use core::ptr::null_mut; use crate::ntapi_base::{CLIENT_ID, PCLIENT_ID}; use crate::ntexapi::{RTL_PROCESS_BACKTRACES, RTL_PROCESS_LOCKS}; use crate::ntioapi::FILE_INFORMATION_CLASS; use crate::ntldr::{RTL_PROCESS_MODULES, RTL_PROCESS_MODULE_INFORMATION_EX}; use crate::ntmmapi::SECTION_IMAGE_INFORMATION; use crate::ntnls::{PCPTABLEINFO, PNLSTABLEINFO}; use crate::ntpebteb::{PPEB, PTEB_ACTIVE_FRAME}; use crate::ntpsapi::{PINITIAL_TEB, PPS_APC_ROUTINE, PS_PROTECTION}; use crate::ntapi_base::{PRTL_ATOM, RTL_ATOM}; use crate::string::UTF16Const; use winapi::ctypes::c_void; use winapi::shared::basetsd::{PULONG64, ULONG32, ULONG64, PSIZE_T, PULONG_PTR, SIZE_T, ULONG_PTR}; use winapi::shared::guiddef::GUID; use winapi::shared::in6addr::in6_addr; use winapi::shared::inaddr::in_addr; use winapi::shared::minwindef::{BOOL, DWORD, PBOOL}; #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] use winapi::shared::ntdef::{LARGE_INTEGER, RTL_BALANCED_NODE}; use winapi::shared::ntdef::{ BOOLEAN, CCHAR, CHAR, CLONG, CSHORT, HANDLE, LCID, LIST_ENTRY, LOGICAL, LONG, LUID, NTSTATUS, PANSI_STRING, PBOOLEAN, PCANSI_STRING, PCCH, PCH, PCHAR, PCOEM_STRING, PCSZ, PCUNICODE_STRING, PCWCH, PCWSTR, PHANDLE, PLARGE_INTEGER, PLCID, PLIST_ENTRY, PLONG, PLUID, PNT_PRODUCT_TYPE, POEM_STRING, PPROCESSOR_NUMBER, PRTL_BALANCED_NODE, PSINGLE_LIST_ENTRY, PSTR, PSTRING, PUCHAR, PULONG, PULONGLONG, PUNICODE_STRING, PUSHORT, PVOID, PWCH, PWCHAR, PWSTR, SINGLE_LIST_ENTRY, STRING, UCHAR, ULONG, ULONGLONG, UNICODE_STRING, USHORT, VOID, WCHAR, }; use winapi::um::minwinbase::PTHREAD_START_ROUTINE; #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] use winapi::um::winnt::{PGET_RUNTIME_FUNCTION_CALLBACK, PRUNTIME_FUNCTION, PWOW64_CONTEXT}; use winapi::um::winnt::{ ACCESS_MASK, ACL_INFORMATION_CLASS, APC_CALLBACK_FUNCTION, HEAP_INFORMATION_CLASS, HEAP_REALLOC_IN_PLACE_ONLY, HEAP_ZERO_MEMORY, OS_DEPLOYEMENT_STATE_VALUES, PACCESS_MASK, PACL, PCONTEXT, PEXCEPTION_POINTERS, PEXCEPTION_RECORD, PFLS_CALLBACK_FUNCTION, PGENERIC_MAPPING, PIMAGE_NT_HEADERS, PIMAGE_SECTION_HEADER, PLUID_AND_ATTRIBUTES, PMESSAGE_RESOURCE_ENTRY, PPERFORMANCE_DATA, PRTL_BARRIER, PRTL_CONDITION_VARIABLE, PRTL_CRITICAL_SECTION, PRTL_OSVERSIONINFOEXW, PRTL_OSVERSIONINFOW, PRTL_RESOURCE_DEBUG, PRTL_SRWLOCK, PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR_CONTROL, PSID, PSID_AND_ATTRIBUTES, PSID_AND_ATTRIBUTES_HASH, PSID_IDENTIFIER_AUTHORITY, PVECTORED_EXCEPTION_HANDLER, PXSAVE_AREA_HEADER, RTL_CRITICAL_SECTION, RTL_SRWLOCK, SECURITY_DESCRIPTOR_CONTROL, SECURITY_IMPERSONATION_LEVEL, SECURITY_INFORMATION, WAITORTIMERCALLBACKFUNC, WORKERCALLBACKFUNC, }; use winapi::vc::vadefs::va_list; #[inline] pub fn InitializeListHead(ListHead: &mut LIST_ENTRY) { ListHead.Flink = ListHead; ListHead.Blink = ListHead; } #[inline] pub fn IsListEmpty(ListHead: &LIST_ENTRY) -> bool { ListHead.Flink as *const _ == ListHead as *const _ } #[inline] pub unsafe fn RemoveEntryList(Entry: &mut LIST_ENTRY) -> bool { let (Blink, Flink) = (Entry.Blink, Entry.Flink); (*Blink).Flink = Flink; (*Flink).Blink = Blink; Flink == Blink } #[inline] pub unsafe fn RemoveHeadList(ListHead: &mut LIST_ENTRY) -> PLIST_ENTRY { let Entry = ListHead.Flink; let Flink = (*Entry).Flink; ListHead.Flink = Flink; (*Flink).Blink = ListHead; Entry } #[inline] pub unsafe fn RemoveTailList(ListHead: &mut LIST_ENTRY) -> PLIST_ENTRY { let Entry = ListHead.Blink; let Blink = (*Entry).Blink; ListHead.Blink = Blink; (*Blink).Flink = ListHead; Entry } #[inline] pub unsafe fn InsertTailList(ListHead: &mut LIST_ENTRY, Entry: &mut LIST_ENTRY) { let Blink = ListHead.Blink; Entry.Flink = ListHead; Entry.Blink = Blink; (*Blink).Flink = Entry; ListHead.Blink = Entry; } #[inline] pub unsafe fn InsertHeadList(ListHead: &mut LIST_ENTRY, Entry: &mut LIST_ENTRY) { let Flink = ListHead.Flink; Entry.Flink = Flink; Entry.Blink = ListHead; (*Flink).Blink = Entry; ListHead.Flink = Entry; } #[inline] pub unsafe fn AppendTailList(ListHead: &mut LIST_ENTRY, ListToAppend: &mut LIST_ENTRY) { let ListEnd = ListHead.Blink; (*ListHead.Blink).Flink = ListToAppend; ListHead.Blink = ListToAppend.Blink; (*ListToAppend.Blink).Flink = ListHead; ListToAppend.Blink = ListEnd; } #[inline] pub unsafe fn PopEntryList(ListHead: &mut SINGLE_LIST_ENTRY) -> PSINGLE_LIST_ENTRY { let FirstEntry = ListHead.Next; if !FirstEntry.is_null() { ListHead.Next = (*FirstEntry).Next; } FirstEntry } #[inline] pub fn PushEntryList(ListHead: &mut SINGLE_LIST_ENTRY, Entry: &mut SINGLE_LIST_ENTRY) { Entry.Next = ListHead.Next; ListHead.Next = Entry; } ENUM!{enum TABLE_SEARCH_RESULT { TableEmptyTree = 0, TableFoundNode = 1, TableInsertAsLeft = 2, TableInsertAsRight = 3, }} ENUM!{enum RTL_GENERIC_COMPARE_RESULTS { GenericLessThan = 0, GenericGreaterThan = 1, GenericEqual = 2, }} FN!{stdcall PRTL_AVL_COMPARE_ROUTINE( Table: *mut RTL_AVL_TABLE, FirstStruct: PVOID, SecondStruct: PVOID, ) -> RTL_GENERIC_COMPARE_RESULTS} FN!{stdcall PRTL_AVL_ALLOCATE_ROUTINE( Table: *mut RTL_AVL_TABLE, ByteSize: CLONG, ) -> PVOID} FN!{stdcall PRTL_AVL_FREE_ROUTINE( Table: *mut RTL_AVL_TABLE, Buffer: PVOID, ) -> ()} FN!{stdcall PRTL_AVL_MATCH_FUNCTION( Table: *mut RTL_AVL_TABLE, UserData: PVOID, MatchData: PVOID, ) -> NTSTATUS} STRUCT!{struct RTL_BALANCED_LINKS { Parent: *mut RTL_BALANCED_LINKS, LeftChild: *mut RTL_BALANCED_LINKS, RightChild: *mut RTL_BALANCED_LINKS, Balance: CHAR, Reserved: [UCHAR; 3], }} pub type PRTL_BALANCED_LINKS = *mut RTL_BALANCED_LINKS; STRUCT!{struct RTL_AVL_TABLE { BalancedRoot: RTL_BALANCED_LINKS, OrderedPointer: PVOID, WhichOrderedElement: ULONG, NumberGenericTableElements: ULONG, DepthOfTree: ULONG, RestartKey: PRTL_BALANCED_LINKS, DeleteCount: ULONG, CompareRoutine: PRTL_AVL_COMPARE_ROUTINE, AllocateRoutine: PRTL_AVL_ALLOCATE_ROUTINE, FreeRoutine: PRTL_AVL_FREE_ROUTINE, TableContext: PVOID, }} pub type PRTL_AVL_TABLE = *mut RTL_AVL_TABLE; EXTERN!{extern "system" { fn RtlInitializeGenericTableAvl( Table: PRTL_AVL_TABLE, CompareRoutine: PRTL_AVL_COMPARE_ROUTINE, AllocateRoutine: PRTL_AVL_ALLOCATE_ROUTINE, FreeRoutine: PRTL_AVL_FREE_ROUTINE, TableContext: PVOID, ); fn RtlInsertElementGenericTableAvl( Table: PRTL_AVL_TABLE, Buffer: PVOID, BufferSize: CLONG, NewElement: PBOOLEAN, ) -> PVOID; fn RtlInsertElementGenericTableFullAvl( Table: PRTL_AVL_TABLE, Buffer: PVOID, BufferSize: CLONG, NewElement: PBOOLEAN, NodeOrParent: PVOID, SearchResult: TABLE_SEARCH_RESULT, ) -> PVOID; fn RtlDeleteElementGenericTableAvl( Table: PRTL_AVL_TABLE, Buffer: PVOID, ) -> BOOLEAN; fn RtlLookupElementGenericTableAvl( Table: PRTL_AVL_TABLE, Buffer: PVOID, ) -> PVOID; fn RtlLookupElementGenericTableFullAvl( Table: PRTL_AVL_TABLE, Buffer: PVOID, NodeOrParent: *mut PVOID, SearchResult: *mut TABLE_SEARCH_RESULT, ) -> PVOID; fn RtlEnumerateGenericTableAvl( Table: PRTL_AVL_TABLE, Restart: BOOLEAN, ) -> PVOID; fn RtlEnumerateGenericTableWithoutSplayingAvl( Table: PRTL_AVL_TABLE, RestartKey: *mut PVOID, ) -> PVOID; fn RtlLookupFirstMatchingElementGenericTableAvl( Table: PRTL_AVL_TABLE, Buffer: PVOID, RestartKey: *mut PVOID, ) -> PVOID; fn RtlEnumerateGenericTableLikeADirectory( Table: PRTL_AVL_TABLE, MatchFunction: PRTL_AVL_MATCH_FUNCTION, MatchData: PVOID, NextFlag: ULONG, RestartKey: *mut PVOID, DeleteCount: PULONG, Buffer: PVOID, ) -> PVOID; fn RtlGetElementGenericTableAvl( Table: PRTL_AVL_TABLE, I: ULONG, ) -> PVOID; fn RtlNumberGenericTableElementsAvl( Table: PRTL_AVL_TABLE, ) -> ULONG; fn RtlIsGenericTableEmptyAvl( Table: PRTL_AVL_TABLE, ) -> BOOLEAN; }} STRUCT!{struct RTL_SPLAY_LINKS { Parent: *mut RTL_SPLAY_LINKS, LeftChild: *mut RTL_SPLAY_LINKS, RightChild: *mut RTL_SPLAY_LINKS, }} pub type PRTL_SPLAY_LINKS = *mut RTL_SPLAY_LINKS; #[inline] pub fn RtlInitializeSplayLinks(Links: &mut RTL_SPLAY_LINKS) { Links.Parent = Links; Links.LeftChild = null_mut(); Links.RightChild = null_mut(); } #[inline] pub const fn RtlParent(Links: &RTL_SPLAY_LINKS) -> PRTL_SPLAY_LINKS { Links.Parent } #[inline] pub const fn RtlLeftChild(Links: &RTL_SPLAY_LINKS) -> PRTL_SPLAY_LINKS { Links.LeftChild } #[inline] pub const fn RtlRightChild(Links: &RTL_SPLAY_LINKS) -> PRTL_SPLAY_LINKS { Links.RightChild } #[inline] pub unsafe fn RtlIsRoot(Links: *const RTL_SPLAY_LINKS) -> bool { (*Links).Parent as *const _ == Links } #[inline] pub unsafe fn RtlIsLeftChild(Links: *const RTL_SPLAY_LINKS) -> bool { RtlLeftChild(&*RtlParent(&*Links)) as *const _ == Links } #[inline] pub unsafe fn RtlIsRightChild(Links: *const RTL_SPLAY_LINKS) -> bool { RtlRightChild(&*RtlParent(&*Links)) as *const _ == Links } #[inline] pub fn RtlInsertAsLeftChild( ParentLinks: &mut RTL_SPLAY_LINKS, ChildLinks: &mut RTL_SPLAY_LINKS, ) { ParentLinks.LeftChild = ChildLinks; ChildLinks.Parent = ParentLinks; } #[inline] pub fn RtlInsertAsRightChild( ParentLinks: &mut RTL_SPLAY_LINKS, ChildLinks: &mut RTL_SPLAY_LINKS, ) { ParentLinks.RightChild = ChildLinks; ChildLinks.Parent = ParentLinks; } EXTERN!{extern "system" { fn RtlSplay( Links: PRTL_SPLAY_LINKS, ) -> PRTL_SPLAY_LINKS; fn RtlDelete( Links: PRTL_SPLAY_LINKS, ) -> PRTL_SPLAY_LINKS; fn RtlDeleteNoSplay( Links: PRTL_SPLAY_LINKS, Root: *mut PRTL_SPLAY_LINKS, ); fn RtlSubtreeSuccessor( Links: PRTL_SPLAY_LINKS, ) -> PRTL_SPLAY_LINKS; fn RtlSubtreePredecessor( Links: PRTL_SPLAY_LINKS, ) -> PRTL_SPLAY_LINKS; fn RtlRealSuccessor( Links: PRTL_SPLAY_LINKS, ) -> PRTL_SPLAY_LINKS; fn RtlRealPredecessor( Links: PRTL_SPLAY_LINKS, ) -> PRTL_SPLAY_LINKS; }} FN!{stdcall PRTL_GENERIC_COMPARE_ROUTINE( Table: *mut RTL_GENERIC_TABLE, FirstStruct: PVOID, SecondStruct: PVOID, ) -> RTL_GENERIC_COMPARE_RESULTS} FN!{stdcall PRTL_GENERIC_ALLOCATE_ROUTINE( Table: *mut RTL_GENERIC_TABLE, ByteSize: CLONG, ) -> PVOID} FN!{stdcall PRTL_GENERIC_FREE_ROUTINE( Table: *mut RTL_GENERIC_TABLE, Buffer: PVOID, ) -> ()} STRUCT!{struct RTL_GENERIC_TABLE { TableRoot: PRTL_SPLAY_LINKS, InsertOrderList: LIST_ENTRY, OrderedPointer: PLIST_ENTRY, WhichOrderedElement: ULONG, NumberGenericTableElements: ULONG, CompareRoutine: PRTL_GENERIC_COMPARE_ROUTINE, AllocateRoutine: PRTL_GENERIC_ALLOCATE_ROUTINE, FreeRoutine: PRTL_GENERIC_FREE_ROUTINE, TableContext: PVOID, }} pub type PRTL_GENERIC_TABLE = *mut RTL_GENERIC_TABLE; EXTERN!{extern "system" { fn RtlInitializeGenericTable( Table: PRTL_GENERIC_TABLE, CompareRoutine: PRTL_GENERIC_COMPARE_ROUTINE, AllocateRoutine: PRTL_GENERIC_ALLOCATE_ROUTINE, FreeRoutine: PRTL_GENERIC_FREE_ROUTINE, TableContext: PVOID, ); fn RtlInsertElementGenericTable( Table: PRTL_GENERIC_TABLE, Buffer: PVOID, BufferSize: CLONG, NewElement: PBOOLEAN, ) -> PVOID; fn RtlInsertElementGenericTableFull( Table: PRTL_GENERIC_TABLE, Buffer: PVOID, BufferSize: CLONG, NewElement: PBOOLEAN, NodeOrParent: PVOID, SearchResult: TABLE_SEARCH_RESULT, ) -> PVOID; fn RtlDeleteElementGenericTable( Table: PRTL_GENERIC_TABLE, Buffer: PVOID, ) -> BOOLEAN; fn RtlLookupElementGenericTable( Table: PRTL_GENERIC_TABLE, Buffer: PVOID, ) -> PVOID; fn RtlLookupElementGenericTableFull( Table: PRTL_GENERIC_TABLE, Buffer: PVOID, NodeOrParent: *mut PVOID, SearchResult: *mut TABLE_SEARCH_RESULT, ) -> PVOID; fn RtlEnumerateGenericTable( Table: PRTL_GENERIC_TABLE, Restart: BOOLEAN, ) -> PVOID; fn RtlEnumerateGenericTableWithoutSplaying( Table: PRTL_GENERIC_TABLE, RestartKey: *mut PVOID, ) -> PVOID; fn RtlGetElementGenericTable( Table: PRTL_GENERIC_TABLE, I: ULONG, ) -> PVOID; fn RtlNumberGenericTableElements( Table: PRTL_GENERIC_TABLE, ) -> ULONG; fn RtlIsGenericTableEmpty( Table: PRTL_GENERIC_TABLE, ) -> BOOLEAN; }} STRUCT!{struct RTL_RB_TREE { Root: PRTL_BALANCED_NODE, Min: PRTL_BALANCED_NODE, }} pub type PRTL_RB_TREE = *mut RTL_RB_TREE; EXTERN!{extern "system" { fn RtlRbInsertNodeEx( Tree: PRTL_RB_TREE, Parent: PRTL_BALANCED_NODE, Right: BOOLEAN, Node: PRTL_BALANCED_NODE, ); fn RtlRbRemoveNode( Tree: PRTL_RB_TREE, Node: PRTL_BALANCED_NODE, ); }} pub const RTL_HASH_ALLOCATED_HEADER: u32 = 0x00000001; pub const RTL_HASH_RESERVED_SIGNATURE: u32 = 0; STRUCT!{struct RTL_DYNAMIC_HASH_TABLE_ENTRY { Linkage: LIST_ENTRY, Signature: ULONG_PTR, }} pub type PRTL_DYNAMIC_HASH_TABLE_ENTRY = *mut RTL_DYNAMIC_HASH_TABLE_ENTRY; #[inline] pub const fn HASH_ENTRY_KEY(x: &RTL_DYNAMIC_HASH_TABLE_ENTRY) -> ULONG_PTR { x.Signature } STRUCT!{struct RTL_DYNAMIC_HASH_TABLE_CONTEXT { ChainHead: PLIST_ENTRY, PrevLinkage: PLIST_ENTRY, Signature: ULONG_PTR, }} pub type PRTL_DYNAMIC_HASH_TABLE_CONTEXT = *mut RTL_DYNAMIC_HASH_TABLE_CONTEXT; STRUCT!{struct RTL_DYNAMIC_HASH_TABLE_ENUMERATOR { HashEntry: RTL_DYNAMIC_HASH_TABLE_ENTRY, ChainHead: PLIST_ENTRY, BucketIndex: ULONG, }} pub type PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR = *mut RTL_DYNAMIC_HASH_TABLE_ENUMERATOR; STRUCT!{struct RTL_DYNAMIC_HASH_TABLE { Flags: ULONG, Shift: ULONG, TableSize: ULONG, Pivot: ULONG, DivisorMask: ULONG, NumEntries: ULONG, NonEmptyBuckets: ULONG, NumEnumerators: ULONG, Directory: PVOID, }} pub type PRTL_DYNAMIC_HASH_TABLE = *mut RTL_DYNAMIC_HASH_TABLE; #[inline] pub fn RtlInitHashTableContext(Context: &mut RTL_DYNAMIC_HASH_TABLE_CONTEXT) { Context.ChainHead = null_mut(); Context.PrevLinkage = null_mut(); } #[inline] pub fn RtlInitHashTableContextFromEnumerator( Context: &mut RTL_DYNAMIC_HASH_TABLE_CONTEXT, Enumerator: &RTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) { Context.ChainHead = Enumerator.ChainHead; Context.PrevLinkage = Enumerator.HashEntry.Linkage.Blink; } // RtlReleaseHashTableContext #[inline] pub const fn RtlTotalBucketsHashTable(HashTable: &RTL_DYNAMIC_HASH_TABLE) -> ULONG { HashTable.TableSize } #[inline] pub const fn RtlNonEmptyBucketsHashTable(HashTable: &RTL_DYNAMIC_HASH_TABLE) -> ULONG { HashTable.NonEmptyBuckets } #[inline] pub const fn RtlEmptyBucketsHashTable(HashTable: &RTL_DYNAMIC_HASH_TABLE) -> ULONG { HashTable.TableSize - HashTable.NonEmptyBuckets } #[inline] pub const fn RtlTotalEntriesHashTable(HashTable: &RTL_DYNAMIC_HASH_TABLE) -> ULONG { HashTable.NumEntries } #[inline] pub const fn RtlActiveEnumeratorsHashTable(HashTable: &RTL_DYNAMIC_HASH_TABLE) -> ULONG { HashTable.NumEnumerators } EXTERN!{extern "system" { fn RtlCreateHashTable( HashTable: *mut PRTL_DYNAMIC_HASH_TABLE, Shift: ULONG, Flags: ULONG, ) -> BOOLEAN; fn RtlDeleteHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, ); fn RtlInsertEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Entry: PRTL_DYNAMIC_HASH_TABLE_ENTRY, Signature: ULONG_PTR, Context: PRTL_DYNAMIC_HASH_TABLE_CONTEXT, ) -> BOOLEAN; fn RtlRemoveEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Entry: PRTL_DYNAMIC_HASH_TABLE_ENTRY, Context: PRTL_DYNAMIC_HASH_TABLE_CONTEXT, ) -> BOOLEAN; fn RtlLookupEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Signature: ULONG_PTR, Context: PRTL_DYNAMIC_HASH_TABLE_CONTEXT, ) -> PRTL_DYNAMIC_HASH_TABLE_ENTRY; fn RtlGetNextEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Context: PRTL_DYNAMIC_HASH_TABLE_CONTEXT, ) -> PRTL_DYNAMIC_HASH_TABLE_ENTRY; fn RtlInitEnumerationHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) -> BOOLEAN; fn RtlEnumerateEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) -> PRTL_DYNAMIC_HASH_TABLE_ENTRY; fn RtlEndEnumerationHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ); fn RtlInitWeakEnumerationHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) -> BOOLEAN; fn RtlWeaklyEnumerateEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) -> PRTL_DYNAMIC_HASH_TABLE_ENTRY; fn RtlEndWeakEnumerationHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ); fn RtlExpandHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, ) -> BOOLEAN; fn RtlContractHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, ) -> BOOLEAN; fn RtlInitStrongEnumerationHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) -> BOOLEAN; fn RtlStronglyEnumerateEntryHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ) -> PRTL_DYNAMIC_HASH_TABLE_ENTRY; fn RtlEndStrongEnumerationHashTable( HashTable: PRTL_DYNAMIC_HASH_TABLE, Enumerator: PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR, ); fn RtlInitializeCriticalSection( CriticalSection: PRTL_CRITICAL_SECTION, ) -> NTSTATUS; fn RtlInitializeCriticalSectionAndSpinCount( CriticalSection: PRTL_CRITICAL_SECTION, SpinCount: ULONG, ) -> NTSTATUS; fn RtlDeleteCriticalSection( CriticalSection: PRTL_CRITICAL_SECTION, ) -> NTSTATUS; fn RtlEnterCriticalSection( CriticalSection: PRTL_CRITICAL_SECTION, ) -> NTSTATUS; fn RtlLeaveCriticalSection( CriticalSection: PRTL_CRITICAL_SECTION, ) -> NTSTATUS; fn RtlTryEnterCriticalSection( CriticalSection: PRTL_CRITICAL_SECTION, ) -> LOGICAL; fn RtlIsCriticalSectionLocked( CriticalSection: PRTL_CRITICAL_SECTION, ) -> LOGICAL; fn RtlIsCriticalSectionLockedByThread( CriticalSection: PRTL_CRITICAL_SECTION, ) -> LOGICAL; fn RtlGetCriticalSectionRecursionCount( CriticalSection: PRTL_CRITICAL_SECTION, ) -> ULONG; fn RtlSetCriticalSectionSpinCount( CriticalSection: PRTL_CRITICAL_SECTION, SpinCount: ULONG, ) -> ULONG; fn RtlQueryCriticalSectionOwner( EventHandle: HANDLE, ) -> HANDLE; fn RtlCheckForOrphanedCriticalSections( ThreadHandle: HANDLE, ); }} STRUCT!{struct RTL_RESOURCE { CriticalSection: RTL_CRITICAL_SECTION, SharedSemaphore: HANDLE, NumberOfWaitingShared: ULONG, ExclusiveSemaphore: HANDLE, NumberOfWaitingExclusive: ULONG, NumberOfActive: LONG, ExclusiveOwnerThread: HANDLE, Flags: ULONG, DebugInfo: PRTL_RESOURCE_DEBUG, }} pub type PRTL_RESOURCE = *mut RTL_RESOURCE; pub const RTL_RESOURCE_FLAG_LONG_TERM: ULONG = 0x00000001; EXTERN!{extern "system" { fn RtlInitializeResource( Resource: PRTL_RESOURCE, ); fn RtlDeleteResource( Resource: PRTL_RESOURCE, ); fn RtlAcquireResourceShared( Resource: PRTL_RESOURCE, Wait: BOOLEAN, ) -> BOOLEAN; fn RtlAcquireResourceExclusive( Resource: PRTL_RESOURCE, Wait: BOOLEAN, ) -> BOOLEAN; fn RtlReleaseResource( Resource: PRTL_RESOURCE, ); fn RtlConvertSharedToExclusive( Resource: PRTL_RESOURCE, ); fn RtlConvertExclusiveToShared( Resource: PRTL_RESOURCE, ); fn RtlInitializeSRWLock( SRWLock: PRTL_SRWLOCK, ); fn RtlAcquireSRWLockExclusive( SRWLock: PRTL_SRWLOCK, ); fn RtlAcquireSRWLockShared( SRWLock: PRTL_SRWLOCK, ); fn RtlReleaseSRWLockExclusive( SRWLock: PRTL_SRWLOCK, ); fn RtlReleaseSRWLockShared( SRWLock: PRTL_SRWLOCK, ); fn RtlTryAcquireSRWLockExclusive( SRWLock: PRTL_SRWLOCK, ) -> BOOLEAN; fn RtlTryAcquireSRWLockShared( SRWLock: PRTL_SRWLOCK, ) -> BOOLEAN; fn RtlAcquireReleaseSRWLockExclusive( SRWLock: PRTL_SRWLOCK, ); fn RtlInitializeConditionVariable( ConditionVariable: PRTL_CONDITION_VARIABLE, ); fn RtlSleepConditionVariableCS( ConditionVariable: PRTL_CONDITION_VARIABLE, CriticalSection: PRTL_CRITICAL_SECTION, Timeout: PLARGE_INTEGER, ) -> NTSTATUS; fn RtlSleepConditionVariableSRW( ConditionVariable: PRTL_CONDITION_VARIABLE, SRWLock: PRTL_SRWLOCK, Timeout: PLARGE_INTEGER, Flags: ULONG, ) -> NTSTATUS; fn RtlWakeConditionVariable( ConditionVariable: PRTL_CONDITION_VARIABLE, ); fn RtlWakeAllConditionVariable( ConditionVariable: PRTL_CONDITION_VARIABLE, ); }} pub const RTL_BARRIER_FLAGS_SPIN_ONLY: ULONG = 0x00000001; pub const RTL_BARRIER_FLAGS_BLOCK_ONLY: ULONG = 0x00000002; pub const RTL_BARRIER_FLAGS_NO_DELETE: ULONG = 0x00000004; EXTERN!{extern "system" { fn RtlInitBarrier( Barrier: PRTL_BARRIER, TotalThreads: ULONG, SpinCount: ULONG, ) -> NTSTATUS; fn RtlDeleteBarrier( Barrier: PRTL_BARRIER, ) -> NTSTATUS; fn RtlBarrier( Barrier: PRTL_BARRIER, Flags: ULONG, ) -> BOOLEAN; fn RtlBarrierForDelete( Barrier: PRTL_BARRIER, Flags: ULONG, ) -> BOOLEAN; fn RtlWaitOnAddress( Address: *mut VOID, CompareAddress: PVOID, AddressSize: SIZE_T, Timeout: PLARGE_INTEGER, ) -> NTSTATUS; fn RtlWakeAddressAll( Address: PVOID, ); fn RtlWakeAddressSingle( Address: PVOID, ); fn RtlInitString( DestinationString: PSTRING, SourceString: PCSZ, ); fn RtlInitStringEx( DestinationString: PSTRING, SourceString: PCSZ, ) -> NTSTATUS; fn RtlInitAnsiString( DestinationString: PANSI_STRING, SourceString: PCSZ, ); fn RtlInitAnsiStringEx( DestinationString: PANSI_STRING, SourceString: PCSZ, ) -> NTSTATUS; fn RtlFreeAnsiString( AnsiString: PANSI_STRING, ); fn RtlFreeOemString( OemString: POEM_STRING, ); fn RtlCopyString( DestinationString: PSTRING, SourceString: *const STRING, ); fn RtlUpperChar( Character: CHAR, ) -> CHAR; fn RtlCompareString( String1: *const STRING, String2: *const STRING, CaseInSensitive: BOOLEAN, ) -> LONG; fn RtlEqualString( String1: *const STRING, String2: *const STRING, CaseInSensitive: BOOLEAN, ) -> BOOLEAN; fn RtlPrefixString( String1: *const STRING, String2: *const STRING, CaseInSensitive: BOOLEAN, ) -> BOOLEAN; fn RtlAppendStringToString( Destination: PSTRING, Source: *const STRING, ) -> NTSTATUS; fn RtlAppendAsciizToString( Destination: PSTRING, Source: PSTR, ) -> NTSTATUS; fn RtlUpperString( DestinationString: PSTRING, SourceString: *const STRING, ); }} #[inline] pub unsafe fn RtlIsNullOrEmptyUnicodeString(String: PUNICODE_STRING) -> bool { String.is_null() || (*String).Length == 0 } #[inline] pub fn RtlInitEmptyUnicodeString( UnicodeString: &mut UNICODE_STRING, Buffer: PWCHAR, MaximumLength: USHORT, ) { UnicodeString.Buffer = Buffer; UnicodeString.MaximumLength = MaximumLength; UnicodeString.Length = 0; } EXTERN!{extern "system" { fn RtlInitUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCWSTR, ); fn RtlInitUnicodeStringEx( DestinationString: PUNICODE_STRING, SourceString: PCWSTR, ) -> NTSTATUS; fn RtlCreateUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCWSTR, ) -> BOOLEAN; fn RtlCreateUnicodeStringFromAsciiz( DestinationString: PUNICODE_STRING, SourceString: PSTR, ) -> BOOLEAN; fn RtlFreeUnicodeString( UnicodeString: PUNICODE_STRING, ); }} pub const RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE: ULONG = 0x00000001; pub const RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING: ULONG = 0x00000002; EXTERN!{extern "system" { fn RtlDuplicateUnicodeString( Flags: ULONG, StringIn: PCUNICODE_STRING, StringOut: PUNICODE_STRING, ) -> NTSTATUS; fn RtlCopyUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCUNICODE_STRING, ); fn RtlUpcaseUnicodeChar( SourceCharacter: WCHAR, ) -> WCHAR; fn RtlDowncaseUnicodeChar( SourceCharacter: WCHAR, ) -> WCHAR; fn RtlCompareUnicodeString( String1: PCUNICODE_STRING, String2: PCUNICODE_STRING, CaseInSensitive: BOOLEAN, ) -> LONG; fn RtlCompareUnicodeStrings( String1: PCWCH, String1Length: SIZE_T, String2: PCWCH, String2Length: SIZE_T, CaseInSensitive: BOOLEAN, ) -> LONG; fn RtlEqualUnicodeString( String1: PCUNICODE_STRING, String2: PCUNICODE_STRING, CaseInSensitive: BOOLEAN, ) -> BOOLEAN; }} pub const HASH_STRING_ALGORITHM_DEFAULT: ULONG = 0; pub const HASH_STRING_ALGORITHM_X65599: ULONG = 1; pub const HASH_STRING_ALGORITHM_INVALID: ULONG = 0xffffffff; EXTERN!{extern "system" { fn RtlHashUnicodeString( String: PCUNICODE_STRING, CaseInSensitive: BOOLEAN, HashAlgorithm: ULONG, HashValue: PULONG, ) -> NTSTATUS; fn RtlValidateUnicodeString( Flags: ULONG, String: PCUNICODE_STRING, ) -> NTSTATUS; fn RtlPrefixUnicodeString( String1: PCUNICODE_STRING, String2: PCUNICODE_STRING, CaseInSensitive: BOOLEAN, ) -> BOOLEAN; fn RtlSuffixUnicodeString( String1: PUNICODE_STRING, String2: PUNICODE_STRING, CaseInSensitive: BOOLEAN, ) -> BOOLEAN; fn RtlFindUnicodeSubstring( FullString: PUNICODE_STRING, SearchString: PUNICODE_STRING, CaseInSensitive: BOOLEAN, ) -> PWCHAR; }} pub const RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END: ULONG = 0x00000001; pub const RTL_FIND_CHAR_IN_UNICODE_STRING_COMPLEMENT_CHAR_SET: ULONG = 0x00000002; pub const RTL_FIND_CHAR_IN_UNICODE_STRING_CASE_INSENSITIVE: ULONG = 0x00000004; EXTERN!{extern "system" { fn RtlFindCharInUnicodeString( Flags: ULONG, StringToSearch: PUNICODE_STRING, CharSet: PUNICODE_STRING, NonInclusivePrefixLength: PUSHORT, ) -> NTSTATUS; fn RtlAppendUnicodeStringToString( Destination: PUNICODE_STRING, Source: PCUNICODE_STRING, ) -> NTSTATUS; fn RtlAppendUnicodeToString( Destination: PUNICODE_STRING, Source: PCWSTR, ) -> NTSTATUS; fn RtlUpcaseUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlDowncaseUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlEraseUnicodeString( String: PUNICODE_STRING, ); fn RtlAnsiStringToUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCANSI_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlUnicodeStringToAnsiString( DestinationString: PANSI_STRING, SourceString: PCUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlAnsiCharToUnicodeChar( SourceCharacter: *mut PUCHAR, ) -> WCHAR; fn RtlUpcaseUnicodeStringToAnsiString( DestinationString: PANSI_STRING, SourceString: PUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlOemStringToUnicodeString( DestinationString: PUNICODE_STRING, SourceString: PCOEM_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlUnicodeStringToOemString( DestinationString: POEM_STRING, SourceString: PCUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlUpcaseUnicodeStringToOemString( DestinationString: POEM_STRING, SourceString: PUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlUnicodeStringToCountedOemString( DestinationString: POEM_STRING, SourceString: PCUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlUpcaseUnicodeStringToCountedOemString( DestinationString: POEM_STRING, SourceString: PCUNICODE_STRING, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlMultiByteToUnicodeN( UnicodeString: PWCH, MaxBytesInUnicodeString: ULONG, BytesInUnicodeString: PULONG, MultiByteString: *const CHAR, BytesInMultiByteString: ULONG, ) -> NTSTATUS; fn RtlMultiByteToUnicodeSize( BytesInUnicodeString: PULONG, MultiByteString: *const CHAR, BytesInMultiByteString: ULONG, ) -> NTSTATUS; fn RtlUnicodeToMultiByteN( MultiByteString: PCHAR, MaxBytesInMultiByteString: ULONG, BytesInMultiByteString: PULONG, UnicodeString: PCWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlUnicodeToMultiByteSize( BytesInMultiByteString: PULONG, UnicodeString: PCWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlUpcaseUnicodeToMultiByteN( MultiByteString: PCHAR, MaxBytesInMultiByteString: ULONG, BytesInMultiByteString: PULONG, UnicodeString: PCWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlOemToUnicodeN( UnicodeString: PWCH, MaxBytesInUnicodeString: ULONG, BytesInUnicodeString: PULONG, OemString: PCCH, BytesInOemString: ULONG, ) -> NTSTATUS; fn RtlUnicodeToOemN( OemString: PCHAR, MaxBytesInOemString: ULONG, BytesInOemString: PULONG, UnicodeString: PCWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlUpcaseUnicodeToOemN( OemString: PCHAR, MaxBytesInOemString: ULONG, BytesInOemString: PULONG, UnicodeString: PCWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlConsoleMultiByteToUnicodeN( UnicodeString: PWCH, MaxBytesInUnicodeString: ULONG, BytesInUnicodeString: PULONG, MultiByteString: PCH, BytesInMultiByteString: ULONG, pdwSpecialChar: PULONG, ) -> NTSTATUS; fn RtlUTF8ToUnicodeN( UnicodeStringDestination: PWSTR, UnicodeStringMaxByteCount: ULONG, UnicodeStringActualByteCount: PULONG, UTF8StringSource: PCCH, UTF8StringByteCount: ULONG, ) -> NTSTATUS; fn RtlUnicodeToUTF8N( UTF8StringDestination: PCHAR, UTF8StringMaxByteCount: ULONG, UTF8StringActualByteCount: PULONG, UnicodeStringSource: PCWCH, UnicodeStringByteCount: ULONG, ) -> NTSTATUS; fn RtlCustomCPToUnicodeN( CustomCP: PCPTABLEINFO, UnicodeString: PWCH, MaxBytesInUnicodeString: ULONG, BytesInUnicodeString: PULONG, CustomCPString: PCH, BytesInCustomCPString: ULONG, ) -> NTSTATUS; fn RtlUnicodeToCustomCPN( CustomCP: PCPTABLEINFO, CustomCPString: PCH, MaxBytesInCustomCPString: ULONG, BytesInCustomCPString: PULONG, UnicodeString: PWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlUpcaseUnicodeToCustomCPN( CustomCP: PCPTABLEINFO, CustomCPString: PCH, MaxBytesInCustomCPString: ULONG, BytesInCustomCPString: PULONG, UnicodeString: PWCH, BytesInUnicodeString: ULONG, ) -> NTSTATUS; fn RtlInitCodePageTable( TableBase: PUSHORT, CodePageTable: PCPTABLEINFO, ); fn RtlInitNlsTables( AnsiNlsBase: PUSHORT, OemNlsBase: PUSHORT, LanguageNlsBase: PUSHORT, TableInfo: PNLSTABLEINFO, ); fn RtlResetRtlTranslations( TableInfo: PNLSTABLEINFO, ); fn RtlIsTextUnicode( Buffer: PVOID, Size: ULONG, Result: PULONG, ) -> BOOLEAN; }} ENUM!{enum RTL_NORM_FORM { NormOther = 0x0, NormC = 0x1, NormD = 0x2, NormKC = 0x5, NormKD = 0x6, NormIdna = 0xd, DisallowUnassigned = 0x100, NormCDisallowUnassigned = 0x101, NormDDisallowUnassigned = 0x102, NormKCDisallowUnassigned = 0x105, NormKDDisallowUnassigned = 0x106, NormIdnaDisallowUnassigned = 0x10d, }} EXTERN!{extern "system" { fn RtlNormalizeString( NormForm: ULONG, SourceString: PCWSTR, SourceStringLength: LONG, DestinationString: PWSTR, DestinationStringLength: PLONG, ) -> NTSTATUS; fn RtlIsNormalizedString( NormForm: ULONG, SourceString: PCWSTR, SourceStringLength: LONG, Normalized: PBOOLEAN, ) -> NTSTATUS; fn RtlIsNameInExpression( Expression: PUNICODE_STRING, Name: PUNICODE_STRING, IgnoreCase: BOOLEAN, UpcaseTable: PWCH, ) -> BOOLEAN; fn RtlIsNameInUnUpcasedExpression( Expression: PUNICODE_STRING, Name: PUNICODE_STRING, IgnoreCase: BOOLEAN, UpcaseTable: PWCH, ) -> BOOLEAN; fn RtlEqualDomainName( String1: PUNICODE_STRING, String2: PUNICODE_STRING, ) -> BOOLEAN; fn RtlEqualComputerName( String1: PUNICODE_STRING, String2: PUNICODE_STRING, ) -> BOOLEAN; fn RtlDnsHostNameToComputerName( ComputerNameString: PUNICODE_STRING, DnsHostNameString: PUNICODE_STRING, AllocateComputerNameString: BOOLEAN, ) -> NTSTATUS; fn RtlStringFromGUID( Guid: *const GUID, GuidString: PUNICODE_STRING, ) -> NTSTATUS; fn RtlStringFromGUIDEx( Guid: *mut GUID, GuidString: PUNICODE_STRING, AllocateGuidString: BOOLEAN, ) -> NTSTATUS; fn RtlGUIDFromString( GuidString: PCUNICODE_STRING, Guid: *mut GUID, ) -> NTSTATUS; fn RtlCompareAltitudes( Altitude1: PCUNICODE_STRING, Altitude2: PCUNICODE_STRING, ) -> LONG; fn RtlIdnToAscii( Flags: ULONG, SourceString: PCWSTR, SourceStringLength: LONG, DestinationString: PWSTR, DestinationStringLength: PLONG, ) -> NTSTATUS; fn RtlIdnToUnicode( Flags: ULONG, SourceString: PCWSTR, SourceStringLength: LONG, DestinationString: PWSTR, DestinationStringLength: PLONG, ) -> NTSTATUS; fn RtlIdnToNameprepUnicode( Flags: ULONG, SourceString: PCWSTR, SourceStringLength: LONG, DestinationString: PWSTR, DestinationStringLength: PLONG, ) -> NTSTATUS; }} STRUCT!{struct PREFIX_TABLE_ENTRY { NodeTypeCode: CSHORT, NameLength: CSHORT, NextPrefixTree: *mut PREFIX_TABLE_ENTRY, Links: RTL_SPLAY_LINKS, Prefix: PSTRING, }} pub type PPREFIX_TABLE_ENTRY = *mut PREFIX_TABLE_ENTRY; STRUCT!{struct PREFIX_TABLE { NodeTypeCode: CSHORT, NameLength: CSHORT, NextPrefixTree: PPREFIX_TABLE_ENTRY, }} pub type PPREFIX_TABLE = *mut PREFIX_TABLE; EXTERN!{extern "system" { fn PfxInitialize( PrefixTable: PPREFIX_TABLE, ); fn PfxInsertPrefix( PrefixTable: PPREFIX_TABLE, Prefix: PSTRING, PrefixTableEntry: PPREFIX_TABLE_ENTRY, ) -> BOOLEAN; fn PfxRemovePrefix( PrefixTable: PPREFIX_TABLE, PrefixTableEntry: PPREFIX_TABLE_ENTRY, ); fn PfxFindPrefix( PrefixTable: PPREFIX_TABLE, FullName: PSTRING, ) -> PPREFIX_TABLE_ENTRY; }} STRUCT!{struct UNICODE_PREFIX_TABLE_ENTRY { NodeTypeCode: CSHORT, NameLength: CSHORT, NextPrefixTree: *mut UNICODE_PREFIX_TABLE_ENTRY, CaseMatch: *mut UNICODE_PREFIX_TABLE_ENTRY, Links: RTL_SPLAY_LINKS, Prefix: PUNICODE_STRING, }} pub type PUNICODE_PREFIX_TABLE_ENTRY = *mut UNICODE_PREFIX_TABLE_ENTRY; STRUCT!{struct UNICODE_PREFIX_TABLE { NodeTypeCode: CSHORT, NameLength: CSHORT, NextPrefixTree: PUNICODE_PREFIX_TABLE_ENTRY, LastNextEntry: PUNICODE_PREFIX_TABLE_ENTRY, }} pub type PUNICODE_PREFIX_TABLE = *mut UNICODE_PREFIX_TABLE; EXTERN!{extern "system" { fn RtlInitializeUnicodePrefix( PrefixTable: PUNICODE_PREFIX_TABLE, ); fn RtlInsertUnicodePrefix( PrefixTable: PUNICODE_PREFIX_TABLE, Prefix: PUNICODE_STRING, PrefixTableEntry: PUNICODE_PREFIX_TABLE_ENTRY, ) -> BOOLEAN; fn RtlRemoveUnicodePrefix( PrefixTable: PUNICODE_PREFIX_TABLE, PrefixTableEntry: PUNICODE_PREFIX_TABLE_ENTRY, ); fn RtlFindUnicodePrefix( PrefixTable: PUNICODE_PREFIX_TABLE, FullName: PCUNICODE_STRING, CaseInsensitiveIndex: ULONG, ) -> PUNICODE_PREFIX_TABLE_ENTRY; fn RtlNextUnicodePrefix( PrefixTable: PUNICODE_PREFIX_TABLE, Restart: BOOLEAN, ) -> PUNICODE_PREFIX_TABLE_ENTRY; }} STRUCT!{struct COMPRESSED_DATA_INFO { CompressionFormatAndEngine: USHORT, CompressionUnitShift: UCHAR, ChunkShift: UCHAR, ClusterShift: UCHAR, Reserved: UCHAR, NumberOfChunks: USHORT, CompressedChunkSizes: [ULONG; 1], }} pub type PCOMPRESSED_DATA_INFO = *mut COMPRESSED_DATA_INFO; EXTERN!{extern "system" { fn RtlGetCompressionWorkSpaceSize( CompressionFormatAndEngine: USHORT, CompressBufferWorkSpaceSize: PULONG, CompressFragmentWorkSpaceSize: PULONG, ) -> NTSTATUS; fn RtlCompressBuffer( CompressionFormatAndEngine: USHORT, UncompressedBuffer: PUCHAR, UncompressedBufferSize: ULONG, CompressedBuffer: PUCHAR, CompressedBufferSize: ULONG, UncompressedChunkSize: ULONG, FinalCompressedSize: PULONG, WorkSpace: PVOID, ) -> NTSTATUS; fn RtlDecompressBuffer( CompressionFormat: USHORT, UncompressedBuffer: PUCHAR, UncompressedBufferSize: ULONG, CompressedBuffer: PUCHAR, CompressedBufferSize: ULONG, FinalUncompressedSize: PULONG, ) -> NTSTATUS; fn RtlDecompressBufferEx( CompressionFormat: USHORT, UncompressedBuffer: PUCHAR, UncompressedBufferSize: ULONG, CompressedBuffer: PUCHAR, CompressedBufferSize: ULONG, FinalUncompressedSize: PULONG, WorkSpace: PVOID, ) -> NTSTATUS; fn RtlDecompressFragment( CompressionFormat: USHORT, UncompressedFragment: PUCHAR, UncompressedFragmentSize: ULONG, CompressedBuffer: PUCHAR, CompressedBufferSize: ULONG, FragmentOffset: ULONG, FinalUncompressedSize: PULONG, WorkSpace: PVOID, ) -> NTSTATUS; fn RtlDescribeChunk( CompressionFormat: USHORT, CompressedBuffer: *mut PUCHAR, EndOfCompressedBufferPlus1: PUCHAR, ChunkBuffer: *mut PUCHAR, ChunkSize: PULONG, ) -> NTSTATUS; fn RtlReserveChunk( CompressionFormat: USHORT, CompressedBuffer: *mut PUCHAR, EndOfCompressedBufferPlus1: PUCHAR, ChunkBuffer: *mut PUCHAR, ChunkSize: ULONG, ) -> NTSTATUS; fn RtlDecompressChunks( UncompressedBuffer: PUCHAR, UncompressedBufferSize: ULONG, CompressedBuffer: PUCHAR, CompressedBufferSize: ULONG, CompressedTail: PUCHAR, CompressedTailSize: ULONG, CompressedDataInfo: PCOMPRESSED_DATA_INFO, ) -> NTSTATUS; fn RtlCompressChunks( UncompressedBuffer: PUCHAR, UncompressedBufferSize: ULONG, CompressedBuffer: PUCHAR, CompressedBufferSize: ULONG, CompressedDataInfo: PCOMPRESSED_DATA_INFO, CompressedDataInfoLength: ULONG, WorkSpace: PVOID, ) -> NTSTATUS; fn RtlConvertLCIDToString( LcidValue: LCID, Base: ULONG, Padding: ULONG, pResultBuf: PWSTR, Size: ULONG, ) -> NTSTATUS; fn RtlIsValidLocaleName( LocaleName: PWSTR, Flags: ULONG, ) -> BOOLEAN; fn RtlGetParentLocaleName( LocaleName: PWSTR, ParentLocaleName: PUNICODE_STRING, Flags: ULONG, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlLcidToLocaleName( lcid: LCID, LocaleName: PUNICODE_STRING, Flags: ULONG, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlLocaleNameToLcid( LocaleName: PWSTR, lcid: PLCID, Flags: ULONG, ) -> NTSTATUS; fn RtlLCIDToCultureName( Lcid: LCID, String: PUNICODE_STRING, ) -> BOOLEAN; fn RtlCultureNameToLCID( String: PUNICODE_STRING, Lcid: PLCID, ) -> BOOLEAN; fn RtlCleanUpTEBLangLists(); fn RtlGetLocaleFileMappingAddress( BaseAddress: *mut PVOID, DefaultLocaleId: PLCID, DefaultCasingTableSize: PLARGE_INTEGER, ) -> NTSTATUS; fn RtlGetCurrentPeb() -> PPEB; fn RtlAcquirePebLock(); fn RtlReleasePebLock(); fn RtlTryAcquirePebLock() -> LOGICAL; fn RtlAllocateFromPeb( Size: ULONG, Block: *mut PVOID, ) -> NTSTATUS; fn RtlFreeToPeb( Block: PVOID, Size: ULONG, ) -> NTSTATUS; }} pub const DOS_MAX_COMPONENT_LENGTH: u32 = 255; pub const DOS_MAX_PATH_LENGTH: u32 = DOS_MAX_COMPONENT_LENGTH + 5; STRUCT!{struct CURDIR { DosPath: UNICODE_STRING, Handle: HANDLE, }} pub type PCURDIR = *mut CURDIR; pub const RTL_USER_PROC_CURDIR_CLOSE: u32 = 0x00000002; pub const RTL_USER_PROC_CURDIR_INHERIT: u32 = 0x00000003; STRUCT!{struct RTL_DRIVE_LETTER_CURDIR { Flags: USHORT, Length: USHORT, TimeStamp: ULONG, DosPath: STRING, }} pub type PRTL_DRIVE_LETTER_CURDIR = *mut RTL_DRIVE_LETTER_CURDIR; pub const RTL_MAX_DRIVE_LETTERS: usize = 32; pub const RTL_DRIVE_LETTER_VALID: USHORT = 0x0001; STRUCT!{struct RTL_USER_PROCESS_PARAMETERS { MaximumLength: ULONG, Length: ULONG, Flags: ULONG, DebugFlags: ULONG, ConsoleHandle: HANDLE, ConsoleFlags: ULONG, StandardInput: HANDLE, StandardOutput: HANDLE, StandardError: HANDLE, CurrentDirectory: CURDIR, DllPath: UNICODE_STRING, ImagePathName: UNICODE_STRING, CommandLine: UNICODE_STRING, Environment: PVOID, StartingX: ULONG, StartingY: ULONG, CountX: ULONG, CountY: ULONG, CountCharsX: ULONG, CountCharsY: ULONG, FillAttribute: ULONG, WindowFlags: ULONG, ShowWindowFlags: ULONG, WindowTitle: UNICODE_STRING, DesktopInfo: UNICODE_STRING, ShellInfo: UNICODE_STRING, RuntimeData: UNICODE_STRING, CurrentDirectories: [RTL_DRIVE_LETTER_CURDIR; RTL_MAX_DRIVE_LETTERS], EnvironmentSize: ULONG_PTR, EnvironmentVersion: ULONG_PTR, PackageDependencyData: PVOID, ProcessGroupId: ULONG, LoaderThreads: ULONG, }} pub type PRTL_USER_PROCESS_PARAMETERS = *mut RTL_USER_PROCESS_PARAMETERS; pub const RTL_USER_PROC_PARAMS_NORMALIZED: ULONG = 0x00000001; pub const RTL_USER_PROC_PROFILE_USER: ULONG = 0x00000002; pub const RTL_USER_PROC_PROFILE_KERNEL: ULONG = 0x00000004; pub const RTL_USER_PROC_PROFILE_SERVER: ULONG = 0x00000008; pub const RTL_USER_PROC_RESERVE_1MB: ULONG = 0x00000020; pub const RTL_USER_PROC_RESERVE_16MB: ULONG = 0x00000040; pub const RTL_USER_PROC_CASE_SENSITIVE: ULONG = 0x00000080; pub const RTL_USER_PROC_DISABLE_HEAP_DECOMMIT: ULONG = 0x00000100; pub const RTL_USER_PROC_DLL_REDIRECTION_LOCAL: ULONG = 0x00001000; pub const RTL_USER_PROC_APP_MANIFEST_PRESENT: ULONG = 0x00002000; pub const RTL_USER_PROC_IMAGE_KEY_MISSING: ULONG = 0x00004000; pub const RTL_USER_PROC_OPTIN_PROCESS: ULONG = 0x00020000; EXTERN!{extern "system" { fn RtlCreateProcessParameters( pProcessParameters: *mut PRTL_USER_PROCESS_PARAMETERS, ImagePathName: PUNICODE_STRING, DllPath: PUNICODE_STRING, CurrentDirectory: PUNICODE_STRING, CommandLine: PUNICODE_STRING, Environment: PVOID, WindowTitle: PUNICODE_STRING, DesktopInfo: PUNICODE_STRING, ShellInfo: PUNICODE_STRING, RuntimeData: PUNICODE_STRING, ) -> NTSTATUS; fn RtlCreateProcessParametersEx( pProcessParameters: *mut PRTL_USER_PROCESS_PARAMETERS, ImagePathName: PUNICODE_STRING, DllPath: PUNICODE_STRING, CurrentDirectory: PUNICODE_STRING, CommandLine: PUNICODE_STRING, Environment: PVOID, WindowTitle: PUNICODE_STRING, DesktopInfo: PUNICODE_STRING, ShellInfo: PUNICODE_STRING, RuntimeData: PUNICODE_STRING, Flags: ULONG, ) -> NTSTATUS; fn RtlDestroyProcessParameters( ProcessParameters: PRTL_USER_PROCESS_PARAMETERS, ) -> NTSTATUS; fn RtlNormalizeProcessParams( ProcessParameters: PRTL_USER_PROCESS_PARAMETERS, ) -> PRTL_USER_PROCESS_PARAMETERS; fn RtlDeNormalizeProcessParams( ProcessParameters: PRTL_USER_PROCESS_PARAMETERS, ) -> PRTL_USER_PROCESS_PARAMETERS; }} STRUCT!{struct RTL_USER_PROCESS_INFORMATION { Length: ULONG, Process: HANDLE, Thread: HANDLE, ClientId: CLIENT_ID, ImageInformation: SECTION_IMAGE_INFORMATION, }} pub type PRTL_USER_PROCESS_INFORMATION = *mut RTL_USER_PROCESS_INFORMATION; EXTERN!{extern "system" { fn RtlCreateUserProcess( NtImagePathName: PUNICODE_STRING, AttributesDeprecated: ULONG, ProcessParameters: PRTL_USER_PROCESS_PARAMETERS, ProcessSecurityDescriptor: PSECURITY_DESCRIPTOR, ThreadSecurityDescriptor: PSECURITY_DESCRIPTOR, ParentProcess: HANDLE, InheritHandles: BOOLEAN, DebugPort: HANDLE, TokenHandle: HANDLE, ProcessInformation: PRTL_USER_PROCESS_INFORMATION, ) -> NTSTATUS; fn RtlCreateUserProcessEx( NtImagePathName: PUNICODE_STRING, ProcessParameters: PRTL_USER_PROCESS_PARAMETERS, InheritHandles: BOOLEAN, Flags: ULONG, ProcessInformation: PRTL_USER_PROCESS_INFORMATION, ) -> NTSTATUS; fn RtlExitUserProcess( ExitStatus: NTSTATUS, ); }} pub const RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED: ULONG = 0x00000001; pub const RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES: ULONG = 0x00000002; pub const RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE: ULONG = 0x00000004; EXTERN!{extern "system" { fn RtlCloneUserProcess( ProcessFlags: ULONG, ProcessSecurityDescriptor: PSECURITY_DESCRIPTOR, ThreadSecurityDescriptor: PSECURITY_DESCRIPTOR, DebugPort: HANDLE, ProcessInformation: PRTL_USER_PROCESS_INFORMATION, ) -> NTSTATUS; fn RtlUpdateClonedCriticalSection( CriticalSection: PRTL_CRITICAL_SECTION, ); fn RtlUpdateClonedSRWLock( SRWLock: PRTL_SRWLOCK, Shared: LOGICAL, ); }} STRUCT!{struct RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION { ReflectionProcessHandle: HANDLE, ReflectionThreadHandle: HANDLE, ReflectionClientId: CLIENT_ID, }} pub type PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION = *mut RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION; EXTERN!{extern "system" { fn RtlCreateProcessReflection( ProcessHandle: HANDLE, Flags: ULONG, StartRoutine: PVOID, StartContext: PVOID, EventHandle: HANDLE, ReflectionInformation: PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, ) -> NTSTATUS; }} EXTERN!{extern "C" { fn RtlSetProcessIsCritical( NewValue: BOOLEAN, OldValue: PBOOLEAN, CheckFlag: BOOLEAN, ) -> NTSTATUS; fn RtlSetThreadIsCritical( NewValue: BOOLEAN, OldValue: PBOOLEAN, CheckFlag: BOOLEAN, ) -> NTSTATUS; }} EXTERN!{extern "system" { fn RtlValidProcessProtection( ProcessProtection: PS_PROTECTION, ) -> BOOLEAN; fn RtlTestProtectedAccess( Source: PS_PROTECTION, Target: PS_PROTECTION, ) -> BOOLEAN; fn RtlIsCurrentProcess( ProcessHandle: HANDLE, ) -> BOOLEAN; fn RtlIsCurrentThread( ThreadHandle: HANDLE, ) -> BOOLEAN; }} FN!{stdcall PUSER_THREAD_START_ROUTINE( ThreadParameter: PVOID, ) -> NTSTATUS} EXTERN!{extern "system" { fn RtlCreateUserThread( Process: HANDLE, ThreadSecurityDescriptor: PSECURITY_DESCRIPTOR, CreateSuspended: BOOLEAN, ZeroBits: ULONG, MaximumStackSize: SIZE_T, CommittedStackSize: SIZE_T, StartAddress: PUSER_THREAD_START_ROUTINE, Parameter: PVOID, Thread: PHANDLE, ClientId: PCLIENT_ID, ) -> NTSTATUS; fn RtlExitUserThread( ExitStatus: NTSTATUS, ); fn RtlIsCurrentThreadAttachExempt() -> BOOLEAN; fn RtlCreateUserStack( CommittedStackSize: SIZE_T, MaximumStackSize: SIZE_T, ZeroBits: ULONG_PTR, PageSize: SIZE_T, ReserveAlignment: ULONG_PTR, InitialTeb: PINITIAL_TEB, ) -> NTSTATUS; fn RtlFreeUserStack( AllocationBase: PVOID, ) -> NTSTATUS; }} STRUCT!{struct CONTEXT_CHUNK { Offset: LONG, Length: ULONG, }} pub type PCONTEXT_CHUNK = *mut CONTEXT_CHUNK; STRUCT!{struct CONTEXT_EX { All: CONTEXT_CHUNK, Legacy: CONTEXT_CHUNK, XState: CONTEXT_CHUNK, }} pub type PCONTEXT_EX = *mut CONTEXT_EX; pub const CONTEXT_EX_LENGTH: usize = 4096; #[macro_export] macro_rules! RTL_CONTEXT_EX_OFFSET { ($ContextEx:expr, $Chunk:ident) => { (*$ContextEx).$Chunk.Offset }; } #[macro_export] macro_rules! RTL_CONTEXT_EX_LENGTH { ($ContextEx:expr, $Chunk:ident) => { (*$ContextEx).$Chunk.Length }; } #[macro_export] macro_rules! RTL_CONTEXT_EX_CHUNK { ($Base:expr, $Layout:expr, $Chunk:ident) => { ($Base as usize + RTL_CONTEXT_EX_OFFSET!($Layout, $Chunk) as usize) as *mut c_void }; } #[macro_export] macro_rules! RTL_CONTEXT_OFFSET { ($Context:expr, $Chunk:ident) => { RTL_CONTEXT_EX_OFFSET!(($Context as *const $crate::winapi::um::winnt::CONTEXT).offset(1) as *const $crate::ntrtl::CONTEXT_EX, $Chunk) }; } #[macro_export] macro_rules! RTL_CONTEXT_LENGTH { ($Context:expr, $Chunk:ident) => { RTL_CONTEXT_EX_LENGTH!(($Context as *const $crate::winapi::um::winnt::CONTEXT).offset(1) as *const $crate::ntrtl::CONTEXT_EX, $Chunk) }; } #[macro_export] macro_rules! RTL_CONTEXT_CHUNK { ($Context:expr, $Chunk:ident) => { RTL_CONTEXT_EX_CHUNK!( ($Context as *const $crate::winapi::um::winnt::CONTEXT).offset(1) as *const $crate::ntrtl::CONTEXT_EX, ($Context as *const $crate::winapi::um::winnt::CONTEXT).offset(1) as *const $crate::ntrtl::CONTEXT_EX, $Chunk ) }; } EXTERN!{extern "system" { fn RtlInitializeContext( Process: HANDLE, Context: PCONTEXT, Parameter: PVOID, InitialPc: PVOID, InitialSp: PVOID, ); fn RtlInitializeExtendedContext( Context: PCONTEXT, ContextFlags: ULONG, ContextEx: *mut PCONTEXT_EX, ) -> ULONG; fn RtlCopyExtendedContext( Destination: PCONTEXT_EX, ContextFlags: ULONG, Source: PCONTEXT_EX, ) -> ULONG; fn RtlGetExtendedContextLength( ContextFlags: ULONG, ContextLength: PULONG, ) -> ULONG; fn RtlGetExtendedFeaturesMask( ContextEx: PCONTEXT_EX, ) -> ULONG64; fn RtlLocateExtendedFeature( ContextEx: PCONTEXT_EX, FeatureId: ULONG, Length: PULONG, ) -> PVOID; fn RtlLocateLegacyContext( ContextEx: PCONTEXT_EX, Length: PULONG, ) -> PCONTEXT; fn RtlSetExtendedFeaturesMask( ContextEx: PCONTEXT_EX, FeatureMask: ULONG64, ); }} #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] EXTERN!{extern "system" { fn RtlWow64GetThreadContext( ThreadHandle: HANDLE, ThreadContext: PWOW64_CONTEXT, ) -> NTSTATUS; fn RtlWow64SetThreadContext( ThreadHandle: HANDLE, ThreadContext: PWOW64_CONTEXT, ) -> NTSTATUS; }} EXTERN!{extern "system" { fn RtlRemoteCall( Process: HANDLE, Thread: HANDLE, CallSite: PVOID, ArgumentCount: ULONG, Arguments: PULONG_PTR, PassContext: BOOLEAN, AlreadySuspended: BOOLEAN, ) -> NTSTATUS; fn RtlAddVectoredExceptionHandler( First: ULONG, Handler: PVECTORED_EXCEPTION_HANDLER, ) -> PVOID; fn RtlRemoveVectoredExceptionHandler( Handle: PVOID, ) -> ULONG; fn RtlAddVectoredContinueHandler( First: ULONG, Handler: PVECTORED_EXCEPTION_HANDLER, ) -> PVOID; fn RtlRemoveVectoredContinueHandler( Handle: PVOID, ) -> ULONG; }} FN!{stdcall PRTLP_UNHANDLED_EXCEPTION_FILTER( ExceptionInfo: PEXCEPTION_POINTERS, ) -> ULONG} EXTERN!{extern "system" { fn RtlSetUnhandledExceptionFilter( UnhandledExceptionFilter: PRTLP_UNHANDLED_EXCEPTION_FILTER, ); fn RtlUnhandledExceptionFilter( ExceptionPointers: PEXCEPTION_POINTERS, ) -> LONG; fn RtlUnhandledExceptionFilter2( ExceptionPointers: PEXCEPTION_POINTERS, Flags: ULONG, ) -> LONG; fn RtlKnownExceptionFilter( ExceptionPointers: PEXCEPTION_POINTERS, ) -> LONG; }} #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] IFDEF!{ ENUM!{enum FUNCTION_TABLE_TYPE { RF_SORTED = 0, RF_UNSORTED = 1, RF_CALLBACK = 2, RF_KERNEL_DYNAMIC = 3, }} STRUCT!{struct DYNAMIC_FUNCTION_TABLE { ListEntry: LIST_ENTRY, FunctionTable: PRUNTIME_FUNCTION, TimeStamp: LARGE_INTEGER, MinimumAddress: ULONG64, MaximumAddress: ULONG64, BaseAddress: ULONG64, Callback: PGET_RUNTIME_FUNCTION_CALLBACK, Context: PVOID, OutOfProcessCallbackDll: PWSTR, Type: FUNCTION_TABLE_TYPE, EntryCount: ULONG, TreeNode: RTL_BALANCED_NODE, }} pub type PDYNAMIC_FUNCTION_TABLE = *mut DYNAMIC_FUNCTION_TABLE; EXTERN!{extern "system" { fn RtlGetFunctionTableListHead() -> PLIST_ENTRY; }} } EXTERN!{extern "system" { fn RtlImageNtHeader( BaseOfImage: PVOID, ) -> PIMAGE_NT_HEADERS; }} pub const RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK: ULONG = 0x00000001; EXTERN!{extern "system" { fn RtlImageNtHeaderEx( Flags: ULONG, BaseOfImage: PVOID, Size: ULONG64, OutHeaders: *mut PIMAGE_NT_HEADERS, ) -> NTSTATUS; fn RtlAddressInSectionTable( NtHeaders: PIMAGE_NT_HEADERS, BaseOfImage: PVOID, VirtualAddress: ULONG, ) -> PVOID; fn RtlSectionTableFromVirtualAddress( NtHeaders: PIMAGE_NT_HEADERS, BaseOfImage: PVOID, VirtualAddress: ULONG, ) -> PIMAGE_SECTION_HEADER; fn RtlImageDirectoryEntryToData( BaseOfImage: PVOID, MappedAsImage: BOOLEAN, DirectoryEntry: USHORT, Size: PULONG, ) -> PVOID; fn RtlImageRvaToSection( NtHeaders: PIMAGE_NT_HEADERS, BaseOfImage: PVOID, Rva: ULONG, ) -> PIMAGE_SECTION_HEADER; fn RtlImageRvaToVa( NtHeaders: PIMAGE_NT_HEADERS, BaseOfImage: PVOID, Rva: ULONG, LastRvaSection: *mut PIMAGE_SECTION_HEADER, ) -> PVOID; fn RtlFindExportedRoutineByName( BaseOfImage: PVOID, RoutineName: PSTR, ) -> PVOID; fn RtlGuardCheckLongJumpTarget( PcValue: PVOID, IsFastFail: BOOL, IsLongJumpTarget: PBOOL, ) -> NTSTATUS; fn RtlCompareMemoryUlong( Source: PVOID, Length: SIZE_T, Pattern: ULONG, ) -> SIZE_T; fn RtlFillMemoryUlong( Destination: PVOID, Length: SIZE_T, Pattern: ULONG, ); fn RtlFillMemoryUlonglong( Destination: PVOID, Length: SIZE_T, Pattern: ULONGLONG, ); fn RtlCreateEnvironment( CloneCurrentEnvironment: BOOLEAN, Environment: *mut PVOID, ) -> NTSTATUS; }} pub const RTL_CREATE_ENVIRONMENT_TRANSLATE: ULONG = 0x1; pub const RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM: ULONG = 0x2; pub const RTL_CREATE_ENVIRONMENT_EMPTY: ULONG = 0x4; EXTERN!{extern "system" { fn RtlCreateEnvironmentEx( SourceEnv: PVOID, Environment: *mut PVOID, Flags: ULONG, ) -> NTSTATUS; fn RtlDestroyEnvironment( Environment: PVOID, ) -> NTSTATUS; fn RtlSetCurrentEnvironment( Environment: PVOID, PreviousEnvironment: *mut PVOID, ) -> NTSTATUS; fn RtlSetEnvironmentVar( Environment: *mut PWSTR, Name: PWSTR, NameLength: SIZE_T, Value: PWSTR, ValueLength: SIZE_T, ) -> NTSTATUS; fn RtlSetEnvironmentVariable( Environment: *mut PVOID, Name: PUNICODE_STRING, Value: PUNICODE_STRING, ) -> NTSTATUS; fn RtlQueryEnvironmentVariable( Environment: PVOID, Name: PWSTR, NameLength: SIZE_T, Value: PWSTR, ValueLength: SIZE_T, ReturnLength: PSIZE_T, ) -> NTSTATUS; fn RtlQueryEnvironmentVariable_U( Environment: PVOID, Name: PUNICODE_STRING, Value: PUNICODE_STRING, ) -> NTSTATUS; fn RtlExpandEnvironmentStrings( Environment: PVOID, Src: PWSTR, SrcLength: SIZE_T, Dst: PWSTR, DstLength: SIZE_T, ReturnLength: PSIZE_T, ) -> NTSTATUS; fn RtlExpandEnvironmentStrings_U( Environment: PVOID, Source: PUNICODE_STRING, Destination: PUNICODE_STRING, ReturnedLength: PULONG, ) -> NTSTATUS; fn RtlSetEnvironmentStrings( NewEnvironment: PWCHAR, NewEnvironmentSize: SIZE_T, ) -> NTSTATUS; }} STRUCT!{struct RTLP_CURDIR_REF { ReferenceCount: LONG, DirectoryHandle: HANDLE, }} pub type PRTLP_CURDIR_REF = *mut RTLP_CURDIR_REF; STRUCT!{struct RTL_RELATIVE_NAME_U { RelativeName: UNICODE_STRING, ContainingDirectory: HANDLE, CurDirRef: PRTLP_CURDIR_REF, }} pub type PRTL_RELATIVE_NAME_U = *mut RTL_RELATIVE_NAME_U; ENUM!{enum RTL_PATH_TYPE { RtlPathTypeUnknown = 0, RtlPathTypeUncAbsolute = 1, RtlPathTypeDriveAbsolute = 2, RtlPathTypeDriveRelative = 3, RtlPathTypeRooted = 4, RtlPathTypeRelative = 5, RtlPathTypeLocalDevice = 6, RtlPathTypeRootLocalDevice = 7, }} EXTERN!{extern "C" { static mut RtlDosPathSeperatorsString: UNICODE_STRING; static mut RtlAlternateDosPathSeperatorString: UNICODE_STRING; static mut RtlNtPathSeperatorString: UNICODE_STRING; }} /// "ntdll.dll" pub const RtlNtdllName: UTF16Const = UTF16Const(&[ 0x006E, 0x0074, 0x0064, 0x006C, 0x006C, 0x002E, 0x0064, 0x006C, 0x006C, 0u16, ]); EXTERN!{extern "system" { fn RtlDetermineDosPathNameType_U( DosFileName: PWSTR, ) -> RTL_PATH_TYPE; fn RtlDetermineDosPathNameType_Ustr( DosFileName: PCUNICODE_STRING, ) -> RTL_PATH_TYPE; fn RtlIsDosDeviceName_U( DosFileName: PWSTR, ) -> ULONG; fn RtlIsDosDeviceName_Ustr( DosFileName: PUNICODE_STRING, ) -> ULONG; fn RtlGetFullPathName_U( FileName: PWSTR, BufferLength: ULONG, Buffer: PWSTR, FilePart: *mut PWSTR, ) -> ULONG; fn RtlGetFullPathName_UEx( FileName: PWSTR, BufferLength: ULONG, Buffer: PWSTR, FilePart: *mut PWSTR, BytesRequired: *mut ULONG, ) -> NTSTATUS; fn RtlGetFullPathName_UstrEx( FileName: PUNICODE_STRING, StaticString: PUNICODE_STRING, DynamicString: PUNICODE_STRING, StringUsed: *mut PUNICODE_STRING, FilePartPrefixCch: *mut SIZE_T, NameInvalid: PBOOLEAN, InputPathType: *mut RTL_PATH_TYPE, BytesRequired: *mut SIZE_T, ) -> NTSTATUS; fn RtlGetCurrentDirectory_U( BufferLength: ULONG, Buffer: PWSTR, ) -> ULONG; fn RtlSetCurrentDirectory_U( PathName: PUNICODE_STRING, ) -> NTSTATUS; fn RtlGetLongestNtPathLength() -> ULONG; fn RtlDosPathNameToNtPathName_U( DosFileName: PWSTR, NtFileName: PUNICODE_STRING, FilePart: *mut PWSTR, RelativeName: PRTL_RELATIVE_NAME_U, ) -> BOOLEAN; fn RtlDosPathNameToNtPathName_U_WithStatus( DosFileName: PWSTR, NtFileName: PUNICODE_STRING, FilePart: *mut PWSTR, RelativeName: PRTL_RELATIVE_NAME_U, ) -> NTSTATUS; fn RtlDosLongPathNameToNtPathName_U_WithStatus( DosFileName: PWSTR, NtFileName: PUNICODE_STRING, FilePart: *mut PWSTR, RelativeName: PRTL_RELATIVE_NAME_U, ) -> NTSTATUS; fn RtlDosPathNameToRelativeNtPathName_U( DosFileName: PWSTR, NtFileName: PUNICODE_STRING, FilePart: *mut PWSTR, RelativeName: PRTL_RELATIVE_NAME_U, ) -> BOOLEAN; fn RtlDosPathNameToRelativeNtPathName_U_WithStatus( DosFileName: PWSTR, NtFileName: PUNICODE_STRING, FilePart: *mut PWSTR, RelativeName: PRTL_RELATIVE_NAME_U, ) -> NTSTATUS; fn RtlDosLongPathNameToRelativeNtPathName_U_WithStatus( DosFileName: PWSTR, NtFileName: PUNICODE_STRING, FilePart: *mut PWSTR, RelativeName: PRTL_RELATIVE_NAME_U, ) -> NTSTATUS; fn RtlReleaseRelativeName( RelativeName: PRTL_RELATIVE_NAME_U, ); fn RtlDosSearchPath_U( Path: PWSTR, FileName: PWSTR, Extension: PWSTR, BufferLength: ULONG, Buffer: PWSTR, FilePart: *mut PWSTR, ) -> ULONG; }} pub const RTL_DOS_SEARCH_PATH_FLAG_APPLY_ISOLATION_REDIRECTION: ULONG = 0x00000001; pub const RTL_DOS_SEARCH_PATH_FLAG_DISALLOW_DOT_RELATIVE_PATH_SEARCH: ULONG = 0x00000002; pub const RTL_DOS_SEARCH_PATH_FLAG_APPLY_DEFAULT_EXTENSION_WHEN_NOT_RELATIVE_PATH_EVEN_IF_FILE_HAS_EXTENSION: ULONG = 0x00000004; EXTERN!{extern "system" { fn RtlDosSearchPath_Ustr( Flags: ULONG, Path: PUNICODE_STRING, FileName: PUNICODE_STRING, DefaultExtension: PUNICODE_STRING, StaticString: PUNICODE_STRING, DynamicString: PUNICODE_STRING, FullFileNameOut: *mut PCUNICODE_STRING, FilePartPrefixCch: *mut SIZE_T, BytesRequired: *mut SIZE_T, ) -> NTSTATUS; fn RtlDoesFileExists_U( FileName: PWSTR, ) -> BOOLEAN; fn RtlGetLengthWithoutLastFullDosOrNtPathElement( Flags: ULONG, PathString: PUNICODE_STRING, Length: PULONG, ) -> NTSTATUS; fn RtlGetLengthWithoutTrailingPathSeperators( Flags: ULONG, PathString: PUNICODE_STRING, Length: PULONG, ) -> NTSTATUS; }} STRUCT!{struct GENERATE_NAME_CONTEXT { Checksum: USHORT, CheckSumInserted: BOOLEAN, NameLength: UCHAR, NameBuffer: [WCHAR; 8], ExtensionLength: ULONG, ExtensionBuffer: [WCHAR; 4], LastIndexValue: ULONG, }} pub type PGENERATE_NAME_CONTEXT = *mut GENERATE_NAME_CONTEXT; EXTERN!{extern "system" { fn RtlGenerate8dot3Name( Name: PCUNICODE_STRING, AllowExtendedCharacters: BOOLEAN, Context: PGENERATE_NAME_CONTEXT, Name8dot3: PUNICODE_STRING, ) -> NTSTATUS; fn RtlComputePrivatizedDllName_U( DllName: PUNICODE_STRING, RealName: PUNICODE_STRING, LocalName: PUNICODE_STRING, ) -> NTSTATUS; fn RtlGetSearchPath( SearchPathA: *mut PWSTR, ) -> BOOLEAN; fn RtlSetSearchPathMode( Flags: ULONG, ) -> NTSTATUS; fn RtlGetExePath() -> PWSTR; fn RtlGetNtSystemRoot() -> PWSTR; fn RtlAreLongPathsEnabled() -> BOOLEAN; fn RtlIsThreadWithinLoaderCallout() -> BOOLEAN; fn RtlDllShutdownInProgress() -> BOOLEAN; }} STRUCT!{struct RTL_HEAP_ENTRY_u_s1 { Settable: SIZE_T, Tag: ULONG, }} STRUCT!{struct RTL_HEAP_ENTRY_u_s2 { CommittedSize: SIZE_T, FirstBlock: PVOID, }} UNION!{union RTL_HEAP_ENTRY_u { s1: RTL_HEAP_ENTRY_u_s1, s2: RTL_HEAP_ENTRY_u_s2, }} STRUCT!{struct RTL_HEAP_ENTRY { Size: SIZE_T, Flags: USHORT, AllocatorBackTraceIndex: USHORT, u: RTL_HEAP_ENTRY_u, }} pub type PRTL_HEAP_ENTRY = *mut RTL_HEAP_ENTRY; pub const RTL_HEAP_BUSY: USHORT = 0x0001; pub const RTL_HEAP_SEGMENT: USHORT = 0x0002; pub const RTL_HEAP_SETTABLE_VALUE: USHORT = 0x0010; pub const RTL_HEAP_SETTABLE_FLAG1: USHORT = 0x0020; pub const RTL_HEAP_SETTABLE_FLAG2: USHORT = 0x0040; pub const RTL_HEAP_SETTABLE_FLAG3: USHORT = 0x0080; pub const RTL_HEAP_SETTABLE_FLAGS: USHORT = 0x00e0; pub const RTL_HEAP_UNCOMMITTED_RANGE: USHORT = 0x0100; pub const RTL_HEAP_PROTECTED_ENTRY: USHORT = 0x0200; STRUCT!{struct RTL_HEAP_TAG { NumberOfAllocations: ULONG, NumberOfFrees: ULONG, BytesAllocated: SIZE_T, TagIndex: USHORT, CreatorBackTraceIndex: USHORT, TagName: [WCHAR; 24], }} pub type PRTL_HEAP_TAG = *mut RTL_HEAP_TAG; STRUCT!{struct RTL_HEAP_INFORMATION { BaseAddress: PVOID, Flags: ULONG, EntryOverhead: USHORT, CreatorBackTraceIndex: USHORT, BytesAllocated: SIZE_T, BytesCommitted: SIZE_T, NumberOfTags: ULONG, NumberOfEntries: ULONG, NumberOfPseudoTags: ULONG, PseudoTagGranularity: ULONG, Reserved: [ULONG; 5], Tags: PRTL_HEAP_TAG, Entries: PRTL_HEAP_ENTRY, }} pub type PRTL_HEAP_INFORMATION = *mut RTL_HEAP_INFORMATION; STRUCT!{struct RTL_PROCESS_HEAPS { NumberOfHeaps: ULONG, Heaps: [RTL_HEAP_INFORMATION; 1], }} pub type PRTL_PROCESS_HEAPS = *mut RTL_PROCESS_HEAPS; FN!{stdcall PRTL_HEAP_COMMIT_ROUTINE( Base: PVOID, CommitAddress: *mut PVOID, CommitSize: PSIZE_T, ) -> NTSTATUS} STRUCT!{struct RTL_HEAP_PARAMETERS { Length: ULONG, SegmentReserve: SIZE_T, SegmentCommit: SIZE_T, DeCommitFreeBlockThreshold: SIZE_T, DeCommitTotalFreeThreshold: SIZE_T, MaximumAllocationSize: SIZE_T, VirtualMemoryThreshold: SIZE_T, InitialCommit: SIZE_T, InitialReserve: SIZE_T, CommitRoutine: PRTL_HEAP_COMMIT_ROUTINE, Reserved: [SIZE_T; 2], }} pub type PRTL_HEAP_PARAMETERS = *mut RTL_HEAP_PARAMETERS; pub const HEAP_SETTABLE_USER_VALUE: ULONG = 0x00000100; pub const HEAP_SETTABLE_USER_FLAG1: ULONG = 0x00000200; pub const HEAP_SETTABLE_USER_FLAG2: ULONG = 0x00000400; pub const HEAP_SETTABLE_USER_FLAG3: ULONG = 0x00000800; pub const HEAP_SETTABLE_USER_FLAGS: ULONG = 0x00000e00; pub const HEAP_CLASS_0: ULONG = 0x00000000; pub const HEAP_CLASS_1: ULONG = 0x00001000; pub const HEAP_CLASS_2: ULONG = 0x00002000; pub const HEAP_CLASS_3: ULONG = 0x00003000; pub const HEAP_CLASS_4: ULONG = 0x00004000; pub const HEAP_CLASS_5: ULONG = 0x00005000; pub const HEAP_CLASS_6: ULONG = 0x00006000; pub const HEAP_CLASS_7: ULONG = 0x00007000; pub const HEAP_CLASS_8: ULONG = 0x00008000; pub const HEAP_CLASS_MASK: ULONG = 0x0000f000; EXTERN!{extern "system" { fn RtlCreateHeap( Flags: ULONG, HeapBase: PVOID, ReserveSize: SIZE_T, CommitSize: SIZE_T, Lock: PVOID, Parameters: PRTL_HEAP_PARAMETERS, ) -> PVOID; fn RtlDestroyHeap( HeapHandle: PVOID, ) -> PVOID; fn RtlAllocateHeap( HeapHandle: PVOID, Flags: ULONG, Size: SIZE_T, ) -> PVOID; fn RtlFreeHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, ) -> BOOLEAN; fn RtlSizeHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, ) -> SIZE_T; fn RtlZeroHeap( HeapHandle: PVOID, Flags: ULONG, ) -> NTSTATUS; fn RtlProtectHeap( HeapHandle: PVOID, MakeReadOnly: BOOLEAN, ); }} #[inline] #[cfg(not(target_arch = "aarch64"))] pub unsafe fn RtlProcessHeap() -> PVOID { use crate::ntpsapi::NtCurrentPeb; (*NtCurrentPeb()).ProcessHeap } EXTERN!{extern "system" { fn RtlLockHeap( HeapHandle: PVOID, ) -> BOOLEAN; fn RtlUnlockHeap( HeapHandle: PVOID, ) -> BOOLEAN; fn RtlReAllocateHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, Size: SIZE_T, ) -> PVOID; fn RtlGetUserInfoHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, UserValue: *mut PVOID, UserFlags: PULONG, ) -> BOOLEAN; fn RtlSetUserValueHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, UserValue: PVOID, ) -> BOOLEAN; fn RtlSetUserFlagsHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, UserFlagsReset: ULONG, UserFlagsSet: ULONG, ) -> BOOLEAN; }} STRUCT!{struct RTL_HEAP_TAG_INFO { NumberOfAllocations: ULONG, NumberOfFrees: ULONG, BytesAllocated: SIZE_T, }} pub type PRTL_HEAP_TAG_INFO = *mut RTL_HEAP_TAG_INFO; EXTERN!{extern "system" { fn RtlCreateTagHeap( HeapHandle: PVOID, Flags: ULONG, TagPrefix: PWSTR, TagNames: PWSTR, ) -> ULONG; fn RtlQueryTagHeap( HeapHandle: PVOID, Flags: ULONG, TagIndex: USHORT, ResetCounters: BOOLEAN, TagInfo: PRTL_HEAP_TAG_INFO, ) -> PWSTR; fn RtlExtendHeap( HeapHandle: PVOID, Flags: ULONG, Base: PVOID, Size: SIZE_T, ) -> NTSTATUS; fn RtlCompactHeap( HeapHandle: PVOID, Flags: ULONG, ) -> SIZE_T; fn RtlValidateHeap( HeapHandle: PVOID, Flags: ULONG, BaseAddress: PVOID, ) -> BOOLEAN; fn RtlValidateProcessHeaps() -> BOOLEAN; fn RtlGetProcessHeaps( NumberOfHeaps: ULONG, ProcessHeaps: *mut PVOID, ) -> ULONG; }} FN!{stdcall PRTL_ENUM_HEAPS_ROUTINE( HeapHandle: PVOID, Parameter: PVOID, ) -> NTSTATUS} EXTERN!{extern "system" { fn RtlEnumProcessHeaps( EnumRoutine: PRTL_ENUM_HEAPS_ROUTINE, Parameter: PVOID, ) -> NTSTATUS; }} STRUCT!{struct RTL_HEAP_USAGE_ENTRY { Next: *mut RTL_HEAP_USAGE_ENTRY, Address: PVOID, Size: SIZE_T, AllocatorBackTraceIndex: USHORT, TagIndex: USHORT, }} pub type PRTL_HEAP_USAGE_ENTRY = *mut RTL_HEAP_USAGE_ENTRY; STRUCT!{struct RTL_HEAP_USAGE { Length: ULONG, BytesAllocated: SIZE_T, BytesCommitted: SIZE_T, BytesReserved: SIZE_T, BytesReservedMaximum: SIZE_T, Entries: PRTL_HEAP_USAGE_ENTRY, AddedEntries: PRTL_HEAP_USAGE_ENTRY, RemovedEntries: PRTL_HEAP_USAGE_ENTRY, Reserved: [ULONG_PTR; 8], }} pub type PRTL_HEAP_USAGE = *mut RTL_HEAP_USAGE; pub const HEAP_USAGE_ALLOCATED_BLOCKS: ULONG = HEAP_REALLOC_IN_PLACE_ONLY; pub const HEAP_USAGE_FREE_BUFFER: ULONG = HEAP_ZERO_MEMORY; EXTERN!{extern "system" { fn RtlUsageHeap( HeapHandle: PVOID, Flags: ULONG, Usage: PRTL_HEAP_USAGE, ) -> NTSTATUS; }} STRUCT!{struct RTL_HEAP_WALK_ENTRY_u_Block { Settable: SIZE_T, TagIndex: USHORT, AllocatorBackTraceIndex: USHORT, Reserved: [ULONG; 2], }} STRUCT!{struct RTL_HEAP_WALK_ENTRY_u_Segment { CommittedSize: ULONG, UnCommittedSize: ULONG, FirstEntry: PVOID, LastEntry: PVOID, }} UNION!{union RTL_HEAP_WALK_ENTRY_u { Block: RTL_HEAP_WALK_ENTRY_u_Block, Segment: RTL_HEAP_WALK_ENTRY_u_Segment, }} STRUCT!{struct RTL_HEAP_WALK_ENTRY { DataAddress: PVOID, DataSize: SIZE_T, OverheadBytes: UCHAR, SegmentIndex: UCHAR, Flags: USHORT, u: RTL_HEAP_WALK_ENTRY_u, }} pub type PRTL_HEAP_WALK_ENTRY = *mut RTL_HEAP_WALK_ENTRY; EXTERN!{extern "system" { fn RtlWalkHeap( HeapHandle: PVOID, Entry: PRTL_HEAP_WALK_ENTRY, ) -> NTSTATUS; }} pub const HeapDetailedFailureInformation: u32 = 0x80000001; pub const HeapSetDebuggingInformation: u32 = 0x80000002; ENUM!{enum HEAP_COMPATIBILITY_MODE { HEAP_COMPATIBILITY_STANDARD = 0, HEAP_COMPATIBILITY_LAL = 1, HEAP_COMPATIBILITY_LFH = 2, }} STRUCT!{struct PROCESS_HEAP_INFORMATION { ReserveSize: ULONG_PTR, CommitSize: ULONG_PTR, NumberOfHeaps: ULONG, FirstHeapInformationOffset: ULONG_PTR, }} pub type PPROCESS_HEAP_INFORMATION = *mut PROCESS_HEAP_INFORMATION; STRUCT!{struct HEAP_INFORMATION { Address: ULONG_PTR, Mode: ULONG, ReserveSize: ULONG_PTR, CommitSize: ULONG_PTR, FirstRegionInformationOffset: ULONG_PTR, NextHeapInformationOffset: ULONG_PTR, }} pub type PHEAP_INFORMATION = *mut HEAP_INFORMATION; UNION!{union HEAP_EXTENDED_INFORMATION_u { ProcessHeapInformation: PROCESS_HEAP_INFORMATION, HeapInformation: HEAP_INFORMATION, }} STRUCT!{struct HEAP_EXTENDED_INFORMATION { Process: HANDLE, Heap: ULONG_PTR, Level: ULONG, CallbackRoutine: PVOID, CallbackContext: PVOID, u: HEAP_EXTENDED_INFORMATION_u, }} pub type PHEAP_EXTENDED_INFORMATION = *mut HEAP_EXTENDED_INFORMATION; FN!{stdcall PRTL_HEAP_LEAK_ENUMERATION_ROUTINE( Reserved: LONG, HeapHandle: PVOID, BaseAddress: PVOID, BlockSize: SIZE_T, StackTraceDepth: ULONG, StackTrace: *mut PVOID, ) -> NTSTATUS} STRUCT!{struct HEAP_DEBUGGING_INFORMATION { InterceptorFunction: PVOID, InterceptorValue: USHORT, ExtendedOptions: ULONG, StackTraceDepth: ULONG, MinTotalBlockSize: SIZE_T, MaxTotalBlockSize: SIZE_T, HeapLeakEnumerationRoutine: PRTL_HEAP_LEAK_ENUMERATION_ROUTINE, }} pub type PHEAP_DEBUGGING_INFORMATION = *mut HEAP_DEBUGGING_INFORMATION; EXTERN!{extern "system" { fn RtlQueryHeapInformation( HeapHandle: PVOID, HeapInformationClass: HEAP_INFORMATION_CLASS, HeapInformation: PVOID, HeapInformationLength: SIZE_T, ReturnLength: PSIZE_T, ) -> NTSTATUS; fn RtlSetHeapInformation( HeapHandle: PVOID, HeapInformationClass: HEAP_INFORMATION_CLASS, HeapInformation: PVOID, HeapInformationLength: SIZE_T, ) -> NTSTATUS; fn RtlMultipleAllocateHeap( HeapHandle: PVOID, Flags: ULONG, Size: SIZE_T, Count: ULONG, Array: *mut PVOID, ) -> ULONG; fn RtlMultipleFreeHeap( HeapHandle: PVOID, Flags: ULONG, Count: ULONG, Array: *mut PVOID, ) -> ULONG; fn RtlDetectHeapLeaks(); fn RtlFlushHeaps(); }} STRUCT!{struct RTL_MEMORY_ZONE_SEGMENT { NextSegment: *mut RTL_MEMORY_ZONE_SEGMENT, Size: SIZE_T, Next: PVOID, Limit: PVOID, }} pub type PRTL_MEMORY_ZONE_SEGMENT = *mut RTL_MEMORY_ZONE_SEGMENT; STRUCT!{struct RTL_MEMORY_ZONE { Segment: RTL_MEMORY_ZONE_SEGMENT, Lock: RTL_SRWLOCK, LockCount: ULONG, FirstSegment: PRTL_MEMORY_ZONE_SEGMENT, }} pub type PRTL_MEMORY_ZONE = *mut RTL_MEMORY_ZONE; EXTERN!{extern "system" { fn RtlCreateMemoryZone( MemoryZone: *mut PVOID, InitialSize: SIZE_T, Flags: ULONG, ) -> NTSTATUS; fn RtlDestroyMemoryZone( MemoryZone: PVOID, ) -> NTSTATUS; fn RtlAllocateMemoryZone( MemoryZone: PVOID, BlockSize: SIZE_T, Block: *mut PVOID, ) -> NTSTATUS; fn RtlResetMemoryZone( MemoryZone: PVOID, ) -> NTSTATUS; fn RtlLockMemoryZone( MemoryZone: PVOID, ) -> NTSTATUS; fn RtlUnlockMemoryZone( MemoryZone: PVOID, ) -> NTSTATUS; fn RtlCreateMemoryBlockLookaside( MemoryBlockLookaside: *mut PVOID, Flags: ULONG, InitialSize: ULONG, MinimumBlockSize: ULONG, MaximumBlockSize: ULONG, ) -> NTSTATUS; fn RtlDestroyMemoryBlockLookaside( MemoryBlockLookaside: PVOID, ) -> NTSTATUS; fn RtlAllocateMemoryBlockLookaside( MemoryBlockLookaside: PVOID, BlockSize: ULONG, Block: *mut PVOID, ) -> NTSTATUS; fn RtlFreeMemoryBlockLookaside( MemoryBlockLookaside: PVOID, Block: PVOID, ) -> NTSTATUS; fn RtlExtendMemoryBlockLookaside( MemoryBlockLookaside: PVOID, Increment: ULONG, ) -> NTSTATUS; fn RtlResetMemoryBlockLookaside( MemoryBlockLookaside: PVOID, ) -> NTSTATUS; fn RtlLockMemoryBlockLookaside( MemoryBlockLookaside: PVOID, ) -> NTSTATUS; fn RtlUnlockMemoryBlockLookaside( MemoryBlockLookaside: PVOID, ) -> NTSTATUS; fn RtlGetCurrentTransaction() -> HANDLE; fn RtlSetCurrentTransaction( TransactionHandle: HANDLE, ) -> LOGICAL; }} #[inline] pub const fn RtlIsEqualLuid(L1: &LUID, L2: &LUID) -> bool { (L1.LowPart == L2.LowPart) && (L1.HighPart == L2.HighPart) } #[inline] pub const fn RtlIsZeroLuid(L1: &LUID) -> bool { (L1.LowPart | L1.HighPart as u32) == 0 } #[inline] pub const fn RtlConvertLongToLuid(Long: LONG) -> LUID { LUID { LowPart: Long as u32, HighPart: ((Long as i64) >> 32) as i32 } } #[inline] pub const fn RtlConvertUlongToLuid(Ulong: ULONG) -> LUID { LUID { LowPart: Ulong, HighPart: 0 } } EXTERN!{extern "system" { fn RtlCopyLuid( DestinationLuid: PLUID, SourceLuid: PLUID, ); fn RtlCopyLuidAndAttributesArray( Count: ULONG, Src: PLUID_AND_ATTRIBUTES, Dest: PLUID_AND_ATTRIBUTES, ); }} STRUCT!{struct RTL_PROCESS_VERIFIER_OPTIONS { SizeStruct: ULONG, Option: ULONG, OptionData: [UCHAR; 1], }} pub type PRTL_PROCESS_VERIFIER_OPTIONS = *mut RTL_PROCESS_VERIFIER_OPTIONS; UNION!{union RTL_DEBUG_INFORMATION_u { Modules: *mut RTL_PROCESS_MODULES, ModulesEx: *mut RTL_PROCESS_MODULE_INFORMATION_EX, }} STRUCT!{struct RTL_DEBUG_INFORMATION { SectionHandleClient: HANDLE, ViewBaseClient: PVOID, ViewBaseTarget: PVOID, ViewBaseDelta: ULONG_PTR, EventPairClient: HANDLE, EventPairTarget: HANDLE, TargetProcessId: HANDLE, TargetThreadHandle: HANDLE, Flags: ULONG, OffsetFree: SIZE_T, CommitSize: SIZE_T, ViewSize: SIZE_T, u: RTL_DEBUG_INFORMATION_u, BackTraces: *mut RTL_PROCESS_BACKTRACES, Heaps: *mut RTL_PROCESS_HEAPS, Locks: *mut RTL_PROCESS_LOCKS, SpecificHeap: PVOID, TargetProcessHandle: HANDLE, VerifierOptions: PRTL_PROCESS_VERIFIER_OPTIONS, ProcessHeap: PVOID, CriticalSectionHandle: HANDLE, CriticalSectionOwnerThread: HANDLE, Reserved: [PVOID; 4], }} pub type PRTL_DEBUG_INFORMATION = *mut RTL_DEBUG_INFORMATION; EXTERN!{extern "system" { fn RtlCreateQueryDebugBuffer( MaximumCommit: ULONG, UseEventPair: BOOLEAN, ) -> PRTL_DEBUG_INFORMATION; fn RtlDestroyQueryDebugBuffer( Buffer: PRTL_DEBUG_INFORMATION, ) -> NTSTATUS; fn RtlCommitDebugInfo( Buffer: PRTL_DEBUG_INFORMATION, Size: SIZE_T, ) -> PVOID; fn RtlDeCommitDebugInfo( Buffer: PRTL_DEBUG_INFORMATION, p: PVOID, Size: SIZE_T, ); }} pub const RTL_QUERY_PROCESS_MODULES: ULONG = 0x00000001; pub const RTL_QUERY_PROCESS_BACKTRACES: ULONG = 0x00000002; pub const RTL_QUERY_PROCESS_HEAP_SUMMARY: ULONG = 0x00000004; pub const RTL_QUERY_PROCESS_HEAP_TAGS: ULONG = 0x00000008; pub const RTL_QUERY_PROCESS_HEAP_ENTRIES: ULONG = 0x00000010; pub const RTL_QUERY_PROCESS_LOCKS: ULONG = 0x00000020; pub const RTL_QUERY_PROCESS_MODULES32: ULONG = 0x00000040; pub const RTL_QUERY_PROCESS_VERIFIER_OPTIONS: ULONG = 0x00000080; pub const RTL_QUERY_PROCESS_MODULESEX: ULONG = 0x00000100; pub const RTL_QUERY_PROCESS_HEAP_ENTRIES_EX: ULONG = 0x00000200; pub const RTL_QUERY_PROCESS_CS_OWNER: ULONG = 0x00000400; pub const RTL_QUERY_PROCESS_NONINVASIVE: ULONG = 0x80000000; EXTERN!{extern "system" { fn RtlQueryProcessDebugInformation( UniqueProcessId: HANDLE, Flags: ULONG, Buffer: PRTL_DEBUG_INFORMATION, ) -> NTSTATUS; fn RtlFindMessage( DllHandle: PVOID, MessageTableId: ULONG, MessageLanguageId: ULONG, MessageId: ULONG, MessageEntry: *mut PMESSAGE_RESOURCE_ENTRY, ) -> NTSTATUS; fn RtlFormatMessage( MessageFormat: PWSTR, MaximumWidth: ULONG, IgnoreInserts: BOOLEAN, ArgumentsAreAnsi: BOOLEAN, ArgumentsAreAnArray: BOOLEAN, Arguments: *mut va_list, Buffer: PWSTR, Length: ULONG, ReturnLength: PULONG, ) -> NTSTATUS; }} STRUCT!{struct PARSE_MESSAGE_CONTEXT { fFlags: ULONG, cwSavColumn: ULONG, iwSrc: SIZE_T, iwDst: SIZE_T, iwDstSpace: SIZE_T, lpvArgStart: va_list, }} pub type PPARSE_MESSAGE_CONTEXT = *mut PARSE_MESSAGE_CONTEXT; #[inline] pub fn INIT_PARSE_MESSAGE_CONTEXT(ctx: &mut PARSE_MESSAGE_CONTEXT) { ctx.fFlags = 0; } #[inline] pub fn TEST_PARSE_MESSAGE_CONTEXT_FLAG(ctx: &mut PARSE_MESSAGE_CONTEXT, flag: ULONG) -> ULONG { ctx.fFlags & flag } #[inline] pub fn SET_PARSE_MESSAGE_CONTEXT_FLAG(ctx: &mut PARSE_MESSAGE_CONTEXT, flag: ULONG) -> ULONG { ctx.fFlags |= flag; ctx.fFlags } #[inline] pub fn CLEAR_PARSE_MESSAGE_CONTEXT_FLAG(ctx: &mut PARSE_MESSAGE_CONTEXT, flag: ULONG) -> ULONG { ctx.fFlags &= !flag; ctx.fFlags } EXTERN!{extern "system" { fn RtlFormatMessageEx( MessageFormat: PWSTR, MaximumWidth: ULONG, IgnoreInserts: BOOLEAN, ArgumentsAreAnsi: BOOLEAN, ArgumentsAreAnArray: BOOLEAN, Arguments: *mut va_list, Buffer: PWSTR, Length: ULONG, ReturnLength: PULONG, ParseContext: PPARSE_MESSAGE_CONTEXT, ) -> NTSTATUS; fn RtlNtStatusToDosError( Status: NTSTATUS, ) -> ULONG; fn RtlNtStatusToDosErrorNoTeb( Status: NTSTATUS, ) -> ULONG; fn RtlGetLastNtStatus() -> NTSTATUS; fn RtlGetLastWin32Error() -> LONG; fn RtlSetLastWin32ErrorAndNtStatusFromNtStatus( Status: NTSTATUS, ); fn RtlSetLastWin32Error( Win32Error: LONG, ); fn RtlRestoreLastWin32Error( Win32Error: LONG, ); }} pub const RTL_ERRORMODE_FAILCRITICALERRORS: ULONG = 0x0010; pub const RTL_ERRORMODE_NOGPFAULTERRORBOX: ULONG = 0x0020; pub const RTL_ERRORMODE_NOOPENFILEERRORBOX: ULONG = 0x0040; EXTERN!{extern "system" { fn RtlGetThreadErrorMode() -> ULONG; fn RtlSetThreadErrorMode( NewMode: ULONG, OldMode: PULONG, ) -> NTSTATUS; fn RtlReportException( ExceptionRecord: PEXCEPTION_RECORD, ContextRecord: PCONTEXT, Flags: ULONG, ) -> NTSTATUS; fn RtlReportExceptionEx( ExceptionRecord: PEXCEPTION_RECORD, ContextRecord: PCONTEXT, Flags: ULONG, Timeout: PLARGE_INTEGER, ) -> NTSTATUS; fn RtlWerpReportException( ProcessId: ULONG, CrashReportSharedMem: HANDLE, Flags: ULONG, CrashVerticalProcessHandle: PHANDLE, ) -> NTSTATUS; fn RtlReportSilentProcessExit( ProcessHandle: HANDLE, ExitStatus: NTSTATUS, ) -> NTSTATUS; fn RtlUniform( Seed: PULONG, ) -> ULONG; fn RtlRandom( Seed: PULONG, ) -> ULONG; fn RtlRandomEx( Seed: PULONG, ) -> ULONG; fn RtlComputeImportTableHash( FileHandle: HANDLE, Hash: PCHAR, ImportTableHashRevision: ULONG, ) -> NTSTATUS; fn RtlIntegerToChar( Value: ULONG, Base: ULONG, OutputLength: LONG, String: PSTR, ) -> NTSTATUS; fn RtlCharToInteger( String: PCSZ, Base: ULONG, Value: PULONG, ) -> NTSTATUS; fn RtlLargeIntegerToChar( Value: PLARGE_INTEGER, Base: ULONG, OutputLength: LONG, String: PSTR, ) -> NTSTATUS; fn RtlIntegerToUnicodeString( Value: ULONG, Base: ULONG, String: PUNICODE_STRING, ) -> NTSTATUS; fn RtlInt64ToUnicodeString( Value: ULONGLONG, Base: ULONG, String: PUNICODE_STRING, ) -> NTSTATUS; fn RtlUnicodeStringToInteger( String: PCUNICODE_STRING, Base: ULONG, Value: PULONG, ) -> NTSTATUS; fn RtlIpv4AddressToStringExW( Address: *const in_addr, Port: USHORT, AddressString: PWSTR, AddressStringLength: PULONG, ) -> NTSTATUS; fn RtlIpv6AddressToStringExW( Address: *const in6_addr, ScopeId: ULONG, Port: USHORT, AddressString: PWSTR, AddressStringLength: PULONG, ) -> NTSTATUS; fn RtlIpv4StringToAddressExW( AddressString: PCWSTR, Strict: BOOLEAN, Address: *mut in_addr, Port: PUSHORT, ) -> NTSTATUS; fn RtlIpv6StringToAddressExW( AddressString: PCWSTR, Address: *mut in6_addr, ScopeId: PULONG, Port: PUSHORT, ) -> NTSTATUS; }} STRUCT!{struct TIME_FIELDS { Year: CSHORT, Month: CSHORT, Day: CSHORT, Hour: CSHORT, Minute: CSHORT, Second: CSHORT, Milliseconds: CSHORT, Weekday: CSHORT, }} pub type PTIME_FIELDS = *mut TIME_FIELDS; EXTERN!{extern "system" { fn RtlCutoverTimeToSystemTime( CutoverTime: PTIME_FIELDS, SystemTime: PLARGE_INTEGER, CurrentSystemTime: PLARGE_INTEGER, ThisYear: BOOLEAN, ) -> BOOLEAN; fn RtlSystemTimeToLocalTime( SystemTime: PLARGE_INTEGER, LocalTime: PLARGE_INTEGER, ) -> NTSTATUS; fn RtlLocalTimeToSystemTime( LocalTime: PLARGE_INTEGER, SystemTime: PLARGE_INTEGER, ) -> NTSTATUS; fn RtlTimeToElapsedTimeFields( Time: PLARGE_INTEGER, TimeFields: PTIME_FIELDS, ); fn RtlTimeToTimeFields( Time: PLARGE_INTEGER, TimeFields: PTIME_FIELDS, ); fn RtlTimeFieldsToTime( TimeFields: PTIME_FIELDS, Time: PLARGE_INTEGER, ) -> BOOLEAN; fn RtlTimeToSecondsSince1980( Time: PLARGE_INTEGER, ElapsedSeconds: PULONG, ) -> BOOLEAN; fn RtlSecondsSince1980ToTime( ElapsedSeconds: ULONG, Time: PLARGE_INTEGER, ); fn RtlTimeToSecondsSince1970( Time: PLARGE_INTEGER, ElapsedSeconds: PULONG, ) -> BOOLEAN; fn RtlSecondsSince1970ToTime( ElapsedSeconds: ULONG, Time: PLARGE_INTEGER, ); }} STRUCT!{struct RTL_TIME_ZONE_INFORMATION { Bias: LONG, StandardName: [WCHAR; 32], StandardStart: TIME_FIELDS, StandardBias: LONG, DaylightName: [WCHAR; 32], DaylightStart: TIME_FIELDS, DaylightBias: LONG, }} pub type PRTL_TIME_ZONE_INFORMATION = *mut RTL_TIME_ZONE_INFORMATION; EXTERN!{extern "system" { fn RtlQueryTimeZoneInformation( TimeZoneInformation: PRTL_TIME_ZONE_INFORMATION, ) -> NTSTATUS; fn RtlSetTimeZoneInformation( TimeZoneInformation: PRTL_TIME_ZONE_INFORMATION, ) -> NTSTATUS; }} STRUCT!{struct RTL_BITMAP { SizeOfBitMap: ULONG, Buffer: PULONG, }} pub type PRTL_BITMAP = *mut RTL_BITMAP; EXTERN!{extern "system" { fn RtlInitializeBitMap( BitMapHeader: PRTL_BITMAP, BitMapBuffer: PULONG, SizeOfBitMap: ULONG, ); fn RtlClearBit( BitMapHeader: PRTL_BITMAP, BitNumber: ULONG, ); fn RtlSetBit( BitMapHeader: PRTL_BITMAP, BitNumber: ULONG, ); fn RtlTestBit( BitMapHeader: PRTL_BITMAP, BitNumber: ULONG, ) -> BOOLEAN; fn RtlClearAllBits( BitMapHeader: PRTL_BITMAP, ); fn RtlSetAllBits( BitMapHeader: PRTL_BITMAP, ); fn RtlFindClearBits( BitMapHeader: PRTL_BITMAP, NumberToFind: ULONG, HintIndex: ULONG, ) -> ULONG; fn RtlFindSetBits( BitMapHeader: PRTL_BITMAP, NumberToFind: ULONG, HintIndex: ULONG, ) -> ULONG; fn RtlFindClearBitsAndSet( BitMapHeader: PRTL_BITMAP, NumberToFind: ULONG, HintIndex: ULONG, ) -> ULONG; fn RtlFindSetBitsAndClear( BitMapHeader: PRTL_BITMAP, NumberToFind: ULONG, HintIndex: ULONG, ) -> ULONG; fn RtlClearBits( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, NumberToClear: ULONG, ); fn RtlSetBits( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, NumberToSet: ULONG, ); fn RtlFindMostSignificantBit( Set: ULONGLONG, ) -> CCHAR; fn RtlFindLeastSignificantBit( Set: ULONGLONG, ) -> CCHAR; }} STRUCT!{struct RTL_BITMAP_RUN { StartingIndex: ULONG, NumberOfBits: ULONG, }} pub type PRTL_BITMAP_RUN = *mut RTL_BITMAP_RUN; EXTERN!{extern "system" { fn RtlFindClearRuns( BitMapHeader: PRTL_BITMAP, RunArray: PRTL_BITMAP_RUN, SizeOfRunArray: ULONG, LocateLongestRuns: BOOLEAN, ) -> ULONG; fn RtlFindLongestRunClear( BitMapHeader: PRTL_BITMAP, StartingIndex: PULONG, ) -> ULONG; fn RtlFindFirstRunClear( BitMapHeader: PRTL_BITMAP, StartingIndex: PULONG, ) -> ULONG; }} #[inline] pub unsafe fn RtlCheckBit(BitMapHeader: &RTL_BITMAP, BitPosition: ULONG) -> u8 { #[cfg(target_arch = "x86_64")] { core::arch::x86_64::_bittest64(BitMapHeader.Buffer as *const i64, BitPosition as i64) } #[cfg(any(target_arch = "x86", target_arch = "aarch64"))] { (*BitMapHeader.Buffer.offset(BitPosition as isize / 32) >> (BitPosition % 32) & 1) as u8 } } EXTERN!{extern "system" { fn RtlNumberOfClearBits( BitMapHeader: PRTL_BITMAP, ) -> ULONG; fn RtlNumberOfSetBits( BitMapHeader: PRTL_BITMAP, ) -> ULONG; fn RtlAreBitsClear( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, Length: ULONG, ) -> BOOLEAN; fn RtlAreBitsSet( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, Length: ULONG, ) -> BOOLEAN; fn RtlFindNextForwardRunClear( BitMapHeader: PRTL_BITMAP, FromIndex: ULONG, StartingRunIndex: PULONG, ) -> ULONG; fn RtlFindLastBackwardRunClear( BitMapHeader: PRTL_BITMAP, FromIndex: ULONG, StartingRunIndex: PULONG, ) -> ULONG; fn RtlNumberOfSetBitsUlongPtr( Target: ULONG_PTR, ) -> ULONG; fn RtlInterlockedClearBitRun( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, NumberToClear: ULONG, ); fn RtlInterlockedSetBitRun( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, NumberToSet: ULONG, ); fn RtlCopyBitMap( Source: PRTL_BITMAP, Destination: PRTL_BITMAP, TargetBit: ULONG, ); fn RtlExtractBitMap( Source: PRTL_BITMAP, Destination: PRTL_BITMAP, TargetBit: ULONG, NumberOfBits: ULONG, ); fn RtlNumberOfClearBitsInRange( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, Length: ULONG, ) -> ULONG; fn RtlNumberOfSetBitsInRange( BitMapHeader: PRTL_BITMAP, StartingIndex: ULONG, Length: ULONG, ) -> ULONG; }} STRUCT!{struct RTL_BITMAP_EX { SizeOfBitMap: ULONG64, Buffer: PULONG64, }} pub type PRTL_BITMAP_EX = *mut RTL_BITMAP_EX; EXTERN!{extern "system" { fn RtlInitializeBitMapEx( BitMapHeader: PRTL_BITMAP_EX, BitMapBuffer: PULONG64, SizeOfBitMap: ULONG64, ); fn RtlTestBitEx( BitMapHeader: PRTL_BITMAP_EX, BitNumber: ULONG64, ) -> BOOLEAN; fn RtlClearAllBitsEx( BitMapHeader: PRTL_BITMAP_EX, ); fn RtlClearBitEx( BitMapHeader: PRTL_BITMAP_EX, BitNumber: ULONG64, ); fn RtlSetBitEx( BitMapHeader: PRTL_BITMAP_EX, BitNumber: ULONG64, ); fn RtlFindSetBitsEx( BitMapHeader: PRTL_BITMAP_EX, NumberToFind: ULONG64, HintIndex: ULONG64, ) -> ULONG64; fn RtlFindSetBitsAndClearEx( BitMapHeader: PRTL_BITMAP_EX, NumberToFind: ULONG64, HintIndex: ULONG64, ) -> ULONG64; }} UNION!{union RTL_HANDLE_TABLE_ENTRY { Flags: ULONG, NextFree: *mut RTL_HANDLE_TABLE_ENTRY, }} pub type PRTL_HANDLE_TABLE_ENTRY = *mut RTL_HANDLE_TABLE_ENTRY; pub const RTL_HANDLE_ALLOCATED: USHORT = 0x0001; STRUCT!{struct RTL_HANDLE_TABLE { MaximumNumberOfHandles: ULONG, SizeOfHandleTableEntry: ULONG, Reserved: [ULONG; 2], FreeHandles: PRTL_HANDLE_TABLE_ENTRY, CommittedHandles: PRTL_HANDLE_TABLE_ENTRY, UnCommittedHandles: PRTL_HANDLE_TABLE_ENTRY, MaxReservedHandles: PRTL_HANDLE_TABLE_ENTRY, }} pub type PRTL_HANDLE_TABLE = *mut RTL_HANDLE_TABLE; EXTERN!{extern "system" { fn RtlInitializeHandleTable( MaximumNumberOfHandles: ULONG, SizeOfHandleTableEntry: ULONG, HandleTable: PRTL_HANDLE_TABLE, ); fn RtlDestroyHandleTable( HandleTable: PRTL_HANDLE_TABLE, ) -> NTSTATUS; fn RtlAllocateHandle( HandleTable: PRTL_HANDLE_TABLE, HandleIndex: PULONG, ) -> PRTL_HANDLE_TABLE_ENTRY; fn RtlFreeHandle( HandleTable: PRTL_HANDLE_TABLE, Handle: PRTL_HANDLE_TABLE_ENTRY, ) -> BOOLEAN; fn RtlIsValidHandle( HandleTable: PRTL_HANDLE_TABLE, Handle: PRTL_HANDLE_TABLE_ENTRY, ) -> BOOLEAN; fn RtlIsValidIndexHandle( HandleTable: PRTL_HANDLE_TABLE, HandleIndex: ULONG, Handle: *mut PRTL_HANDLE_TABLE_ENTRY, ) -> BOOLEAN; }} pub const RTL_ATOM_MAXIMUM_INTEGER_ATOM: RTL_ATOM = 0xc000; pub const RTL_ATOM_INVALID_ATOM: RTL_ATOM = 0x0000; pub const RTL_ATOM_TABLE_DEFAULT_NUMBER_OF_BUCKETS: u32 = 37; pub const RTL_ATOM_MAXIMUM_NAME_LENGTH: u32 = 255; pub const RTL_ATOM_PINNED: u32 = 0x01; EXTERN!{extern "system" { fn RtlCreateAtomTable( NumberOfBuckets: ULONG, AtomTableHandle: *mut PVOID, ) -> NTSTATUS; fn RtlDestroyAtomTable( AtomTableHandle: PVOID, ) -> NTSTATUS; fn RtlEmptyAtomTable( AtomTableHandle: PVOID, IncludePinnedAtoms: BOOLEAN, ) -> NTSTATUS; fn RtlAddAtomToAtomTable( AtomTableHandle: PVOID, AtomName: PWSTR, Atom: PRTL_ATOM, ) -> NTSTATUS; fn RtlLookupAtomInAtomTable( AtomTableHandle: PVOID, AtomName: PWSTR, Atom: PRTL_ATOM, ) -> NTSTATUS; fn RtlDeleteAtomFromAtomTable( AtomTableHandle: PVOID, Atom: RTL_ATOM, ) -> NTSTATUS; fn RtlPinAtomInAtomTable( AtomTableHandle: PVOID, Atom: RTL_ATOM, ) -> NTSTATUS; fn RtlQueryAtomInAtomTable( AtomTableHandle: PVOID, Atom: RTL_ATOM, AtomUsage: PULONG, AtomFlags: PULONG, AtomName: PWSTR, AtomNameLength: PULONG, ) -> NTSTATUS; fn RtlGetIntegerAtom( AtomName: PWSTR, IntegerAtom: PUSHORT, ) -> BOOLEAN; fn RtlValidSid( Sid: PSID, ) -> BOOLEAN; fn RtlEqualSid( Sid1: PSID, Sid2: PSID, ) -> BOOLEAN; fn RtlEqualPrefixSid( Sid1: PSID, Sid2: PSID, ) -> BOOLEAN; fn RtlLengthRequiredSid( SubAuthorityCount: ULONG, ) -> ULONG; fn RtlFreeSid( Sid: PSID, ) -> PVOID; fn RtlAllocateAndInitializeSid( IdentifierAuthority: PSID_IDENTIFIER_AUTHORITY, SubAuthorityCount: UCHAR, SubAuthority0: ULONG, SubAuthority1: ULONG, SubAuthority2: ULONG, SubAuthority3: ULONG, SubAuthority4: ULONG, SubAuthority5: ULONG, SubAuthority6: ULONG, SubAuthority7: ULONG, Sid: *mut PSID, ) -> NTSTATUS; fn RtlInitializeSid( Sid: PSID, IdentifierAuthority: PSID_IDENTIFIER_AUTHORITY, SubAuthorityCount: UCHAR, ) -> NTSTATUS; }} EXTERN!{extern "C" { fn RtlInitializeSidEx( Sid: PSID, IdentifierAuthority: PSID_IDENTIFIER_AUTHORITY, SubAuthorityCount: UCHAR, ... ) -> NTSTATUS; }} EXTERN!{extern "system" { fn RtlIdentifierAuthoritySid( Sid: PSID, ) -> PSID_IDENTIFIER_AUTHORITY; fn RtlSubAuthoritySid( Sid: PSID, SubAuthority: ULONG, ) -> PULONG; fn RtlSubAuthorityCountSid( Sid: PSID, ) -> PUCHAR; fn RtlLengthSid( Sid: PSID, ) -> ULONG; fn RtlCopySid( DestinationSidLength: ULONG, DestinationSid: PSID, SourceSid: PSID, ) -> NTSTATUS; fn RtlCopySidAndAttributesArray( Count: ULONG, Src: PSID_AND_ATTRIBUTES, SidAreaSize: ULONG, Dest: PSID_AND_ATTRIBUTES, SidArea: PSID, RemainingSidArea: *mut PSID, RemainingSidAreaSize: PULONG, ) -> NTSTATUS; fn RtlCreateServiceSid( ServiceName: PUNICODE_STRING, ServiceSid: PSID, ServiceSidLength: PULONG, ) -> NTSTATUS; fn RtlSidDominates( Sid1: PSID, Sid2: PSID, Dominates: PBOOLEAN, ) -> NTSTATUS; fn RtlSidDominatesForTrust( Sid1: PSID, Sid2: PSID, DominatesTrust: PBOOLEAN, ) -> NTSTATUS; fn RtlSidEqualLevel( Sid1: PSID, Sid2: PSID, EqualLevel: PBOOLEAN, ) -> NTSTATUS; fn RtlSidIsHigherLevel( Sid1: PSID, Sid2: PSID, HigherLevel: PBOOLEAN, ) -> NTSTATUS; fn RtlCreateVirtualAccountSid( Name: PCUNICODE_STRING, BaseSubAuthority: ULONG, Sid: PSID, SidLength: PULONG, ) -> NTSTATUS; fn RtlReplaceSidInSd( SecurityDescriptor: PSECURITY_DESCRIPTOR, OldSid: PSID, NewSid: PSID, NumChanges: *mut ULONG, ) -> NTSTATUS; }} pub const MAX_UNICODE_STACK_BUFFER_LENGTH: usize = 256; EXTERN!{extern "system" { fn RtlConvertSidToUnicodeString( UnicodeString: PUNICODE_STRING, Sid: PSID, AllocateDestinationString: BOOLEAN, ) -> NTSTATUS; fn RtlSidHashInitialize( SidAttr: PSID_AND_ATTRIBUTES, SidCount: ULONG, SidAttrHash: PSID_AND_ATTRIBUTES_HASH, ) -> NTSTATUS; fn RtlSidHashLookup( SidAttrHash: PSID_AND_ATTRIBUTES_HASH, Sid: PSID, ) -> PSID_AND_ATTRIBUTES; fn RtlIsElevatedRid( SidAttr: PSID_AND_ATTRIBUTES, ) -> BOOLEAN; fn RtlDeriveCapabilitySidsFromName( UnicodeString: PUNICODE_STRING, CapabilityGroupSid: PSID, CapabilitySid: PSID, ) -> NTSTATUS; fn RtlCreateSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Revision: ULONG, ) -> NTSTATUS; fn RtlValidSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, ) -> BOOLEAN; fn RtlLengthSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, ) -> ULONG; fn RtlValidRelativeSecurityDescriptor( SecurityDescriptorInput: PSECURITY_DESCRIPTOR, SecurityDescriptorLength: ULONG, RequiredInformation: SECURITY_INFORMATION, ) -> BOOLEAN; fn RtlGetControlSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Control: PSECURITY_DESCRIPTOR_CONTROL, Revision: PULONG, ) -> NTSTATUS; fn RtlSetControlSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, ControlBitsOfInterest: SECURITY_DESCRIPTOR_CONTROL, ControlBitsToSet: SECURITY_DESCRIPTOR_CONTROL, ) -> NTSTATUS; fn RtlSetAttributesSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Control: SECURITY_DESCRIPTOR_CONTROL, Revision: PULONG, ) -> NTSTATUS; fn RtlGetSecurityDescriptorRMControl( SecurityDescriptor: PSECURITY_DESCRIPTOR, RMControl: PUCHAR, ) -> BOOLEAN; fn RtlSetSecurityDescriptorRMControl( SecurityDescriptor: PSECURITY_DESCRIPTOR, RMControl: PUCHAR, ); fn RtlSetDaclSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, DaclPresent: BOOLEAN, Dacl: PACL, DaclDefaulted: BOOLEAN, ) -> NTSTATUS; fn RtlGetDaclSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, DaclPresent: PBOOLEAN, Dacl: *mut PACL, DaclDefaulted: PBOOLEAN, ) -> NTSTATUS; fn RtlSetSaclSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, SaclPresent: BOOLEAN, Sacl: PACL, SaclDefaulted: BOOLEAN, ) -> NTSTATUS; fn RtlGetSaclSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, SaclPresent: PBOOLEAN, Sacl: *mut PACL, SaclDefaulted: PBOOLEAN, ) -> NTSTATUS; fn RtlSetOwnerSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Owner: PSID, OwnerDefaulted: BOOLEAN, ) -> NTSTATUS; fn RtlGetOwnerSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Owner: *mut PSID, OwnerDefaulted: PBOOLEAN, ) -> NTSTATUS; fn RtlSetGroupSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Group: PSID, GroupDefaulted: BOOLEAN, ) -> NTSTATUS; fn RtlGetGroupSecurityDescriptor( SecurityDescriptor: PSECURITY_DESCRIPTOR, Group: *mut PSID, GroupDefaulted: PBOOLEAN, ) -> NTSTATUS; fn RtlMakeSelfRelativeSD( AbsoluteSecurityDescriptor: PSECURITY_DESCRIPTOR, SelfRelativeSecurityDescriptor: PSECURITY_DESCRIPTOR, BufferLength: PULONG, ) -> NTSTATUS; fn RtlAbsoluteToSelfRelativeSD( AbsoluteSecurityDescriptor: PSECURITY_DESCRIPTOR, SelfRelativeSecurityDescriptor: PSECURITY_DESCRIPTOR, BufferLength: PULONG, ) -> NTSTATUS; fn RtlSelfRelativeToAbsoluteSD( SelfRelativeSecurityDescriptor: PSECURITY_DESCRIPTOR, AbsoluteSecurityDescriptor: PSECURITY_DESCRIPTOR, AbsoluteSecurityDescriptorSize: PULONG, Dacl: PACL, DaclSize: PULONG, Sacl: PACL, SaclSize: PULONG, Owner: PSID, OwnerSize: PULONG, PrimaryGroup: PSID, PrimaryGroupSize: PULONG, ) -> NTSTATUS; fn RtlSelfRelativeToAbsoluteSD2( pSelfRelativeSecurityDescriptor: PSECURITY_DESCRIPTOR, pBufferSize: PULONG, ) -> NTSTATUS; fn RtlAreAllAccessesGranted( GrantedAccess: ACCESS_MASK, DesiredAccess: ACCESS_MASK, ) -> BOOLEAN; fn RtlAreAnyAccessesGranted( GrantedAccess: ACCESS_MASK, DesiredAccess: ACCESS_MASK, ) -> BOOLEAN; fn RtlMapGenericMask( AccessMask: PACCESS_MASK, GenericMapping: PGENERIC_MAPPING, ); fn RtlCreateAcl( Acl: PACL, AclLength: ULONG, AclRevision: ULONG, ) -> NTSTATUS; fn RtlValidAcl( Acl: PACL, ) -> BOOLEAN; fn RtlQueryInformationAcl( Acl: PACL, AclInformation: PVOID, AclInformationLength: ULONG, AclInformationClass: ACL_INFORMATION_CLASS, ) -> NTSTATUS; fn RtlSetInformationAcl( Acl: PACL, AclInformation: PVOID, AclInformationLength: ULONG, AclInformationClass: ACL_INFORMATION_CLASS, ) -> NTSTATUS; fn RtlAddAce( Acl: PACL, AceRevision: ULONG, StartingAceIndex: ULONG, AceList: PVOID, AceListLength: ULONG, ) -> NTSTATUS; fn RtlDeleteAce( Acl: PACL, AceIndex: ULONG, ) -> NTSTATUS; fn RtlGetAce( Acl: PACL, AceIndex: ULONG, Ace: *mut PVOID, ) -> NTSTATUS; fn RtlFirstFreeAce( Acl: PACL, FirstFree: *mut PVOID, ) -> BOOLEAN; fn RtlFindAceByType( pAcl: PACL, AceType: UCHAR, pIndex: PULONG, ) -> PVOID; fn RtlOwnerAcesPresent( pAcl: PACL, ) -> BOOLEAN; fn RtlAddAccessAllowedAce( Acl: PACL, AceRevision: ULONG, AccessMask: ACCESS_MASK, Sid: PSID, ) -> NTSTATUS; fn RtlAddAccessAllowedAceEx( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, AccessMask: ACCESS_MASK, Sid: PSID, ) -> NTSTATUS; fn RtlAddAccessDeniedAce( Acl: PACL, AceRevision: ULONG, AccessMask: ACCESS_MASK, Sid: PSID, ) -> NTSTATUS; fn RtlAddAccessDeniedAceEx( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, AccessMask: ACCESS_MASK, Sid: PSID, ) -> NTSTATUS; fn RtlAddAuditAccessAce( Acl: PACL, AceRevision: ULONG, AccessMask: ACCESS_MASK, Sid: PSID, AuditSuccess: BOOLEAN, AuditFailure: BOOLEAN, ) -> NTSTATUS; fn RtlAddAuditAccessAceEx( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, AccessMask: ACCESS_MASK, Sid: PSID, AuditSuccess: BOOLEAN, AuditFailure: BOOLEAN, ) -> NTSTATUS; fn RtlAddAccessAllowedObjectAce( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, AccessMask: ACCESS_MASK, ObjectTypeGuid: *mut GUID, InheritedObjectTypeGuid: *mut GUID, Sid: PSID, ) -> NTSTATUS; fn RtlAddAccessDeniedObjectAce( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, AccessMask: ACCESS_MASK, ObjectTypeGuid: *mut GUID, InheritedObjectTypeGuid: *mut GUID, Sid: PSID, ) -> NTSTATUS; fn RtlAddAuditAccessObjectAce( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, AccessMask: ACCESS_MASK, ObjectTypeGuid: *mut GUID, InheritedObjectTypeGuid: *mut GUID, Sid: PSID, AuditSuccess: BOOLEAN, AuditFailure: BOOLEAN, ) -> NTSTATUS; fn RtlAddCompoundAce( Acl: PACL, AceRevision: ULONG, AceType: UCHAR, AccessMask: ACCESS_MASK, ServerSid: PSID, ClientSid: PSID, ) -> NTSTATUS; fn RtlAddMandatoryAce( Acl: PACL, AceRevision: ULONG, AceFlags: ULONG, Sid: PSID, AceType: UCHAR, AccessMask: ACCESS_MASK, ) -> NTSTATUS; fn RtlDefaultNpAcl( Acl: *mut PACL, ) -> NTSTATUS; fn RtlNewSecurityObject( ParentDescriptor: PSECURITY_DESCRIPTOR, CreatorDescriptor: PSECURITY_DESCRIPTOR, NewDescriptor: *mut PSECURITY_DESCRIPTOR, IsDirectoryObject: BOOLEAN, Token: HANDLE, GenericMapping: PGENERIC_MAPPING, ) -> NTSTATUS; fn RtlNewSecurityObjectEx( ParentDescriptor: PSECURITY_DESCRIPTOR, CreatorDescriptor: PSECURITY_DESCRIPTOR, NewDescriptor: *mut PSECURITY_DESCRIPTOR, ObjectType: *mut GUID, IsDirectoryObject: BOOLEAN, AutoInheritFlags: ULONG, Token: HANDLE, GenericMapping: PGENERIC_MAPPING, ) -> NTSTATUS; fn RtlNewSecurityObjectWithMultipleInheritance( ParentDescriptor: PSECURITY_DESCRIPTOR, CreatorDescriptor: PSECURITY_DESCRIPTOR, NewDescriptor: *mut PSECURITY_DESCRIPTOR, ObjectType: *mut *mut GUID, GuidCount: ULONG, IsDirectoryObject: BOOLEAN, AutoInheritFlags: ULONG, Token: HANDLE, GenericMapping: PGENERIC_MAPPING, ) -> NTSTATUS; fn RtlDeleteSecurityObject( ObjectDescriptor: *mut PSECURITY_DESCRIPTOR, ) -> NTSTATUS; fn RtlQuerySecurityObject( ObjectDescriptor: PSECURITY_DESCRIPTOR, SecurityInformation: SECURITY_INFORMATION, ResultantDescriptor: PSECURITY_DESCRIPTOR, DescriptorLength: ULONG, ReturnLength: PULONG, ) -> NTSTATUS; fn RtlSetSecurityObject( SecurityInformation: SECURITY_INFORMATION, ModificationDescriptor: PSECURITY_DESCRIPTOR, ObjectsSecurityDescriptor: *mut PSECURITY_DESCRIPTOR, GenericMapping: PGENERIC_MAPPING, Token: HANDLE, ) -> NTSTATUS; fn RtlSetSecurityObjectEx( SecurityInformation: SECURITY_INFORMATION, ModificationDescriptor: PSECURITY_DESCRIPTOR, ObjectsSecurityDescriptor: *mut PSECURITY_DESCRIPTOR, AutoInheritFlags: ULONG, GenericMapping: PGENERIC_MAPPING, Token: HANDLE, ) -> NTSTATUS; fn RtlConvertToAutoInheritSecurityObject( ParentDescriptor: PSECURITY_DESCRIPTOR, CurrentSecurityDescriptor: PSECURITY_DESCRIPTOR, NewSecurityDescriptor: *mut PSECURITY_DESCRIPTOR, ObjectType: *mut GUID, IsDirectoryObject: BOOLEAN, GenericMapping: PGENERIC_MAPPING, ) -> NTSTATUS; fn RtlNewInstanceSecurityObject( ParentDescriptorChanged: BOOLEAN, CreatorDescriptorChanged: BOOLEAN, OldClientTokenModifiedId: PLUID, NewClientTokenModifiedId: PLUID, ParentDescriptor: PSECURITY_DESCRIPTOR, CreatorDescriptor: PSECURITY_DESCRIPTOR, NewDescriptor: *mut PSECURITY_DESCRIPTOR, IsDirectoryObject: BOOLEAN, Token: HANDLE, GenericMapping: PGENERIC_MAPPING, ) -> NTSTATUS; fn RtlCopySecurityDescriptor( InputSecurityDescriptor: PSECURITY_DESCRIPTOR, OutputSecurityDescriptor: *mut PSECURITY_DESCRIPTOR, ) -> NTSTATUS; fn RtlRunEncodeUnicodeString( Seed: PUCHAR, String: PUNICODE_STRING, ); fn RtlRunDecodeUnicodeString( Seed: UCHAR, String: PUNICODE_STRING, ); fn RtlImpersonateSelf( ImpersonationLevel: SECURITY_IMPERSONATION_LEVEL, ) -> NTSTATUS; fn RtlImpersonateSelfEx( ImpersonationLevel: SECURITY_IMPERSONATION_LEVEL, AdditionalAccess: ACCESS_MASK, ThreadToken: PHANDLE, ) -> NTSTATUS; fn RtlAdjustPrivilege( Privilege: ULONG, Enable: BOOLEAN, Client: BOOLEAN, WasEnabled: PBOOLEAN, ) -> NTSTATUS; }} pub const RTL_ACQUIRE_PRIVILEGE_REVERT: ULONG = 0x00000001; pub const RTL_ACQUIRE_PRIVILEGE_PROCESS: ULONG = 0x00000002; EXTERN!{extern "system" { fn RtlAcquirePrivilege( Privilege: PULONG, NumPriv: ULONG, Flags: ULONG, ReturnedState: *mut PVOID, ) -> NTSTATUS; fn RtlReleasePrivilege( StatePointer: PVOID, ); fn RtlRemovePrivileges( TokenHandle: HANDLE, PrivilegesToKeep: PULONG, PrivilegeCount: ULONG, ) -> NTSTATUS; fn RtlIsUntrustedObject( Handle: HANDLE, Object: PVOID, IsUntrustedObject: PBOOLEAN, ) -> NTSTATUS; fn RtlQueryValidationRunlevel( ComponentName: PUNICODE_STRING, ) -> ULONG; fn RtlCreateBoundaryDescriptor( Name: PUNICODE_STRING, Flags: ULONG, ) -> PVOID; fn RtlDeleteBoundaryDescriptor( BoundaryDescriptor: PVOID, ); fn RtlAddSIDToBoundaryDescriptor( BoundaryDescriptor: *mut PVOID, RequiredSid: PSID, ) -> NTSTATUS; fn RtlAddIntegrityLabelToBoundaryDescriptor( BoundaryDescriptor: *mut PVOID, IntegrityLabel: PSID, ) -> NTSTATUS; fn RtlGetVersion( lpVersionInformation: PRTL_OSVERSIONINFOW, ) -> NTSTATUS; fn RtlVerifyVersionInfo( VersionInfo: PRTL_OSVERSIONINFOEXW, TypeMask: ULONG, ConditionMask: ULONGLONG, ) -> NTSTATUS; fn RtlGetNtVersionNumbers( NtMajorVersion: PULONG, NtMinorVersion: PULONG, NtBuildNumber: PULONG, ); fn RtlGetNtGlobalFlags() -> ULONG; fn RtlGetNtProductType( NtProductType: PNT_PRODUCT_TYPE, ) -> BOOLEAN; fn RtlGetSuiteMask() -> ULONG; fn RtlRegisterWait( WaitHandle: PHANDLE, Handle: HANDLE, Function: WAITORTIMERCALLBACKFUNC, Context: PVOID, Milliseconds: ULONG, Flags: ULONG, ) -> NTSTATUS; fn RtlDeregisterWait( WaitHandle: HANDLE, ) -> NTSTATUS; fn RtlDeregisterWaitEx( WaitHandle: HANDLE, Event: HANDLE, ) -> NTSTATUS; fn RtlQueueWorkItem( Function: WORKERCALLBACKFUNC, Context: PVOID, Flags: ULONG, ) -> NTSTATUS; fn RtlSetIoCompletionCallback( FileHandle: HANDLE, CompletionProc: APC_CALLBACK_FUNCTION, Flags: ULONG, ) -> NTSTATUS; }} FN!{stdcall PRTL_START_POOL_THREAD( Function: PTHREAD_START_ROUTINE, Parameter: PVOID, ThreadHandle: PHANDLE, ) -> NTSTATUS} FN!{stdcall PRTL_EXIT_POOL_THREAD( ExitStatus: NTSTATUS, ) -> NTSTATUS} EXTERN!{extern "system" { fn RtlSetThreadPoolStartFunc( StartPoolThread: PRTL_START_POOL_THREAD, ExitPoolThread: PRTL_EXIT_POOL_THREAD, ) -> NTSTATUS; fn RtlUserThreadStart( Function: PTHREAD_START_ROUTINE, Parameter: PVOID, ); fn LdrInitializeThunk( ContextRecord: PCONTEXT, Parameter: PVOID, ); fn RtlCreateTimerQueue( TimerQueueHandle: PHANDLE, ) -> NTSTATUS; fn RtlCreateTimer( TimerQueueHandle: HANDLE, Handle: PHANDLE, Function: WAITORTIMERCALLBACKFUNC, Context: PVOID, DueTime: ULONG, Period: ULONG, Flags: ULONG, ) -> NTSTATUS; fn RtlUpdateTimer( TimerQueueHandle: HANDLE, TimerHandle: HANDLE, DueTime: ULONG, Period: ULONG, ) -> NTSTATUS; fn RtlDeleteTimer( TimerQueueHandle: HANDLE, TimerToCancel: HANDLE, Event: HANDLE, ) -> NTSTATUS; fn RtlDeleteTimerQueue( TimerQueueHandle: HANDLE, ) -> NTSTATUS; fn RtlDeleteTimerQueueEx( TimerQueueHandle: HANDLE, Event: HANDLE, ) -> NTSTATUS; fn RtlFormatCurrentUserKeyPath( CurrentUserKeyPath: PUNICODE_STRING, ) -> NTSTATUS; fn RtlOpenCurrentUser( DesiredAccess: ACCESS_MASK, CurrentUserKey: PHANDLE, ) -> NTSTATUS; }} pub const RTL_REGISTRY_ABSOLUTE: ULONG = 0; pub const RTL_REGISTRY_SERVICES: ULONG = 1; pub const RTL_REGISTRY_CONTROL: ULONG = 2; pub const RTL_REGISTRY_WINDOWS_NT: ULONG = 3; pub const RTL_REGISTRY_DEVICEMAP: ULONG = 4; pub const RTL_REGISTRY_USER: ULONG = 5; pub const RTL_REGISTRY_MAXIMUM: ULONG = 6; pub const RTL_REGISTRY_HANDLE: ULONG = 0x40000000; pub const RTL_REGISTRY_OPTIONAL: ULONG = 0x80000000; EXTERN!{extern "system" { fn RtlCreateRegistryKey( RelativeTo: ULONG, Path: PWSTR, ) -> NTSTATUS; fn RtlCheckRegistryKey( RelativeTo: ULONG, Path: PWSTR, ) -> NTSTATUS; }} FN!{stdcall PRTL_QUERY_REGISTRY_ROUTINE( ValueName: PWSTR, ValueType: ULONG, ValueData: PVOID, ValueLength: ULONG, Context: PVOID, EntryContext: PVOID, ) -> NTSTATUS} STRUCT!{struct RTL_QUERY_REGISTRY_TABLE { QueryRoutine: PRTL_QUERY_REGISTRY_ROUTINE, Flags: ULONG, Name: PWSTR, EntryContext: PVOID, DefaultType: ULONG, DefaultData: PVOID, DefaultLength: ULONG, }} pub type PRTL_QUERY_REGISTRY_TABLE = *mut RTL_QUERY_REGISTRY_TABLE; pub const RTL_QUERY_REGISTRY_SUBKEY: ULONG = 0x00000001; pub const RTL_QUERY_REGISTRY_TOPKEY: ULONG = 0x00000002; pub const RTL_QUERY_REGISTRY_REQUIRED: ULONG = 0x00000004; pub const RTL_QUERY_REGISTRY_NOVALUE: ULONG = 0x00000008; pub const RTL_QUERY_REGISTRY_NOEXPAND: ULONG = 0x00000010; pub const RTL_QUERY_REGISTRY_DIRECT: ULONG = 0x00000020; pub const RTL_QUERY_REGISTRY_DELETE: ULONG = 0x00000040; EXTERN!{extern "system" { fn RtlQueryRegistryValues( RelativeTo: ULONG, Path: PCWSTR, QueryTable: PRTL_QUERY_REGISTRY_TABLE, Context: PVOID, Environment: PVOID, ) -> NTSTATUS; fn RtlQueryRegistryValuesEx( RelativeTo: ULONG, Path: PWSTR, QueryTable: PRTL_QUERY_REGISTRY_TABLE, Context: PVOID, Environment: PVOID, ) -> NTSTATUS; fn RtlWriteRegistryValue( RelativeTo: ULONG, Path: PCWSTR, ValueName: PCWSTR, ValueType: ULONG, ValueData: PVOID, ValueLength: ULONG, ) -> NTSTATUS; fn RtlDeleteRegistryValue( RelativeTo: ULONG, Path: PCWSTR, ValueName: PCWSTR, ) -> NTSTATUS; fn RtlEnableThreadProfiling( ThreadHandle: HANDLE, Flags: ULONG, HardwareCounters: ULONG64, PerformanceDataHandle: *mut PVOID, ) -> NTSTATUS; fn RtlDisableThreadProfiling( PerformanceDataHandle: PVOID, ) -> NTSTATUS; fn RtlQueryThreadProfiling( ThreadHandle: HANDLE, Enabled: PBOOLEAN, ) -> NTSTATUS; fn RtlReadThreadProfilingData( PerformanceDataHandle: HANDLE, Flags: ULONG, PerformanceData: PPERFORMANCE_DATA, ) -> NTSTATUS; fn RtlGetNativeSystemInformation( SystemInformationClass: ULONG, NativeSystemInformation: PVOID, InformationLength: ULONG, ReturnLength: PULONG, ) -> NTSTATUS; fn RtlQueueApcWow64Thread( ThreadHandle: HANDLE, ApcRoutine: PPS_APC_ROUTINE, ApcArgument1: PVOID, ApcArgument2: PVOID, ApcArgument3: PVOID, ) -> NTSTATUS; fn RtlWow64EnableFsRedirection( Wow64FsEnableRedirection: BOOLEAN, ) -> NTSTATUS; fn RtlWow64EnableFsRedirectionEx( Wow64FsEnableRedirection: PVOID, OldFsRedirectionLevel: *mut PVOID, ) -> NTSTATUS; fn RtlComputeCrc32( PartialCrc: ULONG32, Buffer: PVOID, Length: ULONG, ) -> ULONG32; fn RtlEncodePointer( Ptr: PVOID, ) -> PVOID; fn RtlDecodePointer( Ptr: PVOID, ) -> PVOID; fn RtlEncodeSystemPointer( Ptr: PVOID, ) -> PVOID; fn RtlDecodeSystemPointer( Ptr: PVOID, ) -> PVOID; fn RtlEncodeRemotePointer( ProcessHandle: HANDLE, Pointer: PVOID, EncodedPointer: *mut PVOID, ) -> NTSTATUS; fn RtlDecodeRemotePointer( ProcessHandle: HANDLE, Pointer: PVOID, DecodedPointer: *mut PVOID, ) -> NTSTATUS; fn RtlIsProcessorFeaturePresent( ProcessorFeature: ULONG, ) -> BOOLEAN; fn RtlGetCurrentProcessorNumber() -> ULONG; fn RtlGetCurrentProcessorNumberEx( ProcessorNumber: PPROCESSOR_NUMBER, ); fn RtlPushFrame( Frame: PTEB_ACTIVE_FRAME, ); fn RtlPopFrame( Frame: PTEB_ACTIVE_FRAME, ); fn RtlGetFrame() -> PTEB_ACTIVE_FRAME; }} pub const RTL_WALK_USER_MODE_STACK: ULONG = 0x00000001; pub const RTL_WALK_VALID_FLAGS: ULONG = 0x00000001; pub const RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT: ULONG = 0x00000008; EXTERN!{extern "system" { fn RtlWalkFrameChain( Callers: *mut PVOID, Count: ULONG, Flags: ULONG, ) -> ULONG; fn RtlGetCallersAddress( CallersAddress: *mut PVOID, CallersCaller: *mut PVOID, ); fn RtlGetEnabledExtendedFeatures( FeatureMask: ULONG64, ) -> ULONG64; fn RtlGetEnabledExtendedAndSupervisorFeatures( FeatureMask: ULONG64, ) -> ULONG64; fn RtlLocateSupervisorFeature( XStateHeader: PXSAVE_AREA_HEADER, FeatureId: ULONG, Length: PULONG, ) -> PVOID; }} STRUCT!{struct RTL_ELEVATION_FLAGS { Flags: ULONG, }} BITFIELD!{RTL_ELEVATION_FLAGS Flags: ULONG [ ElevationEnabled set_ElevationEnabled[0..1], VirtualizationEnabled set_VirtualizationEnabled[1..2], InstallerDetectEnabled set_InstallerDetectEnabled[2..3], ReservedBits set_ReservedBits[3..32], ]} pub type PRTL_ELEVATION_FLAGS = *mut RTL_ELEVATION_FLAGS; EXTERN!{extern "system" { fn RtlQueryElevationFlags( Flags: PRTL_ELEVATION_FLAGS, ) -> NTSTATUS; fn RtlRegisterThreadWithCsrss() -> NTSTATUS; fn RtlLockCurrentThread() -> NTSTATUS; fn RtlUnlockCurrentThread() -> NTSTATUS; fn RtlLockModuleSection( Address: PVOID, ) -> NTSTATUS; fn RtlUnlockModuleSection( Address: PVOID, ) -> NTSTATUS; }} pub const RTL_UNLOAD_EVENT_TRACE_NUMBER: u32 = 64; STRUCT!{struct RTL_UNLOAD_EVENT_TRACE { BaseAddress: PVOID, SizeOfImage: SIZE_T, Sequence: ULONG, TimeDateStamp: ULONG, CheckSum: ULONG, ImageName: [WCHAR; 32], Version: [ULONG; 2], }} pub type PRTL_UNLOAD_EVENT_TRACE = *mut RTL_UNLOAD_EVENT_TRACE; STRUCT!{struct RTL_UNLOAD_EVENT_TRACE32 { BaseAddress: ULONG, SizeOfImage: ULONG, Sequence: ULONG, TimeDateStamp: ULONG, CheckSum: ULONG, ImageName: [WCHAR; 32], Version: [ULONG; 2], }} pub type PRTL_UNLOAD_EVENT_TRACE32 = *mut RTL_UNLOAD_EVENT_TRACE32; EXTERN!{extern "system" { fn RtlGetUnloadEventTrace() -> PRTL_UNLOAD_EVENT_TRACE; fn RtlGetUnloadEventTraceEx( ElementSize: *mut PULONG, ElementCount: *mut PULONG, EventTrace: *mut PVOID, ); fn RtlQueryPerformanceCounter( PerformanceCounter: PLARGE_INTEGER, ) -> LOGICAL; fn RtlQueryPerformanceFrequency( PerformanceFrequency: PLARGE_INTEGER, ) -> LOGICAL; }} ENUM!{enum IMAGE_MITIGATION_POLICY { ImageDepPolicy = 0, ImageAslrPolicy = 1, ImageDynamicCodePolicy = 2, ImageStrictHandleCheckPolicy = 3, ImageSystemCallDisablePolicy = 4, ImageMitigationOptionsMask = 5, ImageExtensionPointDisablePolicy = 6, ImageControlFlowGuardPolicy = 7, ImageSignaturePolicy = 8, ImageFontDisablePolicy = 9, ImageImageLoadPolicy = 10, ImagePayloadRestrictionPolicy = 11, ImageChildProcessPolicy = 12, ImageSehopPolicy = 13, ImageHeapPolicy = 14, MaxImageMitigationPolicy = 15, }} UNION!{union RTL_IMAGE_MITIGATION_POLICY { Bitfields1: ULONG64, Bitfields2: ULONG64, }} BITFIELD!{unsafe RTL_IMAGE_MITIGATION_POLICY Bitfields1: ULONG64 [ AuditState set_AuditState[0..2], AuditFlag set_AuditFlag[2..3], EnableAdditionalAuditingOption set_EnableAdditionalAuditingOption[3..4], Reserved set_Reserved[4..64], ]} BITFIELD!{unsafe RTL_IMAGE_MITIGATION_POLICY Bitfields2: ULONG64 [ PolicyState set_PolicyState[0..2], AlwaysInherit set_AlwaysInherit[2..3], EnableAdditionalPolicyOption set_EnableAdditionalPolicyOption[3..4], AuditReserved set_AuditReserved[4..64], ]} pub type PRTL_IMAGE_MITIGATION_POLICY = *mut RTL_IMAGE_MITIGATION_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_DEP_POLICY { Dep: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_DEP_POLICY = *mut RTL_IMAGE_MITIGATION_DEP_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_ASLR_POLICY { ForceRelocateImages: RTL_IMAGE_MITIGATION_POLICY, BottomUpRandomization: RTL_IMAGE_MITIGATION_POLICY, HighEntropyRandomization: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_ASLR_POLICY = *mut RTL_IMAGE_MITIGATION_ASLR_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY { BlockDynamicCode: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY = *mut RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY { StrictHandleChecks: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY = *mut RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY { BlockWin32kSystemCalls: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY = *mut RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY { DisableExtensionPoints: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY = *mut RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY { ControlFlowGuard: RTL_IMAGE_MITIGATION_POLICY, StrictControlFlowGuard: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY = *mut RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY { BlockNonMicrosoftSignedBinaries: RTL_IMAGE_MITIGATION_POLICY, EnforceSigningOnModuleDependencies: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY = *mut RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY { DisableNonSystemFonts: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY = *mut RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY { BlockRemoteImageLoads: RTL_IMAGE_MITIGATION_POLICY, BlockLowLabelImageLoads: RTL_IMAGE_MITIGATION_POLICY, PreferSystem32: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY = *mut RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY { EnableExportAddressFilter: RTL_IMAGE_MITIGATION_POLICY, EnableExportAddressFilterPlus: RTL_IMAGE_MITIGATION_POLICY, EnableImportAddressFilter: RTL_IMAGE_MITIGATION_POLICY, EnableRopStackPivot: RTL_IMAGE_MITIGATION_POLICY, EnableRopCallerCheck: RTL_IMAGE_MITIGATION_POLICY, EnableRopSimExec: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY = *mut RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY { DisallowChildProcessCreation: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY = *mut RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_SEHOP_POLICY { Sehop: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_SEHOP_POLICY = *mut RTL_IMAGE_MITIGATION_SEHOP_POLICY; STRUCT!{struct RTL_IMAGE_MITIGATION_HEAP_POLICY { TerminateOnHeapErrors: RTL_IMAGE_MITIGATION_POLICY, }} pub type PRTL_IMAGE_MITIGATION_HEAP_POLICY = *mut RTL_IMAGE_MITIGATION_HEAP_POLICY; ENUM!{enum RTL_IMAGE_MITIGATION_OPTION_STATE { RtlMitigationOptionStateNotConfigured = 0, RtlMitigationOptionStateOn = 1, RtlMitigationOptionStateOff = 2, }} pub const RTL_IMAGE_MITIGATION_FLAG_RESET: ULONG = 0x1; pub const RTL_IMAGE_MITIGATION_FLAG_REMOVE: ULONG = 0x2; pub const RTL_IMAGE_MITIGATION_FLAG_OSDEFAULT: ULONG = 0x4; pub const RTL_IMAGE_MITIGATION_FLAG_AUDIT: ULONG = 0x8; EXTERN!{extern "system" { fn RtlQueryImageMitigationPolicy( ImagePath: PWSTR, Policy: IMAGE_MITIGATION_POLICY, Flags: ULONG, Buffer: PVOID, BufferSize: ULONG, ) -> NTSTATUS; fn RtlSetImageMitigationPolicy( ImagePath: PWSTR, Policy: IMAGE_MITIGATION_POLICY, Flags: ULONG, Buffer: PVOID, BufferSize: ULONG, ) -> NTSTATUS; fn RtlGetCurrentServiceSessionId() -> ULONG; fn RtlGetActiveConsoleId() -> ULONG; fn RtlGetConsoleSessionForegroundProcessId() -> ULONGLONG; fn RtlGetTokenNamedObjectPath( Token: HANDLE, Sid: PSID, ObjectPath: PUNICODE_STRING, ) -> NTSTATUS; fn RtlGetAppContainerNamedObjectPath( Token: HANDLE, AppContainerSid: PSID, RelativePath: BOOLEAN, ObjectPath: PUNICODE_STRING, ) -> NTSTATUS; fn RtlGetAppContainerParent( AppContainerSid: PSID, AppContainerSidParent: *mut PSID, ) -> NTSTATUS; fn RtlCheckSandboxedToken( TokenHandle: HANDLE, IsSandboxed: PBOOLEAN, ) -> NTSTATUS; fn RtlCheckTokenCapability( TokenHandle: HANDLE, CapabilitySidToCheck: PSID, HasCapability: PBOOLEAN, ) -> NTSTATUS; fn RtlCapabilityCheck( TokenHandle: HANDLE, CapabilityName: PUNICODE_STRING, HasCapability: PBOOLEAN, ) -> NTSTATUS; fn RtlCheckTokenMembership( TokenHandle: HANDLE, SidToCheck: PSID, IsMember: PBOOLEAN, ) -> NTSTATUS; fn RtlCheckTokenMembershipEx( TokenHandle: HANDLE, SidToCheck: PSID, Flags: ULONG, IsMember: PBOOLEAN, ) -> NTSTATUS; fn RtlIsParentOfChildAppContainer( ParentAppContainerSid: PSID, ChildAppContainerSid: PSID, ) -> NTSTATUS; fn RtlIsCapabilitySid( Sid: PSID, ) -> BOOLEAN; fn RtlIsPackageSid( Sid: PSID, ) -> BOOLEAN; fn RtlIsValidProcessTrustLabelSid( Sid: PSID, ) -> BOOLEAN; fn RtlIsStateSeparationEnabled() -> BOOLEAN; }} ENUM!{enum APPCONTAINER_SID_TYPE { NotAppContainerSidType = 0, ChildAppContainerSidType = 1, ParentAppContainerSidType = 2, InvalidAppContainerSidType = 3, MaxAppContainerSidType = 4, }} pub type PAPPCONTAINER_SID_TYPE = *mut APPCONTAINER_SID_TYPE; EXTERN!{extern "system" { fn RtlGetAppContainerSidType( AppContainerSid: PSID, AppContainerSidType: PAPPCONTAINER_SID_TYPE, ) -> NTSTATUS; fn RtlFlsAlloc( Callback: PFLS_CALLBACK_FUNCTION, FlsIndex: PULONG, ) -> NTSTATUS; fn RtlFlsFree( FlsIndex: ULONG, ) -> NTSTATUS; }} ENUM!{enum STATE_LOCATION_TYPE { LocationTypeRegistry = 0, LocationTypeFileSystem = 1, LocationTypeMaximum = 2, }} EXTERN!{extern "system" { fn RtlGetPersistedStateLocation( SourceID: PCWSTR, CustomValue: PCWSTR, DefaultPath: PCWSTR, StateLocationType: STATE_LOCATION_TYPE, TargetPath: PWCHAR, BufferLengthIn: ULONG, BufferLengthOut: PULONG, ) -> NTSTATUS; fn RtlIsCloudFilesPlaceholder( FileAttributes: ULONG, ReparseTag: ULONG, ) -> BOOLEAN; fn RtlIsPartialPlaceholder( FileAttributes: ULONG, ReparseTag: ULONG, ) -> BOOLEAN; fn RtlIsPartialPlaceholderFileHandle( FileHandle: HANDLE, IsPartialPlaceholder: PBOOLEAN, ) -> NTSTATUS; fn RtlIsPartialPlaceholderFileInfo( InfoBuffer: *const c_void, InfoClass: FILE_INFORMATION_CLASS, IsPartialPlaceholder: PBOOLEAN, ) -> NTSTATUS; fn RtlIsNonEmptyDirectoryReparsePointAllowed( ReparseTag: ULONG, ) -> BOOLEAN; fn RtlAppxIsFileOwnedByTrustedInstaller( FileHandle: HANDLE, IsFileOwnedByTrustedInstaller: PBOOLEAN, ) -> NTSTATUS; }} STRUCT!{struct PS_PKG_CLAIM { Flags: ULONGLONG, Origin: ULONGLONG, }} pub type PPS_PKG_CLAIM = *mut PS_PKG_CLAIM; EXTERN!{extern "system" { fn RtlQueryPackageClaims( TokenHandle: HANDLE, PackageFullName: PWSTR, PackageSize: PSIZE_T, AppId: PWSTR, AppIdSize: PSIZE_T, DynamicId: *mut GUID, PkgClaim: PPS_PKG_CLAIM, AttributesPresent: PULONG64, ) -> NTSTATUS; fn RtlQueryProtectedPolicy( PolicyGuid: *mut GUID, PolicyValue: PULONG_PTR, ) -> NTSTATUS; fn RtlSetProtectedPolicy( PolicyGuid: *mut GUID, PolicyValue: ULONG_PTR, OldPolicyValue: PULONG_PTR, ) -> NTSTATUS; fn RtlIsMultiSessionSku() -> BOOLEAN; fn RtlIsMultiUsersInSessionSku() -> BOOLEAN; }} ENUM!{enum RTL_BSD_ITEM_TYPE { RtlBsdItemVersionNumber = 0, RtlBsdItemProductType = 1, RtlBsdItemAabEnabled = 2, RtlBsdItemAabTimeout = 3, RtlBsdItemBootGood = 4, RtlBsdItemBootShutdown = 5, RtlBsdSleepInProgress = 6, RtlBsdPowerTransition = 7, RtlBsdItemBootAttemptCount = 8, RtlBsdItemBootCheckpoint = 9, RtlBsdItemBootId = 10, RtlBsdItemShutdownBootId = 11, RtlBsdItemReportedAbnormalShutdownBootId = 12, RtlBsdItemErrorInfo = 13, RtlBsdItemPowerButtonPressInfo = 14, RtlBsdItemChecksum = 15, RtlBsdItemMax = 16, }} STRUCT!{struct RTL_BSD_ITEM { Type: RTL_BSD_ITEM_TYPE, DataBuffer: PVOID, DataLength: ULONG, }} pub type PRTL_BSD_ITEM = *mut RTL_BSD_ITEM; EXTERN!{extern "system" { fn RtlCreateBootStatusDataFile() -> NTSTATUS; fn RtlLockBootStatusData( FileHandle: PHANDLE, ) -> NTSTATUS; fn RtlUnlockBootStatusData( FileHandle: HANDLE, ) -> NTSTATUS; fn RtlGetSetBootStatusData( FileHandle: HANDLE, Read: BOOLEAN, DataClass: RTL_BSD_ITEM_TYPE, Buffer: PVOID, BufferSize: ULONG, ReturnLength: PULONG, ) -> NTSTATUS; fn RtlCheckBootStatusIntegrity( FileHandle: HANDLE, Verified: PBOOLEAN, ) -> NTSTATUS; fn RtlCheckPortableOperatingSystem( IsPortable: PBOOLEAN, ) -> NTSTATUS; fn RtlSetPortableOperatingSystem( IsPortable: BOOLEAN, ) -> NTSTATUS; }} EXTERN!{extern "system" { fn RtlOsDeploymentState( Flags: DWORD, ) -> OS_DEPLOYEMENT_STATE_VALUES; fn RtlFindClosestEncodableLength( SourceLength: ULONGLONG, TargetLength: PULONGLONG, ) -> NTSTATUS; }} FN!{stdcall PRTL_SECURE_MEMORY_CACHE_CALLBACK( Address: PVOID, Length: SIZE_T, ) -> NTSTATUS} EXTERN!{extern "system" { fn RtlRegisterSecureMemoryCacheCallback( Callback: PRTL_SECURE_MEMORY_CACHE_CALLBACK, ) -> NTSTATUS; fn RtlDeregisterSecureMemoryCacheCallback( Callback: PRTL_SECURE_MEMORY_CACHE_CALLBACK, ) -> NTSTATUS; fn RtlFlushSecureMemoryCache( MemoryCache: PVOID, MemoryLength: SIZE_T, ) -> BOOLEAN; }}