diff options
Diffstat (limited to 'plugins/Dbx_mdb/src/lmdb/ntapi.h')
-rw-r--r-- | plugins/Dbx_mdb/src/lmdb/ntapi.h | 3909 |
1 files changed, 3909 insertions, 0 deletions
diff --git a/plugins/Dbx_mdb/src/lmdb/ntapi.h b/plugins/Dbx_mdb/src/lmdb/ntapi.h new file mode 100644 index 0000000000..10d4aa7f50 --- /dev/null +++ b/plugins/Dbx_mdb/src/lmdb/ntapi.h @@ -0,0 +1,3909 @@ +/* + * ntapi.h + * + * Windows NT Native API + * + * Most structures in this file is obtained from Windows NT/2000 Native API + * Reference by Gary Nebbett, ISBN 1578701996. + * + * This file is part of the w32api package. + * + * Contributors: + * Created by Casper S. Hornstrup <chorns@users.sourceforge.net> + * + * THIS SOFTWARE IS NOT COPYRIGHTED + * + * This source code is offered for use in the public domain. You may + * use, modify or distribute it freely. + * + * This code is distributed in the hope that it will be useful but + * WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY + * DISCLAIMED. This includes but is not limited to warranties of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + */ + +#ifndef __NTAPI_H +#define __NTAPI_H + +#ifdef __cplusplus +extern "C" { +#endif + +#include <stdarg.h> +//#include <winbase.h> +#include <windef.h> + + +#pragma pack(push,4) + +//typedef struct _PEB *PPEB; + +/* FIXME: Unknown definitions */ +//typedef PVOID POBJECT_TYPE_LIST; +typedef PVOID PEXECUTION_STATE; +typedef PVOID PLANGID; + +#ifndef NtCurrentProcess +#define NtCurrentProcess() ((HANDLE)0xFFFFFFFF) +#endif /* NtCurrentProcess */ +#ifndef NtCurrentThread +#define NtCurrentThread() ((HANDLE)0xFFFFFFFE) +#endif /* NtCurrentThread */ + + + +#define RTL_REGISTRY_ABSOLUTE 0 +//add by SevenCat + +#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) +#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L) +#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L) // ntsubauth +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) +//#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L) // winnt +//#define STATUS_IN_PAGE_ERROR ((NTSTATUS)0xC0000006L) // winnt +#define STATUS_PAGEFILE_QUOTA ((NTSTATUS)0xC0000007L) +//#define STATUS_INVALID_HANDLE ((NTSTATUS)0xC0000008L) // winnt +#define STATUS_BAD_INITIAL_STACK ((NTSTATUS)0xC0000009L) +#define STATUS_BAD_INITIAL_PC ((NTSTATUS)0xC000000AL) +#define STATUS_INVALID_CID ((NTSTATUS)0xC000000BL) +#define STATUS_TIMER_NOT_CANCELED ((NTSTATUS)0xC000000CL) +// #define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL) +#define STATUS_NO_SUCH_DEVICE ((NTSTATUS)0xC000000EL) +#define STATUS_NO_SUCH_FILE ((NTSTATUS)0xC000000FL) +#define STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034 + +#define RTL_CONSTANT_STRING(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ), s } + +#define __WTEXT(quote) L##quote +#define WTEXT(quote) __WTEXT(quote) + +#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|0xF) +#define OBJ_PERMANENT 0x00000010L + +#ifndef NT_SUCCESS +#define NT_SUCCESS(x) ((x)>=0) +#define STATUS_SUCCESS ((NTSTATUS)0) +#endif + +#define DDKAPI __stdcall +#define DDKFASTAPI __fastcall +#define DDKCDECLAPI __cdecl + +typedef struct _CLIENT_ID { + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + + +///////////// + + + +typedef enum _KEY_INFORMATION_CLASS +{ + KeyBasicInformation, + KeyNodeInformation, + KeyFullInformation +} KEY_INFORMATION_CLASS; + +typedef struct _KEY_BASIC_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG NameLength; + WCHAR Name[1]; +} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; + +typedef struct _KEY_FULL_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG ClassOffset; + ULONG ClassLength; + ULONG SubKeys; + ULONG MaxNameLen; + ULONG MaxClassLen; + ULONG Values; + ULONG MaxValueNameLen; + ULONG MaxValueDataLen; + WCHAR Class[1]; +} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; + +typedef struct _KEY_NODE_INFORMATION +{ + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG ClassOffset; + ULONG ClassLength; + ULONG NameLength; + WCHAR Name[1]; +} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; + +/* key set information class */ +/* + * KeyWriteTimeInformation + */ + +/* key value information class */ + +typedef enum _KEY_VALUE_INFORMATION_CLASS +{ + KeyValueBasicInformation, + KeyValueFullInformation, + KeyValuePartialInformation +} KEY_VALUE_INFORMATION_CLASS; + +typedef struct _KEY_VALUE_BASIC_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG NameLength; + WCHAR Name[1]; +} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; + +typedef struct _KEY_VALUE_FULL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataOffset; + ULONG DataLength; + ULONG NameLength; + WCHAR Name[1]; +} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; + +typedef struct _KEY_VALUE_PARTIAL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; +} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; + + + + + +/////////// + +typedef LONG KPRIORITY; + +typedef enum _KWAIT_REASON { + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + Spare2, + Spare3, + Spare4, + Spare5, + Spare6, + WrKernel, + MaximumWaitReason +} KWAIT_REASON; + +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 0x00000005 + + +typedef struct _STRING { + USHORT Length; + USHORT MaximumLength; + PCHAR Buffer; +} STRING; +typedef STRING *PSTRING; + +typedef STRING ANSI_STRING; +typedef PSTRING PANSI_STRING; +typedef PSTRING PCANSI_STRING; + +typedef STRING OEM_STRING; +typedef PSTRING POEM_STRING; +typedef CONST STRING* PCOEM_STRING; + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING; +typedef UNICODE_STRING *PUNICODE_STRING; +typedef const UNICODE_STRING *PCUNICODE_STRING; + + +typedef enum _POOL_TYPE { + NonPagedPool, + PagedPool, + NonPagedPoolMustSucceed, + DontUseThisType, + NonPagedPoolCacheAligned, + PagedPoolCacheAligned, + NonPagedPoolCacheAlignedMustS, + MaxPoolType, + NonPagedPoolSession = 32, + PagedPoolSession, + NonPagedPoolMustSucceedSession, + DontUseThisTypeSession, + NonPagedPoolCacheAlignedSession, + PagedPoolCacheAlignedSession, + NonPagedPoolCacheAlignedMustSSession +} POOL_TYPE; + +#ifndef DECL_IMPORT +#define DECL_IMPORT __declspec(dllimport) +#endif + +#ifndef NTOSAPI +#define NTOSAPI DECL_IMPORT +#endif +#define DECLARE_INTERNAL_OBJECT(x) struct _##x; typedef struct _##x *P##x; +#define DECLARE_INTERNAL_OBJECT2(x,y) struct _##x; typedef struct _##x *P##y; + +typedef LONG NTSTATUS; + +typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES; +typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; + +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ + } + + +typedef struct _FILE_NETWORK_OPEN_INFORMATION { + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef struct _IO_STATUS_BLOCK { + union { + NTSTATUS Status; + PVOID Pointer; + }; + + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + + +typedef VOID (NTAPI *PKNORMAL_ROUTINE)( + IN PVOID NormalContext, + IN PVOID SystemArgument1, + IN PVOID SystemArgument2); + +typedef enum _PROCESSINFOCLASS { + ProcessBasicInformation, + ProcessQuotaLimits, + ProcessIoCounters, + ProcessVmCounters, + ProcessTimes, + ProcessBasePriority, + ProcessRaisePriority, + ProcessDebugPort, + ProcessExceptionPort, + ProcessAccessToken, + ProcessLdtInformation, + ProcessLdtSize, + ProcessDefaultHardErrorMode, + ProcessIoPortHandlers, + ProcessPooledUsageAndLimits, + ProcessWorkingSetWatch, + ProcessUserModeIOPL, + ProcessEnableAlignmentFaultFixup, + ProcessPriorityClass, + ProcessWx86Information, + ProcessHandleCount, + ProcessAffinityMask, + ProcessPriorityBoost, + ProcessDeviceMap, + ProcessSessionInformation, + ProcessForegroundInformation, + ProcessWow64Information, + ProcessImageFileName, + ProcessLUIDDeviceMapsEnabled, + ProcessBreakOnTermination, + ProcessDebugObjectHandle, + ProcessDebugFlags, + ProcessHandleTracing, + MaxProcessInfoClass +} PROCESSINFOCLASS; + +typedef enum _THREADINFOCLASS { + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + MaxThreadInfoClass +} THREADINFOCLASS; + +typedef enum _KPROFILE_SOURCE { + ProfileTime, + ProfileAlignmentFixup, + ProfileTotalIssues, + ProfilePipelineDry, + ProfileLoadInstructions, + ProfilePipelineFrozen, + ProfileBranchInstructions, + ProfileTotalNonissues, + ProfileDcacheMisses, + ProfileIcacheMisses, + ProfileCacheMisses, + ProfileBranchMispredictions, + ProfileStoreInstructions, + ProfileFpInstructions, + ProfileIntegerInstructions, + Profile2Issue, + Profile3Issue, + Profile4Issue, + ProfileSpecialInstructions, + ProfileTotalCycles, + ProfileIcacheIssues, + ProfileDcacheAccesses, + ProfileMemoryBarrierCycles, + ProfileLoadLinkedIssues, + ProfileMaximum +} KPROFILE_SOURCE; + + +typedef VOID +(NTAPI *PIO_APC_ROUTINE)( + IN PVOID ApcContext, + IN PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG Reserved); + +typedef struct _KEY_VALUE_ENTRY { + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +//end add + +/* System information and control */ + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemInformationClassMin = 0, + SystemBasicInformation = 0, + SystemProcessorInformation = 1, + SystemPerformanceInformation = 2, + SystemTimeOfDayInformation = 3, + SystemPathInformation = 4, + SystemNotImplemented1 = 4, + SystemProcessInformation = 5, + SystemProcessesAndThreadsInformation = 5, + SystemCallCountInfoInformation = 6, + SystemCallCounts = 6, + SystemDeviceInformation = 7, + SystemConfigurationInformation = 7, + SystemProcessorPerformanceInformation = 8, + SystemProcessorTimes = 8, + SystemFlagsInformation = 9, + SystemGlobalFlag = 9, + SystemCallTimeInformation = 10, + SystemNotImplemented2 = 10, + SystemModuleInformation = 11, + SystemLocksInformation = 12, + SystemLockInformation = 12, + SystemStackTraceInformation = 13, + SystemNotImplemented3 = 13, + SystemPagedPoolInformation = 14, + SystemNotImplemented4 = 14, + SystemNonPagedPoolInformation = 15, + SystemNotImplemented5 = 15, + SystemHandleInformation = 16, + SystemObjectInformation = 17, + SystemPageFileInformation = 18, + SystemPagefileInformation = 18, + SystemVdmInstemulInformation = 19, + SystemInstructionEmulationCounts = 19, + SystemVdmBopInformation = 20, + SystemInvalidInfoClass1 = 20, + SystemFileCacheInformation = 21, + SystemCacheInformation = 21, + SystemPoolTagInformation = 22, + SystemInterruptInformation = 23, + SystemProcessorStatistics = 23, + SystemDpcBehaviourInformation = 24, + SystemDpcInformation = 24, + SystemFullMemoryInformation = 25, + SystemNotImplemented6 = 25, + SystemLoadImage = 26, + SystemUnloadImage = 27, + SystemTimeAdjustmentInformation = 28, + SystemTimeAdjustment = 28, + SystemSummaryMemoryInformation = 29, + SystemNotImplemented7 = 29, + SystemNextEventIdInformation = 30, + SystemNotImplemented8 = 30, + SystemEventIdsInformation = 31, + SystemNotImplemented9 = 31, + SystemCrashDumpInformation = 32, + SystemExceptionInformation = 33, + SystemCrashDumpStateInformation = 34, + SystemKernelDebuggerInformation = 35, + SystemContextSwitchInformation = 36, + SystemRegistryQuotaInformation = 37, + SystemLoadAndCallImage = 38, + SystemPrioritySeparation = 39, + SystemPlugPlayBusInformation = 40, + SystemNotImplemented10 = 40, + SystemDockInformation = 41, + SystemNotImplemented11 = 41, + /* SystemPowerInformation = 42, Conflicts with POWER_INFORMATION_LEVEL 1 */ + SystemInvalidInfoClass2 = 42, + SystemProcessorSpeedInformation = 43, + SystemInvalidInfoClass3 = 43, + SystemCurrentTimeZoneInformation = 44, + SystemTimeZoneInformation = 44, + SystemLookasideInformation = 45, + SystemSetTimeSlipEvent = 46, + SystemCreateSession = 47, + SystemDeleteSession = 48, + SystemInvalidInfoClass4 = 49, + SystemRangeStartInformation = 50, + SystemVerifierInformation = 51, + SystemAddVerifier = 52, + SystemSessionProcessesInformation = 53, + SystemInformationClassMax +} SYSTEM_INFORMATION_CLASS; + +typedef struct _SYSTEM_BASIC_INFORMATION { + ULONG Unknown; + ULONG MaximumIncrement; + ULONG PhysicalPageSize; + ULONG NumberOfPhysicalPages; + ULONG LowestPhysicalPage; + ULONG HighestPhysicalPage; + ULONG AllocationGranularity; + ULONG LowestUserAddress; + ULONG HighestUserAddress; + ULONG ActiveProcessors; + UCHAR NumberProcessors; +} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; + +typedef struct _SYSTEM_PROCESSOR_INFORMATION { + USHORT ProcessorArchitecture; + USHORT ProcessorLevel; + USHORT ProcessorRevision; + USHORT Unknown; + ULONG FeatureBits; +} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; + +typedef struct _SYSTEM_PERFORMANCE_INFORMATION { + LARGE_INTEGER IdleTime; + LARGE_INTEGER ReadTransferCount; + LARGE_INTEGER WriteTransferCount; + LARGE_INTEGER OtherTransferCount; + ULONG ReadOperationCount; + ULONG WriteOperationCount; + ULONG OtherOperationCount; + ULONG AvailablePages; + ULONG TotalCommittedPages; + ULONG TotalCommitLimit; + ULONG PeakCommitment; + ULONG PageFaults; + ULONG WriteCopyFaults; + ULONG TransitionFaults; + ULONG CacheTransitionFaults; + ULONG DemandZeroFaults; + ULONG PagesRead; + ULONG PageReadIos; + ULONG CacheReads; + ULONG CacheIos; + ULONG PagefilePagesWritten; + ULONG PagefilePageWriteIos; + ULONG MappedFilePagesWritten; + ULONG MappedFilePageWriteIos; + ULONG PagedPoolUsage; + ULONG NonPagedPoolUsage; + ULONG PagedPoolAllocs; + ULONG PagedPoolFrees; + ULONG NonPagedPoolAllocs; + ULONG NonPagedPoolFrees; + ULONG TotalFreeSystemPtes; + ULONG SystemCodePage; + ULONG TotalSystemDriverPages; + ULONG TotalSystemCodePages; + ULONG SmallNonPagedLookasideListAllocateHits; + ULONG SmallPagedLookasideListAllocateHits; + ULONG Reserved3; + ULONG MmSystemCachePage; + ULONG PagedPoolPage; + ULONG SystemDriverPage; + ULONG FastReadNoWait; + ULONG FastReadWait; + ULONG FastReadResourceMiss; + ULONG FastReadNotPossible; + ULONG FastMdlReadNoWait; + ULONG FastMdlReadWait; + ULONG FastMdlReadResourceMiss; + ULONG FastMdlReadNotPossible; + ULONG MapDataNoWait; + ULONG MapDataWait; + ULONG MapDataNoWaitMiss; + ULONG MapDataWaitMiss; + ULONG PinMappedDataCount; + ULONG PinReadNoWait; + ULONG PinReadWait; + ULONG PinReadNoWaitMiss; + ULONG PinReadWaitMiss; + ULONG CopyReadNoWait; + ULONG CopyReadWait; + ULONG CopyReadNoWaitMiss; + ULONG CopyReadWaitMiss; + ULONG MdlReadNoWait; + ULONG MdlReadWait; + ULONG MdlReadNoWaitMiss; + ULONG MdlReadWaitMiss; + ULONG ReadAheadIos; + ULONG LazyWriteIos; + ULONG LazyWritePages; + ULONG DataFlushes; + ULONG DataPages; + ULONG ContextSwitches; + ULONG FirstLevelTbFills; + ULONG SecondLevelTbFills; + ULONG SystemCalls; +} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; + +typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION { + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG CurrentTimeZoneId; +} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION; + +typedef struct _VM_COUNTERS { + ULONG PeakVirtualSize; + ULONG VirtualSize; + ULONG PageFaultCount; + ULONG PeakWorkingSetSize; + ULONG WorkingSetSize; + ULONG QuotaPeakPagedPoolUsage; + ULONG QuotaPagedPoolUsage; + ULONG QuotaPeakNonPagedPoolUsage; + ULONG QuotaNonPagedPoolUsage; + ULONG PagefileUsage; + ULONG PeakPagefileUsage; +} VM_COUNTERS; + +typedef enum _THREAD_STATE { + StateInitialized, + StateReady, + StateRunning, + StateStandby, + StateTerminated, + StateWait, + StateTransition, + StateUnknown +} THREAD_STATE; + +typedef struct _SYSTEM_THREADS { + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientId; + KPRIORITY Priority; + KPRIORITY BasePriority; + ULONG ContextSwitchCount; + THREAD_STATE State; + KWAIT_REASON WaitReason; +} SYSTEM_THREADS, *PSYSTEM_THREADS; + +typedef struct _SYSTEM_PROCESSES { + ULONG NextEntryOffset; + BYTE Reserved1[52]; + PVOID Reserved2[3]; + HANDLE UniqueProcessId; + PVOID Reserved3; + ULONG HandleCount; + BYTE Reserved4[4]; + PVOID Reserved5[11]; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; + LARGE_INTEGER Reserved6[6]; +} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES; + +typedef struct _SYSTEM_CALLS_INFORMATION { + ULONG Size; + ULONG NumberOfDescriptorTables; + ULONG NumberOfRoutinesInTable[1]; + ULONG CallCounts[ANYSIZE_ARRAY]; +} SYSTEM_CALLS_INFORMATION, *PSYSTEM_CALLS_INFORMATION; + +typedef struct _SYSTEM_CONFIGURATION_INFORMATION { + ULONG DiskCount; + ULONG FloppyCount; + ULONG CdRomCount; + ULONG TapeCount; + ULONG SerialCount; + ULONG ParallelCount; +} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION; + +typedef struct _SYSTEM_PROCESSOR_TIMES { + LARGE_INTEGER IdleTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER DpcTime; + LARGE_INTEGER InterruptTime; + ULONG InterruptCount; +} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES; + +/* SYSTEM_GLOBAL_FLAG.GlobalFlag constants */ +#define FLG_STOP_ON_EXCEPTION 0x00000001 +#define FLG_SHOW_LDR_SNAPS 0x00000002 +#define FLG_DEBUG_INITIAL_COMMAND 0x00000004 +#define FLG_STOP_ON_HUNG_GUI 0x00000008 +#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010 +#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020 +#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040 +#define FLG_HEAP_VALIDATE_ALL 0x00000080 +#define FLG_POOL_ENABLE_TAIL_CHECK 0x00000100 +#define FLG_POOL_ENABLE_FREE_CHECK 0x00000200 +#define FLG_POOL_ENABLE_TAGGING 0x00000400 +#define FLG_HEAP_ENABLE_TAGGING 0x00000800 +#define FLG_USER_STACK_TRACE_DB 0x00001000 +#define FLG_KERNEL_STACK_TRACE_DB 0x00002000 +#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000 +#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000 +#define FLG_IGNORE_DEBUG_PRIV 0x00010000 +#define FLG_ENABLE_CSRDEBUG 0x00020000 +#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000 +#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000 +#define FLG_HEAP_ENABLE_CALL_TRACING 0x00100000 +#define FLG_HEAP_DISABLE_COALESCING 0x00200000 +#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000 +#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000 +#define FLG_ENABLE_DBGPRINT_BUFFERING 0x08000000 + + +NTOSAPI +PVOID +NTAPI +RtlImageDirectoryEntryToData( + PVOID Base, + BOOLEAN MappedAsImage, + USHORT DirectoryEntry, + PULONG Size + ); + + +// +// Loader Data Table Entry +// +typedef struct _LDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + ULONG DllBase; + ULONG EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; + union + { + LIST_ENTRY HashLinks; + PVOID SectionPointer; + }; + ULONG CheckSum; + union + { + ULONG TimeDateStamp; + PVOID LoadedImports; + }; + PVOID EntryPointActivationContext; + PVOID PatchInformation; +} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; + +typedef struct _PEB_LDR_DATA { + ULONG Length; + BOOLEAN Initialized; + PVOID SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; +} PEB_LDR_DATA, *PPEB_LDR_DATA; + + +typedef struct _LDR_MODULE { + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + PVOID BaseAddress; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + SHORT LoadCount; + SHORT TlsIndex; + LIST_ENTRY HashTableEntry; + ULONG TimeDateStamp; +} LDR_MODULE, *PLDR_MODULE; + + +typedef struct _PEB { + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + BOOLEAN Spare; + HANDLE Mutant; + PVOID ImageBaseAddress; + PPEB_LDR_DATA LoaderData; + PVOID ProcessParameters; + PVOID SubSystemData; + PVOID ProcessHeap; + PVOID FastPebLock; + PVOID FastPebLockRoutine; + PVOID FastPebUnlockRoutine; + ULONG EnvironmentUpdateCount; + PVOID* KernelCallbackTable; + PVOID EventLogSection; + PVOID EventLog; + PVOID FreeList; + ULONG TlsExpansionCounter; + PVOID TlsBitmap; + ULONG TlsBitmapBits[0x2]; + PVOID ReadOnlySharedMemoryBase; + PVOID ReadOnlySharedMemoryHeap; + PVOID* ReadOnlyStaticServerData; + PVOID AnsiCodePageData; + PVOID OemCodePageData; + PVOID UnicodeCaseTableData; + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + BYTE Spare2[0x4]; + LARGE_INTEGER CriticalSectionTimeout; + ULONG HeapSegmentReserve; + ULONG HeapSegmentCommit; + ULONG HeapDeCommitTotalFreeThreshold; + ULONG HeapDeCommitFreeBlockThreshold; + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + PVOID* *ProcessHeaps; + PVOID GdiSharedHandleTable; + PVOID ProcessStarterHelper; + PVOID GdiDCAttributeList; + PVOID LoaderLock; + ULONG OSMajorVersion; + ULONG OSMinorVersion; + ULONG OSBuildNumber; + ULONG OSPlatformId; + ULONG ImageSubSystem; + ULONG ImageSubSystemMajorVersion; + ULONG ImageSubSystemMinorVersion; + ULONG GdiHandleBuffer[0x22]; + ULONG PostProcessInitRoutine; + ULONG TlsExpansionBitmap; + BYTE TlsExpansionBitmapBits[0x80]; + ULONG SessionId; +} PEB, *PPEB; + +typedef struct _SYSTEM_GLOBAL_FLAG { + ULONG GlobalFlag; +} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG; + +typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { + ULONG Unknown1; + ULONG Unknown2; + PVOID Base; + ULONG Size; + ULONG Flags; + USHORT Index; + /* Length of module name not including the path, this + field contains valid value only for NTOSKRNL module */ + USHORT NameLength; + USHORT LoadCount; + USHORT PathLength; + CHAR ImageName[256]; +} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; + +typedef struct _SYSTEM_MODULE_INFORMATION { + ULONG Count; + SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; +} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; + +typedef struct _SYSTEM_LOCK_INFORMATION { + PVOID Address; + USHORT Type; + USHORT Reserved1; + ULONG ExclusiveOwnerThreadId; + ULONG ActiveCount; + ULONG ContentionCount; + ULONG Reserved2[2]; + ULONG NumberOfSharedWaiters; + ULONG NumberOfExclusiveWaiters; +} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION; + +/*SYSTEM_HANDLE_INFORMATION.Flags cosntants */ +#define PROTECT_FROM_CLOSE 0x01 +#define INHERIT 0x02 + +typedef struct _SYSTEM_HANDLE_INFORMATION { + ULONG ProcessId; + UCHAR ObjectTypeNumber; + UCHAR Flags; + USHORT Handle; + PVOID Object; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION { + ULONG NextEntryOffset; + ULONG ObjectCount; + ULONG HandleCount; + ULONG TypeNumber; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ACCESS_MASK ValidAccessMask; + POOL_TYPE PoolType; + UCHAR Unknown; + UNICODE_STRING Name; +} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION; + +/* SYSTEM_OBJECT_INFORMATION.Flags constants */ +#define FLG_SYSOBJINFO_SINGLE_HANDLE_ENTRY 0x40 +#define FLG_SYSOBJINFO_DEFAULT_SECURITY_QUOTA 0x20 +#define FLG_SYSOBJINFO_PERMANENT 0x10 +#define FLG_SYSOBJINFO_EXCLUSIVE 0x08 +#define FLG_SYSOBJINFO_CREATOR_INFO 0x04 +#define FLG_SYSOBJINFO_KERNEL_MODE 0x02 + +typedef struct _SYSTEM_OBJECT_INFORMATION { + ULONG NextEntryOffset; + PVOID Object; + ULONG CreatorProcessId; + USHORT Unknown; + USHORT Flags; + ULONG PointerCount; + ULONG HandleCount; + ULONG PagedPoolUsage; + ULONG NonPagedPoolUsage; + ULONG ExclusiveProcessId; + PSECURITY_DESCRIPTOR SecurityDescriptor; + UNICODE_STRING Name; +} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; + +typedef struct _SYSTEM_PAGEFILE_INFORMATION { + ULONG NextEntryOffset; + ULONG CurrentSize; + ULONG TotalUsed; + ULONG PeakUsed; + UNICODE_STRING FileName; +} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION; + +typedef struct _SYSTEM_INSTRUCTION_EMULATION_INFORMATION { + ULONG SegmentNotPresent; + ULONG TwoByteOpcode; + ULONG ESprefix; + ULONG CSprefix; + ULONG SSprefix; + ULONG DSprefix; + ULONG FSPrefix; + ULONG GSprefix; + ULONG OPER32prefix; + ULONG ADDR32prefix; + ULONG INSB; + ULONG INSW; + ULONG OUTSB; + ULONG OUTSW; + ULONG PUSHFD; + ULONG POPFD; + ULONG INTnn; + ULONG INTO; + ULONG IRETD; + ULONG INBimm; + ULONG INWimm; + ULONG OUTBimm; + ULONG OUTWimm; + ULONG INB; + ULONG INW; + ULONG OUTB; + ULONG OUTW; + ULONG LOCKprefix; + ULONG REPNEprefix; + ULONG REPprefix; + ULONG HLT; + ULONG CLI; + ULONG STI; + ULONG GenericInvalidOpcode; +} SYSTEM_INSTRUCTION_EMULATION_INFORMATION, *PSYSTEM_INSTRUCTION_EMULATION_INFORMATION; + +typedef struct _SYSTEM_POOL_TAG_INFORMATION { + CHAR Tag[4]; + ULONG PagedPoolAllocs; + ULONG PagedPoolFrees; + ULONG PagedPoolUsage; + ULONG NonPagedPoolAllocs; + ULONG NonPagedPoolFrees; + ULONG NonPagedPoolUsage; +} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION; + +typedef struct _SYSTEM_PROCESSOR_STATISTICS { + ULONG ContextSwitches; + ULONG DpcCount; + ULONG DpcRequestRate; + ULONG TimeIncrement; + ULONG DpcBypassCount; + ULONG ApcBypassCount; +} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS; + +typedef struct _SYSTEM_DPC_INFORMATION { + ULONG Reserved; + ULONG MaximumDpcQueueDepth; + ULONG MinimumDpcRate; + ULONG AdjustDpcThreshold; + ULONG IdealDpcRate; +} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION; + +typedef struct _SYSTEM_LOAD_IMAGE { + UNICODE_STRING ModuleName; + PVOID ModuleBase; + PVOID SectionPointer; + PVOID EntryPoint; + PVOID ExportDirectory; +} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE; + +typedef struct _SYSTEM_UNLOAD_IMAGE { + PVOID ModuleBase; +} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE; + +typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT { + ULONG TimeAdjustment; + ULONG MaximumIncrement; + BOOLEAN TimeSynchronization; +} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT; + +typedef struct _SYSTEM_SET_TIME_ADJUSTMENT { + ULONG TimeAdjustment; + BOOLEAN TimeSynchronization; +} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT; + +typedef struct _SYSTEM_CRASH_DUMP_INFORMATION { + HANDLE CrashDumpSectionHandle; + HANDLE Unknown; +} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION; + +typedef struct _SYSTEM_EXCEPTION_INFORMATION { + ULONG AlignmentFixupCount; + ULONG ExceptionDispatchCount; + ULONG FloatingEmulationCount; + ULONG Reserved; +} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; + +typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION { + ULONG CrashDumpSectionExists; + ULONG Unknown; +} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION; + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { + BOOLEAN DebuggerEnabled; + BOOLEAN DebuggerNotPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; + +typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION { + ULONG ContextSwitches; + ULONG ContextSwitchCounters[11]; +} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION; + +typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION { + ULONG RegistryQuota; + ULONG RegistryQuotaInUse; + ULONG PagedPoolSize; +} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; + +typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE { + UNICODE_STRING ModuleName; +} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE; + +typedef struct _SYSTEM_PRIORITY_SEPARATION { + ULONG PrioritySeparation; +} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION; + +typedef struct _SYSTEM_TIME_ZONE_INFORMATION { + LONG Bias; + WCHAR StandardName[32]; + LARGE_INTEGER StandardDate; + LONG StandardBias; + WCHAR DaylightName[32]; + LARGE_INTEGER DaylightDate; + LONG DaylightBias; +} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION; + +typedef struct _SYSTEM_LOOKASIDE_INFORMATION { + USHORT Depth; + USHORT MaximumDepth; + ULONG TotalAllocates; + ULONG AllocateMisses; + ULONG TotalFrees; + ULONG FreeMisses; + POOL_TYPE Type; + ULONG Tag; + ULONG Size; +} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; + +typedef struct _SYSTEM_SET_TIME_SLIP_EVENT { + HANDLE TimeSlipEvent; +} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT; + +typedef struct _SYSTEM_CREATE_SESSION { + ULONG SessionId; +} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION; + +typedef struct _SYSTEM_DELETE_SESSION { + ULONG SessionId; +} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION; + +typedef struct _SYSTEM_RANGE_START_INFORMATION { + PVOID SystemRangeStart; +} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION; + +typedef struct _SYSTEM_SESSION_PROCESSES_INFORMATION { + ULONG SessionId; + ULONG BufferSize; + PVOID Buffer; +} SYSTEM_SESSION_PROCESSES_INFORMATION, *PSYSTEM_SESSION_PROCESSES_INFORMATION; + +typedef struct _SYSTEM_POOL_BLOCK { + BOOLEAN Allocated; + USHORT Unknown; + ULONG Size; + CHAR Tag[4]; +} SYSTEM_POOL_BLOCK, *PSYSTEM_POOL_BLOCK; + +typedef struct _SYSTEM_POOL_BLOCKS_INFORMATION { + ULONG PoolSize; + PVOID PoolBase; + USHORT Unknown; + ULONG NumberOfBlocks; + SYSTEM_POOL_BLOCK PoolBlocks[1]; +} SYSTEM_POOL_BLOCKS_INFORMATION, *PSYSTEM_POOL_BLOCKS_INFORMATION; + +typedef struct _SYSTEM_MEMORY_USAGE { + PVOID Name; + USHORT Valid; + USHORT Standby; + USHORT Modified; + USHORT PageTables; +} SYSTEM_MEMORY_USAGE, *PSYSTEM_MEMORY_USAGE; + +typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION { + ULONG Reserved; + PVOID EndOfData; + SYSTEM_MEMORY_USAGE MemoryUsage[1]; +} SYSTEM_MEMORY_USAGE_INFORMATION, *PSYSTEM_MEMORY_USAGE_INFORMATION; + +NTOSAPI +NTSTATUS +NTAPI +NtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +NtQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OUT PVOID SystemInformation, + IN ULONG SystemInformationLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwQuerySystemEnvironmentValue( + IN PUNICODE_STRING Name, + OUT PVOID Value, + IN ULONG ValueLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetSystemEnvironmentValue( + IN PUNICODE_STRING Name, + IN PUNICODE_STRING Value); + +typedef enum _SHUTDOWN_ACTION { + ShutdownNoReboot, + ShutdownReboot, + ShutdownPowerOff +} SHUTDOWN_ACTION; + +NTOSAPI +NTSTATUS +NTAPI +NtShutdownSystem( + IN SHUTDOWN_ACTION Action); + +typedef enum _DEBUG_CONTROL_CODE { + DebugGetTraceInformation = 1, + DebugSetInternalBreakpoint, + DebugSetSpecialCall, + DebugClearSpecialCalls, + DebugQuerySpecialCalls, + DebugDbgBreakPoint, + DebugMaximum +} DEBUG_CONTROL_CODE; + + +NTOSAPI +NTSTATUS +NTAPI +ZwSystemDebugControl( + IN DEBUG_CONTROL_CODE ControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL); + + + +/* Objects, Object directories, and symbolic links */ + +typedef enum _OBJECT_INFORMATION_CLASS { + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectAllTypesInformation, + ObjectHandleInformation +} OBJECT_INFORMATION_CLASS; + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryObject( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG ObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetInformationObject( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + IN PVOID ObjectInformation, + IN ULONG ObjectInformationLength); + +/* OBJECT_BASIC_INFORMATION.Attributes constants */ +/* also in winbase.h */ +//#define HANDLE_FLAG_INHERIT 0x01 +//#define HANDLE_FLAG_PROTECT_FROM_CLOSE 0x02 +/* end winbase.h */ +#define PERMANENT 0x10 +#define EXCLUSIVE 0x20 + +typedef struct _OBJECT_BASIC_INFORMATION { + ULONG Attributes; + ACCESS_MASK GrantedAccess; + ULONG HandleCount; + ULONG PointerCount; + ULONG PagedPoolUsage; + ULONG NonPagedPoolUsage; + ULONG Reserved[3]; + ULONG NameInformationLength; + ULONG TypeInformationLength; + ULONG SecurityDescriptorLength; + LARGE_INTEGER CreateTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; +#if 0 +/* FIXME: Enable later */ +typedef struct _OBJECT_TYPE_INFORMATION { + UNICODE_STRING Name; + ULONG ObjectCount; + ULONG HandleCount; + ULONG Reserved1[4]; + ULONG PeakObjectCount; + ULONG PeakHandleCount; + ULONG Reserved2[4]; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccess; + UCHAR Unknown; + BOOLEAN MaintainHandleDatabase; + POOL_TYPE PoolType; + ULONG PagedPoolUsage; + ULONG NonPagedPoolUsage; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_ALL_TYPES_INFORMATION { + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation; +} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION; +#endif +typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFORMATION { + BOOLEAN Inherit; + BOOLEAN ProtectFromClose; +} OBJECT_HANDLE_ATTRIBUTE_INFORMATION, *POBJECT_HANDLE_ATTRIBUTE_INFORMATION; + +NTOSAPI +NTSTATUS +NTAPI +NtDuplicateObject( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN HANDLE TargetProcessHandle, + OUT PHANDLE TargetHandle OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN ULONG Attributes, + IN ULONG Options); + +NTOSAPI +NTSTATUS +NTAPI +ZwDuplicateObject( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN HANDLE TargetProcessHandle, + OUT PHANDLE TargetHandle OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN ULONG Attributes, + IN ULONG Options); + +NTOSAPI +NTSTATUS +NTAPI +NtQuerySecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ULONG SecurityDescriptorLength, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwQuerySecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ULONG SecurityDescriptorLength, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +NtSetSecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetSecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryDirectoryObject( + IN HANDLE DirectoryHandle, + OUT PVOID Buffer, + IN ULONG BufferLength, + IN BOOLEAN ReturnSingleEntry, + IN BOOLEAN RestartScan, + IN OUT PULONG Context, + OUT PULONG ReturnLength OPTIONAL); + +typedef struct _DIRECTORY_BASIC_INFORMATION { + UNICODE_STRING ObjectName; + UNICODE_STRING ObjectTypeName; +} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION; + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateSymbolicLinkObject( + OUT PHANDLE SymbolicLinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PUNICODE_STRING TargetName); + + + + +/* Virtual memory */ + +typedef enum _MEMORY_INFORMATION_CLASS { +MemoryBasicInformation, +MemoryWorkingSetList, +MemorySectionName, +MemoryBasicVlmInformation +} MEMORY_INFORMATION_CLASS; + +NTOSAPI +NTSTATUS +NTAPI +NtAllocateVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG ZeroBits, + IN OUT PULONG AllocationSize, + IN ULONG AllocationType, + IN ULONG Protect); + +NTOSAPI +NTSTATUS +NTAPI +ZwAllocateVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG ZeroBits, + IN OUT PULONG AllocationSize, + IN ULONG AllocationType, + IN ULONG Protect); + +NTOSAPI +NTSTATUS +NTAPI +NtFreeVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG FreeSize, + IN ULONG FreeType); + +NTOSAPI +NTSTATUS +NTAPI +ZwFreeVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG FreeSize, + IN ULONG FreeType); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN ULONG MemoryInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +/* MEMORY_WORKING_SET_LIST.WorkingSetList constants */ +#define WSLE_PAGE_READONLY 0x001 +#define WSLE_PAGE_EXECUTE 0x002 +#define WSLE_PAGE_READWRITE 0x004 +#define WSLE_PAGE_EXECUTE_READ 0x003 +#define WSLE_PAGE_WRITECOPY 0x005 +#define WSLE_PAGE_EXECUTE_READWRITE 0x006 +#define WSLE_PAGE_EXECUTE_WRITECOPY 0x007 +#define WSLE_PAGE_SHARE_COUNT_MASK 0x0E0 +#define WSLE_PAGE_SHAREABLE 0x100 + +typedef struct _MEMORY_WORKING_SET_LIST { + ULONG NumberOfPages; + ULONG WorkingSetList[1]; +} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST; + +typedef struct _MEMORY_SECTION_NAME { + UNICODE_STRING SectionFileName; +} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME; + +/* Zw[Lock|Unlock]VirtualMemory.LockType constants */ +#define LOCK_VM_IN_WSL 0x01 +#define LOCK_VM_IN_RAM 0x02 + +NTOSAPI +NTSTATUS +NTAPI +ZwLockVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG LockSize, + IN ULONG LockType); + +NTOSAPI +NTSTATUS +NTAPI +ZwUnlockVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG LockSize, + IN ULONG LockType); + +NTOSAPI +NTSTATUS +NTAPI +ZwReadVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + OUT PVOID Buffer, + IN ULONG BufferLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG BufferLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwProtectVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG ProtectSize, + IN ULONG NewProtect, + OUT PULONG OldProtect); + +NTOSAPI +NTSTATUS +NTAPI +ZwFlushVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG FlushSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +NTOSAPI +NTSTATUS +NTAPI +ZwAllocateUserPhysicalPages( + IN HANDLE ProcessHandle, + IN PULONG NumberOfPages, + OUT PULONG PageFrameNumbers); + +NTOSAPI +NTSTATUS +NTAPI +ZwFreeUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + IN PULONG PageFrameNumbers); + +NTOSAPI +NTSTATUS +NTAPI +ZwMapUserPhysicalPages( + IN PVOID BaseAddress, + IN PULONG NumberOfPages, + IN PULONG PageFrameNumbers); + +NTOSAPI +NTSTATUS +NTAPI +ZwMapUserPhysicalPagesScatter( + IN PVOID *BaseAddresses, + IN PULONG NumberOfPages, + IN PULONG PageFrameNumbers); + +NTOSAPI +NTSTATUS +NTAPI +ZwGetWriteWatch( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN ULONG RegionSize, + OUT PULONG Buffer, + IN OUT PULONG BufferEntries, + OUT PULONG Granularity); + +NTSYSAPI +NTSTATUS +NTAPI +ZwOpenSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTOSAPI +NTSTATUS +NTAPI +ZwResetWriteWatch( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN ULONG RegionSize); + + + + +/* Sections */ + +typedef enum _SECTION_INFORMATION_CLASS { + SectionBasicInformation, + SectionImageInformation +} SECTION_INFORMATION_CLASS; + +NTOSAPI +NTSTATUS +NTAPI +NtCreateSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PLARGE_INTEGER SectionSize OPTIONAL, + IN ULONG Protect, + IN ULONG Attributes, + IN HANDLE FileHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PLARGE_INTEGER SectionSize OPTIONAL, + IN ULONG Protect, + IN ULONG Attributes, + IN HANDLE FileHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwQuerySection( + IN HANDLE SectionHandle, + IN SECTION_INFORMATION_CLASS SectionInformationClass, + OUT PVOID SectionInformation, + IN ULONG SectionInformationLength, + OUT PULONG ResultLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwExtendSection( + IN HANDLE SectionHandle, + IN PLARGE_INTEGER SectionSize); + +NTOSAPI +NTSTATUS +NTAPI +ZwAreMappedFilesTheSame( + IN PVOID Address1, + IN PVOID Address2); + + + + +/* Threads */ + +typedef struct _USER_STACK { + PVOID FixedStackBase; + PVOID FixedStackLimit; + PVOID ExpandableStackBase; + PVOID ExpandableStackLimit; + PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ProcessHandle, + OUT PCLIENT_ID ClientId, + IN PCONTEXT ThreadContext, + IN PUSER_STACK UserStack, + IN BOOLEAN CreateSuspended); + +NTOSAPI +NTSTATUS +NTAPI +NtOpenThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId); + +NTOSAPI +NTSTATUS +NTAPI +ZwTerminateThread( + IN HANDLE ThreadHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +NTOSAPI +NTSTATUS +NTAPI +NtQueryInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +NtSetInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength); + +typedef struct _THREAD_BASIC_INFORMATION { + NTSTATUS ExitStatus; + PNT_TIB TebBaseAddress; + CLIENT_ID ClientId; + KAFFINITY AffinityMask; + KPRIORITY Priority; + KPRIORITY BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef struct _KERNEL_USER_TIMES { + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; + +NTOSAPI +NTSTATUS +NTAPI +ZwSuspendThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwGetContextThread( + IN HANDLE ThreadHandle, + OUT PCONTEXT Context); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetContextThread( + IN HANDLE ThreadHandle, + IN PCONTEXT Context); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueueApcThread( + IN HANDLE ThreadHandle, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcContext OPTIONAL, + IN PVOID Argument1 OPTIONAL, + IN PVOID Argument2 OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwTestAlert( + VOID); + +NTOSAPI +NTSTATUS +NTAPI +ZwAlertThread( + IN HANDLE ThreadHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwAlertResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwRegisterThreadTerminatePort( + IN HANDLE PortHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwImpersonateThread( + IN HANDLE ThreadHandle, + IN HANDLE TargetThreadHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +NTOSAPI +NTSTATUS +NTAPI +ZwImpersonateAnonymousToken( + IN HANDLE ThreadHandle); + + + + +/* Processes */ + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE InheritFromProcessHandle, + IN BOOLEAN InheritHandles, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE InheritFromProcessHandle, + IN BOOLEAN InheritHandles, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwTerminateProcess( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInformationProcess( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +NtSetInformationProcess( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG ProcessInformationLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetInformationProcess( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG ProcessInformationLength); + +typedef struct _PROCESS_BASIC_INFORMATION { + NTSTATUS ExitStatus; + PPEB PebBaseAddress; + KAFFINITY AffinityMask; + KPRIORITY BasePriority; + ULONG UniqueProcessId; + ULONG InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; + +typedef struct _PROCESS_ACCESS_TOKEN { + HANDLE Token; + HANDLE Thread; +} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; + +/* DefaultHardErrorMode constants */ +/* also in winbase.h */ +#define SEM_FAILCRITICALERRORS 0x0001 +#define SEM_NOGPFAULTERRORBOX 0x0002 +#define SEM_NOALIGNMENTFAULTEXCEPT 0x0004 +#define SEM_NOOPENFILEERRORBOX 0x8000 +/* end winbase.h */ +typedef struct _POOLED_USAGE_AND_LIMITS { + ULONG PeakPagedPoolUsage; + ULONG PagedPoolUsage; + ULONG PagedPoolLimit; + ULONG PeakNonPagedPoolUsage; + ULONG NonPagedPoolUsage; + ULONG NonPagedPoolLimit; + ULONG PeakPagefileUsage; + ULONG PagefileUsage; + ULONG PagefileLimit; +} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS; + +typedef struct _PROCESS_WS_WATCH_INFORMATION { + PVOID FaultingPc; + PVOID FaultingVa; +} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION; + +/* PROCESS_PRIORITY_CLASS.PriorityClass constants */ +#define PC_IDLE 1 +#define PC_NORMAL 2 +#define PC_HIGH 3 +#define PC_REALTIME 4 +#define PC_BELOW_NORMAL 5 +#define PC_ABOVE_NORMAL 6 + +typedef struct _PROCESS_PRIORITY_CLASS { + BOOLEAN Foreground; + UCHAR PriorityClass; +} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS; + +/* PROCESS_DEVICEMAP_INFORMATION.DriveType constants */ +#define DRIVE_UNKNOWN 0 +#define DRIVE_NO_ROOT_DIR 1 +#define DRIVE_REMOVABLE 2 +#define DRIVE_FIXED 3 +#define DRIVE_REMOTE 4 +#define DRIVE_CDROM 5 +#define DRIVE_RAMDISK 6 + +typedef struct _PROCESS_DEVICEMAP_INFORMATION { + union { + struct { + HANDLE DirectoryHandle; + } Set; + struct { + ULONG DriveMap; + UCHAR DriveType[ 32 ]; + } Query; + }; +} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; + +typedef struct _PROCESS_SESSION_INFORMATION { + ULONG SessionId; +} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; + +typedef struct _RTL_USER_PROCESS_PARAMETERS { + ULONG AllocationSize; + ULONG Size; + ULONG Flags; + ULONG DebugFlags; + HANDLE hConsole; + ULONG ProcessGroup; + HANDLE hStdInput; + HANDLE hStdOutput; + HANDLE hStdError; + UNICODE_STRING CurrentDirectoryName; + HANDLE CurrentDirectoryHandle; + UNICODE_STRING DllPath; + UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; + PWSTR Environment; + ULONG dwX; + ULONG dwY; + ULONG dwXSize; + ULONG dwYSize; + ULONG dwXCountChars; + ULONG dwYCountChars; + ULONG dwFillAttribute; + ULONG dwFlags; + ULONG wShowWindow; + UNICODE_STRING WindowTitle; + UNICODE_STRING DesktopInfo; + UNICODE_STRING ShellInfo; + UNICODE_STRING RuntimeInfo; +} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; + +NTSTATUS +NTAPI +RtlCreateProcessParameters( + OUT PRTL_USER_PROCESS_PARAMETERS *ProcessParameters, + IN PUNICODE_STRING ImageFile, + IN PUNICODE_STRING DllPath OPTIONAL, + IN PUNICODE_STRING CurrentDirectory OPTIONAL, + IN PUNICODE_STRING CommandLine OPTIONAL, + IN PWSTR Environment OPTIONAL, + IN PUNICODE_STRING WindowTitle OPTIONAL, + IN PUNICODE_STRING DesktopInfo OPTIONAL, + IN PUNICODE_STRING ShellInfo OPTIONAL, + IN PUNICODE_STRING RuntimeInfo OPTIONAL); + +NTSTATUS +NTAPI +RtlDestroyProcessParameters( + IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters); + +typedef struct _DEBUG_BUFFER { + HANDLE SectionHandle; + PVOID SectionBase; + PVOID RemoteSectionBase; + ULONG SectionBaseDelta; + HANDLE EventPairHandle; + ULONG Unknown[2]; + HANDLE RemoteThreadHandle; + ULONG InfoClassMask; + ULONG SizeOfInfo; + ULONG AllocatedSize; + ULONG SectionSize; + PVOID ModuleInformation; + PVOID BackTraceInformation; + PVOID HeapInformation; + PVOID LockInformation; + PVOID Reserved[8]; +} DEBUG_BUFFER, *PDEBUG_BUFFER; + +PDEBUG_BUFFER +NTAPI +RtlCreateQueryDebugBuffer( + IN ULONG Size, + IN BOOLEAN EventPair); + +/* RtlQueryProcessDebugInformation.DebugInfoClassMask constants */ +#define PDI_MODULES 0x01 +#define PDI_BACKTRACE 0x02 +#define PDI_HEAPS 0x04 +#define PDI_HEAP_TAGS 0x08 +#define PDI_HEAP_BLOCKS 0x10 +#define PDI_LOCKS 0x20 + +NTSTATUS +NTAPI +RtlQueryProcessDebugInformation( + IN ULONG ProcessId, + IN ULONG DebugInfoClassMask, + IN OUT PDEBUG_BUFFER DebugBuffer); + +NTSTATUS +NTAPI +RtlDestroyQueryDebugBuffer( + IN PDEBUG_BUFFER DebugBuffer); + +/* DEBUG_MODULE_INFORMATION.Flags constants */ +#define LDRP_STATIC_LINK 0x00000002 +#define LDRP_IMAGE_DLL 0x00000004 +#define LDRP_LOAD_IN_PROGRESS 0x00001000 +#define LDRP_UNLOAD_IN_PROGRESS 0x00002000 +#define LDRP_ENTRY_PROCESSED 0x00004000 +#define LDRP_ENTRY_INSERTED 0x00008000 +#define LDRP_CURRENT_LOAD 0x00010000 +#define LDRP_FAILED_BUILTIN_LOAD 0x00020000 +#define LDRP_DONT_CALL_FOR_THREADS 0x00040000 +#define LDRP_PROCESS_ATTACH_CALLED 0x00080000 +#define LDRP_DEBUG_SYMBOLS_LOADED 0x00100000 +#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 +#define LDRP_WX86_IGNORE_MACHINETYPE 0x00400000 + +typedef struct _DEBUG_MODULE_INFORMATION { + ULONG Reserved[2]; + ULONG Base; + ULONG Size; + ULONG Flags; + USHORT Index; + USHORT Unknown; + USHORT LoadCount; + USHORT ModuleNameOffset; + CHAR ImageName[256]; +} DEBUG_MODULE_INFORMATION, *PDEBUG_MODULE_INFORMATION; + +typedef struct _DEBUG_HEAP_INFORMATION { + ULONG Base; + ULONG Flags; + USHORT Granularity; + USHORT Unknown; + ULONG Allocated; + ULONG Committed; + ULONG TagCount; + ULONG BlockCount; + ULONG Reserved[7]; + PVOID Tags; + PVOID Blocks; +} DEBUG_HEAP_INFORMATION, *PDEBUG_HEAP_INFORMATION; + +typedef struct _DEBUG_LOCK_INFORMATION { + PVOID Address; + USHORT Type; + USHORT CreatorBackTraceIndex; + ULONG OwnerThreadId; + ULONG ActiveCount; + ULONG ContentionCount; + ULONG EntryCount; + ULONG RecursionCount; + ULONG NumberOfSharedWaiters; + ULONG NumberOfExclusiveWaiters; +} DEBUG_LOCK_INFORMATION, *PDEBUG_LOCK_INFORMATION; + + + +/* Jobs */ + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwTerminateJobObject( + IN HANDLE JobHandle, + IN NTSTATUS ExitStatus); + +NTOSAPI +NTSTATUS +NTAPI +ZwAssignProcessToJobObject( + IN HANDLE JobHandle, + IN HANDLE ProcessHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobInformationClass, + OUT PVOID JobInformation, + IN ULONG JobInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobInformationClass, + IN PVOID JobInformation, + IN ULONG JobInformationLength); + + +/* Tokens */ + +#define SE_DEBUG_PRIVILEGE 20L +#define STATUS_NOT_ALL_ASSIGNED ((NTSTATUS)0x00000106L) +#define STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061L) + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateToken( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN TOKEN_TYPE Type, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_OWNER Owner, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl, +IN PTOKEN_SOURCE Source +); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenProcess ( + __out PHANDLE ProcessHandle, + __in ACCESS_MASK DesiredAccess, + __in POBJECT_ATTRIBUTES ObjectAttributes, + __in_opt PCLIENT_ID ClientId + ); + + +NTOSAPI +NTSTATUS +NTAPI +ZwClose( + IN HANDLE Handle + ); + + +NTOSAPI +NTSTATUS +NTAPI + ZwMakeTemporaryObject( + IN HANDLE Handle + ); + + +NTOSAPI +NTSTATUS +NTAPI +NtOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +NtOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +NtDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwFilterToken( + IN HANDLE ExistingTokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable, + IN PTOKEN_PRIVILEGES PrivilegesToDelete, + IN PTOKEN_GROUPS SidsToRestricted, + OUT PHANDLE NewTokenHandle); + +NTOSAPI +NTSTATUS +NTAPI +NtAdjustPrivilegesToken( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwAdjustPrivilegesToken( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwAdjustGroupsToken( + IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState, + IN ULONG BufferLength, + OUT PTOKEN_GROUPS PreviousState OPTIONAL, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +NtQueryInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + IN PVOID TokenInformation, + IN ULONG TokenInformationLength); + + + + +/* Time */ + +NTOSAPI +NTSTATUS +NTAPI +ZwQuerySystemTime( + OUT PLARGE_INTEGER CurrentTime); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetSystemTime( + IN PLARGE_INTEGER NewTime, + OUT PLARGE_INTEGER OldTime OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryPerformanceCounter( + OUT PLARGE_INTEGER PerformanceCount, + OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryPerformanceCounter( + OUT PLARGE_INTEGER PerformanceCount, + OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryTimerResolution( + OUT PULONG CoarsestResolution, + OUT PULONG FinestResolution, + OUT PULONG ActualResolution); + +NTOSAPI +NTSTATUS +NTAPI +ZwDelayExecution( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Interval); + +NTOSAPI +NTSTATUS +NTAPI +ZwYieldExecution( + VOID); + +NTOSAPI +ULONG +NTAPI +ZwGetTickCount( + VOID); + + + + +/* Execution profiling */ + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateProfile( + OUT PHANDLE ProfileHandle, + IN HANDLE ProcessHandle, + IN PVOID Base, + IN ULONG Size, + IN ULONG BucketShift, + IN PULONG Buffer, + IN ULONG BufferLength, + IN KPROFILE_SOURCE Source, + IN ULONG ProcessorMask); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetIntervalProfile( + IN ULONG Interval, + IN KPROFILE_SOURCE Source); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryIntervalProfile( + IN KPROFILE_SOURCE Source, + OUT PULONG Interval); + +NTOSAPI +NTSTATUS +NTAPI +ZwStartProfile( + IN HANDLE ProfileHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwStopProfile( + IN HANDLE ProfileHandle); + +/* Local Procedure Call (LPC) */ + +typedef struct _LPC_MESSAGE { + USHORT DataSize; + USHORT MessageSize; + USHORT MessageType; + USHORT VirtualRangesOffset; + CLIENT_ID ClientId; + ULONG MessageId; + ULONG SectionSize; + UCHAR Data[ANYSIZE_ARRAY]; +} LPC_MESSAGE, *PLPC_MESSAGE; + +#define LPC_MESSAGE_BASE_SIZE 24 + +typedef enum _LPC_TYPE { + LPC_NEW_MESSAGE, + LPC_REQUEST, + LPC_REPLY, + LPC_DATAGRAM, + LPC_LOST_REPLY, + LPC_PORT_CLOSED, + LPC_CLIENT_DIED, + LPC_EXCEPTION, + LPC_DEBUG_EVENT, + LPC_ERROR_EVENT, + LPC_CONNECTION_REQUEST, + LPC_CONNECTION_REFUSED, + LPC_MAXIMUM +} LPC_TYPE; + +typedef struct _LPC_SECTION_WRITE { + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + ULONG ViewSize; + PVOID ViewBase; + PVOID TargetViewBase; +} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE; + +typedef struct _LPC_SECTION_READ { + ULONG Length; + ULONG ViewSize; + PVOID ViewBase; +} LPC_SECTION_READ, *PLPC_SECTION_READ; + +NTOSAPI +NTSTATUS +NTAPI +ZwCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxDataSize, + IN ULONG MaxMessageSize, + IN ULONG Reserved); + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateWaitablePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxDataSize, + IN ULONG MaxMessageSize, + IN ULONG Reserved); + +NTOSAPI +NTSTATUS +NTAPI +NtConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL, + IN OUT PLPC_SECTION_READ ReadSection OPTIONAL, + OUT PULONG MaxMessageSize OPTIONAL, + IN OUT PVOID ConnectData OPTIONAL, + IN OUT PULONG ConnectDataLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL, + IN OUT PLPC_SECTION_READ ReadSection OPTIONAL, + OUT PULONG MaxMessageSize OPTIONAL, + IN OUT PVOID ConnectData OPTIONAL, + IN OUT PULONG ConnectDataLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL, + IN OUT PLPC_SECTION_READ ReadSection OPTIONAL, + OUT PULONG MaxMessageSize OPTIONAL, + IN OUT PVOID ConnectData OPTIONAL, + IN OUT PULONG ConnectDataLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwListenPort( + IN HANDLE PortHandle, + OUT PLPC_MESSAGE Message); + +NTOSAPI +NTSTATUS +NTAPI +ZwAcceptConnectPort( + OUT PHANDLE PortHandle, + IN ULONG PortIdentifier, + IN PLPC_MESSAGE Message, + IN BOOLEAN Accept, + IN OUT PLPC_SECTION_WRITE WriteSection OPTIONAL, + IN OUT PLPC_SECTION_READ ReadSection OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwCompleteConnectPort( + IN HANDLE PortHandle); + +NTOSAPI +NTSTATUS +NTAPI +NtRequestPort( + IN HANDLE PortHandle, + IN PLPC_MESSAGE RequestMessage); + +NTOSAPI +NTSTATUS +NTAPI +NtRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PLPC_MESSAGE RequestMessage, + OUT PLPC_MESSAGE ReplyMessage); + +NTOSAPI +NTSTATUS +NTAPI +ZwRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PLPC_MESSAGE RequestMessage, + OUT PLPC_MESSAGE ReplyMessage); + +NTOSAPI +NTSTATUS +NTAPI +ZwReplyPort( + IN HANDLE PortHandle, + IN PLPC_MESSAGE ReplyMessage); + +NTOSAPI +NTSTATUS +NTAPI +ZwReplyWaitReplyPort( + IN HANDLE PortHandle, + IN OUT PLPC_MESSAGE ReplyMessage); + +NTOSAPI +NTSTATUS +NTAPI +ZwReplyWaitReceivePort( + IN HANDLE PortHandle, + OUT PULONG PortIdentifier OPTIONAL, + IN PLPC_MESSAGE ReplyMessage OPTIONAL, + OUT PLPC_MESSAGE Message); + +NTOSAPI +NTSTATUS +NTAPI +ZwReplyWaitReceivePortEx( + IN HANDLE PortHandle, + OUT PULONG PortIdentifier OPTIONAL, + IN PLPC_MESSAGE ReplyMessage OPTIONAL, + OUT PLPC_MESSAGE Message, + IN PLARGE_INTEGER Timeout); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG OpenOptions +); + + +#define OBJ_CASE_INSENSITIVE 0x00000040L +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 + +NTOSAPI +NTSTATUS +NTAPI +ZwReadRequestData( + IN HANDLE PortHandle, + IN PLPC_MESSAGE Message, + IN ULONG Index, + OUT PVOID Buffer, + IN ULONG BufferLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwWriteRequestData( + IN HANDLE PortHandle, + IN PLPC_MESSAGE Message, + IN ULONG Index, + IN PVOID Buffer, + IN ULONG BufferLength, + OUT PULONG ReturnLength OPTIONAL); + +typedef enum _PORT_INFORMATION_CLASS { + PortBasicInformation +} PORT_INFORMATION_CLASS; + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInformationPort( + IN HANDLE PortHandle, + IN PORT_INFORMATION_CLASS PortInformationClass, + OUT PVOID PortInformation, + IN ULONG PortInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PLPC_MESSAGE Message); + + + + +/* Files */ + +NTOSAPI +NTSTATUS +NTAPI +NtDeleteFile( + IN POBJECT_ATTRIBUTES ObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwDeleteFile( + IN POBJECT_ATTRIBUTES ObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwFlushBuffersFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +NTOSAPI +NTSTATUS +NTAPI +ZwCancelIoFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +NTOSAPI +NTSTATUS +NTAPI +ZwReadFileScatter( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwWriteFileGather( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + + + + +/* Registry keys */ + +NTOSAPI +NTSTATUS +NTAPI +ZwSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwSaveMergedKeys( + IN HANDLE KeyHandle1, + IN HANDLE KeyHandle2, + IN HANDLE FileHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwRestoreKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Flags); + +NTOSAPI +NTSTATUS +NTAPI +ZwLoadKey( + IN POBJECT_ATTRIBUTES KeyObjectAttributes, + IN POBJECT_ATTRIBUTES FileObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwLoadKey2( + IN POBJECT_ATTRIBUTES KeyObjectAttributes, + IN POBJECT_ATTRIBUTES FileObjectAttributes, + IN ULONG Flags); + +NTOSAPI +NTSTATUS +NTAPI +ZwUnloadKey( + IN POBJECT_ATTRIBUTES KeyObjectAttributes); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryOpenSubKeys( + IN POBJECT_ATTRIBUTES KeyObjectAttributes, + OUT PULONG NumberOfKeys); + +NTOSAPI +NTSTATUS +NTAPI +ZwReplaceKey( + IN POBJECT_ATTRIBUTES NewFileObjectAttributes, + IN HANDLE KeyHandle, + IN POBJECT_ATTRIBUTES OldFileObjectAttributes); + +typedef enum _KEY_SET_INFORMATION_CLASS { + KeyLastWriteTimeInformation +} KEY_SET_INFORMATION_CLASS; + +NTOSAPI +NTSTATUS +NTAPI +ZwSetInformationKey( + IN HANDLE KeyHandle, + IN KEY_SET_INFORMATION_CLASS KeyInformationClass, + IN PVOID KeyInformation, + IN ULONG KeyInformationLength); + +typedef struct _KEY_LAST_WRITE_TIME_INFORMATION { + LARGE_INTEGER LastWriteTime; +} KEY_LAST_WRITE_TIME_INFORMATION, *PKEY_LAST_WRITE_TIME_INFORMATION; + +typedef struct _KEY_NAME_INFORMATION { + ULONG NameLength; + WCHAR Name[1]; +} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; + +NTOSAPI +NTSTATUS +NTAPI +ZwNotifyChangeKey( + IN HANDLE KeyHandle, + IN HANDLE EventHandle OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG NotifyFilter, + IN BOOLEAN WatchSubtree, + IN PVOID Buffer, + IN ULONG BufferLength, + IN BOOLEAN Asynchronous); + +/* ZwNotifyChangeMultipleKeys.Flags constants */ +#define REG_MONITOR_SINGLE_KEY 0x00 +#define REG_MONITOR_SECOND_KEY 0x01 + +NTOSAPI +NTSTATUS +NTAPI +ZwNotifyChangeMultipleKeys( + IN HANDLE KeyHandle, + IN ULONG Flags, + IN POBJECT_ATTRIBUTES KeyObjectAttributes, + IN HANDLE EventHandle OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG NotifyFilter, + IN BOOLEAN WatchSubtree, + IN PVOID Buffer, + IN ULONG BufferLength, + IN BOOLEAN Asynchronous); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_VALUE_ENTRY ValueList, + IN ULONG NumberOfValues, + OUT PVOID Buffer, + IN OUT PULONG Length, + OUT PULONG ReturnLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwInitializeRegistry( + IN BOOLEAN Setup); + + + + +/* Security and auditing */ + +NTOSAPI +NTSTATUS +NTAPI +ZwPrivilegeCheck( + IN HANDLE TokenHandle, + IN PPRIVILEGE_SET RequiredPrivileges, + OUT PBOOLEAN Result); + +NTOSAPI +NTSTATUS +NTAPI +ZwPrivilegeObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN HANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +NTOSAPI +NTSTATUS +NTAPI +ZwPrivilegeObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN HANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheck( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN PPRIVILEGE_SET PrivilegeSet, + IN PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheckAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheckByType( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid, + IN HANDLE TokenHandle, + IN ULONG DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN PPRIVILEGE_SET PrivilegeSet, + IN PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheckByTypeAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheckByTypeResultList( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid, + IN HANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN PPRIVILEGE_SET PrivilegeSet, + IN PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccessList, + OUT PULONG AccessStatusList); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheckByTypeResultListAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccessList, + OUT PULONG AccessStatusList, + OUT PULONG GenerateOnClose); + +NTOSAPI +NTSTATUS +NTAPI +ZwAccessCheckByTypeResultListAndAuditAlarmByHandle( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN HANDLE TokenHandle, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccessList, + OUT PULONG AccessStatusList, + OUT PULONG GenerateOnClose); + +NTOSAPI +NTSTATUS +NTAPI +ZwOpenObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID *HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK GrantedAccess, + IN PPRIVILEGE_SET Privileges OPTIONAL, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose); + +NTOSAPI +NTSTATUS +NTAPI +ZwCloseObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN BOOLEAN GenerateOnClose); + +NTOSAPI +NTSTATUS +NTAPI +ZwDeleteObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN BOOLEAN GenerateOnClose); + + + + +/* Plug and play and power management */ + +NTOSAPI +NTSTATUS +NTAPI +ZwRequestWakeupLatency( + IN LATENCY_TIME Latency); + +NTOSAPI +NTSTATUS +NTAPI +ZwRequestDeviceWakeup( + IN HANDLE DeviceHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwCancelDeviceWakeupRequest( + IN HANDLE DeviceHandle); + +NTOSAPI +BOOLEAN +NTAPI +ZwIsSystemResumeAutomatic( + VOID); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetThreadExecutionState( + IN EXECUTION_STATE ExecutionState, + OUT PEXECUTION_STATE PreviousExecutionState); + +NTOSAPI +NTSTATUS +NTAPI +ZwGetDevicePowerState( + IN HANDLE DeviceHandle, + OUT PDEVICE_POWER_STATE DevicePowerState); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetSystemPowerState( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE MinSystemState, + IN ULONG Flags); + +NTOSAPI +NTSTATUS +NTAPI +ZwInitiatePowerAction( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE MinSystemState, + IN ULONG Flags, + IN BOOLEAN Asynchronous); + +NTOSAPI +NTSTATUS +NTAPI +ZwPowerInformation( + IN POWER_INFORMATION_LEVEL PowerInformationLevel, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwPlugPlayControl( + IN ULONG ControlCode, + IN OUT PVOID Buffer, + IN ULONG BufferLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwGetPlugPlayEvent( + IN ULONG Reserved1, + IN ULONG Reserved2, + OUT PVOID Buffer, + IN ULONG BufferLength); + + +/* Miscellany */ + +NTOSAPI +NTSTATUS +NTAPI +ZwRaiseException( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT Context, + IN BOOLEAN SearchFrames); + +NTOSAPI +NTSTATUS +NTAPI +ZwContinue( + IN PCONTEXT Context, + IN BOOLEAN TestAlert); + +NTOSAPI +NTSTATUS +NTAPI +ZwW32Call( + IN ULONG RoutineIndex, + IN PVOID Argument, + IN ULONG ArgumentLength, + OUT PVOID *Result OPTIONAL, + OUT PULONG ResultLength OPTIONAL); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetLowWaitHighThread( + VOID); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetHighWaitLowThread( + VOID); + +NTOSAPI +NTSTATUS +NTAPI +ZwLoadDriver( + IN PUNICODE_STRING DriverServiceName); + +NTOSAPI +NTSTATUS +NTAPI +ZwUnloadDriver( + IN PUNICODE_STRING DriverServiceName); + +NTOSAPI +NTSTATUS +NTAPI +ZwFlushInstructionCache( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG FlushSize); + +NTOSAPI +NTSTATUS +NTAPI +ZwFlushWriteBuffer( + VOID); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryDefaultLocale( + IN BOOLEAN ThreadOrSystem, + OUT PLCID Locale); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetDefaultLocale( + IN BOOLEAN ThreadOrSystem, + IN LCID Locale); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryDefaultUILanguage( + OUT PLANGID LanguageId); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetDefaultUILanguage( + IN LANGID LanguageId); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInstallUILanguage( + OUT PLANGID LanguageId); + +NTOSAPI +NTSTATUS +NTAPI +NtAllocateLocallyUniqueId( + OUT PLUID Luid); + +NTOSAPI +NTSTATUS +NTAPI +NtAllocateUuids( + OUT PLARGE_INTEGER UuidLastTimeAllocated, + OUT PULONG UuidDeltaTime, + OUT PULONG UuidSequenceNumber, + OUT PUCHAR UuidSeed); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetUuidSeed( + IN PUCHAR UuidSeed); + +typedef enum _HARDERROR_RESPONSE_OPTION { + OptionAbortRetryIgnore, + OptionOk, + OptionOkCancel, + OptionRetryCancel, + OptionYesNo, + OptionYesNoCancel, + OptionShutdownSystem +} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION; + +typedef enum _HARDERROR_RESPONSE { + ResponseReturnToCaller, + ResponseNotHandled, + ResponseAbort, + ResponseCancel, + ResponseIgnore, + ResponseNo, + ResponseOk, + ResponseRetry, + ResponseYes +} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE; + +NTOSAPI +NTSTATUS +NTAPI +ZwRaiseHardError( + IN NTSTATUS Status, + IN ULONG NumberOfArguments, + IN ULONG StringArgumentsMask, + IN PULONG Arguments, + IN HARDERROR_RESPONSE_OPTION ResponseOption, + OUT PHARDERROR_RESPONSE Response); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetDefaultHardErrorPort( + IN HANDLE PortHandle); + +NTOSAPI +NTSTATUS +NTAPI +ZwDisplayString( + IN PUNICODE_STRING String); + +NTOSAPI +NTSTATUS +NTAPI +ZwCreatePagingFile( + IN PUNICODE_STRING FileName, + IN PULARGE_INTEGER InitialSize, + IN PULARGE_INTEGER MaximumSize, + IN ULONG Reserved); + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +NTOSAPI +NTSTATUS +NTAPI +NtAddAtom( + IN PWSTR AtomName, + IN ULONG AtomNameLength, + OUT PRTL_ATOM Atom); + +NTOSAPI +NTSTATUS +NTAPI +NtFindAtom( + IN PWSTR AtomName, + IN ULONG AtomNameLength, + OUT PRTL_ATOM Atom); + +NTOSAPI +NTSTATUS +NTAPI +NtDeleteAtom( + IN RTL_ATOM Atom); + +typedef enum _ATOM_INFORMATION_CLASS { + AtomBasicInformation, + AtomListInformation +} ATOM_INFORMATION_CLASS; + +NTOSAPI +NTSTATUS +NTAPI +NtQueryInformationAtom( + IN RTL_ATOM Atom, + IN ATOM_INFORMATION_CLASS AtomInformationClass, + OUT PVOID AtomInformation, + IN ULONG AtomInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +typedef struct _ATOM_BASIC_INFORMATION { + USHORT ReferenceCount; + USHORT Pinned; + USHORT NameLength; + WCHAR Name[1]; +} ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION; + +typedef struct _ATOM_LIST_INFORMATION { + ULONG NumberOfAtoms; + ATOM Atoms[1]; +} ATOM_LIST_INFORMATION, *PATOM_LIST_INFORMATION; + +NTOSAPI +NTSTATUS +NTAPI +ZwSetLdtEntries( + IN ULONG Selector1, + IN LDT_ENTRY LdtEntry1, + IN ULONG Selector2, + IN LDT_ENTRY LdtEntry2); + +NTOSAPI +NTSTATUS +NTAPI +ZwSetInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength); + +NTOSAPI +NTSTATUS +NTAPI +ZwTerminateThread( + IN HANDLE ThreadHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +NTOSAPI +NTSTATUS +NTAPI +NtVdmControl( + IN ULONG ControlCode, + IN PVOID ControlData); + +BOOLEAN +WINAPI +RtlCreateUnicodeStringFromAsciiz ( + OUT PUNICODE_STRING Destination, + IN PCSTR Source + ); + +VOID +WINAPI +RtlInitUnicodeString( + IN OUT PUNICODE_STRING DestinationString, + IN PCWSTR SourceString); + +VOID +RtlFreeUnicodeString( +IN OUT PUNICODE_STRING DestinationString); + + +LONG +WINAPI +RtlCompareUnicodeString( + IN PUNICODE_STRING String1, + IN PUNICODE_STRING String2, + IN BOOLEAN CaseInSensitive); + +BOOLEAN +WINAPI +RtlEqualUnicodeString( + IN CONST UNICODE_STRING *String1, + IN CONST UNICODE_STRING *String2, + IN BOOLEAN CaseInSensitive); + + +VOID +WINAPI + RtlInitAnsiString( + IN OUT PANSI_STRING DestinationString, + IN PCHAR SourceString + ); + + +PPEB +WINAPI +RtlGetCurrentPeb( + VOID + ); + +NTSTATUS WINAPI +RtlAdjustPrivilege(ULONG Privilege, + BOOLEAN Enable, + BOOLEAN CurrentThread, + PBOOLEAN Enabled); + +NTOSAPI +NTSTATUS +NTAPI +ZwQueryInformationThread( + /*IN*/ HANDLE ThreadHandle, + /*IN*/ THREADINFOCLASS ThreadInformationClass, + /*OUT*/ PVOID ThreadInformation, + /*IN*/ ULONG ThreadInformationLength, + /*OUT*/ PULONG ReturnLength /*OPTIONAL*/); + +NTSTATUS WINAPI LdrGetDllHandle(ULONG, ULONG, const UNICODE_STRING*, HMODULE*); +NTSTATUS WINAPI LdrGetProcedureAddress(HMODULE, const ANSI_STRING*, ULONG, void**); + +NTSTATUS WINAPI +RtlCreateUserThread( + +IN HANDLE ProcessHandle, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN BOOLEAN CreateSuspended, IN ULONG StackZeroBits, IN OUT PULONG StackReserved, IN OUT PULONG StackCommit, IN PVOID StartAddress, IN PVOID StartParameter OPTIONAL, OUT PHANDLE ThreadHandle, OUT PCLIENT_ID ClientID ); + +BOOLEAN +RtlDosPathNameToNtPathName_U ( + PCWSTR DosName, + PUNICODE_STRING NtName, + PWSTR *DosFilePath, + PVOID NtFilePath // Some special structure, first member being UNICODE_STRING + ); + +BOOLEAN RtlFreeHeap( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase ); +PVOID RtlAllocateHeap( IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size ); +PVOID RtlReAllocateHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID MemoryPointer, + IN ULONG Size ); +NTSYSAPI BOOLEAN NTAPI +RtlValidateHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID AddressToValidate OPTIONAL ); + +typedef struct _TEB +{ + NT_TIB Tib; /* 000 */ + PVOID EnvironmentPointer; /* 01c */ + CLIENT_ID ClientId; /* 020 */ + PVOID ActiveRpcHandle; /* 028 */ + PVOID ThreadLocalStoragePointer; /* 02c */ + PPEB Peb; /* 030 */ + ULONG LastErrorValue; /* 034 */ + BYTE __pad038[140]; /* 038 */ + ULONG CurrentLocale; /* 0c4 */ + BYTE __pad0c8[1752]; /* 0c8 */ + PVOID Reserved2[277]; /* 7a0 */ + ULONG LastStatusValue; /* bf4 */ + UNICODE_STRING StaticUnicodeString; /* bf8 used by advapi32 */ + WCHAR StaticUnicodeBuffer[261]; /* c00 used by advapi32 */ + PVOID DeallocationStack; /* e0c */ + PVOID TlsSlots[64]; /* e10 */ + LIST_ENTRY TlsLinks; /* f10 */ + PVOID Reserved4[26]; /* f18 */ + PVOID ReservedForOle; /* f80 Windows 2000 only */ + PVOID Reserved5[4]; /* f84 */ + PVOID TlsExpansionSlots; /* f94 */ +} TEB, *PTEB; + + +typedef struct _FILE_STANDARD_INFORMATION { + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + BOOLEAN DeletePending; + BOOLEAN Directory; +} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; + + +typedef enum _FILE_INFORMATION_CLASS { + FileDirectoryInformation = 1, + FileFullDirectoryInformation, // 2 + FileBothDirectoryInformation, // 3 + FileBasicInformation, // 4 + FileStandardInformation, // 5 + FileInternalInformation, // 6 + FileEaInformation, // 7 + FileAccessInformation, // 8 + FileNameInformation, // 9 + FileRenameInformation, // 10 + FileLinkInformation, // 11 + FileNamesInformation, // 12 + FileDispositionInformation, // 13 + FilePositionInformation, // 14 + FileFullEaInformation, // 15 + FileModeInformation, // 16 + FileAlignmentInformation, // 17 + FileAllInformation, // 18 + FileAllocationInformation, // 19 + FileEndOfFileInformation, // 20 + FileAlternateNameInformation, // 21 + FileStreamInformation, // 22 + FilePipeInformation, // 23 + FilePipeLocalInformation, // 24 + FilePipeRemoteInformation, // 25 + FileMailslotQueryInformation, // 26 + FileMailslotSetInformation, // 27 + FileCompressionInformation, // 28 + FileObjectIdInformation, // 29 + FileCompletionInformation, // 30 + FileMoveClusterInformation, // 31 + FileInformationReserved32, // 32 + FileInformationReserved33, // 33 + FileNetworkOpenInformation, // 34 + FileAttributeTagInformation, // 35 + FileTrackingInformation, // 36 + FileIdBothDirectoryInformation, // 37 + FileIdFullDirectoryInformation, // 38 + FileValidDataLengthInformation, // 39 + FileShortNameInformation, // 40 + FileMaximumInformation +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +NTSYSAPI +NTSTATUS +NTAPI +ZwQueryInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG FileInformationLength, +IN FILE_INFORMATION_CLASS FileInformationClass +); + +NTOSAPI +NTSTATUS +NTAPI +ZwCreateFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER AllocationSize OPTIONAL, +IN ULONG FileAttributes, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN PVOID EaBuffer OPTIONAL, +IN ULONG EaLength +); + +NTSYSAPI +NTSTATUS +NTAPI +ZwReadFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL +); + +NTSYSAPI +NTSTATUS +NTAPI +ZwWriteFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL +); + +NTSYSAPI +NTSTATUS +NTAPI +ZwSetInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileInformation, +IN ULONG FileInformationLength, +IN FILE_INFORMATION_CLASS FileInformationClass +); + +typedef enum _SECTION_INHERIT { +ViewShare = 1, +ViewUnmap = 2 +} SECTION_INHERIT; + +NTSYSAPI +NTSTATUS +NTAPI +ZwMapViewOfSection( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PVOID *BaseAddress, +IN ULONG ZeroBits, +IN ULONG CommitSize, +IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, +IN OUT PULONG ViewSize, +IN SECTION_INHERIT InheritDisposition, +IN ULONG AllocationType, +IN ULONG Protect +); + +NTSYSAPI +NTSTATUS +NTAPI +ZwUnmapViewOfSection( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress +); + +typedef enum _EVENT_TYPE { +NotificationEvent, // A manual-reset event +SynchronizationEvent // An auto-reset event +} EVENT_TYPE; + +NTSYSAPI +NTSTATUS +NTAPI +ZwCreateEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN EVENT_TYPE EventType, +IN BOOLEAN InitialState +); + + +NTSYSAPI +NTSTATUS +NTAPI +ZwFindAtom( +IN PWSTR String, +IN ULONG StringLength, +OUT PUSHORT Atom +); + + +NTSYSAPI +NTSTATUS +NTAPI +ZwAddAtom( +IN PWSTR String, +IN ULONG StringLength, +OUT PUSHORT Atom +); + + + +NTSYSAPI +NTSTATUS +NTAPI +ZwCreateMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN BOOLEAN InitialOwner +); + + +NTSYSAPI +NTSTATUS +NTAPI +ZwOpenMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes +); + +NTSYSAPI +NTSTATUS +NTAPI +ZwMakePermanentObject( + IN HANDLE Object + ); + +NTSYSAPI +NTSTATUS +NTAPI +ZwWaitForSingleObject( +IN HANDLE Handle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL +); + + +NTSYSAPI +NTSTATUS +NTAPI +ZwSetValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN ULONG TitleIndex, +IN ULONG Type, +IN PVOID Data, +IN ULONG DataSize +); + +NTSYSAPI +NTSTATUS +NTAPI + RtlCreateRegistryKey( + IN ULONG RelativeTo, + IN PWSTR Path + ); + + +NTSYSAPI +NTSTATUS +NTAPI + RtlWriteRegistryValue( + IN ULONG RelativeTo, + IN PCWSTR Path, + IN PCWSTR ValueName, + IN ULONG ValueType, + IN PVOID ValueData, + IN ULONG ValueLength + ); + +NTSYSAPI +NTSTATUS +NTAPI + ZwOpenKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSYSAPI +NTSTATUS +NTAPI + ZwSetEvent( + __in HANDLE EventHandle, + __out_opt PLONG PreviousState + ); + + +NTSYSAPI +NTSTATUS +NTAPI + ZwQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + +NTSYSAPI +NTSTATUS +NTAPI +ZwCreateKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +OUT PULONG Disposition OPTIONAL +); + +NTSTATUS WINAPI LdrFindEntryForAddress(const void*, PLDR_MODULE*); + +NTSYSAPI +PIMAGE_NT_HEADERS +NTAPI +RtlImageNtHeader(IN PVOID ModuleAddress); + +NTSYSAPI +NTSTATUS +NTAPI +NtProtectVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG NumberOfBytesToProtect, + IN ULONG NewAccessProtection, + OUT PULONG OldAccessProtection ); + +#pragma pack(pop) + +#ifdef __cplusplus +} +#endif + +#endif /* __NTAPI_H */ |