/*
 * ntapi.h
 *
 * Windows NT Native API
 *
 * Most structures in this file are obtained from Windows NT/2000 Native API
 * Reference by Gary Nebbett, ISBN 1578701996.
 *
* This file is part of the w32api package.
 *
 * Contributors:
 *   Created by Casper S. Hornstrup <chorns@users.sourceforge.net>
 *
 * THIS SOFTWARE IS NOT COPYRIGHTED
 *
 * This source code is offered for use in the public domain. You may
 * use, modify or distribute it freely.
 *
 * This code is distributed in the hope that it will be useful but
 * WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY
* DISCLAIMED. This includes but is not limited to warranties of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 */

#ifndef __NTAPI_H
#define __NTAPI_H

/* GCC 3 and later: mark this header as a system header so that warnings
   triggered by its contents are suppressed in including translation units. */
#if __GNUC__ >=3
#pragma GCC system_header
#endif

#ifdef __cplusplus
extern "C" {
#endif

/* All structures declared below use 4-byte packing.  The matching
   pack(pop) is expected at the end of the header (not in view here). */
#pragma pack(push,4)

#include <stdarg.h>
#include <winbase.h>
#include "ntddk.h"
#include "ntpoapi.h"

/* _PEB is only forward-declared here; PPEB is usable as an opaque pointer. */
typedef struct _PEB *PPEB;

/* FIXME: Unknown definitions.  Placeholders typed as PVOID until the real
   definitions are known; callers cannot dereference these meaningfully. */
typedef PVOID POBJECT_TYPE_LIST;
typedef PVOID PEXECUTION_STATE;
typedef PVOID PLANGID;

/* System information and control */

/*
 * Information classes accepted by NtQuerySystemInformation,
 * ZwQuerySystemInformation and ZwSetSystemInformation (declared below).
 * Several numeric values carry two enumerator names; the second is simply an
 * alias for the same class.  Enumerators named SystemNotImplementedN and
 * SystemInvalidInfoClassN presumably reserve a number for which no layout is
 * known -- verify against the reference before use.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
  SystemInformationClassMin = 0,
  SystemBasicInformation = 0,
  SystemProcessorInformation = 1,
  SystemPerformanceInformation = 2,
  SystemTimeOfDayInformation = 3,
  SystemPathInformation = 4,
  SystemNotImplemented1 = 4,
  SystemProcessInformation = 5,
  SystemProcessesAndThreadsInformation = 5,
  SystemCallCountInfoInformation = 6,
  SystemCallCounts = 6,
  SystemDeviceInformation = 7,
  SystemConfigurationInformation = 7,
  SystemProcessorPerformanceInformation = 8,
  SystemProcessorTimes = 8,
  SystemFlagsInformation = 9,
  SystemGlobalFlag = 9,
  SystemCallTimeInformation = 10,
  SystemNotImplemented2 = 10,
  SystemModuleInformation = 11,
  SystemLocksInformation = 12,
  SystemLockInformation = 12,
  SystemStackTraceInformation = 13,
  SystemNotImplemented3 = 13,
  SystemPagedPoolInformation = 14,
  SystemNotImplemented4 = 14,
  SystemNonPagedPoolInformation = 15,
  SystemNotImplemented5 = 15,
  SystemHandleInformation = 16,
  SystemObjectInformation = 17,
  SystemPageFileInformation = 18,
  SystemPagefileInformation = 18,
  SystemVdmInstemulInformation = 19,
  SystemInstructionEmulationCounts = 19,
  SystemVdmBopInformation = 20,
  SystemInvalidInfoClass1 = 20,
  SystemFileCacheInformation = 21,
  SystemCacheInformation = 21,
  SystemPoolTagInformation = 22,
  SystemInterruptInformation = 23,
  SystemProcessorStatistics = 23,
  SystemDpcBehaviourInformation = 24,
  SystemDpcInformation = 24,
  SystemFullMemoryInformation = 25,
  SystemNotImplemented6 = 25,
  SystemLoadImage = 26,
  SystemUnloadImage = 27,
  SystemTimeAdjustmentInformation = 28,
  SystemTimeAdjustment = 28,
  SystemSummaryMemoryInformation = 29,
  SystemNotImplemented7 = 29,
  SystemNextEventIdInformation = 30,
  SystemNotImplemented8 = 30,
  SystemEventIdsInformation = 31,
  SystemNotImplemented9 = 31,
  SystemCrashDumpInformation = 32,
  SystemExceptionInformation = 33,
  SystemCrashDumpStateInformation = 34,
  SystemKernelDebuggerInformation = 35,
  SystemContextSwitchInformation = 36,
  SystemRegistryQuotaInformation = 37,
  SystemLoadAndCallImage = 38,
  SystemPrioritySeparation = 39,
  SystemPlugPlayBusInformation = 40,
  SystemNotImplemented10 = 40,
  SystemDockInformation = 41,
  SystemNotImplemented11 = 41,
  //SystemPowerInformation = 42, Conflicts with POWER_INFORMATION_LEVEL
  SystemInvalidInfoClass2 = 42,
  SystemProcessorSpeedInformation = 43,
  SystemInvalidInfoClass3 = 43,
  SystemCurrentTimeZoneInformation = 44,
  SystemTimeZoneInformation = 44,
  SystemLookasideInformation = 45,
  SystemSetTimeSlipEvent = 46,
  SystemCreateSession = 47,
  SystemDeleteSession = 48,
  SystemInvalidInfoClass4 = 49,
  SystemRangeStartInformation = 50,
  SystemVerifierInformation = 51,
  SystemAddVerifier = 52,
  SystemSessionProcessesInformation = 53,
  /* No explicit value: one past the preceding enumerator, i.e. 54. */
  SystemInformationClassMax
} SYSTEM_INFORMATION_CLASS;

/*
 * Presumably the buffer layout for the SystemBasicInformation class (matched
 * by name only).  Field meanings follow the reference cited in the file
 * header; "Unknown" is a field whose purpose is not documented.
 */
typedef struct _SYSTEM_BASIC_INFORMATION {
  ULONG Unknown;
  ULONG MaximumIncrement;
  ULONG PhysicalPageSize;
  ULONG NumberOfPhysicalPages;
  ULONG LowestPhysicalPage;
  ULONG HighestPhysicalPage;
  ULONG AllocationGranularity;
  ULONG LowestUserAddress;
  ULONG HighestUserAddress;
  ULONG ActiveProcessors;
  UCHAR NumberProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

/*
 * Presumably the buffer layout for the SystemProcessorInformation class
 * (matched by name only).  "Unknown" is an undocumented field.
 */
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
  USHORT ProcessorArchitecture;
  USHORT ProcessorLevel;
  USHORT ProcessorRevision;
  USHORT Unknown;
  ULONG FeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;

/*
 * Presumably the buffer layout for the SystemPerformanceInformation class
 * (matched by name only).  Counters are grouped loosely by subsystem in the
 * order the reference lists them; Reserved3 is an undocumented field.
 */
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
  /* I/O transfer totals */
  LARGE_INTEGER IdleTime;
  LARGE_INTEGER ReadTransferCount;
  LARGE_INTEGER WriteTransferCount;
  LARGE_INTEGER OtherTransferCount;
  ULONG ReadOperationCount;
  ULONG WriteOperationCount;
  ULONG OtherOperationCount;
  /* Memory commitment and page-fault counters */
  ULONG AvailablePages;
  ULONG TotalCommittedPages;
  ULONG TotalCommitLimit;
  ULONG PeakCommitment;
  ULONG PageFaults;
  ULONG WriteCopyFaults;
  ULONG TransitionFaults;
  ULONG CacheTransitionFaults;
  ULONG DemandZeroFaults;
  ULONG PagesRead;
  ULONG PageReadIos;
  ULONG CacheReads;
  ULONG CacheIos;
  ULONG PagefilePagesWritten;
  ULONG PagefilePageWriteIos;
  ULONG MappedFilePagesWritten;
  ULONG MappedFilePageWriteIos;
  /* Pool usage */
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG PagedPoolAllocs;
  ULONG PagedPoolFrees;
  ULONG NonPagedPoolAllocs;
  ULONG NonPagedPoolFrees;
  ULONG TotalFreeSystemPtes;
  ULONG SystemCodePage;
  ULONG TotalSystemDriverPages;
  ULONG TotalSystemCodePages;
  ULONG SmallNonPagedLookasideListAllocateHits;
  ULONG SmallPagedLookasideListAllocateHits;
  ULONG Reserved3;
  ULONG MmSystemCachePage;
  ULONG PagedPoolPage;
  ULONG SystemDriverPage;
  /* Cache-manager read/map/pin counters */
  ULONG FastReadNoWait;
  ULONG FastReadWait;
  ULONG FastReadResourceMiss;
  ULONG FastReadNotPossible;
  ULONG FastMdlReadNoWait;
  ULONG FastMdlReadWait;
  ULONG FastMdlReadResourceMiss;
  ULONG FastMdlReadNotPossible;
  ULONG MapDataNoWait;
  ULONG MapDataWait;
  ULONG MapDataNoWaitMiss;
  ULONG MapDataWaitMiss;
  ULONG PinMappedDataCount;
  ULONG PinReadNoWait;
  ULONG PinReadWait;
  ULONG PinReadNoWaitMiss;
  ULONG PinReadWaitMiss;
  ULONG CopyReadNoWait;
  ULONG CopyReadWait;
  ULONG CopyReadNoWaitMiss;
  ULONG CopyReadWaitMiss;
  ULONG MdlReadNoWait;
  ULONG MdlReadWait;
  ULONG MdlReadNoWaitMiss;
  ULONG MdlReadWaitMiss;
  ULONG ReadAheadIos;
  ULONG LazyWriteIos;
  ULONG LazyWritePages;
  ULONG DataFlushes;
  ULONG DataPages;
  /* Scheduler / TLB / syscall counters */
  ULONG ContextSwitches;
  ULONG FirstLevelTbFills;
  ULONG SecondLevelTbFills;
  ULONG SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;

/*
 * Presumably the buffer layout for the SystemTimeOfDayInformation class
 * (matched by name only).  Times are LARGE_INTEGER values; their epoch and
 * unit are not stated here -- verify against the reference.
 */
typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
  LARGE_INTEGER BootTime;
  LARGE_INTEGER CurrentTime;
  LARGE_INTEGER TimeZoneBias;
  ULONG CurrentTimeZoneId;
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;

/*
 * Per-process virtual-memory counters; embedded in SYSTEM_PROCESSES below.
 * Declared without a pointer typedef, unlike the other structures here.
 */
typedef struct _VM_COUNTERS {
  ULONG PeakVirtualSize;
  ULONG VirtualSize;
  ULONG PageFaultCount;
  ULONG PeakWorkingSetSize;
  ULONG WorkingSetSize;
  ULONG QuotaPeakPagedPoolUsage;
  ULONG QuotaPagedPoolUsage;
  ULONG QuotaPeakNonPagedPoolUsage;
  ULONG QuotaNonPagedPoolUsage;
  ULONG PagefileUsage;
  ULONG PeakPagefileUsage;
} VM_COUNTERS;

/* Thread scheduling states reported in SYSTEM_THREADS.State; values are
   sequential from 0 (StateInitialized) to 7 (StateUnknown). */
typedef enum _THREAD_STATE {
  StateInitialized,
  StateReady,
  StateRunning,
  StateStandby,
  StateTerminated,
  StateWait,
  StateTransition,
  StateUnknown
} THREAD_STATE;

/*
 * One per-thread entry of the SYSTEM_PROCESSES record below.  StartAddress
 * is a raw pointer reported by the system; treat it as an opaque value.
 */
typedef struct _SYSTEM_THREADS {
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER CreateTime;
  ULONG WaitTime;
  PVOID StartAddress;
  CLIENT_ID ClientId;
  KPRIORITY Priority;
  KPRIORITY BasePriority;
  ULONG ContextSwitchCount;
  THREAD_STATE State;
  KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

/*
 * Presumably one record of the SystemProcessInformation /
 * SystemProcessesAndThreadsInformation class (matched by name only).
 * NextEntryDelta is presumably the byte offset from this record to the next
 * one (0 on the last) -- verify against the reference.  Threads is declared
 * with one element but the record presumably continues with ThreadCount
 * entries; index it only up to ThreadCount and only within the buffer
 * actually returned.  ProcessId / InheritedFromProcessId are ULONGs here,
 * not HANDLEs.
 */
typedef struct _SYSTEM_PROCESSES {
  ULONG NextEntryDelta;
  ULONG ThreadCount;
  ULONG Reserved1[6];
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER KernelTime;
  UNICODE_STRING ProcessName;
  KPRIORITY BasePriority;
  ULONG ProcessId;
  ULONG InheritedFromProcessId;
  ULONG HandleCount;
  ULONG Reserved2[2];
  VM_COUNTERS VmCounters;
  IO_COUNTERS IoCounters;
  SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

/*
 * Presumably the buffer layout for the SystemCallCountInfoInformation /
 * SystemCallCounts class (matched by name only).  Both trailing arrays are
 * declared with a single element; a fixed C declaration cannot express two
 * variable-length arrays, so the real layout (NumberOfDescriptorTables
 * counts followed by the call counters, presumably) must be walked
 * manually and bounded by Size -- verify against the reference.
 */
typedef struct _SYSTEM_CALLS_INFORMATION {
  ULONG Size;
  ULONG NumberOfDescriptorTables;
  ULONG NumberOfRoutinesInTable[1];
  ULONG CallCounts[ANYSIZE_ARRAY];
} SYSTEM_CALLS_INFORMATION, *PSYSTEM_CALLS_INFORMATION;

/* Presumably the buffer layout for the SystemDeviceInformation /
   SystemConfigurationInformation class (matched by name only): device counts
   by type. */
typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
  ULONG DiskCount;
  ULONG FloppyCount;
  ULONG CdRomCount;
  ULONG TapeCount;
  ULONG SerialCount;
  ULONG ParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;

/* Presumably the per-processor record of the
   SystemProcessorPerformanceInformation / SystemProcessorTimes class
   (matched by name only). */
typedef struct _SYSTEM_PROCESSOR_TIMES {
  LARGE_INTEGER IdleTime;
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER DpcTime;
  LARGE_INTEGER InterruptTime;
  ULONG InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;

/* SYSTEM_GLOBAL_FLAG.GlobalFlag constants.  Single-bit flags; they may be
   OR-ed together.  Note the gap between 0x00800000 and 0x08000000: bits 24-26
   are not named here. */
#define FLG_STOP_ON_EXCEPTION 0x00000001
#define FLG_SHOW_LDR_SNAPS 0x00000002
#define FLG_DEBUG_INITIAL_COMMAND 0x00000004
#define FLG_STOP_ON_HUNG_GUI 0x00000008
/* Heap debugging options */
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010
#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020
#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040
#define FLG_HEAP_VALIDATE_ALL 0x00000080
/* Kernel pool debugging options */
#define FLG_POOL_ENABLE_TAIL_CHECK 0x00000100
#define FLG_POOL_ENABLE_FREE_CHECK 0x00000200
#define FLG_POOL_ENABLE_TAGGING 0x00000400
#define FLG_HEAP_ENABLE_TAGGING 0x00000800
#define FLG_USER_STACK_TRACE_DB 0x00001000
#define FLG_KERNEL_STACK_TRACE_DB 0x00002000
#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000
#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000
#define FLG_IGNORE_DEBUG_PRIV 0x00010000
#define FLG_ENABLE_CSRDEBUG 0x00020000
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000
#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000
#define FLG_HEAP_ENABLE_CALL_TRACING 0x00100000
#define FLG_HEAP_DISABLE_COALESCING 0x00200000
#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000
#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000
#define FLG_ENABLE_DBGPRINT_BUFFERING 0x08000000

/* Presumably the buffer for the SystemFlagsInformation / SystemGlobalFlag
   class (matched by name only); GlobalFlag is a mask of the FLG_* bits above. */
typedef struct _SYSTEM_GLOBAL_FLAG {
  ULONG GlobalFlag;
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;

/*
 * One loaded-module record of SYSTEM_MODULE_INFORMATION below.  Base is a
 * raw load address reported by the system; treat it as opaque.  ImageName is
 * a fixed 256-byte buffer and the declaration does not guarantee NUL
 * termination; PathLength presumably locates the file name within it --
 * verify against the reference before indexing.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
  ULONG Unknown1;
  ULONG Unknown2;
  PVOID Base;
  ULONG Size;
  ULONG Flags;
  USHORT Index;
  /* Length of module name not including the path, this
     field contains valid value only for NTOSKRNL module */
  USHORT NameLength;
  USHORT LoadCount;
  USHORT PathLength;
  CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

/* Presumably the buffer layout for the SystemModuleInformation class
   (matched by name only).  Module is declared with one element but the
   buffer presumably holds Count entries; index only below Count and within
   the returned length. */
typedef struct _SYSTEM_MODULE_INFORMATION {
  ULONG Count;
  SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Presumably one record of the SystemLocksInformation /
   SystemLockInformation class (matched by name only).  Address is a raw
   pointer reported by the system; treat it as opaque.  No count header is
   declared here -- verify how entries are delimited against the reference. */
typedef struct _SYSTEM_LOCK_INFORMATION {
  PVOID Address;
  USHORT Type;
  USHORT Reserved1;
  ULONG ExclusiveOwnerThreadId;
  ULONG ActiveCount;
  ULONG ContentionCount;
  ULONG Reserved2[2];
  ULONG NumberOfSharedWaiters;
  ULONG NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

/* SYSTEM_HANDLE_INFORMATION.Flags constants.  NOTE(review): these two macro
   names carry no prefix and live in the global namespace, so they can clash
   with identically named macros from other headers; include order matters. */
#define PROTECT_FROM_CLOSE 0x01
#define INHERIT 0x02

/*
 * Presumably one record of the SystemHandleInformation class (matched by
 * name only).  Handle is a USHORT, i.e. only the low 16 bits of the handle
 * value are carried; Object is a raw pointer reported by the system and
 * should be treated as opaque.  No count header is declared here -- verify
 * how the entry list is delimited against the reference.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION {
  ULONG ProcessId;
  UCHAR ObjectTypeNumber;
  UCHAR Flags;           /* PROTECT_FROM_CLOSE / INHERIT bits above */
  USHORT Handle;
  PVOID Object;
  ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/*
 * Presumably a per-object-type header in the SystemObjectInformation class
 * (matched by name only).  NextEntryOffset presumably links to the next
 * record (0 on the last) -- verify.  Name is a UNICODE_STRING whose Buffer
 * points elsewhere in the returned data; do not assume NUL termination.
 */
typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
  ULONG NextEntryOffset;
  ULONG ObjectCount;
  ULONG HandleCount;
  ULONG TypeNumber;
  ULONG InvalidAttributes;
  GENERIC_MAPPING GenericMapping;
  ACCESS_MASK ValidAccessMask;
  POOL_TYPE PoolType;
  UCHAR Unknown;
  UNICODE_STRING Name;
} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;

/* SYSTEM_OBJECT_INFORMATION.Flags constants (listed from the highest bit
   down, as in the reference). */
#define FLG_SYSOBJINFO_SINGLE_HANDLE_ENTRY 0x40
#define FLG_SYSOBJINFO_DEFAULT_SECURITY_QUOTA 0x20
#define FLG_SYSOBJINFO_PERMANENT 0x10
#define FLG_SYSOBJINFO_EXCLUSIVE 0x08
#define FLG_SYSOBJINFO_CREATOR_INFO 0x04
#define FLG_SYSOBJINFO_KERNEL_MODE 0x02

/*
 * Presumably one per-object record of the SystemObjectInformation class
 * (matched by name only).  Object and SecurityDescriptor are raw pointers
 * reported by the system; treat them as opaque values, not as dereferenceable
 * memory in the caller.  Flags holds FLG_SYSOBJINFO_* bits.
 */
typedef struct _SYSTEM_OBJECT_INFORMATION {
  ULONG NextEntryOffset;
  PVOID Object;
  ULONG CreatorProcessId;
  USHORT Unknown;
  USHORT Flags;
  ULONG PointerCount;
  ULONG HandleCount;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG ExclusiveProcessId;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
  UNICODE_STRING Name;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;

/* Presumably one record of the SystemPageFileInformation class (matched by
   name only); NextEntryOffset presumably chains records (0 on the last). */
typedef struct _SYSTEM_PAGEFILE_INFORMATION {
  ULONG NextEntryOffset;
  ULONG CurrentSize;
  ULONG TotalUsed;
  ULONG PeakUsed;
  UNICODE_STRING FileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;

/*
 * Presumably the buffer layout for the SystemVdmInstemulInformation /
 * SystemInstructionEmulationCounts class (matched by name only).  Each
 * field is a counter named after the x86 instruction or prefix it presumably
 * tallies; the grouping comments below follow the field names only.
 */
typedef struct _SYSTEM_INSTRUCTION_EMULATION_INFORMATION {
  ULONG SegmentNotPresent;
  ULONG TwoByteOpcode;
  /* Segment-override and operand/address-size prefixes */
  ULONG ESprefix;
  ULONG CSprefix;
  ULONG SSprefix;
  ULONG DSprefix;
  ULONG FSPrefix;
  ULONG GSprefix;
  ULONG OPER32prefix;
  ULONG ADDR32prefix;
  /* String I/O */
  ULONG INSB;
  ULONG INSW;
  ULONG OUTSB;
  ULONG OUTSW;
  /* Flags / interrupt related */
  ULONG PUSHFD;
  ULONG POPFD;
  ULONG INTnn;
  ULONG INTO;
  ULONG IRETD;
  /* Port I/O with immediate and with DX */
  ULONG INBimm;
  ULONG INWimm;
  ULONG OUTBimm;
  ULONG OUTWimm;
  ULONG INB;
  ULONG INW;
  ULONG OUTB;
  ULONG OUTW;
  /* Remaining prefixes and privileged instructions */
  ULONG LOCKprefix;
  ULONG REPNEprefix;
  ULONG REPprefix;
  ULONG HLT;
  ULONG CLI;
  ULONG STI;
  ULONG GenericInvalidOpcode;
} SYSTEM_INSTRUCTION_EMULATION_INFORMATION, *PSYSTEM_INSTRUCTION_EMULATION_INFORMATION;

/* Presumably one per-tag record of the SystemPoolTagInformation class
   (matched by name only).  Tag is four raw CHARs, not a NUL-terminated
   string. */
typedef struct _SYSTEM_POOL_TAG_INFORMATION {
  CHAR Tag[4];
  ULONG PagedPoolAllocs;
  ULONG PagedPoolFrees;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolAllocs;
  ULONG NonPagedPoolFrees;
  ULONG NonPagedPoolUsage;
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;

/* Presumably the buffer layout for the SystemInterruptInformation /
   SystemProcessorStatistics class (matched by name only). */
typedef struct _SYSTEM_PROCESSOR_STATISTICS {
  ULONG ContextSwitches;
  ULONG DpcCount;
  ULONG DpcRequestRate;
  ULONG TimeIncrement;
  ULONG DpcBypassCount;
  ULONG ApcBypassCount;
} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;

/* Presumably the buffer layout for the SystemDpcBehaviourInformation /
   SystemDpcInformation class (matched by name only). */
typedef struct _SYSTEM_DPC_INFORMATION {
  ULONG Reserved;
  ULONG MaximumDpcQueueDepth;
  ULONG MinimumDpcRate;
  ULONG AdjustDpcThreshold;
  ULONG IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;

/*
 * Presumably the buffer for the SystemLoadImage class (matched by name
 * only), used with ZwSetSystemInformation: ModuleName is the input and the
 * pointer fields are presumably filled in by the system -- verify which are
 * in/out against the reference.  Loading a kernel image is a highly
 * privileged operation; the declaration itself carries no access check.
 */
typedef struct _SYSTEM_LOAD_IMAGE {
  UNICODE_STRING ModuleName;
  PVOID ModuleBase;
  PVOID SectionPointer;
  PVOID EntryPoint;
  PVOID ExportDirectory;
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;

/* Presumably the buffer for the SystemUnloadImage class (matched by name
   only); ModuleBase identifies the image, presumably as returned in
   SYSTEM_LOAD_IMAGE.ModuleBase. */
typedef struct _SYSTEM_UNLOAD_IMAGE {
  PVOID ModuleBase;
} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;

/* Presumably the query-side buffer for the SystemTimeAdjustmentInformation /
   SystemTimeAdjustment class (matched by name only); compare the set-side
   SYSTEM_SET_TIME_ADJUSTMENT below, which lacks MaximumIncrement. */
typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
  ULONG TimeAdjustment;
  ULONG MaximumIncrement;
  BOOLEAN TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;

/* Presumably the set-side buffer for the SystemTimeAdjustmentInformation /
   SystemTimeAdjustment class (matched by name only). */
typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
  ULONG TimeAdjustment;
  BOOLEAN TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;

/* Presumably the buffer for the SystemCrashDumpInformation class (matched by
   name only); the second HANDLE is undocumented. */
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
  HANDLE CrashDumpSectionHandle;
  HANDLE Unknown;
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

/* Presumably the buffer for the SystemExceptionInformation class (matched by
   name only). */
typedef struct _SYSTEM_EXCEPTION_INFORMATION {
  ULONG AlignmentFixupCount;
  ULONG ExceptionDispatchCount;
  ULONG FloatingEmulationCount;
  ULONG Reserved;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

/* Presumably the buffer for the SystemCrashDumpStateInformation class
   (matched by name only); CrashDumpSectionExists is a ULONG, not BOOLEAN. */
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
  ULONG CrashDumpSectionExists;
  ULONG Unknown;
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;

/* Presumably the buffer for the SystemKernelDebuggerInformation class
   (matched by name only).  Note the second field is phrased negatively
   (DebuggerNotPresent); read both before drawing conclusions. */
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
  BOOLEAN DebuggerEnabled;
  BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

/* Presumably the buffer for the SystemContextSwitchInformation class
   (matched by name only).  The meaning of the 11 per-reason counters is not
   stated here -- verify against the reference. */
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
  ULONG ContextSwitches;
  ULONG ContextSwitchCounters[11];
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;

/* Presumably the buffer for the SystemRegistryQuotaInformation class
   (matched by name only). */
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
  ULONG RegistryQuota;
  ULONG RegistryQuotaInUse;
  ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

/* Presumably the buffer for the SystemLoadAndCallImage class (matched by
   name only), used with ZwSetSystemInformation.  As with SYSTEM_LOAD_IMAGE,
   this names a kernel image to load; the declaration carries no access
   check of its own. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
  UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

/* Presumably the buffer for the SystemPrioritySeparation class (matched by
   name only). */
typedef struct _SYSTEM_PRIORITY_SEPARATION {
  ULONG PrioritySeparation;
} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;

/*
 * Presumably the buffer for the SystemCurrentTimeZoneInformation /
 * SystemTimeZoneInformation class (matched by name only).  StandardName and
 * DaylightName are fixed 32-WCHAR buffers; the declaration does not
 * guarantee NUL termination, so bound any string handling to 32 elements.
 */
typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
  LONG Bias;
  WCHAR StandardName[32];
  LARGE_INTEGER StandardDate;
  LONG StandardBias;
  WCHAR DaylightName[32];
  LARGE_INTEGER DaylightDate;
  LONG DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;

/* Presumably one per-list record of the SystemLookasideInformation class
   (matched by name only); Tag is a ULONG here, unlike the CHAR[4] used in
   SYSTEM_POOL_TAG_INFORMATION. */
typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
  USHORT Depth;
  USHORT MaximumDepth;
  ULONG TotalAllocates;
  ULONG AllocateMisses;
  ULONG TotalFrees;
  ULONG FreeMisses;
  POOL_TYPE Type;
  ULONG Tag;
  ULONG Size;
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;

/* Presumably the buffer for the SystemSetTimeSlipEvent class (matched by
   name only), used with ZwSetSystemInformation. */
typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
  HANDLE TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;

/* Presumably the buffer for the SystemCreateSession class (matched by name
   only); same layout as SYSTEM_DELETE_SESSION below. */
typedef struct _SYSTEM_CREATE_SESSION {
  ULONG SessionId;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;

/* Presumably the buffer for the SystemDeleteSession class (matched by name
   only); same layout as SYSTEM_CREATE_SESSION above. */
typedef struct _SYSTEM_DELETE_SESSION {
  ULONG SessionId;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;

/* Presumably the buffer for the SystemRangeStartInformation class (matched
   by name only); SystemRangeStart is a raw address value, treat as opaque. */
typedef struct _SYSTEM_RANGE_START_INFORMATION {
  PVOID SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;

/* Presumably the buffer for the SystemSessionProcessesInformation class
   (matched by name only).  Buffer/BufferSize describe a caller-supplied
   area that presumably receives SYSTEM_PROCESSES records for SessionId --
   verify against the reference. */
typedef struct _SYSTEM_SESSION_PROCESSES_INFORMATION {
  ULONG SessionId;
  ULONG BufferSize;
  PVOID Buffer;
} SYSTEM_SESSION_PROCESSES_INFORMATION, *PSYSTEM_SESSION_PROCESSES_INFORMATION;

/* One block record of SYSTEM_POOL_BLOCKS_INFORMATION below.  Tag is four
   raw CHARs, not a NUL-terminated string. */
typedef struct _SYSTEM_POOL_BLOCK {
  BOOLEAN Allocated;
  USHORT Unknown;
  ULONG Size;
  CHAR Tag[4];
} SYSTEM_POOL_BLOCK, *PSYSTEM_POOL_BLOCK;

/* Presumably the layout for the paged/non-paged pool information classes
   (no class is named for it here -- verify).  PoolBlocks is declared with
   one element but presumably holds NumberOfBlocks entries; index only below
   NumberOfBlocks and within the returned length.  PoolBase is a raw address;
   treat as opaque. */
typedef struct _SYSTEM_POOL_BLOCKS_INFORMATION {
  ULONG PoolSize;
  PVOID PoolBase;
  USHORT Unknown;
  ULONG NumberOfBlocks;
  SYSTEM_POOL_BLOCK PoolBlocks[1];
} SYSTEM_POOL_BLOCKS_INFORMATION, *PSYSTEM_POOL_BLOCKS_INFORMATION;

/* One record of SYSTEM_MEMORY_USAGE_INFORMATION below.  Name is a PVOID,
   not a UNICODE_STRING; what it points to is not stated here -- verify
   against the reference before dereferencing. */
typedef struct _SYSTEM_MEMORY_USAGE {
  PVOID Name;
  USHORT Valid;
  USHORT Standby;
  USHORT Modified;
  USHORT PageTables;
} SYSTEM_MEMORY_USAGE, *PSYSTEM_MEMORY_USAGE;

/* Presumably the layout for the full/summary memory information classes
   (no class is named for it here -- verify).  MemoryUsage is declared with
   one element; EndOfData presumably marks where the variable-length entry
   list stops, so bound iteration by it rather than by a fixed count. */
typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION {
  ULONG Reserved;
  PVOID EndOfData;
  SYSTEM_MEMORY_USAGE MemoryUsage[1];
} SYSTEM_MEMORY_USAGE_INFORMATION, *PSYSTEM_MEMORY_USAGE_INFORMATION;

/*
 * Query system-wide information.
 *   SystemInformationClass   selects which of the SYSTEM_* layouts above is
 *                            written to SystemInformation.
 *   SystemInformation        caller-supplied buffer (IN OUT: some classes
 *                            presumably also read input from it).
 *   SystemInformationLength  size of that buffer.
 *   ReturnLength             optional; receives a length -- presumably the
 *                            bytes written or required (verify).
 * Returns an NTSTATUS.  Several classes return variable-length data (the
 * structures with trailing [1] arrays above), so callers should size the
 * buffer from ReturnLength rather than assume a fixed size, and must not
 * read beyond the length actually returned.
 */
NTOSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  IN OUT PVOID SystemInformation,
  IN ULONG SystemInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Zw variant of NtQuerySystemInformation; identical parameter list (see the
   comment on the Nt declaration above). */
NTOSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  IN OUT PVOID SystemInformation,
  IN ULONG SystemInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * Set system-wide information.  SystemInformation holds the input layout for
 * SystemInformationClass (e.g. SYSTEM_LOAD_IMAGE, SYSTEM_SET_TIME_ADJUSTMENT);
 * it is IN OUT, so some classes presumably write results back into it.
 * SystemInformationLength is the size of that buffer.  No ReturnLength
 * parameter exists on the set path.  Returns an NTSTATUS.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwSetSystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  IN OUT PVOID SystemInformation,
  IN ULONG SystemInformationLength);

/*
 * Read a system (firmware) environment variable.
 *   Name          variable name.
 *   Value         caller-supplied output buffer of ValueLength.
 *   ReturnLength  optional; receives a length -- presumably the bytes
 *                 written or required (verify).
 * Returns an NTSTATUS.  The value's encoding is not stated by this
 * declaration (Value is PVOID, not PUNICODE_STRING) -- verify.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQuerySystemEnvironmentValue(
  IN PUNICODE_STRING Name,
  OUT PVOID Value,
  IN ULONG ValueLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Write a system (firmware) environment variable Name to Value; both are
   UNICODE_STRINGs.  Returns an NTSTATUS. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetSystemEnvironmentValue(
  IN PUNICODE_STRING Name,
  IN PUNICODE_STRING Value);

/* Action argument for NtShutdownSystem below; values 0, 1, 2 in order. */
typedef enum _SHUTDOWN_ACTION {
  ShutdownNoReboot,
  ShutdownReboot,
  ShutdownPowerOff
} SHUTDOWN_ACTION;

/* Shut the system down according to Action (SHUTDOWN_ACTION above).
   Returns an NTSTATUS; the required privilege is not stated here. */
NTOSAPI
NTSTATUS
NTAPI
NtShutdownSystem(
  IN SHUTDOWN_ACTION Action);

/* Control codes for ZwSystemDebugControl below.  Numbering starts at 1, so
   DebugMaximum is 7; 0 is not a valid code. */
typedef enum _DEBUG_CONTROL_CODE {
  DebugGetTraceInformation = 1,
  DebugSetInternalBreakpoint,
  DebugSetSpecialCall,
  DebugClearSpecialCalls,
  DebugQuerySpecialCalls,
  DebugDbgBreakPoint,
  DebugMaximum
} DEBUG_CONTROL_CODE;

/*
 * Kernel debug control interface.
 *   ControlCode         one of DEBUG_CONTROL_CODE above.
 *   InputBuffer         optional input of InputBufferLength.
 *   OutputBuffer        optional output of OutputBufferLength.
 *   ReturnLength        optional; receives a length -- presumably the bytes
 *                       written to OutputBuffer (verify).
 * Returns an NTSTATUS.  The buffer layouts per control code are not declared
 * in this header.  This is a privileged debugging interface; the
 * declaration itself carries no access check.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwSystemDebugControl(
  IN DEBUG_CONTROL_CODE ControlCode,
  IN PVOID InputBuffer OPTIONAL,
  IN ULONG InputBufferLength,
  OUT PVOID OutputBuffer OPTIONAL,
  IN ULONG OutputBufferLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Objects, Object directories, and symbolic links */

/* Information classes for ZwQueryObject / ZwSetInformationObject below;
   values 0..4 in order.  Only OBJECT_BASIC_INFORMATION and
   OBJECT_HANDLE_ATTRIBUTE_INFORMATION are declared in this header; the type
   and all-types layouts are present but disabled under #if 0. */
typedef enum _OBJECT_INFORMATION_CLASS {
  ObjectBasicInformation,
  ObjectNameInformation,
  ObjectTypeInformation,
  ObjectAllTypesInformation,
  ObjectHandleInformation
} OBJECT_INFORMATION_CLASS;

/*
 * Query information about the object referenced by ObjectHandle.
 *   ObjectInformationClass   selects the layout written to ObjectInformation.
 *   ObjectInformation        caller-supplied buffer of ObjectInformationLength.
 *   ReturnLength             optional; receives a length -- presumably the
 *                            bytes written or required (verify).
 * Returns an NTSTATUS.  Name and type data are variable length; size the
 * buffer from ReturnLength and do not read past the returned length.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryObject(
  IN HANDLE ObjectHandle,
  IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
  OUT PVOID ObjectInformation,
  IN ULONG ObjectInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Set information on the object referenced by ObjectHandle; ObjectInformation
   holds the input layout for ObjectInformationClass (e.g.
   OBJECT_HANDLE_ATTRIBUTE_INFORMATION) and ObjectInformationLength its size.
   Returns an NTSTATUS. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetInformationObject(
  IN HANDLE ObjectHandle,
  IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
  IN PVOID ObjectInformation,
  IN ULONG ObjectInformationLength);

/* OBJECT_BASIC_INFORMATION.Attributes constants.  NOTE(review): winbase.h
   (included above) defines macros named HANDLE_FLAG_INHERIT and
   HANDLE_FLAG_PROTECT_FROM_CLOSE; an identical redefinition is accepted by
   the preprocessor, a differing one is an error -- verify the values match.
   The bit assignment here (INHERIT=0x01, PROTECT_FROM_CLOSE=0x02) is the
   reverse of the SYSTEM_HANDLE_INFORMATION.Flags constants earlier in this
   file (PROTECT_FROM_CLOSE=0x01, INHERIT=0x02); do not reuse one set for the
   other structure.  PERMANENT and EXCLUSIVE are unprefixed global names. */
#define HANDLE_FLAG_INHERIT 0x01
#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x02
#define PERMANENT 0x10
#define EXCLUSIVE 0x20

/*
 * Layout for the ObjectBasicInformation class of ZwQueryObject.  Attributes
 * holds the HANDLE_FLAG_* / PERMANENT / EXCLUSIVE bits above.  The three
 * *Length fields presumably give the buffer sizes needed for the
 * corresponding other classes / security descriptor -- verify.
 */
typedef struct _OBJECT_BASIC_INFORMATION {
  ULONG Attributes;
  ACCESS_MASK GrantedAccess;
  ULONG HandleCount;
  ULONG PointerCount;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG Reserved[3];
  ULONG NameInformationLength;
  ULONG TypeInformationLength;
  ULONG SecurityDescriptorLength;
  LARGE_INTEGER CreateTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
#if 0
// FIXME: Enable later
/* Disabled: layouts for ObjectTypeInformation / ObjectAllTypesInformation.
   Compiled out entirely, so nothing in this file can currently reference
   these types. */
typedef struct _OBJECT_TYPE_INFORMATION {
  UNICODE_STRING Name;
  ULONG ObjectCount;
  ULONG HandleCount;
  ULONG Reserved1[4];
  ULONG PeakObjectCount;
  ULONG PeakHandleCount;
  ULONG Reserved2[4];
  ULONG InvalidAttributes;
  GENERIC_MAPPING GenericMapping;
  ULONG ValidAccess;
  UCHAR Unknown;
  BOOLEAN MaintainHandleDatabase;
  POOL_TYPE PoolType;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

/* TypeInformation is declared as a single element here, although
   NumberOfTypes suggests a variable number of entries follow -- verify the
   real layout before enabling this block. */
typedef struct _OBJECT_ALL_TYPES_INFORMATION {
  ULONG NumberOfTypes;
  OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
#endif

/*
 * OBJECT_HANDLE_ATTRIBUTE_INFORMATION - the two per-handle flags that can be
 * changed through ZwSetInformationObject (declared above).
 *
 * Inherit:          handle is copied into child processes created with
 *                   handle inheritance. Review any handle that gets this
 *                   set: an inherited handle to a sensitive object is a
 *                   common way privileges leak into a less trusted child.
 * ProtectFromClose: handle cannot be closed normally -- presumably the
 *                   BOOLEAN form of HANDLE_FLAG_PROTECT_FROM_CLOSE above;
 *                   confirm.
 */
typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION {
  BOOLEAN Inherit;
  BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION;

/*
 * NtDuplicateObject / ZwDuplicateObject - copy SourceHandle from the handle
 * table of SourceProcessHandle into the handle table of TargetProcessHandle.
 *
 * TargetHandle:  receives the new handle; OPTIONAL (may be NULL).
 * DesiredAccess: access requested for the new handle.
 * Attributes:    handle attributes for the new handle (e.g. the inherit
 *                bit; see the HANDLE_FLAG_* constants above).
 * Options:       DUPLICATE_* flags; they are not defined in this excerpt.
 *
 * NOTE(review): this is a privilege boundary. Duplicating a handle out of
 * another process lets the caller act with that process's access to the
 * object, and the access granted to the new handle is governed by
 * DesiredAccess and Options, not necessarily by what the source handle
 * held -- confirm the exact rules (in particular what happens when
 * DesiredAccess is wider than the source handle's GrantedAccess) before
 * using this from anything that brokers handles for a less trusted caller.
 * Which process rights SourceProcessHandle / TargetProcessHandle must carry
 * is not established here.
 */
NTOSAPI
NTSTATUS
NTAPI
NtDuplicateObject(
  IN HANDLE SourceProcessHandle,
  IN HANDLE SourceHandle,
  IN HANDLE TargetProcessHandle,
  OUT PHANDLE TargetHandle OPTIONAL,
  IN ACCESS_MASK DesiredAccess,
  IN ULONG Attributes,
  IN ULONG Options);

/* Zw form of NtDuplicateObject; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(
  IN HANDLE SourceProcessHandle,
  IN HANDLE SourceHandle,
  IN HANDLE TargetProcessHandle,
  OUT PHANDLE TargetHandle OPTIONAL,
  IN ACCESS_MASK DesiredAccess,
  IN ULONG Attributes,
  IN ULONG Options);

/*
 * NtQuerySecurityObject / ZwQuerySecurityObject - read (parts of) the
 * security descriptor of the object behind Handle.
 *
 * SecurityInformation:      which components to return (owner, group, DACL,
 *                           SACL selectors; the SECURITY_INFORMATION bits
 *                           are not defined in this excerpt).
 * SecurityDescriptor:       caller buffer of SecurityDescriptorLength bytes.
 * ReturnLength:             required / written size. Unlike most Query
 *                           routines in this file it is NOT marked OPTIONAL,
 *                           so always pass a valid pointer.
 *
 * NOTE(review): expect a buffer-too-small status on the first call when the
 * size is unknown and re-issue with ReturnLength; the
 * SecurityDescriptorLength field of OBJECT_BASIC_INFORMATION above may be
 * usable as a first estimate -- confirm. Asking for the SACL presumably
 * needs additional access on Handle beyond what a plain read requires;
 * confirm which access right before requesting it.
 */
NTOSAPI
NTSTATUS
NTAPI
NtQuerySecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN ULONG SecurityDescriptorLength,
  OUT PULONG ReturnLength);

/* Zw form of NtQuerySecurityObject; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwQuerySecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN ULONG SecurityDescriptorLength,
  OUT PULONG ReturnLength);

/*
 * NtSetSecurityObject / ZwSetSecurityObject - replace the components of the
 * object's security descriptor selected by SecurityInformation with those
 * taken from SecurityDescriptor.
 *
 * There is no length parameter: SecurityDescriptor is treated as
 * self-describing. If the descriptor originates from untrusted input
 * (a client of a service, a file), validate it before passing it in; a
 * malformed descriptor is at best a failed call and at worst an
 * unintended ACL. The validation helper is not part of this excerpt.
 *
 * NOTE(review): changing the DACL / owner / SACL presumably requires the
 * corresponding write access (WRITE_DAC, WRITE_OWNER, ...) to be present in
 * the handle's GrantedAccess -- confirm which rights are checked.
 */
NTOSAPI
NTSTATUS
NTAPI
NtSetSecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor);

/* Zw form of NtSetSecurityObject; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetSecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor);

/*
 * ZwOpenDirectoryObject - open an object-manager directory (a node in the
 * kernel object namespace, not a file-system directory).
 *
 * DirectoryHandle:  receives the handle.
 * DesiredAccess:    directory access rights (DIRECTORY_* values are not
 *                   defined in this excerpt).
 * ObjectAttributes: names the directory; the name is resolved by the
 *                   object manager, so it may traverse symbolic-link
 *                   objects (see ZwCreateSymbolicLinkObject below).
 */
NTOSAPI
NTSTATUS
NTAPI
ZwOpenDirectoryObject(
  OUT PHANDLE DirectoryHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes);

/*
 * ZwQueryDirectoryObject - enumerate the entries of an object-manager
 * directory opened with ZwOpenDirectoryObject.
 *
 * Buffer / BufferLength: receive DIRECTORY_BASIC_INFORMATION entries.
 * ReturnSingleEntry:     TRUE to return at most one entry per call.
 * RestartScan:           TRUE to begin again from the first entry.
 * Context:               IN OUT enumeration cursor. Initialise it before the
 *                        first call and pass the same variable back on each
 *                        subsequent call (the initial value is not
 *                        established here -- presumably 0; confirm).
 * ReturnLength:          bytes written; OPTIONAL.
 *
 * NOTE(review): the ObjectName / ObjectTypeName strings in each entry are
 * UNICODE_STRINGs whose Buffer presumably points back into Buffer itself,
 * so they are only valid until the buffer is reused or freed -- copy them
 * out if needed, and never read past ReturnLength when walking the entries.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject(
  IN HANDLE DirectoryHandle,
  OUT PVOID Buffer,
  IN ULONG BufferLength,
  IN BOOLEAN ReturnSingleEntry,
  IN BOOLEAN RestartScan,
  IN OUT PULONG Context,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * DIRECTORY_BASIC_INFORMATION - one entry returned by ZwQueryDirectoryObject:
 * the object's name and the name of its object type.
 */
typedef struct _DIRECTORY_BASIC_INFORMATION {
  UNICODE_STRING ObjectName;
  UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

/*
 * ZwCreateSymbolicLinkObject - create an object-manager symbolic link whose
 * name is given by ObjectAttributes and which resolves to TargetName.
 *
 * SymbolicLinkHandle: receives the handle to the new link object.
 * DesiredAccess:      access to the link object itself.
 * TargetName:         the namespace path the link resolves to. It is not
 *                     validated against existence here; resolution happens
 *                     when another caller's name lookup traverses the link.
 *
 * NOTE(review): object-manager symbolic links are a well-known redirection
 * primitive. A link created in a directory that less-privileged code can
 * write, or a link whose target a less-privileged caller can later point
 * elsewhere, lets that caller redirect every name lookup that traverses
 * it. Make sure ObjectAttributes carries an explicit security descriptor
 * when the link lives in a shared part of the namespace, and treat the
 * name of any link you follow as untrusted input.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateSymbolicLinkObject(
  OUT PHANDLE SymbolicLinkHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PUNICODE_STRING TargetName);

/* Virtual memory */

/*
 * MEMORY_INFORMATION_CLASS - selector for ZwQueryVirtualMemory (below).
 *
 * MemoryBasicInformation:   region summary (result layout not declared in
 *                           this excerpt).
 * MemoryWorkingSetList:     returns a MEMORY_WORKING_SET_LIST.
 * MemorySectionName:        returns a MEMORY_SECTION_NAME, i.e. the backing
 *                           file of a mapped section.
 * MemoryBasicVlmInformation: no result layout is declared in this excerpt.
 *
 * The enum is unnumbered, so the values are 0..3 in this order; do not
 * reorder or insert entries without confirming the kernel's numbering.
 */
typedef enum _MEMORY_INFORMATION_CLASS {
  MemoryBasicInformation,
  MemoryWorkingSetList,
  MemorySectionName,
  MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;

/*
 * NtAllocateVirtualMemory / ZwAllocateVirtualMemory - reserve and/or commit
 * virtual address space in the process named by ProcessHandle.
 *
 * BaseAddress:    IN OUT. On input a preferred address (or NULL to let the
 *                 kernel choose); on output the actual base, which may be
 *                 rounded -- treat the output value, not the input, as the
 *                 start of the region.
 * ZeroBits:       number of high-order address bits that must be zero in
 *                 the returned base.
 * AllocationSize: IN OUT. Requested size on input, actual (rounded) size
 *                 on output. Use the output value when freeing.
 * AllocationType: MEM_* flags (commit / reserve); not defined in this
 *                 excerpt.
 * Protect:        PAGE_* protection for committed pages; not defined here.
 *
 * NOTE(review): sizes are ULONG / PULONG in this 2002-era declaration,
 * i.e. a 32-bit assumption; a 64-bit build would need SIZE_T-sized
 * parameters. Also prefer not to request writable-and-executable
 * protection in one step; allocate writable, fill, then change protection
 * with ZwProtectVirtualMemory so pages are never both writable and
 * executable at the same time.
 */
NTOSAPI
NTSTATUS
NTAPI
NtAllocateVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN ULONG ZeroBits,
  IN OUT PULONG AllocationSize,
  IN ULONG AllocationType,
  IN ULONG Protect);

/* Zw form of NtAllocateVirtualMemory; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwAllocateVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN ULONG ZeroBits,
  IN OUT PULONG AllocationSize,
  IN ULONG AllocationType,
  IN ULONG Protect);

/*
 * NtFreeVirtualMemory / ZwFreeVirtualMemory - release or decommit a region
 * previously obtained with NtAllocateVirtualMemory.
 *
 * BaseAddress: IN OUT; the region base, rounded by the kernel on output.
 * FreeSize:    IN OUT; bytes to free, rounded on output. (Whether 0 means
 *              "the whole region" is not established in this excerpt --
 *              confirm before relying on it.)
 * FreeType:    MEM_* flag selecting release vs. decommit; not defined here.
 *
 * After a successful release the region may be handed to another caller;
 * any pointer into it is dangling from then on.
 */
NTOSAPI
NTSTATUS
NTAPI
NtFreeVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG FreeSize,
  IN ULONG FreeType);

/* Zw form of NtFreeVirtualMemory; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwFreeVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG FreeSize,
  IN ULONG FreeType);

/*
 * ZwQueryVirtualMemory - query information about the virtual memory of
 * ProcessHandle at BaseAddress.
 *
 * MemoryInformationClass: one of MEMORY_INFORMATION_CLASS (above); it
 *                         determines the layout written to
 *                         MemoryInformation (MEMORY_WORKING_SET_LIST /
 *                         MEMORY_SECTION_NAME are declared below).
 * MemoryInformationLength: size of the caller's buffer.
 * ReturnLength:           bytes written or required; OPTIONAL.
 *
 * For the variable-length classes, call once to learn the size, then again
 * with a buffer of ReturnLength bytes; never index past the returned count.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
  OUT PVOID MemoryInformation,
  IN ULONG MemoryInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* MEMORY_WORKING_SET_LIST.WorkingSetList constants */
/*
 * Each WorkingSetList entry packs a protection code in its low bits
 * (WSLE_PAGE_READONLY .. WSLE_PAGE_EXECUTE_WRITECOPY, values 1..7), a
 * share count under WSLE_PAGE_SHARE_COUNT_MASK, and the WSLE_PAGE_SHAREABLE
 * bit. NOTE(review): the remaining high bits presumably hold the page's
 * virtual page number; that is not established by this excerpt -- confirm
 * the encoding before decoding addresses from these entries. Note that
 * WSLE_PAGE_EXECUTE_READ (0x003) is numerically between READONLY/EXECUTE
 * and READWRITE, so these are codes, not independent flag bits; compare
 * the masked value for equality rather than testing bits.
 */
#define WSLE_PAGE_READONLY 0x001
#define WSLE_PAGE_EXECUTE 0x002
#define WSLE_PAGE_READWRITE 0x004
#define WSLE_PAGE_EXECUTE_READ 0x003
#define WSLE_PAGE_WRITECOPY 0x005
#define WSLE_PAGE_EXECUTE_READWRITE 0x006
#define WSLE_PAGE_EXECUTE_WRITECOPY 0x007
#define WSLE_PAGE_SHARE_COUNT_MASK 0x0E0
#define WSLE_PAGE_SHAREABLE 0x100

/*
 * MEMORY_WORKING_SET_LIST - result of ZwQueryVirtualMemory with
 * MemoryWorkingSetList: a count followed by NumberOfPages entries.
 *
 * WorkingSetList[1] is the classic "header + trailing array" idiom: the
 * real buffer holds NumberOfPages entries, so the struct must be allocated
 * with sizeof(ULONG) * (NumberOfPages + 1) bytes (or whatever ReturnLength
 * reports) and indexed only up to NumberOfPages. It is deliberately not
 * changed to a C99 flexible array member: that would alter sizeof() and
 * every caller's size arithmetic.
 */
typedef struct _MEMORY_WORKING_SET_LIST {
  ULONG NumberOfPages;
  ULONG WorkingSetList[1];
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;

/*
 * MEMORY_SECTION_NAME - result of ZwQueryVirtualMemory with
 * MemorySectionName: the name of the file backing the mapped section at the
 * queried address. The UNICODE_STRING Buffer presumably points just after
 * the structure inside the same caller buffer -- size the buffer
 * accordingly and copy the string out before reusing it.
 */
typedef struct _MEMORY_SECTION_NAME {
  UNICODE_STRING SectionFileName;
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;

/* Zw[Lock|Unlock]VirtualMemory.LockType constants */
/*
 * LOCK_VM_IN_WSL: keep the pages in the process working set.
 * LOCK_VM_IN_RAM: keep the pages resident in physical memory.
 * NOTE(review): whether LOCK_VM_IN_RAM needs a privilege is not established
 * here; confirm before using it from an unprivileged caller.
 */
#define LOCK_VM_IN_WSL 0x01
#define LOCK_VM_IN_RAM 0x02

/*
 * ZwLockVirtualMemory - pin the pages of [BaseAddress, BaseAddress+LockSize)
 * in ProcessHandle according to LockType.
 *
 * BaseAddress / LockSize are IN OUT and are rounded to page boundaries on
 * output; unlock with the rounded values. Locking pages that hold secrets
 * keeps them out of the pagefile, but it does not zero them -- scrub
 * explicitly before unlocking or freeing.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwLockVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG LockSize,
  IN ULONG LockType);

/*
 * ZwUnlockVirtualMemory - undo ZwLockVirtualMemory for the same range and
 * LockType. Same parameter conventions as the lock call.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwUnlockVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG LockSize,
  IN ULONG LockType);

/*
 * ZwReadVirtualMemory - copy BufferLength bytes from BaseAddress in the
 * address space of ProcessHandle into the caller's Buffer.
 *
 * ReturnLength: bytes actually copied; OPTIONAL. A short copy is possible,
 * so consumers should use this value rather than BufferLength when it is
 * supplied.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwReadVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  OUT PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * ZwWriteVirtualMemory - copy BufferLength bytes from the caller's Buffer to
 * BaseAddress in the address space of ProcessHandle.
 *
 * ReturnLength: bytes actually written; OPTIONAL.
 *
 * NOTE(review): together with ZwCreateThread / ZwSetContextThread /
 * ZwQueueApcThread below this is the core of cross-process code injection.
 * Any component that calls it on a handle to another process should be
 * reviewed for what access the handle carries and where the target
 * address comes from. Which process rights ProcessHandle must hold is not
 * established in this excerpt.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwWriteVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * ZwProtectVirtualMemory - change the page protection of a committed range
 * in ProcessHandle.
 *
 * BaseAddress / ProtectSize: IN OUT; rounded to page boundaries on output,
 *                            so the change may cover more than requested.
 * NewProtect:                PAGE_* value (not defined in this excerpt).
 * OldProtect:                receives the previous protection; NOT optional,
 *                            pass a valid pointer. Keep it so a temporary
 *                            change can be restored exactly.
 *
 * This is the call to use to make filled memory executable after it was
 * written, so that no page is writable and executable at once.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwProtectVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG ProtectSize,
  IN ULONG NewProtect,
  OUT PULONG OldProtect);

/*
 * ZwFlushVirtualMemory - write modified pages of a mapped-file range in
 * ProcessHandle back to the backing file.
 *
 * BaseAddress / FlushSize: IN OUT; rounded on output.
 * IoStatusBlock:           receives the status of the flush I/O.
 *
 * NOTE(review): the call presumably has no effect on ranges that are not
 * backed by a file section -- confirm if a caller depends on the status for
 * private memory.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwFlushVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG FlushSize,
  OUT PIO_STATUS_BLOCK IoStatusBlock);

/*
 * Physical-page (AWE) interface. These four routines hand physical page
 * frame numbers to user mode and let the caller map them into a virtual
 * range. Two things a reviewer should keep in mind:
 *
 *  - PageFrameNumbers are raw PFNs. Leaking them to a less trusted caller
 *    discloses physical memory layout; keep the array private.
 *  - The ProcessHandle / NumberOfPages conventions differ per routine (see
 *    each prototype); they are reproduced here exactly as declared and
 *    were not cross-checked against the kernel for this review.
 */

/*
 * ZwAllocateUserPhysicalPages - allocate *NumberOfPages physical pages for
 * ProcessHandle and return their PFNs in PageFrameNumbers.
 * NumberOfPages is declared IN (not IN OUT) here, unlike the Free routine;
 * NOTE(review): confirm whether the kernel updates it with the number
 * actually allocated.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwAllocateUserPhysicalPages(
  IN HANDLE ProcessHandle,
  IN PULONG NumberOfPages,
  OUT PULONG PageFrameNumbers);

/*
 * ZwFreeUserPhysicalPages - release the pages listed in PageFrameNumbers.
 * NumberOfPages is IN OUT: on output presumably the number actually freed.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwFreeUserPhysicalPages(
  IN HANDLE ProcessHandle,
  IN OUT PULONG NumberOfPages,
  IN PULONG PageFrameNumbers);

/*
 * ZwMapUserPhysicalPages - map *NumberOfPages pages from PageFrameNumbers
 * consecutively at BaseAddress. There is no ProcessHandle: this operates on
 * the calling process. Passing a NULL PageFrameNumbers to unmap is not
 * established by this declaration -- confirm before relying on it.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwMapUserPhysicalPages(
  IN PVOID BaseAddress,
  IN PULONG NumberOfPages,
  IN PULONG PageFrameNumbers);

/*
 * ZwMapUserPhysicalPagesScatter - like ZwMapUserPhysicalPages but with one
 * target virtual address per page in BaseAddresses (an array of
 * *NumberOfPages entries). Both arrays must have at least *NumberOfPages
 * elements; the kernel cannot check the caller's array sizes.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwMapUserPhysicalPagesScatter(
  IN PVOID *BaseAddresses,
  IN PULONG NumberOfPages,
  IN PULONG PageFrameNumbers);

/*
 * ZwGetWriteWatch - retrieve the addresses of pages written since the last
 * reset in a write-watched region of ProcessHandle.
 *
 * Flags:         write-watch flags (not defined in this excerpt).
 * BaseAddress / RegionSize:
 *                the region to report on.
 * Buffer:        receives page addresses; capacity is *BufferEntries.
 * BufferEntries: IN OUT -- capacity on input, number of entries written on
 *                output. Always read the output value; the region may have
 *                more dirty pages than the buffer holds.
 * Granularity:   receives the page size the addresses are reported at.
 *
 * NOTE(review): the region must presumably have been allocated with a
 * write-watch allocation flag; that flag is not part of this excerpt.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwGetWriteWatch(
  IN HANDLE ProcessHandle,
  IN ULONG Flags,
  IN PVOID BaseAddress,
  IN ULONG RegionSize,
  OUT PULONG Buffer,
  IN OUT PULONG BufferEntries,
  OUT PULONG Granularity);

/*
 * ZwResetWriteWatch - clear the write-watch state for the given region so
 * that a subsequent ZwGetWriteWatch reports only new writes.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwResetWriteWatch(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  IN ULONG RegionSize);

/* Sections */

/*
 * SECTION_INFORMATION_CLASS - selector for ZwQuerySection (below).
 * SectionBasicInformation = 0, SectionImageInformation = 1; the result
 * layouts are not declared in this excerpt.
 */
typedef enum _SECTION_INFORMATION_CLASS {
  SectionBasicInformation,
  SectionImageInformation
} SECTION_INFORMATION_CLASS;

/*
 * NtCreateSection / ZwCreateSection - create a section object, either
 * backed by FileHandle or (presumably, when no file is supplied) by the
 * pagefile.
 *
 * SectionHandle:    receives the handle.
 * DesiredAccess:    SECTION_* rights (not defined in this excerpt).
 * ObjectAttributes: optional name and security descriptor. A named section
 *                   in a shared namespace is reachable by other callers;
 *                   give it an explicit DACL rather than the default.
 * SectionSize:      maximum size; OPTIONAL (file-backed sections can
 *                   presumably take their size from the file).
 * Protect:          PAGE_* protection of the section's pages.
 * Attributes:       SEC_* attributes, e.g. image vs. plain data (not
 *                   defined here).
 * FileHandle:       the backing file. It is not marked OPTIONAL in this
 *                   declaration even though pagefile-backed sections need
 *                   no file -- confirm the accepted value for "no file".
 *
 * NOTE(review): a writable shared section is a cross-process data channel;
 * both sides must treat what they read from it as untrusted.
 */
NTOSAPI
NTSTATUS
NTAPI
NtCreateSection(
  OUT PHANDLE SectionHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PLARGE_INTEGER SectionSize OPTIONAL,
  IN ULONG Protect,
  IN ULONG Attributes,
  IN HANDLE FileHandle);

/* Zw form of NtCreateSection; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateSection(
  OUT PHANDLE SectionHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PLARGE_INTEGER SectionSize OPTIONAL,
  IN ULONG Protect,
  IN ULONG Attributes,
  IN HANDLE FileHandle);

/*
 * ZwQuerySection - query a section object.
 *
 * SectionInformationClass:  one of SECTION_INFORMATION_CLASS (above).
 * SectionInformation / SectionInformationLength:
 *                           caller buffer; the layout per class is not
 *                           declared in this excerpt.
 * ResultLength:             bytes written or required; OPTIONAL. (Named
 *                           ResultLength here, ReturnLength elsewhere in
 *                           this file; the meaning is the same.)
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQuerySection(
  IN HANDLE SectionHandle,
  IN SECTION_INFORMATION_CLASS SectionInformationClass,
  OUT PVOID SectionInformation,
  IN ULONG SectionInformationLength,
  OUT PULONG ResultLength OPTIONAL);

/*
 * ZwExtendSection - grow SectionHandle to the size given by SectionSize.
 * Existing mappings are not resized by this call; callers that need the
 * new range mapped must map it again. Whether a section can be shrunk
 * through this routine is not established here.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwExtendSection(
  IN HANDLE SectionHandle,
  IN PLARGE_INTEGER SectionSize);

/*
 * ZwAreMappedFilesTheSame - report whether the two addresses (in the
 * calling process) lie in mappings of the same file.
 *
 * The answer is carried in the NTSTATUS return: a success status for
 * "same file" and an error status otherwise -- so this cannot be used as a
 * plain boolean; examine the status value. Which status codes are used is
 * not established in this excerpt.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwAreMappedFilesTheSame(
  IN PVOID Address1,
  IN PVOID Address2);

/* Threads */

/*
 * USER_STACK - describes the user-mode stack for ZwCreateThread (below).
 *
 * Either the Fixed* pair (a fully committed stack) or the Expandable*
 * triple (a reserved stack that grows toward ExpandableStackBottom) is
 * used; which one applies to a given call is not established by this
 * excerpt -- presumably the unused set is zeroed. Note the NT convention:
 * "Base" is the high address and "Limit" the low one.
 *
 * The caller owns the stack memory; it must be allocated (and, for the
 * expandable form, have its guard region set up) before the thread runs.
 */
typedef struct _USER_STACK {
  PVOID FixedStackBase;
  PVOID FixedStackLimit;
  PVOID ExpandableStackBase;
  PVOID ExpandableStackLimit;
  PVOID ExpandableStackBottom;
} USER_STACK, *PUSER_STACK;

/*
 * ZwCreateThread - create a thread in ProcessHandle from a raw CONTEXT and
 * USER_STACK supplied by the caller.
 *
 * ThreadHandle:     receives the handle.
 * DesiredAccess:    THREAD_* rights (not defined in this excerpt).
 * ObjectAttributes: optional name / security descriptor for the thread.
 * ProcessHandle:    the process to create the thread in. May be another
 *                   process -- see the note below.
 * ClientId:         receives the new thread's process/thread ids.
 * ThreadContext:    initial register state, including the start address.
 * UserStack:        see USER_STACK above.
 * CreateSuspended:  TRUE to leave the thread suspended until
 *                   ZwResumeThread is called.
 *
 * NOTE(review): this is the raw kernel primitive. Nothing in this
 * declaration initialises the thread for the user-mode runtime (loader
 * notifications, TLS, etc.), so a thread created this way in a foreign
 * process runs exactly what ThreadContext points at. That makes it an
 * injection primitive; audit callers that pass a handle to another
 * process.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateThread(
  OUT PHANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN HANDLE ProcessHandle,
  OUT PCLIENT_ID ClientId,
  IN PCONTEXT ThreadContext,
  IN PUSER_STACK UserStack,
  IN BOOLEAN CreateSuspended);

/*
 * NtOpenThread / ZwOpenThread - open a handle to an existing thread.
 *
 * The thread is selected by ClientId (process id + thread id); the
 * ObjectAttributes presumably carry only attributes and no name in that
 * case. DesiredAccess is checked against the thread's security descriptor;
 * request only the rights needed (e.g. not all-access) so that a leaked or
 * inherited handle is worth less to an attacker.
 */
NTOSAPI
NTSTATUS
NTAPI
NtOpenThread(
  OUT PHANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PCLIENT_ID ClientId);

/* Zw form of NtOpenThread; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwOpenThread(
  OUT PHANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PCLIENT_ID ClientId);

/*
 * ZwTerminateThread - terminate ThreadHandle with ExitStatus.
 *
 * ThreadHandle is OPTIONAL; a NULL handle presumably means the calling
 * thread (confirm). Terminating a thread from outside skips all of its
 * cleanup: locks it holds stay held and resources it owns leak, so prefer
 * signalling the thread and letting it exit on its own.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwTerminateThread(
  IN HANDLE ThreadHandle OPTIONAL,
  IN NTSTATUS ExitStatus);

/*
 * NtQueryInformationThread / ZwQueryInformationThread - query a thread.
 *
 * ThreadInformationClass: THREADINFOCLASS selector (the enum is not part
 *                         of this excerpt). Result layouts declared below:
 *                         THREAD_BASIC_INFORMATION and KERNEL_USER_TIMES.
 * ThreadInformation / ThreadInformationLength:
 *                         caller buffer; the kernel rejects a size that
 *                         does not match the class's layout, so pass
 *                         sizeof() of the exact structure.
 * ReturnLength:           bytes written; OPTIONAL.
 */
NTOSAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
  IN HANDLE ThreadHandle,
  IN THREADINFOCLASS ThreadInformationClass,
  OUT PVOID ThreadInformation,
  IN ULONG ThreadInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Zw form of NtQueryInformationThread; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
  IN HANDLE ThreadHandle,
  IN THREADINFOCLASS ThreadInformationClass,
  OUT PVOID ThreadInformation,
  IN ULONG ThreadInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * NtSetInformationThread - change a thread property selected by
 * ThreadInformationClass, using the input in ThreadInformation.
 *
 * Only the Nt form is declared here; this file has no ZwSetInformationThread
 * (NOTE(review): presumably an omission -- every other Set routine in this
 * excerpt has a Zw twin; check the export list before adding one).
 * Some classes are security-relevant (e.g. impersonation-token classes);
 * audit callers for which class they pass.
 */
NTOSAPI
NTSTATUS
NTAPI
NtSetInformationThread(
  IN HANDLE ThreadHandle,
  IN THREADINFOCLASS ThreadInformationClass,
  IN PVOID ThreadInformation,
  IN ULONG ThreadInformationLength);

/*
 * THREAD_BASIC_INFORMATION - basic-information result for
 * NtQueryInformationThread.
 *
 * ExitStatus:     exit code if the thread has exited (otherwise presumably
 *                 STATUS_PENDING; confirm).
 * TebBaseAddress: address of the thread's TEB in its own process. Treat it
 *                 as a foreign address when the queried thread belongs to
 *                 another process -- read it with ZwReadVirtualMemory, never
 *                 dereference it directly.
 * ClientId:       process id + thread id.
 * AffinityMask:   processor affinity.
 * Priority / BasePriority:
 *                 current and base scheduling priority.
 */
typedef struct _THREAD_BASIC_INFORMATION {
  NTSTATUS ExitStatus;
  PNT_TIB TebBaseAddress;
  CLIENT_ID ClientId;
  KAFFINITY AffinityMask;
  KPRIORITY Priority;
  KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

/*
 * KERNEL_USER_TIMES - timing result for the thread (and process) time
 * query classes. CreateTime / ExitTime are absolute timestamps; KernelTime
 * / UserTime are accumulated CPU time. All are LARGE_INTEGER in the usual
 * 100 ns units (presumably -- the unit is not stated here).
 */
typedef struct _KERNEL_USER_TIMES {
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER ExitTime;
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;

/*
 * ZwSuspendThread - increment the suspend count of ThreadHandle and stop
 * it from being scheduled.
 *
 * PreviousSuspendCount: count before the call; OPTIONAL. The count is
 * what matters: a thread resumes only when it returns to zero, so every
 * suspend must be matched by exactly one resume.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwSuspendThread(
  IN HANDLE ThreadHandle,
  OUT PULONG PreviousSuspendCount OPTIONAL);

/*
 * ZwResumeThread - decrement the suspend count of ThreadHandle; the thread
 * runs again when the count reaches zero (including a thread created with
 * CreateSuspended in ZwCreateThread).
 *
 * PreviousSuspendCount: count before the call; OPTIONAL.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwResumeThread(
  IN HANDLE ThreadHandle,
  OUT PULONG PreviousSuspendCount OPTIONAL);

/*
 * ZwGetContextThread - copy the register context of ThreadHandle into
 * *Context.
 *
 * The caller sets Context->ContextFlags to choose which register groups to
 * fetch (the flag values are not part of this excerpt). The target thread
 * should be suspended first or the snapshot is racy.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwGetContextThread(
  IN HANDLE ThreadHandle,
  OUT PCONTEXT Context);

/*
 * ZwSetContextThread - overwrite the register context of ThreadHandle from
 * *Context (the register groups selected by Context->ContextFlags).
 *
 * NOTE(review): changing the instruction pointer of a suspended thread is
 * a standard way to hijack execution in another process; review callers
 * that use this on a handle they did not create themselves. The thread
 * must be suspended for the new context to take effect deterministically.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwSetContextThread(
  IN HANDLE ThreadHandle,
  IN PCONTEXT Context);

/*
 * ZwQueueApcThread - queue a user-mode APC to ThreadHandle.
 *
 * ApcRoutine: delivered in the context of the target thread the next time
 *             it enters an alertable wait (or is alerted; see ZwTestAlert /
 *             ZwAlertThread below). The routine receives ApcContext,
 *             Argument1 and Argument2 -- all OPTIONAL.
 *
 * NOTE(review): ApcRoutine is interpreted in the target thread's address
 * space. When the target is in another process this is an injection
 * primitive ("APC injection"); the routine address must be valid there,
 * not here. Also note that a thread which never waits alertably never runs
 * the APC, so this cannot be relied on for prompt delivery.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQueueApcThread(
  IN HANDLE ThreadHandle,
  IN PKNORMAL_ROUTINE ApcRoutine,
  IN PVOID ApcContext OPTIONAL,
  IN PVOID Argument1 OPTIONAL,
  IN PVOID Argument2 OPTIONAL);

/*
 * ZwTestAlert - test and clear the calling thread's alerted state; pending
 * user-mode APCs are presumably delivered as a side effect (confirm). The
 * return status tells whether the thread was alerted.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwTestAlert(
  VOID);

/*
 * ZwAlertThread - set the alerted state of ThreadHandle, which breaks it
 * out of an alertable wait.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwAlertThread(
  IN HANDLE ThreadHandle);

/*
 * ZwAlertResumeThread - ZwAlertThread followed by ZwResumeThread as one
 * operation; PreviousSuspendCount (OPTIONAL) is as for ZwResumeThread.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwAlertResumeThread(
  IN HANDLE ThreadHandle,
  OUT PULONG PreviousSuspendCount OPTIONAL);

/*
 * ZwRegisterThreadTerminatePort - register an LPC port that is notified
 * when the calling thread terminates. The message format and the port
 * type expected are not part of this excerpt.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwRegisterThreadTerminatePort(
  IN HANDLE PortHandle);

/*
 * ZwImpersonateThread - make ThreadHandle impersonate the security context
 * of TargetThreadHandle.
 *
 * SecurityQos: caps the impersonation level and related options. This is
 * the single most important parameter for security: set the level to the
 * least that the work requires (identification where only the identity is
 * needed), otherwise the impersonating thread can act fully as the target
 * -- and, when the target is more privileged, that is a privilege
 * escalation. The SECURITY_QUALITY_OF_SERVICE layout and level values are
 * not part of this excerpt.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwImpersonateThread(
  IN HANDLE ThreadHandle,
  IN HANDLE TargetThreadHandle,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos);

/*
 * ZwImpersonateAnonymousToken - make ThreadHandle impersonate the anonymous
 * logon; useful to temporarily drop all identity before touching an object
 * that should be reachable by everyone. Revert afterwards (the revert call
 * is not part of this excerpt), or every later operation on that thread
 * runs without credentials.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwImpersonateAnonymousToken(
  IN HANDLE ThreadHandle);

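/* Processes */

/*
 * NtCreateProcess - create a new process object.
 *
 * ProcessHandle:            receives the handle.
 * DesiredAccess:            PROCESS_* rights (not defined in this excerpt).
 * ObjectAttributes:         optional name / security descriptor.
 * InheritFromProcessHandle: the parent whose address space, token and
 *                           (if InheritHandles) inheritable handles the
 *                           new process starts from.
 * InheritHandles:           TRUE to copy the parent's inheritable handles.
 *                           Audit what the parent has marked inheritable
 *                           (OBJECT_HANDLE_ATTRIBUTE_INFORMATION.Inherit,
 *                           above) before passing TRUE to a less trusted
 *                           child.
 * SectionHandle:            OPTIONAL image section to map as the
 *                           executable; if absent the parent's address
 *                           space is presumably cloned (confirm).
 * DebugPort / ExceptionPort: OPTIONAL LPC ports for debug / exception
 *                           messages.
 *
 * NOTE(review): this creates only the process object; no initial thread is
 * created and no user-mode initialisation is done. Callers follow it with
 * ZwCreateThread.
 *
 * Fix: this declaration was a verbatim duplicate of ZwCreateProcess below,
 * so NtCreateProcess was never declared. Every other Nt/Zw pair in this
 * file (NtDuplicateObject, NtQuerySecurityObject, NtCreateSection,
 * NtOpenThread, NtOpenProcessToken, ...) declares the Nt variant first, so
 * the Nt name is the intended one; the Zw declaration that follows is
 * unchanged.
 */
NTOSAPI
NTSTATUS
NTAPI
NtCreateProcess(
  OUT PHANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN HANDLE InheritFromProcessHandle,
  IN BOOLEAN InheritHandles,
  IN HANDLE SectionHandle OPTIONAL,
  IN HANDLE DebugPort OPTIONAL,
  IN HANDLE ExceptionPort OPTIONAL);
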
/*
 * ZwCreateProcess - create a new process object.
 *
 * ProcessHandle:            receives the handle.
 * DesiredAccess:            PROCESS_* rights (not defined in this excerpt).
 * ObjectAttributes:         optional name / security descriptor.
 * InheritFromProcessHandle: the parent whose address space, token and
 *                           (if InheritHandles) inheritable handles the
 *                           new process starts from.
 * InheritHandles:           TRUE to copy the parent's inheritable handles;
 *                           review what is inheritable before passing TRUE
 *                           for a less trusted child.
 * SectionHandle:            OPTIONAL image section to map as the
 *                           executable.
 * DebugPort / ExceptionPort: OPTIONAL LPC ports for debug / exception
 *                           messages.
 *
 * Only the process object is created; the caller creates the initial
 * thread with ZwCreateThread.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
  OUT PHANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN HANDLE InheritFromProcessHandle,
  IN BOOLEAN InheritHandles,
  IN HANDLE SectionHandle OPTIONAL,
  IN HANDLE DebugPort OPTIONAL,
  IN HANDLE ExceptionPort OPTIONAL);

/*
 * ZwTerminateProcess - terminate every thread of ProcessHandle with
 * ExitStatus. ProcessHandle is OPTIONAL; NULL presumably means the calling
 * process (confirm).
 */
NTOSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
  IN HANDLE ProcessHandle OPTIONAL,
  IN NTSTATUS ExitStatus);

/*
 * ZwQueryInformationProcess - query a process.
 *
 * ProcessInformationClass: PROCESSINFOCLASS selector (enum not part of
 *                          this excerpt). Result layouts declared below
 *                          include PROCESS_BASIC_INFORMATION,
 *                          POOLED_USAGE_AND_LIMITS,
 *                          PROCESS_WS_WATCH_INFORMATION,
 *                          PROCESS_PRIORITY_CLASS,
 *                          PROCESS_DEVICEMAP_INFORMATION and
 *                          PROCESS_SESSION_INFORMATION.
 * ProcessInformation / ProcessInformationLength:
 *                          caller buffer; pass sizeof() of the exact
 *                          structure for fixed-size classes.
 * ReturnLength:            bytes written; OPTIONAL.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
  IN HANDLE ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  OUT PVOID ProcessInformation,
  IN ULONG ProcessInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * NtSetInformationProcess / ZwSetInformationProcess - change a process
 * property selected by ProcessInformationClass from ProcessInformation.
 *
 * NOTE(review): some classes are privileged or security-critical --
 * PROCESS_ACCESS_TOKEN (below) replaces the primary token, the device map
 * (PROCESS_DEVICEMAP_INFORMATION.Set) redirects drive-letter resolution
 * for the process, and the hard-error mode (SEM_* below) changes failure
 * behaviour. Audit callers for the class they pass and the handle they
 * pass it on.
 */
NTOSAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
  IN HANDLE ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  IN PVOID ProcessInformation,
  IN ULONG ProcessInformationLength);

/* Zw form of NtSetInformationProcess; same parameters and semantics. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
  IN HANDLE ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  IN PVOID ProcessInformation,
  IN ULONG ProcessInformationLength);

/*
 * PROCESS_BASIC_INFORMATION - basic-information result for
 * ZwQueryInformationProcess.
 *
 * ExitStatus:     exit code once the process has exited.
 * PebBaseAddress: address of the PEB in the *target* process; for another
 *                 process read it with ZwReadVirtualMemory, do not
 *                 dereference.
 * AffinityMask / BasePriority:
 *                 scheduling parameters.
 * UniqueProcessId / InheritedFromUniqueProcessId:
 *                 process id and parent process id. Both are ULONG here,
 *                 i.e. a 32-bit-era layout; a 64-bit build would use
 *                 ULONG_PTR for these, so do not assume this struct's
 *                 sizeof matches a 64-bit kernel.
 */
typedef struct _PROCESS_BASIC_INFORMATION {
  NTSTATUS ExitStatus;
  PPEB PebBaseAddress;
  KAFFINITY AffinityMask;
  KPRIORITY BasePriority;
  ULONG UniqueProcessId;
  ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

/*
 * PROCESS_ACCESS_TOKEN - input for the set-access-token class of
 * NtSetInformationProcess: replaces the process's primary token.
 *
 * Token:  handle to the new primary token.
 * Thread: handle to a thread of the process (presumably only meaningful
 *         while the process has no running threads; confirm).
 *
 * NOTE(review): assigning a primary token is the privileged operation that
 * CreateProcessAsUser is built on; it presumably requires a specific
 * privilege and a token of primary type. Treat any caller of this class as
 * security-critical.
 */
typedef struct _PROCESS_ACCESS_TOKEN {
  HANDLE Token;
  HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

/* DefaultHardErrorMode constants */
/*
 * Bits for the process default hard-error mode (set through
 * NtSetInformationProcess). Same names and values as the Win32
 * SetErrorMode flags; if both headers are included the definitions must
 * stay token-identical. SEM_FAILCRITICALERRORS in particular turns
 * interactive error pop-ups into failure statuses, which is what a
 * service or unattended process wants.
 */
#define SEM_FAILCRITICALERRORS 0x0001
#define SEM_NOGPFAULTERRORBOX 0x0002
#define SEM_NOALIGNMENTFAULTEXCEPT 0x0004
#define SEM_NOOPENFILEERRORBOX 0x8000

/*
 * POOLED_USAGE_AND_LIMITS - pool and pagefile quota usage / limits of a
 * process, for ZwQueryInformationProcess. All values are ULONG byte counts
 * (a 32-bit-era layout); "Peak" is the high-water mark, "Limit" the quota.
 */
typedef struct _POOLED_USAGE_AND_LIMITS {
  ULONG PeakPagedPoolUsage;
  ULONG PagedPoolUsage;
  ULONG PagedPoolLimit;
  ULONG PeakNonPagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG NonPagedPoolLimit;
  ULONG PeakPagefileUsage;
  ULONG PagefileUsage;
  ULONG PagefileLimit;
} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;

/*
 * PROCESS_WS_WATCH_INFORMATION - one working-set-watch record: the
 * instruction address (FaultingPc) that took a page fault and the address
 * that faulted (FaultingVa). A query presumably returns an array of these,
 * terminated or counted in a way not established by this excerpt.
 */
typedef struct _PROCESS_WS_WATCH_INFORMATION {
  PVOID FaultingPc;
  PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;

/* PROCESS_PRIORITY_CLASS.PriorityClass constants */
/*
 * Priority class codes for PROCESS_PRIORITY_CLASS.PriorityClass. Note that
 * the numeric order is NOT the priority order (BELOW_NORMAL = 5 and
 * ABOVE_NORMAL = 6 were added after REALTIME = 4), so never compare these
 * values with < / > to rank priorities. Setting PC_REALTIME presumably
 * requires a privilege; confirm before exposing it to unprivileged input.
 */
#define PC_IDLE 1
#define PC_NORMAL 2
#define PC_HIGH 3
#define PC_REALTIME 4
#define PC_BELOW_NORMAL 5
#define PC_ABOVE_NORMAL 6

/*
 * PROCESS_PRIORITY_CLASS - priority-class query/set layout for
 * ZwQueryInformationProcess / NtSetInformationProcess.
 *
 * Foreground:    whether the process currently gets the foreground boost.
 * PriorityClass: one of the PC_* codes above.
 */
typedef struct _PROCESS_PRIORITY_CLASS {
  BOOLEAN Foreground;
  UCHAR PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;

/* PROCESS_DEVICEMAP_INFORMATION.DriveType constants */
/*
 * Drive type codes stored in PROCESS_DEVICEMAP_INFORMATION.Query.DriveType.
 * Same names and values as the Win32 GetDriveType results; keep them
 * token-identical with any other header that defines them.
 */
#define DRIVE_UNKNOWN 0
#define DRIVE_NO_ROOT_DIR 1
#define DRIVE_REMOVABLE 2
#define DRIVE_FIXED 3
#define DRIVE_REMOTE 4
#define DRIVE_CDROM 5
#define DRIVE_RAMDISK 6

/*
 * PROCESS_DEVICEMAP_INFORMATION - the process's DOS device map, i.e. which
 * object directory resolves drive letters for it.
 *
 * Set.DirectoryHandle: input for NtSetInformationProcess -- a handle to an
 *                      object directory (see ZwOpenDirectoryObject) that
 *                      becomes the process's per-process device map.
 * Query.DriveMap:      output bitmask, bit n set when drive letter 'A'+n
 *                      exists.
 * Query.DriveType[32]: output, one DRIVE_* code per letter (indexed 0..25;
 *                      the array is padded to 32).
 *
 * NOTE(review): pointing a process's device map at a directory controlled
 * by another principal redirects every drive-letter path that process
 * opens -- a classic redirection attack. Only accept a DirectoryHandle for
 * Set from a trusted caller, and prefer an explicit DACL on that directory.
 * The anonymous union requires a compiler that accepts it (this file
 * already relies on that).
 */
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
  union {
    struct {
      HANDLE DirectoryHandle;
    } Set;
    struct {
      ULONG DriveMap;
      UCHAR DriveType[32];
    } Query;
  };
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;

/*
 * PROCESS_SESSION_INFORMATION - the terminal-services session id the
 * process belongs to, for ZwQueryInformationProcess. Session 0 is where
 * services run; a session check is a useful, but not sufficient, trust
 * signal -- the token, not the session, carries the identity.
 */
typedef struct _PROCESS_SESSION_INFORMATION {
  ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;

/*
 * RTL_USER_PROCESS_PARAMETERS - the block of user-mode startup parameters
 * that the PEB of a new process points at; built with
 * RtlCreateProcessParameters (below).
 *
 * AllocationSize / Size: allocated vs. used size of the block.
 * Flags / DebugFlags:    block flags (values not part of this excerpt).
 *                        NOTE(review): one of the Flags bits presumably
 *                        records whether the UNICODE_STRING Buffers are
 *                        absolute pointers or offsets relative to the block
 *                        ("normalized"); confirm before reading the strings
 *                        from a block copied out of another process.
 * hConsole, ProcessGroup, hStdInput / hStdOutput / hStdError:
 *                        console and standard handles. Handles placed here
 *                        are the ones the child will use; make sure they
 *                        are the intended objects and were marked
 *                        inheritable on purpose.
 * CurrentDirectoryName / CurrentDirectoryHandle:
 *                        the initial working directory and an open handle
 *                        to it.
 * DllPath:               search path for DLL loading. Security-relevant:
 *                        a path that includes a user-writable directory
 *                        enables DLL planting in the child.
 * ImagePathName / CommandLine:
 *                        image path and full command line.
 * Environment:           PWSTR to the environment block (sequence of
 *                        NUL-terminated strings ending in an empty one --
 *                        presumably; the terminator convention is not
 *                        stated here).
 * dwX .. wShowWindow:    window placement / console sizing; mirror the
 *                        like-named STARTUPINFO fields.
 * WindowTitle / DesktopInfo / ShellInfo / RuntimeInfo:
 *                        UNICODE_STRINGs. DesktopInfo names the window
 *                        station and desktop the process attaches to.
 *
 * All UNICODE_STRING fields carry a byte Length and are not guaranteed to
 * be NUL-terminated; use Length, never a string-length scan.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
  ULONG AllocationSize;
  ULONG Size;
  ULONG Flags;
  ULONG DebugFlags;
  HANDLE hConsole;
  ULONG ProcessGroup;
  HANDLE hStdInput;
  HANDLE hStdOutput;
  HANDLE hStdError;
  UNICODE_STRING CurrentDirectoryName;
  HANDLE CurrentDirectoryHandle;
  UNICODE_STRING DllPath;
  UNICODE_STRING ImagePathName;
  UNICODE_STRING CommandLine;
  PWSTR Environment;
  ULONG dwX;
  ULONG dwY;
  ULONG dwXSize;
  ULONG dwYSize;
  ULONG dwXCountChars;
  ULONG dwYCountChars;
  ULONG dwFillAttribute;
  ULONG dwFlags;
  ULONG wShowWindow;
  UNICODE_STRING WindowTitle;
  UNICODE_STRING DesktopInfo;
  UNICODE_STRING ShellInfo;
  UNICODE_STRING RuntimeInfo;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

/*
 * RtlCreateProcessParameters - allocate and fill an
 * RTL_USER_PROCESS_PARAMETERS block from the given strings.
 *
 * ProcessParameters: receives the newly allocated block. Ownership passes
 *                    to the caller, who must release it with
 *                    RtlDestroyProcessParameters (below); a block handed
 *                    to a new process is presumably copied, not adopted,
 *                    so it still needs destroying here -- confirm.
 * ImageFile:         required image path.
 * DllPath, CurrentDirectory, CommandLine, Environment, WindowTitle,
 * DesktopInfo, ShellInfo, RuntimeInfo:
 *                    all OPTIONAL; NULL presumably selects a default
 *                    derived from the calling process (confirm which).
 *                    Because a NULL DllPath / Environment inherits the
 *                    caller's values, a process that launches children with
 *                    a different identity should pass explicit values
 *                    rather than leaking its own environment and search
 *                    path.
 *
 * Like the other Rtl routines in this file this prototype carries no
 * NTOSAPI; it is the runtime-library (ntdll) export, not a kernel service.
 */
NTSTATUS
NTAPI
RtlCreateProcessParameters(
  OUT PRTL_USER_PROCESS_PARAMETERS *ProcessParameters,
  IN PUNICODE_STRING ImageFile,
  IN PUNICODE_STRING DllPath OPTIONAL,
  IN PUNICODE_STRING CurrentDirectory OPTIONAL,
  IN PUNICODE_STRING CommandLine OPTIONAL,
  IN PWSTR Environment OPTIONAL,
  IN PUNICODE_STRING WindowTitle OPTIONAL,
  IN PUNICODE_STRING DesktopInfo OPTIONAL,
  IN PUNICODE_STRING ShellInfo OPTIONAL,
  IN PUNICODE_STRING RuntimeInfo OPTIONAL);

/*
 * RtlDestroyProcessParameters - free a block obtained from
 * RtlCreateProcessParameters. The pointer is dangling afterwards.
 */
NTSTATUS
NTAPI
RtlDestroyProcessParameters(
  IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters);

/*
 * DEBUG_BUFFER - shared buffer used by RtlQueryProcessDebugInformation to
 * collect module / heap / lock / back-trace data from another process.
 *
 * SectionHandle / SectionBase / RemoteSectionBase / SectionBaseDelta:
 *                     the section mapped in both processes and the offset
 *                     between its two mappings. Pointers returned inside
 *                     the buffer may refer to the remote mapping; presumably
 *                     SectionBaseDelta is what rebases them -- confirm.
 * EventPairHandle / RemoteThreadHandle:
 *                     synchronisation with the helper thread the query
 *                     presumably creates in the target process.
 * Unknown[2] / Reserved[8]:
 *                     meaning unknown; do not depend on contents.
 * InfoClassMask:      the PDI_* mask of the last query.
 * SizeOfInfo / AllocatedSize / SectionSize:
 *                     size bookkeeping for the section.
 * ModuleInformation / BackTraceInformation / HeapInformation /
 * LockInformation:    pointers to the result arrays (see the DEBUG_*_
 *                     INFORMATION structs below); NULL when that class was
 *                     not requested.
 *
 * NOTE(review): this mechanism runs code in the target process (remote
 * thread), so it needs broad access to it and must only be used on
 * processes the caller is entitled to debug. The data comes from the
 * target and should be treated as untrusted -- bounds-check every count
 * and offset before walking the arrays.
 */
typedef struct _DEBUG_BUFFER {
  HANDLE SectionHandle;
  PVOID SectionBase;
  PVOID RemoteSectionBase;
  ULONG SectionBaseDelta;
  HANDLE EventPairHandle;
  ULONG Unknown[2];
  HANDLE RemoteThreadHandle;
  ULONG InfoClassMask;
  ULONG SizeOfInfo;
  ULONG AllocatedSize;
  ULONG SectionSize;
  PVOID ModuleInformation;
  PVOID BackTraceInformation;
  PVOID HeapInformation;
  PVOID LockInformation;
  PVOID Reserved[8];
} DEBUG_BUFFER, *PDEBUG_BUFFER;

/*
 * RtlCreateQueryDebugBuffer - allocate a DEBUG_BUFFER of Size bytes (0
 * presumably selects a default size; confirm), optionally with an event
 * pair. Returns NULL on failure -- check before use. Release with
 * RtlDestroyQueryDebugBuffer.
 */
PDEBUG_BUFFER
NTAPI
RtlCreateQueryDebugBuffer(
  IN ULONG Size,
  IN BOOLEAN EventPair);

/* RtlQueryProcessDebugInformation.DebugInfoClassMask constants */
/*
 * Bit flags selecting what RtlQueryProcessDebugInformation collects;
 * OR them together. PDI_HEAP_TAGS / PDI_HEAP_BLOCKS refine PDI_HEAPS
 * (presumably meaningless without it; confirm).
 */
#define PDI_MODULES 0x01
#define PDI_BACKTRACE 0x02
#define PDI_HEAPS 0x04
#define PDI_HEAP_TAGS 0x08
#define PDI_HEAP_BLOCKS 0x10
#define PDI_LOCKS 0x20

/*
 * RtlQueryProcessDebugInformation - fill DebugBuffer with the classes in
 * DebugInfoClassMask for the process with id ProcessId.
 *
 * The target is named by id, not handle, so the routine opens the process
 * itself; the caller's token must allow that. On success the
 * DEBUG_BUFFER's *Information pointers describe the results (layouts
 * below). The buffer is IN OUT: it must come from
 * RtlCreateQueryDebugBuffer and may be reused between calls.
 */
NTSTATUS
NTAPI
RtlQueryProcessDebugInformation(
  IN ULONG ProcessId,
  IN ULONG DebugInfoClassMask,
  IN OUT PDEBUG_BUFFER DebugBuffer);

/*
 * RtlDestroyQueryDebugBuffer - free a buffer from RtlCreateQueryDebugBuffer
 * along with its section and handles. The pointer is dangling afterwards.
 */
NTSTATUS
NTAPI
RtlDestroyQueryDebugBuffer(
  IN PDEBUG_BUFFER DebugBuffer);

/* DEBUG_MODULE_INFORMATION.Flags constants */
/*
 * Loader flags reported in DEBUG_MODULE_INFORMATION.Flags. They are the
 * loader's internal LDRP_* bits; the names are descriptive enough that no
 * further semantics are asserted here. LDRP_IMAGE_NOT_AT_BASE means the
 * image was relocated away from its preferred base.
 */
#define LDRP_STATIC_LINK 0x00000002
#define LDRP_IMAGE_DLL 0x00000004
#define LDRP_LOAD_IN_PROGRESS 0x00001000
#define LDRP_UNLOAD_IN_PROGRESS 0x00002000
#define LDRP_ENTRY_PROCESSED 0x00004000
#define LDRP_ENTRY_INSERTED 0x00008000
#define LDRP_CURRENT_LOAD 0x00010000
#define LDRP_FAILED_BUILTIN_LOAD 0x00020000
#define LDRP_DONT_CALL_FOR_THREADS 0x00040000
#define LDRP_PROCESS_ATTACH_CALLED 0x00080000
#define LDRP_DEBUG_SYMBOLS_LOADED 0x00100000
#define LDRP_IMAGE_NOT_AT_BASE 0x00200000
#define LDRP_WX86_IGNORE_MACHINETYPE 0x00400000

/*
 * DEBUG_MODULE_INFORMATION - one loaded module of the queried process
 * (PDI_MODULES).
 *
 * Reserved[2]:       unknown; do not depend on contents.
 * Base / Size:       image base and size as ULONG (32-bit-era layout; a
 *                    64-bit address does not fit).
 * Flags:             LDRP_* bits above.
 * Index / Unknown / LoadCount:
 *                    position in the loader list, an unknown field, and
 *                    the module's reference count.
 * ModuleNameOffset:  offset into ImageName of the file-name component
 *                    (presumably; confirm).
 * ImageName[256]:    full path as a narrow (CHAR) string in a fixed
 *                    buffer. Treat it as bounded data from another
 *                    process: stop at 256 bytes even if no NUL is found,
 *                    and check ModuleNameOffset < 256 before using it.
 *
 * The query presumably returns a count followed by an array of these; the
 * container layout is not part of this excerpt.
 */
typedef struct _DEBUG_MODULE_INFORMATION {
  ULONG Reserved[2];
  ULONG Base;
  ULONG Size;
  ULONG Flags;
  USHORT Index;
  USHORT Unknown;
  USHORT LoadCount;
  USHORT ModuleNameOffset;
  CHAR ImageName[256];
} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION;

/*
 * DEBUG_HEAP_INFORMATION - one heap of the queried process (PDI_HEAPS).
 *
 * Base:             heap base address as ULONG (32-bit-era layout).
 * Flags:            heap creation flags (values not part of this excerpt).
 * Granularity:      allocation granularity of the heap.
 * Unknown:          meaning unknown.
 * Allocated / Committed:
 *                   byte counts.
 * TagCount / BlockCount:
 *                   number of entries behind Tags / Blocks.
 * Reserved[7]:      unknown; do not depend on contents.
 * Tags / Blocks:    pointers to per-tag / per-block arrays, filled only
 *                   when PDI_HEAP_TAGS / PDI_HEAP_BLOCKS were requested
 *                   (presumably; element layouts are not part of this
 *                   excerpt). Bounds-check TagCount / BlockCount against
 *                   the buffer before walking them -- they come from the
 *                   target process.
 */
typedef struct _DEBUG_HEAP_INFORMATION {
  ULONG Base;
  ULONG Flags;
  USHORT Granularity;
  USHORT Unknown;
  ULONG Allocated;
  ULONG Committed;
  ULONG TagCount;
  ULONG BlockCount;
  ULONG Reserved[7];
  PVOID Tags;
  PVOID Blocks;
} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION;

/*
 * DEBUG_LOCK_INFORMATION - one runtime lock (critical section / resource)
 * of the queried process (PDI_LOCKS).
 *
 * Address:                  lock address in the target process.
 * Type:                     lock kind (codes not part of this excerpt).
 * CreatorBackTraceIndex:    index into the PDI_BACKTRACE data.
 * OwnerThreadId:            current owner, 0 presumably when unowned.
 * ActiveCount / ContentionCount / EntryCount / RecursionCount:
 *                           usage statistics.
 * NumberOfSharedWaiters / NumberOfExclusiveWaiters:
 *                           waiter counts (meaningful for resource-type
 *                           locks).
 */
typedef struct _DEBUG_LOCK_INFORMATION {
  PVOID Address;
  USHORT Type;
  USHORT CreatorBackTraceIndex;
  ULONG OwnerThreadId;
  ULONG ActiveCount;
  ULONG ContentionCount;
  ULONG EntryCount;
  ULONG RecursionCount;
  ULONG NumberOfSharedWaiters;
  ULONG NumberOfExclusiveWaiters;
} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION;

/* Jobs */

/*
 * ZwCreateJobObject - create a job object.
 *
 * ObjectAttributes may name the job; a named job in a shared namespace
 * should carry an explicit security descriptor, since whoever can open it
 * with the right access can change its limits (see
 * ZwSetInformationJobObject) and terminate every process in it.
 * DesiredAccess: JOB_OBJECT_* rights (not defined in this excerpt).
 */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateJobObject(
  OUT PHANDLE JobHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes);

/*
 * ZwOpenJobObject - open an existing (named) job object.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwOpenJobObject(
  OUT PHANDLE JobHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes);

/*
 * ZwTerminateJobObject - terminate every process in the job with
 * ExitStatus.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwTerminateJobObject(
  IN HANDLE JobHandle,
  IN NTSTATUS ExitStatus);

/*
 * ZwAssignProcessToJobObject - place ProcessHandle (and, presumably, the
 * processes it later creates, unless break-away is allowed -- see the
 * JOB_OBJECT_BREAKAWAY_OK / JOB_OBJECT_SILENT_BREAKAWAY limit flags below)
 * under the job's limits.
 *
 * NOTE(review): a job is only a sandbox boundary if the limits are set
 * before the process runs untrusted code and break-away is not permitted;
 * assign a process created suspended, configure the job, then resume.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwAssignProcessToJobObject(
  IN HANDLE JobHandle,
  IN HANDLE ProcessHandle);

/*
 * JOBOBJECTINFOCLASS - selector for ZwQueryInformationJobObject /
 * ZwSetInformationJobObject. Numbering starts at 1 and continues in
 * declaration order; the matching input/output layouts are declared below
 * under the same names (JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, ...).
 */
typedef enum _JOBOBJECTINFOCLASS {
  JobObjectBasicAccountingInformation = 1,
  JobObjectBasicLimitInformation,
  JobObjectBasicProcessIdList,
  JobObjectBasicUIRestrictions,
  JobObjectSecurityLimitInformation,
  JobObjectEndOfJobTimeInformation,
  JobObjectAssociateCompletionPortInformation,
  JobObjectBasicAndIoAccountingInformation,
  JobObjectExtendedLimitInformation
} JOBOBJECTINFOCLASS;

/*
 * ZwQueryInformationJobObject - query a job object.
 *
 * JobInformationClass: one of JOBOBJECTINFOCLASS (above); selects the
 *                      layout written to JobInformation.
 * JobInformationLength: caller buffer size. JobObjectBasicProcessIdList is
 *                      variable-length (see JOBOBJECT_BASIC_PROCESS_ID_LIST
 *                      below); the others are fixed-size structs.
 * ReturnLength:        bytes written or required; OPTIONAL.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryInformationJobObject(
  IN HANDLE JobHandle,
  IN JOBOBJECTINFOCLASS JobInformationClass,
  OUT PVOID JobInformation,
  IN ULONG JobInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * ZwSetInformationJobObject - set a job limit / property from
 * JobInformation, whose layout is selected by JobInformationClass.
 *
 * NOTE(review): the security-limit class (JOBOBJECT_SECURITY_LIMIT_
 * INFORMATION below) and the UI-restriction class are what make a job
 * usable as a sandbox; the accounting classes are read-only and presumably
 * rejected here. Which classes Set accepts is not established in this
 * excerpt.
 */
NTOSAPI
NTSTATUS
NTAPI
ZwSetInformationJobObject(
  IN HANDLE JobHandle,
  IN JOBOBJECTINFOCLASS JobInformationClass,
  IN PVOID JobInformation,
  IN ULONG JobInformationLength);

/*
 * JOBOBJECT_BASIC_ACCOUNTING_INFORMATION - CPU time and process counts
 * accumulated by the job (JobObjectBasicAccountingInformation).
 *
 * TotalUserTime / TotalKernelTime:          since the job was created.
 * ThisPeriodTotalUserTime / ThisPeriodTotalKernelTime:
 *                                           since the last time the job
 *                                           time limit was reset (see
 *                                           JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME).
 * TotalPageFaultCount:                      summed over all processes.
 * TotalProcesses / ActiveProcesses / TotalTerminatedProcesses:
 *                                           lifetime, current and
 *                                           limit-terminated counts.
 */
typedef struct _JOBOBJECT_BASIC_ACCOUNTING_INFORMATION {
  LARGE_INTEGER TotalUserTime;
  LARGE_INTEGER TotalKernelTime;
  LARGE_INTEGER ThisPeriodTotalUserTime;
  LARGE_INTEGER ThisPeriodTotalKernelTime;
  ULONG TotalPageFaultCount;
  ULONG TotalProcesses;
  ULONG ActiveProcesses;
  ULONG TotalTerminatedProcesses;
} JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_ACCOUNTING_INFORMATION;

/* JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags constants */
/*
 * Each JOB_OBJECT_LIMIT_* bit enables the corresponding field of
 * JOBOBJECT_BASIC_LIMIT_INFORMATION (or of the extended struct below for
 * PROCESS_MEMORY / JOB_MEMORY); a field whose bit is clear is ignored.
 *
 * NOTE(review): JOB_OBJECT_BREAKAWAY_OK and JOB_OBJECT_SILENT_BREAKAWAY
 * let child processes escape the job. For a job used as a containment
 * boundary leave both clear; a sandboxed process that can break away can
 * simply spawn an unconstrained copy of itself.
 */
#define JOB_OBJECT_LIMIT_WORKINGSET 0x0001
#define JOB_OBJECT_LIMIT_PROCESS_TIME 0x0002
#define JOB_OBJECT_LIMIT_JOB_TIME 0x0004
#define JOB_OBJECT_LIMIT_ACTIVE_PROCESS 0x0008
#define JOB_OBJECT_LIMIT_AFFINITY 0x0010
#define JOB_OBJECT_LIMIT_PRIORITY_CLASS 0x0020
#define JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME 0x0040
#define JOB_OBJECT_LIMIT_SCHEDULING_CLASS 0x0080
#define JOB_OBJECT_LIMIT_PROCESS_MEMORY 0x0100
#define JOB_OBJECT_LIMIT_JOB_MEMORY 0x0200
#define JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION 0x0400
#define JOB_OBJECT_BREAKAWAY_OK 0x0800
#define JOB_OBJECT_SILENT_BREAKAWAY 0x1000

/*
 * JOBOBJECT_BASIC_LIMIT_INFORMATION - basic limits
 * (JobObjectBasicLimitInformation). Each field is honoured only when its
 * JOB_OBJECT_LIMIT_* bit is set in LimitFlags.
 *
 * PerProcessUserTimeLimit / PerJobUserTimeLimit:
 *                         user-mode CPU time caps (LARGE_INTEGER; unit
 *                         presumably 100 ns -- not stated here).
 * MinimumWorkingSetSize / MaximumWorkingSetSize:
 *                         working-set bounds in bytes (ULONG: 32-bit-era).
 * ActiveProcessLimit:     cap on simultaneously active processes -- a cheap
 *                         fork-bomb guard for sandboxed work.
 * Affinity / PriorityClass / SchedulingClass:
 *                         scheduling limits; PriorityClass uses the PC_*
 *                         codes defined earlier in this file.
 */
typedef struct _JOBOBJECT_BASIC_LIMIT_INFORMATION {
  LARGE_INTEGER PerProcessUserTimeLimit;
  LARGE_INTEGER PerJobUserTimeLimit;
  ULONG LimitFlags;
  ULONG MinimumWorkingSetSize;
  ULONG MaximumWorkingSetSize;
  ULONG ActiveProcessLimit;
  ULONG Affinity;
  ULONG PriorityClass;
  ULONG SchedulingClass;
} JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION;

/*
 * JOBOBJECT_BASIC_PROCESS_ID_LIST - variable-length result of
 * JobObjectBasicProcessIdList.
 *
 * NumberOfAssignedProcesses: how many processes the job holds.
 * NumberOfProcessIdsInList:  how many ids actually fit in the buffer --
 *                            may be smaller than the first count when the
 *                            buffer was too small. Index ProcessIdList only
 *                            up to this value.
 * ProcessIdList[1]:          "header + trailing array" idiom; allocate
 *                            sizeof(JOBOBJECT_BASIC_PROCESS_ID_LIST) +
 *                            (n - 1) * sizeof(ULONG_PTR) bytes. Kept as
 *                            [1] rather than a flexible array member so
 *                            that sizeof() stays what existing callers
 *                            compute with.
 */
typedef struct _JOBOBJECT_BASIC_PROCESS_ID_LIST {
  ULONG NumberOfAssignedProcesses;
  ULONG NumberOfProcessIdsInList;
  ULONG_PTR ProcessIdList[1];
} JOBOBJECT_BASIC_PROCESS_ID_LIST, *PJOBOBJECT_BASIC_PROCESS_ID_LIST;

/* JOBOBJECT_BASIC_UI_RESTRICTIONS.UIRestrictionsClass constants */
/*
 * Bits for JOBOBJECT_BASIC_UI_RESTRICTIONS.UIRestrictionsClass; each one
 * denies the named user-interface capability to processes in the job.
 * For a sandbox the usual set is all of them: JOB_OBJECT_UILIMIT_HANDLES
 * blocks use of USER handles owned by processes outside the job (the
 * defence against window-message attacks on more privileged windows),
 * _DESKTOP blocks desktop switching/creation, _EXITWINDOWS blocks logoff
 * and shutdown, and the clipboard / system-parameter / display / atom
 * bits close the remaining shared-state channels.
 */
#define JOB_OBJECT_UILIMIT_HANDLES 0x0001
#define JOB_OBJECT_UILIMIT_READCLIPBOARD 0x0002
#define JOB_OBJECT_UILIMIT_WRITECLIPBOARD 0x0004
#define JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS 0x0008
#define JOB_OBJECT_UILIMIT_DISPLAYSETTINGS 0x0010
#define JOB_OBJECT_UILIMIT_GLOBALATOMS 0x0020
#define JOB_OBJECT_UILIMIT_DESKTOP 0x0040
#define JOB_OBJECT_UILIMIT_EXITWINDOWS 0x0080

/*
 * JOBOBJECT_BASIC_UI_RESTRICTIONS - input/output for
 * JobObjectBasicUIRestrictions: a mask of the JOB_OBJECT_UILIMIT_* bits.
 */
typedef struct _JOBOBJECT_BASIC_UI_RESTRICTIONS {
  ULONG UIRestrictionsClass;
} JOBOBJECT_BASIC_UI_RESTRICTIONS, *PJOBOBJECT_BASIC_UI_RESTRICTIONS;

/* JOBOBJECT_SECURITY_LIMIT_INFORMATION.SecurityLimitFlags constants */
/*
 * JOB_OBJECT_SECURITY_NO_ADMIN:         processes may not run with an
 *                                       administrators token.
 * JOB_OBJECT_SECURITY_RESTRICTED_TOKEN: processes must run with a
 *                                       restricted token.
 * JOB_OBJECT_SECURITY_ONLY_TOKEN:       processes may only use JobToken.
 * JOB_OBJECT_SECURITY_FILTER_TOKENS:    tokens of new processes are
 *                                       filtered using SidsToDisable /
 *                                       PrivilegesToDelete /
 *                                       RestrictedSids.
 */
#define JOB_OBJECT_SECURITY_NO_ADMIN 0x0001
#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN 0x0002
#define JOB_OBJECT_SECURITY_ONLY_TOKEN 0x0004
#define JOB_OBJECT_SECURITY_FILTER_TOKENS 0x0008

/*
 * JOBOBJECT_SECURITY_LIMIT_INFORMATION - input for
 * JobObjectSecurityLimitInformation: token restrictions applied to
 * processes in the job.
 *
 * SecurityLimitFlags:  the JOB_OBJECT_SECURITY_* bits above.
 * JobToken:            the token every process must use (with _ONLY_TOKEN).
 * SidsToDisable / PrivilegesToDelete / RestrictedSids:
 *                      the three inputs of token filtering (with
 *                      _FILTER_TOKENS); they mirror the inputs of
 *                      restricted-token creation -- presumably with the
 *                      same semantics; confirm.
 *
 * NOTE(review): this is the sandboxing half of the job API. Once set,
 * these limits are presumably not removable (confirm), so apply them
 * before any untrusted code runs in the job and verify the result by
 * inspecting a child's token rather than trusting the call succeeded.
 */
typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION {
  ULONG SecurityLimitFlags;
  HANDLE JobToken;
  PTOKEN_GROUPS SidsToDisable;
  PTOKEN_PRIVILEGES PrivilegesToDelete;
  PTOKEN_GROUPS RestrictedSids;
} JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION;

/* JOBOBJECT_END_OF_JOB_TIME_INFORMATION.EndOfJobTimeAction constants */
/*
 * JOB_OBJECT_TERMINATE_AT_END_OF_JOB: kill all processes when the job time
 *                                     limit is hit (the safe default for
 *                                     untrusted work).
 * JOB_OBJECT_POST_AT_END_OF_JOB:      post JOB_OBJECT_MSG_END_OF_JOB_TIME
 *                                     to the completion port instead and
 *                                     keep running -- only meaningful when
 *                                     a port is associated.
 */
#define JOB_OBJECT_TERMINATE_AT_END_OF_JOB 0
#define JOB_OBJECT_POST_AT_END_OF_JOB 1

/*
 * JOBOBJECT_END_OF_JOB_TIME_INFORMATION - input for
 * JobObjectEndOfJobTimeInformation: one of the two actions above.
 */
typedef struct _JOBOBJECT_END_OF_JOB_TIME_INFORMATION {
  ULONG EndOfJobTimeAction;
} JOBOBJECT_END_OF_JOB_TIME_INFORMATION, *PJOBOBJECT_END_OF_JOB_TIME_INFORMATION;

/* Message codes delivered to the completion port associated with a job via
 * JOBOBJECT_ASSOCIATE_COMPLETION_PORT below (presumably as the completion key's
 * companion value — confirm). Sequential values; no constant is defined for 5. */
#define JOB_OBJECT_MSG_END_OF_JOB_TIME 1
#define JOB_OBJECT_MSG_END_OF_PROCESS_TIME 2
#define JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT 3
#define JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO 4
#define JOB_OBJECT_MSG_NEW_PROCESS 6
#define JOB_OBJECT_MSG_EXIT_PROCESS 7
#define JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS 8
#define JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT 9
#define JOB_OBJECT_MSG_JOB_MEMORY_LIMIT 10
/* Binds a job to an I/O completion port so that JOB_OBJECT_MSG_* notifications
 * can be delivered to it. */
typedef struct _JOBOBJECT_ASSOCIATE_COMPLETION_PORT {
  PVOID CompletionKey;    /* opaque key handed back with each notification (presumably) */
  HANDLE CompletionPort;  /* the completion port handle */
} JOBOBJECT_ASSOCIATE_COMPLETION_PORT, *PJOBOBJECT_ASSOCIATE_COMPLETION_PORT;
/* Basic accounting plus I/O counters for a job.
 * Note: the struct tag lacks the leading underscore every other tag in this
 * header uses. It is legal C (tags and typedef names are separate namespaces)
 * and is kept as-is because callers may already spell it this way. */
typedef struct JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION {
  JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo;
  IO_COUNTERS IoInfo;
} JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION;
/* Basic limits extended with I/O counters and memory limits.
 * NOTE(review): the four memory fields are ULONG here. That is only adequate
 * for a 32-bit address space; the public SDK declares them as SIZE_T — confirm
 * before using this layout on a 64-bit target. */
typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION {
  JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation;
  IO_COUNTERS IoInfo;
  ULONG ProcessMemoryLimit;     /* per-process commit limit (bytes, presumably) */
  ULONG JobMemoryLimit;         /* job-wide commit limit (bytes, presumably) */
  ULONG PeakProcessMemoryUsed;  /* read-only statistics, presumably ignored on set */
  ULONG PeakJobMemoryUsed;
} JOBOBJECT_EXTENDED_LIMIT_INFORMATION, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION;
/* Tokens */
/* Token creation, duplication, filtering, adjustment and query.
 * Each Nt/Zw pair below declares one and the same prototype. */

/* Build a brand-new access token from explicit user, group, privilege,
 * owner, primary-group, default-DACL and source data.
 * NOTE(review): this is the most sensitive entry point in the section; in NT
 * its use is privilege-gated at the kernel boundary — confirm those checks
 * before exposing it through any driver interface. */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateToken(
  OUT PHANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN TOKEN_TYPE Type,
  IN PLUID AuthenticationId,
  IN PLARGE_INTEGER ExpirationTime,
  IN PTOKEN_USER User,
  IN PTOKEN_GROUPS Groups,
  IN PTOKEN_PRIVILEGES Privileges,
  IN PTOKEN_OWNER Owner,
  IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
  IN PTOKEN_DEFAULT_DACL DefaultDacl,
  IN PTOKEN_SOURCE Source
  );

/* Open the primary token of ProcessHandle with DesiredAccess. */
NTOSAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
  IN HANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  OUT PHANDLE TokenHandle);

NTOSAPI
NTSTATUS
NTAPI
ZwOpenProcessToken(
  IN HANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  OUT PHANDLE TokenHandle);

/* Open the token of ThreadHandle (presumably its impersonation token).
 * OpenAsSelf: presumably makes the access check use the caller's process
 * token rather than its current thread token — confirm. */
NTOSAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
  IN HANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN BOOLEAN OpenAsSelf,
  OUT PHANDLE TokenHandle);

NTOSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken(
  IN HANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN BOOLEAN OpenAsSelf,
  OUT PHANDLE TokenHandle);

/* Duplicate ExistingTokenHandle as a token of TokenType.
 * EffectiveOnly: presumably omits groups/privileges that are currently
 * disabled in the source token — confirm. */
NTOSAPI
NTSTATUS
NTAPI
NtDuplicateToken(
  IN HANDLE ExistingTokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN BOOLEAN EffectiveOnly,
  IN TOKEN_TYPE TokenType,
  OUT PHANDLE NewTokenHandle);

NTOSAPI
NTSTATUS
NTAPI
ZwDuplicateToken(
  IN HANDLE ExistingTokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN BOOLEAN EffectiveOnly,
  IN TOKEN_TYPE TokenType,
  OUT PHANDLE NewTokenHandle);

/* Derive a restricted token from ExistingTokenHandle: disable SidsToDisable,
 * remove PrivilegesToDelete and add SidsToRestricted as restricting SIDs.
 * The last list is called RestrictedSids in JOBOBJECT_SECURITY_LIMIT_INFORMATION
 * above; the two names should agree. Flags values are not defined here. */
NTOSAPI
NTSTATUS
NTAPI
ZwFilterToken(
  IN HANDLE ExistingTokenHandle,
  IN ULONG Flags,
  IN PTOKEN_GROUPS SidsToDisable,
  IN PTOKEN_PRIVILEGES PrivilegesToDelete,
  IN PTOKEN_GROUPS SidsToRestricted,
  OUT PHANDLE NewTokenHandle);

/* Enable or disable privileges in TokenHandle (all of them when
 * DisableAllPrivileges is set, otherwise those listed in NewState).
 * PreviousState/BufferLength/ReturnLength follow the optional-output-buffer
 * pattern: presumably BufferLength is the size of PreviousState and
 * ReturnLength the size required — confirm.
 * NOTE(review): callers must examine the returned NTSTATUS rather than assume
 * every requested privilege was adjusted; a partially honoured request is
 * reported through the status, not through an error return. */
NTOSAPI
NTSTATUS
NTAPI
NtAdjustPrivilegesToken(
  IN HANDLE TokenHandle,
  IN BOOLEAN DisableAllPrivileges,
  IN PTOKEN_PRIVILEGES NewState,
  IN ULONG BufferLength,
  OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
  OUT PULONG ReturnLength);

NTOSAPI
NTSTATUS
NTAPI
ZwAdjustPrivilegesToken(
  IN HANDLE TokenHandle,
  IN BOOLEAN DisableAllPrivileges,
  IN PTOKEN_PRIVILEGES NewState,
  IN ULONG BufferLength,
  OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
  OUT PULONG ReturnLength);

/* Enable or disable groups in TokenHandle, or reset them to their defaults
 * when ResetToDefault is set. Output-buffer parameters as for
 * ZwAdjustPrivilegesToken. */
NTOSAPI
NTSTATUS
NTAPI
ZwAdjustGroupsToken(
  IN HANDLE TokenHandle,
  IN BOOLEAN ResetToDefault,
  IN PTOKEN_GROUPS NewState,
  IN ULONG BufferLength,
  OUT PTOKEN_GROUPS PreviousState OPTIONAL,
  OUT PULONG ReturnLength);

/* Query TokenInformationClass into TokenInformation (TokenInformationLength
 * bytes); ReturnLength presumably receives the size required — confirm. */
NTOSAPI
NTSTATUS
NTAPI
NtQueryInformationToken(
  IN HANDLE TokenHandle,
  IN TOKEN_INFORMATION_CLASS TokenInformationClass,
  OUT PVOID TokenInformation,
  IN ULONG TokenInformationLength,
  OUT PULONG ReturnLength);

NTOSAPI
NTSTATUS
NTAPI
ZwQueryInformationToken(
  IN HANDLE TokenHandle,
  IN TOKEN_INFORMATION_CLASS TokenInformationClass,
  OUT PVOID TokenInformation,
  IN ULONG TokenInformationLength,
  OUT PULONG ReturnLength);

/* Set TokenInformationClass of TokenHandle from the caller-supplied buffer. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetInformationToken(
  IN HANDLE TokenHandle,
  IN TOKEN_INFORMATION_CLASS TokenInformationClass,
  IN PVOID TokenInformation,
  IN ULONG TokenInformationLength);
/* Time */
/* Read the current system time as a LARGE_INTEGER. */
NTOSAPI
NTSTATUS
NTAPI
ZwQuerySystemTime(
  OUT PLARGE_INTEGER CurrentTime);

/* Set the system time to NewTime; OldTime, if supplied, receives the
 * previous value. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetSystemTime(
  IN PLARGE_INTEGER NewTime,
  OUT PLARGE_INTEGER OldTime OPTIONAL);

/* Read the performance counter and, optionally, its frequency. */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryPerformanceCounter(
  OUT PLARGE_INTEGER PerformanceCount,
  OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL);

/* NOTE(review): this is a verbatim duplicate of the ZwQueryPerformanceCounter
 * declaration just above. A repeated identical prototype is legal C, but
 * elsewhere in this header the Nt form precedes the Zw form, so one of the
 * two was presumably meant to be the Nt variant — confirm against the
 * export list before changing it. */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryPerformanceCounter(
  OUT PLARGE_INTEGER PerformanceCount,
  OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL);

/* Report the coarsest, finest and currently active timer resolution
 * (units not established here). */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryTimerResolution(
  OUT PULONG CoarsestResolution,
  OUT PULONG FinestResolution,
  OUT PULONG ActualResolution);

/* Block the calling thread for Interval; Alertable presumably allows the
 * wait to be interrupted by a user APC — confirm. */
NTOSAPI
NTSTATUS
NTAPI
ZwDelayExecution(
  IN BOOLEAN Alertable,
  IN PLARGE_INTEGER Interval);

/* Give up the remainder of the current time slice. */
NTOSAPI
NTSTATUS
NTAPI
ZwYieldExecution(
  VOID);

/* Tick count since boot. Note: returns ULONG directly, not an NTSTATUS. */
NTOSAPI
ULONG
NTAPI
ZwGetTickCount(
  VOID);
/* Execution profiling */
/* Create a sampling profile for the range [Base, Base+Size) of ProcessHandle.
 * Buffer (BufferLength bytes) receives the hit counters; BucketShift presumably
 * is the log2 of the bucket size that maps addresses to counters — confirm.
 * Source selects the profiling interrupt source, ProcessorMask the CPUs. */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateProfile(
  OUT PHANDLE ProfileHandle,
  IN HANDLE ProcessHandle,
  IN PVOID Base,
  IN ULONG Size,
  IN ULONG BucketShift,
  IN PULONG Buffer,
  IN ULONG BufferLength,
  IN KPROFILE_SOURCE Source,
  IN ULONG ProcessorMask);

/* Set the sampling interval for a profile source (system-wide, presumably). */
NTOSAPI
NTSTATUS
NTAPI
ZwSetIntervalProfile(
  IN ULONG Interval,
  IN KPROFILE_SOURCE Source);

/* Read back the sampling interval for a profile source. */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryIntervalProfile(
  IN KPROFILE_SOURCE Source,
  OUT PULONG Interval);

/* Start collecting samples into the profile created by ZwCreateProfile. */
NTOSAPI
NTSTATUS
NTAPI
ZwStartProfile(
  IN HANDLE ProfileHandle);

/* Stop collecting samples. */
NTOSAPI
NTSTATUS
NTAPI
ZwStopProfile(
  IN HANDLE ProfileHandle);
/* Local Procedure Call (LPC) */
/* Header of every LPC message; Data[] is the variable-length payload.
 * NOTE(review): nothing in this layout enforces consistency between the two
 * size fields. A port server must check DataSize against MessageSize, and both
 * against the number of bytes actually received, before indexing Data. */
typedef struct _LPC_MESSAGE {
  USHORT DataSize;            /* presumably bytes of payload in Data */
  USHORT MessageSize;         /* presumably total size including this header */
  USHORT MessageType;         /* presumably an LPC_TYPE value (declared below) */
  USHORT VirtualRangesOffset; /* offset of the virtual-range table used by Zw{Read,Write}RequestData (presumably) */
  CLIENT_ID ClientId;         /* identity of the sending thread/process */
  ULONG MessageId;
  ULONG SectionSize;
  UCHAR Data[ANYSIZE_ARRAY];  /* variable-length payload */
} LPC_MESSAGE, *PLPC_MESSAGE;
/* Message kinds carried in LPC_MESSAGE.MessageType. Values are sequential
 * from 0 (LPC_NEW_MESSAGE); LPC_MAXIMUM is the end-of-range marker. */
typedef enum _LPC_TYPE {
  LPC_NEW_MESSAGE,
  LPC_REQUEST,
  LPC_REPLY,
  LPC_DATAGRAM,
  LPC_LOST_REPLY,
  LPC_PORT_CLOSED,
  LPC_CLIENT_DIED,
  LPC_EXCEPTION,
  LPC_DEBUG_EVENT,
  LPC_ERROR_EVENT,
  LPC_CONNECTION_REQUEST,
  LPC_MAXIMUM
} LPC_TYPE;
/* Describes a shared section the connecting side offers to the port server
 * (IN OUT argument of NtConnectPort/ZwAcceptConnectPort). Length is
 * presumably sizeof this structure, filled in by the caller — confirm. */
typedef struct _LPC_SECTION_WRITE {
  ULONG Length;
  HANDLE SectionHandle;  /* section to share */
  ULONG SectionOffset;
  ULONG ViewSize;
  PVOID ViewBase;        /* OUT: view address in the caller (presumably) */
  PVOID TargetViewBase;  /* OUT: view address in the peer (presumably) */
} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;
/* Describes the peer's shared section as mapped into the caller
 * (IN OUT argument of NtConnectPort/ZwAcceptConnectPort). */
typedef struct _LPC_SECTION_READ {
  ULONG Length;    /* presumably sizeof this structure — confirm */
  ULONG ViewSize;
  PVOID ViewBase;
} LPC_SECTION_READ, *PLPC_SECTION_READ;
/* Create a server connection port named by ObjectAttributes.
 * MaxDataSize/MaxMessageSize presumably bound LPC_MESSAGE.DataSize/MessageSize
 * for this port — note those fields are USHORT while the limits are ULONG.
 * Reserved has no defined meaning here. */
NTOSAPI
NTSTATUS
NTAPI
ZwCreatePort(
  OUT PHANDLE PortHandle,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN ULONG MaxDataSize,
  IN ULONG MaxMessageSize,
  IN ULONG Reserved);

/* As ZwCreatePort, for a port that can itself be waited on (by name). */
NTOSAPI
NTSTATUS
NTAPI
ZwCreateWaitablePort(
  OUT PHANDLE PortHandle,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN ULONG MaxDataSize,
  IN ULONG MaxMessageSize,
  IN ULONG Reserved);

/* Connect to the server port PortName.
 * SecurityQos is the client's impersonation policy — it is what later bounds
 * ZwImpersonateClientOfPort on the server side (presumably; confirm).
 * WriteSection/ReadSection optionally set up shared memory with the server;
 * ConnectData/ConnectDataLength carry connect-time data in both directions;
 * MaxMessageSize receives the server port's limit. */
NTOSAPI
NTSTATUS
NTAPI
NtConnectPort(
  OUT PHANDLE PortHandle,
  IN PUNICODE_STRING PortName,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL,
  OUT PULONG MaxMessageSize OPTIONAL,
  IN OUT PVOID ConnectData OPTIONAL,
  IN OUT PULONG ConnectDataLength OPTIONAL);

NTOSAPI
NTSTATUS
NTAPI
ZwConnectPort(
  OUT PHANDLE PortHandle,
  IN PUNICODE_STRING PortName,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL,
  OUT PULONG MaxMessageSize OPTIONAL,
  IN OUT PVOID ConnectData OPTIONAL,
  IN OUT PULONG ConnectDataLength OPTIONAL);

/* NOTE(review): verbatim duplicate of the ZwConnectPort declaration above
 * (legal, but almost certainly a copy/paste slip). Kept so callers relying on
 * either spelling keep compiling; remove once confirmed unintended. */
NTOSAPI
NTSTATUS
NTAPI
ZwConnectPort(
  OUT PHANDLE PortHandle,
  IN PUNICODE_STRING PortName,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL,
  OUT PULONG MaxMessageSize OPTIONAL,
  IN OUT PVOID ConnectData OPTIONAL,
  IN OUT PULONG ConnectDataLength OPTIONAL);

/* Wait for a connection request on PortHandle; Message receives it. */
NTOSAPI
NTSTATUS
NTAPI
ZwListenPort(
  IN HANDLE PortHandle,
  OUT PLPC_MESSAGE Message);

/* Accept (or, with Accept == FALSE, refuse) the connection request Message.
 * PortIdentifier is an opaque value the server associates with the new port;
 * the section parameters mirror those of NtConnectPort. */
NTOSAPI
NTSTATUS
NTAPI
ZwAcceptConnectPort(
  OUT PHANDLE PortHandle,
  IN ULONG PortIdentifier,
  IN PLPC_MESSAGE Message,
  IN BOOLEAN Accept,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL);

/* Finish an accepted connection so the client's NtConnectPort returns. */
NTOSAPI
NTSTATUS
NTAPI
ZwCompleteConnectPort(
  IN HANDLE PortHandle);

/* Send RequestMessage without waiting for a reply (datagram style).
 * No Zw counterpart is declared in this header. */
NTOSAPI
NTSTATUS
NTAPI
NtRequestPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE RequestMessage);

/* Send RequestMessage and block until ReplyMessage arrives.
 * NOTE(review): ReplyMessage must be large enough for the port's maximum
 * message size; the callee has no other way to know the buffer's capacity. */
NTOSAPI
NTSTATUS
NTAPI
NtRequestWaitReplyPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE RequestMessage,
  OUT PLPC_MESSAGE ReplyMessage);

NTOSAPI
NTSTATUS
NTAPI
ZwRequestWaitReplyPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE RequestMessage,
  OUT PLPC_MESSAGE ReplyMessage);

/* Send ReplyMessage to the client identified inside it. */
NTOSAPI
NTSTATUS
NTAPI
ZwReplyPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE ReplyMessage);

/* Send a reply, then wait for the reply to that reply (same buffer). */
NTOSAPI
NTSTATUS
NTAPI
ZwReplyWaitReplyPort(
  IN HANDLE PortHandle,
  IN OUT PLPC_MESSAGE ReplyMessage);

/* Optionally send ReplyMessage, then wait for the next message on the port.
 * PortIdentifier receives the value passed to ZwAcceptConnectPort (presumably). */
NTOSAPI
NTSTATUS
NTAPI
ZwReplyWaitReceivePort(
  IN HANDLE PortHandle,
  OUT PULONG PortIdentifier OPTIONAL,
  IN PLPC_MESSAGE ReplyMessage OPTIONAL,
  OUT PLPC_MESSAGE Message);

/* As ZwReplyWaitReceivePort with a wait Timeout. */
NTOSAPI
NTSTATUS
NTAPI
ZwReplyWaitReceivePortEx(
  IN HANDLE PortHandle,
  OUT PULONG PortIdentifier OPTIONAL,
  IN PLPC_MESSAGE ReplyMessage OPTIONAL,
  OUT PLPC_MESSAGE Message,
  IN PLARGE_INTEGER Timeout);

/* Copy the Index-th virtual range attached to Message into Buffer
 * (presumably the ranges located via LPC_MESSAGE.VirtualRangesOffset — confirm).
 * BufferLength bounds the copy; ReturnLength receives the bytes copied. */
NTOSAPI
NTSTATUS
NTAPI
ZwReadRequestData(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE Message,
  IN ULONG Index,
  OUT PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Counterpart of ZwReadRequestData: write Buffer into the Index-th range. */
NTOSAPI
NTSTATUS
NTAPI
ZwWriteRequestData(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE Message,
  IN ULONG Index,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);
/* Information classes accepted by ZwQueryInformationPort. Only one is known. */
typedef enum _PORT_INFORMATION_CLASS {
  PortBasicInformation
} PORT_INFORMATION_CLASS;
/* Query PortInformationClass into PortInformation (PortInformationLength bytes);
 * ReturnLength, if supplied, presumably receives the size required — confirm. */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryInformationPort(
  IN HANDLE PortHandle,
  IN PORT_INFORMATION_CLASS PortInformationClass,
  OUT PVOID PortInformation,
  IN ULONG PortInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Make the calling (server) thread impersonate the client that sent Message.
 * NOTE(review): the impersonation level obtained is bounded by the SecurityQos
 * the client supplied when it connected (presumably; confirm). A server must
 * revert to its own identity as soon as the client's work is done and must not
 * carry the impersonated context into unrelated processing. */
NTOSAPI
NTSTATUS
NTAPI
ZwImpersonateClientOfPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE Message);
/* Files */
/* Delete the file named by ObjectAttributes without opening a handle to it. */
NTOSAPI
NTSTATUS
NTAPI
NtDeleteFile(
  IN POBJECT_ATTRIBUTES ObjectAttributes);

NTOSAPI
NTSTATUS
NTAPI
ZwDeleteFile(
  IN POBJECT_ATTRIBUTES ObjectAttributes);

/* Flush buffered data for FileHandle to its device; IoStatusBlock receives
 * the completion status. */
NTOSAPI
NTSTATUS
NTAPI
ZwFlushBuffersFile(
  IN HANDLE FileHandle,
  OUT PIO_STATUS_BLOCK IoStatusBlock);

/* Cancel pending I/O on FileHandle (presumably only requests issued by the
 * calling thread — confirm). */
NTOSAPI
NTSTATUS
NTAPI
ZwCancelIoFile(
  IN HANDLE FileHandle,
  OUT PIO_STATUS_BLOCK IoStatusBlock);

/* Scatter read: Length bytes starting at ByteOffset are delivered into the
 * segments described by the FILE_SEGMENT_ELEMENT array Buffer.
 * Event/ApcRoutine/ApcContext follow the standard asynchronous-completion
 * pattern; Key is an optional lock key. */
NTOSAPI
NTSTATUS
NTAPI
ZwReadFileScatter(
  IN HANDLE FileHandle,
  IN HANDLE Event OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PFILE_SEGMENT_ELEMENT Buffer,
  IN ULONG Length,
  IN PLARGE_INTEGER ByteOffset OPTIONAL,
  IN PULONG Key OPTIONAL);

/* Gather write: the mirror image of ZwReadFileScatter. */
NTOSAPI
NTSTATUS
NTAPI
ZwWriteFileGather(
  IN HANDLE FileHandle,
  IN HANDLE Event OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PFILE_SEGMENT_ELEMENT Buffer,
  IN ULONG Length,
  IN PLARGE_INTEGER ByteOffset OPTIONAL,
  IN PULONG Key OPTIONAL);
/* Registry keys */
/* Hive-level registry operations.
 * NOTE(review): these read and write whole hive files by object attributes or
 * open file handles; in NT they are gated by the backup/restore privileges —
 * confirm the privilege checks wherever these are reachable from user mode. */

/* Write the subtree rooted at KeyHandle into the open file FileHandle. */
NTOSAPI
NTSTATUS
NTAPI
ZwSaveKey(
  IN HANDLE KeyHandle,
  IN HANDLE FileHandle);

/* Write the merged contents of two keys into one hive file (by name). */
NTOSAPI
NTSTATUS
NTAPI
ZwSaveMergedKeys(
  IN HANDLE KeyHandle1,
  IN HANDLE KeyHandle2,
  IN HANDLE FileHandle);

/* Replace the subtree at KeyHandle with the contents of hive file FileHandle.
 * Flags values are not defined in this header. */
NTOSAPI
NTSTATUS
NTAPI
ZwRestoreKey(
  IN HANDLE KeyHandle,
  IN HANDLE FileHandle,
  IN ULONG Flags);

/* Mount the hive file FileObjectAttributes at KeyObjectAttributes. */
NTOSAPI
NTSTATUS
NTAPI
ZwLoadKey(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  IN POBJECT_ATTRIBUTES FileObjectAttributes);

/* As ZwLoadKey with Flags (values not defined in this header). */
NTOSAPI
NTSTATUS
NTAPI
ZwLoadKey2(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  IN POBJECT_ATTRIBUTES FileObjectAttributes,
  IN ULONG Flags);

/* Unmount the hive mounted at KeyObjectAttributes. */
NTOSAPI
NTSTATUS
NTAPI
ZwUnloadKey(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes);

/* Count the open subkeys under KeyObjectAttributes (by name; useful before
 * ZwUnloadKey, presumably). */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryOpenSubKeys(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  OUT PULONG NumberOfKeys);

/* Swap the hive file backing KeyHandle for NewFileObjectAttributes, keeping the
 * previous file at OldFileObjectAttributes (by parameter names — confirm). */
NTOSAPI
NTSTATUS
NTAPI
ZwReplaceKey(
  IN POBJECT_ATTRIBUTES NewFileObjectAttributes,
  IN HANDLE KeyHandle,
  IN POBJECT_ATTRIBUTES OldFileObjectAttributes);
/* Information classes accepted by ZwSetInformationKey; the single class
 * takes a KEY_LAST_WRITE_TIME_INFORMATION buffer (declared below). */
typedef enum _KEY_SET_INFORMATION_CLASS {
  KeyLastWriteTimeInformation
} KEY_SET_INFORMATION_CLASS;
/* Set KeyInformationClass of KeyHandle from KeyInformation
 * (KeyInformationLength bytes). */
NTOSAPI
NTSTATUS
NTAPI
ZwSetInformationKey(
  IN HANDLE KeyHandle,
  IN KEY_SET_INFORMATION_CLASS KeyInformationClass,
  IN PVOID KeyInformation,
  IN ULONG KeyInformationLength);
/* Buffer for KeyLastWriteTimeInformation. */
typedef struct _KEY_LAST_WRITE_TIME_INFORMATION {
  LARGE_INTEGER LastWriteTime;  /* same representation as ZwQuerySystemTime, presumably */
} KEY_LAST_WRITE_TIME_INFORMATION, *PKEY_LAST_WRITE_TIME_INFORMATION;
/* Full name of a key. Name is variable-length (the [1] idiom); NameLength is
 * presumably in bytes, as is usual for this API — confirm. Allocate
 * sizeof(KEY_NAME_INFORMATION) + NameLength and never assume NUL termination. */
typedef struct _KEY_NAME_INFORMATION {
  ULONG NameLength;
  WCHAR Name[1];
} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
/* Register for change notification on KeyHandle.
 * NotifyFilter selects the kinds of change (values not defined in this
 * section); WatchSubtree extends the watch to subkeys. Buffer/BufferLength
 * receive change details; Event/ApcRoutine/ApcContext/IoStatusBlock follow the
 * standard asynchronous-completion pattern, and Asynchronous selects whether
 * the call returns before a change occurs. */
NTOSAPI
NTSTATUS
NTAPI
ZwNotifyChangeKey(
  IN HANDLE KeyHandle,
  IN HANDLE EventHandle OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN ULONG NotifyFilter,
  IN BOOLEAN WatchSubtree,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  IN BOOLEAN Asynchronous);
/* ZwNotifyChangeMultipleKeys.Flags constants */
#define REG_MONITOR_SINGLE_KEY 0x00  /* watch KeyHandle only */
#define REG_MONITOR_SECOND_KEY 0x01  /* also watch the key named by KeyObjectAttributes (by name) */
/* As ZwNotifyChangeKey, optionally watching a second key named by
 * KeyObjectAttributes; Flags takes the REG_MONITOR_* values above. */
NTOSAPI
NTSTATUS
NTAPI
ZwNotifyChangeMultipleKeys(
  IN HANDLE KeyHandle,
  IN ULONG Flags,
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  IN HANDLE EventHandle OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN ULONG NotifyFilter,
  IN BOOLEAN WatchSubtree,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  IN BOOLEAN Asynchronous);

/* Read NumberOfValues values of KeyHandle in one call. ValueList is updated
 * in place; Length is the size of Buffer on input and presumably the bytes
 * used on output, with ReturnLength the size required — confirm. */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryMultipleValueKey(
  IN HANDLE KeyHandle,
  IN OUT PKEY_VALUE_ENTRY ValueList,
  IN ULONG NumberOfValues,
  OUT PVOID Buffer,
  IN OUT PULONG Length,
  OUT PULONG ReturnLength);

/* Boot-time registry initialisation; Setup presumably selects the
 * setup-mode variant — confirm. Not a routine ordinary drivers should call. */
NTOSAPI
NTSTATUS
NTAPI
ZwInitializeRegistry(
  IN BOOLEAN Setup);
/* Security and auditing */
/* Test whether TokenHandle holds RequiredPrivileges; Result receives the
 * verdict. */
NTOSAPI
NTSTATUS
NTAPI
ZwPrivilegeCheck(
  IN HANDLE TokenHandle,
  IN PPRIVILEGE_SET RequiredPrivileges,
  OUT PBOOLEAN Result);

/* Generate a privilege-use audit record for the operation identified by
 * SubsystemName/HandleId. AccessGranted records the outcome being audited. */
NTOSAPI
NTSTATUS
NTAPI
ZwPrivilegeObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN PPRIVILEGE_SET Privileges,
  IN BOOLEAN AccessGranted);

/* NOTE(review): verbatim duplicate of the ZwPrivilegeObjectAuditAlarm
 * declaration above. Given the Nt-then-Zw ordering used elsewhere in this
 * header, the first copy was presumably meant to be the Nt variant — confirm
 * against the export list before renaming. */
NTOSAPI
NTSTATUS
NTAPI
ZwPrivilegeObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN PPRIVILEGE_SET Privileges,
  IN BOOLEAN AccessGranted);

/* Evaluate DesiredAccess against SecurityDescriptor for the token
 * TokenHandle, mapping generic rights through GenericMapping.
 * GrantedAccess/AccessStatus carry the result; PrivilegeSet receives any
 * privileges used. Note that PrivilegeSetLength is IN-only here, whereas the
 * buffer-size-in/size-needed-out convention elsewhere would suggest IN OUT —
 * confirm against the implementation. */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheck(
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN PGENERIC_MAPPING GenericMapping,
  IN PPRIVILEGE_SET PrivilegeSet,
  IN PULONG PrivilegeSetLength,
  OUT PACCESS_MASK GrantedAccess,
  OUT PBOOLEAN AccessStatus);

/* ZwAccessCheck combined with audit generation, using the caller's
 * impersonation token (no TokenHandle parameter). GenerateOnClose tells the
 * caller whether a matching close audit is required. */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN ACCESS_MASK DesiredAccess,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccess,
  OUT PBOOLEAN AccessStatus,
  OUT PBOOLEAN GenerateOnClose);

/* Object-type-aware access check (ObjectTypeList of ObjectTypeListLength
 * entries; PrincipalSelfSid substitutes for the PRINCIPAL_SELF SID).
 * NOTE(review): DesiredAccess is ULONG here but ACCESS_MASK in every sibling,
 * and AccessStatus is PULONG where ZwAccessCheck uses PBOOLEAN. The
 * result-list variants below also use PULONG, so the latter may be deliberate;
 * confirm both against the implementation. */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheckByType(
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN HANDLE TokenHandle,
  IN ULONG DesiredAccess,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN PPRIVILEGE_SET PrivilegeSet,
  IN PULONG PrivilegeSetLength,
  OUT PACCESS_MASK GrantedAccess,
  OUT PULONG AccessStatus);
/* Audit category passed as AuditType to the ...AndAuditAlarm variants below. */
typedef enum _AUDIT_EVENT_TYPE {
  AuditEventObjectAccess,
  AuditEventDirectoryServiceAccess
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;
/* ZwAccessCheckByType with audit generation. Flags values are not defined in
 * this header. */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeAndAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN ACCESS_MASK DesiredAccess,
  IN AUDIT_EVENT_TYPE AuditType,
  IN ULONG Flags,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccess,
  OUT PULONG AccessStatus,
  OUT PBOOLEAN GenerateOnClose);

/* As ZwAccessCheckByType, but GrantedAccessList/AccessStatusList receive one
 * entry per ObjectTypeList element (presumably; confirm the array lengths). */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultList(
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN PPRIVILEGE_SET PrivilegeSet,
  IN PULONG PrivilegeSetLength,
  OUT PACCESS_MASK GrantedAccessList,
  OUT PULONG AccessStatusList);

/* Result-list variant with audit generation.
 * Note: GenerateOnClose is PULONG here (and in the ByHandle variant) but
 * PBOOLEAN in the non-list variants — confirm which is right. */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN ACCESS_MASK DesiredAccess,
  IN AUDIT_EVENT_TYPE AuditType,
  IN ULONG Flags,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccessList,
  OUT PULONG AccessStatusList,
  OUT PULONG GenerateOnClose);

/* As the previous routine, but evaluated against an explicit TokenHandle
 * instead of the caller's impersonation token. */
NTOSAPI
NTSTATUS
NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN HANDLE TokenHandle,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN ACCESS_MASK DesiredAccess,
  IN AUDIT_EVENT_TYPE AuditType,
  IN ULONG Flags,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccessList,
  OUT PULONG AccessStatusList,
  OUT PULONG GenerateOnClose);

/* Audit an object open whose access decision (GrantedAccess/AccessGranted)
 * was already made by the caller.
 * Note: HandleId is `PVOID *` here but plain PVOID in every other audit
 * routine of this section — confirm before calling. */
NTOSAPI
NTSTATUS
NTAPI
ZwOpenObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID *HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN ACCESS_MASK GrantedAccess,
  IN PPRIVILEGE_SET Privileges OPTIONAL,
  IN BOOLEAN ObjectCreation,
  IN BOOLEAN AccessGranted,
  OUT PBOOLEAN GenerateOnClose);

/* Audit the close of a handle for which GenerateOnClose was returned TRUE. */
NTOSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN BOOLEAN GenerateOnClose);

/* Audit the deletion of an object; parameters as ZwCloseObjectAuditAlarm. */
NTOSAPI
NTSTATUS
NTAPI
ZwDeleteObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN BOOLEAN GenerateOnClose);
/* Plug and play and power management */
/* Ask the power manager to keep wake-up latency at or below Latency. */
NTOSAPI
NTSTATUS
NTAPI
ZwRequestWakeupLatency(
  IN LATENCY_TIME Latency);

/* Arm DeviceHandle as a wake source (by name). */
NTOSAPI
NTSTATUS
NTAPI
ZwRequestDeviceWakeup(
  IN HANDLE DeviceHandle);

/* Cancel a previous ZwRequestDeviceWakeup. */
NTOSAPI
NTSTATUS
NTAPI
ZwCancelDeviceWakeupRequest(
  IN HANDLE DeviceHandle);

/* Whether the last resume was automatic (timer/wake event) rather than
 * user-initiated (by name). Note: returns BOOLEAN directly, not NTSTATUS. */
NTOSAPI
BOOLEAN
NTAPI
ZwIsSystemResumeAutomatic(
  VOID);

/* Set the calling thread's execution-state flags; the previous value is
 * returned through PreviousExecutionState. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetThreadExecutionState(
  IN EXECUTION_STATE ExecutionState,
  OUT PEXECUTION_STATE PreviousExecutionState);

/* Read the current power state of the device behind DeviceHandle. */
NTOSAPI
NTSTATUS
NTAPI
ZwGetDevicePowerState(
  IN HANDLE DeviceHandle,
  OUT PDEVICE_POWER_STATE DevicePowerState);

/* Transition the system (sleep/hibernate/shutdown per SystemAction) to at
 * least MinSystemState. Flags values are not defined in this header. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetSystemPowerState(
  IN POWER_ACTION SystemAction,
  IN SYSTEM_POWER_STATE MinSystemState,
  IN ULONG Flags);

/* As ZwSetSystemPowerState, optionally returning before the transition
 * completes when Asynchronous is set. */
NTOSAPI
NTSTATUS
NTAPI
ZwInitiatePowerAction(
  IN POWER_ACTION SystemAction,
  IN SYSTEM_POWER_STATE MinSystemState,
  IN ULONG Flags,
  IN BOOLEAN Asynchronous);

/* Generic power query/set: the meaning of InputBuffer/OutputBuffer depends on
 * PowerInformationLevel. Both buffers are optional and length-bounded. */
NTOSAPI
NTSTATUS
NTAPI
ZwPowerInformation(
  IN POWER_INFORMATION_LEVEL PowerInformationLevel,
  IN PVOID InputBuffer OPTIONAL,
  IN ULONG InputBufferLength,
  OUT PVOID OutputBuffer OPTIONAL,
  IN ULONG OutputBufferLength);

/* Plug-and-play control: ControlCode selects the operation and Buffer
 * (BufferLength bytes) is used for input and output. ControlCode values are
 * not defined in this header. */
NTOSAPI
NTSTATUS
NTAPI
ZwPlugPlayControl(
  IN ULONG ControlCode,
  IN OUT PVOID Buffer,
  IN ULONG BufferLength);

/* Retrieve the next plug-and-play event into Buffer. Reserved1/Reserved2
 * have no defined meaning here. */
NTOSAPI
NTSTATUS
NTAPI
ZwGetPlugPlayEvent(
  IN ULONG Reserved1,
  IN ULONG Reserved2,
  OUT PVOID Buffer,
  IN ULONG BufferLength);
/* Miscellany */
/* Raise ExceptionRecord in the context Context; SearchFrames presumably
 * requests a first-chance handler search (by name — confirm). */
NTOSAPI
NTSTATUS
NTAPI
ZwRaiseException(
  IN PEXCEPTION_RECORD ExceptionRecord,
  IN PCONTEXT Context,
  IN BOOLEAN SearchFrames);

/* Resume execution with the register state in Context; TestAlert presumably
 * delivers pending alerts/APCs first — confirm.
 * NOTE(review): Context is caller-supplied and crosses a trust boundary when
 * reached from user mode; the implementation must validate it before loading
 * it rather than trusting mode/flag fields as given. */
NTOSAPI
NTSTATUS
NTAPI
ZwContinue(
  IN PCONTEXT Context,
  IN BOOLEAN TestAlert);

/* Call the user-mode callback RoutineIndex with Argument/ArgumentLength;
 * Result/ResultLength optionally receive its output (by parameter names). */
NTOSAPI
NTSTATUS
NTAPI
ZwW32Call(
  IN ULONG RoutineIndex,
  IN PVOID Argument,
  IN ULONG ArgumentLength,
  OUT PVOID *Result OPTIONAL,
  OUT PULONG ResultLength OPTIONAL);

/* Event-pair primitives (by name); their semantics are not established here. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetLowWaitHighThread(
  VOID);

NTOSAPI
NTSTATUS
NTAPI
ZwSetHighWaitLowThread(
  VOID);

/* Load the driver whose service key is named by DriverServiceName
 * (presumably a full registry path — confirm).
 * NOTE(review): this brings code into the kernel; in NT the call is gated by
 * a dedicated privilege. Confirm that gate, and that DriverServiceName is not
 * attacker-controlled, wherever this is reachable from user mode. */
NTOSAPI
NTSTATUS
NTAPI
ZwLoadDriver(
  IN PUNICODE_STRING DriverServiceName);

/* Unload the driver named by DriverServiceName. */
NTOSAPI
NTSTATUS
NTAPI
ZwUnloadDriver(
  IN PUNICODE_STRING DriverServiceName);

/* Flush FlushSize bytes of instruction cache at BaseAddress in ProcessHandle
 * (whole cache when BaseAddress is omitted, presumably). */
NTOSAPI
NTSTATUS
NTAPI
ZwFlushInstructionCache(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress OPTIONAL,
  IN ULONG FlushSize);

/* Drain the processor's write buffer. */
NTOSAPI
NTSTATUS
NTAPI
ZwFlushWriteBuffer(
  VOID);

/* Locale and UI-language settings. ThreadOrSystem selects which default is
 * read or written (which value means which is not established here). */
NTOSAPI
NTSTATUS
NTAPI
ZwQueryDefaultLocale(
  IN BOOLEAN ThreadOrSystem,
  OUT PLCID Locale);

NTOSAPI
NTSTATUS
NTAPI
ZwSetDefaultLocale(
  IN BOOLEAN ThreadOrSystem,
  IN LCID Locale);

NTOSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage(
  OUT PLANGID LanguageId);

NTOSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage(
  IN LANGID LanguageId);

NTOSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage(
  OUT PLANGID LanguageId);

/* Allocate a locally unique identifier. */
NTOSAPI
NTSTATUS
NTAPI
NtAllocateLocallyUniqueId(
  OUT PLUID Luid);

/* Reserve a range of UUID time/sequence values for the caller.
 * UuidSeed is a PUCHAR; its length is not established here. */
NTOSAPI
NTSTATUS
NTAPI
NtAllocateUuids(
  OUT PLARGE_INTEGER UuidLastTimeAllocated,
  OUT PULONG UuidDeltaTime,
  OUT PULONG UuidSequenceNumber,
  OUT PUCHAR UuidSeed);

/* Set the UUID seed returned by NtAllocateUuids. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetUuidSeed(
  IN PUCHAR UuidSeed);
/* Button set requested by ZwRaiseHardError (sequential from 0). */
typedef enum _HARDERROR_RESPONSE_OPTION {
  OptionAbortRetryIgnore,
  OptionOk,
  OptionOkCancel,
  OptionRetryCancel,
  OptionYesNo,
  OptionYesNoCancel,
  OptionShutdownSystem
} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;
/* Answer returned by ZwRaiseHardError (sequential from 0). */
typedef enum _HARDERROR_RESPONSE {
  ResponseReturnToCaller,
  ResponseNotHandled,
  ResponseAbort,
  ResponseCancel,
  ResponseIgnore,
  ResponseNo,
  ResponseOk,
  ResponseRetry,
  ResponseYes
} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;
/* Report Status as a hard error. Arguments has NumberOfArguments entries; a
 * set bit in StringArgumentsMask presumably marks the corresponding entry as
 * a pointer to a UNICODE_STRING rather than an integer — confirm.
 * ResponseOption selects the buttons offered; Response receives the answer. */
NTOSAPI
NTSTATUS
NTAPI
ZwRaiseHardError(
  IN NTSTATUS Status,
  IN ULONG NumberOfArguments,
  IN ULONG StringArgumentsMask,
  IN PULONG Arguments,
  IN HARDERROR_RESPONSE_OPTION ResponseOption,
  OUT PHARDERROR_RESPONSE Response);

/* Nominate the LPC port that receives hard-error messages (by name). */
NTOSAPI
NTSTATUS
NTAPI
ZwSetDefaultHardErrorPort(
  IN HANDLE PortHandle);

/* Write String to the boot/console display. */
NTOSAPI
NTSTATUS
NTAPI
ZwDisplayString(
  IN PUNICODE_STRING String);

/* Create or extend a paging file FileName with the given initial and
 * maximum sizes. Reserved has no defined meaning here. */
NTOSAPI
NTSTATUS
NTAPI
ZwCreatePagingFile(
  IN PUNICODE_STRING FileName,
  IN PULARGE_INTEGER InitialSize,
  IN PULARGE_INTEGER MaximumSize,
  IN ULONG Reserved);
typedef USHORT RTL_ATOM, *PRTL_ATOM;  /* atom handle used by the Nt*Atom routines below */
/* Add AtomName to the global atom table (or bump its reference if present)
 * and return its atom. AtomNameLength is presumably in bytes — confirm. */
NTOSAPI
NTSTATUS
NTAPI
NtAddAtom(
  IN PWSTR AtomName,
  IN ULONG AtomNameLength,
  OUT PRTL_ATOM Atom);

/* Look up AtomName without adding it. */
NTOSAPI
NTSTATUS
NTAPI
NtFindAtom(
  IN PWSTR AtomName,
  IN ULONG AtomNameLength,
  OUT PRTL_ATOM Atom);

/* Drop one reference to Atom. */
NTOSAPI
NTSTATUS
NTAPI
NtDeleteAtom(
  IN RTL_ATOM Atom);
/* Information classes for NtQueryInformationAtom; the buffers are
 * ATOM_BASIC_INFORMATION and ATOM_LIST_INFORMATION below. */
typedef enum _ATOM_INFORMATION_CLASS {
  AtomBasicInformation,
  AtomListInformation
} ATOM_INFORMATION_CLASS;
/* Query AtomInformationClass for Atom into AtomInformation
 * (AtomInformationLength bytes); ReturnLength, if supplied, presumably
 * receives the size required — confirm. */
NTOSAPI
NTSTATUS
NTAPI
NtQueryInformationAtom(
  IN RTL_ATOM Atom,
  IN ATOM_INFORMATION_CLASS AtomInformationClass,
  OUT PVOID AtomInformation,
  IN ULONG AtomInformationLength,
  OUT PULONG ReturnLength OPTIONAL);
/* Buffer for AtomBasicInformation. Name is variable-length (the [1] idiom);
 * NameLength is presumably in bytes — confirm, and do not assume NUL
 * termination when copying it out. */
typedef struct _ATOM_BASIC_INFORMATION {
  USHORT ReferenceCount;
  USHORT Pinned;          /* non-zero when the atom cannot be deleted (by name) */
  USHORT NameLength;
  WCHAR Name[1];
} ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION;
/* Buffer for AtomListInformation: NumberOfAtoms entries follow the count.
 * Note: the element type is ATOM, not the RTL_ATOM typedef introduced above;
 * both are presumably USHORT, but confirm before mixing them. */
typedef struct _ATOM_LIST_INFORMATION {
  ULONG NumberOfAtoms;
  ATOM Atoms[1];
} ATOM_LIST_INFORMATION, *PATOM_LIST_INFORMATION;
/* Install two LDT descriptors at once; each LDT_ENTRY is passed by value.
 * NOTE(review): descriptor contents come from the caller; the implementation
 * must validate them (a kernel-mode or otherwise privileged descriptor must
 * be rejected) before writing the LDT. */
NTOSAPI
NTSTATUS
NTAPI
ZwSetLdtEntries(
  IN ULONG Selector1,
  IN LDT_ENTRY LdtEntry1,
  IN ULONG Selector2,
  IN LDT_ENTRY LdtEntry2);

/* Virtual DOS machine control; ControlCode selects the operation and
 * ControlData its argument block (values not defined in this header). */
NTOSAPI
NTSTATUS
NTAPI
NtVdmControl(
  IN ULONG ControlCode,
  IN PVOID ControlData);
#pragma pack(pop)
#ifdef __cplusplus
}
#endif
#endif /* __NTAPI_H */