OUT PULONG ReturnLength OPTIONAL); 3683 | 3684 | EXTERN_C NTSTATUS NtSetVolumeInformationFile( 3685 | IN HANDLE FileHandle, 3686 | OUT PIO_STATUS_BLOCK IoStatusBlock, 3687 | IN PVOID FileSystemInformation, 3688 | IN ULONG Length, 3689 | IN FSINFOCLASS FileSystemInformationClass); 3690 | 3691 | EXTERN_C NTSTATUS NtCreateUserProcess( 3692 | OUT PHANDLE ProcessHandle, 3693 | OUT PHANDLE ThreadHandle, 3694 | IN ACCESS_MASK ProcessDesiredAccess, 3695 | IN ACCESS_MASK ThreadDesiredAccess, 3696 | IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, 3697 | IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, 3698 | IN ULONG ProcessFlags, 3699 | IN ULONG ThreadFlags, 3700 | IN PVOID ProcessParameters OPTIONAL, 3701 | IN OUT PPS_CREATE_INFO CreateInfo, 3702 | IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); 3703 | 3704 | EXTERN_C NTSTATUS NtCancelSynchronousIoFile( 3705 | IN HANDLE ThreadHandle, 3706 | IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, 3707 | OUT PIO_STATUS_BLOCK IoStatusBlock); 3708 | 3709 | EXTERN_C NTSTATUS NtPropagationFailed( 3710 | IN HANDLE ResourceManagerHandle, 3711 | IN ULONG RequestCookie, 3712 | IN NTSTATUS PropStatus); 3713 | 3714 | EXTERN_C NTSTATUS NtLoadKeyEx( 3715 | IN POBJECT_ATTRIBUTES TargetKey, 3716 | IN POBJECT_ATTRIBUTES SourceFile, 3717 | IN ULONG Flags, 3718 | IN HANDLE TrustClassKey OPTIONAL, 3719 | IN HANDLE Event OPTIONAL, 3720 | IN ACCESS_MASK DesiredAccess OPTIONAL, 3721 | OUT PHANDLE RootHandle OPTIONAL, 3722 | OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); 3723 | 3724 | EXTERN_C NTSTATUS NtQueryInformationResourceManager( 3725 | IN HANDLE ResourceManagerHandle, 3726 | IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, 3727 | OUT PVOID ResourceManagerInformation, 3728 | IN ULONG ResourceManagerInformationLength, 3729 | OUT PULONG ReturnLength OPTIONAL); 3730 | 3731 | EXTERN_C NTSTATUS NtSetInformationEnlistment( 3732 | IN HANDLE EnlistmentHandle, 3733 | IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, 3734 | IN PVOID EnlistmentInformation, 3735 | IN ULONG EnlistmentInformationLength); 3736 | 3737 | EXTERN_C NTSTATUS NtSetInformationProcess( 3738 | IN HANDLE DeviceHandle, 3739 | IN PROCESSINFOCLASS ProcessInformationClass, 3740 | IN PVOID ProcessInformation, 3741 | IN ULONG Length); 3742 | 3743 | EXTERN_C NTSTATUS NtOpenProcess( 3744 | OUT PHANDLE ProcessHandle, 3745 | IN ACCESS_MASK DesiredAccess, 3746 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3747 | IN PCLIENT_ID ClientId OPTIONAL); 3748 | 3749 | EXTERN_C NTSTATUS NtRequestDeviceWakeup( 3750 | IN HANDLE DeviceHandle); 3751 | 3752 | EXTERN_C NTSTATUS NtSetSystemTime( 3753 | IN PLARGE_INTEGER SystemTime, 3754 | OUT PLARGE_INTEGER PreviousTime OPTIONAL); 3755 | 3756 | EXTERN_C NTSTATUS NtMapUserPhysicalPages( 3757 | IN PVOID VirtualAddress, 3758 | IN PULONG NumberOfPages, 3759 | IN PULONG UserPfnArray OPTIONAL); 3760 | 3761 | EXTERN_C NTSTATUS NtClearSavepointTransaction( 3762 | IN HANDLE TransactionHandle, 3763 | IN ULONG SavePointId); 3764 | 3765 | EXTERN_C NTSTATUS NtOpenKeyTransacted( 3766 | OUT PHANDLE KeyHandle, 3767 | IN ACCESS_MASK DesiredAccess, 3768 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3769 | IN HANDLE TransactionHandle); 3770 | 3771 | EXTERN_C NTSTATUS NtQueryBootEntryOrder( 3772 | OUT PULONG Ids OPTIONAL, 3773 | IN OUT PULONG Count); 3774 | 3775 | EXTERN_C NTSTATUS NtOpenProcessToken( 3776 | IN HANDLE ProcessHandle, 3777 | IN ACCESS_MASK DesiredAccess, 3778 | OUT PHANDLE TokenHandle); 3779 | 3780 | EXTERN_C NTSTATUS NtQueryFullAttributesFile( 3781 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3782 | OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); 3783 | 3784 | EXTERN_C NTSTATUS NtCreateWaitCompletionPacket( 3785 | OUT PHANDLE WaitCompletionPacketHandle, 3786 | IN ACCESS_MASK DesiredAccess, 3787 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); 3788 | 3789 | EXTERN_C NTSTATUS NtQueryKey( 3790 | IN HANDLE KeyHandle, 3791 | IN KEY_INFORMATION_CLASS KeyInformationClass, 3792 | OUT PVOID KeyInformation OPTIONAL, 3793 | IN ULONG Length, 3794 | OUT PULONG ResultLength); 3795 | 3796 | EXTERN_C NTSTATUS NtQueryInformationPort( 3797 | IN HANDLE PortHandle, 3798 | IN PORT_INFORMATION_CLASS PortInformationClass, 3799 | OUT PVOID PortInformation, 3800 | IN ULONG Length, 3801 | OUT PULONG ReturnLength OPTIONAL); 3802 | 3803 | EXTERN_C NTSTATUS NtAlpcCreateResourceReserve( 3804 | IN HANDLE PortHandle, 3805 | IN ULONG Flags, 3806 | IN SIZE_T MessageSize, 3807 | OUT PHANDLE ResourceId); 3808 | 3809 | EXTERN_C NTSTATUS NtTranslateFilePath( 3810 | IN PFILE_PATH InputFilePath, 3811 | IN ULONG OutputType, 3812 | OUT PFILE_PATH OutputFilePath OPTIONAL, 3813 | IN OUT PULONG OutputFilePathLength OPTIONAL); 3814 | 3815 | EXTERN_C NTSTATUS NtSetEvent( 3816 | IN HANDLE EventHandle, 3817 | OUT PULONG PreviousState OPTIONAL); 3818 | 3819 | EXTERN_C NTSTATUS NtAlpcCreateSecurityContext( 3820 | IN HANDLE PortHandle, 3821 | IN ULONG Flags, 3822 | IN OUT PALPC_SECURITY_ATTR SecurityAttribute); 3823 | 3824 | EXTERN_C NTSTATUS NtAlertThread( 3825 | IN HANDLE ThreadHandle); 3826 | 3827 | EXTERN_C NTSTATUS NtSetInformationSymbolicLink( 3828 | IN HANDLE Handle, 3829 | IN ULONG Class, 3830 | IN PVOID Buffer, 3831 | IN ULONG BufferLength); 3832 | 3833 | EXTERN_C NTSTATUS NtAssignProcessToJobObject( 3834 | IN HANDLE JobHandle, 3835 | IN HANDLE ProcessHandle); 3836 | 3837 | EXTERN_C NTSTATUS NtQueryInformationAtom( 3838 | IN USHORT Atom, 3839 | IN ATOM_INFORMATION_CLASS AtomInformationClass, 3840 | OUT PVOID AtomInformation, 3841 | IN ULONG AtomInformationLength, 3842 | OUT PULONG ReturnLength OPTIONAL); 3843 | 3844 | EXTERN_C NTSTATUS NtInitializeNlsFiles( 3845 | OUT PVOID BaseAddress, 3846 | OUT PLCID DefaultLocaleId, 3847 | OUT PLARGE_INTEGER DefaultCasingTableSize); 3848 | 3849 | EXTERN_C NTSTATUS NtReleaseMutant( 3850 | IN HANDLE MutantHandle, 3851 | OUT PULONG PreviousCount OPTIONAL); 3852 | 3853 | EXTERN_C NTSTATUS NtWaitForWorkViaWorkerFactory( 3854 | IN HANDLE WorkerFactoryHandle, 3855 | OUT PVOID MiniPacket); 3856 | 3857 | EXTERN_C NTSTATUS NtQuerySystemTime( 3858 | OUT PLARGE_INTEGER SystemTime); 3859 | 3860 | EXTERN_C NTSTATUS NtSetCachedSigningLevel( 3861 | IN ULONG Flags, 3862 | IN SE_SIGNING_LEVEL InputSigningLevel, 3863 | IN PHANDLE SourceFiles, 3864 | IN ULONG SourceFileCount, 3865 | IN HANDLE TargetFile OPTIONAL); 3866 | 3867 | EXTERN_C NTSTATUS NtCommitEnlistment( 3868 | IN HANDLE EnlistmentHandle, 3869 | IN PLARGE_INTEGER TmVirtualClock OPTIONAL); 3870 | 3871 | EXTERN_C NTSTATUS NtCreateDirectoryObjectEx( 3872 | OUT PHANDLE DirectoryHandle, 3873 | IN ACCESS_MASK DesiredAccess, 3874 | IN POBJECT_ATTRIBUTES ObjectAttributes, 3875 | IN HANDLE ShadowDirectoryHandle, 3876 | IN ULONG Flags); 3877 | 3878 | EXTERN_C NTSTATUS NtUnloadKeyEx( 3879 | IN POBJECT_ATTRIBUTES TargetKey, 3880 | IN HANDLE Event OPTIONAL); 3881 | 3882 | EXTERN_C NTSTATUS NtReleaseSemaphore( 3883 | IN HANDLE SemaphoreHandle, 3884 | IN LONG ReleaseCount, 3885 | OUT PLONG PreviousCount OPTIONAL); 3886 | 3887 | EXTERN_C NTSTATUS NtAddAtomEx( 3888 | IN PWSTR AtomName, 3889 | IN ULONG Length, 3890 | IN PRTL_ATOM Atom, 3891 | IN ULONG Flags); 3892 | 3893 | EXTERN_C NTSTATUS NtWorkerFactoryWorkerReady( 3894 | IN HANDLE WorkerFactoryHandle); 3895 | 3896 | EXTERN_C NTSTATUS NtOpenEventPair( 3897 | OUT PHANDLE EventPairHandle, 3898 | IN ACCESS_MASK DesiredAccess, 3899 | IN POBJECT_ATTRIBUTES ObjectAttributes); 3900 | 3901 | EXTERN_C NTSTATUS NtQueryInformationToken( 3902 | IN HANDLE TokenHandle, 3903 | IN TOKEN_INFORMATION_CLASS TokenInformationClass, 3904 | OUT PVOID TokenInformation, 3905 | IN ULONG TokenInformationLength, 3906 | OUT PULONG ReturnLength); 3907 | 3908 | EXTERN_C NTSTATUS NtExtendSection( 3909 | IN HANDLE SectionHandle, 3910 | IN OUT PLARGE_INTEGER NewSectionSize); 3911 | 3912 | EXTERN_C NTSTATUS NtAccessCheck( 3913 | IN PSECURITY_DESCRIPTOR pSecurityDescriptor, 3914 | IN HANDLE ClientToken, 3915 | IN ACCESS_MASK DesiaredAccess, 3916 | IN PGENERIC_MAPPING GenericMapping, 3917 | OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, 3918 | IN OUT PULONG PrivilegeSetLength, 3919 | OUT PACCESS_MASK GrantedAccess, 3920 | OUT PBOOLEAN AccessStatus); 3921 | 3922 | EXTERN_C NTSTATUS NtCreateResourceManager( 3923 | OUT PHANDLE ResourceManagerHandle, 3924 | IN ACCESS_MASK DesiredAccess, 3925 | IN HANDLE TmHandle, 3926 | IN LPGUID RmGuid, 3927 | IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, 3928 | IN ULONG CreateOptions OPTIONAL, 3929 | IN PUNICODE_STRING Description OPTIONAL); 3930 | 3931 | EXTERN_C NTSTATUS NtEnumerateBootEntries( 3932 | OUT PVOID Buffer OPTIONAL, 3933 | IN OUT PULONG BufferLength); 3934 | 3935 | EXTERN_C NTSTATUS NtSignalAndWaitForSingleObject( 3936 | IN HANDLE hObjectToSignal, 3937 | IN HANDLE hObjectToWaitOn, 3938 | IN BOOLEAN bAlertable, 3939 | IN PLARGE_INTEGER dwMilliseconds OPTIONAL); 3940 | 3941 | EXTERN_C NTSTATUS NtOpenSession( 3942 | OUT PHANDLE SessionHandle, 3943 | IN ACCESS_MASK DesiredAccess, 3944 | IN POBJECT_ATTRIBUTES ObjectAttributes); 3945 | 3946 | EXTERN_C NTSTATUS NtCancelTimer2( 3947 | IN HANDLE TimerHandle, 3948 | IN PT2_CANCEL_PARAMETERS Parameters); 3949 | 3950 | EXTERN_C NTSTATUS NtCompactKeys( 3951 | IN ULONG Count, 3952 | IN HANDLE KeyArray); 3953 | 3954 | EXTERN_C NTSTATUS NtQuerySystemInformation( 3955 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 3956 | IN OUT PVOID SystemInformation, 3957 | IN ULONG SystemInformationLength, 3958 | OUT PULONG ReturnLength OPTIONAL); 3959 | 3960 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | jmespath==0.9.4 2 | -------------------------------------------------------------------------------- /syswhispers.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import argparse 4 | import json 5 | import jmespath 6 | import functools 7 | import operator 8 | import os 9 | from pprint import pprint 10 | 11 | class SysWhispers(object): 12 | 13 | def __init__(self, nasm = False): 14 | self.typedefs: list = json.load(open('./data/typedefs.json')) 15 | self.prototypes: dict = json.load(open('./data/prototypes.json')) 16 | self.syscall_numbers: dict = json.load(open('./data/syscall_numbers.json')) 17 | self.isnasm = nasm; 18 | self.version_syscall_map = lambda function_name: { 19 | 'Windows XP': [{ 20 | 'version': '5.X.XXXX', 21 | 'description': 'Windows XP and Server 2003', 22 | 'jmespath': f'{function_name}."Windows XP".SP2' 23 | }], 24 | 25 | 'Windows Vista': [{ 26 | 'version': '6.0.6000', 27 | 'description': 'Windows Vista SP0', 28 | 'jmespath': f'{function_name}."Windows Vista".SP0' 29 | }, { 30 | 'version': '6.0.6001', 31 | 'description': 'Windows Vista SP1 and Server 2008 SP0', 32 | 'jmespath': f'{function_name}."Windows Vista".SP1' 33 | }, { 34 | 'version': '6.0.6002', 35 | 'description': 'Windows Vista SP2 and Server 2008 SP2', 36 | 'jmespath': f'{function_name}."Windows Vista".SP2' 37 | }], 38 | 39 | 'Windows 7': [{ 40 | 'version': '6.1.7600', 41 | 'description': 'Windows 7 SP0', 42 | 'jmespath': f'{function_name}."Windows 7".SP0' 43 | }, { 44 | 'version': '6.1.7601', 45 | 'description': 'Windows 7 SP1 and Server 2008 R2 SP0', 46 | 'jmespath': f'{function_name}."Windows 7".SP1' 47 | }], 48 | 49 | 'Windows 8': [{ 50 | 'version': '6.2.XXXX', 51 | 'description': 'Windows 8 and Server 2012', 52 | 'jmespath': f'{function_name}."Windows 8"."8.0"' 53 | }, { 54 | 'version': '6.3.XXXX', 55 | 'description': 'Windows 8.1 and Server 2012 R2', 56 | 'jmespath': f'{function_name}."Windows 8"."8.1"' 57 | }], 58 | 59 | 'Windows 10': [{ 60 | 'version': '10.0.10240', 61 | 'description': 'Windows 10.0.10240 (1507)', 62 | 'jmespath': f'{function_name}."Windows 10"."1507"' 63 | }, { 64 | 'version': '10.0.10586', 65 | 'description': 'Windows 10.0.10586 (1511)', 66 | 'jmespath': f'{function_name}."Windows 10"."1511"' 67 | }, { 68 | 'version': '10.0.14393', 69 | 'description': 'Windows 10.0.14393 (1607)', 70 | 'jmespath': f'{function_name}."Windows 10"."1607"' 71 | }, { 72 | 'version': '10.0.15063', 73 | 'description': 'Windows 10.0.15063 (1703)', 74 | 'jmespath': f'{function_name}."Windows 10"."1703"' 75 | }, { 76 | 'version': '10.0.16299', 77 | 'description': 'Windows 10.0.16299 (1709)', 78 | 'jmespath': f'{function_name}."Windows 10"."1709"' 79 | }, { 80 | 'version': '10.0.17134', 81 | 'description': 'Windows 10.0.17134 (1803)', 82 | 'jmespath': f'{function_name}."Windows 10"."1803"' 83 | }, { 84 | 'version': '10.0.17763', 85 | 'description': 'Windows 10.0.17763 (1809)', 86 | 'jmespath': f'{function_name}."Windows 10"."1809"' 87 | }, { 88 | 'version': '10.0.18362', 89 | 'description': 'Windows 10.0.18362 (1903)', 90 | 'jmespath': f'{function_name}."Windows 10"."1903"' 91 | }, { 92 | 'version': '10.0.18363', 93 | 'description': 'Windows 10.0.18363 (1909)', 94 | 'jmespath': f'{function_name}."Windows 10"."1909"' 95 | }, { 96 | 'version': '10.0.19041', 97 | 'description': 'Windows 10.0.19041 (2004)', 98 | 'jmespath': f'{function_name}."Windows 10"."2004"' 99 | }, { 100 | 'version': '10.0.19042', 101 | 'description': 'Windows 10.0.19042 (20H2)', 102 | 'jmespath': f'{function_name}."Windows 10"."20H2"' 103 | }] 104 | } 105 | 106 | def generate(self, function_names: list = (), versions: list = (), basename: str = 'syscalls', isnasm: bool = None): 107 | if isnasm is not None: 108 | self.isnasm = isnasm 109 | 110 | if not function_names: 111 | function_names = list(self.syscall_numbers.keys()) 112 | 113 | excluded_functions = [] 114 | 115 | # Write ASM file. 116 | with open(f'{basename}.asm', 'wb') as hnd: 117 | if self.isnasm: 118 | hnd.write(b'SECTION .text\n\n') 119 | for function_name in function_names: 120 | hnd.write(f'global _{function_name}\n'.encode()) 121 | else: 122 | hnd.write(b'.code\n\n') 123 | for function_name in function_names: 124 | try: 125 | hnd.write((self._get_function_asm_code(function_name, versions) + '\n').encode()) 126 | except ValueError as incompatible_function: 127 | print(f'WARNING: {incompatible_function}') 128 | excluded_functions.append(function_name) 129 | if not self.isnasm: 130 | hnd.write(b'end') 131 | 132 | function_names = list(set(function_names) - set(excluded_functions)) 133 | if not function_names: 134 | os.remove(f'{basename}.asm') 135 | print('ERROR: No compatible functions found. Exiting...') 136 | return 137 | elif excluded_functions: 138 | print() 139 | 140 | # Write header file. 141 | with open(f'{basename}.h', 'wb') as hnd: 142 | hnd.write(b'#pragma once\n\n#include \n\n') 143 | for typedef in self._get_typedefs(function_names): 144 | hnd.write(typedef.encode() + b'\n\n') 145 | for function_name in function_names: 146 | hnd.write((self._get_function_prototype(function_name) + '\n\n').encode()) 147 | 148 | print('Complete! Files written to:') 149 | print(f'\t{basename}.asm') 150 | print(f'\t{basename}.h') 151 | 152 | def get_version_compatibility(self, versions: list) -> dict: 153 | version_compatibility = {} 154 | for version in versions: 155 | version_compatibility[version] = list(filter(lambda f: version in self.syscall_numbers[f], 156 | [f for f in self.syscall_numbers])) 157 | return version_compatibility 158 | 159 | def get_function_compatibility(self, function_names: list) -> dict: 160 | function_compatibility = {} 161 | for function_name in function_names: 162 | function_compatibility[function_name] = [v for v in self.syscall_numbers[function_name].keys() 163 | if v in self.version_syscall_map(function_name).keys()] 164 | return function_compatibility 165 | 166 | def _get_typedefs(self, function_names: list) -> list: 167 | def _names_to_ids(names: list) -> list: 168 | return [next(i for i, t in enumerate(self.typedefs) if n in t['identifiers']) for n in names] 169 | 170 | # Determine typedefs to use. 171 | used_typedefs = [] 172 | for function_name in function_names: 173 | for param in self.prototypes[function_name]['params']: 174 | if list(filter(lambda t: param['type'] in t['identifiers'], self.typedefs)): 175 | if param['type'] not in used_typedefs: 176 | used_typedefs.append(param['type']) 177 | 178 | # Resolve typedef dependencies. 179 | i = 0 180 | typedef_layers = {i: _names_to_ids(used_typedefs)} 181 | while True: 182 | # Identify dependencies of current layer. 183 | more_dependencies = [] 184 | for typedef_id in typedef_layers[i]: 185 | more_dependencies += self.typedefs[typedef_id]['dependencies'] 186 | more_dependencies = list(set(more_dependencies)) # Remove duplicates. 187 | 188 | if more_dependencies: 189 | # Create new layer. 190 | i += 1 191 | typedef_layers[i] = _names_to_ids(more_dependencies) 192 | else: 193 | # Remove duplicates between layers. 194 | for k in range(len(typedef_layers) - 1): 195 | typedef_layers[k] = set(typedef_layers[k]) - set(typedef_layers[k + 1]) 196 | break 197 | 198 | # Get code for each typedef. 199 | typedef_code = [] 200 | for i in range(max(typedef_layers.keys()), -1, -1): 201 | for j in typedef_layers[i]: 202 | typedef_code.append(self.typedefs[j]['definition']) 203 | return typedef_code 204 | 205 | def _get_function_prototype(self, function_name: str) -> str: 206 | # Check if given function is in syscall map. 207 | if function_name not in self.prototypes: 208 | raise ValueError('Invalid function name provided.') 209 | 210 | num_params = len(self.prototypes[function_name]['params']) 211 | if self.isnasm: 212 | signature = f'EXTERN_C NTSTATUS _{function_name}(' 213 | else: 214 | signature = f'EXTERN_C NTSTATUS {function_name}(' 215 | if num_params: 216 | for i in range(num_params): 217 | param = self.prototypes[function_name]['params'][i] 218 | signature += '\n\t' 219 | signature += 'IN ' if param['in'] else '' 220 | signature += 'OUT ' if param['out'] else '' 221 | signature += f'{param["type"]} {param["name"]}' 222 | signature += ' OPTIONAL' if param['optional'] else '' 223 | signature += ',' if i < num_params - 1 else ');' 224 | else: 225 | signature += ');' 226 | 227 | return signature 228 | 229 | def _get_function_asm_code(self, function_name: str, versions: list = ()) -> str: 230 | # Check if given function is in syscall map. 231 | if function_name not in self.syscall_numbers: 232 | raise ValueError('Invalid function name provided.') 233 | 234 | # If no versions list is provided, support all compatible versions. 235 | if not versions: 236 | versions = [v for v in self.syscall_numbers[function_name].keys() 237 | if v in self.version_syscall_map(function_name).keys()] 238 | 239 | # Check if given function is compatible with given Windows versions. 240 | compatible_versions = [] 241 | incompatible_versions = [] 242 | for version in versions: 243 | if any(isinstance(jmespath.search(build['jmespath'], self.syscall_numbers), int) 244 | for build in self.version_syscall_map(function_name)[version]): 245 | compatible_versions.append(version) 246 | else: 247 | incompatible_versions.append(version) 248 | if incompatible_versions: 249 | raise ValueError(f'{function_name} is not compatible with {", ".join(incompatible_versions)}.') 250 | 251 | # Generate 64-bit ASM code. 252 | code = '' 253 | ptr = '' 254 | if self.isnasm: 255 | code += f'_{function_name}:\n' 256 | code += '\tmov rax, [gs:60h]'.ljust(len(function_name) + 28) 257 | else: 258 | code += f'{function_name} PROC\n' 259 | code += '\tmov rax, gs:[60h]'.ljust(len(function_name) + 28) 260 | ptr = 'ptr ' 261 | code += '; Load PEB into RAX.\n' 262 | 263 | # Code to check major version. 264 | code += f'{function_name}_Check_X_X_XXXX:'.ljust(len(function_name) + 31) 265 | code += '; Check major version.\n' 266 | if 'Windows XP' in compatible_versions: 267 | code += f'\tcmp dword {ptr}[rax+118h], 5\n' 268 | code += f'\tje {function_name}_SystemCall_5_X_XXXX\n' 269 | if any(v in compatible_versions for v in ['Windows Vista', 'Windows 7', 'Windows 8']): 270 | code += f'\tcmp dword {ptr}[rax+118h], 6\n' 271 | code += f'\tje {function_name}_Check_6_X_XXXX\n' 272 | if 'Windows 10' in compatible_versions: 273 | code += f'\tcmp dword {ptr}[rax+118h], 10\n' 274 | code += f'\tje {function_name}_Check_10_0_XXXX\n' 275 | code += f'\tjmp {function_name}_SystemCall_Unknown\n' 276 | 277 | # Code to check minor version for Vista/7/8. 278 | if any(v in compatible_versions for v in ['Windows Vista', 'Windows 7', 'Windows 8']): 279 | code += f'{function_name}_Check_6_X_XXXX:'.ljust(len(function_name) + 31) 280 | code += '; Check minor version for Windows Vista/7/8.\n' 281 | if 'Windows Vista' in compatible_versions: 282 | code += f'\tcmp dword {ptr}[rax+11ch], 0\n' 283 | code += f'\tje {function_name}_Check_6_0_XXXX\n' 284 | if 'Windows 7' in compatible_versions: 285 | code += f'\tcmp dword {ptr}[rax+11ch], 1\n' 286 | code += f'\tje {function_name}_Check_6_1_XXXX\n' 287 | if 'Windows 8' in compatible_versions: 288 | for build in self.version_syscall_map(function_name)['Windows 8']: 289 | if isinstance(jmespath.search(build['jmespath'], self.syscall_numbers), int): 290 | code += f'\tcmp dword {ptr}[rax+11ch], {build["version"][2]}\n' 291 | code += f'\tje {function_name}_SystemCall_{build["version"].replace(".", "_")}\n' 292 | code += f'\tjmp {function_name}_SystemCall_Unknown\n' 293 | 294 | # Code to check build number for Windows Vista. 295 | if 'Windows Vista' in compatible_versions: 296 | code += f'{function_name}_Check_6_0_XXXX:'.ljust(len(function_name) + 31) 297 | code += '; Check build number for Windows Vista.\n' 298 | for build in self.version_syscall_map(function_name)['Windows Vista']: 299 | if jmespath.search(build['jmespath'], self.syscall_numbers): 300 | code += f'\tcmp word {ptr}[rax+120h], {build["version"].split(".")[-1]}\n' 301 | code += f'\tje {function_name}_SystemCall_{build["version"].replace(".", "_")}\n' 302 | code += f'\tjmp {function_name}_SystemCall_Unknown\n' 303 | 304 | # Code to check build number for Windows 7. 305 | if 'Windows 7' in compatible_versions: 306 | code += f'{function_name}_Check_6_1_XXXX:'.ljust(len(function_name) + 31) 307 | code += '; Check build number for Windows 7.\n' 308 | for build in self.version_syscall_map(function_name)['Windows 7']: 309 | if jmespath.search(build['jmespath'], self.syscall_numbers): 310 | code += f'\tcmp word {ptr}[rax+120h], {build["version"].split(".")[-1]}\n' 311 | code += f'\tje {function_name}_SystemCall_{build["version"].replace(".", "_")}\n' 312 | code += f'\tjmp {function_name}_SystemCall_Unknown\n' 313 | 314 | # Code to check build number for Windows 10. 315 | if 'Windows 10' in compatible_versions: 316 | code += f'{function_name}_Check_10_0_XXXX:'.ljust(len(function_name) + 31) 317 | code += '; Check build number for Windows 10.\n' 318 | for build in self.version_syscall_map(function_name)['Windows 10']: 319 | if jmespath.search(build['jmespath'], self.syscall_numbers): 320 | code += f'\tcmp word {ptr}[rax+120h], {build["version"].split(".")[-1]}\n' 321 | code += f'\tje {function_name}_SystemCall_{build["version"].replace(".", "_")}\n' 322 | code += f'\tjmp {function_name}_SystemCall_Unknown\n' 323 | 324 | # Code to set syscall values. 325 | for version in compatible_versions: 326 | for build in self.version_syscall_map(function_name)[version]: 327 | if isinstance(jmespath.search(build['jmespath'], self.syscall_numbers), int): 328 | code += f'{function_name}_SystemCall_{build["version"].replace(".", "_")}:'.ljust( 329 | len(function_name) + 31) 330 | code += f'; {build["description"]}\n' 331 | code += '\tmov eax, %04xh\n' % jmespath.search(build['jmespath'], self.syscall_numbers) 332 | code += f'\tjmp {function_name}_Epilogue\n' 333 | 334 | # What to do when syscall is not found. 335 | code += f'{function_name}_SystemCall_Unknown:'.ljust(len(function_name) + 31) 336 | code += '; Unknown/unsupported version.\n' 337 | code += '\tret\n' 338 | 339 | # Send the syscall and return. 340 | code += f'{function_name}_Epilogue:\n' 341 | code += '\tmov r10, rcx\n' 342 | code += '\tsyscall\n' 343 | code += '\tret\n' 344 | if not self.isnasm: 345 | code += f'{function_name} ENDP\n' 346 | 347 | return code 348 | 349 | 350 | if __name__ == '__main__': 351 | 352 | print( 353 | " \n" 354 | " , , ,_ /_ . , ,_ _ ,_ , \n" 355 | "_/_)__(_/__/_)__/_/_/ / (__/__/_)__/_)__(/__/ (__/_)__\n" 356 | " _/_ / \n" 357 | " (/ / @Jackson_T, 2019 \n\n" 358 | "SysWhispers: Why call the kernel when you can whisper?\n" 359 | ) 360 | 361 | parser = argparse.ArgumentParser() 362 | parser.add_argument('-p', '--preset', help='Preset ("all", "common")', required=False) 363 | parser.add_argument('-f', '--functions', help='Comma-separated functions, OR path to file on disk with newline separated list of functions', required=False) 364 | parser.add_argument('-n', '--nasm', help='Generate nasm compatible asm', action='store_true') 365 | parser.add_argument('-v', '--versions', help='Comma-separated versions (XP, Vista, 7, 8, 10)', required=False) 366 | parser.add_argument('-o', '--out-file', help='Output basename (w/o extension)', required=True) 367 | args = parser.parse_args() 368 | 369 | sw = SysWhispers(args.nasm) 370 | 371 | if args.preset == 'all': 372 | print('All functions selected.\n') 373 | sw.generate(basename=args.out_file) 374 | 375 | elif args.preset == 'common': 376 | print('Common functions selected.\n') 377 | sw.generate( 378 | ['NtCreateProcess', 379 | 'NtCreateThreadEx', 380 | 'NtOpenProcess', 381 | 'NtOpenThread', 382 | 'NtSuspendProcess', 383 | 'NtSuspendThread', 384 | 'NtResumeProcess', 385 | 'NtResumeThread', 386 | 'NtGetContextThread', 387 | 'NtSetContextThread', 388 | 'NtClose', 389 | 'NtReadVirtualMemory', 390 | 'NtWriteVirtualMemory', 391 | 'NtAllocateVirtualMemory', 392 | 'NtProtectVirtualMemory', 393 | 'NtFreeVirtualMemory', 394 | 'NtQuerySystemInformation', 395 | 'NtQueryDirectoryFile', 396 | 'NtQueryInformationFile', 397 | 'NtQueryInformationProcess', 398 | 'NtQueryInformationThread', 399 | 'NtCreateSection', 400 | 'NtOpenSection', 401 | 'NtMapViewOfSection', 402 | 'NtUnmapViewOfSection', 403 | 'NtAdjustPrivilegesToken', 404 | 'NtDeviceIoControlFile', 405 | 'NtQueueApcThread', 406 | 'NtWaitForMultipleObjects'], 407 | ['Windows 7', 408 | 'Windows 8', 409 | 'Windows 10'], 410 | basename=args.out_file) 411 | 412 | elif args.preset: 413 | print('ERROR: Invalid preset provided. Must be "all" or "common".') 414 | 415 | elif not args.functions and not args.versions: 416 | print('ERROR: --preset XOR --functions AND/OR --versions switches must be specified.\n') 417 | print('EXAMPLE: ./syswhispers.py --preset common --out-file syscalls_common') 418 | print( 419 | 'EXAMPLE: ./syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory --out-file syscalls_mem') 420 | print('EXAMPLE: ./syswhispers.py --versions 7,8,10 --out-file syscalls_78X') 421 | 422 | else: 423 | versions_map = { 424 | 'xp': 'Windows XP', 425 | 'vista': 'Windows Vista', 426 | '7': 'Windows 7', 427 | '8': 'Windows 8', 428 | '10': 'Windows 10' 429 | } 430 | 431 | if os.path.exists(args.functions): 432 | with open(args.functions) as fp: 433 | functions = [f.strip('\r\n') for f in fp.readlines()] 434 | else: 435 | functions = args.functions.split(',') if args.functions else [] 436 | versions = [versions_map[v] for v in args.versions.lower().split(',') if 437 | v in versions_map] if args.versions else [] 438 | sw.generate(functions, versions, args.out_file) 439 | -------------------------------------------------------------------------------- /update/getSyscalls.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) 5 | { 6 | PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle("ntdll.dll"); 7 | PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((LPBYTE)pDosHeader + pDosHeader->e_lfanew); 8 | 9 | // Invalid file exit 10 | if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pNtHeader->Signature != IMAGE_NT_SIGNATURE) 11 | return -1; 12 | 13 | PIMAGE_EXPORT_DIRECTORY pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((LPBYTE)pDosHeader + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 14 | if (!pExportDirectory) 15 | return -1; 16 | 17 | PDWORD dwAddress = (PDWORD)((LPBYTE)pDosHeader + pExportDirectory->AddressOfFunctions); 18 | PDWORD dwName = (PDWORD)((LPBYTE)pDosHeader + pExportDirectory->AddressOfNames); 19 | PWORD dwOrdinal = (PWORD)((LPBYTE)pDosHeader + pExportDirectory->AddressOfNameOrdinals); 20 | 21 | unsigned char pBuf[32] = { 0 }; 22 | const unsigned char pSig[4] = { 0x4C, 0x8B, 0xD1, 0xB8 }; 23 | 24 | printf("SYSCALL ADDRESS FUNCTION\n"); 25 | printf("-----------------------------------------\n"); 26 | 27 | for (DWORD i = 0; i < pExportDirectory->NumberOfFunctions; i++) 28 | { 29 | memset(&pBuf, 0, 32); 30 | PVOID pAddr = (PVOID)((LPBYTE)pDosHeader + dwAddress[dwOrdinal[i]]); 31 | char *szName = (char*)pDosHeader + dwName[i]; 32 | 33 | memcpy(&pBuf, pAddr, 32); 34 | 35 | if (!pAddr || !szName) 36 | break; 37 | 38 | for (int x = 0; x < sizeof(pSig); x++) 39 | { 40 | if (pBuf[x] != pSig[x]) 41 | break; 42 | 43 | if (x == sizeof(pSig) - 1) { 44 | printf("0x%02X%02X\t %p\t%s\n", pBuf[5] pBuf[4], pAddr, szName); 45 | } 46 | } 47 | } 48 | } -------------------------------------------------------------------------------- /update/getSyscalls.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/SysWhispers/1f50ad7527b5dc829cec45d638e189d4bbdc7b86/update/getSyscalls.exe -------------------------------------------------------------------------------- /update/updateJson.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | #This script takes the two paramenters (1: VerionsName) (2:getSyscalls.exe output) and updates the json files acordingly, outputing to stdout (redirect to get it to a file) 4 | #Currently it'll only be updating for hardcoded windows 10, as everything else should be locked in 5 | #You must manually update prototypes.json to include new functions, this file will disregard any item not already in prototypes.json 6 | #if you do add a completely new function you'll need to add its skeleton ot syscall_numbers.json as well 7 | #you must also update syswhisper.py's self.version_syscall_map to include the new windows 10 version (https://docs.microsoft.com/en-us/windows/release-information/) 8 | 9 | import sys 10 | import json 11 | import os 12 | import re 13 | 14 | protofile = "../data/prototypes.json" 15 | syscallfile = "../data/syscall_numbers.json" 16 | 17 | def usage(): 18 | print("updateJson.py ") 19 | sys.exit(1) 20 | 21 | 22 | if len(sys.argv) != 3: 23 | usage() 24 | 25 | if not os.path.exists(sys.argv[2]): 26 | print("unable to read in your new syscalls file") 27 | usage() 28 | 29 | with open(sys.argv[2]) as fp: 30 | newsyscalls = {} 31 | for line in fp.readlines(): 32 | parts = re.split('[\t ]+', line) 33 | if(len(parts) != 3 or parts[0] == "SYSCALL"): 34 | continue 35 | newsyscalls[parts[2].strip('\n')] = int(parts[0], base=16) 36 | 37 | if not os.path.exists(protofile): 38 | os.chdir("update") 39 | if not os.path.exists(protofile): 40 | print("Please run this script from the \"update\" directory") 41 | usage() 42 | 43 | with open(protofile) as fp: 44 | proto = json.load(fp) 45 | 46 | with open(syscallfile) as fp: 47 | syscalls = json.load(fp) 48 | 49 | # print("prototypes\n") 50 | # print("------------") 51 | # print(proto) 52 | # print("syscalls\n") 53 | # print("------------") 54 | # print(syscalls) 55 | 56 | for func, num in newsyscalls.items(): 57 | if(func in proto and func in syscalls): 58 | syscalls[func]["Windows 10"][sys.argv[1]] = num 59 | 60 | print(json.dumps(syscalls, indent=2)) 61 | 62 | 63 | --------------------------------------------------------------------------------