[RTL][NTDLL] Add some function stubs

- LdrSetAppCompatDllRedirectionCallback
- RtlCancelTimer
- RtlCreateServiceSid
- RtlQueryProcessHeapInformation
- RtlQueueApcWow64Thread
- RtlSetTimer
- RtlUnhandledExceptionFilter2
- RtlpNotOwnerCriticalSection

dll/ntdll/def/ntdll.spec

@@ -113,7 +113,7 @@
 @ stdcall LdrQueryImageFileExecutionOptionsEx(ptr ptr long ptr long ptr long)
 @ stdcall LdrQueryImageFileKeyOption(ptr ptr long ptr long ptr)
 @ stdcall LdrQueryProcessModuleInformation(ptr long ptr)
-# stdcall LdrSetAppCompatDllRedirectionCallback
+@ stdcall LdrSetAppCompatDllRedirectionCallback(long ptr ptr)
 @ stdcall LdrSetDllManifestProber(ptr)
 @ stdcall LdrShutdownProcess()
 @ stdcall LdrShutdownThread()
@@ -475,7 +475,7 @@
 @ stdcall RtlAreBitsClear(ptr long long)
 @ stdcall RtlAreBitsSet(ptr long long)
 @ stdcall RtlAssert(ptr ptr long ptr)
-# stdcall RtlCancelTimer
+@ stdcall RtlCancelTimer(ptr ptr)
 @ stdcall -register RtlCaptureContext(ptr)
 @ stdcall RtlCaptureStackBackTrace(long long ptr ptr)
 # stdcall RtlCaptureStackContext
@@ -525,6 +525,7 @@
 @ stdcall RtlCreateQueryDebugBuffer(long long)
 @ stdcall RtlCreateRegistryKey(long wstr)
 @ stdcall RtlCreateSecurityDescriptor(ptr long)
+@ stdcall RtlCreateServiceSid(ptr ptr ptr)
 @ stdcall RtlCreateSystemVolumeInformationFolder(ptr)
 @ stdcall RtlCreateTagHeap(ptr long str str)
 @ stdcall RtlCreateTimer(ptr ptr ptr ptr long long long)
@@ -812,13 +813,13 @@
 @ stdcall RtlQueryInterfaceMemoryStream(ptr ptr ptr)
 # stdcall RtlQueryProcessBackTraceInformation
 @ stdcall RtlQueryProcessDebugInformation(long long ptr)
-# stdcall RtlQueryProcessHeapInformation
+@ stdcall RtlQueryProcessHeapInformation(ptr)
 # stdcall RtlQueryProcessLockInformation
 @ stdcall RtlQueryRegistryValues(long ptr ptr ptr ptr)
 @ stdcall RtlQuerySecurityObject(ptr long ptr long ptr)
 @ stdcall RtlQueryTagHeap(ptr long long long ptr)
 @ stdcall RtlQueryTimeZoneInformation(ptr)
-# stdcall RtlQueueApcWow64Thread
+@ stdcall -arch=i386,x86_64 RtlQueueApcWow64Thread(ptr ptr ptr ptr ptr)
 @ stdcall RtlQueueWorkItem(ptr ptr long)
 @ stdcall -register RtlRaiseException(ptr)
 @ stdcall RtlRaiseStatus(long)
@@ -878,7 +879,7 @@
 @ cdecl RtlSetThreadIsCritical(long ptr long)
 @ stdcall RtlSetThreadPoolStartFunc(ptr ptr)
 @ stdcall RtlSetTimeZoneInformation(ptr)
-@ stdcall RtlSetTimer(ptr ptr ptr ptr long long long) RtlCreateTimer
+@ stdcall RtlSetTimer(ptr ptr ptr ptr long long long)
 @ stdcall RtlSetUnhandledExceptionFilter(ptr)
 # stdcall RtlSetUnicodeCallouts
 @ stdcall RtlSetUserFlagsHeap(ptr long ptr long long)
@@ -907,7 +908,7 @@
 @ stdcall RtlTraceDatabaseUnlock(ptr)
 @ stdcall RtlTraceDatabaseValidate(ptr)
 @ stdcall RtlTryEnterCriticalSection(ptr)
-# stdcall RtlUnhandledExceptionFilter2
+@ stdcall RtlUnhandledExceptionFilter2(ptr long)
 @ stdcall RtlUnhandledExceptionFilter(ptr)
 @ stdcall RtlUnicodeStringToAnsiSize(ptr) RtlxUnicodeStringToAnsiSize
 @ stdcall RtlUnicodeStringToAnsiString(ptr ptr long)
@@ -957,7 +958,7 @@
 @ stdcall RtlZombifyActivationContext(ptr)
 @ stdcall RtlpApplyLengthFunction(long long ptr ptr)
 @ stdcall RtlpEnsureBufferSize(long ptr long)
-# stdcall RtlpNotOwnerCriticalSection
+@ stdcall RtlpNotOwnerCriticalSection(ptr)
 @ stdcall RtlpNtCreateKey(ptr long ptr long ptr ptr)
 @ stdcall RtlpNtEnumerateSubKey(ptr ptr long long)
 @ stdcall RtlpNtMakeTemporaryKey(ptr)

dll/ntdll/include/ntdllp.h

@@ -29,6 +29,16 @@ typedef struct _LDRP_TLS_DATA
     IMAGE_TLS_DIRECTORY TlsDirectory;
 } LDRP_TLS_DATA, *PLDRP_TLS_DATA;
 
+typedef
+NTSTATUS
+(NTAPI* PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION)(
+    _In_ ULONG Flags,
+    _In_ PCWSTR DllName,
+    _In_ PCWSTR DllPath OPTIONAL,
+    _Inout_opt_ PULONG DllCharacteristics,
+    _In_ PVOID CallbackData,
+    _Outptr_ PWSTR* EffectiveDllPath);
+
 /* Global data */
 extern RTL_CRITICAL_SECTION LdrpLoaderLock;
 extern BOOLEAN LdrpInLdrInit;

dll/ntdll/ldr/ldrapi.c

@@ -1658,4 +1658,19 @@ LdrFlushAlternateResourceModules(VOID)
     return FALSE;
 }
 
+/*
+ * @unimplemented
+ * See https://www.kernelmode.info/forum/viewtopic.php?t=991
+ */
+NTSTATUS
+NTAPI
+LdrSetAppCompatDllRedirectionCallback(
+    _In_ ULONG Flags,
+    _In_ PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION CallbackFunction,
+    _In_opt_ PVOID CallbackData)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
 /* EOF */

sdk/lib/rtl/amd64/stubs.c

@@ -113,4 +113,16 @@ RtlRestoreContext(
     UNIMPLEMENTED;
 }
 
+NTSTATUS
+NTAPI
+RtlQueueApcWow64Thread(
+    _In_ HANDLE ThreadHandle,
+    _In_ PKNORMAL_ROUTINE ApcRoutine,
+    _In_opt_ PVOID NormalContext,
+    _In_opt_ PVOID SystemArgument1,
+    _In_opt_ PVOID SystemArgument2)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
 

sdk/lib/rtl/critical.c

@@ -801,4 +801,11 @@ RtlIsCriticalSectionLockedByThread(PRTL_CRITICAL_SECTION CriticalSection)
            CriticalSection->RecursionCount != 0;
 }
 
+VOID
+NTAPI
+RtlpNotOwnerCriticalSection(PRTL_CRITICAL_SECTION CriticalSection)
+{
+    RtlRaiseStatus(STATUS_RESOURCE_NOT_OWNED);
+}
+
 /* EOF */

sdk/lib/rtl/exception.c

@@ -311,6 +311,21 @@ RtlUnhandledExceptionFilter(IN struct _EXCEPTION_POINTERS* ExceptionInfo)
     return ERROR_CALL_NOT_IMPLEMENTED;
 }
 
+/*
+ * @unimplemented
+ */
+LONG
+NTAPI
+RtlUnhandledExceptionFilter2(
+    _In_ PEXCEPTION_POINTERS ExceptionInfo,
+    _In_ ULONG Flags)
+{
+    /* This is used by the security cookie checks, and also called externally */
+    UNIMPLEMENTED;
+    PrintStackTrace(ExceptionInfo);
+    return ERROR_CALL_NOT_IMPLEMENTED;
+}
+
 /*
  * @implemented
  */

sdk/lib/rtl/heap.c

@@ -3995,4 +3995,20 @@ RtlMultipleFreeHeap(IN PVOID HeapHandle,
     return 0;
 }
 
+/*
+ * Info:
+ * - https://securityxploded.com/enumheaps.php
+ * - https://evilcodecave.wordpress.com/2009/04/14/rtlqueryprocessheapinformation-as-anti-dbg-trick/
+ */
+struct _DEBUG_BUFFER;
+
+NTSTATUS
+NTAPI
+RtlQueryProcessHeapInformation(
+    IN struct _DEBUG_BUFFER *DebugBuffer)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
 /* EOF */

sdk/lib/rtl/i386/thread.c

@@ -77,4 +77,20 @@ RtlInitializeContext(IN HANDLE ProcessHandle,
     ThreadContext->Esp -= sizeof(PVOID);
 }
 
+NTSTATUS
+NTAPI
+RtlQueueApcWow64Thread(
+    _In_ HANDLE ThreadHandle,
+    _In_ PKNORMAL_ROUTINE ApcRoutine,
+    _In_opt_ PVOID NormalContext,
+    _In_opt_ PVOID SystemArgument1,
+    _In_opt_ PVOID SystemArgument2)
+{
+    return NtQueueApcThread(ThreadHandle,
+                            ApcRoutine,
+                            NormalContext,
+                            SystemArgument1,
+                            SystemArgument2);
+}
+
 /* EOF */

sdk/lib/rtl/sid.c

@@ -404,4 +404,18 @@ RtlConvertSidToUnicodeString(IN PUNICODE_STRING String,
     return STATUS_SUCCESS;
 }
 
+/*
+ * @unimplemented
+ */
+NTSTATUS
+NTAPI
+RtlCreateServiceSid(
+    _In_ PUNICODE_STRING ServiceName,
+    _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid,
+    _Inout_ PULONG ServiceSidLength)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
+
 /* EOF */

sdk/lib/rtl/timerqueue.c

@@ -463,6 +463,26 @@ NTSTATUS WINAPI RtlCreateTimer(HANDLE TimerQueue, PHANDLE NewTimer,
     return status;
 }
 
+NTSTATUS
+WINAPI
+RtlSetTimer(
+    HANDLE TimerQueue,
+    PHANDLE NewTimer,
+    WAITORTIMERCALLBACKFUNC Callback,
+    PVOID Parameter,
+    DWORD DueTime,
+    DWORD Period,
+    ULONG Flags)
+{
+    return RtlCreateTimer(TimerQueue,
+                          NewTimer,
+                          Callback,
+                          Parameter,
+                          DueTime,
+                          Period,
+                          Flags);
+}
+
 /***********************************************************************
  *              RtlUpdateTimer   (NTDLL.@)
  *
@@ -557,6 +577,16 @@ NTSTATUS WINAPI RtlDeleteTimer(HANDLE TimerQueue, HANDLE Timer,
     return status;
 }
 
+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
+RtlCancelTimer(HANDLE TimerQueue, HANDLE Timer)
+{
+    return RtlDeleteTimer(TimerQueue, Timer, NULL);
+}
+
 /*
  * @implemented
  */