Ntdll.h
转自:https://www.cnblogs.com/gwsbhqt/p/5092390.html
为了能使用上Ntdll.lib库函数,从几份不完整的Ntdll.h中拼凑整理出了比较完整美观的Ntdll.h。
测试平台:Windows 10 Professional / Visual Studio 2015 Community Update 1
测试Lib:Visual Studio 2015 Community Update 1 (x86 / x64) Ntdll.lib
/*///////////////////////////////////////////////////////////////
Name: Ntdll.h
BaseLib:
BaseHead:
Author: gwsbhqt@163.com
LastCode: 20160102
Description: Reference the undeclared Native API in Ntdll.lib
///////////////////////////////////////////////////////////////*/
#pragma once
#ifndef __NTDLL_H__
#define __NTDLL_H__
#pragma region HEAD
#include
#include
#include
#ifdef __cplusplus
extern "C" {
#endif
#ifdef _NTDDK_
#error This head file can not be compiled together with Ntddk.h
#endif
#ifndef WIN64
#pragma comment(lib, "Lib\\x86\\Ntdll.lib")
#else
#pragma comment(lib, "Lib\\x64\\Ntdll.lib")
#endif
#pragma endregion
#pragma region NTDLL BASE DEFINE
#ifndef NTSTATUS
typedef LONG NTSTATUS;
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif // NT_SUCCESS
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif // STATUS_SUCCESS
#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#endif // STATUS_UNSUCCESSFUL
#ifndef ASSERT
#ifdef _DEBUG
#define ASSERT(x) assert(x)
#else // _DEBUG
#define ASSERT(x)
#endif // _DEBUG
#endif // ASSERT
#pragma endregion
#pragma region DEFINE
#define DEVICE_TYPE DWORD
#define FLG_STOP_ON_EXCEPTION 0x0000001L
#define FLG_SHOW_LDR_SNAPS 0x0000002L
#define FLG_DEBUG_INITIAL_COMMAND 0x0000004L
#define FLG_STOP_ON_HUNG_GUI 0x0000008L
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x0000010L
#define FLG_HEAP_ENABLE_FREE_CHECK 0x0000020L
#define FLG_HEAP_VALIDATE_PARAMETERS 0x0000040L
#define FLG_HEAP_VALIDATE_ALL 0x0000080L
#define FLG_POOL_ENABLE_TAIL_CHECK 0x0000100L
#define FLG_POOL_ENABLE_FREE_CHECK 0x0000200L
#define FLG_POOL_ENABLE_TAGGING 0x0000400L
#define FLG_HEAP_ENABLE_TAGGING 0x0000800L
#define FLG_USER_STACK_TRACE_DB 0x0001000L
#define FLG_KERNEL_STACK_TRACE_DB 0x0002000L
#define FLG_MAINTAIN_OBJECT_TYPELIST 0x0004000L
#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x0008000L
#define FLG_IGNORE_DEBUG_PRIV 0x0010000L
#define FLG_ENABLE_CSRDEBUG 0x0020000L
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x0040000L
#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x0080000L
#define FLG_HEAP_ENABLE_CALL_TRACING 0x0100000L
#define FLG_HEAP_DISABLE_COALESCING 0x0200000L
#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x0400000L
#define FLG_ENABLE_EXCEPTION_LOGGING 0x0800000L
#define FLG_ENABLE_DBGPRINT_BUFFERING 0x8000000L
#define PROTECT_FROM_CLOSE 0x1L
#define INHERIT 0x2L
#define FLG_SYSOBJINFO_SINGLE_HANDLE_ENTRY 0x40L
#define FLG_SYSOBJINFO_DEFAULT_SECURITY_QUOTA 0x20L
#define FLG_SYSOBJINFO_PERMANENT 0x10L
#define FLG_SYSOBJINFO_EXCLUSIVE 0x08L
#define FLG_SYSOBJINFO_CREATOR_INFO 0x04L
#define FLG_SYSOBJINFO_KERNEL_MODE 0x02L
#define PERMANENT 0x10L
#define EXCLUSIVE 0x20L
#define WSLE_PAGE_READONLY 0x001L
#define WSLE_PAGE_EXECUTE 0x002L
#define WSLE_PAGE_READWRITE 0x004L
#define WSLE_PAGE_EXECUTE_READ 0x003L
#define WSLE_PAGE_WRITECOPY 0x005L
#define WSLE_PAGE_EXECUTE_READWRITE 0x006L
#define WSLE_PAGE_EXECUTE_WRITECOPY 0x007L
#define WSLE_PAGE_SHARE_COUNT_MASK 0x0E0L
#define WSLE_PAGE_SHAREABLE 0x100L
#define LOCK_VM_IN_WSL 0x1L
#define LOCK_VM_IN_RAM 0x2L
#define PC_IDLE 0x1L
#define PC_NORMAL 0x2L
#define PC_HIGH 0x3L
#define PC_REALTIME 0x4L
#define PC_BELOW_NORMAL 0x5L
#define PC_ABOVE_NORMAL 0x6L
#define PDI_MODULES 0x01L
#define PDI_BACKTRACE 0x02L
#define PDI_HEAPS 0x04L
#define PDI_HEAP_TAGS 0x08L
#define PDI_HEAP_BLOCKS 0x10L
#define PDI_LOCKS 0x20L
#define LDRP_STATIC_LINK 0x000002L
#define LDRP_IMAGE_DLL 0x000004L
#define LDRP_LOAD_IN_PROGRESS 0x001000L
#define LDRP_UNLOAD_IN_PROGRESS 0x002000L
#define LDRP_ENTRY_PROCESSED 0x004000L
#define LDRP_ENTRY_INSERTED 0x008000L
#define LDRP_CURRENT_LOAD 0x010000L
#define LDRP_FAILED_BUILTIN_LOAD 0x020000L
#define LDRP_DONT_CALL_FOR_THREADS 0x040000L
#define LDRP_PROCESS_ATTACH_CALLED 0x080000L
#define LDRP_DEBUG_SYMBOLS_LOADED 0x100000L
#define LDRP_IMAGE_NOT_AT_BASE 0x200000L
#define LDRP_WX86_IGNORE_MACHINETYPE 0x400000L
#define LPC_MESSAGE_BASE_SIZE 0x18L
#define FILE_SUPERSEDE 0x0L
#define FILE_OPEN 0x1L
#define FILE_CREATE 0x2L
#define FILE_OPEN_IF 0x3L
#define FILE_OVERWRITE 0x4L
#define FILE_OVERWRITE_IF 0x5L
#define FILE_MAXIMUM_DISPOSITION 0x5L
#define FILE_SUPERSEDED 0x0L
#define FILE_OPENED 0x1L
#define FILE_CREATED 0x2L
#define FILE_OVERWRITTEN 0x3L
#define FILE_EXISTS 0x4L
#define FILE_DOES_NOT_EXIST 0x5L
#define REG_MONITOR_SINGLE_KEY 0x0L
#define REG_MONITOR_SECOND_KEY 0x1L
#define HASH_STRING_ALGORITHM_DEFAULT 0x00000000L
#define HASH_STRING_ALGORITHM_X65599 0x00000001L
#define HASH_STRING_ALGORITHM_INVALID 0xFFFFFFFFL
#define SE_MIN_WELL_KNOWN_PRIVILEGE 0x02L
#define SE_CREATE_TOKEN_PRIVILEGE 0x02L
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE 0x03L
#define SE_LOCK_MEMORY_PRIVILEGE 0x04L
#define SE_INCREASE_QUOTA_PRIVILEGE 0x05L
#define SE_UNSOLICITED_INPUT_PRIVILEGE 0x06L
#define SE_MACHINE_ACCOUNT_PRIVILEGE 0x06L
#define SE_TCB_PRIVILEGE 0x07L
#define SE_SECURITY_PRIVILEGE 0x08L
#define SE_TAKE_OWNERSHIP_PRIVILEGE 0x09L
#define SE_LOAD_DRIVER_PRIVILEGE 0x0AL
#define SE_SYSTEM_PROFILE_PRIVILEGE 0x0BL
#define SE_SYSTEMTIME_PRIVILEGE 0x0CL
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE 0x0DL
#define SE_INC_BASE_PRIORITY_PRIVILEGE 0x0EL
#define SE_CREATE_PAGEFILE_PRIVILEGE 0x0FL
#define SE_CREATE_PERMANENT_PRIVILEGE 0x10L
#define SE_BACKUP_PRIVILEGE 0x11L
#define SE_RESTORE_PRIVILEGE 0x12L
#define SE_SHUTDOWN_PRIVILEGE 0x13L
#define SE_DEBUG_PRIVILEGE 0x14L
#define SE_AUDIT_PRIVILEGE 0x15L
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE 0x16L
#define SE_CHANGE_NOTIFY_PRIVILEGE 0x17L
#define SE_REMOTE_SHUTDOWN_PRIVILEGE 0x18L
#define SE_UNDOCK_PRIVILEGE 0x19L
#define SE_SYNC_AGENT_PRIVILEGE 0x1AL
#define SE_ENABLE_DELEGATION_PRIVILEGE 0x1BL
#define SE_MANAGE_VOLUME_PRIVILEGE 0x1CL
#define SE_IMPERSONATE_PRIVILEGE 0x1DL
#define SE_CREATE_GLOBAL_PRIVILEGE 0x1EL
#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE
#define OBJ_INHERIT 0x002L
#define OBJ_PERMANENT 0x010L
#define OBJ_EXCLUSIVE 0x020L
#define OBJ_CASE_INSENSITIVE 0x040L
#define OBJ_OPENIF 0x080L
#define OBJ_OPENLINK 0x100L
#define OBJ_KERNEL_HANDLE 0x200L
#define OBJ_FORCE_ACCESS_CHECK 0x400L
#define OBJ_VALID_ATTRIBUTES 0x7F2L
#define DIRECTORY_QUERY 0x0001L
#define DIRECTORY_TRAVERSE 0x0002L
#define DIRECTORY_CREATE_OBJECT 0x0004L
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008L
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x000FL)
#define LEVEL_HANDLE_ID 0x74000000L
#define LEVEL_HANDLE_ID_MASK 0xFF000000L
#define LEVEL_HANDLE_INDEX_MASK 0x00FFFFFFL
#define RTL_QUERY_REGISTRY_SUBKEY 0x01L
#define RTL_QUERY_REGISTRY_TOPKEY 0x02L
#define RTL_QUERY_REGISTRY_REQUIRED 0x04L
#define RTL_QUERY_REGISTRY_NOVALUE 0x08L
#define RTL_QUERY_REGISTRY_NOEXPAND 0x10L
#define RTL_QUERY_REGISTRY_DIRECT 0x20L
#define RTL_QUERY_REGISTRY_DELETE 0x40L
#define RTL_REGISTRY_ABSOLUTE 0x00000000L
#define RTL_REGISTRY_SERVICES 0x00000001L
#define RTL_REGISTRY_CONTROL 0x00000002L
#define RTL_REGISTRY_WINDOWS_NT 0x00000003L
#define RTL_REGISTRY_DEVICEMAP 0x00000004L
#define RTL_REGISTRY_USER 0x00000005L
#define RTL_REGISTRY_MAXIMUM 0x00000006L
#define RTL_REGISTRY_HANDLE 0x40000000L
#define RTL_REGISTRY_OPTIONAL 0x80000000L
#define OLD_DOS_VOLID 0x8L
#define FILE_DIRECTORY_FILE 0x000001L
#define FILE_WRITE_THROUGH 0x000002L
#define FILE_SEQUENTIAL_ONLY 0x000004L
#define FILE_NO_INTERMEDIATE_BUFFERING 0x000008L
#define FILE_SYNCHRONOUS_IO_ALERT 0x000010L
#define FILE_SYNCHRONOUS_IO_NONALERT 0x000020L
#define FILE_NON_DIRECTORY_FILE 0x000040L
#define FILE_CREATE_TREE_CONNECTION 0x000080L
#define FILE_COMPLETE_IF_OPLOCKED 0x000100L
#define FILE_NO_EA_KNOWLEDGE 0x000200L
#define FILE_OPEN_FOR_RECOVERY 0x000400L
#define FILE_RANDOM_ACCESS 0x000800L
#define FILE_DELETE_ON_CLOSE 0x001000L
#define FILE_OPEN_BY_FILE_ID 0x002000L
#define FILE_OPEN_FOR_BACKUP_INTENT 0x004000L
#define FILE_NO_COMPRESSION 0x008000L
#define FILE_OPEN_REQUIRING_OPLOCK 0x010000L
#define FILE_DISALLOW_EXCLUSIVE 0x020000L
#define FILE_RESERVE_OPFILTER 0x100000L
#define FILE_OPEN_REPARSE_POINT 0x200000L
#define FILE_OPEN_NO_RECALL 0x400000L
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x800000L
#define GDI_HANDLE_BUFFER_SIZE 0x22L
#define MEM_EXECUTE_OPTION_DISABLE 0x01L
#define MEM_EXECUTE_OPTION_ENABLE 0x02L
#define MEM_EXECUTE_OPTION_PERMANENT 0x08L
#define MAX_LPC_DATA 0x130L
#define ALPC_REQUEST 0x2000L | LPC_REQUEST
#define ALPC_CONNECTION_REQUEST 0x2000L | LPC_CONNECTION_REQUEST
#define SYMBOLIC_LINK_QUERY 0x1L
#define SYMBOLIC_LINK_ALL_ACCESS STANDARD_RIGHTS_REQUIRED | 0x1L
#define EVENT_PAIR_ALL_ACCESS STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE
#pragma endregion
#pragma region TYPEDEF
typedef LONG KPRIORITY;
typedef PVOID PLANGID;
typedef DWORD ULONG\_PTR;
typedef ULONG\_PTR KAFFINITY;
typedef USHORT RTL\_ATOM, \*PRTL\_ATOM;
typedef LARGE\_INTEGER PHYSICAL\_ADDRESS;#pragma endregion
#pragma region ENUM
typedef enum \_THREADINFOCLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair\_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
MaxThreadInfoClass
} THREADINFOCLASS;
typedef enum \_KPROFILE\_SOURCE
{
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE\_SOURCE;
typedef enum \_KWAIT\_REASON
{
Executive,
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
Spare5,
Spare6,
WrKernel,
MaximumWaitReason
} KWAIT\_REASON;
typedef enum \_POOL\_TYPE
{
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS,
MaxPoolType,
NonPagedPoolSession = ,
PagedPoolSession,
NonPagedPoolMustSucceedSession,
DontUseThisTypeSession,
NonPagedPoolCacheAlignedSession,
PagedPoolCacheAlignedSession,
NonPagedPoolCacheAlignedMustSSession
} POOL\_TYPE;
typedef enum \_THREAD\_STATE
{
StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
} THREAD\_STATE;
typedef enum \_SYSTEM\_HANDLE\_TYPE
{
OB\_TYPE\_UNKNOWN,
OB\_TYPE\_TYPE,
OB\_TYPE\_DIRECTORY,
OB\_TYPE\_SYMBOLIC\_LINK,
OB\_TYPE\_TOKEN,
OB\_TYPE\_PROCESS,
OB\_TYPE\_THREAD,
OB\_TYPE\_UNKNOWN\_7,
OB\_TYPE\_EVENT,
OB\_TYPE\_EVENT\_PAIR,
OB\_TYPE\_MUTANT,
OB\_TYPE\_UNKNOWN\_11,
OB\_TYPE\_SEMAPHORE,
OB\_TYPE\_TIMER,
OB\_TYPE\_PROFILE,
OB\_TYPE\_WINDOW\_STATION,
OB\_TYPE\_DESKTOP,
OB\_TYPE\_SECTION,
OB\_TYPE\_KEY,
OB\_TYPE\_PORT,
OB\_TYPE\_WAITABLE\_PORT,
OB\_TYPE\_UNKNOWN\_21,
OB\_TYPE\_UNKNOWN\_22,
OB\_TYPE\_UNKNOWN\_23,
OB\_TYPE\_UNKNOWN\_24,
OB\_TYPE\_IO\_COMPLETION,
OB\_TYPE\_FILE
}SYSTEM\_HANDLE\_TYPE;
typedef enum \_DEBUG\_CONTROL\_CODE
{
DebugGetTraceInformation = ,
DebugSetInternalBreakpoint,
DebugSetSpecialCall,
DebugClearSpecialCalls,
DebugQuerySpecialCalls,
DebugDbgBreakPoint,
DebugMaximum
} DEBUG\_CONTROL\_CODE;
typedef enum \_SYSDBG\_COMMAND
{
SysDbgQueryModuleInformation = ,
SysDbgQueryTraceInformation,
SysDbgSetTracepoint,
SysDbgSetSpecialCall,
SysDbgClearSpecialCalls,
SysDbgQuerySpecialCalls,
SysDbgBreakPoint,
SysDbgQueryVersion,
SysDbgReadVirtual,
SysDbgWriteVirtual,
SysDbgReadPhysical,
SysDbgWritePhysical,
SysDbgReadControlSpace,
SysDbgWriteControlSpace,
SysDbgReadIoSpace,
SysDbgWriteIoSpace,
SysDbgReadMsr,
SysDbgWriteMsr,
SysDbgReadBusData,
SysDbgWriteBusData,
SysDbgCheckLowMemory,
SysDbgEnableKernelDebugger,
SysDbgDisableKernelDebugger,
SysDbgGetAutoKdEnable,
SysDbgSetAutoKdEnable,
SysDbgGetPrintBufferSize,
SysDbgSetPrintBufferSize,
SysDbgGetKdUmExceptionEnable,
SysDbgSetKdUmExceptionEnable,
SysDbgGetTriageDump,
SysDbgGetKdBlockEnable,
SysDbgSetKdBlockEnable,
} SYSDBG\_COMMAND, \*PSYSDBG\_COMMAND;
typedef enum \_INTERFACE\_TYPE
{
InterfaceTypeUndefined = -,
Internal,
Isa,
Eisa,
MicroChannel,
TurboChannel,
PCIBus,
VMEBus,
NuBus,
PCMCIABus,
CBus,
MPIBus,
MPSABus,
ProcessorInternal,
InternalPowerBus,
PNPISABus,
PNPBus,
MaximumInterfaceType
}INTERFACE\_TYPE, \*PINTERFACE\_TYPE;
typedef enum \_BUS\_DATA\_TYPE
{
ConfigurationSpaceUndefined = -,
Cmos,
EisaConfiguration,
Pos,
CbusConfiguration,
PCIConfiguration,
VMEConfiguration,
NuBusConfiguration,
PCMCIAConfiguration,
MPIConfiguration,
MPSAConfiguration,
PNPISAConfiguration,
SgiInternalConfiguration,
MaximumBusDataType
} BUS\_DATA\_TYPE, \*PBUS\_DATA\_TYPE;
typedef enum \_OBJECT\_INFORMATION\_CLASS
{
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllTypesInformation,
ObjectHandleInformation
} OBJECT\_INFORMATION\_CLASS;
typedef enum \_LPC\_TYPE
{
LPC\_NEW\_MESSAGE,
LPC\_REQUEST,
LPC\_REPLY,
LPC\_DATAGRAM,
LPC\_LOST\_REPLY,
LPC\_PORT\_CLOSED,
LPC\_CLIENT\_DIED,
LPC\_EXCEPTION,
LPC\_DEBUG\_EVENT,
LPC\_ERROR\_EVENT,
LPC\_CONNECTION\_REQUEST,
LPC\_CONNECTION\_REFUSED,
LPC\_MAXIMUM
} LPC\_TYPE;
typedef enum \_KEY\_SET\_INFORMATION\_CLASS
{
KeyLastWriteTimeInformation
} KEY\_SET\_INFORMATION\_CLASS;
typedef enum \_HARDERROR\_RESPONSE\_OPTION
{
OptionAbortRetryIgnore,
OptionOk,
OptionOkCancel,
OptionRetryCancel,
OptionYesNo,
OptionYesNoCancel,
OptionShutdownSystem
} HARDERROR\_RESPONSE\_OPTION, \*PHARDERROR\_RESPONSE\_OPTION;
typedef enum \_HARDERROR\_RESPONSE
{
ResponseReturnToCaller,
ResponseNotHandled,
ResponseAbort,
ResponseCancel,
ResponseIgnore,
ResponseNo,
ResponseOk,
ResponseRetry,
ResponseYes
} HARDERROR\_RESPONSE, \*PHARDERROR\_RESPONSE;
typedef enum \_ATOM\_INFORMATION\_CLASS
{
AtomBasicInformation,
AtomListInformation
} ATOM\_INFORMATION\_CLASS;
typedef enum \_PORT\_INFORMATION\_CLASS
{
PortBasicInformation
} PORT\_INFORMATION\_CLASS;
typedef enum \_EVENT\_TYPE
{
NotificationEvent,
SynchronizationEvent
} EVENT\_TYPE;
typedef enum \_RTL\_GENERIC\_COMPARE\_RESULTS
{
GenericLessThan,
GenericGreaterThan,
GenericEqual
} RTL\_GENERIC\_COMPARE\_RESULTS;
typedef enum \_SECTION\_INHERIT
{
ViewShare = ,
ViewUnmap =
} SECTION\_INHERIT;
typedef enum \_KEY\_VALUE\_INFORMATION\_CLASS
{
KeyValueBasicInformation,
KeyValueFullInformation,
KeyValuePartialInformation,
KeyValueFullInformationAlign64,
KeyValuePartialInformationAlign64,
MaxKeyValueInfoClass
} KEY\_VALUE\_INFORMATION\_CLASS;
typedef enum \_KEY\_INFORMATION\_CLASS
{
KeyBasicInformation,
KeyNodeInformation,
KeyFullInformation,
KeyNameInformation,
KeyCachedInformation,
KeyFlagsInformation,
MaxKeyInfoClass
} KEY\_INFORMATION\_CLASS;
typedef enum \_SYSTEM\_INFORMATION\_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformationNative,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation,
SystemLoadGdiDriverInSystemSpaceInformation,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHanfleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchDogTimerHandler,
SystemWatchDogTimerInformation,
SystemLogicalProcessorInformation,
SystemWo64SharedInformationObosolete,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
SystemThreadPriorityClientIdInformation,
SystemProcessorIdleCycleTimeInformation,
SystemVerifierCancellationInformation,
SystemProcessorPowerInformationEx,
SystemRefTraceInformation,
SystemSpecialPoolInformation,
SystemProcessIdInformation,
SystemErrorPortInformation,
SystemBootEnvironmentInformation,
SystemHypervisorInformation,
SystemVerifierInformationEx,
SystemTimeZoneInformation,
SystemImageFileExecutionOptionsInformation,
SystemCoverageInformation,
SystemPrefetchPathInformation,
SystemVerifierFaultsInformation,
MaxSystemInfoClass
} SYSTEM\_INFORMATION\_CLASS, \*PSYSTEM\_INFORMATION\_CLASS;
typedef enum \_SHUTDOWN\_ACTION
{
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN\_ACTION, \*PSHUTDOWN\_ACTION;
typedef enum \_FILE\_INFORMATION\_CLASS
{
FileDirectoryInformation = ,
FileFullDirectoryInformation,
FileBothDirectoryInformation,
FileBasicInformation,
FileStandardInformation,
FileInternalInformation,
FileEaInformation,
FileAccessInformation,
FileNameInformation,
FileRenameInformation,
FileLinkInformation,
FileNamesInformation,
FileDispositionInformation,
FilePositionInformation,
FileFullEaInformation,
FileModeInformation,
FileAlignmentInformation,
FileAllInformation,
FileAllocationInformation,
FileEndOfFileInformation,
FileAlternateNameInformation,
FileStreamInformation,
FilePipeInformation,
FilePipeLocalInformation,
FilePipeRemoteInformation,
FileMailslotQueryInformation,
FileMailslotSetInformation,
FileCompressionInformation,
FileObjectIdInformation,
FileCompletionInformation,
FileMoveClusterInformation,
FileQuotaInformation,
FileReparsePointInformation,
FileNetworkOpenInformation,
FileAttributeTagInformation,
FileTrackingInformation,
FileIdBothDirectoryInformation,
FileIdFullDirectoryInformation,
FileValidDataLengthInformation,
FileShortNameInformation,
FileIoCompletionNotificationInformation,
FileIoStatusBlockRangeInformation,
FileIoPriorityHintInformation,
FileSfioReserveInformation,
FileSfioVolumeInformation,
FileHardLinkInformation,
FileProcessIdsUsingFileInformation,
FileNormalizedNameInformation,
FileNetworkPhysicalNameInformation,
FileIdGlobalTxDirectoryInformation,
FileIsRemoteDeviceInformation,
FileAttributeCacheInformation,
FileNumaNodeInformation,
FileStandardLinkInformation,
FileRemoteProtocolInformation,
FileMaximumInformation
} FILE\_INFORMATION\_CLASS, \*PFILE\_INFORMATION\_CLASS;
typedef enum \_IO\_PRIORITY\_HINT
{
IoPriorityVeryLow,
IoPriorityLow,
IoPriorityNormal,
IoPriorityHigh,
IoPriorityCritical,
MaxIoPriorityTypes
} IO\_PRIORITY\_HINT;
typedef enum \_FSINFOCLASS
{
FileFsVolumeInformation = ,
FileFsLabelInformation,
FileFsSizeInformation,
FileFsDeviceInformation,
FileFsAttributeInformation,
FileFsControlInformation,
FileFsFullSizeInformation,
FileFsObjectIdInformation,
FileFsDriverPathInformation,
FileFsVolumeFlagsInformation,
FileFsMaximumInformation
} FS\_INFORMATION\_CLASS, \*PFS\_INFORMATION\_CLASS;
typedef enum \_PROCESSINFOCLASS
{
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers,
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,
ProcessDebugFlags,
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessTlsInformation,
ProcessCookie,
ProcessImageInformation,
ProcessCycleTime,
ProcessPagePriority,
ProcessInstrumentationCallback,
ProcessThreadStackAllocation,
ProcessWorkingSetWatchEx,
ProcessImageFileNameWin32,
ProcessImageFileMapping,
ProcessAffinityUpdateMode,
ProcessMemoryAllocationMode,
ProcessGroupInformation,
ProcessTokenVirtualizationEnabled,
ProcessConsoleHostProcess,
ProcessWindowInformation,
MaxProcessInfoClass
} PROCESSINFOCLASS;
typedef enum \_MEMORY\_INFORMATION\_CLASS
{
MemoryBasicInformation,
MemoryWorkingSetInformation,
MemoryMappedFilenameInformation,
MemoryRegionInformation,
MemoryWorkingSetExInformation
} MEMORY\_INFORMATION\_CLASS;
typedef enum \_WAIT\_TYPE
{
WaitAll,
WaitAny
} WAIT\_TYPE;
typedef enum \_EVENT\_INFORMATION\_CLASS
{
EventBasicInformation
} EVENT\_INFORMATION\_CLASS;
typedef enum \_SECTION\_INFORMATION\_CLASS
{
SectionBasicInformation,
SectionImageInformation
} SECTION\_INFORMATION\_CLASS, \*PSECTION\_INFORMATION\_CLASS;#pragma endregion
#pragma region STRUCT
typedef struct \_STRING
{
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} STRING, ANSI\_STRING, OEM\_STRING, \*PSTRING, \*PANSI\_STRING, \*PCANSI\_STRING, \*POEM\_STRING;
typedef const STRING \*PCOEM\_STRING;
typedef struct \_UNICODE\_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE\_STRING, \*PUNICODE\_STRING;
typedef const UNICODE\_STRING \*PCUNICODE\_STRING;
typedef struct \_CLIENT\_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT\_ID, \*PCLIENT\_ID;
typedef struct \_CURDIR
{
UNICODE\_STRING DosPath;
HANDLE Handle;
} CURDIR, \*PCURDIR;
typedef struct \_OBJECT\_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE\_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT\_ATTRIBUTES, \*POBJECT\_ATTRIBUTES;
typedef struct \_PEB\_FREE\_BLOCK
{
struct \_PEB\_FREE\_BLOCK \*Next;
ULONG Size;
} PEB\_FREE\_BLOCK, \*PPEB\_FREE\_BLOCK;
typedef struct \_PEB\_LDR\_DATA
{
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST\_ENTRY InLoadOrderModuleList;
LIST\_ENTRY InMemoryOrderModuleList;
LIST\_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
} PEB\_LDR\_DATA, \*PPEB\_LDR\_DATA;
typedef struct \_RTL\_DRIVE\_LETTER\_CURDIR
{
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
STRING DosPath;
} RTL\_DRIVE\_LETTER\_CURDIR, \*PRTL\_DRIVE\_LETTER\_CURDIR;
typedef struct \_RTL\_USER\_PROCESS\_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory;
UNICODE\_STRING DllPath;
UNICODE\_STRING ImagePathName;
UNICODE\_STRING CommandLine;
PVOID Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE\_STRING WindowTitle;
UNICODE\_STRING DesktopInfo;
UNICODE\_STRING ShellInfo;
UNICODE\_STRING RuntimeData;
RTL\_DRIVE\_LETTER\_CURDIR CurrentDirectores\[0x20\];
} RTL\_USER\_PROCESS\_PARAMETERS, \*PRTL\_USER\_PROCESS\_PARAMETERS;
typedef struct \_PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN SpareBool;
HANDLE Mutant;
PVOID ImageBaseAddress;
PPEB\_LDR\_DATA Ldr;
PRTL\_USER\_PROCESS\_PARAMETERS ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PVOID FastPebLockRoutine;
PVOID FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount;
PVOID KernelCallbackTable;
HANDLE SystemReserved;
PVOID AtlThunkSListPtr32;
PPEB\_FREE\_BLOCK FreeList;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits\[\];
PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap;
PVOID \*ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
LARGE\_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID \*ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList;
PVOID LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
USHORT OSBuildNumber;
USHORT OSCSDVersion;
ULONG OSPlatformId;
ULONG ImageSubsystem;
ULONG ImageSubsystemMajorVersion;
ULONG ImageSubsystemMinorVersion;
ULONG ImageProcessAffinityMask;
ULONG GdiHandleBuffer\[GDI\_HANDLE\_BUFFER\_SIZE\];
} PEB, \*PPEB;
typedef struct \_TEB
{
NT\_TIB NtTib;
PVOID EnvironmentPointer;
CLIENT\_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
} TEB, \*PTEB;
typedef struct \_PROCESS\_BASIC\_INFORMATION
{
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
KAFFINITY AffinityMask;
KPRIORITY BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS\_BASIC\_INFORMATION, \*PPROCESS\_BASIC\_INFORMATION;
typedef struct \_FILE\_NETWORK\_OPEN\_INFORMATION
{
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER AllocationSize;
LARGE\_INTEGER EndOfFile;
ULONG FileAttributes;
} FILE\_NETWORK\_OPEN\_INFORMATION, \*PFILE\_NETWORK\_OPEN\_INFORMATION;
typedef struct \_IO\_STATUS\_BLOCK
{
union
{
NTSTATUS Status;
PVOID Pointer;
};
ULONG\_PTR Information;
} IO\_STATUS\_BLOCK, \*PIO\_STATUS\_BLOCK;
typedef struct \_KEY\_VALUE\_ENTRY
{
PUNICODE\_STRING ValueName;
ULONG DataLength;
ULONG DataOffset;
ULONG Type;
} KEY\_VALUE\_ENTRY, \*PKEY\_VALUE\_ENTRY;
typedef struct \_SYSTEM\_BASIC\_INFORMATION
{
ULONG Reserved;
ULONG TimerResolution;
ULONG PageSize;
ULONG NumberOfPhysicalPages;
ULONG LowestPhysicalPageNumber;
ULONG HighestPhysicalPageNumber;
ULONG AllocationGranularity;
ULONG MinimumUserModeAddress;
ULONG MaximumUserModeAddress;
KAFFINITY ActiveProcessorsAffinityMask;
CCHAR NumberOfProcessors;
} SYSTEM\_BASIC\_INFORMATION, \*PSYSTEM\_BASIC\_INFORMATION;
typedef struct \_SYSTEM\_PROCESSOR\_INFORMATION
{
USHORT ProcessorArchitecture;
USHORT ProcessorLevel;
USHORT ProcessorRevision;
USHORT Unknown;
ULONG FeatureBits;
} SYSTEM\_PROCESSOR\_INFORMATION, \*PSYSTEM\_PROCESSOR\_INFORMATION;
typedef struct \_SYSTEM\_PERFORMANCE\_INFORMATION
{
LARGE\_INTEGER IdleProcessTime;
LARGE\_INTEGER IoReadTransferCount;
LARGE\_INTEGER IoWriteTransferCount;
LARGE\_INTEGER IoOtherTransferCount;
ULONG IoReadOperationCount;
ULONG IoWriteOperationCount;
ULONG IoOtherOperationCount;
ULONG AvailablePages;
ULONG CommittedPages;
ULONG CommitLimit;
ULONG PeakCommitment;
ULONG PageFaultCount;
ULONG CopyOnWriteCount;
ULONG TransitionCount;
ULONG CacheTransitionCount;
ULONG DemandZeroCount;
ULONG PageReadCount;
ULONG PageReadIoCount;
ULONG CacheReadCount;
ULONG CacheIoCount;
ULONG DirtyPagesWriteCount;
ULONG DirtyWriteIoCount;
ULONG MappedPagesWriteCount;
ULONG MappedWriteIoCount;
ULONG PagedPoolPages;
ULONG NonPagedPoolPages;
ULONG PagedPoolAllocs;
ULONG PagedPoolFrees;
ULONG NonPagedPoolAllocs;
ULONG NonPagedPoolFrees;
ULONG FreeSystemPtes;
ULONG ResidentSystemCodePage;
ULONG TotalSystemDriverPages;
ULONG TotalSystemCodePages;
ULONG NonPagedPoolLookasideHits;
ULONG PagedPoolLookasideHits;
ULONG Spare3Count;
ULONG ResidentSystemCachePage;
ULONG ResidentPagedPoolPage;
ULONG ResidentSystemDriverPage;
ULONG CcFastReadNoWait;
ULONG CcFastReadWait;
ULONG CcFastReadResourceMiss;
ULONG CcFastReadNotPossible;
ULONG CcFastMdlReadNoWait;
ULONG CcFastMdlReadWait;
ULONG CcFastMdlReadResourceMiss;
ULONG CcFastMdlReadNotPossible;
ULONG CcMapDataNoWait;
ULONG CcMapDataWait;
ULONG CcMapDataNoWaitMiss;
ULONG CcMapDataWaitMiss;
ULONG CcPinMappedDataCount;
ULONG CcPinReadNoWait;
ULONG CcPinReadWait;
ULONG CcPinReadNoWaitMiss;
ULONG CcPinReadWaitMiss;
ULONG CcCopyReadNoWait;
ULONG CcCopyReadWait;
ULONG CcCopyReadNoWaitMiss;
ULONG CcCopyReadWaitMiss;
ULONG CcMdlReadNoWait;
ULONG CcMdlReadWait;
ULONG CcMdlReadNoWaitMiss;
ULONG CcMdlReadWaitMiss;
ULONG CcReadAheadIos;
ULONG CcLazyWriteIos;
ULONG CcLazyWritePages;
ULONG CcDataFlushes;
ULONG CcDataPages;
ULONG ContextSwitches;
ULONG FirstLevelTbFills;
ULONG SecondLevelTbFills;
ULONG SystemCalls;
} SYSTEM\_PERFORMANCE\_INFORMATION, \*PSYSTEM\_PERFORMANCE\_INFORMATION;
typedef struct \_SYSTEM\_TIME\_OF\_DAY\_INFORMATION
{
LARGE\_INTEGER BootTime;
LARGE\_INTEGER CurrentTime;
LARGE\_INTEGER TimeZoneBias;
ULONG CurrentTimeZoneId;
} SYSTEM\_TIME\_OF\_DAY\_INFORMATION, \*PSYSTEM\_TIME\_OF\_DAY\_INFORMATION;
typedef struct \_VM\_COUNTERS
{
ULONG PeakVirtualSize;
ULONG VirtualSize;
ULONG PageFaultCount;
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG QuotaPeakPagedPoolUsage;
ULONG QuotaPagedPoolUsage;
ULONG QuotaPeakNonPagedPoolUsage;
ULONG QuotaNonPagedPoolUsage;
ULONG PagefileUsage;
ULONG PeakPagefileUsage;
ULONG PrivatePageCount;
} VM\_COUNTERS;
typedef struct \_SYSTEM\_THREADS
{
LARGE\_INTEGER KernelTime;
LARGE\_INTEGER UserTime;
LARGE\_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT\_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
THREAD\_STATE State;
KWAIT\_REASON WaitReason;
ULONG Reversed;
} SYSTEM\_THREADS, \*PSYSTEM\_THREADS;
typedef struct \_SYSTEM\_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
LARGE\_INTEGER Reserved1\[\];
LARGE\_INTEGER CreateTime;
LARGE\_INTEGER UserTime;
LARGE\_INTEGER KernelTime;
UNICODE\_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG\_PTR PageDirectoryBase;
VM\_COUNTERS VmCounters;
ULONG PrivatePageCount;
IO\_COUNTERS IoCounters;
SYSTEM\_THREADS Threads\[\];
} SYSTEM\_PROCESSES, \*PSYSTEM\_PROCESSES;
typedef struct \_SYSTEM\_CALLS\_INFORMATION
{
ULONG Size;
ULONG NumberOfDescriptorTables;
ULONG NumberOfRoutinesInTable\[\];
ULONG CallCounts\[ANYSIZE\_ARRAY\];
} SYSTEM\_CALLS\_INFORMATION, \*PSYSTEM\_CALLS\_INFORMATION;
typedef struct \_SYSTEM\_CONFIGURATION\_INFORMATION
{
ULONG DiskCount;
ULONG FloppyCount;
ULONG CdRomCount;
ULONG TapeCount;
ULONG SerialCount;
ULONG ParallelCount;
} SYSTEM\_CONFIGURATION\_INFORMATION, \*PSYSTEM\_CONFIGURATION\_INFORMATION;
typedef struct \_SYSTEM\_PROCESSOR\_TIMES
{
LARGE\_INTEGER IdleTime;
LARGE\_INTEGER KernelTime;
LARGE\_INTEGER UserTime;
LARGE\_INTEGER DpcTime;
LARGE\_INTEGER InterruptTime;
ULONG InterruptCount;
} SYSTEM\_PROCESSOR\_TIMES, \*PSYSTEM\_PROCESSOR\_TIMES;
typedef struct \_SYSTEM\_GLOBAL\_FLAG
{
ULONG GlobalFlag;
} SYSTEM\_GLOBAL\_FLAG, \*PSYSTEM\_GLOBAL\_FLAG;
typedef struct \_SYSTEM\_MODULE\_INFORMATION\_ENTRY
{
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName\[\];
} SYSTEM\_MODULE\_INFORMATION\_ENTRY, \*PSYSTEM\_MODULE\_INFORMATION\_ENTRY;
typedef struct \_SYSTEM\_MODULE
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
CHAR ImageName\[\];
} SYSTEM\_MODULE, \*PSYSTEM\_MODULE;
typedef struct \_SYSTEM\_MODULE\_INFORMATION
{
ULONG ModulesCount;
SYSTEM\_MODULE Modules\[\];
} SYSTEM\_MODULE\_INFORMATION, \*PSYSTEM\_MODULE\_INFORMATION;
typedef struct \_SYSTEM\_LOCK\_INFORMATION
{
PVOID Address;
USHORT Type;
USHORT Reserved1;
ULONG ExclusiveOwnerThreadId;
ULONG ActiveCount;
ULONG ContentionCount;
ULONG Reserved2\[\];
ULONG NumberOfSharedWaiters;
ULONG NumberOfExclusiveWaiters;
} SYSTEM\_LOCK\_INFORMATION, \*PSYSTEM\_LOCK\_INFORMATION;
typedef struct \_SYSTEM\_HANDLE\_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS\_MASK GrantedAccess;
} SYSTEM\_HANDLE\_INFORMATION, \*PSYSTEM\_HANDLE\_INFORMATION;
typedef struct \_SYSTEM\_OBJECT\_TYPE\_INFORMATION
{
ULONG NextEntryOffset;
ULONG ObjectCount;
ULONG HandleCount;
ULONG TypeNumber;
ULONG InvalidAttributes;
GENERIC\_MAPPING GenericMapping;
ACCESS\_MASK ValidAccessMask;
POOL\_TYPE PoolType;
UCHAR Unknown;
UNICODE\_STRING Name;
} SYSTEM\_OBJECT\_TYPE\_INFORMATION, \*PSYSTEM\_OBJECT\_TYPE\_INFORMATION;
typedef struct \_SYSTEM\_OBJECT\_INFORMATION
{
ULONG NextEntryOffset;
PVOID Object;
ULONG CreatorProcessId;
USHORT Unknown;
USHORT Flags;
ULONG PointerCount;
ULONG HandleCount;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG ExclusiveProcessId;
PSECURITY\_DESCRIPTOR SecurityDescriptor;
UNICODE\_STRING Name;
} SYSTEM\_OBJECT\_INFORMATION, \*PSYSTEM\_OBJECT\_INFORMATION;
typedef struct \_SYSTEM\_PAGEFILE\_INFORMATION
{
ULONG NextEntryOffset;
ULONG CurrentSize;
ULONG TotalUsed;
ULONG PeakUsed;
UNICODE\_STRING FileName;
} SYSTEM\_PAGEFILE\_INFORMATION, \*PSYSTEM\_PAGEFILE\_INFORMATION;
typedef struct \_SYSTEM\_INSTRUCTION\_EMULATION\_INFORMATION
{
ULONG SegmentNotPresent;
ULONG TwoByteOpcode;
ULONG ESprefix;
ULONG CSprefix;
ULONG SSprefix;
ULONG DSprefix;
ULONG FSPrefix;
ULONG GSprefix;
ULONG OPER32prefix;
ULONG ADDR32prefix;
ULONG INSB;
ULONG INSW;
ULONG OUTSB;
ULONG OUTSW;
ULONG PUSHFD;
ULONG POPFD;
ULONG INTnn;
ULONG INTO;
ULONG IRETD;
ULONG INBimm;
ULONG INWimm;
ULONG OUTBimm;
ULONG OUTWimm;
ULONG INB;
ULONG INW;
ULONG OUTB;
ULONG OUTW;
ULONG LOCKprefix;
ULONG REPNEprefix;
ULONG REPprefix;
ULONG HLT;
ULONG CLI;
ULONG STI;
ULONG GenericInvalidOpcode;
} SYSTEM\_INSTRUCTION\_EMULATION\_INFORMATION, \*PSYSTEM\_INSTRUCTION\_EMULATION\_INFORMATION;
typedef struct \_SYSTEM\_POOL\_TAG\_INFORMATION
{
CHAR Tag\[\];
ULONG PagedPoolAllocs;
ULONG PagedPoolFrees;
ULONG PagedPoolUsage;
ULONG NonPagedPoolAllocs;
ULONG NonPagedPoolFrees;
ULONG NonPagedPoolUsage;
} SYSTEM\_POOL\_TAG\_INFORMATION, \*PSYSTEM\_POOL\_TAG\_INFORMATION;
typedef struct \_SYSTEM\_PROCESSOR\_STATISTICS
{
ULONG ContextSwitches;
ULONG DpcCount;
ULONG DpcRequestRate;
ULONG TimeIncrement;
ULONG DpcBypassCount;
ULONG ApcBypassCount;
} SYSTEM\_PROCESSOR\_STATISTICS, \*PSYSTEM\_PROCESSOR\_STATISTICS;
typedef struct \_SYSTEM\_DPC\_INFORMATION
{
ULONG Reserved;
ULONG MaximumDpcQueueDepth;
ULONG MinimumDpcRate;
ULONG AdjustDpcThreshold;
ULONG IdealDpcRate;
} SYSTEM\_DPC\_INFORMATION, \*PSYSTEM\_DPC\_INFORMATION;
typedef struct \_SYSTEM\_LOAD\_IMAGE
{
UNICODE\_STRING ModuleName;
PVOID ModuleBase;
PVOID SectionPointer;
PVOID EntryPoint;
PVOID ExportDirectory;
} SYSTEM\_LOAD\_IMAGE, \*PSYSTEM\_LOAD\_IMAGE;
typedef struct \_SYSTEM\_UNLOAD\_IMAGE
{
PVOID ModuleBase;
} SYSTEM\_UNLOAD\_IMAGE, \*PSYSTEM\_UNLOAD\_IMAGE;
typedef struct \_SYSTEM\_QUERY\_TIME\_ADJUSTMENT
{
ULONG TimeAdjustment;
ULONG MaximumIncrement;
BOOLEAN TimeSynchronization;
} SYSTEM\_QUERY\_TIME\_ADJUSTMENT, \*PSYSTEM\_QUERY\_TIME\_ADJUSTMENT;
typedef struct \_SYSTEM\_SET\_TIME\_ADJUSTMENT
{
ULONG TimeAdjustment;
BOOLEAN TimeSynchronization;
} SYSTEM\_SET\_TIME\_ADJUSTMENT, \*PSYSTEM\_SET\_TIME\_ADJUSTMENT;
typedef struct \_SYSTEM\_CRASH\_DUMP\_INFORMATION
{
HANDLE CrashDumpSectionHandle;
HANDLE Unknown;
} SYSTEM\_CRASH\_DUMP\_INFORMATION, \*PSYSTEM\_CRASH\_DUMP\_INFORMATION;
typedef struct \_SYSTEM\_EXCEPTION\_INFORMATION
{
ULONG AlignmentFixupCount;
ULONG ExceptionDispatchCount;
ULONG FloatingEmulationCount;
ULONG Reserved;
} SYSTEM\_EXCEPTION\_INFORMATION, \*PSYSTEM\_EXCEPTION\_INFORMATION;
typedef struct \_SYSTEM\_CRASH\_DUMP\_STATE\_INFORMATION
{
ULONG CrashDumpSectionExists;
ULONG Unknown;
} SYSTEM\_CRASH\_DUMP\_STATE\_INFORMATION, \*PSYSTEM\_CRASH\_DUMP\_STATE\_INFORMATION;
typedef struct \_SYSTEM\_KERNEL\_DEBUGGER\_INFORMATION
{
BOOLEAN KernelDebuggerEnabled;
BOOLEAN KernelDebuggerNotPresent;
} SYSTEM\_KERNEL\_DEBUGGER\_INFORMATION, \*PSYSTEM\_KERNEL\_DEBUGGER\_INFORMATION;
typedef struct \_SYSTEM\_CONTEXT\_SWITCH\_INFORMATION
{
ULONG ContextSwitches;
ULONG ContextSwitchCounters\[\];
} SYSTEM\_CONTEXT\_SWITCH\_INFORMATION, \*PSYSTEM\_CONTEXT\_SWITCH\_INFORMATION;
typedef struct \_SYSTEM\_REGISTRY\_QUOTA\_INFORMATION
{
ULONG RegistryQuotaAllowed;
ULONG RegistryQuotaUsed;
ULONG PagedPoolSize;
} SYSTEM\_REGISTRY\_QUOTA\_INFORMATION, \*PSYSTEM\_REGISTRY\_QUOTA\_INFORMATION;
typedef struct \_SYSTEM\_LOAD\_AND\_CALL\_IMAGE
{
UNICODE\_STRING ModuleName;
} SYSTEM\_LOAD\_AND\_CALL\_IMAGE, \*PSYSTEM\_LOAD\_AND\_CALL\_IMAGE;
typedef struct \_SYSTEM\_PRIORITY\_SEPARATION
{
ULONG PrioritySeparation;
} SYSTEM\_PRIORITY\_SEPARATION, \*PSYSTEM\_PRIORITY\_SEPARATION;
typedef struct \_SYSTEM\_TIME\_ZONE\_INFORMATION
{
LONG Bias;
WCHAR StandardName\[\];
LARGE\_INTEGER StandardDate;
LONG StandardBias;
WCHAR DaylightName\[\];
LARGE\_INTEGER DaylightDate;
LONG DaylightBias;
} SYSTEM\_TIME\_ZONE\_INFORMATION, \*PSYSTEM\_TIME\_ZONE\_INFORMATION;
typedef struct \_SYSTEM\_LOOKASIDE\_INFORMATION
{
USHORT Depth;
USHORT MaximumDepth;
ULONG TotalAllocates;
ULONG AllocateMisses;
ULONG TotalFrees;
ULONG FreeMisses;
POOL\_TYPE Type;
ULONG Tag;
ULONG Size;
} SYSTEM\_LOOKASIDE\_INFORMATION, \*PSYSTEM\_LOOKASIDE\_INFORMATION;
typedef struct \_SYSTEM\_SET\_TIME\_SLIP\_EVENT
{
HANDLE TimeSlipEvent;
} SYSTEM\_SET\_TIME\_SLIP\_EVENT, \*PSYSTEM\_SET\_TIME\_SLIP\_EVENT;
typedef struct \_SYSTEM\_CREATE\_SESSION
{
ULONG SessionId;
} SYSTEM\_CREATE\_SESSION, \*PSYSTEM\_CREATE\_SESSION;
typedef struct \_SYSTEM\_DELETE\_SESSION
{
ULONG SessionId;
} SYSTEM\_DELETE\_SESSION, \*PSYSTEM\_DELETE\_SESSION;
typedef struct \_SYSTEM\_RANGE\_START\_INFORMATION
{
PVOID SystemRangeStart;
} SYSTEM\_RANGE\_START\_INFORMATION, \*PSYSTEM\_RANGE\_START\_INFORMATION;
typedef struct \_SYSTEM\_SESSION\_PROCESSES\_INFORMATION
{
ULONG SessionId;
ULONG BufferSize;
PVOID Buffer;
} SYSTEM\_SESSION\_PROCESSES\_INFORMATION, \*PSYSTEM\_SESSION\_PROCESSES\_INFORMATION;
typedef struct \_SYSTEM\_POOL\_BLOCK
{
BOOLEAN Allocated;
USHORT Unknown;
ULONG Size;
CHAR Tag\[\];
} SYSTEM\_POOL\_BLOCK, \*PSYSTEM\_POOL\_BLOCK;
typedef struct \_SYSTEM\_POOL\_BLOCKS\_INFORMATION
{
ULONG PoolSize;
PVOID PoolBase;
USHORT Unknown;
ULONG NumberOfBlocks;
SYSTEM\_POOL\_BLOCK PoolBlocks\[\];
} SYSTEM\_POOL\_BLOCKS\_INFORMATION, \*PSYSTEM\_POOL\_BLOCKS\_INFORMATION;
typedef struct \_SYSTEM\_MEMORY\_USAGE
{
PVOID Name;
USHORT Valid;
USHORT Standby;
USHORT Modified;
USHORT PageTables;
} SYSTEM\_MEMORY\_USAGE, \*PSYSTEM\_MEMORY\_USAGE;
typedef struct \_SYSTEM\_MEMORY\_USAGE\_INFORMATION
{
ULONG Reserved;
PVOID EndOfData;
SYSTEM\_MEMORY\_USAGE MemoryUsage\[\];
} SYSTEM\_MEMORY\_USAGE\_INFORMATION, \*PSYSTEM\_MEMORY\_USAGE\_INFORMATION;
typedef struct \_SYSDBG\_PHYSICAL
{
PHYSICAL\_ADDRESS Address;
PVOID Buffer;
ULONG Request;
} SYSDBG\_PHYSICAL, \*PSYSDBG\_PHYSICAL;
typedef struct \_SYSDBG\_CONTROL\_SPACE
{
ULONG64 Address;
PVOID Buffer;
ULONG Request;
ULONG Processor;
} SYSDBG\_CONTROL\_SPACE, \*PSYSDBG\_CONTROL\_SPACE;
typedef struct \_SYSDBG\_IO\_SPACE
{
ULONG64 Address;
PVOID Buffer;
ULONG Request;
INTERFACE\_TYPE InterfaceType;
ULONG BusNumber;
ULONG AddressSpace;
} SYSDBG\_IO\_SPACE, \*PSYSDBG\_IO\_SPACE;
typedef struct \_SYSDBG\_MSR
{
ULONG Msr;
ULONG64 Data;
} SYSDBG\_MSR, \*PSYSDBG\_MSR;
typedef struct \_SYSDBG\_BUS\_DATA
{
ULONG Address;
PVOID Buffer;
ULONG Request;
BUS\_DATA\_TYPE BusDataType;
ULONG BusNumber;
ULONG SlotNumber;
} SYSDBG\_BUS\_DATA, \*PSYSDBG\_BUS\_DATA;
typedef struct \_DBGKD\_GET\_VERSION
{
USHORT MajorVersion;
USHORT MinorVersion;
USHORT ProtocolVersion;
USHORT Flags;
USHORT MachineType;
UCHAR MaxPacketType;
UCHAR MaxStateChange;
UCHAR MaxManipulate;
UCHAR Simulation;
USHORT Unused\[\];
ULONG64 KernBase;
ULONG64 PsLoadedModuleList;
ULONG64 DebuggerDataList;
} DBGKD\_GET\_VERSION, \*PDBGKD\_GET\_VERSION;
typedef struct \_SYSDBG\_VIRTUAL
{
PVOID Address;
PVOID Buffer;
ULONG Request;
} SYSDBG\_VIRTUAL, \*PSYSDBG\_VIRTUAL;
typedef struct \_OBJECT\_BASIC\_INFORMATION
{
ULONG Attributes;
ACCESS\_MASK GrantedAccess;
ULONG HandleCount;
ULONG PointerCount;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG Reserved\[\];
ULONG NameInfoSize;
ULONG TypeInfoSize;
ULONG SecurityDescriptorSize;
LARGE\_INTEGER CreationTime;
} OBJECT\_BASIC\_INFORMATION, \*POBJECT\_BASIC\_INFORMATION;
typedef struct \_OBJECT\_NAME\_INFORMATION
{
UNICODE\_STRING Name;
} OBJECT\_NAME\_INFORMATION, \*POBJECT\_NAME\_INFORMATION;
typedef struct \_OBJECT\_TYPE\_INFORMATION
{
UNICODE\_STRING TypeName;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC\_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
POOL\_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
} OBJECT\_TYPE\_INFORMATION, \*POBJECT\_TYPE\_INFORMATION;
typedef struct \_OBJECT\_ALL\_TYPES\_INFORMATION
{
ULONG NumberOfTypes;
OBJECT\_TYPE\_INFORMATION TypeInformation;
} OBJECT\_ALL\_TYPES\_INFORMATION, \*POBJECT\_ALL\_TYPES\_INFORMATION;
typedef struct \_OBJECT\_HANDLE\_ATTRIBUTE\_INFORMATION
{
BOOLEAN Inherit;
BOOLEAN ProtectFromClose;
} OBJECT\_HANDLE\_ATTRIBUTE\_INFORMATION, \*POBJECT\_HANDLE\_ATTRIBUTE\_INFORMATION;
typedef struct \_OBJECT\_HANDLE\_FLAG\_INFORMATION
{
BOOLEAN Inherit;
BOOLEAN ProtectFromClose;
} OBJECT\_HANDLE\_FLAG\_INFORMATION, \*POBJECT\_HANDLE\_FLAG\_INFORMATION;
typedef struct \_OBJECT\_DIRECTORY\_INFORMATION
{
UNICODE\_STRING Name;
UNICODE\_STRING TypeName;
} OBJECT\_DIRECTORY\_INFORMATION, \*POBJECT\_DIRECTORY\_INFORMATION;
typedef struct \_DIRECTORY\_BASIC\_INFORMATION
{
UNICODE\_STRING ObjectName;
UNICODE\_STRING ObjectTypeName;
} DIRECTORY\_BASIC\_INFORMATION, \*PDIRECTORY\_BASIC\_INFORMATION;
typedef struct \_MEMORY\_WORKING\_SET\_LIST
{
ULONG NumberOfPages;
ULONG WorkingSetList\[\];
} MEMORY\_WORKING\_SET\_LIST, \*PMEMORY\_WORKING\_SET\_LIST;
typedef struct \_MEMORY\_SECTION\_NAME
{
UNICODE\_STRING SectionFileName;
} MEMORY\_SECTION\_NAME, \*PMEMORY\_SECTION\_NAME;
typedef struct \_USER\_STACK
{
PVOID FixedStackBase;
PVOID FixedStackLimit;
PVOID ExpandableStackBase;
PVOID ExpandableStackLimit;
PVOID ExpandableStackBottom;
} USER\_STACK, \*PUSER\_STACK;
typedef struct \_THREAD\_BASIC\_INFORMATION
{
NTSTATUS ExitStatus;
PNT\_TIB TebBaseAddress;
CLIENT\_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD\_BASIC\_INFORMATION, \*PTHREAD\_BASIC\_INFORMATION;
typedef struct \_KERNEL\_USER\_TIMES
{
LARGE\_INTEGER CreateTime;
LARGE\_INTEGER ExitTime;
LARGE\_INTEGER KernelTime;
LARGE\_INTEGER UserTime;
} KERNEL\_USER\_TIMES, \*PKERNEL\_USER\_TIMES;
typedef struct \_PROCESS\_ACCESS\_TOKEN
{
HANDLE Token;
HANDLE Thread;
} PROCESS\_ACCESS\_TOKEN, \*PPROCESS\_ACCESS\_TOKEN;
typedef struct \_POOLED\_USAGE\_AND\_LIMITS
{
ULONG PeakPagedPoolUsage;
ULONG PagedPoolUsage;
ULONG PagedPoolLimit;
ULONG PeakNonPagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG NonPagedPoolLimit;
ULONG PeakPagefileUsage;
ULONG PagefileUsage;
ULONG PagefileLimit;
} POOLED\_USAGE\_AND\_LIMITS, \*PPOOLED\_USAGE\_AND\_LIMITS;
typedef struct \_PROCESS\_WS\_WATCH\_INFORMATION
{
PVOID FaultingPc;
PVOID FaultingVa;
} PROCESS\_WS\_WATCH\_INFORMATION, \*PPROCESS\_WS\_WATCH\_INFORMATION;
typedef struct \_PROCESS\_PRIORITY\_CLASS
{
BOOLEAN Foreground;
UCHAR PriorityClass;
} PROCESS\_PRIORITY\_CLASS, \*PPROCESS\_PRIORITY\_CLASS;
typedef struct \_PROCESS\_DEVICEMAP\_INFORMATION
{
union
{
struct
{
HANDLE DirectoryHandle;
} Set;
struct
{
ULONG DriveMap;
UCHAR DriveType\[\];
} Query;
};
} PROCESS\_DEVICEMAP\_INFORMATION, \*PPROCESS\_DEVICEMAP\_INFORMATION;
typedef struct \_PROCESS\_SESSION\_INFORMATION
{
ULONG SessionId;
} PROCESS\_SESSION\_INFORMATION, \*PPROCESS\_SESSION\_INFORMATION;
typedef struct \_DEBUG\_BUFFER
{
HANDLE SectionHandle;
PVOID SectionBase;
PVOID RemoteSectionBase;
ULONG SectionBaseDelta;
HANDLE EventPairHandle;
ULONG Unknown\[\];
HANDLE RemoteThreadHandle;
ULONG InfoClassMask;
ULONG SizeOfInfo;
ULONG AllocatedSize;
ULONG SectionSize;
PVOID ModuleInformation;
PVOID BackTraceInformation;
PVOID HeapInformation;
PVOID LockInformation;
PVOID Reserved\[\];
} DEBUG\_BUFFER, \*PDEBUG\_BUFFER;
typedef struct \_DEBUG\_MODULE\_INFORMATION
{
ULONG Reserved\[\];
ULONG Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName\[\];
} DEBUG\_MODULE\_INFORMATION, \*PDEBUG\_MODULE\_INFORMATION;
typedef struct \_DEBUG\_HEAP\_INFORMATION
{
ULONG Base;
ULONG Flags;
USHORT Granularity;
USHORT Unknown;
ULONG Allocated;
ULONG Committed;
ULONG TagCount;
ULONG BlockCount;
ULONG Reserved\[\];
PVOID Tags;
PVOID Blocks;
} DEBUG\_HEAP\_INFORMATION, \*PDEBUG\_HEAP\_INFORMATION;
typedef struct \_DEBUG\_LOCK\_INFORMATION
{
PVOID Address;
USHORT Type;
USHORT CreatorBackTraceIndex;
ULONG OwnerThreadId;
ULONG ActiveCount;
ULONG ContentionCount;
ULONG EntryCount;
ULONG RecursionCount;
ULONG NumberOfSharedWaiters;
ULONG NumberOfExclusiveWaiters;
} DEBUG\_LOCK\_INFORMATION, \*PDEBUG\_LOCK\_INFORMATION;
typedef struct \_LPC\_MESSAGE
{
USHORT DataSize;
USHORT MessageSize;
USHORT MessageType;
USHORT VirtualRangesOffset;
CLIENT\_ID ClientId;
ULONG MessageId;
ULONG SectionSize;
UCHAR Data\[ANYSIZE\_ARRAY\];
} LPC\_MESSAGE, \*PLPC\_MESSAGE;
typedef struct \_LPC\_SECTION\_WRITE
{
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
ULONG ViewSize;
PVOID ViewBase;
PVOID TargetViewBase;
} LPC\_SECTION\_WRITE, \*PLPC\_SECTION\_WRITE;
typedef struct \_LPC\_SECTION\_READ
{
ULONG Length;
ULONG ViewSize;
PVOID ViewBase;
} LPC\_SECTION\_READ, \*PLPC\_SECTION\_READ;
typedef struct \_KEY\_LAST\_WRITE\_TIME\_INFORMATION
{
LARGE\_INTEGER LastWriteTime;
} KEY\_LAST\_WRITE\_TIME\_INFORMATION, \*PKEY\_LAST\_WRITE\_TIME\_INFORMATION;
typedef struct \_KEY\_NAME\_INFORMATION
{
ULONG NameLength;
WCHAR Name\[\];
} KEY\_NAME\_INFORMATION, \*PKEY\_NAME\_INFORMATION;
typedef struct \_ATOM\_BASIC\_INFORMATION
{
USHORT ReferenceCount;
USHORT Pinned;
USHORT NameLength;
WCHAR Name\[\];
} ATOM\_BASIC\_INFORMATION, \*PATOM\_BASIC\_INFORMATION;
typedef struct \_ATOM\_LIST\_INFORMATION
{
ULONG NumberOfAtoms;
ATOM Atoms\[\];
} ATOM\_LIST\_INFORMATION, \*PATOM\_LIST\_INFORMATION;
typedef struct \_RTL\_SPLAY\_LINKS
{
struct \_RTL\_SPLAY\_LINKS \*Parent;
struct \_RTL\_SPLAY\_LINKS \*LeftChild;
struct \_RTL\_SPLAY\_LINKS \*RightChild;
} RTL\_SPLAY\_LINKS, \*PRTL\_SPLAY\_LINKS;
typedef struct \_RTL\_HANDLE\_TABLE\_ENTRY
{
struct \_RTL\_HANDLE\_TABLE\_ENTRY \*Next;
PVOID Object;
} RTL\_HANDLE\_TABLE\_ENTRY, \*PRTL\_HANDLE\_TABLE\_ENTRY;
typedef struct \_RTL\_HANDLE\_TABLE
{
ULONG MaximumNumberOfHandles;
ULONG SizeOfHandleTableEntry;
ULONG Unknown01;
ULONG Unknown02;
PRTL\_HANDLE\_TABLE\_ENTRY FreeHandles;
PRTL\_HANDLE\_TABLE\_ENTRY CommittedHandles;
PRTL\_HANDLE\_TABLE\_ENTRY UnCommittedHandles;
PRTL\_HANDLE\_TABLE\_ENTRY MaxReservedHandles;
} RTL\_HANDLE\_TABLE, \*PRTL\_HANDLE\_TABLE;
typedef struct \_KEY\_BASIC\_INFORMATION
{
LARGE\_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG NameLength;
WCHAR Name\[\];
} KEY\_BASIC\_INFORMATION, \*PKEY\_BASIC\_INFORMATION;
typedef struct \_KEY\_NODE\_INFORMATION
{
LARGE\_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG ClassOffset;
ULONG ClassLength;
ULONG NameLength;
WCHAR Name\[\];
} KEY\_NODE\_INFORMATION, \*PKEY\_NODE\_INFORMATION;
typedef struct \_KEY\_FULL\_INFORMATION
{
LARGE\_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG ClassOffset;
ULONG ClassLength;
ULONG SubKeys;
ULONG MaxNameLen;
ULONG MaxClassLen;
ULONG Values;
ULONG MaxValueNameLen;
ULONG MaxValueDataLen;
WCHAR Class\[\];
} KEY\_FULL\_INFORMATION, \*PKEY\_FULL\_INFORMATION;
typedef struct \_KEY\_CACHED\_INFORMATION
{
LARGE\_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG SubKeys;
ULONG MaxNameLen;
ULONG Values;
ULONG MaxValueNameLen;
ULONG MaxValueDataLen;
ULONG NameLength;
WCHAR Name\[\];
} KEY\_CACHED\_INFORMATION, \*PKEY\_CACHED\_INFORMATION;
typedef struct \_KEY\_FLAGS\_INFORMATION
{
ULONG UserFlags;
} KEY\_FLAGS\_INFORMATION, \*PKEY\_FLAGS\_INFORMATION;
typedef struct \_KEY\_VALUE\_BASIC\_INFORMATION
{
ULONG TitleIndex;
ULONG Type;
ULONG NameLength;
WCHAR Name\[\];
} KEY\_VALUE\_BASIC\_INFORMATION, \*PKEY\_VALUE\_BASIC\_INFORMATION;
typedef struct \_KEY\_VALUE\_FULL\_INFORMATION
{
ULONG TitleIndex;
ULONG Type;
ULONG DataOffset;
ULONG DataLength;
ULONG NameLength;
WCHAR Name\[\];
} KEY\_VALUE\_FULL\_INFORMATION, \*PKEY\_VALUE\_FULL\_INFORMATION;
typedef struct \_KEY\_VALUE\_PARTIAL\_INFORMATION
{
ULONG TitleIndex;
ULONG Type;
ULONG DataLength;
UCHAR Data\[\];
} KEY\_VALUE\_PARTIAL\_INFORMATION, \*PKEY\_VALUE\_PARTIAL\_INFORMATION;
typedef struct \_SYSTEM\_TIMEOFDAY\_INFORMATION
{
LARGE\_INTEGER BootTime;
LARGE\_INTEGER CurrentTime;
LARGE\_INTEGER TimeZoneBias;
ULONG TimeZoneId;
ULONG Reserved;
} SYSTEM\_TIMEOFDAY\_INFORMATION, \*PSYSTEM\_TIMEOFDAY\_INFORMATION;
typedef struct \_SYSTEM\_PROCESS\_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE\_INTEGER SpareLi1;
LARGE\_INTEGER SpareLi2;
LARGE\_INTEGER SpareLi3;
LARGE\_INTEGER CreateTime;
LARGE\_INTEGER UserTime;
LARGE\_INTEGER KernelTime;
UNICODE\_STRING ImageName;
KPRIORITY BasePriority;
ULONG\_PTR UniqueProcessId;
ULONG\_PTR InheritedFromUniqueProcessId;
ULONG HandleCount;
} SYSTEM\_PROCESS\_INFORMATION, \*PSYSTEM\_PROCESS\_INFORMATION;
typedef struct \_SYSTEM\_DEVICE\_INFORMATION
{
ULONG NumberOfDisks;
ULONG NumberOfFloppies;
ULONG NumberOfCdRoms;
ULONG NumberOfTapes;
ULONG NumberOfSerialPorts;
ULONG NumberOfParallelPorts;
} SYSTEM\_DEVICE\_INFORMATION, \*PSYSTEM\_DEVICE\_INFORMATION;
typedef struct \_SYSTEM\_PROCESSOR\_PERFORMANCE\_INFORMATION
{
LARGE\_INTEGER IdleTime;
LARGE\_INTEGER KernelTime;
LARGE\_INTEGER UserTime;
LARGE\_INTEGER DpcTime;
LARGE\_INTEGER InterruptTime;
ULONG InterruptCount;
} SYSTEM\_PROCESSOR\_PERFORMANCE\_INFORMATION, \*PSYSTEM\_PROCESSOR\_PERFORMANCE\_INFORMATION;
typedef struct \_SYSTEM\_FLAGS\_INFORMATION
{
ULONG GlobalFlag;
} SYSTEM\_FLAGS\_INFORMATION, \*PSYSTEM\_FLAGS\_INFORMATION;
typedef struct \_SYSTEM\_VDM\_INSTEMUL\_INFO
{
ULONG SegmentNotPresent;
ULONG VdmOpcode0F;
ULONG OpcodeESPrefix;
ULONG OpcodeCSPrefix;
ULONG OpcodeSSPrefix;
ULONG OpcodeDSPrefix;
ULONG OpcodeFSPrefix;
ULONG OpcodeGSPrefix;
ULONG OpcodeOPER32Prefix;
ULONG OpcodeADDR32Prefix;
ULONG OpcodeINSB;
ULONG OpcodeINSW;
ULONG OpcodeOUTSB;
ULONG OpcodeOUTSW;
ULONG OpcodePUSHF;
ULONG OpcodePOPF;
ULONG OpcodeINTnn;
ULONG OpcodeINTO;
ULONG OpcodeIRET;
ULONG OpcodeINBimm;
ULONG OpcodeINWimm;
ULONG OpcodeOUTBimm;
ULONG OpcodeOUTWimm;
ULONG OpcodeINB;
ULONG OpcodeINW;
ULONG OpcodeOUTB;
ULONG OpcodeOUTW;
ULONG OpcodeLOCKPrefix;
ULONG OpcodeREPNEPrefix;
ULONG OpcodeREPPrefix;
ULONG OpcodeHLT;
ULONG OpcodeCLI;
ULONG OpcodeSTI;
ULONG BopCount;
} SYSTEM\_VDM\_INSTEMUL\_INFO, \*PSYSTEM\_VDM\_INSTEMUL\_INFO;
typedef struct \_SYSTEM\_QUERY\_TIME\_ADJUST\_INFORMATION
{
ULONG TimeAdjustment;
ULONG TimeIncrement;
BOOLEAN Enable;
} SYSTEM\_QUERY\_TIME\_ADJUST\_INFORMATION, \*PSYSTEM\_QUERY\_TIME\_ADJUST\_INFORMATION;
typedef struct \_SYSTEM\_SET\_TIME\_ADJUST\_INFORMATION
{
ULONG TimeAdjustment;
BOOLEAN Enable;
} SYSTEM\_SET\_TIME\_ADJUST\_INFORMATION, \*PSYSTEM\_SET\_TIME\_ADJUST\_INFORMATION;
typedef struct \_SYSTEM\_THREAD\_INFORMATION
{
LARGE\_INTEGER KernelTime;
LARGE\_INTEGER UserTime;
LARGE\_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT\_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} SYSTEM\_THREAD\_INFORMATION, \*PSYSTEM\_THREAD\_INFORMATION;
typedef struct \_SYSTEM\_MEMORY\_INFO
{
PUCHAR StringOffset;
USHORT ValidCount;
USHORT TransitionCount;
USHORT ModifiedCount;
USHORT PageTableCount;
} SYSTEM\_MEMORY\_INFO, \*PSYSTEM\_MEMORY\_INFO;
typedef struct \_SYSTEM\_MEMORY\_INFORMATION
{
ULONG InfoSize;
ULONG StringStart;
SYSTEM\_MEMORY\_INFO Memory\[\];
} SYSTEM\_MEMORY\_INFORMATION, \*PSYSTEM\_MEMORY\_INFORMATION;
typedef struct \_SYSTEM\_CRASH\_STATE\_INFORMATION
{
ULONG ValidCrashDump;
} SYSTEM\_CRASH\_STATE\_INFORMATION, \*PSYSTEM\_CRASH\_STATE\_INFORMATION;
typedef struct \_SYSTEM\_GDI\_DRIVER\_INFORMATION
{
UNICODE\_STRING DriverName;
PVOID ImageAddress;
PVOID SectionPointer;
PVOID EntryPoint;
PIMAGE\_EXPORT\_DIRECTORY ExportSectionPointer;
ULONG ImageLength;
} SYSTEM\_GDI\_DRIVER\_INFORMATION, \*PSYSTEM\_GDI\_DRIVER\_INFORMATION;
typedef struct \_SYSTEM\_BOOT\_ENVIRONMENT\_INFORMATION
{
GUID CurrentBootGuid;
ULONG Unknown;
} SYSTEM\_BOOT\_ENVIRONMENT\_INFORMATION, \*PSYSTEM\_BOOT\_ENVIRONMENT\_INFORMATION;
typedef struct \_FILE\_DIRECTORY\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER EndOfFile;
LARGE\_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_DIRECTORY\_INFORMATION, \*PFILE\_DIRECTORY\_INFORMATION;
typedef struct \_FILE\_FULL\_DIR\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER EndOfFile;
LARGE\_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
WCHAR FileName\[\];
} FILE\_FULL\_DIR\_INFORMATION, \*PFILE\_FULL\_DIR\_INFORMATION;
typedef struct \_FILE\_BOTH\_DIR\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER EndOfFile;
LARGE\_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName\[\];
WCHAR FileName\[\];
} FILE\_BOTH\_DIR\_INFORMATION, \*PFILE\_BOTH\_DIR\_INFORMATION;
typedef struct \_FILE\_BASIC\_INFORMATION
{
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
ULONG FileAttributes;
} FILE\_BASIC\_INFORMATION, \*PFILE\_BASIC\_INFORMATION;
typedef struct \_FILE\_STANDARD\_INFORMATION
{
LARGE\_INTEGER AllocationSize;
LARGE\_INTEGER EndOfFile;
ULONG NumberOfLinks;
BOOLEAN DeletePending;
BOOLEAN Directory;
} FILE\_STANDARD\_INFORMATION, \*PFILE\_STANDARD\_INFORMATION;
typedef struct \_FILE\_INTERNAL\_INFORMATION
{
LARGE\_INTEGER IndexNumber;
} FILE\_INTERNAL\_INFORMATION, \*PFILE\_INTERNAL\_INFORMATION;
typedef struct \_FILE\_EA\_INFORMATION
{
ULONG EaSize;
} FILE\_EA\_INFORMATION, \*PFILE\_EA\_INFORMATION;
typedef struct \_FILE\_ACCESS\_INFORMATION
{
ACCESS\_MASK AccessFlags;
} FILE\_ACCESS\_INFORMATION, \*PFILE\_ACCESS\_INFORMATION;
typedef struct \_FILE\_NAME\_INFORMATION
{
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_NAME\_INFORMATION, \*PFILE\_NAME\_INFORMATION;
typedef struct \_FILE\_RENAME\_INFORMATION
{
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_RENAME\_INFORMATION, \*PFILE\_RENAME\_INFORMATION;
typedef struct \_FILE\_NAMES\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_NAMES\_INFORMATION, \*PFILE\_NAMES\_INFORMATION;
typedef struct \_FILE\_DISPOSITION\_INFORMATION
{
BOOLEAN DeleteFile;
} FILE\_DISPOSITION\_INFORMATION, \*PFILE\_DISPOSITION\_INFORMATION;
typedef struct \_FILE\_POSITION\_INFORMATION
{
LARGE\_INTEGER CurrentByteOffset;
} FILE\_POSITION\_INFORMATION, \*PFILE\_POSITION\_INFORMATION;
typedef struct \_FILE\_FULL\_EA\_INFORMATION
{
ULONG NextEntryOffset;
UCHAR Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
CHAR EaName\[\];
} FILE\_FULL\_EA\_INFORMATION, \*PFILE\_FULL\_EA\_INFORMATION;
typedef struct \_FILE\_MODE\_INFORMATION
{
ULONG Mode;
} FILE\_MODE\_INFORMATION, \*PFILE\_MODE\_INFORMATION;
typedef struct \_FILE\_ALIGNMENT\_INFORMATION
{
ULONG AlignmentRequirement;
} FILE\_ALIGNMENT\_INFORMATION, \*PFILE\_ALIGNMENT\_INFORMATION;
typedef struct \_FILE\_ALL\_INFORMATION
{
FILE\_BASIC\_INFORMATION BasicInformation;
FILE\_STANDARD\_INFORMATION StandardInformation;
FILE\_INTERNAL\_INFORMATION InternalInformation;
FILE\_EA\_INFORMATION EaInformation;
FILE\_ACCESS\_INFORMATION AccessInformation;
FILE\_POSITION\_INFORMATION PositionInformation;
FILE\_MODE\_INFORMATION ModeInformation;
FILE\_ALIGNMENT\_INFORMATION AlignmentInformation;
FILE\_NAME\_INFORMATION NameInformation;
} FILE\_ALL\_INFORMATION, \*PFILE\_ALL\_INFORMATION;
typedef struct \_FILE\_ALLOCATION\_INFORMATION
{
LARGE\_INTEGER AllocationSize;
} FILE\_ALLOCATION\_INFORMATION, \*PFILE\_ALLOCATION\_INFORMATION;
typedef struct \_FILE\_END\_OF\_FILE\_INFORMATION
{
LARGE\_INTEGER EndOfFile;
} FILE\_END\_OF\_FILE\_INFORMATION, \*PFILE\_END\_OF\_FILE\_INFORMATION;
typedef struct \_FILE\_STREAM\_INFORMATION
{
ULONG NextEntryOffset;
ULONG StreamNameLength;
LARGE\_INTEGER StreamSize;
LARGE\_INTEGER StreamAllocationSize;
WCHAR StreamName\[\];
} FILE\_STREAM\_INFORMATION, \*PFILE\_STREAM\_INFORMATION;
typedef struct \_FILE\_PIPE\_INFORMATION
{
ULONG ReadMode;
ULONG CompletionMode;
} FILE\_PIPE\_INFORMATION, \*PFILE\_PIPE\_INFORMATION;
typedef struct \_FILE\_PIPE\_LOCAL\_INFORMATION
{
ULONG NamedPipeType;
ULONG NamedPipeConfiguration;
ULONG MaximumInstances;
ULONG CurrentInstances;
ULONG InboundQuota;
ULONG ReadDataAvailable;
ULONG OutboundQuota;
ULONG WriteQuotaAvailable;
ULONG NamedPipeState;
ULONG NamedPipeEnd;
} FILE\_PIPE\_LOCAL\_INFORMATION, \*PFILE\_PIPE\_LOCAL\_INFORMATION;
typedef struct \_FILE\_PIPE\_REMOTE\_INFORMATION
{
LARGE\_INTEGER CollectDataTime;
ULONG MaximumCollectionCount;
} FILE\_PIPE\_REMOTE\_INFORMATION, \*PFILE\_PIPE\_REMOTE\_INFORMATION;
typedef struct \_FILE\_MAILSLOT\_QUERY\_INFORMATION
{
ULONG MaximumMessageSize;
ULONG MailslotQuota;
ULONG NextMessageSize;
ULONG MessagesAvailable;
LARGE\_INTEGER ReadTimeout;
} FILE\_MAILSLOT\_QUERY\_INFORMATION, \*PFILE\_MAILSLOT\_QUERY\_INFORMATION;
typedef struct \_FILE\_MAILSLOT\_SET\_INFORMATION
{
PLARGE\_INTEGER ReadTimeout;
} FILE\_MAILSLOT\_SET\_INFORMATION, \*PFILE\_MAILSLOT\_SET\_INFORMATION;
typedef struct \_FILE\_COMPRESSION\_INFORMATION
{
LARGE\_INTEGER CompressedFileSize;
USHORT CompressionFormat;
UCHAR CompressionUnitShift;
UCHAR ChunkShift;
UCHAR ClusterShift;
UCHAR Reserved\[\];
} FILE\_COMPRESSION\_INFORMATION, \*PFILE\_COMPRESSION\_INFORMATION;
typedef struct \_FILE\_LINK\_INFORMATION
{
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_LINK\_INFORMATION, \*PFILE\_LINK\_INFORMATION;
typedef struct \_FILE\_OBJECTID\_INFORMATION
{
LONGLONG FileReference;
UCHAR ObjectId\[\];
union
{
struct
{
UCHAR BirthVolumeId\[\];
UCHAR BirthObjectId\[\];
UCHAR DomainId\[\];
};
UCHAR ExtendedInfo\[\];
};
} FILE\_OBJECTID\_INFORMATION, \*PFILE\_OBJECTID\_INFORMATION;
typedef struct \_FILE\_COMPLETION\_INFORMATION
{
HANDLE Port;
PVOID Key;
} FILE\_COMPLETION\_INFORMATION, \*PFILE\_COMPLETION\_INFORMATION;
typedef struct \_FILE\_MOVE\_CLUSTER\_INFORMATION
{
ULONG ClusterCount;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_MOVE\_CLUSTER\_INFORMATION, \*PFILE\_MOVE\_CLUSTER\_INFORMATION;
typedef struct \_FILE\_ATTRIBUTE\_TAG\_INFORMATION
{
ULONG FileAttributes;
ULONG ReparseTag;
} FILE\_ATTRIBUTE\_TAG\_INFORMATION, \*PFILE\_ATTRIBUTE\_TAG\_INFORMATION;
typedef struct \_FILE\_TRACKING\_INFORMATION
{
HANDLE DestinationFile;
ULONG ObjectInformationLength;
CHAR ObjectInformation\[\];
} FILE\_TRACKING\_INFORMATION, \*PFILE\_TRACKING\_INFORMATION;
typedef struct \_FILE\_REPARSE\_POINT\_INFORMATION
{
LONGLONG FileReference;
ULONG Tag;
} FILE\_REPARSE\_POINT\_INFORMATION, \*PFILE\_REPARSE\_POINT\_INFORMATION;
typedef struct \_FILE\_QUOTA\_INFORMATION
{
ULONG NextEntryOffset;
ULONG SidLength;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER QuotaUsed;
LARGE\_INTEGER QuotaThreshold;
LARGE\_INTEGER QuotaLimit;
SID Sid;
} FILE\_QUOTA\_INFORMATION, \*PFILE\_QUOTA\_INFORMATION;
typedef struct \_FILE\_ID\_BOTH\_DIR\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER EndOfFile;
LARGE\_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName\[\];
LARGE\_INTEGER FileId;
WCHAR FileName\[\];
} FILE\_ID\_BOTH\_DIR\_INFORMATION, \*PFILE\_ID\_BOTH\_DIR\_INFORMATION;
typedef struct \_FILE\_ID\_FULL\_DIR\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER EndOfFile;
LARGE\_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
LARGE\_INTEGER FileId;
WCHAR FileName\[\];
} FILE\_ID\_FULL\_DIR\_INFORMATION, \*PFILE\_ID\_FULL\_DIR\_INFORMATION;
typedef struct \_FILE\_VALID\_DATA\_LENGTH\_INFORMATION
{
LARGE\_INTEGER ValidDataLength;
} FILE\_VALID\_DATA\_LENGTH\_INFORMATION, \*PFILE\_VALID\_DATA\_LENGTH\_INFORMATION;
typedef struct \_FILE\_IO\_COMPLETION\_NOTIFICATION\_INFORMATION
{
ULONG Flags;
} FILE\_IO\_COMPLETION\_NOTIFICATION\_INFORMATION, \*PFILE\_IO\_COMPLETION\_NOTIFICATION\_INFORMATION;
typedef struct \_FILE\_PROCESS\_IDS\_USING\_FILE\_INFORMATION
{
ULONG NumberOfProcessIdsInList;
ULONG\_PTR ProcessIdList\[\];
} FILE\_PROCESS\_IDS\_USING\_FILE\_INFORMATION, \*PFILE\_PROCESS\_IDS\_USING\_FILE\_INFORMATION;
typedef struct \_FILE\_IOSTATUSBLOCK\_RANGE\_INFORMATION
{
PUCHAR IoStatusBlockRange;
ULONG Length;
} FILE\_IOSTATUSBLOCK\_RANGE\_INFORMATION, \*PFILE\_IOSTATUSBLOCK\_RANGE\_INFORMATION;
typedef struct \_FILE\_IO\_PRIORITY\_HINT\_INFORMATION
{
IO\_PRIORITY\_HINT PriorityHint;
} FILE\_IO\_PRIORITY\_HINT\_INFORMATION, \*PFILE\_IO\_PRIORITY\_HINT\_INFORMATION;
typedef struct \_FILE\_SFIO\_RESERVE\_INFORMATION
{
ULONG RequestsPerPeriod;
ULONG Period;
BOOLEAN RetryFailures;
BOOLEAN Discardable;
ULONG RequestSize;
ULONG NumOutstandingRequests;
} FILE\_SFIO\_RESERVE\_INFORMATION, \*PFILE\_SFIO\_RESERVE\_INFORMATION;
typedef struct \_FILE\_SFIO\_VOLUME\_INFORMATION
{
ULONG MaximumRequestsPerPeriod;
ULONG MinimumPeriod;
ULONG MinimumTransferSize;
} FILE\_SFIO\_VOLUME\_INFORMATION, \*PFILE\_SFIO\_VOLUME\_INFORMATION;
typedef struct \_FILE\_LINK\_ENTRY\_INFORMATION
{
ULONG NextEntryOffset;
LONGLONG ParentFileId;
ULONG FileNameLength;
WCHAR FileName\[\];
} FILE\_LINK\_ENTRY\_INFORMATION, \*PFILE\_LINK\_ENTRY\_INFORMATION;
typedef struct \_FILE\_LINKS\_INFORMATION
{
ULONG BytesNeeded;
ULONG EntriesReturned;
FILE\_LINK\_ENTRY\_INFORMATION Entry;
} FILE\_LINKS\_INFORMATION, \*PFILE\_LINKS\_INFORMATION;
typedef struct \_FILE\_ID\_GLOBAL\_TX\_DIR\_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE\_INTEGER CreationTime;
LARGE\_INTEGER LastAccessTime;
LARGE\_INTEGER LastWriteTime;
LARGE\_INTEGER ChangeTime;
LARGE\_INTEGER EndOfFile;
LARGE\_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
LARGE\_INTEGER FileId;
GUID LockingTransactionId;
ULONG TxInfoFlags;
WCHAR FileName\[\];
} FILE\_ID\_GLOBAL\_TX\_DIR\_INFORMATION, \*PFILE\_ID\_GLOBAL\_TX\_DIR\_INFORMATION;
typedef struct \_FILE\_IS\_REMOTE\_DEVICE\_INFORMATION
{
BOOLEAN IsRemote;
} FILE\_IS\_REMOTE\_DEVICE\_INFORMATION, \*PFILE\_IS\_REMOTE\_DEVICE\_INFORMATION;
typedef struct \_FILE\_NUMA\_NODE\_INFORMATION
{
USHORT NodeNumber;
} FILE\_NUMA\_NODE\_INFORMATION, \*PFILE\_NUMA\_NODE\_INFORMATION;
typedef struct \_FILE\_FS\_VOLUME\_INFORMATION
{
LARGE\_INTEGER VolumeCreationTime;
ULONG VolumeSerialNumber;
ULONG VolumeLabelLength;
BOOLEAN SupportsObjects;
WCHAR VolumeLabel\[\];
} FILE\_FS\_VOLUME\_INFORMATION, \*PFILE\_FS\_VOLUME\_INFORMATION;
typedef struct \_FILE\_FS\_LABEL\_INFORMATION
{
ULONG VolumeLabelLength;
WCHAR VolumeLabel\[\];
} FILE\_FS\_LABEL\_INFORMATION, \*PFILE\_FS\_LABEL\_INFORMATION;
typedef struct \_FILE\_FS\_SIZE\_INFORMATION
{
LARGE\_INTEGER TotalAllocationUnits;
LARGE\_INTEGER AvailableAllocationUnits;
ULONG SectorsPerAllocationUnit;
ULONG BytesPerSector;
} FILE\_FS\_SIZE\_INFORMATION, \*PFILE\_FS\_SIZE\_INFORMATION;
typedef struct \_FILE\_FS\_DEVICE\_INFORMATION
{
DEVICE\_TYPE DeviceType;
ULONG Characteristics;
} FILE\_FS\_DEVICE\_INFORMATION, \*PFILE\_FS\_DEVICE\_INFORMATION;
typedef struct \_FILE\_FS\_ATTRIBUTE\_INFORMATION
{
ULONG FileSystemAttributes;
LONG MaximumComponentNameLength;
ULONG FileSystemNameLength;
WCHAR FileSystemName\[\];
} FILE\_FS\_ATTRIBUTE\_INFORMATION, \*PFILE\_FS\_ATTRIBUTE\_INFORMATION;
typedef struct \_FILE\_FS\_CONTROL\_INFORMATION
{
LARGE\_INTEGER FreeSpaceStartFiltering;
LARGE\_INTEGER FreeSpaceThreshold;
LARGE\_INTEGER FreeSpaceStopFiltering;
LARGE\_INTEGER DefaultQuotaThreshold;
LARGE\_INTEGER DefaultQuotaLimit;
ULONG FileSystemControlFlags;
} FILE\_FS\_CONTROL\_INFORMATION, \*PFILE\_FS\_CONTROL\_INFORMATION;
typedef struct \_FILE\_FS\_FULL\_SIZE\_INFORMATION
{
LARGE\_INTEGER TotalAllocationUnits;
LARGE\_INTEGER CallerAvailableAllocationUnits;
LARGE\_INTEGER ActualAvailableAllocationUnits;
ULONG SectorsPerAllocationUnit;
ULONG BytesPerSector;
} FILE\_FS\_FULL\_SIZE\_INFORMATION, \*PFILE\_FS\_FULL\_SIZE\_INFORMATION;
typedef struct \_FILE\_FS\_OBJECTID\_INFORMATION
{
UCHAR ObjectId\[\];
UCHAR ExtendedInfo\[\];
} FILE\_FS\_OBJECTID\_INFORMATION, \*PFILE\_FS\_OBJECTID\_INFORMATION;
typedef struct \_FILE\_FS\_DRIVER\_PATH\_INFORMATION
{
BOOLEAN DriverInPath;
ULONG DriverNameLength;
WCHAR DriverName\[\];
} FILE\_FS\_DRIVER\_PATH\_INFORMATION, \*PFILE\_FS\_DRIVER\_PATH\_INFORMATION;
typedef struct \_FILE\_FS\_VOLUME\_FLAGS\_INFORMATION
{
ULONG Flags;
} FILE\_FS\_VOLUME\_FLAGS\_INFORMATION, \*PFILE\_FS\_VOLUME\_FLAGS\_INFORMATION;
typedef struct \_SECTION\_IMAGE\_INFORMATION
{
PVOID TransferAddress;
ULONG ZeroBits;
ULONG\_PTR MaximumStackSize;
ULONG\_PTR CommittedStackSize;
ULONG SubSystemType;
union \_SECTION\_IMAGE\_INFORMATION\_u0
{
struct \_SECTION\_IMAGE\_INFORMATION\_s0
{
USHORT SubSystemMinorVersion;
USHORT SubSystemMajorVersion;
};
ULONG SubSystemVersion;
};
ULONG GpValue;
USHORT ImageCharacteristics;
USHORT DllCharacteristics;
USHORT Machine;
BOOLEAN ImageContainsCode;
BOOLEAN Spare1;
ULONG LoaderFlags;
ULONG Reserved\[\];
} SECTION\_IMAGE\_INFORMATION, \*PSECTION\_IMAGE\_INFORMATION;
typedef struct \_RTL\_USER\_PROCESS\_INFORMATION
{
ULONG Length;
HANDLE ProcessHandle;
HANDLE ThreadHandle;
CLIENT\_ID ClientId;
SECTION\_IMAGE\_INFORMATION ImageInformation;
} RTL\_USER\_PROCESS\_INFORMATION, \*PRTL\_USER\_PROCESS\_INFORMATION;
typedef struct \_LDR\_DATA\_TABLE\_ENTRY
{
LIST\_ENTRY InLoadOrderLinks;
LIST\_ENTRY InMemoryOrderLinks;
LIST\_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE\_STRING FullDllName;
UNICODE\_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST\_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
PVOID Unknown1;
PVOID Unknown2;
PVOID Unknown3;
} LDR\_DATA\_TABLE\_ENTRY, \*PLDR\_DATA\_TABLE\_ENTRY;
typedef struct \_PORT\_MESSAGE
{
union
{
struct
{
USHORT DataLength;
USHORT TotalLength;
} s1;
ULONG Length;
} u1;
union
{
struct
{
USHORT Type;
USHORT DataInfoOffset;
} s2;
ULONG ZeroInit;
} u2;
union
{
CLIENT\_ID ClientId;
double DoNotUseThisField;
};
ULONG MessageId;
union
{
ULONG\_PTR ClientViewSize;
ULONG CallbackId;
};
} PORT\_MESSAGE, \*PPORT\_MESSAGE;
typedef struct \_PORT\_VIEW
{
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
SIZE\_T ViewSize;
PVOID ViewBase;
PVOID ViewRemoteBase;
} PORT\_VIEW, \*PPORT\_VIEW;
typedef struct \_REMOTE\_PORT\_VIEW
{
ULONG Length;
SIZE\_T ViewSize;
PVOID ViewBase;
} REMOTE\_PORT\_VIEW, \*PREMOTE\_PORT\_VIEW;
typedef struct RTL\_HEAP\_PARAMETERS
{
ULONG Length;
ULONG SegmentReserve;
ULONG SegmentCommit;
ULONG DeCommitFreeBlockThreshold;
ULONG DeCommitTotalFreeThreshold;
ULONG MaximumAllocationSize;
ULONG VirtualMemoryThreshold;
ULONG InitialCommit;
ULONG InitialReserve;
PVOID CommitRoutine;
ULONG Reserved;
} RTL\_HEAP\_PARAMETERS, \*PRTL\_HEAP\_PARAMETERS;
typedef struct \_EVENT\_BASIC\_INFORMATION
{
EVENT\_TYPE EventType;
LONG EventState;
} EVENT\_BASIC\_INFORMATION, \*PEVENT\_BASIC\_INFORMATION;#pragma endregion
#pragma region TYPEDEF API
typedef VOID(NTAPI \*PKNORMAL\_ROUTINE)(
IN PVOID NormalContext,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2
);
typedef VOID(NTAPI \*PIO\_APC\_ROUTINE)(
IN PVOID ApcContext,
IN PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG Reserved
);
typedef VOID(NTAPI \*PIO\_APC\_ROUTINE)(
IN PVOID ApcContext,
IN PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG Reserved
);
typedef VOID(NTAPI \*PUSER\_THREAD\_START\_ROUTINE)(
IN PVOID ApcArgument1
);#pragma endregion
#pragma region DEFINE API
#ifndef WIN64
#define NtCurrentProcess() ((HANDLE)0xFFFFFFFF)
#define NtCurrentThread() ((HANDLE)0xFFFFFFFE)
#else // WIN64
#define NtCurrentProcess() ((HANDLE)0xFFFFFFFFFFFFFFFF)
#define NtCurrentThread() ((HANDLE)0xFFFFFFFFFFFFFFFE)
#endif // WIN64
#define NtCurrentPeb() (PPEB)(NtCurrentTeb()->ProcessEnvironmentBlock)
#define RtlProcessHeap() (HANDLE)(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap)
#define DECLARE_INTERNAL_OBJECT(x) struct _##x; typedef struct _##x *P##x;
#define DECLARE_INTERNAL_OBJECT2(x,y) struct _##x; typedef struct _##x *P##y;
#define InitializeObjectAttributes(p, n, a, r, s) \
{ \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define InitializeMessageHeader(ph, l, t) \
{ \
(ph)->u1.s1.TotalLength = (USHORT)(l); \
(ph)->u1.s1.DataLength = (USHORT)(l - sizeof(PORT_MESSAGE)); \
(ph)->u2.s2.Type = (USHORT)(t); \
(ph)->u2.s2.DataInfoOffset = ; \
(ph)->ClientId.UniqueProcess = NULL; \
(ph)->ClientId.UniqueThread = NULL; \
(ph)->MessageId = ; \
(ph)->ClientViewSize = ; \
}
#define RtlInitEmptyUnicodeString(ucStr, buf, bufSize) \
{ \
(ucStr)->Buffer = (buf); \
(ucStr)->Length = ; \
(ucStr)->MaximumLength = (USHORT)(bufSize); \
}
#define ABSOLUTE_INTERVAL(wait) (wait)
#define RELATIVE_INTERVAL(wait) (-(wait))
#define NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)
#define MICROSECONDS(micros) (((signed __int64)(micros)) * NANOSECONDS(1000L))
#define MILISECONDS(mili) (((signed __int64)(mili)) * MICROSECONDS(1000L))
#define SECONDS(seconds) (((signed __int64)(seconds)) * MILISECONDS(1000L))
#pragma endregion
#pragma region REAL API
BOOLEAN FORCEINLINE IsListEmpty(IN const LIST\_ENTRY \*ListHead)
{
return (BOOLEAN)(ListHead->Flink == ListHead);
}
FORCEINLINE VOID InitializeListHead(IN PLIST\_ENTRY ListHead)
{
ListHead->Flink = ListHead->Blink = ListHead;
}
FORCEINLINE VOID InsertHeadList(IN OUT PLIST\_ENTRY ListHead, IN OUT PLIST\_ENTRY Entry)
{
PLIST\_ENTRY Flink;
Flink = ListHead->Flink;
Entry->Flink = Flink;
Entry->Blink = ListHead;
Flink->Blink = Entry;
ListHead->Flink = Entry;
}
FORCEINLINE VOID InsertTailList(IN OUT PLIST\_ENTRY ListHead, IN OUT PLIST\_ENTRY Entry)
{
PLIST\_ENTRY Blink;
Blink = ListHead->Blink;
Entry->Flink = ListHead;
Entry->Blink = Blink;
Blink->Flink = Entry;
ListHead->Blink = Entry;
}
FORCEINLINE BOOLEAN RemoveEntryList(IN PLIST\_ENTRY Entry)
{
PLIST\_ENTRY Blink;
PLIST\_ENTRY Flink;
Flink = Entry->Flink;
Blink = Entry->Blink;
Blink->Flink = Flink;
Flink->Blink = Blink;
return (BOOLEAN)(Flink == Blink);
}#pragma endregion
#pragma region NATIVE API
NTSYSAPI NTSTATUS NTAPI NtAcceptConnectPort(
OUT PHANDLE PortHandle,
IN PVOID PortContext OPTIONAL,
IN PPORT\_MESSAGE ConnectionRequest,
IN BOOLEAN AcceptConnection,
IN OUT PPORT\_VIEW ServerView OPTIONAL,
OUT PREMOTE\_PORT\_VIEW ClientView OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheck(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN HANDLE TokenHandle,
IN ACCESS\_MASK DesiredAccess,
IN PGENERIC\_MAPPING GenericMapping,
OUT PPRIVILEGE\_SET PrivilegeSet,
IN PULONG PrivilegeSetLength,
OUT PACCESS\_MASK GrantedAccess,
OUT PBOOLEAN AccessStatus
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheckAndAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE\_STRING ObjectTypeName,
IN PUNICODE\_STRING ObjectName,
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN ACCESS\_MASK DesiredAccess,
IN PGENERIC\_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS\_MASK GrantedAccess,
OUT PBOOLEAN AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheckByType(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN HANDLE TokenHandle,
IN ULONG DesiredAccess,
IN POBJECT\_TYPE\_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC\_MAPPING GenericMapping,
IN PPRIVILEGE\_SET PrivilegeSet,
IN PULONG PrivilegeSetLength,
OUT PACCESS\_MASK GrantedAccess,
OUT PULONG AccessStatus
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheckByTypeAndAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE\_STRING ObjectTypeName,
IN PUNICODE\_STRING ObjectName,
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN ACCESS\_MASK DesiredAccess,
IN AUDIT\_EVENT\_TYPE AuditType,
IN ULONG Flags,
IN POBJECT\_TYPE\_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC\_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS\_MASK GrantedAccess,
OUT PULONG AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheckByTypeResultList(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN HANDLE TokenHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_TYPE\_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC\_MAPPING GenericMapping,
IN PPRIVILEGE\_SET PrivilegeSet,
IN PULONG PrivilegeSetLength,
OUT PACCESS\_MASK GrantedAccessList,
OUT PULONG AccessStatusList
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE\_STRING ObjectTypeName,
IN PUNICODE\_STRING ObjectName,
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN ACCESS\_MASK DesiredAccess,
IN AUDIT\_EVENT\_TYPE AuditType,
IN ULONG Flags,
IN POBJECT\_TYPE\_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC\_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS\_MASK GrantedAccessList,
OUT PULONG AccessStatusList,
OUT PULONG GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN HANDLE TokenHandle,
IN PUNICODE\_STRING ObjectTypeName,
IN PUNICODE\_STRING ObjectName,
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid,
IN ACCESS\_MASK DesiredAccess,
IN AUDIT\_EVENT\_TYPE AuditType,
IN ULONG Flags,
IN POBJECT\_TYPE\_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC\_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS\_MASK GrantedAccessList,
OUT PULONG AccessStatusList,
OUT PULONG GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtAddAtom(
IN PWSTR String,
IN ULONG StringLength,
OUT PUSHORT Atom
);
NTSYSAPI NTSTATUS NTAPI NtAddBootEntry(
IN PUNICODE\_STRING EntryName,
IN PUNICODE\_STRING EntryValue
);
NTSYSAPI NTSTATUS NTAPI NtAddDriverEntry(
IN PUNICODE\_STRING DriverName,
IN PUNICODE\_STRING DriverPath
);
NTSYSAPI NTSTATUS NTAPI NtAdjustGroupsToken(
IN HANDLE TokenHandle,
IN BOOLEAN ResetToDefault,
IN PTOKEN\_GROUPS NewState,
IN ULONG BufferLength,
OUT PTOKEN\_GROUPS PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI NtAdjustPrivilegesToken(
IN HANDLE TokenHandle,
IN BOOLEAN DisableAllPrivileges,
IN PTOKEN\_PRIVILEGES NewState OPTIONAL,
IN ULONG BufferLength OPTIONAL,
IN PTOKEN\_PRIVILEGES PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI NtAlertResumeThread(
IN HANDLE ThreadHandle,
OUT PULONG PreviousSuspendCount OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtAllocateLocallyUniqueId(
OUT PLUID Luid
);
NTSYSAPI NTSTATUS NTAPI NtAllocateUserPhysicalPages(
IN HANDLE ProcessHandle,
IN PULONG NumberOfPages,
OUT PULONG PageFrameNumbers
);
NTSYSAPI NTSTATUS NTAPI NtAllocateUuids(
OUT PLARGE\_INTEGER UuidLastTimeAllocated,
OUT PULONG UuidDeltaTime,
OUT PULONG UuidSequenceNumber,
OUT PUCHAR UuidSeed
);
NTSYSAPI NTSTATUS NTAPI NtAllocateVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG AllocationSize,
IN ULONG AllocationType,
IN ULONG Protect
);
NTSYSAPI NTSTATUS NTAPI NtAreMappedFilesTheSame(
IN PVOID Address1,
IN PVOID Address2
);
NTSYSAPI NTSTATUS NTAPI NtAssignProcessToJobObject(
IN HANDLE JobHandle,
IN HANDLE ProcessHandle
);
NTSYSAPI NTSTATUS NTAPI NtCallbackReturn(
IN PVOID Result OPTIONAL,
IN ULONG ResultLength,
IN NTSTATUS Status
);
NTSYSAPI NTSTATUS NTAPI NtCancelDeviceWakeupRequest(
IN HANDLE DeviceHandle
);
NTSYSAPI NTSTATUS NTAPI NtCancelIoFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock
);
NTSYSAPI NTSTATUS NTAPI NtCancelTimer(
IN HANDLE TimerHandle,
OUT PBOOLEAN PreviousState OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtClearEvent(
IN HANDLE EventHandle
);
NTSYSAPI NTSTATUS NTAPI NtClose(
IN HANDLE Handle
);
NTSYSAPI NTSTATUS NTAPI NtCloseObjectAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN BOOLEAN GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtCompactKeys(
IN ULONG Length,
IN HANDLE Key
);
NTSYSAPI NTSTATUS NTAPI NtCompareTokens(
IN HANDLE FirstTokenHandle,
IN HANDLE SecondTokenHandle,
OUT PBOOLEAN IdenticalTokens
);
NTSYSAPI NTSTATUS NTAPI NtCompleteConnectPort(
IN HANDLE PortHandle
);
NTSYSAPI NTSTATUS NTAPI NtCompressKey(
IN HANDLE Key
);
NTSYSAPI NTSTATUS NTAPI NtConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE\_STRING PortName,
IN PSECURITY\_QUALITY\_OF\_SERVICE SecurityQos,
IN OUT PLPC\_SECTION\_WRITE WriteSection OPTIONAL,
IN OUT PLPC\_SECTION\_READ ReadSection OPTIONAL,
OUT PULONG MaxMessageSize OPTIONAL,
IN OUT PVOID ConnectData OPTIONAL,
IN OUT PULONG ConnectDataLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtContinue(
IN PCONTEXT Context,
IN BOOLEAN TestAlert
);
NTSYSAPI NTSTATUS NTAPI NtCreateDebugObject(
OUT PHANDLE DebugObject,
IN ULONG AccessRequired,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN BOOLEAN KillProcessOnExit
);
NTSYSAPI NTSTATUS NTAPI NtCreateDirectoryObject(
OUT PHANDLE DirectoryHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN EVENT\_TYPE EventType,
IN BOOLEAN InitialState
);
NTSYSAPI NTSTATUS NTAPI NtCreateEventPair(
OUT PHANDLE EventPairHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PLARGE\_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
);
NTSYSAPI NTSTATUS NTAPI NtCreateIoCompletion(
OUT PHANDLE IoCompletionHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN ULONG NumberOfConcurrentThreads
);
NTSYSAPI NTSTATUS NTAPI NtCreateJobObject(
OUT PHANDLE JobHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtCreateJobSet(
IN ULONG Jobs,
IN PJOB\_SET\_ARRAY JobSet,
IN ULONG Reserved
);
NTSYSAPI NTSTATUS NTAPI NtCreateKey(
OUT PHANDLE KeyHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE\_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtCreateKeyedEvent(
OUT PHANDLE KeyedEventHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN ULONG Reserved
);
NTSYSAPI NTSTATUS NTAPI NtCreateMailslotFile(
OUT PHANDLE FileHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG CreateOptions,
IN ULONG InBufferSize,
IN ULONG MaxMessageSize,
IN PLARGE\_INTEGER ReadTimeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtCreateMutant(
OUT PHANDLE MutantHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL,
IN BOOLEAN InitialOwner
);
NTSYSAPI NTSTATUS NTAPI NtCreateNamedPipeFile(
OUT PHANDLE FileHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN BOOLEAN TypeMessage,
IN BOOLEAN ReadmodeMessage,
IN BOOLEAN Nonblocking,
IN ULONG MaxInstances,
IN ULONG InBufferSize,
IN ULONG OutBufferSize,
IN PLARGE\_INTEGER DefaultTimeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtCreatePort(
OUT PHANDLE PortHandle,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN ULONG MaxConnectionInfoLength,
IN ULONG MaxMessageLength,
IN ULONG MaxPoolUsage
);
NTSYSAPI NTSTATUS NTAPI NtCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN ULONG CreateFlags,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugObject OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN ULONG JobMemberLevel
);
NTSYSAPI NTSTATUS NTAPI NtCreateProfile(
OUT PHANDLE ProfileHandle,
IN HANDLE ProcessHandle,
IN PVOID Base,
IN ULONG Size,
IN ULONG BucketShift,
IN PULONG Buffer,
IN ULONG BufferLength,
IN KPROFILE\_SOURCE Source,
IN ULONG ProcessorMask
);
NTSYSAPI NTSTATUS NTAPI NtCreateSection(
OUT PHANDLE SectionHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN PLARGE\_INTEGER SectionSize OPTIONAL,
IN ULONG Protect,
IN ULONG Attributes,
IN HANDLE FileHandle
);
NTSYSAPI NTSTATUS NTAPI NtCreateSemaphore(
OUT PHANDLE SemaphoreHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG InitialCount,
IN ULONG MaximumCount
);
NTSYSAPI NTSTATUS NTAPI NtCreateSymbolicLinkObject(
OUT PHANDLE SymbolicLinkHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN PUNICODE\_STRING TargetName
);
NTSYSAPI NTSTATUS NTAPI NtCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN HANDLE ProcessHandle,
OUT PCLIENT\_ID ClientId,
IN PCONTEXT ThreadContext,
IN PUSER\_STACK UserStack,
IN BOOLEAN CreateSuspended
);
NTSYSAPI NTSTATUS NTAPI NtCreateToken(
OUT PHANDLE TokenHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN TOKEN\_TYPE Type,
IN PLUID AuthenticationId,
IN PLARGE\_INTEGER ExpirationTime,
IN PTOKEN\_USER User,
IN PTOKEN\_GROUPS Groups,
IN PTOKEN\_PRIVILEGES Privileges,
IN PTOKEN\_OWNER Owner,
IN PTOKEN\_PRIMARY\_GROUP PrimaryGroup,
IN PTOKEN\_DEFAULT\_DACL DefaultDacl,
IN PTOKEN\_SOURCE Source
);
NTSYSAPI NTSTATUS NTAPI NtCreateWaitablePort(
OUT PHANDLE PortHandle,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN ULONG MaxConnectionInfoLength,
IN ULONG MaxMessageLength,
IN ULONG MaxPoolUsage
);
NTSYSAPI NTSTATUS NTAPI NtDebugActiveProcess(
IN HANDLE Process,
IN HANDLE DebugObject
);
NTSYSAPI NTSTATUS NTAPI NtDebugContinue(
IN HANDLE DebugObject,
IN PCLIENT\_ID AppClientId,
IN NTSTATUS ContinueStatus
);
NTSYSAPI NTSTATUS NTAPI NtDelayExecution(
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER DelayInterval
);
NTSYSAPI NTSTATUS NTAPI NtDeleteAtom(
IN USHORT Atom
);
NTSYSAPI NTSTATUS NTAPI NtDeleteBootEntry(
IN PUNICODE\_STRING EntryName,
IN PUNICODE\_STRING EntryValue
);
NTSYSAPI NTSTATUS NTAPI NtDeleteDriverEntry(
IN PUNICODE\_STRING DriverName,
IN PUNICODE\_STRING DriverPath
);
NTSYSAPI NTSTATUS NTAPI NtDeleteFile(
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtDeleteKey(
IN HANDLE KeyHandle
);
NTSYSAPI NTSTATUS NTAPI NtDeleteObjectAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN BOOLEAN GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtDeleteValueKey(
IN HANDLE KeyHandle,
IN PUNICODE\_STRING ValueName
);
NTSYSAPI NTSTATUS NTAPI NtDeviceIoControlFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
NTSYSAPI NTSTATUS NTAPI NtDisplayString(
IN PUNICODE\_STRING String
);
NTSYSAPI NTSTATUS NTAPI NtDuplicateObject(
IN HANDLE SourceProcessHandle,
IN HANDLE SourceHandle,
IN HANDLE TargetProcessHandle OPTIONAL,
OUT PHANDLE TargetHandle OPTIONAL,
IN ACCESS\_MASK DesiredAccess,
IN ULONG HandleAttributes,
IN ULONG Options
);
NTSYSAPI NTSTATUS NTAPI NtDuplicateToken(
IN HANDLE ExistingTokenHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN BOOLEAN EffectiveOnly,
IN TOKEN\_TYPE TokenType,
OUT PHANDLE NewTokenHandle
);
NTSYSAPI NTSTATUS NTAPI NtEnumerateBootEntries(
IN ULONG Unknown1,
IN ULONG Unknown2
);
NTSYSAPI NTSTATUS NTAPI NtEnumerateKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY\_INFORMATION\_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG KeyInformationLength,
OUT PULONG ResultLength
);
NTSYSAPI NTSTATUS NTAPI NtEnumerateSystemEnvironmentValuesEx(
IN ULONG Unknown1,
IN ULONG Unknown2,
IN ULONG Unknown3
);
NTSYSAPI NTSTATUS NTAPI NtEnumerateValueKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY\_VALUE\_INFORMATION\_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG KeyValueInformationLength,
OUT PULONG ResultLength
);
NTSYSAPI NTSTATUS NTAPI NtExtendSection(
IN HANDLE SectionHandle,
IN PLARGE\_INTEGER SectionSize
);
NTSYSAPI NTSTATUS NTAPI NtFilterToken(
IN HANDLE ExistingTokenHandle,
IN ULONG Flags,
IN PTOKEN\_GROUPS SidsToDisable,
IN PTOKEN\_PRIVILEGES PrivilegesToDelete,
IN PTOKEN\_GROUPS SidsToRestricted,
OUT PHANDLE NewTokenHandle
);
NTSYSAPI NTSTATUS NTAPI NtFindAtom(
IN PWSTR String,
IN ULONG StringLength,
OUT PUSHORT Atom
);
NTSYSAPI NTSTATUS NTAPI NtFlushBuffersFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock
);
NTSYSAPI NTSTATUS NTAPI NtFlushInstructionCache(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress OPTIONAL,
IN ULONG FlushSize
);
NTSYSAPI NTSTATUS NTAPI NtFlushKey(
IN HANDLE KeyHandle
);
NTSYSAPI NTSTATUS NTAPI NtFlushVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN OUT PULONG FlushSize,
OUT PIO\_STATUS\_BLOCK IoStatusBlock
);
NTSYSAPI NTSTATUS NTAPI NtFlushWriteBuffer(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtYieldExecution(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtWriteVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWriteRequestData(
IN HANDLE PortHandle,
IN PPORT\_MESSAGE Message,
IN ULONG Index,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWriteFileGather(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PFILE\_SEGMENT\_ELEMENT Buffer,
IN ULONG Length,
IN PLARGE\_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE\_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWaitLowEventPair(
IN HANDLE EventPairHandle
);
NTSYSAPI NTSTATUS NTAPI NtWaitHighEventPair(
IN HANDLE EventPairHandle
);
NTSYSAPI NTSTATUS NTAPI NtWaitForSingleObject(
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWaitForMultipleObjects32(
IN ULONG HandleCount,
IN PHANDLE Handles,
IN WAIT\_TYPE WaitType,
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWaitForMultipleObjects(
IN ULONG HandleCount,
IN PHANDLE Handles,
IN WAIT\_TYPE WaitType,
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtWaitForKeyedEvent(
IN HANDLE KeyedEventHandle,
IN PVOID Key,
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress
);
NTSYSAPI NTSTATUS NTAPI NtUnlockVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN OUT PULONG LockSize,
IN ULONG LockType
);
NTSYSAPI NTSTATUS NTAPI NtUnlockFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PULARGE\_INTEGER LockOffset,
IN PULARGE\_INTEGER LockLength,
IN ULONG Key
);
NTSYSAPI NTSTATUS NTAPI NtUnloadKeyEx(
IN POBJECT\_ATTRIBUTES KeyObjectAttributes,
IN HANDLE EventHandle OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtUnloadKey2(
IN POBJECT\_ATTRIBUTES KeyObjectAttributes,
IN BOOLEAN ForceUnload
);
NTSYSAPI NTSTATUS NTAPI NtUnloadKey(
IN POBJECT\_ATTRIBUTES KeyObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtUnloadDriver(
IN PUNICODE\_STRING DriverServiceName
);
NTSYSAPI NTSTATUS NTAPI NtTerminateThread(
IN HANDLE ThreadHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI NTSTATUS NTAPI NtTerminateJobObject(
IN HANDLE JobHandle,
IN NTSTATUS ExitStatus
);
NTSYSAPI NTSTATUS NTAPI NtSystemDebugControl(
IN DEBUG\_CONTROL\_CODE ControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtSuspendThread(
IN HANDLE ThreadHandle,
OUT PULONG PreviousSuspendCount OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtSuspendProcess(
IN HANDLE Process
);
NTSYSAPI NTSTATUS NTAPI NtStopProfile(
IN HANDLE ProfileHandle
);
NTSYSAPI NTSTATUS NTAPI NtStartProfile(
IN HANDLE ProfileHandle
);
NTSYSAPI NTSTATUS NTAPI NtSignalAndWaitForSingleObject(
IN HANDLE HandleToSignal,
IN HANDLE HandleToWait,
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtShutdownSystem(
IN SHUTDOWN\_ACTION Action
);
NTSYSAPI NTSTATUS NTAPI NtSetVolumeInformationFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG BufferLength,
IN FS\_INFORMATION\_CLASS VolumeInformationClass
);
NTSYSAPI NTSTATUS NTAPI NtSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE\_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
NTSYSAPI NTSTATUS NTAPI NtSetUuidSeed(
IN PUCHAR UuidSeed
);
NTSYSAPI NTSTATUS NTAPI NtSetTimerResolution(
IN ULONG RequestedResolution,
IN BOOLEAN Set,
OUT PULONG ActualResolution
);
NTSYSAPI NTSTATUS NTAPI NtSetThreadExecutionState(
IN EXECUTION\_STATE ExecutionState,
OUT PEXECUTION\_STATE PreviousExecutionState
);
NTSYSAPI NTSTATUS NTAPI NtSetSystemTime(
IN PLARGE\_INTEGER NewTime,
OUT PLARGE\_INTEGER OldTime OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtSetSystemPowerState(
IN POWER\_ACTION SystemAction,
IN SYSTEM\_POWER\_STATE MinSystemState,
IN ULONG Flags
);
NTSYSAPI NTSTATUS NTAPI NtSetSystemInformation(
IN SYSTEM\_INFORMATION\_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetSystemEnvironmentValue(
IN PUNICODE\_STRING Name,
IN PUNICODE\_STRING Value
);
NTSYSAPI NTSTATUS NTAPI NtSetSecurityObject(
IN HANDLE Handle,
IN SECURITY\_INFORMATION SecurityInformation,
IN PSECURITY\_DESCRIPTOR SecurityDescriptor
);
NTSYSAPI NTSTATUS NTAPI NtSetLowWaitHighEventPair(
IN HANDLE EventPairHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetLowEventPair(
IN HANDLE EventPairHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetLdtEntries(
IN ULONG Selector1,
IN LDT\_ENTRY LdtEntry1,
IN ULONG Selector2,
IN LDT\_ENTRY LdtEntry2
);
NTSYSAPI NTSTATUS NTAPI NtSetIoCompletion(
IN HANDLE IoCompletionHandle,
IN ULONG CompletionKey,
IN ULONG CompletionValue,
IN NTSTATUS Status,
IN ULONG Information
);
NTSYSAPI NTSTATUS NTAPI NtSetIntervalProfile(
IN ULONG Interval,
IN KPROFILE\_SOURCE Source
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationToken(
IN HANDLE TokenHandle,
IN TOKEN\_INFORMATION\_CLASS TokenInformationClass,
IN PVOID TokenInformation,
IN ULONG TokenInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationObject(
IN HANDLE ObjectHandle,
IN OBJECT\_INFORMATION\_CLASS ObjectInformationClass,
IN PVOID ObjectInformation,
IN ULONG ObjectInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationKey(
IN HANDLE KeyHandle,
IN KEY\_SET\_INFORMATION\_CLASS KeyInformationClass,
IN PVOID KeyInformation,
IN ULONG KeyInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationJobObject(
IN HANDLE JobHandle,
IN JOBOBJECTINFOCLASS JobInformationClass,
IN PVOID JobInformation,
IN ULONG JobInformationLength
);
NTSYSAPI NTSTATUS NTAPI NtSetInformationFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE\_INFORMATION\_CLASS FileInformationClass
);
NTSYSAPI NTSTATUS NTAPI NtSetHighWaitLowEventPair(
IN HANDLE EventPairHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetHighEventPair(
IN HANDLE EventPairHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetEventBoostPriority(
IN HANDLE EventHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetEvent(
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtSetEaFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PFILE\_FULL\_EA\_INFORMATION Buffer,
IN ULONG BufferLength
);
NTSYSAPI NTSTATUS NTAPI NtSetDefaultUILanguage(
IN LANGID LanguageId
);
NTSYSAPI NTSTATUS NTAPI NtSetDefaultLocale(
IN BOOLEAN ThreadOrSystem,
IN LCID Locale
);
NTSYSAPI NTSTATUS NTAPI NtSetDefaultHardErrorPort(
IN HANDLE PortHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetDebugFilterState(
IN ULONG ComponentId,
IN ULONG Level,
IN BOOLEAN Enable
);
NTSYSAPI NTSTATUS NTAPI NtSetContextThread(
IN HANDLE ThreadHandle,
IN PCONTEXT Context
);
NTSYSAPI NTSTATUS NTAPI NtSetContextChannel(
IN HANDLE CHannelHandle
);
NTSYSAPI NTSTATUS NTAPI NtSetBootEntryOrder(
IN ULONG Unknown1,
IN ULONG Unknown2
);
NTSYSAPI NTSTATUS NTAPI NtSecureConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE\_STRING PortName,
IN PSECURITY\_QUALITY\_OF\_SERVICE SecurityQos,
IN OUT PPORT\_VIEW ClientView OPTIONAL,
IN PSID ServerSid OPTIONAL,
OUT PREMOTE\_PORT\_VIEW ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectInformation OPTIONAL,
IN OUT PULONG ConnectInformationLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtSaveMergedKeys(
IN HANDLE KeyHandle1,
IN HANDLE KeyHandle2,
IN HANDLE FileHandle
);
NTSYSAPI NTSTATUS NTAPI NtSaveKeyEx(
IN HANDLE KeyHandle,
IN HANDLE FileHandle,
IN ULONG Flags
);
NTSYSAPI NTSTATUS NTAPI NtSaveKey(
IN HANDLE KeyHandle,
IN HANDLE FileHandle
);
NTSYSAPI NTSTATUS NTAPI NtResumeThread(
IN HANDLE ThreadHandle,
OUT PULONG PreviousSuspendCount OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtResumeProcess(
IN HANDLE Process
);
NTSYSAPI NTSTATUS NTAPI NtRestoreKey(
IN HANDLE KeyHandle,
IN HANDLE FileHandle,
IN ULONG Flags
);
NTSYSAPI NTSTATUS NTAPI NtResetWriteWatch(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN ULONG RegionSize
);
NTSYSAPI NTSTATUS NTAPI NtResetEvent(
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtRequestWakeupLatency(
IN LATENCY\_TIME Latency
);
NTSYSAPI NTSTATUS NTAPI NtRequestWaitReplyPort(
IN HANDLE PortHandle,
IN PPORT\_MESSAGE RequestMessage,
OUT PPORT\_MESSAGE ReplyMessage
);
NTSYSAPI NTSTATUS NTAPI NtRequestPort(
IN HANDLE PortHandle,
IN PPORT\_MESSAGE RequestMessage
);
NTSYSAPI NTSTATUS NTAPI NtRequestDeviceWakeup(
IN HANDLE DeviceHandle
);
NTSYSAPI NTSTATUS NTAPI NtReplyWaitReplyPort(
IN HANDLE PortHandle,
IN OUT PPORT\_MESSAGE ReplyMessage
);
NTSYSAPI NTSTATUS NTAPI NtReplyWaitReceivePortEx(
IN HANDLE PortHandle,
OUT PVOID\* PortIdentifier OPTIONAL,
IN PPORT\_MESSAGE ReplyMessage OPTIONAL,
OUT PPORT\_MESSAGE Message,
IN PLARGE\_INTEGER Timeout
);
NTSYSAPI NTSTATUS NTAPI NtReplyWaitReceivePort(
IN HANDLE PortHandle,
OUT PULONG PortIdentifier OPTIONAL,
IN PPORT\_MESSAGE ReplyMessage OPTIONAL,
OUT PPORT\_MESSAGE Message
);
NTSYSAPI NTSTATUS NTAPI NtReplyPort(
IN HANDLE PortHandle,
IN PPORT\_MESSAGE ReplyMessage
);
NTSYSAPI NTSTATUS NTAPI NtReplaceKey(
IN POBJECT\_ATTRIBUTES NewFileObjectAttributes,
IN HANDLE KeyHandle,
IN POBJECT\_ATTRIBUTES OldFileObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtRenameKey(
IN HANDLE KeyHandle,
IN PUNICODE\_STRING ReplacementName
);
NTSYSAPI NTSTATUS NTAPI NtRemoveProcessDebug(
IN HANDLE Process,
IN HANDLE DebugObject
);
NTSYSAPI NTSTATUS NTAPI NtRemoveIoCompletion(
IN HANDLE IoCompletionHandle,
OUT PULONG CompletionKey,
OUT PULONG CompletionValue,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtReleaseSemaphore(
IN HANDLE SemaphoreHandle,
IN LONG ReleaseCount,
OUT PLONG PreviousCount OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtReleaseMutant(
IN HANDLE MutantHandle,
OUT PULONG PreviousState
);
NTSYSAPI NTSTATUS NTAPI NtReleaseKeyedEvent(
IN HANDLE KeyedEventHandle,
IN PVOID Key,
IN BOOLEAN Alertable,
IN PLARGE\_INTEGER Timeout OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtRegisterThreadTerminatePort(
IN HANDLE PortHandle
);
NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtReadRequestData(
IN HANDLE PortHandle,
IN PPORT\_MESSAGE Message,
IN ULONG Index,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtReadFileScatter(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PFILE\_SEGMENT\_ELEMENT Buffer,
IN ULONG Length,
IN PLARGE\_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE\_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtRaiseHardError(
IN NTSTATUS Status,
IN ULONG NumberOfArguments,
IN ULONG StringArgumentsMask,
IN PULONG\_PTR Arguments,
IN HARDERROR\_RESPONSE\_OPTION ResponseOption,
OUT PHARDERROR\_RESPONSE Response
);
NTSYSAPI NTSTATUS NTAPI NtRaiseException(
IN PEXCEPTION\_RECORD ExceptionRecord,
IN PCONTEXT Context,
IN BOOLEAN SearchFrames
);
NTSYSAPI NTSTATUS NTAPI NtQueueApcThread(
IN HANDLE ThreadHandle,
IN PKNORMAL\_ROUTINE ApcRoutine,
IN PVOID ApcContext OPTIONAL,
IN PVOID Argument1 OPTIONAL,
IN PVOID Argument2 OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryVolumeInformationFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
OUT PVOID VolumeInformation,
IN ULONG VolumeInformationLength,
IN FS\_INFORMATION\_CLASS VolumeInformationClass
);
NTSYSAPI NTSTATUS NTAPI NtQueryVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN MEMORY\_INFORMATION\_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation,
IN ULONG MemoryInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryValueKey(
IN HANDLE KeyHandle,
IN PUNICODE\_STRING ValueName,
IN KEY\_VALUE\_INFORMATION\_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG KeyValueInformationLength,
OUT PULONG ResultLength
);
NTSYSAPI NTSTATUS NTAPI NtQueryTimerResolution(
OUT PULONG CoarsestResolution,
OUT PULONG FinestResolution,
OUT PULONG ActualResolution
);
NTSYSAPI NTSTATUS NTAPI NtQuerySystemTime(
OUT PLARGE\_INTEGER CurrentTime
);
NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation(
IN SYSTEM\_INFORMATION\_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQuerySystemEnvironmentValueEx(
IN ULONG Unknown1,
IN ULONG Unknown2,
IN ULONG Unknown3,
IN ULONG Unknown4,
IN ULONG Unknown5
);
NTSYSAPI NTSTATUS NTAPI NtQuerySystemEnvironmentValue(
IN PUNICODE\_STRING Name,
OUT PVOID Value,
IN ULONG ValueLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQuerySymbolicLinkObject(
IN HANDLE SymbolicLinkHandle,
IN OUT PUNICODE\_STRING TargetName,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQuerySecurityObject(
IN HANDLE ObjectHandle,
IN SECURITY\_INFORMATION SecurityInformation,
OUT PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN ULONG DescriptorLength,
OUT PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI NtQuerySection(
IN HANDLE SectionHandle,
IN SECTION\_INFORMATION\_CLASS SectionInformationClass,
OUT PVOID SectionInformation,
IN ULONG SectionInformationLength,
OUT PULONG ResultLength OPTIONAL
);
NTSYSAPI BOOLEAN NTAPI NtQueryPortInformationProcess(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtQueryPerformanceCounter(
OUT PLARGE\_INTEGER PerformanceCount,
OUT PLARGE\_INTEGER PerformanceFrequency OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryOpenSubKeys(
IN POBJECT\_ATTRIBUTES KeyObjectAttributes,
OUT PULONG NumberOfKeys
);
NTSYSAPI NTSTATUS NTAPI NtQueryObject(
IN HANDLE ObjectHandle,
IN OBJECT\_INFORMATION\_CLASS ObjectInformationClass,
OUT PVOID ObjectInformation,
IN ULONG ObjectInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryMultipleValueKey(
IN HANDLE KeyHandle,
IN OUT PKEY\_VALUE\_ENTRY ValueList,
IN ULONG NumberOfValues,
OUT PVOID Buffer,
IN OUT PULONG Length,
OUT PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI NtQueryKey(
IN HANDLE KeyHandle,
IN KEY\_INFORMATION\_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG KeyInformationLength,
OUT PULONG ResultLength
);
NTSYSAPI NTSTATUS NTAPI NtQueryIntervalProfile(
IN KPROFILE\_SOURCE Source,
OUT PULONG Interval
);
NTSYSAPI NTSTATUS NTAPI NtQueryInstallUILanguage(
OUT PLANGID LanguageId
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationToken(
IN HANDLE TokenHandle,
IN TOKEN\_INFORMATION\_CLASS TokenInformationClass,
OUT PVOID TokenInformation,
IN ULONG TokenInformationLength,
OUT PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationPort(
IN HANDLE PortHandle,
IN PORT\_INFORMATION\_CLASS PortInformationClass,
OUT PVOID PortInformation,
IN ULONG PortInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationJobObject(
IN HANDLE JobHandle,
IN JOBOBJECTINFOCLASS JobInformationClass,
OUT PVOID JobInformation,
IN ULONG JobInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE\_INFORMATION\_CLASS FileInformationClass
);
NTSYSAPI NTSTATUS NTAPI NtQueryInformationAtom(
IN USHORT Atom,
IN ATOM\_INFORMATION\_CLASS AtomInformationClass,
OUT PVOID AtomInformation,
IN ULONG AtomInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryFullAttributesFile(
IN POBJECT\_ATTRIBUTES ObjectAttributes,
OUT PFILE\_NETWORK\_OPEN\_INFORMATION FileInformation
);
NTSYSAPI NTSTATUS NTAPI NtQueryEvent(
IN HANDLE EventHandle,
IN EVENT\_INFORMATION\_CLASS EventInformationClass,
OUT PVOID EventInformation,
IN ULONG EventInformationLength,
OUT PULONG ResultLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryObject(
IN HANDLE DirectoryHandle,
OUT PVOID Buffer,
IN ULONG BufferLength,
IN BOOLEAN ReturnSingleEntry,
IN BOOLEAN RestartScan,
IN OUT PULONG Context,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtQueryDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE\_INFORMATION\_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE\_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
);
NTSYSAPI NTSTATUS NTAPI NtQueryDefaultUILanguage(
OUT PLANGID LanguageId
);
NTSYSAPI NTSTATUS NTAPI NtQueryDefaultLocale(
IN BOOLEAN ThreadOrSystem,
OUT PLCID Locale
);
NTSYSAPI NTSTATUS NTAPI NtQueryDebugFilterState(
IN ULONG ComponentId,
IN ULONG Level
);
NTSYSAPI NTSTATUS NTAPI NtQueryBootOptions(
IN ULONG Unknown1,
IN ULONG Unknown2
);
NTSYSAPI NTSTATUS NTAPI NtQueryBootEntryOrder(
IN ULONG Unknown1,
IN ULONG Unknown2
);
NTSYSAPI NTSTATUS NTAPI NtQueryAttributesFile(
IN POBJECT\_ATTRIBUTES ObjectAttributes,
OUT PFILE\_BASIC\_INFORMATION FileInformation
);
NTSYSAPI NTSTATUS NTAPI NtPulseEvent(
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtProtectVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN OUT PULONG ProtectSize,
IN ULONG NewProtect,
OUT PULONG OldProtect
);
NTSYSAPI NTSTATUS NTAPI NtPrivilegedServiceAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PUNICODE\_STRING ServiceName,
IN HANDLE TokenHandle,
IN PPRIVILEGE\_SET Privileges,
IN BOOLEAN AccessGranted
);
NTSYSAPI NTSTATUS NTAPI NtPrivilegeObjectAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID HandleId,
IN HANDLE TokenHandle,
IN ACCESS\_MASK DesiredAccess,
IN PPRIVILEGE\_SET Privileges,
IN BOOLEAN AccessGranted
);
NTSYSAPI NTSTATUS NTAPI NtPrivilegeCheck(
IN HANDLE TokenHandle,
IN PPRIVILEGE\_SET RequiredPrivileges,
OUT PBOOLEAN Result
);
NTSYSAPI NTSTATUS NTAPI NtPowerInformation(
IN POWER\_INFORMATION\_LEVEL PowerInformationLevel,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
NTSYSAPI NTSTATUS NTAPI NtPlugPlayControl(
IN ULONG ControlCode,
IN OUT PVOID Buffer,
IN ULONG BufferLength,
IN PVOID Unknown OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtOpenTimer(
OUT PHANDLE TimerHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenThreadTokenEx(
IN HANDLE ThreadHandle,
IN ACCESS\_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle
);
NTSYSAPI NTSTATUS NTAPI NtOpenThreadToken(
IN HANDLE ThreadHandle,
IN ACCESS\_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
OUT PHANDLE TokenHandle
);
NTSYSAPI NTSTATUS NTAPI NtOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN PCLIENT\_ID ClientId
);
NTSYSAPI NTSTATUS NTAPI NtOpenSymbolicLinkObject(
OUT PHANDLE SymbolicLinkHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenSemaphore(
OUT PHANDLE SemaphoreHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtOpenSection(
OUT PHANDLE SectionHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenProcessTokenEx(
IN HANDLE ProcessHandle,
IN ACCESS\_MASK DesiredAccess,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle
);
NTSYSAPI NTSTATUS NTAPI NtOpenProcessToken(
IN HANDLE ProcessHandle,
IN ACCESS\_MASK DesiredAccess,
OUT PHANDLE TokenHandle
);
NTSYSAPI NTSTATUS NTAPI NtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
IN PCLIENT\_ID ClientId OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtOpenObjectAuditAlarm(
IN PUNICODE\_STRING SubsystemName,
IN PVOID \*HandleId,
IN PUNICODE\_STRING ObjectTypeName,
IN PUNICODE\_STRING ObjectName,
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN HANDLE TokenHandle,
IN ACCESS\_MASK DesiredAccess,
IN ACCESS\_MASK GrantedAccess,
IN PPRIVILEGE\_SET Privileges OPTIONAL,
IN BOOLEAN ObjectCreation,
IN BOOLEAN AccessGranted,
OUT PBOOLEAN GenerateOnClose
);
NTSYSAPI NTSTATUS NTAPI NtOpenMutant(
OUT PHANDLE MutantHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtOpenKeyedEvent(
OUT PHANDLE KeyedEventHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenJobObject(
OUT PHANDLE JobHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenIoCompletion(
OUT PHANDLE IoCompletionHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);
NTSYSAPI NTSTATUS NTAPI NtOpenEventPair(
OUT PHANDLE EventPairHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtOpenEvent(
OUT PHANDLE EventHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtOpenDirectoryObject(
OUT PHANDLE DirectoryHandle,
IN ACCESS\_MASK DesiredAccess,
IN POBJECT\_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtNotifyChangeMultipleKeys(
IN HANDLE KeyHandle,
IN ULONG Flags,
IN POBJECT\_ATTRIBUTES KeyObjectAttributes,
IN HANDLE EventHandle OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG NotifyFilter,
IN BOOLEAN WatchSubtree,
IN PVOID Buffer,
IN ULONG BufferLength,
IN BOOLEAN Asynchronous
);
NTSYSAPI NTSTATUS NTAPI NtNotifyChangeKey(
IN HANDLE KeyHandle,
IN HANDLE EventHandle OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG NotifyFilter,
IN BOOLEAN WatchSubtree,
IN PVOID Buffer,
IN ULONG BufferLength,
IN BOOLEAN Asynchronous
);
NTSYSAPI NTSTATUS NTAPI NtNotifyChangeDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
OUT PFILE\_NOTIFY\_INFORMATION Buffer,
IN ULONG BufferLength,
IN ULONG NotifyFilter,
IN BOOLEAN WatchSubtree
);
NTSYSAPI NTSTATUS NTAPI NtModifyDriverEntry(
IN PUNICODE\_STRING DriverName,
IN PUNICODE\_STRING DriverPath
);
NTSYSAPI NTSTATUS NTAPI NtModifyBootEntry(
IN PUNICODE\_STRING EntryName,
IN PUNICODE\_STRING EntryValue
);
NTSYSAPI NTSTATUS NTAPI NtMapViewOfSection(
IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE\_INTEGER SectionOffset OPTIONAL,
IN OUT PULONG ViewSize,
IN SECTION\_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Protect
);
NTSYSAPI NTSTATUS NTAPI NtMapUserPhysicalPagesScatter(
IN PVOID \*BaseAddresses,
IN PULONG NumberOfPages,
IN PULONG PageFrameNumbers
);
NTSYSAPI NTSTATUS NTAPI NtMapUserPhysicalPages(
IN PVOID BaseAddress,
IN PULONG NumberOfPages,
IN PULONG PageFrameNumbers
);
NTSYSAPI NTSTATUS NTAPI NtMakeTemporaryObject(
IN HANDLE ObjectHandle
);
NTSYSAPI NTSTATUS NTAPI NtMakePermanentObject(
IN HANDLE Object
);
NTSYSAPI NTSTATUS NTAPI NtLockVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN OUT PULONG LockSize,
IN ULONG LockType
);
NTSYSAPI NTSTATUS NTAPI NtLockRegistryKey(
IN HANDLE Key
);
NTSYSAPI NTSTATUS NTAPI NtLockFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN PULARGE\_INTEGER LockOffset,
IN PULARGE\_INTEGER LockLength,
IN ULONG Key,
IN BOOLEAN FailImmediately,
IN BOOLEAN ExclusiveLock
);
NTSYSAPI NTSTATUS NTAPI NtLoadKey(
IN POBJECT\_ATTRIBUTES KeyObjectAttributes,
IN POBJECT\_ATTRIBUTES FileObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI NtLoadKey2(
IN POBJECT\_ATTRIBUTES KeyObjectAttributes,
IN POBJECT\_ATTRIBUTES FileObjectAttributes,
IN ULONG Flags
);
NTSYSAPI NTSTATUS NTAPI NtLoadDriver(
IN PUNICODE\_STRING DriverServiceName
);
NTSYSAPI NTSTATUS NTAPI NtListenPort(
IN HANDLE PortHandle,
OUT PPORT\_MESSAGE RequestMessage
);
NTSYSAPI NTSTATUS NTAPI NtFreeUserPhysicalPages(
IN HANDLE ProcessHandle,
IN OUT PULONG NumberOfPages,
IN PULONG PageFrameNumbers
);
NTSYSAPI NTSTATUS NTAPI NtFreeVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID \*BaseAddress,
IN OUT PULONG FreeSize,
IN ULONG FreeType
);
NTSYSAPI NTSTATUS NTAPI NtFsControlFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO\_APC\_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
IN ULONG FsControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
NTSYSAPI NTSTATUS NTAPI NtGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);
NTSYSAPI NTSTATUS NTAPI NtGetDevicePowerState(
IN HANDLE DeviceHandle,
OUT PDEVICE\_POWER\_STATE DevicePowerState
);
NTSYSAPI NTSTATUS NTAPI NtGetPlugPlayEvent(
IN ULONG Reserved1,
IN ULONG Reserved2,
OUT PVOID Buffer,
IN ULONG BufferLength
);
NTSYSAPI NTSTATUS NTAPI NtGetWriteWatch(
IN HANDLE ProcessHandle,
IN ULONG Flags,
IN PVOID BaseAddress,
IN ULONG RegionSize,
OUT PULONG Buffer,
IN OUT PULONG BufferEntries,
OUT PULONG Granularity
);
NTSYSAPI NTSTATUS NTAPI NtImpersonateAnonymousToken(
IN HANDLE ThreadHandle
);
NTSYSAPI NTSTATUS NTAPI NtImpersonateClientOfPort(
IN HANDLE PortHandle,
IN PPORT\_MESSAGE Message
);
NTSYSAPI NTSTATUS NTAPI NtImpersonateThread(
IN HANDLE ThreadHandle,
IN HANDLE TargetThreadHandle,
IN PSECURITY\_QUALITY\_OF\_SERVICE SecurityQos
);
NTSYSAPI NTSTATUS NTAPI NtInitializeRegistry(
IN BOOLEAN Setup
);
NTSYSAPI NTSTATUS NTAPI NtInitiatePowerAction(
IN POWER\_ACTION SystemAction,
IN SYSTEM\_POWER\_STATE MinSystemState,
IN ULONG Flags,
IN BOOLEAN Asynchronous
);
NTSYSAPI NTSTATUS NTAPI NtIsProcessInJob(
IN HANDLE ProcessHandle,
IN HANDLE JobHandle OPTIONAL
);
NTSYSAPI BOOLEAN NTAPI NtIsSystemResumeAutomatic(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtTestAlert(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtAlertThread(
IN HANDLE ThreadHandle
);
NTSYSAPI ULONG NTAPI NtGetTickCount(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtW32Call(
IN ULONG RoutineIndex,
IN PVOID Argument,
IN ULONG ArgumentLength,
OUT PVOID \*Result OPTIONAL,
OUT PULONG ResultLength OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtSetLowWaitHighThread(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtSetHighWaitLowThread(
VOID
);
NTSYSAPI NTSTATUS NTAPI NtCreatePagingFile(
IN PUNICODE\_STRING FileName,
IN PULARGE\_INTEGER InitialSize,
IN PULARGE\_INTEGER MaximumSize,
IN ULONG Priority OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI NtVdmControl(
IN ULONG ControlCode,
IN PVOID ControlData
);
NTSYSAPI NTSTATUS NTAPI NtQueryEaFile(
IN HANDLE FileHandle,
OUT PIO\_STATUS\_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN BOOLEAN ReturnSingleEntry,
IN PVOID EaList OPTIONAL,
IN ULONG EaListLength,
IN PULONG EaIndex OPTIONAL,
IN BOOLEAN RestartScan
);
NTSTATUS NTAPI RtlCreateProcessParameters(
OUT PRTL\_USER\_PROCESS\_PARAMETERS \*ProcessParameters,
IN PUNICODE\_STRING ImageFile,
IN PUNICODE\_STRING DllPath OPTIONAL,
IN PUNICODE\_STRING CurrentDirectory OPTIONAL,
IN PUNICODE\_STRING CommandLine OPTIONAL,
IN PWSTR Environment OPTIONAL,
IN PUNICODE\_STRING WindowTitle OPTIONAL,
IN PUNICODE\_STRING DesktopInfo OPTIONAL,
IN PUNICODE\_STRING ShellInfo OPTIONAL,
IN PUNICODE\_STRING RuntimeInfo OPTIONAL
);
NTSTATUS NTAPI RtlDestroyProcessParameters(
IN PRTL\_USER\_PROCESS\_PARAMETERS ProcessParameters
);
PDEBUG\_BUFFER NTAPI RtlCreateQueryDebugBuffer(
IN ULONG Size,
IN BOOLEAN EventPair
);
NTSTATUS NTAPI RtlQueryProcessDebugInformation(
IN ULONG ProcessId,
IN ULONG DebugInfoClassMask,
IN OUT PDEBUG\_BUFFER DebugBuffer
);
NTSTATUS NTAPI RtlDestroyQueryDebugBuffer(
IN PDEBUG\_BUFFER DebugBuffer
);
NTSYSAPI VOID NTAPI RtlInitUnicodeString(
OUT PUNICODE\_STRING DestinationString,
IN PCWSTR SourceString
);
NTSYSAPI VOID NTAPI RtlInitString(
PSTRING DestinationString,
PCSTR SourceString
);
NTSYSAPI VOID NTAPI RtlInitAnsiString(
OUT PANSI\_STRING DestinationString,
IN PCSTR SourceString
);
NTSYSAPI NTSTATUS NTAPI RtlAnsiStringToUnicodeString(
OUT PUNICODE\_STRING DestinationString,
IN PANSI\_STRING SourceString,
IN BOOLEAN AllocateDestinationString
);
NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToAnsiString(
OUT PANSI\_STRING DestinationString,
IN PCUNICODE\_STRING SourceString,
IN BOOLEAN AllocateDestinationString
);
NTSYSAPI LONG NTAPI RtlCompareUnicodeString(
IN PUNICODE\_STRING String1,
IN PUNICODE\_STRING String2,
IN BOOLEAN CaseInSensitive
);
NTSYSAPI BOOLEAN NTAPI RtlEqualUnicodeString(
IN PCUNICODE\_STRING String1,
IN PCUNICODE\_STRING String2,
IN BOOLEAN CaseInSensitive
);
NTSYSAPI NTSTATUS NTAPI RtlHashUnicodeString(
IN CONST UNICODE\_STRING \*String,
IN BOOLEAN CaseInSensitive,
IN ULONG HashAlgorithm,
OUT PULONG HashValue
);
NTSYSAPI VOID NTAPI RtlCopyUnicodeString(
OUT PUNICODE\_STRING DestinationString,
IN PUNICODE\_STRING SourceString
);
NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeStringToString(
IN OUT PUNICODE\_STRING Destination,
IN PUNICODE\_STRING Source
);
NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeToString(
PUNICODE\_STRING Destination,
PCWSTR Source
);
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(
PUNICODE\_STRING UnicodeString
);
NTSYSAPI VOID NTAPI RtlFreeAnsiString(
PANSI\_STRING AnsiString
);
NTSYSAPI ULONG NTAPI RtlxUnicodeStringToAnsiSize(
PCUNICODE\_STRING UnicodeString
);
NTSYSAPI DWORD NTAPI RtlNtStatusToDosError(
IN NTSTATUS status
);
NTSYSAPI NTSTATUS NTAPI RtlAdjustPrivilege(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
);
NTSYSAPI BOOLEAN NTAPI RtlCreateUnicodeString(
OUT PUNICODE\_STRING DestinationString,
IN PCWSTR SourceString
);
NTSYSAPI BOOLEAN NTAPI RtlCreateUnicodeStringFromAsciiz(
OUT PUNICODE\_STRING Destination,
IN PCSTR Source
);
NTSYSAPI BOOLEAN NTAPI RtlPrefixUnicodeString(
IN PUNICODE\_STRING String1,
IN PUNICODE\_STRING String2,
IN BOOLEAN CaseInSensitive
);
NTSYSAPI NTSTATUS NTAPI RtlDuplicateUnicodeString(
IN BOOLEAN AllocateNew,
IN PUNICODE\_STRING SourceString,
OUT PUNICODE\_STRING TargetString
);
NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToInteger(
IN PUNICODE\_STRING String,
IN ULONG Base OPTIONAL,
OUT PULONG Value
);
NTSYSAPI NTSTATUS NTAPI RtlIntegerToUnicodeString(
IN ULONG Value,
IN ULONG Base OPTIONAL,
IN OUT PUNICODE\_STRING String
);
NTSYSAPI NTSTATUS NTAPI RtlGUIDFromString(
IN PUNICODE\_STRING GuidString,
OUT GUID \*Guid
);
NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeString(
OUT PUNICODE\_STRING DestinationString,
IN PUNICODE\_STRING SourceString,
IN BOOLEAN AllocateDestinationString
);
NTSYSAPI NTSTATUS NTAPI RtlDowncaseUnicodeString(
OUT PUNICODE\_STRING DestinationString,
IN PUNICODE\_STRING SourceString,
IN BOOLEAN AllocateDestinationString
);
NTSYSAPI NTSTATUS NTAPI RtlFormatCurrentUserKeyPath(
OUT PUNICODE\_STRING CurrentUserKeyPath
);
NTSYSAPI VOID NTAPI RtlRaiseStatus(
IN NTSTATUS Status
);
NTSYSAPI ULONG NTAPI RtlRandom(
IN OUT PULONG Seed
);
NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(
IN PRTL\_CRITICAL\_SECTION CriticalSection
);
NTSYSAPI BOOL NTAPI RtlTryEnterCriticalSection(
IN PRTL\_CRITICAL\_SECTION CriticalSection
);
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(
IN PRTL\_CRITICAL\_SECTION CriticalSection
);
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(
IN PRTL\_CRITICAL\_SECTION CriticalSection
);
NTSYSAPI NTSTATUS NTAPI RtlDeleteCriticalSection(
IN PRTL\_CRITICAL\_SECTION CriticalSection
);
NTSYSAPI NTSTATUS NTAPI RtlCompressBuffer(
IN USHORT CompressionFormatAndEngine,
IN PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
OUT PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
IN ULONG UncompressedChunkSize,
OUT PULONG FinalCompressedSize,
IN PVOID WorkSpace
);
NTSYSAPI NTSTATUS NTAPI RtlDecompressBuffer(
IN USHORT CompressionFormat,
OUT PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
IN PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
OUT PULONG FinalUncompressedSize
);
NTSYSAPI VOID NTAPI RtlInitializeHandleTable(
IN ULONG MaximumNumberOfHandles,
IN ULONG SizeOfHandleTableEntry,
OUT PRTL\_HANDLE\_TABLE HandleTable
);
NTSYSAPI PRTL\_HANDLE\_TABLE\_ENTRY NTAPI RtlAllocateHandle(
IN PRTL\_HANDLE\_TABLE HandleTable,
OUT PULONG HandleIndex OPTIONAL
);
NTSYSAPI BOOLEAN NTAPI RtlFreeHandle(
IN PRTL\_HANDLE\_TABLE HandleTable,
IN PRTL\_HANDLE\_TABLE\_ENTRY Handle
);
NTSYSAPI BOOLEAN NTAPI RtlIsValidIndexHandle(
IN PRTL\_HANDLE\_TABLE HandleTable,
IN ULONG HandleIndex,
OUT PRTL\_HANDLE\_TABLE\_ENTRY \*Handle
);
NTSYSAPI NTSTATUS NTAPI RtlOpenCurrentUser(
IN ULONG DesiredAccess,
OUT PHANDLE CurrentUserKey
);
NTSYSAPI NTSTATUS NTAPI RtlCreateEnvironment(
BOOLEAN CloneCurrentEnvironment,
PVOID \*Environment
);
NTSYSAPI NTSTATUS NTAPI RtlQueryEnvironmentVariable\_U(
PVOID Environment,
PUNICODE\_STRING Name,
PUNICODE\_STRING Value
);
NTSYSAPI NTSTATUS NTAPI RtlSetEnvironmentVariable(
PVOID \*Environment,
PUNICODE\_STRING Name,
PUNICODE\_STRING Value
);
NTSYSAPI NTSTATUS NTAPI RtlDestroyEnvironment(
PVOID Environment
);
NTSYSAPI BOOLEAN NTAPI RtlDosPathNameToNtPathName\_U(
IN PWSTR DosPathName,
OUT PUNICODE\_STRING NtPathName,
OUT PWSTR \* NtFileNamePart OPTIONAL,
OUT PCURDIR DirectoryInfo OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI RtlCreateUserProcess(
PUNICODE\_STRING NtImagePathName,
ULONG Attributes,
PRTL\_USER\_PROCESS\_PARAMETERS ProcessParameters,
PSECURITY\_DESCRIPTOR ProcessSecurityDescriptor,
PSECURITY\_DESCRIPTOR ThreadSecurityDescriptor,
HANDLE ParentProcess,
BOOLEAN InheritHandles,
HANDLE DebugPort,
HANDLE ExceptionPort,
PRTL\_USER\_PROCESS\_INFORMATION ProcessInformation
);
NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread(
IN HANDLE Process,
IN PSECURITY\_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL,
IN BOOLEAN CreateSuspended,
IN ULONG\_PTR ZeroBits OPTIONAL,
IN SIZE\_T MaximumStackSize OPTIONAL,
IN SIZE\_T CommittedStackSize OPTIONAL,
IN PUSER\_THREAD\_START\_ROUTINE StartAddress,
IN PVOID Parameter OPTIONAL,
OUT PHANDLE Thread OPTIONAL,
OUT PCLIENT\_ID ClientId OPTIONAL
);
NTSYSAPI HANDLE NTAPI RtlCreateHeap(
IN ULONG Flags,
IN PVOID BaseAddress OPTIONAL,
IN ULONG SizeToReserve,
IN ULONG SizeToCommit,
IN BOOLEAN Lock OPTIONAL,
IN PRTL\_HEAP\_PARAMETERS Definition OPTIONAL
);
NTSYSAPI ULONG NTAPI RtlDestroyHeap(
IN HANDLE HeapHandle
);
NTSYSAPI PVOID NTAPI RtlAllocateHeap(
IN HANDLE HeapHandle,
IN ULONG Flags,
IN SIZE\_T Size
);
NTSYSAPI PVOID NTAPI RtlReAllocateHeap(
IN HANDLE HeapHandle,
IN ULONG Flags,
IN LPVOID Address,
IN SIZE\_T Size
);
NTSYSAPI BOOLEAN NTAPI RtlFreeHeap(
IN HANDLE HeapHandle,
IN ULONG Flags,
IN PVOID Address
);
NTSYSAPI ULONG NTAPI RtlCompactHeap(
IN HANDLE HeapHandle,
IN ULONG Flags
);
NTSYSAPI BOOLEAN NTAPI RtlLockHeap(
IN HANDLE HeapHandle
);
NTSYSAPI BOOLEAN NTAPI RtlUnlockHeap(
IN HANDLE HeapHandle
);
NTSYSAPI ULONG NTAPI RtlSizeHeap(
IN HANDLE HeapHandle,
IN ULONG Flags,
IN PVOID Address
);
NTSYSAPI BOOLEAN NTAPI RtlValidateHeap(
IN HANDLE HeapHandle,
IN ULONG Flags,
IN PVOID Address OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN ULONG Revision
);
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
OUT PBOOLEAN DaclPresent,
OUT PACL \*Dacl,
OUT PBOOLEAN DaclDefaulted
);
NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN BOOLEAN DaclPresent,
IN PACL Dacl OPTIONAL,
IN BOOLEAN DaclDefaulted OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor(
IN PSECURITY\_DESCRIPTOR SecurityDescriptor,
IN PSID Owner OPTIONAL,
IN BOOLEAN OwnerDefaulted OPTIONAL
);
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(
IN PSID\_IDENTIFIER\_AUTHORITY IdentifierAuthority,
IN UCHAR SubAuthorityCount,
IN ULONG SubAuthority0,
IN ULONG SubAuthority1,
IN ULONG SubAuthority2,
IN ULONG SubAuthority3,
IN ULONG SubAuthority4,
IN ULONG SubAuthority5,
IN ULONG SubAuthority6,
IN ULONG SubAuthority7,
OUT PSID \*Sid
);
NTSYSAPI ULONG NTAPI RtlLengthSid(
IN PSID Sid
);
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(
IN PSID Sid1,
IN PSID Sid2
);
NTSYSAPI PVOID NTAPI RtlFreeSid(
IN PSID Sid
);
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(
IN PACL Acl,
IN ULONG AclLength,
IN ULONG AclRevision
);
NTSYSAPI NTSTATUS NTAPI RtlGetAce(
IN PACL Acl,
IN ULONG AceIndex,
OUT PVOID \*Ace
);
NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAce(
IN OUT PACL Acl,
IN ULONG AceRevision,
IN ACCESS\_MASK AccessMask,
IN PSID Sid
);
NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAceEx(
IN OUT PACL Acl,
IN ULONG AceRevision,
IN ULONG AceFlags,
IN ULONG AccessMask,
IN PSID Sid
);
NTSYSAPI ULONG NTAPI RtlNtStatusToDosErrorNoTeb(
NTSTATUS Status
);
NTSYSAPI NTSTATUS NTAPI RtlGetLastNtStatus(
);
NTSYSAPI ULONG NTAPI RtlGetLastWin32Error(
);
NTSYSAPI VOID NTAPI RtlSetLastWin32Error(
ULONG WinError
);
NTSYSAPI VOID NTAPI RtlSetLastWin32ErrorAndNtStatusFromNtStatus(
NTSTATUS Status
);
NTSYSAPI VOID NTAPI DbgBreakPoint(
VOID
);
NTSYSAPI ULONG \_cdecl DbgPrint(
PCH Format,
...
);
NTSYSAPI NTSTATUS NTAPI LdrLoadDll(
IN PWSTR DllPath OPTIONAL,
IN PULONG DllCharacteristics OPTIONAL,
IN PUNICODE\_STRING DllName,
OUT PVOID \*DllHandle
);
NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle(
IN PWSTR DllPath OPTIONAL,
IN PULONG DllCharacteristics OPTIONAL,
IN PUNICODE\_STRING DllName,
OUT PVOID \* DllHandle
);
NTSYSAPI NTSTATUS NTAPI LdrUnloadDll(
IN PVOID DllHandle
);
NTSYSAPI NTSTATUS NTAPI LdrGetProcedureAddress(
IN PVOID DllHandle,
IN PANSI\_STRING ProcedureName OPTIONAL,
IN ULONG ProcedureNumber OPTIONAL,
OUT PVOID \*ProcedureAddress
);#pragma endregion
#pragma region TAIL
#ifdef __cplusplus
} // extern "C"
#endif
#pragma endregion
#endif // __NTDLL_H__
Ntdll.h
手机扫一扫
移动阅读更方便
你可能感兴趣的文章