Diffstat (limited to '')
-rw-r--r-- | include/iprt/nt/nt.h | 2937 |
1 files changed, 2937 insertions, 0 deletions
diff --git a/include/iprt/nt/nt.h b/include/iprt/nt/nt.h
new file mode 100644
index 00000000..a06b6f72
--- /dev/null
+++ b/include/iprt/nt/nt.h
@@ -0,0 +1,2937 @@
+/* $Id: nt.h $ */
+/** @file
+ * IPRT - Header for code using the Native NT API.
+ */
+
+/*
+ * Copyright (C) 2010-2019 Oracle Corporation
+ *
+ * This file is part of VirtualBox Open Source Edition (OSE), as
+ * available from http://www.virtualbox.org. This file is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU
+ * General Public License (GPL) as published by the Free Software
+ * Foundation, in version 2 as it comes in the "COPYING" file of the
+ * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
+ * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
+ *
+ * The contents of this file may alternatively be used under the terms
+ * of the Common Development and Distribution License Version 1.0
+ * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
+ * VirtualBox OSE distribution, in which case the provisions of the
+ * CDDL are applicable instead of those of the GPL.
+ *
+ * You may elect to license modified versions of this file under the
+ * terms and conditions of either the GPL or the CDDL or both.
+ */
+
+#ifndef IPRT_INCLUDED_nt_nt_h
+#define IPRT_INCLUDED_nt_nt_h
+#ifndef RT_WITHOUT_PRAGMA_ONCE
+# pragma once
+#endif
+
+/** @def IPRT_NT_MAP_TO_ZW
+ * Map Nt calls to Zw calls. In ring-0 the Zw calls let you pass kernel memory
+ * to the APIs (takes care of the previous context checks).
+ */
+#ifdef DOXYGEN_RUNNING
+# define IPRT_NT_MAP_TO_ZW
+#endif
+
+#ifdef IPRT_NT_MAP_TO_ZW
+# define NtQueryInformationFile ZwQueryInformationFile
+# define NtQueryInformationProcess ZwQueryInformationProcess
+# define NtQueryInformationThread ZwQueryInformationThread
+# define NtQueryFullAttributesFile ZwQueryFullAttributesFile
+# define NtQuerySystemInformation ZwQuerySystemInformation
+# define NtQuerySecurityObject ZwQuerySecurityObject
+# define NtSetInformationFile ZwSetInformationFile
+# define NtClose ZwClose
+# define NtCreateFile ZwCreateFile
+# define NtReadFile ZwReadFile
+# define NtWriteFile ZwWriteFile
+# define NtFlushBuffersFile ZwFlushBuffersFile
+/** @todo this is very incomplete! */
+#endif
+
+#include <ntstatus.h>
+
+/*
+ * Hacks common to both base header sets.
+ */
+#define RtlFreeUnicodeString WrongLinkage_RtlFreeUnicodeString
+#define NtQueryObject Incomplete_NtQueryObject
+#define ZwQueryObject Incomplete_ZwQueryObject
+#define NtSetInformationObject Incomplete_NtSetInformationObject
+#define _OBJECT_INFORMATION_CLASS Incomplete_OBJECT_INFORMATION_CLASS
+#define OBJECT_INFORMATION_CLASS Incomplete_OBJECT_INFORMATION_CLASS
+#define ObjectBasicInformation Incomplete_ObjectBasicInformation
+#define ObjectTypeInformation Incomplete_ObjectTypeInformation
+#define _PEB Incomplete__PEB
+#define PEB Incomplete_PEB
+#define PPEB Incomplete_PPEB
+#define _TEB Incomplete__TEB
+#define TEB Incomplete_TEB
+#define PTEB Incomplete_PTEB
+#define _PEB_LDR_DATA Incomplete__PEB_LDR_DATA
+#define PEB_LDR_DATA Incomplete_PEB_LDR_DATA
+#define PPEB_LDR_DATA Incomplete_PPEB_LDR_DATA
+#define _KUSER_SHARED_DATA Incomplete__KUSER_SHARED_DATA
+#define KUSER_SHARED_DATA Incomplete_KUSER_SHARED_DATA
+#define PKUSER_SHARED_DATA Incomplete_PKUSER_SHARED_DATA
+
+
+
+#ifdef IPRT_NT_USE_WINTERNL
+/*
+ * Use Winternl.h.
+ */
+# define _FILE_INFORMATION_CLASS IncompleteWinternl_FILE_INFORMATION_CLASS
+# define FILE_INFORMATION_CLASS IncompleteWinternl_FILE_INFORMATION_CLASS
+# define FileDirectoryInformation IncompleteWinternl_FileDirectoryInformation
+
+# define NtQueryInformationProcess IncompleteWinternl_NtQueryInformationProcess
+# define NtSetInformationProcess IncompleteWinternl_NtSetInformationProcess
+# define PROCESSINFOCLASS IncompleteWinternl_PROCESSINFOCLASS
+# define _PROCESSINFOCLASS IncompleteWinternl_PROCESSINFOCLASS
+# define PROCESS_BASIC_INFORMATION IncompleteWinternl_PROCESS_BASIC_INFORMATION
+# define PPROCESS_BASIC_INFORMATION IncompleteWinternl_PPROCESS_BASIC_INFORMATION
+# define _PROCESS_BASIC_INFORMATION IncompleteWinternl_PROCESS_BASIC_INFORMATION
+# define ProcessBasicInformation IncompleteWinternl_ProcessBasicInformation
+# define ProcessDebugPort IncompleteWinternl_ProcessDebugPort
+# define ProcessWow64Information IncompleteWinternl_ProcessWow64Information
+# define ProcessImageFileName IncompleteWinternl_ProcessImageFileName
+# define ProcessBreakOnTermination IncompleteWinternl_ProcessBreakOnTermination
+
+# define RTL_USER_PROCESS_PARAMETERS IncompleteWinternl_RTL_USER_PROCESS_PARAMETERS
+# define PRTL_USER_PROCESS_PARAMETERS IncompleteWinternl_PRTL_USER_PROCESS_PARAMETERS
+# define _RTL_USER_PROCESS_PARAMETERS IncompleteWinternl__RTL_USER_PROCESS_PARAMETERS
+
+# define NtQueryInformationThread IncompleteWinternl_NtQueryInformationThread
+# define NtSetInformationThread IncompleteWinternl_NtSetInformationThread
+# define THREADINFOCLASS IncompleteWinternl_THREADINFOCLASS
+# define _THREADINFOCLASS IncompleteWinternl_THREADINFOCLASS
+# define ThreadIsIoPending IncompleteWinternl_ThreadIsIoPending
+
+# define NtQuerySystemInformation IncompleteWinternl_NtQuerySystemInformation
+# define NtSetSystemInformation IncompleteWinternl_NtSetSystemInformation
+# define SYSTEM_INFORMATION_CLASS IncompleteWinternl_SYSTEM_INFORMATION_CLASS
+# define _SYSTEM_INFORMATION_CLASS IncompleteWinternl_SYSTEM_INFORMATION_CLASS
+# define SystemBasicInformation IncompleteWinternl_SystemBasicInformation
+# define SystemPerformanceInformation IncompleteWinternl_SystemPerformanceInformation
+# define SystemTimeOfDayInformation IncompleteWinternl_SystemTimeOfDayInformation
+# define SystemProcessInformation IncompleteWinternl_SystemProcessInformation
+# define SystemProcessorPerformanceInformation IncompleteWinternl_SystemProcessorPerformanceInformation
+# define SystemInterruptInformation IncompleteWinternl_SystemInterruptInformation
+# define SystemExceptionInformation IncompleteWinternl_SystemExceptionInformation
+# define SystemRegistryQuotaInformation IncompleteWinternl_SystemRegistryQuotaInformation
+# define SystemLookasideInformation IncompleteWinternl_SystemLookasideInformation
+# define SystemPolicyInformation IncompleteWinternl_SystemPolicyInformation
+
+
+# pragma warning(push)
+# pragma warning(disable: 4668)
+# define WIN32_NO_STATUS
+# include <windef.h>
+# include <winnt.h>
+# include <winternl.h>
+# undef WIN32_NO_STATUS
+# include <ntstatus.h>
+# pragma warning(pop)
+
+# ifndef OBJ_DONT_REPARSE
+# define RTNT_NEED_CLIENT_ID
+# endif
+
+# undef _FILE_INFORMATION_CLASS
+# undef FILE_INFORMATION_CLASS
+# undef FileDirectoryInformation
+
+# undef NtQueryInformationProcess
+# undef NtSetInformationProcess
+# undef PROCESSINFOCLASS
+# undef _PROCESSINFOCLASS
+# undef PROCESS_BASIC_INFORMATION
+# undef PPROCESS_BASIC_INFORMATION
+# undef _PROCESS_BASIC_INFORMATION
+# undef ProcessBasicInformation
+# undef ProcessDebugPort
+# undef ProcessWow64Information
+# undef ProcessImageFileName
+# undef ProcessBreakOnTermination
+
+# undef RTL_USER_PROCESS_PARAMETERS
+# undef PRTL_USER_PROCESS_PARAMETERS
+# undef _RTL_USER_PROCESS_PARAMETERS
+
+# undef NtQueryInformationThread
+# undef NtSetInformationThread
+# undef THREADINFOCLASS
+# undef _THREADINFOCLASS
+# undef ThreadIsIoPending
+
+# undef NtQuerySystemInformation
+# undef NtSetSystemInformation
+# undef SYSTEM_INFORMATION_CLASS
+# undef _SYSTEM_INFORMATION_CLASS
+# undef SystemBasicInformation
+# undef SystemPerformanceInformation
+# undef SystemTimeOfDayInformation
+# undef SystemProcessInformation
+# undef SystemProcessorPerformanceInformation
+# undef SystemInterruptInformation
+# undef SystemExceptionInformation
+# undef SystemRegistryQuotaInformation
+# undef SystemLookasideInformation
+# undef SystemPolicyInformation
+
+#else
+/*
+ * Use ntifs.h and wdm.h.
+ */
+# if _MSC_VER >= 1200 /* Fix/workaround for KeInitializeSpinLock visibility issue on AMD64. */
+# define FORCEINLINE static __forceinline
+# else
+# define FORCEINLINE static __inline
+# endif
+
+# pragma warning(push)
+# ifdef RT_ARCH_X86
+# define _InterlockedAddLargeStatistic _InterlockedAddLargeStatistic_StupidDDKVsCompilerCrap
+# pragma warning(disable: 4163)
+# endif
+# pragma warning(disable: 4668)
+# pragma warning(disable: 4255) /* warning C4255: 'ObGetFilterVersion' : no function prototype given: converting '()' to '(void)' */
+# if _MSC_VER >= 1800 /*RT_MSC_VER_VC120*/
+# pragma warning(disable:4005) /* sdk/v7.1/include/sal_supp.h(57) : warning C4005: '__useHeader' : macro redefinition */
+# pragma warning(disable:4471) /* wdm.h(11057) : warning C4471: '_POOL_TYPE' : a forward declaration of an unscoped enumeration must have an underlying type (int assumed) */
+# endif
+
+# include <ntifs.h>
+# include <wdm.h>
+
+# ifdef RT_ARCH_X86
+# undef _InterlockedAddLargeStatistic
+# endif
+# pragma warning(pop)
+
+# define IPRT_NT_NEED_API_GROUP_NTIFS
+#endif
+
+#undef RtlFreeUnicodeString
+#undef NtQueryObject
+#undef ZwQueryObject
+#undef NtSetInformationObject
+#undef _OBJECT_INFORMATION_CLASS
+#undef OBJECT_INFORMATION_CLASS
+#undef ObjectBasicInformation
+#undef ObjectTypeInformation
+#undef _PEB
+#undef PEB
+#undef PPEB
+#undef _TEB
+#undef TEB
+#undef PTEB
+#undef _PEB_LDR_DATA
+#undef PEB_LDR_DATA
+#undef PPEB_LDR_DATA
+#undef _KUSER_SHARED_DATA
+#undef KUSER_SHARED_DATA
+#undef PKUSER_SHARED_DATA
+
+
+#include <iprt/types.h>
+#include <iprt/assert.h>
+
+
+/** @name Useful macros
+ * @{ */
+/** Indicates that we're targeting native NT in the current source. */
+#define RTNT_USE_NATIVE_NT 1
+/** Initializes a IO_STATUS_BLOCK. */
+#define RTNT_IO_STATUS_BLOCK_INITIALIZER { STATUS_FAILED_DRIVER_ENTRY, ~(uintptr_t)42 }
+/** Reinitializes a IO_STATUS_BLOCK. */
+#define RTNT_IO_STATUS_BLOCK_REINIT(a_pIos) \
+ do { (a_pIos)->Status = STATUS_FAILED_DRIVER_ENTRY; (a_pIos)->Information = ~(uintptr_t)42; } while (0)
+/** Similar to INVALID_HANDLE_VALUE in the Windows environment. */
+#define RTNT_INVALID_HANDLE_VALUE ( (HANDLE)~(uintptr_t)0 )
+/** Constant UNICODE_STRING initializer. */
+#define RTNT_CONSTANT_UNISTR(a_String) { sizeof(a_String) - sizeof(WCHAR), sizeof(a_String), (WCHAR *)a_String }
+/** @} */
+
+
+/** @name IPRT helper functions for NT
+ * @{ */
+RT_C_DECLS_BEGIN
+
+RTDECL(int) RTNtPathOpen(const char *pszPath, ACCESS_MASK fDesiredAccess, ULONG fFileAttribs, ULONG fShareAccess,
+ ULONG fCreateDisposition, ULONG fCreateOptions, ULONG fObjAttribs,
+ PHANDLE phHandle, PULONG_PTR puDisposition);
+RTDECL(int) RTNtPathOpenDir(const char *pszPath, ACCESS_MASK fDesiredAccess, ULONG fShareAccess, ULONG fCreateOptions,
+ ULONG fObjAttribs, PHANDLE phHandle, bool *pfObjDir);
+RTDECL(int) RTNtPathOpenDirEx(HANDLE hRootDir, struct _UNICODE_STRING *pNtName, ACCESS_MASK fDesiredAccess,
+ ULONG fShareAccess, ULONG fCreateOptions, ULONG fObjAttribs, PHANDLE phHandle, bool *pfObjDir);
+RTDECL(int) RTNtPathClose(HANDLE hHandle);
+
+/**
+ * Converts a windows-style path to NT format and encoding.
+ *
+ * @returns IPRT status code.
+ * @param pNtName Where to return the NT name. Free using
+ * RTNtPathFree.
+ * @param phRootDir Where to return the root handle, if applicable.
+ * @param pszPath The UTF-8 path.
+ */
+RTDECL(int) RTNtPathFromWinUtf8(struct _UNICODE_STRING *pNtName, PHANDLE phRootDir, const char *pszPath);
+
+/**
+ * Converts a UTF-16 windows-style path to NT format.
+ *
+ * @returns IPRT status code.
+ * @param pNtName Where to return the NT name. Free using
+ * RTNtPathFree.
+ * @param phRootDir Where to return the root handle, if applicable.
+ * @param pwszPath The UTF-16 windows-style path.
+ * @param cwcPath The max length of the windows-style path in
+ * RTUTF16 units. Use RTSTR_MAX if unknown and @a
+ * pwszPath is correctly terminated.
+ */
+RTDECL(int) RTNtPathFromWinUtf16Ex(struct _UNICODE_STRING *pNtName, HANDLE *phRootDir, PCRTUTF16 pwszPath, size_t cwcPath);
+
+/**
+ * How to handle ascent ('..' relative to a root handle).
+ */
+typedef enum RTNTPATHRELATIVEASCENT
+{
+ kRTNtPathRelativeAscent_Invalid = 0,
+ kRTNtPathRelativeAscent_Allow,
+ kRTNtPathRelativeAscent_Fail,
+ kRTNtPathRelativeAscent_Ignore,
+ kRTNtPathRelativeAscent_End,
+ kRTNtPathRelativeAscent_32BitHack = 0x7fffffff
+} RTNTPATHRELATIVEASCENT;
+
+/**
+ * Converts a relative windows-style path to relative NT format and encoding.
+ *
+ * @returns IPRT status code.
+ * @param pNtName Where to return the NT name. Free using
+ * rtTNtPathToNative with phRootDir set to NULL.
+ * @param phRootDir On input, the handle to the directory the path
+ * is relative to. On output, the handle to
+ * specify as root directory in the object
+ * attributes when accessing the path. If
+ * enmAscent is kRTNtPathRelativeAscent_Allow, it
+ * may have been set to NULL.
+ * @param pszPath The relative UTF-8 path.
+ * @param enmAscent How to handle ascent.
+ * @param fMustReturnAbsolute Must convert to an absolute path. This
+ * is necessary if the root dir is a NT directory
+ * object (e.g. /Devices) since they cannot parse
+ * relative paths it seems.
+ */
+RTDECL(int) RTNtPathRelativeFromUtf8(struct _UNICODE_STRING *pNtName, PHANDLE phRootDir, const char *pszPath,
+ RTNTPATHRELATIVEASCENT enmAscent, bool fMustReturnAbsolute);
+
+/**
+ * Ensures that the NT string has sufficient storage to hold @a cwcMin RTUTF16
+ * chars plus a terminator.
+ *
+ * The NT string must have been returned by RTNtPathFromWinUtf8 or
+ * RTNtPathFromWinUtf16Ex.
+ *
+ * @returns IPRT status code.
+ * @param pNtName The NT path string.
+ * @param cwcMin The minimum number of RTUTF16 chars. Max 32767.
+ * @sa RTNtPathFree
+ */
+RTDECL(int) RTNtPathEnsureSpace(struct _UNICODE_STRING *pNtName, size_t cwcMin);
+
+/**
+ * Frees the native path and root handle.
+ *
+ * @param pNtName The NT path after a successful rtNtPathToNative
+ * call or RTNtPathRelativeFromUtf8.
+ * @param phRootDir The root handle variable from rtNtPathToNative,
+ */
+RTDECL(void) RTNtPathFree(struct _UNICODE_STRING *pNtName, HANDLE *phRootDir);
+
+
+/**
+ * Checks whether the path could be containing alternative 8.3 names generated
+ * by NTFS, FAT, or other similar file systems.
+ *
+ * @returns Pointer to the first component that might be an 8.3 name, NULL if
+ * not 8.3 path.
+ * @param pwszPath The path to check.
+ *
+ * @remarks This is making bad ASSUMPTION wrt to the naming scheme of 8.3 names,
+ * however, non-tilde 8.3 aliases are probably rare enough to not be
+ * worth all the extra code necessary to open each path component and
+ * check if we've got the short name or not.
+ */
+RTDECL(PRTUTF16) RTNtPathFindPossible8dot3Name(PCRTUTF16 pwszPath);
+
+/**
+ * Fixes up a path possibly containing one or more alternative 8-dot-3 style
+ * components.
+ *
+ * The path is fixed up in place. Errors are ignored.
+ *
+ * @returns VINF_SUCCESS if it all went smoothly, informational status codes
+ * indicating the nature of last problem we ran into.
+ *
+ * @param pUniStr The path to fix up. MaximumLength is the max buffer
+ * length.
+ * @param fPathOnly Whether to only process the path and leave the filename
+ * as passed in.
+ */
+RTDECL(int) RTNtPathExpand8dot3Path(struct _UNICODE_STRING *pUniStr, bool fPathOnly);
+
+
+RT_C_DECLS_END
+/** @} */
+
+
+/** @name NT API delcarations.
+ * @{ */
+RT_C_DECLS_BEGIN
+
+/** @name Process access rights missing in ntddk headers
+ * @{ */
+#ifndef PROCESS_TERMINATE
+# define PROCESS_TERMINATE UINT32_C(0x00000001)
+#endif
+#ifndef PROCESS_CREATE_THREAD
+# define PROCESS_CREATE_THREAD UINT32_C(0x00000002)
+#endif
+#ifndef PROCESS_SET_SESSIONID
+# define PROCESS_SET_SESSIONID UINT32_C(0x00000004)
+#endif
+#ifndef PROCESS_VM_OPERATION
+# define PROCESS_VM_OPERATION UINT32_C(0x00000008)
+#endif
+#ifndef PROCESS_VM_READ
+# define PROCESS_VM_READ UINT32_C(0x00000010)
+#endif
+#ifndef PROCESS_VM_WRITE
+# define PROCESS_VM_WRITE UINT32_C(0x00000020)
+#endif
+#ifndef PROCESS_DUP_HANDLE
+# define PROCESS_DUP_HANDLE UINT32_C(0x00000040)
+#endif
+#ifndef PROCESS_CREATE_PROCESS
+# define PROCESS_CREATE_PROCESS UINT32_C(0x00000080)
+#endif
+#ifndef PROCESS_SET_QUOTA
+# define PROCESS_SET_QUOTA UINT32_C(0x00000100)
+#endif
+#ifndef PROCESS_SET_INFORMATION
+# define PROCESS_SET_INFORMATION UINT32_C(0x00000200)
+#endif
+#ifndef PROCESS_QUERY_INFORMATION
+# define PROCESS_QUERY_INFORMATION UINT32_C(0x00000400)
+#endif
+#ifndef PROCESS_SUSPEND_RESUME
+# define PROCESS_SUSPEND_RESUME UINT32_C(0x00000800)
+#endif
+#ifndef PROCESS_QUERY_LIMITED_INFORMATION
+# define PROCESS_QUERY_LIMITED_INFORMATION UINT32_C(0x00001000)
+#endif
+#ifndef PROCESS_SET_LIMITED_INFORMATION
+# define PROCESS_SET_LIMITED_INFORMATION UINT32_C(0x00002000)
+#endif
+#define PROCESS_UNKNOWN_4000 UINT32_C(0x00004000)
+#define PROCESS_UNKNOWN_6000 UINT32_C(0x00008000)
+#ifndef PROCESS_ALL_ACCESS
+# define PROCESS_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | UINT32_C(0x0000ffff) )
+#endif
+/** @} */
+
+/** @name Thread access rights missing in ntddk headers
+ * @{ */
+#ifndef THREAD_QUERY_INFORMATION
+# define THREAD_QUERY_INFORMATION UINT32_C(0x00000040)
+#endif
+#ifndef THREAD_SET_THREAD_TOKEN
+# define THREAD_SET_THREAD_TOKEN UINT32_C(0x00000080)
+#endif
+#ifndef THREAD_IMPERSONATE
+# define THREAD_IMPERSONATE UINT32_C(0x00000100)
+#endif
+#ifndef THREAD_DIRECT_IMPERSONATION
+# define THREAD_DIRECT_IMPERSONATION UINT32_C(0x00000200)
+#endif
+#ifndef THREAD_RESUME
+# define THREAD_RESUME UINT32_C(0x00001000)
+#endif
+#define THREAD_UNKNOWN_2000 UINT32_C(0x00002000)
+#define THREAD_UNKNOWN_4000 UINT32_C(0x00004000)
+#define THREAD_UNKNOWN_8000 UINT32_C(0x00008000)
+/** @} */
+
+/** @name Special handle values.
+ * @{ */
+#ifndef NtCurrentProcess
+# define NtCurrentProcess() ( (HANDLE)-(intptr_t)1 )
+#endif
+#ifndef NtCurrentThread
+# define NtCurrentThread() ( (HANDLE)-(intptr_t)2 )
+#endif
+#ifndef ZwCurrentProcess
+# define ZwCurrentProcess() NtCurrentProcess()
+#endif
+#ifndef ZwCurrentThread
+# define ZwCurrentThread() NtCurrentThread()
+#endif
+/** @} */
+
+
+/** @name Directory object access rights.
+ * @{ */
+#ifndef DIRECTORY_QUERY
+# define DIRECTORY_QUERY UINT32_C(0x00000001)
+#endif
+#ifndef DIRECTORY_TRAVERSE
+# define DIRECTORY_TRAVERSE UINT32_C(0x00000002)
+#endif
+#ifndef DIRECTORY_CREATE_OBJECT
+# define DIRECTORY_CREATE_OBJECT UINT32_C(0x00000004)
+#endif
+#ifndef DIRECTORY_CREATE_SUBDIRECTORY
+# define DIRECTORY_CREATE_SUBDIRECTORY UINT32_C(0x00000008)
+#endif
+#ifndef DIRECTORY_ALL_ACCESS
+# define DIRECTORY_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED | UINT32_C(0x0000000f) )
+#endif
+/** @} */
+
+
+
+#ifdef RTNT_NEED_CLIENT_ID
+typedef struct _CLIENT_ID
+{
+ HANDLE UniqueProcess;
+ HANDLE UniqueThread;
+} CLIENT_ID;
+#endif
+#ifdef IPRT_NT_USE_WINTERNL
+typedef CLIENT_ID *PCLIENT_ID;
+#endif
+
+/** Extended affinity type, introduced in Windows 7 (?). */
+typedef struct _KAFFINITY_EX
+{
+ /** Count of valid bitmap entries. */
+ uint16_t Count;
+ /** Count of allocated bitmap entries. */
+ uint16_t Size;
+ /** Reserved / aligmment padding. */
+ uint32_t Reserved;
+ /** Bitmap where one bit corresponds to a CPU. */
+ uintptr_t Bitmap[20];
+} KAFFINITY_EX;
+typedef KAFFINITY_EX *PKAFFINITY_EX;
+typedef KAFFINITY_EX const *PCKAFFINITY_EX;
+
+/** @name User Shared Data
+ * @{ */
+
+#ifdef IPRT_NT_USE_WINTERNL
+typedef struct _KSYSTEM_TIME
+{
+ ULONG LowPart;
+ LONG High1Time;
+ LONG High2Time;
+} KSYSTEM_TIME;
+typedef KSYSTEM_TIME *PKSYSTEM_TIME;
+
+typedef enum _NT_PRODUCT_TYPE
+{
+ NtProductWinNt = 1,
+ NtProductLanManNt,
+ NtProductServer
+} NT_PRODUCT_TYPE;
+
+#define PROCESSOR_FEATURE_MAX 64
+
+typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
+{
+ StandardDesign = 0,
+ NEC98x86,
+ EndAlternatives
+} ALTERNATIVE_ARCHITECTURE_TYPE;
+
+# if 0
+typedef struct _XSTATE_FEATURE
+{
+ ULONG Offset;
+ ULONG Size;
+} XSTATE_FEATURE;
+typedef XSTATE_FEATURE *PXSTATE_FEATURE;
+
+#define MAXIMUM_XSTATE_FEATURES 64
+
+typedef struct _XSTATE_CONFIGURATION
+{
+ ULONG64 EnabledFeatures;
+ ULONG Size;
+ ULONG OptimizedSave : 1;
+ XSTATE_FEATURE Features[MAXIMUM_XSTATE_FEATURES];
+} XSTATE_CONFIGURATION;
+typedef XSTATE_CONFIGURATION *PXSTATE_CONFIGURATION;
+# endif
+#endif /* IPRT_NT_USE_WINTERNL */
+
+typedef struct _KUSER_SHARED_DATA
+{
+ ULONG TickCountLowDeprecated; /**< 0x000 */
+ ULONG TickCountMultiplier; /**< 0x004 */
+ KSYSTEM_TIME volatile InterruptTime; /**< 0x008 */
+ KSYSTEM_TIME volatile SystemTime; /**< 0x014 */
+ KSYSTEM_TIME volatile TimeZoneBias; /**< 0x020 */
+ USHORT ImageNumberLow; /**< 0x02c */
+ USHORT ImageNumberHigh; /**< 0x02e */
+ WCHAR NtSystemRoot[260]; /**< 0x030 - Seems to be last member in NT 3.51. */
+ ULONG MaxStackTraceDepth; /**< 0x238 */
+ ULONG CryptoExponent; /**< 0x23c */
+ ULONG TimeZoneId; /**< 0x240 */
+ ULONG LargePageMinimum; /**< 0x244 */
+ ULONG AitSamplingValue; /**< 0x248 */
+ ULONG AppCompatFlag; /**< 0x24c */
+ ULONGLONG RNGSeedVersion; /**< 0x250 */
+ ULONG GlobalValidationRunlevel; /**< 0x258 */
+ LONG volatile TimeZoneBiasStamp; /**< 0x25c*/
+ ULONG Reserved2; /**< 0x260 */
+ NT_PRODUCT_TYPE NtProductType; /**< 0x264 */
+ BOOLEAN ProductTypeIsValid; /**< 0x268 */
+ BOOLEAN Reserved0[1]; /**< 0x269 */
+ USHORT NativeProcessorArchitecture; /**< 0x26a */
+ ULONG NtMajorVersion; /**< 0x26c */
+ ULONG NtMinorVersion; /**< 0x270 */
+ BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; /**< 0x274 */
+ ULONG Reserved1; /**< 0x2b4 */
+ ULONG Reserved3; /**< 0x2b8 */
+ ULONG volatile TimeSlip; /**< 0x2bc */
+ ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; /**< 0x2c0 */
+ ULONG AltArchitecturePad[1]; /**< 0x2c4 */
+ LARGE_INTEGER SystemExpirationDate; /**< 0x2c8 */
+ ULONG SuiteMask; /**< 0x2d0 */
+ BOOLEAN KdDebuggerEnabled; /**< 0x2d4 */
+ union /**< 0x2d5 */
+ {
+ UCHAR MitigationPolicies; /**< 0x2d5 */
+ struct
+ {
+ UCHAR NXSupportPolicy : 2;
+ UCHAR SEHValidationPolicy : 2;
+ UCHAR CurDirDevicesSkippedForDlls : 2;
+ UCHAR Reserved : 2;
+ };
+ };
+ UCHAR Reserved6[2]; /**< 0x2d6 */
+ ULONG volatile ActiveConsoleId; /**< 0x2d8 */
+ ULONG volatile DismountCount; /**< 0x2dc */
+ ULONG ComPlusPackage; /**< 0x2e0 */
+ ULONG LastSystemRITEventTickCount; /**< 0x2e4 */
+ ULONG NumberOfPhysicalPages; /**< 0x2e8 */
+ BOOLEAN SafeBootMode; /**< 0x2ec */
+ UCHAR Reserved12[3]; /**< 0x2ed */
+ union /**< 0x2f0 */
+ {
+ ULONG SharedDataFlags; /**< 0x2f0 */
+ struct
+ {
+ ULONG DbgErrorPortPresent : 1;
+ ULONG DbgElevationEnabled : 1;
+ ULONG DbgVirtEnabled : 1;
+ ULONG DbgInstallerDetectEnabled : 1;
+ ULONG DbgLkgEnabled : 1;
+ ULONG DbgDynProcessorEnabled : 1;
+ ULONG DbgConsoleBrokerEnabled : 1;
+ ULONG DbgSecureBootEnabled : 1;
+ ULONG SpareBits : 24;
+ };
+ };
+ ULONG DataFlagsPad[1]; /**< 0x2f4 */
+ ULONGLONG TestRetInstruction; /**< 0x2f8 */
+ LONGLONG QpcFrequency; /**< 0x300 */
+ ULONGLONG SystemCallPad[3]; /**< 0x308 */
+ union /**< 0x320 */
+ {
+ ULONG64 volatile TickCountQuad; /**< 0x320 */
+ KSYSTEM_TIME volatile TickCount; /**< 0x320 */
+ struct /**< 0x320 */
+ {
+ ULONG ReservedTickCountOverlay[3]; /**< 0x320 */
+ ULONG TickCountPad[1]; /**< 0x32c */
+ };
+ };
+ ULONG Cookie; /**< 0x330 */
+ ULONG CookiePad[1]; /**< 0x334 */
+ LONGLONG ConsoleSessionForegroundProcessId; /**< 0x338 */
+ ULONGLONG TimeUpdateLock; /**< 0x340 */
+ ULONGLONG BaselineSystemTimeQpc; /**< 0x348 */
+ ULONGLONG BaselineInterruptTimeQpc; /**< 0x350 */
+ ULONGLONG QpcSystemTimeIncrement; /**< 0x358 */
+ ULONGLONG QpcInterruptTimeIncrement; /**< 0x360 */
+ ULONG QpcSystemTimeIncrement32; /**< 0x368 */
+ ULONG QpcInterruptTimeIncrement32; /**< 0x36c */
+ UCHAR QpcSystemTimeIncrementShift; /**< 0x370 */
+ UCHAR QpcInterruptTimeIncrementShift; /**< 0x371 */
+ UCHAR Reserved8[14]; /**< 0x372 */
+ USHORT UserModeGlobalLogger[16]; /**< 0x380 */
+ ULONG ImageFileExecutionOptions; /**< 0x3a0 */
+ ULONG LangGenerationCount; /**< 0x3a4 */
+ ULONGLONG Reserved4; /**< 0x3a8 */
+ ULONGLONG volatile InterruptTimeBias; /**< 0x3b0 - What QueryUnbiasedInterruptTimePrecise
+ * subtracts from interrupt time. */
+ ULONGLONG volatile QpcBias; /**< 0x3b8 */
+ ULONG volatile ActiveProcessorCount; /**< 0x3c0 */
+ UCHAR volatile ActiveGroupCount; /**< 0x3c4 */
+ UCHAR Reserved9; /**< 0x3c5 */
+ union /**< 0x3c6 */
+ {
+ USHORT QpcData; /**< 0x3c6 */
+ struct /**< 0x3c6 */
+ {
+ BOOLEAN volatile QpcBypassEnabled; /**< 0x3c6 */
+ UCHAR QpcShift; /**< 0x3c7 */
+ };
+ };
+ LARGE_INTEGER TimeZoneBiasEffectiveStart; /**< 0x3c8 */
+ LARGE_INTEGER TimeZoneBiasEffectiveEnd; /**< 0x3d0 */
+ XSTATE_CONFIGURATION XState; /**< 0x3d8 */
+} KUSER_SHARED_DATA;
+typedef KUSER_SHARED_DATA *PKUSER_SHARED_DATA;
+AssertCompileMemberOffset(KUSER_SHARED_DATA, InterruptTime, 0x008);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, SystemTime, 0x014);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, NtSystemRoot, 0x030);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, LargePageMinimum, 0x244);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, Reserved1, 0x2b4);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, TestRetInstruction, 0x2f8);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, Cookie, 0x330);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, ImageFileExecutionOptions, 0x3a0);
+AssertCompileMemberOffset(KUSER_SHARED_DATA, XState, 0x3d8);
+/** @def MM_SHARED_USER_DATA_VA
+ * Read only userland mapping of KUSER_SHARED_DATA. */
+#ifndef MM_SHARED_USER_DATA_VA
+# if ARCH_BITS == 32
+# define MM_SHARED_USER_DATA_VA UINT32_C(0x7ffe0000)
+# elif ARCH_BITS == 64
+# define MM_SHARED_USER_DATA_VA UINT64_C(0x7ffe0000)
+# else
+# error "Unsupported/undefined ARCH_BITS value."
+# endif
+#endif
+/** @def KI_USER_SHARED_DATA
+ * Read write kernel mapping of KUSER_SHARED_DATA. */
+#ifndef KI_USER_SHARED_DATA
+# ifdef RT_ARCH_X86
+# define KI_USER_SHARED_DATA UINT32_C(0xffdf0000)
+# elif defined(RT_ARCH_AMD64)
+# define KI_USER_SHARED_DATA UINT64_C(0xfffff78000000000)
+# else
+# error "PORT ME - KI_USER_SHARED_DATA"
+# endif
+#endif
+/** @} */
+
+
+/** @name Process And Thread Environment Blocks
+ * @{ */
+
+typedef struct _PEB_LDR_DATA
+{
+ uint32_t Length;
+ BOOLEAN Initialized;
+ BOOLEAN Padding[3];
+ HANDLE SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+ /* End NT4 */
+ LIST_ENTRY *EntryInProgress;
+ BOOLEAN ShutdownInProgress;
+ HANDLE ShutdownThreadId;
+} PEB_LDR_DATA;
+typedef PEB_LDR_DATA *PPEB_LDR_DATA;
+
+typedef struct _PEB_COMMON
+{
+ BOOLEAN InheritedAddressSpace; /**< 0x000 / 0x000 */
+ BOOLEAN ReadImageFileExecOptions; /**< 0x001 / 0x001 */
+ BOOLEAN BeingDebugged; /**< 0x002 / 0x002 */
+ union
+ {
+ uint8_t BitField; /**< 0x003 / 0x003 */
+ struct
+ {
+ uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */
+ } Common;
+ struct
+ {
+ uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */
+ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */
+ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W80 */
+ uint8_t SkipPatchingUser32Forwarders : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W80 */
+ uint8_t IsPackagedProcess : 1; /**< 0x003 / 0x003 : Pos 4, 1 Bit - Differs from W80 */
+ uint8_t IsAppContainer : 1; /**< 0x003 / 0x003 : Pos 5, 1 Bit - Differs from W80 */
+ uint8_t IsProtectedProcessLight : 1; /**< 0x003 / 0x003 : Pos 6, 1 Bit - Differs from W80 */
+ uint8_t SpareBits : 1; /**< 0x003 / 0x003 : Pos 7, 1 Bit */
+ } W81;
+ struct
+ {
+ uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */
+ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */
+ uint8_t IsLegacyProcess : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W81 */
+ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W81 */
+ uint8_t SkipPatchingUser32Forwarders : 1; /**< 0x003 / 0x003 : Pos 4, 1 Bit - Differs from W81 */
+ uint8_t IsPackagedProcess : 1; /**< 0x003 / 0x003 : Pos 5, 1 Bit - Differs from W81 */
+ uint8_t IsAppContainer : 1; /**< 0x003 / 0x003 : Pos 6, 1 Bit - Differs from W81 */
+ uint8_t SpareBits : 1; /**< 0x003 / 0x003 : Pos 7, 1 Bit */
+ } W80;
+ struct
+ {
+ uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */
+ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */
+ uint8_t IsLegacyProcess : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W81, same as W80 & W6. */
+ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W81, same as W80 & W6. */
+ uint8_t SkipPatchingUser32Forwarders : 1; /**< 0x003 / 0x003 : Pos 4, 1 Bit - Added in W7; Differs from W81, same as W80. */
+ uint8_t SpareBits : 3; /**< 0x003 / 0x003 : Pos 5, 3 Bit - Differs from W81 & W80, more spare bits. */
+ } W7;
+ struct
+ {
+ uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */
+ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */
+ uint8_t IsLegacyProcess : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W81, same as W80 & W7. */
+ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W81, same as W80 & W7. */
+ uint8_t SpareBits : 4; /**< 0x003 / 0x003 : Pos 4, 4 Bit - Differs from W81, W80, & W7, more spare bits. */
+ } W6;
+ struct
+ {
+ uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */
+ uint8_t SpareBits : 7; /**< 0x003 / 0x003 : Pos 1, 7 Bit - Differs from W81, W80, & W7, more spare bits. */
+ } W52;
+ struct
+ {
+ BOOLEAN SpareBool;
+ } W51;
+ } Diff0;
+#if ARCH_BITS == 64
+ uint32_t Padding0; /**< 0x004 / NA */
+#endif
+ HANDLE Mutant; /**< 0x008 / 0x004 */
+ PVOID ImageBaseAddress; /**< 0x010 / 0x008 */
+ PPEB_LDR_DATA Ldr; /**< 0x018 / 0x00c */
+ struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; /**< 0x020 / 0x010 */
+ PVOID SubSystemData; /**< 0x028 / 0x014 */
+ HANDLE ProcessHeap; /**< 0x030 / 0x018 */
+ struct _RTL_CRITICAL_SECTION *FastPebLock; /**< 0x038 / 0x01c */
+ union
+ {
+ struct
+ {
+ PVOID AtlThunkSListPtr; /**< 0x040 / 0x020 */
+ PVOID IFEOKey; /**< 0x048 / 0x024 */
+ union
+ {
+ ULONG CrossProcessFlags; /**< 0x050 / 0x028 */
+ struct
+ {
+ uint32_t ProcessInJob : 1; /**< 0x050 / 0x028: Pos 0, 1 Bit */
+ uint32_t ProcessInitializing : 1; /**< 0x050 / 0x028: Pos 1, 1 Bit */
+ uint32_t ProcessUsingVEH : 1; /**< 0x050 / 0x028: Pos 2, 1 Bit */
+ uint32_t ProcessUsingVCH : 1; /**< 0x050 / 0x028: Pos 3, 1 Bit */
+ uint32_t ProcessUsingFTH : 1; /**< 0x050 / 0x028: Pos 4, 1 Bit */
+ uint32_t ReservedBits0 : 1; /**< 0x050 / 0x028: Pos 5, 27 Bits */
+ } W7, W8, W80, W81;
+ struct
+ {
+ uint32_t ProcessInJob : 1; /**< 0x050 / 0x028: Pos 0, 1 Bit */
+ uint32_t ProcessInitializing : 1; /**< 0x050 / 0x028: Pos 1, 1 Bit */
+ uint32_t ReservedBits0 : 30; /**< 0x050 / 0x028: Pos 2, 30 Bits */
+ } W6;
+ };
+#if ARCH_BITS == 64
+ uint32_t Padding1; /**< 0x054 / */
+#endif
+ } W6, W7, W8, W80, W81;
+ struct
+ {
+ PVOID AtlThunkSListPtr; /**< 0x040 / 0x020 */
+ PVOID SparePtr2; /**< 0x048 / 0x024 */
+ uint32_t EnvironmentUpdateCount; /**< 0x050 / 0x028 */
+#if ARCH_BITS == 64
+ uint32_t Padding1; /**< 0x054 / */
+#endif
+ } W52;
+ struct
+ {
+ PVOID FastPebLockRoutine; /**< NA / 0x020 */
+ PVOID FastPebUnlockRoutine; /**< NA / 0x024 */
+ uint32_t EnvironmentUpdateCount; /**< NA / 0x028 */
+ } W51;
+ } Diff1;
+ union
+ {
+ PVOID KernelCallbackTable; /**< 0x058 / 0x02c */
+ PVOID UserSharedInfoPtr; /**< 0x058 / 0x02c - Alternative use in W6.*/
+ };
+ uint32_t SystemReserved; /**< 0x060 / 0x030 */ + union + { + struct + { + uint32_t AtlThunkSListPtr32; /**< 0x064 / 0x034 */ + } W7, W8, W80, W81; + struct + { + uint32_t SpareUlong; /**< 0x064 / 0x034 */ + } W52, W6; + struct + { + uint32_t ExecuteOptions : 2; /**< NA / 0x034: Pos 0, 2 Bits */ + uint32_t SpareBits : 30; /**< NA / 0x034: Pos 2, 30 Bits */ + } W51; + } Diff2; + union + { + struct + { + PVOID ApiSetMap; /**< 0x068 / 0x038 */ + } W7, W8, W80, W81; + struct + { + struct _PEB_FREE_BLOCK *FreeList; /**< 0x068 / 0x038 */ + } W52, W6; + struct + { + struct _PEB_FREE_BLOCK *FreeList; /**< NA / 0x038 */ + } W51; + } Diff3; + uint32_t TlsExpansionCounter; /**< 0x070 / 0x03c */ +#if ARCH_BITS == 64 + uint32_t Padding2; /**< 0x074 / NA */ +#endif + struct _RTL_BITMAP *TlsBitmap; /**< 0x078 / 0x040 */ + uint32_t TlsBitmapBits[2]; /**< 0x080 / 0x044 */ + PVOID ReadOnlySharedMemoryBase; /**< 0x088 / 0x04c */ + union + { + struct + { + PVOID SparePvoid0; /**< 0x090 / 0x050 - HotpatchInformation before W81. */ + } W81; + struct + { + PVOID HotpatchInformation; /**< 0x090 / 0x050 - Retired in W81. 
*/
+ } W6, W7, W80;
+ struct
+ {
+ PVOID ReadOnlySharedMemoryHeap;
+ } W52;
+ } Diff4;
+ PVOID *ReadOnlyStaticServerData; /**< 0x098 / 0x054 */
+ PVOID AnsiCodePageData; /**< 0x0a0 / 0x058 */
+ PVOID OemCodePageData; /**< 0x0a8 / 0x05c */
+ PVOID UnicodeCaseTableData; /**< 0x0b0 / 0x060 */
+ uint32_t NumberOfProcessors; /**< 0x0b8 / 0x064 */
+ uint32_t NtGlobalFlag; /**< 0x0bc / 0x068 */
+#if ARCH_BITS == 32
+ uint32_t Padding2b;
+#endif
+ LARGE_INTEGER CriticalSectionTimeout; /**< 0x0c0 / 0x070 */
+ SIZE_T HeapSegmentReserve; /**< 0x0c8 / 0x078 */
+ SIZE_T HeapSegmentCommit; /**< 0x0d0 / 0x07c */
+ SIZE_T HeapDeCommitTotalFreeThreshold; /**< 0x0d8 / 0x080 */
+ SIZE_T HeapDeCommitFreeBlockThreshold; /**< 0x0e0 / 0x084 */
+ uint32_t NumberOfHeaps; /**< 0x0e8 / 0x088 */
+ uint32_t MaximumNumberOfHeaps; /**< 0x0ec / 0x08c */
+ PVOID *ProcessHeaps; /**< 0x0f0 / 0x090 - Last NT 3.51 member. */
+ PVOID GdiSharedHandleTable; /**< 0x0f8 / 0x094 */
+ PVOID ProcessStarterHelper; /**< 0x100 / 0x098 */
+ uint32_t GdiDCAttributeList; /**< 0x108 / 0x09c */
+#if ARCH_BITS == 64
+ uint32_t Padding3; /**< 0x10c / NA */
+#endif
+ struct _RTL_CRITICAL_SECTION *LoaderLock; /**< 0x110 / 0x0a0 */
+ uint32_t OSMajorVersion; /**< 0x118 / 0x0a4 */
+ uint32_t OSMinorVersion; /**< 0x11c / 0x0a8 */
+ uint16_t OSBuildNumber; /**< 0x120 / 0x0ac */
+ uint16_t OSCSDVersion; /**< 0x122 / 0x0ae */
+ uint32_t OSPlatformId; /**< 0x124 / 0x0b0 */
+ uint32_t ImageSubsystem; /**< 0x128 / 0x0b4 */
+ uint32_t ImageSubsystemMajorVersion; /**< 0x12c / 0x0b8 */
+ uint32_t ImageSubsystemMinorVersion; /**< 0x130 / 0x0bc */
+#if ARCH_BITS == 64
+ uint32_t Padding4; /**< 0x134 / NA */
+#endif
+ union
+ {
+ struct
+ {
+ SIZE_T ActiveProcessAffinityMask; /**< 0x138 / 0x0c0 */
+ } W7, W8, W80, W81;
+ struct
+ {
+ SIZE_T ImageProcessAffinityMask; /**< 0x138 / 0x0c0 */
+ } W52, W6;
+ } Diff5;
+ uint32_t GdiHandleBuffer[ARCH_BITS == 64 ?
60 : 34]; /**< 0x140 / 0x0c4 */
+ PVOID PostProcessInitRoutine; /**< 0x230 / 0x14c */
+ PVOID TlsExpansionBitmap; /**< 0x238 / 0x150 */
+ uint32_t TlsExpansionBitmapBits[32]; /**< 0x240 / 0x154 */
+ uint32_t SessionId; /**< 0x2c0 / 0x1d4 */
+#if ARCH_BITS == 64
+ uint32_t Padding5; /**< 0x2c4 / NA */
+#endif
+ ULARGE_INTEGER AppCompatFlags; /**< 0x2c8 / 0x1d8 */
+ ULARGE_INTEGER AppCompatFlagsUser; /**< 0x2d0 / 0x1e0 */
+ PVOID pShimData; /**< 0x2d8 / 0x1e8 */
+ PVOID AppCompatInfo; /**< 0x2e0 / 0x1ec */
+ UNICODE_STRING CSDVersion; /**< 0x2e8 / 0x1f0 */
+ struct _ACTIVATION_CONTEXT_DATA *ActivationContextData; /**< 0x2f8 / 0x1f8 */
+ struct _ASSEMBLY_STORAGE_MAP *ProcessAssemblyStorageMap; /**< 0x300 / 0x1fc */
+ struct _ACTIVATION_CONTEXT_DATA *SystemDefaultActivationContextData; /**< 0x308 / 0x200 */
+ struct _ASSEMBLY_STORAGE_MAP *SystemAssemblyStorageMap; /**< 0x310 / 0x204 */
+ SIZE_T MinimumStackCommit; /**< 0x318 / 0x208 */
+ /* End of PEB in W52 (Windows XP (RTM))! */
+ struct _FLS_CALLBACK_INFO *FlsCallback; /**< 0x320 / 0x20c */
+ LIST_ENTRY FlsListHead; /**< 0x328 / 0x210 */
+ PVOID FlsBitmap; /**< 0x338 / 0x218 */
+ uint32_t FlsBitmapBits[4]; /**< 0x340 / 0x21c */
+ uint32_t FlsHighIndex; /**< 0x350 / 0x22c */
+ /* End of PEB in W52 (Windows Server 2003)! */
+ PVOID WerRegistrationData; /**< 0x358 / 0x230 */
+ PVOID WerShipAssertPtr; /**< 0x360 / 0x234 */
+ /* End of PEB in W6 (windows Vista)! */
+ union
+ {
+ struct
+ {
+ PVOID pUnused; /**< 0x368 / 0x238 - Was pContextData in W7. */
+ } W8, W80, W81;
+ struct
+ {
+ PVOID pContextData; /**< 0x368 / 0x238 - Retired in W80.
*/
+ } W7;
+ } Diff6;
+ PVOID pImageHeaderHash; /**< 0x370 / 0x23c */
+ union
+ {
+ uint32_t TracingFlags; /**< 0x378 / 0x240 */
+ struct
+ {
+ uint32_t HeapTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 0, 1 Bit */
+ uint32_t CritSecTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 1, 1 Bit */
+ uint32_t LibLoaderTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 2, 1 Bit */
+ uint32_t SpareTracingBits : 29; /**< 0x378 / 0x240 : Pos 3, 29 Bits */
+ } W8, W80, W81;
+ struct
+ {
+ uint32_t HeapTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 0, 1 Bit */
+ uint32_t CritSecTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 1, 1 Bit */
+ uint32_t SpareTracingBits : 30; /**< 0x378 / 0x240 : Pos 3, 30 Bits - One bit more than W80 */
+ } W7;
+ } Diff7;
+#if ARCH_BITS == 64
+ uint32_t Padding6; /**< 0x37c / NA */
+#endif
+ uint64_t CsrServerReadOnlySharedMemoryBase; /**< 0x380 / 0x248 */
+ /* End of PEB in W8, W81. */
+ uintptr_t TppWorkerpListLock; /**< 0x388 / 0x250 */
+ LIST_ENTRY TppWorkerpList; /**< 0x390 / 0x254 */
+ PVOID WaitOnAddressHashTable[128]; /**< 0x3a0 / 0x25c */
+#if ARCH_BITS == 32
+ uint32_t ExplicitPadding7; /**< NA NA / 0x45c */
+#endif
+} PEB_COMMON;
+typedef PEB_COMMON *PPEB_COMMON;
+
+AssertCompileMemberOffset(PEB_COMMON, ProcessHeap, ARCH_BITS == 64 ? 0x30 : 0x18);
+AssertCompileMemberOffset(PEB_COMMON, SystemReserved, ARCH_BITS == 64 ? 0x60 : 0x30);
+AssertCompileMemberOffset(PEB_COMMON, TlsExpansionCounter, ARCH_BITS == 64 ? 0x70 : 0x3c);
+AssertCompileMemberOffset(PEB_COMMON, NtGlobalFlag, ARCH_BITS == 64 ? 0xbc : 0x68);
+AssertCompileMemberOffset(PEB_COMMON, LoaderLock, ARCH_BITS == 64 ? 0x110 : 0xa0);
+AssertCompileMemberOffset(PEB_COMMON, Diff5.W52.ImageProcessAffinityMask, ARCH_BITS == 64 ? 0x138 : 0xc0);
+AssertCompileMemberOffset(PEB_COMMON, PostProcessInitRoutine, ARCH_BITS == 64 ? 0x230 : 0x14c);
+AssertCompileMemberOffset(PEB_COMMON, AppCompatFlags, ARCH_BITS == 64 ? 0x2c8 : 0x1d8);
+AssertCompileSize(PEB_COMMON, ARCH_BITS == 64 ?
0x7a0 : 0x460);
+
+/** The size of the windows 10 (build 14393) PEB structure. */
+#define PEB_SIZE_W10 sizeof(PEB_COMMON)
+/** The size of the windows 8.1 PEB structure. */
+#define PEB_SIZE_W81 RT_UOFFSETOF(PEB_COMMON, TppWorkerpListLock)
+/** The size of the windows 8.0 PEB structure. */
+#define PEB_SIZE_W80 RT_UOFFSETOF(PEB_COMMON, TppWorkerpListLock)
+/** The size of the windows 7 PEB structure. */
+#define PEB_SIZE_W7 RT_UOFFSETOF(PEB_COMMON, CsrServerReadOnlySharedMemoryBase)
+/** The size of the windows vista PEB structure. */
+#define PEB_SIZE_W6 RT_UOFFSETOF(PEB_COMMON, Diff3)
+/** The size of the windows server 2003 PEB structure. */
+#define PEB_SIZE_W52 RT_UOFFSETOF(PEB_COMMON, WerRegistrationData)
+/** The size of the windows XP PEB structure. */
+#define PEB_SIZE_W51 RT_UOFFSETOF(PEB_COMMON, FlsCallback)
+
+#if 0
+typedef struct _NT_TIB
+{
+ struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID SubSystemTib;
+ union
+ {
+ PVOID FiberData;
+ ULONG Version;
+ };
+ PVOID ArbitraryUserPointer;
+ struct _NT_TIB *Self;
+} NT_TIB;
+typedef NT_TIB *PNT_TIB;
+#endif
+
+typedef struct _ACTIVATION_CONTEXT_STACK
+{
+ uint32_t Flags;
+ uint32_t NextCookieSequenceNumber;
+ PVOID ActiveFrame;
+ LIST_ENTRY FrameListCache;
+} ACTIVATION_CONTEXT_STACK;
+
+/* Common TEB.
*/
+typedef struct _TEB_COMMON
+{
+ NT_TIB NtTib; /**< 0x000 / 0x000 */
+ PVOID EnvironmentPointer; /**< 0x038 / 0x01c */
+ CLIENT_ID ClientId; /**< 0x040 / 0x020 */
+ PVOID ActiveRpcHandle; /**< 0x050 / 0x028 */
+ PVOID ThreadLocalStoragePointer; /**< 0x058 / 0x02c */
+ PPEB_COMMON ProcessEnvironmentBlock; /**< 0x060 / 0x030 */
+ uint32_t LastErrorValue; /**< 0x068 / 0x034 */
+ uint32_t CountOfOwnedCriticalSections; /**< 0x06c / 0x038 */
+ PVOID CsrClientThread; /**< 0x070 / 0x03c */
+ PVOID Win32ThreadInfo; /**< 0x078 / 0x040 */
+ uint32_t User32Reserved[26]; /**< 0x080 / 0x044 */
+ uint32_t UserReserved[5]; /**< 0x0e8 / 0x0ac */
+ PVOID WOW32Reserved; /**< 0x100 / 0x0c0 */
+ uint32_t CurrentLocale; /**< 0x108 / 0x0c4 */
+ uint32_t FpSoftwareStatusRegister; /**< 0x10c / 0x0c8 */
+ PVOID SystemReserved1[54]; /**< 0x110 / 0x0cc */
+ uint32_t ExceptionCode; /**< 0x2c0 / 0x1a4 */
+#if ARCH_BITS == 64
+ uint32_t Padding0; /**< 0x2c4 / NA */
+#endif
+ union
+ {
+ struct
+ {
+ struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer;/**< 0x2c8 / 0x1a8 */
+ uint8_t SpareBytes[ARCH_BITS == 64 ? 24 : 36]; /**< 0x2d0 / 0x1ac */
+ } W52, W6, W7, W8, W80, W81;
+#if ARCH_BITS == 32
+ struct
+ {
+ ACTIVATION_CONTEXT_STACK ActivationContextStack; /**< NA / 0x1a8 */
+ uint8_t SpareBytes[20]; /**< NA / 0x1bc */
+ } W51;
+#endif
+ } Diff0;
+ union
+ {
+ struct
+ {
+ uint32_t TxFsContext; /**< 0x2e8 / 0x1d0 */
+ } W6, W7, W8, W80, W81;
+ struct
+ {
+ uint32_t SpareBytesContinues; /**< 0x2e8 / 0x1d0 */
+ } W52;
+ } Diff1;
+#if ARCH_BITS == 64
+ uint32_t Padding1; /**< 0x2ec / NA */
+#endif
+ /*_GDI_TEB_BATCH*/ uint8_t GdiTebBatch[ARCH_BITS == 64 ?
0x4e8 :0x4e0]; /**< 0x2f0 / 0x1d4 */
+ CLIENT_ID RealClientId; /**< 0x7d8 / 0x6b4 */
+ HANDLE GdiCachedProcessHandle; /**< 0x7e8 / 0x6bc */
+ uint32_t GdiClientPID; /**< 0x7f0 / 0x6c0 */
+ uint32_t GdiClientTID; /**< 0x7f4 / 0x6c4 */
+ PVOID GdiThreadLocalInfo; /**< 0x7f8 / 0x6c8 */
+ SIZE_T Win32ClientInfo[62]; /**< 0x800 / 0x6cc */
+ PVOID glDispatchTable[233]; /**< 0x9f0 / 0x7c4 */
+ SIZE_T glReserved1[29]; /**< 0x1138 / 0xb68 */
+ PVOID glReserved2; /**< 0x1220 / 0xbdc */
+ PVOID glSectionInfo; /**< 0x1228 / 0xbe0 */
+ PVOID glSection; /**< 0x1230 / 0xbe4 */
+ PVOID glTable; /**< 0x1238 / 0xbe8 */
+ PVOID glCurrentRC; /**< 0x1240 / 0xbec */
+ PVOID glContext; /**< 0x1248 / 0xbf0 */
+ NTSTATUS LastStatusValue; /**< 0x1250 / 0xbf4 */
+#if ARCH_BITS == 64
+ uint32_t Padding2; /**< 0x1254 / NA */
+#endif
+ UNICODE_STRING StaticUnicodeString; /**< 0x1258 / 0xbf8 */
+ WCHAR StaticUnicodeBuffer[261]; /**< 0x1268 / 0xc00 */
+#if ARCH_BITS == 64
+ WCHAR Padding3[3]; /**< 0x1472 / NA */
+#endif
+ PVOID DeallocationStack; /**< 0x1478 / 0xe0c */
+ PVOID TlsSlots[64]; /**< 0x1480 / 0xe10 */
+ LIST_ENTRY TlsLinks; /**< 0x1680 / 0xf10 */
+ PVOID Vdm; /**< 0x1690 / 0xf18 */
+ PVOID ReservedForNtRpc; /**< 0x1698 / 0xf1c */
+ PVOID DbgSsReserved[2]; /**< 0x16a0 / 0xf20 */
+ uint32_t HardErrorMode; /**< 0x16b0 / 0xf28 - Called HardErrorsAreDisabled in W51. */
+#if ARCH_BITS == 64
+ uint32_t Padding4; /**< 0x16b4 / NA */
+#endif
+ PVOID Instrumentation[ARCH_BITS == 64 ? 11 : 9]; /**< 0x16b8 / 0xf2c */
+ union
+ {
+ struct
+ {
+ GUID ActivityId; /**< 0x1710 / 0xf50 */
+ PVOID SubProcessTag; /**< 0x1720 / 0xf60 */
+ } W6, W7, W8, W80, W81;
+ struct
+ {
+ PVOID InstrumentationContinues[ARCH_BITS == 64 ?
3 : 5]; /**< 0x1710 / 0xf50 */
+ } W52;
+ } Diff2;
+ union /**< 0x1728 / 0xf64 */
+ {
+ struct
+ {
+ PVOID PerflibData; /**< 0x1728 / 0xf64 */
+ } W8, W80, W81;
+ struct
+ {
+ PVOID EtwLocalData; /**< 0x1728 / 0xf64 */
+ } W7, W6;
+ struct
+ {
+ PVOID SubProcessTag; /**< 0x1728 / 0xf64 */
+ } W52;
+ struct
+ {
+ PVOID InstrumentationContinues[1]; /**< 0x1728 / 0xf64 */
+ } W51;
+ } Diff3;
+ union
+ {
+ struct
+ {
+ PVOID EtwTraceData; /**< 0x1730 / 0xf68 */
+ } W52, W6, W7, W8, W80, W81;
+ struct
+ {
+ PVOID InstrumentationContinues[1]; /**< 0x1730 / 0xf68 */
+ } W51;
+ } Diff4;
+ PVOID WinSockData; /**< 0x1738 / 0xf6c */
+ uint32_t GdiBatchCount; /**< 0x1740 / 0xf70 */
+ union
+ {
+ union
+ {
+ PROCESSOR_NUMBER CurrentIdealProcessor; /**< 0x1744 / 0xf74 - W7+ */
+ uint32_t IdealProcessorValue; /**< 0x1744 / 0xf74 - W7+ */
+ struct
+ {
+ uint8_t ReservedPad1; /**< 0x1744 / 0xf74 - Called SpareBool0 in W6 */
+ uint8_t ReservedPad2; /**< 0x1745 / 0xf75 - Called SpareBool0 in W6 */
+ uint8_t ReservedPad3; /**< 0x1746 / 0xf76 - Called SpareBool0 in W6 */
+ uint8_t IdealProcessor; /**< 0x1747 / 0xf77 */
+ };
+ } W6, W7, W8, W80, W81;
+ struct
+ {
+ BOOLEAN InDbgPrint; /**< 0x1744 / 0xf74 */
+ BOOLEAN FreeStackOnTermination; /**< 0x1745 / 0xf75 */
+ BOOLEAN HasFiberData; /**< 0x1746 / 0xf76 */
+ uint8_t IdealProcessor; /**< 0x1747 / 0xf77 */
+ } W51, W52;
+ } Diff5;
+ uint32_t GuaranteedStackBytes; /**< 0x1748 / 0xf78 */
+#if ARCH_BITS == 64
+ uint32_t Padding5; /**< 0x174c / NA */
+#endif
+ PVOID ReservedForPerf; /**< 0x1750 / 0xf7c */
+ PVOID ReservedForOle; /**< 0x1758 / 0xf80 */
+ uint32_t WaitingOnLoaderLock; /**< 0x1760 / 0xf84 */
+#if ARCH_BITS == 64
+ uint32_t Padding6; /**< 0x1764 / NA */
+#endif
+ union /**< 0x1770 / 0xf8c */
+ {
+ struct
+ {
+ PVOID SavedPriorityState; /**< 0x1768 / 0xf88 */
+ SIZE_T ReservedForCodeCoverage; /**< 0x1770 / 0xf8c */
+ PVOID ThreadPoolData; /**< 0x1778 / 0xf90 */
+ } W8, W80, W81;
+ struct
+ {
+ PVOID SavedPriorityState; /**<
0x1768 / 0xf88 */
+ SIZE_T SoftPatchPtr1; /**< 0x1770 / 0xf8c */
+ PVOID ThreadPoolData; /**< 0x1778 / 0xf90 */
+ } W6, W7;
+ struct
+ {
+ PVOID SparePointer1; /**< 0x1768 / 0xf88 */
+ SIZE_T SoftPatchPtr1; /**< 0x1770 / 0xf8c */
+ PVOID SoftPatchPtr2; /**< 0x1778 / 0xf90 */
+ } W52;
+#if ARCH_BITS == 32
+ struct _Wx86ThreadState
+ {
+ PVOID CallBx86Eip; /**< NA / 0xf88 */
+ PVOID DeallocationCpu; /**< NA / 0xf8c */
+ BOOLEAN UseKnownWx86Dll; /**< NA / 0xf90 */
+ int8_t OleStubInvoked; /**< NA / 0xf91 */
+ } W51;
+#endif
+ } Diff6;
+ PVOID TlsExpansionSlots; /**< 0x1780 / 0xf94 */
+#if ARCH_BITS == 64
+ PVOID DallocationBStore; /**< 0x1788 / NA */
+ PVOID BStoreLimit; /**< 0x1790 / NA */
+#endif
+ union
+ {
+ struct
+ {
+ uint32_t MuiGeneration; /**< 0x1798 / 0xf98 */
+ } W7, W8, W80, W81;
+ struct
+ {
+ uint32_t ImpersonationLocale;
+ } W6;
+ } Diff7;
+ uint32_t IsImpersonating; /**< 0x179c / 0xf9c */
+ PVOID NlsCache; /**< 0x17a0 / 0xfa0 */
+ PVOID pShimData; /**< 0x17a8 / 0xfa4 */
+ union /**< 0x17b0 / 0xfa8 */
+ {
+ struct
+ {
+ uint16_t HeapVirtualAffinity; /**< 0x17b0 / 0xfa8 */
+ uint16_t LowFragHeapDataSlot; /**< 0x17b2 / 0xfaa */
+ } W8, W80, W81;
+ struct
+ {
+ uint32_t HeapVirtualAffinity; /**< 0x17b0 / 0xfa8 */
+ } W7;
+ } Diff8;
+#if ARCH_BITS == 64
+ uint32_t Padding7; /**< 0x17b4 / NA */
+#endif
+ HANDLE CurrentTransactionHandle; /**< 0x17b8 / 0xfac */
+ struct _TEB_ACTIVE_FRAME *ActiveFrame; /**< 0x17c0 / 0xfb0 */
+ /* End of TEB in W51 (Windows XP)! */
+ PVOID FlsData; /**< 0x17c8 / 0xfb4 */
+ union
+ {
+ struct
+ {
+ PVOID PreferredLanguages; /**< 0x17d0 / 0xfb8 */
+ } W6, W7, W8, W80, W81;
+ struct
+ {
+ BOOLEAN SafeThunkCall; /**< 0x17d0 / 0xfb8 */
+ uint8_t BooleanSpare[3]; /**< 0x17d1 / 0xfb9 */
+ /* End of TEB in W52 (Windows server 2003)!
*/
+ } W52;
+ } Diff9;
+ PVOID UserPrefLanguages; /**< 0x17d8 / 0xfbc */
+ PVOID MergedPrefLanguages; /**< 0x17e0 / 0xfc0 */
+ uint32_t MuiImpersonation; /**< 0x17e8 / 0xfc4 */
+ union
+ {
+ uint16_t CrossTebFlags; /**< 0x17ec / 0xfc8 */
+ struct
+ {
+ uint16_t SpareCrossTebBits : 16; /**< 0x17ec / 0xfc8 : Pos 0, 16 Bits */
+ };
+ };
+ union
+ {
+ uint16_t SameTebFlags; /**< 0x17ee / 0xfca */
+ struct
+ {
+ uint16_t SafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */
+ uint16_t InDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */
+ uint16_t HasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */
+ uint16_t SkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */
+ uint16_t WerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */
+ uint16_t RanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */
+ uint16_t ClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */
+ uint16_t SuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */
+ } Common;
+ struct
+ {
+ uint16_t SafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */
+ uint16_t InDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */
+ uint16_t HasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */
+ uint16_t SkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */
+ uint16_t WerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */
+ uint16_t RanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */
+ uint16_t ClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */
+ uint16_t SuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */
+ uint16_t DisableUserStackWalk : 1; /**< 0x17ee / 0xfca : Pos 8, 1 Bit */
+ uint16_t RtlExceptionAttached : 1; /**< 0x17ee / 0xfca : Pos 9, 1 Bit */
+ uint16_t InitialThread : 1; /**< 0x17ee / 0xfca : Pos 10, 1 Bit */
+ uint16_t SessionAware : 1; /**< 0x17ee / 0xfca : Pos 11, 1 Bit - New Since W7.
*/
+ uint16_t SpareSameTebBits : 4; /**< 0x17ee / 0xfca : Pos 12, 4 Bits */
+ } W8, W80, W81;
+ struct
+ {
+ uint16_t SafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */
+ uint16_t InDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */
+ uint16_t HasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */
+ uint16_t SkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */
+ uint16_t WerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */
+ uint16_t RanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */
+ uint16_t ClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */
+ uint16_t SuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */
+ uint16_t DisableUserStackWalk : 1; /**< 0x17ee / 0xfca : Pos 8, 1 Bit */
+ uint16_t RtlExceptionAttached : 1; /**< 0x17ee / 0xfca : Pos 9, 1 Bit */
+ uint16_t InitialThread : 1; /**< 0x17ee / 0xfca : Pos 10, 1 Bit */
+ uint16_t SpareSameTebBits : 5; /**< 0x17ee / 0xfca : Pos 12, 4 Bits */
+ } W7;
+ struct
+ {
+ uint16_t DbgSafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */
+ uint16_t DbgInDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */
+ uint16_t DbgHasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */
+ uint16_t DbgSkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */
+ uint16_t DbgWerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */
+ uint16_t DbgRanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */
+ uint16_t DbgClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */
+ uint16_t DbgSuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */
+ uint16_t SpareSameTebBits : 8; /**< 0x17ee / 0xfca : Pos 8, 8 Bits */
+ } W6;
+ } Diff10;
+ PVOID TxnScopeEnterCallback; /**< 0x17f0 / 0xfcc */
+ PVOID TxnScopeExitCallback; /**< 0x17f8 / 0xfd0 */
+ PVOID TxnScopeContext; /**< 0x1800 / 0xfd4 */
+ uint32_t LockCount; /**< 0x1808 / 0xfd8 */
+ union
+ {
+ struct
+ {
+ uint32_t SpareUlong0; /**< 0x180c / 0xfdc */
+ } W7, W8, W80, W81;
+ struct
+ {
+ uint32_t ProcessRundown;
+ } W6;
+ } Diff11;
+ union
+ {
+ struct
+ {
+ PVOID ResourceRetValue; /**< 0x1810 / 0xfe0 */
+ /* End of TEB in W7 (windows 7)! */
+ PVOID ReservedForWdf; /**< 0x1818 / 0xfe4 - New Since W7. */
+ /* End of TEB in W8 (windows 8.0 & 8.1)! */
+ PVOID ReservedForCrt; /**< 0x1820 / 0xfe8 - New Since W10. */
+ RTUUID EffectiveContainerId; /**< 0x1828 / 0xfec - New Since W10. */
+ /* End of TEB in W10 14393! */
+ } W8, W80, W81, W10;
+ struct
+ {
+ PVOID ResourceRetValue; /**< 0x1810 / 0xfe0 */
+ } W7;
+ struct
+ {
+ uint64_t LastSwitchTime; /**< 0x1810 / 0xfe0 */
+ uint64_t TotalSwitchOutTime; /**< 0x1818 / 0xfe8 */
+ LARGE_INTEGER WaitReasonBitMap; /**< 0x1820 / 0xff0 */
+ /* End of TEB in W6 (windows Vista)! */
+ } W6;
+ } Diff12;
+} TEB_COMMON;
+typedef TEB_COMMON *PTEB_COMMON;
+AssertCompileMemberOffset(TEB_COMMON, ExceptionCode, ARCH_BITS == 64 ? 0x2c0 : 0x1a4);
+AssertCompileMemberOffset(TEB_COMMON, LastStatusValue, ARCH_BITS == 64 ? 0x1250 : 0xbf4);
+AssertCompileMemberOffset(TEB_COMMON, DeallocationStack, ARCH_BITS == 64 ? 0x1478 : 0xe0c);
+AssertCompileMemberOffset(TEB_COMMON, ReservedForNtRpc, ARCH_BITS == 64 ? 0x1698 : 0xf1c);
+AssertCompileMemberOffset(TEB_COMMON, Instrumentation, ARCH_BITS == 64 ? 0x16b8 : 0xf2c);
+AssertCompileMemberOffset(TEB_COMMON, Diff2, ARCH_BITS == 64 ? 0x1710 : 0xf50);
+AssertCompileMemberOffset(TEB_COMMON, Diff3, ARCH_BITS == 64 ? 0x1728 : 0xf64);
+AssertCompileMemberOffset(TEB_COMMON, Diff4, ARCH_BITS == 64 ? 0x1730 : 0xf68);
+AssertCompileMemberOffset(TEB_COMMON, WinSockData, ARCH_BITS == 64 ? 0x1738 : 0xf6c);
+AssertCompileMemberOffset(TEB_COMMON, GuaranteedStackBytes, ARCH_BITS == 64 ? 0x1748 : 0xf78);
+AssertCompileMemberOffset(TEB_COMMON, MuiImpersonation, ARCH_BITS == 64 ? 0x17e8 : 0xfc4);
+AssertCompileMemberOffset(TEB_COMMON, LockCount, ARCH_BITS == 64 ? 0x1808 : 0xfd8);
+AssertCompileSize(TEB_COMMON, ARCH_BITS == 64 ? 0x1838 : 0x1000);
+
+
+/** The size of the windows 8.1 PEB structure.
*/
+#define TEB_SIZE_W10 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W10.EffectiveContainerId) + sizeof(RTUUID) )
+/** The size of the windows 8.1 PEB structure. */
+#define TEB_SIZE_W81 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W8.ReservedForWdf) + sizeof(PVOID) )
+/** The size of the windows 8.0 PEB structure. */
+#define TEB_SIZE_W80 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W8.ReservedForWdf) + sizeof(PVOID) )
+/** The size of the windows 7 PEB structure. */
+#define TEB_SIZE_W7 RT_UOFFSETOF(TEB_COMMON, Diff12.W8.ReservedForWdf)
+/** The size of the windows vista PEB structure. */
+#define TEB_SIZE_W6 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W6.WaitReasonBitMap) + sizeof(LARGE_INTEGER) )
+/** The size of the windows server 2003 PEB structure. */
+#define TEB_SIZE_W52 RT_ALIGN_Z(RT_UOFFSETOF(TEB_COMMON, Diff9.W52.BooleanSpare), sizeof(PVOID))
+/** The size of the windows XP PEB structure. */
+#define TEB_SIZE_W51 RT_UOFFSETOF(TEB_COMMON, FlsData)
+
+
+
+#define _PEB _PEB_COMMON
+typedef PEB_COMMON PEB;
+typedef PPEB_COMMON PPEB;
+
+#define _TEB _TEB_COMMON
+typedef TEB_COMMON TEB;
+typedef PTEB_COMMON PTEB;
+
+#if !defined(NtCurrentTeb) && !defined(IPRT_NT_HAVE_CURRENT_TEB_MACRO)
+# ifdef RT_ARCH_X86
+DECL_FORCE_INLINE(PTEB) RTNtCurrentTeb(void) { return (PTEB)__readfsdword(RT_UOFFSETOF(TEB_COMMON, NtTib.Self)); }
+DECL_FORCE_INLINE(PPEB) RTNtCurrentPeb(void) { return (PPEB)__readfsdword(RT_UOFFSETOF(TEB_COMMON, ProcessEnvironmentBlock)); }
+DECL_FORCE_INLINE(uint32_t) RTNtCurrentThreadId(void) { return __readfsdword(RT_UOFFSETOF(TEB_COMMON, ClientId.UniqueThread)); }
+DECL_FORCE_INLINE(NTSTATUS) RTNtLastStatusValue(void) { return (NTSTATUS)__readfsdword(RT_UOFFSETOF(TEB_COMMON, LastStatusValue)); }
+DECL_FORCE_INLINE(uint32_t) RTNtLastErrorValue(void) { return __readfsdword(RT_UOFFSETOF(TEB_COMMON, LastErrorValue)); }
+# elif defined(RT_ARCH_AMD64)
+DECL_FORCE_INLINE(PTEB) RTNtCurrentTeb(void) { return (PTEB)__readgsqword(RT_UOFFSETOF(TEB_COMMON, NtTib.Self)); }
+DECL_FORCE_INLINE(PPEB)
RTNtCurrentPeb(void) { return (PPEB)__readgsqword(RT_UOFFSETOF(TEB_COMMON, ProcessEnvironmentBlock)); }
+DECL_FORCE_INLINE(uint32_t) RTNtCurrentThreadId(void) { return __readgsdword(RT_UOFFSETOF(TEB_COMMON, ClientId.UniqueThread)); }
+DECL_FORCE_INLINE(NTSTATUS) RTNtLastStatusValue(void) { return (NTSTATUS)__readgsdword(RT_UOFFSETOF(TEB_COMMON, LastStatusValue)); }
+DECL_FORCE_INLINE(uint32_t) RTNtLastErrorValue(void) { return __readgsdword(RT_UOFFSETOF(TEB_COMMON, LastErrorValue)); }
+# else
+# error "Port me"
+# endif
+#else
+# define RTNtCurrentTeb() ((PTEB)NtCurrentTeb())
+# define RTNtCurrentPeb() (RTNtCurrentTeb()->ProcessEnvironmentBlock)
+# define RTNtCurrentThreadId() ((uint32_t)(uintptr_t)RTNtCurrentTeb()->ClientId.UniqueThread)
+# define RTNtLastStatusValue() (RTNtCurrentTeb()->LastStatusValue)
+# define RTNtLastErrorValue() (RTNtCurrentTeb()->LastErrorValue)
+#endif
+#define NtCurrentPeb() RTNtCurrentPeb()
+
+
+/** @} */
+
+
+#ifdef IPRT_NT_USE_WINTERNL
+NTSYSAPI NTSTATUS NTAPI NtCreateSection(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE);
+typedef enum _SECTION_INHERIT
+{
+ ViewShare = 1,
+ ViewUnmap
+} SECTION_INHERIT;
+#endif
+NTSYSAPI NTSTATUS NTAPI NtMapViewOfSection(HANDLE, HANDLE, PVOID *, ULONG, SIZE_T, PLARGE_INTEGER, PSIZE_T, SECTION_INHERIT,
+ ULONG, ULONG);
+NTSYSAPI NTSTATUS NTAPI NtFlushVirtualMemory(HANDLE, PVOID *, PSIZE_T, PIO_STATUS_BLOCK);
+NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection(HANDLE, PVOID);
+
+#ifdef IPRT_NT_USE_WINTERNL
+typedef struct _FILE_FS_ATTRIBUTE_INFORMATION
+{
+ ULONG FileSystemAttributes;
+ LONG MaximumComponentNameLength;
+ ULONG FileSystemNameLength;
+ WCHAR FileSystemName[1];
+} FILE_FS_ATTRIBUTE_INFORMATION;
+typedef FILE_FS_ATTRIBUTE_INFORMATION *PFILE_FS_ATTRIBUTE_INFORMATION;
+
+#endif
+NTSYSAPI NTSTATUS NTAPI NtOpenProcess(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
+NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
+NTSYSAPI NTSTATUS NTAPI NtOpenThread(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
+NTSYSAPI NTSTATUS NTAPI ZwOpenThread(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
+NTSYSAPI NTSTATUS NTAPI NtAlertThread(HANDLE hThread);
+#ifdef IPRT_NT_USE_WINTERNL
+NTSYSAPI NTSTATUS NTAPI ZwAlertThread(HANDLE hThread);
+#endif
+
+#ifdef IPRT_NT_USE_WINTERNL
+NTSYSAPI NTSTATUS NTAPI NtOpenProcessToken(HANDLE, ACCESS_MASK, PHANDLE);
+NTSYSAPI NTSTATUS NTAPI NtOpenThreadToken(HANDLE, ACCESS_MASK, BOOLEAN, PHANDLE);
+#endif
+NTSYSAPI NTSTATUS NTAPI ZwOpenProcessToken(HANDLE, ACCESS_MASK, PHANDLE);
+NTSYSAPI NTSTATUS NTAPI ZwOpenThreadToken(HANDLE, ACCESS_MASK, BOOLEAN, PHANDLE);
+
+#ifdef IPRT_NT_USE_WINTERNL
+typedef struct _FILE_FS_SIZE_INFORMATION
+{
+ LARGE_INTEGER TotalAllocationUnits;
+ LARGE_INTEGER AvailableAllocationUnits;
+ ULONG SectorsPerAllocationUnit;
+ ULONG BytesPerSector;
+} FILE_FS_SIZE_INFORMATION;
+typedef FILE_FS_SIZE_INFORMATION *PFILE_FS_SIZE_INFORMATION;
+
+typedef enum _FSINFOCLASS
+{
+ FileFsVolumeInformation = 1,
+ FileFsLabelInformation,
+ FileFsSizeInformation, /**< FILE_FS_SIZE_INFORMATION */
+ FileFsDeviceInformation,
+ FileFsAttributeInformation,
+ FileFsControlInformation,
+ FileFsFullSizeInformation,
+ FileFsObjectIdInformation,
+ FileFsDriverPathInformation,
+ FileFsVolumeFlagsInformation,
+ FileFsSectorSizeInformation,
+ FileFsDataCopyInformation,
+ FileFsMaximumInformation
+} FS_INFORMATION_CLASS;
+typedef FS_INFORMATION_CLASS *PFS_INFORMATION_CLASS;
+NTSYSAPI NTSTATUS NTAPI NtQueryVolumeInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FS_INFORMATION_CLASS);
+
+typedef struct _FILE_BOTH_DIR_INFORMATION
+{
+ ULONG NextEntryOffset; /**< 0x00: */
+ ULONG FileIndex; /**< 0x04: */
+ LARGE_INTEGER CreationTime; /**< 0x08: */
+ LARGE_INTEGER LastAccessTime; /**< 0x10: */
+ LARGE_INTEGER LastWriteTime; /**< 0x18: */
+ LARGE_INTEGER ChangeTime; /**< 0x20: */
+ LARGE_INTEGER EndOfFile; /**< 0x28: */
+ LARGE_INTEGER
AllocationSize; /**< 0x30: */
+ ULONG FileAttributes; /**< 0x38: */
+ ULONG FileNameLength; /**< 0x3c: */
+ ULONG EaSize; /**< 0x40: */
+ CCHAR ShortNameLength; /**< 0x44: */
+ WCHAR ShortName[12]; /**< 0x46: */
+ WCHAR FileName[1]; /**< 0x5e: */
+} FILE_BOTH_DIR_INFORMATION;
+typedef FILE_BOTH_DIR_INFORMATION *PFILE_BOTH_DIR_INFORMATION;
+typedef struct _FILE_BASIC_INFORMATION
+{
+ LARGE_INTEGER CreationTime;
+ LARGE_INTEGER LastAccessTime;
+ LARGE_INTEGER LastWriteTime;
+ LARGE_INTEGER ChangeTime;
+ ULONG FileAttributes;
+} FILE_BASIC_INFORMATION;
+typedef FILE_BASIC_INFORMATION *PFILE_BASIC_INFORMATION;
+typedef struct _FILE_STANDARD_INFORMATION
+{
+ LARGE_INTEGER AllocationSize;
+ LARGE_INTEGER EndOfFile;
+ ULONG NumberOfLinks;
+ BOOLEAN DeletePending;
+ BOOLEAN Directory;
+} FILE_STANDARD_INFORMATION;
+typedef FILE_STANDARD_INFORMATION *PFILE_STANDARD_INFORMATION;
+typedef struct _FILE_NAME_INFORMATION
+{
+ ULONG FileNameLength;
+ WCHAR FileName[1];
+} FILE_NAME_INFORMATION;
+typedef FILE_NAME_INFORMATION *PFILE_NAME_INFORMATION;
+typedef struct _FILE_NETWORK_OPEN_INFORMATION
+{
+ LARGE_INTEGER CreationTime;
+ LARGE_INTEGER LastAccessTime;
+ LARGE_INTEGER LastWriteTime;
+ LARGE_INTEGER ChangeTime;
+ LARGE_INTEGER AllocationSize;
+ LARGE_INTEGER EndOfFile;
+ ULONG FileAttributes;
+} FILE_NETWORK_OPEN_INFORMATION;
+typedef FILE_NETWORK_OPEN_INFORMATION *PFILE_NETWORK_OPEN_INFORMATION;
+typedef enum _FILE_INFORMATION_CLASS
+{
+ FileDirectoryInformation = 1,
+ FileFullDirectoryInformation,
+ FileBothDirectoryInformation,
+ FileBasicInformation,
+ FileStandardInformation,
+ FileInternalInformation,
+ FileEaInformation,
+ FileAccessInformation,
+ FileNameInformation,
+ FileRenameInformation,
+ FileLinkInformation,
+ FileNamesInformation,
+ FileDispositionInformation,
+ FilePositionInformation,
+ FileFullEaInformation,
+ FileModeInformation,
+ FileAlignmentInformation,
+ FileAllInformation,
+ FileAllocationInformation,
+ FileEndOfFileInformation,
+ FileAlternateNameInformation,
+ FileStreamInformation,
+ FilePipeInformation,
+ FilePipeLocalInformation,
+ FilePipeRemoteInformation,
+ FileMailslotQueryInformation,
+ FileMailslotSetInformation,
+ FileCompressionInformation,
+ FileObjectIdInformation,
+ FileCompletionInformation,
+ FileMoveClusterInformation,
+ FileQuotaInformation,
+ FileReparsePointInformation,
+ FileNetworkOpenInformation,
+ FileAttributeTagInformation,
+ FileTrackingInformation,
+ FileIdBothDirectoryInformation,
+ FileIdFullDirectoryInformation,
+ FileValidDataLengthInformation,
+ FileShortNameInformation,
+ FileIoCompletionNotificationInformation,
+ FileIoStatusBlockRangeInformation,
+ FileIoPriorityHintInformation,
+ FileSfioReserveInformation,
+ FileSfioVolumeInformation,
+ FileHardLinkInformation,
+ FileProcessIdsUsingFileInformation,
+ FileNormalizedNameInformation,
+ FileNetworkPhysicalNameInformation,
+ FileIdGlobalTxDirectoryInformation,
+ FileIsRemoteDeviceInformation,
+ FileUnusedInformation,
+ FileNumaNodeInformation,
+ FileStandardLinkInformation,
+ FileRemoteProtocolInformation,
+ FileRenameInformationBypassAccessCheck,
+ FileLinkInformationBypassAccessCheck,
+ FileVolumeNameInformation,
+ FileIdInformation,
+ FileIdExtdDirectoryInformation,
+ FileReplaceCompletionInformation,
+ FileHardLinkFullIdInformation,
+ FileMaximumInformation
+} FILE_INFORMATION_CLASS;
+typedef FILE_INFORMATION_CLASS *PFILE_INFORMATION_CLASS;
+NTSYSAPI NTSTATUS NTAPI NtQueryInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS);
+NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFile(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG,
+ FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);
+NTSYSAPI NTSTATUS NTAPI NtSetInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS);
+#endif /* IPRT_NT_USE_WINTERNL */
+NTSYSAPI NTSTATUS NTAPI NtQueryAttributesFile(POBJECT_ATTRIBUTES, PFILE_BASIC_INFORMATION);
+NTSYSAPI NTSTATUS NTAPI
NtQueryFullAttributesFile(POBJECT_ATTRIBUTES, PFILE_NETWORK_OPEN_INFORMATION);
+
+
+/** @name SE_GROUP_XXX - Attributes returned with TokenGroup and others.
+ * @{ */
+#ifndef SE_GROUP_MANDATORY
+# define SE_GROUP_MANDATORY UINT32_C(0x01)
+#endif
+#ifndef SE_GROUP_ENABLED_BY_DEFAULT
+# define SE_GROUP_ENABLED_BY_DEFAULT UINT32_C(0x02)
+#endif
+#ifndef SE_GROUP_ENABLED
+# define SE_GROUP_ENABLED UINT32_C(0x04)
+#endif
+#ifndef SE_GROUP_OWNER
+# define SE_GROUP_OWNER UINT32_C(0x08)
+#endif
+#ifndef SE_GROUP_USE_FOR_DENY_ONLY
+# define SE_GROUP_USE_FOR_DENY_ONLY UINT32_C(0x10)
+#endif
+#ifndef SE_GROUP_INTEGRITY
+# define SE_GROUP_INTEGRITY UINT32_C(0x20)
+#endif
+#ifndef SE_GROUP_INTEGRITY_ENABLED
+# define SE_GROUP_INTEGRITY_ENABLED UINT32_C(0x40)
+#endif
+#ifndef SE_GROUP_RESOURCE
+# define SE_GROUP_RESOURCE UINT32_C(0x20000000)
+#endif
+#ifndef SE_GROUP_LOGON_ID
+# define SE_GROUP_LOGON_ID UINT32_C(0xc0000000)
+#endif
+/** @} */
+
+
+#ifdef IPRT_NT_USE_WINTERNL
+
+/** For use with KeyBasicInformation. */
+typedef struct _KEY_BASIC_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_BASIC_INFORMATION;
+typedef KEY_BASIC_INFORMATION *PKEY_BASIC_INFORMATION;
+
+/** For use with KeyNodeInformation. */
+typedef struct _KEY_NODE_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG ClassOffset; /**< Offset from the start of the structure. */
+ ULONG ClassLength;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_NODE_INFORMATION;
+typedef KEY_NODE_INFORMATION *PKEY_NODE_INFORMATION;
+
+/** For use with KeyFullInformation. */
+typedef struct _KEY_FULL_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG ClassOffset; /**< Offset of the Class member.
*/
+ ULONG ClassLength;
+ ULONG SubKeys;
+ ULONG MaxNameLen;
+ ULONG MaxClassLen;
+ ULONG Values;
+ ULONG MaxValueNameLen;
+ ULONG MaxValueDataLen;
+ WCHAR Class[1];
+} KEY_FULL_INFORMATION;
+typedef KEY_FULL_INFORMATION *PKEY_FULL_INFORMATION;
+
+/** For use with KeyNameInformation. */
+typedef struct _KEY_NAME_INFORMATION
+{
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_NAME_INFORMATION;
+typedef KEY_NAME_INFORMATION *PKEY_NAME_INFORMATION;
+
+/** For use with KeyCachedInformation. */
+typedef struct _KEY_CACHED_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG SubKeys;
+ ULONG MaxNameLen;
+ ULONG Values;
+ ULONG MaxValueNameLen;
+ ULONG MaxValueDataLen;
+ ULONG NameLength;
+} KEY_CACHED_INFORMATION;
+typedef KEY_CACHED_INFORMATION *PKEY_CACHED_INFORMATION;
+
+/** For use with KeyVirtualizationInformation. */
+typedef struct _KEY_VIRTUALIZATION_INFORMATION
+{
+ ULONG VirtualizationCandidate : 1;
+ ULONG VirtualizationEnabled : 1;
+ ULONG VirtualTarget : 1;
+ ULONG VirtualStore : 1;
+ ULONG VirtualSource : 1;
+ ULONG Reserved : 27;
+} KEY_VIRTUALIZATION_INFORMATION;
+typedef KEY_VIRTUALIZATION_INFORMATION *PKEY_VIRTUALIZATION_INFORMATION;
+
+typedef enum _KEY_INFORMATION_CLASS
+{
+ KeyBasicInformation = 0,
+ KeyNodeInformation,
+ KeyFullInformation,
+ KeyNameInformation,
+ KeyCachedInformation,
+ KeyFlagsInformation,
+ KeyVirtualizationInformation,
+ KeyHandleTagsInformation,
+ MaxKeyInfoClass
+} KEY_INFORMATION_CLASS;
+NTSYSAPI NTSTATUS NTAPI NtQueryKey(HANDLE, KEY_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+NTSYSAPI NTSTATUS NTAPI NtEnumerateKey(HANDLE, ULONG, KEY_INFORMATION_CLASS, PVOID, ULONG, PULONG);
+
+typedef struct _MEMORY_SECTION_NAME
+{
+ UNICODE_STRING SectionFileName;
+ WCHAR NameBuffer[1];
+} MEMORY_SECTION_NAME;
+
+#ifdef IPRT_NT_USE_WINTERNL
+typedef struct _PROCESS_BASIC_INFORMATION
+{
+ NTSTATUS ExitStatus;
+ PPEB PebBaseAddress;
+ ULONG_PTR AffinityMask;
+ int32_t BasePriority;
+ ULONG_PTR UniqueProcessId;
+ ULONG_PTR
InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; +#endif + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation = 0, /**< 0 / 0x00 */ + ProcessQuotaLimits, /**< 1 / 0x01 */ + ProcessIoCounters, /**< 2 / 0x02 */ + ProcessVmCounters, /**< 3 / 0x03 */ + ProcessTimes, /**< 4 / 0x04 */ + ProcessBasePriority, /**< 5 / 0x05 */ + ProcessRaisePriority, /**< 6 / 0x06 */ + ProcessDebugPort, /**< 7 / 0x07 */ + ProcessExceptionPort, /**< 8 / 0x08 */ + ProcessAccessToken, /**< 9 / 0x09 */ + ProcessLdtInformation, /**< 10 / 0x0a */ + ProcessLdtSize, /**< 11 / 0x0b */ + ProcessDefaultHardErrorMode, /**< 12 / 0x0c */ + ProcessIoPortHandlers, /**< 13 / 0x0d */ + ProcessPooledUsageAndLimits, /**< 14 / 0x0e */ + ProcessWorkingSetWatch, /**< 15 / 0x0f */ + ProcessUserModeIOPL, /**< 16 / 0x10 */ + ProcessEnableAlignmentFaultFixup, /**< 17 / 0x11 */ + ProcessPriorityClass, /**< 18 / 0x12 */ + ProcessWx86Information, /**< 19 / 0x13 */ + ProcessHandleCount, /**< 20 / 0x14 */ + ProcessAffinityMask, /**< 21 / 0x15 */ + ProcessPriorityBoost, /**< 22 / 0x16 */ + ProcessDeviceMap, /**< 23 / 0x17 */ + ProcessSessionInformation, /**< 24 / 0x18 */ + ProcessForegroundInformation, /**< 25 / 0x19 */ + ProcessWow64Information, /**< 26 / 0x1a */ + ProcessImageFileName, /**< 27 / 0x1b */ + ProcessLUIDDeviceMapsEnabled, /**< 28 / 0x1c */ + ProcessBreakOnTermination, /**< 29 / 0x1d */ + ProcessDebugObjectHandle, /**< 30 / 0x1e */ + ProcessDebugFlags, /**< 31 / 0x1f */ + ProcessHandleTracing, /**< 32 / 0x20 */ + ProcessIoPriority, /**< 33 / 0x21 */ + ProcessExecuteFlags, /**< 34 / 0x22 */ + ProcessTlsInformation, /**< 35 / 0x23 */ + ProcessCookie, /**< 36 / 0x24 */ + ProcessImageInformation, /**< 37 / 0x25 */ + ProcessCycleTime, /**< 38 / 0x26 */ + ProcessPagePriority, /**< 39 / 0x27 */ + ProcessInstrumentationCallbak, /**< 40 / 0x28 */ + ProcessThreadStackAllocation, /**< 41 / 0x29 */ + ProcessWorkingSetWatchEx, /**< 42 / 
0x2a */ + ProcessImageFileNameWin32, /**< 43 / 0x2b */ + ProcessImageFileMapping, /**< 44 / 0x2c */ + ProcessAffinityUpdateMode, /**< 45 / 0x2d */ + ProcessMemoryAllocationMode, /**< 46 / 0x2e */ + ProcessGroupInformation, /**< 47 / 0x2f */ + ProcessTokenVirtualizationEnabled, /**< 48 / 0x30 */ + ProcessOwnerInformation, /**< 49 / 0x31 */ + ProcessWindowInformation, /**< 50 / 0x32 */ + ProcessHandleInformation, /**< 51 / 0x33 */ + ProcessMitigationPolicy, /**< 52 / 0x34 */ + ProcessDynamicFunctionTableInformation, /**< 53 / 0x35 */ + ProcessHandleCheckingMode, /**< 54 / 0x36 */ + ProcessKeepAliveCount, /**< 55 / 0x37 */ + ProcessRevokeFileHandles, /**< 56 / 0x38 */ + ProcessWorkingSetControl, /**< 57 / 0x39 */ + ProcessHandleTable, /**< 58 / 0x3a */ + ProcessCheckStackExtentsMode, /**< 59 / 0x3b */ + ProcessCommandLineInformation, /**< 60 / 0x3c */ + ProcessProtectionInformation, /**< 61 / 0x3d */ + ProcessMemoryExhaustion, /**< 62 / 0x3e */ + ProcessFaultInformation, /**< 63 / 0x3f */ + ProcessTelemetryIdInformation, /**< 64 / 0x40 */ + ProcessCommitReleaseInformation, /**< 65 / 0x41 */ + ProcessDefaultCpuSetsInformation, /**< 66 / 0x42 - aka ProcessReserved1Information */ + ProcessAllowedCpuSetsInformation, /**< 67 / 0x43 - aka ProcessReserved2Information; PROCESS_SET_LIMITED_INFORMATION & audiog.exe; W10 */ + ProcessSubsystemProcess, /**< 68 / 0x44 */ + ProcessJobMemoryInformation, /**< 69 / 0x45 */ + ProcessInPrivate, /**< 70 / 0x46 */ + ProcessRaiseUMExceptionOnInvalidHandleClose,/**< 71 / 0x47 */ + ProcessIumChallengeResponse, /**< 72 / 0x48 */ + ProcessChildProcessInformation, /**< 73 / 0x49 */ + ProcessHighGraphicsPriorityInformation, /**< 74 / 0x4a */ + ProcessSubsystemInformation, /**< 75 / 0x4b */ + ProcessEnergyValues, /**< 76 / 0x4c */ + ProcessPowerThrottlingState, /**< 77 / 0x4d */ + ProcessReserved3Information, /**< 78 / 0x4e */ + ProcessWin32kSyscallFilterInformation, /**< 79 / 0x4f */ + ProcessDisableSystemAllowedCpuSets, /**< 80 / 0x50 */ + 
ProcessWakeInformation, /**< 81 / 0x51 */ + ProcessEnergyTrackingState, /**< 82 / 0x52 */ + ProcessManageWritesToExecutableMemory, /**< 83 / 0x53 */ + ProcessCaptureTrustletLiveDump, /**< 84 / 0x54 */ + ProcessTelemetryCoverage, /**< 85 / 0x55 */ + ProcessEnclaveInformation, /**< 86 / 0x56 */ + ProcessEnableReadWriteVmLogging, /**< 87 / 0x57 */ + ProcessUptimeInformation, /**< 88 / 0x58 */ + ProcessImageSection, /**< 89 / 0x59 */ + ProcessDebugAuthInformation, /**< 90 / 0x5a */ + ProcessSystemResourceManagement, /**< 92 / 0x5b */ + ProcessSequenceNumber, /**< 93 / 0x5c */ + MaxProcessInfoClass +} PROCESSINFOCLASS; +AssertCompile(ProcessSequenceNumber == 0x5c); +NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); +#if ARCH_BITS == 32 +/** 64-bit API pass thru to WOW64 processes. */ +NTSYSAPI NTSTATUS NTAPI NtWow64QueryInformationProcess64(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); +#endif + +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation = 0, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + ThreadSwitchLegacyState, + ThreadIsTerminated, + ThreadLastSystemCall, + ThreadIoPriority, + ThreadCycleTime, + ThreadPagePriority, + ThreadActualBasePriority, + ThreadTebInformation, + ThreadCSwitchMon, + ThreadCSwitchPmu, + ThreadWow64Context, + ThreadGroupInformation, + ThreadUmsInformation, + ThreadCounterProfiling, + ThreadIdealProcessorEx, + ThreadCpuAccountingInformation, + MaxThreadInfoClass +} THREADINFOCLASS; +NTSYSAPI NTSTATUS NTAPI NtSetInformationThread(HANDLE, THREADINFOCLASS, LPCVOID, ULONG); + +NTSYSAPI 
NTSTATUS NTAPI NtQueryInformationToken(HANDLE, TOKEN_INFORMATION_CLASS, PVOID, ULONG, PULONG); +NTSYSAPI NTSTATUS NTAPI ZwQueryInformationToken(HANDLE, TOKEN_INFORMATION_CLASS, PVOID, ULONG, PULONG); + +NTSYSAPI NTSTATUS NTAPI NtReadFile(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG); +NTSYSAPI NTSTATUS NTAPI NtWriteFile(HANDLE, HANDLE, PIO_APC_ROUTINE, void const *, PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG); +NTSYSAPI NTSTATUS NTAPI NtFlushBuffersFile(HANDLE, PIO_STATUS_BLOCK); +NTSYSAPI NTSTATUS NTAPI NtCancelIoFile(HANDLE, PIO_STATUS_BLOCK); + +NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemory(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T); +NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory(HANDLE, PVOID, void const *, SIZE_T, PSIZE_T); + +NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAce(PACL, ULONG, ULONG, PSID); +NTSYSAPI NTSTATUS NTAPI RtlCopySid(ULONG, PSID, PSID); +NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL, ULONG, ULONG); +NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(PSECURITY_DESCRIPTOR, ULONG); +NTSYSAPI BOOLEAN NTAPI RtlEqualSid(PSID, PSID); +NTSYSAPI NTSTATUS NTAPI RtlGetVersion(PRTL_OSVERSIONINFOW); +NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(PSID, PSID_IDENTIFIER_AUTHORITY, UCHAR); +NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN); +NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(PSID, ULONG); + +#endif /* IPRT_NT_USE_WINTERNL */ + +/** For use with ObjectHandleFlagInformation. 
*/ +typedef struct _OBJECT_HANDLE_FLAG_INFORMATION +{ + BOOLEAN Inherit; + BOOLEAN ProtectFromClose; +} OBJECT_HANDLE_FLAG_INFORMATION; +typedef OBJECT_HANDLE_FLAG_INFORMATION *POBJECT_HANDLE_FLAG_INFORMATION; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation = 0, + ObjectNameInformation, + ObjectTypeInformation, + ObjectAllInformation, + ObjectHandleFlagInformation, + ObjectSessionInformation, + MaxObjectInfoClass +} OBJECT_INFORMATION_CLASS; +typedef OBJECT_INFORMATION_CLASS *POBJECT_INFORMATION_CLASS; +#ifdef IN_RING0 +# define NtQueryObject ZwQueryObject +#endif +NTSYSAPI NTSTATUS NTAPI NtQueryObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG); +NTSYSAPI NTSTATUS NTAPI NtSetInformationObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG); +NTSYSAPI NTSTATUS NTAPI NtDuplicateObject(HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG); + +NTSYSAPI NTSTATUS NTAPI NtOpenDirectoryObject(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); + +typedef struct _OBJECT_DIRECTORY_INFORMATION +{ + UNICODE_STRING Name; + UNICODE_STRING TypeName; +} OBJECT_DIRECTORY_INFORMATION; +typedef OBJECT_DIRECTORY_INFORMATION *POBJECT_DIRECTORY_INFORMATION; +NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryObject(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG); + +NTSYSAPI NTSTATUS NTAPI NtSuspendProcess(HANDLE); +NTSYSAPI NTSTATUS NTAPI NtResumeProcess(HANDLE); +/** @name ProcessDefaultHardErrorMode bit definitions. + * @{ */ +#define PROCESS_HARDERR_CRITICAL_ERROR UINT32_C(0x00000001) /**< Inverted from the win32 define. */ +#define PROCESS_HARDERR_NO_GP_FAULT_ERROR UINT32_C(0x00000002) +#define PROCESS_HARDERR_NO_ALIGNMENT_FAULT_ERROR UINT32_C(0x00000004) +#define PROCESS_HARDERR_NO_OPEN_FILE_ERROR UINT32_C(0x00008000) +/** @} */ +NTSYSAPI NTSTATUS NTAPI NtSetInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG); +NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(HANDLE, LONG); + +/** Returned by NtQUerySection with SectionBasicInformation. 
*/ +typedef struct _SECTION_BASIC_INFORMATION +{ + PVOID BaseAddress; + ULONG AllocationAttributes; + LARGE_INTEGER MaximumSize; +} SECTION_BASIC_INFORMATION; +typedef SECTION_BASIC_INFORMATION *PSECTION_BASIC_INFORMATION; + +/** Retured by ProcessImageInformation as well as NtQuerySection. */ +typedef struct _SECTION_IMAGE_INFORMATION +{ + PVOID TransferAddress; + ULONG ZeroBits; + SIZE_T MaximumStackSize; + SIZE_T CommittedStackSize; + ULONG SubSystemType; + union + { + struct + { + USHORT SubSystemMinorVersion; + USHORT SubSystemMajorVersion; + }; + ULONG SubSystemVersion; + }; + ULONG GpValue; + USHORT ImageCharacteristics; + USHORT DllCharacteristics; + USHORT Machine; + BOOLEAN ImageContainsCode; + union /**< Since Vista, used to be a spare BOOLEAN. */ + { + struct + { + UCHAR ComPlusNativeRead : 1; + UCHAR ComPlusILOnly : 1; + UCHAR ImageDynamicallyRelocated : 1; + UCHAR ImageMAppedFlat : 1; + UCHAR Reserved : 4; + }; + UCHAR ImageFlags; + }; + ULONG LoaderFlags; + ULONG ImageFileSize; /**< Since XP? */ + ULONG CheckSum; /**< Since Vista, Used to be a reserved/spare ULONG. 
*/ +} SECTION_IMAGE_INFORMATION; +typedef SECTION_IMAGE_INFORMATION *PSECTION_IMAGE_INFORMATION; + +typedef enum _SECTION_INFORMATION_CLASS +{ + SectionBasicInformation = 0, + SectionImageInformation, + MaxSectionInfoClass +} SECTION_INFORMATION_CLASS; +NTSYSAPI NTSTATUS NTAPI NtQuerySection(HANDLE, SECTION_INFORMATION_CLASS, PVOID, SIZE_T, PSIZE_T); + +NTSYSAPI NTSTATUS NTAPI NtCreateSymbolicLinkObject(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PUNICODE_STRING pTarget); +NTSYSAPI NTSTATUS NTAPI NtOpenSymbolicLinkObject(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); +NTSYSAPI NTSTATUS NTAPI NtQuerySymbolicLinkObject(HANDLE, PUNICODE_STRING, PULONG); +#ifndef SYMBOLIC_LINK_QUERY +# define SYMBOLIC_LINK_QUERY UINT32_C(0x00000001) +#endif +#ifndef SYMBOLIC_LINK_ALL_ACCESS +# define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY) +#endif + +NTSYSAPI NTSTATUS NTAPI NtQueryInformationThread(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG); +NTSYSAPI NTSTATUS NTAPI NtResumeThread(HANDLE, PULONG); +NTSYSAPI NTSTATUS NTAPI NtSuspendThread(HANDLE, PULONG); +NTSYSAPI NTSTATUS NTAPI NtTerminateThread(HANDLE, LONG); +NTSYSAPI NTSTATUS NTAPI NtGetContextThread(HANDLE, PCONTEXT); +NTSYSAPI NTSTATUS NTAPI NtSetContextThread(HANDLE, PCONTEXT); +NTSYSAPI NTSTATUS NTAPI ZwYieldExecution(void); + + +#ifndef SEC_FILE +# define SEC_FILE UINT32_C(0x00800000) +#endif +#ifndef SEC_IMAGE +# define SEC_IMAGE UINT32_C(0x01000000) +#endif +#ifndef SEC_PROTECTED_IMAGE +# define SEC_PROTECTED_IMAGE UINT32_C(0x02000000) +#endif +#ifndef SEC_NOCACHE +# define SEC_NOCACHE UINT32_C(0x10000000) +#endif +#ifndef MEM_ROTATE +# define MEM_ROTATE UINT32_C(0x00800000) +#endif +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation = 0, + MemoryWorkingSetList, + MemorySectionName, + MemoryBasicVlmInformation +} MEMORY_INFORMATION_CLASS; +#ifdef IN_RING0 +typedef struct _MEMORY_BASIC_INFORMATION +{ + PVOID BaseAddress; + PVOID AllocationBase; + ULONG AllocationProtect; + 
SIZE_T RegionSize; + ULONG State; + ULONG Protect; + ULONG Type; +} MEMORY_BASIC_INFORMATION; +typedef MEMORY_BASIC_INFORMATION *PMEMORY_BASIC_INFORMATION; +# define NtQueryVirtualMemory ZwQueryVirtualMemory +#endif +NTSYSAPI NTSTATUS NTAPI NtQueryVirtualMemory(HANDLE, void const *, MEMORY_INFORMATION_CLASS, PVOID, SIZE_T, PSIZE_T); +#ifdef IPRT_NT_USE_WINTERNL +NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemory(HANDLE, PVOID *, ULONG, PSIZE_T, ULONG, ULONG); +#endif +NTSYSAPI NTSTATUS NTAPI NtFreeVirtualMemory(HANDLE, PVOID *, PSIZE_T, ULONG); +NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory(HANDLE, PVOID *, PSIZE_T, ULONG, PULONG); + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation = 0, + SystemCpuInformation, + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemInformation_Unknown_4, + SystemProcessInformation, + SystemInformation_Unknown_6, + SystemInformation_Unknown_7, + SystemProcessorPerformanceInformation, + SystemInformation_Unknown_9, + SystemInformation_Unknown_10, + SystemModuleInformation, + SystemInformation_Unknown_12, + SystemInformation_Unknown_13, + SystemInformation_Unknown_14, + SystemInformation_Unknown_15, + SystemHandleInformation, + SystemInformation_Unknown_17, + SystemPageFileInformation, + SystemInformation_Unknown_19, + SystemInformation_Unknown_20, + SystemCacheInformation, + SystemInformation_Unknown_22, + SystemInterruptInformation, + SystemDpcBehaviourInformation, + SystemFullMemoryInformation, + SystemLoadGdiDriverInformation, /* 26 */ + SystemUnloadGdiDriverInformation, /* 27 */ + SystemTimeAdjustmentInformation, + SystemSummaryMemoryInformation, + SystemInformation_Unknown_30, + SystemInformation_Unknown_31, + SystemInformation_Unknown_32, + SystemExceptionInformation, + SystemCrashDumpStateInformation, + SystemKernelDebuggerInformation, + SystemContextSwitchInformation, + SystemRegistryQuotaInformation, + SystemInformation_Unknown_38, + SystemInformation_Unknown_39, + SystemInformation_Unknown_40, 
+ SystemInformation_Unknown_41, + SystemInformation_Unknown_42, + SystemInformation_Unknown_43, + SystemCurrentTimeZoneInformation, + SystemLookasideInformation, + SystemSetTimeSlipEvent, + SystemCreateSession, + SystemDeleteSession, + SystemInformation_Unknown_49, + SystemRangeStartInformation, + SystemVerifierInformation, + SystemInformation_Unknown_52, + SystemSessionProcessInformation, + SystemLoadGdiDriverInSystemSpaceInformation, /* 54 */ + SystemInformation_Unknown_55, + SystemInformation_Unknown_56, + SystemExtendedProcessInformation, + SystemInformation_Unknown_58, + SystemInformation_Unknown_59, + SystemInformation_Unknown_60, + SystemInformation_Unknown_61, + SystemInformation_Unknown_62, + SystemInformation_Unknown_63, + SystemExtendedHandleInformation, /* 64 */ + SystemInformation_Unknown_65, + SystemInformation_Unknown_66, + SystemInformation_Unknown_67, + SystemInformation_Unknown_68, + SystemInformation_HotPatchInfo, /* 69 */ + SystemInformation_Unknown_70, + SystemInformation_Unknown_71, + SystemInformation_Unknown_72, + SystemInformation_Unknown_73, + SystemInformation_Unknown_74, + SystemInformation_Unknown_75, + SystemInformation_Unknown_76, + SystemInformation_Unknown_77, + SystemInformation_Unknown_78, + SystemInformation_Unknown_79, + SystemInformation_Unknown_80, + SystemInformation_Unknown_81, + SystemInformation_Unknown_82, + SystemInformation_Unknown_83, + SystemInformation_Unknown_84, + SystemInformation_Unknown_85, + SystemInformation_Unknown_86, + SystemInformation_Unknown_87, + SystemInformation_Unknown_88, + SystemInformation_Unknown_89, + SystemInformation_Unknown_90, + SystemInformation_Unknown_91, + SystemInformation_Unknown_92, + SystemInformation_Unknown_93, + SystemInformation_Unknown_94, + SystemInformation_Unknown_95, + SystemInformation_KiOpPrefetchPatchCount, /* 96 */ + SystemInformation_Unknown_97, + SystemInformation_Unknown_98, + SystemInformation_Unknown_99, + SystemInformation_Unknown_100, + 
SystemInformation_Unknown_101, + SystemInformation_Unknown_102, + SystemInformation_Unknown_103, + SystemInformation_Unknown_104, + SystemInformation_Unknown_105, + SystemInformation_Unknown_107, + SystemInformation_GetLogicalProcessorInformationEx, /* 107 */ + + /** @todo fill gap. they've added a whole bunch of things */ + SystemPolicyInformation = 134, + SystemInformationClassMax +} SYSTEM_INFORMATION_CLASS; + +#ifdef IPRT_NT_USE_WINTERNL +typedef struct _VM_COUNTERS +{ + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; +} VM_COUNTERS; +typedef VM_COUNTERS *PVM_COUNTERS; +#endif + +#if 0 +typedef struct _IO_COUNTERS +{ + ULONGLONG ReadOperationCount; + ULONGLONG WriteOperationCount; + ULONGLONG OtherOperationCount; + ULONGLONG ReadTransferCount; + ULONGLONG WriteTransferCount; + ULONGLONG OtherTransferCount; +} IO_COUNTERS; +typedef IO_COUNTERS *PIO_COUNTERS; +#endif + +typedef struct _RTNT_SYSTEM_PROCESS_INFORMATION +{ + ULONG NextEntryOffset; /**< 0x00 / 0x00 */ + ULONG NumberOfThreads; /**< 0x04 / 0x04 */ + LARGE_INTEGER Reserved1[3]; /**< 0x08 / 0x08 */ + LARGE_INTEGER CreationTime; /**< 0x20 / 0x20 */ + LARGE_INTEGER UserTime; /**< 0x28 / 0x28 */ + LARGE_INTEGER KernelTime; /**< 0x30 / 0x30 */ + UNICODE_STRING ProcessName; /**< 0x38 / 0x38 Clean unicode encoding? */ + int32_t BasePriority; /**< 0x40 / 0x48 */ + HANDLE UniqueProcessId; /**< 0x44 / 0x50 */ + HANDLE ParentProcessId; /**< 0x48 / 0x58 */ + ULONG HandleCount; /**< 0x4c / 0x60 */ + ULONG Reserved2; /**< 0x50 / 0x64 Session ID? */ + ULONG_PTR Reserved3; /**< 0x54 / 0x68 */ + VM_COUNTERS VmCounters; /**< 0x58 / 0x70 */ + IO_COUNTERS IoCounters; /**< 0x88 / 0xd0 Might not be present in earlier windows versions. 
*/ + /* After this follows the threads, then the ProcessName.Buffer. */ +} RTNT_SYSTEM_PROCESS_INFORMATION; +typedef RTNT_SYSTEM_PROCESS_INFORMATION *PRTNT_SYSTEM_PROCESS_INFORMATION; +#ifndef IPRT_NT_USE_WINTERNL +typedef RTNT_SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFORMATION; +typedef SYSTEM_PROCESS_INFORMATION *PSYSTEM_PROCESS_INFORMATION; +#endif + +typedef struct _SYSTEM_HANDLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_ENTRY_INFO; +typedef SYSTEM_HANDLE_ENTRY_INFO *PSYSTEM_HANDLE_ENTRY_INFO; + +/** Returned by SystemHandleInformation */ +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION; +typedef SYSTEM_HANDLE_INFORMATION *PSYSTEM_HANDLE_INFORMATION; + +/** Extended handle information entry. + * @remarks 3 x PVOID + 4 x ULONG = 28 bytes on 32-bit / 40 bytes on 64-bit */ +typedef struct _SYSTEM_HANDLE_ENTRY_INFO_EX +{ + PVOID Object; + HANDLE UniqueProcessId; + HANDLE HandleValue; + ACCESS_MASK GrantedAccess; + USHORT CreatorBackTraceIndex; + USHORT ObjectTypeIndex; + ULONG HandleAttributes; + ULONG Reserved; +} SYSTEM_HANDLE_ENTRY_INFO_EX; +typedef SYSTEM_HANDLE_ENTRY_INFO_EX *PSYSTEM_HANDLE_ENTRY_INFO_EX; + +/** Returned by SystemExtendedHandleInformation. */ +typedef struct _SYSTEM_HANDLE_INFORMATION_EX +{ + ULONG_PTR NumberOfHandles; + ULONG_PTR Reserved; + SYSTEM_HANDLE_ENTRY_INFO_EX Handles[1]; +} SYSTEM_HANDLE_INFORMATION_EX; +typedef SYSTEM_HANDLE_INFORMATION_EX *PSYSTEM_HANDLE_INFORMATION_EX; + +/** Returned by SystemSessionProcessInformation. */ +typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION +{ + ULONG SessionId; + ULONG BufferLength; + /** Return buffer, SYSTEM_PROCESS_INFORMATION entries. 
*/ + PVOID Buffer; +} SYSTEM_SESSION_PROCESS_INFORMATION; +typedef SYSTEM_SESSION_PROCESS_INFORMATION *PSYSTEM_SESSION_PROCESS_INFORMATION; + +typedef struct _RTL_PROCESS_MODULE_INFORMATION +{ + HANDLE Section; /**< 0x00 / 0x00 */ + PVOID MappedBase; /**< 0x04 / 0x08 */ + PVOID ImageBase; /**< 0x08 / 0x10 */ + ULONG ImageSize; /**< 0x0c / 0x18 */ + ULONG Flags; /**< 0x10 / 0x1c */ + USHORT LoadOrderIndex; /**< 0x14 / 0x20 */ + USHORT InitOrderIndex; /**< 0x16 / 0x22 */ + USHORT LoadCount; /**< 0x18 / 0x24 */ + USHORT OffsetToFileName; /**< 0x1a / 0x26 */ + UCHAR FullPathName[256]; /**< 0x1c / 0x28 */ +} RTL_PROCESS_MODULE_INFORMATION; +typedef RTL_PROCESS_MODULE_INFORMATION *PRTL_PROCESS_MODULE_INFORMATION; + +/** Returned by SystemModuleInformation. */ +typedef struct _RTL_PROCESS_MODULES +{ + ULONG NumberOfModules; + RTL_PROCESS_MODULE_INFORMATION Modules[1]; /**< 0x04 / 0x08 */ +} RTL_PROCESS_MODULES; +typedef RTL_PROCESS_MODULES *PRTL_PROCESS_MODULES; + +NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); +#ifndef IPRT_NT_MAP_TO_ZW +NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); +#endif + +NTSYSAPI NTSTATUS NTAPI NtSetTimerResolution(ULONG cNtTicksWanted, BOOLEAN fSetResolution, PULONG pcNtTicksCur); +NTSYSAPI NTSTATUS NTAPI NtQueryTimerResolution(PULONG pcNtTicksMin, PULONG pcNtTicksMax, PULONG pcNtTicksCur); + +NTSYSAPI NTSTATUS NTAPI NtDelayExecution(BOOLEAN, PLARGE_INTEGER); +NTSYSAPI NTSTATUS NTAPI NtYieldExecution(void); +#ifndef IPRT_NT_USE_WINTERNL +NTSYSAPI NTSTATUS NTAPI NtWaitForSingleObject(HANDLE, BOOLEAN PLARGE_INTEGER); +#endif +typedef NTSYSAPI NTSTATUS (NTAPI *PFNNTWAITFORSINGLEOBJECT)(HANDLE, BOOLEAN, PLARGE_INTEGER); +typedef enum _OBJECT_WAIT_TYPE { WaitAllObjects = 0, WaitAnyObject = 1, ObjectWaitTypeHack = 0x7fffffff } OBJECT_WAIT_TYPE; +NTSYSAPI NTSTATUS NTAPI NtWaitForMultipleObjects(ULONG, PHANDLE, OBJECT_WAIT_TYPE, BOOLEAN, PLARGE_INTEGER); 
+ +NTSYSAPI NTSTATUS NTAPI NtQuerySecurityObject(HANDLE, ULONG, PSECURITY_DESCRIPTOR, ULONG, PULONG); + +#ifdef IPRT_NT_USE_WINTERNL +typedef enum _EVENT_TYPE +{ + /* Manual reset event. */ + NotificationEvent = 0, + /* Automaitc reset event. */ + SynchronizationEvent +} EVENT_TYPE; +#endif +NTSYSAPI NTSTATUS NTAPI NtCreateEvent(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, EVENT_TYPE, BOOLEAN); +NTSYSAPI NTSTATUS NTAPI NtOpenEvent(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); +typedef NTSYSAPI NTSTATUS (NTAPI *PFNNTCLEAREVENT)(HANDLE); +NTSYSAPI NTSTATUS NTAPI NtClearEvent(HANDLE); +NTSYSAPI NTSTATUS NTAPI NtResetEvent(HANDLE, PULONG); +NTSYSAPI NTSTATUS NTAPI NtSetEvent(HANDLE, PULONG); +typedef NTSYSAPI NTSTATUS (NTAPI *PFNNTSETEVENT)(HANDLE, PULONG); +typedef enum _EVENT_INFORMATION_CLASS +{ + EventBasicInformation = 0 +} EVENT_INFORMATION_CLASS; +/** Data returned by NtQueryEvent + EventBasicInformation. */ +typedef struct EVENT_BASIC_INFORMATION +{ + EVENT_TYPE EventType; + ULONG EventState; +} EVENT_BASIC_INFORMATION; +typedef EVENT_BASIC_INFORMATION *PEVENT_BASIC_INFORMATION; +NTSYSAPI NTSTATUS NTAPI NtQueryEvent(HANDLE, EVENT_INFORMATION_CLASS, PVOID, ULONG, PULONG); + +#ifdef IPRT_NT_USE_WINTERNL +/** For NtQueryValueKey. */ +typedef enum _KEY_VALUE_INFORMATION_CLASS +{ + KeyValueBasicInformation = 0, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64 +} KEY_VALUE_INFORMATION_CLASS; + +/** KeyValuePartialInformation and KeyValuePartialInformationAlign64 struct. 
*/ +typedef struct _KEY_VALUE_PARTIAL_INFORMATION +{ + ULONG TitleIndex; + ULONG Type; + ULONG DataLength; + UCHAR Data[1]; +} KEY_VALUE_PARTIAL_INFORMATION; +typedef KEY_VALUE_PARTIAL_INFORMATION *PKEY_VALUE_PARTIAL_INFORMATION; +#endif +NTSYSAPI NTSTATUS NTAPI NtOpenKey(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); +NTSYSAPI NTSTATUS NTAPI NtQueryValueKey(HANDLE, PUNICODE_STRING, KEY_VALUE_INFORMATION_CLASS, PVOID, ULONG, PULONG); + + +NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce(PACL, ULONG, ULONG, PSID); + + +typedef struct _CURDIR +{ + UNICODE_STRING DosPath; + HANDLE Handle; /**< 0x10 / 0x08 */ +} CURDIR; +AssertCompileSize(CURDIR, ARCH_BITS == 32 ? 0x0c : 0x18); +typedef CURDIR *PCURDIR; + +typedef struct _RTL_DRIVE_LETTER_CURDIR +{ + USHORT Flags; + USHORT Length; + ULONG TimeStamp; + STRING DosPath; /**< Yeah, it's STRING according to dt ntdll!_RTL_DRIVE_LETTER_CURDIR. */ +} RTL_DRIVE_LETTER_CURDIR; +typedef RTL_DRIVE_LETTER_CURDIR *PRTL_DRIVE_LETTER_CURDIR; + +typedef struct _RTL_USER_PROCESS_PARAMETERS +{ + ULONG MaximumLength; /**< 0x000 / 0x000 */ + ULONG Length; /**< 0x004 / 0x004 */ + ULONG Flags; /**< 0x008 / 0x008 */ + ULONG DebugFlags; /**< 0x00c / 0x00c */ + HANDLE ConsoleHandle; /**< 0x010 / 0x010 */ + ULONG ConsoleFlags; /**< 0x018 / 0x014 */ + HANDLE StandardInput; /**< 0x020 / 0x018 */ + HANDLE StandardOutput; /**< 0x028 / 0x01c */ + HANDLE StandardError; /**< 0x030 / 0x020 */ + CURDIR CurrentDirectory; /**< 0x038 / 0x024 */ + UNICODE_STRING DllPath; /**< 0x050 / 0x030 */ + UNICODE_STRING ImagePathName; /**< 0x060 / 0x038 */ + UNICODE_STRING CommandLine; /**< 0x070 / 0x040 */ + PWSTR Environment; /**< 0x080 / 0x048 */ + ULONG StartingX; /**< 0x088 / 0x04c */ + ULONG StartingY; /**< 0x090 / 0x050 */ + ULONG CountX; /**< 0x094 / 0x054 */ + ULONG CountY; /**< 0x098 / 0x058 */ + ULONG CountCharsX; /**< 0x09c / 0x05c */ + ULONG CountCharsY; /**< 0x0a0 / 0x060 */ + ULONG FillAttribute; /**< 0x0a4 / 0x064 */ + ULONG WindowFlags; /**< 0x0a8 / 0x068 */ 
+ ULONG ShowWindowFlags; /**< 0x0ac / 0x06c */ + UNICODE_STRING WindowTitle; /**< 0x0b0 / 0x070 */ + UNICODE_STRING DesktopInfo; /**< 0x0c0 / 0x078 */ + UNICODE_STRING ShellInfo; /**< 0x0d0 / 0x080 */ + UNICODE_STRING RuntimeInfo; /**< 0x0e0 / 0x088 */ + RTL_DRIVE_LETTER_CURDIR CurrentDirectories[0x20]; /**< 0x0f0 / 0x090 */ + SIZE_T EnvironmentSize; /**< 0x3f0 / 0x - Added in Vista */ + SIZE_T EnvironmentVersion; /**< 0x3f8 / 0x - Added in Windows 7. */ + PVOID PackageDependencyData; /**< 0x400 / 0x - Added Windows 8? */ + ULONG ProcessGroupId; /**< 0x408 / 0x - Added Windows 8? */ + ULONG LoaderThreads; /**< 0x40c / 0x - Added Windows 10? */ +} RTL_USER_PROCESS_PARAMETERS; +typedef RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; +#define RTL_USER_PROCESS_PARAMS_FLAG_NORMALIZED 1 + +typedef struct _RTL_USER_PROCESS_INFORMATION +{ + ULONG Size; + HANDLE ProcessHandle; + HANDLE ThreadHandle; + CLIENT_ID ClientId; + SECTION_IMAGE_INFORMATION ImageInformation; +} RTL_USER_PROCESS_INFORMATION; +typedef RTL_USER_PROCESS_INFORMATION *PRTL_USER_PROCESS_INFORMATION; + + +NTSYSAPI NTSTATUS NTAPI RtlCreateUserProcess(PUNICODE_STRING, ULONG, PRTL_USER_PROCESS_PARAMETERS, PSECURITY_DESCRIPTOR, + PSECURITY_DESCRIPTOR, HANDLE, BOOLEAN, HANDLE, HANDLE, PRTL_USER_PROCESS_INFORMATION); +NTSYSAPI NTSTATUS NTAPI RtlCreateProcessParameters(PRTL_USER_PROCESS_PARAMETERS *, PUNICODE_STRING ImagePathName, + PUNICODE_STRING DllPath, PUNICODE_STRING CurrentDirectory, + PUNICODE_STRING CommandLine, PUNICODE_STRING Environment, + PUNICODE_STRING WindowTitle, PUNICODE_STRING DesktopInfo, + PUNICODE_STRING ShellInfo, PUNICODE_STRING RuntimeInfo); +NTSYSAPI VOID NTAPI RtlDestroyProcessParameters(PRTL_USER_PROCESS_PARAMETERS); +NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread(HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, SIZE_T, SIZE_T, + PFNRT, PVOID, PHANDLE, PCLIENT_ID); + +#ifndef RTL_CRITICAL_SECTION_FLAG_NO_DEBUG_INFO +typedef struct _RTL_CRITICAL_SECTION +{ + struct 
_RTL_CRITICAL_SECTION_DEBUG *DebugInfo; + LONG LockCount; + LONG Recursioncount; + HANDLE OwningThread; + HANDLE LockSemaphore; + ULONG_PTR SpinCount; +} RTL_CRITICAL_SECTION; +typedef RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; +#endif + +/*NTSYSAPI ULONG NTAPI RtlNtStatusToDosError(NTSTATUS rcNt);*/ + +/** @def RTL_QUERY_REGISTRY_TYPECHECK + * WDK 8.1+, backported in updates, ignored in older. */ +#if !defined(RTL_QUERY_REGISTRY_TYPECHECK) || defined(DOXYGEN_RUNNING) +# define RTL_QUERY_REGISTRY_TYPECHECK UINT32_C(0x00000100) +#endif +/** @def RTL_QUERY_REGISTRY_TYPECHECK_SHIFT + * WDK 8.1+, backported in updates, ignored in older. */ +#if !defined(RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) || defined(DOXYGEN_RUNNING) +# define RTL_QUERY_REGISTRY_TYPECHECK_SHIFT 24 +#endif + + +RT_C_DECLS_END +/** @} */ + + +#if defined(IN_RING0) || defined(DOXYGEN_RUNNING) +/** @name NT Kernel APIs + * @{ */ +RT_C_DECLS_BEGIN + +typedef ULONG KEPROCESSORINDEX; /**< Bitmap indexes != process numbers, apparently. 
*/ + +NTSYSAPI VOID NTAPI KeInitializeAffinityEx(PKAFFINITY_EX pAffinity); +typedef VOID (NTAPI *PFNKEINITIALIZEAFFINITYEX)(PKAFFINITY_EX pAffinity); +NTSYSAPI VOID NTAPI KeAddProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +typedef VOID (NTAPI *PFNKEADDPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +NTSYSAPI VOID NTAPI KeRemoveProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +typedef VOID (NTAPI *PFNKEREMOVEPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +NTSYSAPI BOOLEAN NTAPI KeInterlockedSetProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +typedef BOOLEAN (NTAPI *PFNKEINTERLOCKEDSETPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +NTSYSAPI BOOLEAN NTAPI KeInterlockedClearProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +typedef BOOLEAN (NTAPI *PFNKEINTERLOCKEDCLEARPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +NTSYSAPI BOOLEAN NTAPI KeCheckProcessorAffinityEx(PCKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +typedef BOOLEAN (NTAPI *PFNKECHECKPROCESSORAFFINITYEX)(PCKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); +NTSYSAPI VOID NTAPI KeCopyAffinityEx(PKAFFINITY_EX pDst, PCKAFFINITY_EX pSrc); +typedef VOID (NTAPI *PFNKECOPYAFFINITYEX)(PKAFFINITY_EX pDst, PCKAFFINITY_EX pSrc); +NTSYSAPI VOID NTAPI KeComplementAffinityEx(PKAFFINITY_EX pResult, PCKAFFINITY_EX pIn); +typedef VOID (NTAPI *PFNKECOMPLEMENTAFFINITYEX)(PKAFFINITY_EX pResult, PCKAFFINITY_EX pIn); +NTSYSAPI BOOLEAN NTAPI KeAndAffinityEx(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); +typedef BOOLEAN (NTAPI *PFNKEANDAFFINITYEX)(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); +NTSYSAPI BOOLEAN NTAPI KeOrAffinityEx(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); +typedef BOOLEAN 
(NTAPI *PFNKEORAFFINITYEX)(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); +/** Works like anding the complemented subtrahend with the minuend. */ +NTSYSAPI BOOLEAN NTAPI KeSubtractAffinityEx(PCKAFFINITY_EX pMinuend, PCKAFFINITY_EX pSubtrahend, PKAFFINITY_EX pResult OPTIONAL); +typedef BOOLEAN (NTAPI *PFNKESUBTRACTAFFINITYEX)(PCKAFFINITY_EX pMinuend, PCKAFFINITY_EX pSubtrahend, PKAFFINITY_EX pResult OPTIONAL); +NTSYSAPI BOOLEAN NTAPI KeIsEqualAffinityEx(PCKAFFINITY_EX pLeft, PCKAFFINITY_EX pRight); +typedef BOOLEAN (NTAPI *PFNKEISEQUALAFFINITYEX)(PCKAFFINITY_EX pLeft, PCKAFFINITY_EX pRight); +NTSYSAPI BOOLEAN NTAPI KeIsEmptyAffinityEx(PCKAFFINITY_EX pAffinity); +typedef BOOLEAN (NTAPI *PFNKEISEMPTYAFFINITYEX)(PCKAFFINITY_EX pAffinity); +NTSYSAPI BOOLEAN NTAPI KeIsSubsetAffinityEx(PCKAFFINITY_EX pSubset, PCKAFFINITY_EX pSuperSet); +typedef BOOLEAN (NTAPI *PFNKEISSUBSETAFFINITYEX)(PCKAFFINITY_EX pSubset, PCKAFFINITY_EX pSuperSet); +NTSYSAPI ULONG NTAPI KeCountSetBitsAffinityEx(PCKAFFINITY_EX pAffinity); +typedef ULONG (NTAPI *PFNKECOUNTSETAFFINITYEX)(PCKAFFINITY_EX pAffinity); +NTSYSAPI KEPROCESSORINDEX NTAPI KeFindFirstSetLeftAffinityEx(PCKAFFINITY_EX pAffinity); +typedef KEPROCESSORINDEX (NTAPI *PFNKEFINDFIRSTSETLEFTAFFINITYEX)(PCKAFFINITY_EX pAffinity); +typedef NTSTATUS (NTAPI *PFNKEGETPROCESSORNUMBERFROMINDEX)(KEPROCESSORINDEX idxProcessor, PPROCESSOR_NUMBER pProcNumber); +typedef KEPROCESSORINDEX (NTAPI *PFNKEGETPROCESSORINDEXFROMNUMBER)(const PROCESSOR_NUMBER *pProcNumber); +typedef NTSTATUS (NTAPI *PFNKEGETPROCESSORNUMBERFROMINDEX)(KEPROCESSORINDEX ProcIndex, PROCESSOR_NUMBER *pProcNumber); +typedef KEPROCESSORINDEX (NTAPI *PFNKEGETCURRENTPROCESSORNUMBEREX)(const PROCESSOR_NUMBER *pProcNumber); +typedef KAFFINITY (NTAPI *PFNKEQUERYACTIVEPROCESSORS)(VOID); +typedef ULONG (NTAPI *PFNKEQUERYMAXIMUMPROCESSORCOUNT)(VOID); +typedef ULONG (NTAPI *PFNKEQUERYMAXIMUMPROCESSORCOUNTEX)(USHORT GroupNumber); +typedef USHORT (NTAPI 
*PFNKEQUERYMAXIMUMGROUPCOUNT)(VOID);
+typedef ULONG (NTAPI *PFNKEQUERYACTIVEPROCESSORCOUNT)(KAFFINITY *pfActiveProcessors);
+typedef ULONG (NTAPI *PFNKEQUERYACTIVEPROCESSORCOUNTEX)(USHORT GroupNumber);
+typedef NTSTATUS (NTAPI *PFNKEQUERYLOGICALPROCESSORRELATIONSHIP)(PROCESSOR_NUMBER *pProcNumber,
+ LOGICAL_PROCESSOR_RELATIONSHIP RelationShipType,
+ SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX *pInfo, PULONG pcbInfo);
+typedef PVOID (NTAPI *PFNKEREGISTERPROCESSORCHANGECALLBACK)(PPROCESSOR_CALLBACK_FUNCTION pfnCallback, void *pvUser, ULONG fFlags);
+typedef VOID (NTAPI *PFNKEDEREGISTERPROCESSORCHANGECALLBACK)(PVOID pvCallback);
+typedef NTSTATUS (NTAPI *PFNKESETTARGETPROCESSORDPCEX)(KDPC *pDpc, PROCESSOR_NUMBER *pProcNumber);
+typedef LOGICAL (NTAPI *PFNKESHOULDYIELDPROCESSOR)(void);
+
+NTSYSAPI BOOLEAN NTAPI ObFindHandleForObject(PEPROCESS pProcess, PVOID pvObject, POBJECT_TYPE pObjectType,
+ PVOID pvOptionalConditions, PHANDLE phFound);
+NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName(PUNICODE_STRING pObjectPath, ULONG fAttributes, PACCESS_STATE pAccessState,
+ ACCESS_MASK fDesiredAccess, POBJECT_TYPE pObjectType,
+ KPROCESSOR_MODE enmAccessMode, PVOID pvParseContext, PVOID *ppvObject);
+NTSYSAPI HANDLE NTAPI PsGetProcessInheritedFromUniqueProcessId(PEPROCESS);
+NTSYSAPI UCHAR * NTAPI PsGetProcessImageFileName(PEPROCESS);
+NTSYSAPI BOOLEAN NTAPI PsIsProcessBeingDebugged(PEPROCESS);
+NTSYSAPI ULONG NTAPI PsGetProcessSessionId(PEPROCESS);
+extern DECLIMPORT(POBJECT_TYPE *) LpcPortObjectType; /**< In vista+ this is the ALPC port object type. */
+extern DECLIMPORT(POBJECT_TYPE *) LpcWaitablePortObjectType; /**< In vista+ this is the ALPC port object type.
*/
+
+typedef VOID (NTAPI *PFNHALREQUESTIPI_PRE_W7)(KAFFINITY TargetSet);
+typedef VOID (NTAPI *PFNHALREQUESTIPI_W7PLUS)(ULONG uUsuallyZero, PCKAFFINITY_EX pTargetSet);
+
+RT_C_DECLS_END
+/** @ */
+#endif /* IN_RING0 */
+
+
+#if defined(IN_RING3) || defined(DOXYGEN_RUNNING)
+/** @name NT Userland APIs
+ * @{ */
+RT_C_DECLS_BEGIN
+
+#if 0 /** @todo figure this out some time... */
+typedef struct CSR_MSG_DATA_CREATED_PROCESS
+{
+ HANDLE hProcess;
+ HANDLE hThread;
+ CLIENT_ID
+ DWORD idProcess;
+ DWORD idThread;
+ DWORD fCreate;
+
+} CSR_MSG_DATA_CREATED_PROCESS;
+
+#define CSR_MSG_NO_CREATED_PROCESS UINT32_C(0x10000)
+#define CSR_MSG_NO_CREATED_THREAD UINT32_C(0x10001)
+NTSYSAPI NTSTATUS NTAPI CsrClientCallServer(PVOID, PVOID, ULONG, SIZE_T);
+#endif
+
+NTSYSAPI VOID NTAPI LdrInitializeThunk(PVOID, PVOID, PVOID);
+
+typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA
+{
+ ULONG Flags;
+ PCUNICODE_STRING FullDllName;
+ PCUNICODE_STRING BaseDllName;
+ PVOID DllBase;
+ ULONG SizeOfImage;
+} LDR_DLL_LOADED_NOTIFICATION_DATA, LDR_DLL_UNLOADED_NOTIFICATION_DATA;
+typedef LDR_DLL_LOADED_NOTIFICATION_DATA *PLDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+typedef LDR_DLL_LOADED_NOTIFICATION_DATA const *PCLDR_DLL_LOADED_NOTIFICATION_DATA, *PCLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+
+typedef union _LDR_DLL_NOTIFICATION_DATA
+{
+ LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
+ LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
+} LDR_DLL_NOTIFICATION_DATA;
+typedef LDR_DLL_NOTIFICATION_DATA *PLDR_DLL_NOTIFICATION_DATA;
+typedef LDR_DLL_NOTIFICATION_DATA const *PCLDR_DLL_NOTIFICATION_DATA;
+
+typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(ULONG ulReason, PCLDR_DLL_NOTIFICATION_DATA pData, PVOID pvUser);
+
+#define LDR_DLL_NOTIFICATION_REASON_LOADED UINT32_C(1)
+#define LDR_DLL_NOTIFICATION_REASON_UNLOADED UINT32_C(2)
+NTSYSAPI NTSTATUS NTAPI LdrRegisterDllNotification(ULONG fFlags, PLDR_DLL_NOTIFICATION_FUNCTION pfnCallback, PVOID pvUser,
+ PVOID *pvCookie);
+typedef NTSTATUS (NTAPI *PFNLDRREGISTERDLLNOTIFICATION)(ULONG, PLDR_DLL_NOTIFICATION_FUNCTION, PVOID, PVOID *);
+NTSYSAPI NTSTATUS NTAPI LdrUnregisterDllNotification(PVOID pvCookie);
+typedef NTSTATUS (NTAPI *PFNLDRUNREGISTERDLLNOTIFICATION)(PVOID);
+
+NTSYSAPI NTSTATUS NTAPI LdrLoadDll(IN PWSTR pwszSearchPathOrFlags OPTIONAL, IN PULONG pfFlags OPTIONAL,
+ IN PCUNICODE_STRING pName, OUT PHANDLE phMod);
+typedef NTSTATUS (NTAPI *PFNLDRLOADDLL)(IN PWSTR pwszSearchPathOrFlags OPTIONAL, IN PULONG pfFlags OPTIONAL,
+ IN PCUNICODE_STRING pName, OUT PHANDLE phMod);
+NTSYSAPI NTSTATUS NTAPI LdrUnloadDll(IN HANDLE hMod);
+typedef NTSTATUS (NTAPI *PFNLDRUNLOADDLL)(IN HANDLE hMod);
+NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle(IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL,
+ IN PCUNICODE_STRING pName, OUT PHANDLE phDll);
+typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLE)(IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL,
+ IN PCUNICODE_STRING pName, OUT PHANDLE phDll);
+#define LDRGETDLLHANDLEEX_F_UNCHANGED_REFCOUNT RT_BIT_32(0)
+#define LDRGETDLLHANDLEEX_F_PIN RT_BIT_32(1)
+/** @since Windows XP. */
+NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleEx(IN ULONG fFlags, IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL,
+ IN PCUNICODE_STRING pName, OUT PHANDLE phDll);
+/** @since Windows XP. */
+typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLEEX)(IN ULONG fFlags, IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL,
+ IN PCUNICODE_STRING pName, OUT PHANDLE phDll);
+/** @since Windows 7. */
+NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByMapping(IN PVOID pvBase, OUT PHANDLE phDll);
+/** @since Windows 7. */
+typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLEBYMAPPING)(IN PVOID pvBase, OUT PHANDLE phDll);
+/** @since Windows 7. */
+NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByName(IN PCUNICODE_STRING pName OPTIONAL, IN PCUNICODE_STRING pFullName OPTIONAL,
+ OUT PHANDLE phDll);
+/** @since Windows 7.
*/
+typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLEBYNAME)(IN PCUNICODE_STRING pName OPTIONAL, IN PCUNICODE_STRING pFullName OPTIONAL,
+ OUT PHANDLE phDll);
+#define LDRADDREFDLL_F_PIN RT_BIT_32(0)
+NTSYSAPI NTSTATUS NTAPI LdrAddRefDll(IN ULONG fFlags, IN HANDLE hDll);
+typedef NTSTATUS (NTAPI *PFNLDRADDREFDLL)(IN ULONG fFlags, IN HANDLE hDll);
+NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddress(IN HANDLE hDll, IN ANSI_STRING const *pSymbol OPTIONAL,
+ IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol);
+typedef NTSTATUS (NTAPI *PFNLDRGETPROCEDUREADDRESS)(IN HANDLE hDll, IN PCANSI_STRING pSymbol OPTIONAL,
+ IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol);
+#define LDRGETPROCEDUREADDRESSEX_F_DONT_RECORD_FORWARDER RT_BIT_32(0)
+/** @since Windows Vista. */
+NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddressEx(IN HANDLE hDll, IN ANSI_STRING const *pSymbol OPTIONAL,
+ IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol, ULONG fFlags);
+/** @since Windows Vista. */
+typedef NTSTATUS (NTAPI *PFNLDRGETPROCEDUREADDRESSEX)(IN HANDLE hDll, IN ANSI_STRING const *pSymbol OPTIONAL,
+ IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol, ULONG fFlags);
+#define LDRLOCKLOADERLOCK_F_RAISE_ERRORS RT_BIT_32(0)
+#define LDRLOCKLOADERLOCK_F_NO_WAIT RT_BIT_32(1)
+#define LDRLOCKLOADERLOCK_DISP_INVALID UINT32_C(0)
+#define LDRLOCKLOADERLOCK_DISP_ACQUIRED UINT32_C(1)
+#define LDRLOCKLOADERLOCK_DISP_NOT_ACQUIRED UINT32_C(2)
+/** @since Windows XP. */
+NTSYSAPI NTSTATUS NTAPI LdrLockLoaderLock(IN ULONG fFlags, OUT PULONG puDisposition OPTIONAL, OUT PVOID *ppvCookie);
+/** @since Windows XP. */
+typedef NTSTATUS (NTAPI *PFNLDRLOCKLOADERLOCK)(IN ULONG fFlags, OUT PULONG puDisposition OPTIONAL, OUT PVOID *ppvCookie);
+#define LDRUNLOCKLOADERLOCK_F_RAISE_ERRORS RT_BIT_32(0)
+/** @since Windows XP. */
+NTSYSAPI NTSTATUS NTAPI LdrUnlockLoaderLock(IN ULONG fFlags, OUT PVOID pvCookie);
+/** @since Windows XP.
*/
+typedef NTSTATUS (NTAPI *PFNLDRUNLOCKLOADERLOCK)(IN ULONG fFlags, OUT PVOID pvCookie);
+
+NTSYSAPI NTSTATUS NTAPI RtlExpandEnvironmentStrings_U(PVOID, PUNICODE_STRING, PUNICODE_STRING, PULONG);
+NTSYSAPI VOID NTAPI RtlExitUserProcess(NTSTATUS rcExitCode); /**< Vista and later. */
+NTSYSAPI VOID NTAPI RtlExitUserThread(NTSTATUS rcExitCode);
+NTSYSAPI NTSTATUS NTAPI RtlDosApplyFileIsolationRedirection_Ustr(IN ULONG fFlags,
+ IN PCUNICODE_STRING pOrgName,
+ IN PUNICODE_STRING pDefaultSuffix,
+ IN OUT PUNICODE_STRING pStaticString,
+ IN OUT PUNICODE_STRING pDynamicString,
+ IN OUT PUNICODE_STRING *ppResultString,
+ IN PULONG pfNewFlags OPTIONAL,
+ IN PSIZE_T pcbFilename OPTIONAL,
+ IN PSIZE_T pcbNeeded OPTIONAL);
+/** @since Windows 8.
+ * @note Status code is always zero in windows 10 build 14393. */
+NTSYSAPI NTSTATUS NTAPI ApiSetQueryApiSetPresence(IN PCUNICODE_STRING pAllegedApiSetDll, OUT PBOOLEAN pfPresent);
+/** @copydoc ApiSetQueryApiSetPresence */
+typedef NTSTATUS (NTAPI *PFNAPISETQUERYAPISETPRESENCE)(IN PCUNICODE_STRING pAllegedApiSetDll, OUT PBOOLEAN pfPresent);
+
+
+# ifdef IPRT_NT_USE_WINTERNL
+typedef NTSTATUS NTAPI RTL_HEAP_COMMIT_ROUTINE(PVOID, PVOID *, PSIZE_T);
+typedef RTL_HEAP_COMMIT_ROUTINE *PRTL_HEAP_COMMIT_ROUTINE;
+typedef struct _RTL_HEAP_PARAMETERS
+{
+ ULONG Length;
+ SIZE_T SegmentReserve;
+ SIZE_T SegmentCommit;
+ SIZE_T DeCommitFreeBlockThreshold;
+ SIZE_T DeCommitTotalFreeThreshold;
+ SIZE_T MaximumAllocationSize;
+ SIZE_T VirtualMemoryThreshold;
+ SIZE_T InitialCommit;
+ SIZE_T InitialReserve;
+ PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
+ SIZE_T Reserved[2];
+} RTL_HEAP_PARAMETERS;
+typedef RTL_HEAP_PARAMETERS *PRTL_HEAP_PARAMETERS;
+NTSYSAPI PVOID NTAPI RtlCreateHeap(ULONG fFlags, PVOID pvHeapBase, SIZE_T cbReserve, SIZE_T cbCommit, PVOID pvLock,
+ PRTL_HEAP_PARAMETERS pParameters);
+/** @name Heap flags (for RtlCreateHeap).
+ * @{ */
+/*# define HEAP_NO_SERIALIZE UINT32_C(0x00000001)
+# define HEAP_GROWABLE UINT32_C(0x00000002)
+# define HEAP_GENERATE_EXCEPTIONS UINT32_C(0x00000004)
+# define HEAP_ZERO_MEMORY UINT32_C(0x00000008)
+# define HEAP_REALLOC_IN_PLACE_ONLY UINT32_C(0x00000010)
+# define HEAP_TAIL_CHECKING_ENABLED UINT32_C(0x00000020)
+# define HEAP_FREE_CHECKING_ENABLED UINT32_C(0x00000040)
+# define HEAP_DISABLE_COALESCE_ON_FREE UINT32_C(0x00000080)*/
+# define HEAP_SETTABLE_USER_VALUE UINT32_C(0x00000100)
+# define HEAP_SETTABLE_USER_FLAG1 UINT32_C(0x00000200)
+# define HEAP_SETTABLE_USER_FLAG2 UINT32_C(0x00000400)
+# define HEAP_SETTABLE_USER_FLAG3 UINT32_C(0x00000800)
+# define HEAP_SETTABLE_USER_FLAGS UINT32_C(0x00000e00)
+# define HEAP_CLASS_0 UINT32_C(0x00000000)
+# define HEAP_CLASS_1 UINT32_C(0x00001000)
+# define HEAP_CLASS_2 UINT32_C(0x00002000)
+# define HEAP_CLASS_3 UINT32_C(0x00003000)
+# define HEAP_CLASS_4 UINT32_C(0x00004000)
+# define HEAP_CLASS_5 UINT32_C(0x00005000)
+# define HEAP_CLASS_6 UINT32_C(0x00006000)
+# define HEAP_CLASS_7 UINT32_C(0x00007000)
+# define HEAP_CLASS_8 UINT32_C(0x00008000)
+# define HEAP_CLASS_MASK UINT32_C(0x0000f000)
+# endif
+# define HEAP_CLASS_PROCESS HEAP_CLASS_0
+# define HEAP_CLASS_PRIVATE HEAP_CLASS_1
+# define HEAP_CLASS_KERNEL HEAP_CLASS_2
+# define HEAP_CLASS_GDI HEAP_CLASS_3
+# define HEAP_CLASS_USER HEAP_CLASS_4
+# define HEAP_CLASS_CONSOLE HEAP_CLASS_5
+# define HEAP_CLASS_USER_DESKTOP HEAP_CLASS_6
+# define HEAP_CLASS_CSRSS_SHARED HEAP_CLASS_7
+# define HEAP_CLASS_CSRSS_PORT HEAP_CLASS_8
+# ifdef IPRT_NT_USE_WINTERNL
+/*# define HEAP_CREATE_ALIGN_16 UINT32_C(0x00010000)
+# define HEAP_CREATE_ENABLE_TRACING UINT32_C(0x00020000)
+# define HEAP_CREATE_ENABLE_EXECUTE UINT32_C(0x00040000)*/
+# define HEAP_CREATE_VALID_MASK UINT32_C(0x0007f0ff)
+# endif /* IPRT_NT_USE_WINTERNL */
+/** @} */
+# ifdef IPRT_NT_USE_WINTERNL
+/** @name Heap tagging constants
+ * @{ */
+# define HEAP_GLOBAL_TAG UINT32_C(0x00000800)
+/*# define
HEAP_MAXIMUM_TAG UINT32_C(0x00000fff)
+# define HEAP_PSEUDO_TAG_FLAG UINT32_C(0x00008000)
+# define HEAP_TAG_SHIFT 18 */
+# define HEAP_TAG_MASK (HEAP_MAXIMUM_TAG << HEAP_TAG_SHIFT)
+/** @} */
+NTSYSAPI PVOID NTAPI RtlAllocateHeap(HANDLE hHeap, ULONG fFlags, SIZE_T cb);
+NTSYSAPI PVOID NTAPI RtlReAllocateHeap(HANDLE hHeap, ULONG fFlags, PVOID pvOld, SIZE_T cbNew);
+NTSYSAPI BOOLEAN NTAPI RtlFreeHeap(HANDLE hHeap, ULONG fFlags, PVOID pvMem);
+# endif /* IPRT_NT_USE_WINTERNL */
+NTSYSAPI SIZE_T NTAPI RtlCompactHeap(HANDLE hHeap, ULONG fFlags);
+NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING);
+NTSYSAPI SIZE_T NTAPI RtlSizeHeap(HANDLE hHeap, ULONG fFlags, PVOID pvMem);
+NTSYSAPI NTSTATUS NTAPI RtlGetLastNtStatus(VOID);
+NTSYSAPI ULONG NTAPI RtlGetLastWin32Error(VOID);
+NTSYSAPI VOID NTAPI RtlSetLastWin32Error(ULONG uError);
+NTSYSAPI VOID NTAPI RtlSetLastWin32ErrorAndNtStatusFromNtStatus(NTSTATUS rcNt);
+NTSYSAPI VOID NTAPI RtlRestoreLastWin32Error(ULONG uError);
+NTSYSAPI BOOLEAN NTAPI RtlQueryPerformanceCounter(PLARGE_INTEGER);
+NTSYSAPI uint64_t NTAPI RtlGetSystemTimePrecise(VOID);
+typedef uint64_t (NTAPI * PFNRTLGETSYSTEMTIMEPRECISE)(VOID);
+NTSYSAPI uint64_t NTAPI RtlGetInterruptTimePrecise(uint64_t *puPerfTime);
+typedef uint64_t (NTAPI * PFNRTLGETINTERRUPTTIMEPRECISE)(uint64_t *);
+NTSYSAPI BOOLEAN NTAPI RtlQueryUnbiasedInterruptTime(uint64_t *puInterruptTime);
+typedef BOOLEAN (NTAPI * PFNRTLQUERYUNBIASEDINTERRUPTTIME)(uint64_t *);
+
+RT_C_DECLS_END
+/** @} */
+#endif /* IN_RING3 */
+
+#endif /* !IPRT_INCLUDED_nt_nt_h */
+ |