/*
This is a free version of the file ntifs.h, release 53.
The purpose of this include file is to build file system and
file system filter drivers for Windows NT®, Windows® 2000,
Windows® XP and Windows® Server 2003.
Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 Bo Brantén.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
The GNU General Public License is also available from:
http://www.gnu.org/copyleft/gpl.html
Windows and Windows NT are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
DISCLAIMER: I do not encourage anyone to use this include file to build
drivers used in production. The information in this include file is
incomplete and intended only as a study companion. The information
has been found in books, magazines, on the Internet and received from
contributors. Some of the information in this file may not be available
in other publications intended for similar use, these should be used with
extra care. Some of the information in this file may have different names
than in other publications even though they describe the same thing.
Please send comments, corrections and contributions to bosse@acc.umu.se
The most recent version of this file is available from:
http://www.acc.umu.se/~bosse/ntifs.h
Thanks to:
Andrey Shedel, Luigi Mori, Louis Joubert, Itai Shaham, David Welch,
Emanuele Aliberti, Anton Altaparmakov, Dan Partelly, Mamaich, Yossi
Yaffe, Gunnar André Dalsnes, Vadim V Vorobev, Ashot Oganesyan K, Oleg
Nikityenko, Matt Wu, Tomas Olsson, Raaf, Anthony Choi, Alexey Logachyov,
Marc-Antoine Ruel, Vyacheslav I. Levtchenko, Yuri Polyakov, Bruno Milot,
Alex Vlasov, Dan Fulger, Petr Semerad and Darja Isaksson.
Revision history:
53. 2005-11-06
Added:
Function prototypes:
RtlRandom
RtlRandomEx
RtlSecondsSince1980ToTime
RtlTimeToSecondsSince1980
52. 2005-11-05
Corrected:
OBJECT_NAME
TOKEN_OBJECT
51. 2005-10-16
Corrected:
ETHREAD
GDI_TEB_BATCH
MMADDRESS_NODE
TEB
50. 2005-10-15
Added:
Data types:
READ_LIST
Function prototypes:
IoAttachDeviceToDeviceStackSafe
IoCheckQuerySetFileInformation
IoCheckQuerySetVolumeInformation
IoCreateFileSpecifyDeviceObjectHint
IoCreateStreamFileObjectEx
IoEnumerateDeviceObjectList
IoGetDeviceAttachmentBaseRef
IoGetDiskDeviceObject
IoGetLowerDeviceObject
IoIsFileOriginRemote
IoQueryFileDosDeviceName
IoQueueThreadIrp
IoSetFileOrigin
KeAcquireQueuedSpinLock
KeInitializeMutant
KeReadStateMutant
KeReleaseMutant
KeReleaseQueuedSpinLock
KeSetIdealProcessorThread
KeSetKernelStackSwapEnable
KeTryToAcquireQueuedSpinLock
MmPrefetchPages
ObDereferenceSecurityDescriptor
ObLogSecurityDescriptor
ObReferenceSecurityDescriptor
PoQueueShutdownWorkItem
RtlxUnicodeStringToAnsiSize
SeAuditHardLinkCreation
SeAuditingHardLinkEvents
SeFilterToken
49. 2005-10-09
Corrected:
EPROCESS
KTHREAD
MMSUPPORT_FLAGS
MMSUPPORT
OBJECT_HEADER
OBJECT_TYPE_INITIALIZER
OBJECT_TYPE
TEB
KeInsertQueueApc
Added:
Defines:
OB_FLAG_XXX
OB_SECURITY_CHARGE
Data types:
ACTIVATION_CONTEXT_STACK
GDI_TEB_BATCH
HANDLE_INFO
KGUARDED_MUTEX
MMADDRESS_NODE
MM_AVL_TABLE
OBJECT_CREATE_INFORMATION
OBJECT_CREATOR_INFO
OBJECT_DIRECTORY
OBJECT_DIRECTORY_ITEM
OBJECT_HANDLE_DB
OBJECT_HANDLE_DB_LIST
OBJECT_HEADER_FLAGS
OBJECT_NAME
OBJECT_QUOTA_CHARGES
OBJECT_QUOTA_INFO
QUOTA_BLOCK
RTL_ACTIVATION_CONTEXT_STACK_FRAME
TEB_ACTIVE_FRAME
TEB_ACTIVE_FRAME_CONTEXT
Wx86ThreadState
Function prototypes:
FsRtlAcquireFileExclusive
FsRtlBalanceReads
FsRtlDissectDbcs
FsRtlDoesDbcsContainWildCards
FsRtlIsDbcsInExpression
FsRtlIsFatDbcsLegal
FsRtlIsHpfsDbcsLegal
FsRtlIsPagingFile
FsRtlIsTotalDeviceFailure
FsRtlMdlReadDev
FsRtlPostPagingFileStackOverflow
FsRtlPostStackOverflow
FsRtlPrepareMdlWriteDev
FsRtlReleaseFile
48. 2005-04-16
Added:
Data types:
THREAD_BASIC_INFORMATION
Function prototypes:
ZwQueryInformationThread
47. 2005-03-08
Corrected:
SYSTEM_PROCESSES_INFORMATION
TOKEN_OBJECT
KeInsertQueueApc
46. 2004-06-08
Added:
Data types:
TOKEN_OBJECT
45. 2004-06-06
Corrected:
SERVICE_DESCRIPTOR_TABLE
Added:
Defines:
TOKEN_SESSION_NOT_REFERENCED
TOKEN_SANDBOX_INERT
TOKEN_HAS_IMPERSONATE_PRIVILEGE
Function prototypes:
FsRtlDissectName
RtlOemStringToCountedUnicodeSize
RtlOemStringToUnicodeSize
RtlOemStringToUnicodeString
RtlUnicodeStringToOemSize
RtlUnicodeStringToOemString
RtlxOemStringToUnicodeSize
RtlxUnicodeStringToOemSize
44. 2003-05-06
Added:
Function prototypes:
InbvAcquireDisplayOwnership
InbvCheckDisplayOwnership
InbvDisplayString
InbvEnableBootDriver
InbvEnableDisplayString
InbvInstallDisplayStringFilter
InbvIsBootDriverInstalled
InbvNotifyDisplayOwnershipLost
InbvResetDisplay
InbvSetScrollRegion
InbvSetTextColor
InbvSolidColorFill
43. 2003-04-07
Added:
Data types:
MCB
Function prototypes:
FsRtlAddMcbEntry
FsRtlInitializeMcb
FsRtlLookupLastMcbEntry
FsRtlLookupMcbEntry
FsRtlNotifyFilterChangeDirectory
FsRtlNotifyFilterReportChange
FsRtlNumberOfRunsInMcb
FsRtlRemoveMcbEntry
FsRtlTruncateMcb
FsRtlUninitializeMcb
42. 2003-03-30
Corrected:
SYSTEM_CACHE_INFORMATION
SYSTEM_INFORMATION_CLASS
Added:
Data types:
SYSTEM_XXX_INFORMATION
THREAD_STATE
41. 2003-01-03
Corrected:
CcMapData
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
PsGetProcessExitTime
PsReferencePrimaryToken
Added:
Defines:
MAP_XXX
Function prototypes:
CcMdlWriteAbort
PsAssignImpersonationToken
PsChargeProcessNonPagedPoolQuota
PsChargeProcessPagedPoolQuota
PsChargeProcessPoolQuota
PsDisableImpersonation
PsImpersonateClient
PsIsSystemThread
PsRestoreImpersonation
SeDeleteAccessState
ZwOpenProcessTokenEx
ZwOpenThreadTokenEx
40. 2002-10-02
Corrected:
HANDLE_TABLE_ENTRY
Added:
Defines:
FSRTL_FLAG_ADVANCED_HEADER
FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS
FSRTL_FLAG2_PURGE_WHEN_MAPPED
Data types:
FILE_ID_BOTH_DIR_INFORMATION
FILE_ID_FULL_DIR_INFORMATION
39. 2002-08-04
Added:
Data types:
LARGE_MCB
Function prototypes:
FsRtlAddLargeMcbEntry
FsRtlGetNextLargeMcbEntry
FsRtlInitializeLargeMcb
FsRtlLookupLargeMcbEntry
FsRtlLookupLastLargeMcbEntry
FsRtlLookupLastLargeMcbEntryAndIndex
FsRtlNumberOfRunsInLargeMcb
FsRtlRemoveLargeMcbEntry
FsRtlResetLargeMcb
FsRtlSplitLargeMcb
FsRtlTruncateLargeMcb
FsRtlUninitializeLargeMcb
38. 2002-06-30
Added:
Defines:
FILE_READ_ONLY_VOLUME
Function prototypes:
FsRtlAllocateResource
FsRtlIncrementCcFastReadNotPossible
FsRtlIncrementCcFastReadNoWait
FsRtlIncrementCcFastReadResourceMiss
FsRtlIncrementCcFastReadWait
KeIsAttachedProcess
KeIsExecutingDpc
KeRevertToUserAffinityThread
KeUpdateSystemTime
PsGetCurrentProcessSessionId
PsGetCurrentThreadPreviousMode
PsGetCurrentThreadStackBase
PsGetCurrentThreadStackLimit
RtlGetNtGlobalFlags
37. 2002-05-18
Updated for Windows XP:
EPROCESS
ETHREAD
KPROCESS
KTHREAD
MMSUPPORT_FLAGS
MMSUPPORT
PRIVATE_CACHE_MAP_FLAGS
PRIVATE_CACHE_MAP
SHARED_CACHE_MAP
Corrected:
VACB
Added:
Data types:
EPROCESS_QUOTA_ENTRY
EPROCESS_QUOTA_BLOCK
EX_FAST_REF
EX_PUSH_LOCK
EX_RUNDOWN_REF
PAGEFAULT_HISTORY
SE_AUDIT_PROCESS_CREATION_INFO
SECTION_OBJECT
TERMINATION_PORT
36. 2002-05-14
Corrected:
FILE_FS_FULL_SIZE_INFORMATION
35. 2002-03-23
Added:
Defines:
COMPRESSION_XXX
Data types:
COMPRESSED_DATA_INFO
OBJECT_HEADER
VAD_HEADER
Function prototypes:
CcWaitForCurrentLazyWriterActivity
FsRtlCheckOplock
FsRtlCurrentBatchOplock
FsRtlDeregisterUncProvider
FsRtlInitializeOplock
FsRtlOplockFsctrl
FsRtlOplockIsFastIoPossible
FsRtlRegisterUncProvider
FsRtlUninitializeOplock
RtlCompressBuffer
RtlCompressChunks
RtlDecompressBuffer
RtlDecompressChunks
RtlDecompressFragment
RtlDescribeChunk
RtlGetCompressionWorkSpaceSize
RtlReserveChunk
34. 2002-02-14
Corrected:
HARDWARE_PTE
Changed the use of _WIN32_WINNT to VER_PRODUCTBUILD since _WIN32_WINNT
is incorrectly defined in the Windows 2000 build environment included
in the Windows XP DDK.
33. 2002-01-20
Added:
Function prototypes:
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
32. 2002-01-18
Corrected:
ObReferenceObjectByName
FILE_FS_OBJECT_ID_INFORMATION
FILE_OBJECTID_INFORMATION
Added:
Externals:
IoDriverObjectType
SeExports
Defines:
FILE_ACTION_XXX
FSCTL_XXX
IO_FILE_OBJECT_XXX
IRP_BEING_VERIFIED
TOKEN_XXX
Data types:
DEVICE_MAP
FILE_TRACKING_INFORMATION
SE_EXPORTS
Function prototypes:
SeEnableAccessToExports
31. 2001-12-23
Corrected:
QueryQuota in EXTENDED_IO_STACK_LOCATION
FILE_LOCK
CcPinMappedData
CcPinRead
CcPreparePinWrite
FsRtlFastUnlockAll
FsRtlFastUnlockAllByKey
FsRtlFastUnlockSingle
FsRtlInitializeFileLock
FsRtlPrivateLock
FsRtlProcessFileLock
MmForceSectionClosed
MmIsRecursiveIoFault
SeImpersonateClient
SeImpersonateClientEx
Added:
Defines:
More FSRTL_FLAG_XXX
PIN_XXX
VACB_XXX
Data types:
REPARSE_DATA_BUFFER
Function prototypes:
CcCopyWriteWontFlush
CcGetFileSizePointer
CcGetFlushedValidData
CcIsFileCached
CcRemapBcb
ExDisableResourceBoostLite
ExQueryPoolBlockSize
FsRtlAllocateFileLock
FsRtlAreThereCurrentFileLocks
FsRtlFastLock
FsRtlFreeFileLock
IoCheckDesiredAccess
IoCheckEaBufferValidity
IoCheckFunctionAccess
IoCheckQuotaBufferValidity
IoCreateStreamFileObjectLite
IoFastQueryNetworkAttributes
IoGetRequestorProcessId
IoIsFileOpenedExclusively
IoIsSystemThread
IoIsValidNameGraftingBuffer
IoSynchronousPageWrite
IoThreadToProcess
KeInitializeQueue
KeInsertHeadQueue
KeInsertQueue
KeReadStateQueue
KeRemoveQueue
KeRundownQueue
MmSetAddressRangeModified
ObGetObjectPointerCount
ObMakeTemporaryObject
ObQueryObjectAuditingByHandle
PsChargePoolQuota
PsReturnPoolQuota
SeAppendPrivileges
SeAuditingFileEvents
SeAuditingFileOrGlobalEvents
SeCreateClientSecurity
SeCreateClientSecurityFromSubjectContext
SeDeleteClientSecurity
SeDeleteObjectAuditAlarm
SeFreePrivileges
SeLockSubjectContext
SeOpenObjectAuditAlarm
SeOpenObjectForDeleteAuditAlarm
SePrivilegeCheck
SeQueryAuthenticationIdToken
SeQuerySecurityDescriptorInfo
SeQuerySessionIdToken
SeSetAccessStateGenericMapping
SeSetSecurityDescriptorInfo
SeSetSecurityDescriptorInfoEx
SeTokenIsAdmin
SeTokenIsRestricted
SeTokenType
SeUnlockSubjectContext
30. 2001-10-24
Corrected:
KINTERRUPT
OBJECT_TYPE
Added:
Defines:
More FSCTL_XXX
Data types:
BITMAP_RANGE
CreateMailslot in EXTENDED_IO_STACK_LOCATION
CreatePipe in EXTENDED_IO_STACK_LOCATION
QueryQuota in EXTENDED_IO_STACK_LOCATION
MAILSLOT_CREATE_PARAMETERS
MBCB
NAMED_PIPE_CREATE_PARAMETERS
PRIVATE_CACHE_MAP_FLAGS
PRIVATE_CACHE_MAP
SECURITY_CLIENT_CONTEXT
SHARED_CACHE_MAP
VACB
Function prototypes:
HalQueryRealTimeClock
HalSetRealTimeClock
PsGetProcessExitTime
PsIsThreadTerminating
PsLookupProcessThreadByCid
PsLookupThreadByThreadId
SeQueryAuthenticationIdToken
Externals:
KeServiceDescriptorTable
SePublicDefaultDacl
SeSystemDefaultDacl
29. 2001-10-06
Added:
Defines:
FSRTL_VOLUME_XXX
Function prototypes:
FsRtlNotifyChangeDirectory
FsRtlNotifyReportChange
FsRtlNotifyVolumeEvent
28. 2001-09-16
Added:
Function prototypes:
FsRtlNotifyInitializeSync
FsRtlNotifyUninitializeSync
SeImpersonateClientEx
SeReleaseSubjectContext
27. 2001-08-25
Corrected:
KPROCESS
FILE_LOCK_ANCHOR
FsRtlNormalizeNtstatus
RtlSecondsSince1970ToTime
RtlTimeToSecondsSince1970
SeQueryInformationToken
Added:
Defines:
FS_LFN_APIS
Data types:
FILE_LOCK_ENTRY
FILE_SHARED_LOCK_ENTRY
FILE_EXCLUSIVE_LOCK_ENTRY
Function prototypes:
FsRtlCheckLockForReadAccess
FsRtlCheckLockForWriteAccess
FsRtlFastUnlockAll
FsRtlFastUnlockAllByKey
FsRtlFastUnlockSingle
FsRtlGetFileSize
FsRtlGetNextFileLock
FsRtlInitializeFileLock
FsRtlPrivateLock
FsRtlProcessFileLock
FsRtlUninitializeFileLock
IoUnregisterFsRegistrationChange
PsLookupProcessByProcessId
SeQuerySubjectContextToken
26. 2001-04-28
Added:
Defines:
FSCTL_XXX
Data types:
RTL_SPLAY_LINKS
TUNNEL
Function prototypes:
FsRtlAddToTunnelCache
FsRtlDeleteKeyFromTunnelCache
FsRtlDeleteTunnelCache
FsRtlFindInTunnelCache
FsRtlInitializeTunnelCache
IoSetDeviceToVerify
KeInitializeApc
KeInsertQueueApc
SeQueryInformationToken
25. 2001-04-05
Corrected:
RtlImageNtHeader
LPC_XXX
OBJECT_BASIC_INFO
Added:
Defines:
SID_REVISION
Data types:
DIRECTORY_BASIC_INFORMATION
KINTERRUPT
OBJECT_HANDLE_ATTRIBUTE_INFO
PROCESS_PRIORITY_CLASS
SECTION_BASIC_INFORMATION
SECTION_IMAGE_INFORMATION
SECTION_INFORMATION_CLASS
Function prototypes:
RtlSecondsSince1970ToTime
RtlTimeToSecondsSince1970
ZwAdjustPrivilegesToken
ZwAlertThread
ZwAccessCheckAndAuditAlarm
ZwClearEvent
ZwCloseObjectAuditAlarm
ZwCreateSection
ZwCreateSymbolicLinkObject
ZwDuplicateToken
ZwFlushInstructionCache
ZwFlushVirtualMemory
ZwInitiatePowerAction
ZwLoadKey
ZwNotifyChangeKey
ZwOpenThread
ZwPowerInformation
ZwPulseEvent
ZwQueryDefaultLocale
ZwQueryDefaultUILanguage
ZwQueryInformationProcess
ZwQueryInstallUILanguage
ZwQuerySection
ZwReplaceKey
ZwResetEvent
ZwRestoreKey
ZwSaveKey
ZwSetDefaultLocale
ZwSetDefaultUILanguage
ZwSetEvent
ZwSetInformationObject
ZwSetInformationProcess
ZwSetSecurityObject
ZwSetSystemTime
ZwTerminateProcess
ZwUnloadKey
ZwWaitForSingleObject
ZwWaitForMultipleObjects
ZwYieldExecution
Removed functions that are not exported in kernel mode:
CcZeroEndOfLastPage
RtlAllocateAndInitializeSid
ZwAcceptConnectPort
ZwCompleteConnectPort
ZwCreatePort
ZwCreateProcess
ZwCreateThread
ZwFlushBuffersFile
ZwGetContextThread
ZwImpersonateClientOfPort
ZwListenPort
ZwLockFile
ZwNotifyChangeDirectoryFile
ZwQueryInformationPort
ZwReadRequestData
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReplyPort
ZwRequestPort
ZwUnlockFile
ZwWriteRequestData
24. 2001-03-08
Corrected:
EPROCESS
ETHREAD
FAST_IO_POSSIBLE
QueryEa in EXTENDED_IO_STACK_LOCATION
Added:
Defines:
Some more flags for FileSystemAttributes
Data types:
EXCEPTION_REGISTRATION_RECORD
FILE_FS_FULL_SIZE_INFORMATION
FILE_FS_OBJECT_ID_INFORMATION
HANDLE_TABLE_ENTRY
IO_CLIENT_EXTENSION
PS_IMPERSONATION_INFORMATION
SetEa and SetQuota in EXTENDED_IO_STACK_LOCATION
Function prototypes:
IoPageRead
KeStackAttachProcess
KeUnstackDetachProcess
MmMapViewOfSection
RtlSelfRelativeToAbsoluteSD
SeCreateAccessState
23. 2001-01-29
Corrected:
FSCTL_GET_VOLUME_INFORMATION
FSCTL_READ_MFT_RECORD
HARDWARE_PTE
EPROCESS
ETHREAD
KAPC_STATE
KPROCESS
KTHREAD
MMSUPPORT
Added:
Data types:
KGDTENTRY
KIDTENTRY
MMSUPPORT_FLAGS
22. 2000-12-23
Corrected:
EPROCESS
KPROCESS
Added:
Data types:
HARDWARE_PTE
MMSUPPORT
21. 2000-12-12
Added:
Defines:
IO_TYPE_XXX
OB_TYPE_XXX
THREAD_STATE_XXX
Data types:
EPROCESS
ETHREAD
KAPC_STATE
KEVENT_PAIR
KPROCESS
KTHREAD
KQUEUE
SERVICE_DESCRIPTOR_TABLE
TEB
20. 2000-12-03
Added:
Data types:
OBJECT_TYPE
Function prototypes:
ObCreateObject
ObInsertObject
ObReferenceObjectByName
19. 2000-11-25
Removed a name from the credits since the person wants to be anonymous.
18. 2000-10-13
Corrected:
PsReferenceImpersonationToken
Added:
Defines:
FILE_PIPE_XXX
LPC_XXX
MAILSLOT_XXX
PORT_XXX
FSCTL_GET_VOLUME_INFORMATION
FSCTL_READ_MFT_RECORD
FSCTL_MAILSLOT_PEEK
FSCTL_PIPE_XXX
Data types:
PORT_INFORMATION_CLASS
BITMAP_DESCRIPTOR
FILE_MAILSLOT_XXX
FILE_PIPE_XXX
MAPPING_PAIR
GET_RETRIEVAL_DESCRIPTOR
LPC_XXX
MOVEFILE_DESCRIPTOR
Function prototypes:
InitializeMessageHeader
MmForceSectionClosed
ZwAcceptConnectPort
ZwCompleteConnectPort
ZwConnectPort
ZwCreateEvent
ZwCreatePort
ZwImpersonateClientOfPort
ZwListenPort
ZwQueryInformationPort
ZwReadRequestData
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwWriteRequestData
17. 2000-05-21
Added:
Function prototypes:
PsRevertToSelf
SeCreateClientSecurity
SeImpersonateClient
ZwDuplicateObject
16. 2000-03-28
Added:
Defines:
FILE_STORAGE_TYPE_XXX
FILE_VC_XXX
IO_CHECK_CREATE_PARAMETERS
IO_ATTACH_DEVICE
IO_ATTACH_DEVICE_API
IO_COMPLETION_XXX
Data types:
IO_COMPLETION_INFORMATION_CLASS
OBJECT_INFO_CLASS
SYSTEM_INFORMATION_CLASS
FILE_LOCK_ANCHOR
IO_COMPLETION_BASIC_INFORMATION
OBJECT_BASIC_INFO
OBJECT_NAME_INFO
OBJECT_PROTECTION_INFO
OBJECT_TYPE_INFO
OBJECT_ALL_TYPES_INFO
SYSTEM_CACHE_INFORMATION
Function prototypes:
FsRtlAllocatePool
FsRtlAllocatePoolWithQuota
FsRtlAllocatePoolWithQuotaTag
FsRtlAllocatePoolWithTag
FsRtlAreNamesEqual
FsRtlFastCheckLockForRead
FsRtlFastCheckLockForWrite
FsRtlMdlReadComplete
FsRtlMdlWriteComplete
FsRtlNormalizeNtstatus
RtlAllocateHeap
RtlCreateHeap
RtlDestroyHeap
RtlFreeHeap
RtlImageNtHeader
ZwQueryObject
ZwQuerySystemInformation
ZwSetSystemInformation
15. 2000-03-15
Corrected:
Renamed IoQueryFileVolumeInformation to IoQueryVolumeInformation
Comment on:
CcZeroEndOfLastPage
14. 2000-03-12
Corrected:
IoCreateFile
Added:
#if (_WIN32_WINNT < 0x0500)/#endif around stuff that is included in
the Windows 2000 DDK but is missing in the Windows NT 4.0 DDK.
ZwOpenEvent
13. 2000-02-08
Corrected:
PsReferenceImpersonationToken
Comment on:
RtlAllocateAndInitializeSid
12. 1999-10-18
Corrected:
FILE_COMPRESSION_INFORMATION
Added:
Defines:
ACCESS_ALLOWED_ACE_TYPE
ACCESS_DENIED_ACE_TYPE
SYSTEM_AUDIT_ACE_TYPE
SYSTEM_ALARM_ACE_TYPE
ANSI_DOS_STAR/QM/DOT
DOS_STAR/QM/DOT
FILE_EA_TYPE_XXX
FILE_NEED_EA
FILE_OPBATCH_BREAK_UNDERWAY
SECURITY_WORLD_SID_AUTHORITY
SECURITY_WORLD_RID
Data types:
POBJECT
FILE_STORAGE_TYPE
FILE_COMPLETION_INFORMATION
FILE_COPY_ON_WRITE_INFORMATION
FILE_FS_CONTROL_INFORMATION
FILE_GET_EA_INFORMATION
FILE_GET_QUOTA_INFORMATION
FILE_OBJECTID_INFORMATION
FILE_OLE_CLASSID_INFORMATION
FILE_OLE_ALL_INFORMATION
FILE_OLE_DIR_INFORMATION
FILE_OLE_INFORMATION
FILE_OLE_STATE_BITS_INFORMATION
FILE_QUOTA_INFORMATION
Function prototypes:
HalDisplayString
HalMakeBeep
IoGetRequestorProcess
ObQueryNameString
ProbeForWrite
RtlAbsoluteToSelfRelativeSD
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlInitializeSid
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetSaclSecurityDescriptor
ZwDeleteValueKey
ZwDisplayString
ZwQueryDirectoryObject
11. 1999-10-13
Corrected:
ZwOpenProcessToken
ZwOpenThreadToken
Added:
Function prototypes:
RtlAllocateAndInitializeSid
RtlCopySid
RtlEqualSid
RtlFillMemoryUlong
RtlIsNameLegalDOS8Dot3
RtlLengthRequiredSid
RtlLengthSid
RtlNtStatusToDosError
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlValidSid
10. 1999-07-15
Corrected:
RtlConvertSidToUnicodeString
Added:
Externals:
FsRtlLegalAnsiCharacterArray
NtBuildNumber
Defines:
FSRTL_WILD_CHARACTER
FlagOn
FsRtlIsUnicodeCharacterWild
Structures:
FILE_ACCESS_INFORMATION
FILE_MODE_INFORMATION
GENERATE_NAME_CONTEXT
Function prototypes:
FsRtlDoesNameContainWildCards
FsRtlIsNameInExpression
IoSetInformation
RtlGenerate8dot3Name
ZwQuerySecurityObject
9. 1999-07-12
Corrected:
EXTENDED_IO_STACK_LOCATION
QueryDirectory in EXTENDED_IO_STACK_LOCATION
ZwCreateThread
Added:
Structures:
INITIAL_TEB
Function prototypes:
ZwQuerySymbolicLinkObject
8. 1999-06-07
Corrected:
ZwOpenProcessToken
ZwOpenThreadToken
Added:
Defines:
FILE_OPLOCK_BROKEN_TO_LEVEL_2
FILE_OPLOCK_BROKEN_TO_NONE
FILE_CASE_SENSITIVE_SEARCH
FILE_CASE_PRESERVED_NAMES
FILE_UNICODE_ON_DISK
FILE_PERSISTENT_ACLS
FILE_FILE_COMPRESSION
FILE_VOLUME_IS_COMPRESSED
FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX
FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH
IOCTL_REDIR_QUERY_PATH
Structures:
FILE_FS_LABEL_INFORMATION
PATHNAME_BUFFER
In IO_STACK_LOCATION:
FileSystemControl
LockControl
SetVolume
Function prototypes:
FsRtlCopyRead
FsRtlCopyWrite
IoVerifyVolume
7. 1999-06-05
Added:
defines for TOKEN_XXX
SID_NAME_USE
TOKEN_INFORMATION_CLASS
TOKEN_TYPE
FILE_FS_ATTRIBUTE_INFORMATION
FILE_FS_SIZE_INFORMATION
SID_IDENTIFIER_AUTHORITY
SID
SID_AND_ATTRIBUTES
TOKEN_CONTROL
TOKEN_DEFAULT_DACL
TOKEN_GROUPS
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_USER
IoCreateFile
IoGetAttachedDevice
IoGetBaseFileSystemDeviceObject
PsReferenceImpersonationToken
PsReferencePrimaryToken
RtlConvertSidToUnicodeString
SeCaptureSubjectContext
SeMarkLogonSessionForTerminationNotification
SeRegisterLogonSessionTerminatedRoutine
SeUnregisterLogonSessionTerminatedRoutine
ZwOpenProcessToken
ZwOpenThreadToken
ZwQueryInformationToken
6. 1999-05-10
Corrected declarations of Zw functions.
Added:
ZwCancelIoFile
ZwDeleteFile
ZwFlushBuffersFile
ZwFsControlFile
ZwLockFile
ZwNotifyChangeDirectoryFile
ZwOpenFile
ZwQueryEaFile
ZwSetEaFile
ZwSetVolumeInformationFile
ZwUnlockFile
5. 1999-05-09
Added:
defines for FILE_ACTION_XXX and FILE_NOTIFY_XXX
FILE_FS_VOLUME_INFORMATION
RETRIEVAL_POINTERS_BUFFER
STARTING_VCN_INPUT_BUFFER
FsRtlNotifyFullReportChange
4. 1999-04-11
Corrected:
ZwCreateThread
Added:
define _GNU_NTIFS_
3. 1999-03-30
Added:
defines for MAP_XXX, MEM_XXX and SEC_XXX
FILE_BOTH_DIR_INFORMATION
FILE_DIRECTORY_INFORMATION
FILE_FULL_DIR_INFORMATION
FILE_NAMES_INFORMATION
FILE_NOTIFY_INFORMATION
FsRtlNotifyCleanup
KeAttachProcess
KeDetachProcess
MmCreateSection
ZwCreateProcess
ZwCreateThread
ZwDeviceIoControlFile
ZwGetContextThread
ZwLoadDriver
ZwOpenDirectoryObject
ZwOpenProcess
ZwOpenSymbolicLinkObject
ZwQueryDirectoryFile
ZwUnloadDriver
2. 1999-03-15
Added:
FILE_COMPRESSION_INFORMATION
FILE_STREAM_INFORMATION
FILE_LINK_INFORMATION
FILE_RENAME_INFORMATION
EXTENDED_IO_STACK_LOCATION
IoQueryFileInformation
IoQueryFileVolumeInformation
ZwQueryVolumeInformationFile
Moved include of ntddk.h to inside extern "C" block.
1. 1999-03-11
Initial release.
*/
#ifndef _NTIFS_
#define _NTIFS_
#define _GNU_NTIFS_
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <ntverp.h>
/*
 * Pointer typedefs for structs whose bodies appear later in this header
 * (the revision history lists SERVICE_DESCRIPTOR_TABLE and SE_EXPORTS
 * among the data types added).
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _SE_EXPORTS *PSE_EXPORTS;
/*
 * Globals resolved against the kernel image at driver load time. As the
 * DISCLAIMER in the file header says, these declarations are reconstructed
 * rather than taken from an official header: treat the declared types as
 * unverified and expect them to differ between Windows releases.
 */
extern PUCHAR *FsRtlLegalAnsiCharacterArray;  /* presumably the per-character legality table consulted by the FsRtl legal-character checks — verify against the target kernel */
extern POBJECT_TYPE *IoDriverObjectType;      /* pointer to the object-type pointer for driver objects */
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;  /* system service descriptor table. NOTE(review): read-only use is the only supportable one; on 64-bit Windows, modifying it is flagged by Kernel Patch Protection as an integrity violation — confirm for the target OS */
extern PSHORT NtBuildNumber;                  /* pointer to the running kernel's build number. NOTE(review): later DDKs declare this as PUSHORT — verify */
extern PSE_EXPORTS SeExports;                 /* security-subsystem export block (SE_EXPORTS) */
extern PACL SePublicDefaultDacl;              /* kernel-supplied default DACL (public variant) */
extern PACL SeSystemDefaultDacl;              /* kernel-supplied default DACL (system variant) */
/* ACE type codes (the AceType field of an ACE header): ordinal values 0..3, not bit flags. */
#define ACCESS_ALLOWED_ACE_TYPE (0x0)
#define ACCESS_DENIED_ACE_TYPE (0x1)
#define SYSTEM_AUDIT_ACE_TYPE (0x2)
#define SYSTEM_ALARM_ACE_TYPE (0x3)
/*
 * Substitution characters for DOS-style wildcards ('*', '?', '.') in name
 * expressions. ANSI_DOS_xxx are narrow char literals; DOS_xxx are the same
 * three characters as wide (L'') literals.
 */
#define ANSI_DOS_STAR ('<')
#define ANSI_DOS_QM ('>')
#define ANSI_DOS_DOT ('"')
#define DOS_STAR (L'<')
#define DOS_QM (L'>')
#define DOS_DOT (L'"')
/*
 * Compression selectors. COMPRESSION_FORMAT_xxx values occupy the low byte
 * and COMPRESSION_ENGINE_xxx values the high byte, so the two groups use
 * disjoint bits.
 */
#define COMPRESSION_FORMAT_NONE (0x0000)
#define COMPRESSION_FORMAT_DEFAULT (0x0001)
#define COMPRESSION_FORMAT_LZNT1 (0x0002)
#define COMPRESSION_ENGINE_STANDARD (0x0000)
#define COMPRESSION_ENGINE_MAXIMUM (0x0100)
#define COMPRESSION_ENGINE_HIBER (0x0200)
/*
 * FILE_ACTION_xxx: directory-change action codes (presumably the Action
 * field of FILE_NOTIFY_INFORMATION, which revision 3 added alongside
 * these). They are sequential ordinals 1..0xB, NOT bit flags: compare with
 * ==, never test with a mask.
 */
#define FILE_ACTION_ADDED 0x00000001
#define FILE_ACTION_REMOVED 0x00000002
#define FILE_ACTION_MODIFIED 0x00000003
#define FILE_ACTION_RENAMED_OLD_NAME 0x00000004
#define FILE_ACTION_RENAMED_NEW_NAME 0x00000005
#define FILE_ACTION_ADDED_STREAM 0x00000006
#define FILE_ACTION_REMOVED_STREAM 0x00000007
#define FILE_ACTION_MODIFIED_STREAM 0x00000008
#define FILE_ACTION_REMOVED_BY_DELETE 0x00000009
#define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A
#define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B
/* Extended-attribute value type tags: 16-bit values in the 0xff01..0xfffe range. */
#define FILE_EA_TYPE_BINARY 0xfffe
#define FILE_EA_TYPE_ASCII 0xfffd
#define FILE_EA_TYPE_BITMAP 0xfffb
#define FILE_EA_TYPE_METAFILE 0xfffa
#define FILE_EA_TYPE_ICON 0xfff9
#define FILE_EA_TYPE_EA 0xffee
#define FILE_EA_TYPE_MVMT 0xffdf
#define FILE_EA_TYPE_MVST 0xffde
#define FILE_EA_TYPE_ASN1 0xffdd
#define FILE_EA_TYPE_FAMILY_IDS 0xff01
/* Single-bit flag (bit 7) marking an EA as "need" — semantics not defined in this file. */
#define FILE_NEED_EA 0x00000080
/*
 * FILE_NOTIFY_CHANGE_xxx: change-notification filter bits. Each is a
 * single bit (0x001..0x800) except FILE_NOTIFY_CHANGE_NAME, which is
 * FILE_NAME | DIR_NAME. FILE_NOTIFY_VALID_MASK (0xfff) is the OR of all
 * twelve single bits, so a filter supplied by a caller can be rejected
 * when (filter & ~FILE_NOTIFY_VALID_MASK) != 0 before it is used.
 */
#define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001
#define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002
#define FILE_NOTIFY_CHANGE_NAME 0x00000003
#define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004
#define FILE_NOTIFY_CHANGE_SIZE 0x00000008
#define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010
#define FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020
#define FILE_NOTIFY_CHANGE_CREATION 0x00000040
#define FILE_NOTIFY_CHANGE_EA 0x00000080
#define FILE_NOTIFY_CHANGE_SECURITY 0x00000100
#define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200
#define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400
#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
#define FILE_NOTIFY_VALID_MASK 0x00000fff
/* Oplock-break result codes: ordinal values 7..9, not bit flags. */
#define FILE_OPLOCK_BROKEN_TO_LEVEL_2 0x00000007
#define FILE_OPLOCK_BROKEN_TO_NONE 0x00000008
#define FILE_OPBATCH_BREAK_UNDERWAY 0x00000009
/*
 * FileSystemAttributes capability flags (revision 24 describes these as
 * "flags for FileSystemAttributes"). Each is a single bit; note that
 * FS_LFN_APIS (0x4000) sits inside the same bit space between the
 * FILE_xxx entries, so it must not be reused for another flag.
 */
#define FILE_CASE_SENSITIVE_SEARCH 0x00000001
#define FILE_CASE_PRESERVED_NAMES 0x00000002
#define FILE_UNICODE_ON_DISK 0x00000004
#define FILE_PERSISTENT_ACLS 0x00000008
#define FILE_FILE_COMPRESSION 0x00000010
#define FILE_VOLUME_QUOTAS 0x00000020
#define FILE_SUPPORTS_SPARSE_FILES 0x00000040
#define FILE_SUPPORTS_REPARSE_POINTS 0x00000080
#define FILE_SUPPORTS_REMOTE_STORAGE 0x00000100
#define FS_LFN_APIS 0x00004000
#define FILE_VOLUME_IS_COMPRESSED 0x00008000
#define FILE_SUPPORTS_OBJECT_IDS 0x00010000
#define FILE_SUPPORTS_ENCRYPTION 0x00020000
#define FILE_NAMED_STREAMS 0x00040000
#define FILE_READ_ONLY_VOLUME 0x00080000
/*
 * Named-pipe constants. Most groups are 0/1 alternatives (type, read mode,
 * completion mode, end, read/write selector); the configuration group is
 * 0..2 and the state group is 1..4. All are ordinal values, not bit flags.
 */
#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000
#define FILE_PIPE_MESSAGE_TYPE 0x00000001
#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000
#define FILE_PIPE_MESSAGE_MODE 0x00000001
#define FILE_PIPE_QUEUE_OPERATION 0x00000000
#define FILE_PIPE_COMPLETE_OPERATION 0x00000001
#define FILE_PIPE_INBOUND 0x00000000
#define FILE_PIPE_OUTBOUND 0x00000001
#define FILE_PIPE_FULL_DUPLEX 0x00000002
#define FILE_PIPE_DISCONNECTED_STATE 0x00000001
#define FILE_PIPE_LISTENING_STATE 0x00000002
#define FILE_PIPE_CONNECTED_STATE 0x00000003
#define FILE_PIPE_CLOSING_STATE 0x00000004
#define FILE_PIPE_CLIENT_END 0x00000000
#define FILE_PIPE_SERVER_END 0x00000001
#define FILE_PIPE_READ_DATA 0x00000000
#define FILE_PIPE_WRITE_SPACE 0x00000001
/*
 * Storage-type encoding. The FILE_STORAGE_TYPE_xxx macros shift a
 * StorageTypeXxx enumerator (presumably from the FILE_STORAGE_TYPE enum
 * that revision 12 added — not visible here) into a 4-bit field at bits
 * 16..19 (FILE_STORAGE_TYPE_MASK 0x000f0000, FILE_STORAGE_TYPE_SHIFT 16).
 * FILE_STORAGE_TYPE_SHIFT is defined after the macros that use it; that is
 * fine because a macro body is only expanded where it is used, by which
 * point the whole header has been read.
 */
#define FILE_STORAGE_TYPE_SPECIFIED 0x00000041 // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE
#define FILE_STORAGE_TYPE_DEFAULT (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_DIRECTORY (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_FILE (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_DOCFILE (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_JUNCTION_POINT (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_CATALOG (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_STRUCTURED_STORAGE (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_EMBEDDING (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_STREAM (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT)
/* Range bounds: the first and last encoded storage types above. */
#define FILE_MINIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_DEFAULT
#define FILE_MAXIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_STREAM
#define FILE_STORAGE_TYPE_MASK 0x000f0000
#define FILE_STORAGE_TYPE_SHIFT 16
/*
 * Volume-control (quota) flags. FILE_VC_QUOTA_MASK (0x3) covers the
 * TRACK|ENFORCE pair with NONE == 0; FILE_VC_VALID_MASK (0x3ff) is the OR
 * of all ten single bits defined here, usable to reject unknown bits in a
 * caller-supplied value before acting on it.
 */
#define FILE_VC_QUOTA_NONE 0x00000000
#define FILE_VC_QUOTA_TRACK 0x00000001
#define FILE_VC_QUOTA_ENFORCE 0x00000002
#define FILE_VC_QUOTA_MASK 0x00000003
#define FILE_VC_QUOTAS_LOG_VIOLATIONS 0x00000004
#define FILE_VC_CONTENT_INDEX_DISABLED 0x00000008
#define FILE_VC_LOG_QUOTA_THRESHOLD 0x00000010
#define FILE_VC_LOG_QUOTA_LIMIT 0x00000020
#define FILE_VC_LOG_VOLUME_THRESHOLD 0x00000040
#define FILE_VC_LOG_VOLUME_LIMIT 0x00000080
#define FILE_VC_QUOTAS_INCOMPLETE 0x00000100
#define FILE_VC_QUOTAS_REBUILDING 0x00000200
#define FILE_VC_VALID_MASK 0x000003ff
/*
 * FSRTL common-header flag bits. FSRTL_FLAG_xxx and FSRTL_FLAG2_xxx are two
 * separate byte-sized flag fields (their numeric values overlap, so they
 * must never be stored in the same field).
 */
#define FSRTL_FLAG_FILE_MODIFIED (0x01)
#define FSRTL_FLAG_FILE_LENGTH_CHANGED (0x02)
#define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04)
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08)
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10)
#define FSRTL_FLAG_USER_MAPPED_FILE (0x20)
#define FSRTL_FLAG_ADVANCED_HEADER (0x40)
#define FSRTL_FLAG_EOF_ADVANCE_ACTIVE (0x80)
#define FSRTL_FLAG2_DO_MODIFIED_WRITE (0x01)
#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS (0x02)
#define FSRTL_FLAG2_PURGE_WHEN_MAPPED (0x04)
/*
 * Top-level IRP marker values: ordinals 1..4 (not flags), with
 * FSRTL_MAX_TOP_LEVEL_IRP_FLAG equal to the largest one, so a value
 * greater than it can be assumed to be a real IRP pointer rather than a
 * marker — hedged, since the comparison itself is not in this file.
 */
#define FSRTL_FSP_TOP_LEVEL_IRP (0x01)
#define FSRTL_CACHE_TOP_LEVEL_IRP (0x02)
#define FSRTL_MOD_WRITE_TOP_LEVEL_IRP (0x03)
#define FSRTL_FAST_IO_TOP_LEVEL_IRP (0x04)
#define FSRTL_MAX_TOP_LEVEL_IRP_FLAG (0x04)
/* Volume event codes (1..6) passed to FsRtlNotifyVolumeEvent; ordinals, not flags. */
#define FSRTL_VOLUME_DISMOUNT 1
#define FSRTL_VOLUME_DISMOUNT_FAILED 2
#define FSRTL_VOLUME_LOCK 3
#define FSRTL_VOLUME_LOCK_FAILED 4
#define FSRTL_VOLUME_UNLOCK 5
#define FSRTL_VOLUME_MOUNT 6
/* Bit tested in the legal-character table to mark a wildcard character (see FsRtlIsUnicodeCharacterWild, added in revision 10). */
#define FSRTL_WILD_CHARACTER 0x08
/*
 * Architecture selection for the hardware page-table-entry type. On x86 the
 * DDK's HARDWARE_PTE_X86 is used; every other target gets a plain ULONG.
 * NOTE(review): a 32-bit ULONG is almost certainly too narrow for the
 * 64-bit PTE format of x64 (and of x86 PAE, which this #ifdef does not
 * distinguish) — confirm before using HARDWARE_PTE on anything but
 * classic 32-bit x86.
 */
#ifdef _X86_
#define HARDWARE_PTE HARDWARE_PTE_X86
#define PHARDWARE_PTE PHARDWARE_PTE_X86
#else
#define HARDWARE_PTE ULONG
#define PHARDWARE_PTE PULONG
#endif
/* I/O manager option bits (single bits 0x200, 0x400 and 0x80000000). */
#define IO_CHECK_CREATE_PARAMETERS 0x0200
#define IO_ATTACH_DEVICE 0x0400
#define IO_ATTACH_DEVICE_API 0x80000000
/*
 * I/O completion object access rights. IO_COMPLETION_ALL_ACCESS combines
 * the standard rights and SYNCHRONIZE with 0x3, i.e. QUERY_STATE|MODIFY_STATE.
 */
#define IO_COMPLETION_QUERY_STATE 0x0001
#define IO_COMPLETION_MODIFY_STATE 0x0002
#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
/* Pool quota charged per file object (bytes, as given here). */
#define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE 64
#define IO_FILE_OBJECT_PAGED_POOL_CHARGE 1024
/* Additional IO_TYPE_xxx object type codes: ordinals 18..23, continuing the DDK's IO_TYPE_ series. */
#define IO_TYPE_APC 18
#define IO_TYPE_DPC 19
#define IO_TYPE_DEVICE_QUEUE 20
#define IO_TYPE_EVENT_PAIR 21
#define IO_TYPE_INTERRUPT 22
#define IO_TYPE_PROFILE 23
/* IRP flag bit (0x10). */
#define IRP_BEING_VERIFIED 0x10
/* Mailslot class ordinals (1, 2) and the "automatic size" sentinel (0). */
#define MAILSLOT_CLASS_FIRSTCLASS 1
#define MAILSLOT_CLASS_SECONDCLASS 2
#define MAILSLOT_SIZE_AUTO 0
/*
 * MAP_PROCESS / MAP_SYSTEM: long-typed values 1L / 2L. Not to be confused
 * with MAP_WAIT / MAP_NO_READ further down, which belong to the cache
 * manager's pin/map flag family despite the shared prefix.
 */
#define MAP_PROCESS 1L
#define MAP_SYSTEM 2L
/* Section/memory flags. MEM_IMAGE is an alias for SEC_IMAGE (defined later in this header; resolved at expansion time). */
#define MEM_DOS_LIM 0x40000000
#define MEM_IMAGE SEC_IMAGE
/*
 * OBJECT_HEADER flag bits (single bits 0x01..0x40). The name
 * OB_FLAG_PERMAMENT is misspelt in this header (sic); it is kept as-is
 * because renaming it would break existing callers.
 */
#define OB_FLAG_CREATE_INFO 0x01 /* Object header has OBJECT_CREATE_INFO */
#define OB_FLAG_KERNEL_MODE 0x02 /* Created by kernel */
#define OB_FLAG_CREATOR_INFO 0x04 /* Object header has OBJECT_CREATOR_INFO */
#define OB_FLAG_EXCLUSIVE 0x08 /* OBJ_EXCLUSIVE */
#define OB_FLAG_PERMAMENT 0x10 /* OBJ_PERMANENT */
#define OB_FLAG_SECURITY 0x20 /* Object header has SecurityDescriptor != NULL */
#define OB_FLAG_SINGLE_PROCESS 0x40 /* absent HandleDBList */
/* Pool charge (0x800) associated with an object's security descriptor. */
#define OB_SECURITY_CHARGE 0x00000800
/*
 * Object-manager type indices: ordinals 1..23. These are an index into a
 * kernel-internal table, so they are build-dependent (see the file-header
 * DISCLAIMER) and should not be hard-coded into decisions that matter.
 */
#define OB_TYPE_TYPE 1
#define OB_TYPE_DIRECTORY 2
#define OB_TYPE_SYMBOLIC_LINK 3
#define OB_TYPE_TOKEN 4
#define OB_TYPE_PROCESS 5
#define OB_TYPE_THREAD 6
#define OB_TYPE_EVENT 7
#define OB_TYPE_EVENT_PAIR 8
#define OB_TYPE_MUTANT 9
#define OB_TYPE_SEMAPHORE 10
#define OB_TYPE_TIMER 11
#define OB_TYPE_PROFILE 12
#define OB_TYPE_WINDOW_STATION 13
#define OB_TYPE_DESKTOP 14
#define OB_TYPE_SECTION 15
#define OB_TYPE_KEY 16
#define OB_TYPE_PORT 17
#define OB_TYPE_ADAPTER 18
#define OB_TYPE_CONTROLLER 19
#define OB_TYPE_DEVICE 20
#define OB_TYPE_DRIVER 21
#define OB_TYPE_IO_COMPLETION 22
#define OB_TYPE_FILE 23
/*
 * Cache-manager pin/map flag bits (revision 31 added PIN_XXX, revision 41
 * MAP_XXX). PIN_xxx and MAP_xxx share one bit space: MAP_WAIT equals
 * PIN_WAIT (1) and MAP_NO_READ (16) is the next free bit after PIN_IF_BCB.
 */
#define PIN_WAIT (1)
#define PIN_EXCLUSIVE (2)
#define PIN_NO_READ (4)
#define PIN_IF_BCB (8)
#define MAP_WAIT (1)
#define MAP_NO_READ (16)
/* LPC port access rights: PORT_CONNECT (bit 0) plus the standard rights for ALL_ACCESS. */
#define PORT_CONNECT 0x0001
#define PORT_ALL_ACCESS (STANDARD_RIGHTS_ALL |\
PORT_CONNECT)
/* Section attribute bits (0x00200000..0x10000000); also referenced by MEM_IMAGE above. */
#define SEC_BASED 0x00200000
#define SEC_NO_CHANGE 0x00400000
#define SEC_FILE 0x00800000
#define SEC_IMAGE 0x01000000
#define SEC_COMMIT 0x08000000
#define SEC_NOCACHE 0x10000000
/*
 * Well-known SID pieces: the six-byte identifier authority for the World
 * authority (value 1 in the last byte) and the Everyone RID (0). SIDs
 * built from these use SID_REVISION (1).
 */
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}
#define SECURITY_WORLD_RID (0x00000000L)
#define SID_REVISION 1
/* Thread scheduling states: ordinals 0..7 (THREAD_STATE_UNKNOWN is the out-of-range marker). */
#define THREAD_STATE_INITIALIZED 0
#define THREAD_STATE_READY 1
#define THREAD_STATE_RUNNING 2
#define THREAD_STATE_STANDBY 3
#define THREAD_STATE_TERMINATED 4
#define THREAD_STATE_WAIT 5
#define THREAD_STATE_TRANSITION 6
#define THREAD_STATE_UNKNOWN 7
/*
 * Token access rights: specific-rights bits 0x0001..0x0080, combined with
 * the STANDARD_RIGHTS_xxx masks into the usual ALL/READ/WRITE/EXECUTE
 * generic sets. TOKEN_READ grants only QUERY; TOKEN_WRITE grants the three
 * ADJUST rights; TOKEN_EXECUTE adds no token-specific bits.
 */
#define TOKEN_ASSIGN_PRIMARY (0x0001)
#define TOKEN_DUPLICATE (0x0002)
#define TOKEN_IMPERSONATE (0x0004)
#define TOKEN_QUERY (0x0008)
#define TOKEN_QUERY_SOURCE (0x0010)
#define TOKEN_ADJUST_PRIVILEGES (0x0020)
#define TOKEN_ADJUST_GROUPS (0x0040)
#define TOKEN_ADJUST_DEFAULT (0x0080)
#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
TOKEN_ASSIGN_PRIMARY |\
TOKEN_DUPLICATE |\
TOKEN_IMPERSONATE |\
TOKEN_QUERY |\
TOKEN_QUERY_SOURCE |\
TOKEN_ADJUST_PRIVILEGES |\
TOKEN_ADJUST_GROUPS |\
TOKEN_ADJUST_DEFAULT)
#define TOKEN_READ (STANDARD_RIGHTS_READ |\
TOKEN_QUERY)
#define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
TOKEN_ADJUST_PRIVILEGES |\
TOKEN_ADJUST_GROUPS |\
TOKEN_ADJUST_DEFAULT)
#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
/* Length in bytes of the TOKEN_SOURCE name field. */
#define TOKEN_SOURCE_LENGTH 8
/*
 * TOKEN_HAS_xxx / TOKEN_IS_xxx: per-token attribute flag bits (presumably
 * the TokenFlags byte of the TOKEN_OBJECT added in revision 46). They are
 * a different namespace from the access-rights bits above even though the
 * numeric values 0x01..0x80 coincide; passing one where the other is
 * expected silently grants or tests the wrong thing.
 */
#define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x01
#define TOKEN_HAS_BACKUP_PRIVILEGE 0x02
#define TOKEN_HAS_RESTORE_PRIVILEGE 0x04
#define TOKEN_HAS_ADMIN_GROUP 0x08
#define TOKEN_IS_RESTRICTED 0x10
#define TOKEN_SESSION_NOT_REFERENCED 0x20
#define TOKEN_SANDBOX_INERT 0x40
#define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x80
/* Cache-manager VACB mapping size: 0x40000 bytes == 1 << VACB_OFFSET_SHIFT (18). */
#define VACB_MAPPING_GRANULARITY (0x40000)
#define VACB_OFFSET_SHIFT (18)
// File-system control codes present on every supported build. Each CTL_CODE is
// (device type, function number, buffering method, access the I/O manager
// requires on the handle). Function numbers 9, 13, 17 and 18 are deliberately
// absent from this list.
// NOTE(review): FILE_ANY_ACCESS means the I/O manager performs NO access check
// for the code; the file system (or filter) itself must decide who may issue it.
// METHOD_NEITHER means the handler receives raw caller-supplied buffer pointers
// that it must probe, capture and length-check itself (per the I/O manager
// contract; verify against the DDK for the target build).
#define FSCTL_REQUEST_OPLOCK_LEVEL_1 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_OPLOCK_LEVEL_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_BATCH_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_NOTIFY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Volume-wide operations below (lock/unlock/dismount/mark dirty/invalidate)
// are also FILE_ANY_ACCESS: the handle's granted access does not gate them.
#define FSCTL_LOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_IS_VOLUME_MOUNTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_IS_PATHNAME_VALID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_MARK_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
// METHOD_NEITHER + FILE_ANY_ACCESS: raw user buffers and no I/O-manager check.
#define FSCTL_QUERY_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_GET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
// One of the few codes here that demands both read and write access on the handle.
#define FSCTL_SET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
// METHOD_NEITHER + FILE_ANY_ACCESS again; by name this changes how the file
// system treats a registry hive file, so the FS-side check matters.
#define FSCTL_MARK_AS_SYSTEM_HIVE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_OPLOCK_BREAK_ACK_NO_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_INVALIDATE_VOLUMES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_QUERY_FAT_BPB CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_REQUEST_FILTER_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS)
#if (VER_PRODUCTBUILD >= 1381)
// Codes added with build 1381 (NT 4.0). All are FILE_ANY_ACCESS, including
// FSCTL_MOVE_FILE, which by name relocates file clusters on disk: the file
// system must gate it itself. The three METHOD_NEITHER codes hand the handler
// raw caller pointers (volume bitmap, retrieval pointers, extended DASD I/O).
#define FSCTL_GET_NTFS_VOLUME_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_NTFS_FILE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_VOLUME_BITMAP CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_MOVE_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_IS_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_ALLOW_EXTENDED_DASD_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER, FILE_ANY_ACCESS)
#endif // (VER_PRODUCTBUILD >= 1381)
#if (VER_PRODUCTBUILD >= 2195)
// Codes added with build 2195 (Windows 2000). Function number 36 is absent.
// NOTE(review): the required-access column is inconsistent across related
// operations and is worth knowing when writing a filter:
//  - object-ID, reparse-point, sparse and zero-data SETs demand FILE_WRITE_DATA,
//    but FSCTL_SET_ENCRYPTION, FSCTL_WRITE_RAW_ENCRYPTED and
//    FSCTL_READ_RAW_ENCRYPTED are FILE_ANY_ACCESS (and METHOD_NEITHER);
//  - FSCTL_CREATE_USN_JOURNAL needs only FILE_READ_DATA and
//    FSCTL_DELETE_USN_JOURNAL needs nothing at all.
// For every FILE_ANY_ACCESS code the file system is the only access check.
#define FSCTL_READ_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 33, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_WRITE_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 34, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_FIND_FILES_BY_SID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_DUMP_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 37, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_SET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DELETE_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_WRITE_DATA)
// Reparse points: setting/deleting needs write access; reading does not.
#define FSCTL_SET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_GET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DELETE_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_ENUM_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_SECURITY_ID_CHECK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_READ_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_SET_OBJECT_ID_EXTENDED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_CREATE_OR_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SET_SPARSE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_SET_ZERO_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_QUERY_ALLOCATED_RANGES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_ENABLE_UPGRADE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA)
// Encryption codes: FILE_ANY_ACCESS, three of four METHOD_NEITHER (see note above).
#define FSCTL_SET_ENCRYPTION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_ENCRYPTION_FSCTL_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_WRITE_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_READ_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_CREATE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_READ_FILE_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_WRITE_USN_CLOSE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59, METHOD_NEITHER, FILE_READ_DATA)
#define FSCTL_EXTEND_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_QUERY_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_DELETE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_MARK_HANDLE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Single-instance-storage / HSM / remote-storage codes (by name).
#define FSCTL_SIS_COPYFILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_SIS_LINK_FILES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_HSM_MSG CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 66, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_NSS_CONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 67, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_HSM_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 68, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_RECALL_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NSS_RCONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 70, METHOD_BUFFERED, FILE_READ_DATA)
// The only METHOD_OUT_DIRECT code in this group: the output buffer arrives as an MDL.
#define FSCTL_READ_FROM_PLEX CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA)
#define FSCTL_FILE_PREFETCH CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#endif // (VER_PRODUCTBUILD >= 2195)
// Control codes for the mailslot, network-redirector and named-pipe file
// systems. Function numbers are per device type, so e.g. pipe code 0 and
// file-system code 0 are unrelated.
#define FSCTL_MAILSLOT_PEEK CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA)
// Redirector codes: all FILE_ANY_ACCESS; 102/103 use direct (MDL) buffering,
// 104/105 METHOD_NEITHER.
#define FSCTL_NETWORK_SET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_CONNECTION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_ENUMERATE_CONNECTIONS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_DELETE_CONNECTION CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_STATISTICS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_SET_DOMAIN_NAME CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Named-pipe codes 0..9. NOTE(review): FSCTL_PIPE_IMPERSONATE (by name, the
// server end taking on the client's security context) and
// FSCTL_PIPE_SET_CLIENT_PROCESS are FILE_ANY_ACCESS, so the pipe driver — not
// the I/O manager — is the sole check on who may issue them.
#define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
// "Internal" pipe codes live in a separate high range (2045..2048).
#define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
#define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
// Redirector path query; METHOD_NEITHER with no access requirement.
#define IOCTL_REDIR_QUERY_PATH CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 99, METHOD_NEITHER, FILE_ANY_ACCESS)
// Opaque handles: these four are plain PVOID here, so the compiler cannot
// catch a mismatched pointer type at the call site.
typedef PVOID PEJOB;
typedef PVOID PNOTIFY_SYNC;
typedef PVOID OPLOCK, *POPLOCK;
typedef PVOID PWOW64_PROCESS;
// Logical / virtual block numbers, 32-bit.
typedef ULONG LBN;
typedef LBN *PLBN;
typedef ULONG VBN;
typedef VBN *PVBN;
// Forward declarations of pointer types whose structures are defined later in
// this file or not at all (kernel-private).
typedef struct _CACHE_MANAGER_CALLBACKS *PCACHE_MANAGER_CALLBACKS;
typedef struct _EPROCESS_QUOTA_BLOCK *PEPROCESS_QUOTA_BLOCK;
typedef struct _FILE_GET_QUOTA_INFORMATION *PFILE_GET_QUOTA_INFORMATION;
typedef struct _HANDLE_TABLE *PHANDLE_TABLE;
typedef struct _KEVENT_PAIR *PKEVENT_PAIR;
typedef struct _KPROCESS *PKPROCESS;
typedef struct _KQUEUE *PKQUEUE;
typedef struct _KTRAP_FRAME *PKTRAP_FRAME;
typedef struct _LPC_MESSAGE *PLPC_MESSAGE;
typedef struct _MAILSLOT_CREATE_PARAMETERS *PMAILSLOT_CREATE_PARAMETERS;
typedef struct _MMWSL *PMMWSL;
typedef struct _NAMED_PIPE_CREATE_PARAMETERS *PNAMED_PIPE_CREATE_PARAMETERS;
typedef struct _OBJECT_DIRECTORY *POBJECT_DIRECTORY;
typedef struct _PAGEFAULT_HISTORY *PPAGEFAULT_HISTORY;
typedef struct _PEB *PPEB;
typedef struct _PS_IMPERSONATION_INFORMATION *PPS_IMPERSONATION_INFORMATION;
typedef struct _SECTION_OBJECT *PSECTION_OBJECT;
typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _SHARED_CACHE_MAP *PSHARED_CACHE_MAP;
typedef struct _TERMINATION_PORT *PTERMINATION_PORT;
typedef struct _VACB *PVACB;
typedef struct _VAD_HEADER *PVAD_HEADER;
// Pre-2000 DDKs lack SIZE_T; this 32-bit stand-in matches the rest of the file,
// which assumes 32-bit pointers throughout (see the PVOID/ULONG unions below).
#if (VER_PRODUCTBUILD < 2195)
typedef ULONG SIZE_T, *PSIZE_T;
#endif
// Tri-state answer to "may fast I/O bypass the IRP path for this file?"
// (0 = no, 1 = yes, 2 = ask the file system each time, by name).
typedef enum _FAST_IO_POSSIBLE {
FastIoIsNotPossible,
FastIoIsPossible,
FastIoIsQuestionable
} FAST_IO_POSSIBLE;
// Storage-type classification of a file-system object; values are 1-based
// (StorageTypeDefault = 1 .. StorageTypeStream = 8), so 0 is not a valid member.
typedef enum _FILE_STORAGE_TYPE {
StorageTypeDefault = 1,
StorageTypeDirectory,
StorageTypeFile,
StorageTypeJunctionPoint,
StorageTypeCatalog,
StorageTypeStructuredStorage,
StorageTypeEmbedding,
StorageTypeStream
} FILE_STORAGE_TYPE;
// Information classes for I/O completion objects; only one (value 0) exists.
typedef enum _IO_COMPLETION_INFORMATION_CLASS {
IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS;
// Queued-spin-lock indices. Note the guard is an exact match on build 2195
// (Windows 2000): on 2600/3790 this enum is simply not declared, presumably
// because the numbering changed there — do not relax the test to >= without
// checking the later layout.
#if (VER_PRODUCTBUILD == 2195)
typedef enum _KSPIN_LOCK_QUEUE_NUMBER {
LockQueueDispatcherLock,
LockQueueContextSwapLock,
LockQueuePfnLock,
LockQueueSystemSpaceLock,
LockQueueVacbLock,
LockQueueMasterLock,
LockQueueNonPagedPoolLock,
LockQueueIoCancelLock,
LockQueueWorkQueueLock,
LockQueueIoVpbLock,
LockQueueIoDatabaseLock,
LockQueueIoCompletionLock,
LockQueueNtfsStructLock,
LockQueueAfdWorkQueueLock,
LockQueueBcbLock,
LockQueueMaximumLock
} KSPIN_LOCK_QUEUE_NUMBER;
#endif // (VER_PRODUCTBUILD == 2195)
// LPC message types (0 = new message .. 10 = connection request). An LPC
// server should dispatch on the received type and reject values outside this
// range rather than index a table with them.
typedef enum _LPC_TYPE {
LPC_NEW_MESSAGE,
LPC_REQUEST,
LPC_REPLY,
LPC_DATAGRAM,
LPC_LOST_REPLY,
LPC_PORT_CLOSED,
LPC_CLIENT_DIED,
LPC_EXCEPTION,
LPC_DEBUG_EVENT,
LPC_ERROR_EVENT,
LPC_CONNECTION_REQUEST
} LPC_TYPE;
// Reason passed to the memory manager's flush routine: the section is being
// flushed ahead of a delete (0) or a write (1).
typedef enum _MMFLUSH_TYPE {
MmFlushForDelete,
MmFlushForWrite
} MMFLUSH_TYPE;
// Object-manager query classes, 0-based. ObjectProtectionInfo (4) concerns
// the object's security descriptor, by name.
typedef enum _OBJECT_INFO_CLASS {
ObjectBasicInfo,
ObjectNameInfo,
ObjectTypeInfo,
ObjectAllTypesInfo,
ObjectProtectionInfo
} OBJECT_INFO_CLASS;
// LPC port information classes; the single member (0) carries no data.
typedef enum _PORT_INFORMATION_CLASS {
PortNoInformation
} PORT_INFORMATION_CLASS;
// Section-object query classes: basic (0) and image-header derived (1).
typedef enum _SECTION_INFORMATION_CLASS {
SectionBasicInformation,
SectionImageInformation
} SECTION_INFORMATION_CLASS;
// Kind of account a SID names, 1-based (SidTypeUser = 1 .. SidTypeUnknown = 8).
// SidTypeInvalid and SidTypeUnknown are results a lookup can return and must
// be handled, not treated as "some valid principal".
typedef enum _SID_NAME_USE {
SidTypeUser = 1,
SidTypeGroup,
SidTypeDomain,
SidTypeAlias,
SidTypeWellKnownGroup,
SidTypeDeletedAccount,
SidTypeInvalid,
SidTypeUnknown
} SID_NAME_USE;
// System information classes. Values are positional (0-based, no explicit
// initializers), so the SystemNotImplementedN / SystemInvalidInfoClassN
// placeholders exist only to keep the later members at their real ordinals —
// never remove or reorder one.
// NOTE(review): by name, SystemLoadImage (26), SystemLoadAndCallImage (38) and
// SystemAddVerifier (52) load code into the kernel. Any interface that forwards
// a caller-chosen class number to the system-information set path must
// whitelist classes rather than pass the number through.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;
// Scheduler thread state, 0-based; mirrors the THREAD_STATE_* defines earlier
// in this file value for value (StateWait == THREAD_STATE_WAIT == 5, etc.).
typedef enum _THREAD_STATE {
StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
} THREAD_STATE;
// Token query/set classes, 1-based (TokenUser = 1 .. TokenRestrictedSids = 11);
// 0 is not a valid class.
typedef enum _TOKEN_INFORMATION_CLASS {
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids
} TOKEN_INFORMATION_CLASS;
// Primary (1) vs impersonation (2) token; 0 is not a valid value.
typedef enum _TOKEN_TYPE {
TokenPrimary = 1,
TokenImpersonation
} TOKEN_TYPE;
// 32-bit x86 page-table entry (non-PAE): twelve flag bits plus a 20-bit page
// frame number, 32 bits in total. A PAE or x64 PTE is 64 bits wide and does
// not match this layout. Write (bit 1) and Owner (bit 2, user/supervisor by
// name) are the bits that decide whether user mode may touch the page;
// Prototype/CopyOnWrite are software-defined bits of the memory manager.
typedef struct _HARDWARE_PTE_X86 {
ULONG Valid : 1;
ULONG Write : 1;
ULONG Owner : 1;
ULONG WriteThrough : 1;
ULONG CacheDisable : 1;
ULONG Accessed : 1;
ULONG Dirty : 1;
ULONG LargePage : 1;
ULONG Global : 1;
ULONG CopyOnWrite : 1;
ULONG Prototype : 1;
ULONG reserved : 1;
ULONG PageFrameNumber : 20;
} HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;
// Per-thread APC state: two APC queues (ApcListHead[0]/[1], presumably kernel
// and user mode by the flag names that follow) and the process the thread is
// currently attached to. Embedded in KTHREAD twice (ApcState, SavedApcState).
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[2];
PKPROCESS Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;
// x86 GDT/LDT segment descriptor (8 bytes). HighWord can be read either as
// four raw bytes or as the bit fields of the upper dword (8+5+2+1+4+1+1+1+1+8
// = 32 bits). Dpl is the descriptor privilege level; a Dpl of 3 on a code or
// data descriptor makes it usable from user mode.
typedef struct _KGDTENTRY {
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMid;
UCHAR Flags1;
UCHAR Flags2;
UCHAR BaseHi;
} Bytes;
struct {
ULONG BaseMid : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Pres : 1;
ULONG LimitHi : 4;
ULONG Sys : 1;
ULONG Reserved_0 : 1;
ULONG Default_Big : 1;
ULONG Granularity : 1;
ULONG BaseHi : 8;
} Bits;
} HighWord;
} KGDTENTRY, *PKGDTENTRY;
// x86 IDT gate descriptor (8 bytes): the handler address is split across
// Offset (low 16) and ExtendedOffset (high 16); Access holds the gate type,
// DPL and present bit (by name, not decomposed here).
typedef struct _KIDTENTRY {
USHORT Offset;
USHORT Selector;
USHORT Access;
USHORT ExtendedOffset;
} KIDTENTRY, *PKIDTENTRY;
#if (VER_PRODUCTBUILD >= 2600)
// Kernel process block for build 2600 (XP) and later; it is the first member
// (Pcb) of EPROCESS. Layout is undocumented and build-specific: a driver that
// reaches into it by offset must be pinned to the exact build, and should use
// an exported Ps*/Ke* accessor whenever one exists.
typedef struct _KPROCESS {
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;
// Page-directory base (CR3) per hyperspace slot, by name.
ULONG DirectoryTableBase[2];
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
// I/O permission map offset and I/O privilege level: together they decide
// whether user-mode code in this process may issue port I/O instructions.
USHORT IopmOffset;
UCHAR Iopl;
UCHAR Unused;
ULONG ActiveProcessors;
ULONG KernelTime;
ULONG UserTime;
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
PVOID VdmTrapcHandler;
LIST_ENTRY ThreadListHead;
KSPIN_LOCK ProcessLock;
KAFFINITY Affinity;
USHORT StackCount;
CHAR BasePriority;
CHAR ThreadQuantum;
BOOLEAN AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
BOOLEAN DisableBoost;
UCHAR PowerState;
BOOLEAN DisableQuantum;
UCHAR IdealNode;
UCHAR Spare;
} KPROCESS, *PKPROCESS;
#else
// Kernel process block for builds before 2600 (NT 4.0 and Windows 2000). Same
// size and field order as the XP+ variant except for the names VdmFlag /
// Reserved1 and the four trailing bytes that only exist from build 2195 on;
// BasePriority/ThreadQuantum are UCHAR here but CHAR in the XP+ variant, so
// compare with care when code is shared between the two.
typedef struct _KPROCESS {
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;
ULONG DirectoryTableBase[2];
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
// IOPM offset and IOPL together decide whether user mode may issue port I/O.
USHORT IopmOffset;
UCHAR Iopl;
UCHAR VdmFlag;
ULONG ActiveProcessors;
ULONG KernelTime;
ULONG UserTime;
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
PVOID Reserved1;
LIST_ENTRY ThreadListHead;
KSPIN_LOCK ProcessLock;
KAFFINITY Affinity;
USHORT StackCount;
UCHAR BasePriority;
UCHAR ThreadQuantum;
BOOLEAN AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
BOOLEAN DisableBoost;
#if (VER_PRODUCTBUILD >= 2195)
UCHAR PowerState;
BOOLEAN DisableQuantum;
UCHAR IdealNode;
UCHAR Spare;
#endif // (VER_PRODUCTBUILD >= 2195)
} KPROCESS, *PKPROCESS;
#endif
#if (VER_PRODUCTBUILD >= 3790)
// Kernel thread block for build 3790 (Windows Server 2003). The trailing
// comments are byte offsets from the start of the structure as recorded by the
// original author; they are build-specific and not verified here.
// Security-relevant members (all undocumented; hedged by name):
//  - PreviousMode (+0x115): presumably records whether the current system call
//    came from user or kernel mode and thus whether pointer probing applies.
//  - ServiceTable (+0x124): per-thread pointer to the system service descriptor
//    table; an unexpected value is a classic sign of syscall hooking.
//  - Teb (+0x30), Win32Thread, TrapFrame: user-reachable or user-derived state.
typedef struct _KTHREAD {
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead; // 0x10
PVOID InitialStack; // 0x18
PVOID StackLimit; // 0x1c
PVOID KernelStack; // 0x20
ULONG ThreadLock; // 0x24
ULONG ContextSwitches; // 0x28
UCHAR State; // 0x2c
UCHAR NpxState; // 0x2d
UCHAR WaitIrql; // 0x2e
CHAR WaitMode; // 0x2f
struct _TEB *Teb; // 0x30
KAPC_STATE ApcState; // 0x34
KSPIN_LOCK ApcQueueLock; // 0x4c
NTSTATUS WaitStatus; // 0x50
PKWAIT_BLOCK WaitBlockList; // 0x54
BOOLEAN Alertable; // 0x58
UCHAR WaitNext; // 0x59
UCHAR WaitReason; // 0x5a
CHAR Priority; // 0x5b
BOOLEAN EnableStackSwap; // 0x5c
BOOLEAN SwapBusy; // 0x5d
UCHAR Alerted[2]; // 0x5e
union {
LIST_ENTRY WaitListEntry; // 0x60
SINGLE_LIST_ENTRY SwapListEntry; // 0x60
};
PKQUEUE Queue; // 0x68
ULONG WaitTime; // 0x6c
union {
struct {
USHORT KernelApcDisable; // 0x70
USHORT SpecialApcDisable; // 0x72
};
USHORT CombinedApcDisable; // 0x70
};
KTIMER Timer; // 0x78
KWAIT_BLOCK WaitBlock[4]; // 0xa0
LIST_ENTRY QueueListEntry; // 0x100
UCHAR ApcStateIndex; // 0x108
BOOLEAN ApcQueueable; // 0x109
BOOLEAN Preempted; // 0x10a
BOOLEAN ProcessReadyQueue; // 0x10b
BOOLEAN KernelStackResident; // 0x10c
CHAR Saturation; // 0x10d
UCHAR IdealProcessor; // 0x10e
UCHAR NextProcessor; // 0x10f
CHAR BasePriority; // 0x110
UCHAR Spare4; // 0x111
CHAR PriorityDecrement; // 0x112
CHAR Quantum; // 0x113
BOOLEAN SystemAffinityActive; // 0x114
// See header note: presumably user (1) vs kernel (0) origin of the request.
CHAR PreviousMode; // 0x115
UCHAR ResourceIndex; // 0x116
BOOLEAN DisableBoost; // 0x117
ULONG UserAffinity; // 0x118
PKPROCESS Process; // 0x11c
ULONG Affinity; // 0x120
// Per-thread syscall table pointer; see header note.
PSERVICE_DESCRIPTOR_TABLE ServiceTable; // 0x124
PKAPC_STATE ApcStatePointer[2]; // 0x128
KAPC_STATE SavedApcState; // 0x130
PVOID CallbackStack; // 0x148
PVOID Win32Thread; // 0x14c
PKTRAP_FRAME TrapFrame; // 0x150
ULONG KernelTime; // 0x154
ULONG UserTime; // 0x158
PVOID StackBase; // 0x15c
KAPC SuspendApc; // 0x160
KSEMAPHORE SuspendSemaphore; // 0x190
PVOID TlsArray; // 0x1a4
PVOID LegoData; // 0x1a8
LIST_ENTRY ThreadListEntry; // 0x1ac
BOOLEAN LargeStack; // 0x1b4
UCHAR PowerState; // 0x1b5
UCHAR NpxIrql; // 0x1b6
UCHAR Spare5; // 0x1b7
BOOLEAN AutoAlignment; // 0x1b8
UCHAR Iopl; // 0x1b9
CHAR FreezeCount; // 0x1ba
CHAR SuspendCount; // 0x1bb
UCHAR Spare0[1]; // 0x1bc
UCHAR UserIdealProcessor; // 0x1bd
UCHAR DeferredProcessor; // 0x1be
UCHAR AdjustReason; // 0x1bf
CHAR AdjustIncrement; // 0x1c0
UCHAR Spare2[3]; // 0x1c1
} KTHREAD, *PKTHREAD;
#elif (VER_PRODUCTBUILD >= 2600)
// Kernel thread block for build 2600 (XP). Field order differs substantially
// from both the 3790 and the pre-2600 variants (e.g. Teb/TlsArray sit right
// after StackLimit here, KernelApcDisable is a single ULONG, and the member is
// named ServiceTable as on 3790 but ServiceDescriptorTable on older builds).
// No offsets were recorded for this variant; do not reuse the 3790 ones.
// PreviousMode and ServiceTable carry the same security weight as on 3790:
// presumably the request's user/kernel origin and the per-thread syscall table.
typedef struct _KTHREAD {
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
PVOID InitialStack;
PVOID StackLimit;
struct _TEB *Teb;
PVOID TlsArray;
PVOID KernelStack;
BOOLEAN DebugActive;
UCHAR State;
UCHAR Alerted[2];
UCHAR Iopl;
UCHAR NpxState;
CHAR Saturation;
CHAR Priority;
KAPC_STATE ApcState;
ULONG ContextSwitches;
UCHAR IdleSwapBlock;
UCHAR Spare0[3];
NTSTATUS WaitStatus;
UCHAR WaitIrql;
CHAR WaitMode;
UCHAR WaitNext;
UCHAR WaitReason;
PKWAIT_BLOCK WaitBlockList;
union {
LIST_ENTRY WaitListEntry;
SINGLE_LIST_ENTRY SwapListEntry;
};
ULONG WaitTime;
CHAR BasePriority;
UCHAR DecrementCount;
CHAR PriorityDecrement;
CHAR Quantum;
KWAIT_BLOCK WaitBlock[4];
PVOID LegoData;
ULONG KernelApcDisable;
ULONG UserAffinity;
BOOLEAN SystemAffinityActive;
UCHAR PowerState;
UCHAR NpxIrql;
UCHAR InitialNode;
// Per-thread syscall table pointer (see header note).
PSERVICE_DESCRIPTOR_TABLE ServiceTable;
PKQUEUE Queue;
KSPIN_LOCK ApcQueueLock;
KTIMER Timer;
LIST_ENTRY QueueListEntry;
ULONG SoftAffinity;
ULONG Affinity;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;
BOOLEAN KernelStackResident;
UCHAR NextProcessor;
PVOID CallbackStack;
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;
PKAPC_STATE ApcStatePointer[2];
// See header note.
CHAR PreviousMode;
BOOLEAN EnableStackSwap;
BOOLEAN LargeStack;
UCHAR ResourceIndex;
ULONG KernelTime;
ULONG UserTime;
KAPC_STATE SavedApcState;
BOOLEAN Alertable;
UCHAR ApcStateIndex;
BOOLEAN ApcQueueable;
BOOLEAN AutoAlignment;
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadListEntry;
CHAR FreezeCount;
CHAR SuspendCount;
UCHAR IdealProcessor;
BOOLEAN DisableBoost;
} KTHREAD, *PKTHREAD;
#else
// Kernel thread block for builds before 2600 (NT 4.0 and Windows 2000).
// Three things differ between 1381 and 2195 inside this one definition and are
// easy to get wrong when hard-coding offsets:
//  - PreviousMode moves: it follows ApcStatePointer on 2195 but follows
//    ResourceIndex on 1381 (the two #if blocks below);
//  - the three bytes after SystemAffinityActive are padding on 1381 but
//    PowerState/NpxIrql/one pad byte on 2195;
//  - Alerted is a single USHORT here, UCHAR[2] on later builds (same size).
// The syscall table member is named ServiceDescriptorTable in this variant.
typedef struct _KTHREAD {
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
PVOID InitialStack;
PVOID StackLimit;
struct _TEB *Teb;
PVOID TlsArray;
PVOID KernelStack;
BOOLEAN DebugActive;
UCHAR State;
USHORT Alerted;
UCHAR Iopl;
UCHAR NpxState;
UCHAR Saturation;
UCHAR Priority;
KAPC_STATE ApcState;
ULONG ContextSwitches;
NTSTATUS WaitStatus;
UCHAR WaitIrql;
UCHAR WaitMode;
UCHAR WaitNext;
UCHAR WaitReason;
PKWAIT_BLOCK WaitBlockList;
LIST_ENTRY WaitListEntry;
ULONG WaitTime;
UCHAR BasePriority;
UCHAR DecrementCount;
UCHAR PriorityDecrement;
UCHAR Quantum;
KWAIT_BLOCK WaitBlock[4];
ULONG LegoData;
ULONG KernelApcDisable;
ULONG UserAffinity;
BOOLEAN SystemAffinityActive;
#if (VER_PRODUCTBUILD < 2195)
UCHAR Pad[3];
#else // (VER_PRODUCTBUILD >= 2195)
UCHAR PowerState;
UCHAR NpxIrql;
UCHAR Pad[1];
#endif // (VER_PRODUCTBUILD >= 2195)
// Per-thread syscall table pointer; an unexpected value suggests hooking.
PSERVICE_DESCRIPTOR_TABLE ServiceDescriptorTable;
PKQUEUE Queue;
KSPIN_LOCK ApcQueueLock;
KTIMER Timer;
LIST_ENTRY QueueListEntry;
ULONG Affinity;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;
BOOLEAN KernelStackResident;
UCHAR NextProcessor;
PVOID CallbackStack;
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;
PKAPC_STATE ApcStatePointer[2];
#if (VER_PRODUCTBUILD >= 2195)
// 2195 placement of PreviousMode (presumably the request's user/kernel origin).
UCHAR PreviousMode;
#endif // (VER_PRODUCTBUILD >= 2195)
BOOLEAN EnableStackSwap;
BOOLEAN LargeStack;
UCHAR ResourceIndex;
#if (VER_PRODUCTBUILD < 2195)
// 1381 placement of PreviousMode.
UCHAR PreviousMode;
#endif // (VER_PRODUCTBUILD < 2195)
ULONG KernelTime;
ULONG UserTime;
KAPC_STATE SavedApcState;
BOOLEAN Alertable;
UCHAR ApcStateIndex;
BOOLEAN ApcQueueable;
BOOLEAN AutoAlignment;
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadListEntry;
UCHAR FreezeCount;
UCHAR SuspendCount;
UCHAR IdealProcessor;
BOOLEAN DisableBoost;
} KTHREAD, *PKTHREAD;
#endif
#if (VER_PRODUCTBUILD >= 3790)
// Working-set flags for build 3790; bit widths sum to 32 (7+1+8+1+1+14).
// MemoryPriority is an 8-bit field at bits 8..15 here, unlike the 2600 layout
// where it occupies bits 24..31.
typedef struct _MMSUPPORT_FLAGS {
ULONG SessionSpace : 1;
ULONG BeingTrimmed : 1;
ULONG SessionLeader : 1;
ULONG TrimHard : 1;
ULONG MaximumWorkingSetHard : 1;
ULONG ForceTrim : 1;
ULONG MinimumWorkingSetHard : 1;
ULONG Available0 : 1;
ULONG MemoryPriority : 8;
ULONG GrowWsleHash : 1;
ULONG AcquiredUnsafe : 1;
ULONG Available : 14;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
#elif (VER_PRODUCTBUILD >= 2600)
// Working-set flags for build 2600; bit widths sum to 32 (6+10+8+8).
// AllowWorkingSetAdjustment and MemoryPriority, separate UCHAR members on
// older builds, are folded into the flag word here.
typedef struct _MMSUPPORT_FLAGS {
ULONG SessionSpace : 1;
ULONG BeingTrimmed : 1;
ULONG SessionLeader : 1;
ULONG TrimHard : 1;
ULONG WorkingSetHard : 1;
ULONG AddressSpaceBeingDeleted : 1;
ULONG Available : 10;
ULONG AllowWorkingSetAdjustment : 8;
ULONG MemoryPriority : 8;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
#else
// Working-set flags for builds before 2600: seven one-bit flags plus 25
// filler bits (32 total). Only used by MMSUPPORT from build 2195 on (see the
// #if inside the pre-2600 MMSUPPORT below).
typedef struct _MMSUPPORT_FLAGS {
ULONG SessionSpace : 1;
ULONG BeingTrimmed : 1;
ULONG ProcessInSession : 1;
ULONG SessionLeader : 1;
ULONG TrimHard : 1;
ULONG WorkingSetHard : 1;
ULONG WriteWatch : 1;
ULONG Filler : 25;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
#endif
#if (VER_PRODUCTBUILD >= 3790)
// Guarded mutex (build 3790+), 0x20 bytes: Count, Owner, Contention, an
// embedded KEVENT (0x10 bytes at +0xc) and the saved APC-disable word at
// +0x1c. Offsets in the trailing comments are the original author's and agree
// with the +0xd0/+0xf0 placement of AddressCreationLock in the 3790 EPROCESS.
typedef struct _KGUARDED_MUTEX {
LONG Count;
PKTHREAD Owner; // 0x4
ULONG Contention; // 0x8
KEVENT Event; // 0xc
union {
struct {
USHORT KernelApcDisable; // 0x1c
USHORT SpecialApcDisable; // 0x1e
};
USHORT CombinedApcDisable; // 0x1c
};
} KGUARDED_MUTEX, *PKGUARDED_MUTEX;
// Per-process working-set support block for build 3790, 0x60 bytes (the
// 0x40 offset of Mutex plus a 0x20-byte KGUARDED_MUTEX). Unlike the earlier
// variants, WorkingSetExpansionLinks comes first and the lock is embedded
// rather than held in EPROCESS.
typedef struct _MMSUPPORT {
LIST_ENTRY WorkingSetExpansionLinks;
LARGE_INTEGER LastTrimTime; // 0x8
MMSUPPORT_FLAGS Flags; // 0x10
ULONG PageFaultCount; // 0x14
ULONG PeakWorkingSetSize; // 0x18
ULONG GrowthSinceLastEstimate; // 0x1c
ULONG MinimumWorkingSetSize; // 0x20
ULONG MaximumWorkingSetSize; // 0x24
PMMWSL VmWorkingSetList; // 0x28
ULONG Claim; // 0x2c
ULONG NextEstimationSlot; // 0x30
ULONG NextAgingSlot; // 0x34
ULONG EstimatedAvailable; // 0x38
ULONG WorkingSetSize; //0x3c
KGUARDED_MUTEX Mutex; // 0x40
} MMSUPPORT, *PMMSUPPORT;
#elif (VER_PRODUCTBUILD >= 2600)
// Per-process working-set support block for build 2600 (XP). The flag word is
// a direct MMSUPPORT_FLAGS member (no LongFlags union as on 2195) and the
// working-set lock lives in EPROCESS (WorkingSetLock), not here.
typedef struct _MMSUPPORT {
LARGE_INTEGER LastTrimTime;
MMSUPPORT_FLAGS Flags;
ULONG PageFaultCount;
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG MinimumWorkingSetSize;
ULONG MaximumWorkingSetSize;
PMMWSL VmWorkingSetList;
LIST_ENTRY WorkingSetExpansionLinks;
ULONG Claim;
ULONG NextEstimationSlot;
ULONG NextAgingSlot;
ULONG EstimatedAvailable;
ULONG GrowthSinceLastEstimate;
} MMSUPPORT, *PMMSUPPORT;
#else
// Per-process working-set support block for builds before 2600. On 1381 the
// structure ends after MemoryPriority; build 2195 appends a flags union and
// the estimation slots, so sizeof(MMSUPPORT) differs between the two.
typedef struct _MMSUPPORT {
LARGE_INTEGER LastTrimTime;
ULONG LastTrimFaultCount;
ULONG PageFaultCount;
ULONG PeakWorkingSetSize;
ULONG WorkingSetSize;
ULONG MinimumWorkingSetSize;
ULONG MaximumWorkingSetSize;
PMMWSL VmWorkingSetList;
LIST_ENTRY WorkingSetExpansionLinks;
BOOLEAN AllowWorkingSetAdjustment;
BOOLEAN AddressSpaceBeingDeleted;
UCHAR ForegroundSwitchCount;
UCHAR MemoryPriority;
#if (VER_PRODUCTBUILD >= 2195)
// Same 32 bits viewed as a whole (LongFlags) or as MMSUPPORT_FLAGS bits.
union {
ULONG LongFlags;
MMSUPPORT_FLAGS Flags;
} u;
ULONG Claim;
ULONG NextEstimationSlot;
ULONG NextAgingSlot;
ULONG EstimatedAvailable;
ULONG GrowthSinceLastEstimate;
#endif // (VER_PRODUCTBUILD >= 2195)
} MMSUPPORT, *PMMSUPPORT;
#endif
// Image name captured at process creation for auditing (a single
// POBJECT_NAME_INFORMATION pointer). NOTE(review): this is a snapshot taken at
// creation; it does not track later renames of the image file — TODO confirm.
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
POBJECT_NAME_INFORMATION ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;
// 48-bit SID identifier authority, stored big-endian in six bytes (compare
// SECURITY_WORLD_SID_AUTHORITY = {0,0,0,0,0,1} for authority 1).
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
// Security identifier. SubAuthority[1] is the old-style trailing
// variable-length array: the real size is 8 + 4 * SubAuthorityCount bytes and
// sizeof(SID) is NOT the size of a SID.
// NOTE(review): when a SID arrives in an untrusted buffer, check Revision ==
// SID_REVISION and that 8 + 4 * SubAuthorityCount fits within the buffer length
// before reading SubAuthority[]; never trust SubAuthorityCount alone.
// The pointer typedef is PREAL_SID — PSID (presumably PVOID) is declared elsewhere.
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[1];
} SID, *PREAL_SID;
// Volume bitmap as returned by FSCTL_GET_VOLUME_BITMAP (by name): a start LCN,
// the number of clusters the map covers, and a trailing variable-length bit
// array (Map[1] is the old-style flexible member; allocate
// 16 + (ClustersToEndOfVol + 7) / 8 bytes, not sizeof).
typedef struct _BITMAP_DESCRIPTOR {
ULONGLONG StartLcn;
ULONGLONG ClustersToEndOfVol;
UCHAR Map[1];
} BITMAP_DESCRIPTOR, *PBITMAP_DESCRIPTOR;
// Cache-manager dirty-page bookkeeping for one page range: the bitmap pointer
// is external, and FirstDirtyPage/LastDirtyPage bound the dirty span within it.
typedef struct _BITMAP_RANGE {
LIST_ENTRY Links;
LARGE_INTEGER BasePage;
ULONG FirstDirtyPage;
ULONG LastDirtyPage;
ULONG DirtyPages;
PULONG Bitmap;
} BITMAP_RANGE, *PBITMAP_RANGE;
// Singly-linked list node carrying a KEVENT that is signalled when the cache
// map is torn down (by name); the caller owns the storage and must keep it
// alive until then.
typedef struct _CACHE_UNINITIALIZE_EVENT {
struct _CACHE_UNINITIALIZE_EVENT *Next;
KEVENT Event;
} CACHE_UNINITIALIZE_EVENT, *PCACHE_UNINITIALIZE_EVENT;
// The three sizes the cache manager tracks for a file. The expected invariant
// ValidDataLength <= FileSize <= AllocationSize is the file system's to keep;
// bytes between ValidDataLength and FileSize are read as zero, by convention.
typedef struct _CC_FILE_SIZES {
LARGE_INTEGER AllocationSize;
LARGE_INTEGER FileSize;
LARGE_INTEGER ValidDataLength;
} CC_FILE_SIZES, *PCC_FILE_SIZES;
// Describes a compressed buffer: format/engine word, three shift values giving
// unit, chunk and cluster sizes as powers of two, and a trailing array of
// NumberOfChunks chunk sizes (ANYSIZE_ARRAY = variable length).
// NOTE(review): when this arrives from a caller, check that
// 12 + 4 * NumberOfChunks fits in the supplied length and that the shifts are
// small enough that 1 << shift cannot overflow before using any of them.
typedef struct _COMPRESSED_DATA_INFO {
USHORT CompressionFormatAndEngine;
UCHAR CompressionUnitShift;
UCHAR ChunkShift;
UCHAR ClusterShift;
UCHAR Reserved;
USHORT NumberOfChunks;
ULONG CompressedChunkSizes[ANYSIZE_ARRAY];
} COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;
// Per-process (or per-session) DOS device map: the local and global \??
// directories, a reference count, a 32-bit drive-letter presence mask and one
// drive-type byte per possible letter. DriveMap/DriveType semantics are by
// name; the bit-to-letter mapping is not spelled out here.
typedef struct _DEVICE_MAP {
POBJECT_DIRECTORY DosDevicesDirectory;
POBJECT_DIRECTORY GlobalDosDevicesDirectory;
ULONG ReferenceCount;
ULONG DriveMap;
UCHAR DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP;
// One entry of an object-directory listing: object name and type name as
// counted UNICODE_STRINGs (not NUL-terminated; honour Length, not a scan).
typedef struct _DIRECTORY_BASIC_INFORMATION {
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;
#if (VER_PRODUCTBUILD >= 2600)
// Fast reference: a pointer whose low 3 bits (RefCnt) hold a cached reference
// count. The union overlays a PVOID with a ULONG, so this layout assumes 32-bit
// pointers. To recover the object pointer mask off the low 3 bits
// (Value & ~7); reading Object directly yields a mis-aligned pointer.
// EPROCESS.Token is one of these — see the 3790 EPROCESS below.
typedef struct _EX_FAST_REF {
union {
PVOID Object;
ULONG RefCnt : 3;
ULONG Value;
};
} EX_FAST_REF, *PEX_FAST_REF;
// Push lock word (build 2600+): one ULONG read either as Waiting/Exclusive
// flags plus a 30-bit shared count (1+1+30 = 32), as a raw Value, or as a
// pointer to a wait block when waiters are queued (by name). The PVOID/ULONG
// overlay again assumes 32-bit pointers.
typedef struct _EX_PUSH_LOCK {
union {
struct {
ULONG Waiting : 1;
ULONG Exclusive : 1;
ULONG Shared : 30;
};
ULONG Value;
PVOID Ptr;
};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
// Rundown-protection word (build 2600+): a counter, or a pointer once rundown
// has started (by name); 32-bit pointer assumption as with EX_FAST_REF.
typedef struct _EX_RUNDOWN_REF {
union {
ULONG Count;
PVOID Ptr;
};
} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;
#endif // (VER_PRODUCTBUILD >= 2600)
#if (VER_PRODUCTBUILD >= 3790)
// AVL node for the VAD tree (build 3790+): the Parent pointer's low 2 bits
// are the balance factor, so Parent must be masked (& ~3) before
// dereferencing. StartingVpn/EndingVpn are virtual page numbers, inclusive.
typedef struct _MM_ADDRESS_NODE {
union {
ULONG Balance : 2;
struct _MM_ADDRESS_NODE *Parent; // lower 2 bits of Parent are Balance and must be zeroed to obtain Parent
};
struct _MM_ADDRESS_NODE *LeftChild;
struct _MM_ADDRESS_NODE *RightChild;
ULONG_PTR StartingVpn;
ULONG_PTR EndingVpn;
} MMADDRESS_NODE, *PMMADDRESS_NODE;
// AVL table header (build 3790+), 0x20 bytes: a sentinel root node (0x14),
// a packed word of tree depth / unused / element count (5+3+24 bits), and two
// hint pointers. Embedded at the end of the 3790 EPROCESS as VadRoot, which
// is why EPROCESS ends at 0x258 + 0x20 = 0x278.
typedef struct _MM_AVL_TABLE {
MMADDRESS_NODE BalancedRoot; // Vadroot; incorrectly represents the NULL pages (EndingVpn should be 0xf, etc.)
ULONG DepthOfTree : 5; // 0x14
ULONG Unused : 3;
ULONG NumberGenericTableElements : 24; // total number of nodes
PVOID NodeHint; // 0x18 (0x270 in _EPROCESS)
PVOID NodeFreeHint; // 0x1c
} MM_AVL_TABLE, *PMM_AVL_TABLE;
// Executive process block for build 3790 (Windows Server 2003), 0x278 bytes.
// Offsets in the trailing comments are the original author's; the ones checked
// here (AddressCreationLock +0xd0 → HyperSpaceLock +0xf0, Vm +0x1d8 →
// MmProcessLinks +0x238, VadRoot +0x258 → 0x278) are internally consistent.
// The layout is undocumented and changes between builds and service packs; a
// driver that dereferences it by offset must be pinned to this exact build and
// should use the exported Ps* accessors wherever one exists.
// Security-relevant members, hedged where the file does not say:
//  - Token (+0xc8) is an EX_FAST_REF: mask off the low 3 bits before use.
//  - ObjectTable (+0xc4): the handle table; DebugPort/ExceptionPort/SecurityPort:
//    LPC ports that receive process events (by name).
//  - GrantedAccess (+0x184): by name, the access a thread in this process holds
//    to the process object itself — TODO confirm.
//  - Peb (+0x190) points into user-mode address space and is attacker-writable
//    from within the process; never trust its contents from kernel code.
//  - ImageFileName (+0x154): fixed 16 bytes; do not assume NUL termination.
typedef struct _EPROCESS {
KPROCESS Pcb; // +0x000
EX_PUSH_LOCK ProcessLock; // +0x06c
LARGE_INTEGER CreateTime; // +0x070
LARGE_INTEGER ExitTime; // +0x078
EX_RUNDOWN_REF RundownProtect; // +0x080
ULONG UniqueProcessId; // +0x084
LIST_ENTRY ActiveProcessLinks; // +0x088
ULONG QuotaUsage[3]; // +0x090
ULONG QuotaPeak[3]; // +0x09c
ULONG CommitCharge; // +0x0a8
ULONG PeakVirtualSize; // +0x0ac
ULONG VirtualSize; // +0x0b0
LIST_ENTRY SessionProcessLinks; // +0x0b4
PVOID DebugPort; // +0x0bc
PVOID ExceptionPort; // +0x0c0
PHANDLE_TABLE ObjectTable; // +0x0c4
// Primary token as a fast reference (pointer | 3-bit refcount); see header note.
EX_FAST_REF Token; // +0x0c8
ULONG WorkingSetPage; // +0x0cc
KGUARDED_MUTEX AddressCreationLock; // +0x0d0
ULONG HyperSpaceLock; // +0x0f0
PETHREAD ForkInProgress; // +0x0f4
ULONG HardwareTrigger; // +0x0f8
PMM_AVL_TABLE PhysicalVadRoot; // +0x0fc
PVOID CloneRoot; // +0x100
ULONG NumberOfPrivatePages; // +0x104
ULONG NumberOfLockedPages; // +0x108
PVOID Win32Process; // +0x10c
PEJOB Job; // +0x110
// Untyped here; the 2600 variant declares this PSECTION_OBJECT.
PVOID SectionObject; // +0x114
PVOID SectionBaseAddress; // +0x118
PEPROCESS_QUOTA_BLOCK QuotaBlock; // +0x11c
PPAGEFAULT_HISTORY WorkingSetWatch; // +0x120
PVOID Win32WindowStation; // +0x124
ULONG InheritedFromUniqueProcessId; // +0x128
PVOID LdtInformation; // +0x12c
PVOID VadFreeHint; // +0x130
PVOID VdmObjects; // +0x134
// Untyped here; the 2600 variant declares this PDEVICE_MAP.
PVOID DeviceMap; // +0x138
PVOID Spare0[3]; // +0x13c
// HARDWARE_PTE (not HARDWARE_PTE_X86) is declared elsewhere; the UINT64
// overlay pads the union to 8 bytes so Session lands at +0x150.
union {
HARDWARE_PTE PageDirectoryPte; // +0x148
UINT64 Filler; // +0x148
};
PVOID Session; // +0x150
// Fixed 16-byte name buffer; see header note on termination.
UCHAR ImageFileName[16]; // +0x154
LIST_ENTRY JobLinks; // +0x164
PVOID LockedPagesList; // +0x16c
LIST_ENTRY ThreadListHead; // +0x170
PVOID SecurityPort; // +0x178
PVOID PaeTop; // +0x17c
ULONG ActiveThreads; // +0x180
ULONG GrantedAccess; // +0x184
ULONG DefaultHardErrorProcessing; // +0x188
// NOTE(review): declared SHORT here but NTSTATUS in the 2600 variant; the
// +0x190 offset of Peb holds either way only because of pointer alignment
// padding after a SHORT — TODO confirm the real width for 3790.
SHORT LastThreadExitStatus; // +0x18c
PPEB Peb; // +0x190
EX_FAST_REF PrefetchTrace; // +0x194
LARGE_INTEGER ReadOperationCount; // +0x198
LARGE_INTEGER WriteOperationCount; // +0x1a0
LARGE_INTEGER OtherOperationCount; // +0x1a8
LARGE_INTEGER ReadTransferCount; // +0x1b0
LARGE_INTEGER WriteTransferCount; // +0x1b8
LARGE_INTEGER OtherTransferCount; // +0x1c0
ULONG CommitChargeLimit; // +0x1c8
ULONG CommitChargePeak; // +0x1cc
PVOID AweInfo; // +0x1d0
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // +0x1d4
MMSUPPORT Vm; // +0x1d8
LIST_ENTRY MmProcessLinks; // +0x238
ULONG ModifiedPageCount; // +0x240
ULONG JobStatus; // +0x244
// Process flag word; 25 named bits + 7 unused = 32. BreakOnTermination is,
// by name, the "critical process" bit whose exit takes the system down.
union {
ULONG Flags; // 0x248
struct {
ULONG CreateReported : 1;
ULONG NoDebugInherit : 1;
ULONG ProcessExiting : 1;
ULONG ProcessDelete : 1;
ULONG Wow64SplitPages : 1;
ULONG VmDeleted : 1;
ULONG OutswapEnabled : 1;
ULONG Outswapped : 1;
ULONG ForkFailed : 1;
ULONG Wow64VaSpace4Gb : 1;
ULONG AddressSpaceInitialized : 2;
ULONG SetTimerResolution : 1;
ULONG BreakOnTermination : 1;
ULONG SessionCreationUnderway : 1;
ULONG WriteWatch : 1;
ULONG ProcessInSession : 1;
ULONG OverrideAddressSpace : 1;
ULONG HasAddressSpace : 1;
ULONG LaunchPrefetched : 1;
ULONG InjectInpageErrors : 1;
ULONG VmTopDown : 1;
ULONG ImageNotifyDone : 1;
ULONG PdeUpdateNeeded : 1;
ULONG VdmAllowed : 1;
ULONG Unused : 7;
};
};
NTSTATUS ExitStatus; // +0x24c
USHORT NextPageColor; // +0x250
union {
struct {
UCHAR SubSystemMinorVersion; // +0x252
UCHAR SubSystemMajorVersion; // +0x253
};
USHORT SubSystemVersion; // +0x252
};
UCHAR PriorityClass; // +0x254
// Three bytes of alignment padding precede VadRoot (+0x255..+0x257).
MM_AVL_TABLE VadRoot; // +0x258
} EPROCESS, *PEPROCESS; // 0x278 in total
#elif (VER_PRODUCTBUILD >= 2600)
// Executive process block for the VER_PRODUCTBUILD >= 2600 branch (an
// earlier-build variant with explicit offsets precedes it, a pre-2600
// variant follows). Field order is the in-memory layout: do not reorder.
// Note the spelling CommitChargePeek here versus CommitChargePeak in the
// variant above — it is kept as-is because callers name the member.
typedef struct _EPROCESS {
KPROCESS Pcb; // kernel process block; must stay first
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
ULONG UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONG QuotaUsage[3];
ULONG QuotaPeak[3];
ULONG CommitCharge;
ULONG PeakVirtualSize;
ULONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
PVOID ExceptionPort;
PHANDLE_TABLE ObjectTable;
EX_FAST_REF Token; // primary token, held as a fast reference (not a plain pointer)
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD ForkInProgress;
ULONG HardwareTrigger;
PVOID VadRoot;
PVOID VadHint;
PVOID CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
PVOID Win32Process;
PEJOB Job;
PSECTION_OBJECT SectionObject;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId; // parent PID; typed PVOID here, ULONG/HANDLE in the other variants
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PDEVICE_MAP DeviceMap;
LIST_ENTRY PhysicalVadList;
union {
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler; // widens the union to 8 bytes
};
PVOID Session;
UCHAR ImageFileName[16]; // fixed 16 bytes; NOTE(review): termination not guaranteed here — bound any string use
LIST_ENTRY JobLinks;
PVOID LockedPageList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID PaeTop;
ULONG ActiveThreads;
ULONG GrantedAccess;
ULONG DefaultHardErrorProcessing;
NTSTATUS LastThreadExitStatus;
PPEB Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeek; // sic — see header comment
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT Vm;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
ULONG NumberOfVads;
ULONG JobStatus;
union {
ULONG Flags; // whole-word view of the bit-field below
struct {
ULONG CreateReported : 1;
ULONG NoDebugInherit : 1;
ULONG ProcessExiting : 1;
ULONG ProcessDelete : 1;
ULONG Wow64SplitPages : 1;
ULONG VmDeleted : 1;
ULONG OutswapEnabled : 1;
ULONG Outswapped : 1;
ULONG ForkFailed : 1;
ULONG HasPhysicalVad : 1;
ULONG AddressSpaceInitialized : 2;
ULONG SetTimerResolution : 1;
ULONG BreakOnTermination : 1;
ULONG SessionCreationUnderway : 1;
ULONG WriteWatch : 1;
ULONG ProcessInSession : 1;
ULONG OverrideAddressSpace : 1;
ULONG HasAddressSpace : 1;
ULONG LaunchPrefetched : 1;
ULONG InjectInpageErrors : 1;
ULONG Unused : 11; // 21 named bits + 11 = 32
};
};
NTSTATUS ExitStatus;
USHORT NextPageColor;
union {
struct {
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion; // both bytes as one USHORT
};
UCHAR PriorityClass;
BOOLEAN WorkingSetAcquiredUnsafe;
} EPROCESS, *PEPROCESS;
#else
// Executive process block for builds before 2600 (the #else branch).
// Members are further gated on VER_PRODUCTBUILD 2195, so the layout differs
// between the NT 4.0 and Windows 2000 targets; field order is the memory
// layout and must not be changed.
typedef struct _EPROCESS {
KPROCESS Pcb; // kernel process block; must stay first
NTSTATUS ExitStatus;
KEVENT LockEvent;
ULONG LockCount;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
PKTHREAD LockOwner;
ULONG UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONGLONG QuotaPeakPoolUsage;
ULONGLONG QuotaPoolUsage;
ULONG PagefileUsage;
ULONG CommitCharge;
ULONG PeakPagefileUsage;
ULONG PeakVirtualSize;
ULONGLONG VirtualSize;
MMSUPPORT Vm;
#if (VER_PRODUCTBUILD < 2195)
ULONG LastProtoPteFault;
#else // (VER_PRODUCTBUILD >= 2195)
LIST_ENTRY SessionProcessLinks;
#endif // (VER_PRODUCTBUILD >= 2195)
ULONG DebugPort; // ULONG here, PVOID in the 2600+ variant
ULONG ExceptionPort;
PHANDLE_TABLE ObjectTable;
PACCESS_TOKEN Token; // plain token pointer (EX_FAST_REF in 2600+)
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD ForkInProgress;
USHORT VmOperation;
BOOLEAN ForkWasSuccessful;
UCHAR MmAgressiveWsTrimMask; // sic (member name kept as callers use it)
PKEVENT VmOperationEvent;
#if (VER_PRODUCTBUILD < 2195)
HARDWARE_PTE PageDirectoryPte;
#else // (VER_PRODUCTBUILD >= 2195)
PVOID PaeTop;
#endif // (VER_PRODUCTBUILD >= 2195)
ULONG LastFaultCount;
ULONG ModifiedPageCount;
PVOID VadRoot;
PVOID VadHint;
ULONG CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
USHORT NextPageColor;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
PPEB Peb;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
NTSTATUS LastThreadExitStatus;
PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
HANDLE Win32WindowStation;
HANDLE InheritedFromUniqueProcessId; // parent PID carried as a HANDLE
ACCESS_MASK GrantedAccess;
ULONG DefaultHardErrorProcessing;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
#if (VER_PRODUCTBUILD < 2195)
KMUTANT ProcessMutant;
#else // (VER_PRODUCTBUILD >= 2195)
PDEVICE_MAP DeviceMap;
ULONG SessionId;
LIST_ENTRY PhysicalVadList;
HARDWARE_PTE PageDirectoryPte; // moved here for >= 2195 (above for < 2195)
ULONG Filler;
ULONG PaePageDirectoryPage;
#endif // (VER_PRODUCTBUILD >= 2195)
UCHAR ImageFileName[16]; // fixed 16 bytes; NOTE(review): termination not guaranteed — bound any string use
ULONG VmTrimFaultValue;
UCHAR SetTimerResolution;
UCHAR PriorityClass;
union {
struct {
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion; // both bytes as one USHORT
};
PVOID Win32Process;
#if (VER_PRODUCTBUILD >= 2195)
PEJOB Job;
ULONG JobStatus;
LIST_ENTRY JobLinks;
PVOID LockedPageList;
PVOID SecurityPort;
PWOW64_PROCESS Wow64Process;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeek; // sic — spelled CommitChargePeak in the offset-annotated variant
LIST_ENTRY ThreadListHead;
PRTL_BITMAP VadPhysicalPagesBitMap;
ULONG VadPhysicalPages;
ULONG AweLock;
#endif // (VER_PRODUCTBUILD >= 2195)
} EPROCESS, *PEPROCESS;
#endif
#if (VER_PRODUCTBUILD >= 2600)
// Executive thread block for VER_PRODUCTBUILD >= 2600. Several members are
// unions that reuse the same storage for mutually exclusive purposes (e.g.
// ExitTime vs. LPC/keyed-wait chains); which view is valid depends on thread
// state and is not encoded here. Field order is the memory layout.
typedef struct _ETHREAD {
KTHREAD Tcb; // kernel thread block; must stay first
union {
LARGE_INTEGER CreateTime;
struct {
ULONG NestedFaultCount : 2; // overlays the low bits of CreateTime
ULONG ApcNeeded : 1;
};
};
union {
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
LIST_ENTRY KeyedWaitChain;
};
union {
NTSTATUS ExitStatus;
PVOID OfsChain;
};
LIST_ENTRY PostBlockList;
union {
PTERMINATION_PORT TerminationPort;
PETHREAD ReaperLink;
PVOID KeyedWaitValue;
};
KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid;
union {
KSEMAPHORE LpcReplySemaphore;
KSEMAPHORE KeyedWaitSemaphore;
};
union {
PLPC_MESSAGE LpcReplyMessage;
PVOID LpcWaitingOnPort;
};
PPS_IMPERSONATION_INFORMATION ImpersonationInfo; // see PS_IMPERSONATION_INFORMATION below
LIST_ENTRY IrpList;
ULONG TopLevelIrp;
PDEVICE_OBJECT DeviceToVerify;
PEPROCESS ThreadsProcess;
PKSTART_ROUTINE StartAddress;
union {
PVOID Win32StartAddress;
ULONG LpcReceivedMessageId;
};
LIST_ENTRY ThreadListEntry;
EX_RUNDOWN_REF RundownProtect;
EX_PUSH_LOCK ThreadLock;
ULONG LpcReplyMessageId;
ULONG ReadClusterSize;
ACCESS_MASK GrantedAccess;
union {
ULONG CrossThreadFlags; // whole-word view of the bits below
struct {
ULONG Terminated : 1;
ULONG DeadThread : 1;
ULONG HideFromDebugger : 1;
ULONG ActiveImpersonationInfo : 1;
ULONG SystemThread : 1;
ULONG HardErrorsAreDisabled : 1;
ULONG BreakOnTermination : 1;
ULONG SkipCreationMsg : 1;
ULONG SkipTerminationMsg : 1;
};
};
union {
ULONG SameThreadPassiveFlags;
struct {
ULONG ActiveExWorker : 1;
ULONG ExWorkerCanWaitUser : 1;
ULONG MemoryMaker : 1;
ULONG KeyedEventInUse : 1;
};
};
union {
ULONG SameThreadApcFlags;
struct {
BOOLEAN LpcReceivedMsgIdValid : 1; // BOOLEAN bit-fields; the ULONG alias covers the whole word
BOOLEAN LpcExitThreadCalled : 1;
BOOLEAN AddressSpaceOwner : 1;
};
};
BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
} ETHREAD, *PETHREAD;
#else
// Executive thread block for builds before 2600; members gated on
// VER_PRODUCTBUILD 2195 differ between NT 4.0 and Windows 2000 targets.
// Field order is the memory layout.
typedef struct _ETHREAD {
KTHREAD Tcb; // kernel thread block; must stay first
LARGE_INTEGER CreateTime;
union {
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
};
union {
NTSTATUS ExitStatus;
PVOID OfsChain;
};
LIST_ENTRY PostBlockList;
LIST_ENTRY TerminationPortList;
KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid;
KSEMAPHORE LpcReplySemaphore;
PLPC_MESSAGE LpcReplyMessage;
ULONG LpcReplyMessageId;
ULONG PerformanceCountLow;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
LIST_ENTRY IrpList;
PVOID TopLevelIrp; // PVOID here, ULONG in the 2600+ variant
PDEVICE_OBJECT DeviceToVerify;
ULONG ReadClusterSize;
BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
BOOLEAN DeadThread;
#if (VER_PRODUCTBUILD >= 2195)
BOOLEAN HideFromDebugger;
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD < 2195)
BOOLEAN HasTerminated;
#else // (VER_PRODUCTBUILD >= 2195)
ULONG HasTerminated; // same name, different width by build
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD < 2195)
PKEVENT_PAIR EventPair;
#endif // (VER_PRODUCTBUILD < 2195)
ACCESS_MASK GrantedAccess;
PEPROCESS ThreadsProcess;
PKSTART_ROUTINE StartAddress;
union {
PVOID Win32StartAddress;
ULONG LpcReceivedMessageId;
};
BOOLEAN LpcExitThreadCalled;
BOOLEAN HardErrorsAreDisabled;
BOOLEAN LpcReceivedMsgIdValid;
BOOLEAN ActiveImpersonationInfo;
ULONG PerformanceCountHigh;
#if (VER_PRODUCTBUILD >= 2195)
LIST_ENTRY ThreadListEntry;
#endif // (VER_PRODUCTBUILD >= 2195)
} ETHREAD, *PETHREAD;
#endif
// One quota counter: current usage, limit, high-water mark and a Return
// field (meaning not stated here).
typedef struct _EPROCESS_QUOTA_ENTRY {
ULONG Usage;
ULONG Limit;
ULONG Peak;
ULONG Return;
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;
// Quota block shared by processes (EPROCESS.QuotaBlock); holds three
// EPROCESS_QUOTA_ENTRY counters plus list linkage and reference/process counts.
typedef struct _EPROCESS_QUOTA_BLOCK {
EPROCESS_QUOTA_ENTRY QuotaEntry[3];
LIST_ENTRY QuotaList;
ULONG ReferenceCount;
ULONG ProcessCount;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;
// Singly linked SEH registration node: Next points at the previous record,
// Handler at the handler routine (typed PVOID here).
typedef struct _EXCEPTION_REGISTRATION_RECORD {
struct _EXCEPTION_REGISTRATION_RECORD *Next;
PVOID Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
/*
* When needing these parameters cast your PIO_STACK_LOCATION to
* PEXTENDED_IO_STACK_LOCATION
*/
#if !defined(_ALPHA_)
#include <pshpack4.h>
#endif
// Overlay of IO_STACK_LOCATION exposing request-specific Parameters unions
// not in the public DDK view; packed to 4 on non-Alpha via pshpack4.h
// (see the surrounding includes). The leading four UCHARs exist only so
// Parameters lands at the same offset as in IO_STACK_LOCATION.
typedef struct _EXTENDED_IO_STACK_LOCATION {
/* Included for padding */
UCHAR MajorFunction;
UCHAR MinorFunction;
UCHAR Flags;
UCHAR Control;
union {
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT Reserved;
USHORT ShareAccess;
PMAILSLOT_CREATE_PARAMETERS Parameters;
} CreateMailslot;
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT Reserved;
USHORT ShareAccess;
PNAMED_PIPE_CREATE_PARAMETERS Parameters;
} CreatePipe;
struct {
ULONG OutputBufferLength;
ULONG InputBufferLength;
ULONG FsControlCode;
PVOID Type3InputBuffer; // METHOD_NEITHER input: caller-supplied address, presumably unvalidated — probe before use
} FileSystemControl;
struct {
PLARGE_INTEGER Length;
ULONG Key;
LARGE_INTEGER ByteOffset;
} LockControl;
struct {
ULONG Length;
ULONG CompletionFilter;
} NotifyDirectory;
struct {
ULONG Length;
PUNICODE_STRING FileName;
FILE_INFORMATION_CLASS FileInformationClass;
ULONG FileIndex;
} QueryDirectory;
struct {
ULONG Length;
PVOID EaList;
ULONG EaListLength;
ULONG EaIndex;
} QueryEa;
struct {
ULONG Length;
PSID StartSid;
PFILE_GET_QUOTA_INFORMATION SidList;
ULONG SidListLength;
} QueryQuota;
struct {
ULONG Length;
} SetEa;
struct {
ULONG Length;
} SetQuota;
struct {
ULONG Length;
FS_INFORMATION_CLASS FsInformationClass;
} SetVolume;
} Parameters;
} EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION;
#if !defined(_ALPHA_)
#include <poppack.h>
#endif
// FileAccessInformation: the access mask granted on the handle.
typedef struct _FILE_ACCESS_INFORMATION {
ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
// FileAllocationInformation: allocation size of the file.
typedef struct _FILE_ALLOCATION_INFORMATION {
LARGE_INTEGER AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
// Directory enumeration record (FileBothDirectoryInformation). Records are
// chained by NextEntryOffset; FileName[1] is a placeholder for a name of
// FileNameLength (units not stated here — presumably bytes; confirm against
// the DDK). A walker should check NextEntryOffset and FileNameLength against
// the enclosing buffer before dereferencing.
typedef struct _FILE_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName[12]; // 8.3 name, not NUL-terminated (length in ShortNameLength)
WCHAR FileName[1]; // variable length
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
// FileCompletionInformation: I/O completion port handle and per-file key.
typedef struct _FILE_COMPLETION_INFORMATION {
HANDLE Port;
ULONG Key;
} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
// FileCompressionInformation: compressed size plus format and the three
// shift values describing compression unit, chunk and cluster sizes.
typedef struct _FILE_COMPRESSION_INFORMATION {
LARGE_INTEGER CompressedFileSize;
USHORT CompressionFormat;
UCHAR CompressionUnitShift;
UCHAR ChunkShift;
UCHAR ClusterShift;
UCHAR Reserved[3]; // pads to an 8-byte multiple
} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
// Same shape as FILE_RENAME_INFORMATION / FILE_LINK_INFORMATION below:
// flag, optional root directory handle, then a variable-length name.
typedef struct _FILE_COPY_ON_WRITE_INFORMATION {
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1]; // variable length, FileNameLength gives the size
} FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION;
// Directory enumeration record (FileDirectoryInformation); chained by
// NextEntryOffset, FileName[1] is a FileNameLength-sized placeholder.
typedef struct _FILE_DIRECTORY_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
WCHAR FileName[1]; // variable length
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
// FileEaInformation: size of the file's extended attributes.
typedef struct _FILE_EA_INFORMATION {
ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
// FileFsAttributeInformation: volume capability flags, longest component
// name, and a variable-length file system name.
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
ULONG FileSystemAttributes;
ULONG MaximumComponentNameLength;
ULONG FileSystemNameLength;
WCHAR FileSystemName[1]; // variable length, FileSystemNameLength gives the size
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
// FileFsControlInformation: free-space filtering thresholds, default quota
// values and control flags for the volume.
typedef struct _FILE_FS_CONTROL_INFORMATION {
LARGE_INTEGER FreeSpaceStartFiltering;
LARGE_INTEGER FreeSpaceThreshold;
LARGE_INTEGER FreeSpaceStopFiltering;
LARGE_INTEGER DefaultQuotaThreshold;
LARGE_INTEGER DefaultQuotaLimit;
ULONG FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
// FileFsFullSizeInformation: like FILE_FS_SIZE_INFORMATION but splits
// available units into caller-visible and actual counts (quota-aware).
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
LARGE_INTEGER TotalAllocationUnits;
LARGE_INTEGER CallerAvailableAllocationUnits;
LARGE_INTEGER ActualAvailableAllocationUnits;
ULONG SectorsPerAllocationUnit;
ULONG BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
// FileFsLabelInformation: variable-length volume label.
typedef struct _FILE_FS_LABEL_INFORMATION {
ULONG VolumeLabelLength;
WCHAR VolumeLabel[1]; // variable length
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
#if (VER_PRODUCTBUILD >= 2195)
// FileFsObjectIdInformation (Windows 2000 and later builds): 16-byte volume
// object id plus 48 bytes of extended info, both opaque here.
typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
UCHAR ObjectId[16];
UCHAR ExtendedInfo[48];
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
#endif // (VER_PRODUCTBUILD >= 2195)
// FileFsSizeInformation: volume geometry and free space in allocation units.
typedef struct _FILE_FS_SIZE_INFORMATION {
LARGE_INTEGER TotalAllocationUnits;
LARGE_INTEGER AvailableAllocationUnits;
ULONG SectorsPerAllocationUnit;
ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
// FileFsVolumeInformation: creation time, serial number, object-id support
// flag and a variable-length label.
typedef struct _FILE_FS_VOLUME_INFORMATION {
LARGE_INTEGER VolumeCreationTime;
ULONG VolumeSerialNumber;
ULONG VolumeLabelLength;
BOOLEAN SupportsObjects;
WCHAR VolumeLabel[1]; // variable length, VolumeLabelLength gives the size
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
// Directory enumeration record (FileFullDirectoryInformation): the
// FILE_DIRECTORY_INFORMATION fields plus EaSize; chained by NextEntryOffset.
typedef struct _FILE_FULL_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
WCHAR FileName[1]; // variable length
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
// EA name list entry (QueryEa.EaList): chained by NextEntryOffset; EaName is
// a CHAR (not WCHAR) placeholder of EaNameLength characters.
typedef struct _FILE_GET_EA_INFORMATION {
ULONG NextEntryOffset;
UCHAR EaNameLength;
CHAR EaName[1]; // variable length
} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;
// Quota query SID list entry (QueryQuota.SidList): chained by
// NextEntryOffset; Sid is the start of a variable-length SID of SidLength.
typedef struct _FILE_GET_QUOTA_INFORMATION {
ULONG NextEntryOffset;
ULONG SidLength;
SID Sid; // variable length; SidLength bounds it
} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;
// FILE_BOTH_DIR_INFORMATION plus a 64-bit FileId inserted before FileName;
// chained by NextEntryOffset, FileName[1] is a variable-length placeholder.
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName[12]; // 8.3 name, length in ShortNameLength
LARGE_INTEGER FileId;
WCHAR FileName[1]; // variable length
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
// FILE_FULL_DIR_INFORMATION plus a 64-bit FileId before FileName; chained by
// NextEntryOffset.
typedef struct _FILE_ID_FULL_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
LARGE_INTEGER FileId;
WCHAR FileName[1]; // variable length
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
// FileInternalInformation: the file system's 64-bit index number for the file.
typedef struct _FILE_INTERNAL_INFORMATION {
LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
// FileLinkInformation: flag, optional root directory handle and a
// variable-length target name (same layout as FILE_RENAME_INFORMATION).
typedef struct _FILE_LINK_INFORMATION {
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1]; // variable length, FileNameLength gives the size
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
// Byte-range lock description used by the FsRtl lock package: range as
// start/length (EndingByte is carried separately), exclusivity, key, and the
// owning file object and process.
typedef struct _FILE_LOCK_INFO {
LARGE_INTEGER StartingByte;
LARGE_INTEGER Length;
BOOLEAN ExclusiveLock;
ULONG Key;
PFILE_OBJECT FileObject;
PEPROCESS Process;
LARGE_INTEGER EndingByte;
} FILE_LOCK_INFO, *PFILE_LOCK_INFO;
// raw internal file lock struct returned from FsRtlGetNextFileLock
// Internal shared-lock node wrapping a FILE_LOCK_INFO; the two leading
// pointers are undocumented here.
typedef struct _FILE_SHARED_LOCK_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
FILE_LOCK_INFO FileLock;
} FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY;
// raw internal file lock struct returned from FsRtlGetNextFileLock
// Internal exclusive-lock node: list linkage, two undocumented pointers and
// the FILE_LOCK_INFO payload.
typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY {
LIST_ENTRY ListEntry;
PVOID Unknown1;
PVOID Unknown2;
FILE_LOCK_INFO FileLock;
} FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY;
// Callback stored in FILE_LOCK.CompleteLockIrpRoutine: completes a lock IRP
// given the caller's Context; returns an NTSTATUS.
typedef NTSTATUS (*PCOMPLETE_LOCK_IRP_ROUTINE) (
IN PVOID Context,
IN PIRP Irp
);
// Callback stored in FILE_LOCK.UnlockRoutine: notified with the
// FILE_LOCK_INFO of a range being released.
typedef VOID (*PUNLOCK_ROUTINE) (
IN PVOID Context,
IN PFILE_LOCK_INFO FileLockInfo
);
// FsRtl byte-range lock context: the two callbacks, a fast-I/O hint, the
// opaque LockInformation and a cache of the last lock returned.
typedef struct _FILE_LOCK {
PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine;
PUNLOCK_ROUTINE UnlockRoutine;
BOOLEAN FastIoIsQuestionable;
BOOLEAN Pad[3]; // explicit padding to keep LockInformation aligned
PVOID LockInformation;
FILE_LOCK_INFO LastReturnedLockInfo;
PVOID LastReturnedLock;
} FILE_LOCK, *PFILE_LOCK;
// Mailslot peek result: bytes available, message count, next message length.
typedef struct _FILE_MAILSLOT_PEEK_BUFFER {
ULONG ReadDataAvailable;
ULONG NumberOfMessages;
ULONG MessageLength;
} FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER;
// FileMailslotQueryInformation: limits, pending-message state and read timeout.
typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
ULONG MaximumMessageSize;
ULONG MailslotQuota;
ULONG NextMessageSize;
ULONG MessagesAvailable;
LARGE_INTEGER ReadTimeout;
} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
// FileMailslotSetInformation: pointer to the new read timeout.
typedef struct _FILE_MAILSLOT_SET_INFORMATION {
PLARGE_INTEGER ReadTimeout;
} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
// FileModeInformation: open-mode flags of the handle.
typedef struct _FILE_MODE_INFORMATION {
ULONG Mode;
} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
// This structure is included in the Windows 2000 DDK but is missing from the
// Windows NT 4.0 DDK
#if (VER_PRODUCTBUILD < 2195)
// FileNameInformation: variable-length file name. Defined here only for
// NT 4.0 targets; later DDKs already declare it (see the comment above).
typedef struct _FILE_NAME_INFORMATION {
ULONG FileNameLength;
WCHAR FileName[1]; // variable length
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
#endif // (VER_PRODUCTBUILD < 2195)
// FileAllInformation: aggregate of the individual info classes, ending with
// the variable-length FILE_NAME_INFORMATION (so the whole struct is
// variable-length and must be last in any buffer).
typedef struct _FILE_ALL_INFORMATION {
FILE_BASIC_INFORMATION BasicInformation;
FILE_STANDARD_INFORMATION StandardInformation;
FILE_INTERNAL_INFORMATION InternalInformation;
FILE_EA_INFORMATION EaInformation;
FILE_ACCESS_INFORMATION AccessInformation;
FILE_POSITION_INFORMATION PositionInformation;
FILE_MODE_INFORMATION ModeInformation;
FILE_ALIGNMENT_INFORMATION AlignmentInformation;
FILE_NAME_INFORMATION NameInformation; // variable length; keep last
} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
// Minimal directory enumeration record (FileNamesInformation): index and
// name only; chained by NextEntryOffset.
typedef struct _FILE_NAMES_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
ULONG FileNameLength;
WCHAR FileName[1]; // variable length
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
// Directory change notification record: Action code and the affected name,
// chained by NextEntryOffset. Consumers receive these from the file system
// and should bound NextEntryOffset and FileNameLength by the buffer length
// before walking or copying.
typedef struct _FILE_NOTIFY_INFORMATION {
ULONG NextEntryOffset;
ULONG Action;
ULONG FileNameLength;
WCHAR FileName[1]; // variable length
} FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION;
// FileObjectIdInformation: file reference, 16-byte object id, and 48 bytes
// of extended info viewable either raw or as three 16-byte ids.
typedef struct _FILE_OBJECTID_INFORMATION {
LONGLONG FileReference;
UCHAR ObjectId[16];
union {
struct {
UCHAR BirthVolumeId[16];
UCHAR BirthObjectId[16];
UCHAR DomainId[16];
} ;
UCHAR ExtendedInfo[48]; // same 48 bytes as the three ids above
};
} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;
// OLE class id of a file (embedded in the FILE_OLE_* records below).
typedef struct _FILE_OLE_CLASSID_INFORMATION {
GUID ClassId;
} FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION;
// OLE variant of FILE_ALL_INFORMATION: the standard info classes, USN and
// OLE/object-id/storage fields, then the variable-length name (must be last).
typedef struct _FILE_OLE_ALL_INFORMATION {
FILE_BASIC_INFORMATION BasicInformation;
FILE_STANDARD_INFORMATION StandardInformation;
FILE_INTERNAL_INFORMATION InternalInformation;
FILE_EA_INFORMATION EaInformation;
FILE_ACCESS_INFORMATION AccessInformation;
FILE_POSITION_INFORMATION PositionInformation;
FILE_MODE_INFORMATION ModeInformation;
FILE_ALIGNMENT_INFORMATION AlignmentInformation;
USN LastChangeUsn;
USN ReplicationUsn;
LARGE_INTEGER SecurityChangeTime;
FILE_OLE_CLASSID_INFORMATION OleClassIdInformation;
FILE_OBJECTID_INFORMATION ObjectIdInformation;
FILE_STORAGE_TYPE StorageType;
ULONG OleStateBits;
ULONG OleId;
ULONG NumberOfStreamReferences;
ULONG StreamIndex;
ULONG SecurityId;
BOOLEAN ContentIndexDisable;
BOOLEAN InheritContentIndexDisable;
FILE_NAME_INFORMATION NameInformation; // variable length; keep last
} FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION;
// OLE directory enumeration record: FILE_DIRECTORY_INFORMATION fields plus
// storage type, class id and state bits; chained by NextEntryOffset.
typedef struct _FILE_OLE_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
FILE_STORAGE_TYPE StorageType;
GUID OleClassId;
ULONG OleStateBits;
BOOLEAN ContentIndexDisable;
BOOLEAN InheritContentIndexDisable;
WCHAR FileName[1]; // variable length
} FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;
// FileOleInformation: the OLE-specific subset of FILE_OLE_ALL_INFORMATION.
typedef struct _FILE_OLE_INFORMATION {
LARGE_INTEGER SecurityChangeTime;
FILE_OLE_CLASSID_INFORMATION OleClassIdInformation;
FILE_OBJECTID_INFORMATION ObjectIdInformation;
FILE_STORAGE_TYPE StorageType;
ULONG OleStateBits;
BOOLEAN ContentIndexDisable;
BOOLEAN InheritContentIndexDisable;
} FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION;
// Set OLE state bits under a mask (only masked bits are changed).
typedef struct _FILE_OLE_STATE_BITS_INFORMATION {
ULONG StateBits;
ULONG StateBitsMask;
} FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION;
// Named pipe FSCTL buffer: event handle to signal and the key reported with it.
typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER {
HANDLE EventHandle;
ULONG KeyValue;
} FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER;
// Named pipe client identity: session and process, both opaque pointers here.
typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER {
PVOID ClientSession;
PVOID ClientProcess;
} FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER;
// Named pipe event record: pipe state, entry type, byte count, key and
// outstanding request count.
typedef struct _FILE_PIPE_EVENT_BUFFER {
ULONG NamedPipeState;
ULONG EntryType;
ULONG ByteCount;
ULONG KeyValue;
ULONG NumberRequests;
} FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER;
// FilePipeInformation: read mode and completion (blocking) mode of the handle.
typedef struct _FILE_PIPE_INFORMATION {
ULONG ReadMode;
ULONG CompletionMode;
} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
// FilePipeLocalInformation: pipe type/configuration, instance counts,
// quotas and available data, state, and which end this handle is.
typedef struct _FILE_PIPE_LOCAL_INFORMATION {
ULONG NamedPipeType;
ULONG NamedPipeConfiguration;
ULONG MaximumInstances;
ULONG CurrentInstances;
ULONG InboundQuota;
ULONG ReadDataAvailable;
ULONG OutboundQuota;
ULONG WriteQuotaAvailable;
ULONG NamedPipeState;
ULONG NamedPipeEnd;
} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
// Named pipe peek result: state and counts followed by a variable-length
// copy of pending data (Data[1] is a placeholder; the output buffer length,
// not MessageLength alone, bounds how much is present).
typedef struct _FILE_PIPE_PEEK_BUFFER {
ULONG NamedPipeState;
ULONG ReadDataAvailable;
ULONG NumberOfMessages;
ULONG MessageLength;
CHAR Data[1]; // variable length
} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER;
// FilePipeRemoteInformation: data-collection timeout and maximum count.
typedef struct _FILE_PIPE_REMOTE_INFORMATION {
LARGE_INTEGER CollectDataTime;
ULONG MaximumCollectionCount;
} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
// Wait-for-pipe request: optional timeout and the variable-length pipe name.
typedef struct _FILE_PIPE_WAIT_FOR_BUFFER {
LARGE_INTEGER Timeout;
ULONG NameLength;
BOOLEAN TimeoutSpecified; // when FALSE, Timeout is presumably ignored — confirm
WCHAR Name[1]; // variable length, NameLength gives the size
} FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER;
// Per-SID quota record: chained by NextEntryOffset; Sid is the start of a
// variable-length SID of SidLength, so the struct is variable-length.
typedef struct _FILE_QUOTA_INFORMATION {
ULONG NextEntryOffset;
ULONG SidLength;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER QuotaUsed;
LARGE_INTEGER QuotaThreshold;
LARGE_INTEGER QuotaLimit;
SID Sid; // variable length; SidLength bounds it
} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;
// FileRenameInformation: replace flag, optional root directory handle and
// the variable-length new name.
typedef struct _FILE_RENAME_INFORMATION {
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1]; // variable length, FileNameLength gives the size
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
// Stream enumeration record: chained by NextEntryOffset; sizes plus a
// variable-length stream name.
typedef struct _FILE_STREAM_INFORMATION {
ULONG NextEntryOffset;
ULONG StreamNameLength;
LARGE_INTEGER StreamSize;
LARGE_INTEGER StreamAllocationSize;
WCHAR StreamName[1]; // variable length
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
// FileTrackingInformation: destination handle and variable-length opaque
// object information.
typedef struct _FILE_TRACKING_INFORMATION {
HANDLE DestinationFile;
ULONG ObjectInformationLength;
CHAR ObjectInformation[1]; // variable length
} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
// Common header every file system FCB must begin with: node type/size,
// flags, the two ERESOURCEs, and the three file sizes. Flags2/Reserved exist
// only from build 1381 on, so the Resource offset differs before that.
typedef struct _FSRTL_COMMON_FCB_HEADER {
CSHORT NodeTypeCode;
CSHORT NodeByteSize;
UCHAR Flags;
UCHAR IsFastIoPossible;
#if (VER_PRODUCTBUILD >= 1381)
UCHAR Flags2;
UCHAR Reserved;
#endif // (VER_PRODUCTBUILD >= 1381)
PERESOURCE Resource;
PERESOURCE PagingIoResource;
LARGE_INTEGER AllocationSize;
LARGE_INTEGER FileSize;
LARGE_INTEGER ValidDataLength;
} FSRTL_COMMON_FCB_HEADER, *PFSRTL_COMMON_FCB_HEADER;
// State carried across calls that generate 8.3 short names: checksum, the
// 8-char name and 4-char extension buffers (fixed size, not NUL-terminated
// here), and the last numeric suffix used.
typedef struct _GENERATE_NAME_CONTEXT {
USHORT Checksum;
BOOLEAN CheckSumInserted;
UCHAR NameLength;
WCHAR NameBuffer[8];
ULONG ExtensionLength;
WCHAR ExtensionBuffer[4];
ULONG LastIndexValue;
} GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT;
// Per-object open-handle record. The union is either the owning process or,
// in the first record, a count of HANDLE_INFO records that follow.
typedef struct _HANDLE_INFO { // Information about open handles
union {
PEPROCESS Process; // Pointer to PEPROCESS owning the Handle
ULONG Count; // Count of HANDLE_INFO structures following this structure
} HandleInfo;
USHORT HandleCount;
} HANDLE_INFO, *PHANDLE_INFO;
// Side info for a handle table entry: the audit mask.
typedef struct _HANDLE_TABLE_ENTRY_INFO {
ULONG AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
// One slot of a process handle table. The first union overlays the object
// pointer with attribute bits, an info-table pointer and a raw Value view of
// the same word (presumably low pointer bits carry the attributes — confirm);
// the second overlays granted access with the free-list link.
typedef struct _HANDLE_TABLE_ENTRY {
union {
PVOID Object;
ULONG ObAttributes;
PHANDLE_TABLE_ENTRY_INFO InfoTable;
ULONG Value;
};
union {
ULONG GrantedAccess;
USHORT GrantedAccessIndex;
LONG NextFreeTableEntry; // valid when the slot is free
};
USHORT CreatorBackTraceIndex;
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
// Virtual-cluster to logical-cluster mapping pair (retrieval pointers).
typedef struct _MAPPING_PAIR {
ULONGLONG Vcn;
ULONGLONG Lcn;
} MAPPING_PAIR, *PMAPPING_PAIR;
// Retrieval pointers result: NumberOfPairs MAPPING_PAIRs starting at StartVcn;
// Pair[1] is a variable-length placeholder.
typedef struct _GET_RETRIEVAL_DESCRIPTOR {
ULONG NumberOfPairs;
ULONGLONG StartVcn;
MAPPING_PAIR Pair[1]; // variable length
} GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR;
// Initial thread stack description; only StackTop/StackBase are named, the
// remaining members are unknown here.
typedef struct _INITIAL_TEB {
ULONG Unknown_1;
ULONG Unknown_2;
PVOID StackTop;
PVOID StackBase;
PVOID Unknown_3;
} INITIAL_TEB, *PINITIAL_TEB;
// Singly linked driver-object extension node, keyed by ClientIdentificationAddress.
typedef struct _IO_CLIENT_EXTENSION {
struct _IO_CLIENT_EXTENSION *NextExtension;
PVOID ClientIdentificationAddress;
} IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION;
// Completion port query: queue depth (signed LONG).
typedef struct _IO_COMPLETION_BASIC_INFORMATION {
LONG Depth;
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
// Event pair object (referenced by the pre-2195 ETHREAD.EventPair): type/size
// header followed by two KEVENTs.
typedef struct _KEVENT_PAIR {
USHORT Type;
USHORT Size;
KEVENT Event1;
KEVENT Event2;
} KEVENT_PAIR, *PKEVENT_PAIR;
// Kernel interrupt object: service routine and context, the spin lock used
// (ActualLock may point elsewhere), vector/IRQL settings, counters, and a
// DispatchCode area that holds executable dispatch stub code (106 ULONGs).
typedef struct _KINTERRUPT {
CSHORT Type;
CSHORT Size;
LIST_ENTRY InterruptListEntry;
PKSERVICE_ROUTINE ServiceRoutine;
PVOID ServiceContext;
KSPIN_LOCK SpinLock;
ULONG TickCount;
PKSPIN_LOCK ActualLock;
PVOID DispatchAddress;
ULONG Vector;
KIRQL Irql;
KIRQL SynchronizeIrql;
BOOLEAN FloatingSave;
BOOLEAN Connected;
CHAR Number;
UCHAR ShareVector;
KINTERRUPT_MODE Mode;
ULONG ServiceCount;
ULONG DispatchCount;
ULONG DispatchCode[106]; // NOTE(review): presumably in-object code template — confirm; treat as non-data
} KINTERRUPT, *PKINTERRUPT;
// Kernel queue object: dispatcher header, entry list, active/maximum thread
// counts and the list of waiting threads.
typedef struct _KQUEUE {
DISPATCHER_HEADER Header;
LIST_ENTRY EntryListHead;
ULONG CurrentCount;
ULONG MaximumCount;
LIST_ENTRY ThreadListHead;
} KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE;
// FsRtl large mapping control block: mutex, pair capacity/count, the pool
// type Mapping was allocated from, and the opaque Mapping array.
typedef struct _LARGE_MCB {
PFAST_MUTEX FastMutex;
ULONG MaximumPairCount;
ULONG PairCount;
POOL_TYPE PoolType;
PVOID Mapping;
} LARGE_MCB, *PLARGE_MCB;
// LPC message header followed by variable-length Data. DataSize and
// MessageSize are supplied by the sender; a receiver should validate them
// against the received length before indexing Data.
typedef struct _LPC_MESSAGE {
USHORT DataSize;
USHORT MessageSize;
USHORT MessageType;
USHORT VirtualRangesOffset;
CLIENT_ID ClientId;
ULONG MessageId;
ULONG SectionSize;
UCHAR Data[1]; // variable length
} LPC_MESSAGE, *PLPC_MESSAGE;
// LPC client-side view of a shared section: Length, size and base of the view.
typedef struct _LPC_SECTION_READ {
ULONG Length;
ULONG ViewSize;
PVOID ViewBase;
} LPC_SECTION_READ, *PLPC_SECTION_READ;
// LPC server-side section mapping request: section handle/offset/size, and
// the view bases on this and the target side.
typedef struct _LPC_SECTION_WRITE {
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
ULONG ViewSize;
PVOID ViewBase;
PVOID TargetViewBase;
} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;
// Create-mailslot parameters (EXTENDED_IO_STACK_LOCATION.CreateMailslot):
// quota, max message size and an optional read timeout.
typedef struct _MAILSLOT_CREATE_PARAMETERS {
ULONG MailslotQuota;
ULONG MaximumMessageSize;
LARGE_INTEGER ReadTimeout;
BOOLEAN TimeoutSpecified;
} MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS;
// Cache manager mask BCB: dirty-page bookkeeping with a list of bitmap
// ranges and three inline BITMAP_RANGE slots.
typedef struct _MBCB {
CSHORT NodeTypeCode;
CSHORT NodeIsInZone;
ULONG PagesToWrite;
ULONG DirtyPages;
ULONG Reserved;
LIST_ENTRY BitmapRanges;
LONGLONG ResumeWritePage;
BITMAP_RANGE BitmapRange1;
BITMAP_RANGE BitmapRange2;
BITMAP_RANGE BitmapRange3;
} MBCB, *PMBCB;
// Legacy MCB: a thin wrapper around LARGE_MCB.
typedef struct _MCB {
LARGE_MCB LargeMcb;
} MCB, *PMCB;
// Defragmentation move request: file handle, source VCN, target LCN and
// cluster count; Reserved fields pad the 64-bit members.
typedef struct _MOVEFILE_DESCRIPTOR {
HANDLE FileHandle;
ULONG Reserved;
LARGE_INTEGER StartVcn;
LARGE_INTEGER TargetLcn;
ULONG NumVcns;
ULONG Reserved1;
} MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR;
// Create-pipe parameters (EXTENDED_IO_STACK_LOCATION.CreatePipe): pipe
// type/modes, instance limit, quotas and an optional default timeout.
typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
ULONG NamedPipeType;
ULONG ReadMode;
ULONG CompletionMode;
ULONG MaximumInstances;
ULONG InboundQuota;
ULONG OutboundQuota;
LARGE_INTEGER DefaultTimeout;
BOOLEAN TimeoutSpecified;
} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;
// Pool/pagefile quota block (referenced from OBJECT_HEADER): spin lock,
// reference count, and usage/peak/limit for non-paged pool, paged pool and
// pagefile.
typedef struct _QUOTA_BLOCK {
KSPIN_LOCK QuotaLock;
ULONG ReferenceCount; // Number of processes using this block
ULONG PeakNonPagedPoolUsage;
ULONG PeakPagedPoolUsage;
ULONG NonPagedpoolUsage; // sic (lower-case "pool"); name kept for callers
ULONG PagedPoolUsage;
ULONG NonPagedPoolLimit;
ULONG PagedPoolLimit;
ULONG PeakPagefileUsage;
ULONG PagefileUsage;
ULONG PageFileLimit;
} QUOTA_BLOCK, *PQUOTA_BLOCK;
// Object basic information query result: attributes, access, counts, pool
// usage, lengths of the other info classes, and creation time.
typedef struct _OBJECT_BASIC_INFO {
ULONG Attributes;
ACCESS_MASK GrantedAccess;
ULONG HandleCount;
ULONG ReferenceCount;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG Reserved[3];
ULONG NameInformationLength;
ULONG TypeInformationLength;
ULONG SecurityDescriptorLength;
LARGE_INTEGER CreateTime;
} OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO;
// Per-creation state the object manager keeps until the object is inserted
// (OBJECT_HEADER.ObjectCreateInfo): attributes, root, parse context, the
// probe mode the caller's buffers must be validated under, charges, and the
// security descriptor / QoS. Offsets in the trailing comments are for x86.
typedef struct _OBJECT_CREATE_INFORMATION {
ULONG Attributes;
HANDLE RootDirectory; // 0x4
PVOID ParseContext; // 0x8
KPROCESSOR_MODE ProbeMode; // 0xc
ULONG PagedPoolCharge; // 0x10
ULONG NonPagedPoolCharge; // 0x14
ULONG SecurityDescriptorCharge; // 0x18
PSECURITY_DESCRIPTOR SecurityDescriptor; // 0x1c
PSECURITY_QUALITY_OF_SERVICE SecurityQos; // 0x20
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; // 0x24
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
// Optional object header extension (OBJECT_HEADER_FLAGS.CreatorInfo): type
// list linkage and the creating process id.
typedef struct _OBJECT_CREATOR_INFO {
LIST_ENTRY Creator;
ULONG UniqueProcessId; // Creator's Process ID
ULONG Reserved; // Alignment
} OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO;
// Hash-chain node of an object directory.
typedef struct _OBJECT_DIRECTORY_ITEM {
struct _OBJECT_DIRECTORY_ITEM *Next;
PVOID Object;
} OBJECT_DIRECTORY_ITEM, *POBJECT_DIRECTORY_ITEM;
// Object manager directory: 0x25 (37) hash buckets plus a one-entry lookup cache.
typedef struct _OBJECT_DIRECTORY {
POBJECT_DIRECTORY_ITEM HashEntries[0x25];
POBJECT_DIRECTORY_ITEM LastHashAccess;
ULONG LastHashResult;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
// Handle attributes: inheritable, protected from close.
typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO {
BOOLEAN Inherit;
BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFO, *POBJECT_HANDLE_ATTRIBUTE_INFO;
// Handle database entry (OBJECT_TYPE_INITIALIZER.MaintainHandleCount): a
// process and its handle count, or a pointer to an overflow list.
typedef struct _OBJECT_HANDLE_DB {
union {
struct _EPROCESS *Process;
struct _OBJECT_HANDLE_DB_LIST *HandleDBList;
};
ULONG HandleCount;
} OBJECT_HANDLE_DB, *POBJECT_HANDLE_DB;
// Overflow list of OBJECT_HANDLE_DB entries; Entries[1] is a placeholder
// for Count entries.
typedef struct _OBJECT_HANDLE_DB_LIST {
ULONG Count;
OBJECT_HANDLE_DB Entries[1]; // variable length
} OBJECT_HANDLE_DB_LIST, *POBJECT_HANDLE_DB_LIST;
// Object header flag word: three 8-bit offsets to optional header
// extensions (name, handle and quota info; 0 presumably means absent —
// confirm) followed by 8 single-bit flags.
typedef struct _OBJECT_HEADER_FLAGS {
ULONG NameInfoOffset : 8;
ULONG HandleInfoOffset : 8;
ULONG QuotaInfoOffset : 8;
ULONG QuotaBlock : 1; // QuotaBlock/ObjectInfo
ULONG KernelMode : 1; // UserMode/KernelMode
ULONG CreatorInfo : 1;
ULONG Exclusive : 1;
ULONG Permanent : 1;
ULONG SecurityDescriptor : 1;
ULONG HandleInfo : 1;
ULONG Reserved : 1;
} OBJECT_HEADER_FLAGS, *POBJECT_HEADER_FLAGS;
// Object manager header that immediately precedes every object body.
// Offsets in the trailing comments are x86. Body marks where the object
// itself begins; QuotaBlock/ObjectCreateInfo share storage, selected by
// OBJECT_HEADER_FLAGS.QuotaBlock.
typedef struct _OBJECT_HEADER {
ULONG ReferenceCount;
union {
ULONG HandleCount;
PSINGLE_LIST_ENTRY NextToFree;
}; // 0x4
POBJECT_TYPE ObjectType; // 0x8
OBJECT_HEADER_FLAGS Flags; // 0xc
union {
POBJECT_CREATE_INFORMATION ObjectCreateInfo;
PQUOTA_BLOCK QuotaBlock;
}; // 0x10
PSECURITY_DESCRIPTOR SecurityDescriptor; // 0x14
QUAD Body; // 0x18
} OBJECT_HEADER, *POBJECT_HEADER;
// Name info header extension: containing directory and the object's name.
typedef struct _OBJECT_NAME {
POBJECT_DIRECTORY Directory;
UNICODE_STRING ObjectName;
ULONG Reserved;
} OBJECT_NAME, *POBJECT_NAME;
// Object name query result: the UNICODE_STRING followed by its inline buffer.
typedef struct _OBJECT_NAME_INFO {
UNICODE_STRING ObjectName;
WCHAR ObjectNameBuffer[1]; // variable length
} OBJECT_NAME_INFO, *POBJECT_NAME_INFO;
// Handle protection flags (same shape as OBJECT_HANDLE_ATTRIBUTE_INFO).
typedef struct _OBJECT_PROTECTION_INFO {
BOOLEAN Inherit;
BOOLEAN ProtectHandle;
} OBJECT_PROTECTION_INFO, *POBJECT_PROTECTION_INFO;
// Pool and security-descriptor charges levied when an object is created.
typedef struct _OBJECT_QUOTA_CHARGES {
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG SecurityCharge;
ULONG Reserved;
} OBJECT_QUOTA_CHARGES, *POBJECT_QUOTA_CHARGES;
// Quota info header extension: pool quotas charged, size of the quota
// information, and the process charged.
typedef struct _OBJECT_QUOTA_INFO {
ULONG PagedPoolQuota;
ULONG NonPagedPoolQuota;
ULONG QuotaInformationSize;
PEPROCESS Process; // Owning process
} OBJECT_QUOTA_INFO, *POBJECT_QUOTA_INFO;
// Type initializer copied into OBJECT_TYPE.TypeInfo: generic mapping and
// valid access mask used for access checks, bookkeeping options, default
// charges, and the per-type procedures (all typed PVOID here).
typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN Reserved1;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount; /* OBJECT_HANDLE_DB */
BOOLEAN MaintainTypeList; /* OBJECT_CREATOR_INFO */
UCHAR Reserved2;
BOOLEAN PagedPool;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
PVOID OpenProcedure;
PVOID CloseProcedure;
PVOID DeleteProcedure;
PVOID ParseProcedure;
PVOID SecurityProcedure; /* SeDefaultObjectMethod */
PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
// Object type object: lock, list of instances, type name, default dispatcher
// object or type code, index/tag, counters, and the embedded initializer.
typedef struct _OBJECT_TYPE {
ERESOURCE Lock;
LIST_ENTRY ObjectListHead; /* OBJECT_CREATOR_INFO */
UNICODE_STRING ObjectTypeName;
union {
PVOID DefaultObject; /* ObpDefaultObject */
ULONG Code; /* File: 5C, WaitablePort: A0 */
};
ULONG ObjectTypeIndex; /* OB_TYPE_INDEX_* */
ULONG ObjectCount;
ULONG HandleCount;
ULONG PeakObjectCount;
ULONG PeakHandleCount;
OBJECT_TYPE_INITIALIZER TypeInfo;
ULONG ObjectTypeTag; /* OB_TYPE_TAG_* */
} OBJECT_TYPE, *POBJECT_TYPE;
// Object type query record: name string, 0x58 undocumented bytes, then the
// inline name buffer (variable length).
typedef struct _OBJECT_TYPE_INFO {
UNICODE_STRING ObjectTypeName;
UCHAR Unknown[0x58];
WCHAR ObjectTypeNameBuffer[1]; // variable length
} OBJECT_TYPE_INFO, *POBJECT_TYPE_INFO;
// All-types query result: count followed by NumberOfObjectTypes
// variable-length OBJECT_TYPE_INFO records (so they cannot be indexed as a
// plain array).
typedef struct _OBJECT_ALL_TYPES_INFO {
ULONG NumberOfObjectTypes;
OBJECT_TYPE_INFO ObjectsTypeInfo[1]; // variable length, variable stride
} OBJECT_ALL_TYPES_INFO, *POBJECT_ALL_TYPES_INFO;
// Working-set watch ring (EPROCESS.WorkingSetWatch in the 2600+ variant):
// indices, lock, and a variable-length WatchInfo array.
typedef struct _PAGEFAULT_HISTORY {
ULONG CurrentIndex;
ULONG MaxIndex;
KSPIN_LOCK SpinLock;
PVOID Reserved;
PROCESS_WS_WATCH_INFORMATION WatchInfo[1]; // variable length
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;
// Length-prefixed variable-length path name.
typedef struct _PATHNAME_BUFFER {
ULONG PathNameLength;
WCHAR Name[1]; // variable length
} PATHNAME_BUFFER, *PPATHNAME_BUFFER;
#if (VER_PRODUCTBUILD >= 2600)
/*
 * Bit layout of PRIVATE_CACHE_MAP.Flags. The low 16 bits are shared
 * with NodeTypeCode through the union in PRIVATE_CACHE_MAP, hence
 * DontUse. Bit-field allocation order is implementation-defined in C,
 * so this layout is only valid for the compiler ABI the header targets.
 */
typedef struct _PRIVATE_CACHE_MAP_FLAGS {
    ULONG DontUse : 16;
    ULONG ReadAheadActive : 1;
    ULONG ReadAheadEnabled : 1;
    ULONG Available : 14;
} PRIVATE_CACHE_MAP_FLAGS, *PPRIVATE_CACHE_MAP_FLAGS;
/*
 * Cache manager per-FILE_OBJECT map holding read-ahead state. The
 * unnamed union (Microsoft extension) overlays NodeTypeCode, the flag
 * bit-fields and the raw ULONG view of the same word.
 */
typedef struct _PRIVATE_CACHE_MAP {
    union {
        CSHORT NodeTypeCode;
        PRIVATE_CACHE_MAP_FLAGS Flags;
        ULONG UlongFlags;
    };
    ULONG ReadAheadMask;
    PFILE_OBJECT FileObject;
    LARGE_INTEGER FileOffset1;
    LARGE_INTEGER BeyondLastByte1;
    LARGE_INTEGER FileOffset2;
    LARGE_INTEGER BeyondLastByte2;
    LARGE_INTEGER ReadAheadOffset[2];
    ULONG ReadAheadLength[2];
    KSPIN_LOCK ReadAheadSpinLock;
    LIST_ENTRY PrivateLinks;
} PRIVATE_CACHE_MAP, *PPRIVATE_CACHE_MAP;
#endif
/* Process priority class plus a foreground flag. */
typedef struct _PROCESS_PRIORITY_CLASS {
    BOOLEAN Foreground;
    UCHAR PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
/*
 * Per-thread impersonation state: the token being impersonated, the
 * CopyOnOpen / EffectiveOnly qualifiers and the impersonation level.
 */
typedef struct _PS_IMPERSONATION_INFORMATION {
    PACCESS_TOKEN Token;
    BOOLEAN CopyOnOpen;
    BOOLEAN EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;
/*
 * Public prefix of a cache manager buffer control block: node header
 * plus the file range (MappedFileOffset, MappedLength) it maps.
 */
typedef struct _PUBLIC_BCB {
    CSHORT NodeTypeCode;
    CSHORT NodeByteSize;
    ULONG MappedLength;
    LARGE_INTEGER MappedFileOffset;
} PUBLIC_BCB, *PPUBLIC_BCB;
/*
 * Path query request. FilePathName[1] is a variable-length tail sized
 * by PathNameLength (presumably bytes — TODO confirm); a receiver must
 * validate PathNameLength against the input buffer length before
 * reading the name.
 */
typedef struct _QUERY_PATH_REQUEST {
    ULONG PathNameLength;
    PIO_SECURITY_CONTEXT SecurityContext;
    WCHAR FilePathName[1];
} QUERY_PATH_REQUEST, *PQUERY_PATH_REQUEST;
/*
 * Reply to QUERY_PATH_REQUEST: LengthAccepted is the amount of the
 * supplied path the responder claimed; it should never exceed the
 * request's PathNameLength.
 */
typedef struct _QUERY_PATH_RESPONSE {
    ULONG LengthAccepted;
} QUERY_PATH_RESPONSE, *PQUERY_PATH_RESPONSE;
#if (VER_PRODUCTBUILD >= 2600)
/*
 * Prefetch list for one file: NumberOfEntries FILE_SEGMENT_ELEMENTs
 * follow the header (List is declared with ANYSIZE_ARRAY).
 */
typedef struct _READ_LIST {
    PFILE_OBJECT FileObject;
    ULONG NumberOfEntries;
    LOGICAL IsImage;
    FILE_SEGMENT_ELEMENT List[ANYSIZE_ARRAY];
} READ_LIST, *PREAD_LIST;
#endif // (VER_PRODUCTBUILD >= 2600)
/*
 * Reparse point payload. ReparseTag selects which union member applies;
 * ReparseDataLength is the size of the union contents. The symbolic
 * link and mount point variants carry name offsets/lengths into
 * PathBuffer (presumably byte units — TODO confirm). When this buffer
 * originates outside the driver, every offset + length pair must be
 * bounds-checked against ReparseDataLength before the names are read;
 * the structure itself carries no guarantee of consistency. The unnamed
 * union is a Microsoft extension (standard C only since C11).
 */
typedef struct _REPARSE_DATA_BUFFER {
    ULONG ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    };
} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
/*
 * VCN-to-LCN extent map: ExtentCount entries follow in Extents[], each
 * giving the VCN where the next extent starts and the LCN of this one.
 */
typedef struct _RETRIEVAL_POINTERS_BUFFER {
    ULONG ExtentCount;
    LARGE_INTEGER StartingVcn;
    struct {
        LARGE_INTEGER NextVcn;
        LARGE_INTEGER Lcn;
    } Extents[1];
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
/* Node links for the RTL splay-tree routines. */
typedef struct _RTL_SPLAY_LINKS {
    struct _RTL_SPLAY_LINKS *Parent;
    struct _RTL_SPLAY_LINKS *LeftChild;
    struct _RTL_SPLAY_LINKS *RightChild;
} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;
/*
 * Table of well-known privilege LUIDs and SIDs exported by the security
 * reference monitor. The three trailing privileges were appended after
 * the SID block, so member order here is historical, not grouped.
 */
typedef struct _SE_EXPORTS {
    LUID SeCreateTokenPrivilege;
    LUID SeAssignPrimaryTokenPrivilege;
    LUID SeLockMemoryPrivilege;
    LUID SeIncreaseQuotaPrivilege;
    LUID SeUnsolicitedInputPrivilege;
    LUID SeTcbPrivilege;
    LUID SeSecurityPrivilege;
    LUID SeTakeOwnershipPrivilege;
    LUID SeLoadDriverPrivilege;
    LUID SeCreatePagefilePrivilege;
    LUID SeIncreaseBasePriorityPrivilege;
    LUID SeSystemProfilePrivilege;
    LUID SeSystemtimePrivilege;
    LUID SeProfileSingleProcessPrivilege;
    LUID SeCreatePermanentPrivilege;
    LUID SeBackupPrivilege;
    LUID SeRestorePrivilege;
    LUID SeShutdownPrivilege;
    LUID SeDebugPrivilege;
    LUID SeAuditPrivilege;
    LUID SeSystemEnvironmentPrivilege;
    LUID SeChangeNotifyPrivilege;
    LUID SeRemoteShutdownPrivilege;
    PSID SeNullSid;
    PSID SeWorldSid;
    PSID SeLocalSid;
    PSID SeCreatorOwnerSid;
    PSID SeCreatorGroupSid;
    PSID SeNtAuthoritySid;
    PSID SeDialupSid;
    PSID SeNetworkSid;
    PSID SeBatchSid;
    PSID SeInteractiveSid;
    PSID SeLocalSystemSid;
    PSID SeAliasAdminsSid;
    PSID SeAliasUsersSid;
    PSID SeAliasGuestsSid;
    PSID SeAliasPowerUsersSid;
    PSID SeAliasAccountOpsSid;
    PSID SeAliasSystemOpsSid;
    PSID SeAliasPrintOpsSid;
    PSID SeAliasBackupOpsSid;
    PSID SeAuthenticatedUsersSid;
    PSID SeRestrictedSid;
    PSID SeAnonymousLogonSid;
    LUID SeUndockPrivilege;
    LUID SeSyncAgentPrivilege;
    LUID SeEnableDelegationPrivilege;
} SE_EXPORTS, *PSE_EXPORTS;
/* Basic section object information: base, attributes and size. */
typedef struct _SECTION_BASIC_INFORMATION {
    PVOID BaseAddress;
    ULONG Attributes;
    LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
/*
 * PE image properties of an image-backed section. The Unknown* members
 * are placeholders for fields the original author could not identify.
 */
typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID EntryPoint;
    ULONG Unknown1;
    ULONG StackReserve;
    ULONG StackCommit;
    ULONG Subsystem;
    USHORT MinorSubsystemVersion;
    USHORT MajorSubsystemVersion;
    ULONG Unknown2;
    ULONG Characteristics;
    USHORT ImageNumber;
    BOOLEAN Executable;
    UCHAR Unknown3;
    ULONG Unknown4[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
/*
 * Memory manager section object: the mapped VA range, tree links
 * (Parent/LeftChild/RightChild) and the backing Segment.
 */
typedef struct _SECTION_OBJECT {
    PVOID StartingVa;
    PVOID EndingVa;
    struct _SECTION_OBJECT *Parent;
    struct _SECTION_OBJECT *LeftChild;
    struct _SECTION_OBJECT *RightChild;
    PVOID Segment;
} SECTION_OBJECT, *PSECTION_OBJECT;
/*
 * Per-token audit policy: a 4-bit setting for each audit category plus
 * an overlay bit. Bit-field allocation within a ULONGLONG is
 * implementation-defined in C, so this only matches the compiler ABI
 * the header targets.
 */
typedef struct _SEP_AUDIT_POLICY {
    // _SEP_AUDIT_POLICY_CATEGORIES
    ULONGLONG System : 4;
    ULONGLONG Logon : 4;
    ULONGLONG ObjectAccess : 4;
    ULONGLONG PrivilegeUse : 4;
    ULONGLONG DetailedTracking : 4;
    ULONGLONG PolicyChange : 4;
    ULONGLONG AccountManagement : 4;
    ULONGLONG DirectoryServiceAccess : 4;
    ULONGLONG AccountLogon : 4;
    // _SEP_AUDIT_POLICY_OVERLAY
    ULONGLONG SetBit : 1;
} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY;
/*
 * System service descriptor table (the dispatch table for system
 * calls). This is kernel-internal state exposed here for study only;
 * drivers should treat it as read-only. NOTE(review): on 64-bit
 * Windows the kernel's patch protection monitors this table's
 * integrity, so modifications are a reliability and detection concern,
 * not a supported extension point.
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE {
    /*
     * Table containing cServices elements of pointers to service handler
     * functions, indexed by service ID.
     */
    PVOID *ServiceTable;
    /*
     * Table that counts how many times each service is used. This table
     * is only updated in checked builds.
     */
    PULONG CounterTable;
    /*
     * Number of services contained in this table.
     */
    ULONG TableSize;
    /*
     * Table containing the number of bytes of parameters the handler
     * function takes.
     */
    PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
#if (VER_PRODUCTBUILD >= 2600)
/*
 * Cache manager per-file (shared) map: file/section sizes, the VACB
 * array (InitialVacbs is inline storage, Vacbs a pointer — their
 * relationship is not stated in this header), lazy-writer state and the
 * embedded PRIVATE_CACHE_MAP.
 */
typedef struct _SHARED_CACHE_MAP {
    CSHORT NodeTypeCode;
    CSHORT NodeByteSize;
    ULONG OpenCount;
    LARGE_INTEGER FileSize;
    LIST_ENTRY BcbList;
    LARGE_INTEGER SectionSize;
    LARGE_INTEGER ValidDataLength;
    LARGE_INTEGER ValidDataGoal;
    PVACB InitialVacbs[4];
    PVACB *Vacbs;
    PFILE_OBJECT FileObject;
    PVACB ActiveVacb;
    PVOID NeedToZero;
    ULONG ActivePage;
    ULONG NeedToZeroPage;
    KSPIN_LOCK ActiveVacbSpinLock;
    ULONG VacbActiveCount;
    ULONG DirtyPages;
    LIST_ENTRY SharedCacheMapLinks;
    ULONG Flags;
    NTSTATUS Status;
    PMBCB Mbcb;
    PVOID Section;
    PKEVENT CreateEvent;
    PKEVENT WaitOnActiveCount;
    ULONG PagesToWrite;
    LONGLONG BeyondLastFlush;
    PCACHE_MANAGER_CALLBACKS Callbacks;
    PVOID LazyWriteContext;
    LIST_ENTRY PrivateList;
    PVOID LogHandle;
    PVOID FlushToLsnRoutine;
    ULONG DirtyPageThreshold;
    ULONG LazyWritePassCount;
    PCACHE_UNINITIALIZE_EVENT UninitializeEvent;
    PVACB NeedToZeroVacb;
    KSPIN_LOCK BcbSpinLock;
    PVOID Reserved;
    KEVENT Event;
    EX_PUSH_LOCK VacbPushLock;
    PRIVATE_CACHE_MAP PrivateCacheMap;
} SHARED_CACHE_MAP, *PSHARED_CACHE_MAP;
#endif
/* A SID pointer paired with its attribute flags (token group/user entry). */
typedef struct _SID_AND_ATTRIBUTES {
    PSID Sid;
    ULONG Attributes;
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
/* Input for a retrieval-pointers query: the VCN to start from. */
typedef struct _STARTING_VCN_INPUT_BUFFER {
    LARGE_INTEGER StartingVcn;
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;
// SystemBasicInformation
/*
 * Machine-wide constants: page size, physical page range, allocation
 * granularity, user address range and the active processor mask.
 */
typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Unknown;
    ULONG MaximumIncrement;
    ULONG PhysicalPageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPage;
    ULONG HighestPhysicalPage;
    ULONG AllocationGranularity;
    ULONG LowestUserAddress;
    ULONG HighestUserAddress;
    ULONG ActiveProcessors;
    UCHAR NumberProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
// SystemProcessorInformation
/* Processor architecture/level/revision and feature bits. */
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
    USHORT ProcessorArchitecture;
    USHORT ProcessorLevel;
    USHORT ProcessorRevision;
    USHORT Unknown;
    ULONG FeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
// SystemPerformanceInformation
/*
 * System-wide performance counters: I/O transfer and operation counts,
 * memory/commit statistics, pool usage, cache manager fast-path and
 * pin/map/copy counters, TLB fills and system call count. The spelling
 * of TransistionFaults is kept as published because the member name is
 * part of this header's interface.
 */
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    ULONG ReadOperationCount;
    ULONG WriteOperationCount;
    ULONG OtherOperationCount;
    ULONG AvailablePages;
    ULONG TotalCommittedPages;
    ULONG TotalCommitLimit;
    ULONG PeakCommitment;
    ULONG PageFaults;
    ULONG WriteCopyFaults;
    ULONG TransistionFaults;
    ULONG Reserved1;
    ULONG DemandZeroFaults;
    ULONG PagesRead;
    ULONG PageReadIos;
    ULONG Reserved2[2];
    ULONG PagefilePagesWritten;
    ULONG PagefilePageWriteIos;
    ULONG MappedFilePagesWritten;
    ULONG MappedFilePageWriteIos;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG PagedPoolAllocs;
    ULONG PagedPoolFrees;
    ULONG NonPagedPoolAllocs;
    ULONG NonPagedPoolFrees;
    ULONG TotalFreeSystemPtes;
    ULONG SystemCodePage;
    ULONG TotalSystemDriverPages;
    ULONG TotalSystemCodePages;
    ULONG SmallNonPagedLookasideListAllocateHits;
    ULONG SmallPagedLookasideListAllocateHits;
    ULONG Reserved3;
    ULONG MmSystemCachePage;
    ULONG PagedPoolPage;
    ULONG SystemDriverPage;
    ULONG FastReadNoWait;
    ULONG FastReadWait;
    ULONG FastReadResourceMiss;
    ULONG FastReadNotPossible;
    ULONG FastMdlReadNoWait;
    ULONG FastMdlReadWait;
    ULONG FastMdlReadResourceMiss;
    ULONG FastMdlReadNotPossible;
    ULONG MapDataNoWait;
    ULONG MapDataWait;
    ULONG MapDataNoWaitMiss;
    ULONG MapDataWaitMiss;
    ULONG PinMappedDataCount;
    ULONG PinReadNoWait;
    ULONG PinReadWait;
    ULONG PinReadNoWaitMiss;
    ULONG PinReadWaitMiss;
    ULONG CopyReadNoWait;
    ULONG CopyReadWait;
    ULONG CopyReadNoWaitMiss;
    ULONG CopyReadWaitMiss;
    ULONG MdlReadNoWait;
    ULONG MdlReadWait;
    ULONG MdlReadNoWaitMiss;
    ULONG MdlReadWaitMiss;
    ULONG ReadAheadIos;
    ULONG LazyWriteIos;
    ULONG LazyWritePages;
    ULONG DataFlushes;
    ULONG DataPages;
    ULONG ContextSwitches;
    ULONG FirstLevelTbFills;
    ULONG SecondLevelTbFills;
    ULONG SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
// SystemTimeOfDayInformation
/* Boot time, current time, time-zone bias and current zone id. */
typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
    LARGE_INTEGER BootTime;
    LARGE_INTEGER CurrentTime;
    LARGE_INTEGER TimeZoneBias;
    ULONG CurrentTimeZoneId;
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;
/*
 * Per-thread record embedded in SYSTEM_PROCESSES_INFORMATION.Threads[]:
 * times, start address, ids, priorities and scheduling state.
 */
typedef struct _SYSTEM_THREADS_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREADS_INFORMATION, *PSYSTEM_THREADS_INFORMATION;
// SystemProcessesAndThreadsInformation
/*
 * One process record, followed by ThreadCount SYSTEM_THREADS_INFORMATION
 * entries (Threads[1] is a placeholder for that tail). Records are
 * chained by NextEntryDelta, a byte offset from the start of this
 * record to the next; a consumer walking the chain must keep every
 * computed address inside the returned buffer. The IoCounters member
 * only exists on builds >= 2195, which changes the record size.
 */
typedef struct _SYSTEM_PROCESSES_INFORMATION {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG Reserved2;
    VM_COUNTERS VmCounters;
#if (VER_PRODUCTBUILD >= 2195)
    IO_COUNTERS IoCounters;
#endif // (VER_PRODUCTBUILD >= 2195)
    SYSTEM_THREADS_INFORMATION Threads[1];
} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;
// SystemCallCounts
/*
 * System call statistics header. NumberOfRoutinesInTable[1] is a
 * variable-length tail with NumberOfDescriptorTables entries; on
 * checked builds the per-call counters follow it (see the comment
 * below). Size gives the total length to honour when parsing.
 */
typedef struct _SYSTEM_CALL_COUNTS {
    ULONG Size;
    ULONG NumberOfDescriptorTables;
    ULONG NumberOfRoutinesInTable[1];
    // On checked build this is followed by a ULONG CallCounts[1] variable length array.
} SYSTEM_CALL_COUNTS, *PSYSTEM_CALL_COUNTS;
// SystemConfigurationInformation
/* Counts of attached devices by class. */
typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
    ULONG DiskCount;
    ULONG FloppyCount;
    ULONG CdRomCount;
    ULONG TapeCount;
    ULONG SerialCount;
    ULONG ParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;
// SystemProcessorTimes
/* Per-processor accumulated times and interrupt count. */
typedef struct _SYSTEM_PROCESSOR_TIMES {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER DpcTime;
    LARGE_INTEGER InterruptTime;
    ULONG InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;
// SystemGlobalFlag
/* The NtGlobalFlag value (GFlags). */
typedef struct _SYSTEM_GLOBAL_FLAG {
    ULONG GlobalFlag;
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
// SystemModuleInformation
/*
 * One loaded kernel module. ModuleNameOffset is presumably an offset
 * into ImageName where the file-name part begins (TODO confirm); bound
 * it to sizeof ImageName before use. ImageName is a fixed 256-byte
 * array and this declaration alone does not guarantee it is
 * NUL-terminated, so use length-bounded string routines on it.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
// SystemLockInformation
/* One ERESOURCE-style lock: owner, counts and waiter statistics. */
typedef struct _SYSTEM_LOCK_INFORMATION {
    PVOID Address;
    USHORT Type;
    USHORT Reserved1;
    ULONG ExclusiveOwnerThreadId;
    ULONG ActiveCount;
    ULONG ContentionCount;
    ULONG Reserved2[2];
    ULONG NumberOfSharedWaiters;
    ULONG NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;
// SystemHandleInformation
/*
 * One open handle: owning process, object type index, flags, the
 * 16-bit handle value, the kernel object address and granted access.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// SystemObjectInformation
/*
 * Per-object-type record in the SystemObjectInformation buffer, chained
 * by NextEntryOffset. Keep the walk inside the returned buffer length;
 * the terminating convention is not stated in this header.
 */
typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
    ULONG NextEntryOffset;
    ULONG ObjectCount;
    ULONG HandleCount;
    ULONG TypeNumber;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK ValidAccessMask;
    POOL_TYPE PoolType;
    UCHAR Unknown;
    UNICODE_STRING Name;
} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;
/*
 * Per-object record following a SYSTEM_OBJECT_TYPE_INFORMATION entry,
 * chained by NextEntryOffset; the same bounds-checking caveat applies.
 */
typedef struct _SYSTEM_OBJECT_INFORMATION {
    ULONG NextEntryOffset;
    PVOID Object;
    ULONG CreatorProcessId;
    USHORT Unknown;
    USHORT Flags;
    ULONG PointerCount;
    ULONG HandleCount;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG ExclusiveProcessId;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    UNICODE_STRING Name;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;
// SystemPagefileInformation
/*
 * One paging file (sizes in pages), chained by NextEntryOffset; keep
 * the walk within the returned buffer.
 */
typedef struct _SYSTEM_PAGEFILE_INFORMATION {
    ULONG NextEntryOffset;
    ULONG CurrentSize;
    ULONG TotalUsed;
    ULONG PeakUsed;
    UNICODE_STRING FileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;
// SystemInstructionEmulationCounts
/*
 * Counters of x86 instructions the kernel emulated, one per opcode or
 * prefix mnemonic. FSPrefix is capitalised differently from the other
 * *prefix members; the spelling is kept for source compatibility.
 */
typedef struct _SYSTEM_INSTRUCTION_EMULATION_COUNTS {
    ULONG GenericInvalidOpcode;
    ULONG TwoByteOpcode;
    ULONG ESprefix;
    ULONG CSprefix;
    ULONG SSprefix;
    ULONG DSprefix;
    ULONG FSPrefix;
    ULONG GSprefix;
    ULONG OPER32prefix;
    ULONG ADDR32prefix;
    ULONG INSB;
    ULONG INSW;
    ULONG OUTSB;
    ULONG OUTSW;
    ULONG PUSHFD;
    ULONG POPFD;
    ULONG INTnn;
    ULONG INTO;
    ULONG IRETD;
    ULONG FloatingPointOpcode;
    ULONG INBimm;
    ULONG INWimm;
    ULONG OUTBimm;
    ULONG OUTWimm;
    ULONG INB;
    ULONG INW;
    ULONG OUTB;
    ULONG OUTW;
    ULONG LOCKprefix;
    ULONG REPNEprefix;
    ULONG REPprefix;
    ULONG CLI;
    ULONG STI;
    ULONG HLT;
} SYSTEM_INSTRUCTION_EMULATION_COUNTS, *PSYSTEM_INSTRUCTION_EMULATION_COUNTS;
// SystemCacheInformation
/* System cache working-set statistics and limits. */
typedef struct _SYSTEM_CACHE_INFORMATION {
    ULONG SystemCacheWsSize;
    ULONG SystemCacheWsPeakSize;
    ULONG SystemCacheWsFaults;
    ULONG SystemCacheWsMinimum;
    ULONG SystemCacheWsMaximum;
    ULONG TransitionSharedPages;
    ULONG TransitionSharedPagesPeak;
    ULONG Reserved[2];
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;
// SystemPoolTagInformation
/*
 * Pool usage for one four-character tag. Tag is not NUL-terminated
 * (exactly four CHARs); print it with an explicit width.
 */
typedef struct _SYSTEM_POOL_TAG_INFORMATION {
    CHAR Tag[4];
    ULONG PagedPoolAllocs;
    ULONG PagedPoolFrees;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolAllocs;
    ULONG NonPagedPoolFrees;
    ULONG NonPagedPoolUsage;
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;
// SystemProcessorStatistics
/* Per-processor scheduling/DPC statistics. */
typedef struct _SYSTEM_PROCESSOR_STATISTICS {
    ULONG ContextSwitches;
    ULONG DpcCount;
    ULONG DpcRequestRate;
    ULONG TimeIncrement;
    ULONG DpcBypassCount;
    ULONG ApcBypassCount;
} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;
// SystemDpcInformation
/* DPC queue tuning parameters. */
typedef struct _SYSTEM_DPC_INFORMATION {
    ULONG Reserved;
    ULONG MaximumDpcQueueDepth;
    ULONG MinimumDpcRate;
    ULONG AdjustDpcThreshold;
    ULONG IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;
// SystemLoadImage
/*
 * Load a kernel image by name; the remaining members receive the base,
 * entry point and export directory of the loaded module.
 */
typedef struct _SYSTEM_LOAD_IMAGE {
    UNICODE_STRING ModuleName;
    PVOID ModuleBase;
    PVOID Unknown;
    PVOID EntryPoint;
    PVOID ExportDirectory;
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;
// SystemUnloadImage
/* Unload a kernel image previously loaded at ModuleBase. */
typedef struct _SYSTEM_UNLOAD_IMAGE {
    PVOID ModuleBase;
} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;
// SystemTimeAdjustment
/* Query form of the clock adjustment settings. */
typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
    ULONG TimeAdjustment;
    ULONG MaximumIncrement;
    BOOLEAN TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;
// SystemTimeAdjustment
/* Set form of the clock adjustment settings (no MaximumIncrement). */
typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
    ULONG TimeAdjustment;
    BOOLEAN TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;
// SystemCrashDumpInformation
/*
 * Crash dump section handle. The second handle only exists on builds
 * >= 2195, so sizeof differs by target build.
 */
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
    HANDLE CrashDumpSectionHandle;
#if (VER_PRODUCTBUILD >= 2195)
    HANDLE Unknown;
#endif // (VER_PRODUCTBUILD >= 2195)
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;
// SystemExceptionInformation
/* Exception dispatch and emulation counters. */
typedef struct _SYSTEM_EXCEPTION_INFORMATION {
    ULONG AlignmentFixupCount;
    ULONG ExceptionDispatchCount;
    ULONG FloatingEmulationCount;
    ULONG Reserved;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;
// SystemCrashDumpStateInformation
/*
 * Crash dump validity state; the second member only exists on builds
 * >= 2195, so sizeof differs by target build.
 */
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
    ULONG ValidCrashDump;
#if (VER_PRODUCTBUILD >= 2195)
    ULONG Unknown;
#endif // (VER_PRODUCTBUILD >= 2195)
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;
// SystemKernelDebuggerInformation
/*
 * Kernel debugger state. Note the second flag is negated
 * (DebuggerNotPresent), so "attached" is DebuggerEnabled && !DebuggerNotPresent.
 */
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;
    BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
// SystemContextSwitchInformation
/* Total context switches plus eleven per-reason counters. */
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
    ULONG ContextSwitches;
    ULONG ContextSwitchCounters[11];
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;
// SystemRegistryQuotaInformation
/* Registry quota limit, usage and paged pool size. */
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
    ULONG RegistryQuota;
    ULONG RegistryQuotaInUse;
    ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;
// SystemLoadAndCallImage
/* Load a kernel image by name and call its entry point. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
// SystemPrioritySeparation
/* Foreground/background priority separation setting. */
typedef struct _SYSTEM_PRIORITY_SEPARATION {
    ULONG PrioritySeparation;
} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;
// SystemTimeZoneInformation
/*
 * Time-zone settings. StandardName/DaylightName are fixed 32-WCHAR
 * arrays; this declaration does not guarantee NUL termination, so
 * bound any string handling to the array length.
 */
typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
    LONG Bias;
    WCHAR StandardName[32];
    TIME_FIELDS StandardDate;
    LONG StandardBias;
    WCHAR DaylightName[32];
    TIME_FIELDS DaylightDate;
    LONG DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;
// SystemLookasideInformation
/* Statistics for one lookaside list. */
typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
    USHORT Depth;
    USHORT MaximumDepth;
    ULONG TotalAllocates;
    ULONG AllocateMisses;
    ULONG TotalFrees;
    ULONG FreeMisses;
    POOL_TYPE Type;
    ULONG Tag;
    ULONG Size;
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;
// SystemSetTimeSlipEvent
/* Event handle to signal on a time slip. */
typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
    HANDLE TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;
// SystemCreateSession
/* Session id for a create-session request. */
typedef struct _SYSTEM_CREATE_SESSION {
    ULONG Session;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;
// SystemDeleteSession
/* Session id for a delete-session request. */
typedef struct _SYSTEM_DELETE_SESSION {
    ULONG Session;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;
// SystemRangeStartInformation
/* Lowest system-space (kernel) virtual address. */
typedef struct _SYSTEM_RANGE_START_INFORMATION {
    PVOID SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;
// SystemSessionProcessesInformation
/*
 * Request for a session's process list: the caller supplies Buffer and
 * BufferSize, and the process records are written there.
 */
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION {
    ULONG SessionId;
    ULONG BufferSize;
    PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
/*
 * GDI batching area embedded in the TEB. Buffer is sized per target
 * build so that the TEB members that follow it keep their correct
 * offsets.
 */
typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    ULONG HDC;
    ULONG Buffer[(VER_PRODUCTBUILD >= 2195) ? 0x133 : 0x136];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
#if (VER_PRODUCTBUILD >= 2600)
/* One frame of the activation context stack (singly linked via Previous). */
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
    struct _ACTIVATION_CONTEXT* ActivationContext; // 0x4
    ULONG Flags; // 0x8
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
/* Per-thread activation context stack head, embedded in the TEB on XP+. */
typedef struct _ACTIVATION_CONTEXT_STACK {
    ULONG Flags;
    ULONG NextCookieSequenceNumber;
    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; // 0x8
    LIST_ENTRY FrameListCache; // 0xc
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
#endif // (VER_PRODUCTBUILD >= 2600)
/* Wx86 (x86 emulation) per-thread state embedded in the TEB. */
typedef struct _Wx86ThreadState {
    PULONG CallBx86Eip;
    PVOID DeallocationCpu;
    UCHAR UseKnownWx86Dll; // 0x8
    UCHAR OleStubInvoked; // 0x9
} Wx86ThreadState, *PWx86ThreadState;
/* Descriptor shared by TEB_ACTIVE_FRAMEs of the same kind: flags and a name. */
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
    ULONG Flags;
    PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
/* Node of the TEB's active-frame chain (linked via Previous). */
typedef struct _TEB_ACTIVE_FRAME {
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME *Previous;
    PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
/*
 * Thread Environment Block. Layout taken from ReactOS / "Native API",
 * checked and corrected by the original author for Windows Server 2003
 * and NT 4.0; it should also hold for XP and 2000 (the ReactOS version
 * was probably from NT 3.51 SP3). Trailing comments give each member's
 * 32-bit offset; where a second value is present it is the NT 4.0
 * offset. Build-dependent members are selected on VER_PRODUCTBUILD.
 * NOTE(review): the TEB lives in the owning process's user-mode address
 * space, so kernel code must treat every field read from it as
 * untrusted (probe and capture before use) — recall from the NT
 * architecture, not stated in this header.
 */
typedef struct _TEB {
    NT_TIB Tib; /* 00h */
    PVOID EnvironmentPointer; /* 1Ch */
    CLIENT_ID Cid; /* 20h */
    HANDLE RpcHandle; /* 28h */
    PVOID *ThreadLocalStorage; /* 2Ch */
    PPEB Peb; /* 30h */
    ULONG LastErrorValue; /* 34h */
    ULONG CountOfOwnedCriticalSections; /* 38h */
    PVOID CsrClientThread; /* 3Ch */
    struct _W32THREAD* Win32ThreadInfo; /* 40h */
    ULONG User32Reserved[26]; /* 44h */
    ULONG UserReserved[5]; /* ACh */
    PVOID WOW32Reserved; /* C0h */
    LCID CurrentLocale; /* C4h */
    ULONG FpSoftwareStatusRegister; /* C8h */
    PVOID SystemReserved1[0x36]; /* CCh */
#if (VER_PRODUCTBUILD <= 1381)
    PVOID Spare1; /* 1A4h */
#endif
    LONG ExceptionCode; /* 1A4h */
#if (VER_PRODUCTBUILD >= 2600)
    ACTIVATION_CONTEXT_STACK ActivationContextStack; /* 1A8h */
    UCHAR SpareBytes1[24]; /* 1BCh */
#elif (VER_PRODUCTBUILD >= 2195)
    UCHAR SpareBytes1[0x2c]; /* 1A8h */
#else /* nt 4.0 */
    ULONG SpareBytes1[0x14]; /* 1ACh */
#endif
    GDI_TEB_BATCH GdiTebBatch; /* 1D4h */ /* 1FC for nt 4.0 */
    ULONG gdiRgn; /* 6A8h */ /* 6DCh for nt 4.0 */
    ULONG gdiPen; /* 6ACh */
    ULONG gdiBrush; /* 6B0h */
    CLIENT_ID RealClientId; /* 6B4h */ /* 6E8h for nt 4.0 */
    PVOID GdiCachedProcessHandle; /* 6BCh */
    ULONG GdiClientPID; /* 6C0h */
    ULONG GdiClientTID; /* 6C4h */
    PVOID GdiThreadLocaleInfo; /* 6C8h */
#if (VER_PRODUCTBUILD == 1381)
    PVOID Win32ClientInfo[5]; /* 700h */
    PVOID glDispatchTable[0x118]; /* 714h */
    ULONG glReserved1[0x1a]; /* B74h */
#else
    PVOID Win32ClientInfo[0x3e]; /* 6CCh */
    PVOID glDispatchTable[0xe9]; /* 7C4h */
    ULONG glReserved1[0x1d]; /* B68h */
#endif
    PVOID glReserved2; /* BDCh */
    PVOID glSectionInfo; /* BE0h */
    PVOID glSection; /* BE4h */
    PVOID glTable; /* BE8h */
    PVOID glCurrentRC; /* BECh */
    PVOID glContext; /* BF0h */
    NTSTATUS LastStatusValue; /* BF4h */
    UNICODE_STRING StaticUnicodeString; /* BF8h */
    WCHAR StaticUnicodeBuffer[0x105]; /* C00h */
    PVOID DeallocationStack; /* E0Ch */
    PVOID TlsSlots[0x40]; /* E10h */
    LIST_ENTRY TlsLinks; /* F10h */
    PVOID Vdm; /* F18h */
    PVOID ReservedForNtRpc; /* F1Ch */
    PVOID DbgSsReserved[0x2]; /* F20h */
    ULONG HardErrorDisabled; /* F28h */
    PVOID Instrumentation[0x10]; /* F2Ch */
    PVOID WinSockData; /* F6Ch */
    ULONG GdiBatchCount; /* F70h */
    BOOLEAN InDbgPrint; /* F74h */
    BOOLEAN FreeStackOnTermination; /* F75h */
    BOOLEAN HasFiberData; /* F76h */
    UCHAR IdealProcessor; /* F77h */
    ULONG Spare3; /* F78h */
    ULONG ReservedForPerf; /* F7Ch */
    PVOID ReservedForOle; /* F80h */
    ULONG WaitingOnLoaderLock; /* F84h */
#if (VER_PRODUCTBUILD >= 2195)
    Wx86ThreadState Wx86Thread; /* F88h */
    PVOID* TlsExpansionSlots; /* F94h */
    ULONG ImpersonationLocale; /* F98h */
    ULONG IsImpersonating; /* F9Ch */
    PVOID NlsCache; /* FA0h */
    PVOID pShimData; /* FA4h */
    ULONG HeapVirtualAffinity; /* FA8h */
    PVOID CurrentTransactionHandle; /* FACh */
    PTEB_ACTIVE_FRAME ActiveFrame; /* FB0h*/
    PVOID FlsSlots; /* FB4h */
#endif
} TEB, *PTEB;
/* Singly linked list node of ports to notify on thread termination. */
typedef struct _TERMINATION_PORT {
    struct _TERMINATION_PORT* Next;
    PVOID Port;
} TERMINATION_PORT, *PTERMINATION_PORT;
/*
 * ThreadBasicInformation: exit status, TEB address, process/thread ids,
 * affinity and priority data.
 */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    ULONG UniqueProcessId;
    ULONG UniqueThreadId;
    KAFFINITY AffinityMask;
    KPRIORITY BasePriority;
    ULONG DiffProcessPriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
/*
 * Token origin: a fixed-length source name (TOKEN_SOURCE_LENGTH CCHARs,
 * not necessarily NUL-terminated) and the source LUID.
 */
typedef struct _TOKEN_SOURCE {
    CCHAR SourceName[TOKEN_SOURCE_LENGTH];
    LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;
/*
 * Identity snapshot of a token: its id, logon (authentication) id,
 * modification id and source. Used to detect token changes (compare
 * ModifiedId) without holding the token itself.
 */
typedef struct _TOKEN_CONTROL {
    LUID TokenId;
    LUID AuthenticationId;
    LUID ModifiedId;
    TOKEN_SOURCE TokenSource;
} TOKEN_CONTROL, *PTOKEN_CONTROL;
/* TokenDefaultDacl: the ACL applied to new objects created with this token. */
typedef struct _TOKEN_DEFAULT_DACL {
    PACL DefaultDacl;
} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
/*
 * TokenGroups: GroupCount SID_AND_ATTRIBUTES entries follow the count.
 * Groups[1] is a placeholder; size allocations from GroupCount, not
 * sizeof(TOKEN_GROUPS).
 */
typedef struct _TOKEN_GROUPS {
    ULONG GroupCount;
    SID_AND_ATTRIBUTES Groups[1];
} TOKEN_GROUPS, *PTOKEN_GROUPS;
/* XP SP2 has the same TOKEN_OBJECT structure as Windows Server 2003 (structure K23 in the union). */
#include <pshpack1.h>
/*
 * Internal kernel token body, given as one union of build-specific
 * layouts (NT, K2, XP, K23 and K23SP1 — K2 presumably Windows 2000 and
 * K23 Server 2003; per the comment above, XP SP2 uses K23). The union
 * carries no discriminator: code must select the member matching the
 * running build, and a wrong choice silently misreads every field after
 * the first divergence. The pshpack1/poppack pair forces 1-byte packing
 * so the member offsets in the trailing comments (observed values on
 * the right of the colon) are exact. VariablePart marks where the
 * variable-length tail holding SIDs, privileges and the DACL begins.
 */
typedef union
{
    struct
    {
        TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10, *SYSTEM* id == 0 */
        LUID TokenId; /* 0x10: */
        LUID AuthenticationId; /* 0x18: */
        LARGE_INTEGER ExpirationTime; /* 0x20: -1 no expired. *SYSTEM* has expired? */
        LUID ModifiedId; /* 0x28: */
        ULONG UserAndGroupCount; /* 0x30: 3 */
        ULONG PrivilegeCount; /* 0x34: 14 */
        ULONG VariableLength; /* 0x38: 0x37C */
        ULONG DynamicCharged; /* 0x3C: 0x1F4 */
        ULONG DynamicAvailable; /* 0x40: 0x1A4 */
        ULONG DefaultOwnerIndex; /* 0x44: 1 */
        PSID_AND_ATTRIBUTES UserAndGroups;/* 0x48: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
        PSID PrimaryGroup; /* 0x4C: */
        PLUID_AND_ATTRIBUTES Privileges;/* 0x50: */
        PULONG DynamicPart; /* 0x54: */
        PACL DefaultDacl; /* 0x58: */
        TOKEN_TYPE TokenType; /* 0x5C: TokenPrimary | TokenImpersonation */
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x60: 0 */
        UCHAR TokenFlags; /* 0x64: 1 */
        BOOLEAN TokenInUse; /* 0x65: 1 */
        USHORT Alignment; /* 0x66: 0 */
        PVOID ProxyData; /* 0x68: 0 */
        PVOID AuditData; /* 0x6C: 0 */
        ULONG VariablePart; /* 0x70: */
    } NT;
    struct
    {
        TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
        LUID TokenId; /* 0x10: */
        LUID AuthenticationId; /* 0x18: */
        LUID ParentTokenId; /* 0x20: 0 */
        LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
        LUID ModifiedId; /* 0x30: */
        ULONG SessionId; /* 0x38: 0 */
        ULONG UserAndGroupCount; /* 0x3C: 9 */
        ULONG RestrictedSidCount; /*+0x40: 0 */
        ULONG PrivilegeCount; /* 0x44: 11 */
        ULONG VariableLength; /* 0x48: 0x1F0 */
        ULONG DynamicCharged; /* 0x4C: 0x1F4 */
        ULONG DynamicAvailable; /* 0x50: 0x1A4 */
        ULONG DefaultOwnerIndex; /* 0x54: 3 */
        PSID_AND_ATTRIBUTES UserAndGroups; /* 0x58: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
        PSID_AND_ATTRIBUTES RestrictedSids;/* 0x5C: 0 */
        PSID PrimaryGroup; /* 0x60: */
        PLUID_AND_ATTRIBUTES Privileges;/* 0x64: */
        PULONG DynamicPart; /* 0x68: */
        PACL DefaultDacl; /* 0x6C: */
        TOKEN_TYPE TokenType; /* 0x70: TokenPrimary | TokenImpersonation */
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x74: 0 */
        UCHAR TokenFlags; /* 0x78: 9 */
        BOOLEAN TokenInUse; /* 0x79: 1 */
        USHORT Alignment; /* 0x7A: 0 */
        PVOID ProxyData; /* 0x7C: 0 */
        PVOID AuditData; /* 0x80: 0 */
        ULONG VariablePart; /* 0x84: */
    } K2;
    struct
    {
        TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
        LUID TokenId; /* 0x10: 0x6F68 */
        LUID AuthenticationId; /* 0x18: */
        LUID ParentTokenId; /* 0x20: 0 */
        LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
        PERESOURCE TokenLock; /*+0x30: 0x8xxxxxxxx */
        LUID ModifiedId; /* 0x34: */
        ULONG SessionId; /* 0x3C: 0x6F6A */
        ULONG UserAndGroupCount; /* 0x40: 4 */
        ULONG RestrictedSidCount; /*+0x44: 0 */
        ULONG VariableLength; /* 0x48: 0x160 */
        ULONG DynamicCharged; /* 0x4C: 0x164 */
        ULONG DynamicAvailable; /* 0x50: 0x1F4 */
        ULONG PrivilegeCount; /* 0x54: 0 */
        ULONG DefaultOwnerIndex; /* 0x58: 1 */
        PSID_AND_ATTRIBUTES UserAndGroups; /* 0x5C: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
        PSID_AND_ATTRIBUTES RestrictedSids;/* 0x60: 0 */
        PSID PrimaryGroup; /* 0x64: */
        PLUID_AND_ATTRIBUTES Privileges;/* 0x68: */
        PULONG DynamicPart; /* 0x6C: */
        PACL DefaultDacl; /* 0x70: */
        TOKEN_TYPE TokenType; /* 0x74: TokenPrimary | TokenImpersonation */
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x78: 0 */
        UCHAR TokenFlags; /* 0x7C: 9 */
        BOOLEAN TokenInUse; /* 0x7D: 1 */
        USHORT Alignment; /* 0x7E: 4BB4 */
        PVOID ProxyData; /* 0x80: 0 */
        PVOID AuditData; /* 0x84: 0 */
        ULONG VariablePart; /* 0x88: */
    } XP;
    struct
    {
        TOKEN_SOURCE TokenSource; /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
        LUID TokenId; /* 0x10: 0x6F68 */
        LUID AuthenticationId; /* 0x18: */
        LUID ParentTokenId; /* 0x20: 0 */
        LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
        PERESOURCE TokenLock; /*+0x30: 0x8xxxxxxxx */
        ULONG Padding64; /*+0x34: 0xXxxxxxxxx */
        SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
        LUID ModifiedId; /*+0x040: 0x6F6A */
        ULONG SessionId; /*+0x048: */
        ULONG UserAndGroupCount; /* 0x4C: 4 */
        ULONG RestrictedSidCount; /*+0x50: 0 */
        ULONG VariableLength; /* 0x54: 0x18 */
        ULONG DynamicCharged; /* 0x58: 0x17C */
        ULONG DynamicAvailable; /* 0x5C: 0x1F4 */
        ULONG PrivilegeCount; /* 0x60: 0 */
        ULONG DefaultOwnerIndex; /* 0x64: 1 */
        PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
        PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
        PSID PrimaryGroup; /* 0x70: */
        PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
        PULONG DynamicPart; /* 0x78: */
        PACL DefaultDacl; /* 0x7C: */
        TOKEN_TYPE TokenType; /* 0x80: TokenPrimary | TokenImpersonation */
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
        UCHAR TokenFlags; /* 0x88: 9 */
        BOOLEAN TokenInUse; /* 0x89: 1 */
        USHORT Alignment; /* 0x8A: 4BB4 */
        PVOID ProxyData; /* 0x8C: 0x8xxxxxxxx */
        PVOID AuditData; /* 0x90: 0 */
        ULONG VariablePart; /* 0x94: */
    } K23;
    struct
    {
        TOKEN_SOURCE TokenSource; /*+0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32 " + LUID SourceIdentifier = 0x10 */
        LUID TokenId; /*+0x10: 0x6F68 */
        LUID AuthenticationId; /*+0x18: */
        LUID ParentTokenId; /*+0x20: 0 */
        LARGE_INTEGER ExpirationTime; /*+0x28: -1 no expired */
        PERESOURCE TokenLock; /*+0x30: 0x8xxxxxxxx */
        ULONG Padding64; /*+0x34: 0xXxxxxxxxx */
        SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
        LUID ModifiedId; /*+0x040: 0x6F6A */
        ULONG SessionId; /*+0x048: */
        ULONG UserAndGroupCount; /*+0x04c: 4 */
        ULONG RestrictedSidCount; /*+0x050: 0 */
        ULONG PrivilegeCount; /*+0x054: 0x18 */
        ULONG VariableLength; /*+0x058: 0x17C */
        ULONG DynamicCharged; /*+0x05c: 0x1F4 */
        ULONG DynamicAvailable; /*+0x060: 0 */
        ULONG DefaultOwnerIndex; /*+0x064: 1 */
        PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
        PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
        PSID PrimaryGroup; /* 0x70: */
        PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
        PULONG DynamicPart; /* 0x78: */
        PACL DefaultDacl; /* 0x7C: */
        TOKEN_TYPE TokenType; /* 0x80: TokenPrimary | TokenImpersonation */
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
        UCHAR TokenFlags; /* 0x88: 9 */
        BOOLEAN TokenInUse; /* 0x89: 1 */
        USHORT Alignment; /* 0x8A: 4BB4 */
        PVOID ProxyData; /* 0x8C: 0x8xxxxxxxx */
        PVOID AuditData; /* 0x90: 0 */
        PVOID LogonSession; /* 0x94: */
        LUID OriginatingLogonSession;/* 0x98: */
        ULONG VariablePart; /* 0xa0: */
    } K23SP1;
    /* VariablePart */
} TOKEN_OBJECT, *PTOKEN_OBJECT;
#include <poppack.h>
//
// TOKEN_OWNER: a single SID pointer. Presumably the buffer shape used when a
// token's default owner is queried or set; the SID is referenced, not
// embedded, so the buffer it points to must outlive this structure.
//
typedef struct _TOKEN_OWNER {
PSID Owner; // default owner SID
} TOKEN_OWNER, *PTOKEN_OWNER;
//
// TOKEN_PRIMARY_GROUP: a single SID pointer naming the token's primary group
// (the TOKEN_OBJECT layout above carries the same name as PSID PrimaryGroup).
// The SID is referenced, not embedded.
//
typedef struct _TOKEN_PRIMARY_GROUP {
PSID PrimaryGroup; // primary group SID
} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
//
// TOKEN_PRIVILEGES: counted array of privileges.
//
// Privileges[1] is the conventional Win32 placeholder for a trailing array of
// PrivilegeCount entries, so sizeof(TOKEN_PRIVILEGES) only covers one entry;
// a buffer for N entries is conventionally sized as
// sizeof(TOKEN_PRIVILEGES) + (N - 1) * sizeof(LUID_AND_ATTRIBUTES).
// NOTE(review): when PrivilegeCount comes from an untrusted buffer, validate
// it against the buffer length before indexing Privileges.
//
typedef struct _TOKEN_PRIVILEGES {
ULONG PrivilegeCount; // number of valid entries in Privileges
LUID_AND_ATTRIBUTES Privileges[1]; // first of PrivilegeCount entries
} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
//
// TOKEN_STATISTICS: by-value summary of a token. Every field except
// GroupCount has a same-named counterpart in the TOKEN_OBJECT layout above
// (GroupCount corresponds to UserAndGroupCount there).
//
typedef struct _TOKEN_STATISTICS {
LUID TokenId; // unique id of this token instance
LUID AuthenticationId; // logon session id
LARGE_INTEGER ExpirationTime; // TOKEN_OBJECT above notes -1 for "does not expire"
TOKEN_TYPE TokenType; // TokenPrimary | TokenImpersonation
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
ULONG DynamicCharged;
ULONG DynamicAvailable;
ULONG GroupCount; // UserAndGroupCount in TOKEN_OBJECT
ULONG PrivilegeCount;
LUID ModifiedId; // changes when the token is modified
} TOKEN_STATISTICS, *PTOKEN_STATISTICS;
//
// TOKEN_USER: the token's user SID together with its attributes
// (SID_AND_ATTRIBUTES embeds a PSID, so the SID itself is still referenced).
//
typedef struct _TOKEN_USER {
SID_AND_ATTRIBUTES User; // user SID + attribute flags
} TOKEN_USER, *PTOKEN_USER;
//
// SECURITY_CLIENT_CONTEXT: a server's captured view of a client's security
// context. It holds a reference to the client's token (ClientToken) plus the
// quality-of-service and a few BOOLEAN switches that record how the token
// may be used; ClientTokenControl carries the token's control information.
// NOTE(review): the three BOOLEANs look like they gate direct use of the
// client token versus a copy — confirm against the SeXxx client-security
// routines before relying on them.
//
typedef struct _SECURITY_CLIENT_CONTEXT {
SECURITY_QUALITY_OF_SERVICE SecurityQos; // impersonation level / tracking
PACCESS_TOKEN ClientToken; // referenced client token
BOOLEAN DirectlyAccessClientToken;
BOOLEAN DirectAccessEffectiveOnly;
BOOLEAN ServerIsRemote;
TOKEN_CONTROL ClientTokenControl;
} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT;
//
// TUNNEL: file-name tunnel cache. Treat as opaque: it is set up by
// FsRtlInitializeTunnelCache and driven by FsRtlAddToTunnelCache,
// FsRtlFindInTunnelCache, FsRtlDeleteKeyFromTunnelCache and
// FsRtlDeleteTunnelCache (all declared below), which take a PTUNNEL.
//
typedef struct _TUNNEL {
FAST_MUTEX Mutex; // serializes access to the cache
PRTL_SPLAY_LINKS Cache; // splay tree of cached entries
LIST_ENTRY TimerQueue; // entries ordered for expiry (presumably)
USHORT NumEntries; // number of entries currently cached
} TUNNEL, *PTUNNEL;
//
// VACB: virtual address control block, one cache-manager mapping of a
// section of a cached file. Overlay is a union, so FileOffset and
// ActiveCount share storage — only one of them is meaningful at a time.
//
typedef struct _VACB {
PVOID BaseAddress; // system VA the view is mapped at
PSHARED_CACHE_MAP SharedCacheMap; // owning file's cache map
union {
LARGE_INTEGER FileOffset; // file offset of the view
USHORT ActiveCount; // active user count (shares storage with FileOffset)
} Overlay;
LIST_ENTRY LruList; // link in the LRU list
} VACB, *PVACB;
//
// VAD_HEADER: virtual address descriptor node. Start/EndVPN bound the range
// and Parent/Left/RightLink form a binary tree of VAD_HEADERs. The field
// named Unknown is undocumented here; do not rely on its meaning.
//
typedef struct _VAD_HEADER {
PVOID StartVPN; // first virtual page number of the range
PVOID EndVPN; // last virtual page number of the range
PVAD_HEADER ParentLink; // tree links
PVAD_HEADER LeftLink;
PVAD_HEADER RightLink;
ULONG Flags; // LSB = CommitCharge
PVOID ControlArea;
PVOID FirstProtoPte;
PVOID LastPTE;
ULONG Unknown; // undocumented
LIST_ENTRY Secured;
} VAD_HEADER, *PVAD_HEADER;
NTKERNELAPI
BOOLEAN
CcCanIWrite (
IN PFILE_OBJECT FileObject,
IN ULONG BytesToWrite,
IN BOOLEAN Wait,
IN BOOLEAN Retrying
);
NTKERNELAPI
BOOLEAN
CcCopyRead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
OUT PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus
);
NTKERNELAPI
BOOLEAN
CcCopyWrite (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN PVOID Buffer
);
//
// CcCopyWriteWontFlush(FO, FOFF, LEN): TRUE when LEN <= 0x10000 (64 KiB), the
// size below which, per the macro's name, a copy-write is not expected to
// flush. FO and FOFF are accepted for interface symmetry but never evaluated.
//
#define CcCopyWriteWontFlush(FO, FOFF, LEN) ((LEN) <= 0x10000)
//
// PCC_POST_DEFERRED_WRITE: callback handed to CcDeferWrite (below) together
// with Context1/Context2, which are passed back unchanged when the deferred
// write is posted.
//
typedef VOID (*PCC_POST_DEFERRED_WRITE) (
IN PVOID Context1,
IN PVOID Context2
);
NTKERNELAPI
VOID
CcDeferWrite (
IN PFILE_OBJECT FileObject,
IN PCC_POST_DEFERRED_WRITE PostRoutine,
IN PVOID Context1,
IN PVOID Context2,
IN ULONG BytesToWrite,
IN BOOLEAN Retrying
);
NTKERNELAPI
VOID
CcFastCopyRead (
IN PFILE_OBJECT FileObject,
IN ULONG FileOffset,
IN ULONG Length,
IN ULONG PageCount,
OUT PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus
);
NTKERNELAPI
VOID
CcFastCopyWrite (
IN PFILE_OBJECT FileObject,
IN ULONG FileOffset,
IN ULONG Length,
IN PVOID Buffer
);
NTKERNELAPI
VOID
CcFlushCache (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN PLARGE_INTEGER FileOffset OPTIONAL,
IN ULONG Length,
OUT PIO_STATUS_BLOCK IoStatus OPTIONAL
);
//
// PDIRTY_PAGE_ROUTINE: per-range callback for CcGetDirtyPages (below). It is
// called with the file, the dirty range (FileOffset, Length) and the oldest /
// newest LSN attached to it; Context1/Context2 are the values given to
// CcGetDirtyPages.
//
typedef VOID (*PDIRTY_PAGE_ROUTINE) (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN PLARGE_INTEGER OldestLsn,
IN PLARGE_INTEGER NewestLsn,
IN PVOID Context1,
IN PVOID Context2
);
NTKERNELAPI
LARGE_INTEGER
CcGetDirtyPages (
IN PVOID LogHandle,
IN PDIRTY_PAGE_ROUTINE DirtyPageRoutine,
IN PVOID Context1,
IN PVOID Context2
);
NTKERNELAPI
PFILE_OBJECT
CcGetFileObjectFromBcb (
IN PVOID Bcb
);
NTKERNELAPI
PFILE_OBJECT
CcGetFileObjectFromSectionPtrs (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer
);
//
// CcGetFileSizePointer(FO): pointer to the file-size LARGE_INTEGER that the
// cache manager keeps in the file's SharedCacheMap, taken as the second
// LARGE_INTEGER of that private structure.
//
// NOTE(review): unlike CcIsFileCached, this dereferences
// (FO)->SectionObjectPointer and its SharedCacheMap unchecked; use it only
// on a file for which CcIsFileCached(FO) is TRUE, otherwise it walks a NULL
// pointer.
//
#define CcGetFileSizePointer(FO) ( \
((PLARGE_INTEGER)((FO)->SectionObjectPointer->SharedCacheMap) + 1) \
)
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
LARGE_INTEGER
CcGetFlushedValidData (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN BOOLEAN BcbListHeld
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
LARGE_INTEGER
CcGetLsnForFileObject (
IN PFILE_OBJECT FileObject,
OUT PLARGE_INTEGER OldestLsn OPTIONAL
);
//
// File-system callbacks collected in CACHE_MANAGER_CALLBACKS (below) and
// registered through CcInitializeCacheMap. Each Acquire routine receives the
// LazyWriteContext given at registration plus a Wait flag and returns a
// BOOLEAN (presumably whether the resource was acquired); the matching
// Release routine receives only the context.
//
typedef BOOLEAN (*PACQUIRE_FOR_LAZY_WRITE) (
IN PVOID Context,
IN BOOLEAN Wait
);
typedef VOID (*PRELEASE_FROM_LAZY_WRITE) (
IN PVOID Context
);
typedef BOOLEAN (*PACQUIRE_FOR_READ_AHEAD) (
IN PVOID Context,
IN BOOLEAN Wait
);
typedef VOID (*PRELEASE_FROM_READ_AHEAD) (
IN PVOID Context
);
//
// CACHE_MANAGER_CALLBACKS: the four acquire/release routines a file system
// hands to CcInitializeCacheMap (below). Acquire/Release pairs should be
// balanced; the cache manager calls them with the LazyWriteContext passed
// at registration.
//
typedef struct _CACHE_MANAGER_CALLBACKS {
PACQUIRE_FOR_LAZY_WRITE AcquireForLazyWrite;
PRELEASE_FROM_LAZY_WRITE ReleaseFromLazyWrite;
PACQUIRE_FOR_READ_AHEAD AcquireForReadAhead;
PRELEASE_FROM_READ_AHEAD ReleaseFromReadAhead;
} CACHE_MANAGER_CALLBACKS, *PCACHE_MANAGER_CALLBACKS;
NTKERNELAPI
VOID
CcInitializeCacheMap (
IN PFILE_OBJECT FileObject,
IN PCC_FILE_SIZES FileSizes,
IN BOOLEAN PinAccess,
IN PCACHE_MANAGER_CALLBACKS Callbacks,
IN PVOID LazyWriteContext
);
//
// CcIsFileCached(FO): TRUE when the file object has section object pointers
// and a SharedCacheMap has been set up for them. Both pointers are NULL
// checked (short-circuit &&), so it is safe to call on any PFILE_OBJECT; FO
// is evaluated twice.
//
#define CcIsFileCached(FO) ( \
((FO)->SectionObjectPointer != NULL) && \
(((PSECTION_OBJECT_POINTERS)(FO)->SectionObjectPointer)->SharedCacheMap != NULL) \
)
NTKERNELAPI
BOOLEAN
CcIsThereDirtyData (
IN PVPB Vpb
);
//
// CcMapData: map Length bytes at FileOffset of a cached file, returning a
// pointer to the data in *Buffer and a Bcb in *Bcb. The fourth parameter
// depends on the build: ULONG Flags on builds >= 2600, BOOLEAN Wait before
// that. The Bcb is conventionally released with CcUnpinData (declared
// below); the declaration itself says nothing about the return value beyond
// BOOLEAN.
//
NTKERNELAPI
BOOLEAN
CcMapData (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
#if (VER_PRODUCTBUILD >= 2600)
IN ULONG Flags,
#else
IN BOOLEAN Wait,
#endif
OUT PVOID *Bcb,
OUT PVOID *Buffer
);
NTKERNELAPI
VOID
CcMdlRead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus
);
NTKERNELAPI
VOID
CcMdlReadComplete (
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
CcMdlWriteAbort (
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain
);
#endif
NTKERNELAPI
VOID
CcMdlWriteComplete (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain
);
NTKERNELAPI
BOOLEAN
CcPinMappedData (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
#if (VER_PRODUCTBUILD >= 2195)
IN ULONG Flags,
#else
IN BOOLEAN Wait,
#endif
IN OUT PVOID *Bcb
);
NTKERNELAPI
BOOLEAN
CcPinRead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
#if (VER_PRODUCTBUILD >= 2195)
IN ULONG Flags,
#else
IN BOOLEAN Wait,
#endif
OUT PVOID *Bcb,
OUT PVOID *Buffer
);
NTKERNELAPI
VOID
CcPrepareMdlWrite (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus
);
NTKERNELAPI
BOOLEAN
CcPreparePinWrite (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Zero,
#if (VER_PRODUCTBUILD >= 2195)
IN ULONG Flags,
#else
IN BOOLEAN Wait,
#endif
OUT PVOID *Bcb,
OUT PVOID *Buffer
);
NTKERNELAPI
BOOLEAN
CcPurgeCacheSection (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN PLARGE_INTEGER FileOffset OPTIONAL,
IN ULONG Length,
IN BOOLEAN UninitializeCacheMaps
);
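//
// CcReadAhead(FO, FOFF, LEN): schedule read-ahead (CcScheduleReadAhead,
// declared below) for a cached file when the transfer is large enough to be
// worth it; transfers shorter than 256 bytes are ignored.
//
// FO   - PFILE_OBJECT of the cached file.
// FOFF - PLARGE_INTEGER file offset of the current transfer.
// LEN  - length of the current transfer in bytes; evaluated twice, so do not
//        pass an expression with side effects.
//
// The body is wrapped in do { } while (0) so the macro is a single
// statement: the previous expansion placed an `if` inside parentheses,
// which is not valid C and could never be used, and a bare block would
// misparse after `if (...) CcReadAhead(...); else`.
//
#define CcReadAhead(FO, FOFF, LEN) do { \
    if ((LEN) >= 256) { \
        CcScheduleReadAhead((FO), (FOFF), (LEN)); \
    } \
} while (0)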
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
PVOID
CcRemapBcb (
IN PVOID Bcb
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
CcRepinBcb (
IN PVOID Bcb
);
NTKERNELAPI
VOID
CcScheduleReadAhead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length
);
NTKERNELAPI
VOID
CcSetAdditionalCacheAttributes (
IN PFILE_OBJECT FileObject,
IN BOOLEAN DisableReadAhead,
IN BOOLEAN DisableWriteBehind
);
NTKERNELAPI
VOID
CcSetBcbOwnerPointer (
IN PVOID Bcb,
IN PVOID OwnerPointer
);
NTKERNELAPI
VOID
CcSetDirtyPageThreshold (
IN PFILE_OBJECT FileObject,
IN ULONG DirtyPageThreshold
);
NTKERNELAPI
VOID
CcSetDirtyPinnedData (
IN PVOID BcbVoid,
IN PLARGE_INTEGER Lsn OPTIONAL
);
NTKERNELAPI
VOID
CcSetFileSizes (
IN PFILE_OBJECT FileObject,
IN PCC_FILE_SIZES FileSizes
);
//
// PFLUSH_TO_LSN: callback registered with CcSetLogHandleForFile (below).
// It is given the LogHandle passed at registration and the LSN up to which
// the log must be flushed.
//
typedef VOID (*PFLUSH_TO_LSN) (
IN PVOID LogHandle,
IN PLARGE_INTEGER Lsn
);
NTKERNELAPI
VOID
CcSetLogHandleForFile (
IN PFILE_OBJECT FileObject,
IN PVOID LogHandle,
IN PFLUSH_TO_LSN FlushToLsnRoutine
);
NTKERNELAPI
VOID
CcSetReadAheadGranularity (
IN PFILE_OBJECT FileObject,
IN ULONG Granularity // default: PAGE_SIZE
// allowed: 2^n * PAGE_SIZE
);
NTKERNELAPI
BOOLEAN
CcUninitializeCacheMap (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER TruncateSize OPTIONAL,
IN PCACHE_UNINITIALIZE_EVENT UninitializeCompleteEvent OPTIONAL
);
NTKERNELAPI
VOID
CcUnpinData (
IN PVOID Bcb
);
NTKERNELAPI
VOID
CcUnpinDataForThread (
IN PVOID Bcb,
IN ERESOURCE_THREAD ResourceThreadId
);
NTKERNELAPI
VOID
CcUnpinRepinnedBcb (
IN PVOID Bcb,
IN BOOLEAN WriteThrough,
OUT PIO_STATUS_BLOCK IoStatus
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
CcWaitForCurrentLazyWriterActivity (
VOID
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
CcZeroData (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER StartOffset,
IN PLARGE_INTEGER EndOffset,
IN BOOLEAN Wait
);
NTKERNELAPI
VOID
ExDisableResourceBoostLite (
IN PERESOURCE Resource
);
NTKERNELAPI
ULONG
ExQueryPoolBlockSize (
IN PVOID PoolBlock,
OUT PBOOLEAN QuotaCharged
);
//
// FlagOn(x, f): non-zero when any bit of f is set in x. The result is the
// masked value, not a BOOLEAN, so compare with != 0 rather than == TRUE.
//
#define FlagOn(x, f) ((x) & (f))
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
FsRtlAcquireFileExclusive (
IN PFILE_OBJECT FileObject
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
FsRtlAddLargeMcbEntry (
IN PLARGE_MCB Mcb,
IN LONGLONG Vbn,
IN LONGLONG Lbn,
IN LONGLONG SectorCount
);
NTKERNELAPI
BOOLEAN
FsRtlAddMcbEntry (
IN PMCB Mcb,
IN VBN Vbn,
IN LBN Lbn,
IN ULONG SectorCount
);
NTKERNELAPI
VOID
FsRtlAddToTunnelCache (
IN PTUNNEL Cache,
IN ULONGLONG DirectoryKey,
IN PUNICODE_STRING ShortName,
IN PUNICODE_STRING LongName,
IN BOOLEAN KeyByShortName,
IN ULONG DataLength,
IN PVOID Data
);
#if (VER_PRODUCTBUILD >= 2195)
PFILE_LOCK
FsRtlAllocateFileLock (
IN PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine OPTIONAL,
IN PUNLOCK_ROUTINE UnlockRoutine OPTIONAL
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// FsRtl pool allocators: PoolType selects the pool, NumberOfBytes the size,
// and the WithTag variants record a four-character Tag for pool tracking.
// NOTE(review): these declarations do not say what happens on failure; the
// DDK describes the FsRtlAllocatePool family as raising
// STATUS_INSUFFICIENT_RESOURCES rather than returning NULL — confirm before
// writing a NULL check that would never fire.
//
NTKERNELAPI
PVOID
FsRtlAllocatePool (
IN POOL_TYPE PoolType,
IN ULONG NumberOfBytes
);
NTKERNELAPI
PVOID
FsRtlAllocatePoolWithQuota (
IN POOL_TYPE PoolType,
IN ULONG NumberOfBytes
);
NTKERNELAPI
PVOID
FsRtlAllocatePoolWithQuotaTag (
IN POOL_TYPE PoolType,
IN ULONG NumberOfBytes,
IN ULONG Tag
);
NTKERNELAPI
PVOID
FsRtlAllocatePoolWithTag (
IN POOL_TYPE PoolType,
IN ULONG NumberOfBytes,
IN ULONG Tag
);
NTKERNELAPI
PVOID
FsRtlAllocateResource (
VOID
);
NTKERNELAPI
BOOLEAN
FsRtlAreNamesEqual (
IN PUNICODE_STRING Name1,
IN PUNICODE_STRING Name2,
IN BOOLEAN IgnoreCase,
IN PWCHAR UpcaseTable OPTIONAL
);
//
// FsRtlAreThereCurrentFileLocks(FL): reads the FastIoIsQuestionable field of
// the FILE_LOCK. Despite the name it is not a lock count; it is the flag the
// lock package sets when fast I/O must be re-checked against byte-range
// locks. FL is evaluated once.
//
#define FsRtlAreThereCurrentFileLocks(FL) ( \
((FL)->FastIoIsQuestionable) \
)
NTKERNELAPI
NTSTATUS
FsRtlBalanceReads (
IN PDEVICE_OBJECT TargetDevice
);
/*
FsRtlCheckLockForReadAccess:
All this really does is pick out the lock parameters from the irp (io stack
location?), get IoGetRequestorProcess, and pass values on to
FsRtlFastCheckLockForRead.
*/
NTKERNELAPI
BOOLEAN
FsRtlCheckLockForReadAccess (
IN PFILE_LOCK FileLock,
IN PIRP Irp
);
/*
FsRtlCheckLockForWriteAccess:
All this really does is pick out the lock parameters from the irp (io stack
location?), get IoGetRequestorProcess, and pass values on to
FsRtlFastCheckLockForWrite.
*/
NTKERNELAPI
BOOLEAN
FsRtlCheckLockForWriteAccess (
IN PFILE_LOCK FileLock,
IN PIRP Irp
);
//
// Oplock callbacks for FsRtlCheckOplock (below). Both receive the Context
// given to FsRtlCheckOplock and the IRP concerned: the completion routine
// when the wait for the oplock break finishes, the prepost routine before
// the IRP is posted. Either may be omitted (OPTIONAL in FsRtlCheckOplock).
//
typedef
VOID
(*POPLOCK_WAIT_COMPLETE_ROUTINE) (
IN PVOID Context,
IN PIRP Irp
);
typedef
VOID
(*POPLOCK_FS_PREPOST_IRP) (
IN PVOID Context,
IN PIRP Irp
);
NTKERNELAPI
NTSTATUS
FsRtlCheckOplock (
IN POPLOCK Oplock,
IN PIRP Irp,
IN PVOID Context,
IN POPLOCK_WAIT_COMPLETE_ROUTINE CompletionRoutine OPTIONAL,
IN POPLOCK_FS_PREPOST_IRP PostIrpRoutine OPTIONAL
);
NTKERNELAPI
BOOLEAN
FsRtlCopyRead (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
OUT PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
NTKERNELAPI
BOOLEAN
FsRtlCopyWrite (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN BOOLEAN Wait,
IN ULONG LockKey,
IN PVOID Buffer,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
NTKERNELAPI
BOOLEAN
FsRtlCurrentBatchOplock (
IN POPLOCK Oplock
);
NTKERNELAPI
VOID
FsRtlDeleteKeyFromTunnelCache (
IN PTUNNEL Cache,
IN ULONGLONG DirectoryKey
);
NTKERNELAPI
VOID
FsRtlDeleteTunnelCache (
IN PTUNNEL Cache
);
NTKERNELAPI
VOID
FsRtlDeregisterUncProvider (
IN HANDLE Handle
);
NTKERNELAPI
VOID
FsRtlDissectDbcs (
IN ANSI_STRING InputName,
OUT PANSI_STRING FirstPart,
OUT PANSI_STRING RemainingPart
);
NTKERNELAPI
VOID
FsRtlDissectName (
IN UNICODE_STRING Path,
OUT PUNICODE_STRING FirstName,
OUT PUNICODE_STRING RemainingName
);
NTKERNELAPI
BOOLEAN
FsRtlDoesDbcsContainWildCards (
IN PANSI_STRING Name
);
NTKERNELAPI
BOOLEAN
FsRtlDoesNameContainWildCards (
IN PUNICODE_STRING Name
);
//
// FsRtlEnterFileSystem / FsRtlExitFileSystem are plain aliases for
// KeEnterCriticalRegion / KeLeaveCriticalRegion. Calls must be balanced on
// every path out of the file-system entry point, including error paths.
//
#define FsRtlEnterFileSystem KeEnterCriticalRegion
#define FsRtlExitFileSystem KeLeaveCriticalRegion
NTKERNELAPI
BOOLEAN
FsRtlFastCheckLockForRead (
IN PFILE_LOCK FileLock,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
IN ULONG Key,
IN PFILE_OBJECT FileObject,
IN PEPROCESS Process
);
NTKERNELAPI
BOOLEAN
FsRtlFastCheckLockForWrite (
IN PFILE_LOCK FileLock,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
IN ULONG Key,
IN PFILE_OBJECT FileObject,
IN PEPROCESS Process
);
//
// FsRtlFastLock: FsRtlPrivateLock (declared below) without an IRP. The
// eleven arguments are forwarded in order and NULL is inserted as
// FsRtlPrivateLock's tenth parameter (Irp OPTIONAL), so A10 and A11 land on
// Context and AlreadySynchronized.
//
#define FsRtlFastLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11) ( \
FsRtlPrivateLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, NULL, A10, A11) \
)
NTKERNELAPI
NTSTATUS
FsRtlFastUnlockAll (
IN PFILE_LOCK FileLock,
IN PFILE_OBJECT FileObject,
IN PEPROCESS Process,
IN PVOID Context OPTIONAL
);
//ret: STATUS_RANGE_NOT_LOCKED
NTKERNELAPI
NTSTATUS
FsRtlFastUnlockAllByKey (
IN PFILE_LOCK FileLock,
IN PFILE_OBJECT FileObject,
IN PEPROCESS Process,
IN ULONG Key,
IN PVOID Context OPTIONAL
);
//ret: STATUS_RANGE_NOT_LOCKED
NTKERNELAPI
NTSTATUS
FsRtlFastUnlockSingle (
IN PFILE_LOCK FileLock,
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
IN PEPROCESS Process,
IN ULONG Key,
IN PVOID Context OPTIONAL,
IN BOOLEAN AlreadySynchronized
);
//ret: STATUS_RANGE_NOT_LOCKED
NTKERNELAPI
BOOLEAN
FsRtlFindInTunnelCache (
IN PTUNNEL Cache,
IN ULONGLONG DirectoryKey,
IN PUNICODE_STRING Name,
OUT PUNICODE_STRING ShortName,
OUT PUNICODE_STRING LongName,
IN OUT PULONG DataLength,
OUT PVOID Data
);
#if (VER_PRODUCTBUILD >= 2195)
VOID
FsRtlFreeFileLock (
IN PFILE_LOCK FileLock
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
FsRtlGetFileSize (
IN PFILE_OBJECT FileObject,
IN OUT PLARGE_INTEGER FileSize
);
/*
FsRtlGetNextFileLock:
ret: NULL if no more locks
Internals:
FsRtlGetNextFileLock uses FileLock->LastReturnedLockInfo and
FileLock->LastReturnedLock as storage.
LastReturnedLock is a pointer to the 'raw' lock including its doubly linked
list entry, and FsRtlGetNextFileLock needs it to find the next lock on subsequent
calls with Restart = FALSE.
*/
NTKERNELAPI
PFILE_LOCK_INFO
FsRtlGetNextFileLock (
IN PFILE_LOCK FileLock,
IN BOOLEAN Restart
);
NTKERNELAPI
BOOLEAN
FsRtlGetNextLargeMcbEntry (
IN PLARGE_MCB Mcb,
IN ULONG RunIndex,
OUT PLONGLONG Vbn,
OUT PLONGLONG Lbn,
OUT PLONGLONG SectorCount
);
NTKERNELAPI
BOOLEAN
FsRtlGetNextMcbEntry (
IN PMCB Mcb,
IN ULONG RunIndex,
OUT PVBN Vbn,
OUT PLBN Lbn,
OUT PULONG SectorCount
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
FsRtlIncrementCcFastReadNotPossible (
VOID
);
NTKERNELAPI
VOID
FsRtlIncrementCcFastReadNoWait (
VOID
);
NTKERNELAPI
VOID
FsRtlIncrementCcFastReadResourceMiss (
VOID
);
NTKERNELAPI
VOID
FsRtlIncrementCcFastReadWait (
VOID
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
FsRtlInitializeFileLock (
IN PFILE_LOCK FileLock,
IN PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine OPTIONAL,
IN PUNLOCK_ROUTINE UnlockRoutine OPTIONAL
);
NTKERNELAPI
VOID
FsRtlInitializeLargeMcb (
IN PLARGE_MCB Mcb,
IN POOL_TYPE PoolType
);
NTKERNELAPI
VOID
FsRtlInitializeMcb (
IN PMCB Mcb,
IN POOL_TYPE PoolType
);
NTKERNELAPI
VOID
FsRtlInitializeOplock (
IN OUT POPLOCK Oplock
);
NTKERNELAPI
VOID
FsRtlInitializeTunnelCache (
IN PTUNNEL Cache
);
NTKERNELAPI
BOOLEAN
FsRtlIsDbcsInExpression (
IN PANSI_STRING Expression,
IN PANSI_STRING Name
);
NTKERNELAPI
BOOLEAN
FsRtlIsFatDbcsLegal (
IN ANSI_STRING DbcsName,
IN BOOLEAN WildCardsPermissible,
IN BOOLEAN PathNamePermissible,
IN BOOLEAN LeadingBackslashPermissible
);
NTKERNELAPI
BOOLEAN
FsRtlIsHpfsDbcsLegal (
IN ANSI_STRING DbcsName,
IN BOOLEAN WildCardsPermissible,
IN BOOLEAN PathNamePermissible,
IN BOOLEAN LeadingBackslashPermissible
);
NTKERNELAPI
BOOLEAN
FsRtlIsNameInExpression (
IN PUNICODE_STRING Expression,
IN PUNICODE_STRING Name,
IN BOOLEAN IgnoreCase,
IN PWCHAR UpcaseTable OPTIONAL
);
NTKERNELAPI
BOOLEAN
FsRtlIsNtstatusExpected (
IN NTSTATUS Ntstatus
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
FsRtlIsPagingFile (
IN PFILE_OBJECT FileObject
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
FsRtlIsTotalDeviceFailure (
IN NTSTATUS Status
);
//
// FsRtlIsUnicodeCharacterWild(C): TRUE when C is flagged FSRTL_WILD_CHARACTER
// in FsRtlLegalAnsiCharacterArray. Any code point >= 0x40 is FALSE without
// touching the table, which bounds the table index below 0x40.
//
// NOTE(review): C is evaluated twice (comparison and index), so do not pass
// an argument with side effects. If C has a signed type, a negative value
// passes the < 0x40 test and indexes the table out of bounds — pass a
// WCHAR / unsigned value.
//
#define FsRtlIsUnicodeCharacterWild(C) ( \
(((C) >= 0x40) ? \
FALSE : \
FlagOn((*FsRtlLegalAnsiCharacterArray)[(C)], FSRTL_WILD_CHARACTER )) \
)
NTKERNELAPI
BOOLEAN
FsRtlLookupLargeMcbEntry (
IN PLARGE_MCB Mcb,
IN LONGLONG Vbn,
OUT PLONGLONG Lbn OPTIONAL,
OUT PLONGLONG SectorCountFromLbn OPTIONAL,
OUT PLONGLONG StartingLbn OPTIONAL,
OUT PLONGLONG SectorCountFromStartingLbn OPTIONAL,
OUT PULONG Index OPTIONAL
);
NTKERNELAPI
BOOLEAN
FsRtlLookupLastLargeMcbEntry (
IN PLARGE_MCB Mcb,
OUT PLONGLONG Vbn,
OUT PLONGLONG Lbn
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
FsRtlLookupLastLargeMcbEntryAndIndex (
IN PLARGE_MCB OpaqueMcb,
OUT PLONGLONG LargeVbn,
OUT PLONGLONG LargeLbn,
OUT PULONG Index
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
FsRtlLookupLastMcbEntry (
IN PMCB Mcb,
OUT PVBN Vbn,
OUT PLBN Lbn
);
NTKERNELAPI
BOOLEAN
FsRtlLookupMcbEntry (
IN PMCB Mcb,
IN VBN Vbn,
OUT PLBN Lbn,
OUT PULONG SectorCount OPTIONAL,
OUT PULONG Index
);
NTKERNELAPI
BOOLEAN
FsRtlMdlReadComplete (
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain
);
NTKERNELAPI
BOOLEAN
FsRtlMdlReadCompleteDev (
IN PFILE_OBJECT FileObject,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
#if (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
BOOLEAN
FsRtlMdlReadDev (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
#endif // (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
BOOLEAN
FsRtlMdlWriteComplete (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain
);
NTKERNELAPI
BOOLEAN
FsRtlMdlWriteCompleteDev (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PMDL MdlChain,
IN PDEVICE_OBJECT DeviceObject
);
NTKERNELAPI
NTSTATUS
FsRtlNormalizeNtstatus (
IN NTSTATUS Exception,
IN NTSTATUS GenericException
);
NTKERNELAPI
VOID
FsRtlNotifyChangeDirectory (
IN PNOTIFY_SYNC NotifySync,
IN PVOID FsContext,
IN PSTRING FullDirectoryName,
IN PLIST_ENTRY NotifyList,
IN BOOLEAN WatchTree,
IN ULONG CompletionFilter,
IN PIRP NotifyIrp
);
NTKERNELAPI
VOID
FsRtlNotifyCleanup (
IN PNOTIFY_SYNC NotifySync,
IN PLIST_ENTRY NotifyList,
IN PVOID FsContext
);
//
// PCHECK_FOR_TRAVERSE_ACCESS: optional callback for the FsRtlNotifyFull /
// FsRtlNotifyFilter change-directory routines (below). It receives the
// notify and target contexts plus the subject's security context and
// returns whether the subject may traverse to the target; a notification
// that fails this check is presumably withheld from that watcher.
//
typedef BOOLEAN (*PCHECK_FOR_TRAVERSE_ACCESS) (
IN PVOID NotifyContext,
IN PVOID TargetContext,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);
#if (VER_PRODUCTBUILD >= 2600)
//
// PFILTER_REPORT_CHANGE (builds >= 2600): optional callback for
// FsRtlNotifyFilterChangeDirectory / FsRtlNotifyFilterReportChange (below).
// It is given the notify context and the FilterContext supplied to
// FsRtlNotifyFilterReportChange and returns a BOOLEAN, presumably whether
// the change is reported to that watcher.
//
typedef BOOLEAN (*PFILTER_REPORT_CHANGE) (
IN PVOID NotifyContext,
IN PVOID FilterContext
);
NTKERNELAPI
VOID
FsRtlNotifyFilterChangeDirectory (
IN PNOTIFY_SYNC NotifySync,
IN PLIST_ENTRY NotifyList,
IN PVOID FsContext,
IN PSTRING FullDirectoryName,
IN BOOLEAN WatchTree,
IN BOOLEAN IgnoreBuffer,
IN ULONG CompletionFilter,
IN PIRP NotifyIrp,
IN PCHECK_FOR_TRAVERSE_ACCESS TraverseCallback OPTIONAL,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext OPTIONAL,
IN PFILTER_REPORT_CHANGE FilterCallback OPTIONAL
);
NTKERNELAPI
VOID
FsRtlNotifyFilterReportChange (
IN PNOTIFY_SYNC NotifySync,
IN PLIST_ENTRY NotifyList,
IN PSTRING FullTargetName,
IN USHORT TargetNameOffset,
IN PSTRING StreamName OPTIONAL,
IN PSTRING NormalizedParentName OPTIONAL,
IN ULONG FilterMatch,
IN ULONG Action,
IN PVOID TargetContext,
IN PVOID FilterContext
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
FsRtlNotifyFullChangeDirectory (
IN PNOTIFY_SYNC NotifySync,
IN PLIST_ENTRY NotifyList,
IN PVOID FsContext,
IN PSTRING FullDirectoryName,
IN BOOLEAN WatchTree,
IN BOOLEAN IgnoreBuffer,
IN ULONG CompletionFilter,
IN PIRP NotifyIrp,
IN PCHECK_FOR_TRAVERSE_ACCESS TraverseCallback OPTIONAL,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext OPTIONAL
);
NTKERNELAPI
VOID
FsRtlNotifyFullReportChange (
IN PNOTIFY_SYNC NotifySync,
IN PLIST_ENTRY NotifyList,
IN PSTRING FullTargetName,
IN USHORT TargetNameOffset,
IN PSTRING StreamName OPTIONAL,
IN PSTRING NormalizedParentName OPTIONAL,
IN ULONG FilterMatch,
IN ULONG Action,
IN PVOID TargetContext
);
NTKERNELAPI
VOID
FsRtlNotifyInitializeSync (
IN PNOTIFY_SYNC *NotifySync
);
NTKERNELAPI
VOID
FsRtlNotifyReportChange (
IN PNOTIFY_SYNC NotifySync,
IN PLIST_ENTRY NotifyList,
IN PSTRING FullTargetName,
IN PUSHORT FileNamePartLength,
IN ULONG FilterMatch
);
NTKERNELAPI
VOID
FsRtlNotifyUninitializeSync (
IN PNOTIFY_SYNC *NotifySync
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
FsRtlNotifyVolumeEvent (
IN PFILE_OBJECT FileObject,
IN ULONG EventCode
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
ULONG
FsRtlNumberOfRunsInLargeMcb (
IN PLARGE_MCB Mcb
);
NTKERNELAPI
ULONG
FsRtlNumberOfRunsInMcb (
IN PMCB Mcb
);
NTKERNELAPI
NTSTATUS
FsRtlOplockFsctrl (
IN POPLOCK Oplock,
IN PIRP Irp,
IN ULONG OpenCount
);
NTKERNELAPI
BOOLEAN
FsRtlOplockIsFastIoPossible (
IN POPLOCK Oplock
);
//
// PFSRTL_STACK_OVERFLOW_ROUTINE: routine run on a fresh stack by
// FsRtlPostStackOverflow / FsRtlPostPagingFileStackOverflow (below). It
// receives the Context and the KEVENT passed to the post routine.
//
typedef
VOID
(*PFSRTL_STACK_OVERFLOW_ROUTINE) (
IN PVOID Context,
IN PKEVENT Event
);
NTKERNELAPI
VOID
FsRtlPostPagingFileStackOverflow (
IN PVOID Context,
IN PKEVENT Event,
IN PFSRTL_STACK_OVERFLOW_ROUTINE StackOverflowRoutine
);
NTKERNELAPI
VOID
FsRtlPostStackOverflow (
IN PVOID Context,
IN PKEVENT Event,
IN PFSRTL_STACK_OVERFLOW_ROUTINE StackOverflowRoutine
);
#if (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
BOOLEAN
FsRtlPrepareMdlWriteDev (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG LockKey,
OUT PMDL *MdlChain,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
#endif // (VER_PRODUCTBUILD >= 1381)
/*
FsRtlPrivateLock:
ret: IoStatus->Status: STATUS_PENDING, STATUS_LOCK_NOT_GRANTED
Internals:
-Calls IoCompleteRequest if Irp
-Uses exception handling / ExRaiseStatus with STATUS_INSUFFICIENT_RESOURCES
*/
//
// FsRtlPrivateLock: request a byte-range lock (FileOffset, Length) on
// FileObject for Process with lock Key. FailImmediately selects whether a
// conflicting lock fails at once instead of waiting; ExclusiveLock selects
// the lock mode. The outcome is reported in IoStatus->Status (see the note
// above for the values). When Irp is supplied the routine completes it
// itself, so the caller must not touch the IRP afterwards; with Irp NULL
// (the FsRtlFastLock wrapper above) the BOOLEAN result is all the caller
// gets. AlreadySynchronized tells the package the caller already holds the
// lock package's synchronization.
//
NTKERNELAPI
BOOLEAN
FsRtlPrivateLock (
IN PFILE_LOCK FileLock,
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN PLARGE_INTEGER Length,
IN PEPROCESS Process,
IN ULONG Key,
IN BOOLEAN FailImmediately,
IN BOOLEAN ExclusiveLock,
OUT PIO_STATUS_BLOCK IoStatus,
IN PIRP Irp OPTIONAL,
IN PVOID Context,
IN BOOLEAN AlreadySynchronized
);
/*
FsRtlProcessFileLock:
ret:
-STATUS_INVALID_DEVICE_REQUEST
-STATUS_RANGE_NOT_LOCKED from unlock routines.
-STATUS_PENDING, STATUS_LOCK_NOT_GRANTED from FsRtlPrivateLock
(redirected IoStatus->Status).
Internals:
-switch ( Irp->CurrentStackLocation->MinorFunction )
lock: return FsRtlPrivateLock;
unlocksingle: return FsRtlFastUnlockSingle;
unlockall: return FsRtlFastUnlockAll;
unlockallbykey: return FsRtlFastUnlockAllByKey;
default: IofCompleteRequest with STATUS_INVALID_DEVICE_REQUEST;
return STATUS_INVALID_DEVICE_REQUEST;
-'AllwaysZero' is passed through unchanged as 'AllwaysZero' to the lock / unlock routines.
-'Irp' is passed through unchanged as 'Irp' to FsRtlPrivateLock.
*/
NTKERNELAPI
NTSTATUS
FsRtlProcessFileLock (
IN PFILE_LOCK FileLock,
IN PIRP Irp,
IN PVOID Context OPTIONAL
);
NTKERNELAPI
NTSTATUS
FsRtlRegisterUncProvider (
IN OUT PHANDLE MupHandle,
IN PUNICODE_STRING RedirectorDeviceName,
IN BOOLEAN MailslotsSupported
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
FsRtlReleaseFile (
IN PFILE_OBJECT FileObject
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
FsRtlRemoveLargeMcbEntry (
IN PLARGE_MCB Mcb,
IN LONGLONG Vbn,
IN LONGLONG SectorCount
);
NTKERNELAPI
VOID
FsRtlRemoveMcbEntry (
IN PMCB Mcb,
IN VBN Vbn,
IN ULONG SectorCount
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
FsRtlResetLargeMcb (
IN PLARGE_MCB Mcb,
IN BOOLEAN SelfSynchronized
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
FsRtlSplitLargeMcb (
IN PLARGE_MCB Mcb,
IN LONGLONG Vbn,
IN LONGLONG Amount
);
NTKERNELAPI
VOID
FsRtlTruncateLargeMcb (
IN PLARGE_MCB Mcb,
IN LONGLONG Vbn
);
NTKERNELAPI
VOID
FsRtlTruncateMcb (
IN PMCB Mcb,
IN VBN Vbn
);
NTKERNELAPI
VOID
FsRtlUninitializeFileLock (
IN PFILE_LOCK FileLock
);
NTKERNELAPI
VOID
FsRtlUninitializeLargeMcb (
IN PLARGE_MCB Mcb
);
NTKERNELAPI
VOID
FsRtlUninitializeMcb (
IN PMCB Mcb
);
NTKERNELAPI
VOID
FsRtlUninitializeOplock (
IN OUT POPLOCK Oplock
);
//
// If using HalDisplayString during boot on Windows 2000 or later you must
// first call InbvEnableDisplayString.
//
NTSYSAPI
VOID
NTAPI
HalDisplayString (
IN PCHAR String
);
NTSYSAPI
VOID
NTAPI
HalQueryRealTimeClock (
IN OUT PTIME_FIELDS TimeFields
);
NTSYSAPI
VOID
NTAPI
HalSetRealTimeClock (
IN PTIME_FIELDS TimeFields
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
InbvAcquireDisplayOwnership (
VOID
);
NTKERNELAPI
BOOLEAN
InbvCheckDisplayOwnership (
VOID
);
NTKERNELAPI
BOOLEAN
InbvDisplayString (
IN PCHAR String
);
NTKERNELAPI
VOID
InbvEnableBootDriver (
IN BOOLEAN Enable
);
NTKERNELAPI
BOOLEAN
InbvEnableDisplayString (
IN BOOLEAN Enable
);
NTKERNELAPI
VOID
InbvInstallDisplayStringFilter (
IN PVOID Unknown
);
NTKERNELAPI
BOOLEAN
InbvIsBootDriverInstalled (
VOID
);
NTKERNELAPI
VOID
InbvNotifyDisplayOwnershipLost (
IN PVOID Callback
);
NTKERNELAPI
BOOLEAN
InbvResetDisplay (
VOID
);
NTKERNELAPI
VOID
InbvSetScrollRegion (
IN ULONG Left,
IN ULONG Top,
IN ULONG Width,
IN ULONG Height
);
NTKERNELAPI
VOID
InbvSetTextColor (
IN ULONG Color
);
NTKERNELAPI
VOID
InbvSolidColorFill (
IN ULONG Left,
IN ULONG Top,
IN ULONG Width,
IN ULONG Height,
IN ULONG Color
);
#endif // (VER_PRODUCTBUILD >= 2195)
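//
// InitializeMessageHeader(m, l, t): fill in the LPC_MESSAGE header of m.
//
// m - pointer to a message whose first member is an LPC_MESSAGE header;
//     evaluated four times.
// l - total message length in bytes including the header; evaluated twice.
//     Must be at least sizeof(LPC_MESSAGE) — DataLength is a USHORT and
//     wraps otherwise.
// t - message type, stored truncated to USHORT.
//
// Wrapped in do { } while (0) so the macro is a single statement (the
// previous brace block broke `if (...) InitializeMessageHeader(...); else`),
// and l is parenthesized so an expression argument is subtracted as a whole
// rather than having sizeof( LPC_MESSAGE ) bind to its last operand.
//
#define InitializeMessageHeader(m, l, t) do { \
    (m)->Length = (USHORT)(l); \
    (m)->DataLength = (USHORT)((l) - sizeof( LPC_MESSAGE )); \
    (m)->MessageType = (USHORT)(t); \
    (m)->DataInfoOffset = 0; \
} while (0)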
NTKERNELAPI
VOID
IoAcquireVpbSpinLock (
OUT PKIRQL Irql
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
IoAttachDeviceToDeviceStackSafe (
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice,
OUT PDEVICE_OBJECT *AttachedToDeviceObject
);
#endif // (VER_PRODUCTBUILD >= 2600)
//
// I/O manager validation helpers.
//
// IoCheckDesiredAccess: DesiredAccess is IN OUT — the requested mask is
// checked against GrantedAccess and may be rewritten (e.g. generic bits
// resolved); the NTSTATUS says whether the request is allowed.
//
// IoCheckEaBufferValidity: validates a caller-supplied extended-attribute
// buffer of EaLength bytes before it is walked. On a malformed buffer the
// returned NTSTATUS is a failure and *ErrorOffset locates the bad entry.
// NOTE(review): always run this on EA buffers that arrive from user mode
// before trusting their NextEntryOffset chains.
//
// IoCheckFunctionAccess: checks that GrantedAccess permits the I/O
// request identified by Major/MinorFunction, IoControlCode and the
// optional file / fs information class.
//
NTKERNELAPI
NTSTATUS
IoCheckDesiredAccess (
IN OUT PACCESS_MASK DesiredAccess,
IN ACCESS_MASK GrantedAccess
);
NTKERNELAPI
NTSTATUS
IoCheckEaBufferValidity (
IN PFILE_FULL_EA_INFORMATION EaBuffer,
IN ULONG EaLength,
OUT PULONG ErrorOffset
);
NTKERNELAPI
NTSTATUS
IoCheckFunctionAccess (
IN ACCESS_MASK GrantedAccess,
IN UCHAR MajorFunction,
IN UCHAR MinorFunction,
IN ULONG IoControlCode,
IN PFILE_INFORMATION_CLASS FileInformationClass OPTIONAL,
IN PFS_INFORMATION_CLASS FsInformationClass OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
IoCheckQuerySetFileInformation (
IN FILE_INFORMATION_CLASS FileInformationClass,
IN ULONG Length,
IN BOOLEAN SetOperation
);
NTKERNELAPI
NTSTATUS
IoCheckQuerySetVolumeInformation (
IN FS_INFORMATION_CLASS FsInformationClass,
IN ULONG Length,
IN BOOLEAN SetOperation
);
NTKERNELAPI
NTSTATUS
IoCheckQuotaBufferValidity (
IN PFILE_QUOTA_INFORMATION QuotaBuffer,
IN ULONG QuotaLength,
OUT PULONG ErrorOffset
);
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
IoCreateFileSpecifyDeviceObjectHint (
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG Disposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength,
IN CREATE_FILE_TYPE CreateFileType,
IN PVOID ExtraCreateParameters OPTIONAL,
IN ULONG Options,
IN PVOID DeviceObject
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
PFILE_OBJECT
IoCreateStreamFileObject (
IN PFILE_OBJECT FileObject OPTIONAL,
IN PDEVICE_OBJECT DeviceObject OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
PFILE_OBJECT
IoCreateStreamFileObjectEx (
IN PFILE_OBJECT FileObject OPTIONAL,
IN PDEVICE_OBJECT DeviceObject OPTIONAL,
OUT PHANDLE FileObjectHandle OPTIONAL
);
#endif // (VER_PRODUCTBUILD >= 2600)
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
PFILE_OBJECT
IoCreateStreamFileObjectLite (
IN PFILE_OBJECT FileObject OPTIONAL,
IN PDEVICE_OBJECT DeviceObject OPTIONAL
);
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
IoEnumerateDeviceObjectList (
IN PDRIVER_OBJECT DriverObject,
IN PDEVICE_OBJECT *DeviceObjectList,
IN ULONG DeviceObjectListSize,
OUT PULONG ActualNumberDeviceObjects
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
IoFastQueryNetworkAttributes (
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ACCESS_MASK DesiredAccess,
IN ULONG OpenOptions,
OUT PIO_STATUS_BLOCK IoStatus,
OUT PFILE_NETWORK_OPEN_INFORMATION Buffer
);
NTKERNELAPI
PDEVICE_OBJECT
IoGetAttachedDevice (
IN PDEVICE_OBJECT DeviceObject
);
NTKERNELAPI
PDEVICE_OBJECT
IoGetBaseFileSystemDeviceObject (
IN PFILE_OBJECT FileObject
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
PDEVICE_OBJECT
IoGetDeviceAttachmentBaseRef (
IN PDEVICE_OBJECT DeviceObject
);
NTKERNELAPI
NTSTATUS
IoGetDiskDeviceObject (
IN PDEVICE_OBJECT FileSystemDeviceObject,
OUT PDEVICE_OBJECT *DiskDeviceObject
);
NTKERNELAPI
PDEVICE_OBJECT
IoGetLowerDeviceObject (
IN PDEVICE_OBJECT DeviceObject
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
PEPROCESS
IoGetRequestorProcess (
IN PIRP Irp
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
ULONG
IoGetRequestorProcessId (
IN PIRP Irp
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
PIRP
IoGetTopLevelIrp (
VOID
);
//
// IoIsFileOpenedExclusively(FileObject): TRUE when none of the SharedRead /
// SharedWrite / SharedDelete flags is set on the file object, i.e. the open
// granted no share access at all. The result is cast to BOOLEAN; FileObject
// is evaluated up to three times.
//
#define IoIsFileOpenedExclusively(FileObject) ( \
(BOOLEAN) !( \
(FileObject)->SharedRead || \
(FileObject)->SharedWrite || \
(FileObject)->SharedDelete \
) \
)
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
IoIsFileOriginRemote (
IN PFILE_OBJECT FileObject
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
IoIsOperationSynchronous (
IN PIRP Irp
);
NTKERNELAPI
BOOLEAN
IoIsSystemThread (
IN PETHREAD Thread
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
IoIsValidNameGraftingBuffer (
IN PIRP Irp,
IN PREPARSE_DATA_BUFFER ReparseBuffer
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
IoPageRead (
IN PFILE_OBJECT FileObject,
IN PMDL Mdl,
IN PLARGE_INTEGER Offset,
IN PKEVENT Event,
OUT PIO_STATUS_BLOCK IoStatusBlock
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
IoQueryFileDosDeviceName (
IN PFILE_OBJECT FileObject,
OUT POBJECT_NAME_INFORMATION *ObjectNameInformation
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
IoQueryFileInformation (
IN PFILE_OBJECT FileObject,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN ULONG Length,
OUT PVOID FileInformation,
OUT PULONG ReturnedLength
);
NTKERNELAPI
NTSTATUS
IoQueryVolumeInformation (
IN PFILE_OBJECT FileObject,
IN FS_INFORMATION_CLASS FsInformationClass,
IN ULONG Length,
OUT PVOID FsInformation,
OUT PULONG ReturnedLength
);
#if (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
VOID
IoQueueThreadIrp (
IN PIRP Irp
);
#endif // (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
VOID
IoRegisterFileSystem (
IN OUT PDEVICE_OBJECT DeviceObject
);
#if (VER_PRODUCTBUILD >= 1381)
//
// PDRIVER_FS_NOTIFICATION (builds >= 1381): routine registered with
// IoRegisterFsRegistrationChange and removed with
// IoUnregisterFsRegistrationChange (both below). It is called with the file
// system's device object and DriverActive TRUE when a file system
// registers, FALSE when it unregisters.
//
typedef VOID (*PDRIVER_FS_NOTIFICATION) (
IN PDEVICE_OBJECT DeviceObject,
IN BOOLEAN DriverActive
);
NTKERNELAPI
NTSTATUS
IoRegisterFsRegistrationChange (
IN PDRIVER_OBJECT DriverObject,
IN PDRIVER_FS_NOTIFICATION DriverNotificationRoutine
);
#endif // (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
VOID
IoReleaseVpbSpinLock (
IN KIRQL Irql
);
NTKERNELAPI
VOID
IoSetDeviceToVerify (
IN PETHREAD Thread,
IN PDEVICE_OBJECT DeviceObject
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
IoSetFileOrigin (
IN PFILE_OBJECT FileObject,
IN BOOLEAN Remote
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
IoSetInformation (
IN PFILE_OBJECT FileObject,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN ULONG Length,
IN PVOID FileInformation
);
NTKERNELAPI
VOID
IoSetTopLevelIrp (
IN PIRP Irp
);
NTKERNELAPI
NTSTATUS
IoSynchronousPageWrite (
IN PFILE_OBJECT FileObject,
IN PMDL Mdl,
IN PLARGE_INTEGER FileOffset,
IN PKEVENT Event,
OUT PIO_STATUS_BLOCK IoStatusBlock
);
NTKERNELAPI
PEPROCESS
IoThreadToProcess (
IN PETHREAD Thread
);
NTKERNELAPI
VOID
IoUnregisterFileSystem (
IN OUT PDEVICE_OBJECT DeviceObject
);
#if (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
NTSTATUS
IoUnregisterFsRegistrationChange (
IN PDRIVER_OBJECT DriverObject,
IN PDRIVER_FS_NOTIFICATION DriverNotificationRoutine
);
#endif // (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
NTSTATUS
IoVerifyVolume (
IN PDEVICE_OBJECT DeviceObject,
IN BOOLEAN AllowRawMount
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
KIRQL
FASTCALL
KeAcquireQueuedSpinLock (
IN KSPIN_LOCK_QUEUE_NUMBER Number
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Attach the current thread to Process's address space; KeDetachProcess
// undoes it. These take no state argument, so they cannot nest — the
// KeStackAttachProcess/KeUnstackDetachProcess pair further down carries an
// explicit KAPC_STATE for that (assumed from the parameter lists; confirm).
//
NTKERNELAPI
VOID
KeAttachProcess (
IN PEPROCESS Process
);
NTKERNELAPI
VOID
KeDetachProcess (
VOID
);
NTKERNELAPI
VOID
KeInitializeApc (
PKAPC Apc,
PKTHREAD Thread,
UCHAR StateIndex,
PKKERNEL_ROUTINE KernelRoutine,
PKRUNDOWN_ROUTINE RundownRoutine,
PKNORMAL_ROUTINE NormalRoutine,
KPROCESSOR_MODE ApcMode,
PVOID NormalContext
);
NTKERNELAPI
VOID
KeInitializeMutant (
IN PRKMUTANT Mutant,
IN BOOLEAN InitialOwner
);
NTKERNELAPI
VOID
KeInitializeQueue (
IN PRKQUEUE Queue,
IN ULONG Count OPTIONAL
);
NTKERNELAPI
LONG
KeInsertHeadQueue (
IN PRKQUEUE Queue,
IN PLIST_ENTRY Entry
);
NTKERNELAPI
LONG
KeInsertQueue (
IN PRKQUEUE Queue,
IN PLIST_ENTRY Entry
);
NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
IN PKAPC Apc,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2,
IN KPRIORITY Increment
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
KeIsAttachedProcess (
VOID
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
KeIsExecutingDpc (
VOID
);
NTKERNELAPI
LONG
KeReadStateMutant (
IN PRKMUTANT Mutant
);
NTKERNELAPI
LONG
KeReadStateQueue (
IN PRKQUEUE Queue
);
NTKERNELAPI
LONG
KeReleaseMutant (
IN PRKMUTANT Mutant,
IN KPRIORITY Increment,
IN BOOLEAN Abandoned,
IN BOOLEAN Wait
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
FASTCALL
KeReleaseQueuedSpinLock (
IN KSPIN_LOCK_QUEUE_NUMBER Number,
IN KIRQL OldIrql
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
PLIST_ENTRY
KeRemoveQueue (
IN PRKQUEUE Queue,
IN KPROCESSOR_MODE WaitMode,
IN PLARGE_INTEGER Timeout OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
KeRevertToUserAffinityThread (
VOID
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
PLIST_ENTRY
KeRundownQueue (
IN PRKQUEUE Queue
);
#if (VER_PRODUCTBUILD >= 1381)
NTKERNELAPI
CCHAR
KeSetIdealProcessorThread (
IN PKTHREAD Thread,
IN CCHAR Processor
);
NTKERNELAPI
BOOLEAN
KeSetKernelStackSwapEnable (
IN BOOLEAN Enable
);
#endif // (VER_PRODUCTBUILD >= 1381)
#if (VER_PRODUCTBUILD >= 2195)
//
// Nestable attach (build 2195+): the prior state goes OUT into ApcState
// and must be handed back to KeUnstackDetachProcess on every exit path,
// including error paths, or the thread stays attached to the wrong process.
//
NTKERNELAPI
VOID
KeStackAttachProcess (
IN PKPROCESS Process,
OUT PKAPC_STATE ApcState
);
//
// Non-blocking form of KeAcquireQueuedSpinLock above; OldIrql is only
// meaningful when the call reports success (assumed — confirm).
//
NTKERNELAPI
LOGICAL
FASTCALL
KeTryToAcquireQueuedSpinLock (
IN KSPIN_LOCK_QUEUE_NUMBER Number,
IN PKIRQL OldIrql
);
NTKERNELAPI
VOID
KeUnstackDetachProcess (
IN PKAPC_STATE ApcState
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
KeUpdateSystemTime (
VOID
);
NTKERNELAPI
BOOLEAN
MmCanFileBeTruncated (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN PLARGE_INTEGER NewFileSize
);
NTKERNELAPI
NTSTATUS
MmCreateSection (
OUT PVOID *SectionObject,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle OPTIONAL,
IN PFILE_OBJECT FileObject OPTIONAL
);
NTKERNELAPI
BOOLEAN
MmFlushImageSection (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN MMFLUSH_TYPE FlushType
);
NTKERNELAPI
BOOLEAN
MmForceSectionClosed (
IN PSECTION_OBJECT_POINTERS SectionObjectPointer,
IN BOOLEAN DelayClose
);
#if (VER_PRODUCTBUILD >= 1381)
//
// Build 1381 and later export this as a function; earlier builds get the
// macro in the #else branch.
//
NTKERNELAPI
BOOLEAN
MmIsRecursiveIoFault (
VOID
);
#else
//
// Pre-1381 form: bitwise OR of two fields of the current thread. It calls
// PsGetCurrentThread() twice and depends on that build's ETHREAD layout;
// the two field names are not declared in this part of the header.
//
#define MmIsRecursiveIoFault() ( \
(PsGetCurrentThread()->DisablePageFaultClustering) | \
(PsGetCurrentThread()->ForwardClusterOnly) \
)
#endif
//
// Maps a view of SectionObject into Process at *BaseAddress (IN OUT: NULL
// lets the callee choose, and the chosen address is written back — assumed
// from the annotation). Protect is the page protection of the view.
// NOTE(review): CommitSize and *ViewSize are ULONG here, whereas the Zw
// memory routines below use PSIZE_T; verify this prototype against the
// SDK before using it in a 64-bit build.
//
NTKERNELAPI
NTSTATUS
MmMapViewOfSection (
IN PVOID SectionObject,
IN PEPROCESS Process,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PULONG ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Protect
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
MmPrefetchPages (
IN ULONG NumberOfLists,
IN PREAD_LIST *ReadLists
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
MmSetAddressRangeModified (
IN PVOID Address,
IN SIZE_T Length
);
NTKERNELAPI
NTSTATUS
ObCreateObject (
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
IN ULONG ObjectSize,
IN ULONG PagedPoolCharge OPTIONAL,
IN ULONG NonPagedPoolCharge OPTIONAL,
OUT PVOID *Object
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
ObDereferenceSecurityDescriptor (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG Count
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
ULONG
ObGetObjectPointerCount (
IN PVOID Object
);
NTKERNELAPI
NTSTATUS
ObInsertObject (
IN PVOID Object,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN ULONG AdditionalReferences,
OUT PVOID *ReferencedObject OPTIONAL,
OUT PHANDLE Handle
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
ObLogSecurityDescriptor (
IN PSECURITY_DESCRIPTOR InputSecurityDescriptor,
OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor,
IN ULONG RefBias
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
ObMakeTemporaryObject (
IN PVOID Object
);
//
// Creates a handle to an object the caller already holds a pointer to.
// When PassedAccessState is NULL the open is checked against DesiredAccess
// in AccessMode (assumed); a KernelMode AccessMode therefore skips
// enforcement, so pass the requestor's mode (see
// PsGetCurrentThreadPreviousMode below) for user-originated requests.
// ObjectType, when supplied, presumably rejects objects of another type.
//
NTKERNELAPI
NTSTATUS
ObOpenObjectByPointer (
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);
//
// Writes the object's name into a Length-byte OBJECT_NAME_INFORMATION
// buffer; ReturnLength reports the size required. Check the status before
// reading ObjectNameInfo.
//
NTKERNELAPI
NTSTATUS
ObQueryNameString (
IN PVOID Object,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
IN ULONG Length,
OUT PULONG ReturnLength
);
//
// Reports whether closing Handle should generate an audit (GenerateOnClose).
//
NTKERNELAPI
NTSTATUS
ObQueryObjectAuditingByHandle (
IN HANDLE Handle,
OUT PBOOLEAN GenerateOnClose
);
//
// Looks ObjectName up in the object namespace and returns it in *Object.
// By the Ob naming convention the pointer is referenced and must be released
// with ObDereferenceObject (assumed — see the PsLookupProcessByProcessId
// note below). AccessMode drives the access check as for
// ObOpenObjectByPointer; ObjectType is required here.
//
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName (
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
ObReferenceSecurityDescriptor (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG Count
);
NTKERNELAPI
NTSTATUS
PoQueueShutdownWorkItem (
IN PWORK_QUEUE_ITEM WorkItem
);
#endif // (VER_PRODUCTBUILD >= 2600)
//
// Assigns an impersonation token to Thread. Note that Token is a HANDLE
// here, unlike PsImpersonateClient below which takes a PACCESS_TOKEN
// object pointer. The declaration does not say in which mode the handle is
// looked up; NOTE(review): confirm before passing a handle that came from
// user mode.
//
NTKERNELAPI
NTSTATUS
PsAssignImpersonationToken (
IN PETHREAD Thread,
IN HANDLE Token
);
NTKERNELAPI
VOID
PsChargePoolQuota (
IN PEPROCESS Process,
IN POOL_TYPE PoolType,
IN ULONG Amount
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
NTSTATUS
PsChargeProcessNonPagedPoolQuota (
IN PEPROCESS Process,
IN ULONG_PTR Amount
);
NTKERNELAPI
NTSTATUS
PsChargeProcessPagedPoolQuota (
IN PEPROCESS Process,
IN ULONG_PTR Amount
);
NTKERNELAPI
NTSTATUS
PsChargeProcessPoolQuota (
IN PEPROCESS Process,
IN POOL_TYPE PoolType,
IN ULONG_PTR Amount
);
#endif // (VER_PRODUCTBUILD >= 2600)
#if (VER_PRODUCTBUILD >= 2600)
//
// Build 2600 and later export the two token release routines; earlier
// builds use the macros in the #else branch. Both release the reference
// obtained from PsReferenceImpersonationToken / PsReferencePrimaryToken
// below (the macro forms show this directly via ObDereferenceObject; the
// exported functions are assumed to do the same).
//
NTKERNELAPI
VOID
PsDereferenceImpersonationToken (
IN PACCESS_TOKEN ImpersonationToken
);
NTKERNELAPI
VOID
PsDereferencePrimaryToken (
IN PACCESS_TOKEN PrimaryToken
);
#else
//
// Macro forms. PsDereferenceImpersonationToken(T) tolerates a NULL T via
// ARGUMENT_PRESENT; PsDereferencePrimaryToken(T) does not and hands T
// straight to ObDereferenceObject. Neither clears the caller's pointer.
// The first is a bare `{...}` block rather than `do {...} while (0)`, so
// `if (x) PsDereferenceImpersonationToken(t); else ...` does not compile.
//
#define PsDereferenceImpersonationToken(T) \
{if (ARGUMENT_PRESENT(T)) { \
(ObDereferenceObject((T))); \
} else { \
; \
} \
}
#define PsDereferencePrimaryToken(T) (ObDereferenceObject((T)))
#endif
#if (VER_PRODUCTBUILD >= 2195)
//
// Temporarily stops impersonation on Thread. ImpersonationState is a
// pointer annotated IN, but PsRestoreImpersonation (below) takes the same
// PSE_IMPERSONATION_STATE back, so the callee presumably fills it in —
// NOTE(review): confirm. The BOOLEAN result's meaning is not stated here;
// do not assume the thread was impersonating just because the call was made.
//
NTKERNELAPI
BOOLEAN
PsDisableImpersonation (
IN PETHREAD Thread,
IN PSE_IMPERSONATION_STATE ImpersonationState
);
#endif // (VER_PRODUCTBUILD >= 2195)
#if (VER_PRODUCTBUILD >= 2600)
//
// Per-thread/process getters (build 2600+). PsGetCurrentThreadPreviousMode
// is the mode of the caller that entered the kernel — the value to pass as
// AccessMode to the Ob/Se routines when acting on behalf of the original
// requester, instead of a hard-coded KernelMode. The stack base/limit
// getters describe the current thread's kernel stack (assumed from the
// names).
//
NTKERNELAPI
ULONG
PsGetCurrentProcessSessionId (
VOID
);
NTKERNELAPI
KPROCESSOR_MODE
PsGetCurrentThreadPreviousMode (
VOID
);
NTKERNELAPI
PVOID
PsGetCurrentThreadStackBase (
VOID
);
NTKERNELAPI
PVOID
PsGetCurrentThreadStackLimit (
VOID
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
LARGE_INTEGER
PsGetProcessExitTime (
VOID
);
//
// By name, makes Thread impersonate Token at ImpersonationLevel.
// CopyOnOpen/EffectiveOnly mirror the values PsReferenceImpersonationToken
// (below) reports for an existing impersonation. Nothing here says whether
// a NULL Token is accepted (NOTE(review): confirm). Revert with
// PsRevertToSelf below.
//
NTKERNELAPI
NTSTATUS
PsImpersonateClient (
IN PETHREAD Thread,
IN PACCESS_TOKEN Token,
IN BOOLEAN CopyOnOpen,
IN BOOLEAN EffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
);
#if (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
PsIsSystemThread (
IN PETHREAD Thread
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
BOOLEAN
PsIsThreadTerminating (
IN PETHREAD Thread
);
//
// PsLookupProcessByProcessId returns a referenced pointer to the process in
// *Process; the caller must release it with ObDereferenceObject when done.
// ProcessId is an untyped PVOID, so nothing validates a caller-supplied id
// at the type level; check the returned NTSTATUS before using *Process.
//
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
IN PVOID ProcessId,
OUT PEPROCESS *Process
);
//
// Lookups by CLIENT_ID and by thread id. Both return the thread (and, for
// PsLookupProcessThreadByCid, optionally the process) through OUT pointers;
// presumably these are referenced like PsLookupProcessByProcessId above and
// must be released with ObDereferenceObject — confirm per routine.
//
NTKERNELAPI
NTSTATUS
PsLookupProcessThreadByCid (
IN PCLIENT_ID Cid,
OUT PEPROCESS *Process OPTIONAL,
OUT PETHREAD *Thread
);
NTKERNELAPI
NTSTATUS
PsLookupThreadByThreadId (
IN PVOID UniqueThreadId,
OUT PETHREAD *Thread
);
//
// Token accessors. By name both return a referenced token; release it with
// PsDereferenceImpersonationToken / PsDereferencePrimaryToken above.
// PsReferenceImpersonationToken also reports the token's
// CopyOnOpen/EffectiveOnly/ImpersonationLevel through OUT parameters; the
// declaration does not say what is returned when the thread is not
// impersonating, so check the result for NULL before use.
//
NTKERNELAPI
PACCESS_TOKEN
PsReferenceImpersonationToken (
IN PETHREAD Thread,
OUT PBOOLEAN CopyOnOpen,
OUT PBOOLEAN EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
);
NTKERNELAPI
PACCESS_TOKEN
PsReferencePrimaryToken (
IN PEPROCESS Process
);
#if (VER_PRODUCTBUILD >= 2195)
//
// Restores the state captured by PsDisableImpersonation (same
// PSE_IMPERSONATION_STATE pointer).
//
NTKERNELAPI
VOID
PsRestoreImpersonation (
IN PETHREAD Thread,
IN PSE_IMPERSONATION_STATE ImpersonationState
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Returns a quota charge taken with PsChargePoolQuota above (same
// Process/PoolType/Amount triple).
//
NTKERNELAPI
VOID
PsReturnPoolQuota (
IN PEPROCESS Process,
IN POOL_TYPE PoolType,
IN ULONG Amount
);
#if (VER_PRODUCTBUILD >= 1381)
//
// By name, ends impersonation for the calling thread (it takes no thread
// parameter); counterpart of PsImpersonateClient above.
//
NTKERNELAPI
VOID
PsRevertToSelf (
VOID
);
#endif // (VER_PRODUCTBUILD >= 1381)
//
// Converts an absolute security descriptor into the self-relative layout at
// SelfRelativeSecurityDescriptor. BufferLength is a pointer annotated IN;
// NOTE(review): check whether the callee also writes the required size back
// through it on a too-small buffer, and size the destination accordingly.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlAbsoluteToSelfRelativeSD (
IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
IN PULONG BufferLength
);
//
// Allocates Size bytes from the heap behind HeapHandle; free with
// RtlFreeHeap (below) using the same handle. NOTE(review): Size is ULONG in
// this prototype; verify against the SDK's SIZE_T-based signature before
// relying on it in a 64-bit build.
//
NTSYSAPI
PVOID
NTAPI
RtlAllocateHeap (
IN HANDLE HeapHandle,
IN ULONG Flags,
IN ULONG Size
);
NTSYSAPI
NTSTATUS
NTAPI
RtlCompressBuffer (
IN USHORT CompressionFormatAndEngine,
IN PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
OUT PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
IN ULONG UncompressedChunkSize,
OUT PULONG FinalCompressedSize,
IN PVOID WorkSpace
);
NTSYSAPI
NTSTATUS
NTAPI
RtlCompressChunks (
IN PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
OUT PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
IN OUT PCOMPRESSED_DATA_INFO CompressedDataInfo,
IN ULONG CompressedDataInfoLength,
IN PVOID WorkSpace
);
//
// RtlConvertSidToUnicodeString: with AllocateDestinationString TRUE the
// callee allocates DestinationString's buffer (assumed — confirm which
// routine frees it); otherwise the caller supplies one.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlConvertSidToUnicodeString (
OUT PUNICODE_STRING DestinationString,
IN PSID Sid,
IN BOOLEAN AllocateDestinationString
);
//
// RtlCopySid: Length is presumably the size of the Destination buffer.
// Compare it with RtlLengthSid(Source) (below) before copying, and run
// RtlValidSid first on a SID that came from user mode or from disk.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlCopySid (
IN ULONG Length,
IN PSID Destination,
IN PSID Source
);
NTSYSAPI
HANDLE
NTAPI
RtlCreateHeap (
IN ULONG Flags,
IN PVOID Base,
IN ULONG Reserve,
IN ULONG Commit,
IN ULONG Lock,
IN PVOID RtlHeapParams
);
NTSYSAPI
NTSTATUS
NTAPI
RtlDecompressBuffer (
IN USHORT CompressionFormat,
OUT PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
IN PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
OUT PULONG FinalUncompressedSize
);
NTSYSAPI
NTSTATUS
NTAPI
RtlDecompressChunks (
OUT PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
IN PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
IN PUCHAR CompressedTail,
IN ULONG CompressedTailSize,
IN PCOMPRESSED_DATA_INFO CompressedDataInfo
);
NTSYSAPI
NTSTATUS
NTAPI
RtlDecompressFragment (
IN USHORT CompressionFormat,
OUT PUCHAR UncompressedFragment,
IN ULONG UncompressedFragmentSize,
IN PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
IN ULONG FragmentOffset,
OUT PULONG FinalUncompressedSize,
IN PVOID WorkSpace
);
NTSYSAPI
NTSTATUS
NTAPI
RtlDescribeChunk (
IN USHORT CompressionFormat,
IN OUT PUCHAR *CompressedBuffer,
IN PUCHAR EndOfCompressedBufferPlus1,
OUT PUCHAR *ChunkBuffer,
OUT PULONG ChunkSize
);
NTSYSAPI
NTSTATUS
NTAPI
RtlDestroyHeap (
IN HANDLE HeapHandle
);
NTSYSAPI
BOOLEAN
NTAPI
RtlEqualSid (
IN PSID Sid1,
IN PSID Sid2
);
NTSYSAPI
VOID
NTAPI
RtlFillMemoryUlong (
IN PVOID Destination,
IN ULONG Length,
IN ULONG Fill
);
NTSYSAPI
BOOLEAN
NTAPI
RtlFreeHeap (
IN HANDLE HeapHandle,
IN ULONG Flags,
IN PVOID P
);
NTSYSAPI
VOID
NTAPI
RtlGenerate8dot3Name (
IN PUNICODE_STRING Name,
IN BOOLEAN AllowExtendedCharacters,
IN OUT PGENERATE_NAME_CONTEXT Context,
OUT PUNICODE_STRING Name8dot3
);
NTSYSAPI
NTSTATUS
NTAPI
RtlGetCompressionWorkSpaceSize (
IN USHORT CompressionFormatAndEngine,
OUT PULONG CompressBufferWorkSpaceSize,
OUT PULONG CompressFragmentWorkSpaceSize
);
//
// Security-descriptor readers. The Dacl/Group/Owner results are assumed to
// point into the descriptor itself (not copies), so they stay valid only as
// long as SecurityDescriptor does. Check DaclPresent before dereferencing
// *Dacl; DaclPresent FALSE and a present-but-NULL *Dacl are distinct cases
// (NOTE(review): Windows access checks treat them differently — confirm).
//
NTSYSAPI
NTSTATUS
NTAPI
RtlGetDaclSecurityDescriptor (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
OUT PBOOLEAN DaclPresent,
OUT PACL *Dacl,
OUT PBOOLEAN DaclDefaulted
);
NTSYSAPI
NTSTATUS
NTAPI
RtlGetGroupSecurityDescriptor (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
OUT PSID *Group,
OUT PBOOLEAN GroupDefaulted
);
#if (VER_PRODUCTBUILD >= 2195)
//
// Returns the NtGlobalFlag value (build 2195+); the bit meanings are not
// defined in this part of the header.
//
NTSYSAPI
ULONG
NTAPI
RtlGetNtGlobalFlags (
VOID
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
RtlGetOwnerSecurityDescriptor (
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
OUT PSID *Owner,
OUT PBOOLEAN OwnerDefaulted
);
//
// RtlImageNtHeader returns a PIMAGE_NT_HEADERS (typed here as PVOID);
// see the standard include file winnt.h. BaseAddress is assumed to be a
// mapped image. The declaration carries no size, so the callee cannot bound
// its header parse by a caller-supplied length — do not call it on an
// unmapped or untrusted buffer.
//
NTSYSAPI
PVOID
NTAPI
RtlImageNtHeader (
IN PVOID BaseAddress
);
//
// Initializes a SID the caller has already allocated; size the allocation
// with RtlLengthRequiredSid(SubAuthorityCount) below and then fill the
// sub-authorities via RtlSubAuthoritySid.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlInitializeSid (
IN OUT PSID Sid,
IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
IN UCHAR SubAuthorityCount
);
//
// The third parameter's purpose is not recorded here (named Unknown, no
// IN/OUT annotation); pass a valid PBOOLEAN and do not rely on its value.
//
NTSYSAPI
BOOLEAN
NTAPI
RtlIsNameLegalDOS8Dot3 (
IN PUNICODE_STRING UnicodeName,
IN PANSI_STRING AnsiName,
PBOOLEAN Unknown
);
NTSYSAPI
ULONG
NTAPI
RtlLengthRequiredSid (
IN UCHAR SubAuthorityCount
);
//
// RtlLengthSid presumably derives the length from the SID's own
// sub-authority count, so validate a SID of external origin with RtlValidSid
// (below) before trusting the result for a copy or allocation.
//
NTSYSAPI
ULONG
NTAPI
RtlLengthSid (
IN PSID Sid
);
NTSYSAPI
ULONG
NTAPI
RtlNtStatusToDosError (
IN NTSTATUS Status
);
//
// Byte count of the UNICODE_STRING buffer needed for STRING (an OEM_STRING),
// without the terminating UNICODE_NULL. Built on RtlOemStringToUnicodeSize
// below; macros expand at the use site, so the definition order is fine.
//
#define RtlOemStringToCountedUnicodeSize(STRING) ( \
(ULONG)(RtlOemStringToUnicodeSize(STRING) - sizeof(UNICODE_NULL)) \
)
//
// Same, including the terminator. With a multi-byte OEM code page
// (NLS_MB_OEM_CODE_PAGE_TAG) it defers to RtlxOemStringToUnicodeSize;
// otherwise it is (Length + sizeof(ANSI_NULL)) scaled by sizeof(WCHAR).
// STRING is substituted into both branches but only one is evaluated.
//
#define RtlOemStringToUnicodeSize(STRING) ( \
NLS_MB_OEM_CODE_PAGE_TAG ? \
RtlxOemStringToUnicodeSize(STRING) : \
((STRING)->Length + sizeof(ANSI_NULL)) * sizeof(WCHAR) \
)
NTSYSAPI
NTSTATUS
NTAPI
RtlOemStringToUnicodeString (
OUT PUNICODE_STRING DestinationString,
IN POEM_STRING SourceString,
IN BOOLEAN AllocateDestinationString
);
//
// Seeded generators: Seed is read and updated in place through the pointer,
// so the same starting seed presumably yields the same sequence (inferred
// from the interface — confirm). They are not a substitute for a
// cryptographic RNG when generating keys, tokens or nonces.
//
NTSYSAPI
ULONG
NTAPI
RtlRandom (
IN PULONG Seed
);
#if (VER_PRODUCTBUILD >= 2600)
NTSYSAPI
ULONG
NTAPI
RtlRandomEx (
IN PULONG Seed
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTSYSAPI
NTSTATUS
NTAPI
RtlReserveChunk (
IN USHORT CompressionFormat,
IN OUT PUCHAR *CompressedBuffer,
IN PUCHAR EndOfCompressedBufferPlus1,
OUT PUCHAR *ChunkBuffer,
IN ULONG ChunkSize
);
NTSYSAPI
VOID
NTAPI
RtlSecondsSince1970ToTime (
IN ULONG SecondsSince1970,
OUT PLARGE_INTEGER Time
);
NTSYSAPI
VOID
NTAPI
RtlSecondsSince1980ToTime (
IN ULONG SecondsSince1980,
OUT PLARGE_INTEGER Time
);
#if (VER_PRODUCTBUILD >= 2195)
//
// Inverse of RtlAbsoluteToSelfRelativeSD above: unpacks SelfRelativeSD into
// the caller-supplied AbsoluteSD, Dacl, Sacl, Owner and PrimaryGroup
// buffers. Every *Size parameter is a pointer annotated IN; NOTE(review):
// check whether the callee reports the required sizes through them when a
// buffer is too small. Validate a self-relative SD that came from user mode
// before unpacking it.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlSelfRelativeToAbsoluteSD (
IN PSECURITY_DESCRIPTOR SelfRelativeSD,
OUT PSECURITY_DESCRIPTOR AbsoluteSD,
IN PULONG AbsoluteSDSize,
IN PACL Dacl,
IN PULONG DaclSize,
IN PACL Sacl,
IN PULONG SaclSize,
IN PSID Owner,
IN PULONG OwnerSize,
IN PSID PrimaryGroup,
IN PULONG PrimaryGroupSize
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Security-descriptor writers. The SD is IN OUT while the SID/ACL is IN, so
// the objects are assumed to be stored by pointer (absolute SD); they must
// then outlive the descriptor until it is converted to self-relative form.
// SaclPresent lets the caller record "no SACL" explicitly.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlSetGroupSecurityDescriptor (
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID Group,
IN BOOLEAN GroupDefaulted
);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetOwnerSecurityDescriptor (
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID Owner,
IN BOOLEAN OwnerDefaulted
);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetSaclSecurityDescriptor (
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN BOOLEAN SaclPresent,
IN PACL Sacl,
IN BOOLEAN SaclDefaulted
);
//
// Raw SID field accessors; both presumably return pointers into the SID
// itself. Nothing in RtlSubAuthoritySid's declaration bounds SubAuthority,
// so compare it with *RtlSubAuthorityCountSid(Sid) first, and run
// RtlValidSid (below) on a SID of external origin before either call.
//
NTSYSAPI
PUCHAR
NTAPI
RtlSubAuthorityCountSid (
IN PSID Sid
);
NTSYSAPI
PULONG
NTAPI
RtlSubAuthoritySid (
IN PSID Sid,
IN ULONG SubAuthority
);
//
// Conversions to 32-bit second counts. They return BOOLEAN rather than
// NTSTATUS; check it, since a Time outside the representable range
// presumably makes them fail (inferred from the return type — confirm).
//
NTSYSAPI
BOOLEAN
NTAPI
RtlTimeToSecondsSince1970 (
IN PLARGE_INTEGER Time,
OUT PULONG SecondsSince1970
);
NTSYSAPI
BOOLEAN
NTAPI
RtlTimeToSecondsSince1980 (
IN PLARGE_INTEGER Time,
OUT PULONG SecondsSince1980
);
//
// Byte count of the OEM_STRING buffer needed for STRING (a UNICODE_STRING),
// including the terminator. Multi-byte OEM code pages defer to
// RtlxUnicodeStringToOemSize; otherwise it is
// (Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR). Only one branch
// evaluates STRING. Reverse direction: RtlOemStringToUnicodeSize above.
//
#define RtlUnicodeStringToOemSize(STRING) ( \
NLS_MB_OEM_CODE_PAGE_TAG ? \
RtlxUnicodeStringToOemSize(STRING) : \
((STRING)->Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR) \
)
//
// As with RtlOemStringToUnicodeString above, AllocateDestinationString TRUE
// makes the callee allocate the buffer. Conversion can fail for characters
// the OEM code page cannot represent (assumed); check the NTSTATUS rather
// than the output length.
//
NTSYSAPI
NTSTATUS
NTAPI
RtlUnicodeStringToOemString (
OUT POEM_STRING DestinationString,
IN PUNICODE_STRING SourceString,
IN BOOLEAN AllocateDestinationString
);
//
// Structural check of a SID (assumed: revision and sub-authority count);
// it says nothing about what the SID refers to. Use it before the Rtl*Sid
// accessors on SIDs that came from user mode or from disk.
//
NTSYSAPI
BOOLEAN
NTAPI
RtlValidSid (
IN PSID Sid
);
NTSYSAPI
ULONG
NTAPI
RtlxOemStringToUnicodeSize (
IN POEM_STRING OemString
);
NTSYSAPI
ULONG
NTAPI
RtlxUnicodeStringToAnsiSize (
IN PCUNICODE_STRING UnicodeString
);
NTSYSAPI
ULONG
NTAPI
RtlxUnicodeStringToOemSize (
IN PUNICODE_STRING UnicodeString
);
//
// Adds Privileges to the ACCESS_STATE (presumably the set recorded for
// auditing of this open). Neither parameter carries an IN/OUT annotation in
// this declaration.
//
NTKERNELAPI
NTSTATUS
SeAppendPrivileges (
PACCESS_STATE AccessState,
PPRIVILEGE_SET Privileges
);
#if (VER_PRODUCTBUILD >= 2195)
//
// By name, emits the hard-link creation audit for FileName -> LinkName with
// the given outcome. Decide whether to call it with SeAuditingHardLinkEvents
// below (same AccessGranted/SecurityDescriptor inputs).
//
NTKERNELAPI
VOID
SeAuditHardLinkCreation (
IN PUNICODE_STRING FileName,
IN PUNICODE_STRING LinkName,
IN BOOLEAN Success
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Predicates telling whether an audit should be generated for the given
// outcome and descriptor; the "OrGlobal" variant also takes the subject's
// context. They only answer the question — the audit itself is raised with
// the Se*AuditAlarm routines further down.
//
NTKERNELAPI
BOOLEAN
SeAuditingFileEvents (
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTKERNELAPI
BOOLEAN
SeAuditingFileOrGlobalEvents (
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
BOOLEAN
SeAuditingHardLinkEvents (
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Subject-context and access-state lifecycle. SeCaptureSubjectContext
// snapshots the caller's security context into SubjectContext; release it
// with SeReleaseSubjectContext (below) and bracket reads of its token fields
// with SeLockSubjectContext/SeUnlockSubjectContext.
//
NTKERNELAPI
VOID
SeCaptureSubjectContext (
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);
//
// SeCreateAccessState pairs with SeDeleteAccessState below. AuxData is
// caller-supplied storage whose type and size are not stated here
// (NOTE(review): confirm the expected type before allocating it).
//
NTKERNELAPI
NTSTATUS
SeCreateAccessState (
OUT PACCESS_STATE AccessState,
IN PVOID AuxData,
IN ACCESS_MASK AccessMask,
IN PGENERIC_MAPPING Mapping
);
//
// Builds a client security context for later impersonation
// (SeImpersonateClient below) from a thread, or — build 2195+ — from a
// captured subject context. Release the result with SeDeleteClientSecurity.
//
NTKERNELAPI
NTSTATUS
SeCreateClientSecurity (
IN PETHREAD Thread,
IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
IN BOOLEAN RemoteClient,
OUT PSECURITY_CLIENT_CONTEXT ClientContext
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
SeCreateClientSecurityFromSubjectContext (
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN PSECURITY_QUALITY_OF_SERVICE QualityOfService,
IN BOOLEAN ServerIsRemote,
OUT PSECURITY_CLIENT_CONTEXT ClientContext
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
VOID
SeDeleteAccessState (
IN PACCESS_STATE AccessState
);
//
// Releases the token held in a SECURITY_CLIENT_CONTEXT, picking the primary
// or impersonation release path by SeTokenType (declared below). It does not
// clear (C)->ClientToken, so the field holds a stale pointer afterwards; and
// as a bare `{...}` block it cannot be the body of an if/else without braces.
//
#define SeDeleteClientSecurity(C) { \
if (SeTokenType((C)->ClientToken) == TokenPrimary) { \
PsDereferencePrimaryToken( (C)->ClientToken ); \
} else { \
PsDereferenceImpersonationToken( (C)->ClientToken ); \
} \
}
//
// Raises the audit for an object's deletion; Handle is presumably the handle
// for which GenerateOnClose was reported by SeOpenObjectAuditAlarm below
// (inferred from the naming — confirm).
//
NTKERNELAPI
VOID
SeDeleteObjectAuditAlarm (
IN PVOID Object,
IN HANDLE Handle
);
//
// Replaces the SeExports pointer with the PSE_EXPORTS read through it. The
// expansion already ends in a semicolon, so a `;` at the use site becomes an
// empty statement. SeExports is not declared in this part of the header.
//
#define SeEnableAccessToExports() SeExports = *(PSE_EXPORTS *)SeExports;
#if (VER_PRODUCTBUILD >= 2600)
//
// Creates a restricted copy of ExistingToken with the listed SIDs disabled,
// privileges removed and restricting SIDs added (each list OPTIONAL). The
// new token comes back in *FilteredToken, presumably referenced — release
// via PsDereference*Token (confirm). SeTokenIsRestricted below reports
// tokens produced this way.
//
NTKERNELAPI
NTSTATUS
SeFilterToken (
IN PACCESS_TOKEN ExistingToken,
IN ULONG Flags,
IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
OUT PACCESS_TOKEN *FilteredToken
);
#endif // (VER_PRODUCTBUILD >= 2600)
NTKERNELAPI
VOID
SeFreePrivileges (
IN PPRIVILEGE_SET Privileges
);
//
// SeImpersonateClient returns VOID and so cannot report failure; build 2195+
// adds SeImpersonateClientEx, which returns NTSTATUS. Prefer the Ex form
// where available and check its status: an impersonation that silently
// failed leaves the thread running under the server's own identity.
// ServerThread NULL presumably means the calling thread.
//
NTKERNELAPI
VOID
SeImpersonateClient (
IN PSECURITY_CLIENT_CONTEXT ClientContext,
IN PETHREAD ServerThread OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
SeImpersonateClientEx (
IN PSECURITY_CLIENT_CONTEXT ClientContext,
IN PETHREAD ServerThread OPTIONAL
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Lock a captured subject context before reading its token fields; pair
// with SeUnlockSubjectContext below.
//
NTKERNELAPI
VOID
SeLockSubjectContext (
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);
//
// Asks for the callback registered via SeRegisterLogonSessionTerminatedRoutine
// (below) to fire when the logon session LogonId ends.
//
NTKERNELAPI
NTSTATUS
SeMarkLogonSessionForTerminationNotification (
IN PLUID LogonId
);
//
// Open and open-for-delete audit alarms. Both report GenerateOnClose so the
// caller can later raise SeDeleteObjectAuditAlarm / ZwCloseObjectAuditAlarm
// for the same handle. AccessMode is the requestor's mode; pass the
// original caller's mode, not KernelMode, for user-originated opens.
//
NTKERNELAPI
VOID
SeOpenObjectAuditAlarm (
IN PUNICODE_STRING ObjectTypeName,
IN PVOID Object OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PACCESS_STATE AccessState,
IN BOOLEAN ObjectCreated,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE AccessMode,
OUT PBOOLEAN GenerateOnClose
);
NTKERNELAPI
VOID
SeOpenObjectForDeleteAuditAlarm (
IN PUNICODE_STRING ObjectTypeName,
IN PVOID Object OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PACCESS_STATE AccessState,
IN BOOLEAN ObjectCreated,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE AccessMode,
OUT PBOOLEAN GenerateOnClose
);
//
// RequiredPrivileges is IN OUT — the callee presumably marks which
// privileges were used. AccessMode decides whether the check is enforced;
// a KernelMode check is assumed to pass, so never pass KernelMode for a
// request that originated in user mode.
//
NTKERNELAPI
BOOLEAN
SePrivilegeCheck (
IN OUT PPRIVILEGE_SET RequiredPrivileges,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN KPROCESSOR_MODE AccessMode
);
//
// Returns the logon session id (authentication LUID) of Token.
//
NTKERNELAPI
NTSTATUS
SeQueryAuthenticationIdToken (
IN PACCESS_TOKEN Token,
OUT PLUID LogonId
);
#if (VER_PRODUCTBUILD >= 2195)
//
// Returns token information in a buffer the callee allocates
// (*TokenInformation is an OUT pointer-to-pointer and no length is passed).
// The owner/free routine is not stated here — NOTE(review): confirm before
// use. Contrast ZwQueryInformationToken below, which fills a caller buffer.
//
NTKERNELAPI
NTSTATUS
SeQueryInformationToken (
IN PACCESS_TOKEN Token,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID *TokenInformation
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Copies the parts of *ObjectsSecurityDescriptor selected by
// SecurityInformation into the caller's SecurityDescriptor buffer. Length
// is IN OUT (buffer size in; bytes needed or written out — assumed). Check
// the NTSTATUS for the too-small-buffer case.
//
NTKERNELAPI
NTSTATUS
SeQuerySecurityDescriptorInfo (
IN PSECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PULONG Length,
IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor
);
#if (VER_PRODUCTBUILD >= 2195)
//
// SessionId is a pointer annotated IN although the routine, by name, reports
// the token's session id; treat it as an output.
//
NTKERNELAPI
NTSTATUS
SeQuerySessionIdToken (
IN PACCESS_TOKEN Token,
IN PULONG SessionId
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Effective token of a subject context: the client (impersonation) token
// when ARGUMENT_PRESENT, otherwise the primary token. SubjectContext is
// evaluated twice at runtime, so pass an lvalue rather than an expression
// with side effects, and call it under SeLockSubjectContext.
//
#define SeQuerySubjectContextToken( SubjectContext ) \
( ARGUMENT_PRESENT( \
((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken \
) ? \
((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken : \
((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->PrimaryToken )
//
// Callback invoked with the LogonId of a session that has terminated; see
// SeMarkLogonSessionForTerminationNotification above.
//
typedef NTSTATUS (*PSE_LOGON_SESSION_TERMINATED_ROUTINE) (
IN PLUID LogonId
);
//
// Registers the termination callback; remove it again with
// SeUnregisterLogonSessionTerminatedRoutine below before the driver unloads.
//
NTKERNELAPI
NTSTATUS
SeRegisterLogonSessionTerminatedRoutine (
IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
);
//
// Releases a context obtained from SeCaptureSubjectContext.
//
NTKERNELAPI
VOID
SeReleaseSubjectContext (
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);
//
// Stores GenericMapping in the ACCESS_STATE; no IN/OUT annotations here.
//
NTKERNELAPI
VOID
SeSetAccessStateGenericMapping (
PACCESS_STATE AccessState,
PGENERIC_MAPPING GenericMapping
);
//
// Applies the SecurityInformation-selected parts of SecurityDescriptor to
// *ObjectsSecurityDescriptor, replacing it (IN OUT pointer-to-pointer;
// PoolType is assumed to be for the replacement allocation). The Ex form
// (build 2195+) adds AutoInheritFlags. Neither takes a subject context, so
// they cannot perform the WRITE_DAC/WRITE_OWNER check themselves — the
// caller must have done it already.
//
NTKERNELAPI
NTSTATUS
SeSetSecurityDescriptorInfo (
IN PVOID Object OPTIONAL,
IN PSECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping
);
#if (VER_PRODUCTBUILD >= 2195)
NTKERNELAPI
NTSTATUS
SeSetSecurityDescriptorInfoEx (
IN PVOID Object OPTIONAL,
IN PSECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR ModificationDescriptor,
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
IN ULONG AutoInheritFlags,
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping
);
//
// Token predicates (build 2195+). SeTokenIsRestricted relates to tokens
// produced by SeFilterToken above. Neither says anything about the
// impersonation level of the token, which must be checked separately before
// acting on behalf of an impersonated client.
//
NTKERNELAPI
BOOLEAN
SeTokenIsAdmin (
IN PACCESS_TOKEN Token
);
NTKERNELAPI
BOOLEAN
SeTokenIsRestricted (
IN PACCESS_TOKEN Token
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Distinguishes TokenPrimary from impersonation tokens; this is what
// SeDeleteClientSecurity above uses to pick the release path.
//
NTKERNELAPI
TOKEN_TYPE
SeTokenType (
IN PACCESS_TOKEN Token
);
NTKERNELAPI
VOID
SeUnlockSubjectContext (
IN PSECURITY_SUBJECT_CONTEXT SubjectContext
);
NTKERNELAPI
NTSTATUS
SeUnregisterLogonSessionTerminatedRoutine (
IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
);
#if (VER_PRODUCTBUILD >= 2195)
//
// Enables or disables privileges in the token behind TokenHandle. With
// DisableAllPrivileges the NewState list is presumably ignored. PreviousState
// (OPTIONAL) receives the prior settings; BufferLength is its size and
// ReturnLength the size needed. Enable only the privileges a task needs and
// restore PreviousState afterwards — privilege changes are audit-relevant.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustPrivilegesToken (
IN HANDLE TokenHandle,
IN BOOLEAN DisableAllPrivileges,
IN PTOKEN_PRIVILEGES NewState,
IN ULONG BufferLength,
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
OUT PULONG ReturnLength
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThread (
IN HANDLE ThreadHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateVirtualMemory (
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect
);
//
// Access check plus audit in one call. GrantedAccess/AccessStatus report the
// decision; GenerateOnClose must be fed back to ZwCloseObjectAuditAlarm
// (below) when the handle is closed. The declaration carries no subject
// context or token, so the check is presumably made against the caller's
// current security context (impersonation in effect, if any).
//
NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ACCESS_MASK DesiredAccess,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PBOOLEAN AccessStatus,
OUT PBOOLEAN GenerateOnClose
);
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwCancelIoFile (
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwClearEvent (
IN HANDLE EventHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwConnectPort (
OUT PHANDLE ClientPortHandle,
IN PUNICODE_STRING ServerPortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT PLPC_SECTION_WRITE ClientSharedMemory OPTIONAL,
IN OUT PLPC_SECTION_READ ServerSharedMemory OPTIONAL,
OUT PULONG MaximumMessageLength OPTIONAL,
IN OUT PVOID ConnectionInfo OPTIONAL,
IN OUT PULONG ConnectionInfoLength OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm (
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId,
IN BOOLEAN GenerateOnClose
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateEvent (
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSection (
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSymbolicLinkObject (
OUT PHANDLE SymbolicLinkHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PUNICODE_STRING TargetName
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteFile (
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteValueKey (
IN HANDLE Handle,
IN PUNICODE_STRING Name
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile (
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
//
// When calling ZwDisplayString during boot on Windows 2000 or later, call
// InbvEnableDisplayString first.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDisplayString (
IN PUNICODE_STRING String
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject (
IN HANDLE SourceProcessHandle,
IN HANDLE SourceHandle,
IN HANDLE TargetProcessHandle OPTIONAL,
OUT PHANDLE TargetHandle OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
IN ULONG Options
);
//
// Duplicates a token. TokenType selects a primary or impersonation copy;
// the impersonation level presumably comes from the security QoS in
// ObjectAttributes, which is not OPTIONAL here. EffectiveOnly is assumed to
// drop currently disabled groups/privileges from the copy. Producing a
// primary token from an impersonation token is privilege-sensitive: check
// the status, request minimal DesiredAccess and close NewTokenHandle.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateToken (
IN HANDLE ExistingTokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN BOOLEAN EffectiveOnly,
IN TOKEN_TYPE TokenType,
OUT PHANDLE NewTokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushInstructionCache (
IN HANDLE ProcessHandle,
IN PVOID BaseAddress OPTIONAL,
IN ULONG FlushSize
);
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwFlushVirtualMemory (
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN OUT PSIZE_T RegionSize,
OUT PIO_STATUS_BLOCK IoStatusBlock
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwFreeVirtualMemory (
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN OUT PSIZE_T RegionSize,
IN ULONG FreeType
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFsControlFile (
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG FsControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwInitiatePowerAction (
IN POWER_ACTION SystemAction,
IN SYSTEM_POWER_STATE MinSystemState,
IN ULONG Flags,
IN BOOLEAN Asynchronous
);
#endif // (VER_PRODUCTBUILD >= 2195)
//
// Loads the driver described by the service key at RegistryPath. The path
// decides which image is loaded into the kernel, so it must never be built
// from untrusted input.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadDriver (
// "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
IN PUNICODE_STRING RegistryPath
);
NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey (
IN POBJECT_ATTRIBUTES KeyObjectAttributes,
IN POBJECT_ATTRIBUTES FileObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwNotifyChangeKey (
IN HANDLE KeyHandle,
IN HANDLE EventHandle OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG NotifyFilter,
IN BOOLEAN WatchSubtree,
IN PVOID Buffer,
IN ULONG BufferLength,
IN BOOLEAN Asynchronous
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenDirectoryObject (
OUT PHANDLE DirectoryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenEvent (
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);
//
// Token handle openers. The Ex forms (build 2600+) add HandleAttributes for
// the new handle. Request only the access you need in DesiredAccess, and
// close the handle when done.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessToken (
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
OUT PHANDLE TokenHandle
);
#if (VER_PRODUCTBUILD >= 2600)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessTokenEx (
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle
);
#endif // (VER_PRODUCTBUILD >= 2600)
//
// ClientId is required here, unlike the OPTIONAL ClientId of ZwOpenProcess
// above.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread (
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
//
// OpenAsSelf presumably selects whether the open is checked against the
// process's context (TRUE) or the thread's current impersonation (FALSE) —
// inferred from the name; confirm before relying on it.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken (
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
OUT PHANDLE TokenHandle
);
#if (VER_PRODUCTBUILD >= 2600)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadTokenEx (
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle
);
#endif // (VER_PRODUCTBUILD >= 2600)
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwPowerInformation (
IN POWER_INFORMATION_LEVEL PowerInformationLevel,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwPulseEvent (
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultLocale (
IN BOOLEAN ThreadOrSystem,
OUT PLCID Locale
);
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage (
OUT LANGID *LanguageId
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile (
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
);
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject (
IN HANDLE DirectoryHandle,
OUT PVOID Buffer,
IN ULONG Length,
IN BOOLEAN ReturnSingleEntry,
IN BOOLEAN RestartScan,
IN OUT PULONG Context,
OUT PULONG ReturnLength OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryEaFile (
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN BOOLEAN ReturnSingleEntry,
IN PVOID EaList OPTIONAL,
IN ULONG EaListLength,
IN PULONG EaIndex OPTIONAL,
IN BOOLEAN RestartScan
);
#endif // (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess (
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2600)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread (
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
#endif // (VER_PRODUCTBUILD >= 2600)
//
// Queries TokenInformationClass from TokenHandle into a caller buffer of
// TokenInformationLength bytes; ReturnLength receives the size needed, so a
// first call with a small buffer can size the second (assumed from the
// parameter set). Distinct from SeQueryInformationToken above, which works
// on a PACCESS_TOKEN and allocates the result.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationToken (
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID TokenInformation,
IN ULONG TokenInformationLength,
OUT PULONG ReturnLength
);
#if (VER_PRODUCTBUILD >= 2195)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage (
OUT LANGID *LanguageId
);
#endif // (VER_PRODUCTBUILD >= 2195)
// Retrieves information about the object referenced by ObjectHandle into
// ObjectInformation (Length bytes); ObjectInformationClass selects what is
// returned and ResultLength (not OPTIONAL here) receives the size.
// Counterpart of ZwSetInformationObject below, which uses the same
// OBJECT_INFO_CLASS.
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject (
IN HANDLE ObjectHandle,
IN OBJECT_INFO_CLASS ObjectInformationClass,
OUT PVOID ObjectInformation,
IN ULONG Length,
OUT PULONG ResultLength
);
// Retrieves information selected by SectionInformationClass about the
// section object referenced by SectionHandle into SectionInformation
// (SectionInformationLength bytes); ResultLength optionally receives the
// size.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySection (
IN HANDLE SectionHandle,
IN SECTION_INFORMATION_CLASS SectionInformationClass,
OUT PVOID SectionInformation,
IN ULONG SectionInformationLength,
OUT PULONG ResultLength OPTIONAL
);
// Reads the security-descriptor parts selected by SecurityInformation from
// the object referenced by FileHandle into SecurityDescriptor (Length
// bytes); ResultLength receives the size required or written.  The
// parameter is named FileHandle, but the counterpart ZwSetSecurityObject
// below takes a plain Handle; presumably any securable object handle is
// accepted - verify against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySecurityObject (
IN HANDLE FileHandle,
IN SECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG Length,
OUT PULONG ResultLength
);
// Retrieves system-wide information selected by SystemInformationClass into
// SystemInformation (Length bytes); ReturnLength (not OPTIONAL here)
// receives the size.
// NOTE(review): the information classes and their record layouts are not
// described in this header and vary between releases (see the disclaimer at
// the top of the file); size the buffer from ReturnLength on a length-error
// status rather than assuming fixed sizes, and validate the class against
// the target build's documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG Length,
OUT PULONG ReturnLength
);
// Retrieves volume information for the volume holding the file opened as
// FileHandle into FsInformation (Length bytes), laid out per
// FsInformationClass; IoStatusBlock receives the result.  Counterpart of
// ZwSetVolumeInformationFile below.
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryVolumeInformationFile (
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FsInformation,
IN ULONG Length,
IN FS_INFORMATION_CLASS FsInformationClass
);
// Replaces the registry hive backing KeyHandle: NewFileObjectAttributes
// names the replacement hive file and OldFileObjectAttributes names where
// the current hive goes.
// NOTE(review): a privileged hive operation; presumably requires
// SeRestorePrivilege for user-mode callers, as the Win32 equivalent does,
// while a kernel-mode caller passes that check by construction - confirm
// against the DDK documentation before exposing it to untrusted inputs.
NTSYSAPI
NTSTATUS
NTAPI
ZwReplaceKey (
IN POBJECT_ATTRIBUTES NewFileObjectAttributes,
IN HANDLE KeyHandle,
IN POBJECT_ATTRIBUTES OldFileObjectAttributes
);
// Sends the LPC message Request on PortHandle and blocks until the reply
// has been stored in the caller-supplied Reply buffer.
// NOTE(review): Reply is a PLPC_MESSAGE the peer's reply is copied into, so
// it must be sized for the largest message the port allows (presumably the
// port's maximum message length) - confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwRequestWaitReplyPort (
IN HANDLE PortHandle,
IN PLPC_MESSAGE Request,
OUT PLPC_MESSAGE Reply
);
// Resets the event referenced by EventHandle (per its name, to the
// non-signaled state); PreviousState optionally receives the prior state.
// Counterpart of ZwSetEvent below.
NTSYSAPI
NTSTATUS
NTAPI
ZwResetEvent (
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2195)
// Loads registry data from the hive file opened as FileHandle into the key
// referenced by KeyHandle, controlled by Flags.
// Only declared for Windows 2000 (build 2195) and later.
// NOTE(review): presumably requires SeRestorePrivilege for user-mode
// callers; a kernel-mode caller passes that check by construction, so never
// let a user-controlled FileHandle or KeyHandle reach this call unvalidated
// - confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwRestoreKey (
IN HANDLE KeyHandle,
IN HANDLE FileHandle,
IN ULONG Flags
);
#endif // (VER_PRODUCTBUILD >= 2195)
// Writes the registry hive rooted at KeyHandle to the file opened as
// FileHandle.
// NOTE(review): the saved hive can contain sensitive data (credential
// material lives in some hives), so the destination file's ACL matters as
// much as the key's; presumably requires SeBackupPrivilege for user-mode
// callers - confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKey (
IN HANDLE KeyHandle,
IN HANDLE FileHandle
);
// Sets the thread's or the system's default locale to Locale; the
// ThreadOrSystem selector mirrors the one taken by ZwQueryDefaultLocale
// above.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultLocale (
IN BOOLEAN ThreadOrSystem,
IN LCID Locale
);
#if (VER_PRODUCTBUILD >= 2195)
// Sets the default UI language to LanguageId (counterpart of
// ZwQueryDefaultUILanguage above).
// Only declared for Windows 2000 (build 2195) and later.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage (
IN LANGID LanguageId
);
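// Writes extended attributes to the file opened as FileHandle from Buffer
// (Length bytes); IoStatusBlock receives the result.  Counterpart of
// ZwQueryEaFile above.
// Buffer is annotated IN: it carries the EA data the caller supplies, the
// same direction as FsInformation in ZwSetVolumeInformationFile and
// ObjectInformation in ZwSetInformationObject.  It was previously marked
// OUT, which contradicted every other Set* routine in this header; IN/OUT
// are annotation macros only, so this is a documentation fix with no
// binary effect.
// Only declared for Windows 2000 (build 2195) and later.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEaFile (
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length
);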
#endif // (VER_PRODUCTBUILD >= 2195)
// Sets the event referenced by EventHandle (per its name, to the signaled
// state); PreviousState optionally receives the prior state.  Counterpart
// of ZwResetEvent above.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetEvent (
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL
);
// Sets information selected by ObjectInformationClass on the object
// referenced by ObjectHandle from ObjectInformation
// (ObjectInformationLength bytes).  Counterpart of ZwQueryObject above,
// which uses the same OBJECT_INFO_CLASS.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationObject (
IN HANDLE ObjectHandle,
IN OBJECT_INFO_CLASS ObjectInformationClass,
IN PVOID ObjectInformation,
IN ULONG ObjectInformationLength
);
// Sets information selected by ProcessInformationClass on the process
// referenced by ProcessHandle from ProcessInformation
// (ProcessInformationLength bytes).  Counterpart of
// ZwQueryInformationProcess above.
// NOTE(review): some information classes alter security-relevant process
// state; a kernel-mode caller presumably satisfies the privilege and handle
// access checks by construction, so the class, handle and buffer must not
// be derived from untrusted input without the driver's own checks -
// confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess (
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength
);
#if (VER_PRODUCTBUILD >= 2195)
// Writes the security-descriptor parts selected by SecurityInformation from
// SecurityDescriptor onto the object referenced by Handle.  Counterpart of
// ZwQuerySecurityObject above.
// Only declared for Windows 2000 (build 2195) and later.
// NOTE(review): SecurityDescriptor is taken as a trusted, well-formed
// kernel pointer here; a descriptor that originated in user mode must be
// captured and validated (the DDK provides routines for that) before it is
// applied - confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSecurityObject (
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
#endif // (VER_PRODUCTBUILD >= 2195)
// Sets system-wide state selected by SystemInformationClass from
// SystemInformation (Length bytes).  Counterpart of
// ZwQuerySystemInformation above.
// NOTE(review): this is a privileged interface whose classes are not
// described in this header; a kernel-mode caller passes its checks by
// construction, so the class and buffer are highly sensitive inputs that
// must never be driven by user-controlled data - confirm each class against
// the target build's documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemInformation (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG Length
);
// Sets the system time to NewTime and optionally returns the previous time
// in OldTime.
// NOTE(review): changing the clock affects audit timestamps and time-based
// credential/certificate validity; presumably privileged for user-mode
// callers, but not for a kernel-mode caller - confirm against the DDK
// documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemTime (
IN PLARGE_INTEGER NewTime,
OUT PLARGE_INTEGER OldTime OPTIONAL
);
#if (VER_PRODUCTBUILD >= 2195)
// Sets volume information for the volume holding the file opened as
// FileHandle from FsInformation (Length bytes, laid out per
// FsInformationClass); IoStatusBlock receives the result.  FsInformation is
// IN here because the buffer is an input, whereas the counterpart
// ZwQueryVolumeInformationFile above marks it OUT.
// Only declared for Windows 2000 (build 2195) and later.
NTSYSAPI
NTSTATUS
NTAPI
ZwSetVolumeInformationFile (
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FsInformation,
IN ULONG Length,
IN FS_INFORMATION_CLASS FsInformationClass
);
#endif // (VER_PRODUCTBUILD >= 2195)
// Terminates the process referenced by ProcessHandle with ExitStatus.
// ProcessHandle is OPTIONAL; presumably a NULL handle means the calling
// process, as for the Win32 equivalent - confirm against the DDK
// documentation.
// NOTE(review): a kernel-mode caller is not subject to the handle's granted
// access rights in the same way a user-mode caller is, so a handle value
// received from user mode must not be passed through here unvalidated.
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
// Unloads the driver whose service key is named by RegistryPath (the full
// registry path, in the form shown in the parameter comment).
// NOTE(review): unloading a driver is a privileged operation; presumably
// requires SeLoadDriverPrivilege for user-mode callers and is permitted
// unconditionally from kernel mode, so RegistryPath must never be built
// from untrusted input - confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadDriver (
// "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>"
IN PUNICODE_STRING RegistryPath
);
// Unloads the registry hive mounted at the key named by KeyObjectAttributes.
// NOTE(review): presumably privileged for user-mode callers (the same
// restore privilege as the hive-load side) - confirm against the DDK
// documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadKey (
IN POBJECT_ATTRIBUTES KeyObjectAttributes
);
// Waits until the object referenced by Handle is signaled or the optional
// Timeout elapses; Alertable controls whether the wait can be interrupted
// by alerts/APCs (per the DDK convention for this parameter).
// NOTE(review): a NULL Timeout presumably means an infinite wait - do not
// issue such a wait on a handle that untrusted code can keep unsignaled;
// confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForSingleObject (
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL
);
// Waits on the HandleCount handles in the Handles array; WaitType selects
// whether any one or all of them must be signaled, Alertable and the
// optional Timeout behave as for ZwWaitForSingleObject above.
// NOTE(review): HandleCount is bounded by the kernel (the DDK defines a
// maximum number of wait objects) and larger counts are rejected; keep the
// Handles array at least HandleCount entries long - confirm the limit
// against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForMultipleObjects (
IN ULONG HandleCount,
IN PHANDLE Handles,
IN WAIT_TYPE WaitType,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL
);
// Yields the rest of the calling thread's turn to other ready threads (per
// its name); takes no parameters.
NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution (
VOID
);
//
// Below are declarations that the Windows 2000 DDK provides but the
// Windows NT 4.0 DDK lacks; they are compiled only for builds before 2195.
//
#if (VER_PRODUCTBUILD < 2195)
// Drives the speaker at Frequency (presumably Hz, per its name); returns
// nothing.  Declared here only for NT 4.0 builds, which lack it in the DDK.
NTSYSAPI
VOID
NTAPI
HalMakeBeep (
IN ULONG Frequency
);
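#ifndef IoCopyCurrentIrpStackLocationToNext
// Copies the current IRP stack location of Irp to the next one, up to but
// not including the CompletionRoutine field, and then clears Control in the
// copy (CompletionRoutine and the fields after it are not copied).
// Wrapped in do { } while (0) so the expansion is exactly one statement:
// the former bare { } block turned
//   if (c) IoCopyCurrentIrpStackLocationToNext(Irp); else ...
// into a compile error, and the do/while form now requires the trailing
// semicolon every DDK example already writes.  The temporaries carry an
// unusual prefix so they cannot capture a caller variable that appears in
// the Irp argument (drivers commonly name their own stack-location pointer
// irpSp, which the previous temporaries would have shadowed).
// Irp is evaluated twice; do not pass an expression with side effects.
#define IoCopyCurrentIrpStackLocationToNext( Irp ) \
do { \
PIO_STACK_LOCATION ntifsCopySrcSp_; \
PIO_STACK_LOCATION ntifsCopyDstSp_; \
ntifsCopySrcSp_ = IoGetCurrentIrpStackLocation( (Irp) ); \
ntifsCopyDstSp_ = IoGetNextIrpStackLocation( (Irp) ); \
RtlCopyMemory( \
ntifsCopyDstSp_, \
ntifsCopySrcSp_, \
FIELD_OFFSET(IO_STACK_LOCATION, CompletionRoutine) \
); \
ntifsCopyDstSp_->Control = 0; \
} while (0)
#endif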
// Kernel-mode create/open of a file object.  The first eleven parameters
// have the meaning of the NT create-file service (FileHandle receives the
// handle, IoStatusBlock the result); CreateFileType and
// ExtraCreateParameters carry type-specific create data, and Options
// carries IO_* flags that control how the create is performed.
// NOTE(review): security-relevant - when a driver opens a file on behalf of
// a user-mode request, the Options flags decide whether an access check is
// applied to the caller (the DDK provides a force-access-check option for
// this); without it the open is done with the kernel's trust level and the
// user-supplied name in ObjectAttributes is not probed.  Confirm against
// the DDK documentation for the target build.
NTKERNELAPI
NTSTATUS
IoCreateFile (
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength,
IN CREATE_FILE_TYPE CreateFileType,
IN PVOID ExtraCreateParameters,
IN ULONG Options
);
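#ifndef IoSkipCurrentIrpStackLocation
// Advances Irp past its current stack location so the next driver in the
// stack reuses it: both CurrentLocation and Tail.Overlay.CurrentStackLocation
// are stepped together.
// Wrapped in do { } while (0) so the expansion is one statement.  The former
// definition was two bare statements, so
//   if (c) IoSkipCurrentIrpStackLocation(Irp);
// stepped CurrentLocation conditionally but CurrentStackLocation always,
// silently desynchronising the IRP's stack bookkeeping (a memory-corruption
// class bug, not a compile error).  The do/while form requires the trailing
// semicolon.  Irp is evaluated twice; do not pass an expression with side
// effects.
#define IoSkipCurrentIrpStackLocation( Irp ) \
do { \
(Irp)->CurrentLocation++; \
(Irp)->Tail.Overlay.CurrentStackLocation++; \
} while (0)
#endif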
// Checks that Length bytes at Address are a valid, suitably aligned
// (Alignment) writable user-mode range, per the DDK contract for this
// routine; declared here only for NT 4.0 builds.
// NOTE(review): the DDK contract is that a failed probe raises an
// exception, so the probe and every later access to the range must sit
// inside __try/__except.  The check is point-in-time: another user-mode
// thread can unmap or change the pages afterwards (TOCTOU), so copy the
// data out under the exception handler rather than trusting the range
// later - confirm against the DDK documentation.
NTSYSAPI
VOID
NTAPI
ProbeForWrite (
IN PVOID Address,
IN ULONG Length,
IN ULONG Alignment
);
// Opens the existing file or device named by ObjectAttributes with
// DesiredAccess, ShareAccess and OpenOptions; the handle is returned in
// FileHandle and the result in IoStatusBlock.  Declared here only for
// NT 4.0 builds.
// NOTE(review): a handle opened by a Zw* call from kernel mode carries the
// kernel's trust level and the name in ObjectAttributes is not probed on
// the caller's behalf; never pass user-supplied OBJECT_ATTRIBUTES through
// here unvalidated - confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile (
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);
// Opens the object-manager symbolic link named by ObjectAttributes with
// DesiredAccess; the handle is returned in SymbolicLinkHandle.  Declared
// here only for NT 4.0 builds.  Pair with ZwQuerySymbolicLinkObject below
// to read the link's target.
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSymbolicLinkObject (
OUT PHANDLE SymbolicLinkHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// Reads the target of the symbolic link referenced by LinkHandle into
// LinkTarget, which is IN OUT: the caller supplies the UNICODE_STRING with
// its Buffer and MaximumLength set, and the call fills Buffer and Length.
// ReturnedLength optionally receives the size needed.  Declared here only
// for NT 4.0 builds.
// NOTE(review): if the supplied MaximumLength is too small the call
// presumably fails with the required size in ReturnedLength; size the
// buffer from that rather than assuming a fixed maximum path length, and
// do not treat LinkTarget as NUL-terminated (it is a counted string) -
// confirm against the DDK documentation.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySymbolicLinkObject (
IN HANDLE LinkHandle,
IN OUT PUNICODE_STRING LinkTarget,
OUT PULONG ReturnedLength OPTIONAL
);
#endif // (VER_PRODUCTBUILD < 2195)
#ifdef __cplusplus
}
#endif
#endif // _NTIFS_