////////////////////////////////////////////////////////////////////
|
|
|
|
|
// Copyright (C) Alexander Telyatnikov, Ivan Keliukh, Yegor Anchishkin, SKIF Software, 1999-2013. Kiev, Ukraine
|
|
|
|
|
// All rights reserved
|
// This file was released under the GPLv2 on June 2015.
|
////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
|
|
|
|
//======================================================================
|
|
|
|
|
//
|
|
|
|
|
// NT_Native.h
|
|
|
|
|
//
|
|
|
|
|
//======================================================================
|
|
|
|
|
|
|
|
|
|
#ifndef __NT_NATIVE_DEFS__H__
|
|
|
|
|
#define __NT_NATIVE_DEFS__H__
|
|
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
|
extern "C" {
|
|
|
|
|
#endif //__cplusplus
|
|
|
|
|
|
|
|
|
|
#include <excpt.h>
|
|
|
|
|
#include <ntdef.h>
|
|
|
|
|
#include <ntstatus.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <DEVIOCTL.H>
|
|
|
|
|
#include <NTDDSTOR.H>
|
|
|
|
|
#include <NTDDDISK.H>
|
|
|
|
|
|
|
|
|
|
//
// Opaque kernel object types. This header only ever passes pointers to
// these around, so the struct bodies are deliberately left undefined here.
//
typedef struct _KTHREAD *PKTHREAD;
typedef struct _ETHREAD *PETHREAD;
typedef struct _EPROCESS *PEPROCESS;
typedef struct _PEB *PPEB;
typedef struct _KINTERRUPT *PKINTERRUPT;
typedef struct _IO_TIMER *PIO_TIMER;
typedef struct _OBJECT_TYPE *POBJECT_TYPE;
typedef struct _CALLBACK_OBJECT *PCALLBACK_OBJECT;
typedef struct _DEVICE_HANDLER_OBJECT *PDEVICE_HANDLER_OBJECT;
typedef struct _BUS_HANDLER *PBUS_HANDLER;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
// ACCESS_MASK: 32-bit access-rights bitmask (object-specific bits in the low
// 16, standard bits above them, generic bits at the top; see the DELETE ..
// GENERIC_ALL definitions below).
//
typedef ULONG ACCESS_MASK;
typedef ACCESS_MASK *PACCESS_MASK;

//
// Win32-style aliases for the native types, so user-mode spellings resolve
// when this header is used in place of windows.h.
//
#define BOOL BOOLEAN
#define DWORD ULONG
#define LPVOID PVOID
#define LPDWORD PULONG

#define APIENTRY __stdcall

// NOTE(review): MSVC's canonical keyword is __fastcall; the single-underscore
// spelling is a legacy alias -- confirm the target toolchain accepts it.
#define FASTCALL _fastcall
|
|
|
|
|
|
|
|
|
|
// end_winnt
|
|
|
|
|
//
|
|
|
|
|
// The following are masks for the predefined standard access types
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Standard rights occupy bits 16..20 of an ACCESS_MASK and have the same
// meaning for every securable object type.
//
#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L) // read the security descriptor (owner, group, DACL)
#define WRITE_DAC (0x00040000L) // replace the DACL
#define WRITE_OWNER (0x00080000L) // change the owner
#define SYNCHRONIZE (0x00100000L) // wait on the object handle

// DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
#define STANDARD_RIGHTS_REQUIRED (0x000F0000L)

// All three intentionally reduce to READ_CONTROL: the object-specific
// read/write/execute bits come from masks such as FILE_GENERIC_*, not from
// these.
#define STANDARD_RIGHTS_READ (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL)

// STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE
#define STANDARD_RIGHTS_ALL (0x001F0000L)

// Low 16 bits: the object-type specific rights (e.g. FILE_READ_DATA).
#define SPECIFIC_RIGHTS_ALL (0x0000FFFFL)

//
// AccessSystemAcl access type
//
// Access to the SACL (audit entries). This bit is granted on the basis of
// the caller's privileges rather than the object's DACL.
//
#define ACCESS_SYSTEM_SECURITY (0x01000000L)

//
// MaximumAllowed access type
//
// Asks the access check to grant whatever subset of rights the caller is
// entitled to; code must read back the granted mask instead of assuming
// any particular right was obtained.
//
#define MAXIMUM_ALLOWED (0x02000000L)

//
// These are the generic rights.
//
// Generic bits are translated into object-specific rights through a
// GENERIC_MAPPING when a handle is opened; they do not appear in a granted
// access mask.
//
#define GENERIC_READ (0x80000000L)
#define GENERIC_WRITE (0x40000000L)
#define GENERIC_EXECUTE (0x20000000L)
#define GENERIC_ALL (0x10000000L)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Subroutines for dealing with the Registry
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Callback invoked by RtlQueryRegistryValues for each value that matches an
// RTL_QUERY_REGISTRY_TABLE entry.
//
//   ValueName    - name of the registry value being reported
//   ValueType    - REG_* type of the data
//   ValueData    - pointer to the value data
//   ValueLength  - length of ValueData in bytes
//   Context      - the Context argument passed to RtlQueryRegistryValues
//   EntryContext - the EntryContext field of the matching table entry
//
// ValueData/ValueLength originate from the registry and must be validated
// by the callback before use (length, type, NUL-termination of strings).
// The NTSTATUS returned is presumably propagated to the caller of
// RtlQueryRegistryValues -- confirm against its contract.
//
typedef NTSTATUS (*PRTL_QUERY_REGISTRY_ROUTINE)(
    IN PWSTR ValueName,
    IN ULONG ValueType,
    IN PVOID ValueData,
    IN ULONG ValueLength,
    IN PVOID Context,
    IN PVOID EntryContext
    );
|
|
|
|
|
|
|
|
|
|
//
// One entry of the table handed to RtlQueryRegistryValues. The table is
// terminated by an entry whose Name is NULL (see the flag comments below).
//
typedef struct _RTL_QUERY_REGISTRY_TABLE {
    PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine; // callback; ignored with RTL_QUERY_REGISTRY_DIRECT
    ULONG Flags;                              // RTL_QUERY_REGISTRY_* bits
    PWSTR Name;                               // value name, or subkey name with RTL_QUERY_REGISTRY_SUBKEY
    PVOID EntryContext;                       // passed to QueryRoutine, or the store location with DIRECT
    ULONG DefaultType;                        // REG_* type of DefaultData
    PVOID DefaultData;                        // data used when the value is absent
    ULONG DefaultLength;                      // length of DefaultData in bytes
} RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// The following flags specify how the Name field of a RTL_QUERY_REGISTRY_TABLE
|
|
|
|
|
// entry is interpreted. A NULL name indicates the end of the table.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define RTL_QUERY_REGISTRY_SUBKEY 0x00000001 // Name is a subkey and remainder of
                                            // table or until next subkey are value
                                            // names for that subkey to look at.

#define RTL_QUERY_REGISTRY_TOPKEY 0x00000002 // Reset current key to original key for
                                            // this and all following table entries.

#define RTL_QUERY_REGISTRY_REQUIRED 0x00000004 // Fail if no match found for this table
                                              // entry.

#define RTL_QUERY_REGISTRY_NOVALUE 0x00000008 // Used to mark a table entry that has no
                                             // value name, just wants a call out, not
                                             // an enumeration of all values.

#define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010 // Used to suppress the expansion of
                                              // REG_MULTI_SZ into multiple callouts or
                                              // to prevent the expansion of environment
                                              // variable values in REG_EXPAND_SZ

#define RTL_QUERY_REGISTRY_DIRECT 0x00000020 // QueryRoutine field ignored. EntryContext
                                            // field points to location to store value.
                                            // For null terminated strings, EntryContext
                                            // points to UNICODE_STRING structure that
                                            // describes maximum size of buffer.
                                            // If .Buffer field is NULL then a buffer is
                                            // allocated.
                                            //
// NOTE(review): with DIRECT the stored value is written through EntryContext
// as whatever type the registry holds -- nothing in this table ties the
// value's REG_* type to the size of the caller's buffer. Registry content is
// attacker-influenceable on many systems, so pair DIRECT with DefaultType/
// DefaultData and a buffer sized for the largest type you will accept, or use
// a QueryRoutine that checks ValueType and ValueLength itself.

#define RTL_QUERY_REGISTRY_DELETE 0x00000040 // Used to delete value keys after they
                                            // are queried.

//
// The following values for the RelativeTo parameter determine what the
// Path parameter to RtlQueryRegistryValues is relative to.
//

#define RTL_REGISTRY_ABSOLUTE 0 // Path is a full path
#define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services
#define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control
#define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
#define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap
#define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser
#define RTL_REGISTRY_MAXIMUM 6
// The two high bits are modifiers OR'ed into RelativeTo, not base-path indices.
#define RTL_REGISTRY_HANDLE 0x40000000 // Low order bits are registry handle
#define RTL_REGISTRY_OPTIONAL 0x80000000 // Indicates the key node is optional
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
// Integer <-> string conversions. All three report failure through the
// returned NTSTATUS.
//

//
// RtlCharToInteger -- parse the NUL-terminated ANSI String as an unsigned
// integer in radix Base and store the result in *Value.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlCharToInteger (
    PCSZ String,
    ULONG Base,
    PULONG Value
    );

//
// RtlIntegerToUnicodeString -- render Value in radix Base into String.
// NOTE(review): the declaration does not say whether String->Buffer must be
// preallocated by the caller; confirm before relying on either behaviour.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlIntegerToUnicodeString (
    ULONG Value,
    ULONG Base,
    PUNICODE_STRING String
    );

//
// RtlUnicodeStringToInteger -- parse the counted UNICODE String (not
// necessarily NUL-terminated) in radix Base into *Value.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlUnicodeStringToInteger (
    PUNICODE_STRING String,
    ULONG Base,
    PULONG Value
    );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// String manipulation routines
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#ifdef _NTSYSTEM_

// Presumably when building the system itself the code-page tags are plain
// BOOLEAN globals ...
#define NLS_MB_CODE_PAGE_TAG NlsMbCodePageTag
#define NLS_MB_OEM_CODE_PAGE_TAG NlsMbOemCodePageTag

#else

// ... whereas other modules reach them through an exported pointer, so the
// macro dereferences it and both spellings present the same BOOLEAN lvalue.
#define NLS_MB_CODE_PAGE_TAG (*NlsMbCodePageTag)
#define NLS_MB_OEM_CODE_PAGE_TAG (*NlsMbOemCodePageTag)

#endif // _NTSYSTEM_

// Note that after macro expansion the non-_NTSYSTEM_ form declares the
// exported symbol as a pointer to BOOLEAN.
extern BOOLEAN NLS_MB_CODE_PAGE_TAG; // TRUE -> Multibyte CP, FALSE -> Singlebyte
extern BOOLEAN NLS_MB_OEM_CODE_PAGE_TAG; // TRUE -> Multibyte CP, FALSE -> Singlebyte
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlInitString(
|
|
|
|
|
PSTRING DestinationString,
|
|
|
|
|
PCSZ SourceString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlInitAnsiString(
|
|
|
|
|
PANSI_STRING DestinationString,
|
|
|
|
|
PCSZ SourceString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlInitUnicodeString(
|
|
|
|
|
PUNICODE_STRING DestinationString,
|
|
|
|
|
PCWSTR SourceString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlCopyString(
|
|
|
|
|
PSTRING DestinationString,
|
|
|
|
|
PSTRING SourceString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
CHAR
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlUpperChar (
|
|
|
|
|
CHAR Character
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
LONG
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlCompareString(
|
|
|
|
|
PSTRING String1,
|
|
|
|
|
PSTRING String2,
|
|
|
|
|
BOOLEAN CaseInSensitive
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
BOOLEAN
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlEqualString(
|
|
|
|
|
PSTRING String1,
|
|
|
|
|
PSTRING String2,
|
|
|
|
|
BOOLEAN CaseInSensitive
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlUpperString(
|
|
|
|
|
PSTRING DestinationString,
|
|
|
|
|
PSTRING SourceString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// NLS String functions
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlAnsiStringToUnicodeString(
|
|
|
|
|
PUNICODE_STRING DestinationString,
|
|
|
|
|
PANSI_STRING SourceString,
|
|
|
|
|
BOOLEAN AllocateDestinationString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlUnicodeStringToAnsiString(
|
|
|
|
|
PANSI_STRING DestinationString,
|
|
|
|
|
PUNICODE_STRING SourceString,
|
|
|
|
|
BOOLEAN AllocateDestinationString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
LONG
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlCompareUnicodeString(
|
|
|
|
|
PUNICODE_STRING String1,
|
|
|
|
|
PUNICODE_STRING String2,
|
|
|
|
|
BOOLEAN CaseInSensitive
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
BOOLEAN
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlEqualUnicodeString(
|
|
|
|
|
PUNICODE_STRING String1,
|
|
|
|
|
PUNICODE_STRING String2,
|
|
|
|
|
BOOLEAN CaseInSensitive
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
BOOLEAN
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlPrefixUnicodeString(
|
|
|
|
|
IN PUNICODE_STRING String1,
|
|
|
|
|
IN PUNICODE_STRING String2,
|
|
|
|
|
IN BOOLEAN CaseInSensitive
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlUpcaseUnicodeString(
|
|
|
|
|
PUNICODE_STRING DestinationString,
|
|
|
|
|
PUNICODE_STRING SourceString,
|
|
|
|
|
BOOLEAN AllocateDestinationString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlCopyUnicodeString(
|
|
|
|
|
PUNICODE_STRING DestinationString,
|
|
|
|
|
PUNICODE_STRING SourceString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlAppendUnicodeStringToString (
|
|
|
|
|
PUNICODE_STRING Destination,
|
|
|
|
|
PUNICODE_STRING Source
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlAppendUnicodeToString (
|
|
|
|
|
PUNICODE_STRING Destination,
|
|
|
|
|
PWSTR Source
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlFreeUnicodeString(
|
|
|
|
|
PUNICODE_STRING UnicodeString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlFreeAnsiString(
|
|
|
|
|
PANSI_STRING AnsiString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSYSAPI
|
|
|
|
|
ULONG
|
|
|
|
|
NTAPI
|
|
|
|
|
RtlxAnsiStringToUnicodeSize(
|
|
|
|
|
PANSI_STRING AnsiString
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// NTSYSAPI
|
|
|
|
|
// ULONG
|
|
|
|
|
// NTAPI
|
|
|
|
|
// RtlAnsiStringToUnicodeSize(
|
|
|
|
|
// PANSI_STRING AnsiString
|
|
|
|
|
// );
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
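//
// RtlAnsiStringToUnicodeSize -- number of bytes needed to hold STRING after
// conversion to UNICODE, including the terminating NUL.
//
// On a multi-byte code page the size depends on the data, so it is computed
// by RtlxAnsiStringToUnicodeSize; on a single-byte code page every byte
// becomes exactly one WCHAR, plus one WCHAR for the terminator.
//
// The terminator term used to be spelled sizeof((UCHAR)NULL): a pointer-to-
// char conversion that exists only to yield 1 and draws a diagnostic on
// compilers where NULL is a pointer constant. sizeof(UCHAR) is the same
// value with no cast.
//
#define RtlAnsiStringToUnicodeSize(STRING) ( \
    NLS_MB_CODE_PAGE_TAG ? \
    RtlxAnsiStringToUnicodeSize(STRING) : \
    ((STRING)->Length + sizeof(UCHAR)) * sizeof(WCHAR) \
)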
|
|
|
|
|
|
|
|
|
|
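#if DBG

//
// RtlAssert -- report a failed assertion (checked builds only).
//
//   FailedAssertion - stringized expression text
//   FileName        - source file where the assertion fired
//   LineNumber      - source line where the assertion fired
//   Message         - optional extra text; NULL for a plain ASSERT
//
NTSYSAPI
VOID
NTAPI
RtlAssert(
    PVOID FailedAssertion,
    PVOID FileName,
    ULONG LineNumber,
    PCHAR Message
    );

//
// Both macros expand to exactly one statement. The original bare
// `if (!(exp)) RtlAssert(...)` let `if (c) ASSERT(x); else ...` bind the
// caller's else to the if hidden inside the macro, silently turning the
// else branch into an assertion-failure handler; do { } while (0) closes
// that hole and still requires the trailing semicolon.
//
#define ASSERT( exp ) \
    do { \
        if (!(exp)) { \
            RtlAssert( #exp, __FILE__, __LINE__, NULL ); \
        } \
    } while (0)

#define ASSERTMSG( msg, exp ) \
    do { \
        if (!(exp)) { \
            RtlAssert( #exp, __FILE__, __LINE__, msg ); \
        } \
    } while (0)

#else

// Free builds: the expression is not evaluated at all, so ASSERT arguments
// must never carry side effects the surrounding code relies on.
#define ASSERT( exp )
#define ASSERTMSG( msg, exp )

#endif // DBG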
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Fast primitives to compare, move, and zero memory
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// begin_winnt begin_ntndis
|
|
|
|
|
#if defined(_M_IX86) || defined(_M_MRX000) || defined(_M_ALPHA)

#if defined(_M_MRX000)
// MIPS: out-of-line equality compare.
NTSYSAPI
ULONG
NTAPI
RtlEqualMemory (
    CONST VOID *Source1,
    CONST VOID *Source2,
    ULONG Length
    );
#else
// x86 / Alpha: thin wrapper over memcmp. memcmp returns as soon as it finds
// a differing byte, so this is not a constant-time compare and must not be
// used to check secrets (keys, tokens, MACs) against attacker-chosen input.
#define RtlEqualMemory(Destination,Source,Length) (!memcmp((Destination),(Source),(Length)))
#endif

// RtlMoveMemory tolerates overlapping buffers (memmove); RtlCopyMemory does
// not (memcpy) -- an overlapping Source/Destination there is undefined.
#define RtlMoveMemory(Destination,Source,Length) memmove((Destination),(Source),(Length))
#define RtlCopyMemory(Destination,Source,Length) memcpy((Destination),(Source),(Length))
// Parameter order is (Destination, Length, Fill), i.e. the reverse of memset's
// last two arguments; the macro swaps them.
#define RtlFillMemory(Destination,Length,Fill) memset((Destination),(Fill),(Length))
// Plain memset: an optimizer may drop a RtlZeroMemory whose buffer is not
// read afterwards, so this is not a reliable way to scrub secrets before
// the memory is released.
#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length))

#else // _M_PPC

// PowerPC: all of the primitives are real exported routines.

// Returns non-zero when the two Length-byte regions are identical.
NTSYSAPI
ULONG
NTAPI
RtlEqualMemory (
    CONST VOID *Source1,
    CONST VOID *Source2,
    ULONG Length
    );

// Non-overlapping copy of Length bytes.
NTSYSAPI
VOID
NTAPI
RtlCopyMemory (
    VOID UNALIGNED *Destination,
    CONST VOID UNALIGNED *Source,
    ULONG Length
    );

// Same contract as RtlCopyMemory; presumably a 32-bit-granular variant --
// confirm against the PPC implementation before depending on the difference.
NTSYSAPI
VOID
NTAPI
RtlCopyMemory32 (
    VOID UNALIGNED *Destination,
    CONST VOID UNALIGNED *Source,
    ULONG Length
    );

// Copy of Length bytes that tolerates overlapping regions.
NTSYSAPI
VOID
NTAPI
RtlMoveMemory (
    VOID UNALIGNED *Destination,
    CONST VOID UNALIGNED *Source,
    ULONG Length
    );

// Set Length bytes at Destination to Fill.
NTSYSAPI
VOID
NTAPI
RtlFillMemory (
    VOID UNALIGNED *Destination,
    ULONG Length,
    UCHAR Fill
    );

// Set Length bytes at Destination to zero.
NTSYSAPI
VOID
NTAPI
RtlZeroMemory (
    VOID UNALIGNED *Destination,
    ULONG Length
    );

#endif

// end_winnt end_ntndis

//
// RtlCompareMemory -- compare Length bytes of Source1 and Source2.
// NOTE(review): the documented contract of this routine is to return the
// number of leading bytes that match (Length on a full match), not a
// boolean; confirm before treating any non-zero result as "equal".
//
NTSYSAPI
ULONG
NTAPI
RtlCompareMemory (
    PVOID Source1,
    PVOID Source2,
    ULONG Length
    );
|
|
|
|
|
|
|
|
|
|
//
// Broken-down calendar time used by the RtlTime*TimeFields conversions.
// Every field is a 16-bit signed count; the ranges are the valid inputs,
// nothing here enforces them.
//
typedef struct _TIME_FIELDS {
    CSHORT Year;        // range [1601...]
    CSHORT Month;       // range [1..12]
    CSHORT Day;         // range [1..31]
    CSHORT Hour;        // range [0..23]
    CSHORT Minute;      // range [0..59]
    CSHORT Second;      // range [0..59]
    CSHORT Milliseconds;// range [0..999]
    CSHORT Weekday;     // range [0..6] == [Sunday..Saturday]
} TIME_FIELDS;
typedef TIME_FIELDS *PTIME_FIELDS;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
// RtlTimeToTimeFields -- split the 64-bit Time value into calendar fields.
//
NTSYSAPI
VOID
NTAPI
RtlTimeToTimeFields (
    PLARGE_INTEGER Time,
    PTIME_FIELDS TimeFields
    );

//
// A time field record (Weekday ignored) -> 64 bit Time value
//
// Returns BOOLEAN rather than VOID: presumably FALSE when the fields are out
// of the ranges documented on TIME_FIELDS -- callers must check it rather
// than trust *Time unconditionally. Confirm against the implementation.
//
NTSYSAPI
BOOLEAN
NTAPI
RtlTimeFieldsToTime (
    PTIME_FIELDS TimeFields,
    PLARGE_INTEGER Time
    );
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the generic mapping array. This is used to denote the
|
|
|
|
|
// mapping of each generic access right to a specific access mask.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Per-object-type translation of the four GENERIC_* bits into specific
// rights. The security reference monitor applies it when a handle is opened,
// so every object type must publish one that covers all of its rights.
//
typedef struct _GENERIC_MAPPING {
    ACCESS_MASK GenericRead;    // what GENERIC_READ expands to
    ACCESS_MASK GenericWrite;   // what GENERIC_WRITE expands to
    ACCESS_MASK GenericExecute; // what GENERIC_EXECUTE expands to
    ACCESS_MASK GenericAll;     // what GENERIC_ALL expands to
} GENERIC_MAPPING;
typedef GENERIC_MAPPING *PGENERIC_MAPPING;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the various device type values. Note that values used by Microsoft
|
|
|
|
|
// Corporation are in the range 0-32767, and 32768-65535 are reserved for use
|
|
|
|
|
// by customers.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
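#define DEVICE_TYPE ULONG

//
// Macro definition for defining IOCTL and FSCTL function control codes. Note
// that function codes 0-2047 are reserved for Microsoft Corporation, and
// 2048-4095 are reserved for customers.
//
// Layout of the resulting code: DeviceType in bits 31..16, Access in
// bits 15..14, Function in bits 13..2, Method in bits 1..0.
//
// DeviceType is widened to ULONG before it is shifted. Customer device
// types (32768-65535, per the DEVICE_TYPE comment above) would otherwise
// shift a plain int into its sign bit, which is undefined behaviour in C;
// for Microsoft-range values the numeric result is unchanged, and the
// expression remains an integer constant usable as a switch label.
//
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
    (((ULONG)(DeviceType)) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)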
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the method codes for how buffers are passed for I/O and FS controls
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// I/O manager copies the user buffer into a system buffer and back.
#define METHOD_BUFFERED 0
// User data buffer is locked and described by an MDL (driver reads it).
#define METHOD_IN_DIRECT 1
// User data buffer is locked and described by an MDL (driver writes it).
#define METHOD_OUT_DIRECT 2
// No buffering at all: the driver receives the raw user-mode pointers and is
// responsible for probing, capturing and range-checking them itself.
#define METHOD_NEITHER 3

//
// Define the access check value for any access
//
//
// The FILE_READ_ACCESS and FILE_WRITE_ACCESS constants are also defined in
// ntioapi.h as FILE_READ_DATA and FILE_WRITE_DATA. The values for these
// constants *MUST* always be in sync.
//
// These are the values used in the Access field of CTL_CODE: the I/O manager
// rejects the request unless the handle was opened with the matching right,
// and FILE_ANY_ACCESS performs no such check.
//

#define FILE_ANY_ACCESS 0
#define FILE_READ_ACCESS ( 0x0001 ) // file & pipe
#define FILE_WRITE_ACCESS ( 0x0002 ) // file & pipe
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// begin_winnt
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define access rights to files and directories
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// The FILE_READ_DATA and FILE_WRITE_DATA constants are also defined in
|
|
|
|
|
// devioctl.h as FILE_READ_ACCESS and FILE_WRITE_ACCESS. The values for these
|
|
|
|
|
// constants *MUST* always be in sync.
|
|
|
|
|
// The values are redefined in devioctl.h because they must be available to
|
|
|
|
|
// both DOS and NT.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// Object-specific rights for files, directories and pipes. Several bits are
// shared between object kinds and carry a different name for each.
#define FILE_READ_DATA ( 0x0001 ) // file & pipe
#define FILE_LIST_DIRECTORY ( 0x0001 ) // directory

#define FILE_WRITE_DATA ( 0x0002 ) // file & pipe
#define FILE_ADD_FILE ( 0x0002 ) // directory

#define FILE_APPEND_DATA ( 0x0004 ) // file
#define FILE_ADD_SUBDIRECTORY ( 0x0004 ) // directory
#define FILE_CREATE_PIPE_INSTANCE ( 0x0004 ) // named pipe

#define FILE_READ_EA ( 0x0008 ) // file & directory

#define FILE_WRITE_EA ( 0x0010 ) // file & directory

#define FILE_EXECUTE ( 0x0020 ) // file
#define FILE_TRAVERSE ( 0x0020 ) // directory

#define FILE_DELETE_CHILD ( 0x0040 ) // directory

#define FILE_READ_ATTRIBUTES ( 0x0080 ) // all

#define FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all

// 0x1FF covers all nine specific bits defined above.
#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)

// The three FILE_GENERIC_* masks are what GENERIC_READ / GENERIC_WRITE /
// GENERIC_EXECUTE translate to for file objects (see GENERIC_MAPPING).
#define FILE_GENERIC_READ (STANDARD_RIGHTS_READ |\
    FILE_READ_DATA |\
    FILE_READ_ATTRIBUTES |\
    FILE_READ_EA |\
    SYNCHRONIZE)

#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |\
    FILE_WRITE_DATA |\
    FILE_WRITE_ATTRIBUTES |\
    FILE_WRITE_EA |\
    FILE_APPEND_DATA |\
    SYNCHRONIZE)

#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
    FILE_READ_ATTRIBUTES |\
    FILE_EXECUTE |\
    SYNCHRONIZE)
|
|
|
|
|
|
|
|
|
|
// end_winnt
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define share access rights to files and directories
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_SHARE_READ 0x00000001 // winnt
|
|
|
|
|
#define FILE_SHARE_WRITE 0x00000002 // winnt
|
|
|
|
|
#define FILE_SHARE_DELETE 0x00000004 // winnt
|
|
|
|
|
#define FILE_SHARE_VALID_FLAGS 0x00000007
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the file attributes values
|
|
|
|
|
//
|
|
|
|
|
// Note: 0x00000008 is reserved for use for the old DOS VOLID (volume ID)
|
|
|
|
|
// and is therefore not considered valid in NT.
|
|
|
|
|
//
|
|
|
|
|
// Note: 0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
|
|
|
|
|
// and is therefore not considered valid in NT. This flag has
|
|
|
|
|
// been disassociated with file attributes since the other flags are
|
|
|
|
|
// protected with READ_ and WRITE_ATTRIBUTES access to the file.
|
|
|
|
|
//
|
|
|
|
|
// Note: Note also that the order of these flags is set to allow both the
|
|
|
|
|
// FAT and the Pinball File Systems to directly set the attributes
|
|
|
|
|
// flags in attributes words without having to pick each flag out
|
|
|
|
|
// individually. The order of these flags should not be changed!
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_ATTRIBUTE_READONLY 0x00000001 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_HIDDEN 0x00000002 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_SYSTEM 0x00000004 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_DIRECTORY 0x00000010 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_ARCHIVE 0x00000020 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_NORMAL 0x00000080 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_TEMPORARY 0x00000100 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_RESERVED0 0x00000200
|
|
|
|
|
#define FILE_ATTRIBUTE_RESERVED1 0x00000400
|
|
|
|
|
#define FILE_ATTRIBUTE_COMPRESSED 0x00000800 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_OFFLINE 0x00001000 // winnt
|
|
|
|
|
#define FILE_ATTRIBUTE_PROPERTY_SET 0x00002000
|
|
|
|
|
#define FILE_ATTRIBUTE_VALID_FLAGS 0x00003fb7
|
|
|
|
|
#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x00003fa7
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the create disposition values
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_SUPERSEDE 0x00000000
|
|
|
|
|
#define FILE_OPEN 0x00000001
|
|
|
|
|
#define FILE_CREATE 0x00000002
|
|
|
|
|
#define FILE_OPEN_IF 0x00000003
|
|
|
|
|
#define FILE_OVERWRITE 0x00000004
|
|
|
|
|
#define FILE_OVERWRITE_IF 0x00000005
|
|
|
|
|
#define FILE_MAXIMUM_DISPOSITION 0x00000005
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the create/open option flags
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// CreateOptions bits for NtCreateFile/NtOpenFile.
#define FILE_DIRECTORY_FILE 0x00000001            // the object must be a directory
#define FILE_WRITE_THROUGH 0x00000002             // writes go to media before completing
#define FILE_SEQUENTIAL_ONLY 0x00000004           // hint: sequential access pattern
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 // bypass the cache; alignment rules apply

#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010      // synchronous handle, alertable waits
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020   // synchronous handle, non-alertable waits
#define FILE_NON_DIRECTORY_FILE 0x00000040        // the object must not be a directory
#define FILE_CREATE_TREE_CONNECTION 0x00000080    // remote file systems only

#define FILE_COMPLETE_IF_OPLOCKED 0x00000100      // do not block on an oplock break
#define FILE_NO_EA_KNOWLEDGE 0x00000200           // fail if the file has EAs the caller cannot understand
//UNUSED 0x00000400
#define FILE_RANDOM_ACCESS 0x00000800             // hint: random access pattern

// Security-relevant options: a delete-on-close handle removes the file when
// the last handle goes away; open-by-id bypasses name-based lookup; backup
// intent is meant for callers holding backup/restore privilege and must be
// honoured only after the privilege check, never on the flag alone.
#define FILE_DELETE_ON_CLOSE 0x00001000
#define FILE_OPEN_BY_FILE_ID 0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000

#define FILE_RESERVE_OPFILTER 0x00100000
#define FILE_TRANSACTED_MODE 0x00200000
#define FILE_OPEN_OFFLINE_FILE 0x00400000

// Masks used to reject unknown option bits before they reach the file system.
#define FILE_VALID_OPTION_FLAGS 0x007fffff
#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
#define FILE_VALID_SET_FLAGS 0x00000036
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the I/O status information return values for NtCreateFile/NtOpenFile
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_SUPERSEDED 0x00000000
|
|
|
|
|
#define FILE_OPENED 0x00000001
|
|
|
|
|
#define FILE_CREATED 0x00000002
|
|
|
|
|
#define FILE_OVERWRITTEN 0x00000003
|
|
|
|
|
#define FILE_EXISTS 0x00000004
|
|
|
|
|
#define FILE_DOES_NOT_EXIST 0x00000005
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define special ByteOffset parameters for read and write operations
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_WRITE_TO_END_OF_FILE 0xffffffff
|
|
|
|
|
#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define alignment requirement values
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_BYTE_ALIGNMENT 0x00000000
|
|
|
|
|
#define FILE_WORD_ALIGNMENT 0x00000001
|
|
|
|
|
#define FILE_LONG_ALIGNMENT 0x00000003
|
|
|
|
|
#define FILE_QUAD_ALIGNMENT 0x00000007
|
|
|
|
|
#define FILE_OCTA_ALIGNMENT 0x0000000f
|
|
|
|
|
#define FILE_32_BYTE_ALIGNMENT 0x0000001f
|
|
|
|
|
#define FILE_64_BYTE_ALIGNMENT 0x0000003f
|
|
|
|
|
#define FILE_128_BYTE_ALIGNMENT 0x0000007f
|
|
|
|
|
#define FILE_256_BYTE_ALIGNMENT 0x000000ff
|
|
|
|
|
#define FILE_512_BYTE_ALIGNMENT 0x000001ff
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the maximum length of a filename string
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define MAXIMUM_FILENAME_LENGTH 256
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the various device characteristics flags
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
#define FILE_REMOVABLE_MEDIA 0x00000001
|
|
|
|
|
#define FILE_READ_ONLY_DEVICE 0x00000002
|
|
|
|
|
#define FILE_FLOPPY_DISKETTE 0x00000004
|
|
|
|
|
#define FILE_WRITE_ONCE_MEDIA 0x00000008
|
|
|
|
|
#define FILE_REMOTE_DEVICE 0x00000010
|
|
|
|
|
#define FILE_DEVICE_IS_MOUNTED 0x00000020
|
|
|
|
|
#define FILE_VIRTUAL_VOLUME 0x00000040
|
|
|
|
|
|
|
|
|
|
#ifndef _FILESYSTEMFSCTL_
|
|
|
|
|
#define _FILESYSTEMFSCTL_
|
|
|
|
|
|
|
|
|
|
#endif // _FILESYSTEMFSCTL_
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// The following is a list of the native file system fsctls followed by
|
|
|
|
|
// additional network file system fsctls. Some values have been
|
|
|
|
|
// decommissioned.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// Note that FSCTL_SET_COMPRESSION is the only code below whose Access field
// requires a right on the handle (FILE_READ_DATA | FILE_WRITE_DATA); every
// other code is FILE_ANY_ACCESS, so the file system's FSCTL dispatch must do
// its own access or privilege check for requests that change volume state
// (lock, unlock, dismount, mark dirty, invalidate, ...).
#define FSCTL_REQUEST_OPLOCK_LEVEL_1 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_OPLOCK_LEVEL_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_BATCH_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_NOTIFY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_LOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
// decommissioned fsctl value 9
#define FSCTL_IS_VOLUME_MOUNTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_IS_PATHNAME_VALID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) // PATHNAME_BUFFER,
#define FSCTL_MARK_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
// decommissioned fsctl value 13
// METHOD_NEITHER codes hand the file system raw user-mode buffer pointers;
// the handler must probe and capture them (see METHOD_NEITHER above).
#define FSCTL_QUERY_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_GET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
// decommissioned fsctl value 17
// decommissioned fsctl value 18
#define FSCTL_MARK_AS_SYSTEM_HIVE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_ACK_NO_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_INVALIDATE_VOLUMES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_QUERY_FAT_BPB CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS) // FSCTL_QUERY_FAT_BPB_BUFFER
#define FSCTL_REQUEST_FILTER_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS) // FILESYSTEM_STATISTICS
#if(_WIN32_WINNT >= 0x0400)
#define FSCTL_GET_NTFS_VOLUME_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS) // NTFS_VOLUME_DATA_BUFFER
#define FSCTL_GET_NTFS_FILE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS) // NTFS_FILE_RECORD_INPUT_BUFFER, NTFS_FILE_RECORD_OUTPUT_BUFFER
#define FSCTL_GET_VOLUME_BITMAP CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27, METHOD_NEITHER, FILE_ANY_ACCESS) // STARTING_LCN_INPUT_BUFFER, VOLUME_BITMAP_BUFFER
#define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS) // STARTING_VCN_INPUT_BUFFER, RETRIEVAL_POINTERS_BUFFER
#define FSCTL_MOVE_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // MOVE_FILE_DATA,
#define FSCTL_IS_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS)
// decommissioned fsctl value 31
#define FSCTL_ALLOW_EXTENDED_DASD_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER, FILE_ANY_ACCESS)
#endif /* _WIN32_WINNT >= 0x0400 */
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the base asynchronous I/O argument types
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Completion record written by the I/O manager for every request.
//
// NOTE(review): the canonical definition is a union of NTSTATUS Status and
// PVOID Pointer, followed by ULONG_PTR Information. The ULONG Information
// used here only matches that layout on a 32-bit build; on a 64-bit kernel
// the Information write would extend past this struct. Confirm this header
// is restricted to 32-bit targets before reusing it elsewhere.
//
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;   // completion status of the request
    ULONG Information; // request-specific count (e.g. bytes transferred)
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define an Asynchronous Procedure Call from I/O viewpoint
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// User-mode completion callback for asynchronous Nt* I/O calls.
//
//   ApcContext    - the ApcContext value supplied with the request
//   IoStatusBlock - the request's completion record, filled in by then
//   Reserved      - set by the I/O manager; carries no caller-visible meaning
//                   as far as this header shows
//
typedef
VOID
(*PIO_APC_ROUTINE) (
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
    );
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the file information class values
|
|
|
|
|
//
|
|
|
|
|
// WARNING: The order of the following values is assumed by the I/O system.
|
|
|
|
|
// Any changes made here should be reflected there as well.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Information classes for NtQueryInformationFile / NtSetInformationFile and
// the directory enumeration calls. The ordinal is part of the kernel ABI;
// entries may only be appended.
//
// NOTE(review): this is the NT4-era list (FileCopyOnWriteInformation, the
// FileOle*Information members). Later SDKs assign different ordinals to some
// of the members after FileCompressionInformation, so values from this enum
// must not be mixed with a newer ntifs.h -- confirm which kernel is targeted.
//
typedef enum _FILE_INFORMATION_CLASS {
    FileDirectoryInformation = 1,
    FileFullDirectoryInformation,
    FileBothDirectoryInformation,
    FileBasicInformation,
    FileStandardInformation,
    FileInternalInformation,
    FileEaInformation,
    FileAccessInformation,
    FileNameInformation,
    FileRenameInformation,
    FileLinkInformation,
    FileNamesInformation,
    FileDispositionInformation,
    FilePositionInformation,
    FileFullEaInformation,
    FileModeInformation,
    FileAlignmentInformation,
    FileAllInformation,
    FileAllocationInformation,
    FileEndOfFileInformation,
    FileAlternateNameInformation,
    FileStreamInformation,
    FilePipeInformation,
    FilePipeLocalInformation,
    FilePipeRemoteInformation,
    FileMailslotQueryInformation,
    FileMailslotSetInformation,
    FileCompressionInformation,
    FileCopyOnWriteInformation,
    FileCompletionInformation,
    FileMoveClusterInformation,
    FileOleClassIdInformation,
    FileOleStateBitsInformation,
    FileNetworkOpenInformation,
    FileObjectIdInformation,
    FileOleAllInformation,
    FileOleDirectoryInformation,
    FileContentIndexInformation,
    FileInheritContentIndexInformation,
    FileOleInformation,
    FileMaximumInformation // one past the last valid class; use for range checks
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the various structures which are returned on query operations
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// FILE_BASIC_INFORMATION (FileBasicInformation): the four timestamps and the
// attribute bits of a file. Times are 64-bit NT system-time values.
// NOTE(review): per NT convention a zero time on a set operation means "leave
// unchanged" — confirm against the target kernel before relying on it.
//
typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;       // metadata change time; distinct from LastWriteTime
    ULONG FileAttributes;           // FILE_ATTRIBUTE_* bits
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// FILE_STANDARD_INFORMATION (FileStandardInformation): size, link count and
// state of a file. AllocationSize is the on-disk reservation and may exceed
// EndOfFile (the logical length); code computing read bounds must use
// EndOfFile, never AllocationSize.
//
typedef struct _FILE_STANDARD_INFORMATION {
    LARGE_INTEGER AllocationSize;   // bytes reserved on the volume
    LARGE_INTEGER EndOfFile;        // logical file length in bytes
    ULONG NumberOfLinks;            // hard-link count
    BOOLEAN DeletePending;          // TRUE once delete-on-close has been requested
    BOOLEAN Directory;              // TRUE for directories
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// FILE_POSITION_INFORMATION (FilePositionInformation): the current byte offset
// of a file object. Only meaningful for handles that do positional I/O
// without an explicit FileOffset (see NtReadFile / NtWriteFile below).
//
typedef struct _FILE_POSITION_INFORMATION {
    LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// FILE_ALIGNMENT_INFORMATION (FileAlignmentInformation): buffer alignment the
// device requires for non-cached / direct I/O.
// NOTE(review): in the NT DDK the value is an alignment mask (alignment - 1,
// e.g. FILE_WORD_ALIGNMENT == 1), not a byte count — confirm before using it
// in address arithmetic.
//
typedef struct _FILE_ALIGNMENT_INFORMATION {
    ULONG AlignmentRequirement;
} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// FILE_NETWORK_OPEN_INFORMATION (FileNetworkOpenInformation): the union of
// FILE_BASIC_INFORMATION's timestamps/attributes and the size fields of
// FILE_STANDARD_INFORMATION, fetched in one query. Same caveats apply:
// EndOfFile is the logical length, AllocationSize the on-disk reservation.
//
typedef struct _FILE_NETWORK_OPEN_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG FileAttributes;           // FILE_ATTRIBUTE_* bits
} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// FILE_DISPOSITION_INFORMATION (FileDispositionInformation, set only):
// DeleteFile == TRUE marks the file for deletion when the last handle closes.
// The handle must have been opened with DELETE access for the set to succeed.
// NOTE(review): per NT semantics the mark can be cleared again with FALSE
// before the final close — confirm on the target file system.
//
typedef struct _FILE_DISPOSITION_INFORMATION {
    BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// FILE_END_OF_FILE_INFORMATION (FileEndOfFileInformation, set only): sets the
// logical file length. Shrinking discards data irreversibly; growing extends
// the file, and the file system is responsible for not exposing stale disk
// contents in the new range (zero-fill or valid-data-length tracking).
//
typedef struct _FILE_END_OF_FILE_INFORMATION {
    LARGE_INTEGER EndOfFile;
} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
// FILE_FULL_EA_INFORMATION: one entry of an extended-attribute list
// (FileFullEaInformation; also the EaBuffer format of NtCreateFile below).
// Entries are variable length: the name occupies EaName[0..EaNameLength), is
// followed by a terminating NUL by convention, and the value bytes follow that.
// NextEntryOffset is the byte distance from this entry to the next; 0 marks
// the last entry.
// When walking a list that came from an untrusted source (a user buffer, a
// network reply, an on-disk structure) validate before dereferencing:
//   - sizeof(FILE_FULL_EA_INFORMATION) fits in the remaining buffer,
//   - EaNameLength + 1 + EaValueLength fits in the remaining buffer,
//   - NextEntryOffset is either 0 or >= the size of this entry and still
//     inside the buffer (a small or backward offset makes the walk loop or
//     read out of bounds).
// The [1] trailing array is the pre-C99 flexible-array idiom; never take
// sizeof() of this struct as the size of a populated entry.
//
typedef struct _FILE_FULL_EA_INFORMATION {
    ULONG NextEntryOffset;          // 0 terminates the list
    UCHAR Flags;                    // FILE_NEED_EA etc.
    UCHAR EaNameLength;             // name length in bytes, excluding the NUL
    USHORT EaValueLength;           // value length in bytes
    CHAR EaName[1];                 // variable: name, NUL, then value bytes
} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the file system information class values
|
|
|
|
|
//
|
|
|
|
|
// WARNING: The order of the following values is assumed by the I/O system.
|
|
|
|
|
// Any changes made here should be reflected there as well.
|
|
|
|
|
|
|
|
|
|
//
// FS_INFORMATION_CLASS: selector for volume (file-system) information
// queries and sets. Like FILE_INFORMATION_CLASS the values are an ABI contract
// (see the WARNING above); FileFsMaximumInformation is a sentinel and any
// value >= it received from an untrusted caller must be rejected.
// The two quota classes are marked "temporary" in the original; treat them
// as unstable.
//
typedef enum _FSINFOCLASS {
    FileFsVolumeInformation = 1,        // numbering starts at 1; 0 is invalid
    FileFsLabelInformation,
    FileFsSizeInformation,
    FileFsDeviceInformation,            // FILE_FS_DEVICE_INFORMATION
    FileFsAttributeInformation,
    FileFsControlInformation,
    FileFsQuotaQueryInformation,        // temporary
    FileFsQuotaSetInformation,          // temporary
    FileFsMaximumInformation            // sentinel: one past the last valid class
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
|
|
|
|
|
|
|
|
|
|
//
// FILE_FS_DEVICE_INFORMATION (FileFsDeviceInformation): the device type and
// characteristics of the volume's underlying device. DEVICE_TYPE and the
// FILE_DEVICE_* / characteristic bits come from the DDK headers included at
// the top of this file.
//
typedef struct _FILE_FS_DEVICE_INFORMATION {
    DEVICE_TYPE DeviceType;         // FILE_DEVICE_* value
    ULONG Characteristics;          // FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, ...
} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Registry Specific Access Rights.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Registry key specific access rights (bits 0..5 of the ACCESS_MASK) and the
// generic composites built from them. Each composite masks out SYNCHRONIZE
// because registry keys are not waitable objects, so the bit must never be
// requested in DesiredAccess.
// Least-privilege note: open keys with the narrowest composite that works
// (KEY_READ for lookups, KEY_SET_VALUE alone when only values are written);
// KEY_ALL_ACCESS includes KEY_CREATE_LINK and STANDARD_RIGHTS_ALL (WRITE_DAC,
// WRITE_OWNER), which are rarely needed and widen the blast radius of a
// compromised caller.
//

#define KEY_QUERY_VALUE (0x0001)
#define KEY_SET_VALUE (0x0002)
#define KEY_CREATE_SUB_KEY (0x0004)
#define KEY_ENUMERATE_SUB_KEYS (0x0008)
#define KEY_NOTIFY (0x0010)
#define KEY_CREATE_LINK (0x0020)        // required to create registry symbolic links

// Read-only composite: query values, enumerate subkeys, receive change notifications.
#define KEY_READ ((STANDARD_RIGHTS_READ |\
                   KEY_QUERY_VALUE |\
                   KEY_ENUMERATE_SUB_KEYS |\
                   KEY_NOTIFY) \
                  & \
                  (~SYNCHRONIZE))

// Write composite: set values and create subkeys (no link creation).
#define KEY_WRITE ((STANDARD_RIGHTS_WRITE |\
                    KEY_SET_VALUE |\
                    KEY_CREATE_SUB_KEY) \
                   & \
                   (~SYNCHRONIZE))

// There is no "execute" concept for keys; KEY_EXECUTE is an alias of KEY_READ.
#define KEY_EXECUTE ((KEY_READ) \
                     & \
                     (~SYNCHRONIZE))

// Everything, including DACL/owner changes and link creation. Avoid by default.
#define KEY_ALL_ACCESS ((STANDARD_RIGHTS_ALL |\
                         KEY_QUERY_VALUE |\
                         KEY_SET_VALUE |\
                         KEY_CREATE_SUB_KEY |\
                         KEY_ENUMERATE_SUB_KEYS |\
                         KEY_NOTIFY |\
                         KEY_CREATE_LINK) \
                        & \
                        (~SYNCHRONIZE))
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Open/Create Options
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Registry key open/create options (the CreateOptions / OpenOptions argument
// of the key create/open services). REG_LEGAL_OPTION is the set of bits a
// caller may pass; anything outside it should be rejected as invalid.
// Security notes:
//   - REG_OPTION_CREATE_LINK creates a registry symbolic link. A link placed
//     under a path that a more privileged component later opens redirects
//     that component to the link target, so creating links requires
//     KEY_CREATE_LINK and should never be possible in a key writable by
//     less-trusted principals.
//   - REG_OPTION_OPEN_LINK opens the link key itself instead of following it.
//     Use it when inspecting or deleting links so an attacker-controlled
//     target is not opened by mistake.
//   - REG_OPTION_BACKUP_RESTORE bypasses the normal DACL check under the
//     backup/restore privilege (see the original comment); only use it in
//     code that is meant to run with that privilege.
//

#define REG_OPTION_RESERVED (0x00000000L) // Parameter is reserved

#define REG_OPTION_NON_VOLATILE (0x00000000L) // Key is preserved when the
                                              // system is rebooted (default)

#define REG_OPTION_VOLATILE (0x00000001L) // Key is not preserved when the
                                          // system is rebooted

#define REG_OPTION_CREATE_LINK (0x00000002L) // Created key is a symbolic
                                             // link (needs KEY_CREATE_LINK)

#define REG_OPTION_BACKUP_RESTORE (0x00000004L) // open for backup or restore
                                                // special access rules
                                                // privilege required

#define REG_OPTION_OPEN_LINK (0x00000008L) // Open the symbolic link itself,
                                           // do not follow it

// Union of every defined option bit; validate caller-supplied options against it.
#define REG_LEGAL_OPTION \
                (REG_OPTION_RESERVED |\
                 REG_OPTION_NON_VOLATILE |\
                 REG_OPTION_VOLATILE |\
                 REG_OPTION_CREATE_LINK |\
                 REG_OPTION_BACKUP_RESTORE |\
                 REG_OPTION_OPEN_LINK)
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Key creation/open disposition
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Disposition values reported by a key create operation. Code that relies on
// a key being freshly created (e.g. to initialise it with a known DACL or
// default values) must check for REG_CREATED_NEW_KEY rather than assume it;
// REG_OPENED_EXISTING_KEY means another party may already have populated it.
//
#define REG_CREATED_NEW_KEY (0x00000001L) // New Registry Key created
#define REG_OPENED_EXISTING_KEY (0x00000002L) // Existing Key opened
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Key restore flags
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Flags for hive restore / load operations. These act on whole hives and
// require the restore privilege; they are not used by ordinary key access.
//
#define REG_WHOLE_HIVE_VOLATILE (0x00000001L) // Restore whole hive volatile
#define REG_REFRESH_HIVE (0x00000002L) // Unwind changes to last flush
#define REG_NO_LAZY_FLUSH (0x00000004L) // Never lazy flush this hive
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Key query structures
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// KEY_BASIC_INFORMATION (KeyBasicInformation): write time and name of a key,
// as returned by NtEnumerateKey below. NameLength is a byte count (not a
// character count); Name is not guaranteed to be NUL-terminated, so consumers
// must bound by NameLength and verify that
// offsetof(Name) + NameLength <= the ResultLength actually returned.
//
typedef struct _KEY_BASIC_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;               // legacy; normally 0
    ULONG NameLength;               // bytes in Name
    WCHAR Name[1]; // Variable length string
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_NODE_INFORMATION (KeyNodeInformation): KEY_BASIC_INFORMATION plus the
// key's class string. The class is not a declared member; it lives at
// ClassOffset bytes from the start of this structure. Before touching it,
// check ClassOffset + ClassLength against the returned ResultLength — both
// values come from the buffer and must not be trusted blindly when the
// buffer itself was produced by another component.
//
typedef struct _KEY_NODE_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;               // legacy; normally 0
    ULONG ClassOffset;              // byte offset of the class string from struct start
    ULONG ClassLength;              // bytes in the class string
    ULONG NameLength;               // bytes in Name
    WCHAR Name[1]; // Variable length string
    // Class[1]; // Variable length string not declared
} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_FULL_INFORMATION (KeyFullInformation): summary counts of a key's
// subkeys and values plus the maximum lengths among them. The Max* fields are
// what callers use to size buffers for subsequent NtEnumerateKey /
// NtQueryValueKey calls; note they are byte lengths and exclude any NUL.
// Class lives at ClassOffset bytes from the start of this structure, not at
// the declared Class[1] member; bound-check ClassOffset + ClassLength.
//
typedef struct _KEY_FULL_INFORMATION {
    LARGE_INTEGER LastWriteTime;
    ULONG TitleIndex;               // legacy; normally 0
    ULONG ClassOffset;              // byte offset of the class string from struct start
    ULONG ClassLength;              // bytes in the class string
    ULONG SubKeys;                  // number of immediate subkeys
    ULONG MaxNameLen;               // longest subkey name, in bytes
    ULONG MaxClassLen;              // longest subkey class, in bytes
    ULONG Values;                   // number of values
    ULONG MaxValueNameLen;          // longest value name, in bytes
    ULONG MaxValueDataLen;          // largest value data, in bytes
    WCHAR Class[1]; // Variable length
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_INFORMATION_CLASS: selects the layout returned by NtEnumerateKey
// (KEY_BASIC/NODE/FULL_INFORMATION above). Unlike the file classes this
// enumeration starts at 0.
//
typedef enum _KEY_INFORMATION_CLASS {
    KeyBasicInformation,            // 0 -> KEY_BASIC_INFORMATION
    KeyNodeInformation,             // 1 -> KEY_NODE_INFORMATION
    KeyFullInformation              // 2 -> KEY_FULL_INFORMATION
} KEY_INFORMATION_CLASS;
|
|
|
|
|
|
|
|
|
|
//
// KEY_WRITE_TIME_INFORMATION (KeyWriteTimeInformation): explicitly sets a
// key's LastWriteTime. Because it lets a caller with KEY_SET_VALUE rewrite the
// timestamp, LastWriteTime is not tamper-evident and should not be used as a
// security signal.
//
typedef struct _KEY_WRITE_TIME_INFORMATION {
    LARGE_INTEGER LastWriteTime;
} KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_SET_INFORMATION_CLASS: the single set-information class defined here;
// selects KEY_WRITE_TIME_INFORMATION.
//
typedef enum _KEY_SET_INFORMATION_CLASS {
    KeyWriteTimeInformation         // 0 -> KEY_WRITE_TIME_INFORMATION
} KEY_SET_INFORMATION_CLASS;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Value entry query structures
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// KEY_VALUE_BASIC_INFORMATION (KeyValueBasicInformation): type and name of a
// value without its data. NameLength is in bytes and Name is not guaranteed
// NUL-terminated; bound all accesses by NameLength and the returned
// ResultLength.
//
typedef struct _KEY_VALUE_BASIC_INFORMATION {
    ULONG TitleIndex;               // legacy; normally 0
    ULONG Type;                     // REG_* value type (defined later in this header)
    ULONG NameLength;               // bytes in Name
    WCHAR Name[1]; // Variable size
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_VALUE_FULL_INFORMATION (KeyValueFullInformation): type, name and data
// of a value. The data is not a declared member; it starts DataOffset bytes
// from the beginning of this structure. Validate DataOffset + DataLength
// against the ResultLength returned by the query before reading, and do not
// assume REG_SZ / REG_MULTI_SZ data carries its terminating NUL(s) — the
// registry stores whatever bytes the writer supplied.
//
typedef struct _KEY_VALUE_FULL_INFORMATION {
    ULONG TitleIndex;               // legacy; normally 0
    ULONG Type;                     // REG_* value type
    ULONG DataOffset;               // byte offset of the data from struct start
    ULONG DataLength;               // bytes of data
    ULONG NameLength;               // bytes in Name
    WCHAR Name[1]; // Variable size
    // Data[1]; // Variable size data not declared
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_VALUE_PARTIAL_INFORMATION (KeyValuePartialInformation): type and data
// of a value, without the name. Data is variable length (DataLength bytes).
// Robustness: check DataLength <= the bytes actually returned, check Type is
// what the code expects before interpreting Data (a REG_DWORD reader given a
// REG_BINARY of 1 byte over-reads), and add the NUL yourself for string
// types instead of trusting the stored bytes to be terminated.
//
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
    ULONG TitleIndex;               // legacy; normally 0
    ULONG Type;                     // REG_* value type
    ULONG DataLength;               // bytes in Data
    UCHAR Data[1]; // Variable size
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
// KEY_VALUE_ENTRY: one element of a multiple-value query. ValueName is an
// input pointer supplied by the caller; DataLength, DataOffset and Type are
// filled in by the service, with DataOffset relative to the caller's data
// buffer. Bound-check DataOffset + DataLength against that buffer's size.
//
typedef struct _KEY_VALUE_ENTRY {
    PUNICODE_STRING ValueName;      // in: name of the value to fetch
    ULONG DataLength;               // out: bytes of data
    ULONG DataOffset;               // out: offset of the data in the shared buffer
    ULONG Type;                     // out: REG_* value type
} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
|
|
|
|
|
|
|
|
|
|
//
// KEY_VALUE_INFORMATION_CLASS: selects the layout returned by NtQueryValueKey
// (KEY_VALUE_BASIC/FULL/PARTIAL_INFORMATION above). Starts at 0.
//
typedef enum _KEY_VALUE_INFORMATION_CLASS {
    KeyValueBasicInformation,       // 0 -> KEY_VALUE_BASIC_INFORMATION
    KeyValueFullInformation,        // 1 -> KEY_VALUE_FULL_INFORMATION
    KeyValuePartialInformation      // 2 -> KEY_VALUE_PARTIAL_INFORMATION
} KEY_VALUE_INFORMATION_CLASS;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
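//
// NtEnumerateKey: returns information about the Index-th subkey of KeyHandle
// in the layout chosen by KeyInformationClass. KeyHandle needs
// KEY_ENUMERATE_SUB_KEYS.
// Length is the size of the caller's KeyInformation buffer; the service
// writes the number of bytes it needs (or wrote) to *ResultLength. Per NT
// convention a too-small buffer yields STATUS_BUFFER_OVERFLOW /
// STATUS_BUFFER_TOO_SMALL with *ResultLength set to the required size, and
// enumeration ends with STATUS_NO_MORE_ENTRIES — confirm against the target.
// Callers must read only the bytes actually returned and must bound the
// variable-length name/class fields as described on the KEY_*_INFORMATION
// structures above.
// Fix: KeyInformation and ResultLength are written by the service, so they
// are annotated OUT (the original declared them IN, matching nothing else in
// this header).
//
NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_INFORMATION_CLASS KeyInformationClass,
    OUT PVOID KeyInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
    );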
|
|
|
|
|
|
|
|
|
|
//
// NtOpenKey: opens an existing registry key named by ObjectAttributes and
// returns a handle in *KeyHandle. Request the least access that the caller
// will actually use (see the KEY_* composites above); KEY_ALL_ACCESS fails on
// keys where the caller lacks WRITE_DAC/WRITE_OWNER and needlessly widens the
// handle's power where it succeeds. ObjectAttributes->RootDirectory, when
// set, must be a key handle the caller already holds; a NULL root means the
// name is an absolute \Registry\... path.
//
NTSYSAPI
NTSTATUS
NTAPI
NtOpenKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );
|
|
|
|
|
|
|
|
|
|
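//
// NtQueryValueKey: reads the value named *ValueName under KeyHandle into
// KeyValueInformation using the layout selected by KeyValueInformationClass.
// KeyHandle needs KEY_QUERY_VALUE. Length is the caller's buffer size; the
// service writes the bytes needed/written to *ResultLength. Per NT convention
// a too-small buffer returns STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL
// with *ResultLength set to the required size — confirm against the target.
// Consumers must validate Type, DataLength and (for the full layout)
// DataOffset against the returned size before interpreting the data; string
// types are not guaranteed NUL-terminated.
// Fix: KeyValueInformation and ResultLength are written by the service and
// are now annotated OUT (the original declared them IN).
//
NTSYSAPI
NTSTATUS
NTAPI
NtQueryValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
    );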
|
|
|
|
|
|
|
|
|
|
//
// NtSetValueKey: creates or replaces the value *ValueName under KeyHandle
// with DataSize bytes from Data, tagged with the REG_* Type. KeyHandle needs
// KEY_SET_VALUE. TitleIndex is legacy and should be passed as 0.
// The registry stores the bytes verbatim: for REG_SZ / REG_EXPAND_SZ include
// the terminating NUL in DataSize (REG_MULTI_SZ needs the double NUL), and
// never write caller-controlled text as REG_EXPAND_SZ, since the %VAR%
// expansion done by readers is an injection point.
//
NTSYSAPI
NTSTATUS
NTAPI
NtSetValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
    );
|
|
|
|
|
|
|
|
|
|
//
// NtDeleteValueKey: removes the value *ValueName from KeyHandle. KeyHandle
// needs KEY_SET_VALUE. Per NT convention a missing value yields
// STATUS_OBJECT_NAME_NOT_FOUND; callers that treat deletion as idempotent
// should accept that status — confirm against the target kernel.
//
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName
    );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Object-manager path separator. Only '\\' separates components in the NT
// namespace; '/' is an ordinary name character there, so path validation
// written for Win32 paths (which accept both) does not carry over.
#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\')
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Object Manager Object Type Specific Access Rights.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Access rights specific to object-type objects (\ObjectTypes\*). Only one
// specific right exists; OBJECT_TYPE_ALL_ACCESS adds the standard rights.
//
#define OBJECT_TYPE_CREATE (0x0001)

#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Object Manager Directory Specific Access Rights.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Access rights specific to object-manager directories (\??, \Device,
// \BaseNamedObjects, ...). DIRECTORY_CREATE_OBJECT / CREATE_SUBDIRECTORY on a
// directory shared with less-trusted principals let them pre-create names
// that more privileged code later opens (name squatting / symlink planting),
// so DACLs on shared directories should grant only DIRECTORY_QUERY and
// DIRECTORY_TRAVERSE to untrusted callers. DIRECTORY_ALL_ACCESS's 0xF is the
// union of the four specific bits.
//
#define DIRECTORY_QUERY (0x0001)
#define DIRECTORY_TRAVERSE (0x0002)
#define DIRECTORY_CREATE_OBJECT (0x0004)
#define DIRECTORY_CREATE_SUBDIRECTORY (0x0008)

#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Object Manager Symbolic Link Specific Access Rights.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Access rights specific to object-manager symbolic links. Only querying the
// target is a specific right; retargeting a link is governed by the rights
// needed to delete and recreate it in its parent directory.
//
#define SYMBOLIC_LINK_QUERY (0x0001)

#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
|
|
|
|
|
|
|
|
|
|
//
// OBJECT_NAME_INFORMATION: the full NT namespace name of an object. The
// UNICODE_STRING's Buffer points into the same caller buffer immediately
// after this header, so the buffer must be sized for the header plus the
// name, and Name.Buffer must be checked to lie inside it when the data comes
// from an untrusted source. Name.Length is in bytes.
//
typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Section Information Structures.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// SECTION_INHERIT: controls whether a mapped view is inherited by child
// processes (ViewShare) or not (ViewUnmap). Prefer ViewUnmap unless the
// child genuinely needs the mapping; shared views extend the lifetime and
// reach of whatever the section contains.
//
typedef enum _SECTION_INHERIT {
    ViewShare = 1,                  // child processes inherit the view
    ViewUnmap = 2                   // view is not inherited
} SECTION_INHERIT;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Section Access Rights.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// begin_winnt
|
|
|
|
|
//
// Section (file-mapping) object access rights. Request only the map rights
// the caller needs: a handle with SECTION_MAP_WRITE on a section that other
// processes map executable is a code-injection primitive, and
// SECTION_EXTEND_SIZE lets the holder grow a file-backed section.
//
#define SECTION_QUERY 0x0001
#define SECTION_MAP_WRITE 0x0002
#define SECTION_MAP_READ 0x0004
#define SECTION_MAP_EXECUTE 0x0008
#define SECTION_EXTEND_SIZE 0x0010

#define SECTION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|\
                            SECTION_MAP_WRITE | \
                            SECTION_MAP_READ | \
                            SECTION_MAP_EXECUTE | \
                            SECTION_EXTEND_SIZE)
|
|
|
|
|
// end_winnt
|
|
|
|
|
|
|
|
|
|
// Legacy alias: "segment" was the earlier name for a section object.
#define SEGMENT_ALL_ACCESS SECTION_ALL_ACCESS
|
|
|
|
|
|
|
|
|
|
//
// Page protection values (one of the first eight, optionally OR'ed with
// PAGE_GUARD / PAGE_NOCACHE). Follow W^X: memory should be writable or
// executable, never both at once. PAGE_EXECUTE_READWRITE and
// PAGE_EXECUTE_WRITECOPY defeat DEP for the region and are legitimate only
// transiently (e.g. a JIT flipping to PAGE_EXECUTE_READ once code is written).
//
#define PAGE_NOACCESS 0x01 // winnt
#define PAGE_READONLY 0x02 // winnt
#define PAGE_READWRITE 0x04 // winnt
#define PAGE_WRITECOPY 0x08 // winnt
#define PAGE_EXECUTE 0x10 // winnt
#define PAGE_EXECUTE_READ 0x20 // winnt
#define PAGE_EXECUTE_READWRITE 0x40 // winnt  -- W+X: avoid
#define PAGE_EXECUTE_WRITECOPY 0x80 // winnt  -- W+X: avoid
#define PAGE_GUARD 0x100 // winnt  -- modifier: first touch raises STATUS_GUARD_PAGE_VIOLATION
#define PAGE_NOCACHE 0x200 // winnt  -- modifier: disable caching for the range
|
|
|
|
|
|
|
|
|
|
//
// Virtual-memory allocation types (MEM_*) and the SEC_RESERVE section flag.
// MEM_COMMIT / MEM_RESERVE / MEM_TOP_DOWN / MEM_LARGE_PAGES are inputs to an
// allocate; MEM_DECOMMIT / MEM_RELEASE are inputs to a free; MEM_FREE /
// MEM_PRIVATE / MEM_MAPPED describe a region in a query result; MEM_RESET
// tells the memory manager the contents are disposable (not a zero-fill —
// data may or may not survive, so never use it to scrub secrets).
//
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_DECOMMIT 0x4000
#define MEM_RELEASE 0x8000
#define MEM_FREE 0x10000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED 0x40000
#define MEM_RESET 0x80000
#define MEM_TOP_DOWN 0x100000
#define MEM_LARGE_PAGES 0x20000000
#define SEC_RESERVE 0x4000000
|
|
|
|
|
//
// PROCESS_ALL_ACCESS: every process-specific right known to this header
// (0xFFF = 12 bits) plus the standard rights and SYNCHRONIZE.
// NOTE(review): later kernels define additional process rights (the mask
// grew to 0xFFFF); requesting this older, smaller mask is still accepted
// there but does not grant the newer bits — confirm on the target.
// Least privilege applies: open processes with the specific rights needed
// (e.g. PROCESS_QUERY_INFORMATION) rather than ALL_ACCESS.
//
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
                            0xFFF)

// Affinity masks are 32-bit here; this header is i386-only (see CONTEXT below).
#define MAXIMUM_PROCESSORS 32
|
|
|
|
|
|
|
|
|
|
// end_winnt
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Thread Specific Access Rights
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Thread-specific access rights. Only the two rights this header uses are
// spelled out; THREAD_ALL_ACCESS covers the 10 specific bits (0x3FF) known to
// this era of the kernel.
// NOTE(review): later kernels extend the thread rights mask (to 0xFFFF);
// confirm on the target if exact ALL_ACCESS semantics matter.
//
#define THREAD_TERMINATE (0x0001) // winnt
#define THREAD_SET_INFORMATION (0x0020) // winnt

#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
                           0x3FF)
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// ClientId
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// CLIENT_ID: the (process id, thread id) pair identifying a thread. Both ids
// are carried in HANDLE-sized fields although they are not handles; do not
// pass them to NtClose or other handle APIs, and remember that ids are
// recycled after a thread/process exits, so an id alone never proves
// identity over time.
//
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;           // process id (not a handle)
    HANDLE UniqueThread;            // thread id (not a handle)
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Define the size of the 80387 save area, which is in the context frame.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
// 8 x87 registers x 10 bytes each = 80 bytes of raw FPU register state.
#define SIZE_OF_80387_REGISTERS 80
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// The following flags control the contents of the CONTEXT structure.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// ContextFlags bit definitions for the i386 CONTEXT below. The high word
// (CONTEXT_i386) identifies the architecture; the low bits select which
// sections of the record are valid/requested. Note that CONTEXT_FULL does
// NOT include CONTEXT_FLOATING_POINT or CONTEXT_DEBUG_REGISTERS — a thread
// context captured with CONTEXT_FULL carries no FPU or hardware-breakpoint
// state, and applying it leaves those untouched.
//
#if !defined(RC_INVOKED)

#define CONTEXT_i386 0x00010000 // this assumes that i386 and
#define CONTEXT_i486 0x00010000 // i486 have identical context records

// end_wx86

#define CONTEXT_CONTROL (CONTEXT_i386 | 0x00000001L) // SS:SP, CS:IP, FLAGS, BP
#define CONTEXT_INTEGER (CONTEXT_i386 | 0x00000002L) // AX, BX, CX, DX, SI, DI
#define CONTEXT_SEGMENTS (CONTEXT_i386 | 0x00000004L) // DS, ES, FS, GS
#define CONTEXT_FLOATING_POINT (CONTEXT_i386 | 0x00000008L) // 387 state
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_i386 | 0x00000010L) // DB 0-3,6,7

// Control + integer + segment registers only (no FPU, no debug registers).
#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER |\
                      CONTEXT_SEGMENTS)

// begin_wx86

#endif
|
|
|
|
|
|
|
|
|
|
//
// FLOATING_SAVE_AREA: x87 FPU state as laid out by FNSAVE (control/status/tag
// words, last instruction and operand pointers, then the eight 80-bit
// registers), plus the kernel's NPX state word. It is the CONTEXT_FLOATING_POINT
// section of the CONTEXT record below. 112 bytes on a 32-bit build.
//
typedef struct _FLOATING_SAVE_AREA {
    ULONG ControlWord;
    ULONG StatusWord;
    ULONG TagWord;
    ULONG ErrorOffset;              // EIP of the last FP instruction
    ULONG ErrorSelector;            // CS of the last FP instruction
    ULONG DataOffset;               // address of the last FP operand
    ULONG DataSelector;
    UCHAR RegisterArea[SIZE_OF_80387_REGISTERS];   // ST(0)..ST(7), 10 bytes each
    ULONG Cr0NpxState;              // kernel-private NPX state; opaque to user mode
} FLOATING_SAVE_AREA;

typedef FLOATING_SAVE_AREA *PFLOATING_SAVE_AREA;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Context Frame
|
|
|
|
|
//
|
|
|
|
|
// This frame has several purposes: 1) it is used as an argument to
// NtContinue, 2) it is used to construct a call frame for APC delivery,
// and 3) it is used in the user level thread creation routines.
|
|
|
|
|
//
|
|
|
|
|
// The layout of the record conforms to a standard call frame.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// CONTEXT (i386 only): the register frame handed to NtContinue, built for APC
// delivery, and supplied to NtCreateThread (see above). ContextFlags selects
// which sections below are valid on input and filled on output.
// A record coming from user mode is untrusted input to the kernel: SegCs and
// EFlags (marked MUST BE SANITIZED) are forced to user-mode-safe values when
// the record is applied, so user-mode code that receives a CONTEXT from
// another process should likewise not assume those fields are well-formed.
// NOTE(review): this layout ends at SegSs (204 bytes on a 32-bit build).
// Later i386 SDKs append ExtendedRegisters[512] for SSE state; a kernel that
// probes/copies its own sizeof(CONTEXT) will read past a record of this size
// — confirm against the target kernel before passing a stack-allocated
// CONTEXT to NtCreateThread or NtContinue.
//
typedef struct _CONTEXT {

    //
    // The flags values within this flag control the contents of
    // a CONTEXT record.
    //
    // If the context record is used as an input parameter, then
    // for each portion of the context record controlled by a flag
    // whose value is set, it is assumed that that portion of the
    // context record contains valid context. If the context record
    // is being used to modify a thread's context, then only that
    // portion of the thread's context will be modified.
    //
    // If the context record is used as an IN OUT parameter to capture
    // the context of a thread, then only those portions of the thread's
    // context corresponding to set flags will be returned.
    //
    // The context record is never used as an OUT only parameter.
    //

    ULONG ContextFlags;             // CONTEXT_* bits (see above)

    //
    // This section is specified/returned if CONTEXT_DEBUG_REGISTERS is
    // set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT
    // included in CONTEXT_FULL. Dr7 enables hardware breakpoints; an
    // untrusted record with debug registers set can plant breakpoints in
    // the target thread, which is why it is opt-in.
    //

    ULONG Dr0;
    ULONG Dr1;
    ULONG Dr2;
    ULONG Dr3;
    ULONG Dr6;
    ULONG Dr7;

    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_FLOATING_POINT.
    //

    FLOATING_SAVE_AREA FloatSave;

    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_SEGMENTS.
    //

    ULONG SegGs;
    ULONG SegFs;
    ULONG SegEs;
    ULONG SegDs;

    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_INTEGER.
    //

    ULONG Edi;
    ULONG Esi;
    ULONG Ebx;
    ULONG Edx;
    ULONG Ecx;
    ULONG Eax;

    //
    // This section is specified/returned if the
    // ContextFlags word contains the flag CONTEXT_CONTROL.
    // The layout from Ebp down matches a standard call frame, which is
    // why this struct can be used directly for APC and thread start-up.
    //

    ULONG Ebp;
    ULONG Eip;
    ULONG SegCs; // MUST BE SANITIZED  -- kernel forces a user-mode code selector
    ULONG EFlags; // MUST BE SANITIZED -- kernel masks privileged flag bits (IOPL, IF, ...)
    ULONG Esp;
    ULONG SegSs;

} CONTEXT;

typedef CONTEXT *PCONTEXT;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Predefined Value Types.
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// Registry value types (the Type field of the KEY_VALUE_*_INFORMATION
// structures and of NtSetValueKey). The type is a hint recorded by the
// writer, not a guarantee about the data: a REG_SZ need not be NUL-terminated,
// a REG_MULTI_SZ need not end in a double NUL, and a REG_DWORD need not be
// 4 bytes long. Readers must validate DataLength for the type they expect
// and terminate strings themselves. REG_EXPAND_SZ values are expanded with
// environment variables by readers, so their content (and the environment
// of the expanding process) must be trusted.
//
#define REG_NONE ( 0 ) // No value type
#define REG_SZ ( 1 ) // Unicode nul terminated string (termination not enforced on read)
#define REG_EXPAND_SZ ( 2 ) // Unicode nul terminated string
                            // (with environment variable references)
#define REG_BINARY ( 3 ) // Free form binary
#define REG_DWORD ( 4 ) // 32-bit number
#define REG_DWORD_LITTLE_ENDIAN ( 4 ) // 32-bit number (same as REG_DWORD)
#define REG_DWORD_BIG_ENDIAN ( 5 ) // 32-bit number
#define REG_LINK ( 6 ) // Symbolic Link (unicode)
#define REG_MULTI_SZ ( 7 ) // Multiple Unicode strings
#define REG_RESOURCE_LIST ( 8 ) // Resource list in the resource map
#define REG_FULL_RESOURCE_DESCRIPTOR ( 9 ) // Resource list in the hardware description
#define REG_RESOURCE_REQUIREMENTS_LIST ( 10 )
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
LONG
|
|
|
|
|
FASTCALL
|
|
|
|
|
InterlockedIncrement(
|
|
|
|
|
IN PLONG Addend
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
LONG
|
|
|
|
|
FASTCALL
|
|
|
|
|
InterlockedDecrement(
|
|
|
|
|
IN PLONG Addend
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
LONG
|
|
|
|
|
FASTCALL
|
|
|
|
|
InterlockedExchange(
|
|
|
|
|
IN OUT PLONG Target,
|
|
|
|
|
IN LONG Value
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
LONG
|
|
|
|
|
FASTCALL
|
|
|
|
|
InterlockedExchangeAdd(
|
|
|
|
|
IN OUT PLONG Addend,
|
|
|
|
|
IN LONG Increment
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
PVOID
|
|
|
|
|
FASTCALL
|
|
|
|
|
InterlockedCompareExchange(
|
|
|
|
|
IN OUT PVOID *Destination,
|
|
|
|
|
IN PVOID ExChange,
|
|
|
|
|
IN PVOID Comperand
|
|
|
|
|
);
|
|
|
|
|
*/
|
|
|
|
|
//
|
|
|
|
|
// Environment information, which includes command line and
|
|
|
|
|
// image file name
|
|
|
|
|
//
|
|
|
|
|
//
// ENVIRONMENT_INFORMATION: command line and image name of a native process,
// reached through STARTUP_ARGUMENT below.
// NOTE(review): the leading Unknown[21] (84 bytes) is a reverse-engineered
// placeholder, not a documented layout; the offsets are not an ABI guarantee
// across kernel versions — confirm on the target before relying on them.
// Both strings are UNICODE_STRINGs whose Length is in bytes and whose Buffer
// is not guaranteed to be NUL-terminated.
//
typedef struct {
    ULONG Unknown[21];              // opaque; layout not documented here
    UNICODE_STRING CommandLine;
    UNICODE_STRING ImageFile;
} ENVIRONMENT_INFORMATION, *PENVIRONMENT_INFORMATION;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// This structure is passed as NtProcessStartup's parameter
|
|
|
|
|
//
|
|
|
|
|
//
// STARTUP_ARGUMENT: the block a native application's NtProcessStartup
// receives. Only the Environment pointer is named; the three leading ULONGs
// are an opaque placeholder.
// NOTE(review): reverse-engineered layout — validate Environment != NULL
// before use and confirm the offsets on the target OS.
//
typedef struct {
    ULONG Unknown[3];               // opaque; layout not documented here
    PENVIRONMENT_INFORMATION Environment;
} STARTUP_ARGUMENT, *PSTARTUP_ARGUMENT;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Data structure for heap definition. This includes various
|
|
|
|
|
// sizing parameters and callback routines, which, if left NULL,
|
|
|
|
|
// result in default behavior
|
|
|
|
|
//
|
|
|
|
|
//
// RTL_HEAP_DEFINITION: an opaque, 48-byte heap-definition block. Only the
// Length field (which must be set to sizeof(RTL_HEAP_DEFINITION)) is named.
// NOTE(review): RTL_HEAP_PARAMETERS later in this header is the fully named
// equivalent and is what RtlCreateHeap is declared to take; prefer it.
//
typedef struct {
    ULONG Length;                   // must be sizeof(RTL_HEAP_DEFINITION)
    ULONG Unknown[11];              // opaque
} RTL_HEAP_DEFINITION, *PRTL_HEAP_DEFINITION;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Native NT api function to write something to the boot-time
|
|
|
|
|
// blue screen
|
|
|
|
|
//
|
|
|
|
|
//
// NtDisplayString: writes *String to the boot-time text console (see the
// comment above). Privileged: per NT convention the caller needs
// SeTcbPrivilege, so this is only usable from boot-time native applications
// or equally trusted code — confirm on the target. String->Length is in
// bytes; the buffer need not be NUL-terminated.
//
NTSTATUS
NTAPI
NtDisplayString(
    PUNICODE_STRING String
    );
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Native applications must kill themselves when done - the job
|
|
|
|
|
// of this native API
|
|
|
|
|
//
|
|
|
|
|
//
// NtTerminateProcess: terminates the process ProcessHandle refers to with
// ExitStatus. ProcessHandle needs PROCESS_TERMINATE. Per NT convention a
// NULL handle means the calling process, and NtCurrentProcess() (defined
// below) may be used explicitly — confirm on the target. Does not return when
// the caller terminates itself; a native application must call this (or
// NtTerminateThread on its last thread) before returning from its entry
// point, as the comment above notes.
//
NTSTATUS
NTAPI
NtTerminateProcess(
    HANDLE ProcessHandle,
    LONG ExitStatus
    );
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Thread start function
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
//
// PKSTART_ROUTINE: entry point of a system thread; StartContext is the
// opaque pointer passed at creation. The routine's lifetime contract (who
// frees StartContext, and that the thread must terminate itself) is the
// caller's responsibility to define.
//
typedef
VOID
(*PKSTART_ROUTINE) (
    IN PVOID StartContext
    );
|
|
|
|
|
|
|
|
|
|
//
// STACKINFO: the initial stack description handed to NtCreateThread below
// (this is the role other headers give INITIAL_TEB — TODO confirm the field
// correspondence). TopOfStack / BottomOfStack bound the committed stack and
// OnePageBelowTopOfStack is the guard-page boundary.
// NOTE(review): the fields are ULONG, i.e. they hold addresses as 32-bit
// integers. This is correct only on i386 (consistent with the CONTEXT above);
// a 64-bit build needs pointer-sized fields.
//
typedef struct StackInfo_t {
    ULONG Unknown1;                 // opaque
    ULONG Unknown2;                 // opaque
    ULONG TopOfStack;               // highest stack address (stack grows down from here)
    ULONG OnePageBelowTopOfStack;   // start of the first usable page below the top
    ULONG BottomOfStack;            // lowest committed/reserved stack address
} STACKINFO, *PSTACKINFO;
|
|
|
|
|
|
|
|
|
|
//
// NtCreateThread: creates a thread in hProcess with the initial register
// state *pContext and stack *pStackInfo, returning a handle in *phThread and
// the ids in *pClientId. hProcess needs PROCESS_CREATE_THREAD; AccessMask is
// the access granted on the new thread handle (least privilege applies).
// The kernel treats pContext as untrusted and sanitises SegCs/EFlags (see
// CONTEXT); the caller remains responsible for making Eip/Esp point into
// valid, appropriately protected memory of the target process. bSuspended ==
// TRUE creates the thread suspended so the caller can finish setup first.
// NOTE(review): the kernel copies its own sizeof(CONTEXT) from pContext; see
// the ExtendedRegisters caveat on the CONTEXT definition above.
//
NTSYSAPI
NTSTATUS
NTAPI
NtCreateThread(
    OUT PHANDLE phThread,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE hProcess,
    OUT PCLIENT_ID pClientId,
    IN PCONTEXT pContext,
    OUT PSTACKINFO pStackInfo,
    IN BOOLEAN bSuspended
    );
|
|
|
|
|
|
|
|
|
|
/*NTSTATUS
|
|
|
|
|
PsCreateSystemThread(
|
|
|
|
|
OUT PHANDLE ThreadHandle,
|
|
|
|
|
IN ACCESS_MASK DesiredAccess,
|
|
|
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
|
|
|
IN HANDLE ProcessHandle OPTIONAL,
|
|
|
|
|
OUT PCLIENT_ID ClientId OPTIONAL,
|
|
|
|
|
IN PKSTART_ROUTINE StartRoutine,
|
|
|
|
|
IN PVOID StartContext
|
|
|
|
|
);
|
|
|
|
|
*/
|
|
|
|
|
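//
// NtTerminateThread: terminates the thread ThreadHandle refers to with
// ExitStatus. ThreadHandle needs THREAD_TERMINATE; per NT convention a NULL
// handle means the calling thread — confirm on the target. Terminating
// another thread abandons whatever locks or heap operations it was in the
// middle of, so prefer cooperative shutdown for threads in the same process.
// Fix: the original declaration had no NTSYSAPI/NTAPI, unlike every other
// Nt* prototype in this header. NTAPI carries the __stdcall convention on
// i386; without it the compiler uses its default convention for the call,
// which mismatches the ntdll export and corrupts the stack on return.
//
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateThread(
    IN HANDLE ThreadHandle OPTIONAL,
    IN NTSTATUS ExitStatus
    );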
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
BOOLEAN
|
|
|
|
|
PsGetVersion(
|
|
|
|
|
PULONG MajorVersion OPTIONAL,
|
|
|
|
|
PULONG MinorVersion OPTIONAL,
|
|
|
|
|
PULONG BuildNumber OPTIONAL,
|
|
|
|
|
PUNICODE_STRING CSDVersion OPTIONAL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
HANDLE
|
|
|
|
|
PsGetCurrentProcessId( VOID );
|
|
|
|
|
|
|
|
|
|
HANDLE
|
|
|
|
|
PsGetCurrentThreadId( VOID );
|
|
|
|
|
*/
|
|
|
|
|
//
|
|
|
|
|
// Definition to represent current process
|
|
|
|
|
//
|
|
|
|
|
// Pseudo-handle for the calling process. It is not a real handle: do not
// NtClose it, duplicate it, or hand it to another process expecting it to
// refer back to this one.
#define NtCurrentProcess() ( (HANDLE) -1 )
|
|
|
|
|
|
|
|
|
|
//
// PRTL_HEAP_COMMIT_ROUTINE: optional callback (RTL_HEAP_PARAMETERS.CommitRoutine)
// the heap invokes to commit more memory from Base. On entry *CommitAddress /
// *CommitSize describe the request; the routine may adjust them and returns
// an NTSTATUS. Runs under the heap's lock, so it must not re-enter the heap.
// NOTE(review): CommitSize is PULONG, which is pointer-sized only on i386;
// a 64-bit build would need a PSIZE_T here.
//
typedef NTSTATUS
(*PRTL_HEAP_COMMIT_ROUTINE)(
    IN PVOID Base,
    IN OUT PVOID *CommitAddress,
    IN OUT PULONG CommitSize
    );
|
|
|
|
|
|
|
|
|
|
//
// RTL_HEAP_PARAMETERS: optional tuning block for RtlCreateHeap. Length must
// be set to sizeof(RTL_HEAP_PARAMETERS); zero in any other field selects the
// heap manager's default. Reserved must be zero.
// NOTE(review): all size fields are ULONG, which matches SIZE_T only on
// 32-bit targets; this header is i386-only (see CONTEXT).
//
typedef struct _RTL_HEAP_PARAMETERS {
    ULONG Length;                   // sizeof(RTL_HEAP_PARAMETERS)
    ULONG SegmentReserve;           // address space reserved per segment
    ULONG SegmentCommit;            // initial commit per segment
    ULONG DeCommitFreeBlockThreshold;
    ULONG DeCommitTotalFreeThreshold;
    ULONG MaximumAllocationSize;    // largest single block the heap will hand out
    ULONG VirtualMemoryThreshold;   // blocks above this are served by VirtualAlloc-style allocation
    ULONG InitialCommit;
    ULONG InitialReserve;
    PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;   // NULL = default commit behaviour
    ULONG Reserved[ 2 ];            // must be zero
} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
|
|
|
|
|
|
|
|
|
|
//
// RtlCreateHeap: creates a heap and returns its handle, or NULL on failure
// (always check). Flags is a combination of the HEAP_* create flags below
// (validated against HEAP_CREATE_VALID_MASK). HeapBase == NULL lets the heap
// manager reserve its own memory; a non-NULL HeapBase places the heap in
// caller-provided memory of at least ReserveSize bytes. Lock is an optional
// caller-supplied lock and is ignored when HEAP_NO_SERIALIZE is set.
// Use HEAP_NO_SERIALIZE only for heaps that are provably touched by one
// thread; otherwise concurrent RtlAllocateHeap/RtlFreeHeap calls race on the
// heap metadata. Pair every heap with RtlDestroyHeap.
// NOTE(review): ReserveSize / CommitSize are ULONG (SIZE_T on 32-bit only).
//
NTSYSAPI
PVOID
NTAPI
RtlCreateHeap(
    IN ULONG Flags,
    IN PVOID HeapBase OPTIONAL,
    IN ULONG ReserveSize OPTIONAL,
    IN ULONG CommitSize OPTIONAL,
    IN PVOID Lock OPTIONAL,
    IN PRTL_HEAP_PARAMETERS Parameters OPTIONAL
    );
|
|
|
|
|
|
|
|
|
|
//
// Heap flags for RtlCreateHeap / RtlAllocateHeap / RtlFreeHeap.
//  - HEAP_NO_SERIALIZE removes the heap's internal locking. On a heap used by
//    more than one thread that is a data race that corrupts heap metadata;
//    set it only on strictly single-threaded heaps (or serialize externally).
//  - HEAP_GENERATE_EXCEPTIONS turns allocation failure from a NULL return
//    into an SEH exception; code written to check for NULL must not pass it.
//  - HEAP_ZERO_MEMORY prevents stale data from a previous user of the block
//    leaking through an uninitialised buffer; prefer it for anything that is
//    later copied out of the process.
//  - HEAP_TAIL_CHECKING_ENABLED / HEAP_FREE_CHECKING_ENABLED add overrun and
//    use-after-free detection; cheap insurance in debug builds.
//
#define HEAP_NO_SERIALIZE 0x00000001 // winnt
#define HEAP_GROWABLE 0x00000002 // winnt
#define HEAP_GENERATE_EXCEPTIONS 0x00000004 // winnt
#define HEAP_ZERO_MEMORY 0x00000008 // winnt
#define HEAP_REALLOC_IN_PLACE_ONLY 0x00000010 // winnt
#define HEAP_TAIL_CHECKING_ENABLED 0x00000020 // winnt
#define HEAP_FREE_CHECKING_ENABLED 0x00000040 // winnt
#define HEAP_DISABLE_COALESCE_ON_FREE 0x00000080 // winnt

#define HEAP_CREATE_ALIGN_16 0x00010000 // winnt Create heap with 16 byte alignment
#define HEAP_CREATE_ENABLE_TRACING 0x00020000 // winnt Create heap call tracing enabled

// Per-allocation flags a caller may set on a block (not create flags).
#define HEAP_SETTABLE_USER_VALUE 0x00000100
#define HEAP_SETTABLE_USER_FLAG1 0x00000200
#define HEAP_SETTABLE_USER_FLAG2 0x00000400
#define HEAP_SETTABLE_USER_FLAG3 0x00000800
#define HEAP_SETTABLE_USER_FLAGS 0x00000E00

// Heap class, encoded in bits 12..15 of the create flags.
#define HEAP_CLASS_0 0x00000000 // process heap
#define HEAP_CLASS_1 0x00001000 // private heap
#define HEAP_CLASS_2 0x00002000 // Kernel Heap
#define HEAP_CLASS_3 0x00003000 // GDI heap
#define HEAP_CLASS_4 0x00004000 // User heap
#define HEAP_CLASS_5 0x00005000 // Console heap
#define HEAP_CLASS_6 0x00006000 // User Desktop heap
#define HEAP_CLASS_7 0x00007000 // Csrss Shared heap
#define HEAP_CLASS_8 0x00008000 // Csr Port heap
#define HEAP_CLASS_MASK 0x0000F000

//
// Heap tagging. Tags are placed in the flags word above bit HEAP_TAG_SHIFT.
// NOTE(review): with HEAP_TAG_SHIFT == 16, HEAP_TAG_MASK is 0x0FFF0000 and
// overlaps HEAP_CREATE_ALIGN_16 (0x00010000) and HEAP_CREATE_ENABLE_TRACING
// (0x00020000) defined above. Later SDKs moved the shift to 18 to resolve
// this; confirm which encoding the target ntdll expects before passing tag
// flags to RtlAllocateHeap, and never combine tags with the two create flags
// under this encoding.
//
#define HEAP_MAXIMUM_TAG 0x0FFF // winnt
#define HEAP_GLOBAL_TAG 0x0800
#define HEAP_PSEUDO_TAG_FLAG 0x8000 // winnt
#define HEAP_TAG_SHIFT 16 // winnt
#define HEAP_MAKE_TAG_FLAGS( b, o ) ((ULONG)((b) + ((o) << 16))) // winnt
#define HEAP_TAG_MASK (HEAP_MAXIMUM_TAG << HEAP_TAG_SHIFT)

// Every flag RtlCreateHeap accepts; anything outside this set is invalid.
#define HEAP_CREATE_VALID_MASK (HEAP_NO_SERIALIZE | \
                                HEAP_GROWABLE | \
                                HEAP_GENERATE_EXCEPTIONS | \
                                HEAP_ZERO_MEMORY | \
                                HEAP_REALLOC_IN_PLACE_ONLY | \
                                HEAP_TAIL_CHECKING_ENABLED | \
                                HEAP_FREE_CHECKING_ENABLED | \
                                HEAP_DISABLE_COALESCE_ON_FREE | \
                                HEAP_CLASS_MASK | \
                                HEAP_CREATE_ALIGN_16 | \
                                HEAP_CREATE_ENABLE_TRACING)
|
|
|
|
|
|
|
|
|
|
//
// RtlDestroyHeap: releases a heap created by RtlCreateHeap and all blocks in
// it. Per NT convention it returns NULL on success and the heap handle on
// failure — confirm on the target. Every pointer into the heap is dangling
// afterwards; destroying a heap other threads may still be using is a
// use-after-free.
//
NTSYSAPI
PVOID
NTAPI
RtlDestroyHeap(
    IN PVOID HeapHandle
    );
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Heap allocation function (ala "malloc")
|
|
|
|
|
//
|
|
|
|
|
//
// RtlAllocateHeap: allocates Size bytes from Heap, returning NULL on failure
// unless HEAP_GENERATE_EXCEPTIONS is in effect. Always check the result
// (CERT MEM32-C). Flags is a combination of the HEAP_* allocation flags
// (HEAP_ZERO_MEMORY is the only way to get a zeroed block; otherwise the
// contents are whatever the previous owner left). Size arithmetic done by
// the caller (count * element size, length + header) must be checked for
// overflow before it reaches this call — a wrapped Size yields a small block
// and a subsequent heap overflow.
// NOTE(review): Size is ULONG (SIZE_T on 32-bit only).
//
PVOID
NTAPI
RtlAllocateHeap(
    HANDLE Heap,
    ULONG Flags,
    ULONG Size
    );
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Heap free function (ala "free")
|
|
|
|
|
//
|
|
|
|
|
//
// RtlFreeHeap: returns the block at Address to Heap. Returns TRUE on success.
// Address must have come from the same heap (and the same tag/serialization
// flags); freeing a foreign or already-freed pointer corrupts the heap.
// Callers should NULL the pointer after a successful free to make
// double-free and use-after-free fail loudly instead of silently.
//
BOOLEAN
NTAPI
RtlFreeHeap(
    HANDLE Heap,
    ULONG Flags,
    PVOID Address
    );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//
// NtCreateFile: opens or creates the file/device named by ObjectAttributes
// (an NT namespace path such as \??\C:\... or \Device\...) and returns a
// handle in *FileHandle. CreateDisposition (FILE_OPEN, FILE_CREATE, ...)
// chooses open-vs-create semantics; CreateOptions holds FILE_* flags such as
// FILE_SYNCHRONOUS_IO_NONALERT, which makes the handle usable with a NULL
// FileOffset in NtReadFile/NtWriteFile. IoStatusBlock->Information receives
// the FILE_CREATED / FILE_OPENED / ... disposition result.
// EaBuffer, when non-NULL, is a FILE_FULL_EA_INFORMATION chain of EaLength
// bytes (see the validation notes on that structure); pass NULL and 0 when
// no extended attributes are supplied.
// Security: request the minimum DesiredAccess, and when the path originates
// from a less-trusted caller (e.g. kernel code acting on behalf of user
// mode) set the appropriate OBJ_* attributes (OBJ_FORCE_ACCESS_CHECK,
// OBJ_KERNEL_HANDLE) in ObjectAttributes so the open is checked against the
// right security context — those constants come from ntdef.h.
//
NTSTATUS
NTAPI
NtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    );
|
|
|
|
|
|
|
|
|
|
//
// NtOpenFile: opens an existing file/device (never creates) and returns a
// handle in *phFile. ShareMode is the FILE_SHARE_* mask; OpenMode holds the
// FILE_* open options (the same set as NtCreateFile's CreateOptions, e.g.
// FILE_SYNCHRONOUS_IO_NONALERT, FILE_NON_DIRECTORY_FILE). The same
// least-privilege and OBJ_* attribute guidance as for NtCreateFile applies.
//
NTSYSAPI
NTSTATUS
NTAPI
NtOpenFile(
    OUT PHANDLE phFile,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG ShareMode,
    IN ULONG OpenMode
    );
|
|
|
|
|
|
|
|
|
|
//
// NtDeviceIoControlFile: sends the IOCTL DeviceIoControlCode (built with
// CTL_CODE from DEVIOCTL.H) to the device behind hFile. InBuffer/InBufferLength
// are the request, OutBuffer/OutBufferLength the reply buffer; on completion
// pIoStatusBlock->Information holds the number of bytes returned, which may
// be less than OutBufferLength — read only that many. For asynchronous
// handles the call may return STATUS_PENDING and complete later via hEvent
// and/or IoApcRoutine(IoApcContext, pIoStatusBlock, ...); the buffers and the
// IO_STATUS_BLOCK must stay valid until then.
// The control code's method bits decide how the buffers reach the driver;
// with METHOD_NEITHER the driver receives the raw user pointers and is
// responsible for probing them, so a driver exposing such IOCTLs to this
// caller must not trust InBufferLength/OutBufferLength either.
//
NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG DeviceIoControlCode,
    IN PVOID InBuffer OPTIONAL,
    IN ULONG InBufferLength,
    OUT PVOID OutBuffer OPTIONAL,
    IN ULONG OutBufferLength
    );
|
|
|
|
|
|
|
|
|
|
//
// NtFsControlFile: same calling convention and buffer rules as
// NtDeviceIoControlFile, but the code is an FSCTL directed at the file
// system (or filter) owning hFile rather than at the device. The same
// completion (STATUS_PENDING / hEvent / IoApcRoutine) and short-output
// (pIoStatusBlock->Information) caveats apply.
//
NTSYSAPI
NTSTATUS
NTAPI
NtFsControlFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG DeviceIoControlCode,
    IN PVOID InBuffer OPTIONAL,
    IN ULONG InBufferLength,
    OUT PVOID OutBuffer OPTIONAL,
    IN ULONG OutBufferLength
    );
|
|
|
|
|
|
|
|
|
|
//
// NtReadFile: reads up to ReadBufferLength bytes from hFile into ReadBuffer.
// The number of bytes actually read is pIoStatusBlock->Information, which
// can be smaller than requested without the call failing (short read, end
// of file) — never treat ReadBufferLength as the amount of valid data.
// FileOffset selects the position; per NT convention a NULL FileOffset is
// only valid for handles opened for synchronous I/O and uses the current
// position — confirm on the target. For asynchronous handles STATUS_PENDING
// means the buffer and IO_STATUS_BLOCK must remain valid until hEvent is
// signalled or IoApcRoutine runs. LockOperationKey is the byte-range lock
// key (unused by most callers; pass NULL).
// Note: LockOperationKey is optional here as in NtWriteFile despite lacking
// the OPTIONAL annotation.
//
NTSYSAPI
NTSTATUS
NTAPI
NtReadFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID ReadBuffer,
    IN ULONG ReadBufferLength,
    IN PLARGE_INTEGER FileOffset OPTIONAL,
    IN PULONG LockOperationKey
    );
|
|
|
|
|
|
|
|
|
|
//
// NtWriteFile: writes WriteBufferLength bytes from WriteBuffer to hFile at
// FileOffset (NULL = current position, synchronous handles only, per NT
// convention). pIoStatusBlock->Information reports the bytes actually
// written; callers that need all-or-nothing semantics must check it. For
// asynchronous handles the buffer and IO_STATUS_BLOCK must stay valid until
// completion (hEvent / IoApcRoutine). LockOperationKey is the byte-range lock
// key; pass NULL unless the file is range-locked.
//
NTSYSAPI
NTSTATUS
NTAPI
NtWriteFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN PVOID WriteBuffer,
    IN ULONG WriteBufferLength,
    IN PLARGE_INTEGER FileOffset OPTIONAL,
    IN PULONG LockOperationKey OPTIONAL
    );
|
|
|
|
|
|
|
|
|
|
//
// NtQueryInformationFile: fills FileInformationBuffer with the
// FILE_*_INFORMATION layout selected by FileInfoClass. The buffer must be
// at least the fixed size of that layout; pIoStatusBlock->Information
// reports the bytes written. For variable-length classes a buffer that is
// too small yields STATUS_BUFFER_OVERFLOW with a truncated result (per NT
// convention — confirm on the target), so consumers must bound string/name
// fields by Information, not by the declared struct.
//
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationFile(
    IN HANDLE hFile,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass
    );
|
|
|
|
|
|
|
|
|
|
//
// NtSetInformationFile: applies the FILE_*_INFORMATION in FileInformationBuffer
// (FileInformationBufferLength bytes, at least the size of the selected
// layout) to hFile. The access the handle needs depends on FileInfoClass:
// e.g. FileDispositionInformation (delete-on-close) requires DELETE, while
// FileBasicInformation / FileEndOfFileInformation require FILE_WRITE_ATTRIBUTES
// / FILE_WRITE_DATA respectively — per NT convention, confirm on the target.
// The caller must not pass a buffer shorter than the class requires; the
// kernel rejects that, but a driver implementing this path must check
// FileInformationBufferLength itself before reading the structure.
//
NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationFile(
    IN HANDLE hFile,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass
    );
|
|
|
|
|
|
|
|
|
|
//
// NtClose: closes Handle. Handle values are recycled immediately, so a
// handle used after it was closed (or closed twice) silently operates on
// whatever object now occupies that slot — set the variable to NULL after
// closing and never close the NtCurrentProcess() pseudo-handle. Per NT
// convention a bad handle returns STATUS_INVALID_HANDLE, or raises an
// exception when a debugger is attached.
//
NTSTATUS
NTAPI
NtClose(
    IN HANDLE Handle
    );
|
|
|
|
|
|
|
|
|
|
//
// NtWaitForSingleObject: blocks until hObject is signalled or Timeout
// expires. hObject needs SYNCHRONIZE access (which is why the KEY_*
// composites above strip it — keys cannot be waited on). Per NT convention
// Timeout == NULL waits forever, a negative value is a relative interval
// and a positive value an absolute time, both in 100 ns units — confirm on
// the target. bAlertable == TRUE lets user APCs (including the I/O
// completion routines registered via PIO_APC_ROUTINE) run during the wait,
// in which case the call can return STATUS_USER_APC / STATUS_ALERTED
// without the object having been signalled — check the return status.
//
NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
    IN HANDLE hObject,
    IN BOOLEAN bAlertable,
    IN PLARGE_INTEGER Timeout
    );
|
|
|
|
|
|
|
|
|
|
//
// NtDelayExecution: sleeps for *DelayInterval using the same time encoding as
// NtWaitForSingleObject (negative = relative, positive = absolute, 100 ns
// units, per NT convention). With Alertable == TRUE the sleep can be cut
// short by an APC (STATUS_ALERTED / STATUS_USER_APC), so loops that need a
// minimum delay must re-check elapsed time rather than assume the full
// interval passed.
//
NTSTATUS
NTAPI
NtDelayExecution (
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER DelayInterval
    );
|
|
|
|
|
|
|
|
|
|
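#ifdef __cplusplus
} // extern "C"  -- fix: the original "};" left a stray semicolon after the linkage block
#endif //__cplusplus

#endif //__NT_NATIVE_DEFS__H__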
|