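/*
 * ntapi.h
 *
 * Windows NT Native API
 *
 * Most structures in this file are obtained from Windows NT/2000 Native API
 * Reference by Gary Nebbett, ISBN 1578701996.
 *
 * This file is part of the w32api package.
 *
 * Contributors:
 *   Created by Casper S. Hornstrup
 *
 * THIS SOFTWARE IS NOT COPYRIGHTED
 *
 * This source code is offered for use in the public domain. You may
 * use, modify or distribute it freely.
 *
 * This code is distributed in the hope that it will be useful but
 * WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY
 * DISCLAIMED. This includes but is not limited to warranties of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 */

/*
 * Reviewer notes on this listing:
 *  - Line structure has been restored. With the text collapsed onto a few
 *    physical lines, each preprocessor directive and the one `//` comment in
 *    SYSTEM_INFORMATION_CLASS absorbed everything that followed on the line.
 *  - The header declares types, constants and prototypes only; it contains
 *    no function bodies.
 *  - Many fields that hold sizes, addresses or ids are declared ULONG or
 *    USHORT. NOTE(review): that matches the 32-bit NT/2000 reference cited
 *    above; confirm every layout against the target system before parsing
 *    buffers with these structures.
 */

#ifndef __NTAPI_H
#define __NTAPI_H

#if __GNUC__ >=3
#pragma GCC system_header
#endif

#ifdef __cplusplus
extern "C" {
#endif

/* All structures below are declared under 4-byte packing. The matching
   pop is not in this part of the file. */
#pragma pack(push,4)

/* NOTE(review): the two angle-bracket header names below were stripped when
   this page was extracted; restore them from the upstream w32api source. */
#include
#include
#include "ntddk.h"
#include "ntpoapi.h"

typedef struct _PEB *PPEB;

/* FIXME: Unknown definitions */
typedef PVOID POBJECT_TYPE_LIST;
typedef PVOID PEXECUTION_STATE;
typedef PVOID PLANGID;


/* System information and control */

/*
 * Selector taken by NtQuerySystemInformation, ZwQuerySystemInformation and
 * ZwSetSystemInformation (declared further down). Several numeric values
 * carry two names.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
  SystemInformationClassMin = 0,
  SystemBasicInformation = 0,
  SystemProcessorInformation = 1,
  SystemPerformanceInformation = 2,
  SystemTimeOfDayInformation = 3,
  SystemPathInformation = 4,
  SystemNotImplemented1 = 4,
  SystemProcessInformation = 5,
  SystemProcessesAndThreadsInformation = 5,
  SystemCallCountInfoInformation = 6,
  SystemCallCounts = 6,
  SystemDeviceInformation = 7,
  SystemConfigurationInformation = 7,
  SystemProcessorPerformanceInformation = 8,
  SystemProcessorTimes = 8,
  SystemFlagsInformation = 9,
  SystemGlobalFlag = 9,
  SystemCallTimeInformation = 10,
  SystemNotImplemented2 = 10,
  SystemModuleInformation = 11,
  SystemLocksInformation = 12,
  SystemLockInformation = 12,
  SystemStackTraceInformation = 13,
  SystemNotImplemented3 = 13,
  SystemPagedPoolInformation = 14,
  SystemNotImplemented4 = 14,
  SystemNonPagedPoolInformation = 15,
  SystemNotImplemented5 = 15,
  SystemHandleInformation = 16,
  SystemObjectInformation = 17,
  SystemPageFileInformation = 18,
  SystemPagefileInformation = 18,
  SystemVdmInstemulInformation = 19,
  SystemInstructionEmulationCounts = 19,
  SystemVdmBopInformation = 20,
  SystemInvalidInfoClass1 = 20,
  SystemFileCacheInformation = 21,
  SystemCacheInformation = 21,
  SystemPoolTagInformation = 22,
  SystemInterruptInformation = 23,
  SystemProcessorStatistics = 23,
  SystemDpcBehaviourInformation = 24,
  SystemDpcInformation = 24,
  SystemFullMemoryInformation = 25,
  SystemNotImplemented6 = 25,
  SystemLoadImage = 26,
  SystemUnloadImage = 27,
  SystemTimeAdjustmentInformation = 28,
  SystemTimeAdjustment = 28,
  SystemSummaryMemoryInformation = 29,
  SystemNotImplemented7 = 29,
  SystemNextEventIdInformation = 30,
  SystemNotImplemented8 = 30,
  SystemEventIdsInformation = 31,
  SystemNotImplemented9 = 31,
  SystemCrashDumpInformation = 32,
  SystemExceptionInformation = 33,
  SystemCrashDumpStateInformation = 34,
  SystemKernelDebuggerInformation = 35,
  SystemContextSwitchInformation = 36,
  SystemRegistryQuotaInformation = 37,
  SystemLoadAndCallImage = 38,
  SystemPrioritySeparation = 39,
  SystemPlugPlayBusInformation = 40,
  SystemNotImplemented10 = 40,
  SystemDockInformation = 41,
  SystemNotImplemented11 = 41,
  //SystemPowerInformation = 42, Conflicts with POWER_INFORMATION_LEVEL
  SystemInvalidInfoClass2 = 42,
  SystemProcessorSpeedInformation = 43,
  SystemInvalidInfoClass3 = 43,
  SystemCurrentTimeZoneInformation = 44,
  SystemTimeZoneInformation = 44,
  SystemLookasideInformation = 45,
  SystemSetTimeSlipEvent = 46,
  SystemCreateSession = 47,
  SystemDeleteSession = 48,
  SystemInvalidInfoClass4 = 49,
  SystemRangeStartInformation = 50,
  SystemVerifierInformation = 51,
  SystemAddVerifier = 52,
  SystemSessionProcessesInformation = 53,
  SystemInformationClassMax
} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_BASIC_INFORMATION {
  ULONG Unknown;
  ULONG MaximumIncrement;
  ULONG PhysicalPageSize;
  ULONG NumberOfPhysicalPages;
  ULONG LowestPhysicalPage;
  ULONG HighestPhysicalPage;
  ULONG AllocationGranularity;
  ULONG LowestUserAddress;
  ULONG HighestUserAddress;
  ULONG ActiveProcessors;
  UCHAR NumberProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_INFORMATION {
  USHORT ProcessorArchitecture;
  USHORT ProcessorLevel;
  USHORT ProcessorRevision;
  USHORT Unknown;
  ULONG FeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;

typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
  LARGE_INTEGER IdleTime;
  LARGE_INTEGER ReadTransferCount;
  LARGE_INTEGER WriteTransferCount;
  LARGE_INTEGER OtherTransferCount;
  ULONG ReadOperationCount;
  ULONG WriteOperationCount;
  ULONG OtherOperationCount;
  ULONG AvailablePages;
  ULONG TotalCommittedPages;
  ULONG TotalCommitLimit;
  ULONG PeakCommitment;
  ULONG PageFaults;
  ULONG WriteCopyFaults;
  ULONG TransitionFaults;
  ULONG CacheTransitionFaults;
  ULONG DemandZeroFaults;
  ULONG PagesRead;
  ULONG PageReadIos;
  ULONG CacheReads;
  ULONG CacheIos;
  ULONG PagefilePagesWritten;
  ULONG PagefilePageWriteIos;
  ULONG MappedFilePagesWritten;
  ULONG MappedFilePageWriteIos;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG PagedPoolAllocs;
  ULONG PagedPoolFrees;
  ULONG NonPagedPoolAllocs;
  ULONG NonPagedPoolFrees;
  ULONG TotalFreeSystemPtes;
  ULONG SystemCodePage;
  ULONG TotalSystemDriverPages;
  ULONG TotalSystemCodePages;
  ULONG SmallNonPagedLookasideListAllocateHits;
  ULONG SmallPagedLookasideListAllocateHits;
  ULONG Reserved3;
  ULONG MmSystemCachePage;
  ULONG PagedPoolPage;
  ULONG SystemDriverPage;
  ULONG FastReadNoWait;
  ULONG FastReadWait;
  ULONG FastReadResourceMiss;
  ULONG FastReadNotPossible;
  ULONG FastMdlReadNoWait;
  ULONG FastMdlReadWait;
  ULONG FastMdlReadResourceMiss;
  ULONG FastMdlReadNotPossible;
  ULONG MapDataNoWait;
  ULONG MapDataWait;
  ULONG MapDataNoWaitMiss;
  ULONG MapDataWaitMiss;
  ULONG PinMappedDataCount;
  ULONG PinReadNoWait;
  ULONG PinReadWait;
  ULONG PinReadNoWaitMiss;
  ULONG PinReadWaitMiss;
  ULONG CopyReadNoWait;
  ULONG CopyReadWait;
  ULONG CopyReadNoWaitMiss;
  ULONG CopyReadWaitMiss;
  ULONG MdlReadNoWait;
  ULONG MdlReadWait;
  ULONG MdlReadNoWaitMiss;
  ULONG MdlReadWaitMiss;
  ULONG ReadAheadIos;
  ULONG LazyWriteIos;
  ULONG LazyWritePages;
  ULONG DataFlushes;
  ULONG DataPages;
  ULONG ContextSwitches;
  ULONG FirstLevelTbFills;
  ULONG SecondLevelTbFills;
  ULONG SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;

typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
  LARGE_INTEGER BootTime;
  LARGE_INTEGER CurrentTime;
  LARGE_INTEGER TimeZoneBias;
  ULONG CurrentTimeZoneId;
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;

typedef struct _VM_COUNTERS {
  ULONG PeakVirtualSize;
  ULONG VirtualSize;
  ULONG PageFaultCount;
  ULONG PeakWorkingSetSize;
  ULONG WorkingSetSize;
  ULONG QuotaPeakPagedPoolUsage;
  ULONG QuotaPagedPoolUsage;
  ULONG QuotaPeakNonPagedPoolUsage;
  ULONG QuotaNonPagedPoolUsage;
  ULONG PagefileUsage;
  ULONG PeakPagefileUsage;
} VM_COUNTERS;

typedef enum _THREAD_STATE {
  StateInitialized,
  StateReady,
  StateRunning,
  StateStandby,
  StateTerminated,
  StateWait,
  StateTransition,
  StateUnknown
} THREAD_STATE;

typedef struct _SYSTEM_THREADS {
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER CreateTime;
  ULONG WaitTime;
  PVOID StartAddress;
  CLIENT_ID ClientId;
  KPRIORITY Priority;
  KPRIORITY BasePriority;
  ULONG ContextSwitchCount;
  THREAD_STATE State;
  KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

/*
 * Threads is declared with a single element, so sizeof() does not describe
 * a real record. NOTE(review): presumably ThreadCount gives the number of
 * entries and NextEntryDelta the byte offset of the next record; a parser
 * should bound both by the length the query returned before following them.
 */
typedef struct _SYSTEM_PROCESSES {
  ULONG NextEntryDelta;
  ULONG ThreadCount;
  ULONG Reserved1[6];
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER KernelTime;
  UNICODE_STRING ProcessName;
  KPRIORITY BasePriority;
  ULONG ProcessId;
  ULONG InheritedFromProcessId;
  ULONG HandleCount;
  ULONG Reserved2[2];
  VM_COUNTERS VmCounters;
  IO_COUNTERS IoCounters;
  SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

/*
 * Two array members follow each other here. NOTE(review): if the first is
 * really variable-length, the declared offset of CallCounts is not the
 * runtime offset - confirm before indexing it.
 */
typedef struct _SYSTEM_CALLS_INFORMATION {
  ULONG Size;
  ULONG NumberOfDescriptorTables;
  ULONG NumberOfRoutinesInTable[1];
  ULONG CallCounts[ANYSIZE_ARRAY];
} SYSTEM_CALLS_INFORMATION, *PSYSTEM_CALLS_INFORMATION;

typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
  ULONG DiskCount;
  ULONG FloppyCount;
  ULONG CdRomCount;
  ULONG TapeCount;
  ULONG SerialCount;
  ULONG ParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_TIMES {
  LARGE_INTEGER IdleTime;
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER DpcTime;
  LARGE_INTEGER InterruptTime;
  ULONG InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;

/* SYSTEM_GLOBAL_FLAG.GlobalFlag constants */
#define FLG_STOP_ON_EXCEPTION 0x00000001
#define FLG_SHOW_LDR_SNAPS 0x00000002
#define FLG_DEBUG_INITIAL_COMMAND 0x00000004
#define FLG_STOP_ON_HUNG_GUI 0x00000008
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010
#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020
#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040
#define FLG_HEAP_VALIDATE_ALL 0x00000080
#define FLG_POOL_ENABLE_TAIL_CHECK 0x00000100
#define FLG_POOL_ENABLE_FREE_CHECK 0x00000200
#define FLG_POOL_ENABLE_TAGGING 0x00000400
#define FLG_HEAP_ENABLE_TAGGING 0x00000800
#define FLG_USER_STACK_TRACE_DB 0x00001000
#define FLG_KERNEL_STACK_TRACE_DB 0x00002000
#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000
#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000
#define FLG_IGNORE_DEBUG_PRIV 0x00010000
#define FLG_ENABLE_CSRDEBUG 0x00020000
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000
#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000
#define FLG_HEAP_ENABLE_CALL_TRACING 0x00100000
#define FLG_HEAP_DISABLE_COALESCING 0x00200000
#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000
#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000
#define FLG_ENABLE_DBGPRINT_BUFFERING 0x08000000

typedef struct _SYSTEM_GLOBAL_FLAG {
  ULONG GlobalFlag;
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;

/*
 * ImageName is a fixed 256-byte CHAR array; nothing in this declaration
 * guarantees a terminating NUL, so bound any read by the array size.
 * NOTE(review): given the structure name, Base is presumably the load
 * address of a system module; treat it as sensitive in logs - confirm.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
  ULONG Unknown1;
  ULONG Unknown2;
  PVOID Base;
  ULONG Size;
  ULONG Flags;
  USHORT Index;
  /* Length of module name not including the path, this
     field contains valid value only for NTOSKRNL module */
  USHORT NameLength;
  USHORT LoadCount;
  USHORT PathLength;
  CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

/* Module is declared with one element; Count is the only length field. */
typedef struct _SYSTEM_MODULE_INFORMATION {
  ULONG Count;
  SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _SYSTEM_LOCK_INFORMATION {
  PVOID Address;
  USHORT Type;
  USHORT Reserved1;
  ULONG ExclusiveOwnerThreadId;
  ULONG ActiveCount;
  ULONG ContentionCount;
  ULONG Reserved2[2];
  ULONG NumberOfSharedWaiters;
  ULONG NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

/* SYSTEM_HANDLE_INFORMATION.Flags constants.
   The bit values here are the reverse of HANDLE_FLAG_INHERIT and
   HANDLE_FLAG_PROTECT_FROM_CLOSE defined later in this file. */
#define PROTECT_FROM_CLOSE 0x01
#define INHERIT 0x02

/* Handle is declared USHORT, so it holds only 16 bits of a handle value;
   Object is a raw pointer value. */
typedef struct _SYSTEM_HANDLE_INFORMATION {
  ULONG ProcessId;
  UCHAR ObjectTypeNumber;
  UCHAR Flags;
  USHORT Handle;
  PVOID Object;
  ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
  ULONG NextEntryOffset;
  ULONG ObjectCount;
  ULONG HandleCount;
  ULONG TypeNumber;
  ULONG InvalidAttributes;
  GENERIC_MAPPING GenericMapping;
  ACCESS_MASK ValidAccessMask;
  POOL_TYPE PoolType;
  UCHAR Unknown;
  UNICODE_STRING Name;
} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;

/* SYSTEM_OBJECT_INFORMATION.Flags constants */
#define FLG_SYSOBJINFO_SINGLE_HANDLE_ENTRY 0x40
#define FLG_SYSOBJINFO_DEFAULT_SECURITY_QUOTA 0x20
#define FLG_SYSOBJINFO_PERMANENT 0x10
#define FLG_SYSOBJINFO_EXCLUSIVE 0x08
#define FLG_SYSOBJINFO_CREATOR_INFO 0x04
#define FLG_SYSOBJINFO_KERNEL_MODE 0x02

typedef struct _SYSTEM_OBJECT_INFORMATION {
  ULONG NextEntryOffset;
  PVOID Object;
  ULONG CreatorProcessId;
  USHORT Unknown;
  USHORT Flags;
  ULONG PointerCount;
  ULONG HandleCount;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG ExclusiveProcessId;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
  UNICODE_STRING Name;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;

typedef struct _SYSTEM_PAGEFILE_INFORMATION {
  ULONG NextEntryOffset;
  ULONG CurrentSize;
  ULONG TotalUsed;
  ULONG PeakUsed;
  UNICODE_STRING FileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;

typedef struct _SYSTEM_INSTRUCTION_EMULATION_INFORMATION {
  ULONG SegmentNotPresent;
  ULONG TwoByteOpcode;
  ULONG ESprefix;
  ULONG CSprefix;
  ULONG SSprefix;
  ULONG DSprefix;
  ULONG FSPrefix;
  ULONG GSprefix;
  ULONG OPER32prefix;
  ULONG ADDR32prefix;
  ULONG INSB;
  ULONG INSW;
  ULONG OUTSB;
  ULONG OUTSW;
  ULONG PUSHFD;
  ULONG POPFD;
  ULONG INTnn;
  ULONG INTO;
  ULONG IRETD;
  ULONG INBimm;
  ULONG INWimm;
  ULONG OUTBimm;
  ULONG OUTWimm;
  ULONG INB;
  ULONG INW;
  ULONG OUTB;
  ULONG OUTW;
  ULONG LOCKprefix;
  ULONG REPNEprefix;
  ULONG REPprefix;
  ULONG HLT;
  ULONG CLI;
  ULONG STI;
  ULONG GenericInvalidOpcode;
} SYSTEM_INSTRUCTION_EMULATION_INFORMATION, *PSYSTEM_INSTRUCTION_EMULATION_INFORMATION;

/* Tag is four CHARs with no room for a terminator; do not print it as a
   C string. */
typedef struct _SYSTEM_POOL_TAG_INFORMATION {
  CHAR Tag[4];
  ULONG PagedPoolAllocs;
  ULONG PagedPoolFrees;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolAllocs;
  ULONG NonPagedPoolFrees;
  ULONG NonPagedPoolUsage;
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_STATISTICS {
  ULONG ContextSwitches;
  ULONG DpcCount;
  ULONG DpcRequestRate;
  ULONG TimeIncrement;
  ULONG DpcBypassCount;
  ULONG ApcBypassCount;
} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;

typedef struct _SYSTEM_DPC_INFORMATION {
  ULONG Reserved;
  ULONG MaximumDpcQueueDepth;
  ULONG MinimumDpcRate;
  ULONG AdjustDpcThreshold;
  ULONG IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;

typedef struct _SYSTEM_LOAD_IMAGE {
  UNICODE_STRING ModuleName;
  PVOID ModuleBase;
  PVOID SectionPointer;
  PVOID EntryPoint;
  PVOID ExportDirectory;
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;

typedef struct _SYSTEM_UNLOAD_IMAGE {
  PVOID ModuleBase;
} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;

typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
  ULONG TimeAdjustment;
  ULONG MaximumIncrement;
  BOOLEAN TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;

typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
  ULONG TimeAdjustment;
  BOOLEAN TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;

typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
  HANDLE CrashDumpSectionHandle;
  HANDLE Unknown;
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

typedef struct _SYSTEM_EXCEPTION_INFORMATION {
  ULONG AlignmentFixupCount;
  ULONG ExceptionDispatchCount;
  ULONG FloatingEmulationCount;
  ULONG Reserved;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
  ULONG CrashDumpSectionExists;
  ULONG Unknown;
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;

typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
  BOOLEAN DebuggerEnabled;
  BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
  ULONG ContextSwitches;
  ULONG ContextSwitchCounters[11];
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;

typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
  ULONG RegistryQuota;
  ULONG RegistryQuotaInUse;
  ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

/* Input for the SystemLoadAndCallImage class: a single module name.
   NOTE(review): by its name this class loads an image into the system, so
   calls that use it are worth auditing - confirm semantics in the cited
   reference. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
  UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

typedef struct _SYSTEM_PRIORITY_SEPARATION {
  ULONG PrioritySeparation;
} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;

typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
  LONG Bias;
  WCHAR StandardName[32];
  LARGE_INTEGER StandardDate;
  LONG StandardBias;
  WCHAR DaylightName[32];
  LARGE_INTEGER DaylightDate;
  LONG DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;

typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
  USHORT Depth;
  USHORT MaximumDepth;
  ULONG TotalAllocates;
  ULONG AllocateMisses;
  ULONG TotalFrees;
  ULONG FreeMisses;
  POOL_TYPE Type;
  ULONG Tag;
  ULONG Size;
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;

typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
  HANDLE TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;

typedef struct _SYSTEM_CREATE_SESSION {
  ULONG SessionId;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;

typedef struct _SYSTEM_DELETE_SESSION {
  ULONG SessionId;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;

typedef struct _SYSTEM_RANGE_START_INFORMATION {
  PVOID SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;

/* Carries a caller-owned Buffer together with its BufferSize. */
typedef struct _SYSTEM_SESSION_PROCESSES_INFORMATION {
  ULONG SessionId;
  ULONG BufferSize;
  PVOID Buffer;
} SYSTEM_SESSION_PROCESSES_INFORMATION, *PSYSTEM_SESSION_PROCESSES_INFORMATION;

typedef struct _SYSTEM_POOL_BLOCK {
  BOOLEAN Allocated;
  USHORT Unknown;
  ULONG Size;
  CHAR Tag[4];
} SYSTEM_POOL_BLOCK, *PSYSTEM_POOL_BLOCK;

/* PoolBlocks is declared with one element; NumberOfBlocks is the only
   count field. */
typedef struct _SYSTEM_POOL_BLOCKS_INFORMATION {
  ULONG PoolSize;
  PVOID PoolBase;
  USHORT Unknown;
  ULONG NumberOfBlocks;
  SYSTEM_POOL_BLOCK PoolBlocks[1];
} SYSTEM_POOL_BLOCKS_INFORMATION, *PSYSTEM_POOL_BLOCKS_INFORMATION;

typedef struct _SYSTEM_MEMORY_USAGE {
  PVOID Name;
  USHORT Valid;
  USHORT Standby;
  USHORT Modified;
  USHORT PageTables;
} SYSTEM_MEMORY_USAGE, *PSYSTEM_MEMORY_USAGE;

/* MemoryUsage is declared with one element; EndOfData is a pointer rather
   than a count. */
typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION {
  ULONG Reserved;
  PVOID EndOfData;
  SYSTEM_MEMORY_USAGE MemoryUsage[1];
} SYSTEM_MEMORY_USAGE_INFORMATION, *PSYSTEM_MEMORY_USAGE_INFORMATION;

/*
 * The query prototypes in this file share one shape: an information class,
 * a caller-supplied buffer with its length, and an optional ReturnLength
 * output. Check the returned NTSTATUS before reading the buffer, and bound
 * every offset or count found inside it by the length actually returned.
 */
NTOSAPI NTSTATUS NTAPI
NtQuerySystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  IN OUT PVOID SystemInformation,
  IN ULONG SystemInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwQuerySystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  IN OUT PVOID SystemInformation,
  IN ULONG SystemInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwSetSystemInformation(
  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
  IN OUT PVOID SystemInformation,
  IN ULONG SystemInformationLength);

NTOSAPI NTSTATUS NTAPI
ZwQuerySystemEnvironmentValue(
  IN PUNICODE_STRING Name,
  OUT PVOID Value,
  IN ULONG ValueLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwSetSystemEnvironmentValue(
  IN PUNICODE_STRING Name,
  IN PUNICODE_STRING Value);

typedef enum _SHUTDOWN_ACTION {
  ShutdownNoReboot,
  ShutdownReboot,
  ShutdownPowerOff
} SHUTDOWN_ACTION;

NTOSAPI NTSTATUS NTAPI
NtShutdownSystem(
  IN SHUTDOWN_ACTION Action);

/* Control codes start at 1; DebugMaximum is the value after the last one. */
typedef enum _DEBUG_CONTROL_CODE {
  DebugGetTraceInformation = 1,
  DebugSetInternalBreakpoint,
  DebugSetSpecialCall,
  DebugClearSpecialCalls,
  DebugQuerySpecialCalls,
  DebugDbgBreakPoint,
  DebugMaximum
} DEBUG_CONTROL_CODE;

NTOSAPI NTSTATUS NTAPI
ZwSystemDebugControl(
  IN DEBUG_CONTROL_CODE ControlCode,
  IN PVOID InputBuffer OPTIONAL,
  IN ULONG InputBufferLength,
  OUT PVOID OutputBuffer OPTIONAL,
  IN ULONG OutputBufferLength,
  OUT PULONG ReturnLength OPTIONAL);


/* Objects, Object directories, and symbolic links */

typedef enum _OBJECT_INFORMATION_CLASS {
  ObjectBasicInformation,
  ObjectNameInformation,
  ObjectTypeInformation,
  ObjectAllTypesInformation,
  ObjectHandleInformation
} OBJECT_INFORMATION_CLASS;

NTOSAPI NTSTATUS NTAPI
ZwQueryObject(
  IN HANDLE ObjectHandle,
  IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
  OUT PVOID ObjectInformation,
  IN ULONG ObjectInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwSetInformationObject(
  IN HANDLE ObjectHandle,
  IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
  IN PVOID ObjectInformation,
  IN ULONG ObjectInformationLength);

/* OBJECT_BASIC_INFORMATION.Attributes constants.
   PERMANENT and EXCLUSIVE (like INHERIT above) are short, unprefixed macro
   names and can collide with identifiers in code that includes this file. */
#define HANDLE_FLAG_INHERIT 0x01
#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x02
#define PERMANENT 0x10
#define EXCLUSIVE 0x20

typedef struct _OBJECT_BASIC_INFORMATION {
  ULONG Attributes;
  ACCESS_MASK GrantedAccess;
  ULONG HandleCount;
  ULONG PointerCount;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG Reserved[3];
  ULONG NameInformationLength;
  ULONG TypeInformationLength;
  ULONG SecurityDescriptorLength;
  LARGE_INTEGER CreateTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
#if 0
// FIXME: Enable later
typedef struct _OBJECT_TYPE_INFORMATION {
  UNICODE_STRING Name;
  ULONG ObjectCount;
  ULONG HandleCount;
  ULONG Reserved1[4];
  ULONG PeakObjectCount;
  ULONG PeakHandleCount;
  ULONG Reserved2[4];
  ULONG InvalidAttributes;
  GENERIC_MAPPING GenericMapping;
  ULONG ValidAccess;
  UCHAR Unknown;
  BOOLEAN MaintainHandleDatabase;
  POOL_TYPE PoolType;
  ULONG PagedPoolUsage;
  ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_ALL_TYPES_INFORMATION {
  ULONG NumberOfTypes;
  OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
#endif
typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION {
  BOOLEAN Inherit;
  BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION;

/* Takes a source and a target process handle, so a handle can be copied
   between two processes named by the caller. */
NTOSAPI NTSTATUS NTAPI
NtDuplicateObject(
  IN HANDLE SourceProcessHandle,
  IN HANDLE SourceHandle,
  IN HANDLE TargetProcessHandle,
  OUT PHANDLE TargetHandle OPTIONAL,
  IN ACCESS_MASK DesiredAccess,
  IN ULONG Attributes,
  IN ULONG Options);

NTOSAPI NTSTATUS NTAPI
ZwDuplicateObject(
  IN HANDLE SourceProcessHandle,
  IN HANDLE SourceHandle,
  IN HANDLE TargetProcessHandle,
  OUT PHANDLE TargetHandle OPTIONAL,
  IN ACCESS_MASK DesiredAccess,
  IN ULONG Attributes,
  IN ULONG Options);

/* ReturnLength is not marked OPTIONAL on the two query prototypes below. */
NTOSAPI NTSTATUS NTAPI
NtQuerySecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN ULONG SecurityDescriptorLength,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
ZwQuerySecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN ULONG SecurityDescriptorLength,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
NtSetSecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor);

NTOSAPI NTSTATUS NTAPI
ZwSetSecurityObject(
  IN HANDLE Handle,
  IN SECURITY_INFORMATION SecurityInformation,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor);

NTOSAPI NTSTATUS NTAPI
ZwOpenDirectoryObject(
  OUT PHANDLE DirectoryHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwQueryDirectoryObject(
  IN HANDLE DirectoryHandle,
  OUT PVOID Buffer,
  IN ULONG BufferLength,
  IN BOOLEAN ReturnSingleEntry,
  IN BOOLEAN RestartScan,
  IN OUT PULONG Context,
  OUT PULONG ReturnLength OPTIONAL);

typedef struct _DIRECTORY_BASIC_INFORMATION {
  UNICODE_STRING ObjectName;
  UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

NTOSAPI NTSTATUS NTAPI
ZwCreateSymbolicLinkObject(
  OUT PHANDLE SymbolicLinkHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PUNICODE_STRING TargetName);


/* Virtual memory */

/*
 * Most prototypes in this section take a ProcessHandle, so the address
 * range they act on belongs to whichever process that handle names.
 * NOTE(review): calls where that handle is not the caller's own process
 * are a useful thing to log and review - confirm against local policy.
 */

typedef enum _MEMORY_INFORMATION_CLASS {
  MemoryBasicInformation,
  MemoryWorkingSetList,
  MemorySectionName,
  MemoryBasicVlmInformation
} MEMORY_INFORMATION_CLASS;

NTOSAPI NTSTATUS NTAPI
NtAllocateVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN ULONG ZeroBits,
  IN OUT PULONG AllocationSize,
  IN ULONG AllocationType,
  IN ULONG Protect);

NTOSAPI NTSTATUS NTAPI
ZwAllocateVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN ULONG ZeroBits,
  IN OUT PULONG AllocationSize,
  IN ULONG AllocationType,
  IN ULONG Protect);

NTOSAPI NTSTATUS NTAPI
NtFreeVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG FreeSize,
  IN ULONG FreeType);

NTOSAPI NTSTATUS NTAPI
ZwFreeVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG FreeSize,
  IN ULONG FreeType);

NTOSAPI NTSTATUS NTAPI
ZwQueryVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
  OUT PVOID MemoryInformation,
  IN ULONG MemoryInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* MEMORY_WORKING_SET_LIST.WorkingSetList constants */
#define WSLE_PAGE_READONLY 0x001
#define WSLE_PAGE_EXECUTE 0x002
#define WSLE_PAGE_READWRITE 0x004
#define WSLE_PAGE_EXECUTE_READ 0x003
#define WSLE_PAGE_WRITECOPY 0x005
#define WSLE_PAGE_EXECUTE_READWRITE 0x006
#define WSLE_PAGE_EXECUTE_WRITECOPY 0x007
#define WSLE_PAGE_SHARE_COUNT_MASK 0x0E0
#define WSLE_PAGE_SHAREABLE 0x100

/* WorkingSetList is declared with one element; NumberOfPages is the only
   count field. */
typedef struct _MEMORY_WORKING_SET_LIST {
  ULONG NumberOfPages;
  ULONG WorkingSetList[1];
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;

typedef struct _MEMORY_SECTION_NAME {
  UNICODE_STRING SectionFileName;
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;

/* Zw[Lock|Unlock]VirtualMemory.LockType constants */
#define LOCK_VM_IN_WSL 0x01
#define LOCK_VM_IN_RAM 0x02

NTOSAPI NTSTATUS NTAPI
ZwLockVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG LockSize,
  IN ULONG LockType);

NTOSAPI NTSTATUS NTAPI
ZwUnlockVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG LockSize,
  IN ULONG LockType);

NTOSAPI NTSTATUS NTAPI
ZwReadVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  OUT PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwWriteVirtualMemory(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwProtectVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG ProtectSize,
  IN ULONG NewProtect,
  OUT PULONG OldProtect);

NTOSAPI NTSTATUS NTAPI
ZwFlushVirtualMemory(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN OUT PULONG FlushSize,
  OUT PIO_STATUS_BLOCK IoStatusBlock);

/* NumberOfPages is IN here but IN OUT on ZwFreeUserPhysicalPages below. */
NTOSAPI NTSTATUS NTAPI
ZwAllocateUserPhysicalPages(
  IN HANDLE ProcessHandle,
  IN PULONG NumberOfPages,
  OUT PULONG PageFrameNumbers);

NTOSAPI NTSTATUS NTAPI
ZwFreeUserPhysicalPages(
  IN HANDLE ProcessHandle,
  IN OUT PULONG NumberOfPages,
  IN PULONG PageFrameNumbers);

NTOSAPI NTSTATUS NTAPI
ZwMapUserPhysicalPages(
  IN PVOID BaseAddress,
  IN PULONG NumberOfPages,
  IN PULONG PageFrameNumbers);

NTOSAPI NTSTATUS NTAPI
ZwMapUserPhysicalPagesScatter(
  IN PVOID *BaseAddresses,
  IN PULONG NumberOfPages,
  IN PULONG PageFrameNumbers);

NTOSAPI NTSTATUS NTAPI
ZwGetWriteWatch(
  IN HANDLE ProcessHandle,
  IN ULONG Flags,
  IN PVOID BaseAddress,
  IN ULONG RegionSize,
  OUT PULONG Buffer,
  IN OUT PULONG BufferEntries,
  OUT PULONG Granularity);

NTOSAPI NTSTATUS NTAPI
ZwResetWriteWatch(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress,
  IN ULONG RegionSize);


/* Sections */

typedef enum _SECTION_INFORMATION_CLASS {
  SectionBasicInformation,
  SectionImageInformation
} SECTION_INFORMATION_CLASS;

NTOSAPI NTSTATUS NTAPI
NtCreateSection(
  OUT PHANDLE SectionHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PLARGE_INTEGER SectionSize OPTIONAL,
  IN ULONG Protect,
  IN ULONG Attributes,
  IN HANDLE FileHandle);

NTOSAPI NTSTATUS NTAPI
ZwCreateSection(
  OUT PHANDLE SectionHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PLARGE_INTEGER SectionSize OPTIONAL,
  IN ULONG Protect,
  IN ULONG Attributes,
  IN HANDLE FileHandle);

/* The optional output is named ResultLength here, not ReturnLength. */
NTOSAPI NTSTATUS NTAPI
ZwQuerySection(
  IN HANDLE SectionHandle,
  IN SECTION_INFORMATION_CLASS SectionInformationClass,
  OUT PVOID SectionInformation,
  IN ULONG SectionInformationLength,
  OUT PULONG ResultLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwExtendSection(
  IN HANDLE SectionHandle,
  IN PLARGE_INTEGER SectionSize);

NTOSAPI NTSTATUS NTAPI
ZwAreMappedFilesTheSame(
  IN PVOID Address1,
  IN PVOID Address2);


/* Threads */

typedef struct _USER_STACK {
  PVOID FixedStackBase;
  PVOID FixedStackLimit;
  PVOID ExpandableStackBase;
  PVOID ExpandableStackLimit;
  PVOID ExpandableStackBottom;
} USER_STACK, *PUSER_STACK;

/* The new thread is created in the process named by ProcessHandle, with a
   caller-supplied initial context and stack description. */
NTOSAPI NTSTATUS NTAPI
ZwCreateThread(
  OUT PHANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN HANDLE ProcessHandle,
  OUT PCLIENT_ID ClientId,
  IN PCONTEXT ThreadContext,
  IN PUSER_STACK UserStack,
  IN BOOLEAN CreateSuspended);

NTOSAPI NTSTATUS NTAPI
NtOpenThread(
  OUT PHANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PCLIENT_ID ClientId);

NTOSAPI NTSTATUS NTAPI
ZwOpenThread(
  OUT PHANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN PCLIENT_ID ClientId);

NTOSAPI NTSTATUS NTAPI
ZwTerminateThread(
  IN HANDLE ThreadHandle OPTIONAL,
  IN NTSTATUS ExitStatus);

NTOSAPI NTSTATUS NTAPI
NtQueryInformationThread(
  IN HANDLE ThreadHandle,
  IN THREADINFOCLASS ThreadInformationClass,
  OUT PVOID ThreadInformation,
  IN ULONG ThreadInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwQueryInformationThread(
  IN HANDLE ThreadHandle,
  IN THREADINFOCLASS ThreadInformationClass,
  OUT PVOID ThreadInformation,
  IN ULONG ThreadInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
NtSetInformationThread(
  IN HANDLE ThreadHandle,
  IN THREADINFOCLASS ThreadInformationClass,
  IN PVOID ThreadInformation,
  IN ULONG ThreadInformationLength);

typedef struct _THREAD_BASIC_INFORMATION {
  NTSTATUS ExitStatus;
  PNT_TIB TebBaseAddress;
  CLIENT_ID ClientId;
  KAFFINITY AffinityMask;
  KPRIORITY Priority;
  KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

typedef struct _KERNEL_USER_TIMES {
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER ExitTime;
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;

NTOSAPI NTSTATUS NTAPI
ZwSuspendThread(
  IN HANDLE ThreadHandle,
  OUT PULONG PreviousSuspendCount OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwResumeThread(
  IN HANDLE ThreadHandle,
  OUT PULONG PreviousSuspendCount OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwGetContextThread(
  IN HANDLE ThreadHandle,
  OUT PCONTEXT Context);

NTOSAPI NTSTATUS NTAPI
ZwSetContextThread(
  IN HANDLE ThreadHandle,
  IN PCONTEXT Context);

NTOSAPI NTSTATUS NTAPI
ZwQueueApcThread(
  IN HANDLE ThreadHandle,
  IN PKNORMAL_ROUTINE ApcRoutine,
  IN PVOID ApcContext OPTIONAL,
  IN PVOID Argument1 OPTIONAL,
  IN PVOID Argument2 OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwTestAlert(
  VOID);

NTOSAPI NTSTATUS NTAPI
ZwAlertThread(
  IN HANDLE ThreadHandle);

NTOSAPI NTSTATUS NTAPI
ZwAlertResumeThread(
  IN HANDLE ThreadHandle,
  OUT PULONG PreviousSuspendCount OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwRegisterThreadTerminatePort(
  IN HANDLE PortHandle);

NTOSAPI NTSTATUS NTAPI
ZwImpersonateThread(
  IN HANDLE ThreadHandle,
  IN HANDLE TargetThreadHandle,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos);

NTOSAPI NTSTATUS NTAPI
ZwImpersonateAnonymousToken(
  IN HANDLE ThreadHandle);


/* Processes */

/* NOTE(review): ZwCreateProcess is declared twice with identical parameter
   lists. Other entry points in this file come as Nt/Zw pairs, so the first
   declaration was possibly meant to be the Nt form - confirm against
   upstream before changing it. */
NTOSAPI NTSTATUS NTAPI
ZwCreateProcess(
  OUT PHANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN HANDLE InheritFromProcessHandle,
  IN BOOLEAN InheritHandles,
  IN HANDLE SectionHandle OPTIONAL,
  IN HANDLE DebugPort OPTIONAL,
  IN HANDLE ExceptionPort OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwCreateProcess(
  OUT PHANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN HANDLE InheritFromProcessHandle,
  IN BOOLEAN InheritHandles,
  IN HANDLE SectionHandle OPTIONAL,
  IN HANDLE DebugPort OPTIONAL,
  IN HANDLE ExceptionPort OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwTerminateProcess(
  IN HANDLE ProcessHandle OPTIONAL,
  IN NTSTATUS ExitStatus);

NTOSAPI NTSTATUS NTAPI
ZwQueryInformationProcess(
  IN HANDLE ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  OUT PVOID ProcessInformation,
  IN ULONG ProcessInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
NtSetInformationProcess(
  IN HANDLE ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  IN PVOID ProcessInformation,
  IN ULONG ProcessInformationLength);

NTOSAPI NTSTATUS NTAPI
ZwSetInformationProcess(
  IN HANDLE ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  IN PVOID ProcessInformation,
  IN ULONG ProcessInformationLength);

typedef struct _PROCESS_BASIC_INFORMATION {
  NTSTATUS ExitStatus;
  PPEB PebBaseAddress;
  KAFFINITY AffinityMask;
  KPRIORITY BasePriority;
  ULONG UniqueProcessId;
  ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

typedef struct _PROCESS_ACCESS_TOKEN {
  HANDLE Token;
  HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

/* DefaultHardErrorMode constants */
#define SEM_FAILCRITICALERRORS 0x0001
#define SEM_NOGPFAULTERRORBOX 0x0002
#define SEM_NOALIGNMENTFAULTEXCEPT 0x0004
#define SEM_NOOPENFILEERRORBOX 0x8000

typedef struct _POOLED_USAGE_AND_LIMITS {
  ULONG PeakPagedPoolUsage;
  ULONG PagedPoolUsage;
  ULONG PagedPoolLimit;
  ULONG PeakNonPagedPoolUsage;
  ULONG NonPagedPoolUsage;
  ULONG NonPagedPoolLimit;
  ULONG PeakPagefileUsage;
  ULONG PagefileUsage;
  ULONG PagefileLimit;
} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;

typedef struct _PROCESS_WS_WATCH_INFORMATION {
  PVOID FaultingPc;
  PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;

/* PROCESS_PRIORITY_CLASS.PriorityClass constants */
#define PC_IDLE 1
#define PC_NORMAL 2
#define PC_HIGH 3
#define PC_REALTIME 4
#define PC_BELOW_NORMAL 5
#define PC_ABOVE_NORMAL 6

typedef struct _PROCESS_PRIORITY_CLASS {
  BOOLEAN Foreground;
  UCHAR PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;

/* PROCESS_DEVICEMAP_INFORMATION.DriveType constants */
#define DRIVE_UNKNOWN 0
#define DRIVE_NO_ROOT_DIR 1
#define DRIVE_REMOVABLE 2
#define DRIVE_FIXED 3
#define DRIVE_REMOTE 4
#define DRIVE_CDROM 5
#define DRIVE_RAMDISK 6

/* Set and Query overlay each other in an anonymous union: the same bytes
   are a directory handle in one view and a drive map in the other. */
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
  union {
    struct {
      HANDLE DirectoryHandle;
    } Set;
    struct {
      ULONG DriveMap;
      UCHAR DriveType[32];
    } Query;
  };
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;

typedef struct _PROCESS_SESSION_INFORMATION {
  ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
  ULONG AllocationSize;
  ULONG Size;
  ULONG Flags;
  ULONG DebugFlags;
  HANDLE hConsole;
  ULONG ProcessGroup;
  HANDLE hStdInput;
  HANDLE hStdOutput;
  HANDLE hStdError;
  UNICODE_STRING CurrentDirectoryName;
  HANDLE CurrentDirectoryHandle;
  UNICODE_STRING DllPath;
  UNICODE_STRING ImagePathName;
  UNICODE_STRING CommandLine;
  PWSTR Environment;
  ULONG dwX;
  ULONG dwY;
  ULONG dwXSize;
  ULONG dwYSize;
  ULONG dwXCountChars;
  ULONG dwYCountChars;
  ULONG dwFillAttribute;
  ULONG dwFlags;
  ULONG wShowWindow;
  UNICODE_STRING WindowTitle;
  UNICODE_STRING DesktopInfo;
  UNICODE_STRING ShellInfo;
  UNICODE_STRING RuntimeInfo;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

/* The Rtl* prototypes in this section carry no NTOSAPI decoration, unlike
   the Nt and Zw prototypes. */
NTSTATUS NTAPI
RtlCreateProcessParameters(
  OUT PRTL_USER_PROCESS_PARAMETERS *ProcessParameters,
  IN PUNICODE_STRING ImageFile,
  IN PUNICODE_STRING DllPath OPTIONAL,
  IN PUNICODE_STRING CurrentDirectory OPTIONAL,
  IN PUNICODE_STRING CommandLine OPTIONAL,
  IN PWSTR Environment OPTIONAL,
  IN PUNICODE_STRING WindowTitle OPTIONAL,
  IN PUNICODE_STRING DesktopInfo OPTIONAL,
  IN PUNICODE_STRING ShellInfo OPTIONAL,
  IN PUNICODE_STRING RuntimeInfo OPTIONAL);

NTSTATUS NTAPI
RtlDestroyProcessParameters(
  IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters);

typedef struct _DEBUG_BUFFER {
  HANDLE SectionHandle;
  PVOID SectionBase;
  PVOID RemoteSectionBase;
  ULONG SectionBaseDelta;
  HANDLE EventPairHandle;
  ULONG Unknown[2];
  HANDLE RemoteThreadHandle;
  ULONG InfoClassMask;
  ULONG SizeOfInfo;
  ULONG AllocatedSize;
  ULONG SectionSize;
  PVOID ModuleInformation;
  PVOID BackTraceInformation;
  PVOID HeapInformation;
  PVOID LockInformation;
  PVOID Reserved[8];
} DEBUG_BUFFER, *PDEBUG_BUFFER;

/* Returns a pointer rather than an NTSTATUS. NOTE(review): presumably the
   result is released with RtlDestroyQueryDebugBuffer below - confirm. */
PDEBUG_BUFFER NTAPI
RtlCreateQueryDebugBuffer(
  IN ULONG Size,
  IN BOOLEAN EventPair);

/* RtlQueryProcessDebugInformation.DebugInfoClassMask constants */
#define PDI_MODULES 0x01
#define PDI_BACKTRACE 0x02
#define PDI_HEAPS 0x04
#define PDI_HEAP_TAGS 0x08
#define PDI_HEAP_BLOCKS 0x10
#define PDI_LOCKS 0x20

NTSTATUS NTAPI
RtlQueryProcessDebugInformation(
  IN ULONG ProcessId,
  IN ULONG DebugInfoClassMask,
  IN OUT PDEBUG_BUFFER DebugBuffer);

NTSTATUS NTAPI
RtlDestroyQueryDebugBuffer(
  IN PDEBUG_BUFFER DebugBuffer);

/* DEBUG_MODULE_INFORMATION.Flags constants */
#define LDRP_STATIC_LINK 0x00000002
#define LDRP_IMAGE_DLL 0x00000004
#define LDRP_LOAD_IN_PROGRESS 0x00001000
#define LDRP_UNLOAD_IN_PROGRESS 0x00002000
#define LDRP_ENTRY_PROCESSED 0x00004000
#define LDRP_ENTRY_INSERTED 0x00008000
#define LDRP_CURRENT_LOAD 0x00010000
#define LDRP_FAILED_BUILTIN_LOAD 0x00020000
#define LDRP_DONT_CALL_FOR_THREADS 0x00040000
#define LDRP_PROCESS_ATTACH_CALLED 0x00080000
#define LDRP_DEBUG_SYMBOLS_LOADED 0x00100000
#define LDRP_IMAGE_NOT_AT_BASE 0x00200000
#define LDRP_WX86_IGNORE_MACHINETYPE 0x00400000

/* Base is a ULONG here, while SYSTEM_MODULE_INFORMATION_ENTRY.Base is a
   PVOID. ImageName is a fixed 256-byte CHAR array; bound reads by its size. */
typedef struct _DEBUG_MODULE_INFORMATION {
  ULONG Reserved[2];
  ULONG Base;
  ULONG Size;
  ULONG Flags;
  USHORT Index;
  USHORT Unknown;
  USHORT LoadCount;
  USHORT ModuleNameOffset;
  CHAR ImageName[256];
} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION;

typedef struct _DEBUG_HEAP_INFORMATION {
  ULONG Base;
  ULONG Flags;
  USHORT Granularity;
  USHORT Unknown;
  ULONG Allocated;
  ULONG Committed;
  ULONG TagCount;
  ULONG BlockCount;
  ULONG Reserved[7];
  PVOID Tags;
  PVOID Blocks;
} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION;

typedef struct _DEBUG_LOCK_INFORMATION {
  PVOID Address;
  USHORT Type;
  USHORT CreatorBackTraceIndex;
  ULONG OwnerThreadId;
  ULONG ActiveCount;
  ULONG ContentionCount;
  ULONG EntryCount;
  ULONG RecursionCount;
  ULONG NumberOfSharedWaiters;
  ULONG NumberOfExclusiveWaiters;
} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION;


/* Jobs */

NTOSAPI NTSTATUS NTAPI
ZwCreateJobObject(
  OUT PHANDLE JobHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwOpenJobObject(
  OUT PHANDLE JobHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwTerminateJobObject(
  IN HANDLE JobHandle,
  IN NTSTATUS ExitStatus);

NTOSAPI NTSTATUS NTAPI
ZwAssignProcessToJobObject(
  IN HANDLE JobHandle,
  IN HANDLE ProcessHandle);

typedef enum _JOBOBJECTINFOCLASS {
  JobObjectBasicAccountingInformation = 1,
  JobObjectBasicLimitInformation,
  JobObjectBasicProcessIdList,
  JobObjectBasicUIRestrictions,
  JobObjectSecurityLimitInformation,
  JobObjectEndOfJobTimeInformation,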
JobObjectAssociateCompletionPortInformation, JobObjectBasicAndIoAccountingInformation, JobObjectExtendedLimitInformation } JOBOBJECTINFOCLASS; NTOSAPI NTSTATUS NTAPI ZwQueryInformationJobObject( IN HANDLE JobHandle, IN JOBOBJECTINFOCLASS JobInformationClass, OUT PVOID JobInformation, IN ULONG JobInformationLength, OUT PULONG ReturnLength OPTIONAL); NTOSAPI NTSTATUS NTAPI ZwSetInformationJobObject( IN HANDLE JobHandle, IN JOBOBJECTINFOCLASS JobInformationClass, IN PVOID JobInformation, IN ULONG JobInformationLength); typedef struct _JOBOBJECT_BASIC_ACCOUNTING_INFORMATION { LARGE_INTEGER TotalUserTime; LARGE_INTEGER TotalKernelTime; LARGE_INTEGER ThisPeriodTotalUserTime; LARGE_INTEGER ThisPeriodTotalKernelTime; ULONG TotalPageFaultCount; ULONG TotalProcesses; ULONG ActiveProcesses; ULONG TotalTerminatedProcesses; } JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_ACCOUNTING_INFORMATION; /* JOBOBJECT_BASIC_LIMIT_INFORMATION.LimitFlags constants */ #define JOB_OBJECT_LIMIT_WORKINGSET 0x0001 #define JOB_OBJECT_LIMIT_PROCESS_TIME 0x0002 #define JOB_OBJECT_LIMIT_JOB_TIME 0x0004 #define JOB_OBJECT_LIMIT_ACTIVE_PROCESS 0x0008 #define JOB_OBJECT_LIMIT_AFFINITY 0x0010 #define JOB_OBJECT_LIMIT_PRIORITY_CLASS 0x0020 #define JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME 0x0040 #define JOB_OBJECT_LIMIT_SCHEDULING_CLASS 0x0080 #define JOB_OBJECT_LIMIT_PROCESS_MEMORY 0x0100 #define JOB_OBJECT_LIMIT_JOB_MEMORY 0x0200 #define JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION 0x0400 #define JOB_OBJECT_BREAKAWAY_OK 0x0800 #define JOB_OBJECT_SILENT_BREAKAWAY 0x1000 typedef struct _JOBOBJECT_BASIC_LIMIT_INFORMATION { LARGE_INTEGER PerProcessUserTimeLimit; LARGE_INTEGER PerJobUserTimeLimit; ULONG LimitFlags; ULONG MinimumWorkingSetSize; ULONG MaximumWorkingSetSize; ULONG ActiveProcessLimit; ULONG Affinity; ULONG PriorityClass; ULONG SchedulingClass; } JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION; typedef struct _JOBOBJECT_BASIC_PROCESS_ID_LIST { ULONG 
NumberOfAssignedProcesses; ULONG NumberOfProcessIdsInList; ULONG_PTR ProcessIdList[1]; } JOBOBJECT_BASIC_PROCESS_ID_LIST, *PJOBOBJECT_BASIC_PROCESS_ID_LIST; /* JOBOBJECT_BASIC_UI_RESTRICTIONS.UIRestrictionsClass constants */ #define JOB_OBJECT_UILIMIT_HANDLES 0x0001 #define JOB_OBJECT_UILIMIT_READCLIPBOARD 0x0002 #define JOB_OBJECT_UILIMIT_WRITECLIPBOARD 0x0004 #define JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS 0x0008 #define JOB_OBJECT_UILIMIT_DISPLAYSETTINGS 0x0010 #define JOB_OBJECT_UILIMIT_GLOBALATOMS 0x0020 #define JOB_OBJECT_UILIMIT_DESKTOP 0x0040 #define JOB_OBJECT_UILIMIT_EXITWINDOWS 0x0080 typedef struct _JOBOBJECT_BASIC_UI_RESTRICTIONS { ULONG UIRestrictionsClass; } JOBOBJECT_BASIC_UI_RESTRICTIONS, *PJOBOBJECT_BASIC_UI_RESTRICTIONS; /* JOBOBJECT_SECURITY_LIMIT_INFORMATION.SecurityLimitFlags constants */ #define JOB_OBJECT_SECURITY_NO_ADMIN 0x0001 #define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN 0x0002 #define JOB_OBJECT_SECURITY_ONLY_TOKEN 0x0004 #define JOB_OBJECT_SECURITY_FILTER_TOKENS 0x0008 typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION { ULONG SecurityLimitFlags; HANDLE JobToken; PTOKEN_GROUPS SidsToDisable; PTOKEN_PRIVILEGES PrivilegesToDelete; PTOKEN_GROUPS RestrictedSids; } JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION; /* JOBOBJECT_END_OF_JOB_TIME_INFORMATION.EndOfJobTimeAction constants */ #define JOB_OBJECT_TERMINATE_AT_END_OF_JOB 0 #define JOB_OBJECT_POST_AT_END_OF_JOB 1 typedef struct _JOBOBJECT_END_OF_JOB_TIME_INFORMATION { ULONG EndOfJobTimeAction; } JOBOBJECT_END_OF_JOB_TIME_INFORMATION, *PJOBOBJECT_END_OF_JOB_TIME_INFORMATION; #define JOB_OBJECT_MSG_END_OF_JOB_TIME 1 #define JOB_OBJECT_MSG_END_OF_PROCESS_TIME 2 #define JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT 3 #define JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO 4 #define JOB_OBJECT_MSG_NEW_PROCESS 6 #define JOB_OBJECT_MSG_EXIT_PROCESS 7 #define JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS 8 #define JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT 9 #define JOB_OBJECT_MSG_JOB_MEMORY_LIMIT 10 
typedef struct _JOBOBJECT_ASSOCIATE_COMPLETION_PORT {
  PVOID CompletionKey;
  HANDLE CompletionPort;
} JOBOBJECT_ASSOCIATE_COMPLETION_PORT, *PJOBOBJECT_ASSOCIATE_COMPLETION_PORT;

/*
 * NOTE(review): unlike the other structures in this header, the struct tag
 * here has no leading underscore and is identical to the typedef name.
 */
typedef struct JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION {
  JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo;
  IO_COUNTERS IoInfo;
} JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION;

/*
 * NOTE(review): the four memory fields are ULONG. Verify their width against
 * the target platform before using this layout in a 64-bit build.
 */
typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION {
  JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation;
  IO_COUNTERS IoInfo;
  ULONG ProcessMemoryLimit;
  ULONG JobMemoryLimit;
  ULONG PeakProcessMemoryUsed;
  ULONG PeakJobMemoryUsed;
} JOBOBJECT_EXTENDED_LIMIT_INFORMATION, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION;

/* Tokens */

/*
 * Builds a token from caller-supplied identity data (user, groups,
 * privileges, owner, primary group, default DACL, source).
 * NOTE(review): every identity field comes from the caller, so the kernel
 * presumably restricts this call to specially privileged callers - confirm.
 * Any use of it is worth flagging in code review and monitoring.
 */
NTOSAPI NTSTATUS NTAPI
ZwCreateToken(
  OUT PHANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN TOKEN_TYPE Type,
  IN PLUID AuthenticationId,
  IN PLARGE_INTEGER ExpirationTime,
  IN PTOKEN_USER User,
  IN PTOKEN_GROUPS Groups,
  IN PTOKEN_PRIVILEGES Privileges,
  IN PTOKEN_OWNER Owner,
  IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
  IN PTOKEN_DEFAULT_DACL DefaultDacl,
  IN PTOKEN_SOURCE Source);

/*
 * Open the token of a process or thread. DesiredAccess is chosen by the
 * caller; requesting only the access actually needed keeps the resulting
 * handle least-privileged.
 */
NTOSAPI NTSTATUS NTAPI
NtOpenProcessToken(
  IN HANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  OUT PHANDLE TokenHandle);

NTOSAPI NTSTATUS NTAPI
ZwOpenProcessToken(
  IN HANDLE ProcessHandle,
  IN ACCESS_MASK DesiredAccess,
  OUT PHANDLE TokenHandle);

NTOSAPI NTSTATUS NTAPI
NtOpenThreadToken(
  IN HANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN BOOLEAN OpenAsSelf,
  OUT PHANDLE TokenHandle);

NTOSAPI NTSTATUS NTAPI
ZwOpenThreadToken(
  IN HANDLE ThreadHandle,
  IN ACCESS_MASK DesiredAccess,
  IN BOOLEAN OpenAsSelf,
  OUT PHANDLE TokenHandle);

/* Duplicates an existing token into NewTokenHandle with the given TokenType. */
NTOSAPI NTSTATUS NTAPI
NtDuplicateToken(
  IN HANDLE ExistingTokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN BOOLEAN EffectiveOnly,
  IN TOKEN_TYPE TokenType,
  OUT PHANDLE NewTokenHandle);

NTOSAPI NTSTATUS NTAPI
ZwDuplicateToken(
  IN HANDLE ExistingTokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN BOOLEAN EffectiveOnly,
  IN TOKEN_TYPE TokenType,
  OUT PHANDLE NewTokenHandle);

/*
 * Derives a new token from an existing one, given SIDs to disable,
 * privileges to delete and restricting SIDs.
 */
NTOSAPI NTSTATUS NTAPI
ZwFilterToken(
  IN HANDLE ExistingTokenHandle,
  IN ULONG Flags,
  IN PTOKEN_GROUPS SidsToDisable,
  IN PTOKEN_PRIVILEGES PrivilegesToDelete,
  IN PTOKEN_GROUPS SidsToRestricted,
  OUT PHANDLE NewTokenHandle);

/*
 * NOTE(review): PreviousState is OPTIONAL but ReturnLength is not marked so
 * in this prototype. Callers should also confirm from the returned status
 * that every requested privilege was actually adjusted.
 */
NTOSAPI NTSTATUS NTAPI
NtAdjustPrivilegesToken(
  IN HANDLE TokenHandle,
  IN BOOLEAN DisableAllPrivileges,
  IN PTOKEN_PRIVILEGES NewState,
  IN ULONG BufferLength,
  OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
ZwAdjustPrivilegesToken(
  IN HANDLE TokenHandle,
  IN BOOLEAN DisableAllPrivileges,
  IN PTOKEN_PRIVILEGES NewState,
  IN ULONG BufferLength,
  OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
ZwAdjustGroupsToken(
  IN HANDLE TokenHandle,
  IN BOOLEAN ResetToDefault,
  IN PTOKEN_GROUPS NewState,
  IN ULONG BufferLength,
  OUT PTOKEN_GROUPS PreviousState OPTIONAL,
  OUT PULONG ReturnLength);

/*
 * Untyped buffer + length query; here ReturnLength is not marked OPTIONAL.
 * The structure must match TokenInformationClass.
 */
NTOSAPI NTSTATUS NTAPI
NtQueryInformationToken(
  IN HANDLE TokenHandle,
  IN TOKEN_INFORMATION_CLASS TokenInformationClass,
  OUT PVOID TokenInformation,
  IN ULONG TokenInformationLength,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
ZwQueryInformationToken(
  IN HANDLE TokenHandle,
  IN TOKEN_INFORMATION_CLASS TokenInformationClass,
  OUT PVOID TokenInformation,
  IN ULONG TokenInformationLength,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
ZwSetInformationToken(
  IN HANDLE TokenHandle,
  IN TOKEN_INFORMATION_CLASS TokenInformationClass,
  IN PVOID TokenInformation,
  IN ULONG TokenInformationLength);

/* Time */

NTOSAPI NTSTATUS NTAPI
ZwQuerySystemTime(
  OUT PLARGE_INTEGER CurrentTime);

/*
 * NOTE(review): changing the system clock affects log timestamps and any
 * time-based validity check; presumably a privileged operation - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwSetSystemTime(
  IN PLARGE_INTEGER NewTime,
  OUT PLARGE_INTEGER OldTime OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwQueryPerformanceCounter(
  OUT PLARGE_INTEGER PerformanceCount,
  OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL);

/*
 * NOTE(review): identical repeat of the prototype above; possibly one of the
 * pair was meant to be the Nt-prefixed name - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwQueryPerformanceCounter(
  OUT PLARGE_INTEGER PerformanceCount,
  OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwQueryTimerResolution(
  OUT PULONG CoarsestResolution,
  OUT PULONG FinestResolution,
  OUT PULONG ActualResolution);

NTOSAPI NTSTATUS NTAPI
ZwDelayExecution(
  IN BOOLEAN Alertable,
  IN PLARGE_INTEGER Interval);

NTOSAPI NTSTATUS NTAPI
ZwYieldExecution(
  VOID);

/* Returns ULONG directly instead of an NTSTATUS. */
NTOSAPI ULONG NTAPI
ZwGetTickCount(
  VOID);

/* Execution profiling */

/*
 * Creates a profile object over [Base, Base + Size) of a process, with a
 * caller-supplied Buffer of BufferLength bytes.
 * NOTE(review): the relation between Size, BucketShift and BufferLength is
 * not visible in this header - confirm the required buffer size in the
 * documentation rather than guessing.
 */
NTOSAPI NTSTATUS NTAPI
ZwCreateProfile(
  OUT PHANDLE ProfileHandle,
  IN HANDLE ProcessHandle,
  IN PVOID Base,
  IN ULONG Size,
  IN ULONG BucketShift,
  IN PULONG Buffer,
  IN ULONG BufferLength,
  IN KPROFILE_SOURCE Source,
  IN ULONG ProcessorMask);

NTOSAPI NTSTATUS NTAPI
ZwSetIntervalProfile(
  IN ULONG Interval,
  IN KPROFILE_SOURCE Source);

NTOSAPI NTSTATUS NTAPI
ZwQueryIntervalProfile(
  IN KPROFILE_SOURCE Source,
  OUT PULONG Interval);

NTOSAPI NTSTATUS NTAPI
ZwStartProfile(
  IN HANDLE ProfileHandle);

NTOSAPI NTSTATUS NTAPI
ZwStopProfile(
  IN HANDLE ProfileHandle);

/* Local Procedure Call (LPC) */

/*
 * LPC message header followed by the payload in Data.
 * NOTE(review): DataSize and MessageSize are 16-bit and Data is declared
 * with ANYSIZE_ARRAY elements. A receiver should presumably validate both
 * sizes against the buffer it actually allocated before touching Data, and
 * treat ClientId as the sender identity only where the kernel fills it in -
 * confirm.
 */
typedef struct _LPC_MESSAGE {
  USHORT DataSize;
  USHORT MessageSize;
  USHORT MessageType;        /* LPC_TYPE values below */
  USHORT VirtualRangesOffset;
  CLIENT_ID ClientId;
  ULONG MessageId;
  ULONG SectionSize;
  UCHAR Data[ANYSIZE_ARRAY];
} LPC_MESSAGE, *PLPC_MESSAGE;

typedef enum _LPC_TYPE {
  LPC_NEW_MESSAGE,
  LPC_REQUEST,
  LPC_REPLY,
  LPC_DATAGRAM,
  LPC_LOST_REPLY,
  LPC_PORT_CLOSED,
  LPC_CLIENT_DIED,
  LPC_EXCEPTION,
  LPC_DEBUG_EVENT,
  LPC_ERROR_EVENT,
  LPC_CONNECTION_REQUEST,
  LPC_MAXIMUM
} LPC_TYPE;

/* Section view descriptors; each starts with its own Length field. */
typedef struct _LPC_SECTION_WRITE {
  ULONG Length;
  HANDLE SectionHandle;
  ULONG SectionOffset;
  ULONG ViewSize;
  PVOID ViewBase;
  PVOID TargetViewBase;
} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;

typedef struct _LPC_SECTION_READ {
  ULONG Length;
  ULONG ViewSize;
  PVOID ViewBase;
} LPC_SECTION_READ, *PLPC_SECTION_READ;

/*
 * Creates a port object.
 * NOTE(review): ObjectAttributes is the only place in this prototype where a
 * security descriptor for the port could be supplied - confirm how callers
 * restrict who may connect.
 */
NTOSAPI NTSTATUS NTAPI
ZwCreatePort(
  OUT PHANDLE PortHandle,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN ULONG MaxDataSize,
  IN ULONG MaxMessageSize,
  IN ULONG Reserved);

NTOSAPI NTSTATUS NTAPI
ZwCreateWaitablePort(
  OUT PHANDLE PortHandle,
  IN POBJECT_ATTRIBUTES ObjectAttributes,
  IN ULONG MaxDataSize,
  IN ULONG MaxMessageSize,
  IN ULONG Reserved);

/*
 * Client-side connect. SecurityQos is supplied by the client; presumably it
 * bounds how far the server may impersonate the client - confirm.
 * ConnectData/ConnectDataLength are IN OUT, so the length must be re-read
 * after the call.
 */
NTOSAPI NTSTATUS NTAPI
NtConnectPort(
  OUT PHANDLE PortHandle,
  IN PUNICODE_STRING PortName,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL,
  OUT PULONG MaxMessageSize OPTIONAL,
  IN OUT PVOID ConnectData OPTIONAL,
  IN OUT PULONG ConnectDataLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwConnectPort(
  OUT PHANDLE PortHandle,
  IN PUNICODE_STRING PortName,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL,
  OUT PULONG MaxMessageSize OPTIONAL,
  IN OUT PVOID ConnectData OPTIONAL,
  IN OUT PULONG ConnectDataLength OPTIONAL);

/*
 * NOTE(review): second, identical declaration of ZwConnectPort; possibly a
 * different connect variant was intended here - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwConnectPort(
  OUT PHANDLE PortHandle,
  IN PUNICODE_STRING PortName,
  IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL,
  OUT PULONG MaxMessageSize OPTIONAL,
  IN OUT PVOID ConnectData OPTIONAL,
  IN OUT PULONG ConnectDataLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwListenPort(
  IN HANDLE PortHandle,
  OUT PLPC_MESSAGE Message);

/* Server-side decision on a connection request; Accept selects the outcome. */
NTOSAPI NTSTATUS NTAPI
ZwAcceptConnectPort(
  OUT PHANDLE PortHandle,
  IN ULONG PortIdentifier,
  IN PLPC_MESSAGE Message,
  IN BOOLEAN Accept,
  IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL,
  IN OUT PLPC_SECTION_READ ReadSection OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwCompleteConnectPort(
  IN HANDLE PortHandle);

NTOSAPI NTSTATUS NTAPI
NtRequestPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE RequestMessage);

NTOSAPI NTSTATUS NTAPI
NtRequestWaitReplyPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE RequestMessage,
  OUT PLPC_MESSAGE ReplyMessage);

NTOSAPI NTSTATUS NTAPI
ZwRequestWaitReplyPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE RequestMessage,
  OUT PLPC_MESSAGE ReplyMessage);

NTOSAPI NTSTATUS NTAPI
ZwReplyPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE ReplyMessage);

NTOSAPI NTSTATUS NTAPI
ZwReplyWaitReplyPort(
  IN HANDLE PortHandle,
  IN OUT PLPC_MESSAGE ReplyMessage);

/*
 * NOTE(review): Message is an OUT buffer with no length parameter in this
 * prototype; presumably it must be large enough for the port's maximum
 * message size - confirm before allocating a smaller buffer.
 */
NTOSAPI NTSTATUS NTAPI
ZwReplyWaitReceivePort(
  IN HANDLE PortHandle,
  OUT PULONG PortIdentifier OPTIONAL,
  IN PLPC_MESSAGE ReplyMessage OPTIONAL,
  OUT PLPC_MESSAGE Message);

/* Same as ZwReplyWaitReceivePort with an additional Timeout parameter. */
NTOSAPI NTSTATUS NTAPI
ZwReplyWaitReceivePortEx(
  IN HANDLE PortHandle,
  OUT PULONG PortIdentifier OPTIONAL,
  IN PLPC_MESSAGE ReplyMessage OPTIONAL,
  OUT PLPC_MESSAGE Message,
  IN PLARGE_INTEGER Timeout);

NTOSAPI NTSTATUS NTAPI
ZwReadRequestData(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE Message,
  IN ULONG Index,
  OUT PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwWriteRequestData(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE Message,
  IN ULONG Index,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  OUT PULONG ReturnLength OPTIONAL);

typedef enum _PORT_INFORMATION_CLASS {
  PortBasicInformation
} PORT_INFORMATION_CLASS;

NTOSAPI NTSTATUS NTAPI
ZwQueryInformationPort(
  IN HANDLE PortHandle,
  IN PORT_INFORMATION_CLASS PortInformationClass,
  OUT PVOID PortInformation,
  IN ULONG PortInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/*
 * Server-side impersonation of the client that sent Message.
 * NOTE(review): a server should check the returned NTSTATUS and stop
 * handling the request on failure, so that it never continues under its own
 * identity - hedged, confirm the failure modes in the documentation.
 */
NTOSAPI NTSTATUS NTAPI
ZwImpersonateClientOfPort(
  IN HANDLE PortHandle,
  IN PLPC_MESSAGE Message);

/* Files */

/* Deletes the file named by ObjectAttributes; no handle is involved. */
NTOSAPI NTSTATUS NTAPI
NtDeleteFile(
  IN POBJECT_ATTRIBUTES ObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwDeleteFile(
  IN POBJECT_ATTRIBUTES ObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwFlushBuffersFile(
  IN HANDLE FileHandle,
  OUT PIO_STATUS_BLOCK IoStatusBlock);

NTOSAPI NTSTATUS NTAPI
ZwCancelIoFile(
  IN HANDLE FileHandle,
  OUT PIO_STATUS_BLOCK IoStatusBlock);

/* Scatter/gather I/O: Buffer is a list of FILE_SEGMENT_ELEMENT entries. */
NTOSAPI NTSTATUS NTAPI
ZwReadFileScatter(
  IN HANDLE FileHandle,
  IN HANDLE Event OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PFILE_SEGMENT_ELEMENT Buffer,
  IN ULONG Length,
  IN PLARGE_INTEGER ByteOffset OPTIONAL,
  IN PULONG Key OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwWriteFileGather(
  IN HANDLE FileHandle,
  IN HANDLE Event OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN PFILE_SEGMENT_ELEMENT Buffer,
  IN ULONG Length,
  IN PLARGE_INTEGER ByteOffset OPTIONAL,
  IN PULONG Key OPTIONAL);

/* Registry keys */

/*
 * Save, restore, load and replace calls move whole key trees between the
 * registry and files.
 * NOTE(review): these operate on entire hives, so callers are worth auditing
 * for who controls the file handle or file name; presumably the kernel also
 * requires backup/restore-type privileges - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwSaveKey(
  IN HANDLE KeyHandle,
  IN HANDLE FileHandle);

NTOSAPI NTSTATUS NTAPI
ZwSaveMergedKeys(
  IN HANDLE KeyHandle1,
  IN HANDLE KeyHandle2,
  IN HANDLE FileHandle);

NTOSAPI NTSTATUS NTAPI
ZwRestoreKey(
  IN HANDLE KeyHandle,
  IN HANDLE FileHandle,
  IN ULONG Flags);

NTOSAPI NTSTATUS NTAPI
ZwLoadKey(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  IN POBJECT_ATTRIBUTES FileObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwLoadKey2(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  IN POBJECT_ATTRIBUTES FileObjectAttributes,
  IN ULONG Flags);

NTOSAPI NTSTATUS NTAPI
ZwUnloadKey(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes);

NTOSAPI NTSTATUS NTAPI
ZwQueryOpenSubKeys(
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  OUT PULONG NumberOfKeys);

NTOSAPI NTSTATUS NTAPI
ZwReplaceKey(
  IN POBJECT_ATTRIBUTES NewFileObjectAttributes,
  IN HANDLE KeyHandle,
  IN POBJECT_ATTRIBUTES OldFileObjectAttributes);

typedef enum _KEY_SET_INFORMATION_CLASS {
  KeyLastWriteTimeInformation
} KEY_SET_INFORMATION_CLASS;

/*
 * The only class declared above sets a key's last-write time.
 * NOTE(review): forensic timelines that rely on key last-write times should
 * account for this call being able to change them.
 */
NTOSAPI NTSTATUS NTAPI
ZwSetInformationKey(
  IN HANDLE KeyHandle,
  IN KEY_SET_INFORMATION_CLASS KeyInformationClass,
  IN PVOID KeyInformation,
  IN ULONG KeyInformationLength);

typedef struct _KEY_LAST_WRITE_TIME_INFORMATION {
  LARGE_INTEGER LastWriteTime;
} KEY_LAST_WRITE_TIME_INFORMATION, *PKEY_LAST_WRITE_TIME_INFORMATION;

/*
 * Name is declared with one element next to NameLength; presumably a
 * variable-length trailer whose extent is given by NameLength (units not
 * visible here - confirm bytes vs. characters) and not NUL-terminated.
 */
typedef struct _KEY_NAME_INFORMATION {
  ULONG NameLength;
  WCHAR Name[1];
} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;

NTOSAPI NTSTATUS NTAPI
ZwNotifyChangeKey(
  IN HANDLE KeyHandle,
  IN HANDLE EventHandle OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN ULONG NotifyFilter,
  IN BOOLEAN WatchSubtree,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  IN BOOLEAN Asynchronous);

/* ZwNotifyChangeMultipleKeys.Flags constants */
#define REG_MONITOR_SINGLE_KEY  0x00
#define REG_MONITOR_SECOND_KEY  0x01

NTOSAPI NTSTATUS NTAPI
ZwNotifyChangeMultipleKeys(
  IN HANDLE KeyHandle,
  IN ULONG Flags,
  IN POBJECT_ATTRIBUTES KeyObjectAttributes,
  IN HANDLE EventHandle OPTIONAL,
  IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  IN ULONG NotifyFilter,
  IN BOOLEAN WatchSubtree,
  IN PVOID Buffer,
  IN ULONG BufferLength,
  IN BOOLEAN Asynchronous);

/* Length is IN OUT: it carries the buffer size in and must be re-read after. */
NTOSAPI NTSTATUS NTAPI
ZwQueryMultipleValueKey(
  IN HANDLE KeyHandle,
  IN OUT PKEY_VALUE_ENTRY ValueList,
  IN ULONG NumberOfValues,
  OUT PVOID Buffer,
  IN OUT PULONG Length,
  OUT PULONG ReturnLength);

NTOSAPI NTSTATUS NTAPI
ZwInitializeRegistry(
  IN BOOLEAN Setup);

/* Security and auditing */

/* Reports through Result whether the token holds RequiredPrivileges. */
NTOSAPI NTSTATUS NTAPI
ZwPrivilegeCheck(
  IN HANDLE TokenHandle,
  IN PPRIVILEGE_SET RequiredPrivileges,
  OUT PBOOLEAN Result);

NTOSAPI NTSTATUS NTAPI
ZwPrivilegeObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN PPRIVILEGE_SET Privileges,
  IN BOOLEAN AccessGranted);

/*
 * NOTE(review): identical repeat of ZwPrivilegeObjectAuditAlarm; possibly a
 * different audit-alarm routine was intended here - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwPrivilegeObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN PPRIVILEGE_SET Privileges,
  IN BOOLEAN AccessGranted);

/*
 * Access check of a token against a security descriptor.
 * NOTE(review): the result arrives in three places - the NTSTATUS return,
 * AccessStatus and GrantedAccess. A caller should presumably require a
 * successful return AND a positive AccessStatus before granting anything,
 * and grant no more than GrantedAccess - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwAccessCheck(
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN PGENERIC_MAPPING GenericMapping,
  IN PPRIVILEGE_SET PrivilegeSet,
  IN PULONG PrivilegeSetLength,
  OUT PACCESS_MASK GrantedAccess,
  OUT PBOOLEAN AccessStatus);

/* Access check that takes audit naming inputs and a GenerateOnClose output. */
NTOSAPI NTSTATUS NTAPI
ZwAccessCheckAndAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN ACCESS_MASK DesiredAccess,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccess,
  OUT PBOOLEAN AccessStatus,
  OUT PBOOLEAN GenerateOnClose);

/*
 * NOTE(review): compared with ZwAccessCheck, DesiredAccess is ULONG rather
 * than ACCESS_MASK and AccessStatus is PULONG rather than PBOOLEAN, so the
 * status cannot be tested as a boolean here. POBJECT_TYPE_LIST is a plain
 * PVOID typedef at the top of this header (marked FIXME there), so the
 * compiler cannot type-check ObjectTypeList.
 */
NTOSAPI NTSTATUS NTAPI
ZwAccessCheckByType(
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN HANDLE TokenHandle,
  IN ULONG DesiredAccess,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN PPRIVILEGE_SET PrivilegeSet,
  IN PULONG PrivilegeSetLength,
  OUT PACCESS_MASK GrantedAccess,
  OUT PULONG AccessStatus);

typedef enum _AUDIT_EVENT_TYPE {
  AuditEventObjectAccess,
  AuditEventDirectoryServiceAccess
} AUDIT_EVENT_TYPE, *PAUDIT_EVENT_TYPE;

NTOSAPI NTSTATUS NTAPI
ZwAccessCheckByTypeAndAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN ACCESS_MASK DesiredAccess,
  IN AUDIT_EVENT_TYPE AuditType,
  IN ULONG Flags,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccess,
  OUT PULONG AccessStatus,
  OUT PBOOLEAN GenerateOnClose);

/*
 * Result-list variants: GrantedAccessList and AccessStatusList are output
 * arrays with no separate length parameter in the prototype. Presumably one
 * entry per ObjectTypeList element, so both arrays must hold at least
 * ObjectTypeListLength entries - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwAccessCheckByTypeResultList(
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN PPRIVILEGE_SET PrivilegeSet,
  IN PULONG PrivilegeSetLength,
  OUT PACCESS_MASK GrantedAccessList,
  OUT PULONG AccessStatusList);

/* GenerateOnClose is PULONG in this variant, PBOOLEAN in the non-list ones. */
NTOSAPI NTSTATUS NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN ACCESS_MASK DesiredAccess,
  IN AUDIT_EVENT_TYPE AuditType,
  IN ULONG Flags,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccessList,
  OUT PULONG AccessStatusList,
  OUT PULONG GenerateOnClose);

/* As above, with an explicit TokenHandle parameter. */
NTOSAPI NTSTATUS NTAPI
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN HANDLE TokenHandle,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN PSID PrincipalSelfSid,
  IN ACCESS_MASK DesiredAccess,
  IN AUDIT_EVENT_TYPE AuditType,
  IN ULONG Flags,
  IN POBJECT_TYPE_LIST ObjectTypeList,
  IN ULONG ObjectTypeListLength,
  IN PGENERIC_MAPPING GenericMapping,
  IN BOOLEAN ObjectCreation,
  OUT PACCESS_MASK GrantedAccessList,
  OUT PULONG AccessStatusList,
  OUT PULONG GenerateOnClose);

/*
 * NOTE(review): HandleId is declared PVOID * here but plain PVOID in the
 * close/delete audit calls below and in the access-check calls above -
 * confirm which is intended.
 */
NTOSAPI NTSTATUS NTAPI
ZwOpenObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID *HandleId,
  IN PUNICODE_STRING ObjectTypeName,
  IN PUNICODE_STRING ObjectName,
  IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  IN HANDLE TokenHandle,
  IN ACCESS_MASK DesiredAccess,
  IN ACCESS_MASK GrantedAccess,
  IN PPRIVILEGE_SET Privileges OPTIONAL,
  IN BOOLEAN ObjectCreation,
  IN BOOLEAN AccessGranted,
  OUT PBOOLEAN GenerateOnClose);

NTOSAPI NTSTATUS NTAPI
ZwCloseObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN BOOLEAN GenerateOnClose);

NTOSAPI NTSTATUS NTAPI
ZwDeleteObjectAuditAlarm(
  IN PUNICODE_STRING SubsystemName,
  IN PVOID HandleId,
  IN BOOLEAN GenerateOnClose);

/* Plug and play and power management */

NTOSAPI NTSTATUS NTAPI
ZwRequestWakeupLatency(
  IN LATENCY_TIME Latency);

NTOSAPI NTSTATUS NTAPI
ZwRequestDeviceWakeup(
  IN HANDLE DeviceHandle);

NTOSAPI NTSTATUS NTAPI
ZwCancelDeviceWakeupRequest(
  IN HANDLE DeviceHandle);

/* Returns BOOLEAN directly instead of an NTSTATUS. */
NTOSAPI BOOLEAN NTAPI
ZwIsSystemResumeAutomatic(
  VOID);

/*
 * PEXECUTION_STATE is a plain PVOID typedef at the top of this header
 * (marked FIXME there), so the output pointer is not type-checked.
 */
NTOSAPI NTSTATUS NTAPI
ZwSetThreadExecutionState(
  IN EXECUTION_STATE ExecutionState,
  OUT PEXECUTION_STATE PreviousExecutionState);

NTOSAPI NTSTATUS NTAPI
ZwGetDevicePowerState(
  IN HANDLE DeviceHandle,
  OUT PDEVICE_POWER_STATE DevicePowerState);

NTOSAPI NTSTATUS NTAPI
ZwSetSystemPowerState(
  IN POWER_ACTION SystemAction,
  IN SYSTEM_POWER_STATE MinSystemState,
  IN ULONG Flags);

NTOSAPI NTSTATUS NTAPI
ZwInitiatePowerAction(
  IN POWER_ACTION SystemAction,
  IN SYSTEM_POWER_STATE MinSystemState,
  IN ULONG Flags,
  IN BOOLEAN Asynchronous);

/* Separate input and output buffers, each with its own length in bytes. */
NTOSAPI NTSTATUS NTAPI
ZwPowerInformation(
  IN POWER_INFORMATION_LEVEL PowerInformationLevel,
  IN PVOID InputBuffer OPTIONAL,
  IN ULONG InputBufferLength,
  OUT PVOID OutputBuffer OPTIONAL,
  IN ULONG OutputBufferLength);

NTOSAPI NTSTATUS NTAPI
ZwPlugPlayControl(
  IN ULONG ControlCode,
  IN OUT PVOID Buffer,
  IN ULONG BufferLength);

NTOSAPI NTSTATUS NTAPI
ZwGetPlugPlayEvent(
  IN ULONG Reserved1,
  IN ULONG Reserved2,
  OUT PVOID Buffer,
  IN ULONG BufferLength);

/* Miscellany */

NTOSAPI NTSTATUS NTAPI
ZwRaiseException(
  IN PEXCEPTION_RECORD ExceptionRecord,
  IN PCONTEXT Context,
  IN BOOLEAN SearchFrames);

NTOSAPI NTSTATUS NTAPI
ZwContinue(
  IN PCONTEXT Context,
  IN BOOLEAN TestAlert);

NTOSAPI NTSTATUS NTAPI
ZwW32Call(
  IN ULONG RoutineIndex,
  IN PVOID Argument,
  IN ULONG ArgumentLength,
  OUT PVOID *Result OPTIONAL,
  OUT PULONG ResultLength OPTIONAL);

NTOSAPI NTSTATUS NTAPI
ZwSetLowWaitHighThread(
  VOID);

NTOSAPI NTSTATUS NTAPI
ZwSetHighWaitLowThread(
  VOID);

/*
 * Load / unload a driver named by DriverServiceName.
 * NOTE(review): loading a driver puts code into the kernel, so this is
 * presumably gated on a dedicated privilege - confirm. Driver-load events
 * are a standard item to log and alert on.
 */
NTOSAPI NTSTATUS NTAPI
ZwLoadDriver(
  IN PUNICODE_STRING DriverServiceName);

NTOSAPI NTSTATUS NTAPI
ZwUnloadDriver(
  IN PUNICODE_STRING DriverServiceName);

NTOSAPI NTSTATUS NTAPI
ZwFlushInstructionCache(
  IN HANDLE ProcessHandle,
  IN PVOID BaseAddress OPTIONAL,
  IN ULONG FlushSize);

NTOSAPI NTSTATUS NTAPI
ZwFlushWriteBuffer(
  VOID);

NTOSAPI NTSTATUS NTAPI
ZwQueryDefaultLocale(
  IN BOOLEAN ThreadOrSystem,
  OUT PLCID Locale);

NTOSAPI NTSTATUS NTAPI
ZwSetDefaultLocale(
  IN BOOLEAN ThreadOrSystem,
  IN LCID Locale);

/*
 * PLANGID is a plain PVOID typedef at the top of this header (marked FIXME
 * there), so the compiler will accept any pointer for LanguageId; callers
 * must make sure it points at a LANGID-sized object.
 */
NTOSAPI NTSTATUS NTAPI
ZwQueryDefaultUILanguage(
  OUT PLANGID LanguageId);

NTOSAPI NTSTATUS NTAPI
ZwSetDefaultUILanguage(
  IN LANGID LanguageId);

NTOSAPI NTSTATUS NTAPI
ZwQueryInstallUILanguage(
  OUT PLANGID LanguageId);

NTOSAPI NTSTATUS NTAPI
NtAllocateLocallyUniqueId(
  OUT PLUID Luid);

/*
 * NOTE(review): UuidSeed is a bare PUCHAR with no length parameter; the
 * required buffer size is not visible in this header - confirm before use.
 */
NTOSAPI NTSTATUS NTAPI
NtAllocateUuids(
  OUT PLARGE_INTEGER UuidLastTimeAllocated,
  OUT PULONG UuidDeltaTime,
  OUT PULONG UuidSequenceNumber,
  OUT PUCHAR UuidSeed);

NTOSAPI NTSTATUS NTAPI
ZwSetUuidSeed(
  IN PUCHAR UuidSeed);

typedef enum _HARDERROR_RESPONSE_OPTION {
  OptionAbortRetryIgnore,
  OptionOk,
  OptionOkCancel,
  OptionRetryCancel,
  OptionYesNo,
  OptionYesNoCancel,
  OptionShutdownSystem
} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;

typedef enum _HARDERROR_RESPONSE {
  ResponseReturnToCaller,
  ResponseNotHandled,
  ResponseAbort,
  ResponseCancel,
  ResponseIgnore,
  ResponseNo,
  ResponseOk,
  ResponseRetry,
  ResponseYes
} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;

/*
 * Arguments is an array of NumberOfArguments ULONGs; StringArgumentsMask is
 * presumably a bit mask marking which entries are string pointers - confirm.
 */
NTOSAPI NTSTATUS NTAPI
ZwRaiseHardError(
  IN NTSTATUS Status,
  IN ULONG NumberOfArguments,
  IN ULONG StringArgumentsMask,
  IN PULONG Arguments,
  IN HARDERROR_RESPONSE_OPTION ResponseOption,
  OUT PHARDERROR_RESPONSE Response);

NTOSAPI NTSTATUS NTAPI
ZwSetDefaultHardErrorPort(
  IN HANDLE PortHandle);

NTOSAPI NTSTATUS NTAPI
ZwDisplayString(
  IN PUNICODE_STRING String);

NTOSAPI NTSTATUS NTAPI
ZwCreatePagingFile(
  IN PUNICODE_STRING FileName,
  IN PULARGE_INTEGER InitialSize,
  IN PULARGE_INTEGER MaximumSize,
  IN ULONG Reserved);

/* Atoms are 16-bit values. */
typedef USHORT RTL_ATOM, *PRTL_ATOM;

/*
 * AtomName is passed with an explicit AtomNameLength (units not visible
 * here - confirm bytes vs. characters).
 */
NTOSAPI NTSTATUS NTAPI
NtAddAtom(
  IN PWSTR AtomName,
  IN ULONG AtomNameLength,
  OUT PRTL_ATOM Atom);

NTOSAPI NTSTATUS NTAPI
NtFindAtom(
  IN PWSTR AtomName,
  IN ULONG AtomNameLength,
  OUT PRTL_ATOM Atom);

NTOSAPI NTSTATUS NTAPI
NtDeleteAtom(
  IN RTL_ATOM Atom);

typedef enum _ATOM_INFORMATION_CLASS {
  AtomBasicInformation,
  AtomListInformation
} ATOM_INFORMATION_CLASS;

NTOSAPI NTSTATUS NTAPI
NtQueryInformationAtom(
  IN RTL_ATOM Atom,
  IN ATOM_INFORMATION_CLASS AtomInformationClass,
  OUT PVOID AtomInformation,
  IN ULONG AtomInformationLength,
  OUT PULONG ReturnLength OPTIONAL);

/* Name is a one-element trailer sized by NameLength, as in KEY_NAME_INFORMATION. */
typedef struct _ATOM_BASIC_INFORMATION {
  USHORT ReferenceCount;
  USHORT Pinned;
  USHORT NameLength;
  WCHAR Name[1];
} ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION;

/*
 * NOTE(review): the element type is ATOM, not the RTL_ATOM typedef declared
 * above; Atoms is a one-element trailer counted by NumberOfAtoms.
 */
typedef struct _ATOM_LIST_INFORMATION {
  ULONG NumberOfAtoms;
  ATOM Atoms[1];
} ATOM_LIST_INFORMATION, *PATOM_LIST_INFORMATION;

/* Sets two LDT entries in one call; the entries are passed by value. */
NTOSAPI NTSTATUS NTAPI
ZwSetLdtEntries(
  IN ULONG Selector1,
  IN LDT_ENTRY LdtEntry1,
  IN ULONG Selector2,
  IN LDT_ENTRY LdtEntry2);

/* ControlData is an untyped pointer with no length parameter. */
NTOSAPI NTSTATUS NTAPI
NtVdmControl(
  IN ULONG ControlCode,
  IN PVOID ControlData);

#pragma pack(pop)

#ifdef __cplusplus
}
#endif

#endif /* __NTAPI_H */