/*
|
|
This is a free version of the file ntifs.h, release 58.
|
|
The purpose of this include file is to build file system and
|
|
file system filter drivers for Windows.
|
|
Copyright (C) 1999-2015 Bo Brantén.
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
The GNU General Public License is also available from:
|
|
http://www.gnu.org/copyleft/gpl.html
|
|
|
|
Windows and Windows NT are either registered trademarks or trademarks of
|
|
Microsoft Corporation in the United States and/or other countries.
|
|
|
|
DISCLAIMER: I do not encourage anyone to use this include file to build
|
|
drivers used in production. Some of the information in this file may not
|
|
be available in other publications intended for similar use. Some of the
|
|
information in this file may have different names than in other
|
|
publications even though they describe the same thing.
|
|
|
|
NOTE: This file should be used with the Microsoft® Windows® Driver
|
|
Development Kit (DDK) while the file wdkundoc.h is a subset of this
|
|
file that should be used with the Microsoft Windows Driver Kit (WDK).
|
|
|
|
Please send comments, corrections and contributions to bosse@acc.umu.se.
|
|
|
|
The most recent version of this file is available from:
|
|
http://www.acc.umu.se/~bosse/ntifs.h
|
|
|
|
The most recent version of the file wdkundoc.h is available from:
|
|
http://www.acc.umu.se/~bosse/wdkundoc.h
|
|
|
|
Thanks to:
|
|
Andrey Shedel, Luigi Mori, Louis Joubert, Itai Shaham, David Welch,
|
|
Emanuele Aliberti, Anton Altaparmakov, Dan Partelly, Mamaich, Yossi
|
|
Yaffe, Gunnar André Dalsnes, Vadim V Vorobev, Ashot Oganesyan K,
|
|
Oleg Nikityenko, Matt Wu, Tomas Olsson, Raaf, Anthony Choi, Alexey
|
|
Logachyov, Marc-Antoine Ruel, Vyacheslav I. Levtchenko, Yuri Polyakov,
|
|
Bruno Milot, Alex Vlasov, Dan Fulger, Petr Semerad, Sobame La Garompa,
|
|
Jérôme Hodé and Darja Isaksson.
|
|
|
|
Revision history:
|
|
|
|
58. 2015-06-11
|
|
Added:
|
|
Externals:
|
|
PsInitialSystemProcess
|
|
HalPrivateDispatchTable
|
|
KeLoaderBlock
|
|
KeI386MachineType
|
|
KiBugCheckData
|
|
InitSafeBootMode
|
|
KiEnableTimerWatchdog
|
|
KdComPortInUse
|
|
KdEnteredDebugger
|
|
MmBadPointer
|
|
NlsLeadByteInfo
|
|
NlsOemLeadByteInfo
|
|
NlsMbCodePageTag
|
|
NlsMbOemCodePageTag
|
|
NlsAnsiCodePage
|
|
NlsOemCodePage
|
|
IoStatisticsLock
|
|
IoReadOperationCount
|
|
IoWriteOperationCount
|
|
IoReadTransferCount
|
|
IoWriteTransferCount
|
|
KeDcacheFlushCount
|
|
KeIcacheFlushCount
|
|
CcFastMdlReadWait
|
|
CcFastReadNotPossible
|
|
CcFastReadWait
|
|
IoAdapterObjectType
|
|
IoDeviceObjectType
|
|
MmSectionObjectType
|
|
PsProcessType
|
|
PsThreadType
|
|
ExDesktopObjectType
|
|
ExWindowStationObjectType
|
|
IoDeviceHandlerObjectType
|
|
LpcPortObjectType
|
|
PsJobType
|
|
SeTokenObjectType
|
|
TmEnlistmentObjectType
|
|
TmResourceManagerObjectType
|
|
TmTransactionManagerObjectType
|
|
TmTransactionObjectType
|
|
CmKeyObjectType
|
|
IoDeviceHandlerObjectSize
|
|
POGOBuffer
|
|
psMUITest
|
|
PsUILanguageComitted
|
|
|
|
57. 2015-03-23
|
|
Corrected:
|
|
ObGetObjectPointerCount
|
|
Added:
|
|
Function prototypes:
|
|
FsRtlTeardownPerFileContexts
|
|
FsRtlTeardownPerStreamContexts
|
|
|
|
56. 2008-07-31
|
|
Corrected:
|
|
FSCTL_SET_SPARSE
|
|
FSRTL_COMMON_FCB_HEADER
|
|
Added:
|
|
Defines:
|
|
FSRTL_XXX
|
|
IO_REPARSE_TAG_XXX
|
|
Data types:
|
|
FSRTL_ADVANCED_FCB_HEADER
|
|
Function prototypes:
|
|
FsRtlSetupAdvancedHeader
|
|
|
|
55. 2006-05-15
|
|
Corrected:
|
|
TOKEN_OBJECT
|
|
Added:
|
|
Data types:
|
|
SEP_AUDIT_POLICY_VISTA
|
|
SID_AND_ATTRIBUTES_HASH
|
|
|
|
54. 2006-05-14
|
|
Corrected:
|
|
EXTENDED_IO_STACK_LOCATION
|
|
|
|
53. 2005-11-06
|
|
Added:
|
|
Function prototypes:
|
|
RtlRandom
|
|
RtlRandomEx
|
|
RtlSecondsSince1980ToTime
|
|
RtlTimeToSecondsSince1980
|
|
|
|
52. 2005-11-05
|
|
Corrected:
|
|
OBJECT_NAME
|
|
TOKEN_OBJECT
|
|
|
|
51. 2005-10-16
|
|
Corrected:
|
|
ETHREAD
|
|
GDI_TEB_BATCH
|
|
MMADDRESS_NODE
|
|
TEB
|
|
|
|
50. 2005-10-15
|
|
Added:
|
|
Data types:
|
|
READ_LIST
|
|
Function prototypes:
|
|
IoAttachDeviceToDeviceStackSafe
|
|
IoCheckQuerySetFileInformation
|
|
IoCheckQuerySetVolumeInformation
|
|
IoCreateFileSpecifyDeviceObjectHint
|
|
IoCreateStreamFileObjectEx
|
|
IoEnumerateDeviceObjectList
|
|
IoGetDeviceAttachmentBaseRef
|
|
IoGetDiskDeviceObject
|
|
IoGetLowerDeviceObject
|
|
IoIsFileOriginRemote
|
|
IoQueryFileDosDeviceName
|
|
IoQueueThreadIrp
|
|
IoSetFileOrigin
|
|
KeAcquireQueuedSpinLock
|
|
KeInitializeMutant
|
|
KeReadStateMutant
|
|
KeReleaseMutant
|
|
KeReleaseQueuedSpinLock
|
|
KeSetIdealProcessorThread
|
|
KeSetKernelStackSwapEnable
|
|
KeTryToAcquireQueuedSpinLock
|
|
MmPrefetchPages
|
|
ObDereferenceSecurityDescriptor
|
|
ObLogSecurityDescriptor
|
|
ObReferenceSecurityDescriptor
|
|
PoQueueShutdownWorkItem
|
|
RtlxUnicodeStringToAnsiSize
|
|
SeAuditHardLinkCreation
|
|
SeAuditingHardLinkEvents
|
|
SeFilterToken
|
|
|
|
49. 2005-10-09
|
|
Corrected:
|
|
EPROCESS
|
|
KTHREAD
|
|
MMSUPPORT_FLAGS
|
|
MMSUPPORT
|
|
OBJECT_HEADER
|
|
OBJECT_TYPE_INITIALIZER
|
|
OBJECT_TYPE
|
|
TEB
|
|
KeInsertQueueApc
|
|
Added:
|
|
Defines:
|
|
OB_FLAG_XXX
|
|
OB_SECURITY_CHARGE
|
|
Data types:
|
|
ACTIVATION_CONTEXT_STACK
|
|
GDI_TEB_BATCH
|
|
HANDLE_INFO
|
|
KGUARDED_MUTEX
|
|
MMADDRESS_NODE
|
|
MM_AVL_TABLE
|
|
OBJECT_CREATE_INFORMATION
|
|
OBJECT_CREATOR_INFO
|
|
OBJECT_DIRECTORY
|
|
OBJECT_DIRECTORY_ITEM
|
|
OBJECT_HANDLE_DB
|
|
OBJECT_HANDLE_DB_LIST
|
|
OBJECT_HEADER_FLAGS
|
|
OBJECT_NAME
|
|
OBJECT_QUOTA_CHARGES
|
|
OBJECT_QUOTA_INFO
|
|
QUOTA_BLOCK
|
|
RTL_ACTIVATION_CONTEXT_STACK_FRAME
|
|
TEB_ACTIVE_FRAME
|
|
TEB_ACTIVE_FRAME_CONTEXT
|
|
Wx86ThreadState
|
|
Function prototypes:
|
|
FsRtlAcquireFileExclusive
|
|
FsRtlBalanceReads
|
|
FsRtlDissectDbcs
|
|
FsRtlDoesDbcsContainWildCards
|
|
FsRtlIsDbcsInExpression
|
|
FsRtlIsFatDbcsLegal
|
|
FsRtlIsHpfsDbcsLegal
|
|
FsRtlIsPagingFile
|
|
FsRtlIsTotalDeviceFailure
|
|
FsRtlMdlReadDev
|
|
FsRtlPostPagingFileStackOverflow
|
|
FsRtlPostStackOverflow
|
|
FsRtlPrepareMdlWriteDev
|
|
FsRtlReleaseFile
|
|
|
|
48. 2005-04-16
|
|
Added:
|
|
Data types:
|
|
THREAD_BASIC_INFORMATION
|
|
Function prototypes:
|
|
ZwQueryInformationThread
|
|
|
|
47. 2005-03-08
|
|
Corrected:
|
|
SYSTEM_PROCESSES_INFORMATION
|
|
TOKEN_OBJECT
|
|
KeInsertQueueApc
|
|
|
|
46. 2004-06-08
|
|
Added:
|
|
Data types:
|
|
TOKEN_OBJECT
|
|
|
|
45. 2004-06-06
|
|
Corrected:
|
|
SERVICE_DESCRIPTOR_TABLE
|
|
Added:
|
|
Defines:
|
|
TOKEN_SESSION_NOT_REFERENCED
|
|
TOKEN_SANDBOX_INERT
|
|
TOKEN_HAS_IMPERSONATE_PRIVILEGE
|
|
Function prototypes:
|
|
FsRtlDissectName
|
|
RtlOemStringToCountedUnicodeSize
|
|
RtlOemStringToUnicodeSize
|
|
RtlOemStringToUnicodeString
|
|
RtlUnicodeStringToOemSize
|
|
RtlUnicodeStringToOemString
|
|
RtlxOemStringToUnicodeSize
|
|
RtlxUnicodeStringToOemSize
|
|
|
|
44. 2003-05-06
|
|
Added:
|
|
Function prototypes:
|
|
InbvAcquireDisplayOwnership
|
|
InbvCheckDisplayOwnership
|
|
InbvDisplayString
|
|
InbvEnableBootDriver
|
|
InbvEnableDisplayString
|
|
InbvInstallDisplayStringFilter
|
|
InbvIsBootDriverInstalled
|
|
InbvNotifyDisplayOwnershipLost
|
|
InbvResetDisplay
|
|
InbvSetScrollRegion
|
|
InbvSetTextColor
|
|
InbvSolidColorFill
|
|
|
|
43. 2003-04-07
|
|
Added:
|
|
Data types:
|
|
MCB
|
|
Function prototypes:
|
|
FsRtlAddMcbEntry
|
|
FsRtlInitializeMcb
|
|
FsRtlLookupLastMcbEntry
|
|
FsRtlLookupMcbEntry
|
|
FsRtlNotifyFilterChangeDirectory
|
|
FsRtlNotifyFilterReportChange
|
|
FsRtlNumberOfRunsInMcb
|
|
FsRtlRemoveMcbEntry
|
|
FsRtlTruncateMcb
|
|
FsRtlUninitializeMcb
|
|
|
|
42. 2003-03-30
|
|
Corrected:
|
|
SYSTEM_CACHE_INFORMATION
|
|
SYSTEM_INFORMATION_CLASS
|
|
Added:
|
|
Data types:
|
|
SYSTEM_XXX_INFORMATION
|
|
THREAD_STATE
|
|
|
|
41. 2003-01-03
|
|
Corrected:
|
|
CcMapData
|
|
PsDereferenceImpersonationToken
|
|
PsDereferencePrimaryToken
|
|
PsGetProcessExitTime
|
|
PsReferencePrimaryToken
|
|
Added:
|
|
Defines:
|
|
MAP_XXX
|
|
Function prototypes:
|
|
CcMdlWriteAbort
|
|
PsAssignImpersonationToken
|
|
PsChargeProcessNonPagedPoolQuota
|
|
PsChargeProcessPagedPoolQuota
|
|
PsChargeProcessPoolQuota
|
|
PsDisableImpersonation
|
|
PsImpersonateClient
|
|
PsIsSystemThread
|
|
PsRestoreImpersonation
|
|
SeDeleteAccessState
|
|
ZwOpenProcessTokenEx
|
|
ZwOpenThreadTokenEx
|
|
|
|
40. 2002-10-02
|
|
Corrected:
|
|
HANDLE_TABLE_ENTRY
|
|
Added:
|
|
Defines:
|
|
FSRTL_FLAG_ADVANCED_HEADER
|
|
FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS
|
|
FSRTL_FLAG2_PURGE_WHEN_MAPPED
|
|
Data types:
|
|
FILE_ID_BOTH_DIR_INFORMATION
|
|
FILE_ID_FULL_DIR_INFORMATION
|
|
|
|
39. 2002-08-04
|
|
Added:
|
|
Data types:
|
|
LARGE_MCB
|
|
Function prototypes:
|
|
FsRtlAddLargeMcbEntry
|
|
FsRtlGetNextLargeMcbEntry
|
|
FsRtlInitializeLargeMcb
|
|
FsRtlLookupLargeMcbEntry
|
|
FsRtlLookupLastLargeMcbEntry
|
|
FsRtlLookupLastLargeMcbEntryAndIndex
|
|
FsRtlNumberOfRunsInLargeMcb
|
|
FsRtlRemoveLargeMcbEntry
|
|
FsRtlResetLargeMcb
|
|
FsRtlSplitLargeMcb
|
|
FsRtlTruncateLargeMcb
|
|
FsRtlUninitializeLargeMcb
|
|
|
|
38. 2002-06-30
|
|
Added:
|
|
Defines:
|
|
FILE_READ_ONLY_VOLUME
|
|
Function prototypes:
|
|
FsRtlAllocateResource
|
|
FsRtlIncrementCcFastReadNotPossible
|
|
FsRtlIncrementCcFastReadNoWait
|
|
FsRtlIncrementCcFastReadResourceMiss
|
|
FsRtlIncrementCcFastReadWait
|
|
KeIsAttachedProcess
|
|
KeIsExecutingDpc
|
|
KeRevertToUserAffinityThread
|
|
KeUpdateSystemTime
|
|
PsGetCurrentProcessSessionId
|
|
PsGetCurrentThreadPreviousMode
|
|
PsGetCurrentThreadStackBase
|
|
PsGetCurrentThreadStackLimit
|
|
RtlGetNtGlobalFlags
|
|
|
|
37. 2002-05-18
|
|
Updated for Windows XP:
|
|
EPROCESS
|
|
ETHREAD
|
|
KPROCESS
|
|
KTHREAD
|
|
MMSUPPORT_FLAGS
|
|
MMSUPPORT
|
|
PRIVATE_CACHE_MAP_FLAGS
|
|
PRIVATE_CACHE_MAP
|
|
SHARED_CACHE_MAP
|
|
Corrected:
|
|
VACB
|
|
Added:
|
|
Data types:
|
|
EPROCESS_QUOTA_ENTRY
|
|
EPROCESS_QUOTA_BLOCK
|
|
EX_FAST_REF
|
|
EX_PUSH_LOCK
|
|
EX_RUNDOWN_REF
|
|
PAGEFAULT_HISTORY
|
|
SE_AUDIT_PROCESS_CREATION_INFO
|
|
SECTION_OBJECT
|
|
TERMINATION_PORT
|
|
|
|
36. 2002-05-14
|
|
Corrected:
|
|
FILE_FS_FULL_SIZE_INFORMATION
|
|
|
|
35. 2002-03-23
|
|
Added:
|
|
Defines:
|
|
COMPRESSION_XXX
|
|
Data types:
|
|
COMPRESSED_DATA_INFO
|
|
OBJECT_HEADER
|
|
VAD_HEADER
|
|
Function prototypes:
|
|
CcWaitForCurrentLazyWriterActivity
|
|
FsRtlCheckOplock
|
|
FsRtlCurrentBatchOplock
|
|
FsRtlDeregisterUncProvider
|
|
FsRtlInitializeOplock
|
|
FsRtlOplockFsctrl
|
|
FsRtlOplockIsFastIoPossible
|
|
FsRtlRegisterUncProvider
|
|
FsRtlUninitializeOplock
|
|
RtlCompressBuffer
|
|
RtlCompressChunks
|
|
RtlDecompressBuffer
|
|
RtlDecompressChunks
|
|
RtlDecompressFragment
|
|
RtlDescribeChunk
|
|
RtlGetCompressionWorkSpaceSize
|
|
RtlReserveChunk
|
|
|
|
34. 2002-02-14
|
|
Corrected:
|
|
HARDWARE_PTE
|
|
Changed the use of _WIN32_WINNT to VER_PRODUCTBUILD since _WIN32_WINNT
|
|
is incorrectly defined in the Windows 2000 build environment included
|
|
in the Windows XP DDK.
|
|
|
|
33. 2002-01-20
|
|
Added:
|
|
Function prototypes:
|
|
PsDereferenceImpersonationToken
|
|
PsDereferencePrimaryToken
|
|
|
|
32. 2002-01-18
|
|
Corrected:
|
|
ObReferenceObjectByName
|
|
FILE_FS_OBJECT_ID_INFORMATION
|
|
FILE_OBJECTID_INFORMATION
|
|
Added:
|
|
Externals:
|
|
IoDriverObjectType
|
|
SeExports
|
|
Defines:
|
|
FILE_ACTION_XXX
|
|
FSCTL_XXX
|
|
IO_FILE_OBJECT_XXX
|
|
IRP_BEING_VERIFIED
|
|
TOKEN_XXX
|
|
Data types:
|
|
DEVICE_MAP
|
|
FILE_TRACKING_INFORMATION
|
|
SE_EXPORTS
|
|
Function prototypes:
|
|
SeEnableAccessToExports
|
|
|
|
31. 2001-12-23
|
|
Corrected:
|
|
QueryQuota in EXTENDED_IO_STACK_LOCATION
|
|
FILE_LOCK
|
|
CcPinMappedData
|
|
CcPinRead
|
|
CcPreparePinWrite
|
|
FsRtlFastUnlockAll
|
|
FsRtlFastUnlockAllByKey
|
|
FsRtlFastUnlockSingle
|
|
FsRtlInitializeFileLock
|
|
FsRtlPrivateLock
|
|
FsRtlProcessFileLock
|
|
MmForceSectionClosed
|
|
MmIsRecursiveIoFault
|
|
SeImpersonateClient
|
|
SeImpersonateClientEx
|
|
Added:
|
|
Defines:
|
|
More FSRTL_FLAG_XXX
|
|
PIN_XXX
|
|
VACB_XXX
|
|
Data types:
|
|
REPARSE_DATA_BUFFER
|
|
Function prototypes:
|
|
CcCopyWriteWontFlush
|
|
CcGetFileSizePointer
|
|
CcGetFlushedValidData
|
|
CcIsFileCached
|
|
CcRemapBcb
|
|
ExDisableResourceBoostLite
|
|
ExQueryPoolBlockSize
|
|
FsRtlAllocateFileLock
|
|
FsRtlAreThereCurrentFileLocks
|
|
FsRtlFastLock
|
|
FsRtlFreeFileLock
|
|
IoCheckDesiredAccess
|
|
IoCheckEaBufferValidity
|
|
IoCheckFunctionAccess
|
|
IoCheckQuotaBufferValidity
|
|
IoCreateStreamFileObjectLite
|
|
IoFastQueryNetworkAttributes
|
|
IoGetRequestorProcessId
|
|
IoIsFileOpenedExclusively
|
|
IoIsSystemThread
|
|
IoIsValidNameGraftingBuffer
|
|
IoSynchronousPageWrite
|
|
IoThreadToProcess
|
|
KeInitializeQueue
|
|
KeInsertHeadQueue
|
|
KeInsertQueue
|
|
KeReadStateQueue
|
|
KeRemoveQueue
|
|
KeRundownQueue
|
|
MmSetAddressRangeModified
|
|
ObGetObjectPointerCount
|
|
ObMakeTemporaryObject
|
|
ObQueryObjectAuditingByHandle
|
|
PsChargePoolQuota
|
|
PsReturnPoolQuota
|
|
SeAppendPrivileges
|
|
SeAuditingFileEvents
|
|
SeAuditingFileOrGlobalEvents
|
|
SeCreateClientSecurity
|
|
SeCreateClientSecurityFromSubjectContext
|
|
SeDeleteClientSecurity
|
|
SeDeleteObjectAuditAlarm
|
|
SeFreePrivileges
|
|
SeLockSubjectContext
|
|
SeOpenObjectAuditAlarm
|
|
SeOpenObjectForDeleteAuditAlarm
|
|
SePrivilegeCheck
|
|
SeQueryAuthenticationIdToken
|
|
SeQuerySecurityDescriptorInfo
|
|
SeQuerySessionIdToken
|
|
SeSetAccessStateGenericMapping
|
|
SeSetSecurityDescriptorInfo
|
|
SeSetSecurityDescriptorInfoEx
|
|
SeTokenIsAdmin
|
|
SeTokenIsRestricted
|
|
SeTokenType
|
|
SeUnlockSubjectContext
|
|
|
|
30. 2001-10-24
|
|
Corrected:
|
|
KINTERRUPT
|
|
OBJECT_TYPE
|
|
Added:
|
|
Defines:
|
|
More FSCTL_XXX
|
|
Data types:
|
|
BITMAP_RANGE
|
|
CreateMailslot in EXTENDED_IO_STACK_LOCATION
|
|
CreatePipe in EXTENDED_IO_STACK_LOCATION
|
|
QueryQuota in EXTENDED_IO_STACK_LOCATION
|
|
MAILSLOT_CREATE_PARAMETERS
|
|
MBCB
|
|
NAMED_PIPE_CREATE_PARAMETERS
|
|
PRIVATE_CACHE_MAP_FLAGS
|
|
PRIVATE_CACHE_MAP
|
|
SECURITY_CLIENT_CONTEXT
|
|
SHARED_CACHE_MAP
|
|
VACB
|
|
Function prototypes:
|
|
HalQueryRealTimeClock
|
|
HalSetRealTimeClock
|
|
PsGetProcessExitTime
|
|
PsIsThreadTerminating
|
|
PsLookupProcessThreadByCid
|
|
PsLookupThreadByThreadId
|
|
SeQueryAuthenticationIdToken
|
|
Externals:
|
|
KeServiceDescriptorTable
|
|
SePublicDefaultDacl
|
|
SeSystemDefaultDacl
|
|
|
|
29. 2001-10-06
|
|
Added:
|
|
Defines:
|
|
FSRTL_VOLUME_XXX
|
|
Function prototypes:
|
|
FsRtlNotifyChangeDirectory
|
|
FsRtlNotifyReportChange
|
|
FsRtlNotifyVolumeEvent
|
|
|
|
28. 2001-09-16
|
|
Added:
|
|
Function prototypes:
|
|
FsRtlNotifyInitializeSync
|
|
FsRtlNotifyUninitializeSync
|
|
SeImpersonateClientEx
|
|
SeReleaseSubjectContext
|
|
|
|
27. 2001-08-25
|
|
Corrected:
|
|
KPROCESS
|
|
FILE_LOCK_ANCHOR
|
|
FsRtlNormalizeNtstatus
|
|
RtlSecondsSince1970ToTime
|
|
RtlTimeToSecondsSince1970
|
|
SeQueryInformationToken
|
|
Added:
|
|
Defines:
|
|
FS_LFN_APIS
|
|
Data types:
|
|
FILE_LOCK_ENTRY
|
|
FILE_SHARED_LOCK_ENTRY
|
|
FILE_EXCLUSIVE_LOCK_ENTRY
|
|
Function prototypes:
|
|
FsRtlCheckLockForReadAccess
|
|
FsRtlCheckLockForWriteAccess
|
|
FsRtlFastUnlockAll
|
|
FsRtlFastUnlockAllByKey
|
|
FsRtlFastUnlockSingle
|
|
FsRtlGetFileSize
|
|
FsRtlGetNextFileLock
|
|
FsRtlInitializeFileLock
|
|
FsRtlPrivateLock
|
|
FsRtlProcessFileLock
|
|
FsRtlUninitializeFileLock
|
|
IoUnregisterFsRegistrationChange
|
|
PsLookupProcessByProcessId
|
|
SeQuerySubjectContextToken
|
|
|
|
26. 2001-04-28
|
|
Added:
|
|
Defines:
|
|
FSCTL_XXX
|
|
Data types:
|
|
RTL_SPLAY_LINKS
|
|
TUNNEL
|
|
Function prototypes:
|
|
FsRtlAddToTunnelCache
|
|
FsRtlDeleteKeyFromTunnelCache
|
|
FsRtlDeleteTunnelCache
|
|
FsRtlFindInTunnelCache
|
|
FsRtlInitializeTunnelCache
|
|
IoSetDeviceToVerify
|
|
KeInitializeApc
|
|
KeInsertQueueApc
|
|
SeQueryInformationToken
|
|
|
|
25. 2001-04-05
|
|
Corrected:
|
|
RtlImageNtHeader
|
|
LPC_XXX
|
|
OBJECT_BASIC_INFO
|
|
Added:
|
|
Defines:
|
|
SID_REVISION
|
|
Data types:
|
|
DIRECTORY_BASIC_INFORMATION
|
|
KINTERRUPT
|
|
OBJECT_HANDLE_ATTRIBUTE_INFO
|
|
PROCESS_PRIORITY_CLASS
|
|
SECTION_BASIC_INFORMATION
|
|
SECTION_IMAGE_INFORMATION
|
|
SECTION_INFORMATION_CLASS
|
|
Function prototypes:
|
|
RtlSecondsSince1970ToTime
|
|
RtlTimeToSecondsSince1970
|
|
ZwAdjustPrivilegesToken
|
|
ZwAlertThread
|
|
ZwAccessCheckAndAuditAlarm
|
|
ZwClearEvent
|
|
ZwCloseObjectAuditAlarm
|
|
ZwCreateSection
|
|
ZwCreateSymbolicLinkObject
|
|
ZwDuplicateToken
|
|
ZwFlushInstructionCache
|
|
ZwFlushVirtualMemory
|
|
ZwInitiatePowerAction
|
|
ZwLoadKey
|
|
ZwNotifyChangeKey
|
|
ZwOpenThread
|
|
ZwPowerInformation
|
|
ZwPulseEvent
|
|
ZwQueryDefaultLocale
|
|
ZwQueryDefaultUILanguage
|
|
ZwQueryInformationProcess
|
|
ZwQueryInstallUILanguage
|
|
ZwQuerySection
|
|
ZwReplaceKey
|
|
ZwResetEvent
|
|
ZwRestoreKey
|
|
ZwSaveKey
|
|
ZwSetDefaultLocale
|
|
ZwSetDefaultUILanguage
|
|
ZwSetEvent
|
|
ZwSetInformationObject
|
|
ZwSetInformationProcess
|
|
ZwSetSecurityObject
|
|
ZwSetSystemTime
|
|
ZwTerminateProcess
|
|
ZwUnloadKey
|
|
ZwWaitForSingleObject
|
|
ZwWaitForMultipleObjects
|
|
ZwYieldExecution
|
|
Removed functions that are not exported in kernel mode:
|
|
CcZeroEndOfLastPage
|
|
RtlAllocateAndInitializeSid
|
|
ZwAcceptConnectPort
|
|
ZwCompleteConnectPort
|
|
ZwCreatePort
|
|
ZwCreateProcess
|
|
ZwCreateThread
|
|
ZwFlushBuffersFile
|
|
ZwGetContextThread
|
|
ZwImpersonateClientOfPort
|
|
ZwListenPort
|
|
ZwLockFile
|
|
ZwNotifyChangeDirectoryFile
|
|
ZwQueryInformationPort
|
|
ZwReadRequestData
|
|
ZwReplyPort
|
|
ZwReplyWaitReceivePort
|
|
ZwReplyWaitReplyPort
|
|
ZwRequestPort
|
|
ZwUnlockFile
|
|
ZwWriteRequestData
|
|
|
|
24. 2001-03-08
|
|
Corrected:
|
|
EPROCESS
|
|
ETHREAD
|
|
FAST_IO_POSSIBLE
|
|
QueryEa in EXTENDED_IO_STACK_LOCATION
|
|
Added:
|
|
Defines:
|
|
Some more flags for FileSystemAttributes
|
|
Data types:
|
|
EXCEPTION_REGISTRATION_RECORD
|
|
FILE_FS_FULL_SIZE_INFORMATION
|
|
FILE_FS_OBJECT_ID_INFORMATION
|
|
HANDLE_TABLE_ENTRY
|
|
IO_CLIENT_EXTENSION
|
|
PS_IMPERSONATION_INFORMATION
|
|
SetEa and SetQuota in EXTENDED_IO_STACK_LOCATION
|
|
Function prototypes:
|
|
IoPageRead
|
|
KeStackAttachProcess
|
|
KeUnstackDetachProcess
|
|
MmMapViewOfSection
|
|
RtlSelfRelativeToAbsoluteSD
|
|
SeCreateAccessState
|
|
|
|
23. 2001-01-29
|
|
Corrected:
|
|
FSCTL_GET_VOLUME_INFORMATION
|
|
FSCTL_READ_MFT_RECORD
|
|
HARDWARE_PTE
|
|
EPROCESS
|
|
ETHREAD
|
|
KAPC_STATE
|
|
KPROCESS
|
|
KTHREAD
|
|
MMSUPPORT
|
|
Added:
|
|
Data types:
|
|
KGDTENTRY
|
|
KIDTENTRY
|
|
MMSUPPORT_FLAGS
|
|
|
|
22. 2000-12-23
|
|
Corrected:
|
|
EPROCESS
|
|
KPROCESS
|
|
Added:
|
|
Data types:
|
|
HARDWARE_PTE
|
|
MMSUPPORT
|
|
|
|
21. 2000-12-12
|
|
Added:
|
|
Defines:
|
|
IO_TYPE_XXX
|
|
OB_TYPE_XXX
|
|
THREAD_STATE_XXX
|
|
Data types:
|
|
EPROCESS
|
|
ETHREAD
|
|
KAPC_STATE
|
|
KEVENT_PAIR
|
|
KPROCESS
|
|
KTHREAD
|
|
KQUEUE
|
|
SERVICE_DESCRIPTOR_TABLE
|
|
TEB
|
|
|
|
20. 2000-12-03
|
|
Added:
|
|
Data types:
|
|
OBJECT_TYPE
|
|
Function prototypes:
|
|
ObCreateObject
|
|
ObInsertObject
|
|
ObReferenceObjectByName
|
|
|
|
19. 2000-11-25
|
|
Removed a name from the credits since the person wants to be anonymous.
|
|
|
|
18. 2000-10-13
|
|
Corrected:
|
|
PsReferenceImpersonationToken
|
|
Added:
|
|
Defines:
|
|
FILE_PIPE_XXX
|
|
LPC_XXX
|
|
MAILSLOT_XXX
|
|
PORT_XXX
|
|
FSCTL_GET_VOLUME_INFORMATION
|
|
FSCTL_READ_MFT_RECORD
|
|
FSCTL_MAILSLOT_PEEK
|
|
FSCTL_PIPE_XXX
|
|
Data types:
|
|
PORT_INFORMATION_CLASS
|
|
BITMAP_DESCRIPTOR
|
|
FILE_MAILSLOT_XXX
|
|
FILE_PIPE_XXX
|
|
MAPPING_PAIR
|
|
GET_RETRIEVAL_DESCRIPTOR
|
|
LPC_XXX
|
|
MOVEFILE_DESCRIPTOR
|
|
Function prototypes:
|
|
InitializeMessageHeader
|
|
MmForceSectionClosed
|
|
ZwAcceptConnectPort
|
|
ZwCompleteConnectPort
|
|
ZwConnectPort
|
|
ZwCreateEvent
|
|
ZwCreatePort
|
|
ZwImpersonateClientOfPort
|
|
ZwListenPort
|
|
ZwQueryInformationPort
|
|
ZwReadRequestData
|
|
ZwReplyPort
|
|
ZwReplyWaitReceivePort
|
|
ZwReplyWaitReplyPort
|
|
ZwRequestPort
|
|
ZwRequestWaitReplyPort
|
|
ZwWriteRequestData
|
|
|
|
17. 2000-05-21
|
|
Added:
|
|
Function prototypes:
|
|
PsRevertToSelf
|
|
SeCreateClientSecurity
|
|
SeImpersonateClient
|
|
ZwDuplicateObject
|
|
|
|
16. 2000-03-28
|
|
Added:
|
|
Defines:
|
|
FILE_STORAGE_TYPE_XXX
|
|
FILE_VC_XXX
|
|
IO_CHECK_CREATE_PARAMETERS
|
|
IO_ATTACH_DEVICE
|
|
IO_ATTACH_DEVICE_API
|
|
IO_COMPLETION_XXX
|
|
Data types:
|
|
IO_COMPLETION_INFORMATION_CLASS
|
|
OBJECT_INFO_CLASS
|
|
SYSTEM_INFORMATION_CLASS
|
|
FILE_LOCK_ANCHOR
|
|
IO_COMPLETION_BASIC_INFORMATION
|
|
OBJECT_BASIC_INFO
|
|
OBJECT_NAME_INFO
|
|
OBJECT_PROTECTION_INFO
|
|
OBJECT_TYPE_INFO
|
|
OBJECT_ALL_TYPES_INFO
|
|
SYSTEM_CACHE_INFORMATION
|
|
Function prototypes:
|
|
FsRtlAllocatePool
|
|
FsRtlAllocatePoolWithQuota
|
|
FsRtlAllocatePoolWithQuotaTag
|
|
FsRtlAllocatePoolWithTag
|
|
FsRtlAreNamesEqual
|
|
FsRtlFastCheckLockForRead
|
|
FsRtlFastCheckLockForWrite
|
|
FsRtlMdlReadComplete
|
|
FsRtlMdlWriteComplete
|
|
FsRtlNormalizeNtstatus
|
|
RtlAllocateHeap
|
|
RtlCreateHeap
|
|
RtlDestroyHeap
|
|
RtlFreeHeap
|
|
RtlImageNtHeader
|
|
ZwQueryObject
|
|
ZwQuerySystemInformation
|
|
ZwSetSystemInformation
|
|
|
|
15. 2000-03-15
|
|
Corrected:
|
|
Renamed IoQueryFileVolumeInformation to IoQueryVolumeInformation
|
|
Comment on:
|
|
CcZeroEndOfLastPage
|
|
|
|
14. 2000-03-12
|
|
Corrected:
|
|
IoCreateFile
|
|
Added:
|
|
#if (_WIN32_WINNT < 0x0500)/#endif around stuff that is included in
|
|
the Windows 2000 DDK but is missing in the Windows NT 4.0 DDK.
|
|
ZwOpenEvent
|
|
|
|
13. 2000-02-08
|
|
Corrected:
|
|
PsReferenceImpersonationToken
|
|
Comment on:
|
|
RtlAllocateAndInitializeSid
|
|
|
|
12. 1999-10-18
|
|
Corrected:
|
|
FILE_COMPRESSION_INFORMATION
|
|
Added:
|
|
Defines:
|
|
ACCESS_ALLOWED_ACE_TYPE
|
|
ACCESS_DENIED_ACE_TYPE
|
|
SYSTEM_AUDIT_ACE_TYPE
|
|
SYSTEM_ALARM_ACE_TYPE
|
|
ANSI_DOS_STAR/QM/DOT
|
|
DOS_STAR/QM/DOT
|
|
FILE_EA_TYPE_XXX
|
|
FILE_NEED_EA
|
|
FILE_OPBATCH_BREAK_UNDERWAY
|
|
SECURITY_WORLD_SID_AUTHORITY
|
|
SECURITY_WORLD_RID
|
|
Data types:
|
|
POBJECT
|
|
FILE_STORAGE_TYPE
|
|
FILE_COMPLETION_INFORMATION
|
|
FILE_COPY_ON_WRITE_INFORMATION
|
|
FILE_FS_CONTROL_INFORMATION
|
|
FILE_GET_EA_INFORMATION
|
|
FILE_GET_QUOTA_INFORMATION
|
|
FILE_OBJECTID_INFORMATION
|
|
FILE_OLE_CLASSID_INFORMATION
|
|
FILE_OLE_ALL_INFORMATION
|
|
FILE_OLE_DIR_INFORMATION
|
|
FILE_OLE_INFORMATION
|
|
FILE_OLE_STATE_BITS_INFORMATION
|
|
FILE_QUOTA_INFORMATION
|
|
Function prototypes:
|
|
HalDisplayString
|
|
HalMakeBeep
|
|
IoGetRequestorProcess
|
|
ObQueryNameString
|
|
ProbeForWrite
|
|
RtlAbsoluteToSelfRelativeSD
|
|
RtlGetDaclSecurityDescriptor
|
|
RtlGetGroupSecurityDescriptor
|
|
RtlGetOwnerSecurityDescriptor
|
|
RtlInitializeSid
|
|
RtlSetGroupSecurityDescriptor
|
|
RtlSetOwnerSecurityDescriptor
|
|
RtlSetSaclSecurityDescriptor
|
|
ZwDeleteValueKey
|
|
ZwDisplayString
|
|
ZwQueryDirectoryObject
|
|
|
|
11. 1999-10-13
|
|
Corrected:
|
|
ZwOpenProcessToken
|
|
ZwOpenThreadToken
|
|
Added:
|
|
Function prototypes:
|
|
RtlAllocateAndInitializeSid
|
|
RtlCopySid
|
|
RtlEqualSid
|
|
RtlFillMemoryUlong
|
|
RtlIsNameLegalDOS8Dot3
|
|
RtlLengthRequiredSid
|
|
RtlLengthSid
|
|
RtlNtStatusToDosError
|
|
RtlSubAuthorityCountSid
|
|
RtlSubAuthoritySid
|
|
RtlValidSid
|
|
|
|
10. 1999-07-15
|
|
Corrected:
|
|
RtlConvertSidToUnicodeString
|
|
Added:
|
|
Externals:
|
|
FsRtlLegalAnsiCharacterArray
|
|
NtBuildNumber
|
|
Defines:
|
|
FSRTL_WILD_CHARACTER
|
|
FlagOn
|
|
FsRtlIsUnicodeCharacterWild
|
|
Structures:
|
|
FILE_ACCESS_INFORMATION
|
|
FILE_MODE_INFORMATION
|
|
GENERATE_NAME_CONTEXT
|
|
Function prototypes:
|
|
FsRtlDoesNameContainWildCards
|
|
FsRtlIsNameInExpression
|
|
IoSetInformation
|
|
RtlGenerate8dot3Name
|
|
ZwQuerySecurityObject
|
|
|
|
9. 1999-07-12
|
|
Corrected:
|
|
EXTENDED_IO_STACK_LOCATION
|
|
QueryDirectory in EXTENDED_IO_STACK_LOCATION
|
|
ZwCreateThread
|
|
Added:
|
|
Structures:
|
|
INITIAL_TEB
|
|
Function prototypes:
|
|
ZwQuerySymbolicLinkObject
|
|
|
|
8. 1999-06-07
|
|
Corrected:
|
|
ZwOpenProcessToken
|
|
ZwOpenThreadToken
|
|
Added:
|
|
Defines:
|
|
FILE_OPLOCK_BROKEN_TO_LEVEL_2
|
|
FILE_OPLOCK_BROKEN_TO_NONE
|
|
FILE_CASE_SENSITIVE_SEARCH
|
|
FILE_CASE_PRESERVED_NAMES
|
|
FILE_UNICODE_ON_DISK
|
|
FILE_PERSISTENT_ACLS
|
|
FILE_FILE_COMPRESSION
|
|
FILE_VOLUME_IS_COMPRESSED
|
|
FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX
|
|
FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH
|
|
IOCTL_REDIR_QUERY_PATH
|
|
Structures:
|
|
FILE_FS_LABEL_INFORMATION
|
|
PATHNAME_BUFFER
|
|
In IO_STACK_LOCATION:
|
|
FileSystemControl
|
|
LockControl
|
|
SetVolume
|
|
Function prototypes:
|
|
FsRtlCopyRead
|
|
FsRtlCopyWrite
|
|
IoVerifyVolume
|
|
|
|
7. 1999-06-05
|
|
Added:
|
|
defines for TOKEN_XXX
|
|
SID_NAME_USE
|
|
TOKEN_INFORMATION_CLASS
|
|
TOKEN_TYPE
|
|
FILE_FS_ATTRIBUTE_INFORMATION
|
|
FILE_FS_SIZE_INFORMATION
|
|
SID_IDENTIFIER_AUTHORITY
|
|
SID
|
|
SID_AND_ATTRIBUTES
|
|
TOKEN_CONTROL
|
|
TOKEN_DEFAULT_DACL
|
|
TOKEN_GROUPS
|
|
TOKEN_OWNER
|
|
TOKEN_PRIMARY_GROUP
|
|
TOKEN_PRIVILEGES
|
|
TOKEN_SOURCE
|
|
TOKEN_STATISTICS
|
|
TOKEN_USER
|
|
IoCreateFile
|
|
IoGetAttachedDevice
|
|
IoGetBaseFileSystemDeviceObject
|
|
PsReferenceImpersonationToken
|
|
PsReferencePrimaryToken
|
|
RtlConvertSidToUnicodeString
|
|
SeCaptureSubjectContext
|
|
SeMarkLogonSessionForTerminationNotification
|
|
SeRegisterLogonSessionTerminatedRoutine
|
|
SeUnregisterLogonSessionTerminatedRoutine
|
|
ZwOpenProcessToken
|
|
ZwOpenThreadToken
|
|
ZwQueryInformationToken
|
|
|
|
6. 1999-05-10
|
|
Corrected declarations of Zw functions.
|
|
Added:
|
|
ZwCancelIoFile
|
|
ZwDeleteFile
|
|
ZwFlushBuffersFile
|
|
ZwFsControlFile
|
|
ZwLockFile
|
|
ZwNotifyChangeDirectoryFile
|
|
ZwOpenFile
|
|
ZwQueryEaFile
|
|
ZwSetEaFile
|
|
ZwSetVolumeInformationFile
|
|
ZwUnlockFile
|
|
|
|
5. 1999-05-09
|
|
Added:
|
|
defines for FILE_ACTION_XXX and FILE_NOTIFY_XXX
|
|
FILE_FS_VOLUME_INFORMATION
|
|
RETRIEVAL_POINTERS_BUFFER
|
|
STARTING_VCN_INPUT_BUFFER
|
|
FsRtlNotifyFullReportChange
|
|
|
|
4. 1999-04-11
|
|
Corrected:
|
|
ZwCreateThread
|
|
Added:
|
|
define _GNU_NTIFS_
|
|
|
|
3. 1999-03-30
|
|
Added:
|
|
defines for MAP_XXX, MEM_XXX and SEC_XXX
|
|
FILE_BOTH_DIR_INFORMATION
|
|
FILE_DIRECTORY_INFORMATION
|
|
FILE_FULL_DIR_INFORMATION
|
|
FILE_NAMES_INFORMATION
|
|
FILE_NOTIFY_INFORMATION
|
|
FsRtlNotifyCleanup
|
|
KeAttachProcess
|
|
KeDetachProcess
|
|
MmCreateSection
|
|
ZwCreateProcess
|
|
ZwCreateThread
|
|
ZwDeviceIoControlFile
|
|
ZwGetContextThread
|
|
ZwLoadDriver
|
|
ZwOpenDirectoryObject
|
|
ZwOpenProcess
|
|
ZwOpenSymbolicLinkObject
|
|
ZwQueryDirectoryFile
|
|
ZwUnloadDriver
|
|
|
|
2. 1999-03-15
|
|
Added:
|
|
FILE_COMPRESSION_INFORMATION
|
|
FILE_STREAM_INFORMATION
|
|
FILE_LINK_INFORMATION
|
|
FILE_RENAME_INFORMATION
|
|
EXTENDED_IO_STACK_LOCATION
|
|
IoQueryFileInformation
|
|
IoQueryFileVolumeInformation
|
|
ZwQueryVolumeInformationFile
|
|
Moved include of ntddk.h to inside extern "C" block.
|
|
|
|
1. 1999-03-11
|
|
Initial release.
|
|
*/
|
|
|
|
#ifndef _NTIFS_
|
|
#define _NTIFS_
|
|
#define _GNU_NTIFS_
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
#include <ntddk.h>
|
|
#include <ntverp.h>
|
|
|
|
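// Kernel data exports. The "Available in/from ..." lines record which Windows
// releases export each symbol according to this header; nothing here enforces
// that at build time.
// NOTE(review): most of these are undocumented. A driver that imports an
// export missing from the running kernel will presumably fail to load, so
// confirm each symbol against every release the driver must support.

// Available in Windows NT 3.1 and later versions.
// Documented in the WDK.
extern PEPROCESS PsInitialSystemProcess;

// Available in Windows NT 3.5 and later versions.
// Only the pointer type is declared; the structure is left incomplete here.
typedef struct _HAL_PRIVATE_DISPATCH *PHAL_PRIVATE_DISPATCH;
extern PHAL_PRIVATE_DISPATCH HalPrivateDispatchTable;

// Available in Windows NT 3.5 and later versions.
// Only the pointer type is declared; the structure is left incomplete here.
typedef struct _LOADER_PARAMETER_BLOCK *PLOADER_PARAMETER_BLOCK;
extern PLOADER_PARAMETER_BLOCK KeLoaderBlock;

// Available in Windows NT 3.5 and later versions.
// NOTE(review): undocumented; to my knowledge only 32-bit kernels export this
// symbol. Treat the table as read-only and confirm against the target platform.
typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

// Available in Windows NT 3.5 and later versions.
extern PSHORT NtBuildNumber;
extern PULONG KeI386MachineType;

// Available in Windows NT 4.0 and later versions.
// Five ULONG slots; presumably the bug check code followed by its four
// parameters -- confirm before relying on the order.
extern ULONG KiBugCheckData[5];

// Available in Windows 2000 and later versions.
extern PULONG InitSafeBootMode;

// Available from Windows 2000 until Windows Server 2003.
extern PULONG KiEnableTimerWatchdog;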
|
|
|
|
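// Kernel debugger state exported by the kernel.

// Available in Windows NT 3.5 and later versions.
//
// Set by the kernel debugger on the target system to the address of the
// serial port used to communicate with the host.
//
extern PUCHAR *KdComPortInUse;

// Available in Windows 2000 and later versions.
// NOTE(review): by its name this reports whether the kernel debugger has been
// entered; this header does not document the semantics -- confirm.
extern PULONG KdEnteredDebugger;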
|
|
|
|
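// Available in Windows Vista and later versions.
// Documented in the WDK.
// NOTE(review): the WDK describes this as an address that is guaranteed to be
// invalid; newer kits reportedly prefer the MM_BAD_POINTER macro -- confirm
// for the kit in use.
extern PVOID MmBadPointer;

// Available in Windows NT 3.5 and later versions.
// Documented in the WDK.
// Declared as a pointer to the table pointer, so dereference once to reach
// the character array itself.
extern PUCHAR *FsRtlLegalAnsiCharacterArray;

// National language support (code page) state.
// Available in Windows NT 3.5 and later versions.
extern PUSHORT *NlsLeadByteInfo;
extern PUSHORT *NlsOemLeadByteInfo;
extern PBOOLEAN NlsMbCodePageTag;
extern PBOOLEAN NlsMbOemCodePageTag;

// Available in Windows NT 4.0 and later versions.
extern PUSHORT NlsAnsiCodePage;

// Available in Windows 2000 and later versions.
extern PUSHORT NlsOemCodePage;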
|
|
|
|
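// Security subsystem exports.
// Available in Windows NT 3.5 and later versions.
// SeExports is documented in the WDK.
// Only the pointer type is declared here; the structure is left incomplete
// at this point in the header.
typedef struct _SE_EXPORTS *PSE_EXPORTS;
extern PSE_EXPORTS SeExports;
// NOTE(review): by their names these are the kernel's default DACLs; this
// header does not say which access they grant, so inspect the ACL before
// applying either one to a new object -- confirm.
extern PACL SePublicDefaultDacl;
extern PACL SeSystemDefaultDacl;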
|
|
|
|
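// I/O statistics counters.
// Available in Windows NT 3.5 and later versions.
// Documented in the WDK.
// NOTE(review): IoStatisticsLock presumably guards the four counters that
// follow it -- confirm before reading or updating them without the lock.
extern KSPIN_LOCK IoStatisticsLock;
extern ULONG IoReadOperationCount;
extern ULONG IoWriteOperationCount;
extern LARGE_INTEGER IoReadTransferCount;
extern LARGE_INTEGER IoWriteTransferCount;

// Available from Windows NT 3.5 until Windows XP.
extern ULONG KeDcacheFlushCount;
extern ULONG KeIcacheFlushCount;

// Cache manager fast-I/O counters.
// Available in Windows NT 4.0 and later versions.
// Documented in the WDK.
extern ULONG CcFastMdlReadWait;
// Available from Windows NT 4.0 until Windows Server 2003.
extern ULONG CcFastReadNotPossible;
extern ULONG CcFastReadWait;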
|
|
|
|
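// The ExEventObjectType, ExSemaphoreObjectType and IoFileObjectType are
// documented in the DDK and the WDK.
//
// The CmKeyObjectType, SeTokenObjectType, PsProcessType, PsThreadType,
// TmEnlistmentObjectType, TmResourceManagerObjectType,
// TmTransactionManagerObjectType and TmTransactionObjectType
// are documented in the WDK.
//
// Every export below is declared as POBJECT_TYPE *, i.e. the address of the
// kernel's type pointer, so dereference it once to obtain the object type.
// NOTE(review): when a driver references a handle that came from user mode,
// passing the dereferenced type (for example *PsProcessType) as the expected
// object type lets the object manager reject handles of any other type.
//
// Available in Windows NT 3.5 and later versions.
extern POBJECT_TYPE *IoAdapterObjectType;
extern POBJECT_TYPE *IoDeviceObjectType;
extern POBJECT_TYPE *IoDriverObjectType;
extern POBJECT_TYPE *MmSectionObjectType;
extern POBJECT_TYPE *PsProcessType;
extern POBJECT_TYPE *PsThreadType;
// Available in Windows NT 4.0 and later versions.
extern POBJECT_TYPE *ExDesktopObjectType;
extern POBJECT_TYPE *ExWindowStationObjectType;
extern POBJECT_TYPE *IoDeviceHandlerObjectType;
// Available in Windows 2000 and later versions.
extern POBJECT_TYPE *LpcPortObjectType;
extern POBJECT_TYPE *PsJobType;
// Available in Windows XP and later versions.
extern POBJECT_TYPE *SeTokenObjectType;
// Available in Windows Vista and later versions.
extern POBJECT_TYPE *TmEnlistmentObjectType;
extern POBJECT_TYPE *TmResourceManagerObjectType;
extern POBJECT_TYPE *TmTransactionManagerObjectType;
extern POBJECT_TYPE *TmTransactionObjectType;
// Available in Windows 7 and later versions.
extern POBJECT_TYPE *CmKeyObjectType;

// Available in Windows NT 4.0 and later versions.
extern PULONG IoDeviceHandlerObjectSize;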
|
|
|
|
// Available in Windows Vista and later versions.
|
|
extern PVOID POGOBuffer;
|
|
extern PVOID psMUITest;
|
|
extern PVOID PsUILanguageComitted;
|
|
|
|
// ACE type codes, i.e. the value carried in the type byte of an ACE header.
// ACCESS_ALLOWED and ACCESS_DENIED entries belong in a DACL; SYSTEM_AUDIT
// and SYSTEM_ALARM entries belong in a SACL.
// An access check walks the ACL in order, so code that builds ACLs by hand
// should place deny entries ahead of the allow entries they are meant to
// override.
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
|
|
#define ACCESS_DENIED_ACE_TYPE (0x1)
|
|
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
|
|
#define SYSTEM_ALARM_ACE_TYPE (0x3)
|
|
|
|
// DOS-semantics wildcard metacharacters, in narrow (ANSI_*) and wide form.
// '<', '>' and '"' stand in for the DOS flavours of '*', '?' and '.'
// NOTE(review): presumably consumed by the FsRtl name-matching routines;
// confirm against their documentation.
// Because these characters act as wildcards inside a search expression, a
// name taken from an untrusted source must not be passed as an expression
// unchanged when a literal match is intended.
#define ANSI_DOS_STAR ('<')
|
|
#define ANSI_DOS_QM ('>')
|
|
#define ANSI_DOS_DOT ('"')
|
|
|
|
#define DOS_STAR (L'<')
|
|
#define DOS_QM (L'>')
|
|
#define DOS_DOT (L'"')
|
|
|
|
#define COMPRESSION_FORMAT_NONE (0x0000)
|
|
#define COMPRESSION_FORMAT_DEFAULT (0x0001)
|
|
#define COMPRESSION_FORMAT_LZNT1 (0x0002)
|
|
#define COMPRESSION_ENGINE_STANDARD (0x0000)
|
|
#define COMPRESSION_ENGINE_MAXIMUM (0x0100)
|
|
#define COMPRESSION_ENGINE_HIBER (0x0200)
|
|
|
|
#define FILE_ACTION_ADDED 0x00000001
|
|
#define FILE_ACTION_REMOVED 0x00000002
|
|
#define FILE_ACTION_MODIFIED 0x00000003
|
|
#define FILE_ACTION_RENAMED_OLD_NAME 0x00000004
|
|
#define FILE_ACTION_RENAMED_NEW_NAME 0x00000005
|
|
#define FILE_ACTION_ADDED_STREAM 0x00000006
|
|
#define FILE_ACTION_REMOVED_STREAM 0x00000007
|
|
#define FILE_ACTION_MODIFIED_STREAM 0x00000008
|
|
#define FILE_ACTION_REMOVED_BY_DELETE 0x00000009
|
|
#define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A
|
|
#define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B
|
|
|
|
#define FILE_EA_TYPE_BINARY 0xfffe
|
|
#define FILE_EA_TYPE_ASCII 0xfffd
|
|
#define FILE_EA_TYPE_BITMAP 0xfffb
|
|
#define FILE_EA_TYPE_METAFILE 0xfffa
|
|
#define FILE_EA_TYPE_ICON 0xfff9
|
|
#define FILE_EA_TYPE_EA 0xffee
|
|
#define FILE_EA_TYPE_MVMT 0xffdf
|
|
#define FILE_EA_TYPE_MVST 0xffde
|
|
#define FILE_EA_TYPE_ASN1 0xffdd
|
|
#define FILE_EA_TYPE_FAMILY_IDS 0xff01
|
|
|
|
#define FILE_NEED_EA 0x00000080
|
|
|
|
#define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001
|
|
#define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002
|
|
#define FILE_NOTIFY_CHANGE_NAME 0x00000003
|
|
#define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004
|
|
#define FILE_NOTIFY_CHANGE_SIZE 0x00000008
|
|
#define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010
|
|
#define FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020
|
|
#define FILE_NOTIFY_CHANGE_CREATION 0x00000040
|
|
#define FILE_NOTIFY_CHANGE_EA 0x00000080
|
|
#define FILE_NOTIFY_CHANGE_SECURITY 0x00000100
|
|
#define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200
|
|
#define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400
|
|
#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
|
|
#define FILE_NOTIFY_VALID_MASK 0x00000fff
|
|
|
|
#define FILE_OPLOCK_BROKEN_TO_LEVEL_2 0x00000007
|
|
#define FILE_OPLOCK_BROKEN_TO_NONE 0x00000008
|
|
|
|
#define FILE_OPBATCH_BREAK_UNDERWAY 0x00000009
|
|
|
|
#define FILE_CASE_SENSITIVE_SEARCH 0x00000001
|
|
#define FILE_CASE_PRESERVED_NAMES 0x00000002
|
|
#define FILE_UNICODE_ON_DISK 0x00000004
|
|
#define FILE_PERSISTENT_ACLS 0x00000008
|
|
#define FILE_FILE_COMPRESSION 0x00000010
|
|
#define FILE_VOLUME_QUOTAS 0x00000020
|
|
#define FILE_SUPPORTS_SPARSE_FILES 0x00000040
|
|
#define FILE_SUPPORTS_REPARSE_POINTS 0x00000080
|
|
#define FILE_SUPPORTS_REMOTE_STORAGE 0x00000100
|
|
#define FS_LFN_APIS 0x00004000
|
|
#define FILE_VOLUME_IS_COMPRESSED 0x00008000
|
|
#define FILE_SUPPORTS_OBJECT_IDS 0x00010000
|
|
#define FILE_SUPPORTS_ENCRYPTION 0x00020000
|
|
#define FILE_NAMED_STREAMS 0x00040000
|
|
#define FILE_READ_ONLY_VOLUME 0x00080000
|
|
|
|
#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000
|
|
#define FILE_PIPE_MESSAGE_TYPE 0x00000001
|
|
|
|
#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000
|
|
#define FILE_PIPE_MESSAGE_MODE 0x00000001
|
|
|
|
#define FILE_PIPE_QUEUE_OPERATION 0x00000000
|
|
#define FILE_PIPE_COMPLETE_OPERATION 0x00000001
|
|
|
|
#define FILE_PIPE_INBOUND 0x00000000
|
|
#define FILE_PIPE_OUTBOUND 0x00000001
|
|
#define FILE_PIPE_FULL_DUPLEX 0x00000002
|
|
|
|
#define FILE_PIPE_DISCONNECTED_STATE 0x00000001
|
|
#define FILE_PIPE_LISTENING_STATE 0x00000002
|
|
#define FILE_PIPE_CONNECTED_STATE 0x00000003
|
|
#define FILE_PIPE_CLOSING_STATE 0x00000004
|
|
|
|
#define FILE_PIPE_CLIENT_END 0x00000000
|
|
#define FILE_PIPE_SERVER_END 0x00000001
|
|
|
|
#define FILE_PIPE_READ_DATA 0x00000000
|
|
#define FILE_PIPE_WRITE_SPACE 0x00000001
|
|
|
|
#define FILE_STORAGE_TYPE_SPECIFIED 0x00000041 // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE
|
|
#define FILE_STORAGE_TYPE_DEFAULT (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_DIRECTORY (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_FILE (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_DOCFILE (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_JUNCTION_POINT (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_CATALOG (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_STRUCTURED_STORAGE (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_EMBEDDING (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_STORAGE_TYPE_STREAM (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT)
|
|
#define FILE_MINIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_DEFAULT
|
|
#define FILE_MAXIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_STREAM
|
|
#define FILE_STORAGE_TYPE_MASK 0x000f0000
|
|
#define FILE_STORAGE_TYPE_SHIFT 16
|
|
|
|
#define FILE_VC_QUOTA_NONE 0x00000000
|
|
#define FILE_VC_QUOTA_TRACK 0x00000001
|
|
#define FILE_VC_QUOTA_ENFORCE 0x00000002
|
|
#define FILE_VC_QUOTA_MASK 0x00000003
|
|
|
|
#define FILE_VC_QUOTAS_LOG_VIOLATIONS 0x00000004
|
|
#define FILE_VC_CONTENT_INDEX_DISABLED 0x00000008
|
|
|
|
#define FILE_VC_LOG_QUOTA_THRESHOLD 0x00000010
|
|
#define FILE_VC_LOG_QUOTA_LIMIT 0x00000020
|
|
#define FILE_VC_LOG_VOLUME_THRESHOLD 0x00000040
|
|
#define FILE_VC_LOG_VOLUME_LIMIT 0x00000080
|
|
|
|
#define FILE_VC_QUOTAS_INCOMPLETE 0x00000100
|
|
#define FILE_VC_QUOTAS_REBUILDING 0x00000200
|
|
|
|
#define FILE_VC_VALID_MASK 0x000003ff
|
|
|
|
#define FSRTL_FCB_HEADER_V0 (0x00)
|
|
#define FSRTL_FCB_HEADER_V1 (0x01)
|
|
|
|
#define FSRTL_FLAG_FILE_MODIFIED (0x01)
|
|
#define FSRTL_FLAG_FILE_LENGTH_CHANGED (0x02)
|
|
#define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04)
|
|
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08)
|
|
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10)
|
|
#define FSRTL_FLAG_USER_MAPPED_FILE (0x20)
|
|
#define FSRTL_FLAG_ADVANCED_HEADER (0x40)
|
|
#define FSRTL_FLAG_EOF_ADVANCE_ACTIVE (0x80)
|
|
|
|
#define FSRTL_FLAG2_DO_MODIFIED_WRITE (0x01)
|
|
#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS (0x02)
|
|
#define FSRTL_FLAG2_PURGE_WHEN_MAPPED (0x04)
|
|
#define FSRTL_FLAG2_IS_PAGING_FILE (0x08)
|
|
|
|
#define FSRTL_FSP_TOP_LEVEL_IRP (0x01)
|
|
#define FSRTL_CACHE_TOP_LEVEL_IRP (0x02)
|
|
#define FSRTL_MOD_WRITE_TOP_LEVEL_IRP (0x03)
|
|
#define FSRTL_FAST_IO_TOP_LEVEL_IRP (0x04)
|
|
#define FSRTL_MAX_TOP_LEVEL_IRP_FLAG (0x04)
|
|
|
|
#define FSRTL_VOLUME_DISMOUNT 1
|
|
#define FSRTL_VOLUME_DISMOUNT_FAILED 2
|
|
#define FSRTL_VOLUME_LOCK 3
|
|
#define FSRTL_VOLUME_LOCK_FAILED 4
|
|
#define FSRTL_VOLUME_UNLOCK 5
|
|
#define FSRTL_VOLUME_MOUNT 6
|
|
|
|
#define FSRTL_WILD_CHARACTER 0x08
|
|
|
|
#ifdef _X86_
|
|
#define HARDWARE_PTE HARDWARE_PTE_X86
|
|
#define PHARDWARE_PTE PHARDWARE_PTE_X86
|
|
#else
|
|
#define HARDWARE_PTE ULONG
|
|
#define PHARDWARE_PTE PULONG
|
|
#endif
|
|
|
|
#define IO_CHECK_CREATE_PARAMETERS 0x0200
|
|
#define IO_ATTACH_DEVICE 0x0400
|
|
|
|
#define IO_ATTACH_DEVICE_API 0x80000000
|
|
|
|
#define IO_COMPLETION_QUERY_STATE 0x0001
|
|
#define IO_COMPLETION_MODIFY_STATE 0x0002
|
|
#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
|
|
|
|
#define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE 64
|
|
#define IO_FILE_OBJECT_PAGED_POOL_CHARGE 1024
|
|
|
|
#define IO_REPARSE_TAG_RESERVED_ZERO (0)
|
|
#define IO_REPARSE_TAG_RESERVED_ONE (1)
|
|
|
|
#define IO_TYPE_APC 18
|
|
#define IO_TYPE_DPC 19
|
|
#define IO_TYPE_DEVICE_QUEUE 20
|
|
#define IO_TYPE_EVENT_PAIR 21
|
|
#define IO_TYPE_INTERRUPT 22
|
|
#define IO_TYPE_PROFILE 23
|
|
|
|
#define IRP_BEING_VERIFIED 0x10
|
|
|
|
#define MAILSLOT_CLASS_FIRSTCLASS 1
|
|
#define MAILSLOT_CLASS_SECONDCLASS 2
|
|
|
|
#define MAILSLOT_SIZE_AUTO 0
|
|
|
|
#define MAP_PROCESS 1L
|
|
#define MAP_SYSTEM 2L
|
|
|
|
#define MEM_DOS_LIM 0x40000000
|
|
#define MEM_IMAGE SEC_IMAGE
|
|
|
|
// Flag bits of the (undocumented) object header, one bit per flag from 0x01
// to 0x40. The values describe kernel internals and are not part of a
// documented contract.
// NOTE(review): confirm against the target build before relying on any bit.
// OB_FLAG_PERMAMENT is a misspelling of "PERMANENT"; the macro name is kept
// as is so that existing users of this header still compile.
#define OB_FLAG_CREATE_INFO 0x01 /* Object header has OBJECT_CREATE_INFO */
|
|
#define OB_FLAG_KERNEL_MODE 0x02 /* Created by kernel */
|
|
#define OB_FLAG_CREATOR_INFO 0x04 /* Object header has OBJECT_CREATOR_INFO */
|
|
#define OB_FLAG_EXCLUSIVE 0x08 /* OBJ_EXCLUSIVE */
|
|
#define OB_FLAG_PERMAMENT 0x10 /* OBJ_PERMANENT */
|
|
#define OB_FLAG_SECURITY 0x20 /* Object header has SecurityDescriptor != NULL */
|
|
#define OB_FLAG_SINGLE_PROCESS 0x40 /* absent HandleDBList */
|
|
|
|
#define OB_SECURITY_CHARGE 0x00000800
|
|
|
|
#define OB_TYPE_TYPE 1
|
|
#define OB_TYPE_DIRECTORY 2
|
|
#define OB_TYPE_SYMBOLIC_LINK 3
|
|
#define OB_TYPE_TOKEN 4
|
|
#define OB_TYPE_PROCESS 5
|
|
#define OB_TYPE_THREAD 6
|
|
#define OB_TYPE_EVENT 7
|
|
#define OB_TYPE_EVENT_PAIR 8
|
|
#define OB_TYPE_MUTANT 9
|
|
#define OB_TYPE_SEMAPHORE 10
|
|
#define OB_TYPE_TIMER 11
|
|
#define OB_TYPE_PROFILE 12
|
|
#define OB_TYPE_WINDOW_STATION 13
|
|
#define OB_TYPE_DESKTOP 14
|
|
#define OB_TYPE_SECTION 15
|
|
#define OB_TYPE_KEY 16
|
|
#define OB_TYPE_PORT 17
|
|
#define OB_TYPE_ADAPTER 18
|
|
#define OB_TYPE_CONTROLLER 19
|
|
#define OB_TYPE_DEVICE 20
|
|
#define OB_TYPE_DRIVER 21
|
|
#define OB_TYPE_IO_COMPLETION 22
|
|
#define OB_TYPE_FILE 23
|
|
|
|
#define PIN_WAIT (1)
|
|
#define PIN_EXCLUSIVE (2)
|
|
#define PIN_NO_READ (4)
|
|
#define PIN_IF_BCB (8)
|
|
|
|
#define MAP_WAIT (1)
|
|
#define MAP_NO_READ (16)
|
|
|
|
#define PORT_CONNECT 0x0001
|
|
#define PORT_ALL_ACCESS (STANDARD_RIGHTS_ALL |\
|
|
PORT_CONNECT)
|
|
|
|
#define SEC_BASED 0x00200000
|
|
#define SEC_NO_CHANGE 0x00400000
|
|
#define SEC_FILE 0x00800000
|
|
#define SEC_IMAGE 0x01000000
|
|
#define SEC_COMMIT 0x08000000
|
|
#define SEC_NOCACHE 0x10000000
|
|
|
|
// Building blocks of the World ("Everyone") well-known SID: the six
// identifier-authority bytes encode the value 1 and the relative identifier
// is 0, which together form S-1-1-0.
// An allow-ACE that names this SID grants its rights to the broadest set of
// callers, so any security descriptor built from these two constants is
// worth a second look during review.
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}
|
|
#define SECURITY_WORLD_RID (0x00000000L)
|
|
|
|
#define SID_REVISION 1
|
|
|
|
#define THREAD_STATE_INITIALIZED 0
|
|
#define THREAD_STATE_READY 1
|
|
#define THREAD_STATE_RUNNING 2
|
|
#define THREAD_STATE_STANDBY 3
|
|
#define THREAD_STATE_TERMINATED 4
|
|
#define THREAD_STATE_WAIT 5
|
|
#define THREAD_STATE_TRANSITION 6
|
|
#define THREAD_STATE_UNKNOWN 7
|
|
|
|
// Object-specific access rights for access-token objects. Each right is a
// distinct bit (0x0001 through 0x0080) in the access mask requested when a
// token handle is opened.
// Request only what a code path needs: TOKEN_QUERY is enough to read token
// information, whereas TOKEN_DUPLICATE, TOKEN_IMPERSONATE,
// TOKEN_ASSIGN_PRIMARY and the TOKEN_ADJUST_* rights allow the holder to
// act as the token's identity or to change the token.
#define TOKEN_ASSIGN_PRIMARY (0x0001)
|
|
#define TOKEN_DUPLICATE (0x0002)
|
|
#define TOKEN_IMPERSONATE (0x0004)
|
|
#define TOKEN_QUERY (0x0008)
|
|
#define TOKEN_QUERY_SOURCE (0x0010)
|
|
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
|
|
#define TOKEN_ADJUST_GROUPS (0x0040)
|
|
#define TOKEN_ADJUST_DEFAULT (0x0080)
|
|
|
|
// Union of STANDARD_RIGHTS_REQUIRED and all eight token-specific rights
// that this header defines (TOKEN_ASSIGN_PRIMARY .. TOKEN_ADJUST_DEFAULT).
// A handle opened with this mask can duplicate, impersonate and adjust the
// token, so prefer TOKEN_READ, TOKEN_WRITE or the individual rights unless
// every one of them is really needed.
#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
|
|
TOKEN_ASSIGN_PRIMARY |\
|
|
TOKEN_DUPLICATE |\
|
|
TOKEN_IMPERSONATE |\
|
|
TOKEN_QUERY |\
|
|
TOKEN_QUERY_SOURCE |\
|
|
TOKEN_ADJUST_PRIVILEGES |\
|
|
TOKEN_ADJUST_GROUPS |\
|
|
TOKEN_ADJUST_DEFAULT)
|
|
|
|
#define TOKEN_READ (STANDARD_RIGHTS_READ |\
|
|
TOKEN_QUERY)
|
|
|
|
#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
|
|
TOKEN_ADJUST_PRIVILEGES |\
|
|
TOKEN_ADJUST_GROUPS |\
|
|
TOKEN_ADJUST_DEFAULT)
|
|
|
|
#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
|
|
|
|
#define TOKEN_SOURCE_LENGTH 8
|
|
|
|
#define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x01
|
|
#define TOKEN_HAS_BACKUP_PRIVILEGE 0x02
|
|
#define TOKEN_HAS_RESTORE_PRIVILEGE 0x04
|
|
#define TOKEN_HAS_ADMIN_GROUP 0x08
|
|
#define TOKEN_IS_RESTRICTED 0x10
|
|
#define TOKEN_SESSION_NOT_REFERENCED 0x20
|
|
#define TOKEN_SANDBOX_INERT 0x40
|
|
#define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x80
|
|
|
|
#define VACB_MAPPING_GRANULARITY (0x40000)
|
|
#define VACB_OFFSET_SHIFT (18)
|
|
|
|
// How to read this and the following FSCTL_* definitions: each code is built
// with CTL_CODE(DeviceType, Function, Method, Access).
//   Method - how buffers reach the driver. With METHOD_BUFFERED the I/O
//            manager copies data through a system buffer. With
//            METHOD_NEITHER the handler receives the caller's pointers
//            as-is, so for user-mode requests it must probe and capture
//            them itself under exception handling.
//   Access - the right the I/O manager requires on the file handle before
//            dispatching the request. FILE_ANY_ACCESS means no such check
//            is made, so any privilege or access check for that operation
//            is left to the handler.
#define FSCTL_REQUEST_OPLOCK_LEVEL_1 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_REQUEST_OPLOCK_LEVEL_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_REQUEST_BATCH_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_OPLOCK_BREAK_NOTIFY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_LOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
|
|
#define FSCTL_IS_VOLUME_MOUNTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_IS_PATHNAME_VALID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_MARK_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
|
|
// METHOD_NEITHER combined with FILE_ANY_ACCESS: the I/O manager neither
// buffers the caller's pointers nor checks handle access for this code.
// Buffer validation and any restriction on who may issue the request are
// therefore entirely the responsibility of the file system's handler.
#define FSCTL_QUERY_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_GET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_SET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
|
|
|
|
|
|
#define FSCTL_MARK_AS_SYSTEM_HIVE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_OPLOCK_BREAK_ACK_NO_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_INVALIDATE_VOLUMES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_QUERY_FAT_BPB CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_REQUEST_FILTER_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
#define FSCTL_GET_NTFS_VOLUME_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_GET_NTFS_FILE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_GET_VOLUME_BITMAP CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_MOVE_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_IS_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_ALLOW_EXTENDED_DASD_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
#define FSCTL_READ_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 33, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_WRITE_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 34, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_FIND_FILES_BY_SID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
|
|
#define FSCTL_DUMP_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 37, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_SET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_DELETE_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_SET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_GET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_DELETE_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_ENUM_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_SECURITY_ID_CHECK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_READ_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_SET_OBJECT_ID_EXTENDED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_CREATE_OR_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_SET_SPARSE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
|
#define FSCTL_SET_ZERO_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_QUERY_ALLOCATED_RANGES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_ENABLE_UPGRADE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_SET_ENCRYPTION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_ENCRYPTION_FSCTL_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_WRITE_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_READ_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_CREATE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_READ_FILE_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_WRITE_USN_CLOSE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59, METHOD_NEITHER, FILE_READ_DATA)
|
|
#define FSCTL_EXTEND_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_QUERY_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_DELETE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_MARK_HANDLE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_SIS_COPYFILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_SIS_LINK_FILES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
|
|
#define FSCTL_HSM_MSG CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 66, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
|
|
#define FSCTL_NSS_CONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 67, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_HSM_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 68, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
|
#define FSCTL_RECALL_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_NSS_RCONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 70, METHOD_BUFFERED, FILE_READ_DATA)
|
|
#define FSCTL_READ_FROM_PLEX CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA)
|
|
#define FSCTL_FILE_PREFETCH CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
#define FSCTL_MAILSLOT_PEEK CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA)
|
|
|
|
#define FSCTL_NETWORK_SET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_GET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_GET_CONNECTION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_ENUMERATE_CONNECTIONS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_DELETE_CONNECTION CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_GET_STATISTICS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_SET_DOMAIN_NAME CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
|
|
#define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
|
|
#define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
|
#define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
// Named-pipe control code, function 7, buffered, declared FILE_ANY_ACCESS
// (no handle-access check by the I/O manager for this code).
// NOTE(review): by its name this is the request a pipe server issues to
// impersonate its connected client; confirm against the named-pipe file
// system. Code that impersonates should check that the request succeeded
// before acting on the client's behalf and should revert afterwards.
#define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
|
#define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
|
|
#define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
|
|
#define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
|
#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
|
|
|
|
#define IOCTL_REDIR_QUERY_PATH CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 99, METHOD_NEITHER, FILE_ANY_ACCESS)
|
|
|
|
typedef PVOID PEJOB;
|
|
typedef PVOID PNOTIFY_SYNC;
|
|
typedef PVOID OPLOCK, *POPLOCK;
|
|
typedef PVOID PWOW64_PROCESS;
|
|
|
|
typedef ULONG LBN;
|
|
typedef LBN *PLBN;
|
|
|
|
typedef ULONG VBN;
|
|
typedef VBN *PVBN;
|
|
|
|
typedef struct _CACHE_MANAGER_CALLBACKS *PCACHE_MANAGER_CALLBACKS;
|
|
typedef struct _EPROCESS_QUOTA_BLOCK *PEPROCESS_QUOTA_BLOCK;
|
|
typedef struct _FILE_GET_QUOTA_INFORMATION *PFILE_GET_QUOTA_INFORMATION;
|
|
typedef struct _HANDLE_TABLE *PHANDLE_TABLE;
|
|
typedef struct _KEVENT_PAIR *PKEVENT_PAIR;
|
|
typedef struct _KPROCESS *PKPROCESS;
|
|
typedef struct _KQUEUE *PKQUEUE;
|
|
typedef struct _KTRAP_FRAME *PKTRAP_FRAME;
|
|
typedef struct _LPC_MESSAGE *PLPC_MESSAGE;
|
|
typedef struct _MAILSLOT_CREATE_PARAMETERS *PMAILSLOT_CREATE_PARAMETERS;
|
|
typedef struct _MMWSL *PMMWSL;
|
|
typedef struct _NAMED_PIPE_CREATE_PARAMETERS *PNAMED_PIPE_CREATE_PARAMETERS;
|
|
typedef struct _OBJECT_DIRECTORY *POBJECT_DIRECTORY;
|
|
typedef struct _PAGEFAULT_HISTORY *PPAGEFAULT_HISTORY;
|
|
typedef struct _PEB *PPEB;
|
|
typedef struct _PS_IMPERSONATION_INFORMATION *PPS_IMPERSONATION_INFORMATION;
|
|
typedef struct _SECTION_OBJECT *PSECTION_OBJECT;
|
|
typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
|
|
typedef struct _SHARED_CACHE_MAP *PSHARED_CACHE_MAP;
|
|
typedef struct _TERMINATION_PORT *PTERMINATION_PORT;
|
|
typedef struct _VACB *PVACB;
|
|
typedef struct _VAD_HEADER *PVAD_HEADER;
|
|
|
|
#if (VER_PRODUCTBUILD < 2195)
|
|
typedef ULONG SIZE_T, *PSIZE_T;
|
|
#endif
|
|
|
|
typedef enum _FAST_IO_POSSIBLE {
|
|
FastIoIsNotPossible,
|
|
FastIoIsPossible,
|
|
FastIoIsQuestionable
|
|
} FAST_IO_POSSIBLE;
|
|
|
|
typedef enum _FILE_STORAGE_TYPE {
|
|
StorageTypeDefault = 1,
|
|
StorageTypeDirectory,
|
|
StorageTypeFile,
|
|
StorageTypeJunctionPoint,
|
|
StorageTypeCatalog,
|
|
StorageTypeStructuredStorage,
|
|
StorageTypeEmbedding,
|
|
StorageTypeStream
|
|
} FILE_STORAGE_TYPE;
|
|
|
|
typedef enum _IO_COMPLETION_INFORMATION_CLASS {
|
|
IoCompletionBasicInformation
|
|
} IO_COMPLETION_INFORMATION_CLASS;
|
|
|
|
#if (VER_PRODUCTBUILD == 2195)
|
|
|
|
typedef enum _KSPIN_LOCK_QUEUE_NUMBER {
|
|
LockQueueDispatcherLock,
|
|
LockQueueContextSwapLock,
|
|
LockQueuePfnLock,
|
|
LockQueueSystemSpaceLock,
|
|
LockQueueVacbLock,
|
|
LockQueueMasterLock,
|
|
LockQueueNonPagedPoolLock,
|
|
LockQueueIoCancelLock,
|
|
LockQueueWorkQueueLock,
|
|
LockQueueIoVpbLock,
|
|
LockQueueIoDatabaseLock,
|
|
LockQueueIoCompletionLock,
|
|
LockQueueNtfsStructLock,
|
|
LockQueueAfdWorkQueueLock,
|
|
LockQueueBcbLock,
|
|
LockQueueMaximumLock
|
|
} KSPIN_LOCK_QUEUE_NUMBER;
|
|
|
|
#endif // (VER_PRODUCTBUILD == 2195)
|
|
|
|
typedef enum _LPC_TYPE {
|
|
LPC_NEW_MESSAGE,
|
|
LPC_REQUEST,
|
|
LPC_REPLY,
|
|
LPC_DATAGRAM,
|
|
LPC_LOST_REPLY,
|
|
LPC_PORT_CLOSED,
|
|
LPC_CLIENT_DIED,
|
|
LPC_EXCEPTION,
|
|
LPC_DEBUG_EVENT,
|
|
LPC_ERROR_EVENT,
|
|
LPC_CONNECTION_REQUEST
|
|
} LPC_TYPE;
|
|
|
|
typedef enum _MMFLUSH_TYPE {
|
|
MmFlushForDelete,
|
|
MmFlushForWrite
|
|
} MMFLUSH_TYPE;
|
|
|
|
typedef enum _OBJECT_INFO_CLASS {
|
|
ObjectBasicInfo,
|
|
ObjectNameInfo,
|
|
ObjectTypeInfo,
|
|
ObjectAllTypesInfo,
|
|
ObjectProtectionInfo
|
|
} OBJECT_INFO_CLASS;
|
|
|
|
typedef enum _PORT_INFORMATION_CLASS {
|
|
PortNoInformation
|
|
} PORT_INFORMATION_CLASS;
|
|
|
|
typedef enum _SECTION_INFORMATION_CLASS {
|
|
SectionBasicInformation,
|
|
SectionImageInformation
|
|
} SECTION_INFORMATION_CLASS;
|
|
|
|
typedef enum _SID_NAME_USE {
|
|
SidTypeUser = 1,
|
|
SidTypeGroup,
|
|
SidTypeDomain,
|
|
SidTypeAlias,
|
|
SidTypeWellKnownGroup,
|
|
SidTypeDeletedAccount,
|
|
SidTypeInvalid,
|
|
SidTypeUnknown
|
|
} SID_NAME_USE;
|
|
|
|
typedef enum _SYSTEM_INFORMATION_CLASS {
|
|
SystemBasicInformation,
|
|
SystemProcessorInformation,
|
|
SystemPerformanceInformation,
|
|
SystemTimeOfDayInformation,
|
|
SystemNotImplemented1,
|
|
SystemProcessesAndThreadsInformation,
|
|
SystemCallCounts,
|
|
SystemConfigurationInformation,
|
|
SystemProcessorTimes,
|
|
SystemGlobalFlag,
|
|
SystemNotImplemented2,
|
|
SystemModuleInformation,
|
|
SystemLockInformation,
|
|
SystemNotImplemented3,
|
|
SystemNotImplemented4,
|
|
SystemNotImplemented5,
|
|
SystemHandleInformation,
|
|
SystemObjectInformation,
|
|
SystemPagefileInformation,
|
|
SystemInstructionEmulationCounts,
|
|
SystemInvalidInfoClass1,
|
|
SystemCacheInformation,
|
|
SystemPoolTagInformation,
|
|
SystemProcessorStatistics,
|
|
SystemDpcInformation,
|
|
SystemNotImplemented6,
|
|
SystemLoadImage,
|
|
SystemUnloadImage,
|
|
SystemTimeAdjustment,
|
|
SystemNotImplemented7,
|
|
SystemNotImplemented8,
|
|
SystemNotImplemented9,
|
|
SystemCrashDumpInformation,
|
|
SystemExceptionInformation,
|
|
SystemCrashDumpStateInformation,
|
|
SystemKernelDebuggerInformation,
|
|
SystemContextSwitchInformation,
|
|
SystemRegistryQuotaInformation,
|
|
SystemLoadAndCallImage,
|
|
SystemPrioritySeparation,
|
|
SystemNotImplemented10,
|
|
SystemNotImplemented11,
|
|
SystemInvalidInfoClass2,
|
|
SystemInvalidInfoClass3,
|
|
SystemTimeZoneInformation,
|
|
SystemLookasideInformation,
|
|
SystemSetTimeSlipEvent,
|
|
SystemCreateSession,
|
|
SystemDeleteSession,
|
|
SystemInvalidInfoClass4,
|
|
SystemRangeStartInformation,
|
|
SystemVerifierInformation,
|
|
SystemAddVerifier,
|
|
SystemSessionProcessesInformation
|
|
} SYSTEM_INFORMATION_CLASS;
|
|
|
|
typedef enum _THREAD_STATE {
|
|
StateInitialized,
|
|
StateReady,
|
|
StateRunning,
|
|
StateStandby,
|
|
StateTerminated,
|
|
StateWait,
|
|
StateTransition,
|
|
StateUnknown
|
|
} THREAD_STATE;
|
|
|
|
typedef enum _TOKEN_INFORMATION_CLASS {
|
|
TokenUser = 1,
|
|
TokenGroups,
|
|
TokenPrivileges,
|
|
TokenOwner,
|
|
TokenPrimaryGroup,
|
|
TokenDefaultDacl,
|
|
TokenSource,
|
|
TokenType,
|
|
TokenImpersonationLevel,
|
|
TokenStatistics,
|
|
TokenRestrictedSids
|
|
} TOKEN_INFORMATION_CLASS;
|
|
|
|
// Kind of access token. Numbering starts at 1, so TokenPrimary is 1 and
// TokenImpersonation is 2; 0 is not a valid TOKEN_TYPE and a zeroed
// variable must not be read as "primary".
typedef enum _TOKEN_TYPE {
|
|
TokenPrimary = 1, // 1: token that describes a process
|
|
TokenImpersonation // 2: token a thread uses while impersonating
|
|
} TOKEN_TYPE;
|
|
|
|
// 32-bit x86 page-table entry expressed as bit-fields: twelve 1-bit flags
// followed by a 20-bit page frame number (12 + 20 = 32 bits).
// The bit positions noted below assume the compiler allocates bit-fields
// starting at the least significant bit. C leaves that order to the
// implementation.
// NOTE(review): confirm the allocation order for the toolchain in use.
typedef struct _HARDWARE_PTE_X86 {
|
|
ULONG Valid : 1; // bit 0: entry is present
|
|
ULONG Write : 1; // bit 1: page is writable
|
|
ULONG Owner : 1; // bit 2: user/supervisor; set means reachable from user mode
|
|
ULONG WriteThrough : 1; // bit 3: write-through caching
|
|
ULONG CacheDisable : 1; // bit 4: caching disabled
|
|
ULONG Accessed : 1; // bit 5: set by the CPU on access
|
|
ULONG Dirty : 1; // bit 6: set by the CPU on write
|
|
ULONG LargePage : 1; // bit 7: large-page mapping
|
|
ULONG Global : 1; // bit 8: global translation
|
|
ULONG CopyOnWrite : 1; // bit 9: software-defined (ignored by the CPU)
|
|
ULONG Prototype : 1; // bit 10: software-defined (ignored by the CPU)
|
|
ULONG reserved : 1; // bit 11: software-defined, unused here
|
|
ULONG PageFrameNumber : 20; // bits 12-31: physical page frame number
|
|
} HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;
|
|
|
|
// APC bookkeeping as embedded in KTHREAD (ApcState / SavedApcState).
// This is an undocumented kernel structure declared here for reference.
// Treat the layout as specific to the build it was taken from rather than
// as a stable contract.
typedef struct _KAPC_STATE {
|
|
LIST_ENTRY ApcListHead[2]; // two APC queues; presumably kernel-mode then user-mode (confirm)
|
|
PKPROCESS Process; // process this APC state refers to
|
|
BOOLEAN KernelApcInProgress; // by name: a kernel APC is currently being delivered (confirm)
|
|
BOOLEAN KernelApcPending; // by name: a kernel APC is queued and awaiting delivery (confirm)
|
|
BOOLEAN UserApcPending; // by name: a user APC is queued and awaiting delivery (confirm)
|
|
} KAPC_STATE, *PKAPC_STATE;
|
|
|
|
typedef struct _KGDTENTRY {
|
|
USHORT LimitLow;
|
|
USHORT BaseLow;
|
|
union {
|
|
struct {
|
|
UCHAR BaseMid;
|
|
UCHAR Flags1;
|
|
UCHAR Flags2;
|
|
UCHAR BaseHi;
|
|
} Bytes;
|
|
struct {
|
|
ULONG BaseMid : 8;
|
|
ULONG Type : 5;
|
|
ULONG Dpl : 2;
|
|
ULONG Pres : 1;
|
|
ULONG LimitHi : 4;
|
|
ULONG Sys : 1;
|
|
ULONG Reserved_0 : 1;
|
|
ULONG Default_Big : 1;
|
|
ULONG Granularity : 1;
|
|
ULONG BaseHi : 8;
|
|
} Bits;
|
|
} HighWord;
|
|
} KGDTENTRY, *PKGDTENTRY;
|
|
|
|
// One 8-byte x86 interrupt-descriptor-table entry, split into four 16-bit
// words. The handler address is stored in two halves (Offset and
// ExtendedOffset), so both must be read to reconstruct it.
typedef struct _KIDTENTRY {
|
|
USHORT Offset; // low 16 bits of the handler address
|
|
USHORT Selector; // code-segment selector used for the handler
|
|
USHORT Access; // gate type, privilege level and present bit
|
|
USHORT ExtendedOffset; // high 16 bits of the handler address
|
|
} KIDTENTRY, *PKIDTENTRY;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _KPROCESS {
|
|
DISPATCHER_HEADER Header;
|
|
LIST_ENTRY ProfileListHead;
|
|
ULONG DirectoryTableBase[2];
|
|
KGDTENTRY LdtDescriptor;
|
|
KIDTENTRY Int21Descriptor;
|
|
USHORT IopmOffset;
|
|
UCHAR Iopl;
|
|
UCHAR Unused;
|
|
ULONG ActiveProcessors;
|
|
ULONG KernelTime;
|
|
ULONG UserTime;
|
|
LIST_ENTRY ReadyListHead;
|
|
SINGLE_LIST_ENTRY SwapListEntry;
|
|
PVOID VdmTrapcHandler;
|
|
LIST_ENTRY ThreadListHead;
|
|
KSPIN_LOCK ProcessLock;
|
|
KAFFINITY Affinity;
|
|
USHORT StackCount;
|
|
CHAR BasePriority;
|
|
CHAR ThreadQuantum;
|
|
BOOLEAN AutoAlignment;
|
|
UCHAR State;
|
|
UCHAR ThreadSeed;
|
|
BOOLEAN DisableBoost;
|
|
UCHAR PowerState;
|
|
BOOLEAN DisableQuantum;
|
|
UCHAR IdealNode;
|
|
UCHAR Spare;
|
|
} KPROCESS, *PKPROCESS;
|
|
|
|
#else
|
|
|
|
typedef struct _KPROCESS {
|
|
DISPATCHER_HEADER Header;
|
|
LIST_ENTRY ProfileListHead;
|
|
ULONG DirectoryTableBase[2];
|
|
KGDTENTRY LdtDescriptor;
|
|
KIDTENTRY Int21Descriptor;
|
|
USHORT IopmOffset;
|
|
UCHAR Iopl;
|
|
UCHAR VdmFlag;
|
|
ULONG ActiveProcessors;
|
|
ULONG KernelTime;
|
|
ULONG UserTime;
|
|
LIST_ENTRY ReadyListHead;
|
|
SINGLE_LIST_ENTRY SwapListEntry;
|
|
PVOID Reserved1;
|
|
LIST_ENTRY ThreadListHead;
|
|
KSPIN_LOCK ProcessLock;
|
|
KAFFINITY Affinity;
|
|
USHORT StackCount;
|
|
UCHAR BasePriority;
|
|
UCHAR ThreadQuantum;
|
|
BOOLEAN AutoAlignment;
|
|
UCHAR State;
|
|
UCHAR ThreadSeed;
|
|
BOOLEAN DisableBoost;
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
UCHAR PowerState;
|
|
BOOLEAN DisableQuantum;
|
|
UCHAR IdealNode;
|
|
UCHAR Spare;
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
} KPROCESS, *PKPROCESS;
|
|
|
|
#endif
|
|
|
|
#if (VER_PRODUCTBUILD >= 3790)
|
|
|
|
/*
 * Kernel thread control block, variant for VER_PRODUCTBUILD >= 3790.
 * Trailing comments are the author's field offsets; they are consistent
 * with 4-byte pointers.
 *
 * The layout mirrors an undocumented kernel structure. This header alone
 * carries three different KTHREAD layouts, so a driver that hard-codes
 * these offsets is bound to one build.
 */
typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;         // 0x10
    PVOID                       InitialStack;           // 0x18
    PVOID                       StackLimit;             // 0x1c
    PVOID                       KernelStack;            // 0x20
    ULONG                       ThreadLock;             // 0x24
    ULONG                       ContextSwitches;        // 0x28
    UCHAR                       State;                  // 0x2c
    UCHAR                       NpxState;               // 0x2d
    UCHAR                       WaitIrql;               // 0x2e
    CHAR                        WaitMode;               // 0x2f
    struct _TEB                 *Teb;                   // 0x30
    KAPC_STATE                  ApcState;               // 0x34
    KSPIN_LOCK                  ApcQueueLock;           // 0x4c
    NTSTATUS                    WaitStatus;             // 0x50
    PKWAIT_BLOCK                WaitBlockList;          // 0x54
    BOOLEAN                     Alertable;              // 0x58
    UCHAR                       WaitNext;               // 0x59
    UCHAR                       WaitReason;             // 0x5a
    CHAR                        Priority;               // 0x5b
    BOOLEAN                     EnableStackSwap;        // 0x5c
    BOOLEAN                     SwapBusy;               // 0x5d
    UCHAR                       Alerted[2];             // 0x5e
    union {
        LIST_ENTRY              WaitListEntry;          // 0x60
        SINGLE_LIST_ENTRY       SwapListEntry;          // 0x60
    };
    PKQUEUE                     Queue;                  // 0x68
    ULONG                       WaitTime;               // 0x6c
    /*
     * NOTE(review): CombinedApcDisable is declared USHORT, so it overlays
     * only KernelApcDisable (0x70) and not SpecialApcDisable (0x72);
     * confirm whether a 32-bit type was intended.
     */
    union {
        struct {
            USHORT              KernelApcDisable;       // 0x70
            USHORT              SpecialApcDisable;      // 0x72
        };
        USHORT                  CombinedApcDisable;     // 0x70
    };
    KTIMER                      Timer;                  // 0x78
    KWAIT_BLOCK                 WaitBlock[4];           // 0xa0
    LIST_ENTRY                  QueueListEntry;         // 0x100
    UCHAR                       ApcStateIndex;          // 0x108
    BOOLEAN                     ApcQueueable;           // 0x109
    BOOLEAN                     Preempted;              // 0x10a
    BOOLEAN                     ProcessReadyQueue;      // 0x10b
    BOOLEAN                     KernelStackResident;    // 0x10c
    CHAR                        Saturation;             // 0x10d
    UCHAR                       IdealProcessor;         // 0x10e
    UCHAR                       NextProcessor;          // 0x10f
    CHAR                        BasePriority;           // 0x110
    UCHAR                       Spare4;                 // 0x111
    CHAR                        PriorityDecrement;      // 0x112
    CHAR                        Quantum;                // 0x113
    BOOLEAN                     SystemAffinityActive;   // 0x114
    /* NOTE(review): prefer ExGetPreviousMode() to reading this by offset. */
    CHAR                        PreviousMode;           // 0x115
    UCHAR                       ResourceIndex;          // 0x116
    BOOLEAN                     DisableBoost;           // 0x117
    ULONG                       UserAffinity;           // 0x118
    PKPROCESS                   Process;                // 0x11c
    ULONG                       Affinity;               // 0x120
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable;           // 0x124
    PKAPC_STATE                 ApcStatePointer[2];     // 0x128
    KAPC_STATE                  SavedApcState;          // 0x130
    PVOID                       CallbackStack;          // 0x148
    PVOID                       Win32Thread;            // 0x14c
    PKTRAP_FRAME                TrapFrame;              // 0x150
    ULONG                       KernelTime;             // 0x154
    ULONG                       UserTime;               // 0x158
    PVOID                       StackBase;              // 0x15c
    KAPC                        SuspendApc;             // 0x160
    KSEMAPHORE                  SuspendSemaphore;       // 0x190
    PVOID                       TlsArray;               // 0x1a4
    PVOID                       LegoData;               // 0x1a8
    LIST_ENTRY                  ThreadListEntry;        // 0x1ac
    BOOLEAN                     LargeStack;             // 0x1b4
    UCHAR                       PowerState;             // 0x1b5
    UCHAR                       NpxIrql;                // 0x1b6
    UCHAR                       Spare5;                 // 0x1b7
    BOOLEAN                     AutoAlignment;          // 0x1b8
    UCHAR                       Iopl;                   // 0x1b9
    CHAR                        FreezeCount;            // 0x1ba
    CHAR                        SuspendCount;           // 0x1bb
    UCHAR                       Spare0[1];              // 0x1bc
    UCHAR                       UserIdealProcessor;     // 0x1bd
    UCHAR                       DeferredProcessor;      // 0x1be
    UCHAR                       AdjustReason;           // 0x1bf
    CHAR                        AdjustIncrement;        // 0x1c0
    UCHAR                       Spare2[3];              // 0x1c1
} KTHREAD, *PKTHREAD;
|
|
|
|
#elif (VER_PRODUCTBUILD >= 2600)
|
|
|
|
/*
 * Kernel thread control block, variant for VER_PRODUCTBUILD >= 2600 and
 * below 3790 (the #elif branch). No offsets are annotated for this variant.
 *
 * Field order differs from the other two KTHREAD variants in this header,
 * so offsets derived from one variant must not be reused for another.
 */
typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    UCHAR                       Alerted[2];
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    CHAR                        Saturation;
    CHAR                        Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    UCHAR                       IdleSwapBlock;
    UCHAR                       Spare0[3];
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    CHAR                        WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    union {
        LIST_ENTRY              WaitListEntry;
        SINGLE_LIST_ENTRY       SwapListEntry;
    };
    ULONG                       WaitTime;
    CHAR                        BasePriority;
    UCHAR                       DecrementCount;
    CHAR                        PriorityDecrement;
    CHAR                        Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    PVOID                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       InitialNode;
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       SoftAffinity;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
    /* NOTE(review): prefer ExGetPreviousMode() to reading this by offset. */
    CHAR                        PreviousMode;
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    CHAR                        FreezeCount;
    CHAR                        SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD, *PKTHREAD;
|
|
|
|
#else
|
|
|
|
/*
 * Kernel thread control block, variant for builds below 2600 (the #else
 * branch). Inner conditionals on VER_PRODUCTBUILD 2195 change the padding
 * after SystemAffinityActive and move PreviousMode: it sits before
 * EnableStackSwap for >= 2195 and after ResourceIndex for < 2195.
 */
typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    USHORT                      Alerted;
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    UCHAR                       Saturation;
    UCHAR                       Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    UCHAR                       WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    LIST_ENTRY                  WaitListEntry;
    ULONG                       WaitTime;
    UCHAR                       BasePriority;
    UCHAR                       DecrementCount;
    UCHAR                       PriorityDecrement;
    UCHAR                       Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    ULONG                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
#if (VER_PRODUCTBUILD < 2195)
    UCHAR                       Pad[3];
#else // (VER_PRODUCTBUILD >= 2195)
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       Pad[1];
#endif // (VER_PRODUCTBUILD >= 2195)
    PSERVICE_DESCRIPTOR_TABLE   ServiceDescriptorTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
#if (VER_PRODUCTBUILD >= 2195)
    /* NOTE(review): prefer ExGetPreviousMode() to reading this by offset. */
    UCHAR                       PreviousMode;
#endif // (VER_PRODUCTBUILD >= 2195)
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
#if (VER_PRODUCTBUILD < 2195)
    UCHAR                       PreviousMode;
#endif // (VER_PRODUCTBUILD < 2195)
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    UCHAR                       FreezeCount;
    UCHAR                       SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD, *PKTHREAD;
|
|
|
|
#endif
|
|
|
|
#if (VER_PRODUCTBUILD >= 3790)
|
|
|
|
/*
 * Bit-field flags word used by MMSUPPORT, variant for
 * VER_PRODUCTBUILD >= 3790. The declared widths add up to 32 bits.
 */
typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace          : 1;
    ULONG BeingTrimmed          : 1;
    ULONG SessionLeader         : 1;
    ULONG TrimHard              : 1;
    ULONG MaximumWorkingSetHard : 1;
    ULONG ForceTrim             : 1;
    ULONG MinimumWorkingSetHard : 1;
    ULONG Available0            : 1;
    ULONG MemoryPriority        : 8;
    ULONG GrowWsleHash          : 1;
    ULONG AcquiredUnsafe        : 1;
    ULONG Available             : 14;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
|
|
|
|
#elif (VER_PRODUCTBUILD >= 2600)
|
|
|
|
/*
 * Bit-field flags word used by MMSUPPORT, variant for
 * VER_PRODUCTBUILD >= 2600 and below 3790. The declared widths add up to
 * 32 bits.
 */
typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace              : 1;
    ULONG BeingTrimmed              : 1;
    ULONG SessionLeader             : 1;
    ULONG TrimHard                  : 1;
    ULONG WorkingSetHard            : 1;
    ULONG AddressSpaceBeingDeleted  : 1;
    ULONG Available                 : 10;
    ULONG AllowWorkingSetAdjustment : 8;
    ULONG MemoryPriority            : 8;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
|
|
|
|
#else
|
|
|
|
/*
 * Bit-field flags word used by MMSUPPORT, variant for builds below 2600
 * (the #else branch). Seven single-bit flags plus a 25-bit filler, 32 bits
 * in total.
 */
typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace      : 1;
    ULONG BeingTrimmed      : 1;
    ULONG ProcessInSession  : 1;
    ULONG SessionLeader     : 1;
    ULONG TrimHard          : 1;
    ULONG WorkingSetHard    : 1;
    ULONG WriteWatch        : 1;
    ULONG Filler            : 25;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
|
|
|
|
#endif
|
|
|
|
#if (VER_PRODUCTBUILD >= 3790)
|
|
/*
|
|
typedef struct _KGUARDED_MUTEX {
|
|
LONG Count;
|
|
PKTHREAD Owner; // 0x4
|
|
ULONG Contention; // 0x8
|
|
KEVENT Event; // 0xc
|
|
union {
|
|
struct {
|
|
USHORT KernelApcDisable; // 0x1c
|
|
USHORT SpecialApcDisable; // 0x1e
|
|
};
|
|
USHORT CombinedApcDisable; // 0x1c
|
|
};
|
|
} KGUARDED_MUTEX, *PKGUARDED_MUTEX;
|
|
*/
|
|
/*
 * Working-set bookkeeping record embedded in EPROCESS as Vm, variant for
 * VER_PRODUCTBUILD >= 3790. Trailing comments are the author's offsets.
 * The Mutex member needs KGUARDED_MUTEX, whose definition in this header
 * is commented out just above; it presumably comes from the DDK headers.
 */
typedef struct _MMSUPPORT {
    LIST_ENTRY      WorkingSetExpansionLinks;
    LARGE_INTEGER   LastTrimTime;               // 0x8
    MMSUPPORT_FLAGS Flags;                      // 0x10
    ULONG           PageFaultCount;             // 0x14
    ULONG           PeakWorkingSetSize;         // 0x18
    ULONG           GrowthSinceLastEstimate;    // 0x1c
    ULONG           MinimumWorkingSetSize;      // 0x20
    ULONG           MaximumWorkingSetSize;      // 0x24
    PMMWSL          VmWorkingSetList;           // 0x28
    ULONG           Claim;                      // 0x2c
    ULONG           NextEstimationSlot;         // 0x30
    ULONG           NextAgingSlot;              // 0x34
    ULONG           EstimatedAvailable;         // 0x38
    ULONG           WorkingSetSize;             // 0x3c
    KGUARDED_MUTEX  Mutex;                      // 0x40
} MMSUPPORT, *PMMSUPPORT;
|
|
|
|
#elif (VER_PRODUCTBUILD >= 2600)
|
|
|
|
/*
 * Working-set bookkeeping record embedded in EPROCESS as Vm, variant for
 * VER_PRODUCTBUILD >= 2600 and below 3790. Field order differs from the
 * 3790 variant (WorkingSetExpansionLinks is no longer first).
 */
typedef struct _MMSUPPORT {
    LARGE_INTEGER   LastTrimTime;
    MMSUPPORT_FLAGS Flags;
    ULONG           PageFaultCount;
    ULONG           PeakWorkingSetSize;
    ULONG           WorkingSetSize;
    ULONG           MinimumWorkingSetSize;
    ULONG           MaximumWorkingSetSize;
    PMMWSL          VmWorkingSetList;
    LIST_ENTRY      WorkingSetExpansionLinks;
    ULONG           Claim;
    ULONG           NextEstimationSlot;
    ULONG           NextAgingSlot;
    ULONG           EstimatedAvailable;
    ULONG           GrowthSinceLastEstimate;
} MMSUPPORT, *PMMSUPPORT;
|
|
|
|
#else
|
|
|
|
/*
 * Working-set bookkeeping record embedded in EPROCESS as Vm, variant for
 * builds below 2600 (the #else branch). The flags union and the estimation
 * fields after MemoryPriority exist only for VER_PRODUCTBUILD >= 2195.
 */
typedef struct _MMSUPPORT {
    LARGE_INTEGER   LastTrimTime;
    ULONG           LastTrimFaultCount;
    ULONG           PageFaultCount;
    ULONG           PeakWorkingSetSize;
    ULONG           WorkingSetSize;
    ULONG           MinimumWorkingSetSize;
    ULONG           MaximumWorkingSetSize;
    PMMWSL          VmWorkingSetList;
    LIST_ENTRY      WorkingSetExpansionLinks;
    BOOLEAN         AllowWorkingSetAdjustment;
    BOOLEAN         AddressSpaceBeingDeleted;
    UCHAR           ForegroundSwitchCount;
    UCHAR           MemoryPriority;
#if (VER_PRODUCTBUILD >= 2195)
    /* The same 32 bits viewed either whole (LongFlags) or as bit-fields. */
    union {
        ULONG           LongFlags;
        MMSUPPORT_FLAGS Flags;
    } u;
    ULONG           Claim;
    ULONG           NextEstimationSlot;
    ULONG           NextAgingSlot;
    ULONG           EstimatedAvailable;
    ULONG           GrowthSinceLastEstimate;
#endif // (VER_PRODUCTBUILD >= 2195)
} MMSUPPORT, *PMMSUPPORT;
|
|
|
|
#endif
|
|
|
|
/*
 * Single-pointer wrapper holding the image file name as object name
 * information; the 2600 and 3790 EPROCESS variants in this header embed it.
 */
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
    POBJECT_NAME_INFORMATION ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;
|
|
|
|
/* Six-byte identifier authority value stored inside a SID. */
typedef struct _SID_IDENTIFIER_AUTHORITY {
    UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
|
|
|
|
/*
 * In-memory layout of a security identifier. Note that the pointer typedef
 * declared here is PREAL_SID, not PSID.
 *
 * SubAuthority is declared with one element but is a variable-length tail;
 * sizeof(SID) therefore describes only a one-sub-authority SID.
 * NOTE(review): SubAuthorityCount presumably gives the number of elements
 * present. A SID received from an untrusted buffer should be checked with
 * RtlValidSid and sized with RtlLengthSid (bounded by the buffer length)
 * before SubAuthority is indexed.
 */
typedef struct _SID {
    UCHAR                       Revision;
    UCHAR                       SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY    IdentifierAuthority;
    ULONG                       SubAuthority[1];
} SID, *PREAL_SID;
|
|
|
|
/*
 * Volume bitmap header followed by the bitmap bytes. Map is declared with
 * one element and acts as a variable-length tail, so its real size has to
 * come from the enclosing buffer length rather than sizeof.
 */
typedef struct _BITMAP_DESCRIPTOR {
    ULONGLONG   StartLcn;
    ULONGLONG   ClustersToEndOfVol;
    UCHAR       Map[1];
} BITMAP_DESCRIPTOR, *PBITMAP_DESCRIPTOR;
|
|
|
|
/*
 * List-linked record describing a range of pages: a base page, first and
 * last dirty page indices, a dirty-page count and a pointer to the bitmap.
 */
typedef struct _BITMAP_RANGE {
    LIST_ENTRY      Links;
    LARGE_INTEGER   BasePage;
    ULONG           FirstDirtyPage;
    ULONG           LastDirtyPage;
    ULONG           DirtyPages;
    PULONG          Bitmap;
} BITMAP_RANGE, *PBITMAP_RANGE;
|
|
|
|
/* Singly linked node (via Next) carrying one KEVENT. */
typedef struct _CACHE_UNINITIALIZE_EVENT {
    struct _CACHE_UNINITIALIZE_EVENT    *Next;
    KEVENT                              Event;
} CACHE_UNINITIALIZE_EVENT, *PCACHE_UNINITIALIZE_EVENT;
|
|
|
|
/* Three 64-bit sizes for a file: allocation size, file size, valid data length. */
typedef struct _CC_FILE_SIZES {
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER FileSize;
    LARGE_INTEGER ValidDataLength;
} CC_FILE_SIZES, *PCC_FILE_SIZES;
|
|
|
|
/*
 * Header describing compressed data, followed by a variable-length array of
 * chunk sizes (declared with ANYSIZE_ARRAY elements).
 * NOTE(review): NumberOfChunks presumably gives the element count of
 * CompressedChunkSizes; check it against the supplied buffer length before
 * indexing the array, and range-check the shift fields before using them
 * as shift counts.
 */
typedef struct _COMPRESSED_DATA_INFO {
    USHORT  CompressionFormatAndEngine;
    UCHAR   CompressionUnitShift;
    UCHAR   ChunkShift;
    UCHAR   ClusterShift;
    UCHAR   Reserved;
    USHORT  NumberOfChunks;
    ULONG   CompressedChunkSizes[ANYSIZE_ARRAY];
} COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;
|
|
|
|
/*
 * Device map record: two object-directory pointers (DosDevices and global
 * DosDevices), a reference count, a 32-bit drive map and a 32-entry drive
 * type table.
 */
typedef struct _DEVICE_MAP {
    POBJECT_DIRECTORY   DosDevicesDirectory;
    POBJECT_DIRECTORY   GlobalDosDevicesDirectory;
    ULONG               ReferenceCount;
    ULONG               DriveMap;
    UCHAR               DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP;
|
|
|
|
/*
 * Pair of counted strings naming an object and its type. UNICODE_STRING
 * carries explicit lengths, so consumers should use those rather than
 * assume NUL termination.
 */
typedef struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
/*
 * Fast reference: one word viewed as an object pointer, as a 3-bit RefCnt
 * bit-field, or as the raw Value.
 *
 * RefCnt shares storage with Object (the low three bits under the usual
 * x86 bit-field layout), so Object/Value is not a usable pointer until
 * those bits are cleared. EPROCESS.Token is declared with this type in the
 * 2600 and 3790 variants; NOTE(review): prefer PsReferencePrimaryToken to
 * decoding the field by hand.
 */
typedef struct _EX_FAST_REF {
    union {
        PVOID Object;
        ULONG RefCnt : 3;
        ULONG Value;
    };
} EX_FAST_REF, *PEX_FAST_REF;
|
|
|
|
/*
 * Push lock: one word viewed as bit-fields (Waiting, Exclusive and a 30-bit
 * Shared field), as the raw Value, or as a pointer.
 */
typedef struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONG Waiting   : 1;
            ULONG Exclusive : 1;
            ULONG Shared    : 30;
        };
        ULONG Value;
        PVOID Ptr;
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
#if (VER_PRODUCTBUILD == 2600)
|
|
|
|
/*
 * Rundown reference: one word viewed either as a count or as a pointer.
 * This header defines it only when VER_PRODUCTBUILD == 2600, although the
 * EPROCESS and ETHREAD variants for later builds also use the type; those
 * builds presumably take the definition from the DDK headers.
 */
typedef struct _EX_RUNDOWN_REF {
    union {
        ULONG Count;
        PVOID Ptr;
    };
} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;
|
|
|
|
#endif // (VER_PRODUCTBUILD == 2600)
|
|
|
|
#if (VER_PRODUCTBUILD >= 3790)
|
|
|
|
/*
 * Node of the address tree rooted in MM_AVL_TABLE: parent/left/right links
 * plus the starting and ending virtual page numbers it covers.
 * The struct tag is _MM_ADDRESS_NODE while the typedef is MMADDRESS_NODE.
 */
typedef struct _MM_ADDRESS_NODE {
    union {
        ULONG                   Balance : 2;
        struct _MM_ADDRESS_NODE *Parent;    // lower 2 bits of Parent are Balance and must be zeroed to obtain Parent
    };
    struct _MM_ADDRESS_NODE     *LeftChild;
    struct _MM_ADDRESS_NODE     *RightChild;
    ULONG_PTR                   StartingVpn;
    ULONG_PTR                   EndingVpn;
} MMADDRESS_NODE, *PMMADDRESS_NODE;
|
|
|
|
/*
 * Table header for the address tree: an embedded root node, a packed word
 * holding depth (5 bits), 3 unused bits and the node count (24 bits), and
 * two hint pointers. Offsets in the comments are the author's.
 */
typedef struct _MM_AVL_TABLE {
    MMADDRESS_NODE  BalancedRoot;                       // Vadroot; incorrectly represents the NULL pages (EndingVpn should be 0xf, etc.)
    ULONG           DepthOfTree                 : 5;    // 0x14
    ULONG           Unused                      : 3;
    ULONG           NumberGenericTableElements  : 24;   // total number of nodes
    PVOID           NodeHint;                           // 0x18 (0x270 in _EPROCESS)
    PVOID           NodeFreeHint;                       // 0x1c
} MM_AVL_TABLE, *PMM_AVL_TABLE;
|
|
|
|
/*
 * Executive process object, variant for VER_PRODUCTBUILD >= 3790.
 * Trailing comments are the author's field offsets; they are consistent
 * with 4-byte pointers.
 *
 * The layout mirrors an undocumented kernel structure and this header
 * carries three incompatible EPROCESS layouts. A driver that hard-codes
 * these offsets reads the wrong fields on any other build; where an
 * exported accessor exists (for example PsGetProcessId or
 * PsReferencePrimaryToken) it is the safer way to obtain the value.
 */
typedef struct _EPROCESS {
    KPROCESS                        Pcb;                            // +0x000
    EX_PUSH_LOCK                    ProcessLock;                    // +0x06c
    LARGE_INTEGER                   CreateTime;                     // +0x070
    LARGE_INTEGER                   ExitTime;                       // +0x078
    EX_RUNDOWN_REF                  RundownProtect;                 // +0x080
    ULONG                           UniqueProcessId;                // +0x084
    LIST_ENTRY                      ActiveProcessLinks;             // +0x088
    ULONG                           QuotaUsage[3];                  // +0x090
    ULONG                           QuotaPeak[3];                   // +0x09c
    ULONG                           CommitCharge;                   // +0x0a8
    ULONG                           PeakVirtualSize;                // +0x0ac
    ULONG                           VirtualSize;                    // +0x0b0
    LIST_ENTRY                      SessionProcessLinks;            // +0x0b4
    PVOID                           DebugPort;                      // +0x0bc
    PVOID                           ExceptionPort;                  // +0x0c0
    PHANDLE_TABLE                   ObjectTable;                    // +0x0c4
    /* EX_FAST_REF: RefCnt bits overlay the pointer; not directly dereferenceable. */
    EX_FAST_REF                     Token;                          // +0x0c8
    ULONG                           WorkingSetPage;                 // +0x0cc
    KGUARDED_MUTEX                  AddressCreationLock;            // +0x0d0
    ULONG                           HyperSpaceLock;                 // +0x0f0
    PETHREAD                        ForkInProgress;                 // +0x0f4
    ULONG                           HardwareTrigger;                // +0x0f8
    PMM_AVL_TABLE                   PhysicalVadRoot;                // +0x0fc
    PVOID                           CloneRoot;                      // +0x100
    ULONG                           NumberOfPrivatePages;           // +0x104
    ULONG                           NumberOfLockedPages;            // +0x108
    PVOID                           Win32Process;                   // +0x10c
    PEJOB                           Job;                            // +0x110
    PVOID                           SectionObject;                  // +0x114
    PVOID                           SectionBaseAddress;             // +0x118
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;                     // +0x11c
    PPAGEFAULT_HISTORY              WorkingSetWatch;                // +0x120
    PVOID                           Win32WindowStation;             // +0x124
    ULONG                           InheritedFromUniqueProcessId;   // +0x128
    PVOID                           LdtInformation;                 // +0x12c
    PVOID                           VadFreeHint;                    // +0x130
    PVOID                           VdmObjects;                     // +0x134
    PVOID                           DeviceMap;                      // +0x138
    PVOID                           Spare0[3];                      // +0x13c
    union {
        HARDWARE_PTE                PageDirectoryPte;               // +0x148
        UINT64                      Filler;                         // +0x148
    };
    PVOID                           Session;                        // +0x150
    /*
     * Fixed 16-byte name buffer. NOTE(review): presumably truncated and not
     * guaranteed NUL-terminated; bound any copy to 16 bytes and do not use
     * it as a process identity for security decisions.
     */
    UCHAR                           ImageFileName[16];              // +0x154
    LIST_ENTRY                      JobLinks;                       // +0x164
    PVOID                           LockedPagesList;                // +0x16c
    LIST_ENTRY                      ThreadListHead;                 // +0x170
    PVOID                           SecurityPort;                   // +0x178
    PVOID                           PaeTop;                         // +0x17c
    ULONG                           ActiveThreads;                  // +0x180
    ULONG                           GrantedAccess;                  // +0x184
    ULONG                           DefaultHardErrorProcessing;     // +0x188
    /*
     * NOTE(review): declared SHORT here, while the other two EPROCESS
     * variants declare NTSTATUS and the annotated offsets leave four bytes
     * before Peb; confirm the intended type.
     */
    SHORT                           LastThreadExitStatus;           // +0x18c
    PPEB                            Peb;                            // +0x190
    EX_FAST_REF                     PrefetchTrace;                  // +0x194
    LARGE_INTEGER                   ReadOperationCount;             // +0x198
    LARGE_INTEGER                   WriteOperationCount;            // +0x1a0
    LARGE_INTEGER                   OtherOperationCount;            // +0x1a8
    LARGE_INTEGER                   ReadTransferCount;              // +0x1b0
    LARGE_INTEGER                   WriteTransferCount;             // +0x1b8
    LARGE_INTEGER                   OtherTransferCount;             // +0x1c0
    ULONG                           CommitChargeLimit;              // +0x1c8
    ULONG                           CommitChargePeak;               // +0x1cc
    PVOID                           AweInfo;                        // +0x1d0
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;     // +0x1d4
    MMSUPPORT                       Vm;                             // +0x1d8
    LIST_ENTRY                      MmProcessLinks;                 // +0x238
    ULONG                           ModifiedPageCount;              // +0x240
    ULONG                           JobStatus;                      // +0x244
    /* One 32-bit word viewed whole (Flags) or as bit-fields; widths sum to 32. */
    union {
        ULONG                       Flags;                          // 0x248
        struct {
            ULONG CreateReported            : 1;
            ULONG NoDebugInherit            : 1;
            ULONG ProcessExiting            : 1;
            ULONG ProcessDelete             : 1;
            ULONG Wow64SplitPages           : 1;
            ULONG VmDeleted                 : 1;
            ULONG OutswapEnabled            : 1;
            ULONG Outswapped                : 1;
            ULONG ForkFailed                : 1;
            ULONG Wow64VaSpace4Gb           : 1;
            ULONG AddressSpaceInitialized   : 2;
            ULONG SetTimerResolution        : 1;
            ULONG BreakOnTermination        : 1;
            ULONG SessionCreationUnderway   : 1;
            ULONG WriteWatch                : 1;
            ULONG ProcessInSession          : 1;
            ULONG OverrideAddressSpace      : 1;
            ULONG HasAddressSpace           : 1;
            ULONG LaunchPrefetched          : 1;
            ULONG InjectInpageErrors        : 1;
            ULONG VmTopDown                 : 1;
            ULONG ImageNotifyDone           : 1;
            ULONG PdeUpdateNeeded           : 1;
            ULONG VdmAllowed                : 1;
            ULONG Unused                    : 7;
        };
    };
    NTSTATUS                        ExitStatus;                     // +0x24c
    USHORT                          NextPageColor;                  // +0x250
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;          // +0x252
            UCHAR                   SubSystemMajorVersion;          // +0x253
        };
        USHORT                      SubSystemVersion;               // +0x252
    };
    UCHAR                           PriorityClass;                  // +0x254
    MM_AVL_TABLE                    VadRoot;                        // +0x258
} EPROCESS, *PEPROCESS; // 0x278 in total
|
|
|
|
#elif (VER_PRODUCTBUILD >= 2600)
|
|
|
|
/*
 * Executive process object, variant for VER_PRODUCTBUILD >= 2600 and below
 * 3790 (the #elif branch). No offsets are annotated for this variant.
 *
 * The layout mirrors an undocumented kernel structure and differs from the
 * other two EPROCESS variants in this header, so offsets must not be
 * carried over between builds. Where an exported accessor exists (for
 * example PsGetProcessId or PsReferencePrimaryToken) it is the safer way
 * to obtain the value.
 */
typedef struct _EPROCESS {
    KPROCESS                        Pcb;
    EX_PUSH_LOCK                    ProcessLock;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    EX_RUNDOWN_REF                  RundownProtect;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONG                           QuotaUsage[3];
    ULONG                           QuotaPeak[3];
    ULONG                           CommitCharge;
    ULONG                           PeakVirtualSize;
    ULONG                           VirtualSize;
    LIST_ENTRY                      SessionProcessLinks;
    PVOID                           DebugPort;
    PVOID                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    /* EX_FAST_REF: RefCnt bits overlay the pointer; not directly dereferenceable. */
    EX_FAST_REF                     Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD                        ForkInProgress;
    ULONG                           HardwareTrigger;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    PVOID                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    PVOID                           Win32Process;
    PEJOB                           Job;
    PSECTION_OBJECT                 SectionObject;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    PPAGEFAULT_HISTORY              WorkingSetWatch;
    PVOID                           Win32WindowStation;
    PVOID                           InheritedFromUniqueProcessId;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    PDEVICE_MAP                     DeviceMap;
    LIST_ENTRY                      PhysicalVadList;
    union {
        HARDWARE_PTE                PageDirectoryPte;
        ULONGLONG                   Filler;
    };
    PVOID                           Session;
    /*
     * Fixed 16-byte name buffer. NOTE(review): presumably truncated and not
     * guaranteed NUL-terminated; bound any copy to 16 bytes and do not use
     * it as a process identity for security decisions.
     */
    UCHAR                           ImageFileName[16];
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    LIST_ENTRY                      ThreadListHead;
    PVOID                           SecurityPort;
    PVOID                           PaeTop;
    ULONG                           ActiveThreads;
    ULONG                           GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    NTSTATUS                        LastThreadExitStatus;
    PPEB                            Peb;
    EX_FAST_REF                     PrefetchTrace;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    PVOID                           AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;
    MMSUPPORT                       Vm;
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    ULONG                           NumberOfVads;
    ULONG                           JobStatus;
    /* One 32-bit word viewed whole (Flags) or as bit-fields; widths sum to 32. */
    union {
        ULONG                       Flags;
        struct {
            ULONG CreateReported            : 1;
            ULONG NoDebugInherit            : 1;
            ULONG ProcessExiting            : 1;
            ULONG ProcessDelete             : 1;
            ULONG Wow64SplitPages           : 1;
            ULONG VmDeleted                 : 1;
            ULONG OutswapEnabled            : 1;
            ULONG Outswapped                : 1;
            ULONG ForkFailed                : 1;
            ULONG HasPhysicalVad            : 1;
            ULONG AddressSpaceInitialized   : 2;
            ULONG SetTimerResolution        : 1;
            ULONG BreakOnTermination        : 1;
            ULONG SessionCreationUnderway   : 1;
            ULONG WriteWatch                : 1;
            ULONG ProcessInSession          : 1;
            ULONG OverrideAddressSpace      : 1;
            ULONG HasAddressSpace           : 1;
            ULONG LaunchPrefetched          : 1;
            ULONG InjectInpageErrors        : 1;
            ULONG Unused                    : 11;
        };
    };
    NTSTATUS                        ExitStatus;
    USHORT                          NextPageColor;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    UCHAR                           PriorityClass;
    BOOLEAN                         WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;
|
|
|
|
#else
|
|
|
|
/*
 * Executive process object, variant for builds below 2600 (the #else
 * branch). Several inner conditionals on VER_PRODUCTBUILD 2195 add, remove
 * or replace members, so even within this variant the offsets of later
 * fields depend on the build. In this variant Token is a plain
 * PACCESS_TOKEN rather than an EX_FAST_REF.
 *
 * The layout mirrors an undocumented kernel structure; where an exported
 * accessor exists it is the safer way to obtain a value than reading the
 * field by offset.
 */
typedef struct _EPROCESS {
    KPROCESS                        Pcb;
    NTSTATUS                        ExitStatus;
    KEVENT                          LockEvent;
    ULONG                           LockCount;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    PKTHREAD                        LockOwner;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONGLONG                       QuotaPeakPoolUsage;
    ULONGLONG                       QuotaPoolUsage;
    ULONG                           PagefileUsage;
    ULONG                           CommitCharge;
    ULONG                           PeakPagefileUsage;
    ULONG                           PeakVirtualSize;
    ULONGLONG                       VirtualSize;
    MMSUPPORT                       Vm;
#if (VER_PRODUCTBUILD < 2195)
    ULONG                           LastProtoPteFault;
#else // (VER_PRODUCTBUILD >= 2195)
    LIST_ENTRY                      SessionProcessLinks;
#endif // (VER_PRODUCTBUILD >= 2195)
    ULONG                           DebugPort;
    ULONG                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    PACCESS_TOKEN                   Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    BOOLEAN                         ProcessOutswapEnabled;
    BOOLEAN                         ProcessOutswapped;
    BOOLEAN                         AddressSpaceInitialized;
    BOOLEAN                         AddressSpaceDeleted;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD                        ForkInProgress;
    USHORT                          VmOperation;
    BOOLEAN                         ForkWasSuccessful;
    UCHAR                           MmAgressiveWsTrimMask;
    PKEVENT                         VmOperationEvent;
#if (VER_PRODUCTBUILD < 2195)
    HARDWARE_PTE                    PageDirectoryPte;
#else // (VER_PRODUCTBUILD >= 2195)
    PVOID                           PaeTop;
#endif // (VER_PRODUCTBUILD >= 2195)
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    ULONG                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    USHORT                          NextPageColor;
    BOOLEAN                         ExitProcessCalled;
    BOOLEAN                         CreateProcessReported;
    HANDLE                          SectionHandle;
    PPEB                            Peb;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    NTSTATUS                        LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION   WorkingSetWatch;
    HANDLE                          Win32WindowStation;
    HANDLE                          InheritedFromUniqueProcessId;
    ACCESS_MASK                     GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
#if (VER_PRODUCTBUILD < 2195)
    KMUTANT                         ProcessMutant;
#else // (VER_PRODUCTBUILD >= 2195)
    PDEVICE_MAP                     DeviceMap;
    ULONG                           SessionId;
    LIST_ENTRY                      PhysicalVadList;
    HARDWARE_PTE                    PageDirectoryPte;
    ULONG                           Filler;
    ULONG                           PaePageDirectoryPage;
#endif // (VER_PRODUCTBUILD >= 2195)
    /*
     * Fixed 16-byte name buffer. NOTE(review): presumably truncated and not
     * guaranteed NUL-terminated; bound any copy to 16 bytes and do not use
     * it as a process identity for security decisions.
     */
    UCHAR                           ImageFileName[16];
    ULONG                           VmTrimFaultValue;
    UCHAR                           SetTimerResolution;
    UCHAR                           PriorityClass;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    PVOID                           Win32Process;
#if (VER_PRODUCTBUILD >= 2195)
    PEJOB                           Job;
    ULONG                           JobStatus;
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    PVOID                           SecurityPort;
    PWOW64_PROCESS                  Wow64Process;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    LIST_ENTRY                      ThreadListHead;
    PRTL_BITMAP                     VadPhysicalPagesBitMap;
    ULONG                           VadPhysicalPages;
    ULONG                           AweLock;
#endif // (VER_PRODUCTBUILD >= 2195)
} EPROCESS, *PEPROCESS;
|
|
|
|
#endif
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
/*
 * Executive thread object, variant for VER_PRODUCTBUILD >= 2600. It embeds
 * KTHREAD as its first member (Tcb), so every offset after Tcb depends on
 * which KTHREAD variant was compiled.
 *
 * Many members are anonymous unions whose alternatives share storage
 * (e.g. ExitTime / LpcReplyChain / KeyedWaitChain); which alternative is
 * valid at a given moment is not expressed in this header.
 * The three flag words are each a ULONG overlaid with single-bit fields.
 */
typedef struct _ETHREAD {
    KTHREAD                         Tcb;
    union {
        LARGE_INTEGER               CreateTime;
        struct {
            ULONG                   NestedFaultCount : 2;
            ULONG                   ApcNeeded        : 1;
        };
    };
    union {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
        LIST_ENTRY                  KeyedWaitChain;
    };
    union {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    union {
        PTERMINATION_PORT           TerminationPort;
        PETHREAD                    ReaperLink;
        PVOID                       KeyedWaitValue;
    };
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    union {
        KSEMAPHORE                  LpcReplySemaphore;
        KSEMAPHORE                  KeyedWaitSemaphore;
    };
    union {
        PLPC_MESSAGE                LpcReplyMessage;
        PVOID                       LpcWaitingOnPort;
    };
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    ULONG                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    PEPROCESS                       ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    LIST_ENTRY                      ThreadListEntry;
    EX_RUNDOWN_REF                  RundownProtect;
    EX_PUSH_LOCK                    ThreadLock;
    ULONG                           LpcReplyMessageId;
    ULONG                           ReadClusterSize;
    ACCESS_MASK                     GrantedAccess;
    union {
        ULONG                       CrossThreadFlags;
        struct {
            ULONG Terminated                : 1;
            ULONG DeadThread                : 1;
            ULONG HideFromDebugger          : 1;
            ULONG ActiveImpersonationInfo   : 1;
            ULONG SystemThread              : 1;
            ULONG HardErrorsAreDisabled     : 1;
            ULONG BreakOnTermination        : 1;
            ULONG SkipCreationMsg           : 1;
            ULONG SkipTerminationMsg        : 1;
        };
    };
    union {
        ULONG                       SameThreadPassiveFlags;
        struct {
            ULONG ActiveExWorker        : 1;
            ULONG ExWorkerCanWaitUser   : 1;
            ULONG MemoryMaker           : 1;
            ULONG KeyedEventInUse       : 1;
        };
    };
    /*
     * NOTE(review): these bit-fields use BOOLEAN as the base type while the
     * overlaying word is a ULONG; bit-field layout for non-int base types
     * is compiler-specific, so confirm against the target compiler.
     */
    union {
        ULONG                       SameThreadApcFlags;
        struct {
            BOOLEAN LpcReceivedMsgIdValid   : 1;
            BOOLEAN LpcExitThreadCalled     : 1;
            BOOLEAN AddressSpaceOwner       : 1;
        };
    };
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
} ETHREAD, *PETHREAD;
|
|
|
|
#else
|
|
|
|
/*
 * Executive thread object, variant for builds below 2600 (the #else
 * branch). It embeds KTHREAD as its first member (Tcb). Inner conditionals
 * on VER_PRODUCTBUILD 2195 add HideFromDebugger and ThreadListEntry, widen
 * HasTerminated from BOOLEAN to ULONG, and drop EventPair, so member
 * offsets differ on either side of that build number.
 */
typedef struct _ETHREAD {
    KTHREAD                         Tcb;
    LARGE_INTEGER                   CreateTime;
    union {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
    };
    union {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    LIST_ENTRY                      TerminationPortList;
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    KSEMAPHORE                      LpcReplySemaphore;
    PLPC_MESSAGE                    LpcReplyMessage;
    ULONG                           LpcReplyMessageId;
    ULONG                           PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    PVOID                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    ULONG                           ReadClusterSize;
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
    BOOLEAN                         DeadThread;
#if (VER_PRODUCTBUILD >= 2195)
    BOOLEAN                         HideFromDebugger;
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD < 2195)
    BOOLEAN                         HasTerminated;
#else // (VER_PRODUCTBUILD >= 2195)
    ULONG                           HasTerminated;
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD < 2195)
    PKEVENT_PAIR                    EventPair;
#endif // (VER_PRODUCTBUILD < 2195)
    ACCESS_MASK                     GrantedAccess;
    PEPROCESS                       ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    BOOLEAN                         LpcExitThreadCalled;
    BOOLEAN                         HardErrorsAreDisabled;
    BOOLEAN                         LpcReceivedMsgIdValid;
    BOOLEAN                         ActiveImpersonationInfo;
    ULONG                           PerformanceCountHigh;
#if (VER_PRODUCTBUILD >= 2195)
    LIST_ENTRY                      ThreadListEntry;
#endif // (VER_PRODUCTBUILD >= 2195)
} ETHREAD, *PETHREAD;
|
|
|
|
#endif
|
|
|
|
/* One quota counter set: current usage, limit, peak and a Return value. */
typedef struct _EPROCESS_QUOTA_ENTRY {
    ULONG Usage;
    ULONG Limit;
    ULONG Peak;
    ULONG Return;
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;
|
|
|
|
/*
 * Quota block referenced from EPROCESS.QuotaBlock: three quota entries, a
 * list link, and reference and process counts.
 */
typedef struct _EPROCESS_QUOTA_BLOCK {
    EPROCESS_QUOTA_ENTRY    QuotaEntry[3];
    LIST_ENTRY              QuotaList;
    ULONG                   ReferenceCount;
    ULONG                   ProcessCount;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;
|
|
|
|
/*
 * Node of a singly linked chain of exception registrations: Next points to
 * another record and Handler is stored as an untyped pointer.
 */
typedef struct _EXCEPTION_REGISTRATION_RECORD {
    struct _EXCEPTION_REGISTRATION_RECORD   *Next;
    PVOID                                   Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
|
|
|
|
/*
 * To access these parameters, cast your PIO_STACK_LOCATION to
 * PEXTENDED_IO_STACK_LOCATION.
 */
|
|
#if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
|
|
#include <pshpack4.h>
|
|
#endif
|
|
/*
 * Overlay for an I/O stack location that exposes parameter blocks for
 * additional request types. The four leading bytes exist only so that the
 * Parameters union lands at the same offset as in IO_STACK_LOCATION; on
 * targets other than Alpha, AMD64 and IA64 the surrounding includes of
 * pshpack4.h / poppack.h set the packing for this definition.
 *
 * NOTE(review): several members are pointers or lengths supplied with the
 * request (Type3InputBuffer, EaList, StartSid, SidList and the *Length
 * fields). When the request originates in user mode they are presumably
 * unvalidated caller values: probe and capture them inside
 * __try/__except (ProbeForRead / ProbeForWrite) and bounds-check every
 * length before use. Confirm per request type against the WDK.
 */
typedef struct _EXTENDED_IO_STACK_LOCATION {

    /* Included for padding */
    UCHAR MajorFunction;
    UCHAR MinorFunction;
    UCHAR Flags;
    UCHAR Control;

    union {

        struct {
            PIO_SECURITY_CONTEXT            SecurityContext;
            ULONG                           Options;
            USHORT                          Reserved;
            USHORT                          ShareAccess;
            PMAILSLOT_CREATE_PARAMETERS     Parameters;
        } CreateMailslot;

        struct {
            PIO_SECURITY_CONTEXT            SecurityContext;
            ULONG                           Options;
            USHORT                          Reserved;
            USHORT                          ShareAccess;
            PNAMED_PIPE_CREATE_PARAMETERS   Parameters;
        } CreatePipe;

        struct {
            ULONG                           OutputBufferLength;
            ULONG                           InputBufferLength;
            ULONG                           FsControlCode;
            PVOID                           Type3InputBuffer;
        } FileSystemControl;

        struct {
            PLARGE_INTEGER                  Length;
            ULONG                           Key;
            LARGE_INTEGER                   ByteOffset;
        } LockControl;

        struct {
            ULONG                           Length;
            ULONG                           CompletionFilter;
        } NotifyDirectory;

        struct {
            ULONG                           Length;
            PUNICODE_STRING                 FileName;
            FILE_INFORMATION_CLASS          FileInformationClass;
            ULONG                           FileIndex;
        } QueryDirectory;

        struct {
            ULONG                           Length;
            PVOID                           EaList;
            ULONG                           EaListLength;
            ULONG                           EaIndex;
        } QueryEa;

        struct {
            ULONG                           Length;
            PSID                            StartSid;
            PFILE_GET_QUOTA_INFORMATION     SidList;
            ULONG                           SidListLength;
        } QueryQuota;

        struct {
            ULONG                           Length;
        } SetEa;

        struct {
            ULONG                           Length;
        } SetQuota;

        struct {
            ULONG                           Length;
            FS_INFORMATION_CLASS            FsInformationClass;
        } SetVolume;

    } Parameters;

} EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION;
|
|
#if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
|
|
#include <poppack.h>
|
|
#endif
|
|
|
|
/* File information record carrying a single ACCESS_MASK. */
typedef struct _FILE_ACCESS_INFORMATION {
    ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
|
|
|
|
/* File information record carrying a single 64-bit allocation size. */
typedef struct _FILE_ALLOCATION_INFORMATION {
    LARGE_INTEGER AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
|
|
|
|
/*
 * Directory entry carrying timestamps, sizes, attributes, a fixed 12-WCHAR
 * short name and a variable-length file name (FileName is declared with
 * one element; the real length is in FileNameLength).
 *
 * NOTE(review): the WDK documents FileNameLength and ShortNameLength as
 * byte counts and the names as not NUL-terminated - confirm. Code walking
 * a buffer of these entries should verify that NextEntryOffset,
 * FileNameLength and ShortNameLength (<= sizeof ShortName) stay inside the
 * buffer before reading either name.
 */
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    ULONG           EaSize;
    CCHAR           ShortNameLength;
    WCHAR           ShortName[12];
    WCHAR           FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
|
|
|
|
/* Pairs a port handle with a 32-bit key. */
typedef struct _FILE_COMPLETION_INFORMATION {
    HANDLE  Port;
    ULONG   Key;
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
|
|
|
|
/*
 * Compression description for a file: compressed size, format, three shift
 * values and three reserved bytes.
 */
typedef struct _FILE_COMPRESSION_INFORMATION {
    LARGE_INTEGER   CompressedFileSize;
    USHORT          CompressionFormat;
    UCHAR           CompressionUnitShift;
    UCHAR           ChunkShift;
    UCHAR           ClusterShift;
    UCHAR           Reserved[3];
} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
|
|
|
|
/*
 * Request record with a replace flag, a root directory handle and a
 * variable-length file name (FileName is declared with one element; the
 * real length is in FileNameLength).
 * NOTE(review): FileNameLength is presumably a byte count and the name not
 * NUL-terminated; check it against the supplied buffer length before
 * reading FileName.
 */
typedef struct _FILE_COPY_ON_WRITE_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE  RootDirectory;
    ULONG   FileNameLength;
    WCHAR   FileName[1];
} FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION;
|
|
|
|
/*
 * Directory entry carrying timestamps, sizes, attributes and a
 * variable-length file name (FileName is declared with one element; the
 * real length is in FileNameLength).
 *
 * NOTE(review): the WDK documents FileNameLength as a byte count and the
 * name as not NUL-terminated - confirm. Code walking a buffer of these
 * entries should verify that NextEntryOffset and FileNameLength stay
 * inside the buffer before reading FileName.
 */
typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    WCHAR           FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
|
|
|
|
/* File information record carrying a single 32-bit EA size. */
typedef struct _FILE_EA_INFORMATION {
    ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
|
|
|
|
/*
 * File-system attribute record with a variable-length file-system name
 * (FileSystemName is declared with one element; the real length is in
 * FileSystemNameLength).
 * NOTE(review): the length is presumably a byte count and the name not
 * NUL-terminated; bound reads by both the length field and the buffer size.
 */
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
    ULONG   FileSystemAttributes;
    ULONG   MaximumComponentNameLength;
    ULONG   FileSystemNameLength;
    WCHAR   FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
|
|
|
|
/*
 * Volume control record: three free-space values, default quota threshold
 * and limit, and a flags word.
 */
typedef struct _FILE_FS_CONTROL_INFORMATION {
    LARGE_INTEGER   FreeSpaceStartFiltering;
    LARGE_INTEGER   FreeSpaceThreshold;
    LARGE_INTEGER   FreeSpaceStopFiltering;
    LARGE_INTEGER   DefaultQuotaThreshold;
    LARGE_INTEGER   DefaultQuotaLimit;
    ULONG           FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
|
|
|
|
/*
 * Volume size record: total, caller-available and actually available
 * allocation units, plus sectors per unit and bytes per sector.
 * Multiplying these values to obtain a byte count needs 64-bit arithmetic
 * and an overflow check when the values come from an untrusted volume.
 */
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
    LARGE_INTEGER   TotalAllocationUnits;
    LARGE_INTEGER   CallerAvailableAllocationUnits;
    LARGE_INTEGER   ActualAvailableAllocationUnits;
    ULONG           SectorsPerAllocationUnit;
    ULONG           BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
|
|
|
|
/*
 * Volume label record with a variable-length label (VolumeLabel is
 * declared with one element; the real length is in VolumeLabelLength).
 * NOTE(review): the length is presumably a byte count and the label not
 * NUL-terminated; check it against the supplied buffer length.
 */
typedef struct _FILE_FS_LABEL_INFORMATION {
    ULONG   VolumeLabelLength;
    WCHAR   VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
|
|
UCHAR ObjectId[16];
|
|
UCHAR ExtendedInfo[48];
|
|
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
typedef struct _FILE_FS_SIZE_INFORMATION {
|
|
LARGE_INTEGER TotalAllocationUnits;
|
|
LARGE_INTEGER AvailableAllocationUnits;
|
|
ULONG SectorsPerAllocationUnit;
|
|
ULONG BytesPerSector;
|
|
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
|
|
|
|
typedef struct _FILE_FS_VOLUME_INFORMATION {
|
|
LARGE_INTEGER VolumeCreationTime;
|
|
ULONG VolumeSerialNumber;
|
|
ULONG VolumeLabelLength;
|
|
BOOLEAN SupportsObjects;
|
|
WCHAR VolumeLabel[1];
|
|
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
|
|
|
|
typedef struct _FILE_FULL_DIR_INFORMATION {
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
WCHAR FileName[1];
|
|
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
|
|
|
|
// One entry in a list of extended-attribute names to query. Variable-length:
// EaName extends past the declared one-element array.
typedef struct _FILE_GET_EA_INFORMATION {
|
|
// Byte offset to the next entry in the list (documented as 0 for the last).
// Bounds-check against the list buffer before following it.
ULONG NextEntryOffset;
|
|
// Length of EaName in bytes; as a UCHAR it cannot exceed 255.
UCHAR EaNameLength;
|
|
// NOTE(review): the documented format expects a terminating NUL that is not
// counted in EaNameLength - confirm the terminator lies inside the buffer
// rather than assuming it.
CHAR EaName[1];
|
|
} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;
|
|
|
|
// One entry in a list of SIDs whose quota records are being requested.
// The record ends with an embedded SID, which is itself variable-length, so
// the real record size is larger than sizeof() reports.
typedef struct _FILE_GET_QUOTA_INFORMATION {
|
|
// Byte offset to the next entry (documented as 0 for the last). Bounds-check
// against the list buffer before following it.
ULONG NextEntryOffset;
|
|
// Length of Sid in bytes. Validate against the space left in the buffer, and
// check that it agrees with the SID's own sub-authority count
// (RtlValidSid / RtlLengthSid) before the SID is used.
ULONG SidLength;
|
|
SID Sid;
|
|
} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;
|
|
|
|
// Directory-enumeration record carrying both the long and the short (8.3)
// name plus the file ID. Fixed header followed by a variable-length FileName;
// records are chained through NextEntryOffset.
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
|
|
// Byte offset to the next record (documented as 0 for the last). Check that
// it stays inside the buffer before following it.
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
// Length of FileName in bytes, not characters; validate against the space
// left in the buffer.
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
// Length of ShortName in bytes. The type is a signed CCHAR, so reject
// negative values and anything above sizeof(ShortName) before copying.
CCHAR ShortNameLength;
|
|
// Fixed 12-WCHAR field; not guaranteed to be NUL-terminated.
WCHAR ShortName[12];
|
|
LARGE_INTEGER FileId;
|
|
// Declared with one element; the name continues past the end of the struct
// and is not guaranteed to be NUL-terminated.
WCHAR FileName[1];
|
|
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_ID_FULL_DIR_INFORMATION {
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
ULONG EaSize;
|
|
LARGE_INTEGER FileId;
|
|
WCHAR FileName[1];
|
|
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_INTERNAL_INFORMATION {
|
|
LARGE_INTEGER IndexNumber;
|
|
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
|
|
|
|
// Input buffer for creating a hard link through a set-information request.
// Every field is supplied by the requester, so a file system or filter that
// receives it should validate the handle and the name rather than trust them.
typedef struct _FILE_LINK_INFORMATION {
|
|
// When TRUE, an existing entry with the target name may be replaced.
BOOLEAN ReplaceIfExists;
|
|
// Optional directory handle that FileName is relative to.
// NOTE(review): this is a caller-supplied handle - confirm it is referenced
// with the requester's access mode before use.
HANDLE RootDirectory;
|
|
// Length of FileName in bytes, not characters. Check it against the input
// buffer length that came with the request.
ULONG FileNameLength;
|
|
// Declared with one element; the name continues past the end of the struct
// and is not guaranteed to be NUL-terminated.
WCHAR FileName[1];
|
|
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
|
|
|
|
typedef struct _FILE_LOCK_INFO {
|
|
LARGE_INTEGER StartingByte;
|
|
LARGE_INTEGER Length;
|
|
BOOLEAN ExclusiveLock;
|
|
ULONG Key;
|
|
PFILE_OBJECT FileObject;
|
|
PEPROCESS Process;
|
|
LARGE_INTEGER EndingByte;
|
|
} FILE_LOCK_INFO, *PFILE_LOCK_INFO;
|
|
|
|
// raw internal file lock struct returned from FsRtlGetNextFileLock
|
|
typedef struct _FILE_SHARED_LOCK_ENTRY {
|
|
PVOID Unknown1;
|
|
PVOID Unknown2;
|
|
FILE_LOCK_INFO FileLock;
|
|
} FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY;
|
|
|
|
// raw internal file lock struct returned from FsRtlGetNextFileLock
|
|
typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY {
|
|
LIST_ENTRY ListEntry;
|
|
PVOID Unknown1;
|
|
PVOID Unknown2;
|
|
FILE_LOCK_INFO FileLock;
|
|
} FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY;
|
|
|
|
typedef NTSTATUS (*PCOMPLETE_LOCK_IRP_ROUTINE) (
|
|
IN PVOID Context,
|
|
IN PIRP Irp
|
|
);
|
|
|
|
typedef VOID (*PUNLOCK_ROUTINE) (
|
|
IN PVOID Context,
|
|
IN PFILE_LOCK_INFO FileLockInfo
|
|
);
|
|
|
|
typedef struct _FILE_LOCK {
|
|
PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine;
|
|
PUNLOCK_ROUTINE UnlockRoutine;
|
|
BOOLEAN FastIoIsQuestionable;
|
|
BOOLEAN Pad[3];
|
|
PVOID LockInformation;
|
|
FILE_LOCK_INFO LastReturnedLockInfo;
|
|
PVOID LastReturnedLock;
|
|
} FILE_LOCK, *PFILE_LOCK;
|
|
|
|
typedef struct _FILE_MAILSLOT_PEEK_BUFFER {
|
|
ULONG ReadDataAvailable;
|
|
ULONG NumberOfMessages;
|
|
ULONG MessageLength;
|
|
} FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER;
|
|
|
|
typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
|
|
ULONG MaximumMessageSize;
|
|
ULONG MailslotQuota;
|
|
ULONG NextMessageSize;
|
|
ULONG MessagesAvailable;
|
|
LARGE_INTEGER ReadTimeout;
|
|
} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
|
|
|
|
typedef struct _FILE_MAILSLOT_SET_INFORMATION {
|
|
PLARGE_INTEGER ReadTimeout;
|
|
} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
|
|
|
|
typedef struct _FILE_MODE_INFORMATION {
|
|
ULONG Mode;
|
|
} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
|
|
|
|
// This structure is included in the Windows 2000 DDK but is missing in the
|
|
// Windows NT 4.0 DDK
|
|
#if (VER_PRODUCTBUILD < 2195)
|
|
// Counted file name: a byte length followed by the characters. The struct is
// variable-length, so sizeof() covers only the header and the first character.
typedef struct _FILE_NAME_INFORMATION {
|
|
// Length of FileName in bytes, not characters. Validate against the size of
// the buffer that holds this struct before reading the name.
ULONG FileNameLength;
|
|
// Not guaranteed to be NUL-terminated; always bound reads by FileNameLength.
WCHAR FileName[1];
|
|
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
|
|
#endif // (VER_PRODUCTBUILD < 2195)
|
|
|
|
typedef struct _FILE_ALL_INFORMATION {
|
|
FILE_BASIC_INFORMATION BasicInformation;
|
|
FILE_STANDARD_INFORMATION StandardInformation;
|
|
FILE_INTERNAL_INFORMATION InternalInformation;
|
|
FILE_EA_INFORMATION EaInformation;
|
|
FILE_ACCESS_INFORMATION AccessInformation;
|
|
FILE_POSITION_INFORMATION PositionInformation;
|
|
FILE_MODE_INFORMATION ModeInformation;
|
|
FILE_ALIGNMENT_INFORMATION AlignmentInformation;
|
|
FILE_NAME_INFORMATION NameInformation;
|
|
} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
|
|
|
|
typedef struct _FILE_NAMES_INFORMATION {
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
ULONG FileNameLength;
|
|
WCHAR FileName[1];
|
|
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
|
|
|
|
// One change record in a directory-change notification buffer. Records are
// variable-length and chained through NextEntryOffset.
typedef struct _FILE_NOTIFY_INFORMATION {
|
|
// Byte offset to the next record (documented as 0 for the last). Check that
// it stays inside the buffer before following it.
ULONG NextEntryOffset;
|
|
// Kind of change reported for FileName.
ULONG Action;
|
|
// Length of FileName in bytes, not characters; validate against the space
// left in the buffer.
ULONG FileNameLength;
|
|
// Declared with one element; the name continues past the end of the struct
// and is not NUL-terminated.
WCHAR FileName[1];
|
|
} FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION;
|
|
|
|
typedef struct _FILE_OBJECTID_INFORMATION {
|
|
LONGLONG FileReference;
|
|
UCHAR ObjectId[16];
|
|
union {
|
|
struct {
|
|
UCHAR BirthVolumeId[16];
|
|
UCHAR BirthObjectId[16];
|
|
UCHAR DomainId[16];
|
|
} ;
|
|
UCHAR ExtendedInfo[48];
|
|
};
|
|
} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;
|
|
|
|
typedef struct _FILE_OLE_CLASSID_INFORMATION {
|
|
GUID ClassId;
|
|
} FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION;
|
|
|
|
typedef struct _FILE_OLE_ALL_INFORMATION {
|
|
FILE_BASIC_INFORMATION BasicInformation;
|
|
FILE_STANDARD_INFORMATION StandardInformation;
|
|
FILE_INTERNAL_INFORMATION InternalInformation;
|
|
FILE_EA_INFORMATION EaInformation;
|
|
FILE_ACCESS_INFORMATION AccessInformation;
|
|
FILE_POSITION_INFORMATION PositionInformation;
|
|
FILE_MODE_INFORMATION ModeInformation;
|
|
FILE_ALIGNMENT_INFORMATION AlignmentInformation;
|
|
USN LastChangeUsn;
|
|
USN ReplicationUsn;
|
|
LARGE_INTEGER SecurityChangeTime;
|
|
FILE_OLE_CLASSID_INFORMATION OleClassIdInformation;
|
|
FILE_OBJECTID_INFORMATION ObjectIdInformation;
|
|
FILE_STORAGE_TYPE StorageType;
|
|
ULONG OleStateBits;
|
|
ULONG OleId;
|
|
ULONG NumberOfStreamReferences;
|
|
ULONG StreamIndex;
|
|
ULONG SecurityId;
|
|
BOOLEAN ContentIndexDisable;
|
|
BOOLEAN InheritContentIndexDisable;
|
|
FILE_NAME_INFORMATION NameInformation;
|
|
} FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION;
|
|
|
|
typedef struct _FILE_OLE_DIR_INFORMATION {
|
|
ULONG NextEntryOffset;
|
|
ULONG FileIndex;
|
|
LARGE_INTEGER CreationTime;
|
|
LARGE_INTEGER LastAccessTime;
|
|
LARGE_INTEGER LastWriteTime;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER EndOfFile;
|
|
LARGE_INTEGER AllocationSize;
|
|
ULONG FileAttributes;
|
|
ULONG FileNameLength;
|
|
FILE_STORAGE_TYPE StorageType;
|
|
GUID OleClassId;
|
|
ULONG OleStateBits;
|
|
BOOLEAN ContentIndexDisable;
|
|
BOOLEAN InheritContentIndexDisable;
|
|
WCHAR FileName[1];
|
|
} FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;
|
|
|
|
typedef struct _FILE_OLE_INFORMATION {
|
|
LARGE_INTEGER SecurityChangeTime;
|
|
FILE_OLE_CLASSID_INFORMATION OleClassIdInformation;
|
|
FILE_OBJECTID_INFORMATION ObjectIdInformation;
|
|
FILE_STORAGE_TYPE StorageType;
|
|
ULONG OleStateBits;
|
|
BOOLEAN ContentIndexDisable;
|
|
BOOLEAN InheritContentIndexDisable;
|
|
} FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION;
|
|
|
|
typedef struct _FILE_OLE_STATE_BITS_INFORMATION {
|
|
ULONG StateBits;
|
|
ULONG StateBitsMask;
|
|
} FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION;
|
|
|
|
typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER {
|
|
HANDLE EventHandle;
|
|
ULONG KeyValue;
|
|
} FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER;
|
|
|
|
typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER {
|
|
PVOID ClientSession;
|
|
PVOID ClientProcess;
|
|
} FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER;
|
|
|
|
typedef struct _FILE_PIPE_EVENT_BUFFER {
|
|
ULONG NamedPipeState;
|
|
ULONG EntryType;
|
|
ULONG ByteCount;
|
|
ULONG KeyValue;
|
|
ULONG NumberRequests;
|
|
} FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER;
|
|
|
|
typedef struct _FILE_PIPE_INFORMATION {
|
|
ULONG ReadMode;
|
|
ULONG CompletionMode;
|
|
} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
|
|
|
|
typedef struct _FILE_PIPE_LOCAL_INFORMATION {
|
|
ULONG NamedPipeType;
|
|
ULONG NamedPipeConfiguration;
|
|
ULONG MaximumInstances;
|
|
ULONG CurrentInstances;
|
|
ULONG InboundQuota;
|
|
ULONG ReadDataAvailable;
|
|
ULONG OutboundQuota;
|
|
ULONG WriteQuotaAvailable;
|
|
ULONG NamedPipeState;
|
|
ULONG NamedPipeEnd;
|
|
} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
|
|
|
|
// Output buffer of a named-pipe peek: status counters followed by a
// variable-length copy of pipe data.
// NOTE(review): field meanings below are taken from the names; confirm
// against the pipe file system that fills the buffer.
typedef struct _FILE_PIPE_PEEK_BUFFER {
|
|
ULONG NamedPipeState;
|
|
// Presumably the number of bytes waiting in the pipe, which can be larger
// than the number of bytes actually copied into Data - do not use it as the
// length of Data without checking the returned byte count.
ULONG ReadDataAvailable;
|
|
ULONG NumberOfMessages;
|
|
ULONG MessageLength;
|
|
// Declared with one element; the data continues past the end of the struct.
// Raw bytes written by the peer, not a string.
CHAR Data[1];
|
|
} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER;
|
|
|
|
typedef struct _FILE_PIPE_REMOTE_INFORMATION {
|
|
LARGE_INTEGER CollectDataTime;
|
|
ULONG MaximumCollectionCount;
|
|
} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
|
|
|
|
typedef struct _FILE_PIPE_WAIT_FOR_BUFFER {
|
|
LARGE_INTEGER Timeout;
|
|
ULONG NameLength;
|
|
BOOLEAN TimeoutSpecified;
|
|
WCHAR Name[1];
|
|
} FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER;
|
|
|
|
// Per-user quota record. Records are chained through NextEntryOffset and end
// with an embedded SID, which is itself variable-length, so the real record
// size is larger than sizeof() reports.
typedef struct _FILE_QUOTA_INFORMATION {
|
|
// Byte offset to the next record (documented as 0 for the last). Check that
// it stays inside the buffer before following it.
ULONG NextEntryOffset;
|
|
// Length of Sid in bytes. Validate against the space left in the buffer, and
// check that it agrees with the SID's own sub-authority count
// (RtlValidSid / RtlLengthSid) before the SID is used.
ULONG SidLength;
|
|
LARGE_INTEGER ChangeTime;
|
|
LARGE_INTEGER QuotaUsed;
|
|
LARGE_INTEGER QuotaThreshold;
|
|
LARGE_INTEGER QuotaLimit;
|
|
SID Sid;
|
|
} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;
|
|
|
|
// Input buffer for renaming a file through a set-information request.
// Every field is supplied by the requester, so a file system or filter that
// receives it should validate the handle and the name rather than trust them.
typedef struct _FILE_RENAME_INFORMATION {
|
|
// When TRUE, an existing file with the target name may be replaced.
BOOLEAN ReplaceIfExists;
|
|
// Optional directory handle that FileName is relative to.
// NOTE(review): this is a caller-supplied handle - confirm it is referenced
// with the requester's access mode before use.
HANDLE RootDirectory;
|
|
// Length of FileName in bytes, not characters. Check it against the input
// buffer length that came with the request.
ULONG FileNameLength;
|
|
// Declared with one element; the name continues past the end of the struct
// and is not guaranteed to be NUL-terminated.
WCHAR FileName[1];
|
|
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
|
|
|
|
// One record per data stream of a file. Records are variable-length and
// chained through NextEntryOffset.
typedef struct _FILE_STREAM_INFORMATION {
|
|
// Byte offset to the next record (documented as 0 for the last). Check that
// it stays inside the buffer before following it.
ULONG NextEntryOffset;
|
|
// Length of StreamName in bytes, not characters; validate against the space
// left in the buffer.
ULONG StreamNameLength;
|
|
LARGE_INTEGER StreamSize;
|
|
LARGE_INTEGER StreamAllocationSize;
|
|
// Declared with one element; the name continues past the end of the struct
// and is not guaranteed to be NUL-terminated.
WCHAR StreamName[1];
|
|
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
|
|
|
|
typedef struct _FILE_TRACKING_INFORMATION {
|
|
HANDLE DestinationFile;
|
|
ULONG ObjectInformationLength;
|
|
CHAR ObjectInformation[1];
|
|
} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
|
|
|
|
typedef struct _FSRTL_COMMON_FCB_HEADER {
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NodeByteSize;
|
|
UCHAR Flags;
|
|
UCHAR IsFastIoPossible;
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
UCHAR Flags2;
|
|
UCHAR Reserved : 4;
|
|
UCHAR Version : 4;
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
PERESOURCE Resource;
|
|
PERESOURCE PagingIoResource;
|
|
LARGE_INTEGER AllocationSize;
|
|
LARGE_INTEGER FileSize;
|
|
LARGE_INTEGER ValidDataLength;
|
|
} FSRTL_COMMON_FCB_HEADER, *PFSRTL_COMMON_FCB_HEADER;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
#ifdef __cplusplus
|
|
typedef struct _FSRTL_ADVANCED_FCB_HEADER:FSRTL_COMMON_FCB_HEADER {
|
|
#else // __cplusplus
|
|
typedef struct _FSRTL_ADVANCED_FCB_HEADER {
|
|
FSRTL_COMMON_FCB_HEADER;
|
|
#endif // __cplusplus
|
|
PFAST_MUTEX FastMutex;
|
|
LIST_ENTRY FilterContexts;
|
|
EX_PUSH_LOCK PushLock;
|
|
PVOID *FileContextSupportPointer;
|
|
} FSRTL_ADVANCED_FCB_HEADER, *PFSRTL_ADVANCED_FCB_HEADER;
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _GENERATE_NAME_CONTEXT {
|
|
USHORT Checksum;
|
|
BOOLEAN CheckSumInserted;
|
|
UCHAR NameLength;
|
|
WCHAR NameBuffer[8];
|
|
ULONG ExtensionLength;
|
|
WCHAR ExtensionBuffer[4];
|
|
ULONG LastIndexValue;
|
|
} GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT;
|
|
|
|
typedef struct _HANDLE_INFO { // Information about open handles
|
|
union {
|
|
PEPROCESS Process; // Pointer to PEPROCESS owning the Handle
|
|
ULONG Count; // Count of HANDLE_INFO structures following this structure
|
|
} HandleInfo;
|
|
USHORT HandleCount;
|
|
} HANDLE_INFO, *PHANDLE_INFO;
|
|
|
|
typedef struct _HANDLE_TABLE_ENTRY_INFO {
|
|
ULONG AuditMask;
|
|
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
|
|
|
|
// Kernel handle-table slot.
// NOTE(review): this is an undocumented internal layout that is not stable
// across Windows builds; code that reads or writes it directly should be
// gated on an exact build check, and the layout verified against that build.
typedef struct _HANDLE_TABLE_ENTRY {
|
|
// All four members share the same storage. The two ULONG views cover only
// the low 32 bits of the pointer-sized members on a 64-bit target.
union {
|
|
PVOID Object;
|
|
ULONG ObAttributes;
|
|
PHANDLE_TABLE_ENTRY_INFO InfoTable;
|
|
ULONG Value;
|
|
};
|
|
// All three members share the same storage; which one is meaningful depends
// on the state of the slot (presumably NextFreeTableEntry when the slot is
// free - TODO confirm).
union {
|
|
ULONG GrantedAccess;
|
|
USHORT GrantedAccessIndex;
|
|
LONG NextFreeTableEntry;
|
|
};
|
|
USHORT CreatorBackTraceIndex;
|
|
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
|
|
|
|
typedef struct _MAPPING_PAIR {
|
|
ULONGLONG Vcn;
|
|
ULONGLONG Lcn;
|
|
} MAPPING_PAIR, *PMAPPING_PAIR;
|
|
|
|
// Variable-length list of VCN-to-LCN mapping pairs for a file.
typedef struct _GET_RETRIEVAL_DESCRIPTOR {
|
|
// Presumably the number of elements in Pair. Before iterating, check that
// NumberOfPairs * sizeof(MAPPING_PAIR) plus the header fits in the bytes
// actually returned, doing the multiplication in a 64-bit type.
ULONG NumberOfPairs;
|
|
ULONGLONG StartVcn;
|
|
// Declared with one element; further pairs follow past the end of the struct.
MAPPING_PAIR Pair[1];
|
|
} GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR;
|
|
|
|
typedef struct _INITIAL_TEB {
|
|
ULONG Unknown_1;
|
|
ULONG Unknown_2;
|
|
PVOID StackTop;
|
|
PVOID StackBase;
|
|
PVOID Unknown_3;
|
|
} INITIAL_TEB, *PINITIAL_TEB;
|
|
|
|
typedef struct _IO_CLIENT_EXTENSION {
|
|
struct _IO_CLIENT_EXTENSION *NextExtension;
|
|
PVOID ClientIdentificationAddress;
|
|
} IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION;
|
|
|
|
typedef struct _IO_COMPLETION_BASIC_INFORMATION {
|
|
LONG Depth;
|
|
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
|
|
|
|
typedef struct _KEVENT_PAIR {
|
|
USHORT Type;
|
|
USHORT Size;
|
|
KEVENT Event1;
|
|
KEVENT Event2;
|
|
} KEVENT_PAIR, *PKEVENT_PAIR;
|
|
|
|
typedef struct _KINTERRUPT {
|
|
CSHORT Type;
|
|
CSHORT Size;
|
|
LIST_ENTRY InterruptListEntry;
|
|
PKSERVICE_ROUTINE ServiceRoutine;
|
|
PVOID ServiceContext;
|
|
KSPIN_LOCK SpinLock;
|
|
ULONG TickCount;
|
|
PKSPIN_LOCK ActualLock;
|
|
PVOID DispatchAddress;
|
|
ULONG Vector;
|
|
KIRQL Irql;
|
|
KIRQL SynchronizeIrql;
|
|
BOOLEAN FloatingSave;
|
|
BOOLEAN Connected;
|
|
CHAR Number;
|
|
UCHAR ShareVector;
|
|
KINTERRUPT_MODE Mode;
|
|
ULONG ServiceCount;
|
|
ULONG DispatchCount;
|
|
ULONG DispatchCode[106];
|
|
} KINTERRUPT, *PKINTERRUPT;
|
|
|
|
typedef struct _KQUEUE {
|
|
DISPATCHER_HEADER Header;
|
|
LIST_ENTRY EntryListHead;
|
|
ULONG CurrentCount;
|
|
ULONG MaximumCount;
|
|
LIST_ENTRY ThreadListHead;
|
|
} KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE;
|
|
|
|
typedef struct _LARGE_MCB {
|
|
PFAST_MUTEX FastMutex;
|
|
ULONG MaximumPairCount;
|
|
ULONG PairCount;
|
|
POOL_TYPE PoolType;
|
|
PVOID Mapping;
|
|
} LARGE_MCB, *PLARGE_MCB;
|
|
|
|
// Header of an LPC port message followed by a variable-length payload.
// NOTE(review): undocumented structure; field meanings below are inferred
// from the names and need confirming against the target build.
typedef struct _LPC_MESSAGE {
|
|
// Presumably the payload length in bytes and the total message length in
// bytes. A receiver should check both against the number of bytes it
// actually received, and against each other, before indexing into Data.
USHORT DataSize;
|
|
USHORT MessageSize;
|
|
USHORT MessageType;
|
|
// Offset taken from the message itself; treat as untrusted and range-check
// before use.
USHORT VirtualRangesOffset;
|
|
// NOTE(review): presumably identifies the sending process/thread - confirm
// who fills this in before basing an access decision on it.
CLIENT_ID ClientId;
|
|
ULONG MessageId;
|
|
ULONG SectionSize;
|
|
// Declared with one element; the payload continues past the end of the struct.
UCHAR Data[1];
|
|
} LPC_MESSAGE, *PLPC_MESSAGE;
|
|
|
|
typedef struct _LPC_SECTION_READ {
|
|
ULONG Length;
|
|
ULONG ViewSize;
|
|
PVOID ViewBase;
|
|
} LPC_SECTION_READ, *PLPC_SECTION_READ;
|
|
|
|
typedef struct _LPC_SECTION_WRITE {
|
|
ULONG Length;
|
|
HANDLE SectionHandle;
|
|
ULONG SectionOffset;
|
|
ULONG ViewSize;
|
|
PVOID ViewBase;
|
|
PVOID TargetViewBase;
|
|
} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;
|
|
|
|
typedef struct _MAILSLOT_CREATE_PARAMETERS {
|
|
ULONG MailslotQuota;
|
|
ULONG MaximumMessageSize;
|
|
LARGE_INTEGER ReadTimeout;
|
|
BOOLEAN TimeoutSpecified;
|
|
} MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS;
|
|
|
|
typedef struct _MBCB {
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NodeIsInZone;
|
|
ULONG PagesToWrite;
|
|
ULONG DirtyPages;
|
|
ULONG Reserved;
|
|
LIST_ENTRY BitmapRanges;
|
|
LONGLONG ResumeWritePage;
|
|
BITMAP_RANGE BitmapRange1;
|
|
BITMAP_RANGE BitmapRange2;
|
|
BITMAP_RANGE BitmapRange3;
|
|
} MBCB, *PMBCB;
|
|
|
|
typedef struct _MCB {
|
|
LARGE_MCB LargeMcb;
|
|
} MCB, *PMCB;
|
|
|
|
typedef struct _MOVEFILE_DESCRIPTOR {
|
|
HANDLE FileHandle;
|
|
ULONG Reserved;
|
|
LARGE_INTEGER StartVcn;
|
|
LARGE_INTEGER TargetLcn;
|
|
ULONG NumVcns;
|
|
ULONG Reserved1;
|
|
} MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR;
|
|
|
|
typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
|
|
ULONG NamedPipeType;
|
|
ULONG ReadMode;
|
|
ULONG CompletionMode;
|
|
ULONG MaximumInstances;
|
|
ULONG InboundQuota;
|
|
ULONG OutboundQuota;
|
|
LARGE_INTEGER DefaultTimeout;
|
|
BOOLEAN TimeoutSpecified;
|
|
} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;
|
|
|
|
typedef struct _QUOTA_BLOCK {
|
|
KSPIN_LOCK QuotaLock;
|
|
ULONG ReferenceCount; // Number of processes using this block
|
|
ULONG PeakNonPagedPoolUsage;
|
|
ULONG PeakPagedPoolUsage;
|
|
ULONG NonPagedpoolUsage;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolLimit;
|
|
ULONG PagedPoolLimit;
|
|
ULONG PeakPagefileUsage;
|
|
ULONG PagefileUsage;
|
|
ULONG PageFileLimit;
|
|
} QUOTA_BLOCK, *PQUOTA_BLOCK;
|
|
|
|
typedef struct _OBJECT_BASIC_INFO {
|
|
ULONG Attributes;
|
|
ACCESS_MASK GrantedAccess;
|
|
ULONG HandleCount;
|
|
ULONG ReferenceCount;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolUsage;
|
|
ULONG Reserved[3];
|
|
ULONG NameInformationLength;
|
|
ULONG TypeInformationLength;
|
|
ULONG SecurityDescriptorLength;
|
|
LARGE_INTEGER CreateTime;
|
|
} OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO;
|
|
|
|
// Object-manager creation parameters kept alongside an object header.
// NOTE(review): undocumented internal layout. The offsets in the trailing
// comments assume 4-byte handles and pointers (RootDirectory at 0x4,
// ParseContext at 0x8), i.e. a 32-bit build; they do not hold on a 64-bit
// target and the layout may differ between Windows builds.
typedef struct _OBJECT_CREATE_INFORMATION {
|
|
ULONG Attributes;
|
|
HANDLE RootDirectory; // 0x4
|
|
PVOID ParseContext; // 0x8
|
|
// The next member sits at 0x10, so three bytes of padding follow ProbeMode.
// NOTE(review): presumably the processor mode used when probing
// caller-supplied pointers - confirm.
KPROCESSOR_MODE ProbeMode; // 0xc
|
|
ULONG PagedPoolCharge; // 0x10
|
|
ULONG NonPagedPoolCharge; // 0x14
|
|
ULONG SecurityDescriptorCharge; // 0x18
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor; // 0x1c
|
|
PSECURITY_QUALITY_OF_SERVICE SecurityQos; // 0x20
|
|
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; // 0x24
|
|
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
|
|
|
|
typedef struct _OBJECT_CREATOR_INFO {
|
|
LIST_ENTRY Creator;
|
|
ULONG UniqueProcessId; // Creator's Process ID
|
|
ULONG Reserved; // Alignment
|
|
} OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO;
|
|
|
|
typedef struct _OBJECT_DIRECTORY_ITEM {
|
|
struct _OBJECT_DIRECTORY_ITEM *Next;
|
|
PVOID Object;
|
|
} OBJECT_DIRECTORY_ITEM, *POBJECT_DIRECTORY_ITEM;
|
|
|
|
typedef struct _OBJECT_DIRECTORY {
|
|
POBJECT_DIRECTORY_ITEM HashEntries[0x25];
|
|
POBJECT_DIRECTORY_ITEM LastHashAccess;
|
|
ULONG LastHashResult;
|
|
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
|
|
|
|
typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO {
|
|
BOOLEAN Inherit;
|
|
BOOLEAN ProtectFromClose;
|
|
} OBJECT_HANDLE_ATTRIBUTE_INFO, *POBJECT_HANDLE_ATTRIBUTE_INFO;
|
|
|
|
typedef struct _OBJECT_HANDLE_DB {
|
|
union {
|
|
struct _EPROCESS *Process;
|
|
struct _OBJECT_HANDLE_DB_LIST *HandleDBList;
|
|
};
|
|
ULONG HandleCount;
|
|
} OBJECT_HANDLE_DB, *POBJECT_HANDLE_DB;
|
|
|
|
typedef struct _OBJECT_HANDLE_DB_LIST {
|
|
ULONG Count;
|
|
OBJECT_HANDLE_DB Entries[1];
|
|
} OBJECT_HANDLE_DB_LIST, *POBJECT_HANDLE_DB_LIST;
|
|
|
|
typedef struct _OBJECT_HEADER_FLAGS {
|
|
ULONG NameInfoOffset : 8;
|
|
ULONG HandleInfoOffset : 8;
|
|
ULONG QuotaInfoOffset : 8;
|
|
ULONG QuotaBlock : 1; // QuotaBlock/ObjectInfo
|
|
ULONG KernelMode : 1; // UserMode/KernelMode
|
|
ULONG CreatorInfo : 1;
|
|
ULONG Exclusive : 1;
|
|
ULONG Permanent : 1;
|
|
ULONG SecurityDescriptor : 1;
|
|
ULONG HandleInfo : 1;
|
|
ULONG Reserved : 1;
|
|
} OBJECT_HEADER_FLAGS, *POBJECT_HEADER_FLAGS;
|
|
|
|
// Header the object manager keeps in front of every object body.
// NOTE(review): undocumented internal layout. The offsets in the trailing
// comments assume 4-byte pointers (Body at 0x18), i.e. a 32-bit build, and
// the layout is not stable across Windows builds. Code that reaches the
// header by subtracting a fixed offset from an object pointer is tied to one
// exact build and should check for it.
typedef struct _OBJECT_HEADER {
|
|
ULONG ReferenceCount;
|
|
// The two members share storage; presumably NextToFree is used only once
// the object is being torn down - TODO confirm.
union {
|
|
ULONG HandleCount;
|
|
PSINGLE_LIST_ENTRY NextToFree;
|
|
}; // 0x4
|
|
POBJECT_TYPE ObjectType; // 0x8
|
|
OBJECT_HEADER_FLAGS Flags; // 0xc
|
|
// The two members share storage; OBJECT_HEADER_FLAGS has a QuotaBlock bit
// commented "QuotaBlock/ObjectInfo", which presumably selects between them.
union {
|
|
POBJECT_CREATE_INFORMATION ObjectCreateInfo;
|
|
PQUOTA_BLOCK QuotaBlock;
|
|
}; // 0x10
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor; // 0x14
|
|
// First bytes of the object body that follows the header.
QUAD Body; // 0x18
|
|
} OBJECT_HEADER, *POBJECT_HEADER;
|
|
|
|
typedef struct _OBJECT_NAME {
|
|
POBJECT_DIRECTORY Directory;
|
|
UNICODE_STRING ObjectName;
|
|
ULONG Reserved;
|
|
} OBJECT_NAME, *POBJECT_NAME;
|
|
|
|
// Object name returned as a UNICODE_STRING followed by its character storage.
typedef struct _OBJECT_NAME_INFO {
|
|
// Counted string: Length and MaximumLength are in bytes and the buffer is
// not guaranteed to be NUL-terminated.
// NOTE(review): presumably ObjectName.Buffer points at ObjectNameBuffer
// below - confirm it lies inside the caller's buffer before dereferencing.
UNICODE_STRING ObjectName;
|
|
// Declared with one element; the characters continue past the end of the
// struct.
WCHAR ObjectNameBuffer[1];
|
|
} OBJECT_NAME_INFO, *POBJECT_NAME_INFO;
|
|
|
|
typedef struct _OBJECT_PROTECTION_INFO {
|
|
BOOLEAN Inherit;
|
|
BOOLEAN ProtectHandle;
|
|
} OBJECT_PROTECTION_INFO, *POBJECT_PROTECTION_INFO;
|
|
|
|
typedef struct _OBJECT_QUOTA_CHARGES {
|
|
ULONG PagedPoolCharge;
|
|
ULONG NonPagedPoolCharge;
|
|
ULONG SecurityCharge;
|
|
ULONG Reserved;
|
|
} OBJECT_QUOTA_CHARGES, *POBJECT_QUOTA_CHARGES;
|
|
|
|
typedef struct _OBJECT_QUOTA_INFO {
|
|
ULONG PagedPoolQuota;
|
|
ULONG NonPagedPoolQuota;
|
|
ULONG QuotaInformationSize;
|
|
PEPROCESS Process; // Owning process
|
|
} OBJECT_QUOTA_INFO, *POBJECT_QUOTA_INFO;
|
|
|
|
typedef struct _OBJECT_TYPE_INITIALIZER {
|
|
USHORT Length;
|
|
BOOLEAN UseDefaultObject;
|
|
BOOLEAN Reserved1;
|
|
ULONG InvalidAttributes;
|
|
GENERIC_MAPPING GenericMapping;
|
|
ACCESS_MASK ValidAccessMask;
|
|
BOOLEAN SecurityRequired;
|
|
BOOLEAN MaintainHandleCount; /* OBJECT_HANDLE_DB */
|
|
BOOLEAN MaintainTypeList; /* OBJECT_CREATOR_INFO */
|
|
UCHAR Reserved2;
|
|
BOOLEAN PagedPool;
|
|
ULONG DefaultPagedPoolCharge;
|
|
ULONG DefaultNonPagedPoolCharge;
|
|
PVOID DumpProcedure;
|
|
PVOID OpenProcedure;
|
|
PVOID CloseProcedure;
|
|
PVOID DeleteProcedure;
|
|
PVOID ParseProcedure;
|
|
PVOID SecurityProcedure; /* SeDefaultObjectMethod */
|
|
PVOID QueryNameProcedure;
|
|
PVOID OkayToCloseProcedure;
|
|
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
|
|
|
|
typedef struct _OBJECT_TYPE {
|
|
ERESOURCE Lock;
|
|
LIST_ENTRY ObjectListHead; /* OBJECT_CREATOR_INFO */
|
|
UNICODE_STRING ObjectTypeName;
|
|
union {
|
|
PVOID DefaultObject; /* ObpDefaultObject */
|
|
ULONG Code; /* File: 5C, WaitablePort: A0 */
|
|
};
|
|
ULONG ObjectTypeIndex; /* OB_TYPE_INDEX_* */
|
|
ULONG ObjectCount;
|
|
ULONG HandleCount;
|
|
ULONG PeakObjectCount;
|
|
ULONG PeakHandleCount;
|
|
OBJECT_TYPE_INITIALIZER TypeInfo;
|
|
ULONG ObjectTypeTag; /* OB_TYPE_TAG_* */
|
|
} OBJECT_TYPE, *POBJECT_TYPE;
|
|
|
|
typedef struct _OBJECT_TYPE_INFO {
|
|
UNICODE_STRING ObjectTypeName;
|
|
UCHAR Unknown[0x58];
|
|
WCHAR ObjectTypeNameBuffer[1];
|
|
} OBJECT_TYPE_INFO, *POBJECT_TYPE_INFO;
|
|
|
|
typedef struct _OBJECT_ALL_TYPES_INFO {
|
|
ULONG NumberOfObjectTypes;
|
|
OBJECT_TYPE_INFO ObjectsTypeInfo[1];
|
|
} OBJECT_ALL_TYPES_INFO, *POBJECT_ALL_TYPES_INFO;
|
|
|
|
typedef struct _PAGEFAULT_HISTORY {
|
|
ULONG CurrentIndex;
|
|
ULONG MaxIndex;
|
|
KSPIN_LOCK SpinLock;
|
|
PVOID Reserved;
|
|
PROCESS_WS_WATCH_INFORMATION WatchInfo[1];
|
|
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;
|
|
|
|
// Counted path name: a length followed by the characters. Variable-length,
// so sizeof() covers only the header and the first character.
typedef struct _PATHNAME_BUFFER {
|
|
// NOTE(review): presumably the length of Name in bytes - confirm the unit,
// and validate it against the size of the buffer that holds this struct.
ULONG PathNameLength;
|
|
// Declared with one element; not guaranteed to be NUL-terminated.
WCHAR Name[1];
|
|
} PATHNAME_BUFFER, *PPATHNAME_BUFFER;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _PRIVATE_CACHE_MAP_FLAGS {
|
|
ULONG DontUse : 16;
|
|
ULONG ReadAheadActive : 1;
|
|
ULONG ReadAheadEnabled : 1;
|
|
ULONG Available : 14;
|
|
} PRIVATE_CACHE_MAP_FLAGS, *PPRIVATE_CACHE_MAP_FLAGS;
|
|
|
|
typedef struct _PRIVATE_CACHE_MAP {
|
|
union {
|
|
CSHORT NodeTypeCode;
|
|
PRIVATE_CACHE_MAP_FLAGS Flags;
|
|
ULONG UlongFlags;
|
|
};
|
|
ULONG ReadAheadMask;
|
|
PFILE_OBJECT FileObject;
|
|
LARGE_INTEGER FileOffset1;
|
|
LARGE_INTEGER BeyondLastByte1;
|
|
LARGE_INTEGER FileOffset2;
|
|
LARGE_INTEGER BeyondLastByte2;
|
|
LARGE_INTEGER ReadAheadOffset[2];
|
|
ULONG ReadAheadLength[2];
|
|
KSPIN_LOCK ReadAheadSpinLock;
|
|
LIST_ENTRY PrivateLinks;
|
|
} PRIVATE_CACHE_MAP, *PPRIVATE_CACHE_MAP;
|
|
|
|
#endif
|
|
|
|
typedef struct _PROCESS_PRIORITY_CLASS {
|
|
BOOLEAN Foreground;
|
|
UCHAR PriorityClass;
|
|
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
|
|
|
|
typedef struct _PS_IMPERSONATION_INFORMATION {
|
|
PACCESS_TOKEN Token;
|
|
BOOLEAN CopyOnOpen;
|
|
BOOLEAN EffectiveOnly;
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;
|
|
|
|
typedef struct _PUBLIC_BCB {
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NodeByteSize;
|
|
ULONG MappedLength;
|
|
LARGE_INTEGER MappedFileOffset;
|
|
} PUBLIC_BCB, *PPUBLIC_BCB;
|
|
|
|
// Request asking a network redirector whether it recognises a path prefix.
// Variable-length: the path continues past the declared one-element array.
typedef struct _QUERY_PATH_REQUEST {
|
|
// Length of FilePathName in bytes. Validate against the input buffer length
// of the request before reading the path.
ULONG PathNameLength;
|
|
// Security context of the originating create request.
// NOTE(review): this is a pointer carried inside a request buffer - confirm
// the request can only come from kernel mode before dereferencing it.
PIO_SECURITY_CONTEXT SecurityContext;
|
|
// Not guaranteed to be NUL-terminated; bound reads by PathNameLength.
WCHAR FilePathName[1];
|
|
} QUERY_PATH_REQUEST, *PQUERY_PATH_REQUEST;
|
|
|
|
typedef struct _QUERY_PATH_RESPONSE {
|
|
ULONG LengthAccepted;
|
|
} QUERY_PATH_RESPONSE, *PQUERY_PATH_RESPONSE;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _READ_LIST {
|
|
PFILE_OBJECT FileObject;
|
|
ULONG NumberOfEntries;
|
|
LOGICAL IsImage;
|
|
FILE_SEGMENT_ELEMENT List[ANYSIZE_ARRAY];
|
|
} READ_LIST, *PREAD_LIST;
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
// Reparse-point payload: an 8-byte header (tag, data length, reserved)
// followed by tag-specific data. The contents come from the volume or from
// whoever set the reparse point, so every length and offset below has to be
// validated against the real buffer size before any name is read.
typedef struct _REPARSE_DATA_BUFFER {
|
|
|
|
// Selects which union member is meaningful; check it before touching the
// union.
ULONG ReparseTag;
|
|
// Documented as the number of bytes of reparse data that follow the 8-byte
// header. It must not exceed the buffer size minus that header.
USHORT ReparseDataLength;
|
|
USHORT Reserved;
|
|
|
|
union {
|
|
|
|
// NOTE(review): current WDK definitions of the symbolic-link variant carry
// an additional ULONG Flags member before PathBuffer. This declaration has
// none, so PathBuffer offsets computed from it would be 4 bytes short for
// symbolic-link data laid out that way - verify against the target system.
struct {
|
|
// Offsets and lengths are in bytes, relative to PathBuffer. For each name,
// check that offset + length (kept in a type wider than USHORT) stays within
// ReparseDataLength and that both are multiples of sizeof(WCHAR).
USHORT SubstituteNameOffset;
|
|
USHORT SubstituteNameLength;
|
|
USHORT PrintNameOffset;
|
|
USHORT PrintNameLength;
|
|
// Declared with one element; holds both names and continues past the end of
// the struct. Do not rely on NUL terminators.
WCHAR PathBuffer[1];
|
|
} SymbolicLinkReparseBuffer;
|
|
|
|
struct {
|
|
// Offsets and lengths are in bytes, relative to PathBuffer. For each name,
// check that offset + length (kept in a type wider than USHORT) stays within
// ReparseDataLength and that both are multiples of sizeof(WCHAR).
USHORT SubstituteNameOffset;
|
|
USHORT SubstituteNameLength;
|
|
USHORT PrintNameOffset;
|
|
USHORT PrintNameLength;
|
|
// Declared with one element; holds both names and continues past the end of
// the struct. Do not rely on NUL terminators.
WCHAR PathBuffer[1];
|
|
} MountPointReparseBuffer;
|
|
|
|
struct {
|
|
// Opaque bytes for tags other than the two above; ReparseDataLength is the
// only bound on them.
UCHAR DataBuffer[1];
|
|
} GenericReparseBuffer;
|
|
};
|
|
|
|
} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
|
|
|
|
// Variable-length list of extents (VCN ranges mapped to LCNs) for a file.
typedef struct _RETRIEVAL_POINTERS_BUFFER {
|
|
// Number of elements in Extents. Before iterating, check that the header
// plus ExtentCount * sizeof(Extents[0]) fits in the bytes actually returned,
// doing the multiplication in a 64-bit type.
ULONG ExtentCount;
|
|
LARGE_INTEGER StartingVcn;
|
|
// Declared with one element; further extents follow past the end of the
// struct.
struct {
|
|
LARGE_INTEGER NextVcn;
|
|
LARGE_INTEGER Lcn;
|
|
} Extents[1];
|
|
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
|
|
|
|
typedef struct _RTL_SPLAY_LINKS {
|
|
struct _RTL_SPLAY_LINKS *Parent;
|
|
struct _RTL_SPLAY_LINKS *LeftChild;
|
|
struct _RTL_SPLAY_LINKS *RightChild;
|
|
} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;
|
|
|
|
typedef struct _SE_EXPORTS {
|
|
|
|
LUID SeCreateTokenPrivilege;
|
|
LUID SeAssignPrimaryTokenPrivilege;
|
|
LUID SeLockMemoryPrivilege;
|
|
LUID SeIncreaseQuotaPrivilege;
|
|
LUID SeUnsolicitedInputPrivilege;
|
|
LUID SeTcbPrivilege;
|
|
LUID SeSecurityPrivilege;
|
|
LUID SeTakeOwnershipPrivilege;
|
|
LUID SeLoadDriverPrivilege;
|
|
LUID SeCreatePagefilePrivilege;
|
|
LUID SeIncreaseBasePriorityPrivilege;
|
|
LUID SeSystemProfilePrivilege;
|
|
LUID SeSystemtimePrivilege;
|
|
LUID SeProfileSingleProcessPrivilege;
|
|
LUID SeCreatePermanentPrivilege;
|
|
LUID SeBackupPrivilege;
|
|
LUID SeRestorePrivilege;
|
|
LUID SeShutdownPrivilege;
|
|
LUID SeDebugPrivilege;
|
|
LUID SeAuditPrivilege;
|
|
LUID SeSystemEnvironmentPrivilege;
|
|
LUID SeChangeNotifyPrivilege;
|
|
LUID SeRemoteShutdownPrivilege;
|
|
|
|
PSID SeNullSid;
|
|
PSID SeWorldSid;
|
|
PSID SeLocalSid;
|
|
PSID SeCreatorOwnerSid;
|
|
PSID SeCreatorGroupSid;
|
|
|
|
PSID SeNtAuthoritySid;
|
|
PSID SeDialupSid;
|
|
PSID SeNetworkSid;
|
|
PSID SeBatchSid;
|
|
PSID SeInteractiveSid;
|
|
PSID SeLocalSystemSid;
|
|
PSID SeAliasAdminsSid;
|
|
PSID SeAliasUsersSid;
|
|
PSID SeAliasGuestsSid;
|
|
PSID SeAliasPowerUsersSid;
|
|
PSID SeAliasAccountOpsSid;
|
|
PSID SeAliasSystemOpsSid;
|
|
PSID SeAliasPrintOpsSid;
|
|
PSID SeAliasBackupOpsSid;
|
|
|
|
PSID SeAuthenticatedUsersSid;
|
|
|
|
PSID SeRestrictedSid;
|
|
PSID SeAnonymousLogonSid;
|
|
|
|
LUID SeUndockPrivilege;
|
|
LUID SeSyncAgentPrivilege;
|
|
LUID SeEnableDelegationPrivilege;
|
|
|
|
} SE_EXPORTS, *PSE_EXPORTS;
|
|
|
|
typedef struct _SECTION_BASIC_INFORMATION {
|
|
PVOID BaseAddress;
|
|
ULONG Attributes;
|
|
LARGE_INTEGER Size;
|
|
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
|
|
|
|
typedef struct _SECTION_IMAGE_INFORMATION {
|
|
PVOID EntryPoint;
|
|
ULONG Unknown1;
|
|
ULONG StackReserve;
|
|
ULONG StackCommit;
|
|
ULONG Subsystem;
|
|
USHORT MinorSubsystemVersion;
|
|
USHORT MajorSubsystemVersion;
|
|
ULONG Unknown2;
|
|
ULONG Characteristics;
|
|
USHORT ImageNumber;
|
|
BOOLEAN Executable;
|
|
UCHAR Unknown3;
|
|
ULONG Unknown4[3];
|
|
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
|
|
|
|
typedef struct _SECTION_OBJECT {
|
|
PVOID StartingVa;
|
|
PVOID EndingVa;
|
|
struct _SECTION_OBJECT *Parent;
|
|
struct _SECTION_OBJECT *LeftChild;
|
|
struct _SECTION_OBJECT *RightChild;
|
|
PVOID Segment;
|
|
} SECTION_OBJECT, *PSECTION_OBJECT;
|
|
|
|
typedef struct _SEP_AUDIT_POLICY {
|
|
// _SEP_AUDIT_POLICY_CATEGORIES
|
|
ULONGLONG System : 4;
|
|
ULONGLONG Logon : 4;
|
|
ULONGLONG ObjectAccess : 4;
|
|
ULONGLONG PrivilegeUse : 4;
|
|
ULONGLONG DetailedTracking : 4;
|
|
ULONGLONG PolicyChange : 4;
|
|
ULONGLONG AccountManagement : 4;
|
|
ULONGLONG DirectoryServiceAccess : 4;
|
|
ULONGLONG AccountLogon : 4;
|
|
// _SEP_AUDIT_POLICY_OVERLAY
|
|
ULONGLONG SetBit : 1;
|
|
} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY;
|
|
|
|
/* size 0x1C */
|
|
// Per-token audit policy in the byte-array form.
// The members add up to 25 + 1 + 2 = 28 bytes (0x1C); the USHORT lands on an
// even offset, so no padding is inserted.
// NOTE(review): undocumented internal layout, named for Windows Vista;
// confirm it against the target build before relying on the offsets.
typedef struct _SEP_AUDIT_POLICY_VISTA {
|
|
UCHAR PerUserPolicy[25]; /* +0x000 */
|
|
UCHAR PolicySetStatus; /* +0x019 */
|
|
USHORT Alignment; /* +0x01A */
|
|
} SEP_AUDIT_POLICY_VISTA, *PSEP_AUDIT_POLICY_VISTA;
|
|
|
|
// Describes one system-service table: the handler pointers, an optional
// usage counter per service, the number of services, and the parameter size
// per service.
// NOTE(review): undocumented kernel structure. A service ID has to be
// checked against TableSize before it indexes any of the tables below.
typedef struct _SERVICE_DESCRIPTOR_TABLE {
|
|
/*
 * Table containing TableSize pointers to service handler functions,
 * indexed by service ID.
 */
|
|
PVOID *ServiceTable;
|
|
/*
 * Table that counts how many times each service is used. This table
 * is only updated in checked builds.
 */
|
|
PULONG CounterTable;
|
|
/*
 * Number of services contained in this table.
 */
|
|
ULONG TableSize;
|
|
/*
 * Table containing the number of bytes of parameters the handler
 * function takes (presumably indexed by service ID like ServiceTable).
 */
|
|
PUCHAR ArgumentTable;
|
|
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _SHARED_CACHE_MAP {
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NodeByteSize;
|
|
ULONG OpenCount;
|
|
LARGE_INTEGER FileSize;
|
|
LIST_ENTRY BcbList;
|
|
LARGE_INTEGER SectionSize;
|
|
LARGE_INTEGER ValidDataLength;
|
|
LARGE_INTEGER ValidDataGoal;
|
|
PVACB InitialVacbs[4];
|
|
PVACB *Vacbs;
|
|
PFILE_OBJECT FileObject;
|
|
PVACB ActiveVacb;
|
|
PVOID NeedToZero;
|
|
ULONG ActivePage;
|
|
ULONG NeedToZeroPage;
|
|
KSPIN_LOCK ActiveVacbSpinLock;
|
|
ULONG VacbActiveCount;
|
|
ULONG DirtyPages;
|
|
LIST_ENTRY SharedCacheMapLinks;
|
|
ULONG Flags;
|
|
NTSTATUS Status;
|
|
PMBCB Mbcb;
|
|
PVOID Section;
|
|
PKEVENT CreateEvent;
|
|
PKEVENT WaitOnActiveCount;
|
|
ULONG PagesToWrite;
|
|
LONGLONG BeyondLastFlush;
|
|
PCACHE_MANAGER_CALLBACKS Callbacks;
|
|
PVOID LazyWriteContext;
|
|
LIST_ENTRY PrivateList;
|
|
PVOID LogHandle;
|
|
PVOID FlushToLsnRoutine;
|
|
ULONG DirtyPageThreshold;
|
|
ULONG LazyWritePassCount;
|
|
PCACHE_UNINITIALIZE_EVENT UninitializeEvent;
|
|
PVACB NeedToZeroVacb;
|
|
KSPIN_LOCK BcbSpinLock;
|
|
PVOID Reserved;
|
|
KEVENT Event;
|
|
EX_PUSH_LOCK VacbPushLock;
|
|
PRIVATE_CACHE_MAP PrivateCacheMap;
|
|
} SHARED_CACHE_MAP, *PSHARED_CACHE_MAP;
|
|
|
|
#endif
|
|
|
|
typedef struct _SID_AND_ATTRIBUTES {
|
|
PSID Sid;
|
|
ULONG Attributes;
|
|
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
|
|
|
|
// Array of SID/attribute pairs together with a 32-entry hash array.
// NOTE(review): the offsets in the trailing comments assume a 4-byte pointer
// (Hash at +0x008), i.e. a 32-bit build; they do not hold on a 64-bit target.
typedef struct _SID_AND_ATTRIBUTES_HASH {
|
|
// Presumably the number of entries SidAttr points to - confirm, and bound
// every index into SidAttr by it.
ULONG SidCount; /* +0x000 */
|
|
PSID_AND_ATTRIBUTES SidAttr; /* +0x004 */
|
|
ULONG Hash[32]; /* +0x008 */
|
|
} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;
|
|
|
|
typedef struct _STARTING_VCN_INPUT_BUFFER {
|
|
LARGE_INTEGER StartingVcn;
|
|
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;
|
|
|
|
// SystemBasicInformation
/*
 * Result layout for the information class named above.
 *
 * NOTE(review): LowestUserAddress and HighestUserAddress are declared ULONG,
 * so this layout can only carry 32-bit addresses; verify it against the
 * target before relying on it in a 64-bit build. The first member has no
 * known meaning (the author named it Unknown) and should not be interpreted.
 */
typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Unknown;
    ULONG MaximumIncrement;
    ULONG PhysicalPageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPage;
    ULONG HighestPhysicalPage;
    ULONG AllocationGranularity;
    ULONG LowestUserAddress;
    ULONG HighestUserAddress;
    ULONG ActiveProcessors;
    UCHAR NumberProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
|
|
|
|
// SystemProcessorInformation
|
|
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
|
|
USHORT ProcessorArchitecture;
|
|
USHORT ProcessorLevel;
|
|
USHORT ProcessorRevision;
|
|
USHORT Unknown;
|
|
ULONG FeatureBits;
|
|
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
|
|
|
|
// SystemPerformanceInformation
|
|
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
|
|
LARGE_INTEGER IdleTime;
|
|
LARGE_INTEGER ReadTransferCount;
|
|
LARGE_INTEGER WriteTransferCount;
|
|
LARGE_INTEGER OtherTransferCount;
|
|
ULONG ReadOperationCount;
|
|
ULONG WriteOperationCount;
|
|
ULONG OtherOperationCount;
|
|
ULONG AvailablePages;
|
|
ULONG TotalCommittedPages;
|
|
ULONG TotalCommitLimit;
|
|
ULONG PeakCommitment;
|
|
ULONG PageFaults;
|
|
ULONG WriteCopyFaults;
|
|
ULONG TransistionFaults;
|
|
ULONG Reserved1;
|
|
ULONG DemandZeroFaults;
|
|
ULONG PagesRead;
|
|
ULONG PageReadIos;
|
|
ULONG Reserved2[2];
|
|
ULONG PagefilePagesWritten;
|
|
ULONG PagefilePageWriteIos;
|
|
ULONG MappedFilePagesWritten;
|
|
ULONG MappedFilePageWriteIos;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolUsage;
|
|
ULONG PagedPoolAllocs;
|
|
ULONG PagedPoolFrees;
|
|
ULONG NonPagedPoolAllocs;
|
|
ULONG NonPagedPoolFrees;
|
|
ULONG TotalFreeSystemPtes;
|
|
ULONG SystemCodePage;
|
|
ULONG TotalSystemDriverPages;
|
|
ULONG TotalSystemCodePages;
|
|
ULONG SmallNonPagedLookasideListAllocateHits;
|
|
ULONG SmallPagedLookasideListAllocateHits;
|
|
ULONG Reserved3;
|
|
ULONG MmSystemCachePage;
|
|
ULONG PagedPoolPage;
|
|
ULONG SystemDriverPage;
|
|
ULONG FastReadNoWait;
|
|
ULONG FastReadWait;
|
|
ULONG FastReadResourceMiss;
|
|
ULONG FastReadNotPossible;
|
|
ULONG FastMdlReadNoWait;
|
|
ULONG FastMdlReadWait;
|
|
ULONG FastMdlReadResourceMiss;
|
|
ULONG FastMdlReadNotPossible;
|
|
ULONG MapDataNoWait;
|
|
ULONG MapDataWait;
|
|
ULONG MapDataNoWaitMiss;
|
|
ULONG MapDataWaitMiss;
|
|
ULONG PinMappedDataCount;
|
|
ULONG PinReadNoWait;
|
|
ULONG PinReadWait;
|
|
ULONG PinReadNoWaitMiss;
|
|
ULONG PinReadWaitMiss;
|
|
ULONG CopyReadNoWait;
|
|
ULONG CopyReadWait;
|
|
ULONG CopyReadNoWaitMiss;
|
|
ULONG CopyReadWaitMiss;
|
|
ULONG MdlReadNoWait;
|
|
ULONG MdlReadWait;
|
|
ULONG MdlReadNoWaitMiss;
|
|
ULONG MdlReadWaitMiss;
|
|
ULONG ReadAheadIos;
|
|
ULONG LazyWriteIos;
|
|
ULONG LazyWritePages;
|
|
ULONG DataFlushes;
|
|
ULONG DataPages;
|
|
ULONG ContextSwitches;
|
|
ULONG FirstLevelTbFills;
|
|
ULONG SecondLevelTbFills;
|
|
ULONG SystemCalls;
|
|
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
|
|
|
|
// SystemTimeOfDayInformation
|
|
typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
|
|
LARGE_INTEGER BootTime;
|
|
LARGE_INTEGER CurrentTime;
|
|
LARGE_INTEGER TimeZoneBias;
|
|
ULONG CurrentTimeZoneId;
|
|
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;
|
|
|
|
/*
 * Per-thread record; SYSTEM_PROCESSES_INFORMATION in this header ends with
 * an array of these (member Threads).
 *
 * StartAddress is a raw pointer value taken from another context. Treat it
 * as data to report or compare and never dereference it.
 * NOTE(review): the units of the time fields and of WaitTime are not stated
 * in this header.
 */
typedef struct _SYSTEM_THREADS_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREADS_INFORMATION, *PSYSTEM_THREADS_INFORMATION;
|
|
|
|
// SystemProcessesAndThreadsInformation
/*
 * One variable-length process record for the information class named above.
 *
 * Threads is declared with a single element but acts as a trailing
 * variable-length array (presumably ThreadCount entries -- confirm), so
 * sizeof(SYSTEM_PROCESSES_INFORMATION) is not the size of a record.
 * The layout also changes with VER_PRODUCTBUILD: IoCounters exists only for
 * builds >= 2195, which moves Threads.
 *
 * When walking a buffer of these records, check before every step that
 * NextEntryDelta (presumably the byte distance to the next record, 0 at the
 * end -- confirm) keeps the next record inside the buffer, that ThreadCount
 * entries fit inside the current record, and that ProcessName.Buffer plus
 * ProcessName.Length stays inside the buffer.
 * NOTE(review): ProcessId and InheritedFromProcessId are declared ULONG;
 * verify the layout before using it on a 64-bit build.
 */
typedef struct _SYSTEM_PROCESSES_INFORMATION {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG Reserved2;
    VM_COUNTERS VmCounters;
#if (VER_PRODUCTBUILD >= 2195)
    IO_COUNTERS IoCounters;
#endif // (VER_PRODUCTBUILD >= 2195)
    SYSTEM_THREADS_INFORMATION Threads[1]; /* variable-length trailer */
} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;
|
|
|
|
// SystemCallCounts
/*
 * Variable-length result for the information class named above.
 *
 * NumberOfRoutinesInTable is declared with one element but is a trailing
 * array (presumably NumberOfDescriptorTables entries -- confirm), optionally
 * followed by more data as noted below. Derive every index bound from the
 * validated buffer length (and Size, presumably the total byte count --
 * confirm), never from sizeof(SYSTEM_CALL_COUNTS).
 */
typedef struct _SYSTEM_CALL_COUNTS {
    ULONG Size;
    ULONG NumberOfDescriptorTables;
    ULONG NumberOfRoutinesInTable[1];
    // On checked build this is followed by a ULONG CallCounts[1] variable length array.
} SYSTEM_CALL_COUNTS, *PSYSTEM_CALL_COUNTS;
|
|
|
|
// SystemConfigurationInformation
|
|
typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
|
|
ULONG DiskCount;
|
|
ULONG FloppyCount;
|
|
ULONG CdRomCount;
|
|
ULONG TapeCount;
|
|
ULONG SerialCount;
|
|
ULONG ParallelCount;
|
|
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;
|
|
|
|
// SystemProcessorTimes
|
|
typedef struct _SYSTEM_PROCESSOR_TIMES {
|
|
LARGE_INTEGER IdleTime;
|
|
LARGE_INTEGER KernelTime;
|
|
LARGE_INTEGER UserTime;
|
|
LARGE_INTEGER DpcTime;
|
|
LARGE_INTEGER InterruptTime;
|
|
ULONG InterruptCount;
|
|
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;
|
|
|
|
// SystemGlobalFlag
|
|
typedef struct _SYSTEM_GLOBAL_FLAG {
|
|
ULONG GlobalFlag;
|
|
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
|
|
|
|
// SystemModuleInformation
/*
 * One loaded-module record for the information class named above.
 *
 * ImageName is a fixed 256-byte CHAR array and ModuleNameOffset is an
 * offset (presumably into ImageName, marking where the file name starts --
 * confirm). Before using either, check that ModuleNameOffset is smaller
 * than sizeof(ImageName), and do not assume ImageName is NUL-terminated:
 * bound every string operation by the array size.
 *
 * Base is a raw address value for the module. Treat it as sensitive
 * diagnostic data and keep it out of logs or output that less-privileged
 * parties can read.
 * NOTE(review): Size is ULONG and the two Reserved slots are ULONG; verify
 * the layout before using it on a 64-bit build.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
|
|
|
|
// SystemLockInformation
|
|
typedef struct _SYSTEM_LOCK_INFORMATION {
|
|
PVOID Address;
|
|
USHORT Type;
|
|
USHORT Reserved1;
|
|
ULONG ExclusiveOwnerThreadId;
|
|
ULONG ActiveCount;
|
|
ULONG ContentionCount;
|
|
ULONG Reserved2[2];
|
|
ULONG NumberOfSharedWaiters;
|
|
ULONG NumberOfExclusiveWaiters;
|
|
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;
|
|
|
|
// SystemHandleInformation
/*
 * One handle-table record for the information class named above.
 *
 * Handle is declared USHORT, so this layout can represent only 16 bits of
 * handle value. A consumer must not assume the value round-trips for
 * handles above 0xFFFF.
 * Object is a raw pointer value reported for the object. Use it only as an
 * opaque identifier for correlation, never dereference it, and treat it as
 * sensitive when logging.
 * NOTE(review): ProcessId is declared ULONG; verify the layout on a 64-bit
 * build.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
|
|
|
|
// SystemObjectInformation
/*
 * Per-object-type record for the information class named above.
 *
 * Records are chained through NextEntryOffset (presumably a byte offset to
 * the next type record -- confirm whether it is relative to the buffer
 * start or to this record). Validate it against the buffer length before
 * following it, and check that Name.Buffer / Name.Length lie inside the
 * buffer before reading the name.
 */
typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
    ULONG NextEntryOffset;
    ULONG ObjectCount;
    ULONG HandleCount;
    ULONG TypeNumber;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK ValidAccessMask;
    POOL_TYPE PoolType;
    UCHAR Unknown;
    UNICODE_STRING Name;
} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;
|
|
|
|
/*
 * Per-object record; by its position and naming it belongs with
 * SYSTEM_OBJECT_TYPE_INFORMATION above (presumably the objects of one type
 * follow their type record -- confirm).
 *
 * Object and SecurityDescriptor are raw pointer values from another
 * context: do not dereference them, and treat them as sensitive when
 * logging. Validate NextEntryOffset and Name.Buffer / Name.Length against
 * the buffer length before use.
 */
typedef struct _SYSTEM_OBJECT_INFORMATION {
    ULONG NextEntryOffset;
    PVOID Object;
    ULONG CreatorProcessId;
    USHORT Unknown;
    USHORT Flags;
    ULONG PointerCount;
    ULONG HandleCount;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG ExclusiveProcessId;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    UNICODE_STRING Name;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;
|
|
|
|
// SystemPagefileInformation
/*
 * One page-file record for the information class named above.
 *
 * Validate NextEntryOffset against the buffer length before following it,
 * and check that FileName.Buffer / FileName.Length lie inside the buffer.
 * UNICODE_STRING contents are length-counted and need not be
 * NUL-terminated.
 * NOTE(review): the units of CurrentSize, TotalUsed and PeakUsed are not
 * stated in this header.
 */
typedef struct _SYSTEM_PAGEFILE_INFORMATION {
    ULONG NextEntryOffset;
    ULONG CurrentSize;
    ULONG TotalUsed;
    ULONG PeakUsed;
    UNICODE_STRING FileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;
|
|
|
|
// SystemInstructionEmulationCounts
|
|
typedef struct _SYSTEM_INSTRUCTION_EMULATION_COUNTS {
|
|
ULONG GenericInvalidOpcode;
|
|
ULONG TwoByteOpcode;
|
|
ULONG ESprefix;
|
|
ULONG CSprefix;
|
|
ULONG SSprefix;
|
|
ULONG DSprefix;
|
|
ULONG FSPrefix;
|
|
ULONG GSprefix;
|
|
ULONG OPER32prefix;
|
|
ULONG ADDR32prefix;
|
|
ULONG INSB;
|
|
ULONG INSW;
|
|
ULONG OUTSB;
|
|
ULONG OUTSW;
|
|
ULONG PUSHFD;
|
|
ULONG POPFD;
|
|
ULONG INTnn;
|
|
ULONG INTO;
|
|
ULONG IRETD;
|
|
ULONG FloatingPointOpcode;
|
|
ULONG INBimm;
|
|
ULONG INWimm;
|
|
ULONG OUTBimm;
|
|
ULONG OUTWimm;
|
|
ULONG INB;
|
|
ULONG INW;
|
|
ULONG OUTB;
|
|
ULONG OUTW;
|
|
ULONG LOCKprefix;
|
|
ULONG REPNEprefix;
|
|
ULONG REPprefix;
|
|
ULONG CLI;
|
|
ULONG STI;
|
|
ULONG HLT;
|
|
} SYSTEM_INSTRUCTION_EMULATION_COUNTS, *PSYSTEM_INSTRUCTION_EMULATION_COUNTS;
|
|
|
|
// SystemCacheInformation
|
|
typedef struct _SYSTEM_CACHE_INFORMATION {
|
|
ULONG SystemCacheWsSize;
|
|
ULONG SystemCacheWsPeakSize;
|
|
ULONG SystemCacheWsFaults;
|
|
ULONG SystemCacheWsMinimum;
|
|
ULONG SystemCacheWsMaximum;
|
|
ULONG TransitionSharedPages;
|
|
ULONG TransitionSharedPagesPeak;
|
|
ULONG Reserved[2];
|
|
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;
|
|
|
|
// SystemPoolTagInformation
|
|
typedef struct _SYSTEM_POOL_TAG_INFORMATION {
|
|
CHAR Tag[4];
|
|
ULONG PagedPoolAllocs;
|
|
ULONG PagedPoolFrees;
|
|
ULONG PagedPoolUsage;
|
|
ULONG NonPagedPoolAllocs;
|
|
ULONG NonPagedPoolFrees;
|
|
ULONG NonPagedPoolUsage;
|
|
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;
|
|
|
|
// SystemProcessorStatistics
|
|
typedef struct _SYSTEM_PROCESSOR_STATISTICS {
|
|
ULONG ContextSwitches;
|
|
ULONG DpcCount;
|
|
ULONG DpcRequestRate;
|
|
ULONG TimeIncrement;
|
|
ULONG DpcBypassCount;
|
|
ULONG ApcBypassCount;
|
|
} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;
|
|
|
|
// SystemDpcInformation
|
|
typedef struct _SYSTEM_DPC_INFORMATION {
|
|
ULONG Reserved;
|
|
ULONG MaximumDpcQueueDepth;
|
|
ULONG MinimumDpcRate;
|
|
ULONG AdjustDpcThreshold;
|
|
ULONG IdealDpcRate;
|
|
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;
|
|
|
|
// SystemLoadImage
/*
 * Parameter block for the information class named above.
 *
 * NOTE(review): judging by the class and member names, ModuleName selects
 * an image to load into the system and the remaining members are filled in
 * on return -- confirm. Any code path that builds ModuleName from input it
 * does not fully control is security-sensitive: the name should be
 * canonicalized and checked against an allow-list by the caller, and use of
 * this class is worth auditing.
 */
typedef struct _SYSTEM_LOAD_IMAGE {
    UNICODE_STRING ModuleName;
    PVOID ModuleBase;
    PVOID Unknown;
    PVOID EntryPoint;
    PVOID ExportDirectory;
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;
|
|
|
|
// SystemUnloadImage
|
|
typedef struct _SYSTEM_UNLOAD_IMAGE {
|
|
PVOID ModuleBase;
|
|
} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;
|
|
|
|
// SystemTimeAdjustment
|
|
typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
|
|
ULONG TimeAdjustment;
|
|
ULONG MaximumIncrement;
|
|
BOOLEAN TimeSynchronization;
|
|
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;
|
|
|
|
// SystemTimeAdjustment
|
|
typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
|
|
ULONG TimeAdjustment;
|
|
BOOLEAN TimeSynchronization;
|
|
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;
|
|
|
|
// SystemCrashDumpInformation
/*
 * Result layout for the information class named above.
 *
 * The structure is one HANDLE before build 2195 and two from build 2195 on,
 * so its size depends on VER_PRODUCTBUILD: build with the value that
 * matches the target, and size output buffers with sizeof rather than a
 * constant.
 * NOTE(review): if CrashDumpSectionHandle is a live handle handed to the
 * caller, the caller presumably owns it and must close it -- confirm.
 */
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
    HANDLE CrashDumpSectionHandle;
#if (VER_PRODUCTBUILD >= 2195)
    HANDLE Unknown;
#endif // (VER_PRODUCTBUILD >= 2195)
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;
|
|
|
|
// SystemExceptionInformation
|
|
typedef struct _SYSTEM_EXCEPTION_INFORMATION {
|
|
ULONG AlignmentFixupCount;
|
|
ULONG ExceptionDispatchCount;
|
|
ULONG FloatingEmulationCount;
|
|
ULONG Reserved;
|
|
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;
|
|
|
|
// SystemCrashDumpStateInformation
|
|
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
|
|
ULONG ValidCrashDump;
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
ULONG Unknown;
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;
|
|
|
|
// SystemKernelDebuggerInformation
/*
 * Result layout for the information class named above: two independent
 * BOOLEAN flags.
 *
 * Note the opposite polarity of the two names: DebuggerEnabled is a
 * positive flag, DebuggerNotPresent a negative one. Read both and do not
 * derive one from the other.
 */
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;
    BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
|
|
|
|
// SystemContextSwitchInformation
|
|
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
|
|
ULONG ContextSwitches;
|
|
ULONG ContextSwitchCounters[11];
|
|
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;
|
|
|
|
// SystemRegistryQuotaInformation
|
|
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
|
|
ULONG RegistryQuota;
|
|
ULONG RegistryQuotaInUse;
|
|
ULONG PagedPoolSize;
|
|
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;
|
|
|
|
// SystemLoadAndCallImage
/*
 * Parameter block for the information class named above; it carries only
 * the module name.
 *
 * NOTE(review): by its name this class loads the named image and runs code
 * from it in a privileged context -- confirm. Treat every use as
 * security-sensitive: the name must come from trusted configuration, not
 * from request data, and use of this class is worth logging and alerting
 * on.
 */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
|
|
|
|
// SystemPrioritySeparation
|
|
typedef struct _SYSTEM_PRIORITY_SEPARATION {
|
|
ULONG PrioritySeparation;
|
|
} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;
|
|
|
|
// SystemTimeZoneInformation
|
|
typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
|
|
LONG Bias;
|
|
WCHAR StandardName[32];
|
|
TIME_FIELDS StandardDate;
|
|
LONG StandardBias;
|
|
WCHAR DaylightName[32];
|
|
TIME_FIELDS DaylightDate;
|
|
LONG DaylightBias;
|
|
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;
|
|
|
|
// SystemLookasideInformation
|
|
typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
|
|
USHORT Depth;
|
|
USHORT MaximumDepth;
|
|
ULONG TotalAllocates;
|
|
ULONG AllocateMisses;
|
|
ULONG TotalFrees;
|
|
ULONG FreeMisses;
|
|
POOL_TYPE Type;
|
|
ULONG Tag;
|
|
ULONG Size;
|
|
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;
|
|
|
|
// SystemSetTimeSlipEvent
|
|
typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
|
|
HANDLE TimeSlipEvent;
|
|
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;
|
|
|
|
// SystemCreateSession
|
|
typedef struct _SYSTEM_CREATE_SESSION {
|
|
ULONG Session;
|
|
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;
|
|
|
|
// SystemDeleteSession
|
|
typedef struct _SYSTEM_DELETE_SESSION {
|
|
ULONG Session;
|
|
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;
|
|
|
|
// SystemRangeStartInformation
|
|
typedef struct _SYSTEM_RANGE_START_INFORMATION {
|
|
PVOID SystemRangeStart;
|
|
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;
|
|
|
|
// SystemSessionProcessesInformation
/*
 * Parameter block for the information class named above.
 *
 * Buffer is a pointer embedded in the structure with its size in
 * BufferSize, so validating the outer structure does not validate Buffer.
 * NOTE(review): code that receives this block from a less-trusted caller
 * must capture the structure once and then check Buffer / BufferSize
 * separately before writing through it -- confirm how the consumer in this
 * tree does that.
 */
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION {
    ULONG SessionId;
    ULONG BufferSize;
    PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
|
|
|
|
/*
 * Batch buffer embedded in the TEB declared later in this header (member
 * GdiTebBatch).
 *
 * The length of Buffer is chosen at compile time from VER_PRODUCTBUILD
 * (0x133 ULONGs for builds >= 2195, otherwise 0x136). sizeof(GDI_TEB_BATCH)
 * and the offset of every TEB member after GdiTebBatch are therefore only
 * right when VER_PRODUCTBUILD matches the target system.
 * NOTE(review): Offset presumably indexes into Buffer; bound it by
 * sizeof(Buffer) before use -- confirm.
 */
typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    ULONG HDC;
    ULONG Buffer[(VER_PRODUCTBUILD >= 2195) ? 0x133 : 0x136];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
|
|
struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
|
|
struct _ACTIVATION_CONTEXT* ActivationContext; // 0x4
|
|
ULONG Flags; // 0x8
|
|
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
|
|
|
|
typedef struct _ACTIVATION_CONTEXT_STACK {
|
|
ULONG Flags;
|
|
ULONG NextCookieSequenceNumber;
|
|
PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; // 0x8
|
|
LIST_ENTRY FrameListCache; // 0xc
|
|
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef struct _Wx86ThreadState {
|
|
PULONG CallBx86Eip;
|
|
PVOID DeallocationCpu;
|
|
UCHAR UseKnownWx86Dll; // 0x8
|
|
UCHAR OleStubInvoked; // 0x9
|
|
} Wx86ThreadState, *PWx86ThreadState;
|
|
|
|
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
|
|
ULONG Flags;
|
|
PCHAR FrameName;
|
|
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
|
|
|
|
typedef struct _TEB_ACTIVE_FRAME {
|
|
ULONG Flags;
|
|
struct _TEB_ACTIVE_FRAME *Previous;
|
|
PTEB_ACTIVE_FRAME_CONTEXT Context;
|
|
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
|
|
|
|
typedef struct _TEB // from Reactos, Native API; checked and corrected for 2003 and nt 4.0
|
|
// should also work on XP and 2000
|
|
// the reactos version was probably from NT 3.51 SP3
|
|
{
|
|
NT_TIB Tib; /* 00h */
|
|
PVOID EnvironmentPointer; /* 1Ch */
|
|
CLIENT_ID Cid; /* 20h */
|
|
HANDLE RpcHandle; /* 28h */
|
|
PVOID *ThreadLocalStorage; /* 2Ch */
|
|
PPEB Peb; /* 30h */
|
|
ULONG LastErrorValue; /* 34h */
|
|
ULONG CountOfOwnedCriticalSections; /* 38h */
|
|
PVOID CsrClientThread; /* 3Ch */
|
|
struct _W32THREAD* Win32ThreadInfo; /* 40h */
|
|
ULONG User32Reserved[26]; /* 44h */
|
|
ULONG UserReserved[5]; /* ACh */
|
|
PVOID WOW32Reserved; /* C0h */
|
|
LCID CurrentLocale; /* C4h */
|
|
ULONG FpSoftwareStatusRegister; /* C8h */
|
|
PVOID SystemReserved1[0x36]; /* CCh */
|
|
#if (VER_PRODUCTBUILD <= 1381)
|
|
PVOID Spare1; /* 1A4h */
|
|
#endif
|
|
LONG ExceptionCode; /* 1A4h */
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
ACTIVATION_CONTEXT_STACK
|
|
ActivationContextStack; /* 1A8h */
|
|
UCHAR SpareBytes1[24]; /* 1BCh */
|
|
#elif (VER_PRODUCTBUILD >= 2195)
|
|
UCHAR SpareBytes1[0x2c]; /* 1A8h */
|
|
#else /* nt 4.0 */
|
|
ULONG SpareBytes1[0x14]; /* 1ACh */
|
|
#endif
|
|
GDI_TEB_BATCH GdiTebBatch; /* 1D4h */ /* 1FC for nt 4.0 */
|
|
ULONG gdiRgn; /* 6A8h */ /* 6DCh for nt 4.0 */
|
|
ULONG gdiPen; /* 6ACh */
|
|
ULONG gdiBrush; /* 6B0h */
|
|
CLIENT_ID RealClientId; /* 6B4h */ /* 6E8h for nt 4.0 */
|
|
PVOID GdiCachedProcessHandle; /* 6BCh */
|
|
ULONG GdiClientPID; /* 6C0h */
|
|
ULONG GdiClientTID; /* 6C4h */
|
|
PVOID GdiThreadLocaleInfo; /* 6C8h */
|
|
#if (VER_PRODUCTBUILD == 1381)
|
|
PVOID Win32ClientInfo[5]; /* 700h */
|
|
PVOID glDispatchTable[0x118]; /* 714h */
|
|
ULONG glReserved1[0x1a]; /* B74h */
|
|
#else
|
|
PVOID Win32ClientInfo[0x3e]; /* 6CCh */
|
|
PVOID glDispatchTable[0xe9]; /* 7C4h */
|
|
ULONG glReserved1[0x1d]; /* B68h */
|
|
#endif
|
|
PVOID glReserved2; /* BDCh */
|
|
PVOID glSectionInfo; /* BE0h */
|
|
PVOID glSection; /* BE4h */
|
|
PVOID glTable; /* BE8h */
|
|
PVOID glCurrentRC; /* BECh */
|
|
PVOID glContext; /* BF0h */
|
|
NTSTATUS LastStatusValue; /* BF4h */
|
|
UNICODE_STRING StaticUnicodeString; /* BF8h */
|
|
WCHAR StaticUnicodeBuffer[0x105]; /* C00h */
|
|
PVOID DeallocationStack; /* E0Ch */
|
|
PVOID TlsSlots[0x40]; /* E10h */
|
|
LIST_ENTRY TlsLinks; /* F10h */
|
|
PVOID Vdm; /* F18h */
|
|
PVOID ReservedForNtRpc; /* F1Ch */
|
|
PVOID DbgSsReserved[0x2]; /* F20h */
|
|
ULONG HardErrorDisabled; /* F28h */
|
|
PVOID Instrumentation[0x10]; /* F2Ch */
|
|
PVOID WinSockData; /* F6Ch */
|
|
ULONG GdiBatchCount; /* F70h */
|
|
BOOLEAN InDbgPrint; /* F74h */
|
|
BOOLEAN FreeStackOnTermination; /* F75h */
|
|
BOOLEAN HasFiberData; /* F76h */
|
|
UCHAR IdealProcessor; /* F77h */
|
|
ULONG Spare3; /* F78h */
|
|
ULONG ReservedForPerf; /* F7Ch */
|
|
PVOID ReservedForOle; /* F80h */
|
|
ULONG WaitingOnLoaderLock; /* F84h */
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
Wx86ThreadState Wx86Thread; /* F88h */
|
|
PVOID* TlsExpansionSlots; /* F94h */
|
|
ULONG ImpersonationLocale; /* F98h */
|
|
ULONG IsImpersonating; /* F9Ch */
|
|
PVOID NlsCache; /* FA0h */
|
|
PVOID pShimData; /* FA4h */
|
|
ULONG HeapVirtualAffinity; /* FA8h */
|
|
PVOID CurrentTransactionHandle; /* FACh */
|
|
PTEB_ACTIVE_FRAME ActiveFrame; /* FB0h*/
|
|
PVOID FlsSlots; /* FB4h */
|
|
#endif
|
|
} TEB, *PTEB;
|
|
|
|
typedef struct _TERMINATION_PORT {
|
|
struct _TERMINATION_PORT* Next;
|
|
PVOID Port;
|
|
} TERMINATION_PORT, *PTERMINATION_PORT;
|
|
|
|
/*
 * Basic per-thread query result.
 *
 * TebBaseAddress is an address in the queried thread's context, not
 * necessarily the caller's; do not dereference it directly.
 * NOTE(review): UniqueProcessId and UniqueThreadId are declared ULONG here,
 * while other structures in this header carry thread identity as CLIENT_ID;
 * verify this layout before using it on a 64-bit build.
 */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    ULONG UniqueProcessId;
    ULONG UniqueThreadId;
    KAFFINITY AffinityMask;
    KPRIORITY BasePriority;
    ULONG DiffProcessPriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
|
|
|
|
/*
 * Identifies the source of a token: a fixed-size name plus a LUID.
 *
 * SourceName is a character array of TOKEN_SOURCE_LENGTH bytes. The sample
 * values quoted in the TOKEN_OBJECT comments in this header ("*SYSTEM*" in
 * an 8-byte array) fill the array completely, so the name is not guaranteed
 * to be NUL-terminated. Copy, compare and print it with an explicit length,
 * never with functions that scan for a terminator.
 */
typedef struct _TOKEN_SOURCE {
    CCHAR SourceName[TOKEN_SOURCE_LENGTH];
    LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;
|
|
|
|
/*
 * Identity snapshot of a token: three LUIDs and the token source.
 * SECURITY_CLIENT_CONTEXT in this header embeds one as ClientTokenControl.
 *
 * NOTE(review): ModifiedId presumably changes whenever the token is
 * modified, which would let a holder of an older snapshot detect that the
 * token has changed since capture -- confirm before relying on it.
 */
typedef struct _TOKEN_CONTROL {
    LUID TokenId;
    LUID AuthenticationId;
    LUID ModifiedId;
    TOKEN_SOURCE TokenSource;
} TOKEN_CONTROL, *PTOKEN_CONTROL;
|
|
|
|
/*
 * Wrapper around a pointer to a token's default DACL.
 *
 * DefaultDacl is a pointer, so the ACL lives outside this structure. When
 * the block comes from a caller-supplied buffer, validate the pointer and
 * the ACL's own size field before walking its entries.
 * NOTE(review): whether NULL is a permitted value is not stated here.
 */
typedef struct _TOKEN_DEFAULT_DACL {
    PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
|
|
|
|
/*
 * Counted list of group SIDs.
 *
 * Groups is declared with one element but acts as a trailing
 * variable-length array (presumably GroupCount entries -- confirm), so
 * sizeof(TOKEN_GROUPS) is not the size of the data.
 * Before indexing, check that
 *   offsetof(TOKEN_GROUPS, Groups) + GroupCount * sizeof(SID_AND_ATTRIBUTES)
 * fits in the validated buffer length, guarding the multiplication against
 * overflow. Each Groups[i].Sid is itself a pointer that needs validation.
 */
typedef struct _TOKEN_GROUPS {
    ULONG GroupCount;
    SID_AND_ATTRIBUTES Groups[1]; /* variable-length trailer */
} TOKEN_GROUPS, *PTOKEN_GROUPS;
|
|
|
|
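/* XP SP2 has the same TOKEN_OBJECT structure as Windows Server 2003 (structure K23 in the union). The offsets and sample values in the member comments below appear to be observations from individual builds, not a stable contract: pick the union member that matches the running build before reading any field. */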
|
|
#include <pshpack1.h>
|
|
typedef union
|
|
{
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10, *SYSTEM* id == 0 */
|
|
LUID TokenId; /* 0x10: */
|
|
LUID AuthenticationId; /* 0x18: */
|
|
LARGE_INTEGER ExpirationTime; /* 0x20: -1 no expired. *SYSTEM* has expired? */
|
|
LUID ModifiedId; /* 0x28: */
|
|
ULONG UserAndGroupCount; /* 0x30: 3 */
|
|
ULONG PrivilegeCount; /* 0x34: 14 */
|
|
ULONG VariableLength; /* 0x38: 0x37C */
|
|
ULONG DynamicCharged; /* 0x3C: 0x1F4 */
|
|
ULONG DynamicAvailable; /* 0x40: 0x1A4 */
|
|
ULONG DefaultOwnerIndex; /* 0x44: 1 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups;/* 0x48: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
|
|
PSID PrimaryGroup; /* 0x4C: */
|
|
PLUID_AND_ATTRIBUTES Privileges;/* 0x50: */
|
|
PULONG DynamicPart; /* 0x54: */
|
|
PACL DefaultDacl; /* 0x58: */
|
|
TOKEN_TYPE TokenType; /* 0x5C: TokenPrimary | TokenImpersonation */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x60: 0 */
|
|
UCHAR TokenFlags; /* 0x64: 1 */
|
|
BOOLEAN TokenInUse; /* 0x65: 1 */
|
|
USHORT Alignment; /* 0x66: 0 */
|
|
PVOID ProxyData; /* 0x68: 0 */
|
|
PVOID AuditData; /* 0x6C: 0 */
|
|
ULONG VariablePart; /* 0x70: */
|
|
} NT;
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
|
|
LUID TokenId; /* 0x10: */
|
|
LUID AuthenticationId; /* 0x18: */
|
|
LUID ParentTokenId; /* 0x20: 0 */
|
|
LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
|
|
LUID ModifiedId; /* 0x30: */
|
|
ULONG SessionId; /* 0x38: 0 */
|
|
ULONG UserAndGroupCount; /* 0x3C: 9 */
|
|
ULONG RestrictedSidCount; /*+0x40: 0 */
|
|
ULONG PrivilegeCount; /* 0x44: 11 */
|
|
ULONG VariableLength; /* 0x48: 0x1F0 */
|
|
ULONG DynamicCharged; /* 0x4C: 0x1F4 */
|
|
ULONG DynamicAvailable; /* 0x50: 0x1A4 */
|
|
ULONG DefaultOwnerIndex; /* 0x54: 3 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups; /* 0x58: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
|
|
PSID_AND_ATTRIBUTES RestrictedSids;/* 0x5C: 0 */
|
|
PSID PrimaryGroup; /* 0x60: */
|
|
PLUID_AND_ATTRIBUTES Privileges;/* 0x64: */
|
|
PULONG DynamicPart; /* 0x68: */
|
|
PACL DefaultDacl; /* 0x6C: */
|
|
TOKEN_TYPE TokenType; /* 0x70: TokenPrimary | TokenImpersonation */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x74: 0 */
|
|
UCHAR TokenFlags; /* 0x78: 9 */
|
|
BOOLEAN TokenInUse; /* 0x79: 1 */
|
|
USHORT Alignment; /* 0x7A: 0 */
|
|
PVOID ProxyData; /* 0x7C: 0 */
|
|
PVOID AuditData; /* 0x80: 0 */
|
|
ULONG VariablePart; /* 0x84: */
|
|
} K2;
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
|
|
LUID TokenId; /* 0x10: 0x6F68 */
|
|
LUID AuthenticationId; /* 0x18: */
|
|
LUID ParentTokenId; /* 0x20: 0 */
|
|
LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
|
|
PERESOURCE TokenLock; /*+0x30: 0x8xxxxxxxx */
|
|
LUID ModifiedId; /* 0x34: */
|
|
ULONG SessionId; /* 0x3C: 0x6F6A */
|
|
ULONG UserAndGroupCount; /* 0x40: 4 */
|
|
ULONG RestrictedSidCount; /*+0x44: 0 */
|
|
ULONG VariableLength; /* 0x48: 0x160 */
|
|
ULONG DynamicCharged; /* 0x4C: 0x164 */
|
|
ULONG DynamicAvailable; /* 0x50: 0x1F4 */
|
|
ULONG PrivilegeCount; /* 0x54: 0 */
|
|
ULONG DefaultOwnerIndex; /* 0x58: 1 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups; /* 0x5C: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
|
|
PSID_AND_ATTRIBUTES RestrictedSids;/* 0x60: 0 */
|
|
PSID PrimaryGroup; /* 0x64: */
|
|
PLUID_AND_ATTRIBUTES Privileges;/* 0x68: */
|
|
PULONG DynamicPart; /* 0x6C: */
|
|
PACL DefaultDacl; /* 0x70: */
|
|
TOKEN_TYPE TokenType; /* 0x74: TokenPrimary | TokenImpersonation */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x78: 0 */
|
|
UCHAR TokenFlags; /* 0x7C: 9 */
|
|
BOOLEAN TokenInUse; /* 0x7D: 1 */
|
|
USHORT Alignment; /* 0x7E: 4BB4 */
|
|
PVOID ProxyData; /* 0x80: 0 */
|
|
PVOID AuditData; /* 0x84: 0 */
|
|
ULONG VariablePart; /* 0x88: */
|
|
} XP;
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
|
|
LUID TokenId; /* 0x10: 0x6F68 */
|
|
LUID AuthenticationId; /* 0x18: */
|
|
LUID ParentTokenId; /* 0x20: 0 */
|
|
LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
|
|
PERESOURCE TokenLock; /*+0x30: 0x8xxxxxxxx */
|
|
ULONG Padding64; /*+0x34: 0xXxxxxxxxx */
|
|
SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
|
|
LUID ModifiedId; /*+0x040: 0x6F6A */
|
|
ULONG SessionId; /*+0x048: */
|
|
ULONG UserAndGroupCount; /* 0x4C: 4 */
|
|
ULONG RestrictedSidCount; /*+0x50: 0 */
|
|
ULONG VariableLength; /* 0x54: 0x18 */
|
|
ULONG DynamicCharged; /* 0x58: 0x17C */
|
|
ULONG DynamicAvailable; /* 0x5C: 0x1F4 */
|
|
ULONG PrivilegeCount; /* 0x60: 0 */
|
|
ULONG DefaultOwnerIndex; /* 0x64: 1 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
|
|
PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
|
|
PSID PrimaryGroup; /* 0x70: */
|
|
PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
|
|
PULONG DynamicPart; /* 0x78: */
|
|
PACL DefaultDacl; /* 0x7C: */
|
|
TOKEN_TYPE TokenType; /* 0x80: TokenPrimary | TokenImpersonation */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
|
|
UCHAR TokenFlags; /* 0x88: 9 */
|
|
BOOLEAN TokenInUse; /* 0x89: 1 */
|
|
USHORT Alignment; /* 0x8A: 4BB4 */
|
|
PVOID ProxyData; /* 0x8C: 0x8xxxxxxxx */
|
|
PVOID AuditData; /* 0x90: 0 */
|
|
ULONG VariablePart; /* 0x94: */
|
|
} K23;
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* +0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
|
|
LUID TokenId; /* +0x10: 0x6F68 */
|
|
LUID AuthenticationId; /* +0x18: */
|
|
LUID ParentTokenId; /* +0x20: 0 */
|
|
LARGE_INTEGER ExpirationTime; /* +0x28: -1 no expired */
|
|
PERESOURCE TokenLock; /* +0x30: 0x8xxxxxxxx */
|
|
ULONG Padding64; /* +0x34: 0xXxxxxxxxx */
|
|
SEP_AUDIT_POLICY AuditPolicy; /* +0x38: */
|
|
LUID ModifiedId; /* +0x040: 0x6F6A */
|
|
ULONG SessionId; /* +0x048: */
|
|
ULONG UserAndGroupCount; /* +0x04c: 4 */
|
|
ULONG RestrictedSidCount; /* +0x050: 0 */
|
|
ULONG PrivilegeCount; /* +0x054: 0x18 */
|
|
ULONG VariableLength; /* +0x058: 0x17C */
|
|
ULONG DynamicCharged; /* +0x05c: 0x1F4 */
|
|
ULONG DynamicAvailable; /* +0x060: 0 */
|
|
ULONG DefaultOwnerIndex; /* +0x064: 1 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups; /* +0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
|
|
PSID_AND_ATTRIBUTES RestrictedSids; /* +0x6C: 0 */
|
|
PSID PrimaryGroup; /* +0x70: */
|
|
PLUID_AND_ATTRIBUTES Privileges; /* +0x74: */
|
|
PULONG DynamicPart; /* +0x78: */
|
|
PACL DefaultDacl; /* +0x7C: */
|
|
TOKEN_TYPE TokenType; /* +0x80: TokenPrimary | TokenImpersonation */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* +0x84: 0 */
|
|
UCHAR TokenFlags; /* +0x88: 9 */
|
|
BOOLEAN TokenInUse; /* +0x89: 1 */
|
|
USHORT Alignment; /* +0x8A: 4BB4 */
|
|
PVOID ProxyData; /* +0x8C: 0x8xxxxxxxx */
|
|
PVOID AuditData; /* +0x90: 0 */
|
|
PVOID LogonSession; /* +0x94: */
|
|
LUID OriginatingLogonSession;/* +0x98: */
|
|
ULONG VariablePart; /* +0xa0: */
|
|
} K23SP1;
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* +0x000 */
|
|
LUID TokenId; /* +0x010 */
|
|
LUID AuthenticationId; /* +0x018 */
|
|
LUID ParentTokenId; /* +0x020 */
|
|
LARGE_INTEGER ExpirationTime; /* +0x028 */
|
|
PERESOURCE TokenLock; /* +0x030 */
|
|
LUID ModifiedId; /* +0x034 */
|
|
SEP_AUDIT_POLICY_VISTA AuditPolicy; /* +0x03c */
|
|
ULONG SessionId; /* +0x058 */
|
|
ULONG UserAndGroupCount; /* +0x05c */
|
|
ULONG RestrictedSidCount; /* +0x060 */
|
|
ULONG PrivilegeCount; /* +0x064 */
|
|
ULONG VariableLength; /* +0x068 */
|
|
ULONG DynamicCharged; /* +0x06c */
|
|
ULONG DynamicAvailable; /* +0x070 */
|
|
ULONG DefaultOwnerIndex; /* +0x074 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups; /* +0x078 */
|
|
PSID_AND_ATTRIBUTES RestrictedSids; /* +0x07c */
|
|
PSID PrimaryGroup; /* +0x080 */
|
|
PLUID_AND_ATTRIBUTES Privileges; /* +0x084 */
|
|
PULONG DynamicPart; /* +0x088 */
|
|
PACL DefaultDacl; /* +0x08c */
|
|
TOKEN_TYPE TokenType; /* +0x090 */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* +0x094 */
|
|
ULONG TokenFlags; /* +0x098 */
|
|
BOOLEAN TokenInUse; /* +0x09c */
|
|
BOOLEAN WriterPresent; /* +0x09d */
|
|
USHORT Alignment; /* +0x09e */
|
|
ULONG IntegrityLevelIndex; /* +0x0a0 */
|
|
ULONG DesktopIntegrityLevelIndex;/* +0x0a4 */
|
|
ULONG MandatoryPolicy; /* +0x0a8 */
|
|
PVOID ProxyData; /* +0x0ac */
|
|
PVOID AuditData; /* +0x0b0 */
|
|
PVOID LogonSession; /* +0x0b4 */
|
|
LUID OriginatingLogonSession;/* +0x0b8 */
|
|
SID_AND_ATTRIBUTES_HASH SidHash; /* +0x0c0 */
|
|
SID_AND_ATTRIBUTES_HASH RestrictedSidHash;/* +0x148 */
|
|
ULONG VariablePart; /* +0x1d0 */
|
|
} VISTA;
|
|
struct
|
|
{
|
|
TOKEN_SOURCE TokenSource; /* +0x000 */
|
|
LUID TokenId; /* +0x010 */
|
|
LUID AuthenticationId; /* +0x018 */
|
|
LUID ParentTokenId; /* +0x020 */
|
|
LARGE_INTEGER ExpirationTime; /* +0x028 */
|
|
PERESOURCE TokenLock; /* +0x030 */
|
|
SEP_AUDIT_POLICY AuditPolicy; /* +0x038 */
|
|
LUID ModifiedId; /* +0x040 */
|
|
ULONG SessionId; /* +0x048 */
|
|
ULONG UserAndGroupCount; /* +0x04c */
|
|
ULONG RestrictedSidCount; /* +0x050 */
|
|
ULONG PrivilegeCount; /* +0x054 */
|
|
ULONG VariableLength; /* +0x058 */
|
|
ULONG DynamicCharged; /* +0x05c */
|
|
ULONG DynamicAvailable; /* +0x060 */
|
|
ULONG DefaultOwnerIndex; /* +0x064 */
|
|
PSID_AND_ATTRIBUTES UserAndGroups; /* +0x068 */
|
|
PSID_AND_ATTRIBUTES RestrictedSids; /* +0x070 */
|
|
PSID PrimaryGroup; /* +0x078 */
|
|
PLUID_AND_ATTRIBUTES Privileges; /* +0x080 */
|
|
PULONG DynamicPart; /* +0x088 */
|
|
PACL DefaultDacl; /* +0x090 */
|
|
TOKEN_TYPE TokenType; /* +0x098 */
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; /* +0x09c */
|
|
UCHAR TokenFlags; /* +0x0a0 */
|
|
BOOLEAN TokenInUse; /* +0x0a1 */
|
|
UCHAR Padding64 [6]; /* +0x0a2 */
|
|
PVOID ProxyData; /* +0x0a8 */
|
|
PVOID AuditData; /* +0x0b0 */
|
|
PVOID LogonSession; /* +0x0b8 */
|
|
LUID OriginatingLogonSession;/* +0x0c0 */
|
|
ULONG VariablePart; /* +0x0c8 */
|
|
} XP64; /* equial 2K3SP1x64 */
|
|
/* VariablePart */
|
|
} TOKEN_OBJECT, *PTOKEN_OBJECT;
|
|
#include <poppack.h>
|
|
|
|
typedef struct _TOKEN_OWNER {
|
|
PSID Owner;
|
|
} TOKEN_OWNER, *PTOKEN_OWNER;
|
|
|
|
typedef struct _TOKEN_PRIMARY_GROUP {
|
|
PSID PrimaryGroup;
|
|
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
|
|
|
|
/*
 * Counted list of privileges.
 *
 * Privileges is declared with one element but acts as a trailing
 * variable-length array (presumably PrivilegeCount entries -- confirm), so
 * sizeof(TOKEN_PRIVILEGES) is not the size of the data.
 * Before indexing, check that
 *   offsetof(TOKEN_PRIVILEGES, Privileges)
 *     + PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES)
 * fits in the validated buffer length, guarding the multiplication against
 * overflow. Read PrivilegeCount once into a local so that the checked value
 * and the used value cannot differ.
 */
typedef struct _TOKEN_PRIVILEGES {
    ULONG PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[1]; /* variable-length trailer */
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
|
|
|
|
typedef struct _TOKEN_STATISTICS {
|
|
LUID TokenId;
|
|
LUID AuthenticationId;
|
|
LARGE_INTEGER ExpirationTime;
|
|
TOKEN_TYPE TokenType;
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|
ULONG DynamicCharged;
|
|
ULONG DynamicAvailable;
|
|
ULONG GroupCount;
|
|
ULONG PrivilegeCount;
|
|
LUID ModifiedId;
|
|
} TOKEN_STATISTICS, *PTOKEN_STATISTICS;
|
|
|
|
/*
 * The user identity of a token: a single SID_AND_ATTRIBUTES.
 *
 * User.Sid is a pointer, so the SID itself lives outside this structure
 * (for a query result, presumably later in the same buffer -- confirm).
 * Validate the pointer and the SID's length before reading or copying it.
 */
typedef struct _TOKEN_USER {
    SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;
|
|
|
|
/*
 * Captured security context of a client: the requested quality of service,
 * a token pointer, three BOOLEAN flags and a TOKEN_CONTROL snapshot.
 *
 * NOTE(review): presumably this block is filled in and consumed by the
 * client-security routines declared elsewhere in this header, and should be
 * treated as opaque by drivers -- confirm. In particular, ClientToken is a
 * bare pointer: who holds the reference on the token, and when it is
 * released, is not visible here and must be confirmed before the pointer is
 * copied or stored.
 */
typedef struct _SECURITY_CLIENT_CONTEXT {
    SECURITY_QUALITY_OF_SERVICE SecurityQos;
    PACCESS_TOKEN ClientToken;
    BOOLEAN DirectlyAccessClientToken;
    BOOLEAN DirectAccessEffectiveOnly;
    BOOLEAN ServerIsRemote;
    TOKEN_CONTROL ClientTokenControl;
} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;
|
|
|
|
typedef struct _TUNNEL {
|
|
FAST_MUTEX Mutex;
|
|
PRTL_SPLAY_LINKS Cache;
|
|
LIST_ENTRY TimerQueue;
|
|
USHORT NumEntries;
|
|
} TUNNEL, *PTUNNEL;
|
|
|
|
/*
 * Cache manager virtual address control block (internal layout).
 *
 * Overlay is a union: FileOffset and ActiveCount share the same storage, so
 * writing one changes what the other reads.
 * NOTE(review): PSHARED_CACHE_MAP is defined in this part of the header
 * only under VER_PRODUCTBUILD >= 2600, while this structure is
 * unconditional; presumably the pointer type is forward-declared earlier in
 * the file -- confirm. As with the other internal structures here, the
 * layout is build-specific.
 */
typedef struct _VACB {
    PVOID BaseAddress;
    PSHARED_CACHE_MAP SharedCacheMap;
    union {
        LARGE_INTEGER FileOffset;
        USHORT ActiveCount;
    } Overlay;
    LIST_ENTRY LruList;
} VACB, *PVACB;
|
|
|
|
/*
 * Node of the virtual address descriptor tree (internal layout), linked to
 * its parent and to left/right children.
 *
 * The members use PVAD_HEADER before this typedef completes, so a forward
 * declaration of that pointer type must already be in scope (presumably
 * earlier in the file -- confirm).
 * NOTE(review): this layout is internal and build-specific. Validate it for
 * the exact target build before reading it, and do not follow the link
 * pointers without whatever synchronization the memory manager requires.
 */
typedef struct _VAD_HEADER {
    PVOID StartVPN;
    PVOID EndVPN;
    PVAD_HEADER ParentLink;
    PVAD_HEADER LeftLink;
    PVAD_HEADER RightLink;
    ULONG Flags; // LSB = CommitCharge
    PVOID ControlArea;
    PVOID FirstProtoPte;
    PVOID LastPTE;
    ULONG Unknown;
    LIST_ENTRY Secured;
} VAD_HEADER, *PVAD_HEADER;
|
|
|
|
/*
 * Cache manager query made before a cached write of BytesToWrite bytes to
 * FileObject (declaration only).
 *
 * NOTE(review): presumably a FALSE return means the write should not be
 * issued now and should be queued with CcDeferWrite (declared below) --
 * confirm against the WDK documentation. The result must not be ignored.
 */
NTKERNELAPI
BOOLEAN
CcCanIWrite (
    IN PFILE_OBJECT FileObject,
    IN ULONG BytesToWrite,
    IN BOOLEAN Wait,
    IN BOOLEAN Retrying
);
|
|
|
|
/*
 * Copies data for a cached file into a caller buffer (declaration only).
 *
 * Buffer and IoStatus are OUT parameters and Length is the only size
 * passed. The caller is therefore responsible for Buffer being at least
 * Length bytes and, if Buffer comes from a less-trusted requester, for
 * having probed or locked it before the call.
 * NOTE(review): presumably returns FALSE when Wait is FALSE and the copy
 * could not be completed without blocking -- confirm. In that case Buffer
 * and IoStatus must not be treated as filled.
 */
NTKERNELAPI
BOOLEAN
CcCopyRead (
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset,
    IN ULONG Length,
    IN BOOLEAN Wait,
    OUT PVOID Buffer,
    OUT PIO_STATUS_BLOCK IoStatus
);
|
|
|
|
/*
 * Copies data from a caller buffer into a cached file (declaration only).
 *
 * Length is the only size passed, so the caller is responsible for Buffer
 * holding at least Length readable bytes and for having validated
 * FileOffset and Length against its own limits beforehand.
 * NOTE(review): presumably returns FALSE when Wait is FALSE and the copy
 * could not be completed without blocking -- confirm. A FALSE return must
 * not be reported upward as a successful write.
 */
NTKERNELAPI
BOOLEAN
CcCopyWrite (
    IN PFILE_OBJECT FileObject,
    IN PLARGE_INTEGER FileOffset,
    IN ULONG Length,
    IN BOOLEAN Wait,
    IN PVOID Buffer
);
|
|
|
|
/*
 * CcCopyWriteWontFlush
 *
 * Evaluates to non-zero when LEN is at most 0x10000 (64 KiB). FO and FOFF
 * are accepted but never expanded, so expressions passed for them are not
 * evaluated.
 */
#define CcCopyWriteWontFlush(FO, FOFF, LEN) ((LEN) <= 0x10000)
|
|
|
|
typedef VOID (*PCC_POST_DEFERRED_WRITE) (
|
|
IN PVOID Context1,
|
|
IN PVOID Context2
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcDeferWrite (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PCC_POST_DEFERRED_WRITE PostRoutine,
|
|
IN PVOID Context1,
|
|
IN PVOID Context2,
|
|
IN ULONG BytesToWrite,
|
|
IN BOOLEAN Retrying
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcFastCopyRead (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN ULONG FileOffset,
|
|
IN ULONG Length,
|
|
IN ULONG PageCount,
|
|
OUT PVOID Buffer,
|
|
OUT PIO_STATUS_BLOCK IoStatus
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcFastCopyWrite (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN ULONG FileOffset,
|
|
IN ULONG Length,
|
|
IN PVOID Buffer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcFlushCache (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
|
|
IN PLARGE_INTEGER FileOffset OPTIONAL,
|
|
IN ULONG Length,
|
|
OUT PIO_STATUS_BLOCK IoStatus OPTIONAL
|
|
);
|
|
|
|
typedef VOID (*PDIRTY_PAGE_ROUTINE) (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
IN PLARGE_INTEGER OldestLsn,
|
|
IN PLARGE_INTEGER NewestLsn,
|
|
IN PVOID Context1,
|
|
IN PVOID Context2
|
|
);
|
|
|
|
NTKERNELAPI
|
|
LARGE_INTEGER
|
|
CcGetDirtyPages (
|
|
IN PVOID LogHandle,
|
|
IN PDIRTY_PAGE_ROUTINE DirtyPageRoutine,
|
|
IN PVOID Context1,
|
|
IN PVOID Context2
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PFILE_OBJECT
|
|
CcGetFileObjectFromBcb (
|
|
IN PVOID Bcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PFILE_OBJECT
|
|
CcGetFileObjectFromSectionPtrs (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer
|
|
);
|
|
|
|
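/*
 * CcGetFileSizePointer
 *
 * Yields a PLARGE_INTEGER that points one LARGE_INTEGER past the start of
 * the object reached through FO->SectionObjectPointer->SharedCacheMap.
 *
 * The macro dereferences FO and FO->SectionObjectPointer without testing
 * either for NULL, and offsets SharedCacheMap without testing it either, so
 * callers should check CcIsFileCached(FO) first. The value is located by
 * position rather than by member name, which ties the macro to the cache
 * manager's private layout. NOTE(review): confirm that layout for the
 * target build before dereferencing the result.
 *
 * The stray "|" separator lines that had ended up inside the continuation
 * lines have been removed; the expansion is otherwise unchanged.
 */
#define CcGetFileSizePointer(FO) \
    ((PLARGE_INTEGER)((FO)->SectionObjectPointer->SharedCacheMap) + 1)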
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
LARGE_INTEGER
|
|
CcGetFlushedValidData (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
|
|
IN BOOLEAN BcbListHeld
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
LARGE_INTEGER
|
|
CcGetLsnForFileObject (
|
|
IN PFILE_OBJECT FileObject,
|
|
OUT PLARGE_INTEGER OldestLsn OPTIONAL
|
|
);
|
|
|
|
typedef BOOLEAN (*PACQUIRE_FOR_LAZY_WRITE) (
|
|
IN PVOID Context,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
typedef VOID (*PRELEASE_FROM_LAZY_WRITE) (
|
|
IN PVOID Context
|
|
);
|
|
|
|
typedef BOOLEAN (*PACQUIRE_FOR_READ_AHEAD) (
|
|
IN PVOID Context,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
typedef VOID (*PRELEASE_FROM_READ_AHEAD) (
|
|
IN PVOID Context
|
|
);
|
|
|
|
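/*
 * CACHE_MANAGER_CALLBACKS
 *
 * Table of four callback pointers, passed by pointer as the Callbacks
 * argument of CcInitializeCacheMap. The two acquire routines take a context
 * pointer plus a Wait flag and return BOOLEAN; the two release routines
 * take only the context pointer and return nothing.
 *
 * NOTE(review): presumably every slot is invoked by the cache manager and
 * none may be left NULL or uninitialised, and the table presumably has to
 * outlive the cache map it was registered with -- confirm against the WDK
 * documentation.
 *
 * The stray "|" separator lines that were interleaved with the members have
 * been removed; member order and types are unchanged.
 */
typedef struct _CACHE_MANAGER_CALLBACKS {
    PACQUIRE_FOR_LAZY_WRITE     AcquireForLazyWrite;
    PRELEASE_FROM_LAZY_WRITE    ReleaseFromLazyWrite;
    PACQUIRE_FOR_READ_AHEAD     AcquireForReadAhead;
    PRELEASE_FROM_READ_AHEAD    ReleaseFromReadAhead;
} CACHE_MANAGER_CALLBACKS, *PCACHE_MANAGER_CALLBACKS;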
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcInitializeCacheMap (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PCC_FILE_SIZES FileSizes,
|
|
IN BOOLEAN PinAccess,
|
|
IN PCACHE_MANAGER_CALLBACKS Callbacks,
|
|
IN PVOID LazyWriteContext
|
|
);
|
|
|
|
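/*
 * CcIsFileCached
 *
 * Non-zero when FO->SectionObjectPointer is non-NULL and the
 * SharedCacheMap member it points at is non-NULL as well.
 *
 * FO itself is dereferenced unconditionally, so it must be a valid pointer,
 * and it is expanded twice, so it must not have side effects.
 *
 * The stray "|" separator lines that had ended up inside the continuation
 * lines have been removed; the expansion is otherwise unchanged.
 */
#define CcIsFileCached(FO) (                                                            \
    ((FO)->SectionObjectPointer != NULL) &&                                             \
    (((PSECTION_OBJECT_POINTERS)(FO)->SectionObjectPointer)->SharedCacheMap != NULL)    \
)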
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcIsThereDirtyData (
|
|
IN PVPB Vpb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcMapData (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
IN ULONG Flags,
|
|
#else
|
|
IN BOOLEAN Wait,
|
|
#endif
|
|
OUT PVOID *Bcb,
|
|
OUT PVOID *Buffer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcMdlRead (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
OUT PMDL *MdlChain,
|
|
OUT PIO_STATUS_BLOCK IoStatus
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcMdlReadComplete (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PMDL MdlChain
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcMdlWriteAbort (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PMDL MdlChain
|
|
);
|
|
|
|
#endif
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcMdlWriteComplete (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PMDL MdlChain
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcPinMappedData (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
IN ULONG Flags,
|
|
#else
|
|
IN BOOLEAN Wait,
|
|
#endif
|
|
IN OUT PVOID *Bcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcPinRead (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
IN ULONG Flags,
|
|
#else
|
|
IN BOOLEAN Wait,
|
|
#endif
|
|
OUT PVOID *Bcb,
|
|
OUT PVOID *Buffer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcPrepareMdlWrite (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
OUT PMDL *MdlChain,
|
|
OUT PIO_STATUS_BLOCK IoStatus
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcPreparePinWrite (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
IN BOOLEAN Zero,
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
IN ULONG Flags,
|
|
#else
|
|
IN BOOLEAN Wait,
|
|
#endif
|
|
OUT PVOID *Bcb,
|
|
OUT PVOID *Buffer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcPurgeCacheSection (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
|
|
IN PLARGE_INTEGER FileOffset OPTIONAL,
|
|
IN ULONG Length,
|
|
IN BOOLEAN UninitializeCacheMaps
|
|
);
|
|
|
|
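/*
 * CcReadAhead
 *
 * Calls CcScheduleReadAhead(FO, FOFF, LEN) when LEN is at least 256 and
 * does nothing otherwise.
 *
 * The previous definition wrapped an `if` statement in parentheses, which
 * is not a valid C expression, so the macro could not compile at any call
 * site. The body is now a do { } while (0) statement: use it as a statement
 * followed by a semicolon; it is safe inside an unbraced if/else.
 *
 * LEN is expanded twice; do not pass an expression with side effects.
 */
#define CcReadAhead(FO, FOFF, LEN)                          \
    do {                                                    \
        if ((LEN) >= 256) {                                 \
            CcScheduleReadAhead((FO), (FOFF), (LEN));       \
        }                                                   \
    } while (0)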
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
CcRemapBcb (
|
|
IN PVOID Bcb
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcRepinBcb (
|
|
IN PVOID Bcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcScheduleReadAhead (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetAdditionalCacheAttributes (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN BOOLEAN DisableReadAhead,
|
|
IN BOOLEAN DisableWriteBehind
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetBcbOwnerPointer (
|
|
IN PVOID Bcb,
|
|
IN PVOID OwnerPointer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetDirtyPageThreshold (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN ULONG DirtyPageThreshold
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetDirtyPinnedData (
|
|
IN PVOID BcbVoid,
|
|
IN PLARGE_INTEGER Lsn OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetFileSizes (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PCC_FILE_SIZES FileSizes
|
|
);
|
|
|
|
typedef VOID (*PFLUSH_TO_LSN) (
|
|
IN PVOID LogHandle,
|
|
IN PLARGE_INTEGER Lsn
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetLogHandleForFile (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PVOID LogHandle,
|
|
IN PFLUSH_TO_LSN FlushToLsnRoutine
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcSetReadAheadGranularity (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN ULONG Granularity // default: PAGE_SIZE
|
|
// allowed: 2^n * PAGE_SIZE
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcUninitializeCacheMap (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER TruncateSize OPTIONAL,
|
|
IN PCACHE_UNINITIALIZE_EVENT UninitializeCompleteEvent OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcUnpinData (
|
|
IN PVOID Bcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcUnpinDataForThread (
|
|
IN PVOID Bcb,
|
|
IN ERESOURCE_THREAD ResourceThreadId
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
CcUnpinRepinnedBcb (
|
|
IN PVOID Bcb,
|
|
IN BOOLEAN WriteThrough,
|
|
OUT PIO_STATUS_BLOCK IoStatus
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
CcWaitForCurrentLazyWriterActivity (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
CcZeroData (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER StartOffset,
|
|
IN PLARGE_INTEGER EndOffset,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
ExDisableResourceBoostLite (
|
|
IN PERESOURCE Resource
|
|
);
|
|
|
|
NTKERNELAPI
|
|
ULONG
|
|
ExQueryPoolBlockSize (
|
|
IN PVOID PoolBlock,
|
|
OUT PBOOLEAN QuotaCharged
|
|
);
|
|
|
|
/*
 * FlagOn
 *
 * Evaluates to the bits of x that are also set in f, i.e. non-zero when any
 * bit of f is set in x. The result is the masked value, not a normalised
 * TRUE/FALSE: storing it in a narrower type can drop the set bit (for
 * example a mask above bit 7 assigned to an 8-bit BOOLEAN), so compare it
 * against 0 when a boolean is needed.
 */
#define FlagOn(x, f) ((x) & (f))
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlAcquireFileExclusive (
|
|
IN PFILE_OBJECT FileObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlAddLargeMcbEntry (
|
|
IN PLARGE_MCB Mcb,
|
|
IN LONGLONG Vbn,
|
|
IN LONGLONG Lbn,
|
|
IN LONGLONG SectorCount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlAddMcbEntry (
|
|
IN PMCB Mcb,
|
|
IN VBN Vbn,
|
|
IN LBN Lbn,
|
|
IN ULONG SectorCount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlAddToTunnelCache (
|
|
IN PTUNNEL Cache,
|
|
IN ULONGLONG DirectoryKey,
|
|
IN PUNICODE_STRING ShortName,
|
|
IN PUNICODE_STRING LongName,
|
|
IN BOOLEAN KeyByShortName,
|
|
IN ULONG DataLength,
|
|
IN PVOID Data
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
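/*
 * FsRtlAllocateFileLock
 *
 * Returns a PFILE_LOCK; both routine arguments are marked OPTIONAL.
 *
 * NTKERNELAPI has been added so the declaration matches the other FsRtl
 * prototypes in this header, which all carry it.
 *
 * NOTE(review): presumably returns NULL when the allocation fails and the
 * result has to be released with FsRtlFreeFileLock -- confirm against the
 * WDK documentation, and check the return value before use.
 */
NTKERNELAPI
PFILE_LOCK
FsRtlAllocateFileLock (
    IN PCOMPLETE_LOCK_IRP_ROUTINE   CompleteLockIrpRoutine OPTIONAL,
    IN PUNLOCK_ROUTINE              UnlockRoutine OPTIONAL
);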
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
FsRtlAllocatePool (
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG NumberOfBytes
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
FsRtlAllocatePoolWithQuota (
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG NumberOfBytes
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
FsRtlAllocatePoolWithQuotaTag (
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG NumberOfBytes,
|
|
IN ULONG Tag
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
FsRtlAllocatePoolWithTag (
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG NumberOfBytes,
|
|
IN ULONG Tag
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
FsRtlAllocateResource (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlAreNamesEqual (
|
|
IN PUNICODE_STRING Name1,
|
|
IN PUNICODE_STRING Name2,
|
|
IN BOOLEAN IgnoreCase,
|
|
IN PWCHAR UpcaseTable OPTIONAL
|
|
);
|
|
|
|
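/*
 * FsRtlAreThereCurrentFileLocks
 *
 * Evaluates to FL->FastIoIsQuestionable. The macro only reads that one
 * member; it takes no lock and does not walk any lock list.
 * NOTE(review): the value is therefore a snapshot -- presumably the caller
 * needs whatever synchronisation protects the FILE_LOCK if the answer must
 * stay valid; confirm.
 *
 * The stray "|" separator lines that had ended up inside the continuation
 * lines have been removed; the expansion is otherwise unchanged.
 */
#define FsRtlAreThereCurrentFileLocks(FL) \
    ((FL)->FastIoIsQuestionable)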
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlBalanceReads (
|
|
IN PDEVICE_OBJECT TargetDevice
|
|
);
|
|
|
|
/*
    FsRtlCheckLockForReadAccess:

    All this really does is pick the lock parameters out of the IRP (from
    its I/O stack location?), obtain the requesting process with
    IoGetRequestorProcess, and pass those values on to
    FsRtlFastCheckLockForRead.
*/
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlCheckLockForReadAccess (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PIRP Irp
|
|
);
|
|
|
|
/*
    FsRtlCheckLockForWriteAccess:

    All this really does is pick the lock parameters out of the IRP (from
    its I/O stack location?), obtain the requesting process with
    IoGetRequestorProcess, and pass those values on to
    FsRtlFastCheckLockForWrite.
*/
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlCheckLockForWriteAccess (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PIRP Irp
|
|
);
|
|
|
|
typedef
|
|
VOID
|
|
(*POPLOCK_WAIT_COMPLETE_ROUTINE) (
|
|
IN PVOID Context,
|
|
IN PIRP Irp
|
|
);
|
|
|
|
typedef
|
|
VOID
|
|
(*POPLOCK_FS_PREPOST_IRP) (
|
|
IN PVOID Context,
|
|
IN PIRP Irp
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlCheckOplock (
|
|
IN POPLOCK Oplock,
|
|
IN PIRP Irp,
|
|
IN PVOID Context,
|
|
IN POPLOCK_WAIT_COMPLETE_ROUTINE CompletionRoutine OPTIONAL,
|
|
IN POPLOCK_FS_PREPOST_IRP PostIrpRoutine OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlCopyRead (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
IN BOOLEAN Wait,
|
|
IN ULONG LockKey,
|
|
OUT PVOID Buffer,
|
|
OUT PIO_STATUS_BLOCK IoStatus,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlCopyWrite (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
IN BOOLEAN Wait,
|
|
IN ULONG LockKey,
|
|
IN PVOID Buffer,
|
|
OUT PIO_STATUS_BLOCK IoStatus,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlCurrentBatchOplock (
|
|
IN POPLOCK Oplock
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlDeleteKeyFromTunnelCache (
|
|
IN PTUNNEL Cache,
|
|
IN ULONGLONG DirectoryKey
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlDeleteTunnelCache (
|
|
IN PTUNNEL Cache
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlDeregisterUncProvider (
|
|
IN HANDLE Handle
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlDissectDbcs (
|
|
IN ANSI_STRING InputName,
|
|
OUT PANSI_STRING FirstPart,
|
|
OUT PANSI_STRING RemainingPart
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlDissectName (
|
|
IN UNICODE_STRING Path,
|
|
OUT PUNICODE_STRING FirstName,
|
|
OUT PUNICODE_STRING RemainingName
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlDoesDbcsContainWildCards (
|
|
IN PANSI_STRING Name
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlDoesNameContainWildCards (
|
|
IN PUNICODE_STRING Name
|
|
);
|
|
|
|
/*
 * FsRtlEnterFileSystem is a plain alias: it expands to
 * KeEnterCriticalRegion.
 * NOTE(review): presumably every use has to be balanced by
 * FsRtlExitFileSystem on every path out of the routine, error paths
 * included -- confirm against the WDK documentation.
 */
#define FsRtlEnterFileSystem KeEnterCriticalRegion
|
|
|
|
/*
 * FsRtlExitFileSystem is a plain alias: it expands to
 * KeLeaveCriticalRegion.
 * NOTE(review): presumably it must only follow a matching
 * FsRtlEnterFileSystem on the same thread -- confirm against the WDK
 * documentation.
 */
#define FsRtlExitFileSystem KeLeaveCriticalRegion
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlFastCheckLockForRead (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PLARGE_INTEGER Length,
|
|
IN ULONG Key,
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PEPROCESS Process
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlFastCheckLockForWrite (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PLARGE_INTEGER Length,
|
|
IN ULONG Key,
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PEPROCESS Process
|
|
);
|
|
|
|
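/*
 * FsRtlFastLock
 *
 * Forwards its eleven arguments to FsRtlPrivateLock, inserting NULL as the
 * tenth argument. In the FsRtlPrivateLock prototype declared in this header
 * that slot is `IN PIRP Irp OPTIONAL`, so this is the no-IRP form of the
 * call: A1..A9 map to FileLock..IoStatus, A10 to Context and A11 to
 * AlreadySynchronized.
 *
 * The stray "|" separator lines that had ended up inside the continuation
 * lines have been removed; the expansion is otherwise unchanged.
 */
#define FsRtlFastLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11) \
    (FsRtlPrivateLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, NULL, A10, A11))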
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlFastUnlockAll (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PEPROCESS Process,
|
|
IN PVOID Context OPTIONAL
|
|
);
|
|
// FsRtlFastUnlockAll can return STATUS_RANGE_NOT_LOCKED.
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlFastUnlockAllByKey (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PEPROCESS Process,
|
|
IN ULONG Key,
|
|
IN PVOID Context OPTIONAL
|
|
);
|
|
// FsRtlFastUnlockAllByKey can return STATUS_RANGE_NOT_LOCKED.
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlFastUnlockSingle (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PLARGE_INTEGER Length,
|
|
IN PEPROCESS Process,
|
|
IN ULONG Key,
|
|
IN PVOID Context OPTIONAL,
|
|
IN BOOLEAN AlreadySynchronized
|
|
);
|
|
// FsRtlFastUnlockSingle can return STATUS_RANGE_NOT_LOCKED.
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlFindInTunnelCache (
|
|
IN PTUNNEL Cache,
|
|
IN ULONGLONG DirectoryKey,
|
|
IN PUNICODE_STRING Name,
|
|
OUT PUNICODE_STRING ShortName,
|
|
OUT PUNICODE_STRING LongName,
|
|
IN OUT PULONG DataLength,
|
|
OUT PVOID Data
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
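/*
 * FsRtlFreeFileLock
 *
 * Takes a PFILE_LOCK and returns nothing.
 *
 * NTKERNELAPI has been added so the declaration matches the other FsRtl
 * prototypes in this header, which all carry it.
 *
 * NOTE(review): presumably the counterpart of FsRtlAllocateFileLock, to be
 * called exactly once per allocated FILE_LOCK and never on one that was set
 * up in caller-owned storage with FsRtlInitializeFileLock -- confirm
 * against the WDK documentation.
 */
NTKERNELAPI
VOID
FsRtlFreeFileLock (
    IN PFILE_LOCK FileLock
);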
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlGetFileSize (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN OUT PLARGE_INTEGER FileSize
|
|
);
|
|
|
|
/*
    FsRtlGetNextFileLock:

    ret: NULL if there are no more locks

    Internals:
        FsRtlGetNextFileLock uses FileLock->LastReturnedLockInfo and
        FileLock->LastReturnedLock as storage.
        LastReturnedLock is a pointer to the 'raw' lock, including its
        doubly linked list entry, and FsRtlGetNextFileLock needs this to
        get the next lock on subsequent calls with Restart = FALSE.
        Because this iteration state is kept in the FILE_LOCK itself, two
        interleaved enumerations of the same FILE_LOCK would share it.
*/
|
|
NTKERNELAPI
|
|
PFILE_LOCK_INFO
|
|
FsRtlGetNextFileLock (
|
|
IN PFILE_LOCK FileLock,
|
|
IN BOOLEAN Restart
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlGetNextLargeMcbEntry (
|
|
IN PLARGE_MCB Mcb,
|
|
IN ULONG RunIndex,
|
|
OUT PLONGLONG Vbn,
|
|
OUT PLONGLONG Lbn,
|
|
OUT PLONGLONG SectorCount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlGetNextMcbEntry (
|
|
IN PMCB Mcb,
|
|
IN ULONG RunIndex,
|
|
OUT PVBN Vbn,
|
|
OUT PLBN Lbn,
|
|
OUT PULONG SectorCount
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlIncrementCcFastReadNotPossible (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlIncrementCcFastReadNoWait (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlIncrementCcFastReadResourceMiss (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlIncrementCcFastReadWait (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlInitializeFileLock (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine OPTIONAL,
|
|
IN PUNLOCK_ROUTINE UnlockRoutine OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlInitializeLargeMcb (
|
|
IN PLARGE_MCB Mcb,
|
|
IN POOL_TYPE PoolType
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlInitializeMcb (
|
|
IN PMCB Mcb,
|
|
IN POOL_TYPE PoolType
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlInitializeOplock (
|
|
IN OUT POPLOCK Oplock
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlInitializeTunnelCache (
|
|
IN PTUNNEL Cache
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsDbcsInExpression (
|
|
IN PANSI_STRING Expression,
|
|
IN PANSI_STRING Name
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsFatDbcsLegal (
|
|
IN ANSI_STRING DbcsName,
|
|
IN BOOLEAN WildCardsPermissible,
|
|
IN BOOLEAN PathNamePermissible,
|
|
IN BOOLEAN LeadingBackslashPermissible
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsHpfsDbcsLegal (
|
|
IN ANSI_STRING DbcsName,
|
|
IN BOOLEAN WildCardsPermissible,
|
|
IN BOOLEAN PathNamePermissible,
|
|
IN BOOLEAN LeadingBackslashPermissible
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsNameInExpression (
|
|
IN PUNICODE_STRING Expression,
|
|
IN PUNICODE_STRING Name,
|
|
IN BOOLEAN IgnoreCase,
|
|
IN PWCHAR UpcaseTable OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsNtstatusExpected (
|
|
IN NTSTATUS Ntstatus
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsPagingFile (
|
|
IN PFILE_OBJECT FileObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlIsTotalDeviceFailure (
|
|
IN NTSTATUS Status
|
|
);
|
|
|
|
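/*
 * FsRtlIsUnicodeCharacterWild
 *
 * FALSE for any C at or above 0x40; otherwise the FSRTL_WILD_CHARACTER bit
 * of entry C in the table that FsRtlLegalAnsiCharacterArray points to.
 *
 * Only the upper bound is tested before C is used as an index, so C must be
 * an unsigned character value: a negative signed value would pass the
 * `>= 0x40` test and index in front of the table. C is also expanded twice,
 * so it must not have side effects. The result comes from FlagOn and is the
 * masked bit, not a normalised TRUE.
 *
 * The stray "|" separator lines that had ended up inside the continuation
 * lines have been removed; the expansion is otherwise unchanged.
 */
#define FsRtlIsUnicodeCharacterWild(C) (                                        \
    (((C) >= 0x40) ?                                                            \
        FALSE :                                                                 \
        FlagOn((*FsRtlLegalAnsiCharacterArray)[(C)], FSRTL_WILD_CHARACTER))     \
)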
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlLookupLargeMcbEntry (
|
|
IN PLARGE_MCB Mcb,
|
|
IN LONGLONG Vbn,
|
|
OUT PLONGLONG Lbn OPTIONAL,
|
|
OUT PLONGLONG SectorCountFromLbn OPTIONAL,
|
|
OUT PLONGLONG StartingLbn OPTIONAL,
|
|
OUT PLONGLONG SectorCountFromStartingLbn OPTIONAL,
|
|
OUT PULONG Index OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlLookupLastLargeMcbEntry (
|
|
IN PLARGE_MCB Mcb,
|
|
OUT PLONGLONG Vbn,
|
|
OUT PLONGLONG Lbn
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlLookupLastLargeMcbEntryAndIndex (
|
|
IN PLARGE_MCB OpaqueMcb,
|
|
OUT PLONGLONG LargeVbn,
|
|
OUT PLONGLONG LargeLbn,
|
|
OUT PULONG Index
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlLookupLastMcbEntry (
|
|
IN PMCB Mcb,
|
|
OUT PVBN Vbn,
|
|
OUT PLBN Lbn
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlLookupMcbEntry (
|
|
IN PMCB Mcb,
|
|
IN VBN Vbn,
|
|
OUT PLBN Lbn,
|
|
OUT PULONG SectorCount OPTIONAL,
|
|
OUT PULONG Index
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlMdlReadComplete (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PMDL MdlChain
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlMdlReadCompleteDev (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PMDL MdlChain,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlMdlReadDev (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
IN ULONG LockKey,
|
|
OUT PMDL *MdlChain,
|
|
OUT PIO_STATUS_BLOCK IoStatus,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlMdlWriteComplete (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PMDL MdlChain
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlMdlWriteCompleteDev (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PMDL MdlChain,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlNormalizeNtstatus (
|
|
IN NTSTATUS Exception,
|
|
IN NTSTATUS GenericException
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyChangeDirectory (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PVOID FsContext,
|
|
IN PSTRING FullDirectoryName,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN BOOLEAN WatchTree,
|
|
IN ULONG CompletionFilter,
|
|
IN PIRP NotifyIrp
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyCleanup (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN PVOID FsContext
|
|
);
|
|
|
|
typedef BOOLEAN (*PCHECK_FOR_TRAVERSE_ACCESS) (
|
|
IN PVOID NotifyContext,
|
|
IN PVOID TargetContext,
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
typedef BOOLEAN (*PFILTER_REPORT_CHANGE) (
|
|
IN PVOID NotifyContext,
|
|
IN PVOID FilterContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyFilterChangeDirectory (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN PVOID FsContext,
|
|
IN PSTRING FullDirectoryName,
|
|
IN BOOLEAN WatchTree,
|
|
IN BOOLEAN IgnoreBuffer,
|
|
IN ULONG CompletionFilter,
|
|
IN PIRP NotifyIrp,
|
|
IN PCHECK_FOR_TRAVERSE_ACCESS TraverseCallback OPTIONAL,
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext OPTIONAL,
|
|
IN PFILTER_REPORT_CHANGE FilterCallback OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyFilterReportChange (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN PSTRING FullTargetName,
|
|
IN USHORT TargetNameOffset,
|
|
IN PSTRING StreamName OPTIONAL,
|
|
IN PSTRING NormalizedParentName OPTIONAL,
|
|
IN ULONG FilterMatch,
|
|
IN ULONG Action,
|
|
IN PVOID TargetContext,
|
|
IN PVOID FilterContext
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyFullChangeDirectory (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN PVOID FsContext,
|
|
IN PSTRING FullDirectoryName,
|
|
IN BOOLEAN WatchTree,
|
|
IN BOOLEAN IgnoreBuffer,
|
|
IN ULONG CompletionFilter,
|
|
IN PIRP NotifyIrp,
|
|
IN PCHECK_FOR_TRAVERSE_ACCESS TraverseCallback OPTIONAL,
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyFullReportChange (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN PSTRING FullTargetName,
|
|
IN USHORT TargetNameOffset,
|
|
IN PSTRING StreamName OPTIONAL,
|
|
IN PSTRING NormalizedParentName OPTIONAL,
|
|
IN ULONG FilterMatch,
|
|
IN ULONG Action,
|
|
IN PVOID TargetContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyInitializeSync (
|
|
IN PNOTIFY_SYNC *NotifySync
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyReportChange (
|
|
IN PNOTIFY_SYNC NotifySync,
|
|
IN PLIST_ENTRY NotifyList,
|
|
IN PSTRING FullTargetName,
|
|
IN PUSHORT FileNamePartLength,
|
|
IN ULONG FilterMatch
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlNotifyUninitializeSync (
|
|
IN PNOTIFY_SYNC *NotifySync
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlNotifyVolumeEvent (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN ULONG EventCode
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
ULONG
|
|
FsRtlNumberOfRunsInLargeMcb (
|
|
IN PLARGE_MCB Mcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
ULONG
|
|
FsRtlNumberOfRunsInMcb (
|
|
IN PMCB Mcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlOplockFsctrl (
|
|
IN POPLOCK Oplock,
|
|
IN PIRP Irp,
|
|
IN ULONG OpenCount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlOplockIsFastIoPossible (
|
|
IN POPLOCK Oplock
|
|
);
|
|
|
|
typedef
|
|
VOID
|
|
(*PFSRTL_STACK_OVERFLOW_ROUTINE) (
|
|
IN PVOID Context,
|
|
IN PKEVENT Event
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlPostPagingFileStackOverflow (
|
|
IN PVOID Context,
|
|
IN PKEVENT Event,
|
|
IN PFSRTL_STACK_OVERFLOW_ROUTINE StackOverflowRoutine
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlPostStackOverflow (
|
|
IN PVOID Context,
|
|
IN PKEVENT Event,
|
|
IN PFSRTL_STACK_OVERFLOW_ROUTINE StackOverflowRoutine
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlPrepareMdlWriteDev (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN ULONG Length,
|
|
IN ULONG LockKey,
|
|
OUT PMDL *MdlChain,
|
|
OUT PIO_STATUS_BLOCK IoStatus,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
/*
    FsRtlPrivateLock:

    ret: IoStatus->Status: STATUS_PENDING, STATUS_LOCK_NOT_GRANTED

    Internals:
        -Calls IoCompleteRequest if Irp is supplied
        -Uses exception handling / ExRaiseStatus with
         STATUS_INSUFFICIENT_RESOURCES
*/
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlPrivateLock (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PLARGE_INTEGER Length,
|
|
IN PEPROCESS Process,
|
|
IN ULONG Key,
|
|
IN BOOLEAN FailImmediately,
|
|
IN BOOLEAN ExclusiveLock,
|
|
OUT PIO_STATUS_BLOCK IoStatus,
|
|
IN PIRP Irp OPTIONAL,
|
|
IN PVOID Context,
|
|
IN BOOLEAN AlreadySynchronized
|
|
);
|
|
|
|
/*
    FsRtlProcessFileLock:

    ret:
        -STATUS_INVALID_DEVICE_REQUEST
        -STATUS_RANGE_NOT_LOCKED from unlock routines.
        -STATUS_PENDING, STATUS_LOCK_NOT_GRANTED from FsRtlPrivateLock
         (redirected IoStatus->Status).

    Internals:
        -switch ( Irp->CurrentStackLocation->MinorFunction )
            lock: return FsRtlPrivateLock;
            unlocksingle: return FsRtlFastUnlockSingle;
            unlockall: return FsRtlFastUnlockAll;
            unlockallbykey: return FsRtlFastUnlockAllByKey;
            default: IofCompleteRequest with STATUS_INVALID_DEVICE_REQUEST;
                     return STATUS_INVALID_DEVICE_REQUEST;

        -'AllwaysZero' is passed through as 'AllwaysZero' to the lock /
         unlock routines.
        -'Irp' is passed through as 'Irp' to FsRtlPrivateLock.
*/
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlProcessFileLock (
|
|
IN PFILE_LOCK FileLock,
|
|
IN PIRP Irp,
|
|
IN PVOID Context OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
FsRtlRegisterUncProvider (
|
|
IN OUT PHANDLE MupHandle,
|
|
IN PUNICODE_STRING RedirectorDeviceName,
|
|
IN BOOLEAN MailslotsSupported
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlReleaseFile (
|
|
IN PFILE_OBJECT FileObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlRemoveLargeMcbEntry (
|
|
IN PLARGE_MCB Mcb,
|
|
IN LONGLONG Vbn,
|
|
IN LONGLONG SectorCount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlRemoveMcbEntry (
|
|
IN PMCB Mcb,
|
|
IN VBN Vbn,
|
|
IN ULONG SectorCount
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlResetLargeMcb (
|
|
IN PLARGE_MCB Mcb,
|
|
IN BOOLEAN SelfSynchronized
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
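/*
 * FsRtlSetupAdvancedHeader
 *
 * Initialises an advanced FCB header in place:
 *   - sets FSRTL_FLAG_ADVANCED_HEADER in Flags and
 *     FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS in Flags2,
 *   - stores FSRTL_FCB_HEADER_V1 in Version,
 *   - initialises the FilterContexts list head,
 *   - stores _fmutx in FastMutex only when _fmutx is non-NULL,
 *   - zeroes PushLock through a PULONG_PTR cast and clears
 *     FileContextSupportPointer.
 *
 * When _fmutx is NULL the FastMutex member is left exactly as it was, so
 * the header must already hold a valid (or deliberately NULL) value there;
 * the macro does not clear it. Both arguments are expanded several times
 * and must not have side effects.
 *
 * The expansion is a bare brace block, not do { } while (0): a call
 * followed by ';' inside an unbraced if/else will not parse as intended, so
 * brace the surrounding statement.
 *
 * The stray "|" separator lines that had ended up inside the continuation
 * lines have been removed; the expansion is otherwise unchanged.
 */
#define FsRtlSetupAdvancedHeader( _advhdr, _fmutx )                         \
{                                                                           \
    SetFlag( (_advhdr)->Flags, FSRTL_FLAG_ADVANCED_HEADER );                \
    SetFlag( (_advhdr)->Flags2, FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS );     \
    (_advhdr)->Version = FSRTL_FCB_HEADER_V1;                               \
    InitializeListHead( &(_advhdr)->FilterContexts );                       \
    if ((_fmutx) != NULL) {                                                 \
        (_advhdr)->FastMutex = (_fmutx);                                    \
    }                                                                       \
    *((PULONG_PTR)(&(_advhdr)->PushLock)) = 0;                              \
    (_advhdr)->FileContextSupportPointer = NULL;                            \
}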
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
FsRtlSplitLargeMcb (
|
|
IN PLARGE_MCB Mcb,
|
|
IN LONGLONG Vbn,
|
|
IN LONGLONG Amount
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlTeardownPerFileContexts (
|
|
IN PVOID *PerFileContextPointer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlTeardownPerStreamContexts (
|
|
IN PFSRTL_ADVANCED_FCB_HEADER AdvancedHeader
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlTruncateLargeMcb (
|
|
IN PLARGE_MCB Mcb,
|
|
IN LONGLONG Vbn
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlTruncateMcb (
|
|
IN PMCB Mcb,
|
|
IN VBN Vbn
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlUninitializeFileLock (
|
|
IN PFILE_LOCK FileLock
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlUninitializeLargeMcb (
|
|
IN PLARGE_MCB Mcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlUninitializeMcb (
|
|
IN PMCB Mcb
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FsRtlUninitializeOplock (
|
|
IN OUT POPLOCK Oplock
|
|
);
|
|
|
|
//
|
|
// If using HalDisplayString during boot on Windows 2000 or later you must
|
|
// first call InbvEnableDisplayString.
|
|
//
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
HalDisplayString (
|
|
IN PCHAR String
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
HalQueryRealTimeClock (
|
|
IN OUT PTIME_FIELDS TimeFields
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
HalSetRealTimeClock (
|
|
IN PTIME_FIELDS TimeFields
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvAcquireDisplayOwnership (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
InbvCheckDisplayOwnership (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
InbvDisplayString (
|
|
IN PCHAR String
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvEnableBootDriver (
|
|
IN BOOLEAN Enable
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
InbvEnableDisplayString (
|
|
IN BOOLEAN Enable
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvInstallDisplayStringFilter (
|
|
IN PVOID Unknown
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
InbvIsBootDriverInstalled (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvNotifyDisplayOwnershipLost (
|
|
IN PVOID Callback
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
InbvResetDisplay (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvSetScrollRegion (
|
|
IN ULONG Left,
|
|
IN ULONG Top,
|
|
IN ULONG Width,
|
|
IN ULONG Height
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvSetTextColor (
|
|
IN ULONG Color
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
InbvSolidColorFill (
|
|
IN ULONG Left,
|
|
IN ULONG Top,
|
|
IN ULONG Width,
|
|
IN ULONG Height,
|
|
IN ULONG Color
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
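/*
 * InitializeMessageHeader
 *
 * Fills in an LPC message header: Length = l, DataLength = l minus
 * sizeof(LPC_MESSAGE), MessageType = t, DataInfoOffset = 0.
 *
 * The length argument is now parenthesised in the DataLength computation;
 * previously an argument such as `a ? b : c` bound the subtraction to its
 * last operand only and produced a wrong DataLength.
 *
 * No range checking is done. Both length fields are narrowed to USHORT, so
 * an l above 0xFFFF is silently truncated, and an l smaller than
 * sizeof(LPC_MESSAGE) wraps around to a large DataLength. Callers must
 * validate l before using the macro, in particular when it is derived from
 * a value an untrusted sender controls. l is expanded twice and must not
 * have side effects.
 *
 * The expansion is a bare brace block, as before, so existing call sites
 * keep compiling with or without a trailing semicolon.
 */
#define InitializeMessageHeader(m, l, t) {                          \
    (m)->Length = (USHORT)(l);                                      \
    (m)->DataLength = (USHORT)((l) - sizeof( LPC_MESSAGE ));        \
    (m)->MessageType = (USHORT)(t);                                 \
    (m)->DataInfoOffset = 0;                                        \
}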
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoAcquireVpbSpinLock (
|
|
OUT PKIRQL Irql
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoAttachDeviceToDeviceStackSafe (
|
|
IN PDEVICE_OBJECT SourceDevice,
|
|
IN PDEVICE_OBJECT TargetDevice,
|
|
OUT PDEVICE_OBJECT *AttachedToDeviceObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
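/*
 * IoCheckDesiredAccess
 *
 * Takes a pointer to a desired access mask and a granted access mask and
 * returns an NTSTATUS. DesiredAccess is IN OUT, so the routine may rewrite
 * the caller's mask.
 *
 * NOTE(review): presumably maps generic rights in *DesiredAccess and fails
 * when it asks for anything outside GrantedAccess -- confirm against the
 * WDK documentation. The returned status is the access decision; a caller
 * that ignores it has performed no check.
 *
 * The stray "|" separator lines that were interleaved with the declaration
 * have been removed; the signature itself is unchanged.
 */
NTKERNELAPI
NTSTATUS
IoCheckDesiredAccess (
    IN OUT PACCESS_MASK DesiredAccess,
    IN ACCESS_MASK      GrantedAccess
);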
|
|
|
|
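/*
 * IoCheckEaBufferValidity
 *
 * Takes an extended-attribute buffer and its length in bytes and returns an
 * NTSTATUS; ErrorOffset is an output.
 *
 * NOTE(review): going by the name, this is the consistency check run over a
 * FILE_FULL_EA_INFORMATION list before it is walked, with ErrorOffset
 * presumably receiving the offset of the first bad entry -- confirm against
 * the WDK documentation. An EA buffer that came from a user-mode request
 * should not be parsed until this call has succeeded, and EaLength must be
 * the real size of the captured buffer, not a value read back from inside
 * it.
 *
 * The stray "|" separator lines that were interleaved with the declaration
 * have been removed; the signature itself is unchanged.
 */
NTKERNELAPI
NTSTATUS
IoCheckEaBufferValidity (
    IN PFILE_FULL_EA_INFORMATION    EaBuffer,
    IN ULONG                        EaLength,
    OUT PULONG                      ErrorOffset
);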
|
|
|
|
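/*
 * IoCheckFunctionAccess
 *
 * Takes a granted access mask, an IRP major/minor function pair, an I/O
 * control code, and two OPTIONAL information-class arguments, and returns
 * an NTSTATUS. Both information classes are passed by pointer
 * (PFILE_INFORMATION_CLASS / PFS_INFORMATION_CLASS), not by value.
 *
 * NOTE(review): presumably decides whether GrantedAccess is sufficient for
 * the described operation -- confirm against the WDK documentation. The
 * returned status is the access decision and has to be acted on by the
 * caller.
 *
 * The stray "|" separator lines that were interleaved with the declaration
 * have been removed; the signature itself is unchanged.
 */
NTKERNELAPI
NTSTATUS
IoCheckFunctionAccess (
    IN ACCESS_MASK              GrantedAccess,
    IN UCHAR                    MajorFunction,
    IN UCHAR                    MinorFunction,
    IN ULONG                    IoControlCode,
    IN PFILE_INFORMATION_CLASS  FileInformationClass OPTIONAL,
    IN PFS_INFORMATION_CLASS    FsInformationClass OPTIONAL
);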
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoCheckQuerySetFileInformation (
|
|
IN FILE_INFORMATION_CLASS FileInformationClass,
|
|
IN ULONG Length,
|
|
IN BOOLEAN SetOperation
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoCheckQuerySetVolumeInformation (
|
|
IN FS_INFORMATION_CLASS FsInformationClass,
|
|
IN ULONG Length,
|
|
IN BOOLEAN SetOperation
|
|
);
|
|
|
|
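/*
 * IoCheckQuotaBufferValidity
 *
 * Takes a quota buffer and its length in bytes and returns an NTSTATUS;
 * ErrorOffset is an output.
 *
 * NOTE(review): going by the name, this is the consistency check run over a
 * FILE_QUOTA_INFORMATION list before it is walked, with ErrorOffset
 * presumably receiving the offset of the first bad entry -- confirm against
 * the WDK documentation. A quota buffer that came from a user-mode request
 * should not be parsed until this call has succeeded, and QuotaLength must
 * be the real size of the captured buffer.
 *
 * The stray "|" separator lines that were interleaved with the declaration
 * have been removed; the signature itself is unchanged.
 */
NTKERNELAPI
NTSTATUS
IoCheckQuotaBufferValidity (
    IN PFILE_QUOTA_INFORMATION  QuotaBuffer,
    IN ULONG                    QuotaLength,
    OUT PULONG                  ErrorOffset
);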
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoCreateFileSpecifyDeviceObjectHint (
|
|
OUT PHANDLE FileHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
IN PLARGE_INTEGER AllocationSize OPTIONAL,
|
|
IN ULONG FileAttributes,
|
|
IN ULONG ShareAccess,
|
|
IN ULONG Disposition,
|
|
IN ULONG CreateOptions,
|
|
IN PVOID EaBuffer OPTIONAL,
|
|
IN ULONG EaLength,
|
|
IN CREATE_FILE_TYPE CreateFileType,
|
|
IN PVOID ExtraCreateParameters OPTIONAL,
|
|
IN ULONG Options,
|
|
IN PVOID DeviceObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
PFILE_OBJECT
|
|
IoCreateStreamFileObject (
|
|
IN PFILE_OBJECT FileObject OPTIONAL,
|
|
IN PDEVICE_OBJECT DeviceObject OPTIONAL
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
PFILE_OBJECT
|
|
IoCreateStreamFileObjectEx (
|
|
IN PFILE_OBJECT FileObject OPTIONAL,
|
|
IN PDEVICE_OBJECT DeviceObject OPTIONAL,
|
|
OUT PHANDLE FileObjectHandle OPTIONAL
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
PFILE_OBJECT
|
|
IoCreateStreamFileObjectLite (
|
|
IN PFILE_OBJECT FileObject OPTIONAL,
|
|
IN PDEVICE_OBJECT DeviceObject OPTIONAL
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
//
// IoEnumerateDeviceObjectList is declared only when VER_PRODUCTBUILD >= 2600.
// It takes a driver object, a caller-supplied array of device object
// pointers with its size, and reports a count through
// ActualNumberDeviceObjects.
//
// NOTE(review): DeviceObjectList is annotated IN, but the array is
// presumably filled in by the callee -- confirm against the WDK prototype.
// NOTE(review): the unit of DeviceObjectListSize (bytes or entries) is not
// visible here; confirm before sizing the array, since a wrong unit would
// let the callee write past the end of it.
// NOTE(review): presumably each returned device object carries a reference
// that the caller has to release -- confirm.
//
NTKERNELAPI
NTSTATUS
IoEnumerateDeviceObjectList (
    IN  PDRIVER_OBJECT  DriverObject,
    IN  PDEVICE_OBJECT  *DeviceObjectList,
    IN  ULONG           DeviceObjectListSize,
    OUT PULONG          ActualNumberDeviceObjects
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
IoFastQueryNetworkAttributes (
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN ULONG OpenOptions,
|
|
OUT PIO_STATUS_BLOCK IoStatus,
|
|
OUT PFILE_NETWORK_OPEN_INFORMATION Buffer
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PDEVICE_OBJECT
|
|
IoGetAttachedDevice (
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PDEVICE_OBJECT
|
|
IoGetBaseFileSystemDeviceObject (
|
|
IN PFILE_OBJECT FileObject
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
PDEVICE_OBJECT
|
|
IoGetDeviceAttachmentBaseRef (
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoGetDiskDeviceObject (
|
|
IN PDEVICE_OBJECT FileSystemDeviceObject,
|
|
OUT PDEVICE_OBJECT *DiskDeviceObject
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PDEVICE_OBJECT
|
|
IoGetLowerDeviceObject (
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
PEPROCESS
|
|
IoGetRequestorProcess (
|
|
IN PIRP Irp
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
ULONG
|
|
IoGetRequestorProcessId (
|
|
IN PIRP Irp
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
PIRP
|
|
IoGetTopLevelIrp (
|
|
VOID
|
|
);
|
|
|
|
//
// IoIsFileOpenedExclusively evaluates to a BOOLEAN that is nonzero only when
// none of SharedRead, SharedWrite and SharedDelete is set in the file object.
// The FileObject argument may be evaluated up to three times, so it must not
// have side effects.
//
#define IoIsFileOpenedExclusively(FileObject) (  \
    (BOOLEAN) (                                  \
        !(FileObject)->SharedRead  &&            \
        !(FileObject)->SharedWrite &&            \
        !(FileObject)->SharedDelete              \
    )                                            \
)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
IoIsFileOriginRemote (
|
|
IN PFILE_OBJECT FileObject
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
IoIsOperationSynchronous (
|
|
IN PIRP Irp
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
IoIsSystemThread (
|
|
IN PETHREAD Thread
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
IoIsValidNameGraftingBuffer (
|
|
IN PIRP Irp,
|
|
IN PREPARSE_DATA_BUFFER ReparseBuffer
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoPageRead (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PMDL Mdl,
|
|
IN PLARGE_INTEGER Offset,
|
|
IN PKEVENT Event,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoQueryFileDosDeviceName (
|
|
IN PFILE_OBJECT FileObject,
|
|
OUT POBJECT_NAME_INFORMATION *ObjectNameInformation
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoQueryFileInformation (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN FILE_INFORMATION_CLASS FileInformationClass,
|
|
IN ULONG Length,
|
|
OUT PVOID FileInformation,
|
|
OUT PULONG ReturnedLength
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoQueryVolumeInformation (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN FS_INFORMATION_CLASS FsInformationClass,
|
|
IN ULONG Length,
|
|
OUT PVOID FsInformation,
|
|
OUT PULONG ReturnedLength
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoQueueThreadIrp (
|
|
IN PIRP Irp
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoRegisterFileSystem (
|
|
IN OUT PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
typedef VOID (*PDRIVER_FS_NOTIFICATION) (
|
|
IN PDEVICE_OBJECT DeviceObject,
|
|
IN BOOLEAN DriverActive
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoRegisterFsRegistrationChange (
|
|
IN PDRIVER_OBJECT DriverObject,
|
|
IN PDRIVER_FS_NOTIFICATION DriverNotificationRoutine
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoReleaseVpbSpinLock (
|
|
IN KIRQL Irql
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoSetDeviceToVerify (
|
|
IN PETHREAD Thread,
|
|
IN PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoSetFileOrigin (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN BOOLEAN Remote
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoSetInformation (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN FILE_INFORMATION_CLASS FileInformationClass,
|
|
IN ULONG Length,
|
|
IN PVOID FileInformation
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoSetTopLevelIrp (
|
|
IN PIRP Irp
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoSynchronousPageWrite (
|
|
IN PFILE_OBJECT FileObject,
|
|
IN PMDL Mdl,
|
|
IN PLARGE_INTEGER FileOffset,
|
|
IN PKEVENT Event,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PEPROCESS
|
|
IoThreadToProcess (
|
|
IN PETHREAD Thread
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
IoUnregisterFileSystem (
|
|
IN OUT PDEVICE_OBJECT DeviceObject
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoUnregisterFsRegistrationChange (
|
|
IN PDRIVER_OBJECT DriverObject,
|
|
IN PDRIVER_FS_NOTIFICATION DriverNotificationRoutine
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
IoVerifyVolume (
|
|
IN PDEVICE_OBJECT DeviceObject,
|
|
IN BOOLEAN AllowRawMount
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
KIRQL
|
|
FASTCALL
|
|
KeAcquireQueuedSpinLock (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
KeAttachProcess (
|
|
IN PEPROCESS Process
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
KeDetachProcess (
|
|
VOID
|
|
);
|
|
|
|
//
// KeInitializeApc takes an APC object, a target thread, a state index,
// three routine pointers, a processor mode and a context pointer; it
// returns nothing.
//
// NOTE(review): unlike the neighbouring prototypes, these parameters carry
// no IN/OUT/OPTIONAL annotations. Apc is presumably initialized by the call
// and some of the routine pointers may be optional -- confirm before
// passing NULL. The APC object is later handed to KeInsertQueueApc (declared
// further down), so presumably it must stay allocated until the APC has run
// or been run down -- confirm.
//
NTKERNELAPI
VOID
KeInitializeApc (
    PKAPC               Apc,
    PKTHREAD            Thread,
    UCHAR               StateIndex,
    PKKERNEL_ROUTINE    KernelRoutine,
    PKRUNDOWN_ROUTINE   RundownRoutine,
    PKNORMAL_ROUTINE    NormalRoutine,
    KPROCESSOR_MODE     ApcMode,
    PVOID               NormalContext
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
KeInitializeMutant (
|
|
IN PRKMUTANT Mutant,
|
|
IN BOOLEAN InitialOwner
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
KeInitializeQueue (
|
|
IN PRKQUEUE Queue,
|
|
IN ULONG Count OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
LONG
|
|
KeInsertHeadQueue (
|
|
IN PRKQUEUE Queue,
|
|
IN PLIST_ENTRY Entry
|
|
);
|
|
|
|
NTKERNELAPI
|
|
LONG
|
|
KeInsertQueue (
|
|
IN PRKQUEUE Queue,
|
|
IN PLIST_ENTRY Entry
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
KeInsertQueueApc (
|
|
IN PKAPC Apc,
|
|
IN PVOID SystemArgument1,
|
|
IN PVOID SystemArgument2,
|
|
IN KPRIORITY Increment
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
KeIsAttachedProcess (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
KeIsExecutingDpc (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
LONG
|
|
KeReadStateMutant (
|
|
IN PRKMUTANT Mutant
|
|
);
|
|
|
|
NTKERNELAPI
|
|
LONG
|
|
KeReadStateQueue (
|
|
IN PRKQUEUE Queue
|
|
);
|
|
|
|
NTKERNELAPI
|
|
LONG
|
|
KeReleaseMutant (
|
|
IN PRKMUTANT Mutant,
|
|
IN KPRIORITY Increment,
|
|
IN BOOLEAN Abandoned,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
FASTCALL
|
|
KeReleaseQueuedSpinLock (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number,
|
|
IN KIRQL OldIrql
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
PLIST_ENTRY
|
|
KeRemoveQueue (
|
|
IN PRKQUEUE Queue,
|
|
IN KPROCESSOR_MODE WaitMode,
|
|
IN PLARGE_INTEGER Timeout OPTIONAL
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
KeRevertToUserAffinityThread (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
PLIST_ENTRY
|
|
KeRundownQueue (
|
|
IN PRKQUEUE Queue
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
CCHAR
|
|
KeSetIdealProcessorThread (
|
|
IN PKTHREAD Thread,
|
|
IN CCHAR Processor
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
KeSetKernelStackSwapEnable (
|
|
IN BOOLEAN Enable
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
//
// KeStackAttachProcess takes a process and writes an APC state through
// ApcState. The same KAPC_STATE pointer type is the input of
// KeUnstackDetachProcess, declared below in this #if block.
//
// Note that this prototype takes a PKPROCESS, while KeAttachProcess earlier
// in this header takes a PEPROCESS.
// NOTE(review): presumably every attach must be matched by
// KeUnstackDetachProcess on the same thread with the same ApcState, and
// user-mode addresses captured before attaching must not be used while
// attached -- confirm against the WDK documentation.
//
NTKERNELAPI
VOID
KeStackAttachProcess (
    IN  PKPROCESS   Process,
    OUT PKAPC_STATE ApcState
);
|
|
|
|
//
// KeTryToAcquireQueuedSpinLock takes a queued spin lock number and a
// pointer to a KIRQL, and returns a LOGICAL. It uses the FASTCALL calling
// convention.
//
// NOTE(review): OldIrql is annotated IN although it is passed by pointer;
// KeAcquireQueuedSpinLock returns the KIRQL by value and
// IoAcquireVpbSpinLock marks its PKIRQL as OUT, so this is presumably an
// output as well -- confirm. Presumably *OldIrql is meaningful only when
// the call reports success, and only then may it be passed to
// KeReleaseQueuedSpinLock -- confirm.
//
NTKERNELAPI
LOGICAL
FASTCALL
KeTryToAcquireQueuedSpinLock (
    IN KSPIN_LOCK_QUEUE_NUMBER  Number,
    IN PKIRQL                   OldIrql
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
KeUnstackDetachProcess (
|
|
IN PKAPC_STATE ApcState
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
KeUpdateSystemTime (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
MmCanFileBeTruncated (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
|
|
IN PLARGE_INTEGER NewFileSize
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
MmCreateSection (
|
|
OUT PVOID *SectionObject,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN PLARGE_INTEGER MaximumSize,
|
|
IN ULONG SectionPageProtection,
|
|
IN ULONG AllocationAttributes,
|
|
IN HANDLE FileHandle OPTIONAL,
|
|
IN PFILE_OBJECT FileObject OPTIONAL
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
MmFlushImageSection (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
|
|
IN MMFLUSH_TYPE FlushType
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
MmForceSectionClosed (
|
|
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
|
|
IN BOOLEAN DelayClose
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
MmIsRecursiveIoFault (
|
|
VOID
|
|
);
|
|
|
|
#else
|
|
|
|
//
// Fallback for builds where VER_PRODUCTBUILD is below 1381 (the #else branch
// of the declaration above). It reads two fields of the current thread
// directly and combines them with a bitwise OR, so the result is nonzero or
// zero rather than strictly TRUE/FALSE, and the macro depends on the thread
// structure layout that is declared for that build.
//
#define MmIsRecursiveIoFault() (                           \
    PsGetCurrentThread()->DisablePageFaultClustering |     \
    PsGetCurrentThread()->ForwardClusterOnly               \
)
|
|
|
|
#endif
|
|
|
|
//
// MmMapViewOfSection takes a section object and a process, plus in/out
// pointers for the base address, the section offset and the view size, and
// returns an NTSTATUS.
//
// NOTE(review): CommitSize is declared ULONG and ViewSize PULONG here, while
// MmSetAddressRangeModified below uses SIZE_T for a length. On 64-bit
// targets confirm the widths against the WDK prototype before using this
// declaration; a mismatched width for ViewSize would let the callee write
// more bytes than the caller's variable holds.
// NOTE(review): BaseAddress and ViewSize are IN OUT, so presumably the
// caller must initialize both before the call and re-read them afterwards
// -- confirm.
//
NTKERNELAPI
NTSTATUS
MmMapViewOfSection (
    IN     PVOID            SectionObject,
    IN     PEPROCESS        Process,
    IN OUT PVOID            *BaseAddress,
    IN     ULONG            ZeroBits,
    IN     ULONG            CommitSize,
    IN OUT PLARGE_INTEGER   SectionOffset OPTIONAL,
    IN OUT PULONG           ViewSize,
    IN     SECTION_INHERIT  InheritDisposition,
    IN     ULONG            AllocationType,
    IN     ULONG            Protect
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
MmPrefetchPages (
|
|
IN ULONG NumberOfLists,
|
|
IN PREAD_LIST *ReadLists
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
MmSetAddressRangeModified (
|
|
IN PVOID Address,
|
|
IN SIZE_T Length
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObCreateObject (
|
|
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
|
|
IN POBJECT_TYPE ObjectType,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN OUT PVOID ParseContext OPTIONAL,
|
|
IN ULONG ObjectSize,
|
|
IN ULONG PagedPoolCharge OPTIONAL,
|
|
IN ULONG NonPagedPoolCharge OPTIONAL,
|
|
OUT PVOID *Object
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
ObDereferenceSecurityDescriptor (
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN ULONG Count
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
#if (VER_PRODUCTBUILD <= 2195)
|
|
|
|
NTKERNELAPI
|
|
ULONG
|
|
ObGetObjectPointerCount (
|
|
IN PVOID Object
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD <= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObInsertObject (
|
|
IN PVOID Object,
|
|
IN PACCESS_STATE PassedAccessState OPTIONAL,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN ULONG AdditionalReferences,
|
|
OUT PVOID *ReferencedObject OPTIONAL,
|
|
OUT PHANDLE Handle
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObLogSecurityDescriptor (
|
|
IN PSECURITY_DESCRIPTOR InputSecurityDescriptor,
|
|
OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor,
|
|
IN ULONG RefBias
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
ObMakeTemporaryObject (
|
|
IN PVOID Object
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObOpenObjectByPointer (
|
|
IN PVOID Object,
|
|
IN ULONG HandleAttributes,
|
|
IN PACCESS_STATE PassedAccessState OPTIONAL,
|
|
IN ACCESS_MASK DesiredAccess OPTIONAL,
|
|
IN POBJECT_TYPE ObjectType OPTIONAL,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PHANDLE Handle
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObQueryNameString (
|
|
IN PVOID Object,
|
|
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
|
|
IN ULONG Length,
|
|
OUT PULONG ReturnLength
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObQueryObjectAuditingByHandle (
|
|
IN HANDLE Handle,
|
|
OUT PBOOLEAN GenerateOnClose
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
ObReferenceObjectByName (
|
|
IN PUNICODE_STRING ObjectName,
|
|
IN ULONG Attributes,
|
|
IN PACCESS_STATE PassedAccessState OPTIONAL,
|
|
IN ACCESS_MASK DesiredAccess OPTIONAL,
|
|
IN POBJECT_TYPE ObjectType,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN OUT PVOID ParseContext OPTIONAL,
|
|
OUT PVOID *Object
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
ObReferenceSecurityDescriptor (
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN ULONG Count
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PoQueueShutdownWorkItem (
|
|
IN PWORK_QUEUE_ITEM WorkItem
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsAssignImpersonationToken (
|
|
IN PETHREAD Thread,
|
|
IN HANDLE Token
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsChargePoolQuota (
|
|
IN PEPROCESS Process,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG Amount
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsChargeProcessNonPagedPoolQuota (
|
|
IN PEPROCESS Process,
|
|
IN ULONG_PTR Amount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsChargeProcessPagedPoolQuota (
|
|
IN PEPROCESS Process,
|
|
IN ULONG_PTR Amount
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsChargeProcessPoolQuota (
|
|
IN PEPROCESS Process,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG_PTR Amount
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsDereferenceImpersonationToken (
|
|
IN PACCESS_TOKEN ImpersonationToken
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsDereferencePrimaryToken (
|
|
IN PACCESS_TOKEN PrimaryToken
|
|
);
|
|
|
|
#else
|
|
|
|
//
// Macro forms used when VER_PRODUCTBUILD is below 2600 (the #else branch of
// the function declarations above).
//
// PsDereferenceImpersonationToken calls ObDereferenceObject on T only when
// ARGUMENT_PRESENT(T) holds, and does nothing otherwise. It expands to a
// brace block, so it cannot be the body of an unbraced if that has an else
// branch. T is evaluated twice.
//
#define PsDereferenceImpersonationToken(T) {  \
    if (ARGUMENT_PRESENT(T)) {                \
        (ObDereferenceObject((T)));           \
    }                                         \
}

//
// PsDereferencePrimaryToken passes T straight to ObDereferenceObject; unlike
// the impersonation variant it performs no ARGUMENT_PRESENT check, so the
// caller must not pass an absent token.
//
#define PsDereferencePrimaryToken(T) (ObDereferenceObject((T)))
|
|
|
|
#endif
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
PsDisableImpersonation (
|
|
IN PETHREAD Thread,
|
|
IN PSE_IMPERSONATION_STATE ImpersonationState
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
ULONG
|
|
PsGetCurrentProcessSessionId (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
KPROCESSOR_MODE
|
|
PsGetCurrentThreadPreviousMode (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
PsGetCurrentThreadStackBase (
|
|
VOID
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
PsGetCurrentThreadStackLimit (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
//
// PsGetProcessExitTime takes no arguments and returns a LARGE_INTEGER by
// value.
// NOTE(review): there is no process parameter, so the value presumably
// refers to the current process -- confirm before using it to reason about
// another process.
//
NTKERNELAPI
LARGE_INTEGER
PsGetProcessExitTime ( VOID );
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsImpersonateClient (
|
|
IN PETHREAD Thread,
|
|
IN PACCESS_TOKEN Token,
|
|
IN BOOLEAN CopyOnOpen,
|
|
IN BOOLEAN EffectiveOnly,
|
|
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
PsIsSystemThread (
|
|
IN PETHREAD Thread
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
PsIsThreadTerminating (
|
|
IN PETHREAD Thread
|
|
);
|
|
|
|
//
// PsLookupProcessByProcessId returns a referenced pointer to the process.
// The caller must release that reference with a call to ObDereferenceObject
// when it has finished using the pointer.
//
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsLookupProcessByProcessId (
|
|
IN PVOID ProcessId,
|
|
OUT PEPROCESS *Process
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsLookupProcessThreadByCid (
|
|
IN PCLIENT_ID Cid,
|
|
OUT PEPROCESS *Process OPTIONAL,
|
|
OUT PETHREAD *Thread
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsLookupThreadByThreadId (
|
|
IN PVOID UniqueThreadId,
|
|
OUT PETHREAD *Thread
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PACCESS_TOKEN
|
|
PsReferenceImpersonationToken (
|
|
IN PETHREAD Thread,
|
|
OUT PBOOLEAN CopyOnOpen,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PACCESS_TOKEN
|
|
PsReferencePrimaryToken (
|
|
IN PEPROCESS Process
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsRestoreImpersonation (
|
|
IN PETHREAD Thread,
|
|
IN PSE_IMPERSONATION_STATE ImpersonationState
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsReturnPoolQuota (
|
|
IN PEPROCESS Process,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG Amount
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 1381)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsRevertToSelf (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 1381)
|
|
|
|
//
// RtlAbsoluteToSelfRelativeSD takes an absolute security descriptor, a
// caller-supplied buffer for the self-relative form, and a pointer to a
// length; it returns an NTSTATUS.
//
// NOTE(review): BufferLength is annotated IN although it is passed by
// pointer; presumably it is in/out (buffer size on entry, required size on
// return) -- confirm. Callers should check the returned status before
// treating SelfRelativeSecurityDescriptor as valid.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlAbsoluteToSelfRelativeSD (
    IN     PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
    IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
    IN     PULONG               BufferLength
);
|
|
|
|
//
// RtlAllocateHeap takes a heap handle, flags and a size, and returns a
// PVOID. RtlFreeHeap, declared further down, takes the same kind of heap
// handle together with the pointer to release.
//
// NOTE(review): Size is declared ULONG here; on 64-bit targets confirm the
// width against the WDK prototype, because a size computed in a wider type
// would be truncated at this call and the block would be smaller than the
// caller expects.
// NOTE(review): presumably the return value is NULL on failure -- confirm,
// and check it before use.
//
NTSYSAPI
PVOID
NTAPI
RtlAllocateHeap (
    IN HANDLE   HeapHandle,
    IN ULONG    Flags,
    IN ULONG    Size
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCompressBuffer (
|
|
IN USHORT CompressionFormatAndEngine,
|
|
IN PUCHAR UncompressedBuffer,
|
|
IN ULONG UncompressedBufferSize,
|
|
OUT PUCHAR CompressedBuffer,
|
|
IN ULONG CompressedBufferSize,
|
|
IN ULONG UncompressedChunkSize,
|
|
OUT PULONG FinalCompressedSize,
|
|
IN PVOID WorkSpace
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCompressChunks (
|
|
IN PUCHAR UncompressedBuffer,
|
|
IN ULONG UncompressedBufferSize,
|
|
OUT PUCHAR CompressedBuffer,
|
|
IN ULONG CompressedBufferSize,
|
|
IN OUT PCOMPRESSED_DATA_INFO CompressedDataInfo,
|
|
IN ULONG CompressedDataInfoLength,
|
|
IN PVOID WorkSpace
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlConvertSidToUnicodeString (
|
|
OUT PUNICODE_STRING DestinationString,
|
|
IN PSID Sid,
|
|
IN BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
//
// RtlCopySid takes a length, a destination SID pointer and a source SID
// pointer, and returns an NTSTATUS.
//
// NOTE(review): Destination is annotated IN, but going by its name it is
// the buffer written to -- confirm. Length presumably gives the size of the
// Destination buffer in bytes -- confirm; RtlLengthSid and
// RtlLengthRequiredSid, declared further down, are the visible ways to
// obtain a SID size for that buffer.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlCopySid (
    IN ULONG    Length,
    IN PSID     Destination,
    IN PSID     Source
);
|
|
|
|
NTSYSAPI
|
|
HANDLE
|
|
NTAPI
|
|
RtlCreateHeap (
|
|
IN ULONG Flags,
|
|
IN PVOID Base,
|
|
IN ULONG Reserve,
|
|
IN ULONG Commit,
|
|
IN ULONG Lock,
|
|
IN PVOID RtlHeapParams
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressBuffer (
|
|
IN USHORT CompressionFormat,
|
|
OUT PUCHAR UncompressedBuffer,
|
|
IN ULONG UncompressedBufferSize,
|
|
IN PUCHAR CompressedBuffer,
|
|
IN ULONG CompressedBufferSize,
|
|
OUT PULONG FinalUncompressedSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressChunks (
|
|
OUT PUCHAR UncompressedBuffer,
|
|
IN ULONG UncompressedBufferSize,
|
|
IN PUCHAR CompressedBuffer,
|
|
IN ULONG CompressedBufferSize,
|
|
IN PUCHAR CompressedTail,
|
|
IN ULONG CompressedTailSize,
|
|
IN PCOMPRESSED_DATA_INFO CompressedDataInfo
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressFragment (
|
|
IN USHORT CompressionFormat,
|
|
OUT PUCHAR UncompressedFragment,
|
|
IN ULONG UncompressedFragmentSize,
|
|
IN PUCHAR CompressedBuffer,
|
|
IN ULONG CompressedBufferSize,
|
|
IN ULONG FragmentOffset,
|
|
OUT PULONG FinalUncompressedSize,
|
|
IN PVOID WorkSpace
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDescribeChunk (
|
|
IN USHORT CompressionFormat,
|
|
IN OUT PUCHAR *CompressedBuffer,
|
|
IN PUCHAR EndOfCompressedBufferPlus1,
|
|
OUT PUCHAR *ChunkBuffer,
|
|
OUT PULONG ChunkSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyHeap (
|
|
IN HANDLE HeapHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualSid (
|
|
IN PSID Sid1,
|
|
IN PSID Sid2
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFillMemoryUlong (
|
|
IN PVOID Destination,
|
|
IN ULONG Length,
|
|
IN ULONG Fill
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlFreeHeap (
|
|
IN HANDLE HeapHandle,
|
|
IN ULONG Flags,
|
|
IN PVOID P
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlGenerate8dot3Name (
|
|
IN PUNICODE_STRING Name,
|
|
IN BOOLEAN AllowExtendedCharacters,
|
|
IN OUT PGENERATE_NAME_CONTEXT Context,
|
|
OUT PUNICODE_STRING Name8dot3
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetCompressionWorkSpaceSize (
|
|
IN USHORT CompressionFormatAndEngine,
|
|
OUT PULONG CompressBufferWorkSpaceSize,
|
|
OUT PULONG CompressFragmentWorkSpaceSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetDaclSecurityDescriptor (
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
OUT PBOOLEAN DaclPresent,
|
|
OUT PACL *Dacl,
|
|
OUT PBOOLEAN DaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetGroupSecurityDescriptor (
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
OUT PSID *Group,
|
|
OUT PBOOLEAN GroupDefaulted
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetNtGlobalFlags (
|
|
VOID
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetOwnerSecurityDescriptor (
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
OUT PSID *Owner,
|
|
OUT PBOOLEAN OwnerDefaulted
|
|
);
|
|
|
|
//
|
|
// This function returns a PIMAGE_NT_HEADERS,
|
|
// see the standard include file winnt.h
|
|
//
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlImageNtHeader (
|
|
IN PVOID BaseAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitializeSid (
|
|
IN OUT PSID Sid,
|
|
IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
|
|
IN UCHAR SubAuthorityCount
|
|
);
|
|
|
|
//
// RtlIsNameLegalDOS8Dot3 takes a Unicode name, an ANSI string and a pointer
// to a BOOLEAN, and returns a BOOLEAN.
//
// NOTE(review): the third parameter is named Unknown and has no IN/OUT
// annotation, so this header does not say whether it is read or written or
// whether NULL is accepted; AnsiName is annotated IN but may also be
// written -- confirm both against the WDK documentation before relying on
// this declaration.
//
NTSYSAPI
BOOLEAN
NTAPI
RtlIsNameLegalDOS8Dot3 (
    IN PUNICODE_STRING  UnicodeName,
    IN PANSI_STRING     AnsiName,
    PBOOLEAN            Unknown
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlLengthRequiredSid (
|
|
IN UCHAR SubAuthorityCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlLengthSid (
|
|
IN PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNtStatusToDosError (
|
|
IN NTSTATUS Status
|
|
);
|
|
|
|
//
// RtlOemStringToCountedUnicodeSize is RtlOemStringToUnicodeSize minus
// sizeof(UNICODE_NULL), cast to ULONG.
//
#define RtlOemStringToCountedUnicodeSize(STRING) (                       \
    (ULONG)(RtlOemStringToUnicodeSize(STRING) - sizeof(UNICODE_NULL))    \
)

//
// RtlOemStringToUnicodeSize selects between two computations on
// NLS_MB_OEM_CODE_PAGE_TAG: when it is nonzero the size comes from
// RtlxOemStringToUnicodeSize (declared further down); otherwise it is
// (Length + sizeof(ANSI_NULL)) * sizeof(WCHAR).
//
// NOTE(review): the result is wider than a 16-bit length; presumably the
// string length fields it is stored into are USHORT -- confirm, and
// range-check the result before assigning it to such a field.
//
#define RtlOemStringToUnicodeSize(STRING) (                          \
    NLS_MB_OEM_CODE_PAGE_TAG                                         \
        ? RtlxOemStringToUnicodeSize(STRING)                         \
        : ((STRING)->Length + sizeof(ANSI_NULL)) * sizeof(WCHAR)     \
)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlOemStringToUnicodeString (
|
|
OUT PUNICODE_STRING DestinationString,
|
|
IN POEM_STRING SourceString,
|
|
IN BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
//
// RtlRandom takes a pointer to a ULONG seed and returns a ULONG.
//
// NOTE(review): Seed is annotated IN although it is passed by pointer;
// presumably the seed is updated on each call -- confirm.
// NOTE(review): a generator driven by a caller-held 32-bit seed is
// presumably deterministic for a given seed; do not use its output for
// keys, tokens or other values that must be unpredictable unless the
// documentation says otherwise.
//
NTSYSAPI
ULONG
NTAPI
RtlRandom (
    IN PULONG   Seed
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRandomEx (
|
|
IN PULONG Seed
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReserveChunk (
|
|
IN USHORT CompressionFormat,
|
|
IN OUT PUCHAR *CompressedBuffer,
|
|
IN PUCHAR EndOfCompressedBufferPlus1,
|
|
OUT PUCHAR *ChunkBuffer,
|
|
IN ULONG ChunkSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSecondsSince1970ToTime (
|
|
IN ULONG SecondsSince1970,
|
|
OUT PLARGE_INTEGER Time
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSecondsSince1980ToTime (
|
|
IN ULONG SecondsSince1980,
|
|
OUT PLARGE_INTEGER Time
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
//
// RtlSelfRelativeToAbsoluteSD is declared only when VER_PRODUCTBUILD >= 2195.
// It takes a self-relative security descriptor, an output buffer for the
// absolute form, and four further buffer/size pairs (DACL, SACL, owner,
// primary group), each size passed by pointer; it returns an NTSTATUS.
//
// NOTE(review): Dacl, Sacl, Owner and PrimaryGroup and all five size
// pointers are annotated IN; presumably the buffers are written by the
// callee and the sizes are in/out (capacity on entry, required size on
// return) -- confirm against the WDK prototype. Callers should initialize
// every size to the real capacity of its buffer and check the returned
// status before using any of the outputs.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlSelfRelativeToAbsoluteSD (
    IN  PSECURITY_DESCRIPTOR    SelfRelativeSD,
    OUT PSECURITY_DESCRIPTOR    AbsoluteSD,
    IN  PULONG                  AbsoluteSDSize,
    IN  PACL                    Dacl,
    IN  PULONG                  DaclSize,
    IN  PACL                    Sacl,
    IN  PULONG                  SaclSize,
    IN  PSID                    Owner,
    IN  PULONG                  OwnerSize,
    IN  PSID                    PrimaryGroup,
    IN  PULONG                  PrimaryGroupSize
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetGroupSecurityDescriptor (
|
|
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN PSID Group,
|
|
IN BOOLEAN GroupDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetOwnerSecurityDescriptor (
|
|
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN PSID Owner,
|
|
IN BOOLEAN OwnerDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetSaclSecurityDescriptor (
|
|
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN BOOLEAN SaclPresent,
|
|
IN PACL Sacl,
|
|
IN BOOLEAN SaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
PUCHAR
|
|
NTAPI
|
|
RtlSubAuthorityCountSid (
|
|
IN PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
PULONG
|
|
NTAPI
|
|
RtlSubAuthoritySid (
|
|
IN PSID Sid,
|
|
IN ULONG SubAuthority
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTimeToSecondsSince1970 (
|
|
IN PLARGE_INTEGER Time,
|
|
OUT PULONG SecondsSince1970
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTimeToSecondsSince1980 (
|
|
IN PLARGE_INTEGER Time,
|
|
OUT PULONG SecondsSince1980
|
|
);
|
|
|
|
//
// RtlUnicodeStringToOemSize selects between two computations on
// NLS_MB_OEM_CODE_PAGE_TAG: when it is nonzero the size comes from
// RtlxUnicodeStringToOemSize (declared further down); otherwise it is
// (Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR).
//
// NOTE(review): presumably the string length fields this result is stored
// into are USHORT -- confirm, and range-check before assigning.
//
#define RtlUnicodeStringToOemSize(STRING) (                            \
    NLS_MB_OEM_CODE_PAGE_TAG                                           \
        ? RtlxUnicodeStringToOemSize(STRING)                           \
        : ((STRING)->Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR)    \
)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToOemString (
|
|
OUT POEM_STRING DestinationString,
|
|
IN PUNICODE_STRING SourceString,
|
|
IN BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidSid (
|
|
IN PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlxOemStringToUnicodeSize (
|
|
IN POEM_STRING OemString
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlxUnicodeStringToAnsiSize (
|
|
IN PUNICODE_STRING UnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlxUnicodeStringToOemSize (
|
|
IN PUNICODE_STRING UnicodeString
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeAppendPrivileges (
|
|
PACCESS_STATE AccessState,
|
|
PPRIVILEGE_SET Privileges
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeAuditHardLinkCreation (
|
|
IN PUNICODE_STRING FileName,
|
|
IN PUNICODE_STRING LinkName,
|
|
IN BOOLEAN Success
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
SeAuditingFileEvents (
|
|
IN BOOLEAN AccessGranted,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
SeAuditingFileOrGlobalEvents (
|
|
IN BOOLEAN AccessGranted,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
SeAuditingHardLinkEvents (
|
|
IN BOOLEAN AccessGranted,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeCaptureSubjectContext (
|
|
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeCreateAccessState (
|
|
OUT PACCESS_STATE AccessState,
|
|
IN PVOID AuxData,
|
|
IN ACCESS_MASK AccessMask,
|
|
IN PGENERIC_MAPPING Mapping
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeCreateClientSecurity (
|
|
IN PETHREAD Thread,
|
|
IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
|
|
IN BOOLEAN RemoteClient,
|
|
OUT PSECURITY_CLIENT_CONTEXT ClientContext
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeCreateClientSecurityFromSubjectContext (
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
|
IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
|
|
IN BOOLEAN ServerIsRemote,
|
|
OUT PSECURITY_CLIENT_CONTEXT ClientContext
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeDeleteAccessState (
|
|
IN PACCESS_STATE AccessState
|
|
);
|
|
|
|
//
// SeDeleteClientSecurity releases the token held in the client context C:
// it asks SeTokenType for the type of C->ClientToken and calls
// PsDereferencePrimaryToken for a primary token, or
// PsDereferenceImpersonationToken for any other type.
//
// The macro does not reset C->ClientToken afterwards, so invoking it twice
// on the same context releases the token reference twice. C is evaluated
// more than once. The expansion is a brace block, so it cannot be the body
// of an unbraced if that has an else branch.
//
#define SeDeleteClientSecurity(C) {                                \
    if (SeTokenType((C)->ClientToken) != TokenPrimary) {           \
        PsDereferenceImpersonationToken( (C)->ClientToken );       \
    } else {                                                       \
        PsDereferencePrimaryToken( (C)->ClientToken );             \
    }                                                              \
}
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeDeleteObjectAuditAlarm (
|
|
IN PVOID Object,
|
|
IN HANDLE Handle
|
|
);
|
|
|
|
// SeEnableAccessToExports replaces SeExports with the PSE_EXPORTS value read
// through SeExports' current value (one extra level of indirection).
// NOTE(review): presumably meant to be invoked once, before SeExports is
// first used -- a second invocation would dereference the already-updated
// pointer; confirm against the driver's initialization path.
// The expansion already ends in a semicolon, so "SeEnableAccessToExports();"
// yields an extra empty statement; wrap the call in braces when it is the
// body of an if that has an else branch.
#define SeEnableAccessToExports() SeExports = *(PSE_EXPORTS *)SeExports;
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeFilterToken (
|
|
IN PACCESS_TOKEN ExistingToken,
|
|
IN ULONG Flags,
|
|
IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
|
|
IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
|
|
IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
|
|
OUT PACCESS_TOKEN *FilteredToken
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeFreePrivileges (
|
|
IN PPRIVILEGE_SET Privileges
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeImpersonateClient (
|
|
IN PSECURITY_CLIENT_CONTEXT ClientContext,
|
|
IN PETHREAD ServerThread OPTIONAL
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeImpersonateClientEx (
|
|
IN PSECURITY_CLIENT_CONTEXT ClientContext,
|
|
IN PETHREAD ServerThread OPTIONAL
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeLockSubjectContext (
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeMarkLogonSessionForTerminationNotification (
|
|
IN PLUID LogonId
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeOpenObjectAuditAlarm (
|
|
IN PUNICODE_STRING ObjectTypeName,
|
|
IN PVOID Object OPTIONAL,
|
|
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN PACCESS_STATE AccessState,
|
|
IN BOOLEAN ObjectCreated,
|
|
IN BOOLEAN AccessGranted,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PBOOLEAN GenerateOnClose
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeOpenObjectForDeleteAuditAlarm (
|
|
IN PUNICODE_STRING ObjectTypeName,
|
|
IN PVOID Object OPTIONAL,
|
|
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN PACCESS_STATE AccessState,
|
|
IN BOOLEAN ObjectCreated,
|
|
IN BOOLEAN AccessGranted,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PBOOLEAN GenerateOnClose
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
SePrivilegeCheck (
|
|
IN OUT PPRIVILEGE_SET RequiredPrivileges,
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
|
IN KPROCESSOR_MODE AccessMode
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeQueryAuthenticationIdToken (
|
|
IN PACCESS_TOKEN Token,
|
|
OUT PLUID LogonId
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
//
// SeQueryInformationToken is declared only when VER_PRODUCTBUILD >= 2195.
// It takes a token and an information class and returns a pointer through
// TokenInformation, together with an NTSTATUS.
//
// NOTE(review): the output is a pointer to a pointer and no buffer length
// is passed, so the storage is presumably allocated by the callee and has
// to be released by the caller -- confirm the owner and the release routine
// against the WDK documentation. Leave *TokenInformation unused when the
// call fails.
//
NTKERNELAPI
NTSTATUS
SeQueryInformationToken (
    IN  PACCESS_TOKEN           Token,
    IN  TOKEN_INFORMATION_CLASS TokenInformationClass,
    OUT PVOID                   *TokenInformation
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeQuerySecurityDescriptorInfo (
|
|
IN PSECURITY_INFORMATION SecurityInformation,
|
|
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN OUT PULONG Length,
|
|
IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
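//
// Returns the session id recorded in Token through SessionId.
//
// SessionId is a pointer the routine writes through, so it is annotated OUT
// (it was marked IN), matching the LogonId parameter of
// SeQueryAuthenticationIdToken. IN and OUT are documentation-only markers,
// so callers are unaffected.
// NOTE(review): read *SessionId only after checking the returned NTSTATUS.
//
NTKERNELAPI
NTSTATUS
SeQuerySessionIdToken (
    IN PACCESS_TOKEN Token,
    OUT PULONG       SessionId
);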
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
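//
// Selects the token of SubjectContext that an access decision should use:
// ClientToken when it is present, otherwise PrimaryToken.
//
// The argument is expanded three times, so it must be free of side effects.
// It is parenthesised in the expansion so that an expression argument is
// cast as a whole instead of only its first operand.
// NOTE(review): the macro only reads the two fields; it takes no lock and no
// reference. Presumably the context must have been captured (and locked
// where required) by the caller -- confirm against the callers.
//
#define SeQuerySubjectContextToken( SubjectContext ) \
    ( ARGUMENT_PRESENT( \
        ((PSECURITY_SUBJECT_CONTEXT) (SubjectContext))->ClientToken \
        ) ? \
    ((PSECURITY_SUBJECT_CONTEXT) (SubjectContext))->ClientToken : \
    ((PSECURITY_SUBJECT_CONTEXT) (SubjectContext))->PrimaryToken )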
|
|
|
|
typedef NTSTATUS (*PSE_LOGON_SESSION_TERMINATED_ROUTINE) (
|
|
IN PLUID LogonId
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeRegisterLogonSessionTerminatedRoutine (
|
|
IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeReleaseSubjectContext (
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeSetAccessStateGenericMapping (
|
|
PACCESS_STATE AccessState,
|
|
PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeSetSecurityDescriptorInfo (
|
|
IN PVOID Object OPTIONAL,
|
|
IN PSECURITY_INFORMATION SecurityInformation,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
IN POOL_TYPE PoolType,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeSetSecurityDescriptorInfoEx (
|
|
IN PVOID Object OPTIONAL,
|
|
IN PSECURITY_INFORMATION SecurityInformation,
|
|
IN PSECURITY_DESCRIPTOR ModificationDescriptor,
|
|
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
IN ULONG AutoInheritFlags,
|
|
IN POOL_TYPE PoolType,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
SeTokenIsAdmin (
|
|
IN PACCESS_TOKEN Token
|
|
);
|
|
|
|
NTKERNELAPI
|
|
BOOLEAN
|
|
SeTokenIsRestricted (
|
|
IN PACCESS_TOKEN Token
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTKERNELAPI
|
|
TOKEN_TYPE
|
|
SeTokenType (
|
|
IN PACCESS_TOKEN Token
|
|
);
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
SeUnlockSubjectContext (
|
|
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
SeUnregisterLogonSessionTerminatedRoutine (
|
|
IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwAdjustPrivilegesToken (
|
|
IN HANDLE TokenHandle,
|
|
IN BOOLEAN DisableAllPrivileges,
|
|
IN PTOKEN_PRIVILEGES NewState,
|
|
IN ULONG BufferLength,
|
|
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
|
|
OUT PULONG ReturnLength
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwAlertThread (
|
|
IN HANDLE ThreadHandle
|
|
);
|
|
|
|
//
// Allocates virtual memory in the address space of the process identified
// by ProcessHandle.
//
// BaseAddress and RegionSize are IN OUT: they carry the request in and are
// overwritten on return, so use the returned values rather than the
// requested ones.
// NOTE(review): Zw* routines called from kernel mode presumably run with
// previous mode KernelMode, so handles and pointers are not access-checked
// or probed for the original requestor. Do not forward a user-supplied
// ProcessHandle, size or Protect value without validating it first.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateVirtualMemory (
    IN HANDLE      ProcessHandle,
    IN OUT PVOID   *BaseAddress,
    IN ULONG       ZeroBits,
    IN OUT PSIZE_T RegionSize,
    IN ULONG       AllocationType,
    IN ULONG       Protect
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwAccessCheckAndAuditAlarm (
|
|
IN PUNICODE_STRING SubsystemName,
|
|
IN PVOID HandleId,
|
|
IN PUNICODE_STRING ObjectTypeName,
|
|
IN PUNICODE_STRING ObjectName,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN PGENERIC_MAPPING GenericMapping,
|
|
IN BOOLEAN ObjectCreation,
|
|
OUT PACCESS_MASK GrantedAccess,
|
|
OUT PBOOLEAN AccessStatus,
|
|
OUT PBOOLEAN GenerateOnClose
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwCancelIoFile (
|
|
IN HANDLE FileHandle,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwClearEvent (
|
|
IN HANDLE EventHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwConnectPort (
|
|
OUT PHANDLE ClientPortHandle,
|
|
IN PUNICODE_STRING ServerPortName,
|
|
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
|
|
IN OUT PLPC_SECTION_WRITE ClientSharedMemory OPTIONAL,
|
|
IN OUT PLPC_SECTION_READ ServerSharedMemory OPTIONAL,
|
|
OUT PULONG MaximumMessageLength OPTIONAL,
|
|
IN OUT PVOID ConnectionInfo OPTIONAL,
|
|
IN OUT PULONG ConnectionInfoLength OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwCloseObjectAuditAlarm (
|
|
IN PUNICODE_STRING SubsystemName,
|
|
IN PVOID HandleId,
|
|
IN BOOLEAN GenerateOnClose
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwCreateEvent (
|
|
OUT PHANDLE EventHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN EVENT_TYPE EventType,
|
|
IN BOOLEAN InitialState
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwCreateSection (
|
|
OUT PHANDLE SectionHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN PLARGE_INTEGER MaximumSize OPTIONAL,
|
|
IN ULONG SectionPageProtection,
|
|
IN ULONG AllocationAttributes,
|
|
IN HANDLE FileHandle OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwCreateSymbolicLinkObject (
|
|
OUT PHANDLE SymbolicLinkHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN PUNICODE_STRING TargetName
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwDeleteFile (
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwDeleteValueKey (
|
|
IN HANDLE Handle,
|
|
IN PUNICODE_STRING Name
|
|
);
|
|
|
|
//
// Sends IoControlCode to the device behind FileHandle. Input and output
// buffers are both OPTIONAL and each has its own explicit length; completion
// is reported through IoStatusBlock (and Event / ApcRoutine when supplied).
//
// NOTE(review): InputBufferLength and OutputBufferLength must describe the
// real size of the buffers passed. When either length or buffer originates
// from a user request, validate it before the call; the target driver
// presumably sees a kernel-mode requestor and will not probe again.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile (
    IN HANDLE            FileHandle,
    IN HANDLE            Event OPTIONAL,
    IN PIO_APC_ROUTINE   ApcRoutine OPTIONAL,
    IN PVOID             ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG             IoControlCode,
    IN PVOID             InputBuffer OPTIONAL,
    IN ULONG             InputBufferLength,
    OUT PVOID            OutputBuffer OPTIONAL,
    IN ULONG             OutputBufferLength
);
|
|
|
|
//
|
|
// If using ZwDisplayString during boot on Windows 2000 or later you must
|
|
// first call InbvEnableDisplayString.
|
|
//
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwDisplayString (
|
|
IN PUNICODE_STRING String
|
|
);
|
|
|
|
//
// Duplicates SourceHandle, which belongs to SourceProcessHandle, and returns
// the copy through TargetHandle. TargetProcessHandle and TargetHandle are
// both OPTIONAL; DesiredAccess, HandleAttributes and Options shape the copy.
//
// NOTE(review): the copy carries whatever DesiredAccess asks for. Keep it no
// broader than what the original requestor was granted, and treat a
// duplicate placed into a user-mode process as handing that process the
// access directly.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject (
    IN HANDLE      SourceProcessHandle,
    IN HANDLE      SourceHandle,
    IN HANDLE      TargetProcessHandle OPTIONAL,
    OUT PHANDLE    TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG       HandleAttributes,
    IN ULONG       Options
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwDuplicateToken (
|
|
IN HANDLE ExistingTokenHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN BOOLEAN EffectiveOnly,
|
|
IN TOKEN_TYPE TokenType,
|
|
OUT PHANDLE NewTokenHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwFlushInstructionCache (
|
|
IN HANDLE ProcessHandle,
|
|
IN PVOID BaseAddress OPTIONAL,
|
|
IN ULONG FlushSize
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwFlushVirtualMemory (
|
|
IN HANDLE ProcessHandle,
|
|
IN OUT PVOID *BaseAddress,
|
|
IN OUT PSIZE_T RegionSize,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwFreeVirtualMemory (
|
|
IN HANDLE ProcessHandle,
|
|
IN OUT PVOID *BaseAddress,
|
|
IN OUT PSIZE_T RegionSize,
|
|
IN ULONG FreeType
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwFsControlFile (
|
|
IN HANDLE FileHandle,
|
|
IN HANDLE Event OPTIONAL,
|
|
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
IN PVOID ApcContext OPTIONAL,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
IN ULONG FsControlCode,
|
|
IN PVOID InputBuffer OPTIONAL,
|
|
IN ULONG InputBufferLength,
|
|
OUT PVOID OutputBuffer OPTIONAL,
|
|
IN ULONG OutputBufferLength
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwInitiatePowerAction (
|
|
IN POWER_ACTION SystemAction,
|
|
IN SYSTEM_POWER_STATE MinSystemState,
|
|
IN ULONG Flags,
|
|
IN BOOLEAN Asynchronous
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
//
// Loads the driver described by the service key named in RegistryPath (the
// expected form is shown in the parameter comment).
//
// NOTE(review): the service key decides which image ends up running in
// kernel mode. RegistryPath should be built by the driver itself, never
// taken from an unprivileged caller, and the key should not be writable by
// non-administrators.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadDriver (
    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
    IN PUNICODE_STRING RegistryPath
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwLoadKey (
|
|
IN POBJECT_ATTRIBUTES KeyObjectAttributes,
|
|
IN POBJECT_ATTRIBUTES FileObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwNotifyChangeKey (
|
|
IN HANDLE KeyHandle,
|
|
IN HANDLE EventHandle OPTIONAL,
|
|
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
IN PVOID ApcContext OPTIONAL,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
IN ULONG NotifyFilter,
|
|
IN BOOLEAN WatchSubtree,
|
|
IN PVOID Buffer,
|
|
IN ULONG BufferLength,
|
|
IN BOOLEAN Asynchronous
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenDirectoryObject (
|
|
OUT PHANDLE DirectoryHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenEvent (
|
|
OUT PHANDLE EventHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
//
// Opens a handle to a process with DesiredAccess and returns it through
// ProcessHandle. The process is identified by ObjectAttributes and/or the
// OPTIONAL ClientId.
//
// NOTE(review): called from kernel mode, the open is presumably not checked
// against the original requestor's token. Ask for the least DesiredAccess
// that works, request a kernel handle through ObjectAttributes
// (OBJ_KERNEL_HANDLE, on builds that define it) so user mode cannot use or
// close the handle, and close it on every exit path.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess (
    OUT PHANDLE           ProcessHandle,
    IN ACCESS_MASK        DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID         ClientId OPTIONAL
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenProcessToken (
|
|
IN HANDLE ProcessHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
OUT PHANDLE TokenHandle
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
//
// Opens the token of the process behind ProcessHandle with DesiredAccess
// and returns the handle through TokenHandle. Compared with
// ZwOpenProcessToken it adds HandleAttributes.
//
// NOTE(review): HandleAttributes is presumably where a kernel handle
// (OBJ_KERNEL_HANDLE) is requested -- confirm in the WDK. ZwOpenProcessToken
// has no such parameter, so a token handle opened through it from a driver
// would live in the current process's handle table.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessTokenEx (
    IN HANDLE      ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG       HandleAttributes,
    OUT PHANDLE    TokenHandle
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenThread (
|
|
OUT PHANDLE ThreadHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
IN PCLIENT_ID ClientId
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenThreadToken (
|
|
IN HANDLE ThreadHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN BOOLEAN OpenAsSelf,
|
|
OUT PHANDLE TokenHandle
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenThreadTokenEx (
|
|
IN HANDLE ThreadHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN BOOLEAN OpenAsSelf,
|
|
IN ULONG HandleAttributes,
|
|
OUT PHANDLE TokenHandle
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwPowerInformation (
|
|
IN POWER_INFORMATION_LEVEL PowerInformationLevel,
|
|
IN PVOID InputBuffer OPTIONAL,
|
|
IN ULONG InputBufferLength,
|
|
OUT PVOID OutputBuffer OPTIONAL,
|
|
IN ULONG OutputBufferLength
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwPulseEvent (
|
|
IN HANDLE EventHandle,
|
|
OUT PULONG PreviousState OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryDefaultLocale (
|
|
IN BOOLEAN ThreadOrSystem,
|
|
OUT PLCID Locale
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryDefaultUILanguage (
|
|
OUT LANGID *LanguageId
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryDirectoryFile (
|
|
IN HANDLE FileHandle,
|
|
IN HANDLE Event OPTIONAL,
|
|
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
IN PVOID ApcContext OPTIONAL,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
OUT PVOID FileInformation,
|
|
IN ULONG Length,
|
|
IN FILE_INFORMATION_CLASS FileInformationClass,
|
|
IN BOOLEAN ReturnSingleEntry,
|
|
IN PUNICODE_STRING FileName OPTIONAL,
|
|
IN BOOLEAN RestartScan
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryDirectoryObject (
|
|
IN HANDLE DirectoryHandle,
|
|
OUT PVOID Buffer,
|
|
IN ULONG Length,
|
|
IN BOOLEAN ReturnSingleEntry,
|
|
IN BOOLEAN RestartScan,
|
|
IN OUT PULONG Context,
|
|
OUT PULONG ReturnLength OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryEaFile (
|
|
IN HANDLE FileHandle,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
OUT PVOID Buffer,
|
|
IN ULONG Length,
|
|
IN BOOLEAN ReturnSingleEntry,
|
|
IN PVOID EaList OPTIONAL,
|
|
IN ULONG EaListLength,
|
|
IN PULONG EaIndex OPTIONAL,
|
|
IN BOOLEAN RestartScan
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryInformationProcess (
|
|
IN HANDLE ProcessHandle,
|
|
IN PROCESSINFOCLASS ProcessInformationClass,
|
|
OUT PVOID ProcessInformation,
|
|
IN ULONG ProcessInformationLength,
|
|
OUT PULONG ReturnLength OPTIONAL
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryInformationThread (
|
|
IN HANDLE ThreadHandle,
|
|
IN THREADINFOCLASS ThreadInformationClass,
|
|
OUT PVOID ThreadInformation,
|
|
IN ULONG ThreadInformationLength,
|
|
OUT PULONG ReturnLength OPTIONAL
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2600)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryInformationToken (
|
|
IN HANDLE TokenHandle,
|
|
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|
OUT PVOID TokenInformation,
|
|
IN ULONG TokenInformationLength,
|
|
OUT PULONG ReturnLength
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryInstallUILanguage (
|
|
OUT LANGID *LanguageId
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryObject (
|
|
IN HANDLE ObjectHandle,
|
|
IN OBJECT_INFO_CLASS ObjectInformationClass,
|
|
OUT PVOID ObjectInformation,
|
|
IN ULONG Length,
|
|
OUT PULONG ResultLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQuerySection (
|
|
IN HANDLE SectionHandle,
|
|
IN SECTION_INFORMATION_CLASS SectionInformationClass,
|
|
OUT PVOID SectionInformation,
|
|
IN ULONG SectionInformationLength,
|
|
OUT PULONG ResultLength OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQuerySecurityObject (
|
|
IN HANDLE FileHandle,
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN ULONG Length,
|
|
OUT PULONG ResultLength
|
|
);
|
|
|
|
//
// Copies the data for SystemInformationClass into SystemInformation, which
// has room for Length bytes, and reports a size through ReturnLength.
//
// NOTE(review): for variable-size classes the amount of data can change
// between a sizing call and the real call; retry with a bounded loop and
// only parse the buffer after a successful status. Several classes
// presumably expose kernel addresses or per-process details -- do not relay
// the raw buffer to unprivileged callers.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID                   SystemInformation,
    IN ULONG                    Length,
    OUT PULONG                  ReturnLength
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwQueryVolumeInformationFile (
|
|
IN HANDLE FileHandle,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
OUT PVOID FsInformation,
|
|
IN ULONG Length,
|
|
IN FS_INFORMATION_CLASS FsInformationClass
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwReplaceKey (
|
|
IN POBJECT_ATTRIBUTES NewFileObjectAttributes,
|
|
IN HANDLE KeyHandle,
|
|
IN POBJECT_ATTRIBUTES OldFileObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwRequestWaitReplyPort (
|
|
IN HANDLE PortHandle,
|
|
IN PLPC_MESSAGE Request,
|
|
OUT PLPC_MESSAGE Reply
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwResetEvent (
|
|
IN HANDLE EventHandle,
|
|
OUT PULONG PreviousState OPTIONAL
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwRestoreKey (
|
|
IN HANDLE KeyHandle,
|
|
IN HANDLE FileHandle,
|
|
IN ULONG Flags
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSaveKey (
|
|
IN HANDLE KeyHandle,
|
|
IN HANDLE FileHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetDefaultLocale (
|
|
IN BOOLEAN ThreadOrSystem,
|
|
IN LCID Locale
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetDefaultUILanguage (
|
|
IN LANGID LanguageId
|
|
);
|
|
|
|
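//
// Writes the extended attributes held in Buffer (Length bytes) to the file
// behind FileHandle; the outcome is reported through IoStatusBlock.
//
// Buffer is the source of the data for a set operation, so it is annotated
// IN (it was marked OUT). IN and OUT are documentation-only markers, so
// callers are unaffected.
// NOTE(review): an EA buffer is a chain of variable-length entries. When it
// is assembled from request data, validate the chain against Length before
// the call (for example with IoCheckEaBufferValidity, if this header
// declares it).
//
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEaFile (
    IN HANDLE            FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID             Buffer,
    IN ULONG             Length
);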
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetEvent (
|
|
IN HANDLE EventHandle,
|
|
OUT PULONG PreviousState OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetInformationObject (
|
|
IN HANDLE ObjectHandle,
|
|
IN OBJECT_INFO_CLASS ObjectInformationClass,
|
|
IN PVOID ObjectInformation,
|
|
IN ULONG ObjectInformationLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetInformationProcess (
|
|
IN HANDLE ProcessHandle,
|
|
IN PROCESSINFOCLASS ProcessInformationClass,
|
|
IN PVOID ProcessInformation,
|
|
IN ULONG ProcessInformationLength
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
//
// Applies the parts of SecurityDescriptor selected by SecurityInformation to
// the object behind Handle.
//
// NOTE(review): this changes who may access the object afterwards. A
// descriptor built from request data should be captured into kernel memory
// and validated before the call, and SecurityInformation should name only
// the components the requestor is allowed to change.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSecurityObject (
    IN HANDLE               Handle,
    IN SECURITY_INFORMATION SecurityInformation,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetSystemInformation (
|
|
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
|
IN PVOID SystemInformation,
|
|
IN ULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetSystemTime (
|
|
IN PLARGE_INTEGER NewTime,
|
|
OUT PLARGE_INTEGER OldTime OPTIONAL
|
|
);
|
|
|
|
#if (VER_PRODUCTBUILD >= 2195)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwSetVolumeInformationFile (
|
|
IN HANDLE FileHandle,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
IN PVOID FsInformation,
|
|
IN ULONG Length,
|
|
IN FS_INFORMATION_CLASS FsInformationClass
|
|
);
|
|
|
|
#endif // (VER_PRODUCTBUILD >= 2195)
|
|
|
|
//
// Terminates the process behind ProcessHandle with ExitStatus.
//
// ProcessHandle is OPTIONAL (presumably NULL selects the current process --
// confirm in the WDK).
// NOTE(review): a handle that comes from request data must have been opened
// with an access check for the requestor; a driver that terminates whatever
// process a caller names acts with kernel authority on the caller's behalf.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
    IN HANDLE   ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
);
|
|
|
|
//
// Unloads the driver described by the service key named in RegistryPath
// (the expected form is shown in the parameter comment).
//
// NOTE(review): RegistryPath should be built by the driver itself. Letting a
// caller choose the key would let it ask for the unload of any driver,
// including ones that enforce security policy.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadDriver (
    // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
    IN PUNICODE_STRING RegistryPath
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwUnloadKey (
|
|
IN POBJECT_ATTRIBUTES KeyObjectAttributes
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwWaitForSingleObject (
|
|
IN HANDLE Handle,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwWaitForMultipleObjects (
|
|
IN ULONG HandleCount,
|
|
IN PHANDLE Handles,
|
|
IN WAIT_TYPE WaitType,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout OPTIONAL
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwYieldExecution (
|
|
VOID
|
|
);
|
|
|
|
//
|
|
// Below is stuff that is included in the Windows 2000 DDK but is missing in
|
|
// the Windows NT 4.0 DDK
|
|
//
|
|
|
|
#if (VER_PRODUCTBUILD < 2195)
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
HalMakeBeep (
|
|
IN ULONG Frequency
|
|
);
|
|
|
|
#ifndef IoCopyCurrentIrpStackLocationToNext
|
|
//
// Copies the current I/O stack location of Irp into the next one, up to but
// not including the CompletionRoutine field, then clears Control in the next
// location. The completion routine of the current driver (and whatever
// follows that field) is therefore not handed on to the next driver.
//
// The body is a braced block that declares irpSp and nextIrpSp, so the Irp
// argument must not be an expression that refers to variables with those
// names.
//
#define IoCopyCurrentIrpStackLocationToNext( Irp ) { \
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( (Irp) ); \
    PIO_STACK_LOCATION nextIrpSp = IoGetNextIrpStackLocation( (Irp) ); \
    RtlCopyMemory( nextIrpSp, \
                   irpSp, \
                   FIELD_OFFSET(IO_STACK_LOCATION, CompletionRoutine) ); \
    nextIrpSp->Control = 0; }
|
|
#endif
|
|
|
|
//
// Opens or creates a file and returns the handle through FileHandle. Besides
// the usual create parameters it takes CreateFileType,
// ExtraCreateParameters and Options.
//
// NOTE(review): when the path or ObjectAttributes come from a user-mode
// requestor, the open should be evaluated against that requestor, not
// against the kernel. Options is presumably where this is requested (for
// example IO_FORCE_ACCESS_CHECK, if this DDK defines it) -- confirm in the
// DDK documentation for this build.
//
NTKERNELAPI
NTSTATUS
IoCreateFile (
    OUT PHANDLE           FileHandle,
    IN ACCESS_MASK        DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK  IoStatusBlock,
    IN PLARGE_INTEGER     AllocationSize OPTIONAL,
    IN ULONG              FileAttributes,
    IN ULONG              ShareAccess,
    IN ULONG              CreateDisposition,
    IN ULONG              CreateOptions,
    IN PVOID              EaBuffer OPTIONAL,
    IN ULONG              EaLength,
    IN CREATE_FILE_TYPE   CreateFileType,
    IN PVOID              ExtraCreateParameters,
    IN ULONG              Options
);
|
|
|
|
#ifndef IoSkipCurrentIrpStackLocation
|
|
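//
// Advances CurrentLocation and the current stack location pointer of Irp by
// one, so that the next driver receives the same stack location this driver
// was given.
//
// The two increments are wrapped in a braced block, like
// IoCopyCurrentIrpStackLocationToNext. As two bare statements, only the
// first one was controlled by a preceding `if`, leaving the IRP with
// CurrentLocation and the stack pointer out of step. Existing call sites
// that follow the macro with a semicolon keep compiling.
//
#define IoSkipCurrentIrpStackLocation( Irp ) { \
    (Irp)->CurrentLocation++; \
    (Irp)->Tail.Overlay.CurrentStackLocation++; }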
|
|
#endif
|
|
|
|
//
// Checks a user-supplied buffer of Length bytes at Address, with the
// required Alignment, before the driver writes to it.
//
// The routine returns VOID: a bad range is presumably reported by raising an
// exception, so the call has to sit inside a structured exception handler --
// confirm in the DDK.
// NOTE(review): a successful probe does not pin the memory. The user process
// can still change or unmap it afterwards, so every later access needs the
// same exception handling, and any value read from the buffer should be
// copied to kernel memory once and validated there.
//
NTSYSAPI
VOID
NTAPI
ProbeForWrite (
    IN PVOID Address,
    IN ULONG Length,
    IN ULONG Alignment
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenFile (
|
|
OUT PHANDLE FileHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|
OUT PIO_STATUS_BLOCK IoStatusBlock,
|
|
IN ULONG ShareAccess,
|
|
IN ULONG OpenOptions
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
ZwOpenSymbolicLinkObject (
|
|
OUT PHANDLE SymbolicLinkHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes
|
|
);
|
|
|
|
//
// Returns the target of the symbolic link behind LinkHandle in LinkTarget
// and, when ReturnedLength is supplied, a length through it.
//
// LinkTarget is IN OUT: the caller provides the UNICODE_STRING, including
// its Buffer and MaximumLength, and the routine fills it in.
// NOTE(review): size the buffer from MaximumLength in bytes, not characters,
// and do not assume the result is NUL-terminated; use the Length field when
// the string is consumed. Presumably ReturnedLength reports the size needed
// when the buffer is too small -- confirm in the DDK.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySymbolicLinkObject (
    IN HANDLE              LinkHandle,
    IN OUT PUNICODE_STRING LinkTarget,
    OUT PULONG             ReturnedLength OPTIONAL
);
|
|
|
|
#endif // (VER_PRODUCTBUILD < 2195)
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif // _NTIFS_
|