/* $Id: nt.h $ */ /** @file * IPRT - Header for code using the Native NT API. */ /* * Copyright (C) 2010-2019 Oracle Corporation * * This file is part of VirtualBox Open Source Edition (OSE), as * available from http://www.virtualbox.org. This file is free software; * you can redistribute it and/or modify it under the terms of the GNU * General Public License (GPL) as published by the Free Software * Foundation, in version 2 as it comes in the "COPYING" file of the * VirtualBox OSE distribution. VirtualBox OSE is distributed in the * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind. * * The contents of this file may alternatively be used under the terms * of the Common Development and Distribution License Version 1.0 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the * VirtualBox OSE distribution, in which case the provisions of the * CDDL are applicable instead of those of the GPL. * * You may elect to license modified versions of this file under the * terms and conditions of either the GPL or the CDDL or both. */ #ifndef IPRT_INCLUDED_nt_nt_h #define IPRT_INCLUDED_nt_nt_h #ifndef RT_WITHOUT_PRAGMA_ONCE # pragma once #endif /** @def IPRT_NT_MAP_TO_ZW * Map Nt calls to Zw calls. In ring-0 the Zw calls let you pass kernel memory * to the APIs (takes care of the previous context checks). */ #ifdef DOXYGEN_RUNNING # define IPRT_NT_MAP_TO_ZW #endif #ifdef IPRT_NT_MAP_TO_ZW # define NtQueryInformationFile ZwQueryInformationFile # define NtQueryInformationProcess ZwQueryInformationProcess # define NtQueryInformationThread ZwQueryInformationThread # define NtQueryFullAttributesFile ZwQueryFullAttributesFile # define NtQuerySystemInformation ZwQuerySystemInformation # define NtQuerySecurityObject ZwQuerySecurityObject # define NtSetInformationFile ZwSetInformationFile # define NtClose ZwClose # define NtCreateFile ZwCreateFile # define NtReadFile ZwReadFile # define NtWriteFile ZwWriteFile # define NtFlushBuffersFile ZwFlushBuffersFile /** @todo this is very incomplete! */ #endif #include /* * Hacks common to both base header sets. */ #define RtlFreeUnicodeString WrongLinkage_RtlFreeUnicodeString #define NtQueryObject Incomplete_NtQueryObject #define ZwQueryObject Incomplete_ZwQueryObject #define NtSetInformationObject Incomplete_NtSetInformationObject #define _OBJECT_INFORMATION_CLASS Incomplete_OBJECT_INFORMATION_CLASS #define OBJECT_INFORMATION_CLASS Incomplete_OBJECT_INFORMATION_CLASS #define ObjectBasicInformation Incomplete_ObjectBasicInformation #define ObjectTypeInformation Incomplete_ObjectTypeInformation #define _PEB Incomplete__PEB #define PEB Incomplete_PEB #define PPEB Incomplete_PPEB #define _TEB Incomplete__TEB #define TEB Incomplete_TEB #define PTEB Incomplete_PTEB #define _PEB_LDR_DATA Incomplete__PEB_LDR_DATA #define PEB_LDR_DATA Incomplete_PEB_LDR_DATA #define PPEB_LDR_DATA Incomplete_PPEB_LDR_DATA #define _KUSER_SHARED_DATA Incomplete__KUSER_SHARED_DATA #define KUSER_SHARED_DATA Incomplete_KUSER_SHARED_DATA #define PKUSER_SHARED_DATA Incomplete_PKUSER_SHARED_DATA #ifdef IPRT_NT_USE_WINTERNL /* * Use Winternl.h. */ # define _FILE_INFORMATION_CLASS IncompleteWinternl_FILE_INFORMATION_CLASS # define FILE_INFORMATION_CLASS IncompleteWinternl_FILE_INFORMATION_CLASS # define FileDirectoryInformation IncompleteWinternl_FileDirectoryInformation # define NtQueryInformationProcess IncompleteWinternl_NtQueryInformationProcess # define NtSetInformationProcess IncompleteWinternl_NtSetInformationProcess # define PROCESSINFOCLASS IncompleteWinternl_PROCESSINFOCLASS # define _PROCESSINFOCLASS IncompleteWinternl_PROCESSINFOCLASS # define PROCESS_BASIC_INFORMATION IncompleteWinternl_PROCESS_BASIC_INFORMATION # define PPROCESS_BASIC_INFORMATION IncompleteWinternl_PPROCESS_BASIC_INFORMATION # define _PROCESS_BASIC_INFORMATION IncompleteWinternl_PROCESS_BASIC_INFORMATION # define ProcessBasicInformation IncompleteWinternl_ProcessBasicInformation # define ProcessDebugPort IncompleteWinternl_ProcessDebugPort # define ProcessWow64Information IncompleteWinternl_ProcessWow64Information # define ProcessImageFileName IncompleteWinternl_ProcessImageFileName # define ProcessBreakOnTermination IncompleteWinternl_ProcessBreakOnTermination # define RTL_USER_PROCESS_PARAMETERS IncompleteWinternl_RTL_USER_PROCESS_PARAMETERS # define PRTL_USER_PROCESS_PARAMETERS IncompleteWinternl_PRTL_USER_PROCESS_PARAMETERS # define _RTL_USER_PROCESS_PARAMETERS IncompleteWinternl__RTL_USER_PROCESS_PARAMETERS # define NtQueryInformationThread IncompleteWinternl_NtQueryInformationThread # define NtSetInformationThread IncompleteWinternl_NtSetInformationThread # define THREADINFOCLASS IncompleteWinternl_THREADINFOCLASS # define _THREADINFOCLASS IncompleteWinternl_THREADINFOCLASS # define ThreadIsIoPending IncompleteWinternl_ThreadIsIoPending # define NtQuerySystemInformation IncompleteWinternl_NtQuerySystemInformation # define NtSetSystemInformation IncompleteWinternl_NtSetSystemInformation # define SYSTEM_INFORMATION_CLASS IncompleteWinternl_SYSTEM_INFORMATION_CLASS # define _SYSTEM_INFORMATION_CLASS IncompleteWinternl_SYSTEM_INFORMATION_CLASS # define SystemBasicInformation IncompleteWinternl_SystemBasicInformation # define SystemPerformanceInformation IncompleteWinternl_SystemPerformanceInformation # define SystemTimeOfDayInformation IncompleteWinternl_SystemTimeOfDayInformation # define SystemProcessInformation IncompleteWinternl_SystemProcessInformation # define SystemProcessorPerformanceInformation IncompleteWinternl_SystemProcessorPerformanceInformation # define SystemInterruptInformation IncompleteWinternl_SystemInterruptInformation # define SystemExceptionInformation IncompleteWinternl_SystemExceptionInformation # define SystemRegistryQuotaInformation IncompleteWinternl_SystemRegistryQuotaInformation # define SystemLookasideInformation IncompleteWinternl_SystemLookasideInformation # define SystemPolicyInformation IncompleteWinternl_SystemPolicyInformation # pragma warning(push) # pragma warning(disable: 4668) # define WIN32_NO_STATUS # include # include # include # undef WIN32_NO_STATUS # include # pragma warning(pop) # ifndef OBJ_DONT_REPARSE # define RTNT_NEED_CLIENT_ID # endif # undef _FILE_INFORMATION_CLASS # undef FILE_INFORMATION_CLASS # undef FileDirectoryInformation # undef NtQueryInformationProcess # undef NtSetInformationProcess # undef PROCESSINFOCLASS # undef _PROCESSINFOCLASS # undef PROCESS_BASIC_INFORMATION # undef PPROCESS_BASIC_INFORMATION # undef _PROCESS_BASIC_INFORMATION # undef ProcessBasicInformation # undef ProcessDebugPort # undef ProcessWow64Information # undef ProcessImageFileName # undef ProcessBreakOnTermination # undef RTL_USER_PROCESS_PARAMETERS # undef PRTL_USER_PROCESS_PARAMETERS # undef _RTL_USER_PROCESS_PARAMETERS # undef NtQueryInformationThread # undef NtSetInformationThread # undef THREADINFOCLASS # undef _THREADINFOCLASS # undef ThreadIsIoPending # undef NtQuerySystemInformation # undef NtSetSystemInformation # undef SYSTEM_INFORMATION_CLASS # undef _SYSTEM_INFORMATION_CLASS # undef SystemBasicInformation # undef SystemPerformanceInformation # undef SystemTimeOfDayInformation # undef SystemProcessInformation # undef SystemProcessorPerformanceInformation # undef SystemInterruptInformation # undef SystemExceptionInformation # undef SystemRegistryQuotaInformation # undef SystemLookasideInformation # undef SystemPolicyInformation #else /* * Use ntifs.h and wdm.h. */ # if _MSC_VER >= 1200 /* Fix/workaround for KeInitializeSpinLock visibility issue on AMD64. */ # define FORCEINLINE static __forceinline # else # define FORCEINLINE static __inline # endif # pragma warning(push) # ifdef RT_ARCH_X86 # define _InterlockedAddLargeStatistic _InterlockedAddLargeStatistic_StupidDDKVsCompilerCrap # pragma warning(disable: 4163) # endif # pragma warning(disable: 4668) # pragma warning(disable: 4255) /* warning C4255: 'ObGetFilterVersion' : no function prototype given: converting '()' to '(void)' */ # if _MSC_VER >= 1800 /*RT_MSC_VER_VC120*/ # pragma warning(disable:4005) /* sdk/v7.1/include/sal_supp.h(57) : warning C4005: '__useHeader' : macro redefinition */ # pragma warning(disable:4471) /* wdm.h(11057) : warning C4471: '_POOL_TYPE' : a forward declaration of an unscoped enumeration must have an underlying type (int assumed) */ # endif # include # include # ifdef RT_ARCH_X86 # undef _InterlockedAddLargeStatistic # endif # pragma warning(pop) # define IPRT_NT_NEED_API_GROUP_NTIFS #endif #undef RtlFreeUnicodeString #undef NtQueryObject #undef ZwQueryObject #undef NtSetInformationObject #undef _OBJECT_INFORMATION_CLASS #undef OBJECT_INFORMATION_CLASS #undef ObjectBasicInformation #undef ObjectTypeInformation #undef _PEB #undef PEB #undef PPEB #undef _TEB #undef TEB #undef PTEB #undef _PEB_LDR_DATA #undef PEB_LDR_DATA #undef PPEB_LDR_DATA #undef _KUSER_SHARED_DATA #undef KUSER_SHARED_DATA #undef PKUSER_SHARED_DATA #include #include /** @name Useful macros * @{ */ /** Indicates that we're targeting native NT in the current source. */ #define RTNT_USE_NATIVE_NT 1 /** Initializes a IO_STATUS_BLOCK. */ #define RTNT_IO_STATUS_BLOCK_INITIALIZER { STATUS_FAILED_DRIVER_ENTRY, ~(uintptr_t)42 } /** Reinitializes a IO_STATUS_BLOCK. */ #define RTNT_IO_STATUS_BLOCK_REINIT(a_pIos) \ do { (a_pIos)->Status = STATUS_FAILED_DRIVER_ENTRY; (a_pIos)->Information = ~(uintptr_t)42; } while (0) /** Similar to INVALID_HANDLE_VALUE in the Windows environment. */ #define RTNT_INVALID_HANDLE_VALUE ( (HANDLE)~(uintptr_t)0 ) /** Constant UNICODE_STRING initializer. */ #define RTNT_CONSTANT_UNISTR(a_String) { sizeof(a_String) - sizeof(WCHAR), sizeof(a_String), (WCHAR *)a_String } /** @} */ /** @name IPRT helper functions for NT * @{ */ RT_C_DECLS_BEGIN RTDECL(int) RTNtPathOpen(const char *pszPath, ACCESS_MASK fDesiredAccess, ULONG fFileAttribs, ULONG fShareAccess, ULONG fCreateDisposition, ULONG fCreateOptions, ULONG fObjAttribs, PHANDLE phHandle, PULONG_PTR puDisposition); RTDECL(int) RTNtPathOpenDir(const char *pszPath, ACCESS_MASK fDesiredAccess, ULONG fShareAccess, ULONG fCreateOptions, ULONG fObjAttribs, PHANDLE phHandle, bool *pfObjDir); RTDECL(int) RTNtPathOpenDirEx(HANDLE hRootDir, struct _UNICODE_STRING *pNtName, ACCESS_MASK fDesiredAccess, ULONG fShareAccess, ULONG fCreateOptions, ULONG fObjAttribs, PHANDLE phHandle, bool *pfObjDir); RTDECL(int) RTNtPathClose(HANDLE hHandle); /** * Converts a windows-style path to NT format and encoding. * * @returns IPRT status code. * @param pNtName Where to return the NT name. Free using * RTNtPathFree. * @param phRootDir Where to return the root handle, if applicable. * @param pszPath The UTF-8 path. */ RTDECL(int) RTNtPathFromWinUtf8(struct _UNICODE_STRING *pNtName, PHANDLE phRootDir, const char *pszPath); /** * Converts a UTF-16 windows-style path to NT format. * * @returns IPRT status code. * @param pNtName Where to return the NT name. Free using * RTNtPathFree. * @param phRootDir Where to return the root handle, if applicable. * @param pwszPath The UTF-16 windows-style path. * @param cwcPath The max length of the windows-style path in * RTUTF16 units. Use RTSTR_MAX if unknown and @a * pwszPath is correctly terminated. */ RTDECL(int) RTNtPathFromWinUtf16Ex(struct _UNICODE_STRING *pNtName, HANDLE *phRootDir, PCRTUTF16 pwszPath, size_t cwcPath); /** * How to handle ascent ('..' relative to a root handle). */ typedef enum RTNTPATHRELATIVEASCENT { kRTNtPathRelativeAscent_Invalid = 0, kRTNtPathRelativeAscent_Allow, kRTNtPathRelativeAscent_Fail, kRTNtPathRelativeAscent_Ignore, kRTNtPathRelativeAscent_End, kRTNtPathRelativeAscent_32BitHack = 0x7fffffff } RTNTPATHRELATIVEASCENT; /** * Converts a relative windows-style path to relative NT format and encoding. * * @returns IPRT status code. * @param pNtName Where to return the NT name. Free using * rtTNtPathToNative with phRootDir set to NULL. * @param phRootDir On input, the handle to the directory the path * is relative to. On output, the handle to * specify as root directory in the object * attributes when accessing the path. If * enmAscent is kRTNtPathRelativeAscent_Allow, it * may have been set to NULL. * @param pszPath The relative UTF-8 path. * @param enmAscent How to handle ascent. * @param fMustReturnAbsolute Must convert to an absolute path. This * is necessary if the root dir is a NT directory * object (e.g. /Devices) since they cannot parse * relative paths it seems. */ RTDECL(int) RTNtPathRelativeFromUtf8(struct _UNICODE_STRING *pNtName, PHANDLE phRootDir, const char *pszPath, RTNTPATHRELATIVEASCENT enmAscent, bool fMustReturnAbsolute); /** * Ensures that the NT string has sufficient storage to hold @a cwcMin RTUTF16 * chars plus a terminator. * * The NT string must have been returned by RTNtPathFromWinUtf8 or * RTNtPathFromWinUtf16Ex. * * @returns IPRT status code. * @param pNtName The NT path string. * @param cwcMin The minimum number of RTUTF16 chars. Max 32767. * @sa RTNtPathFree */ RTDECL(int) RTNtPathEnsureSpace(struct _UNICODE_STRING *pNtName, size_t cwcMin); /** * Frees the native path and root handle. * * @param pNtName The NT path after a successful rtNtPathToNative * call or RTNtPathRelativeFromUtf8. * @param phRootDir The root handle variable from rtNtPathToNative, */ RTDECL(void) RTNtPathFree(struct _UNICODE_STRING *pNtName, HANDLE *phRootDir); /** * Checks whether the path could be containing alternative 8.3 names generated * by NTFS, FAT, or other similar file systems. * * @returns Pointer to the first component that might be an 8.3 name, NULL if * not 8.3 path. * @param pwszPath The path to check. * * @remarks This is making bad ASSUMPTION wrt to the naming scheme of 8.3 names, * however, non-tilde 8.3 aliases are probably rare enough to not be * worth all the extra code necessary to open each path component and * check if we've got the short name or not. */ RTDECL(PRTUTF16) RTNtPathFindPossible8dot3Name(PCRTUTF16 pwszPath); /** * Fixes up a path possibly containing one or more alternative 8-dot-3 style * components. * * The path is fixed up in place. Errors are ignored. * * @returns VINF_SUCCESS if it all went smoothly, informational status codes * indicating the nature of last problem we ran into. * * @param pUniStr The path to fix up. MaximumLength is the max buffer * length. * @param fPathOnly Whether to only process the path and leave the filename * as passed in. */ RTDECL(int) RTNtPathExpand8dot3Path(struct _UNICODE_STRING *pUniStr, bool fPathOnly); RT_C_DECLS_END /** @} */ /** @name NT API delcarations. * @{ */ RT_C_DECLS_BEGIN /** @name Process access rights missing in ntddk headers * @{ */ #ifndef PROCESS_TERMINATE # define PROCESS_TERMINATE UINT32_C(0x00000001) #endif #ifndef PROCESS_CREATE_THREAD # define PROCESS_CREATE_THREAD UINT32_C(0x00000002) #endif #ifndef PROCESS_SET_SESSIONID # define PROCESS_SET_SESSIONID UINT32_C(0x00000004) #endif #ifndef PROCESS_VM_OPERATION # define PROCESS_VM_OPERATION UINT32_C(0x00000008) #endif #ifndef PROCESS_VM_READ # define PROCESS_VM_READ UINT32_C(0x00000010) #endif #ifndef PROCESS_VM_WRITE # define PROCESS_VM_WRITE UINT32_C(0x00000020) #endif #ifndef PROCESS_DUP_HANDLE # define PROCESS_DUP_HANDLE UINT32_C(0x00000040) #endif #ifndef PROCESS_CREATE_PROCESS # define PROCESS_CREATE_PROCESS UINT32_C(0x00000080) #endif #ifndef PROCESS_SET_QUOTA # define PROCESS_SET_QUOTA UINT32_C(0x00000100) #endif #ifndef PROCESS_SET_INFORMATION # define PROCESS_SET_INFORMATION UINT32_C(0x00000200) #endif #ifndef PROCESS_QUERY_INFORMATION # define PROCESS_QUERY_INFORMATION UINT32_C(0x00000400) #endif #ifndef PROCESS_SUSPEND_RESUME # define PROCESS_SUSPEND_RESUME UINT32_C(0x00000800) #endif #ifndef PROCESS_QUERY_LIMITED_INFORMATION # define PROCESS_QUERY_LIMITED_INFORMATION UINT32_C(0x00001000) #endif #ifndef PROCESS_SET_LIMITED_INFORMATION # define PROCESS_SET_LIMITED_INFORMATION UINT32_C(0x00002000) #endif #define PROCESS_UNKNOWN_4000 UINT32_C(0x00004000) #define PROCESS_UNKNOWN_6000 UINT32_C(0x00008000) #ifndef PROCESS_ALL_ACCESS # define PROCESS_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | UINT32_C(0x0000ffff) ) #endif /** @} */ /** @name Thread access rights missing in ntddk headers * @{ */ #ifndef THREAD_QUERY_INFORMATION # define THREAD_QUERY_INFORMATION UINT32_C(0x00000040) #endif #ifndef THREAD_SET_THREAD_TOKEN # define THREAD_SET_THREAD_TOKEN UINT32_C(0x00000080) #endif #ifndef THREAD_IMPERSONATE # define THREAD_IMPERSONATE UINT32_C(0x00000100) #endif #ifndef THREAD_DIRECT_IMPERSONATION # define THREAD_DIRECT_IMPERSONATION UINT32_C(0x00000200) #endif #ifndef THREAD_RESUME # define THREAD_RESUME UINT32_C(0x00001000) #endif #define THREAD_UNKNOWN_2000 UINT32_C(0x00002000) #define THREAD_UNKNOWN_4000 UINT32_C(0x00004000) #define THREAD_UNKNOWN_8000 UINT32_C(0x00008000) /** @} */ /** @name Special handle values. * @{ */ #ifndef NtCurrentProcess # define NtCurrentProcess() ( (HANDLE)-(intptr_t)1 ) #endif #ifndef NtCurrentThread # define NtCurrentThread() ( (HANDLE)-(intptr_t)2 ) #endif #ifndef ZwCurrentProcess # define ZwCurrentProcess() NtCurrentProcess() #endif #ifndef ZwCurrentThread # define ZwCurrentThread() NtCurrentThread() #endif /** @} */ /** @name Directory object access rights. * @{ */ #ifndef DIRECTORY_QUERY # define DIRECTORY_QUERY UINT32_C(0x00000001) #endif #ifndef DIRECTORY_TRAVERSE # define DIRECTORY_TRAVERSE UINT32_C(0x00000002) #endif #ifndef DIRECTORY_CREATE_OBJECT # define DIRECTORY_CREATE_OBJECT UINT32_C(0x00000004) #endif #ifndef DIRECTORY_CREATE_SUBDIRECTORY # define DIRECTORY_CREATE_SUBDIRECTORY UINT32_C(0x00000008) #endif #ifndef DIRECTORY_ALL_ACCESS # define DIRECTORY_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED | UINT32_C(0x0000000f) ) #endif /** @} */ #ifdef RTNT_NEED_CLIENT_ID typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID; #endif #ifdef IPRT_NT_USE_WINTERNL typedef CLIENT_ID *PCLIENT_ID; #endif /** Extended affinity type, introduced in Windows 7 (?). */ typedef struct _KAFFINITY_EX { /** Count of valid bitmap entries. */ uint16_t Count; /** Count of allocated bitmap entries. */ uint16_t Size; /** Reserved / aligmment padding. */ uint32_t Reserved; /** Bitmap where one bit corresponds to a CPU. */ uintptr_t Bitmap[20]; } KAFFINITY_EX; typedef KAFFINITY_EX *PKAFFINITY_EX; typedef KAFFINITY_EX const *PCKAFFINITY_EX; /** @name User Shared Data * @{ */ #ifdef IPRT_NT_USE_WINTERNL typedef struct _KSYSTEM_TIME { ULONG LowPart; LONG High1Time; LONG High2Time; } KSYSTEM_TIME; typedef KSYSTEM_TIME *PKSYSTEM_TIME; typedef enum _NT_PRODUCT_TYPE { NtProductWinNt = 1, NtProductLanManNt, NtProductServer } NT_PRODUCT_TYPE; #define PROCESSOR_FEATURE_MAX 64 typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { StandardDesign = 0, NEC98x86, EndAlternatives } ALTERNATIVE_ARCHITECTURE_TYPE; # if 0 typedef struct _XSTATE_FEATURE { ULONG Offset; ULONG Size; } XSTATE_FEATURE; typedef XSTATE_FEATURE *PXSTATE_FEATURE; #define MAXIMUM_XSTATE_FEATURES 64 typedef struct _XSTATE_CONFIGURATION { ULONG64 EnabledFeatures; ULONG Size; ULONG OptimizedSave : 1; XSTATE_FEATURE Features[MAXIMUM_XSTATE_FEATURES]; } XSTATE_CONFIGURATION; typedef XSTATE_CONFIGURATION *PXSTATE_CONFIGURATION; # endif #endif /* IPRT_NT_USE_WINTERNL */ typedef struct _KUSER_SHARED_DATA { ULONG TickCountLowDeprecated; /**< 0x000 */ ULONG TickCountMultiplier; /**< 0x004 */ KSYSTEM_TIME volatile InterruptTime; /**< 0x008 */ KSYSTEM_TIME volatile SystemTime; /**< 0x014 */ KSYSTEM_TIME volatile TimeZoneBias; /**< 0x020 */ USHORT ImageNumberLow; /**< 0x02c */ USHORT ImageNumberHigh; /**< 0x02e */ WCHAR NtSystemRoot[260]; /**< 0x030 - Seems to be last member in NT 3.51. */ ULONG MaxStackTraceDepth; /**< 0x238 */ ULONG CryptoExponent; /**< 0x23c */ ULONG TimeZoneId; /**< 0x240 */ ULONG LargePageMinimum; /**< 0x244 */ ULONG AitSamplingValue; /**< 0x248 */ ULONG AppCompatFlag; /**< 0x24c */ ULONGLONG RNGSeedVersion; /**< 0x250 */ ULONG GlobalValidationRunlevel; /**< 0x258 */ LONG volatile TimeZoneBiasStamp; /**< 0x25c*/ ULONG Reserved2; /**< 0x260 */ NT_PRODUCT_TYPE NtProductType; /**< 0x264 */ BOOLEAN ProductTypeIsValid; /**< 0x268 */ BOOLEAN Reserved0[1]; /**< 0x269 */ USHORT NativeProcessorArchitecture; /**< 0x26a */ ULONG NtMajorVersion; /**< 0x26c */ ULONG NtMinorVersion; /**< 0x270 */ BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; /**< 0x274 */ ULONG Reserved1; /**< 0x2b4 */ ULONG Reserved3; /**< 0x2b8 */ ULONG volatile TimeSlip; /**< 0x2bc */ ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; /**< 0x2c0 */ ULONG AltArchitecturePad[1]; /**< 0x2c4 */ LARGE_INTEGER SystemExpirationDate; /**< 0x2c8 */ ULONG SuiteMask; /**< 0x2d0 */ BOOLEAN KdDebuggerEnabled; /**< 0x2d4 */ union /**< 0x2d5 */ { UCHAR MitigationPolicies; /**< 0x2d5 */ struct { UCHAR NXSupportPolicy : 2; UCHAR SEHValidationPolicy : 2; UCHAR CurDirDevicesSkippedForDlls : 2; UCHAR Reserved : 2; }; }; UCHAR Reserved6[2]; /**< 0x2d6 */ ULONG volatile ActiveConsoleId; /**< 0x2d8 */ ULONG volatile DismountCount; /**< 0x2dc */ ULONG ComPlusPackage; /**< 0x2e0 */ ULONG LastSystemRITEventTickCount; /**< 0x2e4 */ ULONG NumberOfPhysicalPages; /**< 0x2e8 */ BOOLEAN SafeBootMode; /**< 0x2ec */ UCHAR Reserved12[3]; /**< 0x2ed */ union /**< 0x2f0 */ { ULONG SharedDataFlags; /**< 0x2f0 */ struct { ULONG DbgErrorPortPresent : 1; ULONG DbgElevationEnabled : 1; ULONG DbgVirtEnabled : 1; ULONG DbgInstallerDetectEnabled : 1; ULONG DbgLkgEnabled : 1; ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; ULONG SpareBits : 24; }; }; ULONG DataFlagsPad[1]; /**< 0x2f4 */ ULONGLONG TestRetInstruction; /**< 0x2f8 */ LONGLONG QpcFrequency; /**< 0x300 */ ULONGLONG SystemCallPad[3]; /**< 0x308 */ union /**< 0x320 */ { ULONG64 volatile TickCountQuad; /**< 0x320 */ KSYSTEM_TIME volatile TickCount; /**< 0x320 */ struct /**< 0x320 */ { ULONG ReservedTickCountOverlay[3]; /**< 0x320 */ ULONG TickCountPad[1]; /**< 0x32c */ }; }; ULONG Cookie; /**< 0x330 */ ULONG CookiePad[1]; /**< 0x334 */ LONGLONG ConsoleSessionForegroundProcessId; /**< 0x338 */ ULONGLONG TimeUpdateLock; /**< 0x340 */ ULONGLONG BaselineSystemTimeQpc; /**< 0x348 */ ULONGLONG BaselineInterruptTimeQpc; /**< 0x350 */ ULONGLONG QpcSystemTimeIncrement; /**< 0x358 */ ULONGLONG QpcInterruptTimeIncrement; /**< 0x360 */ ULONG QpcSystemTimeIncrement32; /**< 0x368 */ ULONG QpcInterruptTimeIncrement32; /**< 0x36c */ UCHAR QpcSystemTimeIncrementShift; /**< 0x370 */ UCHAR QpcInterruptTimeIncrementShift; /**< 0x371 */ UCHAR Reserved8[14]; /**< 0x372 */ USHORT UserModeGlobalLogger[16]; /**< 0x380 */ ULONG ImageFileExecutionOptions; /**< 0x3a0 */ ULONG LangGenerationCount; /**< 0x3a4 */ ULONGLONG Reserved4; /**< 0x3a8 */ ULONGLONG volatile InterruptTimeBias; /**< 0x3b0 - What QueryUnbiasedInterruptTimePrecise * subtracts from interrupt time. */ ULONGLONG volatile QpcBias; /**< 0x3b8 */ ULONG volatile ActiveProcessorCount; /**< 0x3c0 */ UCHAR volatile ActiveGroupCount; /**< 0x3c4 */ UCHAR Reserved9; /**< 0x3c5 */ union /**< 0x3c6 */ { USHORT QpcData; /**< 0x3c6 */ struct /**< 0x3c6 */ { BOOLEAN volatile QpcBypassEnabled; /**< 0x3c6 */ UCHAR QpcShift; /**< 0x3c7 */ }; }; LARGE_INTEGER TimeZoneBiasEffectiveStart; /**< 0x3c8 */ LARGE_INTEGER TimeZoneBiasEffectiveEnd; /**< 0x3d0 */ XSTATE_CONFIGURATION XState; /**< 0x3d8 */ } KUSER_SHARED_DATA; typedef KUSER_SHARED_DATA *PKUSER_SHARED_DATA; AssertCompileMemberOffset(KUSER_SHARED_DATA, InterruptTime, 0x008); AssertCompileMemberOffset(KUSER_SHARED_DATA, SystemTime, 0x014); AssertCompileMemberOffset(KUSER_SHARED_DATA, NtSystemRoot, 0x030); AssertCompileMemberOffset(KUSER_SHARED_DATA, LargePageMinimum, 0x244); AssertCompileMemberOffset(KUSER_SHARED_DATA, Reserved1, 0x2b4); AssertCompileMemberOffset(KUSER_SHARED_DATA, TestRetInstruction, 0x2f8); AssertCompileMemberOffset(KUSER_SHARED_DATA, Cookie, 0x330); AssertCompileMemberOffset(KUSER_SHARED_DATA, ImageFileExecutionOptions, 0x3a0); AssertCompileMemberOffset(KUSER_SHARED_DATA, XState, 0x3d8); /** @def MM_SHARED_USER_DATA_VA * Read only userland mapping of KUSER_SHARED_DATA. */ #ifndef MM_SHARED_USER_DATA_VA # if ARCH_BITS == 32 # define MM_SHARED_USER_DATA_VA UINT32_C(0x7ffe0000) # elif ARCH_BITS == 64 # define MM_SHARED_USER_DATA_VA UINT64_C(0x7ffe0000) # else # error "Unsupported/undefined ARCH_BITS value." # endif #endif /** @def KI_USER_SHARED_DATA * Read write kernel mapping of KUSER_SHARED_DATA. */ #ifndef KI_USER_SHARED_DATA # ifdef RT_ARCH_X86 # define KI_USER_SHARED_DATA UINT32_C(0xffdf0000) # elif defined(RT_ARCH_AMD64) # define KI_USER_SHARED_DATA UINT64_C(0xfffff78000000000) # else # error "PORT ME - KI_USER_SHARED_DATA" # endif #endif /** @} */ /** @name Process And Thread Environment Blocks * @{ */ typedef struct _PEB_LDR_DATA { uint32_t Length; BOOLEAN Initialized; BOOLEAN Padding[3]; HANDLE SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; /* End NT4 */ LIST_ENTRY *EntryInProgress; BOOLEAN ShutdownInProgress; HANDLE ShutdownThreadId; } PEB_LDR_DATA; typedef PEB_LDR_DATA *PPEB_LDR_DATA; typedef struct _PEB_COMMON { BOOLEAN InheritedAddressSpace; /**< 0x000 / 0x000 */ BOOLEAN ReadImageFileExecOptions; /**< 0x001 / 0x001 */ BOOLEAN BeingDebugged; /**< 0x002 / 0x002 */ union { uint8_t BitField; /**< 0x003 / 0x003 */ struct { uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */ } Common; struct { uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W80 */ uint8_t SkipPatchingUser32Forwarders : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W80 */ uint8_t IsPackagedProcess : 1; /**< 0x003 / 0x003 : Pos 4, 1 Bit - Differs from W80 */ uint8_t IsAppContainer : 1; /**< 0x003 / 0x003 : Pos 5, 1 Bit - Differs from W80 */ uint8_t IsProtectedProcessLight : 1; /**< 0x003 / 0x003 : Pos 6, 1 Bit - Differs from W80 */ uint8_t SpareBits : 1; /**< 0x003 / 0x003 : Pos 7, 1 Bit */ } W81; struct { uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */ uint8_t IsLegacyProcess : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W81 */ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W81 */ uint8_t SkipPatchingUser32Forwarders : 1; /**< 0x003 / 0x003 : Pos 4, 1 Bit - Differs from W81 */ uint8_t IsPackagedProcess : 1; /**< 0x003 / 0x003 : Pos 5, 1 Bit - Differs from W81 */ uint8_t IsAppContainer : 1; /**< 0x003 / 0x003 : Pos 6, 1 Bit - Differs from W81 */ uint8_t SpareBits : 1; /**< 0x003 / 0x003 : Pos 7, 1 Bit */ } W80; struct { uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */ uint8_t IsLegacyProcess : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W81, same as W80 & W6. */ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W81, same as W80 & W6. */ uint8_t SkipPatchingUser32Forwarders : 1; /**< 0x003 / 0x003 : Pos 4, 1 Bit - Added in W7; Differs from W81, same as W80. */ uint8_t SpareBits : 3; /**< 0x003 / 0x003 : Pos 5, 3 Bit - Differs from W81 & W80, more spare bits. */ } W7; struct { uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */ uint8_t IsProtectedProcess : 1; /**< 0x003 / 0x003 : Pos 1, 1 Bit */ uint8_t IsLegacyProcess : 1; /**< 0x003 / 0x003 : Pos 2, 1 Bit - Differs from W81, same as W80 & W7. */ uint8_t IsImageDynamicallyRelocated : 1; /**< 0x003 / 0x003 : Pos 3, 1 Bit - Differs from W81, same as W80 & W7. */ uint8_t SpareBits : 4; /**< 0x003 / 0x003 : Pos 4, 4 Bit - Differs from W81, W80, & W7, more spare bits. */ } W6; struct { uint8_t ImageUsesLargePages : 1; /**< 0x003 / 0x003 : Pos 0, 1 Bit */ uint8_t SpareBits : 7; /**< 0x003 / 0x003 : Pos 1, 7 Bit - Differs from W81, W80, & W7, more spare bits. */ } W52; struct { BOOLEAN SpareBool; } W51; } Diff0; #if ARCH_BITS == 64 uint32_t Padding0; /**< 0x004 / NA */ #endif HANDLE Mutant; /**< 0x008 / 0x004 */ PVOID ImageBaseAddress; /**< 0x010 / 0x008 */ PPEB_LDR_DATA Ldr; /**< 0x018 / 0x00c */ struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; /**< 0x020 / 0x010 */ PVOID SubSystemData; /**< 0x028 / 0x014 */ HANDLE ProcessHeap; /**< 0x030 / 0x018 */ struct _RTL_CRITICAL_SECTION *FastPebLock; /**< 0x038 / 0x01c */ union { struct { PVOID AtlThunkSListPtr; /**< 0x040 / 0x020 */ PVOID IFEOKey; /**< 0x048 / 0x024 */ union { ULONG CrossProcessFlags; /**< 0x050 / 0x028 */ struct { uint32_t ProcessInJob : 1; /**< 0x050 / 0x028: Pos 0, 1 Bit */ uint32_t ProcessInitializing : 1; /**< 0x050 / 0x028: Pos 1, 1 Bit */ uint32_t ProcessUsingVEH : 1; /**< 0x050 / 0x028: Pos 2, 1 Bit */ uint32_t ProcessUsingVCH : 1; /**< 0x050 / 0x028: Pos 3, 1 Bit */ uint32_t ProcessUsingFTH : 1; /**< 0x050 / 0x028: Pos 4, 1 Bit */ uint32_t ReservedBits0 : 1; /**< 0x050 / 0x028: Pos 5, 27 Bits */ } W7, W8, W80, W81; struct { uint32_t ProcessInJob : 1; /**< 0x050 / 0x028: Pos 0, 1 Bit */ uint32_t ProcessInitializing : 1; /**< 0x050 / 0x028: Pos 1, 1 Bit */ uint32_t ReservedBits0 : 30; /**< 0x050 / 0x028: Pos 2, 30 Bits */ } W6; }; #if ARCH_BITS == 64 uint32_t Padding1; /**< 0x054 / */ #endif } W6, W7, W8, W80, W81; struct { PVOID AtlThunkSListPtr; /**< 0x040 / 0x020 */ PVOID SparePtr2; /**< 0x048 / 0x024 */ uint32_t EnvironmentUpdateCount; /**< 0x050 / 0x028 */ #if ARCH_BITS == 64 uint32_t Padding1; /**< 0x054 / */ #endif } W52; struct { PVOID FastPebLockRoutine; /**< NA / 0x020 */ PVOID FastPebUnlockRoutine; /**< NA / 0x024 */ uint32_t EnvironmentUpdateCount; /**< NA / 0x028 */ } W51; } Diff1; union { PVOID KernelCallbackTable; /**< 0x058 / 0x02c */ PVOID UserSharedInfoPtr; /**< 0x058 / 0x02c - Alternative use in W6.*/ }; uint32_t SystemReserved; /**< 0x060 / 0x030 */ union { struct { uint32_t AtlThunkSListPtr32; /**< 0x064 / 0x034 */ } W7, W8, W80, W81; struct { uint32_t SpareUlong; /**< 0x064 / 0x034 */ } W52, W6; struct { uint32_t ExecuteOptions : 2; /**< NA / 0x034: Pos 0, 2 Bits */ uint32_t SpareBits : 30; /**< NA / 0x034: Pos 2, 30 Bits */ } W51; } Diff2; union { struct { PVOID ApiSetMap; /**< 0x068 / 0x038 */ } W7, W8, W80, W81; struct { struct _PEB_FREE_BLOCK *FreeList; /**< 0x068 / 0x038 */ } W52, W6; struct { struct _PEB_FREE_BLOCK *FreeList; /**< NA / 0x038 */ } W51; } Diff3; uint32_t TlsExpansionCounter; /**< 0x070 / 0x03c */ #if ARCH_BITS == 64 uint32_t Padding2; /**< 0x074 / NA */ #endif struct _RTL_BITMAP *TlsBitmap; /**< 0x078 / 0x040 */ uint32_t TlsBitmapBits[2]; /**< 0x080 / 0x044 */ PVOID ReadOnlySharedMemoryBase; /**< 0x088 / 0x04c */ union { struct { PVOID SparePvoid0; /**< 0x090 / 0x050 - HotpatchInformation before W81. */ } W81; struct { PVOID HotpatchInformation; /**< 0x090 / 0x050 - Retired in W81. */ } W6, W7, W80; struct { PVOID ReadOnlySharedMemoryHeap; } W52; } Diff4; PVOID *ReadOnlyStaticServerData; /**< 0x098 / 0x054 */ PVOID AnsiCodePageData; /**< 0x0a0 / 0x058 */ PVOID OemCodePageData; /**< 0x0a8 / 0x05c */ PVOID UnicodeCaseTableData; /**< 0x0b0 / 0x060 */ uint32_t NumberOfProcessors; /**< 0x0b8 / 0x064 */ uint32_t NtGlobalFlag; /**< 0x0bc / 0x068 */ #if ARCH_BITS == 32 uint32_t Padding2b; #endif LARGE_INTEGER CriticalSectionTimeout; /**< 0x0c0 / 0x070 */ SIZE_T HeapSegmentReserve; /**< 0x0c8 / 0x078 */ SIZE_T HeapSegmentCommit; /**< 0x0d0 / 0x07c */ SIZE_T HeapDeCommitTotalFreeThreshold; /**< 0x0d8 / 0x080 */ SIZE_T HeapDeCommitFreeBlockThreshold; /**< 0x0e0 / 0x084 */ uint32_t NumberOfHeaps; /**< 0x0e8 / 0x088 */ uint32_t MaximumNumberOfHeaps; /**< 0x0ec / 0x08c */ PVOID *ProcessHeaps; /**< 0x0f0 / 0x090 - Last NT 3.51 member. */ PVOID GdiSharedHandleTable; /**< 0x0f8 / 0x094 */ PVOID ProcessStarterHelper; /**< 0x100 / 0x098 */ uint32_t GdiDCAttributeList; /**< 0x108 / 0x09c */ #if ARCH_BITS == 64 uint32_t Padding3; /**< 0x10c / NA */ #endif struct _RTL_CRITICAL_SECTION *LoaderLock; /**< 0x110 / 0x0a0 */ uint32_t OSMajorVersion; /**< 0x118 / 0x0a4 */ uint32_t OSMinorVersion; /**< 0x11c / 0x0a8 */ uint16_t OSBuildNumber; /**< 0x120 / 0x0ac */ uint16_t OSCSDVersion; /**< 0x122 / 0x0ae */ uint32_t OSPlatformId; /**< 0x124 / 0x0b0 */ uint32_t ImageSubsystem; /**< 0x128 / 0x0b4 */ uint32_t ImageSubsystemMajorVersion; /**< 0x12c / 0x0b8 */ uint32_t ImageSubsystemMinorVersion; /**< 0x130 / 0x0bc */ #if ARCH_BITS == 64 uint32_t Padding4; /**< 0x134 / NA */ #endif union { struct { SIZE_T ActiveProcessAffinityMask; /**< 0x138 / 0x0c0 */ } W7, W8, W80, W81; struct { SIZE_T ImageProcessAffinityMask; /**< 0x138 / 0x0c0 */ } W52, W6; } Diff5; uint32_t GdiHandleBuffer[ARCH_BITS == 64 ? 60 : 34]; /**< 0x140 / 0x0c4 */ PVOID PostProcessInitRoutine; /**< 0x230 / 0x14c */ PVOID TlsExpansionBitmap; /**< 0x238 / 0x150 */ uint32_t TlsExpansionBitmapBits[32]; /**< 0x240 / 0x154 */ uint32_t SessionId; /**< 0x2c0 / 0x1d4 */ #if ARCH_BITS == 64 uint32_t Padding5; /**< 0x2c4 / NA */ #endif ULARGE_INTEGER AppCompatFlags; /**< 0x2c8 / 0x1d8 */ ULARGE_INTEGER AppCompatFlagsUser; /**< 0x2d0 / 0x1e0 */ PVOID pShimData; /**< 0x2d8 / 0x1e8 */ PVOID AppCompatInfo; /**< 0x2e0 / 0x1ec */ UNICODE_STRING CSDVersion; /**< 0x2e8 / 0x1f0 */ struct _ACTIVATION_CONTEXT_DATA *ActivationContextData; /**< 0x2f8 / 0x1f8 */ struct _ASSEMBLY_STORAGE_MAP *ProcessAssemblyStorageMap; /**< 0x300 / 0x1fc */ struct _ACTIVATION_CONTEXT_DATA *SystemDefaultActivationContextData; /**< 0x308 / 0x200 */ struct _ASSEMBLY_STORAGE_MAP *SystemAssemblyStorageMap; /**< 0x310 / 0x204 */ SIZE_T MinimumStackCommit; /**< 0x318 / 0x208 */ /* End of PEB in W52 (Windows XP (RTM))! */ struct _FLS_CALLBACK_INFO *FlsCallback; /**< 0x320 / 0x20c */ LIST_ENTRY FlsListHead; /**< 0x328 / 0x210 */ PVOID FlsBitmap; /**< 0x338 / 0x218 */ uint32_t FlsBitmapBits[4]; /**< 0x340 / 0x21c */ uint32_t FlsHighIndex; /**< 0x350 / 0x22c */ /* End of PEB in W52 (Windows Server 2003)! */ PVOID WerRegistrationData; /**< 0x358 / 0x230 */ PVOID WerShipAssertPtr; /**< 0x360 / 0x234 */ /* End of PEB in W6 (windows Vista)! */ union { struct { PVOID pUnused; /**< 0x368 / 0x238 - Was pContextData in W7. */ } W8, W80, W81; struct { PVOID pContextData; /**< 0x368 / 0x238 - Retired in W80. */ } W7; } Diff6; PVOID pImageHeaderHash; /**< 0x370 / 0x23c */ union { uint32_t TracingFlags; /**< 0x378 / 0x240 */ struct { uint32_t HeapTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 0, 1 Bit */ uint32_t CritSecTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 1, 1 Bit */ uint32_t LibLoaderTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 2, 1 Bit */ uint32_t SpareTracingBits : 29; /**< 0x378 / 0x240 : Pos 3, 29 Bits */ } W8, W80, W81; struct { uint32_t HeapTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 0, 1 Bit */ uint32_t CritSecTracingEnabled : 1; /**< 0x378 / 0x240 : Pos 1, 1 Bit */ uint32_t SpareTracingBits : 30; /**< 0x378 / 0x240 : Pos 3, 30 Bits - One bit more than W80 */ } W7; } Diff7; #if ARCH_BITS == 64 uint32_t Padding6; /**< 0x37c / NA */ #endif uint64_t CsrServerReadOnlySharedMemoryBase; /**< 0x380 / 0x248 */ /* End of PEB in W8, W81. */ uintptr_t TppWorkerpListLock; /**< 0x388 / 0x250 */ LIST_ENTRY TppWorkerpList; /**< 0x390 / 0x254 */ PVOID WaitOnAddressHashTable[128]; /**< 0x3a0 / 0x25c */ #if ARCH_BITS == 32 uint32_t ExplicitPadding7; /**< NA NA / 0x45c */ #endif } PEB_COMMON; typedef PEB_COMMON *PPEB_COMMON; AssertCompileMemberOffset(PEB_COMMON, ProcessHeap, ARCH_BITS == 64 ? 0x30 : 0x18); AssertCompileMemberOffset(PEB_COMMON, SystemReserved, ARCH_BITS == 64 ? 0x60 : 0x30); AssertCompileMemberOffset(PEB_COMMON, TlsExpansionCounter, ARCH_BITS == 64 ? 0x70 : 0x3c); AssertCompileMemberOffset(PEB_COMMON, NtGlobalFlag, ARCH_BITS == 64 ? 0xbc : 0x68); AssertCompileMemberOffset(PEB_COMMON, LoaderLock, ARCH_BITS == 64 ? 0x110 : 0xa0); AssertCompileMemberOffset(PEB_COMMON, Diff5.W52.ImageProcessAffinityMask, ARCH_BITS == 64 ? 0x138 : 0xc0); AssertCompileMemberOffset(PEB_COMMON, PostProcessInitRoutine, ARCH_BITS == 64 ? 0x230 : 0x14c); AssertCompileMemberOffset(PEB_COMMON, AppCompatFlags, ARCH_BITS == 64 ? 0x2c8 : 0x1d8); AssertCompileSize(PEB_COMMON, ARCH_BITS == 64 ? 0x7a0 : 0x460); /** The size of the windows 10 (build 14393) PEB structure. */ #define PEB_SIZE_W10 sizeof(PEB_COMMON) /** The size of the windows 8.1 PEB structure. */ #define PEB_SIZE_W81 RT_UOFFSETOF(PEB_COMMON, TppWorkerpListLock) /** The size of the windows 8.0 PEB structure. */ #define PEB_SIZE_W80 RT_UOFFSETOF(PEB_COMMON, TppWorkerpListLock) /** The size of the windows 7 PEB structure. */ #define PEB_SIZE_W7 RT_UOFFSETOF(PEB_COMMON, CsrServerReadOnlySharedMemoryBase) /** The size of the windows vista PEB structure. */ #define PEB_SIZE_W6 RT_UOFFSETOF(PEB_COMMON, Diff3) /** The size of the windows server 2003 PEB structure. */ #define PEB_SIZE_W52 RT_UOFFSETOF(PEB_COMMON, WerRegistrationData) /** The size of the windows XP PEB structure. */ #define PEB_SIZE_W51 RT_UOFFSETOF(PEB_COMMON, FlsCallback) #if 0 typedef struct _NT_TIB { struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList; PVOID StackBase; PVOID StackLimit; PVOID SubSystemTib; union { PVOID FiberData; ULONG Version; }; PVOID ArbitraryUserPointer; struct _NT_TIB *Self; } NT_TIB; typedef NT_TIB *PNT_TIB; #endif typedef struct _ACTIVATION_CONTEXT_STACK { uint32_t Flags; uint32_t NextCookieSequenceNumber; PVOID ActiveFrame; LIST_ENTRY FrameListCache; } ACTIVATION_CONTEXT_STACK; /* Common TEB. */ typedef struct _TEB_COMMON { NT_TIB NtTib; /**< 0x000 / 0x000 */ PVOID EnvironmentPointer; /**< 0x038 / 0x01c */ CLIENT_ID ClientId; /**< 0x040 / 0x020 */ PVOID ActiveRpcHandle; /**< 0x050 / 0x028 */ PVOID ThreadLocalStoragePointer; /**< 0x058 / 0x02c */ PPEB_COMMON ProcessEnvironmentBlock; /**< 0x060 / 0x030 */ uint32_t LastErrorValue; /**< 0x068 / 0x034 */ uint32_t CountOfOwnedCriticalSections; /**< 0x06c / 0x038 */ PVOID CsrClientThread; /**< 0x070 / 0x03c */ PVOID Win32ThreadInfo; /**< 0x078 / 0x040 */ uint32_t User32Reserved[26]; /**< 0x080 / 0x044 */ uint32_t UserReserved[5]; /**< 0x0e8 / 0x0ac */ PVOID WOW32Reserved; /**< 0x100 / 0x0c0 */ uint32_t CurrentLocale; /**< 0x108 / 0x0c4 */ uint32_t FpSoftwareStatusRegister; /**< 0x10c / 0x0c8 */ PVOID SystemReserved1[54]; /**< 0x110 / 0x0cc */ uint32_t ExceptionCode; /**< 0x2c0 / 0x1a4 */ #if ARCH_BITS == 64 uint32_t Padding0; /**< 0x2c4 / NA */ #endif union { struct { struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer;/**< 0x2c8 / 0x1a8 */ uint8_t SpareBytes[ARCH_BITS == 64 ? 24 : 36]; /**< 0x2d0 / 0x1ac */ } W52, W6, W7, W8, W80, W81; #if ARCH_BITS == 32 struct { ACTIVATION_CONTEXT_STACK ActivationContextStack; /**< NA / 0x1a8 */ uint8_t SpareBytes[20]; /**< NA / 0x1bc */ } W51; #endif } Diff0; union { struct { uint32_t TxFsContext; /**< 0x2e8 / 0x1d0 */ } W6, W7, W8, W80, W81; struct { uint32_t SpareBytesContinues; /**< 0x2e8 / 0x1d0 */ } W52; } Diff1; #if ARCH_BITS == 64 uint32_t Padding1; /**< 0x2ec / NA */ #endif /*_GDI_TEB_BATCH*/ uint8_t GdiTebBatch[ARCH_BITS == 64 ? 0x4e8 :0x4e0]; /**< 0x2f0 / 0x1d4 */ CLIENT_ID RealClientId; /**< 0x7d8 / 0x6b4 */ HANDLE GdiCachedProcessHandle; /**< 0x7e8 / 0x6bc */ uint32_t GdiClientPID; /**< 0x7f0 / 0x6c0 */ uint32_t GdiClientTID; /**< 0x7f4 / 0x6c4 */ PVOID GdiThreadLocalInfo; /**< 0x7f8 / 0x6c8 */ SIZE_T Win32ClientInfo[62]; /**< 0x800 / 0x6cc */ PVOID glDispatchTable[233]; /**< 0x9f0 / 0x7c4 */ SIZE_T glReserved1[29]; /**< 0x1138 / 0xb68 */ PVOID glReserved2; /**< 0x1220 / 0xbdc */ PVOID glSectionInfo; /**< 0x1228 / 0xbe0 */ PVOID glSection; /**< 0x1230 / 0xbe4 */ PVOID glTable; /**< 0x1238 / 0xbe8 */ PVOID glCurrentRC; /**< 0x1240 / 0xbec */ PVOID glContext; /**< 0x1248 / 0xbf0 */ NTSTATUS LastStatusValue; /**< 0x1250 / 0xbf4 */ #if ARCH_BITS == 64 uint32_t Padding2; /**< 0x1254 / NA */ #endif UNICODE_STRING StaticUnicodeString; /**< 0x1258 / 0xbf8 */ WCHAR StaticUnicodeBuffer[261]; /**< 0x1268 / 0xc00 */ #if ARCH_BITS == 64 WCHAR Padding3[3]; /**< 0x1472 / NA */ #endif PVOID DeallocationStack; /**< 0x1478 / 0xe0c */ PVOID TlsSlots[64]; /**< 0x1480 / 0xe10 */ LIST_ENTRY TlsLinks; /**< 0x1680 / 0xf10 */ PVOID Vdm; /**< 0x1690 / 0xf18 */ PVOID ReservedForNtRpc; /**< 0x1698 / 0xf1c */ PVOID DbgSsReserved[2]; /**< 0x16a0 / 0xf20 */ uint32_t HardErrorMode; /**< 0x16b0 / 0xf28 - Called HardErrorsAreDisabled in W51. */ #if ARCH_BITS == 64 uint32_t Padding4; /**< 0x16b4 / NA */ #endif PVOID Instrumentation[ARCH_BITS == 64 ? 11 : 9]; /**< 0x16b8 / 0xf2c */ union { struct { GUID ActivityId; /**< 0x1710 / 0xf50 */ PVOID SubProcessTag; /**< 0x1720 / 0xf60 */ } W6, W7, W8, W80, W81; struct { PVOID InstrumentationContinues[ARCH_BITS == 64 ? 3 : 5]; /**< 0x1710 / 0xf50 */ } W52; } Diff2; union /**< 0x1728 / 0xf64 */ { struct { PVOID PerflibData; /**< 0x1728 / 0xf64 */ } W8, W80, W81; struct { PVOID EtwLocalData; /**< 0x1728 / 0xf64 */ } W7, W6; struct { PVOID SubProcessTag; /**< 0x1728 / 0xf64 */ } W52; struct { PVOID InstrumentationContinues[1]; /**< 0x1728 / 0xf64 */ } W51; } Diff3; union { struct { PVOID EtwTraceData; /**< 0x1730 / 0xf68 */ } W52, W6, W7, W8, W80, W81; struct { PVOID InstrumentationContinues[1]; /**< 0x1730 / 0xf68 */ } W51; } Diff4; PVOID WinSockData; /**< 0x1738 / 0xf6c */ uint32_t GdiBatchCount; /**< 0x1740 / 0xf70 */ union { union { PROCESSOR_NUMBER CurrentIdealProcessor; /**< 0x1744 / 0xf74 - W7+ */ uint32_t IdealProcessorValue; /**< 0x1744 / 0xf74 - W7+ */ struct { uint8_t ReservedPad1; /**< 0x1744 / 0xf74 - Called SpareBool0 in W6 */ uint8_t ReservedPad2; /**< 0x1745 / 0xf75 - Called SpareBool0 in W6 */ uint8_t ReservedPad3; /**< 0x1746 / 0xf76 - Called SpareBool0 in W6 */ uint8_t IdealProcessor; /**< 0x1747 / 0xf77 */ }; } W6, W7, W8, W80, W81; struct { BOOLEAN InDbgPrint; /**< 0x1744 / 0xf74 */ BOOLEAN FreeStackOnTermination; /**< 0x1745 / 0xf75 */ BOOLEAN HasFiberData; /**< 0x1746 / 0xf76 */ uint8_t IdealProcessor; /**< 0x1747 / 0xf77 */ } W51, W52; } Diff5; uint32_t GuaranteedStackBytes; /**< 0x1748 / 0xf78 */ #if ARCH_BITS == 64 uint32_t Padding5; /**< 0x174c / NA */ #endif PVOID ReservedForPerf; /**< 0x1750 / 0xf7c */ PVOID ReservedForOle; /**< 0x1758 / 0xf80 */ uint32_t WaitingOnLoaderLock; /**< 0x1760 / 0xf84 */ #if ARCH_BITS == 64 uint32_t Padding6; /**< 0x1764 / NA */ #endif union /**< 0x1770 / 0xf8c */ { struct { PVOID SavedPriorityState; /**< 0x1768 / 0xf88 */ SIZE_T ReservedForCodeCoverage; /**< 0x1770 / 0xf8c */ PVOID ThreadPoolData; /**< 0x1778 / 0xf90 */ } W8, W80, W81; struct { PVOID SavedPriorityState; /**< 0x1768 / 0xf88 */ SIZE_T SoftPatchPtr1; /**< 0x1770 / 0xf8c */ PVOID ThreadPoolData; /**< 0x1778 / 0xf90 */ } W6, W7; struct { PVOID SparePointer1; /**< 0x1768 / 0xf88 */ SIZE_T SoftPatchPtr1; /**< 0x1770 / 0xf8c */ PVOID SoftPatchPtr2; /**< 0x1778 / 0xf90 */ } W52; #if ARCH_BITS == 32 struct _Wx86ThreadState { PVOID CallBx86Eip; /**< NA / 0xf88 */ PVOID DeallocationCpu; /**< NA / 0xf8c */ BOOLEAN UseKnownWx86Dll; /**< NA / 0xf90 */ int8_t OleStubInvoked; /**< NA / 0xf91 */ } W51; #endif } Diff6; PVOID TlsExpansionSlots; /**< 0x1780 / 0xf94 */ #if ARCH_BITS == 64 PVOID DallocationBStore; /**< 0x1788 / NA */ PVOID BStoreLimit; /**< 0x1790 / NA */ #endif union { struct { uint32_t MuiGeneration; /**< 0x1798 / 0xf98 */ } W7, W8, W80, W81; struct { uint32_t ImpersonationLocale; } W6; } Diff7; uint32_t IsImpersonating; /**< 0x179c / 0xf9c */ PVOID NlsCache; /**< 0x17a0 / 0xfa0 */ PVOID pShimData; /**< 0x17a8 / 0xfa4 */ union /**< 0x17b0 / 0xfa8 */ { struct { uint16_t HeapVirtualAffinity; /**< 0x17b0 / 0xfa8 */ uint16_t LowFragHeapDataSlot; /**< 0x17b2 / 0xfaa */ } W8, W80, W81; struct { uint32_t HeapVirtualAffinity; /**< 0x17b0 / 0xfa8 */ } W7; } Diff8; #if ARCH_BITS == 64 uint32_t Padding7; /**< 0x17b4 / NA */ #endif HANDLE CurrentTransactionHandle; /**< 0x17b8 / 0xfac */ struct _TEB_ACTIVE_FRAME *ActiveFrame; /**< 0x17c0 / 0xfb0 */ /* End of TEB in W51 (Windows XP)! */ PVOID FlsData; /**< 0x17c8 / 0xfb4 */ union { struct { PVOID PreferredLanguages; /**< 0x17d0 / 0xfb8 */ } W6, W7, W8, W80, W81; struct { BOOLEAN SafeThunkCall; /**< 0x17d0 / 0xfb8 */ uint8_t BooleanSpare[3]; /**< 0x17d1 / 0xfb9 */ /* End of TEB in W52 (Windows server 2003)! */ } W52; } Diff9; PVOID UserPrefLanguages; /**< 0x17d8 / 0xfbc */ PVOID MergedPrefLanguages; /**< 0x17e0 / 0xfc0 */ uint32_t MuiImpersonation; /**< 0x17e8 / 0xfc4 */ union { uint16_t CrossTebFlags; /**< 0x17ec / 0xfc8 */ struct { uint16_t SpareCrossTebBits : 16; /**< 0x17ec / 0xfc8 : Pos 0, 16 Bits */ }; }; union { uint16_t SameTebFlags; /**< 0x17ee / 0xfca */ struct { uint16_t SafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */ uint16_t InDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */ uint16_t HasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */ uint16_t SkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */ uint16_t WerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */ uint16_t RanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */ uint16_t ClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */ uint16_t SuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */ } Common; struct { uint16_t SafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */ uint16_t InDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */ uint16_t HasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */ uint16_t SkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */ uint16_t WerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */ uint16_t RanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */ uint16_t ClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */ uint16_t SuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */ uint16_t DisableUserStackWalk : 1; /**< 0x17ee / 0xfca : Pos 8, 1 Bit */ uint16_t RtlExceptionAttached : 1; /**< 0x17ee / 0xfca : Pos 9, 1 Bit */ uint16_t InitialThread : 1; /**< 0x17ee / 0xfca : Pos 10, 1 Bit */ uint16_t SessionAware : 1; /**< 0x17ee / 0xfca : Pos 11, 1 Bit - New Since W7. */ uint16_t SpareSameTebBits : 4; /**< 0x17ee / 0xfca : Pos 12, 4 Bits */ } W8, W80, W81; struct { uint16_t SafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */ uint16_t InDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */ uint16_t HasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */ uint16_t SkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */ uint16_t WerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */ uint16_t RanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */ uint16_t ClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */ uint16_t SuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */ uint16_t DisableUserStackWalk : 1; /**< 0x17ee / 0xfca : Pos 8, 1 Bit */ uint16_t RtlExceptionAttached : 1; /**< 0x17ee / 0xfca : Pos 9, 1 Bit */ uint16_t InitialThread : 1; /**< 0x17ee / 0xfca : Pos 10, 1 Bit */ uint16_t SpareSameTebBits : 5; /**< 0x17ee / 0xfca : Pos 12, 4 Bits */ } W7; struct { uint16_t DbgSafeThunkCall : 1; /**< 0x17ee / 0xfca : Pos 0, 1 Bit */ uint16_t DbgInDebugPrint : 1; /**< 0x17ee / 0xfca : Pos 1, 1 Bit */ uint16_t DbgHasFiberData : 1; /**< 0x17ee / 0xfca : Pos 2, 1 Bit */ uint16_t DbgSkipThreadAttach : 1; /**< 0x17ee / 0xfca : Pos 3, 1 Bit */ uint16_t DbgWerInShipAssertCode : 1; /**< 0x17ee / 0xfca : Pos 4, 1 Bit */ uint16_t DbgRanProcessInit : 1; /**< 0x17ee / 0xfca : Pos 5, 1 Bit */ uint16_t DbgClonedThread : 1; /**< 0x17ee / 0xfca : Pos 6, 1 Bit */ uint16_t DbgSuppressDebugMsg : 1; /**< 0x17ee / 0xfca : Pos 7, 1 Bit */ uint16_t SpareSameTebBits : 8; /**< 0x17ee / 0xfca : Pos 8, 8 Bits */ } W6; } Diff10; PVOID TxnScopeEnterCallback; /**< 0x17f0 / 0xfcc */ PVOID TxnScopeExitCallback; /**< 0x17f8 / 0xfd0 */ PVOID TxnScopeContext; /**< 0x1800 / 0xfd4 */ uint32_t LockCount; /**< 0x1808 / 0xfd8 */ union { struct { uint32_t SpareUlong0; /**< 0x180c / 0xfdc */ } W7, W8, W80, W81; struct { uint32_t ProcessRundown; } W6; } Diff11; union { struct { PVOID ResourceRetValue; /**< 0x1810 / 0xfe0 */ /* End of TEB in W7 (windows 7)! */ PVOID ReservedForWdf; /**< 0x1818 / 0xfe4 - New Since W7. */ /* End of TEB in W8 (windows 8.0 & 8.1)! */ PVOID ReservedForCrt; /**< 0x1820 / 0xfe8 - New Since W10. */ RTUUID EffectiveContainerId; /**< 0x1828 / 0xfec - New Since W10. */ /* End of TEB in W10 14393! */ } W8, W80, W81, W10; struct { PVOID ResourceRetValue; /**< 0x1810 / 0xfe0 */ } W7; struct { uint64_t LastSwitchTime; /**< 0x1810 / 0xfe0 */ uint64_t TotalSwitchOutTime; /**< 0x1818 / 0xfe8 */ LARGE_INTEGER WaitReasonBitMap; /**< 0x1820 / 0xff0 */ /* End of TEB in W6 (windows Vista)! */ } W6; } Diff12; } TEB_COMMON; typedef TEB_COMMON *PTEB_COMMON; AssertCompileMemberOffset(TEB_COMMON, ExceptionCode, ARCH_BITS == 64 ? 0x2c0 : 0x1a4); AssertCompileMemberOffset(TEB_COMMON, LastStatusValue, ARCH_BITS == 64 ? 0x1250 : 0xbf4); AssertCompileMemberOffset(TEB_COMMON, DeallocationStack, ARCH_BITS == 64 ? 0x1478 : 0xe0c); AssertCompileMemberOffset(TEB_COMMON, ReservedForNtRpc, ARCH_BITS == 64 ? 0x1698 : 0xf1c); AssertCompileMemberOffset(TEB_COMMON, Instrumentation, ARCH_BITS == 64 ? 0x16b8 : 0xf2c); AssertCompileMemberOffset(TEB_COMMON, Diff2, ARCH_BITS == 64 ? 0x1710 : 0xf50); AssertCompileMemberOffset(TEB_COMMON, Diff3, ARCH_BITS == 64 ? 0x1728 : 0xf64); AssertCompileMemberOffset(TEB_COMMON, Diff4, ARCH_BITS == 64 ? 0x1730 : 0xf68); AssertCompileMemberOffset(TEB_COMMON, WinSockData, ARCH_BITS == 64 ? 0x1738 : 0xf6c); AssertCompileMemberOffset(TEB_COMMON, GuaranteedStackBytes, ARCH_BITS == 64 ? 0x1748 : 0xf78); AssertCompileMemberOffset(TEB_COMMON, MuiImpersonation, ARCH_BITS == 64 ? 0x17e8 : 0xfc4); AssertCompileMemberOffset(TEB_COMMON, LockCount, ARCH_BITS == 64 ? 0x1808 : 0xfd8); AssertCompileSize(TEB_COMMON, ARCH_BITS == 64 ? 0x1838 : 0x1000); /** The size of the windows 8.1 PEB structure. */ #define TEB_SIZE_W10 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W10.EffectiveContainerId) + sizeof(RTUUID) ) /** The size of the windows 8.1 PEB structure. */ #define TEB_SIZE_W81 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W8.ReservedForWdf) + sizeof(PVOID) ) /** The size of the windows 8.0 PEB structure. */ #define TEB_SIZE_W80 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W8.ReservedForWdf) + sizeof(PVOID) ) /** The size of the windows 7 PEB structure. */ #define TEB_SIZE_W7 RT_UOFFSETOF(TEB_COMMON, Diff12.W8.ReservedForWdf) /** The size of the windows vista PEB structure. */ #define TEB_SIZE_W6 ( RT_UOFFSETOF(TEB_COMMON, Diff12.W6.WaitReasonBitMap) + sizeof(LARGE_INTEGER) ) /** The size of the windows server 2003 PEB structure. */ #define TEB_SIZE_W52 RT_ALIGN_Z(RT_UOFFSETOF(TEB_COMMON, Diff9.W52.BooleanSpare), sizeof(PVOID)) /** The size of the windows XP PEB structure. */ #define TEB_SIZE_W51 RT_UOFFSETOF(TEB_COMMON, FlsData) #define _PEB _PEB_COMMON typedef PEB_COMMON PEB; typedef PPEB_COMMON PPEB; #define _TEB _TEB_COMMON typedef TEB_COMMON TEB; typedef PTEB_COMMON PTEB; #if !defined(NtCurrentTeb) && !defined(IPRT_NT_HAVE_CURRENT_TEB_MACRO) # ifdef RT_ARCH_X86 DECL_FORCE_INLINE(PTEB) RTNtCurrentTeb(void) { return (PTEB)__readfsdword(RT_UOFFSETOF(TEB_COMMON, NtTib.Self)); } DECL_FORCE_INLINE(PPEB) RTNtCurrentPeb(void) { return (PPEB)__readfsdword(RT_UOFFSETOF(TEB_COMMON, ProcessEnvironmentBlock)); } DECL_FORCE_INLINE(uint32_t) RTNtCurrentThreadId(void) { return __readfsdword(RT_UOFFSETOF(TEB_COMMON, ClientId.UniqueThread)); } DECL_FORCE_INLINE(NTSTATUS) RTNtLastStatusValue(void) { return (NTSTATUS)__readfsdword(RT_UOFFSETOF(TEB_COMMON, LastStatusValue)); } DECL_FORCE_INLINE(uint32_t) RTNtLastErrorValue(void) { return __readfsdword(RT_UOFFSETOF(TEB_COMMON, LastErrorValue)); } # elif defined(RT_ARCH_AMD64) DECL_FORCE_INLINE(PTEB) RTNtCurrentTeb(void) { return (PTEB)__readgsqword(RT_UOFFSETOF(TEB_COMMON, NtTib.Self)); } DECL_FORCE_INLINE(PPEB) RTNtCurrentPeb(void) { return (PPEB)__readgsqword(RT_UOFFSETOF(TEB_COMMON, ProcessEnvironmentBlock)); } DECL_FORCE_INLINE(uint32_t) RTNtCurrentThreadId(void) { return __readgsdword(RT_UOFFSETOF(TEB_COMMON, ClientId.UniqueThread)); } DECL_FORCE_INLINE(NTSTATUS) RTNtLastStatusValue(void) { return (NTSTATUS)__readgsdword(RT_UOFFSETOF(TEB_COMMON, LastStatusValue)); } DECL_FORCE_INLINE(uint32_t) RTNtLastErrorValue(void) { return __readgsdword(RT_UOFFSETOF(TEB_COMMON, LastErrorValue)); } # else # error "Port me" # endif #else # define RTNtCurrentTeb() ((PTEB)NtCurrentTeb()) # define RTNtCurrentPeb() (RTNtCurrentTeb()->ProcessEnvironmentBlock) # define RTNtCurrentThreadId() ((uint32_t)(uintptr_t)RTNtCurrentTeb()->ClientId.UniqueThread) # define RTNtLastStatusValue() (RTNtCurrentTeb()->LastStatusValue) # define RTNtLastErrorValue() (RTNtCurrentTeb()->LastErrorValue) #endif #define NtCurrentPeb() RTNtCurrentPeb() /** @} */ #ifdef IPRT_NT_USE_WINTERNL NTSYSAPI NTSTATUS NTAPI NtCreateSection(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE); typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap } SECTION_INHERIT; #endif NTSYSAPI NTSTATUS NTAPI NtMapViewOfSection(HANDLE, HANDLE, PVOID *, ULONG, SIZE_T, PLARGE_INTEGER, PSIZE_T, SECTION_INHERIT, ULONG, ULONG); NTSYSAPI NTSTATUS NTAPI NtFlushVirtualMemory(HANDLE, PVOID *, PSIZE_T, PIO_STATUS_BLOCK); NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection(HANDLE, PVOID); #ifdef IPRT_NT_USE_WINTERNL typedef struct _FILE_FS_ATTRIBUTE_INFORMATION { ULONG FileSystemAttributes; LONG MaximumComponentNameLength; ULONG FileSystemNameLength; WCHAR FileSystemName[1]; } FILE_FS_ATTRIBUTE_INFORMATION; typedef FILE_FS_ATTRIBUTE_INFORMATION *PFILE_FS_ATTRIBUTE_INFORMATION; #endif NTSYSAPI NTSTATUS NTAPI NtOpenProcess(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID); NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID); NTSYSAPI NTSTATUS NTAPI NtOpenThread(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID); NTSYSAPI NTSTATUS NTAPI ZwOpenThread(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID); NTSYSAPI NTSTATUS NTAPI NtAlertThread(HANDLE hThread); #ifdef IPRT_NT_USE_WINTERNL NTSYSAPI NTSTATUS NTAPI ZwAlertThread(HANDLE hThread); #endif #ifdef IPRT_NT_USE_WINTERNL NTSYSAPI NTSTATUS NTAPI NtOpenProcessToken(HANDLE, ACCESS_MASK, PHANDLE); NTSYSAPI NTSTATUS NTAPI NtOpenThreadToken(HANDLE, ACCESS_MASK, BOOLEAN, PHANDLE); #endif NTSYSAPI NTSTATUS NTAPI ZwOpenProcessToken(HANDLE, ACCESS_MASK, PHANDLE); NTSYSAPI NTSTATUS NTAPI ZwOpenThreadToken(HANDLE, ACCESS_MASK, BOOLEAN, PHANDLE); #ifdef IPRT_NT_USE_WINTERNL typedef struct _FILE_FS_SIZE_INFORMATION { LARGE_INTEGER TotalAllocationUnits; LARGE_INTEGER AvailableAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_SIZE_INFORMATION; typedef FILE_FS_SIZE_INFORMATION *PFILE_FS_SIZE_INFORMATION; typedef enum _FSINFOCLASS { FileFsVolumeInformation = 1, FileFsLabelInformation, FileFsSizeInformation, /**< FILE_FS_SIZE_INFORMATION */ FileFsDeviceInformation, FileFsAttributeInformation, FileFsControlInformation, FileFsFullSizeInformation, FileFsObjectIdInformation, FileFsDriverPathInformation, FileFsVolumeFlagsInformation, FileFsSectorSizeInformation, FileFsDataCopyInformation, FileFsMaximumInformation } FS_INFORMATION_CLASS; typedef FS_INFORMATION_CLASS *PFS_INFORMATION_CLASS; NTSYSAPI NTSTATUS NTAPI NtQueryVolumeInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FS_INFORMATION_CLASS); typedef struct _FILE_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; /**< 0x00: */ ULONG FileIndex; /**< 0x04: */ LARGE_INTEGER CreationTime; /**< 0x08: */ LARGE_INTEGER LastAccessTime; /**< 0x10: */ LARGE_INTEGER LastWriteTime; /**< 0x18: */ LARGE_INTEGER ChangeTime; /**< 0x20: */ LARGE_INTEGER EndOfFile; /**< 0x28: */ LARGE_INTEGER AllocationSize; /**< 0x30: */ ULONG FileAttributes; /**< 0x38: */ ULONG FileNameLength; /**< 0x3c: */ ULONG EaSize; /**< 0x40: */ CCHAR ShortNameLength; /**< 0x44: */ WCHAR ShortName[12]; /**< 0x46: */ WCHAR FileName[1]; /**< 0x5e: */ } FILE_BOTH_DIR_INFORMATION; typedef FILE_BOTH_DIR_INFORMATION *PFILE_BOTH_DIR_INFORMATION; typedef struct _FILE_BASIC_INFORMATION { LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; ULONG FileAttributes; } FILE_BASIC_INFORMATION; typedef FILE_BASIC_INFORMATION *PFILE_BASIC_INFORMATION; typedef struct _FILE_STANDARD_INFORMATION { LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG NumberOfLinks; BOOLEAN DeletePending; BOOLEAN Directory; } FILE_STANDARD_INFORMATION; typedef FILE_STANDARD_INFORMATION *PFILE_STANDARD_INFORMATION; typedef struct _FILE_NAME_INFORMATION { ULONG FileNameLength; WCHAR FileName[1]; } FILE_NAME_INFORMATION; typedef FILE_NAME_INFORMATION *PFILE_NAME_INFORMATION; typedef struct _FILE_NETWORK_OPEN_INFORMATION { LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER AllocationSize; LARGE_INTEGER EndOfFile; ULONG FileAttributes; } FILE_NETWORK_OPEN_INFORMATION; typedef FILE_NETWORK_OPEN_INFORMATION *PFILE_NETWORK_OPEN_INFORMATION; typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, FileFullDirectoryInformation, FileBothDirectoryInformation, FileBasicInformation, FileStandardInformation, FileInternalInformation, FileEaInformation, FileAccessInformation, FileNameInformation, FileRenameInformation, FileLinkInformation, FileNamesInformation, FileDispositionInformation, FilePositionInformation, FileFullEaInformation, FileModeInformation, FileAlignmentInformation, FileAllInformation, FileAllocationInformation, FileEndOfFileInformation, FileAlternateNameInformation, FileStreamInformation, FilePipeInformation, FilePipeLocalInformation, FilePipeRemoteInformation, FileMailslotQueryInformation, FileMailslotSetInformation, FileCompressionInformation, FileObjectIdInformation, FileCompletionInformation, FileMoveClusterInformation, FileQuotaInformation, FileReparsePointInformation, FileNetworkOpenInformation, FileAttributeTagInformation, FileTrackingInformation, FileIdBothDirectoryInformation, FileIdFullDirectoryInformation, FileValidDataLengthInformation, FileShortNameInformation, FileIoCompletionNotificationInformation, FileIoStatusBlockRangeInformation, FileIoPriorityHintInformation, FileSfioReserveInformation, FileSfioVolumeInformation, FileHardLinkInformation, FileProcessIdsUsingFileInformation, FileNormalizedNameInformation, FileNetworkPhysicalNameInformation, FileIdGlobalTxDirectoryInformation, FileIsRemoteDeviceInformation, FileUnusedInformation, FileNumaNodeInformation, FileStandardLinkInformation, FileRemoteProtocolInformation, FileRenameInformationBypassAccessCheck, FileLinkInformationBypassAccessCheck, FileVolumeNameInformation, FileIdInformation, FileIdExtdDirectoryInformation, FileReplaceCompletionInformation, FileHardLinkFullIdInformation, FileMaximumInformation } FILE_INFORMATION_CLASS; typedef FILE_INFORMATION_CLASS *PFILE_INFORMATION_CLASS; NTSYSAPI NTSTATUS NTAPI NtQueryInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS); NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFile(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN); NTSYSAPI NTSTATUS NTAPI NtSetInformationFile(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS); #endif /* IPRT_NT_USE_WINTERNL */ NTSYSAPI NTSTATUS NTAPI NtQueryAttributesFile(POBJECT_ATTRIBUTES, PFILE_BASIC_INFORMATION); NTSYSAPI NTSTATUS NTAPI NtQueryFullAttributesFile(POBJECT_ATTRIBUTES, PFILE_NETWORK_OPEN_INFORMATION); /** @name SE_GROUP_XXX - Attributes returned with TokenGroup and others. * @{ */ #ifndef SE_GROUP_MANDATORY # define SE_GROUP_MANDATORY UINT32_C(0x01) #endif #ifndef SE_GROUP_ENABLED_BY_DEFAULT # define SE_GROUP_ENABLED_BY_DEFAULT UINT32_C(0x02) #endif #ifndef SE_GROUP_ENABLED # define SE_GROUP_ENABLED UINT32_C(0x04) #endif #ifndef SE_GROUP_OWNER # define SE_GROUP_OWNER UINT32_C(0x08) #endif #ifndef SE_GROUP_USE_FOR_DENY_ONLY # define SE_GROUP_USE_FOR_DENY_ONLY UINT32_C(0x10) #endif #ifndef SE_GROUP_INTEGRITY # define SE_GROUP_INTEGRITY UINT32_C(0x20) #endif #ifndef SE_GROUP_INTEGRITY_ENABLED # define SE_GROUP_INTEGRITY_ENABLED UINT32_C(0x40) #endif #ifndef SE_GROUP_RESOURCE # define SE_GROUP_RESOURCE UINT32_C(0x20000000) #endif #ifndef SE_GROUP_LOGON_ID # define SE_GROUP_LOGON_ID UINT32_C(0xc0000000) #endif /** @} */ #ifdef IPRT_NT_USE_WINTERNL /** For use with KeyBasicInformation. */ typedef struct _KEY_BASIC_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[1]; } KEY_BASIC_INFORMATION; typedef KEY_BASIC_INFORMATION *PKEY_BASIC_INFORMATION; /** For use with KeyNodeInformation. */ typedef struct _KEY_NODE_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG ClassOffset; /**< Offset from the start of the structure. */ ULONG ClassLength; ULONG NameLength; WCHAR Name[1]; } KEY_NODE_INFORMATION; typedef KEY_NODE_INFORMATION *PKEY_NODE_INFORMATION; /** For use with KeyFullInformation. */ typedef struct _KEY_FULL_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG ClassOffset; /**< Offset of the Class member. */ ULONG ClassLength; ULONG SubKeys; ULONG MaxNameLen; ULONG MaxClassLen; ULONG Values; ULONG MaxValueNameLen; ULONG MaxValueDataLen; WCHAR Class[1]; } KEY_FULL_INFORMATION; typedef KEY_FULL_INFORMATION *PKEY_FULL_INFORMATION; /** For use with KeyNameInformation. */ typedef struct _KEY_NAME_INFORMATION { ULONG NameLength; WCHAR Name[1]; } KEY_NAME_INFORMATION; typedef KEY_NAME_INFORMATION *PKEY_NAME_INFORMATION; /** For use with KeyCachedInformation. */ typedef struct _KEY_CACHED_INFORMATION { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG SubKeys; ULONG MaxNameLen; ULONG Values; ULONG MaxValueNameLen; ULONG MaxValueDataLen; ULONG NameLength; } KEY_CACHED_INFORMATION; typedef KEY_CACHED_INFORMATION *PKEY_CACHED_INFORMATION; /** For use with KeyVirtualizationInformation. */ typedef struct _KEY_VIRTUALIZATION_INFORMATION { ULONG VirtualizationCandidate : 1; ULONG VirtualizationEnabled : 1; ULONG VirtualTarget : 1; ULONG VirtualStore : 1; ULONG VirtualSource : 1; ULONG Reserved : 27; } KEY_VIRTUALIZATION_INFORMATION; typedef KEY_VIRTUALIZATION_INFORMATION *PKEY_VIRTUALIZATION_INFORMATION; typedef enum _KEY_INFORMATION_CLASS { KeyBasicInformation = 0, KeyNodeInformation, KeyFullInformation, KeyNameInformation, KeyCachedInformation, KeyFlagsInformation, KeyVirtualizationInformation, KeyHandleTagsInformation, MaxKeyInfoClass } KEY_INFORMATION_CLASS; NTSYSAPI NTSTATUS NTAPI NtQueryKey(HANDLE, KEY_INFORMATION_CLASS, PVOID, ULONG, PULONG); NTSYSAPI NTSTATUS NTAPI NtEnumerateKey(HANDLE, ULONG, KEY_INFORMATION_CLASS, PVOID, ULONG, PULONG); typedef struct _MEMORY_SECTION_NAME { UNICODE_STRING SectionFileName; WCHAR NameBuffer[1]; } MEMORY_SECTION_NAME; #ifdef IPRT_NT_USE_WINTERNL typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; PPEB PebBaseAddress; ULONG_PTR AffinityMask; int32_t BasePriority; ULONG_PTR UniqueProcessId; ULONG_PTR InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION; typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; #endif typedef enum _PROCESSINFOCLASS { ProcessBasicInformation = 0, /**< 0 / 0x00 */ ProcessQuotaLimits, /**< 1 / 0x01 */ ProcessIoCounters, /**< 2 / 0x02 */ ProcessVmCounters, /**< 3 / 0x03 */ ProcessTimes, /**< 4 / 0x04 */ ProcessBasePriority, /**< 5 / 0x05 */ ProcessRaisePriority, /**< 6 / 0x06 */ ProcessDebugPort, /**< 7 / 0x07 */ ProcessExceptionPort, /**< 8 / 0x08 */ ProcessAccessToken, /**< 9 / 0x09 */ ProcessLdtInformation, /**< 10 / 0x0a */ ProcessLdtSize, /**< 11 / 0x0b */ ProcessDefaultHardErrorMode, /**< 12 / 0x0c */ ProcessIoPortHandlers, /**< 13 / 0x0d */ ProcessPooledUsageAndLimits, /**< 14 / 0x0e */ ProcessWorkingSetWatch, /**< 15 / 0x0f */ ProcessUserModeIOPL, /**< 16 / 0x10 */ ProcessEnableAlignmentFaultFixup, /**< 17 / 0x11 */ ProcessPriorityClass, /**< 18 / 0x12 */ ProcessWx86Information, /**< 19 / 0x13 */ ProcessHandleCount, /**< 20 / 0x14 */ ProcessAffinityMask, /**< 21 / 0x15 */ ProcessPriorityBoost, /**< 22 / 0x16 */ ProcessDeviceMap, /**< 23 / 0x17 */ ProcessSessionInformation, /**< 24 / 0x18 */ ProcessForegroundInformation, /**< 25 / 0x19 */ ProcessWow64Information, /**< 26 / 0x1a */ ProcessImageFileName, /**< 27 / 0x1b */ ProcessLUIDDeviceMapsEnabled, /**< 28 / 0x1c */ ProcessBreakOnTermination, /**< 29 / 0x1d */ ProcessDebugObjectHandle, /**< 30 / 0x1e */ ProcessDebugFlags, /**< 31 / 0x1f */ ProcessHandleTracing, /**< 32 / 0x20 */ ProcessIoPriority, /**< 33 / 0x21 */ ProcessExecuteFlags, /**< 34 / 0x22 */ ProcessTlsInformation, /**< 35 / 0x23 */ ProcessCookie, /**< 36 / 0x24 */ ProcessImageInformation, /**< 37 / 0x25 */ ProcessCycleTime, /**< 38 / 0x26 */ ProcessPagePriority, /**< 39 / 0x27 */ ProcessInstrumentationCallbak, /**< 40 / 0x28 */ ProcessThreadStackAllocation, /**< 41 / 0x29 */ ProcessWorkingSetWatchEx, /**< 42 / 0x2a */ ProcessImageFileNameWin32, /**< 43 / 0x2b */ ProcessImageFileMapping, /**< 44 / 0x2c */ ProcessAffinityUpdateMode, /**< 45 / 0x2d */ ProcessMemoryAllocationMode, /**< 46 / 0x2e */ ProcessGroupInformation, /**< 47 / 0x2f */ ProcessTokenVirtualizationEnabled, /**< 48 / 0x30 */ ProcessOwnerInformation, /**< 49 / 0x31 */ ProcessWindowInformation, /**< 50 / 0x32 */ ProcessHandleInformation, /**< 51 / 0x33 */ ProcessMitigationPolicy, /**< 52 / 0x34 */ ProcessDynamicFunctionTableInformation, /**< 53 / 0x35 */ ProcessHandleCheckingMode, /**< 54 / 0x36 */ ProcessKeepAliveCount, /**< 55 / 0x37 */ ProcessRevokeFileHandles, /**< 56 / 0x38 */ ProcessWorkingSetControl, /**< 57 / 0x39 */ ProcessHandleTable, /**< 58 / 0x3a */ ProcessCheckStackExtentsMode, /**< 59 / 0x3b */ ProcessCommandLineInformation, /**< 60 / 0x3c */ ProcessProtectionInformation, /**< 61 / 0x3d */ ProcessMemoryExhaustion, /**< 62 / 0x3e */ ProcessFaultInformation, /**< 63 / 0x3f */ ProcessTelemetryIdInformation, /**< 64 / 0x40 */ ProcessCommitReleaseInformation, /**< 65 / 0x41 */ ProcessDefaultCpuSetsInformation, /**< 66 / 0x42 - aka ProcessReserved1Information */ ProcessAllowedCpuSetsInformation, /**< 67 / 0x43 - aka ProcessReserved2Information; PROCESS_SET_LIMITED_INFORMATION & audiog.exe; W10 */ ProcessSubsystemProcess, /**< 68 / 0x44 */ ProcessJobMemoryInformation, /**< 69 / 0x45 */ ProcessInPrivate, /**< 70 / 0x46 */ ProcessRaiseUMExceptionOnInvalidHandleClose,/**< 71 / 0x47 */ ProcessIumChallengeResponse, /**< 72 / 0x48 */ ProcessChildProcessInformation, /**< 73 / 0x49 */ ProcessHighGraphicsPriorityInformation, /**< 74 / 0x4a */ ProcessSubsystemInformation, /**< 75 / 0x4b */ ProcessEnergyValues, /**< 76 / 0x4c */ ProcessPowerThrottlingState, /**< 77 / 0x4d */ ProcessReserved3Information, /**< 78 / 0x4e */ ProcessWin32kSyscallFilterInformation, /**< 79 / 0x4f */ ProcessDisableSystemAllowedCpuSets, /**< 80 / 0x50 */ ProcessWakeInformation, /**< 81 / 0x51 */ ProcessEnergyTrackingState, /**< 82 / 0x52 */ ProcessManageWritesToExecutableMemory, /**< 83 / 0x53 */ ProcessCaptureTrustletLiveDump, /**< 84 / 0x54 */ ProcessTelemetryCoverage, /**< 85 / 0x55 */ ProcessEnclaveInformation, /**< 86 / 0x56 */ ProcessEnableReadWriteVmLogging, /**< 87 / 0x57 */ ProcessUptimeInformation, /**< 88 / 0x58 */ ProcessImageSection, /**< 89 / 0x59 */ ProcessDebugAuthInformation, /**< 90 / 0x5a */ ProcessSystemResourceManagement, /**< 92 / 0x5b */ ProcessSequenceNumber, /**< 93 / 0x5c */ MaxProcessInfoClass } PROCESSINFOCLASS; AssertCompile(ProcessSequenceNumber == 0x5c); NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); #if ARCH_BITS == 32 /** 64-bit API pass thru to WOW64 processes. */ NTSYSAPI NTSTATUS NTAPI NtWow64QueryInformationProcess64(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG); #endif typedef enum _THREADINFOCLASS { ThreadBasicInformation = 0, ThreadTimes, ThreadPriority, ThreadBasePriority, ThreadAffinityMask, ThreadImpersonationToken, ThreadDescriptorTableEntry, ThreadEnableAlignmentFaultFixup, ThreadEventPair_Reusable, ThreadQuerySetWin32StartAddress, ThreadZeroTlsCell, ThreadPerformanceCount, ThreadAmILastThread, ThreadIdealProcessor, ThreadPriorityBoost, ThreadSetTlsArrayAddress, ThreadIsIoPending, ThreadHideFromDebugger, ThreadBreakOnTermination, ThreadSwitchLegacyState, ThreadIsTerminated, ThreadLastSystemCall, ThreadIoPriority, ThreadCycleTime, ThreadPagePriority, ThreadActualBasePriority, ThreadTebInformation, ThreadCSwitchMon, ThreadCSwitchPmu, ThreadWow64Context, ThreadGroupInformation, ThreadUmsInformation, ThreadCounterProfiling, ThreadIdealProcessorEx, ThreadCpuAccountingInformation, MaxThreadInfoClass } THREADINFOCLASS; NTSYSAPI NTSTATUS NTAPI NtSetInformationThread(HANDLE, THREADINFOCLASS, LPCVOID, ULONG); NTSYSAPI NTSTATUS NTAPI NtQueryInformationToken(HANDLE, TOKEN_INFORMATION_CLASS, PVOID, ULONG, PULONG); NTSYSAPI NTSTATUS NTAPI ZwQueryInformationToken(HANDLE, TOKEN_INFORMATION_CLASS, PVOID, ULONG, PULONG); NTSYSAPI NTSTATUS NTAPI NtReadFile(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG); NTSYSAPI NTSTATUS NTAPI NtWriteFile(HANDLE, HANDLE, PIO_APC_ROUTINE, void const *, PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG); NTSYSAPI NTSTATUS NTAPI NtFlushBuffersFile(HANDLE, PIO_STATUS_BLOCK); NTSYSAPI NTSTATUS NTAPI NtCancelIoFile(HANDLE, PIO_STATUS_BLOCK); NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemory(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T); NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory(HANDLE, PVOID, void const *, SIZE_T, PSIZE_T); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAce(PACL, ULONG, ULONG, PSID); NTSYSAPI NTSTATUS NTAPI RtlCopySid(ULONG, PSID, PSID); NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL, ULONG, ULONG); NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(PSECURITY_DESCRIPTOR, ULONG); NTSYSAPI BOOLEAN NTAPI RtlEqualSid(PSID, PSID); NTSYSAPI NTSTATUS NTAPI RtlGetVersion(PRTL_OSVERSIONINFOW); NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(PSID, PSID_IDENTIFIER_AUTHORITY, UCHAR); NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN); NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(PSID, ULONG); #endif /* IPRT_NT_USE_WINTERNL */ /** For use with ObjectHandleFlagInformation. */ typedef struct _OBJECT_HANDLE_FLAG_INFORMATION { BOOLEAN Inherit; BOOLEAN ProtectFromClose; } OBJECT_HANDLE_FLAG_INFORMATION; typedef OBJECT_HANDLE_FLAG_INFORMATION *POBJECT_HANDLE_FLAG_INFORMATION; typedef enum _OBJECT_INFORMATION_CLASS { ObjectBasicInformation = 0, ObjectNameInformation, ObjectTypeInformation, ObjectAllInformation, ObjectHandleFlagInformation, ObjectSessionInformation, MaxObjectInfoClass } OBJECT_INFORMATION_CLASS; typedef OBJECT_INFORMATION_CLASS *POBJECT_INFORMATION_CLASS; #ifdef IN_RING0 # define NtQueryObject ZwQueryObject #endif NTSYSAPI NTSTATUS NTAPI NtQueryObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG); NTSYSAPI NTSTATUS NTAPI NtSetInformationObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG); NTSYSAPI NTSTATUS NTAPI NtDuplicateObject(HANDLE, HANDLE, HANDLE, PHANDLE, ACCESS_MASK, ULONG, ULONG); NTSYSAPI NTSTATUS NTAPI NtOpenDirectoryObject(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); typedef struct _OBJECT_DIRECTORY_INFORMATION { UNICODE_STRING Name; UNICODE_STRING TypeName; } OBJECT_DIRECTORY_INFORMATION; typedef OBJECT_DIRECTORY_INFORMATION *POBJECT_DIRECTORY_INFORMATION; NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryObject(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG); NTSYSAPI NTSTATUS NTAPI NtSuspendProcess(HANDLE); NTSYSAPI NTSTATUS NTAPI NtResumeProcess(HANDLE); /** @name ProcessDefaultHardErrorMode bit definitions. * @{ */ #define PROCESS_HARDERR_CRITICAL_ERROR UINT32_C(0x00000001) /**< Inverted from the win32 define. */ #define PROCESS_HARDERR_NO_GP_FAULT_ERROR UINT32_C(0x00000002) #define PROCESS_HARDERR_NO_ALIGNMENT_FAULT_ERROR UINT32_C(0x00000004) #define PROCESS_HARDERR_NO_OPEN_FILE_ERROR UINT32_C(0x00008000) /** @} */ NTSYSAPI NTSTATUS NTAPI NtSetInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG); NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(HANDLE, LONG); /** Returned by NtQUerySection with SectionBasicInformation. */ typedef struct _SECTION_BASIC_INFORMATION { PVOID BaseAddress; ULONG AllocationAttributes; LARGE_INTEGER MaximumSize; } SECTION_BASIC_INFORMATION; typedef SECTION_BASIC_INFORMATION *PSECTION_BASIC_INFORMATION; /** Retured by ProcessImageInformation as well as NtQuerySection. */ typedef struct _SECTION_IMAGE_INFORMATION { PVOID TransferAddress; ULONG ZeroBits; SIZE_T MaximumStackSize; SIZE_T CommittedStackSize; ULONG SubSystemType; union { struct { USHORT SubSystemMinorVersion; USHORT SubSystemMajorVersion; }; ULONG SubSystemVersion; }; ULONG GpValue; USHORT ImageCharacteristics; USHORT DllCharacteristics; USHORT Machine; BOOLEAN ImageContainsCode; union /**< Since Vista, used to be a spare BOOLEAN. */ { struct { UCHAR ComPlusNativeRead : 1; UCHAR ComPlusILOnly : 1; UCHAR ImageDynamicallyRelocated : 1; UCHAR ImageMAppedFlat : 1; UCHAR Reserved : 4; }; UCHAR ImageFlags; }; ULONG LoaderFlags; ULONG ImageFileSize; /**< Since XP? */ ULONG CheckSum; /**< Since Vista, Used to be a reserved/spare ULONG. */ } SECTION_IMAGE_INFORMATION; typedef SECTION_IMAGE_INFORMATION *PSECTION_IMAGE_INFORMATION; typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation = 0, SectionImageInformation, MaxSectionInfoClass } SECTION_INFORMATION_CLASS; NTSYSAPI NTSTATUS NTAPI NtQuerySection(HANDLE, SECTION_INFORMATION_CLASS, PVOID, SIZE_T, PSIZE_T); NTSYSAPI NTSTATUS NTAPI NtCreateSymbolicLinkObject(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PUNICODE_STRING pTarget); NTSYSAPI NTSTATUS NTAPI NtOpenSymbolicLinkObject(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); NTSYSAPI NTSTATUS NTAPI NtQuerySymbolicLinkObject(HANDLE, PUNICODE_STRING, PULONG); #ifndef SYMBOLIC_LINK_QUERY # define SYMBOLIC_LINK_QUERY UINT32_C(0x00000001) #endif #ifndef SYMBOLIC_LINK_ALL_ACCESS # define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY) #endif NTSYSAPI NTSTATUS NTAPI NtQueryInformationThread(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG); NTSYSAPI NTSTATUS NTAPI NtResumeThread(HANDLE, PULONG); NTSYSAPI NTSTATUS NTAPI NtSuspendThread(HANDLE, PULONG); NTSYSAPI NTSTATUS NTAPI NtTerminateThread(HANDLE, LONG); NTSYSAPI NTSTATUS NTAPI NtGetContextThread(HANDLE, PCONTEXT); NTSYSAPI NTSTATUS NTAPI NtSetContextThread(HANDLE, PCONTEXT); NTSYSAPI NTSTATUS NTAPI ZwYieldExecution(void); #ifndef SEC_FILE # define SEC_FILE UINT32_C(0x00800000) #endif #ifndef SEC_IMAGE # define SEC_IMAGE UINT32_C(0x01000000) #endif #ifndef SEC_PROTECTED_IMAGE # define SEC_PROTECTED_IMAGE UINT32_C(0x02000000) #endif #ifndef SEC_NOCACHE # define SEC_NOCACHE UINT32_C(0x10000000) #endif #ifndef MEM_ROTATE # define MEM_ROTATE UINT32_C(0x00800000) #endif typedef enum _MEMORY_INFORMATION_CLASS { MemoryBasicInformation = 0, MemoryWorkingSetList, MemorySectionName, MemoryBasicVlmInformation } MEMORY_INFORMATION_CLASS; #ifdef IN_RING0 typedef struct _MEMORY_BASIC_INFORMATION { PVOID BaseAddress; PVOID AllocationBase; ULONG AllocationProtect; SIZE_T RegionSize; ULONG State; ULONG Protect; ULONG Type; } MEMORY_BASIC_INFORMATION; typedef MEMORY_BASIC_INFORMATION *PMEMORY_BASIC_INFORMATION; # define NtQueryVirtualMemory ZwQueryVirtualMemory #endif NTSYSAPI NTSTATUS NTAPI NtQueryVirtualMemory(HANDLE, void const *, MEMORY_INFORMATION_CLASS, PVOID, SIZE_T, PSIZE_T); #ifdef IPRT_NT_USE_WINTERNL NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemory(HANDLE, PVOID *, ULONG, PSIZE_T, ULONG, ULONG); #endif NTSYSAPI NTSTATUS NTAPI NtFreeVirtualMemory(HANDLE, PVOID *, PSIZE_T, ULONG); NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory(HANDLE, PVOID *, PSIZE_T, ULONG, PULONG); typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation = 0, SystemCpuInformation, SystemPerformanceInformation, SystemTimeOfDayInformation, SystemInformation_Unknown_4, SystemProcessInformation, SystemInformation_Unknown_6, SystemInformation_Unknown_7, SystemProcessorPerformanceInformation, SystemInformation_Unknown_9, SystemInformation_Unknown_10, SystemModuleInformation, SystemInformation_Unknown_12, SystemInformation_Unknown_13, SystemInformation_Unknown_14, SystemInformation_Unknown_15, SystemHandleInformation, SystemInformation_Unknown_17, SystemPageFileInformation, SystemInformation_Unknown_19, SystemInformation_Unknown_20, SystemCacheInformation, SystemInformation_Unknown_22, SystemInterruptInformation, SystemDpcBehaviourInformation, SystemFullMemoryInformation, SystemLoadGdiDriverInformation, /* 26 */ SystemUnloadGdiDriverInformation, /* 27 */ SystemTimeAdjustmentInformation, SystemSummaryMemoryInformation, SystemInformation_Unknown_30, SystemInformation_Unknown_31, SystemInformation_Unknown_32, SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemInformation_Unknown_38, SystemInformation_Unknown_39, SystemInformation_Unknown_40, SystemInformation_Unknown_41, SystemInformation_Unknown_42, SystemInformation_Unknown_43, SystemCurrentTimeZoneInformation, SystemLookasideInformation, SystemSetTimeSlipEvent, SystemCreateSession, SystemDeleteSession, SystemInformation_Unknown_49, SystemRangeStartInformation, SystemVerifierInformation, SystemInformation_Unknown_52, SystemSessionProcessInformation, SystemLoadGdiDriverInSystemSpaceInformation, /* 54 */ SystemInformation_Unknown_55, SystemInformation_Unknown_56, SystemExtendedProcessInformation, SystemInformation_Unknown_58, SystemInformation_Unknown_59, SystemInformation_Unknown_60, SystemInformation_Unknown_61, SystemInformation_Unknown_62, SystemInformation_Unknown_63, SystemExtendedHandleInformation, /* 64 */ SystemInformation_Unknown_65, SystemInformation_Unknown_66, SystemInformation_Unknown_67, SystemInformation_Unknown_68, SystemInformation_HotPatchInfo, /* 69 */ SystemInformation_Unknown_70, SystemInformation_Unknown_71, SystemInformation_Unknown_72, SystemInformation_Unknown_73, SystemInformation_Unknown_74, SystemInformation_Unknown_75, SystemInformation_Unknown_76, SystemInformation_Unknown_77, SystemInformation_Unknown_78, SystemInformation_Unknown_79, SystemInformation_Unknown_80, SystemInformation_Unknown_81, SystemInformation_Unknown_82, SystemInformation_Unknown_83, SystemInformation_Unknown_84, SystemInformation_Unknown_85, SystemInformation_Unknown_86, SystemInformation_Unknown_87, SystemInformation_Unknown_88, SystemInformation_Unknown_89, SystemInformation_Unknown_90, SystemInformation_Unknown_91, SystemInformation_Unknown_92, SystemInformation_Unknown_93, SystemInformation_Unknown_94, SystemInformation_Unknown_95, SystemInformation_KiOpPrefetchPatchCount, /* 96 */ SystemInformation_Unknown_97, SystemInformation_Unknown_98, SystemInformation_Unknown_99, SystemInformation_Unknown_100, SystemInformation_Unknown_101, SystemInformation_Unknown_102, SystemInformation_Unknown_103, SystemInformation_Unknown_104, SystemInformation_Unknown_105, SystemInformation_Unknown_107, SystemInformation_GetLogicalProcessorInformationEx, /* 107 */ /** @todo fill gap. they've added a whole bunch of things */ SystemPolicyInformation = 134, SystemInformationClassMax } SYSTEM_INFORMATION_CLASS; #ifdef IPRT_NT_USE_WINTERNL typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; } VM_COUNTERS; typedef VM_COUNTERS *PVM_COUNTERS; #endif #if 0 typedef struct _IO_COUNTERS { ULONGLONG ReadOperationCount; ULONGLONG WriteOperationCount; ULONGLONG OtherOperationCount; ULONGLONG ReadTransferCount; ULONGLONG WriteTransferCount; ULONGLONG OtherTransferCount; } IO_COUNTERS; typedef IO_COUNTERS *PIO_COUNTERS; #endif typedef struct _RTNT_SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; /**< 0x00 / 0x00 */ ULONG NumberOfThreads; /**< 0x04 / 0x04 */ LARGE_INTEGER Reserved1[3]; /**< 0x08 / 0x08 */ LARGE_INTEGER CreationTime; /**< 0x20 / 0x20 */ LARGE_INTEGER UserTime; /**< 0x28 / 0x28 */ LARGE_INTEGER KernelTime; /**< 0x30 / 0x30 */ UNICODE_STRING ProcessName; /**< 0x38 / 0x38 Clean unicode encoding? */ int32_t BasePriority; /**< 0x40 / 0x48 */ HANDLE UniqueProcessId; /**< 0x44 / 0x50 */ HANDLE ParentProcessId; /**< 0x48 / 0x58 */ ULONG HandleCount; /**< 0x4c / 0x60 */ ULONG Reserved2; /**< 0x50 / 0x64 Session ID? */ ULONG_PTR Reserved3; /**< 0x54 / 0x68 */ VM_COUNTERS VmCounters; /**< 0x58 / 0x70 */ IO_COUNTERS IoCounters; /**< 0x88 / 0xd0 Might not be present in earlier windows versions. */ /* After this follows the threads, then the ProcessName.Buffer. */ } RTNT_SYSTEM_PROCESS_INFORMATION; typedef RTNT_SYSTEM_PROCESS_INFORMATION *PRTNT_SYSTEM_PROCESS_INFORMATION; #ifndef IPRT_NT_USE_WINTERNL typedef RTNT_SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFORMATION; typedef SYSTEM_PROCESS_INFORMATION *PSYSTEM_PROCESS_INFORMATION; #endif typedef struct _SYSTEM_HANDLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_ENTRY_INFO; typedef SYSTEM_HANDLE_ENTRY_INFO *PSYSTEM_HANDLE_ENTRY_INFO; /** Returned by SystemHandleInformation */ typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; SYSTEM_HANDLE_ENTRY_INFO Handles[1]; } SYSTEM_HANDLE_INFORMATION; typedef SYSTEM_HANDLE_INFORMATION *PSYSTEM_HANDLE_INFORMATION; /** Extended handle information entry. * @remarks 3 x PVOID + 4 x ULONG = 28 bytes on 32-bit / 40 bytes on 64-bit */ typedef struct _SYSTEM_HANDLE_ENTRY_INFO_EX { PVOID Object; HANDLE UniqueProcessId; HANDLE HandleValue; ACCESS_MASK GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; } SYSTEM_HANDLE_ENTRY_INFO_EX; typedef SYSTEM_HANDLE_ENTRY_INFO_EX *PSYSTEM_HANDLE_ENTRY_INFO_EX; /** Returned by SystemExtendedHandleInformation. */ typedef struct _SYSTEM_HANDLE_INFORMATION_EX { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; SYSTEM_HANDLE_ENTRY_INFO_EX Handles[1]; } SYSTEM_HANDLE_INFORMATION_EX; typedef SYSTEM_HANDLE_INFORMATION_EX *PSYSTEM_HANDLE_INFORMATION_EX; /** Returned by SystemSessionProcessInformation. */ typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION { ULONG SessionId; ULONG BufferLength; /** Return buffer, SYSTEM_PROCESS_INFORMATION entries. */ PVOID Buffer; } SYSTEM_SESSION_PROCESS_INFORMATION; typedef SYSTEM_SESSION_PROCESS_INFORMATION *PSYSTEM_SESSION_PROCESS_INFORMATION; typedef struct _RTL_PROCESS_MODULE_INFORMATION { HANDLE Section; /**< 0x00 / 0x00 */ PVOID MappedBase; /**< 0x04 / 0x08 */ PVOID ImageBase; /**< 0x08 / 0x10 */ ULONG ImageSize; /**< 0x0c / 0x18 */ ULONG Flags; /**< 0x10 / 0x1c */ USHORT LoadOrderIndex; /**< 0x14 / 0x20 */ USHORT InitOrderIndex; /**< 0x16 / 0x22 */ USHORT LoadCount; /**< 0x18 / 0x24 */ USHORT OffsetToFileName; /**< 0x1a / 0x26 */ UCHAR FullPathName[256]; /**< 0x1c / 0x28 */ } RTL_PROCESS_MODULE_INFORMATION; typedef RTL_PROCESS_MODULE_INFORMATION *PRTL_PROCESS_MODULE_INFORMATION; /** Returned by SystemModuleInformation. */ typedef struct _RTL_PROCESS_MODULES { ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[1]; /**< 0x04 / 0x08 */ } RTL_PROCESS_MODULES; typedef RTL_PROCESS_MODULES *PRTL_PROCESS_MODULES; NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); #ifndef IPRT_NT_MAP_TO_ZW NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); #endif NTSYSAPI NTSTATUS NTAPI NtSetTimerResolution(ULONG cNtTicksWanted, BOOLEAN fSetResolution, PULONG pcNtTicksCur); NTSYSAPI NTSTATUS NTAPI NtQueryTimerResolution(PULONG pcNtTicksMin, PULONG pcNtTicksMax, PULONG pcNtTicksCur); NTSYSAPI NTSTATUS NTAPI NtDelayExecution(BOOLEAN, PLARGE_INTEGER); NTSYSAPI NTSTATUS NTAPI NtYieldExecution(void); #ifndef IPRT_NT_USE_WINTERNL NTSYSAPI NTSTATUS NTAPI NtWaitForSingleObject(HANDLE, BOOLEAN PLARGE_INTEGER); #endif typedef NTSYSAPI NTSTATUS (NTAPI *PFNNTWAITFORSINGLEOBJECT)(HANDLE, BOOLEAN, PLARGE_INTEGER); typedef enum _OBJECT_WAIT_TYPE { WaitAllObjects = 0, WaitAnyObject = 1, ObjectWaitTypeHack = 0x7fffffff } OBJECT_WAIT_TYPE; NTSYSAPI NTSTATUS NTAPI NtWaitForMultipleObjects(ULONG, PHANDLE, OBJECT_WAIT_TYPE, BOOLEAN, PLARGE_INTEGER); NTSYSAPI NTSTATUS NTAPI NtQuerySecurityObject(HANDLE, ULONG, PSECURITY_DESCRIPTOR, ULONG, PULONG); #ifdef IPRT_NT_USE_WINTERNL typedef enum _EVENT_TYPE { /* Manual reset event. */ NotificationEvent = 0, /* Automaitc reset event. */ SynchronizationEvent } EVENT_TYPE; #endif NTSYSAPI NTSTATUS NTAPI NtCreateEvent(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, EVENT_TYPE, BOOLEAN); NTSYSAPI NTSTATUS NTAPI NtOpenEvent(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); typedef NTSYSAPI NTSTATUS (NTAPI *PFNNTCLEAREVENT)(HANDLE); NTSYSAPI NTSTATUS NTAPI NtClearEvent(HANDLE); NTSYSAPI NTSTATUS NTAPI NtResetEvent(HANDLE, PULONG); NTSYSAPI NTSTATUS NTAPI NtSetEvent(HANDLE, PULONG); typedef NTSYSAPI NTSTATUS (NTAPI *PFNNTSETEVENT)(HANDLE, PULONG); typedef enum _EVENT_INFORMATION_CLASS { EventBasicInformation = 0 } EVENT_INFORMATION_CLASS; /** Data returned by NtQueryEvent + EventBasicInformation. */ typedef struct EVENT_BASIC_INFORMATION { EVENT_TYPE EventType; ULONG EventState; } EVENT_BASIC_INFORMATION; typedef EVENT_BASIC_INFORMATION *PEVENT_BASIC_INFORMATION; NTSYSAPI NTSTATUS NTAPI NtQueryEvent(HANDLE, EVENT_INFORMATION_CLASS, PVOID, ULONG, PULONG); #ifdef IPRT_NT_USE_WINTERNL /** For NtQueryValueKey. */ typedef enum _KEY_VALUE_INFORMATION_CLASS { KeyValueBasicInformation = 0, KeyValueFullInformation, KeyValuePartialInformation, KeyValueFullInformationAlign64, KeyValuePartialInformationAlign64 } KEY_VALUE_INFORMATION_CLASS; /** KeyValuePartialInformation and KeyValuePartialInformationAlign64 struct. */ typedef struct _KEY_VALUE_PARTIAL_INFORMATION { ULONG TitleIndex; ULONG Type; ULONG DataLength; UCHAR Data[1]; } KEY_VALUE_PARTIAL_INFORMATION; typedef KEY_VALUE_PARTIAL_INFORMATION *PKEY_VALUE_PARTIAL_INFORMATION; #endif NTSYSAPI NTSTATUS NTAPI NtOpenKey(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); NTSYSAPI NTSTATUS NTAPI NtQueryValueKey(HANDLE, PUNICODE_STRING, KEY_VALUE_INFORMATION_CLASS, PVOID, ULONG, PULONG); NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce(PACL, ULONG, ULONG, PSID); typedef struct _CURDIR { UNICODE_STRING DosPath; HANDLE Handle; /**< 0x10 / 0x08 */ } CURDIR; AssertCompileSize(CURDIR, ARCH_BITS == 32 ? 0x0c : 0x18); typedef CURDIR *PCURDIR; typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags; USHORT Length; ULONG TimeStamp; STRING DosPath; /**< Yeah, it's STRING according to dt ntdll!_RTL_DRIVE_LETTER_CURDIR. */ } RTL_DRIVE_LETTER_CURDIR; typedef RTL_DRIVE_LETTER_CURDIR *PRTL_DRIVE_LETTER_CURDIR; typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; /**< 0x000 / 0x000 */ ULONG Length; /**< 0x004 / 0x004 */ ULONG Flags; /**< 0x008 / 0x008 */ ULONG DebugFlags; /**< 0x00c / 0x00c */ HANDLE ConsoleHandle; /**< 0x010 / 0x010 */ ULONG ConsoleFlags; /**< 0x018 / 0x014 */ HANDLE StandardInput; /**< 0x020 / 0x018 */ HANDLE StandardOutput; /**< 0x028 / 0x01c */ HANDLE StandardError; /**< 0x030 / 0x020 */ CURDIR CurrentDirectory; /**< 0x038 / 0x024 */ UNICODE_STRING DllPath; /**< 0x050 / 0x030 */ UNICODE_STRING ImagePathName; /**< 0x060 / 0x038 */ UNICODE_STRING CommandLine; /**< 0x070 / 0x040 */ PWSTR Environment; /**< 0x080 / 0x048 */ ULONG StartingX; /**< 0x088 / 0x04c */ ULONG StartingY; /**< 0x090 / 0x050 */ ULONG CountX; /**< 0x094 / 0x054 */ ULONG CountY; /**< 0x098 / 0x058 */ ULONG CountCharsX; /**< 0x09c / 0x05c */ ULONG CountCharsY; /**< 0x0a0 / 0x060 */ ULONG FillAttribute; /**< 0x0a4 / 0x064 */ ULONG WindowFlags; /**< 0x0a8 / 0x068 */ ULONG ShowWindowFlags; /**< 0x0ac / 0x06c */ UNICODE_STRING WindowTitle; /**< 0x0b0 / 0x070 */ UNICODE_STRING DesktopInfo; /**< 0x0c0 / 0x078 */ UNICODE_STRING ShellInfo; /**< 0x0d0 / 0x080 */ UNICODE_STRING RuntimeInfo; /**< 0x0e0 / 0x088 */ RTL_DRIVE_LETTER_CURDIR CurrentDirectories[0x20]; /**< 0x0f0 / 0x090 */ SIZE_T EnvironmentSize; /**< 0x3f0 / 0x - Added in Vista */ SIZE_T EnvironmentVersion; /**< 0x3f8 / 0x - Added in Windows 7. */ PVOID PackageDependencyData; /**< 0x400 / 0x - Added Windows 8? */ ULONG ProcessGroupId; /**< 0x408 / 0x - Added Windows 8? */ ULONG LoaderThreads; /**< 0x40c / 0x - Added Windows 10? */ } RTL_USER_PROCESS_PARAMETERS; typedef RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; #define RTL_USER_PROCESS_PARAMS_FLAG_NORMALIZED 1 typedef struct _RTL_USER_PROCESS_INFORMATION { ULONG Size; HANDLE ProcessHandle; HANDLE ThreadHandle; CLIENT_ID ClientId; SECTION_IMAGE_INFORMATION ImageInformation; } RTL_USER_PROCESS_INFORMATION; typedef RTL_USER_PROCESS_INFORMATION *PRTL_USER_PROCESS_INFORMATION; NTSYSAPI NTSTATUS NTAPI RtlCreateUserProcess(PUNICODE_STRING, ULONG, PRTL_USER_PROCESS_PARAMETERS, PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, HANDLE, BOOLEAN, HANDLE, HANDLE, PRTL_USER_PROCESS_INFORMATION); NTSYSAPI NTSTATUS NTAPI RtlCreateProcessParameters(PRTL_USER_PROCESS_PARAMETERS *, PUNICODE_STRING ImagePathName, PUNICODE_STRING DllPath, PUNICODE_STRING CurrentDirectory, PUNICODE_STRING CommandLine, PUNICODE_STRING Environment, PUNICODE_STRING WindowTitle, PUNICODE_STRING DesktopInfo, PUNICODE_STRING ShellInfo, PUNICODE_STRING RuntimeInfo); NTSYSAPI VOID NTAPI RtlDestroyProcessParameters(PRTL_USER_PROCESS_PARAMETERS); NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread(HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, SIZE_T, SIZE_T, PFNRT, PVOID, PHANDLE, PCLIENT_ID); #ifndef RTL_CRITICAL_SECTION_FLAG_NO_DEBUG_INFO typedef struct _RTL_CRITICAL_SECTION { struct _RTL_CRITICAL_SECTION_DEBUG *DebugInfo; LONG LockCount; LONG Recursioncount; HANDLE OwningThread; HANDLE LockSemaphore; ULONG_PTR SpinCount; } RTL_CRITICAL_SECTION; typedef RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; #endif /*NTSYSAPI ULONG NTAPI RtlNtStatusToDosError(NTSTATUS rcNt);*/ /** @def RTL_QUERY_REGISTRY_TYPECHECK * WDK 8.1+, backported in updates, ignored in older. */ #if !defined(RTL_QUERY_REGISTRY_TYPECHECK) || defined(DOXYGEN_RUNNING) # define RTL_QUERY_REGISTRY_TYPECHECK UINT32_C(0x00000100) #endif /** @def RTL_QUERY_REGISTRY_TYPECHECK_SHIFT * WDK 8.1+, backported in updates, ignored in older. */ #if !defined(RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) || defined(DOXYGEN_RUNNING) # define RTL_QUERY_REGISTRY_TYPECHECK_SHIFT 24 #endif RT_C_DECLS_END /** @} */ #if defined(IN_RING0) || defined(DOXYGEN_RUNNING) /** @name NT Kernel APIs * @{ */ RT_C_DECLS_BEGIN typedef ULONG KEPROCESSORINDEX; /**< Bitmap indexes != process numbers, apparently. */ NTSYSAPI VOID NTAPI KeInitializeAffinityEx(PKAFFINITY_EX pAffinity); typedef VOID (NTAPI *PFNKEINITIALIZEAFFINITYEX)(PKAFFINITY_EX pAffinity); NTSYSAPI VOID NTAPI KeAddProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); typedef VOID (NTAPI *PFNKEADDPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); NTSYSAPI VOID NTAPI KeRemoveProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); typedef VOID (NTAPI *PFNKEREMOVEPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); NTSYSAPI BOOLEAN NTAPI KeInterlockedSetProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); typedef BOOLEAN (NTAPI *PFNKEINTERLOCKEDSETPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); NTSYSAPI BOOLEAN NTAPI KeInterlockedClearProcessorAffinityEx(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); typedef BOOLEAN (NTAPI *PFNKEINTERLOCKEDCLEARPROCESSORAFFINITYEX)(PKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); NTSYSAPI BOOLEAN NTAPI KeCheckProcessorAffinityEx(PCKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); typedef BOOLEAN (NTAPI *PFNKECHECKPROCESSORAFFINITYEX)(PCKAFFINITY_EX pAffinity, KEPROCESSORINDEX idxProcessor); NTSYSAPI VOID NTAPI KeCopyAffinityEx(PKAFFINITY_EX pDst, PCKAFFINITY_EX pSrc); typedef VOID (NTAPI *PFNKECOPYAFFINITYEX)(PKAFFINITY_EX pDst, PCKAFFINITY_EX pSrc); NTSYSAPI VOID NTAPI KeComplementAffinityEx(PKAFFINITY_EX pResult, PCKAFFINITY_EX pIn); typedef VOID (NTAPI *PFNKECOMPLEMENTAFFINITYEX)(PKAFFINITY_EX pResult, PCKAFFINITY_EX pIn); NTSYSAPI BOOLEAN NTAPI KeAndAffinityEx(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); typedef BOOLEAN (NTAPI *PFNKEANDAFFINITYEX)(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); NTSYSAPI BOOLEAN NTAPI KeOrAffinityEx(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); typedef BOOLEAN (NTAPI *PFNKEORAFFINITYEX)(PCKAFFINITY_EX pIn1, PCKAFFINITY_EX pIn2, PKAFFINITY_EX pResult OPTIONAL); /** Works like anding the complemented subtrahend with the minuend. */ NTSYSAPI BOOLEAN NTAPI KeSubtractAffinityEx(PCKAFFINITY_EX pMinuend, PCKAFFINITY_EX pSubtrahend, PKAFFINITY_EX pResult OPTIONAL); typedef BOOLEAN (NTAPI *PFNKESUBTRACTAFFINITYEX)(PCKAFFINITY_EX pMinuend, PCKAFFINITY_EX pSubtrahend, PKAFFINITY_EX pResult OPTIONAL); NTSYSAPI BOOLEAN NTAPI KeIsEqualAffinityEx(PCKAFFINITY_EX pLeft, PCKAFFINITY_EX pRight); typedef BOOLEAN (NTAPI *PFNKEISEQUALAFFINITYEX)(PCKAFFINITY_EX pLeft, PCKAFFINITY_EX pRight); NTSYSAPI BOOLEAN NTAPI KeIsEmptyAffinityEx(PCKAFFINITY_EX pAffinity); typedef BOOLEAN (NTAPI *PFNKEISEMPTYAFFINITYEX)(PCKAFFINITY_EX pAffinity); NTSYSAPI BOOLEAN NTAPI KeIsSubsetAffinityEx(PCKAFFINITY_EX pSubset, PCKAFFINITY_EX pSuperSet); typedef BOOLEAN (NTAPI *PFNKEISSUBSETAFFINITYEX)(PCKAFFINITY_EX pSubset, PCKAFFINITY_EX pSuperSet); NTSYSAPI ULONG NTAPI KeCountSetBitsAffinityEx(PCKAFFINITY_EX pAffinity); typedef ULONG (NTAPI *PFNKECOUNTSETAFFINITYEX)(PCKAFFINITY_EX pAffinity); NTSYSAPI KEPROCESSORINDEX NTAPI KeFindFirstSetLeftAffinityEx(PCKAFFINITY_EX pAffinity); typedef KEPROCESSORINDEX (NTAPI *PFNKEFINDFIRSTSETLEFTAFFINITYEX)(PCKAFFINITY_EX pAffinity); typedef NTSTATUS (NTAPI *PFNKEGETPROCESSORNUMBERFROMINDEX)(KEPROCESSORINDEX idxProcessor, PPROCESSOR_NUMBER pProcNumber); typedef KEPROCESSORINDEX (NTAPI *PFNKEGETPROCESSORINDEXFROMNUMBER)(const PROCESSOR_NUMBER *pProcNumber); typedef NTSTATUS (NTAPI *PFNKEGETPROCESSORNUMBERFROMINDEX)(KEPROCESSORINDEX ProcIndex, PROCESSOR_NUMBER *pProcNumber); typedef KEPROCESSORINDEX (NTAPI *PFNKEGETCURRENTPROCESSORNUMBEREX)(const PROCESSOR_NUMBER *pProcNumber); typedef KAFFINITY (NTAPI *PFNKEQUERYACTIVEPROCESSORS)(VOID); typedef ULONG (NTAPI *PFNKEQUERYMAXIMUMPROCESSORCOUNT)(VOID); typedef ULONG (NTAPI *PFNKEQUERYMAXIMUMPROCESSORCOUNTEX)(USHORT GroupNumber); typedef USHORT (NTAPI *PFNKEQUERYMAXIMUMGROUPCOUNT)(VOID); typedef ULONG (NTAPI *PFNKEQUERYACTIVEPROCESSORCOUNT)(KAFFINITY *pfActiveProcessors); typedef ULONG (NTAPI *PFNKEQUERYACTIVEPROCESSORCOUNTEX)(USHORT GroupNumber); typedef NTSTATUS (NTAPI *PFNKEQUERYLOGICALPROCESSORRELATIONSHIP)(PROCESSOR_NUMBER *pProcNumber, LOGICAL_PROCESSOR_RELATIONSHIP RelationShipType, SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX *pInfo, PULONG pcbInfo); typedef PVOID (NTAPI *PFNKEREGISTERPROCESSORCHANGECALLBACK)(PPROCESSOR_CALLBACK_FUNCTION pfnCallback, void *pvUser, ULONG fFlags); typedef VOID (NTAPI *PFNKEDEREGISTERPROCESSORCHANGECALLBACK)(PVOID pvCallback); typedef NTSTATUS (NTAPI *PFNKESETTARGETPROCESSORDPCEX)(KDPC *pDpc, PROCESSOR_NUMBER *pProcNumber); typedef LOGICAL (NTAPI *PFNKESHOULDYIELDPROCESSOR)(void); NTSYSAPI BOOLEAN NTAPI ObFindHandleForObject(PEPROCESS pProcess, PVOID pvObject, POBJECT_TYPE pObjectType, PVOID pvOptionalConditions, PHANDLE phFound); NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName(PUNICODE_STRING pObjectPath, ULONG fAttributes, PACCESS_STATE pAccessState, ACCESS_MASK fDesiredAccess, POBJECT_TYPE pObjectType, KPROCESSOR_MODE enmAccessMode, PVOID pvParseContext, PVOID *ppvObject); NTSYSAPI HANDLE NTAPI PsGetProcessInheritedFromUniqueProcessId(PEPROCESS); NTSYSAPI UCHAR * NTAPI PsGetProcessImageFileName(PEPROCESS); NTSYSAPI BOOLEAN NTAPI PsIsProcessBeingDebugged(PEPROCESS); NTSYSAPI ULONG NTAPI PsGetProcessSessionId(PEPROCESS); extern DECLIMPORT(POBJECT_TYPE *) LpcPortObjectType; /**< In vista+ this is the ALPC port object type. */ extern DECLIMPORT(POBJECT_TYPE *) LpcWaitablePortObjectType; /**< In vista+ this is the ALPC port object type. */ typedef VOID (NTAPI *PFNHALREQUESTIPI_PRE_W7)(KAFFINITY TargetSet); typedef VOID (NTAPI *PFNHALREQUESTIPI_W7PLUS)(ULONG uUsuallyZero, PCKAFFINITY_EX pTargetSet); RT_C_DECLS_END /** @ */ #endif /* IN_RING0 */ #if defined(IN_RING3) || defined(DOXYGEN_RUNNING) /** @name NT Userland APIs * @{ */ RT_C_DECLS_BEGIN #if 0 /** @todo figure this out some time... */ typedef struct CSR_MSG_DATA_CREATED_PROCESS { HANDLE hProcess; HANDLE hThread; CLIENT_ID DWORD idProcess; DWORD idThread; DWORD fCreate; } CSR_MSG_DATA_CREATED_PROCESS; #define CSR_MSG_NO_CREATED_PROCESS UINT32_C(0x10000) #define CSR_MSG_NO_CREATED_THREAD UINT32_C(0x10001) NTSYSAPI NTSTATUS NTAPI CsrClientCallServer(PVOID, PVOID, ULONG, SIZE_T); #endif NTSYSAPI VOID NTAPI LdrInitializeThunk(PVOID, PVOID, PVOID); typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { ULONG Flags; PCUNICODE_STRING FullDllName; PCUNICODE_STRING BaseDllName; PVOID DllBase; ULONG SizeOfImage; } LDR_DLL_LOADED_NOTIFICATION_DATA, LDR_DLL_UNLOADED_NOTIFICATION_DATA; typedef LDR_DLL_LOADED_NOTIFICATION_DATA *PLDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; typedef LDR_DLL_LOADED_NOTIFICATION_DATA const *PCLDR_DLL_LOADED_NOTIFICATION_DATA, *PCLDR_DLL_UNLOADED_NOTIFICATION_DATA; typedef union _LDR_DLL_NOTIFICATION_DATA { LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; } LDR_DLL_NOTIFICATION_DATA; typedef LDR_DLL_NOTIFICATION_DATA *PLDR_DLL_NOTIFICATION_DATA; typedef LDR_DLL_NOTIFICATION_DATA const *PCLDR_DLL_NOTIFICATION_DATA; typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(ULONG ulReason, PCLDR_DLL_NOTIFICATION_DATA pData, PVOID pvUser); #define LDR_DLL_NOTIFICATION_REASON_LOADED UINT32_C(1) #define LDR_DLL_NOTIFICATION_REASON_UNLOADED UINT32_C(2) NTSYSAPI NTSTATUS NTAPI LdrRegisterDllNotification(ULONG fFlags, PLDR_DLL_NOTIFICATION_FUNCTION pfnCallback, PVOID pvUser, PVOID *pvCookie); typedef NTSTATUS (NTAPI *PFNLDRREGISTERDLLNOTIFICATION)(ULONG, PLDR_DLL_NOTIFICATION_FUNCTION, PVOID, PVOID *); NTSYSAPI NTSTATUS NTAPI LdrUnregisterDllNotification(PVOID pvCookie); typedef NTSTATUS (NTAPI *PFNLDRUNREGISTERDLLNOTIFICATION)(PVOID); NTSYSAPI NTSTATUS NTAPI LdrLoadDll(IN PWSTR pwszSearchPathOrFlags OPTIONAL, IN PULONG pfFlags OPTIONAL, IN PCUNICODE_STRING pName, OUT PHANDLE phMod); typedef NTSTATUS (NTAPI *PFNLDRLOADDLL)(IN PWSTR pwszSearchPathOrFlags OPTIONAL, IN PULONG pfFlags OPTIONAL, IN PCUNICODE_STRING pName, OUT PHANDLE phMod); NTSYSAPI NTSTATUS NTAPI LdrUnloadDll(IN HANDLE hMod); typedef NTSTATUS (NTAPI *PFNLDRUNLOADDLL)(IN HANDLE hMod); NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle(IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL, IN PCUNICODE_STRING pName, OUT PHANDLE phDll); typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLE)(IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL, IN PCUNICODE_STRING pName, OUT PHANDLE phDll); #define LDRGETDLLHANDLEEX_F_UNCHANGED_REFCOUNT RT_BIT_32(0) #define LDRGETDLLHANDLEEX_F_PIN RT_BIT_32(1) /** @since Windows XP. */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleEx(IN ULONG fFlags, IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL, IN PCUNICODE_STRING pName, OUT PHANDLE phDll); /** @since Windows XP. */ typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLEEX)(IN ULONG fFlags, IN PCWSTR pwszDllPath OPTIONAL, IN PULONG pfFlags OPTIONAL, IN PCUNICODE_STRING pName, OUT PHANDLE phDll); /** @since Windows 7. */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByMapping(IN PVOID pvBase, OUT PHANDLE phDll); /** @since Windows 7. */ typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLEBYMAPPING)(IN PVOID pvBase, OUT PHANDLE phDll); /** @since Windows 7. */ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByName(IN PCUNICODE_STRING pName OPTIONAL, IN PCUNICODE_STRING pFullName OPTIONAL, OUT PHANDLE phDll); /** @since Windows 7. */ typedef NTSTATUS (NTAPI *PFNLDRGETDLLHANDLEBYNAME)(IN PCUNICODE_STRING pName OPTIONAL, IN PCUNICODE_STRING pFullName OPTIONAL, OUT PHANDLE phDll); #define LDRADDREFDLL_F_PIN RT_BIT_32(0) NTSYSAPI NTSTATUS NTAPI LdrAddRefDll(IN ULONG fFlags, IN HANDLE hDll); typedef NTSTATUS (NTAPI *PFNLDRADDREFDLL)(IN ULONG fFlags, IN HANDLE hDll); NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddress(IN HANDLE hDll, IN ANSI_STRING const *pSymbol OPTIONAL, IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol); typedef NTSTATUS (NTAPI *PFNLDRGETPROCEDUREADDRESS)(IN HANDLE hDll, IN PCANSI_STRING pSymbol OPTIONAL, IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol); #define LDRGETPROCEDUREADDRESSEX_F_DONT_RECORD_FORWARDER RT_BIT_32(0) /** @since Windows Vista. */ NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddressEx(IN HANDLE hDll, IN ANSI_STRING const *pSymbol OPTIONAL, IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol, ULONG fFlags); /** @since Windows Vista. */ typedef NTSTATUS (NTAPI *PFNLDRGETPROCEDUREADDRESSEX)(IN HANDLE hDll, IN ANSI_STRING const *pSymbol OPTIONAL, IN ULONG uOrdinal OPTIONAL, OUT PVOID *ppvSymbol, ULONG fFlags); #define LDRLOCKLOADERLOCK_F_RAISE_ERRORS RT_BIT_32(0) #define LDRLOCKLOADERLOCK_F_NO_WAIT RT_BIT_32(1) #define LDRLOCKLOADERLOCK_DISP_INVALID UINT32_C(0) #define LDRLOCKLOADERLOCK_DISP_ACQUIRED UINT32_C(1) #define LDRLOCKLOADERLOCK_DISP_NOT_ACQUIRED UINT32_C(2) /** @since Windows XP. */ NTSYSAPI NTSTATUS NTAPI LdrLockLoaderLock(IN ULONG fFlags, OUT PULONG puDisposition OPTIONAL, OUT PVOID *ppvCookie); /** @since Windows XP. */ typedef NTSTATUS (NTAPI *PFNLDRLOCKLOADERLOCK)(IN ULONG fFlags, OUT PULONG puDisposition OPTIONAL, OUT PVOID *ppvCookie); #define LDRUNLOCKLOADERLOCK_F_RAISE_ERRORS RT_BIT_32(0) /** @since Windows XP. */ NTSYSAPI NTSTATUS NTAPI LdrUnlockLoaderLock(IN ULONG fFlags, OUT PVOID pvCookie); /** @since Windows XP. */ typedef NTSTATUS (NTAPI *PFNLDRUNLOCKLOADERLOCK)(IN ULONG fFlags, OUT PVOID pvCookie); NTSYSAPI NTSTATUS NTAPI RtlExpandEnvironmentStrings_U(PVOID, PUNICODE_STRING, PUNICODE_STRING, PULONG); NTSYSAPI VOID NTAPI RtlExitUserProcess(NTSTATUS rcExitCode); /**< Vista and later. */ NTSYSAPI VOID NTAPI RtlExitUserThread(NTSTATUS rcExitCode); NTSYSAPI NTSTATUS NTAPI RtlDosApplyFileIsolationRedirection_Ustr(IN ULONG fFlags, IN PCUNICODE_STRING pOrgName, IN PUNICODE_STRING pDefaultSuffix, IN OUT PUNICODE_STRING pStaticString, IN OUT PUNICODE_STRING pDynamicString, IN OUT PUNICODE_STRING *ppResultString, IN PULONG pfNewFlags OPTIONAL, IN PSIZE_T pcbFilename OPTIONAL, IN PSIZE_T pcbNeeded OPTIONAL); /** @since Windows 8. * @note Status code is always zero in windows 10 build 14393. */ NTSYSAPI NTSTATUS NTAPI ApiSetQueryApiSetPresence(IN PCUNICODE_STRING pAllegedApiSetDll, OUT PBOOLEAN pfPresent); /** @copydoc ApiSetQueryApiSetPresence */ typedef NTSTATUS (NTAPI *PFNAPISETQUERYAPISETPRESENCE)(IN PCUNICODE_STRING pAllegedApiSetDll, OUT PBOOLEAN pfPresent); # ifdef IPRT_NT_USE_WINTERNL typedef NTSTATUS NTAPI RTL_HEAP_COMMIT_ROUTINE(PVOID, PVOID *, PSIZE_T); typedef RTL_HEAP_COMMIT_ROUTINE *PRTL_HEAP_COMMIT_ROUTINE; typedef struct _RTL_HEAP_PARAMETERS { ULONG Length; SIZE_T SegmentReserve; SIZE_T SegmentCommit; SIZE_T DeCommitFreeBlockThreshold; SIZE_T DeCommitTotalFreeThreshold; SIZE_T MaximumAllocationSize; SIZE_T VirtualMemoryThreshold; SIZE_T InitialCommit; SIZE_T InitialReserve; PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; SIZE_T Reserved[2]; } RTL_HEAP_PARAMETERS; typedef RTL_HEAP_PARAMETERS *PRTL_HEAP_PARAMETERS; NTSYSAPI PVOID NTAPI RtlCreateHeap(ULONG fFlags, PVOID pvHeapBase, SIZE_T cbReserve, SIZE_T cbCommit, PVOID pvLock, PRTL_HEAP_PARAMETERS pParameters); /** @name Heap flags (for RtlCreateHeap). * @{ */ /*# define HEAP_NO_SERIALIZE UINT32_C(0x00000001) # define HEAP_GROWABLE UINT32_C(0x00000002) # define HEAP_GENERATE_EXCEPTIONS UINT32_C(0x00000004) # define HEAP_ZERO_MEMORY UINT32_C(0x00000008) # define HEAP_REALLOC_IN_PLACE_ONLY UINT32_C(0x00000010) # define HEAP_TAIL_CHECKING_ENABLED UINT32_C(0x00000020) # define HEAP_FREE_CHECKING_ENABLED UINT32_C(0x00000040) # define HEAP_DISABLE_COALESCE_ON_FREE UINT32_C(0x00000080)*/ # define HEAP_SETTABLE_USER_VALUE UINT32_C(0x00000100) # define HEAP_SETTABLE_USER_FLAG1 UINT32_C(0x00000200) # define HEAP_SETTABLE_USER_FLAG2 UINT32_C(0x00000400) # define HEAP_SETTABLE_USER_FLAG3 UINT32_C(0x00000800) # define HEAP_SETTABLE_USER_FLAGS UINT32_C(0x00000e00) # define HEAP_CLASS_0 UINT32_C(0x00000000) # define HEAP_CLASS_1 UINT32_C(0x00001000) # define HEAP_CLASS_2 UINT32_C(0x00002000) # define HEAP_CLASS_3 UINT32_C(0x00003000) # define HEAP_CLASS_4 UINT32_C(0x00004000) # define HEAP_CLASS_5 UINT32_C(0x00005000) # define HEAP_CLASS_6 UINT32_C(0x00006000) # define HEAP_CLASS_7 UINT32_C(0x00007000) # define HEAP_CLASS_8 UINT32_C(0x00008000) # define HEAP_CLASS_MASK UINT32_C(0x0000f000) # endif # define HEAP_CLASS_PROCESS HEAP_CLASS_0 # define HEAP_CLASS_PRIVATE HEAP_CLASS_1 # define HEAP_CLASS_KERNEL HEAP_CLASS_2 # define HEAP_CLASS_GDI HEAP_CLASS_3 # define HEAP_CLASS_USER HEAP_CLASS_4 # define HEAP_CLASS_CONSOLE HEAP_CLASS_5 # define HEAP_CLASS_USER_DESKTOP HEAP_CLASS_6 # define HEAP_CLASS_CSRSS_SHARED HEAP_CLASS_7 # define HEAP_CLASS_CSRSS_PORT HEAP_CLASS_8 # ifdef IPRT_NT_USE_WINTERNL /*# define HEAP_CREATE_ALIGN_16 UINT32_C(0x00010000) # define HEAP_CREATE_ENABLE_TRACING UINT32_C(0x00020000) # define HEAP_CREATE_ENABLE_EXECUTE UINT32_C(0x00040000)*/ # define HEAP_CREATE_VALID_MASK UINT32_C(0x0007f0ff) # endif /* IPRT_NT_USE_WINTERNL */ /** @} */ # ifdef IPRT_NT_USE_WINTERNL /** @name Heap tagging constants * @{ */ # define HEAP_GLOBAL_TAG UINT32_C(0x00000800) /*# define HEAP_MAXIMUM_TAG UINT32_C(0x00000fff) # define HEAP_PSEUDO_TAG_FLAG UINT32_C(0x00008000) # define HEAP_TAG_SHIFT 18 */ # define HEAP_TAG_MASK (HEAP_MAXIMUM_TAG << HEAP_TAG_SHIFT) /** @} */ NTSYSAPI PVOID NTAPI RtlAllocateHeap(HANDLE hHeap, ULONG fFlags, SIZE_T cb); NTSYSAPI PVOID NTAPI RtlReAllocateHeap(HANDLE hHeap, ULONG fFlags, PVOID pvOld, SIZE_T cbNew); NTSYSAPI BOOLEAN NTAPI RtlFreeHeap(HANDLE hHeap, ULONG fFlags, PVOID pvMem); # endif /* IPRT_NT_USE_WINTERNL */ NTSYSAPI SIZE_T NTAPI RtlCompactHeap(HANDLE hHeap, ULONG fFlags); NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING); NTSYSAPI SIZE_T NTAPI RtlSizeHeap(HANDLE hHeap, ULONG fFlags, PVOID pvMem); NTSYSAPI NTSTATUS NTAPI RtlGetLastNtStatus(VOID); NTSYSAPI ULONG NTAPI RtlGetLastWin32Error(VOID); NTSYSAPI VOID NTAPI RtlSetLastWin32Error(ULONG uError); NTSYSAPI VOID NTAPI RtlSetLastWin32ErrorAndNtStatusFromNtStatus(NTSTATUS rcNt); NTSYSAPI VOID NTAPI RtlRestoreLastWin32Error(ULONG uError); NTSYSAPI BOOLEAN NTAPI RtlQueryPerformanceCounter(PLARGE_INTEGER); NTSYSAPI uint64_t NTAPI RtlGetSystemTimePrecise(VOID); typedef uint64_t (NTAPI * PFNRTLGETSYSTEMTIMEPRECISE)(VOID); NTSYSAPI uint64_t NTAPI RtlGetInterruptTimePrecise(uint64_t *puPerfTime); typedef uint64_t (NTAPI * PFNRTLGETINTERRUPTTIMEPRECISE)(uint64_t *); NTSYSAPI BOOLEAN NTAPI RtlQueryUnbiasedInterruptTime(uint64_t *puInterruptTime); typedef BOOLEAN (NTAPI * PFNRTLQUERYUNBIASEDINTERRUPTTIME)(uint64_t *); RT_C_DECLS_END /** @} */ #endif /* IN_RING3 */ #endif /* !IPRT_INCLUDED_nt_nt_h */