├── .gitattributes
├── .gitignore
├── client.sln
├── client
├── client.vcxproj
├── client.vcxproj.filters
└── umkcfcl.c
├── driver
├── client.c
├── default
│ ├── makefile
│ └── sources
├── devctrl.c
├── dirs
├── filter.c
├── include
│ ├── hashset.h
│ ├── ntfill.h
│ └── umkcf.h
├── main.c
├── pscall.c
├── resource.rc
├── sign
│ ├── DigiCert High Assurance EV Root CA.crt
│ ├── sign.cmd
│ └── signfile.cmd
├── sources.inc
├── umkcf.sln
├── umkcf.vcxproj
└── umkcf.vcxproj.filters
├── include
├── sys
│ ├── circbuf.h
│ ├── circbuf_h.h
│ ├── colorbox.h
│ ├── cpysave.h
│ ├── dltmgr.h
│ ├── dspick.h
│ ├── emenu.h
│ ├── fastlock.h
│ ├── filepool.h
│ ├── filepoolp.h
│ ├── graph.h
│ ├── guisupp.h
│ ├── handlep.h
│ ├── hexedit.h
│ ├── hexeditp.h
│ ├── iosupp.h
│ ├── md5.h
│ ├── ntbasic.h
│ ├── ntcm.h
│ ├── ntdbg.h
│ ├── ntexapi.h
│ ├── ntgdi.h
│ ├── ntimport.h
│ ├── ntioapi.h
│ ├── ntkeapi.h
│ ├── ntldr.h
│ ├── ntlpcapi.h
│ ├── ntlsa.h
│ ├── ntmisc.h
│ ├── ntmmapi.h
│ ├── ntnls.h
│ ├── ntobapi.h
│ ├── ntpebteb.h
│ ├── ntpfapi.h
│ ├── ntpnpapi.h
│ ├── ntpoapi.h
│ ├── ntpsapi.h
│ ├── ntregapi.h
│ ├── ntrtl.h
│ ├── ntsam.h
│ ├── ntseapi.h
│ ├── nttmapi.h
│ ├── nttp.h
│ ├── ntwin.h
│ ├── ntwow64.h
│ ├── ntxcapi.h
│ ├── ntzwapi.h
│ ├── ph.h
│ ├── phbase.h
│ ├── phgui.h
│ ├── phintrnl.h
│ ├── phnatinl.h
│ ├── phnet.h
│ ├── phnt.h
│ ├── phsup.h
│ ├── phsync.h
│ ├── queuedlock.h
│ ├── ref.h
│ ├── refp.h
│ ├── seceditp.h
│ ├── sha.h
│ ├── symprv.h
│ ├── templ.h
│ ├── treenew.h
│ ├── treenewp.h
│ ├── verify.h
│ ├── verifyp.h
│ ├── winmisc.h
│ └── winsta.h
├── umkcfapi.h
└── umkcfcl.h
├── lib
├── lib32
│ ├── ntdll.def
│ ├── ntdll.exp
│ └── ntdll.lib
└── lib64
│ ├── ntdll.def
│ ├── ntdll.exp
│ └── ntdll.lib
└── test
├── main.c
├── test.vcxproj
└── test.vcxproj.filters
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 | *.sln merge=union
7 | *.csproj merge=union
8 | *.vbproj merge=union
9 | *.fsproj merge=union
10 | *.dbproj merge=union
11 |
12 | # Standard to msysgit
13 | *.doc diff=astextplain
14 | *.DOC diff=astextplain
15 | *.docx diff=astextplain
16 | *.DOCX diff=astextplain
17 | *.dot diff=astextplain
18 | *.DOT diff=astextplain
19 | *.pdf diff=astextplain
20 | *.PDF diff=astextplain
21 | *.rtf diff=astextplain
22 | *.RTF diff=astextplain
23 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | driver/default/objchk_*
2 | driver/buildchk_*
3 |
4 | #################
5 | ## Eclipse
6 | #################
7 |
8 | *.pydevproject
9 | .project
10 | .metadata
11 | bin/
12 | tmp/
13 | *.tmp
14 | *.bak
15 | *.swp
16 | *~.nib
17 | local.properties
18 | .classpath
19 | .settings/
20 | .loadpath
21 |
22 | # External tool builders
23 | .externalToolBuilders/
24 |
25 | # Locally stored "Eclipse launch configurations"
26 | *.launch
27 |
28 | # CDT-specific
29 | .cproject
30 |
31 | # PDT-specific
32 | .buildpath
33 |
34 |
35 | #################
36 | ## Visual Studio
37 | #################
38 |
39 | ## Ignore Visual Studio temporary files, build results, and
40 | ## files generated by popular Visual Studio add-ons.
41 |
42 | # User-specific files
43 | *.suo
44 | *.user
45 | *.sln.docstates
46 |
47 | # Build results
48 |
49 | [Dd]ebug/
50 | [Rr]elease/
51 | x64/
52 | build/
53 | [Bb]in/
54 | [Oo]bj/
55 |
56 | # MSTest test Results
57 | [Tt]est[Rr]esult*/
58 | [Bb]uild[Ll]og.*
59 |
60 | *_i.c
61 | *_p.c
62 | *.ilk
63 | *.meta
64 | *.obj
65 | *.pch
66 | *.pdb
67 | *.pgc
68 | *.pgd
69 | *.rsp
70 | *.sbr
71 | *.tlb
72 | *.tli
73 | *.tlh
74 | *.tmp
75 | *.tmp_proj
76 | *.log
77 | *.vspscc
78 | *.vssscc
79 | .builds
80 | *.pidb
81 | *.log
82 | *.scc
83 |
84 | # Visual C++ cache files
85 | ipch/
86 | *.aps
87 | *.ncb
88 | *.opensdf
89 | *.sdf
90 | *.cachefile
91 |
92 | # Visual Studio profiler
93 | *.psess
94 | *.vsp
95 | *.vspx
96 |
97 | # Guidance Automation Toolkit
98 | *.gpState
99 |
100 | # ReSharper is a .NET coding add-in
101 | _ReSharper*/
102 | *.[Rr]e[Ss]harper
103 |
104 | # TeamCity is a build add-in
105 | _TeamCity*
106 |
107 | # DotCover is a Code Coverage Tool
108 | *.dotCover
109 |
110 | # NCrunch
111 | *.ncrunch*
112 | .*crunch*.local.xml
113 |
114 | # Installshield output folder
115 | [Ee]xpress/
116 |
117 | # DocProject is a documentation generator add-in
118 | DocProject/buildhelp/
119 | DocProject/Help/*.HxT
120 | DocProject/Help/*.HxC
121 | DocProject/Help/*.hhc
122 | DocProject/Help/*.hhk
123 | DocProject/Help/*.hhp
124 | DocProject/Help/Html2
125 | DocProject/Help/html
126 |
127 | # Click-Once directory
128 | publish/
129 |
130 | # Publish Web Output
131 | *.Publish.xml
132 | *.pubxml
133 |
134 | # NuGet Packages Directory
135 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line
136 | #packages/
137 |
138 | # Windows Azure Build Output
139 | csx
140 | *.build.csdef
141 |
142 | # Windows Store app package directory
143 | AppPackages/
144 |
145 | # Others
146 | sql/
147 | *.Cache
148 | ClientBin/
149 | [Ss]tyle[Cc]op.*
150 | ~$*
151 | *~
152 | *.dbmdl
153 | *.[Pp]ublish.xml
154 | *.pfx
155 | *.publishsettings
156 |
157 | # RIA/Silverlight projects
158 | Generated_Code/
159 |
160 | # Backup & report files from converting an old project file to a newer
161 | # Visual Studio version. Backup files are not needed, because we have git ;-)
162 | _UpgradeReport_Files/
163 | Backup*/
164 | UpgradeLog*.XML
165 | UpgradeLog*.htm
166 |
167 | # SQL Server files
168 | App_Data/*.mdf
169 | App_Data/*.ldf
170 |
171 | #############
172 | ## Windows detritus
173 | #############
174 |
175 | # Windows image file caches
176 | Thumbs.db
177 | ehthumbs.db
178 |
179 | # Folder config file
180 | Desktop.ini
181 |
182 | # Recycle Bin used on file shares
183 | $RECYCLE.BIN/
184 |
185 | # Mac crap
186 | .DS_Store
187 |
188 |
189 | #############
190 | ## Python
191 | #############
192 |
193 | *.py[co]
194 |
195 | # Packages
196 | *.egg
197 | *.egg-info
198 | dist/
199 | build/
200 | eggs/
201 | parts/
202 | var/
203 | sdist/
204 | develop-eggs/
205 | .installed.cfg
206 |
207 | # Installer logs
208 | pip-log.txt
209 |
210 | # Unit test / coverage reports
211 | .coverage
212 | .tox
213 |
214 | #Translations
215 | *.mo
216 |
217 | #Mr Developer
218 | .mr.developer.cfg
219 |
--------------------------------------------------------------------------------
/client.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.21005.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "client", "client\client.vcxproj", "{8B015194-D4A3-493A-8EB1-FE27C188767E}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "test", "test\test.vcxproj", "{B80E5765-B69D-4565-8551-105678269A26}"
9 | ProjectSection(ProjectDependencies) = postProject
10 | {8B015194-D4A3-493A-8EB1-FE27C188767E} = {8B015194-D4A3-493A-8EB1-FE27C188767E}
11 | EndProjectSection
12 | EndProject
13 | Global
14 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | Debug|Win32 = Debug|Win32
16 | Debug|x64 = Debug|x64
17 | Release|Win32 = Release|Win32
18 | Release|x64 = Release|x64
19 | EndGlobalSection
20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
21 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Debug|Win32.ActiveCfg = Debug|Win32
22 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Debug|Win32.Build.0 = Debug|Win32
23 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Debug|x64.ActiveCfg = Debug|x64
24 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Debug|x64.Build.0 = Debug|x64
25 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Release|Win32.ActiveCfg = Release|Win32
26 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Release|Win32.Build.0 = Release|Win32
27 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Release|x64.ActiveCfg = Release|x64
28 | {8B015194-D4A3-493A-8EB1-FE27C188767E}.Release|x64.Build.0 = Release|x64
29 | {B80E5765-B69D-4565-8551-105678269A26}.Debug|Win32.ActiveCfg = Debug|Win32
30 | {B80E5765-B69D-4565-8551-105678269A26}.Debug|Win32.Build.0 = Debug|Win32
31 | {B80E5765-B69D-4565-8551-105678269A26}.Debug|x64.ActiveCfg = Debug|x64
32 | {B80E5765-B69D-4565-8551-105678269A26}.Debug|x64.Build.0 = Debug|x64
33 | {B80E5765-B69D-4565-8551-105678269A26}.Release|Win32.ActiveCfg = Release|Win32
34 | {B80E5765-B69D-4565-8551-105678269A26}.Release|Win32.Build.0 = Release|Win32
35 | {B80E5765-B69D-4565-8551-105678269A26}.Release|x64.ActiveCfg = Release|x64
36 | {B80E5765-B69D-4565-8551-105678269A26}.Release|x64.Build.0 = Release|x64
37 | EndGlobalSection
38 | GlobalSection(SolutionProperties) = preSolution
39 | HideSolutionNode = FALSE
40 | EndGlobalSection
41 | EndGlobal
42 |
--------------------------------------------------------------------------------
/client/client.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/driver/default/makefile:
--------------------------------------------------------------------------------
1 | !INCLUDE $(NTMAKEENV)\makefile.def
--------------------------------------------------------------------------------
/driver/default/sources:
--------------------------------------------------------------------------------
1 | !IF 0
2 |
3 | The default configuration.
4 |
5 | !ENDIF
6 |
7 | !include ..\sources.inc
8 |
--------------------------------------------------------------------------------
/driver/devctrl.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Device control dispatch
3 | *
4 | * Copyright (C) 2013 Wen Jia Liu
5 | *
6 | * This file is part of UMKCF.
7 | *
8 | * UMKCF is free software; you can redistribute it and/or modify
9 | * it under the terms of the GNU General Public License as published by
10 | * the Free Software Foundation, either version 3 of the License, or
11 | * (at your option) any later version.
12 | *
13 | * UMKCF is distributed in the hope that it will be useful,
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | * GNU General Public License for more details.
17 | *
18 | * You should have received a copy of the GNU General Public License
19 | * along with UMKCF. If not, see <http://www.gnu.org/licenses/>.
20 | */
21 |
22 | #include
23 |
/**
 * IRP_MJ_DEVICE_CONTROL dispatch routine (declared in umkcf.h).
 *
 * Every IOCTL handled here takes its arguments through Type3InputBuffer,
 * i.e. a raw caller pointer (METHOD_NEITHER). The buffer is therefore
 * length-checked, probed and copied into the local capturedInput buffer
 * before anything interprets it; all later parsing works on that
 * kernel-owned snapshot, so the caller cannot change the arguments after
 * they have been validated. The pointers stored inside the captured
 * structures are still caller-supplied addresses: they are handed to the
 * Kcfi* routines together with accessMode, which are expected to probe
 * them before use.
 *
 * \param DeviceObject The device object (not used by this routine).
 * \param Irp The request. It is completed here on every path with
 * IoStatus.Information = 0; any result data is written by the callees
 * through pointers supplied by the caller.
 *
 * \return The status the IRP was completed with.
 */
NTSTATUS KcfDispatchDeviceControl(
    __in PDEVICE_OBJECT DeviceObject,
    __in PIRP Irp
    )
{
    NTSTATUS status;
    PIO_STACK_LOCATION stackLocation;
    PFILE_OBJECT fileObject;
    PKCF_CLIENT client;
    PVOID originalInput;
    ULONG inputLength;
    ULONG ioControlCode;
    KPROCESSOR_MODE accessMode;
    // Kernel-owned copy of the caller's argument block. Sized for the largest
    // argument structure below; VERIFY_INPUT_LENGTH checks that at compile time.
    // NOTE(review): a UCHAR array only guarantees byte alignment but is
    // reinterpreted as pointer-holding structs below; MSVC aligns stack locals
    // in practice, an explicit DECLSPEC_ALIGN would make that unambiguous - confirm.
    UCHAR capturedInput[16 * sizeof(ULONG_PTR)];
    PVOID capturedInputPointer;

// Requires the caller's length to match the argument structure exactly;
// relies on a local named `input` and on `status`/`ControlEnd` being in scope.
#define VERIFY_INPUT_LENGTH \
    do { \
        /* Ensure at compile time that our local buffer fits this particular call. */ \
        C_ASSERT(sizeof(*input) <= sizeof(capturedInput)); \
        \
        if (inputLength != sizeof(*input)) \
        { \
            status = STATUS_INFO_LENGTH_MISMATCH; \
            goto ControlEnd; \
        } \
    } while (0)

    stackLocation = IoGetCurrentIrpStackLocation(Irp);
    fileObject = stackLocation->FileObject;
    // The per-handle client state lives in the file object's FsContext.
    client = fileObject->FsContext;

    if (!client)
    {
        dprintf("No client object on file object 0x%Ix in device control\n", fileObject);
        status = STATUS_INTERNAL_ERROR;
        goto ControlEnd;
    }

    originalInput = stackLocation->Parameters.DeviceIoControl.Type3InputBuffer;
    inputLength = stackLocation->Parameters.DeviceIoControl.InputBufferLength;
    ioControlCode = stackLocation->Parameters.DeviceIoControl.IoControlCode;
    // RequestorMode tells us whether the pointer must be probed (user mode)
    // and is forwarded so the callees can probe the embedded pointers too.
    accessMode = Irp->RequestorMode;

    // Make sure we actually have input if the input length is non-zero.
    if (inputLength != 0 && !originalInput)
    {
        status = STATUS_INVALID_BUFFER_SIZE;
        goto ControlEnd;
    }

    // Make sure the caller isn't giving us a huge buffer.
    // If they are, it can't be correct because we have a compile-time check that makes
    // sure our buffer can store the arguments for all the calls.
    // This check is what bounds the memcpy into capturedInput below.
    if (inputLength > sizeof(capturedInput))
    {
        status = STATUS_INVALID_BUFFER_SIZE;
        goto ControlEnd;
    }

    // Probe and capture the input buffer.
    // Capturing (rather than reading the user buffer in place) means the
    // per-IOCTL length checks and the field reads below cannot be raced by
    // the caller modifying the buffer after validation.
    if (accessMode != KernelMode)
    {
        __try
        {
            ProbeForRead(originalInput, inputLength, sizeof(UCHAR));
            memcpy(capturedInput, originalInput, inputLength);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // An inaccessible user buffer becomes a failed IOCTL, not a bugcheck.
            status = GetExceptionCode();
            goto ControlEnd;
        }
    }
    else
    {
        // Kernel-mode callers are trusted; no probe needed.
        memcpy(capturedInput, originalInput, inputLength);
    }

    capturedInputPointer = capturedInput; // avoid casting below

    switch (ioControlCode)
    {
    case KCF_QUERYVERSION:
        {
            struct
            {
                PULONG Version;
            } *input = capturedInputPointer;

            VERIFY_INPUT_LENGTH;

            // Version is a caller-supplied output pointer; the callee gets accessMode to probe it.
            status = KcfiQueryVersion(
                input->Version,
                accessMode
                );
        }
        break;
    case KCF_REMOVECALLBACK:
        {
            struct
            {
                PLARGE_INTEGER Timeout;
                PKCF_CALLBACK_ID CallbackId;
                PKCF_CALLBACK_DATA Data;
                ULONG DataLength;
                PULONG ReturnLength;
            } *input = capturedInputPointer;

            VERIFY_INPUT_LENGTH;

            // All pointer fields here are still caller addresses; DataLength
            // bounds the Data buffer and is validated by the callee.
            status = KcfiRemoveCallback(
                input->Timeout,
                input->CallbackId,
                input->Data,
                input->DataLength,
                input->ReturnLength,
                client,
                accessMode
                );
        }
        break;
    case KCF_RETURNCALLBACK:
        {
            struct
            {
                KCF_CALLBACK_ID CallbackId;
                NTSTATUS ReturnStatus;
                PKCF_CALLBACK_RETURN_DATA ReturnData;
                ULONG ReturnDataLength;
            } *input = capturedInputPointer;

            VERIFY_INPUT_LENGTH;

            status = KcfiReturnCallback(
                input->CallbackId,
                input->ReturnStatus,
                input->ReturnData,
                input->ReturnDataLength,
                client,
                accessMode
                );
        }
        break;
    case KCF_SETFILTERS:
        {
            struct
            {
                PKCF_FILTER_DATA Filters;
                ULONG NumberOfFilters;
            } *input = capturedInputPointer;

            VERIFY_INPUT_LENGTH;

            status = KcfiSetFilters(
                input->Filters,
                input->NumberOfFilters,
                client,
                accessMode
                );
        }
        break;
    default:
        // Unknown control code: reject rather than guess.
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

ControlEnd:
    // Single completion point for every path, including the early-exit gotos
    // from the validation checks and from VERIFY_INPUT_LENGTH.
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}
198 |
--------------------------------------------------------------------------------
/driver/dirs:
--------------------------------------------------------------------------------
1 | DIRS=default
2 |
--------------------------------------------------------------------------------
/driver/include/hashset.h:
--------------------------------------------------------------------------------
1 | #ifndef HASHSET_H
2 | #define HASHSET_H
3 |
4 | // Taken from Process Hacker, phbase.h
5 |
/**
 * Intrusive chain link. It is embedded in the object being hashed (for
 * example KCF_CALLBACK.HashEntry in umkcf.h) rather than allocated by the set.
 */
typedef struct _PH_HASH_ENTRY
{
    struct _PH_HASH_ENTRY *Next; // next entry in the same bucket's chain
    ULONG Hash; // full hash; the bucket index is derived from it by masking
} PH_HASH_ENTRY, *PPH_HASH_ENTRY;

// Static initializer for a bucket array: all chains empty.
#define PH_HASH_SET_INIT { 0 }
// Bucket count of an actual bucket ARRAY. Do not apply to a pointer, where
// sizeof would give the pointer size rather than the array size.
#define PH_HASH_SET_SIZE(Buckets) (sizeof(Buckets) / sizeof(PPH_HASH_ENTRY))
14 |
/**
 * Empties every bucket of a hash set.
 *
 * \param Buckets The bucket array.
 * \param NumberOfBuckets The number of buckets in \a Buckets.
 *
 * \remarks Entries already chained into the buckets are not touched; they
 * are simply no longer reachable from the set.
 */
FORCEINLINE VOID PhInitializeHashSet(
    __out PPH_HASH_ENTRY *Buckets,
    __in ULONG NumberOfBuckets
    )
{
    ULONG bucket;

    for (bucket = 0; bucket < NumberOfBuckets; bucket++)
        Buckets[bucket] = NULL;
}
28 |
/**
 * Counts the entries chained into a hash set.
 *
 * \param Buckets The bucket array.
 * \param NumberOfBuckets The number of buckets in \a Buckets.
 *
 * \return The total number of entries across all buckets.
 *
 * \remarks Linear in the number of entries; the set keeps no running count.
 */
FORCEINLINE ULONG PhCountHashSet(
    __in PPH_HASH_ENTRY *Buckets,
    __in ULONG NumberOfBuckets
    )
{
    ULONG total = 0;
    ULONG bucket;

    for (bucket = 0; bucket < NumberOfBuckets; bucket++)
    {
        PPH_HASH_ENTRY link = Buckets[bucket];

        while (link)
        {
            total++;
            link = link->Next;
        }
    }

    return total;
}
56 |
/**
 * Rehashes every entry of one hash set into another (used when resizing).
 *
 * \param NewBuckets The destination bucket array.
 * \param NumberOfNewBuckets The number of buckets in \a NewBuckets. Must be
 * a power of two: the destination index is the hash masked with
 * NumberOfNewBuckets - 1.
 * \param OldBuckets The source bucket array.
 * \param NumberOfOldBuckets The number of buckets in \a OldBuckets.
 *
 * \remarks \a NewBuckets and \a OldBuckets must be different arrays. The
 * old bucket heads are left dangling; the caller must not use \a OldBuckets
 * afterwards without re-initializing it.
 */
FORCEINLINE VOID PhDistributeHashSet(
    __inout PPH_HASH_ENTRY *NewBuckets,
    __in ULONG NumberOfNewBuckets,
    __in PPH_HASH_ENTRY *OldBuckets,
    __in ULONG NumberOfOldBuckets
    )
{
    ULONG oldIndex;

    for (oldIndex = 0; oldIndex < NumberOfOldBuckets; oldIndex++)
    {
        PPH_HASH_ENTRY link;
        PPH_HASH_ENTRY following;

        // Save the successor first: relinking overwrites link->Next.
        for (link = OldBuckets[oldIndex]; link; link = following)
        {
            ULONG newIndex;

            following = link->Next;
            newIndex = link->Hash & (NumberOfNewBuckets - 1);

            // Push onto the head of the destination chain.
            link->Next = NewBuckets[newIndex];
            NewBuckets[newIndex] = link;
        }
    }
}
95 |
/**
 * Links an entry into a hash set.
 *
 * \param Buckets The bucket array.
 * \param NumberOfBuckets The number of buckets. Must be a power of two: the
 * bucket index is the hash masked with NumberOfBuckets - 1.
 * \param Entry The entry to link; its Hash and Next fields are overwritten.
 * \param Hash The hash for the entry.
 *
 * \remarks No duplicate check is performed; adding an entry that is already
 * in the set corrupts the chain.
 */
FORCEINLINE VOID PhAddEntryHashSet(
    __inout PPH_HASH_ENTRY *Buckets,
    __in ULONG NumberOfBuckets,
    __out PPH_HASH_ENTRY Entry,
    __in ULONG Hash
    )
{
    PPH_HASH_ENTRY *slot;

    slot = &Buckets[Hash & (NumberOfBuckets - 1)];

    // Insert at the head of the chain.
    Entry->Hash = Hash;
    Entry->Next = *slot;
    *slot = Entry;
}
121 |
/**
 * Returns the head of the chain that would hold an entry with the given hash.
 *
 * \param Buckets The bucket array.
 * \param NumberOfBuckets The number of buckets. Must be a power of two: the
 * bucket index is the hash masked with NumberOfBuckets - 1.
 * \param Hash The hash for the entry.
 *
 * \return The first entry in the chain, or NULL if the chain is empty.
 *
 * \remarks Only the bucket is selected here; the caller walks the chain via
 * Next and compares keys itself. A NULL result means no entry with this hash
 * exists.
 */
FORCEINLINE PPH_HASH_ENTRY PhFindEntryHashSet(
    __in PPH_HASH_ENTRY *Buckets,
    __in ULONG NumberOfBuckets,
    __in ULONG Hash
    )
{
    ULONG index;

    index = Hash & (NumberOfBuckets - 1);

    return Buckets[index];
}
142 |
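/**
 * Removes an entry from a hash set.
 *
 * \param Buckets The bucket array.
 * \param NumberOfBuckets The number of buckets. Must be a power of two: the
 * bucket index is the hash masked with NumberOfBuckets - 1.
 * \param Entry An entry present in the hash set.
 *
 * \remarks If \a Entry is not found in its bucket, STATUS_INTERNAL_ERROR is
 * raised; the caller treats this as a fatal logic error.
 */
FORCEINLINE VOID PhRemoveEntryHashSet(
    __inout PPH_HASH_ENTRY *Buckets,
    __in ULONG NumberOfBuckets,
    __inout PPH_HASH_ENTRY Entry
    )
{
    ULONG index;
    PPH_HASH_ENTRY entry;
    PPH_HASH_ENTRY previousEntry;

    index = Entry->Hash & (NumberOfBuckets - 1);
    previousEntry = NULL;

    // Test the chain head before dereferencing it (the previous do/while
    // dereferenced a NULL head when the bucket was empty, so a missing entry
    // faulted instead of reaching the ExRaiseStatus below).
    for (entry = Buckets[index]; entry; entry = entry->Next)
    {
        if (entry == Entry)
        {
            // Unlink: fix up either the bucket head or the predecessor's link.
            if (!previousEntry)
                Buckets[index] = entry->Next;
            else
                previousEntry->Next = entry->Next;

            return;
        }

        previousEntry = entry;
    }

    // Entry doesn't actually exist in the set. This is a fatal logic error.
    ExRaiseStatus(STATUS_INTERNAL_ERROR);
}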
184 |
185 | #endif
186 |
--------------------------------------------------------------------------------
/driver/include/ntfill.h:
--------------------------------------------------------------------------------
1 | #ifndef NTFILL_H
2 | #define NTFILL_H
3 |
4 | // IO
5 |
6 | extern POBJECT_TYPE *IoDriverObjectType;
7 |
8 | // KE
9 |
// Value of the Environment argument of KeInitializeApc (declared below).
typedef enum _KAPC_ENVIRONMENT
{
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment,
    InsertApcEnvironment
} KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT;
17 |
18 | typedef VOID (NTAPI *PKNORMAL_ROUTINE)(
19 | __in PVOID NormalContext,
20 | __in PVOID SystemArgument1,
21 | __in PVOID SystemArgument2
22 | );
23 |
24 | typedef VOID KKERNEL_ROUTINE(
25 | __in PRKAPC Apc,
26 | __inout PKNORMAL_ROUTINE *NormalRoutine,
27 | __inout PVOID *NormalContext,
28 | __inout PVOID *SystemArgument1,
29 | __inout PVOID *SystemArgument2
30 | );
31 |
32 | typedef KKERNEL_ROUTINE (NTAPI *PKKERNEL_ROUTINE);
33 |
34 | typedef VOID (NTAPI *PKRUNDOWN_ROUTINE)(
35 | __in PRKAPC Apc
36 | );
37 |
38 | NTKERNELAPI
39 | VOID
40 | NTAPI
41 | KeInitializeApc(
42 | __out PRKAPC Apc,
43 | __in PRKTHREAD Thread,
44 | __in KAPC_ENVIRONMENT Environment,
45 | __in PKKERNEL_ROUTINE KernelRoutine,
46 | __in_opt PKRUNDOWN_ROUTINE RundownRoutine,
47 | __in_opt PKNORMAL_ROUTINE NormalRoutine,
48 | __in_opt KPROCESSOR_MODE ProcessorMode,
49 | __in_opt PVOID NormalContext
50 | );
51 |
52 | NTKERNELAPI
53 | BOOLEAN
54 | NTAPI
55 | KeInsertQueueApc(
56 | __inout PRKAPC Apc,
57 | __in_opt PVOID SystemArgument1,
58 | __in_opt PVOID SystemArgument2,
59 | __in KPRIORITY Increment
60 | );
61 |
62 | // EX
63 |
64 | NTSYSCALLAPI
65 | NTSTATUS
66 | NTAPI
67 | ZwQuerySystemInformation(
68 | __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
69 | __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
70 | __in ULONG SystemInformationLength,
71 | __out_opt PULONG ReturnLength
72 | );
73 |
74 | // OB
75 |
76 | #define OBJ_PROTECT_CLOSE 0x00000001
77 |
78 | typedef POBJECT_TYPE (NTAPI *_ObGetObjectType)(
79 | __in PVOID Object
80 | );
81 |
82 | NTKERNELAPI
83 | NTSTATUS
84 | NTAPI
85 | ObOpenObjectByName(
86 | __in POBJECT_ATTRIBUTES ObjectAttributes,
87 | __in POBJECT_TYPE ObjectType,
88 | __in KPROCESSOR_MODE PreviousMode,
89 | __in_opt PACCESS_STATE AccessState,
90 | __in_opt ACCESS_MASK DesiredAccess,
91 | __in PVOID ParseContext,
92 | __out PHANDLE Handle
93 | );
94 |
95 | NTKERNELAPI
96 | NTSTATUS
97 | NTAPI
98 | ObSetHandleAttributes(
99 | __in HANDLE Handle,
100 | __in POBJECT_HANDLE_FLAG_INFORMATION HandleFlags,
101 | __in KPROCESSOR_MODE PreviousMode
102 | );
103 |
104 | NTKERNELAPI
105 | NTSTATUS
106 | ObCloseHandle(
107 | __in HANDLE Handle,
108 | __in KPROCESSOR_MODE PreviousMode
109 | );
110 |
111 | // PS
112 |
113 | typedef NTSTATUS (NTAPI *_PsAcquireProcessExitSynchronization)(
114 | __in PEPROCESS Process
115 | );
116 |
117 | typedef NTSTATUS (NTAPI *_PsReleaseProcessExitSynchronization)(
118 | __in PEPROCESS Process
119 | );
120 |
121 | typedef NTSTATUS (NTAPI *_PsSuspendProcess)(
122 | __in PEPROCESS Process
123 | );
124 |
125 | typedef NTSTATUS (NTAPI *_PsResumeProcess)(
126 | __in PEPROCESS Process
127 | );
128 |
129 | typedef BOOLEAN (NTAPI *_PsIsProtectedProcess)(
130 | __in PEPROCESS Process
131 | );
132 |
133 | NTSYSCALLAPI
134 | NTSTATUS
135 | NTAPI
136 | ZwQueryInformationProcess(
137 | __in HANDLE ProcessHandle,
138 | __in PROCESSINFOCLASS ProcessInformationClass,
139 | __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
140 | __in ULONG ProcessInformationLength,
141 | __out_opt PULONG ReturnLength
142 | );
143 |
144 | NTSYSCALLAPI
145 | NTSTATUS
146 | NTAPI
147 | ZwSetInformationProcess(
148 | __in HANDLE ProcessHandle,
149 | __in PROCESSINFOCLASS ProcessInformationClass,
150 | __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
151 | __in ULONG ProcessInformationLength
152 | );
153 |
154 | NTSYSCALLAPI
155 | NTSTATUS
156 | NTAPI
157 | ZwQueryInformationThread(
158 | __in HANDLE ThreadHandle,
159 | __in THREADINFOCLASS ThreadInformationClass,
160 | __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
161 | __in ULONG ThreadInformationLength,
162 | __out_opt PULONG ReturnLength
163 | );
164 |
165 | NTKERNELAPI
166 | NTSTATUS
167 | NTAPI
168 | PsLookupProcessThreadByCid(
169 | __in PCLIENT_ID ClientId,
170 | __out_opt PEPROCESS *Process,
171 | __out PETHREAD *Thread
172 | );
173 |
174 | NTKERNELAPI
175 | PVOID
176 | NTAPI
177 | PsGetThreadWin32Thread(
178 | __in PETHREAD Thread
179 | );
180 |
181 | NTKERNELAPI
182 | NTSTATUS
183 | NTAPI
184 | PsGetContextThread(
185 | __in PETHREAD Thread,
186 | __inout PCONTEXT ThreadContext,
187 | __in KPROCESSOR_MODE PreviousMode
188 | );
189 |
190 | NTKERNELAPI
191 | NTSTATUS
192 | NTAPI
193 | PsSetContextThread(
194 | __in PETHREAD Thread,
195 | __in PCONTEXT ThreadContext,
196 | __in KPROCESSOR_MODE PreviousMode
197 | );
198 |
199 | typedef struct _EJOB *PEJOB;
200 |
201 | extern POBJECT_TYPE *PsJobType;
202 |
203 | NTKERNELAPI
204 | PEJOB
205 | NTAPI
206 | PsGetProcessJob(
207 | __in PEPROCESS Process
208 | );
209 |
210 | // RTL
211 |
212 | // Sensible limit that may or may not correspond to the actual Windows value.
213 | #define MAX_STACK_DEPTH 64
214 |
215 | #define RTL_WALK_USER_MODE_STACK 0x00000001
216 | #define RTL_WALK_VALID_FLAGS 0x00000001
217 |
218 | NTSYSAPI
219 | ULONG
220 | NTAPI
221 | RtlWalkFrameChain(
222 | __out PVOID *Callers,
223 | __in ULONG Count,
224 | __in ULONG Flags
225 | );
226 |
227 | #endif
228 |
--------------------------------------------------------------------------------
/driver/include/umkcf.h:
--------------------------------------------------------------------------------
1 | #ifndef UMKCF_H
2 | #define UMKCF_H
3 |
4 | #include
5 | #define PHNT_MODE PHNT_MODE_KERNEL
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 | // Debugging
12 |
#ifdef DBG
#define dprintf(Format, ...) DbgPrint("UMKCF: " Format, __VA_ARGS__)
#else
// In non-DBG builds the macro name expands to nothing, so a call such as
// dprintf("...", x); becomes the comma expression ("...", x); -- the
// arguments are still evaluated, only the DbgPrint call disappears.
#define dprintf
#endif
18 |
// Driver-wide configuration; the single instance is KcfParameters (declared below).
typedef struct _KCF_PARAMETERS
{
    KCF_SECURITY_LEVEL SecurityLevel;
} KCF_PARAMETERS, *PKCF_PARAMETERS;
23 |
// KCF_CLIENT.Flags bits.
#define KCF_CLIENT_CANCELLED 0x1
#define KCF_CLIENT_ENABLE_CALLBACKS 0x2

/**
 * Per-handle client state. KcfDispatchDeviceControl (devctrl.c) retrieves it
 * from the file object's FsContext and refuses requests on handles that have
 * none.
 */
typedef struct _KCF_CLIENT
{
    LONG RefCount; // see KcfReferenceClient / KcfDereferenceClient below
    LIST_ENTRY ListEntry; // presumably links into KcfClientListHead under KcfClientListLock - confirm

    ULONG Flags; // KCF_CLIENT_* bits
    KCF_CALLBACK_ID LastCallbackId;

    FAST_MUTEX QueueLock;
    KQUEUE Queue;
    ULONG QueueCount; // NOTE(review): presumably bounded by KCF_MAXIMUM_QUEUED_CALLBACKS - confirm
    // Bucket count must stay a power of two: the hashset.h helpers derive the
    // bucket index by masking the hash with (count - 1).
    PPH_HASH_ENTRY CallbackHashSet[256];

    FAST_MUTEX FilterListLock;
    LIST_ENTRY FilterListHeads[KCF_CATEGORY_MAXIMUM]; // one list per category, judging by the bound - confirm
} KCF_CLIENT, *PKCF_CLIENT;
43 |
#define KCF_MAXIMUM_QUEUED_CALLBACKS 10000

// KCF_CALLBACK.Flags state bits, each with the shift of its bit position.
#define KCF_CALLBACK_STATE_QUEUED 0x1
#define KCF_CALLBACK_STATE_QUEUED_SHIFT 0
#define KCF_CALLBACK_STATE_COMPLETED 0x2
#define KCF_CALLBACK_STATE_COMPLETED_SHIFT 1
#define KCF_CALLBACK_STATE_CANCELLED 0x4
#define KCF_CALLBACK_STATE_CANCELLED_SHIFT 2

/**
 * One callback delivered to a client and its result, created by
 * KcfCreateCallback and looked up by KcfFindCallback (declared below).
 */
typedef struct _KCF_CALLBACK
{
    LONG RefCount; // see KcfReferenceCallback / KcfDereferenceCallback below
    PH_HASH_ENTRY HashEntry; // intrusive link for KCF_CLIENT.CallbackHashSet (hashset.h)
    LIST_ENTRY ListEntry; // queue
    KCF_CALLBACK_ID CallbackId;
    PKCF_CLIENT Client; // owning client

    ULONG Flags; // KCF_CALLBACK_STATE_* bits
    KEVENT Event; // presumably signalled once the client returns the callback - confirm
    PKCF_CALLBACK_DATA Data;
    PKCF_CALLBACK_RETURN_DATA ReturnData; // released with KcfFreeReturnData (declared below)
} KCF_CALLBACK, *PKCF_CALLBACK;
66 |
/**
 * Fills in a fresh callback data block for the current thread.
 *
 * \param Data The block to initialize. It is zeroed first, so every field
 * not set here reads as zero.
 * \param EventId The event the callback reports.
 *
 * \remarks Records the calling process/thread ids and the current system
 * time as the event's timestamp.
 */
FORCEINLINE VOID KcfInitializeCallbackData(
    __out PKCF_CALLBACK_DATA Data,
    __in KCF_EVENT_ID EventId
    )
{
    memset(Data, 0, sizeof(*Data));

    KeQuerySystemTime(&Data->TimeStamp);
    Data->EventId = EventId;
    Data->ClientId.UniqueThread = PsGetCurrentThreadId();
    Data->ClientId.UniqueProcess = PsGetCurrentProcessId();
}
78 |
79 | // main
80 |
81 | extern KCF_PARAMETERS KcfParameters;
82 |
83 | extern FAST_MUTEX KcfClientListLock;
84 | extern LIST_ENTRY KcfClientListHead;
85 |
86 | NTSTATUS KcfiQueryVersion(
87 | __out PULONG Version,
88 | __in KPROCESSOR_MODE AccessMode
89 | );
90 |
91 | ULONG_PTR KcfFindUnicodeStringInUnicodeString(
92 | __in PUNICODE_STRING String1,
93 | __in PUNICODE_STRING String2,
94 | __in BOOLEAN IgnoreCase
95 | );
96 |
/**
 * Tests whether \a String1 ends with \a String2.
 *
 * \param String1 The string to examine.
 * \param String2 The candidate suffix.
 * \param IgnoreCase Whether to compare case-insensitively.
 *
 * \return TRUE if the last String2->Length bytes of \a String1 equal
 * \a String2, FALSE otherwise (including when \a String2 is longer).
 *
 * \remarks No copy is made: a UNICODE_STRING view of the tail of
 * \a String1 is built on the stack and compared in place.
 */
FORCEINLINE BOOLEAN KcfSuffixUnicodeString(
    __in PUNICODE_STRING String1,
    __in PUNICODE_STRING String2,
    __in BOOLEAN IgnoreCase
    )
{
    UNICODE_STRING tail;
    PCHAR tailStart;

    // A longer candidate can never be a suffix; this also keeps the
    // pointer arithmetic below within String1's buffer.
    if (String2->Length > String1->Length)
        return FALSE;

    tailStart = (PCHAR)String1->Buffer + String1->Length - String2->Length;

    tail.Buffer = (PWSTR)tailStart;
    tail.Length = String2->Length;
    tail.MaximumLength = String2->Length;

    return RtlEqualUnicodeString(&tail, String2, IgnoreCase);
}
114 |
115 | // client
116 |
117 | VOID KcfClientInitialization(
118 | VOID
119 | );
120 |
121 | VOID KcfClientUninitialization(
122 | VOID
123 | );
124 |
125 | NTSTATUS KcfCreateClient(
126 | __out PKCF_CLIENT *Client
127 | );
128 |
129 | VOID KcfCancelClient(
130 | __in PKCF_CLIENT Client
131 | );
132 |
133 | VOID KcfReferenceClient(
134 | __in PKCF_CLIENT Client
135 | );
136 |
137 | VOID KcfDereferenceClient(
138 | __in PKCF_CLIENT Client
139 | );
140 |
141 | NTSTATUS KcfCreateCallback(
142 | __out PKCF_CALLBACK *Callback,
143 | __in PKCF_CLIENT Client,
144 | __in PKCF_CALLBACK_DATA Data
145 | );
146 |
147 | VOID KcfReferenceCallback(
148 | __in PKCF_CALLBACK Callback
149 | );
150 |
151 | VOID KcfDereferenceCallback(
152 | __in PKCF_CALLBACK Callback
153 | );
154 |
155 | PKCF_CALLBACK KcfFindCallback(
156 | __in PKCF_CLIENT Client,
157 | __in KCF_CALLBACK_ID CallbackId
158 | );
159 |
160 | NTSTATUS KcfPerformCallback(
161 | __in PKCF_CALLBACK Callback,
162 | __in KPROCESSOR_MODE WaitMode,
163 | __in_opt PLARGE_INTEGER Timeout,
164 | __out_opt PKCF_CALLBACK_RETURN_DATA *ReturnData
165 | );
166 |
167 | NTSTATUS KcfiRemoveCallback(
168 | __in_opt PLARGE_INTEGER Timeout,
169 | __out PKCF_CALLBACK_ID CallbackId,
170 | __out PKCF_CALLBACK_DATA Data,
171 | __in ULONG DataLength,
172 | __out_opt PULONG ReturnLength,
173 | __in PKCF_CLIENT Client,
174 | __in KPROCESSOR_MODE AccessMode
175 | );
176 |
177 | VOID KcfFreeReturnData(
178 | __in PKCF_CALLBACK_RETURN_DATA ReturnData
179 | );
180 |
181 | NTSTATUS KcfiReturnCallback(
182 | __in KCF_CALLBACK_ID CallbackId,
183 | __in NTSTATUS ReturnStatus,
184 | __in_opt PKCF_CALLBACK_RETURN_DATA ReturnData,
185 | __in ULONG ReturnDataLength,
186 | __in PKCF_CLIENT Client,
187 | __in KPROCESSOR_MODE AccessMode
188 | );
189 |
190 | // filter
191 |
// NOTE(review): presumably the upper bound for KcfGetClientsForCallback's
// Clients array (declared below) - confirm.
#define KCF_MAXIMUM_CLIENTS 32

// One installed filter: the client that owns it plus the filter definition
// it received through KcfiSetFilters (declared below).
typedef struct _KCF_FILTER
{
    LIST_ENTRY ListEntry; // presumably links into KCF_CLIENT.FilterListHeads - confirm
    PKCF_CLIENT Client;
    KCF_FILTER_DATA Data;
} KCF_FILTER, *PKCF_FILTER;
200 |
201 | VOID KcfFilterInitialization(
202 | VOID
203 | );
204 |
205 | VOID KcfDeleteDataItem(
206 | __in PKCF_DATA_ITEM DataItem
207 | );
208 |
209 | VOID KcfDeleteFilterData(
210 | __in PKCF_FILTER_DATA FilterData
211 | );
212 |
213 | NTSTATUS KcfiSetFilters(
214 | __in PKCF_FILTER_DATA Filters,
215 | __in ULONG NumberOfFilters,
216 | __in PKCF_CLIENT Client,
217 | __in KPROCESSOR_MODE AccessMode
218 | );
219 |
220 | BOOLEAN KcfGetClientsForCallback(
221 | __out PKCF_CLIENT *Clients,
222 | __in ULONG MaximumClients,
223 | __out PULONG NumberOfClients,
224 | __in PKCF_CALLBACK_DATA Data,
225 | __in_opt PKCF_DATA_ITEM CustomValues,
226 | __in ULONG NumberOfCustomValues
227 | );
228 |
229 | // devctrl
230 |
231 | __drv_dispatchType(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH KcfDispatchDeviceControl;
232 |
233 | NTSTATUS KcfDispatchDeviceControl(
234 | __in PDEVICE_OBJECT DeviceObject,
235 | __in PIRP Irp
236 | );
237 |
238 | // pscall
239 |
/**
 * Sets up the process-related support implemented in pscall.c. The name suggests
 * registration of kernel process callbacks; the header does not show which —
 * see pscall.c. A failure status presumably means driver initialization should
 * be aborted.
 */
NTSTATUS KcfPsInitialization(
    VOID
    );

/** Reverses KcfPsInitialization (unregistration), presumably at unload; see pscall.c. */
NTSTATUS KcfPsUninitialization(
    VOID
    );
247 |
248 | #endif
249 |
--------------------------------------------------------------------------------
/driver/resource.rc:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #define VER_COMMA 1,0,0,0
4 | #define VER_STR "1.0\0"
5 |
6 | #define VER_FILEVERSION VER_COMMA
7 | #define VER_FILEVERSION_STR VER_STR
8 | #define VER_PRODUCTVERSION VER_COMMA
9 | #define VER_PRODUCTVERSION_STR VER_STR
10 |
11 | #ifndef DEBUG
12 | #define VER_DEBUG 0
13 | #else
14 | #define VER_DEBUG VS_FF_DEBUG
15 | #endif
16 |
17 | #define VER_PRIVATEBUILD 0
18 | #define VER_PRERELEASE 0
19 |
20 | #define VER_COMPANYNAME_STR "wj32\0"
21 | #define VER_FILEDESCRIPTION_STR "UMKCF\0"
22 | #define VER_LEGALCOPYRIGHT_STR "\0"
23 | #define VER_ORIGINALFILENAME_STR "umkcf.sys\0"
24 | #define VER_PRODUCTNAME_STR "User-mode kernel callback framework\0"
25 |
26 | VS_VERSION_INFO VERSIONINFO
27 | FILEVERSION VER_FILEVERSION
28 | PRODUCTVERSION VER_PRODUCTVERSION
29 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
30 | FILEFLAGS (VER_PRIVATEBUILD | VER_PRERELEASE | VER_DEBUG)
31 | FILEOS VOS__WINDOWS32
32 | FILETYPE VFT_DRV
33 | FILESUBTYPE VFT2_DRV_SYSTEM
34 | BEGIN
35 | BLOCK "StringFileInfo"
36 | BEGIN
37 | BLOCK "040904E4"
38 | BEGIN
39 | VALUE "CompanyName", VER_COMPANYNAME_STR
40 | VALUE "FileDescription", VER_FILEDESCRIPTION_STR
41 | VALUE "FileVersion", VER_FILEVERSION_STR
42 | VALUE "LegalCopyright", VER_LEGALCOPYRIGHT_STR
43 | VALUE "OriginalFilename", VER_ORIGINALFILENAME_STR
44 | VALUE "ProductName", VER_PRODUCTNAME_STR
45 | VALUE "ProductVersion", VER_PRODUCTVERSION_STR
46 | END
47 | END
48 |
49 | BLOCK "VarFileInfo"
50 | BEGIN
51 | VALUE "Translation", 0x409, 1252
52 | END
53 | END
54 |
--------------------------------------------------------------------------------
/driver/sign/DigiCert High Assurance EV Root CA.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIFOzCCAyOgAwIBAgIKYSBNtAAAAAAAJzANBgkqhkiG9w0BAQUFADB/MQswCQYD
3 | VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe
4 | MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQDEyBNaWNyb3Nv
5 | ZnQgQ29kZSBWZXJpZmljYXRpb24gUm9vdDAeFw0xMTA0MTUxOTQ1MzNaFw0yMTA0
6 | MTUxOTU1MzNaMGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx
7 | GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhp
8 | Z2ggQXNzdXJhbmNlIEVWIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
9 | ggEKAoIBAQDGzOVz5vvUu+UtLTKm3+WBP8nNJUm2cSrD1ZQ0Z6IKHLBfaaZAscS3
10 | so/QmKSpQVk609yU1jzbdDikSsxNJYL3SqVTEjju80ltcZF+Y7arpl/DpIT4T2JR
11 | vvjF7Ns4kuMG5QiRDMQoQVX7y1qJFX5x6DW/TXIJPb46OFBbdzEbjbPHJEWap6xt
12 | ABRaBLe6E+tRCphBQSJOZWGHgUFQpnlcid4ZSlfVLuZdHFMsfpjNGgYWpGhz0DQE
13 | E1yhcdNafFXbXmThN4cwVgTlEbQpgBLxeTmIogIRfCdmt4i3ePLKCqg4qwpkwr9m
14 | XZWEwaElHoddGlALIBLMQbtuC1E4uEvLAgMBAAGjgcswgcgwEQYDVR0gBAowCDAG
15 | BgRVHSAAMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSx
16 | PsNpA/i/RwHUmCYaCALvY2QrwzAfBgNVHSMEGDAWgBRi+wohW39DbhHaCVRQa/XS
17 | lnHxnjBVBgNVHR8ETjBMMEqgSKBGhkRodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
18 | cGtpL2NybC9wcm9kdWN0cy9NaWNyb3NvZnRDb2RlVmVyaWZSb290LmNybDANBgkq
19 | hkiG9w0BAQUFAAOCAgEAIIzBWe1vnGstwUo+dR1FTEFQHL2A6tmwkosGKhM/Uxae
20 | VjlqimO2eCR59X24uUehCpbC9su9omafBuGs0nkJDv083KwCDHCvPxvseH7U60sF
21 | YCbZc2GRIe2waGPglxKrb6AS7dmf0tonPLPkVvnR1IEPcb1CfKaJ3M3VvZWiq/GT
22 | EX3orDEpqF1mcEGd/HXJ1bMaOSrQhQVQi6yRysSTy3GlnaSUb1gM+m4gxAgxtYWd
23 | foH50j3KWxiFbAqG7CIJG6V0NE9/KLyVSqsdtpiwXQmkd3Z+76eOXYT2GCTL0W2m
24 | w6GcwhB1gP+dMv3mz0M6gvfOj+FyKptit1/tlRo5XC+UbUi3AV8zL7vcLXM0iQRC
25 | ChyLefmj+hfv+qEaEN/gssGV61wMBZc7NT4YiE3bbL8kiY3Ivdifezk6JKDV39Hz
26 | ShqX9qZveh+wkKmzrAE5kdNht2TxPlc4A6/OetK1kPWu3DmZ1bY8l+2myxbHfWsq
27 | TJCU5kxU/R7NIOzOaJyHWOlhYL7rDsnVGX2f6Xi9DqwhdQePqW7gjGoqa5zj52W8
28 | vC08bdwE3GdFNjKvBIG8qABuYUyVxVzUjo6fL8EydL29EWUDB83vt14CV9qG1Boo
29 | NK+ISbLPpd2CVm9oqhTiWVT+/+ru7+qScCJggeMlI8CfzA9JsjWqWMM6w9kWlBA=
30 | -----END CERTIFICATE-----
31 |
--------------------------------------------------------------------------------
/driver/sign/sign.cmd:
--------------------------------------------------------------------------------
REM Signs the amd64 build output (TARGETPATH=..\bin in sources.inc) with the
REM "kmcs" option, which makes signfile.cmd attach the cross-certificate.
REM Run from this directory: signfile.cmd and the .crt it references are found
REM via the current directory.
call signfile.cmd ..\bin\amd64\umkcf.sys kmcs
--------------------------------------------------------------------------------
/driver/sign/signfile.cmd:
--------------------------------------------------------------------------------
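@echo off
REM Signs one file with signtool, selecting the certificate by issuer name.
REM   %1  path of the file to sign (quoted below, so paths containing spaces work)
REM   %2  "kmcs" to also pass the cross-certificate (/ac) that chains the DigiCert
REM       root to the Microsoft Code Verification Root, as kernel-mode code signing
REM       requires. The .crt in this directory encodes a validity ending 2021-04-15;
REM       check it before relying on it.
REM Set SIGN_TIMESTAMP=1 to countersign with an Authenticode (/t) timestamp.
REM No /fd is given, so signtool's default file digest algorithm applies.
REM The cross-certificate path is relative, so run this from driver\sign.
REM Exit code: signtool's exit code on the signing path, 1 when %1 is missing.
setlocal

if "%~1" == "" goto :notset

set additional=
if "%2" == "kmcs" set additional=/ac "DigiCert High Assurance EV Root CA.crt"

set timestamp=
if "%SIGN_TIMESTAMP%" == "1" set timestamp=/t http://timestamp.digicert.com

signtool sign %timestamp% /i "DigiCert High Assurance Code Signing CA-1" %additional% "%~1"
exit /b %errorlevel%

:notset
echo Parameters not set.
pause
exit /b 1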
20 |
--------------------------------------------------------------------------------
/driver/sources.inc:
--------------------------------------------------------------------------------
1 | TARGETTYPE=DRIVER
2 |
3 | !IF !DEFINED(TARGETNAME)
4 | TARGETNAME=umkcf
5 | !ENDIF
6 |
7 | !IF !DEFINED(TARGETPATH)
8 | TARGETPATH=..\bin
9 | !ENDIF
10 |
11 | INCLUDES=$(DDK_INC_PATH);..\include;..\..\include;..\..\include\sys
12 | LIBS=%BUILD%\lib
13 |
14 | MSC_WARNING_LEVEL=/WX
15 | LINKER_FLAGS=/INTEGRITYCHECK
16 |
17 | SOURCES= \
18 | ..\main.c \
19 | ..\client.c \
20 | ..\devctrl.c \
21 | ..\filter.c \
22 | ..\pscall.c \
23 | ..\resource.rc
24 |
--------------------------------------------------------------------------------
/driver/umkcf.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.21005.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "umkcf", "umkcf.vcxproj", "{B493DEAC-4D34-45F1-8535-7D9C02F9368A}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Win7 Debug|Win32 = Win7 Debug|Win32
11 | Win7 Debug|x64 = Win7 Debug|x64
12 | Win7 Release|Win32 = Win7 Release|Win32
13 | Win7 Release|x64 = Win7 Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
17 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
18 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
19 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
20 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
21 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
22 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
23 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
24 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
25 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
26 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Release|x64.Build.0 = Win7 Release|x64
27 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
28 | EndGlobalSection
29 | GlobalSection(SolutionProperties) = preSolution
30 | HideSolutionNode = FALSE
31 | EndGlobalSection
32 | EndGlobal
33 |
--------------------------------------------------------------------------------
/driver/umkcf.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Win7 Debug
6 | Win32
7 |
8 |
9 | Win7 Release
10 | Win32
11 |
12 |
13 | Win7 Debug
14 | x64
15 |
16 |
17 | Win7 Release
18 | x64
19 |
20 |
21 |
22 | {B493DEAC-4D34-45F1-8535-7D9C02F9368A}
23 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
24 | v4.5
25 | 11.0
26 | Win8.1 Debug
27 | Win32
28 | umkcf
29 |
30 |
31 |
32 | Windows7
33 | true
34 | WindowsKernelModeDriver8.1
35 | Driver
36 | WDM
37 |
38 |
39 | Windows7
40 | false
41 | WindowsKernelModeDriver8.1
42 | Driver
43 | WDM
44 |
45 |
46 | Windows7
47 | true
48 | WindowsKernelModeDriver8.1
49 | Driver
50 | WDM
51 |
52 |
53 | Windows7
54 | false
55 | WindowsKernelModeDriver8.1
56 | Driver
57 | WDM
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 | DbgengKernelDebugger
69 |
70 |
71 | DbgengKernelDebugger
72 |
73 |
74 | DbgengKernelDebugger
75 |
76 |
77 | DbgengKernelDebugger
78 |
79 |
80 |
81 | include;..\include;..\include\sys;%(AdditionalIncludeDirectories)
82 |
83 |
84 |
85 |
86 | include;..\include;..\include\sys;%(AdditionalIncludeDirectories)
87 |
88 |
89 |
90 |
91 | include;..\include;..\include\sys;%(AdditionalIncludeDirectories)
92 |
93 |
94 |
95 |
96 | include;..\include;..\include\sys;%(AdditionalIncludeDirectories)
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
--------------------------------------------------------------------------------
/driver/umkcf.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 | Source Files
26 |
27 |
28 | Source Files
29 |
30 |
31 | Source Files
32 |
33 |
34 |
35 |
36 | Header Files
37 |
38 |
39 | Header Files
40 |
41 |
42 | Header Files
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 | Resource Files
52 |
53 |
54 |
--------------------------------------------------------------------------------
/include/sys/circbuf.h:
--------------------------------------------------------------------------------
#ifndef _PH_CIRCBUF_H
#define _PH_CIRCBUF_H

// Selects the power-of-two variant of the circular buffer: circbuf_h.h then keeps
// a SizeMinusOne mask and wraps positions with '&' instead of '%'. That mask is
// only correct when the buffer size is a power of two.
#define PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE

// circbuf_h.h is a "template" that is instantiated once per element type: T is
// the element type and T___(Name, T) (defined elsewhere) pastes it into every
// type and function name, so each include below yields a distinct buffer type.
#undef T
#define T ULONG
#include "circbuf_h.h"

#undef T
#define T ULONG64
#include "circbuf_h.h"

#undef T
#define T PVOID
#include "circbuf_h.h"

#undef T
#define T SIZE_T
#include "circbuf_h.h"

#undef T
#define T FLOAT
#include "circbuf_h.h"

#endif
27 |
--------------------------------------------------------------------------------
/include/sys/circbuf_h.h:
--------------------------------------------------------------------------------
1 | #ifdef T
2 |
3 | #include
4 |
/**
 * A fixed-capacity ring of T items addressed relative to a moving head.
 *
 * PhAddItemCircularBuffer moves Index back by one slot (wrapping) and stores
 * there, so logical position 0 in PhGetItemCircularBuffer is the most recently
 * added item and higher positions are older. Count grows with each add until it
 * reaches Size; after that an add overwrites the oldest item.
 */
typedef struct T___(_PH_CIRCULAR_BUFFER, T)
{
    ULONG Size;          // capacity in items
#ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE
    ULONG SizeMinusOne;  // wrap-around mask (presumably Size - 1; valid only for a power-of-two Size)
#endif
    ULONG Count;         // number of valid items; saturates at Size
    LONG Index;          // slot holding the most recently added item
    T *Data;             // backing storage (presumably Size items)
} T___(PH_CIRCULAR_BUFFER, T), *T___(PPH_CIRCULAR_BUFFER, T);
15 |
/**
 * Initializes Buffer to hold Size items. Under PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE
 * the inline accessors mask with SizeMinusOne, so Size is presumably required
 * (or rounded) to be a power of two — confirm in the implementation.
 */
PHLIBAPI
VOID
NTAPI
T___(PhInitializeCircularBuffer, T)(
    _Out_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _In_ ULONG Size
    );

/** Releases the storage owned by Buffer; the structure itself is the caller's. */
PHLIBAPI
VOID
NTAPI
T___(PhDeleteCircularBuffer, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer
    );

/** Changes the capacity to NewSize (same power-of-two caveat as initialization). */
PHLIBAPI
VOID
NTAPI
T___(PhResizeCircularBuffer, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _In_ ULONG NewSize
    );

/** Discards all items (presumably resets Count; see the implementation). */
PHLIBAPI
VOID
NTAPI
T___(PhClearCircularBuffer, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer
    );

/**
 * Copies Count items into Destination, which must have room for Count items.
 * Presumably in logical order (newest first, as PhGetItemCircularBuffer
 * numbers them) — confirm in the implementation.
 */
PHLIBAPI
VOID
NTAPI
T___(PhCopyCircularBuffer, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _Out_writes_(Count) T *Destination,
    _In_ ULONG Count
    );
54 |
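/**
 * Returns the item at logical position Index, where position 0 is the item most
 * recently stored by PhAddItemCircularBuffer and larger positions are older.
 * Index may be negative; positions wrap around the buffer size. No check is made
 * against Count.
 *
 * \param Buffer The buffer to read from.
 * \param Index Logical position relative to Buffer->Index.
 * \return The item stored in that slot.
 */
FORCEINLINE T T___(PhGetItemCircularBuffer, T)(
    _In_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _In_ LONG Index
    )
{
#ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE
    // With a power-of-two size the mask also wraps negative sums correctly
    // (two's complement), so no sign handling is needed.
    return Buffer->Data[(Buffer->Index + Index) & Buffer->SizeMinusOne];
#else
    // C's % takes the sign of the dividend, so a negative position is normalized
    // by adding size and reducing again. Both operands must be signed for that
    // to work: with a ULONG divisor a negative LONG dividend would be converted
    // to a large unsigned value before the first %, and the normalization would
    // pick the wrong slot. Assumes Size <= LONG_MAX.
    LONG size = (LONG)Buffer->Size;

    return Buffer->Data[(((Buffer->Index + Index) % size) + size) % size];
#endif
}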
70 |
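/**
 * Overwrites the item at logical position Index (0 = most recently added item,
 * larger = older; negative values and wrap-around are allowed, as in
 * PhGetItemCircularBuffer). Count and Index are not changed.
 *
 * \param Buffer The buffer to write to.
 * \param Index Logical position relative to Buffer->Index.
 * \param Value The item to store.
 */
FORCEINLINE VOID T___(PhSetItemCircularBuffer, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _In_ LONG Index,
    _In_ T Value
    )
{
#ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE
    // Power-of-two mask: wraps negative sums as well (two's complement).
    Buffer->Data[(Buffer->Index + Index) & Buffer->SizeMinusOne] = Value;
#else
    // Signed arithmetic is required for the dividend-sign normalization; with a
    // ULONG divisor a negative dividend would be converted to unsigned before the
    // first % and land in the wrong slot. Assumes Size <= LONG_MAX.
    LONG size = (LONG)Buffer->Size;

    Buffer->Data[(((Buffer->Index + Index) % size) + size) % size] = Value;
#endif
}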
86 |
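/**
 * Stores Value as the newest item: the head moves back one slot (wrapping) and
 * the value is written there, overwriting the oldest item once the buffer is
 * full. Count is incremented until it reaches Size.
 *
 * \param Buffer The buffer to add to.
 * \param Value The item to store.
 */
FORCEINLINE VOID T___(PhAddItemCircularBuffer, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _In_ T Value
    )
{
    LONG index;

#ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE
    // Power-of-two mask: wraps the -1 step correctly when Index is 0.
    index = (Buffer->Index - 1) & Buffer->SizeMinusOne;
#else
    // Signed arithmetic is required for the dividend-sign normalization (when
    // Index is 0 the dividend is -1); with a ULONG divisor it would be converted
    // to unsigned first and land in the wrong slot. Assumes Size <= LONG_MAX.
    LONG size = (LONG)Buffer->Size;

    index = (((Buffer->Index - 1) % size) + size) % size;
#endif

    // Move the head, then store at it.
    Buffer->Index = index;
    Buffer->Data[index] = Value;

    if (Buffer->Count < Buffer->Size)
        Buffer->Count++;
}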
104 |
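/**
 * Like PhAddItemCircularBuffer, but returns the item that previously occupied
 * the slot the new value is written to (the overwritten oldest item once the
 * buffer is full; whatever the slot held before, e.g. uninitialized storage,
 * while it is still filling).
 *
 * \param Buffer The buffer to add to.
 * \param Value The item to store.
 * \return The previous contents of the slot now holding Value.
 */
FORCEINLINE T T___(PhAddItemCircularBuffer2, T)(
    _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer,
    _In_ T Value
    )
{
    LONG index;
    T oldValue;

#ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE
    // Power-of-two mask: wraps the -1 step correctly when Index is 0.
    index = (Buffer->Index - 1) & Buffer->SizeMinusOne;
#else
    // Signed arithmetic is required for the dividend-sign normalization (when
    // Index is 0 the dividend is -1); with a ULONG divisor it would be converted
    // to unsigned first and land in the wrong slot. Assumes Size <= LONG_MAX.
    LONG size = (LONG)Buffer->Size;

    index = (((Buffer->Index - 1) % size) + size) % size;
#endif

    Buffer->Index = index;
    oldValue = Buffer->Data[index];
    Buffer->Data[index] = Value;

    if (Buffer->Count < Buffer->Size)
        Buffer->Count++;

    return oldValue;
}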
131 |
132 | #endif
133 |
--------------------------------------------------------------------------------
/include/sys/colorbox.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_COLORBOX_H
2 | #define _PH_COLORBOX_H
3 |
4 | #define PH_COLORBOX_CLASSNAME L"PhColorBox"
5 |
6 | BOOLEAN PhColorBoxInitialization(
7 | VOID
8 | );
9 |
10 | #define CBCM_SETCOLOR (WM_APP + 1501)
11 | #define CBCM_GETCOLOR (WM_APP + 1502)
12 |
13 | #define ColorBox_SetColor(hWnd, Color) \
14 | SendMessage((hWnd), CBCM_SETCOLOR, (WPARAM)(Color), 0)
15 |
16 | #define ColorBox_GetColor(hWnd) \
17 | ((COLORREF)SendMessage((hWnd), CBCM_GETCOLOR, 0, 0))
18 |
19 | #endif
20 |
--------------------------------------------------------------------------------
/include/sys/cpysave.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_CPYSAVE_H
2 | #define _PH_CPYSAVE_H
3 |
4 | #define PH_EXPORT_MODE_TABS 0
5 | #define PH_EXPORT_MODE_SPACES 1
6 | #define PH_EXPORT_MODE_CSV 2
7 |
8 | VOID PhaCreateTextTable(
9 | _Out_ PPH_STRING ***Table,
10 | _In_ ULONG Rows,
11 | _In_ ULONG Columns
12 | );
13 |
14 | PPH_LIST PhaFormatTextTable(
15 | _In_ PPH_STRING **Table,
16 | _In_ ULONG Rows,
17 | _In_ ULONG Columns,
18 | _In_ ULONG Mode
19 | );
20 |
21 | VOID PhMapDisplayIndexTreeNew(
22 | _In_ HWND TreeNewHandle,
23 | _Out_opt_ PULONG *DisplayToId,
24 | _Out_opt_ PWSTR **DisplayToText,
25 | _Out_ PULONG NumberOfColumns
26 | );
27 |
28 | PHLIBAPI
29 | PPH_STRING PhGetTreeNewText(
30 | _In_ HWND TreeNewHandle,
31 | _Reserved_ ULONG Reserved
32 | );
33 |
34 | PHLIBAPI
35 | PPH_LIST PhGetGenericTreeNewLines(
36 | _In_ HWND TreeNewHandle,
37 | _In_ ULONG Mode
38 | );
39 |
40 | VOID PhaMapDisplayIndexListView(
41 | _In_ HWND ListViewHandle,
42 | _Out_writes_(Count) PULONG DisplayToId,
43 | _Out_writes_opt_(Count) PPH_STRING *DisplayToText,
44 | _In_ ULONG Count,
45 | _Out_ PULONG NumberOfColumns
46 | );
47 |
48 | PPH_STRING PhaGetListViewItemText(
49 | _In_ HWND ListViewHandle,
50 | _In_ INT Index,
51 | _In_ INT SubItemIndex
52 | );
53 |
54 | PPH_STRING PhGetListViewText(
55 | _In_ HWND ListViewHandle
56 | );
57 |
58 | PPH_LIST PhGetListViewLines(
59 | _In_ HWND ListViewHandle,
60 | _In_ ULONG Mode
61 | );
62 |
63 | #endif
64 |
--------------------------------------------------------------------------------
/include/sys/dltmgr.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_DLTMGR_H
2 | #define _PH_DLTMGR_H
3 |
4 | typedef struct _PH_SINGLE_DELTA
5 | {
6 | FLOAT Value;
7 | FLOAT Delta;
8 | } PH_SINGLE_DELTA, *PPH_SINGLE_DELTA;
9 |
10 | typedef struct _PH_UINT32_DELTA
11 | {
12 | ULONG Value;
13 | ULONG Delta;
14 | } PH_UINT32_DELTA, *PPH_UINT32_DELTA;
15 |
16 | typedef struct _PH_UINT64_DELTA
17 | {
18 | ULONG64 Value;
19 | ULONG64 Delta;
20 | } PH_UINT64_DELTA, *PPH_UINT64_DELTA;
21 |
22 | typedef struct _PH_UINTPTR_DELTA
23 | {
24 | ULONG_PTR Value;
25 | ULONG_PTR Delta;
26 | } PH_UINTPTR_DELTA, *PPH_UINTPTR_DELTA;
27 |
// Resets both fields of a delta record. DltMgr is evaluated twice.
#define PhInitializeDelta(DltMgr) \
    ((DltMgr)->Value = 0, (DltMgr)->Delta = 0)

// Records NewValue, stores the change since the previous Value in Delta, and
// yields that delta. DltMgr and NewValue are each evaluated twice, so never pass
// an expression with side effects (a function call, ++, etc.). For the unsigned
// variants (ULONG/ULONG64/ULONG_PTR) a decrease wraps around rather than going
// negative.
#define PhUpdateDelta(DltMgr, NewValue) \
    ((DltMgr)->Delta = (NewValue) - (DltMgr)->Value, \
    (DltMgr)->Value = (NewValue), (DltMgr)->Delta)
34 |
35 | #endif
36 |
--------------------------------------------------------------------------------
/include/sys/dspick.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_DSPICK_H
2 | #define _PH_DSPICK_H
3 |
4 | #define PH_DSPICK_MULTISELECT 0x1
5 |
/**
 * One object chosen in the directory-services picker: its name and SID.
 * Ownership of Name and Sid presumably lies with the containing
 * PH_DSPICK_OBJECTS and is released by PhFreeDsObjectPickerObjects — confirm.
 */
typedef struct _PH_DSPICK_OBJECT
{
    PPH_STRING Name;
    PSID Sid;
} PH_DSPICK_OBJECT, *PPH_DSPICK_OBJECT;
11 |
/**
 * Result of PhShowDsObjectPickerDialog; free with PhFreeDsObjectPickerObjects.
 * Objects[1] is the pre-C99 trailing-array idiom: the allocation is presumably
 * sized for NumberOfObjects entries, so index only below NumberOfObjects and do
 * not use sizeof on this struct to compute that size.
 */
typedef struct _PH_DSPICK_OBJECTS
{
    ULONG NumberOfObjects;
    PH_DSPICK_OBJECT Objects[1];
} PH_DSPICK_OBJECTS, *PPH_DSPICK_OBJECTS;
17 |
18 | PHLIBAPI
19 | VOID PhFreeDsObjectPickerDialog(
20 | _In_ PVOID PickerDialog
21 | );
22 |
23 | PHLIBAPI
24 | PVOID PhCreateDsObjectPickerDialog(
25 | _In_ ULONG Flags
26 | );
27 |
28 | PHLIBAPI
29 | BOOLEAN PhShowDsObjectPickerDialog(
30 | _In_ HWND hWnd,
31 | _In_ PVOID PickerDialog,
32 | _Out_ PPH_DSPICK_OBJECTS *Objects
33 | );
34 |
35 | PHLIBAPI
36 | VOID PhFreeDsObjectPickerObjects(
37 | _In_ PPH_DSPICK_OBJECTS Objects
38 | );
39 |
40 | #endif
41 |
--------------------------------------------------------------------------------
/include/sys/emenu.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_EMENU_H
2 | #define _PH_EMENU_H
3 |
4 | #define PH_EMENU_DISABLED 0x1
5 | #define PH_EMENU_CHECKED 0x2
6 | #define PH_EMENU_HIGHLIGHT 0x4
7 | #define PH_EMENU_MENUBARBREAK 0x8
8 | #define PH_EMENU_MENUBREAK 0x10
9 | #define PH_EMENU_DEFAULT 0x20
10 | #define PH_EMENU_MOUSESELECT 0x40
11 | #define PH_EMENU_RADIOCHECK 0x80
12 |
13 | #define PH_EMENU_STRING 0x100000
14 | #define PH_EMENU_SEPARATOR 0x200000
15 |
16 | #define PH_EMENU_TEXT_OWNED 0x80000000
17 | #define PH_EMENU_BITMAP_OWNED 0x40000000
18 |
19 | struct _PH_EMENU_ITEM;
20 |
21 | typedef VOID (NTAPI *PPH_EMENU_ITEM_DELETE_FUNCTION)(
22 | _In_ struct _PH_EMENU_ITEM *Item
23 | );
24 |
25 | typedef struct _PH_EMENU_ITEM
26 | {
27 | ULONG Flags;
28 | ULONG Id;
29 | PWSTR Text;
30 | HBITMAP Bitmap;
31 |
32 | PVOID Parameter;
33 | PVOID Context;
34 | PPH_EMENU_ITEM_DELETE_FUNCTION DeleteFunction;
35 | PVOID Reserved;
36 |
37 | struct _PH_EMENU_ITEM *Parent;
38 | PPH_LIST Items;
39 | } PH_EMENU_ITEM, *PPH_EMENU_ITEM;
40 |
41 | typedef struct _PH_EMENU_ITEM PH_EMENU, *PPH_EMENU;
42 |
43 | PHLIBAPI
44 | PPH_EMENU_ITEM PhCreateEMenuItem(
45 | _In_ ULONG Flags,
46 | _In_ ULONG Id,
47 | _In_ PWSTR Text,
48 | _In_opt_ PWSTR Bitmap,
49 | _In_opt_ PVOID Context
50 | );
51 |
52 | PHLIBAPI
53 | VOID PhDestroyEMenuItem(
54 | _In_ PPH_EMENU_ITEM Item
55 | );
56 |
57 | #define PH_EMENU_FIND_DESCEND 0x1
58 | #define PH_EMENU_FIND_STARTSWITH 0x2
59 | #define PH_EMENU_FIND_LITERAL 0x4
60 |
61 | PHLIBAPI
62 | PPH_EMENU_ITEM PhFindEMenuItem(
63 | _In_ PPH_EMENU_ITEM Item,
64 | _In_ ULONG Flags,
65 | _In_opt_ PWSTR Text,
66 | _In_opt_ ULONG Id
67 | );
68 |
69 | PPH_EMENU_ITEM PhFindEMenuItemEx(
70 | _In_ PPH_EMENU_ITEM Item,
71 | _In_ ULONG Flags,
72 | _In_opt_ PWSTR Text,
73 | _In_opt_ ULONG Id,
74 | _Out_opt_ PPH_EMENU_ITEM *FoundParent,
75 | _Out_opt_ PULONG FoundIndex
76 | );
77 |
78 | PHLIBAPI
79 | ULONG PhIndexOfEMenuItem(
80 | _In_ PPH_EMENU_ITEM Parent,
81 | _In_ PPH_EMENU_ITEM Item
82 | );
83 |
84 | PHLIBAPI
85 | VOID PhInsertEMenuItem(
86 | _Inout_ PPH_EMENU_ITEM Parent,
87 | _Inout_ PPH_EMENU_ITEM Item,
88 | _In_ ULONG Index
89 | );
90 |
91 | PHLIBAPI
92 | BOOLEAN PhRemoveEMenuItem(
93 | _Inout_opt_ PPH_EMENU_ITEM Parent,
94 | _In_opt_ PPH_EMENU_ITEM Item,
95 | _In_opt_ ULONG Index
96 | );
97 |
98 | PHLIBAPI
99 | VOID PhRemoveAllEMenuItems(
100 | _Inout_ PPH_EMENU_ITEM Parent
101 | );
102 |
103 | PHLIBAPI
104 | PPH_EMENU PhCreateEMenu(
105 | VOID
106 | );
107 |
108 | PHLIBAPI
109 | VOID PhDestroyEMenu(
110 | _In_ PPH_EMENU Menu
111 | );
112 |
113 | #define PH_EMENU_CONVERT_ID 0x1
114 |
115 | typedef struct _PH_EMENU_DATA
116 | {
117 | PPH_LIST IdToItem;
118 | } PH_EMENU_DATA, *PPH_EMENU_DATA;
119 |
120 | VOID PhInitializeEMenuData(
121 | _Out_ PPH_EMENU_DATA Data
122 | );
123 |
124 | VOID PhDeleteEMenuData(
125 | _Inout_ PPH_EMENU_DATA Data
126 | );
127 |
128 | HMENU PhEMenuToHMenu(
129 | _In_ PPH_EMENU_ITEM Menu,
130 | _In_ ULONG Flags,
131 | _Inout_opt_ PPH_EMENU_DATA Data
132 | );
133 |
134 | VOID PhEMenuToHMenu2(
135 | _In_ HMENU MenuHandle,
136 | _In_ PPH_EMENU_ITEM Menu,
137 | _In_ ULONG Flags,
138 | _Inout_opt_ PPH_EMENU_DATA Data
139 | );
140 |
141 | VOID PhHMenuToEMenuItem(
142 | _Inout_ PPH_EMENU_ITEM MenuItem,
143 | _In_ HMENU MenuHandle
144 | );
145 |
146 | PHLIBAPI
147 | VOID PhLoadResourceEMenuItem(
148 | _Inout_ PPH_EMENU_ITEM MenuItem,
149 | _In_ HINSTANCE InstanceHandle,
150 | _In_ PWSTR Resource,
151 | _In_ ULONG SubMenuIndex
152 | );
153 |
154 | #define PH_EMENU_SHOW_NONOTIFY 0x1
155 | #define PH_EMENU_SHOW_LEFTRIGHT 0x2
156 |
157 | PHLIBAPI
158 | PPH_EMENU_ITEM PhShowEMenu(
159 | _In_ PPH_EMENU Menu,
160 | _In_ HWND WindowHandle,
161 | _In_ ULONG Flags,
162 | _In_ ULONG Align,
163 | _In_ ULONG X,
164 | _In_ ULONG Y
165 | );
166 |
167 | // Convenience functions
168 |
169 | PHLIBAPI
170 | BOOLEAN PhSetFlagsEMenuItem(
171 | _In_ PPH_EMENU_ITEM Item,
172 | _In_ ULONG Id,
173 | _In_ ULONG Mask,
174 | _In_ ULONG Value
175 | );
176 |
/**
 * Enables (Enable != 0) or disables the menu item identified by Id, as resolved
 * by PhSetFlagsEMenuItem, by setting or clearing PH_EMENU_DISABLED.
 *
 * \return Whatever PhSetFlagsEMenuItem returns.
 */
FORCEINLINE BOOLEAN PhEnableEMenuItem(
    _In_ PPH_EMENU_ITEM Item,
    _In_ ULONG Id,
    _In_ BOOLEAN Enable
    )
{
    ULONG disabledBits = PH_EMENU_DISABLED;

    // Enabling means the DISABLED bit ends up clear within the mask.
    if (Enable)
        disabledBits = 0;

    return PhSetFlagsEMenuItem(Item, Id, PH_EMENU_DISABLED, disabledBits);
}
185 |
186 | PHLIBAPI
187 | VOID PhSetFlagsAllEMenuItems(
188 | _In_ PPH_EMENU_ITEM Item,
189 | _In_ ULONG Mask,
190 | _In_ ULONG Value
191 | );
192 |
193 | #endif
194 |
--------------------------------------------------------------------------------
/include/sys/fastlock.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_FASTLOCK_H
2 | #define _PH_FASTLOCK_H
3 |
4 | // FastLock is a port of FastResourceLock from PH 1.x.
5 |
6 | #ifdef __cplusplus
7 | extern "C" {
8 | #endif
9 |
/**
 * A lock with exclusive and shared (reader/writer) modes, operated through the
 * Phf*FastLock* routines declared below. Value is the lock state word; the two
 * handles are wake events for waiters — the split by waiter kind is suggested
 * by the field names only, confirm in the implementation.
 */
typedef struct _PH_FAST_LOCK
{
    ULONG Value;                // lock state word
    HANDLE ExclusiveWakeEvent;  // presumably wakes waiting exclusive acquirers
    HANDLE SharedWakeEvent;     // presumably wakes waiting shared acquirers
} PH_FAST_LOCK, *PPH_FAST_LOCK;

// Static initializer: unlocked, no wake events created yet.
#define PH_FAST_LOCK_INIT { 0, NULL, NULL }
18 |
19 | VOID PhFastLockInitialization(
20 | VOID
21 | );
22 |
23 | PHLIBAPI
24 | VOID
25 | NTAPI
26 | PhInitializeFastLock(
27 | _Out_ PPH_FAST_LOCK FastLock
28 | );
29 |
30 | PHLIBAPI
31 | VOID
32 | NTAPI
33 | PhDeleteFastLock(
34 | _Inout_ PPH_FAST_LOCK FastLock
35 | );
36 |
37 | #define PhAcquireFastLockExclusive PhfAcquireFastLockExclusive
38 | _May_raise_
39 | _Acquires_exclusive_lock_(*FastLock)
40 | PHLIBAPI
41 | VOID
42 | FASTCALL
43 | PhfAcquireFastLockExclusive(
44 | _Inout_ PPH_FAST_LOCK FastLock
45 | );
46 |
47 | #define PhAcquireFastLockShared PhfAcquireFastLockShared
48 | _May_raise_
49 | _Acquires_shared_lock_(*FastLock)
50 | PHLIBAPI
51 | VOID
52 | FASTCALL
53 | PhfAcquireFastLockShared(
54 | _Inout_ PPH_FAST_LOCK FastLock
55 | );
56 |
57 | #define PhReleaseFastLockExclusive PhfReleaseFastLockExclusive
58 | _Releases_exclusive_lock_(*FastLock)
59 | PHLIBAPI
60 | VOID
61 | FASTCALL
62 | PhfReleaseFastLockExclusive(
63 | _Inout_ PPH_FAST_LOCK FastLock
64 | );
65 |
66 | #define PhReleaseFastLockShared PhfReleaseFastLockShared
67 | _Releases_shared_lock_(*FastLock)
68 | PHLIBAPI
69 | VOID
70 | FASTCALL
71 | PhfReleaseFastLockShared(
72 | _Inout_ PPH_FAST_LOCK FastLock
73 | );
74 |
75 | #define PhTryAcquireFastLockExclusive PhfTryAcquireFastLockExclusive
76 | _When_(return != 0, _Acquires_exclusive_lock_(*FastLock))
77 | PHLIBAPI
78 | BOOLEAN
79 | FASTCALL
80 | PhfTryAcquireFastLockExclusive(
81 | _Inout_ PPH_FAST_LOCK FastLock
82 | );
83 |
84 | #define PhTryAcquireFastLockShared PhfTryAcquireFastLockShared
85 | _When_(return != 0, _Acquires_shared_lock_(*FastLock))
86 | PHLIBAPI
87 | BOOLEAN
88 | FASTCALL
89 | PhfTryAcquireFastLockShared(
90 | _Inout_ PPH_FAST_LOCK FastLock
91 | );
92 |
93 | #ifdef __cplusplus
94 | }
95 | #endif
96 |
97 | #endif
98 |
--------------------------------------------------------------------------------
/include/sys/filepool.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_FILEPOOL_H
2 | #define _PH_FILEPOOL_H
3 |
4 | // On-disk structures
5 |
6 | // Each file has at least one segment.
7 | // Each segment has a number of blocks, which are allocated
8 | // from a bitmap. The segment header is always in the first block
9 | // of each segment, except for the first segment. In the first segment,
10 | // the file header is in the first few blocks, followed by the segment header.
11 | //
12 | // The segments are placed in a particular free list depending on how many
13 | // blocks they have free; this allows allocators to simply skip the segments
14 | // which don't have enough blocks free, and allocate new segments if necessary.
15 | // The free list does not however guarantee that a particular segment has
16 | // a particular number of contiguous blocks free; low performance can still
17 | // occur when there is fragmentation.
18 |
19 | /** The number of 32-bit integers used for each allocation bitmap. */
20 | #define PH_FP_BITMAP_SIZE 64
21 | /** The power-of-two index of the bitmap size. */
22 | #define PH_FP_BITMAP_SIZE_SHIFT 6
23 | /** The number of blocks that are available in each segment. */
24 | #define PH_FP_BLOCK_COUNT (PH_FP_BITMAP_SIZE * 32)
25 | /** The power-of-two index of the block count. */
26 | #define PH_FP_BLOCK_COUNT_SHIFT (PH_FP_BITMAP_SIZE_SHIFT + 5)
27 | /** The number of free lists for segments. */
28 | #define PH_FP_FREE_LIST_COUNT 8
29 |
30 | // Block flags
31 | /** The block is the beginning of a large allocation (one that spans several segments). */
32 | #define PH_FP_BLOCK_LARGE_ALLOCATION 0x1
33 |
34 | typedef struct _PH_FP_BLOCK_HEADER
35 | {
36 | ULONG Flags; // PH_FP_BLOCK_*
37 | /** The number of blocks in the entire logical block, or the number
38 | * of segments in a large allocation. */
39 | ULONG Span;
40 | ULONGLONG Body;
41 | } PH_FP_BLOCK_HEADER, *PPH_FP_BLOCK_HEADER;
42 |
43 | typedef struct _PH_FP_SEGMENT_HEADER
44 | {
45 | ULONG Bitmap[PH_FP_BITMAP_SIZE];
46 | ULONG FreeBlocks;
47 | ULONG FreeFlink;
48 | ULONG FreeBlink;
49 | ULONG Reserved[13];
50 | } PH_FP_SEGMENT_HEADER, *PPH_FP_SEGMENT_HEADER;
51 |
52 | #define PH_FP_MAGIC ('loPF')
53 |
/**
 * On-disk header stored in the first blocks of the first segment.
 *
 * NOTE(review): every field here is read from the mapped file, so for a pool
 * opened on a file that is corrupted or not trusted, Magic (PH_FP_MAGIC),
 * SegmentShift (the 16..28 range documented for PH_FILE_POOL_PARAMETERS) and
 * SegmentCount should be validated before they drive mapping sizes or offsets —
 * confirm that PhCreateFilePool does this.
 */
typedef struct _PH_FP_FILE_HEADER
{
    ULONG Magic;                            // expected to equal PH_FP_MAGIC
    ULONG SegmentShift;                     // base-2 log of the segment size
    ULONG SegmentCount;                     // number of segments in the file
    ULONGLONG UserContext;                  // opaque value; see PhGet/SetUserContextFilePool
    ULONG FreeLists[PH_FP_FREE_LIST_COUNT]; // heads of the segment free lists described above
} PH_FP_FILE_HEADER, *PPH_FP_FILE_HEADER;
62 |
63 | // Runtime
64 |
65 | typedef struct _PH_FILE_POOL_PARAMETERS
66 | {
67 | // File options
68 |
69 | /** The base-2 logarithm of the size of each segment. This value
70 | * must be between 16 and 28, inclusive. */
71 | ULONG SegmentShift;
72 |
73 | // Runtime options
74 |
75 | /** The maximum number of inactive segments to keep mapped. */
76 | ULONG MaximumInactiveViews;
77 | } PH_FILE_POOL_PARAMETERS, *PPH_FILE_POOL_PARAMETERS;
78 |
79 | typedef struct _PH_FILE_POOL
80 | {
81 | HANDLE FileHandle;
82 | HANDLE SectionHandle;
83 | BOOLEAN ReadOnly;
84 |
85 | PH_FREE_LIST ViewFreeList;
86 | PLIST_ENTRY *ByIndexBuckets;
87 | ULONG ByIndexSize;
88 | PH_AVL_TREE ByBaseSet;
89 |
90 | ULONG MaximumInactiveViews;
91 | ULONG NumberOfInactiveViews;
92 | LIST_ENTRY InactiveViewsListHead;
93 |
94 | PPH_FP_BLOCK_HEADER FirstBlockOfFirstSegment;
95 | PPH_FP_FILE_HEADER Header;
96 | ULONG SegmentShift; // The power-of-two size of each segment
97 | ULONG SegmentSize; // The size of each segment
98 | ULONG BlockShift; // The power-of-two size of each block in each segment
99 | ULONG BlockSize; // The size of each block in each segment
100 | ULONG FileHeaderBlockSpan; // The number of blocks needed to store a file header
101 | ULONG SegmentHeaderBlockSpan; // The number of blocks needed to store a segment header
102 | } PH_FILE_POOL, *PPH_FILE_POOL;
103 |
104 | NTSTATUS PhCreateFilePool(
105 | _Out_ PPH_FILE_POOL *Pool,
106 | _In_ HANDLE FileHandle,
107 | _In_ BOOLEAN ReadOnly,
108 | _In_opt_ PPH_FILE_POOL_PARAMETERS Parameters
109 | );
110 |
111 | NTSTATUS PhCreateFilePool2(
112 | _Out_ PPH_FILE_POOL *Pool,
113 | _In_ PWSTR FileName,
114 | _In_ BOOLEAN ReadOnly,
115 | _In_ ULONG ShareAccess,
116 | _In_ ULONG CreateDisposition,
117 | _In_opt_ PPH_FILE_POOL_PARAMETERS Parameters
118 | );
119 |
120 | VOID PhDestroyFilePool(
121 | _In_ _Post_invalid_ PPH_FILE_POOL Pool
122 | );
123 |
124 | PVOID PhAllocateFilePool(
125 | _Inout_ PPH_FILE_POOL Pool,
126 | _In_ ULONG Size,
127 | _Out_opt_ PULONG Rva
128 | );
129 |
130 | VOID PhFreeFilePool(
131 | _Inout_ PPH_FILE_POOL Pool,
132 | _In_ PVOID Block
133 | );
134 |
135 | BOOLEAN PhFreeFilePoolByRva(
136 | _Inout_ PPH_FILE_POOL Pool,
137 | _In_ ULONG Rva
138 | );
139 |
140 | VOID PhReferenceFilePool(
141 | _Inout_ PPH_FILE_POOL Pool,
142 | _In_ PVOID Address
143 | );
144 |
145 | VOID PhDereferenceFilePool(
146 | _Inout_ PPH_FILE_POOL Pool,
147 | _In_ PVOID Address
148 | );
149 |
150 | PVOID PhReferenceFilePoolByRva(
151 | _Inout_ PPH_FILE_POOL Pool,
152 | _In_ ULONG Rva
153 | );
154 |
155 | BOOLEAN PhDereferenceFilePoolByRva(
156 | _Inout_ PPH_FILE_POOL Pool,
157 | _In_ ULONG Rva
158 | );
159 |
160 | ULONG PhEncodeRvaFilePool(
161 | _In_ PPH_FILE_POOL Pool,
162 | _In_ PVOID Address
163 | );
164 |
165 | VOID PhGetUserContextFilePool(
166 | _In_ PPH_FILE_POOL Pool,
167 | _Out_ PULONGLONG Context
168 | );
169 |
170 | VOID PhSetUserContextFilePool(
171 | _Inout_ PPH_FILE_POOL Pool,
172 | _In_ PULONGLONG Context
173 | );
174 |
175 | #endif
176 |
--------------------------------------------------------------------------------
/include/sys/filepoolp.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_FILEPOOLP_H
2 | #define _PH_FILEPOOLP_H
3 |
4 | typedef struct _PH_FILE_POOL_VIEW
5 | {
6 | LIST_ENTRY ByIndexListEntry;
7 | PH_AVL_LINKS ByBaseLinks;
8 | LIST_ENTRY InactiveViewsListEntry;
9 |
10 | ULONG RefCount;
11 | ULONG SegmentIndex;
12 | PVOID Base;
13 | } PH_FILE_POOL_VIEW, *PPH_FILE_POOL_VIEW;
14 |
15 | NTSTATUS PhpValidateFilePoolParameters(
16 | _Inout_ PPH_FILE_POOL_PARAMETERS Parameters
17 | );
18 |
19 | VOID PhpSetDefaultFilePoolParameters(
20 | _Out_ PPH_FILE_POOL_PARAMETERS Parameters
21 | );
22 |
23 | // Range mapping
24 |
25 | NTSTATUS PhFppExtendRange(
26 | _Inout_ PPH_FILE_POOL Pool,
27 | _In_ ULONG NewSize
28 | );
29 |
30 | NTSTATUS PhFppMapRange(
31 | _Inout_ PPH_FILE_POOL Pool,
32 | _In_ ULONG Offset,
33 | _In_ ULONG Size,
34 | _Out_ PVOID *Base
35 | );
36 |
37 | NTSTATUS PhFppUnmapRange(
38 | _Inout_ PPH_FILE_POOL Pool,
39 | _In_ PVOID Base
40 | );
41 |
42 | // Segments
43 |
44 | VOID PhFppInitializeSegment(
45 | _Inout_ PPH_FILE_POOL Pool,
46 | _Out_ PPH_FP_BLOCK_HEADER BlockOfSegmentHeader,
47 | _In_ ULONG AdditionalBlocksUsed
48 | );
49 |
50 | PPH_FP_BLOCK_HEADER PhFppAllocateSegment(
51 | _Inout_ PPH_FILE_POOL Pool,
52 | _Out_ PULONG NewSegmentIndex
53 | );
54 |
55 | PPH_FP_SEGMENT_HEADER PhFppGetHeaderSegment(
56 | _Inout_ PPH_FILE_POOL Pool,
57 | _In_ PPH_FP_BLOCK_HEADER FirstBlock
58 | );
59 |
60 | // Views
61 |
62 | VOID PhFppAddViewByIndex(
63 | _Inout_ PPH_FILE_POOL Pool,
64 | _Inout_ PPH_FILE_POOL_VIEW View
65 | );
66 |
67 | VOID PhFppRemoveViewByIndex(
68 | _Inout_ PPH_FILE_POOL Pool,
69 | _Inout_ PPH_FILE_POOL_VIEW View
70 | );
71 |
72 | PPH_FILE_POOL_VIEW PhFppFindViewByIndex(
73 | _Inout_ PPH_FILE_POOL Pool,
74 | _In_ ULONG SegmentIndex
75 | );
76 |
77 | LONG NTAPI PhpFilePoolViewByBaseCompareFunction(
78 | _In_ PPH_AVL_LINKS Links1,
79 | _In_ PPH_AVL_LINKS Links2
80 | );
81 |
82 | VOID PhFppAddViewByBase(
83 | _Inout_ PPH_FILE_POOL Pool,
84 | _Inout_ PPH_FILE_POOL_VIEW View
85 | );
86 |
87 | VOID PhFppRemoveViewByBase(
88 | _Inout_ PPH_FILE_POOL Pool,
89 | _Inout_ PPH_FILE_POOL_VIEW View
90 | );
91 |
92 | PPH_FILE_POOL_VIEW PhFppFindViewByBase(
93 | _Inout_ PPH_FILE_POOL Pool,
94 | _In_ PVOID Base
95 | );
96 |
97 | PPH_FILE_POOL_VIEW PhFppCreateView(
98 | _Inout_ PPH_FILE_POOL Pool,
99 | _In_ ULONG SegmentIndex
100 | );
101 |
102 | VOID PhFppDestroyView(
103 | _Inout_ PPH_FILE_POOL Pool,
104 | _Inout_ PPH_FILE_POOL_VIEW View
105 | );
106 |
107 | VOID PhFppActivateView(
108 | _Inout_ PPH_FILE_POOL Pool,
109 | _Inout_ PPH_FILE_POOL_VIEW View
110 | );
111 |
112 | VOID PhFppDeactivateView(
113 | _Inout_ PPH_FILE_POOL Pool,
114 | _Inout_ PPH_FILE_POOL_VIEW View
115 | );
116 |
117 | VOID PhFppReferenceView(
118 | _Inout_ PPH_FILE_POOL Pool,
119 | _Inout_ PPH_FILE_POOL_VIEW View
120 | );
121 |
122 | VOID PhFppDereferenceView(
123 | _Inout_ PPH_FILE_POOL Pool,
124 | _Inout_ PPH_FILE_POOL_VIEW View
125 | );
126 |
127 | PPH_FP_BLOCK_HEADER PhFppReferenceSegment(
128 | _Inout_ PPH_FILE_POOL Pool,
129 | _In_ ULONG SegmentIndex
130 | );
131 |
132 | VOID PhFppDereferenceSegment(
133 | _Inout_ PPH_FILE_POOL Pool,
134 | _In_ ULONG SegmentIndex
135 | );
136 |
137 | VOID PhFppReferenceSegmentByBase(
138 | _Inout_ PPH_FILE_POOL Pool,
139 | _In_ PVOID Base
140 | );
141 |
142 | VOID PhFppDereferenceSegmentByBase(
143 | _Inout_ PPH_FILE_POOL Pool,
144 | _In_ PVOID Base
145 | );
146 |
147 | // Bitmap allocation
148 |
149 | PPH_FP_BLOCK_HEADER PhFppAllocateBlocks(
150 | _Inout_ PPH_FILE_POOL Pool,
151 | _In_ PPH_FP_BLOCK_HEADER FirstBlock,
152 | _Inout_ PPH_FP_SEGMENT_HEADER SegmentHeader,
153 | _In_ ULONG NumberOfBlocks
154 | );
155 |
156 | VOID PhFppFreeBlocks(
157 | _Inout_ PPH_FILE_POOL Pool,
158 | _In_ PPH_FP_BLOCK_HEADER FirstBlock,
159 | _Inout_ PPH_FP_SEGMENT_HEADER SegmentHeader,
160 | _In_ PPH_FP_BLOCK_HEADER BlockHeader
161 | );
162 |
163 | // Free list
164 |
165 | ULONG PhFppComputeFreeListIndex(
166 | _In_ PPH_FILE_POOL Pool,
167 | _In_ ULONG NumberOfBlocks
168 | );
169 |
170 | BOOLEAN PhFppInsertFreeList(
171 | _Inout_ PPH_FILE_POOL Pool,
172 | _In_ ULONG FreeListIndex,
173 | _In_ ULONG SegmentIndex,
174 | _In_ PPH_FP_SEGMENT_HEADER SegmentHeader
175 | );
176 |
177 | BOOLEAN PhFppRemoveFreeList(
178 | _Inout_ PPH_FILE_POOL Pool,
179 | _In_ ULONG FreeListIndex,
180 | _In_ ULONG SegmentIndex,
181 | _In_ PPH_FP_SEGMENT_HEADER SegmentHeader
182 | );
183 |
184 | // Misc.
185 |
186 | PPH_FP_BLOCK_HEADER PhFppGetHeaderBlock(
187 | _In_ PPH_FILE_POOL Pool,
188 | _In_ PVOID Block
189 | );
190 |
191 | ULONG PhFppEncodeRva(
192 | _In_ PPH_FILE_POOL Pool,
193 | _In_ ULONG SegmentIndex,
194 | _In_ PPH_FP_BLOCK_HEADER FirstBlock,
195 | _In_ PVOID Address
196 | );
197 |
198 | ULONG PhFppDecodeRva(
199 | _In_ PPH_FILE_POOL Pool,
200 | _In_ ULONG Rva,
201 | _Out_ PULONG SegmentIndex
202 | );
203 |
204 | #endif
205 |
--------------------------------------------------------------------------------
/include/sys/graph.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_GRAPH_H
2 | #define _PH_GRAPH_H
3 |
4 | // Graph drawing
5 |
6 | #ifndef _PH_GRAPH_PRIVATE
7 | extern RECT PhNormalGraphTextMargin;
8 | extern RECT PhNormalGraphTextPadding;
9 | #endif
10 |
11 | #define PH_GRAPH_USE_GRID 0x1
12 | #define PH_GRAPH_USE_LINE_2 0x10
13 | #define PH_GRAPH_OVERLAY_LINE_2 0x20
14 |
15 | typedef struct _PH_GRAPH_DRAW_INFO
16 | {
17 | // Basic
18 | ULONG Width;
19 | ULONG Height;
20 | ULONG Flags;
21 | ULONG Step;
22 | COLORREF BackColor;
23 |
24 | // Data/lines
25 | ULONG LineDataCount;
26 | PFLOAT LineData1;
27 | PFLOAT LineData2;
28 | COLORREF LineColor1;
29 | COLORREF LineColor2;
30 | COLORREF LineBackColor1;
31 | COLORREF LineBackColor2;
32 |
33 | // Grid
34 | COLORREF GridColor;
35 | ULONG GridWidth;
36 | ULONG GridHeight;
37 | ULONG GridStart;
38 |
39 | // Text
40 | PH_STRINGREF Text;
41 | RECT TextRect;
42 | RECT TextBoxRect;
43 | COLORREF TextColor;
44 | COLORREF TextBoxColor;
45 | } PH_GRAPH_DRAW_INFO, *PPH_GRAPH_DRAW_INFO;
46 |
47 | // Graph control
48 |
49 | #define PH_GRAPH_CLASSNAME L"PhGraph"
50 |
51 | BOOLEAN PhGraphControlInitialization(
52 | VOID
53 | );
54 |
55 | PHLIBAPI
56 | VOID PhDrawGraph(
57 | _In_ HDC hdc,
58 | _In_ PPH_GRAPH_DRAW_INFO DrawInfo
59 | );
60 |
61 | PHLIBAPI
62 | VOID PhDrawGraphDirect(
63 | _In_ HDC hdc,
64 | _In_ PVOID Bits,
65 | _In_ PPH_GRAPH_DRAW_INFO DrawInfo
66 | );
67 |
68 | PHLIBAPI
69 | VOID PhSetGraphText(
70 | _In_ HDC hdc,
71 | _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo,
72 | _In_ PPH_STRINGREF Text,
73 | _In_ PRECT Margin,
74 | _In_ PRECT Padding,
75 | _In_ ULONG Align
76 | );
77 |
78 | // Configuration
79 |
80 | typedef struct _PH_GRAPH_OPTIONS
81 | {
82 | COLORREF FadeOutBackColor;
83 | ULONG FadeOutWidth;
84 | HCURSOR DefaultCursor;
85 | } PH_GRAPH_OPTIONS, *PPH_GRAPH_OPTIONS;
86 |
87 | // Styles
88 |
89 | #define GC_STYLE_FADEOUT 0x1
90 | #define GC_STYLE_DRAW_PANEL 0x2
91 |
92 | // Messages
93 |
94 | #define GCM_GETDRAWINFO (WM_USER + 1301)
95 | #define GCM_SETDRAWINFO (WM_USER + 1302)
96 | #define GCM_DRAW (WM_USER + 1303)
97 | #define GCM_MOVEGRID (WM_USER + 1304)
98 | #define GCM_GETBUFFEREDCONTEXT (WM_USER + 1305)
99 | #define GCM_SETTOOLTIP (WM_USER + 1306)
100 | #define GCM_UPDATETOOLTIP (WM_USER + 1307)
101 | #define GCM_GETOPTIONS (WM_USER + 1308)
102 | #define GCM_SETOPTIONS (WM_USER + 1309)
103 |
104 | #define Graph_GetDrawInfo(hWnd, DrawInfo) \
105 | SendMessage((hWnd), GCM_GETDRAWINFO, 0, (LPARAM)(DrawInfo))
106 | #define Graph_SetDrawInfo(hWnd, DrawInfo) \
107 | SendMessage((hWnd), GCM_SETDRAWINFO, 0, (LPARAM)(DrawInfo))
108 | #define Graph_Draw(hWnd) \
109 | SendMessage((hWnd), GCM_DRAW, 0, 0)
110 | #define Graph_MoveGrid(hWnd, Increment) \
111 | SendMessage((hWnd), GCM_MOVEGRID, (WPARAM)(Increment), 0)
112 | #define Graph_GetBufferedContext(hWnd) \
113 | ((HDC)SendMessage((hWnd), GCM_GETBUFFEREDCONTEXT, 0, 0))
// NOTE(review): both tooltip macros cast the SendMessage result to HDC, although
// GCM_SETTOOLTIP / GCM_UPDATETOOLTIP are not buffered-context queries; this looks
// like a copy of Graph_GetBufferedContext and the cast is presumably meaningless —
// verify against the control's window procedure before relying on the return value.
114 | #define Graph_SetTooltip(hWnd, Enable) \
115 | ((HDC)SendMessage((hWnd), GCM_SETTOOLTIP, (WPARAM)(Enable), 0))
116 | #define Graph_UpdateTooltip(hWnd) \
117 | ((HDC)SendMessage((hWnd), GCM_UPDATETOOLTIP, 0, 0))
118 | #define Graph_GetOptions(hWnd, Options) \
119 | SendMessage((hWnd), GCM_GETOPTIONS, 0, (LPARAM)(Options))
120 | #define Graph_SetOptions(hWnd, Options) \
121 | SendMessage((hWnd), GCM_SETOPTIONS, 0, (LPARAM)(Options))
122 |
123 | // Notifications
124 |
125 | #define GCN_GETDRAWINFO (WM_USER + 1351)
126 | #define GCN_GETTOOLTIPTEXT (WM_USER + 1352)
127 | #define GCN_MOUSEEVENT (WM_USER + 1353)
128 | #define GCN_DRAWPANEL (WM_USER + 1354)
129 |
130 | typedef struct _PH_GRAPH_GETDRAWINFO
131 | {
132 | NMHDR Header;
133 | PPH_GRAPH_DRAW_INFO DrawInfo;
134 | } PH_GRAPH_GETDRAWINFO, *PPH_GRAPH_GETDRAWINFO;
135 |
136 | typedef struct _PH_GRAPH_GETTOOLTIPTEXT
137 | {
138 | NMHDR Header;
139 | ULONG Index;
140 | ULONG TotalCount;
141 |
142 | PH_STRINGREF Text; // must be null-terminated
143 | } PH_GRAPH_GETTOOLTIPTEXT, *PPH_GRAPH_GETTOOLTIPTEXT;
144 |
145 | typedef struct _PH_GRAPH_MOUSEEVENT
146 | {
147 | NMHDR Header;
148 | ULONG Index;
149 | ULONG TotalCount;
150 |
151 | ULONG Message;
152 | ULONG Keys;
153 | POINT Point;
154 | } PH_GRAPH_MOUSEEVENT, *PPH_GRAPH_MOUSEEVENT;
155 |
156 | typedef struct _PH_GRAPH_DRAWPANEL
157 | {
158 | NMHDR Header;
159 | HDC hdc;
160 | RECT Rect;
161 | } PH_GRAPH_DRAWPANEL, *PPH_GRAPH_DRAWPANEL;
162 |
163 | // Graph buffer management
164 |
// NOTE(review): Step must be non-zero (it is the divisor) and Width + Step - 1
// must not overflow ULONG; neither condition is checked here, so callers are
// expected to pass sane step sizes — verify at the call sites.
165 | #define PH_GRAPH_DATA_COUNT(Width, Step) (((Width) + (Step) - 1) / (Step) + 1) // round up in division
166 |
167 | typedef struct _PH_GRAPH_BUFFERS
168 | {
169 | PFLOAT Data1; // invalidate by setting Valid to FALSE
170 | PFLOAT Data2; // invalidate by setting Valid to FALSE
171 | ULONG AllocatedCount;
172 | BOOLEAN Valid; // indicates the data is valid
173 | } PH_GRAPH_BUFFERS, *PPH_GRAPH_BUFFERS;
174 |
175 | VOID PhInitializeGraphBuffers(
176 | _Out_ PPH_GRAPH_BUFFERS Buffers
177 | );
178 |
179 | VOID PhDeleteGraphBuffers(
180 | _Inout_ PPH_GRAPH_BUFFERS Buffers
181 | );
182 |
183 | PHLIBAPI
184 | VOID PhGetDrawInfoGraphBuffers(
185 | _Inout_ PPH_GRAPH_BUFFERS Buffers,
186 | _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo,
187 | _In_ ULONG DataCount
188 | );
189 |
190 | // Graph control state
191 |
192 | // The basic buffer management structure was moved out of this section because
193 | // the text management is not needed for most cases.
194 |
195 | typedef struct _PH_GRAPH_STATE
196 | {
197 | // Union for compatibility
198 | union
199 | {
200 | struct
201 | {
202 | PFLOAT Data1; // invalidate by setting Valid to FALSE
203 | PFLOAT Data2; // invalidate by setting Valid to FALSE
204 | ULONG AllocatedCount;
205 | BOOLEAN Valid; // indicates the data is valid
206 | };
207 | PH_GRAPH_BUFFERS Buffers;
208 | };
209 |
210 | PPH_STRING Text;
211 | PPH_STRING TooltipText; // invalidate by setting TooltipIndex to -1
212 | ULONG TooltipIndex; // indicates the tooltip text is valid for this index
213 | } PH_GRAPH_STATE, *PPH_GRAPH_STATE;
214 |
215 | PHLIBAPI
216 | VOID PhInitializeGraphState(
217 | _Out_ PPH_GRAPH_STATE State
218 | );
219 |
220 | PHLIBAPI
221 | VOID PhDeleteGraphState(
222 | _Inout_ PPH_GRAPH_STATE State
223 | );
224 |
225 | PHLIBAPI
226 | VOID PhGraphStateGetDrawInfo(
227 | _Inout_ PPH_GRAPH_STATE State,
228 | _In_ PPH_GRAPH_GETDRAWINFO GetDrawInfo,
229 | _In_ ULONG DataCount
230 | );
231 |
232 | #endif
233 |
--------------------------------------------------------------------------------
/include/sys/guisupp.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_GUISUPP_H
2 | #define _PH_GUISUPP_H
3 |
4 | #define CINTERFACE
5 | #define COBJMACROS
6 | #include
7 | #undef CINTERFACE
8 | #undef COBJMACROS
9 |
10 | typedef HRESULT (WINAPI *_SetWindowTheme)(
11 | _In_ HWND hwnd,
12 | _In_ LPCWSTR pszSubAppName,
13 | _In_ LPCWSTR pszSubIdList
14 | );
15 |
16 | typedef HRESULT (WINAPI *_SHCreateShellItem)(
17 | _In_opt_ PCIDLIST_ABSOLUTE pidlParent,
18 | _In_opt_ IShellFolder *psfParent,
19 | _In_ PCUITEMID_CHILD pidl,
20 | _Out_ IShellItem **ppsi
21 | );
22 |
23 | typedef HRESULT (WINAPI *_SHOpenFolderAndSelectItems)(
24 | _In_ PCIDLIST_ABSOLUTE pidlFolder,
25 | _In_ UINT cidl,
26 | _In_reads_opt_(cidl) PCUITEMID_CHILD_ARRAY *apidl,
27 | _In_ DWORD dwFlags
28 | );
29 |
30 | typedef HRESULT (WINAPI *_SHParseDisplayName)(
31 | _In_ LPCWSTR pszName,
32 | _In_opt_ IBindCtx *pbc,
33 | _Out_ PIDLIST_ABSOLUTE *ppidl,
34 | _In_ SFGAOF sfgaoIn,
35 | _Out_ SFGAOF *psfgaoOut
36 | );
37 |
38 | #ifndef _PH_GUISUP_PRIVATE
39 | extern _SetWindowTheme SetWindowTheme_I;
40 | extern _SHCreateShellItem SHCreateShellItem_I;
41 | extern _SHOpenFolderAndSelectItems SHOpenFolderAndSelectItems_I;
42 | extern _SHParseDisplayName SHParseDisplayName_I;
43 | #endif
44 |
45 | #endif
46 |
--------------------------------------------------------------------------------
/include/sys/handlep.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_HANDLEP_H
2 | #define _PH_HANDLEP_H
3 |
4 | #define PH_HANDLE_TABLE_ENTRY_TYPE 0x1
5 | #define PH_HANDLE_TABLE_ENTRY_IN_USE 0x0
6 | #define PH_HANDLE_TABLE_ENTRY_FREE 0x1
7 |
8 | // The LOCKED bit is inverted: when it is set, the entry is NOT locked.
9 | // An in-use entry whose LOCKED bit is set can therefore be used
10 | // as-is.
11 | #define PH_HANDLE_TABLE_ENTRY_LOCKED 0x2
12 | #define PH_HANDLE_TABLE_ENTRY_LOCKED_SHIFT 1
13 |
14 | // There is initially one handle table level, with
15 | // 256 entries. When the handle table is expanded,
16 | // the table is replaced with a level 1 table, which
17 | // contains 256 pointers to level 0 tables (the first
18 | // entry already points to the initial level 0 table).
19 | // Similarly, when the handle table is expanded a
20 | // second time, the table is replaced with a level 2
21 | // table, which contains 256 pointers to level 1 tables.
22 | //
23 | // This provides a maximum of 16,777,216 handles.
24 |
25 | #define PH_HANDLE_TABLE_LEVEL_ENTRIES 256
26 | #define PH_HANDLE_TABLE_LEVEL_MASK 0x3
27 |
28 | #define PH_HANDLE_TABLE_LOCKS 8
29 | #define PH_HANDLE_TABLE_LOCK_INDEX(HandleValue) ((HandleValue) % PH_HANDLE_TABLE_LOCKS)
30 |
31 | typedef struct _PH_HANDLE_TABLE
32 | {
33 | PH_QUEUED_LOCK Lock;
34 | PH_QUEUED_LOCK HandleWakeEvent;
35 |
36 | ULONG Count;
37 | ULONG_PTR TableValue;
38 | ULONG FreeValue;
39 | ULONG NextValue;
40 | ULONG FreeValueAlt;
41 |
42 | ULONG Flags;
43 |
44 | PH_QUEUED_LOCK Locks[PH_HANDLE_TABLE_LOCKS];
45 | } PH_HANDLE_TABLE, *PPH_HANDLE_TABLE;
46 |
/**
 * Acquires, in shared mode, one of the striped locks guarding a handle table.
 *
 * \param HandleTable The handle table whose Locks array is indexed.
 * \param Index Slot in HandleTable->Locks. No bounds check is performed, so pass
 * only values produced by PH_HANDLE_TABLE_LOCK_INDEX, which reduces a handle value
 * modulo PH_HANDLE_TABLE_LOCKS.
 *
 * \remarks Pair every call with PhpUnlockHandleTableShared on the same Index.
 */
FORCEINLINE VOID PhpLockHandleTableShared(
    _Inout_ PPH_HANDLE_TABLE HandleTable,
    _In_ ULONG Index
    )
{
    PH_QUEUED_LOCK *stripe;

    stripe = &HandleTable->Locks[Index];
    PhAcquireQueuedLockShared(stripe);
}
54 |
/**
 * Releases a shared acquisition made by PhpLockHandleTableShared.
 *
 * \param HandleTable The handle table whose Locks array is indexed.
 * \param Index The same slot that was passed to PhpLockHandleTableShared; it is
 * not bounds-checked here either.
 */
FORCEINLINE VOID PhpUnlockHandleTableShared(
    _Inout_ PPH_HANDLE_TABLE HandleTable,
    _In_ ULONG Index
    )
{
    PH_QUEUED_LOCK *stripe;

    stripe = &HandleTable->Locks[Index];
    PhReleaseQueuedLockShared(stripe);
}
62 |
63 | // Handle values work by specifying indices into each
64 | // level.
65 | //
66 | // Bits 0-7: level 0
67 | // Bits 8-15: level 1
68 | // Bits 16-23: level 2
69 | // Bits 24-31: reserved
70 |
// Encoded handle layout (see the bit map above): the three 8-bit level indices
// occupy bits 0-23 of a handle value; bits 24-31 are reserved and must be zero.
71 | #define PH_HANDLE_VALUE_INVALID ((ULONG)-1)
// PhpEncodeHandle shifts the value left by SHIFT and adds BIAS; PhpDecodeHandle
// reverses that, so the two low bits of an encoded handle are not part of the value.
72 | #define PH_HANDLE_VALUE_SHIFT 2
73 | #define PH_HANDLE_VALUE_BIAS 4
74 |
// The _U variants return the unmasked upper part; the plain variants mask to one
// 8-bit level index.
75 | #define PH_HANDLE_VALUE_LEVEL0(HandleValue) ((HandleValue) & 0xff)
76 | #define PH_HANDLE_VALUE_LEVEL1_U(HandleValue) ((HandleValue) >> 8)
77 | #define PH_HANDLE_VALUE_LEVEL1(HandleValue) (PH_HANDLE_VALUE_LEVEL1_U(HandleValue) & 0xff)
78 | #define PH_HANDLE_VALUE_LEVEL2_U(HandleValue) ((HandleValue) >> 16)
79 | #define PH_HANDLE_VALUE_LEVEL2(HandleValue) (PH_HANDLE_VALUE_LEVEL2_U(HandleValue) & 0xff)
// Apply this check to a decoded value before using the level macros to index a
// table: the level macros mask to 8 bits and cannot detect reserved bits on their own.
80 | #define PH_HANDLE_VALUE_IS_INVALID(HandleValue) (((HandleValue) >> 24) != 0)
81 |
/**
 * Converts an internal handle value into the opaque HANDLE handed to callers.
 *
 * \param HandleValue The table index value to encode (see the bit layout above).
 *
 * \return The handle: HandleValue shifted left by PH_HANDLE_VALUE_SHIFT, plus
 * PH_HANDLE_VALUE_BIAS. Because of the bias, value 0 encodes to 4, so a valid
 * encoded handle is never NULL.
 */
FORCEINLINE HANDLE PhpEncodeHandle(
    _In_ ULONG HandleValue
    )
{
    ULONG encoded;

    // Make room for the two low bits, then bias the result.
    encoded = HandleValue << PH_HANDLE_VALUE_SHIFT;
    encoded += PH_HANDLE_VALUE_BIAS;

    return (HANDLE)encoded;
}
88 |
/**
 * Recovers the internal handle value from an opaque HANDLE produced by
 * PhpEncodeHandle.
 *
 * \param Handle The handle to decode. Nothing is validated here: the result must
 * still be checked with PH_HANDLE_VALUE_IS_INVALID before it is used to index a
 * table level.
 *
 * \return (Handle - PH_HANDLE_VALUE_BIAS) >> PH_HANDLE_VALUE_SHIFT, computed in
 * unsigned 32-bit arithmetic (a handle below the bias wraps rather than going negative).
 *
 * \remarks NOTE(review): the cast keeps only the low 32 bits of the pointer-sized
 * handle on 64-bit builds, so a value with bits set above bit 31 aliases a smaller
 * handle value here; the shift likewise discards the two low bits, so handles that
 * are not a multiple of 4 above the bias decode to the same value as their aligned
 * neighbour. Verify that callers reject such inputs before lookup.
 */
FORCEINLINE ULONG PhpDecodeHandle(
    _In_ HANDLE Handle
    )
{
    ULONG raw;

    raw = (ULONG)Handle;
    raw -= PH_HANDLE_VALUE_BIAS;

    return raw >> PH_HANDLE_VALUE_SHIFT;
}
95 |
96 | VOID PhpBlockOnLockedHandleTableEntry(
97 | _Inout_ PPH_HANDLE_TABLE HandleTable,
98 | _In_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry
99 | );
100 |
101 | PPH_HANDLE_TABLE_ENTRY PhpAllocateHandleTableEntry(
102 | _Inout_ PPH_HANDLE_TABLE HandleTable,
103 | _Out_ PULONG HandleValue
104 | );
105 |
106 | VOID PhpFreeHandleTableEntry(
107 | _Inout_ PPH_HANDLE_TABLE HandleTable,
108 | _In_ ULONG HandleValue,
109 | _Inout_ PPH_HANDLE_TABLE_ENTRY HandleTableEntry
110 | );
111 |
112 | BOOLEAN PhpAllocateMoreHandleTableEntries(
113 | _In_ PPH_HANDLE_TABLE HandleTable,
114 | _In_ BOOLEAN Initialize
115 | );
116 |
117 | PPH_HANDLE_TABLE_ENTRY PhpLookupHandleTableEntry(
118 | _In_ PPH_HANDLE_TABLE HandleTable,
119 | _In_ ULONG HandleValue
120 | );
121 |
122 | ULONG PhpMoveFreeHandleTableEntries(
123 | _Inout_ PPH_HANDLE_TABLE HandleTable
124 | );
125 |
126 | PPH_HANDLE_TABLE_ENTRY PhpCreateHandleTableLevel0(
127 | _In_ PPH_HANDLE_TABLE HandleTable,
128 | _In_ BOOLEAN Initialize
129 | );
130 |
131 | VOID PhpFreeHandleTableLevel0(
132 | _In_ PPH_HANDLE_TABLE_ENTRY Table
133 | );
134 |
135 | PPH_HANDLE_TABLE_ENTRY *PhpCreateHandleTableLevel1(
136 | _In_ PPH_HANDLE_TABLE HandleTable
137 | );
138 |
139 | VOID PhpFreeHandleTableLevel1(
140 | _In_ PPH_HANDLE_TABLE_ENTRY *Table
141 | );
142 |
143 | PPH_HANDLE_TABLE_ENTRY **PhpCreateHandleTableLevel2(
144 | _In_ PPH_HANDLE_TABLE HandleTable
145 | );
146 |
147 | VOID PhpFreeHandleTableLevel2(
148 | _In_ PPH_HANDLE_TABLE_ENTRY **Table
149 | );
150 |
151 | #endif
152 |
--------------------------------------------------------------------------------
/include/sys/hexedit.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_HEXEDIT_H
2 | #define _PH_HEXEDIT_H
3 |
4 | #define PH_HEXEDIT_CLASSNAME L"PhHexEdit"
5 |
6 | #define EDIT_NONE 0
7 | #define EDIT_ASCII 1
8 | #define EDIT_HIGH 2
9 | #define EDIT_LOW 3
10 |
11 | BOOLEAN PhHexEditInitialization(
12 | VOID
13 | );
14 |
15 | #define HEM_SETBUFFER (WM_APP + 1401)
16 | #define HEM_SETDATA (WM_APP + 1402)
17 | #define HEM_GETBUFFER (WM_APP + 1403)
18 | #define HEM_SETSEL (WM_APP + 1404)
19 | #define HEM_SETEDITMODE (WM_APP + 1405)
20 |
21 | #define HexEdit_SetBuffer(hWnd, Buffer, Length) \
22 | SendMessage((hWnd), HEM_SETBUFFER, (WPARAM)(Length), (LPARAM)(Buffer))
23 |
24 | #define HexEdit_SetData(hWnd, Buffer, Length) \
25 | SendMessage((hWnd), HEM_SETDATA, (WPARAM)(Length), (LPARAM)(Buffer))
26 |
// NOTE(review): Buffer and Length are accepted but never used — the message carries
// no parameters and the macro returns only the buffer pointer, not its length.
// Callers presumably have to remember the length they passed to HexEdit_SetBuffer /
// HexEdit_SetData; verify in hexedit.c before treating the returned pointer as sized.
27 | #define HexEdit_GetBuffer(hWnd, Buffer, Length) \
28 | ((PUCHAR)SendMessage((hWnd), HEM_GETBUFFER, 0, 0))
29 |
30 | #define HexEdit_SetSel(hWnd, Start, End) \
31 | SendMessage((hWnd), HEM_SETSEL, (WPARAM)(Start), (LPARAM)(End))
32 |
33 | #define HexEdit_SetEditMode(hWnd, Mode) \
34 | SendMessage((hWnd), HEM_SETEDITMODE, (WPARAM)(Mode), 0)
35 |
36 | #endif
37 |
--------------------------------------------------------------------------------
/include/sys/hexeditp.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_HEXEDITP_H
2 | #define _PH_HEXEDITP_H
3 |
// Per-window state of the hex edit control. Only the fields whose meaning is
// visible from this header are described; the rest are left to hexedit.c.
4 | typedef struct _PHP_HEXEDIT_CONTEXT
5 | {
6 | PUCHAR Data; // bytes displayed/edited by the control
7 | LONG Length; // NOTE(review): signed, while PhpHexEditSetBuffer/SetData below take ULONG Length — a value >= 2^31 would become negative here; confirm the implementation rejects such lengths
8 | BOOLEAN UserBuffer; // presumably set when Data was supplied by the caller rather than allocated by the control — verify in hexedit.c
9 | LONG TopIndex; // index of first visible byte on screen
10 |
11 | LONG CurrentAddress;
12 | LONG CurrentMode; // presumably one of EDIT_NONE / EDIT_ASCII / EDIT_HIGH / EDIT_LOW from hexedit.h — verify
13 | LONG SelStart; // -1 means there is no selection (see PhpHexEditHasSelected)
14 | LONG SelEnd;
15 |
16 | LONG BytesPerRow;
17 | LONG LinesPerPage;
18 | BOOLEAN ShowAddress;
19 | BOOLEAN ShowAscii;
20 | BOOLEAN ShowHex;
21 | BOOLEAN AddressIsWide;
22 | BOOLEAN AllowLengthChange; // presumably gates whether insert/delete may change Length — verify
23 |
24 | BOOLEAN NoAddressChange;
25 | BOOLEAN HalfPage;
26 |
27 | HFONT Font;
28 | LONG LineHeight;
29 | LONG NullWidth;
30 | BOOLEAN Update;
31 |
32 | LONG HexOffset;
33 | LONG AsciiOffset;
34 | LONG AddressOffset;
35 |
36 | BOOLEAN HasCapture;
37 | POINT EditPosition;
38 | } PHP_HEXEDIT_CONTEXT, *PPHP_HEXEDIT_CONTEXT;
39 |
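// Non-zero when Byte lies in the printable ASCII range ' ' .. '~'. The unsigned
// subtraction folds the lower bound into a single compare: bytes below ' ' wrap to
// a large value and fail the test.
#define IS_PRINTABLE(Byte) ((ULONG)((Byte) - ' ') <= (ULONG)('~' - ' '))

// Writes the two hex digits of Byte to Buffer and advances Buffer by two.
// Byte is evaluated exactly once and narrowed to UCHAR, so the PhIntegerToChar
// index is always 0..15 regardless of the argument's type; the do/while(0)
// wrapper makes the expansion a single statement, so
// `if (x) TO_HEX(p, b); else ...` parses as intended.
#define TO_HEX(Buffer, Byte) \
    do { \
        UCHAR toHexByte_ = (UCHAR)(Byte); \
        *(Buffer)++ = PhIntegerToChar[toHexByte_ >> 4]; \
        *(Buffer)++ = PhIntegerToChar[toHexByte_ & 0xf]; \
    } while (0)

// Invalidates and immediately repaints the whole client area of hwnd.
#define REDRAW_WINDOW(hwnd) \
    RedrawWindow((hwnd), NULL, NULL, RDW_INVALIDATE | RDW_UPDATENOW | RDW_ERASE)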
50 |
51 | VOID PhpCreateHexEditContext(
52 | _Out_ PPHP_HEXEDIT_CONTEXT *Context
53 | );
54 |
55 | VOID PhpFreeHexEditContext(
56 | _In_ _Post_invalid_ PPHP_HEXEDIT_CONTEXT Context
57 | );
58 |
59 | LRESULT CALLBACK PhpHexEditWndProc(
60 | _In_ HWND hwnd,
61 | _In_ UINT uMsg,
62 | _In_ WPARAM wParam,
63 | _In_ LPARAM lParam
64 | );
65 |
66 | VOID PhpHexEditOnPaint(
67 | _In_ HWND hwnd,
68 | _In_ PPHP_HEXEDIT_CONTEXT Context,
69 | _In_ PAINTSTRUCT *PaintStruct,
70 | _In_ HDC hdc
71 | );
72 |
73 | VOID PhpHexEditUpdateScrollbars(
74 | _In_ HWND hwnd,
75 | _In_ PPHP_HEXEDIT_CONTEXT Context
76 | );
77 |
/**
 * Reports whether the hex edit control currently has a selection.
 *
 * \param Context The control's context.
 *
 * \return FALSE when Context->SelStart holds the no-selection sentinel (-1),
 * TRUE otherwise. SelEnd is not consulted.
 */
FORCEINLINE BOOLEAN PhpHexEditHasSelected(
    _In_ PPHP_HEXEDIT_CONTEXT Context
    )
{
    if (Context->SelStart == -1)
        return FALSE;

    return TRUE;
}
84 |
85 | VOID PhpHexEditCreateAddressCaret(
86 | _In_ HWND hwnd,
87 | _In_ PPHP_HEXEDIT_CONTEXT Context
88 | );
89 |
90 | VOID PhpHexEditCreateEditCaret(
91 | _In_ HWND hwnd,
92 | _In_ PPHP_HEXEDIT_CONTEXT Context
93 | );
94 |
95 | VOID PhpHexEditRepositionCaret(
96 | _In_ HWND hwnd,
97 | _In_ PPHP_HEXEDIT_CONTEXT Context,
98 | _In_ LONG Position
99 | );
100 |
101 | VOID PhpHexEditCalculatePosition(
102 | _In_ HWND hwnd,
103 | _In_ PPHP_HEXEDIT_CONTEXT Context,
104 | _In_ LONG X,
105 | _In_ LONG Y,
106 | _Out_ POINT *Point
107 | );
108 |
109 | VOID PhpHexEditMove(
110 | _In_ HWND hwnd,
111 | _In_ PPHP_HEXEDIT_CONTEXT Context,
112 | _In_ LONG X,
113 | _In_ LONG Y
114 | );
115 |
116 | VOID PhpHexEditSetSel(
117 | _In_ HWND hwnd,
118 | _In_ PPHP_HEXEDIT_CONTEXT Context,
119 | _In_ LONG S,
120 | _In_ LONG E
121 | );
122 |
123 | VOID PhpHexEditScrollTo(
124 | _In_ HWND hwnd,
125 | _In_ PPHP_HEXEDIT_CONTEXT Context,
126 | _In_ LONG Position
127 | );
128 |
129 | VOID PhpHexEditClearEdit(
130 | _In_ HWND hwnd,
131 | _In_ PPHP_HEXEDIT_CONTEXT Context
132 | );
133 |
134 | VOID PhpHexEditCopyEdit(
135 | _In_ HWND hwnd,
136 | _In_ PPHP_HEXEDIT_CONTEXT Context
137 | );
138 |
139 | VOID PhpHexEditCutEdit(
140 | _In_ HWND hwnd,
141 | _In_ PPHP_HEXEDIT_CONTEXT Context
142 | );
143 |
144 | VOID PhpHexEditPasteEdit(
145 | _In_ HWND hwnd,
146 | _In_ PPHP_HEXEDIT_CONTEXT Context
147 | );
148 |
149 | VOID PhpHexEditSelectAll(
150 | _In_ HWND hwnd,
151 | _In_ PPHP_HEXEDIT_CONTEXT Context
152 | );
153 |
154 | VOID PhpHexEditUndoEdit(
155 | _In_ HWND hwnd,
156 | _In_ PPHP_HEXEDIT_CONTEXT Context
157 | );
158 |
159 | VOID PhpHexEditNormalizeSel(
160 | _In_ HWND hwnd,
161 | _In_ PPHP_HEXEDIT_CONTEXT Context
162 | );
163 |
164 | VOID PhpHexEditSelDelete(
165 | _In_ HWND hwnd,
166 | _In_ PPHP_HEXEDIT_CONTEXT Context,
167 | _In_ LONG S,
168 | _In_ LONG E
169 | );
170 |
171 | VOID PhpHexEditSelInsert(
172 | _In_ HWND hwnd,
173 | _In_ PPHP_HEXEDIT_CONTEXT Context,
174 | _In_ LONG S,
175 | _In_ LONG L
176 | );
177 |
178 | VOID PhpHexEditSetBuffer(
179 | _In_ HWND hwnd,
180 | _In_ PPHP_HEXEDIT_CONTEXT Context,
181 | _In_ PUCHAR Data,
182 | _In_ ULONG Length
183 | );
184 |
185 | VOID PhpHexEditSetData(
186 | _In_ HWND hwnd,
187 | _In_ PPHP_HEXEDIT_CONTEXT Context,
188 | _In_ PUCHAR Data,
189 | _In_ ULONG Length
190 | );
191 |
192 | #endif
193 |
--------------------------------------------------------------------------------
/include/sys/iosupp.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_IOSUPP_H
2 | #define _PH_IOSUPP_H
3 |
4 | VOID NTAPI PhpFileStreamDeleteProcedure(
5 | _In_ PVOID Object,
6 | _In_ ULONG Flags
7 | );
8 |
9 | NTSTATUS PhpAllocateBufferFileStream(
10 | _Inout_ PPH_FILE_STREAM FileStream
11 | );
12 |
13 | NTSTATUS PhpReadFileStream(
14 | _Inout_ PPH_FILE_STREAM FileStream,
15 | _Out_writes_bytes_(Length) PVOID Buffer,
16 | _In_ ULONG Length,
17 | _Out_opt_ PULONG ReadLength
18 | );
19 |
20 | NTSTATUS PhpWriteFileStream(
21 | _Inout_ PPH_FILE_STREAM FileStream,
22 | _In_reads_bytes_(Length) PVOID Buffer,
23 | _In_ ULONG Length
24 | );
25 |
26 | NTSTATUS PhpFlushReadFileStream(
27 | _Inout_ PPH_FILE_STREAM FileStream
28 | );
29 |
30 | NTSTATUS PhpFlushWriteFileStream(
31 | _Inout_ PPH_FILE_STREAM FileStream
32 | );
33 |
34 | NTSTATUS PhpSeekFileStream(
35 | _Inout_ PPH_FILE_STREAM FileStream,
36 | _In_ PLARGE_INTEGER Offset,
37 | _In_ PH_SEEK_ORIGIN Origin
38 | );
39 |
40 | #endif
41 |
--------------------------------------------------------------------------------
/include/sys/md5.h:
--------------------------------------------------------------------------------
1 | #ifndef _MD5_H
2 | #define _MD5_H
3 |
// State for the MD5 message digest, driven by MD5Init / MD5Update / MD5Final below.
// NOTE(review): MD5 is not collision-resistant; digests from this code are suitable
// as integrity checksums or legacy-format identifiers, not as proof of authenticity.
4 | typedef struct
5 | {
6 | ULONG i[2]; // presumably the running bit count of the data hashed so far — verify against the implementation
7 | ULONG buf[4]; // presumably the four 32-bit chaining words — verify
8 | UCHAR in[64]; // presumably input buffered until a full 64-byte block is available — verify
9 | UCHAR digest[16]; // 16-byte output, presumably filled in by MD5Final — verify
10 | } MD5_CTX;
11 |
12 | VOID MD5Init(
13 | _Out_ MD5_CTX *Context
14 | );
15 |
16 | VOID MD5Update(
17 | _Inout_ MD5_CTX *Context,
18 | _In_reads_bytes_(Length) UCHAR *Input,
19 | _In_ ULONG Length
20 | );
21 |
22 | VOID MD5Final(
23 | _Inout_ MD5_CTX *Context
24 | );
25 |
26 | #endif
27 |
--------------------------------------------------------------------------------
/include/sys/ntbasic.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTBASIC_H
2 | #define _NTBASIC_H
3 |
4 | #ifndef _NTDEF_
5 |
6 | // This header file provides basic NT types not included in Win32.
7 |
8 | #ifndef NOTHING
9 | #define NOTHING
10 | #endif
11 |
12 | // Basic types
13 |
14 | typedef struct _QUAD
15 | {
16 | double DoNotUseThisField;
17 | } QUAD, *PQUAD, UQUAD, *PUQUAD;
18 |
19 | // This isn't in NT, but it's useful.
20 | typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR
21 | {
22 | ULONG_PTR DoNotUseThisField1;
23 | ULONG_PTR DoNotUseThisField2;
24 | } QUAD_PTR, *PQUAD_PTR, UQUAD_PTR, *PUQUAD_PTR;
25 |
26 | typedef PVOID *PPVOID;
27 |
28 | typedef ULONG LOGICAL;
29 | typedef ULONG *PLOGICAL;
30 |
31 | typedef _Success_(return >= 0) LONG NTSTATUS;
32 | typedef NTSTATUS *PNTSTATUS;
33 |
34 | // Cardinal types
35 |
36 | typedef char CCHAR;
37 | typedef short CSHORT;
38 | typedef ULONG CLONG;
39 |
40 | typedef CCHAR *PCCHAR;
41 | typedef CSHORT *PCSHORT;
42 | typedef CLONG *PCLONG;
43 |
44 | // Specific
45 |
46 | typedef UCHAR KIRQL, *PKIRQL;
47 | typedef LONG KPRIORITY;
48 | typedef USHORT RTL_ATOM, *PRTL_ATOM;
49 |
50 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
51 |
52 | // NT status macros
53 |
54 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
55 | #define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
56 | #define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
57 | #define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
58 |
59 | #define NT_FACILITY_MASK 0xfff
60 | #define NT_FACILITY_SHIFT 16
61 | #define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK)
62 |
63 | #define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32)
64 | #define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff)
65 |
66 | // Functions
67 |
68 | #ifdef _M_IX86
69 | #define FASTCALL __fastcall
70 | #else
71 | #define FASTCALL
72 | #endif
73 |
74 | // Synchronization enumerations
75 |
76 | typedef enum _EVENT_TYPE
77 | {
78 | NotificationEvent,
79 | SynchronizationEvent
80 | } EVENT_TYPE;
81 |
82 | typedef enum _TIMER_TYPE
83 | {
84 | NotificationTimer,
85 | SynchronizationTimer
86 | } TIMER_TYPE;
87 |
88 | typedef enum _WAIT_TYPE
89 | {
90 | WaitAll,
91 | WaitAny
92 | } WAIT_TYPE;
93 |
94 | // Strings
95 |
96 | typedef struct _STRING
97 | {
98 | USHORT Length;
99 | USHORT MaximumLength;
100 | _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer;
101 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;
102 |
103 | typedef const STRING *PCSTRING;
104 | typedef const ANSI_STRING *PCANSI_STRING;
105 | typedef const OEM_STRING *PCOEM_STRING;
106 |
107 | typedef struct _UNICODE_STRING
108 | {
109 | USHORT Length;
110 | USHORT MaximumLength;
111 | _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer;
112 | } UNICODE_STRING, *PUNICODE_STRING;
113 |
114 | typedef const UNICODE_STRING *PCUNICODE_STRING;
115 |
116 | #define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s }
117 |
118 | // Balanced tree node
119 |
120 | #define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3
121 |
122 | typedef struct _RTL_BALANCED_NODE
123 | {
124 | union
125 | {
126 | struct _RTL_BALANCED_NODE *Children[2];
127 | struct
128 | {
129 | struct _RTL_BALANCED_NODE *Left;
130 | struct _RTL_BALANCED_NODE *Right;
131 | };
132 | };
133 | union
134 | {
135 | UCHAR Red : 1;
136 | UCHAR Balance : 2;
137 | ULONG_PTR ParentValue;
138 | };
139 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
140 |
141 | #define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))
142 |
143 | // Portability
144 |
145 | typedef struct _SINGLE_LIST_ENTRY32
146 | {
147 | ULONG Next;
148 | } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32;
149 |
150 | typedef struct _STRING32
151 | {
152 | USHORT Length;
153 | USHORT MaximumLength;
154 | ULONG Buffer;
155 | } STRING32, *PSTRING32;
156 |
157 | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
158 | typedef STRING32 ANSI_STRING32, *PANSI_STRING32;
159 |
160 | typedef struct _STRING64
161 | {
162 | USHORT Length;
163 | USHORT MaximumLength;
164 | ULONGLONG Buffer;
165 | } STRING64, *PSTRING64;
166 |
167 | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
168 | typedef STRING64 ANSI_STRING64, *PANSI_STRING64;
169 |
170 | // Object attributes
171 |
172 | #define OBJ_INHERIT 0x00000002
173 | #define OBJ_PERMANENT 0x00000010
174 | #define OBJ_EXCLUSIVE 0x00000020
175 | #define OBJ_CASE_INSENSITIVE 0x00000040
176 | #define OBJ_OPENIF 0x00000080
177 | #define OBJ_OPENLINK 0x00000100
178 | #define OBJ_KERNEL_HANDLE 0x00000200
179 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400
180 | #define OBJ_VALID_ATTRIBUTES 0x000007f2
181 |
182 | typedef struct _OBJECT_ATTRIBUTES
183 | {
184 | ULONG Length;
185 | HANDLE RootDirectory;
186 | PUNICODE_STRING ObjectName;
187 | ULONG Attributes;
188 | PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
189 | PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
190 | } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
191 |
192 | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
193 |
194 | #define InitializeObjectAttributes(p, n, a, r, s) { \
195 | (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
196 | (p)->RootDirectory = r; \
197 | (p)->Attributes = a; \
198 | (p)->ObjectName = n; \
199 | (p)->SecurityDescriptor = s; \
200 | (p)->SecurityQualityOfService = NULL; \
201 | }
202 |
203 | #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
204 | #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
205 |
206 | // Portability
207 |
208 | typedef struct _OBJECT_ATTRIBUTES64
209 | {
210 | ULONG Length;
211 | ULONG64 RootDirectory;
212 | ULONG64 ObjectName;
213 | ULONG Attributes;
214 | ULONG64 SecurityDescriptor;
215 | ULONG64 SecurityQualityOfService;
216 | } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;
217 |
218 | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;
219 |
220 | typedef struct _OBJECT_ATTRIBUTES32
221 | {
222 | ULONG Length;
223 | ULONG RootDirectory;
224 | ULONG ObjectName;
225 | ULONG Attributes;
226 | ULONG SecurityDescriptor;
227 | ULONG SecurityQualityOfService;
228 | } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32;
229 |
230 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;
231 |
232 | // Product types
233 |
234 | typedef enum _NT_PRODUCT_TYPE
235 | {
236 | NtProductWinNt = 1,
237 | NtProductLanManNt,
238 | NtProductServer
239 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
240 |
241 | typedef enum _SUITE_TYPE
242 | {
243 | SmallBusiness,
244 | Enterprise,
245 | BackOffice,
246 | CommunicationServer,
247 | TerminalServer,
248 | SmallBusinessRestricted,
249 | EmbeddedNT,
250 | DataCenter,
251 | SingleUserTS,
252 | Personal,
253 | Blade,
254 | EmbeddedRestricted,
255 | SecurityAppliance,
256 | StorageServer,
257 | ComputeServer,
258 | WHServer,
259 | PhoneNT,
260 | MaxSuiteType
261 | } SUITE_TYPE;
262 |
263 | // Specific
264 |
265 | typedef struct _CLIENT_ID
266 | {
267 | HANDLE UniqueProcess;
268 | HANDLE UniqueThread;
269 | } CLIENT_ID, *PCLIENT_ID;
270 |
271 | typedef struct _CLIENT_ID32
272 | {
273 | ULONG UniqueProcess;
274 | ULONG UniqueThread;
275 | } CLIENT_ID32, *PCLIENT_ID32;
276 |
277 | typedef struct _CLIENT_ID64
278 | {
279 | ULONGLONG UniqueProcess;
280 | ULONGLONG UniqueThread;
281 | } CLIENT_ID64, *PCLIENT_ID64;
282 |
283 | #include
284 |
// Kernel system-time cell: a 64-bit time split into three 32-bit words.
// High1Time and High2Time both hold the high half; a reader takes LowPart
// between two reads of the high word and retries until they agree, so the
// value can be read without a lock — NOTE(review): that protocol is the
// conventional use of the duplicated high word and is not shown here; confirm
// at the read sites.
// NOTE(review): the #include directives bracketing this struct lost their
// targets in extraction (they read as bare "#include" above and below);
// restore them from upstream before building, since they normally control
// the structure's packing.
285 | typedef struct _KSYSTEM_TIME
286 | {
287 | ULONG LowPart;
288 | LONG High1Time;
289 | LONG High2Time;
290 | } KSYSTEM_TIME, *PKSYSTEM_TIME;
291 |
292 | #include
293 |
294 | #endif
295 |
296 | #endif
297 |
--------------------------------------------------------------------------------
/include/sys/ntcm.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTCM_H
2 | #define _NTCM_H
3 |
// Reason a Plug and Play request (eject/remove/disable) was vetoed. The
// trailing comment on each value names what the accompanying veto name
// string identifies (instance path, module, service, ...), which is the
// only way the caller can interpret that string.
4 | typedef enum _PNP_VETO_TYPE
5 | {
6 | PNP_VetoTypeUnknown, // unspecified
7 | PNP_VetoLegacyDevice, // instance path
8 | PNP_VetoPendingClose, // instance path
9 | PNP_VetoWindowsApp, // module
10 | PNP_VetoWindowsService, // service
11 | PNP_VetoOutstandingOpen, // instance path
12 | PNP_VetoDevice, // instance path
13 | PNP_VetoDriver, // driver service name
14 | PNP_VetoIllegalDeviceRequest, // instance path
15 | PNP_VetoInsufficientPower, // unspecified
16 | PNP_VetoNonDisableable, // instance path
17 | PNP_VetoLegacyDriver, // service
18 | PNP_VetoInsufficientRights // unspecified
19 | } PNP_VETO_TYPE, *PPNP_VETO_TYPE;
20 |
21 | #endif
22 |
--------------------------------------------------------------------------------
/include/sys/ntdbg.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTDBG_H
2 | #define _NTDBG_H
3 |
4 | // Definitions
5 |
// Debug-event payload for an exception in the debuggee. FirstChance is
// nonzero on the first delivery, before the debuggee's own handlers run.
6 | typedef struct _DBGKM_EXCEPTION
7 | {
8 | EXCEPTION_RECORD ExceptionRecord; // copied out of the debuggee; addresses inside it are debuggee addresses
9 | ULONG FirstChance;
10 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION;
11 |
// Debug-event payload for thread creation. StartAddress is an address in the
// debuggee's address space, not a pointer the debugger can dereference.
12 | typedef struct _DBGKM_CREATE_THREAD
13 | {
14 | ULONG SubSystemKey;
15 | PVOID StartAddress;
16 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD;
17 |
// Debug-event payload for process creation. FileHandle is a handle to the
// image file, opened for the debugger; the receiver owns it and must close
// it (presumed — the same ownership rule as the Win32 CREATE_PROCESS_DEBUG_INFO;
// confirm). BaseOfImage is a debuggee address.
18 | typedef struct _DBGKM_CREATE_PROCESS
19 | {
20 | ULONG SubSystemKey;
21 | HANDLE FileHandle;
22 | PVOID BaseOfImage;
23 | ULONG DebugInfoFileOffset;
24 | ULONG DebugInfoSize;
25 | DBGKM_CREATE_THREAD InitialThread; // the process's first thread
26 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS;
27 |
// Debug-event payload for thread exit.
28 | typedef struct _DBGKM_EXIT_THREAD
29 | {
30 | NTSTATUS ExitStatus;
31 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD;
32 |
// Debug-event payload for process exit.
33 | typedef struct _DBGKM_EXIT_PROCESS
34 | {
35 | NTSTATUS ExitStatus;
36 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS;
37 |
// Debug-event payload for an image load. FileHandle is a handle the receiver
// owns; BaseOfDll and NamePointer are debuggee addresses (NamePointer points
// at debuggee memory and must be read with a cross-process read, never
// dereferenced directly).
38 | typedef struct _DBGKM_LOAD_DLL
39 | {
40 | HANDLE FileHandle;
41 | PVOID BaseOfDll;
42 | ULONG DebugInfoFileOffset;
43 | ULONG DebugInfoSize;
44 | PVOID NamePointer;
45 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL;
46 |
// Debug-event payload for an image unload; BaseAddress is a debuggee address.
47 | typedef struct _DBGKM_UNLOAD_DLL
48 | {
49 | PVOID BaseAddress;
50 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL;
51 |
// Kind of debug event carried by DBGUI_WAIT_STATE_CHANGE; selects which
// member of its StateInfo union is valid. A receiver must switch on this
// before touching StateInfo, and treat unknown values as "no payload".
52 | typedef enum _DBG_STATE
53 | {
54 | DbgIdle,
55 | DbgReplyPending,
56 | DbgCreateThreadStateChange, // StateInfo.CreateThread
57 | DbgCreateProcessStateChange, // StateInfo.CreateProcessInfo
58 | DbgExitThreadStateChange, // StateInfo.ExitThread
59 | DbgExitProcessStateChange, // StateInfo.ExitProcess
60 | DbgExceptionStateChange, // StateInfo.Exception
61 | DbgBreakpointStateChange, // StateInfo.Exception (breakpoint — presumed from the name)
62 | DbgSingleStepStateChange, // StateInfo.Exception (single step — presumed from the name)
63 | DbgLoadDllStateChange, // StateInfo.LoadDll
64 | DbgUnloadDllStateChange // StateInfo.UnloadDll
65 | } DBG_STATE, *PDBG_STATE;
66 |
// User-mode view of a thread-creation event: the kernel payload plus a handle
// to the new thread that the receiver owns and must close.
67 | typedef struct _DBGUI_CREATE_THREAD
68 | {
69 | HANDLE HandleToThread;
70 | DBGKM_CREATE_THREAD NewThread;
71 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD;
72 |
// User-mode view of a process-creation event: the kernel payload plus handles
// to the new process and its first thread. Together with NewProcess.FileHandle
// that is three handles the receiver owns; leaking them keeps the debuggee
// alive.
73 | typedef struct _DBGUI_CREATE_PROCESS
74 | {
75 | HANDLE HandleToProcess;
76 | HANDLE HandleToThread;
77 | DBGKM_CREATE_PROCESS NewProcess;
78 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS;
79 |
// One debug event as returned by DbgUiWaitStateChange. NewState selects the
// valid StateInfo member; AppClientId identifies the debuggee thread the
// event came from and is what DbgUiContinue/NtDebugContinue take to resume it.
80 | typedef struct _DBGUI_WAIT_STATE_CHANGE
81 | {
82 | DBG_STATE NewState;
83 | CLIENT_ID AppClientId;
84 | union
85 | {
86 | DBGKM_EXCEPTION Exception;
87 | DBGUI_CREATE_THREAD CreateThread;
88 | DBGUI_CREATE_PROCESS CreateProcessInfo;
89 | DBGKM_EXIT_THREAD ExitThread;
90 | DBGKM_EXIT_PROCESS ExitProcess;
91 | DBGKM_LOAD_DLL LoadDll;
92 | DBGKM_UNLOAD_DLL UnloadDll;
93 | } StateInfo; // interpret only the member named by NewState
94 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE;
95 |
96 | // System calls
97 |
// Access rights specific to debug objects. Request only the bits a caller
// needs; DEBUG_ALL_ACCESS also includes the standard rights and SYNCHRONIZE.
98 | #define DEBUG_READ_EVENT 0x0001
99 | #define DEBUG_PROCESS_ASSIGN 0x0002
100 | #define DEBUG_SET_INFORMATION 0x0004
101 | #define DEBUG_QUERY_INFORMATION 0x0008
102 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
103 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \
104 | DEBUG_QUERY_INFORMATION)
105 |
// Debug-object flag; presumably the value for the Flags argument of
// NtCreateDebugObject and for the DebugObjectFlags information class.
// Per its name, debuggees attached to the object are terminated when the
// object's last handle closes — confirm before relying on it.
106 | #define DEBUG_KILL_ON_CLOSE 0x1
107 |
// Information classes for NtSetInformationDebugObject. Only DebugObjectFlags
// (= 1; zero is not a valid class) is defined here.
108 | typedef enum _DEBUGOBJECTINFOCLASS
109 | {
110 | DebugObjectFlags = 1, // ULONG of DEBUG_* flags, e.g. DEBUG_KILL_ON_CLOSE — presumed; confirm
111 | MaxDebugObjectInfoClass
112 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
113 |
// Creates a debug object and returns a handle to it with DesiredAccess
// rights (DEBUG_* above). Flags: DEBUG_KILL_ON_CLOSE — presumed; confirm.
114 | NTSYSCALLAPI
115 | NTSTATUS
116 | NTAPI
117 | NtCreateDebugObject(
118 | _Out_ PHANDLE DebugObjectHandle,
119 | _In_ ACCESS_MASK DesiredAccess,
120 | _In_ POBJECT_ATTRIBUTES ObjectAttributes,
121 | _In_ ULONG Flags
122 | );
123 |
// Attaches the debug object to a running process. ProcessHandle needs
// debug-level access to the target; DebugObjectHandle presumably needs
// DEBUG_PROCESS_ASSIGN (inferred from the right's name — confirm). From then
// on the process's events are delivered through the debug object.
124 | NTSYSCALLAPI
125 | NTSTATUS
126 | NTAPI
127 | NtDebugActiveProcess(
128 | _In_ HANDLE ProcessHandle,
129 | _In_ HANDLE DebugObjectHandle
130 | );
131 |
// Resumes the debuggee thread identified by ClientId after an event, with
// ContinueStatus telling the kernel how the event was handled.
132 | NTSYSCALLAPI
133 | NTSTATUS
134 | NTAPI
135 | NtDebugContinue(
136 | _In_ HANDLE DebugObjectHandle,
137 | _In_ PCLIENT_ID ClientId,
138 | _In_ NTSTATUS ContinueStatus
139 | );
140 |
// Detaches a process from the debug object (inverse of NtDebugActiveProcess).
141 | NTSYSCALLAPI
142 | NTSTATUS
143 | NTAPI
144 | NtRemoveProcessDebug(
145 | _In_ HANDLE ProcessHandle,
146 | _In_ HANDLE DebugObjectHandle
147 | );
148 |
// Sets a DEBUGOBJECTINFOCLASS property. DebugInformationLength is the size
// of the buffer at DebugInformation; ReturnLength, if supplied, receives the
// size the class needs.
149 | NTSYSCALLAPI
150 | NTSTATUS
151 | NTAPI
152 | NtSetInformationDebugObject(
153 | _In_ HANDLE DebugObjectHandle,
154 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
155 | _In_ PVOID DebugInformation,
156 | _In_ ULONG DebugInformationLength,
157 | _Out_opt_ PULONG ReturnLength
158 | );
159 |
// Waits for the next debug event. Timeout is a relative/absolute
// LARGE_INTEGER or NULL for infinite. WaitStateChange is untyped here; the
// buffer is presumably a DBGUI_WAIT_STATE_CHANGE (the type the DbgUi wrapper
// below returns) — confirm the size before passing anything smaller.
160 | NTSYSCALLAPI
161 | NTSTATUS
162 | NTAPI
163 | NtWaitForDebugEvent(
164 | _In_ HANDLE DebugObjectHandle,
165 | _In_ BOOLEAN Alertable,
166 | _In_opt_ PLARGE_INTEGER Timeout,
167 | _Out_ PVOID WaitStateChange
168 | );
169 |
170 | // Debugging UI
171 |
// ntdll "DbgUi" layer: per-thread wrappers over the debug-object syscalls
// above. The current thread's debug object is the implicit state these
// functions use (see DbgUiGetThreadDebugObject/DbgUiSetThreadDebugObject).
// Creates the calling thread's debug object if it has none.
172 | NTSYSAPI
173 | NTSTATUS
174 | NTAPI
175 | DbgUiConnectToDbg(
176 | VOID
177 | );
178 |
// Returns the calling thread's debug object handle (no ownership transfer).
179 | NTSYSAPI
180 | HANDLE
181 | NTAPI
182 | DbgUiGetThreadDebugObject(
183 | VOID
184 | );
185 |
// Replaces the calling thread's debug object handle; the caller stays
// responsible for the handle's lifetime.
186 | NTSYSAPI
187 | VOID
188 | NTAPI
189 | DbgUiSetThreadDebugObject(
190 | _In_ HANDLE DebugObject
191 | );
192 |
// Waits for and returns the next event from the thread's debug object.
// See DBGUI_WAIT_STATE_CHANGE for which handles in the result are owned by
// the caller.
193 | NTSYSAPI
194 | NTSTATUS
195 | NTAPI
196 | DbgUiWaitStateChange(
197 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange,
198 | _In_opt_ PLARGE_INTEGER Timeout
199 | );
200 |
// Resumes the debuggee thread named by AppClientId (from the last event).
201 | NTSYSAPI
202 | NTSTATUS
203 | NTAPI
204 | DbgUiContinue(
205 | _In_ PCLIENT_ID AppClientId,
206 | _In_ NTSTATUS ContinueStatus
207 | );
208 |
// Detaches Process from the thread's debug object.
209 | NTSYSAPI
210 | NTSTATUS
211 | NTAPI
212 | DbgUiStopDebugging(
213 | _In_ HANDLE Process
214 | );
215 |
// Attaches Process to the thread's debug object.
216 | NTSYSAPI
217 | NTSTATUS
218 | NTAPI
219 | DbgUiDebugActiveProcess(
220 | _In_ HANDLE Process
221 | );
222 |
// Break-in routine and its trigger. DbgUiRemoteBreakin has a thread-start
// signature (one PVOID); DbgUiIssueRemoteBreakin presumably starts it inside
// Process so the debugger receives a breakpoint event — confirm; the exact
// mechanism is not described here.
223 | NTSYSAPI
224 | VOID
225 | NTAPI
226 | DbgUiRemoteBreakin(
227 | _In_ PVOID Context
228 | );
229 |
230 | NTSYSAPI
231 | NTSTATUS
232 | NTAPI
233 | DbgUiIssueRemoteBreakin(
234 | _In_ HANDLE Process
235 | );
236 |
// Opaque forward declaration; the full DEBUG_EVENT is the Win32 type
// declared elsewhere, kept out of this header to avoid the dependency.
237 | struct _DEBUG_EVENT;
238 |
// Converts a native state change into the Win32 DEBUG_EVENT layout.
239 | NTSYSAPI
240 | NTSTATUS
241 | NTAPI
242 | DbgUiConvertStateChangeStructure(
243 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange,
244 | _Out_ struct _DEBUG_EVENT *DebugEvent
245 | );
246 |
247 | #endif
248 |
--------------------------------------------------------------------------------
/include/sys/ntgdi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTGDI_H
2 | #define _NTGDI_H
3 |
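4 | #define GDI_MAX_HANDLE_COUNT 0x4000 // entries in the shared GDI handle table (GDI_SHARED_MEMORY)
5 |
// A GDI handle value is a 32-bit bit-field laid out as: index (bits 0-15),
// server-side type (16-20), alternate/client type (21-22), stock-object flag
// (23) and a uniqueness byte (24-31). Each field below is given as a shift,
// a width and an (unshifted) mask.
6 | #define GDI_HANDLE_INDEX_SHIFT 0
7 | #define GDI_HANDLE_INDEX_BITS 16
8 | #define GDI_HANDLE_INDEX_MASK 0xffff
9 |
10 | #define GDI_HANDLE_TYPE_SHIFT 16
11 | #define GDI_HANDLE_TYPE_BITS 5
12 | #define GDI_HANDLE_TYPE_MASK 0x1f
13 |
14 | #define GDI_HANDLE_ALTTYPE_SHIFT 21
15 | #define GDI_HANDLE_ALTTYPE_BITS 2
16 | #define GDI_HANDLE_ALTTYPE_MASK 0x3
17 |
18 | #define GDI_HANDLE_STOCK_SHIFT 23
19 | #define GDI_HANDLE_STOCK_BITS 1
20 | #define GDI_HANDLE_STOCK_MASK 0x1
21 |
22 | #define GDI_HANDLE_UNIQUE_SHIFT 24
23 | #define GDI_HANDLE_UNIQUE_BITS 8
24 | #define GDI_HANDLE_UNIQUE_MASK 0xff
25 |
// Field extractors. Each casts the handle to ULONG first so the shift is
// unsigned and pointer-typed handle values are accepted; on 64-bit builds the
// cast keeps only the low 32 bits, which is where the fields live.
// The index is NOT bounds-checked here: callers indexing GDI_SHARED_MEMORY
// must still compare it against GDI_MAX_HANDLE_COUNT.
26 | #define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK)
27 | #define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK)
28 | #define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK)
// Fixed: the previous definition had an unbalanced ')' after
// GDI_HANDLE_STOCK_SHIFT, so every expansion of this macro was a syntax
// error. It now mirrors GDI_HANDLE_TYPE/GDI_HANDLE_ALTTYPE.
29 | #define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT) & GDI_HANDLE_STOCK_MASK)
30 |
// Rebuilds a handle value from a 16-bit index and the 16-bit "unique" word
// (type, alt-type, stock and uniqueness bits together, i.e. the upper half).
// Neither argument is masked, so an out-of-range Index would overlap Unique.
31 | #define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index)))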
32 |
33 | // GDI server-side types
34 |
// Values of the 5-bit type field (GDI_HANDLE_TYPE). 0 is never a valid
// object; entries marked "unused" are reserved slots kept for numbering.
35 | #define GDI_DEF_TYPE 0 // invalid handle
36 | #define GDI_DC_TYPE 1
37 | #define GDI_DD_DIRECTDRAW_TYPE 2
38 | #define GDI_DD_SURFACE_TYPE 3
39 | #define GDI_RGN_TYPE 4
40 | #define GDI_SURF_TYPE 5
41 | #define GDI_CLIENTOBJ_TYPE 6
42 | #define GDI_PATH_TYPE 7
43 | #define GDI_PAL_TYPE 8
44 | #define GDI_ICMLCS_TYPE 9
45 | #define GDI_LFONT_TYPE 10
46 | #define GDI_RFONT_TYPE 11
47 | #define GDI_PFE_TYPE 12
48 | #define GDI_PFT_TYPE 13
49 | #define GDI_ICMCXF_TYPE 14
50 | #define GDI_ICMDLL_TYPE 15
51 | #define GDI_BRUSH_TYPE 16
52 | #define GDI_PFF_TYPE 17 // unused
53 | #define GDI_CACHE_TYPE 18 // unused
54 | #define GDI_SPACE_TYPE 19
55 | #define GDI_DBRUSH_TYPE 20 // unused
56 | #define GDI_META_TYPE 21
57 | #define GDI_EFSTATE_TYPE 22
58 | #define GDI_BMFD_TYPE 23 // unused
59 | #define GDI_VTFD_TYPE 24 // unused
60 | #define GDI_TTFD_TYPE 25 // unused
61 | #define GDI_RC_TYPE 26 // unused
62 | #define GDI_TEMP_TYPE 27 // unused
63 | #define GDI_DRVOBJ_TYPE 28
64 | #define GDI_DCIOBJ_TYPE 29 // unused
65 | #define GDI_SPOOL_TYPE 30
66 |
67 | // GDI client-side types
68 |
// Client-side "type" = the type and alt-type fields of a handle, left in
// place (already shifted), so the GDI_CLIENT_*_TYPE constants below compare
// directly against GDI_CLIENT_TYPE_FROM_HANDLE(h).
// GDI_CLIENT_TYPE_FROM_UNIQUE takes the 16-bit unique word (the upper half of
// a handle, cf. GDI_MAKE_HANDLE) and shifts it back into handle position.
69 | #define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \
70 | (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT)))
71 | #define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16)
72 |
// Alt-type field values, pre-shifted (0 means "no alternate type").
73 | #define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT)
74 | #define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT)
75 | #define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT)
76 |
// Base client types: the server-side type shifted into the handle.
77 | #define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT)
78 | #define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT)
79 | #define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT)
80 | #define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT)
81 | #define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT)
82 | #define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT)
83 | #define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT)
84 |
// Derived client types: a base type distinguished by its alt-type bits.
85 | #define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1)
86 | #define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1)
87 | #define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2)
88 | #define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3)
89 | #define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2)
90 | #define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1)
91 | #define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1)
92 |
// One slot of the shared GDI handle table. Object/NextFree overlay: a live
// slot points at the kernel object, a free slot links the free list (which
// one applies is not recorded in the entry itself — presumably Type ==
// GDI_DEF_TYPE marks a free slot; confirm). The table is mapped read-only
// into user mode via PEB.GdiSharedHandleTable, so Object is a kernel address
// and must never be dereferenced from user mode.
93 | typedef struct _GDI_HANDLE_ENTRY
94 | {
95 | union
96 | {
97 | PVOID Object;
98 | PVOID NextFree;
99 | };
100 | union
101 | {
102 | struct
103 | {
104 | USHORT ProcessId; // owning process, or 0 for a shared/stock object — presumed; confirm
105 | USHORT Lock : 1;
106 | USHORT Count : 15;
107 | };
108 | ULONG Value; // whole owner word, for atomic reads/compares
109 | } Owner;
110 | USHORT Unique; // uniqueness word; must match the handle's upper half (GDI_MAKE_HANDLE)
111 | UCHAR Type; // GDI_*_TYPE
112 | UCHAR Flags;
113 | PVOID UserPointer; // user-mode side object, meaningful only to the owning process
114 | } GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;
115 |
// The whole shared handle table: GDI_MAX_HANDLE_COUNT fixed slots, indexed by
// GDI_HANDLE_INDEX(handle). Validate the index against GDI_MAX_HANDLE_COUNT
// and compare Unique before trusting a slot for a given handle value.
116 | typedef struct _GDI_SHARED_MEMORY
117 | {
118 | GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
119 | } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;
120 |
121 | #endif
122 |
--------------------------------------------------------------------------------
/include/sys/ntimport.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTIMPORT_H
2 | #define _NTIMPORT_H
3 |
// EXT is the storage class for the import pointers below: the one translation
// unit that defines _PH_NTIMPORT_PRIVATE gets the (selectany) definitions,
// every other includer sees extern declarations of the same symbols.
4 | #ifdef _PH_NTIMPORT_PRIVATE
5 | #define EXT DECLSPEC_SELECTANY
6 | #else
7 | #define EXT extern
8 | #endif
9 |
10 | // Only functions appearing in Windows XP and below may be
11 | // imported normally. The other functions are imported here.
12 |
// Run-time-resolved imports for builds whose minimum version is below
// Server 2003. The pointers are NULL until PhInitializeImports succeeds
// (presumed — the initializer is not in this header), so callers must check
// them before use. Each enumerator returns a new handle in NewProcessHandle /
// NewThreadHandle that the caller owns and must close.
13 | #if !(PHNT_VERSION >= PHNT_WS03)
14 |
15 | typedef NTSTATUS (NTAPI *_NtGetNextProcess)(
16 | _In_ HANDLE ProcessHandle,
17 | _In_ ACCESS_MASK DesiredAccess,
18 | _In_ ULONG HandleAttributes,
19 | _In_ ULONG Flags,
20 | _Out_ PHANDLE NewProcessHandle
21 | );
22 |
23 | typedef NTSTATUS (NTAPI *_NtGetNextThread)(
24 | _In_ HANDLE ProcessHandle,
25 | _In_ HANDLE ThreadHandle,
26 | _In_ ACCESS_MASK DesiredAccess,
27 | _In_ ULONG HandleAttributes,
28 | _In_ ULONG Flags,
29 | _Out_ PHANDLE NewThreadHandle
30 | );
31 |
32 | EXT _NtGetNextProcess NtGetNextProcess;
33 | EXT _NtGetNextThread NtGetNextThread;
34 | #endif
35 |
// Run-time-resolved KTM (transaction manager) query functions for builds
// whose minimum version is below Vista. Same contract as the group above:
// NULL until resolved. All four follow the NtQueryInformation* shape — the
// caller supplies a buffer and its length, and ReturnLength (optional)
// receives the size needed, so a too-small buffer can be retried.
36 | #if !(PHNT_VERSION >= PHNT_VISTA)
37 |
38 | typedef NTSTATUS (NTAPI *_NtQueryInformationEnlistment)(
39 | _In_ HANDLE EnlistmentHandle,
40 | _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
41 | _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
42 | _In_ ULONG EnlistmentInformationLength,
43 | _Out_opt_ PULONG ReturnLength
44 | );
45 |
46 | typedef NTSTATUS (NTAPI *_NtQueryInformationResourceManager)(
47 | _In_ HANDLE ResourceManagerHandle,
48 | _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
49 | _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
50 | _In_ ULONG ResourceManagerInformationLength,
51 | _Out_opt_ PULONG ReturnLength
52 | );
53 |
54 | typedef NTSTATUS (NTAPI *_NtQueryInformationTransaction)(
55 | _In_ HANDLE TransactionHandle,
56 | _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
57 | _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation,
58 | _In_ ULONG TransactionInformationLength,
59 | _Out_opt_ PULONG ReturnLength
60 | );
61 |
62 | typedef NTSTATUS (NTAPI *_NtQueryInformationTransactionManager)(
63 | _In_ HANDLE TransactionManagerHandle,
64 | _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
65 | _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
66 | _In_ ULONG TransactionManagerInformationLength,
67 | _Out_opt_ PULONG ReturnLength
68 | );
69 |
70 | EXT _NtQueryInformationEnlistment NtQueryInformationEnlistment;
71 | EXT _NtQueryInformationResourceManager NtQueryInformationResourceManager;
72 | EXT _NtQueryInformationTransaction NtQueryInformationTransaction;
73 | EXT _NtQueryInformationTransactionManager NtQueryInformationTransactionManager;
74 | #endif
75 |
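// Presumably resolves the EXT function pointers declared above at run time;
// the definition is not in this header, so confirm there (in particular that
// it resolves them from the already-loaded ntdll module rather than by a
// path that could be redirected) and what a FALSE return leaves unresolved.
// Declared with an explicit (VOID) parameter list: in C an empty "()" is an
// unprototyped declaration, so a call with stray arguments would compile
// without a diagnostic.
76 | BOOLEAN PhInitializeImports(VOID);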
77 |
78 | #endif
79 |
--------------------------------------------------------------------------------
/include/sys/ntkeapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTKEAPI_H
2 | #define _NTKEAPI_H
3 |
// Thread priority bounds (user-mode builds only; the kernel headers already
// define them). Realtime priorities are 16..31.
4 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
5 | #define LOW_PRIORITY 0 // Lowest thread priority level
6 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level
7 | #define HIGH_PRIORITY 31 // Highest thread priority level
8 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels
9 | #endif
10 |
// Scheduler state of a thread as reported in thread information queries.
// MaximumThreadState bounds the valid range; treat anything >= it as unknown
// (newer kernels may add states).
11 | typedef enum _KTHREAD_STATE
12 | {
13 | Initialized,
14 | Ready,
15 | Running,
16 | Standby,
17 | Terminated,
18 | Waiting, // blocked; see KWAIT_REASON for why
19 | Transition,
20 | DeferredReady,
21 | GateWait,
22 | MaximumThreadState
23 | } KTHREAD_STATE, *PKTHREAD_STATE;
24 |
25 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
26 |
// Why a thread in the Waiting state is waiting. The first seven values have a
// "Wr"-prefixed twin below; which of the pair a kernel reports is not
// described here. Values >= MaximumWaitReason should be displayed as unknown.
27 | typedef enum _KWAIT_REASON
28 | {
29 | Executive,
30 | FreePage,
31 | PageIn,
32 | PoolAllocation,
33 | DelayExecution,
34 | Suspended,
35 | UserRequest,
36 | WrExecutive,
37 | WrFreePage,
38 | WrPageIn,
39 | WrPoolAllocation,
40 | WrDelayExecution,
41 | WrSuspended,
42 | WrUserRequest,
43 | WrEventPair,
44 | WrQueue,
45 | WrLpcReceive,
46 | WrLpcReply,
47 | WrVirtualMemory,
48 | WrPageOut,
49 | WrRendezvous,
50 | WrKeyedEvent,
51 | WrTerminated,
52 | WrProcessInSwap,
53 | WrCpuRateControl,
54 | WrCalloutStack,
55 | WrKernel,
56 | WrResource,
57 | WrPushLock,
58 | WrMutex,
59 | WrQuantumEnd,
60 | WrDispatchInt,
61 | WrPreempted,
62 | WrYieldExecution,
63 | WrFastMutex,
64 | WrGuardedMutex,
65 | WrRundown,
66 | MaximumWaitReason
67 | } KWAIT_REASON, *PKWAIT_REASON;
68 |
// Hardware/software event sources for kernel profiling. Only ProfileTime is
// guaranteed to exist on every machine; the others depend on the CPU's
// performance counters — presumed from the names; confirm per platform.
69 | typedef enum _KPROFILE_SOURCE
70 | {
71 | ProfileTime,
72 | ProfileAlignmentFixup,
73 | ProfileTotalIssues,
74 | ProfilePipelineDry,
75 | ProfileLoadInstructions,
76 | ProfilePipelineFrozen,
77 | ProfileBranchInstructions,
78 | ProfileTotalNonissues,
79 | ProfileDcacheMisses,
80 | ProfileIcacheMisses,
81 | ProfileCacheMisses,
82 | ProfileBranchMispredictions,
83 | ProfileStoreInstructions,
84 | ProfileFpInstructions,
85 | ProfileIntegerInstructions,
86 | Profile2Issue,
87 | Profile3Issue,
88 | Profile4Issue,
89 | ProfileSpecialInstructions,
90 | ProfileTotalCycles,
91 | ProfileIcacheIssues,
92 | ProfileDcacheAccesses,
93 | ProfileMemoryBarrierCycles,
94 | ProfileLoadLinkedIssues,
95 | ProfileMaximum
96 | } KPROFILE_SOURCE;
97 |
98 | #endif
99 |
100 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
101 |
// Returns from a kernel-to-user callback, handing OutputLength bytes at
// OutputBuffer (may be NULL with length 0) and Status back to the kernel.
// Only meaningful inside such a callback; it does not return to the caller
// on success.
102 | NTSYSCALLAPI
103 | NTSTATUS
104 | NTAPI
105 | NtCallbackReturn(
106 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer,
107 | _In_ ULONG OutputLength,
108 | _In_ NTSTATUS Status
109 | );
110 |
// Query / set the kernel debug-print filter for a (ComponentId, Level) pair —
// the masks that decide which DbgPrintEx output is emitted.
111 | NTSYSCALLAPI
112 | NTSTATUS
113 | NTAPI
114 | NtQueryDebugFilterState(
115 | _In_ ULONG ComponentId,
116 | _In_ ULONG Level
117 | );
118 |
119 | NTSYSCALLAPI
120 | NTSTATUS
121 | NTAPI
122 | NtSetDebugFilterState(
123 | _In_ ULONG ComponentId,
124 | _In_ ULONG Level,
125 | _In_ BOOLEAN State
126 | );
127 |
// Gives up the rest of the current quantum to another ready thread.
128 | NTSYSCALLAPI
129 | NTSTATUS
130 | NTAPI
131 | NtYieldExecution(
132 | VOID
133 | );
134 |
135 | #if (PHNT_VERSION >= PHNT_VISTA)
136 | // winnt:FlushProcessWriteBuffers
// Process-wide memory barrier: makes every other thread's pending stores
// visible (the native form of the Win32 API named above). Vista+.
137 | NTSYSCALLAPI
138 | VOID
139 | NTAPI
140 | NtFlushProcessWriteBuffers(
141 | VOID
142 | );
143 | #endif
144 |
145 | #endif
146 |
147 | #endif
148 |
--------------------------------------------------------------------------------
/include/sys/ntmisc.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTMISC_H
2 | #define _NTMISC_H
3 |
4 | // Boot graphics
5 |
6 | #if (PHNT_VERSION >= PHNT_WIN7)
7 | // rev
// Reverse-engineered ("rev" above), Windows 7+: draws Text on the boot
// graphics surface. The privilege it requires is not recorded here — confirm
// before exposing it to callers.
8 | NTSYSCALLAPI
9 | NTSTATUS
10 | NTAPI
11 | NtDrawText(
12 | _In_ PUNICODE_STRING Text
13 | );
14 | #endif
15 |
16 | // Filter manager
17 |
// Access rights for filter-manager communication ports. FLT_PORT_CONNECT is
// the only specific right; FLT_PORT_ALL_ACCESS adds the standard rights.
18 | #define FLT_PORT_CONNECT 0x0001
19 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL)
20 |
21 | // VDM
22 |
// Service codes for NtVdmControl (the NTVDM 16-bit subsystem). Each code
// interprets the ServiceData argument differently; the per-service layouts
// are not declared here.
23 | typedef enum _VDMSERVICECLASS
24 | {
25 | VdmStartExecution,
26 | VdmQueueInterrupt,
27 | VdmDelayInterrupt,
28 | VdmInitialize,
29 | VdmFeatures,
30 | VdmSetInt21Handler,
31 | VdmQueryDir,
32 | VdmPrinterDirectIoOpen,
33 | VdmPrinterDirectIoClose,
34 | VdmPrinterInitialize,
35 | VdmSetLdtEntries,
36 | VdmSetProcessLdtInfo,
37 | VdmAdlibEmulation,
38 | VdmPMCliControl,
39 | VdmQueryVdmProcess
40 | } VDMSERVICECLASS, *PVDMSERVICECLASS;
41 |
// Dispatches a VDM service; ServiceData is read and/or written according to
// Service (see VDMSERVICECLASS). No length is passed, so the buffer must be
// exactly the layout that service expects.
42 | NTSYSCALLAPI
43 | NTSTATUS
44 | NTAPI
45 | NtVdmControl(
46 | _In_ VDMSERVICECLASS Service,
47 | _Inout_ PVOID ServiceData
48 | );
49 |
50 | // WMI/ETW
51 |
// Logs an event to the trace session behind TraceHandle. FieldSize is the
// byte length of the data at Fields; the layout of Fields depends on Flags
// and is not declared here.
52 | NTSYSCALLAPI
53 | NTSTATUS
54 | NTAPI
55 | NtTraceEvent(
56 | _In_ HANDLE TraceHandle,
57 | _In_ ULONG Flags,
58 | _In_ ULONG FieldSize,
59 | _In_ PVOID Fields
60 | );
61 |
62 | #if (PHNT_VERSION >= PHNT_VISTA)
63 | // private
// Undocumented ("private" above), Vista+: ETW control request. FunctionCode
// selects the operation; InBuffer/OutBuffer are optional and sized by their
// *Len arguments, and ReturnLength receives the output size needed or used.
// Several function codes require elevated privileges — confirm per code.
64 | NTSYSCALLAPI
65 | NTSTATUS
66 | NTAPI
67 | NtTraceControl(
68 | _In_ ULONG FunctionCode,
69 | _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer,
70 | _In_ ULONG InBufferLen,
71 | _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer,
72 | _In_ ULONG OutBufferLen,
73 | _Out_ PULONG ReturnLength
74 | );
75 | #endif
76 |
77 | #endif
78 |
--------------------------------------------------------------------------------
/include/sys/ntnls.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTNLS_H
2 | #define _NTNLS_H
3 |
4 | #define MAXIMUM_LEADBYTES 12 // size of CPTABLEINFO.LeadByte: up to 6 (low, high) lead-byte range pairs
5 |
// Code-page translation table as used by the NLS tables in ntdll. The table
// pointers refer into a mapped NLS file; their lengths are implied by the
// table format, not stored here, so an untrusted table must be validated
// against the mapping size before being walked.
6 | typedef struct _CPTABLEINFO
7 | {
8 | USHORT CodePage;
9 | USHORT MaximumCharacterSize; // 1 for single-byte, 2 for DBCS code pages — presumed from the name; confirm
10 | USHORT DefaultChar; // substitute for characters that cannot be converted
11 | USHORT UniDefaultChar;
12 | USHORT TransDefaultChar;
13 | USHORT TransUniDefaultChar;
14 | USHORT DBCSCodePage;
15 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; // lead-byte ranges, zero-terminated pairs
16 | PUSHORT MultiByteTable;
17 | PVOID WideCharTable;
18 | PUSHORT DBCSRanges;
19 | PUSHORT DBCSOffsets;
20 | } CPTABLEINFO, *PCPTABLEINFO;
21 |
// The process's NLS state: the OEM and ANSI code-page tables plus the
// Unicode case-mapping tables.
22 | typedef struct _NLSTABLEINFO
23 | {
24 | CPTABLEINFO OemTableInfo;
25 | CPTABLEINFO AnsiTableInfo;
26 | PUSHORT UpperCaseTable;
27 | PUSHORT LowerCaseTable;
28 | } NLSTABLEINFO, *PNLSTABLEINFO;
29 |
30 | #endif
31 |
--------------------------------------------------------------------------------
/include/sys/ntobapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTOBAPI_H
2 | #define _NTOBAPI_H
3 |
// Specific access rights for object-type, directory and symbolic-link
// objects (user-mode builds; the kernel headers define them already). The
// *_ALL_ACCESS masks combine the standard required rights with the specific
// bits — callers should request the narrowest right that does the job
// (DIRECTORY_QUERY to list, DIRECTORY_TRAVERSE to open through, etc.).
4 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
5 | #define OBJECT_TYPE_CREATE 0x0001
6 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
7 | #endif
8 |
9 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
10 | #define DIRECTORY_QUERY 0x0001
11 | #define DIRECTORY_TRAVERSE 0x0002
12 | #define DIRECTORY_CREATE_OBJECT 0x0004
13 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
14 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf)
15 | #endif
16 |
17 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
18 | #define SYMBOLIC_LINK_QUERY 0x0001
19 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
20 | #endif
21 |
// Handle attribute bits (OBJECT_ATTRIBUTES.Attributes / HandleAttributes).
// OBJ_PROTECT_CLOSE and OBJ_INHERIT correspond to the ProtectFromClose and
// Inherit fields of OBJECT_HANDLE_FLAG_INFORMATION below. An inheritable
// handle is passed to child processes, so it should be set deliberately, not
// by default; OBJ_INHERIT is guarded because the SDK may define it too.
22 | #define OBJ_PROTECT_CLOSE 0x00000001
23 | #ifndef OBJ_INHERIT
24 | #define OBJ_INHERIT 0x00000002
25 | #endif
26 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004
27 |
// Information classes for NtQueryObject / NtSetInformationObject. In kernel
// mode the enum comes from the WDK, so only the values the WDK omits are
// defined as constants; the numbers in the #else branch must stay in step
// with the enum positions above them.
28 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
29 | typedef enum _OBJECT_INFORMATION_CLASS
30 | {
31 | ObjectBasicInformation, // OBJECT_BASIC_INFORMATION
32 | ObjectNameInformation, // OBJECT_NAME_INFORMATION
33 | ObjectTypeInformation, // OBJECT_TYPE_INFORMATION
34 | ObjectTypesInformation, // OBJECT_TYPES_INFORMATION
35 | ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION (query and set)
36 | ObjectSessionInformation,
37 | MaxObjectInfoClass
38 | } OBJECT_INFORMATION_CLASS;
39 | #else
40 | #define ObjectNameInformation 1
41 | #define ObjectTypesInformation 3
42 | #define ObjectHandleFlagInformation 4
43 | #define ObjectSessionInformation 5
44 | #endif
45 |
// ObjectBasicInformation result. GrantedAccess is the access mask the handle
// was opened with — the value to check before assuming an operation on the
// handle will succeed. The *InfoSize fields give the buffer sizes the name
// and type queries need.
46 | typedef struct _OBJECT_BASIC_INFORMATION
47 | {
48 | ULONG Attributes; // OBJ_* handle attributes
49 | ACCESS_MASK GrantedAccess;
50 | ULONG HandleCount;
51 | ULONG PointerCount;
52 | ULONG PagedPoolCharge;
53 | ULONG NonPagedPoolCharge;
54 | ULONG Reserved[3];
55 | ULONG NameInfoSize;
56 | ULONG TypeInfoSize;
57 | ULONG SecurityDescriptorSize;
58 | LARGE_INTEGER CreationTime;
59 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
60 |
// ObjectNameInformation result. The UNICODE_STRING header is followed in the
// same buffer by the characters it points to, so the query buffer must be
// larger than the struct (retry with ReturnLength). Name.Buffer may be NULL
// for an unnamed object — presumed; confirm.
61 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
62 | typedef struct _OBJECT_NAME_INFORMATION
63 | {
64 | UNICODE_STRING Name;
65 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
66 | #endif
67 |
// ObjectTypeInformation result: per-type counters and the type's access
// policy. TypeName's characters follow the struct in the same buffer (see
// OBJECT_NAME_INFORMATION). ValidAccessMask and GenericMapping are what the
// object manager uses to translate GENERIC_* rights for this type.
68 | typedef struct _OBJECT_TYPE_INFORMATION
69 | {
70 | UNICODE_STRING TypeName;
71 | ULONG TotalNumberOfObjects;
72 | ULONG TotalNumberOfHandles;
73 | ULONG TotalPagedPoolUsage;
74 | ULONG TotalNonPagedPoolUsage;
75 | ULONG TotalNamePoolUsage;
76 | ULONG TotalHandleTableUsage;
77 | ULONG HighWaterNumberOfObjects;
78 | ULONG HighWaterNumberOfHandles;
79 | ULONG HighWaterPagedPoolUsage;
80 | ULONG HighWaterNonPagedPoolUsage;
81 | ULONG HighWaterNamePoolUsage;
82 | ULONG HighWaterHandleTableUsage;
83 | ULONG InvalidAttributes; // OBJ_* bits this type rejects
84 | GENERIC_MAPPING GenericMapping;
85 | ULONG ValidAccessMask;
86 | BOOLEAN SecurityRequired;
87 | BOOLEAN MaintainHandleCount;
88 | ULONG PoolType;
89 | ULONG DefaultPagedPoolCharge;
90 | ULONG DefaultNonPagedPoolCharge;
91 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
92 |
// ObjectTypesInformation result: NumberOfTypes entries starting at
// TypeInformation. TypeInformation[1] is the classic "at least one" idiom,
// not the real count; and because each entry carries its TypeName characters
// inline, entries are variable-length — presumably each next entry starts
// after the previous name, rounded up to pointer alignment; confirm against
// the walker before indexing TypeInformation[i] directly.
93 | typedef struct _OBJECT_TYPES_INFORMATION
94 | {
95 | ULONG NumberOfTypes;
96 | OBJECT_TYPE_INFORMATION TypeInformation[1];
97 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
98 |
// ObjectHandleFlagInformation: the per-handle flags behind OBJ_INHERIT and
// OBJ_PROTECT_CLOSE, readable and settable via NtQueryObject /
// NtSetInformationObject. Clearing Inherit on handles that must not reach
// child processes is the usual use.
99 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
100 | {
101 | BOOLEAN Inherit;
102 | BOOLEAN ProtectFromClose;
103 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
104 |
105 | // Objects, handles
106 |
107 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
108 |
// Queries an OBJECT_INFORMATION_CLASS for Handle into ObjectInformation
// (ObjectInformationLength bytes, may be NULL/0 to size). ReturnLength
// receives the size needed; the name/type classes return a header plus
// trailing string data, so callers should size from ReturnLength and retry.
109 | NTSYSCALLAPI
110 | NTSTATUS
111 | NTAPI
112 | NtQueryObject(
113 | _In_ HANDLE Handle,
114 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
115 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
116 | _In_ ULONG ObjectInformationLength,
117 | _Out_opt_ PULONG ReturnLength
118 | );
119 |
// Sets an information class on Handle (ObjectHandleFlagInformation is the
// one with a settable struct declared in this header).
120 | NTSYSCALLAPI
121 | NTSTATUS
122 | NTAPI
123 | NtSetInformationObject(
124 | _In_ HANDLE Handle,
125 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
126 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
127 | _In_ ULONG ObjectInformationLength
128 | );
129 |
// Options for NtDuplicateObject. DUPLICATE_SAME_ACCESS ignores DesiredAccess
// and copies the source handle's rights; DUPLICATE_CLOSE_SOURCE closes the
// source handle as part of the call, so do not close it again afterwards.
130 | #define DUPLICATE_CLOSE_SOURCE 0x00000001
131 | #define DUPLICATE_SAME_ACCESS 0x00000002
132 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004
133 |
// Duplicates SourceHandle from SourceProcessHandle into TargetProcessHandle.
// TargetProcessHandle/TargetHandle are optional: with DUPLICATE_CLOSE_SOURCE
// and no target the call just closes a handle in another process. The new
// handle is owned by the target process; HandleAttributes are OBJ_* bits
// (OBJ_INHERIT here makes the copy inheritable).
134 | NTSYSCALLAPI
135 | NTSTATUS
136 | NTAPI
137 | NtDuplicateObject(
138 | _In_ HANDLE SourceProcessHandle,
139 | _In_ HANDLE SourceHandle,
140 | _In_opt_ HANDLE TargetProcessHandle,
141 | _Out_opt_ PHANDLE TargetHandle,
142 | _In_ ACCESS_MASK DesiredAccess,
143 | _In_ ULONG HandleAttributes,
144 | _In_ ULONG Options
145 | );
146 |
// Makes a permanent (named, reference-held) object temporary so it is
// deleted when its last handle closes.
147 | NTSYSCALLAPI
148 | NTSTATUS
149 | NTAPI
150 | NtMakeTemporaryObject(
151 | _In_ HANDLE Handle
152 | );
153 |
// Inverse of the above, declared as a function-pointer type rather than an
// import — presumably because it is resolved at run time like the pointers
// in ntimport.h; no EXT variable for it appears in this chunk. Confirm where
// (or whether) it is resolved before calling through it.
154 | typedef NTSTATUS (NTAPI *_NtMakePermanentObject)(
155 | _In_ HANDLE Handle
156 | );
157 |
// Atomically signals SignalHandle and waits on WaitHandle (Timeout NULL =
// infinite; Alertable allows APC delivery during the wait).
158 | NTSYSCALLAPI
159 | NTSTATUS
160 | NTAPI
161 | NtSignalAndWaitForSingleObject(
162 | _In_ HANDLE SignalHandle,
163 | _In_ HANDLE WaitHandle,
164 | _In_ BOOLEAN Alertable,
165 | _In_opt_ PLARGE_INTEGER Timeout
166 | );
167 |
// Waits for one object, or for Count objects (all or any per WaitType);
// Handles must point at Count valid handles. Timeout as above.
168 | NTSYSCALLAPI
169 | NTSTATUS
170 | NTAPI
171 | NtWaitForSingleObject(
172 | _In_ HANDLE Handle,
173 | _In_ BOOLEAN Alertable,
174 | _In_opt_ PLARGE_INTEGER Timeout
175 | );
176 |
177 | NTSYSCALLAPI
178 | NTSTATUS
179 | NTAPI
180 | NtWaitForMultipleObjects(
181 | _In_ ULONG Count,
182 | _In_reads_(Count) PHANDLE Handles,
183 | _In_ WAIT_TYPE WaitType,
184 | _In_ BOOLEAN Alertable,
185 | _In_opt_ PLARGE_INTEGER Timeout
186 | );
187 |
// Set / get the object's security descriptor. SecurityInformation selects the
// parts (owner, group, DACL, SACL); for the query, Length is the buffer size
// and LengthNeeded always receives the size required, so a too-small buffer
// can be resized and retried. Changing the DACL is an access-control change
// and should be audited by the caller.
188 | NTSYSCALLAPI
189 | NTSTATUS
190 | NTAPI
191 | NtSetSecurityObject(
192 | _In_ HANDLE Handle,
193 | _In_ SECURITY_INFORMATION SecurityInformation,
194 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
195 | );
196 |
197 | NTSYSCALLAPI
198 | NTSTATUS
199 | NTAPI
200 | NtQuerySecurityObject(
201 | _In_ HANDLE Handle,
202 | _In_ SECURITY_INFORMATION SecurityInformation,
203 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
204 | _In_ ULONG Length,
205 | _Out_ PULONG LengthNeeded
206 | );
207 |
// Closes a handle. Fails (rather than closes) for a handle with
// ProtectFromClose set — presumed from the flag's name; confirm.
208 | NTSYSCALLAPI
209 | NTSTATUS
210 | NTAPI
211 | NtClose(
212 | _In_ HANDLE Handle
213 | );
214 |
215 | #endif
216 |
217 | // Directory objects
218 |
219 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
220 |
// Create / open an object-manager directory (e.g. a namespace node). The
// name and root come from ObjectAttributes; DesiredAccess is a DIRECTORY_*
// mask. The returned handle is owned by the caller.
221 | NTSYSCALLAPI
222 | NTSTATUS
223 | NTAPI
224 | NtCreateDirectoryObject(
225 | _Out_ PHANDLE DirectoryHandle,
226 | _In_ ACCESS_MASK DesiredAccess,
227 | _In_ POBJECT_ATTRIBUTES ObjectAttributes
228 | );
229 |
230 | NTSYSCALLAPI
231 | NTSTATUS
232 | NTAPI
233 | NtOpenDirectoryObject(
234 | _Out_ PHANDLE DirectoryHandle,
235 | _In_ ACCESS_MASK DesiredAccess,
236 | _In_ POBJECT_ATTRIBUTES ObjectAttributes
237 | );
238 |
// One directory entry as returned by NtQueryDirectoryObject: the object's
// name and its type name. Both strings live in the query buffer after the
// entry array — presumed from the UNICODE_STRING form; confirm against the
// walker.
239 | typedef struct _OBJECT_DIRECTORY_INFORMATION
240 | {
241 | UNICODE_STRING Name;
242 | UNICODE_STRING TypeName;
243 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
244 |
// Enumerates a directory (needs DIRECTORY_QUERY). Buffer receives
// OBJECT_DIRECTORY_INFORMATION entries up to Length bytes; Context is the
// enumeration cursor and must be preserved between calls (RestartScan resets
// it); ReturnSingleEntry limits each call to one entry. ReturnLength, if
// given, receives the bytes written or needed.
245 | NTSYSCALLAPI
246 | NTSTATUS
247 | NTAPI
248 | NtQueryDirectoryObject(
249 | _In_ HANDLE DirectoryHandle,
250 | _Out_writes_bytes_opt_(Length) PVOID Buffer,
251 | _In_ ULONG Length,
252 | _In_ BOOLEAN ReturnSingleEntry,
253 | _In_ BOOLEAN RestartScan,
254 | _Inout_ PULONG Context,
255 | _Out_opt_ PULONG ReturnLength
256 | );
257 |
258 | #endif
259 |
260 | // Private namespaces
261 |
262 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
263 |
264 | #if (PHNT_VERSION >= PHNT_VISTA)
265 |
266 | // begin_private
267 |
// Vista+ private namespaces (the native side of the Win32
// Create/OpenPrivateNamespace APIs). BoundaryDescriptor is an opaque
// boundary (built elsewhere) that, together with the namespace's security
// descriptor in ObjectAttributes, decides who may open the namespace; the
// security descriptor is what actually restricts access, so do not rely on
// the boundary name alone.
268 | NTSYSCALLAPI
269 | NTSTATUS
270 | NTAPI
271 | NtCreatePrivateNamespace(
272 | _Out_ PHANDLE NamespaceHandle,
273 | _In_ ACCESS_MASK DesiredAccess,
274 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
275 | _In_ PVOID BoundaryDescriptor
276 | );
277 |
278 | NTSYSCALLAPI
279 | NTSTATUS
280 | NTAPI
281 | NtOpenPrivateNamespace(
282 | _Out_ PHANDLE NamespaceHandle,
283 | _In_ ACCESS_MASK DesiredAccess,
284 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
285 | _In_ PVOID BoundaryDescriptor
286 | );
287 |
// Marks the namespace for deletion; the handle itself still has to be closed.
288 | NTSYSCALLAPI
289 | NTSTATUS
290 | NTAPI
291 | NtDeletePrivateNamespace(
292 | _In_ HANDLE NamespaceHandle
293 | );
294 |
295 | // end_private
296 |
297 | #endif
298 |
299 | #endif
300 |
301 | // Symbolic links
302 |
303 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
304 |
// Object-manager symbolic links. Creating one redirects every later open of
// the link's name to LinkTarget, so creation in a shared directory (the
// DIRECTORY_CREATE_OBJECT right) is a security-sensitive operation: a link
// planted where a privileged component resolves names redirects that
// component. Prefer DIRECTORY_* rights and ACLs that keep untrusted callers
// out of such directories.
305 | NTSYSCALLAPI
306 | NTSTATUS
307 | NTAPI
308 | NtCreateSymbolicLinkObject(
309 | _Out_ PHANDLE LinkHandle,
310 | _In_ ACCESS_MASK DesiredAccess,
311 | _In_ POBJECT_ATTRIBUTES ObjectAttributes,
312 | _In_ PUNICODE_STRING LinkTarget
313 | );
314 |
315 | NTSYSCALLAPI
316 | NTSTATUS
317 | NTAPI
318 | NtOpenSymbolicLinkObject(
319 | _Out_ PHANDLE LinkHandle,
320 | _In_ ACCESS_MASK DesiredAccess,
321 | _In_ POBJECT_ATTRIBUTES ObjectAttributes
322 | );
323 |
// Reads the link's target (needs SYMBOLIC_LINK_QUERY). LinkTarget is in/out:
// the caller provides Buffer/MaximumLength and gets Length back; if the
// buffer is too small, ReturnedLength (optional) gives the size needed.
324 | NTSYSCALLAPI
325 | NTSTATUS
326 | NTAPI
327 | NtQuerySymbolicLinkObject(
328 | _In_ HANDLE LinkHandle,
329 | _Inout_ PUNICODE_STRING LinkTarget,
330 | _Out_opt_ PULONG ReturnedLength
331 | );
332 |
333 | #endif
334 |
335 | #endif
336 |
--------------------------------------------------------------------------------
/include/sys/ntpebteb.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTPEBTEB_H
2 | #define _NTPEBTEB_H
3 |
// PPVOID is provided by the user-mode SDK headers but not the WDK, so the
// kernel build defines it here. The two forward declarations let the PEB
// refer to the process parameters and critical section by pointer without
// pulling in their full definitions.
4 | #if (PHNT_MODE == PHNT_MODE_KERNEL)
5 | typedef PVOID *PPVOID;
6 | #endif
7 |
8 | typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
9 | typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
10 |
11 | // symbols
// Process Environment Block, as recovered from public symbols ("// symbols"
// above). The layout is tied to a particular Windows generation — the
// trailing CsrServerReadOnlySharedMemoryBase and the tracing bits suggest a
// Windows 7/8-era layout; confirm which builds it matches before reading a
// PEB from another process, and never hard-code field offsets. When the PEB
// is read out of a foreign process, every pointer in it is an address in
// that process and every value is untrusted input.
12 | typedef struct _PEB
13 | {
14 | BOOLEAN InheritedAddressSpace;
15 | BOOLEAN ReadImageFileExecOptions;
16 | BOOLEAN BeingDebugged; // per its name, nonzero while a debugger is attached — confirm
17 | union
18 | {
19 | BOOLEAN BitField;
20 | struct
21 | {
22 | BOOLEAN ImageUsesLargePages : 1;
23 | BOOLEAN IsProtectedProcess : 1;
24 | BOOLEAN IsImageDynamicallyRelocated : 1;
25 | BOOLEAN SkipPatchingUser32Forwarders : 1;
26 | BOOLEAN IsPackagedProcess : 1;
27 | BOOLEAN IsAppContainer : 1;
28 | BOOLEAN IsProtectedProcessLight : 1;
29 | BOOLEAN SpareBits : 1; // 7 flag bits + 1 spare = the 8 bits of BitField
30 | };
31 | };
32 | HANDLE Mutant;
33 |
34 | PVOID ImageBaseAddress;
35 | PPEB_LDR_DATA Ldr; // loader data: the module lists
36 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // command line, environment, etc.
37 | PVOID SubSystemData;
38 | PVOID ProcessHeap;
39 | PRTL_CRITICAL_SECTION FastPebLock;
40 | PVOID AtlThunkSListPtr;
41 | PVOID IFEOKey;
42 | union
43 | {
44 | ULONG CrossProcessFlags;
45 | struct
46 | {
47 | ULONG ProcessInJob : 1;
48 | ULONG ProcessInitializing : 1;
49 | ULONG ProcessUsingVEH : 1;
50 | ULONG ProcessUsingVCH : 1;
51 | ULONG ProcessUsingFTH : 1;
52 | ULONG ReservedBits0 : 27; // 5 + 27 = 32 bits
53 | };
54 | ULONG EnvironmentUpdateCount;
55 | };
56 | union
57 | {
58 | PVOID KernelCallbackTable;
59 | PVOID UserSharedInfoPtr;
60 | };
61 | ULONG SystemReserved[1];
62 | ULONG AtlThunkSListPtr32;
63 | PVOID ApiSetMap;
64 | ULONG TlsExpansionCounter;
65 | PVOID TlsBitmap;
66 | ULONG TlsBitmapBits[2];
67 | PVOID ReadOnlySharedMemoryBase;
68 | PVOID HotpatchInformation;
69 | PPVOID ReadOnlyStaticServerData;
70 | PVOID AnsiCodePageData;
71 | PVOID OemCodePageData;
72 | PVOID UnicodeCaseTableData;
73 |
74 | ULONG NumberOfProcessors;
75 | ULONG NtGlobalFlag;
76 |
77 | LARGE_INTEGER CriticalSectionTimeout;
78 | SIZE_T HeapSegmentReserve;
79 | SIZE_T HeapSegmentCommit;
80 | SIZE_T HeapDeCommitTotalFreeThreshold;
81 | SIZE_T HeapDeCommitFreeBlockThreshold;
82 |
83 | ULONG NumberOfHeaps;
84 | ULONG MaximumNumberOfHeaps;
85 | PPVOID ProcessHeaps; // array of NumberOfHeaps heap handles — presumed pairing; confirm
86 |
87 | PVOID GdiSharedHandleTable; // the GDI_SHARED_MEMORY mapping (ntgdi.h)
88 | PVOID ProcessStarterHelper;
89 | ULONG GdiDCAttributeList;
90 |
91 | PRTL_CRITICAL_SECTION LoaderLock;
92 |
93 | ULONG OSMajorVersion;
94 | ULONG OSMinorVersion;
95 | USHORT OSBuildNumber;
96 | USHORT OSCSDVersion;
97 | ULONG OSPlatformId;
98 | ULONG ImageSubsystem;
99 | ULONG ImageSubsystemMajorVersion;
100 | ULONG ImageSubsystemMinorVersion;
101 | ULONG_PTR ImageProcessAffinityMask;
102 | GDI_HANDLE_BUFFER GdiHandleBuffer;
103 | PVOID PostProcessInitRoutine;
104 |
105 | PVOID TlsExpansionBitmap;
106 | ULONG TlsExpansionBitmapBits[32];
107 |
108 | ULONG SessionId;
109 |
110 | ULARGE_INTEGER AppCompatFlags;
111 | ULARGE_INTEGER AppCompatFlagsUser;
112 | PVOID pShimData;
113 | PVOID AppCompatInfo;
114 |
115 | UNICODE_STRING CSDVersion;
116 |
117 | PVOID ActivationContextData;
118 | PVOID ProcessAssemblyStorageMap;
119 | PVOID SystemDefaultActivationContextData;
120 | PVOID SystemAssemblyStorageMap;
121 |
122 | SIZE_T MinimumStackCommit;
123 |
124 | PPVOID FlsCallback;
125 | LIST_ENTRY FlsListHead;
126 | PVOID FlsBitmap;
127 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; // one bit per FLS slot
128 | ULONG FlsHighIndex;
129 |
130 | PVOID WerRegistrationData;
131 | PVOID WerShipAssertPtr;
132 | PVOID pContextData;
133 | PVOID pImageHeaderHash;
134 | union
135 | {
136 | ULONG TracingFlags;
137 | struct
138 | {
139 | ULONG HeapTracingEnabled : 1;
140 | ULONG CritSecTracingEnabled : 1;
141 | ULONG LibLoaderTracingEnabled : 1;
142 | ULONG SpareTracingBits : 29; // 3 + 29 = 32 bits
143 | };
144 | };
145 | ULONGLONG CsrServerReadOnlySharedMemoryBase;
146 | } PEB, *PPEB;
147 |
// Number of ULONG slots in the per-thread GDI batch buffer embedded in the TEB.
#define GDI_BATCH_BUFFER_SIZE 310

// Per-thread GDI call batch (TEB.GdiTebBatch). Fixed-size; the kernel side
// owns the format of Buffer.
// NOTE(review): Offset and HDC are named only - their exact meaning is not
// established by this header; confirm before interpreting them.
typedef struct _GDI_TEB_BATCH
{
    ULONG Offset;
    ULONG_PTR HDC;
    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
156 |
// Descriptive context attached to a TEB_ACTIVE_FRAME: a flags word and a
// narrow (PSTR) frame name. Lifetime/ownership of FrameName is not defined
// here - it is whatever the code that pushed the frame provided.
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
    ULONG Flags;
    PSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
162 |
// One element of the per-thread "active frame" stack reachable from
// TEB.ActiveFrame. Previous links towards older frames, so the structure is a
// singly linked stack; Context points at the frame's descriptive record.
typedef struct _TEB_ACTIVE_FRAME
{
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME *Previous;
    PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
169 |
// Thread Environment Block: the per-thread user-mode control block.
//
// This layout is both architecture-sensitive (see the _M_X64 branches) and
// OS-version-sensitive. Offsets must match the target build exactly; a stale
// layout does not fail loudly, it silently reads the wrong field - which
// matters most when this structure is used to interpret memory read out of
// another process. Fields without a comment are reproduced as-is; see the
// reliability notes in phnt.h for how much to trust individual names.
typedef struct _TEB
{
    NT_TIB NtTib;                       // exception list, stack bounds, Self pointer

    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;                 // unique process/thread id pair for this thread
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;       // owning process's PEB

    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PVOID WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[54];
    NTSTATUS ExceptionCode;
    PVOID ActivationContextStackPointer;
    // Padding differs by architecture; this is one of the places where an
    // x86 layout applied to x64 (or vice versa) shifts every later field.
#ifdef _M_X64
    UCHAR SpareBytes[24];
#else
    UCHAR SpareBytes[36];
#endif
    ULONG TxFsContext;

    GDI_TEB_BATCH GdiTebBatch;
    CLIENT_ID RealClientId;
    HANDLE GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocalInfo;
    ULONG_PTR Win32ClientInfo[62];
    PVOID glDispatchTable[233];         // OpenGL dispatch slots
    ULONG_PTR glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;

    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];     // 261 WCHARs; backing store for StaticUnicodeString

    PVOID DeallocationStack;
    PVOID TlsSlots[64];                 // first 64 TLS slots live inline; see TlsExpansionSlots
    LIST_ENTRY TlsLinks;

    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];

    ULONG HardErrorMode;
#ifdef _M_X64
    PVOID Instrumentation[11];
#else
    PVOID Instrumentation[9];
#endif
    GUID ActivityId;

    PVOID SubProcessTag;
    PVOID EtwLocalData;
    PVOID EtwTraceData;
    PVOID WinSockData;
    ULONG GdiBatchCount;

    // Three views of the same 4 bytes: a PROCESSOR_NUMBER, a raw ULONG, or the
    // ideal processor in the top byte.
    union
    {
        PROCESSOR_NUMBER CurrentIdealProcessor;
        ULONG IdealProcessorValue;
        struct
        {
            UCHAR ReservedPad0;
            UCHAR ReservedPad1;
            UCHAR ReservedPad2;
            UCHAR IdealProcessor;
        };
    };

    ULONG GuaranteedStackBytes;
    PVOID ReservedForPerf;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID SavedPriorityState;
    ULONG_PTR SoftPatchPtr1;
    PVOID ThreadPoolData;
    PPVOID TlsExpansionSlots;           // pointer to the expansion TLS slot array, if allocated
#ifdef _M_X64
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    ULONG MuiGeneration;
    // NOTE(review): presumably nonzero while the thread carries an
    // impersonation token - not established by this header, confirm before
    // using it in any access decision.
    ULONG IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    ULONG HeapVirtualAffinity;
    HANDLE CurrentTransactionHandle;
    PTEB_ACTIVE_FRAME ActiveFrame;      // top of the TEB_ACTIVE_FRAME stack
    PVOID FlsData;

    PVOID PreferredLanguages;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;

    union
    {
        USHORT CrossTebFlags;
        USHORT SpareCrossTebBits : 16;
    };
    // 16 flag bits; 12 named, 4 spare.
    union
    {
        USHORT SameTebFlags;
        struct
        {
            USHORT SafeThunkCall : 1;
            USHORT InDebugPrint : 1;
            USHORT HasFiberData : 1;
            USHORT SkipThreadAttach : 1;
            USHORT WerInShipAssertCode : 1;
            USHORT RanProcessInit : 1;
            USHORT ClonedThread : 1;
            USHORT SuppressDebugMsg : 1;
            USHORT DisableUserStackWalk : 1;
            USHORT RtlExceptionAttached : 1;
            USHORT InitialThread : 1;
            USHORT SessionAware : 1;
            USHORT SpareSameTebBits : 4;
        };
    };

    PVOID TxnScopeEnterCallback;
    PVOID TxnScopeExitCallback;
    PVOID TxnScopeContext;
    ULONG LockCount;
    ULONG SpareUlong0;
    PVOID ResourceRetValue;
    PVOID ReservedForWdf;
} TEB, *PTEB;
314 |
315 | #endif
316 |
--------------------------------------------------------------------------------
/include/sys/ntpfapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTPFAPI_H
2 | #define _NTPFAPI_H
3 |
4 | // begin_private
5 |
6 | // Prefetch
7 |
// Boot phases reported to the prefetcher (set through PrefetcherBootPhase).
// The values are intentionally sparse (steps of 30) rather than sequential, so
// they must not be used as array indices. PfMaxBootPhaseId is a sentinel.
typedef enum _PF_BOOT_PHASE_ID
{
    PfKernelInitPhase = 0,
    PfBootDriverInitPhase = 90,
    PfSystemDriverInitPhase = 120,
    PfSessionManagerInitPhase = 150,
    PfSMRegistryInitPhase = 180,
    PfVideoInitPhase = 210,
    PfPostVideoInitPhase = 240,
    PfBootAcceptedRegistryInitPhase = 270,
    PfUserShellReadyPhase = 300,
    PfMaxBootPhaseId = 900
} PF_BOOT_PHASE_ID;
21 |
// Tri-state enable setting used by PF_SYSTEM_PREFETCH_PARAMETERS.EnableStatus.
// PfSvMaxEnableStatus is a bound, not a valid value.
typedef enum _PF_ENABLE_STATUS
{
    PfSvNotSpecified,
    PfSvEnabled,
    PfSvDisabled,
    PfSvMaxEnableStatus
} PF_ENABLE_STATUS;
29 |
// Limits applied to a single prefetch trace.
// NOTE(review): TimerPeriod is presumably in the usual NT 100ns units - not
// stated anywhere in this header.
typedef struct _PF_TRACE_LIMITS
{
    ULONG MaxNumPages;
    ULONG MaxNumSections;
    LONGLONG TimerPeriod;
} PF_TRACE_LIMITS, *PPF_TRACE_LIMITS;
36 |
// System-wide prefetcher parameters (queried via PrefetcherSystemParameters).
// The two-element arrays are indexed by trace kind; the index meaning is not
// defined in this header.
// Both WCHAR arrays are fixed-size; nothing in the layout guarantees a NUL
// terminator, so bound any string operation by the array length.
typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS
{
    PF_ENABLE_STATUS EnableStatus[2];
    PF_TRACE_LIMITS TraceLimits[2];
    ULONG MaxNumActiveTraces;
    ULONG MaxNumSavedTraces;
    WCHAR RootDirPath[32];
    WCHAR HostingApplicationList[128];
} PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS;
46 |
// Version a caller is expected to place in PF_BOOT_CONTROL.Version.
#define PF_BOOT_CONTROL_VERSION 1

// Input for PrefetcherBootControl: enables/disables boot-time prefetching.
typedef struct _PF_BOOT_CONTROL
{
    ULONG Version;
    ULONG DisableBootPrefetching;
} PF_BOOT_CONTROL, *PPF_BOOT_CONTROL;
54 |
// Sub-classes carried in PREFETCHER_INFORMATION.PrefetcherInformationClass.
// Trailing comments: "q:" = query returns this type, "s:" = set takes it.
// Numbering starts at 1, not 0.
typedef enum _PREFETCHER_INFORMATION_CLASS
{
    PrefetcherRetrieveTrace = 1, // q: CHAR[]
    PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS
    PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID
    PrefetcherRetrieveBootLoaderTrace, // q: CHAR[]
    PrefetcherBootControl // s: PF_BOOT_CONTROL
} PREFETCHER_INFORMATION_CLASS;
63 |
// Both constants are reverse-engineered ("rev"), i.e. the lowest reliability
// tier in phnt.h - expect them to change across OS builds.
// The magic is a multi-character constant: its numeric value is
// implementation-defined in standard C and matches MSVC's packing here.
#define PREFETCHER_INFORMATION_VERSION 23 // rev
#define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev

// Envelope passed to the prefetcher information query/set path; the actual
// payload is described by PrefetcherInformationClass and lives at
// PrefetcherInformation / PrefetcherInformationLength.
typedef struct _PREFETCHER_INFORMATION
{
    ULONG Version;
    ULONG Magic;
    PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass;
    PVOID PrefetcherInformation;
    ULONG PrefetcherInformationLength;
} PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION;
75 |
76 | // Superfetch
77 |
// System-wide Superfetch parameters (queried via SuperfetchSystemParameters).
// NOTE(review): the two timeout fields have no unit stated in this header.
typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS
{
    ULONG EnabledComponents;
    ULONG BootID;
    ULONG SavedSectInfoTracesMax;
    ULONG SavedPageAccessTracesMax;
    ULONG ScenarioPrefetchTimeoutStandby;
    ULONG ScenarioPrefetchTimeoutHibernate;
} PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS;
87 |
#define PF_PFN_PRIO_REQUEST_VERSION 1
#define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1
// Only the single flag above is defined; anything else in RequestFlags is out
// of contract.
#define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1

// Request/response buffer for SuperfetchPfnQuery. PageData is a fixed array
// of 256 MMPFN_IDENTITY entries, so PfnCount should never exceed 256 from the
// caller's side; the kernel-side bound is not visible here.
// This query exposes physical-page (PFN) metadata, which is information a
// normal user process does not otherwise see - treat callers as privileged
// and do not forward the results to less-trusted code.
typedef struct _PF_PFN_PRIO_REQUEST
{
    ULONG Version;
    ULONG RequestFlags;
    ULONG PfnCount;
    SYSTEM_MEMORY_LIST_INFORMATION MemInfo;
    MMPFN_IDENTITY PageData[256];
} PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST;
100 |
// Who a private page is charged to; selects which member of the
// PFS_PRIVATE_PAGE_SOURCE union is meaningful. PfsPrivateSourceMax is a bound.
typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE
{
    PfsPrivateSourceKernel,
    PfsPrivateSourceSession,
    PfsPrivateSourceProcess,
    PfsPrivateSourceMax
} PFS_PRIVATE_PAGE_SOURCE_TYPE;
108 |
// Identifies the source of private pages. SessionId and ProcessId overlay the
// same storage; read the one that matches Type.
// NOTE(review): the two hash fields are presumably kernel-computed identity
// hashes, not something the caller fills in - not confirmed here.
typedef struct _PFS_PRIVATE_PAGE_SOURCE
{
    PFS_PRIVATE_PAGE_SOURCE_TYPE Type;
    union
    {
        ULONG_PTR SessionId;
        ULONG_PTR ProcessId;
    };
    ULONG ImagePathHash;
    ULONG UniqueProcessHash;
} PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE;
120 |
// One entry of a SuperfetchPrivSourceQuery result.
// EProcess / GlobalVA share storage and are kernel-space values handed back
// to user mode; they are identifiers, never pointers to dereference here.
// ImageName is a fixed 16-byte CHAR array with no terminator guarantee in the
// layout - bound any string use by sizeof(ImageName).
typedef struct _PF_PRIVSOURCE_INFO
{
    PFS_PRIVATE_PAGE_SOURCE DbInfo;
    union
    {
        ULONG_PTR EProcess;
        ULONG_PTR GlobalVA;
    };
    ULONG WsPrivatePages;
    ULONG TotalPrivatePages;
    ULONG SessionID;
    CHAR ImageName[16];
} PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO;
134 |
#define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 3

// Variable-length buffer for SuperfetchPrivSourceQuery. InfoArray[1] is the
// classic "at least one" trailing array: the real buffer holds InfoCount
// entries, so size allocations as
// FIELD_OFFSET(PF_PRIVSOURCE_QUERY_REQUEST, InfoArray) + n * sizeof(PF_PRIVSOURCE_INFO),
// never as sizeof(PF_PRIVSOURCE_QUERY_REQUEST).
typedef struct _PF_PRIVSOURCE_QUERY_REQUEST
{
    ULONG Version;
    ULONG InfoCount;
    PF_PRIVSOURCE_INFO InfoArray[1];
} PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST;
143 |
// Power-transition scenario kinds tracked by Superfetch. FUS = fast user
// switching. PfScenarioTypeMax is a bound.
typedef enum _PF_PHASED_SCENARIO_TYPE
{
    PfScenarioTypeNone,
    PfScenarioTypeStandby,
    PfScenarioTypeHibernate,
    PfScenarioTypeFUS,
    PfScenarioTypeMax
} PF_PHASED_SCENARIO_TYPE;
152 |
#define PF_SCENARIO_PHASE_INFO_VERSION 4

// Result of SuperfetchScenarioQuery (and, by name, input to
// SuperfetchScenarioPhase). FUSUserId is only meaningful for
// PfScenarioTypeFUS; the Flags bits are not defined in this header.
typedef struct _PF_SCENARIO_PHASE_INFO
{
    ULONG Version;
    PF_PHASED_SCENARIO_TYPE ScenType;
    ULONG PhaseId;
    ULONG SequenceNumber;
    ULONG Flags;
    ULONG FUSUserId;
} PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO;
164 |
// Per-NUMA-node page-list counts returned by SuperfetchMemoryListQuery.
// Node and Spare are bit-fields packed into one ULONGLONG; bit-fields on a
// 64-bit type are implementation-defined in standard C, so this layout is
// only guaranteed for the MSVC ABI the rest of this header targets.
typedef struct _PF_MEMORY_LIST_NODE
{
    ULONGLONG Node : 8;
    ULONGLONG Spare : 56;
    ULONGLONG StandbyLowPageCount;
    ULONGLONG StandbyMediumPageCount;
    ULONGLONG StandbyHighPageCount;
    ULONGLONG FreePageCount;
    ULONGLONG ModifiedPageCount;
} PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE;
175 |
#define PF_MEMORY_LIST_INFO_VERSION 1

// Variable-length result of SuperfetchMemoryListQuery. Nodes[1] is a trailing
// array of NodeCount entries; size the buffer from the header offset plus
// NodeCount * sizeof(PF_MEMORY_LIST_NODE), not sizeof(PF_MEMORY_LIST_INFO).
// Size is presumably the total byte length of the buffer - not stated here.
typedef struct _PF_MEMORY_LIST_INFO
{
    ULONG Version;
    ULONG Size;
    ULONG NodeCount;
    PF_MEMORY_LIST_NODE Nodes[1];
} PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO;
185 |
// A run of physical pages. Both fields are 32-bit, so BasePfn + PageCount
// cannot describe physical memory above the 2^32-page boundary; callers that
// do arithmetic on these should widen to 64 bits first.
typedef struct _PF_PHYSICAL_MEMORY_RANGE
{
    ULONG BasePfn;
    ULONG PageCount;
} PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE;
191 |
#define PF_PHYSICAL_MEMORY_RANGE_INFO_VERSION 1

// Variable-length result of SuperfetchMemoryRangesQuery: RangeCount entries
// follow the header in Ranges[]. Do not size the buffer with sizeof() of this
// struct, which only accounts for one range.
typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO
{
    ULONG Version;
    ULONG RangeCount;
    PF_PHYSICAL_MEMORY_RANGE Ranges[1];
} PF_PHYSICAL_MEMORY_RANGE_INFO, *PPF_PHYSICAL_MEMORY_RANGE_INFO;
200 |
201 | // begin_rev
202 |
#define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1

// Result of SuperfetchRepurposedByPrefetch. Marked "rev" in the enclosing
// begin_rev/end_rev block: reverse-engineered, lowest reliability tier.
typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO
{
    ULONG Version;
    ULONG RepurposedByPrefetch;
} PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO;
210 |
211 | // end_rev
212 |
// Sub-classes carried in SUPERFETCH_INFORMATION.InfoClass. Numbering starts
// at 1. "q:" marks the type returned by a query; entries without a comment
// have no payload type documented in this header - do not guess one.
typedef enum _SUPERFETCH_INFORMATION_CLASS
{
    SuperfetchRetrieveTrace = 1, // q: CHAR[]
    SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS
    SuperfetchLogEvent,
    SuperfetchGenerateTrace,
    SuperfetchPrefetch,
    SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST
    SuperfetchPfnSetPriority,
    SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST
    SuperfetchSequenceNumberQuery, // q: ULONG
    SuperfetchScenarioPhase, // 10
    SuperfetchWorkerPriority,
    SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO
    SuperfetchScenarioPrefetch,
    SuperfetchRobustnessControl,
    SuperfetchTimeControl,
    SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO
    SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO
    SuperfetchTracingControl,
    SuperfetchTrimWhileAgingControl,
    SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev
    SuperfetchInformationMax
} SUPERFETCH_INFORMATION_CLASS;
237 |
// Reverse-engineered version/magic pair; the same 'kuhC' multi-character
// constant as the prefetcher envelope. Expect Version to move between builds.
#define SUPERFETCH_INFORMATION_VERSION 45 // rev
#define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev

// Envelope for Superfetch queries/sets: InfoClass selects the payload type
// that Data/Length describe.
typedef struct _SUPERFETCH_INFORMATION
{
    ULONG Version;
    ULONG Magic;
    SUPERFETCH_INFORMATION_CLASS InfoClass;
    PVOID Data;
    ULONG Length;
} SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION;
249 |
250 | // end_private
251 |
252 | #endif
253 |
--------------------------------------------------------------------------------
/include/sys/ntpnpapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTPNPAPI_H
2 | #define _NTPNPAPI_H
3 |
// Category of a PLUGPLAY_EVENT_BLOCK; selects which member of its union is
// valid. MaxPlugEventCategory is a bound.
typedef enum _PLUGPLAY_EVENT_CATEGORY
{
    HardwareProfileChangeEvent,
    TargetDeviceChangeEvent,
    DeviceClassChangeEvent,
    CustomDeviceEvent,
    DeviceInstallEvent,
    DeviceArrivalEvent,
    PowerEvent,
    VetoEvent,
    BlockedDriverEvent,
    InvalidIDEvent,
    MaxPlugEventCategory
} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY;
18 |
// A PnP event as returned by NtGetPlugPlayEvent.
//
// The block is variable-length: every WCHAR ...[1] member below is the start
// of a string (or multi-sz list) that continues past the declared size, and
// TotalSize is the only bound on how far it extends. Validate TotalSize
// against the buffer you passed in before walking any of those strings.
// Result and DeviceObject are handed back from the kernel; treat them as
// opaque values rather than pointers to dereference from user mode.
typedef struct _PLUGPLAY_EVENT_BLOCK
{
    GUID EventGuid;
    PLUGPLAY_EVENT_CATEGORY EventCategory;  // selects the union member below
    PULONG Result;
    ULONG Flags;
    ULONG TotalSize;                        // total bytes of this block, including trailing data
    PVOID DeviceObject;

    union
    {
        struct
        {
            GUID ClassGuid;
            WCHAR SymbolicLinkName[1];
        } DeviceClass;
        struct
        {
            WCHAR DeviceIds[1];
        } TargetDevice;
        struct
        {
            WCHAR DeviceId[1];
        } InstallDevice;
        struct
        {
            PVOID NotificationStructure;
            WCHAR DeviceIds[1];
        } CustomNotification;
        struct
        {
            PVOID Notification;
        } ProfileNotification;
        struct
        {
            ULONG NotificationCode;
            ULONG NotificationData;
        } PowerNotification;
        struct
        {
            PNP_VETO_TYPE VetoType;
            WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName
        } VetoNotification;
        struct
        {
            GUID BlockedDriverGuid;
        } BlockedDriverNotification;
        struct
        {
            WCHAR ParentId[1];
        } InvalidIDNotification;
    } u;
} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK;
72 |
// Control codes for NtPlugPlayControl. Each code has its own input/output
// buffer layout, none of which are declared in this header, so the caller
// owns the PnPControlData format. MaxPlugPlayControl is a bound.
typedef enum _PLUGPLAY_CONTROL_CLASS
{
    PlugPlayControlEnumerateDevice,
    PlugPlayControlRegisterNewDevice,
    PlugPlayControlDeregisterDevice,
    PlugPlayControlInitializeDevice,
    PlugPlayControlStartDevice,
    PlugPlayControlUnlockDevice,
    PlugPlayControlQueryAndRemoveDevice,
    PlugPlayControlUserResponse,
    PlugPlayControlGenerateLegacyDevice,
    PlugPlayControlGetInterfaceDeviceList,
    PlugPlayControlProperty,
    PlugPlayControlDeviceClassAssociation,
    PlugPlayControlGetRelatedDevice,
    PlugPlayControlGetInterfaceDeviceAlias,
    PlugPlayControlDeviceStatus,
    PlugPlayControlGetDeviceDepth,
    PlugPlayControlQueryDeviceRelations,
    PlugPlayControlTargetDeviceRelation,
    PlugPlayControlQueryConflictList,
    PlugPlayControlRetrieveDock,
    PlugPlayControlResetDevice,
    PlugPlayControlHaltDevice,
    PlugPlayControlGetBlockedDriverList,
    MaxPlugPlayControl
} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS;
100 |
// Retrieves the next PnP event into EventBlock. EventBufferSize is the byte
// size of the caller's buffer; the block written is variable-length (see
// PLUGPLAY_EVENT_BLOCK.TotalSize), so check TotalSize <= EventBufferSize
// before reading the trailing strings.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetPlugPlayEvent(
    _In_ HANDLE EventHandle,
    _In_opt_ PVOID Context,
    _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock,
    _In_ ULONG EventBufferSize
    );
110 |
// Issues a PnP control operation. PnPControlData is both input and output
// (_Inout_) and its layout depends entirely on PnPControlClass; the size must
// be the exact size of that class-specific structure.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPlugPlayControl(
    _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass,
    _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData,
    _In_ ULONG PnPControlDataLength
    );
119 |
#if (PHNT_VERSION >= PHNT_WIN7)
// rev
// Reverse-engineered, Windows 7+. Takes no arguments; its effect is not
// documented in this header. Only visible when PHNT_VERSION is raised from
// the PHNT_WINXP default in phnt.h.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSerializeBoot(
    VOID
    );
#endif
129 |
#if (PHNT_VERSION >= PHNT_VISTA)
// private
// Vista+. Replaces the partition unit at TargetInstancePath with the one at
// SpareInstancePath. Flags values are not defined in this header.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReplacePartitionUnit(
    _In_ PUNICODE_STRING TargetInstancePath,
    _In_ PUNICODE_STRING SpareInstancePath,
    _In_ ULONG Flags
    );
#endif
141 |
142 | #endif
143 |
--------------------------------------------------------------------------------
/include/sys/ntpoapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTPOAPI_H
2 | #define _NTPOAPI_H
3 |
// Either a system or a device power state; which one is meaningful is carried
// separately as a POWER_STATE_TYPE.
typedef union _POWER_STATE
{
    SYSTEM_POWER_STATE SystemState;
    DEVICE_POWER_STATE DeviceState;
} POWER_STATE, *PPOWER_STATE;
9 |
// Discriminator for POWER_STATE.
typedef enum _POWER_STATE_TYPE
{
    SystemPowerState = 0,
    DevicePowerState
} POWER_STATE_TYPE, *PPOWER_STATE_TYPE;
15 |
#if (PHNT_VERSION >= PHNT_VISTA)
// wdm
// Packed description of an in-progress system power transition (from the
// WDK). The three 4-bit state fields hold SYSTEM_POWER_STATE values;
// ContextAsUlong is the same 32 bits as one integer.
typedef struct _SYSTEM_POWER_STATE_CONTEXT
{
    union
    {
        struct
        {
            ULONG Reserved1 : 8;
            ULONG TargetSystemState : 4;
            ULONG EffectiveSystemState : 4;
            ULONG CurrentSystemState : 4;
            ULONG IgnoreHibernationPath : 1;
            ULONG PseudoTransition : 1;
            ULONG Reserved2 : 10;
        };
        ULONG ContextAsUlong;
    };
} SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT;
#endif
36 |
#if (PHNT_VERSION >= PHNT_WIN7)
/** \cond NEVER */ // disable doxygen warning
// wdm
// Reason context for power requests (from the WDK, Windows 7+). Flags decides
// which union member is in use: either a resource-based reason (file name,
// resource id and StringCount substitution strings) or a SimpleString.
// ReasonStrings points at StringCount UNICODE_STRINGs, per the SAL annotation.
typedef struct _COUNTED_REASON_CONTEXT
{
    ULONG Version;
    ULONG Flags;
    union
    {
        struct
        {
            UNICODE_STRING ResourceFileName;
            USHORT ResourceReasonId;
            ULONG StringCount;
            PUNICODE_STRING _Field_size_(StringCount) ReasonStrings;
        };
        UNICODE_STRING SimpleString;
    };
} COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT;
/** \endcond */
#endif
58 |
// Which sleep/shutdown transition a POWER_STATE_HANDLER serves. The enum tag
// is anonymous; refer to it only through the typedef. PowerStateMaximum is a
// bound.
typedef enum
{
    PowerStateSleeping1 = 0,
    PowerStateSleeping2 = 1,
    PowerStateSleeping3 = 2,
    PowerStateSleeping4 = 3,
    PowerStateSleeping4Firmware = 4,
    PowerStateShutdownReset = 5,
    PowerStateShutdownOff = 6,
    PowerStateMaximum = 7
} POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE;
70 |
// Callback the system passes into a PENTER_STATE_HANDLER; invoked with the
// SystemContext that accompanied it.
typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)(
    _In_ PVOID SystemContext
    );
74 |
// Handler that performs the actual entry into a power state. Note the
// qualifier placement on the last parameter: "volatile PLONG" is a volatile
// pointer to a LONG, not a pointer to a volatile LONG; it is reproduced here
// as the original declares it.
typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)(
    _In_ PVOID Context,
    _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler,
    _In_ PVOID SystemContext,
    _In_ LONG NumberProcessors,
    _In_ volatile PLONG Number
    );
82 |
// Registration record for a power-state entry handler. Spare pads the BOOLEAN
// so Handler stays naturally aligned.
typedef struct _POWER_STATE_HANDLER
{
    POWER_STATE_HANDLER_TYPE Type;
    BOOLEAN RtcWake;
    UCHAR Spare[3];
    PENTER_STATE_HANDLER Handler;
    PVOID Context;
} POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER;
91 |
// Notification callback invoked around a power-state transition; Entering
// distinguishes the call made before entry from the one made on exit.
typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)(
    _In_ POWER_STATE_HANDLER_TYPE State,
    _In_ PVOID Context,
    _In_ BOOLEAN Entering
    );
97 |
// Registration record pairing a notify callback with its context.
typedef struct _POWER_STATE_NOTIFY_HANDLER
{
    PENTER_STATE_NOTIFY_HANDLER Handler;
    PVOID Context;
} POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER;
103 |
// Per-processor frequency/idle-state information as returned by
// NtPowerInformation; one entry per processor, with Number identifying it.
typedef struct _PROCESSOR_POWER_INFORMATION
{
    ULONG Number;
    ULONG MaxMhz;
    ULONG CurrentMhz;
    ULONG MhzLimit;
    ULONG MaxIdleState;
    ULONG CurrentIdleState;
} PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION;
113 |
// System idleness summary returned by NtPowerInformation. The structure is
// 13 bytes of declared data; its padded size is what the kernel expects, so
// always pass sizeof(SYSTEM_POWER_INFORMATION) rather than a hand-counted 13.
typedef struct _SYSTEM_POWER_INFORMATION
{
    ULONG MaxIdlenessAllowed;
    ULONG Idleness;
    ULONG TimeRemaining;
    UCHAR CoolingMode;
} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;
121 |
// General power query/set entry point. The meaning and required sizes of the
// input and output buffers depend on InformationLevel; both buffers are
// optional at the signature level, so a wrong size is reported by status, not
// by the compiler.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPowerInformation(
    _In_ POWER_INFORMATION_LEVEL InformationLevel,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
    _In_ ULONG OutputBufferLength
    );
132 |
// Sets the calling thread's execution-state flags (ES_*) and returns the
// previous flags through PreviousFlags, which is mandatory (_Out_, not
// optional).
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetThreadExecutionState(
    _In_ EXECUTION_STATE NewFlags, // ES_* flags
    _Out_ EXECUTION_STATE *PreviousFlags
    );
140 |
// Requests a maximum wake-up latency for the caller.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRequestWakeupLatency(
    _In_ LATENCY_TIME latency
    );
147 |
// Initiates a system power action (sleep/hibernate/shutdown via POWER_ACTION),
// optionally asynchronously. This is a system-affecting operation; expect the
// kernel to require appropriate privilege - the check is not visible here.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtInitiatePowerAction(
    _In_ POWER_ACTION SystemAction,
    _In_ SYSTEM_POWER_STATE LightestSystemState,
    _In_ ULONG Flags, // POWER_ACTION_* flags
    _In_ BOOLEAN Asynchronous
    );
157 |
// Synchronous counterpart of NtInitiatePowerAction: transitions the system
// to at most LightestSystemState for the given action. Same privilege caveat.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetSystemPowerState(
    _In_ POWER_ACTION SystemAction,
    _In_ SYSTEM_POWER_STATE LightestSystemState,
    _In_ ULONG Flags // POWER_ACTION_* flags
    );
166 |
// Reports the power state of the device behind a handle.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetDevicePowerState(
    _In_ HANDLE Device,
    _Out_ PDEVICE_POWER_STATE State
    );
174 |
// Returns a BOOLEAN directly rather than an NTSTATUS - the only call in this
// header that does, so do not wrap it in NT_SUCCESS().
NTSYSCALLAPI
BOOLEAN
NTAPI
NtIsSystemResumeAutomatic(
    VOID
    );
181 |
182 | #endif
183 |
--------------------------------------------------------------------------------
/include/sys/ntwin.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTWIN_H
2 | #define _NTWIN_H
3 |
4 | // This header file provides access to Win32, plus NTSTATUS values.
5 |
6 | #define WIN32_LEAN_AND_MEAN
7 | #define WIN32_NO_STATUS
8 | #include
9 | #undef WIN32_NO_STATUS
10 | #include
11 |
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 | typedef GUID *PGUID;
19 |
// Desktop access rights
//
// Composite desktop access masks in the GENERIC_* style. Note what the broad
// ones carry: DESKTOP_ALL_ACCESS and DESKTOP_GENERIC_WRITE both include
// DESKTOP_HOOKCONTROL, DESKTOP_JOURNALRECORD and DESKTOP_JOURNALPLAYBACK,
// the rights that allow hooking and recording/replaying input on the desktop,
// and DESKTOP_ALL_ACCESS adds STANDARD_RIGHTS_REQUIRED (DELETE, READ_CONTROL,
// WRITE_DAC, WRITE_OWNER). Request DESKTOP_GENERIC_READ when enumeration is
// all that is needed, and reserve the wider masks for code that actually
// installs hooks or changes the desktop's security descriptor.
#define DESKTOP_ALL_ACCESS \
    (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \
    DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \
    DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \
    STANDARD_RIGHTS_REQUIRED)
#define DESKTOP_GENERIC_READ \
    (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ)
#define DESKTOP_GENERIC_WRITE \
    (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \
    DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \
    STANDARD_RIGHTS_WRITE)
#define DESKTOP_GENERIC_EXECUTE \
    (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE)
34 |
// Window station access rights
//
// GENERIC_* style composites for window stations. WINSTA_GENERIC_READ
// includes WINSTA_READSCREEN (screen capture) and WINSTA_GENERIC_WRITE
// includes WINSTA_ACCESSCLIPBOARD; neither is a "harmless" read/write right,
// so prefer the individual WINSTA_* bits when a narrower request will do.
#define WINSTA_GENERIC_READ \
    (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \
    WINSTA_READSCREEN | STANDARD_RIGHTS_READ)
#define WINSTA_GENERIC_WRITE \
    (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \
    STANDARD_RIGHTS_WRITE)
#define WINSTA_GENERIC_EXECUTE \
    (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE)
44 |
// WMI access rights
//
// GENERIC_* composites for WMI GUID objects. The write and execute masks
// fold in TRACELOG_* rights (creating sessions, enabling providers, logging
// events), so a caller that only needs to query a provider should ask for
// WMIGUID_GENERIC_READ or the specific WMIGUID_*/TRACELOG_* bit.
#define WMIGUID_GENERIC_READ \
    (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \
    STANDARD_RIGHTS_READ)
#define WMIGUID_GENERIC_WRITE \
    (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \
    STANDARD_RIGHTS_WRITE)
#define WMIGUID_GENERIC_EXECUTE \
    (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \
    TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \
    STANDARD_RIGHTS_EXECUTE)
56 |
57 | #endif
58 |
--------------------------------------------------------------------------------
/include/sys/ntxcapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _NTXCAPI_H
2 | #define _NTXCAPI_H
3 |
// Runs the user-mode exception dispatch for ExceptionRecord/ContextRecord.
// Returns TRUE if a handler took the exception, FALSE if dispatch fell
// through (the caller then usually raises a second-chance exception).
NTSYSAPI
BOOLEAN
NTAPI
RtlDispatchException(
    _In_ PEXCEPTION_RECORD ExceptionRecord,
    _In_ PCONTEXT ContextRecord
    );
11 |
// Raises Status as a non-continuable exception. DECLSPEC_NORETURN: control
// never returns to the caller, so code after a call is unreachable.
NTSYSAPI
DECLSPEC_NORETURN
VOID
NTAPI
RtlRaiseStatus(
    _In_ NTSTATUS Status
    );
19 |
// Raises a fully described exception. Unlike RtlRaiseStatus this is not
// marked NORETURN: a continuable exception that a handler resolves will
// return here.
NTSYSAPI
VOID
NTAPI
RtlRaiseException(
    _In_ PEXCEPTION_RECORD ExceptionRecord
    );
26 |
// Resumes execution with the register state in ContextRecord; TestAlert
// requests an alert test (APC delivery) on the way back. On success this does
// not return to the caller - the thread continues at ContextRecord's PC.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtContinue(
    _In_ PCONTEXT ContextRecord,
    _In_ BOOLEAN TestAlert
    );
34 |
// Kernel-side raise: dispatches ExceptionRecord with ContextRecord as the
// faulting state. FirstChance selects first- vs second-chance delivery to an
// attached debugger.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRaiseException(
    _In_ PEXCEPTION_RECORD ExceptionRecord,
    _In_ PCONTEXT ContextRecord,
    _In_ BOOLEAN FirstChance
    );
43 |
44 | #endif
45 |
--------------------------------------------------------------------------------
/include/sys/phintrnl.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_PHINTRNL_H
2 | #define _PH_PHINTRNL_H
3 |
// Debug-build counters for phlib subsystems. Each field is bumped through
// PHLIB_INC_STATISTIC (an interlocked increment), so individual counters are
// atomic but the block as a whole is never a consistent snapshot. All are
// 32-bit and will wrap silently.
typedef struct _PHLIB_STATISTICS_BLOCK
{
    // basesup
    ULONG BaseThreadsCreated;
    ULONG BaseThreadsCreateFailed;
    ULONG BaseStringBuildersCreated;
    ULONG BaseStringBuildersResized;

    // ref
    ULONG RefObjectsCreated;
    ULONG RefObjectsDestroyed;
    ULONG RefObjectsAllocated;
    ULONG RefObjectsFreed;
    ULONG RefObjectsAllocatedFromSmallFreeList;
    ULONG RefObjectsFreedToSmallFreeList;
    ULONG RefObjectsAllocatedFromTypeFreeList;
    ULONG RefObjectsFreedToTypeFreeList;
    ULONG RefObjectsDeleteDeferred;
    ULONG RefAutoPoolsCreated;
    ULONG RefAutoPoolsDestroyed;
    ULONG RefAutoPoolsDynamicAllocated;
    ULONG RefAutoPoolsDynamicResized;

    // queuedlock
    ULONG QlBlockSpins;
    ULONG QlBlockWaits;
    ULONG QlAcquireExclusiveBlocks;
    ULONG QlAcquireSharedBlocks;

    // workqueue
    ULONG WqWorkQueueThreadsCreated;
    ULONG WqWorkQueueThreadsCreateFailed;
    ULONG WqWorkItemsQueued;
} PHLIB_STATISTICS_BLOCK;
38 |
// The single global counter block exists only in DEBUG builds.
#ifdef DEBUG
extern PHLIB_STATISTICS_BLOCK PhLibStatisticsBlock;
#endif

// PHLIB_INC_STATISTIC(Name) atomically increments PhLibStatisticsBlock.Name in
// DEBUG builds and expands to nothing otherwise, so the argument must not
// carry side effects that release builds would lose.
// NOTE(review): the counters are ULONG while _InterlockedIncrement is declared
// on long volatile *; this relies on MSVC tolerating the signedness mismatch.
#ifdef DEBUG
#define PHLIB_INC_STATISTIC(Name) (_InterlockedIncrement(&PhLibStatisticsBlock.Name))
#else
#define PHLIB_INC_STATISTIC(Name)
#endif
48 |
49 | #endif
50 |
--------------------------------------------------------------------------------
/include/sys/phnet.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_PHNET_H
2 | #define _PH_PHNET_H
3 |
#include <string.h>
#include
#include
6 |
// Network-layer type, bits 0-1.
#define PH_IPV4_NETWORK_TYPE 0x1
#define PH_IPV6_NETWORK_TYPE 0x2
#define PH_NETWORK_TYPE_MASK 0x3

// Transport protocol, bits 4-5.
#define PH_TCP_PROTOCOL_TYPE 0x10
#define PH_UDP_PROTOCOL_TYPE 0x20
#define PH_PROTOCOL_TYPE_MASK 0x30

// Combined protocol values = network type | protocol type.
// Caution: PH_IP_ADDRESS.Type is compared unmasked against the bare
// PH_*_NETWORK_TYPE values by the helpers in this header, so a combined
// PH_*_NETWORK_PROTOCOL value must not be stored in an address's Type field.
#define PH_NO_NETWORK_PROTOCOL 0x0
#define PH_TCP4_NETWORK_PROTOCOL (PH_IPV4_NETWORK_TYPE | PH_TCP_PROTOCOL_TYPE)
#define PH_TCP6_NETWORK_PROTOCOL (PH_IPV6_NETWORK_TYPE | PH_TCP_PROTOCOL_TYPE)
#define PH_UDP4_NETWORK_PROTOCOL (PH_IPV4_NETWORK_TYPE | PH_UDP_PROTOCOL_TYPE)
#define PH_UDP6_NETWORK_PROTOCOL (PH_IPV6_NETWORK_TYPE | PH_UDP_PROTOCOL_TYPE)
20 |
// An IPv4 or IPv6 address. Type holds exactly one of 0 (no address),
// PH_IPV4_NETWORK_TYPE or PH_IPV6_NETWORK_TYPE - the helpers below compare it
// unmasked. The union overlays a 4-byte IPv4 address (as ULONG or in_addr) on
// the first bytes of a 16-byte IPv6 address (as UCHAR[16] or in6_addr); only
// the view matching Type is meaningful, and for IPv4 the remaining 12 bytes
// are unspecified, so always compare/hash by Type rather than the full 16.
typedef struct _PH_IP_ADDRESS
{
    ULONG Type;
    union
    {
        ULONG Ipv4;
        struct in_addr InAddr;
        UCHAR Ipv6[16];
        struct in6_addr In6Addr;
    };
} PH_IP_ADDRESS, *PPH_IP_ADDRESS;
32 |
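/**
 * Compares two PH_IP_ADDRESS values for equality.
 *
 * \param Address1 The first address.
 * \param Address2 The second address.
 *
 * \return TRUE if both addresses have Type == 0 (two "no address" values are
 * considered equal), or if they have the same Type and the same address bytes.
 * FALSE if the types differ or the bytes differ. A Type other than 0 or
 * PH_IPV4_NETWORK_TYPE is compared as a 16-byte IPv6 address, which is the
 * original behaviour (note PhIsNullIpAddress treats unknown types differently).
 *
 * \remarks The IPv6 case previously compared through PULONG/PULONG64 casts of
 * the UCHAR[16] member. That is a strict-aliasing violation in standard C, and
 * on x64 the union starts at offset 4 (after the ULONG Type) so the 8-byte
 * loads were not guaranteed aligned. memcmp over the byte array is equivalent
 * and well-defined.
 */
FORCEINLINE BOOLEAN PhEqualIpAddress(
    _In_ PPH_IP_ADDRESS Address1,
    _In_ PPH_IP_ADDRESS Address2
    )
{
    // Both untyped: nothing to compare, treat as equal.
    if ((Address1->Type | Address2->Type) == 0)
        return TRUE;

    // Different families can never be equal.
    if (Address1->Type != Address2->Type)
        return FALSE;

    if (Address1->Type == PH_IPV4_NETWORK_TYPE)
        return Address1->Ipv4 == Address2->Ipv4;

    // IPv6 (and any other non-zero type): compare all 16 bytes.
    return memcmp(Address1->Ipv6, Address2->Ipv6, sizeof(Address1->Ipv6)) == 0;
}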
62 |
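/**
 * Computes a hash of an IP address for use in in-process hash tables.
 *
 * \param Address The address to hash.
 *
 * \return 0 for an address with Type == 0; otherwise a value derived from Type
 * and the address bytes. Equal addresses (per PhEqualIpAddress) hash equally.
 *
 * \remarks This is a cheap mixing function, not a cryptographic or
 * collision-resistant hash, and it must not be persisted or compared across
 * processes. The hash value is identical to the previous implementation; the
 * IPv6 words are now read with memcpy instead of a PULONG cast, which avoids
 * type-punning the UCHAR[16] member.
 */
FORCEINLINE ULONG PhHashIpAddress(
    _In_ PPH_IP_ADDRESS Address
    )
{
    ULONG hash;

    if (Address->Type == 0)
        return 0;

    // Seed with the type in both halves so IPv4 and IPv6 hashes differ.
    hash = Address->Type | (Address->Type << 16);

    if (Address->Type == PH_IPV4_NETWORK_TYPE)
    {
        hash ^= Address->Ipv4;
    }
    else
    {
        ULONG words[4];

        memcpy(words, Address->Ipv6, sizeof(words));
        hash += words[0];
        hash ^= words[1];
        hash += words[2];
        hash ^= words[3];
    }

    return hash;
}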
88 |
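/**
 * Determines whether an address is "null": untyped, 0.0.0.0, or ::.
 *
 * \param Address The address to test.
 *
 * \return TRUE if Type == 0, if Type is PH_IPV4_NETWORK_TYPE and the IPv4
 * address is 0, or if Type is PH_IPV6_NETWORK_TYPE and all 16 bytes are 0.
 * Any other Type value also returns TRUE (unchanged from the original).
 *
 * \remarks Note the asymmetry with PhEqualIpAddress, which compares unknown
 * types as IPv6 rather than treating them as null. The IPv6 check previously
 * read the UCHAR[16] member through PULONG/PULONG64 casts; it now copies the
 * bytes out first, which is aliasing- and alignment-safe with the same result.
 */
FORCEINLINE BOOLEAN PhIsNullIpAddress(
    _In_ PPH_IP_ADDRESS Address
    )
{
    if (Address->Type == 0)
        return TRUE;

    if (Address->Type == PH_IPV4_NETWORK_TYPE)
        return Address->Ipv4 == 0;

    if (Address->Type == PH_IPV6_NETWORK_TYPE)
    {
        ULONG words[4];

        memcpy(words, Address->Ipv6, sizeof(words));

        return (words[0] | words[1] | words[2] | words[3]) == 0;
    }

    // Unknown type: treated as null, as before.
    return TRUE;
}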
115 |
// An address plus a port. Port is a full ULONG, not a USHORT, so values above
// 65535 are representable and are not rejected by the helpers below.
typedef struct _PH_IP_ENDPOINT
{
    PH_IP_ADDRESS Address;
    ULONG Port;
} PH_IP_ENDPOINT, *PPH_IP_ENDPOINT;
121 |
/**
 * Compares two endpoints: equal when the ports match and the addresses are
 * equal per PhEqualIpAddress.
 *
 * \param Endpoint1 The first endpoint.
 * \param Endpoint2 The second endpoint.
 *
 * \return TRUE if both the port and the address compare equal.
 */
FORCEINLINE BOOLEAN PhEqualIpEndpoint(
    _In_ PPH_IP_ENDPOINT Endpoint1,
    _In_ PPH_IP_ENDPOINT Endpoint2
    )
{
    // Cheap check first; address comparison has no side effects so order is free.
    if (Endpoint1->Port != Endpoint2->Port)
        return FALSE;

    return PhEqualIpAddress(&Endpoint1->Address, &Endpoint2->Address);
}
131 |
/**
 * Hashes an endpoint by folding the port into the address hash.
 *
 * \param Endpoint The endpoint to hash.
 *
 * \return PhHashIpAddress(&Endpoint->Address) XOR Endpoint->Port. Not a
 * cryptographic hash; for in-process hash tables only.
 */
FORCEINLINE ULONG PhHashIpEndpoint(
    _In_ PPH_IP_ENDPOINT Endpoint
    )
{
    ULONG addressHash;

    addressHash = PhHashIpAddress(&Endpoint->Address);

    return addressHash ^ Endpoint->Port;
}
138 |
139 | #endif
140 |
--------------------------------------------------------------------------------
/include/sys/phnt.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_PHNT_H
2 | #define _PH_PHNT_H
3 |
4 | // This header file provides access to NT APIs.
5 |
6 | // Definitions are annotated to indicate their source.
7 | // If a definition is not annotated, it has been retrieved
8 | // from an official Microsoft source (NT headers, DDK headers, winnt.h).
9 |
10 | // "winbase" indicates that a definition has been reconstructed from
11 | // a Win32-ized NT definition in winbase.h.
12 | // "rev" indicates that a definition has been reverse-engineered.
13 | // "dbg" indicates that a definition has been obtained from a debug
14 | // message or assertion in a checked build of the kernel or file.
15 |
16 | // Reliability:
17 | // 1. No annotation.
18 | // 2. dbg.
19 | // 3. symbols, private. Types may be incorrect.
20 | // 4. winbase. Names and types may be incorrect.
21 | // 5. rev.
22 |
// Mode
// PHNT_MODE_KERNEL suppresses the user-mode-only includes further down.
#define PHNT_MODE_KERNEL 0
#define PHNT_MODE_USER 1

// Version
// Minimum OS version whose declarations should be exposed. Many prototypes in
// the sub-headers are wrapped in "#if (PHNT_VERSION >= PHNT_xxx)"; with the
// default below (Windows XP) everything Vista-or-later is compiled out, so a
// consumer that needs newer APIs must define PHNT_VERSION before including
// this header.
#define PHNT_WIN2K 50
#define PHNT_WINXP 51
#define PHNT_WS03 52
#define PHNT_VISTA 60
#define PHNT_WIN7 61
#define PHNT_WIN8 62
#define PHNT_WINBLUE 63

#ifndef PHNT_MODE
#define PHNT_MODE PHNT_MODE_USER
#endif

#ifndef PHNT_VERSION
#define PHNT_VERSION PHNT_WINXP
#endif
43 |
44 | // Options
45 |
46 | //#define PHNT_NO_INLINE_INIT_STRING
47 |
48 | #ifdef __cplusplus
49 | extern "C" {
50 | #endif
51 |
52 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
53 | #include
54 | #include
55 | #include
56 | #endif
57 |
58 | #include
59 |
60 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
61 | #include
62 | #endif
63 |
64 | #include
65 | #include
66 |
67 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
68 | #include
69 | #include
70 | #include
71 | #include
72 | #include
73 | #include
74 | #include
75 | #include
76 | #include
77 | #endif
78 |
79 | #include
80 |
81 | #if (PHNT_MODE != PHNT_MODE_KERNEL)
82 |
83 | #include
84 | #include
85 | #include
86 | #include
87 |
88 | #include
89 |
90 | #include
91 | #include
92 |
93 | #include
94 |
95 | #include
96 |
97 | #endif
98 |
99 | #ifdef __cplusplus
100 | }
101 | #endif
102 |
103 | #endif
104 |
--------------------------------------------------------------------------------
/include/sys/phsync.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_PHSYNC_H
2 | #define _PH_PHSYNC_H
3 |
4 | // This header file defines synchronization primitives not included
5 | // in phbase.
6 |
7 | #ifdef __cplusplus
8 | extern "C" {
9 | #endif
10 |
11 | #ifdef __cplusplus
12 | }
13 | #endif
14 |
15 | #endif
16 |
--------------------------------------------------------------------------------
/include/sys/queuedlock.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_QUEUEDLOCK_H
2 | #define _PH_QUEUEDLOCK_H
3 |
4 | #ifdef __cplusplus
5 | extern "C" {
6 | #endif
7 |
// Lock word layout (PH_QUEUED_LOCK.Value). Bit 0 is the owned bit and bit 1 the
// waiters bit; what bits 2-3 and the rest of the word mean depends on Waiters.
#define PH_QUEUED_LOCK_OWNED ((ULONG_PTR)0x1)
#define PH_QUEUED_LOCK_OWNED_SHIFT 0
#define PH_QUEUED_LOCK_WAITERS ((ULONG_PTR)0x2)

// Valid only if Waiters = 0: the bits above the flags hold the shared owner count.
#define PH_QUEUED_LOCK_SHARED_INC ((ULONG_PTR)0x4)
#define PH_QUEUED_LOCK_SHARED_SHIFT 2

// Valid only if Waiters = 1: the bits above the flags hold a wait block pointer
// (see PhGetQueuedLockWaitBlock), which is why the flags must fit in the low
// four bits.
#define PH_QUEUED_LOCK_TRAVERSING ((ULONG_PTR)0x4)
#define PH_QUEUED_LOCK_MULTIPLE_SHARED ((ULONG_PTR)0x8)

// Mask covering all four flag bits.
#define PH_QUEUED_LOCK_FLAGS ((ULONG_PTR)0xf)

// Shared owner count packed in a lock value (meaningful only when Waiters = 0).
#define PhGetQueuedLockSharedOwners(Value) \
((ULONG_PTR)(Value) >> PH_QUEUED_LOCK_SHARED_SHIFT)
// Wait block pointer packed in a lock value: the value with the flag bits
// cleared. The wait block is DECLSPEC_ALIGN(16) so its address has those bits
// free (meaningful only when Waiters = 1).
#define PhGetQueuedLockWaitBlock(Value) \
((PPH_QUEUED_WAIT_BLOCK)((ULONG_PTR)(Value) & ~PH_QUEUED_LOCK_FLAGS))
26 |
/**
 * A queued lock: one pointer-sized word that packs the owned/waiters flags
 * together with either a shared owner count or a wait block pointer (see the
 * PH_QUEUED_LOCK_* definitions above). Initialize with PH_QUEUED_LOCK_INIT or
 * PhInitializeQueuedLock; a zero word is the unowned, no-waiters state.
 */
typedef struct _PH_QUEUED_LOCK
{
    /** The packed lock word; updated with interlocked operations only. */
    ULONG_PTR Value;
} PH_QUEUED_LOCK, *PPH_QUEUED_LOCK;
31 |
32 | #define PH_QUEUED_LOCK_INIT { 0 }
33 |
34 | #define PH_QUEUED_WAITER_EXCLUSIVE 0x1
35 | #define PH_QUEUED_WAITER_SPINNING 0x2
36 | #define PH_QUEUED_WAITER_SPINNING_SHIFT 1
37 |
/**
 * A waiter's entry in a queued lock's wait list. The 16-byte alignment keeps
 * the low four bits of its address clear so a pointer to it can share the lock
 * word with the PH_QUEUED_LOCK_* flag bits (see PhGetQueuedLockWaitBlock).
 */
typedef struct DECLSPEC_ALIGN(16) _PH_QUEUED_WAIT_BLOCK
{
    /** A pointer to the next wait block, i.e. the
     * wait block pushed onto the list before this
     * one.
     */
    struct _PH_QUEUED_WAIT_BLOCK *Next;
    /** A pointer to the previous wait block, i.e. the
     * wait block pushed onto the list after this
     * one.
     */
    struct _PH_QUEUED_WAIT_BLOCK *Previous;
    /** A pointer to the last wait block, i.e. the
     * first waiter pushed onto the list.
     */
    struct _PH_QUEUED_WAIT_BLOCK *Last;

    /** Shared owner count carried by this block; presumably the count saved
     * from the lock word when the waiters bit is set (confirm against the
     * slow-path implementation). */
    ULONG SharedOwners;
    /** Waiter state, a combination of the PH_QUEUED_WAITER_* bits above. */
    ULONG Flags;
} PH_QUEUED_WAIT_BLOCK, *PPH_QUEUED_WAIT_BLOCK;
58 |
59 | BOOLEAN PhQueuedLockInitialization(
60 | VOID
61 | );
62 |
/**
 * Resets a queued lock to the unowned state with no waiters.
 *
 * \param QueuedLock The lock to initialize.
 *
 * \remarks This is a plain (non-interlocked) store, so the lock must not be
 * in use by any other thread while it is being initialized.
 */
FORCEINLINE VOID PhInitializeQueuedLock(
    _Out_ PPH_QUEUED_LOCK QueuedLock
    )
{
    // A zero lock word is the same state PH_QUEUED_LOCK_INIT produces.
    QueuedLock->Value = (ULONG_PTR)0;
}
69 |
70 | PHLIBAPI
71 | VOID
72 | FASTCALL
73 | PhfAcquireQueuedLockExclusive(
74 | _Inout_ PPH_QUEUED_LOCK QueuedLock
75 | );
76 |
77 | PHLIBAPI
78 | VOID
79 | FASTCALL
80 | PhfAcquireQueuedLockShared(
81 | _Inout_ PPH_QUEUED_LOCK QueuedLock
82 | );
83 |
84 | PHLIBAPI
85 | VOID
86 | FASTCALL
87 | PhfReleaseQueuedLockExclusive(
88 | _Inout_ PPH_QUEUED_LOCK QueuedLock
89 | );
90 |
91 | PHLIBAPI
92 | VOID
93 | FASTCALL
94 | PhfReleaseQueuedLockShared(
95 | _Inout_ PPH_QUEUED_LOCK QueuedLock
96 | );
97 |
98 | PHLIBAPI
99 | VOID
100 | FASTCALL
101 | PhfTryWakeQueuedLock(
102 | _Inout_ PPH_QUEUED_LOCK QueuedLock
103 | );
104 |
105 | PHLIBAPI
106 | VOID
107 | FASTCALL
108 | PhfWakeForReleaseQueuedLock(
109 | _Inout_ PPH_QUEUED_LOCK QueuedLock,
110 | _In_ ULONG_PTR Value
111 | );
112 |
113 | #define PhPulseCondition PhfPulseCondition
114 | PHLIBAPI
115 | VOID
116 | FASTCALL
117 | PhfPulseCondition(
118 | _Inout_ PPH_QUEUED_LOCK Condition
119 | );
120 |
121 | #define PhPulseAllCondition PhfPulseAllCondition
122 | PHLIBAPI
123 | VOID
124 | FASTCALL
125 | PhfPulseAllCondition(
126 | _Inout_ PPH_QUEUED_LOCK Condition
127 | );
128 |
129 | #define PhWaitForCondition PhfWaitForCondition
130 | PHLIBAPI
131 | VOID
132 | FASTCALL
133 | PhfWaitForCondition(
134 | _Inout_ PPH_QUEUED_LOCK Condition,
135 | _Inout_ PPH_QUEUED_LOCK Lock,
136 | _In_opt_ PLARGE_INTEGER Timeout
137 | );
138 |
139 | #define PH_CONDITION_WAIT_QUEUED_LOCK 0x1
140 | #define PH_CONDITION_WAIT_CRITICAL_SECTION 0x2
141 | #define PH_CONDITION_WAIT_FAST_LOCK 0x4
142 | #define PH_CONDITION_WAIT_LOCK_TYPE_MASK 0xfff
143 |
144 | #define PH_CONDITION_WAIT_SHARED 0x1000
145 | #define PH_CONDITION_WAIT_SPIN 0x2000
146 |
147 | #define PhWaitForConditionEx PhfWaitForConditionEx
148 | PHLIBAPI
149 | VOID
150 | FASTCALL
151 | PhfWaitForConditionEx(
152 | _Inout_ PPH_QUEUED_LOCK Condition,
153 | _Inout_ PVOID Lock,
154 | _In_ ULONG Flags,
155 | _In_opt_ PLARGE_INTEGER Timeout
156 | );
157 |
158 | #define PhQueueWakeEvent PhfQueueWakeEvent
159 | PHLIBAPI
160 | VOID
161 | FASTCALL
162 | PhfQueueWakeEvent(
163 | _Inout_ PPH_QUEUED_LOCK WakeEvent,
164 | _Out_ PPH_QUEUED_WAIT_BLOCK WaitBlock
165 | );
166 |
167 | PHLIBAPI
168 | VOID
169 | FASTCALL
170 | PhfSetWakeEvent(
171 | _Inout_ PPH_QUEUED_LOCK WakeEvent,
172 | _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock
173 | );
174 |
175 | #define PhWaitForWakeEvent PhfWaitForWakeEvent
176 | PHLIBAPI
177 | NTSTATUS
178 | FASTCALL
179 | PhfWaitForWakeEvent(
180 | _Inout_ PPH_QUEUED_LOCK WakeEvent,
181 | _Inout_ PPH_QUEUED_WAIT_BLOCK WaitBlock,
182 | _In_ BOOLEAN Spin,
183 | _In_opt_ PLARGE_INTEGER Timeout
184 | );
185 |
186 | // Inline functions
187 |
/**
 * Acquires a queued lock in exclusive mode.
 *
 * \param QueuedLock The lock to acquire.
 *
 * \remarks The fast path is a single interlocked test-and-set of the owned
 * bit. If that bit was already set the lock is contended and the out-of-line
 * PhfAcquireQueuedLockExclusive takes over.
 */
_Acquires_exclusive_lock_(*QueuedLock)
FORCEINLINE VOID PhAcquireQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    BOOLEAN wasOwned;

    wasOwned = (BOOLEAN)_InterlockedBitTestAndSetPointer((PLONG_PTR)&QueuedLock->Value, PH_QUEUED_LOCK_OWNED_SHIFT);

    if (!wasOwned)
        return; // Uncontended: the owned bit is now ours.

    // Contended: slow path.
    PhfAcquireQueuedLockExclusive(QueuedLock);
}
199 |
/**
 * Acquires a queued lock in shared mode.
 *
 * \param QueuedLock The lock to acquire.
 *
 * \remarks The fast path only handles a completely free lock (Value == 0),
 * turning it into "owned, one shared owner" with a single compare-exchange.
 * Any other value (owned, or waiters present) goes to the out-of-line
 * PhfAcquireQueuedLockShared, which has to inspect the packed state.
 */
_Acquires_shared_lock_(*QueuedLock)
FORCEINLINE VOID PhAcquireQueuedLockShared(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    ULONG_PTR previous;

    previous = (ULONG_PTR)_InterlockedCompareExchangePointer(
        (PPVOID)&QueuedLock->Value,
        (PVOID)(PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_SHARED_INC),
        (PVOID)0
        );

    if (previous == 0)
        return; // The lock was free and is now shared-owned by us.

    PhfAcquireQueuedLockShared(QueuedLock);
}
214 |
/**
 * Attempts to acquire a queued lock in exclusive mode without waiting.
 *
 * \param QueuedLock The lock to acquire.
 *
 * \return TRUE if the lock was free and is now held exclusively by the
 * caller, FALSE if it was already owned (no wait is performed).
 */
_When_(return != 0, _Acquires_exclusive_lock_(*QueuedLock))
FORCEINLINE BOOLEAN PhTryAcquireQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    // The test-and-set reports the previous owned bit: clear means we just
    // took the lock, set means somebody else holds it.
    return !_InterlockedBitTestAndSetPointer((PLONG_PTR)&QueuedLock->Value, PH_QUEUED_LOCK_OWNED_SHIFT) ? TRUE : FALSE;
}
229 |
/**
 * Releases a queued lock held in exclusive mode.
 *
 * \param QueuedLock The lock to release.
 *
 * \remarks The owned bit is cleared with one interlocked subtraction. A wake
 * is only attempted when waiters exist and the traversing bit is clear;
 * presumably a thread that is already traversing the wait list takes care of
 * waking in the other case.
 */
_Releases_exclusive_lock_(*QueuedLock)
FORCEINLINE VOID PhReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    ULONG_PTR oldValue;
    ULONG_PTR newValue;

    // oldValue is the lock word as it was immediately before the release.
    oldValue = (ULONG_PTR)_InterlockedExchangeAddPointer((PLONG_PTR)&QueuedLock->Value, -(LONG_PTR)PH_QUEUED_LOCK_OWNED);
    newValue = oldValue - PH_QUEUED_LOCK_OWNED;

    if ((oldValue & (PH_QUEUED_LOCK_WAITERS | PH_QUEUED_LOCK_TRAVERSING)) != PH_QUEUED_LOCK_WAITERS)
        return;

    PhfWakeForReleaseQueuedLock(QueuedLock, newValue);
}
244 |
/**
 * Releases a queued lock held in shared mode.
 *
 * \param QueuedLock The lock to release.
 *
 * \remarks The fast path covers the case where the caller is the sole shared
 * owner and there are no waiters: the lock word is then exactly
 * OWNED | SHARED_INC and can drop straight to zero. Anything else is handled
 * by the out-of-line PhfReleaseQueuedLockShared.
 */
_Releases_shared_lock_(*QueuedLock)
FORCEINLINE VOID PhReleaseQueuedLockShared(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    const ULONG_PTR soleOwner = PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_SHARED_INC;
    ULONG_PTR previous;

    previous = (ULONG_PTR)_InterlockedCompareExchangePointer(
        (PPVOID)&QueuedLock->Value,
        (PVOID)0,
        (PVOID)soleOwner
        );

    if (previous == soleOwner)
        return;

    // Other shared owners or waiters exist: let the slow path adjust the state.
    PhfReleaseQueuedLockShared(QueuedLock);
}
263 |
/**
 * If the lock is currently owned, acquires it exclusively and releases it
 * again immediately, i.e. waits for the present owner(s) to let go. Nothing
 * is held on return.
 *
 * \param QueuedLock The lock to wait on.
 *
 * \remarks The ownership check is an unsynchronized snapshot: an owner that
 * appears after the read is not waited for.
 */
FORCEINLINE VOID PhAcquireReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    BOOLEAN isOwned;

    // Barriers on both sides stop the compiler from moving the plain read of
    // the lock word relative to the surrounding code.
    MemoryBarrier();
    isOwned = (QueuedLock->Value & PH_QUEUED_LOCK_OWNED) != 0;
    MemoryBarrier();

    if (!isOwned)
        return;

    PhAcquireQueuedLockExclusive(QueuedLock);
    PhReleaseQueuedLockExclusive(QueuedLock);
}
280 |
/**
 * Non-blocking counterpart of PhAcquireReleaseQueuedLockExclusive: reports
 * whether the lock is currently unowned, without acquiring anything.
 *
 * \param QueuedLock The lock to inspect.
 *
 * \return TRUE if the owned bit was clear at the time of the read, FALSE
 * otherwise. This is a snapshot and may be stale by the time the caller acts
 * on it.
 */
FORCEINLINE BOOLEAN PhTryAcquireReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    BOOLEAN isFree;

    // Two barriers: the read must not be reordered in either direction with
    // respect to the caller's code.
    MemoryBarrier();
    isFree = (QueuedLock->Value & PH_QUEUED_LOCK_OWNED) == 0;
    MemoryBarrier();

    return isFree;
}
296 |
/**
 * Sets a wake event, waking queued waiters, or cancels a specific wait.
 *
 * \param WakeEvent The wake event.
 * \param WaitBlock Optionally, the wait block of a wait being cancelled.
 *
 * \remarks Like a synchronization event, a wake event has no thread-safe
 * pulse, so when nobody is queued (Value == 0) the out-of-line call can be
 * skipped. A non-NULL WaitBlock means a wait is being cancelled and
 * PhfSetWakeEvent must run regardless of the event's state.
 */
FORCEINLINE VOID PhSetWakeEvent(
    _Inout_ PPH_QUEUED_LOCK WakeEvent,
    _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock
    )
{
    if (WakeEvent->Value == 0 && WaitBlock == NULL)
        return;

    PhfSetWakeEvent(WakeEvent, WaitBlock);
}
311 |
312 | #ifdef __cplusplus
313 | }
314 | #endif
315 |
316 | #endif
317 |
--------------------------------------------------------------------------------
/include/sys/ref.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Process Hacker -
3 | * internal object manager
4 | *
5 | * Copyright (C) 2009 wj32
6 | *
7 | * This file is part of Process Hacker.
8 | *
9 | * Process Hacker is free software; you can redistribute it and/or modify
10 | * it under the terms of the GNU General Public License as published by
11 | * the Free Software Foundation, either version 3 of the License, or
12 | * (at your option) any later version.
13 | *
14 | * Process Hacker is distributed in the hope that it will be useful,
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 | * GNU General Public License for more details.
18 | *
19 | * You should have received a copy of the GNU General Public License
20 | * along with Process Hacker. If not, see .
21 | */
22 |
23 | #ifndef _PH_REF_H
24 | #define _PH_REF_H
25 |
26 | #ifdef __cplusplus
27 | extern "C" {
28 | #endif
29 |
30 | // Configuration
31 |
32 | #define PHOBJ_SMALL_OBJECT_SIZE 48
33 | #define PHOBJ_SMALL_OBJECT_COUNT 512
34 |
35 | //#define PHOBJ_STRICT_CHECKS
36 | #define PHOBJ_ALLOCATE_NEVER_NULL
37 |
38 | /* Object flags */
39 | #define PHOBJ_RAISE_ON_FAIL 0x00000001
40 | #define PHOBJ_VALID_FLAGS 0x00000001
41 |
42 | /* Object type flags */
43 | #define PHOBJTYPE_USE_FREE_LIST 0x00000001
44 | #define PHOBJTYPE_VALID_FLAGS 0x00000001
45 |
46 | /* Object type callbacks */
47 |
48 | /**
49 | * The delete procedure for an object type, called when
50 | * an object of the type is being freed.
51 | *
52 | * \param Object A pointer to the object being freed.
53 | * \param Flags Reserved.
54 | */
55 | typedef VOID (NTAPI *PPH_TYPE_DELETE_PROCEDURE)(
56 | _In_ PVOID Object,
57 | _In_ ULONG Flags
58 | );
59 |
60 | struct _PH_OBJECT_TYPE;
61 | typedef struct _PH_OBJECT_TYPE *PPH_OBJECT_TYPE;
62 |
63 | struct _PH_QUEUED_LOCK;
64 | typedef struct _PH_QUEUED_LOCK PH_QUEUED_LOCK, *PPH_QUEUED_LOCK;
65 |
66 | #ifdef DEBUG
67 | typedef VOID (NTAPI *PPH_CREATE_OBJECT_HOOK)(
68 | _In_ PVOID Object,
69 | _In_ SIZE_T Size,
70 | _In_ ULONG Flags,
71 | _In_ PPH_OBJECT_TYPE ObjectType
72 | );
73 | #endif
74 |
75 | #ifndef _PH_REF_PRIVATE
76 | extern PPH_OBJECT_TYPE PhObjectTypeObject;
77 | extern PPH_OBJECT_TYPE PhAllocType;
78 |
79 | #ifdef DEBUG
80 | extern LIST_ENTRY PhDbgObjectListHead;
81 | extern PH_QUEUED_LOCK PhDbgObjectListLock;
82 | extern PPH_CREATE_OBJECT_HOOK PhDbgCreateObjectHook;
83 | #endif
84 | #endif
85 |
/**
 * Optional parameters for PhCreateObjectTypeEx, controlling the per-type free
 * list used when the type is created with PHOBJTYPE_USE_FREE_LIST.
 */
typedef struct _PH_OBJECT_TYPE_PARAMETERS
{
    /** Size of each free list entry (presumably in bytes; confirm against
     * PhCreateObjectTypeEx). */
    SIZE_T FreeListSize;
    /** Maximum number of entries kept on the free list. */
    ULONG FreeListCount;

    // Reserved for future use; presumably expected to be zero.
    UCHAR Reserved1;
    UCHAR Reserved2;
    UCHAR Reserved3;
    UCHAR Reserved4;
    ULONG Reserved5[4];
} PH_OBJECT_TYPE_PARAMETERS, *PPH_OBJECT_TYPE_PARAMETERS;
97 |
/**
 * Information about an object type, filled in by PhGetObjectTypeInformation.
 */
typedef struct _PH_OBJECT_TYPE_INFORMATION
{
    /** The name the type was created with. */
    PWSTR Name;
    /** The number of live objects of this type. */
    ULONG NumberOfObjects;
} PH_OBJECT_TYPE_INFORMATION, *PPH_OBJECT_TYPE_INFORMATION;
103 |
104 | NTSTATUS PhInitializeRef(
105 | VOID
106 | );
107 |
108 | _May_raise_
109 | PHLIBAPI
110 | NTSTATUS
111 | NTAPI
112 | PhCreateObject(
113 | _Out_ PVOID *Object,
114 | _In_ SIZE_T ObjectSize,
115 | _In_ ULONG Flags,
116 | _In_ PPH_OBJECT_TYPE ObjectType
117 | );
118 |
119 | PHLIBAPI
120 | VOID
121 | NTAPI
122 | PhReferenceObject(
123 | _In_ PVOID Object
124 | );
125 |
126 | _May_raise_
127 | PHLIBAPI
128 | LONG
129 | NTAPI
130 | PhReferenceObjectEx(
131 | _In_ PVOID Object,
132 | _In_ LONG RefCount
133 | );
134 |
135 | PHLIBAPI
136 | BOOLEAN
137 | NTAPI
138 | PhReferenceObjectSafe(
139 | _In_ PVOID Object
140 | );
141 |
142 | PHLIBAPI
143 | VOID
144 | NTAPI
145 | PhDereferenceObject(
146 | _In_ PVOID Object
147 | );
148 |
149 | PHLIBAPI
150 | BOOLEAN
151 | NTAPI
152 | PhDereferenceObjectDeferDelete(
153 | _In_ PVOID Object
154 | );
155 |
156 | _May_raise_
157 | PHLIBAPI
158 | LONG
159 | NTAPI
160 | PhDereferenceObjectEx(
161 | _In_ PVOID Object,
162 | _In_ LONG RefCount,
163 | _In_ BOOLEAN DeferDelete
164 | );
165 |
166 | PHLIBAPI
167 | PPH_OBJECT_TYPE
168 | NTAPI
169 | PhGetObjectType(
170 | _In_ PVOID Object
171 | );
172 |
173 | PHLIBAPI
174 | NTSTATUS
175 | NTAPI
176 | PhCreateObjectType(
177 | _Out_ PPH_OBJECT_TYPE *ObjectType,
178 | _In_ PWSTR Name,
179 | _In_ ULONG Flags,
180 | _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure
181 | );
182 |
183 | PHLIBAPI
184 | NTSTATUS
185 | NTAPI
186 | PhCreateObjectTypeEx(
187 | _Out_ PPH_OBJECT_TYPE *ObjectType,
188 | _In_ PWSTR Name,
189 | _In_ ULONG Flags,
190 | _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure,
191 | _In_opt_ PPH_OBJECT_TYPE_PARAMETERS Parameters
192 | );
193 |
194 | PHLIBAPI
195 | VOID
196 | NTAPI
197 | PhGetObjectTypeInformation(
198 | _In_ PPH_OBJECT_TYPE ObjectType,
199 | _Out_ PPH_OBJECT_TYPE_INFORMATION Information
200 | );
201 |
/**
 * Replaces the object held in *ObjectReference with NewObject, taking a
 * reference on the new object and dropping the reference on the old one.
 *
 * \param ObjectReference A pointer to the variable holding the current
 * object; may hold NULL.
 * \param NewObject The object to store, or NULL to clear the reference.
 *
 * \remarks The new object is referenced before the old one is dereferenced,
 * so replacing an object with itself does not dereference it first. The
 * pointer store is not interlocked; callers must serialize concurrent
 * updates of *ObjectReference.
 */
FORCEINLINE VOID PhSwapReference(
    _Inout_ PVOID *ObjectReference,
    _In_opt_ PVOID NewObject
    )
{
    PVOID previous = *ObjectReference;

    *ObjectReference = NewObject;

    if (NewObject != NULL)
        PhReferenceObject(NewObject);

    if (previous != NULL)
        PhDereferenceObject(previous);
}
215 |
/**
 * Replaces the object held in *ObjectReference with NewObject, dropping the
 * reference on the old object. Unlike PhSwapReference, no reference is taken
 * on NewObject: the caller's existing reference (_Assume_refs_(1)) is
 * transferred into *ObjectReference.
 *
 * \param ObjectReference A pointer to the variable holding the current
 * object; may hold NULL.
 * \param NewObject The object to store, or NULL to clear the reference. The
 * caller's reference to it is consumed.
 *
 * \remarks The pointer store is not interlocked; callers must serialize
 * concurrent updates of *ObjectReference.
 */
FORCEINLINE VOID PhSwapReference2(
    _Inout_ PVOID *ObjectReference,
    _In_opt_ _Assume_refs_(1) PVOID NewObject
    )
{
    PVOID previous = *ObjectReference;

    *ObjectReference = NewObject;

    if (previous != NULL)
        PhDereferenceObject(previous);
}
228 |
229 | PHLIBAPI
230 | NTSTATUS
231 | NTAPI
232 | PhCreateAlloc(
233 | _Out_ PVOID *Alloc,
234 | _In_ SIZE_T Size
235 | );
236 |
237 | /** The size of the static array in an auto-release pool. */
238 | #define PH_AUTO_POOL_STATIC_SIZE 64
239 | /** The maximum size of the dynamic array for it to be
240 | * kept after the auto-release pool is drained. */
241 | #define PH_AUTO_POOL_DYNAMIC_BIG_SIZE 256
242 |
/**
 * An auto-dereference pool can be used for
 * semi-automatic reference counting. Batches of
 * objects are dereferenced at a certain time.
 *
 * This object is not thread-safe and cannot
 * be used across thread boundaries. Always
 * store them as local variables.
 *
 * Objects are added with PhaDereferenceObject and released in bulk by
 * PhDrainAutoPool / PhDeleteAutoPool.
 */
typedef struct _PH_AUTO_POOL
{
    /** Number of entries in use in StaticObjects. */
    ULONG StaticCount;
    /** Inline storage used before anything is allocated. */
    PVOID StaticObjects[PH_AUTO_POOL_STATIC_SIZE];

    /** Number of entries in use in DynamicObjects. */
    ULONG DynamicCount;
    /** Capacity of DynamicObjects (presumably in entries; confirm against
     * the implementation). */
    ULONG DynamicAllocated;
    /** Overflow storage used once StaticObjects is full. */
    PVOID *DynamicObjects;

    /** The next pool in the chain; presumably the pool that was current
     * before this one was initialized. */
    struct _PH_AUTO_POOL *NextPool;
} PH_AUTO_POOL, *PPH_AUTO_POOL;
263 |
264 | PHLIBAPI
265 | VOID
266 | NTAPI
267 | PhInitializeAutoPool(
268 | _Out_ PPH_AUTO_POOL AutoPool
269 | );
270 |
271 | _May_raise_
272 | PHLIBAPI
273 | VOID
274 | NTAPI
275 | PhDeleteAutoPool(
276 | _Inout_ PPH_AUTO_POOL AutoPool
277 | );
278 |
279 | _May_raise_
280 | PHLIBAPI
281 | VOID
282 | NTAPI
283 | PhaDereferenceObject(
284 | _In_ PVOID Object
285 | );
286 |
287 | PHLIBAPI
288 | VOID
289 | NTAPI
290 | PhDrainAutoPool(
291 | _In_ PPH_AUTO_POOL AutoPool
292 | );
293 |
/**
 * Calls PhaDereferenceObject() and returns the given object, so the call can
 * be wrapped around an expression that produces a referenced object.
 *
 * \param Object A pointer to an object. The value can be
 * null; in that case no action is performed.
 *
 * \return The value of \a Object.
 */
FORCEINLINE PVOID PHA_DEREFERENCE(
    _In_ PVOID Object
    )
{
    PVOID result = Object;

    if (result != NULL)
    {
        PhaDereferenceObject(result);
    }

    return result;
}
311 |
312 | #ifdef __cplusplus
313 | }
314 | #endif
315 |
316 | #endif
317 |
--------------------------------------------------------------------------------
/include/sys/refp.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Process Hacker -
3 | * internal object manager
4 | *
5 | * Copyright (C) 2009 wj32
6 | *
7 | * This file is part of Process Hacker.
8 | *
9 | * Process Hacker is free software; you can redistribute it and/or modify
10 | * it under the terms of the GNU General Public License as published by
11 | * the Free Software Foundation, either version 3 of the License, or
12 | * (at your option) any later version.
13 | *
14 | * Process Hacker is distributed in the hope that it will be useful,
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 | * GNU General Public License for more details.
18 | *
19 | * You should have received a copy of the GNU General Public License
20 | * along with Process Hacker. If not, see .
21 | */
22 |
23 | #ifndef _PH_REFP_H
24 | #define _PH_REFP_H
25 |
/**
 * Gets a pointer to the object header for an object.
 *
 * \param Object A pointer to an object.
 *
 * \return A pointer to the object header of the object.
 */
#define PhObjectToObjectHeader(Object) ((PPH_OBJECT_HEADER)CONTAINING_RECORD((PCHAR)(Object), PH_OBJECT_HEADER, Body))

/**
 * Gets a pointer to an object from an object header.
 *
 * \param ObjectHeader A pointer to an object header.
 *
 * \return A pointer to an object.
 */
#define PhObjectHeaderToObject(ObjectHeader) ((PVOID)&((PPH_OBJECT_HEADER)(ObjectHeader))->Body)

/**
 * Calculates the total size to allocate for an object.
 *
 * \param Size The size of the object to allocate.
 *
 * \return The new size, including space for the object header.
 *
 * \remarks The addition is unchecked: a Size within the header size of the
 * maximum SIZE_T wraps around and would yield a too-small allocation. Callers
 * must bound Size before using this macro.
 */
#define PhpAddObjectHeaderSize(Size) ((Size) + FIELD_OFFSET(PH_OBJECT_HEADER, Body))
52 |
53 | typedef struct _PH_OBJECT_HEADER *PPH_OBJECT_HEADER;
54 | typedef struct _PH_OBJECT_TYPE *PPH_OBJECT_TYPE;
55 |
56 | /** Reserved. */
57 | #define PHOBJ_LOCK_BIT 0x1
58 | /** The object was allocated from the small free list. */
59 | #define PHOBJ_FROM_SMALL_FREE_LIST 0x2
60 | /** The object was allocated from the type free list. */
61 | #define PHOBJ_FROM_TYPE_FREE_LIST 0x4
62 |
/**
 * The object header contains object manager information
 * including the reference count of an object and its
 * type. It is placed immediately before the object body;
 * PhObjectToObjectHeader / PhObjectHeaderToObject convert
 * between the two. In non-DEBUG builds the field offsets
 * are pinned by the C_ASSERTs below.
 */
typedef struct _PH_OBJECT_HEADER
{
    /** The reference count of the object. */
    LONG RefCount;

    /** Internal flags (PHOBJ_LOCK_BIT, PHOBJ_FROM_*_FREE_LIST). */
    ULONG Flags;

    union
    {
        /** The size of the object, excluding the header. */
        SIZE_T Size;
        /** A pointer to the object header of the next object to free.
         * Shares storage with Size, so Size is presumably no longer valid
         * once the object has been queued for deferred deletion. */
        PPH_OBJECT_HEADER NextToFree;
    };

    /** The type of the object. */
    PPH_OBJECT_TYPE Type;

#ifdef DEBUG
    /** Allocation-time stack trace, debug builds only. */
    PVOID StackBackTrace[16];
    /** Link in the global object list, debug builds only. */
    LIST_ENTRY ObjectListEntry;
#endif

    /** The body of the object. For use by the \ref PhObjectToObjectHeader
     * and \ref PhObjectHeaderToObject macros. */
    QUAD_PTR Body;
} PH_OBJECT_HEADER, *PPH_OBJECT_HEADER;
96 |
97 | #ifndef DEBUG
98 | #ifdef _M_IX86
99 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, RefCount) == 0x0);
100 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, Flags) == 0x4);
101 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, NextToFree) == 0x8);
102 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, Type) == 0xc);
103 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, Body) == 0x10);
104 | #else
105 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, RefCount) == 0x0);
106 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, Flags) == 0x4);
107 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, NextToFree) == 0x8);
108 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, Type) == 0x10);
109 | C_ASSERT(FIELD_OFFSET(PH_OBJECT_HEADER, Body) == 0x20);
110 | #endif
111 | #endif
112 |
/**
 * An object type specifies a kind of object and
 * its delete procedure. Created by PhCreateObjectType /
 * PhCreateObjectTypeEx.
 */
typedef struct _PH_OBJECT_TYPE
{
    /** The flags that were used to create the object type (PHOBJTYPE_*). */
    ULONG Flags;
    /** Reserved. */
    UCHAR Reserved1;
    UCHAR Reserved2;
    UCHAR Reserved3;
    UCHAR Reserved4;
    /** An optional procedure called when objects of this type are freed. */
    PPH_TYPE_DELETE_PROCEDURE DeleteProcedure;
    /** The name of the type. */
    PWSTR Name;
    /** The total number of objects of this type that are alive
     * (reported through PhGetObjectTypeInformation). */
    ULONG NumberOfObjects;
    /** A free list to use when allocating for this type
     * (relevant when PHOBJTYPE_USE_FREE_LIST is set). */
    PH_FREE_LIST FreeList;
} PH_OBJECT_TYPE, *PPH_OBJECT_TYPE;
134 |
/**
 * Increments a reference count, but will never increment
 * from 0 to 1.
 *
 * \param RefCount A pointer to a reference count.
 *
 * \return The value returned by _InterlockedIncrementNoZero (presumably
 * non-zero when the increment took place; confirm against its definition).
 *
 * \remarks A count that has already reached 0 belongs to an object that is
 * being destroyed; refusing to revive it is what presumably backs
 * PhReferenceObjectSafe.
 */
FORCEINLINE BOOLEAN PhpInterlockedIncrementSafe(
    _Inout_ PLONG RefCount
    )
{
    BOOLEAN incremented;

    // One interlocked operation: bump the count unless it is currently 0.
    incremented = _InterlockedIncrementNoZero(RefCount);

    return incremented;
}
150 |
151 | PPH_OBJECT_HEADER PhpAllocateObject(
152 | _In_ PPH_OBJECT_TYPE ObjectType,
153 | _In_ SIZE_T ObjectSize,
154 | _In_ ULONG Flags
155 | );
156 |
157 | VOID PhpFreeObject(
158 | _In_ PPH_OBJECT_HEADER ObjectHeader
159 | );
160 |
161 | VOID PhpDeferDeleteObject(
162 | _In_ PPH_OBJECT_HEADER ObjectHeader
163 | );
164 |
165 | NTSTATUS PhpDeferDeleteObjectRoutine(
166 | _In_ PVOID Parameter
167 | );
168 |
169 | #endif
170 |
--------------------------------------------------------------------------------
/include/sys/seceditp.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_SECEDITP_H
2 | #define _PH_SECEDITP_H
3 |
4 | #include
5 | #include
6 |
/**
 * C implementation of the COM ISecurityInformation interface used by the
 * security editor. Instances are created by PhSecurityInformation_Create and
 * reference counted through PhSecurityInformation_AddRef / _Release.
 */
typedef struct
{
    /** COM vtable pointer. Must stay the first member so a pointer to this
     * struct can be handed out as an ISecurityInformation *. */
    ISecurityInformationVtbl *VTable;

    /** COM reference count. */
    ULONG RefCount;

    /** Name of the object whose security is being edited. */
    PPH_STRING ObjectName;
    /** Callback that reads the object's security descriptor. */
    PPH_GET_OBJECT_SECURITY GetObjectSecurity;
    /** Callback that writes the object's security descriptor. */
    PPH_SET_OBJECT_SECURITY SetObjectSecurity;
    /** Opaque context passed to the callbacks (presumably; confirm against
     * the implementation). */
    PVOID Context;
    /** Access-right table returned from GetAccessRights. */
    PSI_ACCESS AccessEntries;
    /** Number of entries in AccessEntries. */
    ULONG NumberOfAccessEntries;
} PhSecurityInformation;
20 |
21 | ISecurityInformation *PhSecurityInformation_Create(
22 | _In_ PWSTR ObjectName,
23 | _In_ PPH_GET_OBJECT_SECURITY GetObjectSecurity,
24 | _In_ PPH_SET_OBJECT_SECURITY SetObjectSecurity,
25 | _In_opt_ PVOID Context,
26 | _In_ PPH_ACCESS_ENTRY AccessEntries,
27 | _In_ ULONG NumberOfAccessEntries
28 | );
29 |
30 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_QueryInterface(
31 | _In_ ISecurityInformation *This,
32 | _In_ REFIID Riid,
33 | _Out_ PVOID *Object
34 | );
35 |
36 | ULONG STDMETHODCALLTYPE PhSecurityInformation_AddRef(
37 | _In_ ISecurityInformation *This
38 | );
39 |
40 | ULONG STDMETHODCALLTYPE PhSecurityInformation_Release(
41 | _In_ ISecurityInformation *This
42 | );
43 |
44 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetObjectInformation(
45 | _In_ ISecurityInformation *This,
46 | _Out_ PSI_OBJECT_INFO ObjectInfo
47 | );
48 |
49 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetSecurity(
50 | _In_ ISecurityInformation *This,
51 | _In_ SECURITY_INFORMATION RequestedInformation,
52 | _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor,
53 | _In_ BOOL Default
54 | );
55 |
56 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_SetSecurity(
57 | _In_ ISecurityInformation *This,
58 | _In_ SECURITY_INFORMATION SecurityInformation,
59 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
60 | );
61 |
62 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetAccessRights(
63 | _In_ ISecurityInformation *This,
64 | _In_ const GUID *ObjectType,
65 | _In_ ULONG Flags,
66 | _Out_ PSI_ACCESS *Access,
67 | _Out_ PULONG Accesses,
68 | _Out_ PULONG DefaultAccess
69 | );
70 |
71 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_MapGeneric(
72 | _In_ ISecurityInformation *This,
73 | _In_ const GUID *ObjectType,
74 | _In_ PUCHAR AceFlags,
75 | _Inout_ PACCESS_MASK Mask
76 | );
77 |
78 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_GetInheritTypes(
79 | _In_ ISecurityInformation *This,
80 | _Out_ PSI_INHERIT_TYPE *InheritTypes,
81 | _Out_ PULONG InheritTypesCount
82 | );
83 |
84 | HRESULT STDMETHODCALLTYPE PhSecurityInformation_PropertySheetPageCallback(
85 | _In_ ISecurityInformation *This,
86 | _In_ HWND hwnd,
87 | _In_ UINT uMsg,
88 | _In_ SI_PAGE_TYPE uPage
89 | );
90 |
91 | typedef HPROPSHEETPAGE (WINAPI *_CreateSecurityPage)(
92 | _In_ LPSECURITYINFO psi
93 | );
94 |
95 | typedef BOOL (WINAPI *_EditSecurity)(
96 | _In_ HWND hwndOwner,
97 | _In_ LPSECURITYINFO psi
98 | );
99 |
100 | #endif
101 |
--------------------------------------------------------------------------------
/include/sys/sha.h:
--------------------------------------------------------------------------------
1 | #ifndef _SHA_H
2 | #define _SHA_H
3 |
/**
 * SHA-1 hashing context for A_SHAInit / A_SHAUpdate / A_SHAFinal: a 20-byte
 * digest, five 32-bit state words and a 64-byte block buffer. SHA-1 is not
 * collision resistant; use it only where a consumer specifically requires it.
 */
typedef struct
{
    ULONG flag;
    /** The finished 20-byte digest. */
    UCHAR hash[20];
    /** The five working state words. */
    ULONG state[5];
    /** Message length counter (two 32-bit words). */
    ULONG count[2];
    /** Partial input block not yet compressed. */
    UCHAR buffer[64];
} A_SHA_CTX;
12 |
13 | VOID A_SHAInit(
14 | _Out_ A_SHA_CTX *Context
15 | );
16 |
17 | VOID A_SHAUpdate(
18 | _Inout_ A_SHA_CTX *Context,
19 | _In_reads_bytes_(Length) UCHAR *Input,
20 | _In_ ULONG Length
21 | );
22 |
23 | VOID A_SHAFinal(
24 | _Inout_ A_SHA_CTX *Context,
25 | _Out_writes_bytes_(20) UCHAR *Hash
26 | );
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/include/sys/symprv.h:
--------------------------------------------------------------------------------
1 | #ifndef _PH_SYMPRV_H
2 | #define _PH_SYMPRV_H
3 |
4 | #include
5 |
6 | typedef BOOL (WINAPI *_SymInitialize)(
7 | _In_ HANDLE hProcess,
8 | _In_opt_ PCSTR UserSearchPath,
9 | _In_ BOOL fInvadeProcess
10 | );
11 |
12 | typedef BOOL (WINAPI *_SymCleanup)(
13 | _In_ HANDLE hProcess
14 | );
15 |
16 | typedef BOOL (WINAPI *_SymEnumSymbols)(
17 | _In_ HANDLE hProcess,
18 | _In_ ULONG64 BaseOfDll,
19 | _In_opt_ PCSTR Mask,
20 | _In_ PSYM_ENUMERATESYMBOLS_CALLBACK EnumSymbolsCallback,
21 | _In_opt_ const PVOID UserContext
22 | );
23 |
24 | typedef BOOL (WINAPI *_SymEnumSymbolsW)(
25 | _In_ HANDLE hProcess,
26 | _In_ ULONG64 BaseOfDll,
27 | _In_opt_ PCWSTR Mask,
28 | _In_ PSYM_ENUMERATESYMBOLS_CALLBACKW EnumSymbolsCallback,
29 | _In_opt_ const PVOID UserContext
30 | );
31 |
32 | typedef BOOL (WINAPI *_SymFromAddr)(
33 | _In_ HANDLE hProcess,
34 | _In_ DWORD64 Address,
35 | _Out_opt_ PDWORD64 Displacement,
36 | _Inout_ PSYMBOL_INFO Symbol
37 | );
38 |
39 | typedef BOOL (WINAPI *_SymFromAddrW)(
40 | _In_ HANDLE hProcess,
41 | _In_ DWORD64 Address,
42 | _Out_opt_ PDWORD64 Displacement,
43 | _Inout_ PSYMBOL_INFOW Symbol
44 | );
45 |
46 | typedef BOOL (WINAPI *_SymFromName)(
47 | _In_ HANDLE hProcess,
48 | _In_ PCSTR Name,
49 | _Inout_ PSYMBOL_INFO Symbol
50 | );
51 |
52 | typedef BOOL (WINAPI *_SymFromNameW)(
53 | _In_ HANDLE hProcess,
54 | _In_ PCWSTR Name,
55 | _Inout_ PSYMBOL_INFOW Symbol
56 | );
57 |
58 | typedef BOOL (WINAPI *_SymGetLineFromAddr64)(
59 | _In_ HANDLE hProcess,
60 | _In_ DWORD64 dwAddr,
61 | _Out_ PDWORD pdwDisplacement,
62 | _Out_ PIMAGEHLP_LINE64 Line
63 | );
64 |
65 | typedef BOOL (WINAPI *_SymGetLineFromAddrW64)(
66 | _In_ HANDLE hProcess,
67 | _In_ DWORD64 dwAddr,
68 | _Out_ PDWORD pdwDisplacement,
69 | _Out_ PIMAGEHLP_LINEW64 Line
70 | );
71 |
72 | typedef DWORD64 (WINAPI *_SymLoadModule64)(
73 | _In_ HANDLE hProcess,
74 | _In_opt_ HANDLE hFile,
75 | _In_opt_ PCSTR ImageName,
76 | _In_opt_ PCSTR ModuleName,
77 | _In_ DWORD64 BaseOfDll,
78 | _In_ DWORD SizeOfDll
79 | );
80 |
81 | typedef DWORD (WINAPI *_SymGetOptions)();
82 |
83 | typedef DWORD (WINAPI *_SymSetOptions)(
84 | _In_ DWORD SymOptions
85 | );
86 |
87 | typedef BOOL (WINAPI *_SymGetSearchPath)(
88 | _In_ HANDLE hProcess,
89 | _Out_ PSTR SearchPath,
90 | _In_ DWORD SearchPathLength
91 | );
92 |
93 | typedef BOOL (WINAPI *_SymGetSearchPathW)(
94 | _In_ HANDLE hProcess,
95 | _Out_ PWSTR SearchPath,
96 | _In_ DWORD SearchPathLength
97 | );
98 |
99 | typedef BOOL (WINAPI *_SymSetSearchPath)(
100 | _In_ HANDLE hProcess,
101 | _In_opt_ PCSTR SearchPath
102 | );
103 |
104 | typedef BOOL (WINAPI *_SymSetSearchPathW)(
105 | _In_ HANDLE hProcess,
106 | _In_opt_ PCWSTR SearchPath
107 | );
108 |
109 | typedef BOOL (WINAPI *_SymUnloadModule64)(
110 | _In_ HANDLE hProcess,
111 | _In_ DWORD64 BaseOfDll
112 | );
113 |
114 | typedef PVOID (WINAPI *_SymFunctionTableAccess64)(
115 | _In_ HANDLE hProcess,
116 | _In_ DWORD64 AddrBase
117 | );
118 |
119 | typedef DWORD64 (WINAPI *_SymGetModuleBase64)(
120 | _In_ HANDLE hProcess,
121 | _In_ DWORD64 dwAddr
122 | );
123 |
124 | typedef BOOL (WINAPI *_SymRegisterCallbackW64)(
125 | _In_ HANDLE hProcess,
126 | _In_ PSYMBOL_REGISTERED_CALLBACK64 CallbackFunction,
127 | _In_ ULONG64 UserContext
128 | );
129 |
130 | typedef BOOL (WINAPI *_StackWalk64)(
131 | _In_ DWORD MachineType,
132 | _In_ HANDLE hProcess,
133 | _In_ HANDLE hThread,
134 | _Inout_ LPSTACKFRAME64 StackFrame,
135 | _Inout_ PVOID ContextRecord,
136 | _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
137 | _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
138 | _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine,
139 | _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress
140 | );
141 |
// Prototype of dbghelp!MiniDumpWriteDump, kept as a function-pointer type so
// the export can be resolved at run time rather than import-linked.
typedef BOOL (WINAPI *_MiniDumpWriteDump)(
    _In_ HANDLE hProcess,
    _In_ DWORD ProcessId,
    _In_ HANDLE hFile,
    _In_ MINIDUMP_TYPE DumpType,
    _In_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
    _In_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
    _In_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam
    );

// Prototypes of symsrv!SymbolServerGetOptions / SymbolServerSetOptions
// (symbol server option bits; `data` is the value for options that take one).
typedef UINT_PTR (CALLBACK *_SymbolServerGetOptions)();

typedef BOOL (CALLBACK *_SymbolServerSetOptions)(
    _In_ UINT_PTR options,
    _In_ ULONG64 data
    );

#ifdef _M_X64
// Looks up the RUNTIME_FUNCTION (unwind) entry covering ControlPc in the
// process identified by ProcessHandle and copies it to *Function.
// Compiled for x64 only.
NTSTATUS PhAccessOutOfProcessFunctionEntry(
    _In_ HANDLE ProcessHandle,
    _In_ ULONG64 ControlPc,
    _Out_ PRUNTIME_FUNCTION Function
    );
#endif

// Stack-walk callbacks. Both are __stdcall so that they match the
// PGET_MODULE_BASE_ROUTINE64 / PFUNCTION_TABLE_ACCESS_ROUTINE64 callback types
// accepted by PhStackWalk below.
ULONG64 __stdcall PhGetModuleBase64(
    _In_ HANDLE hProcess,
    _In_ DWORD64 dwAddr
    );

PVOID __stdcall PhFunctionTableAccess64(
    _In_ HANDLE hProcess,
    _In_ DWORD64 AddrBase
    );

// Walks one frame of ThreadHandle's stack. The parameter list is that of
// dbghelp's StackWalk64: StackFrame and ContextRecord are updated in place and
// the four routines are optional. Presumably returns FALSE once no further
// frame can be produced -- confirm in the implementation.
PHLIBAPI
BOOLEAN
NTAPI
PhStackWalk(
    _In_ ULONG MachineType,
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ThreadHandle,
    _Inout_ STACKFRAME64 *StackFrame,
    _Inout_ PVOID ContextRecord,
    _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
    _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
    _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine,
    _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress
    );

// Writes a minidump of the process behind ProcessHandle to FileHandle.
// ProcessId is a HANDLE here (NT convention) while the dbghelp prototype above
// takes a DWORD, so the implementation has to convert; likewise the three
// parameter blocks are optional here although dbghelp marks them _In_.
// The dump contains memory of the target process, so treat the output file as
// sensitive and open ProcessHandle with only the access the dump type needs.
PHLIBAPI
BOOLEAN
NTAPI
PhWriteMiniDumpProcess(
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ProcessId,
    _In_ HANDLE FileHandle,
    _In_ MINIDUMP_TYPE DumpType,
    _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
    _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
    _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam
    );

#ifndef _PH_SYMPRV_PRIVATE
// PH_CALLBACK presumably invoked when the symbol provider initializes -- verify.
extern PH_CALLBACK PhSymInitCallback;
// NOTE(review): looks like the base of a dbghelp module to prefer over the
// default one; confirm against the implementation before relying on it.
extern PVOID PhSymPreferredDbgHelpBase;
#endif

#endif
211 |
--------------------------------------------------------------------------------
/include/sys/templ.h:
--------------------------------------------------------------------------------
#ifndef _PH_TEMPL_H
#define _PH_TEMPL_H

// Builds an identifier of the form f_T, e.g. T___(insert, int) -> insert_int.
// TEMPLATE_ does the token pasting; T___ is the extra level of indirection
// needed so that f and T are macro-expanded before they are pasted (## does
// not expand its operands).
#define TEMPLATE_(f,T) f##_##T
#define T___(f,T) TEMPLATE_(f,T)

#endif
8 |
--------------------------------------------------------------------------------
/include/sys/verify.h:
--------------------------------------------------------------------------------
#ifndef _PH_VERIFY_H
#define _PH_VERIFY_H

// NOTE(review): the include targets were lost in this listing; VERIFY_RESULT,
// PCERT_CONTEXT and PPH_STRING come from them.
#include
#include

// Default cap on the size of a file that is hashed for the verification
// (32 MiB); see FileSizeLimitForHash below.
#define PH_VERIFY_DEFAULT_SIZE_LIMIT (32 * 1024 * 1024)

// PH_VERIFY_FILE_INFO.Flags
#define PH_VERIFY_PREVENT_NETWORK_ACCESS 0x1 // verification must not go to the network
#define PH_VERIFY_VIEW_PROPERTIES 0x2 // show the signature UI, owned by hWnd

// Input to PhVerifyFileEx.
typedef struct _PH_VERIFY_FILE_INFO
{
    PWSTR FileName; // path of the file to verify
    ULONG Flags; // PH_VERIFY_*

    // The field is ULONG, so "-1" means (ULONG)-1, i.e. ULONG_MAX.
    ULONG FileSizeLimitForHash; // 0 for PH_VERIFY_DEFAULT_SIZE_LIMIT, -1 for unlimited
    ULONG NumberOfCatalogFileNames; // entries in CatalogFileNames
    PWSTR *CatalogFileNames; // catalog files to consult for the file's hash (presumably in addition to the system catalogs -- verify)

    HWND hWnd; // for PH_VERIFY_VIEW_PROPERTIES
} PH_VERIFY_FILE_INFO, *PPH_VERIFY_FILE_INFO;

// Verifies the signature of Information->FileName (embedded or catalog-based).
// *VerifyResult receives the trust decision; when Signatures and
// NumberOfSignatures are supplied they receive the signer certificate
// contexts, which the caller releases with PhFreeVerifySignatures.
// The NTSTATUS says whether the verification could be carried out at all;
// a failing status must be treated as "not verified", never as "trusted".
NTSTATUS PhVerifyFileEx(
    _In_ PPH_VERIFY_FILE_INFO Information,
    _Out_ VERIFY_RESULT *VerifyResult,
    _Out_opt_ PCERT_CONTEXT **Signatures,
    _Out_opt_ PULONG NumberOfSignatures
    );

// Releases the array (and the NumberOfSignatures contexts in it) returned by
// PhVerifyFileEx.
VOID PhFreeVerifySignatures(
    _In_ PCERT_CONTEXT *Signatures,
    _In_ ULONG NumberOfSignatures
    );

// Returns the signer (subject) name of Certificate as a new string; the
// caller owns the returned PPH_STRING reference.
PPH_STRING PhGetSignerNameFromCertificate(
    _In_ PCERT_CONTEXT Certificate
    );

#endif
41 |
--------------------------------------------------------------------------------
/include/sys/verifyp.h:
--------------------------------------------------------------------------------
#ifndef _PH_VERIFYP_H
#define _PH_VERIFYP_H

// Private declarations for the signature verification module: local copies of
// two SDK structures plus function-pointer types for the wintrust / crypt32 /
// cryptui routines that the implementation calls through pointers (presumably
// resolved at run time so those DLLs are not hard-linked -- confirm in the
// implementation).

// Local copy of mscat.h CATALOG_INFO. cbStruct is set to sizeof(CATALOG_INFO)
// before the structure is passed to _CryptCATCatalogInfoFromContext.
typedef struct _CATALOG_INFO
{
    DWORD cbStruct;
    WCHAR wszCatalogFile[MAX_PATH]; // full path of the catalog file
} CATALOG_INFO, *PCATALOG_INFO;

// Local copy of cryptuiapi.h CRYPTUI_VIEWSIGNERINFO_STRUCT, the input to
// _CryptUIDlgViewSignerInfo. dwSize is sizeof(CRYPTUI_VIEWSIGNERINFO_STRUCT).
typedef struct tagCRYPTUI_VIEWSIGNERINFO_STRUCT {
    DWORD dwSize;
    HWND hwndParent; // owner window of the dialog, may be NULL
    DWORD dwFlags;
    LPCTSTR szTitle; // dialog title, NULL for the default
    CMSG_SIGNER_INFO *pSignerInfo; // the signer to display
    HCRYPTMSG hMsg; // message the signer belongs to
    LPCSTR pszOID;
    DWORD_PTR dwReserved;
    DWORD cStores; // entries in rghStores
    HCERTSTORE *rghStores; // extra stores used when building the chain
    DWORD cPropSheetPages; // entries in rgPropSheetPages
    LPCPROPSHEETPAGE rgPropSheetPages; // extra pages added to the dialog
} CRYPTUI_VIEWSIGNERINFO_STRUCT, *PCRYPTUI_VIEWSIGNERINFO_STRUCT;

// Catalog administration (wintrust.dll). The catalog path verifies a file that
// carries no embedded signature: hash the file, then look the hash up in the
// catalogs.

// Computes the catalog hash of the open file hFile. Call with pbHash NULL to
// receive the required size in *pcbHash. The algorithm is chosen by the
// system (historically SHA-1); the ...2 form below lets the caller pick one.
typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle)(
    HANDLE hFile,
    DWORD *pcbHash,
    BYTE *pbHash,
    DWORD dwFlags
    );

// Windows 8+ form: hashes with the algorithm hCatAdmin was acquired with
// (see _CryptCATAdminAcquireContext2).
typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle2)(
    HCATADMIN hCatAdmin,
    HANDLE hFile,
    DWORD *pcbHash,
    BYTE *pbHash,
    DWORD dwFlags
    );

// Acquires a catalog administrator context for subsystem pgSubsystem (NULL for
// the default). Release it with _CryptCATAdminReleaseContext.
typedef BOOL (WINAPI *_CryptCATAdminAcquireContext)(
    HANDLE *phCatAdmin,
    GUID *pgSubsystem,
    DWORD dwFlags
    );

// Windows 8+ form that also selects the hash algorithm (pwszHashAlgorithm, a
// BCrypt algorithm name, NULL for the default) and an optional strong
// signature policy.
typedef BOOL (WINAPI *_CryptCATAdminAcquireContext2)(
    HCATADMIN *phCatAdmin,
    const GUID *pgSubsystem,
    PCWSTR pwszHashAlgorithm,
    PCCERT_STRONG_SIGN_PARA pStrongHashPolicy,
    DWORD dwFlags
    );

// Finds the next catalog containing hash pbHash. *phPrevCatInfo carries the
// previous result to continue an enumeration (NULL to start). Returns NULL
// when there is no (further) match; a non-NULL result is released with
// _CryptCATAdminReleaseCatalogContext.
typedef HANDLE (WINAPI *_CryptCATAdminEnumCatalogFromHash)(
    HANDLE hCatAdmin,
    BYTE *pbHash,
    DWORD cbHash,
    DWORD dwFlags,
    HANDLE *phPrevCatInfo
    );

// Fills psCatInfo (cbStruct set by the caller) with the path of the catalog
// behind hCatInfo.
typedef BOOL (WINAPI *_CryptCATCatalogInfoFromContext)(
    HANDLE hCatInfo,
    CATALOG_INFO *psCatInfo,
    DWORD dwFlags
    );

// Release routines for the handles obtained above.
typedef BOOL (WINAPI *_CryptCATAdminReleaseCatalogContext)(
    HANDLE hCatAdmin,
    HANDLE hCatInfo,
    DWORD dwFlags
    );

typedef BOOL (WINAPI *_CryptCATAdminReleaseContext)(
    HANDLE hCatAdmin,
    DWORD dwFlags
    );

// WinTrust helpers: after a _WinVerifyTrust call that kept its state,
// hStateData gives access to the provider data and from there to the signer
// chains -- presumably where the certificates returned as Signatures by
// PhVerifyFileEx come from.
typedef PCRYPT_PROVIDER_DATA (WINAPI *_WTHelperProvDataFromStateData)(
    HANDLE hStateData
    );

// Returns signer idxSigner of pProvData, or counter-signer idxCounterSigner of
// that signer when fCounterSigner is TRUE; NULL when the index is out of range.
typedef PCRYPT_PROVIDER_SGNR (WINAPI *_WTHelperGetProvSignerFromChain)(
    CRYPT_PROVIDER_DATA *pProvData,
    DWORD idxSigner,
    BOOL fCounterSigner,
    DWORD idxCounterSigner
    );

// Performs a trust verification: pgActionID selects the policy provider and
// pWVTData points at a WINTRUST_DATA. Returns 0 when trusted, otherwise a
// TRUST_E_* / CERT_E_* error code. The decision is only in the return value,
// so callers must check it explicitly.
typedef LONG (WINAPI *_WinVerifyTrust)(
    HWND hWnd,
    GUID *pgActionID,
    LPVOID pWVTData
    );

// Converts a certificate name blob to a string in the format dwStrType. Call
// with psz NULL to get the required character count including the terminator.
// NOTE(review): LPTSTR suggests the A/W export follows the UNICODE setting --
// confirm which name the implementation resolves.
typedef DWORD (WINAPI *_CertNameToStr)(
    DWORD dwCertEncodingType,
    PCERT_NAME_BLOB pName,
    DWORD dwStrType,
    LPTSTR psz,
    DWORD csz
    );

// Reference counting for certificate contexts: Duplicate adds a reference,
// Free drops one (and frees the context when it was the last).
typedef PCCERT_CONTEXT (WINAPI *_CertDuplicateCertificateContext)(
    _In_ PCCERT_CONTEXT pCertContext
    );

typedef BOOL (WINAPI *_CertFreeCertificateContext)(
    _In_ PCCERT_CONTEXT pCertContext
    );

// Shows the signer information dialog described by pcvsi (cryptui.dll);
// presumably what PH_VERIFY_VIEW_PROPERTIES uses.
typedef BOOL (WINAPI *_CryptUIDlgViewSignerInfo)(
    _In_ CRYPTUI_VIEWSIGNERINFO_STRUCT *pcvsi
    );

#endif
117 |
--------------------------------------------------------------------------------
/include/sys/winmisc.h:
--------------------------------------------------------------------------------
#ifndef _WINMISC_H
#define _WINMISC_H

// Tag information
//
// Structures for the service tag query interface. Everything between
// begin_private and end_private mirrors private SDK definitions; the items
// marked "rev" were reverse-engineered.

// begin_private

// Selects which TAG_INFO_* structure PQUERY_TAG_INFORMATION's Data points at.
typedef enum _TAG_INFO_LEVEL
{
    eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG
    eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE
    eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING
    eTagInfoLevelMax
} TAG_INFO_LEVEL;

// Kind of entity a tag names; only services are defined.
typedef enum _TAG_TYPE
{
    eTagTypeService = 1,
    eTagTypeMax
} TAG_TYPE;

// Query: the name of tag dwTag within process dwPid.
typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS
{
    ULONG dwPid;
    ULONG dwTag;
} TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS;

typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS
{
    ULONG eTagType; // TAG_TYPE
    PWSTR pszName;
} TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS;

// rev
typedef struct _TAG_INFO_NAME_FROM_TAG
{
    TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams;
    TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams;
} TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG;

// Query: the names of the tags in process dwPid that reference module pszModule.
typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS
{
    ULONG dwPid;
    PWSTR pszModule;
} TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS;

typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS
{
    ULONG eTagType; // TAG_TYPE
    PWSTR pmszNames; // "pmsz": presumably a multi-string (double NUL terminated) -- verify
} TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS;

// rev
typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE
{
    TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams;
    TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams;
} TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE;

// One entry of the tag -> name mapping of a process.
typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT
{
    ULONG eTagType; // TAG_TYPE
    ULONG dwTag;
    PWSTR pszName;
    PWSTR pszGroupName;
} TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT;

// Query: every tag of process dwPid.
typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS
{
    ULONG dwPid;
} TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS;

typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS
{
    ULONG cElements; // entries in pNameTagMappingElements
    PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements;
} TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS;

// Unlike the other two levels, the output block is reached through a pointer.
typedef struct _TAG_INFO_NAME_TAG_MAPPING
{
    TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams;
    PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams;
} TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING;

// end_private

// rev
// Signature of the tag query routine (presumably advapi32's undocumented
// I_QueryTagInformation -- confirm where it is resolved). Data points at the
// TAG_INFO_* structure selected by InfoLevel: the caller fills InParams and
// the callee fills OutParams. Who frees the returned strings and element
// arrays is not stated here -- verify against the caller.
typedef ULONG (WINAPI *PQUERY_TAG_INFORMATION)(
    _In_ PCWSTR Reserved, // ?
    _In_ TAG_INFO_LEVEL InfoLevel,
    _Inout_ PVOID Data
    );

#endif
95 |
--------------------------------------------------------------------------------
/include/umkcfapi.h:
--------------------------------------------------------------------------------
#ifndef _UMKCFAPI_H
#define _UMKCFAPI_H

// This file contains UMKCF definitions shared across
// kernel-mode and user-mode.

// Device naming; KCF_DEVICE_NAME is the NT object path of the control device.
#define KCF_DEVICE_SHORT_NAME L"UMKCF"
#define KCF_DEVICE_TYPE 0x9999
#define KCF_DEVICE_NAME (L"\\Device\\" KCF_DEVICE_SHORT_NAME)
#define KCF_VERSION 1 // reported by KCF_QUERYVERSION; bump when the shared layouts below change

// Parameters

// Who may open the device and take part in the callback protocol. With
// KcfSecurityNone every user-mode process can attach, receive the callback
// stream and supply return data for it (see KCF_CALLBACK_RETURN_DATA), so a
// production deployment should not ship that level. Presumably enforced by
// the driver on device open -- verify in devctrl.c.
typedef enum _KCF_SECURITY_LEVEL
{
    KcfSecurityNone = 0, // all clients are allowed
    KcfSecurityPrivilegeCheck = 1, // require SeDebugPrivilege
    KcfMaxSecurityLevel
} KCF_SECURITY_LEVEL, *PKCF_SECURITY_LEVEL;

// Callbacks

// Identifies one pending callback between KcfRemoveCallback and KcfReturnCallback.
typedef ULONG KCF_CALLBACK_ID, *PKCF_CALLBACK_ID;

// Categories
#define KCF_CATEGORY_ALL 0
#define KCF_CATEGORY_SPECIAL 1
#define KCF_CATEGORY_PROCESS 2
#define KCF_CATEGORY_OBJECT 3
#define KCF_CATEGORY_REGISTRY 4
#define KCF_CATEGORY_FILE 5
#define KCF_CATEGORY_MAXIMUM 6

// Process
// Event numbers are relative to their category: check KCF_EVENT_ID.Category
// before interpreting Event.
#define KCF_PROCESS_EVENT_PROCESS_CREATE 0
#define KCF_PROCESS_EVENT_PROCESS_EXIT 1
#define KCF_PROCESS_EVENT_THREAD_CREATE 2
#define KCF_PROCESS_EVENT_THREAD_EXIT 3
#define KCF_PROCESS_EVENT_IMAGE_LOAD 4

// (Category, Event) pair, also viewable as one ULONG. The Value view puts
// Category in the low 16 bits and Event in the high 16 bits on little-endian
// targets, which is what KCF_MAKE_EVENT_ID_VALUE assumes.
typedef struct _KCF_EVENT_ID
{
    union
    {
        struct
        {
            USHORT Category; // KCF_CATEGORY_*
            USHORT Event; // KCF_*_EVENT_*
        };
        ULONG Value;
    };
} KCF_EVENT_ID, *PKCF_EVENT_ID;

// Builds the Value form of a KCF_EVENT_ID as a constant expression.
#define KCF_MAKE_EVENT_ID_VALUE(Category, Event) ((ULONG)(USHORT)(Category) + ((ULONG)(USHORT)(Event) << 16))
// Packs a category and an event number into a KCF_EVENT_ID. Writing the ULONG
// view with KCF_MAKE_EVENT_ID_VALUE is the same as storing the two USHORT
// halves individually, given the little-endian layout the union relies on.
FORCEINLINE KCF_EVENT_ID KcfMakeEventId(
    __in USHORT Category,
    __in USHORT Event
    )
{
    KCF_EVENT_ID id;

    id.Value = KCF_MAKE_EVENT_ID_VALUE(Category, Event);

    return id;
}
68 |
// TRUE when both identifiers carry the same category and event number; the
// comparison goes through the ULONG view of the union, so it is one compare.
FORCEINLINE BOOLEAN KcfEqualEventId(
    __in KCF_EVENT_ID EventId1,
    __in KCF_EVENT_ID EventId2
    )
{
    if (EventId1.Value != EventId2.Value)
        return FALSE;

    return TRUE;
}
76 |
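// One callback record as delivered to a client by KcfRemoveCallback. EventId
// selects which member of Parameters is meaningful; ClientId and TimeStamp say
// which thread triggered the event and when.
typedef struct _KCF_CALLBACK_DATA
{
    KCF_EVENT_ID EventId;
    CLIENT_ID ClientId; // ID of source thread
    LARGE_INTEGER TimeStamp;

    union
    {
        // KCF_PROCESS_EVENT_PROCESS_CREATE
        struct
        {
            HANDLE ProcessId;
            HANDLE ParentProcessId;
            CLIENT_ID CreatingThreadId;
            // NOTE(review): UNICODE_STRING members carry a Buffer pointer; how
            // those buffers are made readable by the user-mode client is not
            // visible in this header -- see the client library.
            UNICODE_STRING ImageFileName;
            UNICODE_STRING CommandLine;
            BOOLEAN FileOpenNameAvailable;
        } ProcessCreate;
        // KCF_PROCESS_EVENT_PROCESS_EXIT
        struct
        {
            HANDLE ProcessId;
        } ProcessExit;
        // KCF_PROCESS_EVENT_THREAD_CREATE and KCF_PROCESS_EVENT_THREAD_EXIT
        struct
        {
            CLIENT_ID ThreadId;
        } ThreadCreateExit;
        // KCF_PROCESS_EVENT_IMAGE_LOAD. Properties and the bit-fields are two
        // views of the same ULONG and the union ends there. Previously the
        // union also enclosed ImageBase, ImageSelector, ImageSize and
        // ImageSectionNumber, so all of them overlapped Properties and only
        // the last one written survived. This changes the layout shared by
        // driver and client: rebuild both, and consider bumping KCF_VERSION.
        struct
        {
            UNICODE_STRING FullImageName;
            HANDLE ProcessId;
            union
            {
                ULONG Properties;
                struct
                {
                    ULONG ImageAddressingMode : 8; // code addressing mode
                    ULONG SystemModeImage : 1; // system mode image
                    ULONG ImageMappedToAllPids : 1; // mapped in all processes
                    ULONG Reserved : 22;
                };
            };
            PVOID ImageBase;
            ULONG ImageSelector;
            ULONG ImageSize;
            ULONG ImageSectionNumber;
        } ImageLoad;
    } Parameters;
} KCF_CALLBACK_DATA, *PKCF_CALLBACK_DATA;

// What a client hands back with KcfReturnCallback. EventId must match the
// record being returned; Parameters carries the per-event answer.
typedef struct _KCF_CALLBACK_RETURN_DATA
{
    KCF_EVENT_ID EventId;

    union
    {
        struct
        {
            // Status the creation completes with; a failure status denies it
            // (STATUS_SUCCESS / zero lets it proceed).
            NTSTATUS CreationStatus;
        } ProcessCreate;
    } Parameters;
} KCF_CALLBACK_RETURN_DATA, *PKCF_CALLBACK_RETURN_DATA;

// Filtering

#define KCF_MAXIMUM_FILTERS 100 // upper bound on NumberOfFilters for KcfSetFilters
#define KCF_EVENT_MASK_ALL (0xffffffffffffffffull) // one bit per event number of a category

// Whether a matching filter admits or drops an event.
typedef enum _KCF_FILTER_TYPE
{
    FilterInclude,
    FilterExclude,
    FilterTypeMaximum
} KCF_FILTER_TYPE;

// Which attribute of the event a filter compares; the letter in the comment
// gives the KCF_DATA_TYPE the filter's DataItem must use (i: integer, s: string).
typedef enum _KCF_FILTER_KEY
{
    FilterKeyNone,
    FilterKeyProcessId, // i: source process ID
    FilterKeyProcessName, // s: source process name
    FilterKeyProcessFileName, // s: source process file name
    FilterKeyPath, // s: file name or registry path
    FilterKeyMaximum
} KCF_FILTER_KEY;

// How the attribute is compared with DataItem.
typedef enum _KCF_FILTER_MODE
{
    FilterModeEquals,
    FilterModeContains,
    FilterModeStartsWith,
    FilterModeEndsWith,
    FilterModeGreaterThan,
    FilterModeLessThan,
    FilterModeMaximum
} KCF_FILTER_MODE;

typedef enum _KCF_DATA_TYPE
{
    DataTypeInvalid,
    DataTypeString, // UNICODE_STRING
    DataTypeInteger, // ULONGLONG
    DataTypeMaximum
} KCF_DATA_TYPE;

// Filter operand. For DataTypeString, u.String.Buffer is a pointer supplied by
// the client; with the METHOD_NEITHER control codes below the driver must
// probe and capture it itself (the I/O manager does not).
typedef struct _KCF_DATA_ITEM
{
    KCF_DATA_TYPE Type;
    union
    {
        UNICODE_STRING String;
        ULONGLONG Integer;
    } u;
} KCF_DATA_ITEM, *PKCF_DATA_ITEM;

// One filter as passed to KcfSetFilters. Category / EventMask select the
// events it applies to (KCF_CATEGORY_ALL and KCF_EVENT_MASK_ALL for all);
// Key / Mode / DataItem give the condition (Key == FilterKeyNone: unconditional).
typedef struct _KCF_FILTER_DATA
{
    KCF_FILTER_TYPE Type;
    USHORT Category;
    USHORT Reserved; // pads Category to 32 bits; set to 0
    ULONGLONG EventMask;

    KCF_FILTER_KEY Key;
    KCF_FILTER_MODE Mode;
    KCF_DATA_ITEM DataItem;
} KCF_FILTER_DATA, *PKCF_FILTER_DATA;

// Control codes
//
// METHOD_NEITHER: the I/O manager neither validates nor copies the input and
// output buffers, so the driver has to probe every user pointer (including the
// ones embedded in KCF_FILTER_DATA) under its own exception handling.
// FILE_ANY_ACCESS: no access right beyond having opened the device is checked
// for these codes, which makes the KCF_SECURITY_LEVEL check the only gate.

// The argument is parenthesized so that compound expressions such as
// KCF_CTL_CODE(a + b) group as intended.
#define KCF_CTL_CODE(x) CTL_CODE(KCF_DEVICE_TYPE, 0x800 + (x), METHOD_NEITHER, FILE_ANY_ACCESS)

#define KCF_QUERYVERSION KCF_CTL_CODE(0)
#define KCF_REMOVECALLBACK KCF_CTL_CODE(1)
#define KCF_RETURNCALLBACK KCF_CTL_CODE(2)
#define KCF_SETFILTERS KCF_CTL_CODE(3)

#endif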
--------------------------------------------------------------------------------
/include/umkcfcl.h:
--------------------------------------------------------------------------------
#ifndef _UMKCFCL_H
#define _UMKCFCL_H

// NOTE(review): the include target was lost in this listing (presumably
// umkcfapi.h, which defines the KCF_* types used below).
#include

// Export/import decoration for the client library: defined as export when
// building the DLL, as import for consumers, and empty for a static build.
#if defined(UMKCFCL_EXPORT)
#define UMKCFCLAPI __declspec(dllexport)
#elif defined(UMKCFCL_IMPORT)
#define UMKCFCLAPI __declspec(dllimport)
#else
#define UMKCFCLAPI
#endif

// Driver parameters applied at connect/install time.
typedef struct _KCF_PARAMETERS
{
    KCF_SECURITY_LEVEL SecurityLevel; // who may open the device; see KCF_SECURITY_LEVEL
} KCF_PARAMETERS, *PKCF_PARAMETERS;

// Opens the UMKCF device. DeviceName is optional (the test passes
// KCF_DEVICE_SHORT_NAME). All functions below return an NTSTATUS; callers
// test it with NT_SUCCESS.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfConnect(
    __in_opt PWSTR DeviceName
    );

// Like KcfConnect but also given FileName, the path of the driver image
// (umkcf.sys) -- presumably so the driver can be installed when the device is
// not present yet; confirm in client.c.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfConnect2(
    __in_opt PWSTR DeviceName,
    __in PWSTR FileName
    );

// KcfConnect2 plus optional driver parameters (e.g. the security level).
UMKCFCLAPI
NTSTATUS
NTAPI
KcfConnect2Ex(
    __in_opt PWSTR DeviceName,
    __in PWSTR FileName,
    __in_opt PKCF_PARAMETERS Parameters
    );

// Closes the connection opened by the KcfConnect* functions.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfDisconnect(
    VOID
    );

// TRUE while a connection is open.
UMKCFCLAPI
BOOLEAN
NTAPI
KcfIsConnected(
    VOID
    );

// Stores Parameters for the driver identified by DeviceName.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfSetParameters(
    __in_opt PWSTR DeviceName,
    __in PKCF_PARAMETERS Parameters
    );

// Installs and loads the driver from FileName. Loading a kernel driver needs
// SeLoadDriverPrivilege, so these presumably fail without administrative
// rights; FileName should point at a location the caller trusts and that
// unprivileged users cannot write to.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfInstall(
    __in_opt PWSTR DeviceName,
    __in PWSTR FileName
    );

// KcfInstall with optional driver parameters.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfInstallEx(
    __in_opt PWSTR DeviceName,
    __in PWSTR FileName,
    __in_opt PKCF_PARAMETERS Parameters
    );

// Unloads and removes the driver installed by KcfInstall*.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfUninstall(
    __in_opt PWSTR DeviceName
    );

// Retrieves the driver's protocol version (compare with KCF_VERSION).
UMKCFCLAPI
NTSTATUS
NTAPI
KcfQueryVersion(
    __out PULONG Version
    );

// Waits for the next callback and copies it into Data (DataLength bytes).
// Timeout is optional (the test passes NULL and blocks until a callback
// arrives). *CallbackId identifies the callback for KcfReturnCallback;
// *ReturnLength, when requested, receives the number of bytes written.
// Callers should not read past the returned length.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfRemoveCallback(
    __in_opt PLARGE_INTEGER Timeout,
    __out PKCF_CALLBACK_ID CallbackId,
    __out PKCF_CALLBACK_DATA Data,
    __in ULONG DataLength,
    __out_opt PULONG ReturnLength
    );

// Completes the callback CallbackId with ReturnStatus and the optional
// ReturnData (ReturnDataLength bytes). Every removed callback should be
// returned; presumably the originating thread stays blocked until then --
// verify against the driver.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfReturnCallback(
    __in KCF_CALLBACK_ID CallbackId,
    __in NTSTATUS ReturnStatus,
    __in_opt PKCF_CALLBACK_RETURN_DATA ReturnData,
    __in ULONG ReturnDataLength
    );

// Replaces the client's filter set with Filters[0..NumberOfFilters-1];
// KCF_MAXIMUM_FILTERS is presumably the enforced upper bound.
UMKCFCLAPI
NTSTATUS
NTAPI
KcfSetFilters(
    __in PKCF_FILTER_DATA Filters,
    __in ULONG NumberOfFilters
    );

#endif
126 |
--------------------------------------------------------------------------------
/lib/lib32/ntdll.exp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wj32/umkcf/f68d7756faf1b90e4a557b9ae631233d2752f091/lib/lib32/ntdll.exp
--------------------------------------------------------------------------------
/lib/lib32/ntdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wj32/umkcf/f68d7756faf1b90e4a557b9ae631233d2752f091/lib/lib32/ntdll.lib
--------------------------------------------------------------------------------
/lib/lib64/ntdll.exp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wj32/umkcf/f68d7756faf1b90e4a557b9ae631233d2752f091/lib/lib64/ntdll.exp
--------------------------------------------------------------------------------
/lib/lib64/ntdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wj32/umkcf/f68d7756faf1b90e4a557b9ae631233d2752f091/lib/lib64/ntdll.lib
--------------------------------------------------------------------------------
/test/main.c:
--------------------------------------------------------------------------------
1 | // 'function': was declared deprecated
2 | #pragma warning(disable: 4996)
3 |
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
// Receive buffer handed to KcfRemoveCallback, sized well above
// sizeof(KCF_CALLBACK_DATA). NOTE(review): whether the string buffers the
// record refers to (ImageFileName, FullImageName, ...) are also copied into
// this buffer is not visible here -- confirm against the client library.
UCHAR buffer[4096 * 8];
12 |
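/**
 * Prints one callback record received from the driver.
 *
 * Only the process category is decoded. KCF_PROCESS_EVENT_* numbers are
 * relative to that category, so the category is checked before the event
 * number is interpreted; anything else is reported as unhandled.
 *
 * \param Data The record returned by KcfRemoveCallback.
 */
static VOID PrintCallbackData(
    __in PKCF_CALLBACK_DATA Data
    )
{
    if (Data->EventId.Category != KCF_CATEGORY_PROCESS)
    {
        wprintf(L"Unhandled event (category %u, event %u)\n", (unsigned int)Data->EventId.Category, (unsigned int)Data->EventId.Event);
        return;
    }

    switch (Data->EventId.Event)
    {
    case KCF_PROCESS_EVENT_PROCESS_CREATE:
        // UNICODE_STRING.Length is in bytes; %.*s wants a character count.
        wprintf(L"Process create (%Iu): %.*s\n", Data->Parameters.ProcessCreate.ProcessId, Data->Parameters.ProcessCreate.ImageFileName.Length / 2, Data->Parameters.ProcessCreate.ImageFileName.Buffer);
        break;
    case KCF_PROCESS_EVENT_PROCESS_EXIT:
        wprintf(L"Process exit (%Iu)\n", Data->Parameters.ProcessExit.ProcessId);
        break;
    case KCF_PROCESS_EVENT_THREAD_CREATE:
        wprintf(L"Thread create (PID %Iu, TID %Iu)\n", Data->Parameters.ThreadCreateExit.ThreadId.UniqueProcess, Data->Parameters.ThreadCreateExit.ThreadId.UniqueThread);
        break;
    case KCF_PROCESS_EVENT_THREAD_EXIT:
        wprintf(L"Thread exit (PID %Iu, TID %Iu)\n", Data->Parameters.ThreadCreateExit.ThreadId.UniqueProcess, Data->Parameters.ThreadCreateExit.ThreadId.UniqueThread);
        break;
    case KCF_PROCESS_EVENT_IMAGE_LOAD:
        wprintf(L"Image load (%Iu): %.*s\n", Data->Parameters.ImageLoad.ProcessId, Data->Parameters.ImageLoad.FullImageName.Length / 2, Data->Parameters.ImageLoad.FullImageName.Buffer);
        break;
    default:
        wprintf(L"Unhandled process event %u\n", (unsigned int)Data->EventId.Event);
        break;
    }
}

/**
 * Test client for UMKCF: connects to the driver (umkcf.sys taken from the
 * current directory), installs two filters, then prints every callback it
 * receives and returns it to the driver until a call fails.
 *
 * This harness runs at KcfSecurityNone (no privilege check on clients) and
 * loads the driver image from the current working directory; both are
 * acceptable for a local test only, not for anything deployed.
 *
 * \return 0 on normal exit (not reached while the callback loop runs), 1 when
 * the driver path cannot be built or connecting, removing or returning a
 * callback fails. A KcfSetFilters failure is only reported.
 */
int __cdecl wmain(int argc, wchar_t *argv[])
{
    static const WCHAR driverFileName[] = L"\\umkcf.sys";
    NTSTATUS status;
    WCHAR umkcfFileName[500];
    DWORD directoryLength;
    KCF_PARAMETERS parameters;
    KCF_FILTER_DATA filters[2];

    (void)argc;
    (void)argv;

    // GetCurrentDirectory leaves the buffer untouched when it fails (returns 0)
    // or when the buffer is too small (returns the required size including the
    // terminator), so the result is checked before anything is appended to it;
    // the original unchecked call would have concatenated onto stack garbage.
    directoryLength = GetCurrentDirectory(sizeof(umkcfFileName) / sizeof(umkcfFileName[0]), umkcfFileName);

    if (directoryLength == 0 ||
        directoryLength + sizeof(driverFileName) / sizeof(driverFileName[0]) > sizeof(umkcfFileName) / sizeof(umkcfFileName[0]))
    {
        wprintf(L"Couldn't build the driver path (current directory length %lu)\n", directoryLength);
        return 1;
    }

    wcscat_s(umkcfFileName, sizeof(umkcfFileName) / sizeof(umkcfFileName[0]), driverFileName);

    memset(&parameters, 0, sizeof(parameters));
    parameters.SecurityLevel = KcfSecurityNone;

    if (!NT_SUCCESS(status = KcfConnect2Ex(KCF_DEVICE_SHORT_NAME, umkcfFileName, &parameters)))
    {
        wprintf(L"Couldn't connect to UMKCF: 0x%x\n", status);
        return 1;
    }

    wprintf(L"Connected.\n");

    // Zero the filters first: the fields a filter does not use (Reserved, Mode,
    // DataItem of the unconditional filter) would otherwise be stack garbage
    // handed to the driver.
    memset(filters, 0, sizeof(filters));

    // Include every event of every category...
    filters[0].Type = FilterInclude;
    filters[0].Category = KCF_CATEGORY_ALL;
    filters[0].EventMask = KCF_EVENT_MASK_ALL;
    filters[0].Key = FilterKeyNone;
    // ...except those originating from this process.
    filters[1].Type = FilterExclude;
    filters[1].Category = KCF_CATEGORY_ALL;
    filters[1].EventMask = KCF_EVENT_MASK_ALL;
    filters[1].Key = FilterKeyProcessId;
    filters[1].Mode = FilterModeEquals;
    filters[1].DataItem.Type = DataTypeInteger;
    filters[1].DataItem.u.Integer = (ULONGLONG)(ULONG_PTR)NtCurrentProcessId();
    status = KcfSetFilters(filters, 2);

    if (!NT_SUCCESS(status))
        wprintf(L"KcfSetFilters: 0x%x\n", status);

    while (1)
    {
        KCF_CALLBACK_ID callbackId;
        PKCF_CALLBACK_DATA data;
        KCF_CALLBACK_RETURN_DATA returnData;

        wprintf(L"Waiting...\n");
        // No timeout: block until the driver delivers a callback.
        status = KcfRemoveCallback(NULL, &callbackId, (PKCF_CALLBACK_DATA)buffer, sizeof(buffer), NULL);

        if (!NT_SUCCESS(status))
        {
            wprintf(L"KcfRemoveCallback: 0x%x\n", status);
            return 1;
        }

        data = (PKCF_CALLBACK_DATA)buffer;
        PrintCallbackData(data);

        // Every removed callback is returned. Zeroed parameters let the
        // operation proceed; a process-create callback could instead set
        // returnData.Parameters.ProcessCreate.CreationStatus to a failure code
        // to deny the creation.
        memset(&returnData, 0, sizeof(KCF_CALLBACK_RETURN_DATA));
        returnData.EventId = data->EventId;
        status = KcfReturnCallback(callbackId, STATUS_SUCCESS, &returnData, sizeof(KCF_CALLBACK_RETURN_DATA));

        if (!NT_SUCCESS(status))
        {
            wprintf(L"KcfReturnCallback: 0x%x\n", status);
            return 1;
        }
    }

    // Not reached: the loop above only exits through the returns inside it.
    return 0;
}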
113 |
--------------------------------------------------------------------------------
/test/test.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------